Juniper University

Education Services

Junos Layer 2 VPNs

LAB GUIDE Revision V21A

.•

0
1J

!D riven by
Experience ·

Juniper University Education Services Courseware

Juniper Business Use Only

This document is produced by Juniper Networks, Inc.
This document or any part thereof may not be reproduced or transmitted in any form under penalty of law, without the prior written permission of Juniper
Networks Education Services.
Juniper Networks, Junes, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other
countries. The Juniper Networks Logo, the Junes logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered
trademarks, or registered service marks are the property of their respective owners.
Junos Layer 2 VPNs Lab Guide, Revision 21A
Copyright © 2021 Juniper Networks, Inc. All rights reserved.
Printed in USA.
Revision History:
Revision 21A - September 2021
The information in this document is current as of the date listed above.
The information in this document has been carefully verified and is believed to be accurate to reflect the latest release available at publication.
Juniper Networks assumes no responsibilities for any inaccuracies that may appear in this document. In no event will Juniper Networks be liable for direct,
indirect, special, exemplary, incidental, or consequential damages resulting from any defect or omission in this document, even if advised of the possibility of
such damages.

Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
YEAR 2000 NOTICE
Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junes operating system
has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in
an agreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you
understand and agree to be bound by its license terms and conditions. Generally speaking, the software license restricts the manner in which you are
permitted to use the Juniper Networks software, may contain prohibitions against certain uses, and may state conditions under which the license is
automatically terminated. You should consult the software license for further details.
 Contents

Lab 1: BGP-Signaled L2VPNs ................................................................................................1

Lab 2: L2VPNs Adva need Concepts ................................................................................... 2 7

Lab 3: LOP-Signaled L2Circuits .......................................................................................... 4 7

Lab 4: FEC 129 Pseudowi res (Option aI) ............................................................................ 65

Lab 5: VPLS ......................................................................................................................... 79

Lab 6: EVPN ...................................................................................................................... 119

Lab 7: Inter-AS L2VPNs ..................................................................................................... 145

a
Course Overview

Th is two-day course is designed to provide students with the knowledge required to design, implement, and troubleshoot a
wide variety of layer 2 MPLS VPNs, including pseudowires (BGP L2VPNs, LDP L2Circuits, FEC 129, and CCC), virtual private
LAN service (VPLS), Ethernet VPN (EVPN), and Inter-AS Layer 2 VPNs. This course is based on Junos 21.2R1 and contains
hands-on labs that gives extensive CLI configuration practice as well as many examples of common errors, and the
troubleshooting steps requ ired to f ix them.

Course Level
Interm ed iate-to-adva need

Intended Audience

The primary audiences for th is course include individuals responsible for designing, implementing, and troubleshooting
MPLS VPNs wh ich operate at layer 2; individuals who work with service provider networks; and individuals studying for the
JNCIP-SP or JNCIE-SP exam.

Prerequisites
The following are the prerequisites for th is course:

• Strong general TCP/IP knowledge

• Junos knowledge to JNCIA-Junos level

• LDP/RSVP and routing/switching knowledge to JNCIS-SP level

Objectives
After successfully completing this course, you should be able to:

• Describe some of the different kinds of VPN, their mechanics and their use cases
IPsec VPNs and MPLS VPNs

Layer 3 VPNs and layer 2 VPNs

• Discuss the types of MPLS VPN which operate at layer 2

Discuss the function and creation of pseudowires

Discuss the function and creation of VPLS

Discuss the function and creation of EVPN

• Discuss the mechanics of BGP-signaled pseudowires, also known as a Layer 2 VPN (L2VPN)
Define some essential L2VPN terminology

Explore the control plane and data plane of an L2VPN

Observe an L2VPN packet capture

• Configure and troubleshoot BGP-signaled L2VPNs

Configure an L2VPN which accepts all Ethernet traffic

Configure an L2VPN which accepts specific VLAN tags

Troubleshoot common L2VPN problems

• Describe how and why L2VPNs advertise a range of labels

The Site ID and the VPN label

Overprovisioned L2VPN configuration

• Configure advanced BGP-signa led L2VPN features

Configure and verify multihoming

Explain Martini encapsulation and VLAN normalization

 - Configure traffic policing, out-of-band route reflection, and route target constraint

• Discuss the mechanics of LOP-signaled pseudowires, also known as a Layer 2 Circuit (L2Circuit)

Configure and verify an L2Circuit

Analyze a packet capture of an LDP advertisement

• Identify and fix common L2Circuit problems

Configure the Pseudowire Status TLV

Observe the most frequent L2Circuit error statuses

• Configure advanced LOP-signaled L2Circuit features

Enable Virtual Circuit Connectivity Verification

Configure multihoming, local switching, and interworking

• Discuss the mechanics of FEC 129 pseudowires, which combines BGP for autodiscovery and LOP for
signaling
Discuss the mechanics of FEC 129

Configure and verify a FEC 129 pseudowire

• Describe the purpose and mechanics of a VPLS

Explain how VPLS forwards traffic between multiple sites

Describe the three methods of signaling VPLS

• Configure and verify VPLS

Configure a BGP-signaled VPLS

Verify a BGP-signaled VPLS

Configure and verify an LOP-signaled VPLS

Configure and verify a FEC 129 VPLS

• Configure and verify different VPLS VLAN modes

Configure and verify the default VLAN mode and VLAN-Aware mode

Configure and verify VLAN-Normalizing mode and No-VLAN mode

Configure and verify dual-stacked VLAN tags in VPLS

• Describe and configure VPLS advanced features, and VPLS troubleshooting

Configure protection and MAC limiting in a VPLS

Add IRB interfaces to VPLS instances, and configure efficient traffic flooding

Describe VPLS-specific troubleshooting techniques

• Configure advanced VPLS topologies

Configure hub-and-spoke VPLS

Configure multihomed sites in a VPLS

• Describe the features and advantages of Ethernet VPN

Describe the advantages of EVPN over VPLS

Explain the structure and purpose of EVPN route types 2 and 3

• Configure and verify single-homed EVPN instances

Configure and verify a VLAN-based EVI

Configure and verify a VLAN-aware bundle EVI

• Explain, configure, and verify EVPN multihoming

- Describe Type 4 Ethernet Segment routes, and configure multihoming
 - Describe Type 1 Ethernet Auto-Discovery routes

• Configure EVPN IRS interfaces, and other advanced EVPN concepts

Configure and verify Automatic Gateway MAC-IP Synchronization

Describe host routes in an L3VPN

Configure alternative IRB methods

Configure advanced EVPN features and mechanics

Course Agenda

Day 1
Module 1: Course Introduction

Module 2: Refresher VPNs and MPLS

Module 3: The Different Flavors of Layer 2 VPN

Module 4: L2VPN , aka BGP-Signalled Pseudowi res

Module 5: L2VPN Configuration and Troubleshooting

Module 6: L2VPN - Site IDs, The Label Base, and Overprovisioning

Lab 1: BGP-Signaled L2VPNs

Module 7: L2VPN Advanced Concepts

Lab 2: L2VPNs Advanced Concepts

Module 8: L2Circuit, aka LOP-Signalled Pseudowires

Module 9: L2Circuit - Troubleshooting

Module 10: L2Circuit - Advanced Concepts

Lab 3: LOP-Signaled L2Circuits

Day 2
Module 11: FEC 129 Pseudowires

Lab 4: FEC 129 Pseudowires (Optional)

Module 12: Virtua l Private LAN Service Introduction

Module 13: VPLS - Configuration and Verification

Module 14: VPLS - The Four VLAN Modes

Module 15: VPLS - Advanced Features and Troubleshooting

Module 16: VPLS - Advanced Topologies

Lab 5: VPLS

Module 17: EVPN Introduction

Module 18: EVPN Single-Homed Configu ration

Module 19: EVPN Multihoming

Module 20: EVPN-I RB and Advanced Concepts

Lab 6: EVPN

Append ix A: Inter-AS L2VPNs

Lab 7: Inter-AS L2VPNs

Append ix B: Circuit Cross-Connect

Document Conventions

CLI and GUI Text

Frequently throughout this course, we refer to text that appears in a command-l ine interface (CLI) or a graphical user
interface (GUI). To make the language of these documents easier to read, we distinguish GUI and CLI text from chapter text
according to the following table.

Style Description Usage Example

San serif Normal text. Most of what you read in the Lab Guide and
Student Guide.

Serif Console text: commit complete

• Screen captures Ex it ing configuration mode
• Noncommand-related syntax Select File > Ope n, and then click
GUI text elements: Configuration . conf in the F ilename
• Menu names text box.
• Text field entry

Input Text Versus Output Text

You will also frequently see cases where you must enter input text yourself. Often these instances will be shown in the
context of where you must enter them. We use bold style to distinguish text that is input versus text that is simply displayed.

Style Description Usage Example

Normal CL I No distinguishing variant. Physical i nter face:fx pO , Enab l ed

Normal CL I View configuration history by clicking
Conf igu r atio n> Hi story .
CLI Input Text that you must enter. lab @San Jo se> show route
GUI Input Select File > Save, and type
config. ini in the Filename field.

Syntax Variables

Finally, this course distinguishes syntax variables, where you must assign the value. Note that these styles can be
combined with the input style as well.

Style Description Usage Example

CLI Undefined Text where the variable's value is the user's Type set policy ,Rolic.v.-name. ping
GUI Undefined discretion or text where the variable's va lue as 10.0.x.y .
shown in the lab guide might differ from the value Select File > Save, and type filename in
the user must input according to the lab topology. the Filename field.
Add itional Information

Education Services Offerings

You can obtain information on the latest Education Services offerings, course dates, and class locations from the World
Wide Web by pointing your Web browser to: http://www.juniper.net/training,/education/.

About This Publication

This course was developed and tested using the software release listed on the copyright page. Previous and later versions
of software might behave differently so you should always consult the documentation and release notes for the version of
code you are running before reporting errors.

This document is written and maintained by the Juniper Networks Education Services development team. Please send
questions and suggestions for improvement to [email protected].

Technical Publications
You can print technical manuals and release notes directly from the Internet in a variety of formats:

• Go to http : //www . jun i per . net/techpubs/.

• Locate the specific software or hardware release and title you need, and choose the format in which you want
to view or print the document.

Documentation sets and CDs are available through your local Juniper Networks sales office or account representative.

Juniper Networks Support

For technical support, contact Jun iper Networks at http://www.juniper.net/customers/supportj, or at 1-888-314-JTAC

(within the United States) or 408-745-2121 (outside the United States).
 Junos Layer 2 VPNs

Lab 1: BGP-Signaled L2 VPNs

Overview
In this lab, you will establish a point-to-point BGP Layer 2 virtual private network (VPN) using LOP signaled label
switched paths (LSP) between provider edge (PE) routers. Once the virtual LAN (VLAN)-based Layer 2 VPN is
operational, you will configure the customer edge (CE) routers to run one of several available routing protocols
and advertise their static route and loopback address blocks. Because this is a BGP Layer 2 VPN, the PE
routers will not interact with the routing protocols used on the CE routers.

The setup uses logical systems, a Junos feature which allows to partition a single router into multiple logical
devices, each with independent configuration; we will use logical systems to simulate a more complex
environment.

By completing this lab, you will perform the following tasks:

• Load the initial configuration and verify proper operation of the IGP.
• Configure an LOP-signaled label-switched path (LSP) to the remote PE router.

• Add protocol BGP support for the Layer 2 VPN network layer reachability information (N LRI).

• Create and establish a BGP Layer 2 VPN over the core network.
• Add OSPF to your CE network and create a neighborship between your CE router and the remote CE
router.

• Export your static routes into OSPF and share these routes with the remote CE network.

• Verify connectivity and behavior using operational mode commands including ping and other
commands used to examine routing tables.

www.juniper.net Lab 1: BGP-Signaled L2VPNs 1

Junos Layer 2 VPNs

Lab Diagrams

Management Network Diagram

Management Network
172.25. 11.0/24
Virtual Student Desktop Console and
I
VNC Connections '==, , , , I I

-- • -
=-=· • • 11
: : : 11
/ Physica l
Desktops

~r,; ""'
::J ~ \--_____..~H~y:ip~e:rv~i~s:or;
Virtual Switch Management Addresses
Student-MX1 172.25.11 .1
Management Port Student-MX2 172.25.11 .2
fxpO (on all vMX devices) vr-device 172.25.11 .3
Student Desktop 172.25.11 .254

Student
Virtual Environment Note: Your instructor will provide the information
you need to access your student desktop.

O 2021 Juniper Networks JUn~J I ,

Lab: BGP-Signaled L2 VPNs, Part 1

VR-Device
'I --------------------
P2 P4
'I 172.17.23.12/30
I loO 172.1 7.20.2 .13 .14 loO 172.17.20.4 I
I >----.--"'
'\,
--"""T----,,,"1,..1
;;; ·,>.s-
a,

g AS 65512 g
PE-1
-
(0
,.;
OSPF
AreaO
c5
"!
,.; PE-2
"!
....
-
lo0.1 172.17.20.1 N lo0.6 172.17.20.6
....
..... -
-
....
N
....
N
X
~I -
-C
Q)

- -
"C
:::, 0

( f)
172.17.23.16/30
P3 PS
CE1-1 loO 172.17.20.3 .1 7 .18 loO 172.17.20.5 CE1-2

'-------------------~
O 2021 Juniper Network! Junw I 2

2 Lab 1: BGP-Signaled L2VPNs www.juniper.net

 Junos Layer 2 VPNs

Lab: BGP-Signaled L2 VPNs, Part 2-4

BGP Layer 2 VPN

PE-1
lo0.1 172.17.20. 1
- - --- ----------------- ----
AS 65512
OSPF
- - - . PE-2
lo0.6 172.1 7.20.6
.....
X
~
.....CI
,~
o,q
q
0
~

<D
z
Area 0

Q) "'~ :5>
c5 .
"O
::,
9~
.....
Cl)
& ~

CE1-1 10.1.0.0/24 - 10.1.3.0/24 10.1.4.0/24-10.1.7.0/24 CE1-2

lo0.111 0.1.20.1 AS 65101 lo0.12 10.1.20.2
Site ID 1
AS 65101 S ite ID 2
...

O 2021 Juniper Networks

www.juniper.net Lab 1: BGP-Signaled L2VPNs 3

Junos Layer 2 VPNs

Part 1: Creating The Baseline SP Network And Enabling PE For Layer 2

VPN Signaling
In this lab part, you will configure the baseline network for the lab. You will load a baseline OSPF configuration
and then enable Label Distribution Protocol (LOP) and multiprotocol label switching (MPLS) on the core-facing
interfaces, configure a MP-BGP peering session with the remote PE router, and configure a route-distinguisher
ID.

NOTE: > The instructor will tell you the nature of your
access and will provide you with the neces.s ary details to
access your assigned device.

Step 1.1
You should make sure you are familiar with the lab topology and environment. This lab is comprised of eight
logical devices that are operating on three virtual MX (vMX) routers. These vMXs are nested inside an ESXi
hypervisor. The four devices you are in charge of configuring (PE-1, CE1-1) reside on Student-MX1 and (PE-2,
CE1-2) reside on Student-MX2 as logical systems. The core devices (P2, P3, P4, and PS) are preconfigured on
vr-device also as logical systems.

Step 1.2
Consult the management network diagram, provided by your instructor, to determine your device's
management address.

Question: What is the management address of Student-MX1 and Student-MX2?

Answer: The management IP address of Student-MX1 is 172.25.11.1 and

Student-MX2 is 172.25.11.2

Step 1.3
Access the CLI of your Student-MX1 device using Secure Shell (SSH) as directed by your instructor.

Log in as user lab with the password supplied by your instructor. Enter into configuration mode and load this
lab's starting configuration file j 12v / lab l-s t art. conf ig and exit back to operational mode using the
commit and-quit command.

Student-MXl (tt ypO)

log i n : lab
Pass wo rd:

Last log in : Thu J ul 11 1 4 : 23 : 37 2021 from 1 72 . 25 . 1 1.254

--- J UNOS 2 1. 2Rl . 10 Kernel 64 -bit JNPR- 12 . 0 -2 0 1 80614 . 6c3f819 buil
lab@Student - MX l> configure
Entering configuration mode

[edit]
lab@Student - MX l# load override j l2 v/lab l- start . config
load complete

[edit]
lab@Student - MX l# commit and- qu it

4 Lab 1: BGP-Signaled L2VPNs www.juniper.net

 Junos Layer 2 VPNs
commit complete
Exiting configuration mode

lab@Student-MX l>

Step 1.4
On your Student-MX1 device, change your CLI to the PE-1 logical system.

On PE-1, use the show configuration p r otocols command to determine what protocols have been
pre-defined on your PE-1 device.

lab@Student-MX l> set cli logical-system PE-1

Logical system: PE-1

lab@Student-MX l:PE-1> show configuration p rotocols

ospf {
area 0 . 0 . 0 .0 {
interface ge-0/0/0 .0;
interface ge-0/0/ 1.0;
interface lo0 . 1 ;
}
}

Question: Which protocols have been preconfigured for you?

Answer: OSPF has been preconfigured.

Step 1.5
Verify your OSPF neighbor relationships are up and operational using the show ospf neighbor command.

lab@Student-MX l:PE-1> show ospf neighbor

Address Interface State ID Pri Dead
172 . 17 .23.2 ge-0/0/0.0 Ful l 172 .1 7 . 20.2 12 8 36
172 . 17 .23. 6 ge-0/0/1.0 Ful l 172 .1 7 . 20.3 12 8 33

Question: What is the state of your PE router's OSPF neighbors?

Answer: After a short time, the OSPF neighbors should attain the Fu ll state.

Step 1.6
Still on PE-1, enter into configuration mode and navigate to the [ edi t p r otocols bgp group my-int-
g r oup] hierarchy. Configure the IBGP group to use PE-l's loopback (172.17.20.1) as the source address of all
IBGP packets. Finally, configure the PE-1 router to peer with PE-2's loopback (172.17.20.6).

lab@Student-MX l:PE-1> configure

Entering configuration mode

[edit]

www.juniper.net Lab 1: BGP-Signaled L2VPNs 5

Junos Layer 2 VPNs
lab@Student-MXl:PE-1# edi t protocols bgp group my-int-group

[edit protocols bgp group my-int-group]

lab@Student-MXl:PE-1# set type internal

[edit protocols bgp group my-int-group]

lab@Student-MXl:PE-1# set local-address 172 . 17.20 .1

[edit protocols bgp group my-int-group]

lab@Student-MXl:PE-1# set neighbor 172 .1 7 . 20 . 6

[edit protocols bgp group my-int-group]

lab@Student-MXl:PE-1#

Step 1.7
Next, allow for the exchange of BGP Layer 2 VPN routes by enabling the 12vpn s i g n a l ing NLRI for PE-l's
BGP session with PE-2. Make sure to also enable the exchange of standard unicast 1Pv4 routes as well. Commit
your configuration and exit to operation mode using the commit and-quit command.

[edit protocols bgp group my-int-group]

lab@Student-MXl : PE-1# set family inet unicast

[ edit protocols bgp group my-int-group]

lab@Student -MXl:PE-1# set family 12 vpn signaling

[ edit protocols bgp group my-int-group]

lab@Student -MXl:PE-1# commit and-quit
commit complete
Exiting configu r ation mode

lab@Student -MXl:PE-1>

Step 1.8
Access the CLI of your Student-MX2 device using Secure Shell (SSH) as directed by your instructor.
Log in as user lab with the password supplied by your instructor. Enter into configuration mode and load this
lab's starting configuration file j 12v / lab l-s ta rt. conf ig and exit back to operational mode using the
commit and-quit command.

Step 1.9
On your Student-MX2 device, change your CLI to the PE-2 logical system.

On PE-2, enter into configuration mode and navigate to the [edi t proto cols bgp g roup my-int-
g roup J hierarchy. Configure the IBGP group to use PE-2's loopback (172.17.20.6) as the source address of all
IBGP packets. Ensure this IBGP session peers to PE-l's loopback address (172.17.20.1). Finally, ensure the
IBGP session is configured to allow the exchange of both the BGP Layer 2 VPN and inet NLRls.

Once you have completed your changes, commit your configuration and exit to operation mode using the
commit and-quit command.

Student-MX2 (tt ypO )

log i n : lab
Password :

Last logi n : Th u J ul 11 14:23:3 7 2021 from 1 72 . 25.11 . 254

--- J UNOS 2 1. 2Rl . 10 Kernel 64-bit JNPR- 12 . 0-20 1 80614 . 6c3f8 1 9 buil
lab@Student -MX2> configure
Entering configuration mode

[ edit]
lab@Student -MX2# load override j l2 v/lab l- start . config
load complete

6 Lab 1: BGP-Signaled L2VPNs www.juniper.net

 Junos Layer 2 VPNs

[ edit]
lab@Student-MX2# commit and-quit
commit complete
Exiting configuration mode

lab@Student-MX2> set cli logical-system PE-2

Logical system: PE-2
lab@Student-MX2:PE-2> configure
Entering configuration mode

[ edit]
lab@Student-MX2:PE-2# edit protocols bgp group my-int-group

[ edit protocols bgp group my-int-group]

lab@Student-MX2:PE-2# set type internal

[ edit protocols bgp group my-int-group]

lab@Student-MX2:PE-2# set local-address 172 . 17 . 20.6

[ edit protocols bgp group my-int-group]

lab@Student-MX2:PE-2# set neighbor 172 .1 7 . 20.1

[ edit protocols bgp group my-int-group]

lab@Student-MX2 : PE-2# set family inet unicast

[ edit protocols bgp group my-int-group]

lab@Student-MX2:PE-2# set family 12vpn signaling

[ edit protocols bgp group my-int-group]

lab@Student-MX2 : PE-2# commit and-quit
commit complete
Exiting configuration mode
lab@Student-MX2 : PE-2>

Step 1.10
Still on PE-2, verify that you r PE router has established an IBGP neighbor relationship with the PE-1 router.

lab@Student-MX2 : PE-2> show bgp neighbor

Peer: 1 72.17 . 20 .1 +179 AS 65512 Local: 172 .1 7.20 . 6 +62647 AS 65512
Group : my-int-group Routing- I nstance: master
Forwarding routing-instance: master
Type: Internal State : Established Flags: <Sync>
Last State : OpenConfirm Last Event: RecvKeepAlive
Last Error : None
Options: <LocalAddress AddressFamily Rib-group Refresh>
Options: <GracefulShutdownRcv>
Address families configured: inet-unicast 12vpn-signaling
Local Address : 172 .1 7 . 20.6 Holdtime: 90 Preference: 170
Graceful Shutdown Receiver local-preference: 0
Number of flaps: 0
Peer I D: 1 72.17.20 .1 Local I D: 1 72.17 . 20 . 6 Active Holdtime: 90
Keepalive I nterval : 30 Group index: 0 Peer index : 0 SNMP index: 0

I /0 Session Thread : bgpio-0 State: Enabled

BF D: disabled , down
NLRI for restart configured on peer: inet-unicast 12vpn
NLRI advertised by peer : inet-unicast 12vpn
NLRI for this session: inet-unicast 12vpn
Peer supports Refresh capability (2)
Stale routes from peer are kept for: 300
Peer does not support Restarter functionality
Restart flag received from the peer: Notification
NLRI that restart is negotiated for: inet-unicast 12vpn
NLRI of received end-of-rib markers: inet-unicast 12vpn
NLRI of all end-of-rib markers sent: inet-unicast 12vpn
Peer does not support LLGR Restarter functionality
Peer supports 4 byte AS extension (peer-as 65512)
Peer does not support Addpath
NLRI (s) enabled for color nexthop resolution : inet-unicast 12vpn
Table inet . O Bit: 20000
www.juniper.net Lab 1: BGP-Signaled L2VPNs 7
Junos Layer 2 VPNs
RIB State: BGP restart is complete
Send state: i n sync
Active prefixes : 0
Received prefixes : 0
Accepted prefixes : 0
Suppressed due to damp ing : 0
Advertised prefixes : 0
Table bgp .1 2vpn.O
RIB State: BGP restart is complete
RIB State: VPN restart is complete
Send state : not advertising
Active prefixes : 0
Received prefixes : 0
Accepted prefixes : 0
Suppressed due to damp ing : 0
Last traff ic (seconds): Received 23 Sent 23 Checked 8 1
I nput messages : Tota l 5 Updates 2 Refreshes O Octets 110
Output messages: Total 5 Updat es O Refreshes O Octets 11 0
Output Queue[l]: 0 (inet.O , inet-unicast)
lab@Student-MX2 :PE-2>

Question: Is the neighbor relationship in the established state with the remote PE
router?

Answer: The remote PE router should be in an established state with your PE

router. If it is not, double check the interface and BGP settings. If you need further
assistance, consult with your instructor.

Question: What NLRI types have been negotiated between PE-1 and PE-2?

Answer: You should notice that the NLRls for this session should be inet-unicast
and 12vpn.

Step 1.11
Now that you have the BGP peering up and working you will configure MPLS and LOP sessions. First, you must
enable the core facing interfaces to support MPLS forwarding.

Still on Student-MX:PE-2, enter into configuration mode and navigate to the [edi t int erfaces] hierarchy.
Enable the MPLS family on both core-facing interfaces.

lab@Student-MX2 :PE-2> configure

Entering configuration mode

[edit]
lab@Student-MX2 :PE-2# edit i n t er faces

[edit interfaces]
lab@Student-MX2 :PE-2# set ge-0/0/2 unit O fami l y mpls

[edit interfaces]
lab@Student-MX2 :PE-2# set ge-0/0/3 unit O fami l y mpls

[edit interfaces]
lab@Student-MX2 :PE-2#

8 Lab 1: BGP-Signaled L2VPNs www.juniper.net

 Junos Layer 2 VPNs

Step 1.12
Next, navigate to the [ edit protocols mp l s] hierarchy and configure t he MPLS protocol with t he core-
facing interfaces.

[ edit inte r faces]

lab@Student-MX2 : PE-2# top edit protocols mpls

[ edit protocols mpls]

lab@Student-MX2 : PE-2# set interface ge-0/0/2 . 0

[ edit protocols mpls]

lab@Student-MX2 : PE-2# set interface ge-0/0/3 . 0

[ edit protocols mpls]

lab@Student-MX2 : PE-2#

Step 1.13
Next, navigate to the [ edit protocols ldp] hierarchy. Enable LOP for t he two core-faci ng interfaces and
the loopback interface.

[ edit protocols mpls]

lab@Student-MX2 : PE-2# up

[ edit protocols]
lab@Student-MX2 : PE-2# edit ldp

[ edit protocols ldp]

lab@Student-MX2 : PE-2# set interface ge-0/0/2 . 0

[ edit protocols ldp]

lab@Student-MX2 : PE-2# set interface ge-0/0/3 . 0

[ edit protocols ldp]

lab@Student-MX2 : PE-2# set interface lo0 . 6

[ edit protocols ldp]

lab@Student-MX2 : PE-2#

Step 1.14
To allow for the automat ic generat ion of route distinguishers, navigate to the [edi t r outi n g-optio n s]
hierarchy and specify the r oute-di st i nguishe r -i d using PE-2's loopback address (172.17.20.6).

Once you are fi nished making your changes, comm it your configurat ion and exit out to operational mode using
the commi t and-quit command.

[ edit protocols ldp]

lab@Student-MX2 : PE-2# top edit routing-options

[ edit routing-options]
lab@Student-MX2 : PE-2# set route-distinguisher-id 172 . 17 . 20 . 6

[ edit routing-options]
lab@Student-MX2 : PE-2# commit and-quit
commit complete
Exiting configu r ation mode

lab@Student-MX2 : PE-2>

www.juniper.net Lab 1: BGP-Signaled L2VPNs 9

Junos Layer 2 VPNs

Step 1.15
Use the show mpls interface command to verify that MPLS is configured correctly on the core-facing
interfaces.

lab@Student-MX2 :PE-2> show mpls interface

Interface State Administrative groups (x: extended)
ge-0/0/2.0 Up <none>
ge-0/0/3.0 Up <none>

Question: Can your core-facing interfaces now support the transmission of MPLS
packets?

Answer: The output of the command shows that the two interfaces can now
support the forwarding of MPLS packets.

Step 1.16
Verify that your router has established LOP neighbor relationships with the neighboring P routers.

lab@Student -MX2:PE-2> show ldp neighbor

Address I nterface Label space ID Ho ld time
172 . 17 . 23.25 ge-0/0/2 . 0 1 72 .1 7 . 20 . 4 : 0 11
172 . 17 . 23.29 ge-0/0/3 . 0 1 72 .1 7 . 20 . 5:0 10
lab@Student -MX2:PE-2> show ldp session
Address State Connection Ho ld time Adv . Mode
172 . 17 . 20.4 Ope rat ional Open 27 DU
172 . 17 . 20.5 Ope rat ional Open 27 DU

Question: What is the state of your PE router's relationship with the neighboring P
routers?

Answer: The neighboring P routers should be in the Operational state with

your PE router.

Step 1.17
Verify that the inet. 3 routing table contains an LOP route to all the P routers as well as to the PE-1 router
using the show rout e table inet. 3 command.

lab@Student-MX2 :PE-2> show route table i net . 3

i ne t .3: 4 destinat ions , 4 rout es (4 active , 0 ho lddown , 0 hidden)

+ = Active Route , - = Last Active , *=Both
172 . 17 . 20.2/32 *[LDP /9 ) 00 : 04 : 24 , metric 1
> to 172 . 17 . 23.25 via ge-0/0/2 . 0 , Push 22
172 . 17 . 20.3/32 *[LDP /9 ) 00 : 04 : 24 , metric 1
> to 172 . 17 . 23.29 via ge-0/0/3 . 0 , Push 1 6
172 . 17 . 20.4/32 *[LDP /9 ) 00 : 04 : 24 , metric 1

10 Lab 1: BGP-Signaled L2VPNs www.juniper.net

 Junos Layer 2 VPNs
> to 172 . 17 . 23.25 via ge-0/0/2.0
172 . 17 .2 0 . 5/32 *[ LDP/9) 00 : 04 : 24, metric 1
> to 172 . 17 . 23.29 via ge-0/0/3.0

lab@Student-MX2 :PE-2>

Question: Do you see the LDP route to all internal routers including PE-1?

Answer: No, you should see the LDP routes in the inet . 3 routing table for P2,
P3, P4 and P5. You should not currently see any LDP information for PE-1.

Step 1.18
Return to Student-MX1 device.

On Student-MX1, in logical system PE-1, enable MPLS on the core facing interfaces. Then, make sure you
enable these interfaces for the MPLS and LOP protocols. Make sure you include the local loopback interface
(lo0.1) in your LOP configuration. Finally ensure the route distinguisher is automatically created using your
loopback address (172.17.20.1).

Once you are finished making your changes, commit your configuration and exit out to operational mode using
the commit and-quit command.

lab@Student-MX l:PE-1> configure

Entering configuration mode

[edit]
lab@Student-MX l:PE-1# set interfaces ge-0/0/0 unit 0 family mpls

[edit]
lab@Student-MX l:PE-1# set interfaces ge-0/0/1 unit 0 family mpls

[edit]
lab@Student-MX l:PE-1# set protocols mpls interface ge-0/0/0 . 0

[edit]
lab@Student-MX l:PE-1# set protocols mpls interface ge-0/0/1 . 0

[edit]
lab@Student-MXl :PE-1# set protocols ldp interface ge-0/0/0.0

[edit]
lab@Student-MXl :PE-1# set protocols ldp interface ge-0/0/1.0

[edit]
lab@Student-MXl :PE-1# set protocols ldp interface lo 0 . 1

[edit]
lab@Student-MXl :PE-1# set routing-options route-dist i ngu is her-id 1 72 .1 7 .20. 1

[edit]
lab@Student-MXl :PE-1# commit and-quit
commit complete
Exiting configuration mode

lab@Student-MX :PE-1>

www.juniper.net Lab 1: BGP-Signaled L2VPNs 11

Junos Layer 2 VPNs

Step 1.19
Use the show mpls interface command to verify that MPLS is configured correctly on the core-facing
interfaces.

lab@Student -MXl:PE-1> show mpls in te r fac e

Interface State Administrative g roups (x: extended)
ge -0 /0/0 . 0 Up <none>
ge -0 /0/ 1. 0 Up <none>

Question: Can your core-facing interfaces now support the transmission of MPLS
packets?

Answer: The output of the command shows that the two interfaces can now
support the forwarding of MPLS packets.

Step 1.20
Verify that your router has established LOP neighbor relationships with the neighboring P routers.

lab@Student -MXl:PE-1> show ldp ne ighbor

Address I nterfac e Label space ID Ho ld time
172 . 17 . 23.2 ge-0/0/0 . 0 1 72 .1 7 . 20 . 2:0 14
172 . 17 . 23 . 6 ge-0/0/1 . 0 1 72 .1 7 . 20 . 3:0 14
lab@Student -MXl:PE-1> show ldp session
Address State Connection Ho ld time Adv . Mode
172 . 17 . 20 . 2 Ope rat ional Ope n 29 DU
172 . 17 . 20 . 3 Ope rat ional Open 29 DU

Question: What is the state of your PE-1 router's relationship with the neighboring
P routers?

Answer: The neighboring P routers should be in the Operational state with

your PE-1 router.

Step 1.21
Verify that the inet. 3 routing table contains an LOP route to all the P routers as well as to the PE-1 router
using the s h ow rout e table inet. 3

lab@Student -MXl:PE-1> show route table i net . 3

i ne t .3: 5 dest inations , 5 rout es (5 active , 0 ho l d down , 0 h idden)

+ = Active Route , - = Last Active , *=Both
172 . 17 . 20 . 2/32 *[LDP /9 ) 00 : 04 :1 6 , metric 1
> to 172 .1 7 . 23.2 via ge-0/0/0 . 0
172 . 17 . 20.3/32 *[LDP /9 ) 00 : 04 :1 6 , metric 1
> to 172 .1 7 . 23.6 via ge-0/0/1 . 0
172 . 17 . 20.4/32 *[LDP /9 ) 00 : 04 :1 6 , metric 1

12 Lab 1: BGP-Signaled L2VPNs www.juniper.net

 Junos Layer 2 VPNs
> to 172 .1 7 . 23 . 2 via ge - 0/0/0 . 0, Push 23
172 . 17 . 20 . 5/32 *[ LDP /9 ) 00 : 04 :1 6 , met ri c 1
> to 172 .1 7 . 23 . 6 via ge - 0/0/1 . 0, Push 1 7
172 . 17 . 20 . 6/32 * [ LDP /9 ) 00 : 04 :1 6 , met ri c 1
to 172 .1 7 . 23 . 2 via ge - 0/0/0 . 0, Push 30
> to 172 .1 7 . 23 . 6 via ge - 0/0/1 . 0, Push 3 1

lab@Student-MXl: PE -1 >

Question: Do you see the LDP route to all internal routers including PE-2?

Answer: Yes, you should now see a LDP route in the inet. 3 routing table for
P2, P3, P4, P5 and PE-2.

Step 1.22
Verify MPLS connectivity from PE-1 (172.17.20.1) to PE-2 (172.17.20.6) using the MPLS ping utility.

lab@Student - MX l: PE -1 > pin g mp l s l dp 172 . 17 . 20 . 6

I I I I I
--- lsp i ng statistics ---
5 packets transmitted , 5 packe ts r eceived, 0 % packet loss

lab@Student - MX :PE-1>

Question: Are your MPLS pings successful?

Answer: Yes, your pings should succeed. If they do not, verify your configuration
and contact your instructor if you need assistance.

www.juniper.net Lab 1: BGP-Signaled L2VPNs 13

Junos Layer 2 VPNs

Part 2: Verifying The PE To CE Interfaces

In t his lab part, you will verify t he preconfigurations on both of your CE1 logical systems and answer some
questions pertaining to what is configured. Then, you wil l review t he PE to CE1 interface configurations from t he
PE's perspective.

Step 2.1
On your Student-MX1 device, change the CLI to the CE1-1 routing instance.

On CE1-1, use t he show configuration command to view the configuration of the CE router.

lab@Student-MXl:PE-1> set cli logical-system CEl-1

Logical system: CEl- 1
lab@Student-MX l:CE l- 1 > show configuration
i n t er faces {
ge-0/0/2 {
unit 610 {
vla n- i d 61 0 ;
family inet {
address 1 0 . 1 . 0 . 1/24 ;
}
}
}
loO {
unit 1 1 {
family inet {
address 1 0 . 1 . 20.1/32 ;
}
}
}
}
policy-options {
policy-statement export- po l icy {
term static {
from protocol static;
the n accept ;
}
term direct {
from protocol d i rect;
the n accept ;
}
}
}
routi n g-opt ions {
autonomous-system 65 1 01 ;
static {
rou t e 1 0 . 1 .1. 0/24 recei' ve ;
rou t e 1 0 . 1 .2. 0/24 recei' ve ;
rou t e 1 0 . 1 . 3 . 0/24 recei' ve ;
rou t e 1 0 . 1 . 0 . 0/24 recei' ve ;
}
}

lab@Student - MX l:CE l -1>

Question: What interfaces have been configured on the CE1-1 router? According
to the lab diagram, do they have the appropriate IP addressing?

14 Lab 1: BGP-Signaled L2VPNs www.juniper.net

 Junos Layer 2 VPNs

Answer: The CE1-1 router should have both the loopback and ge-0/0/2 interface
configured with the appropriate addressing according to the lab diagram.

Question: What is configured under the routing-options hierarchy?

According to the lab diagram, are these settings appropriate?

Answer: Four static routes (next hop of receive) and the CE router's autonomous
system should be configured under routing-options hierarchy. These
settings are appropriate.

Question: What is configured under the policy-options hierarchy? What

does this policy do?

Answer: A policy called export-policy is configured under policy-options hierarchy.

If applied as an export policy, this policy will redistribute active direct and static
routes into the protocol to which it is applied. It is currently not applied to any
protocol in the configuration.

Question: What is the IP address of the CE1-1's ge-0/0/2 interface? How does
this compare to CE1-2's interface outlined on the topology?

Answer: CE1-1's ge-0/0/2 interface is assigned the 10.1.0.1 address and it

should be on the same subnet as the CE1-2. You will verify that in the next step.

Question: Why must both CE1 router interfaces be in the same subnet?

Answer: The reason both CE1 router interfaces must be in the same subnet is
because you are configuring the PE router to pass the traffic based on the Layer 2
information. As far as the CE1 routers are concerned, they are directly connected.

Step 2.2
Return to your Student-MX2 device, change the CLI to the CE1-2 logical system.

On Student-MX2, in the logical system CE1-2, use the s h ow conf i gu r ation command to view the
configuration of the CE router and answer the questions.

lab@Student-MX2 : PE - 2> set cli logical-system CEl -2

www.juniper.net Lab 1: BGP-Signaled L2VPNs 15
Junos Layer 2 VPNs
Logical system : CEl-2
lab@Student-MX2:CE1-2> show configuration
interfaces {
ge-0/0/ 1 {
unit 610 {
vlan-id 61 0 ;
family inet {
address 10 . 1 . 0 . 2/24;
}
}
}
loO {
unit 12 {
fami l y inet {
address 10 . 1 . 20 . 2/32 ;
}
}
}
}
policy-options {
policy-statement export-policy {
te r m static {
from protocol static ;
then accept ;
}
te r m direct {
from protocol di r ect ;
then accept ;
}
}
}
routing-options {
autonomous-system 65101 ;
static {
'
route 10 . 1 . 4 . 0/24 receive ;
'
route 10 . 1 . 5 . 0/24 receive ;
'
route 10 . 1 . 6 . 0/24 receive ;
route 10 . 1 . 7 . 0/24 receive ;
'

}
}

lab@Student-MX2 : CE1-2>

Question: What is the IP address of CE1-2's PE facing interface?

Answer: The CE1-2's interface should be configured with the 10.1.0.2 address,
which means it should be on the same subnet as the CE1-1.

Step 2.3
Still on CE1-2, use the pi n g utility with the rapid option to attempt to ping the CE1-1 router's ge-0/0/2
interface address (10.1.0 .1) five times.

lab@Student-MX2 : CE1-2> ping 1 0 . 1 . 0.1 r apid count 5

PI NG 1 0 . 1 . 0 .1 ( 1 0 . 1 . 0 . 1) : 56 data bytes
• • • • •
--- 10 .1. 0 .1 ping statistics ---
5 packets transmitted, 0 packets r eceived , 1 00 % packet loss
lab@Student-MX2 : CE1-2>

16 Lab 1: BGP-Signaled L2VPNs www.juniper.net

 Junos Layer 2 VPNs

Question: Do your pings succeed? Why?

Answer: The pings do not succeed because the local and remote PE router's CE
facing interfaces have not been configured as part of a layer 2 VPN.

Step 2.4
Return to your Student-MX1 device, change the CLI to the PE-1 logical system.

On PE-1, review the configuration of your CE1-1 facing interfaces (ge-0/0/ 4). If you want you can also verify the
PE-2 to CE1-2 interface. The configuration should have the same properties and encapsulation.

lab @Stu d e nt - MXl: CEl -1 > s et c li log i ca l- syste m PE- 1

Log i ca l s yste m: PE -1

lab @Stu d e nt - MXl: PE -1 > show co nf igu rat i o n in t er fac es g e- 0/0/4

u ni t 6 1 0 {
enc ap sulat i o n v l a n- c c c ;
v l a n- id 610 ;
}

lab @Stu d e nt - MXl: PE -1 >

Question: What encapsulation is enabled on the CE1 facing logical interface?

Answer: The logical interface should have vlan-ccc encapsulation enabled.

Question: Why don't you see the physical properties like vlan-tagging and
encapsulation?

Answer: When working with logical systems, the physical properties are defined in
the main instance and are inherited by the logical interface in the logical system.

Question: Do you see any Layer 3 information on the interface?

www.juniper.net Lab 1: BGP-Signaled L2VPNs 17

Junos Layer 2 VPNs

Answer: No, because we are configuring a Layer 2 VPN there will not be any Layer
3 information associated with this interface.

18 Lab 1: BGP-Signaled L2VPNs www.juniper.net

 Junos Layer 2 VPNs

Part 3: Configuring A BGP Layer 2 VPN Instance

In this lab part, you will configure a BGP Layer 2 VPN instance. You begin by enabling BGP to signal the Layer 2
NLRI. You will create your BGP Layer 2 VPN instance and assign a unique route target (65512: 1). You will
include your CE1-facing interface within this instance. In this lab you will be using the v rf-target option
because of its simplicity. Please note that vrf-impo r t and vrf-export policies would work also.

Step 3.1
On your Student-MX1 device, ensure the CLI is set to the PE-1 logical system.

On PE-1, enter into configuration mode and navigate to the [edit routing-instances vpn-A] hierarchy.
Configure the instance type as 12vpn and define the VR F target using the 65512:1 community value . Finally
include the CE-1 facing interface (ge-0/0/4.610) in the VPN. Make sure you include the correct unit value when
applying the interface.

lab@Student-MX l:PE-1> configure

Entering configuration mode

[edit]
lab@Student-MX l:PE-1# edit routing-instances vpn-A

[edit routing -instances vpn -A]

lab@Student-MXl :PE-1# set instance-type 12vpn

[edit routing -instances vpn -A]

lab@Student-MXl :PE-1# set vrf-ta rget target : 65512:1

[edit routing -instances vpn -A]

lab@Student-MX l:PE-1# set interface ge-0/0/4 .61 0

[edit routing -instances vpn -A]

lab@Student-MXl :PE-1#

Step 3.2
Still on PE-1, navigate to the [edi t rou ting-ins tance s vpn-A protocols 12vpn] hierarchy.
Configure the encapsulation type as ethernet-vlan and define your site name as CEl-1 . Please refer to
lab diagram to determine which site identifier you should use. Because we are only dealing with 2 sites, you will
not need to configure the remote site ID. You must also indicate the interface (ge-0/0/4.610) that will be
participating in your BGP Layer 2 VPN for this site. Commit and exit to operational mode after you have
completed your changes.

[edit routing -instances vpn -A]

lab@Student-MXl :PE-1# edit protocols 12vpn

[edit routing -instances vpn -A protocols 12vpn]

lab@Student-MXl :PE-1# set encapsulation-type ethernet-vlan

[edit routing -instances vpn -A protocols 12vpn]

lab@Student-MXl :PE-1# set site CEl-1 site-identifier 1

[edit routing -instances vpn -A protocols 12vpn]

lab@Student-MXl :PE-1# set site CEl-1 interface ge-0/0/4.610

[edit routing -instances vpn -A protocols 12vpn]

lab@Student-MXl :PE-1# show
site CEl-1 {
interface ge-0/0/4.610;
site-identifier 1;
}
encapsulation-type ethernet-vlan;

[edit routing -instances vpn -A protocols 12vpn]

lab@Student-MXl :PE-1# commit and-quit
commit complete
Exiting configuration mode
www.juniper.net Lab 1: BGP-Signaled L2VPNs 19
Junos Layer 2 VPNs

lab@Student-MXl:PE-1>

Step 3.3
Return to your Student-MX2 device, change the CLI to the PE-2 logical system.

On PE-2, enter into configuration mode and configure the Layer 2 VPN routing instance with the properties
needed for this side including, name: vpn-A , instance-type: 12vpn , VRF target: ta r get : 65512 : 1, and
interface: ge-0 / O/ 6 . 61 O. Next, configure the Layer 2 VPN protocol parameters including the encapsulation
type: ethernet-vlan, site name: CEl -2 , site identifier: 2 . and the site interface: ge-0/0/6 . 610 .

Once completed commit and exit to operational mode using the commit and-quit command .

lab@Student-MX2 :CE1-2> set cli logical-system PE-2

Logical system: PE-2

lab@Student-MX2 :PE-2> configure

Entering configuration mode

[edit]
lab@Student-MX2 :PE-2# edit routing-instances vpn-A

[edit routing -instances vpn -A]

lab@Student-MX2 :PE-2# set instance-type 12vpn

[edit routing -instances vpn -A]

lab@Student-MX2 :PE-2# set interface ge-0/0/6 .610

[edit routing -instances vpn -A]

lab@Student-MX2 :PE-2# set vrf-ta rget target : 65512:1

[edit routing -instances vpn -A]

lab@Student-MX2 :PE-2# edit protocols 12vpn

[edit routing -instances vpn -A protocols 12vpn]

lab@Student-MX2 :PE-2# set encapsulation-type ethernet-vlan

[edit routing -instances vpn -A protocols 12vpn]

lab@Student-MX2 :PE-2# set site CEl-2 site-identifier 2

[edit routing -instances vpn -A protocols 12vpn]

lab@Student-MX2 :PE-2# set site CEl-2 interface ge-0/0/6 . 610

[edit routing -instances vpn -A protocols 12vpn]

lab@Student-MX2 :PE-2# show
site CEl-2 {
interface ge-0/0/6.610;
site-identifier 2;
}
encapsulation-type ethernet-vlan;

[edit routing -instances vpn -A protocols 12vpn]

lab@Student-MX2 :PE-2# commit and-quit
commit complete
Exiting configuration mode

lab@Student-MX2 :PE-2>

Step 3.4
Still on PE-2, verify your Layer 2 VPN connection status by issuing the show 12vpn connections
command.

lab@Student-MX2 :PE-2> show 12vpn connections

Layer-2 VPN connections :

Legend for connection status (St)

EI encapsulation invalid NC -- interface encapsulation no t CCC/TCC/VPLS
EM -- encapsulation mismatch WE -- interface and i ns tance encaps not same

20 Lab 1: BGP-Signaled L2VPNs www.juniper.net

 Junos Layer 2 V PN s
VC-Dn -- Virtual circuit down NP
interface hardware not present
CM control-word mismatch ->
only outbound connection is up
CN circuit not provisioned <- only inbound connection is up
OR out of range Up operational
OL no outgoing label Dn down
LD local site signaled down CF call admission control failure
RD remote site signaled down SC local and remote site I D collision
LN local site not designated LM local site I D not minimum designated
RN remote site not designated RM remote site I D not minimum designated
xx unknown connection status IL no incoming label
MM MTU mismatch MI Mesh-Group I D not available
BK Backup connection ST Standby connection
PF Profile parse failure PB Profile busy
RS remote site standby SN -- Static Neighbor
LB Local site not best-site RB Remote site not best-site
VM VLAN I D mismatch HS -- Hot-standby Connection

Legend for interface status

Up -- operational
Dn -- down

Instance : vpn-A
Edge protection : Not-Primary
Local site : CE l -2 (2)
connection-site Type St Time last up # Up trans
1 rmt Up Aug 27 12 : 45 : 35 2021 1
Remote PE : 172 .1 7 . 20 . 1 , Negotiated control-word: Yes (Null)
I ncoming label : 21 , Outgoing label: 22
Local interface : ge-0/0/6 . 610 , Status : Up , Encapsulation: VLAN
Flow Label Transmit : No , Flow Label Receive : No

lab@Student-MX2 : PE-2>

Question: What is the status of your connection?

Answer: Your connection should show a status value of Up. If it does not, find the
status code value in the legend and review your configuration. Contact your
instructor for assistance, if needed.

Step 3.5
Return to your Student-MX1 device, change the CLI to the CE1-1 logical system.

On CE1-1, use ping to verify reachability to the CE1-2 PE facing interface address (10.1.0.2).

lab@Student-MXl:PE-1> set cli logical-system CEl -1

Logical system : CEl- 1

lab@Student-MXl : CEl- 1 > ping 10 . 1 . 0 . 2 count 5

PI NG 10 . 1 . 0 . 2 (10 . 1 . 0 . 2) : 56 data bytes
64 bytes f r om 10 . 1 . 0 . 2: icmp seq=O ttl =64 time= 35 . 744 ms
64 bytes f r om 10 . 1 . 0 . 2: icmp- seq= l ttl =64 time= 5 . 287 ms
64 bytes f r om 10 . 1 . 0 . 2: icmp- seq= 2 ttl =64 time= 6 . 080 ms
64 bytes f r om 10 . 1 . 0 . 2: icmp- seq= 3 ttl =64 time= 246 . 164 ms
64 bytes f r om 10 . 1 . 0 . 2: icmp- seq= 4 ttl =64 time=4 62 . 716 ms

--- 10 .1. 0 . 2 ping statistics ---

5 packets transmitted , 5 packets received , 0 % packet loss
round-trip min/avg/max/stddev = 5 . 287/ 1 51 . 198/462 . 7 1 6/179 . 856 ms
lab@Student-MX : CEl-1>

www.juniper.net Lab 1: BGP-Signaled L2VPNs 21

Junos Layer 2 VPNs
Question: Do your ping requests complete?

Answer: Yes, your ping requests should complete. If they do not, review your
configurations and request assistance from the instructor, if needed.

22 Lab 1: BGP-Signaled L2VPNs www.juniper.net

 Junos Layer 2 VPNs

Part 4: Configuring Routing Protocols On The CE Router

In this lab part, you will configure OSPF on your CE1 routers. You will create a policy that will export your static
routes to your OSPF neighbor. You will peer with the remote CE1 router across the BGP Layer 2 VPN you just
created . You will then configure the CE1 router to share the static routes that are preconfigured. Once you have
completed the configurations on one side you will move to the other CE1 device and configure a return peering
session and policy to share its routes. After establishing an OSPF neighborship between the two CE1 devices
you will verify that you are receiving the remote networks and verify reachability to the remote loopback using
the ping utility.

Ste p 4.1
On your Student-MX1 device, ensure the CLI is set to the CE1-1 logical system.

On Student-MX1, in the logical system CE1-1, enter into configuration mode and navigate to the [edit
po l icy-opt i ons pol i cy-state me nt stati cs ] hierarchy. Define a term called acce pt-stati cs
that matches and accepts all static routes. This policy will be used to redistribute these static routes into OSPF.

lab@Student-MXl : CEl- 1 > configure

En t ering configuration mode

[ edit]
lab@Student-MXl : CE l - 1 # edit polic y -options policy-statement s t atics

[ edit policy-options policy- s t atement s t atics ]

lab@Student-MXl : CEl- 1 # se t term accept-stat i cs from protocol static

[ edit policy-options policy- s t atement s t atics ]

lab@Student-MXl : CEl- 1 # se t term accept-statics t hen accept

[ edit policy-options policy- s t atement s t atics ]

lab@Student-MXl : CEl- 1 # s h ow
term accept-statics {
f r om p r o t oco l stat ic ;
then accept ;
}

[ edit policy-options policy- s t atement s t atics ]

lab@Student-MXl : CEl- 1 #

Step 4.2
Next, navigate to the [edit protocols ospf J hierarchy. Configure your loop back (lo0.11) and PE-facing
interface (ge-0/0/2.610) under area 0. Then, apply the policy stati cs you defined as an export policy to your
OSPF protocol. This action will export your static routes to your peer. Commit and exit to operational mode using
the commi t a nd-quit command.

[ edit policy-options policy-s t atement s t atics ]

lab@Student-MXl : CE l - 1 # top edi t p r otocols ospf

[ edit protocols ospf]

lab@Student-MXl : CE l - 1 # se t a r ea O interface ge-0/0/2 . 610

[ edit protocols ospf]

lab@Student-MXl : CE l - 1 # se t a r ea O interface lo0 .1 1

[ edit protocols ospf]

lab@Student-MXl : CE l - 1 # se t export statics

[ edit protocols ospf]

lab@Student-MXl : CE l - 1 # commit and-qu it
commit complete
Exi t ing configu r ation mode

l ab@Student-MXl : CE l - 1 >

www.juniper.net Lab 1: BGP-Signaled L2VPNs 23

Junos Layer 2 VPNs

Step 4.3
Return to you r Student-MX2 device .

On Student-MX2, in t he logical system CE1-2, enter into configuration mode and navigate to the [ edi t
po l icy-opt i ons pol i cy-stateme nt stati c s ] hierarchy. Define a term ca lled acce pt-stati cs
that matches and accepts all static routes. Next, navigate to the [edi t protocols ospf ] hierarchy.
Configure you r loopback (lo0.12) and PE-facing interface (ge-0/0/1.610) under area 0 . Then, apply t he policy

lab@Student-MX2 : CE1-2> configure

Entering configuration mode

[edit]
lab@Student-MX2 : CE1-2# edit policy-options policy-statement statics

[edit policy-options policy-statement statics]

lab@Student-MX2 : CE1-2# set term accept-statics from protocol static

[edit policy-options policy-statement statics]

lab@Student-MX2 : CE1-2# set term accept-statics then accept

[edit policy-options policy-statement statics]

lab@Student-MX2 : CE1-2# top edit protocols ospf

[edit protocols ospf]

lab@Student-MX2 : CE1-2# set area O interface ge-0/0/1 . 610

[edit protocols ospf]

lab@Student-MX2 : CE1-2# set area O interface lo0 .1 2

[edit protocols ospf]

lab@Student-MX2 : CE1-2# set export statics

[edit protocols ospf]

lab@Student-MX2 : CE1-2# commit and-quit
commit complete
Exiting configuration mode
lab@Student-MX2 : CE1-2>

Step 4.4
Verify t hat t he neighbor relationship has established between t he CE routers by issuing the s h ow ospf
n e i ghbor command.

lab@Student-MX2 : CE1-2> s h ow ospf neigh bor

Address Interface State ID Pri Dead
10 .1. 0 .1 ge-0/0/ 1 . 610 Fu l l 1 0 . 1 . 20 . 1 1 28 35

Step 4.5
Review the routes being learned by OSPF and ensure you have t he remote CE router's static routes by issuing
the show rou t e pro tocol ospf command.

lab@Student-MX2 : CE1-2> show route protocol ospf

inet . O: 12 destinations , 1 2 routes (12 active , 0 holddown , 0 hidden)

+ = Active Route , - = Last Active , * = Both

10 .1. 1 . 0/24 *[OS PF/150) 00 : 00 : 37 , metric 0 , tag 0

> to 10 .1. 0 .1 via ge-0/0/1 . 610
10 .1. 2 . 0/24 *[OS PF/150) 00 : 00 : 37 , metric 0 , tag 0
> to 10 .1. 0 .1 via ge-0/0/1 . 610
10 .1. 3 . 0/24 *[OS PF/150) 00 : 00 : 37 , metric 0 , tag 0
> to 10 .1. 0 .1 via ge-0/0/1 . 610
10 .1. 20 . 1/32 *[OS PF/10) 00:00 : 37 , metric 1
> to 10 .1. 0 .1 via ge-0/0/1 . 610
224 . 0 . 0 . 5/32 *[OS PF/10) 00:00 : 47 , metric 1
24 Lab 1: BGP-Signaled L2VPNs www.juniper.net
 Junos Layer 2 VPNs
Mu l tiRecv
in e t6 . 0 : 1 d e stinations , 1 routes (1 active , 0 holddown , 0 h i dde n )

lab@Student-MX2 : CE1-2>

Question: Do you see all the CE1·1 router's static routes?

Answer: Yes, you shou ld see all the static routes from CE1-1's network. If you do
not, check your configurations on CE1-1 and request assistance from the
instructor, if needed.

Step 4.6
Verify you have reachabi lity to CE1-1's network by pinging the loopback address (10.1.20.1) f ive times, while
sourci ng the packets from CE1-2's loopback address (10.1.20.2).

lab@Student-MX2 : CE1-2> ping 1 0 . 1 . 20 . 1 sou r ce 10 . 1 . 20 . 2 count 5

PI NG 1 0 . 1 . 20 . 1 ( 1 0 .1. 20 .1 ) : 56 d ata bytes

64 bytes f r om 1 0 . 1 . 20 . 1 : i' cmp- seq= O tt l = 64 time =264 . 498 ms
64 bytes f r om 1 0 . 1 . 20 . 1 : i' cmp- seq= l tt l = 64 time = 315 . 814 ms
64 bytes f r om 1 0 . 1 . 20 . 1 : i' cmp- seq= 2 tt l = 64 time = 368 . 832 ms
64 bytes f r om 1 0 . 1 . 20 . 1 : i' cmp- seq= 3 tt l = 64 time =27 . 4 1 4 ms
64 bytes f r om 1 0 . 1 . 20 . 1 : i' cmp- seq= 4 tt l = 64 time = 5 . 3 1 7 ms

- -- 10 . 1 . 20 . 1 ping statistics ---

5 packets transmitted , 5 packets r eceived , 0 % packet loss
round-trip mi n/avg/max/stddev = 5 . 317/ 1 96 . 375/368 . 832/ 1 50 . 797 ms

lab@Student-MX2 : CE1-2>

Question: Do your pings complete?

Answer: Yes, you shou ld be able to ping the remote CE router's loopback address.
If you are not able to, please review your configuration and routes that you are
receiving. Please request assistance from the instructor, if needed.

Step 4.7
Log out of your assigned devices using the e x it command.

lab@Student-MX2 : CE1-2> c l ear c l i logical-system

Cl eared default logical system
lab@Student-MX2> exit

Student-MX2 (ttyuO)
login :

www.juniper.net Lab 1: BGP-Signaled L2VPNs 25

Junos Layer 2 VPNs

. • • Tell your instructor that you have completed this lab.

26 Lab 1: BGP-Signaled L2VPNs www.juniper.net

 Junos Layer 2 VPNs

Lab 2: L2VPNs - Advanced Concepts

Overview
In t his lab, you will establish a Layer 2 VPN BGP peering using a route reflector (RR). You will add an additional
point-to-point BGP Layer 2 virtual private network (VPN) to demonstrate the benefit of route-target filtering.

The setup uses logical systems, a Junos feature which allows to partition a single router into multiple logical
devices, each with independent configuration; we will use logical systems to simulate a more complex
environment.

By completi ng this lab, you will perform t he following tasks:

• Load t he initial configuration and verify proper operat ion of t he IGP.

• Establish a IBGP peering to a route reflector and add protocol support for t he Layer 2 VPN NLRI.

• Create and establish a second BGP Layer 2 VPN over t he core network.

• Create a route-target mismatch on the newly added BGP Layer 2 VPN, and use the keep a l l
option in the BGP configuration.

• Verify connectivity and behavior using operational mode commands incl uding commands used to
examine routing tables.

• Add t he famil y route-t arge t to t he BGP group configuration to enable route-ta rget filtering.

• Verify connectivity and behavior using operational mode commands incl uding commands used to
examine routing tables. You should see t he effect of the route-target filtering.

www.juniper.net Lab 2: L2VPNs Advanced Concepts 27

Junos Layer 2 VPNs

Lab Diagrams

Management Network Diagram

Management Network
172 .25. 11.0/24
Virtua l Student Desktop Cons ole a nd I
VNC Connections '==c:::, I
I
•=
I Physica l
Desktops

Management Addresses
Student-MX1 172.25.11 .1
Manageme nt Port Student-MX2 172.25.11 .2
fxpO (on all vMX devices) vr-device 172.25.11 .3
Student Desktop 172.25.11 .254

Student
Virtual Environment Note: Your instructor will provide the information
you need to access your student desktop.

Junw I ,

Lab: L2VPNs - Advanced Concepts, Part 1

VR-Device
CE2-1 (
I
-------------------- '
P2 172.17.23.1 2/30 p I
CE2-2
I Route Reflectorl---------1 4 1
I loO 172 _17 _20_2 .13 .14 loO 172.17.20.4 I
'\, ~ -~6"
N

.....
X
~
..!. PE-1
AS 65512
OSPF
PE-2
-
en
C:
C.
CD
C: AreaO :::,
Q) 'i'"
s::
-
-0
:::,
C l) ~

0 N
• IS"
~
N
I 172.17.23.16/30 I
P3 PS
I I
CE1-1 loO 172.17 .20.3 .1 7 .18 loO 172.17.20.5 CE1-2
I I
' -------------------~
O 2021 Juniper Network! JUn~J I 2

28 Lab 2: L2VPNs Advanced Concepts www.juniper.net

 Junos Layer 2 VPNs

Lab: L2VPNs - Advanced Concepts, Part 2-4

CE2-1 CE2-2
lo0.21 10.2.20.1 lo0.22 10.2.20.2
Site ID 1 Site ID 2
I")
a -. 0

~ ...
N
.
~~
c,q ~
(0
d, !:::!
c,q ~
(0
0 z q z
a_ o .
"'<'i <(
a .
a~ ~
... N

., 5 ::::::
..-
><
~
.!.
C:
o -
C)

PE-1
~- - --- ---- ----------- - ----- - -- - .
~ BGP Layer 2 VPNs
AS 65512
...:::...
............
'
8,

PE-2
-
en
C:
C.
CD
::,
Q) lo0.1 172.17.20.1 OSPF lo0.6 172.17.20.6 '7
"'C
::, ·~ Area O s::
~d, !:::!... ~
~
(0

u5 a
o,C?
-z
0
(0

~! ./ 9., ...
o,O
!:::! -
0
(0

--
q <( q z
N-
a· 5 a· 1>
a• ~ a~
•
8,
- 8, N

CE1-1 CE1-2
lo0.111 0.1.20.1 lo0.1210.1.20.2
Site ID 1 S ite ID 2
,

O 2021 Juniper Network! Junw I 3

www.juniper.net Lab 2: L2VPNs Advanced Concepts 29

Junos Layer 2 VPNs

Part 1: Creating The Baseline SP Network And Enabling PE For Layer 2

VPN Signaling
In this lab part, you will configure the baseline network for the lab. You will load a baseline configuration and
then configure a MP-BGP peering session with the route reflector, and configure a route-distinguisher ID.

NOTE: > The instructor will tell you the nature of your
access and will provide you with the necessary details to
access your assigned device.

Step 1.1
You should make sure you are familiar with the lab topology and environment. Th is lab is comprised of ten
logical devices that are operating on three virtual MX (vMX) routers. These vMXs are nested inside an ESXi
environment. The six devices you are in charge of configuring are (PE-1, CE1-1 and CE2-1 ) residing on Student-
MX1 as logicial systems and (PE-2, CE1-2 and CE2-2) residing on Student-MX2 as logical systems. The core
devices (P2 , P3, P4, and P5) are preconfigured on vr-device also as logical systems.

Step 1.2
Consult the management network diagram, provided by your instructor, to determine your device's
management address.

Question: What is the management address of Student-MX1 and Student-MX2?

Answer: The management IP address of Student-MX1 is 172.25.11.1 and

Student-MX2 is 172.25.11.2

Step 1.3
Access the CLI of your Student-MX1 device using Secure Shell (SSH) as directed by your instructor.

Log in as user l ab with the password supplied by your instructor. Enter into configuration mode and load this
labs starting configuration file j 1 2v / l a b 2-s ta r t . co nf ig and exit back to operational mode using the
commit a nd-qui t command.

Student-MXl (ttypO)

log i n : lab
Passwo r d :

Last login : Thu July 1 1 1 4 : 23 : 37 2021 from 1 72 . 25 .11. 254

--- JUNOS 2 1. 2Rl. 10 Kernel 64-bit JNPR-12 .1 -202 1 0529 . 2f59a40 bui l
lab@Student-MX l > conf i gu r e
Entering configuration mode

[edi t]
lab@Student-MX l # load override j l 2v/lab2-start . config
load complete

[edi t]
lab@Student-MX l # commi t and-quit
commit comp l ete
Exiting configu r ation mode

lab@Student-MX l >
30 Lab 2: L2VPNs Advanced Concepts www.juniper.net
 Junos Layer 2 VPNs

Step 1.4
Access t he CLI of your Student-MX2 device using Secure Shell (SSH) as directed by your instructor.

Log in as user lab with the password supplied by your instructor. Enter into configurat ion mode and load this
labs starting configuration file j 1 2v / l a b 2-s ta r t . co nf ig and exit back to operat ional mode using the
commi t a nd-quit command.

Student-MX2 (ttypO)

log i n : lab
Passwo r d :

Last login : Thu July 1 1 1 4 : 23 : 37 2021 from 1 72 . 25 .11. 254

- -- JUNOS 2 1. 2Rl. 10 Kernel 64-bit JNPR-12 .1- 202 1 0529 . 2f59a40 bui l
lab@Student-MX2> conf i gu r e
Entering configuration mode

[edi t]
lab@Student-MX2# load override j l 2v/lab2 - start . config
load complete

[edi t]
lab@Student-MX2# commi t and- quit
commit comp l ete
Exiting configu r ation mode

lab@Student-MX2>

Step 1.5
Return to you r Student-MX1 device, change your CLI to the PE-1 logical system.

On PE-1, use the s how c onf igu rat ion protoco ls command to determine what protocols have been
pre-defined on your PE-1 device.

lab@Student-MX l > set cli logical-system PE - 1

Log i ca l system : PE- 1

lab@Student-MX l : PE- 1 > show configuration p r otocols

ldp {
interface ge-0/0/0 . 0 ;
interface ge-0/0/ 1. 0 ;
interface l o0 . 1 ;
}
mpls {
interface ge-0/0/0 . 0 ;
interface ge-0/0/ 1. 0 ;
}
ospf {
a r ea 0 . 0 . 0 . 0 {
interface ge-0/0/0 . 0 ;
interface ge-0/0/ 1. 0 ;
interface lo0 . 1 ;
}
}

lab@Student-MX l : PE - 1 >

www.juniper.net Lab 2: L2VPNs Advanced Concepts 31

Junos Layer 2 VPNs

Question: Which protocols have been preconfigured for you?

Answer: OSPF, LDP, and MPLS have all been preconfigured.

Step 1.6
Review PE-l 's predefined interfaces using the show configuration interfaces command.

lab@Student-MXl:PE-1> show configuration interfaces

ge-0/0/0 {
u ni t O {
family inet {
address 1 72 .1 7 .23.1 /30 ;
}
family mpls;
}
}
ge-0/0/ 1 {
u ni t O {
family inet {
address 1 72 .1 7 .23.5 /30 ;
}
family mpls;
}
}
ge-0/0/4 {
u ni t 610 {
encapsulation v lan-ccc;
vlan-id 610;
}
}
ge-0/0/5 {
unit 620 {
encapsulation v lan-ccc;
vlan-id 620;
}
}
loO {
unit 1 {
family inet {
address 1 72 .1 7 .2 0 .1 /32 ;
}
}
}

lab@Student-MXl:PE-1>

Question: Do you see configurations for all the expected interfaces including the
PE to CE interfaces outlined on the lab diagram.

32 Lab 2: L2VPNs Advanced Concepts www.juniper.net

 Junos Layer 2 VPNs

Answer: Yes, you should see that both core interfaces are configured as well as
the two CE facing interfaces.

Step 1.7
Verify your OSPF neighbor relationships are up and operational using the show ospf neighbor command .

lab@Student-MX l:PE-1> show ospf nei ghbor

Address Interface State ID Pri Dead
172 . 17 .23.2 ge-0/0/0 . 0 Full 172 .1 7 .2 0 .2 128 39
172 . 17 .23.6 ge-0/0/ 1. 0 Full 172 .1 7 .2 0 .3 128 32

Question: What is the state of your PE router's OSPF neighbors?

Answer: After a short time, the OSPF neighbors should attain the Full state.

Step 1.8
Use the show mpls interface comma nd to verify that MPLS is configured correctly on the core-facing
inte rf aces.

lab@Student-MX l:PE-1> show mpls interface

Interface State Administrative g roups (x: extended)
ge-0/0/0 . 0 Up <none>
ge-0/0/ 1. 0 Up <none>

Question: Can your core-facing interfaces now support the transmission of MPLS
packets?

Answer: The output of the command shows that the two interfaces can now
support the forwarding of MPLS packets.

Step 1.9
Verify t hat your router has established LOP neighbor relationships with the neighboring P routers.

lab@Student-MX l:PE-1> show ldp neighbor

Address I nterfac e Labe l space ID Ho ld time
172 . 17 .23.2 ge-0/0/0.0 172.17.20.2:0 14
172 . 17 .23. 6 ge-0/0/1.0 1 72 .1 7 .2 0 .3: 0 14
•
lab@Student-MX l:PE-1> show ldp session
Address State Connection Hold time Adv. Mode
172 . 17 .2 0 .2 Ope rat ional Open 26 DU
172 . 17 .2 0 .3 Ope rat ional Open 26 DU

www.juniper.net Lab 2: L2VPNs Advanced Concepts 33

Junos Layer 2 VPNs

Question: What is the state of your PE router's relationship with the neighboring P
routers?

Answer: The neighboring P routers shou ld be in the Operational state with

your PE router.

Step 1.10
Verify that the ine t . 3 routing table contains an LDP route to the remote PE router.

lab@Student-MXl: PE -1 > show route table i net . 3

in e t . 3 : 5 destinations , 5 route s (5 act i ve , 0 holddown , 0 hidden)

+ = Active Route , - = Last Active , * = Both

172 . 17 . 20 . 2/32 * [ LDP /9) 20 : 57 : 08 , met ri c 1

•
> to 172 .1 7 . 23 . 2 via g e- 0/0/0 .0
172 . 17 . 20 . 3/32 * [ LDP /9) 20 : 57 : 08 , met ri c 1
•
> to 172 .1 7 . 23 . 6 via g e- 0/0/1 .0
172 . 17 . 20 . 4/32 * [ LDP /9) 20 : 57 : 08 , met ri c 1
•
> to 172 .1 7 . 23 . 2 via g e- 0/0/0 . 0, Push 23
172 . 17 . 20 . 5/32 * [ LDP /9) 20 : 57 : 08 , met ri c 1
•
> to 172 .1 7 . 23 . 6 via g e- 0/0/1 . 0, Push 1 7
172 . 17 . 20 . 6/32 * [ LDP /9) 20 : 57 : 08 , met ri c 1
•
to 172 .1 7 . 23 . 2 via g e- 0/0/0 . 0, Push 30
•
> to 172 .1 7 . 23 . 6 via g e- 0/0/1 . 0, Push 3 1

Question: Do you see the LDP route to the remote PE router in your inet. 3
routing table?

Answer: Yes, you shou ld see the LDP route in the inet. 3 routing table now. If
you do not, please review your configuration and verify the state of your MPLS LSP
is Up.

Step 1.11
Verify MPLS connectivity to PE-2 (172.17.20.6) using the MPLS ping utility.

lab@Student-MXl: PE- 1 > pi n g mp l s l dp 172 . 17 . 20 . 6

.I .I .I ..I .I
--- lsping statistics ---
5 packets transmi tted , 5 packets r ece i ve d, 0 % packet loss

Question: Are your MPLS pings successful?

34 Lab 2: L2VPNs Advanced Concepts www.juniper.net

 Junos Layer 2 VPNs

Answer: Yes, your pings should succeed. If they do not, make sure you loaded the
appropriate start configuration file and contact your instructor if you need
assistance.

Step 1.12
On PE-1, enter into configuration mode and navigate to the [edi t p r otoco l s bgp g r oup my-int-
g r oup] hierarchy. Use PE-l 's loopback address (172.17.20.1) as the source address of all IBGP packets for
this IBGP neighborship. Finally, configure your router to peer with the route reflector (P2 - 172.17.20.2). Ensure
this IBGP peering to the route reflector allows the exchange of Layer 2 VPN as well as 1Pv4 NLRls.

NOTE: > For your convenience t he PE-2 device has been

preconfigured with all the requ ired steps for t his lab.

lab@Student-MX l:PE-1> configure

Entering configuration mode

[edit]
lab@Student-MX l:PE-1# edit p r otocols bgp g roup my-int-group

[edit protocols bgp group my-int-group]

lab@Student-MX l:PE-1# set type internal

[edit protocols bgp group my-int-group]

lab@Student-MX l:PE-1# set local-address 172 . 17 . 20 .1

[edit protocols bgp group my-int-group]

lab@Student-MX l:PE-1# set neighbo r 172 .1 7 . 20 . 2

[edit protocols bgp group my-int-group]

lab@Student-MX l:PE-1# set family inet unicast

[edit protocols bgp group my-int-group]

lab@Student-MX l:PE-1# set family 12vpn signaling

[edit protocols bgp group my-int-group]

lab@Student-MX l:PE-1# show
type internal;
local-address 1 72 . 17 . 20 .1;
family inet {
unicast ;
}
family 12vpn {
signaling;
}
neighbor 172 . 17 . 20 . 2;

[edit protocols bgp group my-int-group]

lab@Student-MX l:PE-1# commit and-quit
commit complete
Exiting configu r ation mode
lab@Student-MX l:PE-1>

Step 1.13
Verify t hat PE-1 router has established an IBGP neighbor relationship wit h the route reflector.

lab@Student-MX l:PE-1> show bgp neighbor

Peer: 1 72 .1 7 . 20 . 2 +179 AS 655 1 2 Local : 1 72 .1 7 . 20 .1 + 64953 AS 65512
Group: my-int-group Routing- I nstance : master
Forwarding routing-instance : master
Type : Internal State: Established Flags : <Sync>
Last State: OpenConfi r m Last Event : RecvKeepAlive
Last Error: None

www.juniper.net Lab 2: L2VPNs Advanced Concepts 35

Junos Layer 2 VPNs
Options : <Loca lAddress AddressFamily Rib-group Refresh>
Options : <GracefulShutdownRcv>
Address fami lies configured: inet- un icast 12vpn-signa ling
Loc a l Address: 172 .1 7 .2 0 . 1 Ho ldt ime: 90 Preference: 170
Graceful Shutdown Receiver local-preference: 0
Number of flaps: 0
Peer ID: 1 72 .1 7 .2 0 .2 Loca l ID: 1 72 .1 7 .2 0 .1 Active Ho ldtime: 90
Keepalive I nterva l: 30 Group i ndex : 0 Peer i ndex : 0 SNMP index: 1
I /0 Session Thread : bgpio-0 State: Enabled
BFD: disabled, down
NLRI for restart configured on pee r: i net-unicast 12vpn
NLRI advertised by peer: i ne t -unicast i ne t - vpn-unicast 12vpn route-target
NLRI for this session: i net-unicast 12 vpn
Peer supports Refresh capability (2)
Stale routes from peer are kept for: 300
Peer does not support Restarter functionality
Restart f lag receiv ed from t he p eer: Notification
NLRI that restart is negotiated for: inet-unicast 12vpn
NLRI of receiv ed end-of-rib markers: i net-unicast 12vpn
NLRI of all end-of-rib markers sent: i net-unicast 12vpn
Peer does not support LLGR Restarter functionality
Peer supports 4 byte AS extension (peer-as 65512)
Peer does not support Addpath
NLRI(s) enabled for color nexthop reso lut ion : i net-unicast 12vpn
Table inet . O Bit: 20000
RIB State: BGP restart is complete
Send state: i n sync
Active prefixes: 0
Received prefixes: 0
Accepted prefixes: 0
Suppressed due to damping: 0
Advertised prefixes: 0
Table bgp.12vpn.O
RIB State: BGP restart is complete
RIB State: VPN restart is complete
Send state: not advertising
Active prefixes: 1
Received prefixes: 1
Accepted prefixes: 1
Suppressed due to damping: 0
Table vp n-A.12 vpn . O Bit: 40000
RIB State: BGP restart is complete
RIB State: VPN restart is complete
Send state: i n sync
Active prefixes: 1
Received prefixes: 1
Accepted prefixes: 1
Suppressed due to damping: 0
Advertised prefixes: 1
Last t ra ff ic (seconds): Received 6 Sent 6 Checked 14
Input messages: Tota l 8 Updat es 7 Refreshes O Octets 545
Output messages: Tota l 5 Updat es 1 Refreshes 1 Octets 18 7
Output Queue[l]: 0 (inet.O, inet-unicast)
Output Queue[3]: 0 (vpn-A.12vpn.O, 12vpn)
lab@Student-MXl:PE-1>

Question: Is the neighbor relationship in the established state with the route
reflector?

36 Lab 2: L2VPNs Advanced Concepts www.juniper.net

 Junos Layer 2 VPNs

Answer: The peering should be in an establ ished state. If it is not, double check
the interface and BGP settings. If you need further assistance, consult with your
instructor.

Question: What NLRI type have been negotiated between your PE router and the
route reflector?

Answer: Using the show bgp neighbor command, you shou ld see that the
NLRI for this session should be inet-unicast and 12vpn.

www.juniper.net Lab 2: L2VPNs Advanced Concepts 37

Junos Layer 2 VPNs

Part 2: Configuring A Second BGP Layer 2 VPN Instance

In t his lab part, you will configure a second BGP Layer 2 VPN instance. You begin by verifying the CE2-1
interface is correct ly defined and then you will create a second BGP Layer 2 VPN instance.

Step 2.1
On your Student-MX1 device, change the CLI to the CE2-1 logical system.

On CE2-1, verify the interface configuration for the interface connecting to PE-1 using t he show
configuration int erfaces command .

lab@Student-MX l:PE-1> set cli logica l-system CE2-1

Logical system: CE2- 1

lab@Student-MX1:CE2-1 > show configuration interfaces

ge-0/0/3 {
unit 620 {
vlan-id 620 ;
family inet {
address 1 0 .2 . 0 . 1/24 ;
}
}
}
loO {
unit 21 {
family inet {
address 1 0 .2 . 20.1/32 ;
}
}
}

Question: Which interfaces have been defined on the CE2-1 device?

Answer: You should see the ge-0/0/3.620 and lo0.21 interfaces.

Step 2.2
On your Student-MX1 device, change the CLI back to the PE-1 logical system.

On PE-1, enter into configuration mode and navigate to the [ edit r outing-instances vpn-B] hierarchy.
Configure the instance type as 12vpn and define the VRF target using the 65512:2 community value. Finally,
include the CE-2-1 facing interface (ge-0/0/5.620) in t he VPN . Make sure you specify the correct unit value
when applying the interface.

lab@Student-MX1 : CE2- 1 > set cli log ical-s yst em PE -1

Logical system: PE-1

lab@Student-MX l:PE-1> configure

Entering configuration mode

[edit]
lab@Student-MX l:PE-1# edit routi ng-instances vpn-B

[edit routing -instances vpn -B]

lab@Student-MX l : PE-1# set instance-type 12vpn

[edit routing -instances vpn -B]

lab@Student-MX l:PE-1# set interface ge-0/0/5 . 620

[edit routing -instances vpn -B]

38 Lab 2: L2VPNs Advanced Concepts www.juniper.net

 Junos Layer 2 VPNs
lab@Student-MX l : PE- 1 # set vrf-target target:65512:2

[edit routing -instances vpn -B]

lab@Student-MX l : PE- 1 #

Step 2.3
Still on PE-1, navigate to t he [edi t rou ting-instances vpn-B protocols 12vpn] hierarchy and
configure t he protocol properties for the BGP Layer 2 VPN . You will be using the encapsulation type e th ernet-
v l an . Define your site name as CE2-1 and define the site ID (1). Because we are only dealing with two sites,
you will not need to configure the remote site ID. You must also indicate the interface that will be participati ng
in your BGP Layer 2 VPN site. Commit and exit to operationa l mode after you have completed your changes.

[edit routing -instances vpn -B]

lab@Student-MX l : PE- 1 # edit protocols 12vpn

[edit routing -instances vpn -B protocols 12vpn]

lab@Student-MX l:PE-1# set encapsulation-type ethernet-vlan

[edit routing -instances vpn -B protocols 12vpn]

lab@Student-MX l : PE- 1 # set site CE2-1 site-identifier 1

[edit routing -instances vpn -B protocols 12vpn]

lab@Student-MX l:PE-1# set site CE2-1 interface ge-0/0/5 . 620

[edit routing -instances vpn -B protocols 12vpn]

lab@Student-MX l : PE- 1 # show
site CE2- 1 {
interface ge-0/0/5.620;
site-identifier 1;
}
encapsulation-type ethernet-vlan ;

[edit routing -instances vpn -B protocols 12vpn]

lab@Student-MX l : PE- 1 # commit and-quit
commit complete
Exiting configuration mode
lab@Student-MX l : PE- 1 >

Question: Which remote site wi ll your configuration automatically associate?

Answer: Since your loca l site identifier is 1, then your remote site identified for
your first interface entry will default to two.

Step 2.4
Verify both your Layer 2 VPN connections are established by issuing the show 1 2vpn connections
command.

lab@Student-MX l : PE- 1 > show 12vpn connections

Layer-2 VPN connections :

Legend for connection status (St)

E I -- encapsulation inval id NC interface encapsulation not CCC/TCC/VPLS
EM -- encapsulation mismatch WE interface and i ns tance encaps not same
VC-Dn -- Virtual circuit down NP interface hardwa re not present
CM control-word mismatch -> only outbound connection is up
CN circuit not provisioned <- only inbound connection is up
OR out of range Up operational
OL no outgoing label Dn down

www.juniper.net Lab 2: L2VPNs Advanced Concepts 39

Junos Layer 2 VPNs
LO local site signaled down CF call admission control failure
RD remote site signaled down SC local and remote site I D collision
LN local site not designated LM local site I D not minimum designated
RN remote site not designated RM remote site I D not minimum designated
XX unknown connection status IL no incoming label
MM MTU mismatch MI Mesh-Group I D not available
BK Backup connection ST Standby connection
PF P rofile parse failure PB Profile busy
RS remote site standby SN -- Static Neighbor
LB Local site not best-site RB Remote site not best-site
VM VLAN I D mismatch HS -- Hot-standby Connection

Legend for interface status

Up -- operational
On -- down

Instance : vpn-A
Edge protection : Not-Primary
Local site : CE l- 1 (1)
connection-site Type St Time last up # Up trans
2 rmt Up Aug 28 08 :1 0 : 58 2021 1
Remote PE: 172 .1 7 . 20.6 , Negotiated control-word: Yes (Null)
I ncoming label: 22 , Outgoing label: 21
Local interface: ge-0/0/4.610 , Status : Up, Encapsulation: VLAN
Flow Label Transmit : No, Flow Label Receive: No

Instance: vpn-B
Edge protection: Not-Primary
Local site : CE2-1 (1)
connection-site Type St Time last up # Up trans
2 rmt Up Aug 28 08:35:14 2021 1
Remote PE: 172 .1 7 . 20.6 , Negotiated control-word: Yes (Null)
In coming label: 24 , Outgoing label: 23
Local interface: ge-0/0/5.620 , Status : Up, Encapsulation: VLAN
Flow Label Transmit : No, Flow Label Receive: No

lab@Student-MXl : PE-1>

Question: What is the status of your connections?

Answer: Your connections should both show a status value of Up . If it does not,
find the status code value in the legend and review your configuration. Contact
your instructor for assistance, if needed.

Step 2.5
On your Student-MX1 device, change the CLI to the CE2-1 logical system.

On CE2-1, verify reachability to t he CE2-2 device by using the ping 1 o. 2 . o. 2 count 5 comma nd.

lab@Student-MXl : PE-1> set cli logical-system CE2-1

Logical system: CE2-1

lab@Student-MX:CE2-1> ping 10.2.0 . 2 count 5

PING 10.2.0.2 (10.2.0 . 2): 56 data bytes
64 bytes from 10.2.0.2: icmp seq= O ttl = 64 time= 613.036 ms
64 bytes from 10.2.0.2: icmp- seq= l ttl =64 time= 354.032 ms
64 bytes from 10.2.0.2: icmp- seq= 2 ttl = 64 time= 95.772 ms
64 bytes from 10.2.0.2: icmp- seq= 3 ttl =64 time= 7 . 024 ms
64 bytes from 10.2.0.2: icmp- seq= 4 ttl = 64 time= 6 . 059 ms

--- 10.2.0 . 2 ping statistics ---

5 packets transmitted , 5 packets received, 0 % packet loss
round-trip min/avg/max/stddev = 6 . 059/215 .1 85/613.036/236.173 ms

lab@Student-MX1 : CE2-1>
40 Lab 2: L2VPNs Advanced Concepts www.juniper.net
 Junos Layer 2 VPNs

Question: Do your ping requests complete?

Answer: Yes, your ping requests shou ld complete. If they do not, review your
configuration and work with the remote team to troubleshoot the problem.
Request assistance from the instructor, if needed.

www.juniper.net Lab 2: L2VPNs Advanced Concepts 41

Junos Layer 2 VPNs

Part 3: Configuring Route Target Mismatch And Keep All Option

In t his lab part, you will create a route target mismat ch in the newly added BGP Layer 2 VPN ca lled vpn-B . You
will do t his to illustrate that without route target f iltering the route reflector still sends t he m ismatched L2VPN
NLRI.

Step 3.1
On your Student-MX1 device, change the CLI to the PE-1 logical system.

On PE-1, enter into configuration mode and navigate to the [edi t routing-instances vpn-B] hierarchy.
Create a route target mismatch by changing t he route ta rget used for this VPN to ta r g et: 65512 : 22 .

lab@Student-MX1:CE2-1> set cli log ical-s yst em PE -1

Logical system : PE-1

lab@Student-MX l:PE-1> configure

Entering configuration mode

[ edit]
lab@Student -MXl:PE-1# edit routi ng-i nstances vpn -B

[ edit routing -instances vpn -B]

lab@Student -MXl:PE-1# set v r f - ta rget target : 655 1 2 : 22

[ edit routing -instances vpn -B]

lab@Student -MXl:PE-1#

Step 3.2
Still on PE-1, navigate to t he [edi tpro t ocols bgp] hierarchy. Add t he keep all option to the
configuration . Commit and exit to operational mode after you have completed your changes with t he cornrni t
a nd-qu it command.

[ edit routing -instances vpn -B]

lab@Student -MXl:PE-1# top edit protoco l s bgp

[ edit protocols bgp]

lab@Student -MXl:PE-1# set keep all

[ edit protocols bgp]

lab@Student -MXl:PE-1# commit and-quit
commit complete
Exiting configu r ation mode

lab@Student -MXl:PE-1>

Step 3.3
On PE-1, verify t he route tables relat ing to the BGP Layer 2 VPNs by looking at the bgp. 12vpn . o, vpn-
A. 12vpn . 0 , and vpn-B. 12vpn . 0 tables.

lab@Student-MX l:PE-1> show route table bgp .1 2vpn . O

bgp . 12vpn . O: 2 d estinations, 2 routes (2 active , 0 ho lddown , 0 hidden)

+ = Act i ve Route , - = Last Act i ve , * = Both

172 . 17 . 20 . 6 : 65533 : 2 :1 /96

*[BGP / 1 70] 00 :1 7 : 08 , localpre f 1 00 , from 1 72 .1 7 . 20 . 2
AS path : I , val idation-state : unverified
> to 172 . 17 . 23 . 2 via ge - 0/0/0 . 0 , Push 30
to 172 . 17 . 23 . 6 via ge - 0/0/1 . 0 , Push 3 1
172 . 17 . 20 . 6 : 65534 : 2 :1 /96
*[BGP / 1 70] 00 : 41: 23 , localpre f 1 00 , from 1 72 .1 7 . 20 . 2
AS path : I , val idation-state : unverified
> to 172 . 17 . 23 . 2 via ge - 0/0/0 . 0 , Push 30
42 Lab 2: L2VPNs Advanced Concepts www.juniper.net
 Junos Layer 2 VPNs
•
to 172 .1 7 . 23.6 via ge-0/0/1 . 0 , Push 31

lab@Student-MXl : PE-1> show route table vpn-A.12vpn . O

vpn-A . 12vpn . O: 2 destinations , 2 routes (2 active , 0 holddown , 0 hidden)

+ = Active Route , - = Last Active , * = Both

172 . 17 . 20.1 : 65534:1 :1 /96

*[ L2VPN/170/-101 ] 20:42 : 47 , metric2 1
I ndirect
172 . 17 . 20.6 : 65534:2 :1 /96
*[BGP/ 1 70) 00:42: 1 4 , localpref 100 , from 172 . 17 . 20 . 2
AS path : I , validation-state : unverified
> to 172 .1 7 . 23 . 2 via ge-0/0/0 . 0 , Push 30
to 172 .1 7 . 23 . 6 via ge-0/0/1 . 0 , Push 31

lab@Student-MXl : PE-1> show route table vpn-B . 12vpn . O

vpn-B . 12vpn . O: 1 destinations , 1 routes (1 active , 0 holddown , 0 hidden)
+ = Active Route , - = Last Active , * = Both

172 . 17 . 20 . 1 : 65533:1: 1 /96

*[ L2VPN/170/-101 ] 00 : 18 : 08 , metric2 1
I ndirect
lab@Student-MXl : PE-1>

Question: Why do you see two routes in the bgp. 12vpn. 0 table but only one
of them is imported into a vpn-B table?

Answer: Because of the keep al 1 option, the router accepts and retains all
routes regardless of the matching route target, which is why two routes are seen
in the bgp .12vpn. 0 route table. The actual import into the 12vpn routing-
instance is still only a llowed if there is a matching route target, which explains
why, regardless of the keep all option, the route mismatch will result in the
second VPN connection to be signaled down, as you can see in the show
12vpn connections command output.

lab@Student-MXl : PE-1> show 12vpn connections

Layer-2 VPN connections :

Legend for connection status (St)

EI -- encapsulation invalid NC interface encapsulation not CCC/TCC/VPLS
EM -- encapsulation mismatch WE interface and instance encaps not same
VC-Dn -- Virtual circuit down NP interface hardware not present
CM cont r ol-word mismatch -> only outbound connection is up
CN circuit not provisioned <- only inbound connection is up
OR out of range Up operational
OL no outgoing label Dn down
LD local site signaled down CF call admission control failure
RD remote site signaled down SC local and remote site I D collision
LN local site not designated LM local site I D not minimum designated
RN remote site not designated RM remote site I D not minimum designated
XX unknown connection status IL no incoming label
MM MTU mismatch MI Mesh-Group I D not available
BK Backup connection ST Standby connection
PF P rofile parse failure PB Profile busy
RS remote site standby SN -- Static Neighbor
LB Local site not best-site RB Remote site not best-site
VM VLAN I D mismatch HS -- Hot-standby Connection

Legend for inte r face status

Up operational
Dn -- down

www.juniper.net Lab 2: L2VPNs Advanced Concepts 43

Junos Layer 2 VPNs
Instance: vpn-A
Edge p rotec t ion: Not-Primar y
Local site: CEl- 1 (1)
connection-site Type St Time last up # Up t rans
2 rmt Up Aug 28 08 :1 0 : 58 2021 1
Remote PE: 172 .1 7 .2 0 .6, Negotiated control-word: Yes (Null)
Incoming label: 22, Outgoing label: 21
Loca l i nterfac e: ge-0/0/4 . 61 0 , Status: Up , Encapsulation: VLAN
Flow Label Transmit: No, Flow Labe l Receive: No

Instance: vpn -B
Edge p rotec t ion: Not-Primar y
Local site: CE2- 1 (1)
No connections found .
lab@Student-MXl:PE-1>

44 Lab 2: L2VPNs Advanced Concepts www.juniper.net

 Junos Layer 2 VPNs

Part 4: Enabling Route Target Filtering

In t his lab part, you will enable route target filtering on your IBGP sessions. You will then determine if t he routes
in your Layer 2 VPN tables are affected.

Step 4.1
Still on PE-1, enter into configurat ion mode and navigate to t he [edit p rotocols bgp group my-int-
g roup] hierarchy. Add t he family route-target for the IBGP group. This will enable route target fi ltering
for better scalability, wh ich is useful in very large environments. Commit and exit to operat ional mode after you
have completed your cha nges.

lab@Student-MXl:PE-1> configure
Entering configuration mode

[ edit]
lab@Student-MXl:PE-1# edit protocols bgp group my-int-group

[ edit protocols bgp group my-int-group ]

lab@Student-MXl:PE-1# set family route-target

[ edit protocols bgp group my-int-group ]

lab@Student-MXl:PE-1# commit and-quit
commit complete
Exiting configuration mode

lab@Student-MXl:PE-1>

Step 4.2
Now that route target filtering has been enabled, review t he route tables relating to the BGP Layer 2 VPNs
again, by looking at t he bgp .12vp n . O, vpn-A . 12vpn . O, and vp n-B . 1 2vpn. O tables.

lab@Student-MXl:PE-1> show route table bgp .1 2vpn.O

bgp.12vpn.O: 1 destinations , 1 routes (1 active , 0 holddown, 0 hidden)

+ = Active Route , - = Last Active , * = Both

172.17 . 20.6:65534:2: 1 /96

*[BGP/170] 00:00:28 , localpref 100, from 172.17.20.2
AS path: I , validation-state: unverified
> to 172.17.23.2 via ge-0/0/0.0 , Push 30
to 172.17.23.6 via ge-0/0/1.0 , Push 31

lab@Student-MXl:PE-1> show route table vpn-A.12vpn.O

vpn-A.12vpn.O: 2 destinations, 2 routes (2 active , 0 holddown , 0 hidden)

+ = Active Route , - = Last Active , * = Both

172.17.20.1:65534:1: 1 /96
*[L2VPN/170/-101 ] 20:47:32 , metric2 1
In direct
172.17.20.6:65534:2: 1 /96
*[BGP/170] 00:00:56 , localpref 100, from 172.17.20.2
AS path: I , validation-state: unverified
> to 172.17.23.2 via ge-0/0/0.0 , Push 30
to 172.17.23.6 via ge-0/0/1.0 , Push 31

lab@Student-MXl:PE-1> show route table vpn-B.12vpn.O

vpn-B.12vpn.O: 1 destinations, 1 routes (1 active , 0 holddown , 0 hidden)

+ = Active Route , - = Last Active , * = Both

172.17.20.1:65533:1: 1 /96
*[L2VPN/170/- 1 01 ] 00:22:51 , metric2 1
In direct

lab@Student-MX l :PE- 1 >

www.juniper.net Lab 2: L2VPNs Advanced Concepts 45

Junos Layer 2 VPNs

Question: What difference do you see in the output of the route tables after
enable route target filtering?

Answer: You should see that the bgp. 12vpn. 0 route table no longer contains
the route from the L2VPN with the mismatched route target, even though the
keep all option is still configured. With route target fi ltering, you will receive
on ly the routes that you signaled that you are interested in. The output of the
show route table bgp. rtarget. 0 shows wh ich routes you are
interested in ( Default), and which routes your peering partner is interested in
( BGP ). Remember that your peering partner is the route reflector and it will
typical ly signal the route targets that all his other peering partners are interested
1n.

lab@Student-MX l:PE-1> show route table bgp.rtarget.O

bgp . rtarget . O: 3 destinations , 5 routes (3 active , 0 ho lddown , 0 hidden)

+ = Active Route , - = Last Active , * = Both

65512 : 65512 :1 /96

*[RTarget /5] 00 : 02 : 42
Type Default
Local
[BGP / 1 70 ] 00 :02:39, localpref 10 0 , from 1 72 .1 7 .2 0 .2
AS path: I , val idation-state : unverified
> to 172 . 17 . 23.2 via ge-0/0/0.0
65512 : 65512 :2 /96
*[BGP / 1 70 ] 00 :02:39, localpref 10 0 , from 1 72 .1 7 .2 0 .2
AS path: I , val idation-state : unverified
> to 172 . 17 .23.2 via ge-0/0/0.0
65512 : 65512:22/96
*[RTarget /5] 00:02:42
Type Default
Local
[BGP / 1 70 ] 00:02:39 , localpref 100, from 1 72 .1 7 .20.2
AS path: I , val idation-state : unverified
> to 172 . 17 .23.2 via ge-0/0/0.0

lab@Student -MXl:PE-1>

Step 4.3
Log out of your assigned devices using the exit command.

lab@Student -MXl:PE-1> clear cli logical-s ystem

Cleared defau lt logica l system

lab@Student -MXl> exit

Student-MXl (tt yuO)

log i n :

• • Tell your instructor that you have completed this lab.

46 Lab 2: L2VPNs Advanced Concepts www.juniper.net

 Junos Layer 2 VPNs

Lab 3: LDP -Signaled L2 Circuits

Overview
In t his lab, you will establish an LDP Layer 2 circuit using RSVP signaling between provider edge (PE) routers.
Once the virtual LAN (VLAN)-based LDP Layer 2 circuit is operationa l, you will configure the customer edge (CE)
routers to run one of several ava ilable routing protocols and advertise their static route and loopback add ress
blocks. Because t his is a Layer 2 circuit, the PE routers will not interact with the rout ing protocols used on the
CE routers.

By complet ing this lab, you will perform t he following tasks:

• Load t he initial configuration and verify proper operat ion of t he IGP.

• Configure an RSVP-signa led LSP between t he two PE routers.

• Create and establish an LDP Layer 2 circuit over the core net work.

• Add OSPF to your CE network and create a neighbor relat ionship between you r local CE router and
the remote CE router.

• Export your static routes into OSPF and share these routes with the remote CE network.

• Verify connectivity and behavior using operational mode commands including p in g and commands
used to examine routing tables

www.juniper.net Lab 3: LOP-Signaled L2Circuits 47

Junos Layer 2 VPNs

Lab Diagrams

Management Network Diagram

Management Network
172.25. 11.0/24
Virtua l Student Desktop Cons ole a nd I
VNC Connections '==c:::, I
I
•=
I Physica l
Desktops

Management Addresses
Student-MX1 172.25.11 .1
Manageme nt Port Student-MX2 172.25.11 .2
fxpO (on all vMX devices) vr-device 172.25.11 .3
Student Desktop 172.25.11 .254

Student
Virtual Environment Note: Your instructor w ill provide the information
you need to access your student desktop.

Junw I ,

Lab: LOP-Signaled L2Circuits, Part 1

VR-Device
(
I
-------------------- ' 172.17.23.1 2/30 I
P2 P4
I loO 172.1 7.20.2 .13 .14 loO 172.17.20.4 I
I >-----.--"' --"""T---,-"1,..1
;;; ·,o.s-

g AS 65512 g
PE-1
-
(0
,.;
OSPF
AreaO
c5
"!
,.; PE-2
lo0.1 172.17.20.1 "!
....
- ....
N

..- -.... -
en
-
....
N
x N

- C:
~
-
I
C:
Q)
-0
C.
CD
:::,
7"
s::
.3
en 172.17.23.16/30 ~
P3 PS
CE1-1 loO 172.17 .20.3 .1 7 .18 loO 172.17.20.5 CE1-2

'-------------------~
O 2021 Juniper Network! JUn~J I 2

48 Lab 3: LOP-Signaled L2Circuits www.juniper.net

 Junos Layer 2 VPNs

Lab: LOP-Signaled L2Circuits, Part 2-3

LDP Layer 2 Circuit

PE-1
lo0.1 172.17.20.1
- - - - -- -- ----------- --- ---
AS 65512
OSPF
- - - - PE-2
lo0.6 172.17.20.6
.....
X
~ ~d, ~. -z
Area O
<O
a
9., ..
-
-
(f)
C

- C.
0 0
~
I o,q <O o,O <O CD

--
C q q z :::,
Q) "'-
a· 5 a· 5 '7
a~ > > s::
- a~
"C •
:::, •
( f)
8,
- 8,
"I
X
N
CE1-1 10.1.0.0/24 - 10.1.3.0/24 10.1.4.0/24 - 10.1 .7.0/24 CE1-2
lo0.111 0.1.20.1 AS 65101 AS 65101 lo0.1210.1.20.2
Site ID 1 S ite ID 2

O 2021 Juniper Network! Junw I 3

www.juniper.net Lab 3: LOP-Signaled L2Circuits 49

Junos Layer 2 VPNs

Part 1: Creating The Baseline SP Network

In t his lab part, you will configure t he baseline network for the lab. You will load a baseline OSPF configuration
and then enable Resou rce Reservation Protocol (RSVP) and multiprotocol label switching (MPLS) on t he core-
facing interfaces.

NOTE: > The instructor will tell you the nature of you r
access and will provide you with t he necessary details to
access your assigned device.

Step 1.1
You shou ld make sure you are familiar with t he lab topology and envi ronment. Th is lab is comprised of eight
logical devices t hat are operating on th ree virtual MX (vMX) routers. These vMXs are nested inside a n ESXi
hypervisor. The four devices you are in charge of configuring (PE-1, CE1-1 ) reside on Student-MX1 and (PE-2,
CE1-2 ) reside on Student-MX2 as logical systems. The core devices (P2, P3, P4, and PS) are preconfigured on
vr-device also as logical systems.

Step 1.2
Consu lt the management network diagram, provided by your instructor, to determine your device's
management add ress.

Question: What is the management address of Student-MX1 and Student-MX2?

Answer: The management IP address of Student-MX1 is 172.25.11.1 and

Student-MX2 is 172.25.11.2

Step 1.3
Access t he CLI of your Student-MX1 device using Secure Shell (SSH ) as directed by your instructor.

Log in as user lab with the password supplied by your inst ructor. Enter into configurat ion mode and load t his
labs starting configuration file j 1 2v / l a b 3-s ta r t . co nf ig and exit back to operat ional mode using t he
comm it a nd-quit comma nd.

Student-MXl (ttypO)

login : l ab
Passwo r d :

Last login : Thu July 1 1 1 4 : 23 : 37 2021 from 1 72 . 25 . 1 1. 254

--- J UNOS 2 1 . 2Rl. 10 Kerne l 64-bit JNPR-12 .1 -202 1 0529 . 2f59a40 bui l
lab@Student-MX l > conf i gu r e
Entering configuration mode

[ edi t]
lab@Student-MX l # load override j l 2v/lab3-start . config
load complete

[ edi t]
lab@Student-MX l # commi t and-qu i t
commit comp l ete
50 Lab 3: LOP-Signaled L2Circuits www.juniper.net
 Junos Layer 2 VPNs
Exiting configu r ation mode

lab@Student-MX l >

Step 1.4
Access the CLI of your Student-MX2 device using Secure Shell (SSH) as directed by your instructor.

Log in as user lab with the password supplied by your instructor. Enter into configuration mode and load this
labs starting configuration file j 1 2v / l a b 3-s ta r t . co nf ig and exit back to operational mode using the
comm it and-quit command .

Student-MX2 (ttypO)

log i n : lab
Passwo r d :

Last login : Thu July 1 1 1 4 : 23 : 37 2021 from 1 72 . 25 .11. 254

- -- JUNOS 2 1. 2Rl. 10 Kernel 64-bit JNPR-12 .1- 202 1 0529 . 2f59a40 bui l
lab@Student-MX2> conf i gu r e
Entering configuration mode

[edi t]
lab@Student-MX2# load override j l 2v/lab3 - start . config
load complete

[edi t]
lab@Student-MX2# commi t and- quit
commit comp l ete
Exiting configuration mode

lab@Student-MX2>

Step 1.5
Return to your Student-MX1 device, change your CLI to the PE-1 logical system.

On PE-1, use the s how co nf igu rat i o n protoco ls command to determine what protocols have been
pre-defined on your PE-1 device.

lab@Student-MX l > set cli logical-system PE - 1

Log i ca l system : PE -1

lab@Student-MXl: PE -1 > show configuration p r otocols

ospf {
area 0 . 0 . 0 . 0 {
interface ge-0/0/0 . 0 ;
interface ge-0/0/ 1. 0 ;
interface lo0 . 1 ;
}
}

lab@Student-MXl: PE -1 >

Question: Which protocols have been preconfigured for you?

www.juniper.net Lab 3: LOP-Signaled L2Circuits 51

Junos Layer 2 VPNs

Answer: OSPF is the only preconfigured configuration.

Step 1.6
Verify t hat your Open Shortest Path First (OSPF) neighbor relationships are up and operational.

lab@Student-MXl: PE -1 > show ospf n e i ghbor

Address Int e rfac e State ID Pri Dead
172 . 17 . 23 . 2 ge-0/0/0 . 0 Full 172 .1 7 . 20 . 2 1 28 36
172 . 17 . 23 . 6 ge-0/0/ 1. 0 Full 172 .1 7 . 20 . 3 1 28 32

Question: What is the state of your PE router's OSPF neighbors?

Answer: After a short time, the OSPF neighbors should attain the Full state.

Step 1.7
For an interface to support the forwarding of MPLS packets, you must enable the MPLS family on each
interface that you expect to receive and send MPLS packets through . For your conven ience, the ge-0/0/0.0 and
ge-0/0/1.0 interfaces have already been configured to support MPLS traffic. But you must add these interfaces
to the MPLS protocol.
Still on PE-1, enter into configurat ion mode and navigate to the [ e d i t p r otoco l s ] hierarchy. Configure the
MPLS protocol with t he core-facing interfaces.

lab@Student-MXl: PE -1 > configure

Entering configuration mode

[ edi t]
lab@Student-MXl: PE -1 # edit p r otocols

[ edi t protocols]
lab@Student-MXl: PE -1 # set mpls interface ge-0/0/0 . 0

[ edi t protocols]
lab@Student-MXl: PE -1 # set mpls interface ge-0/0/ 1. 0

[ edi t protocols]
lab@Student-MXl: PE -1 #

Step 1.8
Whi le still at t he [edi t p r otoco l s] hierarchy on PE-1, configure the LOP protocol with the core-facing
interfaces including t he loopback interface (lo0.1). Once you have completed you r configuration changes,
comm it your configuration and exit to operat ional mode using the commi t a n d-q ui t command .

[ edi t protocols]
lab@Student-MXl: PE -1 # set ldp interface ge-0/0/0 . 0

[ edi t protocols]
lab@Student-MXl: PE -1 # set ldp interface ge-0/0/ 1. 0

[ edi t protocols]
lab@Student-MXl: PE -1 # set ldp interface lo0 . 1

[ edi t protocols]
lab@Student-MXl: PE -1 # show
ldp {

52 Lab 3: LOP-Signaled L2Circuits www.juniper.net

 Junos Layer 2 VPNs
interface ge-0/0/0.0 ;
interface ge-0/0/1.0 ;
interface lo0.1;
}
mpls {
interface ge-0/0/0.0 ;
interface ge-0/0/1.0 ;
}
ospf {
area 0 . 0 . 0 . 0 {
interface ge-0/0/0.0 ;
interface ge-0/0/1.0 ;
interface lo0 . 1 ;
}
}

[edit protocols]
lab@Student-MXl : PE-1# commit and-quit
commit complete
Exiting configuration mode
lab@Student-MXl : PE-1>

Step 1.9
Use the show mpls interfac e comma nd to verify that MPLS is configured correctly on the core-facing
i nte rfaces.

lab@Student-MXl : PE-1> show mpls interface

Interface State Administrative groups (x: extended)
ge-0/0/0.0 Up <none>
ge-0/0/1 . 0 Up <none>

Question: Can your core-facing interfaces now support the transmission of MPLS
packets?

Answer: The output of the command shows that the two interfaces can now
support the forwarding of MPLS packets.

Step 1.10
Verify t hat your router has established an LDP neighbor relationsh ip with t he neighboring P routers.

lab@Student-MXl:PE-1> show ldp neighbor

Address I nterface Label space ID Hold time
172 . 17 . 23.2 ge-0/0/0 . 0 172.17.20.2:0 12
172 . 17 . 23.6 ge-0/0/1 . 0 172.17.20.3:0 12
172 . 17 . 20.6 lo0.1 172.17.20.6:0 37
lab@Student-MXl:PE-1> show ldp session
Address State Connection Hold time Adv . Mode
172 . 17 . 20.2 Operational Open 20 DU
172 . 17 . 20.3 Operational Open 20 DU
172 . 17 . 20.6 Operational Open 25 DU

www.juniper.net Lab 3: LOP-Signaled L2Circuits 53

Junos Layer 2 VPNs

Question: What is the state of your PE router's relationship with the neighboring P
routers?

Answer: The neighboring P routers shou ld be in the Operational state with

your PE router.

Step 1.11
Verify t hat the ine t . 3 routing table contains an LDP route to the remote PE router.

lab@Student-MXl: PE - 1 > show route table i net . 3

in e t . 3 : 5 destinations , 5 route s (5 act i ve , 0 holddown , 0 hidden)

+ = Active Route , - = Last Active , * = Both

172 . 17 . 20 . 2/32 *[ LDP /9) 00 : 4 1 : 33 , met ri c 1

•
> to 172 .1 7 . 23 . 2 via g e- 0/0/0 .0
172 . 17 . 20 . 3/32 *[ LDP /9) 00 : 4 1 : 33 , met ri c 1
•
> to 172 .1 7 . 23 . 6 via ge - 0/0/1 .0
172 . 17 . 20 . 4/32 *[ LDP /9) 00 : 4 1 : 33 , met ri c 1
•
> to 172 .1 7 . 23 . 2 via ge - 0/0/0 . 0, Push 23
172 . 17 . 20 . 5/32 *[ LDP /9) 00 : 4 1 : 33 , met ri c 1
•
> to 172 .1 7 . 23 . 6 via ge - 0/0/1 . 0, Push 1 7
172 . 17 . 20 . 6/32 *[ LDP /9) 00 : 4 1 : 33 , met ri c 1
•
to 172 .1 7 . 23 . 2 via ge - 0/0/0 . 0, Push 30
•
> to 172 .1 7 . 23 . 6 via ge - 0/0/1 . 0, Push 3 1

Question: Do you see the LDP route to the remote PE router in your inet. 3
routing table?

Answer: Yes, you shou ld see the LDP route in the inet. 3 routing table now. If
you do not, please review your configuration and verify the state of your MPLS LSP
is Up.

Step 1.12
Verify MPLS connectivity to PE-2 (172.17.20.6) using the MPLS ping utility.

lab@Student-MX l : PE- 1 > ping mpls l dp 172 . 17 . 20 . 6

.I .I .I ..I .I
--- lsping statistics ---
5 packets transmitted , 5 packets r eceived , 0 % packet loss

Question: Are your MPLS pings successful?

54 Lab 3: LOP-Signaled L2Circuits www.juniper.net

 Junos Layer 2 VPNs

Answer: Yes, your pings should succeed. If they do not, make sure you loaded the
appropriate start configuration file and contact your instructor if you need
assistance.

www.juniper.net Lab 3: LOP-Signaled L2Circuits 55

Junos Layer 2 VPNs

Part 2: Configuring A LDP Layer 2 Circuit

In t his lab part, you will begin by verifying t he exist ing CE1-1 configuration. You will then verify the PE to CE
interface configuration on t he PE-1 device. After reviewing the PE to CE related information, you wil l configure
an LOP Layer 2 circuit. You will create t he ci rcuit to PE-2's loopback address and assign the correct CE-facing
interface. You will assign a unique VC identifier. You will t hen verify that the circu it has been signaled and is
fu nct ioning properly.

Step 2.1
On your Student-MX1 device, change t he CLI to t he CE1-1 logical system.

On CE1-1, issue t he s h ow c onfigu ra tion command to view the current configuration of t he CE1-1 router.

lab@Student-MX l : PE-1 > set cli logical-system CEl -1

Log i ca l syste m: CEl- 1
lab@Student-MX l : CEl- 1 > s h ow configuration
i n terfaces {
ge-0/0/2 {
unit 61 0 {
vlan-id 61 0 ;
fami l y inet {
addr ess 1 0 . 1 . 0 . 1/24 ;
}
}
}
loO {
unit 1 1 {
fami l y inet {
addr ess 1 0 . 1 . 20 . 1 /32 ;
}
}
}
}
routing-opt i ons {
autonomous-system 65 1 01 ;
static {
route 1 0 . 1 . 1 . 0/24 receive
'
;
route 1 0 . 1 . 2 . 0/24 receive
'
;
route 1 0 . 1 . 3 . 0/24 receive
'
;
route 1 0 . 1 . 0 . 0/24 receive
'
;
}
}

lab@Student-MX l : CEl- 1 >

Question: What interfaces have been configured on the CE router? According to

the lab diagram, do they have the appropriate IP addressing?

Answer: The CE router should have both the loopback (lo0.11) and ge-0/0/2.610
interface configured with the appropriate addressing according to the lab
diagram.

56 Lab 3: LOP-Signaled L2Circuits www.juniper.net

 Junos Layer 2 VPNs

Question: What is configured under the routing-options

Answer: Four static routes (next hop of receive) and CE1-1's autonomous system
should be configured under routing-options hierarchy. These settings are
appropriate.

Question: Based on the lab diagram, what is the IP address of the CE1-2 router's
CE-to-PE interface? Is the CE1-1 address on the same network?

Answer: The interface should be configured with the 10.1.0.2 address. Yes the
CE1-1 interface is on the same network.

Question: Why must both CE router interfaces be in the same subnet?

Answer: The reason both CE router interfaces must be in the same subnet is
because you are configuring the PE router to pass the traffic based on the Layer 2
information. As far as the CE routers are concerned, they are directly connected.

Step 2.2
Use the ping utility to attempt to ping the CE1-2 router's ge-0/0/1 interface address (10.1.0.2).

lab@Student-MX l:CE l- 1> ping 1 0 . 1 . 0 .2 rap id count 5

PING 1 0 . 1 . 0 .2 (10.1.0.2): 56 data bytes
• • • • •
--- 10 .1. 0 .2 ping statistics ---
5 packets transmitted, 0 packets receiv ed, 1 00 % packet loss

Question: Does your ping succeed? Why?

Answer: The pings do not succeed because the PE-1 and PE-2 router's interfaces
have not been configured as part of a Layer 2 circuit.

www.juniper.net Lab 3: LOP-Signaled L2Circuits 57

Junos Layer 2 VPNs

Step 2.3
On your Student-MX1 device, change the CLI to the PE-1 logical system.

On PE-1, review the CE facing interface (ge-0/0/4) configuration.

lab@Student-MX l : CEl- 1 > set cli log i cal-system PE -1

Log i cal system : PE - 1

lab@Student-MX l: PE - 1> show configuration interfaces ge - 0/0/4

unit 6 1 0 {
encapsu l ation vlan - ccc ;
vlan - id 610 ;
}

lab@Student-MX l: PE - 1 >

Question: What encapsu lation is enabled on the CE1 facing logical interface?

Answer: The logical interface should have vlan-ccc encapsu lation enabled.

Question: Why don't you see the physical properties like vlan-tagging and
encapsulation?

Answer: When working with logical systems, the physica l properties are defined in
the main instance and are inherited by the logica l interface in the logical system.

Question: Do you see any Layer 3 information on the interface?

Answer: No, because we are configuring a Layer 2 Circuit there will not be any
Layer 3 information associated with this interface.

Step 2.4
Still on PE-1, enter into configurat ion mode and navigate to the [ e d i t p r otocols 1 2ci r cui t ] hierarchy
and specify t he neig hbo r address (172.17.20.6) for the circuit. Add the PE to CE interface (ge-0/0/4.610)
that will be participating in this neighbor relationship. Use t he value of 1 for the VC identifier. Once you are
finished with your configuration changes, commit and exit to operational mode using t he cornrni t a nd-qui t
command.

lab@Student-MX l : PE- 1 > configure

Entering configuration mode

[edi t]
lab@Student-MX l : PE- 1 # edit p r otocols 12ci r cuit

58 Lab 3: LOP-Signaled L2Circuits www.juniper.net

 Junos Layer 2 VPNs
[edit protocols 12circuit]
lab@Student-MXl : PE-1# set neighbo r 172 . 17 . 20.6 interface ge-0/0/4 . 610 virtual-
circuit-id 1

[edit protocols 12circuit]

lab@Student-MXl : PE-1# show
neighbor 172 . 17 . 20.6 {
interface ge-0/0/4.610 {
virtual-circuit-id 1 ;
}
}

[edit protocols 12circuit]

lab@Student-MXl : PE-1# commit and-quit
commit complete
Exiting configuration mode
lab@Student-MXl : PE-1>

Step 2.5
Now go to Student-MX1 and Verify that the LDP Layer 2 circuit is up and functional by issuing t he show
12circui t connections command.

lab@Student-MXl : PE-1> show 12circuit connections

Layer-2 Circuit Connections:

Legend for connection status (St)

EI encapsulation invalid NP interface h/w not present
MM mtu mismatch On down
EM encapsulation mismatch VC-Dn -- Virtual circuit Down
CM control-word mismatch Up -- operational
VM vlan id mismatch CF -- Call admission control failure
OL no outgoing label IB TOM incompatible bitrate
NC intf encaps not CCC/TCC TM TOM misconfiguration
BK Backup Connection ST Standby Connection
CB rcvd cell-bundle size bad SP Static P seudowire
LO local site signaled down RS remote site standby
RD remote site signaled down HS Hot-standby Connection
XX unknown

Legend for interface status

Up -- operational
On -- down
Neighbor: 172 . 17 . 20 . 6
Interface Type St Time last up # Up trans
ge-0/0/4 . 610(vc 1) rmt Up Aug 28 14: 1 1 : 31 2021 1
Remote PE : 172 .1 7 . 20 . 6 , Negotiated control-word: Yes (Null)
I ncoming label: 30 , Outgoing label: 25
Negotiated PW status TLV : No
Local interface: ge-0/0/4 . 610 , Status : Up , Encapsulation : VLAN
Flow Label Transmit: No , Flow Label Receive : No

lab@Student-MXl:PE-1>

Question: What is the status of your circuit?

www.juniper.net Lab 3: LOP-Signaled L2Circuits 59

Junos Layer 2 VPNs

Answer: The status should show that the circuit is Up. If your circuit is not Up,
review your configuration changes. Request assistance from your instructor as
needed.

Question: Can you tell from the output what your VC identifier is?

Answer: Yes, if your session is up and operational. You can see to the right of the
interface, in parenthesis, that your VC value is displayed.

Step 2.6
On your Student-MX1 device, change the CLI to the CE1-1 logical system.

On CE-1, determine if you are now able to ping from CE-1-1 to CE2-1. Ping CE1-2's PE facing interface address
(10.1.0 .2) a total of 5 t imes.

lab@Student-MXl:PE-1> set cli logical-system CEl-1

Logical system: CEl-1
lab@Student-MXl:CE l- 1> ping 1 0 . 1 . 0 .2 count 5
PING 1 0 . 1 . 0 .2 (10.1.0.2): 56 data bytes
64 bytes from 1 0 . 1 . 0 .2: icmp seq= O ttl =64 time= 493 .3 43 ms
64 bytes from 1 0 . 1 . 0 .2: icmp- seq= l ttl =64 time= 5.908 ms
64 bytes from 1 0 . 1 . 0 .2: icmp- seq=2 ttl =64 time= 5.386 ms
64 bytes from 1 0 . 1 . 0 .2: icmp- seq= 3 ttl =64 time= 5.482 ms
64 bytes from 1 0 . 1 . 0 .2: icmp- seq= 4 ttl =64 time= 6.899 ms
--- 10 .1. 0 .2 ping statistics ---
5 packets transmitted, 5 packets received , 0% packet loss
round-trip min/avg/max/stddev = 5 .3 86/ 1 03 . 404/493 .3 43/ 19 4 .970 ms
lab@Student-MXl:CE l- 1>

Question: Do your ping requests complete?

Answer: Yes, Your ping requests should complete. If they do not, review your
configuration and work with the instructor, if needed.

60 Lab 3: LOP-Signaled L2Circuits www.juniper.net

 Junos Layer 2 VPNs

Part 3: Configuring Routing Protocols On The CE Router

In t his lab part, you will configure OSPF on you r CE1-1 router. You will create a policy t hat will export your static
routes to your OSPF neighbor. Your router's OSPF neighbor will be CE1-2, wh ich is across t he LDP Layer 2 circuit
you created in t he previous part. You wi ll configure t he CE router to sha re the stat ic routes that you have
configured . You will verify t hat you are receiving the remote net works and verify reachability to the remote
loopback using the ping utility.

Step 3.1
Still on CE1-1, enter configuration mode and navigate to the [ed i t po li cy-opt i ons p ol i cy-
state men t stati cs] hierarchy. Create a term named acc e pt-stat i cs that matches and accepts the
static routes .

lab@Student-MX l: CEl- 1 > configure

Entering configuration mode

[ edi t]
lab@Student-MX l: CEl- 1 # ed i t po l icy-opt i ons policy- statement statics

[ edi t policy-opt i ons policy- statement statics ]

lab@Student-MX l: CEl- 1 # set term accept-stat i cs from protocol stat i c

[ edi t policy-opt i ons policy- statement statics ]

lab@Student-MX l: CEl- 1 # set term accept-stat i cs then accept

[ edi t policy-opt i ons policy- statement statics ]

lab@Student-MX l: CEl- 1 # s h ow
term accept-stat i cs {
f r om p r otocol static ;
t h en accept ;
}

[ edi t policy-options policy- statement statics ]

lab@Student-MX l: CEl- 1 #

Step 3.2
Next, navigate to the [ edi t protocols ospf ] hierarchy. Configure your loopback (lo0.11) and PE-facing
interface (ge-0/0/2.610) under area 0. Apply t he policy sta ti cs you defined as an export policy to your OSPF
protocol. This change will export you r stat ic routes to your peer. Comm it and exit to operational mode.

[ edi t policy-options policy- statement statics ]

lab@Student-MX l: CEl- 1 # top ed i t p r otocols ospf

[ edi t protocols ospf]

lab@Student-MX l: CEl- 1 # set a r ea O i nterface ge-0/0/2 . 610

[ edi t protocols ospf]

lab@Student-MX l: CEl- 1 # set a r ea O i nterface lo0 .1 1

[ edi t protocols ospf]

lab@Student-MX l: CEl- 1 # set export stat i cs

[ edi t protocols ospf]

lab@Student-MX l: CEl- 1 # commit and-quit
commit comp l ete
Ex i ting conf i gu r ation mode

lab@Student-MX l: CEl- 1 >

www.juniper.net Lab 3: LOP-Signaled L2Circuits 61

Junos Layer 2 VPNs

Step 3.3
Verify t hat the neighbor relationship has established between t he CE routers by issuing the s h ow ospf
ne i ghbor command.

lab@Student-MX l : CEl- 1 > show ospf neighbor

Address Interface State ID Pri Dead
10 .1. 0 . 2 ge-0/0/2 . 610 Full 10 .1. 20 . 2 1 28 37

Step 3.4
Review the routes being learned by OSPF and ensure that you have CE1-2's static routes by issu ing t he show
r o u te protocol ospf

lab@Student-MX l : CEl- 1 > show r oute protocol ospf

inet . O: 12 destinations , 1 3 r outes (12 active , 0 ho l ddown , 0 h idden)
+ = Ac ti ve Rou t e , - = Last Act i ve , * = Both

10 .1. 4 . 0/24 * [OS PF /150] 00 : 00 : 1 5 , metric 0 , tag 0

> to 10 .1. 0 . 2 via ge-0/0/2 . 610
10 .1. 5 . 0/24 * [OS PF /150] 00 : 00 : 1 5 , metric 0 , tag 0
> to 10 .1. 0 . 2 via ge-0/0/2 . 610
10 .1. 6 . 0/24 * [OS PF /150] 00 : 00 : 1 5 , metric 0 , tag 0
> to 10 .1. 0 . 2 via ge-0/0/2 . 610
10 .1. 7 . 0/24 * [OS PF /150] 00 : 00 : 1 5 , metric 0 , tag 0
> to 10 .1. 0 . 2 via ge-0/0/2 . 610
10 .1. 20 . 2/32 * [OS PF /10] 00 : 00 :1 5 , metric 1
> to 10 .1. 0 . 2 via ge-0/0/2 . 610
224 . 0 . 0 . 5/32 * [OS PF /10 ] 00 : 00 : 25 , metric 1
Mu l tiRecv
inet6 . 0 : 1 destinations , 1 routes (1 active , 0 holddown , 0 hidden)
lab@Student-MX l : CEl- 1 >

Question: Do you see al l CE1-2's static routes static?

Answer: Yes, you shou ld see all the static routes from CE1-2's network. Request
assistance from the instructor, if needed.

Step 3.5
Verify t hat you have reachabi lity to CE1-2's network by pinging the CE1-2's loopback address (10.1.20.2) five
times, whi le sourcing t he packets from CE1-1's loopback address (10.1.20.1).

•
lab@Student-MX l : CEl- 1 > ping 1 0 . 1 . 20 . 2 sou r ce 10 .1. 20 . 1 count 5
PI NG 1 0 . 1 . 20 . 2 ( 1 0 . 1 . 20 . 2) : 56 data bytes
64 bytes f r om 1 0 . 1 . 20 . 2 : i' cmp- seq= O tt l = 64 time =349 . 713 ms
64 bytes f r om 1 0 . 1 . 20 . 2 : i' cmp- seq= l tt l = 64 time =267 . 259 ms
64 bytes f r om 1 0 . 1 . 20 . 2 : i' cmp- seq=2 tt l = 64 time =228 . 820 ms
64 bytes f r om 1 0 . 1 . 20 . 2 : i' cmp- seq= 3 tt l = 64 time =1 93 . 342 ms
64 bytes f r om 1 0 . 1 . 20 . 2 : i' cmp- seq= 4 tt l = 64 time = 4 . 725 ms
--- 10 .1. 20 . 2 ping statistics ---
5 packets transmitted, 5 packets r eceived , 0 % packet loss
round-trip mi n/avg/max/stddev = 4 . 725/208 . 772/349 . 7 1 3/ 1 1 4 . 508 ms

62 Lab 3: LOP-Signaled L2Circuits www.juniper.net

 Junos Layer 2 VPNs

Question: Do your pings complete?

Answer: Yes, you shou ld be able to ping CE1-2's loopback address. If you are not
able to, please review your configuration and routes that you are receiving. Please
request assistance from the instructor, if needed.

Step 3.6
Log out of your assigned devices using the exit command.

lab@Student-MX l: CEl- 1 > clear cli logical-system

Cleared default logical system
lab@Student-MXl> exit

Student-MXl (tt yuO)

log i n :

• • Tell your instructor that you have completed this lab.

www.juniper.net Lab 3: LOP-Signaled L2Circuits 63

Junos Layer 2 VPNs

64 Lab 3: LOP-Signaled L2Circuits www.juniper.net

 Junos Layer 2 VPNs

Lab 4: FEC 129

Overview
In t his lab, you will establish a Layer 2 circuit using FEC 129 BGP autodiscovery mechanism . You will then verify
the connection again f rom CE to CE.

By complet ing this lab, you will perform t he following tasks:

• Create and establish the same Layer 2 connection over the core network using the FEC 129 BGP
autod iscovery mechanism.

• Verify connectivity and behavior using operational mode commands including ping and commands
used to examine routing tables.

www.juniper.net Lab 4 : FEC 129 Pseudowires (Optional) 65

Junos Layer 2 VPNs

Lab Diagrams

Management Network Diagram

Management Network
172.25. 11.0/24
Virtual Student Desktop Console and
I
VNC Connections '==, , , , I I

-- • -
=-=
/
· • • 11
: : : 11
Physica l
Desktops

~r,; ""'
::J ~ \--_____..~H~y:ip~e:rv~i~s:or;
Virtual Switch Management Addresses
Student-MX1 172.25.11 .1
Management Port Student-MX2 172.25.11 .2
fxpO (on all vMX devices) vr-device 172.25.11 .3
Student Desktop 172.25.11 .254

Student
Virtual Environment Note: Your instructor will provide the information
you need to access your student desktop.

O 2021 Juniper Networks JUn~J I ,

Lab: FEC 129

FEC 129 BGP Autodiscovery Circuit --.........

PE-1
lo0.1 172.17.20.1
- - - - -- -- ----------- --- ---
AS 65512
OSPF
- - - - PE-2
lo0.6 172.17.20.6
.....
X
~ ~d, ~. Area O
<O
a
9., ~
..
- -
U)
C

- C.
0 0
~
I o,q <O o,O <O CD
C
Q)
q
-
z
"'a~ >~
a· ~
a· ~
> -
q z :::,
'7
s::
- a~
"C
:::, •
8, 8,' X
U)
~
"I N
CE1-1 10.1.0.0/24 - 10.1.3.0/24 10.1.4.0/24 - 10.1 .7.0/24 CE1-2
lo0.111 0.1.20.1 AS 65101 lo0.1210.1.20.2
Site ID 1
AS 65101 S ite ID 2

O 2021 Juniper Network! Junw I 2

66 Lab 4: FEC 129 Pseudowires (Optional) www.juniper.net

 Junos Layer 2 VPNs

Part 1: Creating The Baseline SP Network

In t his lab part, you will configure t he baseline network for the lab. You will load a baseline OSPF configuration
and then enable Resou rce Reservation Protocol (RSVP) and multiprotocol label switching (MPLS) on the core-
facing interfaces. The starting configuration file also deletes the Layer 2 Circu it configuration you created in the
previous lab.

NOTE: > The instructor will tell you the nature of you r
access and will provide you with t he necessary details to
access your assigned device.

Step 1.1
You should make sure you are familiar with t he lab topology and envi ronment. This lab is comprised of eight
logical devices that are operating on th ree virtual MX (vMX) routers. These vMXs are nested inside an ESXi
environment. The four devices you are in charge of configuring (PE-1, CE1-1) reside on Student-MX1 and (PE-2,
CE1-2) reside on Student-MX2 as logical systems. The core devices (P2, P3, P4, and PS) are preconfigured on
vr-device also as logical systems.

Step 1.2
Consult the management network diagram, provided by your instructor, to determine your device's
management address.

Question: What is the management address of Student-MX1 and Student-MX2?

Answer: The management IP address of Student-MX1 is 172.25.11.1 and

Student-MX2 is 172.25.11.2

Step 1.3
Access t he CLI of your Student-MX1 device using Secure Shell (SS H) as directed by your instructor.

Log in as user lab with the password supplied by your instructor. Enter into configurat ion mode and load this
labs starting conf iguration file j 1 2v / l a b 4-s ta r t . co nf ig and exit back to operat ional mode using the
comm it and-quit command .

Student-MXl (ttypO)

log i n : l ab
Passwo r d :

Last login : Thu July 1 1 1 4 : 23 : 37 2021 from 1 72 . 25 .11. 254

- -- JUNOS 2 1. 2Rl. 10 Kerne l 64-bit JNPR-12 .1- 202 1 0529 . 2f59a40 buil
lab@Student-MX l > conf i gu r e
Entering configuration mode

[ edi t]
lab@Student-MX l # load override j l2v/lab4 - start . config
load complete

[ edi t]

www.juniper.net Lab 4: FEC 129 Pseudowires (Optional) 67

Junos Layer 2 VPNs
lab@Student-MX l# commit and-qu i t
commit complete
Exiting configuration mode

lab@Student-MX l>

Step 1.4
Access the CLI of your Student-MX2 device using Secure Shell (SSH) as directed by your instructor.

Log in as user lab with the password supplied by your instructor. Enter into configuration mode and load this
labs starting configuration file j 1 2v / lab4-s tart . conf ig and exit back to operational mode using the
commit and-quit command.

Student-MX2 (ttypO)

log i n : lab
Pass wo rd:

Last login : Thu July 1 1 1 4 :23:3 7 2021 from 1 72 . 25.1 1. 254

--- JUNOS 21 . 2Rl. 10 Kernel 64-bit JNPR-12 .1- 202 1 0529 .2 f59a40 buil
lab@Student-MX2> configure
Entering configuration mode

[ edit]
lab@Student-MX2# load override j l2 v/lab4 -start.config
load complete

[ edit]
lab@Student-MX2# commit and-quit
commit complete
Exiting configuration mode

lab@Student-MX2>

68 Lab 4: FEC 129 Pseudowires (Optional) www.juniper.net

 Junos Layer 2 VPNs

Part 2: Configuring A LDP Layer 2 Circuit Using The FEC 129 BGP
Autodiscovery Mechanism
In t his lab part, you will establish the same point-to-point Layer 2 VPN using t he FEC 129 BGP autodiscovery
mechanism. You will create a L2VPN routing instance to support the L2VPN connection using t he FEC 129
autodiscovery mechanism.

Step 2.1
On your Student-MX1 device, change the CLI to the PE-1 logical system.

On PE-1, enter into configuration mode and navigate to the [edi t routing-instanc es vpn-B] hierarchy.
Configure the instance type as 12vpn and define the VRF target using the 655 1 2 : 1 community va lue. Next,
configure t he Layer 2 VPN ID as 1 2vpn-id : 655 1 2 : 1 . Manually define the route distinguisher for t his VPN as
172 .1 7 . 20 . 1 :1 00 .
Finally include t he CE-1 facing interface (ge-0/0/4.610) in the VPN. Make sure you include the correct unit
value when applying the interface.

lab@Student-MX l> set cli logical-system PE-1

Logical system: PE-1

lab@Student-MX l:PE-1> configure

Entering configuration mode

[edit]
lab@Student-MX l:PE-1# edit routing-instances vpn-B

[edit routing -instances vpn -B]

lab@Student-MX l:PE-1# set instance-type 12vpn

[edit routing -instances vpn -B]

lab@Student-MX l:PE-1# set vrf-ta r get target:65512:1

[edit routing -instances vpn -B]

lab@Student-MX l:PE-1# set 12vpn-id 12vpn-id : 655 12:1

[edit routing -instances vpn -B]

lab@Student-MX l:PE-1# set route-distinguisher 1 72 .1 7 . 20 .1: 100

[edit routing -instances vpn -B]

lab@Student-MX l:PE-1# set interface ge-0/0/4 . 6 1 0

[edit routing -instances vpn -B]

lab@Student-MX l:PE-1# show
instance -t ype 12vpn ;
interface ge-0/0/4 . 6 1 0 ;
route-distinguisher 1 72 .1 7 .2 0 .1:1 00 ;
12vpn-id 12vpn-id : 655 12:1;
v rf-target target : 655 12:1;

[edit routing -instances vpn -B]

lab@Student-MX l:PE-1#

Step 2.2
Next, navigate to the [edit routing-instances vpn-B p ro toco ls 12 vpn] hierarchy. Create a site
named CE l-1 with a source-attachment -identifie r of 1 . Next, add the CE facing interface ge-
0/0/4.610 with t he ta rge t -a ttachment-identif ier of 2 .

www.juniper.net Lab 4: FEC 129 Pseudowires (Optional) 69

Junos Layer 2 VPNs

[edit routing -instances vpn -B]

lab@Student-MX l:PE-1# edit protocols 12vp n

[edit routing -instances vpn -B protocols 12vpn]

lab@Student-MX l:PE-1# set site CEl-1 source-attachment-identifier 1

[edit routing -instances vpn -B protocols 12vpn]

lab@Student-MX l:PE-1# set site CEl-1 interface ge-0/0/4 . 6 1 0 ta r get-at tachme nt-
identi f ier 2

Step 2.3

Review and verify the new L2VPN routing-instance configuration . Once satisfied with the configuration, commit
your changes and exit to operational mode using the commi t and-qu it command.

[edit routing -instances vpn -B protocols 12vpn]

lab@Student-MX l:PE-1# up 2

[edit rout ing-instances vpn -B]

lab@Student-MX l:PE-1# show
i ns ta nce-t ype 12vpn ;
12vpn-id 12vpn- id:655 12:1;
protocols {
12vpn {
site CEl-1 {
i nterfac e ge-0/0/4 . 610 {
ta r g e t -at tachme nt- iden t ifier 2 ;
}
source-attachment-identifier 1;
}
}
}
i n t er face g e- 0/0/4 . 6 1 0 ;
route-d istingu isher 1 72 .1 7 .2 0 .1:1 00 ;
v rf-target ta r get :655 12:1;

[edit rout ing-instances vpn -B]

lab@Student-MX l:PE-1# commit and-quit
commit complete
Exiting configuration mode

lab@Student-MX l:PE-1>

Question: What is the meaning of source-attachment identifier

and target-attachment-identifier?

Answer: They basically identify the un ique connections between the different
sites. The source-at tachmen t-identi f ier defines the loca l site
number, and the target-attachment-identifier defines the remote
site number. In this case site number 1 is connected to site number 2 in this
specific VPN ( vpn-B ).As with BGP L2VPNs site numbers need to be unique
within a given Layer 2 VPN.

Step 2.4

Determine the current status of your Layer 2 VPN with the show 12vpn connections command.

lab@Student-MX l:PE-1> show 12vpn connections

Layer-2 VPN connections :

70 Lab 4: FEC 129 Pseudowires (Optional) www.juniper.net

 Junos Layer 2 VPNs
Legend for connection status (St)
EI -- encapsulation inva l id NC interface encapsulation not CCC/TCC/VPLS
EM -- encapsulation mismatch WE interface and instance encaps not same
VC-Dn -- Virtual circuit down NP interface hardware not present
CM control-word mismatch -> only outbound connection is up
CN circuit not provisioned <- only inbound connection is up
OR out of range Up operational
OL no outgoing label Dn down
LD l ocal site signaled down CF call admission control failure
RD remote site signaled down SC local and remote site I D collision
LN l ocal site not designated LM local site I D not minimum designated
RN remote site not designated RM remote site I D not minimum designated
XX unknown connection status IL no incoming labe l
MM MTU mismatch MI Mesh-Group I D not available
BK Backup connection ST Standby connection
PF Profile parse failure PB Profile busy
RS remote site standby SN -- Static Neighbor
LB Local site not best-site RB Remote site not best-site
VM VLAN I D mismatch HS -- Hot-standby Connection

Legend for interface status

Up operational
Dn -- down

Instance : vpn-B
L2vpn-id : 65512:1
No connections found .
lab@Student-MX l : PE- 1 >

Question: What is the status of your VPN?

Answer: As the sample output indicates, there are no connections

found.

Question: What are we missing for the Layer 2 VPN?

Answer: We need to configure a BGP session that supports the FEC 129
autodiscovery NLRI.

w ww.juniper.net Lab 4 : FEC 129 Pseudow ires (Opt ional) 71

Junos Layer 2 VPNs

Part 3: Configuring BGP Peering To Support FEC 129 BGP

Autodiscovery
In t his lab part, you configure the BGP peering session to enable the FEC 129 BGP autod iscovery mechanism .
After committing the configuration, you also verify that the Layer 2 VPN is now working, and investigate the
route tables involved.

Step 3.1
On your Student-MX1 device, ensure your CLI is set to the PE-1 logica l system.

On PE-1, enter into configuration mode and navigate to the [ edit p r otoco l s bgp g r oup my-i n t-
g r oup] hierarchy. Configure the IBGP peer group to use PE-l's loopback address (172.17.20.1) as the source
address of all IBGP packets. Define PE-2 's loopback address (172.17.20.6 ) as t he neighboring device for t his
IBGP session.

Finally, in order to allow t he exchange of BGP Layer 2 VPN autodiscovery routes, you must enable t he 12vpn
autod iscovery-only NLRI for your IBGP session. Verify your BGP configuration and use t he commit and-
quit command to apply t he changes and exit to operat ion mode.

lab@Student-MXl:PE-1> configure
Entering configuration mode

[edit]
lab@Student-MXl:PE-1# edit protocols bgp group my-int-group

[edit protocols bgp group my-int-group]

lab@Student-MXl : PE-1# set type internal

[edit protocols bgp group my-int-group]

lab@Student-MXl:PE-1# set local-address 172 . 17 . 20.1

[edit protocols bgp group my-int-group]

lab@Student-MXl : PE-1# set neighbor 172 .1 7 . 20.6

[edit protocols bgp group my-int-group]

lab@Student-MXl:PE-1# set family 12vpn auto-discovery-only

[edit protocols bgp group my-int-group]

lab@Student-MXl : PE-1# show
type internal;
local-address 172.17 . 20 . 1;
family 12vpn {
auto-discovery-only ;
}
neighbor 172 . 17 . 20.6;

[edit protocols bgp group my-int-group]

lab@Student-MXl:PE-1# commit and-quit
commit complete
Exiting configuration mode
lab@Student-MXl:PE-1>

Step 3.2
Verify t hat your BGP session is in the Establ state using t he s h ow bgp summary comma nd.

lab@Student-MXl : PE-1> show bgp summary

Threading mode: BGP I /0
Default eBGP mode: advertise - accept , receive - accept
Groups: 1 Peers : 1 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
bgp . 12vpn.O
1 1 0 0 0 0
Peer AS I n Pkt Out P kt OutQ Flaps Last Up/Dwn
Statel#Active/Received/Accepted/Damped .. .

72 Lab 4: FEC 129 Pseudowires (Optional) www.juniper.net

 Junos Layer 2 VPNs
172 . 17 . 20 . 6 655 1 2 11 11 0 0 3 : 25
Establ
bgp .12vpn . O: 1 /1/ 1 /0
vpn-B. 12vpn . O: 1/ 1 / 1 /0
lab@Student-MXl: PE- 1 >

Step 3.3
Verify t hat your L2VPN connection is working by using t he sh ow 12vpn connection s command.

lab@Student-MXl: PE- 1 > show 12vpn connections

Layer-2 VPN connections :

Legend for connection status (St)

EI -- encapsulation invalid NC interface encapsulation not CCC/TCC/VPLS
EM -- encapsulation mismatch WE interface and instance encaps not same
VC-Dn -- Virtual ci r cuit down NP interface hardwa r e not p r esent
CM cont r ol-word mismatch -> only outbound connection is up
CN circuit not p r ovisioned <- only inbound connection is up
OR out of range Up operational
OL no outgoing label Dn down
LD l ocal site signaled down CF call admission control failure
RD r emote site signaled down SC local and remote site I D collision
LN local site not designated LM local site I D not minimum designated
RN r emote site not designated RM remote site I D not minimum designated
XX unknown connection status IL no incoming labe l
MM MTU mismatch MI Mesh-Gr oup I D not available
BK Backup connection ST Standby connection
PF P rofile parse failure PB Profile busy
RS r emote site standby SN -- Static Neighbor
LB Local site not best-site RB Remote site not best-site
VM VLAN I D mismatch HS -- Hot-standby Connection

Legend for inte r face status

Up operational
Dn -- down

Instance : vpn-B
L2vpn-id : 65512 : 1
Loca l source-attachment-id : 1 (CEl- 1 )
Ta r get-attachment-id Type St Time last up # Up trans
2 rmt Up Aug 3 1 09 :1 7 : 0 1 202 1 1
Remote PE: 172 .1 7 . 20 . 6 , Negotiated control-wo r d : Yes (Nul l )
I ncoming label: 31 , Outgoing label : 27
Negotiated PW status TLV : No
Local interface : ge-0/0/4 . 610 , Status : Up , Encapsulation : VLAN
Flow Label Transmit : No , Fl ow Label Receive : No

Question: What is the state of the Layer 2 VPN connection?

Answer: The state of the Layer 2 VPN should be Up .

Step 3.4
Identify the FEC 129 autod iscovery (AD) routes that are being received from t he PE-2 router by looking at the
b gp .1 2vpn. 0 and vpn-B .1 2vpn. 0 tables .

lab@Student-MXl: PE- 1 > show route table bgp . 12vpn . O

bgp . 12vpn . O: 1 destinations , 1 routes (1 active , 0 holddown , 0 h idden)

+ = Active Route , - = Last Active , * = Both

www.juniper.net Lab 4: FEC 129 Pseudowires (Optional) 73

Junos Layer 2 VPNs
172 . 17 . 20 . 6 :1 00 : 0 . 0 . 0 . 2/96 AD
*[BGP / 1 70] 00 : 05 : 38 , localpr ef 100 , from 1 72 .1 7 . 20 . 6
AS path : I , validation - state : unverified
> to 172 .1 7 . 23 . 2 via ge - 0/0/0 . 0 , Push 30
to 172 .1 7 . 23 . 6 via ge-0/0/1 . 0 , Push 3 1

lab@Student-MXl: PE-1> show route table vpn-B . 12vpn . O

vpn-B . 12vpn . O: 4 destinations , 4 routes (4 active , 0 holddown , 0 hidden)

+ = Active Route , - = Last Active , * = Both

172 . 17 . 20 .1:1 00 : 0 . 0 . 0 . l/96 AD

*[ L2VPN/170] 00 : 1 1: 26 , met r ic2 1
I ndirect
172 . 17 . 20 . 6 :1 00 : 0 . 0 . 0 . 2/96 AD
*[BGP / 1 70] 00 : 06 : 08 , localpr ef 1 00 , from 1 72 .1 7 . 20 . 6
AS path : I , validation-state : unverified
> to 172 .1 7 . 23 . 2 via ge-0/0/0 . 0 , Push 30
to 172 .1 7 . 23 . 6 via ge-0/0/1 . 0 , Push 3 1
172 . 17 . 20 . 6 : Ct r lWord : 4 : 65512 :1: 0 . 0 . 0 .1: 0 . 0 . 0 . 2/ 1 76
*[ L2VPN/7] 00 : 06 : 08 , metric2 1
> to 172 .1 7 . 23 . 2 via ge-0/0/0 . 0 , Push 30
to 172 .1 7 . 23 . 6 via ge-0/0/1 . 0 , Push 3 1
172 . 17 . 20 . 6 : Ct r lWord : 4 : 65512 :1: 0 . 0 . 0 . 2 : 0 . 0 . 0 . l/ 1 76
*[ LDP /9 ] 00 : 06 : 07
Disca r d

lab@Student-MXl: PE- 1 >

Question: Can you explain the format of the received BGP autodiscovery route in
bgp .12vpn. 0 route table?

Answer: The received AD route has the following format

172 . 1 7 . 2 0 . 6: 10 0 : 0 . 0 . 0 . 2 / 9 6 AD The 172.17.20.6:100 equals the
route-distinguisher and the 0.0.0.2 identifies the advertised site-id, which is PE-
2's source-attachment-identifier.

Step 3.5
Verify that you have received the L2VPN label through the LOP protocol using the show rou t e tab l e
l dp . 12vpn . O d eta i l command , and the s h ow ldp d atab as e session 1 72 .1 7 . 20 . 6 command

lab@Student-MXl: PE- 1 > show route table ldp . 12vpn . O detail

ldp . 12vpn . O: 1 destinations , 1 routes (1 active , 0 holddown , 0 hidden)

1 72 .1 7 . 20 . 6 : Ct r lWo r d : 4 : 65512 :1: 0 . 0 . 0 . 2 : 0 . 0 . 0 .l / 1 76 (1 entry , 0 announced)
*LOP Preference : 9
Next hop type : Discard , Next hop index : 0
Addr ess : Ox709 1 124
Next-hop reference count : 2
State : <Active Int>
Local AS : 655 1 2
Age : 9 : 30
Validation State : unverified
Task : LOP
AS path : I
VC Label 27 , MTU 1 500 , VLAN I D 6 1 0 , F low Label T Bit : 0 ,
F low Label R Bit : O
Thread : junos-main
lab@Student-MXl: PE- 1 > show ldp database session 172 .1 7 . 20 . 6
Input l abel database , 172 . 17 . 20 .1: 0-- 1 72 .1 7 . 20 . 6 : 0
Labels received : 7
Labe l Prefix
26 172 . 17 . 20 .1 /32
74 Lab 4: FEC 129 Pseudowires (Optional) www.juniper.net
 Junos Layer 2 VPNs
17 172 . 17 . 20 . 2/32
19 172 . 17 . 20 . 3/32
16 172 . 17 . 20 . 4/32
18 172 . 17 . 20 . 5/32
3 172 . 17 . 20 . 6/32
27 FEC1 29 CtrlWord VLAN 000affe8 : 0000000 1 00000002 0000000 1
Output label database , 172 . 17 . 20 .1: 0 - - 1 72 .1 7 . 20 . 6 : 0
Labels advertised : 7
Labe l Prefi x
3 172 . 17 . 20 .1 /32
25 172 . 17 . 20 . 2/32
28 172 . 17 . 20 . 3/32
26 172 . 17 . 20 . 4/32
29 172 . 17 . 20 . 5/32
27 172 . 17 . 20 . 6/32
31 FEC1 29 CtrlWord VLAN 000affe8 : 0000000 1 0000000 1 00000002
lab@Student-MXl: PE-1 >

Question: What is the outgoing VC label on PE-1 to reach the PE-2 in the L2VPN?

Answer: From the show ldp database command you can see that the
input label database shows the FEC129 label to 31 .This is the label sent from
PE-2 telling PE-1 to use this label if it wants to send traffic on this L2VPN virtua l-
circuit. The 27 label will be used by PE-2 to send traffic to PE-1. The labels would
be different on different Student devices.

www.juniper.net Lab 4: FEC 129 Pseudowires (Optional) 75

Junos Layer 2 VPNs

Part 4: Verifying The L2VPN From The CE

In t his lab part you check that the L2VPN is working from CE1-1's perspective. The CE1 devices configurat ions
have not changed so you ca n do the same verifications of OSPF and connectivity.

Step 4.1
On your Student-MX1 device, change the CLI to the CE1-1 logical system.

On CE1-1, verify that the neighbor relationship has established between the CE routers and t hat you are
receiving the appropriate routes using t he show ospf neighbor and s h ow route protocol ospf
commands.

lab@Student-MXl:PE-1> set cli logical-system CE l- 1

Logical system: CEl- 1
lab@Student-MXl : CEl- 1 > show ospf neighbor
Address I nterface State ID Pri Dead
10 .1. 0 . 2 ge-0/0/2 . 61 0 Full 10 .1. 20 . 2 1 28 33
lab@Student-MXl : CEl- 1 > show route protocol ospf
inet.O: 12 destinations , 1 3 routes (12 active , 0 holddown , 0 hidden)
+ = Active Route , - = Last Active , * = Both

10 .1. 4 . 0/24 *[OSPF/150] 00 : 20 : 31, metric 0 , tag 0

> to 10 .1. 0 . 2 via ge-0/0/2 . 610
10 .1. 5 . 0/24 *[OSPF/150] 00 : 20 : 31, metric 0 , tag 0
> to 10 .1. 0 . 2 via ge-0/0/2 . 610
10 .1. 6 . 0/24 *[OSPF/150] 00 : 20 : 31, metric 0 , tag 0
> to 10 .1. 0 . 2 via ge-0/0/2 . 610
10 .1. 7 . 0/24 *[OSPF/150] 00 : 20 : 31, metric 0 , tag 0
> to 10 .1. 0 . 2 via ge-0/0/2 . 610
10 .1. 20 . 2/32 *[OSPF/10] 00:20:31 , metric 1
> to 10 .1. 0 . 2 via ge-0/0/2 . 610
224 . 0 . 0 . 5/32 *[OSPF/10] 2d 1 9:19 : 53 , metric 1
MultiRecv
inet6 . 0 : 1 destinations , 1 routes (1 active , 0 holddown, 0 hidden)
lab@Student-MX l : CEl- 1 >

Question: Do you see al l the CE1-2's static routes?

Answer: Yes, you shou ld see all the static routes from the CE1-2's network. If you
do not, check your configurations and request assistance from the instructor, if
needed.

Step 4.2
Verify t hat you have reachabi lity to t he CE1-2's network by pinging t he CE1-2's loopback address (10.1.20.2)
five times, while sourcing t he packets from CE1-1's loopback address (10.1.20.1).

76 Lab 4 : FEC 129 Pseudowires (Opt ional) www.juniper.net

 Junos Layer 2 VPNs

lab@Student-MXl: CEl- 1 > ping 1 0 . 1 . 20 . 2 sou r c e 10 .1. 20 . 1 count 5

PI NG 1 0 . 1 . 20 . 2 (1 0 .1. 20 . 2) : 56 d ata byte s
64 bytes f r om 1 0 . 1 . 20 . 2 : i cmp seq= O tt l = 64 time = 6 .1 90 ms
64 bytes f r om 1 0 . 1 . 20 . 2 : i cmp- seq= l tt l = 64 time = 6 . 555 ms
64 bytes f r om 1 0 . 1 . 20 . 2 : i cmp- seq=2 tt l = 64 time =9 . 52 1 ms
64 bytes f r om 1 0 . 1 . 20 . 2 : i cmp- seq= 3 tt l = 64 time = 6 . 5 1 6 ms
64 bytes f r om 1 0 . 1 . 20 . 2 : i cmp= seq= 4 tt l = 64 time =S . 898 ms
- -- 10 .1. 20 . 2 ping statistics - - -
5 packets transmi tted , 5 packets r eceived , 0 % packet loss
round-trip mi n/avg/max/stddev = 5 . 898/6 . 936/9 . 521/ l. 314 ms

Question: Do your pings complete?

Answer: Yes, you shou ld be able to ping CE1-2's loopback address. If you are not
able to, please review your configuration and routes that you are receiving. Please
request assistance from the instructor, if needed.

Step 4.3
Log out of your assigned devices using the exit command.

lab@Student-MXl: CEl- 1 > c l ear c l i logical - system

Cl eared default logical system
lab@Student-MX l > exit

Student-MXl (ttyuO)
log i n :

• • Tell your instructor that you have completed this lab.

www.juniper.net Lab 4: FEC 129 Pseudowires (Optional) 77

Junos Layer 2 VPNs

78 Lab 4: FEC 129 Pseudowires (Optional) www.juniper.net

 Junos Layer 2 VPNs

Lab 5: VPLS

Overview
In t his lab, you will establish an LDP virt ual private LAN service (VPLS) and a BGP VPLS bet ween provider edge
(PE) routers. You will also configure a virtual switch to act as t he customer edge (CE) router. There will be
redundant links between the PE and CE routers so you will be required to prevent any Layer 2 loops from
forming.

By complet ing this lab, you will perform t he following tasks:

• Load t he initial configuration and verify proper operat ion of t he IGP, MPLS and LDP.

• Verify the CE1-1 logical system that will be the Layer 3 device at the customer edge.
• Verify the CE-VS logical system that will act as one of the CE router.

• Configure an LDP VPLS instance across the core network.

• Configure a FEC 129 BGP autodiscovery VPLS instance across the core network.

• Configure a BGP VPLS instance across t he core network.

• Configure redundant links between CE and PE routers and prevent Layer 2 loops from forming.

• Verify connectivity and behavior using operational mode commands including p in g and commands
used to examine routing tables, and PE to PE router BGP an nouncements.

www.juniper.net Lab 5: VPLS 79

Junos Layer 2 VPNs

Lab Diagrams

Management Network Diagram

Management Network
172.25.11.0/24
Virtual Student Desktop Console and I
I
VNC Connections I

~11=-===11
/ Physical
Desktops

~r:; "'
~~ \ . - - - - --"-~H~y:
pe:.r~i
v s::;~
Virtual Switch Management Addresses
Student-MX1 172.25.11.1
Management Port Student-MX2 172.25.11 .2
fxpO (on all vMX devices) vr-device 172.25.11 .3
Student Des ktop 172.25.11 .254

Student
Virtual Environment Note: Your instructor will provide the information
you need to access your student desktop.

O 2021 Juniper Network! JUn~J I ,

Management Network Diagram

Management Network
172.25.11.0/24
Virtual Student Desktop Console and I

VNC Connections •~ I I

•=

--11=====11
/ Physical
Desktops

~~
~r::; "'
\ . - - - - --"-~H~y:p:e.r~v is::;~
Virtual Switch Management Addresses
Student-MX1 172.25.11 .1
Management Port Student-MX2 172.25.11 .2
fxpO (on all vMX devices) vr-device 172.25.11 .3
Student Desktop 172.25.11 .254

Student
Virtual Environment Note: Your instructor will provide the information
you need to access your student desktop.

O 2021 Juniper Network! Junw I ,

80 Lab 5: VPLS www.juniper.net

 Junos Layer 2 VPNs

Lab: VPLS, Part 2-3 (LDP)

VPLS
PE-1
lo0.1 172.17.20.1
- --- -- -- ----------- --- --- ----
AS 65512
OSPF
PE-2
lo0.6 172.17.20.6
.....
X
~
ge-0/0/5 ge-0/0/6 Area O
~
9
., ..,~ - -
(f)
C

-
0 C.
ge-0/0/3 ge-0/0/7
I o,O <D
CD
C C! z :::,
CE-VS 1>
Q) o
c5 -. '7
c5 ~ s::
-
"C
:::, VLAN 610 ge-0/0/4 '
(f) 10.1.0.1/24 ge-0/0/2
& "! X
N
CE1-1 CE1-2
lo0.11 10.1.20.1 lo0.12 10.1.20.2
Site ID 1 Site ID 2

O 2021 Juniper Network! Junw I 3

Lab: VPLS, Part 4 (FEC 129)

VPLS
PE-1
lo0.1 172.17.20.1
- - - ---- ------------- ---
AS 65512
OSPF
- - - - - - PE-2
lo0.6 172.17.20.6
..-
X
~
ge-0/0/5 Area O
~
-- -
(f)
C

- 9~ 0 C.
ge-0/0/3 ge-0/0/7
.,o,C!
-s::
I <D
CD
C C! z :::,
CE-VS o 1>
Q) c5 -. I
c5 ~

-
"C
:::, VLAN 610 ge-0/0/4 '
( f) 10.1.0.1/24 ge-0/0/2
& "! X
N
CE1-1 CE1-2
lo0.111 0.1 .20.1 lo0.12 10.1.20.2
Site ID 1 Site ID 2

O 2021 Juniper Network! Junw I •

www.juniper.net Lab5: VPLS 81

Junos Layer 2 VPNs

Lab: VPLS, Part 5 (BGP)

VPLS
PE-1
lo0.1 172.17.20. 1
- - --- ----------------- ----
AS 65512 - - - PE-2
lo0.6 172.1 7.20.6

x ge-0/0/5
-
ge-0/0/6
r--
OSPF
Area 0
icl ... -
en
C:
~ ge-0/0/3 ge-0/0/7
0
0.
..!. '"' "'z
a,q
Q) -

q
~

Cl)
::,
C: CE-VS
Q) o~
c5 . :5 -;--
>
-0
::, VLAN 610 ge-0/0/4 '1 ~ ~
en 10.1.0.1/24 ge-0/0/2 & <'i ><
I\.)
CE1-1 CE1-2
lo0.1110.1 .20.1 lo0.12 10.1.20.2
Site ID 1 S ite ID 2

O 2021 Ju,-per Network! JUn~J I s

82 Lab 5: VPLS www.juniper.net

 Junos Layer 2 VPNs

Part 1: Creating The Baseline SP Network

In t his lab part, you will configure t he baseline network for the lab. You will load t he sta rt ing configuration t hat
will serve as your basel ine for this lab. You wi ll verify the baseline protocols are establishing correct ly. You will
then review the CE1-1 configurations and val idate the CE facing interface has been properly configured. Finally,
you review t he configuration and va lidate the CE-VS logical system 's bridging setup.

NOTE: > The instructor will tell you the nature of you r
access and will provide you with t he necessary details to
access your assigned device.

Step 1.1
This lab is comprised of nine logical devices that are operating on t hree virtua l MX (vMX) routers. These vMXs
are nested inside an ESXi hypervisor. The five devices you are in charge of configuring (PE-1, CE-VS, CE1-1 ) are
residing on Student-MX1 and (PE-2, CE1-2) reside on Student-MX2 as logical systems. The core devices (P2,
P3, P4, and P5) are preconfigured on vr-device also as logical systems. You will also be required to configure a
virtual switch routing instance on you r PE-1 logical system to act as a CE device.

Step 1.2
Consu lt the management network diagram, provided by your instructor, to determine your device's
management address.

Question: What is the management address of Student-MX1 and Student-MX2?

Answer: The management IP address of Student-MX1 is 172.25.11.1 and

Student-MX2 is 172.25.11.2

Step 1.3
Access t he CLI of your Student-MX1 device using Secure Shell (SSH ) as directed by your instructor.

Log in as user lab with the password supplied by your instructor. Enter into configurat ion mode and load t his
labs starting configuration file j 1 2v / l a b 5-s ta r t . con f ig and exit back to operat ional mode using the
commi t and-quit command.

Student-MXl (ttypO)

login : l ab
Passwo r d :

Last login : Thu July 1 1 14 : 23 : 37 2021 from 1 72 . 25 . 1 1. 254

--- JUNOS 2 1. 2Rl. 10 Kerne l 64-bit JNPR-12 .1 -202 1 0529 . 2f59a40 buil
lab@Student-MX l > configu r e
Entering configuration mode

[ edit]
lab@Student-MX l # load override j l2v/lab5-start . config
load complete

[ edit]
lab@Student-MX l # commit and-qu i t
commit complete

www.juniper.net Lab 5: VPLS 83

Junos Layer 2 VPNs
Ex i ting conf i gu r ation mode

lab@Student-MX l >

Step 1.4
Access t he CLI of your Student-MX2 device using Secure Shell (SSH) as directed by your instructor.

Log in as user lab with the password supplied by your instructor. Enter into configurat ion mode and load this
labs starting configuration file j 1 2v / l a b 5-s ta r t . co nf ig and exit back to operat ional mode using
the commi t a n d-qui t command .

Student-MX2 (ttypO)

log i n : l ab
Passwo r d :

Last login : Thu July 1 1 1 4 : 23 : 37 2021 from 1 72 . 25 .11. 254

- -- JUNOS 2 1. 2Rl. 10 Kerne l 64-bit JNPR-12 .1- 202 1 0529 . 2f59a40 buil
lab@Student-MX2> conf i gu r e
Entering configuration mode

[edi t]
lab@Student-MX2# load override j l 2v/lab5 - start . config
load complete

[edi t]
lab@Student-MX2# commi t and- qu i t
commit complete
Ex i ting conf i gu r ation mode

lab@Student-MX2>

Step 1.5
Return to you r Student-MX1 device, change the CLI to t he PE-1 logical system.

On PE-1, use t he sh o w co nf igu rat i o n p r otoco l s command to review and analyze t he protocols that
have been preconfigured for you.

lab@Student-MX l > set cli l ogical-system PE - 1

Log i ca l system : PE -1

lab@Student-MXl: PE -1 > show configuration p r otoco l s

ldp {
interface ge-0/0/0 . 0 ;
interface ge-0/0/ 1. 0 ;
interface l o0 . 1 ;
}
mp l s {
interface ge-0/0/0 . 0 ;
interface ge-0/0/ 1. 0 ;
}
ospf {
a r ea 0 . 0 . 0 . 0 {
interface ge-0/0/0 . 0 ;
interface ge-0/0/ 1. 0 ;
interface lo0 . 1 ;
}
}

lab@Student-MXl: PE -1 >

84 Lab 5: VPLS www.juniper.net

 Junos Layer 2 VPNs

Question: Which protocols have been preconfigured for you?

Answer: OSPF, MPLS, and LOP have all been preconfigured.

Step 1.6
Verify t hat your Open Shortest Path First (OSPF) neighbor relationships are up and operational.

lab@Student-MXl : PE- 1 > show ospf ne i ghbor

Address Interface State ID Pri Dead
172 . 17 . 23 . 2 ge-0/0/0 . 0 Full 172 .1 7 . 20 . 2 1 28 33
172 . 17 . 23 . 6 ge-0/0/ 1. 0 Full 172 .1 7 . 20 . 3 1 28 39

Question: What is the state of your PE router's OSPF neighbors?

Answer: After a short time, the OSPF neighbors should attain the Full state.

Step 1.7
Use the show mp l s inte rfac e comma nd to verify that MPLS is configured correctly on the core-facing
i nte rf aces.

lab@Student-MXl: PE-1 > show mp l s interface

Interface State Admin i st r ative groups (x : extended)
ge-0/0/0 . 0 Up <none>
ge-0/0/ 1. 0 Up <none>

Question: Can your core-facing interfaces support the transmission of MPLS

packets?

Answer: The output of the command shows that the two interfaces can support
the forward ing of MPLS packets.

www.juniper.net Lab 5: VPLS 85

Junos Layer 2 VPNs

Step 1.8
Verify t hat your router has established LOP neighbor relationships with the neighboring P routers.

lab@Student-MX l : PE - 1 > show ldp neighbor

Address I nterface Labe l space ID Hold time
172 . 17 . 23 . 2 ge-0/0/0 . 0 1 72 . 1 7 . 20 . 2 : 0 14
172 . 17 . 23 . 6 ge-0/0/ 1 . 0 1 72 . 1 7 . 20 . 3 : 0 13
172 . 17 . 20 . 6 lo0 .1 1 72 . 1 7 . 20 . 6 : 0 34
lab@Student-MX l : PE - 1 > show ldp session
Addr ess State Connection Hold time Adv . Mode
172 . 17 . 20 . 2 Ope r ational Open 23 DU
172 . 17 . 20 . 3 Ope r ational Open 23 DU
172 . 17 . 20 . 6 Ope r ational Open 23 DU

lab@Student-MX l : PE- 1 >

Question: What is the state of PE-l's relationsh ip with the neighboring P routers?

Answer: The neighboring P routers shou ld be in the Operationa l state with the PE-
1 router.

Step 1.9
Verify t hat t he i ne t . 3 routing table conta ins an LOP route to t he remote PE router.

lab@Student-MX l : PE- 1 > show route table inet . 3

inet . 3 : 5 destinations , 5 routes (5 active , 0 holddown , 0 hidden)

+ = Active Route , - = Last Active , * = Both

172 . 17 . 20 . 2/32 * [ LDP /9) 3d 18 : 04 : 28 , metric 1

172 . 17 . 20 . 3/32
172 . 17 . 20 . 4/32
172 . 17 . 20 . 5/32
172 . 17 . 20 . 6/32
> to 172 .1 7 . 23 . 2 via ge-0/0/0 .0
* [ LDP /9) 3d 18 : 04 : 28 , metric 1
> to 172 .1 7 . 23 . 6 via ge-0/0/1 .0
* [ LDP /9) 3d 18 : 04 : 28 , metric 1
> to 172 .1 7 . 23 . 2 via ge-0/0/0 . 0 , Push 23
* [ LDP /9) 3d 18 : 04 : 28 , metric 1
> to 172 .1 7 . 23 . 6 via ge-0/0/1 . 0 , Push 1 7
* [ LDP /9) 3d 18 : 04 : 28 , metric 1
to 172 .1 7 . 23 . 2 via ge-0/0/0 . 0 , Push 30
> to 172 .1 7 . 23 . 6 via ge-0/0/1 . 0 , Push 3 1

Question: Do you see the LDP route to the PE-2 router in your inet.3 routing table?

86 Lab 5: VPLS www.juniper.net

 Junos Layer 2 VPNs

Answer: Yes, you shou ld see the LOP route in the inet.3 routing table now. If you
do not, please review your configuration and verify the state of your MPLS LSP is
Up.

Step 1.10
Verify MPLS connectivity to PE-2's loopback using the MPLS ping utility.

lab@Student-MXl:PE-1> ping mpls l dp 172 . 17 .2 0 . 6

.I .I .I .I .I
--- lsp i ng statistics ---
5 packets transmitted, 5 packets received , 0% packet loss

Question: Are your MPLS pings successful?

Answer: Yes, your pings should succeed. If they do not, verify you loaded to correct
starting configuration file. Contact your instructor if you need assistance.

Step 1.11
On your Student-MX1 device, change the CLI to the CE1-1 logical system.

On CE1-1, issue the show configu r ation comma nd to view the current configuration of the CE1-1 router.

lab@Student-MXl:PE-1> set cli logical-system CEl-1

Logical system: CEl-1
lab@Student-MX l:CE l- 1> show configuration
interfaces {
ge-0/0/2 {
unit 610 {
vlan-id 61 0 ;
family inet {
address 1 0 . 1 . 0 . 1/24 ;
}
}
}
loO {
unit 1 1 {
family inet {
address 1 0 . 1 .2 0 .1 /32 ;
}
}
}
}

Question: Which interfaces have been configured on the CE router? According to

the lab diagram, do they have the appropriate IP addressing?

www.juniper.net Lab 5: VPLS 87

Junos Layer 2 VPNs

Answer: The CE router should have both the loopback and ge-0/0/2 interface
configured with the appropriate addressing according to the lab diagram.

Question: Referring to the lab guide, what is the IP address of CE1-2's ge-0/0/0
interface?

Answer: The CE1-2's ge-0/0/0 interface is on the same subnet as the local CE1-
1's ge-0/0/2 interface.

Question: Why must both CE router interfaces be in the same subnet?

Answer: The reason both CE router interfaces must be in the same subnet is
because you are configuring the PE router to pass the traffic based on the Layer 2
information. As far as the CE1 routers are concerned, they are directly connected.

Step 1.12
Use the ping utility to attempt to ping the remote CE router's ge-0/0/0 interface (10.1.0.2).

lab@Student-MX l : CEl- 1 > ping 10 . 1 . 0 . 2 r apid count 5

PI NG 10 . 1 . 0 . 2 ( 1 0 . 1 . 0 . 2): 56 data bytes
• • • • •
--- 10 .1. 0 . 2 ping statistics ---
5 packets transmi tted , 0 packets r eceived , 1 00 % packet l oss

Question: Does your ping succeed? Why?

Answer: The pings do not succeed because the local and remote PE router's CE
facing interfaces have not been configured as part of a VPLS instance.

Step 1.13
On your Student-MX1 device, change the CLI to the CE-VS logical system.

On CE-VS, use the show co n f i gu r atio n command to display the current configuration. This logical system
will act as a CE device for t his lab. The CE-VS is configured with one interface t hat connects to the CE1-1 logica l
system and two interfaces t hat connect to the PE logical system. Use t he lab d iagram to verify t he intended
connectivity.

lab@Student-MX l : CEl- 1 > set cli logica l -system CE-VS

Logical system: CE-VS

88 Lab 5: VPLS www.juniper.net

 Junos Layer 2 VPNs
lab@Student-MXl : CE-VS> show configuration
interfaces {
ge-0/0/3 {
unit 610 {
encapsulation vlan-bridge;
vlan-id 610 ;
}
}
ge-0/0/4 {
unit 610 {
encapsulation vlan-bridge;
vlan-id 610;
}
}
ge-0/0/7 {
unit 610 {
encapsulation vlan-bridge;
vlan-id 610 ;
}
}
}
bridge-domains {
vlan-610 {
vlan-id 610 ;
interface ge-0/0/4.610;
interface ge-0/0/3.610;
interface ge-0/0/7.610;
}
}

Step 1.14
Finally, verify t he status of the Layer 2 CE-VS device using t he show b ridge domain command.

lab@Student-MXl:CE-VS> show bridge domain

Routing instance Bridge domain VLAN ID I nterfaces

default vlan-6 1 0 610
ge-0/0/3 . 610
ge-0/0/4 . 610
ge-0/0/7 . 610

Question: Have the three interfaces been applied to the correct routing instance
and bridge domain?

Answer: The three Layer 2 interfaces should be applied to the CE virtual switch. If
not, verify your configuration and check with your instructor if you need help.

www.juniper.net Lab 5: VPLS 89

Junos Layer 2 VPNs

Part 2: Configuring An LOP VPLS Instance

In t his lab part, you will configure an LOP VPLS instance . You will include the CE router-facing interface withi n
this instance.

Step 2.1
On your Student-MX1 device, change the CLI to the PE-1 logica l system.

On PE-1, enter into configuration mode and navigate to the [ edi t i n t erfac e s ] hierarchy. Use t he show
ge-0 / O/ 6 comma nd to review the current configuration for this interface.

lab@Student-MXl : CE-VS> set cli logical-system PE-1

Logical system: PE-1

lab@Student-MXl : PE-1> configure

Entering configuration mode

[edit]
lab@Student-MXl : PE-1# edit interfaces

[edit interfaces]
lab@Student-MXl : PE-1# show ge-0/0/6
unit 610 {
encapsulation vlan-vpls;
vlan-id 610 ;
}

[edit interfaces]
lab@Student-MXl : PE-1#

Question: What encapsu lation and VLAN are configured on the CE facing
interface?

Answer: The ge-0/0/6 interface is configured with the VLAN ID of 610 and vlan-
vpls encapsu lation.

Step 2.2
Still on PE-1, navigate to t he [ed i t routing-instances vpn-1 ] hierarchy. Specify t hat t his is a VPLS
instance and add t he ge-0 / O/ 6 . 6 1 O interface. Make sure you specify the correct unit when applying t he
interface.

[edit interfaces]
lab@Student-MXl : PE-1# top edit routing-instances vpn-1

[edit routing-instances vpn-1]

lab@Student-MXl : PE-1# set instance-type vpls

[edit routing-instances vpn-1]

lab@Student-MXl : PE-1# set interface ge-0/0/6.610

[edit routing-instances vpn-1]

lab@Student-MXl : PE-1#

90 Lab 5: VPLS www .juniper.net

 Junos Layer 2 VPNs

Step 2.3
Next, navigate to the [edit routing-instances vpn-1 p r otoco l s vpls ] hierarchy. Create an LDP
VPLS instance using a VPLS ID of 1 oo and specifyi ng t he PE-2 router as t he neighbor (172.17.20.6). Once
completed, com mit your configurat ion and exit to operational mode.

[edit routing-instances vpn- 1 ]

lab@Student-MXl : PE-1# edit p r otocols vpls

[edit routing-instances vpn- 1 protocols vpls]

lab@Student-MXl : PE-1# set vpls-id 100 neighbor 172 .1 7.20 . 6

[edit routing-instances vpn- 1 protocols vpls]

lab@Student-MXl : PE-1# commit and-quit
commit complete
Exiting configu r ation mode
lab@Student-MXl : PE-1>

Step 2.4
Check t he status of the VPLS connection using the show vp l s con n e ctions command.

lab@Student-MXl : PE-1> show vpls connections

Layer-2 VPN connections :

Legend for connection status (St)

EI -- encapsulation invalid NC interface encapsulation not CCC/TCC/VPLS
EM -- encapsulation mismatch WE interface and instance encaps not same
VC-Dn -- Virtual circuit down NP interface hardware not present
CM cont r ol-word mismatch -> only outbound connection is up
CN circuit not provisioned <- only inbound connection is up
OR out of range Up operational
OL no outgoing label Dn down
LD local site signaled down CF call admission control failure
RD remote site signaled down SC local and remote site I D collision
LN local site not designated LM local site I D not minimum designated
RN remote site not designated RM remote site I D not minimum designated
XX unknown connection status IL no incoming label
MM MTU mismatch MI Mesh-Group I D not available
BK Backup connection ST Standby connection
PF P rofile parse failure PB Profile busy
RS remote site standby SN -- Static Neighbor
LB Local site not best-site RB Remote site not best-site
VM VLAN I D mismatch HS -- Hot-standby Connection

Legend for inte r face status

Up operational
Dn -- down

Instance : vpn- 1
VPLS-id : 1 00
Neighbor Type St Time last up # Up trans
172 . 17 . 20 . 6(vpls-id 1 00) rmt NP

Question: Has a VPLS pseudowire been establ ished to the remote PE router?

w ww.juniper.net Lab 5: VPLS 91

Junos Layer 2 VPNs

Answer: The output of the command should show that the VPLS is not in the up
state.

Question: What does the legend suggest the current state might be? What is the
solution to the problem?

Answer: The VPLS is in the NP state. According to the legend this state means that
the interface hardware is not present. Th is absence generally equates to a
missing tunnel services PIC. You simply must enable tunnel services on your PE
router.

Step 2.5
Since we are dealing wit h many logical systems we must enable tun nel services in the main instance. On your
Student-MX1, change t he CLI to the main instance using t he clear cli log i ca l -sys t em command.
In your main instance, enter into configuration mode and navigate to t he [ edi t chassis] hierarchy. Enable
tunnel services on FPC slot 1, PIC slot Oat a bandwidth of 1 Gbps. Commit your configuration and exit to
operat ional mode.

lab@Student-MX l:PE-1> clear cli logical-s ystem

Cleared de fault log ica l system

lab@Student-MX l> configure

Entering configuration mode

[ edit]
lab@Student-MX l# edit chassis

[ edit chassis ]
lab@Student-MX l# set fpc Opie O tunnel-services bandwidth lG

[ edit chassis ]
lab@Student-MX l# commit and-quit
commit complete
Exiting configuration mode
lab@Student-MX l>

Step 2.6
Return to you r Student-MX2 device, enter into configuration mode and navigate to t he [edi t
c h assis] hierarchy. Enable tun nel services on FPC slot 1, PIC slot Oat a bandwidth of 1 Gbps. Commit your
configuration and exit to operational mode.

lab@Student-MX2> configure
Entering configuration mode

[ edit]
lab@Student-MX2# edit chassis

[ edit chassis ]
lab@Student-MX2# set fpc Opie O tunnel-services bandwidth lG

[ edit chassis ]
lab@Student-MX2# commit and-quit
commit complete
Exiting configuration mode
92 Lab 5: VPLS www.juniper.net
 Junos Layer 2 VPNs

lab@Student-MX2>

Step 2.7
Return to your Student-MX1 device, change the CLI to t he PE-1 logical system.

On PE-1, check t he status of the VPLS connection us ing the show vpls connections extensive
command.

lab@Student-MX l > set cli logical-system PE- 1

Logical system: PE- 1
lab@Student-MX l :PE- 1 > show vpls connections extensive
Layer-2 VPN connections:
Legend for connection status (St)
EI -- encapsulation inva l id NC interface encapsulation not CCC/TCC/VPLS
EM -- encapsulation mismatch WE interface and instance encaps not same
VC-Dn -- Virtual circuit down NP interface hardware not present
CM control-word mismatch -> only outbound connection is up
CN circuit not provisioned <- only inbound connection is up
OR out of range Up operational
OL no outgoing label Dn down
LD l ocal site signaled down CF call admission control failure
RD remote site signaled down SC local and remote site I D collision
LN l ocal site not designated LM local site I D not minimum designated
RN remote site not designated RM remote site I D not minimum designated
XX unknown connection status I L no incoming labe l
MM MTU mismatch MI Mesh-Group I D not available
BK Backup connection ST Standby connection
PF P rofile parse failure PB Profile busy
RS remote site standby SN -- Static Neighbor
LB Local site not best-site RB Remote site not best-site
VM VLAN I D mismatch HS -- Hot-standby Connection

Legend for interface status

Up -- operational
Dn -- down

Instance: vpn- 1
VPLS-id: 100
Number of l ocal interfaces: 1
Number of l ocal interfaces up: 1
ge-0/0/6 . 61 0
vt-0/0/10 . 68157440 I ntf - vpls vpn- 1 neighbor 1 72 . 17 . 20 . 6 vpls-id
100
Neighbor Type St Time last up # Up trans
172 . 17 . 20.6(vpls-id 1 00) rmt Up Sep 1 08 : 07 : 24 2021 1
Remote PE : 172 . 17 . 20 . 6 , Negotiated control-word: No
I ncoming labe l : 32 , Outgoing label: 28
Negotiated PW status TLV : No
Local interface : vt-0/0/ 1 0 . 68157440 , Status: Up , Encapsulation : ETHERNET
Description: I ntf - vpls vpn- 1 neighbor 172 . 17 . 20.6 vpls-id 1 00
Flow Label Transmit: No , Fl ow Label Receive: No
Connection History:
Sep 1 08:07:24 2021 status update timer
Sep 1 08:07:24 2021 PE route changed
Sep 1 08:07:24 2021 Out lbl Update 28
Sep 1 08:07:24 2021 I n lbl Update 32
Sep 1 08:07:24 2021 loc intf up vt-0/0/10 . 68157440
lab@Student-MX l : PE- 1 >

www.juniper.net Lab 5: VPLS 93

Junos Layer 2 VPNs

Question: Has a VPLS pseudowire been established to the remote PE router?

Answer: The output of the command should show that the VPLS is now in the up
state.

Question: Which transm it and receive labels have been reserved for the VPLS?

Answer: This answer wi ll vary between students. The example outputs indicates
the receive label is 32 and the sending is 33.

Question: Which local interfaces are listed as participating in the VPLS instance?

Answer: The ge-0/0/6 interface and a randomly generated vt-0/0/10 interface

should be listed as participating in the VPLS instance.

Step 2.8
On your Student-MX1 device, change the CLI to the CE1-1 logical system.

On CE1-1, determine if you have connectivity from CE1-1 to CE1-2 through the VPLS instance by pinging CE1-
2 's ge-0/0/0 interface address (10.1.0.2). Send five packets for this test.

lab@Student-MXl: PE- 1 > set cli l ogical-system CEl -1

Logical system : CEl- 1
lab@Student-MX : CEl- 1 > ping 10 .1. 0 . 2 count 5
PI NG 1 0 . 1 . 0 . 2 (1 0 . 1 . 0 . 2) : 56 data bytes
64 bytes f r om 1 0 . 1 . 0 . 2 : icmp seq=O tt l =64 t i me= l 0 . 758 ms
64 bytes f r om 1 0 . 1 . 0 . 2 : icmp- seq= l tt l =64 t i me= l 0 . 425 ms
64 bytes f r om 1 0 . 1 . 0 . 2 : icmp- seq=2 tt l =64 t i me= 1 5 . 600 ms
64 bytes f r om 1 0 . 1 . 0 . 2 : icmp- seq= 3 tt l =64 t i me=24 . 01 8 ms
64 bytes f r om 1 0 . 1 . 0 . 2 : icmp- seq= 4 tt l =64 t i me= 6 . 705 ms
- -- 10 .1. 0 . 2 pi n g statist i cs -- -
5 packets transmi tted , 5 packets r eceived , 0 % packet loss
round-trip mi n/avg/max/stddev = 6 . 705/ 1 3 . 50 1 /24 . 018/5 . 970 ms

Question: Do all your ping packets complete?

94 Lab 5: VPLS www.juniper.net

 Junos Layer 2 VPNs

Answer: Yes, they should all complete. If they do not, please review your
configuration and request assistance from your instructor, if needed.

Step 2.9
On your Student-MX1 device, change the CLI to the PE-1 logical system.

On PE-1, use the s how vpl s s tatist i c s command to view details of t raffic t hat has t raversed t he VPLS.

lab@Student-MXl: CEl- 1 > set cl i log i ca l -system PE-1

Log i ca l system : PE- 1
lab@Student-MXl: PE- 1 > show vp l s statisti cs
VPLS statisti cs :

Instance : vpn- 1
Loca l interface : ge-0/0/6 . 6 1 0 , I ndex : 360
Broadcast packets : 1
Broadcast bytes : 64
Mu l ticast packets : 0
Mu l ticast bytes : 0
Flooded packets : 0
Flooded bytes : 0
Un i cast packets : 5
Un i cast bytes : 51 0
Current MAC count : 1 (Limit 1024)
Loca l interface : vt-0/0/10 . 68 1 57440 , Index : 364
Remote PE: 1 72 . 17 . 20 . 6
Broadcast packets : 0
Broadcast bytes : 0
Mu l ticast packets : 0
Mu l ticast bytes : 0
Flooded packets : 0
Flooded bytes : 0
Un i cast packets : 6
Un i cast bytes : 574
Current MAC count : 1

Question: How many broadcast packets have been received on the ge-0/0/6
interface? Can you th ink of a reason why the PE router has received a broadcast
packet?

Answer: The number of broadcast packets will vary but at th is point in the lab
there should be at least one (it cou ld take some time for it to show up). An
address resolution protocol (ARP) exchange was necessary for the local router to
determine the media access control (MAC) address of the remote router. An ARP
is sent as a broadcast.

Step 2.10
Use the show v pls mac-tab le command to determine whether t he PE router has learned any MAC
addresses. You might need to issue another ping from the local customer router to allow for the PE router to
learn MAC addresses.

lab@Student-MX l : PE-1 > show vp l s mac - tab l e

www.juniper.net Lab 5: VPLS 95

Junos Layer 2 VPNs
MAC flags (S -static MAC , D -dynamic MAC , L - l ocal l y learned, C -Control MAC
0 -OVSDB MAC , SE -Statist i cs enable d , NM - Non configu r ed MAC , R -Remote PE
MAC , P - Pinne d MAC , FU - Fast Update)
Log i ca l syste m : PE -1
Routing instance : vpn -1
Br idging domain : _ vpn- 1 , VLAN : NA
MAC MAC Logica l NH MAC active
addre ss f l ags inte r face Index property source
OO : Oc : 29 : 01 : 3e : fe D ge-0/0/6 . 61 0
OO : Oc : 29 : 2c : cb : 3e D vt-0/0/ 1 0 . 68157440

Question: Of the MAC addresses that have been learned, which one is owned by
CE1-1 and which one is owned by the CE1-2?

Answer: The answer wi ll vary, but the one associated with the vt-0/0/ 10 interface
should be owned by the CE1-2. The MAC address associated with the ge-0/0/6
interface is owned by the loca l CE1-1. If you do not see any entries, return to your
CE1-1 device and ping the CE1-2 device aga in.

96 Lab 5: VPLS www.juniper.net

 Junos Layer 2 VPNs

Part 3: Using MSTP To Prevent A Layer 2 Loop In A VPLS Instance

In t his lab part, you will add a second interface for redundancy between the PE-1 and CE1-1 routers that will
create a Layer 2 loop. To ensure that only one interface is learning and forwarding at any one time, you will
configure Multiple Spanning Tree Protocol (MSTP) between the PE and CE routers using a Layer 2 control
instance on the PE router.

Step 3.1
On your Student-MX1, enter configuration mode and navigate to the [edit int erfaces] hierarchy. Review
the ge-0/0/5 interface configuration. This interface will be used as the second CE router-facing interface for the
VPLS instance. Remember that the ge-0/0/11 interface was already added to the CE-VS logical system's bridge
domain.

lab@Student-MX l:PE-1> configure

Entering configuration mode

[edit]
lab@Student-MX l:PE-1# edit i n terfaces

[edit interfaces]
lab@Student-MX l:PE-1# show ge-0/0/5
un i t 6 1 0 {
encapsulation v lan- vp ls;
vlan - id 610 ;
}

[edit interfaces]
lab@Student-MX l:PE-1#

Step 3.2
Still on PE-1, navigate to t he [edi t rou ting-ins tances] hierarchy. Add the ge-0/0/5.610 interface to
the VPLS instance. Commit your configuration and exit to operational mode.

[edit interfaces]
lab@Student-MX l:PE-1# top edit routing-instances
[edit routing -instances]
lab@Student-MX l:PE-1# set vp n-1 interface ge - 0/0/5 . 6 1 0

[edit routing -instances]

lab@Student-MX l:PE-1# commit and-quit
commit complete
Exiting configuration mode
lab@Student-MXl:PE-1>

Step 3.3
Be aware that you have now created a Layer 2 loop between t he PE-1 and CE1-1 router. Verify t hat the new
interface has been added using t he show vpls co nne ctions extensi ve command .

lab@Student-MXl:PE-1> show vp ls connections extensive

Layer-2 VPN connections :

Legend for connection status (St)

E I -- encapsulation inva lid NC interface encapsulation not CCC/TCC/VPLS
EM -- encapsulation mismatch WE interface and instance encaps not same
VC-Dn -- Virtual circuit down NP interface hardwa re not present
CM control-word mismatch -> only outbound connection is up
CN circuit not provisioned <- only inbound connection is up
OR out of range Up operational
OL no outgoing label Dn down
LD local site signaled down CF call admission control failure
www.juniper.net Lab 5: VPLS 97
Junos Layer 2 VPNs
RD remote site signaled down SC local and remote site I D collision
LN local site not designated LM local site I D not minimum designated
RN remote site not designated RM remote site I D not minimum designated
xx unknown connection status IL no incoming label
MM MTU mismatch MI Mesh-Group I D not available
BK Backup connection ST Standby connection
PF Profile parse failure PB Profile busy
RS remote site standby SN -- Static Neighbor
LB Local site not best-site RB Remote site not best-site
VM VLAN I D mismatch HS -- Hot-standby Connection

Legend for interface status

Up -- operational
On -- down

Instance : vpn- 1
VPLS-id: 1 00
Number of local interfaces: 2
Number of local interfaces up : 2
ge-0/0/6 . 6 1 0
ge-0/0/5 . 6 1 0
vt-0/0/ 1 0 . 68 1 57440 I ntf - vpls vpn- 1 neighbor 172.17.20.6 vpls-id
100
Neighbor Type St Time last up # Up trans
172 . 17 . 20 . 6(vpls-id 1 00) rmt Up Sep 1 08:07:24 2021 1
Remote PE: 172 .1 7 . 20.6 , Negotiated control-word : No
I ncoming label: 32 , Outgoing label : 28
Negotiated PW status TLV : No
Local interface: vt-0/0/10.68157440 , Status: Up , Encapsulation: ETHERNET
Description: I ntf - vpls vpn- 1 neighbor 172 .1 7 . 20.6 vpls-id 1 00
Flow Label Transmit : No , Flow Label Receive: No
Connection History:
Sep 1 08:07 : 24 2021 status update timer
Sep 1 08:07 : 24 2021 PE route changed
Sep 1 08:07 : 24 2021 Out lbl Update 28
Sep 1 08:07 : 24 2021 I n lbl Update 32
Sep 1 08:07 : 24 2021 loc intf up vt-0/0/10 . 68157440

Question: Which interfaces are now listed as participating in the VPLS?

Answer: Interfaces ge-0/0/5, ge-0/0/6, and vt-0/0/10 should be listed as

interfaces participating in the VPLS.

Step 3.4
On your Student-MX1 device, change your CLI to the CE1-1 logical system.

On CE1-1, verify that a Layer 2 loop is in the network by issuing a ping to the broadcast address for the CE to PE
subnet (10.1.0 .255). Attempt to ping 5 t imes.

lab@Student-MXl: PE- 1 > set cli logical-system CE l- 1

Logical system: CEl-1
•
lab@Student-MXl: CEl-1> ping 10.1.0.255 count 5
PING 10.1.0.255 (10.1.0.255): 56 data bytes
•
64 bytes from 1 0 . 1.0 . 255: 1cmp-
seq= O ttl = 64 time = 4437.962 ms
•
64 bytes from 1 0 . 1.0 . 255: 1cmp- seq= O ttl = 64 time = 4468.526 ms ( DUP ! )
•
64 bytes from 1 0 . 1.0 . 255: 1cmp-
seq= O ttl = 64 time = 4497.306 ms ( DUP ! )
•
64 bytes from 1 0 . 1.0 . 255: 1cmp- seq= O ttl = 64 time = 4497.479 ms ( DUP ! )
• • •
•
64 bytes from 1 0 . 1.0 . 255: 1cmp-
seq= O ttl = 64 time = 4852.6 1 3 ms ( DUP ! )
•
64 bytes from 1 0 . 1.0 . 255: 1cmp-
seq= O ttl = 64 time = 4852.637 ms ( DUP ! )
•
64 bytes from 1 0 . 1.0 . 255: 1cmp-
seq= l ttl = 64 time =3912.990 ms ( DUP ! )
•
64 bytes from 1 0 . 1.0 . 255: 1cmp-
seq= l ttl = 64 time =3913.134 ms ( DUP ! )

10.1.0 . 255 ping statistics ---

98 Lab 5: VPLS www.juniper.net
 Junos Layer 2 VPNs
5 packets transmitted , 5 packets received, + 86 duplicates , 0 % packet loss
round-trip min/avg/max/stddev = 3531 . 407/6308 .1 89/7546 . 009/1003 . 854 ms

Question: Based on the results of the ping, does there appear to be a Layer 2 loop
in the network?

Answer: The results of the ping shou ld show that the customer router is receiving
multiple, duplicate echo responses from the hosts on the broadcast segment,
which would be a symptom of a Layer 2 loop.

Step 3.5
On your Student-MX1 device, change the CLI to the PE-1 logical system.

on PE-1, enter configuration mode and navigate to the [ edit routing-instances vpn-1-L2control]
hierarchy. Specify that t he new routing instance is for Layer 2 control.

lab@Student-MXl:CEl- 1 > set cli logical-system PE-1

Logical system: PE-1

lab@Student-MXl : PE-1> configure

Entering configuration mode

[ edit]
lab@Student-MXl : PE-1# edit routing-instances vpn-1-L2control

[ edit routing-instances vpn-1- L2control]

lab@Student-MXl:PE-1# set instance-type layer2-control

[ edit routing-instances vpn-1- L2control]

lab@Student-MXl : PE-1#

Step 3.6
Next, navigate to the [ edit routing-instances vpn-1-L2control protocols mstp] hierarchy. In
the vpn-1-L2control instance, configure MSTP to run on the ge-0/0/5 and ge-0/0/6 interfaces. Set the
MSTP configuration name to vpn-1 and the revision level to 1 . Once completed, commit your changes and exit
to operational mode.

[ edit routing-instances vpn-1- L2control]

lab@Student-MXl : PE-1# edit protocols mstp

[ edit routing-instances vpn-1- L2control protocols mstp ]

lab@Student-MXl : PE-1# set configuration-name vpn-1 revision-level 1

[ edit routing-instances vpn-1- L2control protocols mstp ]

lab@Student-MXl : PE-1# set interface ge-0/0/5

[ edit routing-instances vpn-1- L2control protocols mstp ]

lab@Student-MXl : PE-1# set interface ge-0/0/6

[ [ edit routing-instances vpn-1- L2control protocols mstp]

lab@Student-MXl : PE-1# commit and-quit
commit complete
Exiting configuration mode

lab@Student-MXl : PE-1>

www.juniper.net Lab 5: VPLS 99

Junos Layer 2 VPNs

Step 3.7
On your Student-MX1 device, change the CLI to the CE-VS logical system .

On CE-VS, enter into configuration moder and navigate to the [edi t p r otoco ls mstp ] hierarchy.
Configure MSTP to run on the ge-0/0/3 and ge-0/0/7 interfaces. Set the MSTP configuration name to vpn-
1 and the revision level to 1 . Commit your configuration and exit to operational mode.

lab@Student-MXl: PE- 1 > set cli logical-system CE -VS

Logical system : CE-VS

lab@Student-MXl: CE-VS> configure

Entering configuration mode

[ edit]
lab@Student-MXl: CE-VS# edit protocols mstp

[ edit protocols mstp]

lab@Student-MXl: CE-VS# set configuration-name vpn- 1 revision-level 1

[ edit protocols mstp]

lab@Student-MXl: CE-VS# set interface ge-0/0/3

[ edit protocols mstp]

lab@Student-MXl: CE-VS# set interface ge-0/0/7

[ edit protocols mstp]

lab@Student-MXl: CE-VS# commit and-quit
commit complete
Exiting configu r ation mode

lab@Student-MXl: CE-VS>

Step 3.8
Use the show spa nn ing t r ee int e rfac e command to determine what the interface statuses are.

lab@Student-MXl: CE-VS> show spanning-tree inte r face

Spanning t r ee interface paramete r s fo r instance 0

Interface Port I D Designated Designated Port State Role

port I D b r idge I D Cost
ge-0/0/3 1 28 : 490 1 28 : 6 32768 . 2c6bf56335dl 20000 FWD ROOT
ge-0/0/7 1 28 : 491 1 28 : 7 32768 . 2c6bf56335dl 20000 BLK ALT

Question: Are there any interfaces currently in the blocking state?

Answer: The answer wil l vary by student. The interface wil l be chosen through
MSTP norma l behavior of building a loop-free spanning tree.

Step 3.9
On your Student-MX1 device, change the CLI to the PE-1 logical system.

On PE-1, use the show spa n ni n g t r e e i n t er fac e r out ing-insta n ce vpn-1 -L2cont r o l

100 Lab 5: VPLS www.juniper.net

 Junos Layer 2 VPNs

lab@Student-MXl: CE - VS> set c li log i ca l -syste m PE -1

Log i ca l syste m: PE-1
lab@Student-MXl: PE-1 > s h ow spanni n g - t re e interface r outing- insta n c e vpn - 1-
L2cont r ol

Spanning t r e e i n te r face pa r ame te r s fo r instance 0

Inter face Po r t ID Des i gnate d Des i gnat e d Po r t State Ro l e

port I D b r idge I D Cost
ge-0/0/5 128 : 6 1 28 : 6 32768 . 2c6bf56335dl 20000 FWD DESG
ge-0/0/6 128 : 7 1 28 : 7 32768 . 2c6bf56335dl 20000 FWD DESG

Question: Does a Layer 2 loop exist between the PE and CE routers?

Answer: At th is point, there should be no Layer 2 loop between PE and CE routers

because one interface exists in the blocking state.

Step 3.10
On your Student-MX1 device, change the CLI to the CE1-1 logical system.

On CE1-1, verify that the Layer 2 loop has been removed from t he network by issuing a ping to the broadcast
address on the PE-CE link (10.1.0.255). Limit your ping attempts to 5 tries .

lab@Student-MXl: PE-1 > set cli l ogical-system CEl -1

Log i ca l syste m: CEl- 1
lab@Student-MX : CEl -1 > ping 10 .1. 0 . 255 count 5
PI NG 1 0 . 1 . 0 . 255 (10 .1. 0 . 255) : 56 data bytes
64 bytes f r om 1 0 . 1 . 0 . 255 : icmp seq=O tt l = 64 time =374 . 38 1 ms
64 bytes f r om 1 0 . 1 . 0 . 255 : icmp- seq= l tt l = 64 time = 294 . 032 ms
64 bytes f r om 1 0 . 1 . 0 . 255 : icmp- seq= 2 tt l = 64 time =37 . 622 ms
64 bytes f r om 1 0 . 1 . 0 . 255 : icmp- seq=3 tt l = 64 time = 6 . 658 ms
64 bytes f r om 1 0 . 1 . 0 . 255 : icmp= seq= 4 tt l = 64 time = 6 . 809 ms
- -- 10 .1. 0 . 255 p i ng statistics - --
5 packets transmi tted , 5 packe ts re ceive d , 0 % packet loss
r ound-trip mi n/avg/max/stddev = 6 . 658/ 1 43 . 900/374 . 38 1 / 1 57 . 85 1 ms

Question: Based on the results of the ping, does there appear to be a Layer 2 loop
in the network?

www.juniper.net Lab 5: VPLS 101

Junos Layer 2 VPNs

Answer: The results of the ping shou ld show that the CE1-1 router is no longer
receiving multiple, duplicate echo responses from the hosts on the broadcast
segment, which would be a symptom of a no Layer 2 loop.

102 Lab 5: VPLS www.juniper.net

 Junos Layer 2 VPNs

Part 4: Reconfiguring LDP VPLS To FEC 129 BGP Autodiscovery VPLS

In t his lab part, you will load a part 4 starting configuration on Student-MX2. This configuration will preconfigure
the PE-2 side of t he topology. You will then change the LDP VPLS configuration on PE-1 to use FEC 129 BGP
autodiscovery VPLS. You wi ll begin by removing some of t he VPLS protocol configuration under t he v p n-1
routing instance. You will use the same topology, j ust using FEC 129 BGP autodiscovery instead of manual LDP
neighbor provision ing.

Step 4.1
Return to you r Student-MX2.

On your Student-MX2, enter into configuration mode and use t he l oad overri d e j 1 2v / l a b 5-pa r t4-
sta r t . conf i g command to load the starting configuration. After you have loaded the configuration, commit
your changes and exit to operational mode.

lab@Student-MX2> conf i gu r e
Entering configuration mode

[edi t]
lab@Student-MX2# load override j l 2v/lab5 - part4-sta r t . conf i g
load complete

[edi t]
lab@Student-MX2# commi t and- qu i t
commit complete
Ex i ting conf i gu r ation mode

lab@Student-MX2>

Step 4.2
Return to you r Student-MX1 device, change the CLI to t he PE-1 logical system.

On PE-1, enter into configuration mode and navigate to the [edi t r o u ting-instanc e s vpn-1 ] hierarchy.
Delete the VPLS protocols properties from the rout ing-instance.

lab@Student-MX : CE l -1 > set cli l ogical-system PE - 1

Log i ca l system : PE -1

lab@Student-MXl: PE -1 > configure

Entering configuration mode

[edi t]
lab@Student-MXl: PE -1 # edit routing-instances vpn-1

[edi t r outing- instances vpn -1 ]

lab@Student-MXl: PE -1 # de l ete protocols vpls vpls-id

[edi t r outing- instances vpn -1 ]

lab@Student-MX :PE- 1# delete protocols vpls neighbo r 1 72 .1 7 . 20 . 6

[edi t r outing- instances vpn -1 ]

lab@Student-MXl: PE -1 # show
instance - type vpls ;
p r otoco l s {
vpl s ;
}
interface ge-0/0/5 . 6 1 0 ;
interface ge-0/0/6 . 6 1 0 ;

www.juniper.net Lab 5: VPLS 103

Junos Layer 2 VPNs

Step 4.3
Still on PE-1, at the [edi t rou ting-ins tanc es vpn-1 ] hierarchy. In order for t he identification of the
VPLS instance in t he FEC 129 BGP autodiscovery solution, you must configure the route-distingu isher
( 1 72 .1 7 . 20 .1: 100 ), the Layer 2 VPN ID ( 12vpn-id: 65512 : 1 01 ), and the route target
(target: 655 1 2 : 1 02) under the routing instance.

[edit rout ing-instances vpn -1]

lab@Student - MX l:PE-1# set route-distinguisher 1 72 .1 7 . 20 . 1 : 100

[edit routing -instances vpn -1]

lab@Student-MX l:PE-1# set 12vpn-id 12vpn-id :65 5 12:1 0 1

[edit routing -instances vpn -1]

lab@Student-MX l:PE-1# set vrf-ta r get target:65512 :1 02

[edit routing -instances vpn -1]

lab@Student-MX l:PE-1# show
instance -t ype vp ls;
12vpn-id 12vpn-id :655 12:1 01 ;
protocols {
vpls;
}
interface ge-0/0/5 . 6 1 0 ;
interface ge-0/0/6 . 6 1 0 ;
route-distinguisher 1 72 .1 7 . 20 .1:1 00 ;
v rf-target target : 655 12:1 02 ;

[edit routing -instances vpn -1]

lab@Student-MX l:PE-1#

Step 4.4
Next, navigate to the [edit protocols bgp group my-int-group] hierarchy. Now, configure the IBGP
peering between PE-l 's local address (172.17.20.1) and PE-2's loopback address (172.17.20.6). Ensure you
also configure the session to support the 1 2vpn auto-discovery-only

[edit routing -instances vpn -1]

lab@Student-MX l:PE-1# top edit protocols bgp g roup my-int-group

[edit protocols bgp group my-int-group]

lab@Student-MX l:PE-1# set type interna l

[edit protocols bgp group my-int-group]

lab@Student-MX l:PE-1# set loca l-address 172 . 17 . 20 .1

[edit protocols bgp group my-int-group]

lab@Student-MX l:PE-1# set neighbo r 172 .1 7 . 20 . 6

[edit protocols bgp group my-int-group]

lab@Student-MX l:PE-1# set family 12vpn auto-discovery-only

[edit protocols bgp group my-int-group]

lab@Student-MX l:PE-1# commit and-quit
commit complete
Exiting configuration mode

lab@Student-MX l:PE-1>

Step 4.5
Check t he BGP status using show bgp summa r y command .

104 Lab 5: VPLS www.juniper.net

 Junos Layer 2 VPNs

lab@Student-MXl: PE- 1 > show bgp summary

Groups : 1 Peers : 1 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
bgp . 12vpn.O
1 1 0 0 0 0
Peer AS I n Pkt OutPkt OutQ Flaps Last Up/Own
Statel#Active/Received/Accepted/Damped .. .
172 . 17 . 20.6 655 1 2 10 8 0 0 3:16
Establ
bgp . 12vpn.O : 1/1/1/0
vpn-1 .12vpn . O: 1/1/ 1 /0

Question: What is the current status of your BGP peering?

Answer: The status should show that it has been established. If it has not, please
give it a few more moments and check again. Ask the instructor for help if
needed.

Step 4.6
Check the status of the VPLS connectio n using the show vp l s con nect i ons ex t ensive command.
Ensure t hat the remote group has completed t he previous step of the lab.

lab@Student-MX l :PE- 1 > show vpls connections

Layer-2 VPN connections:

Legend for connection status (St)

E I -- encapsulation invalid NC interface encapsulation not CCC/TCC/VPLS
EM -- encapsulation mismatch WE interface and instance encaps not same
VC-Dn -- Virtual circuit down NP interface hardware not present
CM control-word mismatch -> only outbound connection is up
CN circuit not provisioned <- only inbound connection is up
OR out of range Up operational
OL no outgoing label On down
LO l ocal site signaled down CF call admission control failure
RD remote site signaled down SC local and remote site I D collision
LN l ocal site not designated LM local site I D not minimum designated
RN remote site not designated RM remote site I D not minimum designated
XX unknown connection status IL no incoming labe l
MM MTU mismatch MI Mesh-Group I D not available
BK Backup connection ST Standby connection
PF P rofile parse failure PB Profile busy
RS remote site standby SN -- Static Neighbor
LB Local site not best-site RB Remote site not best-site
VM VLAN I D mismatch HS -- Hot-standby Connection

Legend for interface status

Up operational
Dn -- down

Instance : vpn- 1
L2vpn-id : 655 1 2:10 1
Loca l -id : 1 72 .1 7 . 20 . 1
Remote-id Type St Time last up # Up trans
172 . 17 . 20 . 6 rmt Up Sep 1 09 : 41:53 2021 1
Remote PE : 172 .1 7 . 20 . 6 , Negotiated control-wo r d: No
I ncoming labe l : 33 , Outgoing label: 29
Negotiated PW status TLV: No
Local interface : vt-0/0/ 1 0 . 68157696 , Status : Up , Encapsulation: ETHERNET
Description: I ntf - vpls vpn- 1 local-id 172 .1 7 . 20 . 1 remote-id 1 72 .1 7.20.6
neighbor 172 . 17 . 20 . 6
Flow Label Transmit : No , Fl ow Label Receive: No

w ww.juniper.net Lab 5: VPLS 105

Junos Layer 2 VPNs

Question: What is the state of the VPLS connection?

Answer: The state of the VPLS connection to PE-2 shou ld be Up.

Step 4.7
Review the autodiscovery routes being exchanged with PE-2 using the s h ow r oute a d vertis ing-
p r otoco l bgp 172 . 17 . 20 . 6 d e ta i l and show r oute r e c eiv e-protocol bgp 1 72 .1 7 . 20 . 6
d e tai l commands.

lab@Student-MX l : PE - 1 > show route adve r t i sing- p r otoco l bgp 172 . 17 . 20 . 6 detail

vpn-1 . 12vpn . O: 4 dest i nations , 4 routes (4 active , 0 holddown , 0 hidde n)

* 1 72 .1 7 . 20 . 1 :1 00 : 1 72 .1 7 . 20 .l /96 AD ( 1 entry, 1 announced)
BGP g r oup my- int- g r oup type I nte r nal
Route Distinguishe r: 172 .1 7 . 20 .1:1 00
Autodiscovery for mesh - group : ves
Nexthop : Se l f
Flags : Nexthop Change
Localpref : 1 00
AS path : [ 65512 ] I
Communities : target:655 1 2 : 102 12vpn- id : 655 1 2 : 1 0 1
lab@Student-MX l : PE - 1 > show route r eceive - p r otocol bgp 1 72 . 17 . 20 . 6 deta i l

inet . O: 18 destinations , 1 8 r outes (18 active , 0 holddown , 0 hidden)

inet . 3 : 5 destinations , 5 routes (5 act i ve , 0 holddown , 0 hidden)

mpls . O: 13 destinations , 1 3 r outes (13 active , 0 holddown , 0 hidden)

inet6 . 0 : 1 destinations , 1 routes (1 active , 0 holddown , 0 h i dden)

bgp . 12vpn . O: 1 destinations , 1 routes (1 active , 0 holddown , 0 hidden)

* 1 72 .1 7 . 20 . 6 :1 00 : 1 72 .1 7 . 20 . 6/96 AD ( 1 entry, 0 announced)
I mport Accepted
Route Distinguishe r: 172 . 17 . 20 . 6 :1 00
Nexthop : 1 72 . 17 . 20 . 6
Localpref : 1 00
AS path : I
Communities : target : 655 1 2 : 102 12vpn- id : 655 1 2 : 1 0 1
ldp . 12vpn . O: 1 destinations , 1 routes (1 active , 0 holddown , 0 hidden)

vpn-1 . 1 2vpn . O: 4 destinations , 4 routes (4 active , 0 ho l ddown , 0 hidden)

* 1 72 .1 7 . 20 . 6 :1 00 : 1 72 .1 7 . 20 . 6/96 AD ( 1 entry, 1 announced)

I mport Accepted
Route Distinguishe r: 172 . 17 . 20 . 6 :1 00
Nexthop : 1 72 . 17 . 20 . 6
Localpref : 1 00
AS path : I
Communities : target : 655 1 2 : 102 12vpn- id : 655 1 2 : 1 0 1
lab@Student-MX l : PE - 1 >

106 Lab 5: VPLS www.juniper.net

 Junos Layer 2 VPNs

Question: What is the function of the 12vpn-id? How is it transported with the BGP
autodiscovery route?

Answer: The 12vpn-id is used to identify the VPLS instance from other VPLS
instances. It is added to the BGP autodiscovery route as an extended community,
simi lar to the route-target. For a VPLS connection to be set up, both the route
target and the 12vpn-id must match.

Step 4.8
Check t he route tables associated with the FEC 129 BGP autodiscovery solution. Use the show r o ute
t a b l e command to look at the b g p .12 vpn. O, vpn-1.1 2vpn. O, and the ldp . 12v pn. O tables.

lab@Student-MXl: PE- 1 > show route table bgp . 12vpn . O

bgp . 12vpn . O: 1 destinations , 1 routes ( 1 active , 0 holddown , 0 h idden)

+ = Active Route , - = Last Active , * = Both

172 . 17 . 20 . 6 :1 00 :1 72 .1 7 . 20 . 6/96 AD
*[BGP / 1 70] 00 :1 8 : 44 , localpr ef 1 00 , from 1 72 .1 7 . 20 . 6
AS path : I , validation-state : unver i fied
to 172 .1 7 . 23 . 2 via ge-0/0/0 . 0 , Push 30
> to 172 .1 7 . 23 . 6 via ge-0/0/1 . 0 , Push 3 1

lab@Student-MX l : PE- 1 > show route table vpn- 1. 12vpn . O

vpn-1 . 1 2vpn . O: 4 destinations , 4 routes (4 active , 0 ho l ddown , 0 hidden)

+ = Active Route , - = Last Active , * = Both

172 . 17 . 20 .1:1 00 :1 72 .1 7 . 20 . l/96 AD

*[VPLS/170] 00 : 46 : 3 1, metric2 1
I ndirect
172 . 17 . 20 . 6 :1 00 :1 72 .1 7 . 20 . 6/96 AD
*[BGP / 1 70] 00 :1 9 : 54 , localpr ef 1 00 , from 1 72 .1 7 . 20 . 6
AS path : I , validation-state : unver i fied
to 172 . 17 . 23 . 2 via ge-0/0/0 . 0 , Push 30
> to 172 . 17 . 23 . 6 via ge-0/0/1 . 0 , Push 3 1
172 . 17 . 20 . 6 : NoCtrlWord : 5 : 655 1 2 : 10 1: 172 .1 7 . 20 . l :1 72 .1 7 . 20 . 6/ 1 76
*[VPLS/7] 00 : 1 9 : 54 , metric2 1
> to 172 . 17 . 23 . 2 via ge-0/0/0 . 0 , Push 30
to 172 . 17 . 23 . 6 via ge-0/0/1 . 0 , Push 3 1
172 . 17 . 20 . 6 : NoCtrlWord : 5 : 655 1 2 : 10 1: 172 .1 7 . 20 . 6 :1 72 .1 7 . 20 .l / 1 76
*[ LDP /9] 00 : 19 : 53
Disca r d
lab@Student-MX l : PE- 1 > show route table ldp . 12vpn . O

ldp . 12vpn . O: 1 destinations , 1 routes ( 1 active , 0 holddown , 0 h idden)

+ = Active Route , - = Last Active , * = Both

172 . 17 . 20 . 6 : NoCtrlWord : 5 : 655 1 2 : 10 1: 172 .1 7 . 20 . 6 :1 72 .1 7 . 20 .l / 1 76

*[ LDP /9] 00 : 20 : 25
Disca r d

www.juniper.net Lab 5: VPLS 107

Junos Layer 2 VPNs
Question: What is the format of the route in the ldp.12vpn.O table?

Answer: The routes in the ldp.12vpn.O table have the following format:

-Advertising PE router-id (172.17.20.6)

- CtrlWorrd setting (NoCtrlWord)

- Pseudowire type (5 = Ethernet)

- L2vpn-id (= AGI = 65512:101)

- SAIi {= remote PE router-id = 172.17.20.6)

-TAIi (= local PE router-id= 172.17.20.1)

Step 4.9
Check the VPLS LOP label exchange between the two PE routers using the show l d p s e ss i' on
1 72 . 17 . 20 . 6 de ta i l , and the s h ow ldp databa se s es s i on 1 72 .1 7 . 20 . 6 command.

lab@Student-MX l: PE -1 > show ldp session 172 .1 7 . 20 . 6 detail

Address : 172 . 17 . 20 . 6 , State : Ope r ational , Connectio n: Open , Hold t ime: 29
Session I D: 1 72 . 17 . 20 .1: 0 - - 1 72 .1 7 . 20 . 6 : 0
Next keepa l ive in 9 seconds
Passive , Maximum PDU : 4096 , Hold time : 30 , Ne i ghbor count : 1
Neighbor types : auto - discovered
Keepalive i nterva l: 10 , Connect ret r y i nterval : 1
Loca l address : 172 .1 7 . 20 . 1 , Remote address : 1 72 .1 7 . 20 . 6
Up for 00 : 24 : 2 1
Capab i lities adve r t i sed : none
Capab i lities r eceived : none
Protection : disab l ed
Session flags : none
Loca l - Resta r t : d isab l ed , Helper mode : enabled
Remote - Restart : disabled , Helper mode : enabled
Loca l max i mum neighbo r reconnect time : 1 20000 msec
Loca l max i mum neighbo r recovery time : 240000 msec
Loca l Label Advertisement mode : Downstream unsolic i ted
Remote Label Adve r t i sement mode : Downst r eam unso l icited
Negotiated Label Adve r tisement mode : Downstream unsolic i ted
MTU d iscovery : disabled
Nonstop r outing state : Not i n sync
Next-hop addr esses received :
172 . 17 . 20 . 6
172 . 17 . 23 . 26
172 . 17 . 23 . 30

Question: What is the Neighbor types in the output of the show ldp session
command for PE-2 neighbor.

108 Lab 5: VPLS www.juniper.net

 Junos Layer 2 VPNs

Answer: The Neighbor types should indicate auto-discovered as the type. The
address for the targeted LOP session to the remote PE was autodiscovered using
the BGP session.

lab@Stu dent-MX l: PE-1 > show ldp databas e session 172 .1 7 . 20 . 6

I nput l abel database , 172 . 17 . 20 .1: 0 --1 72 .1 7 . 20 . 6 : 0
Labe ls rece i ved : 7
Labe l Pr ef i x
32 1 72 .1 7 . 20 . 1/32
29 1 72 .1 7 . 20 . 2/32
31 1 72 .1 7 . 20 . 3/32
28 1 72 .1 7 . 20 . 4/32
30 1 72 .1 7 . 20 . 5/32
3 1 72 .1 7 . 20 . 6/32
33 FEC 1 29 NoCt rlWo r d ETHE RNET 000affe8 : 00000065 ac 111 406 ac 111 40 1
Output labe l databas e, 172 . 17 . 20 .1: 0 - - 1 72 .1 7 . 20 . 6 : 0
Labe ls advertised : 7
Labe l Pr ef i x
3 1 72 .1 7 . 20 . 1/32
31 1 72 .1 7 . 20 . 2/32
36 1 72 .1 7 . 20 . 3/32
32 1 72 .1 7 . 20 . 4/32
37 1 72 .1 7 . 20 . 5/32
35 1 72 .1 7 . 20 . 6/32
38 FEC 1 29 NoCt rlWo r d ETHE RNET 000affe8 : 00000065 ac 111 40 1 ac 111 406

Question: What is the inner VPLS label used for sending traffic in the direction of
PE-2 (172.17.20.6)?

Answer: The answer may vary. In this case you need to look at the input database
information of the session with the PE-2 router. The label here is 33. If you break
down the full information in the LOP database: FEC129 NoCtrlWord ETHERNET
000affe8:00000065 ac111406 ac111401 you see that it is very similar to the
route format in the ldp.12vpn.O table

- NoCtrlWord = CtrlWord setting

- ETHERNET = Pseudowire type

- 000affe8:00000065 = 12vpn-id:65512:101 · ac111406 = SAIi = remote PE=

172.17.20.6 · ac111401 = TAIi = local PE = 172.17.20.1

Step 4.10
On your Student-MX1 device, change the CLI to the CE1-1 logical system.

On CE1-1, verify connectivity from CE1-1 to CE1-2's ge-0/0/0 interface (10.1.20.2) t hrough the VPLS by using
the p i n g utility. Limit the attempts to f ive packets.

lab@Student-MXl: PE-1 > set cli logical-system CEl -1

Log i cal syste m: CEl- 1
lab@Student-MXl: CEl- 1 > p i ng 1 0 . 1 . 0 . 2 count 5
PI NG 1 0 . 1 . 0 . 2 (1 0 . 1 . 0 . 2) : 56 data bytes
www.juniper.net Lab 5: VPLS 109
Junos Layer 2 VPNs
64 bytes f r om 10 . 1 . 0 . 2 : icmp seq= O ttl = 64 time= 1 6 . 557 ms
64 bytes f r om 10 . 1 . 0 . 2 : icmp seq= l ttl = 64 time= 65 . 66 1 ms
64 bytes f r om 10 . 1 . 0 . 2 : icmp- seq= 2 ttl = 64 time= 7 . 388 ms
64 bytes f r om 10 . 1 . 0 . 2 : icmp- seq= 3 ttl = 64 time= 7 . 758 ms
64 bytes f r om 10 . 1 . 0 . 2 : icmp- seq= 4 ttl = 64 time= 605 . 592 ms

--- 10 .1. 0 . 2 ping statistics ---

5 packets transmitted , 5 packets r eceived , 0 % packet loss
round-trip min/avg/max/stddev = 7 . 388/ 1 40 . 591/605 . 592/233 . 50 1 ms

Question: Do all your ping packets complete?

Answer: Yes, they should all complete. If they do not, please review your
configuration and request assistance from your instructor, if needed.

Step 4.11
On your Student-MX1 device, change t he CLI to PE-1 logical system.

On PE-1, use the show vpl s mac-tab l e command to determine whether the PE router has learned any
MAC addresses. You might need to issue anot her ping from t he local customer router to allow for t he PE router
to learn MAC addresses.

lab@Student-MXl : CEl- 1 > set cli logical-system PE -1

Logical system: PE-1
lab@Student-MXl : PE-1> show vpls mac-table

MAC flags (S -static MAC , D -dynamic MAC , L -locally learned, C -Control MAC
0 -OVSDB MAC , SE -Statistics enabled, NM -Non configured MAC , R -Remote PE
MAC , P - Pinned MAC , FU - Fast Update)

Logical system : PE -1
Routing instance : vpn-1
Bridging domain : _ vpn- 1 , VLAN : NA
MAC MAC Logical NH MAC active
addr ess flags interface Index property source
OO : Oc : 29 : 01:3e : fe D ge-0/0/5 . 610
OO : Oc : 29 : 2c:cb : 3e D vt-0/0/ 1 0 . 68157696

Question: Which CE router-facing interface is being used for forwarding in the vpn-
1 routing instance?

Answer: The answer can vary depending on which interface was selected by
MSTP. In the example, the ge-0/0/5 interface is the only PE router to CE router
interface used for forward ing.

110 Lab 5: VPLS www.juniper.net

 Junos Layer 2 VPNs

Part 5: Configuring BGP Signaled VPLS Without MSTP

In t his lab part, you change the VPLS instance to ru n over BGP without autodiscovery. You will load a sta rting
configuration on Student-MX2 t hat preconfigures PE-2 with t he appropriate VPLS configuration changes. You
will then make the necessary changes on PE-1 to establish this new VPLS instance. You will also remove the
MSTP related configurations on both the CE-VS logical system and in the vpn-1-L 2co n t r o l instance. You will
then define t he CE facing interface t hat you want to be the active interface to avoid the Layer 2 loop between
PE-1 and CE1-1.

Step 5.1
Return to you r Student-MX2 device, change the CLI to t he main instance using the c le a r cl i l ogica l-
sys tem command .

Enter into configuration mode and load the j 1 2v / l ab5-pa r t5-s tart . conf i g fi le. Once com pleted,
comm it the configuration and exit to operational mode using the commi t a nd-quit command.

lab@Student-MX2> conf i gu r e
Entering configuration mode

[edi t]
lab@Student-MX2# load override jl2v/lab5 - part5-sta r t . conf i g
load complete

[edi t]
lab@Student-MX2# commi t and- qu i t
commit complete
Ex i ting conf i gu r ation mode

lab@Student-MX2>

Step 5.2
On the Student-MX1, change the CLI to the PE-1 logical system. You will begin by removing the MSTP
configuration on t he PE-1 device.

On PE-1, enter into configuration mode and navigate to the [edi t r o u ting-instanc e s] hierarchy and
delete the vpn-1-L2control routing instance. Once you have completed th is change, commit the
configuration and exit to operational mode.

lab@Student-MX l: PE -1 > configure

Entering configuration mode

[edi t]
lab@Student-MX l: PE -1 # edit routing-instances

[edi t r outing - i n stances]

lab@Student-MX l: PE -1 # de l ete vpn- 1 - L2cont r o l

[edi t r outing - i n stances]

lab@Student-MX l: PE -1 # commit and-quit
commit comp l ete
Ex i ti ng co n f i gu r ation mode

lab@Student-MX l: PE -1 >

Step 5.3
On your Student-MX1 device, change the CLI to the CE-VS logical system.

On CE-VS, enter into configuration mode and delete t he MSTP protocol configuration . When completed , commit
and exit to operational mode.

lab@Student-MX l: PE -1 > set cli l ogical-system CE -VS

www.juniper.net Lab 5: VPLS 111

Junos Layer 2 VPNs
Logical system: CE-VS

lab@Student-MXl : CE-VS> configure

Entering configuration mode

[edit]
lab@Student-MX l : CE-VS# de lete protocols mstp

[edit]
lab@Student-MX l : CE-VS# commit and-quit
commit complete
Exiting configuration mode

lab@Student-MX l : CE-VS>

Step 5.4
On your Student-MX1 device, change the CLI to t he PE-1 logical system.

On PE-1, enter into configuration mode and navigate to the [ edit p ro toc ols bgp g roup my-i n t -
g r oup] hierarchy. Change t he NLRI used for t his IBGP neighborship to 12vpn signaling .

lab@Student-MX l : CE-VS> set cli log ical-s yst em PE- 1

Logical system: PE- 1

lab@Student-MX l : PE- 1 > configure

Entering configuration mode

[edit]
lab@Student-MX l : PE- 1 # edit p r otocols bgp group my-int-group

[edit protocols bgp group my-int-group]

lab@Student-MX l : PE-1# delete family 12vpn auto-discovery-only

[edit protocols bgp group my-int-group]

lab@Student-MX l : PE- 1 # set family 12 vp n signaling

[edit protocols bgp group my-int-group]

lab@Student-MX l : PE-1# show
type internal;
local-address 1 72 . 17 . 20 . 1;
family 12vpn {
signaling;
}
ne ighbor 172 . 17 . 20 . 6;

[edit protocols bgp group my-int-group]

lab@Student -MXl:PE-1#

Step 5.5
Navigate to he [edi t rou ting-ins tan ces vpn-1 ] hierarchy and delete t he 1 2vpn-id since we will not
need this when not using autodiscovery.

[edit protocols bgp group my-int-group]

lab@Student-MX l:PE-1# top edit rou ting- i nstances vpn- 1

[edit routing -instances vpn -1]

lab@Student-MX l:PE-1# delete 12 vpn-id

[edit routing -instances vpn -1]

lab@Student-MX l:PE-1#

112 Lab 5: VPLS www.juniper.net

 Junos Layer 2 VPNs

Step 5.6
Navigate to t he [edit routing-instances vpn-1 protocols vpls] hierarchy and define the VP LS
site information. Create a site called CE l -1 with a site ID of 1 . Then add the ge-0/ 0/ 5.610 and ge-0/ 0/ 6.610
interfaces to t his site configurat ion. Once completed, commit and exit to operat ional mode using t he commit
and-qu i t command.

[edit routing-instances vpn-1]

lab@Student-MXl:PE-1# edit protocols vpls

[edit routing-instances vpn-1 protocols vpls]

lab@Student-MXl : PE-1# set site CEl-1 site-identifier 1

[edit routing-instances vpn-1 protocols vpls]

lab@Student-MXl:PE-1# set site CEl-1 interface ge-0/0/5 . 610

[edit routing-instances vpn-1 protocols vpls]

lab@Student-MXl : PE-1# set site CEl-1 interface ge-0/0/6 . 610

[edit routing-instances vpn-1 protocols vpls]

lab@Student-MXl:PE-1# show
site CE l -1 {
interface ge-0/0/5.610;
interface ge-0/0/6.610;
site-identifier 1 ;
}

[edit routing-instances vpn-1 protocols vpls]

lab@Student-MXl:PE-1# commit and-quit
commit complete
Exiting configuration mode
lab@Student-MXl:PE-1>

Step 5.7
Determine the status of your new VPLS instance.

lab@Student-MXl:PE-1> show vpls connections

Layer-2 VPN connections :
Legend for connection status (St)
E I -- encapsulation invalid NC interface encapsulation not CCC/TCC/VPLS
EM -- encapsulation mismatch WE interface and instance encaps not same
VC-Dn -- Virtual circuit down NP interface hardware not present
CM control-word mismatch -> only outbound connection is up
CN circuit not provisioned <- only inbound connection is up
OR out of range Up operational
OL no outgoing label Dn down
LD local site signaled down CF call admission control failure
RD remote site signaled down SC local and remote site I D collision
LN local site not designated LM local site I D not minimum designated
RN remote site not designated RM remote site I D not minimum designated
XX unknown connection status IL no incoming label
MM MTU mismatch MI Mesh-Group I D not available
BK Backup connection ST Standby connection
PF P rofile parse failure PB Profile busy
RS remote site standby SN -- Static Neighbor
LB Local site not best-site RB Remote site not best-site
VM VLAN I D mismatch HS -- Hot-standby Connection

Legend for interface status

Up operational
Dn -- down

Instance : vpn-1
Edge protection: Not-Primary
Local site : CEl-1 (1)
connection-site Type St Time last up # Up trans
2 rmt Up Sep 1 10 : 45 : 56 202 1 1
Remote PE : 172 . 17 . 20 . 6 , Negotiated control-word: No

www.juniper.net Lab 5: VPLS 113

Junos Layer 2 VPNs
I ncoming label: 35, Outgoing label: 30
Local i nterfac e: vt-0/0/ 1 0 . 68157952 , Status: Up , Encapsulat ion : VPLS
Description: I ntf - vpls vpn -1 loca l site 1 remote site 2
Flow Label Transmit: No, Flow Label Receiv e: No
lab@Student-MXl:PE-1>

Question: Has a VPLS pseudowire been established to the remote PE router?

Answer: The output of the command should show that the VPLS is now in the up
state.

Step 5.8
On your Student-MX device, change t he CLI to the CE1-1 logical system .

On CE1-1, determine if t he Layer 2 loop is in the network by issuing a ping to the broadcast address for the CE
to PE subnet. Keep your attempts limited to ping 5 t imes.

lab@Student - MX l:PE-1> set cli logica l -s ystem CEl-1

Logical system: CEl-1
lab@Student -MXl:CE l -1> p ing 1 0 . 1 . 0 .25 5 count 5
PING 1 0 . 1 . 0 .25 5 (10.1.0.255): 56 data bytes
64 bytes from 1 0 . 1 . 0 .25 5 : icmp seq=O ttl = 64 time =21.479 ms
64 bytes from 1 0 . 1 . 0 .25 5 : icmp- seq=O ttl = 64 time =21.635 ms (DUP!)
64 bytes from 1 0 . 1 . 0 .25 5 : icmp- seq=O ttl = 64 time =35.628 ms (DUP ! )
64 bytes from 1 0 . 1 . 0 .25 5 : icmp= seq=O ttl = 64 time =35.670 ms (DUP ! )
• • •
64 bytes from 1 0 . 1 . 0 .25 5 : icmp seq=O ttl = 64 time =10491 .2 42 ms (DUP!)
64 bytes from 1 0 . 1 . 0 .25 5 : icmp= seq=O ttl = 64 time =10491 .91 7 ms (DUP!)
--- 10 .1. 0 .255 p i ng statistics ---
5 packets transmitted, 1 packets receiv ed, +446 d up licates, 80 % packet loss
round-trip min/avg/max/stddev = 21.479/5375.542/10979.130/3924.955 ms
lab@Student-MXl:CE l- 1>

Question: Based on t he results of the ping, does there appear to be a Layer 2 loop
in the net work?

Answer: The results of the ping shou ld show that CE1-1 is receiving multiple,
duplicate echo responses f rom the hosts on the broadcast segment, which would
be a symptom of a Layer 2 loop.

114 Lab 5: VPLS www.juniper.net

 Junos Layer 2 VPNs

Step 5.9
On your Student-MX1 change the CLI to the PE-1 logical system.

On PE-1, enter into configuration mode and navigate to the [edit routing-instances vpn-1
p rotocols vpls] hierarchy. Set the ge-0/0/6.610 interface as the primary active interface for the CE1-1
site. Commit and exit to operational mode with the commit and-quit command.

lab@Student-MXl : CEl- 1 > set cli logical-system PE-1

Logical system: PE-1
lab@Student-MXl:PE-1> configure
Entering configuration mode

[edit]
lab@Student-MXl:PE-1# edit routing-instances vpn-1 protocols vpls

[edit routing-instances vpn-1 protocols vpls]

lab@Student-MXl:PE-1# set site CEl-1 active-interface primary ge-0/0/6.610

[edit routing-instances vpn-1 protocols vpls]

lab@Student-MXl:PE-1# show
site CE l- 1 {
interface ge-0/0/5.610;
interface ge-0/0/6.610;
site-identifier 1;
active-interface primary ge-0/0/6 . 610;
}

[edit routing-instances vpn-1 protocols vpls]

lab@Student-MXl:PE-1# commit and-quit
commit complete
Exiting configuration mode
lab@Student-MXl:PE-1>

Step 5.10
Determine the current VPLS connection status and information using the show vpls connections
extensive command.

lab@Student-MXl:PE-1> show vpls connections extensive

Layer-2 VPN connections:

Legend for connection status (St)

E I -- encapsulation invalid NC interface encapsulation not CCC/TCC/VPLS
EM -- encapsulation mismatch WE interface and instance encaps not same
VC-Dn -- Virtual circuit down NP interface hardware not present
CM control-word mismatch -> only outbound connection is up
CN circuit not provisioned <- only inbound connection is up
OR out of range Up operational
OL no outgoing label Dn down
LD local site signaled down CF call admission control failure
RD remote site signaled down SC local and remote site I D collision
LN local site not designated LM local site I D not minimum designated
RN remote site not designated RM remote site I D not minimum designated
XX unknown connection status IL no incoming label
MM MTU mismatch MI Mesh-Group I D not available
BK Backup connection ST Standby connection
PF P rofile parse failure PB Profile busy
RS remote site standby SN -- Static Neighbor
LB Local site not best-site RB Remote site not best-site
VM VLAN I D mismatch HS -- Hot-standby Connection

Legend for interface status

Up operational
Dn -- down

Instance: vpn-1
Edge protection : Not-Primary
Local site: CEl-1 (1)

www.juniper.net Lab 5: VPLS 115

Junos Layer 2 VPNs
Number of loca l interfaces: 2
Number of loca l interfaces up : 2
IRB interface present: no
ge-0/0/5 .61 0
Interface flags: VC-Down
ge-0/0/6 .61 0
vt-0/0/ 1 0 . 68 15 7952 2 I ntf - vp ls vpn -1 local site 1 remote site 2
Label - base Offset Size Range Preference
34 1 8 8 1 00
connection-site Type St Time last up # Up t rans
2 rmt Up Sep 1 10 : 45 : 56 2021 1
Remote PE: 172 .1 7 .2 0 .6, Negotiated control-word: No
I ncoming label: 35 , Outgoing label: 30
Local i nterfac e: vt-0/0/ 1 0 . 68157952 , Status: Up , Encapsulat ion : VPLS
Description: I ntf - vpls vpn- 1 loca l site 1 remote site 2
Flow Label Transmit: No, Flow Label Receive: No
Connection History :
Sep 1 1 0 :4 5 :56 2021 status update timer
Sep 1 1 0 :4 5 :56 2021 loc i ntf up vt-0/0/ 1 0 .6815 7952
Sep 1 1 0 :4 5 :56 2021 PE route changed
Sep 1 1 0 :4 5 :56 2021 Out lb l Update 30
Sep 1 1 0 :4 5 :56 2021 I n lb l Update 35
Sep 1 1 0 :4 5 :56 2021 loc i ntf down

Question: Can you tell from the output of the command which CE router-facing
interface is currently active?

Answer: The ge-0/0/5 is listed as having an interface status of VC-down. That

listing means that the ge-0/0/5 interface is not being used for learning and
forward ing. The ge-0/0/6 and vt-0/0/10 interfaces are the only interfaces being
used for learning and forwarding.

Step 5.11
On the Student-MX1 device, change the CLI to the CE1-1 logical system.

On CE1-1, determine if you still have a layer 2 loop in the CE network by pinging the broadcast address 5 times
again.

lab@Student-MXl:PE-1> set cli logical-system CEl-1

Logical system: CEl-lsh
lab@Student-MXl:CE l- 1> ping 1 0 . 1 . 0 .25 5 count 5
PING 1 0 . 1 . 0 .25 5 (10.1.0.255): 56 data bytes
64 bytes from 1 0 . 1 . 0 .25 5 : icmp seq=O ttl = 64 time =41 . 929 ms
64 bytes from 1 0 . 1 . 0 .25 5 : icmp- seq= l ttl = 64 time =7 .2 07 ms
64 bytes from 1 0 . 1 . 0 .25 5 : icmp- seq=2 ttl = 64 time =41.311 ms
64 bytes from 1 0 . 1 . 0 .25 5 : icmp- seq=3 ttl = 64 time =306.786 ms
64 bytes from 1 0 . 1 . 0 .25 5 : icmp= seq=4 ttl = 64 time = 158 .2 00 ms
--- 10 .1. 0 .255 p i ng statistics ---
5 packets transmitted, 5 packets receiv ed, 0 % packet loss
round-tr ip min/avg/max/stddev = 7 .2 07/ l ll . 087/306 . 786/ 110.418 ms
lab@Student-MXl:CE l- 1>

116 Lab 5: VPLS www.juniper.net

 Junos Layer 2 VPNs

Question: Do al l your ping packets complete?

Answer: Yes, they shou ld all complete. If they do not, please review your
configuration and request assistance from your instructor, if needed.

Step 5.12
Log out of your assigned devices using the exi t command.

lab@Student-MXl: CEl- 1 > c l ear c l i l ogical- system

Cleared d efault l ogical system
lab@Student-MX l > exit

Studen t-MX l (ttyuO)

log i n :

. • • Tell your instructor that you have completed this lab.

www.juniper.net Lab 5: VPLS 117

Junos Layer 2 VPNs

118 Lab 5: VPLS www.juniper.net

 Junos Layer 2 VPNs

Lab 6: EVPN

Overview
In t his lab, you will establish Ethernet VPNs between two provider edge (PE) routers in the same autonomous
system You will configure two types of EVPN services: VLAN-based, and a VLAN-aware bund le.

By complet ing this lab, you will perform t he following tasks:

• Load t he initial configuration and verify proper operat ion of t he IGP, BGP, MPLS and LOP.

• Configure t he IBGP session between t he PEs to use the EVPN NLRI.

• Configure t he Layer 2 interfaces, and apply them to the EVPN routing instances.

• Configure t wo types of EVPN routing instances.

• Verify connectivity and behavior using operational mode commands including p in g and commands
used to examine EVPN routing tables, a nd PE-PE BGP announcements.

• Configure IRB interfaces for Layer 3 connectivity, and add the interfaces to a preconfigured L3VPN
ro uti ng-i nsta nee.

• Add t he address Layer 3 VPN NLRI to the existing IBGP session.

• Verify inter-subnet connectivity and behavior using operational mode commands including ping and
commands used to examine EVPN routing tables, and PE-PE BGP announcements.

www.juniper.net Lab 6: EVPN 119

Junos Layer 2 VPNs

Lab Diagrams

Management Network Diagram

Management Network
172.25. 11.0/24
Virtual Student Desktop Console and
I
VNC Connections '=, , , , I I

-- • -
=-=· • • 11
: : : 11
/ Physical
Desktops

~G""'
::J ~ \.-_____..~H~y:ip~e:rv~i~s:o r;
Virtual Switch Management Addresses
Student-MX1 172.25.11 .1
Management Port Student-MX2 172.25.11 .2
fxpO (on all vMX devices) vr-device 172.25.11 .3
Student Desktop 172.25.11 .254

Student
Virtual Environment Note: Your instructor will provide the information
you need to access your student desktop.

O 2021 Juniper Networks JUn~J I ,

Lab: VPLS, Part 1

VR-Device
I
I
-------------------- ' 172.17.23.1 2/30 I
P2 P4
I loO 172.1 7.20.2 .13 .14 loO 172.17.20.4 I

f'>~
"f.>""
I
.
'), "? -
N
·,>.s-
I
~
"'7>
'\':I, -2
cl-rs-~'\'\,'.' -?~
~,9\;i
csIt[ " V "t1
g ~
g AS 65512

PE-1
-
(0
,.;
OSPF
AreaO
c5
"!
,.;
"d~
PE-2
lo0.1 172.17.20.1 ,._
"!
-,._ ....
N lo0.6 172.17.20.6
.....
,9.,
'%~ -,._ 'If~
f>~

-
en
-
ge-0/0/5 N
X
N
cs~
~
ge-0/~/6 7>
-2 - ~ ~
9 ..,
-
C:

-
0
I
ge-0/0/3 ge-0/0/7 "7>
·-2.;
f'>'Y
'\'y
., ~
o,O <D
C.
CD
z :::,
C: CE-VS -~i:? "
'),· o
C!
cS -. 1> 7"
Q) ~
cS ~ s::
-
-0
:::,
en
VLAN 610
ge-0/0/4
10.1.0.1/24 ge-0/0/2
0
- 172.17.23.16/30
N
N
I
&'
N X
N
P3 PS
CE1-1 loO 172.17.20.3 .17 .18
I CE1-2
loO 172.17.20.5
lo0.1110.1.20.1 I lo0.1210.1.20.2
' -------------------~
O 2021 Juniper Network! JUn~J I 2

120 Lab 6: EVPN www.juniper.net

 Junos Layer 2 VPNs

Lab: Ethernet VPN, Parts 2-5

VR-Device
r------,
CE1
I
I CE3
I
I st
g --"'
0

.....
I
I -- "'5
0
z<(

X EVPN
0
--
~
..!.
C:
Q)
PE-1
lo0.1 172.11.20.1
- - -- ------- --- ~ ~
AS65512
OSPF
PE-2
loO 172.11.20.4

-
-0 Area 0
:::,
en 172.11 .0.0/16
-- st
N N
'=!"'
Nz
I
I
;~
- "' -
I
I
-
·------
I CE4
CE2
_______ ,

O 2021 Juniper Network! Junw I 3

www.juniper.net Lab 6: EVPN 121

Junos Layer 2 VPNs

Part 1: Creating The Baseline SP Network

In t his lab part, you will configure t he baseline network for the lab. You will load a baseline configuration and do
a quick verification of t he OSPF, BGP and LDP setti ngs. You will also check the preconfigured CE settings.

NOTE: > The instructor will tell you the nature of you r
access and will provide you with t he necessary details to
access your assigned device.

Step 1.1
You should make sure you are familiar with the lab topology and envi ronment. This lab is comprised of eight
logical devices that are operating on th ree virtual MX (vMX) routers. These vMXs are nested inside an ESXi
hypervisor The three devices you are in charge of configuring (PE-1, CE1, CE2) reside on Student-MX1 as logical
systems. The core devices (P2, P3, PE-2, CE3 and CE4) are preconfigured on vr-device also as logical systems.

Step 1.2
Consult the management network diagram, provided by your instructor, to determine your device's
management address.

Question: What is the management address of Student-MX1 and Student-MX2?

Answer: The management IP address of Student-MX is 172.25.11.1 and IP

address of Student-MX2 is 172.25.11.2

Step 1.3
Access the CLI of your Student-MX1 device using Secure Shell (SSH) as directed by your instructor.

Step 1.4
Log in as user lab with the password supplied by your instructor. Enter configuration mode and load the reset
configuration file j 1 2v /lab 6-s ta r t . co n f i g and exit back to operational mode using the commi t a nd-
q ui t command.

Studen t-MX l (ttypO)

logi n : l ab
Passwo r d :

L ast l ogin : Thu Aug 26 07 : 44 : 46 2021 from 1 72 . 25 . 1 1. 254

- -- J UNOS 2 1. 2Rl . 10 Kern e l 64-bit J NPR-12 .1- 202 1 0529 . 2f59a40 bui l
lab@Student-MXl > configu r e
Entering configuration mode

[ edi t]
lab@Student-MXl # load override j l 2v/lab6 - start . config
load complete

[ edi t]
lab@Student-MXl # commi t and- qui t
commit comp l ete
Exi t i ng co n f i gur ation mode
122 Lab 6: EVPN www.juniper.net
 Junos Layer 2 VPNs

lab@Student-MXl >

Step 1.5
To quickly determi ne if the start configuration has correctly loaded, verify that OSPF has learned all loopback
routesinyourlocalAS. Usethe show r oute protocol ospf 1 72 .11 / 1 6 I match /32 command.

lab@Student-MXl > show route protocol ospf 1 72 .11 /16 match /32
172 . 11. 20 . 2/32 *[OS PF /10] 00 : 05 :1 8 , metric 1
172 . 11. 20 . 3/32 *[OS PF /10] 00 : 05 :1 3 , metric 1
172 . 11. 20 . 4/32 *[OS PF /10] 00 : 05 :1 3 , metric 2
lab@Student-MXl >

Question: Do you see the loopback routes of the P routers and the other PE
router?

Answer: Yes, loopback addresses of the P routers, and the other PE router should
show here.

Step 1.6
Verify t hat the P and PE loopback addresses have a route in the i ne t . 3 table using t he s how r oute
tab l e ine t . 3 172 . 11 / 1 6 comma nd.

lab@Student-MXl > show route table i net . 3 1 72 .11 /16

inet . 3 : 10 destinations , 1 0 r outes (10 active , 0 holddown , 0 hidden)
+ = Act i ve Route , - = Last Act i ve , * = Both
172 . 11. 20 . 2/32 *[ LDP/9] l d 23 :1 4 : 49 , metric 1
> to 172 .1 1 . 23 . 2 via ge - 0/0/0 .1 00
172 . 11. 20 . 3/32 *[ LDP/9] l d 23 :1 4 : 49 , metric 1
> to 172 .1 1 . 23 . 6 via ge - 0/0/1 .11 0
172 . 11. 20 . 4/32 *[ LDP/9] l d 23 :1 3 : 59 , metric 1
> to 172 .1 1 . 23 . 2 via ge - 0/0/0 .1 00 , Pus h 22
to 172 .1 1 . 23 . 6 via ge - 0/0/1 .11 0 , Push 20

lab@Student-MXl >

Question: Do you see the loopback addresses in table inet.3?

www.juniper.net Lab 6: EVPN 123

Junos Layer 2 VPNs

Answer: Yes, /32 loopback addresses to the P and other PE routers are learned in
inet.3 as LOP routes.

Step 1.7
Verify the correct settings for your preconfigured CE devices using the show co n f i gu r atio n log i cal-
syste ms command.

lab@Student-MX l > show configuration log i cal-systems

CEl {
interfaces {
ge-0/0/2 {
unit 610 {
vlan- i d 6 1 0 ;
family inet {
addr ess 10 . 1 .1 0 .11 /24 ;
}
}
}
}
routing-options {
static {
route 0 . 0 . 0 . 0/0 next-hop 1 0 . 1 .1 0 .1;
}
}
}
CE2 {
interfaces {
ge-0/0/3 {
unit 61 1 {
vlan- i d 6 1 1 ;
family inet {
addr ess 1 0 . 1 .11.11 /24 ;
}
}
unit 612 {
vlan- i d 6 1 2 ;
family inet {
addr ess 1 0 . 1 .1 2 .11 /24 ;
}
}
}
}
po l icy-options {
pol i cy-statement LB {
then {
load-balance per-packet ;
}
}
}
routing-options {
static {
route 0 . 0 . 0 . 0/0 next-hop [ 10 .1. 1 1.1 10 .1.1 2 . 1 ] ;
}
fo r warding- table {
export LB ;
}
}
}

lab@Student-MX l >

Question: Why do the CEs need a static default route?

124 Lab 6: EVPN www.juniper.net

 Junos Layer 2 VPNs

Answer: The CEs only need static routes if they need to route outside of their own
VLAN. In the later parts of the lab we will enable Layer 3 routing between the
VLANs.

www.juniper.net Lab 6: EVPN 125

Junos Layer 2 VPNs

Part 2: Configuring The BGP Sessions To Exchange EVPN Routes

In t his lab part, you will configure and verify t he IBGP session between t he two PE routers. You will ensure that
this session supports the EVPN NLRI.

Step 2.1
On your Student device, enter into configuration mode and navigate to the [ e d i t p r otoco l s bgp g r oup
my-i n t-gr oup] hierarchy. Review t he current configuration and then add support for t he EVPN NLRI by
enabling fam i ly e vp n sign ali n g . Once completed, commit your configuration and exit to operational
mode.

lab@Student-MXl> configu r e
Entering configuration mode

[ edit]
lab@Student-MXl# edit protocols bgp g r oup my-int-gr oup

[ edit protocols bgp group my-int-group]

lab@Student-MXl# show
type internal ;
local-address 172 . 11 . 20 . 1 ;
neighbor 172 . 11 . 20 . 4 ;

[ edit protocols bgp group my-int-group]

lab@Student-MXl# set family evpn signaling

[ edit protocols bgp group my-int-group]

lab@Student-MXl# commit and-quit
commit complete
Exiting configuration mode
lab@Student-MXl>

Step 2.2
Verify t he IBGP session status and validate t hat EVPN information ca n be exchanged across th is session. Use
the show b gp summa r y, and show bgp neighb o r comma nds.

lab@Student-MXl> show bgp summary

Threading mode: BGP I /0
Default eBGP mode : advertise - accept , receive - accept
Groups: 1 Peers : 1 Down peers : 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
bgp . evpn . O
0 0 0 0 0 0
inet . O
00 0 0 0 0
Peer AS I n Pkt Out P kt OutQ Flaps Last Up/Dwn
Statel#Active/Received/Accepted/Damped ...
172 . 11 . 20 . 4 655 1 2 11 4 0 0 1 : 31
Establ
bgp . evpn . O: 0/0/0/0

lab@Student-MXl> show bgp neighbor

Peer : 172 . 1 1. 20 . 4 +179 AS 65512 Local : 1 72 . 1 1. 20 .1 +56 1 80 AS 65512
Group : my-int-group Routing- I nstance : master
Forwarding routing-instance : master
Type : Internal State : Established Flags : <Sync>
Last State : OpenConfirm Last Event : RecvKeepAlive
Last Error : None
Options : <LocalAddress AddressFamily Rib-group Refresh>
Options : <GracefulShutdownRcv>
Address families configured : evpn
Local Address : 172 .1 1 . 20 . 1 Holdtime : 90 Preference : 1 70
Graceful Shutdown Receiver local-preference : 0
Number of flaps : 0
Peer I D: 1 72 . 1 1. 20 . 4 Local I D: 1 72 . 1 1 . 20 .1 Active Holdtime : 90

126 Lab 6: EVPN www.juniper.net

 Junos Layer 2 VPNs
Keepalive I nterval : 30 Group index : 0 Peer index : 0 SNMP index: 0
I /0 Session Thread: bgpio-0 State: Enabled
BFD: disabled , down
NLRI for restart configured on peer: evpn
NLRI advertised by peer: inet-vpn-unicast evpn
NLRI for this session: evpn
Peer supports Refresh capability (2)
Stale routes from peer are kept for: 300
Peer does not support Restarter functionality
Restart flag received from the peer: Notification
NLRI that restart is negotiated for: evpn
NLRI of received end-of-rib markers: evpn
NLRI of all end-of-rib markers sent: evpn
Peer does not support LLGR Restarter functionality
Peer supports 4 byte AS extension (peer-as 65512)
Peer does not support Addpath
NLRI (s) enabled for color nexthop resolution: evpn
Table bgp.evpn.O Bit: 30000
RI B State: BGP restart is complete
RI B State: VPN restart is complete
Send state: in sync
Active prefixes: 0
Received prefixes: 0
Accepted prefixes: 0
Suppressed due to damping: 0
Advertised prefixes: 0
Last traffic (seconds): Received 25 Sent 22 Checked 185
I nput messages: Total 1 4 Updates 7 Refreshes O Octets 1 000
Output messages: Total 7 Updates O Refreshes O Octets 1 44
Output Queue [2]: 0 (bgp.evpn . O, evpn)

lab@Student-MX l >

Question: How can you determine if EVPN routes can be exchanged based on the
output above?

Answer: The easiest, and quickest check is to see what route tables are shown on
the show bgp summary output. If the bgp.evpn.O table is shown, even with O
routes, it indicates that the family evpn signaling is successful ly negotiated.

In the show bgp neighbor output, the NLRI for this session line tells you if fam ily
evpn signa ling is supported on this session.

w ww.juniper.net Lab 6: EVPN 127

Junos Layer 2 VPNs

Part 3: Configuring Layer 2 Interfaces And EVPN Instances

In t his lab part, you will configure t he CE-faci ng interfaces and create t he EVPN l routing-instance. You wil l t hen
verify the EVPN operation using multiple operational commands.

Step 3.1
Enter configuration mode and navigate to the [edi t i nte r faces ge-0/0/ 4] hierarchy level. Configure
the CE-faci ng ge-0/0/4 interface to use v l an-bridge

lab@Student-MXl> configu r e
Entering configuration mode

[edit]
lab@Student-MXl# edit interfaces ge-0/0/4

[edit interfaces ge-0/0/4 ]

lab@Student-MXl# show
flexible-vlan-tagging ;
encapsulation flexible-ethernet-services;
unit 610 {
vlan-id 610 ;
}

[edit interfaces ge-0/0/4 ]

lab@Student-MXl# set unit 610 encapsulation vlan-b r idge family bridge

[edit interfaces ge-0/0/4 ]

lab@Student-MXl# show
flexible-vlan-tagging ;
encapsulation flexible-ethernet-services;
unit 610 {
encapsulation vlan-br idge ;
vlan-id 610 ;
family bridge ;
}

[edit interfaces ge-0/0/4 ]

lab@Student-MXl#

Step 3.2
Next, navigate to the [ edit routing-instances EVPNl ] hierarchy. Configure the EVPNl routing
instance to be of type evpn and add the client facing interface (ge-0/0/ 4 .610. Then, set t he vlan-id to be 610
and specify a route distinguisher of 1 72 . 1 1. 20 .1: 10 1 and a vrf t arget of target : 655 1 2 : 1 0 1 . Make
sure you enable the EVPN protocol for the new instance. Once completed, commit your configuration and exit to
operational mode.

[edit interfaces ge-0/0/4 ]

lab@Student-MXl# top edit routing-instances EVPNl

[edit routing-instances EVPNl]

lab@Student-MXl# set instance-type evpn

[edit routing-instances EVPNl]

lab@Student-MXl# set interface ge-0/0/4 . 610

[edit routing-instances EVPNl]

lab@Student-MXl# set vlan-id 6 1 0

[edit routing-instances EVPNl]

lab@Student-MXl# set route-distinguisher 172.11 . 20 . 1 : 101

[edit routing-instances EVPNl]

lab@Student-MXl# set vrf-target target : 65512:10 1

[edit routing-instances EVPNl]

lab@Student-MXl# set protocols evpn
128 Lab 6: EVPN www .juniper.net
 Junos Layer 2 VPNs

[edit routing-instances EVPNl]

lab@Student-MX l # show
instance-type evpn;
protocols {
evpn;
}
vlan-id 610;
interface ge-0/0/4.6 1 0;
route-distinguisher 1 72 .11. 20 .1:1 01;
vrf-target target:65512 :1 01;

[edit routing-instances EVPNl]

lab@Student-MXl# commit and-quit
commit complete
Exiting configuration mode
lab@Student-MXl>

Step 3.3
Verify your EVPN instance status using the s h ow evpn instance EVPNl extens ive

lab@Student-MXl> show evpn instance EVPNl extensive

Instance: EVPNl
Route Distinguisher : 172.11.20.1:101
VLAN I D: 61 0
Per-instance MAC route label: 73
Duplicate MAC detection threshold: 5
Duplicate MAC detection window : 180
MAC database status Local Remote
MAC advertisements: 1 1
MAC + I P advertisements: 1 1
Default gateway MAC advertisements: 0 0
Number of local interfaces: 2 (2 up)
Interface name ESI Mode Status AC-
Role
. local .. 1 5 00:00:00:00:00:00:00:00:00:00 single-homed Up
Root
ge-0/0/4 . 610 00:00:00:00:00:00:00:00:00:00 single-homed Up
Root
Number of I RB interfaces: 0 (0 up)
Number of protect interfaces: 0
Number of bridge domains: 1
VLAN Domain-ID I ntfs/up IRB-intf Mode MAC-sync I M-label MAC-
label v4-SG-sync IM-core-NH v6-SG-sync IM-core-NH Trans-ID
610 1 1 Extended Enabled 78
Disabled Disabled
Number of neighbors: 1
Address MAC MAC + I P AD IM ES Leaf-label
Remote-DCI-Peer
172 . 11 . 20.4 1 1 0 0 0
Number of ethernet segments: 0
SMET Forwarding: Disabled
lab@Student-MXl>

Question: What is the ESI, and Mode for the ge-0/0/ 4.610 interface in the show
evpn instance EVPN1 output?

www.juniper.net Lab 6: EVPN 129

Junos Layer 2 VPNs

Answer: The ESI should be the defau lt 00:00:00:00:00:00:00:00:00:00 for

single-homed interfaces. The Mode should also show single-homed.

Question: How many routes are received from the EVPN neighbor?

Answer: The answer wi ll vary but you shou ld at least see 1 Inclusive multicast
route received. It is possible to also see the MAC advertisement route if there has
been some traffic activity in the EVPN.

Step 3.4
Usethe show bgp summary , show r oute rece i ve-protocol bgp 1 72 .11. 20 . 4 and s h ow
r oute adve r tising-protocol bgp 1 72 . 1 1. 20 . 4 commands to see what EVPN routes have been
exchanged between t he two PE routers.

lab@Student-MXl> show bgp summary

Threading mode: BGP I /0
Default eBGP mode : adve r tise - accept , receive - accept
Groups : 1 Peers : 1 Down peers : 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
bgp . evpn . O
3 3 0 0 0 0
inet . O
0 0 0 0 0 0
Peer AS I n Pkt Out P kt OutQ Flaps Last Up/Dwn
Statel#Active/Received/Accepted/Damped ...
172 . 11 . 20 . 4 65512 93 78 0 0 32 : 59
Establ
EVPNl . evpn . O: 3/3/3/0
bgp . evpn . O: 3/3/3/0
default evpn . evpn . O: 0/0/0/0

lab@Student-MXl> show route r eceive-protocol bgp 172 . 11 . 20 . 4

inet . O: 36 destinations , 36 r outes (36 active , 0 holddown , 0 hidden)

inet . 3 : 10 destinations , 10 r outes ( 10 active , 0 holddown , 0 hidden)

mpls . O: 14 destinations , 14 r outes ( 14 active , 0 holddown , 0 hidden)

inet6 . 0 : 1 destinations , 1 routes (1 active , 0 holddown , 0 hidden)

bgp . evpn . O: 6 destinations , 6 routes (6 active , 0 holddown , 0 hidden)
Prefix Nexthop MED Lclpref AS path
2 : 172 . 11 . 20 . 4 :1 01 : : 610 : : OO : Oc : 29 : fc : 27 : 4e/304 MAC/ IP
* 172 . 11 . 20 . 4 100 I
2 : 172 . 11 . 20 . 4 :1 01 : : 610 : : OO : Oc : 29 : fc : 27 : 4e : : 10 . 1 . 10 . 12/304 MAC/ I P
* 172 . 11 . 20 . 4 100 I
3 : 172 . 11 . 20 . 4 :1 01 : : 610 : : 172 . 11 . 20 . 4/248 I M
* 172 . 11 . 20 . 4 100 I

EVPNl . evpn . O: 6 destinations , 6 routes (6 active , 0 holddown , 0 hidden)

Prefix Nexthop MED Lclpref AS path
2 : 172 . 11 . 20 . 4 :1 01 : : 610 : : OO : Oc : 29 : fc : 27 : 4e/304 MAC/ IP
* 172 . 11 . 20 . 4 100 I
2 : 172 . 11 . 20 . 4 :1 01 : : 610 : : OO : Oc : 29 : fc : 27 : 4e : : 10 . 1 . 10 . 12/304 MAC/ I P
* 172 . 11 . 20 . 4 100 I
3 : 172 . 11 . 20 . 4 :1 01 : : 610 : : 172 . 11 . 20 . 4/248 I M
* 172 . 11 . 20 . 4 100 I

130 Lab 6: EVPN www .juniper.net

 Junos Layer 2 VPNs

lab@Student-MX l > show route advertising-protocol bgp 172.11 . 20.4

bgp.evpn.O: 6 destinations , 6 routes (6 active , 0 holddown , 0 hidden)

Prefix Nexthop MED Lclpref AS path
2:172 . 11 . 20. 1: 101 : : 610: : OO : Oc:29 : 01:3e:fe/304 MAC/ IP
* Self 1 00 I
2 : 172 . 11 . 20 .1: 101 : : 610: : OO : Oc : 29 : 01:3e : fe : : 10 .1.1 0 . 11/304 MAC/ I P
* Self 1 00 I
3 : 172 . 11 . 20 .1:1 01 : : 610: : 172 .1 1 . 20 . 1/248 I M
* Self 1 00 I

EVPNl . evpn . O: 6 destinations , 6 routes (6 active , 0 holddown , 0 hidden)

Prefix Nexthop MED Lclpref AS path
2 : 172 . 11 . 20 .1:1 01 : : 610: : OO : Oc : 29 : 01 : 3e : fe/304 MAC/ IP
* Self 1 00 I
2 : 172 . 11 . 20 .1:1 01: : 610: :OO : Oc : 29 : 01 : 3e : fe :: 10 .l.1 0 . ll/304 MAC/ I P
* Self 1 00 I
3 : 172 . 11 . 20 .1:1 01: : 610: : 172 .1 1 . 20 . 1/248 I M
* Self 1 00 I

lab@Student-MX l >

Step 3.5
Review the Type 3 EVPN routes using t he show r o u t e table EVPNl. evpn . 0 detai l I f i n d "3 :

lab@Student-MX l > show route table EVPN l. evpn . O detail I find "3:
3 :1 72 .ll. 20 .l:1 01:: 6 1 0 ::1 72 . 1 1. 20 .l /248 IM (1 entry , 1 announced)
*EVPN Preference : 170
Next hop type : Indirect , Next hop index : 0
Addr ess : Ox704d8dc
Next-hop reference count : 11
Protocol next hop : 172 . 11 . 20 . 1
I ndirect next hop : OxO - I NH Session ID: OxO
State : <Active Int Ext>
Age: 34 : 50
Validation State : unverified
Task : EVPNl-evpn
Announcement bits (1): 2- r t-export
AS path : I
Route Label : 78
PMS I: Flags OxO : Label 78 : Type INGRESS-RE PLI CAT I ON 1 72 .11. 20 .1
Thread : junos-main

3: 1 72 .ll. 20 . 4 :1 01:: 6 1 0 :: 172 . l l. 20 . 4/248 IM (1 entry , 0 announced)

*BGP Preference : 170/-1 01
Route Distinguisher : 1 72 .11. 20 . 4 : 10 1
PMS I: Flags OxO : Label 41 : Type INGRESS-RE PLI CAT I ON 0 . 0 . 0 . 0
Next hop type : Indirect , Next hop index: 0
Addr ess : Ox704dd54
Next-hop reference count : 6
Sou r ce : 1 72 .11. 20 . 4
Protocol next hop : 172 . 11 . 20 . 4
I ndirect next hop : Ox2 no-forward I NH Session ID : OxO
State : <Secondary Active I nt Ext>
Local AS : 655 1 2 Peer AS : 65512
Age : 34 : 52 Metric2 : 1
Validation State : unverified
Task : BGP 655 1 2 .1 72 . 11 . 20 . 4
AS path : I
Communities : target : 655 1 2 :1 01
I mport Accepted
Localpref : 100
Router I D: 172 . 1 1. 20 . 4
Primary Routing Table : bgp . evpn . O
Thread : junos-main

lab@Student-MX l >

w ww.juniper.net Lab 6: EVPN 131

Junos Layer 2 VPNs

Question: What is the function of the Type 3 EVPN routes?

Answer: The Type 3 EVPN routes are advertised to allow sending of BUM traffic
using ingress-replication between the PEs of the EVPN instance.

Step 3.6
Generate some Layer 2 traffic by pinging between the two PEs involved in the EVPNl instance using the pi n g
1 0 . 1 .1 0 . 12 l ogical-system CEl cou nt 5 comma nd. This triggers the Type 2 route exchanges
between t he PEs as they learn the loca l and remote CE's MAC addresses. Verify the exchange of Type 2 EVPN
routesusingthe show r oute rece i ve-p r otoco l bgp 1 72 .11. 20 . 4 command .

NOTE: > The generation of the Layer 2 traffic might not be

needed if t he device already generated t raffic by itself. You
might have already not iced t he Type 2 routes in previous
outputs in previous steps.

lab@Student-MXl> ping 10 .1. 10 .1 2 logical-system CEl count 5

P I NG 1 0 . 1 .1 0 . 12 (10 .1. 10 .1 2) : 56 data bytes
64 bytes f r om 10 . 1 . 10 . 12 : icmp seq= O tt1 = 64 time = l7 .1 95 ms
64 bytes f r om 10 . 1 . 10 . 12 : icmp- seq= l tt1 = 64 time = 4 . 475 ms
64 bytes f r om 10 . 1 . 10 . 12 : icmp- seq= 2 tt1 = 64 time = 3 . 666 ms
64 bytes f r om 10 . 1 . 10 . 12 : icmp- seq= 3 tt1 = 64 time = 4 . 082 ms
64 bytes f r om 10 . 1 . 10 . 12 : icmp= seq= 4 tt1 = 64 time = 4 . 060 ms

- -- 10 .1. 10 .1 2 ping statistics - --

5 packets transmitted , 5 packets r eceived , 0 % packet loss
round-trip mi n/avg/max/stddev = 3 . 666/6 . 696/17 .1 95/5 . 256 ms

lab@Student-MXl> show route r eceive - protoco l bgp 172 . 1 1. 20 . 4

inet . O: 36 destinations , 36 r outes (36 active , 0 ho l ddown , 0 hidden)

inet . 3 : 10 destinations , 1 0 r outes ( 10 active , 0 ho l ddown , 0 hidden)

mp l s . O: 14 destinations , 1 4 r outes ( 14 active , 0 ho l ddown , 0 hidden)

inet6 . 0 : 1 destinations , 1 routes (1 active , 0 holddown , 0 h idden)

bgp . evpn . O: 6 destinations , 6 routes (6 act i ve , 0 holddown , 0 hidden)

Prefix Nexthop MED Lclpref AS path
2 : 172 . 11 . 20 . 4 :1 01 : : 610 : : OO : Oc : 29 : fc : 27 : 4e/304 MAC/ IP
* 172 .1 1 . 20 . 4 1 00 I
2 : 172 . 11 . 20 . 4 :1 01 : : 610 : : OO : Oc : 29 : fc : 27 : 4e :: 10 .l. 1 0 . 12/304 MAC/ I P
* 172 .1 1 . 20 . 4 1 00 I
3 : 172 . 11 . 20 . 4 :1 01 : : 610 : : 172 .1 1 . 20 . 4/248 I M
* 172 .1 1 . 20 . 4 1 00 I

EVPNl . evpn . O: 6 dest i nations , 6 r outes (6 active , 0 holddown , 0 h idden)

Prefix Nexthop MED Lclpref AS path
2 : 172 . 11 . 20 . 4 :1 01 : : 610 : : OO : Oc : 29 : fc : 27 : 4e/304 MAC/ IP
* 172 .1 1 . 20 . 4 1 00 I
2 : 172 . 11 . 20 . 4 :1 01 : : 610 : : OO : Oc : 29 : fc : 27 : 4e : : 10 .1. 1 0 . 12/304 MAC/ I P
* 172 .1 1 . 20 . 4 1 00 I
3 : 172 . 11 . 2 0 . 4 : 1 01 : : 610 : : 172 . 1 1 . 2 0 . 4 / 2 4 8 I M
* 172 .1 1 . 20 . 4 1 00 I

lab@Student-MX l >

132 Lab 6: EVPN w w w .juniper.net

 Junos Layer 2 VPNs

Question: What information is exchanged in these Type 2 EVPN routes exchanged

so far?

Answer: The Type 2 routes exchanged shows both Layer 2 and Layer 3 interfaces
are included in the EVPN instance. The VR-device has been pre-configured with
an IRB gateway interface, which enables the EVPN to also advertise the IP
information to peers.

Step 3.7
Review the EVPN MAC address information using t he s h ow e vp n d atab a se, and sh ow e vpn mac-
tab l e commands.

lab@Student-MX l > show evpn database

Insta n ce : EVPN l
VLAN Domain i d MAC address Active source Times tamp I P address
61 0 OO : Oc : 29 : 01: 3e : fe ge - 0/0/4 . 6 1 0 Aug 26 08 : 52 :1 1 1 0 . 1 .1 0 .11
61 0 OO : Oc : 29 : fc : 27 : 4e 1 72 .11. 20 . 4 Aug 26 08 : 52 : 05 1 0 . 1 .1 0 .1 2
lab@Student-MX l > show evpn mac-tab l e

MAC flags (S -static MAC , D -dynamic MAC , L -locall y learned, C -Control MAC
0 -OVSDB MAC , SE -Statist i cs enab l ed, NM -Non configured MAC , R -Remote PE
MAC , P - Pinned MAC , FU - Fast Update)

Routing instance : EVPN l

Br i dging domain : EVPNl , VLAN : 6 1 0
MAC MAC Logica l NH MAC act i ve
addr ess f l ags interface I ndex p r ope r ty source
OO : Oc : 29 : 01 : 3e : fe D ge-0/0/4 . 6 1 0
OO : Oc : 29 : fc : 27 : 4e DC 1 048576 1 72 . 1 1. 20 . 4

lab@Student-MX l >

Question: How many MAC addresses do you see in the previous output?

Answer: You should see two MAC addresses, one from each CE interface (local
and remote). If you do not see two MAC addresses generate some traffic between
the two CEs.

www.juniper.net Lab 6: EVPN 133

Junos Layer 2 VPNs

Part 4: Configuring Layer 2 Interfaces And VLAN-Aware Bundle EVPN

Instance
In t his lab part, you will configure t he CE-faci ng interfaces, create t he EVPN2 routing instance. You will then
verify the EVPN operation using multiple operational commands.

Step 4.1
Enter configuration mode and navigate to t he [ edi t i n te r faces ge-0 / 0/ 5] hierarchy level. Configure
the CE-faci ng interface (ge-0/ 0/5.0) for use in the EVPN2 routing instance as a VLAN-aware bundle.

lab@Student-MXl> configure
Entering configuration mode

[edit]
lab@Student-MXl# edit interfaces ge-0/0/5

[edit interfaces ge-0/0/5 ]

lab@Student-MX l # show
flexible-vlan-tagging ;
encapsulation flexible-ethernet-services;

[edit interfaces ge-0/0/5 ]

lab@Student-MX l # set unit O family bridge interface-mode t runk

[edit interfaces ge-0/0/5 ]

lab@Student-MX l # set unit O family bridge vlan-id-list (6 1 1 6 1 2]

[edit interfaces ge-0/0/5 ]

lab@Student-MX l # show
flexible-vlan-tagging;
encapsulation flexible-ethernet-services;
u ni t O {
family bridge {
interface-mode trunk ;
vlan-id-list 611-612 ;
}
}

[edit interfaces ge-0/0/5 ]

lab@Student-MX l #

Step 4.2
Configure the EVPN2 rout ing instance with a route dist inguisher of 172 . 11 . 2 o. 1: 1 02 and a route target of
ta r g e t : 65512 : 1 02 . Add the cl ient facing interface (ge-0/ 0/5.0) and configure bridge domains for t he
VLANs (611 and 612). Make sure you enable t he EVPN protocol for t he new instance and set t he e xtended-
v lan-l i st to include VLANs 611 and 612.

[edit interfaces ge-0/0/5 ]

lab@Student-MX l # top edit rou t ing-instances EVPN2

[edit rout ing-instances EVPN2]

lab@Student-MX l # set instance- type virtual-switch

[edit rout ing-instances EVPN2]

lab@Student-MX l # set interface ge-0/0/5 . 0

[edit rout ing-instances EVPN2]

lab@Student-MX l # set route-distinguisher 172 . 11 . 20 . 1 : 102

[edit rout ing-instances EVPN2]

lab@Student-MX l # set vrf-target target:655 1 2:102

[edit rout ing-instances EVPN2]

lab@Student-MX l # set protocols evpn ext ended-vlan-list 6 11 -612

134 Lab 6: EVPN www .juniper.net

 Junos Layer 2 VPNs
[edit routing -instances EVPN2]
lab@Student-MXl# set bridge-domains v6 11 v lan -id 6 11

[edit routing -instances EVPN2]

lab@Student-MXl# set bridge-domains v6 12 v lan -id 6 12

[edit routing -instances EVPN2]

lab@Student-MXl# show
i ns tanc e-t ype virtua l-s wi tch ;
protocols {
evpn {
extended-vlan-list 611- 612;
}
}
bridge-domains {
v6 11 {
vlan-id 611;
}
v6 12 {
vlan-id 612 ;
}
}
i n te r face g e- 0/0/5 . 0 ;
route-distinguisher 1 72 .11. 20.1:102;
v rf-target ta r get : 655 12:1 02 ;

[edit routing -instances EVPN2]

lab@Student-MXl# commit and-quit
commit complete
Exiting configuration mode
lab@Student-MX l>

Step 4.3
Verify t he status of the EVPN2 instance using the show evpn i n stance EVPN2 ext e ns ive

lab@Student-MX l> show evpn instance EVPN2 extensive

Instance: EVPN2
Route Distinguisher: 1 72 . 1 1.2 0 .1: 102
Per-instance MAC route label: 79
Duplicate MAC detection threshold: 5
Duplicate MAC detection window : 1 80
MAC database status Local Remote
MAC advertisements: 2 4
MAC + IP advertisements: 2 4
Default gateway MAC advertisements: 0 2
Number of local inter faces : 2 (2 up)
Interface name ESI Mode Status AC-
Ro le
. local .. 16 00 : 00 : 00 : 00 : 00 : 00 : 00 : 00 : 00 : 00 single-homed Up
Root
ge-0/0/5 . 0 00 : 00 : 00 : 00 : 00 : 00 : 00 : 00 : 00 : 00 single-homed Up
Root
Number of I RB i nterfaces : 0 (0 up)
Number of protect interfaces: 0
Number of bridge domains : 2
VLAN Domain-ID Int fs/up IRB-intf Mode MAC-sync IM-label MAC-
label v4 -SG-s ync IM-core-NH v6 -SG-s ync IM-core-NH Trans- I D
6 11 1 1 Extended Enabled 83
Disabled Disabled
6 12 1 1 Extended Enabled 84
Disabled Disabled
Number of neighbors: 1
Address MAC MAC + I P AD IM ES Leaf-label
Remote-DCI-Peer
172 . 11 .2 0 . 4 4 4 0 0 0
Number of ethernet segments: 0
SMET Forwarding: Disabled
lab@Student-MX l>

www.juniper.net Lab 6: EVPN 135

Junos Layer 2 VPNs

Question: How many bridge domains are listed in the EVPN2 instance output?

Answer: The EVPN2 instance conta ins two bridge domains, one for each of the
VLANs defined in the routing instance. By configuring the EVPN2 instance as a
type virtual-switch, it allows multiple VLANs to share the same instance. Th is
makes it more scalable and easier to provision for move/add/changes of VLANs
in a data center or network.

Step 4.4
Generate traff ic for each network bet ween the two CEs in the second EVPN instance ( EVPN2) using the ping
1 0 . 1 .11. 12 logical-system CE2 count 5 and ping 1 0 . 1 .1 2 . 1 2 logical-system CE2
count 5 comma nds.
Then review the learned MAC addresses for the EVPN2 instance using the show bridge mac-table
b ridge-domain v611 instance EVPN2 and show bridge mac-table bridge-domain v6 12
instance EVPN2 commands. You can also use t he show evpn database command.

lab@Student - MX l> ping 10 .1. 1 1.12 logica l-s ystem CE2 count 5
PING 1 0 . 1 .11. 12 ( 10 .1. 1 1.12): 56 data bytes
64 bytes from 1 0 . 1 .11. 12 : icmp seq= O ttl = 64 time = 9.817 ms
64 bytes from 1 0 . 1 .11. 12 : icmp- seq= l ttl = 64 time = 4.082 ms
64 bytes from 1 0 . 1 .11. 12 : icmp- seq= 2 ttl = 64 time = 3.898 ms
64 bytes from 1 0 . 1 .11. 12 : icmp- seq= 3 ttl = 64 time = 3.706 ms
64 bytes from 1 0 . 1 .11. 12 : icmp= seq= 4 ttl = 64 time = 5.031 ms

--- 10 .1. 1 1.12 p i ng statistics ---

5 packets transmitted, 5 packets received , 0 % packet loss
round-tr ip min/avg/max/stddev = 3.706/5.307/9.817/2 . 301 ms

lab@Student-MX l> ping 10 .1. 12 .12 logica l-s ystem CE2 count 5
PING 1 0 . 1 .12. 12 (10.1.12.12): 56 data bytes
64 bytes from 1 0 . 1 .12. 12 : icmp seq= O ttl = 64 time = l0 . 925 ms
64 bytes from 1 0 . 1 .12. 12 : icmp- seq= l ttl = 64 time = 4.043 ms
64 bytes from 1 0 . 1 .12. 12 : icmp- seq= 2 ttl = 64 time = 4.461 ms
64 bytes from 1 0 . 1 .12. 12 : icmp- seq= 3 ttl = 64 time = 3.899 ms
64 bytes from 1 0 . 1 .12. 12 : icmp= seq= 4 ttl = 64 time = 3.926 ms

--- 10 .1. 12 .12 p i ng statistics ---

5 packets transmitted, 5 packets received , 0 % packet loss
round-tr ip min/avg/max/stddev = 3.899/5.451/10 . 925/2.745 ms

lab@Student-MX l> show bridge mac-table bridge-domain v6 11 i ns tance EVPN2

MAC flags (S -static MAC , D -dynamic MAC , L -locally learned, C -Control MAC
0 -OVSDB MAC, SE -Statistics enabled, NM - Non configured MAC , R -Remote PE
MAC, P -Pinned MAC , FU - Fast Update)

Routing instance •• EVPN2

Bridging domain •• v6 1 1 , VLAN •
• 6 11
MAC MAC Logica l NH MAC active
address f lags interface Index property source
OO : Oc :29: 01 :3e: 08 D ge-0/0/5.0
OO : Oc :29:fc:2 7 :4e DC 1048578 1 72 . 1 1.2 0 . 4

2c:6b:f5:cl:99:f0 DC 1048578 1 72 .11.2 0 . 4

lab@Student-MX l> show bridge mac-table bridge-domain v6 12 i ns tance EVPN2

MAC flags (S -static MAC , D -dynamic MAC , L -locally learned, C -Control MAC
136 Lab 6: EVPN www.juniper.net
 Junos Layer 2 VPNs
0 -OVSDB MAC,
SE -Statistics enabled, NM - Non configured MAC, R -Remote PE
MAC, P -Pinned MAC, FU - Fast Update)

Routing instance : EVPN2

Bridging domain : v6 12, VLAN : 6 12
MAC MAC Logical NH MAC active
address f lags interface Index property source
OO : Oc :2 9 : 01 :3e: 08 D ge-0/0/5.0
OO : Oc :29:fc:2 7 :4e DC 1048578 1 72 . 1 1.2 0 .4

2c:6b:f5:cl:99:f0 DC 1048578 1 72 . 1 1.2 0 .4

lab@Student-MX l> show evpn database

Instance: EVPNl
VLAN Domainid MAC address Active source Times tamp IP address
610 OO : Oc :29: 01:3e:fe ge-0/0/4 . 6 1 0 Aug 26 08 :52:11 1 0 . 1 .1 0 .11
610 OO : Oc :29: fc :2 7 : 4e 1 72 . 1 1.2 0 . 4 Aug 26 08 :52: 05 1 0 . 1 .1 0 .12

Instance: EVPN2
VLAN Domainid MAC address Active source Timestamp IP address
611 OO : Oc :29: 01 :3e: 08 ge-0/0/5 . 0 Aug 26 1 0 :59:59 1 0 . 1 .11.11
611 OO : Oc :29:fc:2 7 :4e 172 . 11 .2 0 . 4 Aug 26 1 0 :59: 48 1 0 . 1 .11.12
611 2c:6b:f5:cl:99:f0 172 . 11 .2 0 . 4 Aug 26 1 0 :59: 48 1 0 . 1 .11.1
612 OO : Oc :29: 01 :3e: 08 ge-0/0/5 . 0 Aug 26 1 0 :59: 48 1 0 . 1 .12.11
612 OO : Oc :29:fc:2 7 :4e 172 . 11 .2 0 . 4 Aug 26 1 0 :59: 48 1 0 . 1 .12.12
612 2c:6b:f5:cl:99:f0 172 . 11 .2 0 . 4 Aug 26 1 0 :59: 48 1 0 . 1 .12.1
lab@Student-MX l>

www.juniper.net Lab 6: EVPN 137

Junos Layer 2 VPNs

Part 5: Configuring IRB Interfaces And Enabling Layer 3 Operations For

EVPN
In t his lab part, you will configure local IRB interfaces to enable Layer 3 operations for t he EVPN solution. You
will add these interfaces to the EVPN instance to wh ich they belong, and you will add them to a preconfigured
L3VPN routi ng instance.

Step 5.1
Enter configuration mode and navigate to the [ edi t int erfaces irb] hierarchy. Configure the IRB
interface irb.610 with IP address 10.1.10.1/24, interface irb.611 with IP address 10.1 .11.1/ 24, and interface
irb.612 with IP address 10.1.12.1/24.

lab@Student-MX l> configure

Entering configuration mode

[edit]
lab@Student-MX l# e d i t interfaces irb

[edit inte r faces irb ]

lab@Student-MX l# set unit 610 family inet address 1 0 . 1 .1 0 . 1/24

[edit inte r faces irb ]

lab@Student-MX l# set unit 61 1 family inet address 1 0 . 1 .11. 1/24

[edit inte r faces irb ]

lab@Student-MX l# set unit 612 family inet address 1 0 . 1 .1 2 . 1/24

[edit inte r faces irb ]

lab@Student-MX l# show
u n i t 61 0 {
fam i ly inet {
address 1 0 .1.1 0 .1 /24 ;
}
}
uni t 611 {
fam i ly inet {
address 1 0 .1.1 1 .1 /24 ;
}
}
uni t 6 12 {
fam i ly inet {
address 1 0 .1.1 2 .1 /24 ;
}
}

[edit inte r faces irb ]

lab@Student-MX l#

Step 5.2
Navigate to t he [ edit routing-instances EVPNl ] hierarchy and add the irb . 610 interface. Then
move to EVPN2 and add t he irb . 61 1 and irb. 6 12 interfaces. Make su re to create bridge domains for
each routed interface in EVPN2 .

[edit inte r faces irb ]

lab@Student-MX l# top edit rout i ng- i nstances EVPNl

[edit routing - instance s EVPN l ]

lab@Student-MX l# set rout i ng- inte r face irb . 610

[edit routing - instances EVPN l ]

lab@Student-MX l# up

[edit routing - i n stance s]

lab@Student-MX l# e d i t EVPN2

[edit routing - i n stances EVPN2]

138 Lab 6: EVPN www.juniper.net
 Junos Layer 2 VPNs
lab@Student-MX l# set bridge-domains v6 11 rout ing-interface irb.611

[edit routing -instances EVPN2]

lab@Student-MX l# set bridge-domains v6 1 2 rout ing-interface irb.612

[edit routing -instances EVPN2]

lab@Student-MX l#

Step 5.3
Next, activate the preconfigured Layer 3 VPN routing instance named L3VPN , and add all three IRB interfaces
to it.

[edit routing -instances EVPN2]

lab@Student-MX l# up

[edit routing -instances]

lab@Student-MX l# activate L3VPN

[edit routing -instances]

lab@Student-MX l# edit L 3VPN

[edit routing -instances L3VPN]

lab@Student-MX l# set i nterface i r b . 610

[edit routing -instances L3VPN]

lab@Student-MX l# set i nterface i r b . 61 1

[edit routing -instances L3VPN]

lab@Student-MX l# set i nterface i r b . 612

[edit routing -instances L3VPN]

lab@Student-MX l#

Step 5.4
Finally, navigate to the [edit protocols bgp group my-i nt-group ] hierarchy and configure the
existing IBGP session to support the Layer 3 VPN NLRI by adding famil y inet-vpn unicas t

[edit routing -instances L3VPN]

lab@Student-MX l# top edit protocols bgp g roup my-int-group

[edit protocols bgp group my-int-group]

lab@Student-MX l# set family inet-vpn unicast

[edit protocols bgp group my-int-group]

lab@Student-MX l# commit and-quit
commit complete
Exiting configuration mode
lab@Student-MX l>

Step 5.5
See which routes have been exchanged after enabling Layer 3 operations for EVPN instances, and enable the
L3VPN instance. Use the s how bgp s umma r y command.

lab@Student-MX l> show bgp summary

Threading mode: BGP I /0
Default eBGP mode: advertise - accept , recei ve - accept
Groups : 1 Peers: 1 Down p eers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
bgp . evpn.O
13 13 0 0 0 0
bgp . 13vpn . O
6 6 0 0 0 0
in e t . O

www.juniper.net Lab 6: EVPN 139

Junos Layer 2 VPNs
0 0 0 0 0 0
Pe e r AS I n Pkt Out P kt OutQ Flaps Last Up/Own
State l #Active /Receive d/Accepted/Damped ...
172 . 1 1. 20 . 4 655 1 2 18 13 0 0 9
Establ
EVPNl. evpn . O: 3/3/3/0
bgp . evpn . O: 1 3/13/ 1 3/0
default evpn . evpn . O: 0/0/0/0
EVPN2 . evpn . 0 : 10/ 1 0/10/0
bgp .1 3vpn. O: 6/6/6/0
L3VPN. inet . 0 : 3/6/6/0

lab@Student-MX l >

Question: What can you learn from the show bgp summary output?

Answer: You should now see that there are a couple more routes being exchanged
in the EVPN tables. You should also see that IP routes are now exchanged
regarding the EVPN subnets and hosts(/ 32) using the Layer 3 VPN.

Step 5.6
Let's first focus on the EVPNl instance to see what new Type 2 routes can be seen. Generate traffic within the
subnet by pinging the remote CE f ive times from your local CE. Once completed , review t he routes using the
s h o w rout es table EVPNl. e vpn . 0 ma t c h-pre f ix " 2: *" command.

lab@Student-MX l > ping 10 .1. 10 .1 2 l ogical- system CE l count 5

PI NG 1 0 . 1 .1 0 . 12 (10 .1. 10 .1 2) : 56 data bytes
64 bytes f r om 1 0 . 1 .1 0 . 12 : icmp seq= O tt l = 64 time = 4 . 256 ms
64 bytes f r om 1 0 . 1 .1 0 . 12 : icmp- seq= l tt l = 64 time = 3 . 9 1 0 ms
64 bytes f r om 1 0 . 1 .1 0 . 12 : icmp- seq= 2 tt l = 64 time = 4 . 2 1 1 ms
64 bytes f r om 1 0 . 1 .1 0 . 12 : icmp- seq= 3 tt l = 64 time = 3 . 844 ms
64 bytes f r om 1 0 . 1 .1 0 . 12 : icmp= seq= 4 tt l = 64 time = 4 . 238 ms
- -- 10 .1. 10 .1 2 p i ng stat i stics - --
5 packets transmi tted , 5 packe ts re ce i v ed, 0 % packet loss
r ound -trip mi n/avg/max/stdd ev = 3 . 844/4 . 092/4 . 256/0 .1 77 ms

lab@Student-MX l > show r oute table EVPNl. evpn . O match -p r ef i x " 2 :*"

EVPNl . evpn . O: 8 dest i nat i ons , 8 r outes (8 act i v e, 0 ho l ddown, 0 hidden)

+ = Act i ve Route , - = Last Act i ve , * = Both

2 :1 72 .11. 20 .1:1 01:: 6 1 0 : : OO : Oc : 29 : 0 1: 3e : fe/304 MAC/ IP

* [ EVPN/170] 02 : 32 :1 6
In di r ect
2 :1 72 .11. 20 .1:1 01:: 6 1 0 : : 2c : 6b : f5 : 63 : 35 : f0/304 MAC/ IP
* [ EVPN/170] 00 : 02 : 06
In di r ect
2 :1 72 .ll. 20 . 4 :1 01:: 6 1 0 :: 00 : 0c : 29 : fc : 27 : 4e/304 MAC/ IP
* [ BGP / 1 70] 00 : 02 : 04 , localpre f 1 00 , from 1 72 .11. 20 . 4
AS path: I , val i dation - state : unver i fied
> to 172 .1 1 . 23 . 2 via g e- 0/0/0 .1 00 , Pus h 22
to 172 .1 1 . 23 . 6 via g e- 0/0/1 .11 0 , Pus h 20
2 :1 72 .11. 20 .1:1 01:: 6 1 0 : : OO : Oc : 29 : 0 1: 3e : fe ::1 0 .l.1 0 .ll /304 MAC/I P
* [ EVPN/170] 02 : 32 :1 6
In di r ect
2 :1 72 .ll. 20 .l:1 01:: 6 1 0 :: 2c : 6b : f5 : 63 : 35 : f0 ::1 0 .l.1 0 .l /304 MAC/ IP
* [ EVPN/170] 00 : 02 : 06
In di r ect
2 :1 72 .ll. 20 . 4 :1 01:: 6 1 0 :: 00 : 0c : 29 : fc : 27 : 4e ::1 0 .l.1 0 .1 2/304 MAC/I P
* [ BGP / 1 70] 00 : 02 : 04 , localpre f 1 00 , from 1 72 .11. 20 . 4
AS path : I , val i dation - state : unver i fied
140 Lab 6: EVPN www.juniper.net
 Junos Layer 2 VPNs
•
> to 172 . 11 . 23 . 2 via
•
g e- 0/0/0 .1 00 , Push 22
to 172 . 11 . 23 . 6 via g e- 0/0/1 .11 0 , Push 20

lab@Student-MX l >

Question: What Type 2 EVPN routes do you see now in the output?

Answer: The new Type 2 routes are MAC/IP advertisements for the IRB interface
address. The IRB interface address is considered the default-gateway address
and is tagged with the evpn-default-gateway community.

Step 5.7
To avoid the advertisement of the local default-gateway MAC address, statically define the IRB's MAC address
for EVPNl as 00:00:00:00:00:01. The MAC addresses has already been applied to the IRB interfaces on the
vr-device, so they will be identical (as expected). Next, disable the advertisement of the default-gateway and
enable remote-ip-host-routes under the EVPNl instance. Once completed, commit your configuration and exit
to operational mode.

lab@Student-MX l > configu r e

Entering configuration mode
[edi t]
lab@Student-MX l # edit interfaces irb . 6 1 0

[edi t inte r faces irb unit 610]

lab@Student-MX l # set mac 00 : 00 : 00 : 00 : 00 : 0 1

[edi t inte r faces irb unit 610]

lab@Student-MX l # top edit rout i ng- i nstances EVPNl p r otoco l s evpn

[edi t r outing- instances EVPNl protoco l s evpn]

lab@Student-MX l # set default-gateway do-not-advertise

[edi t r outing- instances EVPNl protoco l s evpn]

lab@Student-MX l # set remote - ip-host - routes

[edi t r outing- instances EVPNl protoco l s evpn]

lab@Student-MX l # commi t and- qu i t
commit comp l ete
Ex i ting conf i gu r ation mode
lab@Student-MX l >

Question: Why do you expect to have changed regarding the gateway route
advertisement?

www.juniper.net Lab 6: EVPN 141

Junos Layer 2 VPNs

Answer: The loca l router should no longer be advertising this route to the remote
PE (VR-device) as shown below. Th is is because it is no longer needed since you
have manually synchronized the MAC/IP of the IRB interfaces by configuring the
same MAC/IP addresses on both PEs. This improves convergence because there
is no learning or re-learn ing of gateway MACs needed.

Step 5.8
Verify t hat ARP snoopi ng is working in the EVPN1 instance by pinging the EVPN1's default-gateway address
( 1 o. 1 . 1 o. 1 ) five t imes from your local CE logical system. During the first ping command, the f irst ping packet
might fail. On later ping commands, there should not be any ping packet drops. Then issue the s h ow evpn
a r p -tabl e command.

lab@Student-MX l > ping 10 .1. 10 .1 logica l -system CE l count 5

PI NG 1 0 . 1 .1 0 . 1 ( 1 0 . 1 .1 0 . 1 ) : 56 data bytes
64 bytes f r om 10 . 1 . 1 0 . 1 : i cmp seq= l tt l = 64 time = l. 875 ms
64 bytes f r om 1 0 . 1 . 1 0 . 1 : i cmp- seq= 2 tt l = 64 time = l. 8 11 ms
64 bytes f r om 10 . 1 . 1 0 . 1 : i cmp- seq= 3 tt l = 64 time = l. 748 ms
64 bytes f r om 1 0 . 1 . 1 0 . 1 : i cmp= seq= 4 tt l = 64 time = l. 970 ms
--- 10 .1. 10 .1 ping statistics ---
5 packets transmitted , 4 packets r eceived , 20 % packet loss
round-trip mi n/avg/max/stddev = l . 748/ 1. 85 1 /1 . 970/0 . 082 ms

lab@Student-MX l > show evpn a r p-table

INET MAC Logical Routing Bridgi ng
address addr ess interface instance domain
10 .1.1 0 . 1 00 : 00 : 00 : 00 : 00 : 01 irb . 610 EVPNl EVPNl
10 .1.1 0 . 11 52 : 54 : 00 : fb : c3 : 59 ge-0/0/4 . 610 EVPNl - EVPNl
10 .1.1 0 . 12 OO : Oc : 29 : fc : 27 : 4e EVPNl - EVPNl

lab@Student-MX l >

Step 5.9
Verify t he route to t he loca l CE's IP address, and the remote CE's IP address in t he EVPNl instance using the
show r o u te command .

lab@Student-MX l > show route 1 0 . 1 .1 0 .1 1

L 3VPN . inet . O: 1 2 destinat i ons , 16 routes ( 1 2 active , 0 holddown , 0 hidden)

+ = Act i ve Route , - = Last Act i ve , * = Both

10 .1.1 0 . 11/32 * [ EVPN/7) 00 : 06 : 4 1

> via i r b . 6 1 0

lab@Student-MX l > show route 1 0 . 1 .1 0 .1 2

L 3VPN . inet . O: 1 2 destinat i ons , 16 routes ( 1 2 active , 0 holddown , 0 hidden)

+ = Act i ve Route , - = Last Act i ve , * = Both

10 .1.1 0 . 12/32 * [ EVPN/7 ) 00 : 03 : 46

> via i rb . 6 1 0
[ BGP/ 1 70) 00 : 22 : 49 , l ocalpref 100 , f r om 172 . 1 1 . 20 . 4
AS path : I, vali d ation-state : unverified
to 1 72 . 1 1. 23 . 2 via ge-0/0/0 .1 00 , Push 22 , Push22(top)
to 1 72 . 1 1. 23 . 6 via ge-0/0/ 1.1 10 , Push 22 , Push20(top)

lab@Student-MX l >

142 Lab 6: EVPN www.juniper.net

 Junos Layer 2 VPNs

Question: Why is the remote route learned by two different sources (protocols)?

Answer: The remote PE advertises the 10.1.10.12/32 route twice. Once through
the EVPN instance using the MAC/IP advertisement (route Type 2), and once as a
host route in the L3VPN instance. As you see in the output, the EVPN MAC/IP
advertisement is preferred over the /32 host route from the L3VPN instance.

Step 5.10
Verify t hat inter-VLAN routing is working correctly by pinging CE addresses from t he other VLANs while sourcing
them from you r CE1 logical system.

lab@Student - MX l > ping 10 .1. 1 1.1 1 l ogical - system CE l count 5

PI NG 1 0 . 1 .11. 1 1 (10 .1. 1 1.1 1) : 56 data bytes
64 bytes f r om 1 0 . 1 . 1 1. 1 1: icmp seq=O ttl = 63 time =3 . 272 ms
64 bytes f r om 1 0 . 1 . 1 1. 1 1: icmp- seq= l ttl = 63 time =3 . 325 ms
64 bytes f r om 1 0 . 1 . 1 1. 1 1: icmp- seq=2 ttl = 63 time =143 . 644 ms
64 bytes f r om 1 0 . 1 . 1 1. 1 1: icmp- seq=3 ttl = 63 time =49 . 990 ms
64 bytes f r om 1 0 . 1 . 1 1. 1 1: icmp= seq=4 ttl = 63 time =163 . 323 ms
-- - 10 .1. 1 1.1 1 ping statistics ---
5 packets transmitted, 5 packets r eceived , 0 % packet loss
round-trip mi n/avg/max/stddev = 3 . 272/72 . 7 11 / 1 63 . 323/68 . 402 ms

lab@Student-MX l > ping 10 .1. 11 .1 2 logical-system CE l count 5

PI NG 10 . 1 . 1 1. 12 (10 .1. 1 1.1 2) : 56 data bytes
64 bytes f r om 1 0 . 1 . 1 1. 12 : icmp seq=O ttl = 63 time =468 . 388 ms
64 bytes f r om 1 0 . 1 . 1 1. 12 : icmp- seq= l ttl = 63 time = 177 . 055 ms
64 bytes f r om 1 0 . 1 . 1 1. 12 : icmp- seq=2 ttl = 63 time =4 . 81 8 ms
64 bytes f r om 1 0 . 1 . 1 1. 12 : icmp- seq=3 ttl = 63 time =5 . 727 ms
64 bytes f r om 1 0 . 1 . 1 1. 12 : icmp= seq=4 ttl = 63 time =4 . 941 ms
--- 10 .1. 1 1.1 2 ping statistics ---
5 packets transmi tted , 5 packets r eceived , 0 % packet loss
round-trip mi n/avg/max/stddev = 4 . 818/ 1 32 .1 86/468 . 388/ 1 80 . 804 ms
lab@Student-MX l >

Step 5.11
Log out of your assigned device using the exit command.

lab@Student-MX l > exit

Student-MXl (ttyuO)
log i n :

. • • Tell your instructor that you have completed this lab.

www.juniper.net Lab 6: EVPN 143

Junos Layer 2 VPNs

144 Lab 6: EVPN www.juniper.net

 Junos Layer 2 VPNs

Lab 7: Inter-AS L2VPNs

Overview
In t his lab you, will establish a BGP VPLS con nection between two provider edge (PE) routers t hat belong to
different autonomous systems (ASs). Inter-AS VPN option C will be used to provide the PE-to-PE VPLS signaling
and forwa rding plane using route reflectors (RR). You wi ll use l abe l ed-uni cast address family when
passi ng provider's loopback interface routes between the two provider ASBR routers.

In Part 4, you will establish a FEC 129 BGP autod iscovery-based inter-AS L2VPN using mult isegment
pseudowires.

By completing this lab, you will perform t he following tasks:

• Load t he VPN baseline configuration for your router. This configuration includes your baseline core
configuration including OSPF, LOP, MPLS and CE configuration. The starting configuration also
contains t he preconfigurations required for t he second side of your topology.
• Configure an IBGP session between the P-PE1, ASBR1 and the RR (P-P1) using the l abe led-
un i cas t add ress family.
• Configure an EBGP session between t he ASBR routers using t he labe l e d-u ni cast address fami ly.

• Configure a multihop EBGP session between the RR routers using the 12vpn address fami ly.
• Configure a BGP VPLS to provide connect ivity between the subscriber CE routers.

• Verify connectivity and behavior using operational mode commands including p in g and commands
used to examine routing tables, and P-PE1-to-P-PE2 BGP announcements.

• Configure an IBGP session between the P-PE1 and ASBR1 using the 1 2vpn autodi scover y-
rnspw family.
• Configure an EBGP session between t he ASBR routers using t he 12vpn autodi scover y-rnspw
fam ily.

• Configure a FEC 129 BGP autodiscovery L2VPN to provide connectivity between the subscriber CE
routers.

www.juniper.net Lab 7: Inter-AS L2VPNs 145

Junos Layer 2 VPNs

Lab Diagrams

Management Network Diagram

Management Network
172.25. 11.0/24
Virtual Student Desktop Console and
I
VNC Connections '=, , , , I I

--·••11
--•==:::11
/ Physical
Desktops

~G""'
::J ~ \.-_____..~H~y:ip~e:rv~i~s:o r;
Virtual Switch Management Addresses
Student-MX1 172.25.11 .1
Management Port Student-MX2 172.25.11 .2
fxpO (on all vMX devices) vr-device 172.25.11 .3
Student Desktop 172.25.11 .254

Student
Virtual Environment Note: Your instructor will provide the information
you need to access your student desktop.

O 2021 Juniper Networks JUn~J I ,

Lab: Inter-AS VPN Core

_____ ,
-------------------- VR-Device
172.17.23.12/30 I
P2 P4
loO 172.17.20.2 .13 .14 loO 172.17.20.4

"? ~
N
.,.>
<?.,.
GRE Tunnel
--
:>
·,2
•
•172.0.20.0/30 <?~
..... • • %,-9..
• ~V0/70 ~'q,
X OSPF g ~
~ g . -1 -,a
..!.
C:
-
(0
,.;
Area 0 cl
N
,.;
I
I ·< ASBR2
"!
Q) .... "!
.... f>~ lo0.6 172.17.20.6

-
-0 ~
~ 'If~
:::, ....
N
....
N
~~ ":,<:,
~
~

C l) ~

I '.\'V.
I fl-·
~
"
I
0 N
~
"!
172.17.23.16/30 I
P3 PS
loO 172.17.20.3 .1 7 .18
I
loO 172.17.20.5
I
'-------------------~
O 2021 Juniper Network! JUn~J I 2

146 Lab 7: Inter-AS L2VPNs www.juniper.net

 Junos Layer 2 VPNs

Lab: Inter-AS VPN, Parts 1-3

Student-MX1 Student-MX2
Subscriber preconfigured Subscriber

CE1 l ogical System CE2

logical System

<~6
a-
>c:,Q
<O
a,

. ....,
~

-- -- -- - - -- .....
BGPVPlS

Zl5
~a
ON.
O, •
(0
'I'
~ , --
AS 65101
OSPFArea
- <O
AS 65102
OSPFArea 0
.......
.,
-"' ... !ii. .
a:: .., N <'!
0
.,
.6 ge-0/0/5
N
.2 ge-0/0/4 .1 gr-0/0/10.1 a:: ~ ge-0/0/4 .2 ~
.... ge-0/0/5 .6
IXI ~ IXl j:!
ge-0/0/3 .5 lL ;:i IX .1 f/l - gr-0/0/10.0 .2 .1 ge-0/0/0
N °'

- 172.0.21.4/30
a..' ....ii a::
0--
ge-0/0/2
172.0.21.0/30
~
-'il
II f/l -
ct II
"!
'il 172.0.22.0/30
Q. N ~
' ....
CL U
-
M
.5 ge-0/0/6

172.0.22.4/30
0 s, 172.0.20.0/30 0
SI
SI
stem .....__ _...-i_,o ical Sy
logica System --ii..,. logica ystem
ogical System

O 2021 Juniper Network! Junw I 3

Lab: Inter-AS VPN, Part 4

Student-MX1 Student-MX2
Subscriber preconfigured Subscriber

CE1 l ogical System CE2

logical System

p .G
. __P FEC 129 BGP Autodiscovery Multisegment Pseudowire

,ifll"' AS65101
OSPFArea
_.....- ~-, ~
EBGP
;--. AS 65102
OSPF Area 0

-
<O

-
;:.
...a:: !ii..,. . N <'!
0
"'!:s
.6 ge-0/0/5 .2 ge-0/0/4 .1 gr-0/0/10.1 ~~ ge-0/0/4 .2 ~ ge-0/0/5 .6
lL "'~ IX
IXI ~ N ,c
ge-0/0/11 .5 ge-0/0/10 .1 f/l - gr-0/0/10.0 .2 ~ -;;- .1 ge-0/0/0 ~~~ w i::!
-
a..' ....ii a::
-~-
~
-II
"!
'il
CL U
-
M
.5 ge-0/0/6 Q.
,-
..-
Q. •

172.0.21 .4/30 172.0. 172.0.20.0/30 ~ ~

ogical Sys logica System

O 2021 Juniper Network! Junw I •

www.juniper.net Lab 7: Inter-AS L2VPNs 147

Junos Layer 2 VPNs

Part 1: Creating The Baseline SP Network

In t his lab part, you will load a starting configuration and configure and verify the baseline network for t he lab
including OSPF, MPLS a nd LDP settings.

NOTE: > The instructor will tell you the nature of you r
access and will provide you with t he necessary details to
access your assigned device.

Step 1.1
You shou ld make sure you are familiar with t he lab topology and envi ronment. Th is lab is comprised of twelve
logical devices t hat are operating on th ree virtual MX (vMX) routers. These vMXs are nested inside a n ESXi
Hypervisor.

Your lab device is broken down into eight logical systems. Four of t hese logical systems have been
preconfigured (ASBR2 , P-PE2, P-P2, and CE2) on Student-MX2 as part of t he starting configuration. You will be
responsible for configuring the remain ing four devices (ASBR1, P-PE1, P-P1, and CE1) on Student-MX1 in th is
lab. The core devices (P2 , P3, P4, and P5) are also preconfigured on vr-device.

Step 1.2
Consu lt the management network diagram, provided by your instructor, to determine your device's
management address.

Question: What is the management address of Student-MX1 and Student-MX2?

Answer: The management IP address of Student-MX1 is 172.25.11.1 and IP

address of Student-MX2 is 172.25.11.2

Step 1.3
Access t he CLI of your Student-MX1 device using Secu re Shell (SSH ) as directed by your instructor.

Log in as user lab with the password supplied by your inst ructor. Enter into configurat ion mode and load t his
labs starting configuration file j 1 2v / l a b 7-s ta r t . co nf ig and exit back to operat ional mode using t he
commi t a nd-quit com mand.

Student-MXl (ttypO)

log i n : lab
Passwo r d :

Last login : Thu July 1 1 1 4 : 23 : 37 2021 from 1 72 . 25 . 1 1. 254

--- JUNOS 2 1 . 2Rl. 10 Kernel 64-bit JNPR-12 .1 -202 1 0529 . 2f59a40 bui l
lab@Student-MX l > conf i gu r e
Entering configuration mode

[ edi t]
lab@Student-MX l # load override j l 2v/lab7-start . config
load complete

[ edi t]
lab@Student-MX l # commi t and-quit
commit comp l ete
Exiting configu r ation mode
148 Lab 7: Inter-AS L2VPNs www.juniper.net
 Junos Layer 2 VPNs

lab@Student-MX l >

Step 1.4
Access t he CLI of your Student-MX2 device using Secure Shell (SSH) as directed by your instructor.

Log in as user lab with the password supplied by your instructor. Enter into configurat ion mode and load this
labs starting configuration file j 1 2v / l a b 7-s ta r t . co nf ig and exit back to operat ional mode using
the commi t a n d-qui t command .

Student-MX2 (ttypO)

log i n : lab
Passwo r d :

Last login : Thu July 1 1 1 4 : 23 : 37 2021 from 1 72 . 25 . 1 1. 254

- -- JUNOS 2 1. 2Rl. 10 Kernel 64-bit JNPR-12 .1- 202 1 0529 . 2f59a40 buil
lab@Student-MX2> conf i gu r e
Entering configuration mode

[edi t]
lab@Student-MX2# load override jl2v/lab7 - start . config
load complete

[edi t]
lab@Student-MX2# commi t and- quit
commit complete
Exiting configu r ation mode

lab@Student-MX2>

Step 1.5
On your Student-MX1 device, change the CLI to the AS BR1 logical system.

On ASBR1, verify that the start configuration has correctly loaded by ensuring that OSPF has learned all
loopback routes in the local AS using t he show r o u t e p r otoco l ospf command.

lab@Student-MX l > set cli logical-system ASBRl

Log i cal system : ASBRl

lab@Student-MX l : ASBRl > show r oute protocol ospf

inet . O: 15 destinations , 1 5 r outes (15 active , 0 holddown , 0 hidden)

+ = Active Route , - = Last Active , * = Both

172 . 0 . 2 1. 4/30 *[OS PF /10] 00 : 0 1: 36 , metric 2

> to 1 72 . 0 . 2 1 . 2 via ge-0/0/4 . 0
172 . 17 . 21 .1 /32 *[OS PF /10] 00 : 0 1: 46 , metric 1
> to 1 72 . 0 . 2 1 . 2 via ge-0/0/4 . 0
172 . 17 . 21 . 2/32 *[OS PF /10] 00 : 0 1: 36 , metric 2
> to 1 72 . 0 . 2 1 . 2 via ge-0/0/4 . 0
224 . 0 . 0 . 5/32 *[OS PF /10] 00 : 02 : 42 , metric 1
MultiRecv

inet . 3 : 2 destinations , 2 routes (2 act i ve , 0 holddown , 0 hidden)

mpls . O: 7 destinations , 7 routes (7 act i ve , 0 holddown , 0 hidden)

inet6 . 0 : 1 destinations 1 routes ( 1 act i ve , 0 holddown , 0 hidden)

lab@Student-MX l : ASBRl >

www.juniper.net Lab 7: Inter-AS L2VPNs 149

Junos Layer 2 VPNs

Question: Do you see the loopback routes for the P-P1 and P-PE1 routers?

Answer: Yes, both loopback addresses of the P-P1 (172.17.21.1) and P-PE1
(172.17.21.2) routers shou ld be present. If they don't show up at first, wait a bit as
OSPF needs t ime to settle down.

Step 1.6
Verify that there is an entry for the P-P1 (172.17.21.1) and P-PE1 (172.17.21.2) loopback addresses in the
inet . 3 routing t able using t he show r oute table inet . 3 command.

lab@Student-MX l:ASBRl> show route tab le i ne t .3

inet .3: 2 destinat io ns, 2 rou t es (2 active , 0 ho l d down , 0 hidden)

+ = Active Route, - = Las t Active, * = Both

172 . 17 .2 1 .1 /32 *[LDP /9) 00 : 18 :19, metric 1

> to 172 . 0 .21.2 v ia g e- 0/0/4 . 0
172 . 17 .2 1 .2 /32 *[LDP /9) 00 : 18 :19, metric 1
> to 172 . 0 .21.2 v ia g e- 0/0/4 . 0 , Push 17

Question: Do you see both loopback addresses in table inet.3?

Answer: Yes, both /32 loopback addresses are learned in inet. 3 as LDP
routes.

150 Lab 7: Inter-AS L2VPNs www.juniper.net

 Junos Layer 2 VPNs

Part 2: Configuring The BGP Sessions To Exchange Labeled Unicast

Routes
In this lab part, you will setup both IBGP and EBGP sessions to exchange the loopback addresses between the
two autonomous systems using the fami l y i ne t labe l e d-uni cast . The P-P1 router will be used as the
route reflector for both the l a beled-uni cas t family, and the 1 2vpn sig nal ing fam ily (covered later).

Step 2.1
On your Student-MX1 device, change the CLI to the P-P1 logical system.
On P-P1, enter into configuration mode and navigate to the [e d i t p r otocols bgp group i nterna l]
hierarchy. Use your loopback address (172.17.21.1) as the source of your BGP messages and enable the i n et
l a beled-u ni cast NLRI. Establish this device as the route reflector for this AS using 1 72 .1 7 . 21. 1 as the
cluster ID. Establish a peering to the loopback addresses of both devices in this AS (P-PE1 (172.17.21.2) and
ASBR1(172.17.20.1)). Next, define the local autonomous system number ( 651 O1) under the r ou ting-
option s hierarchy. Once completed, Commit your changes and return to operational mode using the cornrni t
a nd-qui t command.
lab@Student-MXl : ASBRl > set cli logi cal-system P-Pl
Logi cal system : P- Pl
lab@Student-MXl: P- Pl> configure
Entering configuration mode
[ edi t]
lab@Student-MXl: P-Pl # edit p r otoco l s bgp g r oup i nte r nal
[ edi t protocols bgp group internal]
lab@Student-MXl: P-Pl # set type interna l
[ edi t protocols bgp group internal]
lab@Student-MXl: P-Pl # set local- address 172 . 17 . 21.1
[ edi t protocols bgp group internal]
lab@Student-MXl: P-Pl # set famil y inet l abeled- un i cast
[ edi t protocols bgp group internal]
lab@Student-MXl: P-Pl # set cluster 1 72 .1 7 . 21. 1
[ edi t protocols bgp group internal]
lab@Student-MXl: P-Pl # set neighbo r 172 .1 7 . 20 . 1
[ edi t protocols bgp group internal]
lab@Student-MXl: P-Pl # set neighbo r 172 .1 7 . 21. 2
[ edi t protocols bgp group internal]
lab@Student-MXl: P-Pl # show
type internal;
local-address 172 . 17 . 21 .1;
fami ly inet {
labeled-unicast ;
}
c l uste r 172 .1 7 . 21. 1 ;
neighbor 172 . 17 . 20 .1;
neighbor 172 . 17 . 21 . 2 ;
[ edi t protocols bgp group internal]
lab@Student-MXl: P-Pl # top
[ edi t]
lab@Student-MXl: P-Pl # set rout i ng-options autonomous-system 6510 1
[ edi t]
lab@Student-MXl: P-Pl # commit and-quit
commit compl ete
Exiting configu r ation mode
lab@Student-MXl: P-Pl >

www.juniper.net Lab 7: Inter-AS L2VPNs 151

Junos Layer 2 VPNs

Step 2.2
On your Student-MX1 device, change the CLI to the P-PE1 logical system.

On P-PE1, enter into configuration mode and navigate to the [ed i t p r otoco ls bgp g r oup in t ernal ]
hierarchy. Use your loopback address (172.17.21.2) as the source of your BGP messages and enable the i ne t
l abe led-u ni cast NLRI. Establish a peering to the loopback addresses of the route reflector in this AS (P-P1
(172.17.21.1)). Next, define the local autonomous system number ( 651 O1) under the r outi ng-opt i ons
hierarchy. Once completed, Commit your changes and return to operational mode using the cornrni t a nd-
q ui t command.

lab@Student-MX l: P- Pl > set cli l ogical-system P-PE l

Logical system : P- PEl

lab@Student-MX l: P- PEl > configure

Entering configuration mode

[ edit]
lab@Student-MX l: P- PEl # ed i t protocols bgp group i nternal

[ edit protocols bgp group internal]

lab@Student-MX l: P- PEl # set type i n ternal

[ edit protocols bgp group internal]

lab@Student-MX l: P- PEl # set local-address 1 72 . 17 . 21 . 2

[ edit protocols bgp group internal]

lab@Student-MX l: P- PEl # set fam i ly inet labe l ed-unicast

[ edit protocols bgp group internal]

lab@Student-MX l: P-PEl # set neighbor 172 . 17 . 21 .1

[ edi t protocols bgp group internal]

lab@Student-MX l: P- PEl # show
type internal;
local-address 1 72 . 17 . 21 . 2 ;
family i net {
labeled-unicast ;
}
ne i ghbor 172 . 17 . 21 .1;

[ edi t protocols bgp group internal]

lab@Student-MX l: P- PEl # top

[ edi t]
lab@Student-MX l: P- PEl # set routing-opt i ons autonomous-system 65 1 0 1

[ edi t]
lab@Student-MX l: P- PEl # commit and-quit
commit complete
Ex i ting conf i gu r ation mode

lab@Student-MX l: P- PEl >

Step 2.3
On your Student-MX1 device, change the CLI to the AS BR1 logical system.

On ASBR1, enter into configuration mode and navigate to the [edi t protocols bgp grou p
int ern a l ] hierarchy. Use your loopback address (172.17.20.1) as the source of your BGP messages and
enable the ine t l a bele d -uni cast NLRI. Establish a peering to the loopback addresses of the route
reflector in this AS (P-P1 (172.17.21.1)). Next, define the local autonomous system number ( 65 1 o1) under the
r out i ng-opt i ons hierarchy. Once completed, Commit your changes and return to operational mode using
the cornrni t a nd-quit command.

lab@Student-MX l: P- PEl > set cli logical-system ASBR l

Logical system : ASBRl

lab@Student-MX l: ASBRl > configure

Entering configuration mode

152 Lab 7: Int er-AS L2VPNs www.juniper.net

 Junos Layer 2 VPNs
[edit]
lab@Student-MXl: ASBRl # edit protocols bgp group internal

[edit protocols bgp group internal]

lab@Student-MXl: ASBRl # set type internal

[edit protocols bgp group internal]

lab@Student-MXl: ASBRl # set local-address 1 72 . 17 . 20 .1

[edit protocols bgp group internal]

lab@Student-MXl: ASBRl # set family inet labeled-unicast

[edit protocols bgp group internal]

lab@Student-MXl: ASBRl # set neighbor 172 . 17 . 21 .1

[edit protocols bgp group internal]

lab@Student-MXl: ASBRl # show
type internal;
local-address 1 72 . 17 . 20 .1 ;
family inet {
labeled-unicast ;
}
neighbor 172 . 17 . 21 .1 ;

[edit protocols bgp group internal]

lab@Student-MXl: ASBRl # top

[edit]
lab@Student-MXl: ASBRl # set routing-options autonomous-system 65 1 0 1

[edit]
lab@Student-MXl: ASBRl # commit and-quit
commit complete
Exiting configu r ation mode
lab@Student-MXl: ASBRl >

Step 2.4
On your Student-MX1 device, change the CLI to the P-P1 logical system.

On P-P1, verify the status of the IBGP sessions with the route reflector have been established using the show
bgp summa r y command .

lab@Student-MXl: ASBRl > set cli logical-system P -Pl

Logical system : P- Pl

lab@Student-MXl: P- Pl > show bgp summary

Threading mode : BGP I /0
Default eBGP mode : adve r tise - accept , receive - accept
Groups : 1 Peers : 2 Down peers : 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet . O
0 0 0 0 0 0
Peer AS I n Pkt Out P kt OutQ Flaps Last Up/Dwn
Statel#Active/Received/Accepted/Damped ...
172 . 17 . 20 .1 65101 5 4 0 0 1: 12
Establ
inet . O: 0/0/0/0
172 . 17 . 21 . 2 65 1 01 10 9 0 0 3 : 37
Establ
inet . O: 0/0/0/0

lab@Student-MXl: P- Pl >

Question: Are your IBGP sessions established to both peers of the route reflector?

w w w.juniper.net Lab 7: Int er-AS L2VPNs 153

Junos Layer 2 VPNs
Answer: Yes, you should see that both peerings are established.

Question: Do you see any labeled routes received by the route reflector at this
point?

Answer: No, no routes should be received at th is point. The reason for this is,
there are currently no routers advertising labeled unicast routes.

Step 2.5
On your Student-MX1 device, change the CLI to the ASBR1 logical system.

On ASBR1, enter into configuration mode and configure the ASBR router to copy the inet. 3 routes in to the
inet . 0 table using the mpls-f orwa r ding option .

lab@Student-MX l:P-Pl> set cli logica l-system ASBRlLogical system:

ASBRllab@Student-MXl:ASBRl> configureEntering configuration mode[edit]lab@Student-
MXl:ASBRl# set protocols mpls traffic-engineering mpls-
forwarding[edit]lab@Student-MXl:ASBRl#

Step 2.6
Next, navigate to the [edit policy-options policy-statement export-loOs] hierarchy. Create a
term called loopbacks that accepts the /32 loopback addresses of both P-P1 (172.17.21.1) and P-PE1
(172.17.21.2). You will apply this export policy to your EBGP peering with ASB R2 in the next step.

[ edit]lab@Student-MXl:ASBRl# edit policy-options policy-statement export-loOs[edit

policy-options policy-statement export-loOs ] lab@Student-MXl :ASBRl# set term
loopbacks from route-filter 1 72 .1 7 .2 1 .1 /32 exact[edit policy-options policy-
statement export-loOs]lab@Student-MXl:ASBRl# set term loopbacks from route-filter
172 . 17 .2 1 .2 /32 exact[edit policy-options po l icy-statement export-loOs]lab@Student-
MXl:ASBRl# set term loopbacks then accept[edit policy-options policy-statement
export-loOs]lab@Student-MXl:ASBRl# show term loopbacks { from { route-
filter 1 72 .1 7 .21. 1/32 exact; route-filter 172 . 17 .21.2 /32 exact; }
then accept;} [ edit policy-opt ions policy-statement export-loOs ]l ab@Student-
MXl:ASBRl#

Step 2.7
Still on ASBR1, navigate to the [edit protocols bgp group external] hierarchy and create an
EBGP peering with ASBR2, that peers with the g r-0 / O/ 1 O. 1 interface address (172.0.20.2). Enable the
session for inet labeled-unicas t routes and specify the remote AS as 65102 . Next, apply the export
policy export-loOs to this EBGP group. Once completed , commit your changes and return to operational
mode using the commit and-quit command.

[ edit policy-options policy-statement export-loOs ] lab@Student-MXl:ASBRl# top edit

protocols bgp group external[edit protocols bgp group external ]l ab@Student-
MXl:ASBRl# set type external[edit protocols bgp group external ]l ab@Student-
MXl:ASBRl# set fami l y inet labeled-unicast [edit protocols bgp group
external ]l ab@Student-MXl:ASBRl# set peer-as 65102 [ edit protocols bgp group
external ]l ab@Student-MXl:ASBRl# set ne ighbor 172 . 0 .2 0 .2[edit protocols bgp group
external ]l ab@Student-MXl:ASBRl# set export export-loOs [ edit protocols bgp group
external ]l ab@Student-MXl:ASBRl# show type external;family inet { labe led-
un icast; }export export-loOs;peer-as 65102;neighbor 1 72 . 0 .2 0 .2; [ edit p rotocols bgp
g roup external]lab@Student-MXl:ASBRl# commit and-quitcommit completeExiting
configuration modelab@Student-MX:ASBRl>

154 Lab 7: Inter-AS L2VPNs www.juniper.net

 Junos Layer 2 VPNs

Step 2.8
Verify t hat the EBGP session between the ASB R routers is established and advertising the labeled-un icast
routes using the show bgp summa r y , and the show rou te advertising-protocol bgp
172 . O. 2 O. 2 detail comma nds.

lab@Student-MXl:ASBRl> show bgp summary Threading mode: BGP I /ODe fa u lt eBGP mode:
advertise - accept , receive - acceptGroups: 2 Peers: 2 Down peers: OTable
Tot Paths Act Paths Suppressed Histo r y Damp State Pendinginet.O
2 2 0 0 0
OPeer AS I n Pkt OutPkt OutQ Flaps Last Up/Dwn
Statel#Active/Received/Accepted/Damped ... 172 . 0 .2 0 .2 65 1 02 5
5 0 0 34 Es tabl i ne t . O: 2/2/2/0172.17 . 21.1
65 1 01 39 41 0 0 1 6 :4 8 Estab l inet.O:
0/0/0/0 lab@Student-MXl:ASBRl> show rou te advertising-protocol bgp 1 72 . 0 .2 0 .2
detail i net . O: 1 7 destinations , 1 9 rou tes (17 active, 0 ho lddown , 0 hidden) @
172 . 17 .2 1 .1 /32 (2 entries , 2 announced) BGP g roup external type Exte rna l Route
Label: 20 Nexthop : Self Flags : Nexthop Change MED: 1 AS path:
(65 1 0 1] I Entropy label capable@ 1 72 .1 7 .21.2 /32 (2 entries, 2 announced) BGP
g roup external type External Route Label: 21 Nexthop : Self Flags:
Nexthop Change MED: 2 AS path : (65101 ] I Entropy label
capablelab@Student-MXl:ASBRl>

Question: Is the session between the two ASBR routers up and running?

Answer: The session between the two ASBRs should be established. If it is not,
double check the interface and BGP settings. If you need further assistance,
consu lt with your instructor.

Question: Does the show route command indicate if the routes are labeled?

Answer: Yes you should see that there is a label associated with each of the
routes, as expected for routes advertised with fam ily inet labeled-unicast.

Step 2.9
On your Student-MX1 device, change the CLI to the ma in instance using the clear cli l ogical-system
command. The next series of commands are designed to track the path between P-P1 and P-PE2 and is best
executed from the main instance instead of changing to each logical system in the path. You will use the label
values from each hop to verify t hat there is an e nd-to-end labeled path.
From the main instance use the show rou t e 17 2 . 17 . 22. 2 logical-system P-P l command to
determ ine the first label value fo r traffic destined to P-PE2's loopback.

lab@Student-MXl:ASBRl> clear cli logical-s ystem Cleared default logical

systemlab@Student-MXl> show route 1 72 .1 7 .22.2 logical-s ystem P-Pl inet . O: 1 1
des ti na tio ns, 11 rou t es (11 active, 0 ho lddown, 0 hidden) + = Active Route, - -
Last Active, * = Both172.17.22.2/32 *[BGP/170 ] 00 : 05 :49, ME D 2 , localpre f 1 00 ,
from 172 . 17 .2 0 .1 AS path : 65102 I , validation-state :
u nv eri f ied > to 172 . 0 .21.1 via ge-0/0/2.0 , Pus h 21lab@Student-
MX1>

www.juniper.net Lab 7: Inter-AS L2VPNs 155

Junos Layer 2 VPNs

Step 2.10
Next, use the show route table mpls. 0 label <value> log i cal-system ASBRl comma nd,
where value equals the label va lue from the previous output. In the example here the label is 21.

lab@Student-MX l> show route table mpls . O labe l <value> log ica l-s ystem ASBRl mpls . O:
12 destinations , 12 routes (12 active , 0 holddown , 0 hidden) += Active Route , -
Last Active , * = Both21 *[VPN/170 ) 00 : 30:19 >
to 1 72 . 0 . 20 . 2 via g r- 0/0/ 1 0 . 0 , Swap 19 lab@Student -MX1>

Step 2.11
Return to you r Student-MX2.

On Student-MX2, use the show route table mpl s . 0 label <va l ue> logical-system ASBR2
command , where value equals the label value from the previous out put, in the example here the label is 1 9 .

lab@Student-MX2> show rou te table mpls . O labe l <value> log ica l-s ystem ASBR2mpls . O:
12 destinations , 12 routes ( 1 2 active , 0 holddown , 0 hidden) += Active Route , -
Last Active , * = Both19 *[VPN/ 1 70) 00 :31:49 >
to 1 72 . 0 . 22 . 2 via ge-0/0/4 . 0 , Swap 16lab@Studen t-MX2>

Step 2.12
Next, use the show rout e table mpls. 0 labe l <value> log i cal-system P-P2 comma nd,
where value equals the label va lue from the previous output, in the example here the label is 1 6 .

lab@Student-MX2> show route table mpls . O labe l <value> logical-s ystem P-P2mpls . O:
8 destinations , 8 routes (8 active , 0 holddown , 0 hidden) + = Active Route , - =
Last Active , * = Both16 *[LDP/9) 00 :32:3 7 , metric 1
> to 1 72 . 0 . 22 . 6 via ge-0/0/5 . 0 , Pop16(S = O) *[LDP /9) 00 : 32:37 ,
metric 1 > to 1 72 . 0 . 22 . 6 via ge-0/0/5 . 0 , Poplab@Student-MX2>

Question: Can you see an end-to-end labeled path towards the P-PE2 router from
your P-P1 router?

Answer: Yes you should see that there is a label for each hop toward the P-PE2
device, except the last hop as penultimate hop popping (PHP) is applied here.This
labeled path is essentia l for our L2VPN traffic later on.

156 Lab 7: Inter-AS L2VPNs www.juniper.net

 Junos Layer 2 VPNs

Part 3: Establishing The BGP Sessions For Inter-AS BGP VPLS

Deployment
In t his lab part, you will configure a multihop EBGP session between the two route reflectors to exchange BGP
VPLS information. You will alter your current IBGP peering between P-P1 and P-PE1 to support t he Layer 2 NLRI.
You will then configure a VPLS instance t o con nect your CE1 device with t he remote CE2 device. Finally, you will
verify the connectivity across the inter-AS VPLS instance.

Step 3.1
Return to you r Student-MX1 device, change the CLI to t he P-P1 logical system.

On P-P1, enter into configuration mode and navigate to the [edi t p r otocols bgp group external ]
hierarchy. Establish the multihop EBGP session between PE-l 's loopback address (172.17.21.1) and P-P2 's
loopback address (172.17.22.1). Ensure t hat the route reflector does not change the next-hop of routes sent
through th is EBGP peering. Enable this session to support t he Layer 2 VPN NLRI. Once completed, commit your
changes but remain in configuration mode.

lab@Student-MXl> set cli logical-system P-PlLog ical system: P-Pllab@Student-MXl:P-

Pl> configureEntering configuration mode [ edit ] lab@Studen t-MX l:P-Pl# edit protocols
bgp g roup external [ edit protocols bgp group external]lab@Student-MXl:P-Pl# set
type external [ edit protocols bgp group externa l]lab@Student-MX l :P-P l# set local-
address 172 .1 7 .21. l [edit protocols b gp group external ]l ab@Student-MXl:P-Pl# set
multihop no -nexthop-chang e [edit p rotocols bgp group external]lab@Student-MXl:P-P l#
set family 12 vpn signaling [edit p rotocols bgp group external]lab@Student-MXl:P-P l#
set peer-as 65 1 02[ed i t p rotocols bgp group external]lab@Stude nt-MXl:P-P l# set
ne ighbor 172 . 17 .22.l[edit protocols bgp g roup external ] lab@Studen t -MXl:P-Pl# show
type external;multihop { no- nexthop -cha nge;}local-address 1 72 .1 7 .21. l ; fami l y
12vpn { signaling;}peer-as 65 1 02 ; ne ighbor 172 . 17 .22.1; [edit protocols bgp g roup
external ]l ab@Student-MXl:P-Pl# commit commit complete [edit p rotocols bgp group
external ]l ab@Student-MXl:P-Pl#

Step 3.2
Verify t hat your new EBGP session has established between the two route reflectors using t he run show bgp
summary comma nd.

[ edit protocols bgp group externa l] lab@Stu d e nt -MX l :P-P l# r u n show b gp summary
Threading mode: BGP I /ODefau l t eBGP mode: advertise - accept , recei ve -
acceptGroups: 2 Peers: 3 Down peers: OTable Tot Paths Act Paths Suppressed
Histo r y Damp State Pending inet. O 2 2 0
0 0 Obgp . 12vpn . O 1 0 0 0
0 OPeer AS In Pkt Out Pkt OutQ Flaps
Last Up/ Own State l #Active/Received/Accepted/Damped ... 172 .1 7 .2 0 . 1 65101
123 1 19 0 0 53 :3 5 Estab l inet. O: 2/2/2/0172.17.21.2
65 1 0 1 12 7 12 8 0 0 56 : 00 Estab l i net . O:
0/0/0/0 1 72 .1 7 .22. 1 65102 4 2 0 0
44 Estab l bgp.12vpn.O: 0/1/ 1 /0[ed it protocols bgp group externa l]lab@Student-
MXl:P-Pl#

Question: Is the EBGP session established?

www.juniper.net Lab 7: Inter-AS L2VPNs 157

Junos Layer 2 VPNs

Answer: Yes, the EBGP session should be established. This can sometimes take a
couple minutes to establish. If you are stil l having problems, review your
configuration and engage your instructor as needed.

Step 3.3
Stil l on P-P1, navigate to the [edi t p ro tocols bgp group internal] hierarchy and configure the
IBGP session between P-P1 and P-PE1 to use the Layer 2 VPN NLRI. Once completed, use the commit and-
quit command to return to operational mode.

[edit protocols bgp group external]lab@Student-MXl:P-Pl# up[edit protocols

bgp]lab@Student-MXl:P-Pl# edit g roup internal[edit protocols bgp group
interna l ]lab@Student-MXl:P-Pl# set neighbo r 172 .1 7 .21.2 family inet labeled-
un icast[edit protocols bgp g roup internal]lab@Student-MXl:P-Pl# set neighbor
172 . 17 .2 1 .2 family 12vpn signaling[edit protocols bgp g roup internal]lab@Student-
MXl:P-Pl# show type internal ; local-address 1 72 .1 7 .21. l ; family inet { labeled-
un icast; }cluster 172 .1 7 .21. l ; neighbor 1 72 .1 7 .2 0 .l;neighbor 172 . 17 .2 1 .2 { family
inet { labeled-unicast ; } family 12vpn { signaling; }} [edit
protocols bgp g roup internal]lab@Student -MXl:P-Pl# commit and-quitcommit
completeExiting configuration modelab@Student-MXl:P-Pl>

Step 3.4
On your Student-MX1 device, change the CLI to the P-PE1 logical system.
On P-PE1, enter into configuration mode and navigate to the [edit p rotoco ls bgp g r oup internal]
hierarchy. Add support for t he Layer 2 VPN NLRI for the session to your route reflector. Once completed, use t he
cornrni t and-quit command to retu rn to operational mode.

lab@Student-MXl:P-Pl> set cli logical-system P-PE lLogica l system: P-

PEllab@Student-MXl :P-PEl> configureEntering configuration mode[edit]lab@Student-
MXl:P-PEl# edit protocols bgp group interna l [edi t p rotocols bgp group
interna l ]lab@Student-MXl:P-PEl# set ne ighbor 172 . 17 .2 1 .1 family inet labeled-
un icast[edit protocols bgp g roup internal]lab@Student-MXl:P-PEl# set neighbor
172 . 17 .2 1 .1 family 12vpn signaling[edit protocols bgp g roup internal]lab@Student-
MXl:P-PEl# show type i nternal ;local-address 172 .1 7 .21.2;family inet { labeled-
un icast; }neighbor 172 . 17 .2 1 .1 { family inet { labeled-unicast ; }
family 12vpn { signaling; }} [edit protocols bgp g roup
interna l ]lab@Student-MXl:P-PEl# commit and-quit commit completeExiting
configuration modelab@Student-MXl:P-PEl>

Step 3.5
On your Student-MX1 device, change the CLI to the P-P1 logical system.
On P-P1, verify that the IBGP session is reestablished and is enabled with the Layer 2 VPN NLRI using t he
show bgp summary, show bgp neighbor 1 72 .1 7 . 21. 2 ,and show bgp neighbor
172 . 17 . 22 . 1 commands.

158 Lab 7: Inter-AS L2VPNs www.juniper.net

 Junos Layer 2 VPNs
lab@Student-MXl:P-PEl> set cli log ical-s ystem P-P lLogical system: P-Pllab@Student-
MXl:P-Pl> show bgp summaryGroups: 2 Peers: 3 Down peers : OTable Tot Paths
Act Paths Suppressed History Damp State Pendinginet . 02 2 0
0 0 Obgp . 12vpn . 0 1 0 0 0
0 OPee r AS I n Pkt Out Pkt OutQ Flaps
Last Up/Own State l #Active/Received/Accepted/Damped ... 172 .1 7 .2 0 .1 65 1 0 1
433 426 0 0 3:12:22 Establinet . O: 2/2/2/0172.17.21.2
65 1 0 1 16 12 0 1 6 :19 Es tablinet . O:
0/0/0/0bgp .12 vpn . O: 0/0/0/0172 . 17 .22.1 65 1 02 36 33
0 0 15:11 Establbgp .12vpn . O: 0/ 1 /1/0lab@Student-MXl :P-P l> show bgp
neighbor 172 . 17 .2 1 .2 Peer: 172 . 17 .2 1 .2+594 50 AS 65 1 0 1 Local: 1 72 .1 7 .21. 1+1 79 AS
65 1 01 Group: internal Routing-Instance : master Forwarding routing-
instance : master Type: Internal State: Establis hed (route reflector
client)Flags: <Sync> Las t State: OpenConfirm Last Event: RecvKeepAlive Last
Error: None Options: <LocalAddress Cluster AddressFamily Rib-group Refresh>
Options: <GracefulS hutdownRcv> Address families configured: inet-labeled-unicast
12vpn-signaling Local Address: 1 72 . 17 .2 1 .1 Holdtime : 90 Preference: 1 70 Graceful
Shutdown Receiver local-preference : 0 Number of flaps: 1 Last flap event:
RecvNotify Error: ' Cease ' Sent: 0 Recv : 1 Peer ID: 172 .1 7 .21.2 Loca l ID:
172 . 17 .2 1 .1 Active Holdtime: 90 Keepalive Interval: 30 Group index :
0 Peer index: 0 SNMP index : 1 I /0 Session Thread: bgpio-0 State:
Enabled BFD: disab led, down NLRI for restart configured on peer: 12vpn inet-
labeled-unicast NLRI advertised by peer: 12 vpn inet-labeled-unicast NLR I for
this session: 12vpn inet-labeled-unicast Peer supports Refresh capability (2)
Stale routes from peer are kept for : 300 Peer does not support Restarter
functionality Restart f lag received from the peer : Notification NLRI that
restart is negotiated for: 12vpn inet-labeled-unicast NLRI of received end-of-rib
markers: 12vpn inet-labeled-unicast NLRI of all end-of-rib markers sent: 12vpn
inet-labeled-unicast Peer does not support LLGR Restarter functiona li ty Peer
supports 4 byte AS extension (peer-as 6510 1) Peer does not support Addpath
NLRI (s) enabled for color nexthop resolution: 12vpn inet-labeled-unicast Ent rop y
label NLRI : inet-labeled-unicast Entropy label : No ; next hop validation : Yes
Local entropy labe l capability: Yes; stitching capability: Yes Table inet.O Bit:
20000 RIB State: BGP restart is complete Send state: in sync Active
prefixes: 0 Received prefixes : 0 Accepted prefixes:
0 Suppressed due to damping: 0 Advertised prefixes: 2
Table bgp .12vpn . O Bit: 30001 RIB State: BGP restart is complete RIB State:
VPN restart is complete Send state: in sync Active prefixes: 0
Received prefixes: 0 Accepted prefixes: 0
Suppressed due to damping: 0 Advertised prefixes : 0 Last traffic
(seconds): Received 24 Sent 22 Checked 638 Input messages: Total 27
Updates 2 Refreshes O Octets 587 Output messages: Total 27 Updates 2
Refreshes O Octets 689 Output Queue [ l]: 0 (inet.O, inet-labeled-
unicast) Output Queue [ 2]: 0 (bgp.12vpn.O, 12vpn) lab@S tudent-MX1:P-Pl>

Question: Is family 12vpn signaling correctly negotiated on both the

IBGP and EBGP session?

Answer: Yes, the EBGP session between the two route reflectors shows family
12vpn signaling has been negotiated as can been seen by looking at the NLRI for
this session field in the show bgp neighbor output. For the IBGP session both
family inet labeled-unicast, and family 12vpn signaling has been negotiated.

Step 3.6
On your Student-MX1 device, change the CLI to the P-PE1 logical system.

On P-PE1, enter into configuration mode and review the CE facing interface's configuration .

lab@Student-MXl:P-Pl> set cli logical-system P-PE l Logical system: P-

PEllab@Student-MXl :P-PEl> configure Entering configuration mode [ edit]lab@Student-
MXl:P-PEl# show interfaces ge-0/0/6 unit 6 1 0 { encapsulation vlan-vpls ;
v lan-id 610 ;} [ edit ] lab@Studen t-MX l:P-PEl#

www.juniper.net Lab 7: Inter-AS L2VPNs 159

Junos Layer 2 VPNs

Step 3.7
Still on P-PE1, navigate to the [edi t ro uti n g-instances vpnl] hierarchy and define a BGP based
VPLS instance. Include the CE facing interface in this routing instance. Define t he route dist inguisher as
172 .1 7 . 2 1. 2 : 100 and define the route target for this instance as 6510 1 : 100 .

Next, navigate to the [edit routing-instances vpn l protocols vpls] hierarchy and define the
CE l site with a site ID of 1 . Finally, t urn off tunnel services for this VPLS instance. Once completed, commit
your changes and exit to operational mode using the cornrni t and-quit command.

[edit]lab@S tudent-MX l:P-PE l# edit routing-instances vpn l [edit routing-instances

vpn l ]lab@Student-MXl:P-PEl# set instance-type vp ls[edit routing-instances
vpn l ]lab@Student-MXl:P-PEl# set interface ge - 0/0/6 . 6 1 0[edit routing -instances
vpn l ]lab@Student-MXl:P-PEl# set route-distinguishe r 1 72 .1 7 .21.2:l OO[edit routing-
instances vpnl]lab@Student -MXl:P-PE l# set vrf -target target:65101:lOO[edit
routing-instances vpn l ]lab@Student-MXl:P-PEl # edit protocols vpls[edit routing-
instances vpnl protocols vpls] lab@Student-MXl :P-PEl# set site CEl site-identifier
l [edit routing-instances vpn l protocols vpls ]lab@Student-MXl:P-PEl# set no-tunnel -
services[edit rout ing-instances vpnl protocols vpls] lab@Student - MX l:P-PEl# commit
and-quitcornrnit completeExiting configuration modelab@Student-MXl:P-PEl>

Step 3.8
On PE-1, check the status of the inter-AS VPLS connection using the show vpls connections command .

lab@Student-MX l:P-PEl> show vp ls connections Layer-2 VPN connections:Legend for

connection status (St)EI -- encapsulation inval id NC -- i nterface
encapsulation not CCC/TCC/VPLSEM -- encapsulation mismatch WE -- interface and
instance encaps not sameVC-Dn -- Virtua l circuit down NP -- interface hardware
not presentCM -- control-word mismatch -> -- only outbound connection is upCN
-- circuit not provis ioned <- -- only inbound connection is upOR -- out of
range Up -- operationalOL -- no outgoing label Dn -- downLD
-- local site signaled down CF -- call admission control fa i lu re RD -- remote
site signaled down SC -- loca l and remote site ID collisionLN -- loca l site not
designated LM -- local site I D not minimum designatedRN -- remote site not
designated RM -- remote site I D not minimum designatedXX -- unknown connection
status IL -- no incoming labe lMM -- MTU mismatch MI -- Mesh-Group
ID not availableBK -- Backup connection ST -- Standby connectionPF --
Profile parse fa i lu re PB -- Profile busyRS -- remot e site standby SN -
- Static NeighborLB -- Local site not best-site RB -- Remote site not best-
siteVM -- VLAN ID mismatch HS -- Hot-standb y Connection Legend for
interface statusUp -- operationalDn -- downinstance: vpn lEdge protection: Not-
Primary Local site: CEl (l)No connections found .lab@Student - MX l:P-PE l>

Question: What is the status for the inter-AS VPLS connection?

Answer: The status is no connections found, which indicates an issue

with the BGP advertisements between the PEs involved in the VPLS instance.

Step 3.9
On your Student-MX1 device, change the CLI to the P-P1 logical system.

On P-P1, review the VPLS NLRI advertisements and try to figure out what might be the cause for t he status of
the VPLS connection. Use the show bgp su mmary, show route receive-protocol bgp 172.17.22.1, show route
receive-protocol bgp 172.17.22.1 hidden, and show route 172.17.22.2 commands to investigate.

160 Lab 7: Inter-AS L2VPNs www.juniper.net

 Junos Layer 2 VPNs
lab@Student-MXl : P-PE l > set cli logical-system P-PlLogical system: P- Pl lab@Student-
MX l :P-Pl > show bgp summary Threading mode: BGP I /ODefault eBGP mode: advertise -
accept , receive - acceptGroups: 2 Peers: 3 Down peers: OTable Tot Paths
Act Paths Suppressed History Damp State Pendinginet . O
2 2 0 0 0 Obgp . 12vpn.O
2 1 0 0 0
OPeer AS I nPkt OutPkt OutQ F laps Last
Up/Own State l #Active/Received/Accepted/Damped . .. 1 72 . 17 . 20.1 6510 1
190 186 0 0 1:23 : 24 Establ inet . O: 2/2/2/0 1 72 . 17 . 2 1. 2
65101 56 53 0 1 22:10 Establ inet . O:
0/0/0/0 bgp . 12vpn . O: 1/1/1/0172 . 17 . 22 . 1 65102 70 70
0 0 30 : 33 Establ bgp . 12vpn . O: 0/ 1 /1/0lab@Student-MX l:P-Pl> show
route receive-protocol bgp 172 . 17 . 22 . 1 inet . O: 11 destinations , 1 1 routes (11
active , 0 holddown , 0 hidden)inet . 3 : 2 destinations , 2 routes (2 active , 0
holddown , 0 hidden)mpls . O: 8 destinations , 8 routes (8 active , 0 holddown , 0
hidden)inet6 . 0: 1 destinations , 1 routes (1 active , 0 holddown , 0
hidden)bgp . 12vpn . O: 2 destinations , 2 routes ( 1 active , 0 holddown , 1
hidden)lab@Student-MX l : P-Pl> show route receive-protocol bgp 1 72 .1 7 . 22 . 1 hidden
inet . O: 11 destinations , 1 1 r outes (11 active , 0 holddown , 0 hidden)inet . 3 : 2
destinations , 2 routes (2 active , 0 holddown , 0 hidden)mpls . O: 8 destinations , 8
routes (8 active , 0 holddown , 0 hidden)inet6 . 0 : 1 destinations , 1 routes ( 1
active , 0 holddown , 0 hidden)bgp . 12vpn . O: 2 destinations , 2 routes (1 active , 0
holddown , 1 hidden) Prefix Nexthop MED Lclpr ef AS path
172 . 17 . 22 . 2 :1 00 : 2 : 1/96 172 . 17 . 22 . 2
65102 I lab@Student-MXl: P- Pl > show r oute 1 72 .1 7 . 22 . 2
inet . O: 11 destinations , 1 1 r outes (11 active , 0 holddown , 0 hidden)+ = Active
Route , - = Last Active , * = Both172 . 17 . 22 . 2/32 *[BGP / 1 70] 01 : 08 : 15 , MED 2 ,
localpr ef 100 , from 1 72 . 17 . 20 .1 AS path: 65102 I, validation-
state : unverified > to 1 72 . 0 . 21 .1 via ge-0/0/2 . 0 , Push
23lab@Student-MX1: P-P l >

Question: What could be the cause for the VPLS connection status of no
connections found?

Answer: When you look at the output of the show bgp summary command
and show route receive-protocol bgp 172 .17. 22 .1 on P-P1,
you see that the VPLS route has been received but it is hidden. When you look at
hidden route you see that what the protocol next-hop is (172.17.22.2). This prefix
is known only in inet. 0 and therefore can't be used to resolve the next-hop for
VPN routes, even though it is a labeled unicast route as shown before. This is the
reason the route is hidden, and as a result not advertised to your local PE. As your
local PE doesn't receive the VPLS NLRI it causes the no connections found status.

Step 3.10
To fix t he hidden route issue, you need to enable the P-P1 and P-PE1 devices to use t he labeled unicast routes
to resolve t he next-hops for t he VPN routes.

On P-P1, enter into configurat ion mode and navigate to the [edi t p r otoco l s bgp group i nternal ]
hierarchy. Configure t he r e sol ve-vpn' ' option on t he family inet labeled-unicast sessions for t he
P-P1 to ASBR1 and P-P1 to P-PE1 routers. Commit you r configuration and exit to operational mode using the
cornrni t and-quit command.

w ww.juniper.net Lab 7: Inter-AS L2VPNs 16 1

Junos Layer 2 VPNs
lab@Student-MXl:P-Pl> configure En te ring configuration mode[edit]lab@Student-
MX l:P - Pl # edit protocols bgp group interna l [ed i t p rotocols bgp group
i n t ernal ]lab@Student-MXl:P-Pl# show type internal;local-address 1 72 .1 7 . 21 .l; fam i ly
i ne t { labeled-unicast;}cluster 172 .1 7 . 2 1. l ;ne ighbor 1 72 .1 7 .2 0 .l;neighbor
172 . 17 . 21.2 { family inet { labeled-unicas t ; } family 12vpn {
signaling; }} [edit protocols bgp group i n t ernal ]lab@Student-MXl:P-Pl# set
family i net labe led-un icast resolv e- vpn [edit protocols bgp group
i n t ernal ]lab@Student-MXl:P-Pl# set ne ighbor 172 .1 7 . 21.2 family i ne t labe led-
u nicast resol ve-vpn [edit protocols bgp g roup inte rna l] lab@Studen t-MX l:P-Pl# show
type in te rnal;loca l-address 1 72 .1 7 . 21 .l; family inet { labe led-un icast {
reso lve-vp n; }}cluster 172 .1 7 . 21.l;neighbor 1 72 .1 7 .2 0 .l;neighbor 1 72 . 17 .2 1 . 2 {
family inet { labeled-unicas t { resol ve-vpn ; } }
family 12vpn { signaling; }} [edit protocols bgp g roup
i n t ernal ]lab@Student-MXl:P-Pl# commit and-quit commit completeExiting
configuration modelab@Student-MXl:P-Pl>

Step 3.11
On your Student-MX1 device, change the CLI to the P-PE1 logical system.

On P-PE1, enter into configuration mode and navigate to the [edit prot ocols bgp g roup internal]
hierarchy. Configure the re sol ve-vp n option under the fam i ly inet labeled-unicast statement
configured for the P-P1 neighborship. Once completed, commit your changes and return to operationa l mode
using the commit and-qu it command.

lab@Student-MXl:P-Pl> set cli log ical-system P-PE l Logica l system: P-

PEllab@Student-MX l :P-PEl> configure Entering configuration mode[edit]lab@Student-
MX l:P - PE l# edit protocols bgp group i n t ernal [edit protocols bgp group
i n t ernal ]lab@Student -MXl:P-PEl# show type interna l ;local-add ress
172 . 17 . 21.2;family inet { labeled-unicas t ; }nei g h bo r 1 72 .1 7 .2 1 .1 { family
i ne t { labe led-u nicast; } family 12vpn { signaling; }} [edit
protocols bgp g roup internal] lab@Student -MXl:P-PE l# set neighbor 1 72 .1 7 .21.1
family i net labe led-un icast resolv e- vpn [edit protocols bgp group
i n t ernal ]lab@Student -MXl:P-PEl# commit and-quit commit completeExiting
configuration modelab@Student-MXl:P-PE l >

Step 3.12
Still on P-PE1, verify the inter-AS VPLS connection using the show vp ls connecti ons' ' command .

lab@Student-MX l:P-PEl> show vp ls connections Layer-2 VPN connections : Le ge nd for

connection status (St) EI -- encapsulation inval id NC -- interface
encapsulation no t CCC/TCC/VPLSEM -- encapsulation mismatch WE -- interface and
i ns tance encaps not sameVC-Dn -- Virtual circuit down NP -- in te r face hardware
not present CM -- control-word mismatch -> -- only outbound connection is
upCN -- circuit not provisioned <- -- only inbound connection is upOR -- out of
range Up -- operationalOL -- no outgoing label Dn -- down
LD -- local site signaled down CF -- call admission control
failure RD -- remote site signaled down SC -- local and remote site I D
collisionLN -- local site not designated LM -- loca l site I D not minimum
desi g na tedRN -- remote site not designated RM -- remote site I D not minimum
desi g na tedXX -- unknown connection status IL -- no i ncoming labelMM -- MTU
mismatch MI -- Mesh-Group ID not availableBK -- Backup connection
ST -- Standby connectionPF -- Profile parse failure PB -- Profile
busyRS -- remote site standby SN -- Static Nei g hborLB -- Local site not best-
site RB -- Remote site not best-siteVM -- VLAN ID mismatch HS -- Hot-
standby ConnectionLegend for interface status Up -- operational Dn --
downins tanc e: vpnlEdge p rotec t ion: Not-Primar y Local site: CEl (1) connection-
site Type St Time last up # Up trans 2
rmt Up Sep 2 1 1 :39:28 2021 1 Remote PE: 172 . 17 . 22.2 ,
Negotia ted control-word: No I ncoming label: 19 , Outgoing label: 16 Local
interface: lsi.68 157440 , Status: Up , Encapsulat ion : VPLS Description: In tf
- vpls vpn l local site 1 remote site 2 Flow Label Transmit: No , Flow Label
Receive: Nolab @Student -MXl:P-PE l>

Step 3.13
On your Student-MX1 device, change the CLI to the CE1 logical system.

On CE1, review the status of the preconfigured OSPF neighborship between CE1 and CE2 using the show
ospf neighbor command .

162 Lab 7: Inter-AS L2VPNs www.juniper.net

 Junos Layer 2 VPNs
lab@Student-MXl:P-PEl> set cli logical-system CEl Logical system: CEllab@Student-
MXl:CEl> show ospf neighborAddress Interface State ID
Pri Deadl0.0.30.2 ge-0/0/7.610 Fu ll 10.0.30.2
128 39lab@Student-MX1:CE1>

Question: What is the state of the show ospf neighbor command for the
loca l CE?

Answer: The state should be Full which proves bid irectiona l connectivity across
the inter-AS VPLS deployment.

www.juniper.net Lab 7: Inter-AS L2VPNs 163

Junos Layer 2 VPNs

Part 4: Configuring FEC 129 Autodiscovery Inter-AS L2VPN Using

Multisegment Pseudowires
In t his lab part, you will load a starting configuration that has removed all the BGP VPLS configurat ions on your
devices. Th is starting configuration will also preconfigure the remote side of your topology. Once loaded, you will
configure multisegment pseudowires for an inter-AS FEC 129 BGP autodiscovery Layer 2 VPN deployment. You
will configure the BGP sessions for family 12vpn autodis cover y-mspw . You will also configure the
Layer 2 VPN instance for FEC 129 BGP autodiscovery.

Step 4.1
Access the CLI of your Student-MX1 device using Secure Shell (SSH) as directed by your instructor.

Log in as user lab with the password supplied by your instructor. Enter into configuration mode and load this
labs starting configuration file j 1 2v / lab 7-pa r t4-start . conf ig and exit back to operationa l mode using
the commit a nd-quit command.

lab@Student-MX l: CEl> clear cli log ical-s ystemlab@Student-MX l > configureEntering

configuration mode[edit]lab@Student-MX l # load override jl2v/ lab 7-part4-
start . configload complete[edit]lab@Student-MXl# commit and-quitcornrnit
completeExiting configu r ation modelab@Student-MX l >

Step 4.2
Access the CLI of your Student-MX2 device using Secure Shell (SSH) as directed by your instructor.

Log in as user lab with the password supplied by your instructor. Enter into configuration mode and load this
labs starting configuration file j 12v / lab 7-pa r t4-start . conf ig and exit back to operationa l mode using
the cornrni t a n d-qui t command .

Student-MX2 (ttypO)login : labPassword :Last login : Thu July 11 14 : 23 : 37 202 1 f r om

172 . 25 .1 1 . 254--- JUNOS 21 . 2R l.1 0 Kernel 64-bit JNPR-12 .1-
20210529 . 2f59a40 buillab@Student-MX2> configure Ente ri ng configuration
mode[edit]lab@Student-MX2# load over r ide j l2 v/lab7-part4-start . configload
complete[edit]lab@Student-MX2# commit and-quitcommit complete Exiting configuration
modelab@Student-MX2>

Step 4.3
Return to you r Student-MX1 device, change the CLI to the ASBR1 logical system.

On ASBR1, enter into configuration mode and add the ASBR2 facing interface ( gr-0/0/ 1 0 . O) to the
preconfigured LOP protocol.

lab@Student-MX l> set cli logical-system ASBRl Logical system : ASBRllab@Student-

MX l: ASBRl> configure Entering configuration mode[edit]lab@Student-MXl : ASBRl# set
protocols ldp interface gr-0/0/10 . 0[edit]lab@Student-MXl:ASBRl# show protocols
ldp i nterface ge-0/0/4 . 0 ; inte r face gr-0/0/ 1 0 . 0 ; interface lo0 .1; [edi t] lab@Student-
MX l: ASBRl#

Step 4.4
Next, navigate to the [edit policy-optio n s policy-statemen t nhs] hierarchy and create a policy
that sets t he next-hop of BGP routes to self. This export policy will be used in the next step.

[edit]lab@S tudent -MXl:ASBR l# edit policy-options policy-statement nhs[edit policy-

options policy-statement nhs]lab@Student-MX l: ASBRl# set then next-hop self[edit
policy-options policy-statement nhs]lab@Student-MXl : ASBRl # show then { next-hop
self;} [edit policy-options policy-statement nhs]lab@Student-MXl : ASBRl#

164 Lab 7: Inter-AS L2VPNs www.juniper.net

 Junos Layer 2 VPNs

Step 4.5
Stil l on ASBR1, navigate to the [ edit protocols bgp group internal] hierarchy and configure an
IBGP session between ASB R1's loopback address (172.17.20.1) and P-PE1 's loopback address (172.17.21.2).
Specify that t his session should use family 1 2vpn autodiscovery-mspw. Add the nhs policy as an
export policy for this peering. Finally, set the local autonomous system number ( 65 1 o1) under the routing-
options hierarchy. Once completed, commit your changes and retu rn to operational mode using the cornrni t
and-quit command.

[ edit policy-opt ions policy-statement nhs]lab@Student-MXl:ASBRl# top edit

protocols bgp group internal[edit protocols bgp group inter nal ]l ab@Student-
MXl:ASBRl# set type internal[edit protocols bgp group inter nal ]l ab@Student-
MXl:ASBRl# set local-address 1 72 .1 7 .2 0 .l [ edit protocols bgp group
interna l ]l ab@Student-MXl:ASBRl# set family 12vpn auto-discovery-mspw[edit
protocols bgp g roup internal] lab@Student-MXl:ASBRl# set export nhs [edit protocols
bgp g roup internal ] lab@Student-MXl:ASBRl# set neighbor 1 72 .1 7 .2 1 .2[edit protocols
bgp g roup internal ] lab@Studen t-MX l:ASBRl# set cluster 172 . 17 .2 0 .l[edit protocols
bgp g roup internal ] lab@Studen t-MX l:ASBRl# show type i nternal ;local-address
172 . 17 .2 0 .l;famil y 12vpn { auto-discovery-mspw;}export nhs ;cluste r
172 . 17 .2 0 .l;neighbor 1 72 .1 7 .21.2; [edit protocols bgp group internal ] lab@Student-
MXl:ASBRl# top [edit ] lab@Student-MXl :ASBRl# set routing-options autonomous-system
65101 [edit]lab@Student-MXl:ASBRl# commit and-quit commit completeExiting
configuration modelab@Student-MXl:ASBRl>

Step 4.6
On your Student-MX1 device, change the CLI to the P-PE1 logical system.
On P-PE1, enter into configuration mode and navigate to the [edit p r otocols bgp g r oup internal]
hierarchy. Configure a n IBGP session between P-PE1's loopback address (172.17.21.2) and ASBR1's loopback
address (172.17.20.1). Specify that this session s hould use family 12vpn autodiscovery-mspw .
Finally, set t he local autonomous system number ( 65 1 O1) under the routing-options hierarchy. Once
completed, commit your changes and return to operational mode usi ng the commit and-quit command.
lab@Student-MXl:ASBRl> set cli logical-s ystem P-PEl Logical system: P-
PEllab@Student-MXl :P-PEl> configureEntering configuration mode [edit ] lab@Student-
MXl:P-PEl# edit protocols bgp group interna l [edit p rotocols bgp group
interna l ]l ab@Student-MXl:P-PEl# set type internal [ edit protocols bgp group
interna l ]l ab@Student-MXl:P-PEl# set local-address 172 . 17 .2 1 .2[edit protocols bgp
g roup internal]lab@Student-MXl:P-PEl# set family 12vpn auto-discovery-mspw[edit
protocols bgp group internal] lab@Student-MXl:P-PE l# set neighbor 1 72 .1 7 .2 0 .l [ edit
protocols bgp group internal] lab@Student-MXl:P-PE l# show type internal ; local-
address 172 .1 7 .21.2;family 12vpn { auto-discovery-mspw; }neighbor 172 . 17 .2 0 .1;
[ edit protocols bgp group internal]lab@Student-MXl :P-PEl# top[edit]lab@Student-
MXl:P-PEl# set routing -options autonomous-system 65101 [ edit]lab@Student-MX1:P-PE1#
commit and-quitcornrnit completeExiting configuration modelab@Student-MXl:P-PEl>

Step 4.7
Now that the IBGP session has been configured on both sides, verify the status of this new neighborship using
the show bgp s umma ry command. You might need to wait a minute for the session to negotiate.

lab@Student-MXl:P-PEl> show bgp summaryGroups: 1 Peers: 1 Down peers : OTable

Tot Paths Act Pa ths Suppressed Histor y Damp State Pe ndingbgp . 12vpn .1 0
0 0 0 0 OPee r AS
I n Pkt OutPkt OutQ Flaps Last Up/Own
Statel#Active/Received/Accepted/Damped ... 172.17.20.1 65101 11
9 0 0 4 :2 8 Es tablbgp .12 vpn . 1 : 0/0/0/0lab@Student-MXl:P-
PEl>

Question: Is your IBGP session established?

www.juniper.net Lab 7: Inter-AS L2VPNs 165

Junos Layer 2 VPNs

Answer: Yes, the IBGP session should show established. You shou ld also notice
the creation of the bgp .12vpn table.

Step 4.8
On your Student-MX1 device, change the CLI to the ASBR1 logical system.

On ASBR1, enter into configuration mode and configure a static route to ASBR2 's loopback address
(172.17.20.6). Use ASBR2 's g r -0 / O/ 1 O. 1 IP address (172.0.20.2) as the next-hop for th is route.

lab@Student-MXl :P-PEl> set cli log ical-s ystem ASBRlLogical system:

ASBRllab@Student-MXl:ASBRl> configureEntering configuration mode[edit]lab@Student-
MXl:ASBRl# set routing -options static route 172 .1 7 .2 0 .6 next-hop 1 72 . 0 .2 0 .2
[ edit]lab@Student-MXl:ASBRl#

Step 4.9
Next, navigate to the [edit protocols bgp group external] hierarchy. Configure a multi hop EBGP
session between ASBR1's loopback address (172.17.20.1) and AS BR2's loopback address (172.17.20.6).
Specify that t his session should use family 12vpn autodiscovery-mspw . Once completed, commit your
changes and return to operational mode using the commit and-quit command.

[ edit]lab@Student-MXl:ASBRl# edit protocols bgp group external [ edit protocols bgp

g roup external]lab@Student-MXl:ASBRl# set type external[edit protocols bgp group
external ]l ab@Student-MXl:ASBRl# set multihop [edit p rotocols bgp group
external ]l ab@Student-MXl:ASBRl# set local-address 1 72 . 17 .2 0 .l[edit protocols bgp
g roup external]lab@Student-MXl:ASBRl# set family 12vpn auto-discovery-mspw[edit
protocols bgp g roup external]lab@Student-MXl:ASBRl# set peer-as 65 1 02[edit
protocols bgp g roup external]lab@Student-MXl:ASBRl# set neighbor 1 72 .1 7 .2 0 .6 [ edit
protocols bgp g roup external]lab@Student-MXl:ASBRl# show type
external;multihop;local-address 1 72 . 17 .2 0 .l;famil y 12vpn { auto-discovery-
mspw;}peer-as 65 1 02 ;ne ighbor 1 72 .1 7 .2 0 . 6 ; [edit protocols bgp group
external ]l ab@Student-MXl:ASBRl# commit and-quitcornmit completeExiting
configuration modelab@Student-MXl:ASBRl>

Step 4.10
Still on ASBR1, verify t hat bot h IBGP and EBGP sessions are established using t he show bgp summary
command.

lab@Student-MX l:ASBRl> show bgp summaryGroups: 2 Peers: 2 Down peers : OTable

Tot Paths Act Pa ths Suppressed Histor y Damp State Pe ndingbgp . 12vpn .11
1 0 0 0 OPee r AS
I n Pkt OutPkt OutQ F laps Last Up/Own
Statel#Active/Received/Accepted/Damped ... 1 72 . 17 .2 0 . 6 65 1 02 7
2 0 0 1:29 Es tablbgp .12 vpn . 1 : 1 /1/ 1 /0172 . 17 .2 1 .2
6510 1 67 64 0 0 29:03 Establbgp.12vpn.1:
0/0/0/0 lab@Student -MXl:ASBRl>

Question: Are the BGP sessions all in an established state?

Answer: Yes, both the IBGP and the EBGP sessions are in the Establ state.
The bgp .12vpn. 1 table indicates that the family 12vpn
autodiscovery-mspw has been negotiated. This can also be verified with
the show bgp neighbor command.

166 Lab 7: Inter-AS L2VPNs www.juniper.net

 Junos Layer 2 VPNs

Step 4.11
On your Student-MX1 device, change the CLI to the P-PE1 logical system.

On P-PE1, enter into configuration mode and review t he current CE facing interface (ge-0/0/6) configurations.
Next, navigate to the [ edit routing-instances vpn2] hierarchy and define it as a FEC 129 BGP
autodiscovery Layer 2 VPN instance. Add t he CE facing interf ace ( ge-0 / O/ 6 . 6 1 O) to the instance. Define the
route distinguisher ( 172 . 17 . 20 . 1 : 1 00 ), route target (targe t : 65 1 01 : 1 00 ), and L2VPN ID ( 12vpn-
id: 65101 : 1 00 ). Next, navigate tothe [edit routi ng-ins tanc es vpn2 protocols 12vpn site
CEl ] hierarchy and define t he source attachment ID ( 1 00 : 1 00 : 1 ), interface ( ge-0/0/ 6 . 6 1 0 ), and target
attachment ID ( 1 OO: 1 OO: 2 ). Once completed, commit your changes and exit to operat ional mode using the
commit and-quit command.

lab@Student-MX l:ASBRl> set cli log ical-s ystem P-PEl Logica l system: P-
PEllab@Student-MXl :P-PEl> configureEntering configuration mode[edit]lab@Student-
MXl:P-PEl# show interfaces ge-0/0/6 unit 6 1 0 { encapsulation vlan-ccc ;
vlan -id 610;} [edit ]lab@Student-MXl:P-PEl# edit routing-instances vpn2[edit
routing-instances vpn2]lab@Student-MX1:P-PE1# set instance-type 12vpn[edit
routing-instances vpn2]lab@Student-MX1:P-PE1# set interface ge - 0/0/6 . 6 1 0[edit
routing-instances vpn2]lab@Student-MX1:P-PE1# set route-distinguishe r
172 . 17 .2 0 .1:l OO[edit routing-instances vpn2 ] lab@Student-MX1 :P-PE1# set vrf-ta r get
target:65101:lOO[edit routing-instances vpn2]lab@Student-MX1:P-PE1# set 12vpn-id
12vpn-id : 65 1 01 :1 00[edit routing -instances vpn2] lab @Student -MX1:P-PE 1# edit
protocols 12vpn site CEl[edit routing-instances vpn2 protocols 12vpn site
CEl]lab@Student-MXl:P-PE l # set source-attachment-identifier 1 00 :1 00 :l[edit
routing-instances vpn2 p rotocols 12vpn site CEl]lab@Student-MXl:P-PEl# set
interface ge-0/0/6 . 6 1 0 target-attachment-identifier 1 00 :1 00 :2[edit routing-
instances vpn2 protocols 12vpn site CEl]lab@Student-MXl:P-PEl# up 3[edit routing-
instances vpn -2]lab@Student -MX1:P-PE 1# show instance-type 12vpn ;l2vpn- id 12vpn-
id : 65 1 0 1: 100 ;protocols { 12vpn { site CEl { interface ge-
0/0/6 . 6 1 0 { target-attachment-identifier 1 00 :1 00 :2; }
source-attachment-identifier 1 00 :1 00 :1; } }}interface ge-
0/0/6 . 6 1 0 ;route-distinguishe r 1 72 .1 7 .2 0 . 1 :l OO ; vrf -target ta r g et: 65 1 0 1:1 00 ; [edit
routing-instances vpn-2]lab@Student -MX1:P-PE 1# commit and-quit commit
completeExiting configuration modelab@Student-MXl:P-PEl>

Step 4.12
On P-PE1, verify the new Layer 2 VPN stat us and FEC 129 BGP autodiscovery using the show 12vpn
connections extensive, bgp summa r y and route p r otocol bgp comma nds.

www.juniper.net Lab 7: Inter-AS L2VPNs 167

Junos Layer 2 VPNs
lab@Student-MX l : P-PE l > show 12vpn connections extensive Layer-2 VPN
connect i ons: Legend for connecti on status (St) EI -- encapsu l ation invalid
NC -- interface encapsulation not CCC/TCC/VPLSEM -- encapsulation mismatch WE
-- interface and instance encaps not sameVC-Dn -- Vi rtua l circuit down NP
interface hardware not present CM -- contro l -word mismatch -> -- only
outbound connection i s upCN -- circuit not provisioned <- -- only inbound
connect i on is upOR -- out of range Up -- operati onalOL -- no
outgoing label Dn -- down LD -- local s i te signaled
down CF -- call admission control fa i lure RD -- remote site signaled down
SC -- local and remote site I D collisionLN -- local site not designated LM --
local site I D not minimum designatedRN -- remote site not designated RM -- remote
site I D not minimum designatedXX -- unknown connection status I L -- no incoming
labelMM -- MTU mismatch MI -- Mesh-Group I D not availableBK --
Backup connection ST -- Standby connectionPF -- Profile parse failu r e
PB -- Profile busyRS remote site standby SN -- Static NeighborLB -- Loca l
site not best-site RB Remote site not best-siteVM -- VLAN I D mismatch
HS -- Hot-standby ConnectionLegend for interface status Up -- operational
Dn -- down i nstance: vpn-2 L2vpn-id : 65 1 0 1 :1 00 Numbe r of local interfaces :
1 Numbe r of local interfaces up : 1 ge-0/0/6 . 6 1 0 Local source-
attachment-id : 100 : 0 . 0 . 0 .1 00 :1 (CEl ) Target-attachment-id Type St
Time last up # Up t r ans 100 : 0 . 0 . 0 . 100 : 2 rmt Up Sep 2
13 :1 3 : 38 202 1 1 Remote PE : 1 72 . 17 . 20 .1, Negotiated control-word:
Yes (Null) I ncoming label : 26 , Outgoing label: 25 Negotiated PW status
TLV : No Local inte r face : ge-0/0/6 . 610 , Status: Up , Encapsulation : VLAN
Flow Label Transmit : No , F low Label Receive : No Pseudowire Switching Points :
Local address Remote address 1 72 .1 7 . 20 . 1
172 . 17 . 20 . 6 1 72 . 17 . 20 . 6 1 72 .1 7 . 22 . 2
Connection History : Sep 2 1 3 : 13 : 38 2021 PE route changed Sep
2 1 3:13 : 38 2021 Out lbl Update 25 Sep 2 13 : 13 : 38
202 1 I n lbl Update 26 Sep 2 1 3:13 : 38 2021 loc
intf up ge-0/0/6 . 6 1 0lab@Student-MX1 : P- PE1 > show bgp summary
Threading mode : BGP I /ODefault eBGP mode : adve r tise - accept , receive -
acceptGroups : 1 Peers : 1 Down pee r s : OTable Tot Paths Act Paths
Suppressed History Damp State Pendingbgp . 12vpn . 1
1 1 0 0 0 OPeer
AS I nPkt Out P kt OutQ Flaps Last Up/Dwn
Statel#Active/Received/Accepted/Damped ... 172 . 17 . 20 .1 65 1 01 28
28 0 0 10 : 59 Establ bgp . 12vpn . 1 : 1/ 1 /1/0 vpn-2 . 12 vpn .1:
1/ 1 /1/0lab@Student-MX l:P-PEl> show route protocol bgp inet . O: 8 destinations , 8
routes (8 active , 0 holddown , 0 hidden)inet . 3 : 2 destinations , 2 routes (2 active ,
0 holddown , 0 hidden)mpls . O: 9 destinations , 9 routes (9 active , 0 holddown , 0
hidden)inet6 . 0 : 1 destinations , 1 routes (1 active , 0 holddown , 0
hidden)bgp . 12vpn . 1 : 1 destinations , 1 routes ( 1 active , 0 ho lddown , 0 hidden) + -
Active Route , - = Last Active , * = Both1 72 .1 7 . 22 . 2 :1 00 : 1 00 : 0 . 0 . 0 .1 00 : 2/160 AD2
*[BGP/170] 00 : 02 : 58 , localpref 1 00 , from 172 .1 7 . 20 . 1
AS path : 65102 I, va lidation-state : unverified
> to 1 72 . 0 . 21 . 5 via ge-0/0/3 . 0 , Push 1 6ldp . 12vpn . 1 : 1 destinations , 1 routes (1
active , 0 holddown , 0 hidden)vpn-2 . 12vpn .1: 4 destinations , 4 routes (4 active , 0
holddown , 0 hidden)+ = Active Route , - = Last Active , * -
Both172 . 17 . 22 . 2 :1 00 :1 00 : 0 . 0 . 0 .1 00 : 2/160 AD2 *
[BGP/ 1 70] 00 : 02 : 58 , localpref 1 00 , from 172 . 17 . 20 . 1 AS path :
65 1 02 I, validation-state : unverified > to 172 . 0 . 2 1. 5 via ge-
0/0/3 . 0 , Push 1 6lab@Student-MX1:P-PE1>

Question: What is the status of the inter-AS 12vpn connection?

Answer: The 12vpn connection is Up. If the status is not Up, check your
configuration or ask your instructor for assistance.

Question: What is the format of the FEC 129 BGP autodiscovery mu ltisegment
pseudowire routes?

168 Lab 7: Inter-AS L2VPNs www .juniper.net

 Junos Layer 2 VPNs

Answer: The format of the multisegment pseudowire autodiscovery ( AD2) routes

is route-distinguisher:source-attachment-identifier. For example the
172 . 1 7 . 2 2 . 2 : 10 0 : 10 0 : 0 . 0 . 0 . 10 0 : 2 / 16 0 route is learned from the
P-PE2 (route-distinguisher 172.17.22.2:100 and the source-attachment-identifier
for PE1 is 10 0 : 10 0 : 2

Step 4.13
On your Student-MX1 device, change the CLI to the CE1 logical system.

On CE1, verify that t he inter-AS Layer 2 VPN is working by reviewing t he status of the OSPF neighborship
between CE1 and CE2 using t he show osp f nei g h bo r command.

lab@Student-MXl: P-PEl > set cl i log i cal-system CElL og i cal system : CEllab@Student-
MX l: CEl> s h ow ospf ne i g h borAddress Interface State ID
Pr i Dead l 0 . 0 . 30 . 2 ge-0/0/7 . 6 1 0 Ful l 1 0 . 0 . 30 . 2
1 28 34lab@Student-MX1: CE 1 >

Step 4.14
On your Student-MX1 device, change the CLI to the main instance using the c le a r c l i l ogica l-sys tem
command. The next few steps are designed to follow the labeled path t hrough t he network, so we will issue t he
commands from the perspective of t he main instance so we do not have to change the CLI between logical
systems for each comma nd.

From the main instance, use t he s h ow r oute table mp l s . O l og i cal-sys tem P-PEl command to
identify t he first label va lues in the path between P-PEs.

lab@Student-MXl: CEl> clear cl i log i cal-systemCleared default l ogical

systemlab@Student- MX l > show r oute table mpls . O logical-system P- PEl mpls . O: 9
destinations , 9 routes (9 act i ve , 0 ho l ddown , 0 hidden) + = Active Route , - = Last
Act i ve , * = BothO *[MPLS/0 ] 03 : 53 : 04 , metric 1
Receive l * [MPLS/0 ] 03 : 53 : 04 , metric 1
Receive2 *[MPLS/0] 03 : 53 : 04 , metric 1
Receive 1 3 *[MPLS/0] 03 : 53 : 04 , metric 1
Receive 1 6 *[LDP/9] 03 : 52 :1 2 , metric 1 > to
172 . 0 . 2 1. 5 v i a ge-0/0/3 . 0 , Pop 1 6(8 = 0) * [L DP /9] 03 : 52 :1 2 , met ri c 1
> to 1 72 . 0 . 2 1. 5 via ge-0/0/3 . 0 , Pop 17 *
[LDP/9] 03 : 52 :1 2 , metric 1 > to 1 72 . 0 . 2 1. 5 via ge-0/0/3 . 0 ,
Swap 1 626 *[L2VPN/7] 00 : 08 : 20 > v i a ge-
0/0/6 . 6 1 0 , Pop Offset : 4ge-0/0/6 . 610 *[L2VPN/7] 00 : 08 : 20 , metr i c2 1
> to 1 72 . 0 . 2 1. 5 via ge-0/0/3 . 0 , Push 25 , Push 1 6(top) Offset :
252

Step 4.15
Next, use the show rou t e table mpl s. 0 labe l <val u e> log i ca l -syste m P-P l comma nd,
where val u e equals the outer label value from the previous output. In the example here, t he outer label is
16 .

lab@Student-MX l > show route table mpls . O label <value> logica l -system P- Pl mpls . O:
8 destinations , 8 routes (8 active , 0 holddown , 0 h i dden) + = Active Route ,
Last Active , * = Both1 6 *[LDP/9] 05 : 04 : 58 , metric 1
> to 1 72 . 0 . 21 .1 via ge-0/0/2 . 0 , Pop 1 6(S = O) *[LDP/9]
05 : 04 : 58 , metric 1 > to 172 . 0 . 2 1. 1 v i a ge-0/0/2 . 0 , Pop

Step 4.16
Since the action is Pop on the P-P1 router, only the inner label sent from P-PE1 will be left. You will use this
value to define the label val u e in the s h ow route tab le mp l s . 0 l abe l <va l u e > log i ca l -
system ASBRl command . In our example outputs, the inner label value f rom P-PE1 is 25 .

lab@Student-MX l > show route table mpls . O label <value> logica l -system ASBRl
mp l s . O: 11 destinations , 1 1 r outes (1 1 active , 0 ho l ddown , 0 hidden) + = Active
Route , - = Last Active , * = Both25 *[ L2VPN/7] 00 : 28 :1 6 , metric2 1
> via gr-0/0/ 1 0 . 0 , Swap 23

www.juniper.net Lab 7: Inter-AS L2VPNs 169

Junos Layer 2 VPNs

Step 4.17
Return to Student-MX2.

On your Student-MX2 and use the show r o u t e tab l e mpl s. 0 labe l <val ue > l ogica l-s ys tem
ASBR2 command , where val ue equals the label value from the previous output. In the example here, t he
label is 23 .

lab@Student-MX2> show route table mpls . O label <va l ue> l ogical - system ASBR2
mpls . O: 11 d e stinations , 1 1 r outes (1 1 active , 0 holddown , 0 hidden) + = Active
Route , - = Last Active , * = Both23 *[ L2VPN/7] 00 : 31 : 58 , metric2 1
> to 1 72 . 0 . 22 . 2 via ge-0/0/4 . 0 , Swap 26 , Push 17(top)

Step 4.18
Next, use the show rou t e t a ble mpl s. 0 labe l <val ue > log i ca l -s yste m P-P2 comma nd,
where val u e equals the outer label value from the previous output. In the example here, t he label is 1 7 .

lab@Student-MX2> show route table mpls . O label <va l ue> l ogical-system P- P2mpls . O:
8 destinations , 8 routes (8 active , 0 holddown , 0 hidden) + = Active Route , -
Last Active , * = Both1 7 *[LDP/9] 04 :1 8 : 02 , metric 1
> to 1 72 . 0 . 22 . 6 via ge-0/0/5 . 0 , Pop 1 7(S = O) * [LDP/9]
04 :1 8 : 02 , metric 1 > to 172 . 0 . 22 . 6 via ge-0/0/5 . 0 , Pop

Step 4.19
Since the action is Po p on the P-P2 router, only the inner label sent from ASBR2 will be left. You wi ll use this
value to define the label val u e in the show route t ab le mp ls. 0 l abel <va l u e > log i ca l-
sys tem P-PE 2 command. In our example outputs, t he inner label value from ASBR2 is 26 .

lab@Student-MX2> show route table mpls . O label <va l ue> l ogical-system P- PE 2mpls . O:
9 destinations , 9 routes (9 active , 0 holddown , 0 h idden) + = Active Route , - =
Last Active , * = Both26 *[L2VPN/7] 00 : 38 : 05 >
via ge-0/0/ 1. 6 1 0 , Pop Offset : 4

Question: Can you follow the end-to-end path and label settings using the show
route table mpls. 0 command?

Answer: Yes, you shou ld be able to fo llow the complete path. In this example
output, we go from left to right in the lab diagram (P-PE1--> P-PE2). In first output
we can see that traffic coming from the ge-0/0/6.610 gets a double push: Push
2 5, Pu sh 16 (top) . The 25 label is for the first part of the mu ltisegment
pseudowire (between P-PE1 and ASBR1). The 16 label is the LDP label to get to
ASBR1.

The 25 label is swapped for a second mu ltisegment pseudowire label (23)

between ASBR1 and ASBR2, th is is done at ASBR1. At ASBR2 this label is aga in
swapped (26) for the third segment of the multisegment pseudowire (ASBR2-to-P-
PE2). To go across the P-P2 router the loca l LDP label is pushed on top to reach P-
PE2 (Push 17(top)). This label 17 is then popped at the P-P2 router. Final ly, al l
that is left is the mu ltisegment pseudowire label sent by ASBR2 (26), which is
popped at P-PE2.

170 Lab 7: Inter-AS L2VPNs www.juniper.net

 Junos Layer 2 VPNs

Step 4.20
Return to Student-MX1.

On your Student-MX1 device, change the CLI to the AS BR1 logical system.

On ASBR1, review the LOP information for FEC 129 BGP autodiscovery labels using the show ldp
neighbor, and show l dp database session 172 . 17 . 20 . 6 comma nds.

lab@Student-MX l > set cli logical-system ASBRlLogical system: ASBRllab@Student-

MXl:ASBRl> show ldp neighbor Address In terface Label
space I D Hold time172.0.21.2 ge-0/0/4.0 1 72 .1 7 .21.1: 0
1 0172 . 17 .2 1 .2 lo0.1 1 72 .1 7 .21.2: 0
32172.17.20.6 lo0. 1 172 . 17 .2 0 . 6 : 0 42172.0.20.2
gr-0/0/10 . 0 172 . 17 .2 0 . 6 : 0 l llab@Student-MXl:ASBRl>
show ldp database session 172 . 17 .2 0 . 6 Input l abel database, 1 72 .1 7 .2 0 . 1 : 0-
- 1 72 .1 7 .2 0 .6: 0Labels received: 5 Label Prefix 22 172 . 17 .2 0 .1 /32
3 172 .1 7 .2 0 .6 /32 16 172 .1 7 .22. 1/32 17 172 . 17 .22.2 /32
23 FEC129 CtrlWord VLAN 000afe4d : 00000064 00000064 : 00000064 : 00000002
00000064 : 00000064 : 0000000 lOutput labe l database, 172 . 17 .2 0 .1: 0-
- 1 72 .1 7 .2 0 .6: 0Labels advertised: 5 Label Prefix 3 1 72 .1 7 .2 0 . 1/32
24 1 72 .1 7 .2 0 . 6/32 18 1 72 .1 7 .2 1 .1 /32 19 1 72 .1 7 .21.2 /32
26 FEC129 CtrlWord VLAN 000afe4d : 00000064 00000064 : 00000064 : 0000000 1
00000064 : 00000064 : 00000002lab@Student-MX1 :ASBR1>

Question: Why are P-PE1 and ASBR1 LDP neighbors? On what interface is this
neighborship established?

Answer: They became LDP neighbors because of the targeted LDP session setup
for requesting the FEC 129 labels needed for the multisegment pseudowire .. The
targeted LDP neighbors are established on the loO interface. It is therefore
important to have the loO interface configured under the [edit protocols ldp]
hierarchy.

Step 4.21
Log out of your assigned devices using the exit command.

lab@Student-MXl: ASBRl> c l ear cli logical-systemCleared default l ogical

systeml ab@Student-MXl> exitStudent-MXl (ttyuO)login:

www.juniper.net Lab 7: Inter-AS L2VPNs 171

Junos Layer 2 VPNs

172 Lab 7: Inter-AS L2VPNs www.juniper.net

 Juniper University
Education Services

Corporate and Sales Headquarters

Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737)
or 408. 745.2000
Fax: 408.745.2100
www.juniper.net

APAC and EMEA Headquarters

Juniper Networks International B.V.
Boeing Avenue 240
1110 PZ SCHIPHOL-RIJK
Amsterdam, Netherlands
Phone: 31.0.207.125.700
Fax: 31.0.207.125.701

']

Driven by
1

Experience··
EDU-JUN-JL2V, Revision V21A

Juniper Business Use Only