Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Join Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions as they discuss ongoing efforts to support digital transformation.
Register to attend
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Join us for an enlightening webinar with Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; retail guru Jack Stratten of Insider Trends; and Christian Gilby, Director of Product Marketing at Juniper Networks, as they discuss the future of in-store technologies.
Reserve my spot

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Register now
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Home Documentation Junos OS Layer 3 VPNs User Guide for Routing Devices Layer 3 VPNs Interprovider and Carrier-of-Carrier VPNs

Layer 3 VPNs User Guide for Routing Devices

keyboard_arrow_up
close
keyboard_arrow_left
Layer 3 VPNs User Guide for Routing Devices
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Interprovider VPNs

date_range 10-Jun-24
arrow_backward
arrow_forward

Interprovider VPNs

Interprovider VPNs provide connectivity between separate ASs. This functionality might be used by a VPN customer who has connections to several different service providers, or different connections to the same service provider in different geographic regions, each of which has a different AS. Figure 1 illustrates the type of network topology used by an interprovider VPN.

Figure 1: Interprovider VPN Network TopologyInterprovider VPN Network Topology

The following sections describe the ways you can configure an interprovider VPN:

Linking VRF Tables Between Autonomous Systems

You can connect two separate ASs by simply linking the VPN routing and forwarding (VRF) table in the AS border router (ASBR) of one AS to the VRF table in the ASBR in the other AS. Each ASBR must include a VRF routing instance for each VPN configured in both service provider networks. You then configure an IP session between the two ASBRs. In effect, the ASBRs treat each other as customer edge (CE) routers.

Because of the complexity of the configuration, particularly with regard to scaling, this method is not recommended. The details of this configuration are not provided with documentation.

Configuring Next Generation Layer 3 VPNs Options A, B, and C

For next generation Layer 3 VPNs, the PE routers within an AS use multiprotocol external BGP (MP-EBGP) to distribute labeled VPN–Internet Protocol version 4 (IPv4) routes to an ASBR or to a route reflector of which the ASBR is a client. The ASBR uses multiprotocol external BGP (MP-EBGP) to distribute the labeled VPN-IPv4 routes to its peer ASBR in the neighboring AS. The peer ASBR then uses MP-IBGP to distribute labeled VPN-IPv4 routes to PE routers, or to a route reflector of which the PE routers are a client.

You can configure both unicast (Junos OS Release 9.5 and later) and multicast (Junos OS Release 12.1 and later) next generation Layer 3 VPNs across ASs. The Junos OS software supports next generation Layer 3 VPNs option A, option B, and option C:

  • Option A—This is simple though less scaleable interprovider VPN solution to the problem of providing VPN services to a customer that has different sites, not all of which can use the same service provider. In this implementation, the VPN routing and forwarding (VRF) table in the ASBR of one AS is linked to the VRF table in the ASBR in the other AS. Each ASBR must include a VRF instance for each VPN configured in both service provider networks. Then an IGP or BGP must be configured between the ASBRs.

  • Option B—For this interprovider VPN solution, the customer requires VPN services for different sites, yet the same service provider is not available for all of those sites. With option B, the ASBR routers keep all VPN-IPv4 routes in the routing information base (RIB), and the labels associated with the prefixes are kept in the forwarding information base (FIB). Because the RIB and FIB tables can take too much of the respective allocated memory, this solution is not very scalable for an interprovider VPN. If a transit service provider is used between service provider 1 and service provider 2, the transit service provider also has to keep all VPN-IPv4 routes in the RIB and the corresponding labels in the FIB. The ASBRs at the transit service provider have the same functionality as ASBRs at service provider 1 or service provider 2 in this solution. The PE routers within each AS use multiprotocol internal BGP (MP-IBGP) to distribute labeled VPN-IPv4 routes to an ASBR or to a route reflector of which the ASBR is a client. The ASBR uses MP-EBGP to distribute the labeled VPN-IPv4 routes to its peer ASBR router in the neighboring AS. The peer ASBR then uses MP-IBGP to distribute labeled VPN-IPv4 routes to PE routers, or to a route reflector of which the PE routers are a client.

  • Option C—For this interprovider VPN solution, the customer service provider depends on the VPN service provider to deliver a VPN transport service between the customer service provider’s points of presence (POPs) or regional networks. This functionality might be used by a VPN customer who has connections to several different service providers, or different connections to the same service provider in different geographic regions, each of which has a different AS number. For option C, only routes internal to the service provider networks are announced between ASBRs. This is achieved by using the family inet labeled-unicast statements in the IBGP and EBGP configuration on the PE routers. Labeled IPv4 (not VPN-IPv4) routes are exchanged by the ASBRs to support MPLS. An MP-EBGP session between the end PE routers is used for the announcement of VPN-IPv4 routes. In this manner, VPN connectivity is provided while keeping VPN-IPv4 routes out of the core network.

Configuring Multihop MP-EBGP Between AS Border Routers

In this type of interprovider VPN configuration, P routers do not need to store all the routes in all the VPNs. Only the PE routers must have all the VPN routes. The P routers simply forward traffic to the PE routers—they do not store or process any information about the packets’ destination. The connections between the AS border routers in separate ASs forward traffic between the ASs, much as a label-switched path (LSP) works.

The following are the basic steps you take to configure an interprovider VPN in this manner:

  1. Configure multihop EBGP redistribution of labeled VPN-IPv4 routes between the source and destination ASs.

  2. Configure EBGP to redistribute labeled IPv4 routes from its AS to neighboring ASs.

  3. Configure MPLS on the end PE routers of the VPNs.

See Also

Example: Configuring Interprovider Layer 3 VPN Option A

Interprovider Layer 3 VPN Option A provides interprovider VRF-to-VRF connections at the AS boundary routers (ASBRs). Compared to Option B and Option C, Option A is the least scalable solution.

This example provides a step-by-step procedure to configure interprovider Layer 3 VPN option A, which is one of the recommended implementations of MPLS VPN when that service is required by a customer that has more than one AS and but not all of the customer’s ASs can be serviced by the same service provider. It is organized in the following sections:

Requirements

This example uses the following hardware and software components:

  • Junos OS Release 9.5 or later.

  • Eight M Series, T Series, TX Series, or MX Series Juniper Networks routers.

Overview and Topology

This is the simplest and least scalable interprovider VPN solution to the problem of providing VPN services to a customer that has different sites, not all of which can use the same service provider (SP).

RFC 4364, section 10, refers to this method as Interprovider VRF-to-VRF connections at the AS border routers.

In this configuration:

  • The virtual routing and forwarding (VRF) table in the ASBR of one AS is linked to the VRF table in the ASBR in the other AS. Each ASBR must contain a VRF instance for every VPN configured in both service provider networks. Then an IGP or BGP must be configured between the ASBRs. This has the disadvantage of limiting scalability.

  • In this configuration, the autonomous system boundary routers (ASBRs) at both SPs are configured as regular PE routers, and provide MPLS L3 VPN service to the neighbor SP.

  • Each PE router treats the other as if it were a customer edge (CE) router. ASBRs play the role of regular CE routers for the ASBR of the remote SP. ASBRs see each other as CE devices.

  • A provider edge (PE) router in one autonomous system (AS) attaches directly to a PE router in another AS.

  • The two PE routers are attached by multiple sub-interfaces, at least one for each of the VPNs whose routes need to be passed from AS to AS.

  • The PE routers associate each sub-interface with a VPN routing and forwarding (VRF) table, and use EBGP to distribute unlabeled IPv4 addresses to each other.

  • In this solution, all common VPNs defined at both PEs must also be defined at one or more ASBRs between the two SPs. This is not a very scalable methodology, especially when a transit SP is used by two regional SPs for interconnection.

  • This is a procedure that is simple to configure and it does not require MPLS at the border between ASs. Additionally, it does not scale as well as other recommended procedures.

The topology of the network is shown in Figure 2.

Figure 2: Physical Topology of Interprovider Layer 3 VPN Option APhysical Topology of Interprovider Layer 3 VPN Option A

Topology

Configuration

Note:

The procedure presented here is written with the assumption that the reader is already familiar with MPLS MVPN configuration. This example focuses on explaining the unique configuration required for carrier-of-carriers solutions for VPN services to different sites.

To configure interprovider layer 3 VPN option A, perform the following tasks:

Configuring Router CE1

Step-by-Step Procedure

  1. On Router CE1, configure the IP address and protocol family on the Fast Ethernet interface for the link between Router CE1 and Router PE1. Specify the inet address family type.

    content_copy zoom_out_map
    [edit interfaces fe-0/0/1.0]
family inet {
    address 198.51.100.1/24;
}

  2. On Router CE1, configure the IP address and protocol family on the loopback interface. Specify the inet address family type.

    content_copy zoom_out_map
    [edit interfaces lo0]
unit 0 {
    family inet {
        address 192.0.2.1/32;
    }
}

  3. On Router CE1, configure a routing protocol. The routing protocol can be a static route, RIP, OSPF, ISIS, or EBGP. In this example we configure OSPF. Include the Fast Ethernet interface for the link between Router CE1 and Router PE1 and the logical loopback interface of Router CE1.

    content_copy zoom_out_map
    [edit protocols]
ospf {
    area 0.0.0.2 {
        interface fe-0/0/1.0;
        interface lo0.0;
    }
}

Configuring Router PE1

Step-by-Step Procedure

  1. On Router PE1, configure IPv4 addresses on the SONET, Fast Ethernet, and logical loopback interfaces. Specify the inet address family on all of the interfaces. Specify the mpls address family on the SONET and Fast Ethernet interfaces.

    content_copy zoom_out_map
    [edit interfaces]
so-0/2/0 {
    unit 0 {
        family inet {
            address 192.168.1.9/24;
        }
        family mpls;
    }
}
fe-1/2/3 {
    unit 0 {
        family inet {
            address 198.51.100.2/24;
        }
        family mpls;
    }
}
lo0 {
    unit 0 {
        family inet {
            address 192.0.2.2/32;
        }
        
    }
}

  2. On Router PE1, configure the routing instance for VPN2. Specify the vrf instance type and specify the customer-facing Fast Ethernet interface. Configure a route distinguisher to create a unique VPN-IPv4 address prefix. Apply the VRF import and export policies to enable the sending and receiving of route targets. Configure the OSPF protocol within the VRF. Specify the customer-facing Fast Ethernet interface and specify the export policy to export BGP routes into OSPF.

    content_copy zoom_out_map
    [edit routing-instances]
vpn2CE1 {
    instance-type vrf;
    interface fe-1/2/3.0;
    route-distinguisher 1:100;
    vrf-import vpnimport;
    vrf-export vpnexport;
    protocols {
        ospf {
            export bgp-to-ospf;
            area 0.0.0.2 {
                interface fe-1/2/3.0;
            }
        }
    }
}

  3. On Router PE1, configure the RSVP and MPLS protocols to support the label-switched path (LSP). Configure the LSP to Router ASBR1 and specify the IP address of the logical loopback interface on Router ASBR1. Configure a BGP group. Specify the group type as internal. Specify the local address as the logical loopback interface on Router PE1. Specify the neighbor address as the logical loopback interface on Router ASBR1. Specify the inet-vpn address family and unicast traffic type to enable BGP to carry IPv4 network layer reachability information (NLRI) for VPN routes. Configure the OSPF protocol. Specify the core-facing SONET interface and specify the logical loopback interface on Router PE1.

    content_copy zoom_out_map
    [edit protocols]
rsvp {
    interface so-0/2/0.0;
    interface lo0.0;
}
mpls {
    label-switched-path To-ASBR1 {
        to 192.0.2.4;
    }
    interface so-0/2/0.0;
    interface lo0.0;
}
bgp {
    group To_ASBR1 {
        type internal;
        local-address 192.0.2.2;
        neighbor 192.0.2.4 {
            family inet-vpn {
                unicast;
            }
        }
    }
}
ospf {
    traffic-engineering;
    area 0.0.0.0 {
        interface so-0/2/0.0;
        interface lo0.0;
    }
}

  4. On Router PE1, configure the BGP local autonomous system number.

    content_copy zoom_out_map
    [edit routing-options]
autonomous-system 100;

  5. On Router PE1, configure a policy to export the BGP routes into OSPF.

    content_copy zoom_out_map
    [edit policy-options]
policy-statement bgp-to-ospf {
    term 1 {
        from protocol bgp;
        then accept;
    }
    term 2 {
        then reject;
    }
}

  6. On Router PE1, configure a policy to add the VRF route target to the routes being advertised for this VPN.

    content_copy zoom_out_map
    [edit policy-options]
policy-statement vpnexport {
    term 1 {
        from protocol ospf;
        then {
            community add test_comm;
            accept;
        }
    }
    term 2 {
        then reject;
    }
}

  7. On Router PE1, configure a policy to import routes from BGP that have the test_comm community attached.

    content_copy zoom_out_map
    [edit policy-options]
policy-statement vpnimport {
    term 1 {
        from {
            protocol bgp;
            community test_comm;
        }
        then accept;
    }
    term 2 {
        then reject;
    }
}

  8. On Router PE1, define the test_comm BGP community with a route target.

    content_copy zoom_out_map
    [edit policy-options]
community test_comm members target:1:100;

Configuring Router P1

Step-by-Step Procedure

  1. On Router P1, configure IP addresses for the SONET and Gigabit Ethernet interfaces. Enable the interfaces to process the inet and mpls address families. Configure the IP address for the lo0.0 loopback interface and enable the interface to process the inet address family.

    content_copy zoom_out_map
    [edit interfaces]
so-0/2/1 {
    unit 0 {
        family inet {
            address 192.168.1.4/24;
        }
        family mpls;
    }
}
ge-1/3/0 {
    unit 0 {
        family inet {
            address 192.168.2.5/24;
        }
        family mpls;
    }
}
lo0 {
    unit 0 {
        family inet {
            address 192.0.2.3/32;
        }
    }
}

  2. On Router P1, configure the RSVP and MPLS protocols to support the LSP. Specify the SONET and Gigabit Ethernet interfaces.

    Configure the OSPF protocol. Specify the SONET and Gigabit Ethernet interfaces and specify the logical loopback interface. Enable OSPF to support traffic engineering extensions.

    content_copy zoom_out_map
    [edit protocols]
rsvp {
    interface so-0/2/1.0;
    interface ge-1/3/0.0;
    interface lo0.0;
}
mpls {
    interface lo0.0;
    interface ge-1/3/0.0;
    interface so-0/2/1.0;
}
ospf {
    traffic-engineering;
    area 0.0.0.0 {
        interface ge-1/3/0.0;
        interface so-0/2/1.0;
        interface lo0.0;
    }
}

Configuring Router ASBR1

Step-by-Step Procedure

  1. On Router ASBR1, configure IP addresses for the Gigabit Ethernet interfaces. Enable the interfaces to process the inet and mpls addresses families. Configure the IP addresses for the lo0.0 loopback interface and enable the interface to process the inet address family.

    content_copy zoom_out_map
    [edit interfaces]
ge-0/0/0 {
    unit 0 {
        family inet {
            address 192.168.2.6/24;
        }
        family mpls;
    }
}
ge-0/1/1 {
    unit 0 {
        family inet {
            address 192.168.3.7/24;
        }
        family mpls;
    }
}
lo0 {
    unit 0 {
        family inet {
            address 192.0.2.4/32;
        }
    }
}

  2. On Router ASBR1, configure the To_ASBR2 routing instance. Specify the vrf instance type and specify the core-facing Gigabit Ethernet interface. Configure a route distinguisher to create a unique VPN-IPv4 address prefix. Configure a route target for the VPN. Configure the BGP peer group within the VRF. Specify AS 200 as the peer AS and specify the IP address of the Gigabit Ethernet interface on Router ASBR2 as the neighbor address.

    content_copy zoom_out_map
    [edit routing instances]
To_ASBR2{
    instance-type vrf;
    interface ge-0/1/1.0;
    route-distinguisher 1:100;
    vrf-target target:1:100;
    protocols {
        bgp {
            group To_ASBR2 {
                type external;
                neighbor 192.168.3.8 {
                    peer-as 200;
                }
            }
        }
    }
}

  3. On Router ASBR1, configure the RSVP and MPLS protocols to support the LSP by specifying the Gigabit Ethernet interface that is facing the P1 router.

    Configure the OSPF protocol by specifying the Gigabit Ethernet interface that is facing the P1 router and the logical loopback interface. Enable OSPF to support traffic engineering extensions.

    content_copy zoom_out_map
    [edit protocols]
rsvp {
    interface ge-0/0/0.0;
    interface lo0.0;
}
mpls {
    label-switched-path To_PE1 {
        to 192.0.2.2;
    }
    interface lo0.0;
    interface ge-0/0/0.0;
}
ospf {
    traffic-engineering;
    area 0.0.0.0 {
        interface ge-0/0/0.0;
        interface lo0.0;
    }
}

  4. On Router ASBR1, create the To-PE1 internal BGP peer group. Specify the local IP peer address as the local lo0.0 address. Specify the neighbor IP peer address as the lo0.0 interface address of Router PE1.

    content_copy zoom_out_map
    [edit protocols]
bgp {
    group To-PE1 {
        type internal;
        local-address 192.0.2.4;
        neighbor 192.0.2.2 {
            family inet-vpn {
                unicast;
            }
        }
    }
}

  5. On Router ASBR1, configure the BGP local autonomous system number.

    content_copy zoom_out_map
    [edit routing-options]
autonomous-system 100;

Configuring Router ASBR2

Step-by-Step Procedure

  1. On Router ASBR2, configure IP addresses for the Gigabit Ethernet interfaces. Enable the interfaces to process the inet and mpls address families. Configure the IP address for the lo0.0 loopback interface and enable the interface to process the inet address family.

    content_copy zoom_out_map
    [edit interfaces]
ge-0/1/1 {
    unit 0 {
        family inet {
            address 192.168.3.8/24;
        }
        family mpls;
    }
}
ge-0/2/3 {
    unit 0 {
        family inet {
            address 192.168.4.10/24;
        }
        family mpls;
    }
}
lo0 {
    unit 0 {
        family inet {
            address 192.0.2.5/32;
        }
    }
}

  2. On Router ASBR2, configure the To_ASBR1 routing instance. Specify the vrf instance type and specify the core-facing Gigabit Ethernet interface. Configure a route distinguisher to create a unique VPN-IPv4 address prefix. Configure a route target for the VPN. Configure the BGP peer group within the VRF. Specify AS 100 as the peer AS and specify the IP address of the Gigabit Ethernet interface on Router ASBR1 as the neighbor address.

    content_copy zoom_out_map
    [edit routing-instances]
To_ASBR1 {
    instance-type vrf;
    interface ge-0/1/1.0;
    route-distinguisher 1:100;
    vrf-target target:1:100;
    protocols {
        bgp {
            group To_ASBR1 {
                type external;
                neighbor 192.168.3.7 {
                    peer-as 100;
                }
            }
        }
    }
}

  3. On Router ASBR2, configure the RSVP and MPLS protocols to support the LSP by specifying the Gigabit Ethernet interface that is facing the P2 router.

    Configure the OSPF protocol by specifying the Gigabit Ethernet interface that is facing the P2 router and the logical loopback interface. Enable OSPF to support traffic engineering extensions.

    content_copy zoom_out_map
    [edit protocols]
rsvp {
    interface ge-0/2/3.0;
    interface lo0.0;
}
mpls {
    label-switched-path To_PE2 {
        to 192.0.2.7;
    }
    interface lo0.0;
    interface ge-0/2/3.0;
}
ospf {
    traffic-engineering;
    area 0.0.0.0 {
        interface ge-0/2/3.0;
        interface lo0.0;
    }
}

  4. On Router ASBR2, create the To-PE2 internal BGP peer group. Specify the local IP peer address as the local lo0.0 address. Specify the neighbor IP peer address as the lo0.0 interface address of Router PE2.

    content_copy zoom_out_map
    [edit protocols]
bgp {
    group To-PE2 {
        type internal;
        local-address 192.0.2.5;
        neighbor 192.0.2.7 {
            family inet-vpn {
                unicast;
            }
        }
    }

  5. On Router ASBR2, configure the BGP local autonomous system number.

    content_copy zoom_out_map
    [edit routing-options]
autonomous-system 200;

Configuring Router P2

Step-by-Step Procedure

  1. On Router P2, configure IP addresses for the SONET and Gigabit Ethernet interfaces. Enable the interfaces to process the inet and mpls address families. Configure the IP address for the lo0.0 loopback interface and enable the interface to process the inet address family.

    content_copy zoom_out_map
    [edit interfaces]
so-0/0/0 {
    unit 0 {
        family inet {
            address 192.168.5.11/24;
        }
        family mpls;
    }
}
ge-0/2/2 {
    unit 0 {
        family inet {
            address 192.168.4.12/24;
        }
        family mpls;
    }
}
lo0 {
    unit 0 {
        family inet {
            address 192.0.2.6/32;
        }
    }
}

  2. On Router P2, configure the RSVP and MPLS protocols to support the LSP. Specify the SONET and Gigabit Ethernet interfaces.

    Configure the OSPF protocol. Specify the SONET and Gigabit Ethernet interfaces and specify the logical loopback interface. Enable OSPF to support traffic engineering extensions.

    content_copy zoom_out_map
    [edit protocols]
rsvp {
    interface so-0/0/0.0;
    interface ge-0/2/2.0;
    interface lo0.0;
}
mpls {
    interface lo0.0;
    interface ge-0/2/2.0;
    interface so-0/0/0.0;
}
ospf {
    traffic-engineering;
    area 0.0.0.0 {
        interface ge-0/2/2.0;
        interface so-0/0/0.0;
        interface lo0.0;
    }
}

Configuring Router PE2

Step-by-Step Procedure

  1. On Router PE2, configure IPv4 addresses on the SONET, Fast Ethernet, and logical loopback interfaces. Specify the inet address family on all of the interfaces. Specify the mpls address family on the SONET and Fast Ethernet interfaces.

    content_copy zoom_out_map
    [edit interfaces]
so-0/0/1 {
    unit 0 {
        family inet {
            address 192.168.5.12/24;
        }
        family mpls;
    }
}
fe-0/3/1 {
    unit 0 {
        family inet {
            address 192.168.6.13/24;
        }
        family mpls;
    }
lo0 {
    unit 0 {
        family inet {
            address 192.0.2.7/32;
        }
    }
}

  2. On Router PE2, configure the routing instance for VPN2. Specify the vrf instance type and specify the customer-facing Fast Ethernet interface. Configure a route distinguisher to create a unique VPN-IPv4 address prefix. Apply the VRF import and export policies to enable the sending and receiving of route targets. Configure the BGP peer group within the VRF. Specify AS 20 as the peer AS and specify the IP address of the Fast Ethernet interface on Router CE2 as the neighbor address.

    content_copy zoom_out_map
    [edit routing-instances]
vpn2CE2 {
    instance-type vrf;
    interface fe-0/3/1.0;
    route-distinguisher 1:100;
    vrf-import vpnimport;
    vrf-export vpnexport;
    protocols {
        bgp {
            group To_CE2 {
                peer-as 20;
                neighbor 192.168.6.14;
            }
        }
    }
}

  3. On Router PE2, configure the RSVP and MPLS protocols to support the LSP. Configure the LSP to ASBR2 and specify the IP address of the logical loopback interface on Router ASBR2. Configure a BGP group. Specify the group type as internal. Specify the local address as the logical loopback interface on Router PE2. Specify the neighbor address as the logical loopback interface on the Router ASBR2. Specify the inet-vpn address family and unicast traffic type to enable BGP to carry IPv4 NLRI for VPN routes. Configure the OSPF protocol. Specify the core-facing SONET interface and specify the logical loopback interface on Router PE2.

    content_copy zoom_out_map
    [edit protocols]
rsvp {
    interface so-0/0/1.0;
    interface lo0.0;
}
mpls {
    label-switched-path To-ASBR2 {
        to 192.0.2.5;
    }
    interface so-0/0/1.0;
    interface lo0.0;
}
bgp {
    group To_ASBR2 {
        type internal;
        local-address 192.0.2.7;
        neighbor 192.0.2.5 {
            family inet-vpn {
                unicast;
            }
        }
    }
}
ospf {
    traffic-engineering;
    area 0.0.0.0 {
        interface so-0/0/1.0;
        interface lo0.0;
    }
}

  4. On Router PE2, configure the BGP local autonomous system number.

    content_copy zoom_out_map
    [edit routing-options]
autonomous-system 200;

  5. On Router PE2, configure a policy to add the VRF route target to the routes being advertised for this VPN.

    content_copy zoom_out_map
    [edit policy-options]
policy-statement vpnexport {
    term 1 {
        from protocol bgp;
        then {
            community add test_comm;
            accept;
        }
    }
    term 2 {
        then reject;
    }
}

  6. On Router PE2, configure a policy to import routes from BGP that have the test_comm community attached.

    content_copy zoom_out_map
    [edit policy-options]
    policy-statement vpnimport {
        term 1 {
            from {
                protocol bgp;
                community test_comm;
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }

  7. On Router PE2, define the test_comm BGP community with a route target.

    content_copy zoom_out_map
    [edit policy-options]
community test_comm members target:1:100;

Configuring Router CE2

Step-by-Step Procedure

  1. On Router CE2, configure the IP address and protocol family on the Fast Ethernet interface for the link between Router CE2 and Router PE2. Specify the inet address family type.

    content_copy zoom_out_map
    [edit interfaces]
fe-3/0/0 {
    unit 0 {
        family inet {
            address 192.168.6.14/24;
        }
    }
}

  2. On Router CE2, configure the IP address and protocol family on the loopback interface. Specify the inet address family type.

    content_copy zoom_out_map
    [edit interfaces lo0]
lo0 {
    unit 0 {
        family inet {
            address 192.0.2.8/32;
        }
    }
}

  3. On Router CE2, define a policy named myroutes that accepts direct routes.

    content_copy zoom_out_map
    [edit policy-options]
policy-statement myroutes {
    from protocol direct;
    then accept;
}

  4. On Router CE2, configure a routing protocol. The routing protocol can be a static route, RIP, OSPF, ISIS, or EBGP. In this example, we configure EBGP. Specify AS 200 as the peer AS and specify the BGP neighbor IP address as the Fast Ethernet interface of Router PE2.

    content_copy zoom_out_map
    [edit protocols]
bgp {
    group To_PE2 {
        neighbor 192.168.6.13 {
            export myroutes;
            peer-as 200;
        }
    }
}

  5. On Router CE2, configure the BGP local autonomous system number.

    content_copy zoom_out_map
    [edit routing-options]
autonomous-system 20;

Verifying the VPN Operation

Step-by-Step Procedure

  1. Commit the configuration on each router.

    Note:

    The MPLS labels shown in this example will be different than the labels used in your configuration.

  2. On Router PE1, display the routes for the vpn2CE1 routing instance using the show ospf route command. Verify that the 192.0.2.1 route is learned from OSPF.

    content_copy zoom_out_map
    user@PE1> show ospf route instance vpn2CE1
Topology default Route Table:

Prefix             Path   Route       NH   Metric  NextHop       Nexthop      
                   Type   Type        Type         Interface     addr/label
192.0.2.1            Intra  Router      IP        1  fe-1/2/3.0    198.51.100.1
192.0.2.1/32         Intra  Network     IP        1  fe-1/2/3.0    198.51.100.1
198.51.100.0/24      Intra  Network     IP        1  fe-1/2/3.0    198.51.100.1

  3. On Router PE1, use the show route advertising-protocol command to verify that Router PE1 advertises the 192.0.2.1 route to Router ASBR1 using MP-BGP with the VPN MPLS label.

    content_copy zoom_out_map
    user@PE1> show route advertising-protocol bgp 192.0.2.4 extensive
vpn2CE1.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
* 192.0.2.1/32 (1 entry, 1 announced)
 BGP group To_PE1 type Internal
     Route Distinguisher: 1:100
     VPN Label: 299856
     Nexthop: Self
     Flags: Nexthop Change
     MED: 1
     Localpref: 100
     AS path: [100] I
     Communities: target:1:100 rte-type:0.0.0.2:1:0

  4. On Router ASBR1, use the show route receive-protocol command to verify that the router receives and accepts the 192.0.2.1 route and places it in the To_ASBR2.inet.0 routing table.

    content_copy zoom_out_map
    user@ASBR1> show route receive-protocol bgp 192.0.2.2 extensive
inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)

inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

To_ASBR2.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
* 192.0.2.1/32 (1 entry, 1 announced)
     Route Distinguisher: 1:100
     VPN Label: 299856 
     Nexthop: 192.0.2.2
     MED: 1
     Localpref: 100
     AS path: I
     Communities: target:1:100 rte-type:0.0.0.2:1:0

MPLS.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)

BGP.13VPN.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

* 1:100:192.0.2.1/32 (1 entry, 0 announced)
     Route Distinguisher: 1:100
     VPN Label: 299856
     Nexthop: 192.0.2.2
     MED: 1         
     Localpref: 100
     AS path: I
     Communities: target:1:100 rte-type:0.0.0.2:1:0

  5. On Router ASBR1, use the show route advertising-protocol command to verify that Router ASBR1 advertises the 192.0.2.1 route to Router ASBR2.

    content_copy zoom_out_map
    user@ASBR1> show route advertising-protocol bgp 192.168.3.8 extensive
To_ASBR2.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
* 192.0.2.1/32 (1 entry, 1 announced)
 BGP group To_ASBR2.inet.0 type External
     Nexthop: Self
     AS path: [100] I
     Communities: target:1:100 rte-type:0.0.0.2:1:0

  6. On Router ASBR2, use the show route receive-protocol command to verify that the router receives and accepts the 192.0.2.1 route and places it in the To_ASBR1.inet.0 routing table.

    content_copy zoom_out_map
    user@ASBR2> show route receive-protocol bgp 192.168.3.7 extensive
inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)

inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

To_ASBR1.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
* 192.0.2.1/32 (1 entry, 1 announced)
     Accepted
     Nexthop: 192.168.3.7
     AS path: 100 I
     Communities: target:1:100 rte-type:0.0.0.2:1:0

MPLS.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)

BGP.l3VPN.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

  7. On Router ASBR2, use the show route advertising-protocol command to verify that Router ASBR2 advertises the 192.0.2.1 route to Router PE2.

    content_copy zoom_out_map
    user@ASBR2> show route advertising-protocol bgp 192.0.2.7 extensive
To_ASBR1.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
* 192.0.2.1/32 (1 entry, 1 announced)
 BGP group To-PE2 type Internal
     Route Distinguisher: 1:100
     VPN Label: 299936
     Nexthop: Self
     Flags: Nexthop Change
     Localpref: 100
     AS path: [200] 100 I
     Communities: target:1:100 rte-type:0.0.0.2:1:0

  8. On Router PE2, use the show route receive-protocol command to verify that the router receives and accepts the 192.0.2.1 route and places it in the vpn2CE2.inet.0 routing table.

    content_copy zoom_out_map
    user@PE2> show route receive-protocol bgp 192.0.2.5 extensive
inet.0: 12 destinations, 13 routes (12 active, 0 holddown, 0 hidden)

inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

__juniper_private1__.inet.0: 14 destinations, 14 routes (8 active, 0 holddown, 6 hidden)

__juniper_private2__.inet.0: 1 destinations, 1 routes (0 active, 0 holddown, 1 hidden)

vpn2CE2.inet.0: 5 destinations, 6 routes (5 active, 0 holddown, 0 hidden)
* 192.0.2.1/32 (1 entry, 1 announced)
     Accepted
     Route Distinguisher: 1:100
     VPN Label: 299936 
     Nexthop: 192.0.2.5
     Localpref: 100
     AS path: 100 I
     AS path: Recorded
     Communities: target:1:100 rte-type:0.0.0.2:1:0

  9. On Router PE2, use the show route advertising-protocol command to verify that Router PE2 advertises the 192.0.2.1 route to Router CE2 through the To_CE2 peer group.

    content_copy zoom_out_map
    user@PE2> show route advertising-protocol bgp 192.168.6.14 extensive
vpn2CE2.0: 5 destinations, 6 routes (5 active, 0 holddown, 0 hidden)
* 192.0.2.1/32  (1 entry, 1 announced)
 BGP group To_CE2 type External
     Nexthop: Self
     AS path: [200] 100 I
     Communities: target:1:100 rte-type:0.0.0.2:1:0

  10. On Router CE2, use the show route command to verify that Router CE2 receives the 192.0.2.1 route from Router PE2.

    content_copy zoom_out_map
    user@CE2> show route 192.0.2.1
inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.0.2.1/32         *[BGP/170] 00:25:36, localpref 100
                      AS path: 200 100 I
                    > to 192.168.6.13  via fe-3/0/0.0

  11. On Router CE2, use the ping command and specify 192.0.2.8 as the source of the ping packets to verify connectivity with Router CE1.

    content_copy zoom_out_map
    user@CE2> ping 192.0.2.1 source 192.0.2.8
PING 192.0.2.1 (192.0.2.1): 56 data bytes
64 bytes from 192.0.2.1: icmp_seq=0 ttl=58 time=4.672 ms
64 bytes from 192.0.2.1: icmp_seq=1 ttl=58 time=10.480 ms
64 bytes from 192.0.2.1: icmp_seq=2 ttl=58 time=10.560 ms

  12. On Router PE2, use the show route command to verify that the traffic is sent with an inner label of 299936 and a top label of 299776.

    content_copy zoom_out_map
    user@PE2> show route 192.0.2.1 detail

vpn2CE2.inet.0: 5 destinations, 6 routes (5 active, 0 holddown, 0 hidden)
192.0.2.1/32 (1 entry, 1 announced)
        *BGP    Preference: 170/-101
                Route Distinguisher: 1:100
                Next hop type: Indirect
                Next-hop reference count: 6
                Source: 192.0.2.5
                Next hop type: Router, Next hop index: 648
                Next hop: via so-0/0/1.0 weight 0x1, selected
                Label-switched-path To-ASBR2
                Label operation: Push 299936, Push 299776(top)
                Protocol next hop: 192.0.2.5
                Push 299984
                Indirect next hop: 8c6109c 262143
                State: <Secondary Active Int Ext>
                Local AS:   200 Peer AS:   200
                Age: 3:37       Metric2: 2 
                Task: BGP_200.192.0.2.5+179
                Announcement bits (3): 0-RT 1-KRT 2-BGP RT Background 
                AS path: 100 I
                AS path: Recorded
                Communities: target:1:100 rte-type:0.0.0.2:1:0
                Accepted
                VPN Label: 299984
                Localpref: 100
                Router ID: 192.0.2.5
                Primary Routing Table BGP.l3VPN.0

  13. On Router ASBR2, use the show route table command to verify that Router ASBR2 receives the traffic.

    content_copy zoom_out_map
    user@ASBR2# show route table mpls.0 detail
299936 (1 entry, 1 announced)
        *VPN    Preference: 170
                Next hop type: Router, Next hop index: 649
                Next-hop reference count: 2
                Source: 192.168.3.7                Next hop: 192.168.3.7 via ge-0/1/1.0, selected
                Label operation: Pop      
                State: <Active Int Ext>
                Local AS:   200 
                Age: 9:54 
                Task: BGP RT Background
                Announcement bits (1): 0-KRT 
                AS path: 100 I
                Ref Cnt: 1
                Communities: target:1:100 rte-type:0.0.0.2:1:0

  14. On Router ASBR2, use the show route table command to verify that Router ASBR2 receives the traffic.

    content_copy zoom_out_map
    user@ASBR2# show route 192.0.2.1  detail
To_ASBR1.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
192.0.2.1/32  (1 entry, 1 announced)
        *BGP    Preference: 170/-101
                Next hop type: Router, Next hop index: 576
                Next-hop reference count: 3
                Source: 192.168.3.7
                Next hop: 192.168.3.7  via ge-0/1/1.0, selected
                State: <Active Ext>
                Peer AS:   100
                Age: 13:07 
                Task: BGP_192.168.3.7+53372
                Announcement bits (2): 0-KRT 1-BGP RT Background 
                AS path: 100 I
                Communities: target:1:100 rte-type:0.0.0.2:1:0
                Accepted
                Localpref: 100
                Router ID: 192.168.3.7

  15. On Router ASBR1, use the show route command to verify that ASBR1 sends traffic toward PE1 with the top label 299792 and VPN label 299856.

    content_copy zoom_out_map
    user@ASBR1# show route 192.0.2.1 detail
To_ASBR2.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
192.0.2.1/24 (1 entry, 1 announced)
        *BGP    Preference: 170/-101
                Route Distinguisher: 1:100
                Next hop type: Indirect
                Next-hop reference count: 3
                Source: 192.0.2.2
                Next hop type: Router, Next hop index: 669
                Next hop: 192.168.2.5 via ge-0/0/0.0 weight 0x1, selected
                Label-switched-path To_PE1
                Label operation: Push 299856, Push 299792(top)
                Protocol next hop: 192.0.2.2                Push 299856
                Indirect next hop: 8af70a0 262143
                State: <Secondary Active Int Ext>
                Local AS:   100 Peer AS:   100
                Age: 12:15      Metric: 1       Metric2: 2 
                Task: BGP_100.192.0.2.2+58065
                Announcement bits (2): 0-KRT 1-BGP RT Background 
                AS path: I
                Communities: target:1:100 rte-type:0.0.0.2:1:0
                VPN Label: 299856
                Localpref: 100
                Router ID: 192.0.2.2
                Primary Routing Table BGP.l3VPN.0

  16. On Router PE1, use the show route table command to verify that Router PE1 receives the traffic with label 299856, pops the label,l and the traffic is sent toward Router CE1 through interface fe-1/2/3.0.

    content_copy zoom_out_map
    lab@PE1# show route table mpls.0 detail
299856 (1 entry, 1 announced)
        *VPN    Preference: 170
                Next hop type: Router, Next hop index: 666
                Next-hop reference count: 2
                Next hop: 198.51.100.8 via fe-1/2/3.0, selected
                Label operation: Pop      
                State: <Active Int Ext>
                Local AS:   100 
                Age: 17:38 
                Task: BGP RT Background
                Announcement bits (1): 0-KRT 
                AS path: I
                Ref Cnt: 1
                Communities: rte-type:0.0.0.2:1:0

  17. On Router PE1, use the show route command to verify that PE1 receives the traffic after the top label is popped by Router P and the traffic is sent toward Router CE1 through interface fe-1/2/3.0.

    content_copy zoom_out_map
    lab@PE1# show route 192.0.2.1 detail 

 vpn2CE1.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
192.0.2.1/32 (1 entry, 1 announced)
        *OSPF   Preference: 10
                Next hop type: Router, Next hop index: 634
                Next-hop reference count: 3
                Next hop: 198.51.100.8 via fe-1/2/3.0, selected
                State: <Active Int>
                Age: 18:42      Metric: 1 
                Area: 0.0.0.2
                Task: VPN2alice-OSPFv2
                Announcement bits (2): 2-KRT 3-BGP RT Background 
                AS path: I
                Communities: rte-type:0.0.0.2:1:0

Example: Configuring Interprovider Layer 3 VPN Option B

Interprovider Layer 3 VPN Option B provides interprovider EBGP redistribution of labeled VPN-IPv4 routes from AS to neighboring AS. This solution is considered to be more scalable than Option A, but not as scalable as Option C.

This example provides a step-by-step procedure to configure interprovider layer 3 VPN option B, which is one of the recommended implementations of an MPLS VPN for a customer that has more than one AS, but not all of the customer’s ASs can be serviced by the same service provider. It is organized in the following sections:

Requirements

This example uses the following hardware and software components:

  • Junos OS Release 9.5 or later.

    • This example has been recently updated and revalidated on Junos OS Release 21.1R1.

  • Eight M Series, T Series, TX Series, QFX10000, or MX Series Juniper Networks routers.

Configuration Overview and Topology

Interprovider layer 3 VPN option B is a somewhat scalable solution to the problem of providing VPN services to a customer that has different sites, not all of which can use the same service provider. RFC 4364, section 10, refers to this method as interprovider EBGP redistribution of labeled VPN-IPv4 routes from AS to neighboring AS.

In the topology shown in Figure 1, the following events occur:

  • The PE routers use IBGP to redistribute labeled VPN-IPv4 routes to an ASBR.

  • The ASBR then uses EBGP to redistribute those labeled VPN-IPv4 routes to an ASBR in another AS, which distributes them to the PE routers in that AS.

  • Labeled VPN-IPv4 routes are distributed between ASBR routers on each site. There is no need to define a separate VPN routing and forwarding instance (VRF) for each common VPN that resides on two different SPs.

  • Router PE2 distributes VPN-IPv4 routes to Router ASBR2 using MP-IBGP.

  • Router ASBR2 distributes these labeled VPN-IPv4 routes to Router ASBR1, using the MP-EBGP session between them.

  • Router ASBR1 redistributes those routes to Router PE1, using MP-IBGP. Each time a label is advertised, routers change the next-hop information and labels.

  • An MPLS path is established between Router PE1 and Router PE2. This path enables changing of the next-hop attribute for the routes that are learned from the neighbor SP router and map the incoming label for the given routes to the outgoing label advertised to PE routers in the internal network.

  • The ingress PE router inserts two labels onto the IP packet coming from the end customer. The inner label is for the VPN-IPv4 routes learned from internal ASBRs and the outer label is for the route to the internal ASBR, obtained through resource reservation protocol (RSVP) or label distribution protocol (LDP).

  • When a packet arrives at the ASBR, it removes the outer label (when explicit-null signaling is used; otherwise, penultimate hop-popping (PHP) pops the label) and swaps the inner label with the label obtained from the neighbor ASBR through MP-EBGP label and prefix advertisements.

  • The second ASBR swaps the VPN-IPv4 label and pushes another label to reach the PE router in its own AS.

  • The remaining process is the same as for a regular VPN.

Note:

In this solution, ASBR routers keep all VPN-IPv4 routes in the routing information base (RIB), and the labels associated with the prefixes are kept in the forwarding information base (FIB). Because the RIB and FIB tables can take occupy much of the respective allocated memory, this solution is not very scalable for an interprovider VPN.

If a transit SP is used between SP1 and SP2, the transit SP also has to keep all VPN-IPv4 routes in the RIB and the corresponding labels in the FIB. The ASBRs at the transit SP have the same functionality as ASBRs in the SP1 or SP2 networks in this solution.

Topology

The topology of the network is shown in Figure 3.

Figure 3: Physical Topology of Interprovider Layer 3 VPN Option BPhysical Topology of Interprovider Layer 3 VPN Option B

Configuration

Note:

The procedure presented here is written with the assumption that the reader is already familiar with MPLS MVPN configuration. This example focuses on explaining the unique configuration required for carrier-of-carriers solutions for VPN services to different sites.

To configure layer 3 VPN option B, perform the following tasks:

Configuring Router CE1

Step-by-Step Procedure

  1. On Router CE1, configure the IP address and protocol family on the logical loopback interface and the Gigabit Ethernet interface for the link between Router CE1 and Router PE1. Specify the inet address family type.

    content_copy zoom_out_map
    user@CE1#
set interfaces ge-0/0/0 description to_PE1
set interfaces ge-0/0/0 unit 0 family inet address 172.16.1.1/30
set interfaces lo0 unit 0 family inet address 192.168.1.1/32

  2. On Router CE1, configure the router ID.

    content_copy zoom_out_map
    user@CE1#
set routing-options router-id 192.168.1.1

  3. On Router CE1, configure a routing protocol. Include the logical interface for the link between Router CE1 and Router PE1 and the logical loopback interface of Router CE1. The routing protocol can be a static route, RIP, OSPF, ISIS, or EBGP. In this example we configure OSPF.

    content_copy zoom_out_map
    user@CE1#
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface lo0.0

Configuring Router PE1

Step-by-Step Procedure

  1. On Router PE1, configure IPv4 addresses on the Gigabit Ethernet and logical loopback interfaces. Specify the inet address family on all of the interfaces. Specify the mpls address family on the core-facing interface.

    content_copy zoom_out_map
    user@PE1#
set interfaces ge-0/0/0 description to_CE1
set interfaces ge-0/0/0 unit 0 family inet address 172.16.1.2/30
set interfaces ge-0/0/1 description to_P1
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.1/30
set interfaces ge-0/0/1 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 192.168.100.1/32

  2. On Router PE1, configure a VRF routing instance. Specify the vrf instance type and specify the customer-facing interface. Configure a route distinguisher to create a unique VPN-IPv4 address prefix. Apply the VRF import and export policies to enable the sending and receiving of route targets. Configure the OSPF protocol within the VRF. Specify the customer-facing interface and specify the export policy to export BGP routes into OSPF.

    content_copy zoom_out_map
    user@PE1#
set routing-instances to_CE1 instance-type vrf
set routing-instances to_CE1 protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set routing-instances to_CE1 protocols ospf export bgp-to-ospf
set routing-instances to_CE1 interface ge-0/0/0.0
set routing-instances to_CE1 route-distinguisher 192.168.100.1:1
set routing-instances to_CE1 vrf-import vpnimport
set routing-instances to_CE1 vrf-export vpnexport

  3. On Router PE1, configure the RSVP and MPLS protocols to support the label-switched path (LSP). Configure the LSP to Router ASBR1 and specify the IP address of the logical loopback interface on Router ASBR1. Configure a BGP group. Specify the group type as internal. Specify the local address as the logical loopback interface on Router PE1. Specify the neighbor address as the logical loopback interface on Router ASBR1. Specify the inet-vpn address family and unicast traffic type to enable BGP to carry IPv4 network layer reachability information (NLRI) for VPN routes. Configure the OSPF protocol. Specify the core-facing interface and specify the logical loopback interface on Router PE1.

    content_copy zoom_out_map
    user@PE1#
set protocols bgp group to-ASBR1 type internal
set protocols bgp group to-ASBR1 local-address 192.168.100.1
set protocols bgp group to-ASBR1 neighbor 192.168.100.3 family inet-vpn unicast
set protocols mpls label-switched-path to-ASBR1 to 192.168.100.3
set protocols mpls interface ge-0/0/1.0
set protocols mpls interface lo0.0
set protocols ospf traffic-engineering
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0
set protocols ospf area 0.0.0.0 interface lo0.0
set protocols rsvp interface ge-0/0/1.0
set protocols rsvp interface lo0.0

  4. On Router PE1, configure the BGP local autonomous system number and router ID.

    content_copy zoom_out_map
    user@PE1#
set routing-options router-id 192.168.100.1
set routing-options autonomous-system 65100

  5. On Router PE1, configure a policy to export the BGP routes into OSPF.

    content_copy zoom_out_map
    user@PE1#
set policy-options policy-statement bgp-to-ospf term 1 from protocol bgp
set policy-options policy-statement bgp-to-ospf term 1 then accept
set policy-options policy-statement bgp-to-ospf term 2 then reject

  6. On Router PE1, configure a policy to add the VRF route target to the routes being advertised from CE1.

    content_copy zoom_out_map
    user@PE1#
set policy-options policy-statement vpnexport term 1 from protocol ospf
set policy-options policy-statement vpnexport term 1 then community add pe1_comm
set policy-options policy-statement vpnexport term 1 then accept
set policy-options policy-statement vpnexport term 2 then reject

  7. On Router PE1, configure a policy to import routes from PE2 that have the pe2_comm community attached.

    content_copy zoom_out_map
    user@PE1#
set policy-options policy-statement vpnimport term 1 from protocol bgp
set policy-options policy-statement vpnimport term 1 from community pe2_comm
set policy-options policy-statement vpnimport term 1 then accept
set policy-options policy-statement vpnimport term 2 then reject

  8. On Router PE1, define the pe1_comm BGP community with a route target to apply to the vpnexport policy and define the pe2_comm BGP community with a route target to apply to the vpnimport policy.

    content_copy zoom_out_map
    user@PE1#
set policy-options community pe1_comm members target:65100:1
set policy-options community pe2_comm members target:65200:1

Configuring Router P1

Step-by-Step Procedure

  1. On Router P1, configure IP addresses for the Gigabit Ethernet interfaces. Enable the interfaces to process the inet and mpls address families. Configure the IP addresses for the lo0.0 loopback interface and enable the interface to process the inet address family.

    content_copy zoom_out_map
    user@P1#
set interfaces ge-0/0/0 description to_PE1
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.2/30
set interfaces ge-0/0/0 unit 0 family mpls
set interfaces ge-0/0/1 description to_ASBR1
set interfaces ge-0/0/1 unit 0 family inet address 10.1.2.1/30
set interfaces ge-0/0/1 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 192.168.100.2/32

  2. On Router P1, configure the RSVP and MPLS protocols to support the LSP. Specify the Gigabit Ethernet interfaces.

    Configure the OSPF protocol. Specify the Gigabit Ethernet interfaces and specify the logical loopback interface. Enable OSPF to support traffic engineering extensions.

    content_copy zoom_out_map
    user@P1#
set protocols mpls interface ge-0/0/0.0
set protocols mpls interface ge-0/0/1.0
set protocols mpls interface lo0.0
set protocols ospf traffic-engineering
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0
set protocols ospf area 0.0.0.0 interface lo0.0
set protocols rsvp interface ge-0/0/0.0
set protocols rsvp interface ge-0/0/1.0
set protocols rsvp interface lo0.0

Configuring Router ASBR1

Step-by-Step Procedure

  1. On Router ASBR1, configure IP addresses for the Gigabit Ethernet interfaces. Enable the interfaces to process the inet and mpls addresses families. Configure the IP addresses for the lo0.0 loopback interface and enable the interface to process the inet address family.

    content_copy zoom_out_map
    user@ASBR1#
set interfaces ge-0/0/0 description to_P1
set interfaces ge-0/0/0 unit 0 family inet address 10.1.2.2/30
set interfaces ge-0/0/0 unit 0 family mpls
set interfaces ge-0/0/1 description to_ASBR2
set interfaces ge-0/0/1 unit 0 family inet address 172.16.12.1/30
set interfaces ge-0/0/1 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 192.168.100.3/32

  2. On Router ASBR1, configure the RSVP and MPLS protocols to support the LSP by specifying the Gigabit Ethernet interface facing the P1 router and the lo0.0 logical loopback interface.

    Configure the OSPF protocol by specifying the Gigabit Ethernet interface that is facing the P1 router and the logical loopback interface. Enable OSPF to support traffic engineering extensions.

    content_copy zoom_out_map
    user@ASBR1#
set protocols mpls label-switched-path to-PE1 to 192.168.100.1
set protocols mpls interface ge-0/0/0.0
set protocols mpls interface lo0.0
set protocols ospf traffic-engineering
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface lo0.0
set protocols rsvp interface ge-0/0/0.0
set protocols rsvp interface lo0.0

  3. On Router ASBR1, create the to-PE1 internal BGP peer group. Specify the local IP peer address as the local lo0.0 address. Specify the neighbor IP peer address as the lo0.0 interface address of Router PE1.

    content_copy zoom_out_map
    user@ASBR1#
set protocols bgp group to-PE1 type internal
set protocols bgp group to-PE1 local-address 192.168.100.3
set protocols bgp group to-PE1 neighbor 192.168.100.1 family inet-vpn unicast

  4. On Router ASBR1, create the to-ASBR2 external BGP peer group. Enable the router to use BGP to advertise NLRI for unicast routes. Specify the neighbor IP peer address as the Gigabit Ethernet interface address of Router ASBR2.

    content_copy zoom_out_map
    user@ASBR1#
set protocols bgp group to-ASBR2 type external
set protocols bgp group to-ASBR2 family inet-vpn unicast
set protocols bgp group to-ASBR2 neighbor 172.16.12.2 peer-as 65200

  5. On Router ASBR1, configure the BGP local autonomous system number the router ID.

    content_copy zoom_out_map
    user@ASBR1#
set routing-options router-id 192.168.100.3
set routing-options autonomous-system 65100

Configuring Router ASBR2

Step-by-Step Procedure

  1. On Router ASBR2, configure IP addresses for the Gigabit Ethernet interfaces. Enable the interfaces to process the inet and mpls address families. Configure the IP address for the lo0.0 loopback interface and enable the interface to process the inet address family.

    content_copy zoom_out_map
    user@ASBR2#
set interfaces ge-0/0/0 description to_ASBR1
set interfaces ge-0/0/0 unit 0 family inet address 172.16.12.2/30
set interfaces ge-0/0/0 unit 0 family mpls
set interfaces ge-0/0/1 description to_P2
set interfaces ge-0/0/1 unit 0 family inet address 10.2.2.2/30
set interfaces ge-0/0/1 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 192.168.200.3/32

  2. On Router ASBR2, configure the RSVP and MPLS protocols to support the LSP by specifying the Gigabit Ethernet interface that is facing the P2 router.

    Configure the OSPF protocol by specifying the Gigabit Ethernet interface that is facing the P2 router and the logical loopback interface. Enable OSPF to support traffic engineering extensions.

    content_copy zoom_out_map
    user@ASBR2#
set protocols mpls label-switched-path to-PE2 to 192.168.200.1
set protocols mpls interface ge-0/0/1.0
set protocols mpls interface lo0.0
set protocols ospf traffic-engineering
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0
set protocols ospf area 0.0.0.0 interface lo0.0
set protocols rsvp interface ge-0/0/1.0
set protocols rsvp interface lo0.0

  3. On Router ASBR2, create the to-PE2 internal BGP peer group. Specify the local IP peer address as the local lo0.0 address. Specify the neighbor IP peer address as the lo0.0 interface address of Router PE2.

    content_copy zoom_out_map
    user@ASBR2#
set protocols bgp group to-PE2 type internal
set protocols bgp group to-PE2 local-address 192.168.200.3
set protocols bgp group to-PE2 neighbor 192.168.200.1 family inet-vpn unicast

  4. On Router ASBR2, create the to-ASBR1 external BGP peer group. Enable the router to use BGP to advertise NLRI for unicast routes. Specify the neighbor IP peer address as the Gigabit Ethernet interface on Router ASBR1.

    content_copy zoom_out_map
    user@ASBR2#
set protocols bgp group to-ASBR1 type external
set protocols bgp group to-ASBR1 family inet-vpn unicast
set protocols bgp group to-ASBR1 neighbor 172.16.12.1 peer-as 65100

  5. On Router ASBR2, configure the BGP local autonomous system number and the router ID.

    content_copy zoom_out_map
    user@ASBR2#
set routing-options router-id 192.168.200.3
set routing-options autonomous-system 65200

Configuring Router P2

Step-by-Step Procedure

  1. On Router P2, configure IP addresses for the Gigabit Ethernet interfaces. Enable the interfaces to process the inet and mpls address families. Configure the IP address for the lo0.0 loopback interface and enable the interface to process the inet address family.

    content_copy zoom_out_map
    user@P2#
set interfaces ge-0/0/0 description to_ASBR2
set interfaces ge-0/0/0 unit 0 family inet address 10.2.2.1/30
set interfaces ge-0/0/0 unit 0 family mpls
set interfaces ge-0/0/1 description to_PE2
set interfaces ge-0/0/1 unit 0 family inet address 10.2.1.2/30
set interfaces ge-0/0/1 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 192.168.200.2/32

  2. On Router P2, configure the RSVP and MPLS protocols to support the LSP. Specify the Gigabit Ethernet interfaces.

    Configure the OSPF protocol. Specify the Gigabit Ethernet interfaces and specify the logical loopback interface. Enable OSPF to support traffic engineering extensions.

    content_copy zoom_out_map
    user@P2#
set protocols mpls interface ge-0/0/0.0
set protocols mpls interface ge-0/0/1.0
set protocols mpls interface lo0.0
set protocols ospf traffic-engineering
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0
set protocols ospf area 0.0.0.0 interface lo0.0
set protocols rsvp interface ge-0/0/0.0
set protocols rsvp interface ge-0/0/1.0
set protocols rsvp interface lo0.0

Configuring Router PE2

Step-by-Step Procedure

  1. On Router PE2, configure IPv4 addresses on the Gigabit Ethernet and logical loopback interfaces. Specify the inet address family on all of the interfaces. Specify the mpls address family on the Gigabit Ethernet interfaces.

    content_copy zoom_out_map
    user@PE2#
set interfaces ge-0/0/0 description to_P2
set interfaces ge-0/0/0 unit 0 family inet address 10.2.1.1/30
set interfaces ge-0/0/0 unit 0 family mpls
set interfaces ge-0/0/1 description to_CE2
set interfaces ge-0/0/1 unit 0 family inet address 172.16.2.2/30
set interfaces lo0 unit 0 family inet address 192.168.200.1/32

  2. On Router PE2, configure a VRF routing instance. Specify the vrf instance type and specify the customer-facing interface. Configure a route distinguisher to create a unique VPN-IPv4 address prefix. Apply the VRF import and export policies to enable the sending and receiving of route targets. Configure the BGP peer group within the VRF. Specify AS 65020 as the peer AS and specify the IP address of the Gigabit Ethernet interface on Router CE1 as the neighbor address.

    content_copy zoom_out_map
    user@PE2#
set routing-instances to_CE2 instance-type vrf
set routing-instances to_CE2 protocols bgp group to_CE2 peer-as 65020
set routing-instances to_CE2 protocols bgp group to_CE2 neighbor 172.16.2.1
set routing-instances to_CE2 interface ge-0/0/1.0
set routing-instances to_CE2 route-distinguisher 192.168.200.1:1
set routing-instances to_CE2 vrf-import vpnimport
set routing-instances to_CE2 vrf-export vpnexport

  3. On Router PE2, configure the RSVP and MPLS protocols to support the LSP. Configure the LSP to ASBR2 and specify the IP address of the logical loopback interface on Router ASBR2. Configure a BGP group. Specify the group type as internal. Specify the local address as the logical loopback interface on Router PE2. Specify the neighbor address as the logical loopback interface on the Router ASBR2. Specify the inet-vpn address family and unicast traffic type to enable BGP to carry IPv4 NLRI for VPN routes. Configure the OSPF protocol. Specify the core-facing interface and the logical loopback interface on Router PE2.

    content_copy zoom_out_map
    user@PE2#
set protocols bgp group to-ASBR2 type internal
set protocols bgp group to-ASBR2 local-address 192.168.200.1
set protocols bgp group to-ASBR2 neighbor 192.168.200.3 family inet-vpn unicast
set protocols mpls label-switched-path to-ASBR2 to 192.168.200.3
set protocols mpls interface ge-0/0/0.0
set protocols mpls interface lo0.0
set protocols ospf traffic-engineering
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface lo0.0
set protocols rsvp interface ge-0/0/0.0
set protocols rsvp interface lo0.0

  4. On Router PE2, configure the BGP local autonomous system number and the router ID.

    content_copy zoom_out_map
    user@PE2#
set routing-options router-id 192.168.200.1
set routing-options autonomous-system 65200

  5. On Router PE2, configure a policy to add the VRF route target to the routes being advertised from CE2.

    content_copy zoom_out_map
    user@PE2#
set policy-options policy-statement vpnexport term 1 from protocol bgp
set policy-options policy-statement vpnexport term 1 then community add pe2_comm
set policy-options policy-statement vpnexport term 1 then accept
set policy-options policy-statement vpnexport term 2 then reject

  6. On Router PE2, configure a policy to import routes from PE1 that have the pe1_comm community attached.

    content_copy zoom_out_map
    user@PE2#
set policy-options policy-statement vpnimport term 1 from protocol bgp
set policy-options policy-statement vpnimport term 1 from community pe1_comm
set policy-options policy-statement vpnimport term 1 then accept
set policy-options policy-statement vpnimport term 2 then reject

  7. On Router PE2, define the pe2_comm BGP community with a route target to apply to the vpnexport policy and define the pe1_comm BGP community with a route target to apply to the vpnimport policy

    content_copy zoom_out_map
    user@PE2#
set policy-options community pe1_comm members target:65100:1
set policy-options community pe2_comm members target:65200:1

Configuring Router CE2

Step-by-Step Procedure

  1. On Router CE2, configure the IP address and protocol family on the logical loopback interface and the Gigabit Ethernet interface for the link between Router CE2 and Router PE2. Specify the inet address family type.

    content_copy zoom_out_map
    user@CE2#
set interfaces ge-0/0/0 description to_PE2
set interfaces ge-0/0/0 unit 0 family inet address 172.16.2.1/30
set interfaces lo0 unit 0 family inet address 192.168.2.1/32

  2. On Router CE2, define a policy named loopback that matches on the loopback address for CE2.

    content_copy zoom_out_map
    user@CE2#
set policy-options policy-statement loopback term 1 from route-filter 192.168.2.1/32 exact
set policy-options policy-statement loopback term 1 then accept

  3. On Router CE2, configure a routing protocol. The routing protocol can be a static route, RIP, OSPF, ISIS, or EBGP. In this example, we configure EBGP. Specify AS 65200 as the peer AS and specify the BGP neighbor IP address as the Gigabit Ethernet interface of Router PE2. Include the export statement.

    content_copy zoom_out_map
    user@CE2#
set protocols bgp group to_PE2 export loopback
set protocols bgp group to_PE2 peer-as 65200
set protocols bgp group to_PE2 neighbor 172.16.2.2

  4. On Router CE2, configure the BGP local autonomous system number and the router ID.

    content_copy zoom_out_map
    user@CE2#
set routing-options router-id 192.168.2.1
set routing-options autonomous-system 65020

Verifying the VPN Operation

Step-by-Step Procedure

  1. Commit the configuration on each router.

    Note:

    The MPLS labels shown in this example will be different than the labels used in your configuration.

  2. On Router PE1, display the routes for the to_CE1 routing instance using the show ospf route command. Verify that the 192.168.1.1 route is learned from OSPF.

    content_copy zoom_out_map
    user@PE1> show ospf route instance to_CE1
Topology default Route Table:

Prefix             Path  Route      NH       Metric NextHop       Nexthop
                   Type  Type       Type            Interface     Address/LSP
192.168.1.1        Intra Router     IP            1 ge-0/0/0.0    172.16.1.1
172.16.1.0/30      Intra Network    IP            1 ge-0/0/0.0
192.168.1.1/32     Intra Network    IP            1 ge-0/0/0.0    172.16.1.1

  3. On Router PE1, use the show route advertising-protocol command to verify that Router PE1 advertises the 192.168.1.1 route to Router ASBR1 using MP-BGP with the VPN MPLS label.

    content_copy zoom_out_map
    user@PE1> show route advertising-protocol bgp 192.168.100.3 extensive
to_CE1.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
* 192.168.1.1/32 (1 entry, 1 announced)
 BGP group to-ASBR1 type Internal
     Route Distinguisher: 192.168.100.1:1
     VPN Label: 299808
     Nexthop: Self
     Flags: Nexthop Change
     MED: 1
     Localpref: 100
     AS path: [65100] I 
     Communities: target:65100:1 rte-type:0.0.0.0:1:0

  4. On Router ASBR1, use the show route receive-protocol command to verify that the router receives and accepts the 192.168.1.1 route and places it in the bgp.l3vpn.0 routing table.

    content_copy zoom_out_map
    user@ASBR1> show route receive-protocol bgp 192.168.100.1 extensive
inet.0: 15 destinations, 15 routes (15 active, 0 holddown, 0 hidden)

inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

mpls.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)

bgp.l3vpn.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
* 192.168.100.1:1:192.168.1.1/32 (1 entry, 1 announced)
     Accepted
     Route Distinguisher: 192.168.100.1:1
     VPN Label: 299808
     Nexthop: 192.168.100.1
     MED: 1
     Localpref: 100
     AS path: I 
     Communities: target:65100:1 rte-type:0.0.0.0:1:0

  5. On Router ASBR1, use the show route advertising-protocol command to verify that Router ASBR1 advertises the 192.168.1.1 route to Router ASBR2.

    content_copy zoom_out_map
    user@ASBR1> show route advertising-protocol bgp 172.16.12.2 extensive
bgp.l3vpn.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
* 192.168.100.1:1:192.168.1.1/32 (1 entry, 1 announced)
 BGP group to-ASBR2 type External
     Route Distinguisher: 192.168.100.1:1
     VPN Label: 299824
     Nexthop: Self
     Flags: Nexthop Change
     AS path: [65100] I 
     Communities: target:65100:1 rte-type:0.0.0.0:1:0

  6. On Router ASBR2, use the show route receive-protocol command to verify that the router receives and accepts the 192.168.1.1 route and places it in the bgp.l3vpn.0 routing table.

    content_copy zoom_out_map
    user@ASBR2> show route receive-protocol bgp 172.16.12.1 extensive
inet.0: 15 destinations, 15 routes (15 active, 0 holddown, 0 hidden)

inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

mpls.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)

bgp.l3vpn.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
* 192.168.100.1:1:192.168.1.1/32 (1 entry, 1 announced)
     Accepted
     Route Distinguisher: 192.168.100.1:1
     VPN Label: 299824
     Nexthop: 172.16.12.1
     AS path: 65100 I 
     Communities: target:65100:1 rte-type:0.0.0.0:1:0

  7. On Router ASBR2, use the show route advertising-protocol command to verify that Router ASBR2 advertises the 192.168.1.1 route to Router PE2.

    content_copy zoom_out_map
    user@ASBR2> show route advertising-protocol bgp 192.168.200.1 extensive
bgp.l3vpn.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
* 192.168.100.1:1:192.168.1.1/32 (1 entry, 1 announced)
 BGP group to-PE2 type Internal
     Route Distinguisher: 192.168.100.1:1
     VPN Label: 299824
     Nexthop: Self
     Flags: Nexthop Change
     Localpref: 100
     AS path: [65200] 65100 I 
     Communities: target:65100:1 rte-type:0.0.0.0:1:0

  8. On Router PE2, use the show route receive-protocol command to verify that the router receives and accepts the 192.168.1.1 route and places it in the to_CE2.inet.0 routing table.

    content_copy zoom_out_map
    user@PE2> show route receive-protocol bgp 192.168.200.3 extensive
inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)

inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
to_CE2.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
* 192.168.1.1/32 (1 entry, 1 announced)
     Import Accepted
     Route Distinguisher: 192.168.100.1:1
     VPN Label: 299824
     Nexthop: 192.168.200.3
     Localpref: 100
     AS path: 65100 I 
     Communities: target:65100:1 rte-type:0.0.0.0:1:0

mpls.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)

bgp.l3vpn.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

* 192.168.100.1:1:192.168.1.1/32 (1 entry, 0 announced)
     Import Accepted
     Route Distinguisher: 192.168.100.1:1
     VPN Label: 299824
     Nexthop: 192.168.200.3
     Localpref: 100
     AS path: 65100 I 
     Communities: target:65100:1 rte-type:0.0.0.0:1:0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

to_CE2.inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

  9. On Router PE2, use the show route advertising-protocol command to verify that Router PE2 advertises the 192.168.1.1 route to Router CE2 through the to_CE2 peer group.

    content_copy zoom_out_map
    user@PE2> show route advertising-protocol bgp 172.16.2.1 extensive
to_CE2.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
* 192.168.1.1/32 (1 entry, 1 announced)
 BGP group to_CE2 type External
     Nexthop: Self
     AS path: [65200] 65100 I 
     Communities: target:65100:1 rte-type:0.0.0.0:1:0

  10. On Router CE2, use the show route command to verify that Router CE2 receives the 192.168.1.1 route from Router PE2.

    content_copy zoom_out_map
    user@CE2> show route 192.168.1.1
inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.1.1/32     *[BGP/170] 6d 02:09:53, localpref 100
                      AS path: 65200 65100 I, validation-state: unverified
                    >  to 172.16.2.2 via ge-0/0/0.0

  11. On Router CE2, use the ping command and specify 192.168.2.1 as the source of the ping packets to verify connectivity with Router CE1.

    content_copy zoom_out_map
    user@CE2> ping 192.168.1.1 source 192.168.2.1 count 2
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=58 time=27.008 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=58 time=40.004 ms

--- 192.168.1.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 27.008/33.506/40.004/6.498 ms
    Note:

    To ping end-to-end without sourcing from the loopback make sure to advertise the PE-to-CE interface routes. You can accomplish this a few ways but for this example add protocol direct to the vpnexport policy on both PE1 and PE2.

See Also

Example: Configuring Interprovider Layer 3 VPN Option C

Interprovider Layer 3 VPN Option C provides interprovider multihop EBGP redistribution of labeled VPN-IPv4 routes between source and destination ASs, with EBGP redistribution of labeled IPv4 routes from AS to neighboring AS. Compared to Option A and Option B, Option C is the most scalable solution. To configure an interprovider Layer 3 VPN option C service, you need to configure the AS border routers and the PE routers connected to the end customer’s CE routers using multihop EBGP.

This example provides a step-by-step procedure to configure interprovider layer 3 VPN option C, which is one of the recommended implementations of MPLS VPN when that service is required by a customer that has more than one AS but not all of the customer’s ASs can be serviced by the same service provider (SP). It is organized in the following sections:

Requirements

This example requires the following hardware and software components:

  • Junos OS Release 9.5 or later.

  • Eight Juniper Networks M Series Multiservice Edge Routers, T Series Core Routers, TX Matrix Routers, or MX Series 5G Universal Routing Platforms.

Configuration Overview and Topology

Interprovider layer 3 VPN option C is a very scalable interprovider VPN solution to the problem of providing VPN services to a customer that has different sites, not all of which can use the same SP.

RFC 4364 section 10, refers to this method as multihop EBGP redistribution of labeled VPN-IPv4 routes between source and destination ASs, with EBGP redistribution of labeled IPv4 routes from AS to neighboring AS.

This solution is similar to the solution described in Implementing Interprovider Layer 3 VPN Option B, except internal IPv4 unicast routes are advertised instead of external VPN-IPv4-unicast routes, using EBGP. Internal routes are internal to leaf SPs (SP1 and SP2 in this example), and external routes are those learned from the end customer requesting VPN services.

In this configuration:

  • After the loopback address of Router PE2 is learned by Router PE1 and the loopback address of Router PE1 is learned by Router PE2, the end PE routers establish an MP-EBGP session for exchanging VPN-IPv4 routes.

  • Since VPN-IPv4 routes are exchanged among end PE routers, any other router on the path from Router PE1 and Router PE2 does not need to keep or install VPN-IPv4 routes in their routing information base (RIB) or forwarding information base (FIB) tables.

  • An MPLS path needs to be established between Router PE1 and Router PE2.

RFC 4364 describes only one solution that uses a BGP labeled-unicast approach. In this approach, the ASBR routers advertise the loopback addresses of the PE routers and associate each prefix with a label according to RFC 3107. Service providers may use RSVP or LDP to establish an LSP between ASBR routers and PE routers in their internal network.

In this network, ASBR1 receives label information associated with the loopback IP address of Router PE1 and advertises another label to Router ASBR2 using MP-EBGP labeled-unicast. Meanwhile, the ASBRs build their own MPLS forwarding table according to the received and advertised routes and labels. Router ASBR1 uses its own IP address as the next-hop information.

Router ASBR2 receives this prefix associated with a label, assigns another label, changes the next-hop address to its own address, and advertises it to Router PE1. Router PE1 now has an update with the label information and next-hop to Router ASBR1. Also, Router PE1 already has a label associated with the IP address of Router ASBR1. If Router PE1 sends an IP packet to Router PE2, it pushes two labels: one for the IP address of Router PE2 (obtained using MP-IBGP labeled-unicast advertisement) and one for the IP address of Router ASBR1 (obtained using LDP or RSVP).

Router ASBR1 then pops the outer label and swaps the inner label with the label learned from a neighbor ASBR for its neighboring PE router. Router ASBR2 performs a similar function and swaps the incoming label (only one) and pushes another label that is associated with the address of Router PE2. Router PE2 pops both labels and passes the remaining IP packet to its own CPU. After the end-to-end connection among the PE routers is created, the PE routers establish an MP-EBGP session to exchange VPN-IPv4 routes.

In this solution, PE routers push three labels onto the IP packet coming from the VPN end user. The inner-most label, obtained using MP-EBGP, determines the correct VPN routing and forwarding (VRF) routing instance at the remote PE. The middle label is associated with the IP address of the remote PE and is obtained from an ASBR using MP-IBGP labeled-unicast. The outer label is associated with the IP addresses of the ASBRs and is obtained using LDP or RSVP.

The physical topology of the network is shown in Figure 4.

Figure 4: Physical Topology of Interprovider Layer 3 VPN Option C Physical Topology of Interprovider Layer 3 VPN Option C

Topology

Configuration

Note:

The procedure presented here is written with the assumption that the reader is already familiar with MPLS MVPN configuration. This example focuses on explaining the unique configuration required for carrier-of-carriers solutions for VPN services to different sites.

To configure interprovider layer 3 VPN option C, perform the following tasks:

Configuring Router CE1

Step-by-Step Procedure

  1. On Router CE1, configure the IP address and protocol family on the Fast Ethernet interface for the link between Router CE1 and Router PE1. Specify the inet address family type.

    content_copy zoom_out_map
    [edit interfaces fe-0/0/1.0]
family inet {
    address 198.51.100.1/24;
}

  2. On Router CE1, configure the IP address and protocol family on the loopback interface. Specify the inet address family type.

    content_copy zoom_out_map
    [edit interfaces lo0]
unit 0 {
    family inet {
        address 192.0.2.1/32;
    }
}

  3. On Router CE1, configure a routing protocol. The routing protocol can be a static route, RIP, OSPF, ISIS, or EBGP. In this example we configure OSPF. Include the logical interface for the link between Router CE1 and Router PE1 and the logical loopback interface of Router CE1.

    content_copy zoom_out_map
    [edit protocols]
ospf {
    area 0.0.0.2 {
        interface fe-0/0/1.0;
        interface lo0.0 {
            passive;
        }
    }
}

Configuring Router PE1

Step-by-Step Procedure

  1. On Router PE1, configure IPv4 addresses on the SONET, Fast Ethernet, and logical loopback interfaces. Specify the inet address family on all of the interfaces. Specify the mpls address family on the SONET interfaces.

    content_copy zoom_out_map
    [edit interfaces]
so-0/2/0 {
    unit 0 {
        family inet {
            address 192.168.1.2/24;
        }
        family mpls;
    }
}
fe-1/2/3 {
    unit 0 {
        family inet {
            address 198.51.100.3/24;
        }
    }
}
lo0 {
    unit 0 {
        family inet {
            address 192.0.2.2/32;
        }
        
    }
}

  2. On Router PE1, configure the routing instance for VPN2. Specify the vrf instance type and specify the customer-facing Fast Ethernet interface. Configure a route distinguisher to create a unique VPN-IPv4 address prefix. Apply the VRF import and export policies to enable the sending and receiving of route targets. Configure the OSPF protocol within the VRF. Specify the customer-facing Fast Ethernet interface and specify the export policy to export BGP routes into OSPF.

    content_copy zoom_out_map
    [edit routing-instances]
vpn2CE1 {
    instance-type vrf;
    interface fe-1/2/3.0;
    route-distinguisher 1:100;
    vrf-import vpnimport;
    vrf-export vpnexport;
    protocols {
        ospf {
            export bgp-to-ospf;
            area 0.0.0.2 {
                interface fe-1/2/3.0;
            }
        }
    }
}

  3. On Router PE1, configure the RSVP and MPLS protocols to support the LSP. Configure the LSP to Router ASBR1 and specify the IP address of the logical loopback interface on Router ASBR1. Configure the OSPF protocol. Specify the core-facing SONET interface and specify the logical loopback interface on Router PE1.

    content_copy zoom_out_map
    [edit protocols]
rsvp {
    interface so-0/2/0.0;
    interface lo0.0;
}
mpls {
    label-switched-path To-ASBR1 {
        to 192.0.2.4;
    }
    interface so-0/2/0.0;
    interface lo0.0;
}
ospf {
    traffic-engineering;
    area 0.0.0.0 {
        interface so-0/2/0.0;
        interface lo0.0 {
            passive;
        }
    }
}

  4. On Router PE1, configure the To_ASBR1 peer BGP group. Specify the group type as internal. Specify the local address as the logical loopback interface on Router PE1. Specify the neighbor address as the logical loopback interface on Router ASBR1. Specify the inet address family. For a PE router to install a route in the VRF, the next hop must resolve to a route stored within the inet.3 table. The labeled-unicast resolve-vpn statements allow labeled routes to be placed in the inet.3 routing table for route resolution, which are then resolved for PE router connections where the remote PE is located across another AS.

    content_copy zoom_out_map
    [edit protocols]
bgp {
    group To_ASBR1 {
        type internal;
        local-address 192.0.2.2;
        neighbor 192.0.2.4 {
            family inet {
                labeled-unicast {
                    resolve-vpn;
                }
            }
        }
    }
}

  5. On Router PE1, configure multihop EBGP toward PE2. Specify the inet-vpn family.

    content_copy zoom_out_map
    [edit protocols]
bgp {
    group To_PE2 {
        multihop {
            ttl 20;
        }
        local-address 192.0.2.2;
        family inet-VPN {
            unicast;
        }
        neighbor 192.0.2.7 {
            peer-as 200;
        }
    }
}

  6. On Router PE1, configure the BGP local autonomous system number.

    content_copy zoom_out_map
    [edit routing-options]
autonomous-system 100;

  7. On Router PE1, configure a policy to export the BGP routes into OSPF.

    content_copy zoom_out_map
    [edit policy-options]
policy-statement bgp-to-ospf {
    term 1 {
        from protocol bgp;
        then accept;
    }
    term 2 {
        then reject;
    }
}

  8. On Router PE1, configure a policy to add the VRF route target to the routes being advertised for this VPN.

    content_copy zoom_out_map
    [edit policy-options]
    policy-statement vpnexport {
        term 1 {
            from protocol ospf;
            then {
                community add test_comm;
                accept;
            }
        }
        term 2 {
            then reject;
        }
    }

  9. On Router PE1, configure a policy to import routes from BGP that have the test_comm community attached.

    content_copy zoom_out_map
    [edit policy-options]
    policy-statement vpnimport {
        term 1 {
            from {
                protocol bgp;
                community test_comm;
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }

  10. On Router PE1, define the test_comm BGP community with a route target.

    content_copy zoom_out_map
    [edit policy-options]
community test_comm members target:1:100;

Configuring Router P1

Step-by-Step Procedure

  1. On Router P1, configure IP addresses for the SONET and Gigabit Ethernet interfaces. Enable the interfaces to process the inet and mpls address families. Configure the IP address for the lo0.0 loopback interface and enable the interface to process the inet address family.

    content_copy zoom_out_map
    [edit interfaces]
so-0/2/1 {
    unit 0 {
        family inet {
            address 192.168.1.4/24;
        }
        family mpls;
    }
}
ge-1/3/0 {
    unit 0 {
        family inet {
            address 192.168.2.5/24;
        }
        family mpls;
    }
}
lo0 {
    unit 0 {
        family inet {
            address 192.0.2.3/32;
        }
    }
}

  2. On Router P1, configure the RSVP and MPLS protocols to support the LSP. Specify the SONET and Gigabit Ethernet interfaces.

    Configure the OSPF protocol. Specify the SONET and Gigabit Ethernet interfaces and specify the logical loopback interface. Enable OSPF to support traffic engineering extensions.

    content_copy zoom_out_map
    [edit protocols]
rsvp {
    interface so-0/2/1.0;
    interface ge-1/3/0.0;
    interface lo0.0;
}
mpls {
    interface lo0.0;
    interface ge-1/3/0.0;
    interface so-0/2/1.0;
}
ospf {
    traffic-engineering;
    area 0.0.0.0 {
        interface ge-1/3/0.0;
        interface so-0/2/1.0;
        interface lo0.0 {
            passive;
        }
    }
}

Configuring Router ASBR1

Step-by-Step Procedure

  1. On Router ASBR1, configure IP addresses for the Gigabit Ethernet interfaces. Enable the interfaces to process the inet and mpls addresses families. Configure the IP addresses for the lo0.0 loopback interface and enable the interface to process the inet address family.

    content_copy zoom_out_map
    [edit interfaces]
ge-0/0/0 {
    unit 0 {
        family inet {
            address 192.168.2.6/24;
        }
        family mpls;
    }
}
ge-0/1/1 {
    unit 0 {
        family inet {
            address 192.168.3.7/24;
        }
        family mpls;
    }
}
lo0 {
    unit 0 {
        family inet {
            address 192.0.2.4/32;
        }
    }
}

  2. On Router ASBR1, configure the protocols to support the LSP.

    Configure the RSVP protocol by specifying the Gigabit Ethernet interface that is facing the P1 router and the logical loopback interface.

    Configure the MPLS protocol by specifying the Gigabit Ethernet interfaces and the logical loopback interface. Include the traffic-engineering bgp-igp-both-ribs statement at the [edit protocols mpls] hierarchy level.

    Configure the OSPF protocol on the Gigabit Ethernet interface facing the P1 router and the logical loopback interface. Enable OSPF to support traffic engineering extensions.

    content_copy zoom_out_map
    [edit protocols]
rsvp {
    interface ge-0/0/0.0;
    interface lo0.0;
}
mpls {
    traffic-engineering bgp-igp-both-ribs;
    label-switched-path To_PE1 {
        to 192.0.2.2;
    }
    interface lo0.0;
    interface ge-0/0/0.0;
    interface ge-0/1/1.0;
}
ospf {
    traffic-engineering;
    area 0.0.0.0 {
        interface ge-0/0/0.0;
        interface lo0.0 {
            passive;
        }
    }
}

  3. On Router ASBR1, create the To-PE1 internal BGP peer group. Specify the local IP peer address as the local lo0.0 address. Specify the neighbor IP peer address as the Gigabit Ethernet interface address of Router PE1.

    content_copy zoom_out_map
    [edit protocols]
bgp {
    group To-PE1 {
        type internal;
        local-address 192.0.2.4;
        neighbor 192.0.2.2 {
            family inet {
                labeled-unicast;
            }
            export next-hop-self;
        }
    }

  4. On Router ASBR1, create the To-ASBR2 external BGP peer group. Enable the router to use BGP to advertise network layer reachability information (NLRI) for unicast routes. Specify the neighbor IP peer address as the Gigabit Ethernet interface address on Router ASBR2.

    content_copy zoom_out_map
    [edit protocols]
group To-ASBR2 {
    type external;
    family inet {
        labeled-unicast;
    }
    export To-ASBR2;
    neighbor 192.168.3.8 {
        peer-as 200;
    }
}

  5. On Router ASBR1, configure the BGP local autonomous system number.

    content_copy zoom_out_map
    [edit routing-options]
autonomous-system 100;

  6. On Router ASBR 1, configure a policy to import routes from BGP that match the 192.0.2.2/24 route.

    content_copy zoom_out_map
    [edit policy-options]
policy-statement To-ASBR2 {
    term 1 {
        from {
            route-filter 192.0.2.2/32 exact;
        }
        then accept;
    }
    term 2 {
        then reject;
    }

  7. On Router ASBR 1, define a next-hop self policy and apply it to the IBGP sessions.

    content_copy zoom_out_map
    [edit policy-options]
policy-statement next-hop-self {
    then {
        next-hop self;
    }
}

Configuring Router ASBR2

Step-by-Step Procedure

  1. On Router ASBR2, configure IP addresses for the Gigabit Ethernet interfaces. Enable the interfaces to process the inet and mpls address families. Configure the IP address for the lo0.0 loopback interface and enable the interface to process the inet address family.

    content_copy zoom_out_map
    [edit interfaces]
ge-0/1/1 {
    unit 0 {
        family inet {
            address 192.168.3.8/24;
        }
        family mpls;
    }
}
ge-0/2/3 {
    unit 0 {
        family inet {
            address 192.168.4.9/24;
        }
        family mpls;
    }
}
lo0 {
    unit 0 {
        family inet {
            address 192.0.2.5/32;
        }
    }
}

  2. On Router ASBR2, configure the protocols to support the LSP.

    Configure the RSVP protocol by specifying the Gigabit Ethernet interface facing the P2 router and the logical loopback interface .

    Configure the MPLS protocol by specifying the Gigabit Ethernet interfaces and the logical loopback interface. Include the traffic-engineering bgp-igp-both-ribs statement at the [edit protocols mpls] hierarchy level.

    Configure the OSPF protocol on the Gigabit Ethernet interface facing the P2 router and the logical loopback interface . Enable OSPF to support traffic engineering extensions.

    content_copy zoom_out_map
    [edit protocols]
rsvp {
    interface ge-0/2/3.0;
    interface lo0.0;
}
mpls {
    traffic-engineering bgp-igp-both-ribs;
    label-switched-path To_PE2 {
        to 192.0.2.7;
    }
    interface lo0.0
    interface ge-0/2/3.0;
    interface ge-0/1/1.0;
}
ospf {
    traffic-engineering;
    area 0.0.0.0 {
        interface ge-0/2/3.0;
        interface lo0.0 {
            passive;
        }
    }
}

  3. On Router ASBR2, create the To-PE2 internal BGP peer group. Specify the local IP peer address as the local lo0.0 address. Specify the neighbor IP peer address as the lo0.0 interface address of Router PE2.

    content_copy zoom_out_map
    [edit protocols]
bgp {
    group To-PE2 {
        type internal;
        local-address 192.0.2.5;
        export next-hop-self;
        neighbor 192.0.2.7 {
            family inet {
                labeled-unicast;
            }
            export next-hop-self;
        }
    }
}

  4. On Router ASBR2, create the To-ASBR1 external BGP peer group. Enable the router to use BGP to advertise NLRI for unicast routes. Specify the neighbor IP peer address as the Gigabit Ethernet interface address on Router ASBR1.

    content_copy zoom_out_map
    [edit protocols]
bgp {
    group To-ASBR1 {
        type external;
        family inet {
            labeled-unicast;
        }
        export To-ASBR1;
        neighbor 192.168.3.7 {
            peer-as 100;
        }
    }
}

  5. On Router ASBR2 configure the BGP local autonomous system number.

    content_copy zoom_out_map
    [edit routing-options]
autonomous-system 200;

  6. On Router ASBR2, configure a policy to import routes from BGP that match the 192.0.2.7/24 route.

    content_copy zoom_out_map
    [edit policy-options]
policy-statement To-ASBR1 {
    term 1 {
        from {
            route-filter 192.0.2.7/32 exact;
        }
        then accept;
    }
    term 2 {
        then reject;
    }
}

  7. On Router ASBR 2, define a next-hop self policy.

    content_copy zoom_out_map
    [edit policy-options]
policy-statement next-hop-self {
    then {
        next-hop self;
    }
}

Configuring Router P2

Step-by-Step Procedure

  1. On Router P2, configure IP addresses for the SONET and Gigabit Ethernet interfaces. Enable the interfaces to process the inet and mpls addresses families. Configure the IP addresses for the lo0.0 loopback interface and enable the interface to process the inet address family.

    content_copy zoom_out_map
    [edit interfaces]
so-0/0/0 {
    unit 0 {
        family inet {
            address 192.168.5.10/24;
        }
        family mpls;
    }
}
ge-0/2/2 {
    unit 0 {
        family inet {
            address 192.168.4.11/24;
        }
        family mpls;
    }
}
lo0 {
    unit 0 {
        family inet {
            address 192.0.2.6/32;
        }
    }
}

  2. On Router P2, configure the RSVP and MPLS protocols to support the LSP. Specify the SONET and Gigabit Ethernet interfaces.

    Configure the OSPF protocol. Specify the SONET and Gigabit Ethernet interfaces and specify the logical loopback interface. Enable OSPF to support traffic engineering extensions.

    content_copy zoom_out_map
    [edit protocols]
rsvp {
    interface so-0/0/0.0;
    interface ge-0/2/2.0;
    interface lo0.0;
}
mpls {
    interface lo0.0;
    interface ge-0/2/2.0;
    interface so-0/0/0.0;
}
ospf {
    traffic-engineering;
    area 0.0.0.0 {
        interface ge-0/2/2.0;
        interface so-0/0/0.0;
        interface lo0.0 {
            passive;
        }
    }
}

Configuring Router PE2

Step-by-Step Procedure

  1. On Router PE2, configure IPv4 addresses on the SONET, Fast Ethernet, and logical loopback interfaces. Specify the inet address family on all of the interfaces. Specify the mpls address family on the SONET interface.

    content_copy zoom_out_map
    [edit interfaces]
so-0/0/1 {
    unit 0 {
        family inet {
            address 192.168.5.12/24;
        }
        family mpls;
    }
}
fe-0/3/1 {
    unit 0 {
        family inet {
            address 192.168.6.13/24;
        }
    }
}
lo0 {
    unit 0 {
        family inet {
            address 192.0.2.7/32;
        }
    }
}

  2. On Router PE2, configure the routing instance for VPN2. Specify the vrf instance type and specify the customer-facing Fast Ethernet interface. Configure a route distinguisher to create a unique VPN-IPv4 address prefix. Apply the VRF import and export policies to enable the sending and receiving of route targets. Configure the BGP peer group within the VRF. Specify AS 20 as the peer AS and specify the IP address of the Fast Ethernet interface on Router CE1 as the neighbor address.

    content_copy zoom_out_map
    [edit routing-instances]
vpn2CE2 {
    instance-type vrf;
    interface fe-0/3/1.0;
    route-distinguisher 1:100;
    vrf-import vpnimport;
    vrf-export vpnexport;
    protocols {
        bgp {
            group To_CE2 {
                peer-as 20;
                neighbor 192.168.6.14;
            }
        }
    }
}

  3. On Router PE2, configure the RSVP and MPLS protocols to support the LSP. Configure the LSP to ASBR2 and specify the IP address of the logical loopback interface on Router ASBR2. Configure the OSPF protocol. Specify the core-facing SONET interface and specify the logical loopback interface on Router PE2.

    content_copy zoom_out_map
    [edit protocols]
rsvp {
    interface so-0/0/1.0;
    interface lo0.0;
}
mpls {
    label-switched-path To-ASBR2 {
        to 192.0.2.5;
    }
    interface so-0/0/1.0;
    interface lo0.0;
}
ospf {
    traffic-engineering;
    area 0.0.0.0 {
        interface so-0/0/1.0;
        interface lo0.0 {
            passive;
        }
    }
}

  4. On Router PE2, configure the To_ASBR2 BGP group. Specify the group type as internal. Specify the local address as the logical loopback interface on Router PE2. Specify the neighbor address as the logical loopback interface on the Router ASBR2.

    content_copy zoom_out_map
    [edit protocols]
bgp {
    group To_ASBR2 {
        type internal;
        local-address 192.0.2.7;
        neighbor 192.0.2.5 {
            family inet {
                labeled-unicast {
                    resolve-vpn;
                }
            }
        }
    }
}

  5. On Router PE2, configure multihop EBGP towards Router PE1 Specify the inet-vpn address family.

    content_copy zoom_out_map
    [edit protocols]
bgp {
    group To_PE1 {
        type external;
        local-address 192.0.2.7;
        multihop {
            ttl 20;
        }
        family inet-vpn {
            unicast;
        }
        neighbor 192.0.2.2 {
            peer-as 100;
        }
    }
}

  6. On Router PE2, configure the BGP local autonomous system number.

    content_copy zoom_out_map
    [edit routing-options]
autonomous-system 200;

  7. On Router PE2, configure a policy to add the VRF route target to the routes being advertised for this VPN.

    content_copy zoom_out_map
    [edit policy-options]
policy-statement vpnexport {
    term 1 {
        from protocol bgp;
        then {
            community add test_comm;
            accept;
        }
    }
    term 2 {
        then reject;
    }
}

  8. On Router PE2, configure a policy to import routes from BGP that have the test_comm community attached.

    content_copy zoom_out_map
    [edit policy-options]
policy-statement vpnimport {
    term 1 {
        from {
            protocol bgp;
            community test_comm;
        }
        then accept;
    }
    term 2 {
        then reject;
    }
}

  9. On Router PE1, define the test_comm BGP community with a route target.

    content_copy zoom_out_map
    [edit policy-options]
community test_comm members target:1:100;

Configuring Router CE2

Step-by-Step Procedure

  1. On Router CE2, configure the IP address and protocol family on the Fast Ethernet interface for the link between Router CE2 and Router PE2. Specify the inet address family type.

    content_copy zoom_out_map
    [edit interfaces]
fe-3/0/0 {
    unit 0 {
        family inet {
            address 192.168.6.14/24;
        }
    }
}

  2. On Router CE2, configure the IP address and protocol family on the loopback interface. Specify the inet address family type.

    content_copy zoom_out_map
    [edit interfaces lo0]
lo0 {
    unit 0 {
        family inet {
            address 192.0.2.8/32;
        }
    }
}

  3. On Router CE2, define a policy named myroutes that accepts direct routes.

    content_copy zoom_out_map
    [edit policy-options]
policy-statement myroutes {
    from protocol direct;
    then accept;
}

  4. On Router CE2, configure a routing protocol. The routing protocol can be a static route, RIP, OSPF, ISIS, or EBGP. In this example, we configure EBGP. Specify the BGP neighbor IP address as the logical loopback interface of Router PE1. Apply the myroutes policy.

    content_copy zoom_out_map
    [edit protocols]
bgp {
    group To_PE2 {
        neighbor 198.51.100.13 {
            export myroutes;
            peer-as 200;
        }
    }
}

  5. On Router CE2, configure the BGP local autonomous system number.

    content_copy zoom_out_map
    [edit routing-options]
autonomous-system 20;

Verifying the VPN Operation

Step-by-Step Procedure

  1. Commit the configuration on each router.

    Note:

    The MPLS labels shown in this example will be different than the labels used in your configuration.

  2. On Router PE1, display the routes for the vpn2CE1 routing instance using the show ospf route command. Verify that the 192.0.2.1 route is learned from OSPF.

    content_copy zoom_out_map
    user@PE1> show ospf route instance vpn2CE1
Topology default Route Table:

Prefix             Path   Route       NH   Metric  NextHop       Nexthop      
                   Type   Type        Type         Interface     addr/label
192.0.2.1            Intra  Router      IP        1  fe-1/2/3.0    198.51.100.1
192.0.2.1/32          Intra  Network     IP        1  fe-1/2/3.0    198.51.100.1
198.51.100.0/24      Intra Network    IP            1 fe-1/2/3.0

  3. On Router PE1, use the show route advertising-protocol command to verify that Router PE1 advertises the 192.0.2.1 route to Router PE2 using MP-BGP with the VPN MPLS label.

    content_copy zoom_out_map
    user@PE1> show route advertising-protocol bgp 192.0.2.7 extensive
bgp.l3vpn.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
* 1:100:192.0.2.1/32 (1 entry, 1 announced)
 BGP group To_PE2 type External
     Route Distinguisher: 1:100
     VPN Label: 300016
     Nexthop: Self
     Flags: Nexthop Change
     MED: 1
     AS path: [100] I
     Communities: target:1:100 rte-type:0.0.0.2:1:0

  4. On Router ASBR1, use the show route advertising-protocol command to verify that Router ASBR1 advertises the 192.0.2.2 route to Router ASBR2.

    content_copy zoom_out_map
    user@ASBR1> show route advertising-protocol bgp 192.168.3,8 extensive
inet.0: 14 destinations, 16 routes (14 active, 0 holddown, 0 hidden)
* 192.0.2.2/32 (2 entries, 1 announced)
 BGP group To-PE2 type External
     Route Label: 300172
     Nexthop: Self
     Flags: Nexthop Change
     MED: 2
     AS path: [100] I

  5. On Router ASBR2, use the show route receive-protocol command to verify that the router receives and accepts the 192.0.2.2 route .

    content_copy zoom_out_map
    user@ASBR2> show route receive-protocol bgp 192.168.3.7 extensive
inet.0: 10 destinations, 11 routes (10 active, 0 holddown, 0 hidden)
* 192.0.2.2/32 (1 entry, 1 announced)
     Accepted
     Route Label: 300172
     Nexthop: 192.168.3.7
     MED: 2
     AS path: 100 I

  6. On Router ASBR2, use the show route advertising-protocol command to verify that Router ASBR2 advertises the 192.0.2.2 route to Router PE2.

    content_copy zoom_out_map
    user@ASBR2> show route advertising-protocol bgp 192.0.2.7 extensive
inet.0: 10 destinations, 11 routes (10 active, 0 holddown, 0 hidden)
* 192.0.2.2/32 (1 entry, 1 announced)
 BGP group To-PE2 type Internal
     Route Label: 300192
     Nexthop: Self
     Flags: Nexthop Change
     MED: 2
     Localpref: 100
     AS path: [200] 100 I

  7. On Router PE2, use the show route receive-protocol command to verify that Router PE2 receives the route and puts it in the inet.0. routing table. Verify that Router PE2 also receives the update from Router PE1 and accepts the route.

    content_copy zoom_out_map
    user@PE2> show route receive-protocol bgp 192.0.2.5 extensive
inet.0: 13 destinations, 14 routes (13 active, 0 holddown, 0 hidden)
* 192.0.2.2/32 (1 entry, 1 announced)
     Accepted
     Route Label: 300192
     Nexthop: 192.0.2.5
     MED: 2
     Localpref: 100
     AS path: 100 I
     AS path: Recorded

inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)

* 192.0.2.2/32  (1 entry, 1 announced)
     Accepted
     Route Label: 300192
     Nexthop: 192.0.2.5
     MED: 2
     Localpref: 100
     AS path: 100 I
     AS path: Recorded

  8. On Router PE2, use the show route receive-protocol command to verify that Router PE2 puts the route in the routing table of the vpn2CE2 routing instance and advertises the route to Router CE2 using EBGP.

    content_copy zoom_out_map
    user@PE2> show route receive-protocol bgp 192.0.2.2 detail
inet.0: 17 destinations, 18 routes (17 active, 0 holddown, 0 hidden)

inet.3: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)

__juniper_private1__.inet.0: 14 destinations, 14 routes (8 active, 0 holddown, 6 hidden)

__juniper_private2__.inet.0: 1 destinations, 1 routes (0 active, 0 holddown, 1 hidden)

vpn2CE2.inet.0: 4 destinations, 5 routes (4 active, 0 holddown, 0 hidden)
* 192.0.2.1/32 (1 entry, 1 announced)
     Accepted
     Route Distinguisher: 1:100
     VPN Label: 300016
     Nexthop: 192.0.2.2
     MED: 1
     AS path: 100 I
     AS path: Recorded
     Communities: target:1:100 rte-type:0.0.0.2:1:0

iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
                    
mpls.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)

bgp.l3vpn.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)

* 1:100:192.0.2.1/32 (1 entry, 0 announced)
     Accepted
     Route Distinguisher: 1:100
     VPN Label: 300016
     Nexthop: 192.0.2.2
     MED: 1
     AS path: 100 I
     AS path: Recorded
     Communities: target:1:100 rte-type:0.0.0.2:1:0

__juniper_private1__.inet6.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)

  9. On Router PE2, use the show route advertising-protocol command to verify that Router PE2 advertises the 192.0.2.1 route to Router CE2 through the vpn2CE2 peer group.

    content_copy zoom_out_map
    user@PE2> show route advertising-protocol bgp 192.168.6.14 extensive
vpn2CE2.inet.0: 4 destinations, 5 routes (4 active, 0 holddown, 0 hidden)
* 192.0.2.1/32 (1 entry, 1 announced)
 BGP group vpn2CE2 type External
     Nexthop: Self
     AS path: [200] 100 I
     Communities: target:1:100 rte-type:0.0.0.2:1:0

  10. On Router CE2, use the show route command to verify that Router CE2 receives the 192.0.2.1 route from Router PE2.

    content_copy zoom_out_map
    user@CE2> show route 192.0.2.1
inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.0.2.1/32         *[BGP/170] 00:25:36, localpref 100
                      AS path: 200 100 I
                    > to 192.168.6.13 via fe-3/0/0.0

  11. On Router CE2, use the ping command and specify 192.0.2.8 as the source of the ping packets to verify connectivity with Router CE1.

    content_copy zoom_out_map
    user@CE2> ping 192.0.2.1 source 192.0.2.8
PING 192.0.2.1 (192.0.2.1): 56 data bytes
64 bytes from 192.0.2.1: icmp_seq=0 ttl=58 time=4.786 ms
64 bytes from 192.0.2.1: icmp_seq=1 ttl=58 time=10.210 ms
64 bytes from 192.0.2.1: icmp_seq=2 ttl=58 time=10.588 ms

  12. On Router PE2, use the show route command to verify that the traffic is sent with an inner label of 300016, a middle label of 300192, and a top label of 299776.

    content_copy zoom_out_map
    user@PE2> show route 192.0.2.1 detail
vpn2CE2.inet.0: 4 destinations, 5 routes (4 active, 0 holddown, 0 hidden)
192.0.2.1/32 (1 entry, 1 announced)
        *BGP    Preference: 170/-101
                Route Distinguisher: 1:100
                Next hop type: Indirect
                Next-hop reference count: 3
                Source: 192.0.2.2
                Next hop type: Router, Next hop index: 653
                Next hop: via so-0/0/1.0 weight 0x1, selected
                Label-switched-path To-ASBR2
             Label operation: Push 300016, Push 300192, Push 299776(top)
                Protocol next hop: 192.0.2.2
                Push 300016
                Indirect next hop: 8c61138 262142
                State: <Secondary Active Ext>
                Local AS:   200 Peer AS:   100
                Age: 17:33      Metric: 1       Metric2: 2 
                Task: BGP_100.192.0.2.2+62319
                Announcement bits (3): 0-RT 1-KRT 2-BGP RT Background 
                AS path: 100 I
                AS path: Recorded
                Communities: target:1:100 rte-type:0.0.0.2:1:0
                Accepted
                VPN Label: 300016
                Localpref: 100
                Router ID: 192.0.2.2
                Primary Routing Table bgp.l3vpn.0

  13. On Router ASBR2, use the show route table command to verify that Router ASBR2 receives the traffic after the top label is popped by Router P2. Verify that label 300192 is a swapped with label 300176 and the traffic is sent towards Router ASBR1 using interface ge-0/1/1.0. At this point, the bottom label 300016 is preserved.

    content_copy zoom_out_map
    user@ASBR2# show route table mpls.0 detail
300192 (1 entry, 1 announced)
        *VPN    Preference: 170
                Next hop type: Router, Next hop index: 660
                Next-hop reference count: 2
                Source: 192.168.3.7                Next hop: 192.168.3.7 via ge-0/1/1.0, selected
                Label operation: Swap 300176
                State: <Active Int Ext>
                Local AS:   200 
                Age: 24:01 
                Task: BGP RT Background
                Announcement bits (1): 0-KRT 
                AS path: 100 I
                Ref Cnt: 1

  14. On Router ASBR1, use the show route table command to verify that when Router ASBR1 receives traffic with label 300176, it swaps the label with 299824 to reach Router PE1.

    content_copy zoom_out_map
    user@ASBR1> show route table mpls.0 detail
300176 (1 entry, 1 announced)
        *VPN    Preference: 170	
                Next hop type: Router, Next hop index: 651
                Next-hop reference count: 2
                Next hop: 192.168.2.5 via ge-0/0/0.0 weight 0x1, selected
                Label operation: Swap 299824
                State: <Active Int Ext>
                Local AS:   100 
                Age: 25:53 
                Task: BGP RT Background
                Announcement bits (1): 0-KRT 
                AS path: I
                Ref Cnt: 1

  15. On Router PE1, use the show route table command to verify that Router PE1 receives the traffic after the top label is popped by Router P1. Verify that label 300016 is popped and the traffic is sent towards Router CE1 using interface fe-1/2/3.0.

    content_copy zoom_out_map
    user@PE1>  show route table mpls.0 detail
300016 (1 entry, 1 announced)
        *VPN    Preference: 170
                Next hop type: Router, Next hop index: 643
                Next-hop reference count: 2
                Next hop: 198.51.100.1 via fe-1/2/3.0, selected
                Label operation: Pop      
                State:< Active Int Ext>
                Local AS:   100 
                Age: 27:37 
                Task: BGP RT Background
                Announcement bits (1): 0-KRT 
                AS path: I
                Ref Cnt: 1
                Communities: rte-type:0.0.0.2:1:0

See Also

arrow_backward PREVIOUS Interprovider and Carrier-of-Carriers VPNs
NEXT arrow_forward Carrier-of-Carrier VPNs
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top