Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation

Example: Configuring MPLS-Based Layer 3 VPNs on EX Series Switches

You can implement an MPLS-based Layer 3 virtual private network (VPN) on EX8200 and EX4500 switches to interconnect sites for customers who want the service provider to handle all the Layer 3 routing functions. To support an MPLS-based Layer 3 VPN, you need to add components of the Layer 3 VPN to the configuration of the two provider edge (PE) switches. You do not need to change the configuration of the provider switches.

Note: The core interfaces and the loopback interfaces are configured in the same way for Layer 2 VPNs and Layer 3 VPNs.

This example shows how to configure an MPLS-based Layer 3 VPN spanning two corporate sites:

Requirements

This example uses the following software and hardware components:

  • Junos OS Release 11.1 or later for EX Series switches
  • Three EX8200 switches

Before you configure the Layer 3 VPN components, you must configure the basic components for an MPLS network:

Note: A Layer 3 VPN requires that the PE switches be configured using IP over MPLS.

Overview and Topology

Layer 3 VPNs allow customers to leverage the service provider’s technical expertise to ensure efficient site-to-site routing. The customer’s customer edge (CE) switch uses a routing protocol such as BGP or OSPF to communicate with the service provider’s provider edge (PE) switch to carry IP prefixes across the network. MPLS-based Layer 3  VPNs use only IP over MPLS; other protocol packets are not supported. This example includes two PE switches, PE1 and PE2.

In the basic MPLS configuration of the PE switches using IP over MPLS, the PE switches were configured to use OSPF as the routing protocol between the MPLS switches and RSVP as the signaling protocol. Traffic engineering was enabled. A label-switched path (LSP) was configured.

Note: A static path is not configured in this example.

The following components must be added to the PE switches for an MPLS-based Layer 3 VPN:

  • BGP group with family inet-vpn unicast
  • Routing instance with instance type vrf

Figure 1 illustrates the topology of this MPLS-based Layer 3 VPN.

Figure 1: MPLS-Based Layer 3 VPN

MPLS-Based Layer 3 VPN

Table 1 shows the settings of the customer edge interface on the local CE switch.

Table 1: Local CE Switch in the MPLS-Based Layer 3 VPN Topology

Property

Settings

Description

Local CE switch hardware

EX8200 switch

CE1

Customer edge interface


ge-0/0/14 unit 0
family inet
address 51.51.0.14/16

Interface that connects CE1 to PE1.

Table 2 shows the settings of the customer edge interface on the remote CE switch.

Table 2: Remote CE Switch in the MPLS-Based Layer 3 VPN Topology

Property

Settings

Description

Remote CE switch hardware

EX8200 switch

CE2

Customer edge interface

ge-0/0/14 unit 0
family inet
address 11.22.26.1/16

Interface that connects CE2 to PE2.

Table 3 shows the Layer 3 VPN components of the local PE switch.

Table 3: Layer 3 VPN Components of the Local PE Switch

Property

Settings

Description

Local PE switch hardware

EX8200 switch

PE1

Customer edge interface

ge-5/0/24 unit 0
family inet
address 51.51.0.1/16

Connects PE1 to CE1.

Note: The family inet configuration should already have been completed as part of the basic MPLS configuration of the PE switch for IP over MPLS. It is included here to show what was specified for that portion of the configuration.

Core interface

xe-6/0/0 unit 0
family inet address 60.0.0.60/16
family iso;
family mpls

Connects PE1 to P.

Note: This portion of the configuration should already have been completed as part of the basic MPLS configuration. It is included here to show what was specified for that portion of the configuration.

Loopback interface

lo0 unit 0
family inet address 21.21.21.21/32
family iso address 49.0001.2102.1021.0210.00

Note: This portion of the configuration should already have been completed as part of the basic MPLS configuration. It is included here to show what was specified for that portion of the configuration.

BGP

bgp

Added for the Layer 3 VPN configuration.

Routing instance

L3VPN-1

Added for the Layer 3 VPN configuration.

Table 4 shows the Layer 3 VPN components of the remote PE switch.

Table 4: Layer 3 VPN Components of the Remote PE Switch

Property

Settings

Description

Remote PE switch hardware

EX8200 switch

PE2

Customer edge interface

ge-11/0/14 unit 0
family inet
address 11.22.26.14/16
family mpls

Connects PE2 to CE2.

For the Layer 3 VPN configuration, added family mpls.

Note: The family inet configuration should already have been completed as part of the basic MPLS configuration of the PE switch for IP over MPLS. It is included here to show what was specified for that portion of the configuration.

Core interface

xe-6/0/0/ unit 0
family inet address 60.2.0.60/16
family iso
family mpls

Connects PE1 to P.

Note: This portion of the configuration should already have been completed as part of the basic MPLS configuration. It is included here to show what was specified for that portion of the configuration.

Loopback interface

lo0 unit 0
family inet address 22.22.22.22/32
family iso address 49.0001.2202.1022.0220.00

Note: This portion of the configuration should already have been completed as part of the basic MPLS configuration. It is included here to show what was specified for that portion of the configuration.

BGP

bgp

Added for the Layer 3 VPN configuration.

Routing instances

L3VPN-1

Added for the Layer 3 VPN configuration.

Configuring the Local PE Switch

CLI Quick Configuration

To quickly configure the Layer 3 VPN components on the local PE switch, copy the following commands and paste them into the switch terminal window of PE1:

[edit]
set protocols bgp group ibgp local-address 21.21.21.21 family inet-vpn unicast
set protocols bgp group ibgp type internal
set protocols bgp group ibgp neighbor 22.22.22.22
set routing-instances L3VPN-1 instance-type vrf
set routing-instances L3VPN-1 description "BETWEEN PE1 AND PE2"
set routing-instances L3VPN-1 interface ge-5/0/24.0
set routing-instances L3VPN-1 route-distinguisher 21:21
set routing-instances L3VPN-1 vrf-target target:21:21
set routing-instances L3VPN-1 vrf-table-label;
set routing-options router-id 21.21.21.21
set routing-options autonomous-system 10;

Step-by-Step Procedure

To configure the Layer 3 VPN components on the local PE switch:

  1. Configure BGP, specifying the loopback address as the local address and specifying family inet-vpn unicast:
    [edit protocols bgp]
    user@switchPE1# set group ibgp local-address 21.21.21.21 family inet-vpn unicast
  2. Configure the BGP group, specifying the group name and type:
    [edit protocols bgp]
    user@switchPE1# set group ibgp type internal
  3. Configure the BGP neighbor, specifying the loopback address of the remote PE switch as the neighbor’s address:
    [edit protocols bgp]
    user@switchPE1# set group ibgp neighbor 22.22.22.22
  4. Configure the routing instance, specifying the routing-instance name and using vrf as the instance type:
    [edit routing-instances]
    user@switchPE1# set L3VPN-1 instance-type vrf
  5. Configure a description for this routing instance:
    [edit routing-instances]
    user@switchPE1# set L3VPN-1 description "BETWEEN PE1 AND PE2"
  6. Configure the routing instance to use a route distinguisher:
    [edit routing-instances]
    user@switchPE1# set L3VPN-1 route-distinguisher 21:21

    Note: Each routing instance that you configure on a PE switch must have a unique route distinguisher associated with it. VPN routing instances require a route distinguisher to allow BGP to distinguish between potentially identical network layer reachability information (NLRI) messages received from different VPNs. If you configure different VPN routing instances with the same route distinguisher, the commit fails.

  7. Configure the VPN routing and forwarding (VRF) target of the routing instance:
    [edit routing-instances]
    user@switchPE1# set L3VPN-1 vrf-target target:21:21

    Note: You can create more complex policies by explicitly configuring VRF import and export policies using the import and export options. See the Junos OS VPNs Configuration Guide.

  8. Configure this routing instance with vrf-table-label, which maps the inner label of a packet to a specific VPN routing and forwarding (VRF) table and allows the examination of the encapsulated IP header:
    [edit routing-instances]
    user@switchPE1# set L3VPN-1 vrf-table-label
  9. Configure the router ID and autonomous system (AS):

    Note: We recommend that you explicitly configure the router identifier under the [edit routing-options] hierarchy level to avoid unpredictable behavior if the interface address on a loopback interface changes.

    [edit routing-options]
    user@switchPE1# set router-id 21.21.21.21 autonomous-system 10

Results

Display the results of the configuration:

user@switchPE1> vrf-table-label
interfaces {ge-5/0/24 {unit 0 {family inet {address 51.51.0.1/16;}}}lo0 {unit 0 {family inet {address 21.21.21.21/32;}}}xe-6/0/0 {unit 0 {family inet {address 60.0.0.60/16;}family iso;family mpls;}}protocols {mpls {label-switched-path 21-22 {from 21.21.21.21;to 22.22.22.22;no-cspf;}interface xe-6/0/0.0;interface lo0.0;bgp {group ibgptype internallocal-address 21.21.21.21family inet-vpnunicast}ospf {traffic-engineering;area 0.0.0.0 {interface ge-5/0/24.0;interface lo0.0;interface xe-6/0/0.0;}}}routing-instances {L3VPN-1 {instance-type vrf;description "BETWEEN PE1 AND PE2";route-distinguisher 21:21;vrf-target target:21:21;vrf-table-label;}routing-options {router-id 21.21.21.21;autonomous-system 10;

Configuring the Remote PE Switch

CLI Quick Configuration

To quickly configure the Layer 3 VPN components on the remote PE switch, copy the following commands and paste them into the switch terminal window of PE2:

[edit]
set protocols bgp group ibgp local-address 22.22.22.22 family inet-vpn unicast
set protocols bgp group ibgp type internal
set protocols bgp group ibgp neighbor 21.21.21.21
set routing-instances L3VPN-1 instance-type vrf
set routing-instances L3VPN-1 description "BETWEEN PE1 AND PE2"
set routing-instances L3VPN-1 interface ge-11/0/14.0
set routing-instances L3VPN-1 route-distinguisher 21:21
set routing-instances L3VPN-1 vrf-target target:21:21
set routing-instances L3VPN-1 vrf-table-label;
set routing-options router-id 22.22.22.22;
set routing-options autonomous-system 10;

Step-by-Step Procedure

To configure Layer 3 VPN components on the remote PE switch:

  1. Configure BGP, specifying the loopback address as the local address and specifying family inet-vpn unicast:
    [edit protocols bgp]
    user@switchPE2# set group ibgp local-address 22.22.22.22 family inet-vpn unicast
  2. Configure the BGP group, specifying the group name and type:
    [edit protocols bgp]
    user@switchPE2# set group ibgp type internal
  3. Configure the BGP neighbor, specifying the loopback address of the remote PE switch as the neighbor’s address:
    [edit protocols bgp]
    user@switchPE2# set group ibgp neighbor 21.21.21.21
  4. Configure the routing instance, specifying the routing-instance name and using vrf as the instance type:
    [edit routing-instances]
    user@switchPE2# set L3VPN-1 instance-type vrf
  5. Configure a description for this routing instance:
    [edit routing-instances]
    user@switchPE1# set L3VPN-1 description "BETWEEN PE1 AND PE2"
  6. Configure the routing instance to apply to the customer edge interface:
    [edit routing-instances]
    user@switchPE2# set L3VPN-1 interface ge-11/0/14.0
  7. Configure the routing instance to use a route distinguisher, using the format ip-address:number:
    [edit routing-instances]
    user@switchPE2# set L3VPN-1 route-distinguisher 21:21
  8. Configure the VPN routing and forwarding (VRF) target of the routing instance:
    [edit routing-instances]
    user@switchPE2# set L3VPN-1 vrf-target target:21:21
  9. Configure this routing instance with vrf-table-label, which maps the inner label of a packet to a specific VPN routing and forwarding (VRF) table and allows the examination of the encapsulated IP header.
    [edit routing-instances]
    user@switchPE2# set L3VPN-1 vrf-tabel-label
  10. Configure the router ID and autonomous system (AS):
    [edit routing-options]
    user@switchPE2# set router-id 22.22.22.22 autonomous-system 10

Results

Display the results of the configuration:

user@switchPE2> show configuration
interfaces {ge-11/0/14 {unit 0 {family inet {address 11.22.26.14/16;}}}lo0 {unit 0 {family inet {address 22.22.22.22/32;}}}xe-6/0/0 {unit 0 {family inet {address 60.2.0.60/16;}family iso;family mpls;}}protocols {mpls {label-switched-path 22-21 {from 22.22.22.22;to 21.21.21.21;no-cspf;}interface xe-6/0/0.0;interface lo0.0;bgp {group ibgptype internallocal-address 21.21.21.21family inet-vpnunicast}ospf {traffic-engineering;area 0.0.0.0 {interface ge-11/0/14.0;interface lo0.0;interface xe-6/0/0.0;}}}routing-instances {L3VPN-1 {instance-type vrf;description"BETWEEN PE1 AND PE2";route-distinguisher 21:21;vrf-target target:21:21;vrf-table-label;}routing-options {router-id 22.22.22.22;autonomous-system 10;

Verification

To confirm that the MPLS-based Layer 3 VPN is working properly, perform these tasks:

Verifying Peering and Adjacency

Purpose

Verify the peering and adjacency along the route from CE1 (the local CE switch or router) to CE2 (the remote CE switch or router), starting with checking the routing protocol adjacency on the local PE switch:

Note: Be sure to specify the name of the routing instance.

Action

user@switchPE1> show ospf neighbor instance L3VPN-1
Address    Interface   State ID         Pri Dead
51.51.0.14 ge-5/0/24.0 Full 21.21.21.21 128 38

Meaning

The Address field shows the IP address of the customer edge interface that connects CE1 to PE1. The Interface field shows the interface name of the customer edge interface that connects PE1 to CE1. For our purposes, the State field is the most important. It shows a status of Full, indicating that neighboring routing devices are fully adjacent. These adjacencies appear in router-link and network-link advertisements. (The field Pri indicates the priority of the neighbor to become the designated router. The field Dead indicates the number of seconds until the neighbor becomes unreachable.)

Verifying That the Local CE Switch Can Ping the Local PE Switch

Purpose

Verify that the local CE switch can ping the local PE switch:

Action

user@switchCE1> ping 51.51.0.1
PING 51.51.0.1 (51.51.0.1): 56 data bytes
64 bytes from 51.51.0.1: icmp_seq=0 ttl=64 time=3.461 ms
64 bytes from 51.51.0.1: icmp_seq=1 ttl=64 time=3.543 ms

Meaning

This command specified the IP address of the customer edge interface on PE1. The results indicate that CE1 is receiving packets from PE1.

Verifying That the Local PE Switch Can Ping the Local CE Switch

Purpose

Verify that the local PE switch can ping the local CE switch:

Action

user@switchPE1> ping 51.51.0.14 routing-instance L3VPN-1
PING 51.51.0.14 (51.51.0.14): 56 data bytes
64 bytes from 51.51.0.14: icmp_seq=0 ttl=64 time=3.842 ms
64 bytes from 51.51.0.14: icmp_seq=1 ttl=64 time=3.736 ms

Meaning

The results indicate a successful connection.

Published: 2014-04-23