TechLibrary

Navigation

Supported Platforms

EX4600

Example: Configuring MPLS-Based Layer 3 VPNs

You can implement an MPLS-based Layer 3 virtual private network (VPN) on QFX3500 switches to interconnect sites for customers who want the service provider to handle all the Layer 3 routing functions. To support an MPLS-based Layer 3 VPN, you need to add components of the Layer 3 VPN to the configuration of the two provider edge (PE) switches. You do not need to change the configuration of the provider switches.

This example shows how to configure an MPLS-based Layer 3 VPN spanning two corporate sites:

Requirements

This example uses the following software and hardware components:

Junos OS Release 12.3x50 or later for the QFX Series
Three QFX3500 switches

Before you configure the Layer 3 VPN components, you must configure the basic components for an MPLS network:

Configure two PE switches. See Configuring MPLS on Provider Edge Switches.
Configure one or more provider switches. See Configuring MPLS on Provider Switches.

Overview and Topology

Layer 3 VPNs allow customers to leverage the service provider’s technical expertise to ensure efficient site-to-site routing. The customer’s customer edge (CE) switch uses a routing protocol such as BGP or OSPF to communicate with the service provider’s provider edge (PE) switch to carry IP prefixes across the network. MPLS-based Layer 3 VPNs use only IP over MPLS; other protocol packets are not supported. This example includes two PE switches, PE1 and PE2.

In the basic MPLS configuration of the PE switches using IP over MPLS, the PE switches were configured to use OSPF as the routing protocol between the MPLS switches and RSVP as the signaling protocol. Traffic engineering was enabled. A label-switched path (LSP) was configured.

The following components must be added to the PE switches for an MPLS-based Layer 3 VPN:

BGP group with family inet-vpn unicast
Routing instance with instance type vrf

Figure 1 illustrates the topology of this MPLS-based Layer 3 VPN.

Figure 1: MPLS-Based Layer 3 VPN

Table 1 shows the settings of the customer edge interface on the local CE switch.

Table 1: Local CE Switch in the MPLS-Based Layer 3 VPN Topology

Property	Settings	Description
Local CE switch hardware	QFX3500 switch	CE1
Customer edge interface	ge-0/0/14 unit 0 family inet address 51.51.0.14/16	Interface that connects CE1 to PE1.

Table 2 shows the settings of the customer edge interface on the remote CE switch.

Table 2: Remote CE Switch in the MPLS-Based Layer 3 VPN Topology

Property	Settings	Description
Remote CE switch hardware	QFX3500 switch	CE2
Customer edge interface	ge-0/0/14 unit 0 family inet address 11.22.26.1/16	Interface that connects CE2 to PE2.

Table 3 shows the Layer 3 VPN components of the local PE switch.

Table 3: Layer 3 VPN Components of the Local PE Switch

Property	Settings	Description
Local PE switch hardware	QFX3500 switch	PE1
Customer edge interface	ge-0/0/14 unit 0 family inet address 51.51.0.1/16	Connects PE1 to CE1. Note: The family inet configuration should already have been completed as part of the basic MPLS configuration of the PE switch for IP over MPLS. It is included here to show what was specified for that portion of the configuration.
Core interface	xe-0/0/6 unit 0 family inet address 60.0.0.60/16 family mpls	Connects PE1 to P. Note: This portion of the configuration should already have been completed as part of the basic MPLS configuration. It is included here to show what was specified for that portion of the configuration.
Loopback interface	lo0 unit 0 family inet address 21.21.21.21/32	Note: This portion of the configuration should already have been completed as part of the basic MPLS configuration. It is included here to show what was specified for that portion of the configuration.
BGP	bgp	Added for the Layer 3 VPN configuration.
Routing instance	L3VPN-1	Added for the Layer 3 VPN configuration.

Table 4 shows the Layer 3 VPN components of the remote PE switch.

Table 4: Layer 3 VPN Components of the Remote PE Switch

Property	Settings	Description
Remote PE switch hardware	QFX3500 switch	PE2
Customer edge interface	ge-0/0/14 unit 0 family inet address 11.22.26.14/16 family mpls	Connects PE2 to CE2. For the Layer 3 VPN configuration, added family mpls. Note: The family inet configuration should already have been completed as part of the basic MPLS configuration of the PE switch for IP over MPLS. It is included here to show what was specified for that portion of the configuration.
Core interface	xe-0/0/6 unit 0 family inet address 60.2.0.60/16 family mpls	Connects PE1 to P. Note: This portion of the configuration should already have been completed as part of the basic MPLS configuration. It is included here to show what was specified for that portion of the configuration.
Loopback interface	lo0 unit 0 family inet address 22.22.22.22/32	Note: This portion of the configuration should already have been completed as part of the basic MPLS configuration. It is included here to show what was specified for that portion of the configuration.
BGP	bgp	Added for the Layer 3 VPN configuration.
Routing instances	L3VPN-1	Added for the Layer 3 VPN configuration.

Configuring the Local PE Switch

CLI Quick Configuration

To quickly configure the Layer 3 VPN components on the local PE switch, copy the following commands and paste them into the switch terminal window of PE1:

[edit]
set protocols bgp local-address
21.21.21.21 family inet-vpn unicast
set protocols bgp group PE1-PE2 type internal 
set protocols bgp neighbor 22.22.22.22
set routing-instances L3VPN-1  instance-type
 vrf
set routing-instances
L3VPN-1 description "BETWEEN PE1 AND PE2"
set routing-instances L3VPN-1 interface ge-0/0/14.0
set routing-instances L3VPN-1  route-distinguisher
21:21
set routing-instances
L3VPN-1 vrf-target target:21:21 
 set routing-instances L3VPN-1 vrf-table-label
set routing-options router-id 21.21.21.21
set routing-options autonomous-system
10

Step-by-Step Procedure

To configure the Layer 3 VPN components on the local PE switch:

Configure BGP, specifying the loopback address as the local address and specifying family inet-vpn unicast:
[edit protocols bgp] user@switchPE1# set local-address 21.21.21.21 family inet-vpn unicast
Configure the BGP group, specifying the group name and type:
[edit protocols bgp] user@switchPE1# set group PE1-PE2 type internal
Configure the BGP neighbor, specifying the loopback address of the remote PE switch as the neighbor’s address:
[edit protocols bgp] user@switchPE1# set neighbor 22.22.22.22
Configure the routing instance, specifying the routing-instance name and using vrf as the instance type:
[edit routing-instances] user@switchPE1# set L3VPN-1 instance-type vrf
Configure a description for this routing instance:
[edit routing-instances] user@switchPE1# set L3VPN-1 description "BETWEEN PE1 AND PE2"

Configure the routing instance to use a route distinguisher:

[edit routing-instances]
user@switchPE1# set L3VPN-1  route-distinguisher 21:21

Note: Each routing instance that you configure on a PE switch must have a unique route distinguisher associated with it. VPN routing instances require a route distinguisher to allow BGP to distinguish between potentially identical network layer reachability information (NLRI) messages received from different VPNs. If you configure different VPN routing instances with the same route distinguisher, the commit fails.

Configure the VPN routing and forwarding (VRF) target of the routing instance:
[edit routing-instances] user@switchPE1# set L3VPN-1 vrf-target target:21:21
Note: You can create more complex policies by explicitly configuring VRF import and export policies using the import and export options. See the Junos OS VPNs Library for Routing Devices.
Configure this routing instance with vrf-table-label, which maps the inner label of a packet to a specific VPN routing and forwarding (VRF) table and allows the examination of the encapsulated IP header:
[edit routing-instances] user@switchPE1# set L3VPN-1 vrf-table-label

Configure the router ID and autonomous system (AS):

Note: We recommend that you explicitly configure the router identifier under the [edit routing-options] hierarchy level to avoid unpredictable behavior if the interface address on a loopback interface changes.

[edit routing-options]
user@switchPE1# set router-id 21.21.21.21 autonomous-system 10

Results

Display the results of the configuration:

user@switchPE1>                              show configuration

interfaces {ge-0/0/14 {unit 0 {family inet {address 51.51.0.1/16;}}}lo0 {unit 0 {family inet {address 21.21.21.21/32;}}}xe-0/0/6 {unit 0 {family inet {address 60.0.0.60/16;}family mpls;}}protocols {mpls {label-switched-path 21-22 {from 21.21.21.21;to 22.22.22.22;no-cspf;}interface xe-0/0/6.0;interface lo0.0;bgp {local-address 21.21.21.21;family inet-vpn {unicast;}group PE1-PE2 {type internal;neighbor 22.22.22.22;}}ospf {traffic-engineering;area 0.0.0.0 {interface ge-0/0/14.0;interface lo0.0;interface xe-0/0/6.0;}}}routing-instances {L3VPN-1 {instance-type vrf;description "BETWEEN PE1 AND PE2";route-distinguisher 21:21;vrf-target target:21:21;vrf-table-label;}routing-options {router-id 21.21.21.21;autonomous-system 10;

Configuring the Remote PE Switch

CLI Quick Configuration

To quickly configure the Layer 3 VPN components on the remote PE switch, copy the following commands and paste them into the switch terminal window of PE2:

[edit]
set protocols bgp local-address
22.22.22.22 family inet-vpn unicast
set protocols bgp group PE1-PE2 type internal 
set protocols bgp neighbor 21.21.21.21
set routing-instances L3VPN-1  instance-type
vrf
set routing-instances
L3VPN-1 description "BETWEEN PE1 AND PE2"
set routing-instances L3VPN-1 interface ge-0/0/14.0
set routing-instances L3VPN-1  route-distinguisher
21:21
set routing-instances
L3VPN-1 vrf-target target:21:21 
 set routing-instances L3VPN-1 vrf-table-label;
set routing-options router-id 22.22.22.22
set routing-options autonomous-system
10

Step-by-Step Procedure

To configure Layer 3 VPN components on the remote PE switch:

Configure BGP, specifying the loopback address as the local address and specifying family inet-vpn unicast:
[edit protocols bgp] user@switchPE2# set local-address 22.22.22.22 family inet-vpn unicast
Configure the BGP group, specifying the group name and type:
[edit protocols bgp] user@switchPE2# set group PE1-PE2 type internal
Configure the BGP neighbor, specifying the loopback address of the remote PE switch as the neighbor’s address:
[edit protocols bgp] user@switchPE2# set neighbor 21.21.21.21
Configure the routing instance, specifying the routing-instance name and using vrf as the instance type:
[edit routing-instances] user@switchPE2# set L3VPN-1 instance-type vrf
Configure a description for this routing instance:
[edit routing-instances] user@switchPE1# set L3VPN-1 description "BETWEEN PE1 AND PE2"
Configure the routing instance to apply to the customer edge interface:
[edit routing-instances] user@switchPE2# set L3VPN-1 interface ge-0/0/14.0
Configure the routing instance to use a route distinguisher, using the format ip-address:number:
[edit routing-instances] user@switchPE2# set L3VPN-1 route-distinguisher 21:21
Configure the VPN routing and forwarding (VRF) target of the routing instance:
[edit routing-instances] user@switchPE2# set L3VPN-1 vrf-target target:21:21
Configure this routing instance with vrf-table-label, which maps the inner label of a packet to a specific VPN routing and forwarding (VRF) table and allows the examination of the encapsulated IP header.
[edit routing-instances] user@switchPE2# set L3VPN-1 vrf-tabel-label
Configure the router ID and autonomous system (AS):
[edit routing-options] user@switchPE2# set router-id 22.22.22.22 autonomous-system 10

Results

Display the results of the configuration:

user@switchPE2> show configuration

interfaces {ge-0/0/14 {unit 0 {family inet {address 11.22.26.14/16;}}}lo0 {unit 0 {family inet {address 22.22.22.22/32;}}}xe-0/0/6 {unit 0 {family inet {address 60.2.0.60/16;}family mpls;}}protocols {mpls {label-switched-path 22-21 {from 22.22.22.22;to 21.21.21.21;no-cspf;}interface xe-0/0/6.0;interface lo0.0;bgp {local-address 22.22.22.22;family inet-vpn {unicast;}group PE1-PE2 {type internal;neighbor 21.21.21.21;}}ospf {traffic-engineering;area 0.0.0.0 {interface ge-0/0/14.0;interface lo0.0;interface xe-0/0/6.0;}}}routing-instances {L3VPN-1 {instance-type vrf;description"BETWEEN PE1 AND PE2";route-distinguisher 21:21;vrf-target target:21:21;vrf-table-label;}routing-options {router-id 22.22.22.22;autonomous-system 10;

Supported Platforms

EX4600

TechLibrary

Supported Platforms

Related Documentation

Example: Configuring MPLS-Based Layer 3 VPNs

Requirements

Overview and Topology

Configuring the Local PE Switch

CLI Quick Configuration

Step-by-Step Procedure

Results

Configuring the Remote PE Switch

CLI Quick Configuration

Step-by-Step Procedure

Results

Related Documentation

Published: 2014-09-26

Supported Platforms

Related Documentation

Published: 2014-09-26