Configuring VPNs with a Configuration Editor

To configure a basic Layer 3 VPN, Layer 2 VPN, or Layer 2 circuit, perform the following tasks. Use Table 188 to help you select the tasks for your VPN type. For information about using the J-Web and CLI configuration editors, see the J-Web Interface User Guide and the JUNOS CLI User Guide.

Table 188: VPN Configuration Task Summary

| Section | Layer 3 VPN | Layer 2 VPN | Layer 2 Circuit |
| --- | --- | --- | --- |
| Configuring Interfaces Participating in a VPN | All Services Routers | All Services Routers | All Services Routers |
| Configuring Protocols Used by a VPN | All Services Routers | All Services Routers | All Services Routers |
| Configuring a VPN Routing Instance | PE Services Routers | PE Services Routers | N/A |
| Configuring a VPN Routing Policy | CE Services Routers (PE Services Routers if you are not using a route target) | PE Services Routers if you are not using a route target | N/A |

Configuring Interfaces Participating in a VPN

Configuring the Services Router interfaces that participate in the VPN is similar to configuring them for other uses, with a few requirements for VPN.

Before following the procedures in this section, make sure you have initially configured the interface as described in Configuring Ethernet, DS1, DS3, and Serial Interfaces.

To configure an interface for a VPN:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 189 for each interface involved in the VPN, except Layer 3 loopback interfaces, which do not require other configuration.
  3. Go on to Configuring Protocols Used by a VPN.

Table 189: Configuring an Interface for a VPN

Task

J-Web Configuration Editor

CLI Configuration Editor

Configure IPv4.

(interfaces on all Services Routers)

(See the interface naming conventions in Network Interface Naming.)

  1. In the J-Web interface, select Configure>CLI Tools>Point and Click CLI.
  2. Next to Interfaces, click Configure or Edit.
  3. In the Interface name column, select the interface.
  4. For Layer 2 VPNs on the interface facing a CE router, select an encapsulation type, such as ethernet-ccc, from the Encapsulation list. For Fast Ethernet interfaces, you also must select Vlan tagging from the Vlan tag mode list.
  5. In the Interface unit number column, select the logical interface.
  6. In the Family group, select Inet and click Edit.
  7. Next to Address, click Add new entry.
  8. In the Source box, type the IPv4 address, for example, 10.49.102.1/30. For a loopback address on a Layer 2 configuration, select Primary.
  9. Click OK to return to the Unit page.

  • For all interfaces except loopback, and a Layer 2 VPN interface facing a CE router:

    From the [edit] hierarchy level, enter

    edit interfaces interface-name unit logical_interface family inet address ipv4_address

  • For a loopback address on a Layer 2 configuration:

    From the [edit] hierarchy level, enter

    edit interfaces lo0 unit logical_interface family inet address ipv4_address primary

  • For a Layer 2 VPN interface facing a CE router:

    From the [edit] hierarchy level, enter

    set interfaces interface-name vlan-tagging encapsulation vlan-ccc unit logical_interface encapsulation vlan-ccc vlan-id id-number

Configure the MPLS address family.

(for interfaces on a PE or provider Services Router that communicate with a PE or provider Services Router only, and not for loopback addresses)

On the Unit page, select Mpls in the Family group.

At the [edit interfaces interface] level, enter

set unit logical_interface family mpls

For Layer 2 VPNs and circuits, configure encapsulation.

If multiple logical units are configured, the encapsulation type is needed at the interface level only. It is always required at the unit level.

(for interfaces on a PE Services Router that communicate with a CE Services Router)

  1. On the Unit page, select an encapsulation type from the Encapsulation list.
  2. Click OK.
  3. On the Interface page, select an encapsulation type from the Encapsulation list.
  4. Click OK until you see the Configuration Interfaces page displaying all interfaces on the router.

  1. At the [edit interfaces interface] level, enter

    set encapsulation encapsulation_type

  2. Enter

    set unit logical_interface encapsulation encapsulation_type

Configuring Protocols Used by a VPN

The Services Routers in a VPN use a variety of protocols to communicate between PE and provider Services Routers. Use Table 190 to help you select the tasks for your VPN type. For more information about configuring routing protocols, see the JUNOS Routing Protocols Configuration Guide and the JUNOS MPLS Applications Configuration Guide.

Table 190: VPN Protocol Configuration Task Summary

| Section | Layer 3 VPN | Layer 2 VPN | Layer 2 Circuit |
| --- | --- | --- | --- |
| Configuring MPLS for VPNs | N/A unless you are using RSVP | PE and provider Services Routers | PE Services Routers |
| Configuring a BGP Session | PE Services Routers | PE Services Routers | PE Services Routers |
| Configuring Routing Options for VPNs | All Services Routers | All Services Routers | All Services Routers |
| Configuring an IGP and a Signaling Protocol | PE and provider Services Routers | PE Services Routers | PE Services Routers |
| Configuring a Layer 2 Circuit | N/A | N/A | PE Services Routers |

Configuring MPLS for VPNs

For Layer 2 VPN and Layer 2 circuit interfaces that communicate with other PE Services Routers and provider Services Routers, you must advertise the interface using MPLS. Unless you are using RSVP, this section does not apply to Layer 3 VPNs because MPLS is configured on the interface.

For more information about configuring MPLS, see Multiprotocol Label Switching Overview and the JUNOS MPLS Applications Configuration Guide.

To configure MPLS for VPNs:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 191 on each PE Services Router and provider Services Router interface that communicates with another PE Services Router.
  3. If you are finished configuring the router, commit the configuration.
  4. To verify the configuration, see Verifying a VPN Configuration.
  5. Go on to Configuring a BGP Session.

Table 191: Configuring MPLS for VPNs

Task

J-Web Configuration Editor

CLI Configuration Editor

Navigate to the top of the configuration hierarchy and specify the interfaces used for communication between PE routers and between PE routers and provider routers.

(PE and provider Services Routers)

(See the interface naming conventions in Network Interface Naming.)

  1. In the J-Web interface, select Configure>CLI Tools>Point and Click CLI.
  2. Next to Protocols, click Configure or Edit.
  3. Next to Mpls, click Configure or Edit.
  4. Next to Interface, click Configure or Edit.
  5. In the Interface name box, type interface-name.
  6. Click OK.

From the [edit] hierarchy level, enter the following command for each interface you want to enable:

edit protocols mpls interface interface-name

For RSVP only, configure an MPLS label-switched path (LSP) to its destination point on the PE router. During configuration, you specify the IP address of the LSP destination point, which is an address on the remote PE router.

The path name is defined on the source Services Router only and is unique between two routers.

(PE Services Router interface communicating with another PE Services Router)

  1. In the MPLS page, click Add New Entry in the Label switched path group.
  2. Type a path name in the Path name box and an IP address in the To box.
  3. Click OK.
  4. Next to Interface, click Add New Entry.
  5. Type interface-name in the Interface name box.
  6. Click OK.
  7. Repeat Steps 4 through 6 for each interface.

  1. From the [edit] hierarchy level, enter

    edit protocols mpls label-switched-path path-name

  2. Enter

    set to ip-address

  3. Enter up.
  4. Enter

    set interface interface-name

Configuring a BGP Session

You must configure an internal BGP (IBGP) session between PE Services Routers so the Services Routers can exchange information about routes originating and terminating in the VPN. The PE routers use this information to determine which labels to use for traffic destined for remote sites. The IBGP session for the VPN runs through the loopback address. This section is valid for Layer 2 VPNs and Layer 3 VPNs, but not Layer 2 circuits.

For the Layer 3 example, you also configure an EBGP session.

For more information about configuring IBGP sessions, see Configuring BGP Within a Network (Required) and the JUNOS Routing Protocols Configuration Guide.

To configure an IBGP session:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 192 on each PE router.
  3. If you are finished configuring the router, commit the configuration.
  4. To verify the configuration, see Verifying a VPN Configuration.
  5. Go on to Configuring Routing Options for VPNs.

Table 192: Configuring an IBGP Session

Task

J-Web Configuration Editor

CLI Configuration Editor

Navigate to the top of the configuration hierarchy and configure the IBGP session.

(PE Services Router)

  1. In the J-Web interface, select Configure>CLI Tools>Point and Click CLI.
  2. Next to Protocols, click Configure or Edit.
  3. Next to Bgp, click Configure or Edit.
  4. Next to Group, click Add New Entry.
  5. Type a name in the Group name box.
  6. From the Type list, select Internal.
  7. In the Local address box, type the local loopback IP address.
  8. In the Family group, select L2vpn for a Layer 2 VPN or Inet vpn for a Layer 3 VPN.
  9. Select Unicast.
  10. Click OK.
  11. In the Neighbor group, click Add new entry.
  12. In the Address box, type the loopback IP address of the neighboring PE router.
  13. Click OK until you return to the BGP page.

  1. From the [edit] hierarchy level, enter

    edit protocols bgp group group-name

  2. Enter

    set type internal

  3. Enter

    set local-address loopback-interface-ip-address

  4. Enter

    set family family-type unicast

    Replace family-type with l2vpn for a Layer 2 VPN or inet-vpn for a Layer 3 VPN.

  5. Enter up.
  6. Enter the loopback address of the neighboring PE router:

    set neighbor ip-address

Configuring Routing Options for VPNs

The only required routing option for VPNs is the autonomous system (AS) number. You must specify it on each router involved in the VPN.

To configure routing options for a VPN:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration task described in Table 193.
  3. If you are finished configuring the router, commit the configuration.
  4. To verify the configuration, see Verifying a VPN Configuration.
  5. Go on to Configuring an IGP and a Signaling Protocol.

Table 193: Configuring Routing Options for a VPN

Task

J-Web Configuration Editor

CLI Configuration Editor

Configure the AS number.

  1. In the J-Web interface, select Configure>CLI Tools>Point and Click CLI.
  2. Next to Routing options, click Configure or Edit.
  3. In the AS number box, type the AS number.
  4. Click OK.

From the [edit] hierarchy level, enter

set routing-options autonomous-system as-number

Configuring an IGP and a Signaling Protocol

The PE Services Routers and provider Services Routers must be able to exchange routing information. To enable this exchange, you must configure either an IGP such as OSPF or static routes on these routers. You must configure the IGP at the [edit protocols] level, not within the routing instance at the [edit routing-instances] level.

You can use LDP or RSVP between PE routers and between PE routers and provider routers, but not for interfaces between PE routers and CE routers. LDP routes traffic using IGP metrics. RSVP has traffic engineering that lets you override IGP metrics as needed. For more information about these protocols, see Signaling Protocols Overview.

Each PE Services Router's loopback address must appear as a separate route. Do not configure any summarization of the PE Services Router's loopback addresses at the area boundary.

For more information about configuring IGPs and static routes, see Configuring a RIP Network, Configuring an OSPF Network, Configuring the IS-IS Protocol, Configuring Static Routes, and the JUNOS Routing Protocols Configuration Guide.

Configure the appropriate signaling protocol for your VPN:

Configuring LDP for Signaling

You must configure LDP and OSPF on PE and provider routers. For more information about configuring OSPF, see Configuring an OSPF Network.

To configure LDP and OSPF:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 194 on PE and provider router interfaces that communicate with a PE router or provider router.

    For the protocols to work properly, you also must configure the MPLS address family for each interface that uses LDP or RSVP, as described previously in Configuring Interfaces Participating in a VPN.

  3. If you are finished configuring the router, commit the configuration.
  4. To verify the configuration, see Verifying a VPN Configuration.
  5. Go on to Configuring a VPN Routing Instance.

Table 194: Configuring LDP and OSPF for Signaling

Task

J-Web Configuration Editor

CLI Configuration Editor

Navigate to the top of the configuration hierarchy and specify the LDP protocol. Enable local interfaces that communicate with a PE router or provider router, and the loopback interface of the PE router.

(PE and provider Services Routers)

(See the interface naming conventions in Network Interface Naming.)

  1. In the J-Web interface, select Configure>CLI Tools>Point and Click CLI.
  2. Next to Protocols, click Configure or Edit.
  3. Next to Ldp, click Configure or Edit.
  4. Next to Interface, click Configure or Edit.
  5. In the Interface name column, type interface-name.
  6. Click OK.
  7. Repeat Steps 4 and 5 for each interface you want to enable.

From the [edit] hierarchy level, enter the following command for each interface you want to enable:

edit protocols ldp interface interface-name

Configure OSPF for each interface that uses LDP.

For OSPF, you must configure at least one area on at least one of the router's interfaces. An AS can be divided into multiple areas. This example uses the backbone area 0.0.0.0.

(PE and provider Services Routers)

For OSPF:

  1. On the main Configuration page next to Protocols, click Configure or Edit.
  2. Next to Ospf, click Configure or Edit.
  3. For Layer 2 VPN or circuit, select Traffic engineering.
  4. Next to Area group, click Add new entry and add the area.
  5. Next to Area group, select the area (0.0.0.0).
  6. Next to Interface group, select Add new entry.
  7. In the Interface name box, type interface-name.
  8. Click OK.
  9. Repeat Steps 5 through 7 to enable additional interfaces.
  10. Click OK twice to return to the Protocols page.

For OSPF:

  1. From the [edit] hierarchy level, enter the following command for each interface you want to enable:

    edit protocols ospf area 0.0.0.0 interface interface-name

  2. For Layer 2 VPN or circuit, move up to the [edit protocols ospf] level and enter

    set traffic-engineering

Configuring RSVP for Signaling

You must enable RSVP for all connections that participate in the label-switched path (LSP) on PE and provider Services Routers. In addition, you must configure OSPF on various interfaces.

For more information about configuring OSPF, see Configuring an OSPF Network.

To configure RSVP and OSPF:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 195 on each PE router and provider router, as specified.
  3. If you are finished configuring the router, commit the configuration.
  4. To verify the configuration, see Verifying a VPN Configuration.
  5. Go on to Configuring a VPN Routing Instance.

Table 195: Configuring RSVP and OSPF for Signaling

Task

J-Web Configuration Editor

CLI Configuration Editor

Navigate to the top of the configuration hierarchy and configure OSPF with traffic engineering support.

(PE Services Router)

For OSPF, follow these steps:

  1. In the J-Web interface, select Configure>CLI Tools>Point and Click CLI.
  2. Next to Protocols, click Configure or Edit.
  3. Next to Ospf, click Configure or Edit.
  4. Select Traffic engineering, and then click Configure.
  5. Select Shortcuts.
  6. Click OK until you return to the Protocols page.

From the [edit] hierarchy level, enter the following command for each interface you want to enable:

edit protocols ospf traffic-engineering shortcuts

Enable RSVP on interfaces that participate in the LSP.

(PE Services Router) Enable interfaces on the source and destination points.

(provider Services Router) Enable interfaces that connect the LSP between the PE Services Routers.

(See the interface naming conventions in Network Interface Naming.)

  1. On the main Configuration page next to Protocols, click Configure or Edit.
  2. Next to Rsvp, click Configure or Edit.
  3. In the Interface group, click Add New Entry.
  4. Type an interface name.
  5. Click OK.
  6. Repeat Steps 2 through 4 for each interface you want to enable.
  7. Click OK.

From the [edit] hierarchy level, enter the following command for each interface you want to enable:

edit protocols rsvp interface interface-name

Configuring a Layer 2 Circuit

Each Layer 2 circuit is represented by the logical interface connecting the local PE Services Router to the local CE Services Router. The remote PE Services Router neighbor that a set of Layer 2 circuits uses is identified by its IP address and is usually the endpoint destination for the LSP tunnel transporting the Layer 2 circuit.

You configure a virtual circuit ID on each interface. Each virtual circuit ID uniquely identifies the Layer 2 circuit among all the Layer 2 circuits to a specific neighbor. The key to identifying a particular Layer 2 circuit on a PE router is the neighbor address and the virtual circuit ID. Based on the virtual circuit ID and the neighbor relationship, an LDP label is bound to an LDP circuit. LDP uses the binding for sending traffic on that Layer 2 circuit to the remote CE router.

To configure a Layer 2 circuit:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 196 on each PE router and provider router, as specified.
  3. If you are finished configuring the router, commit the configuration.
  4. To verify the configuration, see Verifying a VPN Configuration.

Table 196: Configuring a Layer 2 Circuit

Task

J-Web Configuration Editor

CLI Configuration Editor

Navigate to the top of the configuration hierarchy and enable a Layer 2 circuit on the appropriate interface.

(PE Services Router)

(See the interface naming conventions in Network Interface Naming.)

  1. In the J-Web interface, select Configure>CLI Tools>Point and Click CLI.
  2. Next to Protocols, click Configure or Edit.
  3. Next to L2circuit, click Configure or Edit.
  4. Next to Neighbor, click Add new entry.
  5. In the Neighbor box, enter the loopback address of the local router.
  6. Next to Interface, click Add new entry.
  7. In the Interface box, type the interface name of the remote PE router.
  8. In the Virtual circuit id box, type an ID number.
  9. Click OK until you return to the Protocols page.

  1. From the [edit] hierarchy level, enter

    edit protocols l2circuit neighbor ip-address interface interface-name

    For neighbor, specify the local loopback address, and for interface, specify the interface name of the remote PE router.

  2. Enter

    set virtual-circuit-id id-number

Configuring a VPN Routing Instance

You must configure a routing instance for each VPN on each PE Services Router participating in the VPN. The routing instance has the same name on each PE router. VPN routing instances need a route distinguisher to help BGP distinguish between potentially identical network layer reachability information (NLRI) messages received from different VPNs. This section does not apply to Layer 2 circuit configurations.

Each routing instance that you configure on a PE router must have a unique route distinguisher. There are two possible formats: as-number:number and ip-address:number.

The route target defines which route is part of a VPN. A unique route target helps distinguish between different VPN services on the same router. Each VPN also has a policy that defines how routes are imported into the VPN routing and forwarding (VRF) table on the router. A Layer 2 VPN is configured with import and export policies. A Layer 3 VPN uses a unique route target to distinguish between VPN routes.

To configure a VPN routing instance:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 197 on each PE router.
  3. If you are finished configuring the router, commit the configuration.
  4. To verify the configuration, see Verifying a VPN Configuration.
  5. Go on to Configuring a VPN Routing Policy.

Table 197: Configuring a VPN Routing Instance

Task

J-Web Configuration Editor

CLI Configuration Editor

Navigate to the top of the configuration hierarchy and create the routing instance.

(PE Services Router)

  1. In the J-Web interface, select Configure>CLI Tools>Point and Click CLI.
  2. Next to Routing instances, click Configure or Edit.
  3. In the Instance group, click Add New Entry.
  4. Type a name in the Instance name box.

From the [edit] hierarchy level, enter

edit routing-instances routing-instance-name

Specify a text description for the routing instance. This text appears in the output of the show route instance detail command.

(PE Services Router)

In the Description box, type a description.

Enter

set description "text"

Specify the instance type, either l2vpn for Layer 2 VPNs or vrf for Layer 3 VPNs.

(PE Services Router)

From the Instance type list, select an instance type.

Enter

set instance-type instance-type

Specify the interface of the remote PE Services Router.

(PE Services Router)

(See the interface naming conventions in Network Interface Naming.)

  1. Next to Interface group, click Add New Entry.
  2. In the Interface name box, enter interface-name.
  3. Click OK.

Enter

set interface interface-name

Specify the route distinguisher.

(PE Services Router)

In the Rd type box, enter a route distinguisher in the format as-number:number or ip-address:number.

Enter one of the following commands:

  • set route-distinguisher as-number:number
  • set route-distinguisher ip-address:number

Specify the policy for the Layer 2 VRF table.

For the Layer 2 VPN example, the routing policies are defined in Configuring a Routing Policy for Layer 2 VPNs.

(PE Services Router)

For the sample Layer 2 VPN configuration, which uses import and export policies:

  1. Next to Vrf export group, select Add new entry.
  2. In the Value box, type the export routing policy name.
  3. Click OK.
  4. Next to Vrf import group, click Add new entry.
  5. In the Value box, type the import routing policy name.
  6. Click OK.

For the sample Layer 2 VPN configuration, which uses import and export policies, enter

set vrf-import import-policy-name vrf-export export-policy-name

Specify the policy for the Layer 3 VRF table.

For the Layer 3 VPN example, the routing policy is defined in Configuring a Routing Policy for Layer 3 VPNs.

(PE Services Router)

For the sample Layer 3 VPN configuration, which uses a route target:

  1. In the Vrf target box, click Configure.
  2. In the Community box, type the community (target:community-id, where community-id is as-number:number or ip-address:number).
  3. Click OK.

For the sample Layer 3 VPN configuration, which uses a route target, enter

set vrf-target target:community-id

Replace community-id with either of the following:

  • as-number:number
  • ip-address:number

Configuring a VPN Routing Policy

Layer 2 and Layer 3 VPNs require a routing policy that describes which packets are sent and received across the VPN. Layer 2 circuits do not use a policy, and therefore, Layer 2 circuits send and receive all packets. For Layer 2 VPNs, the routing policy resides on the PE Services Routers. For the Layer 3 VPN example, the routing policy resides on the CE Services Routers.

For more information about configuring routing policies, see Configuring Routing Policies and the JUNOS Routing Protocols Configuration Guide.

Configuring a Routing Policy for Layer 2 VPNs

If the routing instance uses a policy for accepting and rejecting packets instead of a route target, you must specify the import and export routing policies and the community on each PE Services Router.

To configure a Layer 2 VPN routing policy on a PE Services Router:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 198 and Table 199 on each PE router.
  3. If you are finished configuring the router, commit the configuration.
  4. To verify the configuration, see Verifying a VPN Configuration.

Table 198: Configuring an Import Routing Policy for Layer 2 VPNs

Task

J-Web Configuration Editor

CLI Configuration Editor

Navigate to the top of the configuration hierarchy and configure the import routing policy.

(PE Services Router)

  1. In the J-Web interface, select Configure>CLI Tools>Point and Click CLI.
  2. Next to Policy options, click Configure or Edit.
  3. Next to Policy statement, click Add new entry.
  4. In the Policy name box, type the policy name—for example, import_vpn.

From the [edit] hierarchy level, enter

edit policy-options policy-statement import-policy-name

Define the term for accepting packets.

(PE Services Router)

  1. Next to Term group, click Add new entry.
  2. In the Term name box, type a term name—for example, 10.
  3. Next to From, click Configure.
  4. Click Add new entry.
  5. Click Protocol and select bgp from the Value menu.
  6. Click OK.
  7. Next to Community, click Add new entry.
  8. Type the community-name value in the Community Name box.
  9. Click OK.
  10. Next to Then, click Configure.
  11. From the Accept reject list, select accept.
  12. Click OK until you are at the Policy statement page.

  1. Enter

    set term term-name-accept from protocol bgp community community-name

  2. Enter

    set term term-name-accept then accept

Define the term for rejecting packets.

(PE Services Router)

  1. Next to the Term group, click Add new entry.
  2. In the Term name box, type a term name—for example, 20.
  3. Next to Then, click Configure.
  4. From the Accept list, select reject.
  5. Click OK until you return to the Policy options page.

Enter

set term term-name-reject then reject

After configuring an import routing policy for a Layer 2 VPN, configure an export routing policy for the Layer 2 VPN. The export routing policy defines how routes are exported from the PE Services Router routing table. An export policy is applied to routes sent to other PE Services Routers in the VPN. The export policy must also evaluate all routes received over the routing protocol session with the CE Services Router. The export policy must also contain a second term for rejecting all other routes.

Table 199: Configuring an Export Routing Policy for Layer 2 VPNs

Task

J-Web Configuration Editor

CLI Configuration Editor

Configure the export routing policy.

(PE Services Router)

  1. In the J-Web interface, select Configure>CLI Tools>Point and Click CLI.
  2. Next to Policy options, click Configure or Edit.
  3. Next to Policy statement, click Add new entry.
  4. In the Policy name box, type the policy name—for example, export_vpn.

From the [edit] hierarchy level, enter

edit policy-options policy-statement export-policy-name

Define the term for accepting packets.

(PE Services Router)

  1. Next to the Term group, click Add new entry.
  2. In the Term name box, type a term name—for example, 10.
  3. Next to From, click Configure.
  4. Next to Community, click Add new entry.
  5. Type the community-name value in the Community Name box.
  6. Click OK.
  7. Next to Then, click Configure.
  8. From the Accept reject list, select accept.
  9. Click OK twice until you are at the Policy statement page.

  1. Enter

    set term term-name-accept from community add community-name

  2. Enter

    set term term-name-accept then accept

Define the term for rejecting packets.

(PE Services Router)

  1. Next to the Term group, click Add new entry.
  2. In the Term name box, type a term name—for example, 20.
  3. Next to Then, click Configure.
  4. From the Accept reject list, select reject.
  5. Click OK until you return to the Policy options page.

  1. Enter

    set term term-name-reject from community add community-name

  2. Enter

    set term term-name-reject then reject

Define the community.

(PE Services Router)

  1. In the Community group, click Add new entry.
  2. In the Community name box, type a community name—for example, VPN.
  3. In the Members group, click Add new entry.
  4. In the Value box, type target:community-id, where community-id is as-number:number or ip-address:number.
  5. Click OK until you return to the Policy options page.

At the [edit policy-options] level, enter the following command, replacing community-id with as-number:number or ip-address:number:

set community community-name members target:community-id

Configuring a Routing Policy for Layer 3 VPNs

To configure a Layer 3 VPN routing policy on a CE Services Router:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 200 on each CE Services Router.
  3. If you are finished configuring the router, commit the configuration.
  4. To verify the configuration, see Verifying a VPN Configuration.

Table 200: Configuring a Routing Policy for Layer 3 VPNs

Task

J-Web Configuration Editor

CLI Configuration Editor

Navigate to the top of the configuration hierarchy and configure the routing policy for the loopback interface.

(CE Services Router)

  1. In the J-Web interface, select Configure>CLI Tools>Point and Click CLI.
  2. Next to Policy options, click Configure or Edit.
  3. Next to Policy statement, click Configure or Edit.
  4. In the Policy name box, type the policy name—for example, loopback.

From the [edit] hierarchy level, enter

edit policy-options policy-statement policy-name

Define the term for accepting packets.

(CE Services Router)

  1. In the Term group, click Add new entry.
  2. In the Term name box, type a term name—for example, 1.
  3. Next to From, click Configure.
  4. Click protocol, then Add new entry.
  5. Select direct from the Value menu, and click OK.
  6. Next to Route Filter, click Add new entry.
  7. Type local-loopback-address/netmask in the Address box.
  8. Select exact from the Modifier list.
  9. Click OK twice.
  10. Next to Then, click Configure.
  11. From the Accept reject list, select accept.
  12. Click OK until you are at the Policy statement page.

  1. Enter

    set term term-name-accept from protocol direct route-filter local-loopback-address/netmask exact

  2. Enter

    set term term-name-accept then accept

Define the term for rejecting packets.

(CE Services Router)

  1. Next to the Term group, click Add new entry.
  2. In the Term name box, type a term name—for example, 2.
  3. Next to Then, click Configure.
  4. From the Accept reject list, select reject.
  5. Click OK until you return to the Policy options page.

Enter

set term term-name-reject then reject
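
The following is an added example, not part of the original guide: a Python check that reads a PE router configuration in set format and reports which requirements stated in the sections above are not met (AS number, MPLS family on LDP and RSVP interfaces, IBGP group settings, and a unique route distinguisher and route target per routing instance). The sample configuration and every name, address and number in it are constructed, and treating an interface named without a unit as unit 0 is an assumption.

```python
from collections import defaultdict

# Constructed sample: a PE router configuration in "set" format. Interface names,
# addresses, AS numbers and instance names are placeholders, not from the guide.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/1 unit 0 family inet address 10.49.102.1/30
set interfaces ge-0/0/1 unit 0 family mpls
set interfaces ge-0/0/3 unit 0 family inet address 10.49.103.1/30
set interfaces lo0 unit 0 family inet address 10.255.0.1/32
set protocols ldp interface ge-0/0/1.0
set protocols ldp interface ge-0/0/3.0
set protocols ldp interface lo0.0
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0
set protocols bgp group pe-ibgp type internal
set protocols bgp group pe-ibgp local-address 10.255.0.1
set protocols bgp group pe-ibgp family inet-vpn unicast
set protocols bgp group pe-ibgp neighbor 10.255.0.2
set routing-instances vpn-a instance-type vrf
set routing-instances vpn-a interface ge-0/0/2.0
set routing-instances vpn-a route-distinguisher 65000:100
set routing-instances vpn-a vrf-target target:65000:100
set routing-instances vpn-b instance-type vrf
set routing-instances vpn-b interface ge-0/0/4.0
set routing-instances vpn-b route-distinguisher 65000:100
set routing-instances vpn-b vrf-target target:65000:100
"""


def parse(config):
    """Return the token list of every 'set' statement, without the 'set'."""
    return [line.split()[1:] for line in config.splitlines()
            if line.strip().startswith("set ")]


def audit(config):
    """Check a set-format configuration against the requirements in this section."""
    stmts = parse(config)
    findings = []

    # The AS number is the one required routing option on every router in the VPN.
    if not any(s[:2] == ["routing-options", "autonomous-system"] for s in stmts):
        findings.append("routing-options: autonomous-system is not set")

    # Every interface that runs LDP or RSVP also needs family mpls (not loopback).
    mpls_units = {f"{s[1]}.{s[3]}" for s in stmts
                  if len(s) >= 6 and s[0] == "interfaces" and s[2] == "unit"
                  and s[4:6] == ["family", "mpls"]}
    for s in stmts:
        if len(s) >= 4 and s[0] == "protocols" and s[1] in ("ldp", "rsvp") \
                and s[2] == "interface":
            # Assumption: a name without a unit refers to unit 0.
            ifl = s[3] if "." in s[3] else s[3] + ".0"
            if not ifl.startswith("lo0") and ifl not in mpls_units:
                findings.append(f"{s[1]}: interface {ifl} has no family mpls")

    # The IBGP session runs through the loopback and carries l2vpn or inet-vpn.
    groups = defaultdict(lambda: {"families": set()})
    for s in stmts:
        if len(s) >= 6 and s[:3] == ["protocols", "bgp", "group"]:
            if s[4] == "family":
                groups[s[3]]["families"].add(s[5])
            else:
                groups[s[3]][s[4]] = s[5]
    for name, group in sorted(groups.items()):
        if group.get("type") != "internal":
            continue
        if "local-address" not in group:
            findings.append(f"bgp group {name}: no local-address")
        if not group["families"] & {"l2vpn", "inet-vpn"}:
            findings.append(f"bgp group {name}: family l2vpn or inet-vpn not enabled")

    # Each VPN routing instance needs its own route distinguisher and route target.
    instances = defaultdict(dict)
    for s in stmts:
        if len(s) >= 4 and s[0] == "routing-instances" and s[2] in (
                "instance-type", "route-distinguisher", "vrf-target"):
            instances[s[1]][s[2]] = s[3]
    by_rd, by_rt = defaultdict(list), defaultdict(list)
    for name, attrs in sorted(instances.items()):
        if attrs.get("instance-type") not in ("vrf", "l2vpn"):
            continue
        if "route-distinguisher" not in attrs:
            findings.append(f"routing instance {name}: no route-distinguisher")
        else:
            by_rd[attrs["route-distinguisher"]].append(name)
        if "vrf-target" in attrs:
            by_rt[attrs["vrf-target"]].append(name)
    for rd, names in sorted(by_rd.items()):
        if len(names) > 1:
            findings.append(f"route-distinguisher {rd} reused by {', '.join(names)}")
    for rt, names in sorted(by_rt.items()):
        if len(names) > 1:
            findings.append(f"vrf-target {rt} shared by {', '.join(names)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

A shared route target means routes exported by one routing instance are imported by the other, so that finding is the one to review first when the two instances belong to different customers.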