Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Basic MPLS Configuration

MPLS Configuration Overview

When you first install Junos OS on your device, MPLS is disabled by default. You must explicitly configure your device to allow MPLS traffic to pass through. Complete the following steps for all devices in your MPLS network that are running Junos OS.

To enable MPLS:

  1. Delete all configured security services from the device. If you do not complete this step, you will get a commit failure. See Example: Deleting Security Services.
  2. Enable MPLS on the device. See Example: Enabling MPLS.
  3. Commit the configuration.
  4. Reboot the device.
  5. Configure MPLS features such as traffic engineering, VPNs, and VPLS. See:
CAUTION:

When packet forwarding mode is changed to MPLS, all flow-based security features are deactivated, and the device performs packet-based processing only. Flow-based services such as security policies, zones, NAT, ALGs, chassis clustering, screens, firewall authentication, and IPsec VPNs are unavailable on the device. However, MPLS can be enabled in flow-based packet forwarding mode for selected traffic using firewall filters.

MPLS Configuration Guidelines

When configuring MPLS on QFX Series devices or on EX4600, note that the number of IP prefixes supported depends on the specific platform being used. See the scale specifications in the data sheet of your device for additional information.

  • We recommend the following:

    • If your ingress provider edge (PE) switch needs to support more than 8000 external IP prefixes, use a larger capacity device as an ingress PE switch.

    • If you use a switch as a route reflector for BGP labeled routes, use it as a dedicated route reflector (that is, the switch must not participate in managing data traffic).

    • If you use a switch as a PE switch or as a route reflector for BGP labeled routes, configure routing policies on the PE switch and the route reflector to filter external IP routes from the routing table.

      The configuration example for a routing policy named fib_policy (at the [edit policy-options and [edit routing-options hierarchy levels) to filter BGP labeled routes from the inet.0 routing table is given below:

  • Packet fragmentation using the allow-fragmentation statement at the [edit protocols mpls path-mtu] hierarchy level is not supported on QFX Series devices or on the EX4600 switch. Therefore, you must ensure that the maximum transmission unit (MTU) values configured on every MPLS interface is sufficient to handle MPLS packets. The packets whose size exceeds the MTU value of an interface will be dropped.

Configuring MPLS

You must also configure MPLS for a Layer 2 cross-connect to work. The following is a minimal MPLS configuration:

 

Example: Enabling MPLS

This example shows how to enable MPLS for packet-based processing. It also shows how to enable the MPLS family and MPLS process on all of the transit interfaces in the network.

Requirements

Before you begin, delete all configured security services. See Example: Deleting Security Services.

Overview

The instructions in this topic describe how to enable MPLS on the device. You must enable MPLS on the device before including a device running Junos OS in an MPLS network.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To enable MPLS:

  1. Enable the MPLS family on each transit interface that you want to include in the MPLS network.

  2. Enable the MPLS process on all of the transit interfaces in the MPLS network.

  3. Additionally, for security devices, enable MPLS for packet-based processing. Skip this step for routing and switching devices.

    Note:

    When MPLS is enabled, all flow-based security features are deactivated and the device performs packet-based processing. Flow-based services such as security policies, zones, NAT, ALGs, chassis clustering, screens, firewall authentication, IP packets, and IPsec VPNs are unavailable on the device.

    Before changing from flow mode to packet mode, you must remove all security policies remaining under flow mode. To prevent management connection loss, you must bind the management interface to zones and enable host-inbound traffic to prevent the device from losing connectivity.

    For information about configuring zones, see Security Policies User Guide for Security Devices.

Results

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying MPLS Is Enabled at the Protocols Level

Purpose

Verify that MPLS is enabled at the protocols level.

Action

From operational mode, enter the show protocols command.

Verifying MPLS Is Enabled at the Interfaces Level

Purpose

Verify that MPLS is enabled at the interfaces level.

Action

From operational mode, enter the show interfaces command.

Verifying Packet-based Processing Is Enabled

Purpose

Specific to security devices, verify that packet-based processing is enabled.

Action

From operational mode, enter the show security forwarding-options command.

Note:

If you enable MPLS for packet-based processing by using the command set security forward-option family mpls mode packet, the mode will not change immediately and the system will display the following messages:

warning: Reboot may required when try reset flow inet mode

warning: Reboot may required when try reset mpls flow mode please check security flow status for detail.

You need to reboot your device for the configuration to take effect.

CAUTION:

If you disable MPLS and switch back to using the security services (flow-based processing), the mode will not change immediately and the system will display warning messages instructing you to restart your device. You must reboot your device for the configuration to take effect. This will also result in management sessions being reset and transit traffic getting interrupted.

Example: Configuring MPLS on EX8200 and EX4500 Switches

You can configure MPLS on switches to increase transport efficiency in your network. MPLS services can be used to connect various sites to a backbone network and to ensure better performance for low-latency applications such as voice over IP (VoIP) and other business-critical functions.

To implement MPLS on the switches, you must configure two provider edge (PE) switches—an ingress PE switch and an egress PE switch— and at least one provider (transit) switch. You can configure the customer edge (CE) interfaces on the PE switches of the MPLS network as either circuit cross-connect (CCC) or IP (family inet) interfaces.

This example shows how to configure an MPLS tunnel using a simple interface as a CCC:

Note:

This example shows how to configure MPLS using a simple interface as a CCC. For information on configuring a tagged VLAN interface as a CCC, see Configuring an MPLS-Based VLAN CCC Using a Layer 2 VPN (CLI Procedure) or Configuring an MPLS-Based VLAN CCC Using a Layer 2 Circuit.

Requirements

This example uses the following hardware and software components:

  • Junos OS Release 10.1 or later for switches

  • Three EX Series switches

Before you begin configuring MPLS, ensure that you have configured the routing protocol (OSPF or IS-IS) on the core interface and the loopback interface on all the switches. This example includes the configuration of OSPF on all the switches. For information on configuring IS-IS as the routing protocol, see the Junos OS Routing Protocols Configuration Guide.

Overview and Topology

This example includes an ingress or local PE switch, an egress or remote PE switch, and one provider switch. It includes CCCs that tie the customer edge interface of the local PE switch (PE-1) to the customer edge interface of the remote PE switch (PE-2). It also describes how to configure the core interfaces of the PE switches and the provider switch to support the transmission of the MPLS packets. In this example, the core interfaces that connect the local PE switch and the provider switch are individual interfaces, while the core interfaces that connect the remote PE switch and the provider switch are aggregated Ethernet interfaces.

Note:
  • Core interfaces cannot be tagged VLAN interfaces.

  • Core interfaces can be aggregated Ethernet interfaces. This example includes a LAG between the provider switch and the remote PE switch because this type of configuration is another option you can implement. For information on configuring LAGs, see Configuring Aggregated Ethernet Links (CLI Procedure).

Figure 1 shows the topology used in this example.

Figure 1: Configuring MPLS on EX Series SwitchesConfiguring MPLS on EX Series Switches

Table 1 shows the MPLS configuration components used for the ingress PE switch in this example.

Table 1: Components of the Ingress PE Switch in the Topology for MPLS with Interface-Based CCC

Property

Settings

Description

Local PE switch hardware

EX Series switch

PE-1

Loopback address

lo0 127.1.1.1/32

Identifies PE-1 for interswitch communications.

Routing protocol

ospf traffic-engineering

Indicates that this switch is using OSPF as the routing protocol and that traffic engineering is enabled.

MPLS protocol and definition of label-switched path

mpls

label-switched-path lsp_to_pe2_ge1

to 127.1.13

Indicates that this PE switch is using the MPLS protocol with the specified LSP to reach the other PE switch (specified by the loopback address).

The statement must also specify the core interfaces to be used for MPLS traffic.

RSVP

rsvp

Indicates that this switch is using RSVP. The statement must specify the loopback address and the core interfaces that will be used for the RSVP session.

Interface family

family inet

family mpls

family ccc

The logical units of the core interfaces are configured to belong to both family inet and family mpls.

The logical unit of the customer edge interface is configured to belong to family ccc.

Customer edge interface

ge-0/0/1

Interface that connects this network to devices outside the network.

Core interfaces

ge-0/0/5.0 and ge-0/0/6.0 with IP addresses 10.1.5.1/24 and 10.1.6.1/24

Interfaces that connect to other switches within the MPLS network.

CCC definition

connections remote-interface-switch ge-1-to-pe2

interface ge-0/0/1.0

transmit-lsp lsp_to_pe2_ge1 receive-lsp lsp_to_pe1_ge1

Associates the circuit cross-connect (CCC), ge-0/0/1, with the LSPs that have been defined on the local and remote PE switches.

Table 2 shows the MPLS configuration components used for the egress PE switch in this example.

Table 2: Components of the Egress PE Switch in the Topology for MPLS with Interface-Based CCC

Property

Settings

Description

Remote PE switch hardware

EX Series switch

PE-2

Loopback address

lo0 127.1.1.3/32

Identifies PE-2 for interswitch communications.

Routing protocol

ospf traffic-engineering

Indicates that this switch is using OSPF as the routing protocol and that traffic engineering is enabled.

MPLS protocol and definition of label-switched path

mpls

label-switched-path lsp_to_pe1_ge1

to 127.1.1.1

Indicates that this PE switch is using the MPLS protocol with the specified label-switched path (LSP) to reach the other PE switch.

The statement must also specify the core interfaces to be used for MPLS traffic.

RSVP

rsvp

Indicates that this switch is using RSVP. The statement must specify the loopback address and the core interfaces that will be used for the RSVP session.

Interface family

family inet

family mpls

family ccc

The logical unit of the core interface is configured to belong to both family inet and family mpls.

The logical unit of the customer edge interface is configured to belong to family ccc.

Customer edge interface

ge-0/0/1

Interface that connects this network to devices outside the network.

Core interface

ae0 with IP address 10.1.9.2/24

Aggregated Ethernet interface on PE-2 that connects to aggregated Ethernet interface ae0 of the provider switch and belongs to family mpls.

CCC definition

connections remote-interface-switch ge-1-to-pe1

interface ge-0/0/1.0

transmit-lsp lsp_to_pe1_ge1; receive-lsp lsp_to_pe2_ge1;

Associates the CCC, ge-0/0/1, with the LSPs that have been defined on the local and remote PE switches.

Table 3 shows the MPLS configuration components used for the provider switch in this example.

Table 3: Components of the Provider Switch in the Topology for MPLS with Interface-Based CCC

Property

Settings

Description

Provider switch hardware

EX Series switch

Transit switch within the MPLS network configuration.

Loopback address

lo0 127.1.1.2/32

Identifies provider switch for interswitch communications.

Routing protocol

ospf traffic-engineering

Indicates that this switch is using OSPF as the routing protocol and that traffic engineering is enabled.

MPLS protocol

mpls

Indicates that this switch is using the MPLS protocol.

The statement must specify the core interfaces that will be used for MPLS traffic.

RSVP

rsvp

Indicates that this switch is using RSVP. The statement must specify the loopback and the core interfaces that will be used for the RSVP session.

Interface family

family inet

family mpls

The logical units for the loopback interface and the core interfaces belong to family inet.

The logical units of the core interfaces are also configured to belong to family mpls.

Core interfaces

ge-0/0/5.0 and ge-0/0/6.0 with IP addresses 10.1.5.1/24 and 10.1.6.1/24and ae0 with IP address 10.1.9.1/24

Interfaces that connect the provider switch (P) to PE-1.

Aggregated Ethernet interface on P that connects to aggregated Ethernet interface ae0 of PE-2.

Configuring the Local PE Switch

Procedure

CLI Quick Configuration

To quickly configure the local ingress PE switch, copy the following commands and paste them into the switch terminal window of PE-1:

Step-by-Step Procedure

To configure the local ingress PE switch:

  1. Configure OSPF with traffic engineering enabled:

  2. Configure OSPF on the loopback address and the core interfaces:

  3. Configure MPLS on this PE switch (PE-1) with a label-switched path (LSP) to the other PE switch (PE-2):

  4. Configure MPLS on the core interfaces:

  5. Configure RSVP on the loopback interface and the core interfaces:

  6. Configure IP addresses for the loopback interface and the core interfaces:

  7. Configure family mpls on the logical unit of the core interface addresses:

  8. Configure the logical unit of the customer edge interface as a CCC:

  9. Configure the interface-based CCC from PE-1 to PE-2:

Results

Display the results of the configuration:

Configuring the Remote PE Switch

Procedure

CLI Quick Configuration

To quickly configure the remote PE switch, copy the following commands and paste them into the switch terminal window of PE-2:

Step-by-Step Procedure

To configure the remote PE switch (PE-2):

  1. Configure OSPF with traffic engineering enabled:

  2. Configure OSPF on the loopback interface and the core interface:

  3. Configure MPLS on this switch (PE-2) with a label-switched path (LSP) to the other PE switch (PE-1):

  4. Configure MPLS on the core interface:

  5. Configure RSVP on the loopback interface and the core interface:

  6. Configure IP addresses for the loopback interface and the core interface:

  7. Configure family mpls on the logical unit of the core interface:

  8. Configure the logical unit of the customer edge interface as a CCC:

  9. Configure the interface-based CCC from PE-2 to PE-1:

Results

Display the results of the configuration:

Configuring the Provider Switch

Procedure

CLI Quick Configuration

To quickly configure the provider switch, copy the following commands and paste them into the switch terminal window:

Step-by-Step Procedure

To configure the provider switch:

  1. Configure OSPF with traffic engineering enabled:

  2. Configure OSPF on the loopback interface and the core interfaces:

  3. Configure MPLS on the core interfaces on the switch:

  4. Configure RSVP on the loopback interface and the core interfaces:

  5. Configure IP addresses for the loopback interface and the core interfaces:

  6. Configure family mpls on the logical unit of the core interface addresses:

Results

Display the results of the configuration:

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying the Physical Layer on the Switches

Purpose

Verify that the interfaces are up. Perform this verification task on each of the switches.

Action
Meaning

The show interfaces terse command displays status information about the Gigabit Ethernet interfaces on the switch. This output verifies that the interfaces are up. The output for the protocol family (Proto column) shows that interface ge-0/0/1.0 is configured as a circuit cross-connect. The output for the protocol family of the core interfaces (ge-0/0/5.0 and ge-0/0/6.0) shows that these interfaces are configured as both inet and mpls. The Local column for the core interfaces shows the IP address configured for these interfaces.

Verifying the Routing Protocol

Purpose

Verify the state of the configured routing protocol. Perform this verification task on each of the switches. The state must be Full.

Action
Meaning

The show ospf neighbor command displays the status of the routing protocol. This output shows that the state is Full, meaning that the routing protocol is operating correctly—that is, hello packets are being exchanged between directly connected neighbors.

Verifying the Core Interfaces Being Used for MPLS Traffic

Purpose

Verify that the state of the MPLS interface is Up. Perform this verification task on each of the switches.

Action
Meaning

The show mpls interface command displays the status of the core interfaces that have been configured to belong to family mpls. This output shows that the interface configured to belong to family mpls is Up.

Verifying the Status of the RSVP Sessions

Purpose

Verify the status of the RSVP sessions. Perform this verification task on each of the switches.

Action
Meaning

This output confirms that the RSVP sessions are Up.

Verifying the Assignment of Interfaces for MPLS Label Operations

Purpose

Verify which interface is being used as the beginning of the CCC and which interface is being used to push the MPLS packet to the next hop. Perform this task only on the PE switches.

Action
Meaning

This output shows that the CCC has been set up on interface ge-0/0/1.0. The switch receives ingress traffic on ge-0/0/1.0 and pushes label 299792 onto the packet, which goes out through interface ge-0/0/5.0. The output also shows when the switch receives an MPLS packet with label 29976, it pops the label and sends the packet out through interface ge-0/0/1.0

After you have checked the local PE switch, run the same command on the remote PE switch.

Verifying the Status of the CCC

Purpose

Verify the status of the CCC. Perform this task only on the PE switches.

Action
Meaning

The show connections command displays the status of the CCC connections. This output verifies that the CCC interface and its associated transmit and receive LSPs are Up. After you have checked the local PE switch, run the same command on the remote PE switch.