Configuring the Common Configuration for MX Series Router Cloud CPE Services

Configure the cCPE common configuration on each MX Series router that provides cloud services. Complete the following tasks to configure the cCPE common configuration:

  1. Configuring the Subscriber Access Link on the PE Router for the MX Series Router Cloud CPE Services Common Configuration
  2. Configuring the Layer 2 IRB Interface for the MX Series Router Cloud CPE Services Common Configuration
  3. (Optional) Configuring a Private Subnet on the IRB Interface
  4. Configuring the Bridge Domains for the MX Series Router Cloud CPE Services Common Configuration
  5. Configuring the Firewall Filters and Policers for the MX Series Router Cloud CPE Services Common Configuration
  6. Configuring the VPN Routing Instances for the MX Series Router Cloud CPE Services Common Configuration
  7. Configuring the VRF Import Routing Policies for the MX Series Router Cloud CPE Services Common Configuration
  8. Configuring the VRF Export Routing Policies for the MX Series Router Cloud CPE Services Common Configuration

Configuring the Subscriber Access Link on the PE Router for the MX Series Router Cloud CPE Services Common Configuration

Complete the following tasks to configure the cCPE access link:

  1. Specify the name of the physical interface being used to connect to the subscriber.
    [edit]
    user@host# edit interfaces type-fpc/pic/port

    For example:

    [edit]
    user@host# edit interfaces ge-1/1/1
  2. Configure a description to distinguish the subscriber interface.
    [edit interfaces ge-1/1/1]
    user@host# set description description
  3. Configure the speed of the interface.
    [edit interfaces ge-1/1/1]
    user@host# set speed (auto | 1Gbps | 100Mbps | 10Mbps)
  4. Enable CoS hierarchical scheduling on the interface.
    [edit interfaces ge-1/1/1]
    user@host# set hierarchical-scheduler
  5. Configure the encapsulation type for the interface for flexible Ethernet services.
    [edit interfaces ge-1/1/1]
    user@host# set encapsulation flexible-ethernet-services
  6. Enable the reception and transmission of 802.1Q VLAN-tagged frames on the interface.
    [edit interfaces ge-1/1/1]
    user@host# set vlan-tagging
  7. Configure the link mode for full duplex.
    [edit interfaces ge-1/1/1]
    user@host# set link-mode full-duplex
  8. Configure the interface for autonegotiation.
    [edit interfaces ge-1/1/1]
    user@host# set gigether-options auto-negotiation
  9. Create a logical interface and configure it with a unique description that identifies the subscriber.
    [edit interfaces ge-1/1/1]
    user@host# edit unit interface-unit-number
    user@host# set description description
  10. Configure the encapsulation type on the logical interface as Layer 2 Ethernet VLAN bridge encapsulation.
    [edit interfaces ge-1/1/1 unit 105]
    user@host# set encapsulation vlan-bridge
  11. Configure the subscriber VLAN ID that you want to bind to the logical interface.
    [edit interfaces ge-1/1/1 unit 105]
    user@host# set vlan-id 105
  12. Verify the configuration.
    user@host> show interfaces ge-1/1/1
    ge-1/1/1 {
        description "VPN-cCPE for ifd-acme-abc";
        hierarchical-scheduler;
        vlan-tagging;
        speed 1g;
        link-mode full-duplex;
        encapsulation flexible-ethernet-services;
        gigether-options {
            auto-negotiation;
        }
        unit 105 {
            description "ifl-acme-site-abc";
            encapsulation vlan-bridge;
            vlan-id 105;
        }
    }

Configuring the Layer 2 IRB Interface for the MX Series Router Cloud CPE Services Common Configuration

For the cCPE common configuration, you need to configure the logical interface as an integrated routing and bridging (IRB) interface. For private IP addresses, you can configure multiple addresses on different subnets on the IRB interface. Multiple VPN routes are advertised through the VPN routing protocol, like BGP, to the remote VPN sites. Communication between hosts on different subnets, but the same LAN, goes through the IRB interfaces on the edge router because their gateway addresses are on the IRB interface. To configure the IRB interface:

  1. Configure the logical interface as an IRB interface, and provide a description that identifies the subscriber.

    Be sure to specify the unit number from the physical interface used for the subscriber access link.

    [edit]
    user@host# edit interfaces irb unit 105
  2. Specify a description for the IRB interface that identifies the subscriber.
    [edit interfaces irb unit 105]
    user@host# set description description
  3. Specify the IPv4 subnet (subscriber-facing IP address/prefix) for private addresses for the subscriber VPN site.
    [edit interfaces irb unit 105]
    user@host# set family inet address address
  4. Specify the bandwidth for the IRB interface.
    [edit interfaces irb unit 105]
    user@host# set bandwidth bandwidth
  5. Review the configuration of the IRB interface.
    [edit interfaces irb unit 105]
    user@host# show
    description "IRB interface of Example Customer";
    bandwidth 1g;
    family inet {
        address 192.168.1.1/24;
    }

(Optional) Configuring a Private Subnet on the IRB Interface

If the subscriber has set up multiple private subnets in one site, the IRB interface connecting this subscriber site to the PE router needs to be configured with multiple private subnets.

To configure a private subnet:

  • [edit]
    user@host# set interfaces irb unit vlan-unit-id family inet address private-customer-ip-2/prefix

Configuring the Bridge Domains for the MX Series Router Cloud CPE Services Common Configuration

To configure the bridge domains for the cCPE common configuration, you need to associate the IRB, the physical interface, and the VLAN with the bridge domain. Configure one bridge domain for each subscriber site. To configure the bridge domain:

  1. Specify the domain name and configure the domain type as bridge.
    [edit]
    user@host# edit bridge-domains acme-bd
  2. Define the bridge domain type as bridge.
    [edit bridge-domains acme-bd]
    user@host# set domain-type bridge
  3. Associate the subscriber’s VLAN ID with the bridge domain.
    [edit bridge-domains acme-bd]
    user@host# set vlan-id 105
  4. Specify the routing interface to include in the bridge domain.
    [edit bridge-domains acme-bd]
    user@host# set routing-interface irb.105
  5. Specify the logical interfaces to include in the bridge domain.
    [edit bridge-domains acme-bd]
    user@host# set interface ge-1/1/1.105
  6. Specify the maximum number of MAC addresses allowed to be learned for the bridge domain, and specify that packets for new source MAC addresses be dropped after the MAC address limit is reached.
    [edit bridge-domains acme-bd]
    user@host# set bridge-options interface-mac-limit 64 packet-action drop
  7. Review the configuration of the bridge domain.
    [edit bridge-domains acme-bd]
    user@host# show
    domain-type bridge;
    vlan-id 105;
    interface ge-1/1/1.105; 
    routing-interface irb.105;
    bridge-options {
        interface-mac-limit {
            64;
            packet-action drop;
        }
    }
    

Configuring the Firewall Filters and Policers for the MX Series Router Cloud CPE Services Common Configuration

Create a firewall filter and a policer for the bridge domain. Traffic policing is an essential component of network access security designed to minimize the risks of denial of service (DoS) attacks. It enables the control of the maximum rate of traffic sent or received on an interface.

  1. Configure an IPv4 firewall filter for Layer 2 traffic. Configure the filter to track Address Resolution Protocol (ARP) packets. In the following procedure, ARP packets are policed by a policer called ARP-Policer, and counted by a counter called ARP-Count. Ethernet packets using ARP are accepted.
    [edit]
    user@host# edit firewall family bridge filter L2-Traffic
    [edit firewall family bridge filter L2-Traffic]
    user@host# edit term ARP
    [edit firewall family bridge filter L2-Traffic term ARP]
    user@host# set from ether-type arp
    user@host# set then policer ARP-Policer
    user@host# set then count ARP-Count
    user@host# set then accept
  2. Configure filters for broadcast, multicast, and unicast traffic. In this example, broadcast, multicast, and unicast packets are policed by a policer called BMU-Policer and counted by a counter called BMU-Count. Any other types of packets are discarded.
    [edit firewall family bridge filter L2-Traffic term ARP]
    user@host# up
    [edit firewall family bridge filter L2-Traffic]
    user@host# edit term BMU
    [edit firewall family bridge filter L2-Traffic term BMU]
    user@host# set from traffic-type broadcast
    user@host# set from traffic-type multicast
    user@host# set from traffic-type unknown-unicast
    user@host# set then policer BMU-Policer
    user@host# set then count BMU-Count
    user@host# set then accept
    user@host# up
    user@host# edit term DROP
    [edit firewall family bridge filter L2-Traffic term DROP]
    user@host# set then discard
  3. Configure the ARP policer traffic limits and action to take on nonconforming traffic.
    [edit firewall family bridge filter L2-Traffic term DROP]
    user@host# top
    user@host# edit firewall policer ARP-Policer
    [edit firewall policer ARP-Policer]
    user@host# set filter-specific
    user@host# set if-exceeding bandwidth-limit 8k
    user@host# set if-exceeding burst-size-limit 1500
    user@host# set then discard
  4. Configure the broadcast, multicast, and unicast policer traffic limits and action to take on nonconforming traffic.
    [edit firewall policer ARP-Policer]
    user@host# up
    user@host# edit policer BMU-Policer
    [edit firewall policer BMU-Policer]
    user@host# set filter-specific
    user@host# set if-exceeding bandwidth-limit 8k
    user@host# set if-exceeding burst-size-limit 1500
    user@host# set then discard
  5. Apply the firewall filters and policers to the bridge domain.
    [edit firewall policer BMU-Policer]
    user@host# top
    user@host# edit bridge-domains acme-bd forwarding-options filter
    user@host# set input L2-Traffic
  6. Review the configuration.
    user@host> show firewall
    family bridge {
        filter L2-Traffic {
            term ARP {
                from {
                    ether-type arp;
                }
                then {
                    policer ARP-Policer;
                    count ARP-Count;
                    accept;
                }
            }
            term BMU {
                from {
                    traffic-type [ broadcast multicast unknown-unicast ];
                }
                then {
                    policer BMU-Policer;
                    count BMU-Count;
                    accept;
                }
            }
            term DROP {
                then discard;
            }
        }
    }
    policer ARP-Policer {
        filter-specific;
        if-exceeding {
            bandwidth-limit 8k;
            burst-size-limit 1500;
        }
        then discard;
    }
    policer BMU-Policer {
        filter-specific;
        if-exceeding {
            bandwidth-limit 8k;
            burst-size-limit 1500;
        }
        then discard;
    }
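
Added example, not part of the original documentation: a token-bucket model of the ARP-Policer values above (bandwidth-limit 8k, burst-size-limit 1500) that shows what the policer admits from a quiet host and during an ARP flood. It assumes 64-byte ARP frames and one single-rate bucket shared by all traffic matching the term; the function names and source labels are hypothetical.

```python
from collections import Counter

ARP_FRAME = 64  # assumption: padded ARP frame size in bytes, as counted by the policer

def police(arrivals, rate_bps=8_000, burst_bytes=1_500):
    """Single-rate token bucket with 'then discard' for nonconforming frames.

    arrivals: (time_us, frame_bytes, source) tuples sorted by time.
    Returns (accepted, discarded) Counters keyed by source.
    Tokens are kept as bits * 1e6 so the arithmetic stays in integers.
    """
    scale = 1_000_000
    capacity = burst_bytes * 8 * scale          # bucket depth = burst-size-limit
    tokens, last = capacity, 0                  # bucket starts full
    accepted, discarded = Counter(), Counter()
    for t_us, size, src in arrivals:
        # Refill at bandwidth-limit for the elapsed time, capped at the depth.
        tokens = min(capacity, tokens + (t_us - last) * rate_bps)
        last = t_us
        cost = size * 8 * scale
        if tokens >= cost:
            tokens -= cost
            accepted[src] += 1
        else:
            discarded[src] += 1                 # 'then discard'
    return accepted, discarded

def flood(pps, seconds, src="flooder"):
    """Constructed input: evenly spaced ARP frames from one source."""
    step = 1_000_000 // pps
    return [(i * step, ARP_FRAME, src) for i in range(pps * seconds)]

def mixed_second():
    """Constructed input: 1000 pps flood plus a host sending ARP every 100 ms."""
    host = [(50_000 + i * 100_000, ARP_FRAME, "host") for i in range(10)]
    return sorted(flood(1000, 1) + host)

def quiet_minute():
    """Constructed input: one host sending a single ARP frame per second."""
    return [(i * 1_000_000, ARP_FRAME, "host") for i in range(60)]

if __name__ == "__main__":
    for name, arrivals in [("quiet", quiet_minute()), ("flood+host", mixed_second())]:
        acc, drop = police(arrivals)
        print(name, "accepted", dict(acc), "discarded", dict(drop))
```

Under these assumptions the bucket admits a 23-frame burst and then one 64-byte frame every 64 ms, so during a flood the other host's ARP frames are discarded along with the excess. Compare the ARP-Count counter and policer drop statistics against expected ARP volume when choosing the limits.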
    

Configuring the VPN Routing Instances for the MX Series Router Cloud CPE Services Common Configuration

For the common configuration, you must configure a routing instance that supports Layer 3 VPNs. To configure the routing instance:

  1. Configure a name for the routing instance.
    [edit]
    user@host# edit routing-instances ri-acme-site-abc
  2. Configure a unique description to identify the routing instance.
    [edit routing-instances ri-acme-site-abc]
    user@host# set description "routing-instance for acme site-abc"
  3. Configure the routing instance as a VRF instance.
    [edit routing-instances ri-acme-site-abc]
    user@host# set instance-type vrf
  4. (Optional; required only when using IRB interfaces) Associate the Layer 3 interface with the subscriber.
    [edit routing-instances ri-acme-site-abc]
    user@host# set interface irb.105
  5. Specify a route distinguisher for the routing instance, enabling you to distinguish which VPN the route belongs to. Each routing instance must have a unique route distinguisher associated with it. The route distinguisher is used to place boundaries around a VPN so that the same IP address prefixes can be used in different VPNs without having them overlap. The format is as-number:id.
    [edit routing-instances ri-acme-site-abc]
    user@host# set route-distinguisher as-number:id
  6. Reference the VRF import and export policies.
    [edit routing-instances ri-acme-site-abc]
    user@host# set vrf-import acme-import-policy
    user@host# set vrf-export acme-export-policy
  7. Map the inner label of a packet to a specific VRF table. This allows examination of the encapsulated IP header. All routes in the VRF configured with this option are advertised with the label allocated per VRF.

    Note: vrf-table-label is mandatory when the PE router to customer edge (CE) router connection is over a shared medium.

    [edit routing-instances ri-acme-site-abc]
    user@host# set vrf-table-label
  8. Review the configuration.
    user@host> show routing-instances
    ri-acme-site-abc {
        description "routing-instance for acme site-abc";
        instance-type vrf;
        interface irb.105;
        route-distinguisher 65535:1;
        vrf-import acme-import-policy;
        vrf-export acme-export-policy;
        vrf-table-label;
    }

Configuring the VRF Import Routing Policies for the MX Series Router Cloud CPE Services Common Configuration

For the common configuration, you need to specify the VRF import routing policies. The import policy is always based on an IBGP session between the PE routers; therefore, BGP is the protocol used for the import policy. To configure the VRF import routing policies, specify the following options:

  1. Specify the protocol used between the PE routers.
    [edit]
    user@host# edit policy-options policy-statement acme-import-policy
    user@host# set term a from protocol bgp
  2. (Optional) If the protocol used between the edge routers is BGP, specify the BGP community.
    [edit policy-options policy-statement acme-import-policy]
    user@host# set term a from community vpn-acme-site-abc
  3. Specify the match condition actions to take for import routing policies.
    [edit policy-options policy-statement acme-import-policy]
    user@host# set term a then accept
    user@host# set term b then reject
  4. Review the configuration of the import policies.
    [edit policy-options policy-statement acme-import-policy]
    user@host# show
        term a {
            from {
                protocol bgp;
                community vpn-acme-site-abc;
            }
            then accept;
        }
        term b {
            then reject;
        }
    

Configuring the VRF Export Routing Policies for the MX Series Router Cloud CPE Services Common Configuration

For the common configuration, you need to specify the VRF export routing policies to other sites that are in the same VPN. The type of policies you define depends on the type of routing protocol that is configured between the PE routers, the cCPE, and the customer edge (CE) router. PE routers always use the IBGP protocol. To configure the VRF export routing policies, specify the following options:

  1. Specify the routing protocol used for routing into the customer’s LAN (between the cCPE and the CE router).
    [edit]
    user@host# edit policy-options policy-statement acme-export-policy
    user@host# set term a from protocol direct
  2. Add the community to the IBGP session.
    [edit policy-options policy-statement acme-export-policy]
    user@host# set term a then community add vpn-acme-site-abc
  3. Specify the export routing policies.
    [edit policy-options policy-statement acme-export-policy]
    user@host# set term a then accept
    user@host# set term b then reject
  4. (Optional) If the protocol used is BGP, add the subscriber route as a community member.
    [edit]
    user@host# set policy-options community vpn-acme-site-abc members target:65535:5
  5. Review the configuration of the export policies.
    [edit]
    user@host# show policy-options
    policy-statement acme-export-policy {
        term a {
            from protocol direct;
            then {
                community add vpn-acme-site-abc;
                accept;
            }
        }
        term b {
            then reject;
        }
    }
    community vpn-acme-site-abc members target:65535:5;
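
Added example, not part of the original documentation: the tasks above refer to each other by name (VRF import and export policies, the community, the bridge filter, the policers, the IRB unit), so this check scans flat set-format lines, as printed by `show configuration | display set`, for names that are referenced but never defined. The `dangling` function, the `CHECKS` table and the sample lines are constructed for illustration and use this page's example names.

```python
import re

# (regex that captures a referenced name, template for the line that must define it)
CHECKS = [
    (r"routing-instances \S+ vrf-(?:import|export) (\S+)",
     "policy-options policy-statement {} "),
    (r"policy-statement \S+ term \S+ (?:from community|then community add) (\S+)",
     "policy-options community {} members "),
    (r"bridge-domains \S+ forwarding-options filter input (\S+)",
     "firewall family bridge filter {} "),
    (r"firewall family bridge filter \S+ term \S+ then policer (\S+)",
     "firewall policer {} "),
    (r"(?:routing-interface|routing-instances \S+ interface) irb\.(\d+)",
     "interfaces irb unit {} "),
]

def dangling(set_lines):
    """Return sorted (hierarchy, name) pairs that are referenced but never defined."""
    text = "\n".join(line.strip() for line in set_lines)
    missing = set()
    for ref_pat, def_tpl in CHECKS:
        for name in re.findall(ref_pat, text):
            # The trailing space in the template stops prefix matches on longer names.
            definition = "^set " + def_tpl.format(re.escape(name))
            if not re.search(definition, text, re.M):
                missing.add((def_tpl.split(" {}")[0], name))
    return sorted(missing)

# Constructed sample in set format, built from the example names on this page.
SAMPLE = """
set interfaces irb unit 105 family inet address 192.168.1.1/24
set bridge-domains acme-bd routing-interface irb.105
set bridge-domains acme-bd forwarding-options filter input L2-Traffic
set firewall family bridge filter L2-Traffic term ARP then policer ARP-Policer
set firewall family bridge filter L2-Traffic term BMU then policer BMU-Policer
set firewall policer ARP-Policer if-exceeding bandwidth-limit 8k
set firewall policer BMU-Policer if-exceeding bandwidth-limit 8k
set routing-instances ri-acme-site-abc interface irb.105
set routing-instances ri-acme-site-abc vrf-import acme-import-policy
set routing-instances ri-acme-site-abc vrf-export acme-export-policy
set policy-options policy-statement acme-import-policy term a from community vpn-acme-site-abc
set policy-options policy-statement acme-export-policy term a then community add vpn-acme-site-abc
set policy-options community vpn-acme-site-abc members target:65535:5
""".strip().splitlines()

if __name__ == "__main__":
    print(dangling(SAMPLE) or "all references resolve")
```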
    

Modified: 2015-10-29