Configuring L2 MPLS VPN and L3 MPLS VPN in backup mode on USG firewalls


The USG firewalls do not support the configuration of L2 MPLS VPN and L3 MPLS VPN in backup mode.

Other related questions:
L2 MPLS VPN supported by USG firewalls
The USG2000, USG5000, and USG6000 do not support L2 MPLS VPN.

MPLS VPN configuration of USG firewalls
The scenario and configuration for establishing the LSP using the LDP on the USG2000, USG5000, and USG6000 are as follows:

Local LDP sessions can be established only between adjacent LSRs. LDP LSP is a method used to create a dynamic LSP. When the LSP establishment process does not need to be strictly controlled and traffic engineering is not required by the MPLS network, you can create the LSP using LDP.

1. Enable the global MPLS and MPLS LDP on each LSR. Modify the LDP LSP triggering policy to all on each LSR, so that all static routes and IGP entries in the routing table can trigger the LDP LSP establishment.
   a. Configure the LSRA.
      [LSRA] mpls lsr-id 1.1.1.9
      [LSRA] mpls
      [LSRA-mpls] lsp-trigger all
      [LSRA-mpls] quit
      [LSRA] mpls ldp
   b. Configure the LSRB.
      [LSRB] mpls lsr-id 2.2.2.9
      [LSRB] mpls
      [LSRB-mpls] lsp-trigger all
      [LSRB-mpls] quit
      [LSRB] mpls ldp
   c. Configure the LSRC.
      [LSRC] mpls lsr-id 3.3.3.9
      [LSRC] mpls
      [LSRC-mpls] lsp-trigger all
      [LSRC-mpls] quit
      [LSRC] mpls ldp
2. Enable the MPLS and MPLS LDP function on each LSR interface.
   a. Configure the LSRA.
      [LSRA] interface GigabitEthernet 0/0/3
      [LSRA-GigabitEthernet0/0/3] mpls
      [LSRA-GigabitEthernet0/0/3] mpls ldp
   b. Configure the LSRB.
      [LSRB] interface GigabitEthernet 0/0/2
      [LSRB-GigabitEthernet0/0/2] mpls
      [LSRB-GigabitEthernet0/0/2] mpls ldp
      [LSRB] interface GigabitEthernet 0/0/3
      [LSRB-GigabitEthernet0/0/3] mpls
      [LSRB-GigabitEthernet0/0/3] mpls ldp
   c. Configure the LSRC.
      [LSRC] interface GigabitEthernet 0/0/3
      [LSRC-GigabitEthernet0/0/3] mpls
      [LSRC-GigabitEthernet0/0/3] mpls ldp

The scenario and configuration for establishing the static LSP on the USG2000, USG5000, and USG6000 are as follows:

You can configure the static LSP for a stable, small-scale network with a simple topology.

1. Configure the global MPLS for each node.
   a. Configure the LSRA.
      [LSRA] mpls lsr-id 1.1.1.9
      [LSRA] mpls
   b. Configure the LSRB.
      [LSRB] mpls lsr-id 2.2.2.9
      [LSRB] mpls
   c. Configure the LSRC.
      [LSRC] mpls lsr-id 3.3.3.9
      [LSRC] mpls
   d. Configure the LSRD.
      [LSRD] mpls lsr-id 4.4.4.9
      [LSRD] mpls
2. Configure the MPLS for each interface.
   a. Configure the LSRA.
      [LSRA] interface GigabitEthernet 0/0/2
      [LSRA-GigabitEthernet0/0/2] mpls
      [LSRA] interface GigabitEthernet 0/0/3
      [LSRA-GigabitEthernet0/0/3] mpls
   b. Configure the LSRB.
      [LSRB] interface GigabitEthernet 0/0/2
      [LSRB-GigabitEthernet0/0/2] mpls
      [LSRB] interface GigabitEthernet 0/0/3
      [LSRB-GigabitEthernet0/0/3] mpls
   c. Configure the LSRC.
      [LSRC] interface GigabitEthernet 0/0/2
      [LSRC-GigabitEthernet0/0/2] mpls
      [LSRC] interface GigabitEthernet 0/0/3
      [LSRC-GigabitEthernet0/0/3] mpls
   d. Configure the LSRD.
      [LSRD] interface GigabitEthernet 0/0/2
      [LSRD-GigabitEthernet0/0/2] mpls
      [LSRD] interface GigabitEthernet 0/0/3
      [LSRD-GigabitEthernet0/0/3] mpls
3. Create the static LSP from LSRA to LSRD.
   a. Configure the ingress LSRA.
      [LSRA] static-lsp ingress RAtoRD destination 4.4.4.9 32 nexthop 10.1.1.2 out-label 20
   b. Configure the transit LSRB.
      [LSRB] static-lsp transit RAtoRD incoming-interface GigabitEthernet 0/0/2 in-label 20 nexthop 10.2.1.2 out-label 40
   c. Configure the egress LSRD.
      [LSRD] static-lsp egress RAtoRD incoming-interface GigabitEthernet 0/0/2 in-label 40
   The LSP is unidirectional. Therefore, you need to configure the static LSP from LSRD to LSRA.
4. Create the static LSP from LSRD to LSRA. You can configure the static LSP from LSRD to LSRA using the same method.
   a. Configure the ingress LSRD.
      [LSRD] static-lsp ingress RDtoRA destination 1.1.1.9 32 nexthop 10.4.1.1 out-label 30
   b. Configure the transit LSRC.
      [LSRC] static-lsp transit RDtoRA incoming-interface GigabitEthernet 0/0/3 in-label 30 nexthop 10.3.1.1 out-label 60
   c. Configure the egress LSRA.
      [LSRA] static-lsp egress RDtoRA incoming-interface GigabitEthernet 0/0/3 in-label 60
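
A static LSP forwards only if the out-label set on each hop equals the in-label configured on the next hop. The Python check below is an added example, not part of the original page or Huawei code: it takes the static-lsp commands from steps 3 and 4 and follows the label swaps from ingress to egress. The names parse, trace, audit and the CONFIG layout are assumptions made for the illustration, and it does not verify next-hop addresses or interfaces.

```python
import re

# static-lsp commands copied from steps 3 and 4 above, keyed by the LSR they are entered on.
CONFIG = {
    "LSRA": ["static-lsp ingress RAtoRD destination 4.4.4.9 32 nexthop 10.1.1.2 out-label 20",
             "static-lsp egress RDtoRA incoming-interface GigabitEthernet 0/0/3 in-label 60"],
    "LSRB": ["static-lsp transit RAtoRD incoming-interface GigabitEthernet 0/0/2 in-label 20 nexthop 10.2.1.2 out-label 40"],
    "LSRC": ["static-lsp transit RDtoRA incoming-interface GigabitEthernet 0/0/3 in-label 30 nexthop 10.3.1.1 out-label 60"],
    "LSRD": ["static-lsp egress RAtoRD incoming-interface GigabitEthernet 0/0/2 in-label 40",
             "static-lsp ingress RDtoRA destination 1.1.1.9 32 nexthop 10.4.1.1 out-label 30"],
}

def parse(config):
    """Group entries by LSP name: {name: [(node, role, in_label, out_label)]}."""
    lsps = {}
    for node, lines in config.items():
        for line in lines:
            m = re.match(r"static-lsp (ingress|transit|egress) (\S+)", line)
            if not m:
                continue
            def label(kw):
                hit = re.search(rf" {kw} (\d+)", line)
                return int(hit.group(1)) if hit else None
            lsps.setdefault(m.group(2), []).append(
                (node, m.group(1), label("in-label"), label("out-label")))
    return lsps

def trace(hops):
    """Walk one LSP from ingress to egress by label swaps; return (ok, path)."""
    start = [h for h in hops if h[1] == "ingress"]
    if len(start) != 1:
        return False, []                # an LSP needs exactly one ingress
    node, _, _, label = start[0]
    path, rest = [node], [h for h in hops if h[1] != "ingress"]
    while rest:
        nxt = next((h for h in rest if h[2] == label), None)
        if nxt is None:
            return False, path          # no downstream hop expects this label
        rest.remove(nxt)
        path.append(nxt[0])
        if nxt[1] == "egress":
            return not rest, path       # leftover hops mean a stray entry
        label = nxt[3]                  # transit hop swaps to its out-label
    return False, path                  # ran out of hops before an egress

def audit(config):
    """Return {lsp_name: (ok, path)} for every static LSP in the config."""
    return {name: trace(hops) for name, hops in parse(config).items()}
```

A path that stops before the egress node names the hop whose out-label has no matching in-label downstream.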

MPLS VPN supported by USG firewalls
The USG2000, USG5000, and USG6000 support MPLS VPN.

Configuring Layer-2 MPLS VPN and Layer-3 MPLS VPN to back each other up on USG firewalls
USG firewalls do not support configuring Layer-2 VPN and Layer-3 MPLS VPN to back each other up.

Whether the MPLS VPN function on USG firewalls is controlled by a license
The MPLS VPN function of the USG2000, USG5000, and USG6000 is not controlled by a license.
