

Example: Multiple-Instance LDP Configuration


Figure 20: Multiple-Instance LDP Topology Diagram

Figure 20 shows an example of a carrier-of-carriers network. CE3 and CE4 are end customer CE routers residing in AS 100. The VPN provider in AS 200 has three types of routers: PE3 and PE4 are PE routers that connect to the end customer, CE1 and CE2 act as the intermediate carrier CE routers, and P2 and P3 are internal transit routers. PE1 and PE2 in AS 300 are PE routers servicing the intermediate VPN provider, and P0 and P1 are transit routers for the top tier carrier.

To make this configuration work, you must complete three major tasks:

  1. Configure External BGP between the VPN customer CE and the VPN provider PE.
  2. Configure Internal BGP using the VPN family between both pairs of PE routers (one IBGP connection between PE1 and PE2 and a second IBGP connection between PE3 and PE4).
  3. Establish LDP and Interior Gateway Protocol (IGP) connections on all remaining links. This example uses OSPF as the IGP, but you can use the IGP of your choice.

Information supporting this carrier-of-carriers Multiple Instance LDP example is summarized in Table 13 and Table 14.


Table 13: Multiple Instance LDP Example—Routing Protocol Summary

| Connection | Protocols |
|---|---|
| CE3 - PE3 | EBGP family inet |
| PE3 - P2 - CE1 | OSPF and LDP |
| CE1 - PE1 | OSPF and LDP |
| PE1 - P0 - P1 - PE2 | OSPF and LDP |
| PE1 - PE2 | IBGP family inet-vpn |
| PE2 - CE2 | OSPF and LDP |
| CE2 - P3 - PE4 | OSPF and LDP |
| PE4 - CE4 | EBGP family inet |
| PE3 - PE4 | IBGP family inet-vpn |


Table 14: Multiple-Instance LDP Example—Loopback Addresses

| Router | Loopback Address |
|---|---|
| PE1 | 10.255.255.171 |
| PE2 | 10.255.255.172 |
| P0 | 10.255.255.173 |
| P1 | 10.255.255.174 |
| P2 | 10.255.255.175 |
| P3 | 10.255.255.176 |
| PE3 | 10.255.255.177 |
| PE4 | 10.255.255.178 |
| CE1 | 10.255.255.179 |
| CE2 | 10.255.255.180 |
| CE3 | 10.255.255.181, 10.49.100.1 |
| CE4 | 10.255.255.182, 10.49.200.1 |

Your configuration tasks start at CE3 and move router-by-router through the first part of the VPN provider network, into the carrier AS, through the second VPN provider cluster of AS 200, and end at the second VPN customer router CE4.

Since CE3 is the first customer router, configure EBGP between CE3 and the connected VPN provider router PE3. You must also advertise your loopback address into BGP with a routing policy to allow IP reachability with CE4.

CE3

[edit]
interfaces {
    so-1/2/0 {
        description "to pe3 so-1/2/0";
        unit 0 {
            family inet {
                address 192.255.198.14/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.255.255.181/32;
                address 10.49.100.1/32;
            }
        }
    }
}
routing-options {
    static {
        route 10.49.100.0/24 reject;
        route 10.49.101.0/24 reject;
    }
    autonomous-system 100;
}
protocols {
    bgp {
        group provider {
            type external;
            export static-to-bgp;
            peer-as 200;
            neighbor 192.255.198.13;
        }
    }
}
policy-options {
    policy-statement static-to-bgp {
        term 1 {
            from {
                protocol static;
                route-filter 10.49.100.0/24 exact;
                route-filter 10.49.101.0/24 exact;
            }
            then accept;
        }
        term 2 {
            from protocol direct;
            then accept;
        }
        term 3 {
            then reject;
        }
    }
}

On PE3, the configuration tasks are more involved. You need to complete the EBGP connection to CE3 in a VRF instance, enable MPLS and LDP on the interface pointing toward the VPN provider CE1 router, and configure a master instance of IBGP to reach PE4 at the far edge of AS 200.

Finally, set up an outbound VRF policy that places all BGP traffic and directly connected interfaces into a BGP community and an inbound VRF policy that accepts similar BGP community traffic from PE4.

PE3

[edit]
interfaces {
    so-1/2/0 {
        unit 0 {
            family inet {
                address 192.255.198.13/30;
            }
            family mpls;
        }
    }
    so-1/2/1 {
        description "to p2 so-1/2/1";
        unit 0 {
            family inet {
                address 192.255.198.9/30;
            }
            family mpls;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.255.255.177/32;
            }
        }
    }
}
routing-options {
    autonomous-system 200;
}
protocols {
    mpls {
        interface so-1/2/0.0;
    }
    bgp {
        group internal {
            type internal;
            local-address 10.255.255.177;
            peer-as 200;
            neighbor 10.255.255.178 {
                family inet-vpn {
                    unicast;
                }
            }
        }
    }
    ospf {
        area 0.0.0.0 {
            interface so-1/2/1.0;
            interface lo0.0 {
                passive;
            }
        }
    }
    ldp {
        interface so-1/2/1.0;
    }
}
policy-options {
    policy-statement vpn-customer-import {
        term 1 {
            from {
                protocol bgp;
                community vpn-customer-comm;
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }
    policy-statement vpn-customer-export {
        term 1 {
            from protocol [ bgp direct ];
            then {
                community add vpn-customer-comm;
                accept;
            }
        }
        term 2 {
            then reject;
        }
    }
    community vpn-customer-comm members target:200:100;
}
routing-instances {
    vpn-customer {
        instance-type vrf;
        interface so-1/2/0.0;
        route-distinguisher 10.255.255.177:1;
        vrf-import vpn-customer-import;
        vrf-export vpn-customer-export;
        protocols {
            bgp {
                group customer {
                    type external;
                    peer-as 100;
                    as-override;
                    neighbor 192.255.198.14;
                }
            }
        }
    }
}

On P2, enable LDP and the IGP used for transporting labels (in this case, OSPF). You will repeat these tasks on all transit core routers, both in the VPN provider network and the core carrier network.

P2

[edit]
interfaces {
    so-1/2/0 {
        description "to ce1 so-1/2/0";
        unit 0 {
            family inet {
                address 192.255.198.2/30;
            }
            family mpls;
        }
    }
    so-1/2/1 {
        description "to pe3 so-1/2/1";
        unit 0 {
            family inet {
                address 192.255.198.10/30;
            }
            family mpls;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.255.255.175/32;
            }
        }
    }
}
routing-options {
    autonomous-system 200;
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface so-1/2/0.0;
            interface so-1/2/1.0;
        }
    }
    ldp {
        interface so-1/2/0.0;
        interface so-1/2/1.0;
    }
}

For Router CE1, configure LDP and OSPF in the same manner that you configured the P2 router.

CE1

[edit]
interfaces {
    t3-0/1/0 {
        description "to pe1 t3-0/2/1";
        unit 0 {
            family inet {
                address 192.255.197.18/30;
            }
            family mpls;
        }
    }
    so-1/2/0 {
        description "to p2 so-1/2/0";
        unit 0 {
            family inet {
                address 192.255.198.1/30;
            }
            family mpls;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.255.255.179/32;
            }
        }
    }
}
routing-options {
    autonomous-system 200;
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface so-1/2/0.0;
            interface lo0.0 {
                passive;
            }
            interface t3-0/1/0.0;
        }
    }
    ldp {
        interface t3-0/1/0.0;
        interface so-1/2/0.0;
    }
}

On core carrier router PE1, configure a master instance for OSPF, LDP, MPLS, and IBGP (with the family inet-vpn option) to connect the router to neighbor PE2. Next, implement multiple-instance LDP by establishing a secondary instance. Enable LDP and OSPF in this instance for PE1 to communicate with CE1. MPLS is not required in the secondary instance.

Finally, set up an outbound VRF policy that places all LDP traffic coming from CE1 into a BGP community, an export policy that sends this community traffic to PE2, and an inbound VRF policy that accepts similar BGP community traffic from PE2. This step tunnels the VPN provider's LDP traffic into the carrier's BGP session.

PE1

[edit]
interfaces {
    so-0/0/0 {
        description "to p0 so-0/1/0";
        unit 0 {
            family inet {
                address 192.255.197.21/30;
            }
            family mpls;
        }
    }
    t3-0/2/1 {
        description "to ce1 t3-0/1/0";
        unit 0 {
            family inet {
                address 192.255.197.17/30;
            }
            family mpls;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.255.255.171/32;
            }
        }
    }
}
routing-options {
    autonomous-system 300;
}
protocols {
    mpls {
        interface t3-0/2/1.0;
    }
    bgp {
        group pe {
            type internal;
            local-address 10.255.255.171;
            family inet-vpn {
                unicast;
            }
            peer-as 300;
            neighbor 10.255.255.172;
        }
    }
    ospf {
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface so-0/0/0.0;
        }
    }
    ldp {
        interface so-0/0/0.0;
    }
}
policy-options {
    policy-statement vpn-provider-import {
        term 1 {
            from {
                protocol bgp;
                community vpn-provider-comm;
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }
    policy-statement vpn-provider-export {
        term 1 {
            from protocol ldp;
            then {
                community add vpn-provider-comm;
                accept;
            }
        }
        term 2 {
            then reject;
        }
    }
    policy-statement bgp-routes-to-export {
        term 1 {
            from {
                protocol bgp;
                community vpn-provider-comm;
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }
    community vpn-provider-comm members target:300:200;
}
routing-instances {
    vpn-provider {
        instance-type vrf;
        interface t3-0/2/1.0;
        route-distinguisher 10.255.255.171:1;
        vrf-import vpn-provider-import;
        vrf-export vpn-provider-export;
        protocols {
            ospf {
                export bgp-routes-to-export;
                area 0.0.0.0 {
                    interface t3-0/2/1.0;
                }
            }
            ldp {
                egress-policy bgp-routes-to-export;
                interface t3-0/2/1.0;
            }
        }
    }
}

On P0, enable LDP and OSPF in the same manner that you configured these protocols on P2. You will repeat these tasks on routers P1 and P3.

P0

[edit]
interfaces {
    so-0/1/0 {
        description "to pe1 so-0/0/0";
        unit 0 {
            family inet {
                address 192.255.197.22/30;
            }
            family mpls;
        }
    }
    so-1/0/0 {
        description "to p1 so-1/0/0";
        unit 0 {
            family inet {
                address 192.255.197.85/30;
            }
            family mpls;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.255.255.173/32;
            }
        }
    }
}
routing-options {
    autonomous-system 300;
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface so-0/1/0.0;
            interface so-1/0/0.0;
            interface lo0.0 {
                passive;
            }
        }
    }
    ldp {
        interface so-0/1/0.0;
        interface so-1/0/0.0;
    }
}

On P1, enable LDP and the IGP used for transporting labels (OSPF in this case).

P1

[edit]
interfaces {
    so-0/0/0 {
        description "to pe2 so-0/2/0";
        unit 0 {
            family inet {
                address 192.255.197.74/30;
            }
            family mpls;
        }
    }
    so-1/0/0 {
        description "to p0 so-1/0/0";
        unit 0 {
            family inet {
                address 192.255.197.86/30;
            }
            family mpls;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.255.255.174/32;
            }
        }
    }
}
routing-options {
    autonomous-system 300;
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface so-0/0/0.0;
            interface so-1/0/0.0;
            interface lo0.0 {
                passive;
            }
        }
    }
    ldp {
        interface so-0/0/0.0;
        interface so-1/0/0.0;
    }
}

Core carrier router PE2 is a mirror image of PE1. First, configure a master instance for OSPF, LDP, MPLS, and IBGP (with the family inet-vpn option) to connect PE2 to neighbor PE1. Next, implement multiple-instance LDP by establishing a secondary instance. Enable LDP and OSPF in this instance for PE2 to communicate with CE2. MPLS is not required in the secondary instance.

Finally, set up an outbound VRF policy that places all LDP traffic coming from CE2 into a BGP community, an export policy that sends this community traffic to PE1, and an inbound VRF policy that accepts similar BGP community traffic from PE1. This step tunnels the VPN provider's LDP traffic into the carrier's BGP session.

PE2

[edit]
interfaces {
    so-0/2/0 {
        description "to p1 so-0/0/0";
        unit 0 {
            family inet {
                address 192.255.197.73/30;
            }
            family mpls;
        }
    }
    t1-3/0/0 {
        description "to ce2 t1-0/0/0";
        unit 0 {
            family inet {
                address 192.255.197.37/30;
            }
            family mpls;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.255.255.172/32;
            }
        }
    }
}
routing-options {
    autonomous-system 300;
}
protocols {
    mpls {
        interface t1-3/0/0.0;
    }
    bgp {
        group pe {
            type internal;
            local-address 10.255.255.172;
            family inet-vpn {
                unicast;
            }
            peer-as 300;
            neighbor 10.255.255.171;
        }
    }
    ospf {
        area 0.0.0.0 {
            interface so-0/2/0.0;
            interface lo0.0 {
                passive;
            }
        }
    }
    ldp {
        interface so-0/2/0.0;
    }
}
policy-options {
    policy-statement vpn-provider-import {
        term 1 {
            from {
                protocol bgp;
                community vpn-provider-comm;
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }
    policy-statement vpn-provider-export {
        term 1 {
            from protocol ldp;
            then {
                community add vpn-provider-comm;
                accept;
            }
        }
        term 2 {
            then reject;
        }
    }
    policy-statement bgp-routes-to-export {
        term 1 {
            from {
                protocol bgp;
                community vpn-provider-comm;
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }
    community vpn-provider-comm members target:300:200;
}
routing-instances {
    vpn-provider {
        instance-type vrf;
        interface t1-3/0/0.0;
        route-distinguisher 10.255.255.172:1;
        vrf-import vpn-provider-import;
        vrf-export vpn-provider-export;
        protocols {
            ospf {
                export bgp-routes-to-export;
                area 0.0.0.0 {
                    interface t1-3/0/0.0;
                }
            }
            ldp {
                egress-policy bgp-routes-to-export;
                interface t1-3/0/0.0;
            }
        }
    }
}

For Router CE2, configure LDP and OSPF as you did on CE1 and the transit P routers.

CE2

[edit]
interfaces {
    t1-0/0/0 {
        description "to pe2 t1-3/0/0";
        unit 0 {
            family inet {
                address 192.255.197.38/30;
            }
            family mpls;
        }
    }
    t3-0/3/3 {
        description "to p3 t3-0/0/3";
        unit 0 {
            family inet {
                address 192.255.198.26/30;
            }
            family mpls;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.255.255.180/32;
            }
        }
    }
}
routing-options {
    autonomous-system 200;
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface t1-0/0/0.0;
            interface t3-0/3/3.0;
            interface lo0.0 {
                passive;
            }
        }
    }
    ldp {
        interface t1-0/0/0.0;
        interface t3-0/3/3.0;
    }
}

Since P3 is another core provider router, enable LDP and OSPF on all transit interfaces.

P3

[edit]
interfaces {
    t3-0/0/3 {
        description "to ce2 t3-0/3/3";
        unit 0 {
            family inet {
                address 192.255.198.25/30;
            }
            family mpls;
        }
    }
    t1-0/1/1 {
        description "to pe4 t1-0/1/1";
        unit 0 {
            family inet {
                address 192.255.198.37/30;
            }
            family mpls;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.255.255.176/32;
            }
        }
    }
}
routing-options {
    autonomous-system 200;
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface t3-0/0/3.0;
            interface t1-0/1/1.0;
            interface lo0.0 {
                passive;
            }
        }
    }
    ldp {
        interface t3-0/0/3.0;
        interface t1-0/1/1.0;
    }
}

On PE4, complete the IBGP connection initiated on PE3 to connect the edge routers in AS 200. Also, enable LDP and MPLS on the t1-0/1/1 interface pointing toward the VPN provider CE2 router and establish an EBGP connection to CE4 through use of a VRF instance.

Finally, set up an outbound VRF policy that places all BGP traffic and directly connected interfaces into a BGP community and an inbound VRF policy that accepts similar BGP community traffic from PE3.

PE4

[edit]
interfaces {
    t3-0/0/3 {
        description "to ce4 t3-0/0/3";
        unit 0 {
            family inet {
                address 192.255.198.21/30;
            }
            family mpls;
        }
    }
    t1-0/1/1 {
        unit 0 {
            family inet {
                address 192.255.198.38/30;
            }
            family mpls;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.255.255.178/32;
            }
        }
    }
}
routing-options {
    autonomous-system 200;
}
protocols {
    mpls {
        interface t3-0/0/3.0;
    }
    bgp {
        group internal {
            type internal;
            local-address 10.255.255.178;
            peer-as 200;
            neighbor 10.255.255.177 {
                family inet-vpn {
                    unicast;
                }
            }
        }
    }
    ospf {
        area 0.0.0.0 {
            interface t1-0/1/1.0;
            interface lo0.0 {
                passive;
            }
        }
    }
    ldp {
        interface t1-0/1/1.0;
    }
}
policy-options {
    policy-statement vpn-customer-import {
        term 1 {
            from {
                protocol bgp;
                community vpn-customer-comm;
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }
    policy-statement vpn-customer-export {
        term 1 {
            from protocol [ bgp direct ];
            then {
                community add vpn-customer-comm;
                accept;
            }
        }
        term 2 {
            then reject;
        }
    }
    community vpn-customer-comm members target:200:100;
}
routing-instances {
    vpn-customer {
        instance-type vrf;
        interface t3-0/0/3.0;
        route-distinguisher 10.255.255.178:1;
        vrf-import vpn-customer-import;
        vrf-export vpn-customer-export;
        protocols {
            bgp {
                group customer {
                    type external;
                    peer-as 100;
                    as-override;
                    neighbor 192.255.198.22;
                }
            }
        }
    }
}

CE4 is the destination VPN customer router. Configure EBGP between CE4 and the connected VPN provider router PE4 to complete the configuration. Remember to advertise the loopback address into BGP by using a routing policy to allow IP reachability with CE3.

CE4

[edit]
interfaces {
    t3-0/0/3 {
        description "to pe4 t3-0/0/3";
        unit 0 {
            family inet {
                address 192.255.198.22/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.255.255.182/32;
                address 10.49.200.1/32;
            }
        }
    }
}
routing-options {
    static {
        route 10.49.200.0/24 reject;
        route 10.49.201.0/24 reject;
    }
    autonomous-system 100;
}
protocols {
    bgp {
        group provider {
            type external;
            export static-to-bgp;
            peer-as 200;
            neighbor 192.255.198.21;
        }
    }
}
policy-options {
    policy-statement static-to-bgp {
        term 1 {
            from {
                protocol static;
                route-filter 10.49.200.0/24 exact;
                route-filter 10.49.201.0/24 exact;
            }
            then accept;
        }
        term 2 {
            from protocol direct;
            then accept;
        }
        term 3 {
            then reject;
        }
    }
}
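
The VRF import and export policies on each PE pair only exchange routes when both ends agree on the route target (target:300:200 between PE1 and PE2, target:200:100 between PE3 and PE4), and a mismatch or an unintended match is what breaks or leaks a VPN. The following Python check is an added example, not part of the original configuration: it parses the curly-brace configuration, rejects unbalanced braces, and reports any route target that one PE's vrf-export policy adds but the peer's vrf-import policy does not match. The function names and the PE_VRF sample are assumptions of this example, and it matches `from community` and `community add` statements without evaluating term order.

```python
import re

def parse_junos(text):
    """Parse curly-brace Junos config into nested dicts; leaf statements map to None."""
    stack, words = [{}], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok == "{":
            stack.append(stack[-1].setdefault(" ".join(words), {}))
            words = []
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unmatched '}'")
            stack.pop()
        elif tok == ";":
            stack[-1][" ".join(words)] = None
            words = []
        else:
            words.append(tok)
    if len(stack) != 1:
        raise ValueError("missing '}'")
    return stack[0]

def leaves(node, prefix=""):
    """Yield each leaf statement with its full path, e.g. 'term 1 then accept'."""
    for key, child in node.items():
        yield from [prefix + key] if child is None else leaves(child, prefix + key + " ")

def vrf_targets(cfg):
    """Map each VRF to (targets its vrf-import matches, targets its vrf-export adds)."""
    pol = cfg.get("policy-options", {})
    members = {m[1]: set(m[2].strip("[] ").split())
               for m in (re.fullmatch(r"community (\S+) members (.+)", s) for s in pol) if m}
    def targets(policy, pattern):  # simplification: term order is not evaluated
        body = pol.get("policy-statement " + policy) or {}
        names = re.findall(pattern, "\n".join(leaves(body)))
        return set().union(*(members.get(n, set()) for n in names))
    out = {}
    for name, inst in cfg.get("routing-instances", {}).items():
        if "instance-type vrf" in inst:
            ref = dict(s.split(" ", 1) for s in inst if s.startswith("vrf-") and " " in s)
            out[name] = (targets(ref.get("vrf-import", ""), r"from community (\S+)"),
                         targets(ref.get("vrf-export", ""), r"then community add (\S+)"))
    return out

def rt_mismatches(cfg_a, cfg_b):
    """Route targets one PE exports that the peer's same-named VRF does not import."""
    a, b = vrf_targets(cfg_a), vrf_targets(cfg_b)
    found = []
    for vrf in sorted(a.keys() & b.keys()):
        for side, exp, imp in (("A->B", a[vrf][1], b[vrf][0]), ("B->A", b[vrf][1], a[vrf][0])):
            found += [(vrf, side, rt) for rt in sorted(exp - imp)]
    return found

# Constructed sample: the VRF stanzas of PE1/PE2 from this page, compacted; %s is the target.
PE_VRF = """
policy-options {
    policy-statement vpn-provider-import {
        term 1 { from { protocol bgp; community vpn-provider-comm; } then accept; }
        term 2 { then reject; }
    }
    policy-statement vpn-provider-export {
        term 1 { from protocol ldp; then { community add vpn-provider-comm; accept; } }
        term 2 { then reject; }
    }
    community vpn-provider-comm members %s;
}
routing-instances {
    vpn-provider { instance-type vrf; vrf-import vpn-provider-import; vrf-export vpn-provider-export; }
}
"""
```

Calling `rt_mismatches(parse_junos(PE_VRF % "target:300:200"), parse_junos(PE_VRF % "target:300:201"))` returns one finding per direction, while two copies with target:300:200 return an empty list.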
