Technical Documentation

Example: Configuring Overlapping VPNs

Figure 1: Overlapping VPNs Topology Diagram


Figure 1 shows a standard Multiprotocol Label Switching (MPLS) VPN topology. Routers PE1 and PE2 are acting as PE routers, CE1 and CE2 are CE routers, and P0 and P1 are core provider routers. You will establish three VRF instances: A, B, and AB. You will also configure auto-export as the method of sharing routing information between instances.

This example focuses on the interinstance and policy statements. As a result, some information has been omitted.

  • Because PE1 uses static routing instances, the router configuration for CE1 is not included in this example.
  • Most routers display a minimal configuration. Interface addresses and loopback addresses are assumed to have been enabled properly.

For more information about VPNs, see the JUNOS VPNs Configuration Guide.

Routers PE1 and PE2 contain the bulk of the configuration. At PE1, initiate an IBGP connection to PE2 and open a VPN connection to CE Router CE1 through three VRF instances: A, B, and AB.

The auto-export policy is applied to all instances simultaneously by means of a configuration group. Another method of enabling this option is to configure the auto-export statement individually on each VRF instance.

Finally, the policy statements add the appropriate communities to the routes each instance exports and accept routes tagged with the desired community. For example, the policy for VRF A sets community A on all routes leaving the instance, and only accepts routes from PE2 that are tagged with community A.

Router PE1

[edit]
groups {
    vrf-export-on {
        routing-instances {
            <*> {
                routing-options {
                    auto-export;
                }
            }
        }
    }
}
interfaces {
    t1-0/0/0 {
        description "to vpn02 t1-3/0/0";
        dce;
        encapsulation frame-relay;
        unit 0 {
            dlci 100;
            family inet {
                address 192.255.197.38/30;
            }
        }
        unit 1 {
            dlci 101;
            family inet {
                address 10.3.0.1/30;
            }
        }
        unit 2 {
            dlci 102;
            family inet {
                address 10.3.0.5/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.255.255.180/32;
            }
        }
    }
}
protocols {
    mpls {
        interface all;
    }
    bgp {
        group pepe {
            type internal;
            neighbor 10.255.255.182 {
                family inet-vpn {
                    unicast;
                }
            }
        }
    }
    ospf {
        area 0.0.0.0 {
            interface t3-0/3/3.0;
            interface lo0.0 {
                passive;
            }
        }
    }
    ldp {
        interface all;
    }
}
policy-options {
    policy-statement A-in {
        from community A;
        then accept;
    }
    policy-statement A-out {
        then {
            community add A;
            accept;
        }
    }
    policy-statement B-in {
        from community B;
        then accept;
    }
    policy-statement B-out {
        then {
            community add B;
            accept;
        }
    }
    policy-statement AB-in {
        from community [A B];
        then accept;
    }
    policy-statement AB-out {
        then {
            community add A;
            community add B;
            accept;
        }
    }
    community A members target:69:1;
    community B members target:69:2;
}
routing-instances {
    apply-groups vrf-export-on;
    A {
        instance-type vrf;
        interface t1-0/0/0.0;
        route-distinguisher 10.255.255.180:69;
        vrf-import A-in;
        vrf-export A-out;
        routing-options {
            static {
                route 1.1.1.1/32 next-hop t1-0/0/0.0;
                route 1.1.1.2/32 next-hop t1-0/0/0.0;
            }
        }
    }
    AB {
        instance-type vrf;
        interface t1-0/0/0.2;
        route-distinguisher 10.255.255.180:69;
        vrf-import AB-in;
        vrf-export AB-out;
        routing-options {
            static {
                route 1.1.3.1/32 next-hop t1-0/0/0.2;
                route 1.1.3.2/32 next-hop t1-0/0/0.2;
            }
        }
    }
    B {
        instance-type vrf;
        interface t1-0/0/0.1;
        route-distinguisher 10.255.255.180:69;
        vrf-import B-in;
        vrf-export B-out;
        routing-options {
            static {
                route 1.1.2.1/32 next-hop t1-0/0/0.1;
                route 1.1.2.2/32 next-hop t1-0/0/0.1;
            }
        }
    }
}
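
The following Python model is an added example, not part of the original documentation and not Junos code. It represents the vrf-import and vrf-export policies above as community sets and computes which static and BGP routes each PE1 table ends up holding, so you can confirm that A and B stay isolated from each other while both share routes with AB. The names POLICY, LOCAL, REMOTE, build_tables, and leaks are hypothetical, and direct and local interface routes are left out of the model.

```python
# Added illustration: models the PE1/PE2 vrf-import and vrf-export policies
# from this example as sets of communities. Not Junos code.

# VRF name -> (communities added on export, communities accepted on import).
# `from community [A B]` matches a route that carries either community.
POLICY = {
    "A":  ({"A"}, {"A"}),
    "B":  ({"B"}, {"B"}),
    "AB": ({"A", "B"}, {"A", "B"}),
}

# Static routes configured in each PE1 routing instance.
LOCAL = {
    "A":  ["1.1.1.1/32", "1.1.1.2/32"],
    "B":  ["1.1.2.1/32", "1.1.2.2/32"],
    "AB": ["1.1.3.1/32", "1.1.3.2/32"],
}

# Route learned over IBGP from PE2, tagged there by AB-out (communities A and B).
REMOTE = [("10.255.255.174/32", {"A", "B"})]


def build_tables():
    """Return {vrf: sorted prefixes} after auto-export and BGP import."""
    tables = {vrf: set(prefixes) for vrf, prefixes in LOCAL.items()}
    # Every local route is advertised with its instance's export communities.
    adverts = [(p, POLICY[vrf][0], vrf) for vrf, ps in LOCAL.items() for p in ps]
    adverts += [(p, comms, None) for p, comms in REMOTE]
    for vrf, (_, accepted) in POLICY.items():
        for prefix, comms, origin in adverts:
            # Import when at least one carried community is accepted.
            if origin != vrf and comms & accepted:
                tables[vrf].add(prefix)
    return {vrf: sorted(t) for vrf, t in tables.items()}


def leaks(tables, src, dst):
    """Prefixes originated in instance `src` that are visible in `dst`."""
    return sorted(set(LOCAL[src]) & set(tables[dst]))


if __name__ == "__main__":
    tables = build_tables()
    for vrf, prefixes in tables.items():
        print(vrf, prefixes)
    print("A -> B:", leaks(tables, "A", "B"), "B -> A:", leaks(tables, "B", "A"))
```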

As a provider core transit router, Router P0 only needs to provide connectivity to the PE routers. You configure OSPF, MPLS, and LDP on the interfaces pointing to both PE routers.

Router P0

[edit]
protocols {
    mpls {
        interface all;
    }
    ospf {
        area 0.0.0.0 {
            interface t3-0/0/3.0;
            interface t1-0/1/1.0;
        }
    }
    ldp {
        interface all;
    }
}

Like Router P0, Router P1 also needs to provide basic core connectivity for the PE routers. You can configure OSPF, MPLS, and LDP on the interfaces pointing toward routers P0 and PE2.

Router P1

[edit]
protocols {
    mpls {
        interface all;
    }
    ospf {
        area 0.0.0.0 {
            interface t1-0/1/1.0;
            interface t3-0/0/3.0;
        }
    }
    ldp {
        interface all;
    }
}

At Router PE2, complete your IBGP connection to PE1 and finish the VPN connection to CE Router CE2 through VRF instance AB. The VRF import policy named AB-in is the same as the export policy used for the OSPF protocol in the AB VRF instance. The policy statements add communities A and B to all outbound routes and accept any routes tagged with these communities.

Router PE2

[edit]
interfaces {
    lo0 {
        unit 0 {
            family inet {
                address 10.255.255.182/32;
            }
        }
    }
}
protocols {
    mpls {
        interface all;
    }
    bgp {
        keep all;
        group pepe {
            type internal;
            neighbor 10.255.255.180 {
                family inet-vpn {
                    unicast;
                }
            }
        }
    }
    ospf {
        area 0.0.0.0 {
            interface t3-0/0/3.0;
            interface lo0.0 {
                passive;
            }
        }
    }
    ldp {
        interface all;
    }
}
policy-options {
    policy-statement AB-in {
        from community [A B];
        then accept;
    }
    policy-statement AB-out {
        then {
            community add A;
            community add B;
            accept;
        }
    }
    community A members target:69:1;
    community B members target:69:2;
}
routing-instances {
    AB {
        instance-type vrf;
        interface t3-0/0/0.0;
        route-distinguisher 10.255.255.182:69;
        vrf-import AB-in;
        vrf-export AB-out;
        protocols {
            ospf {
                export AB-in;
                area 0.0.0.0 {
                    interface all;
                }
            }
        }
    }
}

At Router CE2, advertise the 10.255.255.174 loopback address into the VPN. Look for this route when you check the routing tables for the A, B, and AB instances on Router PE1. If the route appears in these instances, interinstance route sharing is successful.

Router CE2

[edit]
interfaces {
    lo0 {
        unit 0 {
            family inet {
                address 10.255.255.174/32;
            }
        }
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface t3-0/1/3.0;
            interface lo0.0;
        }
    }
}

Verifying Your Work

To verify that your overlapping VPN configuration is functioning properly, use the following commands:

  • show route export table table-name (brief | detail)
  • show route export instance instance-name (brief | detail)
  • show route export vrf-target (community community-regular-expression) (brief | detail)

The following section shows the output of these commands as used with the configuration example.

Router PE1 Status


user@PE1> show route export
Table                            Export           Routes
A.inet.0                         Y                     4
AB.inet.0                        Y                     4
B.inet.0                         Y                     4

user@PE1>  show route export detail
A.inet.0                                         Routes:        4
  Flags: <vrf>
AB.inet.0                                        Routes:        4
  Flags: <vrf>
B.inet.0                                         Routes:        4
  Flags: <vrf>

user@PE1>  show route export instance detail
Instance: A                              Type: vrf
  Flags: <config> Options: <unicast multicast>
Instance: AB                             Type: vrf
  Flags: <config> Options: <unicast multicast>
Instance: B                              Type: vrf
  Flags: <config> Options: <unicast multicast>

user@PE1>  show route table A.inet.0

A.inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
1.1.1.1/32         *[Static/5] 02:08:14
                    > via t1-0/0/0.0
1.1.1.2/32         *[Static/5] 02:08:14
                    > via t1-0/0/0.0
1.1.3.1/32         *[Static/5] 02:08:14
                    > via t1-0/0/0.2
1.1.3.2/32         *[Static/5] 02:08:14
                    > via t1-0/0/0.2
10.3.0.4/30        *[Direct/0] 02:08:14
                    > via t1-0/0/0.2
10.3.0.5/32        *[Local/0] 02:08:14
                      Local via t1-0/0/0.2
10.255.255.174/32   *[BGP/170] 00:18:08, MED 2, localpref 100, from 10.255.255.182
                      AS path: I
                    > via t3-0/3/3.0, Push 100004, Push 100017(top)
192.255.197.36/30  *[Direct/0] 02:08:14
                    > via t1-0/0/0.0
192.255.197.38/32  *[Local/0] 02:08:14
                      Local via t1-0/0/0.0
192.255.197.248/30 *[BGP/170] 00:18:18, localpref 100, from 10.255.255.182
                      AS path: I
                    > via t3-0/3/3.0, Push 100003, Push 100017(top)

user@PE1>  show route table B.inet.0

B.inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
1.1.2.1/32         *[Static/5] 02:09:28
                    > via t1-0/0/0.1
1.1.2.2/32         *[Static/5] 02:09:28
                    > via t1-0/0/0.1
1.1.3.1/32         *[Static/5] 02:09:28
                    > via t1-0/0/0.2
1.1.3.2/32         *[Static/5] 02:09:28
                    > via t1-0/0/0.2
10.3.0.0/30        *[Direct/0] 02:09:28
                    > via t1-0/0/0.1
10.3.0.1/32        *[Local/0] 02:09:28
                      Local via t1-0/0/0.1
10.3.0.4/30        *[Direct/0] 02:09:28
                    > via t1-0/0/0.2
10.3.0.5/32        *[Local/0] 02:09:28
                      Local via t1-0/0/0.2
10.255.255.174/32   *[BGP/170] 00:19:22, MED 2, localpref 100, from 10.255.255.182
                      AS path: I
                    > via t3-0/3/3.0, Push 100004, Push 100017(top)
192.255.197.248/30 *[BGP/170] 00:19:32, localpref 100, from 10.255.255.182
                      AS path: I
                    > via t3-0/3/3.0, Push 100003, Push 100017(top)

user@PE1>  show route table AB.inet.0
AB.inet.0: 14 destinations, 14 routes (14 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
1.1.1.1/32         *[Static/5] 02:09:43
                    > via t1-0/0/0.0
1.1.1.2/32         *[Static/5] 02:09:43
                    > via t1-0/0/0.0
1.1.2.1/32         *[Static/5] 02:09:43
                    > via t1-0/0/0.1
1.1.2.2/32         *[Static/5] 02:09:43
                    > via t1-0/0/0.1
1.1.3.1/32         *[Static/5] 02:09:43
                    > via t1-0/0/0.2
1.1.3.2/32         *[Static/5] 02:09:43
                    > via t1-0/0/0.2
10.3.0.0/30        *[Direct/0] 02:09:43
                    > via t1-0/0/0.1
10.3.0.1/32        *[Local/0] 02:09:43
                      Local via t1-0/0/0.1
10.3.0.4/30        *[Direct/0] 02:09:43
                    > via t1-0/0/0.2
10.3.0.5/32        *[Local/0] 02:09:43
                      Local via t1-0/0/0.2
10.255.255.174/32   *[BGP/170] 00:19:37, MED 2, localpref 100, from 10.255.255.182
                      AS path: I
                    > via t3-0/3/3.0, Push 100004, Push 100017(top)
192.255.197.36/30  *[Direct/0] 02:09:43
                    > via t1-0/0/0.0
192.255.197.38/32  *[Local/0] 02:09:43
                      Local via t1-0/0/0.0
192.255.197.248/30 *[BGP/170] 00:19:47, localpref 100, from 10.255.255.182
                      AS path: I
                    > via t3-0/3/3.0, Push 100003, Push 100017(top)

user@PE1>  show route export vrf-target detail
Target: 69:1                              inet     unicast
  Import table(s): A.inet.0 AB.inet.0
  Export table(s): A.inet.0 AB.inet.0
Target: 69:2                              inet     unicast
  Import table(s): AB.inet.0 B.inet.0
  Export table(s): AB.inet.0 B.inet.0
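
The check below is an added example, not part of the original documentation. It parses the `show route export vrf-target detail` output shown above, derives which instances exchange routes through a shared target, and reports any exporter/importer pair outside an intended allow-list. The allow-list (A and B each exchange routes only with AB) is an assumption drawn from this example's policies, and the function names are hypothetical.

```python
import re
from itertools import product

# Output of `show route export vrf-target detail` on PE1, copied from this page.
SAMPLE = """\
Target: 69:1                              inet     unicast
  Import table(s): A.inet.0 AB.inet.0
  Export table(s): A.inet.0 AB.inet.0
Target: 69:2                              inet     unicast
  Import table(s): AB.inet.0 B.inet.0
  Export table(s): AB.inet.0 B.inet.0
"""

# Assumed design intent: A and B exchange routes with AB, never with each other.
ALLOWED = {("A", "AB"), ("AB", "A"), ("B", "AB"), ("AB", "B")}


def parse_targets(text):
    """Return {target: {"import": [instances], "export": [instances]}}."""
    targets, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Target:\s+(\S+)", line)
        if m:
            current = targets.setdefault(m.group(1), {"import": [], "export": []})
            continue
        m = re.match(r"\s*(Import|Export) table\(s\):\s*(.*)", line)
        if m and current is not None:
            # Table "A.inet.0" belongs to routing instance "A".
            names = [t.rsplit(".", 2)[0] for t in m.group(2).split()]
            current[m.group(1).lower()] += names
    return targets


def route_flows(targets):
    """Set of (exporter, importer) instance pairs that share a target."""
    flows = set()
    for t in targets.values():
        flows |= {(e, i) for e, i in product(t["export"], t["import"]) if e != i}
    return flows


def unexpected_flows(text, allowed=ALLOWED):
    """Pairs that exchange routes but are not in the allow-list."""
    return sorted(route_flows(parse_targets(text)) - allowed)


if __name__ == "__main__":
    print("unexpected flows:", unexpected_flows(SAMPLE))
```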

Published: 2010-04-15