

Layer 3 VPN Configuration Guidelines

To configure Layer 3 virtual private network (VPN) functionality, you must enable VPN support on the provider edge (PE) router. You must also configure any provider (P) routers that service the VPN, and you must configure the customer edge (CE) routers so that their routes are distributed into the VPN.

To configure Layer 3 VPNs, you include statements at the [edit routing-instances] hierarchy level:

[edit]
routing-instances {
    routing-instance-name {
        description text;
        interface interface-name;
        instance-type vrf;
        route-distinguisher ( as-number:number | ip-address:number );
        vrf-import [ policy-names ];
        vrf-export [ policy-names ];
        vrf-table-label;
        protocols {
            bgp {
                bgp-configuration;
            }
            ospf {
                ospf-configuration;
            }
            pim {
                pim-configuration;
                vpn-group-address address;
            }
            rip {
                rip-configuration;
            }
        }
        routing-options {
            autonomous-system autonomous-system <loops number>;
            forwarding-table {
                export [ policy-names ];
            }
            interface-routes {
                rib-group group-name;
            }
            martians {
                destination-prefix match-type <allow>;
            }
            maximum-routes route-limit <log-only | threshold value>;
            options {
                syslog (level level | upto level);
            }
            rib routing-table {
                static {
                    defaults {
                        static-options;
                    }
                    route destination-prefix {
                        next-hop;
                        static-options;
                    }
                }
                martians {
                    destination-prefix match-type <allow>;
                }
                static {
                    defaults {
                        static-options;
                    }
                    route destination-prefix {
                        policy [ policy-names ];
                        static-options;
                    }
                }
            }
            router-id address;
            static {
                defaults {
                    static-options;
                }
                route destination-prefix {
                    policy [ policy-names ];
                    static-options;
                }
            }
        }
    }
}

For Layer 3 VPNs, only some of the statements in the [edit routing-instances] hierarchy are valid. For the full hierarchy, see the JUNOS Internet Software Configuration Guide: Routing and Routing Protocols.

In addition to these statements, you must enable a signaling protocol, internal Border Gateway Protocol (IBGP) sessions between the PE routers, and an interior gateway protocol (IGP) on the PE and provider routers.

By default, Layer 3 VPNs are disabled.
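
A filled-in instance of the hierarchy above, added here as an illustration and not taken from the JUNOS documentation. The instance and policy names, AS numbers, addresses, interface, and route limit are constructed placeholders; it covers only the routing instance and its import and export policies, not the signaling protocol, IBGP, or IGP configuration.

```junos
# Constructed example: every name, number, and address below is a placeholder.
routing-instances {
    VPN-A {
        description "Customer A VRF";
        interface so-0/0/0.0;              # CE-facing interface
        instance-type vrf;
        route-distinguisher 65000:100;
        vrf-import vpna-import;
        vrf-export vpna-export;
        protocols {
            bgp {
                group to-ce {
                    type external;
                    peer-as 65001;
                    neighbor 192.0.2.2;
                }
            }
        }
        routing-options {
            # Cap the routes held in this VRF; warn at 80 percent of the limit.
            maximum-routes 1000 threshold 80;
        }
    }
}
policy-options {
    community vpna-target members target:65000:100;
    policy-statement vpna-import {
        term vpna {
            from {
                protocol bgp;
                community vpna-target;
            }
            then accept;
        }
        term other {
            then reject;                   # routes without the VPN-A target stay out
        }
    }
    policy-statement vpna-export {
        term ce-routes {
            from protocol bgp;
            then {
                community add vpna-target;
                accept;
            }
        }
        term other {
            then reject;
        }
    }
}
```

The final reject term in each policy keeps the VRF's route exchange limited to routes carrying its own target community, and maximum-routes bounds how many routes a single customer can place in the PE router's table.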

This chapter describes the following tasks for configuring VPNs:

For configuration examples, see Layer 3 VPN Configuration Examples.

