[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

Configuring a VPN Routing Policy

Layer 2 and Layer 3 VPNs require a routing policy that describes which packets are sent and received across the VPN. Layer 2 circuits do not use a policy, and therefore, Layer 2 circuits send and receive all packets. For Layer 2 VPNs, the routing policy resides on the PE Services Routers. For the Layer 3 VPN example, the routing policy resides on the CE Services Routers.

This section contains the following topics. For more information about configuring routing policies, see Configuring Routing Policies and the JUNOS Routing Protocols Configuration Guide.

Configuring a Routing Policy for Layer 2 VPNs

If the routing instance uses a policy for accepting and rejecting packets instead of a route target, you must specify the import and export routing policies and the community on each PE Services Router.

To configure a Layer 2 VPN routing policy on a PE Services Router:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 18 and Table 19 on each PE router.
  3. If you are finished configuring the router, commit the configuration.
  4. To verify the configuration, see Verifying a VPN Configuration.

Table 18: Configuring an Import Routing Policy for Layer 2 VPNs

Task

J-Web Configuration Editor

CLI Configuration Editor

Navigate to the top of the configuration hierarchy and configure the import routing policy.

(PE Services Router)
  1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
  2. Next to Policy options, click Configure or Edit.
  3. Next to Policy statement, click Add new entry.
  4. In the Policy name box, type the policy name—for example, import_vpn.

From the [edit] hierarchy level, enter

edit policy-options policy-statement import-policy-name

Define the term for accepting packets.

(PE Services Router)
  1. Next to Term group, click Add new entry.
  2. In the Term name box, type a term name—for example, 10.
  3. Next to From, click Configure.
  4. Click Add new entry.
  5. Click Protocol and select bgp from the Value menu.
  6. Click OK.
  7. Next to Community, click Add new entry.
  8. Type the community-name value in the Community Name box.
  9. Click OK.
  10. Next to Then, click Configure.
  11. From the Accept reject list, select accept.
  12. Click OK until you are at the Policy statement page.
  1. Enter

    set termterm-name-accept from protocol bgp community community-name

  2. Enter

    set termterm-name-accept then accept

Define the term for rejecting packets.

(PE Services Router)
  1. Next to the Term group, click Add new entry.
  2. In the Term name box, type a term name—for example, 20.
  3. Next to Then, click Configure.
  4. From the Accept list, select reject.
  5. Click OK until you return to the Policy options page.

Enter

set term term-name-reject then reject

After configuring an import routing policy for a Layer 2 VPN, configure an export routing policy for the Layer 2 VPN. The export routing policy defines how routes are exported from the PE Services Router routing table. An export policy is applied to routes sent to other PE Services Routers in the VPN. The export policy must also evaluate all routes received over the routing protocol session with the CE Services Router. The export policy must also contain a second term for rejecting all other routes.

Table 19: Configuring an Export Routing Policy for Layer 2 VPNs

Task

J-Web Configuration Editor

CLI Configuration Editor

Configure the export routing policy.

(PE Services Router)
  1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
  2. Next to Policy options, click Configure or Edit.
  3. Next to Policy statement, click Add new entry.
  4. In the Policy name box, type the policy name—for example, export_vpn.

From the [edit] hierarchy level, enter

edit policy-options policy-statement export-policy-name

Define the term for accepting packets.

(PE Services Router)
  1. Next to the Term group, click Add new entry.
  2. In the Term name box, type a term name—for example, 10.
  3. Next to From, click Configure.
  4. Next to Community, click Add new entry.
  5. Type the community-name value in the Community Name box.
  6. Click OK.
  7. Next to Then, click Configure.
  8. From the Accept reject list, select accept.
  9. Click OK twice until you are at the Policy statement page.
  1. Enter

    set termterm-name-accept from community add community-name

  2. Enter

    set termterm-name-accept then accept

Define the term for rejecting packets.

(PE Services Router)
  1. Next to the Term group, click Add new entry.
  2. In the Term name box, type a term name—for example, 20.
  3. Next to Then, click Configure.
  4. From the Accept reject list, select reject.
  5. Click OK until you return to the Policy options page.
  1. Enter

    set termterm-name-reject from community add community-name

  2. Enter

    set termterm-name-reject then reject

Define the community.

(PE Services Router)
  1. In the Community group, click Add new entry.
  2. In the Community name box, type a community name—for example, VPN.
  3. In the Members group, click Add new entry.
  4. In the Value box, type target:community-id, where community-id is as-number:number or ip-address:number.
  5. Click OK until you return to the Policy options page.

Type the following commands:

communitycommunity-nametarget:as-number or ip-address:number

Configuring a Routing Policy for Layer 3 VPNs

To configure a Layer 3 VPN routing policy on a CE Services Router:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 20 on each CE Services Router.
  3. If you are finished configuring the router, commit the configuration.
  4. To verify the configuration, see Verifying a VPN Configuration.

Table 20: Configuring a Routing Policy for Layer 3 VPNs

Task

J-Web Configuration Editor

CLI Configuration Editor

Navigate to the top of the configuration hierarchy and configure the routing policy for the loopback interface.

(CE Services Router)
  1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
  2. Next to Policy options, click Configure or Edit.
  3. Next to Policy statement, click Configure or Edit.
  4. In the Policy name box, type the policy name—for example, loopback.

From the [edit] hierarchy level, enter

edit policy-options policy-statement policy-name

Define the term for accepting packets.

(CE Services Router)
  1. In the Term group, click Add new entry.
  2. In the Term name box, type a term name—for example, 1.
  3. Next to From, click Configure.
  4. Click protocol, then Add new entry.
  5. Select direct from the Value menu, and click OK.
  7. Next to Route Filter, click Add new entry.
  8. Type local-loopback-address/netmask in the Address box.
  9. Select exact from the Modifier list.
  10. Click OK twice.
  11. Next to Then, click Configure.
  12. From the Accept reject list, select accept.
  13. Click OK until you are at the Policy statement page.
  1. Enter

    set termterm-name-accept from protocol direct route-filter local-loopback-address/netmask exact

  2. Enter

    set termterm-name-accept then accept

Define the term for rejecting packets.

(CE Services Router)
  1. Next to the Term group, click Add new entry.
  2. In the Term name box, type a term name—for example, 2.
  3. Next to Then, click Configure.
  4. From the Accept reject list, select reject.
  5. Click OK until you return to the Policy options page.

Enter

set termterm-name-reject then reject

[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

[an error occurred while processing this directive]