Configuring Layer 3 VPNs


To configure Layer 3 VPN functionality, you must enable VPN support on the PE router. You must also configure any P routers that service the VPN, and you must configure the CE routers so that their routes are distributed into the VPN. To configure Layer 3 VPNs, you include the following statements at the [edit routing-instances] hierarchy level. In addition, you must enable a signaling protocol, IBGP sessions between the PE routers, and an IGP on the PE and provider routers.

[edit routing-instances]
routing-instance-name {
    description text;
    interface interface-name;
    instance-type vrf;
    route-distinguisher (as-number:number | ip-address:number);
    vrf-import [ policy-names ];
    vrf-export [ policy-names ];
    vrf-table-label;
    protocols {
        bgp {
            bgp configuration
        }
        ospf {
            ospf configuration
        }
        rip {
            rip configuration
        }
    }
    routing-options {
        autonomous-system autonomous-system <loops number>;
        forwarding-table {
            export [ policy-names ];
        }
        interface-routes {
            rib-group group-name;
        }
        martians {
            destination-prefix match-type <allow>;
        }
        maximum-routes route-limit <log-only | threshold value>;
        options {
            syslog (level level | upto level);
        }
        rib routing-table {
            static {
                defaults {
                    static-options;
                }
                route destination-prefix {
                    next-hop;
                    static-options;
                }
            }
            martians {
                destination-prefix match-type <allow>;
            }
            static {
                defaults {
                    static-options;
                }
                route destination-prefix {
                    policy [ policy-names ];
                    static-options;
                }
            }
        }
        router-id address;
        static {
            defaults {
                static-options;
            }
            route destination-prefix {
                policy [ policy-names ];
                static-options;
            }
        }
    }
}

By default, Layer 3 VPNs are disabled. For Layer 3 VPNs to function, you must enable a signaling protocol, either LDP or RSVP, on the PE routers.

To use LDP for VPN signaling, perform the following steps on the PE and provider routers:

  1. Configure LDP on the interfaces in the core of the service provider's network by including the ldp statement. You need to configure LDP only on the interfaces between PE routers or between PE and provider routers. You can think of these as the "core-facing" interfaces. You do not need to configure LDP on the interface between the PE and CE routers.

     [edit protocols]
     ldp {
         interface interface-name;
     }
  2. Configure the MPLS address family on the interfaces on which you enable LDP (that is, on the interfaces you configured in Step 1):

     [edit]
     interfaces {
         interface-name {
             unit logical-unit-number {
                 family mpls;
             }
         }
     }
  3. Configure OSPF or IS-IS on each PE and provider router. You configure these protocols at the master instance of the routing protocol, not within the routing instance used for the VPN.

    To configure OSPF, include the ospf statement. At a minimum, you must configure a backbone area on at least one of the router's interfaces.

     [edit protocols]
     ospf {
         area 0.0.0.0 {
             interface interface-name;
         }
     }

To configure IS-IS, include the isis statement and configure the loopback interface and ISO family at the [edit interfaces] hierarchy level. At a minimum, you must enable IS-IS on the router, configure a network entity title (NET) on one of the router's interfaces (preferably the loopback interface, lo0), and configure the ISO family on all interfaces on which you want IS-IS to run. When you enable IS-IS, Level 1 and Level 2 are enabled by default. The following is the minimum IS-IS configuration. In the address statement, address is the NET.

[edit]
interfaces {
    lo0 {
        unit logical-unit-number {
            family iso {
                address address;
            }
        }
    }
    type-fpc/pic/port {
        unit logical-unit-number {
            family iso;
        }
    }
}
protocols {
    isis {
        interface all;
    }
}
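The three LDP steps above combined into one concrete PE configuration, added here as an example and not taken from the book. The interface names and addresses are constructed (ge-0/0/0 toward a P router, lo0 at 192.0.2.1); the protocols mpls interface statement is an assumption carried over from the RSVP steps below, because label forwarding on the core link has to be enabled for LDP-learned labels to be used.

```junos
interfaces {
    ge-0/0/0 {                       # constructed: core-facing link toward a P router
        unit 0 {
            family inet {
                address 10.0.0.1/30;
            }
            family mpls;             # step 2: MPLS family on every interface running LDP
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 192.0.2.1/32;   # PE1 loopback; must stay a separate /32 route
            }
        }
    }
}
protocols {
    mpls {
        interface ge-0/0/0.0;        # assumed: label forwarding enabled on the core link
    }
    ldp {
        interface ge-0/0/0.0;        # step 1: LDP only on core-facing interfaces, never PE-CE
    }
    ospf {
        area 0.0.0.0 {               # step 3: backbone area in the master instance
            interface ge-0/0/0.0;
            interface lo0.0 {
                passive;             # advertise lo0 without running OSPF hellos on it
            }
        }
    }
}
```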

To use RSVP for VPN signaling, perform the following steps:

  1. On each PE router, configure traffic engineering. To do this, you must configure an IGP that supports traffic engineering (either IS-IS or OSPF) and enable traffic engineering support for that protocol. For IS-IS, traffic engineering support is enabled by default. To enable OSPF traffic engineering support, include the traffic-engineering statement:

     [edit protocols ospf]
     traffic-engineering {
         no-topology;
         shortcuts;
     }
  2. On each PE and provider router, enable RSVP on the router interfaces that participate in the label-switched path (LSP). On the PE router, these are the interfaces that are the ingress and egress points to the LSP. On the provider router, these are the interfaces that connect the LSP between the PE routers. Do not enable RSVP on the interface between the PE and the CE routers, because this interface is not part of the LSP. To configure RSVP on the PE and provider routers, include one interface statement for each interface on which you are enabling RSVP:

     [edit protocols rsvp]
     interface interface-name;
  3. On each PE router, configure an MPLS LSP to the PE router that is the LSP's egress point by including the label-switched-path and interface statements. In the to statement, specify the address of the LSP's egress point, which is an address on the remote PE router. In the interface statement, specify the name of the interface (both the physical and logical portions). Include one interface statement for the interface associated with the LSP.

     [edit protocols mpls]
     label-switched-path path-name {
         to ip-address;
     }
     interface interface-name;

    You must also configure family mpls and family inet when configuring the logical interface:

     [edit interfaces interface-name unit logical-unit-number]
     family inet;
     family mpls;
  4. On all provider routers that participate in the LSP, enable MPLS by including one interface statement for each connection to the LSP:

     [edit protocols mpls]
     interface interface-name;
  5. Enable MPLS on the interface between the PE and CE routers by including the interface statement. Doing this allows the PE router to assign an MPLS label to traffic entering the LSP or to remove the label from traffic exiting the LSP.

     [edit protocols mpls]
     interface interface-name;
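The RSVP variant of the signaling setup on a PE router, added here as an example and not from the book. It assumes the same constructed topology as before: ge-0/0/0.0 is the core-facing interface, ge-0/0/1.0 is the PE-CE interface, and 192.0.2.2 is the remote PE's loopback; the LSP name pe1-to-pe2 is constructed.

```junos
protocols {
    ospf {
        traffic-engineering;         # step 1: OSPF floods TE link state so RSVP paths can be computed
        area 0.0.0.0 {
            interface ge-0/0/0.0;
            interface lo0.0 {
                passive;
            }
        }
    }
    rsvp {
        interface ge-0/0/0.0;        # step 2: RSVP only on LSP interfaces, not on the PE-CE link
    }
    mpls {
        label-switched-path pe1-to-pe2 {   # step 3: LSP whose egress is the remote PE
            to 192.0.2.2;            # PE2 loopback; the IBGP neighbor statement uses the same address
        }
        interface ge-0/0/0.0;        # core-facing interface carrying the LSP
        interface ge-0/0/1.0;        # step 5: PE-CE interface, so VPN traffic can be labeled
    }
}
```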

To allow the PE and provider routers to exchange routing information, you must either configure an IGP on all these routers or configure static routes. You configure the IGP on the master instance of the routing protocol process (rpd), that is, at the [edit protocols] hierarchy level, not within the routing instance used for the VPN (that is, not at the [edit routing-instances] hierarchy level). When you configure the PE router, do not configure any summarization of the PE router's loopback addresses at the area boundary. Each PE router's loopback address should appear as a separate route.

You must configure an IBGP session between PE routers to allow the PE routers to exchange information about routes originating and terminating in the VPN. To do this, include the family inet-vpn statement when configuring IBGP to indicate that the IBGP session is for the VPN:

[edit protocols]
bgp {
    group group-name {
        type internal;
        local-address ip-address;
        family inet-vpn {
            unicast;
        }
        neighbor ip-address;
    }
}

The IP address in the local-address statement is the address of the loopback interface (lo0) on the local PE router. The IBGP session for VPNs runs through the loopback address. (You must also configure the lo0 interface at the [edit interfaces] hierarchy level.) The IP address in the neighbor statement is the loopback address of the neighboring PE router. If you are using RSVP signaling, this IP address is the same address you specify in the to statement at the [edit protocols mpls label-switched-path] hierarchy level when you configure the MPLS LSP.

To configure routing instances for VPNs, include the routing-instances statement. You configure VPN routing instances only on PE routers. The instance-type, interface, route-distinguisher, vrf-export, and vrf-import statements are required for the Layer 3 VPN to function.

[edit]
routing-instances {
    routing-instance-name {
        description text;
        instance-type vrf;
        interface interface-name;
        route-distinguisher (as-number:number | ip-address:number);
        vrf-import [ policy-names ];
        vrf-export [ policy-names ];
        vrf-table-label;
    }
}

To provide a textual description for the routing instance, include the description statement. To enable Layer 3 VPN routing on a PE router, include the instance-type statement, specifying the instance type as vrf.

On each PE router, include the interface statement to configure an interface over which the VPN traffic travels between the PE and CE routers. You should specify both the physical and logical portions of the interface name, in the format physical.logical. A logical interface can be associated with only one routing instance. When you configure this same interface at the [edit interfaces] hierarchy level, you must also configure family inet and family mpls when configuring the logical interface:

[edit interfaces interface-name unit logical-unit-number]
family inet;
family mpls;

Each routing instance that you configure on a PE router must have a unique route distinguisher associated with it. The route distinguisher is used to place bounds around a VPN so that the same IP address prefixes can be used in different VPNs without overlapping. To configure a route distinguisher on a PE router, include the route-distinguisher statement. The route distinguisher is a 6-byte value that you can specify in one of the following formats:

  • as-number:number, where as-number is an AS number (a 2-byte value), and number is any 4-byte value. The AS number can be in the range 1 through 65,535. We recommend that you use an IANA-assigned, nonprivate AS number, preferably the ISP's own or the customer's own AS number.

  • ip-address:number, where ip-address is an IP address (a 4-byte value), and number is any 2-byte value. The IP address can be any globally unique unicast address. We recommend that you use the address that you configure in the router-id statement, which is a nonprivate address in your assigned prefix range.
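A complete VPN routing instance for one customer site on PE1, together with the IBGP inet-vpn session and the vrf-import/vrf-export policies the instance requires, added here as an example and not from the book. Assumptions: provider AS 65000, CE peer AS 64512, PE-CE interface ge-0/0/1.0 already configured with family inet and family mpls, loopbacks 192.0.2.1 (PE1) and 192.0.2.2 (PE2), and the route-target community target:65000:100, which this page does not cover but which is what the import and export policies match on in practice. The route distinguisher keeps overlapping customer prefixes distinct across VPNs; the import policy's final reject is what keeps another customer's routes out of this VRF.

```junos
protocols {
    bgp {
        group pe-ibgp {
            type internal;
            local-address 192.0.2.1;       # PE1 lo0; the VPN session rides on loopbacks
            family inet-vpn {
                unicast;                   # carries VPN-IPv4 routes, not plain inet
            }
            neighbor 192.0.2.2;            # PE2 lo0 (same address as an RSVP LSP's "to")
        }
    }
}
policy-options {
    community vpn-a-target members target:65000:100;   # assumed route target for this VPN
    policy-statement vpn-a-export {        # tag VRF routes before they leave toward other PEs
        term tag { from protocol [ bgp direct ]; then { community add vpn-a-target; accept; } }
        term drop { then reject; }
    }
    policy-statement vpn-a-import {        # accept only routes carrying this VPN's target
        term ours { from { protocol bgp; community vpn-a-target; } then accept; }
        term drop { then reject; }         # everything else stays out of the VRF
    }
}
routing-instances {
    vpn-a {
        description "customer A, site 1";
        instance-type vrf;
        interface ge-0/0/1.0;              # PE-CE interface; belongs to exactly one instance
        route-distinguisher 192.0.2.1:100; # router-id:number form, unique per instance
        vrf-import vpn-a-import;
        vrf-export vpn-a-export;
        protocols {
            bgp {
                group ce {                 # PE-CE EBGP session inside the VRF
                    type external;
                    peer-as 64512;
                    neighbor 172.16.1.2;   # constructed CE address on ge-0/0/1.0
                }
            }
        }
    }
}
```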



Juniper Networks Field Guide and Reference
ISBN: 0321122445
Year: 2002
Pages: 185