To configure a Layer 3 VPN as the tunnel end point of a generic routing encapsulation (GRE) tunnel interface, you must specify which routing table the router searches for the tunnel's destination IP address. Identical routing prefixes can appear in different routing tables, so the router needs to know which table to search for the prefix.

To configure a Layer 3 VPN as the tunnel end point of a tunnel interface, include the routing-instance statement:

    [edit interfaces interface-name unit unit-number]
    tunnel {
        routing-instance {
            destination routing-instance-name;
        }
    }

You must also configure the GRE tunnel interface at the [edit routing-instances routing-instance-name] hierarchy level. Otherwise, any prefix mentioned under family inet of that tunnel interface is placed in the default inet routing table.

To configure an encrypted tunnel interface for a Layer 3 VPN, you configure ES tunnel interfaces on the PE and CE routers, and you configure Internet Protocol Security (IPSec) on these routers. To configure these routers as tunnel end points of an ES tunnel interface, configure a tunnel on the ES interface:

    [edit]
    interfaces {
        interface-name {
            unit unit-number {
                family mpls;
                tunnel {
                    source address;
                    destination address;
                }
            }
        }
    }

Then associate the ES interface on the appropriate routing instance:

    [edit routing-instances]
    routing-instance-name {
        interface interface-name;
    }
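The GRE requirement above (a tunnel unit that sets tunnel routing-instance destination must also be listed under a routing instance, or its family inet prefixes land in the default inet table) can be checked offline. This is an added example, not vendor code: it assumes the configuration has been exported in "display set" form, and the interface names, instance names and addresses in the sample are constructed.

```python
import re

# Constructed sample in "display set" form; names and addresses are made up.
SAMPLE_CONFIG = """\
set interfaces gr-1/0/0 unit 0 tunnel destination 10.0.0.2
set interfaces gr-1/0/0 unit 0 tunnel routing-instance destination vpn-a
set interfaces gr-1/0/0 unit 0 family inet address 192.168.10.1/30
set interfaces gr-1/0/0 unit 1 tunnel destination 10.0.0.6
set interfaces gr-1/0/0 unit 1 tunnel routing-instance destination vpn-b
set interfaces gr-1/0/0 unit 1 family inet address 192.168.20.1/30
set routing-instances vpn-a interface gr-1/0/0.0
set routing-instances vpn-b interface ge-0/0/1.0
"""

TUNNEL_RE = re.compile(
    r"^set interfaces (\S+) unit (\d+) tunnel routing-instance destination (\S+)$")
BIND_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)$")


def unbound_tunnel_units(config_text):
    """Return (logical interface, lookup instance) pairs for tunnel units that
    set tunnel routing-instance destination but belong to no routing instance,
    so their family inet prefixes land in the default inet routing table."""
    tunnels = {}   # "gr-1/0/0.0" -> instance searched for the tunnel destination
    bound = set()  # logical interfaces listed under any routing instance
    for line in config_text.splitlines():
        line = line.strip()
        m = TUNNEL_RE.match(line)
        if m:
            tunnels[f"{m.group(1)}.{m.group(2)}"] = m.group(3)
            continue
        m = BIND_RE.match(line)
        if m:
            # Assumption: bindings name the logical interface as ifd.unit.
            bound.add(m.group(2))
    return sorted((ifl, inst) for ifl, inst in tunnels.items() if ifl not in bound)


if __name__ == "__main__":
    for ifl, inst in unbound_tunnel_units(SAMPLE_CONFIG):
        print(f"{ifl}: tunnel lookup uses {inst}, but unit is in no routing instance")
```

In the sample, unit 1 is reported because vpn-b lists only ge-0/0/1.0, so the tunnel's 192.168.20.1/30 prefix would sit in the default table rather than in the VPN.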