Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Example: Configuring Overlapping VPNs

Figure 1: Overlapping VPNs Topology Diagram
Overlapping VPNs Topology Diagram

Figure 1 shows a standard Multiprotocol Label Switching (MPLS) VPN topology. Routers PE1 and PE2 are acting as PE routers, CE1 and CE2 are CE routers, and P0 and P1 are core provider routers. You will establish three VRF instances: A, B, and AB. You will also configure auto-export as the method of sharing routing information between instances.

This example focuses on the interinstance and policy statements. As a result, some information has been omitted.

  • Because PE1 uses static routing instances, the router configuration for CE1 is not included in this example.

  • Most routers display a minimal configuration. Interface addresses and loopback addresses are assumed to have been enabled properly.

For more information about VPNs, see the Junos VPNs Configuration Guide.

Routers PE1 and PE2 contain the bulk of the configuration. At PE1, initiate an IBGP connection to PE2 and open a VPN connection to CE Router CE1 through three VRF instances: A, B, and AB.

The auto-export policy is applied to all instances simultaneously by means of a configuration group. Another method of enabling this option is to configure the auto-export statement individually on each VRF instance.

Finally, the policy statements add the appropriate communities to each instance and accept traffic coming from the desired community. For example, the policy for  VRF A sets community A on all outbound traffic leaving the instance, and only accepts traffic from PE2 that is tagged with community A.

Router PE1

As a provider core transit router, Router P0 only needs to provide connectivity to the PE routers. You configure OSPF, MPLS, and LDP on the interfaces pointing to both PE routers.

Router P0

Like Router P0, Router P1 also needs to provide basic core connectivity for the PE routers. You can configure OSPF, MPLS, and LDP on the interfaces pointing toward routers P0 and PE2.

Router P1

At Router PE2, complete your IBGP connection to PE1 and finish the VPN connection to CE Router CE2 through VRF instance AB. The VRF import policy named AB-in is the same as the export policy used for the OSPF protocol in the AB VRF instance. The policy statements add communities A and B to all outbound routes and accept any traffic coming from these communities.

Router PE2

At Router CE2, advertise the loopback address into the VPN. Look for this route when you check the routing tables for the A, B, and AB instances on Router PE1. If the route appears in these instances, interinstance route sharing is successful.

Router CE2

Verifying Your Work

To verify that your overlapping VPN configuration is functioning properly, use the following commands:

  • show route export table table-name (brief | detail)

  • show route export instance instance-name (brief | detail)

  • show route export vrf-target (community community-regular-expression) (brief | detail)

The following section shows the output of these commands as used with the configuration example.

Router PE1 Status

user@PE1> show route export