Example: Tunneling IPv6 Traffic over MPLS IPv4 Networks
This example shows how to configure Junos OS to tunnel IPv6 over an MPLS-based IPv4 network. External BGP (EBGP) is used between the customer edge (CE) and provider edge (PE) devices. The remote CE devices have different AS numbers for loop detection.
No special configuration beyond device initialization is required before you configure this example.
Detailed information about the Juniper Networks implementation of IPv6 over MPLS is described in the following Internet drafts:
Internet draft draft-ietf-l3vpn-bgp-ipv6-07.txt, BGP-MPLS IP VPN extension for IPv6 VPN (expires January 2006)
Internet draft draft-ooms-v6ops-bgp-tunnel-06.txt, Connecting IPv6 Islands over IPv4 MPLS using IPv6 Provider Edge Routers (expires July 2006)
These Internet drafts are available on the IETF website at http://www.ietf.org/.
This example shows you how to interconnect a two IPv6 networks over an IPv4-based network core, giving you the ability to provide IPv6 service without having to upgrade the routers in your core network. Multiprotocol Border Gateway Protocol (MP-BGP) is configured to exchange routes between the IPv6 networks, and data is tunneled between these IPv6 networks by means of IPv4-based MPLS.
In Figure 1, PE1 and PE2 are dual-stack BGP routers or switches, meaning they have both IPv4 and IPv6 stacks. The PE devices link the IPv6 networks through the customer edge (CE) routers or switches to the IPv4 core network. The CE devices and the PE devices connect through a link layer that can carry IPv6 traffic. The PE devices use IPv6 on the CE router-facing interfaces and use IPv4 and MPLS on the core-facing interfaces. Note that one of the connected IPv6 networks could be the global IPv6 Internet.
The two PE devices are linked through an MP-BGP session using IPv4 addresses. They use the session to exchange IPv6 routes with an IPv6 (value 2) address family indicator (AFI) and a subsequent AFI (SAFI) (value 4). Each PE router sets the next hop for the IPv6 routes advertised on this session to its own IPv4 address. Because MP-BGP requires the BGP next hop to correspond to the same address family as the network layer reachability information (NLRI), this IPv4 address needs to be embedded within an IPv6 format.
The PE devices can learn the IPv6 routes from the CE devices connected to them using MP-BGP or through static configuration. Note that if BGP is used as the PE-router-to-CE-router protocol, the MP-BGP session between the PE device and CE device could occur over an IPv4 or IPv6 Transmission Control Protocol (TCP) session. Also, the BGP routes exchanged on that session would have SAFI unicast. You must configure an export policy to pass routes between IBGP and EBGP, and between BGP and any other protocol.
The PE routers have MPLS LSPs routed to each others’ IPv4 addresses. IPv4 provides signaling for the LSPs by means of RSVP. These LSPs are used to resolve the next-hop addresses of the IPv6 routes learned from MP-BGP. The next hops use IPv4-mapped IPv6 addresses, while the LSPs use IPv4 addresses.
The PE devices always advertise IPv6 routes to each other using a label value of 2, the explicit null label for IPv6 as defined in RFC 3032, MPLS Label Stack Encoding. As a consequence, each of the forwarding next hops for the IPv6 routes learned from remote PE routers normally push two labels. The inner label is 2 (this label could be different if the advertising PE device is not a Juniper Networks routing or switching platform), and the outer label is the LSP label. If the LSP is a single-hop LSP, then only Label 2 is pushed.
It is also possible for the PE devices to exchange plain IPv6 routes using SAFI unicast. However, there is one major advantage in exchanging labeled IPv6 routes. The penultimate-hop router for an MPLS LSP can pop the outer label and then send the packet with the inner label as an MPLS packet. Without the inner label, the penultimate-hop router would need to discover whether the packet is an IPv4 or IPv6 packet to set the protocol field in the Layer 2 header correctly.
When the PE1 device in Figure 1 receives an IPv6 packet from the CE1 device, it performs a lookup in the IPv6 forwarding table. If the destination matches a prefix learned from the CE2 device, then no labels need to be pushed and the packet is simply sent to the CE2 device. If the destination matches a prefix that was learned from the PE2 device, then the PE1 router pushes two labels onto the packet and sends it to the Provider router. The inner label is 2 and the outer label is the LSP label for the PE2 router.
Each provider router in the service provider’s network handles the packet as it would any MPLS packet, swapping labels as it passes from provider router to provider router. The penultimate-hop provider router for the LSP pops the outer label and sends the packet to the PE2 router. When the PE2 router receives the packet, it recognizes the IPv6 explicit null label on the packet (Label 2). It pops this label and treats it as an IPv6 packet, performing a lookup in the IPv6 forwarding table and forwarding the packet to the CE3 router.
This example includes the following settings:
In addition to configuring the family inet6 statement on all the CE router–facing interfaces, you must also configure the statement on all the core-facing interfaces running MPLS. Both configurations are necessary because the router must be able to process any IPv6 packets it receives on these interfaces. You should not see any regular IPv6 traffic arrive on these interfaces, but you will receive MPLS packets tagged with Label 2. Even though Label 2 MPLS packets are sent in IPv4, these packets are treated as native IPv6 packets.
You enable IPv6 tunneling by including the ipv6-tunneling statement in the configuration for the PE routers. This statement allows IPv6 routes to be resolved over an MPLS network by converting all routes stored in the inet.3 routing table to IPv4-mapped IPv6 addresses and then copying them into the inet6.3 routing table. This routing table can be used to resolve next hops for both inet6 and inet6-vpn routes.
BGP automatically runs its import policy even when copying routes from a primary routing table group to a secondary routing table group. If IPv4 labeled routes arrive from a BGP session (for example, when you have configured the labeled-unicast statement at the [edit protocols bgp family inet] hierarchy level on the PE router), the BGP neighbor’s import policy also accepts IPv6 routes, since the neighbor’s import policy is run while doing the copy operation to the inet6.3 routing table.
When you configure MP-BGP to carry IPv6 traffic, the IPv4 MPLS label is removed at the destination PE router. The remaining IPv6 packet without a label can then be forwarded to the IPv6 network. To enable this, include the explicit-null statement in the BGP configuration.
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the  hierarchy level.
Configuring Device PE1
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure Device PE1:
- Configure the interfaces.[edit interfaces]user@PE1# set xe-0/0/5 unit 2 family inet6 address ::10.1.1.2/126user@PE1# set xe-0/0/5 unit 2 family mplsuser@PE1# set xe-0/0/6 unit 5 family inet address 10.1.1.5/30user@PE1# set xe-0/0/6 unit 5 family inet6user@PE1# set xe-0/0/6 unit 5 family mplsuser@PE1# set lo0 unit 2 family inet address 22.214.171.124/32
- Configure MPLS on the interfaces.[edit protocols mpls]user@PE1# set ipv6-tunnelinguser@PE1# set interface xe-0/0/5.2user@PE1# set interface xe-0/0/6.5
- Configure BGP.[edit protocols bgp]user@PE1# set group toCE1 type externaluser@PE1# set group toCE1 local-address ::10.1.1.2user@PE1# set group toCE1 family inet6 unicastuser@PE1# set group toCE1 export send-bgp6user@PE1# set group toCE1 peer-as 1user@PE1# set group toCE1 neighbor ::10.1.1.1user@PE1# set group toPE2 type internaluser@PE1# set group toPE2 local-address 126.96.36.199user@PE1# set group toPE2 family inet6 labeled-unicast explicit-nulluser@PE1# set group toPE2 export next-hop-selfuser@PE1# set group toPE2 export send-v6user@PE1# set group toPE2 neighbor 188.8.131.52
- Configure OSPF[edit protocols ospf area 0.0.0.0]user@PE1# set interface xe-0/0/6.5user@PE1# set interface lo0.2 passive
- Configure a signaling protocol. [edit protocols]user@PE1# set rsvp interface xe-0/0/6.5
- Configure the routing policies.[edit policy-options]user@PE1# set policy-statement next-hop-self then next-hop selfuser@PE1# set policy-statement send-bgp6 from family inet6user@PE1# set policy-statement send-bgp6 from protocol bgpuser@PE1# set policy-statement send-bgp6 then acceptuser@PE1# set policy-statement send-v6 from family inet6user@PE1# set policy-statement send-v6 from protocol bgpuser@PE1# set policy-statement send-v6 from protocol directuser@PE1# set policy-statement send-v6 then accept
- Configure the router ID and the autonomous system (AS)
number.[edit routing-options]user@PE1# set router-id 184.108.40.206user@PE1# set autonomous-system 2
From configuration mode, confirm your configuration by entering the show interfaces, show policy-options, show protocols, and show routing-options commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
If you are done configuring the device, enter commit from configuration mode.
Configure the other devices in the topology, as shown in CLI Quick Configuration.
Confirm that the configuration is working properly.
Verifying That the CE Devices Have Connectivity
Make sure that the tunnel is operating.
From operational mode, enter the ping command.
user@CE1> ping ::10.1.1.14
PING6(56=40+8+8 bytes) ::10.1.1.1 --> ::10.1.1.14 16 bytes from ::10.1.1.14, icmp_seq=0 hlim=61 time=10.687 ms 16 bytes from ::10.1.1.14, icmp_seq=1 hlim=61 time=9.239 ms 16 bytes from ::10.1.1.14, icmp_seq=2 hlim=61 time=1.842 ms
user@CE3> ping ::10.1.1.1
PING6(56=40+8+8 bytes) ::10.1.1.14 --> ::10.1.1.1 16 bytes from ::10.1.1.1, icmp_seq=0 hlim=61 time=1.484 ms 16 bytes from ::10.1.1.1, icmp_seq=1 hlim=61 time=1.338 ms 16 bytes from ::10.1.1.1, icmp_seq=2 hlim=61 time=1.351 ms
The IPv6 CE devices can communicate over the core IPv4 network.