L2 And L3 VPN over Ethernet Ring

In this post we are going to discuss how can we setup L2VPN and L3VPN over an Ethernet ring network, this is very challenging actually, knowing the fact that we need to achieve redundancy for both our edge network and to our customer.

As illustrated below, we have our MX104 PE router connected to the ring network that’s connected to MSAN cabins (Access Layer) through 2 Gigabit interfaces in order to achieve redundancy over the network.


The 1st challenge to take is how to setup L3VPN.

In our situaion we can’t use a logical unit of one of the main Gigs as this will not achieve the needed redundancy for the customer as there’s one Gig that will be up and the other will be down in order to prevent loops. So  the right solution would be to use Integrated Routing & Bridging interfaces (IRB) and assign it to the same bridge domain as the logical units of the main Gigs.

root@R02J> show interfaces descriptions | match Cust-A
ge-0/0/1.700  up     up    VPN: Cust-A –> Main Gig the customer is working on right now
ge-0/1/1.700   up    down VPN: Cust-A –> Backup Gig for the same customer
irb.700             up     up       VPN: Cust-A –>Layer 3 IRB interface for this customer (like an SVI interface on a Cisco Switches)

The two logical units of the main Gig interfaces are configured as layer 2 interfaces with VLAN 700 and assigned to a bridge domain only for learning/forwarding layer 2 traffic.

root@R02J> show configuration interfaces ge-0/0/1.700
description “VPN: Cust-A”;
encapsulation vlan-bridge;
vlan-id 700;{master}
root@R02J>show configuration interfaces ge-0/1/1.700
description “VPN: Cust-A” ;
encapsulation vlan-bridge;
vlan-id 700;

The 3 interface is assigned to the same bridge domain that has VLAN 700 configured in it as follow

root@R02J>show configuration bridge-domains
Cust-A {
vlan-id 700;
interface ge-0/0/1.700;
interface ge-0/1/1.700;
        routing-interface irb.700;

The IRB interfaces is then assigned an IP address and added to the Cust-A routing-instance as follow

root@R02J> show configuration routing-instance Cust-A
instance-type vrf;
interface irb.700;
route-distinguisher 8452:150;
vrf-import Cust-A-import;
vrf-export Cust-A-export;
routing-options {
static {
route next-hop ;root@R02J> show configuration interfaces irb.700
description “VPN: Cust-A”;
family inet {

Some useful troubleshooting command is illustrated below

root@R02J> show bridge domain Cust-A
Routing instance        Bridge domain            VLAN ID     Interfaces
default-switch               Cust-A                           700
root@R02J> show bridge mac-table vlan-id 700
MAC flags (S -static MAC, D -dynamic MAC, L -locally learned, C -Control MAC
SE -Statistics enabled, NM -Non configured MAC, R -Remote PE MAC)
Routing instance : default-switch
Bridging domain : Cust-A, VLAN : 700
MAC                           MAC            Logical            NH     RTR
address                     flags            interface        Index   ID
00:e0:fc:20:3b:b9      D               ge-0/0/1.700 –> currently customer’s traffic is forwarded out of ge-0/0/1 (Main Working Gig)

The 2nd challenge to take is how to setup L2VPN.

In L2VPN, we don’t have the luxary to use IRB interfaces as we did with L3VPN, that’s beacuse IRBs are L3 interfaces so in order to maintain redundancy we’ll create a VPLS instance and stitch it to customer’s L2VPN with the use of Logical Tunnels Interfaces.

root@R02J> show interfaces descriptions | match Cust-B
ge-0/0/1.800  up    up     VPN:Cust-B
ge-0/1/1.800  up    down VPN:Cust-B
root@R02J> show configuration interfaces ge-0/0/1.800
description “Cust-B”;
encapsulation vlan-vpls;
vlan-id 800;

As L2VPN is using L2circuit (xconnect) and we are using VPLS in order to maintain redundancy, we need to create an xconnect on a virtual link called logical tunnel (lt0/0/0.8001) on our PE first then stitch it to lt0/0/0.800 that belongs to the same instance of the VPLS so we can forward the layer 2 traffic to the customer’s site.

The Data will take the path R01(VC 3000) >>> R02(VC 3000 lt0/0/0.8001) >>> VPLS Instance Cust-B (lt0/0/0.800)>>> Customer-Site ge-0/0/1.800

Configuration is straight forward, 1st we’ll configure the 2 lt interfaces

root@R02J> show configuration interfaces lt-0/0/0.8001 >>> L2VPN belonging interface
encapsulation vlan-ccc;
vlan-id 800;
peer-unit 800;

root@R02J> show configuration interfaces lt-0/0/0.800 >>> VPLS belonging interface
encapsulation vlan-vpls;
vlan-id 800;
peer-unit 800;

Then we need to configure the L2circuit Protocols and the VPLS instance and add the appropriate interfaces.

root@R02J> show configuration protocols l2circuit
neighbor {
 interface lt-0/0/0.8001{
     virtual-circuit-id 3000;
mtu 1600;
root@R02J> show configuration routing-instance Cust-B
instance-type vpls;
interface lt-0/0/0.800;
interface ge-0/0/1.800;
interface ge-0/1/1.800;
route-distinguisher 8452:19;
vrf-target target:8452:19;
protocols {
vpls {
site-range 10;
site 1 {
site-identifier 1;
interface ge-0/0/1.800;
              interface ge-0/1/1.800;
  site 2 {
site-identifier 2;
               interface lt-0/0/0.800;

Now we can verify that xconnect is working fine between the 2 PEs

root@R02J> show l2circuit connections interface lt-0/0/0.8001| find Neighbor
Interface                             Type  St     Time last up          # Up trans
    lt-0/0/0.8001(vc 3000)   rmt   Up     Aug 22 17:06:11 2016    1
Remote PE:, Negotiated control-word: Yes (Null)
Incoming label: 386769, Outgoing label: 32413
Negotiated PW status TLV: No
Local interface: lt-0/0/0.8001, Status: Up, Encapsulation: VLAN

And we can verify learned MAC Addresses over the L2VPN/VPLS network as below

root@R02J> show vpls mac-table instance Cust-B

MAC flags (S -static MAC, D -dynamic MAC, L -locally learned, C -Control MAC
SE -Statistics enabled, NM -Non configured MAC, R -Remote PE MAC)

Routing instance : Cust-B
Bridging domain : __Cust-B__, VLAN : NA
MAC                        MAC      Logical          NH     RTR
address                   flags    interface        Index  ID
   00:e0:bd:20:3b:c3   D        ge-0/0/1.800 >>>  from customer’s local site
   78:da:af:29:13:00   D        lt-0/0/0.800 >>>  from customer’s remote site

Finally I wish this was informative for you and thank you for viewing.

Posted on August 30, 2016, in Juniper and tagged , , , , , , . Bookmark the permalink. 1 Comment.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: