MPLS Layer 3 VPN Configuration Overview
To configure MPLS Layer 3 VPN functionality on a router running Junos OS, you must enable support on the provider edge (PE) router and configure the PE router to distribute routing information to other routers in the VPN, as explained in the following steps. However, because the tunnel information is maintained at both PE routers, neither the provider core routers nor the customer edge (CE) routers need to maintain any VPN information in their configuration databases.
To configure an MPLS Layer 3 VPN:
- Determine all of the routers that you want to participate in the VPN, and then complete the initial configuration of their interfaces. See the Junos OS Interfaces Configuration Guide for Security Devices.
- For all of the routers in the VPN configuration, update the interface configurations to enable participation in the Layer 3 VPN. As part of the interface configuration, you must configure the MPLS address family for each interface that uses LDP or RSVP. See Configuring Interfaces for Layer 2 VPNs (CLI Procedure).
- For all of the routers in the VPN configuration, configure
the appropriate protocols.
- MPLS—If you are using RSVP, use MPLS to advertise the Layer 3 VPN interfaces on the PE routers and provider routers that communicate with other PE routers and provider routers.
- BGP, EBGP, and internal BGP (IBGP)—For PE routers, configure a BGP session to enable the routers to exchange information about routes originating and terminating in the VPN. (The PE routers use this information to determine which labels to use for traffic destined to the remote sites. The IBGP session for the VPN runs through the loopback address.) In addition, CE routers require a BGP connection to the PE routers. See Configuring a BGP Session for MPLS VPNs (CLI Procedure).
- IGP and a signaling protocol—For PE routers and
provider, configure a signaling protocol (either LDP or RSVP) to dynamically
set up label-switched paths (LSPs) through the provider network. (LDP
routes traffic using IGP metrics. RSVP has traffic engineering that
lets you override IGP metrics as needed.) You must use LDP or RSVP
between PE routers and provider routers, but cannot use them for interfaces
between PE routers and CE routers.
In addition, configure an IGP such as OSPF or static routes on the PE routers in order to enable exchanges of routing information between the PE routers and provider routers. Each PE router's loopback address must appear as a separate route. Do not configure any summarization of the PE router's loopback addresses at the area boundary. Configure the provider network to run OSPF or IS-IS as an IGP, as well as IBGP sessions through either a full mesh or route reflector.
- For all of the routers in the VPN configuration, configure routing options. The only required routing option for VPNs is the autonomous system (AS) number. You must specify it on each router involved in the VPN. See Configuring Routing Options for MPLS VPNs (CLI Procedure).
- For each PE router in the VPN configuration, configure a routing instance for each VPN. The routing instance should have the same name on each PE router. Each routing instance must have a unique route distinguisher associated with it. (VPN routing instances need a route distinguisher to help BGP distinguish between potentially identical network layer reachable information [NLRI] messages received from different VPNs.) See Configuring a Routing Instance for MPLS VPNs (CLI Procedure).
- For CE routers, configure a routing policy. In addition, if you are not using a route target, configure a VPN routing policy for each PE router in the VPN configuration. Within the policy, describe which packets are sent and received across the VPN and specify how routes are imported into and exported from the router's VRF table. Each advertisement must have an associated route target that uniquely identifies the VPN for which the advertisement is valid. See Configuring a Routing Policy for MPLS Layer 3 VPNs (CLI Procedure).