Example: Configuring Interprovider Layer 3 VPN Option B

 

Interprovider Layer 3 VPN Option B provides interprovider EBGP redistribution of labeled VPN-IPv4 routes from AS to neighboring AS. This solution is considered to be more scalable than Option A, but not as scalable as Option C.

This example provides a step-by-step procedure to configure interprovider layer 3 VPN option B, which is one of the recommended implementations of an MPLS VPN when that service is required by a customer that has more than one AS, but not all of the customer’s ASs can be serviced by the same service provider. It is organized in the following sections:

Requirements

This example uses the following hardware and software components:

  • Junos OS Release 9.5 or later.

  • Eight M Series, T Series, TX Series, or MX Series Juniper Networks routers.

Note

This configuration example has been tested using the software release listed and is assumed to work on all later releases.

Configuration Overview and Topology

Interprovider layer 3 VPN option B is a somewhat scalable solution to the problem of providing VPN services to a customer that has different sites, not all of which can use the same service provider. RFC 4364, section 10, refers to this method as interprovider EBGP redistribution of labeled VPN-IPv4 routes from AS to neighboring AS.

In the topology shown in Figure 1, the following events occur:

  • The PE routers use IBGP to redistribute labeled VPN-IPv4 routes either to an ASBR, or to a route reflector of which an ASBR is a client.

  • The ASBR then uses EBGP to redistribute those labeled VPN-IPv4 routes to an ASBR in another AS, which distributes them to the PE routers in that AS, or to another ASBR for distribution.

  • Labeled VPN-IPv4 routes are distributed between ASBR routers on each site. There is no need to define a separate VPN routing and forwarding instance (VRF) for each common VPN that resides on two different SPs.

  • Router PE2 distributes VPN-IPv4 routes to Router ASBR2 using MP-IBGP.

  • Router ASBR2 distributes these labeled VPN-IPv4 routes to Router ASBR1, using the MP-EBGP session between them.

  • Router ASBR1 redistributes those routes to Router PE1, using MP-IBGP. Each time a label is advertised, routers change the next-hop information and labels.

  • An MPLS path is established between Router PE1 and Router PE2. This path enables changing of the next-hop attribute for the routes that are learned from the neighbor SP router and map the incoming label for the given routes to the outgoing label advertised to PE routers in the internal network.

  • The ingress PE router inserts two labels onto the IP packet coming from the end customer. The inner label is for the VPN-IPv4 routes learned from internal ASBRs and the outer label is for the route to the internal ASBR, obtained through resource reservation protocol (RSVP) or label distribution protocol (LDP).

  • When a packet arrives at the ASBR, it removes the outer label (when explicit-null signaling is used; otherwise, penultimate hop-popping (PHP) pops the label) and swaps the inner label with the label obtained from the neighbor ASBR through MP-EBGP label and prefix advertisements.

  • The second ASBR swaps the VPN-IPv4 label and pushes another label to reach the PE router in its own AS.

  • The remaining process is the same as for a regular VPN.

Note

In this solution, ASBR routers keep all VPN-IPv4 routes in the routing information base (RIB), and the labels associated with the prefixes are kept in the forwarding information base (FIB). Because the RIB and FIB tables can take occupy much of the respective allocated memory, this solution is not very scalable for an interprovider VPN.

If a transit SP is used between SP1 and SP2, the transit SP also has to keep all VPN-IPv4 routes in the RIB and the corresponding labels in the FIB. The ASBRs at the transit SP have the same functionality as ASBRs in the SP1 or SP2 networks in this solution.

The topology of the network is shown in Figure 1.

Figure 1: Physical Topology of Interprovider Layer 3 VPN Option B
Physical Topology of Interprovider Layer 3 VPN Option B

Configuration

Note

The procedure presented here is written with the assumption that the reader is already familiar with MPLS MVPN configuration. This example focuses on explaining the unique configuration required for carrier-of-carriers solutions for VPN services to different sites.

To configure layer 3 VPN option B, perform the following tasks:

Configuring Router CE1

Step-by-Step Procedure

  1. On Router CE1, configure the IP address and protocol family on the Fast Ethernet interface for the link between Router CE1 and Router PE1. Specify the inet address family type.
  2. On Router CE1, configure the IP address and protocol family on the loopback interface. Specify the inet address family type.
  3. On Router CE1, configure an IGP. Include the logical interface for the link between Router CE1 and Router PE1 and the logical loopback interface of Router CE1. The IGP can be a static route, RIP, OSPF, ISIS, or EBGP. In this example we configure OSPF.

Configuring Router PE1

Step-by-Step Procedure

  1. On Router PE1, configure IPv4 addresses on the SONET, Fast Ethernet, and logical loopback interfaces. Specify the inet address family on all of the interfaces. Specify the mpls address family on the SONET and Fast Ethernet interfaces.
  2. On Router PE1, configure the routing instance for VPN2. Specify the vrf instance type and specify the customer-facing Fast Ethernet interface. Configure a route distinguisher to create a unique VPN-IPv4 address prefix. Apply the VRF import and export policies to enable the sending and receiving of route targets. Configure the OSPF protocol within the VRF. Specify the customer-facing Fast Ethernet interface and specify the export policy to export BGP routes into OSPF.
  3. On Router PE1, configure the RSVP and MPLS protocols to support the label-switched path (LSP). Configure the LSP to Router ASBR1 and specify the IP address of the logical loopback interface on Router ASBR1. Configure a BGP group. Specify the group type as internal. Specify the local address as the logical loopback interface on Router PE1. Specify the neighbor address as the logical loopback interface on Router ASBR1. Specify the inet-vpn address family and unicast traffic type to enable BGP to carry IPv4 network layer reachability information (NLRI) for VPN routes. Configure the OSPF protocol. Specify the core-facing SONET interface and specify the logical loopback interface on Router PE1.
  4. On Router PE1, configure the BGP local autonomous system number.
  5. On Router PE1, configure a policy to export the BGP routes into OSPF.
  6. On Router PE1, configure a policy to add the VRF route target to the routes being advertised for this VPN.
  7. On Router PE1, configure a policy to import routes from BGP that have the test_comm community attached.
  8. On Router PE1, define the test_comm BGP community with a route target.

Configuring Router P1

Step-by-Step Procedure

  1. On Router P1, configure IP addresses for the SONET and Gigabit Ethernet interfaces. Enable the interfaces to process the inet and mpls address families. Configure the IP addresses for the lo0.0 loopback interface and enable the interface to process the inet address family.
  2. On Router P1, configure the RSVP and MPLS protocols to support the LSP. Specify the SONET and Gigabit Ethernet interfaces.

    Configure the OSPF protocol. Specify the SONET and Gigabit Ethernet interfaces and specify the logical loopback interface. Enable OSPF to support traffic engineering extensions.

Configuring Router ASBR1

Step-by-Step Procedure

  1. On Router ASBR1, configure IP addresses for the Gigabit Ethernet interfaces. Enable the interfaces to process the inet and mpls addresses families. Configure the IP addresses for the lo0.0 loopback interface and enable the interface to process the inet address family.
  2. On Router ASBR1, configure the RSVP and MPLS protocols to support the LSP. Specify the Gigabit Ethernet interfaces and the lo0.0 logical loopback interface.

    Configure the OSPF protocol. Specify the SONET and Gigabit Ethernet interfaces and specify the logical loopback interface. Enable OSPF to support traffic engineering extensions.

  3. On Router ASBR1, create the To-PE1 internal BGP peer group. Specify the local IP peer address as the local lo0.0 address. Specify the neighbor IP peer address as the lo0.0 interface address of Router PE1.
  4. On Router ASBR1, create the To-ASBR2 external BGP peer group. Enable the router to use BGP to advertise NLRI for unicast routes. Specify the neighbor IP peer address as the Gigabit Ethernet interface address of Router ASBR2.

Configuring Router ASBR2

Step-by-Step Procedure

  1. On Router ASBR2, configure IP addresses for the Gigabit Ethernet interfaces. Enable the interfaces to process the inet and mpls address families. Configure the IP address for the lo0.0 loopback interface and enable the interface to process the inet address family.
  2. On Router ASBR2, configure the RSVP and MPLS protocols to support the LSP. Specify the Gigabit Ethernet interfaces.

    Configure the OSPF protocol. Specify the SONET and Gigabit Ethernet interfaces and specify the logical loopback interface. Enable OSPF to support traffic engineering extensions.

  3. On Router ASBR2, create the To-PE2 internal BGP peer group. Specify the local IP peer address as the local lo0.0 address. Specify the neighbor IP peer address as the lo0.0 interface address of Router PE2.
  4. On Router ASBR2, create the To-ASBR1 external BGP peer group. Enable the router to use BGP to advertise NLRI for unicast routes. Specify the neighbor IP peer address as the Gigabit Ethernet interface on Router ASBR1.

Configuring Router P2

Step-by-Step Procedure

  1. On Router P2, configure IP addresses for the SONET and Gigabit Ethernet interfaces. Enable the interfaces to process the inet and mpls addresses families. Configure the IP addresses for the lo0.0 loopback interface and enable the interface to process the inet address family.
  2. On Router P2, configure the RSVP and MPLS protocols to support the LSP. Specify the SONET and Gigabit Ethernet interfaces.

    Configure the OSPF protocol. Specify the SONET and Gigabit Ethernet interfaces and specify the logical loopback interface. Enable OSPF to support traffic engineering extensions.

Configuring Router PE2

Step-by-Step Procedure

  1. On Router PE2, configure IPv4 addresses on the SONET, Fast Ethernet, and logical loopback interfaces. Specify the inet address family on all of the interfaces. Specify the mpls address family on the SONET and Fast Ethernet interfaces.
  2. On Router PE2, configure the routing instance for VPN2. Specify the vrf instance type and specify the customer-facing Fast Ethernet interface. Configure a route distinguisher to create a unique VPN-IPv4 address prefix. Apply the VRF import and export policies to enable the sending and receiving of route targets. Configure the BGP peer group within the VRF. Specify AS 20 as the peer AS and specify the IP address of the Fast Ethernet interface on Router CE1 as the neighbor address.
  3. On Router PE2, configure the RSVP and MPLS protocols to support the LSP. Configure the LSP to ASBR2 and specify the IP address of the logical loopback interface on Router ASBR2. Configure a BGP group. Specify the group type as internal. Specify the local address as the logical loopback interface on Router PE2. Specify the neighbor address as the logical loopback interface on the Router ASBR2. Specify the inet-vpn address family and unicast traffic type to enable BGP to carry IPv4 NLRI for VPN routes. Configure the OSPF protocol. Specify the core-facing SONET interface and the logical loopback interface on Router PE2.
  4. On Router PE2, configure the BGP local autonomous system number.
  5. On Router PE2, configure a policy to add the VRF route target to the routes being advertised for this VPN.
  6. On Router PE2, configure a policy to import routes from BGP that have the test_comm community attached.
  7. On Router PE1, define the test_comm BGP community with a route target.

Configuring Router CE2

Step-by-Step Procedure

  1. On Router CE2, configure the IP address and protocol family on the Fast Ethernet interface for the link between Router CE2 and Router PE2. Specify the inet address family type.
  2. On Router CE2, configure the IP address and protocol family on the loopback interface. Specify the inet address family type.
  3. On Router CE2, configure an IGP. The IGP can be a static route, RIP, OSPF, ISIS, or EBGP. In this example, we configure EBGP. Specify AS 200 as the peer AS and specify the BGP neighbor IP address as the Fast Ethernet interface of Router PE2. Include the export statement.

Verifying the VPN Operation

Step-by-Step Procedure

  1. Commit the configuration on each router.Note

    The MPLS labels shown in this example will be different than the labels used in your configuration.

  2. On Router PE1, display the routes for the vpn2CE1 routing instance using the show ospf route command. Verify that the 1.1.1.1 route is learned from OSPF.
    user@PE1> show ospf route instance vpn2CE1
  3. On Router PE1, use the show route advertising-protocol command to verify that Router PE1 advertises the 1.1.1.1 route to Router ASBR1 using MP-BGP with the VPN MPLS label.
    user@PE1> show route advertising-protocol bgp 4.4.4.4 extensive
  4. On Router ASBR1, use the show route receive-protocol command to verify that the router receives and accepts the 1.1.1.1 route and places it in the bgp.l3vpn.0 routing table.
    user@ASBR1> show route receive-protocol bgp 2.2.2.2 extensive
  5. On Router ASBR1, use the show route advertising-protocol command to verify that Router ASBR1 advertises the 1.1.1.1 route to Router ASBR2.
    user@ASBR1> show route advertising-protocol bgp 21.21.21.2 extensive
  6. On Router ASBR2, use the show route receive-protocol command to verify that the router receives and accepts the 1.1.1.1 route and places it in the bgp.l3vpn.0 routing table.
    user@ASBR2> show route receive-protocol bgp 21.21.21.1 extensive
  7. On Router ASBR2, use the show route advertising-protocol command to verify that Router ASBR2 advertises the 1.1.1.1 route to Router PE2 in the To-PE2 routing instance.
    user@ASBR2> show route advertising-protocol bgp 7.7.7.7 extensive
  8. On Router PE2, use the show route receive-protocol command to verify that the router receives and accepts the 1.1.1.1 route and places it in the To_CE2.inet.0 routing table.
    user@PE2> show route receive-protocol bgp 5.5.5.5 extensive
  9. On Router PE2, use the show route advertising-protocol command to verify that Router PE2 advertises the 1.1.1.1 route to Router CE2 through the To_CE2 peer group.
    user@PE2> show route advertising-protocol bgp 24.24.24.2 extensive
  10. On Router CE2, use the show route command to verify that Router CE2 receives the 1.1.1.1 route from Router PE2.
    user@CE2> show route 1.1.1.1
  11. On Router CE2, use the ping command and specify 8.8.8.8 as the source of the ping packets to verify connectivity with Router CE1.
    user@CE2> ping 1.1.1.1 source 8.8.8.8
  12. On Router PE2, use the show route command to verify that the traffic is sent with an inner label of 300048 and a top label of 299776.
    user@PE2> show route 1.1.1.1 detail
  13. On Router ASBR2, use the show route table command to verify that Router ASBR2 receives the traffic after the top label is popped by Router P2, that label 300048 is swapped with label 299984, and that the packet is sent toward Router ASBR1 through interface ge-0/1/1.0.
    user@ASBR2> show route table mpls.0 detail
  14. On Router ASBR1, use the show route table command to verify that Router ASBR1 receives the traffic with label 299984, swaps the label with 299952, and pushes a new top label of 299792.
    user@ASBR1> show route table mpls.0 detail
  15. On Router PE1, use the show route table command to verify that Router PE1 receives the traffic with label 299952, and then pops the inner label.
    user@PE1> show route route table mpls.0 detail