Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation
keyboard_arrow_up
close
keyboard_arrow_left
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
keyboard_arrow_right

Example: Configuring Pseudowire Redundancy in a Mobile Backhaul Scenario

date_range 23-Nov-23

This example shows how to configure pseudowire redundancy where Layer 2 and Layer 3 segments are interconnected in a mobile backhaul scenario.

Requirements

This example can be configured using the following hardware and software components:

  • Junos OS Release 13.2 or later

  • ACX5000 line of routers as the access (A) routers

  • MX Series 5G Universal Routing Platforms or M Series Multiservice Edge Routers for the Provider Edge (PE) Routers

  • PTX Series Packet Transport Routers acting as transit label-switched routers

  • T Series Core Routers for the Core Routers

Note:

The PE routers could also be T Series Core Routers but that is not typical. Depending on your scaling requirements, the core routers could also be MX Series 5G Universal Routing Platforms or M Series Multiservice Edge Routers. The Customer Edge (CE) devices could be other routers or switches from Juniper Networks or another vendor.

No special configuration beyond device initialization is required before configuring this example.

Overview

Device CE1 is a simple edge router with an IPv4 interface and a static route pointing to the PE devices. Device A1 establishes two virtual circuits (VCs) toward Device PE1 and Device PE2 by making use of the hot-standby statement. Device PE1 and Device PE2 terminate these VCs and enforce a policy condition over the logical tunnel IPv4 subnet. Device PE3 performs as a Layer 3 VPN provider edge device by having an IPv4 interface in a Layer 3 VPN shared with Device PE1 and Device PE2.

CLI Quick Configuration shows the configuration for all of the devices in Figure 1.

The section Step-by-Step Procedure describes the steps on Device A1 and Device PE1.

Figure 1: Pseudowire Redundancy in a Mobile Backhaul Example TopologyPseudowire Redundancy in a Mobile Backhaul Example Topology

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Device CE1

content_copy zoom_out_map
set interfaces ge-1/3/3 vlan-tagging
set interfaces ge-1/3/3 unit 600 vlan-id 600
set interfaces ge-1/3/3 unit 600 family inet address 10.41.0.104/24
set interfaces lo0 unit 0 family inet address 192.168.0.104/32 primary
set protocols ospf area 0.0.0.0 interface ge-1/3/3.600
set protocols ospf area 0.0.0.0 interface lo0.0
set routing-options static route 192.168.0.0/8 next-hop 10.41.0.1
set routing-options static route 10.53.0.0/16 next-hop 10.41.0.1
set routing-options router-id 192.168.0.104

Device A1

content_copy zoom_out_map
set interfaces ge-1/3/0 unit 0 family inet address 10.20.0.100/24
set interfaces ge-1/3/0 unit 0 family iso
set interfaces ge-1/3/0 unit 0 family mpls
set interfaces ge-1/3/1 unit 0 family inet address 10.10.0.100/24
set interfaces ge-1/3/1 unit 0 family iso
set interfaces ge-1/3/1 unit 0 family mpls
set interfaces ge-1/3/2 vlan-tagging
set interfaces ge-1/3/2 encapsulation vlan-ccc
set interfaces ge-1/3/2 unit 600 encapsulation vlan-ccc
set interfaces ge-1/3/2 unit 600 vlan-id 600
set interfaces ge-1/3/2 unit 600 family ccc
set interfaces lo0 unit 0 family inet address 192.168.0.100/32 primary
set interfaces lo0 unit 0 family iso address 49.0002.0192.0168.0100.00
set routing-options router-id 192.168.0.100
set routing-options autonomous-system 64510
set routing-options forwarding-table export pplb
set protocols rsvp interface ge-1/3/0.0
set protocols rsvp interface ge-1/3/1.0
set protocols rsvp interface lo0.0
set protocols mpls interface ge-1/3/0.0
set protocols mpls interface ge-1/3/1.0
set protocols isis interface ge-1/3/0.0
set protocols isis interface ge-1/3/1.0
set protocols isis interface lo0.0
set protocols ldp interface ge-1/3/0.0
set protocols ldp interface ge-1/3/1.0
set protocols ldp interface lo0.0
set protocols l2circuit neighbor 192.168.0.101 interface ge-1/3/2.600 virtual-circuit-id 1
set protocols l2circuit neighbor 192.168.0.101 interface ge-1/3/2.600 pseudowire-status-tlv
set protocols l2circuit neighbor 192.168.0.101 interface ge-1/3/2.600 revert-time 10 maximum 60
set protocols l2circuit neighbor 192.168.0.101 interface ge-1/3/2.600 backup-neighbor 192.168.0.102 virtual-circuit-id 2
set protocols l2circuit neighbor 192.168.0.101 interface ge-1/3/2.600 backup-neighbor 192.168.0.102 hot-standby
set policy-options policy-statement pplb then load-balance per-packet

Device PE1

content_copy zoom_out_map
set interfaces ge-0/1/1 unit 0 family inet address 10.21.0.101/24
set interfaces ge-0/1/1 unit 0 family iso
set interfaces ge-0/1/1 unit 0 family mpls
set interfaces ge-0/1/2 unit 0 family inet address 10.31.0.101/24
set interfaces ge-0/1/2 unit 0 family iso
set interfaces ge-0/1/2 unit 0 family mpls
set interfaces ge-0/1/3 unit 0 family inet address 10.10.0.101/24
set interfaces ge-0/1/3 unit 0 family iso
set interfaces ge-0/1/3 unit 0 family mpls
set interfaces lt-1/2/0 unit 600 encapsulation vlan-ccc
set interfaces lt-1/2/0 unit 600 vlan-id 600
set interfaces lt-1/2/0 unit 600 peer-unit 601
set interfaces lt-1/2/0 unit 601 encapsulation vlan
set interfaces lt-1/2/0 unit 601 vlan-id 600
set interfaces lt-1/2/0 unit 601 peer-unit 600
set interfaces lt-1/2/0 unit 601 family inet filter input icmp_inet
set interfaces lt-1/2/0 unit 601 family inet filter output icmp_inet
set interfaces lt-1/2/0 unit 601 family inet address 10.41.0.101/24 vrrp-group 0 virtual-address 10.41.0.1
set interfaces lt-1/2/0 unit 601 family inet address 10.41.0.101/24 vrrp-group 0 accept-data
set interfaces lo0 unit 0 family inet address 192.168.0.101/32 primary
set interfaces lo0 unit 0 family iso address 49.0002.0192.0168.0003.00
set interfaces lo0 unit 1 family inet address 192.168.1.101/32
set routing-options router-id 192.168.0.101
set routing-options autonomous-system 64511
set protocols rsvp interface ge-0/1/1.0
set protocols rsvp interface ge-0/1/2.0
set protocols rsvp interface ge-0/1/3.0
set protocols rsvp interface lo0.0
set protocols mpls label-switched-path to_PE3 to 192.168.0.103
set protocols mpls label-switched-path to_PE2 to 192.168.0.102
set protocols mpls interface ge-0/1/1.0
set protocols mpls interface ge-0/1/2.0
set protocols mpls interface ge-0/1/3.0
set protocols bgp local-address 192.168.0.101
set protocols bgp group ibgp family inet-vpn any
set protocols bgp group ibgp peer-as 64511
set protocols bgp group ibgp neighbor 192.168.0.102
set protocols bgp group ibgp neighbor 192.168.0.103
set protocols isis interface ge-0/1/1.0
set protocols isis interface ge-0/1/2.0
set protocols isis interface ge-0/1/3.0
set protocols isis interface lo0.0
set protocols ldp interface ge-0/1/1.0
set protocols ldp interface ge-0/1/2.0
set protocols ldp interface ge-0/1/3.0
set protocols ldp interface lo0.0
set protocols l2circuit neighbor 192.168.0.100 interface lt-1/2/0.600 virtual-circuit-id 1
set protocols l2circuit neighbor 192.168.0.100 interface lt-1/2/0.600 pseudowire-status-tlv hot-standby-vc-on
set policy-options policy-statement l3vpn_export term primary from condition primary
set policy-options policy-statement l3vpn_export term primary then local-preference add 300
set policy-options policy-statement l3vpn_export term primary then community set l3vpn
set policy-options policy-statement l3vpn_export term primary then accept
set policy-options policy-statement l3vpn_export term standby from condition standby
set policy-options policy-statement l3vpn_export term standby then local-preference add 30
set policy-options policy-statement l3vpn_export term standby then community set l3vpn
set policy-options policy-statement l3vpn_export term standby then accept
set policy-options policy-statement l3vpn_export term default then community set l3vpn
set policy-options policy-statement l3vpn_export term default then accept
set policy-options policy-statement l3vpn_import term 1 from community l3vpn
set policy-options policy-statement l3vpn_import term 1 then accept
set policy-options policy-statement l3vpn_import term default then reject
set policy-options policy-statement ospf_export term 0 from community l3vpn
set policy-options policy-statement ospf_export term 0 then accept
set policy-options community l3vpn members target:64511:600
set policy-options condition primary if-route-exists address-family ccc lt-1/2/0.600
set policy-options condition primary if-route-exists address-family ccc table mpls.0
set policy-options condition primary if-route-exists address-family ccc peer-unit 601
set policy-options condition standby if-route-exists address-family ccc lt-1/2/0.600
set policy-options condition standby if-route-exists address-family ccc table mpls.0
set policy-options condition standby if-route-exists address-family ccc standby
set policy-options condition standby if-route-exists address-family ccc peer-unit 601
set firewall family inet filter icmp_inet interface-specific
set firewall family inet filter icmp_inet term 0 from source-address 10.41.0.101/32 except
set firewall family inet filter icmp_inet term 0 from source-address 10.0.0.0/8
set firewall family inet filter icmp_inet term 0 from protocol icmp
set firewall family inet filter icmp_inet term 0 then count icmp_inet
set firewall family inet filter icmp_inet term 0 then log
set firewall family inet filter icmp_inet term 0 then accept
set firewall family inet filter icmp_inet term 1 then accept
set routing-instances l3vpn instance-type vrf
set routing-instances l3vpn interface lt-1/2/0.601
set routing-instances l3vpn interface lo0.1
set routing-instances l3vpn route-distinguisher 192.168.1.101:64511
set routing-instances l3vpn vrf-import l3vpn_import
set routing-instances l3vpn vrf-export l3vpn_export
set routing-instances l3vpn vrf-table-label
set routing-instances l3vpn protocols ospf export ospf_export
set routing-instances l3vpn protocols ospf area 0.0.0.0 lt-1/2/0.601
set routing-instances l3vpn protocols ospf area 0.0.0.0 lo0.1

Device PE2

content_copy zoom_out_map
set interfaces ge-0/3/0 unit 0 family inet address 10.20.0.102/24
set interfaces ge-0/3/0 unit 0 family iso
set interfaces ge-0/3/0 unit 0 family mpls
set interfaces ge-0/3/1 unit 0 family inet address 10.21.0.102/24
set interfaces ge-0/3/1 unit 0 family iso
set interfaces ge-0/3/1 unit 0 family mpls
set interfaces ge-0/3/3 unit 0 family inet address 10.32.0.102/24
set interfaces ge-0/3/3 unit 0 family iso
set interfaces ge-0/3/3 unit 0 family mpls
set interfaces lt-1/2/0 unit 600 encapsulation vlan-ccc
set interfaces lt-1/2/0 unit 600 vlan-id 600
set interfaces lt-1/2/0 unit 600 peer-unit 601
set interfaces lt-1/2/0 unit 601 encapsulation vlan
set interfaces lt-1/2/0 unit 601 vlan-id 600
set interfaces lt-1/2/0 unit 601 peer-unit 600
set interfaces lt-1/2/0 unit 601 family inet filter input icmp_inet
set interfaces lt-1/2/0 unit 601 family inet filter output icmp_inet
set interfaces lt-1/2/0 unit 601 family inet address 10.41.0.102/24 vrrp-group 0 virtual-address 10.41.0.1
set interfaces lt-1/2/0 unit 601 family inet address 10.41.0.102/24 vrrp-group 0 accept-data
set interfaces lo0 unit 0 family inet address 192.168.0.102/32 primary
set interfaces lo0 unit 0 family iso address 49.0002.0192.0168.0102.00
set interfaces lo0 unit 1 family inet address 192.168.1.102/32
set routing-options router-id 192.168.0.102
set routing-options autonomous-system 64511
set protocols rsvp interface ge-0/3/0.0
set protocols rsvp interface ge-0/3/1.0
set protocols rsvp interface ge-0/3/3.0
set protocols rsvp interface lo0.0
set protocols mpls label-switched-path to_PE1 to 192.168.0.101
set protocols mpls label-switched-path to_PE3 to 192.168.0.103
set protocols mpls interface ge-0/3/0.0
set protocols mpls interface ge-0/3/1.0
set protocols mpls interface ge-0/3/3.0
set protocols bgp local-address 192.168.0.102
set protocols bgp group ibgp family inet-vpn any
set protocols bgp group ibgp peer-as 64511
set protocols bgp group ibgp neighbor 192.168.0.101
set protocols bgp group ibgp neighbor 192.168.0.103
set protocols isis interface ge-0/3/0.0
set protocols isis interface ge-0/3/1.0
set protocols isis interface ge-0/3/3.0
set protocols isis interface lo0.0
set protocols ldp interface ge-0/3/0.0
set protocols ldp interface ge-0/3/1.0
set protocols ldp interface ge-0/3/3.0
set protocols ldp interface lo0.0
set protocols l2circuit neighbor 192.168.0.100 interface lt-1/2/0.600 virtual-circuit-id 2
set protocols l2circuit neighbor 192.168.0.100 interface lt-1/2/0.600 pseudowire-status-tlv hot-standby-vc-on
set policy-options policy-statement l3vpn_export term primary from condition primary
set policy-options policy-statement l3vpn_export term primary then local-preference add 300
set policy-options policy-statement l3vpn_export term primary then community set l3vpn
set policy-options policy-statement l3vpn_export term primary then accept
set policy-options policy-statement l3vpn_export term standby from condition standby
set policy-options policy-statement l3vpn_export term standby then local-preference add 30
set policy-options policy-statement l3vpn_export term standby then community set l3vpn
set policy-options policy-statement l3vpn_export term standby then accept
set policy-options policy-statement l3vpn_export term default then community set l3vpn
set policy-options policy-statement l3vpn_export term default then accept
set policy-options policy-statement l3vpn_import term 1 from community l3vpn
set policy-options policy-statement l3vpn_import term 1 then accept
set policy-options policy-statement l3vpn_import term default then reject
set policy-options policy-statement ospf_export term 0 from community l3vpn
set policy-options policy-statement ospf_export term 0 then accept
set policy-options community l3vpn members target:64511:600
set policy-options condition primary if-route-exists address-family ccc lt-1/2/0.600
set policy-options condition primary if-route-exists address-family ccc table mpls.0
set policy-options condition primary if-route-exists address-family ccc peer-unit 601
set policy-options condition standby if-route-exists address-family ccc lt-1/2/0.600
set policy-options condition standby if-route-exists address-family ccc table mpls.0
set policy-options condition standby if-route-exists address-family ccc standby
set policy-options condition standby if-route-exists address-family ccc peer-unit 601
set firewall family inet filter icmp_inet interface-specific
set firewall family inet filter icmp_inet term 0 from source-address 10.41.0.102/32 except
set firewall family inet filter icmp_inet term 0 from source-address 10.0.0.0/8
set firewall family inet filter icmp_inet term 0 from protocol icmp
set firewall family inet filter icmp_inet term 0 then count icmp_inet
set firewall family inet filter icmp_inet term 0 then log
set firewall family inet filter icmp_inet term 0 then accept
set firewall family inet filter icmp_inet term 1 then accept
set routing-instances l3vpn instance-type vrf
set routing-instances l3vpn interface lt-1/2/0.601
set routing-instances l3vpn interface lo0.1
set routing-instances l3vpn route-distinguisher 192.168.1.102:64511
set routing-instances l3vpn vrf-import l3vpn_import
set routing-instances l3vpn vrf-export l3vpn_export
set routing-instances l3vpn vrf-table-label
set routing-instances l3vpn protocols ospf export ospf_export
set routing-instances l3vpn protocols ospf area 0.0.0.0 interface lt-1/2/0.601
set routing-instances l3vpn protocols ospf area 0.0.0.0 interface lo0.1

Device PE3

content_copy zoom_out_map
set interfaces ge-2/0/3 unit 0 family inet address 10.32.0.103/24
set interfaces ge-2/0/3 unit 0 family iso
set interfaces ge-2/0/3 unit 0 family mpls
set interfaces ge-2/0/5 unit 0 family inet address 10.53.0.103/24
set interfaces ge-2/0/5 unit 0 family mpls
set interfaces ge-2/1/8 unit 0 family inet address 10.31.0.103/24
set interfaces ge-2/1/8 unit 0 family iso
set interfaces ge-2/1/8 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 192.168.0.103/32 primary
set interfaces lo0 unit 0 family iso address 49.0002.0192.0168.0103.00
set interfaces lo0 unit 1 family inet address 192.168.1.103/32
set routing-options router-id 192.168.0.103
set routing-options autonomous-system 64511
set protocols rsvp interface ge-2/0/3.0
set protocols rsvp interface ge-2/1/8.0
set protocols rsvp interface lo0.0
set protocols mpls label-switched-path to_PE1 to 192.168.0.101
set protocols mpls label-switched-path to_PE2 to 192.168.0.102
set protocols mpls interface ge-2/0/3.0
set protocols mpls interface ge-2/1/8.0
set protocols bgp local-address 192.168.0.103
set protocols bgp group ibgp family inet-vpn any
set protocols bgp group ibgp peer-as 64511
set protocols bgp group ibgp neighbor 192.168.0.101
set protocols bgp group ibgp neighbor 192.168.0.102
set protocols isis interface ge-2/0/3.0
set protocols isis interface ge-2/1/8.0
set protocols isis interface lo0.0
set protocols ldp interface ge-2/0/3.0
set protocols ldp interface ge-2/1/8.0
set protocols ldp interface lo0.0
set policy-options policy-statement l3vpn_ospf_export term 0 from protocol direct
set policy-options policy-statement l3vpn_ospf_export term 0 then accept
set policy-options policy-statement l3vpn_ospf_import term 0 from protocol bgp
set policy-options policy-statement l3vpn_ospf_import term 0 from community l3vpn
set policy-options policy-statement l3vpn_ospf_import term 0 then accept
set policy-options policy-statement ospf_export term 0 from community l3vpn
set policy-options policy-statement ospf_export term 0 then accept
set policy-options community l3vpn members target:64511:600
set routing-instances l3vpn instance-type vrf
set routing-instances l3vpn interface ge-2/0/5.0
set routing-instances l3vpn interface lo0.1
set routing-instances l3vpn route-distinguisher 192.168.0.103:64511
set routing-instances l3vpn vrf-target target:64511:600
set routing-instances l3vpn vrf-table-label
set routing-instances l3vpn protocols ospf export ospf_export
set routing-instances l3vpn protocols ospf area 0.0.0.0 interface ge-2/0/5.0
set routing-instances l3vpn protocols ospf area 0.0.0.0 interface lo0.1

Device CE2

content_copy zoom_out_map
set interfaces ge-2/0/8 unit 0 family inet address 10.53.0.105/24
set interfaces lo0 unit 0 family inet address 192.168.0.105/32 primary
set protocols ospf area 0.0.0.0 interface ge-2/0/8.0
set protocols ospf area 0.0.0.0 interface lo0.0
set routing-options router-id 192.168.0.105

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure Device A1:

  1. Configure the interfaces.

    Enable MPLS on the core-facing interfaces. The ISO address family is also enabled, because IS-IS is used as the interior gateway protocol (IGP) in the provider network.

    On the customer-facing interface, you do not need to enable MPLS. On this interface, enable CCC encapsulation and address family CCC.

    content_copy zoom_out_map
    [edit interfaces]
    user@A1# set ge-1/3/0 unit 0 family inet address 10.20.0.100/24
    user@A1# set ge-1/3/0 unit 0 family iso
    user@A1# set ge-1/3/0 unit 0 family mpls
    user@A1# set ge-1/3/1 unit 0 family inet address 10.10.0.100/24
    user@A1# set ge-1/3/1 unit 0 family iso
    user@A1# set ge-1/3/1 unit 0 family mpls
    user@A1# set ge-1/3/2 vlan-tagging
    user@A1# set ge-1/3/2 encapsulation vlan-ccc
    user@A1# set ge-1/3/2 unit 600 encapsulation vlan-ccc
    user@A1# set ge-1/3/2 unit 600 vlan-id 600
    user@A1# set ge-1/3/2 unit 600 family ccc
    user@A1# set lo0 unit 0 family inet address 192.168.0.100/32 primary
    user@A1# set lo0 unit 0 family iso address 49.0002.0192.0168.0100.00
    
  2. Configure the RSVP on the core-facing interfaces and on the loopback interface.

    RSVP is used in the Layer 3 domain.

    content_copy zoom_out_map
    [edit protocols rsvp]
    user@A1# set interface ge-1/3/0.0
    user@A1# set interface ge-1/3/1.0
    user@A1# set interface lo0.0
    
  3. Configure LDP on the core-facing interfaces and on the loopback interface.

    LDP is used in Layer 2 domain.

    content_copy zoom_out_map
    [edit protocols ldp]
    user@A1# set interface ge-1/3/0.0
    user@A1# set interface ge-1/3/1.0
    user@A1# set interface lo0.0
    
  4. Configure MPLS on the core-facing interfaces.

    content_copy zoom_out_map
    [edit protocols mpls]
    user@A1# set interface ge-1/3/0.0
    user@A1# set interface ge-1/3/1.0
    
  5. Configure an interior gateway protocol, such as IS-IS or OSPF, on the core-facing interfaces and on the loopback interface.

    content_copy zoom_out_map
    [edit protocols isis]
    user@A1# set interface ge-1/3/0.0
    user@A1# set interface ge-1/3/1.0
    user@A1# set interface lo0.0
    
  6. On the interface that faces the customer edge, configure the Layer 2 circuit.

    Configure the hot-standby statement on those routers with both active and standby virtual circuits (VCs) (Device A1 in our topology). You must include the pseudowire-status-tlv statement on access routers. Without the status TLV signaling, the standby flag cannot be advertised to remote provider edge (PE) devices.

    The revert-time statement and the maximum option should also be configured on access routers. Without the revert-time statement, traffic of all the VCs will not be transitioned to the primary path upon completion of the restoration. If a revert-time delay is defined but a maximum delay is not, then VCs are restored immediately upon the revert timer's expiration. The maximum option allows the VCs to be restored in a scattered fashion rather than all at once.

    content_copy zoom_out_map
    [edit protocols l2circuit neighbor 192.168.0.101 interface ge-1/3/2.600]
    user@A1# set virtual-circuit-id 1
    user@A1# set pseudowire-status-tlv
    user@A1# set revert-time 10 maximum 60
    user@A1# set backup-neighbor 192.168.0.102 virtual-circuit-id 2
    user@A1# set backup-neighbor 192.168.0.102 hot-standby
    
  7. To have the unilist next hop get pushed to other access routers, configure per-packet load balancing.

    content_copy zoom_out_map
    [edit policy-options policy-statement pplb]
    user@A1# set then load-balance per-packet
    
  8. Apply the per-packet load balancing policy.

    content_copy zoom_out_map
    [edit routing-options forwarding-table]
    user@A1# set export pplb
    
  9. Configure the autonomous system (AS) ID and the router ID.

    content_copy zoom_out_map
    [edit routing-options]
    user@A1# set router-id 192.168.0.100
    user@A1# set autonomous-system 64510
    

    Similarly, configure any other access devices.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure Device PE1:

  1. Configure the interfaces.

    Enable MPLS on the core-facing interfaces.

    content_copy zoom_out_map
    [edit interfaces]
    user@PE1# set ge-0/1/1 unit 0 family inet address 10.21.0.101/24
    user@PE1# set ge-0/1/1 unit 0 family iso
    user@PE1# set ge-0/1/1 unit 0 family mpls
    user@PE1# set ge-0/1/2 unit 0 family inet address 10.31.0.101/24
    user@PE1# set ge-0/1/2 unit 0 family iso
    user@PE1# set ge-0/1/2 unit 0 family mpls
    user@PE1# set ge-0/1/3 unit 0 family inet address 10.10.0.101/24
    user@PE1# set ge-0/1/3 unit 0 family iso
    user@PE1# set ge-0/1/3 unit 0 family mpls
    user@PE1# set lo0 unit 0 family inet address 192.168.0.101/32 primary
    user@PE1# set lo0 unit 0 family iso address 49.0002.0192.0168.0003.00
    user@PE1# set lo0 unit 1 family inet address 192.168.1.101/32
    
  2. On Device PE1 and Device PE2, which are aggregation routers, configure a pair of logical tunnel interfaces to represent LT(x) and LT(y).

    The solution uses logical tunnel (lt-) paired interfaces for stitching the Layer 2 and Layer 3 domains.

    A Layer 2 pseudowire terminates on one of the logical tunnel interfaces, LT(x), defined with the circuit cross-connect (CCC) address family. A Layer 3 VPN terminates the second logical tunnel interface, LT(y), defined with the IPv4 (inet) address family. LT(x) and LT(y) are paired.

    content_copy zoom_out_map
    [edit interfaces]
    user@PE1# set lt-1/2/0 unit 600 encapsulation vlan-ccc
    user@PE1# set lt-1/2/0 unit 600 vlan-id 600
    user@PE1# set lt-1/2/0 unit 600 peer-unit 601
    user@PE1# set lt-1/2/0 unit 601 encapsulation vlan
    user@PE1# set lt-1/2/0 unit 601 vlan-id 600
    user@PE1# set lt-1/2/0 unit 601 peer-unit 600
    user@PE1# set lt-1/2/0 unit 601 family inet filter input icmp_inet
    user@PE1# set lt-1/2/0 unit 601 family inet filter output icmp_inet
    
  3. (Optional) Associate a unique VRRP address with both Device PE1 and Device PE2.

    In this case, both Device PE1 and Device PE2 assume the primary state for the defined VIP IPv4 address, so no VRRP hello message are exchanged between the routers.

    content_copy zoom_out_map
    [edit interfaces lt-1/2/0 unit 601 family inet address 10.41.0.101/24]
    user@PE1# set vrrp-group 0 virtual-address 10.41.0.1
    user@PE1# set vrrp-group 0 accept-data
    
  4. Configure IS-IS or another IGP.

    content_copy zoom_out_map
    [edit protocols isis]
    user@PE1# set interface ge-0/1/1.0
    user@PE1# set interface ge-0/1/2.0
    user@PE1# set interface ge-0/1/3.0
    user@PE1# set interface lo0.0
    
  5. Configure the MPLS on the core-facing interfaces.

    content_copy zoom_out_map
    [edit protocols mpls]
    user@PE1# set interface ge-0/1/1.0
    user@PE1# set interface ge-0/1/2.0
    user@PE1# set interface ge-0/1/3.0
    
  6. Configure label-switched paths to the other PE devices.

    BGP is a policy-driven protocol, so also configure and apply any needed routing policies. For example, you might want to export static routes into BGP.

    content_copy zoom_out_map
    [edit protocols mpls]
    user@PE1# set label-switched-path to_PE3 to 192.168.0.103
    user@PE1# set label-switched-path to_PE2 to 192.168.0.102
    
  7. Configure LDP on the core-facing interfaces and on the loopback interface.

    content_copy zoom_out_map
    [edit protocols ldp]
    user@PE1# set interface ge-0/1/1.0
    user@PE1# set interface ge-0/1/2.0
    user@PE1# set interface ge-0/1/3.0
    user@PE1# set interface lo0.0
    
  8. Configure RSVP on the core-facing interfaces and on the loopback interface.

    content_copy zoom_out_map
    [edit protocols rsvp]
    user@PE1# set interface ge-0/1/1.0
    user@PE1# set interface ge-0/1/2.0
    user@PE1# set interface ge-0/1/3.0
    user@PE1# set interface lo0.0
    
  9. Configure internal BGP (IBGP).

    content_copy zoom_out_map
    [edit protocols bgp]
    user@PE1# set local-address 192.168.0.101
    user@PE1# set group ibgp family inet-vpn any
    user@PE1# set group ibgp peer-as 64511
    user@PE1# set group ibgp neighbor 192.168.0.102
    user@PE1# set group ibgp neighbor 192.168.0.103
    
  10. Configure the Layer 2 circuit on the logical tunnel interface.

    Configure the hot-standby-vc-on statement if you want a hot standby pseudowire to be established upon arrival of PW_FWD_STDBY status TLV.

    content_copy zoom_out_map
    [edit protocols l2circuit neighbor 192.168.0.100 interface lt-1/2/0.600]
    user@PE1# set virtual-circuit-id 1
    user@PE1# set pseudowire-status-tlv hot-standby-vc-on
    
  11. Define a pair of conditions to be applied to the egress policy defined within the Layer 3 VPN instance.

    In both condition primary and condition standby, the matching route corresponds to the interface lt-1/2/0.600 (y), as this is the format in which egress routes appear in routing table mpls.0 to represent any given pseudowire.

    The difference between these conditions is in the standby attribute. Upon arrival of the PW_FWD_STDBY status TLV to Device PE1 or Device PE2, Junos OS matches condition standby, and in consequence, only term standby within the l3vpn policy will be executed. On the other hand, if the PW_FWD_STDBY status TLV is not present, the policy only matches condition primary, which then executes term primary in the l3vpn policy. Also, for logical tunnel-based CCC services, you must specify the logical tunnel interface, LT(y), that is associated with the logical tunnel CCC interface, LT(x). (See Understanding Pseudowire Redundancy Mobile Backhaul Scenarios.)

    Finally, for CCC-based conditions, Junos OS only allows mpls.0 as the matching routing table. For the address attribute, Junos OS only allows strings with a logical interface unit format (for example, lt-0/0/0.0).

    content_copy zoom_out_map
    [edit policy-options condition primary if-route-exists address-family ccc]
    user@PE1# set lt-1/2/0.600
    user@PE1# set table mpls.0
    user@PE1# set peer-unit 601
    [edit policy-options condition standby if-route-exists address-family ccc]
    user@PE1# set lt-1/2/0.600
    user@PE1# set table mpls.0
    user@PE1# set standby
    user@PE1# set peer-unit 601
    
  12. Configure the Layer 3 VPN export policy.

    If the Layer 2 virtual circuit (VC) is primary, the corresponding provider edge (PE) routing device advertises the attachment circuit’s (AC’s) subnet with the higher local preference. All aggregation PE devices initially advertise the AC’s subnet with the same local preference.

    This routing policy allows a higher local preference value to be advertised if the Layer 2 VC is active.

    content_copy zoom_out_map
    [edit policy-options policy-statement l3vpn_export]
    user@PE1# set term primary from condition primary
    user@PE1# set term primary then local-preference add 300
    user@PE1# set term primary then community set l3vpn
    user@PE1# set term primary then accept
    user@PE1# set term standby from condition standby
    user@PE1# set term standby then local-preference add 30
    user@PE1# set term standby then community set l3vpn
    user@PE1# set term standby then accept
    user@PE1# set term default then community set l3vpn
    user@PE1# set term default then accept
    
  13. Configure the Layer 3 VPN community members.

    content_copy zoom_out_map
    [edit policy-options community l3vpn]
    user@PE1# set members target:64511:600
    
  14. Configure the Layer 3 VPN import policy, based on the Layer 3 VPN community.

    content_copy zoom_out_map
    [edit policy-options policy-statement l3vpn_import]
    user@PE1# set term 1 from community l3vpn
    user@PE1# set term 1 then accept
    user@PE1# set term default then reject
    
  15. Configure OSPF export policy, based on the Layer 3 VPN community.

    content_copy zoom_out_map
    [edit policy-options policy-statement ospf_export term 0]
    user@PE1# set from community l3vpn
    user@PE1# set then accept
    
  16. (Optional) Configure a firewall filter to check the path taken by traffic.

    content_copy zoom_out_map
    [edit firewall family inet filter icmp_inet]
    user@PE1# set interface-specific
    user@PE1# set term 0 from source-address 10.41.0.101/32 except
    user@PE1# set term 0 from source-address 10.0.0.0/8
    user@PE1# set term 0 from protocol icmp
    user@PE1# set term 0 then count icmp_inet
    user@PE1# set term 0 then log
    user@PE1# set term 0 then accept
    user@PE1# set term 1 then accept
    
  17. Configure the routing instance.

    This routing instance is in the Layer 2 domain where Device PE1 and Device PE2 are interconnected to the metro ring over multiaccess media (Ethernet). You must include the vrf-table-label' statement on Device PE1 and Device PE2 to enable advertisement of the direct subnet prefix corresponding to the logical tunnel (lt-) interface toward the Layer 3 domain.

    Device PE1 and Device PE2 use OSPF for Layer 3 VPN communication with Device CE1.

    content_copy zoom_out_map
    [edit routing-instances l3vpn]
    user@PE1# set instance-type vrf
    user@PE1# set interface lt-1/2/0.601
    user@PE1# set interface lo0.1
    user@PE1# set route-distinguisher 192.168.1.101:64511
    user@PE1# set vrf-import l3vpn_import
    user@PE1# set vrf-export l3vpn_export
    user@PE1# set vrf-table-label
    user@PE1# set protocols ospf export ospf_export
    user@PE1# set protocols ospf area 0.0.0.0 interface lt-1/2/0.601
    user@PE1# set protocols ospf area 0.0.0.0 interface lo0.1
    
  18. Configure the autonomous system (AS) ID and router ID.

    content_copy zoom_out_map
    [edit routing-options]
    user@PE1# set router-id 192.168.0.101
    user@PE1# set autonomous-system 64511
    

    Similarly, configure Device PE2.

Results

From configuration mode, confirm your configuration by entering the show interfaces, show firewall, show protocols, show policy-options, show routing-options, and show routing-instances commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Device A1

content_copy zoom_out_map
user@A1# show interfaces
ge-1/3/0 {
    unit 0 {
        family inet {
            address 10.20.0.100/24;
        }
        family iso;
        family mpls;
    }
}
ge-1/3/1 {
    unit 0 {
        family inet {
            address 10.10.0.100/24;
        }
        family iso;
        family mpls;
    }
}
ge-1/3/2 {
    vlan-tagging;
    encapsulation vlan-ccc;
    unit 600 {
        encapsulation vlan-ccc;
        vlan-id 600;
        family ccc;
    }
}
lo0 {
    unit 0 {
        family inet {
            address 192.168.0.100/32 {
                primary;
            }
        }
        family iso {
            address 49.0002.0192.0168.0100.00;
        }
    }
}
content_copy zoom_out_map
user@A1# show protocols
rsvp {
    interface ge-1/3/0.0;
    interface ge-1/3/1.0;
    interface lo0.0;
}
mpls {
    interface ge-1/3/0.0;
    interface ge-1/3/1.0;
}
isis {
    interface ge-1/3/0.0;
    interface ge-1/3/1.0;
    interface lo0.0;
}
ldp {
    interface ge-1/3/0.0;
    interface ge-1/3/1.0;
    interface lo0.0;
}
l2circuit {
    neighbor 192.168.0.101 {
        interface ge-1/3/2.600 {
            virtual-circuit-id 1;
            pseudowire-status-tlv;
            backup-neighbor 192.168.0.102 {
                virtual-circuit-id 2;
                hot-standby;
            }
        }
    }
}
content_copy zoom_out_map
user@A1# show policy-options
policy-statement pplb {
    then {
        load-balance per-packet;
    }
}
content_copy zoom_out_map
user@A1# show routing-options
autonomous-system 64510;
router-id 192.168.0.100;
forwarding-table {
    export pplb;
}

Device PE1

content_copy zoom_out_map
user@PE1# show interfaces
ge-0/1/1 {
    unit 0 {
        family inet {
            address 10.21.0.101/24;
        }
        family iso;
        family mpls;
    }
}
ge-0/1/2 {
    unit 0 {
        family inet {
            address 10.31.0.101/24;
        }
        family iso;
        family mpls;
    }
}
ge-0/1/3 {
    unit 0 {
        family inet {
            address 10.10.0.101/24;
        }
        family iso;
        family mpls;
    }
}
lt-1/2/0 {
    unit 600 {
        encapsulation vlan-ccc;
        vlan-id 600;
        peer-unit 601;
    }
    unit 601 {
        encapsulation vlan;
        vlan-id 600;
        peer-unit 600;
        family inet {
            filter {
                input icmp_inet;
                output icmp_inet;
            }
            address 10.41.0.101/24 {
                vrrp-group 0 {
                    virtual-address 10.41.0.1;
                    accept-data;
                }
            }
        }
    }
}
lo0 {
    unit 0 {
        family inet {
            address 192.168.0.101/32 {
                primary;
            }
        }
        family iso {
            address 49.0002.0192.0168.0003.00;
        }
    }
    unit 1 {
        family inet {
            address 192.168.1.101/32;
        }
    }
}
content_copy zoom_out_map
user@PE1# show firewall
family inet {
    filter icmp_inet {
        interface-specific;
        term 0 {
            from {
                source-address {
                    10.41.0.101/32 except;
                    10.0.0.0/8;
                }
                protocol icmp;
            }
            then {
                count icmp_inet;
                log;
                accept;
            }
        }
        term 1 {
            then accept;
        }
    }
}
content_copy zoom_out_map
user@PE1# show protocols
rsvp {
    interface ge-0/1/1.0;
    interface ge-0/1/2.0;
    interface ge-0/1/3.0;
    interface lo0.0;
}
mpls {
    label-switched-path to_PE3 {
        to 192.168.0.103;
    }
    label-switched-path to_PE2 {
        to 192.168.0.102;
    }
    interface ge-0/1/1.0;
    interface ge-0/1/2.0;
    interface ge-0/1/3.0;
}
bgp {
    local-address 192.168.0.101;
    group ibgp {
        family inet-vpn {
            any;
        }
        peer-as 64511;
        neighbor 192.168.0.102;
        neighbor 192.168.0.103;
    }
}
isis {
    interface ge-0/1/1.0;
    interface ge-0/1/2.0;
    interface ge-0/1/3.0;
    interface lo0.0;
}
ldp {
    interface ge-0/1/1.0;
    interface ge-0/1/2.0;
    interface ge-0/1/3.0;
    interface lo0.0;
}
l2circuit {
    neighbor 192.168.0.100 {
        interface lt-1/2/0.600 {
            virtual-circuit-id 1;
            pseudowire-status-tlv hot-standby-vc-on;
        }
    }
}
content_copy zoom_out_map
user@PE1# show policy-options
policy-statement l3vpn_export {
    term primary {
        from condition primary;
        then {
            local-preference add 300;
            community set l3vpn;
            accept;
        }
    }
    term standby {
        from condition standby;
        then {
            local-preference add 30;
            community set l3vpn;
            accept;
        }
    }
    term default {
        then {
            community set l3vpn;
            accept;
        }
    }
}
policy-statement l3vpn_import {
    term 1 {
        from community l3vpn;
        then accept;
    }
    term default {
        then reject;
    }
}
policy-statement ospf_export {
    term 0 {
        from community l3vpn;
        then accept;
    }
}
community l3vpn members target:64511:600;
condition primary {
    if-route-exists {
        address-family {
            ccc {
                lt-1/2/0.600;
                table mpls.0;
                peer-unit 601;
            }
        }
    }
}
condition standby {
    if-route-exists {
        address-family {
            ccc {
                lt-1/2/0.600;
                table mpls.0;
                standby;
                peer-unit 601;
            }
        }
    }
}
content_copy zoom_out_map
user@PE1# show routing-options
router-id 192.168.0.101;
autonomous-system 64511;
content_copy zoom_out_map
user@PE1# show routing-instances
l3vpn {
    instance-type vrf;
    interface lt-1/2/0.601;
    interface lo0.1;
    route-distinguisher 192.168.1.101:64511;
    vrf-import l3vpn_import;
    vrf-export l3vpn_export;
    vrf-table-label;
    protocols {
        ospf {
            export ospf_export;
            area 0.0.0.0 {
                interface lt-1/2/0.601;
                interface lo0.1;
            }
        }
    }
}

If you are done configuring the devices, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Checking Layer 2 Circuits

Purpose

Upon Layer 2 virtual circuit (VC) establishment, the output of the show l2circuit connections command shows the active and the hot-standby VC. In addition, control-plane details are shown for the hot-standby VC.

Action

From operational mode, enter the show l2circuit connections extensive command.

content_copy zoom_out_map
user@A1> show l2circuit connections extensive

Layer-2 Circuit Connections:

Legend for connection status (St)   
EI -- encapsulation invalid      NP -- interface h/w not present   
MM -- mtu mismatch               Dn -- down                       
EM -- encapsulation mismatch     VC-Dn -- Virtual circuit Down    
CM -- control-word mismatch      Up -- operational                
VM -- vlan id mismatch           CF -- Call admission control failure
OL -- no outgoing label          IB -- TDM incompatible bitrate 
NC -- intf encaps not CCC/TCC    TM -- TDM misconfiguration 
BK -- Backup Connection          ST -- Standby Connection
CB -- rcvd cell-bundle size bad  SP -- Static Pseudowire
LD -- local site signaled down   RS -- remote site standby
RD -- remote site signaled down  HS -- Hot-standby Connection
XX -- unknown

Legend for interface status  
Up -- operational            
Dn -- down                   
Neighbor: 192.168.0.101 
    Interface                 Type  St     Time last up          # Up trans
    ge-1/3/2.600(vc 1)        rmt   Up     Jan 24 11:00:26 2013           1
      Remote PE: 192.168.0.101, Negotiated control-word: Yes (Null)
      Incoming label: 299776, Outgoing label: 299776
      Negotiated PW status TLV: Yes
      local PW status code: 0x00000000, Neighbor PW status code: 0x00000000
      Local interface: ge-1/3/2.600, Status: Up, Encapsulation: VLAN
    Connection History:
        Jan 24 11:00:26 2013  status update timer  
        Jan 24 11:00:26 2013  PE route changed     
        Jan 24 11:00:26 2013  Out lbl Update                    299776
        Jan 24 11:00:26 2013  In lbl Update                     299776
        Jan 24 11:00:26 2013  loc intf up                 ge-1/3/2.600
Neighbor: 192.168.0.102 
    Interface                 Type  St     Time last up          # Up trans
    ge-1/3/2.600(vc 2)        rmt   HS     -----                       ----
      Remote PE: 192.168.0.102, Negotiated control-word: Yes (Null)
      Incoming label: 299792, Outgoing label: 299776
      Negotiated PW status TLV: Yes
      local PW status code: 0x00000020, Neighbor PW status code: 0x00000000
      Local interface: ge-1/3/2.600, Status: Up, Encapsulation: VLAN
user@PE1> show l2circuit connections extensive

Layer-2 Circuit Connections:

Legend for connection status (St)   
EI -- encapsulation invalid      NP -- interface h/w not present   
MM -- mtu mismatch               Dn -- down                       
EM -- encapsulation mismatch     VC-Dn -- Virtual circuit Down    
CM -- control-word mismatch      Up -- operational                
VM -- vlan id mismatch           CF -- Call admission control failure
OL -- no outgoing label          IB -- TDM incompatible bitrate 
NC -- intf encaps not CCC/TCC    TM -- TDM misconfiguration 
BK -- Backup Connection          ST -- Standby Connection
CB -- rcvd cell-bundle size bad  SP -- Static Pseudowire
LD -- local site signaled down   RS -- remote site standby
RD -- remote site signaled down  HS -- Hot-standby Connection
XX -- unknown

Legend for interface status  
Up -- operational            
Dn -- down                   
Neighbor: 192.168.0.100 
    Interface                 Type  St     Time last up          # Up trans
    lt-1/2/0.600(vc 1)        rmt   Up     Jan 24 11:06:36 2013           1
      Remote PE: 192.168.0.100, Negotiated control-word: Yes (Null)
      Incoming label: 299776, Outgoing label: 299776
      Negotiated PW status TLV: Yes
      local PW status code: 0x00000000, Neighbor PW status code: 0x00000000
      Local interface: lt-1/2/0.600, Status: Up, Encapsulation: VLAN
    Connection History:
        Jan 24 11:06:36 2013  status update timer  
        Jan 24 11:06:36 2013  PE route changed     
        Jan 24 11:06:36 2013  Out lbl Update                    299776
        Jan 24 11:06:36 2013  In lbl Update                     299776
        Jan 24 11:06:36 2013  loc intf up                 lt-1/2/0.600
user@PE2> show l2circuit connections extensive

Layer-2 Circuit Connections:

Legend for connection status (St)   
EI -- encapsulation invalid      NP -- interface h/w not present   
MM -- mtu mismatch               Dn -- down                       
EM -- encapsulation mismatch     VC-Dn -- Virtual circuit Down    
CM -- control-word mismatch      Up -- operational                
VM -- vlan id mismatch           CF -- Call admission control failure
OL -- no outgoing label          IB -- TDM incompatible bitrate 
NC -- intf encaps not CCC/TCC    TM -- TDM misconfiguration 
BK -- Backup Connection          ST -- Standby Connection
CB -- rcvd cell-bundle size bad  SP -- Static Pseudowire
LD -- local site signaled down   RS -- remote site standby
RD -- remote site signaled down  HS -- Hot-standby Connection
XX -- unknown

Legend for interface status  
Up -- operational            
Dn -- down                   
Neighbor: 192.168.0.100 
    Interface                 Type  St     Time last up          # Up trans
    lt-1/2/0.600(vc 2)        rmt   Up     Jan 24 10:55:31 2013           1
      Remote PE: 192.168.0.100, Negotiated control-word: Yes (Null)
      Incoming label: 299776, Outgoing label: 299792
      Negotiated PW status TLV: Yes
      local PW status code: 0x00000000, Neighbor PW status code: 0x00000020
      Local interface: lt-1/2/0.600, Status: Up, Encapsulation: VLAN
    Connection History:
        Jan 24 10:55:31 2013  status update timer  
        Jan 24 10:55:31 2013  PE route changed     
        Jan 24 10:55:31 2013  Out lbl Update                    299792
        Jan 24 10:55:31 2013  In lbl Update                     299776
        Jan 24 10:55:31 2013  loc intf up                 lt-1/2/0.600

Meaning

From the perspective of Device PE1 and Device PE2, a single Layer 2 circuit is established toward access routers, so there is no standby device information in the CLI output of the show l2circuit connections command. Note that no timing and flapping information is provided for the VC acting as the hot-standby. Junos OS only allows these counters to be tracked for the active VC.

Checking the Policy Conditions

Purpose

On the PE devices, verify the state of the different conditions defined as part of the Layer3 VPN's egress policy, where 10.41.0.0/24 corresponds to the logical tunnel (y) subnet.

Action

From operational mode, enter the show policy conditions detail command.

content_copy zoom_out_map
user@PE1> show policy conditions detail
Configured conditions:
Condition primary (static), event: Existence of a route in a specific routing table
Dependent routes:
 10.41.0.0/24, generation 8
 192.168.0.104/32, generation 8

Condition standby (static), event: Existence of a route in a specific routing table
Dependent routes:
None

Condition tables:
Table mpls.0, generation 0, dependencies 0, If-route-exists conditions: primary (static) standby (static)
Table l3vpn.inet.0, generation 12, dependencies 2
content_copy zoom_out_map
user@PE2> show policy conditions detail
Configured conditions:
Condition primary (static), event: Existence of a route in a specific routing table
Dependent routes:
 10.41.0.0/24, generation 18

Condition standby (static), event: Existence of a route in a specific routing table
Dependent routes:
 10.41.0.0/24, generation 18

Condition tables:
Table mpls.0, generation 0, dependencies 0, If-route-exists conditions: primary (static) standby (static)
Table l3vpn.inet.0, generation 367, dependencies 2
footer-navigation