Layer 2 Circuit on SRX
I will briefly show how you can set up a Layer 2 circuit between two packet-mode SRX boxes on the 12.1X46-D10 release. Put simply, if you set up a Layer 2 circuit between two sites, you can connect the same subnet between two different geographic locations over an MPLS cloud. Look at the following sample topology and assume SRX j29 is in Ankara, which is my hometown 🙂, and j34 is in Amsterdam, where I currently live. I know they are far apart 🙁 but we will set up the circuit and j40 will be able to ping the 10.0.5.2 address of j35 from its own address 10.0.5.1, both of which are in the same subnet.
First of all, my assumptions for this setup:
- j29, j30 and j34 form an MPLS cloud
- We use LDP for label distribution
- In this setup all these boxes are in packet mode
- We don't care what is on j30 as long as it provides MPLS connectivity; nothing special is configured on that device
- j40 and j35 have no special config; you can use PCs to test the connectivity as well.
Let's first bring the L2 link up.
Configure interfaces on PE routers
The L2 circuit is established between j29 and j34. The interface configuration is really important: a single mistake will stop the link from coming up.
J29
[edit]
lab@jgw29# show interfaces
interface-range mpls-int {
    member ge-0/0/0;
    member ge-0/0/1;
    member ge-0/0/3;
    member ge-0/0/4;
    unit 0 {
        family mpls;
    }
}
ge-0/0/1 {
    unit 0 {
        family inet {
            address 192.168.196.1/24;
        }
    }
}
ge-0/0/2 {
    vlan-tagging;
    encapsulation vlan-ccc;
    unit 800 {
        encapsulation vlan-ccc;
        vlan-id 800;
    }
}
ge-0/0/3 {
    unit 0 {
        family inet {
            address 172.29.1.1/24;
        }
    }
}
lo0 {
    unit 0 {
        family inet {
            address 10.1.1.2/32;
        }
        family mpls;
    }
}
Unnecessary interface config is removed from the output. As you can see, ge-0/0/2 is the CE-facing interface, i.e. the one towards the j40 device. It is a trunk interface and our VLAN tag is 800. Note that there is no IP configuration here, as we are connecting an L2 segment; the j40 device will behave as if it were connected to a switch.
j34
[edit]
root@J34# show interfaces
interface-range mpls-int {
    member ge-0/0/0;
    member ge-0/0/1;
    member ge-0/0/3;
    member ge-0/0/4;
    unit 0 {
        family mpls;
    }
}
ge-0/0/0 {
    unit 0 {
        family inet {
            address 192.168.198.2/24;
        }
        family mpls;
    }
}
ge-0/0/2 {
    vlan-tagging;
    encapsulation vlan-ccc;
    unit 800 {
        encapsulation vlan-ccc;
        vlan-id 800;
    }
}
lo0 {
    unit 0 {
        family inet {
            address 10.1.1.6/32;
        }
        family mpls;
    }
}
On this box as well, ge-0/0/2 is the CE-facing interface and it has a very similar config to j29's.
Configure L2 circuit
This is the most important part. Remember that the IGP (OSPF here) is really important, as LDP relies on it. If OSPF isn't running properly, don't expect any L2 circuit. LDP should also be running on the loopback interface.
j29
[edit]
lab@jgw29# show protocols
mpls {
    interface all;
}
ospf {
    area 0.0.0.0 {
        interface all;
        interface ge-0/0/4.0 {
            disable;
        }
    }
}
ldp {
    interface ge-0/0/1.0;
    interface lo0.0;
}
l2circuit {
    neighbor 10.1.1.6 {
        interface ge-0/0/2.800 {
            virtual-circuit-id 10;
            no-control-word;
        }
    }
}
As you can see, the circuit neighbor address is the loopback of the remote device and the interface is the local CE-facing interface. You should also assign a virtual-circuit-id, which must be the same on both peers.
j34
[edit]
root@J34# show protocols
mpls {
    interface all;
}
ospf {
    area 0.0.0.0 {
        interface all;
        interface ge-0/0/4.0 {
            disable;
        }
    }
}
ldp {
    interface ge-0/0/0.0;
    interface lo0.0;
}
l2circuit {
    neighbor 10.1.1.2 {
        interface ge-0/0/2.800 {
            virtual-circuit-id 10;
            no-control-word;
        }
    }
}
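To catch the single-mistake failures this section warns about before you commit, here is an added example of mine (not code from the post or from Juniper) that parses the ldp, l2circuit, CE-facing and loopback stanzas of both PEs in the flattened one-line form a copy-paste produces and cross-checks the rules stated above: each PE's l2circuit neighbor must be the other PE's loopback, the virtual-circuit-id and the control-word setting must match, the CE-facing unit must be vlan-ccc with the same vlan-id on both ends, and LDP must run on lo0.0. The stanza text is copied from the j29 and j34 output on this page; the regexes assume that compact layout and are not a general Junos configuration parser.

```python
import re

# Constructed sample input: the circuit-relevant stanzas of the two PEs,
# copied from the post's j29 and j34 output and flattened to one line each.
J29 = {
    "protocols": (
        "ldp { interface ge-0/0/1.0; interface lo0.0; } "
        "l2circuit { neighbor 10.1.1.6 { interface ge-0/0/2.800 { "
        "virtual-circuit-id 10; no-control-word; } } }"
    ),
    "interfaces": (
        "ge-0/0/2 { vlan-tagging; encapsulation vlan-ccc; unit 800 { "
        "encapsulation vlan-ccc; vlan-id 800; } } "
        "lo0 { unit 0 { family inet { address 10.1.1.2/32; } family mpls; } }"
    ),
}
J34 = {
    "protocols": (
        "ldp { interface ge-0/0/0.0; interface lo0.0; } "
        "l2circuit { neighbor 10.1.1.2 { interface ge-0/0/2.800 { "
        "virtual-circuit-id 10; no-control-word; } } }"
    ),
    "interfaces": (
        "ge-0/0/2 { vlan-tagging; encapsulation vlan-ccc; unit 800 { "
        "encapsulation vlan-ccc; vlan-id 800; } } "
        "lo0 { unit 0 { family inet { address 10.1.1.6/32; } family mpls; } }"
    ),
}

# neighbor <ip> { interface <ifl> { ...body... }
L2C_RE = re.compile(r"neighbor\s+([\d.]+)\s*\{\s*interface\s+(\S+)\s*\{([^}]*)\}")


def parse_pe(cfg):
    """Pull out the handful of values the two ends of the circuit must agree on."""
    proto, ifaces = cfg["protocols"], cfg["interfaces"]
    neighbor, ifl, body = L2C_RE.search(proto).groups()
    phys, unit = ifl.split(".")
    # Find the logical unit named in the l2circuit stanza under its physical interface.
    unit_re = re.escape(phys) + r"\s*\{.*?unit\s+" + re.escape(unit) + r"\s*\{([^}]*)\}"
    unit_m = re.search(unit_re, ifaces, re.S)
    unit_body = unit_m.group(1) if unit_m else ""
    enc = re.search(r"encapsulation\s+(\S+);", unit_body)
    vlan = re.search(r"vlan-id\s+(\d+);", unit_body)
    lo = re.search(r"lo0\s*\{.*?address\s+([\d.]+)/32", ifaces, re.S)
    ldp = re.search(r"ldp\s*\{([^}]*)\}", proto)
    return {
        "loopback": lo.group(1) if lo else None,
        "neighbor": neighbor,
        "interface": ifl,
        "vc_id": int(re.search(r"virtual-circuit-id\s+(\d+)", body).group(1)),
        "control_word": "no-control-word" not in body,
        "encapsulation": enc.group(1) if enc else None,
        "vlan_id": int(vlan.group(1)) if vlan else None,
        "ldp_on_lo0": bool(ldp and "interface lo0.0" in ldp.group(1)),
    }


def check_pair(a, b):
    """Return the mismatches between two PEs; an empty list means they agree.
    Where the post's status legend has a code for the fault, it is named."""
    problems = []
    if a["neighbor"] != b["loopback"] or b["neighbor"] != a["loopback"]:
        problems.append("l2circuit neighbor is not the remote PE's loopback")
    if a["vc_id"] != b["vc_id"]:
        problems.append("virtual-circuit-id differs (%d vs %d)" % (a["vc_id"], b["vc_id"]))
    if a["control_word"] != b["control_word"]:
        problems.append("control-word setting differs (CM)")
    if a["encapsulation"] != "vlan-ccc" or b["encapsulation"] != "vlan-ccc":
        problems.append("CE-facing unit is not vlan-ccc (NC / EM)")
    if a["vlan_id"] != b["vlan_id"]:
        problems.append("vlan-id differs (VM)")
    for side in (a, b):
        if not side["ldp_on_lo0"]:
            problems.append("%s: LDP is not enabled on lo0.0" % side["loopback"])
    return problems


if __name__ == "__main__":
    issues = check_pair(parse_pe(J29), parse_pe(J34))
    print("consistent" if not issues else "\n".join(issues))
```

Run against the two configs on this page the check reports no issues; change the virtual-circuit-id or drop no-control-word on one side and the corresponding mismatch is reported, which is exactly what the St column would later show you as Dn, CM or VM once both sides are committed.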
Verification
We can check the l2circuit status as below. As you can see, the status (St) is Up. To see if our setup is working we can ping j35 from j40.
lab@jgw29> show l2circuit connections
Layer-2 Circuit Connections:

Legend for connection status (St)
EI -- encapsulation invalid       NP -- interface h/w not present
MM -- mtu mismatch                Dn -- down
EM -- encapsulation mismatch      VC-Dn -- Virtual circuit Down
CM -- control-word mismatch       Up -- operational
VM -- vlan id mismatch            CF -- Call admission control failure
OL -- no outgoing label           IB -- TDM incompatible bitrate
NC -- intf encaps not CCC/TCC     TM -- TDM misconfiguration
BK -- Backup Connection           ST -- Standby Connection
CB -- rcvd cell-bundle size bad   SP -- Static Pseudowire
LD -- local site signaled down    RS -- remote site standby
RD -- remote site signaled down   XX -- unknown

Legend for interface status
Up -- operational
Dn -- down

Neighbor: 10.1.1.6
    Interface                 Type  St     Time last up          # Up trans
    ge-0/0/2.800(vc 10)       rmt   Up     Mar 17 17:26:26 2014           1
      Remote PE: 10.1.1.6, Negotiated control-word: No
      Incoming label: 299776, Outgoing label: 299776
      Negotiated PW status TLV: No
      Local interface: ge-0/0/2.800, Status: Up, Encapsulation: VLAN
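As an added example (mine, not from the post), the following script parses the output of show l2circuit connections and flags every circuit whose St column is not Up, translating the code with the legend the command prints. SAMPLE_UP is the post's own output reflowed into its normal multi-line layout; SAMPLE_VM is a constructed failure case that assumes the peer signalled a different VLAN ID, so the column reads VM. The label pair is extracted as well, since a missing outgoing label is the OL case.

```python
import re

# The St legend exactly as the command prints it on the page.
ST_LEGEND = {
    "EI": "encapsulation invalid", "NP": "interface h/w not present",
    "MM": "mtu mismatch", "Dn": "down", "EM": "encapsulation mismatch",
    "VC-Dn": "Virtual circuit Down", "CM": "control-word mismatch",
    "Up": "operational", "VM": "vlan id mismatch",
    "CF": "Call admission control failure", "OL": "no outgoing label",
    "IB": "TDM incompatible bitrate", "NC": "intf encaps not CCC/TCC",
    "TM": "TDM misconfiguration", "BK": "Backup Connection",
    "ST": "Standby Connection", "CB": "rcvd cell-bundle size bad",
    "SP": "Static Pseudowire", "LD": "local site signaled down",
    "RS": "remote site standby", "RD": "remote site signaled down",
    "XX": "unknown",
}

# The post's healthy output, reflowed into the command's multi-line layout.
SAMPLE_UP = """\
Neighbor: 10.1.1.6
    Interface                 Type  St     Time last up          # Up trans
    ge-0/0/2.800(vc 10)       rmt   Up     Mar 17 17:26:26 2014           1
      Remote PE: 10.1.1.6, Negotiated control-word: No
      Incoming label: 299776, Outgoing label: 299776
      Negotiated PW status TLV: No
      Local interface: ge-0/0/2.800, Status: Up, Encapsulation: VLAN
"""

# Constructed failure sample (not from the page): same circuit, but the
# peer signalled a different VLAN ID, so the St column reads VM.
SAMPLE_VM = """\
Neighbor: 10.1.1.6
    Interface                 Type  St     Time last up          # Up trans
    ge-0/0/2.800(vc 10)       rmt   VM     -                              0
      Local interface: ge-0/0/2.800, Status: Up, Encapsulation: VLAN
"""

NEIGHBOR_RE = re.compile(r"^Neighbor:\s+([\d.]+)")
# interface(vc N)  type  st  ...
ROW_RE = re.compile(r"^\s*(\S+?)\(vc (\d+)\)\s+(\S+)\s+(\S+)")
LABEL_RE = re.compile(r"Incoming label:\s+(\d+),\s+Outgoing label:\s+(\d+)")


def parse_connections(text):
    """Return one dict per circuit row, tagged with the neighbor it sits under."""
    circuits, neighbor, current = [], None, None
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            neighbor = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m:
            current = {"neighbor": neighbor, "interface": m.group(1),
                       "vc_id": int(m.group(2)), "type": m.group(3),
                       "st": m.group(4), "labels": None}
            circuits.append(current)
            continue
        m = LABEL_RE.search(line)
        if m and current is not None:
            current["labels"] = (int(m.group(1)), int(m.group(2)))
    return circuits


def circuits_needing_attention(text):
    """(neighbor, interface, St, meaning) for every circuit that is not Up."""
    return [(c["neighbor"], c["interface"], c["st"],
             ST_LEGEND.get(c["st"], "unknown code"))
            for c in parse_connections(text) if c["st"] != "Up"]


if __name__ == "__main__":
    for sample in (SAMPLE_UP, SAMPLE_VM):
        print(circuits_needing_attention(sample) or "all circuits Up")
```

Feeding this the command output collected from each PE (for example by a monitoring host over SSH) gives a per-pseudowire up/down check with a readable reason. Keep in mind that an Up circuit only tells you the pseudowire is signalled and labelled; these boxes are in packet mode and bridge the frames transparently, so it says nothing about the traffic crossing it.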
Yes, we can ping the IP address, which is on the same subnet.
root@j40> ping 10.0.5.2 count 3
PING 10.0.5.2 (10.0.5.2): 56 data bytes
64 bytes from 10.0.5.2: icmp_seq=0 ttl=64 time=39.416 ms
64 bytes from 10.0.5.2: icmp_seq=1 ttl=64 time=35.215 ms
64 bytes from 10.0.5.2: icmp_seq=2 ttl=64 time=35.254 ms

--- 10.0.5.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 35.215/36.628/39.416/1.971 ms

root@j40> show arp no-resolve
MAC Address       Address         Interface     Flags
00:0c:29:86:ba:4a 10.0.5.2        ge-0/0/0.0    none
You can see that j40 learns the MAC address of j35 after an ARP request. Let's look at j35's ge-0/0/0 interface; we should see the same MAC.
root@j35> show interfaces ge-0/0/0 | match Hardware
  Current address: 00:0c:29:86:ba:4a, Hardware address: 00:0c:29:86:ba:4a
As we can see again, the MAC is learned with no issues.
I hope to have explained the L2 circuit in this short blog post, and that it was useful. To contribute to this post, you are welcome to share troubleshooting methods or any issue you experienced and how you solved it. That would be highly appreciated.
nfigured same way between two PE, I mean I configured L2circuit traffic to take a particular RSVP LSP if there are multiple equal-cost RSVP LSP’s available to reach the L2circuit neighbor.
Well, how can I verify or traceroute that the l2circuit follows the particular bound LSP?
I mean, is there any command to verify an l2circuit traceroute...
Many Thanks,
Brijesh
..
If you want to traceroute a particular LSP I believe you can use the command like below;
lab@j40> traceroute mpls rsvp lsp-j40-j35 no-resolve
Probe options: retries 3, exp 7
ttl Label Protocol Address Previous Hop Probe Status
1 300352 RSVP-TE 25.1.2.1 (null) Unhelpful
2 10.1.1.4 25.1.2.1 Unhelpful
3 10.1.1.5 10.1.1.4 Unhelpful
4 10.1.1.7 10.1.1.5 Egress
Path 1 via ge-0/0/1.0 destination 127.0.0.64
This command output is for RSVP but you can also use with LDP option I believe.
Hi BRJU,
How to configure l2 Circuit traffic to take a specific LSP ? Please provide a sample configuration.
Thanks,
Aravinth
Good article, however I have a bit of a different scenario. I have 2x SRX 210 and they have an IPSEC tunnel developed. I am not very familiar with MPLS/VPLS technologies; however, so far I have read a few forums and learnt that I need MPLS connectivity for pseudowires.
My question is, if both of these SRXs have an IPSEC tunnel developed (no MPLS connectivity), can I still configure a pseudowire between the 2 sites to extend the layer 2 circuit?
Ali,
You should check MPLS over GRE over IPSEC or VPLS documents. VPLS is also great in doing this. I am hoping to write an article on this as well but God knows when I will get round to it.
Thanks, I am thinking along the same lines.