08-06-2010 12:23 PM
I have two locations with a layer 2 link in between (AT&T opt-e-man to be specific). I have J series routers running JunOS 10.0R3 on both ends.
I would like to be able to bridge location A's private LAN (assigned to a VLAN) to a VLAN at location B, such that devices on the private VLAN at location A can access the private VLAN at location B as though the devices were on the same physical LAN.
In addition, I would like to create a second channel/VLAN on this connection that can be used for IP connectivity between the router at each location. The objective of this component would be to establish IP routing (and BGP peering) between the two devices so that this connection can also be used for Internet connectivity. (Both locations also have a separate path to the Internet)
I've attached a diagram of what I'd like to accomplish. It appears that this could be accomplished using VPLS (between the ge-0/0/3 interfaces of the two routers), but I have not been able to find configuration instructions that match what I'm trying to do with the bridging of the 10.10.10.0/24 (VLAN 10) network.
08-07-2010 08:44 AM
I have provided more specific documentation on the j-series routing and interfaces guide. I have seen quite a few people embrace VPLS and MPLS layered technologies, and we use the j-series routers in labs. So I don't think you are going to have much of an issue.
To start with, are these routers going to be the security routers too? Generally when I turn on MPLS it is just a router, not a firewall and router. I do believe you can do some filters to get around this to do flow and packet based on the same unit, but generally when you enable mpls globally on 10.0.x it will turn the secure router into packet mode w/ no security features available.
Recently we have set up vpls using RSVP to signal the labels.
Simply turn on OSPF as a transit protocol on the metro interfaces (both sides), set up a lo0 /32 on each of the end-points, and enable mpls and rsvp on these interfaces. Turn on bgp, specify an ASN and create a peer relationship between the two routers across the metro network. (Note to specify l2-signaling under protocols...bgp). Then create a routing-instance, specify the instance type as a vpls instance. From there you set up your access/edge interfaces for the two data centers. Set up a dot1q trunk with various units and vlan-ids facing your switch(es), and specify the encaps type as ethernet-vpls on the j-series routers. You should create a routing-instance per vlan for the VPLS to create the bridge(s) across the metro network vlan to vlan.
This should be enough to get you started. For the public internet access I would create 2 vpls instances, one for each provider, unless there is just one provider and the connections are on the same subnet & broadcast domain at both locations. You could get away with just one at that point.
I hope that gives you enough info to start with, check out the link to the docs for 10.0 and have fun!
08-09-2010 05:37 PM
Thanks...your quick summary was what it took to push me over the last hurdle on getting this working.
I do have it working in my lab configuration now. I haven't, however, found a way to maintain flow mode for any of my non-MPLS interfaces. The documentation indicates that this isn't possible and that appears to be true at this point. I'm fine with losing flow mode (I can get by with stateless filtering -- no problem). The part I can't afford to lose is IPSec VPN support, which goes away completely when flow mode is disabled.
I've tried applying input filters to force packet mode on all of the MPLS related interfaces, but it doesn't seem to help, unfortunately.
08-09-2010 05:50 PM
It looks like I spoke too soon. It appears that this actually does work in a mixed flow/packet mode deployment. The key appears to be to set up a filter that forces packet mode under [edit firewall family mpls] and then apply that on the metro link interfaces under the mpls family. The inet family on the metro interface can remain in flow mode.
I haven't checked the full functionality of everything else I need (eBGP, IPSec tunnels, and OSPF in a virtual router instance), but so far so good -- VPLS appears to be working as expected.
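
A sketch of the mixed flow/packet arrangement described in the post above, added here as an illustration; it is not the poster's configuration. The filter name, term name, zone name and the 192.0.2.0/30 address are placeholders, and the statements assume set-style Junos syntax with the global MPLS packet-based forwarding option left unset.

```junos
# Added illustration: names and addresses are placeholders, not from the thread.

# Stateless filter in the mpls family: every labeled packet arriving on the
# interface is handled in packet mode and bypasses the flow module.
set firewall family mpls filter mpls-packet-mode term all-labeled then packet-mode
set firewall family mpls filter mpls-packet-mode term all-labeled then accept

# Metro link (ge-0/0/3 in the original question). Only the mpls family gets
# the packet-mode filter; family inet has no such filter and stays in flow
# mode, so zones, policies and IPsec still apply to plain IP traffic.
set interfaces ge-0/0/3 unit 0 family inet address 192.0.2.1/30
set interfaces ge-0/0/3 unit 0 family mpls filter input mpls-packet-mode

# Because inet on the metro link remains flow-based, the interface must sit
# in a security zone, and the control protocols the VPLS setup relies on
# (OSPF, RSVP, BGP) must be permitted as host-inbound traffic.
set security zones security-zone metro interfaces ge-0/0/3.0 host-inbound-traffic protocols ospf
set security zones security-zone metro interfaces ge-0/0/3.0 host-inbound-traffic protocols rsvp
set security zones security-zone metro interfaces ge-0/0/3.0 host-inbound-traffic protocols bgp
```

Traffic carried inside the VPLS instance is forwarded in packet mode and is not inspected by security policies, so any filtering for the bridged VLAN has to be done with stateless firewall filters.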
11-25-2010 04:58 PM
Are you able to provide a sample configuration and basic diagram? This sounds really interesting and I would love to see how this is done.
Would this setup pass STP and LLDP between the 2 switches over the MPLS?