

Example: SCU in a Layer 3 VPN Configuration


Figure 28: SCU in a Layer 3 VPN Topology Diagram

Figure 28 displays a Layer 3 VPN topology. CE1 and CE2 are customer edge (CE) routers connected by a VPN through provider routers PE1, P0, and PE2. EBGP is established between routers CE1 and PE1; IBGP connects routers PE1 and PE2 over an IS-IS/MPLS/LDP core; and a second EBGP connection flows between routers PE2 and CE2.

On router CE1, begin your VPN by setting up an EBGP connection to PE1. Install a static route of 10.114.1.0/24 and advertise this route to your EBGP neighbor.

CE1

[edit]
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.20.250.1/30;
            }
        }
    }
}
routing-options {
    static {
        route 10.114.1.0/24 reject;
    }
    autonomous-system 100;
}
protocols {
    bgp {
        group to-pe1 {
            local-address 10.20.250.1;
            export inject-direct;
            peer-as 300;
            neighbor 10.20.250.2;
        }
    }
}
policy-options {
    policy-statement inject-direct {
        term 1 {
            from {
                protocol static;
                route-filter 10.114.1.0/24 exact;
            }
            then accept;
        }
        term 2 {
            from protocol direct;
            then accept;
        }
    }
}

On PE1, complete the EBGP connection to CE1 through a VRF routing instance. Set an export policy for your VRF instance that adds BGP routes to a community, and an import policy that accepts routes carrying the same community from your VPN neighbor. Lastly, configure an IBGP relationship to router PE2 that runs over an IS-IS, MPLS, and LDP core.

PE1

[edit]
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.20.250.2/30;
            }
        }
    }
    so-0/2/1 {
        unit 0 {
            family inet {
                address 10.20.251.1/30;
            }
            family iso;
            family mpls;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.250.245.245/32;
            }
            family iso;
            family mpls;
        }
    }
}
routing-options {
    autonomous-system 300;
}
protocols {
    mpls {
        interface so-0/2/1;
    }
    bgp {
        group ibgp {
            type internal;
            local-address 10.250.245.245;
            family inet-vpn {
                unicast;
            }
            neighbor 10.250.71.14;
        }
    }
    isis {
        interface so-0/2/1;
    }
    ldp {
        interface so-0/2/1;
    }
}
policy-options {
    policy-statement red-import {
        from {
            protocol bgp;
            community red-com;
        }
        then accept;
    }
    policy-statement red-export {
        from protocol bgp;
        then {
            community add red-com;
            accept;
        }
    }
    community red-com members target:20:20;
}
routing-instances {
    red {
        instance-type vrf;
        interface ge-0/0/1.0;
        route-distinguisher 10.250.245.245:100;
        vrf-import red-import;
        vrf-export red-export;
        protocols {
            bgp {
                group to-ce1 {
                    local-address 10.20.250.2;
                    peer-as 100;
                    neighbor 10.20.250.1;
                }
            }
        }
    }
}

On P0, connect the IBGP neighbors located at PE1 and PE2. Remember to include VPN-related protocols (MPLS, LDP, and IGP) on all interfaces.

P0

[edit]
interfaces {
    so-0/1/0 {
        unit 0 {
            family inet {
                address 10.20.252.1/30;
            }
            family iso;
            family mpls;
        }
    }
    so-0/2/0 {
        unit 0 {
            family inet {
                address 10.20.251.2/30;
            }
            family iso;
            family mpls;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.250.245.246/32;
            }
            family iso;
            family mpls;
        }
    }
}
routing-options {
    autonomous-system 300;
}
protocols {
    mpls {
        interface so-0/1/0;
        interface so-0/2/0;
    }
    isis {
        interface all;
    }
    ldp {
        interface all;
    }
}

On PE2, complete the IBGP relationship to router PE1. Establish an EBGP connection to CE2 through a VRF routing instance. Set an export policy for the VRF instance that adds BGP routes to a community, and an import policy that accepts routes carrying the same community from the VPN neighbor. Next, establish a policy that adds the static route from CE1 to a source class called GOLD1. Also, export this SCU policy into the forwarding table. Finally, set your vt interface as the SCU input interface and establish the CE-facing interface so-0/0/0 as the SCU output interface.

PE2

[edit]
interfaces {
    so-0/1/1 {
        unit 0 {
            family inet {
                address 10.20.252.2/30;
            }
            family iso;
            family mpls;
        }
    }
    so-0/0/0 {
        unit 0 {
            family inet {
                accounting {
                    source-class-usage {
                        output;
                    }
                }
                address 10.20.253.1/30;
            }
        }
    }
    vt-4/1/0 {
        unit 0 {
            family inet {
                accounting {
                    source-class-usage {
                        input;
                    }
                }
                address 10.250.71.14/32;
            }
            family iso;
            family mpls;
        }
    }
}
routing-options {
    autonomous-system 300;
    forwarding-table {
        export inject-customer2-dest-class;
    }
}
protocols {
    mpls {
        interface so-0/1/1;
        interface vt-4/1/0;
    }
    bgp {
        group ibgp {
            type internal;
            local-address 10.250.71.14;
            family inet-vpn {
                unicast;
            }
            neighbor 10.250.245.245;
        }
    }
    isis {
        interface so-0/1/1;
    }
    ldp {
        interface so-0/1/1;
    }
}
routing-instances {
    red {
        instance-type vrf;
        interface so-0/0/0.0;
        interface vt-4/1/0.0;
        route-distinguisher 10.250.71.14:100;
        vrf-import red-import;
        vrf-export red-export;
        protocols {
            bgp {
                group to-ce2 {
                    local-address 10.20.253.1;
                    peer-as 400;
                    neighbor 10.20.253.2;
                }
            }
        }
    }
}
policy-options {
    policy-statement red-import {
        from {
            protocol bgp;
            community red-com;
        }
        then accept;
    }
    policy-statement red-export {
        from protocol bgp;
        then {
            community add red-com;
            accept;
        }
    }
    policy-statement inject-customer2-dest-class {
        term term-gold1-traffic {
            from {
                route-filter 10.114.1.0/24 exact;
            }
            then source-class GOLD1;
        }
    }
    community red-com members target:20:20;
}
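
The PE2 steps above have three parts that must all be present: a forwarding-table export policy that assigns a source class, an SCU input interface, and an SCU output interface. The following Python check is an added example, not part of the original documentation; it parses a Junos configuration and reports which of those parts are missing. The embedded configuration is a constructed excerpt of the PE2 listing, the function names are hypothetical, and one policy name per export statement is assumed.

```python
import re

# Constructed sample: only the SCU-relevant statements of the PE2 configuration above.
PE2_CONFIG = """
interfaces {
    so-0/0/0 { unit 0 { family inet { accounting { source-class-usage { output; } } } } }
    vt-4/1/0 { unit 0 { family inet { accounting { source-class-usage { input; } } } } }
}
routing-options { forwarding-table { export inject-customer2-dest-class; } }
policy-options { policy-statement inject-customer2-dest-class { term term-gold1-traffic {
    from { route-filter 10.114.1.0/24 exact; } then source-class GOLD1;
} } }
"""

def parse(text):  # nested dicts, leaf statement -> None; an unclosed block raises
    stack, name = [{}], ""
    for tok in re.findall(r"[{};]|[^{};]+", text):
        if tok == "{":
            stack.append(stack[-1].setdefault(name, {}))
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            stack[-1][name] = None
        else:
            name = " ".join(tok.split())
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return stack[0]

def dig(node, *path):  # follow path; a missing or leaf node yields {}
    for key in path:
        node = (node or {}).get(key)
    return node or {}

def assigns_class(node):  # does any statement below node end in "source-class <name>"?
    return any(re.search(r"(^| )source-class \S+$", k) or assigns_class(v or {})
               for k, v in node.items())

def scu_problems(cfg):  # the prerequisites named in the text that cfg does not meet
    problems = []
    ft = dig(cfg, "routing-options", "forwarding-table")
    exports = ["policy-statement " + k.split()[1] for k in ft if k.startswith("export ")]
    if not any(assigns_class(dig(cfg, "policy-options", p)) for p in exports):
        problems.append("no forwarding-table export policy assigns a source class")
    units = [u for ifd in dig(cfg, "interfaces").values() for u in (ifd or {}).values()]
    for direction in ("input", "output"):
        if not any(direction in dig(u, "family inet", "accounting", "source-class-usage")
                   for u in units):
            problems.append(f"no interface with source-class-usage {direction}")
    return problems
```

Run `scu_problems(parse(text))` against the saved configuration text of a router; an empty list means all three parts are configured.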

On router CE2, complete the VPN path by finishing the EBGP connection to PE2.

CE2

[edit]
interfaces {
    so-0/0/1 {
        unit 0 {
            family inet {
                address 10.20.253.2/30;
            }
        }
    }
}
routing-options {
    autonomous-system 400;
}
protocols {
    bgp {
        group to-pe2 {
            local-address 10.20.253.2;
            export inject-direct;
            peer-as 300;
            neighbor 10.20.253.1;
        }
    }
}
policy-options {
    policy-statement inject-direct {
        from {
            protocol direct;
        }
        then accept;
    }
}
