
Layer 2 VPN Configuration Example

The following sections explain how to configure Layer 2 VPN functionality on the provider edge (PE) routers connected to each site:

Simple Full-Mesh Layer 2 VPN Overview

In the sections that follow, you configure a simple full-mesh Layer 2 VPN spanning three sites: Sunnyvale, Austin, and Portland. Each site connects to a PE router. The customer edge (CE) routers at each site use Frame Relay to carry Layer 2 traffic to the PE routers. Since this example uses a full-mesh topology between all three sites, each site requires two logical interfaces (one for each of the other CE routers), although only one physical link is needed to connect each PE router to each CE router. Figure 1 illustrates the topology of this Layer 2 VPN.

Figure 1: Example of a Simple Full-Mesh Layer 2 VPN Topology


Enabling an IGP on the PE Routers

To allow the PE routers to exchange routing information among themselves, you must configure an interior gateway protocol (IGP) or static routes on these routers. You configure the IGP on the master instance of the routing protocol process (rpd) (that is, at the [edit protocols] hierarchy level), not within the Layer 2 VPN routing instance (that is, not at the [edit routing-instances] hierarchy level). Turn on traffic engineering on the IGP.

You configure the IGP in the standard way. This example does not include this portion of the configuration.

Configuring MPLS LSP Tunnels Between the PE Routers

In this configuration example, RSVP is used for MPLS signaling. Therefore, in addition to configuring RSVP, you must create an MPLS label-switched path (LSP) to tunnel the VPN traffic.

On Router A, enable RSVP and configure one end of the MPLS LSP tunnel to Router B. When configuring the MPLS LSP, include all interfaces using the interface all statement.

[edit]
protocols {
    rsvp {
        interface all;
    }
    mpls {
        interface all;
        label-switched-path RouterA-to-RouterB {
            to 192.168.37.5;
            primary Path-to-RouterB;
        }
        label-switched-path RouterA-to-RouterC {
            to 192.168.37.10;
            primary Path-to-RouterC;
        }
    }
}

On Router B, enable RSVP and configure the other end of the MPLS LSP tunnel. Again, configure the interfaces by using the interface all statement.

[edit]
protocols {
    rsvp {
        interface all;
    }
    mpls {
        interface all;
        label-switched-path RouterB-to-RouterA {
            to 192.168.37.1;
            primary Path-to-RouterA;
        }
        label-switched-path RouterB-to-RouterC {
            to 192.168.37.10;
            primary Path-to-RouterC;
        }
    }
}

On Router C, enable RSVP and configure the other end of the MPLS LSP tunnel. Again, configure all interfaces using the interface all statement.

[edit]
protocols {
    rsvp {
        interface all;
    }
    mpls {
        interface all;
        label-switched-path RouterC-to-RouterA {
            to 192.168.37.1;
            primary Path-to-RouterA;
        }
        label-switched-path RouterC-to-RouterB {
            to 192.168.37.5;
            primary Path-to-RouterB;
        }
    }
}

Configuring IBGP on the PE Routers

On the PE routers, configure an IBGP session with the following parameters:

  • Layer 2 VPN—To indicate that the IBGP session is for a Layer 2 VPN, include the family l2vpn statement.
  • Local address—The IP address in the local-address statement is the same as the address configured in the to statement at the [edit protocols mpls label-switched-path lsp-path-name] hierarchy level on the remote PE router. The IBGP session for Layer 2 VPNs runs through this address.
  • Neighbor address—Include the neighbor statement, specifying the IP address of the neighboring PE router.

On Router A, configure IBGP:

[edit]
protocols {
    bgp {
        import match-all;
        export match-all;
        group pe-pe {
            type internal;
            neighbor 192.168.37.5 {
                local-address 192.168.37.1;
                family l2vpn {
                    signaling;
                }
            }
            neighbor 192.168.37.10 {
                local-address 192.168.37.1;
                family l2vpn {
                    signaling;
                }
            }
        }
    }
}

On Router B, configure IBGP:

[edit]
protocols {
    bgp {
        local-address 192.168.37.5;
        import match-all;
        export match-all;
        group pe-pe {
            type internal;
            neighbor 192.168.37.1 {
                local-address 192.168.37.5;
                family l2vpn {
                    signaling;
                }
            }
            neighbor 192.168.37.10 {
                local-address 192.168.37.5;
                family l2vpn {
                    signaling;
                }
            }
        }
    }
}

On Router C, configure IBGP:

[edit]
protocols {
    bgp {
        local-address 192.168.37.10;
        import match-all;
        export match-all;
        group pe-pe {
            type internal;
            neighbor 192.168.37.1 {
                local-address 192.168.37.10;
                family l2vpn {
                    signaling;
                }
            }
            neighbor 192.168.37.5 {
                local-address 192.168.37.10;
                family l2vpn {
                    signaling;
                }
            }
        }
    }
}

Configuring Routing Instances for Layer 2 VPNs on the PE Routers

The three PE routers service the Layer 2 VPN, so you need to configure a routing instance on each router. For the VPN, you must define the following in each routing instance:

  • Route distinguisher, which must be unique for each routing instance on the PE router. It is used to distinguish the addresses in one VPN from those in another VPN.
  • Instance type of l2vpn, which configures the router to run a Layer 2 VPN.
  • Interfaces connected to the CE routers.
  • VPN routing and forwarding (VRF) import and export policies, which must be the same on each PE router that services the same VPN and are used to control the network topology. Unless the import policy contains only a then reject statement, it must include a reference to a community. Otherwise, when you attempt to commit the configuration, the commit operation fails.

On Router A, configure the following routing instance for the Layer 2 VPN:

[edit]
routing-instances {
    VPN-Sunnyvale-Portland-Austin {
        instance-type l2vpn;
        interface so-6/0/0.0;
        interface so-6/0/0.1;
        route-distinguisher 100:1;
        vrf-import vpn-SPA-import;
        vrf-export vpn-SPA-export;
        protocols {
            l2vpn {
                encapsulation-type frame-relay;
                site Sunnyvale {
                    site-identifier 1;
                    interface so-6/0/0.0 {
                        remote-site-id 2;
                    }
                    interface so-6/0/0.1 {
                        remote-site-id 3;
                    }
                }
            }
        }
    }
}

On Router B, configure the following routing instance for the Layer 2 VPN:

[edit]
routing-instances {
    VPN-Sunnyvale-Portland-Austin {
        instance-type l2vpn;
        interface so-6/0/0.2;
        interface so-6/0/0.3;
        route-distinguisher 100:1;
        vrf-import vpn-SPA-import;
        vrf-export vpn-SPA-export;
        protocols {
            l2vpn {
                encapsulation-type frame-relay;
                site Austin {
                    site-identifier 2;
                    interface so-6/0/0.2 {
                        remote-site-id 1;
                    }
                    interface so-6/0/0.3 {
                        remote-site-id 3;
                    }
                }
            }
        }
    }
}

On Router C, configure the following routing instance for the Layer 2 VPN:

[edit]
routing-instances {
    VPN-Sunnyvale-Portland-Austin {
        instance-type l2vpn;
        interface so-6/0/0.4;
        interface so-6/0/0.5;
        route-distinguisher 100:1;
        vrf-import vpn-SPA-import;
        vrf-export vpn-SPA-export;
        protocols {
            l2vpn {
                encapsulation-type frame-relay;
                site Portland {
                    site-identifier 3;
                    interface so-6/0/0.4 {
                        remote-site-id 1;
                    }
                    interface so-6/0/0.5 {
                        remote-site-id 2;
                    }
                }
            }
        }
    }
}

Configuring CCC Encapsulation on the Interfaces

You need to specify a circuit cross-connect (CCC) encapsulation type for each PE-router-to-CE-router interface running in the Layer 2 VPN. This encapsulation type should match the encapsulation type configured under the routing instance.

Configure the following CCC encapsulation types for the interfaces on Router A:

[edit]
interfaces so-6/0/0 {
    encapsulation frame-relay-ccc;
    unit 0 {
        encapsulation frame-relay-ccc;
    }
}
interfaces so-6/0/0 {
    encapsulation frame-relay-ccc;
    unit 1 {
        encapsulation frame-relay-ccc;
    }
}

Configure the following CCC encapsulation types for the interfaces on Router B:

[edit]
interfaces so-6/0/0 {
    encapsulation frame-relay-ccc;
    unit 2 {
        encapsulation frame-relay-ccc;
    }
}
interfaces so-6/0/0 {
    encapsulation frame-relay-ccc;
    unit 3 {
        encapsulation frame-relay-ccc;
    }
}

Configure the following CCC encapsulation types for the interfaces on Router C:

[edit]
interfaces so-6/0/0 {
    encapsulation frame-relay-ccc;
    unit 4 {
        encapsulation frame-relay-ccc;
    }
}
interfaces so-6/0/0 {
    encapsulation frame-relay-ccc;
    unit 5 {
        encapsulation frame-relay-ccc;
    }
}

Configuring VPN Policy on the PE Routers

You must configure VPN import and export policies on each of the PE routers so that they install the appropriate routes in their VRF tables, which the routers use to forward packets within the VPN.

Note: Use the community add statement at the [edit policy-options policy-statement term] hierarchy level to facilitate Layer 2 VPN VRF export policies.

On Router A, configure the following VPN import and export policies:

[edit]
policy-options {
    policy-statement match-all {
        term acceptable {
            then accept;
        }
    }
    policy-statement vpn-SPA-export {
        term a {
            then {
                community add SPA-com;
                accept;
            }
        }
        term b {
            then reject;
        }
    }
    policy-statement vpn-SPA-import {
        term a {
            from {
                protocol bgp;
                community SPA-com;
            }
            then accept;
        }
        term b {
            then reject;
        }
    }
    community SPA-com members target:69:100;
}

On Router B, configure the following VPN import and export policies:

[edit]
policy-options {
    policy-statement match-all {
        term acceptable {
            then accept;
        }
    }
    policy-statement vpn-SPA-import {
        term a {
            from {
                protocol bgp;
                community SPA-com;
            }
            then accept;
        }
        term b {
            then reject;
        }
    }
    policy-statement vpn-SPA-export {
        term a {
            then {
                community add SPA-com;
                accept;
            }
        }
        term b {
            then reject;
        }
    }
    community SPA-com members target:69:100;
}

On Router C, configure the following VPN import and export policies:

[edit]
policy-options {
    policy-statement match-all {
        term acceptable {
            then accept;
        }
    }
    policy-statement vpn-SPA-import {
        term a {
            from {
                protocol bgp;
                community SPA-com;
            }
            then accept;
        }
        term b {
            then reject;
        }
    }
    policy-statement vpn-SPA-export {
        term a {
            then {
                community add SPA-com;
                accept;
            }
        }
        term b {
            then reject;
        }
    }
    community SPA-com members target:69:100;
}

To apply the VPN policies on the routers, include the vrf-export and vrf-import statements when you configure the routing instance. The VRF import and export policies handle the route distribution across the IBGP session running between the PE routers.

To apply the VPN policies on Router A, include the following statements:

[edit]
routing-instances {
    VPN-Sunnyvale-Portland-Austin {
        vrf-import vpn-SPA-import;
        vrf-export vpn-SPA-export;
    }
}

To apply the VPN policies on Router B, include the following statements:

[edit]
routing-instances {
    VPN-Sunnyvale-Portland-Austin {
        vrf-import vpn-SPA-import;
        vrf-export vpn-SPA-export;
    }
}

To apply the VPN policies on Router C, include the following statements:

[edit]
routing-instances {
    VPN-Sunnyvale-Portland-Austin {
        vrf-import vpn-SPA-import;
        vrf-export vpn-SPA-export;
    }
}
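
The steps above leave several values that must agree across the three PE routers: each site's site-identifier, the remote-site-id on each interface, and the interfaces listed in the routing instance. The following Python script is an added example, not part of the original documentation, that parses routing-instances stanzas and reports mis-paired or missing circuits before commit. The helper names (parse, arg, audit, pe) and the ROUTER_* samples are constructed for illustration, and the sample stanzas are trimmed to the statements the check reads.

```python
import re

def parse(text):
    """Parse Junos curly-brace configuration into nested dicts keyed by statement."""
    root, stack, words = {}, [], []
    node = root
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok in ("{", ";"):
            child = node.setdefault(" ".join(words), {})
            words = []
            if tok == "{":          # a block opens: descend into it
                stack.append(node)
                node = child
        elif tok == "}":
            node = stack.pop()
        else:
            words.append(tok)
    return root

def arg(node, keyword):  # first argument of each statement starting with keyword
    return [k.split()[1] for k in node if k.split()[0] == keyword]

def audit(configs):  # list of full-mesh problems across all PE configurations
    found, problems = {}, []
    for text in configs:
        for inst in parse(text)["routing-instances"].values():
            for name, site in inst["protocols"]["l2vpn"].items():
                if name.startswith("site "):
                    remote = {k.split()[1]: int(arg(v, "remote-site-id")[0])
                              for k, v in site.items() if k.startswith("interface ")}
                    found[int(arg(site, "site-identifier")[0])] = (set(arg(inst, "interface")), remote)
    for sid, (listed, remote) in sorted(found.items()):
        if listed != set(remote):
            problems.append(f"site {sid}: instance lists {sorted(listed)}, l2vpn uses {sorted(remote)}")
        if sorted(remote.values()) != sorted(set(found) - {sid}):
            problems.append(f"site {sid}: remote-site-ids {sorted(remote.values())} are not a full mesh")
    return problems

def pe(site, sid, listed, links):  # constructed sample stanza in the page's layout
    ifs = "".join(f"interface so-6/0/0.{u}; " for u in listed)
    l2 = "".join(f"interface so-6/0/0.{u} {{ remote-site-id {r}; }} " for u, r in links)
    return (f"routing-instances {{ VPN-Sunnyvale-Portland-Austin {{ instance-type l2vpn; {ifs}"
            f"protocols {{ l2vpn {{ encapsulation-type frame-relay; site {site} {{ "
            f"site-identifier {sid}; {l2}}} }} }} }} }}")
ROUTER_A = pe("Sunnyvale", 1, [0, 1], [(0, 2), (1, 3)])
ROUTER_B = pe("Austin", 2, [2, 3], [(2, 1), (3, 3)])
ROUTER_C = pe("Portland", 3, [4, 5], [(4, 1), (5, 2)])
ROUTER_C_BAD = pe("Portland", 3, [3, 4], [(4, 1), (5, 2)])  # constructed mismatch
print(audit([ROUTER_A, ROUTER_B, ROUTER_C_BAD]))
```

An empty list from audit means every site lists exactly the interfaces its l2vpn site uses and has one circuit to each other site.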

Layer 2 VPN Configuration Summarized by Router

For a summary of the configuration on each router in the examples in this chapter, see the following sections:

Summary for Router A (PE Router for Sunnyvale)

Routing Instance for Layer 2 VPN

[edit]
routing-instances {
    VPN-Sunnyvale-Portland-Austin {
        instance-type l2vpn;
        interface so-6/0/0.0;
        interface so-6/0/0.1;
        route-distinguisher 100:1;
        vrf-import vpn-SPA-import;
        vrf-export vpn-SPA-export;
        protocols {
            l2vpn {
                encapsulation-type frame-relay;
                site Sunnyvale {
                    site-identifier 1;
                    interface so-6/0/0.0 {
                        remote-site-id 2;
                    }
                    interface so-6/0/0.1 {
                        remote-site-id 3;
                    }
                }
            }
        }
    }
}

Configure CCC Encapsulation Types for Interfaces

interfaces {
    so-6/0/0 {
        encapsulation frame-relay-ccc;
        unit 0 {
            encapsulation frame-relay-ccc;
        }
    }
    so-6/0/0 {
        encapsulation frame-relay-ccc;
        unit 1 {
            encapsulation frame-relay-ccc;
        }
    }
}

Master Protocol Instance

protocols {}

Enable RSVP

rsvp {
    interface all;
}

Configure MPLS LSPs

mpls {
    label-switched-path RouterA-to-RouterB {
        to 192.168.37.5;
        primary Path-to-RouterB {
            cspf;
        }
    }
    label-switched-path RouterA-to-RouterC {
        to 192.168.37.10;
        primary Path-to-RouterC {
            cspf;
        }
    }
    interface all;
}

Configure IBGP

bgp {
    import match-all;
    export match-all;
    group pe-pe {
        type internal;
        neighbor 192.168.37.5 {
            local-address 192.168.37.1;
            family l2vpn {
                signaling;
            }
        }
        neighbor 192.168.37.10 {
            local-address 192.168.37.1;
            family l2vpn {
                signaling;
            }
        }
    }
}

Configure VPN Policy

policy-options {
    policy-statement match-all {
        term acceptable {
            then accept;
        }
    }
    policy-statement vpn-SPA-export {
        term a {
            then {
                community add SPA-com;
                accept;
            }
        }
        term b {
            then reject;
        }
    }
    policy-statement vpn-SPA-import {
        term a {
            from {
                protocol bgp;
                community SPA-com;
            }
            then accept;
        }
        term b {
            then reject;
        }
    }
    community SPA-com members target:69:100;
}

Summary for Router B (PE Router for Austin)

Routing Instance for VPN

[edit]
routing-instances {
    VPN-Sunnyvale-Portland-Austin {
        instance-type l2vpn;
        interface so-6/0/0.2;
        interface so-6/0/0.3;
        route-distinguisher 100:1;
        vrf-import vpn-SPA-import;
        vrf-export vpn-SPA-export;
    }
}

Configure Layer 2 VPN

protocols {
    l2vpn {
        encapsulation-type frame-relay;
        site Austin {
            site-identifier 2;
            interface so-6/0/0.2 {
                remote-site-id 1;
            }
            interface so-6/0/0.3 {
                remote-site-id 3;
            }
        }
    }
}

Configure CCC Encapsulation Types for Interfaces

[edit]
interfaces {
    so-6/0/0 {
        encapsulation frame-relay-ccc;
        unit 2 {
            encapsulation frame-relay-ccc;
        }
    }
    so-6/0/0 {
        encapsulation frame-relay-ccc;
        unit 3 {
            encapsulation frame-relay-ccc;
        }
    }
}

Master Protocol Instance

protocols {}

Enable RSVP

rsvp {
    interface all;
}

Configure MPLS LSPs

mpls {
    label-switched-path RouterB-to-RouterA {
        to 192.168.37.1;
        primary Path-to-RouterA {
            cspf;
        }
    }
    label-switched-path RouterB-to-RouterC {
        to 192.168.37.10;
        primary Path-to-RouterC {
            cspf;
        }
    }
    interface all;
}

Configure IBGP

bgp {
    local-address 192.168.37.5;
    import match-all;
    export match-all;
    group pe-pe {
        type internal;
        neighbor 192.168.37.1 {
            local-address 192.168.37.5;
            family l2vpn {
                signaling;
            }
        }
        neighbor 192.168.37.10 {
            local-address 192.168.37.5;
            family l2vpn {
                signaling;
            }
        }
    }
}

Configure VPN Policy

policy-options {
    policy-statement match-all {
        term acceptable {
            then accept;
        }
    }
    policy-statement vpn-SPA-import {
        term a {
            from {
                protocol bgp;
                community SPA-com;
            }
            then accept;
        }
        term b {
            then reject;
        }
    }
    policy-statement vpn-SPA-export {
        term a {
            then {
                community add SPA-com;
                accept;
            }
        }
        term b {
            then reject;
        }
    }
    community SPA-com members target:69:100;
}

Summary for Router C (PE Router for Portland)

Routing Instance for VPN

[edit]
routing-instances {
    VPN-Sunnyvale-Portland-Austin {
        instance-type l2vpn;
        interface so-6/0/0.4;
        interface so-6/0/0.5;
        route-distinguisher 100:1;
        vrf-import vpn-SPA-import;
        vrf-export vpn-SPA-export;
    }
}

Configure Layer 2 VPN

protocols {
    l2vpn {
        encapsulation-type frame-relay;
        site Portland {
            site-identifier 3;
            interface so-6/0/0.4 {
                remote-site-id 1;
            }
            interface so-6/0/0.5 {
                remote-site-id 2;
            }
        }
    }
}

Configure CCC Encapsulation Types for Interfaces

[edit]
interfaces {
    so-6/0/0 {
        encapsulation frame-relay-ccc;
        unit 4 {
            encapsulation frame-relay-ccc;
        }
    }
    so-6/0/0 {
        encapsulation frame-relay-ccc;
        unit 5 {
            encapsulation frame-relay-ccc;
        }
    }
}

Master Protocol Instance

protocols {}

Enable RSVP

rsvp {
    interface all;
}

Configure MPLS LSPs

mpls {
    label-switched-path RouterC-to-RouterA {
        to 192.168.37.1;
        primary Path-to-RouterA {
            cspf;
        }
    }
    label-switched-path RouterC-to-RouterB {
        to 192.168.37.5;
        primary Path-to-RouterB {
            cspf;
        }
    }
    interface all;
}

Configure IBGP

bgp {
    local-address 192.168.37.10;
    import match-all;
    export match-all;
    group pe-pe {
        type internal;
        neighbor 192.168.37.1 {
            local-address 192.168.37.10;
            family l2vpn {
                signaling;
            }
        }
        neighbor 192.168.37.5 {
            local-address 192.168.37.10;
            family l2vpn {
                signaling;
            }
        }
    }
}

Configure VPN Policy

policy-options {
    policy-statement match-all {
        term acceptable {
            then accept;
        }
    }
    policy-statement vpn-SPA-import {
        term a {
            from {
                protocol bgp;
                community SPA-com;
            }
            then accept;
        }
        term b {
            then reject;
        }
    }
    policy-statement vpn-SPA-export {
        term a {
            then {
                community add SPA-com;
                accept;
            }
        }
        term b {
            then reject;
        }
    }
    community SPA-com members target:69:100;
}

Published: 2010-04-27
