Carrier-of-Carrier VPNs

 

Understanding Carrier-of-Carriers VPNs

The customer of a VPN service provider might be a service provider for the end customer. The following are the two main types of carrier-of-carriers VPNs (as described in RFC 4364):

  • Internet Service Provider as the Customer—The VPN customer is an ISP that uses the VPN service provider’s network to connect its geographically disparate regional networks. The customer does not have to configure MPLS within its regional networks.

  • VPN Service Provider as the Customer—The VPN customer is itself a VPN service provider offering VPN service to its customers. The carrier-of-carriers VPN service customer relies on the backbone VPN service provider for inter-site connectivity. The customer VPN service provider is required to run MPLS within its regional networks.

Figure 1 illustrates the network architecture used for a carrier-of-carriers VPN service.

Figure 1: Carrier-of-Carriers VPN Architecture

Internet Service Provider as the Customer

In this type of carrier-of-carriers VPN configuration, ISP A configures its network to provide Internet service to ISP B. ISP B provides the connection to the customer wanting Internet service, but the actual Internet service is provided by ISP A.

This type of carrier-of-carriers VPN configuration has the following characteristics:

  • The carrier-of-carriers VPN service customer (ISP B) does not need to configure MPLS on its network.

  • The carrier-of-carriers VPN service provider (ISP A) must configure MPLS on its network.

  • MPLS must also be configured on the CE routers and PE routers connected together in the carrier-of-carriers VPN service customer’s and carrier-of-carriers VPN service provider’s networks.

VPN Service Provider as the Customer

A VPN service provider can have customers that are themselves VPN service providers. In this type of configuration, also called a hierarchical or recursive VPN, the customer VPN service provider’s VPN-IPv4 routes are considered external routes, and the backbone VPN service provider does not import them into its VRF table. The backbone VPN service provider imports only the customer VPN service provider’s internal routes into its VRF table.

The similarities and differences between interprovider and carrier-of-carriers VPNs are shown in Table 1.

Table 1: Comparison of Interprovider and Carrier-of-Carriers VPNs

| Feature | ISP Customer | VPN Service Provider Customer |
|---|---|---|
| Customer edge device | AS border router | PE router |
| IBGP sessions | Carry IPv4 routes | Carry external VPN-IPv4 routes with associated labels |
| Forwarding within the customer network | MPLS is optional | MPLS is required |

Starting with Junos OS Release 17.1R1, QFX10000 switches support VPN service as the customer.

Configuring Carrier-of-Carriers VPNs for Customers That Provide Internet Service

You can configure a carrier-of-carriers VPN service for customers who want to provide basic Internet service. The carrier-of-carriers VPN service provider must configure MPLS in its network, although this configuration is optional for the carrier service customer. Figure 1 shows how the routers or switches in this type of service interconnect.

To configure a carrier-of-carriers VPN, perform the tasks described in the following sections:

Configuring the Carrier-of-Carriers VPN Service Customer’s CE Router

The carrier-of-carriers VPN service customer’s router (or switch) acts as a CE router with respect to the service provider’s PE router or switch. The following sections describe how to configure the carrier-of-carriers VPN service customer’s CE router or switch:

Configuring MPLS

To configure MPLS on the customer’s CE router or switch, include the mpls statement:

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring BGP

To configure a group to collate the customer’s internal routes, include the bgp statement:

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

The customer’s CE router (or switch) must be able to send labels to the VPN service provider’s router. Enable this by including the labeled-unicast statement in the configuration for the BGP group:

You can include the bgp statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring OSPF

To configure OSPF on the customer’s CE router or switch, include the ospf statement:

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring Policy Options

To configure policy options on the customer’s CE router or switch, include the policy-statement statement:

You can include this statement at the following hierarchy levels:

  • [edit policy-options]

  • [edit logical-systems logical-system-name policy-options]

Configuring the Carrier-of-Carriers VPN Service Provider’s PE Routers

The service provider’s PE routers connect to the customer’s CE routers and forward the customer’s VPN traffic across the provider’s network.

The following sections describe how to configure the carrier-of-carriers VPN service provider’s PE routers:

Configuring MPLS

To configure MPLS on the provider’s PE routers or switches, include the mpls statement:

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring BGP

To configure a BGP session with the provider PE router at the other end of the provider’s network, include the bgp statement:

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring IS-IS

To configure IS-IS on the provider’s PE routers or switches, include the isis statement:

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring LDP

To configure LDP on the provider’s PE routers or switches, include the ldp statement:

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring a Routing Instance

To configure Layer 3 VPN service with the customer’s CE router or switch, include the labeled-unicast statement in the configuration for the routing instance so the PE router (or switch) can send labels to the customer’s CE router or switch:

You can include these statements at the following hierarchy levels:

  • [edit routing-instances]

  • [edit logical-systems logical-system-name routing-instances]

Configuring Policy Options

To configure a policy statement to import routes from the customer’s CE router or switch, include the policy-statement statement:

You can include this statement at the following hierarchy levels:

  • [edit policy-options]

  • [edit logical-systems logical-system-name policy-options]

To configure a policy statement to export routes to the customer’s CE router or switch, include the policy-statement and community statements:

You can include these statements at the following hierarchy levels:

  • [edit policy-options]

  • [edit logical-systems logical-system-name policy-options]
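The two ends of the CE-to-PE session described in the preceding sections, written out as Junos set commands. This is an added example, not configuration from the original page or from Juniper's own example; every interface name, address, AS number, and group, policy, community, and instance name is a constructed placeholder.

```junos
# Added example with constructed values (not from the original page).
# AS 64512 = carrier customer (ISP), AS 64500 = carrier provider.
# Interface addressing, family mpls/iso on the listed units, and loopback
# settings are assumed to be configured already.

# ---- Customer CE router ----
set protocols mpls interface ge-0/0/1.0
# EBGP to the provider PE; labeled-unicast makes the CE send a label with each route
set protocols bgp group to-provider type external
set protocols bgp group to-provider peer-as 64500
set protocols bgp group to-provider neighbor 192.0.2.1 family inet labeled-unicast
set protocols bgp group to-provider neighbor 192.0.2.1 export internal
set protocols ospf area 0.0.0.0 interface ge-0/0/2.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive
# Advertise only the customer's internal (IGP and connected) routes to the provider
set policy-options policy-statement internal term a from protocol ospf
set policy-options policy-statement internal term a from protocol direct
set policy-options policy-statement internal term a then accept
set policy-options policy-statement internal term b then reject

# ---- Provider PE router ----
set protocols mpls interface ge-0/0/1.0
set protocols mpls interface ge-0/0/3.0
# IBGP to the PE at the other end of the provider's network
set protocols bgp group pe-pe type internal
set protocols bgp group pe-pe local-address 198.51.100.1
set protocols bgp group pe-pe family inet-vpn unicast
set protocols bgp group pe-pe neighbor 198.51.100.2
set protocols isis interface ge-0/0/3.0
set protocols isis interface lo0.0
set protocols ldp interface ge-0/0/3.0
# VRF facing the customer CE; labeled-unicast lets the PE send labels back to the CE
set routing-instances vpn-isp1 instance-type vrf
set routing-instances vpn-isp1 interface ge-0/0/1.0
set routing-instances vpn-isp1 route-distinguisher 198.51.100.1:1
set routing-instances vpn-isp1 vrf-import vpn-isp1-import
set routing-instances vpn-isp1 vrf-export vpn-isp1-export
set routing-instances vpn-isp1 protocols bgp group to-isp1 type external
set routing-instances vpn-isp1 protocols bgp group to-isp1 peer-as 64512
set routing-instances vpn-isp1 protocols bgp group to-isp1 neighbor 192.0.2.2 family inet labeled-unicast
# Import only routes carrying this VPN's target community; export adds the tag
set policy-options community vpn-isp1-comm members target:64500:1
set policy-options policy-statement vpn-isp1-import term a from protocol bgp
set policy-options policy-statement vpn-isp1-import term a from community vpn-isp1-comm
set policy-options policy-statement vpn-isp1-import term a then accept
set policy-options policy-statement vpn-isp1-import term b then reject
set policy-options policy-statement vpn-isp1-export term a from protocol bgp
set policy-options policy-statement vpn-isp1-export term a then community add vpn-isp1-comm
set policy-options policy-statement vpn-isp1-export term a then accept
set policy-options policy-statement vpn-isp1-export term b then reject
```

The final reject term in each policy keeps the CE export and the VRF import limited to the routes named in term a, so nothing outside the customer's internal routes or this VPN's target community crosses the CE-to-PE boundary.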

Carrier-of-Carriers VPN Example—Customer Provides Internet Service

In this example, the carrier customer is not required to configure MPLS and LDP on its network. However, the carrier provider must configure MPLS and LDP on its network.

For configuration information, see the following sections:

Network Topology for Carrier-of-Carriers Service

A carrier-of-carriers service allows an Internet service provider (ISP) to connect to a transparent outsourced backbone at multiple locations.

Figure 2 shows the network topology in this carrier-of-carriers example.

Figure 2: Carrier-of-Carriers VPN Example Network Topology

Configuration for Router A

In this example, Router A represents an end customer. You configure this router as a CE device.

Configuration for Router B

Router B can act as the gateway router, responsible for aggregating end customers and connecting them to the network. If a full-mesh IBGP session is configured, you can use route reflectors.

Configuration for Router C

Configure Router C:

Configuration for Router D

Router D is the CE router with respect to AS 10023. In a carrier-of-carriers VPN, the CE router must be able to send labels to the carrier provider; this is done with the labeled-unicast statement in group to-isp-red.

Configuration for Router E

This configuration sets up the inet-vpn IBGP session with Router H and the PE router portion of the VPN with Router D. Because Router D is required to send labels in this example, configure the BGP session with the labeled-unicast statement within the virtual routing and forwarding (VRF) table.

Configuration for Router F

Configure Router F to act as a label-swapping router:

Configuration for Router G

Configure Router G to act as a label-swapping router:

Configuration for Router H

Router H acts as the PE router for AS 10023. The configuration that follows is similar to that for Router F:

Configuration for Router I

Configure Router I to connect to the basic Internet service customer (Router L):

Configuration for Router J

Configure Router J as a label-swapping router:

Configuration for Router K

Router K acts as the CE router at the end of the connection to the carrier provider. As in the configuration for Router D, include the labeled-unicast statement for the EBGP session:

Configuration for Router L

Configure Router L to act as the end customer for the carrier-of-carriers VPN service:

Configuring Carrier-of-Carriers VPNs for Customers That Provide VPN Service

You can configure a carrier-of-carriers VPN service for customers who want VPN service.

To configure the routers (or switches) in the customer’s and provider’s networks to enable carrier-of-carriers VPN service, perform the steps in the following sections:

Configuring the Carrier-of-Carriers Customer’s PE Router

The carrier-of-carriers customer’s PE router (or switch) is connected to the end customer’s CE router (or switch).

The following sections describe how to configure the carrier-of-carriers customer’s PE router (or switch):

Configuring MPLS

To configure MPLS on the carrier-of-carriers customer’s PE router (or switch), include the mpls statement:

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring BGP

Include the labeled-unicast statement in the configuration for the IBGP session to the carrier-of-carriers customer’s CE router (or switch), and include the family inet-vpn statement in the configuration for the IBGP session to the carrier-of-carriers PE router (or switch) on the other side of the network:

You can include these statements at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring OSPF

To configure OSPF on the carrier-of-carriers customer’s PE router (or switch), include the ospf statement:

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring LDP

To configure LDP on the carrier-of-carriers customer’s PE router (or switch), include the ldp statement:

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring VPN Service in the Routing Instance

To configure VPN service for the end customer’s CE router (or switch) on the carrier-of-carriers customer’s PE router (or switch), include the following statements:

You can include these statements at the following hierarchy levels:

  • [edit routing-instances routing-instance-name]

  • [edit logical-systems logical-system-name routing-instances routing-instance-name]

Configuring Policy Options

To configure policy options to import and export routes to and from the end customer’s CE router (or switch), include the policy-statement and community statements:

You can include these statements at the following hierarchy levels:

  • [edit policy-options]

  • [edit logical-systems logical-system-name policy-options]

Configuring the Carrier-of-Carriers Customer’s CE Router (or switch)

The carrier-of-carriers customer’s CE router (or switch) connects to the provider’s PE router (or switch). Complete the instructions in the following sections to configure the carrier-of-carriers customer’s CE router (or switch):

Configuring MPLS

In the MPLS configuration for the carrier-of-carriers customer’s CE router (or switch), include the interfaces to the provider’s PE router (or switch) and to a P router (or switch) in the customer’s network:

You can include these statements at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring BGP

In the BGP configuration for the carrier-of-carriers customer’s CE router (or switch), configure a group that includes the labeled-unicast statement to extend VPN service to the PE router (or switch) connected to the end customer’s CE router (or switch):

You can include the bgp statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

To configure a group to send labeled internal routes to the provider’s PE router (or switch), include the bgp statement:

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring OSPF and LDP

To configure OSPF and LDP on the carrier-of-carriers customer’s CE router (or switch), include the ospf and ldp statements:

You can include these statements at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring Policy Options

To configure the policy options on the carrier-of-carriers customer’s CE router (or switch), include the policy-statement statement:

You can include this statement at the following hierarchy levels:

  • [edit policy-options]

  • [edit logical-systems logical-system-name policy-options]

Configuring the Provider’s PE Router or Switch

The carrier-of-carriers provider’s PE routers (or switches) connect to the carrier customer’s CE routers (or switches). Complete the instructions in the following sections to configure the provider’s PE router (or switch):

Configuring MPLS

In the MPLS configuration, specify at least two interfaces: one to the customer’s CE router (or switch) and one to connect to the provider’s PE router (or switch) on the other side of the provider’s network:

You can include these statements at the following hierarchy levels:

  • [edit protocols mpls]

  • [edit logical-systems logical-system-name protocols mpls]

Configuring a PE-to-PE BGP Session

To configure a PE-to-PE BGP session on the provider’s PE routers (or switches) to allow VPN-IPv4 routes to pass between the PE routers (or switches), include the bgp statement:

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring IS-IS and LDP

To configure IS-IS and LDP on the provider’s PE routers (or switches), include the isis and ldp statements:

You can include these statements at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring Policy Options

To configure policy statements on the provider’s PE router (or switch) to export routes to and import routes from the carrier customer’s network, include the policy-statement and community statements:

You can include these statements at the following hierarchy levels:

  • [edit policy-options]

  • [edit logical-systems logical-system-name policy-options]

Configuring a Routing Instance to Send Routes to the CE Router

To configure the routing instance on the provider’s PE router (or switch) to send labeled routes to the carrier customer’s CE router (or switch), include the following statements:

You can include these statements at the following hierarchy levels:

  • [edit routing-instances routing-instance-name]

  • [edit logical-systems logical-system-name routing-instances routing-instance-name]
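The carrier customer's own PE and CE routers for the case where the customer provides VPN service, written out as Junos set commands. This is an added example, not configuration from the original page or from Juniper's own example; all names, interfaces, addresses, and AS numbers are constructed placeholders. The resolve-vpn option and the next-hop self export policy are assumptions of this sketch that the text above does not mention.

```junos
# Added example with constructed values (not from the original page).
# AS 64512 = carrier customer (a VPN service provider), AS 64500 = backbone provider,
# AS 65010 = end customer. Loopbacks: customer PE 203.0.113.1, customer CE 203.0.113.2,
# customer PE on the other side of the network 203.0.113.9.
# Interface addressing and family mpls on the listed units are assumed to be in place.

# ---- Carrier customer's PE router (faces the end customer's CE) ----
set protocols mpls interface ge-0/0/2.0
set protocols ospf area 0.0.0.0 interface ge-0/0/2.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ldp interface ge-0/0/2.0
# IBGP to the customer's own CE: labeled IPv4 routes.
# resolve-vpn (assumption) lets these labeled routes resolve VPN-IPv4 next hops.
set protocols bgp group to-ce type internal
set protocols bgp group to-ce local-address 203.0.113.1
set protocols bgp group to-ce family inet labeled-unicast resolve-vpn
set protocols bgp group to-ce neighbor 203.0.113.2
# IBGP to the customer PE on the other side of the network: VPN-IPv4 routes
set protocols bgp group to-remote-pe type internal
set protocols bgp group to-remote-pe local-address 203.0.113.1
set protocols bgp group to-remote-pe family inet-vpn unicast
set protocols bgp group to-remote-pe neighbor 203.0.113.9
# VPN service for the end customer's CE
set routing-instances vpna instance-type vrf
set routing-instances vpna interface ge-0/0/0.0
set routing-instances vpna route-distinguisher 203.0.113.1:1
set routing-instances vpna vrf-import vpna-import
set routing-instances vpna vrf-export vpna-export
set routing-instances vpna protocols bgp group to-end-ce type external
set routing-instances vpna protocols bgp group to-end-ce peer-as 65010
set routing-instances vpna protocols bgp group to-end-ce neighbor 192.0.2.2
set policy-options community vpna-comm members target:64512:1
set policy-options policy-statement vpna-import term a from protocol bgp
set policy-options policy-statement vpna-import term a from community vpna-comm
set policy-options policy-statement vpna-import term a then accept
set policy-options policy-statement vpna-import term b then reject
set policy-options policy-statement vpna-export term a from protocol bgp
set policy-options policy-statement vpna-export term a then community add vpna-comm
set policy-options policy-statement vpna-export term a then accept
set policy-options policy-statement vpna-export term b then reject

# ---- Carrier customer's CE router (faces the backbone provider's PE) ----
set protocols mpls interface ge-0/0/1.0
set protocols mpls interface ge-0/0/2.0
set protocols ospf area 0.0.0.0 interface ge-0/0/2.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ldp interface ge-0/0/2.0
# IBGP to the customer PE: pass on the labeled routes learned from the provider
set protocols bgp group int type internal
set protocols bgp group int local-address 203.0.113.2
set protocols bgp group int family inet labeled-unicast
set protocols bgp group int export nhs
set protocols bgp group int neighbor 203.0.113.1
# EBGP to the provider PE: send the customer's internal routes with labels
set protocols bgp group to-provider type external
set protocols bgp group to-provider peer-as 64500
set protocols bgp group to-provider neighbor 198.51.100.1 family inet labeled-unicast
set protocols bgp group to-provider neighbor 198.51.100.1 export internal
set policy-options policy-statement internal term a from protocol ospf
set policy-options policy-statement internal term a from protocol direct
set policy-options policy-statement internal term a then accept
set policy-options policy-statement internal term b then reject
set policy-options policy-statement nhs term a then next-hop self
```

Only the customer's internal routes (loopbacks and infrastructure links) reach the backbone provider's VRF over the EBGP session; the end customers' VPN-IPv4 routes travel only on the IBGP session between the customer's own PE routers.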

Carrier-of-Carriers VPN Example—Customer Provides VPN Service

In this example, the carrier customer must run some form of MPLS (Resource Reservation Protocol [RSVP] or LDP) on its network to provide VPN services to the end customer. In the example below, Router B and Router I act as PE routers (or switches), and a functioning MPLS path is required between these routers if they exchange VPN-IPv4 routes.

For configuration information, see the following sections:

Network Topology for Carrier-of-Carriers Service

A carrier-of-carriers service allows an Internet service provider (ISP) to connect to a transparent outsourced backbone at multiple locations.

Figure 3 shows the network topology in this carrier-of-carriers example.

Figure 3: Carrier-of-Carriers VPN Example Network Topology

Configuration for Router A

In this example, Router A acts as the CE router for the end customer. Configure a default family inet BGP session on Router A:

Configuration for Router B

Because Router B is the PE router for the end customer CE router (Router A), you need to configure a routing instance (vpna). Configure the labeled-unicast statement on the IBGP session to Router D, and configure family inet-vpn for the IBGP session to the other side of the network with Router I:

Configuration for Router C

Configure Router C as a label-swapping router within the local AS:

Configuration for Router D

Router D acts as the CE router for the VPN services provided by the AS 10023 network. In the BGP group configuration for group int, which handles traffic to Router B (10.255.14.179), you include the labeled-unicast statement. You also need to configure the BGP group to-isp-red to send labeled internal routes to the PE router (Router E).

Configuration for Router E

Router E and Router H are PE routers. Configure a PE-router-to-PE-router BGP session to allow VPN-IPv4 routes to pass between these two PE routers. Configure the routing instance on Router E to send labeled routes to the CE router (Router D).

Configure Router E:

Configuration for Router F

Configure Router F to swap labels for routes running through its interfaces:

Configuration for Router G

Configure Router G:

Configuration for Router H

The configuration for Router H is similar to the configuration for Router E:

Configuration for Router I

Router I acts as the PE router for the end customer. The configuration that follows is similar to the configuration for Router B:

Configuration for Router J

Configure Router J to swap labels for routes running through its interfaces:

Configuration for Router K

The configuration for Router K is similar to the configuration for Router D:

Configuration for Router L

In this example, Router L is the end customer’s CE router. Configure a default family inet BGP session on Router L:

Multiple Instances for LDP and Carrier-of-Carriers VPNs

By configuring multiple LDP routing instances, you can use LDP to advertise labels in a carrier-of-carriers VPN from a core provider PE router to a customer carrier CE router. Having LDP advertise labels in this manner is especially useful when the carrier customer is a basic ISP and wants to restrict full Internet routes to its PE routers. By using LDP instead of BGP, the carrier customer shields its other internal routers from the Internet at large. Multiple-instance LDP is also useful when a carrier customer wants to provide Layer 3 VPN or Layer 2 VPN services to its customers.

For an example of how to configure multiple LDP routing instances for carrier-of-carriers VPNs, see the Junos Feature Guide on the product documentation page of the Juniper Networks website, located at https://www.juniper.net/.
