Layer 3 VPNs User Guide for Routing Devices

Carrier-of-Carrier VPNs

24-Nov-23

Understanding Carrier-of-Carriers VPNs

The customer of a VPN service provider might itself be a service provider for the end customer. The following are the two main types of carrier-of-carriers VPNs (as described in RFC 4364):

  • Internet Service Provider as the Customer—The VPN customer is an ISP that uses the VPN service provider’s network to connect its geographically disparate regional networks. The customer does not have to configure MPLS within its regional networks.

  • VPN Service Provider as the Customer—The VPN customer is itself a VPN service provider offering VPN service to its customers. The carrier-of-carriers VPN service customer relies on the backbone VPN service provider for inter-site connectivity. The customer VPN service provider is required to run MPLS within its regional networks.

Figure 1 illustrates the network architecture used for a carrier-of-carriers VPN service.

Figure 1: Carrier-of-Carriers VPN Architecture

This topic covers the following:

Internet Service Provider as the Customer

In this type of carrier-of-carriers VPN configuration, ISP A configures its network to provide Internet service to ISP B. ISP B provides the connection to the customer wanting Internet service, but the actual Internet service is provided by ISP A.

This type of carrier-of-carriers VPN configuration has the following characteristics:

  • The carrier-of-carriers VPN service customer (ISP B) does not need to configure MPLS on its network.

  • The carrier-of-carriers VPN service provider (ISP A) must configure MPLS on its network.

  • MPLS must also be configured on the CE routers and PE routers connected together in the carrier-of-carriers VPN service customer’s and carrier-of-carriers VPN service provider’s networks.

VPN Service Provider as the Customer

A VPN service provider can have customers that are themselves VPN service providers. In this type of configuration, also called a hierarchical or recursive VPN, the customer VPN service provider’s VPN-IPv4 routes are considered external routes, and the backbone VPN service provider does not import them into its VRF table. The backbone VPN service provider imports only the customer VPN service provider’s internal routes into its VRF table.

The similarities and differences between interprovider and carrier-of-carriers VPNs are shown in Table 1.

Table 1: Comparison of Interprovider and Carrier-of-Carriers VPNs

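Feature                                | ISP Customer      | VPN Service Provider Customer
---------------------------------------|-------------------|------------------------------------------------------
Customer edge device                   | AS border router  | PE router
IBGP sessions                          | Carry IPv4 routes | Carry external VPN-IPv4 routes with associated labels
Forwarding within the customer network | MPLS is optional  | MPLS is required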

VPN service as the customer is supported on QFX10000 switches starting with Junos OS Release 17.1R1.

Configuring Carrier-of-Carriers VPNs for Customers That Provide Internet Service

You can configure a carrier-of-carriers VPN service for customers who want to provide basic Internet service. The carrier-of-carriers VPN service provider must configure MPLS in its network, although this configuration is optional for the carrier service customer. Figure 1 (Carrier-of-Carriers VPN Architecture) shows how the routers or switches in this type of service interconnect.

To configure a carrier-of-carriers VPN, perform the tasks described in the following sections:

Configuring the Carrier-of-Carriers VPN Service Customer’s CE Router

The carrier-of-carriers VPN service customer’s router (or switch) acts as a CE router with respect to the service provider’s PE router or switch. The following sections describe how to configure the carrier-of-carriers VPN service customer’s CE router or switch:

Configuring MPLS

To configure MPLS on the customer’s CE router or switch, include the mpls statement:

mpls {
    traffic-engineering bgp-igp;
    interface interface-name;
}

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring BGP

To configure a group to collate the customer’s internal routes, include the bgp statement:

bgp {
    group group-name {
        type internal;
        local-address address;
        neighbor address;
    }
}

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

The customer’s CE router (or switch) must be able to send labels to the VPN service provider’s router. Enable this by including the labeled-unicast statement in the configuration for the BGP group:

bgp {
    group group-name {
        export internal;
        peer-as as-number;
        neighbor address {
            family inet {
                labeled-unicast;
            }
        }
    }
}

You can include the bgp statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring OSPF

To configure OSPF on the customer’s CE router or switch, include the ospf statement:

ospf {
    area area-id {
        interface interface-name {
            passive;
        }
        interface interface-name;
    }
}

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring Policy Options

To configure policy options on the customer’s CE router or switch, include the policy-statement statement:

policy-statement statement-name {
    term term-name {
        from protocol [ ospf direct ldp ];
        then accept;
    }
    term term-name {
        then reject;
    }
}

You can include this statement at the following hierarchy levels:

  • [edit policy-options]

  • [edit logical-systems logical-system-name policy-options]

Configuring the Carrier-of-Carriers VPN Service Provider’s PE Routers

The service provider’s PE routers connect to the customer’s CE routers and forward the customer’s VPN traffic across the provider’s network.

The following sections describe how to configure the carrier-of-carriers VPN service provider’s PE routers:

Configuring MPLS

To configure MPLS on the provider’s PE routers or switches, include the mpls statement:

mpls {
    interface interface-name;
    interface interface-name;
}

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring BGP

To configure a BGP session with the provider PE router at the other end of the provider’s network, include the bgp statement:

bgp {
    group group-name {
        type internal;
        local-address address;
        family inet-vpn {
            any;
        }
        neighbor address;
    }
}

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring IS-IS

To configure IS-IS on the provider’s PE routers or switches, include the isis statement:

isis {
    interface interface-name;
    interface interface-name {
        passive;
    }
}

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring LDP

To configure LDP on the provider’s PE routers or switches, include the ldp statement:

ldp {
    interface interface-name;
}

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring a Routing Instance

To configure Layer 3 VPN service with the customer’s CE router or switch, include the labeled-unicast statement in the configuration for the routing instance so the PE router (or switch) can send labels to the customer’s CE router or switch:

routing-instance-name {
    instance-type vrf;
    interface interface-name;
    route-distinguisher address;
    vrf-import policy-name;
    vrf-export policy-name;
    protocols {
        bgp {
            group group-name {
                peer-as as-number;
                neighbor address {
                    family inet {
                        labeled-unicast;
                    }
                }
            }
        }
    }
}

You can include these statements at the following hierarchy levels:

  • [edit routing-instances]

  • [edit logical-systems logical-system-name routing-instances]

Configuring Policy Options

To configure a policy statement to import routes from the customer’s CE router or switch, include the policy-statement statement:

policy-statement policy-name {
    term term-name {
        from {
            protocol bgp;
            community community-name;
        }
        then accept;
    }
    term term-name {
        then reject;
    }
}

You can include this statement at the following hierarchy levels:

  • [edit policy-options]

  • [edit logical-systems logical-system-name policy-options]

To configure a policy statement to export routes to the customer’s CE router or switch, include the policy-statement and community statements:

policy-statement policy-name {
    term term-name {
        from protocol bgp;
        then {
            community add community-name;
            accept;
        }
    }
    term term-name {
        then reject;
    }
}
community community-name members value;

You can include these statements at the following hierarchy levels:

  • [edit policy-options]

  • [edit logical-systems logical-system-name policy-options]

Carrier-of-Carriers VPN Example—Customer Provides Internet Service

In this example, the carrier customer is not required to configure MPLS and LDP on its network. However, the carrier provider must configure MPLS and LDP on its network.

For configuration information, see the following sections:

Network Topology for Carrier-of-Carriers Service

A carrier-of-carriers service allows an Internet service provider (ISP) to connect to a transparent outsourced backbone at multiple locations.

Figure 2 shows the network topology in this carrier-of-carriers example.

Figure 2: Carrier-of-Carriers VPN Example Network Topology

Configuration for Router A

In this example, Router A represents an end customer. You configure this router as a CE device.

[edit]
protocols {
    bgp {
        group to-routerB {
            export attached;
            peer-as 21;
            as-override;
            neighbor 192.168.197.169;
        }
    }
}
policy-options {
    policy-statement attached {
        from protocol direct;
        then accept;
    }
}

Configuration for Router B

Router B can act as the gateway router, responsible for aggregating end customers and connecting them to the network. If a full-mesh IBGP session is configured, you can use route reflectors.

[edit]
protocols {
    bgp {
        group int {
            type internal;
            local-address 10.255.14.179;
            neighbor 10.255.14.175;
            neighbor 10.255.14.181;
            neighbor 10.255.14.176;
            neighbor 10.255.14.178;
            neighbor 10.255.14.177;
        }
        group to-vpn-blue {
            peer-as 1;
            neighbor 192.168.197.170;
        }
    }
    ospf {
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface fe-1/0/3.0;
            interface fe-1/0/2.0 {
                passive;
            }
        }
    }
}

Configuration for Router C

Configure Router C:

[edit]
protocols {
    bgp {
        group int {
            type internal;
            local-address 10.255.14.176;
            neighbor 10.255.14.179;
            neighbor 10.255.14.175;
            neighbor 10.255.14.177;
            neighbor 10.255.14.178;
            neighbor 10.255.14.181;
        }
    }
    ospf {
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface fe-0/3/3.0;
            interface fe-0/3/0.0;
        }
    }
}

Configuration for Router D

Router D is the CE router with respect to AS 10023. In a carrier-of-carriers VPN, the CE router must be able to send labels to the carrier provider; this is done with the labeled-unicast statement in group to-isp-red.

[edit]
protocols {
    mpls {
        interface t3-0/0/0.0;
    }
    bgp {
        group int {
            type internal;
            local-address 10.255.14.175;
            neighbor 10.255.14.179;
            neighbor 10.255.14.176;
            neighbor 10.255.14.177;
            neighbor 10.255.14.178;
            neighbor 10.255.14.181;
        }
        group to-isp-red {
            export internal;
            peer-as 10023;
            neighbor 192.168.197.13 {
                family inet {
                    labeled-unicast;
                }
            }
        }
    }
    ospf {
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface fe-0/3/0.0;
            interface t3-0/0/0.0 {
                passive;
            }
        }
    }
}
policy-options {
    policy-statement internal {
        term a {
            from protocol [ ospf direct ];
            then accept;
        }
        term b {
            then reject;
        }
    }
}

Configuration for Router E

This configuration sets up the inet-vpn IBGP session with Router H and the PE router portion of the VPN with Router D. Because Router D is required to send labels in this example, configure the BGP session with the labeled-unicast statement within the virtual routing and forwarding (VRF) table.

[edit]
protocols {
    mpls {
        interface t3-0/2/0.0;
        interface at-0/1/0.0;
    }
    bgp {
        group pe-pe {
            type internal;
            local-address 10.255.14.171;
            family inet-vpn {
                any;
            }
            neighbor 10.255.14.173;
        }
    }
    isis {
        interface at-0/1/0.0;
        interface lo0.0 {
            passive;
        }
    }
    ldp {
        interface at-0/1/0.0;
    }
}
routing-instances {
    vpn-isp1 {
        instance-type vrf;
        interface t3-0/2/0.0;
        route-distinguisher 10.255.14.171:21;
        vrf-import vpn-isp1-import;
        vrf-export vpn-isp1-export;
        protocols {
            bgp {
                group to-isp1 {
                    peer-as 21;
                    neighbor 192.168.197.14 {
                        family inet {
                            labeled-unicast;
                        }
                    }
                }
            }
        }
    }
}
policy-options {
    policy-statement vpn-isp1-import {
        term a {
            from {
                protocol bgp;
                community vpn-isp1-comm;
            }
            then accept;
        }
        term b {
            then reject;
        }
    }
    policy-statement vpn-isp1-export {
        term a {
            from protocol bgp;
            then {
                community add vpn-isp1-comm;
                accept;
            }
        }
        term b {
            then reject;
        }
    }
    community vpn-isp1-comm members target:69:21;
}
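
The PE pattern above depends on three things agreeing with each other: the VRF import policy filters on the route-target community, both VRF policies close with a bare reject term, and the VRF-facing interface that carries labeled-unicast is also listed under protocols mpls. The following Python check is an added example, not part of the original guide or of any Juniper tool; the function names are hypothetical, GOOD is Router E's configuration compacted and abridged, and BAD is a constructed variant.

```python
import re

def parse(text):
    """Junos curly-brace text -> tree of (statement, children); children is None for a leaf."""
    stack, words = [[]], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok in ("{", ";"):
            kids = [] if tok == "{" else None
            stack[-1].append((" ".join(words), kids))
            if kids is not None:
                stack.append(kids)
            words = []
        elif tok == "}":
            if len(stack) == 1 or words:
                raise ValueError("unbalanced braces or unterminated statement")
            stack.pop()
        else:
            words.append(tok)
    if len(stack) != 1 or words:
        raise ValueError("unbalanced braces or unterminated statement")
    return stack[0]

def child(nodes, name):
    """Children of the first block called exactly `name` ([] if absent)."""
    return next((k for n, k in nodes if n == name and k is not None), [])

def leaves(nodes, kw):
    """Arguments of every leaf statement that starts with keyword `kw`."""
    return [n[len(kw) + 1:] for n, k in nodes if k is None and n.startswith(kw + " ")]

def blocks(nodes, kw):
    """(argument, children) of every block that starts with keyword `kw`."""
    return [(n[len(kw) + 1:], k) for n, k in nodes if k is not None and n.startswith(kw + " ")]

def clause(term, kw):
    """Flatten both 'kw x;' and 'kw { x; y; }' into one list of statements."""
    return leaves(term, kw) + [n for n, k in child(term, kw) if k is None]

def has_leaf(nodes, name):
    return any(n == name if k is None else has_leaf(k, name) for n, k in nodes)

def audit_pe(text):
    """Findings for every VRF routing instance in one PE configuration."""
    cfg, out = parse(text), []
    mpls_ifs = set(leaves(child(child(cfg, "protocols"), "mpls"), "interface"))
    policies = dict(blocks(child(cfg, "policy-options"), "policy-statement"))
    for vrf, inst in child(cfg, "routing-instances"):
        if inst is None or "vrf" not in leaves(inst, "instance-type"):
            continue
        for direction in ("vrf-import", "vrf-export"):
            for pol in leaves(inst, direction):
                terms = blocks(policies.get(pol, []), "term")
                last = terms[-1][1] if terms else []
                # The page's VRF policies all close with a bare 'then reject' term.
                if clause(last, "from") or clause(last, "then") != ["reject"]:
                    out.append(f"{vrf}: {pol} does not end in an unconditional reject term")
                for _, term in (terms if direction == "vrf-import" else []):
                    comms = [f for f in clause(term, "from") if f.startswith("community ")]
                    if "accept" in clause(term, "then") and not comms:
                        out.append(f"{vrf}: {pol} accepts routes without matching a community")
        # Labels can be exchanged with the CE only if the VRF link is MPLS-enabled.
        if has_leaf(child(inst, "protocols"), "labeled-unicast"):
            out += [f"{vrf}: {i} carries labeled-unicast but is not under protocols mpls"
                    for i in leaves(inst, "interface") if i not in mpls_ifs]
    return out

# Router E's configuration from this page, compacted and abridged (IS-IS, LDP, PE-PE BGP omitted).
GOOD = """protocols {
    mpls { interface t3-0/2/0.0; interface at-0/1/0.0; }
}
routing-instances {
    vpn-isp1 {
        instance-type vrf;
        interface t3-0/2/0.0;
        route-distinguisher 10.255.14.171:21;
        vrf-import vpn-isp1-import;
        vrf-export vpn-isp1-export;
        protocols { bgp { group to-isp1 { peer-as 21;
            neighbor 192.168.197.14 { family inet { labeled-unicast; } } } } }
    }
}
policy-options {
    policy-statement vpn-isp1-import {
        term a { from { protocol bgp; community vpn-isp1-comm; } then accept; }
        term b { then reject; }
    }
    policy-statement vpn-isp1-export {
        term a { from protocol bgp; then { community add vpn-isp1-comm; accept; } }
        term b { then reject; }
    }
    community vpn-isp1-comm members target:69:21;
}"""

# Constructed variant: VRF link missing from mpls, import loses its community match and reject term.
BAD = (GOOD.replace("interface t3-0/2/0.0; interface at", "interface at")
           .replace("community vpn-isp1-comm; }", "}")
           .replace("term b { then reject; }", "", 1))
```

audit_pe(GOOD) returns an empty list; audit_pe(BAD) returns one finding for each of the three changes made in the constructed variant.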

Configuration for Router F

Configure Router F to act as a label-swapping router:

[edit]
protocols {
    isis {
        interface so-0/2/0.0;
        interface at-0/3/0.0;
        interface lo0.0 {
            passive;
        }
    }
    ldp {
        interface so-0/2/0.0;
        interface at-0/3/0.0;
    }
}

Configuration for Router G

Configure Router G to act as a label-swapping router:

[edit]
protocols {
    isis {
        interface so-0/0/0.0;
        interface so-1/0/0.0;
        interface lo0.0 {
            passive;
        }
    }
    ldp {
        interface so-0/0/0.0;
        interface so-1/0/0.0;
    }
}

Configuration for Router H

Router H acts as the PE router for AS 10023. The configuration that follows is similar to that for Router F:

[edit]
protocols {
    mpls {
        interface fe-1/1/0.0;
        interface so-1/0/0.0;
    }
    bgp {
        group pe-pe {
            type internal;
            local-address 10.255.14.173;
            family inet-vpn {
                any;
            }
            neighbor 10.255.14.171;
        }
    }
    isis {
        interface so-1/0/0.0;
        interface lo0.0 {
            passive;
        }
    }
    ldp {
        interface so-1/0/0.0;
    }
}
routing-instances {
    vpn-isp1 {
        instance-type vrf;
        interface fe-1/1/0.0;
        route-distinguisher 10.255.14.173:21;
        vrf-import vpn-isp1-import;
        vrf-export vpn-isp1-export;
        protocols {
            bgp {
                group to-isp1 {
                    peer-as 21;
                    neighbor 192.168.197.94 {
                        family inet {
                            labeled-unicast;
                        }
                    }
                }
            }
        }
    }
}
policy-options {
    policy-statement vpn-isp1-import {
        term a {
            from {
                protocol bgp;
                community vpn-isp1-comm;
            }
            then accept;
        }
        term b {
            then reject;
        }
    }
    policy-statement vpn-isp1-export {
        term a {
            from protocol bgp;
            then {
                community add vpn-isp1-comm;
                accept;
            }
        }
        term b {
            then reject;
        }
    }
    community vpn-isp1-comm members target:69:21;
}

Configuration for Router I

Configure Router I to connect to the basic Internet service customer (Router L):

[edit]
protocols {
    mpls {
        interface fe-1/0/1.0;
        interface fe-1/1/3.0;
    }
    bgp {
        group int {
            type internal;
            local-address 10.255.14.181;
            neighbor 10.255.14.177;
            neighbor 10.255.14.179;
            neighbor 10.255.14.175;
            neighbor 10.255.14.176;
            neighbor 10.255.14.178;
        }
        group to-vpn-green {
            peer-as 1;
            neighbor 192.168.197.198;
        }
    }
    ospf {
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface fe-1/0/1.0 {
                passive;
            }
            interface fe-1/1/3.0;
        }
    }
}

Configuration for Router J

Configure Router J as a label-swapping router:

[edit]
protocols {
    bgp {
        group int {
            type internal;
            local-address 10.255.14.178;
            neighbor 10.255.14.177;
            neighbor 10.255.14.181;
            neighbor 10.255.14.175;
            neighbor 10.255.14.176;
            neighbor 10.255.14.179;
        }
    }
    ospf {
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface fe-1/0/2.0;
            interface fe-1/0/3.0;
        }
    }
}

Configuration for Router K

Router K acts as the CE router at the end of the connection to the carrier provider. As in the configuration for Router D, include the labeled-unicast statement for the EBGP session:

[edit]
protocols {
    mpls {
        interface fe-1/1/2.0;
        interface fe-1/0/2.0;
    }
    bgp {
        group int {
            type internal;
            local-address 10.255.14.177;
            neighbor 10.255.14.181;
            neighbor 10.255.14.178;
            neighbor 10.255.14.175;
            neighbor 10.255.14.176;
            neighbor 10.255.14.179;
        }
        group to-isp-red {
            export internal;
            peer-as 10023;
            neighbor 192.168.197.93 {
                family inet {
                    labeled-unicast;
                }
            }
        }
    }
    ospf {
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface fe-1/0/2.0;
            interface fe-1/1/2.0 {
                passive;
            }
        }
    }
}
policy-options {
    policy-statement internal {
        term a {
            from protocol [ ospf direct ];
            then accept;
        }
        term b {
            then reject;
        }
    }
}

Configuration for Router L

Configure Router L to act as the end customer for the carrier-of-carriers VPN service:

[edit]
protocols {
    bgp {
        group to-routerI {
            export attached;
            peer-as 21;
            neighbor 192.168.197.197;
        }
    }
}
policy-options {
    policy-statement attached {
        from protocol direct;
        then accept;
    }
}

Configuring Carrier-of-Carriers VPNs for Customers That Provide VPN Service

You can configure a carrier-of-carriers VPN service for customers who want VPN service.

To configure the routers (or switches) in the customer’s and provider’s networks to enable carrier-of-carriers VPN service, perform the steps in the following sections:

Configuring the Carrier-of-Carriers Customer’s PE Router

The carrier-of-carriers customer’s PE router (or switch) is connected to the end customer’s CE router (or switch).

The following sections describe how to configure the carrier-of-carriers customer’s PE router (or switch):

Configuring MPLS

To configure MPLS on the carrier-of-carriers customer’s PE router (or switch), include the mpls statement:

mpls {
    interface interface-name;
    interface interface-name;
}

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring BGP

Include the labeled-unicast statement in the configuration for the IBGP session to the carrier-of-carriers customer’s CE router (or switch), and include the family inet-vpn statement in the configuration for the IBGP session to the carrier-of-carriers PE router (or switch) on the other side of the network:

bgp {
    group group-name {
        type internal;
        local-address address;
        neighbor address {
            family inet {
                labeled-unicast;
                resolve-vpn;
            }
        }
        neighbor address {
            family inet-vpn {
                any;
            }
        }
    }
}

You can include these statements at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring OSPF

To configure OSPF on the carrier-of-carriers customer’s PE router (or switch), include the ospf statement:

ospf {
    area area-id {
        interface interface-name {
            passive;
        }
        interface interface-name;
    }
}

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring LDP

To configure LDP on the carrier-of-carriers customer’s PE router (or switch), include the ldp statement:

ldp {
    interface interface-name;
}

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring VPN Service in the Routing Instance

To configure VPN service for the end customer’s CE router (or switch) on the carrier-of-carriers customer’s PE router (or switch), include the following statements:

instance-type vrf;
interface interface-name;
route-distinguisher address;
vrf-import policy-name;
vrf-export policy-name;
protocols {
    bgp {
        group group-name {
            peer-as as-number;
            neighbor address;
        }
    }
}

You can include these statements at the following hierarchy levels:

  • [edit routing-instances routing-instance-name]

  • [edit logical-systems logical-system-name routing-instances routing-instance-name]

Configuring Policy Options

To configure policy options to import and export routes to and from the end customer’s CE router (or switch), include the policy-statement and community statements:

policy-statement policy-name {
    term term-name {
        from {
            protocol bgp;
            community community-name;
        }
        then accept;
    }
    term term-name {
        then reject;
    }
}
policy-statement policy-name {
    term term-name {
        from protocol bgp;
        then {
            community add community-name;
            accept;
        }
    }
    term term-name {
        then reject;
    }
}
community community-name members value;

You can include these statements at the following hierarchy levels:

  • [edit policy-options]

  • [edit logical-systems logical-system-name policy-options]

Configuring the Carrier-of-Carriers Customer’s CE Router (or switch)

The carrier-of-carriers customer’s CE router (or switch) connects to the provider’s PE router (or switch). Complete the instructions in the following sections to configure the carrier-of-carriers customer’s CE router (or switch):

Configuring MPLS

In the MPLS configuration for the carrier-of-carriers customer’s CE router (or switch), include the interfaces to the provider’s PE router (or switch) and to a P router (or switch) in the customer’s network:

mpls {
    traffic-engineering bgp-igp;
    interface interface-name;
    interface interface-name;
}

You can include these statements at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring BGP

In the BGP configuration for the carrier-of-carriers customer’s CE router (or switch), configure a group that includes the labeled-unicast statement to extend VPN service to the PE router (or switch) connected to the end customer’s CE router (or switch):

bgp {
    group group-name {
        type internal;
        local-address address;
        neighbor address {
            family inet {
                labeled-unicast;
            }
        }
    }
}

You can include the bgp statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

To configure a group to send labeled internal routes to the provider’s PE router (or switch), include the bgp statement:

bgp {
    group group-name {
        export internal;
        peer-as as-number;
        neighbor address {
            family inet {
                labeled-unicast;
            }
        }
    }
}

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring OSPF and LDP

To configure OSPF and LDP on the carrier-of-carriers customer’s CE router (or switch), include the ospf and ldp statements:

ospf {
    area area-id {
        interface interface-name {
            passive;
        }
        interface interface-name;
    }
}
ldp {
    interface interface-name;
}

You can include these statements at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring Policy Options

To configure the policy options on the carrier-of-carriers customer’s CE router (or switch), include the policy-statement statement:

policy-statement policy-statement-name {
    term term-name {
        from protocol [ ospf direct ldp ];
        then accept;
    }
    term term-name {
        then reject;
    }
}

You can include this statement at the following hierarchy levels:

  • [edit policy-options]

  • [edit logical-systems logical-system-name policy-options]

Configuring the Provider’s PE Router or Switch

The carrier-of-carriers provider’s PE routers (or switches) connect to the carrier customer’s CE routers (or switches). Complete the instructions in the following sections to configure the provider’s PE router (or switch):

Configuring MPLS

In the MPLS configuration, specify at least two interfaces: one to the customer’s CE router (or switch) and one to connect to the provider’s PE router (or switch) on the other side of the provider’s network:

interface interface-name;
interface interface-name;

You can include these statements at the following hierarchy levels:

  • [edit protocols mpls]

  • [edit logical-systems logical-system-name protocols mpls]

Configuring a PE-to-PE BGP Session

To configure a PE-to-PE BGP session on the provider’s PE routers (or switches) to allow VPN-IPv4 routes to pass between the PE routers (or switches), include the bgp statement:

bgp {
    group group-name {
        type internal;
        local-address address;
        family inet-vpn {
            any;
        }
        neighbor address;
    }
}

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring IS-IS and LDP

To configure IS-IS and LDP on the provider’s PE routers (or switches), include the isis and ldp statements:

isis {
    interface interface-name;
    interface interface-name {
        passive;
    }
}
ldp {
    interface interface-name;
}

You can include these statements at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring Policy Options

To configure policy statements on the provider’s PE router (or switch) to export routes to and import routes from the carrier customer’s network, include the policy-statement and community statements:

policy-statement statement-name {
    term term-name {
        from {
            protocol bgp;
            community community-name;
        }
        then accept;
    }
    term term-name {
        then reject;
    }
}
policy-statement statement-name {
    term term-name {
        from protocol bgp;
        then {
            community add community-name;
            accept;
        }
    }
    term term-name {
        then reject;
    }
}
community community-name members value;

You can include these statements at the following hierarchy levels:

  • [edit policy-options]

  • [edit logical-systems logical-system-name policy-options]

Configuring a Routing Instance to Send Routes to the CE Router

To configure the routing instance on the provider’s PE router (or switch) to send labeled routes to the carrier customer’s CE router (or switch), include the following statements:

instance-type vrf;
interface interface-name;
route-distinguisher value;
vrf-import policy-name;
vrf-export policy-name;
protocols {
    bgp {
        group group-name {
            peer-as as-number;
            neighbor address {
                family inet {
                    labeled-unicast;
                }
            }
        }
    }
}

You can include these statements at the following hierarchy levels:

  • [edit routing-instances routing-instance-name]

  • [edit logical-systems logical-system-name routing-instances routing-instance-name]
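
The following Python check is an added example, not Juniper's code. It verifies that each vrf-import policy referenced by a routing instance follows the pattern shown in the policy and routing-instance sections above: accept only on a route-target community match, then reject everything else, because a looser import policy can bring other VPNs' routes into the VRF. The parser covers only the brace syntax used on this page, and the function names and the GOOD and BAD samples are constructed for illustration.

```python
import re

def parse(text):
    """Parse Junos curly-brace configuration text into nested dicts."""
    stack, words = [{}], []
    for tok in re.findall(r'[{};]|[^\s{};]+', text):
        if tok == '{':
            stack.append(stack[-1].setdefault(' '.join(words), {}))
            words = []
        elif tok == '}':
            stack.pop()
        elif tok == ';':
            stack[-1][' '.join(words)] = None
            words = []
        else:
            words.append(tok)
    return stack[0]

def clauses(term, kw):
    """Return a term's 'from' or 'then' clauses, written inline or as a block."""
    inline = [k[len(kw) + 1:] for k in term if k.startswith(kw + ' ')]
    return inline + list(term.get(kw) or {})

def audit_vrf_imports(text):
    """Flag vrf-import policies that can accept routes without a route-target match."""
    cfg, findings = parse(text), []
    pol = cfg.get('policy-options', {})
    rts = {k.split()[1] for k in pol if re.match(r'community \S+ members target:', k)}
    for inst, body in cfg.get('routing-instances', {}).items():
        for name in [s.split()[1] for s in body if s.startswith('vrf-import ')]:
            policy = pol.get('policy-statement ' + name, {})
            terms = [t for k, t in policy.items() if k.startswith('term ')]
            for t in terms:
                comms = [c.split()[1] for c in clauses(t, 'from') if c.startswith('community ')]
                if 'accept' in clauses(t, 'then') and not comms:
                    findings.append((inst, name, 'accepts without community match'))
                findings += [(inst, name, c + ' is not a route target') for c in comms if c not in rts]
            if not terms or clauses(terms[-1], 'from') or clauses(terms[-1], 'then') != ['reject']:
                findings.append((inst, name, 'no final unconditional reject'))
    return findings

# Constructed samples: GOOD mirrors the page's vpn-isp1 import policy; BAD drops the match.
VRF = "routing-instances { vpn-isp1 { instance-type vrf; vrf-import vpn-isp1-import; } }"
GOOD = VRF + """ policy-options { community vpn-isp1-comm members target:69:21;
    policy-statement vpn-isp1-import {
        term a { from { protocol bgp; community vpn-isp1-comm; } then accept; }
        term b { then reject; } } }"""
BAD = VRF + """ policy-options {
    policy-statement vpn-isp1-import { term a { from protocol bgp; then accept; } } }"""
```

Calling audit_vrf_imports on a saved configuration returns a list of (routing instance, policy, finding) tuples; an empty list means every vrf-import policy matches the pattern.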

Carrier-of-Carriers VPN Example—Customer Provides VPN Service

In this example, the carrier customer must run some form of MPLS (Resource Reservation Protocol [RSVP] or LDP) on its network to provide VPN services to the end customer. In the example below, Router B and Router I act as PE routers (or switches), and a functioning MPLS path is required between these routers if they exchange VPN-IPv4 routes.

For configuration information, see the following sections:

Network Topology for Carrier-of-Carriers Service

A carrier-of-carriers service allows an Internet service provider (ISP) to connect to a transparent outsourced backbone at multiple locations.

Figure 3 shows the network topology in this carrier-of-carriers example.

Figure 3: Carrier-of-Carriers VPN Example Network Topology

Configuration for Router A

In this example, Router A acts as the CE router for the end customer. Configure a default family inet BGP session on Router A:

[edit]
protocols {
    bgp {
        group to-routerB {
            export attached;
            peer-as 21;
            neighbor 192.168.197.169;
        }
    }
}
policy-options {
    policy-statement attached {
        from protocol direct;
        then accept;
    }
}

Configuration for Router B

Because Router B is the PE router for the end customer CE router (Router A), you need to configure a routing instance (vpna). Configure the labeled-unicast statement on the IBGP session to Router D, and configure family inet-vpn for the IBGP session to Router I on the other side of the network:

[edit]
protocols {
    mpls {
        interface fe-1/0/2.0;
        interface fe-1/0/3.0;
    }
    bgp {
        group int {
            type internal;
            local-address 10.255.14.179;
            neighbor 10.255.14.175 {
                family inet {
                    labeled-unicast {
                        resolve-vpn;
                    }
                }
            }
            neighbor 10.255.14.181 {
                family inet-vpn {
                    any;
                }
            }
        }
    }
    ospf {
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface fe-1/0/3.0;
        }
    }
    ldp {
        interface fe-1/0/3.0;
    }
}
routing-instances {
    vpna {
        instance-type vrf;
        interface fe-1/0/2.0;
        route-distinguisher 10.255.14.179:21;
        vrf-import vpna-import;
        vrf-export vpna-export;
        protocols {
            bgp {
                group vpna-06 {
                    peer-as 1;
                    neighbor 192.168.197.170;
                }
            }
        }
    }
}
policy-options {
    policy-statement vpna-import {
        term a {
            from {
                protocol bgp;
                community vpna-comm;
            }
            then accept;
        }
        term b {
            then reject;
        }
    }
    policy-statement vpna-export {
        term a {
            from protocol bgp;
            then {
                community add vpna-comm;
                accept;
            }
        }
        term b {
            then reject;
        }
    }
    community vpna-comm members target:100:1001;
}

Configuration for Router C

Configure Router C as a label-swapping router within the local AS:

[edit]
protocols {
    mpls {
        traffic-engineering bgp-igp;
    }
    ospf {
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface fe-0/3/3.0;
            interface fe-0/3/0.0;
        }
    }
    ldp {
        interface fe-0/3/0.0;
        interface fe-0/3/3.0;
    }
}

Configuration for Router D

Router D acts as the CE router for the VPN services provided by the AS 10023 network. In the BGP group configuration for group int, which handles traffic to Router B (10.255.14.179), you include the labeled-unicast statement. You also need to configure the BGP group to-isp-red to send labeled internal routes to the PE router (Router E).

[edit]
protocols {
    mpls {
        traffic-engineering bgp-igp;
        interface fe-0/3/0.0;
        interface t3-0/0/0.0;
    }
    bgp {
        group int {
            type internal;
            local-address 10.255.14.175;
            neighbor 10.255.14.179 {
                family inet {
                    labeled-unicast;
                }
            }
        }
        group to-isp-red {
            export internal;
            peer-as 10023;
            neighbor 192.168.197.13 {
                family inet {
                    labeled-unicast;
                }
            }
        }
    }
    ospf {
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface fe-0/3/0.0;
        }
    }
    ldp {
        interface fe-0/3/0.0;
    }
}
policy-options {
    policy-statement internal {
        term a {
            from protocol [ ospf direct ];
            then accept;
        }
        term b {
            then reject;
        }
    }
}

Configuration for Router E

Router E and Router H are PE routers. Configure a PE-router-to-PE-router BGP session to allow VPN-IPv4 routes to pass between these two PE routers. Configure the routing instance on Router E to send labeled routes to the CE router (Router D).

Configure Router E:

[edit]
protocols {
    mpls {
        interface t3-0/2/0.0;
        interface at-0/1/0.0;
    }
    bgp {
        group pe-pe {
            type internal;
            local-address 10.255.14.171;
            family inet-vpn {
                any;
            }
            neighbor 10.255.14.173;
        }
    }
    isis {
        interface at-0/1/0.0;
        interface lo0.0 {
            passive;
        }
    }
    ldp {
        interface at-0/1/0.0;
    }
}
policy-options {
    policy-statement vpn-isp1-import {
        term a {
            from {
                protocol bgp;
                community vpn-isp1-comm;
            }
            then accept;
        }
        term b {
            then reject;
        }
    }
    policy-statement vpn-isp1-export {
        term a {
            from protocol bgp;
            then {
                community add vpn-isp1-comm;
                accept;
            }
        }
        term b {
            then reject;
        }
    }
    community vpn-isp1-comm members target:69:21;
}
routing-instances {
    vpn-isp1 {
        instance-type vrf;
        interface t3-0/2/0.0;
        route-distinguisher 10.255.14.171:21;
        vrf-import vpn-isp1-import;
        vrf-export vpn-isp1-export;
        protocols {
            bgp {
                group to-isp1 {
                    peer-as 21;
                    neighbor 192.168.197.14 {
                        as-override;
                        family inet {
                            labeled-unicast;
                        }
                    }
                }
            }
        }
    }
}

Configuration for Router F

Configure Router F to swap labels for routes running through its interfaces:

[edit]
protocols {
    isis {
        interface so-0/2/0.0;
        interface at-0/3/0.0;
        interface lo0.0 {
            passive;
        }
    }
    ldp {
        interface so-0/2/0.0;
        interface at-0/3/0.0;
    }
}

Configuration for Router G

Configure Router G:

[edit]
protocols {
    isis {
        interface so-0/0/0.0;
        interface so-1/0/0.0;
        interface lo0.0 {
            passive;
        }
    }
    ldp {
        interface so-0/0/0.0;
        interface so-1/0/0.0;
    }
}

Configuration for Router H

The configuration for Router H is similar to the configuration for Router E:

[edit]
protocols {
    mpls {
        interface fe-1/1/0.0;
        interface so-1/0/0.0;
    }
    bgp {
        group pe-pe {
            type internal;
            local-address 10.255.14.173;
            family inet-vpn {
                any;
            }
            neighbor 10.255.14.171;
        }
    }
    isis {
        interface so-1/0/0.0;
        interface lo0.0 {
            passive;
        }
    }
    ldp {
        interface so-1/0/0.0;
    }
}
routing-instances {
    vpn-isp1 {
        instance-type vrf;
        interface fe-1/1/0.0;
        route-distinguisher 10.255.14.173:21;
        vrf-import vpn-isp1-import;
        vrf-export vpn-isp1-export;
        protocols {
            bgp {
                group to-isp1 {
                    peer-as 21;
                    neighbor 192.168.197.94 {
                        as-override;
                        family inet {
                            labeled-unicast;
                        }
                    }
                }
            }
        }
    }
}
policy-options {
    policy-statement vpn-isp1-import {
        term a {
            from {
                protocol bgp;
                community vpn-isp1-comm;
            }
            then accept;
        }
        term b {
            then reject;
        }
    }
    policy-statement vpn-isp1-export {
        term a {
            from protocol bgp;
            then {
                community add vpn-isp1-comm;
                accept;
            }
        }
        term b {
            then reject;
        }
    }
    community vpn-isp1-comm members target:69:21;
}

Configuration for Router I

Router I acts as the PE router for the end customer. The configuration that follows is similar to the configuration for Router B:

[edit]
protocols {
    mpls {
        interface fe-1/0/1.0;
        interface fe-1/1/3.0;
    }
    bgp {
        group int {
            type internal;
            local-address 10.255.14.181;
            neighbor 10.255.14.177 {
                family inet {
                    labeled-unicast {
                        resolve-vpn;
                    }
                }
            }
            neighbor 10.255.14.179 {
                family inet-vpn {
                    any;
                }
            }
        }
    }
    ospf {
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface fe-1/1/3.0;
        }
    }
    ldp {
        interface fe-1/1/3.0;
    }
}
routing-instances {
    vpna {
        instance-type vrf;
        interface fe-1/0/1.0;
        route-distinguisher 10.255.14.181:21;
        vrf-import vpna-import;
        vrf-export vpna-export;
        protocols {
            bgp {
                group vpna-0 {
                    peer-as 1;
                    neighbor 192.168.197.198;
                }
            }
        }
    }
}
policy-options {
    policy-statement vpna-import {
        term a {
            from {
                protocol bgp;
                community vpna-comm;
            }
            then accept;
        }
        term b {
            then reject;
        }
    }
    policy-statement vpna-export {
        term a {
            from protocol bgp;
            then {
                community add vpna-comm;
                accept;
            }
        }
        term b {
            then reject;
        }
    }
    community vpna-comm members target:100:1001;
}

Configuration for Router J

Configure Router J to swap labels for routes running through its interfaces:

[edit]
protocols {
    mpls {
        traffic-engineering bgp-igp;
    }
    ospf {
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface fe-1/0/2.0;
            interface fe-1/0/3.0;
        }
    }
    ldp {
        interface fe-1/0/2.0;
        interface fe-1/0/3.0;
    }
}

Configuration for Router K

The configuration for Router K is similar to the configuration for Router D:

[edit]
protocols {
    mpls {
        traffic-engineering bgp-igp;
        interface fe-1/1/2.0;
        interface fe-1/0/2.0;
    }
    bgp {
        group int {
            type internal;
            local-address 10.255.14.177;
            neighbor 10.255.14.181 {
                family inet {
                    labeled-unicast;
                }
            }
        }
        group to-isp-red {
            export internal;
            peer-as 10023;
            neighbor 192.168.197.93 {
                family inet {
                    labeled-unicast;
                }
            }
        }
    }
    ospf {
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface fe-1/0/2.0;
        }
    }
    ldp {
        interface fe-1/0/2.0;
    }
}
policy-options {
    policy-statement internal {
        term a {
            from protocol [ ospf direct ];
            then accept;
        }
        term b {
            then reject;
        }
    }
}

Configuration for Router L

In this example, Router L is the end customer’s CE router. Configure a default family inet BGP session on Router L:

[edit]
protocols {
    bgp {
        group to-I {
            export attached;
            peer-as 21;
            neighbor 192.168.197.197;
        }
    }
}
policy-options {
    policy-statement attached {
        from protocol direct;
        then accept;
    }
}

Multiple Instances for LDP and Carrier-of-Carriers VPNs

By configuring multiple LDP routing instances, you can use LDP to advertise labels in a carrier-of-carriers VPN from a core provider PE router to a customer carrier CE router. Having LDP advertise labels in this manner is especially useful when the carrier customer is a basic ISP and wants to restrict full Internet routes to its PE routers. By using LDP instead of BGP, the carrier customer shields its other internal routers from the Internet at large. Multiple-instance LDP is also useful when a carrier customer wants to provide Layer 3 VPN or Layer 2 VPN services to its customers.

For an example of how to configure multiple LDP routing instances for carrier-of-carriers VPNs, see https://www.juniper.net/documentation/us/en/software/junos/mpls/topics/example/multiple-instance-ldp-configuring-detailed-solutions.html.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release | Description
17.1R1 | Support for VPN service as the customer is available on QFX10000 switches starting with Junos OS Release 17.1R1.