Configuring an MPLS-Based Layer 3 VPN (CLI Procedure)
You can configure MPLS-based Layer 3 virtual private networks (VPNs) on EX8200 and EX4500 switches. Layer 3 VPNs leverage the service provider’s technical expertise for site-to-site routing.
To configure Layer 3 VPN functionality in your MPLS network, you must enable Layer 3 VPN support on the local and remote provider edge (PE) switches as described in this task.
Before you configure the Layer 3 VPN components, you must configure the basic components for an MPLS network:
- Configure two PE switches. See Configuring MPLS on Provider Edge Switches Using IP Over MPLS (CLI Procedure).
- Configure one or more provider switches. See Configuring MPLS on EX8200 and EX4500 Provider Switches (CLI Procedure).
A Layer 3 VPN requires that the PE switches be configured using IP over MPLS.
Configure the Layer 3 VPN components on both PE switches. This procedure describes how to configure one PE switch. Repeat the procedure to configure the remote PE switch.
When you configure the remote PE switch, the information specified for the routing instance must be configured the same as the information specified for the routing instance on the local PE switch. You must also specify the same BGP group name. The following statements will have different values on the remote PE switch from those on the local PE switch:
To configure an MPLS-based Layer 3 VPN on the PE switch:
- Configure BGP, specifying the loopback address as the local address and specifying family inet-vpn unicast:
[edit protocols bgp]
user@switch# set local-address address family inet-vpn unicast
- Configure the BGP group, specifying the group name and type internal:
- Configure the BGP neighbor, specifying the loopback address of the remote PE switch as the neighbor’s address:
[edit protocols bgp]
user@switch# set group group-name neighbor address
- Configure the routing instance, specifying the routing-instance name and using vrf as the instance type:
user@switch# set routing-instances routing-instance-name instance-type vrf
- Configure a description for this routing instance:
user@switch# set routing-instances routing-instance-name description text
- Configure the routing instance to use a route distinguisher:
Each routing instance that you configure on a PE switch must have a unique route distinguisher associated with it. VPN routing instances must have a route distinguisher to allow BGP to distinguish between potentially identical network layer reachability information (NLRI) messages received from different VPNs. If you configure different VPN routing instances with the same route distinguisher, the commit fails.
user@switch# set routing-instances routing-instance-name route-distinguisher ip-address:number
- Configure the VPN routing and forwarding (VRF) target of the routing instance:
user@switch# set routing-instances routing-instance-name vrf-target community
If you configure the community option only, default VRF import and export policies are generated that accept and tag routes with the specified target community. You can create more complex policies by explicitly configuring VRF import and export policies using the import and export options. See the Junos OS VPNs Configuration Guide.
- Configure this routing instance with vrf-table-label, which maps the inner label of a packet to a specific VPN routing and forwarding (VRF) table and allows the examination of the encapsulated
user@switch# set routing-instances routing-instance-name vrf-table-label
- (Optional) Configure the routing options:
We recommend that you configure the router identifier under the [edit routing-options] hierarchy level to avoid unpredictable behavior if the interface address on a loopback interface changes.
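The route-distinguisher and vrf-target rules from the steps above can be checked before a commit. The following is an added example, not Juniper's code: it audits `show configuration | display set` output for VRF instances that reuse a route distinguisher, lack a target, or share a vrf-target on the same switch (which makes the generated default policies import each other's routes). The sample configuration, instance names, addresses and communities are constructed, and only the community-only form of vrf-target is handled.

```python
import re
from collections import defaultdict

# Constructed "display set" output; every name, address and community is made up.
SAMPLE = """\
set protocols bgp group ibgp-pe neighbor 10.255.0.2
set routing-instances vpn-red instance-type vrf
set routing-instances vpn-red route-distinguisher 10.255.0.1:100
set routing-instances vpn-red vrf-target target:65000:100
set routing-instances vpn-red vrf-table-label
set routing-instances vpn-blue instance-type vrf
set routing-instances vpn-blue route-distinguisher 10.255.0.1:100
set routing-instances vpn-blue vrf-target target:65000:100
set routing-instances vpn-green instance-type vrf
set routing-instances vpn-green route-distinguisher 10.255.0.1:300
"""

STATEMENT = re.compile(r"^set routing-instances (\S+) (\S+)(?: (.+))?$")

def parse_instances(config):
    """Return {instance name: {statement: value}}; flag statements map to None."""
    instances = defaultdict(dict)
    for line in config.splitlines():
        match = STATEMENT.match(line.strip())
        if match:
            name, statement, value = match.groups()
            instances[name][statement] = value
    return dict(instances)

def audit_vrfs(config):
    """Return sorted findings for instances whose instance-type is vrf."""
    findings = []
    by_rd, by_target = defaultdict(list), defaultdict(list)
    for name, stmts in parse_instances(config).items():
        if stmts.get("instance-type") != "vrf":
            continue
        if "route-distinguisher" in stmts:
            by_rd[stmts["route-distinguisher"]].append(name)
        else:
            findings.append(f"{name}: no route-distinguisher")
        if "vrf-target" in stmts:
            by_target[stmts["vrf-target"]].append(name)
        elif not {"vrf-import", "vrf-export"} <= stmts.keys():
            findings.append(f"{name}: no vrf-target and no vrf-import/vrf-export pair")
    for label, index in (("route-distinguisher", by_rd), ("vrf-target", by_target)):
        for value, names in index.items():
            if len(names) > 1:
                findings.append(f"{label} {value} shared by {', '.join(sorted(names))}")
    return sorted(findings)
```

Calling `audit_vrfs(SAMPLE)` reports the reused route distinguisher, the missing target on vpn-green, and the vrf-target shared by vpn-red and vpn-blue.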