Configuring a Simple Full-Mesh VPN Topology

This example shows how to set up a simple full-mesh service provider VPN configuration, which consists of the following components (see Figure 21):

• Two separate VPNs (VPN-A and VPN-B)
• Two provider edge (PE) routers, both of which service VPN-A and VPN-B
• Resource Reservation Protocol (RSVP) as the signaling protocol
• One RSVP label-switched path (LSP) that tunnels between the two PE routers through one provider (P) router

Figure 21: Example of a Simple VPN Topology

In this configuration, route distribution in VPN A from Router VPN-A-Paris to Router VPN-A-Tokyo occurs as follows:

1. The customer edge (CE) router VPN-A-Paris announces routes to the PE router Router A.
2. Router A installs the received announced routes into its VPN routing and forwarding (VRF) table, VPN-A.inet.0.
3. Router A creates a Multiprotocol Label Switching (MPLS) label for the interface between it and Router VPN-A-Paris.
4. Router A checks its VRF export policy.
5. Router A converts the Internet Protocol version 4 (IPv4) routes from Router VPN-A-Paris into VPN IPv4 format using its route distinguisher and announces these routes to PE Router C over the internal BGP (IBGP) between the two PE routers.
6. Router C checks its VRF import policy and installs all routes that match the policy into its bgp.l3vpn.0 routing table. (Any routes that do not match are discarded.)
7. Router C checks its VRF import policy and installs all routes that match into its VPN-A.inet.0 routing table. The routes are installed in IPv4 format.
8. Router C announces its routes to the CE router Router VPN-A-Tokyo, which installs them into its master routing table. (For routing platforms running JUNOS software, the master routing table is inet.0.)
9. Router C uses the LSP between it and Router A to route all packets from Router VPN-A-Tokyo that are destined for Router VPN-A-Paris.

The final section in this example, Simple VPN Configuration Summarized by Router, consolidates the statements needed to configure VPN functionality on each of the service P routers shown in Figure 21.

Note: In this example, a private autonomous system (AS) number is used for the route distinguisher and the route target. This number is used for illustration only. When you are configuring VPNs, you should use an assigned AS number.

The following sections explain how to configure the VPN functionality on the PE and P routers. The CE routers have no information about the VPN, so you configure them normally.

• Enabling an IGP on the PE and P Routers
• Enabling RSVP and MPLS on the P Router
• Configuring the MPLS LSP Tunnel Between the PE Routers
• Configuring IBGP on the PE Routers
• Configuring Routing Instances for VPNs on the PE Routers
• Configuring VPN Policy on the PE Routers
• Simple VPN Configuration Summarized by Router

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.