Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation

Configuring an LDP-over-RSVP VPN Topology

This example shows how to set up a VPN topology in which LDP packets are tunneled over an RSVP LSP. This configuration consists of the following components (see Figure 1):

  • One VPN (VPN-A)
  • Two PE routers
  • LDP as the signaling protocol between the PE routers and their adjacent P routers
  • An RSVP LSP between two of the P routers over which LDP is tunneled

Figure 1: Example of an LDP-over-RSVP VPN Topology

Example of an LDP-over-RSVP VPN Topology

The following steps describe how this topology is established and how packets are sent from CE Router CE2 to CE Router CE1:

  1. The P routers P1 and P3 establish RSVP LSPs between each other and install their loopback addresses in their inet.3 routing tables.
  2. PE Router PE1 establishes an LDP session with Router P1 over interface so-1/0/0.0.
  3. Router P1 establishes an LDP session with Router P3’s loopback address, which is reachable using the RSVP LSP.
  4. Router P1 sends its label bindings, which include a label to reach Router PE1, to Router P3. These label bindings allow Router P3 to direct LDP packets to Router PE1.
  5. Router P3 establishes an LDP session with Router PE2 over interface so0-0/0/0.0 and establishes an LDP session with Router P1’s loopback address.
  6. Router P3 sends its label bindings, which include a label to reach Router PE2, to Router P1. These label bindings allow Router P1 to direct LDP packets to Router PE2’s loopback address.
  7. Routers PE1 and PE2 establish IBGP sessions with each other.
  8. When Router PE1 announces to Router PE2 routes that it learned from Router CE1, it includes its VPN label. (The PE router creates the VPN label and binds it to the interface between the PE and CE routers.) Similarly, when Router PE2 announces routes that it learned from Router CE2, it sends its VPN label to Router PE1.

When Router PE2 wants to forward a packet to Router CE1, it pushes two labels onto the packet’s label stack: first the VPN label that is bound to the interface between Router PE1 and Router CE1, then the LDP label used to reach Router PE1. Then it forwards the packets to Router P3 over interface so-0/0/1.0.

  1. When Router P3 receives the packets from Router PE2, it swaps the LDP label that is on top of the stack (according to its LDP database) and also pushes an RSVP label onto the top of the stack so that the packet can now be switched by the RSVP LSP. At this point, there are three labels on the stack: the inner (bottom) label is the VPN label, the middle is the LDP label, and the outer (top) is the RSVP label.
  2. Router P2 receives the packet and switches it to Router P1 by swapping the RSVP label. In this topology, because Router P2 is the penultimate-hop router in the LSP, it pops the RSVP label and forwards the packet over interface so-1/1/0.0 to Router P1. At this point, there are two labels on the stack: The inner label is the VPN label, and the outer one is the LDP label.
  3. When Router P1 receives the packet, it pops the outer label (the LDP label) and forwards the packet to Router PE1 using interface so-1/0/0.0. In this topology, Router PE1 is the egress LDP router, so Router P1 pops the LDP label instead of swapping it with another label. At this point, there is only one label on the stack, the VPN label.
  4. When Router PE1 receives the packet, it pops the VPN label and forwards the packet as an IPv4 packet to Router CE1 over interface ge-1/1/0.0.

A similar set of operations occurs for packets sent from Router CE1 that are destined for Router CE2.

The following list explains how, for packets being sent from Router CE2 to Router CE1, the LDP, RSVP, and VPN labels are announced by the various routers. These steps include examples of label values (illustrated in Figure 2).

  • LDP labels
    • Router PE1 announces LDP label 3 for itself to Router P1.
    • Router P1 announces LDP label 100,001 for Router PE1 to Router P3.
    • Router P3 announces LDP label 100,002 for Router PE1 to Router PE2.
  • RSVP labels
    • Router P1 announces RSVP label 3 to Router P2.
    • Router P2 announces RSVP label 100,003 to Router P3.
  • VPN label
    • Router PE1 announces VPN label 100,004 to Router PE2 for the route from Router CE1 to Router CE2.

Figure 2: Label Pushing and Popping

Label Pushing and Popping

For a packet sent from Host B in Figure 2 to Host A, the packet headers and labels change as the packet travels to its destination:

  1. The packet that originates from Host B has a source address of B and a destination address of A in its header.
  2. Router CE2 adds to the packet a next hop of interface so-1/0/0.
  3. Router PE2 swaps out the next hop of interface so-1/0/0 and replaces it with a next hop of PE1. It also adds two labels for reaching Router PE1, first the VPN label (100,004), then the LDP label (100,002). The VPN label is thus the inner (bottom) label on the stack, and the LDP label is the outer label.
  4. Router P3 swaps out the LDP label added by Router PE2 (100,002) and replaces it with its LDP label for reaching Router PE1 (100,001). It also adds the RSVP label for reaching Router P2 (100,003).
  5. Router P2 removes the RSVP label (100,003) because it is the penultimate hop in the MPLS LSP.
  6. Router P1 removes the LDP label (100,001) because it is the penultimate LDP router. It also swaps out the next hop of PE1 and replaces it with the next-hop interface, so-1/0/0.
  7. Router PE1 removes the VPN label (100,004). It also swaps out the next-hop interface of so-1/0/0 and replaces it with its next-hop interface, ge-1/1/0.
  8. Router CE1 removes the next-hop interface of ge-1/1/0, and the packet header now contains just a source address of B and a destination address of A.

The final section in this example consolidates the statements needed to configure VPN functionality on each of the service P routers shown in Figure 1.

Note: In this example, a private AS number is used for the route distinguisher and the route target. This number is used for illustration only. When you are configuring VPNs, you should use an assigned AS number.

The following sections explain how to configure the VPN functionality on the PE and P routers. The CE routers do not have any information about the VPN, so you configure them normally.

Enabling an IGP on the PE and P Routers

To allow the PE and P routers to exchange routing information among themselves, you must configure an IGP on all these routers or you must configure static routes. You configure the IGP on the master instance of the routing protocol process (rpd) (that is, at the [edit protocols] hierarchy level), not within the VPN routing instance (that is, not at the [edit routing-instances] hierarchy level).

You configure the IGP in the standard way. This configuration example does not include this portion of the configuration.

Enabling LDP on the PE and P Routers

In this configuration example, the LDP is the signaling protocol between the PE routers. For the VPN to function, you must configure LDP on the two PE routers and on the P routers that are connected to the PE routers. You need to configure LDP only on the interfaces in the core of the service provider’s network; that is, between the PE and P routers and between the P routers. You do not need to configure LDP on the interface between the PE and CE routers.

In this configuration example, you configure LDP on the P routers’ loopback interfaces because these are the interfaces on which the MPLS LSP is configured.

On the PE routers, you must also configure family inet when you configure the logical interface.

On Router PE1, configure LDP:

[edit protocols]ldp {interface so-1/0/0.0;}[edit interfaces]so-1/0/0 {unit 0 {family mpls;}}

On Router PE2, configure LDP:

[edit protocols]ldp {interface so-0/0/0.0;}[edit interfaces]so-0/0/1 {unit 0 {family mpls;}}

On Router P1, configure LDP:

[edit protocols]ldp {interface so-1/0/0.0;interface lo0;}

On Router P3, configure LDP:

[edit protocols]ldp {interface lo0;interface so-0/0/0.0;}

On Router P2, although you do not need to configure LDP, you can optionally configure it to provide a fallback LDP path in case the RSVP LSP becomes nonoperational:

[edit protocols]ldp {interface so-1/1/0.0;interface at-2/0/0.0;}

Enabling RSVP and MPLS on the P Router

On the P Router P2 you must configure RSVP and MPLS because this router exists on the MPLS LSP path between the P Routers P1 and P3:

[edit]protocols {rsvp {interface so-1/1/0.0;interface at-2/0/0.0;}mpls {interface so-1/1/0.0;interface at-2/0/0.0;}}

Configuring the MPLS LSP Tunnel Between the P Routers

In this configuration example, LDP is tunneled over an RSVP LSP. Therefore, in addition to configuring RSVP, you must enable traffic engineering support in an IGP, and you must create an MPLS LSP to tunnel the LDP traffic.

On Router P1, enable RSVP and configure one end of the MPLS LSP tunnel. In this example, traffic engineering support is enabled for OSPF, and you configure MPLS on the interfaces to the LSP and to Router PE1. In the to statement, you specify the loopback address of Router P3.

[edit]protocols {rsvp {interface so-1/0/1.0;}mpls {label-switched-path P1-to-P3 {to 10.255.100.1;ldp-tunneling;}interface so-1/0/0.0;interface so-1/0/1.0;}ospf {traffic-engineering;area 0.0.0.0 {interface so-1/0/0.0;interface so-1/0/1.0;}}}

On Router P3, enable RSVP and configure the other end of the MPLS LSP tunnel. Again, traffic engineering support is enabled for OSPF, and you configure MPLS on the interfaces to the LSP and to Router PE2. In the to statement, you specify the loopback address of Router P1.

[edit]protocols {rsvp {interface at-2/0/1.0;}mpls {label-switched-path P3-to-P1 {to 10.255.2.2;ldp-tunneling;}interface at-2/0/1.0;interface so-0/0/0.0;}ospf {traffic-engineering;area 0.0.0.0 {interface at-2/0/1.0;interface so-0/0/0.0;}}}

Configuring IBGP on the PE Routers

On the PE routers, configure an IBGP session with the following properties:

  • VPN family—To indicate that the IBGP session is for the VPN, include the family inet-vpn statement.
  • Loopback address—Include the local-address statement, specifying the local PE router’s loopback address. The IBGP session for VPNs runs through the loopback address. You must also configure the lo0 interface at the [edit interfaces] hierarchy level. The example does not include this part of the router’s configuration.
  • Neighbor address—Include the neighbor statement, specifying the IP address of the neighboring PE router, which is its loopback (lo0) address.

On Router PE1, configure IBGP:

[edit]protocols {bgp {group PE1-to-PE2 {type internal;local-address 10.255.1.1; family inet-vpn {unicast;}neighbor 10.255.200.2;}}}

On Router PE2, configure IBGP:

[edit]protocols {bgp {group PE2-to-PE1 {type internal;local-address 10.255.200.2; family inet-vpn {unicast;}neighbor 10.255.1.1;}}}

Configuring Routing Instances for VPNs on the PE Routers

Both PE routers service VPN-A, so you must configure one routing instance on each router for the VPN in which you define the following:

  • Route distinguisher, which must be unique for each routing instance on the PE router. It is used to distinguish the addresses in one VPN from those in another VPN.
  • Instance type of vrf, which creates the VRF table on the PE router.
  • Interfaces connected to the CE routers.
  • VRF import and export policies, which must be the same on each PE router that services the same VPN. Unless the import policy contains only a then reject statement, it must include reference to a community. Otherwise, when you try to commit the configuration, the commit fails.

    Note: In this example, a private AS number is used for the route distinguisher. This number is used for illustration only. When you are configuring VPNs, you should use an assigned AS number.

  • Routing between the PE and CE routers, which is required for the PE router to distribute VPN-related routes to and from connected CE routers. You can configure a routing protocol—BGP, OSPF, or RIP—or you can configure static routing.

On Router PE1, configure the following routing instance for VPN-A. In this example, Router PE1 uses RIP to distribute routes to and from the CE router to which it is connected.

[edit]routing-instance {VPN-A {instance-type vrf;interface ge-1/0/0.0;route-distinguisher 65535:0;vrf-import VPN-A-import;vrf-export VPN-A-export;protocols {rip {group PE1-to-CE1 {neighbor ge-1/0/0.0;}}}}}

On Router PE2, configure the following routing instance for VPN-A. In this example, Router PE2 uses OSPF to distribute routes to and from the CE router to which it is connected.

[edit]routing-instance {VPN-A {instance-type vrf;interface so-1/2/0.0;route-distinguisher 65535:1;vrf-import VPN-A-import;vrf-export VPN-A-export;protocols {ospf {area 0.0.0.0 {interface so-1/2/0.0;}}}}}

Configuring VPN Policy on the PE Routers

You must configure VPN import and export policies on each of the PE routers so that they install the appropriate routes in their VRF tables, which they use to forward packets within a VPN. For VPN-A, the VRF table is VPN-A.inet.0.

In the VPN policy, you also configure VPN target communities.

Note: In this example, a private AS number is used for the route target. This number is used for illustration only. When you are configuring VPNs, you should use an assigned AS number.

On Router PE1, configure the following VPN import and export policies:

Note: The policy qualifiers shown in this example are only those needed for the VPN to function. You can configure additional qualifiers, as needed, to any policies that you configure.

[edit]policy-options {policy-statement VPN-A-import {term a {from {protocol bgp;community VPN-A;}then accept;}term b {then reject;}}policy-statement VPN-A-export {term a {from protocol rip;then {community add VPN-A;accept;}}term b {then reject;}}community VPN-A members target:65535:00;}

On Router PE2, configure the following VPN import and export policies:

[edit]policy-options {policy-statement VPN-A-import {term a {from {protocol bgp;community VPN-A;}then accept;}term b {then reject;}}policy-statement VPN-A-export {term a {from protocol ospf;then {community add VPN-A;accept;}}term b {then reject;}}community VPN-A members target:65535:00;}

To apply the VPN policies on the routers, include the vrf-export and vrf-import statements when you configure the routing instance on the PE routers. The VRF import and export policies handle the route distribution across the IBGP session running between the PE routers.

LDP-over-RSVP VPN Configuration Summarized by Router

Router PE1

Routing Instance for VPN-A

routing-instance {VPN-A {instance-type vrf;interface ge-1/0/0.0;route-distinguisher 65535:0;vrf-import VPN-A-import;vrf-export VPN-A-export;}}

Instance Routing Protocol

protocols {rip {group PE1-to-CE1 {neighbor ge-1/0/0.0;}}}

Interfaces

interfaces {so-1/0/0 {unit 0 {family mpls;}}ge-1/0/0 {unit 0;}}

Master Protocol Instance

protocols {}

Enable LDP

ldp {interface so-1/0/0.0;}

Enable MPLS

mpls {interface so-1/0/0.0;interface ge-1/0/0.0;}

Configure IBGP

bgp {group PE1-to-PE2 {type internal;local-address 10.255.1.1; family inet-vpn {unicast;}neighbor 10.255.100.1;}}

Configure VPN Policy

policy-options {policy-statement VPN-A-import {term a {from {protocol bgp;community VPN-A;}then accept;}term b {then reject;}}policy-statement VPN-A-export {term a {from protocol rip;then {community add VPN-A;accept;}}term b {then reject;}}community VPN-A members target:65535:00;}

Router P1

Master Protocol Instance

protocols {}

Enable RSVP

rsvp {interface so-1/0/1.0;}

Enable LDP

ldp {interface so-1/0/0.0;interface lo0.0;}

Enable MPLS

mpls {label-switched-path P1-to-P3 {to 10.255.100.1;ldp-tunneling;}interface so-1/0/0.0;interface so-1/0/1.0;}

Configure OSPF for Traffic Engineering Support

ospf {traffic-engineering;area 0.0.0.0 {interface so-1/0/0.0;interface so-1/0/1.0;}}

Router P2

Master Protocol Instance

protocols {}

Enable RSVP

rsvp {interface so-1/1/0.0;interface at-2/0/0.0;}

Enable MPLS

mpls {interface so-1/1/0.0;interface at-2/0/0.0;}

Router P3

Master Protocol Instance

protocols {}

Enable RSVP

rsvp {interface at-2/0/1.0;}

Enable LDP

ldp {interface so-0/0/0.0;interface lo0.0;}

Enable MPLS

mpls {label-switched-path P3-to-P1 {to 10.255.2.2;ldp-tunneling;}interface at-2/0/1.0;interface so-0/0/0.0;}

Configure OSPF for Traffic Engineering Support

ospf {traffic-engineering;area 0.0.0.0 {interface at-2/0/1.0;interface at-2/0/1.0;}}

Router PE2

Routing Instance for VPN-A

routing-instance {VPN-A {instance-type vrf;interface so-1/2/0.0;route-distinguisher 65535:1;vrf-import VPN-A-import;vrf-export VPN-A-export;}}

Instance Routing Protocol

protocols {ospf {area 0.0.0.0 {interface so-1/2/0.0;}}}

Interfaces

interfaces {so-0/0/0 {unit 0 {family mpls;}}so-1/2/0 {unit 0;}}

Master Protocol Instance

protocols {}

Enable LDP

ldp {interface so-0/0/0.0;}

Enable MPLS

mpls {interface so-0/0/0.0;interface so-1/2/0.0;}

Configure IBGP

bgp {group PE2-to-PE1 {type internal;local-address 10.255.200.2; family inet-vpn {unicast;}neighbor 10.255.1.1;}}

Configure VPN Policy

policy-options {policy-statement VPN-A-import {term a {from {protocol bgp;community VPN-A;}then accept;}term b {then reject;}}policy-statement VPN-A-export {term a {from protocol ospf;then {community add VPN-A;accept;}}term b {then reject;}}community VPN-A members target:65535:01;}

Published: 2012-11-29

Supported Platforms

Published: 2012-11-29

Previous Page Next Page