USG firewalls supporting interfaces with MPLS attributes

52

The USG2000, USG5000, and USG6000 support the following interfaces with MPLS attributes:
1. L3 Ethernet interfaces
2. Ethernet subinterfaces
3. VLANIF interfaces
4. L3 Eth-Trunk interfaces
5. Eth-Trunk subinterfaces

Note: Tunnel interfaces do not support the MPLS attributes.

Other related questions:
USG firewall supports MPLS interface
The USG2000&5000&6000 supports the MPLS characteristics of the interface as follows: 1 Layer-3 Ethernet interface 2 Ethernet sub interface 3 Vlanif interface 4 Layer-3 Eth-Trunk interface 5 Eth-Trunk sub interface Note: Tunnel interface does not support MPLS features.

MPLS VPN supported by USG firewalls
The USG2000, USG5000, and USG6000 support MPLS VPN.

L2 MPLS VPN supported by USG firewalls
The USG2000, USG5000, and USG6000 do not support L2 MPLS VPN.

MPLS VPN configuration of USG firewalls
The scenario and configuration for establishing the LSP using the LDP on the USG2000, USG5000, and USG6000 are as follows: Local LDP sessions can be established only between adjacent LSRs. LDP LSP is a method used to create a dynamic LSP. When the LSP establishment process does not need to be strictly controlled and traffic engineering is not required by the MPLS network, you can create the LSP using LDP. 1. Enable the global MPLS and MPLS LDP on each LSR. Modify the LDP LSP triggering policy to all on each LSR, so that all static routes and IGP entries in the routing table can trigger the LDP LSP establishment. a. Configure the LSRA. [LSRA] mpls lsr-id 1.1.1.9 [LSRA] mpls [LSRA-mpls] lsp-trigger all [LSRA-mpls] quit [LSRA] mpls ldp b. Configure the LSRB. [LSRB] mpls lsr-id 2.2.2.9 [LSRB] mpls [LSRB-mpls] lsp-trigger all [LSRB-mpls] quit [LSRB] mpls ldp c. Configure the LSRC. [LSRC] mpls lsr-id 3.3.3.9 [LSRC] mpls [LSRC-mpls] lsp-trigger all [LSRC-mpls] quit [LSRC] mpls ldp 2. Enable the MPLS and MPLS LDP function on each LSR interface. a. Configure the LSRA. [LSRA] interface GigabitEthernet 0/0/3 [LSRA-GigabitEthernet0/0/3] mpls [LSRA-GigabitEthernet0/0/3] mpls ldp b. Configure the LSRB. [LSRB] interface GigabitEthernet 0/0/2 [LSRB-GigabitEthernet0/0/2] mpls [LSRB-GigabitEthernet0/0/2] mpls ldp [LSRB] interface GigabitEthernet 0/0/3 [LSRB-GigabitEthernet0/0/3] mpls [LSRB-GigabitEthernet0/0/3] mpls ldp c. Configure the LSRC. [LSRC] interface GigabitEthernet 0/0/3 [LSRC-GigabitEthernet0/0/3] mpls [LSRC-GigabitEthernet0/0/3] mpls ldp The scenario and configuration for establishing the static LSP on the USG2000, USG5000, and USG6000 are as follows: You can configure the static LSP for stable small-scaled network with simple topology. 1. Configure the global MPLS for each node. a. Configure the LSRA. [LSRA] mpls lsr-id 1.1.1.9 [LSRA] mpls b. Configure the LSRB. [LSRB] mpls lsr-id 2.2.2.9 [LSRB] mpls c. Configure the LSRC. [LSRC] mpls lsr-id 3.3.3.9 [LSRC] mpls d. Configure the LSRD. [LSRD] mpls lsr-id 4.4.4.9 [LSRD] mpls 2. Configure the MPLS for each interface. a. Configure the LSRA. [LSRA] interface GigabitEthernet 0/0/2 [LSRA-GigabitEthernet0/0/2] mpls [LSRA] interface GigabitEthernet 0/0/3 [LSRA-GigabitEthernet0/0/3] mpls b. Configure the LSRB. [LSRB] interface GigabitEthernet 0/0/2 [LSRB-GigabitEthernet0/0/2] mpls [LSRB] interface GigabitEthernet 0/0/3 [LSRB-GigabitEthernet0/0/3] mpls c. Configure the LSRC. [LSRC] interface GigabitEthernet 0/0/2 [LSRC-GigabitEthernet0/0/2] mpls [LSRC] interface GigabitEthernet 0/0/3 [LSRC-GigabitEthernet0/0/3] mpls d. Configure the LSRD. [LSRD] interface GigabitEthernet 0/0/2 [LSRD-GigabitEthernet0/0/2] mpls [LSRD] interface GigabitEthernet 0/0/3 [LSRD-GigabitEthernet0/0/3] mpls 3. Create the static LSP from LSRA to LSRD. a. Configure the ingress LSRA. [LSRA] static-lsp ingress RAtoRD destination 4.4.4.9 32 nexthop 10.1.1.2 out-label 20 b. Configure the Transit LSRB. [LSRB] static-lsp transit RAtoRD incoming-interface GigabitEthernet 0/0/2 in-label 20 nexthop 10.2.1.2 out-label 40 c. Configure the egress LSRD. [LSRD] static-lsp egress RAtoRD incoming-interface GigabitEthernet 0/0/2 in-label 40 The LSP is unidirectional. Therefore, you need to configure the static LSP from LSRD to LSRA. 4. Create the static LSP from LSRD to LSRA. You can configure the static LSP from LSRD to LSRA using the same method. a. Configure the ingress LSRD. [LSRD] static-lsp ingress RDtoRA destination 1.1.1.9 32 nexthop 10.4.1.1 out-label 30 b. Configure the Transit LSRC. [LSRC] static-lsp transit RDtoRA incoming-interface GigabitEthernet 0/0/3 in-label 30 nexthop 10.3.1.1 out-label 60 c. Configure the egress LSRA. [LSRA] static-lsp egress RDtoRA incoming-interface GigabitEthernet 0/0/3 in-label 60

Whether the MPLS VPN function on USG firewalls is controlled by a license
The MPLS VPN function of the USG2000, USG5000, and USG6000 is not controlled by a license.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top