Configuring Layer 3 VPNs

To configure Layer 3 virtual private network (VPN) functionality, you must enable VPN support on the provider edge (PE) router. You must also configure any provider (P) routers that service the VPN, and you must configure the customer edge (CE) routers so that their routes are distributed into the VPN.

To configure Layer 3 VPNs, you include the following statements:

description text;

interface interface-name;

instance-type vrf;

route-distinguisher ( as-number:number | ip-address:number );

vrf-import [ policy-names ];

vrf-export [ policy-names ];

vrf-target ( community-name | export community-name | import community-name );

vrf-table-label;

protocols {

    bgp {

        bgp-configuration;

    }

    ospf {

        ospf-configuration;

    }

    pim {

        pim-configuration;

        vpn-group-address address;

    }

    rip {

        rip-configuration;

    }

}

routing-options {

    autonomous-system autonomous-system {

        independent-domain;

        loops number;

    }

    forwarding-table {

        export [ policy-names ];

    } 

    interface-routes {

        rib-group group-name;

    }

    martians {

        destination-prefix match-type <allow>; 

    }

    maximum-routes route-limit <log-only | threshold value>;

    options {

        syslog (level level | upto level);

    }

    rib routing-table {

        static {

            defaults {

                static-options;

            }

            route destination-prefix {

                next-hop; 

                static-options; 

                }

            }

        }

        martians {

            destination-prefix match-type <allow>; 

        }

    }

    router-id address;

    static {

        defaults {

            static-options;

        }

        route destination-prefix {

            policy [ policy-names ];

            static-options;

        }

    }

}

You can include these statements at the following hierarchy levels:

• [edit routing-instances routing-instance-name]
• [edit logical-routers logical-router-name routing-instances routing-instance-name]

For Layer 3 VPNs, only some of the statements in the [edit routing-instances] hierarchy are valid. For the full hierarchy, see the JUNOS Routing Protocols Configuration Guide.

In addition to these statements, you must enable a signaling protocol, internal Border Gateway Protocol (IBGP) sessions between the PE routers, and an interior gateway protocol (IGP) on the PE and P routers.

By default, Layer 3 VPNs are disabled.

Many of the configuration procedures for Layer 3 VPNs are common to all types of VPNs. These procedures are described in detail in Configuring VPNs and include the following:

• Enabling a Signaling Protocol on the PE Routers
• Configuring an IGP on the PE and P Routers
• Configuring an IBGP Session Between PE Routers
• Configuring a VPN Routing Instance on the PE Routers
• Configuring Graceful Restart

This chapter describes how to configure Layer 3 VPNs, discussing the following topics:

• Configuring VPN Routing Between the PE and CE Routers
• Configuring Layer 3 VPNs to Carry IBGP Traffic
• Filtering Traffic Based on the IP Header
• Configuring a VPN Tunnel for VRF Table Lookup
• Configuring a Logical Unit on the Loopback Interface
• Configuring Multicast over Layer 3 VPNs
• Configuring Packet Forwarding for Layer 3 VPNs
• Configuring GRE Tunnels for Layer 3 VPNs
• Configuring an ES Tunnel Interface for Layer 3 VPNs
• Configuring IPSec Instead of MPLS Between PE Routers
• Configuring SCU and DCU for Layer 3 VPNs
• Protocol-Independent Load Balancing for Layer 3 VPNs

For configuration examples, see Layer 3 VPN Configuration Examples and Layer 3 VPN Internet Access Examples.