To configure Layer 3 VPN functionality, you must enable VPN support on the PE router. You must also configure any P routers that service the VPN, and you must configure the CE routers so that their routes are distributed into the VPN.

To configure Layer 3 VPNs, you include the statements shown below. In addition, you must enable a signaling protocol, IBGP sessions between the PE routers, and an IGP on the PE and provider routers.

    [edit routing-instances]
    routing-instance-name {
        description text;
        interface interface-name;
        instance-type vrf;
        route-distinguisher (as-number:number | ip-address:number);
        vrf-import [ policy-names ];
        vrf-export [ policy-names ];
        vrf-table-label;
        protocols {
            bgp {
                bgp configuration
            }
            ospf {
                ospf configuration
            }
            rip {
                rip configuration
            }
        }
        routing-options {
            autonomous-system autonomous-system <loops number>;
            forwarding-table {
                export [ policy-names ];
            }
            interface-routes {
                rib-group group-name;
            }
            martians {
                destination-prefix match-type <allow>;
            }
            maximum-routes route-limit <log-only | threshold value>;
            options {
                syslog (level level | upto level);
            }
            rib routing-table {
                static {
                    defaults {
                        static-options;
                    }
                    route destination-prefix {
                        next-hop;
                        static-options;
                    }
                }
            }
            martians {
                destination-prefix match-type <allow>;
            }
            static {
                defaults {
                    static-options;
                }
                route destination-prefix {
                    policy [ policy-names ];
                    static-options;
                }
            }
        }
        router-id address;
        static {
            defaults {
                static-options;
            }
            route destination-prefix {
                policy [ policy-names ];
                static-options;
            }
        }
    }
    }

By default, Layer 3 VPNs are disabled.

For Layer 3 VPNs to function, you enable a signaling protocol on the PE routers using either LDP or RSVP. To use LDP for VPN signaling, perform the following steps on the PE and provider routers:
To configure IS-IS, include the isis statement and configure the loopback interface and ISO family at the [edit interfaces] hierarchy level. At a minimum, you must enable IS-IS on the router, configure a network entity title (NET) on one of the router's interfaces (preferably the loopback interface, lo0), and configure the ISO family on all interfaces on which you want IS-IS to run. When you enable IS-IS, Level 1 and Level 2 are enabled by default.

The following is the minimum IS-IS configuration. In the address statement, address is the NET.

    [edit]
    interfaces {
        lo0 {
            unit logical-unit-number {
                family iso {
                    address address;
                }
            }
        }
        type-fpc/pic/port {
            unit logical-unit-number {
                family iso;
            }
        }
    }
    protocols {
        isis {
            interface all;
        }
    }

To use RSVP for VPN signaling, perform the following steps:
To allow the PE and provider routers to exchange routing information, you must either configure an IGP on all these routers, or you must configure static routes. You configure the IGP on the master instance of the routing protocol process (rpd) (that is, at the [edit protocols] hierarchy level), not within the routing instance used for the VPN (that is, not at the [edit routing-instances] hierarchy level).

When you configure the PE router, do not configure any summarization of the PE router's loopback addresses at the area boundary. Each PE router's loopback address should appear as a separate route.

You must configure an IBGP session between PE routers to allow the PE routers to exchange information about routes originating and terminating in the VPN. To do this, include the family inet-vpn statement when configuring IBGP to indicate that the IBGP session is for the VPN:

    [edit protocols]
    bgp {
        group group-name {
            type internal;
            local-address ip-address;
            family inet-vpn {
                unicast;
            }
            neighbor ip-address;
        }
    }

The IP address in the local-address statement is the address of the loopback interface (lo0) on the local PE router. The IBGP session for VPNs runs through the loopback address. (You must also configure the lo0 interface at the [edit interfaces] hierarchy level.)

The IP address in the neighbor statement is the loopback address of the neighboring PE router. If you are using RSVP signaling, this IP address is the same address you specify in the to statement at the [edit mpls label-switched-path] hierarchy level when you configure the MPLS LSP.

To configure routing instances for VPNs, include the routing-instances statement. You configure VPN routing instances only on PE routers. The instance-type, interface, route-distinguisher, vrf-export, and vrf-import statements are required for the Layer 2 VPN to function.
    [edit]
    routing-instances {
        routing-instance-name {
            description text;
            instance-type vrf;
            interface interface-name;
            route-distinguisher (as-number:number | ip-address:number);
            vrf-import [ policy-names ];
            vrf-export [ policy-names ];
            vrf-table-label;
        }
    }

To provide a textual description for the routing instance, include the description statement.

To enable Layer 2 VPN routing on a PE router, include the instance-type statement, specifying the instance type as vrf.

On each PE router, include the interface statement to configure an interface over which the VPN traffic travels between the PE and CE routers. You should specify both the physical and logical portions of the interface name, in the format physical.logical. A logical interface can be associated with only one routing instance.

When you configure this same interface at the [edit interfaces] hierarchy level, you must also configure family inet and family mpls when configuring the logical interface:

    [edit interfaces interface-name unit logical-unit-number]
    family inet;
    family mpls;

Each routing instance that you configure on a PE router must have a unique route distinguisher associated with it. The route distinguisher is used to place bounds around a VPN so that the same IP address prefixes can be used in different VPNs without overlapping.

To configure a route distinguisher on a PE router, include the route-distinguisher statement. The route distinguisher is a 6-byte value that you can specify in one of the following formats:
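The routing-instance rules stated above (the required statements, a unique route distinguisher per instance on a PE router, and one routing instance per logical interface) can be checked mechanically before a configuration is committed. The following is an added example, not Juniper code: the names `parse`, `audit` and `SAMPLE` are hypothetical, the sample configuration is constructed, and the parser assumes curly-brace configuration text without comments.

```python
import re
from collections import defaultdict

REQUIRED = ("interface", "route-distinguisher", "vrf-import", "vrf-export")

# Constructed sample: VPN-B omits vrf-export and reuses VPN-A's RD and interface.
SAMPLE = """
routing-instances {
    VPN-A { instance-type vrf; interface ge-0/0/1.0; route-distinguisher 65000:100;
            vrf-import [ import-a ]; vrf-export [ export-a ]; }
    VPN-B { instance-type vrf; interface ge-0/0/1.0; route-distinguisher 65000:100;
            vrf-import [ import-b ]; }
}
"""

def parse(tokens):
    """Build nested dicts from a token iterator; statements map to value lists."""
    node, words = {}, []
    for tok in tokens:
        if tok == "{":
            node[" ".join(words)] = parse(tokens)  # recurse into the block
            words = []
        elif tok == ";":
            if words:
                node.setdefault(words[0], []).append(" ".join(words[1:]))
            words = []
        elif tok == "}":
            break
        else:
            words.append(tok)
    return node

def audit(config_text):
    """Return findings for vrf instances that break the rules stated above."""
    tokens = iter(re.findall(r"[{};]|[^\s{};]+", config_text))
    instances = parse(tokens).get("routing-instances", {})
    findings, rds, ifs = [], defaultdict(list), defaultdict(list)
    for name, body in instances.items():
        if body.get("instance-type") != ["vrf"]:
            continue
        findings += [f"{name}: missing {s}" for s in REQUIRED if s not in body]
        for rd in body.get("route-distinguisher", []):
            rds[rd].append(name)
        for ifname in body.get("interface", []):
            ifs[ifname].append(name)
    for kind, seen in (("route-distinguisher", rds), ("interface", ifs)):
        for value, names in seen.items():
            if len(names) > 1:
                findings.append(f"{kind} {value} shared by {', '.join(names)}")
    return findings
```

Calling `audit(SAMPLE)` returns one finding per violated rule; an empty list means every vrf instance in the text passed all three checks.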