Layer 2 Circuit on SRX

I will briefly show how you can set up Layer 2 circuit between two packet-mode SRX boxes on 12.1X46-D10 release. Simply, if you set up a Layer 2 circuit between two sites, you can connect the same subnet between two different geographic location over an MPLS cloud. Look at the following sample topology and assume SRX j29 is in Ankara, which is my hometown 🙂 and j34 (which is in Amsterdam where live currently). I know they are so far 🙁 but we will set up the circuit and j40 will be able to ping 10.0.5.2 address of j35 from its address 10.0.5.1 which are in the same subnets.

l2circuit_vlanccc

First of all my assumptions on this setup;

  • J29,j30 and j34 are forming an MPLS cloud
  • We use LDP for label distribution
  • On this setup all these boxes are in packet mode
  • We don’t care what is on J30 as long as it provides MPLS connectivity, nothing special configured on that device
  • J40 and j35 have no special config, you can put PCs to test the connectivity as well.

Let’s first bring the L2 link UP;

Configure interfaces on PE routers
L2 circuit is established between j29 and j34. Interface configuration is really important as a single mistake doesn’t bring the link up.

J29

[edit]
lab@jgw29# show interfaces 
interface-range mpls-int {
    member ge-0/0/0;
    member ge-0/0/1;
    member ge-0/0/3;
    member ge-0/0/4;
    unit 0 {
        family mpls;
    }
}

ge-0/0/1 {
    unit 0 {
        family inet {
            address 192.168.196.1/24;
        }
    }
}
ge-0/0/2 {
    vlan-tagging;
    encapsulation vlan-ccc;
    unit 800 {
        encapsulation vlan-ccc;
        vlan-id 800;
    }
}
ge-0/0/3 {
    unit 0 {
        family inet {
            address 172.29.1.1/24;
        }
    }
}
lo0 {
    unit 0 {
        family inet {
            address 10.1.1.2/32;
        }
        family mpls;
    }
}

Unnecessary interface config is removed from the output. As you can see ge-0/0/2 is the CE facing interface i.e towards j40 device. It is a trunk interface and our vlan tag is 800. As you can see we have no IP configuration here as we are connecting a L2 segment. j40 device will think as if it is connected to a switch.

j34

[edit]
root@J34# show interfaces 
interface-range mpls-int {
    member ge-0/0/0;
    member ge-0/0/1;
    member ge-0/0/3;
    member ge-0/0/4;
    unit 0 {
        family mpls;
    }
}
ge-0/0/0 {
    unit 0 {
        family inet {
            address 192.168.198.2/24;
        }
        family mpls;
    }
}

ge-0/0/2 {
    vlan-tagging;
    encapsulation vlan-ccc;
    unit 800 {
        encapsulation vlan-ccc;
        vlan-id 800;
    }
}

lo0 {
    unit 0 {
        family inet {
            address 10.1.1.6/32;
        }
        family mpls;
    }
}                                       

On this box as well, ge-0/0/2 is the CE facing interface and it has very similar config to j29.

Configure L2 circuit
This is the most important part. Things to remember are IGP i.e OSPF here is really important as LDP relies on this protocol. If OSPF isn’t running properly, don’t expect any L2 circuit. LDP should also be running on loopback interface.

j29

[edit]
lab@jgw29# show protocols 
mpls {
    interface all;
}
ospf {
    area 0.0.0.0 {
        interface all;
        interface ge-0/0/4.0 {
            disable;
        }
    }
}
ldp {
    interface ge-0/0/1.0;
    interface lo0.0;
}
l2circuit {
    neighbor 10.1.1.6 {
        interface ge-0/0/2.800 {
            virtual-circuit-id 10;
            no-control-word;
        }
    }
}

As you can see circuit neighbor address is the loopback of remote device and interface is the local CE facing interface. You should also assign a circuit id which should be the same on both peers.

j34

[edit]
root@J34# show protocols 
mpls {
    interface all;
}
ospf {
    area 0.0.0.0 {
        interface all;
        interface ge-0/0/4.0 {
            disable;
        }
    }
}
ldp {
    interface ge-0/0/0.0;
    interface lo0.0;
}
l2circuit {
    neighbor 10.1.1.2 {
        interface ge-0/0/2.800 {
            virtual-circuit-id 10;
            no-control-word;
        }
    }
}

Verification

We can check the l2circuit status as below. As you can see, status(St) is Up. To see if our setup is working we can ping j35 from j40 .

lab@jgw29> show l2circuit connections 
Layer-2 Circuit Connections:

Legend for connection status (St)   
EI -- encapsulation invalid      NP -- interface h/w not present   
MM -- mtu mismatch               Dn -- down                       
EM -- encapsulation mismatch     VC-Dn -- Virtual circuit Down    
CM -- control-word mismatch      Up -- operational                
VM -- vlan id mismatch           CF -- Call admission control failure
OL -- no outgoing label          IB -- TDM incompatible bitrate 
NC -- intf encaps not CCC/TCC    TM -- TDM misconfiguration 
BK -- Backup Connection          ST -- Standby Connection
CB -- rcvd cell-bundle size bad  SP -- Static Pseudowire
LD -- local site signaled down   RS -- remote site standby
RD -- remote site signaled down  XX -- unknown

Legend for interface status  
Up -- operational            
Dn -- down                   
Neighbor: 10.1.1.6 
    Interface                 Type  St     Time last up          # Up trans
    ge-0/0/2.800(vc 10)       rmt   Up     Mar 17 17:26:26 2014           1
      Remote PE: 10.1.1.6, Negotiated control-word: No
      Incoming label: 299776, Outgoing label: 299776
      Negotiated PW status TLV: No
      Local interface: ge-0/0/2.800, Status: Up, Encapsulation: VLAN

Yes we can ping the IP address which is on the same subnet.

root@j40> ping 10.0.5.2 count 3 
PING 10.0.5.2 (10.0.5.2): 56 data bytes
64 bytes from 10.0.5.2: icmp_seq=0 ttl=64 time=39.416 ms
64 bytes from 10.0.5.2: icmp_seq=1 ttl=64 time=35.215 ms
64 bytes from 10.0.5.2: icmp_seq=2 ttl=64 time=35.254 ms

--- 10.0.5.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 35.215/36.628/39.416/1.971 ms

root@j40> show arp no-resolve 
MAC Address       Address         Interface     Flags
00:0c:29:86:ba:4a 10.0.5.2        ge-0/0/0.0           none

You can see that j40 learns the MAC address of j35 after an ARP request. Let’s look at j35’s ge-0/0/0 interface. We should see the same MAC.

root@j35> show interfaces ge-0/0/0 | match Hardware
  Current address: 00:0c:29:86:ba:4a, Hardware address: 00:0c:29:86:ba:4a

As we again see, MAC is being learned with no issues.

I hope to have explained L2 circuit in this short blog post. I hope it was useful. To contribute to this post you are welcomed to share troubleshooting methods or any issue you experienced and how you solved it. That would be highly appreciated.

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


6 thoughts on “Layer 2 Circuit on SRX”

  1. nfigured same way between two PE, I mean I configured L2circuit traffic to take a particular RSVP LSP if there are multiple equal-cost RSVP LSP’s available to reach the L2circuit neighbor.

    Well How can i verify or traceroute l2circuit follow the particular binded LSP.

    I mean is there any command to verify l2circuit traceroute…..

    Many Thanks,

    Brijesh
    ..

    1. If you want to traceroute a particular LSP I believe you can use the command like below;

      lab@j40> traceroute mpls rsvp lsp-j40-j35 no-resolve
      Probe options: retries 3, exp 7

      ttl Label Protocol Address Previous Hop Probe Status
      1 300352 RSVP-TE 25.1.2.1 (null) Unhelpful
      2 10.1.1.4 25.1.2.1 Unhelpful
      3 10.1.1.5 10.1.1.4 Unhelpful
      4 10.1.1.7 10.1.1.5 Egress

      Path 1 via ge-0/0/1.0 destination 127.0.0.64

      This command output is for RSVP but you can also use with LDP option I believe.

    2. Hi BRJU,

      How to configure l2 Circuit traffic to take a specific LSP ? Please provide a sample configuration.

      Thanks,
      Aravinth

  2. Good article,,,, however I have a bit different scenario. I have 2x SRX 210 and they got IPSEC tunnel developed, I am not aware much with MPLS/VPLS technologies however so far I have read few forums and learnt that I need MPLS connectivity for Pseudowires.
    My question is if both of these SRX got IPSEC tunnel developed (no MPLS connectivity) can I still configure Pseudowire between 2 sites to extend layer2 circuit?

    1. Ali,
      You should check MPLS over GRE over IPSEC or VPLS documents. VPLS is also great in doing this. I am hoping to write an article on this as well but God knows when I will get round to it.

Leave a Reply to BRJUCancel reply

Discover more from RtoDto.net

Subscribe now to keep reading and get access to the full archive.

Continue reading