Configuring Virtual Private LAN Service

As normal on a Friday, it’s a bit of a slow day at work 😐 but it does give me the chance to mess about in the lab! We were talking about the VPLS instances that we have running in the office, and I had never configured one myself, so I thought this would be the perfect time to set something up and give it a punt!

This post is just about how to configure a VPLS instance. I will write another post going into the inner workings of VPLS; right now I know and understand how VPLS works but couldn’t explain it!

So that is for the future, but for today… Let’s begin 😀

I will be using 1x EX4200 with routing instances to separate the routing tables and 3x SRX220h2 as the Provider Edge (PE) routers. I will have 3 routing instances on the EX4200, each representing a different site location, and a single VPLS instance across the 3x PE routers. The logical topology that will be used for this VPLS lab is shown below:

To create a VPLS instance you will need to have the following configured:

IGP – On all PE and P routers, with traffic-engineering enabled
MPLS – You will need Label Switched Paths (LSPs) configured between the PE routers
BGP – You will need BGP configured between the PE routers (for the BGP method of enabling VPLS)

This is my base configuration for my 3 PE routers:

Base configuration
PE Router 1, PE Router 2 and PE Router 3:
root@Top_SRX> show configuration
## Last commit: 2015-05-15 15:47:03 UTC by root
version 12.1X44-D45.2;
system {
    host-name Top_SRX;
    root-authentication {
        encrypted-password "$1$n8lY2iyW$5gx34QuELucAjscTH.vTe1"; ## SECRET-DATA
    }
    services {
        ssh {
            protocol-version v2;
        }
    }
}
interfaces {
    ge-0/0/0 {
        description "Other SRX g0/0/0";
        enable;
        unit 0 {
            family inet {
                address 1.1.1.6/31;
            }
        }
    }
    ge-0/0/1 {
        description "Bottom SRX g0/0/1";
        unit 0 {
            family inet {
                address 1.1.1.4/31;
            }
        }
    }
    ge-0/0/2 {
        description "EX g0/0/2";
    }
    ge-0/0/6 {
        enable;
        unit 0 {
            family inet {
                address 10.1.0.201/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 1.1.1.1/32;
            }                           
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 10.1.0.1;
            no-readvertise;
        }
    }
    autonomous-system 200;
}
protocols {
    lldp {                              
        interface all;
    }
}
security {
    forwarding-options {
        family {
            inet6 {
                mode packet-based;
            }
            mpls {
                mode packet-based;
            }
            iso {
                mode packet-based;
            }
        }
    }
}
root@BottomSRX> show configuration
## Last commit: 2015-05-15 15:56:47 UTC by root
version 12.1X44-D45.2;
system {
    host-name BottomSRX;
    root-authentication {
        encrypted-password "$1$8zJP2rqE$aNbSmTjuldkr99uQIp4J30"; ## SECRET-DATA
    }
    services {
        ssh {
            protocol-version v2;
        }
    }
}
interfaces {
    ge-0/0/0 {
        description "Other SRX g0/0/1";
        unit 0 {
            family inet {
                address 1.1.1.9/31;
            }
        }
    }
    ge-0/0/1 {
        description "Top SRX g0/0/1";
        unit 0 {
            family inet {
                address 1.1.1.5/31;
            }
        }
    }
    ge-0/0/2 {
        description "EX g0/0/2";
    }
    ge-0/0/6 {
        enable;
        unit 0 {
            family inet {
                address 10.1.0.202/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 2.2.2.2/32;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 10.1.0.1;          
            no-readvertise;
        }
    }
}
protocols {
    lldp {                              
        interface all;
    }
}
security {
    forwarding-options {
        family {
            inet6 {
                mode packet-based;
            }                           
            mpls {
                mode packet-based;
            }
            iso {
                mode packet-based;
            }
        }
    }
}
root@Single_SRX> show configuration
## Last commit: 2015-05-15 16:03:13 UTC by root
version 12.1X44-D45.2;
system {
    host-name Single_SRX;
    root-authentication {
        encrypted-password "$1$0pm5C2Ie$5ss3qkj8WZxBFU2bTwlyE."; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    services {
        ssh {
            protocol-version v2;
        }
    }
}
interfaces {
    ge-0/0/0 {
        description "Bottom SRX g0/0/0";
        enable;
        unit 0 {
            family inet {
                address 1.1.1.8/31;
            }
        }
    }
    ge-0/0/1 {
        description "Top SRX g0/0/0";
        enable;
        unit 0 {
            family inet {
                address 1.1.1.7/31;
            }
        }
    }
    ge-0/0/2 {
        description "EX SRX g0/0/2";
    }
    ge-0/0/7 {
        description "Lab Management";
        enable;
        unit 0 {
            family inet {
                address 10.1.0.207/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 3.3.3.3/32;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 10.1.0.1;
            no-readvertise;
        }
    }
    autonomous-system 200;
}
protocols {
    lldp {                              
        interface all;
    }
}
security {
    forwarding-options {
        family {
            inet6 {
                mode packet-based;
            }
            mpls {
                mode packet-based;
            }
            iso {
                mode packet-based;
            }
        }
    }
}
routing-instances {
    vpls {
        instance-type vpls;
        interface ge-0/0/2.0;
        protocols {
            vpls {
                no-tunnel-services;
                vpls-id 1;
                neighbor 1.1.1.1;
                neighbor 2.2.2.2;
            }
        }
    }
}

This is the configuration I have on the EX4200, which will be used as the 3 different locations. I have enabled OSPF at each of the sites.

EX4200 Configuration
root> show configuration 
## Last commit: 2015-03-08 18:33:10 UTC by root
version 12.3R9.4;
system {
    root-authentication {
        encrypted-password "$1$kgkXgKFb$plTKQqiKNknDciGKJ8i8V/"; ## SECRET-DATA
    }
    services {
        ssh {
            protocol-version v2;
        }
    }
}
interfaces {
    ge-0/0/0 {
        description "Top SRX";
        unit 0 {
            family inet {
                address 172.16.1.4/24;
            }
        }
    }
    ge-0/0/1 {
        description "Bottom SRX";
        unit 0 {                        
            family inet {               
                address 172.16.1.2/24;
            }
        }
    }
    ge-0/0/2 {
        description "Other SRX";
        unit 0 {
            family inet {
                address 172.16.1.3/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 7.7.7.7/32;
            }
        }
        unit 1 {
            family inet {
                address 8.8.8.8/32;
            }
        }                               
        unit 2 {
            family inet {
                address 9.9.9.9/32;
            }
        }
    }
    me0 {
        unit 0 {
            family inet {
                address 10.1.0.200/24;
            }
        }
    }
}
protocols {
    lldp {
        interface all;
    }
}
routing-instances {
    SiteA {
        instance-type virtual-router;
        interface ge-0/0/0.0;           
        interface lo0.0;
        protocols {
            ospf {
                area 0.0.0.0 {
                    interface ge-0/0/0.0;
                    interface lo0.0;
                }
            }
        }
    }
    SiteB {
        instance-type virtual-router;
        interface ge-0/0/1.0;
        interface lo0.1;
        protocols {
            ospf {
                area 0.0.0.0 {
                    interface ge-0/0/1.0;
                    interface lo0.1;
                }
            }
        }
    }                                   
    SiteC {
        instance-type virtual-router;
        interface ge-0/0/2.0;
        interface lo0.2;
        protocols {
            ospf {
                area 0.0.0.0 {
                    interface lo0.2;
                    interface ge-0/0/2.0;
                }
            }
        }
    }
}

LDP

I’ll be working off PE1; all the other routers have been configured. Once we have PE1 sorted, we will have a VPLS instance with LDP signaling 🙂

Firstly, I will configure the interface that is connected to the Customer Edge (CE) device, so that the router knows it is a part of the VPLS. We will need to set the encapsulation to VPLS and set the logical interface.

root@Top_SRX> show configuration interfaces ge-0/0/2
description "EX g0/0/2";
encapsulation ethernet-vpls;
unit 0;

Out of the 3 ways of configuring a VPLS instance, using LDP is, configuration-wise, the most straightforward. Under the protocols stanza, we will need to make sure all the related protocols are enabled; in addition, we will need to make sure the MPLS LSPs are correctly configured. It is important to know that you only need to set LDP on the loopback address, not on any other interfaces that have MPLS configured. This is because the LDP peering is only with the other PEs and not across the interlinks between the routers, which is also why you need to have an IGP configured to get connectivity to the loopbacks.

protocols {
    rsvp {
        interface ge-0/0/0.0;
        interface ge-0/0/1.0;
        interface lo0.0;
    }
    mpls {
        no-cspf;
        label-switched-path to_3.3.3.3 {
            from 1.1.1.1;
            to 3.3.3.3;
        }
        label-switched-path to_2.2.2.2 {
            from 1.1.1.1;
            to 2.2.2.2;
        }
        interface ge-0/0/0.0;
        interface ge-0/0/1.0;
    }
    ospf {
        traffic-engineering;
        area 0.0.0.0 {
            interface ge-0/0/0.0;
            interface ge-0/0/1.0;
            interface lo0.0;
        }                               
    }
    ldp {
        interface lo0.0;
    }
}

The key thing to remember with all VPNs is that their goal is to isolate their routing tables from other networks; this is no different with VPLS. We will need to create an isolated VPLS instance, to allow traffic between Sites A, B and C to be independent from the rest of the network. With this in mind, we will need to configure a routing instance and include the statement instance-type vpls.

[email protected]_SRX> show configuration routing-instances 
vpls {
    instance-type vpls;
    interface ge-0/0/2.0;
    protocols {
        vpls {
            no-tunnel-services;
Note
no-tunnel-services needs to be configured, as the device I’m using (SRX220h2) doesn’t have a Tunnel Services PIC. This statement creates a label-switched interface (LSI) to provide VPLS functionality. For more information check here

We can see everything is working: when I do a show route, all 3 sites have learnt the loopback addresses via OSPF.

Site A, Site B and Site C routing tables:
SiteA.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

7.7.7.7/32         *[Direct/0] 17:54:17
                    > via lo0.0
8.8.8.8/32         *[OSPF/10] 01:05:51, metric 1
                    > to 172.16.1.2 via ge-0/0/0.0
9.9.9.9/32         *[OSPF/10] 01:05:51, metric 1
                    > to 172.16.1.3 via ge-0/0/0.0
224.0.0.5/32       *[OSPF/10] 17:54:17, metric 1
                      MultiRecv
SiteB.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

7.7.7.7/32         *[OSPF/10] 01:05:51, metric 1
                    > to 172.16.1.4 via ge-0/0/1.0
8.8.8.8/32         *[Direct/0] 17:54:17
                    > via lo0.1
9.9.9.9/32         *[OSPF/10] 01:05:56, metric 1
                    > to 172.16.1.3 via ge-0/0/1.0
224.0.0.5/32       *[OSPF/10] 17:54:17, metric 1
                      MultiRecv
SiteC.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

7.7.7.7/32         *[OSPF/10] 01:05:51, metric 1
                    > to 172.16.1.4 via ge-0/0/2.0
8.8.8.8/32         *[OSPF/10] 01:05:56, metric 1
                    > to 172.16.1.2 via ge-0/0/2.0
9.9.9.9/32         *[Direct/0] 17:54:17
                    > via lo0.2
224.0.0.5/32       *[OSPF/10] 17:54:17, metric 1
                      MultiRecv

BGP

Time to move on to the BGP version of configuring a VPLS. We will keep the same configuration as above on all the PEs. Using BGP for VPLS is extremely useful as it is more scalable, and if you already have BGP running on your network, you don’t need to create any new BGP sessions for the VPLS session!

Firstly, we will need to set the autonomous system (AS) number and have our BGP peering sessions with the other PEs. Note that we have selected the family l2vpn signaling.

[edit]
[email protected]_SRX# show routing-options autonomous-system 
200;

[edit]
root@Top_SRX# show protocols bgp
group PE-routers {
    type internal;
    local-address 1.1.1.1;
    family l2vpn {
        signaling;
    }
    peer-as 200;
    neighbor 2.2.2.2;
    neighbor 3.3.3.3;
}

Similar to L3VPNs, under the VPLS routing-instance we will need to add a Route-Target and Route-Distinguisher. This is because, unlike when we used LDP, we don’t have defined neighbors under the VPLS stanza. Additionally, site-identifiers have to be added under the VPLS protocol.

Note
The Route-Target and Route-Distinguisher on all the PEs in the VPLS instance have to be the same.
[edit routing-instances vpls]
[email protected]_SRX# show 
instance-type vpls;
interface ge-0/0/2.0;
route-distinguisher 200:100;
vrf-target target:200:100;
protocols {
    vpls {
        no-tunnel-services;
        site SiteC {
            site-identifier 3;
        }
    }
}
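
The note above can be checked mechanically before committing. The following is an added example, not code from the original post: a small Python audit that parses each PE's VPLS routing-instance and reports a route-distinguisher or vrf-target mismatch, a reused site-identifier, or an unbalanced stanza. Assumptions: the function names and the SiteA/SiteB instances with identifiers 1 and 2 are constructed for illustration, and sites are single-homed, so each site-identifier should appear on one PE only.

```python
def parse_junos(text):
    """Parse curly-brace Junos config into nested dicts (leaf statements map to None)."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("##")[0].strip()      # drop trailing "## ..." annotations
        if not line:
            continue
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        else:
            stack[-1][line.rstrip(";").strip()] = None
    if len(stack) != 1:
        raise ValueError("missing closing brace")
    return stack[0]

def leaf(stanza, keyword):
    """Return <arg> of a 'keyword <arg>;' statement in stanza, or None if absent."""
    for stmt, body in stanza.items():
        parts = stmt.split(None, 1)
        if body is None and len(parts) == 2 and parts[0] == keyword:
            return parts[1]
    return None

def audit_bgp_vpls(instances):
    """instances maps PE name -> text of its VPLS routing-instance; returns findings."""
    findings, site_owner = [], {}
    shared = {"route-distinguisher": {}, "vrf-target": {}}   # must match, per the note
    for pe, text in instances.items():
        cfg = parse_junos(text)
        for key, by_value in shared.items():
            by_value.setdefault(leaf(cfg, key), []).append(pe)
        vpls = cfg.get("protocols", {}).get("vpls", {})
        for stmt, body in vpls.items():
            if stmt.startswith("site ") and body is not None:
                sid = leaf(body, "site-identifier")
                if sid in site_owner:                        # assumption: single-homed sites
                    findings.append(f"site-identifier {sid} on {pe} duplicates {site_owner[sid]}")
                site_owner.setdefault(sid, pe)
    for key, by_value in shared.items():
        if len(by_value) > 1:
            findings.append(f"{key} mismatch: {by_value}")
    return findings

def instance(site, site_id, target="target:200:100"):
    """Build an instance body in the post's layout (only SiteC/3 is from the post)."""
    return ("instance-type vpls;\ninterface ge-0/0/2.0;\nroute-distinguisher 200:100;\n"
            f"vrf-target {target};\nprotocols {{\n    vpls {{\n        no-tunnel-services;\n"
            f"        site {site} {{\n            site-identifier {site_id};\n        }}\n    }}\n}}\n")

# Constructed inputs: GOOD is consistent; BAD gives PE2 a different target and a reused id.
GOOD = {"PE1": instance("SiteA", 1), "PE2": instance("SiteB", 2), "PE3": instance("SiteC", 3)}
BAD = {**GOOD, "PE2": instance("SiteB", 3, target="target:200:101")}
```

Calling audit_bgp_vpls(GOOD) returns an empty list, while audit_bgp_vpls(BAD) returns one finding for the duplicated site-identifier and one for the vrf-target mismatch.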

We can see everything is working: when I do a show route, all 3 sites have still learnt the loopback addresses via OSPF 😀

Site A, Site B and Site C routing tables:
SiteA.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

8.8.8.8/32         *[OSPF/10] 00:02:11, metric 1
                    > to 172.16.1.2 via ge-0/0/0.0
9.9.9.9/32         *[OSPF/10] 00:02:16, metric 1
                    > to 172.16.1.3 via ge-0/0/0.0
224.0.0.5/32       *[OSPF/10] 22:38:49, metric 1
                      MultiRecv
SiteB.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

7.7.7.7/32         *[OSPF/10] 00:02:11, metric 1
                    > to 172.16.1.4 via ge-0/0/1.0
9.9.9.9/32         *[OSPF/10] 00:02:11, metric 1
                    > to 172.16.1.3 via ge-0/0/1.0
224.0.0.5/32       *[OSPF/10] 22:38:49, metric 1
                      MultiRecv
SiteC.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

7.7.7.7/32         *[OSPF/10] 00:02:16, metric 1
                    > to 172.16.1.4 via ge-0/0/2.0
8.8.8.8/32         *[OSPF/10] 00:02:11, metric 1
                    > to 172.16.1.2 via ge-0/0/2.0
224.0.0.5/32       *[OSPF/10] 22:38:49, metric 1
                      MultiRecv

LDP & BGP

We are also able to configure a VPLS instance with LDP and BGP together. We will use the same configuration as above, as we will only need a few changes. We will need to change the family l2vpn stanza in the BGP session from signaling to auto-discovery-only, add l2vpn-id, and remove the entire configuration under the protocols vpls stanza (except no-tunnel-services) in the VPLS routing instance.

root@Top_SRX# show protocols bgp
group PE-routers {
    type internal;
    local-address 1.1.1.1;
    family l2vpn {
        auto-discovery-only;
    }
    peer-as 200;
    neighbor 2.2.2.2;
    neighbor 3.3.3.3;
}


[email protected]_SRX# show routing-instances vpls 
instance-type vpls;
interface ge-0/0/2.0;
route-distinguisher 200:100;
l2vpn-id l2vpn-id:200:100;
vrf-target target:200:100;
protocols {
    vpls {
        no-tunnel-services;
    }
}

We can see everything is working: when I do a show route protocol ospf, all 3 sites have still learnt the loopback addresses via OSPF 😀

Site A, Site B and Site C OSPF routing tables:
SiteA.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

8.8.8.8/32         *[OSPF/10] 00:00:18, metric 1
                    > to 172.16.1.2 via ge-0/0/0.0
9.9.9.9/32         *[OSPF/10] 00:00:18, metric 1
                    > to 172.16.1.3 via ge-0/0/0.0
224.0.0.5/32       *[OSPF/10] 23:48:35, metric 1
                      MultiRecv
SiteB.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

7.7.7.7/32         *[OSPF/10] 00:00:18, metric 1
                    > to 172.16.1.4 via ge-0/0/1.0
9.9.9.9/32         *[OSPF/10] 00:00:23, metric 1
                    > to 172.16.1.3 via ge-0/0/1.0
224.0.0.5/32       *[OSPF/10] 23:48:35, metric 1
                      MultiRecv
SiteC.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

7.7.7.7/32         *[OSPF/10] 00:00:18, metric 1
                    > to 172.16.1.4 via ge-0/0/2.0
8.8.8.8/32         *[OSPF/10] 00:00:23, metric 1
                    > to 172.16.1.2 via ge-0/0/2.0
224.0.0.5/32       *[OSPF/10] 23:48:35, metric 1
                      MultiRecv

You can get in-depth detail about VPLS from the Juniper website here

Keeran Marquis

Network Engineer
Keeran Marquis is a Network Engineer. His main goal is to learn everything within the Networking field, pick up a little bit of scripting, be a poor man sysadmin and share whatever he knows! All Posts are his own views, opinions and experiences, no guarantees they will work for you but point you in the right direction 🙂