Example: Configuring Overlapping VPNs

Figure 1 shows a standard Multiprotocol Label Switching (MPLS) VPN topology. Routers PE1 and PE2 are acting as PE routers, CE1 and CE2 are CE routers, and P0 and P1 are core provider routers. You will establish three VRF instances: A, B, and AB. You will also configure auto-export as the method of sharing routing information between instances.
This example focuses on the interinstance and policy statements. As a result, some information has been omitted.
Because PE1 uses static routing instances, the router configuration for CE1 is not included in this example.
Most routers display a minimal configuration. Interface addresses and loopback addresses are assumed to have been enabled properly.
For more information about VPNs, see the Junos VPNs Configuration Guide.
Routers PE1 and PE2 contain the bulk of the configuration. At PE1, initiate an IBGP connection to PE2 and open a VPN connection to CE Router CE1 through three VRF instances: A, B, and AB.
The auto-export policy is applied to all instances simultaneously by means of a configuration group. Another method of enabling this option is to configure the auto-export statement individually on each VRF instance.
Finally, the policy statements add the appropriate communities to each instance and accept traffic coming from the desired community. For example, the policy for VRF A sets community A on all outbound traffic leaving the instance, and only accepts traffic from PE2 that is tagged with community A.
Router PE1
As a provider core transit router, Router P0 only needs to provide connectivity to the PE routers. You configure OSPF, MPLS, and LDP on the interfaces pointing to both PE routers.
Router P0
Like Router P0, Router P1 also needs to provide basic core connectivity for the PE routers. You can configure OSPF, MPLS, and LDP on the interfaces pointing toward routers P0 and PE2.
Router P1
At Router PE2, complete your IBGP connection to PE1 and finish the VPN connection to CE Router CE2 through VRF instance AB. The VRF import policy named AB-in is the same as the export policy used for the OSPF protocol in the AB VRF instance. The policy statements add communities A and B to all outbound routes and accept any traffic coming from these communities.
Router PE2
At Router CE2, advertise the 10.255.255.174 loopback address into the VPN. Look for this route when you check the routing tables for the A, B, and AB instances on Router PE1. If the route appears in these instances, interinstance route sharing is successful.
Router CE2
Verifying Your Work
To verify that your overlapping VPN configuration is functioning properly, use the following commands:
show route export table table-name (brief | detail)
show route export instance instance-name (brief | detail)
show route export vrf-target (community community-regular-expression) (brief | detail)
The following section shows the output of these commands as used with the configuration example.
Router PE1 Status
user@PE1> show route export
Table                            Export        Routes
A.inet.0                         Y                  4
AB.inet.0                        Y                  4
B.inet.0                         Y                  4

user@PE1> show route export detail
A.inet.0                         Routes: 4
  Flags: <vrf>
AB.inet.0                        Routes: 4
  Flags: <vrf>
B.inet.0                         Routes: 4
  Flags: <vrf>

user@PE1> show route export instance detail
Instance: A                      Type: vrf
  Flags: <config> Options: <unicast multicast>
Instance: AB                     Type: vrf
  Flags: <config> Options: <unicast multicast>
Instance: B                      Type: vrf
  Flags: <config> Options: <unicast multicast>

user@PE1> show route table A.inet.0
A.inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.1/32         *[Static/5] 02:08:14
                    > via t1-0/0/0.0
1.1.1.2/32         *[Static/5] 02:08:14
                    > via t1-0/0/0.0
1.1.3.1/32         *[Static/5] 02:08:14
                    > via t1-0/0/0.2
1.1.3.2/32         *[Static/5] 02:08:14
                    > via t1-0/0/0.2
10.3.0.4/30        *[Direct/0] 02:08:14
                    > via t1-0/0/0.2
10.3.0.5/32        *[Local/0] 02:08:14
                      Local via t1-0/0/0.2
10.255.255.174/32  *[BGP/170] 00:18:08, MED 2, localpref 100, from 10.255.255.182
                      AS path: I
                    > via t3-0/3/3.0, Push 100004, Push 100017(top)
192.255.197.36/30  *[Direct/0] 02:08:14
                    > via t1-0/0/0.0
192.255.197.38/32  *[Local/0] 02:08:14
                      Local via t1-0/0/0.0
192.255.197.248/30 *[BGP/170] 00:18:18, localpref 100, from 10.255.255.182
                      AS path: I
                    > via t3-0/3/3.0, Push 100003, Push 100017(top)

user@PE1> show route table B.inet.0
B.inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.2.1/32         *[Static/5] 02:09:28
                    > via t1-0/0/0.1
1.1.2.2/32         *[Static/5] 02:09:28
                    > via t1-0/0/0.1
1.1.3.1/32         *[Static/5] 02:09:28
                    > via t1-0/0/0.2
1.1.3.2/32         *[Static/5] 02:09:28
                    > via t1-0/0/0.2
10.3.0.0/30        *[Direct/0] 02:09:28
                    > via t1-0/0/0.1
10.3.0.1/32        *[Local/0] 02:09:28
                      Local via t1-0/0/0.1
10.3.0.4/30        *[Direct/0] 02:09:28
                    > via t1-0/0/0.2
10.3.0.5/32        *[Local/0] 02:09:28
                      Local via t1-0/0/0.2
10.255.255.174/32  *[BGP/170] 00:19:22, MED 2, localpref 100, from 10.255.255.182
                      AS path: I
                    > via t3-0/3/3.0, Push 100004, Push 100017(top)
192.255.197.248/30 *[BGP/170] 00:19:32, localpref 100, from 10.255.255.182
                      AS path: I
                    > via t3-0/3/3.0, Push 100003, Push 100017(top)

user@PE1> show route table AB.inet.0
AB.inet.0: 14 destinations, 14 routes (14 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.1/32         *[Static/5] 02:09:43
                    > via t1-0/0/0.0
1.1.1.2/32         *[Static/5] 02:09:43
                    > via t1-0/0/0.0
1.1.2.1/32         *[Static/5] 02:09:43
                    > via t1-0/0/0.1
1.1.2.2/32         *[Static/5] 02:09:43
                    > via t1-0/0/0.1
1.1.3.1/32         *[Static/5] 02:09:43
                    > via t1-0/0/0.2
1.1.3.2/32         *[Static/5] 02:09:43
                    > via t1-0/0/0.2
10.3.0.0/30        *[Direct/0] 02:09:43
                    > via t1-0/0/0.1
10.3.0.1/32        *[Local/0] 02:09:43
                      Local via t1-0/0/0.1
10.3.0.4/30        *[Direct/0] 02:09:43
                    > via t1-0/0/0.2
10.3.0.5/32        *[Local/0] 02:09:43
                      Local via t1-0/0/0.2
10.255.255.174/32  *[BGP/170] 00:19:37, MED 2, localpref 100, from 10.255.255.182
                      AS path: I
                    > via t3-0/3/3.0, Push 100004, Push 100017(top)
192.255.197.36/30  *[Direct/0] 02:09:43
                    > via t1-0/0/0.0
192.255.197.38/32  *[Local/0] 02:09:43
                      Local via t1-0/0/0.0
192.255.197.248/30 *[BGP/170] 00:19:47, localpref 100, from 10.255.255.182
                      AS path: I
                    > via t3-0/3/3.0, Push 100003, Push 100017(top)

user@PE1> show route export vrf-target detail
Target: 69:1 inet unicast
  Import table(s): A.inet.0 AB.inet.0
  Export table(s): A.inet.0 AB.inet.0
Target: 69:2 inet unicast
  Import table(s): AB.inet.0 B.inet.0
  Export table(s): AB.inet.0 B.inet.0
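
Because auto-export shares routes between instances, the show route export vrf-target detail output is also the place to confirm that A and B stay isolated from each other and exchange routes only with AB. The following is an added example, not part of the original Juniper documentation: it parses that output and reports any table pair joined by a target that is not in an allowed list. The function names and the ALLOWED set are assumptions made for illustration; the sample text is constructed from the output shown above.

```python
import re
from itertools import product

# Constructed sample: the vrf-target output shown above, one field per line.
SAMPLE = """\
Target: 69:1 inet unicast
  Import table(s): A.inet.0 AB.inet.0
  Export table(s): A.inet.0 AB.inet.0
Target: 69:2 inet unicast
  Import table(s): AB.inet.0 B.inet.0
  Export table(s): AB.inet.0 B.inet.0
"""

def parse_vrf_targets(text):
    """Return {target: {"import": [tables], "export": [tables]}}."""
    targets, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Target:\s+(\S+)", line)
        if m:
            current = targets.setdefault(m.group(1), {"import": [], "export": []})
            continue
        m = re.match(r"(Import|Export) table\(s\):\s*(.*)", line)
        if m and current is not None:
            current[m.group(1).lower()].extend(m.group(2).split())
    return targets

def leak_pairs(targets):
    """Set of (source_table, destination_table) pairs joined by any target."""
    pairs = set()
    for t in targets.values():
        # Every exporting table can feed every other table importing the target.
        pairs |= {(s, d) for s, d in product(t["export"], t["import"]) if s != d}
    return pairs

def audit(text, allowed):
    """Return leak pairs present on the router but absent from the allowed set."""
    return sorted(leak_pairs(parse_vrf_targets(text)) - set(allowed))

# Assumed intent for this example: A and B each share routes only with AB.
ALLOWED = {("A.inet.0", "AB.inet.0"), ("AB.inet.0", "A.inet.0"),
           ("B.inet.0", "AB.inet.0"), ("AB.inet.0", "B.inet.0")}

if __name__ == "__main__":
    print(audit(SAMPLE, ALLOWED) or "no unexpected leaks")
```

An empty result means the import and export tables match the intended overlap; any pair returned names a source and destination table that share a target outside the allowed design.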