Supported Platforms
Example: Configuring MPLS-Based Layer 3 VPNs on EX Series Switches
You can implement an MPLS-based Layer 3 virtual private network (VPN) on EX8200 and EX4500 switches to interconnect sites for customers who want the service provider to handle all the Layer 3 routing functions. To support an MPLS-based Layer 3 VPN, you need to add components of the Layer 3 VPN to the configuration of the two provider edge (PE) switches. You do not need to change the configuration of the provider switches.
![]() | Note: The core interfaces and the loopback interfaces are configured in the same way for Layer 2 VPNs and Layer 3 VPNs. |
This example shows how to configure an MPLS-based Layer 3 VPN spanning two corporate sites:
Requirements
This example uses the following software and hardware components:
- Junos OS Release 11.1 or later for EX Series switches
- Three EX8200 switches
Before you configure the Layer 3 VPN components, you must configure the basic components for an MPLS network:
- Configure two PE switches. See Configuring MPLS on Provider Edge Switches Using IP Over MPLS (CLI Procedure).
- Configure one or more provider switches. See Configuring MPLS on Provider Switches (CLI Procedure).
![]() | Note: A Layer 3 VPN requires that the PE switches be configured using IP over MPLS. |
Overview and Topology
Layer 3 VPNs allow customers to leverage the service provider’s technical expertise to ensure efficient site-to-site routing. The customer’s customer edge (CE) switch uses a routing protocol such as BGP or OSPF to communicate with the service provider’s provider edge (PE) switch to carry IP prefixes across the network. MPLS-based Layer 3 VPNs use only IP over MPLS; other protocol packets are not supported. This example includes two PE switches, PE1 and PE2.
In the basic MPLS configuration of the PE switches using IP over MPLS, the PE switches were configured to use OSPF as the routing protocol between the MPLS switches and RSVP as the signaling protocol. Traffic engineering was enabled. A label-switched path (LSP) was configured.
![]() | Note: A static path is not configured in this example. |
The following components must be added to the PE switches for an MPLS-based Layer 3 VPN:
- BGP group with family inet-vpn unicast
- Routing instance with instance type vrf
Figure 1 illustrates the topology of this MPLS-based Layer 3 VPN.
Figure 1: MPLS-Based Layer 3 VPN

Table 1 shows the settings of the customer edge interface on the local CE switch.
Table 1: Local CE Switch in the MPLS-Based Layer 3 VPN Topology
Property | Settings | Description |
---|---|---|
Local CE switch hardware | EX8200 switch | CE1 |
Customer edge interface |
| Interface that connects CE1 to PE1. |
Table 2 shows the settings of the customer edge interface on the remote CE switch.
Table 2: Remote CE Switch in the MPLS-Based Layer 3 VPN Topology
Property | Settings | Description |
---|---|---|
Remote CE switch hardware | EX8200 switch | CE2 |
Customer edge interface | ge-0/0/14 unit 0 | Interface that connects CE2 to PE2. |
Table 3 shows the Layer 3 VPN components of the local PE switch.
Table 3: Layer 3 VPN Components of the Local PE Switch
Property | Settings | Description |
---|---|---|
Local PE switch hardware | EX8200 switch | PE1 |
Customer edge interface | ge-5/0/24 unit 0 | Connects PE1 to CE1. Note: The family inet configuration should already have been completed as part of the basic MPLS configuration of the PE switch for IP over MPLS. It is included here to show what was specified for that portion of the configuration. |
Core interface | xe-6/0/0 unit 0 | Connects PE1 to P. Note: This portion of the configuration should already have been completed as part of the basic MPLS configuration. It is included here to show what was specified for that portion of the configuration. |
Loopback interface | lo0 unit 0 | Note: This portion of the configuration should already have been completed as part of the basic MPLS configuration. It is included here to show what was specified for that portion of the configuration. |
BGP | bgp | Added for the Layer 3 VPN configuration. |
Routing instance | L3VPN-1 | Added for the Layer 3 VPN configuration. |
Table 4 shows the Layer 3 VPN components of the remote PE switch.
Table 4: Layer 3 VPN Components of the Remote PE Switch
Property | Settings | Description |
---|---|---|
Remote PE switch hardware | EX8200 switch | PE2 |
Customer edge interface | ge-11/0/14 unit 0 | Connects PE2 to CE2. For the Layer 3 VPN configuration, added family mpls. Note: The family inet configuration should already have been completed as part of the basic MPLS configuration of the PE switch for IP over MPLS. It is included here to show what was specified for that portion of the configuration. |
Core interface | xe-6/0/0/ unit 0 | Connects PE1 to P. Note: This portion of the configuration should already have been completed as part of the basic MPLS configuration. It is included here to show what was specified for that portion of the configuration. |
Loopback interface | lo0 unit 0 | Note: This portion of the configuration should already have been completed as part of the basic MPLS configuration. It is included here to show what was specified for that portion of the configuration. |
BGP | bgp | Added for the Layer 3 VPN configuration. |
Routing instances | L3VPN-1 | Added for the Layer 3 VPN configuration. |
Configuring the Local PE Switch
CLI Quick Configuration
To quickly configure the Layer 3 VPN components on the local PE switch, copy the following commands and paste them into the switch terminal window of PE1:
[edit]
set protocols bgp group
ibgp local-address 21.21.21.21 family inet-vpn unicast
set protocols bgp group ibgp type internal
set protocols bgp group ibgp neighbor
22.22.22.22
set routing-instances
L3VPN-1 instance-type vrf
set routing-instances L3VPN-1 description "BETWEEN PE1 AND PE2"
set routing-instances L3VPN-1 interface
ge-5/0/24.0
set routing-instances
L3VPN-1 route-distinguisher 21:21
set routing-instances L3VPN-1 vrf-target target:21:21
set routing-instances L3VPN-1 vrf-table-label;
set routing-options router-id 21.21.21.21
set routing-options autonomous-system
10;
Step-by-Step Procedure
To configure the Layer 3 VPN components on the local PE switch:
- Configure BGP, specifying the loopback address as the
local address and specifying family inet-vpn unicast:
[edit protocols bgp]
user@switchPE1# set group ibgp local-address 21.21.21.21 family inet-vpn unicast - Configure the BGP group, specifying the group name and type:
- Configure the BGP neighbor, specifying the loopback address
of the remote PE switch as the neighbor’s address:
[edit protocols bgp]
user@switchPE1# set group ibgp neighbor 22.22.22.22 - Configure the routing instance, specifying the routing-instance
name and using vrf as the instance type:
[edit routing-instances]
user@switchPE1# set L3VPN-1 instance-type vrf - Configure a description for this routing instance:
[edit routing-instances]
user@switchPE1# set L3VPN-1 description "BETWEEN PE1 AND PE2" - Configure the routing instance to use a route distinguisher:
[edit routing-instances]
user@switchPE1# set L3VPN-1 route-distinguisher 21:21Note: Each routing instance that you configure on a PE switch must have a unique route distinguisher associated with it. VPN routing instances require a route distinguisher to allow BGP to distinguish between potentially identical network layer reachability information (NLRI) messages received from different VPNs. If you configure different VPN routing instances with the same route distinguisher, the commit fails.
- Configure the VPN routing and forwarding (VRF) target
of the routing instance:
[edit routing-instances]
user@switchPE1# set L3VPN-1 vrf-target target:21:21Note: You can create more complex policies by explicitly configuring VRF import and export policies using the import and export options. See the Junos OS VPNs Configuration Guide.
- Configure this routing instance with vrf-table-label, which maps the inner label of a packet to a specific VPN routing
and forwarding (VRF) table and allows the examination of the encapsulated
IP header:
[edit routing-instances]
user@switchPE1# set L3VPN-1 vrf-table-label - Configure the router ID and autonomous system (AS):
Note: We recommend that you explicitly configure the router identifier under the [edit routing-options] hierarchy level to avoid unpredictable behavior if the interface address on a loopback interface changes.
[edit routing-options]
user@switchPE1# set router-id 21.21.21.21 autonomous-system 10
Results
Display the results of the configuration:
user@switchPE1> vrf-table-label
Configuring the Remote PE Switch
CLI Quick Configuration
To quickly configure the Layer 3 VPN components on the remote PE switch, copy the following commands and paste them into the switch terminal window of PE2:
[edit]
set protocols bgp group
ibgp local-address 22.22.22.22 family inet-vpn unicast
set protocols bgp group ibgp type internal
set protocols bgp group ibgp neighbor
21.21.21.21
set routing-instances
L3VPN-1 instance-type vrf
set routing-instances L3VPN-1 description "BETWEEN PE1 AND PE2"
set routing-instances L3VPN-1 interface
ge-11/0/14.0
set routing-instances
L3VPN-1 route-distinguisher 21:21
set routing-instances L3VPN-1 vrf-target target:21:21
set routing-instances L3VPN-1 vrf-table-label;
set routing-options router-id 22.22.22.22;
set routing-options autonomous-system
10;
Step-by-Step Procedure
To configure Layer 3 VPN components on the remote PE switch:
- Configure BGP, specifying the loopback address as the
local address and specifying family inet-vpn unicast:
[edit protocols bgp]
user@switchPE2# set group ibgp local-address 22.22.22.22 family inet-vpn unicast - Configure the BGP group, specifying the group name and
type:
[edit protocols bgp]
user@switchPE2# set group ibgp type internal - Configure the BGP neighbor, specifying the loopback address
of the remote PE switch as the neighbor’s address:
[edit protocols bgp]
user@switchPE2# set group ibgp neighbor 21.21.21.21 - Configure the routing instance, specifying the routing-instance
name and using vrf as the instance type:
[edit routing-instances]
user@switchPE2# set L3VPN-1 instance-type vrf - Configure a description for this routing instance:
[edit routing-instances]
user@switchPE1# set L3VPN-1 description "BETWEEN PE1 AND PE2" - Configure the routing instance to apply to the customer
edge interface:
[edit routing-instances]
user@switchPE2# set L3VPN-1 interface ge-11/0/14.0 - Configure the routing instance to use a route distinguisher,
using the format ip-address:number:
[edit routing-instances]
user@switchPE2# set L3VPN-1 route-distinguisher 21:21 - Configure the VPN routing and forwarding (VRF) target
of the routing instance:
[edit routing-instances]
user@switchPE2# set L3VPN-1 vrf-target target:21:21 - Configure this routing instance with vrf-table-label, which maps the inner label of a packet to a specific VPN routing
and forwarding (VRF) table and allows the examination of the encapsulated
IP header.
[edit routing-instances]
user@switchPE2# set L3VPN-1 vrf-tabel-label - Configure the router ID and autonomous system (AS):
[edit routing-options]
user@switchPE2# set router-id 22.22.22.22 autonomous-system 10
Results
Display the results of the configuration:
user@switchPE2> show configuration
Verification
To confirm that the MPLS-based Layer 3 VPN is working properly, perform these tasks:
- Verifying Peering and Adjacency
- Verifying That the Local CE Switch Can Ping the Local PE Switch
- Verifying That the Local PE Switch Can Ping the Local CE Switch
Verifying Peering and Adjacency
Purpose
Verify the peering and adjacency along the route from CE1 (the local CE switch or router) to CE2 (the remote CE switch or router), starting with checking the routing protocol adjacency on the local PE switch:
![]() | Note: Be sure to specify the name of the routing instance. |
Action
user@switchPE1> show ospf neighbor instance
L3VPN-1
Address Interface State ID Pri Dead 51.51.0.14 ge-5/0/24.0 Full 21.21.21.21 128 38
Meaning
The Address field shows the IP address of the customer edge interface that connects CE1 to PE1. The Interface field shows the interface name of the customer edge interface that connects PE1 to CE1. For our purposes, the State field is the most important. It shows a status of Full, indicating that neighboring routing devices are fully adjacent. These adjacencies appear in router-link and network-link advertisements. (The field Pri indicates the priority of the neighbor to become the designated router. The field Dead indicates the number of seconds until the neighbor becomes unreachable.)
Verifying That the Local CE Switch Can Ping the Local PE Switch
Purpose
Verify that the local CE switch can ping the local PE switch:
Action
user@switchCE1> ping 51.51.0.1
PING 51.51.0.1 (51.51.0.1): 56 data bytes 64 bytes from 51.51.0.1: icmp_seq=0 ttl=64 time=3.461 ms 64 bytes from 51.51.0.1: icmp_seq=1 ttl=64 time=3.543 ms
Meaning
This command specified the IP address of the customer edge interface on PE1. The results indicate that CE1 is receiving packets from PE1.
Verifying That the Local PE Switch Can Ping the Local CE Switch
Purpose
Verify that the local PE switch can ping the local CE switch:
Action
user@switchPE1> ping 51.51.0.14 routing-instance
L3VPN-1
PING 51.51.0.14 (51.51.0.14): 56 data bytes 64 bytes from 51.51.0.14: icmp_seq=0 ttl=64 time=3.842 ms 64 bytes from 51.51.0.14: icmp_seq=1 ttl=64 time=3.736 ms
Meaning
The results indicate a successful connection.