H-VPLS Deployment using Juniper devices
Recently I was working on a project that required a P2MP solution for gigabit last mile internet access. Essentially we needed to stitch multiple tower sites back to the Edge where they would participate in the same broadcast domain or VPLS instance. This would make management much easier as now you can deploy a centralized PPPoE server, DHCP server, NAT services, etc. Simple enough, right? Deploy an ELAN solution and call it a day. That's what I said until I discovered that the tower sites were using Juniper ACX devices, which do not natively support ELAN configurations out of the box (dammit man).
The Edge network consisted of MX devices, so that's an easy implementation, but with the ACXs on the other end we would need to implement an H-VPLS solution to get the P2MP topology to operate properly.
For those not familiar with VPLS, here is a quick definition and use case.
Credit to Juniper article "DEMYSTIFYING H-VPLS"
VPLS is one of the key MPLS-based services that has developed in the industry over the past few years. As its name implies, the purpose of VPLS is to provide a private multipoint LAN-type Ethernet connectivity service. For those more familiar with technologies like ATM, we could say VPLS is the LAN emulation service for MPLS. VPLS has special relevance in the service provider space as the way to deliver Layer 2 (L2) multipoint transparent services over an Ethernet infrastructure using MPLS. But what is so special about this? The key point is MPLS. MPLS has become the catalyst that can turn an Ethernet infrastructure into carrier class making it suitable for the service provider, as opposed to a VLAN-based or QinQ operation that has demonstrated through multiple examples that it does not provide what is required in the carrier environment. VPLS, as the main technology in use in the Metro Ethernet space, has two implementation options that the industry has standardized:
- RFC4761 – BGP-based VPLS
- RFC4762 – LDP-based VPLS
To put it in simple terms, what we are trying to do is extend the VPLS domain to Juniper devices by establishing pseudowires into a centralized/semi-centralized PE-rs, which is one of the main motivations for using H-VPLS.
Enough of the damn technical jargon, let's get this set up on the CLI. First we will do the ACX side. This end uses standard l2circuit configuration methods. In this case we are using Ethernet encapsulation to avoid having to pop any VLAN tags.
ACX Interface Config:
set interfaces xe-1/3/0 description "L2circuit Interface"
set interfaces xe-1/3/0 mtu 9052
set interfaces xe-1/3/0 encapsulation ethernet-ccc
set interfaces xe-1/3/0 unit 0
ACX L2circuit Config:
set protocols l2circuit neighbor X.X.X.X interface xe-1/3/0.0 virtual-circuit-id 2000
set protocols l2circuit neighbor X.X.X.X interface xe-1/3/0.0 encapsulation-type ethernet
set protocols l2circuit neighbor X.X.X.X interface xe-1/3/0.0 ignore-mtu-mismatch
Couple of notes here:
-L2circuit VCID must match the VPLS-ID on the other end
-Get in the habit of using "ignore-mtu-mismatch" to avoid MTU Mismatch errors
-Make sure your underlying IGP/MPLS is operational before attempting this. No shit right?
Now let's get to the meat and potatoes. The MX side. You will want to apply the below configuration to get an operational LDP-VPLS instance.
MX Interface Configuration:
set interfaces xe-5/3/0 description "VPLS INTERFACE"
set interfaces xe-5/3/0 mtu 9192
set interfaces xe-5/3/0 encapsulation ethernet-vpls
set interfaces xe-5/3/0 unit 0
MX VPLS configuration:
set routing-instances ELAN protocols vpls interface xe-5/3/0.0 encapsulation-type ethernet
set routing-instances ELAN protocols vpls no-tunnel-services
set routing-instances ELAN protocols vpls vpls-id 2000
set routing-instances ELAN protocols vpls ignore-mtu-mismatch
set routing-instances ELAN protocols vpls neighbor X.X.X.X encapsulation-type ethernet
set routing-instances ELAN instance-type vpls
set routing-instances ELAN interface xe-5/3/0.0
Couple of quick notes here:
-VPLS ID is 2000 which matches the Virtual Circuit ID on the remote ACX
-We again use "ignore-mtu-mismatch" under the instance. This will make life way easier. Trust me and use it.
-Make sure to have the "no-tunnel-services" knob. I initially forgot to apply this, and the instance would not come up. Juniper docs did not mention this!
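The notes for both ends can be checked mechanically before committing. The following is an added example, not part of the original post or any Juniper tooling: the helper names `pw_settings` and `check_hvpls_pair` are hypothetical, and the checks assume the post's own requirements (matching VCID and VPLS ID, matching encapsulation type, "no-tunnel-services" on the instance, "ignore-mtu-mismatch" on both ends).

```python
import re

# Pseudowire-related set commands from the post (addresses are masked there too).
ACX_CONFIG = """\
set protocols l2circuit neighbor X.X.X.X interface xe-1/3/0.0 virtual-circuit-id 2000
set protocols l2circuit neighbor X.X.X.X interface xe-1/3/0.0 encapsulation-type ethernet
set protocols l2circuit neighbor X.X.X.X interface xe-1/3/0.0 ignore-mtu-mismatch
"""
MX_CONFIG = """\
set routing-instances ELAN protocols vpls interface xe-5/3/0.0 encapsulation-type ethernet
set routing-instances ELAN protocols vpls no-tunnel-services
set routing-instances ELAN protocols vpls vpls-id 2000
set routing-instances ELAN protocols vpls ignore-mtu-mismatch
set routing-instances ELAN protocols vpls neighbor X.X.X.X encapsulation-type ethernet
set routing-instances ELAN instance-type vpls
set routing-instances ELAN interface xe-5/3/0.0
"""

def pw_settings(cfg, pattern):
    """Map each matching set line's trailing keyword to its value (True for bare knobs)."""
    out = {}
    for line in cfg.splitlines():
        m = re.match(pattern, line.strip())
        if m:
            words = m.group(1).split()
            out[words[0]] = words[1] if len(words) > 1 else True
    return out

def check_hvpls_pair(acx_cfg, mx_cfg, instance="ELAN"):
    """Return a list of mismatches between the ACX spoke and the MX VPLS instance."""
    spoke = pw_settings(acx_cfg, r"set protocols l2circuit neighbor \S+ interface \S+ (.+)")
    hub = pw_settings(mx_cfg, rf"set routing-instances {re.escape(instance)} protocols vpls "
                              r"(?:(?:neighbor|interface) \S+ )?(.+)")
    problems = []
    vcid, vpls_id = spoke.get("virtual-circuit-id"), hub.get("vpls-id")
    if vcid is None or vcid != vpls_id:
        problems.append(f"virtual-circuit-id {vcid} != vpls-id {vpls_id}")
    if spoke.get("encapsulation-type") != hub.get("encapsulation-type"):
        problems.append("encapsulation-type differs between ends")
    if not hub.get("no-tunnel-services"):
        problems.append("no-tunnel-services missing on the VPLS instance")
    for name, side in (("ACX", spoke), ("MX", hub)):
        if not side.get("ignore-mtu-mismatch"):
            problems.append(f"ignore-mtu-mismatch missing on {name}")
    return problems

if __name__ == "__main__":
    print(check_hvpls_pair(ACX_CONFIG, MX_CONFIG) or "pseudowire settings are consistent")
```

An empty list means the two ends agree on everything the notes above call out; it does not confirm that the underlying IGP/MPLS is up.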
As soon as this was applied, the instance was up and packets were flowing! You can use the following show commands to verify H-VPLS operation.
ACX Side:
alex@ACX> show l2circuit connections
Layer-2 Circuit Connections:
Legend for connection status (St)
EI -- encapsulation invalid      NP -- interface h/w not present
MM -- mtu mismatch               Dn -- down
EM -- encapsulation mismatch     VC-Dn -- Virtual circuit Down
CM -- control-word mismatch      Up -- operational
VM -- vlan id mismatch           CF -- Call admission control failure
OL -- no outgoing label          IB -- TDM incompatible bitrate
NC -- intf encaps not CCC/TCC    TM -- TDM misconfiguration
BK -- Backup Connection          ST -- Standby Connection
CB -- rcvd cell-bundle size bad  SP -- Static Pseudowire
LD -- local site signaled down   RS -- remote site standby
RD -- remote site signaled down  HS -- Hot-standby Connection
XX -- unknown
Legend for interface status
Up -- operational
Dn -- down
Neighbor: X.X.X.X
    Interface                 Type  St     Time last up          # Up trans
    xe-1/3/0.0(vc 2000)       rmt   Up     Jan  2 04:53:16 2015           1
      Remote PE: X.X.X.X, Negotiated control-word: No
      Incoming label: 299776, Outgoing label: 21
      Negotiated PW status TLV: No
      Local interface: xe-1/3/0.0, Status: Up, Encapsulation: ETHERNET
      Flow Label Transmit: No, Flow Label Receive: No
MX Side:
alex@MX> show vpls connections extensive instance ELAN
Layer-2 VPN connections:
Legend for connection status (St)
EI -- encapsulation invalid      NC -- interface encapsulation not CCC/TCC/VPLS
EM -- encapsulation mismatch     WE -- interface and instance encaps not same
VC-Dn -- Virtual circuit down    NP -- interface hardware not present
CM -- control-word mismatch      -> -- only outbound connection is up
CN -- circuit not provisioned    <- -- only inbound connection is up
OR -- out of range               Up -- operational
OL -- no outgoing label          Dn -- down
LD -- local site signaled down   CF -- call admission control failure
RD -- remote site signaled down  SC -- local and remote site ID collision
LN -- local site not designated  LM -- local site ID not minimum designated
RN -- remote site not designated RM -- remote site ID not minimum designated
XX -- unknown connection status  IL -- no incoming label
MM -- MTU mismatch               MI -- Mesh-Group ID not available
BK -- Backup connection          ST -- Standby connection
PF -- Profile parse failure      PB -- Profile busy
RS -- remote site standby        SN -- Static Neighbor
LB -- Local site not best-site   RB -- Remote site not best-site
VM -- VLAN ID mismatch           HS -- Hot-standby Connection
Legend for interface status
Up -- operational
Dn -- down
Instance: ELAN
  VPLS-id: 2000
    Number of local interfaces: 1
    Number of local interfaces up: 1
    xe-5/3/0.0
    lsi.1048587                   Intf - vpls ELAN neighbor X.X.X.X vpls-id 2000
    Neighbor                  Type  St     Time last up          # Up trans
    X.X.X.X (vpls-id 2000)    rmt   Up     Jun  9 01:46:14 2022           1
      Remote PE: X.X.X.X, Negotiated control-word: No
      Incoming label: 21, Outgoing label: 299776
      Negotiated PW status TLV: No
      Local interface: lsi.1048587, Status: Up, Encapsulation: ETHERNET
        Description: Intf - vpls ELAN neighbor X.X.X.X vpls-id 2000
      Flow Label Transmit: No, Flow Label Receive: No
You can take one extra step and make sure you are learning MACs across the instance.
alex@MX> show vpls mac-table instance ELAN
MAC flags       (S -static MAC, D -dynamic MAC, L -locally learned, C -Control MAC
    O -OVSDB MAC, SE -Statistics enabled, NM -Non configured MAC, R -Remote PE MAC, P -Pinned MAC)
Routing instance : ELAN
 Bridging domain : __ELAN__, VLAN : NA
   MAC                 MAC      Logical          NH     MAC         active
   address             flags    interface        Index  property    source
   00:e0:e2:d5:71:44   D        lsi.1048587
   04:f1:7d:80:1b:08   D        lsi.1048587
   04:f1:7d:80:38:1a   D        lsi.1048587
   64:d1:54:e5:16:3c   D        xe-5/3/0.0
Please note that MAC addresses are being learned via lsi.1048587. If you look at the previous snippet, you can verify that the LSI matches; therefore these MAC addresses are being learned via the remote ACX. Additionally, we are also learning a MAC on the local interface.
With all of these devices now connected to the same L2 broadcast domain or "switch", devices will be able to ping each other once basic IP addressing has been applied. You are now ready to start adding more sites and scaling out this solution across multiple endpoints.
Hopefully this helps someone out that needs to get H-VPLS up quick and dirty. It took me half a day or so to finally get it configured properly, so I hope this cuts down the time it takes for you to get it working. Thanks for reading and stay tuned for future tutorials on hard shit that ends up on my desk. Happy Routing!
--
Alex Ochoa
Network Solutions Architect
2 years ago: Good stuff Alex! Keep up the good work.