Carrier-of-Carrier VPNs
Understanding Carrier-of-Carriers VPNs
The customer of a VPN service provider might be a service provider for the end customer. The following are the two main types of carrier-of-carriers VPNs (as described in RFC 4364):
- Internet Service Provider as the Customer—The VPN customer is an ISP that uses the VPN service provider’s network to connect its geographically disparate regional networks. The customer does not have to configure MPLS within its regional networks.
- VPN Service Provider as the Customer—The VPN customer is itself a VPN service provider offering VPN service to its customers. The carrier-of-carriers VPN service customer relies on the backbone VPN service provider for inter-site connectivity. The customer VPN service provider is required to run MPLS within its regional networks.
Figure 1 illustrates the network architecture used for a carrier-of-carriers VPN service.
Internet Service Provider as the Customer
In this type of carrier-of-carriers VPN configuration, ISP A configures its network to provide Internet service to ISP B. ISP B provides the connection to the customer wanting Internet service, but the actual Internet service is provided by ISP A.
This type of carrier-of-carriers VPN configuration has the following characteristics:
- The carrier-of-carriers VPN service customer (ISP B) does not need to configure MPLS on its network.
- The carrier-of-carriers VPN service provider (ISP A) must configure MPLS on its network.
- MPLS must also be configured on the CE routers and PE routers connected together in the carrier-of-carriers VPN service customer’s and carrier-of-carriers VPN service provider’s networks.
VPN Service Provider as the Customer
A VPN service provider can have customers that are themselves VPN service providers. In this type of configuration, also called a hierarchical or recursive VPN, the customer VPN service provider’s VPN-IPv4 routes are considered external routes, and the backbone VPN service provider does not import them into its VRF table. The backbone VPN service provider imports only the customer VPN service provider’s internal routes into its VRF table.
The similarities and differences between interprovider and carrier-of-carriers VPNs are shown in Table 1.
| Feature | ISP Customer | VPN Service Provider Customer |
|---|---|---|
| Customer edge device | AS border router | PE router |
| IBGP sessions | Carry IPv4 routes | Carry external VPN-IPv4 routes with associated labels |
| Forwarding within the customer network | MPLS is optional | MPLS is required |
VPN service as the customer is supported on QFX10000 switches starting with Junos OS Release 17.1R1.
Configuring Carrier-of-Carriers VPNs for Customers That Provide Internet Service
You can configure a carrier-of-carriers VPN service for customers who want to provide basic Internet service. The carrier-of-carriers VPN service provider must configure MPLS in its network, although this configuration is optional for the carrier service customer. Carrier-of-Carriers VPN Architecture shows how the routers or switches in this type of service interconnect.
To configure a carrier-of-carriers VPN, perform the tasks described in the following sections:
- Configuring the Carrier-of-Carriers VPN Service Customer’s CE Router
- Configuring the Carrier-of-Carriers VPN Service Provider’s PE Routers
Configuring the Carrier-of-Carriers VPN Service Customer’s CE Router
The carrier-of-carriers VPN service customer’s router (or switch) acts as a CE router with respect to the service provider’s PE router or switch. The following sections describe how to configure the carrier-of-carriers VPN service customer’s CE router or switch:
Configuring MPLS
To configure MPLS on the customer’s CE router or switch, include the mpls statement:
    mpls {
        traffic-engineering bgp-igp;
        interface interface-name;
    }
You can include this statement at the following hierarchy levels:
[edit protocols]
[edit logical-systems logical-system-name protocols]
Configuring BGP
To configure a group to collate the customer’s internal routes, include the bgp statement:
    bgp {
        group group-name {
            type internal;
            local-address address;
            neighbor address;
        }
    }
You can include this statement at the following hierarchy levels:
[edit protocols]
[edit logical-systems logical-system-name protocols]
The customer’s CE router (or switch) must be able to send labels to the VPN service provider’s router. Enable this by including the labeled-unicast statement in the configuration for the BGP group:
    bgp {
        group group-name {
            export internal;
            peer-as as-number;
            neighbor address {
                family inet {
                    labeled-unicast;
                }
            }
        }
    }
You can include the bgp statement at the following hierarchy levels:
[edit protocols]
[edit logical-systems logical-system-name protocols]
Configuring OSPF
To configure OSPF on the customer’s CE router or switch, include the ospf statement:
    ospf {
        area area-id {
            interface interface-name {
                passive;
            }
            interface interface-name;
        }
    }
You can include this statement at the following hierarchy levels:
[edit protocols]
[edit logical-systems logical-system-name protocols]
Configuring Policy Options
To configure policy options on the customer’s CE router or switch, include the policy-statement statement:
    policy-statement statement-name {
        term term-name {
            from protocol [ospf direct ldp];
            then accept;
        }
        term term-name {
            then reject;
        }
    }
You can include this statement at the following hierarchy levels:
[edit policy-options]
[edit logical-systems logical-system-name policy-options]
Configuring the Carrier-of-Carriers VPN Service Provider’s PE Routers
The service provider’s PE routers connect to the customer’s CE routers and forward the customer’s VPN traffic across the provider’s network.
The following sections describe how to configure the carrier-of-carriers VPN service provider’s PE routers:
- Configuring MPLS
- Configuring BGP
- Configuring IS-IS
- Configuring LDP
- Configuring a Routing Instance
- Configuring Policy Options
Configuring MPLS
To configure MPLS on the provider’s PE routers or switches, include the mpls statement:
    mpls {
        interface interface-name;
        interface interface-name;
    }
You can include this statement at the following hierarchy levels:
[edit protocols]
[edit logical-systems logical-system-name protocols]
Configuring BGP
To configure a BGP session with the provider PE router at the other end of the provider’s network, include the bgp statement:
    bgp {
        group group-name {
            type internal;
            local-address address;
            family inet-vpn {
                any;
            }
            neighbor address;
        }
    }
You can include this statement at the following hierarchy levels:
[edit protocols]
[edit logical-systems logical-system-name protocols]
Configuring IS-IS
To configure IS-IS on the provider’s PE routers or switches, include the isis statement:
    isis {
        interface interface-name;
        interface interface-name {
            passive;
        }
    }
You can include this statement at the following hierarchy levels:
[edit protocols]
[edit logical-systems logical-system-name protocols]
Configuring LDP
To configure LDP on the provider’s PE routers or switches, include the ldp statement:
    ldp {
        interface interface-name;
    }
You can include this statement at the following hierarchy levels:
[edit protocols]
[edit logical-systems logical-system-name protocols]
Configuring a Routing Instance
To configure Layer 3 VPN service with the customer’s CE router or switch, include the labeled-unicast statement in the configuration for the routing instance so the PE router (or switch) can send labels to the customer’s CE router or switch:
    routing-instance-name {
        instance-type vrf;
        interface interface-name;
        route-distinguisher address;
        vrf-import policy-name;
        vrf-export policy-name;
        protocols {
            bgp {
                group group-name {
                    peer-as as-number;
                    neighbor address {
                        family inet {
                            labeled-unicast;
                        }
                    }
                }
            }
        }
    }
You can include these statements at the following hierarchy levels:
[edit routing-instances]
[edit logical-systems logical-system-name routing-instances]
Configuring Policy Options
To configure a policy statement to import routes from the customer’s CE router or switch, include the policy-statement statement:
    policy-statement policy-name {
        term term-name {
            from {
                protocol bgp;
                community community-name;
            }
            then accept;
        }
        term term-name {
            then reject;
        }
    }
You can include this statement at the following hierarchy levels:
[edit policy-options]
[edit logical-systems logical-system-name policy-options]
To configure a policy statement to export routes to the customer’s CE router or switch, include the policy-statement and community statements:
    policy-statement policy-name {
        term term-name {
            from protocol bgp;
            then {
                community add community-name;
                accept;
            }
        }
        term term-name {
            then reject;
        }
    }
    community community-name members value;
You can include these statements at the following hierarchy levels:
[edit policy-options]
[edit logical-systems logical-system-name policy-options]
Carrier-of-Carriers VPN Example—Customer Provides Internet Service
In this example, the carrier customer is not required to configure MPLS and LDP on its network. However, the carrier provider must configure MPLS and LDP on its network.
For configuration information see the following sections:
- Network Topology for Carrier-of-Carriers Service
- Configuration for Router A
- Configuration for Router B
- Configuration for Router C
- Configuration for Router D
- Configuration for Router E
- Configuration for Router F
- Configuration for Router G
- Configuration for Router H
- Configuration for Router I
- Configuration for Router J
- Configuration for Router K
- Configuration for Router L
Network Topology for Carrier-of-Carriers Service
A carrier-of-carriers service allows an Internet service provider (ISP) to connect to a transparent outsourced backbone at multiple locations.
Figure 2 shows the network topology in this carrier-of-carriers example.
Configuration for Router A
In this example, Router A represents an end customer. You configure this router as a CE device.
    [edit]
    protocols {
        bgp {
            group to-routerB {
                export attached;
                peer-as 21;
                as-override;
                neighbor 192.168.197.169;
            }
        }
    }
    policy-options {
        policy-statement attached {
            from protocol direct;
            then accept;
        }
    }
Configuration for Router B
Router B can act as the gateway router, responsible for aggregating end customers and connecting them to the network. If a full-mesh IBGP session is configured, you can use route reflectors.
    [edit]
    protocols {
        bgp {
            group int {
                type internal;
                local-address 10.255.14.179;
                neighbor 10.255.14.175;
                neighbor 10.255.14.181;
                neighbor 10.255.14.176;
                neighbor 10.255.14.178;
                neighbor 10.255.14.177;
            }
            group to-vpn-blue {
                peer-as 1;
                neighbor 192.168.197.170;
            }
        }
        ospf {
            area 0.0.0.0 {
                interface lo0.0 {
                    passive;
                }
                interface fe-1/0/3.0;
                interface fe-1/0/2.0 {
                    passive;
                }
            }
        }
    }
Configuration for Router C
Configure Router C:
    [edit]
    protocols {
        bgp {
            group int {
                type internal;
                local-address 10.255.14.176;
                neighbor 10.255.14.179;
                neighbor 10.255.14.175;
                neighbor 10.255.14.177;
                neighbor 10.255.14.178;
                neighbor 10.255.14.181;
            }
        }
        ospf {
            area 0.0.0.0 {
                interface lo0.0 {
                    passive;
                }
                interface fe-0/3/3.0;
                interface fe-0/3/0.0;
            }
        }
    }
Configuration for Router D
Router D is the CE router with respect to AS 10023. In a carrier-of-carriers VPN, the CE router must be able to send labels to the carrier provider; this is done with the labeled-unicast statement in group to-isp-red.
    [edit]
    protocols {
        mpls {
            interface t3-0/0/0.0;
        }
        bgp {
            group int {
                type internal;
                local-address 10.255.14.175;
                neighbor 10.255.14.179;
                neighbor 10.255.14.176;
                neighbor 10.255.14.177;
                neighbor 10.255.14.178;
                neighbor 10.255.14.181;
            }
            group to-isp-red {
                export internal;
                peer-as 10023;
                neighbor 192.168.197.13 {
                    family inet {
                        labeled-unicast;
                    }
                }
            }
        }
        ospf {
            area 0.0.0.0 {
                interface lo0.0 {
                    passive;
                }
                interface fe-0/3/0.0;
                interface t3-0/0/0.0 {
                    passive;
                }
            }
        }
    }
    policy-options {
        policy-statement internal {
            term a {
                from protocol [ ospf direct ];
                then accept;
            }
            term b {
                then reject;
            }
        }
    }
Configuration for Router E
This configuration sets up the inet-vpn IBGP session with Router H and the PE router portion of the VPN with Router D. Because Router D is required to send labels in this example, configure the BGP session with the labeled-unicast statement within the virtual routing and forwarding (VRF) table.
    [edit]
    protocols {
        mpls {
            interface t3-0/2/0.0;
            interface at-0/1/0.0;
        }
        bgp {
            group pe-pe {
                type internal;
                local-address 10.255.14.171;
                family inet-vpn {
                    any;
                }
                neighbor 10.255.14.173;
            }
        }
        isis {
            interface at-0/1/0.0;
            interface lo0.0 {
                passive;
            }
        }
        ldp {
            interface at-0/1/0.0;
        }
    }
    routing-instances {
        vpn-isp1 {
            instance-type vrf;
            interface t3-0/2/0.0;
            route-distinguisher 10.255.14.171:21;
            vrf-import vpn-isp1-import;
            vrf-export vpn-isp1-export;
            protocols {
                bgp {
                    group to-isp1 {
                        peer-as 21;
                        neighbor 192.168.197.14 {
                            family inet {
                                labeled-unicast;
                            }
                        }
                    }
                }
            }
        }
    }
    policy-options {
        policy-statement vpn-isp1-import {
            term a {
                from {
                    protocol bgp;
                    community vpn-isp1-comm;
                }
                then accept;
            }
            term b {
                then reject;
            }
        }
        policy-statement vpn-isp1-export {
            term a {
                from protocol bgp;
                then {
                    community add vpn-isp1-comm;
                    accept;
                }
            }
            term b {
                then reject;
            }
        }
        community vpn-isp1-comm members target:69:21;
    }
Configuration for Router F
Configure Router F to act as a label-swapping router:
    [edit]
    protocols {
        isis {
            interface so-0/2/0.0;
            interface at-0/3/0.0;
            interface lo0.0 {
                passive;
            }
        }
        ldp {
            interface so-0/2/0.0;
            interface at-0/3/0.0;
        }
    }
Configuration for Router G
Configure Router G to act as a label-swapping router:
    [edit]
    protocols {
        isis {
            interface so-0/0/0.0;
            interface so-1/0/0.0;
            interface lo0.0 {
                passive;
            }
        }
        ldp {
            interface so-0/0/0.0;
            interface so-1/0/0.0;
        }
    }
Configuration for Router H
Router H acts as the PE router for AS 10023. The configuration that follows is similar to that for Router F:
    [edit]
    protocols {
        mpls {
            interface fe-1/1/0.0;
            interface so-1/0/0.0;
        }
        bgp {
            group pe-pe {
                type internal;
                local-address 10.255.14.173;
                family inet-vpn {
                    any;
                }
                neighbor 10.255.14.171;
            }
        }
        isis {
            interface so-1/0/0.0;
            interface lo0.0 {
                passive;
            }
        }
        ldp {
            interface so-1/0/0.0;
        }
    }
    routing-instances {
        vpn-isp1 {
            instance-type vrf;
            interface fe-1/1/0.0;
            route-distinguisher 10.255.14.173:21;
            vrf-import vpn-isp1-import;
            vrf-export vpn-isp1-export;
            protocols {
                bgp {
                    group to-isp1 {
                        peer-as 21;
                        neighbor 192.168.197.94 {
                            family inet {
                                labeled-unicast;
                            }
                        }
                    }
                }
            }
        }
    }
    policy-options {
        policy-statement vpn-isp1-import {
            term a {
                from {
                    protocol bgp;
                    community vpn-isp1-comm;
                }
                then accept;
            }
            term b {
                then reject;
            }
        }
        policy-statement vpn-isp1-export {
            term a {
                from protocol bgp;
                then {
                    community add vpn-isp1-comm;
                    accept;
                }
            }
            term b {
                then reject;
            }
        }
        community vpn-isp1-comm members target:69:21;
    }
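The vrf-import and vrf-export policies on Routers E and H are what keep the customer carrier’s routes confined to vpn-isp1. The Python below is an added example, not Juniper code: it parses curly-brace Junos configuration and checks a provider PE for the pattern this page uses (an import term that matches the community, an export term that adds it, a final reject term, and labeled-unicast toward the CE). The function names and the broken variant are constructed for illustration; the first sample is the routing-instance and policy part of Router E above.

```python
import re

def parse_junos(text):
    """Nested dicts from curly-brace Junos text: blocks map to dicts, leaf statements to True."""
    stack, words = [{}], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        stmt, words = " ".join(words), []
        if tok == "{":
            stack[-1][stmt] = child = {}
            stack.append(child)
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        elif stmt:
            stack[-1][stmt] = True
    if len(stack) != 1:
        raise ValueError("missing closing brace")
    return stack[0]

def _block(node, key):
    """Child block under key, or {} when it is absent or a leaf statement."""
    child = node.get(key) if isinstance(node, dict) else None
    return child if isinstance(child, dict) else {}

def _does(term, action):
    # Covers both 'then accept;' and 'then { community add X; accept; }'.
    return f"then {action}" in term or action in _block(term, "then")

def _communities(term, direction):
    if direction == "vrf-import":  # matched: 'from { community X; }' or 'from community X;'
        names = [k.split()[1] for k in _block(term, "from") if k.startswith("community ")]
        return names + [k.split()[2] for k in term if k.startswith("from community ")]
    # vrf-export attaches the route target: 'then { community add X; }'
    return [k.split()[2] for k in _block(term, "then") if k.startswith("community add ")]

def audit_provider_pe(text):
    """Return (findings, route_targets) for every VRF instance in a PE configuration."""
    cfg = parse_junos(text)
    pol_opts = _block(cfg, "policy-options")
    # 'community NAME members VALUE;' with a single member, the form used on this page
    members = {k.split()[1]: k.split()[3] for k in pol_opts
               if k.startswith("community ") and len(k.split()) == 4}
    findings, targets = [], {}
    for name, inst in _block(cfg, "routing-instances").items():
        if not isinstance(inst, dict) or "instance-type vrf" not in inst:
            continue
        targets[name] = {}
        for direction in ("vrf-import", "vrf-export"):
            ref = next((k.split()[1] for k in inst if k.startswith(direction + " ")), None)
            policy = _block(pol_opts, f"policy-statement {ref}")
            if not policy:
                findings.append(f"{name}: {direction} policy missing or undefined")
                continue
            # A policy without named terms is treated as a single term.
            terms = [_block(policy, k) for k in policy if k.startswith("term ")] or [policy]
            rts = set()
            for term in terms:
                if _does(term, "accept"):
                    names = _communities(term, direction)
                    if not names:
                        findings.append(f"{name}: {direction} {ref} accepts routes without a community")
                    rts.update(members.get(n, f"undefined:{n}") for n in names)
            if not _does(terms[-1], "reject"):
                findings.append(f"{name}: {direction} {ref} has no final reject term")
            targets[name][direction] = rts
        bgp = _block(_block(inst, "protocols"), "bgp")
        for gname in bgp:
            group = _block(bgp, gname)
            for nname in group:
                if gname.startswith("group ") and nname.startswith("neighbor "):
                    fam = _block(_block(group, nname), "family inet") or _block(group, "family inet")
                    if "labeled-unicast" not in fam:
                        findings.append(f"{name}: {nname} has no family inet labeled-unicast")
    return findings, targets

# Routing-instance and policy sections of this page's Router E configuration.
ROUTER_E = """
routing-instances { vpn-isp1 { instance-type vrf; interface t3-0/2/0.0;
    route-distinguisher 10.255.14.171:21; vrf-import vpn-isp1-import; vrf-export vpn-isp1-export;
    protocols { bgp { group to-isp1 { peer-as 21;
        neighbor 192.168.197.14 { family inet { labeled-unicast; } } } } } } }
policy-options {
    policy-statement vpn-isp1-import { term a { from { protocol bgp; community vpn-isp1-comm; }
        then accept; } term b { then reject; } }
    policy-statement vpn-isp1-export { term a { from protocol bgp;
        then { community add vpn-isp1-comm; accept; } } term b { then reject; } }
    community vpn-isp1-comm members target:69:21; }
"""

# Constructed misconfiguration: import term matches no community, neighbor lacks labeled-unicast.
BROKEN_PE = (ROUTER_E.replace("from { protocol bgp; community vpn-isp1-comm; }", "from protocol bgp;")
             .replace("{ family inet { labeled-unicast; } }", ";"))

if __name__ == "__main__":
    print(audit_provider_pe(ROUTER_E), audit_provider_pe(BROKEN_PE), sep="\n")
```

Running the same audit over Router H’s configuration and comparing the two route_targets results shows whether each PE imports the route target the other exports.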
Configuration for Router I
Configure Router I to connect to the basic Internet service customer (Router L):
    [edit]
    protocols {
        mpls {
            interface fe-1/0/1.0;
            interface fe-1/1/3.0;
        }
        bgp {
            group int {
                type internal;
                local-address 10.255.14.181;
                neighbor 10.255.14.177;
                neighbor 10.255.14.179;
                neighbor 10.255.14.175;
                neighbor 10.255.14.176;
                neighbor 10.255.14.178;
            }
            group to-vpn-green {
                peer-as 1;
                neighbor 192.168.197.198;
            }
        }
        ospf {
            area 0.0.0.0 {
                interface lo0.0 {
                    passive;
                }
                interface fe-1/0/1.0 {
                    passive;
                }
                interface fe-1/1/3.0;
            }
        }
    }
Configuration for Router J
Configure Router J as a label-swapping router:
    [edit]
    protocols {
        bgp {
            group int {
                type internal;
                local-address 10.255.14.178;
                neighbor 10.255.14.177;
                neighbor 10.255.14.181;
                neighbor 10.255.14.175;
                neighbor 10.255.14.176;
                neighbor 10.255.14.179;
            }
        }
        ospf {
            area 0.0.0.0 {
                interface lo0.0 {
                    passive;
                }
                interface fe-1/0/2.0;
                interface fe-1/0/3.0;
            }
        }
    }
Configuration for Router K
Router K acts as the CE router at the end of the connection to the carrier provider. As in the configuration for Router D, include the labeled-unicast statement for the EBGP session:
    [edit]
    protocols {
        mpls {
            interface fe-1/1/2.0;
            interface fe-1/0/2.0;
        }
        bgp {
            group int {
                type internal;
                local-address 10.255.14.177;
                neighbor 10.255.14.181;
                neighbor 10.255.14.178;
                neighbor 10.255.14.175;
                neighbor 10.255.14.176;
                neighbor 10.255.14.179;
            }
            group to-isp-red {
                export internal;
                peer-as 10023;
                neighbor 192.168.197.93 {
                    family inet {
                        labeled-unicast;
                    }
                }
            }
        }
        ospf {
            area 0.0.0.0 {
                interface lo0.0 {
                    passive;
                }
                interface fe-1/0/2.0;
                interface fe-1/1/2.0 {
                    passive;
                }
            }
        }
    }
    policy-options {
        policy-statement internal {
            term a {
                from protocol [ ospf direct ];
                then accept;
            }
            term b {
                then reject;
            }
        }
    }
Configuration for Router L
Configure Router L to act as the end customer for the carrier-of-carriers VPN service:
    [edit]
    protocols {
        bgp {
            group to-routerI {
                export attached;
                peer-as 21;
                neighbor 192.168.197.197;
            }
        }
    }
    policy-options {
        policy-statement attached {
            from protocol direct;
            then accept;
        }
    }
Configuring Carrier-of-Carriers VPNs for Customers That Provide VPN Service
You can configure a carrier-of-carriers VPN service for customers who want VPN service.
To configure the routers (or switches) in the customer’s and provider’s networks to enable carrier-of-carriers VPN service, perform the steps in the following sections:
- Configuring the Carrier-of-Carriers Customer’s PE Router
- Configuring the Carrier-of-Carriers Customer’s CE Router (or switch)
- Configuring the Provider’s PE Router or Switch
Configuring the Carrier-of-Carriers Customer’s PE Router
The carrier-of-carriers customer’s PE router (or switch) is connected to the end customer’s CE router (or switch).
The following sections describe how to configure the carrier-of-carriers customer’s PE router (or switch):
- Configuring MPLS
- Configuring BGP
- Configuring OSPF
- Configuring LDP
- Configuring VPN Service in the Routing Instance
- Configuring Policy Options
Configuring MPLS
To configure MPLS on the carrier-of-carriers customer’s PE router (or switch), include the mpls statement:
    mpls {
        interface interface-name;
        interface interface-name;
    }
You can include this statement at the following hierarchy levels:
[edit protocols]
[edit logical-systems logical-system-name protocols]
Configuring BGP
Include the labeled-unicast statement in the configuration for the IBGP session to the carrier-of-carriers customer’s CE router (or switch), and include the family inet-vpn statement in the configuration for the IBGP session to the carrier-of-carriers PE router (or switch) on the other side of the network:
    bgp {
        group group-name {
            type internal;
            local-address address;
            neighbor address {
                family inet {
                    labeled-unicast {
                        resolve-vpn;
                    }
                }
            }
            neighbor address {
                family inet-vpn {
                    any;
                }
            }
        }
    }
You can include these statements at the following hierarchy levels:
[edit protocols]
[edit logical-systems logical-system-name protocols]
Configuring OSPF
To configure OSPF on the carrier-of-carriers customer’s PE router (or switch), include the ospf statement:
    ospf {
        area area-id {
            interface interface-name {
                passive;
            }
            interface interface-name;
        }
    }
You can include this statement at the following hierarchy levels:
[edit protocols]
[edit logical-systems logical-system-name protocols]
Configuring LDP
To configure LDP on the carrier-of-carriers customer’s PE router (or switch), include the ldp statement:
    ldp {
        interface interface-name;
    }
You can include this statement at the following hierarchy levels:
[edit protocols]
[edit logical-systems logical-system-name protocols]
Configuring VPN Service in the Routing Instance
To configure VPN service for the end customer’s CE router (or switch) on the carrier-of-carriers customer’s PE router (or switch), include the following statements:
    instance-type vrf;
    interface interface-name;
    route-distinguisher address;
    vrf-import policy-name;
    vrf-export policy-name;
    protocols {
        bgp {
            group group-name {
                peer-as as-number;
                neighbor address;
            }
        }
    }
You can include these statements at the following hierarchy levels:
[edit routing-instances routing-instance-name]
[edit logical-systems logical-system-name routing-instances routing-instance-name]
Configuring Policy Options
To configure policy options to import and export routes to and from the end customer’s CE router (or switch), include the policy-statement and community statements:
    policy-statement policy-name {
        term term-name {
            from {
                protocol bgp;
                community community-name;
            }
            then accept;
        }
        term term-name {
            then reject;
        }
    }
    policy-statement policy-name {
        term term-name {
            from protocol bgp;
            then {
                community add community-name;
                accept;
            }
        }
        term term-name {
            then reject;
        }
    }
    community community-name members value;
You can include these statements at the following hierarchy levels:
[edit policy-options]
[edit logical-systems logical-system-name policy-options]
Configuring the Carrier-of-Carriers Customer’s CE Router (or switch)
The carrier-of-carriers customer’s CE router (or switch) connects to the provider’s PE router (or switch). Complete the instructions in the following sections to configure the carrier-of-carriers customer’s CE router (or switch):
Configuring MPLS
In the MPLS configuration for the carrier-of-carriers customer’s CE router (or switch), include the interfaces to the provider’s PE router (or switch) and to a P router (or switch) in the customer’s network:
    mpls {
        traffic-engineering bgp-igp;
        interface interface-name;
        interface interface-name;
    }
You can include these statements at the following hierarchy levels:
[edit protocols]
[edit logical-systems logical-system-name protocols]
Configuring BGP
In the BGP configuration for the carrier-of-carriers customer’s CE router (or switch), configure a group that includes the labeled-unicast statement to extend VPN service to the PE router (or switch) connected to the end customer’s CE router (or switch):
    bgp {
        group group-name {
            type internal;
            local-address address;
            neighbor address {
                family inet {
                    labeled-unicast;
                }
            }
        }
    }
You can include the bgp statement at the following hierarchy levels:
[edit protocols]
[edit logical-systems logical-system-name protocols]
To configure a group to send labeled internal routes to the provider’s PE router (or switch), include the bgp statement:
    bgp {
        group group-name {
            export internal;
            peer-as as-number;
            neighbor address {
                family inet {
                    labeled-unicast;
                }
            }
        }
    }
You can include this statement at the following hierarchy levels:
[edit protocols]
[edit logical-systems logical-system-name protocols]
Configuring OSPF and LDP
To configure OSPF and LDP on the carrier-of-carriers customer’s CE router (or switch), include the ospf and ldp statements:
    ospf {
        area area-id {
            interface interface-name {
                passive;
            }
            interface interface-name;
        }
    }
    ldp {
        interface interface-name;
    }
You can include these statements at the following hierarchy levels:
[edit protocols]
[edit logical-systems logical-system-name protocols]
Configuring Policy Options
To configure the policy options on the carrier-of-carriers customer’s CE router (or switch), include the policy-statement statement:
    policy-statement policy-statement-name {
        term term-name {
            from protocol [ ospf direct ldp ];
            then accept;
        }
        term term-name {
            then reject;
        }
    }
You can include this statement at the following hierarchy levels:
[edit policy-options]
[edit logical-systems logical-system-name policy-options]
Configuring the Provider’s PE Router or Switch
The carrier-of-carriers provider’s PE routers (or switches) connect to the carrier customer’s CE routers (or switches). Complete the instructions in the following sections to configure the provider’s PE router (or switch):
- Configuring MPLS
- Configuring a PE-to-PE BGP Session
- Configuring IS-IS and LDP
- Configuring Policy Options
- Configuring a Routing Instance to Send Routes to the CE Router
Configuring MPLS
In the MPLS configuration, specify at least two interfaces—one to the customer’s CE router (or switch) and one to connect to the provider’s PE router (or switch) on the other side of the provider’s network:
    interface interface-name;
    interface interface-name;
You can include these statements at the following hierarchy levels:
[edit protocols mpls]
[edit logical-systems logical-system-name protocols mpls]
Configuring a PE-to-PE BGP Session
To configure a PE-to-PE BGP session on the provider’s PE routers (or switches) to allow VPN-IPv4 routes to pass between the PE routers (or switches), include the bgp statement:
    bgp {
        group group-name {
            type internal;
            local-address address;
            family inet-vpn {
                any;
            }
            neighbor address;
        }
    }
You can include this statement at the following hierarchy levels:
[edit protocols]
[edit logical-systems logical-system-name protocols]
Configuring IS-IS and LDP
To configure IS-IS and LDP on the provider’s PE routers (or switches), include the isis and ldp statements:
    isis {
        interface interface-name;
        interface interface-name {
            passive;
        }
    }
    ldp {
        interface interface-name;
    }
You can include these statements at the following hierarchy levels:
[edit protocols]
[edit logical-systems logical-system-name protocols]
Configuring Policy Options
To configure policy statements on the provider’s PE router (or switch) to export routes to and import routes from the carrier customer’s network, include the policy-statement and community statements:
    policy-statement statement-name {
        term term-name {
            from {
                protocol bgp;
                community community-name;
            }
            then accept;
        }
        term term-name {
            then reject;
        }
    }
    policy-statement statement-name {
        term term-name {
            from protocol bgp;
            then {
                community add community-name;
                accept;
            }
        }
        term term-name {
            then reject;
        }
    }
    community community-name members value;
You can include these statements at the following hierarchy levels:
[edit policy-options]
[edit logical-systems logical-system-name policy-options]
Configuring a Routing Instance to Send Routes to the CE Router
To configure the routing instance on the provider’s PE router (or switch) to send labeled routes to the carrier customer’s CE router (or switch), include the following statements:
    instance-type vrf;
    interface interface-name;
    route-distinguisher value;
    vrf-import policy-name;
    vrf-export policy-name;
    protocols {
        bgp {
            group group-name {
                peer-as as-number;
                neighbor address {
                    family inet {
                        labeled-unicast;
                    }
                }
            }
        }
    }
You can include these statements at the following hierarchy levels:
[edit routing-instances routing-instance-name]
[edit logical-systems logical-system-name routing-instances routing-instance-name]
Carrier-of-Carriers VPN Example—Customer Provides VPN Service
In this example, the carrier customer must run some form of MPLS (Resource Reservation Protocol [RSVP] or LDP) on its network to provide VPN services to the end customer. In the example below, Router B and Router I act as PE routers (or switches), and a functioning MPLS path is required between these routers if they exchange VPN-IPv4 routes.
For configuration information see the following sections:
- Network Topology for Carrier-of-Carriers Service
- Configuration for Router A
- Configuration for Router B
- Configuration for Router C
- Configuration for Router D
- Configuration for Router E
- Configuration for Router F
- Configuration for Router G
- Configuration for Router H
- Configuration for Router I
- Configuration for Router J
- Configuration for Router K
- Configuration for Router L
Network Topology for Carrier-of-Carriers Service
A carrier-of-carriers service allows an Internet service provider (ISP) to connect to a transparent outsourced backbone at multiple locations.
Figure 3 shows the network topology in this carrier-of-carriers example.
Configuration for Router A
In this example, Router A acts as the CE router for the end customer. Configure a default family inet BGP session on Router A:
    [edit]
    protocols {
        bgp {
            group to-routerB {
                export attached;
                peer-as 21;
                neighbor 192.168.197.169;
            }
        }
    }
    policy-options {
        policy-statement attached {
            from protocol direct;
            then accept;
        }
    }
Configuration for Router B
Because Router B is the PE router for the end customer CE router (Router A), you need to configure a routing instance (vpna). Configure the labeled-unicast statement on the IBGP session to Router D, and configure family inet-vpn for the IBGP session to the other side of the network with Router I:
    [edit]
    protocols {
        mpls {
            interface fe-1/0/2.0;
            interface fe-1/0/3.0;
        }
        bgp {
            group int {
                type internal;
                local-address 10.255.14.179;
                neighbor 10.255.14.175 {
                    family inet {
                        labeled-unicast {
                            resolve-vpn;
                        }
                    }
                }
                neighbor 10.255.14.181 {
                    family inet-vpn {
                        any;
                    }
                }
            }
        }
        ospf {
            area 0.0.0.0 {
                interface lo0.0 {
                    passive;
                }
                interface fe-1/0/3.0;
            }
        }
        ldp {
            interface fe-1/0/3.0;
        }
    }
    routing-instances {
        vpna {
            instance-type vrf;
            interface fe-1/0/2.0;
            route-distinguisher 10.255.14.179:21;
            vrf-import vpna-import;
            vrf-export vpna-export;
            protocols {
                bgp {
                    group vpna-06 {
                        peer-as 1;
                        neighbor 192.168.197.170;
                    }
                }
            }
        }
    }
    policy-options {
        policy-statement vpna-import {
            term a {
                from {
                    protocol bgp;
                    community vpna-comm;
                }
                then accept;
            }
            term b {
                then reject;
            }
        }
        policy-statement vpna-export {
            term a {
                from protocol bgp;
                then {
                    community add vpna-comm;
                    accept;
                }
            }
            term b {
                then reject;
            }
        }
        community vpna-comm members target:100:1001;
    }
Configuration for Router C
Configure Router C as a label-swapping router within the local AS:
    [edit]
    protocols {
        mpls {
            traffic-engineering bgp-igp;
        }
        ospf {
            area 0.0.0.0 {
                interface lo0.0 {
                    passive;
                }
                interface fe-0/3/3.0;
                interface fe-0/3/0.0;
            }
        }
        ldp {
            interface fe-0/3/0.0;
            interface fe-0/3/3.0;
        }
    }
Configuration for Router D
Router D acts as the CE router for the VPN services provided by the AS 10023 network. In the BGP group configuration for group int, which handles traffic to Router B (10.255.14.179), you include the labeled-unicast statement. You also need to configure the BGP group to-isp-red to send labeled internal routes to the PE router (Router E).
    [edit]
    protocols {
        mpls {
            traffic-engineering bgp-igp;
            interface fe-0/3/0.0;
            interface t3-0/0/0.0;
        }
        bgp {
            group int {
                type internal;
                local-address 10.255.14.175;
                neighbor 10.255.14.179 {
                    family inet {
                        labeled-unicast;
                    }
                }
            }
            group to-isp-red {
                export internal;
                peer-as 10023;
                neighbor 192.168.197.13 {
                    family inet {
                        labeled-unicast;
                    }
                }
            }
        }
        ospf {
            area 0.0.0.0 {
                interface lo0.0 {
                    passive;
                }
                interface fe-0/3/0.0;
            }
        }
        ldp {
            interface fe-0/3/0.0;
        }
    }
    policy-options {
        policy-statement internal {
            term a {
                from protocol [ ospf direct ];
                then accept;
            }
            term b {
                then reject;
            }
        }
    }
Configuration for Router E
Router E and Router H are PE routers. Configure a PE-router-to-PE-router BGP session to allow VPN-IPv4 routes to pass between these two PE routers. Configure the routing instance on Router E to send labeled routes to the CE router (Router D).
Configure Router E:
    [edit]
    protocols {
        mpls {
            interface t3-0/2/0.0;
            interface at-0/1/0.0;
        }
        bgp {
            group pe-pe {
                type internal;
                local-address 10.255.14.171;
                family inet-vpn {
                    any;
                }
                neighbor 10.255.14.173;
            }
        }
        isis {
            interface at-0/1/0.0;
            interface lo0.0 {
                passive;
            }
        }
        ldp {
            interface at-0/1/0.0;
        }
    }
    policy-options {
        policy-statement vpn-isp1-import {
            term a {
                from {
                    protocol bgp;
                    community vpn-isp1-comm;
                }
                then accept;
            }
            term b {
                then reject;
            }
        }
        policy-statement vpn-isp1-export {
            term a {
                from protocol bgp;
                then {
                    community add vpn-isp1-comm;
                    accept;
                }
            }
            term b {
                then reject;
            }
        }
        community vpn-isp1-comm members target:69:21;
    }
    routing-instances {
        vpn-isp1 {
            instance-type vrf;
            interface t3-0/2/0.0;
            route-distinguisher 10.255.14.171:21;
            vrf-import vpn-isp1-import;
            vrf-export vpn-isp1-export;
            protocols {
                bgp {
                    group to-isp1 {
                        peer-as 21;
                        neighbor 192.168.197.14 {
                            as-override;
                            family inet {
                                labeled-unicast;
                            }
                        }
                    }
                }
            }
        }
    }
Configuration for Router F
Configure Router F to swap labels for routes running through its interfaces:
    [edit]
    protocols {
        isis {
            interface so-0/2/0.0;
            interface at-0/3/0.0;
            interface lo0.0 {
                passive;
            }
        }
        ldp {
            interface so-0/2/0.0;
            interface at-0/3/0.0;
        }
    }
Configuration for Router G
Configure Router G:
    [edit]
    protocols {
        isis {
            interface so-0/0/0.0;
            interface so-1/0/0.0;
            interface lo0.0 {
                passive;
            }
        }
        ldp {
            interface so-0/0/0.0;
            interface so-1/0/0.0;
        }
    }
Configuration for Router H
The configuration for Router H is similar to the configuration for Router E:
    [edit]
    protocols {
        mpls {
            interface fe-1/1/0.0;
            interface so-1/0/0.0;
        }
        bgp {
            group pe-pe {
                type internal;
                local-address 10.255.14.173;
                family inet-vpn {
                    any;
                }
                neighbor 10.255.14.171;
            }
        }
        isis {
            interface so-1/0/0.0;
            interface lo0.0 {
                passive;
            }
        }
        ldp {
            interface so-1/0/0.0;
        }
    }
    routing-instances {
        vpn-isp1 {
            instance-type vrf;
            interface fe-1/1/0.0;
            route-distinguisher 10.255.14.173:21;
            vrf-import vpn-isp1-import;
            vrf-export vpn-isp1-export;
            protocols {
                bgp {
                    group to-isp1 {
                        peer-as 21;
                        neighbor 192.168.197.94 {
                            as-override;
                            family inet {
                                labeled-unicast;
                            }
                        }
                    }
                }
            }
        }
    }
    policy-options {
        policy-statement vpn-isp1-import {
            term a {
                from {
                    protocol bgp;
                    community vpn-isp1-comm;
                }
                then accept;
            }
            term b {
                then reject;
            }
        }
        policy-statement vpn-isp1-export {
            term a {
                from protocol bgp;
                then {
                    community add vpn-isp1-comm;
                    accept;
                }
            }
            term b {
                then reject;
            }
        }
        community vpn-isp1-comm members target:69:21;
    }
Configuration for Router I
Router I acts as the PE router for the end customer. The configuration that follows is similar to the configuration for Router B:
[edit]
protocols {
    mpls {
        interface fe-1/0/1.0;
        interface fe-1/1/3.0;
    }
    bgp {
        group int {
            type internal;
            local-address 10.255.14.181;
            neighbor 10.255.14.177 {
                family inet {
                    labeled-unicast {
                        resolve-vpn;
                    }
                }
            }
            neighbor 10.255.14.179 {
                family inet-vpn {
                    any;
                }
            }
        }
    }
    ospf {
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface fe-1/1/3.0;
        }
    }
    ldp {
        interface fe-1/1/3.0;
    }
}
routing-instances {
    vpna {
        instance-type vrf;
        interface fe-1/0/1.0;
        route-distinguisher 10.255.14.181:21;
        vrf-import vpna-import;
        vrf-export vpna-export;
        protocols {
            bgp {
                group vpna-0 {
                    peer-as 1;
                    neighbor 192.168.197.198;
                }
            }
        }
    }
}
policy-options {
    policy-statement vpna-import {
        term a {
            from {
                protocol bgp;
                community vpna-comm;
            }
            then accept;
        }
        term b {
            then reject;
        }
    }
    policy-statement vpna-export {
        term a {
            from protocol bgp;
            then {
                community add vpna-comm;
                accept;
            }
        }
        term b {
            then reject;
        }
    }
    community vpna-comm members target:100:1001;
}
Configuration for Router J
Configure Router J to swap labels for routes running through its interfaces:
[edit]
protocols {
    mpls {
        traffic-engineering bgp-igp;
    }
    ospf {
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface fe-1/0/2.0;
            interface fe-1/0/3.0;
        }
    }
    ldp {
        interface fe-1/0/2.0;
        interface fe-1/0/3.0;
    }
}
Configuration for Router K
The configuration for Router K is similar to the configuration for Router D:
[edit]
protocols {
    mpls {
        traffic-engineering bgp-igp;
        interface fe-1/1/2.0;
        interface fe-1/0/2.0;
    }
    bgp {
        group int {
            type internal;
            local-address 10.255.14.177;
            neighbor 10.255.14.181 {
                family inet {
                    labeled-unicast;
                }
            }
        }
        group to-isp-red {
            export internal;
            peer-as 10023;
            neighbor 192.168.197.93 {
                family inet {
                    labeled-unicast;
                }
            }
        }
    }
    ospf {
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface fe-1/0/2.0;
        }
    }
    ldp {
        interface fe-1/0/2.0;
    }
}
policy-options {
    policy-statement internal {
        term a {
            from protocol [ ospf direct ];
            then accept;
        }
        term b {
            then reject;
        }
    }
}
Configuration for Router L
In this example, Router L is the end customer’s CE router.
Configure a default family inet BGP session on Router L:
[edit]
protocols {
    bgp {
        group to-I {
            export attached;
            peer-as 21;
            neighbor 192.168.197.197;
        }
    }
}
policy-options {
    policy-statement attached {
        from protocol direct;
        then accept;
    }
}
Multiple Instances for LDP and Carrier-of-Carriers VPNs
By configuring multiple LDP routing instances, you can use LDP to advertise labels in a carrier-of-carriers VPN from a core provider PE router to a customer carrier CE router. Having LDP advertise labels in this manner is especially useful when the carrier customer is a basic ISP and wants to restrict full Internet routes to its PE routers. By using LDP instead of BGP, the carrier customer shields its other internal routers from the Internet at large. Multiple-instance LDP is also useful when a carrier customer wants to provide Layer 3 VPN or Layer 2 VPN services to its customers.
For an example of how to configure multiple LDP routing instances for carrier-of-carriers VPNs, see https://www.juniper.net/documentation/us/en/software/junos/mpls/topics/example/multiple-instance-ldp-configuring-detailed-solutions.html.