Hi,
> 2- Answering your second question, yes you are right if we connect the PC to PE or anywhere in the MPLS network we are not facing any problem at all.
Just to be clear, you connect the PC on the actual interface where the trunk to the Cisco goes, and the problem disappears?
In order to do this (looking at your diagram), you need to have vlan-tagging enabled on the PC; is that the case?
I am just trying to understand if we can rule out problems within the MPLS cloud; but in order to do this, I need to know if pings which succeed take the MPLS path or not. It would help to have the configuration of the VPLS instance, just to be sure we are on the same page.
Now, about your question:
> Can you please elaborate your troubleshooting procedure more like fast ping from windows connected to Cisco 6500
> to fortinet firewall and where I have to place the firewall filter on PE?
You need to have a way of generating lots of unidirectional traffic; on Unix, you could do a flood ping, on Juniper you could do a 'ping rapid interval 0.1' - but on Microsoft Windows, you cannot do any of this.
So you need to find/install a different (better) tool to generate that traffic, since it would make it easier to find out where the loss is - you want to be able to send a few thousand pings without having to wait for hours.
I did a search "rapid ping for windows" and found several programs, but I cannot recommend any in particular as I do not use windows; please pick one which fits your version of Windows.
Now, about the troubleshooting procedure: if you do not have other traffic on the path, you can simply clear interface statistics ("clear interface statistics all"), send 1000 pings, and check the counters again ("show interfaces ge-X/XX extensive"); you should see at least 1000 packets coming in on PE1, and being sent out of the remote PE2.
If there is other traffic, you should be able to configure a firewall filter (under family VPLS) on PE1:
http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-policy/firewall-fitler-match-conditions-vpls-configuring.html
You can do something like this:
[edit firewall]
family vpls {
    filter pc-traffic {
        term 1 {
            from {
                source-mac-address {
                    <your PC MAC address>;
                }
            }
            then {
                count traffic-from-pc;
                accept;
            }
        }
        term t2 {
            then accept;
        }
    }
}
Then, apply this on the CE-facing interface; under family vpls:
interfaces {
    ge-X/Y/Z {
        vlan-tagging;
        ...
        family vpls {
            filter {
                input pc-traffic;
            }
        }
    }
}
Then, do a "clear firewall", send 1000 ping packets, and do a "show firewall". If you do not see the 1000 packets, they have been dropped before.
Hope it helps,
Saverio
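
The counter check described in the post above, as an added example that is not part of the original post: it parses saved "show firewall" output and compares the traffic-from-pc counter with the number of pings sent. The sample output is constructed, its three-column layout is assumed to match what the PE prints, and the function names are hypothetical.

```python
import re

# Constructed sample: "show firewall" on PE1 after sending 1000 pings.
SAMPLE_PE1 = """\
Filter: pc-traffic
Counters:
Name                                                Bytes              Packets
traffic-from-pc                                     97608                  996
"""


def parse_counters(text):
    """Return {filter_name: {counter_name: packets}} from 'show firewall' text."""
    result, current, in_counters = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Filter:"):
            current = line.split(":", 1)[1].strip()
            result[current] = {}
            in_counters = False
        elif line == "Counters:":
            in_counters = True
        elif line.endswith(":"):
            # Any other section heading ends the counter list.
            in_counters = False
        elif in_counters and current is not None:
            # Counter rows are: name, bytes, packets. The header row has no
            # digits in columns two and three, so it does not match.
            m = re.fullmatch(r"(\S+)\s+(\d+)\s+(\d+)", line)
            if m:
                result[current][m.group(1)] = int(m.group(3))
    return result


def check_ingress(text, filter_name, counter, sent):
    """Compare counted packets with pings sent: (seen, missing, verdict)."""
    seen = parse_counters(text).get(filter_name, {}).get(counter)
    if seen is None:
        return (None, None, "counter not found: is the filter applied?")
    # The filter matches on source MAC only, so ARP and other frames from the
    # PC are counted too; 'seen' can be larger than 'sent'.
    missing = max(sent - seen, 0)
    if missing > 0:
        verdict = "loss before the PE ingress filter"
    else:
        verdict = "all probes reached the PE; look further along the path"
    return (seen, missing, verdict)


if __name__ == "__main__":
    print(check_ingress(SAMPLE_PE1, "pc-traffic", "traffic-from-pc", 1000))
```
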