r/networking Posted by AMA TP-Link, DrayTek and SonicWall 4 months ago

Hi All,

It is Barry the Bestbuy Guy here!

Let’s take a moment to give praise to Watchguard for not only accepting me to a temp position at their Best Buy Watchguard diversion but also for being the best product known to humankind and also possibly aliens.

Share your story about how Watchguard has improved and/or saved your life!

r/networking Posted by AMA TP-Link, DrayTek and SonicWall 5 months ago

I had a fun(?) idea for a twitch stream where the chat controls the topics covered. So the idea is that I’ll cover whatever comes up, as long as I’m able to explain it / lab it in the stream.

So if you want to ask a question / challenge me then check out twitch.tv/PacketThrower tomorrow. I’m not sure when the stream will start but I’ll post a notice before.

Should start around 1:30 MST

——- Mod note: I’m thinking of a better way of doing these announcements that is less...spammy but since this is the first one I’ll see how this goes.

r/ccna Posted by Meow 🐈🐈Meow 🐱🐱 Meow Meow🍺🐈🐱Meow A+! 5 months ago

Hi All,

If anyone is interested, I'll be doing a CCNA Security stream on Firepower, TACACS, and a few other minor things at www.twitch.tv/PacketThrower. The stream will be recorded if you want to check it out later.

—— Stream is done for the day!

r/ccna Posted by Meow 🐈🐈Meow 🐱🐱 Meow Meow🍺🐈🐱Meow A+! 6 months ago
Archived

Hi All,

I've been buried for a while and have fallen a bit behind on issuing kitty gifs!

If I have missed you, link your "I passed" post here and I'll get it sorted out!!!!!!!!!

r/ccie Posted by Meow 🐈🐈Meow 🐱🐱 Meow Meow🍺🐈🐱Meow A+! 7 months ago
Archived

Hi all,

It's been a while since I did a proper post on reddit and with the xmas break I finally managed to finish one! So if anyone wants to read about LISP and such then you can do so at my blog here.

Since I'm lazy over the holidays I won't convert this one over to reddit so if you don't want to click then enjoy this holiday CAT!!!


My MPLS post the other week was pretty well received so I figured might as well show the other side of the coin and do it again with Juniper boxes.

Topology

Today's Topology is similar to last time but Juniperified, we have:

  • 4 x PE routers that are vMX
  • 4 x P routers that are vSRX
  • 4 x CE routers that are vSRX boxes as well.

There are again two customers, CUST-A and CUST-B because originality is hard.

To save on some config space I'll just focus on a single router at a time unless there are differences that are worth seeing.

Provider Routers

Disable Flow Mode

I'm using SRX routers for my core so we need to disable the default flow-based mode and reboot the boxes before we can use them with MPLS.

root@P01# set security forwarding-options family inet6 mode packet-based 

[edit]
root@P01# set security forwarding-options family mpls mode packet-based 

[edit]
root@P01# set security forwarding-options family iso mode packet-based 

root@P01# commit 
commit complete

[edit]

root@P01# run request system reboot 
Reboot the system ? [yes,no] (no) yes

Once this is done we will no longer need to use security zones for everything.

Basic Setup

To keep things clean I'm using a virtual-router instance to move the first interface into another routing table for management.

set routing-instances MGMT instance-type virtual-router
set routing-instances MGMT interface ge-0/0/0.0
set routing-instances MGMT routing-options static route 0.0.0.0/0 next-hop 10.20.2.1
set interfaces ge-0/0/0 unit 0 family inet address 10.20.2.211/24

Most of my interfaces are connecting to trunk ports to make life easier so I'm going to enable vlan tagging and use subinterfaces to connect to everything.

set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 3011 vlan-id 3011
set interfaces ge-0/0/1 unit 3011 family inet address 10.1.11.1/24
set interfaces ge-0/0/1 unit 3012 vlan-id 3012
set interfaces ge-0/0/1 unit 3012 family inet address 10.1.2.1/24
set interfaces ge-0/0/1 unit 3013 vlan-id 3013
set interfaces ge-0/0/1 unit 3013 family inet address 10.1.3.1/24
set interfaces ge-0/0/1 unit 3014 vlan-id 3014
set interfaces ge-0/0/1 unit 3014 family inet address 10.1.4.1/24
set interfaces lo0 unit 0 family inet address 192.168.255.1/32

Then I'll just turn on OSPF on all active interfaces in the routing instance.

root@P01# set protocols ospf area 0.0.0.0 interface all 

Once we are done we should see a neighbor with every other P router and a PE router (once we get that far)

root@P01# run show ospf neighbor 
Address          Interface              State     ID               Pri  Dead
10.1.11.254      ge-0/0/1.3011          Full      192.168.255.11   128    39
10.1.2.2         ge-0/0/1.3012          Full      192.168.255.2    128    32
10.1.3.3         ge-0/0/1.3013          Full      192.168.255.3    128    39
10.1.4.4         ge-0/0/1.3014          Full      192.168.255.4    128    34

Enabling MPLS

While Cisco put effort into making sure MPLS is turned on right away, Juniper takes a bit more effort.

First we need to enable MPLS and LDP in the control plane under protocols, we can conveniently use the interface all keyword to enable it on all interfaces.

root@P01# set protocols mpls interface all 

root@P01# set protocols ldp interface all   

Next we need to turn it on for the forwarding plane by adding the mpls family to each interface on the router that will be in the MPLS path. This can be a bit annoying so you might want to look into things like config groups to ease the admin burden.

set interfaces ge-0/0/1 unit 3011 family mpls

set interfaces ge-0/0/1 unit 3012 family mpls

set interfaces ge-0/0/1 unit 3013 family mpls

set interfaces ge-0/0/1 unit 3014 family mpls

set interfaces lo0 unit 0 family mpls

Route Reflector

We'll use a route reflector again but this time I'll just take advantage of the logical-system feature to carve PE01 and PE02 into two new Route Reflector boxes.

RR01

First we'll turn on vlan-tagging for the interface I want to use since we still need to configure physical stuff at the interface level in logical-systems.

root@PE11# set interfaces ge-0/0/2 vlan-tagging 

Next we configure the interfaces like above under the logical-system.

root@PE11# set logical-systems RR01 interfaces ge-0/0/2 unit 3123 vlan-id 3123 
root@PE11# set logical-systems RR01 interfaces ge-0/0/2 unit 3123 family inet address 10.0.123.254/24 
root@PE11# set logical-systems RR01 interfaces ge-0/0/2 unit 3123 family mpls 
root@PE11# set logical-systems RR01 interfaces lo0 unit 1 family inet address 192.168.255.154/32 

root@PE11# set logical-systems RR01 protocols ospf area 0.0.0.0 interface all 
root@PE11# set logical-systems RR01 protocols mpls interface all 
root@PE11# set logical-systems RR01 protocols ldp interface all 

BGP is configured with the inet-vpn family, which is the same as Cisco's VPNv4 family. The route reflector will have all four PEs as a peer, will use 65123 as the AS for iBGP and will set a cluster-id so Juniper knows it is a Route Reflector.

root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL type internal 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL local-address 192.168.255.154 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL family inet-vpn unicast 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL cluster 192.168.255.254 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.11 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.22 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.33 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.44 
root@PE11# set logical-systems RR01 routing-options autonomous-system 65123 

RR02

root@PE22# set logical-systems RR02 interfaces ge-0/0/2 unit 3123 vlan-id 3123 
root@PE22# set logical-systems RR02 interfaces ge-0/0/2 unit 3123 family inet address 10.1.123.254/24 
root@PE22# set logical-systems RR02 interfaces ge-0/0/2 unit 3123 family mpls 
root@PE22# set logical-systems RR02 interfaces lo0 unit 1 family inet address 192.168.255.254/32 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL type internal 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL local-address 192.168.255.254 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL family inet-vpn unicast 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL cluster 192.168.255.254 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.11 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.22 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.33 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.44 
root@PE22# set logical-systems RR02 protocols ospf area 0.0.0.0 interface all 
root@PE22# set logical-systems RR02 protocols mpls interface all 
root@PE22# set logical-systems RR02 protocols ldp interface all 
root@PE22# set logical-systems RR02 routing-options autonomous-system 65123 

Provider Edge

The PE will be similar to the Route-Reflector minus the logical system stuff. We'll set up the interfaces, enable OSPF and MPLS, then peer with each of the RRs.

root@PE11# set routing-instances MGMT instance-type virtual-router 
root@PE11# set routing-instances MGMT interface ge-0/0/0.0 
root@PE11# set routing-instances MGMT routing-options static route 0.0.0.0/0 next-hop 10.20.2.1 
root@PE11# set interfaces ge-0/0/0 unit 0 family inet address 10.20.2.201/24 

root@PE11# set interfaces ge-0/0/1 vlan-tagging 
root@PE11# set interfaces ge-0/0/1 unit 3011 vlan-id 3011 
root@PE11# set interfaces ge-0/0/1 unit 3011 family inet address 10.1.11.254/24 
root@PE11# set interfaces ge-0/0/1 unit 3011 family mpls 
root@PE11# set interfaces ge-0/0/1 unit 3123 vlan-id 3123 
root@PE11# set interfaces ge-0/0/1 unit 3123 family inet address 10.0.123.11/24 
root@PE11# set interfaces ge-0/0/1 unit 3123 family mpls 
root@PE11# set interfaces ge-0/0/2 vlan-tagging 
root@PE11# set interfaces ge-0/0/5 unit 0 family inet address 192.168.1.254/24 

root@PE11# set interfaces lo0 unit 0 family inet address 192.168.255.11/32 
root@PE11# set interfaces lo0 unit 0 family inet6 address 2001:1234::1/128 
root@PE11# set interfaces lo0 unit 0 family mpls 

root@PE11# set routing-options autonomous-system 65123 
root@PE11# set protocols bgp group RR type internal 
root@PE11# set protocols bgp group RR local-address 192.168.255.11 
root@PE11# set protocols bgp group RR family inet-vpn unicast 
root@PE11# set protocols bgp group RR neighbor 192.168.255.154 
root@PE11# set protocols bgp group RR neighbor 192.168.255.254 

VRF / Policies

Now that our BGP is up it is time to create the last piece of the L3VPN, which is making the policies as well as the VRF the CE goes into.

Policies

In Cisco land we controlled what route we imported and exported under the VRF configuration, Juniper does that too but for more granular control we will make a more elaborate policy.

First we make a community policy that just exports the PE's RD on each router.

root@PE11# set policy-options community RT-EXPORT-CE01 members target:65123:101 

Next we'll do the same for the import community where we will make one for each CE for flexibility's sake.

root@PE11# set policy-options community RT-IMPORT-CE01 members target:65123:101 
root@PE11# set policy-options community RT-IMPORT-CE02 members target:65123:102 
root@PE11# set policy-options community RT-IMPORT-CE03 members target:65123:103 
root@PE11# set policy-options community RT-IMPORT-CE04 members target:65123:104

With that in place we make a policy that will become our VRF-Export policy, we will say that if the protocol is directly connected or one of the routing protocols then we will add the export community and accept the route.

root@PE11# set policy-options policy-statement EXPORT-CE01 term EXPORT from protocol [ direct bgp rip ospf ]
root@PE11# set policy-options policy-statement EXPORT-CE01 term EXPORT then community add RT-EXPORT-CE01 
root@PE11# set policy-options policy-statement EXPORT-CE01 term EXPORT then accept 

If it doesn't match that criteria then we will reject it.

root@PE11# set policy-options policy-statement EXPORT-CE01 term REJECT then reject 

The VRF-Import policy will always be from MBGP so we match on protocol BGP, then we select what communities we want to talk to each other.

In our topology Cust-A is CE01 and CE02 so we'll do that then reject the rest.

root@PE11# set policy-options policy-statement IMPORT-CE01 term IMPORT from protocol bgp 
root@PE11# set policy-options policy-statement IMPORT-CE01 term IMPORT from community [ RT-IMPORT-CE01 RT-IMPORT-CE02 ] 
root@PE11# set policy-options policy-statement IMPORT-CE01 term IMPORT then accept 
root@PE11# set policy-options policy-statement IMPORT-CE01 term REJECT then reject

VRFs

With all that in place we need to make a VRF instance. In my case I'm using ge-0/0/5 on all the PEs as the CE interface so we add it to the VRF, we also set the PE's proper RD and apply the VRF policies we just made. We also use vrf-table-label to help make the L3VPN happy.

root@PE11# set routing-instances CE01 instance-type vrf 
root@PE11# set routing-instances CE01 interface ge-0/0/5.0 
root@PE11# set routing-instances CE01 route-distinguisher 65123:101 
root@PE11# set routing-instances CE01 vrf-import IMPORT-CE01 
root@PE11# set routing-instances CE01 vrf-export EXPORT-CE01 
root@PE11# set routing-instances CE01 vrf-table-label 

We'll also set the router-id for the instance just to have a bit more control

root@PE11# set routing-instances CE01 routing-options router-id 192.168.255.11 
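
The vrf-import policy above is what keeps CUST-A and CUST-B apart, so it is worth checking mechanically. The following Python is an added example, not part of the original post: it parses the set-style lines shown above and reports any VRF whose import policy accepts a route target belonging to another customer, or accepts routes with no community match at all. The RT-to-customer map (CUST-B owning 103 and 104), the `LEAKY_CONFIG` variant and all function names are assumptions made for illustration; `from` conditions other than `community` are ignored.

```python
import re
from collections import defaultdict

PROMPT = re.compile(r"^\S+@\S+[#>]\s*")   # strips "root@PE11# " when present

# PE11's community, import-policy and VRF statements as shown in the post.
PE11_CONFIG = """\
root@PE11# set policy-options community RT-EXPORT-CE01 members target:65123:101
root@PE11# set policy-options community RT-IMPORT-CE01 members target:65123:101
root@PE11# set policy-options community RT-IMPORT-CE02 members target:65123:102
root@PE11# set policy-options community RT-IMPORT-CE03 members target:65123:103
root@PE11# set policy-options community RT-IMPORT-CE04 members target:65123:104
set policy-options policy-statement IMPORT-CE01 term IMPORT from protocol bgp
set policy-options policy-statement IMPORT-CE01 term IMPORT from community [ RT-IMPORT-CE01 RT-IMPORT-CE02 ]
set policy-options policy-statement IMPORT-CE01 term IMPORT then accept
set policy-options policy-statement IMPORT-CE01 term REJECT then reject
set routing-instances CE01 instance-type vrf
set routing-instances CE01 vrf-import IMPORT-CE01
set routing-instances CE01 vrf-export EXPORT-CE01
"""
# Constructed misconfiguration: CE03's route target slips into CE01's import list.
LEAKY_CONFIG = PE11_CONFIG.replace("RT-IMPORT-CE02 ]", "RT-IMPORT-CE02 RT-IMPORT-CE03 ]")

# Assumed ownership: the post says CUST-A is CE01/CE02; CUST-B for the rest is a guess.
RT_OWNER = {"target:65123:101": "CUST-A", "target:65123:102": "CUST-A",
            "target:65123:103": "CUST-B", "target:65123:104": "CUST-B"}
VRF_CUSTOMER = {"CE01": "CUST-A"}


def values(tokens):
    """'X' or '[ X Y ]' -> ['X', 'Y']."""
    return [t for t in tokens if t not in ("[", "]")]


def parse(config):
    """Collect communities, policy terms (in config order) and VRFs."""
    communities = defaultdict(set)
    terms = defaultdict(lambda: defaultdict(
        lambda: {"match": set(), "action": None}))
    vrfs = defaultdict(dict)
    for raw in config.splitlines():
        tok = PROMPT.sub("", raw.strip()).split()
        if len(tok) < 4 or tok[0] != "set":
            continue
        if tok[1:3] == ["policy-options", "community"] and tok[4:5] == ["members"]:
            communities[tok[3]].update(values(tok[5:]))
        elif tok[1:3] == ["policy-options", "policy-statement"] and tok[4:5] == ["term"]:
            term, rest = terms[tok[3]][tok[5]], tok[6:]
            if rest[:2] == ["from", "community"]:
                term["match"].update(values(rest[2:]))
            elif rest[:1] == ["then"] and rest[1:2] in (["accept"], ["reject"]):
                term["action"] = rest[1]
        elif tok[1] == "routing-instances" and len(tok) >= 5:
            if tok[3] in ("vrf-import", "vrf-export"):
                vrfs[tok[2]][tok[3]] = tok[4]
            elif tok[3:5] == ["instance-type", "vrf"]:
                vrfs[tok[2]].setdefault("vrf-import", None)
    return communities, terms, vrfs


def imported_targets(policy_terms, communities):
    """Walk terms in order; return (route targets accepted, accepts_any)."""
    accepted, denied = set(), set()
    for term in policy_terms.values():
        members = set().union(*(communities.get(c, set()) for c in term["match"]))
        if term["action"] == "accept":
            if not term["match"]:
                return accepted, True       # accept without a community match
            accepted |= members - denied
        elif term["action"] == "reject":
            if not term["match"]:
                break                       # catch-all reject ends evaluation
            denied |= members
    return accepted, False


def audit(config, rt_owner, vrf_customer):
    """Return (vrf, message) findings for imports that cross customers."""
    communities, terms, vrfs = parse(config)
    findings = []
    for vrf, attrs in sorted(vrfs.items()):
        policy = attrs.get("vrf-import")
        if policy is None or policy not in terms:
            findings.append((vrf, "no vrf-import policy found"))
            continue
        targets, accepts_any = imported_targets(terms[policy], communities)
        if accepts_any:
            findings.append((vrf, f"{policy} accepts routes without a community match"))
        for rt in sorted(targets):
            owner = rt_owner.get(rt, "unknown")
            if owner != vrf_customer.get(vrf):
                findings.append((vrf, f"{policy} imports {rt} owned by {owner}"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("as posted", PE11_CONFIG), ("leaky", LEAKY_CONFIG)):
        print(name, audit(cfg, RT_OWNER, VRF_CUSTOMER) or "clean")
```
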

Customer Edge

PE01

Finally we will start working on the CE routing!

We need an export policy so Juniper knows what to send so I'll make a simple one that just accepts any route. Since PE01 is BGP we'll set that up too. The config is the same as you have seen though you may want to use the as-override option if you are using BGP.

root@PE11# set policy-options policy-statement EXPORT-BGP then accept
root@PE11# set routing-instances CE01 protocols bgp group CUST-A type external 
root@PE11# set routing-instances CE01 protocols bgp group CUST-A export EXPORT-BGP 
root@PE11# set routing-instances CE01 protocols bgp group CUST-A peer-as 65101 
root@PE11# set routing-instances CE01 protocols bgp group CUST-A neighbor 192.168.1.1 as-override 



root@PE11# set policy-options policy-statement EXPORT-BGP then accept 

root@PE11# set policy-options policy-statement EXPORT-OSPF from protocol bgp 
root@PE11# set policy-options policy-statement EXPORT-OSPF then accept
root@PE11# set policy-options policy-statement EXPORT-RIP then metric 5 
root@PE11# set policy-options policy-statement EXPORT-RIP then accept 

CE01, CE02, CE03, CE04

Since the CEs are still in flow mode, we need to make sure the interfaces we use are trusted by the security zone. We could get more specific but we aren't really playing with the firewall today :)

root@CE01# set security zones security-zone trust host-inbound-traffic system-services all 
root@CE01# set security zones security-zone trust host-inbound-traffic protocols all 
root@CE01# set security zones security-zone trust interfaces ge-0/0/1.0 
root@CE01# set security zones security-zone trust interfaces ge-0/0/2.0 

CE01

For BGP we just do a normal peering and advertise everything directly connected.

root@CE01# set policy-options policy-statement EXPORT-BGP from protocol direct 
root@CE01# set policy-options policy-statement EXPORT-BGP then accept

root@CE01# set protocols bgp group CUST-A type external 
root@CE01# set protocols bgp group CUST-A export EXPORT-BGP 
root@CE01# set protocols bgp group CUST-A peer-as 65123 
root@CE01# set protocols bgp group CUST-A neighbor 192.168.1.254 

CE02

Same with RIP for CE02

root@CE02# set policy-options policy-statement EXPORT-RIP from protocol direct 
root@CE02# set policy-options policy-statement EXPORT-RIP then accept

root@CE02# set protocols rip group CUST-A export EXPORT-RIP 
root@CE02# set protocols rip group CUST-A neighbor ge-0/0/1.0 

CE03 and CE04

The OSPF CE is a bit unique because it is the only protocol we are looking at today that cares about external routes. Let's set up OSPF in two ways: one will simply add all interfaces to OSPF and the other will use the export method we have been doing.

root@CE03# set protocols ospf area 0.0.0.0 interface all 
root@CE03# set protocols ospf area 0.0.0.0 interface lo0.0 passive 


root@CE04# set policy-options policy-statement EXPORT-OSPF from protocol direct 
root@CE04# set policy-options policy-statement EXPORT-OSPF then accept 
root@CE04# set protocols ospf export EXPORT-OSPF    
root@CE04# set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 

Now we get the routes but routes from CE04 are external! We might talk about OSPF specific MPLS topics another day!

root@CE03# run show ospf route    
Topology default Route Table:

Prefix             Path  Route      NH       Metric NextHop       Nexthop      
                   Type  Type       Type            Interface     Address/LSP
192.168.3.254      Intra Area/AS BR IP            1 ge-0/0/1.0    192.168.3.254
172.16.31.0/24     Intra Network    IP            1 ge-0/0/2.0
172.16.32.0/24     Intra Network    IP            1 ge-0/0/2.0
172.16.33.0/24     Intra Network    IP            1 ge-0/0/2.0
172.16.34.0/24     Intra Network    IP            1 ge-0/0/2.0
172.16.41.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254
172.16.42.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254
172.16.43.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254
172.16.44.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254
192.168.3.0/24     Intra Network    IP            1 ge-0/0/1.0
192.168.4.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254

Verification

Now that everything is up we can make sure that BGP is working properly (probably should have done that sooner!)

root@PE11# run show bgp summary                                        
Groups: 2 Peers: 3 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
bgp.l3vpn.0          
                      12          6          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
192.168.1.1           65101       1803       1794       0       3    13:27:34 Establ
  CE01.inet.0: 5/6/6/0
192.168.255.154       65123       1594       1582       0       1    11:54:35 Establ
  bgp.l3vpn.0: 6/6/6/0
  CE01.inet.0: 6/6/6/0
192.168.255.254       65123       1591       1581       0       1    11:54:41 Establ
  bgp.l3vpn.0: 0/6/6/0
  CE01.inet.0: 0/6/6/0

We can also see the MPLS interfaces on the router

root@PE11# run show mpls interface 
Interface        State       Administrative groups (x: extended)
ge-0/0/1.3011    Up         <none>
ge-0/0/1.3123    Up         <none>

[edit]

As well as the LDP neighbors

root@PE11# run show ldp neighbor 
Address                             Interface       Label space ID     Hold time
10.1.11.1                           ge-0/0/1.3011   192.168.255.1:0      14
10.0.123.33                         ge-0/0/1.3123   192.168.255.33:0     13
10.0.123.44                         ge-0/0/1.3123   192.168.255.44:0     13
10.0.123.254                        ge-0/0/1.3123   192.168.255.154:0    11

PE01 Routing Table

Juniper groups everything into the routing table so we can see the main routing table, the MPLS labels, the VRF routes, and IPv6 routes all in one place! We can also see the INET-VPN routes so we can see if things are being learned properly.

root@PE11# run show route 

inet.0: 26 destinations, 26 routes (26 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.123.0/24      *[Direct/0] 12:09:45
                    > via ge-0/0/1.3123
10.0.123.11/32     *[Local/0] 12:09:45
                      Local via ge-0/0/1.3123
10.1.2.0/24        *[OSPF/10] 14:45:03, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
10.1.3.0/24        *[OSPF/10] 14:45:03, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
10.1.4.0/24        *[OSPF/10] 14:45:03, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
10.1.11.0/24       *[Direct/0] 14:45:09
                    > via ge-0/0/1.3011
10.1.11.254/32     *[Local/0] 14:45:09
                      Local via ge-0/0/1.3011
10.1.123.0/24      *[OSPF/10] 11:41:39, metric 2
                    > to 10.0.123.33 via ge-0/0/1.3123
                      to 10.0.123.44 via ge-0/0/1.3123
10.2.3.0/24        *[OSPF/10] 11:42:39, metric 3
                      to 10.1.11.1 via ge-0/0/1.3011
                    > to 10.0.123.33 via ge-0/0/1.3123
10.2.4.0/24        *[OSPF/10] 11:41:48, metric 3
                      to 10.1.11.1 via ge-0/0/1.3011
                    > to 10.0.123.44 via ge-0/0/1.3123
10.2.22.0/24       *[OSPF/10] 11:41:39, metric 3
                      to 10.1.11.1 via ge-0/0/1.3011
                      to 10.0.123.33 via ge-0/0/1.3123
                    > to 10.0.123.44 via ge-0/0/1.3123
10.3.4.0/24        *[OSPF/10] 11:41:48, metric 3
                      to 10.1.11.1 via ge-0/0/1.3011
                      to 10.0.123.33 via ge-0/0/1.3123
                    > to 10.0.123.44 via ge-0/0/1.3123
10.3.33.0/24       *[OSPF/10] 11:42:39, metric 2
                    > to 10.0.123.33 via ge-0/0/1.3123
10.4.44.0/24       *[OSPF/10] 11:41:48, metric 2
                    > to 10.0.123.44 via ge-0/0/1.3123
192.168.255.1/32   *[OSPF/10] 14:45:03, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011
192.168.255.2/32   *[OSPF/10] 12:00:32, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
192.168.255.3/32   *[OSPF/10] 11:42:39, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
                      to 10.0.123.33 via ge-0/0/1.3123
192.168.255.4/32   *[OSPF/10] 11:41:48, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
                      to 10.0.123.44 via ge-0/0/1.3123
192.168.255.11/32  *[Direct/0] 14:52:17
                    > via lo0.0
192.168.255.22/32  *[OSPF/10] 11:41:39, metric 2
                    > to 10.0.123.33 via ge-0/0/1.3123
                      to 10.0.123.44 via ge-0/0/1.3123
192.168.255.33/32  *[OSPF/10] 11:42:39, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123
192.168.255.44/32  *[OSPF/10] 11:41:48, metric 1
                    > to 10.0.123.44 via ge-0/0/1.3123
192.168.255.154/32 *[OSPF/10] 12:07:04, metric 1
                    > to 10.0.123.254 via ge-0/0/1.3123
192.168.255.254/32 *[OSPF/10] 11:41:39, metric 2
                      to 10.0.123.33 via ge-0/0/1.3123
                    > to 10.0.123.44 via ge-0/0/1.3123
224.0.0.2/32       *[LDP/9] 14:52:17, metric 1
                      MultiRecv
224.0.0.5/32       *[OSPF/10] 14:52:17, metric 1
                      MultiRecv

inet.3: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.255.1/32   *[LDP/9] 14:45:03, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011
192.168.255.2/32   *[LDP/9] 12:00:32, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Push 299840
192.168.255.3/32   *[LDP/9] 11:42:38, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Push 299808
                      to 10.0.123.33 via ge-0/0/1.3123, Push 299776
192.168.255.4/32   *[LDP/9] 11:41:47, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Push 299792
                      to 10.0.123.44 via ge-0/0/1.3123, Push 299776
192.168.255.22/32  *[LDP/9] 11:37:45, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 299952
                      to 10.0.123.44 via ge-0/0/1.3123, Push 299952
192.168.255.33/32  *[LDP/9] 11:42:38, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123
192.168.255.44/32  *[LDP/9] 11:41:47, metric 1
                    > to 10.0.123.44 via ge-0/0/1.3123
192.168.255.154/32 *[LDP/9] 11:44:55, metric 1
                    > to 10.0.123.254 via ge-0/0/1.3123
192.168.255.254/32 *[LDP/9] 11:37:45, metric 1
                      to 10.0.123.33 via ge-0/0/1.3123, Push 299936
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 299936

CE01.inet.0: 13 destinations, 20 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.11.0/24     *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
172.16.12.0/24     *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
172.16.13.0/24     *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
172.16.14.0/24     *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
172.16.21.0/24     *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
172.16.22.0/24     *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
172.16.23.0/24     *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
172.16.24.0/24     *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
192.168.1.0/24     *[Direct/0] 14:45:09
                    > via ge-0/0/5.0
                    [BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
192.168.1.254/32   *[Local/0] 14:45:09
                      Local via ge-0/0/5.0
192.168.2.0/24     *[BGP/170] 00:33:22, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:33:22, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
192.168.254.1/32   *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
192.168.254.2/32   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)

MGMT.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 14:45:09
                    > to 10.20.2.1 via ge-0/0/0.0
10.20.2.0/24       *[Direct/0] 14:45:09
                    > via ge-0/0/0.0
10.20.2.201/32     *[Local/0] 14:45:09
                      Local via ge-0/0/0.0

mpls.0: 20 destinations, 20 routes (20 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0                  *[MPLS/0] 14:52:17, metric 1
                      to table inet.0
0(S=0)             *[MPLS/0] 14:52:17, metric 1
                      to table mpls.0
1                  *[MPLS/0] 14:52:17, metric 1
                      Receive
2                  *[MPLS/0] 14:52:17, metric 1
                      to table inet6.0
2(S=0)             *[MPLS/0] 14:52:17, metric 1
                      to table mpls.0
13                 *[MPLS/0] 14:52:17, metric 1
                      Receive
16                 *[VPN/0] 14:52:17
                    > via lsi.0 (CE01), Pop      
299776             *[LDP/9] 14:45:03, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Pop      
299776(S=0)        *[LDP/9] 14:45:03, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Pop      
299792             *[LDP/9] 11:41:47, metric 1
                      to 10.1.11.1 via ge-0/0/1.3011, Swap 299792
                    > to 10.0.123.44 via ge-0/0/1.3123, Swap 299776
299808             *[LDP/9] 11:42:38, metric 1
                      to 10.1.11.1 via ge-0/0/1.3011, Swap 299808
                    > to 10.0.123.33 via ge-0/0/1.3123, Swap 299776
299824             *[LDP/9] 12:00:32, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Swap 299840
299856             *[LDP/9] 11:42:38, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Pop      
299856(S=0)        *[LDP/9] 11:42:38, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Pop      
299872             *[LDP/9] 11:41:47, metric 1
                    > to 10.0.123.44 via ge-0/0/1.3123, Pop      
299872(S=0)        *[LDP/9] 11:41:47, metric 1
                    > to 10.0.123.44 via ge-0/0/1.3123, Pop      
299904             *[LDP/9] 11:44:55, metric 1
                    > to 10.0.123.254 via ge-0/0/1.3123, Pop      
299904(S=0)        *[LDP/9] 11:44:55, metric 1
                    > to 10.0.123.254 via ge-0/0/1.3123, Pop      
299936             *[LDP/9] 11:37:45, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Swap 299936
                      to 10.0.123.44 via ge-0/0/1.3123, Swap 299936
299952             *[LDP/9] 11:37:45, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Swap 299952
                      to 10.0.123.44 via ge-0/0/1.3123, Swap 299952

bgp.l3vpn.0: 6 destinations, 12 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

65123:102:172.16.21.0/24                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:172.16.22.0/24                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:172.16.23.0/24                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:172.16.24.0/24                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:192.168.2.0/24                
                   *[BGP/170] 00:33:22, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:33:22, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:192.168.254.2/32                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)

inet6.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2001:1234::1/128   *[Direct/0] 14:52:17
                    > via lo0.0
fe80::250:560f:fc9e:4cd1/128
                   *[Direct/0] 14:52:17
                    > via lo0.0
ff02::2/128        *[INET6/0] 14:52:17
                      MultiRecv

Pastebins

Here are the configs in pastebins for more convenient viewing.

PE01

PE02

PE03

PE04

P01

P02

P03

P04

CE01

CE02

CE03

CE04

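An added example, not part of the original post: a small Python audit of the route-target policy from the VRF / Policies section, checking that no VRF imports or exports a route target owned by another customer. The PE11 lines are copied from the post; the PE33 config, the CUST-B membership of CE03 and CE04, and all function names are assumptions constructed for illustration.

```python
from collections import defaultdict

# CUST-A = CE01 + CE02 is stated in the post; CUST-B = CE03 + CE04 is assumed.
VRF_CUSTOMER = {"CE01": "CUST-A", "CE02": "CUST-A",
                "CE03": "CUST-B", "CE04": "CUST-B"}
# The post pairs CE0n with target:65123:10n.
RT_OWNER = {f"target:65123:10{vrf[-1]}": cust for vrf, cust in VRF_CUSTOMER.items()}

# Route-target lines copied from the post (CLI prompt stripped).
PE11 = """
set policy-options community RT-EXPORT-CE01 members target:65123:101
set policy-options community RT-IMPORT-CE01 members target:65123:101
set policy-options community RT-IMPORT-CE02 members target:65123:102
set policy-options community RT-IMPORT-CE03 members target:65123:103
set policy-options community RT-IMPORT-CE04 members target:65123:104
set policy-options policy-statement EXPORT-CE01 term EXPORT then community add RT-EXPORT-CE01
set policy-options policy-statement EXPORT-CE01 term EXPORT then accept
set policy-options policy-statement EXPORT-CE01 term REJECT then reject
set policy-options policy-statement IMPORT-CE01 term IMPORT from protocol bgp
set policy-options policy-statement IMPORT-CE01 term IMPORT from community [ RT-IMPORT-CE01 RT-IMPORT-CE02 ]
set policy-options policy-statement IMPORT-CE01 term IMPORT then accept
set policy-options policy-statement IMPORT-CE01 term REJECT then reject
set routing-instances CE01 vrf-import IMPORT-CE01
set routing-instances CE01 vrf-export EXPORT-CE01
"""

# Constructed (not from the post): a CUST-B PE that matches RT-IMPORT-CE01 by mistake.
PE33_BAD = """
set policy-options community RT-EXPORT-CE03 members target:65123:103
set policy-options community RT-IMPORT-CE01 members target:65123:101
set policy-options community RT-IMPORT-CE04 members target:65123:104
set policy-options policy-statement EXPORT-CE03 term EXPORT then community add RT-EXPORT-CE03
set policy-options policy-statement EXPORT-CE03 term EXPORT then accept
set policy-options policy-statement IMPORT-CE03 term IMPORT from community [ RT-IMPORT-CE01 RT-IMPORT-CE04 ]
set policy-options policy-statement IMPORT-CE03 term IMPORT then accept
set policy-options policy-statement IMPORT-CE03 term REJECT then reject
set routing-instances CE03 vrf-import IMPORT-CE03
set routing-instances CE03 vrf-export EXPORT-CE03
"""

def parse(config):
    """Collect RT communities, policy terms and VRF policy bindings from set commands."""
    communities = defaultdict(set)   # community name -> set of RT members
    terms = defaultdict(dict)        # policy -> {term name: term}, in config order
    vrfs = defaultdict(dict)         # VRF -> {"vrf-import": policy, "vrf-export": policy}
    for line in config.splitlines():
        tok = line.replace("[", " ").replace("]", " ").split()
        if len(tok) < 5 or tok[0] != "set":
            continue
        if tok[1:3] == ["policy-options", "community"] and tok[4] == "members":
            communities[tok[3]].update(tok[5:])
        elif tok[1:3] == ["policy-options", "policy-statement"] and tok[4] == "term" and len(tok) > 6:
            term = terms[tok[3]].setdefault(tok[5], {"from": [], "add": [], "action": None})
            rest = tok[6:]
            if rest[:2] == ["from", "community"]:
                term["from"] += rest[2:]
            elif rest[:3] == ["then", "community", "add"]:
                term["add"] += rest[3:]
            elif rest[0] == "then" and rest[-1] in ("accept", "reject"):
                term["action"] = rest[-1]
        elif tok[1] == "routing-instances" and tok[3] in ("vrf-import", "vrf-export"):
            vrfs[tok[2]][tok[3]] = tok[4]
    return communities, terms, vrfs

def imported_rts(policy_terms, communities):
    """RTs a vrf-import policy accepts; '*' marks a term with no 'from community' match."""
    accepted, decided = set(), set()
    for term in (t for t in policy_terms.values() if t["action"]):
        rts = set().union(*(communities[c] for c in term["from"])) if term["from"] else {"*"}
        if term["action"] == "accept":
            accepted |= rts - decided    # first matching term wins
        decided |= rts
        if "*" in rts:
            break                        # a catch-all term ends evaluation
    return accepted

def exported_rts(policy_terms, communities):
    """RTs attached by the accepting terms of a vrf-export policy."""
    return {rt for t in policy_terms.values() if t["action"] == "accept"
            for c in t["add"] for rt in communities[c]}

def audit(configs, vrf_customer=VRF_CUSTOMER):
    """Return (pe, vrf, direction, rt, owner) for each cross-customer route target."""
    findings = []
    for pe, text in configs.items():
        communities, terms, vrfs = parse(text)
        for vrf, bound in vrfs.items():
            imp = imported_rts(terms.get(bound.get("vrf-import"), {}), communities)
            exp = exported_rts(terms.get(bound.get("vrf-export"), {}), communities)
            for direction, rts in (("import", imp), ("export", exp)):
                for rt in sorted(rts):
                    owner = "ANY" if rt == "*" else RT_OWNER.get(rt, "unknown")
                    if owner != vrf_customer.get(vrf):
                        findings.append((pe, vrf, direction, rt, owner))
    return findings

if __name__ == "__main__":
    for finding in audit({"PE11": PE11, "PE33": PE33_BAD}):
        print("cross-customer RT:", finding)
```

Because every PE in the post defines all four RT-IMPORT communities, a one-character slip in a `from community` list is enough to join two customers' VRFs, which is the case the constructed PE33 config shows.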
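An added example, not part of the original post, for the CE security-zone step: it reads a CE's set commands, finds each `host-inbound-traffic ... all` entry, and emits replacement commands limited to the routing protocol that CE actually runs. The zone and routing lines are copied from the post; the `ping` and `ssh` service list and the function name are assumptions, since the post does not say which management services the lab needs.

```python
ROUTING = ("bgp", "ospf", "rip")  # routing protocols the post's CEs run

# Zone lines copied from the post (CLI prompt stripped); the same on every CE.
ZONE = """
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0
"""

# Per-CE routing lines copied from the post.
CE_CONFIGS = {
    "CE01": ZONE + """
set protocols bgp group CUST-A type external
set protocols bgp group CUST-A export EXPORT-BGP
set protocols bgp group CUST-A peer-as 65123
set protocols bgp group CUST-A neighbor 192.168.1.254
""",
    "CE02": ZONE + """
set protocols rip group CUST-A export EXPORT-RIP
set protocols rip group CUST-A neighbor ge-0/0/1.0
""",
    "CE03": ZONE + """
set protocols ospf area 0.0.0.0 interface all
set protocols ospf area 0.0.0.0 interface lo0.0 passive
""",
    "CE04": ZONE + """
set protocols ospf export EXPORT-OSPF
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0
""",
}


def tighten(config, services=("ping", "ssh")):
    """Return Junos commands replacing each host-inbound-traffic 'all' with explicit entries."""
    running, wide = set(), []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["set", "protocols"] and len(tok) > 2 and tok[2] in ROUTING:
            running.add(tok[2])          # a routing protocol this box is configured for
        elif tok[:3] == ["set", "security", "zones"] and "host-inbound-traffic" in tok:
            i = tok.index("host-inbound-traffic")
            # Matches both the zone-level and the per-interface form of the statement.
            if tok[i + 1:] in (["protocols", "all"], ["system-services", "all"]):
                wide.append((" ".join(tok[1:i + 1]), tok[i + 1]))
    commands = []
    for scope, kind in wide:
        # With no routing protocol configured, 'protocols all' is deleted and nothing replaces it.
        wanted = sorted(running) if kind == "protocols" else list(services)
        commands.append(f"delete {scope} {kind} all")
        commands += [f"set {scope} {kind} {item}" for item in wanted]
    return commands


if __name__ == "__main__":
    for name, config in CE_CONFIGS.items():
        print(f"--- {name}")
        print("\n".join(tighten(config)))
```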

My MPLS post the other week was pretty well received so I figured might as well show the other side of the coin and do it again with Juniper boxes.

Topology

Today's Topology is similar to last time but Juniperified, we have:

  • 4 x PE routers that are vMX
  • 4 x P routers that are vSRX
  • 4 x CE routers that are vSRX boxes as well.

There are again two customers, CUST-A and CUST-B because originality is hard.

To save on some config space I'll just focus on a single router at a time unless there are differences that are worth seeing.

Provider Routers

Disable Flow Mode

I'm using SRX routers for my core so we need to disable the default flow-based mode and reboot the boxes before we can use them with MPLS.

root@P01# set security forwarding-options family inet6 mode packet-based 

[edit]
root@P01# set security forwarding-options family mpls mode packet-based 

[edit]
root@P01# set security forwarding-options family iso mode packet-based 

root@P01# commit 
commit complete

[edit]

root@P01# run request system reboot 
Reboot the system ? [yes,no] (no) yes

Once this is done we will no longer need to use security zones for everything.

Basic Setup

To keep things clean I'm using a virtual-router instance to move the first interface into another routing table for management.

set routing-instances MGMT instance-type virtual-router
set routing-instances MGMT interface ge-0/0/0.0
set routing-instances MGMT routing-options static route 0.0.0.0/0 next-hop 10.20.2.1
set interfaces ge-0/0/0 unit 0 family inet address 10.20.2.211/24

Most of my interfaces are connecting to trunk ports to make life easier so I'm going to enable vlan tagging and use subinterfaces to connect to everything.

set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 3011 vlan-id 3011
set interfaces ge-0/0/1 unit 3011 family inet address 10.1.11.1/24
set interfaces ge-0/0/1 unit 3012 vlan-id 3012
set interfaces ge-0/0/1 unit 3012 family inet address 10.1.2.1/24
set interfaces ge-0/0/1 unit 3013 vlan-id 3013
set interfaces ge-0/0/1 unit 3013 family inet address 10.1.3.1/24
set interfaces ge-0/0/1 unit 3014 vlan-id 3014
set interfaces ge-0/0/1 unit 3014 family inet address 10.1.4.1/24
set interfaces lo0 unit 0 family inet address 192.168.255.1/32

Then I'll just turn on OSPF on all active interfaces in the routing instance.

root@P01# set protocols ospf area 0.0.0.0 interface all 

Once we are done we should see a neighbor with every other P router and a PE router (once we get that far)

root@P01# run show ospf neighbor 
Address          Interface              State     ID               Pri  Dead
10.1.11.254      ge-0/0/1.3011          Full      192.168.255.11   128    39
10.1.2.2         ge-0/0/1.3012          Full      192.168.255.2    128    32
10.1.3.3         ge-0/0/1.3013          Full      192.168.255.3    128    39
10.1.4.4         ge-0/0/1.3014          Full      192.168.255.4    128    34

Enabling MPLS

While Cisco put effort into making sure MPLS is turned on right away, Juniper takes a bit more effort.

First we need to enable MPLS and LDP in the control plane under protocols, we can conveniently use the interface all keyword to enable it on all interfaces.

root@P01# set protocols mpls interface all 

root@P01# set protocols ldp interface all   

Next we need to turn it on for the forwarding plane by adding the mpls family to each interface on the router that will be in the MPLS path. This can be a bit annoying so you might want to look into things like config groups to ease the admin burden.

set interfaces ge-0/0/1 unit 3011 family mpls

set interfaces ge-0/0/1 unit 3012 family mpls

set interfaces ge-0/0/1 unit 3013 family mpls

set interfaces ge-0/0/1 unit 3014 family mpls

set interfaces lo0 unit 0 family mpls

Route Reflector

We'll use a route reflector again but this time I'll just take advantage of the logical-system feature to carve PE01 and PE02 into two new Route Reflector boxes.

RR01

First we'll turn on vlan-tagging for the interface I want to use since we still need to configure physical stuff at the interface level in logical-systems.

root@PE11# set interfaces ge-0/0/2 vlan-tagging 

Next we configure the interfaces like above under the logical-system.

root@PE11# set logical-systems RR01 interfaces ge-0/0/2 unit 3123 vlan-id 3123 
root@PE11# set logical-systems RR01 interfaces ge-0/0/2 unit 3123 family inet address 10.0.123.254/24 
root@PE11# set logical-systems RR01 interfaces ge-0/0/2 unit 3123 family mpls 
root@PE11# set logical-systems RR01 interfaces lo0 unit 1 family inet address 192.168.255.154/32 

root@PE11# set logical-systems RR01 protocols ospf area 0.0.0.0 interface all 
root@PE11# set logical-systems RR01 protocols mpls interface all 
root@PE11# set logical-systems RR01 protocols ldp interface all 

BGP is configured with the inet-vpn family, which is the same as Cisco's VPNv4 family. The route reflector will have all four PEs as peers, will use 65123 as the AS for iBGP, and will set a cluster-id so Juniper knows it is a Route Reflector.

root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL type internal 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL local-address 192.168.255.154 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL family inet-vpn unicast 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL cluster 192.168.255.254 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.11 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.22 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.33 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.44 
root@PE11# set logical-systems RR01 routing-options autonomous-system 65123 

RR02

root@PE22# set logical-systems RR02 interfaces ge-0/0/2 unit 3123 vlan-id 3123 
root@PE22# set logical-systems RR02 interfaces ge-0/0/2 unit 3123 family inet address 10.1.123.254/24 
root@PE22# set logical-systems RR02 interfaces ge-0/0/2 unit 3123 family mpls 
root@PE22# set logical-systems RR02 interfaces lo0 unit 1 family inet address 192.168.255.254/32 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL type internal 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL local-address 192.168.255.254 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL family inet-vpn unicast 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL cluster 192.168.255.254 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.11 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.22 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.33 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.44 
root@PE22# set logical-systems RR02 protocols ospf area 0.0.0.0 interface all 
root@PE22# set logical-systems RR02 protocols mpls interface all 
root@PE22# set logical-systems RR02 protocols ldp interface all 
root@PE22# set logical-systems RR02 routing-options autonomous-system 65123 

Provider Edge

The PE will be similar to the Route-Reflector minus the logical system stuff. We'll set up the interfaces, enable OSPF and MPLS, then peer with each of the RRs.

root@PE11# set routing-instances MGMT instance-type virtual-router 
root@PE11# set routing-instances MGMT interface ge-0/0/0.0 
root@PE11# set routing-instances MGMT routing-options static route 0.0.0.0/0 next-hop 10.20.2.1 
root@PE11# set interfaces ge-0/0/0 unit 0 family inet address 10.20.2.201/24 

root@PE11# set interfaces ge-0/0/1 vlan-tagging 
root@PE11# set interfaces ge-0/0/1 unit 3011 vlan-id 3011 
root@PE11# set interfaces ge-0/0/1 unit 3011 family inet address 10.1.11.254/24 
root@PE11# set interfaces ge-0/0/1 unit 3011 family mpls 
root@PE11# set interfaces ge-0/0/1 unit 3123 vlan-id 3123 
root@PE11# set interfaces ge-0/0/1 unit 3123 family inet address 10.0.123.11/24 
root@PE11# set interfaces ge-0/0/1 unit 3123 family mpls 
root@PE11# set interfaces ge-0/0/2 vlan-tagging 
root@PE11# set interfaces ge-0/0/5 unit 0 family inet address 192.168.1.254/24 

root@PE11# set interfaces lo0 unit 0 family inet address 192.168.255.11/32 
root@PE11# set interfaces lo0 unit 0 family inet6 address 2001:1234::1/128 
root@PE11# set interfaces lo0 unit 0 family mpls 

root@PE11# set routing-options autonomous-system 65123 
root@PE11# set protocols bgp group RR type internal 
root@PE11# set protocols bgp group RR local-address 192.168.255.11 
root@PE11# set protocols bgp group RR family inet-vpn unicast 
root@PE11# set protocols bgp group RR neighbor 192.168.255.154 
root@PE11# set protocols bgp group RR neighbor 192.168.255.254 

VRF / Policies

Now that our BGP is up, it is time to create the last piece of the L3VPN, which is making the policies as well as the VRF the CE goes into.

Policies

In Cisco land we controlled what route we imported and exported under the VRF configuration, Juniper does that too but for more granular control we will make a more elaborate policy.

First we make a community policy that just exports the PE's RD on each router.

root@PE11# set policy-options community RT-EXPORT-CE01 members target:65123:101 

Next we'll do the same for the import community where we will make one for each CE for flexibility's sake.

root@PE11# set policy-options community RT-IMPORT-CE01 members target:65123:101 
root@PE11# set policy-options community RT-IMPORT-CE02 members target:65123:102 
root@PE11# set policy-options community RT-IMPORT-CE03 members target:65123:103 
root@PE11# set policy-options community RT-IMPORT-CE04 members target:65123:104

With that in place we make a policy that will become our VRF-Export policy, we will say that if the protocol is directly connected or one of the routing protocols then we will add the export community and accept the route.

root@PE11# set policy-options policy-statement EXPORT-CE01 term EXPORT from protocol [ direct bgp rip ospf ]
root@PE11# set policy-options policy-statement EXPORT-CE01 term EXPORT then community add RT-EXPORT-CE01 
root@PE11# set policy-options policy-statement EXPORT-CE01 term EXPORT then accept 

If it doesn't match that criteria then we will reject it.

root@PE11# set policy-options policy-statement EXPORT-CE01 term REJECT then reject 

The VRF-Import policy will always be from MBGP so we match on protocol BGP, then we select what communities we want to talk to each other.

In our topology Cust-A is CE01 and CE02 so we'll do that then reject the rest.

root@PE11# set policy-options policy-statement IMPORT-CE01 term IMPORT from protocol bgp 
root@PE11# set policy-options policy-statement IMPORT-CE01 term IMPORT from community [ RT-IMPORT-CE01 RT-IMPORT-CE02 ] 
root@PE11# set policy-options policy-statement IMPORT-CE01 term IMPORT then accept 
root@PE11# set policy-options policy-statement IMPORT-CE01 term REJECT then reject

VRFs

With all that in place we need to make a VRF instance. In my case I'm using ge-0/0/5 on all the PEs as the CE interface so we add it to the VRF, we also set the PE's proper RD and apply the VRF policies we just made. We also use vrf-table-label to help make the L3VPN happy.

root@PE11# set routing-instances CE01 instance-type vrf 
root@PE11# set routing-instances CE01 interface ge-0/0/5.0 
root@PE11# set routing-instances CE01 route-distinguisher 65123:101 
root@PE11# set routing-instances CE01 vrf-import IMPORT-CE01 
root@PE11# set routing-instances CE01 vrf-export EXPORT-CE01 
root@PE11# set routing-instances CE01 vrf-table-label 

We'll also set the router-id for the instance just to have a bit more control

root@PE11# set routing-instances CE01 routing-options router-id 192.168.255.11 

Customer Edge

PE01

Finally we will start working on the CE routing!

We need an export policy so Juniper knows what to send, so I'll make a simple one that just accepts any route. Since PE01 is BGP we'll set that up too. The config is the same as you have seen, though you may want to use the as-override option if you are using BGP.

root@PE11# set policy-options policy-statement EXPORT-BGP then accept
root@PE11# set routing-instances CE01 protocols bgp group CUST-A type external 
root@PE11# set routing-instances CE01 protocols bgp group CUST-A export EXPORT-BGP 
root@PE11# set routing-instances CE01 protocols bgp group CUST-A peer-as 65101 
root@PE11# set routing-instances CE01 protocols bgp group CUST-A neighbor 192.168.1.1 as-override 



root@PE11# set policy-options policy-statement EXPORT-BGP then accept 

root@PE11# set policy-options policy-statement EXPORT-OSPF from protocol bgp 
root@PE11# set policy-options policy-statement EXPORT-OSPF then accept
root@PE11# set policy-options policy-statement EXPORT-RIP then metric 5 
root@PE11# set policy-options policy-statement EXPORT-RIP then accept 

CE01, CE02, CE03, CE04

Since the CEs are still in flow mode, we need to make sure the interfaces we use are trusted by the security zone. We could get more specific but we aren't really playing with the firewall today :)

root@CE01# set security zones security-zone trust host-inbound-traffic system-services all 
root@CE01# set security zones security-zone trust host-inbound-traffic protocols all 
root@CE01# set security zones security-zone trust interfaces ge-0/0/1.0 
root@CE01# set security zones security-zone trust interfaces ge-0/0/2.0 

CE01

For BGP we just do a normal peering and advertise everything directly connected.

root@CE01# set policy-options policy-statement EXPORT-BGP from protocol direct 
root@CE01# set policy-options policy-statement EXPORT-BGP then accept

root@CE01# set protocols bgp group CUST-A type external 
root@CE01# set protocols bgp group CUST-A export EXPORT-BGP 
root@CE01# set protocols bgp group CUST-A peer-as 65123 
root@CE01# set protocols bgp group CUST-A neighbor 192.168.1.254 

CE02

Same with RIP for CE02

root@CE02# set policy-options policy-statement EXPORT-RIP from protocol direct 
root@CE02# set policy-options policy-statement EXPORT-RIP then accept

root@CE02# set protocols rip group CUST-A export EXPORT-RIP 
root@CE02# set protocols rip group CUST-A neighbor ge-0/0/1.0 

CE03 and CE04

The OSPF CE is a bit unique because it is the only protocol we are looking at today that cares about external routes. Let's set up OSPF in two ways: one will simply add all interfaces to OSPF and the other will use the export method we have been doing.

root@CE03# set protocols ospf area 0.0.0.0 interface all 
root@CE03# set protocols ospf area 0.0.0.0 interface lo0.0 passive 


root@CE04# set policy-options policy-statement EXPORT-OSPF from protocol direct 
root@CE04# set policy-options policy-statement EXPORT-OSPF then accept 
root@CE04# set protocols ospf export EXPORT-OSPF    
root@CE04# set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 

Now we get the routes but routes from CE04 are external! We might talk about OSPF specific MPLS topics another day!

root@CE03# run show ospf route    
Topology default Route Table:

Prefix             Path  Route      NH       Metric NextHop       Nexthop      
                   Type  Type       Type            Interface     Address/LSP
192.168.3.254      Intra Area/AS BR IP            1 ge-0/0/1.0    192.168.3.254
172.16.31.0/24     Intra Network    IP            1 ge-0/0/2.0
172.16.32.0/24     Intra Network    IP            1 ge-0/0/2.0
172.16.33.0/24     Intra Network    IP            1 ge-0/0/2.0
172.16.34.0/24     Intra Network    IP            1 ge-0/0/2.0
172.16.41.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254
172.16.42.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254
172.16.43.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254
172.16.44.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254
192.168.3.0/24     Intra Network    IP            1 ge-0/0/1.0
192.168.4.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254

Verification

Now that everything is up we can make sure that BGP is working properly (probably should have done that sooner!)

root@PE11# run show bgp summary                                        
Groups: 2 Peers: 3 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
bgp.l3vpn.0          
                      12          6          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
192.168.1.1           65101       1803       1794       0       3    13:27:34 Establ
  CE01.inet.0: 5/6/6/0
192.168.255.154       65123       1594       1582       0       1    11:54:35 Establ
  bgp.l3vpn.0: 6/6/6/0
  CE01.inet.0: 6/6/6/0
192.168.255.254       65123       1591       1581       0       1    11:54:41 Establ
  bgp.l3vpn.0: 0/6/6/0
  CE01.inet.0: 0/6/6/0

We can also see the MPLS interfaces on the router

root@PE11# run show mpls interface 
Interface        State       Administrative groups (x: extended)
ge-0/0/1.3011    Up         <none>
ge-0/0/1.3123    Up         <none>

[edit]

As well as the LDP neighbors

root@PE11# run show ldp neighbor 
Address                             Interface       Label space ID     Hold time
10.1.11.1                           ge-0/0/1.3011   192.168.255.1:0      14
10.0.123.33                         ge-0/0/1.3123   192.168.255.33:0     13
10.0.123.44                         ge-0/0/1.3123   192.168.255.44:0     13
10.0.123.254                        ge-0/0/1.3123   192.168.255.154:0    11

PE01 Routing Table

Juniper groups everything into the routing table so we can see the main routing table, the MPLS labels, the VRF routes, and IPv6 routes all in one place! We can also see the INET-VPN routes so we can see if things are being learned properly.

root@PE11# run show route 

inet.0: 26 destinations, 26 routes (26 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.123.0/24      *[Direct/0] 12:09:45
                    > via ge-0/0/1.3123
10.0.123.11/32     *[Local/0] 12:09:45
                      Local via ge-0/0/1.3123
10.1.2.0/24        *[OSPF/10] 14:45:03, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
10.1.3.0/24        *[OSPF/10] 14:45:03, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
10.1.4.0/24        *[OSPF/10] 14:45:03, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
10.1.11.0/24       *[Direct/0] 14:45:09
                    > via ge-0/0/1.3011
10.1.11.254/32     *[Local/0] 14:45:09
                      Local via ge-0/0/1.3011
10.1.123.0/24      *[OSPF/10] 11:41:39, metric 2
                    > to 10.0.123.33 via ge-0/0/1.3123
                      to 10.0.123.44 via ge-0/0/1.3123
10.2.3.0/24        *[OSPF/10] 11:42:39, metric 3
                      to 10.1.11.1 via ge-0/0/1.3011
                    > to 10.0.123.33 via ge-0/0/1.3123
10.2.4.0/24        *[OSPF/10] 11:41:48, metric 3
                      to 10.1.11.1 via ge-0/0/1.3011
                    > to 10.0.123.44 via ge-0/0/1.3123
10.2.22.0/24       *[OSPF/10] 11:41:39, metric 3
                      to 10.1.11.1 via ge-0/0/1.3011
                      to 10.0.123.33 via ge-0/0/1.3123
                    > to 10.0.123.44 via ge-0/0/1.3123
10.3.4.0/24        *[OSPF/10] 11:41:48, metric 3
                      to 10.1.11.1 via ge-0/0/1.3011
                      to 10.0.123.33 via ge-0/0/1.3123
                    > to 10.0.123.44 via ge-0/0/1.3123
10.3.33.0/24       *[OSPF/10] 11:42:39, metric 2
                    > to 10.0.123.33 via ge-0/0/1.3123
10.4.44.0/24       *[OSPF/10] 11:41:48, metric 2
                    > to 10.0.123.44 via ge-0/0/1.3123
192.168.255.1/32   *[OSPF/10] 14:45:03, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011
192.168.255.2/32   *[OSPF/10] 12:00:32, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
192.168.255.3/32   *[OSPF/10] 11:42:39, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
                      to 10.0.123.33 via ge-0/0/1.3123
192.168.255.4/32   *[OSPF/10] 11:41:48, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
                      to 10.0.123.44 via ge-0/0/1.3123
192.168.255.11/32  *[Direct/0] 14:52:17
                    > via lo0.0
192.168.255.22/32  *[OSPF/10] 11:41:39, metric 2
                    > to 10.0.123.33 via ge-0/0/1.3123
                      to 10.0.123.44 via ge-0/0/1.3123
192.168.255.33/32  *[OSPF/10] 11:42:39, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123
192.168.255.44/32  *[OSPF/10] 11:41:48, metric 1
                    > to 10.0.123.44 via ge-0/0/1.3123
192.168.255.154/32 *[OSPF/10] 12:07:04, metric 1
                    > to 10.0.123.254 via ge-0/0/1.3123
192.168.255.254/32 *[OSPF/10] 11:41:39, metric 2
                      to 10.0.123.33 via ge-0/0/1.3123
                    > to 10.0.123.44 via ge-0/0/1.3123
224.0.0.2/32       *[LDP/9] 14:52:17, metric 1
                      MultiRecv
224.0.0.5/32       *[OSPF/10] 14:52:17, metric 1
                      MultiRecv

inet.3: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.255.1/32   *[LDP/9] 14:45:03, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011
192.168.255.2/32   *[LDP/9] 12:00:32, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Push 299840
192.168.255.3/32   *[LDP/9] 11:42:38, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Push 299808
                      to 10.0.123.33 via ge-0/0/1.3123, Push 299776
192.168.255.4/32   *[LDP/9] 11:41:47, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Push 299792
                      to 10.0.123.44 via ge-0/0/1.3123, Push 299776
192.168.255.22/32  *[LDP/9] 11:37:45, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 299952
                      to 10.0.123.44 via ge-0/0/1.3123, Push 299952
192.168.255.33/32  *[LDP/9] 11:42:38, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123
192.168.255.44/32  *[LDP/9] 11:41:47, metric 1
                    > to 10.0.123.44 via ge-0/0/1.3123
192.168.255.154/32 *[LDP/9] 11:44:55, metric 1
                    > to 10.0.123.254 via ge-0/0/1.3123
192.168.255.254/32 *[LDP/9] 11:37:45, metric 1
                      to 10.0.123.33 via ge-0/0/1.3123, Push 299936
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 299936

CE01.inet.0: 13 destinations, 20 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.11.0/24     *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
172.16.12.0/24     *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
172.16.13.0/24     *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
172.16.14.0/24     *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
172.16.21.0/24     *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
172.16.22.0/24     *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
172.16.23.0/24     *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
172.16.24.0/24     *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
192.168.1.0/24     *[Direct/0] 14:45:09
                    > via ge-0/0/5.0
                    [BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
192.168.1.254/32   *[Local/0] 14:45:09
                      Local via ge-0/0/5.0
192.168.2.0/24     *[BGP/170] 00:33:22, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:33:22, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
192.168.254.1/32   *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
192.168.254.2/32   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)

MGMT.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 14:45:09
                    > to 10.20.2.1 via ge-0/0/0.0
10.20.2.0/24       *[Direct/0] 14:45:09
                    > via ge-0/0/0.0
10.20.2.201/32     *[Local/0] 14:45:09
                      Local via ge-0/0/0.0

mpls.0: 20 destinations, 20 routes (20 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0                  *[MPLS/0] 14:52:17, metric 1
                      to table inet.0
0(S=0)             *[MPLS/0] 14:52:17, metric 1
                      to table mpls.0
1                  *[MPLS/0] 14:52:17, metric 1
                      Receive
2                  *[MPLS/0] 14:52:17, metric 1
                      to table inet6.0
2(S=0)             *[MPLS/0] 14:52:17, metric 1
                      to table mpls.0
13                 *[MPLS/0] 14:52:17, metric 1
                      Receive
16                 *[VPN/0] 14:52:17
                    > via lsi.0 (CE01), Pop      
299776             *[LDP/9] 14:45:03, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Pop      
299776(S=0)        *[LDP/9] 14:45:03, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Pop      
299792             *[LDP/9] 11:41:47, metric 1
                      to 10.1.11.1 via ge-0/0/1.3011, Swap 299792
                    > to 10.0.123.44 via ge-0/0/1.3123, Swap 299776
299808             *[LDP/9] 11:42:38, metric 1
                      to 10.1.11.1 via ge-0/0/1.3011, Swap 299808
                    > to 10.0.123.33 via ge-0/0/1.3123, Swap 299776
299824             *[LDP/9] 12:00:32, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Swap 299840
299856             *[LDP/9] 11:42:38, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Pop      
299856(S=0)        *[LDP/9] 11:42:38, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Pop      
299872             *[LDP/9] 11:41:47, metric 1
                    > to 10.0.123.44 via ge-0/0/1.3123, Pop      
299872(S=0)        *[LDP/9] 11:41:47, metric 1
                    > to 10.0.123.44 via ge-0/0/1.3123, Pop      
299904             *[LDP/9] 11:44:55, metric 1
                    > to 10.0.123.254 via ge-0/0/1.3123, Pop      
299904(S=0)        *[LDP/9] 11:44:55, metric 1
                    > to 10.0.123.254 via ge-0/0/1.3123, Pop      
299936             *[LDP/9] 11:37:45, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Swap 299936
                      to 10.0.123.44 via ge-0/0/1.3123, Swap 299936
299952             *[LDP/9] 11:37:45, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Swap 299952
                      to 10.0.123.44 via ge-0/0/1.3123, Swap 299952

bgp.l3vpn.0: 6 destinations, 12 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

65123:102:172.16.21.0/24                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:172.16.22.0/24                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:172.16.23.0/24                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:172.16.24.0/24                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:192.168.2.0/24                
                   *[BGP/170] 00:33:22, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:33:22, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:192.168.254.2/32                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)

inet6.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2001:1234::1/128   *[Direct/0] 14:52:17
                    > via lo0.0
fe80::250:560f:fc9e:4cd1/128
                   *[Direct/0] 14:52:17
                    > via lo0.0
ff02::2/128        *[INET6/0] 14:52:17
                      MultiRecv

Pastebins

Here are the configs in pastebins for more convenient viewing.

PE01

PE02

PE03

PE04

P01

P02

P03

P04

CE01

CE02

CE03

CE04

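The two access-control points in this walkthrough are the `vrf-import` policy that keeps CUST-A and CUST-B apart and the CE zone opened with `host-inbound-traffic ... all`; the following audit script is an added example, not the poster's code, that parses Junos `set` statements and checks both. Assumptions: the `CUST_A` allow-list, the `PE11_LEAKY` and `CE01_TIGHT` configurations and all function names are constructed for illustration, and `CE01_TIGHT` assumes ge-0/0/1.0 is CE01's PE-facing interface.

```python
import re
from collections import defaultdict

# Statements copied from the post: PE11's import policy and VRF, CE01's zone.
PE11 = """
set policy-options community RT-IMPORT-CE01 members target:65123:101
set policy-options community RT-IMPORT-CE02 members target:65123:102
set policy-options community RT-IMPORT-CE03 members target:65123:103
set policy-options community RT-IMPORT-CE04 members target:65123:104
set policy-options policy-statement IMPORT-CE01 term IMPORT from protocol bgp
set policy-options policy-statement IMPORT-CE01 term IMPORT from community [ RT-IMPORT-CE01 RT-IMPORT-CE02 ]
set policy-options policy-statement IMPORT-CE01 term IMPORT then accept
set policy-options policy-statement IMPORT-CE01 term REJECT then reject
set routing-instances CE01 instance-type vrf
set routing-instances CE01 vrf-import IMPORT-CE01
"""
CE01 = """
root@CE01# set security zones security-zone trust host-inbound-traffic system-services all
root@CE01# set security zones security-zone trust host-inbound-traffic protocols all
root@CE01# set security zones security-zone trust interfaces ge-0/0/1.0
root@CE01# set security zones security-zone trust interfaces ge-0/0/2.0
"""
# Constructed variants (not from the post): a PE where a CUST-B target slipped
# into the CUST-A import term, and a CE zone limited to what the lab uses
# (assumes ge-0/0/1.0 faces the PE and ge-0/0/2.0 faces the customer LAN).
PE11_LEAKY = PE11.replace("RT-IMPORT-CE02 ]", "RT-IMPORT-CE02 RT-IMPORT-CE03 ]")
CE01_TIGHT = """
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols bgp
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
"""
# Constructed allow-list: the post states that CUST-A is CE01 and CE02.
CUST_A = {"CE01": {"target:65123:101", "target:65123:102"}}


def statements(config):
    """Yield each 'set' statement as a token list, dropping CLI prompts and [ ] brackets."""
    for line in config.splitlines():
        line = re.sub(r"^\S+@\S+#\s*", "", line.strip())  # strip e.g. 'root@CE01# '
        if line.startswith("set "):
            yield [t for t in line.split()[1:] if t not in ("[", "]")]


def vrf_import_targets(config):
    """Map each VRF to the route targets its vrf-import policy accepts ('*' = any)."""
    members, terms, vrf_policy = defaultdict(set), defaultdict(dict), {}
    for t in statements(config):
        if t[:2] == ["policy-options", "community"] and t[3:4] == ["members"]:
            members[t[2]].update(t[4:])
        elif t[:2] == ["policy-options", "policy-statement"] and t[3:4] == ["term"]:
            term = terms[t[2]].setdefault(t[4], {"from": 0, "comm": [], "action": None})
            if t[5:6] == ["from"]:
                term["from"] += 1
                if t[6:7] == ["community"]:
                    term["comm"] += t[7:]
            elif t[5:7] in (["then", "accept"], ["then", "reject"]):
                term["action"] = t[6]
        elif t[:1] == ["routing-instances"] and t[2:3] == ["vrf-import"]:
            vrf_policy[t[1]] = t[3]
    accepted = {}
    for vrf, policy in vrf_policy.items():
        targets = set()
        for term in terms[policy].values():  # terms are evaluated in config order
            if term["action"] == "accept":
                if term["comm"]:
                    for name in term["comm"]:
                        targets |= members[name]
                else:
                    targets.add("*")  # accept that does not match on a community
            if term["action"] and not term["from"]:
                break  # an unconditional accept/reject ends evaluation
        accepted[vrf] = targets
    return accepted


def audit_vrf_imports(config, allowed):
    """Return (vrf, unexpected targets) for VRFs importing more than `allowed` permits."""
    findings = []
    for vrf, targets in vrf_import_targets(config).items():
        extra = targets - allowed.get(vrf, set())
        if extra:
            findings.append((vrf, sorted(extra)))
    return findings


def audit_host_inbound(config):
    """Return (zone, scope, category) wherever host-inbound-traffic is opened with 'all'."""
    findings = []
    for t in statements(config):
        if t[:3] == ["security", "zones", "security-zone"] and "host-inbound-traffic" in t:
            i = t.index("host-inbound-traffic")
            scope = t[5] if t[4:5] == ["interfaces"] else "zone"
            if t[i + 2:i + 3] == ["all"]:
                findings.append((t[3], scope, t[i + 1]))
    return findings


if __name__ == "__main__":
    for name, cfg in [("PE11", PE11), ("PE11 leaky", PE11_LEAKY)]:
        print(name, audit_vrf_imports(cfg, CUST_A) or "imports match CUST-A")
    for name, cfg in [("CE01", CE01), ("CE01 tight", CE01_TIGHT)]:
        print(name, audit_host_inbound(cfg) or "no 'all' host-inbound entries")
```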

My MPLS post the other week was pretty well received so I figured I might as well show the other side of the coin and do it again with Juniper boxes.

Topology

Today's Topology is similar to last time but Juniperified, we have:

  • 4 x PE routers that are vMX
  • 4 x P routers that are vSRX
  • 4 x CE routers that are vSRX boxes as well.

There are again two customers, CUST-A and CUST-B because originality is hard.

To save on some config space I'll just focus on a single router at a time unless there are differences that are worth seeing.

Provider Routers

Disable Flow Mode

I'm using SRX routers for my core so we need to disable the default flow-based mode and reboot the boxes before we can use them with MPLS.

root@P01# set security forwarding-options family inet6 mode packet-based 

[edit]
root@P01# set security forwarding-options family mpls mode packet-based 

[edit]
root@P01# set security forwarding-options family iso mode packet-based 

root@P01# commit 
commit complete

[edit]

root@P01# run request system reboot 
Reboot the system ? [yes,no] (no) yes

Once this is done we will no longer need to use security zones for everything.

Basic Setup

To keep things clean I'm using a virtual-router instance to move the first interface into another routing table for management.

set routing-instances MGMT instance-type virtual-router
set routing-instances MGMT interface ge-0/0/0.0
set routing-instances MGMT routing-options static route 0.0.0.0/0 next-hop 10.20.2.1
set interfaces ge-0/0/0 unit 0 family inet address 10.20.2.211/24

Most of my interfaces are connecting to trunk ports to make life easier so I'm going to enable vlan tagging and use subinterfaces to connect to everything.

set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 3011 vlan-id 3011
set interfaces ge-0/0/1 unit 3011 family inet address 10.1.11.1/24
set interfaces ge-0/0/1 unit 3012 vlan-id 3012
set interfaces ge-0/0/1 unit 3012 family inet address 10.1.2.1/24
set interfaces ge-0/0/1 unit 3013 vlan-id 3013
set interfaces ge-0/0/1 unit 3013 family inet address 10.1.3.1/24
set interfaces ge-0/0/1 unit 3014 vlan-id 3014
set interfaces ge-0/0/1 unit 3014 family inet address 10.1.4.1/24
set interfaces lo0 unit 0 family inet address 192.168.255.1/32

Then I'll just turn on OSPF on all active interfaces in the routing instance.

root@P01# set protocols ospf area 0.0.0.0 interface all 

Once we are done we should see a neighbor with every other P router and a PE router (once we get that far).

root@P01# run show ospf neighbor 
Address          Interface              State     ID               Pri  Dead
10.1.11.254      ge-0/0/1.3011          Full      192.168.255.11   128    39
10.1.2.2         ge-0/0/1.3012          Full      192.168.255.2    128    32
10.1.3.3         ge-0/0/1.3013          Full      192.168.255.3    128    39
10.1.4.4         ge-0/0/1.3014          Full      192.168.255.4    128    34

Enabling MPLS

While Cisco put effort into making sure MPLS is turned on right away, Juniper takes a bit more effort.

First we need to enable MPLS and LDP in the control plane under protocols, we can conveniently use the interface all keyword to enable it on all interfaces.

root@P01# set protocols mpls interface all 

root@P01# set protocols ldp interface all   

Next we need to turn it on for the forwarding plane by adding the mpls family to each interface on the router that will be in the MPLS path. This can be a bit annoying so you might want to look into things like config groups to ease the admin burden.

set interfaces ge-0/0/1 unit 3011 family mpls

set interfaces ge-0/0/1 unit 3012 family mpls

set interfaces ge-0/0/1 unit 3013 family mpls

set interfaces ge-0/0/1 unit 3014 family mpls

set interfaces lo0 unit 0 family mpls

Route Reflector

We'll use a route reflector again but this time I'll just take advantage of the logical-system feature to carve PE01 and PE02 into two new Route Reflector boxes.

RR01

First we'll turn on vlan-tagging for the interface I want to use since we still need to configure physical stuff at the interface level in logical-systems.

root@PE11# set interfaces ge-0/0/2 vlan-tagging 

Next we configure the interfaces like above under the logical-system.

root@PE11# set logical-systems RR01 interfaces ge-0/0/2 unit 3123 vlan-id 3123 
root@PE11# set logical-systems RR01 interfaces ge-0/0/2 unit 3123 family inet address 10.0.123.254/24 
root@PE11# set logical-systems RR01 interfaces ge-0/0/2 unit 3123 family mpls 
root@PE11# set logical-systems RR01 interfaces lo0 unit 1 family inet address 192.168.255.154/32 

root@PE11# set logical-systems RR01 protocols ospf area 0.0.0.0 interface all 
root@PE11# set logical-systems RR01 protocols mpls interface all 
root@PE11# set logical-systems RR01 protocols ldp interface all 

BGP is configured with the inet-vpn family which is the same as Cisco's VPNv4 family, the route reflector will have all four PEs as peers, will use 65123 as the AS for iBGP and will set a cluster-id so Juniper knows it is a Route Reflector.

root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL type internal 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL local-address 192.168.255.154 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL family inet-vpn unicast 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL cluster 192.168.255.254 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.11 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.22 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.33 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.44 
root@PE11# set logical-systems RR01 routing-options autonomous-system 65123 

RR02

root@PE22# set logical-systems RR02 interfaces ge-0/0/2 unit 3123 vlan-id 3123 
root@PE22# set logical-systems RR02 interfaces ge-0/0/2 unit 3123 family inet address 10.1.123.254/24 
root@PE22# set logical-systems RR02 interfaces ge-0/0/2 unit 3123 family mpls 
root@PE22# set logical-systems RR02 interfaces lo0 unit 1 family inet address 192.168.255.254/32 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL type internal 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL local-address 192.168.255.254 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL family inet-vpn unicast 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL cluster 192.168.255.254 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.11 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.22 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.33 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.44 
root@PE22# set logical-systems RR02 protocols ospf area 0.0.0.0 interface all 
root@PE22# set logical-systems RR02 protocols mpls interface all 
root@PE22# set logical-systems RR02 protocols ldp interface all 
root@PE22# set logical-systems RR02 routing-options autonomous-system 65123 

Provider Edge

The PE will be similar to the Route-Reflector minus the logical system stuff, we'll set up the interfaces, enable OSPF and MPLS, then peer with each of the RRs.

root@PE11# set routing-instances MGMT instance-type virtual-router 
root@PE11# set routing-instances MGMT interface ge-0/0/0.0 
root@PE11# set routing-instances MGMT routing-options static route 0.0.0.0/0 next-hop 10.20.2.1 
root@PE11# set interfaces ge-0/0/0 unit 0 family inet address 10.20.2.201/24 

root@PE11# set interfaces ge-0/0/1 vlan-tagging 
root@PE11# set interfaces ge-0/0/1 unit 3011 vlan-id 3011 
root@PE11# set interfaces ge-0/0/1 unit 3011 family inet address 10.1.11.254/24 
root@PE11# set interfaces ge-0/0/1 unit 3011 family mpls 
root@PE11# set interfaces ge-0/0/1 unit 3123 vlan-id 3123 
root@PE11# set interfaces ge-0/0/1 unit 3123 family inet address 10.0.123.11/24 
root@PE11# set interfaces ge-0/0/1 unit 3123 family mpls 
root@PE11# set interfaces ge-0/0/2 vlan-tagging 
root@PE11# set interfaces ge-0/0/5 unit 0 family inet address 192.168.1.254/24 

root@PE11# set interfaces lo0 unit 0 family inet address 192.168.255.11/32 
root@PE11# set interfaces lo0 unit 0 family inet6 address 2001:1234::1/128 
root@PE11# set interfaces lo0 unit 0 family mpls 

root@PE11# set routing-options autonomous-system 65123 
root@PE11# set protocols bgp group RR type internal 
root@PE11# set protocols bgp group RR local-address 192.168.255.11 
root@PE11# set protocols bgp group RR family inet-vpn unicast 
root@PE11# set protocols bgp group RR neighbor 192.168.255.154 
root@PE11# set protocols bgp group RR neighbor 192.168.255.254 

VRF / Policies

Now that our BGP is up, it is time to create the last piece of the L3VPN, which is making the policies as well as the VRF the CE goes into.

Policies

In Cisco land we controlled what route we imported and exported under the VRF configuration, Juniper does that too but for more granular control we will make a more elaborate policy.

First we make a community policy that just exports the PE's RD on each router.

root@PE11# set policy-options community RT-EXPORT-CE01 members target:65123:101 

Next we'll do the same for the import community where we will make one for each CE for flexibility's sake.

root@PE11# set policy-options community RT-IMPORT-CE01 members target:65123:101 
root@PE11# set policy-options community RT-IMPORT-CE02 members target:65123:102 
root@PE11# set policy-options community RT-IMPORT-CE03 members target:65123:103 
root@PE11# set policy-options community RT-IMPORT-CE04 members target:65123:104

With that in place we make a policy that will become our VRF-Export policy, we will say that if the protocol is directly connected or one of the routing protocols then we will add the export community and accept the route.

root@PE11# set policy-options policy-statement EXPORT-CE01 term EXPORT from protocol [ direct bgp rip ospf ]
root@PE11# set policy-options policy-statement EXPORT-CE01 term EXPORT then community add RT-EXPORT-CE01 
root@PE11# set policy-options policy-statement EXPORT-CE01 term EXPORT then accept 

If it doesn't match that criteria then we will reject it.

root@PE11# set policy-options policy-statement EXPORT-CE01 term REJECT then reject 

The VRF-Import policy will always be from MBGP so we match on protocol BGP, then we select what communities we want to talk to each other.

In our topology Cust-A is CE01 and CE02 so we'll do that then reject the rest.

root@PE11# set policy-options policy-statement IMPORT-CE01 term IMPORT from protocol bgp 
root@PE11# set policy-options policy-statement IMPORT-CE01 term IMPORT from community [ RT-IMPORT-CE01 RT-IMPORT-CE02 ] 
root@PE11# set policy-options policy-statement IMPORT-CE01 term IMPORT then accept 
root@PE11# set policy-options policy-statement IMPORT-CE01 term REJECT then reject

VRFs

With all that in place we need to make a VRF instance. In my case I'm using ge-0/0/5 on all the PEs as the CE interface so we add it to the VRF, we also set the PE's proper RD and apply the VRF policies we just made. We also use vrf-table-label to help make the L3VPN happy.

root@PE11# set routing-instances CE01 instance-type vrf 
root@PE11# set routing-instances CE01 interface ge-0/0/5.0 
root@PE11# set routing-instances CE01 route-distinguisher 65123:101 
root@PE11# set routing-instances CE01 vrf-import IMPORT-CE01 
root@PE11# set routing-instances CE01 vrf-export EXPORT-CE01 
root@PE11# set routing-instances CE01 vrf-table-label 

We'll also set the router-id for the instance just to have a bit more control.

root@PE11# set routing-instances CE01 routing-options router-id 192.168.255.11 

Customer Edge

PE01

Finally we will start working on the CE routing!

We need an export policy so Juniper knows what to send so I'll make a simple one that just accepts any route, since PE01 is BGP we'll set up that too. The config is the same as you have seen though you may want to use the as-override option if you are using BGP.

root@PE11# set policy-options policy-statement EXPORT-BGP then accept
root@PE11# set routing-instances CE01 protocols bgp group CUST-A type external 
root@PE11# set routing-instances CE01 protocols bgp group CUST-A export EXPORT-BGP 
root@PE11# set routing-instances CE01 protocols bgp group CUST-A peer-as 65101 
root@PE11# set routing-instances CE01 protocols bgp group CUST-A neighbor 192.168.1.1 as-override 



root@PE11# set policy-options policy-statement EXPORT-BGP then accept 

root@PE11# set policy-options policy-statement EXPORT-OSPF from protocol bgp 
root@PE11# set policy-options policy-statement EXPORT-OSPF then accept
root@PE11# set policy-options policy-statement EXPORT-RIP then metric 5 
root@PE11# set policy-options policy-statement EXPORT-RIP then accept 

CE01, CE02, CE03, CE04

Since the CEs are still in flow mode, we need to make sure the interfaces we use are trusted by the security zone, we could get more specific but we aren't really playing with the firewall today :)

root@CE01# set security zones security-zone trust host-inbound-traffic system-services all 
root@CE01# set security zones security-zone trust host-inbound-traffic protocols all 
root@CE01# set security zones security-zone trust interfaces ge-0/0/1.0 
root@CE01# set security zones security-zone trust interfaces ge-0/0/2.0 

CE01

For BGP we just do a normal peering and advertise everything directly connected.

root@CE01# set policy-options policy-statement EXPORT-BGP from protocol direct 
root@CE01# set policy-options policy-statement EXPORT-BGP then accept

root@CE01# set protocols bgp group CUST-A type external 
root@CE01# set protocols bgp group CUST-A export EXPORT-BGP 
root@CE01# set protocols bgp group CUST-A peer-as 65123 
root@CE01# set protocols bgp group CUST-A neighbor 192.168.1.254 

CE02

Same with RIP for CE02

root@CE02# set policy-options policy-statement EXPORT-RIP from protocol direct 
root@CE02# set policy-options policy-statement EXPORT-RIP then accept

root@CE02# set protocols rip group CUST-A export EXPORT-RIP 
root@CE02# set protocols rip group CUST-A neighbor ge-0/0/1.0 

CE03 and CE04

The OSPF CE is a bit unique because it is the only protocol we are looking at today that cares about external routes. Let's set up OSPF in two ways, one will simply add all interfaces to OSPF and the other will use the export method we have been doing.

root@CE03# set protocols ospf area 0.0.0.0 interface all 
root@CE03# set protocols ospf area 0.0.0.0 interface lo0.0 passive 


root@CE04# set policy-options policy-statement EXPORT-OSPF from protocol direct 
root@CE04# set policy-options policy-statement EXPORT-OSPF then accept 
root@CE04# set protocols ospf export EXPORT-OSPF    
root@CE04# set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 

Now we get the routes but routes from CE04 are external! We might talk about OSPF specific MPLS topics another day!

root@CE03# run show ospf route    
Topology default Route Table:

Prefix             Path  Route      NH       Metric NextHop       Nexthop      
                   Type  Type       Type            Interface     Address/LSP
192.168.3.254      Intra Area/AS BR IP            1 ge-0/0/1.0    192.168.3.254
172.16.31.0/24     Intra Network    IP            1 ge-0/0/2.0
172.16.32.0/24     Intra Network    IP            1 ge-0/0/2.0
172.16.33.0/24     Intra Network    IP            1 ge-0/0/2.0
172.16.34.0/24     Intra Network    IP            1 ge-0/0/2.0
172.16.41.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254
172.16.42.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254
172.16.43.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254
172.16.44.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254
192.168.3.0/24     Intra Network    IP            1 ge-0/0/1.0
192.168.4.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254

Verification

Now that everything is up we can make sure that BGP is working properly (probably should have done that sooner!)

root@PE11# run show bgp summary                                        
Groups: 2 Peers: 3 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
bgp.l3vpn.0          
                      12          6          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
192.168.1.1           65101       1803       1794       0       3    13:27:34 Establ
  CE01.inet.0: 5/6/6/0
192.168.255.154       65123       1594       1582       0       1    11:54:35 Establ
  bgp.l3vpn.0: 6/6/6/0
  CE01.inet.0: 6/6/6/0
192.168.255.254       65123       1591       1581       0       1    11:54:41 Establ
  bgp.l3vpn.0: 0/6/6/0
  CE01.inet.0: 0/6/6/0

We can also see the MPLS interfaces on the router

root@PE11# run show mpls interface 
Interface        State       Administrative groups (x: extended)
ge-0/0/1.3011    Up         <none>
ge-0/0/1.3123    Up         <none>

[edit]

As well as the LDP neighbors

root@PE11# run show ldp neighbor 
Address                             Interface       Label space ID     Hold time
10.1.11.1                           ge-0/0/1.3011   192.168.255.1:0      14
10.0.123.33                         ge-0/0/1.3123   192.168.255.33:0     13
10.0.123.44                         ge-0/0/1.3123   192.168.255.44:0     13
10.0.123.254                        ge-0/0/1.3123   192.168.255.154:0    11

PE01 Routing Table

Juniper groups everything into the routing table so we can see the main routing table, the MPLS labels, the VRF routes, and IPv6 routes all in one place! We can also see the INET-VPN routes so we can see if things are being learned properly.

root@PE11# run show route 

inet.0: 26 destinations, 26 routes (26 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.123.0/24      *[Direct/0] 12:09:45
                    > via ge-0/0/1.3123
10.0.123.11/32     *[Local/0] 12:09:45
                      Local via ge-0/0/1.3123
10.1.2.0/24        *[OSPF/10] 14:45:03, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
10.1.3.0/24        *[OSPF/10] 14:45:03, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
10.1.4.0/24        *[OSPF/10] 14:45:03, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
10.1.11.0/24       *[Direct/0] 14:45:09
                    > via ge-0/0/1.3011
10.1.11.254/32     *[Local/0] 14:45:09
                      Local via ge-0/0/1.3011
10.1.123.0/24      *[OSPF/10] 11:41:39, metric 2
                    > to 10.0.123.33 via ge-0/0/1.3123
                      to 10.0.123.44 via ge-0/0/1.3123
10.2.3.0/24        *[OSPF/10] 11:42:39, metric 3
                      to 10.1.11.1 via ge-0/0/1.3011
                    > to 10.0.123.33 via ge-0/0/1.3123
10.2.4.0/24        *[OSPF/10] 11:41:48, metric 3
                      to 10.1.11.1 via ge-0/0/1.3011
                    > to 10.0.123.44 via ge-0/0/1.3123
10.2.22.0/24       *[OSPF/10] 11:41:39, metric 3
                      to 10.1.11.1 via ge-0/0/1.3011
                      to 10.0.123.33 via ge-0/0/1.3123
                    > to 10.0.123.44 via ge-0/0/1.3123
10.3.4.0/24        *[OSPF/10] 11:41:48, metric 3
                      to 10.1.11.1 via ge-0/0/1.3011
                      to 10.0.123.33 via ge-0/0/1.3123
                    > to 10.0.123.44 via ge-0/0/1.3123
10.3.33.0/24       *[OSPF/10] 11:42:39, metric 2
                    > to 10.0.123.33 via ge-0/0/1.3123
10.4.44.0/24       *[OSPF/10] 11:41:48, metric 2
                    > to 10.0.123.44 via ge-0/0/1.3123
192.168.255.1/32   *[OSPF/10] 14:45:03, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011
192.168.255.2/32   *[OSPF/10] 12:00:32, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
192.168.255.3/32   *[OSPF/10] 11:42:39, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
                      to 10.0.123.33 via ge-0/0/1.3123
192.168.255.4/32   *[OSPF/10] 11:41:48, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
                      to 10.0.123.44 via ge-0/0/1.3123
192.168.255.11/32  *[Direct/0] 14:52:17
                    > via lo0.0
192.168.255.22/32  *[OSPF/10] 11:41:39, metric 2
                    > to 10.0.123.33 via ge-0/0/1.3123
                      to 10.0.123.44 via ge-0/0/1.3123
192.168.255.33/32  *[OSPF/10] 11:42:39, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123
192.168.255.44/32  *[OSPF/10] 11:41:48, metric 1
                    > to 10.0.123.44 via ge-0/0/1.3123
192.168.255.154/32 *[OSPF/10] 12:07:04, metric 1
                    > to 10.0.123.254 via ge-0/0/1.3123
192.168.255.254/32 *[OSPF/10] 11:41:39, metric 2
                      to 10.0.123.33 via ge-0/0/1.3123
                    > to 10.0.123.44 via ge-0/0/1.3123
224.0.0.2/32       *[LDP/9] 14:52:17, metric 1
                      MultiRecv
224.0.0.5/32       *[OSPF/10] 14:52:17, metric 1
                      MultiRecv

inet.3: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.255.1/32   *[LDP/9] 14:45:03, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011
192.168.255.2/32   *[LDP/9] 12:00:32, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Push 299840
192.168.255.3/32   *[LDP/9] 11:42:38, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Push 299808
                      to 10.0.123.33 via ge-0/0/1.3123, Push 299776
192.168.255.4/32   *[LDP/9] 11:41:47, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Push 299792
                      to 10.0.123.44 via ge-0/0/1.3123, Push 299776
192.168.255.22/32  *[LDP/9] 11:37:45, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 299952
                      to 10.0.123.44 via ge-0/0/1.3123, Push 299952
192.168.255.33/32  *[LDP/9] 11:42:38, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123
192.168.255.44/32  *[LDP/9] 11:41:47, metric 1
                    > to 10.0.123.44 via ge-0/0/1.3123
192.168.255.154/32 *[LDP/9] 11:44:55, metric 1
                    > to 10.0.123.254 via ge-0/0/1.3123
192.168.255.254/32 *[LDP/9] 11:37:45, metric 1
                      to 10.0.123.33 via ge-0/0/1.3123, Push 299936
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 299936

CE01.inet.0: 13 destinations, 20 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.11.0/24     *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
172.16.12.0/24     *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
172.16.13.0/24     *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
172.16.14.0/24     *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
172.16.21.0/24     *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
172.16.22.0/24     *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
172.16.23.0/24     *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
172.16.24.0/24     *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
192.168.1.0/24     *[Direct/0] 14:45:09
                    > via ge-0/0/5.0
                    [BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
192.168.1.254/32   *[Local/0] 14:45:09
                      Local via ge-0/0/5.0
192.168.2.0/24     *[BGP/170] 00:33:22, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:33:22, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
192.168.254.1/32   *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
192.168.254.2/32   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)

MGMT.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 14:45:09
                    > to 10.20.2.1 via ge-0/0/0.0
10.20.2.0/24       *[Direct/0] 14:45:09
                    > via ge-0/0/0.0
10.20.2.201/32     *[Local/0] 14:45:09
                      Local via ge-0/0/0.0

mpls.0: 20 destinations, 20 routes (20 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0                  *[MPLS/0] 14:52:17, metric 1
                      to table inet.0
0(S=0)             *[MPLS/0] 14:52:17, metric 1
                      to table mpls.0
1                  *[MPLS/0] 14:52:17, metric 1
                      Receive
2                  *[MPLS/0] 14:52:17, metric 1
                      to table inet6.0
2(S=0)             *[MPLS/0] 14:52:17, metric 1
                      to table mpls.0
13                 *[MPLS/0] 14:52:17, metric 1
                      Receive
16                 *[VPN/0] 14:52:17
                    > via lsi.0 (CE01), Pop      
299776             *[LDP/9] 14:45:03, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Pop      
299776(S=0)        *[LDP/9] 14:45:03, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Pop      
299792             *[LDP/9] 11:41:47, metric 1
                      to 10.1.11.1 via ge-0/0/1.3011, Swap 299792
                    > to 10.0.123.44 via ge-0/0/1.3123, Swap 299776
299808             *[LDP/9] 11:42:38, metric 1
                      to 10.1.11.1 via ge-0/0/1.3011, Swap 299808
                    > to 10.0.123.33 via ge-0/0/1.3123, Swap 299776
299824             *[LDP/9] 12:00:32, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Swap 299840
299856             *[LDP/9] 11:42:38, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Pop      
299856(S=0)        *[LDP/9] 11:42:38, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Pop      
299872             *[LDP/9] 11:41:47, metric 1
                    > to 10.0.123.44 via ge-0/0/1.3123, Pop      
299872(S=0)        *[LDP/9] 11:41:47, metric 1
                    > to 10.0.123.44 via ge-0/0/1.3123, Pop      
299904             *[LDP/9] 11:44:55, metric 1
                    > to 10.0.123.254 via ge-0/0/1.3123, Pop      
299904(S=0)        *[LDP/9] 11:44:55, metric 1
                    > to 10.0.123.254 via ge-0/0/1.3123, Pop      
299936             *[LDP/9] 11:37:45, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Swap 299936
                      to 10.0.123.44 via ge-0/0/1.3123, Swap 299936
299952             *[LDP/9] 11:37:45, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Swap 299952
                      to 10.0.123.44 via ge-0/0/1.3123, Swap 299952

bgp.l3vpn.0: 6 destinations, 12 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

65123:102:172.16.21.0/24                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:172.16.22.0/24                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:172.16.23.0/24                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:172.16.24.0/24                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:192.168.2.0/24                
                   *[BGP/170] 00:33:22, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:33:22, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:192.168.254.2/32                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)

inet6.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2001:1234::1/128   *[Direct/0] 14:52:17
                    > via lo0.0
fe80::250:560f:fc9e:4cd1/128
                   *[Direct/0] 14:52:17
                    > via lo0.0
ff02::2/128        *[INET6/0] 14:52:17
                      MultiRecv

Pastebins

Here are the configs in pastebins for more convenient viewing.

PE01

PE02

PE03

PE04

P01

P02

P03

P04

CE01

CE02

CE03

CE04


My MPLS post the other week was pretty well received so I figured might as well show the other side of the coin and do it again with Juniper boxes.

Topology

Today's topology is similar to last time but Juniperified. We have:

  • 4 x PE routers that are vMX
  • 4 x P routers that are vSRX
  • 4 x CE routers that are vSRX boxes as well.

There are again two customers, CUST-A and CUST-B because originality is hard.

To save on some config space I'll just focus on a single router at a time unless there are differences that are worth seeing.

Provider Routers

Disable Flow Mode

I'm using SRX routers for my core, so we need to disable the default flow-based mode and reboot the boxes before we can use them with MPLS.

root@P01# set security forwarding-options family inet6 mode packet-based 

[edit]
root@P01# set security forwarding-options family mpls mode packet-based 

[edit]
root@P01# set security forwarding-options family iso mode packet-based 

root@P01# commit 
commit complete

[edit]

root@P01# run request system reboot 
Reboot the system ? [yes,no] (no) yes

Once this is done we will no longer need to use security zones for everything.

Basic Setup

To keep things clean I'm using a virtual-router instance to move the first interface into another routing table for management.

set routing-instances MGMT instance-type virtual-router
set routing-instances MGMT interface ge-0/0/0.0
set routing-instances MGMT routing-options static route 0.0.0.0/0 next-hop 10.20.2.1
set interfaces ge-0/0/0 unit 0 family inet address 10.20.2.211/24

Most of my interfaces connect to trunk ports to make life easier, so I'm going to enable VLAN tagging and use subinterfaces to connect to everything.

set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 3011 vlan-id 3011
set interfaces ge-0/0/1 unit 3011 family inet address 10.1.11.1/24
set interfaces ge-0/0/1 unit 3012 vlan-id 3012
set interfaces ge-0/0/1 unit 3012 family inet address 10.1.2.1/24
set interfaces ge-0/0/1 unit 3013 vlan-id 3013
set interfaces ge-0/0/1 unit 3013 family inet address 10.1.3.1/24
set interfaces ge-0/0/1 unit 3014 vlan-id 3014
set interfaces ge-0/0/1 unit 3014 family inet address 10.1.4.1/24
set interfaces lo0 unit 0 family inet address 192.168.255.1/32

Then I'll just turn on OSPF on all active interfaces in the routing instance.

root@P01# set protocols ospf area 0.0.0.0 interface all 

Once we are done we should see a neighbor with every other P router and a PE router (once we get that far).

root@P01# run show ospf neighbor 
Address          Interface              State     ID               Pri  Dead
10.1.11.254      ge-0/0/1.3011          Full      192.168.255.11   128    39
10.1.2.2         ge-0/0/1.3012          Full      192.168.255.2    128    32
10.1.3.3         ge-0/0/1.3013          Full      192.168.255.3    128    39
10.1.4.4         ge-0/0/1.3014          Full      192.168.255.4    128    34

Enabling MPLS

While Cisco put effort into making sure MPLS is turned on right away, Juniper takes a bit more effort.

First we need to enable MPLS and LDP in the control plane under protocols. We can conveniently use the interface all keyword to enable it on all interfaces.

root@P01# set protocols mpls interface all 

root@P01# set protocols ldp interface all   

Next we need to turn it on for the forwarding plane by adding the mpls family to each interface on the router that will be in the MPLS path. This can be a bit annoying so you might want to look into things like config groups to ease the admin burden.

set interfaces ge-0/0/1 unit 3011 family mpls

set interfaces ge-0/0/1 unit 3012 family mpls

set interfaces ge-0/0/1 unit 3013 family mpls

set interfaces ge-0/0/1 unit 3014 family mpls

set interfaces lo0 unit 0 family mpls

Route Reflector

We'll use a route reflector again, but this time I'm just going to take advantage of the logical-system feature to carve PE01 and PE02 into two new Route Reflector boxes.

RR01

First we'll turn on vlan-tagging for the interface I want to use since we still need to configure physical stuff at the interface level in logical-systems.

root@PE11# set interfaces ge-0/0/2 vlan-tagging 

Next we configure the interfaces like above under the logical-system.

root@PE11# set logical-systems RR01 interfaces ge-0/0/2 unit 3123 vlan-id 3123 
root@PE11# set logical-systems RR01 interfaces ge-0/0/2 unit 3123 family inet address 10.0.123.254/24 
root@PE11# set logical-systems RR01 interfaces ge-0/0/2 unit 3123 family mpls 
root@PE11# set logical-systems RR01 interfaces lo0 unit 1 family inet address 192.168.255.154/32 

root@PE11# set logical-systems RR01 protocols ospf area 0.0.0.0 interface all 
root@PE11# set logical-systems RR01 protocols mpls interface all 
root@PE11# set logical-systems RR01 protocols ldp interface all 

BGP is configured with the inet-vpn family, which is the same as Cisco's VPNv4 family. The route reflector will have all four PEs as peers, will use 65123 as the AS for iBGP, and will set a cluster-id so Juniper knows it is a Route Reflector.

root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL type internal 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL local-address 192.168.255.154 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL family inet-vpn unicast 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL cluster 192.168.255.254 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.11 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.22 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.33 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.44 
root@PE11# set logical-systems RR01 routing-options autonomous-system 65123 

RR02

root@PE22# set logical-systems RR02 interfaces ge-0/0/2 unit 3123 vlan-id 3123 
root@PE22# set logical-systems RR02 interfaces ge-0/0/2 unit 3123 family inet address 10.1.123.254/24 
root@PE22# set logical-systems RR02 interfaces ge-0/0/2 unit 3123 family mpls 
root@PE22# set logical-systems RR02 interfaces lo0 unit 1 family inet address 192.168.255.254/32 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL type internal 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL local-address 192.168.255.254 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL family inet-vpn unicast 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL cluster 192.168.255.254 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.11 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.22 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.33 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.44 
root@PE22# set logical-systems RR02 protocols ospf area 0.0.0.0 interface all 
root@PE22# set logical-systems RR02 protocols mpls interface all 
root@PE22# set logical-systems RR02 protocols ldp interface all 
root@PE22# set logical-systems RR02 routing-options autonomous-system 65123 

Provider Edge

The PE will be similar to the Route Reflector minus the logical-system stuff: we'll set up the interfaces, enable OSPF and MPLS, then peer with each of the RRs.

root@PE11# set routing-instances MGMT instance-type virtual-router 
root@PE11# set routing-instances MGMT interface ge-0/0/0.0 
root@PE11# set routing-instances MGMT routing-options static route 0.0.0.0/0 next-hop 10.20.2.1 
root@PE11# set interfaces ge-0/0/0 unit 0 family inet address 10.20.2.201/24 

root@PE11# set interfaces ge-0/0/1 vlan-tagging 
root@PE11# set interfaces ge-0/0/1 unit 3011 vlan-id 3011 
root@PE11# set interfaces ge-0/0/1 unit 3011 family inet address 10.1.11.254/24 
root@PE11# set interfaces ge-0/0/1 unit 3011 family mpls 
root@PE11# set interfaces ge-0/0/1 unit 3123 vlan-id 3123 
root@PE11# set interfaces ge-0/0/1 unit 3123 family inet address 10.0.123.11/24 
root@PE11# set interfaces ge-0/0/1 unit 3123 family mpls 
root@PE11# set interfaces ge-0/0/2 vlan-tagging 
root@PE11# set interfaces ge-0/0/5 unit 0 family inet address 192.168.1.254/24 

root@PE11# set interfaces lo0 unit 0 family inet address 192.168.255.11/32 
root@PE11# set interfaces lo0 unit 0 family inet6 address 2001:1234::1/128 
root@PE11# set interfaces lo0 unit 0 family mpls 

root@PE11# set routing-options autonomous-system 65123 
root@PE11# set protocols bgp group RR type internal 
root@PE11# set protocols bgp group RR local-address 192.168.255.11 
root@PE11# set protocols bgp group RR family inet-vpn unicast 
root@PE11# set protocols bgp group RR neighbor 192.168.255.154 
root@PE11# set protocols bgp group RR neighbor 192.168.255.254 

VRF / Policies

Now that our BGP is up, it is time to create the last piece of the L3VPN, which is making the policies as well as the VRF the CE goes into.

Policies

In Cisco land we controlled what routes we imported and exported under the VRF configuration. Juniper does that too, but for more granular control we will make a more elaborate policy.

First we make a community policy that just exports the PE's RD on each router.

root@PE11# set policy-options community RT-EXPORT-CE01 members target:65123:101 

Next we'll do the same for the import community where we will make one for each CE for flexibility's sake.

root@PE11# set policy-options community RT-IMPORT-CE01 members target:65123:101 
root@PE11# set policy-options community RT-IMPORT-CE02 members target:65123:102 
root@PE11# set policy-options community RT-IMPORT-CE03 members target:65123:103 
root@PE11# set policy-options community RT-IMPORT-CE04 members target:65123:104

With that in place we make a policy that will become our VRF-Export policy. We will say that if the protocol is directly connected or one of the routing protocols, then we will add the export community and accept the route.

root@PE11# set policy-options policy-statement EXPORT-CE01 term EXPORT from protocol [ direct bgp rip ospf ]
root@PE11# set policy-options policy-statement EXPORT-CE01 term EXPORT then community add RT-EXPORT-CE01 
root@PE11# set policy-options policy-statement EXPORT-CE01 term EXPORT then accept 

If it doesn't match that criteria then we will reject it.

root@PE11# set policy-options policy-statement EXPORT-CE01 term REJECT then reject 

The VRF-Import policy will always be from MBGP, so we match on protocol BGP, then we select which communities we want to talk to each other.

In our topology Cust-A is CE01 and CE02, so we'll do that, then reject the rest.

root@PE11# set policy-options policy-statement IMPORT-CE01 term IMPORT from protocol bgp 
root@PE11# set policy-options policy-statement IMPORT-CE01 term IMPORT from community [ RT-IMPORT-CE01 RT-IMPORT-CE02 ] 
root@PE11# set policy-options policy-statement IMPORT-CE01 term IMPORT then accept 
root@PE11# set policy-options policy-statement IMPORT-CE01 term REJECT then reject

VRFs

With all that in place we need to make a VRF instance. In my case I'm using ge-0/0/5 on all the PEs as the CE interface, so we add it to the VRF. We also set the PE's proper RD and apply the VRF policies we just made. We also use vrf-table-label to help make the L3VPN happy.

root@PE11# set routing-instances CE01 instance-type vrf 
root@PE11# set routing-instances CE01 interface ge-0/0/5.0 
root@PE11# set routing-instances CE01 route-distinguisher 65123:101 
root@PE11# set routing-instances CE01 vrf-import IMPORT-CE01 
root@PE11# set routing-instances CE01 vrf-export EXPORT-CE01 
root@PE11# set routing-instances CE01 vrf-table-label 

We'll also set the router-id for the instance just to have a bit more control.

root@PE11# set routing-instances CE01 routing-options router-id 192.168.255.11 
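
The vrf-export / vrf-import logic above can be checked mechanically before it is committed. The following is an added example, not part of the original post: it parses set-format policy lines, applies each VRF's export and import policy in term order, and reports any VRF that would import routes from another customer. The PE11 lines follow the post; the PE22/PE33/PE44 configs and the CUST-B membership (CE03, CE04) are assumptions made by symmetry.

```python
# Added example: model of route-target export/import for the post's L3VPN policies.

def pe_config(n, imports):
    """Set-format lines in the post's naming style. n=1, imports=(1, 2) reproduces
    the PE11 lines from the post; every other PE is ASSUMED by symmetry."""
    ce = f"CE0{n}"
    names = " ".join(f"RT-IMPORT-CE0{i}" for i in imports)
    lines = [f"set policy-options community RT-EXPORT-{ce} members target:65123:10{n}"]
    lines += [f"set policy-options community RT-IMPORT-CE0{i} members target:65123:10{i}"
              for i in range(1, 5)]
    lines += [
        f"set policy-options policy-statement EXPORT-{ce} term EXPORT from protocol [ direct bgp rip ospf ]",
        f"set policy-options policy-statement EXPORT-{ce} term EXPORT then community add RT-EXPORT-{ce}",
        f"set policy-options policy-statement EXPORT-{ce} term EXPORT then accept",
        f"set policy-options policy-statement EXPORT-{ce} term REJECT then reject",
        f"set policy-options policy-statement IMPORT-{ce} term IMPORT from protocol bgp",
        f"set policy-options policy-statement IMPORT-{ce} term IMPORT from community [ {names} ]",
        f"set policy-options policy-statement IMPORT-{ce} term IMPORT then accept",
        f"set policy-options policy-statement IMPORT-{ce} term REJECT then reject",
        f"set routing-instances {ce} vrf-import IMPORT-{ce}",
        f"set routing-instances {ce} vrf-export EXPORT-{ce}",
    ]
    return "\n".join(lines)

def parse(config):
    """Return (communities, policies, vrf bindings). Terms keep their config order."""
    comms, policies, vrfs = {}, {}, {}
    for line in config.strip().splitlines():
        t = [w for w in line.split() if w not in ("[", "]")]
        if t[1] == "policy-options" and t[2] == "community":
            comms[t[3]] = set(t[5:])                      # name -> member RTs
        elif t[1] == "policy-options" and t[2] == "policy-statement":
            term = policies.setdefault(t[3], {}).setdefault(
                t[5], {"protocol": set(), "community": set(), "add": set(), "action": None})
            body = t[6:]
            if body[0] == "from":                         # from protocol / from community
                term[body[1]].update(body[2:])
            elif body[:3] == ["then", "community", "add"]:
                term["add"].add(body[3])
            else:                                         # then accept / then reject
                term["action"] = body[1]
        elif t[1] == "routing-instances" and t[3] in ("vrf-import", "vrf-export"):
            vrfs.setdefault(t[2], {})[t[3]] = t[4]
    return comms, policies, vrfs

def evaluate(policy, comms, protocol, route_rts):
    """Walk terms in order; the first matching term with an action decides.
    Returns (accepted, route targets carried by the route afterwards)."""
    rts = set(route_rts)
    for term in policy.values():
        if term["protocol"] and protocol not in term["protocol"]:
            continue
        # A named community matches when the route carries all of its members;
        # listing several names in one 'from community' is a logical OR.
        if term["community"] and not any(comms[c] <= rts for c in term["community"]):
            continue
        for c in term["add"]:
            rts |= comms[c]
        if term["action"]:
            return term["action"] == "accept", rts
    # Not reached with the post's policies (they end in an explicit REJECT term);
    # treated as reject here, which is an assumption of this model.
    return False, rts

def import_matrix(pe_configs):
    """Map each VRF to the set of other VRFs whose exported routes it accepts."""
    parsed = [parse(cfg) for cfg in pe_configs.values()]
    exported = {}
    for comms, pols, vrfs in parsed:
        for vrf, bind in vrfs.items():
            ok, rts = evaluate(pols[bind["vrf-export"]], comms, "direct", set())
            if ok:
                exported[vrf] = rts
    matrix = {}
    for comms, pols, vrfs in parsed:
        for vrf, bind in vrfs.items():
            matrix[vrf] = {src for src, rts in exported.items() if src != vrf
                           and evaluate(pols[bind["vrf-import"]], comms, "bgp", rts)[0]}
    return matrix

def leaks(matrix, customers):
    """(importing VRF, source VRF) pairs that cross a customer boundary."""
    owner = {vrf: c for c, members in customers.items() for vrf in members}
    return sorted((dst, src) for dst, srcs in matrix.items()
                  for src in srcs if owner[dst] != owner[src])

# CUST-A membership is stated in the post; CUST-B membership is assumed.
CUSTOMERS = {"CUST-A": {"CE01", "CE02"}, "CUST-B": {"CE03", "CE04"}}
GOOD = {"PE11": pe_config(1, (1, 2)), "PE22": pe_config(2, (1, 2)),
        "PE33": pe_config(3, (3, 4)), "PE44": pe_config(4, (3, 4))}
# Constructed mistake: RT-IMPORT-CE03 added to PE11's import term.
BAD = dict(GOOD, PE11=pe_config(1, (1, 2, 3)))

if __name__ == "__main__":
    print("intended:", import_matrix(GOOD), leaks(import_matrix(GOOD), CUSTOMERS))
    print("mistake: ", import_matrix(BAD), leaks(import_matrix(BAD), CUSTOMERS))
```

With the constructed mistake the leak is one-way: CE01's VRF learns CE03's prefixes, but CE03's VRF does not learn CE01's, so a ping test from the CUST-B side alone would not reveal it.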

Customer Edge

PE01

Finally we will start working on the CE routing!

We need an export policy so Juniper knows what to send, so I'll make a simple one that just accepts any route. Since PE01 is BGP, we'll set that up too. The config is the same as you have seen, though you may want to use the as-override option if you are using BGP.

root@PE11# set policy-options policy-statement EXPORT-BGP then accept
root@PE11# set routing-instances CE01 protocols bgp group CUST-A type external 
root@PE11# set routing-instances CE01 protocols bgp group CUST-A export EXPORT-BGP 
root@PE11# set routing-instances CE01 protocols bgp group CUST-A peer-as 65101 
root@PE11# set routing-instances CE01 protocols bgp group CUST-A neighbor 192.168.1.1 as-override 



root@PE11# set policy-options policy-statement EXPORT-BGP then accept 

root@PE11# set policy-options policy-statement EXPORT-OSPF from protocol bgp 
root@PE11# set policy-options policy-statement EXPORT-OSPF then accept
root@PE11# set policy-options policy-statement EXPORT-RIP then metric 5 
root@PE11# set policy-options policy-statement EXPORT-RIP then accept 

CE01, CE02, CE03, CE04

Since the CEs are still in flow mode, we need to make sure the interfaces we use are trusted by the security zone. We could get more specific but we aren't really playing with the firewall today :)

root@CE01# set security zones security-zone trust host-inbound-traffic system-services all 
root@CE01# set security zones security-zone trust host-inbound-traffic protocols all 
root@CE01# set security zones security-zone trust interfaces ge-0/0/1.0 
root@CE01# set security zones security-zone trust interfaces ge-0/0/2.0 

CE01

For BGP we just do a normal peering and advertise everything directly connected.

root@CE01# set policy-options policy-statement EXPORT-BGP from protocol direct 
root@CE01# set policy-options policy-statement EXPORT-BGP then accept

root@CE01# set protocols bgp group CUST-A type external 
root@CE01# set protocols bgp group CUST-A export EXPORT-BGP 
root@CE01# set protocols bgp group CUST-A peer-as 65123 
root@CE01# set protocols bgp group CUST-A neighbor 192.168.1.254 

CE02

Same with RIP for CE02.

root@CE02# set policy-options policy-statement EXPORT-RIP from protocol direct 
root@CE02# set policy-options policy-statement EXPORT-RIP then accept

root@CE02# set protocols rip group CUST-A export EXPORT-RIP 
root@CE02# set protocols rip group CUST-A neighbor ge-0/0/1.0 

CE03 and CE04

The OSPF CE is a bit unique because it is the only protocol we are looking at today that cares about external routes. Let's set up OSPF in two ways: one will simply add all interfaces to OSPF and the other will use the export method we have been doing.

root@CE03# set protocols ospf area 0.0.0.0 interface all 
root@CE03# set protocols ospf area 0.0.0.0 interface lo0.0 passive 


root@CE04# set policy-options policy-statement EXPORT-OSPF from protocol direct 
root@CE04# set policy-options policy-statement EXPORT-OSPF then accept 
root@CE04# set protocols ospf export EXPORT-OSPF    
root@CE04# set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 

Now we get the routes, but routes from CE04 are external! We might talk about OSPF-specific MPLS topics another day!

root@CE03# run show ospf route    
Topology default Route Table:

Prefix             Path  Route      NH       Metric NextHop       Nexthop      
                   Type  Type       Type            Interface     Address/LSP
192.168.3.254      Intra Area/AS BR IP            1 ge-0/0/1.0    192.168.3.254
172.16.31.0/24     Intra Network    IP            1 ge-0/0/2.0
172.16.32.0/24     Intra Network    IP            1 ge-0/0/2.0
172.16.33.0/24     Intra Network    IP            1 ge-0/0/2.0
172.16.34.0/24     Intra Network    IP            1 ge-0/0/2.0
172.16.41.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254
172.16.42.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254
172.16.43.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254
172.16.44.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254
192.168.3.0/24     Intra Network    IP            1 ge-0/0/1.0
192.168.4.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254

Verification

Now that everything is up we can make sure that BGP is working properly (probably should have done that sooner!).

root@PE11# run show bgp summary                                        
Groups: 2 Peers: 3 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
bgp.l3vpn.0          
                      12          6          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
192.168.1.1           65101       1803       1794       0       3    13:27:34 Establ
  CE01.inet.0: 5/6/6/0
192.168.255.154       65123       1594       1582       0       1    11:54:35 Establ
  bgp.l3vpn.0: 6/6/6/0
  CE01.inet.0: 6/6/6/0
192.168.255.254       65123       1591       1581       0       1    11:54:41 Establ
  bgp.l3vpn.0: 0/6/6/0
  CE01.inet.0: 0/6/6/0

We can also see the MPLS interfaces on the router.

root@PE11# run show mpls interface 
Interface        State       Administrative groups (x: extended)
ge-0/0/1.3011    Up         <none>
ge-0/0/1.3123    Up         <none>

[edit]

As well as the LDP neighbors.

root@PE11# run show ldp neighbor 
Address                             Interface       Label space ID     Hold time
10.1.11.1                           ge-0/0/1.3011   192.168.255.1:0      14
10.0.123.33                         ge-0/0/1.3123   192.168.255.33:0     13
10.0.123.44                         ge-0/0/1.3123   192.168.255.44:0     13
10.0.123.254                        ge-0/0/1.3123   192.168.255.154:0    11

PE01 Routing Table

Juniper groups everything into the routing table so we can see the main routing table, the MPLS labels, the VRF routes, and IPv6 routes all in one place! We can also see the INET-VPN routes so we can see if things are being learned properly.

root@PE11# run show route 

inet.0: 26 destinations, 26 routes (26 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.123.0/24      *[Direct/0] 12:09:45
                    > via ge-0/0/1.3123
10.0.123.11/32     *[Local/0] 12:09:45
                      Local via ge-0/0/1.3123
10.1.2.0/24        *[OSPF/10] 14:45:03, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
10.1.3.0/24        *[OSPF/10] 14:45:03, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
10.1.4.0/24        *[OSPF/10] 14:45:03, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
10.1.11.0/24       *[Direct/0] 14:45:09
                    > via ge-0/0/1.3011
10.1.11.254/32     *[Local/0] 14:45:09
                      Local via ge-0/0/1.3011
10.1.123.0/24      *[OSPF/10] 11:41:39, metric 2
                    > to 10.0.123.33 via ge-0/0/1.3123
                      to 10.0.123.44 via ge-0/0/1.3123
10.2.3.0/24        *[OSPF/10] 11:42:39, metric 3
                      to 10.1.11.1 via ge-0/0/1.3011
                    > to 10.0.123.33 via ge-0/0/1.3123
10.2.4.0/24        *[OSPF/10] 11:41:48, metric 3
                      to 10.1.11.1 via ge-0/0/1.3011
                    > to 10.0.123.44 via ge-0/0/1.3123
10.2.22.0/24       *[OSPF/10] 11:41:39, metric 3
                      to 10.1.11.1 via ge-0/0/1.3011
                      to 10.0.123.33 via ge-0/0/1.3123
                    > to 10.0.123.44 via ge-0/0/1.3123
10.3.4.0/24        *[OSPF/10] 11:41:48, metric 3
                      to 10.1.11.1 via ge-0/0/1.3011
                      to 10.0.123.33 via ge-0/0/1.3123
                    > to 10.0.123.44 via ge-0/0/1.3123
10.3.33.0/24       *[OSPF/10] 11:42:39, metric 2
                    > to 10.0.123.33 via ge-0/0/1.3123
10.4.44.0/24       *[OSPF/10] 11:41:48, metric 2
                    > to 10.0.123.44 via ge-0/0/1.3123
192.168.255.1/32   *[OSPF/10] 14:45:03, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011
192.168.255.2/32   *[OSPF/10] 12:00:32, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
192.168.255.3/32   *[OSPF/10] 11:42:39, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
                      to 10.0.123.33 via ge-0/0/1.3123
192.168.255.4/32   *[OSPF/10] 11:41:48, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
                      to 10.0.123.44 via ge-0/0/1.3123
192.168.255.11/32  *[Direct/0] 14:52:17
                    > via lo0.0
192.168.255.22/32  *[OSPF/10] 11:41:39, metric 2
                    > to 10.0.123.33 via ge-0/0/1.3123
                      to 10.0.123.44 via ge-0/0/1.3123
192.168.255.33/32  *[OSPF/10] 11:42:39, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123
192.168.255.44/32  *[OSPF/10] 11:41:48, metric 1
                    > to 10.0.123.44 via ge-0/0/1.3123
192.168.255.154/32 *[OSPF/10] 12:07:04, metric 1
                    > to 10.0.123.254 via ge-0/0/1.3123
192.168.255.254/32 *[OSPF/10] 11:41:39, metric 2
                      to 10.0.123.33 via ge-0/0/1.3123
                    > to 10.0.123.44 via ge-0/0/1.3123
224.0.0.2/32       *[LDP/9] 14:52:17, metric 1
                      MultiRecv
224.0.0.5/32       *[OSPF/10] 14:52:17, metric 1
                      MultiRecv

inet.3: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.255.1/32   *[LDP/9] 14:45:03, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011
192.168.255.2/32   *[LDP/9] 12:00:32, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Push 299840
192.168.255.3/32   *[LDP/9] 11:42:38, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Push 299808
                      to 10.0.123.33 via ge-0/0/1.3123, Push 299776
192.168.255.4/32   *[LDP/9] 11:41:47, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Push 299792
                      to 10.0.123.44 via ge-0/0/1.3123, Push 299776
192.168.255.22/32  *[LDP/9] 11:37:45, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 299952
                      to 10.0.123.44 via ge-0/0/1.3123, Push 299952
192.168.255.33/32  *[LDP/9] 11:42:38, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123
192.168.255.44/32  *[LDP/9] 11:41:47, metric 1
                    > to 10.0.123.44 via ge-0/0/1.3123
192.168.255.154/32 *[LDP/9] 11:44:55, metric 1
                    > to 10.0.123.254 via ge-0/0/1.3123
192.168.255.254/32 *[LDP/9] 11:37:45, metric 1
                      to 10.0.123.33 via ge-0/0/1.3123, Push 299936
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 299936

CE01.inet.0: 13 destinations, 20 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.11.0/24     *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
172.16.12.0/24     *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
172.16.13.0/24     *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
172.16.14.0/24     *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
172.16.21.0/24     *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
172.16.22.0/24     *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
172.16.23.0/24     *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
172.16.24.0/24     *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
192.168.1.0/24     *[Direct/0] 14:45:09
                    > via ge-0/0/5.0
                    [BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
192.168.1.254/32   *[Local/0] 14:45:09
                      Local via ge-0/0/5.0
192.168.2.0/24     *[BGP/170] 00:33:22, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:33:22, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
192.168.254.1/32   *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
192.168.254.2/32   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)

MGMT.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 14:45:09
                    > to 10.20.2.1 via ge-0/0/0.0
10.20.2.0/24       *[Direct/0] 14:45:09
                    > via ge-0/0/0.0
10.20.2.201/32     *[Local/0] 14:45:09
                      Local via ge-0/0/0.0

mpls.0: 20 destinations, 20 routes (20 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0                  *[MPLS/0] 14:52:17, metric 1
                      to table inet.0
0(S=0)             *[MPLS/0] 14:52:17, metric 1
                      to table mpls.0
1                  *[MPLS/0] 14:52:17, metric 1
                      Receive
2                  *[MPLS/0] 14:52:17, metric 1
                      to table inet6.0
2(S=0)             *[MPLS/0] 14:52:17, metric 1
                      to table mpls.0
13                 *[MPLS/0] 14:52:17, metric 1
                      Receive
16                 *[VPN/0] 14:52:17
                    > via lsi.0 (CE01), Pop      
299776             *[LDP/9] 14:45:03, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Pop      
299776(S=0)        *[LDP/9] 14:45:03, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Pop      
299792             *[LDP/9] 11:41:47, metric 1
                      to 10.1.11.1 via ge-0/0/1.3011, Swap 299792
                    > to 10.0.123.44 via ge-0/0/1.3123, Swap 299776
299808             *[LDP/9] 11:42:38, metric 1
                      to 10.1.11.1 via ge-0/0/1.3011, Swap 299808
                    > to 10.0.123.33 via ge-0/0/1.3123, Swap 299776
299824             *[LDP/9] 12:00:32, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Swap 299840
299856             *[LDP/9] 11:42:38, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Pop      
299856(S=0)        *[LDP/9] 11:42:38, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Pop      
299872             *[LDP/9] 11:41:47, metric 1
                    > to 10.0.123.44 via ge-0/0/1.3123, Pop      
299872(S=0)        *[LDP/9] 11:41:47, metric 1
                    > to 10.0.123.44 via ge-0/0/1.3123, Pop      
299904             *[LDP/9] 11:44:55, metric 1
                    > to 10.0.123.254 via ge-0/0/1.3123, Pop      
299904(S=0)        *[LDP/9] 11:44:55, metric 1
                    > to 10.0.123.254 via ge-0/0/1.3123, Pop      
299936             *[LDP/9] 11:37:45, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Swap 299936
                      to 10.0.123.44 via ge-0/0/1.3123, Swap 299936
299952             *[LDP/9] 11:37:45, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Swap 299952
                      to 10.0.123.44 via ge-0/0/1.3123, Swap 299952

bgp.l3vpn.0: 6 destinations, 12 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

65123:102:172.16.21.0/24                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:172.16.22.0/24                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:172.16.23.0/24                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:172.16.24.0/24                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:192.168.2.0/24                
                   *[BGP/170] 00:33:22, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:33:22, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:192.168.254.2/32                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)

inet6.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2001:1234::1/128   *[Direct/0] 14:52:17
                    > via lo0.0
fe80::250:560f:fc9e:4cd1/128
                   *[Direct/0] 14:52:17
                    > via lo0.0
ff02::2/128        *[INET6/0] 14:52:17
                      MultiRecv

Pastebins

Here are the configs in pastebins for a bit more convenient looking at.

PE01

PE02

PE03

PE04

P01

P02

P03

P04

CE01

CE02

CE03

CE04

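The post's L3VPN isolation rests on which route-target communities the vrf-import policy (IMPORT-CE01) accepts, and its CE trust zone sets host-inbound-traffic to all. The following audit script is an added example, not part of the original post: the ALLOWED map, the function names and the two constructed variants are assumptions, and it assumes policy terms are evaluated in the order their set lines appear.

```python
from collections import defaultdict

ANY = "*"  # marker: the policy accepts routes regardless of route target

# Set-format lines copied from the post's PE11 and CE01 configuration.
PAGE_CONFIG = """\
set policy-options community RT-EXPORT-CE01 members target:65123:101
set policy-options community RT-IMPORT-CE01 members target:65123:101
set policy-options community RT-IMPORT-CE02 members target:65123:102
set policy-options community RT-IMPORT-CE03 members target:65123:103
set policy-options community RT-IMPORT-CE04 members target:65123:104
set policy-options policy-statement IMPORT-CE01 term IMPORT from protocol bgp
set policy-options policy-statement IMPORT-CE01 term IMPORT from community [ RT-IMPORT-CE01 RT-IMPORT-CE02 ]
set policy-options policy-statement IMPORT-CE01 term IMPORT then accept
set policy-options policy-statement IMPORT-CE01 term REJECT then reject
set routing-instances CE01 instance-type vrf
set routing-instances CE01 vrf-import IMPORT-CE01
set routing-instances CE01 vrf-export EXPORT-CE01
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
"""

# Assumption for this example: Cust-A (CE01 and CE02) may only import these targets.
ALLOWED = {"CE01": {"target:65123:101", "target:65123:102"}}

# Constructed variants (not from the post): an extra community, and no community match.
LEAKY_CONFIG = PAGE_CONFIG.replace("RT-IMPORT-CE02 ]", "RT-IMPORT-CE02 RT-IMPORT-CE03 ]")
OPEN_CONFIG = "\n".join(l for l in PAGE_CONFIG.splitlines() if "from community" not in l)


def parse(config):
    """Extract communities, policy terms, vrf-import bindings and open zones."""
    communities = defaultdict(set)   # community name -> route targets
    policies = defaultdict(dict)     # policy -> term name -> match/action summary
    vrf_import = {}                  # routing instance -> vrf-import policy name
    open_zones = []                  # (zone, category) where host-inbound-traffic is "all"
    for line in config.splitlines():
        t = [tok for tok in line.split() if tok not in ("[", "]")]
        if t[:3] == ["set", "policy-options", "community"] and t[4:5] == ["members"]:
            communities[t[3]].update(t[5:])
        elif t[:3] == ["set", "policy-options", "policy-statement"] and len(t) > 5:
            name, rest = "", t[4:]
            if rest[0] == "term":            # named term; otherwise the unnamed term
                name, rest = rest[1], rest[2:]
            term = policies[t[3]].setdefault(
                name, {"comms": [], "conds": 0, "action": None})
            if rest[:1] == ["from"]:
                term["conds"] += 1
                if rest[1:2] == ["community"]:
                    term["comms"].extend(rest[2:])
            elif rest[:1] == ["then"] and rest[1:2] in (["accept"], ["reject"]):
                term["action"] = rest[1]
        elif t[:2] == ["set", "routing-instances"] and t[3:4] == ["vrf-import"] and len(t) > 4:
            vrf_import[t[2]] = t[4]
        elif (t[:4] == ["set", "security", "zones", "security-zone"]
              and t[5:6] == ["host-inbound-traffic"] and t[7:8] == ["all"]):
            open_zones.append((t[4], t[6]))
    return communities, policies, vrf_import, open_zones


def imported_targets(terms, communities):
    """Route targets a policy accepts, walking terms in configuration order."""
    targets = set()
    for term in terms.values():
        if term["action"] == "accept":
            if not term["comms"]:
                targets.add(ANY)     # accept without a community match: any target
                break
            for name in term["comms"]:   # listed communities are alternatives (OR)
                targets |= communities.get(name, set())
        elif term["action"] == "reject" and term["conds"] == 0:
            break                    # unconditional reject ends evaluation
    return targets


def audit(config, allowed):
    """Return findings: unexpected VRF imports and zones open to all host traffic."""
    communities, policies, vrf_import, open_zones = parse(config)
    findings = []
    for vrf, policy in sorted(vrf_import.items()):
        got = imported_targets(policies.get(policy, {}), communities)
        for rt in sorted(got - allowed.get(vrf, set())):
            findings.append(("vrf-import", vrf, rt))
    findings += [("host-inbound-all", zone, cat) for zone, cat in open_zones]
    return findings


if __name__ == "__main__":
    for label, cfg in (("post", PAGE_CONFIG), ("leaky", LEAKY_CONFIG), ("open", OPEN_CONFIG)):
        print(label, audit(cfg, ALLOWED))
```

On the post's own lines the only findings are the two host-inbound-traffic all statements; naming the specific protocols and services the CE needs in the trust zone clears them.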
r/networking
Posted byAMA TP-Link,DrayTek and SonicWall11 months ago
Archived

My MPLS post the other week was pretty well received so I figured might as well show the other side of the coin and do it again with Juniper boxes.

Topology

Today's Topology is similar to last time but Juniperified, we have:

  • 4 x PE routers that are vMX
  • 4 x P are vSRX
  • 4 x CE routers are vSRX boxes as well.

There are again two customers, CUST-A and CUST-B because originality is hard.

To save on some config space I'll just focus on a single router at a time unless there are differences that are worth seeing.

Provider Routers

Disable Flow Mode

I'm using SRX routers for my core so we need to disable the default flow-based mode and reboot the boxes before we can use them with MPLS.

root@P01# set security forwarding-options family inet6 mode packet-based 

[edit]
root@P01# set security forwarding-options family mpls mode packet-based 

[edit]
root@P01# set security forwarding-options family iso mode packet-based 

root@P01# commit 
commit complete

[edit]

root@P01# run request system reboot 
Reboot the system ? [yes,no] (no) yes

Once this is done we will no longer need to use security zones for everything.

Basic Setup

To keep things clean I'm using a virtual-router instance to move the first interface into another routing table for management.

set routing-instances MGMT instance-type virtual-router
set routing-instances MGMT interface ge-0/0/0.0
set routing-instances MGMT routing-options static route 0.0.0.0/0 next-hop 10.20.2.1
set interfaces ge-0/0/0 unit 0 family inet address 10.20.2.211/24

Most of my interfaces are connecting to trunk ports to make life easier so I'm going to enable vlan tagging and use subinterfaces to connect to everything.

set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 3011 vlan-id 3011
set interfaces ge-0/0/1 unit 3011 family inet address 10.1.11.1/24
set interfaces ge-0/0/1 unit 3012 vlan-id 3012
set interfaces ge-0/0/1 unit 3012 family inet address 10.1.2.1/24
set interfaces ge-0/0/1 unit 3013 vlan-id 3013
set interfaces ge-0/0/1 unit 3013 family inet address 10.1.3.1/24
set interfaces ge-0/0/1 unit 3014 vlan-id 3014
set interfaces ge-0/0/1 unit 3014 family inet address 10.1.4.1/24
set interfaces lo0 unit 0 family inet address 192.168.255.1/32

Then I'll just turn on OSPF on all active interfaces in the routing instance.

root@P01# set protocols ospf area 0.0.0.0 interface all 

Once we are done we should see a neighbor with every other P router and a PE router (once we get that far)

root@P01# run show ospf neighbor 
Address          Interface              State     ID               Pri  Dead
10.1.11.254      ge-0/0/1.3011          Full      192.168.255.11   128    39
10.1.2.2         ge-0/0/1.3012          Full      192.168.255.2    128    32
10.1.3.3         ge-0/0/1.3013          Full      192.168.255.3    128    39
10.1.4.4         ge-0/0/1.3014          Full      192.168.255.4    128    34

Enabling MPLS

While Cisco put effort into making sure MPLS is turned on right away, Juniper takes a bit more effort.

First we need to enable MPLS and LDP in the control plane under protocols, we can conveniently use the interface all keyword to enable it on all interfaces.

root@P01# set protocols mpls interface all 

root@P01# set protocols ldp interface all   

Next we need to turn it on for the forwarding plane by adding the mpls family to each interface on the router that will be in the MPLS path. This can be a bit annoying so you might want to look into things like config groups to ease the admin burden.

set interfaces ge-0/0/1 unit 3011 family mpls

set interfaces ge-0/0/1 unit 3012 family mpls

set interfaces ge-0/0/1 unit 3013 family mpls

set interfaces ge-0/0/1 unit 3014 family mpls

set interfaces lo0 unit 0 family mpls

Route Reflector

We'll use a route reflector again but this time I'll just take advantage of the logical-system feature to carve PE01 and PE02 into two new Route Reflector boxes.

RR01

First we'll turn on vlan-tagging for the interface I want to use since we still need to configure physical stuff at the interface level in logical-systems.

root@PE11# set interfaces ge-0/0/2 vlan-tagging 

Next we configure the interfaces like above under the logical-system.

root@PE11# set logical-systems RR01 interfaces ge-0/0/2 unit 3123 vlan-id 3123 
root@PE11# set logical-systems RR01 interfaces ge-0/0/2 unit 3123 family inet address 10.0.123.254/24 
root@PE11# set logical-systems RR01 interfaces ge-0/0/2 unit 3123 family mpls 
root@PE11# set logical-systems RR01 interfaces lo0 unit 1 family inet address 192.168.255.154/32 

root@PE11# set logical-systems RR01 protocols ospf area 0.0.0.0 interface all 
root@PE11# set logical-systems RR01 protocols mpls interface all 
root@PE11# set logical-systems RR01 protocols ldp interface all 

BGP is configured with the inet-vpn family which is the same as Cisco's VPNv4 family, the route reflector will have all four PEs as peers, will use 65123 as the AS for iBGP and will set a cluster-id so Juniper knows it is a Route Reflector.

root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL type internal 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL local-address 192.168.255.154 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL family inet-vpn unicast 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL cluster 192.168.255.254 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.11 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.22 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.33 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.44 
root@PE11# set logical-systems RR01 routing-options autonomous-system 65123 

RR02

root@PE22# set logical-systems RR02 interfaces ge-0/0/2 unit 3123 vlan-id 3123 
root@PE22# set logical-systems RR02 interfaces ge-0/0/2 unit 3123 family inet address 10.1.123.254/24 
root@PE22# set logical-systems RR02 interfaces ge-0/0/2 unit 3123 family mpls 
root@PE22# set logical-systems RR02 interfaces lo0 unit 1 family inet address 192.168.255.254/32 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL type internal 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL local-address 192.168.255.254 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL family inet-vpn unicast 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL cluster 192.168.255.254 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.11 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.22 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.33 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.44 
root@PE22# set logical-systems RR02 protocols ospf area 0.0.0.0 interface all 
root@PE22# set logical-systems RR02 protocols mpls interface all 
root@PE22# set logical-systems RR02 protocols ldp interface all 
root@PE22# set logical-systems RR02 routing-options autonomous-system 65123 

Provider Edge

The PE will be similar to the Route-Reflector minus the logical system stuff, we'll set up the interfaces, enable OSPF and MPLS, then peer with each of the RRs.

root@PE11# set routing-instances MGMT instance-type virtual-router 
root@PE11# set routing-instances MGMT interface ge-0/0/0.0 
root@PE11# set routing-instances MGMT routing-options static route 0.0.0.0/0 next-hop 10.20.2.1 
root@PE11# set interfaces ge-0/0/0 unit 0 family inet address 10.20.2.201/24 

root@PE11# set interfaces ge-0/0/1 vlan-tagging 
root@PE11# set interfaces ge-0/0/1 unit 3011 vlan-id 3011 
root@PE11# set interfaces ge-0/0/1 unit 3011 family inet address 10.1.11.254/24 
root@PE11# set interfaces ge-0/0/1 unit 3011 family mpls 
root@PE11# set interfaces ge-0/0/1 unit 3123 vlan-id 3123 
root@PE11# set interfaces ge-0/0/1 unit 3123 family inet address 10.0.123.11/24 
root@PE11# set interfaces ge-0/0/1 unit 3123 family mpls 
root@PE11# set interfaces ge-0/0/2 vlan-tagging 
root@PE11# set interfaces ge-0/0/5 unit 0 family inet address 192.168.1.254/24 

root@PE11# set interfaces lo0 unit 0 family inet address 192.168.255.11/32 
root@PE11# set interfaces lo0 unit 0 family inet6 address 2001:1234::1/128 
root@PE11# set interfaces lo0 unit 0 family mpls 

root@PE11# set routing-options autonomous-system 65123 
root@PE11# set protocols bgp group RR type internal 
root@PE11# set protocols bgp group RR local-address 192.168.255.11 
root@PE11# set protocols bgp group RR family inet-vpn unicast 
root@PE11# set protocols bgp group RR neighbor 192.168.255.154 
root@PE11# set protocols bgp group RR neighbor 192.168.255.254 

VRF / Policies

Now that our BGP is up, it is time to create the last piece of the L3VPN, which is making the policies as well as the VRF the CE goes into.

Policies

In Cisco land we controlled what route we imported and exported under the VRF configuration, Juniper does that too but for more granular control we will make a more elaborate policy.

First we make a community policy that just exports the PE's RD on each router.

root@PE11# set policy-options community RT-EXPORT-CE01 members target:65123:101 

Next we'll do the same for the import community where we will make one for each CE for flexibility's sake.

root@PE11# set policy-options community RT-IMPORT-CE01 members target:65123:101 
root@PE11# set policy-options community RT-IMPORT-CE02 members target:65123:102 
root@PE11# set policy-options community RT-IMPORT-CE03 members target:65123:103 
root@PE11# set policy-options community RT-IMPORT-CE04 members target:65123:104

With that in place we make a policy that will become our VRF-Export policy, we will say that if the protocol is directly connected or one of the routing protocols then we will add the export community and accept the route.

root@PE11# set policy-options policy-statement EXPORT-CE01 term EXPORT from protocol [ direct bgp rip ospf ]
root@PE11# set policy-options policy-statement EXPORT-CE01 term EXPORT then community add RT-EXPORT-CE01 
root@PE11# set policy-options policy-statement EXPORT-CE01 term EXPORT then accept 

If it doesn't match that criteria then we will reject it.

root@PE11# set policy-options policy-statement EXPORT-CE01 term REJECT then reject 

The VRF-Import policy will always be from MBGP so we match on protocol BGP, then we select what communities we want to talk to each other.

In our topology Cust-A is CE01 and CE02 so we'll do that then reject the rest.

root@PE11# set policy-options policy-statement IMPORT-CE01 term IMPORT from protocol bgp 
root@PE11# set policy-options policy-statement IMPORT-CE01 term IMPORT from community [ RT-IMPORT-CE01 RT-IMPORT-CE02 ] 
root@PE11# set policy-options policy-statement IMPORT-CE01 term IMPORT then accept 
root@PE11# set policy-options policy-statement IMPORT-CE01 term REJECT then reject

VRFs

With all that in place we need to make a VRF instance. In my case I'm using ge-0/0/5 on all the PEs as the CE interface so we add it to the VRF, we also set the PE's proper RD and apply the VRF policies we just made. We also use vrf-table-label to help make the L3VPN happy.

root@PE11# set routing-instances CE01 instance-type vrf 
root@PE11# set routing-instances CE01 interface ge-0/0/5.0 
root@PE11# set routing-instances CE01 route-distinguisher 65123:101 
root@PE11# set routing-instances CE01 vrf-import IMPORT-CE01 
root@PE11# set routing-instances CE01 vrf-export EXPORT-CE01 
root@PE11# set routing-instances CE01 vrf-table-label 

We'll also set the router-id for the instance just to have a bit more control

root@PE11# set routing-instances CE01 routing-options router-id 192.168.255.11 

Customer Edge

PE01

Finally we will start working on the CE routing!

We need an export policy so Juniper knows what to send so I'll make a simple one that just accepts any route, since PE01 is BGP we'll set up that too. The config is the same as you have seen though you may want to use the as-override option if you are using BGP.

root@PE11# set policy-options policy-statement EXPORT-BGP then accept
root@PE11# set routing-instances CE01 protocols bgp group CUST-A type external 
root@PE11# set routing-instances CE01 protocols bgp group CUST-A export EXPORT-BGP 
root@PE11# set routing-instances CE01 protocols bgp group CUST-A peer-as 65101 
root@PE11# set routing-instances CE01 protocols bgp group CUST-A neighbor 192.168.1.1 as-override 



root@PE11# set policy-options policy-statement EXPORT-BGP then accept 

root@PE11# set policy-options policy-statement EXPORT-OSPF from protocol bgp 
root@PE11# set policy-options policy-statement EXPORT-OSPF then accept
root@PE11# set policy-options policy-statement EXPORT-RIP then metric 5 
root@PE11# set policy-options policy-statement EXPORT-RIP then accept 

CE01, CE02, CE03, CE04

Since the CEs are still in flow mode, we need to make sure the interfaces we use are trusted by the security zone, we could get more specific but we aren't really playing with the firewall today :)

root@CE01# set security zones security-zone trust host-inbound-traffic system-services all 
root@CE01# set security zones security-zone trust host-inbound-traffic protocols all 
root@CE01# set security zones security-zone trust interfaces ge-0/0/1.0 
root@CE01# set security zones security-zone trust interfaces ge-0/0/2.0 

CE01

For BGP we just do a normal peering and advertise everything directly connected.

root@CE01# set policy-options policy-statement EXPORT-BGP from protocol direct 
root@CE01# set policy-options policy-statement EXPORT-BGP then accept

root@CE01# set protocols bgp group CUST-A type external 
root@CE01# set protocols bgp group CUST-A export EXPORT-BGP 
root@CE01# set protocols bgp group CUST-A peer-as 65123 
root@CE01# set protocols bgp group CUST-A neighbor 192.168.1.254 

CE02

Same with RIP for CE02

root@CE02# set policy-options policy-statement EXPORT-RIP from protocol direct 
root@CE02# set policy-options policy-statement EXPORT-RIP then accept

root@CE02# set protocols rip group CUST-A export EXPORT-RIP 
root@CE02# set protocols rip group CUST-A neighbor ge-0/0/1.0 

CE03 and CE04

The OSPF CE is a bit unique because it is the only protocol we are looking at today that cares about external routes. Let's set up OSPF in two ways, one will simply add all interfaces to OSPF and the other will use the export method we have been doing

root@CE03# set protocols ospf area 0.0.0.0 interface all 
root@CE03# set protocols ospf area 0.0.0.0 interface lo0.0 passive 


root@CE04# set policy-options policy-statement EXPORT-OSPF from protocol direct 
root@CE04# set policy-options policy-statement EXPORT-OSPF then accept 
root@CE04# set protocols ospf export EXPORT-OSPF    
root@CE04# set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 

Now we get the routes but routes from CE04 are external! We might talk about OSPF specific MPLS topics another day!

root@CE03# run show ospf route    
Topology default Route Table:

Prefix             Path  Route      NH       Metric NextHop       Nexthop      
                   Type  Type       Type            Interface     Address/LSP
192.168.3.254      Intra Area/AS BR IP            1 ge-0/0/1.0    192.168.3.254
172.16.31.0/24     Intra Network    IP            1 ge-0/0/2.0
172.16.32.0/24     Intra Network    IP            1 ge-0/0/2.0
172.16.33.0/24     Intra Network    IP            1 ge-0/0/2.0
172.16.34.0/24     Intra Network    IP            1 ge-0/0/2.0
172.16.41.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254
172.16.42.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254
172.16.43.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254
172.16.44.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254
192.168.3.0/24     Intra Network    IP            1 ge-0/0/1.0
192.168.4.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254

Verification

Now that everything is up we can make sure that BGP is working properly (probably should have done that sooner!)

root@PE11# run show bgp summary                                        
Groups: 2 Peers: 3 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
bgp.l3vpn.0          
                      12          6          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
192.168.1.1           65101       1803       1794       0       3    13:27:34 Establ
  CE01.inet.0: 5/6/6/0
192.168.255.154       65123       1594       1582       0       1    11:54:35 Establ
  bgp.l3vpn.0: 6/6/6/0
  CE01.inet.0: 6/6/6/0
192.168.255.254       65123       1591       1581       0       1    11:54:41 Establ
  bgp.l3vpn.0: 0/6/6/0
  CE01.inet.0: 0/6/6/0

We can also see the MPLS interfaces on the router

root@PE11# run show mpls interface 
Interface        State       Administrative groups (x: extended)
ge-0/0/1.3011    Up         <none>
ge-0/0/1.3123    Up         <none>

[edit]

As well as the LDP neighbors

root@PE11# run show ldp neighbor 
Address                             Interface       Label space ID     Hold time
10.1.11.1                           ge-0/0/1.3011   192.168.255.1:0      14
10.0.123.33                         ge-0/0/1.3123   192.168.255.33:0     13
10.0.123.44                         ge-0/0/1.3123   192.168.255.44:0     13
10.0.123.254                        ge-0/0/1.3123   192.168.255.154:0    11

PE01 Routing Table

Juniper groups everything into the routing table so we can see the main routing table, the MPLS labels, the VRF routes, and IPv6 routes all in one place! We can also see the INET-VPN routes so we can see if things are being learned properly.

root@PE11# run show route 

inet.0: 26 destinations, 26 routes (26 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.123.0/24      *[Direct/0] 12:09:45
                    > via ge-0/0/1.3123
10.0.123.11/32     *[Local/0] 12:09:45
                      Local via ge-0/0/1.3123
10.1.2.0/24        *[OSPF/10] 14:45:03, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
10.1.3.0/24        *[OSPF/10] 14:45:03, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
10.1.4.0/24        *[OSPF/10] 14:45:03, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
10.1.11.0/24       *[Direct/0] 14:45:09
                    > via ge-0/0/1.3011
10.1.11.254/32     *[Local/0] 14:45:09
                      Local via ge-0/0/1.3011
10.1.123.0/24      *[OSPF/10] 11:41:39, metric 2
                    > to 10.0.123.33 via ge-0/0/1.3123
                      to 10.0.123.44 via ge-0/0/1.3123
10.2.3.0/24        *[OSPF/10] 11:42:39, metric 3
                      to 10.1.11.1 via ge-0/0/1.3011
                    > to 10.0.123.33 via ge-0/0/1.3123
10.2.4.0/24        *[OSPF/10] 11:41:48, metric 3
                      to 10.1.11.1 via ge-0/0/1.3011
                    > to 10.0.123.44 via ge-0/0/1.3123
10.2.22.0/24       *[OSPF/10] 11:41:39, metric 3
                      to 10.1.11.1 via ge-0/0/1.3011
                      to 10.0.123.33 via ge-0/0/1.3123
                    > to 10.0.123.44 via ge-0/0/1.3123
10.3.4.0/24        *[OSPF/10] 11:41:48, metric 3
                      to 10.1.11.1 via ge-0/0/1.3011
                      to 10.0.123.33 via ge-0/0/1.3123
                    > to 10.0.123.44 via ge-0/0/1.3123
10.3.33.0/24       *[OSPF/10] 11:42:39, metric 2
                    > to 10.0.123.33 via ge-0/0/1.3123
10.4.44.0/24       *[OSPF/10] 11:41:48, metric 2
                    > to 10.0.123.44 via ge-0/0/1.3123
192.168.255.1/32   *[OSPF/10] 14:45:03, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011
192.168.255.2/32   *[OSPF/10] 12:00:32, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
192.168.255.3/32   *[OSPF/10] 11:42:39, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
                      to 10.0.123.33 via ge-0/0/1.3123
192.168.255.4/32   *[OSPF/10] 11:41:48, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
                      to 10.0.123.44 via ge-0/0/1.3123
192.168.255.11/32  *[Direct/0] 14:52:17
                    > via lo0.0
192.168.255.22/32  *[OSPF/10] 11:41:39, metric 2
                    > to 10.0.123.33 via ge-0/0/1.3123
                      to 10.0.123.44 via ge-0/0/1.3123
192.168.255.33/32  *[OSPF/10] 11:42:39, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123
192.168.255.44/32  *[OSPF/10] 11:41:48, metric 1
                    > to 10.0.123.44 via ge-0/0/1.3123
192.168.255.154/32 *[OSPF/10] 12:07:04, metric 1
                    > to 10.0.123.254 via ge-0/0/1.3123
192.168.255.254/32 *[OSPF/10] 11:41:39, metric 2
                      to 10.0.123.33 via ge-0/0/1.3123
                    > to 10.0.123.44 via ge-0/0/1.3123
224.0.0.2/32       *[LDP/9] 14:52:17, metric 1
                      MultiRecv
224.0.0.5/32       *[OSPF/10] 14:52:17, metric 1
                      MultiRecv

inet.3: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.255.1/32   *[LDP/9] 14:45:03, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011
192.168.255.2/32   *[LDP/9] 12:00:32, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Push 299840
192.168.255.3/32   *[LDP/9] 11:42:38, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Push 299808
                      to 10.0.123.33 via ge-0/0/1.3123, Push 299776
192.168.255.4/32   *[LDP/9] 11:41:47, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Push 299792
                      to 10.0.123.44 via ge-0/0/1.3123, Push 299776
192.168.255.22/32  *[LDP/9] 11:37:45, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 299952
                      to 10.0.123.44 via ge-0/0/1.3123, Push 299952
192.168.255.33/32  *[LDP/9] 11:42:38, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123
192.168.255.44/32  *[LDP/9] 11:41:47, metric 1
                    > to 10.0.123.44 via ge-0/0/1.3123
192.168.255.154/32 *[LDP/9] 11:44:55, metric 1
                    > to 10.0.123.254 via ge-0/0/1.3123
192.168.255.254/32 *[LDP/9] 11:37:45, metric 1
                      to 10.0.123.33 via ge-0/0/1.3123, Push 299936
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 299936

CE01.inet.0: 13 destinations, 20 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.11.0/24     *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
172.16.12.0/24     *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
172.16.13.0/24     *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
172.16.14.0/24     *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
172.16.21.0/24     *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
172.16.22.0/24     *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
172.16.23.0/24     *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
172.16.24.0/24     *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
192.168.1.0/24     *[Direct/0] 14:45:09
                    > via ge-0/0/5.0
                    [BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
192.168.1.254/32   *[Local/0] 14:45:09
                      Local via ge-0/0/5.0
192.168.2.0/24     *[BGP/170] 00:33:22, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:33:22, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
192.168.254.1/32   *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
192.168.254.2/32   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)

MGMT.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 14:45:09
                    > to 10.20.2.1 via ge-0/0/0.0
10.20.2.0/24       *[Direct/0] 14:45:09
                    > via ge-0/0/0.0
10.20.2.201/32     *[Local/0] 14:45:09
                      Local via ge-0/0/0.0

mpls.0: 20 destinations, 20 routes (20 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0                  *[MPLS/0] 14:52:17, metric 1
                      to table inet.0
0(S=0)             *[MPLS/0] 14:52:17, metric 1
                      to table mpls.0
1                  *[MPLS/0] 14:52:17, metric 1
                      Receive
2                  *[MPLS/0] 14:52:17, metric 1
                      to table inet6.0
2(S=0)             *[MPLS/0] 14:52:17, metric 1
                      to table mpls.0
13                 *[MPLS/0] 14:52:17, metric 1
                      Receive
16                 *[VPN/0] 14:52:17
                    > via lsi.0 (CE01), Pop      
299776             *[LDP/9] 14:45:03, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Pop      
299776(S=0)        *[LDP/9] 14:45:03, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Pop      
299792             *[LDP/9] 11:41:47, metric 1
                      to 10.1.11.1 via ge-0/0/1.3011, Swap 299792
                    > to 10.0.123.44 via ge-0/0/1.3123, Swap 299776
299808             *[LDP/9] 11:42:38, metric 1
                      to 10.1.11.1 via ge-0/0/1.3011, Swap 299808
                    > to 10.0.123.33 via ge-0/0/1.3123, Swap 299776
299824             *[LDP/9] 12:00:32, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Swap 299840
299856             *[LDP/9] 11:42:38, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Pop      
299856(S=0)        *[LDP/9] 11:42:38, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Pop      
299872             *[LDP/9] 11:41:47, metric 1
                    > to 10.0.123.44 via ge-0/0/1.3123, Pop      
299872(S=0)        *[LDP/9] 11:41:47, metric 1
                    > to 10.0.123.44 via ge-0/0/1.3123, Pop      
299904             *[LDP/9] 11:44:55, metric 1
                    > to 10.0.123.254 via ge-0/0/1.3123, Pop      
299904(S=0)        *[LDP/9] 11:44:55, metric 1
                    > to 10.0.123.254 via ge-0/0/1.3123, Pop      
299936             *[LDP/9] 11:37:45, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Swap 299936
                      to 10.0.123.44 via ge-0/0/1.3123, Swap 299936
299952             *[LDP/9] 11:37:45, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Swap 299952
                      to 10.0.123.44 via ge-0/0/1.3123, Swap 299952

bgp.l3vpn.0: 6 destinations, 12 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

65123:102:172.16.21.0/24                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:172.16.22.0/24                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:172.16.23.0/24                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:172.16.24.0/24                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:192.168.2.0/24                
                   *[BGP/170] 00:33:22, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:33:22, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:192.168.254.2/32                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)

inet6.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2001:1234::1/128   *[Direct/0] 14:52:17
                    > via lo0.0
fe80::250:560f:fc9e:4cd1/128
                   *[Direct/0] 14:52:17
                    > via lo0.0
ff02::2/128        *[INET6/0] 14:52:17
                      MultiRecv

Pastebins

Here are the configs in pastebins for more convenient viewing.

PE01

PE02

PE03

PE04

P01

P02

P03

P04

CE01

CE02

CE03

CE04
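The post's CE section opens the trust zone to every system service and protocol and notes that "we could get more specific". The following is an added example, not part of the original post, showing the posted zone settings beside a per-interface version. It assumes ge-0/0/1.0 is the PE-facing link and ge-0/0/2.0 the customer LAN side on every CE (as the OSPF output suggests), and the choice of ping and ssh as the only allowed services is also an assumption.

```junos
# Added example, not from the original post.
# Assumptions: ge-0/0/1.0 faces the PE, ge-0/0/2.0 faces the customer LAN,
# and only ping (both sides) and ssh (LAN side) are wanted for management.

# As posted on each CE: any service and any routing protocol may reach the
# routing engine from any interface in the trust zone.
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all

# Tightened, common to all four CEs: remove the zone-wide allowances and
# allow host-bound traffic per interface instead.
delete security zones security-zone trust host-inbound-traffic
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ssh

# CE01 only: eBGP to the PE at 192.168.1.254
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols bgp

# CE02 only: RIP toward the PE on ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols rip

# CE03 and CE04 only: OSPF adjacency with the PE on ge-0/0/1.0.
# CE03 runs "interface all", so OSPF packets arriving on ge-0/0/2.0 are now
# dropped at the zone and no adjacency can form from the LAN side.
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols ospf
```

After committing, `show security zones trust` lists the services and protocols allowed per interface, and the earlier `show bgp summary` / `show ospf neighbor` checks confirm the adjacencies still come up.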

r/networkingPosted byAMA TP-Link,DrayTek and SonicWall11 months ago
Archived

My MPLS post the other week was pretty well received so I figured might as well show the other side of the coin and do it again with Juniper boxes.

Topology

Today's Topology is similar to last time but Juniperified, we have:

  • 4 x PE routers that are vMX
  • 4 x P routers that are vSRX
  • 4 x CE routers that are vSRX boxes as well.

There are again two customers, CUST-A and CUST-B because originality is hard.

To save on some config space I'll just focus on a single router at a time unless there are differences that are worth seeing.

Provider Routers

Disable Flow Mode

I'm using SRX routers for my core so we need to disable the default flow-based mode and reboot the boxes before we can use them with MPLS.

root@P01# set security forwarding-options family inet6 mode packet-based 

[edit]
root@P01# set security forwarding-options family mpls mode packet-based 

[edit]
root@P01# set security forwarding-options family iso mode packet-based 

root@P01# commit 
commit complete

[edit]

root@P01# run request system reboot 
Reboot the system ? [yes,no] (no) yes

Once this is done we will no longer need to use security zones for everything.

Basic Setup

To keep things clean I'm using a virtual-router instance to move the first interface into another routing table for management.

set routing-instances MGMT instance-type virtual-router
set routing-instances MGMT interface ge-0/0/0.0
set routing-instances MGMT routing-options static route 0.0.0.0/0 next-hop 10.20.2.1
set interfaces ge-0/0/0 unit 0 family inet address 10.20.2.211/24

Most of my interfaces are connecting to trunk ports to make life easier so I'm going to enable vlan tagging and use subinterfaces to connect to everything.

set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 3011 vlan-id 3011
set interfaces ge-0/0/1 unit 3011 family inet address 10.1.11.1/24
set interfaces ge-0/0/1 unit 3012 vlan-id 3012
set interfaces ge-0/0/1 unit 3012 family inet address 10.1.2.1/24
set interfaces ge-0/0/1 unit 3013 vlan-id 3013
set interfaces ge-0/0/1 unit 3013 family inet address 10.1.3.1/24
set interfaces ge-0/0/1 unit 3014 vlan-id 3014
set interfaces ge-0/0/1 unit 3014 family inet address 10.1.4.1/24
set interfaces lo0 unit 0 family inet address 192.168.255.1/32

Then I'll just turn on OSPF on all active interfaces in the routing instance.

root@P01# set protocols ospf area 0.0.0.0 interface all 

Once we are done we should see a neighbor with every other P router and a PE router (once we get that far)

root@P01# run show ospf neighbor 
Address          Interface              State     ID               Pri  Dead
10.1.11.254      ge-0/0/1.3011          Full      192.168.255.11   128    39
10.1.2.2         ge-0/0/1.3012          Full      192.168.255.2    128    32
10.1.3.3         ge-0/0/1.3013          Full      192.168.255.3    128    39
10.1.4.4         ge-0/0/1.3014          Full      192.168.255.4    128    34

Enabling MPLS

While Cisco put effort into making sure MPLS is turned on right away, Juniper takes a bit more effort.

First we need to enable MPLS and LDP in the control plane under protocols. We can conveniently use the interface all keyword to enable it on all interfaces.

root@P01# set protocols mpls interface all 

root@P01# set protocols ldp interface all   

Next we need to turn it on for the forwarding plane by adding the mpls family to each interface on the router that will be in the MPLS path. This can be a bit annoying so you might want to look into things like config groups to ease the admin burden.

set interfaces ge-0/0/1 unit 3011 family mpls

set interfaces ge-0/0/1 unit 3012 family mpls

set interfaces ge-0/0/1 unit 3013 family mpls

set interfaces ge-0/0/1 unit 3014 family mpls

set interfaces lo0 unit 0 family mpls

Route Reflector

We'll use a route reflector again but this time I'll just take advantage of the logical-system feature to carve PE01 and PE02 into two new Route Reflector boxes.

RR01

First we'll turn on vlan-tagging for the interface I want to use since we still need to configure physical stuff at the interface level in logical-systems.

root@PE11# set interfaces ge-0/0/2 vlan-tagging 

Next we configure the interfaces like above under the logical-system.

root@PE11# set logical-systems RR01 interfaces ge-0/0/2 unit 3123 vlan-id 3123 
root@PE11# set logical-systems RR01 interfaces ge-0/0/2 unit 3123 family inet address 10.0.123.254/24 
root@PE11# set logical-systems RR01 interfaces ge-0/0/2 unit 3123 family mpls 
root@PE11# set logical-systems RR01 interfaces lo0 unit 1 family inet address 192.168.255.154/32 

root@PE11# set logical-systems RR01 protocols ospf area 0.0.0.0 interface all 
root@PE11# set logical-systems RR01 protocols mpls interface all 
root@PE11# set logical-systems RR01 protocols ldp interface all 

BGP is configured with the inet-vpn family, which is the same as Cisco's VPNv4 family. The route reflector will have all four PEs as peers, will use 65123 as the AS for iBGP and will set a cluster-id so Juniper knows it is a Route Reflector.

root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL type internal 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL local-address 192.168.255.154 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL family inet-vpn unicast 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL cluster 192.168.255.254 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.11 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.22 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.33 
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.44 
root@PE11# set logical-systems RR01 routing-options autonomous-system 65123 

RR02

root@PE22# set logical-systems RR02 interfaces ge-0/0/2 unit 3123 vlan-id 3123 
root@PE22# set logical-systems RR02 interfaces ge-0/0/2 unit 3123 family inet address 10.1.123.254/24 
root@PE22# set logical-systems RR02 interfaces ge-0/0/2 unit 3123 family mpls 
root@PE22# set logical-systems RR02 interfaces lo0 unit 1 family inet address 192.168.255.254/32 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL type internal 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL local-address 192.168.255.254 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL family inet-vpn unicast 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL cluster 192.168.255.254 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.11 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.22 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.33 
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.44 
root@PE22# set logical-systems RR02 protocols ospf area 0.0.0.0 interface all 
root@PE22# set logical-systems RR02 protocols mpls interface all 
root@PE22# set logical-systems RR02 protocols ldp interface all 
root@PE22# set logical-systems RR02 routing-options autonomous-system 65123 

Provider Edge

The PE will be similar to the Route-Reflector minus the logical system stuff. We'll set up the interfaces, enable OSPF and MPLS, then peer with each of the RRs.

root@PE11# set routing-instances MGMT instance-type virtual-router 
root@PE11# set routing-instances MGMT interface ge-0/0/0.0 
root@PE11# set routing-instances MGMT routing-options static route 0.0.0.0/0 next-hop 10.20.2.1 
root@PE11# set interfaces ge-0/0/0 unit 0 family inet address 10.20.2.201/24 

root@PE11# set interfaces ge-0/0/1 vlan-tagging 
root@PE11# set interfaces ge-0/0/1 unit 3011 vlan-id 3011 
root@PE11# set interfaces ge-0/0/1 unit 3011 family inet address 10.1.11.254/24 
root@PE11# set interfaces ge-0/0/1 unit 3011 family mpls 
root@PE11# set interfaces ge-0/0/1 unit 3123 vlan-id 3123 
root@PE11# set interfaces ge-0/0/1 unit 3123 family inet address 10.0.123.11/24 
root@PE11# set interfaces ge-0/0/1 unit 3123 family mpls 
root@PE11# set interfaces ge-0/0/2 vlan-tagging 
root@PE11# set interfaces ge-0/0/5 unit 0 family inet address 192.168.1.254/24 

root@PE11# set interfaces lo0 unit 0 family inet address 192.168.255.11/32 
root@PE11# set interfaces lo0 unit 0 family inet6 address 2001:1234::1/128 
root@PE11# set interfaces lo0 unit 0 family mpls 

root@PE11# set routing-options autonomous-system 65123 
root@PE11# set protocols bgp group RR type internal 
root@PE11# set protocols bgp group RR local-address 192.168.255.11 
root@PE11# set protocols bgp group RR family inet-vpn unicast 
root@PE11# set protocols bgp group RR neighbor 192.168.255.154 
root@PE11# set protocols bgp group RR neighbor 192.168.255.254 

VRF / Policies

Now that our BGP is up, it is time to create the last piece of the L3VPN, which is making the policies as well as the VRF the CE goes into.

Policies

In Cisco land we controlled what routes we imported and exported under the VRF configuration. Juniper does that too, but for more granular control we will make a more elaborate policy.

First we make a community policy that just exports the PE's RD on each router.

root@PE11# set policy-options community RT-EXPORT-CE01 members target:65123:101 

Next we'll do the same for the import community where we will make one for each CE for flexibility's sake.

root@PE11# set policy-options community RT-IMPORT-CE01 members target:65123:101 
root@PE11# set policy-options community RT-IMPORT-CE02 members target:65123:102 
root@PE11# set policy-options community RT-IMPORT-CE03 members target:65123:103 
root@PE11# set policy-options community RT-IMPORT-CE04 members target:65123:104

With that in place we make a policy that will become our VRF-Export policy. We will say that if the protocol is directly connected or one of the routing protocols then we will add the export community and accept the route.

root@PE11# set policy-options policy-statement EXPORT-CE01 term EXPORT from protocol [ direct bgp rip ospf ]
root@PE11# set policy-options policy-statement EXPORT-CE01 term EXPORT then community add RT-EXPORT-CE01 
root@PE11# set policy-options policy-statement EXPORT-CE01 term EXPORT then accept 

If it doesn't match that criteria then we will reject it.

root@PE11# set policy-options policy-statement EXPORT-CE01 term REJECT then reject 

The VRF-Import policy will always be from MBGP so we match on protocol BGP, then we select what communities we want to talk to each other.

In our topology Cust-A is CE01 and CE02 so we'll do that then reject the rest.

root@PE11# set policy-options policy-statement IMPORT-CE01 term IMPORT from protocol bgp 
root@PE11# set policy-options policy-statement IMPORT-CE01 term IMPORT from community [ RT-IMPORT-CE01 RT-IMPORT-CE02 ] 
root@PE11# set policy-options policy-statement IMPORT-CE01 term IMPORT then accept 
root@PE11# set policy-options policy-statement IMPORT-CE01 term REJECT then reject

VRFs

With all that in place we need to make a VRF instance. In my case I'm using ge-0/0/5 on all the PEs as the CE interface so we add it to the VRF. We also set the PE's proper RD and apply the VRF policies we just made. We also use vrf-table-label to help make the L3VPN happy.

root@PE11# set routing-instances CE01 instance-type vrf 
root@PE11# set routing-instances CE01 interface ge-0/0/5.0 
root@PE11# set routing-instances CE01 route-distinguisher 65123:101 
root@PE11# set routing-instances CE01 vrf-import IMPORT-CE01 
root@PE11# set routing-instances CE01 vrf-export EXPORT-CE01 
root@PE11# set routing-instances CE01 vrf-table-label 

We'll also set the router-id for the instance just to have a bit more control

root@PE11# set routing-instances CE01 routing-options router-id 192.168.255.11 

Customer Edge

PE01

Finally we will start working on the CE routing!

We need an export policy so Juniper knows what to send, so I'll make a simple one that just accepts any route. Since PE01 is BGP we'll set that up too. The config is the same as you have seen, though you may want to use the as-override option if you are using BGP.

root@PE11# set policy-options policy-statement EXPORT-BGP then accept
root@PE11# set routing-instances CE01 protocols bgp group CUST-A type external 
root@PE11# set routing-instances CE01 protocols bgp group CUST-A export EXPORT-BGP 
root@PE11# set routing-instances CE01 protocols bgp group CUST-A peer-as 65101 
root@PE11# set routing-instances CE01 protocols bgp group CUST-A neighbor 192.168.1.1 as-override 



root@PE11# set policy-options policy-statement EXPORT-BGP then accept 

root@PE11# set policy-options policy-statement EXPORT-OSPF from protocol bgp 
root@PE11# set policy-options policy-statement EXPORT-OSPF then accept
root@PE11# set policy-options policy-statement EXPORT-RIP then metric 5 
root@PE11# set policy-options policy-statement EXPORT-RIP then accept 

CE01, CE02, CE03, CE04

Since the CE's are still in flow mode, we need to make sure the interfaces we use are trusted by the security zone, we could get more specific but we aren't really playing with the firewall today :)

root@CE01# set security zones security-zone trust host-inbound-traffic system-services all 
root@CE01# set security zones security-zone trust host-inbound-traffic protocols all 
root@CE01# set security zones security-zone trust interfaces ge-0/0/1.0 
root@CE01# set security zones security-zone trust interfaces ge-0/0/2.0 

CE01

For BGP we just do a normal peering and advertise everything directly connected.

root@CE01# set policy-options policy-statement EXPORT-BGP from protocol direct 
root@CE01# set policy-options policy-statement EXPORT-BGP then accept

root@CE01# set protocols bgp group CUST-A type external 
root@CE01# set protocols bgp group CUST-A export EXPORT-BGP 
root@CE01# set protocols bgp group CUST-A peer-as 65123 
root@CE01# set protocols bgp group CUST-A neighbor 192.168.1.254 

CE02

Same with RIP for CE02

root@CE02# set policy-options policy-statement EXPORT-RIP from protocol direct 
root@CE02# set policy-options policy-statement EXPORT-RIP then accept

root@CE02# set protocols rip group CUST-A export EXPORT-RIP 
root@CE02# set protocols rip group CUST-A neighbor ge-0/0/1.0 

CE03 and CE04

The OSPF CE is a bit unique because it is the only protocol we are looking at today that cares about external routes. Let's setup OSPF in two ways, one will simply add all interfaces to OSPF and the other will use the export method we have been doing

root@CE03# set protocols ospf area 0.0.0.0 interface all 
root@CE03# set protocols ospf area 0.0.0.0 interface lo0.0 passive 


root@CE04# set policy-options policy-statement EXPORT-OSPF from protocol direct 
root@CE04# set policy-options policy-statement EXPORT-OSPF then accept 
root@CE04# set protocols ospf export EXPORT-OSPF    
root@CE04# set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 

Now we get the routes but routes from CE04 are external! We might talk about OSPF specific MPLS topics another day!

root@CE03# run show ospf route    
Topology default Route Table:

Prefix             Path  Route      NH       Metric NextHop       Nexthop      
                   Type  Type       Type            Interface     Address/LSP
192.168.3.254      Intra Area/AS BR IP            1 ge-0/0/1.0    192.168.3.254
172.16.31.0/24     Intra Network    IP            1 ge-0/0/2.0
172.16.32.0/24     Intra Network    IP            1 ge-0/0/2.0
172.16.33.0/24     Intra Network    IP            1 ge-0/0/2.0
172.16.34.0/24     Intra Network    IP            1 ge-0/0/2.0
172.16.41.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254
172.16.42.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254
172.16.43.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254
172.16.44.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254
192.168.3.0/24     Intra Network    IP            1 ge-0/0/1.0
192.168.4.0/24     Ext2  Network    IP            0 ge-0/0/1.0    192.168.3.254

Verification

Now that everything is up we can make sure that BGP is working properly (probably should have done that sooner!)

root@PE11# run show bgp summary                                        
Groups: 2 Peers: 3 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
bgp.l3vpn.0          
                      12          6          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
192.168.1.1           65101       1803       1794       0       3    13:27:34 Establ
  CE01.inet.0: 5/6/6/0
192.168.255.154       65123       1594       1582       0       1    11:54:35 Establ
  bgp.l3vpn.0: 6/6/6/0
  CE01.inet.0: 6/6/6/0
192.168.255.254       65123       1591       1581       0       1    11:54:41 Establ
  bgp.l3vpn.0: 0/6/6/0
  CE01.inet.0: 0/6/6/0

We can also see the MPLS interfaces on the router

root@PE11# run show mpls interface 
Interface        State       Administrative groups (x: extended)
ge-0/0/1.3011    Up         <none>
ge-0/0/1.3123    Up         <none>

[edit]

As well as the LDP neighbors

root@PE11# run show ldp neighbor 
Address                             Interface       Label space ID     Hold time
10.1.11.1                           ge-0/0/1.3011   192.168.255.1:0      14
10.0.123.33                         ge-0/0/1.3123   192.168.255.33:0     13
10.0.123.44                         ge-0/0/1.3123   192.168.255.44:0     13
10.0.123.254                        ge-0/0/1.3123   192.168.255.154:0    11

PE01 Routing Table

Juniper groups everything into the routing table so we can see the main routing table, the MPLS labels, the VRF routes, and IPv6 routes all in one place! We can also see the INET-VPN routes so we can see if things are being learned properly.

root@PE11# run show route 

inet.0: 26 destinations, 26 routes (26 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.123.0/24      *[Direct/0] 12:09:45
                    > via ge-0/0/1.3123
10.0.123.11/32     *[Local/0] 12:09:45
                      Local via ge-0/0/1.3123
10.1.2.0/24        *[OSPF/10] 14:45:03, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
10.1.3.0/24        *[OSPF/10] 14:45:03, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
10.1.4.0/24        *[OSPF/10] 14:45:03, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
10.1.11.0/24       *[Direct/0] 14:45:09
                    > via ge-0/0/1.3011
10.1.11.254/32     *[Local/0] 14:45:09
                      Local via ge-0/0/1.3011
10.1.123.0/24      *[OSPF/10] 11:41:39, metric 2
                    > to 10.0.123.33 via ge-0/0/1.3123
                      to 10.0.123.44 via ge-0/0/1.3123
10.2.3.0/24        *[OSPF/10] 11:42:39, metric 3
                      to 10.1.11.1 via ge-0/0/1.3011
                    > to 10.0.123.33 via ge-0/0/1.3123
10.2.4.0/24        *[OSPF/10] 11:41:48, metric 3
                      to 10.1.11.1 via ge-0/0/1.3011
                    > to 10.0.123.44 via ge-0/0/1.3123
10.2.22.0/24       *[OSPF/10] 11:41:39, metric 3
                      to 10.1.11.1 via ge-0/0/1.3011
                      to 10.0.123.33 via ge-0/0/1.3123
                    > to 10.0.123.44 via ge-0/0/1.3123
10.3.4.0/24        *[OSPF/10] 11:41:48, metric 3
                      to 10.1.11.1 via ge-0/0/1.3011
                      to 10.0.123.33 via ge-0/0/1.3123
                    > to 10.0.123.44 via ge-0/0/1.3123
10.3.33.0/24       *[OSPF/10] 11:42:39, metric 2
                    > to 10.0.123.33 via ge-0/0/1.3123
10.4.44.0/24       *[OSPF/10] 11:41:48, metric 2
                    > to 10.0.123.44 via ge-0/0/1.3123
192.168.255.1/32   *[OSPF/10] 14:45:03, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011
192.168.255.2/32   *[OSPF/10] 12:00:32, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
192.168.255.3/32   *[OSPF/10] 11:42:39, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
                      to 10.0.123.33 via ge-0/0/1.3123
192.168.255.4/32   *[OSPF/10] 11:41:48, metric 2
                    > to 10.1.11.1 via ge-0/0/1.3011
                      to 10.0.123.44 via ge-0/0/1.3123
192.168.255.11/32  *[Direct/0] 14:52:17
                    > via lo0.0
192.168.255.22/32  *[OSPF/10] 11:41:39, metric 2
                    > to 10.0.123.33 via ge-0/0/1.3123
                      to 10.0.123.44 via ge-0/0/1.3123
192.168.255.33/32  *[OSPF/10] 11:42:39, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123
192.168.255.44/32  *[OSPF/10] 11:41:48, metric 1
                    > to 10.0.123.44 via ge-0/0/1.3123
192.168.255.154/32 *[OSPF/10] 12:07:04, metric 1
                    > to 10.0.123.254 via ge-0/0/1.3123
192.168.255.254/32 *[OSPF/10] 11:41:39, metric 2
                      to 10.0.123.33 via ge-0/0/1.3123
                    > to 10.0.123.44 via ge-0/0/1.3123
224.0.0.2/32       *[LDP/9] 14:52:17, metric 1
                      MultiRecv
224.0.0.5/32       *[OSPF/10] 14:52:17, metric 1
                      MultiRecv

inet.3: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.255.1/32   *[LDP/9] 14:45:03, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011
192.168.255.2/32   *[LDP/9] 12:00:32, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Push 299840
192.168.255.3/32   *[LDP/9] 11:42:38, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Push 299808
                      to 10.0.123.33 via ge-0/0/1.3123, Push 299776
192.168.255.4/32   *[LDP/9] 11:41:47, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Push 299792
                      to 10.0.123.44 via ge-0/0/1.3123, Push 299776
192.168.255.22/32  *[LDP/9] 11:37:45, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 299952
                      to 10.0.123.44 via ge-0/0/1.3123, Push 299952
192.168.255.33/32  *[LDP/9] 11:42:38, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123
192.168.255.44/32  *[LDP/9] 11:41:47, metric 1
                    > to 10.0.123.44 via ge-0/0/1.3123
192.168.255.154/32 *[LDP/9] 11:44:55, metric 1
                    > to 10.0.123.254 via ge-0/0/1.3123
192.168.255.254/32 *[LDP/9] 11:37:45, metric 1
                      to 10.0.123.33 via ge-0/0/1.3123, Push 299936
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 299936

CE01.inet.0: 13 destinations, 20 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.11.0/24     *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
172.16.12.0/24     *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
172.16.13.0/24     *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
172.16.14.0/24     *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
172.16.21.0/24     *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
172.16.22.0/24     *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
172.16.23.0/24     *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
172.16.24.0/24     *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
192.168.1.0/24     *[Direct/0] 14:45:09
                    > via ge-0/0/5.0
                    [BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
192.168.1.254/32   *[Local/0] 14:45:09
                      Local via ge-0/0/5.0
192.168.2.0/24     *[BGP/170] 00:33:22, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:33:22, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
192.168.254.1/32   *[BGP/170] 13:28:31, localpref 100
                      AS path: 65101 I, validation-state: unverified
                    > to 192.168.1.1 via ge-0/0/5.0
192.168.254.2/32   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)

MGMT.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 14:45:09
                    > to 10.20.2.1 via ge-0/0/0.0
10.20.2.0/24       *[Direct/0] 14:45:09
                    > via ge-0/0/0.0
10.20.2.201/32     *[Local/0] 14:45:09
                      Local via ge-0/0/0.0

mpls.0: 20 destinations, 20 routes (20 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0                  *[MPLS/0] 14:52:17, metric 1
                      to table inet.0
0(S=0)             *[MPLS/0] 14:52:17, metric 1
                      to table mpls.0
1                  *[MPLS/0] 14:52:17, metric 1
                      Receive
2                  *[MPLS/0] 14:52:17, metric 1
                      to table inet6.0
2(S=0)             *[MPLS/0] 14:52:17, metric 1
                      to table mpls.0
13                 *[MPLS/0] 14:52:17, metric 1
                      Receive
16                 *[VPN/0] 14:52:17
                    > via lsi.0 (CE01), Pop      
299776             *[LDP/9] 14:45:03, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Pop      
299776(S=0)        *[LDP/9] 14:45:03, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Pop      
299792             *[LDP/9] 11:41:47, metric 1
                      to 10.1.11.1 via ge-0/0/1.3011, Swap 299792
                    > to 10.0.123.44 via ge-0/0/1.3123, Swap 299776
299808             *[LDP/9] 11:42:38, metric 1
                      to 10.1.11.1 via ge-0/0/1.3011, Swap 299808
                    > to 10.0.123.33 via ge-0/0/1.3123, Swap 299776
299824             *[LDP/9] 12:00:32, metric 1
                    > to 10.1.11.1 via ge-0/0/1.3011, Swap 299840
299856             *[LDP/9] 11:42:38, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Pop      
299856(S=0)        *[LDP/9] 11:42:38, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Pop      
299872             *[LDP/9] 11:41:47, metric 1
                    > to 10.0.123.44 via ge-0/0/1.3123, Pop      
299872(S=0)        *[LDP/9] 11:41:47, metric 1
                    > to 10.0.123.44 via ge-0/0/1.3123, Pop      
299904             *[LDP/9] 11:44:55, metric 1
                    > to 10.0.123.254 via ge-0/0/1.3123, Pop      
299904(S=0)        *[LDP/9] 11:44:55, metric 1
                    > to 10.0.123.254 via ge-0/0/1.3123, Pop      
299936             *[LDP/9] 11:37:45, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Swap 299936
                      to 10.0.123.44 via ge-0/0/1.3123, Swap 299936
299952             *[LDP/9] 11:37:45, metric 1
                    > to 10.0.123.33 via ge-0/0/1.3123, Swap 299952
                      to 10.0.123.44 via ge-0/0/1.3123, Swap 299952

bgp.l3vpn.0: 6 destinations, 12 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

65123:102:172.16.21.0/24                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:172.16.22.0/24                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:172.16.23.0/24                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:172.16.24.0/24                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:192.168.2.0/24                
                   *[BGP/170] 00:33:22, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:33:22, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                    > to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                      to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:192.168.254.2/32                
                   *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    [BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
                      AS path: I, validation-state: unverified
                      to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
                    > to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)

inet6.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2001:1234::1/128   *[Direct/0] 14:52:17
                    > via lo0.0
fe80::250:560f:fc9e:4cd1/128
                   *[Direct/0] 14:52:17
                    > via lo0.0
ff02::2/128        *[INET6/0] 14:52:17
                      MultiRecv

Pastebins

Here are the configs in pastebins for a bit more convenient looking at.

PE01

PE02

PE03

PE04

P01

P02

P03

P04

CE01

CE02

CE03

CE04
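
The vrf-import policies in this post are what decide which customers' routes land in a VRF, so they are the thing to audit when checking tenant separation on a PE. The following is an added example, not part of the original post or its pastebin configs: a Python check that reads Junos `set` lines, resolves each VRF's import policy to route targets, and flags imports that cross customers. The community member values, the CE03 and LAB instances, and both owner tables are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: policy names follow the post; target values, CE03 and LAB are assumptions.
SAMPLE_CONFIG = """\
set policy-options community RT-EXPORT-CE01 members target:65123:101
set policy-options community RT-IMPORT-CE01 members target:65123:101
set policy-options community RT-IMPORT-CE02 members target:65123:102
set policy-options community RT-IMPORT-CE03 members target:65123:103
set policy-options policy-statement EXPORT-CE01 term EXPORT then community add RT-EXPORT-CE01
set policy-options policy-statement EXPORT-CE01 term EXPORT then accept
set policy-options policy-statement IMPORT-CE01 term IMPORT from protocol bgp
set policy-options policy-statement IMPORT-CE01 term IMPORT from community [ RT-IMPORT-CE01 RT-IMPORT-CE02 ]
set policy-options policy-statement IMPORT-CE01 term IMPORT then accept
set policy-options policy-statement IMPORT-CE01 term REJECT then reject
set policy-options policy-statement IMPORT-CE03 term IMPORT from protocol bgp
set policy-options policy-statement IMPORT-CE03 term IMPORT from community [ RT-IMPORT-CE03 RT-IMPORT-CE01 ]
set policy-options policy-statement IMPORT-CE03 term IMPORT then accept
set policy-options policy-statement IMPORT-CE03 term REJECT then reject
set policy-options policy-statement IMPORT-OPEN term IMPORT from protocol bgp
set policy-options policy-statement IMPORT-OPEN term IMPORT then accept
set routing-instances CE01 vrf-import IMPORT-CE01
set routing-instances CE03 vrf-import IMPORT-CE03
set routing-instances LAB vrf-import IMPORT-OPEN
"""

# Assumed allocation records: which customer owns each VRF and each route target.
VRF_OWNER = {"CE01": "Cust-A", "CE03": "Cust-B", "LAB": "Cust-B"}
RT_OWNER = {
    "target:65123:101": "Cust-A",
    "target:65123:102": "Cust-A",
    "target:65123:103": "Cust-B",
}


def parse(config):
    """Collect community members, policy terms (in config order) and vrf-import bindings."""
    communities = {}            # community name -> set of members
    terms = defaultdict(dict)   # policy -> {term name: {"comms": [...], "action": str}}
    vrf_import = {}             # routing instance -> import policy name
    for line in config.splitlines():
        tok = line.replace("[", " ").replace("]", " ").split()
        if tok[:3] == ["set", "policy-options", "community"] and tok[4:5] == ["members"]:
            communities.setdefault(tok[3], set()).update(tok[5:])
        elif tok[:3] == ["set", "policy-options", "policy-statement"] and tok[4:5] == ["term"]:
            term = terms[tok[3]].setdefault(tok[5], {"comms": [], "action": None})
            rest = tok[6:]
            if rest[:2] == ["from", "community"]:
                term["comms"] += rest[2:]
            elif rest[:1] == ["then"] and rest[1:2] in (["accept"], ["reject"]):
                term["action"] = rest[1]
        elif tok[:2] == ["set", "routing-instances"] and tok[3:4] == ["vrf-import"]:
            vrf_import[tok[2]] = tok[4]
    return communities, terms, vrf_import


def imported_targets(policy, communities, terms):
    """Route targets the policy accepts; 'ANY' if a term accepts with no community match.

    Simplification: conditional reject terms and multi-member communities are not modelled.
    """
    accepted = set()
    for term in terms.get(policy, {}).values():
        if term["action"] == "accept":
            if not term["comms"]:
                return accepted | {"ANY"}
            for name in term["comms"]:   # names inside [ ] are OR'ed by Junos
                accepted |= communities.get(name, {f"undefined:{name}"})
        elif term["action"] == "reject" and not term["comms"]:
            break                        # unconditional reject: later terms never run
    return accepted


def audit(config, vrf_owner, rt_owner):
    """Return (vrf, route target, reason) for every import that crosses customers."""
    communities, terms, vrf_import = parse(config)
    findings = []
    for vrf, policy in sorted(vrf_import.items()):
        for rt in sorted(imported_targets(policy, communities, terms)):
            owner = rt_owner.get(rt)
            if rt == "ANY":
                findings.append((vrf, rt, "accepts routes without a route-target match"))
            elif owner is None:
                findings.append((vrf, rt, "route target has no recorded owner"))
            elif owner != vrf_owner.get(vrf):
                findings.append((vrf, rt, f"imports {owner} routes into {vrf_owner.get(vrf)} VRF"))
    return findings


if __name__ == "__main__":
    for vrf, rt, reason in audit(SAMPLE_CONFIG, VRF_OWNER, RT_OWNER):
        print(f"{vrf}: {rt}: {reason}")
```

Feeding it the output of `show configuration | display set` from each PE gives the same report per router; policies written without named terms are ignored by this parser.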

r/ccna
Posted byMeow 🐈🐈Meow 🐱🐱 Meow Meow🍺🐈🐱Meow A+!11 months ago

Lately we have been looking at various automation topics like Python where we can do some configuration or grab some output on a few boxes. Today we are going to kick the tires with Cisco's Embedded Event Manager (EEM), the neat difference with this feature is that it runs directly on the Cisco device so it can run based on events like a command being entered or the router getting a new CDP neighbor.

The Basics

Most of the configuration we'll be looking at today is under the event manager applet <name>. We can call the script anything we want so of course I'll use MEOWCAT, once inside the config we have 3 main options that we care about:

  • EVENT - This is the "event" that causes the script to run

  • ACTION - This is the actual script that runs

  • TRIGGER - This is optional but lets you adjust when the event is triggered.

The number of events varies depending on your platform and version but EEM is pretty much supported across the board.

    R01(config-applet)#event ?
      application         Application specific event
      cli                 CLI event
      config              Configuration policy event
      counter             Counter event
      env                 Environmental event
      gold                GOLD event
      interface           Interface event
      ioswdsysmon         IOS WDSysMon event
      ipsla               IPSLA Event
      mat                 MAC address table event
      neighbor-discovery  Neighbor Discovery event
      none                Manually run policy event
      oir                 OIR event
      resource            Resource event
      rf                  Redundancy Facility event
      routing             Routing event
      rpc                 Remote Procedure Call event
      snmp                SNMP event
      snmp-notification   SNMP Notification Event
      snmp-object         SNMP object event
      syslog              Syslog event
      tag                 event tag identifier
      timer               Timer event
      track               Tracking object event

Likewise the number of actions depends on your platform and version.

    R01(config-applet)#action 10 ?
      add                Add
      append             Append to a variable
      break              Break out of a conditional loop
      cli                Execute a CLI command
      cns-event          Send a CNS event
      comment            add comment
      context            Save or retrieve context information
      continue           Continue to next loop iteration
      counter            Modify a counter value
      decrement          Decrement a variable
      divide             Divide
      else               else conditional
      elseif             elseif conditional
      end                end conditional block
      exit               Exit from applet run
      file               file operations
      force-switchover   Force a software switchover
      foreach            foreach loop
      gets               get line of input from active tty
      handle-error       On error action
      help               Read/Set parser help buffer
      if                 if conditional
      increment          Increment a variable
      info               Obtain system specific information
      mail               Send an e-mail
      multiply           Multiply
      policy             Run a pre-registered policy
      publish-event      Publish an application specific event
      puts               print data to active tty
      regexp             regular expression match
      reload             Reload system
      set                Set a variable
      snmp-object-value  Specify value for the SNMP get request
      snmp-trap          Send an SNMP trap
      string             string commands
      subtract           Subtract
      syslog             Log a syslog message
      track              Read/Set a tracking object
      wait               Wait for a specified amount of time
      while              while loop

Actions are run from lowest number to highest number and IOS will automatically sort the actions when you exit, it is a good practice to use consistent numbering since going from 1 digit actions to 2 digits might mix things in a way you don't want.

R01(config-applet)# action 1 syslog msg "TEST03"
R01(config-applet)#action 08 syslog msg "TEST02"
R01(config-applet)#action 11 syslog msg "TEST04"
R01(config-applet)#exit
R01(config)#
R01(config)#do sh run | s TEST
event manager applet TEST
 event none
 action 08 syslog msg "TEST02""
 action 1  syslog msg "TEST03"
 action 10 syslog msg "TEST01"
 action 11 syslog msg "TEST04"
R01(config)#

CLI Example

Let's look at a simple example that can stop some headaches in your network. We have all heard of a horror story where a junior accidentally causes an outage by typing switchport trunk allowed vlan 100 instead of switchport trunk allowed vlan add 100

We will stop that by preventing the evil command from running and then have the switch remind the junior!

First we name the script

SW01(config-if)#event manager applet ANTI-NOOB

Then we look for a CLI event that looks for switchport trunk allowed vlan followed by any number, the sync yes tells the router to run the script instead of the command. We can also have both the script and command run etc.

SW01(config-applet)# event cli pattern "switchport trunk allowed vlan [0-9*]" sync yes

Next we just have the switch display our educational message then we exit, just like with vlans we need to exit for the config to become live.

SW01(config-applet)# action 100 puts "NO! BAD JUNIOR! NO! Use the Add keyword"
SW01(config-applet)#exit

Now if we try to run the evil command we get our message instead and we can see the config didn't apply.

SW01(config)#int g1/0
SW01(config-if)#switchport trunk allowed vlan none
SW01(config-if)#switchport trunk allowed vlan 100 
NO! BAD JUNIOR! NO! Use the Add keyword

SW01(config-if)#do sh run int g1/0 | in allowed
 switchport trunk allowed vlan none

But we can still use the add keyword like normal.

SW01(config-if)#switchport trunk allowed vlan add 100
SW01(config-if)#do sh run int g1/0 | in allowed
 switchport trunk allowed vlan 100

Routing Example

Let's do another simple example where EEM makes and advertises a new Loopback if it detects a certain OSPF route in the routing table.

First we make an event that matches the OSPF route we want to look for.

R01(config)#  event manager applet ROUTE
R01(config-applet)# event routing network 192.168.254.33/32 type add protocol OSPF

Next we have our actions add the loopback and advertise it

Note: EEM's process starts as unprivileged so we need to enter enable mode though we don't need to specify the actual password. We also need to go to config mode if we are changing things.

R01(config-applet)# action 10 cli command "enable"
R01(config-applet)# action 11 cli command "conf t"
R01(config-applet)# action 12 cli command "interface l1"
R01(config-applet)# action 13 cli command "ip add 1.1.1.1 255.255.255.255"
R01(config-applet)# action 14 cli command "ip ospf 1 area 100"

Lastly we will add a syslog message so we know the script ran.

R01(config-applet)# action 20 syslog msg "Added New Loopback!"
R01(config-applet)#exit

Let's test this out by making a new loopback with the 192.168.254.33/32 address and add it to OSPF

R03(config)#int l33
R03(config-if)#ip add 192.168.254.33 255.255.255.255
R03(config-if)#ip ospf 1 area 300

On R01 we see that our loopback is created.

Sep  2 22:00:26.131: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
R01(config)#
Sep  2 22:00:26.519: %HA_EM-6-LOG: ROUTE: Added New Loopback!
R01(config)#do sh run int l1
Building configuration...

Current configuration : 83 bytes
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
 ip ospf 1 area 100
end

On R03 we see the 1.1.1.1 route!

R03(config-if)#do sh ip route ospf | in IA
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
O IA     1.1.1.1 [110/3] via 10.2.3.2, 00:00:30, GigabitEthernet2.23

Destructive Change Example

One simple but effective use of EEM is scripting out destructive changes, say you have to change an IP and default gateway on a router through SSH - You can't simply paste in the commands because you'll lose connectivity when you change the IP or remove the gateway. With EEM we can have the router run all the commands even though it loses connectivity.

Let's see how R02 is configured now.

R02#show ip int br | ex unass
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet2.12    10.1.2.22        YES manual up                    up      
GigabitEthernet2.23    10.2.3.2        YES manual up                    up      
Loopback0              192.168.254.2   YES manual up                    up    

R02#show run | in ip route
ip route 0.0.0.0 0.0.0.0 10.1.2.3

Then we'll SSH into the router from R01 to keep things authentic

R01#ssh -l cisco 10.1.2.22    
Password: 

R02>en
Password: 
R02#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

We will use event none for this which means we will have to manually call the script when we are ready.

R02(config)#event manager applet CHANGEIP
R02(config-applet)#event none

Then we just add all the commands we want to run. One thing to note is that there is no ? or validation for the IOS commands in this section, so make sure you don't make a typo.

R02(config-applet)#action 10 cli command "enable"
R02(config-applet)#action 11 cli command "conf t"
R02(config-applet)#action 12 cli command "interface g2.12"
R02(config-applet)#action 13 cli command "ip add 10.1.2.2 255.255.255.0"
R02(config-applet)#action 14 cli command "no ip route 0.0.0.0 0.0.0.0 10.1.2.3"
R02(config-applet)#action 15 cli command "ip route 0.0.0.0 0.0.0.0 10.1.2.1"   
R02(config-applet)#exit
R02(config)#end         

Then we run the script from privileged mode.

R02#event manager run CHANGEIP

We can see the changes worked!!!

R02#show ip int br | ex unass
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet2.12    10.1.2.2        YES manual up                    up      
GigabitEthernet2.23    10.2.3.2        YES manual up                    up      
Loopback0              192.168.254.2   YES manual up                    up      

R02#
.Sep  2 22:20:58.183: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.254.1 on GigabitEthernet2.12 from LOADING to FULL, Loading Done

R02#show run | in ^ip route
ip route 0.0.0.0 0.0.0.0 10.1.2.1

CDP Example

We'll close this out by looking at a more complex script that Cisco put out on their site; this will set the interface description by using CDP info. We'll also do some manipulations to make the output a bit nicer.

First we will make an event that runs when a new CDP neighbor is discovered.

SW01(config)# event manager applet auto-update-port-description authorization bypass
SW01(config-applet)# description "Auto-update port-description based on CDP neighbors info"
SW01(config-applet)# event neighbor-discovery interface regexp .*GigabitEthernet.* cdp add

Next we strip the domain-name from the CDP output

SW01(config-applet)# action 0.0  comment "Event line regexp: Decide which interface to auto-update description on"
SW01(config-applet)# action 1.0  comment "Trim domain name"
SW01(config-applet)# action 1.1  string trimright "$_nd_cdp_entry_name" ".testlab.com"
SW01(config-applet)# action 1.2  set _host "$_string_result"
SW01(config-applet)# action 1.3  set _host "$_string_result"

Then we do some manipulations to shorten the port name from GigabitEthernet to Gi etc.

SW01(config-applet)# action 2.0  comment "Convert long interface name to short"
SW01(config-applet)# action 2.1  string first "Ethernet" "$_nd_port_id"
SW01(config-applet)# action 2.2  if $_string_result eq "7"
SW01(config-applet)# action 2.21  string replace "$_nd_port_id" 0 14 "Gi"
SW01(config-applet)# action 2.3  elseif $_string_result eq 10
SW01(config-applet)# action 2.31  string replace "$_nd_port_id" 0 17 "Te"
SW01(config-applet)# action 2.4  elseif $_string_result eq 4
SW01(config-applet)# action 2.41  string replace "$_nd_port_id" 0 11 "Fa"
SW01(config-applet)# action 2.5  end
SW01(config-applet)# action 2.6  set _int "$_string_result"

Lastly we set the description based on the CDP information

SW01(config-applet)# action 3.0  comment "Actual config of port description"
SW01(config-applet)# action 3.1  cli command "enable"
SW01(config-applet)# action 3.2  cli command "config t"
SW01(config-applet)# action 3.3  cli command "interface $_nd_local_intf_name"
SW01(config-applet)# action 3.4  cli command "description Connected to $_host Port $_int"
SW01(config-applet)# action 3.5  cli command "do write"
SW01(config-applet)# action 4.0  syslog msg "EEM script updated description on $_nd_local_intf_name and saved config"

Let's test this out!!!!

First we'll have a look at what neighbors we have on SW01

SW01#show cdp ne
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, 
                  D - Remote, C - CVTA, M - Two-port Mac Relay 

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW02.testlab.com Gig 3/0           134             R S I            Gig 3/0
SW02.testlab.com Gig 3/1           164             R S I            Gig 3/1
SW03.testlab.com Gig 3/3           145             R S I            Gig 3/3
SW03.testlab.com Gig 3/2           165             R S I            Gig 3/2
R01.testlab.com  Gig 0/1           170              R I   CSR1000V  Gig 2

Total cdp entries displayed : 5

Since the script works when CDP discovers a new neighbor we need to clear the CDP table. Then we'll see the syslog messages as CDP discovers each neighbor.

SW01#clear cdp table

*Sep  2 21:59:55.954: %GRUB-5-CONFIG_WRITING: GRUB configuration is being updated on disk. Please wait...
*Sep  2 21:59:56.880: %GRUB-5-CONFIG_WRITTEN: GRUB configuration was written to disk successfully.
*Sep  2 21:59:56.923: %HA_EM-6-LOG: auto-update-port-description: EEM script updated description on GigabitEthernet3/1 and saved config
*Sep  2 22:00:01.275: %GRUB-5-CONFIG_WRITING: GRUB configuration is being updated on disk. Please wait...
*Sep  2 22:00:02.083: %GRUB-5-CONFIG_WRITTEN: GRUB configuration was written to disk successfully.
*Sep  2 22:00:02.155: %HA_EM-6-LOG: auto-update-port-description: EEM script updated description on GigabitEthernet3/2 and saved config
*Sep  2 22:00:14.658: %GRUB-5-CONFIG_WRITING: GRUB configuration is being updated on disk. Please wait...
*Sep  2 22:00:15.440: %GRUB-5-CONFIG_WRITTEN: GRUB configuration was written to disk successfully.
*Sep  2 22:00:15.481: %HA_EM-6-LOG: auto-update-port-description: EEM script updated description on GigabitEthernet3/0 and saved config
*Sep  2 22:00:20.310: %GRUB-5-CONFIG_WRITING: GRUB configuration is being updated on disk. Please wait...
*Sep  2 22:00:21.110: %GRUB-5-CONFIG_WRITTEN: GRUB configuration was written to disk successfully.
*Sep  2 22:00:21.185: %HA_EM-6-LOG: auto-update-port-description: EEM script updated description on GigabitEthernet0/1 and saved config
*Sep  2 22:00:28.503: %GRUB-5-CONFIG_WRITING: GRUB configuration is being updated on disk. Please wait...
*Sep  2 22:00:29.358: %GRUB-5-CONFIG_WRITTEN: GRUB configuration was written to disk successfully.
*Sep  2 22:00:29.428: %HA_EM-6-LOG: auto-update-port-description: EEM script updated description on GigabitEthernet3/3 and saved config

Now if we look at the interface descriptions we can see "Connected to <Device> Port <Port>".

SW01#show interface description | in Gi
Gi0/0                          up             up       OOB management
Gi0/1                          up             up       Connected to R01 Port Gi2
Gi0/2                          up             up       to R02
Gi0/3                          up             up       to R03
Gi1/0                          up             up       to S01
Gi1/1                          up             up       
Gi1/2                          up             up       
Gi1/3                          up             up       
Gi2/0                          up             up       to RM01
Gi2/1                          up             up       
Gi2/2                          up             up       
Gi2/3                          up             up       
Gi3/0                          up             up       Connected to SW02 Port Gi3/0
Gi3/1                          up             up       Connected to SW02 Port Gi3/1
Gi3/2                          up             up       Connected to SW03 Port Gi3/2
Gi3/3                          up             up       Connected to SW03 Port Gi3/3

Wrapping up

That is all for today, hope y'all found it interesting.

21 points
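An added example (not from the post and not Cisco's code): a small Python audit that reads a running-config excerpt and lists what each EEM applet can do, namely whether it uses `authorization bypass`, enters config mode, saves the config, or places CDP neighbor-advertised fields into a `cli command`. The sample config is reassembled (abridged) from the applets in the post; the finding names and the choice of `$_nd_cdp_entry_name` and `$_nd_port_id` as neighbor-supplied inputs are assumptions of this example.

```python
import re

# Constructed sample: the post's two applets as they would appear in a
# running-config excerpt (abridged; comment actions and elseif branches dropped).
SAMPLE_CONFIG = '''\
event manager applet CHANGEIP
 event none
 action 10 cli command "enable"
 action 11 cli command "conf t"
 action 12 cli command "interface g2.12"
 action 13 cli command "ip add 10.1.2.2 255.255.255.0"
 action 14 cli command "no ip route 0.0.0.0 0.0.0.0 10.1.2.3"
 action 15 cli command "ip route 0.0.0.0 0.0.0.0 10.1.2.1"
event manager applet auto-update-port-description authorization bypass
 description "Auto-update port-description based on CDP neighbors info"
 event neighbor-discovery interface regexp .*GigabitEthernet.* cdp add
 action 1.1 string trimright "$_nd_cdp_entry_name" ".testlab.com"
 action 1.2 set _host "$_string_result"
 action 2.1 string first "Ethernet" "$_nd_port_id"
 action 2.2 if $_string_result eq "7"
 action 2.21 string replace "$_nd_port_id" 0 14 "Gi"
 action 2.5 end
 action 2.6 set _int "$_string_result"
 action 3.1 cli command "enable"
 action 3.2 cli command "config t"
 action 3.3 cli command "interface $_nd_local_intf_name"
 action 3.4 cli command "description Connected to $_host Port $_int"
 action 3.5 cli command "do write"
 action 4.0 syslog msg "EEM script updated description on $_nd_local_intf_name and saved config"
'''

APPLET_RE = re.compile(r'^event manager applet (\S+)(.*)$')
ACTION_RE = re.compile(r'^\s+action\s+(\S+)\s+(.*)$')
CLI_RE = re.compile(r'^cli command "(.*)"')
VAR_RE = re.compile(r'\$(\w+)')
CONFIG_MODE_RE = re.compile(r'^conf\w*(\s+t\w*)?$')
SAVE_RE = re.compile(r'^(do\s+)?(wr\w*|copy\s+run\S*\s+start\S*)')

# Assumption of this example: these two variables carry values that the
# CDP neighbor advertises (its Device ID and Port ID), so they are untrusted.
NEIGHBOR_VARS = {'_nd_cdp_entry_name', '_nd_port_id'}


def parse_applets(config):
    """Split a config into applets: name, bypass flag, event, ordered actions."""
    applets, cur = [], None
    for line in config.splitlines():
        m = APPLET_RE.match(line)
        if m:
            cur = {'name': m.group(1),
                   'bypass': 'authorization bypass' in m.group(2),
                   'event': None, 'actions': []}
            applets.append(cur)
            continue
        if cur is None:
            continue
        if not line.startswith(' '):
            cur = None  # an unindented line ends the applet block
            continue
        a = ACTION_RE.match(line)
        if a:
            cur['actions'].append((a.group(1), a.group(2)))
        elif line.strip().startswith('event '):
            cur['event'] = line.strip()[len('event '):]
    return applets


def audit_applet(applet):
    """Return (finding, action_label) pairs for one applet."""
    findings = []
    if applet['bypass']:
        # CLI actions run without AAA command authorization.
        findings.append(('AUTHZ_BYPASS', '-'))
    tainted = set(NEIGHBOR_VARS)
    for label, body in applet['actions']:
        words = body.split() or ['']
        dirty = bool(set(VAR_RE.findall(body)) & tainted)
        # Track where neighbor-supplied text flows: string actions write
        # $_string_result, set actions write the named variable.
        target = None
        if words[0] == 'string':
            target = '_string_result'
        elif words[0] == 'set' and len(words) > 1:
            target = words[1]
        if target:
            if dirty:
                tainted.add(target)
            else:
                tainted.discard(target)
        cli = CLI_RE.match(body)
        if not cli:
            continue
        cmd = cli.group(1).strip()
        if CONFIG_MODE_RE.match(cmd):
            findings.append(('ENTERS_CONFIG_MODE', label))
        if SAVE_RE.match(cmd):
            findings.append(('SAVES_CONFIG', label))
        if dirty:
            findings.append(('NEIGHBOR_DATA_IN_CLI', label))
    return findings


def audit_config(config):
    return {a['name']: audit_applet(a) for a in parse_applets(config)}


if __name__ == '__main__':
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, findings)
```

A `NEIGHBOR_DATA_IN_CLI` finding is a prompt to check that the applet validates the received name and port against an expected pattern before using them in a config command.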
r/ccna
Posted byMeow 🐈🐈Meow 🐱🐱 Meow Meow🍺🐈🐱Meow A+!11 months ago
Archived

I was chatting with a fellow colleague about the value in seeing the bigger picture when learning topics the other day and had an idea: let's look at a relatively complex example of the full MPLS VPN picture. The point of this is that you can see that advanced solutions are often just the sum of other features and concepts being combined. Plus if you happen to be interested in the SP track, your day has arrived!

Topology

The topology today is a good 20 routers in VIRL broken up into a few groups.

  • 6 x Provider (P) routers - This is the ISP core that runs OSPF and MPLS
  • 6 x Provider Edge (PE) routers - These routers run BGP and MPLS for the VPN, they also have the VRFs for the CE routers.
  • 2 x Route Reflectors (RR) routers - These are Route Reflector routers, all the PE routers peer to them to receive the VPNv4 routes.
  • 6 x Customer Edge (CE) routers - These are the Customer routers, this is what most of you would see when you order an MPLS service from an ISP.

There are two customers in this topology, CUST-A and CUST-B, very original I know!

Provider Routers

The Basics

The P routers just provide the routing between the PE routers so we just make sure we have IPs on the interfaces and turn on OSPF. For MPLS we will need a /32 loopback address, this is because OSPF will automatically advertise a loopback as a /32 route no matter what the mask is and that will mess with the MPLS side of things.

P01(config)#do sh ip int br | ex unass|0/0
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/1         10.1.2.1        YES NVRAM  up                    up      
GigabitEthernet0/2         10.1.4.1        YES NVRAM  up                    up      
GigabitEthernet0/4         10.1.5.1        YES NVRAM  up                    up      
GigabitEthernet0/9         10.1.255.1      YES manual up                    up      
GigabitEthernet0/10        10.1.11.1       YES NVRAM  up                    up      
Loopback0                  192.168.255.1   YES NVRAM  up                    up 


P01(config)#router ospf 1
P01(config-router)#network 0.0.0.0 255.255.255.255 area 0 

P02(config)#router ospf 1
P02(config-router)#network 0.0.0.0 255.255.255.255 area 0 

P03(config)#router ospf 1
P03(config-router)#network 0.0.0.0 255.255.255.255 area 0 

P04(config)#router ospf 1
P04(config-router)#network 0.0.0.0 255.255.255.255 area 0 

P05(config)#router ospf 1
P05(config-router)#network 0.0.0.0 255.255.255.255 area 0 

P06(config)#router ospf 1
P06(config-router)#network 0.0.0.0 255.255.255.255 area 0 

Turning on MPLS

Cisco actually makes turning on MPLS very easy when compared with other vendors so we can do it with just one command! But because MPLS labels are dynamically generated and are locally significant, we'll explicitly define the MPLS ranges so our traceroutes are easier to read.

P01(config)#mpls label range 100 199

P02(config)#mpls label range 200 299

P03(config)#mpls label range 300 399

P04(config)#mpls label range 400 499

P05(config)#mpls label range 500 599

P06(config)#mpls label range 600 699

OSPF has an MPLS feature that automagically enables LDP on all OSPF enabled interfaces.

P01(config)#router ospf 1
P01(config-router)# mpls ldp autoconfig

Once all our P's are configured we can view the MPLS version of the routing table to see what label a particular route will use.

Note: At this point we are using MPLS forwarding in our core! This means that things like ACLs won't be able to affect the MPLS traffic unless you block MPLS entirely.

P01#show mpls forwarding-table 
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop    
Label      Label      or Tunnel Id     Switched      interface              
100        200        192.168.255.16/32   \
                                       0             Gi0/1      10.1.2.2    
           501        192.168.255.16/32   \
                                       0             Gi0/4      10.1.5.5    
101        500        192.168.255.15/32   \
                                       0             Gi0/4      10.1.5.5    
102        202        192.168.255.6/32 0             Gi0/1      10.1.2.2    
           502        192.168.255.6/32 0             Gi0/4      10.1.5.5    
103        Pop Label  192.168.255.5/32 0             Gi0/4      10.1.5.5    
104        Pop Label  192.168.255.4/32 1229          Gi0/2      10.1.4.4    
105        205        192.168.255.3/32 0             Gi0/1      10.1.2.2    
           504        192.168.255.3/32 0             Gi0/4      10.1.5.5    
106        Pop Label  192.168.255.2/32 0             Gi0/1      10.1.2.2    
107        Pop Label  10.4.14.0/24     0             Gi0/2      10.1.4.4    
108        208        10.3.13.0/24     0             Gi0/1      10.1.2.2    
           506        10.3.13.0/24     0             Gi0/4      10.1.5.5    
109        Pop Label  10.2.255.0/24    0             Gi0/1      10.1.2.2    
110        Pop Label  10.2.12.0/24     0             Gi0/1      10.1.2.2    
111        Pop Label  10.2.6.0/24      0             Gi0/1      10.1.2.2    
112        Pop Label  10.2.5.0/24      0             Gi0/1      10.1.2.2    
           Pop Label  10.2.5.0/24      0             Gi0/4      10.1.5.5    
113        Pop Label  10.2.4.0/24      0             Gi0/1      10.1.2.2    
           Pop Label  10.2.4.0/24      0             Gi0/2      10.1.4.4    
114        Pop Label  10.2.3.0/24      0             Gi0/1      10.1.2.2    
115        217        10.6.16.0/24     0             Gi0/1      10.1.2.2    
           511        10.6.16.0/24     0             Gi0/4      10.1.5.5    
116        216        10.3.6.0/24      0             Gi0/1      10.1.2.2    
           512        10.3.6.0/24      0             Gi0/4      10.1.5.5    
117        Pop Label  10.5.6.0/24      0             Gi0/4      10.1.5.5    
118        Pop Label  10.3.5.0/24      0             Gi0/4      10.1.5.5    
119        Pop Label  10.5.15.0/24     0             Gi0/4      10.1.5.5    
120        Pop Label  10.4.5.0/24      0             Gi0/2      10.1.4.4    
           Pop Label  10.4.5.0/24      0             Gi0/4      10.1.5.5

Provider Edge Routers

The Basics

The PEs are about the same except their label range starts at 10000 for PE01 and ends at 60000 for PE06, this is because I have added some IOS-XR routers for fun and their labels start at 16000.

PE01(config)#mpls label range 10000 19999
PE01(config)#
PE01(config)#router ospf 1
PE01(config-router)# network 0.0.0.0 255.255.255.255 area 0
PE01(config-router)# mpls ldp autoconfig

The XR way of doing this is:

RP/0/0/CPU0:PE05(config)#router ospf 1
RP/0/0/CPU0:PE05(config-ospf)# mpls ldp auto-config
RP/0/0/CPU0:PE05(config-ospf)# area 0.0.0.0
RP/0/0/CPU0:PE05(config-ospf-ar)#  interface Loopback0
RP/0/0/CPU0:PE05(config-ospf-ar-if)#  interface GigabitEthernet0/0/0/0

RP/0/0/CPU0:PE05(config)#mpls ldp
RP/0/0/CPU0:PE05(config)#mpls label range table 0 50000 59999

The VRFs

The PE puts each customer's routes into a separate routing table; this, among other things, allows customers to use the same address space without any conflict. We do that by making a VRF to store the routes. We have two customers so there will be CUST-A and CUST-B depending on the router.

The MPLS solution needs a Route Distinguisher to keep the customer routes unique, we also need to tell BGP what routes we want the customer to receive with the route target. Lastly we tell the router what address family we want, we'll just look at IPv4 right now.

Note: To save some time I've put the same VRFs and values on all the PE routers, though we could use unique RDs for each router to allow for more granular control of routes.

PE01(config)#vrf definition CUST-A
PE01(config-vrf)# rd 100:101
PE01(config-vrf)# route-target export 100:101
PE01(config-vrf)# route-target import 100:101
PE01(config-vrf)# !
PE01(config-vrf)# address-family ipv4

PE01(config)#vrf definition CUST-B
PE01(config-vrf)# rd 100:102
PE01(config-vrf)# route-target export 100:102
PE01(config-vrf)# route-target import 100:102
PE01(config-vrf)# !
PE01(config-vrf)# address-family ipv4

Then we need to add the interface that connects the CE router to the VRF.

Note: If you have an IP on the interface the router will remove it when you add a VRF!

PE01(config)#interface GigabitEthernet3
PE01(config-if)# vrf forwarding CUST-A
PE01(config-if)# ip address 192.168.1.254 255.255.255.0

Now that this is done we can view the interface in its own routing table

PE01(config-if)#do sh ip route vrf CUST-A | be Gateway
Gateway of last resort is not set

      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet3
L        192.168.1.254/32 is directly connected, GigabitEthernet3

The XR routers do things a bit differently like so

RP/0/0/CPU0:PE05(config)#vrf CUST-A
RP/0/0/CPU0:PE05(config-vrf)# address-family ipv4 unicast
RP/0/0/CPU0:PE05(config-vrf-af)#  import route-target
RP/0/0/CPU0:PE05(config-vrf-import-rt)#   100:101
RP/0/0/CPU0:PE05(config-vrf-import-rt)#  export route-target
RP/0/0/CPU0:PE05(config-vrf-export-rt)#   100:101

RP/0/0/CPU0:PE05(config)#vrf CUST-B
RP/0/0/CPU0:PE05(config-vrf)# address-family ipv4 unicast
RP/0/0/CPU0:PE05(config-vrf-af)#  import route-target
RP/0/0/CPU0:PE05(config-vrf-import-rt)#   100:102
RP/0/0/CPU0:PE05(config-vrf-import-rt)#  export route-target
RP/0/0/CPU0:PE05(config-vrf-export-rt)#   100:102


RP/0/0/CPU0:PE05(config)#interface GigabitEthernet0/0/0/1
RP/0/0/CPU0:PE05(config-if)# description to CE05
RP/0/0/CPU0:PE05(config-if)# vrf CUST-B
RP/0/0/CPU0:PE05(config-if)# ipv4 address 192.168.5.254 255.255.255.0

BGP

The BGP portion is probably the most config heavy we have seen so far, to make things a bit more concise we are going to utilize a BGP feature called templates, templates let you group similar configurations together so we don't have to repeat the neighbor configuration for all of our peers.

All the PEs will peer with each route reflector that is running for the VPNv4 family. Here is the first RR configuration which is identical to the other one. Each peer calls a template and only the VPNv4 address-family is running.

Note: The RRs don't actually run MPLS because they aren't in the data path, they just make sure all the PEs get the routes.

RR12(config)#router bgp 65123
RR12(config-router)# template peer-policy MPLSVPN-POLICY
RR12(config-router-ptmp)#  route-reflector-client
RR12(config-router-ptmp)#  send-community both
RR12(config-router-ptmp)# exit-peer-policy
RR12(config-router)# !
RR12(config-router)# template peer-session MPLSVPN-PEER
RR12(config-router-stmp)#  remote-as 65123
RR12(config-router-stmp)#  update-source Loopback0
RR12(config-router-stmp)# exit-peer-session
RR12(config-router)# !
RR12(config-router)# bgp cluster-id 1.2.3.4
RR12(config-router)# bgp log-neighbor-changes
RR12(config-router)# no bgp default ipv4-unicast
RR12(config-router)# neighbor 192.168.255.11 inherit peer-session MPLSVPN-PEER
RR12(config-router)# neighbor 192.168.255.12 inherit peer-session MPLSVPN-PEER
RR12(config-router)# neighbor 192.168.255.13 inherit peer-session MPLSVPN-PEER
RR12(config-router)# neighbor 192.168.255.14 inherit peer-session MPLSVPN-PEER
RR12(config-router)# neighbor 192.168.255.15 inherit peer-session MPLSVPN-PEER
RR12(config-router)# neighbor 192.168.255.16 inherit peer-session MPLSVPN-PEER
RR12(config-router)# neighbor 192.168.255.123 inherit peer-session MPLSVPN-PEER
RR12(config-router)# !
RR12(config-router)# address-family vpnv4
RR12(config-router-af)#  neighbor 192.168.255.11 activate
RR12(config-router-af)#  neighbor 192.168.255.11 send-community extended
RR12(config-router-af)#  neighbor 192.168.255.11 inherit peer-policy MPLSVPN-POLICY
RR12(config-router-af)#  neighbor 192.168.255.12 activate
RR12(config-router-af)#  neighbor 192.168.255.12 send-community extended
RR12(config-router-af)#  neighbor 192.168.255.12 inherit peer-policy MPLSVPN-POLICY
RR12(config-router-af)#  neighbor 192.168.255.13 activate
RR12(config-router-af)#  neighbor 192.168.255.13 send-community extended
RR12(config-router-af)#  neighbor 192.168.255.13 inherit peer-policy MPLSVPN-POLICY
RR12(config-router-af)#  neighbor 192.168.255.14 activate
RR12(config-router-af)#  neighbor 192.168.255.14 send-community extended
RR12(config-router-af)#  neighbor 192.168.255.14 inherit peer-policy MPLSVPN-POLICY
RR12(config-router-af)#  neighbor 192.168.255.15 activate
RR12(config-router-af)#  neighbor 192.168.255.15 send-community extended
RR12(config-router-af)#  neighbor 192.168.255.15 inherit peer-policy MPLSVPN-POLICY
RR12(config-router-af)#  neighbor 192.168.255.16 activate
RR12(config-router-af)#  neighbor 192.168.255.16 send-community extended
RR12(config-router-af)#  neighbor 192.168.255.16 inherit peer-policy MPLSVPN-POLICY
RR12(config-router-af)#  neighbor 192.168.255.123 activate
RR12(config-router-af)#  neighbor 192.168.255.123 send-community extended
RR12(config-router-af)#  neighbor 192.168.255.123 inherit peer-policy MPLSVPN-POLICY
RR12(config-router-af)# exit-address-family

On each of the PEs we do an IBGP peering with each RR, we'll also use templates to keep things clean.

PE01(config)#router bgp 65123
PE01(config-router)# template peer-policy MPLSVPN-POLICY
PE01(config-router-ptmp)#  send-community both
PE01(config-router-ptmp)# exit-peer-policy
PE01(config-router)# !
PE01(config-router)# template peer-session MPLSVPN-PEER
PE01(config-router-stmp)#  remote-as 65123
PE01(config-router-stmp)#  update-source Loopback0
PE01(config-router-stmp)# exit-peer-session
PE01(config-router)# !
PE01(config-router)# bgp log-neighbor-changes
PE01(config-router)# no bgp default ipv4-unicast
PE01(config-router)# neighbor 192.168.255.112 inherit peer-session MPLSVPN-PEER
PE01(config-router)# neighbor 192.168.255.134 inherit peer-session MPLSVPN-PEER
PE01(config-router)# !
PE01(config-router)# address-family vpnv4
PE01(config-router-af)#  neighbor 192.168.255.112 activate
PE01(config-router-af)#  neighbor 192.168.255.112 send-community extended
PE01(config-router-af)#  neighbor 192.168.255.112 inherit peer-policy MPLSVPN-POLICY
PE01(config-router-af)#  neighbor 192.168.255.134 activate
PE01(config-router-af)#  neighbor 192.168.255.134 send-community extended
PE01(config-router-af)#  neighbor 192.168.255.134 inherit peer-policy MPLSVPN-POLICY

CE Routing / Redistribution

Next we need to have the VRF run a routing protocol and have the routes be learned by BGP and back again.

We need to enable VRF aware routing on each protocol.

With OSPF we have to make a new process that calls the VRF we want to use. Then we do mutual redistribution between the protocol and BGP.

PE01(config)# router ospf 100 vrf CUST-A
PE01(config-router)# redistribute bgp 65123 subnets
PE01(config-router)# network 0.0.0.0 255.255.255.255 area 0
PE01(config-router)#exit

PE01(config)#router bgp 65123
PE01(config-router)#address-family ipv4 vrf CUST-A
PE01(config-router-af)#  redistribute ospf 100

For EIGRP I'll use Named Mode which I'm sure we'll talk about shortly

PE03(config)#router eigrp MEOWCAT
PE03(config-router)# !
PE03(config-router)# address-family ipv4 unicast vrf CUST-B autonomous-system 2323
PE03(config-router-af)#  !
PE03(config-router-af)#  topology base
PE03(config-router-af-topology)#   redistribute bgp 65123 metric 100000 100 255 1 1500
PE03(config-router-af-topology)#  exit-af-topology
PE03(config-router-af)#  network 0.0.0.0
PE03(config-router-af)# exit-address-family

PE03(config)#router bgp 65123
PE03(config-router)# address-family ipv4 vrf CUST-B
PE03(config-router-af)#  redistribute eigrp 2323

RIP just calls the VRF under its configuration

PE04(config)#router rip
PE04(config-router)# !
PE04(config-router)# address-family ipv4 vrf CUST-B
PE04(config-router-af)#  redistribute bgp 65123 metric 5
PE04(config-router-af)#  network 0.0.0.0
PE04(config-router-af)#  no auto-summary
PE04(config-router-af)#  version 2

PE04(config)#router bgp 65123
PE04(config-router)# address-family ipv4 vrf CUST-B
PE04(config-router-af)#  redistribute rip

The XR side of things looks like this:

For RIP we first need to set a metric with a route-policy

RP/0/0/CPU0:PE05(config)#route-policy BGP_TO_RIP
RP/0/0/CPU0:PE05(config-rpl)#  set rip-metric 5
RP/0/0/CPU0:PE05(config-rpl)#end-policy

Then we enable RIP and do the redistribution with the policy.

RP/0/0/CPU0:PE05(config)#router rip
RP/0/0/CPU0:PE05(config-rip)# vrf CUST-B
RP/0/0/CPU0:PE05(config-rip-vrf)#  interface GigabitEthernet0/0/0/1
RP/0/0/CPU0:PE05(config-rip-vrf-if)#  !
RP/0/0/CPU0:PE05(config-rip-vrf-if)#  redistribute bgp 65123 route-policy BGP_TO_RIP

On the BGP end one thing to note is that the rd is set under the BGP VRF config.

RP/0/0/CPU0:PE05(config)#router bgp 65123
RP/0/0/CPU0:PE05(config-bgp-nbr-af)# vrf CUST-B
RP/0/0/CPU0:PE05(config-bgp-vrf)#  rd 100:102
RP/0/0/CPU0:PE05(config-bgp-vrf)#  address-family ipv4 unicast
RP/0/0/CPU0:PE05(config-bgp-vrf-af)#   redistribute rip

CE

The CE side simply does routing like you would normally do, so nothing exciting there!

CE01(config)#router ospf 1
CE01(config-router)# network 0.0.0.0 255.255.255.255 area 0

Verification

If we did everything correctly we should see OSPF routes on CE01 from CE02 and CE06....we do! Notice that routes from CE02 are O IA even though they are both area 0, this is because MPLS creates a "super backbone" that acts as the main area 0. The routes from CE06 are external because they come from EIGRP.

CE01(config)#do sh ip route ospf | be Gate
Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 16 subnets, 2 masks
O IA     172.16.21.1/32 
           [110/3] via 192.168.1.254, 02:23:02, GigabitEthernet0/1
O IA     172.16.22.1/32 
           [110/3] via 192.168.1.254, 02:23:02, GigabitEthernet0/1
O IA     172.16.23.1/32 
           [110/3] via 192.168.1.254, 02:23:02, GigabitEthernet0/1
O IA     172.16.24.1/32 
           [110/3] via 192.168.1.254, 02:23:02, GigabitEthernet0/1
O E2     172.16.61.0/24 
           [110/1] via 192.168.1.254, 02:23:07, GigabitEthernet0/1
O E2     172.16.62.0/24 
           [110/1] via 192.168.1.254, 02:23:07, GigabitEthernet0/1
O E2     172.16.63.0/24 
           [110/1] via 192.168.1.254, 02:23:07, GigabitEthernet0/1
O E2     172.16.64.0/24 
           [110/1] via 192.168.1.254, 02:23:07, GigabitEthernet0/1
O IA  192.168.2.0/24 [110/2] via 192.168.1.254, 02:23:02, GigabitEthernet0/1
O E2  192.168.6.0/24 [110/1] via 192.168.1.254, 02:23:07, GigabitEthernet0/1
      192.168.254.0/32 is subnetted, 3 subnets
O IA     192.168.254.2 [110/3] via 192.168.1.254, 02:23:02, GigabitEthernet0/1
O E2     192.168.254.6 [110/1] via 192.168.1.254, 02:23:07, GigabitEthernet0/1


CE01(config)#do ping 172.16.21.1 so l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.21.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.254.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/25/53 ms

We can tell it is using MPLS by using a traceroute. This may be turned off in the real world but it's on by default, so we can see what labels are used through the network.

Note: MPLS VPN will use two labels, one for the transport and one from the destination PE.

We can see the second label by looking at BGP

PE01#show bgp vpnv4 unicast rd 100:101 172.16.21.0/24         
BGP routing table entry for 100:101:172.16.21.0/24, version 127
Paths: (2 available, best #2, table CUST-A)
  Not advertised to any peer
  Refresh Epoch 1
  Local
    192.168.255.12 (metric 4) (via default) from 192.168.255.134 (192.168.255.134)
      Origin incomplete, metric 2, localpref 100, valid, internal
      Extended Community: RT:100:101 OSPF DOMAIN ID:0x0005:0x000000640200 
        OSPF RT:0.0.0.126:2:0 OSPF ROUTER ID:192.168.2.254:0
      Originator: 192.168.255.12, Cluster list: 1.2.3.4
      mpls labels in/out nolabel/20039
      rx pathid: 0, tx pathid: 0
  Refresh Epoch 1
  Local
    192.168.255.12 (metric 4) (via default) from 192.168.255.112 (192.168.255.112)
      Origin incomplete, metric 2, localpref 100, valid, internal, best
      Extended Community: RT:100:101 OSPF DOMAIN ID:0x0005:0x000000640200 
        OSPF RT:0.0.0.126:2:0 OSPF ROUTER ID:192.168.2.254:0
      Originator: 192.168.255.12, Cluster list: 1.2.3.4
      mpls labels in/out nolabel/20039
      rx pathid: 0, tx pathid: 0x0

Looking at a traceroute we can see the labels at play.

CE01#traceroute 172.16.21.1 source l11
Type escape sequence to abort.
Tracing the route to 172.16.21.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.254 9 msec 2 msec 2 msec
  2 10.1.11.1 [MPLS: Labels 125/20034 Exp 0] 33 msec 5 msec 1 msec
  3 10.1.2.2 [MPLS: Labels 223/20034 Exp 0] 10 msec 17 msec 14 msec
  4 192.168.2.254 [MPLS: Label 20034 Exp 0] 10 msec 13 msec 10 msec
  5 192.168.2.2 17 msec *  21 msec

R03 on the other hand can see routes from R04 and R05

CE03#show ip route eigrp  | b Gate
Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 16 subnets, 2 masks
D EX     172.16.41.0/24 
           [170/568320] via 192.168.3.254, 02:32:17, GigabitEthernet0/1
D EX     172.16.42.0/24 
           [170/568320] via 192.168.3.254, 02:32:17, GigabitEthernet0/1
D EX     172.16.43.0/24 
           [170/568320] via 192.168.3.254, 02:32:17, GigabitEthernet0/1
D EX     172.16.44.0/24 
           [170/568320] via 192.168.3.254, 02:32:17, GigabitEthernet0/1
D EX     172.16.51.0/24 
           [170/568320] via 192.168.3.254, 02:32:18, GigabitEthernet0/1
D EX     172.16.52.0/24 
           [170/568320] via 192.168.3.254, 02:32:18, GigabitEthernet0/1
D EX     172.16.53.0/24 
           [170/568320] via 192.168.3.254, 02:32:18, GigabitEthernet0/1
D EX     172.16.54.0/24 
           [170/568320] via 192.168.3.254, 02:32:18, GigabitEthernet0/1
D EX  192.168.4.0/24 
           [170/568320] via 192.168.3.254, 02:32:17, GigabitEthernet0/1
D EX  192.168.5.0/24 
           [170/568320] via 192.168.3.254, 02:32:18, GigabitEthernet0/1
      192.168.254.0/32 is subnetted, 3 subnets
D EX     192.168.254.4 
           [170/568320] via 192.168.3.254, 02:32:17, GigabitEthernet0/1
D EX     192.168.254.5 
           [170/568320] via 192.168.3.254, 02:32:18, GigabitEthernet0/1

The End

I suspect it will take a lot of you a while to try to figure this all out but the point is just to show a larger more complex topology than you would see in a typical CCNA R&S day to day. We can see how MPLS VPN is really just BGP + MPLS + VRF + Routing Protocols, when we get around to talking about IWAN you'll see it is DMVPN + VRF + PfR + IPSEC at its core. Cisco really loves gluing things together!

45 points
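An added example (not from the post): customer separation in this design rests on each VRF importing only its own route targets, so this Python check parses `vrf definition` blocks from several PEs and reports any VRF that imports an RT exported by a differently named VRF, plus any RD shared between VRF names. PE01 uses the values from the post; the PE02 block with the extra import is a constructed mistake for demonstration, and the finding names are this example's own.

```python
import re
from collections import defaultdict

# PE01 matches the post. PE02 is constructed: its CUST-B VRF carries an
# extra "route-target import 100:101" that the post's configs do not have.
PE_CONFIGS = {
    'PE01': '''\
vrf definition CUST-A
 rd 100:101
 route-target export 100:101
 route-target import 100:101
 !
 address-family ipv4
vrf definition CUST-B
 rd 100:102
 route-target export 100:102
 route-target import 100:102
 !
 address-family ipv4
''',
    'PE02': '''\
vrf definition CUST-A
 rd 100:101
 route-target export 100:101
 route-target import 100:101
vrf definition CUST-B
 rd 100:102
 route-target export 100:102
 route-target import 100:102
 route-target import 100:101
''',
}


def parse_vrfs(config):
    """Return {vrf_name: {'rd': str|None, 'import': set, 'export': set}}."""
    vrfs, cur = {}, None
    for line in config.splitlines():
        m = re.match(r'^vrf definition (\S+)', line)
        if m:
            cur = vrfs.setdefault(
                m.group(1), {'rd': None, 'import': set(), 'export': set()})
            continue
        if cur is None or not line.startswith(' '):
            cur = None  # outside any VRF block
            continue
        words = line.split()
        if len(words) == 2 and words[0] == 'rd':
            cur['rd'] = words[1]
        elif len(words) == 3 and words[0] == 'route-target':
            direction, rt = words[1], words[2]
            if direction in ('import', 'both'):
                cur['import'].add(rt)
            if direction in ('export', 'both'):
                cur['export'].add(rt)
    return vrfs


def audit_rt_isolation(pe_configs):
    """Flag imports of another VRF's route target and RDs shared across VRFs."""
    parsed = {pe: parse_vrfs(cfg) for pe, cfg in pe_configs.items()}
    exporters = defaultdict(set)   # RT -> VRF names that export it anywhere
    rd_users = defaultdict(set)    # RD -> VRF names that use it anywhere
    for vrfs in parsed.values():
        for name, vrf in vrfs.items():
            for rt in vrf['export']:
                exporters[rt].add(name)
            if vrf['rd']:
                rd_users[vrf['rd']].add(name)

    findings = []
    for pe, vrfs in parsed.items():
        for name, vrf in vrfs.items():
            for rt in vrf['import']:
                foreign = exporters.get(rt, set()) - {name}
                if foreign:
                    findings.append(('CROSS_VRF_IMPORT', pe, name, rt,
                                     tuple(sorted(foreign))))
                elif rt not in exporters:
                    findings.append(('IMPORT_NEVER_EXPORTED', pe, name, rt, ()))
    for rd, names in rd_users.items():
        if len(names) > 1:
            findings.append(('RD_SHARED', rd, tuple(sorted(names))))
    return sorted(findings)


if __name__ == '__main__':
    for finding in audit_rt_isolation(PE_CONFIGS):
        print(finding)
```

Deliberate extranet or shared-services imports will also be reported, so compare the findings against the list of imports you intended.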
r/networkingPosted byAMA TP-Link,DrayTek and SonicWall11 months ago
Archived

Here is a post I did for /r/CCNA y'all might like

I was chatting with a fellow colleague about the value in seeing the bigger picture when learning topics the other day and had an idea: let's look at a relatively complex example of the full MPLS VPN picture. The point of this is that you can see that advanced solutions are often just the sum of other features and concepts being combined. Plus if you happen to be interested in the SP track, your day has arrived!

Topology

The topology today is a good 20 routers in VIRL broken up into a few groups.

  • 6 x Provider (P) routers - This is the ISP core that runs OSPF and MPLS
  • 6 x Provider Edge (PE) routers - These routers run BGP and MPLS for the VPN, they also have the VRFs for the CE routers.
  • 2 x Route Reflectors (RR) routers - These are Route Reflector routers, all the PE routers peer to them to receive the VPNv4 routes.
  • 6 x Customer Edge (CE) routers - These are the Customer routers, this is what most of you would see when you order an MPLS service from an ISP.

There are two customers in this topology, CUST-A and CUST-B, very original I know!

Provider Routers

The Basics

The P routers just provide the routing between the PE routers so we just make sure we have IPs on the interfaces and turn on OSPF. For MPLS we will need a /32 loopback address, this is because OSPF will automatically advertise a loopback as a /32 route no matter what the mask is and that will mess with the MPLS side of things.

P01(config)#do sh ip int br | ex unass|0/0
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/1         10.1.2.1        YES NVRAM  up                    up      
GigabitEthernet0/2         10.1.4.1        YES NVRAM  up                    up      
GigabitEthernet0/4         10.1.5.1        YES NVRAM  up                    up      
GigabitEthernet0/9         10.1.255.1      YES manual up                    up      
GigabitEthernet0/10        10.1.11.1       YES NVRAM  up                    up      
Loopback0                  192.168.255.1   YES NVRAM  up                    up 


P01(config)#router ospf 1
P01(config-router)#network 0.0.0.0 255.255.255.255 area 0 

P02(config)#router ospf 1
P02(config-router)#network 0.0.0.0 255.255.255.255 area 0 

P03(config)#router ospf 1
P03(config-router)#network 0.0.0.0 255.255.255.255 area 0 

P04(config)#router ospf 1
P04(config-router)#network 0.0.0.0 255.255.255.255 area 0 

P05(config)#router ospf 1
P05(config-router)#network 0.0.0.0 255.255.255.255 area 0 

P06(config)#router ospf 1
P06(config-router)#network 0.0.0.0 255.255.255.255 area 0 

Turning on MPLS

Cisco actually makes turning on MPLS very easy when compared with other vendors so we can do it with just one command! But because MPLS labels are dynamically generated and are locally significant, we'll explicitly define the MPLS ranges so our traceroutes are easier to read.

P01(config)#mpls label range 100 199

P02(config)#mpls label range 200 299

P03(config)#mpls label range 300 399

P04(config)#mpls label range 400 499

P05(config)#mpls label range 500 599

P06(config)#mpls label range 600 699

OSPF has an MPLS feature that automagically enables LDP on all OSPF enabled interfaces.

P01(config)#router ospf 1
P01(config-router)# mpls ldp autoconfig

Once all our P's are configured we can view the MPLS version of the routing table to see what label a particular route will use.

Note: At this point we are using MPLS forwarding in our core! This means that things like ACLs won't be able to affect the MPLS traffic unless you block MPLS entirely.

P01#show mpls forwarding-table 
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop    
Label      Label      or Tunnel Id     Switched      interface              
100        200        192.168.255.16/32   \
                                       0             Gi0/1      10.1.2.2    
           501        192.168.255.16/32   \
                                       0             Gi0/4      10.1.5.5    
101        500        192.168.255.15/32   \
                                       0             Gi0/4      10.1.5.5    
102        202        192.168.255.6/32 0             Gi0/1      10.1.2.2    
           502        192.168.255.6/32 0             Gi0/4      10.1.5.5    
103        Pop Label  192.168.255.5/32 0             Gi0/4      10.1.5.5    
104        Pop Label  192.168.255.4/32 1229          Gi0/2      10.1.4.4    
105        205        192.168.255.3/32 0             Gi0/1      10.1.2.2    
           504        192.168.255.3/32 0             Gi0/4      10.1.5.5    
106        Pop Label  192.168.255.2/32 0             Gi0/1      10.1.2.2    
107        Pop Label  10.4.14.0/24     0             Gi0/2      10.1.4.4    
108        208        10.3.13.0/24     0             Gi0/1      10.1.2.2    
           506        10.3.13.0/24     0             Gi0/4      10.1.5.5    
109        Pop Label  10.2.255.0/24    0             Gi0/1      10.1.2.2    
110        Pop Label  10.2.12.0/24     0             Gi0/1      10.1.2.2    
111        Pop Label  10.2.6.0/24      0             Gi0/1      10.1.2.2    
112        Pop Label  10.2.5.0/24      0             Gi0/1      10.1.2.2    
           Pop Label  10.2.5.0/24      0             Gi0/4      10.1.5.5    
113        Pop Label  10.2.4.0/24      0             Gi0/1      10.1.2.2    
           Pop Label  10.2.4.0/24      0             Gi0/2      10.1.4.4    
114        Pop Label  10.2.3.0/24      0             Gi0/1      10.1.2.2    
115        217        10.6.16.0/24     0             Gi0/1      10.1.2.2    
           511        10.6.16.0/24     0             Gi0/4      10.1.5.5    
116        216        10.3.6.0/24      0             Gi0/1      10.1.2.2    
           512        10.3.6.0/24      0             Gi0/4      10.1.5.5    
117        Pop Label  10.5.6.0/24      0             Gi0/4      10.1.5.5    
118        Pop Label  10.3.5.0/24      0             Gi0/4      10.1.5.5    
119        Pop Label  10.5.15.0/24     0             Gi0/4      10.1.5.5    
120        Pop Label  10.4.5.0/24      0             Gi0/2      10.1.4.4    
           Pop Label  10.4.5.0/24      0             Gi0/4      10.1.5.5

Provider Edge Routers

The Basics

The PEs are about the same except their label range starts at 10000 for PE01 and ends at 60000 for PE06, this is because I have added some IOS-XR routers for fun and their labels start at 16000.

PE01(config)#mpls label range 10000 19999
PE01(config)#
PE01(config)#router ospf 1
PE01(config-router)# network 0.0.0.0 255.255.255.255 area 0
PE01(config-router)# mpls ldp autoconfig

The XR way of doing this is:

RP/0/0/CPU0:PE05(config)#router ospf 1
RP/0/0/CPU0:PE05(config-ospf)# mpls ldp auto-config
RP/0/0/CPU0:PE05(config-ospf)# area 0.0.0.0
RP/0/0/CPU0:PE05(config-ospf-ar)#  interface Loopback0
RP/0/0/CPU0:PE05(config-ospf-ar-if)#  interface GigabitEthernet0/0/0/0

RP/0/0/CPU0:PE05(config)#mpls ldp
RP/0/0/CPU0:PE05(config)#mpls label range table 0 50000 59999

The VRFs

The PE puts each customer's routes into a separate routing table, this among other things allows customers to use the same address space without any conflict. We do that by making a VRF to store the routes. We have two customers so there will be CUST-A and CUST-B depending on the router.

The MPLS solution needs a Route Distinguisher to keep the customer routes unique, we also need to tell BGP what routes we want the customer to receive with the route target. Lastly we tell the router what address family we want, we'll just look at IPv4 right now.

Note: To save some time I've put the same VRFs and values on all the PE routers, though we could use unique RDs for each router to allow for more granular control of routes.

PE01(config)#vrf definition CUST-A
PE01(config-vrf)# rd 100:101
PE01(config-vrf)# route-target export 100:101
PE01(config-vrf)# route-target import 100:101
PE01(config-vrf)# !
PE01(config-vrf)# address-family ipv4

PE01(config)#vrf definition CUST-B
PE01(config-vrf)# rd 100:102
PE01(config-vrf)# route-target export 100:102
PE01(config-vrf)# route-target import 100:102
PE01(config-vrf)# !
PE01(config-vrf)# address-family ipv4

Then we need to add the interface that connects the CE router to the VRF.

Note: If you have an IP on the interface the router will remove it when you add a VRF!

PE01(config)#interface GigabitEthernet3
PE01(config-if)# vrf forwarding CUST-A
PE01(config-if)# ip address 192.168.1.254 255.255.255.0

Now that this is done we can view the interface in its own routing table

PE01(config-if)#do sh ip route vrf CUST-A | be Gateway
Gateway of last resort is not set

      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet3
L        192.168.1.254/32 is directly connected, GigabitEthernet3

The XR routers do things a bit differently like so

RP/0/0/CPU0:PE05(config)#vrf CUST-A
RP/0/0/CPU0:PE05(config-vrf)# address-family ipv4 unicast
RP/0/0/CPU0:PE05(config-vrf-af)#  import route-target
RP/0/0/CPU0:PE05(config-vrf-import-rt)#   100:101
RP/0/0/CPU0:PE05(config-vrf-import-rt)#  export route-target
RP/0/0/CPU0:PE05(config-vrf-export-rt)#   100:101

RP/0/0/CPU0:PE05(config)#vrf CUST-B
RP/0/0/CPU0:PE05(config-vrf)# address-family ipv4 unicast
RP/0/0/CPU0:PE05(config-vrf-af)#  import route-target
RP/0/0/CPU0:PE05(config-vrf-import-rt)#   100:102
RP/0/0/CPU0:PE05(config-vrf-import-rt)#  export route-target
RP/0/0/CPU0:PE05(config-vrf-export-rt)#   100:102


RP/0/0/CPU0:PE05(config)#interface GigabitEthernet0/0/0/1
RP/0/0/CPU0:PE05(config-if)# description to CE05
RP/0/0/CPU0:PE05(config-if)# vrf CUST-B
RP/0/0/CPU0:PE05(config-if)# ipv4 address 192.168.5.254 255.255.255.0

BGP

The BGP portion is probably the most config heavy we have seen so far, to make things a bit more concise we are going to utilize a BGP feature called templates, templates let you group similar configurations together so we don't have to repeat the neighbor configuration for all of our peers.

All the PEs will peer with each route reflector that is running for the VPNv4 family. Here is the first RR configuration which is identical to the other one. Each peer calls a template and only the VPNv4 address-family is running.

Note: The RRs don't actually run MPLS because they aren't in the data path, they just make sure all the PEs get the routes.

RR12(config)#router bgp 65123
RR12(config-router)# template peer-policy MPLSVPN-POLICY
RR12(config-router-ptmp)#  route-reflector-client
RR12(config-router-ptmp)#  send-community both
RR12(config-router-ptmp)# exit-peer-policy
RR12(config-router)# !
RR12(config-router)# template peer-session MPLSVPN-PEER
RR12(config-router-stmp)#  remote-as 65123
RR12(config-router-stmp)#  update-source Loopback0
RR12(config-router-stmp)# exit-peer-session
RR12(config-router)# !
RR12(config-router)# bgp cluster-id 1.2.3.4
RR12(config-router)# bgp log-neighbor-changes
RR12(config-router)# no bgp default ipv4-unicast
RR12(config-router)# neighbor 192.168.255.11 inherit peer-session MPLSVPN-PEER
RR12(config-router)# neighbor 192.168.255.12 inherit peer-session MPLSVPN-PEER
RR12(config-router)# neighbor 192.168.255.13 inherit peer-session MPLSVPN-PEER
RR12(config-router)# neighbor 192.168.255.14 inherit peer-session MPLSVPN-PEER
RR12(config-router)# neighbor 192.168.255.15 inherit peer-session MPLSVPN-PEER
RR12(config-router)# neighbor 192.168.255.16 inherit peer-session MPLSVPN-PEER
RR12(config-router)# neighbor 192.168.255.123 inherit peer-session MPLSVPN-PEER
RR12(config-router)# !
RR12(config-router)# address-family vpnv4
RR12(config-router-af)#  neighbor 192.168.255.11 activate
RR12(config-router-af)#  neighbor 192.168.255.11 send-community extended
RR12(config-router-af)#  neighbor 192.168.255.11 inherit peer-policy MPLSVPN-POLICY
RR12(config-router-af)#  neighbor 192.168.255.12 activate
RR12(config-router-af)#  neighbor 192.168.255.12 send-community extended
RR12(config-router-af)#  neighbor 192.168.255.12 inherit peer-policy MPLSVPN-POLICY
RR12(config-router-af)#  neighbor 192.168.255.13 activate
RR12(config-router-af)#  neighbor 192.168.255.13 send-community extended
RR12(config-router-af)#  neighbor 192.168.255.13 inherit peer-policy MPLSVPN-POLICY
RR12(config-router-af)#  neighbor 192.168.255.14 activate
RR12(config-router-af)#  neighbor 192.168.255.14 send-community extended
RR12(config-router-af)#  neighbor 192.168.255.14 inherit peer-policy MPLSVPN-POLICY
RR12(config-router-af)#  neighbor 192.168.255.15 activate
RR12(config-router-af)#  neighbor 192.168.255.15 send-community extended
RR12(config-router-af)#  neighbor 192.168.255.15 inherit peer-policy MPLSVPN-POLICY
RR12(config-router-af)#  neighbor 192.168.255.16 activate
RR12(config-router-af)#  neighbor 192.168.255.16 send-community extended
RR12(config-router-af)#  neighbor 192.168.255.16 inherit peer-policy MPLSVPN-POLICY
RR12(config-router-af)#  neighbor 192.168.255.123 activate
RR12(config-router-af)#  neighbor 192.168.255.123 send-community extended
RR12(config-router-af)#  neighbor 192.168.255.123 inherit peer-policy MPLSVPN-POLICY
RR12(config-router-af)# exit-address-family

On each of the PEs we do an IBGP peering with each RR, we'll also use templates to keep things clean.

PE01(config)#router bgp 65123
PE01(config-router)# template peer-policy MPLSVPN-POLICY
PE01(config-router-ptmp)#  send-community both
PE01(config-router-ptmp)# exit-peer-policy
PE01(config-router)# !
PE01(config-router)# template peer-session MPLSVPN-PEER
PE01(config-router-stmp)#  remote-as 65123
PE01(config-router-stmp)#  update-source Loopback0
PE01(config-router-stmp)# exit-peer-session
PE01(config-router)# !
PE01(config-router)# bgp log-neighbor-changes
PE01(config-router)# no bgp default ipv4-unicast
PE01(config-router)# neighbor 192.168.255.112 inherit peer-session MPLSVPN-PEER
PE01(config-router)# neighbor 192.168.255.134 inherit peer-session MPLSVPN-PEER
PE01(config-router)# !
PE01(config-router)# address-family vpnv4
PE01(config-router-af)#  neighbor 192.168.255.112 activate
PE01(config-router-af)#  neighbor 192.168.255.112 send-community extended
PE01(config-router-af)#  neighbor 192.168.255.112 inherit peer-policy MPLSVPN-POLICY
PE01(config-router-af)#  neighbor 192.168.255.134 activate
PE01(config-router-af)#  neighbor 192.168.255.134 send-community extended
PE01(config-router-af)#  neighbor 192.168.255.134 inherit peer-policy MPLSVPN-POLICY

CE Routing / Redistribution

Next we need to have the VRF run a routing protocol and have the routes be learned by BGP and back again.

We need to enable VRF aware routing on each protocol.

With OSPF we have to make a new process that calls the VRF we want to use. Then we do mutual redistribution between the protocol and BGP.

PE01(config)# router ospf 100 vrf CUST-A
PE01(config-router)# redistribute bgp 65123 subnets
PE01(config-router)# network 0.0.0.0 255.255.255.255 area 0
PE01(config-router)#exit

PE01(config)#router bgp 65123
PE01(config-router)#address-family ipv4 vrf CUST-A
PE01(config-router-af)#  redistribute ospf 100

For EIGRP I'll use Named Mode which I'm sure we'll talk about shortly

PE03(config)#router eigrp MEOWCAT
PE03(config-router)# !
PE03(config-router)# address-family ipv4 unicast vrf CUST-B autonomous-system 2323
PE03(config-router-af)#  !
PE03(config-router-af)#  topology base
PE03(config-router-af-topology)#   redistribute bgp 65123 metric 100000 100 255 1 1500
PE03(config-router-af-topology)#  exit-af-topology
PE03(config-router-af)#  network 0.0.0.0
PE03(config-router-af)# exit-address-family

PE03(config)#router bgp 65123
PE03(config-router)# address-family ipv4 vrf CUST-B
PE03(config-router-af)#  redistribute eigrp 2323

RIP just calls the VRF under its configuration

PE04(config)#router rip
PE04(config-router)# !
PE04(config-router)# address-family ipv4 vrf CUST-B
PE04(config-router-af)#  redistribute bgp 65123 metric 5
PE04(config-router-af)#  network 0.0.0.0
PE04(config-router-af)#  no auto-summary
PE04(config-router-af)#  version 2

PE04(config)#router bgp 65123
PE04(config-router)# address-family ipv4 vrf CUST-B
PE04(config-router-af)#  redistribute rip

The XR side of things looks like this:

For RIP we first need to set a metric with a route-policy

RP/0/0/CPU0:PE05(config)#route-policy BGP_TO_RIP
RP/0/0/CPU0:PE05(config-rpl)#  set rip-metric 5
RP/0/0/CPU0:PE05(config-rpl)#end-policy

Then we enable RIP and do the redistribution with the policy.

RP/0/0/CPU0:PE05(config)#router rip
RP/0/0/CPU0:PE05(config-rip)# vrf CUST-B
RP/0/0/CPU0:PE05(config-rip-vrf)#  interface GigabitEthernet0/0/0/1
RP/0/0/CPU0:PE05(config-rip-vrf-if)#  !
RP/0/0/CPU0:PE05(config-rip-vrf-if)#  redistribute bgp 65123 route-policy BGP_TO_RIP

On the BGP end one thing to note is that the rd is set under the BGP VRF config.

RP/0/0/CPU0:PE05(config)#router bgp 65123
RP/0/0/CPU0:PE05(config-bgp-nbr-af)# vrf CUST-B
RP/0/0/CPU0:PE05(config-bgp-vrf)#  rd 100:102
RP/0/0/CPU0:PE05(config-bgp-vrf)#  address-family ipv4 unicast
RP/0/0/CPU0:PE05(config-bgp-vrf-af)#   redistribute rip

CE

The CE side simply does routing like you would normally do, so nothing exciting there!

CE01(config)#router ospf 1
CE01(config-router)# network 0.0.0.0 255.255.255.255 area 0

Verification

If we did everything correctly we should see OSPF routes on CE01 from CE02 and CE06....we do! Notice that routes from CE02 are O IA even though they are both area 0, this is because MPLS creates a "super backbone" that acts as the main area 0. The routes from CE06 are external because they come from EIGRP.

CE01(config)#do sh ip route ospf | be Gate
Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 16 subnets, 2 masks
O IA     172.16.21.1/32 
           [110/3] via 192.168.1.254, 02:23:02, GigabitEthernet0/1
O IA     172.16.22.1/32 
           [110/3] via 192.168.1.254, 02:23:02, GigabitEthernet0/1
O IA     172.16.23.1/32 
           [110/3] via 192.168.1.254, 02:23:02, GigabitEthernet0/1
O IA     172.16.24.1/32 
           [110/3] via 192.168.1.254, 02:23:02, GigabitEthernet0/1
O E2     172.16.61.0/24 
           [110/1] via 192.168.1.254, 02:23:07, GigabitEthernet0/1
O E2     172.16.62.0/24 
           [110/1] via 192.168.1.254, 02:23:07, GigabitEthernet0/1
O E2     172.16.63.0/24 
           [110/1] via 192.168.1.254, 02:23:07, GigabitEthernet0/1
O E2     172.16.64.0/24 
           [110/1] via 192.168.1.254, 02:23:07, GigabitEthernet0/1
O IA  192.168.2.0/24 [110/2] via 192.168.1.254, 02:23:02, GigabitEthernet0/1
O E2  192.168.6.0/24 [110/1] via 192.168.1.254, 02:23:07, GigabitEthernet0/1
      192.168.254.0/32 is subnetted, 3 subnets
O IA     192.168.254.2 [110/3] via 192.168.1.254, 02:23:02, GigabitEthernet0/1
O E2     192.168.254.6 [110/1] via 192.168.1.254, 02:23:07, GigabitEthernet0/1


CE01(config)#do ping 172.16.21.1 so l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.21.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.254.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/25/53 ms

We can tell it is using MPLS by using a traceroute, this may be turned off in the real world but it's on by default, we can see what labels are used through the network.

Note: MPLS VPN will use two labels, one for the transport and one from the destination PE.

We can see the second label by looking at BGP

PE01#show bgp vpnv4 unicast rd 100:101 172.16.21.0/24         
BGP routing table entry for 100:101:172.16.21.0/24, version 127
Paths: (2 available, best #2, table CUST-A)
  Not advertised to any peer
  Refresh Epoch 1
  Local
    192.168.255.12 (metric 4) (via default) from 192.168.255.134 (192.168.255.134)
      Origin incomplete, metric 2, localpref 100, valid, internal
      Extended Community: RT:100:101 OSPF DOMAIN ID:0x0005:0x000000640200 
        OSPF RT:0.0.0.126:2:0 OSPF ROUTER ID:192.168.2.254:0
      Originator: 192.168.255.12, Cluster list: 1.2.3.4
      mpls labels in/out nolabel/20039
      rx pathid: 0, tx pathid: 0
  Refresh Epoch 1
  Local
    192.168.255.12 (metric 4) (via default) from 192.168.255.112 (192.168.255.112)
      Origin incomplete, metric 2, localpref 100, valid, internal, best
      Extended Community: RT:100:101 OSPF DOMAIN ID:0x0005:0x000000640200 
        OSPF RT:0.0.0.126:2:0 OSPF ROUTER ID:192.168.2.254:0
      Originator: 192.168.255.12, Cluster list: 1.2.3.4
      mpls labels in/out nolabel/20039
      rx pathid: 0, tx pathid: 0x0

Looking at a traceroute we can see the labels at play.

CE01#traceroute 172.16.21.1 source l11
Type escape sequence to abort.
Tracing the route to 172.16.21.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.254 9 msec 2 msec 2 msec
  2 10.1.11.1 [MPLS: Labels 125/20034 Exp 0] 33 msec 5 msec 1 msec
  3 10.1.2.2 [MPLS: Labels 223/20034 Exp 0] 10 msec 17 msec 14 msec
  4 192.168.2.254 [MPLS: Label 20034 Exp 0] 10 msec 13 msec 10 msec
  5 192.168.2.2 17 msec *  21 msec

R03 on the other hand can see routes from R04 and R05

CE03#show ip route eigrp  | b Gate
Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 16 subnets, 2 masks
D EX     172.16.41.0/24 
           [170/568320] via 192.168.3.254, 02:32:17, GigabitEthernet0/1
D EX     172.16.42.0/24 
           [170/568320] via 192.168.3.254, 02:32:17, GigabitEthernet0/1
D EX     172.16.43.0/24 
           [170/568320] via 192.168.3.254, 02:32:17, GigabitEthernet0/1
D EX     172.16.44.0/24 
           [170/568320] via 192.168.3.254, 02:32:17, GigabitEthernet0/1
D EX     172.16.51.0/24 
           [170/568320] via 192.168.3.254, 02:32:18, GigabitEthernet0/1
D EX     172.16.52.0/24 
           [170/568320] via 192.168.3.254, 02:32:18, GigabitEthernet0/1
D EX     172.16.53.0/24 
           [170/568320] via 192.168.3.254, 02:32:18, GigabitEthernet0/1
D EX     172.16.54.0/24 
           [170/568320] via 192.168.3.254, 02:32:18, GigabitEthernet0/1
D EX  192.168.4.0/24 
           [170/568320] via 192.168.3.254, 02:32:17, GigabitEthernet0/1
D EX  192.168.5.0/24 
           [170/568320] via 192.168.3.254, 02:32:18, GigabitEthernet0/1
      192.168.254.0/32 is subnetted, 3 subnets
D EX     192.168.254.4 
           [170/568320] via 192.168.3.254, 02:32:17, GigabitEthernet0/1
D EX     192.168.254.5 
           [170/568320] via 192.168.3.254, 02:32:18, GigabitEthernet0/1

The End

I suspect it will take a lot of you a while to try to figure this all out but the point is just to show a larger more complex topology than you would see in a typical CCNA R&S day to day. We can see how MPLS VPN is really just BGP + MPLS + VRF + Routing Protocols, when we get around to talking about IWAN you'll see it is DMVPN + VRF + PfR + IPSEC at its core. Cisco really loves gluing things together!
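Added example, not part of the original post: the route-target import list in each VRF decides which VPNv4 routes land in a customer's table, so a stray import is what would put CUST-A prefixes into CUST-B. This Python audit parses IOS `vrf definition` blocks from several PEs and flags any VRF that imports a route target exported by a differently named VRF; the sample configs are constructed (PE01 matches the post, PE03 carries a deliberate mistake), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample configs. PE01 uses the RD/RT values shown in the post;
# PE03's CUST-B block carries a deliberate mistake: it also imports 100:101.
SAMPLE_CONFIGS = {
    "PE01": """
vrf definition CUST-A
 rd 100:101
 route-target export 100:101
 route-target import 100:101
 address-family ipv4
vrf definition CUST-B
 rd 100:102
 route-target export 100:102
 route-target import 100:102
 address-family ipv4
""",
    "PE03": """
vrf definition CUST-B
 rd 100:102
 route-target export 100:102
 route-target import 100:102
 route-target import 100:101
 address-family ipv4
""",
}

VRF_RE = re.compile(r"^vrf definition (\S+)\s*$")
# "both" is the IOS shorthand for import + export; the post only uses the
# separate import/export forms.
RT_RE = re.compile(r"^\s+route-target (import|export|both) (\S+)\s*$")


def parse_vrfs(config_text):
    """Return {vrf_name: {"import": set(), "export": set()}} for one config."""
    vrfs, current = {}, None
    for line in config_text.splitlines():
        m = VRF_RE.match(line)
        if m:
            current = vrfs.setdefault(m.group(1), {"import": set(), "export": set()})
        elif line and not line[0].isspace():
            current = None  # a new top-level command ends the VRF block
        elif current is not None:
            m = RT_RE.match(line)
            if m:
                kinds = ("import", "export") if m.group(1) == "both" else (m.group(1),)
                for kind in kinds:
                    current[kind].add(m.group(2))
    return vrfs


def find_rt_leaks(configs):
    """List (pe, vrf, rt, exporting_vrfs) where a VRF imports another VRF's RT."""
    parsed = {pe: parse_vrfs(text) for pe, text in configs.items()}
    exporters = defaultdict(set)  # route target -> VRF names exporting it
    for vrfs in parsed.values():
        for name, rts in vrfs.items():
            for rt in rts["export"]:
                exporters[rt].add(name)
    leaks = []
    for pe, vrfs in sorted(parsed.items()):
        for name, rts in sorted(vrfs.items()):
            for rt in sorted(rts["import"]):
                foreign = sorted(exporters[rt] - {name})
                if foreign:
                    leaks.append((pe, name, rt, foreign))
    return leaks
```

Calling `find_rt_leaks(SAMPLE_CONFIGS)` reports only PE03's extra import. A finding is a prompt for review rather than proof of a fault, since shared-services designs import another VRF's route target on purpose.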
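Added example, not part of the original post: the per-router label ranges make it possible to read a traceroute's label stack mechanically. This Python sketch decodes the post's traceroute hops, names the router that allocated each label, and checks that the bottom (VPN) label stays constant while the transport label changes hop by hop; PE02's range is an assumption inferred from the post's "10000 for PE01 ... 60000 for PE06", and the function names are hypothetical.

```python
import re

# Ranges for P01-P06, PE01 and PE05 are the ones configured in the post.
# PE02's range is an assumption, inferred from the post's statement that the
# PE ranges run from 10000 (PE01) to 60000 (PE06).
LABEL_RANGES = {
    "P01": (100, 199), "P02": (200, 299), "P03": (300, 399),
    "P04": (400, 499), "P05": (500, 599), "P06": (600, 699),
    "PE01": (10000, 19999), "PE02": (20000, 29999), "PE05": (50000, 59999),
}

# Hop lines copied from the traceroute output in the post.
TRACE = """\
  1 192.168.1.254 9 msec 2 msec 2 msec
  2 10.1.11.1 [MPLS: Labels 125/20034 Exp 0] 33 msec 5 msec 1 msec
  3 10.1.2.2 [MPLS: Labels 223/20034 Exp 0] 10 msec 17 msec 14 msec
  4 192.168.2.254 [MPLS: Label 20034 Exp 0] 10 msec 13 msec 10 msec
  5 192.168.2.2 17 msec *  21 msec
"""

HOP_RE = re.compile(
    r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)(?:\s+\[MPLS: Labels? ([\d/]+) Exp \d+\])?"
)


def label_owner(label):
    """Name the router whose configured range contains this label, if any."""
    for router, (low, high) in LABEL_RANGES.items():
        if low <= label <= high:
            return router
    return None


def decode_trace(trace):
    """Return [(hop, address, [(label, allocating_router), ...]), ...]."""
    hops = []
    for line in trace.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        stack = [int(x) for x in m.group(3).split("/")] if m.group(3) else []
        hops.append((int(m.group(1)), m.group(2),
                     [(lbl, label_owner(lbl)) for lbl in stack]))
    return hops


def vpn_labels(hops):
    """Bottom label of every labelled hop; it should not change in transit."""
    return {stack[-1][0] for _, _, stack in hops if stack}


if __name__ == "__main__":
    for hop, addr, stack in decode_trace(TRACE):
        print(hop, addr, stack or "unlabelled")
```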


u/the-packet-thrower