Whether the MPLS VPN function on USG firewalls is controlled by a license


The MPLS VPN function of the USG2000, USG5000, and USG6000 is not controlled by a license.

Other related questions:
MPLS VPN supported by USG firewalls
The USG2000, USG5000, and USG6000 support MPLS VPN.

Functions of USG firewalls controlled by a license
The license control items of the USG2000, USG5000, and USG6000 series are different.
1. License control items of the USG5500: number of virtual firewalls, number of concurrent SSL VPN users, intrusion prevention system (IPS), anti-virus (AV), real-time blackhole list (RBL) for spam, remote query of URL predefined category, mail content filtering, web content filtering, search keyword filtering, FTP filtering, and GTP.
2. License control items of the USG2110-X, USG2100, USG2200, USG5100, USG2200, and USG 5100 HSR: number of virtual firewalls, number of concurrent SSL VPN users, IPS, AV, RBL for spam, remote query of URL predefined category, mail content filtering, web content filtering, search keyword filtering, and FTP filtering.
3. License control items of the USG6000 series: number of virtual systems, number of concurrent SSL VPN users, content security combination (file type filtering, content filtering, application behavior control, mail filtering, and auditing), IPS, AV, remote query of URL predefined category, and encryption algorithms approved by the State Password Administration Committee Office (SM2, SM3, and SM4).

MPLS VPN configuration of USG firewalls
The scenario and configuration for establishing the LSP using the LDP on the USG2000, USG5000, and USG6000 are as follows:
Local LDP sessions can be established only between adjacent LSRs. LDP LSP is a method used to create a dynamic LSP. When the LSP establishment process does not need to be strictly controlled and traffic engineering is not required by the MPLS network, you can create the LSP using LDP.
1. Enable the global MPLS and MPLS LDP on each LSR. Modify the LDP LSP triggering policy to all on each LSR, so that all static routes and IGP entries in the routing table can trigger the LDP LSP establishment.
   a. Configure the LSRA.
      [LSRA] mpls lsr-id 1.1.1.9
      [LSRA] mpls
      [LSRA-mpls] lsp-trigger all
      [LSRA-mpls] quit
      [LSRA] mpls ldp
   b. Configure the LSRB.
      [LSRB] mpls lsr-id 2.2.2.9
      [LSRB] mpls
      [LSRB-mpls] lsp-trigger all
      [LSRB-mpls] quit
      [LSRB] mpls ldp
   c. Configure the LSRC.
      [LSRC] mpls lsr-id 3.3.3.9
      [LSRC] mpls
      [LSRC-mpls] lsp-trigger all
      [LSRC-mpls] quit
      [LSRC] mpls ldp
2. Enable the MPLS and MPLS LDP function on each LSR interface.
   a. Configure the LSRA.
      [LSRA] interface GigabitEthernet 0/0/3
      [LSRA-GigabitEthernet0/0/3] mpls
      [LSRA-GigabitEthernet0/0/3] mpls ldp
   b. Configure the LSRB.
      [LSRB] interface GigabitEthernet 0/0/2
      [LSRB-GigabitEthernet0/0/2] mpls
      [LSRB-GigabitEthernet0/0/2] mpls ldp
      [LSRB-GigabitEthernet0/0/2] quit
      [LSRB] interface GigabitEthernet 0/0/3
      [LSRB-GigabitEthernet0/0/3] mpls
      [LSRB-GigabitEthernet0/0/3] mpls ldp
   c. Configure the LSRC.
      [LSRC] interface GigabitEthernet 0/0/3
      [LSRC-GigabitEthernet0/0/3] mpls
      [LSRC-GigabitEthernet0/0/3] mpls ldp
The scenario and configuration for establishing the static LSP on the USG2000, USG5000, and USG6000 are as follows:
You can configure the static LSP for a stable, small-scale network with a simple topology.
1. Configure the global MPLS for each node.
   a. Configure the LSRA.
      [LSRA] mpls lsr-id 1.1.1.9
      [LSRA] mpls
   b. Configure the LSRB.
      [LSRB] mpls lsr-id 2.2.2.9
      [LSRB] mpls
   c. Configure the LSRC.
      [LSRC] mpls lsr-id 3.3.3.9
      [LSRC] mpls
   d. Configure the LSRD.
      [LSRD] mpls lsr-id 4.4.4.9
      [LSRD] mpls
2. Configure the MPLS for each interface.
   a. Configure the LSRA.
      [LSRA] interface GigabitEthernet 0/0/2
      [LSRA-GigabitEthernet0/0/2] mpls
      [LSRA-GigabitEthernet0/0/2] quit
      [LSRA] interface GigabitEthernet 0/0/3
      [LSRA-GigabitEthernet0/0/3] mpls
   b. Configure the LSRB.
      [LSRB] interface GigabitEthernet 0/0/2
      [LSRB-GigabitEthernet0/0/2] mpls
      [LSRB-GigabitEthernet0/0/2] quit
      [LSRB] interface GigabitEthernet 0/0/3
      [LSRB-GigabitEthernet0/0/3] mpls
   c. Configure the LSRC.
      [LSRC] interface GigabitEthernet 0/0/2
      [LSRC-GigabitEthernet0/0/2] mpls
      [LSRC-GigabitEthernet0/0/2] quit
      [LSRC] interface GigabitEthernet 0/0/3
      [LSRC-GigabitEthernet0/0/3] mpls
   d. Configure the LSRD.
      [LSRD] interface GigabitEthernet 0/0/2
      [LSRD-GigabitEthernet0/0/2] mpls
      [LSRD-GigabitEthernet0/0/2] quit
      [LSRD] interface GigabitEthernet 0/0/3
      [LSRD-GigabitEthernet0/0/3] mpls
3. Create the static LSP from LSRA to LSRD.
   a. Configure the ingress LSRA.
      [LSRA] static-lsp ingress RAtoRD destination 4.4.4.9 32 nexthop 10.1.1.2 out-label 20
   b. Configure the transit LSRB.
      [LSRB] static-lsp transit RAtoRD incoming-interface GigabitEthernet 0/0/2 in-label 20 nexthop 10.2.1.2 out-label 40
   c. Configure the egress LSRD.
      [LSRD] static-lsp egress RAtoRD incoming-interface GigabitEthernet 0/0/2 in-label 40
   The LSP is unidirectional. Therefore, you need to configure the static LSP from LSRD to LSRA.
4. Create the static LSP from LSRD to LSRA. You can configure the static LSP from LSRD to LSRA using the same method.
   a. Configure the ingress LSRD.
      [LSRD] static-lsp ingress RDtoRA destination 1.1.1.9 32 nexthop 10.4.1.1 out-label 30
   b. Configure the transit LSRC.
      [LSRC] static-lsp transit RDtoRA incoming-interface GigabitEthernet 0/0/3 in-label 30 nexthop 10.3.1.1 out-label 60
   c. Configure the egress LSRA.
      [LSRA] static-lsp egress RDtoRA incoming-interface GigabitEthernet 0/0/3 in-label 60
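The static LSP steps above only work if each hop's out-label equals the next hop's in-label. The following Python check is an added example, not part of the original answer or the vendor's tooling; it parses the static-lsp commands and walks each LSP from ingress to egress. The names CONFIG, parse, check_lsp and audit are hypothetical, and because the page gives no topology it assumes label values are unique within one LSP name.

```python
import re

# Constructed input: the static-lsp commands from the steps above, keyed by LSR.
CONFIG = {
    "LSRA": ["static-lsp ingress RAtoRD destination 4.4.4.9 32 nexthop 10.1.1.2 out-label 20",
             "static-lsp egress RDtoRA incoming-interface GigabitEthernet 0/0/3 in-label 60"],
    "LSRB": ["static-lsp transit RAtoRD incoming-interface GigabitEthernet 0/0/2 "
             "in-label 20 nexthop 10.2.1.2 out-label 40"],
    "LSRC": ["static-lsp transit RDtoRA incoming-interface GigabitEthernet 0/0/3 "
             "in-label 30 nexthop 10.3.1.1 out-label 60"],
    "LSRD": ["static-lsp egress RAtoRD incoming-interface GigabitEthernet 0/0/2 in-label 40",
             "static-lsp ingress RDtoRA destination 1.1.1.9 32 nexthop 10.4.1.1 out-label 30"],
}
COMMAND = re.compile(r"^static-lsp (ingress|transit|egress) (\S+)(.*)$")
LABEL = re.compile(r"\b(in|out)-label (\d+)")

def parse(config):
    """Return {lsp_name: [(node, role, in_label, out_label), ...]}."""
    lsps = {}
    for node, lines in config.items():
        for line in lines:
            m = COMMAND.match(line.strip())
            if not m:
                continue  # not a static-lsp command
            role, name, rest = m.groups()
            labels = {kind: int(value) for kind, value in LABEL.findall(rest)}
            lsps.setdefault(name, []).append((node, role, labels.get("in"), labels.get("out")))
    return lsps

def check_lsp(hops):
    """Follow out-label -> in-label from ingress to egress; return (path, errors)."""
    ingress = [h for h in hops if h[1] == "ingress"]
    if len(ingress) != 1:
        return [], ["expected exactly one ingress, found %d" % len(ingress)]
    current = ingress[0]
    remaining = [h for h in hops if h[1] != "ingress"]
    path = [current[0]]
    while current[1] != "egress":
        matches = [h for h in remaining if h[2] == current[3]]
        if len(matches) != 1:
            return path, ["no unique hop with in-label %s after %s" % (current[3], current[0])]
        current = matches[0]
        remaining.remove(current)
        path.append(current[0])
    return path, ["unused hop on %s" % h[0] for h in remaining]

def audit(config):
    """Assumption: label values are unique within one LSP name (no topology given)."""
    return {name: check_lsp(hops) for name, hops in parse(config).items()}
```

Calling audit(CONFIG) returns the node path and an error list per LSP name; an empty error list means the label chain is continuous in that direction.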

L2 MPLS VPN supported by USG firewalls
The USG2000, USG5000, and USG6000 do not support L2 MPLS VPN.

Configuring L2 MPLS VPN and L3 MPLS VPN in backup mode on USG firewalls
The USG firewalls do not support the configuration of L2 MPLS VPN and L3 MPLS VPN in backup mode.
