Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Join Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions as they discuss ongoing efforts to support digital transformation.
Register to attend
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Join us for an enlightening webinar with Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; retail guru Jack Stratten of Insider Trends; and Christian Gilby, Director of Product Marketing at Juniper Networks, as they discuss the future of in-store technologies.
Reserve my spot

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Register now
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Explore Pathfinder Apps
CLI Explorer
Feature Explorer
Hardware Compatibility Tool
Port Checker
Browse All
Collapse

Pathfinder Apps

All

By Software

By Hardware

Learn More
Pathfinder HomeCLI ExplorerCompliance AdvisorFeature ExplorerHardware Compatibility ToolJunos XML API ExplorerJunos YANG Data Model ExplorerPort CheckerPower CalculatorSNMP MIB ExplorerSystem Log Explorer
CLI ExplorerFeature ExplorerJunos XML API ExplorerJunos YANG Data Model ExplorerSNMP MIB ExplorerSystem Log Explorer
Compliance AdvisorFeature ExplorerHardware Compatibility ToolPort CheckerPower Calculator
Home Documentation Junos OS Layer 3 VPNs User Guide for Routing Devices Layer 3 VPNs Protection and Performance Features for Layer 3 VPNs

Layer 3 VPNs User Guide for Routing Devices

keyboard_arrow_up
close
keyboard_arrow_left
Layer 3 VPNs User Guide for Routing Devices
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Egress Protection in Layer 3 VPNs

date_range 23-Nov-23
arrow_backward
arrow_forward

This topic introduces the concept and components in egress protection in layer 3 VPN. It describes and provides examples on how to configure the protected, protector, and point of local repair (PLR) routers.

Egress Protection for BGP Labeled Unicast

When network node or link failures occur, it takes some time to restore service using traditional routing table convergence. Local repair procedures can provide much faster restoration by establishing local protection as close to a failure as possible. Fast protection for egress nodes is available to services in which BGP labeled unicast interconnects IGP areas, levels, or autonomous systems (ASs). If a provider router detects that an egress router (AS or area border router) is down, it immediately forwards the traffic destined to that router to a protector router that forwards the traffic downstream to the destination.

To provide egress protection for BGP labeled unicast, the protector node must create a backup state for downstream destinations before the failure happens. The basic idea of the solution is that the protector node constructs a forwarding state associated with the protected node and relays the MPLS labels assigned by the protected node further downstream to the final destination.

This feature supports the applications Inter-AS Option C and Seamless MPLS.

Inter-AS Option C—BGP labeled unicast provides end-to-end transport label-switched paths (LSPs) by stitching the intra-AS LSPs together. AS boundary routers run EBGP to other AS boundary routers to exchange labels for /32 PE loopback routes. IBGP runs between the provider edge router and AS boundary routers within each AS. In Figure 1, the traffic goes from CE1 to CE2. ASBR1 is the protected AS boundary router, ASBR2 is the protector, and Device P1 is the point of local repair (PLR). The primary path is chosen from PE1 to PE2 over ASBR1 and ASBR3. When ASBR1 fails, Router P1 detects the ASBR1 failure and forwards the traffic to ASBR2, which provides backup service and forwards the traffic downstream.

Figure 1: Inter-AS Option CInter-AS Option C

Seamless MPLS—BGP labeled unicast provides end-to-end transport LSPs by stitching the intra-area/level LSPs. Area border routers (ABRs) run BGP labeled unicast to other ABRs to exchange labels for /32 PE loopback routes. In Figure 2, the traffic goes from Device CE1 to Device CE2. ABR1 is the protected ABR, ABR2 is the protector, and T1 is the PLR. The primary path is chosen from PE1 to PE2 over ABR1 and ABR3. When ABR1 fails, Router T1 detects the ABR1 failure and forwards the traffic to ABR2, which provides backup service and forwards the traffic downstream.

Figure 2: Seamless MPLSSeamless MPLS

In each of these applications, the protected node advertises a primary BGP labeled unicast route that needs protection. When fast protection is enabled, BGP advertises the label routes with a special address as the next hop. This special address is a context identifier that is configured through the CLI. The protected node also advertises the context identifier in IGP and a NULL label in LDP for the context identifier.

The backup node advertises backup BGP labeled unicast routes for the protected routes. The protector node forwards traffic to the backup node using the labels advertised by the backup node.

The protector node provides the backup service by cross-connecting the labels originated by the protected node and the labels originated by the backup node. The protector node forwards the traffic to the backup node in case of failure of the protected node. The protector node advertises the same context-identifier into IGP with high metric. Also, it advertises a real label in LDP for the context identifier. The protector node listens for the BGP labeled unicast routes advertised by both the protected node and backup node and populates the context label table and backup FIB. When traffic with the real context LDP label arrives, the lookup is done in the context of a protected node. The protector node often acts as the backup node.

The PLR detects the protected node failure and forwards the MPLS traffic to the protector node. The high IGP metric along with the LDP label advertised by the protector node ensure that the PLR uses the protector node as an LDP backup LSP.

There are two supported protection types: collocated protector and centralized protector. In the collocated type, the protector node is also the backup node. In the centralized type, the backup node is different from the protector node.

Configuring Egress Protection for BGP Labeled Unicast

Fast protection for egress nodes is available to services in which BGP labeled unicast interconnects IGP areas, levels, or ASs. If a provider router detects that an egress router (AS or area border router) is down, it immediately forwards the traffic destined to that router to a protector router that forwards the traffic downstream to the destination.

Before configuring egress protection for BGP labeled unicast, ensure that all routers in the AS or area are running Junos OS 14.1 or a later release.

To configure egress protection for BGP labeled unicast:

  1. Add the following configuration to the protected router:
    content_copy zoom_out_map
    [edit protocols]
       mpls {
           egress-protection {
               context-identifier context-id {
                    primary;
               }
           }
       }
       bgp {
           group group-name {
               type internal;
               family inet {
                   labeled-unicast {
                       egress-protection {
                           context-identifier context-id;
                       }
                   }
               }
           }
        }
  2. Add the following configuration to the protector router:
    content_copy zoom_out_map
    [edit protocols]
       mpls {
           egress-protection {
               context-identifier context-id {
                    protector;
               }
           }
       }
       bgp {
           group group-name {
               type internal;
               family inet {
                   labeled-unicast {
                       egress-protection;
                   }
               }
           }
        }
  3. Add the following configuration to the PLR (point of local repair) router:
    content_copy zoom_out_map
    [edit protocols]
mpls {
    interface all;
    interface fxp0.0 {
        disable;
    }
}
isis {
    backup-spf-options per-prefix-calculation;
    level 1 disable;
    interface all {
        node-link-protection;
    }
}
ldp {
    track-igp-metric;
    interface all;
    interface fxp0.0 {
        disable;
    }
}
  4. Run show bgp neighbor on the protected router to verify that egress protection is enabled, for example:
    content_copy zoom_out_map
    user@host# run show bgp neighbor 
Peer: 192.0.2.2+179 AS 65536 Local: 192.0.2.1+59264 AS 65536
Type: Internal    State: Established    Flags: <ImportEval Sync>
Last State: OpenConfirm   Last Event: RecvKeepAlive   
Last Error: None   
Options: <Preference LocalAddress KeepAll AddressFamily Rib-group Refresh>
Address families configured: inet-label-unicast   
Local Address: 192.0.2.1 Holdtime: 90 Preference: 170   
NLRI configured with egress-protection: inet-label-unicast   
Egress-protection NLRI inet-label-unicast   
Number of flaps: 0

See Also

Example: Configuring Egress Protection for BGP Labeled Unicast

This example shows how to configure BGP labeled unicast protection that can be used in case of a PE failure in an Inter-AS Option C topology.

Requirements

This example uses the following hardware and software components:

  • M Series Multiservice Edge Routers, MX Series 5G Universal Routing Platforms, or T Series Core Routers

  • Junos OS Release 14.1 or later

Overview

When network node or link failures occur, it takes some time to restore service using traditional routing table convergence. Local repair procedures can provide much faster restoration by establishing local protection as close to a failure as possible. Fast protection for egress nodes is available to services in which BGP labeled unicast interconnects IGP areas, levels, or autonomous systems (ASs). If a provider router detects that an egress router (AS or area border router) is down, it immediately forwards the traffic destined to that router to a protector router that forwards the traffic downstream to the destination.

This example shows how to configure labeled-unicast egress protection in a Layer 3 VPN.

Topology

In this example, an Inter-AS Option C topology is set up by configuring two customer edge (CE) devices and six service provider edge (PE) devices in four autonomous systems. The CE devices are configured in AS100 and AS101. The PE devices are configured in AS200 and AS300.

Figure 3 shows the topology used in this example.

Figure 3: Egress Protection in a Layer 3 VPNEgress Protection in a Layer 3 VPN

The aim of this example is to protect PE Router R4. Egress protection is configured on Router R4 and Router R9 so that the traffic can be routed through the backup link (R9 to R8) when Router R4 (or the link from R5 to R4) goes down. In this example, Router R4 is the protected router, Router R9 is the protector router, and Router R5 is the point of local repair (PLR).

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Router R0

content_copy zoom_out_map
set interfaces ge-0/0/0 unit 0 description toR1
set interfaces ge-0/0/0 unit 0 family inet address 10.2.0.1/30
set interfaces lo0 unit 0 family inet address 192.0.2.1/24 primary
set routing-options router-id 192.0.2.1
set routing-options autonomous-system 100
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 metric 10

Router R1

content_copy zoom_out_map
set interfaces ge-0/0/0 unit 0 description toR0
set interfaces ge-0/0/0 unit 0 family inet address 10.2.0.2/30
set interfaces ge-0/0/0 unit 0 family mpls
set interfaces ge-0/0/1 unit 0 description toR2
set interfaces ge-0/0/1 unit 0 family inet address 10.2.0.5/30
set interfaces ge-0/0/1 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 192.0.2.2/24
set routing-options router-id 192.0.2.2
set routing-options autonomous-system 200
set protocols mpls label-switched-path ToR3 to 192.0.2.4
set protocols mpls label-switched-path ToR8 to 192.0.2.9
set protocols mpls interface all
set protocols bgp group parent-vpn-peers type internal
set protocols bgp group parent-vpn-peers local-address 192.0.2.2
set protocols bgp group parent-vpn-peers family inet unicast
set protocols bgp group parent-vpn-peers family inet labeled-unicast rib inet.3
set protocols bgp group parent-vpn-peers neighbor 192.0.2.4
set protocols bgp group parent-vpn-peers neighbor 192.0.2.9
set protocols bgp group toR6 type external
set protocols bgp group toR6 multihop ttl 10
set protocols bgp group toR6 local-address 192.0.2.2
set protocols bgp group toR6 family inet-vpn unicast
set protocols bgp group toR6 peer-as 300
set protocols bgp group toR6 neighbor 192.0.2.7
set protocols ospf traffic-engineering
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 metric 10
set protocols ldp interface ge-0/0/1.0
set protocols ldp interface lo0.0
set policy-options policy-statement child_vpn_routes term 1 from protocol bgp
set policy-options policy-statement child_vpn_routes term 1 then accept
set policy-options policy-statement child_vpn_routes term 2 then reject
set policy-options policy-statement vpnexport term 1 from protocol ospf
set policy-options policy-statement vpnexport term 1 then community add test_comm
set policy-options policy-statement vpnexport term 1 then accept
set policy-options policy-statement vpnexport term 2 then reject
set policy-options policy-statement vpnimport term 1 from protocol bgp
set policy-options policy-statement vpnimport term 1 from community test_comm
set policy-options policy-statement vpnimport term 1 then accept
set policy-options policy-statement vpnimport term 2 then reject
set policy-options community text_comm members target:1:200
set routing-instances customer-provider-vpn instance-type vrf
set routing-instances customer-provider-vpn interface ge-0/0/0.0
set routing-instances customer-provider-vpn route-distinguisher 192.0.2.4:1
set routing-instances customer-provider-vpn vrf-import vpnimport
set routing-instances customer-provider-vpn vrf-export vpnexport
set routing-instances customer-provider-vpn vrf-target target:200:1
set routing-instances customer-provider-vpn protocols ospf export child_vpn_routes
set routing-instances customer-provider-vpn protocols ospf area 0.0.0.0 interface ge-0/0/0.0

Router R2

content_copy zoom_out_map
set interfaces ge-0/0/0 unit 0 description toR3
set interfaces ge-0/0/0 unit 0 family inet address 10.2.0.9/30
set interfaces ge-0/0/0 unit 0 family mpls
set interfaces ge-0/0/1 unit 0 description toR1
set interfaces ge-0/0/1 unit 0 family inet address 10.2.0.6/30
set interfaces ge-0/0/1 unit 0 family mpls
set interfaces ge-0/0/2 unit 0 description toR8
set interfaces ge-0/0/2 unit 0 family inet address 10.2.0.29/30
set interfaces ge-0/0/2 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 192.0.2.3/24
set routing-options router-id 192.0.2.3
set routing-options autonomous-system 200
set protocols mpls interface all
set protocols ospf traffic-engineering
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 metric 10
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 metric 10
set protocols ospf area 0.0.0.0 interface ge-0/0/2.0 metric 10
set protocols ldp interface ge-0/0/0.0
set protocols ldp interface ge-0/0/1.0
set protocols ldp interface ge-0/0/2.0
set protocols ldp interface lo0.0

Router R3

content_copy zoom_out_map
set interfaces ge-0/0/0 unit 0 description toR2
set interfaces ge-0/0/0 unit 0 family inet address 10.2.0.10/30
set interfaces ge-0/0/0 unit 0 family mpls
set interfaces ge-0/0/1 unit 0 description toR4
set interfaces ge-0/0/1 unit 0 family inet address 10.2.0.13/30
set interfaces ge-0/0/1 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 192.0.2.4/24
set routing-options router-id 192.0.2.4
set routing-options autonomous-system 200
set protocols mpls traffic-engineering bgp-igp-both-ribs
set protocols mpls label-switched-path ToR1 to 192.0.2.2
set protocols mpls interface all
set protocols bgp group toR4 type external
set protocols bgp group toR4 family inet unicast
set protocols bgp group toR4 family inet labeled-unicast rib inet.3
set protocols bgp group toR4 export send-pe
set protocols bgp group toR4 neighbor 10.2.0.14 peer-as 300
set protocols bgp group parent-vpn-peers type internal
set protocols bgp group parent-vpn-peers local-address 192.0.2.4
set protocols bgp group parent-vpn-peers family inet unicast
set protocols bgp group parent-vpn-peers family inet labeled-unicast rib inet.3
set protocols bgp group parent-vpn-peers export next-hop-self
set protocols bgp group parent-vpn-peers neighbor 192.0.2.2
set protocols bgp group parent-vpn-peers neighbor 192.0.2.9
set protocols ospf traffic-engineering
set protocols ospf export from-bgp
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 metric 10
set protocols ldp interface ge-0/0/0.0
set protocols ldp interface ge-0/0/1.0
set protocols ldp interface lo0.0
set policy-options policy-statement next-hop-self term 1 then next-hop-self
set policy-options policy-statement send-pe from route-filter 192.0.2.2/24 exact
set policy-options policy-statement send-pe then accept

Router R4

content_copy zoom_out_map
set interfaces ge-0/0/0 unit 0 description toR5
set interfaces ge-0/0/0 unit 0 family inet address 10.2.0.17/30
set interfaces ge-0/0/0 unit 0 family iso
set interfaces ge-0/0/0 unit 0 family mpls
set interfaces ge-0/0/1 unit 0 description toR3
set interfaces ge-0/0/1 unit 0 family inet address 10.2.0.14/30
set interfaces ge-0/0/1 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 192.0.2.5/24
set interfaces lo0 unit 0 family iso address 47.0005.80ff.f800.0000.0108.0001.0102.5507.2049.00
set routing-options router-id 192.0.2.5
set routing-options autonomous-system 300
set protocols mpls traffic-engineering bgp-igp-both-ribs
set protocols mpls label-switched-path ToR6 to 192.0.2.7
set protocols mpls interface all
set protocols mpls interface fxp.0 disable
set protocols mpls egress-protection context-identifier 203.0.113.1 primary
set protocols bgp group parent-vpn-peers type internal
set protocols bgp group parent-vpn-peers local-address 192.0.2.5
set protocols bgp group parent-vpn-peers family inet unicast
set protocols bgp group parent-vpn-peers family inet labeled-unicast rib inet.3
set protocols bgp group parent-vpn-peers family inet labeled-unicast egress-protection context-identifier 203.0.113.1
set protocols bgp group parent-vpn-peers export next-hop-self
set protocols bgp group parent-vpn-peers neighbor 192.0.2.7
set protocols bgp group parent-vpn-peers neighbor 192.0.2.10
set protocols bgp group toR3 type external
set protocols bgp group toR3 family inet labeled-unicast rib inet.3
set protocols bgp group toR3 export send-pe
set protocols bgp group toR3 peer-as 200
set protocols bgp group toR3 neighbor 10.2.0.13
set protocols isis level 1 disable
set protocols isis level 2 wide-metrics-only
set protocols isis interface ge-0/0/0.0 level 2 metric 10
set protocols isis interface lo0.0 passive
set protocols ldp interface ge-0/0/0.0
set protocols ldp interface ge-0/0/1.0
set protocols ldp interface lo0.0
set policy-options policy-statement next-hop-self term 1 then next-hop-self
set policy-options policy-statement send-pe from route-filter 192.0.2.7/24 exact
set policy-options policy-statement send-pe then accept

Router R5

content_copy zoom_out_map
set interfaces ge-0/0/0 unit 0 description toR4
set interfaces ge-0/0/0 unit 0 family inet address 10.2.0.18/30
set interfaces ge-0/0/0 unit 0 family iso
set interfaces ge-0/0/0 unit 0 family mpls
set interfaces ge-0/0/1 unit 0 description toR6
set interfaces ge-0/0/1 unit 0 family inet address 10.2.0.21/30
set interfaces ge-0/0/1 unit 0 family iso
set interfaces ge-0/0/1 unit 0 family mpls
set interfaces ge-0/0/2 unit 0 description toR9
set interfaces ge-0/0/2 unit 0 family inet address 10.2.0.38/30
set interfaces ge-0/0/2 unit 0 family iso
set interfaces ge-0/0/2 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 192.0.2.6/24
set interfaces lo0 unit 0 family iso address 47.0005.80ff.f800.0000.0108.0001.0102.5507.2050.00
set routing-options router-id 192.0.2.6
set routing-options autonomous-system 300
set protocols mpls interface all
set protocols mpls interface fxp0.0 disable
set protocols isis backup-spf-options per-prefix-calculation
set protocols isis level 1 disable
set protocols isis level 2 wide-metrics-only
set protocols isis interface all node-link-protection
set protocols isis interface fxp0.0 disable 
set protocols isis interface ge-0/0/0.0 link-protection
set protocols isis interface ge-0/0/0.0 level 2 metric 10
set protocols isis interface ge-0/0/1.0 link-protection
set protocols isis interface ge-0/0/1.0 level 2 metric 10
set protocols isis interface ge-0/0/2.0 link-protection
set protocols isis interface ge-0/0/2.0 level 2 metric 10
set protocols isis interface lo0.0 passive
set protocols ldp track-igp-metric
set protocols ldp interface all
set protocols ldp interface fxp0.0 disable

Router R6

content_copy zoom_out_map
set interfaces ge-0/0/0 unit 0 description toR7
set interfaces ge-0/0/0 unit 0 family inet address 10.2.0.25/30 
set interfaces ge-0/0/0 unit 0 family iso 
set interfaces ge-0/0/0 unit 0 family mpls
set interfaces ge-0/0/1 unit 0 description toR5
set interfaces ge-0/0/1 unit 0 family inet address 10.2.0.22/30 
set interfaces ge-0/0/1 unit 0 family iso 
set interfaces ge-0/0/1 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 192.0.2.7/24
set interfaces lo0 unit 0 family iso address 47.0005.80ff.f800.0000.0108.0001.0102.5507.2048.00
set routing-options router-id 192.0.2.7
set routing-options autonomous-system 300
set protocols mpls label-switched-path ToR4 to 192.0.2.5
set protocols mpls label-switched-path ToR9 to 192.0.2.10
set protocols mpls interface all
set protocols bgp group parent-vpn-peers type internal
set protocols bgp group parent-vpn-peers local-address 192.0.2.7
set protocols bgp group parent-vpn-peers family inet unicast
set protocols bgp group parent-vpn-peers family inet labeled-unicast rib inet.3
set protocols bgp group parent-vpn-peers neighbor 192.0.2.5
set protocols bgp group parent-vpn-peers neighbor 192.0.2.10
set protocols bgp group toR1 type external
set protocols bgp group toR1 multihop ttl 10
set protocols bgp group toR1 local-address 192.0.2.7
set protocols bgp group toR1 family inet-vpn unicast
set protocols bgp group toR1 peers-as 200
set protocols bgp group toR1 neighbor 192.0.2.2
set protocols isis level 1 disable
set protocols isis level 2 wide-metrics-only
set protocols isis interface ge-0/0/1.0 level 2 metric 10
set protocols isis interface lo0.0 passive
set protocols ldp interface ge-0/0/1.0
set protocols ldp interface lo0.0
set policy-options policy-statement child-vpn-routes term 1 from protocol bgp
set policy-options policy-statement child-vpn-routes term 1 then accept
set policy-options policy-statement child-vpn-routes term 2 then reject
set policy-options policy-statement vpnexport term 1 from protocol ospf
set policy-options policy-statement vpnexport term 1 then community add test_comm
set policy-options policy-statement vpnexport term 1 then accept
set policy-options policy-statement vpnexport term 2 then reject
set policy-options policy-statement vpnimport term 1 from protocol bgp
set policy-options policy-statement vpnimport term 1 from community test_comm
set policy-options policy-statement vpnimport term 1 then accept
set policy-options policy-statement vpnimport term 2 then reject
set policy-options community test_comm members target:1:300
set routing-instances customer-provider-vpn instance-type vrf
set routing-instances customer-provider-vpn interface ge-0/0/0.0
set routing-instances customer-provider-vpn route-distinguisher 192.0.2.5:1
set routing-instances customer-provider-vpn vrf-import vpnimport
set routing-instances customer-provider-vpn vrf-export vpnexport
set routing-instances customer-provider-vpn vrf-target target:300:1
set routing-instances customer-provider-vpn protocols ospf export child-vpn-routes
set routing-instances customer-provider-vpn protocols ospf area 0.0.0.0 interface ge-0/0/0.0

Router R7

content_copy zoom_out_map
set interfaces ge-0/0/0 unit 0 description toR6
set interfaces ge-0/0/0 unit 0 family inet address 10.2.0.26/30
set interfaces ge-0/0/0 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 192.0.2.8/24 primary
set routing-options router-id 192.0.2.8
set routing-options autonomous-system 101
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 metric 10

Router R8

content_copy zoom_out_map
set interfaces ge-0/0/0 unit 0 description toR9
set interfaces ge-0/0/0 unit 0 family inet address 10.2.0.33/30
set interfaces ge-0/0/0 unit 0 family mpls
set interfaces ge-0/0/1 unit 0 description toR2
set interfaces ge-0/0/1 unit 0 family inet address 10.2.0.30/30
set interfaces ge-0/0/1 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 192.0.2.9/24
set routing-options router-id 192.0.2.9
set routing-options autonomous-system 200
set protocols mpls traffic-engineering bgp-igp-both-ribs
set protocols mpls label-switched-path ToR1 to 192.0.2.2
set protocols mpls interface all
set protocols bgp group toR9 type external
set protocols bgp group toR9 family inet unicast
set protocols bgp group toR9 family inet labeled-unicast rib inet.3
set protocols bgp group toR9 export send-pe
set protocols bgp group toR9 neighbor 10.2.0.34 peer-as 300
set protocols bgp group parent-vpn-peers type internal
set protocols bgp group parent-vpn-peers local-address 192.0.2.9
set protocols bgp group parent-vpn-peers family inet unicast
set protocols bgp group parent-vpn-peers family inet labeled-unicast rib inet.3
set protocols bgp group parent-vpn-peers export next-hop-self
set protocols bgp group parent-vpn-peers neighbor 192.0.2.2
set protocols bgp group parent-vpn-peers neighbor 192.0.2.4
set protocols ospf traffic-engineering
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 metric 10
set protocols ldp interface ge-0/0/0.0
set protocols ldp interface ge-0/0/1.0
set protocols ldp interface lo0.0
set policy-options policy-statement from-bgp from protocol bgp
set policy-options policy-statement from-bgp then metric add 100
set policy-options policy-statement from-bgp then accept
set policy-options policy-statement next-hop-self term 1 then next-hop-self
set policy-options policy-statement send-pe from route-filter 192.0.2.2/24 exact
set policy-options policy-statement send-pe then accept

Router R9

content_copy zoom_out_map
set interfaces ge-0/0/0 unit 0 description toR8
set interfaces ge-0/0/0 unit 0 family inet address 10.2.0.34/30
set interfaces ge-0/0/0 unit 0 family mpls
set interfaces ge-0/0/1 unit 0 description toR5
set interfaces ge-0/0/1 unit 0 family inet address 10.2.0.37/30
set interfaces ge-0/0/1 unit 0 family iso
set interfaces ge-0/0/1 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 192.0.2.10/24
set interfaces lo0 unit 0 family iso address 47.0005.80ff.f800.0000.0108.0001.0102.5507.2062.00
set routing-options router-id 192.0.2.10
set routing-options autonomous-system 300
set protocols mpls traffic-engineering bgp-igp-both-ribs
set protocols mpls label-switched-path ToR6 to 192.0.2.7
set protocols mpls interface all
set protocols mpls egress-protection context-identifier 203.0.113.1 protector
set protocols bgp group parent-vpn-peers type internal
set protocols bgp group parent-vpn-peers local-address 192.0.2.10
set protocols bgp group parent-vpn-peers family inet unicast
set protocols bgp group parent-vpn-peers family inet labeled-unicast rib inet.3
set protocols bgp group parent-vpn-peers family inet labeled-unicast egress-protection
set protocols bgp group parent-vpn-peers export next-hop-self
set protocols bgp group parent-vpn-peers neighbor 192.0.2.7
set protocols bgp group parent-vpn-peers neighbor 192.0.2.5
set protocols bgp group toR8 type external
set protocols bgp group toR8 family inet labeled-unicast rib inet.3
set protocols bgp group toR8 export send-pe
set protocols bgp group toR8 neighbor 10.2.0.33 peer-as 200
set protocols isis level 1 disable
set protocols isis level 2 wide-metrics-only
set protocols isis interface ge-0/0/1.0 level 2 metric 10
set protocols isis interface lo0.0 passive
set protocols ldp interface ge-0/0/0.0
set protocols ldp interface ge-0/0/1.0
set protocols ldp interface lo0.0
set policy-options policy-statement next-hop-self term 1 then next-hop-self
set policy-options policy-statement send-pe from route-filter 192.0.2.7/24 exact
set policy-options policy-statement send-pe then accept

Configuring Egress Protection in Layer 3 VPNs

Step-by-Step Procedure

The following example requires that you navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure labeled unicast egress protection:

  1. Configure the interfaces on each router, for example:

    content_copy zoom_out_map
    [edit interfaces]
user@R4# set ge-0/0/0 unit 0 description toR5
user@R4# set ge-0/0/0 unit 0 family inet address 10.2.0.17/30
user@R4# set ge-0/0/0 unit 0 family iso
user@R4# set ge-0/0/0 unit 0 family mpls
    content_copy zoom_out_map
    user@R4# set ge-0/0/1 unit 0 description toR3
user@R4# set ge-0/0/1 unit 0 family inet address 10.2.0.14/30
user@R4# set ge-0/0/1 unit 0 family mpls
    content_copy zoom_out_map
    user@R4# set lo0 unit 0 family inet address 192.0.2.5/24
user@R4# set lo0 unit 0 family iso address 47.0005.80ff.f800.0000.0108.0001.0102.5507.2049.00

  2. Configure the router ID and autonomous system (AS) number for each router, for example:

    content_copy zoom_out_map
    [edit routing-options]
user@R4# set router-id 192.0.2.5
user@R4# set autonomous-system 300

    In this example, the router ID is chosen to be identical to the loopback address configured on the router.

  3. Configure the protocols on each router, for example:

    content_copy zoom_out_map
    [edit protocols]
user@R4# set mpls traffic-engineering bgp-igp-both-ribs
user@R4# set mpls label-switched-path ToR6 to 192.0.2.7
user@R4# set mpls interface all
user@R4# set mpls interface fxp.0 disable
user@R4# set bgp group parent-vpn-peers type internal
user@R4# set bgp group parent-vpn-peers local-address 192.0.2.5
user@R4# set bgp group parent-vpn-peers family inet unicast
user@R4# set bgp group parent-vpn-peers family inet labeled-unicast rib inet.3
user@R4# set bgp group parent-vpn-peers export next-hop-self
user@R4# set bgp group parent-vpn-peers neighbor 192.0.2.7
user@R4# set bgp group parent-vpn-peers neighbor 192.0.2.10
user@R4# set bgp group toR3 type external
user@R4# set bgp group toR3 family inet labeled-unicast rib inet.3
user@R4# set bgp group toR3 export send-pe
user@R4# set bgp group toR3 peer-as 200
user@R4# set bgp group toR3 neighbor 10.2.0.13
user@R4# set isis level 1 disable
user@R4# set isis level 2 wide-metrics-only
user@R4# set isis interface ge-0/0/0.0 level 2 metric 10
user@R4# set isis interface lo0.0 passive
user@R4# set ldp interface ge-0/0/0.0
user@R4# set ldp interface ge-0/0/1.0
user@R4# set ldp interface lo0.0

  4. Configure routing policies on all PE routers and AS border routers (Routers R1, R3, R4, R6, R8, and R9), for example:

    content_copy zoom_out_map
    user@R4# set policy-options policy-statement next-hop-self term 1 then next-hop-self
user@R4# set policy-options policy-statement send-pe from route-filter 192.0.2.7/24 exact
user@R4# set policy-options policy-statement send-pe then accept

  5. Configure the VPN routing instance on Routers R1 and R6.

    content_copy zoom_out_map
    user@R1# set routing-instances customer-provider-vpn instance-type vrf
user@R1# set routing-instances customer-provider-vpn interface ge-0/0/0.0
user@R1# set routing-instances customer-provider-vpn route-distinguisher 192.0.2.4:1
user@R1# set routing-instances customer-provider-vpn vrf-import vpnimport
user@R1# set routing-instances customer-provider-vpn vrf-export vpnexport
user@R1# set routing-instances customer-provider-vpn vrf-target target:200:1
user@R1# set routing-instances customer-provider-vpn protocols ospf export child_vpn_routes
user@R1# set routing-instances customer-provider-vpn protocols ospf area 0.0.0.0 interface ge-0/0/0.0

    and

    content_copy zoom_out_map
    user@R6# set routing-instances customer-provider-vpn instance-type vrf
user@R6# set routing-instances customer-provider-vpn interface ge-0/0/0.0
user@R6# set routing-instances customer-provider-vpn route-distinguisher 192.0.2.5:1
user@R6# set routing-instances customer-provider-vpn vrf-import vpnimport
user@R6# set routing-instances customer-provider-vpn vrf-export vpnexport
user@R6# set routing-instances customer-provider-vpn vrf-target target:300:1
user@R6# set routing-instances customer-provider-vpn protocols ospf export child-vpn-routes
user@R6# set routing-instances customer-provider-vpn protocols ospf area 0.0.0.0 interface ge-0/0/0.0

  6. Configure egress protection for Router R4, setting Router R4 as the protected router and Router R9 as the protector.

    content_copy zoom_out_map
    user@R4# set protocols mpls egress-protection context-identifier 203.0.113.1 primary
user@R4# set protocols bgp group parent-vpn-peers family inet labeled-unicast egress-protection context-identifier 203.0.113.1

    and

    content_copy zoom_out_map
    user@R9# set protocols mpls egress-protection context-identifier 203.0.113.1 protector
user@R9# set protocols bgp group parent-vpn-peers family inet labeled-unicast egress-protection

Results

From configuration mode, confirm your configuration by entering the show interfaces, show routing-options, show protocols, show policy-options (if applicable), and show routing-instances (if applicable) commands.

If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

content_copy zoom_out_map
user@R4# show interfaces
ge-0/0/0 {
    unit 0 {
        description toR5;
        family inet {
            address 10.2.0.17/30;
        }
        family iso;
        family mpls;
    }
}
ge-0/0/1 {
    unit 0 {
        description toR3;
        family inet {
            address 10.2.0.14/30;
        }
        family mpls;
    }
}
lo0 {
    unit 0 {
        family inet {
            address 192.0.2.5/24;
        }
        family iso {
            address 47.0005.80ff.f800.0000.0108.0001.0102.5507.2049.00;
        }
    }
}
content_copy zoom_out_map
user@R4# show routing-options
router-id 192.0.2.5;
autonomous-system 300;
content_copy zoom_out_map
user@R4# show protocols
mpls {
    traffic-engineering bgp-igp-both-ribs;
    label-switched-path ToR6 {
        to 192.0.2.7;
    }
    interface all;
    interface fxp0.0 {
        disable;
    }
    egress-protection {
        context-identifier 203.0.113.1 {
            primary;
        }
    }
}
bgp {
    group parent-vpn-peers {
        type internal;
        local-address 192.0.2.5;
        family inet {
            unicast;
            labeled-unicast {
                rib {
                    inet.3;
                }
                egress-protection {
                    context-identifier {
                        203.0.113.1;
                    }
                }
            }
        }
        export next-hop-self;
        neighbor 192.0.2.7;
        neighbor 192.0.2.10;
    }
    group toR3 {
        type external;
        family inet {
            unicast;
            labeled-unicast {
                rib {
                    inet.3;
                }
            }
        }
        export send-pe;
        peer-as 200;
        neighbor 10.2.0.13;
    }
}
isis {
    level 1 disable;                    
    level 2 wide-metrics-only;
    interface ge-0/0/0.0 {
        level 2 metric 10;
    }
    interface lo0.0 {
        passive;
    }
}
ldp {
    interface ge-0/0/0.0;
    interface ge-0/0/1.0;
    interface lo0.0;
}
content_copy zoom_out_map
user@R4# show policy-options
policy-statement next-hop-self {
    term 1 {
        then {
            next-hop self;
        }
    }
}
policy-statement send-pe {
    from {
        route-filter 192.0.2.7/24 exact;
    }
    then accept;
}

If you are done configuring the router, enter commit from configuration mode.

Repeat the procedure for every router in this example, using the appropriate interface names and addresses for each router.

Verification

Verifying That Egress Protection Is Enabled

Purpose

Verify that egress protection is enabled on the protected router, Router R4.

Action

Run show bgp neighbor on Router R4 to verify that egress protection is enabled.

content_copy zoom_out_map
user@R4> show bgp neighbor
Peer: 192.0.2.10+45824 AS 300    Local: 192.0.2.5+27630 AS 300  
  Type: Internal    State: Established    Flags: <Sync> 
  Last State: OpenConfirm   Last Event: RecvKeepAlive 
  Last Error: None 
  Export: [ next-hop-self ]  
  Options: <Preference LocalAddress AddressFamily Refresh>
  Address families configured: inet-unicast inet-labeled-unicast
  Local Address: 192.0.2.5 Holdtime: 90 Preference: 170
  NLRI configured with egress-protection: inet-labeled-unicast
  Egress-protection NLRI inet-labeled-unicast context-identifier: 203.0.113.1
  Number of flaps: 0
  ...

Verifying the State of the Protected ASBR as ’primary’

Purpose

Verify that the state of the protected AS border router, Router R4, is ’primary’.

Action

Run show mpls context-identifier on Router R4.

content_copy zoom_out_map
user@R4> show mpls context-identifier
ID                Type        Metric     ContextTable
203.0.113.1         primary     1        
Total 1, Primary 1, Protector 0

Verifying the State of the Protector ASBR as ’protector’

Purpose

Verify that the state of the protector AS border router, Router R9, is ’protector’.

Action

Run show mpls context-identifier on Router R9.

content_copy zoom_out_map
user@R9> show mpls context-identifier
ID                Type        Metric     ContextTable
203.0.113.1         protector   16777215   __203.0.113.1__.mpls.0    
Total 1, Primary 0, Protector 1

See Also

Egress Protection for Layer 3 VPN Edge Protection Overview

Typically, Layer 3 VPN service restoration for multihomed customer edge (CE) routers depends on the ingress provider edge (PE) router to detect the egress PE link or node failure and switch traffic to the backup PE router. To achieve faster restoration, a protector mechanism for the PE router can be used to perform local restoration of the service immediately in case of an egress PE node failure. This mechanism requires the router at the point of local repair (PLR) to redirect VPN traffic to a protector PE router for fast reroute of traffic.

The following topology describes the concept of egress protection.

Figure 4: Sample Topology for Egress ProtectionSample Topology for Egress Protection

In this topology:

Router PE3 acts as the protector for the PE2 Layer 3 VPN routing instances or subnets.

The CE routers are part of a VPN where Router CE1 is multihomed with Router PE1 and Router PE2. Likewise, Router CE2 is multihomed with Routers PE2 and PE3.

Router PE1 can be the originator for the context identifier for Router CE1, while Router PE2 is the protector for that context identifier. Likewise, PE2 can be the originator for the context identifier for Router CE2, while Router PE3 is the protector for that context identifier.

The working path taken by Router PE4 might be through PLR>PE2 for both Router CE1 and Router CE2. The backup path for Router CE1 is through PLR>PE1. The backup path for Router CE2 is through PLR>PE3. Traffic flows through the working path under normal circumstances.

When Router PE4 detects a PE2 node or link failure, traffic is rerouted from the working path to the protected path. In the normal failover process, the detection of failure and the recovery rely on the control plane and is therefore relatively slow.

Typically, if there is a link or node failure in the core network, the egress PE router would have to rely on the ingress PE router to detect the failure and switch over to the backup path, because a local repair option for egress failure is not available.

To provide a local repair solution for the egress PE link or node failure, a mechanism known as egress protection can be used to repair and restore the connection quickly. If egress protection is configured, the PLR router detects the PE2 link or node failure and reroutes traffic through the protector Router PE3 using the backup LDP-signaled label-switched path (LSP). The PLR router uses per-prefix loop-free alternate routes to program the backup next hop through Router PE3, and traffic is forwarded to Routers CE1 and CE2 using the alternate paths. This restoration is done quickly after the PLR router detects the Router PE2 egress node or link failure.

The dual protection mechanism can also be used for egress protection where the two PE routers can simultaneously act as the primary PE router and the protector PE router for their respective context ID routes or next hops.

Router Functions

In Figure 4, the following routers perform the following functions:

Protected PE Router

The protected PE, PE2, performs the following functions:

  • Updates a context identifier for the BGP next hop for the Layer 3 VPN prefix.

  • Advertises the context identifier to the IS-IS domain.

Protector PE Router

The protector PE router, PE3, performs the following functions:

  • Advertises the context identifier to the IS-IS domain with a high metric. The high IGP metric (configurable) along with the LDP label ensures that the PLR router uses the LDP-signaled backup LSP in the event of an egress PE router failure.

  • Builds a context-label table for route lookup and a backup forwarding table for the protected PE router (PE2).

    Note:

    The protector PE router should not be in the forwarding path to the primary PE router.

PLR Router

The router acting as the point of local repair (PLR) performs the following functions:

  • Computes per-prefix loop-free alternate routes. For this computation to work, the configuration of the node-link-protection statement and the backup-spf-options per-prefix-calculation statement is necessary at the [edit protocols isis] hierarchy level.

  • Installs backup next hops for the context identifier through the PE3 router (protector PE).

  • Detects PE router failure and redirects the transport LSP traffic to the protector.

Note:

The PLR router must be directly connected to the protector router (in this case, PE3). If not, the loop-free alternate route cannot find the backup path to the protector. This limitation is removed in Junos OS Release 13.3 and later.

Protector and Protection Models

Protector is a new role or function for the restoration of egress PE node failure. This role could be played by a backup egress PE router or any other node that participates in the VPN control plane for VPN prefixes that require egress node protection. There are two protection models based on the location and role of a protector:

  • Co-located protector—In this model, the protector PE router and the backup PE router configurations are done on the same router. The protector is co-located with the backup PE router for the protected prefix, and it has a direct connection to the multihomed site that originates the protected prefix. In the event of an egress PE failure, the protector receives traffic from the PLR router and routes the traffic to the multihomed site.

  • Centralized protector—In this model, the protector PE router and the backup PE router are different. The centralized protector might not have a direct connection to the multihomed site. In the event of an egress PE link or node failure, the centralized protector reroutes the traffic to the backup egress PE router with the VPN label advertised for the backup egress PE router that takes over the role of sending traffic to the multihomed site.

A network can use either of the protection models or a combination of both, depending on the requirement.

As a special scenario of egress node protection, if a router is both a Protector and a PLR, it installs backup next hops to protect the transport LSP. In particular, it does not need a bypass LSP for local repair.

In the Co-located protector model, the PLR or the Protector is directly connected to the CE via a backup AC, while in the Centralized protector model, the PLR or the protector has an MPLS tunnel to the backup PE. In either case, the PLR or the Protector will install a backup next hop with a label followed by a lookup in a context label table, i.e. __context__.mpls.0. When the egress node fails, the PLR or the Protector will switch traffic to this backup next hop in PFE. The outer label (th etransport LSP label) of packets is popped, and the inner label (the layer 3 VPN label allocated by the egress node) is looked up in __context__.mpls.0, which results in forwarding the packets directly to the CE (in Collocated protector model) or the backup PE (in Centralized protector model).

For more information about egress PE failure protection, see Internet draft draft-minto-2547-egress-node-fast-protection-00, 2547 egress PE Fast Failure Protection..

IGP Advertisement Model

Egress protection availability is advertised in the interior gateway protocol (IGP). Label protocols along with Constrained Shortest Path First (CSPF) use this information to do egress protection.

For Layer 3 VPNs, the IGP advertisements can be of the following types:

  • Context identifier as a stub link (supported in Junos OS 11.4 R3 and later). A link connecting a stub node to a transit node is a stub link.

  • Context identifier as a stub alias node (supported in Junos OS 13.3 and later).

  • Context identifier as a stub proxy node (supported in Junos OS 13.3 and later).

By default, the stub link is used. To enable enhanced point-of-local-repair (PLR) functionality, in which the PLR reroutes service traffic during an egress failure, configure a stub alias node or a stub proxy node as follows:

content_copy zoom_out_map
[edit protocols mpls egress-protection context-identifier 192.0.2.6] 
user@host# set advertise-mode ?
Possible completions:
  stub-alias           Alias
  stub-proxy           Proxy

The two methods offer different advantages, depending on the needs of your network deployment.

Context Identifier as a Stub Alias Node

In the stub alias method, the LSP end-point address has an explicit backup egress node where the backup can be learned or configured on the penultimate hop node of a protected LSP. With this model, the penultimate hop node of a protected LSP sets up the bypass LSP tunnel to back up the egress node by avoiding the primary egress node. This model requires a Junos OS upgrade in core nodes, but is flexible enough to support all traffic engineering constraints.

The PLR learns that the context ID has a protector. When the primary context ID goes down, packets are rerouted to the protector by way of a pre-programmed backup path. The context ID and protector mapping are configured or learned on the PLR and signaled in the IGP from the protector. A routing table called inet.5 on the PLR provides the configured or IGP-learned details.

IS-IS advertises context IDs into the TED through an IP address TLV. IS-IS imports this TLV into the TED as extended information. IS-IS advertises the protector TLV routes in the inet.5 route for the context ID with protocol next hop being the protector’s router ID. If the protector TLV has a label, the label is added to the route in the inet.5 routing table for LDP to use.

CSPF considers the IP address TLV for tunnel endpoint computation.

With the stub alias model, the protector LSP setup does not require any changes in any nodes. But bypass LSP setup for node protection requires changes in the PHN and the protector router.

When RSVP sets up bypass for node protection LSP, RSVP also performs a lookup for the protector if the PLR is the penultimate hop of the LSP. If the protector is available for the LSP destination, it uses CSPF to compute a path with a constraint that excludes the egress PE and sets up a bypass LSP destination to the context ID if one is not already set up. When setting up a bypass LSP to the context ID, the PLR unsets all protection options.

LDP is useful in the case when the network supports 100 percent LFA coverage but does not support 100 percent per-prefix LFA coverage. LDP sets up a backup path with the protector with the context label advertised by the protector to the service point.

In networks in which 100 percent LFA coverage is not available, it is useful to have backup LSP LFAs with RSVP-based tunnels.

In a steady state, the forwarding is the same as on any other protected LSP in the PLR. In the protector, the non-null label that is advertised and signaled for the context ID has the table next hop point to the MPLS context table, where the peers' labels are programmed.

During a failure, the PLR swaps the transport label with the bypass LSP for the context ID or swaps the label context-label (the protector-advertised label for the context ID) and pushes the transport label to the protector lo0 interface address.

Context Identifier as a Stub Proxy Node

Context identifier as a stub proxy node (supported in Junos OS 13.3 and later). A stub node is one that only appears at the end of an AS path, which means it does not provide transit service. In this mode, known as the virtual or proxy mode, the LSP end-point address is represented as a node with bidirectional links, with the LSP's primary egress node and backup egress node. With this representation, the penultimate hop of the LSP primary egress point can behave like a PLR in setting up a bypass tunnel to back up the egress by avoiding the primary egress node. This model has the advantage that you do not need to upgrade Junos OS on core nodes and will thereby help operators to deploy this technology.

The context ID is represented as a node in the traffic engineering (TE) and IGP databases. The primary PE device advertises the context node into the IGP and TE databases. The primary PE device and the protected PE device support one link to the context node with a bandwidth and a TE metric. Other TE characteristics of TE links are not advertised by Junos OS.

In IS-IS, the primary PE router advertises the proxy node along with links to the primary router and the protector router. The primary and the protector routers advertise links to the proxy node. The proxy node builds the following information.

  • System ID—Binary-coded decimal based on the context ID.

  • Host name—Protector-name:context ID

  • LSP-ID—<System-ID>.00

  • PDU type—Level 2 and Level 1, based on the configuration

  • LSP attributes:

    • Overload—1

    • IS_TYPE_L1(0x01) | IS_TYPE_L2(0x02) for the level 2 PDU

    • IS_TYPE_L1 for level 1

    • Multiarea—No

    • All other attributes—0

The proxy node only contains area, MT, host name, router ID, protocols and IS reachabilty TLVs. The area, MT, authentication, and protocols TLV are the same as on the primary. The IS reachability TLVs contains two links called Cnode-primary-link and Cnode-protector-link. Both links include TE TLVs. The following TE-link-TLVs are advertised in context links:

  • IPv4 interface or neighbor address

  • Maximum bandwidth

  • TE default metric

  • Link (local or remote) Identifiers

Sub TLV values:

  • Bandwidth—zero

  • TE metric—Maximum TE metric

  • Interface address—context ID

  • Protector neighbor address—protector router ID

  • Primary neighbor address—protected router ID

  • Link local-ID protector—0x80fffff1

  • Link local-ID primary—0x80fffff2

  • Link remote-ID protector—Learned from protector

  • Link remote-ID primary—Learned from primary

Protected PE links to context node (primary advertises the link with the following details):

  • Bandwidth—Maximum

  • TE metric—1

  • Interface address—Router ID

  • Context neighbor address—Context ID

  • Link local-ID to context node—Automatically generated (similar to a sham link)

  • Link remote-ID to context node—0x80fffff2

Protector PE links to context node:

  • The protector advertises unnumbered transit links with the maximum routable link metric and the maximum TE metric and zero bandwidth to the context node. Other TE characteristics are not advertised.

Unnumbered links are advertised with the following attributes:

  • bandwidth—0

  • TE metric—MAX TE metric

  • Interface address—Router ID

  • Context neighbor address—Context ID

  • Link local ID to context node—Autogenerated (similar to a sham link)

  • Link remote ID to context node—0x80fffff1

In RSVP, the behavior changes are only in the protector and primary routers. RSVP terminates the LSP and the bypass LSP to the context ID. If the context ID is the protector, a non-null label is signaled. Otherwise, it will be based on the configuration or the requested label type. RSVP verifies the Explicit Route Object (ERO) from the path for itself and the context ID. RSVP sends the Resv message with two Record Route Object (RRO) objects—one for the context ID and one for itself. This simulates the penultimate-hop node (PHN) to do node protection with the protector for the primary for context ID LSP. As the fast reroute (FRR)-required bypass, the LSP has to merge back to the protector LSP PHN setup bypass to context ID through the protector by avoiding the primary.

The protector also terminates the backup LSP for the context ID to keep the protected LSP alive during a failure until the ingress node resignals the LSP. The new LSP is reestablished through the protector, but this LSP is not used for service traffic as service protocol does not use the context ID. The LSP traverses through the protector even if the primary comes up. Only reoptimization resignals the LSP through the primary. In stub proxy mode, the bypass LSP with constraints is not supported.

LDP cannot use the stub proxy method due to the inflated metric advertised in the IGP.

With regard the forwarding state, a PE router that protects one or more segments that are connected to another PE is referred to as a protector PE. A protector PE must learn the forwarding state of the segments that it is protecting from the primary PE that is being protected.

For a given segment, if the protector PE is not directly connected to the CE device associated with the segment, it must also learn the forwarding state from at least one backup PE. This situation might arise only in the case of egress PE failure protection.

A protector PE maintains forwarding state for a given segment in the context of the primary PE. A protector PE might maintain state for only a subset of the segments on the primary PE or for all the segments on the primary PE.

Example: Configuring MPLS Egress Protection for Layer 3 VPN Services

This example describes a local repair mechanism for protecting Layer 3 VPN services against egress provider edge (PE) router failure in a scenario where the customer edge (CE) routers are multihomed with more than one PE router.

The following terminology is used in this example:

  • Originator PE router—A PE router with protected routing instances or subnets that distributes the primary Layer 3 VPN router.

  • Backup PE router—A PE router that announces a backup Layer 3 VPN route.

  • Protector PE router—A router that cross-connects VPN labels distributed by the originator PE router to the labels originated by the backup PE router. The protector PE router can also be a backup PE router.

  • Transport LSP—An LDP-signaled label-switched path (LSP) for BGP next hops.

  • PLR—A router acting as the point of local repair (PLR) that can redirect Layer 3 VPN traffic to a protector PE router to enable fast restoration and reroute.

  • Loop-free alternate routes—A technology that essentially adds IP fast-reroute capability for the interior gateway protocol (IGP) by precomputing backup routes for all the primary routes of the IGP. In the context of this document, the IGP is IS-IS.

  • Multihoming—A technology that enables you to connect a CE device to multiple PE routers. In the event that a connection to the primary PE router fails, traffic can be automatically switched to the backup PE router.

  • Context identifier—An IPv4 address used to identify the VPN prefix that requires protection. The identifier is propagated to the PE and PLR core routers, making it possible for the protected egress PE router to signal the egress protection to the protector PE router.

  • Dual protection—A protection mechanism where two PE routers can simultaneously act as the primary PE router and the protector PE router for their respective context ID routes or next hops. For example, between the two PE routers PE1 and PE2, PE1 could be a primary PE router for context identifier 203.0.113.1 and protector for context identifier 203.0.113.2 Likewise, the PE2 router could be a protector for context identifier 203.0.113.1 and a primary PE router for context identifier 203.0.113.2.

Example: Configuring Egress Protection for Layer 3 VPN Services

This example shows how to configure egress protection for fast restoration of Layer 3 VPN services.

Requirements

This example uses the following hardware and software components

  • MX Series 5G Universal Routing Platforms

  • Tunnel PICs or the configuration of the Enhanced IP Network Services mode (using the network-services enhanced-ip statement at the [edit chassis] hierarchy level).

  • Junos OS Release 11.4R3 or later running on the devices

Before you begin:

  • Configure the device interfaces. See the Junos OS Network Interfaces Configuration Guide.

  • Configure the following routing protocols on all the PE and PLR routers.

    • MPLS, LSPs, and LDP. See the Junos OS MPLS Applications Configuration Guide.

    • BGP and IS-IS. See the Junos OS Routing Protocols Configuration Guide.

  • Configure Layer 3 VPNs. See the Junos OS VPNs Configuration Guide.

Overview

Typically, Layer 3 VPN service restoration, in case of egress PE router failure (for multihomed customer edge [CE] routers), depends on the ingress PE router to detect the egress PE node failure and switch traffic to the backup PE router for multihomed CE sites.

Junos OS Release 11.4R3 or later enables you to configure egress protection for Layer 3 VPN services that protects the services from egress PE node failure in a scenario where the CE site is multihomed with more than one PE router. The mechanism enables local repair to be performed immediately upon an egress node failure. The router acting as the point of local repair (PLR) redirects VPN traffic to a protector PE router for restoring service quickly, achieving fast protection that is comparable to MPLS fast reroute.

The statements used to configure egress protection are:

  • egress-protection—When configured at the [edit protocols mpls] hierarchy level, this statement specifies protector information and the context identifier for the Layer 3 VPN and edge protection virtual circuit:

    content_copy zoom_out_map
    [edit protocols mpls]
egress-protection {
    context-identifier context-id {
        primary | protector;
        metric igp-metric-value;
    }
}

    When configured at the [edit protocols bgp group group-name family inet-vpn unicast], [edit protocols bgp group group-name family inet6-vpn unicast], or [edit protocols bgp group group-name family iso-vpn unicast] hierarchy levels, the egress-protection statement specifies the context identifier that enables egress protection for the configured BGP VPN network layer reachability information (NLRI).

    content_copy zoom_out_map
    [edit protocols bgp]
group internal {
    type internal;
local-address ip-address;
    family <inet-vpn|inet6-vpn|iso-vpn> {
        unicast {
            egress-protection {
                context-identifier {
                    context-id-ip-address;
                    }
                }
            }
        }
    }

    When configured at the [edit routing-instances] hierarchy level, the egress-protection statement holds the context identifier of the protected PE router.

    This configuration must be done only in the primary PE router and is used for outbound BGP updates for the next hops.

    content_copy zoom_out_map
    [edit routing-instance]
routing-instance-name {
    egress-protection {
        context-identifier {
            context-id-ip-address;
        }
    }
}

    Configuring the context-identifier statement at the [edit routing-instances routing-instance-name] hierarchy level provides customer edge VRF-level context ID granularity for each VRF instance.

  • context-identifier—This statement specifies an IPV4 address used to define the pair of PE routers participating in the egress protection LSP. The context identifier is used to assign an identifier to the protector PE router. The identifier is propagated to the other PE routers participating in the network, making it possible for the protected egress PE router to signal the egress protection LSP to the protector PE router.

Configuration

CLI Quick Configuration

Note:

This example only shows sample configuration that is relevant to configuring egress PE protection for Layer 3 VPN services on the protected router, PE2, the protector router, PE3, and the PLR router.

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

PE2 (Protected PE Router)

content_copy zoom_out_map
set protocols mpls interface all
set protocols mpls interface fxp0.0 disable
set protocols mpls egress-protection context-identifier 192.0.2.6 primary
set protocols bgp group ibgp type internal
set protocols bgp group ibgp local-address 10.255.245.194
set protocols bgp group ibgp family inet-vpn unicast egress-protection context-identifier 192.0.2.6

PE3 (Protector PE Router)

content_copy zoom_out_map
set protocols mpls interface all
set protocols mpls interface fxp0.0 disable
set protocols mpls egress-protection context-identifier 192.0.2.6 protector
set protocols bgp group ibgp type internal
set protocols bgp group ibgp local-address 10.255.245.196
set protocols bgp group ibgp family inet-vpn unicast egress-protection keep-import remote-vrf
set policy-options policy-statement remote-vrf from community rsite1
set policy-options policy-statement remote-vrf from community rsite24
set policy-options policy-statement remote-vrf then accept
set policy-options community rsite1 members target:1:1
set policy-options community rsite24 members target:100:1023

PLR Router

content_copy zoom_out_map
set protocols mpls interface all
set protocols mpls interface fxp0.0 disable
set protocols isis level 1 disable
set protocols isis interface all node-link-protection
set protocols isis backup-spf-options per-prefix-calculation
set protocols ldp track-igp-metric
set protocols ldp interface all
set protocols ldp interface fxp0.0 disable

Configuring the Protected PE Router (PE2)

Step-by-Step Procedure

To configure the protected PE router, PE2:

  1. Configure MPLS on the interfaces.

    content_copy zoom_out_map
    [edit protocols mpls]
user@PE2# set interface all
user@PE2#set interface fxp0.0 disable

  2. Configure egress protection and the context identifier.

    Note:

    The context identifier type must be set to primary.

    content_copy zoom_out_map
    [edit protocols mpls]
user@PE2# set egress-protection context-identifier 192.0.2.6 primary

  3. Configure egress protection for the configured BGP NRLI.

    Note:

    The context identifier configured at the [edit protocols bgp group group-name family inet-vpn] hierarchy level should match the context identifier configured at the [edit protocols mpls] hierarchy level.

    content_copy zoom_out_map
    [edit protocols bgp]
user@PE2# set group ibgp type internal
user@PE2# set group ibgp local-address 10.255.245.194
user@PE2# set group ibgp family inet-vpn unicast egress-protection context-identifier 192.0.2.6
    Note:

    Configuring the context-identifier at the [edit routing-instances routing-instance-name] hierarchy level provides CE VRF-level context-id granularity for each virtual routing and forwarding (VRF) instance.

  4. After you are done configuring the device, commit the configuration.

    content_copy zoom_out_map
    [edit]
user@PE2#  commit
Results

Confirm your configuration by issuing the show protocols command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

content_copy zoom_out_map
user@PE2# show protocols
mpls {
    interface all;
    interface fxp0.0 {
        disable;
    }
    egress-protection {
        context-identifier 192.0.2.6 {
            primary;
        }
    }
}
    bgp {
        group ibgp {
            type internal;
            local-address 10.255.245.194;
            family inet-vpn {
                unicast {
                    egress-protection {
                        context-identifier {
                            192.0.2.6;
                        }
                    }
                }
            }
        }
    }

Configuring the Protector PE Router (PE3)

Step-by-Step Procedure

To configure the protector PE router, PE3:

  1. Configure MPLS on the interfaces.

    content_copy zoom_out_map
    [edit protocols mpls]
user@PE3# set interface all
user@PE3#set mpls interface fxp0.0 disable

  2. Configure egress protection and the context identifier.

    content_copy zoom_out_map
    [edit protocols mpls]
user@PE3#set egress-protection context-identifier 192.0.2.6 protector

  3. Configure IPv4 Layer 3 VPN NRLI parameters.

    content_copy zoom_out_map
    [edit protocols bgp]
user@PE3# set group ibgp type internal
user@PE3# set group ibgp local-address 10.255.245.196
user@PE3# set group ibgp family inet-vpn unicast egress-protection keep-import remote-vrf

  4. Configure routing policy options.

    content_copy zoom_out_map
    [edit policy-options]
user@PE3# set policy-statement remote-vrf from community rsite1
user@PE3# set policy-statement remote-vrf from community rsite24
user@PE3# set policy-statement remote-vrf then accept
user@PE3# set community rsite1 members target:1:1
user@PE3# set community rsite24 members target:100:1023

  5. After you are done configuring the device, commit the configuration.

    content_copy zoom_out_map
    [edit]
user@PE3#  commit
Results

Confirm your configuration by issuing the show protocols and the show policy-options commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

content_copy zoom_out_map
user@PE3# show protocols
mpls {
    interface all;
    interface fxp0.0 {
        disable;
    }
    egress-protection {
        context-identifier 192.0.2.6 {
            protector;
        }
    }
}
    bgp {
        group ibgp {
            type internal;
            local-address 10.255.245.196;
            family inet-vpn {
                unicast {
                    egress-protection {
                        keep-import remote-vrf;
                    }
                }
            }
        }
    }
content_copy zoom_out_map
user@PE3# show policy-options
policy-statement remote-vrf {
    from community [ rsite1 rsite24 ];
    then accept;
    }
    community rsite1 members target:1:1;
community rsite24 members target:100:1023;

Configuring the PLR Router

Step-by-Step Procedure

To configure the router acting as the point of local repair (PLR):

  1. Configure MPLS on the interfaces.

    content_copy zoom_out_map
    [edit protocols mpls]
user@PLR# set interface all
user@PLR# set interface fxp0.0 disable

  2. Configure per-prefix-LFA calculation along with link protection.

    content_copy zoom_out_map
    [edit protocols isis]
user@PLR# set backup-spf-options per-prefix-calculation
user@PLR# set level 1 disable
user@PLR# set interface all node-link-protection
user@PLR# set interface fxp0.0 disable

  3. Configure LDP to use the interior gateway protocol (IGP) route metric instead of the default LDP route metric (the default LDP route metric is 1).

    content_copy zoom_out_map
    [edit protocols ldp]
user@PLR# set track-igp-metric
user@PLR# set interface all
user@PLR# set interface fxp0.0 disable
Results

Confirm your configuration by issuing the show protocols command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

content_copy zoom_out_map
user@PLR# show protocols
mpls {
    interface all;
    interface fxp0.0 {
        disable;
    }
}
isis {
    backup-spf-options per-prefix-calculation;
    level 1 disable;
    interface all {
        node-link-protection;
    }
}
ldp {
    track-igp-metric;
    interface all;
    interface fxp0.0 {
        disable;
    }
}

Verification

Confirm that the configuration is working properly.

Verifying Egress Protection Details

Purpose

Check the egress protection configuration.

Action
content_copy zoom_out_map
user@PE3> show mpls egress-protection details

Instance                 Type      Protection-Type       
rsite1                  remote-vrf  Protector           
  RIB __192.0.2.6-rsite1__.inet.0, Context-Id 192.0.2.6, Enhanced-lookup 
  Route Target 1:1
rsite24                 remote-vrf  Protector           
  RIB __192.0.2.6-rsite24__.inet.0, Context-Id 192.0.2.6, Enhanced-lookup 
  Route Target 100:1023
Meaning

Instance indicates the routing-instance name. Type shows the type of the VRF. It can be either local-vrf or remote-vrf. RIB (routing information base) indicates the edge-protection created routing table. Context-Id shows the context ID associated with the RIB. Route Target shows the route target associated with the routing instance.

Verifying Routing Instances

Purpose

Verify the routing instances.

Action
content_copy zoom_out_map
user@PE3> show route instance site1 detail

site1:
  Router ID: 198.51.100.1
  Type: vrf               State: Active        
  Interfaces:
    lt-1/3/0.8
  Route-distinguisher: 10.255.255.11:150
  Vrf-import: [ site1-import ]
  Vrf-export: [ __vrf-export-site1-internal__ ]
  Vrf-export-target: [ target:100:250 ]
  Fast-reroute-priority: low
  Vrf-edge-protection-id:  192.0.2.6 
  Tables:
    site1.inet.0           : 27 routes (26 active, 0 holddown, 0 hidden)
    site1.iso.0            : 0 routes (0 active, 0 holddown, 0 hidden)
    site1.inet6.0          : 0 routes (0 active, 0 holddown, 0 hidden)
    site1.mdt.0            : 0 routes (0 active, 0 holddown, 0 hidden)
Meaning

Vrf-edge-protection-id shows the egress protection configured in the protector PE router with the routing instance.

Verifying BGP NRLI

Purpose

Check the details of the BGP VPN network layer reachability information.

Action
content_copy zoom_out_map
user@PE3> show bgp neighbor

Peer: 10.255.55.1+179 AS 65535 Local: 10.255.22.1+59264 AS 65535
  Type: Internal    State: Established    Flags: <ImportEval Sync>
  Last State: OpenConfirm   Last Event: RecvKeepAlive
  Last Error: None
  Options: <Preference LocalAddress KeepAll AddressFamily Rib-group Refresh>
  Address families configured: inet-vpn-unicast
  Local Address: 10.255.22.1 Holdtime: 90 Preference: 170
  NLRI configured with egress-protection: inet-vpn-unicast
  Egress-protection NLRI inet-vpn-unicast, keep-import: [ VPN-A-remote ]
  Number of flaps: 0
Meaning

NLRI configured with egress-protection shows the BGP family configured with egress protection. egress-protection NLRI inet-vpn-unicast, keep-import: [remote-vrf] shows the egress protection routing policy for the BGP group.

Example: Configuring Layer 3 VPN Egress Protection with RSVP and LDP

This example shows how to configure fast service restoration at the egress of a Layer 3 VPN when the customer is multihomed to the service provider. Further, this example includes enhanced point-of-local-repair (PLR) functionality, in which the PLR reroutes service traffic during an egress failure.

Starting in Junos OS Release 13.3, enhanced PLR functionality is available, in which the PLR reroutes service traffic during an egress failure. As part of this enhancement, the PLR router no longer needs to be directly connected to the protector router. Previously, if the PLR was not directly connected to the protector router, the loop-free alternate route could not find the backup path to the protector.

Requirements

No special configuration beyond device initialization is required before configuring this example.

This example requires Junos OS Release 13.3 or later.

Overview

In this example, the customer edge (CE) devices are part of a VPN where Device CE1 is multihomed with Device PE2 and Device PE3.

Device PE3 acts as the protector for the Layer 3 VPN routing instances or subnets.

Device PE1 is the originator for the context identifier for Device CE1, Device PE2 is the primary router for that context identifier, while Device PE3 is the protector for that context identifier.

Device P1 acts as the point of local repair (PLR). As such, Device P1 can redirect Layer 3 VPN traffic to the protector PE router to enable fast restoration and reroute.

The working path is through P1>PE2. The backup path is through P1>PE3. Traffic flows through the working path under normal circumstances. When a Device PE2 node or link failure is detected, traffic is rerouted from the working path to the protected path. In the normal failover process, the detection of failure and the recovery rely on the control plane and is therefore relatively slow. Typically, if there is a link or node failure in the core network, the egress PE router would have to rely on the ingress PE router to detect the failure and switch over to the backup path, because a local repair option for egress failure is not available. To provide a local repair solution for the egress PE link or node failure, a mechanism known as egress protection is used in this example to repair and restore the connection quickly. Because egress protection is configured, the PLR router detects the Device PE2 link or node failure and reroutes traffic through the protector Device PE3 using the backup LDP-signaled label-switched path (LSP). The PLR router uses per-prefix loop-free alternate routes to program the backup next hop through Device PE3, and traffic is forwarded to Device CE2 using the alternate paths. This restoration is done quickly after the PLR router detects the Device PE2 egress node or link failure. The dual protection mechanism can also be used for egress protection where the two PE routers can simultaneously act as the primary PE router and the protector PE router for their respective context ID routes or next hops.

In addition to egress protection, this example demonstrates an enhanced PLR function, in which the PLR reroutes service traffic during the egress failure. This enhancement is supported in Junos OS Release 13.3 and later. In this example, Device P1 (the PLR) is directly connected to Device PE3 (the protector). A new configuration statement, advertise-mode, enables you to set the method for the interior gateway protocol (IGP) to advertise egress protection availability.

Topology

Figure 5 shows the sample network.

Figure 5: Layer 3 VPN Egress Protection with RSVP and LDPLayer 3 VPN Egress Protection with RSVP and LDP

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Device CE1

content_copy zoom_out_map
set interfaces ge-1/2/0 unit 0 description to_PE1
set interfaces ge-1/2/0 unit 0 family inet address 10.1.0.1/24
set interfaces lo0 unit 0 family inet address 172.16.0.1/32
set protocols ospf area 0.0.0.0 interface ge-1/2/0.0

Device CE2

content_copy zoom_out_map
set interfaces ge-1/2/2 unit 0 description to_PE2
set interfaces ge-1/2/2 unit 0 family inet address 10.8.0.2/24
set interfaces ge-1/2/0 unit 0 description to_PE3
set interfaces ge-1/2/0 unit 0 family inet address 10.9.0.2/24
set interfaces lo0 unit 0 family inet address 172.16.0.2/32
set protocols ospf area 0.0.0.0 interface ge-1/2/2.0
set protocols ospf area 0.0.0.0 interface ge-1/2/0.0

Device P1

content_copy zoom_out_map
set interfaces ge-1/2/1 unit 0 description to_PE1
set interfaces ge-1/2/1 unit 0 family inet address 10.2.0.2/24
set interfaces ge-1/2/1 unit 0 family iso
set interfaces ge-1/2/1 unit 0 family mpls
set interfaces ge-1/2/0 unit 0 description to_PE2
set interfaces ge-1/2/0 unit 0 family inet address 10.4.0.1/24
set interfaces ge-1/2/0 unit 0 family iso
set interfaces ge-1/2/0 unit 0 family mpls
set interfaces ge-1/2/2 unit 0 description to_PE3
set interfaces ge-1/2/2 unit 0 family inet address 10.5.0.1/24
set interfaces ge-1/2/2 unit 0 family iso
set interfaces ge-1/2/2 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 172.16.0.3/32
set interfaces lo0 unit 0 family iso address 49.0002.0172.0016.0003.00
set protocols rsvp interface all
set protocols rsvp interface fxp0.0 disable
set protocols mpls interface all
set protocols isis backup-spf-options per-prefix-calculation
set protocols isis level 1 disable
set protocols isis level 2 wide-metrics-only
set protocols isis interface all node-link-protection
set protocols isis interface fxp0.0 disable
set protocols isis interface lo0.0
set protocols ldp track-igp-metric
set protocols ldp interface all
set protocols ldp interface fxp0.0 disable

Device PE1

content_copy zoom_out_map
set interfaces ge-1/2/0 unit 0 description to_CE1
set interfaces ge-1/2/0 unit 0 family inet address 10.1.0.2/24
set interfaces ge-1/2/1 unit 0 description to_P1
set interfaces ge-1/2/1 unit 0 family inet address 10.2.0.1/24
set interfaces ge-1/2/1 unit 0 family iso
set interfaces ge-1/2/1 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 172.16.183.55/32
set interfaces lo0 unit 0 family iso address 49.0002.1720.1618.3055.00
set protocols rsvp interface all
set protocols rsvp interface fxp0.0 disable
set protocols mpls label-switched-path toPrimary192.0.2.6 to 192.0.2.6
set protocols mpls label-switched-path toPrimary192.0.2.6 egress-protection
set protocols mpls interface all
set protocols bgp group ibgp type internal
set protocols bgp group ibgp local-address 172.16.183.55
set protocols bgp group ibgp family inet-vpn unicast
set protocols bgp group ibgp neighbor 172.16.183.56
set protocols bgp group ibgp neighbor 172.16.183.59
set protocols isis level 1 disable
set protocols isis level 2 wide-metrics-only
set protocols isis interface all
set protocols isis interface fxp0.0 disable
set protocols isis interface lo0.0
set protocols ldp track-igp-metric
set protocols ldp interface all
set protocols ldp interface fxp0.0 disable
set routing-instances vpn1 instance-type vrf
set routing-instances vpn1 interface ge-1/2/0.0
set routing-instances vpn1 route-distinguisher 172.16.183.55:10
set routing-instances vpn1 vrf-target target:10:10
set routing-instances vpn1 routing-options static route 100.0.0.0/24 next-hop 10.1.0.1
set routing-instances vpn1 protocols ospf area 0.0.0.0 interface ge-1/2/0.0
set routing-options autonomous-system 64510

Device PE2

content_copy zoom_out_map
set interfaces ge-1/2/0 unit 0 description to_P1
set interfaces ge-1/2/0 unit 0 family inet address 10.4.0.2/24
set interfaces ge-1/2/0 unit 0 family iso
set interfaces ge-1/2/0 unit 0 family mpls
set interfaces ge-1/2/2 unit 0 description to_CE2
set interfaces ge-1/2/2 unit 0 family inet address 10.8.0.1/24
set interfaces ge-1/2/1 unit 0 description to_PE3
set interfaces ge-1/2/1 unit 0 family inet address 10.7.0.1/24
set interfaces ge-1/2/1 unit 0 family iso
set interfaces ge-1/2/1 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 172.16.183.56/32
set interfaces lo0 unit 0 family iso address 49.0002.1720.1618.3056.00
set protocols rsvp interface all
set protocols rsvp interface fxp0.0 disable
set protocols mpls label-switched-path toPE1 to 172.16.183.55
set protocols mpls label-switched-path toPrimary192.0.2.6 to 192.0.2.6
set protocols mpls label-switched-path toPrimary192.0.2.6 egress-protection
set protocols mpls interface all
set protocols mpls egress-protection context-identifier 192.0.2.6 primary
set protocols mpls egress-protection context-identifier 192.0.2.6 advertise-mode stub-proxy
set protocols bgp group ibgp type internal
set protocols bgp group ibgp local-address 172.16.183.56
set protocols bgp group ibgp family inet-vpn unicast egress-protection context-identifier 192.0.2.6
set protocols bgp group ibgp neighbor 172.16.183.55
set protocols bgp group ibgp neighbor 172.16.183.59
set protocols isis level 1 disable
set protocols isis level 2 wide-metrics-only
set protocols isis interface all
set protocols isis interface fxp0.0 disable
set protocols isis interface lo0.0
set protocols ldp track-igp-metric
set protocols ldp interface all
set protocols ldp interface fxp0.0 disable
set routing-options autonomous-system 64510

Device PE3

content_copy zoom_out_map
set interfaces ge-1/2/2 unit 0 description to_P1
set interfaces ge-1/2/2 unit 0 family inet address 10.5.0.2/24
set interfaces ge-1/2/2 unit 0 family iso
set interfaces ge-1/2/2 unit 0 family mpls
set interfaces ge-1/2/0 unit 0 description to_CE2
set interfaces ge-1/2/0 unit 0 family inet address 10.9.0.1/24
set interfaces ge-1/2/1 unit 0 description to_PE2
set interfaces ge-1/2/1 unit 0 family inet address 10.7.0.2/24
set interfaces ge-1/2/1 unit 0 family iso
set interfaces ge-1/2/1 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 172.16.183.59/32
set interfaces lo0 unit 0 family iso address 49.0002.1720.1618.3059.00
set protocols rsvp interface all
set protocols rsvp interface fxp0.0 disable
set protocols mpls label-switched-path toPE1 to 172.16.183.55
set protocols mpls interface all
set protocols mpls egress-protection context-identifier 192.0.2.6 protector
set protocols mpls egress-protection context-identifier 192.0.2.6 advertise-mode stub-proxy
set protocols bgp group ibgp type internal
set protocols bgp group ibgp local-address 172.16.183.59
set protocols bgp group ibgp family inet-vpn unicast egress-protection keep-import remote-vrf
set protocols bgp group ibgp neighbor 172.16.183.55
set protocols bgp group ibgp neighbor 172.16.183.56
set protocols isis level 1 disable
set protocols isis level 2 wide-metrics-only
set protocols isis interface all
set protocols isis interface fxp0.0 disable
set protocols isis interface lo0.0
set protocols ldp track-igp-metric
set protocols ldp interface all
set policy-options policy-statement remote-vrf from community rsite1
set policy-options policy-statement remote-vrf from community rsite24
set policy-options policy-statement remote-vrf then accept
set policy-options community rsite1 members target:1:1
set policy-options community rsite24 members target:100:1023
set routing-options autonomous-system 64510

Procedure

Step-by-Step Procedure

The following example requires that you navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure Device P1 (the PLR):

  1. Configure the device interfaces.

    content_copy zoom_out_map
    [edit interfaces]
user@P1# set ge-1/2/1 unit 0 description to_PE1
user@P1# set ge-1/2/1 unit 0 family inet address 10.2.0.2/24
user@P1# set ge-1/2/1 unit 0 family iso
user@P1# set ge-1/2/1 unit 0 family mpls
user@P1# set ge-1/2/0 unit 0 description to_PE2
user@P1# set ge-1/2/0 unit 0 family inet address 10.4.0.1/24
user@P1# set ge-1/2/0 unit 0 family iso
user@P1# set ge-1/2/0 unit 0 family mpls
user@P1# set ge-1/2/2 unit 0 description to_PE3
user@P1# set ge-1/2/2 unit 0 family inet address 10.5.0.1/24
user@P1# set ge-1/2/2 unit 0 family iso
user@P1# set ge-1/2/2 unit 0 family mpls
user@P1# set lo0 unit 0 family inet address 172.16.0.3/32
user@P1# set lo0 unit 0 family iso address 49.0002.0172.0016.0003.00

  2. Configure IS-IS.

    Configure per-prefix-LFA calculation along with node link protection.

    content_copy zoom_out_map
    [edit protocols isis]
user@P1# set backup-spf-options per-prefix-calculation
user@P1# set level 1 disable
user@P1# set level 2 wide-metrics-only
user@P1# set interface all node-link-protection
user@P1# set interface fxp0.0 disable
user@P1# set interface lo0.0

  3. Enable MPLS.

    content_copy zoom_out_map
    [edit protocols mpls ]
user@P1# set interface all

  4. Enable RSVP.

    content_copy zoom_out_map
    [edit protocols rsvp]
user@P1# set interface all
user@P1# set interface fxp0.0 disable

  5. Enable LDP.

    content_copy zoom_out_map
    [edit protocols ldp]
user@P1# set track-igp-metric
user@P1# set interface all
user@P1# set interface fxp0.0 disable
Step-by-Step Procedure

The following example requires that you navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure Device PE1:

  1. Configure the device interfaces.

    content_copy zoom_out_map
    [edit interfaces]
user@PE1# set ge-1/2/0 unit 0 description to_CE1
user@PE1# set ge-1/2/0 unit 0 family inet address 10.1.0.2/24
user@PE1# set ge-1/2/1 unit 0 description to_P1
user@PE1# set ge-1/2/1 unit 0 family inet address 10.2.0.1/24
user@PE1# set ge-1/2/1 unit 0 family iso
user@PE1# set ge-1/2/1 unit 0 family mpls
user@PE1# set lo0 unit 0 family inet address 172.16.183.55/32
user@PE1# set lo0 unit 0 family iso address 49.0002.1720.1618.3055.00

  2. Enable RSVP.

    content_copy zoom_out_map
    [edit protocols rsvp]
user@PE1# set interface all
user@PE1# set interface fxp0.0 disable

  3. Configure MPLS.

    content_copy zoom_out_map
    [edit protocols mpls]
user@PE1# set label-switched-path toPrimary192.0.2.6 to 192.0.2.6
user@PE1# set label-switched-path toPrimary192.0.2.6 egress-protection
user@PE1# set interface all

  4. Configure IBGP.

    content_copy zoom_out_map
    [edit protocols bgp group ibgp]
user@PE1# set type internal
user@PE1# set local-address 172.16.183.55
user@PE1# set family inet-vpn unicast
user@PE1# set neighbor 172.16.183.56
user@PE1# set neighbor 172.16.183.59

  5. Configure IS-IS.

    content_copy zoom_out_map
    [edit protocols isis]
user@PE1# set level 1 disable
user@PE1# set level 2 wide-metrics-only
user@PE1# set interface all
user@PE1# set interface fxp0.0 disable
user@PE1# set interface lo0.0

  6. Enable LDP.

    content_copy zoom_out_map
    [edit protocols ldp]
user@PE1# set track-igp-metric
user@PE1# set interface all
user@PE1# set interface fxp0.0 disable

  7. Configure the routing instance.

    content_copy zoom_out_map
    [edit routing-instances vpn1]
user@PE1# set instance-type vrf
user@PE1# set interface ge-1/2/0.0
user@PE1# set route-distinguisher 172.16.183.55:10
user@PE1# set vrf-target target:10:10
user@PE1# set routing-options static route 100.0.0.0/24 next-hop 10.1.0.1
user@PE1# set protocols ospf area 0.0.0.0 interface ge-1/2/0.0

  8. Configure the autonomous system (AS) number.

    content_copy zoom_out_map
    [edit routing-options]
user@PE1# set autonomous-system 64510
Step-by-Step Procedure

The following example requires that you navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in theCLI User Guide.

To configure Device PE2:

  1. Configure the device interfaces.

    content_copy zoom_out_map
    [edit interfaces]
user@PE2# set ge-1/2/0 unit 0 description to_P1
user@PE2# set ge-1/2/0 unit 0 family inet address 10.4.0.2/24
user@PE2# set ge-1/2/0 unit 0 family iso
user@PE2# set ge-1/2/0 unit 0 family mpls
user@PE2# set ge-1/2/2 unit 0 description to_CE2
user@PE2# set ge-1/2/2 unit 0 family inet address 10.8.0.1/24
user@PE2# set ge-1/2/1 unit 0 description to_PE3
user@PE2# set ge-1/2/1 unit 0 family inet address 10.7.0.1/24
user@PE2# set ge-1/2/1 unit 0 family iso
user@PE2# set ge-1/2/1 unit 0 family mpls
user@PE2# set lo0 unit 0 family inet address 172.16.183.56/32
user@PE2# set lo0 unit 0 family iso address 49.0002.1720.1618.3056.00

  2. Enable RSVP.

    content_copy zoom_out_map
    [edit protocols rsvp]
user@PE2# set interface all
user@PE2# set interface fxp0.0 disable

  3. Configure MPLS.

    content_copy zoom_out_map
    [edit protocols mpls]
user@PE2# set label-switched-path toPE1 to 172.16.183.55
user@PE2# set label-switched-path toPrimary192.0.2.6 to 192.0.2.6
user@PE2# set label-switched-path toPrimary192.0.2.6 egress-protection
user@PE2# set interface all
user@PE2# set egress-protection context-identifier 192.0.2.6 primary
user@PE2# set egress-protection context-identifier 192.0.2.6 advertise-mode stub-proxy

  4. Configure IBGP.

    content_copy zoom_out_map
    [edit protocols bgp group ibgp]
user@PE2# set type internal
user@PE2# set local-address 172.16.183.56
user@PE2# set family inet-vpn unicast egress-protection context-identifier 192.0.2.6
user@PE2# set neighbor 172.16.183.55
user@PE2# set neighbor 172.16.183.59

  5. Configure IS-IS.

    content_copy zoom_out_map
    [edit protocols isis]
user@PE2# set level 1 disable
user@PE2# set level 2 wide-metrics-only
user@PE2# set interface all
user@PE2# set interface fxp0.0 disable
user@PE2# set interface lo0.0

  6. Enable LDP.

    content_copy zoom_out_map
    [edit protocols ldp]
user@PE2# set track-igp-metric
user@PE2# set interface all
user@PE2# set interface fxp0.0 disable

  7. Configure the AS number.

    content_copy zoom_out_map
    [edit routing-options]
user@PE2# set autonomous-system 64510
Step-by-Step Procedure

The following example requires that you navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure Device PE3:

  1. Configure the device interfaces.

    content_copy zoom_out_map
    [edit interfaces]
user@PE3# set ge-1/2/2 unit 0 description to_P1
user@PE3# set ge-1/2/2 unit 0 family inet address 10.5.0.2/24
user@PE3# set ge-1/2/2 unit 0 family iso
user@PE3# set ge-1/2/2 unit 0 family mpls
user@PE3# set ge-1/2/0 unit 0 description to_CE2
user@PE3# set ge-1/2/0 unit 0 family inet address 10.9.0.1/24
user@PE3# set ge-1/2/1 unit 0 description to_PE2
user@PE3# set ge-1/2/1 unit 0 family inet address 10.7.0.2/24
user@PE3# set ge-1/2/1 unit 0 family iso
user@PE3# set ge-1/2/1unit 0 family mpls
user@PE3# set lo0 unit 0 family inet address 172.16.183.59/32
user@PE3# set lo0 unit 0 family iso address 49.0002.1720.1618.3059.00

  2. Enable RSVP.

    content_copy zoom_out_map
    [edit protocols rsvp]
user@PE3# set interface all
user@PE3# set interface fxp0.0 disable

  3. Configure MPLS.

    content_copy zoom_out_map
    [edit protocols mpls]
user@PE3# set label-switched-path toPE1 to 172.16.183.55
user@PE3# set interface all
user@PE3# set egress-protection context-identifier 192.0.2.6 protector
user@PE3# set egress-protection context-identifier 192.0.2.6 advertise-mode stub-proxy

  4. Configure IBGP.

    content_copy zoom_out_map
    [edit protocols bgp group ibgp]
user@PE3# set type internal
user@PE3# set local-address 172.16.183.59
user@PE3# set family inet-vpn unicast egress-protection keep-import remote-vrf
user@PE3# set neighbor 172.16.183.55
user@PE3# set neighbor 172.16.183.56

  5. Configure IS-IS.

    content_copy zoom_out_map
    [edit protocols isis]
user@PE3# set level 1 disable
user@PE3# set level 2 wide-metrics-only
user@PE3# set interface all
user@PE3# set interface fxp0.0 disable
user@PE3# set interface lo0.0

  6. Enable LDP.

    content_copy zoom_out_map
    [edit protocols ldp]
user@PE3# set track-igp-metric
user@PE3# set interface all

  7. Configure the routing policy.

    content_copy zoom_out_map
    [edit policy-options]
user@PE3# set policy-statement remote-vrf from community rsite1
user@PE3# set policy-statement remote-vrf from community rsite24
user@PE3# set policy-statement remote-vrf then accept
user@PE3# set community rsite1 members target:1:1
user@PE3# set community rsite24 members target:100:1023

  8. Configure the AS number.

    content_copy zoom_out_map
    [edit routing-options]
user@PE3# set autonomous-system 64510
Results

From configuration mode, confirm your configuration by entering the show interfaces and show protocols commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Device P1

content_copy zoom_out_map
user@P1# show interfaces
ge-1/2/0 {
    unit 0 {
        description to_PE2;
        family inet {
            address 10.4.0.1/24;
        }
        family iso;
        family mpls;
    }
}
ge-1/2/1 {
    unit 0{
        description to_PE1;
        family inet {
            address 10.2.0.2/24;
        }
        family iso;
        family mpls;
    }
}
ge-1/2/2 {
    unit 0 {
        description to_PE3;
        family inet {
            address 10.5.0.1/24;
        }
        family iso;
        family mpls;
    }
}
lo0 {
    unit 0 {
        family inet {
            address 172.16.0.3/32;
        }
        family iso {
            address 49.0002.0172.0016.0003.00;
        }
    }
}
content_copy zoom_out_map
user@P1# show protocols
rsvp {
    interface all;
    interface fxp0.0 {
        disable;
    }
}
mpls {
    interface all;
}
isis {
    backup-spf-options per-prefix-calculation;
    level 1 disable;
    level 2 wide-metrics-only;
    interface all {
        node-link-protection;
    }
    interface fxp0.0 {
        disable;
    }
    interface lo0.0;
}
ldp {
    track-igp-metric;
    interface all;
    interface fxp0.0 {
        disable;
    }
}

Device PE1

content_copy zoom_out_map
user@PE1# show interfaces
ge-1/2/0 {
    unit 0 {
        description to_CE1;
        family inet {
            address 10.1.0.2/24;
        }
    }
}
ge-1/2/1 {
    unit 0 {
        description to_P1;
        family inet {
            address 10.2.0.1/24;
        }
        family iso;
        family mpls;
    }
}
lo0 {
    unit 0 {
        family inet {
            address 172.16.183.55/32;
        }
        family iso {
            address 49.0002.1720.1618.3055.00;
        }
    }
}
content_copy zoom_out_map
user@PE1# show protocols
rsvp {
    interface all;
    interface fxp0.0 {
        disable;
    }
}
mpls {
    label-switched-path toPE2Primary192.0.2.6 {
        to 192.0.2.6;
        egress-protection;
    }
    interface all;
}
bgp {
    group ibgp {
        type internal;
        local-address 172.16.183.55;
        family inet-vpn {
            unicast;
        }
        neighbor 172.16.183.56;
        neighbor 172.16.183.59;
    }
}
isis {
    level 1 disable;
    level 2 wide-metrics-only;
    interface all;
    interface fxp0.0 {
        disable;
    }
    interface lo0.0;
}
ldp {
    track-igp-metric;
    interface all;
    interface fxp0.0 {
        disable;
    }
}
content_copy zoom_out_map
user@PE1# show routing-instances
vpn1 {
    instance-type vrf;
    interface ge-1/2/0.0;
    route-distinguisher 172.16.183.55:10;
    vrf-target target:10:10;
    routing-options {
        static {
            route 100.0.0.0/24 next-hop 10.1.0.1;
        }
    }
    protocols {
        ospf {
            area 0.0.0.0 {
                interface ge-1/2/0.0;
            }
        }
    }
}
content_copy zoom_out_map
user@PE1# show routing-options
autonomous-system 64510;

Device PE2

content_copy zoom_out_map
user@PE2# show interfaces
ge-1/2/0 {
    unit 0 {
        description to_P1;
        family inet {
            address 10.4.0.2/24;
        }
        family iso;
        family mpls;
    }
}
ge-1/2/1 {
    unit 0 {
        description to_PE3;
        family inet {
            address 10.7.0.1/24;
        }
        family iso;
        family mpls;
    }
}
ge-1/2/2 {
    unit 0 {
        description to_CE2;
        family inet {
            address 10.8.0.1/24;
        }
    }
}
lo0 {
    unit 0 {
        family inet {
            address 172.16.183.56/32;
        }
        family iso {
            address 49.0002.1720.1618.3056.00;
        }
    }
}
content_copy zoom_out_map
user@PE2# show protocols
rsvp {
    interface all;
    interface fxp0.0 {
        disable;
    }
}
mpls {
    label-switched-path toPE1 {
        to 172.16.183.55;
    }
    label-switched-path toPE2Primary192.0.2.6 {
        to 192.0.2.6;
        egress-protection;
    }
    interface all;
    egress-protection {
        context-identifier 192.0.2.6 {
            primary;
            advertise-mode stub-proxy;
        }
    }
}
bgp {
    group ibgp {
        type internal;
        local-address 172.16.183.56;
        family inet-vpn {
            unicast {
                egress-protection {
                    context-identifier {
                        192.0.2.6;
                    }
                }
            }
        }
        neighbor 172.16.183.55;
        neighbor 172.16.183.59;
    }
}
isis {
    level 1 disable;
    level 2 wide-metrics-only;
    interface all;
    interface fxp0.0 {
        disable;
    }
    interface lo0.0;
}
ldp {
    track-igp-metric;
    interface all;
    interface fxp0.0 {
        disable;
    }
}
content_copy zoom_out_map
user@PE2# show routing-options
autonomous-system 64510;

Device PE3

content_copy zoom_out_map
user@PE3# show interfaces
ge-1/2/0 {
    unit 0 {
        description to_CE2;
        family inet {
            address 10.9.0.1/24;
        }
    }
}
ge-1/2/1 {
    unit 0 {
        description to_PE2;
        family inet {
            address 10.7.0.2/24;
        }
        family iso;
        family mpls;
    }
}
ge-1/2/2 {
    unit 0 {
        description to_P1;
        family inet {
            address 10.5.0.2/24;
        }
        family iso;
        family mpls;
    }
}
lo0 {
    unit 0 {
        family inet {
            address 172.16.183.59/32;
        }
        family iso {
            address 49.0002.1720.1618.3059.00;
        }
    }
}
content_copy zoom_out_map
user@PE3# show protocols
rsvp {
    interface all;
    interface fxp0.0 {
        disable;
    }
}
mpls {
    label-switched-path toPE1 {
        to 172.16.183.55;
    }
    interface all;
    egress-protection {
        context-identifier 192.0.2.6 {
            protector;
            advertise-mode stub-proxy;
        }
    }
}
bgp {
    group ibgp {
        type internal;
        local-address 172.16.183.59;
        family inet-vpn {
            unicast {
                egress-protection {
                    keep-import remote-vrf;
                }
            }
        }
        neighbor 172.16.183.55;
        neighbor 172.16.183.56;
    }
}
isis {
    level 1 disable;
    level 2 wide-metrics-only;
    interface all;
    interface fxp0.0 {
        disable;
    }
    interface lo0.0;
}
ldp {
    track-igp-metric;
    interface all;
}
content_copy zoom_out_map
user@PE3# show policy-options
policy-statement remote-vrf {
    from community [ rsite1 rsite24 ];
    then accept;
}
community rsite1 members target:1:1;
community rsite24 members target:100:1023;
content_copy zoom_out_map
user@PE3# show routing-options
autonomous-system 64510;

If you are done configuring the devices, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying the Protector Node

Purpose

On the protector node (Device PE3), check the information about configured egress protection context identifiers.

Action
content_copy zoom_out_map
user@PE3> show mpls context-identifer detail protector 

ID: 192.0.2.6
  Type: protector, Metric: 16777215, Mode: proxy
  Context table: __PE3:192.0.2.6__.mpls.0
  Context LSPs: 
    toPE2Primary192.0.2.6, from: 172.16.183.55
    toPE2Primary192.0.2.6, from: 172.16.183.56

Total 1, Primary 0, Protector 1
Meaning

Device PE3 is the protector node for two LSPs configured from Device PE1 (172.16.183.55) and Device PE2 (172.16.183.56).

Verifying the Primary Node

Purpose

On the primary node (Device PE2), check the information about configured egress protection context identifiers.

Action
content_copy zoom_out_map
user@PE2> show mpls context-identifer detail primary

ID: 192.0.2.6
  Type: primary, Metric: 1, Mode: proxy

Total 1, Primary 1, Protector 0
Meaning

Device PE2 is the primary node.

Checking the Context Identifier Route

Purpose

Examine the information about the contenxt identifier (192.0.2.6).

Action
content_copy zoom_out_map
user@PE1> show route 192.0.2.6


inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.0.2.6/24         *[IS-IS/18] 00:53:39, metric 21
                    > to 10.2.0.2 via ge-1/2/1.0

inet.3: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.0.2.6/24         *[LDP/9] 00:53:39, metric 21
                    > to 10.2.0.2 via ge-1/2/1.0, Push 299808
user@PE2> show route 192.0.2.6


inet.0: 13 destinations, 14 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.0.2.6/24         *[MPLS/1] 3d 02:53:37, metric 1
                      Receive
                    [IS-IS/18] 00:06:08, metric 16777224
                    > to 10.7.0.2 via ge-1/2/1.0
user@PE3> show route 192.0.2.6
inet.0: 13 destinations, 14 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.0.2.6/24         *[MPLS/2] 3d 02:53:36, metric 16777215
                      Receive
                    [IS-IS/18] 3d 02:53:28, metric 11
                    > to 10.7.0.1 via ge-1/2/1.0

user@P1> show route 192.0.2.6

inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.0.2.6/24         *[IS-IS/18] 00:53:40, metric 11
                    > to 10.4.0.2 via ge-1/2/0.0

inet.3: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.0.2.6/24         *[LDP/9] 00:53:40, metric 11
                    > to 10.4.0.2 via ge-1/2/0.0

Verifying Egress Protection

Purpose

On Device PE3, check the routes in the routing table.

Action
content_copy zoom_out_map
user@PE3> show mpls egress-protection detail
Instance                 Type      Protection-Type       
rsite1                  remote-vrf  Protector           
  Route Target 1:1
rsite24                 remote-vrf  Protector           
  Route Target 100:1023
Meaning

Instance indicates the community name. Type shows the type of the VRF. It can be either local-vrf or remote-vrf. Route Target shows the route target associated with the routing instance.

Verifying the Routing Instance on Device PE1

Purpose

On Device PE1, check the routes in the routing table.

Action
content_copy zoom_out_map
user@PE1> show route instance vpn1 detail

vpn1:
  Router ID: 10.1.0.2
  Type: vrf               State: Active        
  Interfaces:
    ge-1/2/0.0
  Route-distinguisher: 172.16.183.55:10
  Vrf-import: [ __vrf-import-vpn1-internal__ ]
  Vrf-export: [ __vrf-export-vpn1-internal__ ]
  Vrf-import-target: [ target:10:10 ]
  Vrf-export-target: [ target:10:10 ]
  Fast-reroute-priority: low
  Tables:
    vpn1.inet.0            : 4 routes (4 active, 0 holddown, 0 hidden)

Verifying the LSPs

Purpose

On all devices, check the LSP information.

Action
content_copy zoom_out_map
user@PE1> show mpls lsp extensive

Ingress LSP: 1 sessions

192.0.2.6
  From: 172.16.183.55, State: Up, ActiveRoute: 0, LSPname: toPE2Primary192.0.2.6
  ActivePath:  (primary)
  LSPtype: Static Configured, Penultimate hop popping
  LoadBalance: Random
  Encoding type: Packet, Switching type: Packet, GPID: IPv4
 *Primary                    State: Up
    Priorities: 7 0
    SmartOptimizeTimer: 180
    Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 16777234)
 10.2.0.2 S 10.5.0.2 S 192.0.2.6 S (link-id=2) 
    Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt 20=Node-ID):
          10.2.0.2 10.5.0.2
   17 Jun 10 13:13:04.973 CSPF: computation result accepted  10.2.0.2 10.5.0.2 192.0.2.6(link-id=2)
   16 Jun 10 13:12:36.155 CSPF failed: no route toward 192.0.2.6[4 times]
   15 Jun 10 13:11:26.269 CSPF: link down/deleted: 0.0.0.0(172.16.183.59:2147618818)(PE3.00/172.16.183.59)->0.0.0.0(192.0.2.6:2)(PE2-192.0.2.6.00/192.0.2.6)
   14 Jun 10 13:10:11.771 Selected as active path
   13 Jun 10 13:10:11.770 Record Route:  10.2.0.2 10.5.0.2
   12 Jun 10 13:10:11.770 Up
   11 Jun 10 13:10:11.634 Originate Call
   10 Jun 10 13:10:11.634 CSPF: computation result accepted  10.2.0.2 10.5.0.2 192.0.2.6(link-id=2)
    9 Jun 10 13:10:11.623 Clear Call
    8 Jun 10 13:10:11.622 Deselected as active
    7 Jun  7 11:23:08.224 Selected as active path
    6 Jun  7 11:23:08.224 Record Route:  10.2.0.2 10.5.0.2
    5 Jun  7 11:23:08.223 Up
    4 Jun  7 11:23:08.116 Originate Call
    3 Jun  7 11:23:08.116 CSPF: computation result accepted  10.2.0.2 10.5.0.2 192.0.2.6(link-id=2)
    2 Jun  7 11:22:38.132 CSPF failed: no route toward 192.0.2.6
    1 Jun  7 11:22:08.607 CSPF: could not determine self[8 times]
  Created: Fri Jun  7 11:18:46 2013     
Total 1 displayed, Up 1, Down 0

Egress LSP: 2 sessions

172.16.183.55
  From: 172.16.183.59, LSPstate: Up, ActiveRoute: 0
  LSPname: toPE1, LSPpath: Primary
  Suggested label received: -, Suggested label sent: -
  Recovery label received: -, Recovery label sent: -
  Resv style: 1 FF, Label in: 3, Label out: -
  Time left:  126, Since: Mon Jun 10 13:10:11 2013
  Tspec: rate 0bps size 0bps peak Infbps m 20 M 1500
  Port number: sender 2 receiver 10941 protocol 0
  PATH rcvfrom: 10.2.0.2 (ge-1/2/1.0) 105 pkts
  Adspec: received MTU 1500 
  PATH sentto: localclient
  RESV rcvfrom: localclient 
  Record route: 10.5.0.2 10.2.0.2 <self>  

172.16.183.55
  From: 172.16.183.56, LSPstate: Up, ActiveRoute: 0
  LSPname: toPE1, LSPpath: Primary
  Suggested label received: -, Suggested label sent: -
  Recovery label received: -, Recovery label sent: -
  Resv style: 1 FF, Label in: 3, Label out: -
  Time left:  156, Since: Mon Jun 10 13:10:11 2013
  Tspec: rate 0bps size 0bps peak Infbps m 20 M 1500
  Port number: sender 2 receiver 59956 protocol 0
  PATH rcvfrom: 10.2.0.2 (ge-1/2/1.0) 105 pkts
  Adspec: received MTU 1500 
  PATH sentto: localclient
  RESV rcvfrom: localclient 
  Record route: 10.4.0.2 10.2.0.2 <self>  
Total 2 displayed, Up 2, Down 0

Transit LSP: 0 sessions
Total 0 displayed, Up 0, Down 0
-----

user@PE2> show mpls lsp extensive
Ingress LSP: 2 sessions

192.0.2.6
  From: 172.16.183.56, State: Up, ActiveRoute: 0, LSPname: toPE2Primary192.0.2.6
  ActivePath:  (primary)
  LSPtype: Static Configured, Penultimate hop popping
  LoadBalance: Random
  Encoding type: Packet, Switching type: Packet, GPID: IPv4
 *Primary                    State: Up
    Priorities: 7 0
    SmartOptimizeTimer: 180
    Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 16777224)
 10.7.0.2 S 192.0.2.6 S (link-id=2) 
    Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt 20=Node-ID):
          10.7.0.2
   16 Jun 10 13:13:07.220 CSPF: computation result accepted  10.7.0.2 192.0.2.6(link-id=2)
   15 Jun 10 13:12:38.250 CSPF failed: no route toward 192.0.2.6[4 times]
   14 Jun 10 13:11:26.258 CSPF: link down/deleted: 0.0.0.0(172.16.183.59:2147618818)(PE3.00/172.16.183.59)->0.0.0.0(192.0.2.6:2)(PE2-192.0.2.6.00/192.0.2.6)
   13 Jun 10 13:10:11.746 Selected as active path
   12 Jun 10 13:10:11.743 Record Route:  10.7.0.2
   11 Jun 10 13:10:11.742 Up
   10 Jun 10 13:10:11.680 Originate Call
    9 Jun 10 13:10:11.680 CSPF: computation result accepted  10.7.0.2 192.0.2.6(link-id=2)
    8 Jun 10 13:10:11.674 Clear Call
    7 Jun 10 13:10:11.669 Deselected as active
    6 Jun  7 11:23:09.370 Selected as active path
    5 Jun  7 11:23:09.370 Record Route:  10.7.0.2
    4 Jun  7 11:23:09.369 Up
    3 Jun  7 11:23:09.349 Originate Call
    2 Jun  7 11:23:09.349 CSPF: computation result accepted  10.7.0.2 192.0.2.6(link-id=2)
    1 Jun  7 11:22:40.140 CSPF failed: no route toward 192.0.2.6[9 times]
  Created: Fri Jun  7 11:18:46 2013

172.16.183.55
  From: 172.16.183.56, State: Up, ActiveRoute: 0, LSPname: toPE1
  ActivePath:  (primary)
  LSPtype: Static Configured, Penultimate hop popping
  LoadBalance: Random
  Encoding type: Packet, Switching type: Packet, GPID: IPv4
 *Primary                    State: Up
    Priorities: 7 0
    SmartOptimizeTimer: 180
    Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 20)
 10.4.0.1 S 10.2.0.1 S 
    Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt 20=Node-ID):
          10.4.0.1 10.2.0.1
   13 Jun 10 13:10:11.794 Selected as active path
   12 Jun 10 13:10:11.793 Record Route:  10.4.0.1 10.2.0.1
   11 Jun 10 13:10:11.793 Up
   10 Jun 10 13:10:11.679 Originate Call
    9 Jun 10 13:10:11.679 CSPF: computation result accepted  10.4.0.1 10.2.0.1
    8 Jun 10 13:10:11.660 Clear Call
    7 Jun 10 13:10:11.645 Deselected as active
    6 Jun  7 11:22:40.031 Selected as active path
    5 Jun  7 11:22:40.024 Record Route:  10.4.0.1 10.2.0.1
    4 Jun  7 11:22:40.012 Up
    3 Jun  7 11:22:39.687 Originate Call
    2 Jun  7 11:22:39.687 CSPF: computation result accepted  10.4.0.1 10.2.0.1
    1 Jun  7 11:22:10.235 CSPF failed: no route toward 172.16.183.55[8 times]
  Created: Fri Jun  7 11:18:45 2013
Total 2 displayed, Up 2, Down 0

Egress LSP: 0 sessions
Total 0 displayed, Up 0, Down 0

Transit LSP: 0 sessions
Total 0 displayed, Up 0, Down 0
user@PE3> show mpls lsp extensive
Ingress LSP: 1 sessions

172.16.183.55
  From: 172.16.183.59, State: Up, ActiveRoute: 0, LSPname: toPE1
  ActivePath:  (primary)
  LSPtype: Static Configured, Penultimate hop popping
  LoadBalance: Random
  Encoding type: Packet, Switching type: Packet, GPID: IPv4
 *Primary                    State: Up
    Priorities: 7 0
    SmartOptimizeTimer: 180
    Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 20)
 10.5.0.1 S 10.2.0.1 S 
    Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt 20=Node-ID):
          10.5.0.1 10.2.0.1
   13 Jun 10 13:10:11.708 Selected as active path
   12 Jun 10 13:10:11.703 Record Route:  10.5.0.1 10.2.0.1
   11 Jun 10 13:10:11.703 Up
   10 Jun 10 13:10:11.599 Originate Call
    9 Jun 10 13:10:11.599 CSPF: computation result accepted  10.5.0.1 10.2.0.1
    8 Jun 10 13:10:11.558 Clear Call
    7 Jun 10 13:10:11.555 Deselected as active
    6 Jun  7 11:22:41.829 Selected as active path
    5 Jun  7 11:22:41.828 Record Route:  10.5.0.1 10.2.0.1
    4 Jun  7 11:22:41.827 Up
    3 Jun  7 11:22:41.767 Originate Call
    2 Jun  7 11:22:41.767 CSPF: computation result accepted  10.5.0.1 10.2.0.1
    1 Jun  7 11:22:12.289 CSPF failed: no route toward 172.16.183.55[8 times]
  Created: Fri Jun  7 11:18:45 2013
Total 1 displayed, Up 1, Down 0

Egress LSP: 2 sessions

192.0.2.6
  From: 172.16.183.55, LSPstate: Up, ActiveRoute: 0
  LSPname: toPE2Primary192.0.2.6, LSPpath: Primary
  Suggested label received: -, Suggested label sent: -
  Recovery label received: -, Recovery label sent: -
  Resv style: 1 FF, Label in: 299920, Label out: 3
  Time left:  141, Since: Mon Jun 10 13:10:11 2013
  Tspec: rate 0bps size 0bps peak Infbps m 20 M 1500
  Port number: sender 2 receiver 17060 protocol 0
  Attrib flags: Non-PHP OOB
  PATH rcvfrom: 10.5.0.1 (ge-1/2/2.0) 105 pkts
  Adspec: received MTU 1500 
  PATH sentto: localclient
  RESV rcvfrom: localclient 
  Record route: 10.2.0.1 10.5.0.1 <self>  

192.0.2.6
  From: 172.16.183.56, LSPstate: Up, ActiveRoute: 0
  LSPname: toPE2Primary192.0.2.6, LSPpath: Primary
  Suggested label received: -, Suggested label sent: -
  Recovery label received: -, Recovery label sent: -
  Resv style: 1 FF, Label in: 299936, Label out: 3
  Time left:  152, Since: Mon Jun 10 13:10:11 2013
  Tspec: rate 0bps size 0bps peak Infbps m 20 M 1500
  Port number: sender 2 receiver 59957 protocol 0
  Attrib flags: Non-PHP OOB
  PATH rcvfrom: 10.7.0.1 (ge-1/2/1.0) 106 pkts
  Adspec: received MTU 1500 
  PATH sentto: localclient
  RESV rcvfrom: localclient 
  Record route: 10.7.0.1 <self>  
Total 2 displayed, Up 2, Down 0

Transit LSP: 0 sessions
Total 0 displayed, Up 0, Down 0
user@P1> show mpls lsp extensive
Ingress LSP: 0 sessions
Total 0 displayed, Up 0, Down 0         

Egress LSP: 0 sessions
Total 0 displayed, Up 0, Down 0

Transit LSP: 3 sessions

192.0.2.6
  From: 172.16.183.55, LSPstate: Up, ActiveRoute: 0
  LSPname: toPE2Primary192.0.2.6, LSPpath: Primary
  Suggested label received: -, Suggested label sent: -
  Recovery label received: -, Recovery label sent: 299920
  Resv style: 1 FF, Label in: 299904, Label out: 299920
  Time left:  141, Since: Mon Jun 10 13:10:11 2013
  Tspec: rate 0bps size 0bps peak Infbps m 20 M 1500
  Port number: sender 2 receiver 17060 protocol 0
  Attrib flags: Non-PHP OOB
  PATH rcvfrom: 10.2.0.1 (ge-1/2/1.0) 106 pkts
  Adspec: received MTU 1500 sent MTU 1500
  PATH sentto: 10.5.0.2 (ge-1/2/2.0) 105 pkts
  RESV rcvfrom: 10.5.0.2 (ge-1/2/2.0) 105 pkts
  Explct route: 10.5.0.2 192.0.2.6 (link-id=2) 
  Record route: 10.2.0.1 <self> 10.5.0.2  

172.16.183.55
  From: 172.16.183.59, LSPstate: Up, ActiveRoute: 0
  LSPname: toPE1, LSPpath: Primary
  Suggested label received: -, Suggested label sent: -
  Recovery label received: -, Recovery label sent: 3
  Resv style: 1 FF, Label in: 299888, Label out: 3
  Time left:  158, Since: Mon Jun 10 13:10:11 2013
  Tspec: rate 0bps size 0bps peak Infbps m 20 M 1500
  Port number: sender 2 receiver 10941 protocol 0
  PATH rcvfrom: 10.5.0.2 (ge-1/2/2.0) 106 pkts
  Adspec: received MTU 1500 sent MTU 1500
  PATH sentto: 10.2.0.1 (ge-1/2/1.0) 105 pkts
  RESV rcvfrom: 10.2.0.1 (ge-1/2/1.0) 105 pkts
  Explct route: 10.2.0.1 
  Record route: 10.5.0.2 <self> 10.2.0.1  

172.16.183.55
  From: 172.16.183.56, LSPstate: Up, ActiveRoute: 0
  LSPname: toPE1, LSPpath: Primary
  Suggested label received: -, Suggested label sent: -
  Recovery label received: -, Recovery label sent: 3
  Resv style: 1 FF, Label in: 299920, Label out: 3
  Time left:  141, Since: Mon Jun 10 13:10:11 2013
  Tspec: rate 0bps size 0bps peak Infbps m 20 M 1500
  Port number: sender 2 receiver 59956 protocol 0
  PATH rcvfrom: 10.4.0.2 (ge-1/2/0.0) 105 pkts
  Adspec: received MTU 1500 sent MTU 1500
  PATH sentto: 10.2.0.1 (ge-1/2/1.0) 105 pkts
  RESV rcvfrom: 10.2.0.1 (ge-1/2/1.0) 105 pkts
  Explct route: 10.2.0.1 
  Record route: 10.4.0.2 <self> 10.2.0.1  
Total 3 displayed, Up 3, Down 0

Verifying BGP NRLI

Purpose

Check the details of the BGP VPN network layer reachability information.

Action
content_copy zoom_out_map
user@PE3> show bgp neighbor

Peer: 172.16.183.55+179 AS 64510 Local: 172.16.183.59+61747 AS 64510
  Type: Internal    State: Established    Flags: <Sync>
  Last State: OpenConfirm   Last Event: RecvKeepAlive
  Last Error: None
  Options: <Preference LocalAddress AddressFamily Rib-group Refresh>
  Address families configured: inet-vpn-unicast
  Local Address: 172.16.183.59 Holdtime: 90 Preference: 170
  NLRI configured with egress-protection: inet-vpn-unicast
  Egress-protection NLRI inet-vpn-unicast, keep-import: [ remote-vrf ]
  Number of flaps: 0
  Peer ID: 172.16.183.55   Local ID: 172.16.183.59     Active Holdtime: 90
  Keepalive Interval: 30         Group index: 0    Peer index: 0   
  BFD: disabled, down
  NLRI for restart configured on peer: inet-vpn-unicast
  NLRI advertised by peer: inet-vpn-unicast
  NLRI for this session: inet-vpn-unicast
  Peer supports Refresh capability (2)
  Stale routes from peer are kept for: 300
  Peer does not support Restarter functionality
  NLRI that restart is negotiated for: inet-vpn-unicast
  NLRI of received end-of-rib markers: inet-vpn-unicast
  Peer supports 4 byte AS extension (peer-as 64510)
  Peer does not support Addpath
  Table bgp.l3vpn.0
    RIB State: BGP restart is complete
    RIB State: VPN restart is complete
    Send state: not advertising
    Active prefixes:              0
    Received prefixes:            0
    Accepted prefixes:            0
    Suppressed due to damping:    0
  Last traffic (seconds): Received 25   Sent 21   Checked 11  
  Input messages:  Total 32046  Updates 7       Refreshes 0     Octets 609365
  Output messages: Total 32050  Updates 0       Refreshes 5     Octets 609010
  Output Queue[0]: 0

Peer: 172.16.183.56+62754 AS 64510 Local: 172.16.183.59+179 AS 64510
  Type: Internal    State: Established    Flags: <Sync>
  Last State: OpenConfirm   Last Event: RecvKeepAlive
  Last Error: None
  Options: <Preference LocalAddress AddressFamily Rib-group Refresh>
  Address families configured: inet-vpn-unicast
  Local Address: 172.16.183.59 Holdtime: 90 Preference: 170
  NLRI configured with egress-protection: inet-vpn-unicast
  Egress-protection NLRI inet-vpn-unicast, keep-import: [ remote-vrf ]
  Number of flaps: 1
  Last flap event: TransportError
  Peer ID: 172.16.183.56   Local ID: 172.16.183.59     Active Holdtime: 90
  Keepalive Interval: 30         Group index: 0    Peer index: 1   
  BFD: disabled, down
  NLRI for restart configured on peer: inet-vpn-unicast
  NLRI advertised by peer: inet-vpn-unicast
  NLRI for this session: inet-vpn-unicast
  Peer supports Refresh capability (2)
  Stale routes from peer are kept for: 300
  Peer does not support Restarter functionality
  NLRI that restart is negotiated for: inet-vpn-unicast
  Peer supports 4 byte AS extension (peer-as 64510)
  Peer does not support Addpath
  Table bgp.l3vpn.0
    RIB State: BGP restart is complete
    RIB State: VPN restart is complete
    Send state: not advertising
    Active prefixes:              0
    Received prefixes:            0
    Accepted prefixes:            0
    Suppressed due to damping:    0
  Last traffic (seconds): Received 19   Sent 8    Checked 34  
  Input messages:  Total 10025  Updates 0       Refreshes 2     Octets 190523
  Output messages: Total 10024  Updates 0       Refreshes 2     Octets 190504
  Output Queue[0]: 0
Meaning

NLRI configured with egress-protection shows the BGP family configured with egress protection. egress-protection NLRI inet-vpn-unicast, keep-import: [remote-vrf] shows the egress protection routing policy for the BGP group.

Verifying the Traffic Engineering Database

Purpose

On all devices, check the TED.

Action
content_copy zoom_out_map
user@PE1> show ted database

TED database: 9 ISIS nodes 5 INET nodes
ID                            Type Age(s) LnkIn LnkOut Protocol
P1.00(172.16.0.3)         Rtr      44     3      3 IS-IS(2)
    To: P1.02, Local: 10.2.0.2, Remote: 0.0.0.0
      Local interface index: 149, Remote interface index: 0
    To: PE2.02, Local: 10.4.0.1, Remote: 0.0.0.0
      Local interface index: 150, Remote interface index: 0
    To: PE3.03, Local: 10.5.0.1, Remote: 0.0.0.0
      Local interface index: 133, Remote interface index: 0
ID                            Type Age(s) LnkIn LnkOut Protocol
P1.02                     Net     111     2      2 IS-IS(2)
    To: PE1.00(172.16.183.55), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
    To: P1.00(172.16.0.3), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
ID                            Type Age(s) LnkIn LnkOut Protocol
PE2-192.0.2.6.00(192.0.2.6)   Rtr     345     2      2 IS-IS(2)
    To: PE2.00(172.16.183.56), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 1, Remote interface index: 2147618817
    To: PE3.00(172.16.183.59), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 2, Remote interface index: 2147618818
ID                            Type Age(s) LnkIn LnkOut Protocol
PE1.00(172.16.183.55)     Rtr     487     1      1 IS-IS(2)
    To: P1.02, Local: 10.2.0.1, Remote: 0.0.0.0
      Local interface index: 148, Remote interface index: 0
ID                            Type Age(s) LnkIn LnkOut Protocol
PE2.00(172.16.183.56)     Rtr     353     3      3 IS-IS(2)
    To: PE2.02, Local: 10.4.0.2, Remote: 0.0.0.0
      Local interface index: 155, Remote interface index: 0
    To: PE3.02, Local: 10.7.0.1, Remote: 0.0.0.0
      Local interface index: 153, Remote interface index: 0
    To: PE2-192.0.2.6.00(192.0.2.6), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 2147618817, Remote interface index: 1
ID                            Type Age(s) LnkIn LnkOut Protocol
PE2.02                    Net      59     2      2 IS-IS(2)
    To: P1.00(172.16.0.3), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
    To: PE2.00(172.16.183.56), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
ID                            Type Age(s) LnkIn LnkOut Protocol
PE3.00(172.16.183.59)     Rtr     435     3      3 IS-IS(2)
    To: PE3.02, Local: 10.7.0.2, Remote: 0.0.0.0
      Local interface index: 154, Remote interface index: 0
    To: PE3.03, Local: 10.5.0.2, Remote: 0.0.0.0
      Local interface index: 158, Remote interface index: 0
    To: PE2-192.0.2.6.00(192.0.2.6), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 2147618818, Remote interface index: 2
ID                            Type Age(s) LnkIn LnkOut Protocol
PE3.02                    Net     706     2      2 IS-IS(2)
    To: PE2.00(172.16.183.56), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
    To: PE3.00(172.16.183.59), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
ID                            Type Age(s) LnkIn LnkOut Protocol
PE3.03                    Net     583     2      2 IS-IS(2)
    To: P1.00(172.16.0.3), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
    To: PE3.00(172.16.183.59), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
user@PE2> show ted database
TED database: 9 ISIS nodes 5 INET nodes
ID                            Type Age(s) LnkIn LnkOut Protocol
P1.00(172.16.0.3)         Rtr      44     3      3 IS-IS(2)
    To: PE2.02, Local: 10.4.0.1, Remote: 0.0.0.0
      Local interface index: 150, Remote interface index: 0
    To: P1.02, Local: 10.2.0.2, Remote: 0.0.0.0
      Local interface index: 149, Remote interface index: 0
    To: PE3.03, Local: 10.5.0.1, Remote: 0.0.0.0
      Local interface index: 133, Remote interface index: 0
ID                            Type Age(s) LnkIn LnkOut Protocol
P1.02                     Net     111     2      2 IS-IS(2)
    To: P1.00(172.16.0.3), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
    To: PE1.00(172.16.183.55), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
ID                            Type Age(s) LnkIn LnkOut Protocol
PE2-192.0.2.6.00(192.0.2.6)   Rtr     345     2      2 IS-IS(2)
    To: PE2.00(172.16.183.56), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 1, Remote interface index: 2147618817
    To: PE3.00(172.16.183.59), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 2, Remote interface index: 2147618818
ID                            Type Age(s) LnkIn LnkOut Protocol
PE1.00(172.16.183.55)     Rtr     487     1      1 IS-IS(2)
    To: P1.02, Local: 10.2.0.1, Remote: 0.0.0.0
      Local interface index: 148, Remote interface index: 0
ID                            Type Age(s) LnkIn LnkOut Protocol
PE2.00(172.16.183.56)     Rtr     353     3      3 IS-IS(2)
    To: PE2.02, Local: 10.4.0.2, Remote: 0.0.0.0
      Local interface index: 155, Remote interface index: 0
    To: PE3.02, Local: 10.7.0.1, Remote: 0.0.0.0
      Local interface index: 153, Remote interface index: 0
    To: PE2-192.0.2.6.00(192.0.2.6), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 2147618817, Remote interface index: 1
ID                            Type Age(s) LnkIn LnkOut Protocol
PE2.02                    Net      60     2      2 IS-IS(2)
    To: P1.00(172.16.0.3), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
    To: PE2.00(172.16.183.56), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
ID                            Type Age(s) LnkIn LnkOut Protocol
PE3.00(172.16.183.59)     Rtr     435     3      3 IS-IS(2)
    To: PE3.02, Local: 10.7.0.2, Remote: 0.0.0.0
      Local interface index: 154, Remote interface index: 0
    To: PE3.03, Local: 10.5.0.2, Remote: 0.0.0.0
      Local interface index: 158, Remote interface index: 0
    To: PE2-192.0.2.6.00(192.0.2.6), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 2147618818, Remote interface index: 2
ID                            Type Age(s) LnkIn LnkOut Protocol
PE3.02                    Net     706     2      2 IS-IS(2)
    To: PE2.00(172.16.183.56), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
    To: PE3.00(172.16.183.59), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
ID                            Type Age(s) LnkIn LnkOut Protocol
PE3.03                    Net     583     2      2 IS-IS(2)
    To: P1.00(172.16.0.3), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
    To: PE3.00(172.16.183.59), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
user@PE3> show ted database
TED database: 9 ISIS nodes 5 INET nodes
ID                            Type Age(s) LnkIn LnkOut Protocol
P1.00(172.16.0.3)         Rtr      44     3      3 IS-IS(2)
    To: P1.02, Local: 10.2.0.2, Remote: 0.0.0.0
      Local interface index: 149, Remote interface index: 0
    To: PE2.02, Local: 10.4.0.1, Remote: 0.0.0.0
      Local interface index: 150, Remote interface index: 0
    To: PE3.03, Local: 10.5.0.1, Remote: 0.0.0.0
      Local interface index: 133, Remote interface index: 0
ID                            Type Age(s) LnkIn LnkOut Protocol
P1.02                     Net     111     2      2 IS-IS(2)
    To: PE1.00(172.16.183.55), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
    To: P1.00(172.16.0.3), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
ID                            Type Age(s) LnkIn LnkOut Protocol
PE2-192.0.2.6.00(192.0.2.6)   Rtr     345     2      2 IS-IS(2)
    To: PE2.00(172.16.183.56), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 1, Remote interface index: 2147618817
    To: PE3.00(172.16.183.59), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 2, Remote interface index: 2147618818
ID                            Type Age(s) LnkIn LnkOut Protocol
PE1.00(172.16.183.55)     Rtr     487     1      1 IS-IS(2)
    To: P1.02, Local: 10.2.0.1, Remote: 0.0.0.0
      Local interface index: 148, Remote interface index: 0
ID                            Type Age(s) LnkIn LnkOut Protocol
PE2.00(172.16.183.56)     Rtr     353     3      3 IS-IS(2)
    To: PE3.02, Local: 10.7.0.1, Remote: 0.0.0.0
      Local interface index: 153, Remote interface index: 0
    To: PE2.02, Local: 10.4.0.2, Remote: 0.0.0.0
      Local interface index: 155, Remote interface index: 0
    To: PE2-192.0.2.6.00(192.0.2.6), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 2147618817, Remote interface index: 1
ID                            Type Age(s) LnkIn LnkOut Protocol
PE2.02                    Net      59     2      2 IS-IS(2)
    To: PE2.00(172.16.183.56), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
    To: P1.00(172.16.0.3), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
ID                            Type Age(s) LnkIn LnkOut Protocol
PE3.00(172.16.183.59)     Rtr     435     3      3 IS-IS(2)
    To: PE3.02, Local: 10.7.0.2, Remote: 0.0.0.0
      Local interface index: 154, Remote interface index: 0
    To: PE3.03, Local: 10.5.0.2, Remote: 0.0.0.0
      Local interface index: 158, Remote interface index: 0
    To: PE2-192.0.2.6.00(192.0.2.6), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 2147618818, Remote interface index: 2
ID                            Type Age(s) LnkIn LnkOut Protocol
PE3.02                    Net     706     2      2 IS-IS(2)
    To: PE2.00(172.16.183.56), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
    To: PE3.00(172.16.183.59), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
ID                            Type Age(s) LnkIn LnkOut Protocol
PE3.03                    Net     583     2      2 IS-IS(2)
    To: PE3.00(172.16.183.59), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
    To: P1.00(172.16.0.3), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
-----

user@P1> show ted database
TED database: 9 ISIS nodes 5 INET nodes
ID                            Type Age(s) LnkIn LnkOut Protocol
P1.00(172.16.0.3)         Rtr      44     3      3 IS-IS(2)
    To: PE2.02, Local: 10.4.0.1, Remote: 0.0.0.0
      Local interface index: 150, Remote interface index: 0
    To: P1.02, Local: 10.2.0.2, Remote: 0.0.0.0
      Local interface index: 149, Remote interface index: 0
    To: PE3.03, Local: 10.5.0.1, Remote: 0.0.0.0
      Local interface index: 133, Remote interface index: 0
ID                            Type Age(s) LnkIn LnkOut Protocol
P1.02                     Net     111     2      2 IS-IS(2)
    To: P1.00(172.16.0.3), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
    To: PE1.00(172.16.183.55), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
ID                            Type Age(s) LnkIn LnkOut Protocol
PE2-192.0.2.6.00(192.0.2.6)   Rtr     345     2      2 IS-IS(2)
    To: PE2.00(172.16.183.56), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 1, Remote interface index: 2147618817
    To: PE3.00(172.16.183.59), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 2, Remote interface index: 2147618818
ID                            Type Age(s) LnkIn LnkOut Protocol
PE1.00(172.16.183.55)     Rtr     487     1      1 IS-IS(2)
    To: P1.02, Local: 10.2.0.1, Remote: 0.0.0.0
      Local interface index: 148, Remote interface index: 0
ID                            Type Age(s) LnkIn LnkOut Protocol
PE2.00(172.16.183.56)     Rtr     353     3      3 IS-IS(2)
    To: PE2.02, Local: 10.4.0.2, Remote: 0.0.0.0
      Local interface index: 155, Remote interface index: 0
    To: PE3.02, Local: 10.7.0.1, Remote: 0.0.0.0
      Local interface index: 153, Remote interface index: 0
    To: PE2-192.0.2.6.00(192.0.2.6), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 2147618817, Remote interface index: 1
ID                            Type Age(s) LnkIn LnkOut Protocol
PE2.02                    Net      59     2      2 IS-IS(2)
    To: P1.00(172.16.0.3), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
    To: PE2.00(172.16.183.56), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
ID                            Type Age(s) LnkIn LnkOut Protocol
PE3.00(172.16.183.59)     Rtr     435     3      3 IS-IS(2)
    To: PE3.02, Local: 10.7.0.2, Remote: 0.0.0.0
      Local interface index: 154, Remote interface index: 0
    To: PE3.03, Local: 10.5.0.2, Remote: 0.0.0.0
      Local interface index: 158, Remote interface index: 0
    To: PE2-192.0.2.6.00(192.0.2.6), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 2147618818, Remote interface index: 2
ID                            Type Age(s) LnkIn LnkOut Protocol
PE3.02                    Net     706     2      2 IS-IS(2)
    To: PE2.00(172.16.183.56), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
    To: PE3.00(172.16.183.59), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
ID                            Type Age(s) LnkIn LnkOut Protocol
PE3.03                    Net     583     2      2 IS-IS(2)
    To: P1.00(172.16.0.3), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0
    To: PE3.00(172.16.183.59), Local: 0.0.0.0, Remote: 0.0.0.0
      Local interface index: 0, Remote interface index: 0

Verifying the IS-IS Database

Purpose

On all devices, check the IS-IS database.

Action
content_copy zoom_out_map
user@PE1> show isis database

IS-IS level 1 link-state database:
  0 LSPs

IS-IS level 2 link-state database:
LSP ID                      Sequence Checksum Lifetime Attributes
P1.00-00                   0x46b   0x1924      590 L1 L2
P1.02-00                   0x465   0xe67a      523 L1 L2
PE2-192.0.2.6.00-00          0xd0e   0x6b8d     1086 L1 L2 Overload
PE1.00-00                  0x46f    0xa8b      992 L1 L2
PE2.00-00                  0x46b   0xefd6     1077 L1 L2
PE2.02-00                  0x464   0x4db4      573 L1 L2
PE3.00-00                  0x46f   0xb6e8     1016 L1 L2
PE3.02-00                  0x465   0x2675      762 L1 L2
PE3.03-00                  0x465   0x47b2      797 L1 L2
  9 LSPs

user@PE2> show isis database
IS-IS level 1 link-state database:
  0 LSPs

IS-IS level 2 link-state database:
LSP ID                      Sequence Checksum Lifetime Attributes
P1.00-00                   0x46b   0x1924      590 L1 L2
P1.02-00                   0x465   0xe67a      523 L1 L2
PE2-192.0.2.6.00-00          0xd0e   0x6b8d     1090 L1 L2 Overload
PE1.00-00                  0x46f    0xa8b      988 L1 L2
PE2.00-00                  0x46b   0xefd6     1080 L1 L2
PE2.02-00                  0x464   0x4db4      576 L1 L2
PE3.00-00                  0x46f   0xb6e8     1018 L1 L2
PE3.02-00                  0x465   0x2675      763 L1 L2
PE3.03-00                  0x465   0x47b2      799 L1 L2
  9 LSPs
user@PE3> show isis database
IS-IS level 1 link-state database:
  0 LSPs

IS-IS level 2 link-state database:
LSP ID                      Sequence Checksum Lifetime Attributes
P1.00-00                   0x46b   0x1924      590 L1 L2
P1.02-00                   0x465   0xe67a      523 L1 L2
PE2-192.0.2.6.00-00          0xd0e   0x6b8d     1088 L1 L2 Overload
PE1.00-00                  0x46f    0xa8b      988 L1 L2
PE2.00-00                  0x46b   0xefd6     1079 L1 L2
PE2.02-00                  0x464   0x4db4      575 L1 L2
PE3.00-00                  0x46f   0xb6e8     1020 L1 L2
PE3.02-00                  0x465   0x2675      765 L1 L2
PE3.03-00                  0x465   0x47b2      801 L1 L2
  9 LSPs
user@P1> show isis database
IS-IS level 1 link-state database:
  0 LSPs

IS-IS level 2 link-state database:
LSP ID                      Sequence Checksum Lifetime Attributes
P1.00-00                   0x46b   0x1924      592 L1 L2
P1.02-00                   0x465   0xe67a      525 L1 L2
PE2-192.0.2.6.00-00          0xd0e   0x6b8d     1088 L1 L2 Overload
PE1.00-00                  0x46f    0xa8b      990 L1 L2
PE2.00-00                  0x46b   0xefd6     1079 L1 L2
PE2.02-00                  0x464   0x4db4      575 L1 L2
PE3.00-00                  0x46f   0xb6e8     1018 L1 L2
PE3.02-00                  0x465   0x2675      763 L1 L2
PE3.03-00                  0x465   0x47b2      799 L1 L2
  9 LSPs
arrow_backward PREVIOUS BGP PIC for Layer 3 VPNs
NEXT arrow_forward Provider Edge Link Protections in Layer 3 VPNs
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top