Category Archives: BGP

vSONIC Virtual Switch on EVE-NG

BGP, Cisco, IOS-XR, Juniper, Junos, Networking, NFV, SDN, , , , , , , , , ,

SONiC is an open source network operating system based on Linux that runs on switches from multiple vendors and ASICs. SONiC offers a full-suite of network functionality, like BGP and OSPF, VXLAN that has been production-hardened in the data centers of some of the largest cloud-service providers.

The community around SONiC has been growing and includes Juniper including Apstra, Arista, Nokia, Alibaba, Comcast, Cisco, Broadcom, Nvidia-Mellanox and VMware. SONiC underpins Microsoft’s Azure networking services. According to IDC, a SONiC data-center switch market will be worth $2 billion by 2024.

Some term it as ‘Linux of Networking’.

In this blog, we will see how to spin up a sample topology using vSONIC Virtual Switch on EVE-NG.

To start with, we will use mssonic.yml file which lists the generic parameters for spinning up the instance.

  1. Copy mssonic.yml file into “/opt/unetlab/html/templates/intel” or “/opt/unetlab/html/templates/amd” based on your cpu. In my case, I am using EVE-NG on macbook so I have used Intel.

root@eve-ng:~# ls -l /opt/unetlab/html/templates/intel/ | grep mssonic

-rw-r–r– 1 root root 1993 Jul 30 22:41 mssonic.yml

root@eve-ng:~#

2. Create a folder under “opt/unetlab/addons/qemu/” with name “mssonic-version/” like “mssonic-3.1.2”.

Keyword “mssonic” is important as using this only, eve-ng will recognize this image.

root@eve-ng:~# ls -l /opt/unetlab/addons/qemu/ | grep ms

drwxr-xr-x 2 root root 4096 Jul 30 22:48 mssonic-3.1.2

root@eve-ng:~#

https://github.com/Broadcom/sonic-VirtualSwitch/tree/master/3.1.2

3. Gunzip the .gz file to extract the image file.

root@eve-ng:/opt/unetlab/addons/qemu/mssonic-3.1.2# gunzip sonic-vs-3.1.2.img.gz

root@eve-ng:/opt/unetlab/addons/qemu/mssonic-3.1.2# ls -l

total 2380932

-rw-r–r– 1 root root 2438070272 Jul 30 22:55 sonic-vs-3.1.2.img

4. Rename sonic-vs-3.1.2.img to virtioa.qcow2. Please make sure to rename only and don’t convert it.

root@eve-ng:/opt/unetlab/addons/qemu/mssonic-3.1.2# mv sonic-vs-3.1.2.img virtioa.qcow2

root@eve-ng:/opt/unetlab/addons/qemu/mssonic-3.1.2# ls -l

total 2380932

-rw-r–r– 1 root root 2438070272 Jul 30 22:58 virtioa.qcow2

5. Fix the permissions as usual on eve-ng.

root@eve-ng:/opt/unetlab/addons/qemu/mssonic-3.1.2# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

root@eve-ng:/opt/unetlab/addons/qemu/mssonic-3.1.2#

Now we all set to use this under EVE-NG

I have made a simple leaf-spine topology using Sonic Virtual Switches

6. Open the Eve-NG UI.

Add the new Node, and select Sonic Router as below.

7. Change any settings here if you need however defaults should be good.

8. I have built a simple Leaf-Spine topology using 4 Sonic VS.

9. Start one or more Switches and let it boot.

Trying 172.16.137.130…

Connected to 172.16.137.130.

Escape character is ‘^]’.

Jul 31 15:30:59.295935 2021 sonic INFO sonic-ztp[3850]: ZTP service started.

Jul 31 15:30:59.295971 2021 sonic INFO sonic-ztp[3850]: Failed to set system MAC address as the random number generator seed input.

Jul 31 15:30:59.295999 2021 sonic INFO sonic-ztp[3850]: Checking running configuration to load ZTP configuration profile.

Jul 31 15:30:59.893505 2021 sonic INFO sonic-ztp[3845]: Waiting for system online status before continuing ZTP. (This may take 30–120 seconds).

Debian GNU/Linux 9 sonic ttyS0

Jul 31 15:31:34.932822 System is ready

Jul 31 15:31:36.290136 2021 sonic INFO sonic-ztp[3845]: System is ready to respond.

Jul 31 15:31:36.308466 2021 sonic INFO sonic-ztp[3850]: Link up detected for interface Ethernet0

Jul 31 15:31:36.308525 2021 sonic INFO sonic-ztp[3850]: Link up detected for interface Ethernet1

Jul 31 15:31:36.308554 2021 sonic INFO sonic-ztp[3850]: Link up detected for interface Ethernet2

Jul 31 15:31:36.308581 2021 sonic INFO sonic-ztp[3850]: Link up detected for interface Ethernet3

Jul 31 15:31:36.308609 2021 sonic INFO sonic-ztp[3850]: Link up detected for interface Ethernet4

Jul 31 15:31:36.308637 2021 sonic INFO sonic-ztp[3850]: Link up detected for interface Ethernet5

Jul 31 15:31:36.308664 2021 sonic INFO sonic-ztp[3850]: Link up detected for interface Ethernet6

Jul 31 15:31:36.308741 2021 sonic INFO sonic-ztp[3850]: Link up detected for interface Ethernet7

Jul 31 15:31:36.308769 2021 sonic INFO sonic-ztp[3850]: Link up detected for interface Ethernet8

Jul 31 15:31:36.308821 2021 sonic INFO sonic-ztp[3850]: Link up detected for interface Ethernet9

Jul 31 15:31:36.308850 2021 sonic INFO sonic-ztp[3850]: Link up detected for interface Ethernet10

Jul 31 15:31:36.309163 2021 sonic INFO sonic-ztp[3850]: Link up detected for interface Ethernet11

Jul 31 15:31:36.340452 2021 sonic INFO sonic-ztp[3850]: Link up detected for interface Ethernet12

Jul 31 15:31:36.340489 2021 sonic INFO sonic-ztp[3850]: Link up detected for interface Ethernet13

Jul 31 15:31:36.340761 2021 sonic INFO sonic-ztp[3850]: Link up detected for interface Ethernet14

Default username/pwd – admin/YourPaSsWoRd

10. Once up and running, you would see lots of ztp related messages which can be disabled using below command.

sudo config ztp disable

sudo config save -y

11. Once done, you can go into sonic cli, using sonic-cli

admin@sonic:~$ sonic-cli

sonic#

sonic#

sonic# ?

  clear        Clear commands

  configure    Enter configuration mode

  copy         Perform file copy operations

  exit         Exit from the CLI

  fast-reboot  fast-reboot [options] (-h shows help)

  image        Image related commands

  logger       Enter messages into the system log

  no           No commands under Exec mode

  ping         Send ICMP ECHO_REQUEST to network hosts

  ping6        Send ICMPv6 ECHO_REQUEST to network hosts

  reboot       reboot [options] (-h shows help)

  renew        Renew commands

  show         Show running system information

  terminal     Set terminal settings

  tpcm         SONiC image installation manager

  traceroute   Print the route packets take to the host

  traceroute6  Print the route packets take to the IPv6 host

  warm-reboot  warm-reboot [options] (-h shows help)

  write        Save config

sonic#

to prove its working, lets configure IP Addresses on Interfaces and see if we can ping each other.

On Leaf-1:

sonic(config)# hostname leaf-1

leaf-1#

leaf-1#

leaf-1#

leaf-1#

leaf-1# show running-configuration interface Ethernet 0

!

interface Ethernet0

 mtu 9100

 speed 25000

 fec none

 no shutdown

 ip address 10.10.10.2/30

leaf-1#

On Spine-1:

spine-1# show running-configuration interface Ethernet0

!

interface Ethernet0

 mtu 9100

 speed 25000

 fec none

 no shutdown

 ip address 10.10.10.1/30

spine-1#

12. Ping the other end to find everything is working

spine-1# ping 10.10.10.2

PING 10.10.10.2 (10.10.10.2) 56(84) bytes of data.

64 bytes from 10.10.10.2: icmp_seq=1 ttl=64 time=5.32 ms

64 bytes from 10.10.10.2: icmp_seq=2 ttl=64 time=1.34 ms

^C

— 10.10.10.2 ping statistics —

2 packets transmitted, 2 received, 0% packet loss, time 1001ms

rtt min/avg/max/mdev = 1.349/3.336/5.323/1.987 ms

spine-1#

That’s all, hope you like it.. In next sessions, we can go through some more specific scenarios around it.

Advertisement

Connecting OpendayLight to Juniper Routers via Netconf

Automation, BGP, JNCIP, JNCIS, Juniper, Junos, MPLS, Networking, NFV, SDN, , , , , , , , ,

Hi All

In this blog, we will look at configuring Juniper routers via Opendaylight which in turn uses netconf/restconf for making the connection.

Before we can start doing the configuration we need to create a Netconf connector between Opendaylight and Juniper routers. Also before that let’s first see what NETCONF is 🙂

Network Configuration Protocol (NETCONF) provides a mechanism to install, manipulate and delete the configuration of network devices. It uses an Extensible Markup Language (XML) based data encoding for the configuration data as well as the protocol messages. The NETCONF protocol operations are realized as remote procedure calls (RPCs).

OpenDaylight uses YANG modules to access the device via NETCONF and we can do config as well. In this post we will see how to configure ODL for NETCONF connections. This is tried method so please do this as listed and I have seen others methods may not work properly.

Below topology we will be using in this blog.

  • Juniper MXs are running on 18.2R1 and 17.4R1
  • OpendayLight Release is Oxygen 0.8.2

 

ODL-Netconf-Juniper1) In First instance, you need to enable netconf on Juniper

write@Manchester> show configuration system services netconf
ssh {
    connection-limit 10;
    rate-limit 5;
}
rfc-compliant;
yang-compliant;

 

2) Download the 0.8.2 Oxygen Tar file from Opendaylight website and untar it.

Command “ tar –xvf karaf-0.8.2.tar.gz

This will create a directory called karaf-0.8.2 in same directory structure.

[root@Opendaylight-2 sun]# ls -l | grep karaf-0.8.2
drwxr-xr-x. 13 root root      4096 Jul 26 15:42 karaf-0.8.2
-rw-rw-r--.  1 sun  sun  358590049 Jul 24 13:46 karaf-0.8.2.tar.gz

 

3) Now create a file called, 99-netconf-connector.xml and paste the following contents in it




  
    
      
        
        
          prefix:sal-netconf-connector
          controller-config
          
10.198.206.3

          830
          write
          write
          false
          true
            
                
                    http://xml.juniper.net/xnm/1.1/xnm?module=configuration&revision=2018-01-01
                
            
          
            prefix:netty-event-executor
            global-event-executor
          
          
            prefix:binding-broker-osgi-registry
            binding-osgi-broker
          
          
            prefix:dom-broker-osgi-registry
            dom-broker
          
          
            prefix:netconf-client-dispatcher
            global-netconf-dispatcher
          
          
            prefix:threadpool
            global-netconf-processing-executor
          
          
            prefix:scheduled-threadpool
            global-netconf-ssh-scheduled-executor
          
        
        
    
  
  
      urn:opendaylight:params:xml:ns:yang:controller:md:sal:connector:netconf?module=odl-sal-netconf-connector-cfg&revision=2015-08-03

You have to change the details for the values mentioned in Red above according to first device you are trying to add. Don’t change anything else. However if your Junos version is other than 18.2 then you need to check the revision number of yang modules and put the correct date for field in Green above.

Once done, save the file.

4)  Now start the opendaylight using command:

[root@Opendaylight-2 sun]# ./karaf-0.8.2/bin/karaf
Apache Karaf starting up. Press Enter to open the shell now...
100% [========================================================================]
Karaf started in 18s. Bundle stats: 388 active, 389 total
    ________                       ________                .__  .__       .__     __
    \_____  \ ______   ____   ____ \______ \ _____  ___.__.|  | |__| ____ |  |___/  |_
     /   |   \\____ \_/ __ \ /    \ |    |  \\__  \ >  ___/|   |  \|    `   \/ __ \\___  ||  |_|  / /_/  >   Y  \  |
    \_______  /   __/ \___  >___|  /_______  (____  / ____||____/__\___  /|___|  /__|
            \/|__|        \/     \/        \/     \/\/            /_____/      \/

Hit '' for a list of available commands
and '[cmd] --help' for help on a specific command.
Hit '' or type 'system:shutdown' or 'logout' to shutdown OpenDaylight.
opendaylight-user@root>

 

Install following packages, you don’t have to add any other at this moment of time:

feature:install odl-netconf-topology odl-restconf odl-netconf-connector-all

After installing, copy the file 99-netconf-connector.xml created above under directory karaf-0.8.2/etc/opendaylight/karaf/

cp 99-netconf-connector.xml karaf-0.8.2/etc/opendaylight/karaf/

 

5) After this, using POSTMAN or similar application, send a PUT request to following URL

PUT http://&lt;CONTROLLER-IP-ADDRESS:8181>/restconf/config/network-topology:network-topology/topology/topology-netconf/node/<node-name>

Same as before change the values in Red and Green accordingly for your case.

   node-name
   10.198.206.3
   830
   write
   write
   false
   0
   
    
	 http://xml.juniper.net/xnm/1.1/xnm?module=junos-common-types&revision=2018-01-01
	
	    
	 http://xml.juniper.net/xnm/1.1/xnm?module=module=junos-conf-root&revision=2018-01-01

 

6) After this restart the opendaylight

opendaylight-user@root>system:shutdown
Confirm: halt instance root (yes/no): yes
opendaylight-user@root>

[root@Opendaylight-2 sun]# ./karaf-0.8.2/bin/karaf
Apache Karaf starting up. Press Enter to open the shell now...
opendaylight-user@root>

At this point you should some messages like as mentioned in Karaf_Logs after adding the netconf-connector. Let it run..it may take 10-20 minutes from here which is basically ODL is pulling all the Juniper Yang modules in its cache/schema folder.

Once that is done you should see the below message in karaf log which you can see using log:tail from opendaylight shell prompt.

| INFO  | sing-executor-22 | NetconfDevice   | 304 - org.opendaylight.netconf.sal-netconf-connector - 1.7.2 | RemoteDevice{Manchester}: Netconf connector initialized successfully

Once you get the message, your node has been mounted which you can check using GET request at following URL

GET http:// <CONTROLLER-IP-ADDRESS:8181/restconf/operational/network-topology:network-topology/topology/topology-netconf/node/<Node-name>/yang-ext:mount/

GET-Mount

Now its ready to configure 🙂

Let’s configure a sample L3VPN using this

See the snapshot which is basically a PUT request with XML payload

Send-L3VPN-Request

Lets’s verify

write@Manchester> show configuration routing-instances odl-test
instance-type vrf;
interface xe-0/2/0.4000;
route-distinguisher 10.198.206.41:4000;
vrf-target target:2856:4000;
vrf-table-label;
routing-options {
    multipath;
    protect core;
}
protocols {
    bgp {
        group ebgp {
            type external;
            peer-as 65101;
            as-override;
            neighbor 7.7.7.7 {
                authentication-key "$9$CuyoAORhclMLNylJDkP3nylKvWx"; ## SECRET-DATA
                bfd-liveness-detection {
                    minimum-interval 100;
                    multiplier 3;
                }
            }
        }
    }
}

 

Here you go.. its working 🙂

That’s all for today.. I will do a separate blog for other service configurations via ODL. Let me know if you have any questions.

 

Bbye

Mohit

PCEP Initiated LSP using OpenDayLight and Juniper vMX

Automation, BGP, JNCIP, JNCIS, Juniper, Junos, MPLS, Networking, NFV, OSPF, RSVP, SDN, , , , , , , , , , , , , , ,

Hi All

In this post, we will look at Open day light controller working with Juniper vMXs and how we can use the controller to get the BGP, BGP-LS and PCEP working. Once everything is up and running we will use the Controller to initiate the PCEP initiated MPLS LSPs between 2 VMXs.

Sounds interesting? Let’s see how we can achieve this.

Before I go further, if you want to check anything on PCEP and some of its concept, I did a post on Juniper Northstar Controller some time ago which you can check.

https://networkzblogger.com/2017/03/17/juniper-northstar-wan-sdn-controller/

Below is the topology we will be using where all Juniper VMXs are loaded in Virtual Control Plane mode and they have fxp0 interface in 192.168.71.x subnet. Open day light controller version is Nitrogen and we have booted it on CentOS 7.5 version.

There is Windows VM in same subnet also from where we will run the REST APIs calls to Open day light using POSTMAN App.

Topology Diagram
Topology Diagram

 

We will divide the post into 3 parts.

  • Configuring BGP/BGP-Link state between ODL and 192.168.71.24 VMX-3.
  • Configuring PCEP session between all VMXs and ODL
  • Initiate MPLS LSP from ODL using PCEP

I am assuming that you already know how to start an ODL controller. However if you don’t know let me know and I can help you.

So lets start with 1) Configuring BGP/BGP-Link state between ODL and 192.168.71.24 VMX-3.

If you already don’t know, Open day light versions in recent times doesn’t come auto-installed with all the features. You have to manually add them. You don’t need to download them individually. It’s just you need to activate them.

We will be configure the BGP and BGP-LS on VMX-3 first

Standard BGP config with IPv4 Unicast address family however for BGP-LS we have to enable a separate family traffic-engineering additionally.

root@VMX-3> show configuration protocols bgp
group opendaylight {
 type internal;
 description Controller;
 local-address 192.168.71.24;
 family inet {
 unicast;
 }
 family traffic-engineering {
 unicast;
 }
 peer-as 2856;
 neighbor 192.168.71.22;
}

On ODL side, First install the BGP and restconf feature on karaf console using command

feature:install odl-restconf odl-bgpcep-bgp

Then using REST API we will enable the BGP Router-ID with Link State family

POST URL : 192.168.71.22:8181/restconf/config/openconfig-network-instance:network-instances/network-instance/global-bgp/openconfig-network-instance:protocols

POST Request_BGP Router ID
POST Request_BGP Router ID

Then Configure the peer 192.168.71.24 with specific BGP Parameters and families

POST URL: 192.168.71.22:8181/restconf/config/openconfig-network-instance:network-instances/network-instance/global-bgp/openconfig-network-instance:protocols/protocol/openconfig-policy-types:BGP/bgp-test-odl/bgp/neighbors

POST Request_BGP Peer
POST Request_BGP Peer

We can check the status of BGP peering off course from VMX side but let’s see what comes up from ODL side

GET URL: 192.168.71.22:8181/restconf/operational/bgp-rib:bgp-rib/rib/bgp-test-odl/peer/bgp:%2F%2F3.3.3.3

GET Request_BGP Peering
GET Request_BGP Peering

From VMX side:

root@VMX-3> show bgp neighbor
Peer: 192.168.71.22+27755 AS 2856 Local: 192.168.71.24+179 AS 2856
 Description: Controller
 Group: opendaylight Routing-Instance: master
 Forwarding routing-instance: master
 Type: Internal State: Established Flags: <Sync>
 Last State: OpenConfirm Last Event: RecvKeepAlive
 Last Error: None
 Options: <Preference LocalAddress LogUpDown AddressFamily PeerAS Refresh>
 Options: <VpnApplyExport DropPathAttributes>
 Address families configured: inet-unicast te-unicast
 Path-attributes dropped: 128
 Local Address: 192.168.71.24 Holdtime: 90 Preference: 170
 Number of flaps: 2
 Last flap event: RecvNotify
 Error: 'Cease' Sent: 0 Recv: 33
 Peer ID: 192.168.71.22 Local ID: 3.3.3.3 Active Holdtime: 90
 Keepalive Interval: 30 Group index: 0 Peer index: 0 SNMP index: 0
 I/O Session Thread: bgpio-0 State: Enabled
 BFD: disabled, down
 NLRI for restart configured on peer: inet-unicast te-unicast

 

BGP-LS configuration we did will be used to advertise the Traffic Engineering database to Controller. You can see the routes advertised using lsdist.0 table in juniper.

Snippet below:

root@VMX-3> show route table lsdist.0
lsdist.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
NODE { AS:2856 Area:0.0.0.0 IPv4:2.2.2.2 OSPF:0 }/1152
 *[OSPF/10] 02:02:38
 Fictitious
NODE { AS:2856 Area:0.0.0.0 IPv4:3.3.3.3 OSPF:0 }/1152
 *[OSPF/10] 02:02:43
 Fictitious
NODE { AS:2856 Area:0.0.0.0 IPv4:4.4.4.4 OSPF:0 }/1152
 *[OSPF/10] 02:02:38
 Fictitious
NODE { AS:2856 Area:0.0.0.0 IPv4:4.4.4.4-192.168.71.26 OSPF:0 }/1152
 *[OSPF/10] 02:02:31
 Fictitious
LINK { Local { AS:2856 Area:0.0.0.0 IPv4:2.2.2.2 }.{ IPv4:192.168.71.23 } Remote { AS:2856 Area:0.0.0.0 IPv4:4.4.4.4-192.168.71.26 }.{ } OSPF:0 }/1152
 *[OSPF/10] 02:02:31
 Fictitious
..
…
…

 

2) Now let’s configure the PCEP

On VMX (This will be repeated on all with change in local address)

root@VMX-3> show configuration protocols pcep
pce odl {
 local-address 192.168.71.24;
 destination-ipv4-address 192.168.71.22;
 destination-port 4189;
 pce-type active stateful;
 lsp-provisioning;
 p2mp-lsp-report-capability;
}

If you have any firewall, make sure to allow port 4189 between Controller and VMXs.

On ODL, we need to install odl-bgpcep-pcep feature

There is no other config to do. As soon as you install this feature, you should see PCEP status up.

Let’s see it from VMX-4

 

root@VMX-4> show path-computation-client status
Session Type            Provisioning Status
odl     Stateful Active On           Up

LSP Summary
 Total number of LSPs : 0
 Static LSPs : 0
 Externally controlled LSPs : 0
 Externally provisioned LSPs : 0/16000 (current/limit)
 Orphaned LSPs : 0

odl (main)
 Delegated : 0
 Externally provisioned : 0

From ODL side:

GET Request_PCEP Status
GET Request_PCEP Status

3)      PCEP Initiated LSP

Now, we will configure the LSP from VMX-3 to VMX-4 between their Loopback IPs.

POST URL: 192.168.71.22:8181/restconf/operations/network-topology-pcep:add-lsp

You can see we haven’t given any ERO while provisioning the LSP. ODL has auto calculated the path and you can verify in VMX-3

PCEP LSP ADD with No Ero
PCEP LSP ADD with No Ero

root@VMX-3> show mpls lsp name test-pcep-2 extensive
Ingress LSP: 1 sessions

4.4.4.4
 From: 3.3.3.3, State: Up, ActiveRoute: 0, LSPname: test-pcep-2
 ActivePath: (primary)
 LSPtype: Externally provisioned, Penultimate hop popping
 LSP Control Status: Externally controlled
 LoadBalance: Random
 Encoding type: Packet, Switching type: Packet, GPID: IPv4
 LSP Self-ping Status : Enabled
 *Primary State: Up, Preference: 200
 Priorities: 0 0
 External Path CSPF Status: external
 SmartOptimizeTimer: 180
 Flap Count: 0
 MBB Count: 0
 Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt 20=Node-ID):
 192.168.71.26(Label=0)
 12 May 24 12:10:08.334 Self-ping ended successfully
 11 May 24 12:10:07.830 EXTCTRL LSP: Sent Path computation request and LSP status
 10 May 24 12:10:07.830 EXTCTRL_LSP: Computation request/lsp status contains: signalled bw 0 req BW 0 admin group(exclude 0 include any 0 include all 0) priority setup 0 hold 0
 9 May 24 12:10:07.829 Selected as active path
 8 May 24 12:10:07.828 EXTCTRL LSP: Sent Path computation request and LSP status
 7 May 24 12:10:07.828 EXTCTRL_LSP: Computation request/lsp status contains: signalled bw 0 req BW 0 admin group(exclude 0 include any 0 include all 0) priority setup 0 hold 0
 6 May 24 12:10:07.828 Up
 5 May 24 12:10:07.828 Self-ping started
 4 May 24 12:10:07.828 Self-ping enqueued
 3 May 24 12:10:07.828 Record Route: 192.168.71.26(Label=0)
 2 May 24 12:10:07.824 Originate Call
 1 May 24 12:10:07.824 EXTCTRL_LSP: Received setup parameters ::
 Created: Thu May 24 12:10:07 2018
Total 1 displayed, Up 1, Down 0

 

You can do various operations like Deleting LSP, Modifying LSP etc from REST API.

One thing which we can’t do at the moment using PCEP is configuring Point to Multipoint LSP as standard is still being drafted for this but I hope it will come out soon.

So that’s all for now, I hope you enjoyed it and let me know your feedback.

 

Regards

Mohit

 

EVPN in JunOS

BGP, JNCIP, JNCIS, Juniper, Junos, MPLS, Networking, RSVP, , , , , ,

Hi All

This time we will be looking at EVPN, its configuration on JunOS and how it is different from VPLS.

Currently if service provider has to join customer’s multiple sites via Layer 2, only option is VPLS. VPLS can be LDP based or BGP based.

BGP based VPLS has advantages that you can use RRs to scale however VPLS as a whole has a disadvantages that:

  • We can’t do active-active multihoming with both links from CE to PE.
  • Control plane MAC-Learning is not possible.
  • L2 Loop detection is not possible.
  • VPLS consumes less in control plane however more MPLS labels (because MAC learning relies on a different label for each remote site) than EVPN.

EVPN is immune to all the above problems and it’s only based upon BGP so we don’t have to fight between LDP vs BGP advantages.

Underlying EVPN can be used with VXLAN or MPLS however solution which I am going to discuss is based upon MPLS.

Look at the diagram below. We have 3 sites basically 3 VMs all part of same IP Network and they are connected to same EVPN instances on 3 different Juniper routers via switch in their path.

EVPN
EVPN Topology

Let’s see config on Manchester Juniper PE router.

You can see its fairly straightforward config with same parameters as L3VPNs except instance-type is evpn and we need to use protocols evpn to define parameters to limit the mac and ip if we want.

write@re1.Manchester > show configuration routing-instances evpn-1
instance-type evpn;
vlan-id 1200;
interface xe-1/0/0:0.1200;
route-distinguisher 10.198.206.41:1200;
vrf-target target:2856:1200;
protocols {
 evpn {
 interface-mac-limit {
 1000;
 packet-action drop;
 }
 interface-mac-ip-limit {
 1000;
 }
 interface xe-1/0/0:0.1200;
 label-allocation per-instance;
 }
}

From RR point of view, we need to add family evpn under BGP on all PEs and RR.

write@re1.Manchester > show configuration protocols bgp
path-selection external-router-id;
advertise-from-main-vpn-tables;
log-updown;
drop-path-attributes 128;
authentication-algorithm md5;
vpn-apply-export;
tcp-mss 4096;
group LAB-RR {
 type internal;
 local-address 10.198.206.41;
 family inet-vpn {
 unicast;
 family l2vpn {
 signaling;
 }
 family evpn {
 signaling;
 }
 neighbor 10.198.206.46;
}

We will be doing the same configs on rest 2 PEs.

write@re1.Manchester > show evpn instance evpn-1 extensive
Instance: evpn-1
 Route Distinguisher: 10.198.206.41:1200
 VLAN ID: 1200
 Per-instance MAC route label: 119
 Per-instance multicast route label: 120
 Duplicate MAC detection threshold: 5
 Duplicate MAC detection window: 180
 MAC database status Local Remote
 MAC advertisements: 1 2
 MAC+IP advertisements: 1 2
 Default gateway MAC advertisements: 0 0
 Number of local interfaces: 3 (3 up)
 Interface name ESI Mode Status AC-Role
 et-1/1/0.1200 00:00:00:00:00:00:00:00:00:00 single-homed Up Root
 xe-1/0/0:0.1200 00:00:00:00:00:00:00:00:00:00 single-homed Up Root
 xe-1/0/0:0.1210 00:00:00:00:00:00:00:00:00:00 single-homed Up Root
 Number of IRB interfaces: 0 (0 up)
 Number of protect interfaces: 0
 Number of bridge domains: 1
 VLAN Domain ID Intfs / up IRB intf Mode MAC sync IM route label SG sync IM core nexthop
 1200 3 3 Extended Enabled 120 Enabled
 Number of neighbors: 4
 Address MAC MAC+IP AD IM ES Leaf-label
 10.198.206.42 0 0 0 1 0
 10.198.206.43 1 1 0 1 0
 10.198.206.44 0 0 0 1 0
 10.198.206.45 1 1 0 1 0
 Number of ethernet segments: 0

Some key take away from above is that due to config “label-allocation per-instance” we are seeing one MPLS Label for the whole EVPN routing instance.

write@re1.Manchester > show route table mpls.0 label 119
mpls.0: 45 destinations, 45 routes (45 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

119 *[EVPN/7] 3d 20:05:21, routing-instance evpn-1, route-type Ingress-MAC, vlan-id 1200
 to table evpn-1.evpn-mac.0

ESI (Ethernet Segment Identifier) is all zeros for PE which is single homed to CE. In active-active multihoming, an Ethernet segment appears as a LAG to the CE device.

Let’s check the mac-table on PE. So you can see   00:0c:29:34:04:26 is learned dynamically by Manc PE over xe-1/0/0:0/1200 interface. This is still Data Plane learning and with EVPN there is no difference. However look at MAC Flags for other 2 MAC addresses. DC corresponds to Dynamic Control MAC means they are learned via Control Plane (using BGP)

write@re1.Manchester > show evpn mac-table instance evpn-1
MAC flags       (S -static MAC, D -dynamic MAC, L -locally learned, C -Control MAC
O -OVSDB MAC, SE -Statistics enabled, NM -Non configured MAC, R -Remote PE MAC, P -Pinned MAC)
Routing instance : evpn-1
Bridging domain : __evpn-1__, VLAN : 1200
MAC                         MAC      Logical          NH     MAC         active
address                    flags    interface        Index  property    source
00:0c:29:34:04:26   D        xe-1/0/0:0.1200
00:0c:29:37:55:3d   DC                        1048585            10.198.206.43
00:0c:29:55:5a:45   DC                        1048584            10.198.206.45

Evpn has also learned the IP Address and added in arp-table so you can see MAC/IP Association.

write@re1.Manchester > show evpn arp-table instance evpn-1
INET MAC Logical Routing Bridging
address address interface instance domain
10.10.10.3 00:0c:29:34:04:26 xe-1/0/0:0.1200 evpn-1 __evpn-1__
10.10.10.4 00:0c:29:37:55:3d evpn-1 __evpn-1__
10.10.10.2 00:0c:29:55:5a:45 evpn-1 __evpn-1__

Same thing you can see in routing table as well.

There are several types of routes in EVPN, Type 1, 2, 3, 5, 6 etc.. Type 2 is MAC and IP Route which shows relationship between them however Junos shows that also in 2 ways. Type 2 route as pure MAC and type 2 route as MAC/IP.

Type 3 routes are required for Broadcast, Unknown Unicast and Multicast (BUM) traffic delivery across EVPN networks. Type 3 advertisements provide information about P-tunnels that should be used to send BUM traffic. Without Type 3 advertisements, ingress router would not know how to deliver BUM traffic to other PE devices that comprise given EVPN instance.

write@re1.Manchester > show route table evpn-1
evpn-1.evpn.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2:10.198.206.41:1200::1200::00:0c:29:34:04:26/304 MAC/IP
 *[EVPN/170] 3d 19:18:39
 Indirect
2:10.198.206.43:1200::1200::00:0c:29:37:55:3d/304 MAC/IP
 *[BGP/170] 1d 02:03:17, localpref 100, from 10.198.206.46
 AS path: I, validation-state: unverified
 > to 30.30.30.2 via xe-0/0/0:1.0
2:10.198.206.45:1200::1200::00:0c:29:55:5a:45/304 MAC/IP
 *[BGP/170] 03:13:24, localpref 100, from 10.198.206.46
 AS path: I, validation-state: unverified
 > to 30.30.30.14 via et-0/1/0.0, Push 945
2:10.198.206.41:1200::1200::00:0c:29:34:04:26::10.10.10.3/304 MAC/IP
 *[EVPN/170] 3d 19:18:34
 Indirect
2:10.198.206.43:1200::1200::00:0c:29:37:55:3d::10.10.10.4/304 MAC/IP
 *[BGP/170] 01:53:03, localpref 100, from 10.198.206.46
 AS path: I, validation-state: unverified
 > to 30.30.30.2 via xe-0/0/0:1.0
2:10.198.206.45:1200::1200::00:0c:29:55:5a:45::10.10.10.2/304 MAC/IP
 *[BGP/170] 03:13:24, localpref 100, from 10.198.206.46
 AS path: I, validation-state: unverified
 > to 30.30.30.14 via et-0/1/0.0, Push 945
3:10.198.206.41:1200::1200::10.198.206.41/248 IM
 *[EVPN/170] 6d 22:17:38
 Indirect
3:10.198.206.42:1200::1200::10.198.206.42/248 IM
 *[BGP/170] 03:13:24, localpref 100, from 10.198.206.46
 AS path: I, validation-state: unverified
 > to 30.30.30.14 via et-0/1/0.0
3:10.198.206.43:1200::1200::10.198.206.43/248 IM
 *[BGP/170] 1d 02:03:17, localpref 100, from 10.198.206.46
 AS path: I, validation-state: unverified
 > to 30.30.30.2 via xe-0/0/0:1.0
3:10.198.206.44:1200::1200::10.198.206.44/248 IM
 *[BGP/170] 1d 02:03:17, localpref 100, from 10.198.206.46
 AS path: I, validation-state: unverified
 > to 30.30.30.6 via xe-0/0/0:2.0
3:10.198.206.45:1200::1200::10.198.206.45/248 IM
 *[BGP/170] 03:13:24, localpref 100, from 10.198.206.46
 AS path: I, validation-state: unverified
 > to 30.30.30.14 via et-0/1/0.0, Push 945

 

Let’s do a ping test from VM (10.10.10.4) connected to London to VM (10.10.10.3) connected to Manchester PE via EVPN Network.

For completeness, I have shown the arp-table for London EVPN-1.

write@re0.London > show evpn arp-table instance evpn-1
INET MAC Logical Routing Bridging
address address interface instance domain
10.10.10.3 00:0c:29:34:04:26 evpn-1 __evpn-1__
10.10.10.4 00:0c:29:37:55:3d xe-0/2/0.1200 evpn-1 __evpn-1__
10.10.10.2 00:0c:29:55:5a:45 evpn-1 __evpn-1__

You can see Ping works without any loss.

Ping

So that’s all for EVPN. Let me know if you have any queries and I hope to show you more in next blogs about EVPN.

BBye 🙂

Mohit

vrf-table-label on Juniper JunOS

BGP, Cisco, Juniper, Junos, MPLS, Networking, , , , , , , , , ,

In this blog we will discuss about one important knob in JunOS i.e vrf-table-label.

Vrf-table-label is useful for 2 purposes in Junos

  1. Save label space
  2. Perform 2 lookup on packet

So let’s understand it more. We will start with 1st point above

Junos by default allocates same VPN Label to prefixes recieved from one CE Interface. So for example if you have 2 CEs connected via 2 different interfaces and they are in same VPN on PE then Junos will allocate 2 different VPN labels to the prefixes recieved. In Cisco this is different where VPN label is allocated on per prefix which according to some is not optimal but we are not comparing anything here.

Currently in our configuration vrf-table-label is not configured. If you see below, we have 2 CEs connected to Juniper M320 PE1 via 2 different interfaces and we have Ebgp relationship between them and we are receiving some routes over it.

PE1-re1> show route 10.203.20.6
MVPN-1.inet.0: 46 destinations, 77 routes (46 active, 0 holddown, 0 hidden)
Restart Complete
+ = Active Route, – = Last Active, * = Both

10.203.20.4/30 *[Direct/0] 3d 00:21:55
> via ge-0/3/2.20

PE1-re1> show route 10.203.12.2
MVPN-1.inet.0: 46 destinations, 77 routes (46 active, 0 holddown, 0 hidden)
Restart Complete
+ = Active Route, – = Last Active, * = Both

10.203.12.0/30 *[Direct/0] 00:10:26
> via so-1/0/0.12

PE1-re1> show route receive-protocol bgp 10.203.12.2 table MVPN-1.inet.0
MVPN-1.inet.0: 46 destinations, 77 routes (46 active, 0 holddown, 0 hidden)
Restart Complete
Prefix                              Nexthop              MED Lclpref AS path
* 10.1.225.128/32          10.203.12.2                                 65012 I
10.203.12.0/30               10.203.12.2                                 65012 I

PE1-re1> show route receive-protocol bgp 10.203.20.6 table MVPN-1.inet.0
MVPN-1.inet.0: 46 destinations, 77 routes (46 active, 0 holddown, 0 hidden)
Restart Complete
Prefix                              Nexthop             MED Lclpref AS path
* 10.0.233.0/30               10.203.20.6                                65020 I

Now if we look at the VPN label which is being tagged by this PE1 for the routes received by CE, we can see that Junos is allocating separate VPN Labels to both of the routes which is what I mentioned earlier.

PE1-re1> show route advertising-protocol bgp 10.198.123.236 10.0.233.0/30 extensive
MVPN-1.inet.0: 46 destinations, 77 routes (46 active, 0 holddown, 0 hidden)
Restart Complete
* 10.0.233.0/30 (2 entries, 1 announced)
BGP group mvpn-rr type Internal
Route Distinguisher: 10.198.123.203:32764
VPN Label: 300448
Nexthop: Self
Flags: Nexthop Change
Localpref: 100
AS path: [65004] 65020 I
Communities: target:65000:321 src-as:65004:0 rt-import:10.198.123.203:16

PE1-re1> show route advertising-protocol bgp 10.198.123.236 10.203.12.0/30 extensive
MVPN-1.inet.0: 46 destinations, 77 routes (46 active, 0 holddown, 0 hidden)
Restart Complete
* 10.203.12.0/30 (2 entries, 1 announced)
BGP group mvpn-rr type Internal
Route Distinguisher: 10.198.123.203:32764
VPN Label: 300480
Nexthop: Self
Flags: Nexthop Change
Localpref: 100
AS path: [65004] I
Communities: target:65000:321 src-as:65004:0 rt-import:10.198.123.203:16

Now if we configure the vrf-table-label under routing instance on PE1, we can see the difference.

[edit routing-instances MVPN-1]
PE1-re1# set vrf-table-label

edit routing-instances MVPN-1]
PE1-re1# commit
re1:
configuration check succeeds
re0:
commit complete
re1:
commit complete

See the difference below, now only one VPN label is being allocated for the whole VRF and this really saves the label space.

PE1-re1> show route advertising-protocol bgp 10.198.123.236 10.203.12.0/30 extensive
MVPN-1.inet.0: 46 destinations, 77 routes (46 active, 0 holddown, 0 hidden)
Restart Complete
* 10.203.12.0/30 (2 entries, 1 announced)
BGP group mvpn-rr type Internal
Route Distinguisher: 10.198.123.203:32764
VPN Label: 39
Nexthop: Self
Flags: Nexthop Change
Localpref: 100
AS path: [65004] I
Communities: target:65000:321 src-as:65004:0 rt-import:10.198.123.203:16

PE1-re1> show route advertising-protocol bgp 10.198.123.236 10.0.233.0/30 extensive
MVPN-1.inet.0: 46 destinations, 77 routes (46 active, 0 holddown, 0 hidden)
Restart Complete
* 10.0.233.0/30 (2 entries, 1 announced)
BGP group mvpn-rr type Internal
Route Distinguisher: 10.198.123.203:32764
VPN Label: 39
Nexthop: Self
Flags: Nexthop Change
Localpref: 100
AS path: [65004] 65020 I
Communities: target:65000:321 src-as:65004:0 rt-import:10.198.123.203:16

So this completes one part. Now moving over to 2nd part.
Junos by default looks at the incoming MPLS packet, Pops the label and sends the underlying packet to CE without looking at IP packet at all. This situation is fine in case you have PE connected to CE via P2P links like Serial links however if you have Broadcast medium like Ethernet in between then router can’t just send the packet like this without first building the frame and to build frame it needs to do ARP lookup to get the MAC Address of the CE. So it needs to do extra lookup apart from MPLS lookup.
Vrf-table-label actually allows the router to do 2 lookups. The first lookup is done on the VPN label to determine which VRF table to refer to, and the second lookup is done on the IP header to determine how to forward packets to the correct end hosts on the shared medium. This can be useful for number of applications like ingress firewall filters, CoS etc. Now a days VT interface (tunnel-pic) is also used to do the same however if router doesn’t support tunnel-pic then vrf-table-label can be used in its place to do the same thing. With VTL, lsi interface is created which allows it to handle the first lookup before a second ARP/IP lookup is carried out through the PFE.

Lets rollback the changes we did above and come back to same situation where unique label is assigned per CE port.

VPN Label 300560 is assigned for the route by PE1 and when mpls table is checked for that particular label we can see action is Pop plus to send the packet directly to interface.

PE1-re1> show route advertising-protocol bgp 10.198.123.236 10.203.12.0/30 extensive
MVPN-1.inet.0: 46 destinations, 77 routes (46 active, 0 holddown, 0 hidden)
Restart Complete
* 10.203.12.0/30 (2 entries, 1 announced)
BGP group mvpn-rr type Internal
Route Distinguisher: 10.198.123.203:32764
VPN Label: 300560
Nexthop: Self
Flags: Nexthop Change
Localpref: 100
AS path: [65004] I
Communities: target:65000:321 src-as:65004:0 rt-import:10.198.123.203:16

PE1-re1> show route table mpls.0 label 300560
mpls.0: 57 destinations, 57 routes (57 active, 0 holddown, 0 hidden)
Restart Complete
+ = Active Route, – = Last Active, * = Both
300560 *[VPN/170] 00:00:41
> via so-1/0/0.12, Pop

If we enable the vrf-table-label now and check the same route and corresponding label. Lets see what we see.

PE1-re1> show route advertising-protocol bgp 10.198.123.236 10.203.12.0/30 extensive
MVPN-1.inet.0: 46 destinations, 77 routes (46 active, 0 holddown, 0 hidden)
Restart Complete
* 10.203.12.0/30 (2 entries, 1 announced)
BGP group mvpn-rr type Internal
Route Distinguisher: 10.198.123.203:32764
VPN Label: 40
Nexthop: Self
Flags: Nexthop Change
Localpref: 100
AS path: [65004] I
Communities: target:65000:321 src-as:65004:0 rt-import:10.198.123.203:16

PE1-re1> show route table mpls.0 label 40
mpls.0: 53 destinations, 53 routes (53 active, 0 holddown, 0 hidden)
Restart Complete
+ = Active Route, – = Last Active, * = Both

40 *[VPN/0] 00:00:12
to table MVPN-1.inet.0, Pop

So we can see, label 40 is basically pointing to routing-table now and not to interface as in our previous case. You can see the corresponding LSI interface allocated by looking at following command

PE1-re1> show route instance MVPN-1 detail
MVPN-1:
Router ID: 10.14.233.1
Type: vrf State: Active
Restart State: Complete Path selection timeout: 300
Interfaces:
lsi.24
so-1/0/0.12
ge-0/3/3.50
ge-0/3/2.20
vt-1/2/0.20
Route-distinguisher: 10.198.123.203:32764
Vrf-import: [ __vrf-import-MVPN-1-internal__ ]
Vrf-export: [ __vrf-export-MVPN-1-internal__ ]
Vrf-import-target: [ target:65000:321 ]
Vrf-export-target: [ target:65000:321 ]
Fast-reroute-priority: low
Tables:
MVPN-1.inet.0 : 77 routes (46 active, 0 holddown, 0 hidden)
Restart Complete
MVPN-1.inet.1 : 11 routes (9 active, 0 holddown, 0 hidden)
Restart Complete
MVPN-1.mvpn.0 : 77 routes (42 active, 7 holddown, 0 hidden)
Restart Complete

Ok so that’s all. I hope you liked the blog and I was able to resolve some of your confusion on this command. If you still have any queries, please let me know and I would be happy to discuss.

Regards
Mohit Mittal

 

 

L2VPN using Kompella – Junos

BGP, Juniper, MPLS, Networking, , , , , , , ,

In my earlier blog on L2VPN via CCC https://networkzblogger.com/2017/04/23/l2vpn-via-ccc-in-junos/ we saw in that method customer interface needs to be bind with LSP and for each customer we need to have separate LSP configured which is not ideal from operational perspective. In this blog we will look at another method of achieving this where BGP is used as signalling protocol which automates the connections, so manual configuration of the association between the LSP and the customer edge interface is not required.

This config is also called Kompella after its author (https://tools.ietf.org/html/draft-kompella-l2vpn-l2vpn-00) where BGP is used to signal the control plane and it uses a two label stack as Martini. The VC (VPN) label is signalled via BGP and transport label can be signaled via either RSVP or LDP.

We would be looking at below topology where we will be configuring the MPLS L2VPN or Juniper L2CIRCUIT between M10i and MX960 PEs. M320s in between are just acting as Transit P/PE nodes and no configuration specifically needed on them for L2VPN however normal RSVP/LDP/MPLS/IGP config needs to be configured for transport label same as how L3VPN works.

L2VPN Kompella

MX104s are acting as RR so BGP neighborship will appropriate family needs to be activated between PEs-RRs.

For BGP based L2VPNs, following configuration needs to be configured

  1. BGP group with family l2vpn signalling
  2. Routing instance using instance type “l2vpn”
  3. Ethernet link needs to be established with Customer and same needs to be defined under Routing-instance.

Let’s start with Juniper l2vpn configuration.

First BGP Group where l2vpn signalling family needs to be enabled for PE-RR group.

BGP neighborship between M10i and one of the RR.

M10i-PE> show configuration protocols bgp group L2VPN-RRs
type internal;
family l2vpn {
    signaling;
}
authentication-algorithm md5;
authentication-key-chain BGP-L2VPN-key-chain;
neighbor 10.198.123.234;  <<<<<<<<< Loopback of RR1
neighbor 10.198.123.237;  <<<<<<<<< Loopback of RR2

BGP neighborship between M10i and one of the RR.

M10i-PE > show bgp neighbor 10.198.123.234
Peer: 10.198.123.234+179 AS 65004 Local: 10.198.123.213+50453 AS 65004
 Group: L2VPN-RRs Routing-Instance: master
 Type: Internal State: Established Flags: <Sync>
 Options: <Preference LocalAddress GracefulRestart LogUpDown AddressFamily Rib-group Refresh>
 Address families configured: l2vpn-signaling
 Local Address: 10.198.123.213 Holdtime: 90 Preference: 170
 Peer ID: 10.198.123.234 Local ID: 10.198.123.213 Active Holdtime: 90
 NLRI for restart configured on peer: l2vpn
 NLRI advertised by peer: l2vpn
 NLRI for this session: l2vpn
 Peer supports Refresh capability (2)
 Restart time configured on the peer: 120
 Stale routes from peer are kept for: 300
 Restart time requested by this peer: 120
 NLRI that peer supports restart for: l2vpn
 NLRI peer can save forwarding state: l2vpn
 NLRI that peer saved forwarding for: l2vpn
 NLRI that restart is negotiated for: l2vpn
 NLRI of received end-of-rib markers: l2vpn
 NLRI of all end-of-rib markers sent: l2vpn.
.
.

Even though customer facing config is not part of MPLS L2VPN, I will define it here which is using l2vpn encapsulation vlan-ccc.

M10i-PE > show configuration interfaces fe-0/1/1
description "Connected to CE-1";
vlan-tagging;
link-mode full-duplex;
encapsulation vlan-ccc;
unit 2 {
 encapsulation vlan-ccc;
 vlan-id 1001;
 family ccc;
}

Fairly simple configuration which is using encapsulation vlan-ccc.

OK, lets move to 2nd and 3rd part which is routing-instance configuration. I have highlighted important bits below. Off course for this L2VPN type you need to define RD, RT, and Interface which I am not mentioning specifically but you can see below.

M10i-PE > show configuration routing-instances L2VPN
instance-type l2vpn;
interface fe-0/1/1.2;
route-distinguisher 10.198.123.213:2;
vrf-target target:65004:2;
protocols {
 l2vpn {
 encapsulation-type ethernet-vlan;
 site Audi {
 site-identifier 2;
 interface fe-0/1/1.2 {
 remote-site-id 3;
 }
 }
 }
}

Important bit is instance-type l2vpn which enables this routing-instance for L2VPN. Under protocols l2vpn we have to enable the encap type as ethernet-vlan and then under site parameters we need to be define local site-identifier which is in our case is 2 and an optional remote-site-id. I have defined remote-site-id as 3 which will be configured on MX960 Remote-PE as its local site-identifier.

In same way we will be configuring the MX960 PE

MX960-PE> show configuration interfaces ge-1/1/9.700
encapsulation vlan-ccc;
vlan-id 700;
family ccc;

MX960-PE> show configuration routing-instances L2VPN
instance-type l2vpn;
interface ge-1/1/9.700;
route-distinguisher 10.198.123.205:3;
vrf-target target:65004:2;
protocols {
 l2vpn {
 encapsulation-type ethernet-vlan;
 site Bentley {
 site-identifier 3;
 interface ge-1/1/9.700 {
 remote-site-id 2;
 }
 }
 }
}

Once this is configured, let’s check the routing table on M10i

M10i-PE > show route table L2VPN.l2vpn.0
L2VPN.l2vpn.0: 3 destinations, 5 routes (3 active, 0 holddown, 0 hidden)
Restart Complete
+ = Active Route, - = Last Active, * = Both

10.198.123.205:3:3:1/96 <<<<<<<<<------------ Learnt from MX960
 *[BGP/170] 13:56:58, localpref 100, from 10.198.123.237
 AS path: I, validation-state: unverified
 > via so-0/0/0.0, Push 299888
 [BGP/170] 13:56:58, localpref 100, from 10.198.123.234
 AS path: I, validation-state: unverified
 > via so-0/0/0.0, Push 299888
.
.
.
10.198.123.213:2:2:3/96 <<<<<<<<-------------- Local route on M10i
 *[L2VPN/170/-101] 16:56:08, metric2 1
 Indirect

This output is showing us RD value of 10.198.123.205:3 plus value of remote-side identifier which is 3 as well plus label-offset value which is 1

In same way, local route has RD value of 10.198.123.213:2 plus value of remote-side identifier which is 2 and label-offset value of 3. Will explain label-offset later.

So this completes our BGP control signalling path.

L2VPN connection state is up between both PEs

M10i-PE > show l2vpn connections up
Layer-2 VPN connections:

Instance: L2VPN
Edge protection: Not-Primary
 Local site: Audi (2)
 connection-site Type St Time last up # Up trans
 3               rmt  Up May 2 20:53:51 2017 1
 Remote PE: 10.198.123.205, Negotiated control-word: Yes (Null)
 Incoming label: 800006, Outgoing label: 800003
 Local interface: fe-0/1/1.2, Status: Up, Encapsulation: VLAN

Now we can move over to forwarding path where we will see MPLS labels. As in case of L3VPNs, we have 2 Labels on each packet i.e. VPN Label and other is transport label.

Transport label is calculated in same way where label is assigned for next-hop which in our case is remote-PE MX960 loopback address and this label can be learnt by any method LDP or RSVP and will be advertised to M10i PE by its immediate neighbour which in our case is M320.

So to check the label stack which is being pushed at M10i, we can see the MPLS.0 table.

M10i-PE > show route table mpls.0
mpls.0: 25 destinations, 25 routes (25 active, 0 holddown, 0 hidden)
Restart Complete
+ = Active Route, - = Last Active, * = Both
.
.
.
fe-0/1/1.2 *[L2VPN/7] 14:27:18, metric2 1
 > via so-0/0/0.0, Push 800003, Push 299888(top) Offset: 252

So you can see two labels are being pushed, TOP (transport) label is 299888 which is advertised by M320

M320-Transit-P-1> show ldp database session 10.198.123.213
.
.

Output label database, 10.198.123.202:0--10.198.123.213:0
 Label Prefix
 306336 10.198.123.100/32
 299808 10.198.123.201/32
 3      10.198.123.202/32
 299792 10.198.123.203/32
 308832 10.198.123.204/32
 299888 10.198.123.205/32
 304288 10.198.123.211/32

VPN Label is 800003 which is calculated little bit differently in case of L2VPNs and not directly advertised by Remote-Pes.

Formula to calculate VPN label is

L2VPN label = Label-Base (remote) + Site-Id(Local) – Label-Offset (remote)

Label-base (remote) value is what we can get from MX960 by looking at its L2VPN.l2vpn table

MX960-PE > show route table L2VPN.l2vpn.0 extensive
L2VPN.l2vpn.0: 3 destinations, 5 routes (3 active, 0 holddown, 0 hidden)
.
.
 Advertised metrics:
 Flags: Nexthop Change
 Nexthop: Self
 Localpref: 100
 AS path: [65004] I
Path 10.198.123.205:3:3:1 Vector len 4. Val: 0
 *L2VPN Preference: 170/-101
 Next hop type: Indirect, Next hop index: 0
 Address: 0xa5d246c
.
.
.
 Label-base: 800002, range: 2, status-vector: 0x0, offset: 1
 Secondary Tables: L2VPN.l2id.0

You can see above that label-base is 800002 on MX960 and Label-offset value is 1

So as per our equation above,

L2VPN Label = 800002 + 2 (Site-id local on M10i)  – 1  = 800003

Once this VPN Label reaches MX960, it is pop as per normal MPLS procedures and out to CE-2 interface.

800003 *[L2VPN/7] 14:37:16
 > via ge-1/1/9.700, Pop Offset: 4

In same way, MX960 will also calculate the VPN label for traffic flowing from MX960 to M10i.

So that’s all for this blog. I hope you enjoyed it and let me know if you still have any issues.

 

Regards

Mohit Mittal