Layer 2 Circuit on SRX

I will briefly show how you can set up Layer 2 circuit between two packet-mode SRX boxes on 12.1X46-D10 release. Simply, if you set up a Layer 2 circuit between two sites, you can connect the same subnet between two different geographic location over an MPLS cloud. Look at the following sample topology and assume SRX j29 is in Ankara, which is my hometown 🙂 and j34 (which is in Amsterdam where live currently). I know they are so far 🙁 but we will set up the circuit and j40 will be able to ping 10.0.5.2 address of j35 from its address 10.0.5.1 which are in the same subnets.

l2circuit_vlanccc

First of all my assumptions on this setup;

  • J29,j30 and j34 are forming an MPLS cloud
  • We use LDP for label distribution
  • On this setup all these boxes are in packet mode
  • We don’t care what is on J30 as long as it provides MPLS connectivity, nothing special configured on that device
  • J40 and j35 have no special config, you can put PCs to test the connectivity as well.

Let’s first bring the L2 link UP;

Configure interfaces on PE routers
L2 circuit is established between j29 and j34. Interface configuration is really important as a single mistake doesn’t bring the link up.

J29

Unnecessary interface config is removed from the output. As you can see ge-0/0/2 is the CE facing interface i.e towards j40 device. It is a trunk interface and our vlan tag is 800. As you can see we have no IP configuration here as we are connecting a L2 segment. j40 device will think as if it is connected to a switch.

j34

On this box as well, ge-0/0/2 is the CE facing interface and it has very similar config to j29.

Configure L2 circuit
This is the most important part. Things to remember are IGP i.e OSPF here is really important as LDP relies on this protocol. If OSPF isn’t running properly, don’t expect any L2 circuit. LDP should also be running on loopback interface.

j29

As you can see circuit neighbor address is the loopback of remote device and interface is the local CE facing interface. You should also assign a circuit id which should be the same on both peers.

j34

Verification

We can check the l2circuit status as below. As you can see, status(St) is Up. To see if our setup is working we can ping j35 from j40 .

Yes we can ping the IP address which is on the same subnet.

You can see that j40 learns the MAC address of j35 after an ARP request. Let’s look at j35’s ge-0/0/0 interface. We should see the same MAC.

As we again see, MAC is being learned with no issues.

I hope to have explained L2 circuit in this short blog post. I hope it was useful. To contribute to this post you are welcomed to share troubleshooting methods or any issue you experienced and how you solved it. That would be highly appreciated.

6 thoughts on “Layer 2 Circuit on SRX

  1. BRJU

    nfigured same way between two PE, I mean I configured L2circuit traffic to take a particular RSVP LSP if there are multiple equal-cost RSVP LSP’s available to reach the L2circuit neighbor.

    Well How can i verify or traceroute l2circuit follow the particular binded LSP.

    I mean is there any command to verify l2circuit traceroute…..

    Many Thanks,

    Brijesh
    ..

    Reply
    1. rtoodtoo Post author

      If you want to traceroute a particular LSP I believe you can use the command like below;

      lab@j40> traceroute mpls rsvp lsp-j40-j35 no-resolve
      Probe options: retries 3, exp 7

      ttl Label Protocol Address Previous Hop Probe Status
      1 300352 RSVP-TE 25.1.2.1 (null) Unhelpful
      2 10.1.1.4 25.1.2.1 Unhelpful
      3 10.1.1.5 10.1.1.4 Unhelpful
      4 10.1.1.7 10.1.1.5 Egress

      Path 1 via ge-0/0/1.0 destination 127.0.0.64

      This command output is for RSVP but you can also use with LDP option I believe.

      Reply
    2. Aravinth

      Hi BRJU,

      How to configure l2 Circuit traffic to take a specific LSP ? Please provide a sample configuration.

      Thanks,
      Aravinth

      Reply
  2. A Ali

    Good article,,,, however I have a bit different scenario. I have 2x SRX 210 and they got IPSEC tunnel developed, I am not aware much with MPLS/VPLS technologies however so far I have read few forums and learnt that I need MPLS connectivity for Pseudowires.
    My question is if both of these SRX got IPSEC tunnel developed (no MPLS connectivity) can I still configure Pseudowire between 2 sites to extend layer2 circuit?

    Reply
    1. rtoodtoo Post author

      Ali,
      You should check MPLS over GRE over IPSEC or VPLS documents. VPLS is also great in doing this. I am hoping to write an article on this as well but God knows when I will get round to it.

      Reply

You have a feedback?