BGP-Based VPN
Understanding Carrier-of-Carriers VPNs
The customer of a VPN service provider might be a service provider for the end customer. The following are the two main types of carrier-of-carriers VPNs (as described in RFC 4364:
Internet Service Provider as the Customer—The VPN customer is an ISP that uses the VPN service provider’s network to connect its geographically disparate regional networks. The customer does not have to configure MPLS within its regional networks.
VPN Service Provider as the Customer—The VPN customer is itself a VPN service provider offering VPN service to its customers. The carrier-of-carriers VPN service customer relies on the backbone VPN service provider for inter-site connectivity. The customer VPN service provider is required to run MPLS within its regional networks.
Figure 1 illustrates the network architecture used for a carrier-of-carriers VPN service.
This topic covers the following:
Internet Service Provider as the Customer
In this type of carrier-of-carriers VPN configuration, ISP A configures its network to provide Internet service to ISP B. ISP B provides the connection to the customer wanting Internet service, but the actual Internet service is provided by ISP A.
This type of carrier-of-carriers VPN configuration has the following characteristics:
The carrier-of-carriers VPN service customer (ISP B) does not need to configure MPLS on its network.
The carrier-of-carriers VPN service provider (ISP A) must configure MPLS on its network.
MPLS must also be configured on the CE routers and PE routers connected together in the carrier-of-carriers VPN service customer’s and carrier-of-carriers VPN service provider’s networks.
VPN Service Provider as the Customer
A VPN service provider can have customers that are themselves VPN service providers. In this type of configuration, also called a hierarchical or recursive VPN, the customer VPN service provider’s VPN-IPv4 routes are considered external routes, and the backbone VPN service provider does not import them into its VRF table. The backbone VPN service provider imports only the customer VPN service provider’s internal routes into its VRF table.
The similarities and differences between interprovider and carrier-of-carriers VPNs are shown in Table 1.
Feature |
ISP Customer |
VPN Service Provider Customer |
|---|---|---|
Customer edge device |
AS border router |
PE router |
IBGP sessions |
Carry IPv4 routes |
Carry external VPN-IPv4 routes with associated labels |
Forwarding within the customer network |
MPLS is optional |
MPLS is required |
Support for VPN service as the customer is supported on QFX10000 switches starting with Junos OS Release 17.1R1.
Understanding Interprovider and Carrier-of-Carriers VPNs
All interprovider and carrier-of-carriers VPNs share the following characteristics:
Each interprovider or carrier-of-carriers VPN customer must distinguish between internal and external customer routes.
Internal customer routes must be maintained by the VPN service provider in its PE routers.
External customer routes are carried only by the customer’s routing platforms, not by the VPN service provider’s routing platforms.
The key difference between interprovider and carrier-of-carriers VPNs is whether the customer sites belong to the same AS or to separate ASs:
Interprovider VPNs—The customer sites belong to different ASs. You need to configure EBGP to exchange the customer’s external routes.
Understanding Carrier-of-Carriers VPNs—The customer sites belong to the same AS. You need to configure IBGP to exchange the customer’s external routes.
In general, each service provider in a VPN hierarchy is required to maintain its own internal routes in its P routers, and the internal routes of its customers in its PE routers. By recursively applying this rule, it is possible to create a hierarchy of VPNs.
The following are definitions of the types of PE routers specific to interprovider and carrier-of-carriers VPNs:
The AS border router is located at the AS border and handles traffic leaving and entering the AS.
The end PE router is the PE router in the customer VPN; it is connected to the CE router at the end customer’s site.
Configuring Carrier-of-Carriers VPNs for Customers That Provide VPN Service
You can configure a carrier-of-carriers VPN service for customers who want VPN service.
To configure the routers (or switches) in the customer’s and provider’s networks to enable carrier-of-carriers VPN service, perform the steps in the following sections:
- Configuring the Carrier-of-Carriers Customer’s PE Router
- Configuring the Carrier-of-Carriers Customer’s CE Router (or switch)
- Configuring the Provider’s PE Router or Switch
Configuring the Carrier-of-Carriers Customer’s PE Router
The carrier-of-carriers customer’s PE router (or switch) is connected to the end customer’s CE router (or switch).
The following sections describe how to configure the carrier-of-carriers customer’s PE router (or switch):
- Configuring MPLS
- Configuring BGP
- Configuring OSPF
- Configuring LDP
- Configuring VPN Service in the Routing Instance
- Configuring Policy Options
Configuring MPLS
To configure MPLS on the carrier-of-carriers customer’s
PE router (or switch), include the mpls statement:
mpls {
interface interface-name;
interface interface-name;
}
You can include this statement at the following hierarchy levels:
[edit protocols][edit logical-systems logical-system-name protocols]
Configuring BGP
Include the labeled-unicast statement in the configuration
for the IBGP session to the carrier-of-carriers customer’s CE
router (or switch) ),
and include the family-inet-vpn statement in the configuration
for the IBGP session to the carrier-of-carriers PE router (or switch)
on the other side of the network:
bgp {
group group-name {
type internal;
local-address address;
neighbor address {
family inet {
labeled-unicast;
resolve-vpn;
}
}
}
neighbor address {
family inet-vpn {
any;
}
}
}
You can include these statements at the following hierarchy levels:
[edit protocols][edit logical-systems logical-system-name protocols]
Configuring OSPF
To configure OSPF on the carrier-of-carriers customer’s
PE router (or switch), include the ospf statement:
ospf {
area area-id {
interface interface-name {
passive;
}
interface interface-name;
}
}
You can include this statement at the following hierarchy levels:
[edit protocols][edit logical-systems logical-system-name protocols]
Configuring LDP
To configure LDP on the carrier-of-carriers customer’s
PE router (or switch), include the ldp statement:
ldp {
interface interface-name;
}
You can include this statement at the following hierarchy levels:
[edit protocols][edit logical-systems logical-system-name protocols]
Configuring VPN Service in the Routing Instance
To configure VPN service for the end customer’s CE router (or switch) on the carrier-of-carriers customer’s PE router (or switch), include the following statements:
instance-type vrf;
interface interface-name;
route-distinguisher address;
vrf-import policy-name;
vrf-export policy-name;
protocols {
bgp {
group group-name {
peer-as as-number;
neighbor address;
}
}
}
You can include these statements at the following hierarchy levels:
[edit routing-instances routing-instance-name][edit logical-systems logical-system-name routing-instances routing-instance-name]
Configuring Policy Options
To configure policy options to import and export routes to and
from the end customer’s CE router (or switch), include
the policy-statement and community statements:
policy-statement policy-name {
term term-name {
from {
protocol bgp;
community community-name;
}
then accept;
}
term term-name {
then reject;
}
}
policy-statement policy-name {
term term-name {
from protocol bgp;
then {
community add community-name;
accept;
}
}
term term-name {
then reject;
}
}
community community-name members value;
You can include these statements at the following hierarchy levels:
[edit policy-options][edit logical-systems logical-system-name policy-options]
Configuring the Carrier-of-Carriers Customer’s CE Router (or switch)
The carrier-of-carriers customer’s CE router (or switch) connects to the provider’s PE router (or switch). Complete the instructions in the following sections to configure the carrier-of-carriers customers’ CE router (or switch):
Configuring MPLS
In the MPLS configuration for the carrier-of-carriers customer’s CE router (or switch), include the interfaces to the provider’s PE router (or switch) and to a P router (or switch) in the customer’s network:
mpls {
traffic-engineering bgp-igp;
interface interface-name;
interface interface-name;
}
You can include these statements at the following hierarchy levels:
[edit protocols][edit logical-systems logical-system-name protocols]
Configuring BGP
In the BGP configuration for the carrier-of-carriers
customer’s CE router (or switch), configure a group that includes
the labeled-unicast statement to extend VPN service to
the PE router (or switch)connected to the end customer’s CE router
(or switch):
bgp {
group group-name {
type internal;
local-address address;
neighbor address {
family inet {
labeled-unicast;
}
}
}
}
You can include the bgp statement at the following
hierarchy levels:
[edit protocols][edit logical-systems logical-system-name protocols]
To configure a group to send labeled internal routes to the
provider’s PE router (or switch), include the bgp statement:
bgp {
group group-name {
export internal;
peer-as as-number;
neighbor address {
family inet {
labeled-unicast;
}
}
}
}
You can include this statement at the following hierarchy levels:
[edit protocols][edit logical-systems logical-system-name protocols]
Configuring OSPF and LDP
To configure OSPF and LDP on the carrier-of-carriers customer’s
CE router (or switch), include the ospf and ldp statements:
ospf {
area area-id {
interface interface-name {
passive;
}
interface interface-name;
}
}
ldp {
interface interface-name;
}
You can include these statements at the following hierarchy levels:
[edit protocols][edit logical-systems logical-system-name protocols]
Configuring Policy Options
To configure the policy options on the carrier-of-carriers customer’s
CE router (or switch), include the policy-statement statement:
policy-statement policy-statement-name {
term term-name {
from protocol [ ospf direct ldp ];
then accept;
}
term term-name {
then reject;
}
}
You can include this statement at the following hierarchy levels:
[edit policy-options][edit logical-systems logical-system-name policy-options]
Configuring the Provider’s PE Router or Switch
The carrier-of-carriers provider’s PE routers (or switches) connect to the carrier customer’s CE routers (or switches) . Complete the instructions in the following sections to configure the provider’s PE router (or switch):
- Configuring MPLS
- Configuring a PE-to-PE BGP Session
- Configuring IS-IS and LDP
- Configuring Policy Options
- Configuring a Routing Instance to Send Routes to the CE Router
Configuring MPLS
In the MPLS configuration, specify at least two interfaces—one to the customer’s CE router (or switch)and one to connect to the provider’s PE router (or switch)on the other side of the provider’s network:
interface interface-name; interface interface-name;
You can include these statements at the following hierarchy levels:
[edit protocols mpls][edit logical-systems logical-system-name protocols mpls]
Configuring a PE-to-PE BGP Session
To configure a PE-to-PE BGP session on the provider’s
PE routers (or switches) to allow VPN-IPv4 routes to pass between
the PE routers (or switches, include the bgp statement:
bgp {
group group-name {
type internal;
local-address address;
family inet-vpn {
any;
}
neighbor address;
}
}
You can include this statement at the following hierarchy levels:
[edit protocols][edit logical-systems logical-system-name protocols]
Configuring IS-IS and LDP
To configure IS-IS and LDP on the provider’s PE routers
(or switches), include the isis and ldp statements:
isis {
interface interface-name;
interface interface-name {
passive;
}
}
ldp {
interface interface-name;
}
You can include these statements at the following hierarchy levels:
[edit protocols][edit logical-systems logical-system-name protocols]
Configuring Policy Options
To configure policy statements on the provider’s PE router
(or switch) to export routes to and import routes from the carrier
customer’s network, include the policy-statement and community statements:
policy-statement statement-name {
term term-name {
from {
protocol bgp;
community community-name;
}
then accept;
}
term term-name {
then reject;
}
}
policy-statement statement-name {
term term-name {
from protocol bgp;
then {
community add community-name;
accept;
}
}
term term-name {
then reject;
}
}
community community-name members value;
You can include these statements at the following hierarchy levels:
[edit policy-options][edit logical-systems logical-system-name policy-options]
Configuring a Routing Instance to Send Routes to the CE Router
To configure the routing instance on the provider’s PE router (or switch) to send labeled routes to the carrier customer’s CE router (or switch), include the following statements:
instance-type vrf;
interface interface-name;
route-distinguisher value;
vrf-import policy-name;
vrf-export policy-name;
protocols {
bgp {
group group-name {
peer-as as-number;
neighbor address {
family inet {
labeled-unicast;
}
}
}
}
}
You can include these statements at the following hierarchy levels:
[edit routing-instances routing-instance-name][edit logical-systems logical-system-name routing-instances routing-instance-name]
See Also
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.