Configuring an MPLS-Based Layer 3 VPN (CLI Procedure)


You can configure MPLS-based Layer 3 virtual private networks (VPNs) on EX8200 and EX4500 switches. Layer 3 VPNs leverage the service provider’s technical expertise for site-to-site routing.

To configure Layer 3 VPN functionality in your MPLS network, you must enable Layer 3 VPN support on the local and remote provider edge (PE) switches as described in this task.

Before you configure the Layer 3 VPN components, you must configure the basic components for an MPLS network:


A Layer 3 VPN requires that the PE switches be configured using IP over MPLS.

Configure the Layer 3 VPN components on both PE switches. This procedure describes how to configure one PE switch. Repeat the procedure to configure the remote PE switch.


When you configure the remote PE switch, the information specified for the routing instance must be configured the same as the information specified for the routing instance on the local PE switch. You must also specify the same BGP group name. The following statements will have different values on the remote PE switch from those on the local PE switch:

  • local-address

  • neighbor

To configure an MPLS-based Layer 3 VPN on the PE switch:

  1. Configure BGP, specifying the loopback address as the local address and specifying family inet-vpn unicast:
    [edit protocols bgp]

    user@switch# set local-address address family inet-vpn unicast
  2. Configure the BGP group, specifying the group name and type internal:
    [edit protocols bgp]

    user@switch# set group group-name type internal
  3. Configure the BGP neighbor, specifying the loopback address of the remote PE switch as the neighbor’s address:
    [edit protocols bgp]

    user@switch# set neighbor address
  4. Configure the routing instance, specifying the routing-instance name and using vrf as the instance type:

    user@switch# set routing-instances routing-instance-name instance-type vrf
  5. Configure a description for this routing instance:

    user@switch# set routing-instances routing-instance-name description text
  6. Configure the routing instance to use a route distinguisher:Note

    Each routing instance that you configure on a PE switch must have a unique route distinguisher associated with it. VPN routing instances must have a route distinguisher to allow BGP to distinguish between potentially identical network layer reachability information (NLRI) messages received from different VPNs. If you configure different VPN routing instances with the same route distinguisher, the commit fails.

    user@switch# set routing-instances routing-instance-name route-distinguisher ip-address:number
  7. Configure the VPN routing and forwarding (VRF) target of the routing instance:
    [edit routing-instances]

    user@switch# set routing-instance-name vrf-target community

    If you configure the community option only, default VRF import and export policies are generated that accept and tag routes with the specified target community. You can create more complex policies by explicitly configuring VRF import and export policies using the import and export options. See the Junos OS VPNs Configuration Guide.

  8. Configure this routing instance with vrf-table-label, which maps the inner label of a packet to a specific VPN routing and forwarding (VRF) table and allows the examination of the encapsulated IP header.
    [edit routing-instances]

    user@switch# set routing-instance-name vrf-table-label
  9. (Optional) Configure the routing options:Note

    We recommend that you configure the router identifier under the [edit routing-options] hierarchy level to avoid unpredictable behavior if the interface address on a loopback interface changes.

    [edit routing-options]

    user@switch# set router-id ip-address autonomous-system as-number