Routing Instances in Layer 3 VPNs
This topic discusses configuring routing instances in Layer 3 VPNs
Routing Instances in Layer 3 VPNs
A routing instance is a collection of routing tables, interfaces, and routing protocol parameters. The set of interfaces belongs to the routing tables, and the routing protocol parameters control the information in the routing tables. Each routing instance has a unique name and a corresponding IP unicast table.
To implement Layer 3 VPNs in the JUNOS Software, you configure one routing instance for each VPN. You configure the routing instances on PE routers only. Each VPN routing instance consists of the following components:
VRF table—On each PE router, you configure one VRF table for each VPN.
Set of interfaces that use the VRF table—The logical interface to each directly connected CE router must be associated with a VRF table. You can associate more than one interface with the same VRF table if more than one CE router in a VPN is directly connected to the PE router.
Policy rules—These control the import of routes into and the export of routes from the VRF table.
One or more routing protocols that install routes from CE routers into the VRF table—You can use the BGP, OSPF, and RIP routing protocols, and you can use static routes.
Configuring Logical Units on the Loopback Interface for Routing Instances in Layer 3 VPNs
For Layer 3 VPNs (VRF routing instances), you can configure a logical unit on the loopback interface into each VRF routing instance that you have configured on the router. Associating a VRF routing instance with a logical unit on the loopback interface allows you to easily identify the VRF routing instance.
Doing this is useful for troubleshooting:
It allows you to ping a remote CE router from a local PE router in a Layer 3 VPN. For more information, see Example: Troubleshooting Layer 3 VPNs.
It ensures that a path maximum transmission unit (MTU) check on traffic originating on a VRF or virtual-router routing instance functions properly. For more information, see Configuring Path MTU Checks for VPN Routing Instances.
You can also configure a firewall filter for the logical unit on the loopback interface; this configuration allows you to filter traffic for the VRF routing instance associated with it.
The following describes how firewall filters affect the VRF
routing instance depending on whether they are configured on the default
loopback interface, the VRF routing instance, or some combination
of the two. The “default loopback interface” refers to lo0.0 (associated with the default routing table), and the
“VRF loopback interface” refers to lo0.n, which is configured in the VRF routing instance.
If you configure Filter A on the default loopback interface and Filter B on the VRF loopback interface, the VRF routing instance uses Filter B.
If you configure Filter A on the default loopback interface but do not configure a filter on the VRF loopback interface, the VRF routing instance does not use a filter.
If you configure Filter A on the default loopback interface but do not configure a VRF loopback interface, the VRF routing instance uses Filter A. For MX80 devices, the behavior is slightly different: If you configure filters on the default loopback interface but do not configure a VRF loopback interface, the VRF routing instance uses only the input filters assigned to the default loopback (it does not use output filters from the default loopback).
For some ACX Series Universal Metro Routers (ACX1000, ACX2000, ACX4000, and ACX5000), the default loopback filter must be in the same routing, or virtual routing and forwarding (VRF), instance as the ingress traffic it filters. That is, on these devices, the default loopback filter cannot be used for traffic traversing an interface that belongs to a different routing instance.
To configure a logical unit on the loopback interface, include
the unit statement:
unit number {
family inet {
address address;
}
}
You can include this statement at the following hierarchy levels:
[edit interfaces lo0][edit logical-systems logical-system-name interfaces lo0]
To associate a firewall filter with the logical unit on the
loopback interface, include the filter statement:
filter {
input filter-name;
}
You can include this statement at the following hierarchy levels:
[edit interfaces lo0 unit unit-number family inet][edit logical-systems logical-system-name interfaces lo0 unit unit-number family inet]
To include the lo0.n interface
(where n specifies the logical unit)
in the configuration for the VRF routing instance, include the following
statement:
interface lo0.n;
You can include this statement at the following hierarchy levels:
[edit routing-instances routing-instance-name][edit logical-systems logical-system-name routing-instances routing-instance-name]
Configuring Routing Instances on PE Routers in VPNs
You need to configure a routing instance for each VPN on each of the PE routers participating in the VPN. The configuration procedures outlined in this section are applicable to Layer 2 VPNs, Layer 3 VPNs, and VPLS. The configuration procedures specific to each type of VPN are described in the corresponding sections in the other configuration chapters.
To configure routing instances for VPNs, include the following statements:
description text; instance-type type; interface interface-name; route-distinguisher (as-number:number | ip-address:number); vrf-import [ policy-names ]; vrf-export [ policy-names ]; vrf-target { export community-name; import community-name; }
You can include these statements at the following hierarchy levels:
[edit routing-instances routing-instance-name][edit logical-systems logical-system-name routing-instances routing-instance-name]
To configure VPN routing instances, you perform the steps in the following sections:
- Configuring the Routing Instance Name for a VPN
- Configuring the Description
- Configuring the Instance Type
- Configuring Interfaces for VPN Routing
- Configuring the Route Distinguisher
- Configuring Automatic Route Distinguishers
Configuring the Routing Instance Name for a VPN
The name of the routing instance for a VPN can be a maximum
of 128 characters and can contain letters, numbers, and hyphens. In
Junos OS Release 9.0 and later, you can no longer specify default as the actual routing-instance name. You also cannot use any special
characters (! @ # $ % ^ & * , +< > : ;) within the name of
a routing instance.
In Junos OS Release 9.6 and later, you can include a slash (/) in a routing instance name only if a logical system is not configured. That is, you cannot include the slash character in a routing instance name if a logical system other than the default is explicitly configured.
Specify the routing-instance name with the routing-instance statement:
routing-instance routing-instance-name {...}
You can include this statement at the following hierarchy levels:
[edit][edit logical-systems logical-system-name]
Configuring the Description
To provide a text description for the routing instance, include
the description statement. If the text includes one or
more spaces, enclose them in quotation marks (" "). Any descriptive
text you include is displayed in the output of the show route
instance detail command and has no effect on the operation of
the routing instance.
To configure a text description, include the description statement:
description text;
You can include this statement at the following hierarchy levels:
[edit routing-instances routing-instance-name][edit logical-systems logical-system-name routing-instances routing-instance-name]
Configuring the Instance Type
The instance type you configure varies depending on whether
you are configuring Layer 2 VPNs, Layer 3 VPNs, VPLS, or
virtual routers. Specify the instance type by including the instance-type statement:
To enable Layer 2 VPN routing on a PE router, include the
instance-typestatement and specify the valuel2vpn:instance-type l2vpn;
To enable VPLS routing on a PE router, include the
instance-typestatement and specify the valuevpls:instance-type vpls;
Layer 3 VPNs require that each PE router have a VPN routing and forwarding (VRF) table for distributing routes within the VPN. To create the VRF table on the PE router, include the
instance-typestatement and specify the valuevrf:instance-type vrf;
Note:Routing Engine based sampling is not supported on VRF routing instances.
To enable the virtual-router routing instance, include the
instance-typestatement and specify the valuevirtual-router:instance-type virtual-router;
You can include this statement at the following hierarchy levels:
[edit routing-instances routing-instance-name][edit logical-systems logical-system-name routing-instances routing-instance-name]
Configuring Interfaces for VPN Routing
On each PE router, you must configure an interface over which the VPN traffic travels between the PE and CE routers.
The sections that follow describe how to configure interfaces for VPNs:
- General Configuration for VPN Routing
- Configuring Interfaces for Layer 3 VPNs
- Configuring Interfaces for Carrier-of-Carriers VPNs
- Configuring Unicast RPF on VPN Interfaces
General Configuration for VPN Routing
The configuration described in this section applies to all types of VPNs. For Layer 3 VPNs and carrier-of-carriers VPNs, complete the configuration described in this section before proceeding to the interface configuration sections specific to those topics.
To configure interfaces for VPN routing, include the interface statement:
interface interface-name;
You can include this statement at the following hierarchy levels:
[edit routing-instances routing-instance-name][edit logical-systems logical-system-name routing-instances routing-instance-name]
Specify both the physical and logical portions of the interface name, in the following format:
physical.logical
For example, in at-1/2/1.2, at-1/2/1 is
the physical portion of the interface name and 2 is the
logical portion. If you do not specify the logical portion of the
interface name, the value 0 is set by default.
A logical interface can be associated with only one routing
instance. If you enable a routing protocol on all instances by specifying interfaces all when configuring the master instance of the
protocol at the [edit protocols] hierarchy level, and if
you configure a specific interface for VPN routing at the [edit
routing-instances routing-instance-name] hierarchy level or at the [edit logical-systems logical-system-name routing-instances routing-instance-name] hierarchy level, the latter interface statement takes precedence
and the interface is used exclusively for the VPN.
If you explicitly configure the same interface name at the [edit protocols] hierarchy level and at either the [edit
routing-instances routing-instance-name] or [edit logical-systems logical-system-name routing-instances routing-instance-name] hierarchy levels, an attempt to commit the configuration fails.
Configuring Interfaces for Layer 3 VPNs
When you configure the Layer 3 VPN interfaces at the [edit interfaces] hierarchy level, you must also configure family inet when configuring the logical interface:
[edit interfaces]
interface-name {
unit logical-unit-number {
family inet;
}
}
Configuring Interfaces for Carrier-of-Carriers VPNs
When you configure carrier-of-carriers VPNs, you need to configure
the family mpls statement in addition to the family
inet statement for the interfaces between the PE and CE routers.
For carrier-of-carriers VPNs, configure the logical interface as follows:
[edit interfaces]
interface-name {
unit logical-unit-number {
family inet;
family mpls;
}
}
If you configure family mpls on the logical interface
and then configure this interface for a non-carrier-of-carriers routing
instance, the family mpls statement is automatically removed
from the configuration for the logical interface, since it is not
needed.
Configuring Unicast RPF on VPN Interfaces
For VPN interfaces that carry IP version 4 or version 6 (IPv4 or IPv6) traffic, you can reduce the impact of denial-of-service (DoS) attacks by configuring unicast reverse path forwarding (RPF). Unicast RPF helps determine the source of attacks and rejects packets from unexpected source addresses on interfaces where unicast RPF is enabled.
You can configure unicast RPF on a VPN interface by enabling
unicast RPF on the interface and including the interface statement at the [edit routing-instances routing-instance-name] hierarchy level.
You cannot configure unicast RPF on the core-facing interfaces. You can only configure unicast RPF on the CE router-to-PE router interfaces on the PE router. However, for virtual-router routing instances, unicast RPF is supported on all interfaces you specify in the routing instance.
For information about how to configure unicast RPF on VPN interfaces, see Understanding Unicast RPF (Routers).
Configuring the Route Distinguisher
Each routing instance that you configure on a PE router must have a unique route distinguisher associated with it. VPN routing instances need a route distinguisher to help BGP to distinguish between potentially identical network layer reachability information (NLRI) messages received from different VPNs. If you configure different VPN routing instances with the same route distinguisher, the commit fails.
For Layer 2 VPNs and VPLS, if you have configured the l2vpn-use-bgp-rules statement, you must configure a unique route distinguisher for each
PE router participating in a specific routing instance.
For other types of VPNs, we recommend that you use a unique route distinguisher for each PE router participating in the routing instance. Although you can use the same route distinguisher on all PE routers for the same VPN routing instance (except for Layer 2 VPNs and VPLS), if you use a unique route distinguisher, you can determine the CE router from which a route originated within the VPN.
To configure a route distinguisher on a PE router, include the route-distinguisher statement:
route-distinguisher (as-number:number | ip-address:number);
For a list of hierarchy levels at which you can include this statement, see the statement summary section for this statement.
The route distinguisher is a 6-byte value that you can specify in one of the following formats:
as-number:number, whereas-numberis an autonomous system (AS) number (a 2-byte value) andnumberis any 4-byte value. The AS number can be in the range 1 through 65,535. We recommend that you use an Internet Assigned Numbers Authority (IANA)-assigned, nonprivate AS number, preferably the Internet service provider’s (ISP’s) own or the customer’s own AS number.ip-address:number, whereip-addressis an IP address (a 4-byte value) andnumberis any 2-byte value. The IP address can be any globally unique unicast address. We recommend that you use the address that you configure in therouter-idstatement, which is a nonprivate address in your assigned prefix range.
Configuring Automatic Route Distinguishers
If you configure the route-distinguisher-id statement at the [edit routing-options] hierarchy level, a route distinguisher is automatically assigned
to the routing instance. If you also configure the route-distinguisher statement in addition to the route-distinguisher-id statement,
the value configured for route-distinguisher supersedes
the value generated from route-distinguisher-id.
To assign a route distinguisher automatically, include the route-distinguisher-id statement:
route-distinguisher-id ip-address;
You can include this statement at the following hierarchy levels:
[edit routing-options][edit logical-systems logical-system-name routing-options]
A type 1 route distinguisher is automatically assigned
to the routing instance using the format ip-address:number. The IP address is specified by
the route-distinguisher-id statement and the number is
unique for the routing instance.
Configuring Virtual-Router Routing Instances in VPNs
A virtual-router routing instance, like a VRF routing instance,
maintains separate routing and forwarding tables for each instance.
However, many of the configuration steps required for VRF routing
instances are not required for virtual-router routing instances. Specifically,
you do not need to configure a route distinguisher, a routing table
policy (the vrf-export, vrf-import, and route-distinguisher statements), or MPLS between the service
provider routers.
Configure a virtual-router routing instance by including the following statements:
description text; instance-type virtual-router; interface interface-name; protocols { ... }
You can include these statements at the following hierarchy levels:
[edit routing-instances routing-instance-name][edit logical-systems logical-system-name routing-instances routing-instance-name]
The following sections explain how to configure a virtual-router routing instance:
- Configuring a Routing Protocol Between the Service Provider Routers
- Configuring Logical Interfaces Between Participating Routers
Configuring a Routing Protocol Between the Service Provider Routers
The service provider routers need to be able to exchange routing
information. You can configure the following protocols for the virtual-router
routing instance protocols statement configuration at the [edit routing-instances routing-instance-name] hierarchy level:
BGP
IS-IS
LDP
OSPF
Protocol Independent Multicast (PIM)
RIP
You can also configure static routes.
IBGP route reflection is not supported for virtual-router routing instances.
If you configure LDP under a virtual-router instance, LDP routes
are placed by default in the routing instance’s inet.0 and inet.3
routing tables (for example, sample.inet.0 and sample.inet.3). To
restrict LDP routes to only the routing instance’s inet.3 table,
include the no-forwarding statement:
no-forwarding;
You can include this statement at the following hierarchy levels:
[edit routing-instances routing-instance-name protocols ldp][edit logical-systems logical-system-name routing-instances routing-instance-name protocols ldp]
When you restrict the LDP routes to only the inet.3 routing table, the corresponding IGP route in the inet.0 routing table can be redistributed and advertised into other routing protocols.
For information about routing tables, see Understanding Junos OS Routing Tables.
Configuring Logical Interfaces Between Participating Routers
You must configure an interface to each customer router participating
in the routing instance and to each P router participating in the
routing instance. Each virtual-router routing instance requires its
own separate logical interfaces to all P routers participating in
the instance. To configure interfaces for virtual-router instances,
include the interface statement:
interface interface-name;
You can include this statement at the following hierarchy levels:
[edit routing-instances routing-instance-name][edit logical-systems logical-system-name routing-instances routing-instance-name]
Specify both the physical and logical portions of the interface name, in the following format:
physical.logical
For example, in at-1/2/1.2, at-1/2/1 is
the physical portion of the interface name and 2 is the
logical portion. If you do not specify the logical portion of the
interface name, 0 is set by default.
You must also configure the interfaces at the [edit interfaces] hierarchy level.
One method of providing this logical interface between the provider routers is by configuring tunnels between them. You can configure IP Security (IPsec), generic routing encapsulation (GRE), or IP-IP tunnels between the provider routers, terminating the tunnels at the virtual-router instance.
For information about how to configure tunnels and interfaces, see the Junos OS Services Interfaces Library for Routing Devices.
Configuring Path MTU Checks for VPN Routing Instances
By default, the maximum transmission unit (MTU) check for VPN routing instances is disabled on M Series routers (except the M320 router) and enabled for the M320 router. On M Series routers, you can configure path MTU checks on the outgoing interfaces for unicast traffic routed on VRF routing instances and on virtual-router routing instances.
When you enable an MTU check, the routing platform sends an
Internet Control Message Protocol (ICMP) message when a packet traversing
the routing instance exceeds the MTU size and has the do-not-fragment bit set. The ICMP message uses the VRF local address as its source
address.
For an MTU check to work in a routing instance, you must both
include the vrf-mtu-check statement at the [edit chassis] hierarchy level and assign at least one interface containing an
IP address to the routing instance.
For more information about the path MTU check, see the Junos OS Administration Library for Routing Devices.
To configure path MTU checks, do the tasks described in the following sections:
- Enabling Path MTU Checks for a VPN Routing Instance
- Assigning an IP Address to the VPN Routing Instance
Enabling Path MTU Checks for a VPN Routing Instance
To enable path checks on the outgoing interface for
unicast traffic routed on a VRF or virtual-router routing instance,
include the vrf-mtu-check statement at the [edit chassis] hierarchy level:
[edit chassis] vrf-mtu-check;
Assigning an IP Address to the VPN Routing Instance
To ensure that the path MTU check functions properly, at least one IP address must be associated with each VRF or virtual-router routing instance. If an IP address is not associated with the routing instance, ICMP reply messages cannot be sent.
Typically, the VRF or virtual-router routing instance IP address is drawn from among the IP addresses associated with interfaces configured for that routing instance. If none of the interfaces associated with a VRF or virtual-router routing instance is configured with an IP address, you need to explicitly configure a logical loopback interface with an IP address. This interface must then be associated with the routing instance. See Configuring Logical Units on the Loopback Interface for Routing Instances in Layer 3 VPNs for details.