BGP-Based VPN

Understanding Carrier-of-Carriers VPNs

The customer of a VPN service provider might be a service provider for the end customer. The following are the two main types of carrier-of-carriers VPNs (as described in RFC 4364):

  • Internet Service Provider as the Customer—The VPN customer is an ISP that uses the VPN service provider’s network to connect its geographically disparate regional networks. The customer does not have to configure MPLS within its regional networks.

  • VPN Service Provider as the Customer—The VPN customer is itself a VPN service provider offering VPN service to its customers. The carrier-of-carriers VPN service customer relies on the backbone VPN service provider for inter-site connectivity. The customer VPN service provider is required to run MPLS within its regional networks.

Figure 1 illustrates the network architecture used for a carrier-of-carriers VPN service.

Figure 1: Carrier-of-Carriers VPN Architecture

Internet Service Provider as the Customer

In this type of carrier-of-carriers VPN configuration, ISP A configures its network to provide Internet service to ISP B. ISP B provides the connection to the customer wanting Internet service, but the actual Internet service is provided by ISP A.

This type of carrier-of-carriers VPN configuration has the following characteristics:

  • The carrier-of-carriers VPN service customer (ISP B) does not need to configure MPLS on its network.

  • The carrier-of-carriers VPN service provider (ISP A) must configure MPLS on its network.

  • MPLS must also be configured on the CE routers and PE routers connected together in the carrier-of-carriers VPN service customer’s and carrier-of-carriers VPN service provider’s networks.

VPN Service Provider as the Customer

A VPN service provider can have customers that are themselves VPN service providers. In this type of configuration, also called a hierarchical or recursive VPN, the customer VPN service provider’s VPN-IPv4 routes are considered external routes, and the backbone VPN service provider does not import them into its VRF table. The backbone VPN service provider imports only the customer VPN service provider’s internal routes into its VRF table.

The similarities and differences between interprovider and carrier-of-carriers VPNs are shown in Table 1.

Table 1: Comparison of Interprovider and Carrier-of-Carriers VPNs

| Feature | ISP Customer | VPN Service Provider Customer |
| --- | --- | --- |
| Customer edge device | AS border router | PE router |
| IBGP sessions | Carry IPv4 routes | Carry external VPN-IPv4 routes with associated labels |
| Forwarding within the customer network | MPLS is optional | MPLS is required |

VPN service as the customer is supported on QFX10000 switches starting with Junos OS Release 17.1R1.

Understanding Interprovider and Carrier-of-Carriers VPNs

All interprovider and carrier-of-carriers VPNs share the following characteristics:

  • Each interprovider or carrier-of-carriers VPN customer must distinguish between internal and external customer routes.

  • Internal customer routes must be maintained by the VPN service provider in its PE routers.

  • External customer routes are carried only by the customer’s routing platforms, not by the VPN service provider’s routing platforms.

The key difference between interprovider and carrier-of-carriers VPNs is whether the customer sites belong to the same AS or to separate ASs:

  • Interprovider VPNs—The customer sites belong to different ASs. You need to configure EBGP to exchange the customer’s external routes.

  • Carrier-of-carriers VPNs—The customer sites belong to the same AS. You need to configure IBGP to exchange the customer’s external routes.

In general, each service provider in a VPN hierarchy is required to maintain its own internal routes in its P routers, and the internal routes of its customers in its PE routers. By recursively applying this rule, it is possible to create a hierarchy of VPNs.

The following are definitions of the types of PE routers specific to interprovider and carrier-of-carriers VPNs:

  • The AS border router is located at the AS border and handles traffic leaving and entering the AS.

  • The end PE router is the PE router in the customer VPN; it is connected to the CE router at the end customer’s site.

Configuring Carrier-of-Carriers VPNs for Customers That Provide VPN Service

You can configure a carrier-of-carriers VPN service for customers who want VPN service.

To configure the routers (or switches) in the customer’s and provider’s networks to enable carrier-of-carriers VPN service, perform the steps in the following sections:

Configuring the Carrier-of-Carriers Customer’s PE Router

The carrier-of-carriers customer’s PE router (or switch) is connected to the end customer’s CE router (or switch).

The following sections describe how to configure the carrier-of-carriers customer’s PE router (or switch):

Configuring MPLS

To configure MPLS on the carrier-of-carriers customer’s PE router (or switch), include the mpls statement:

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring BGP

Include the labeled-unicast statement in the configuration for the IBGP session to the carrier-of-carriers customer’s CE router (or switch), and include the family inet-vpn statement in the configuration for the IBGP session to the carrier-of-carriers PE router (or switch) on the other side of the network:

You can include these statements at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring OSPF

To configure OSPF on the carrier-of-carriers customer’s PE router (or switch), include the ospf statement:

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring LDP

To configure LDP on the carrier-of-carriers customer’s PE router (or switch), include the ldp statement:

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring VPN Service in the Routing Instance

To configure VPN service for the end customer’s CE router (or switch) on the carrier-of-carriers customer’s PE router (or switch), include the following statements:

You can include these statements at the following hierarchy levels:

  • [edit routing-instances routing-instance-name]

  • [edit logical-systems logical-system-name routing-instances routing-instance-name]

Configuring Policy Options

To configure policy options to import and export routes to and from the end customer’s CE router (or switch), include the policy-statement and community statements:

You can include these statements at the following hierarchy levels:

  • [edit policy-options]

  • [edit logical-systems logical-system-name policy-options]

Configuring the Carrier-of-Carriers Customer’s CE Router (or switch)

The carrier-of-carriers customer’s CE router (or switch) connects to the provider’s PE router (or switch). Complete the instructions in the following sections to configure the carrier-of-carriers customer’s CE router (or switch):

Configuring MPLS

In the MPLS configuration for the carrier-of-carriers customer’s CE router (or switch), include the interfaces to the provider’s PE router (or switch) and to a P router (or switch) in the customer’s network:

You can include these statements at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring BGP

In the BGP configuration for the carrier-of-carriers customer’s CE router (or switch), configure a group that includes the labeled-unicast statement to extend VPN service to the PE router (or switch) connected to the end customer’s CE router (or switch):

You can include the bgp statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

To configure a group to send labeled internal routes to the provider’s PE router (or switch), include the bgp statement:

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring OSPF and LDP

To configure OSPF and LDP on the carrier-of-carriers customer’s CE router (or switch), include the ospf and ldp statements:

You can include these statements at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring Policy Options

To configure the policy options on the carrier-of-carriers customer’s CE router (or switch), include the policy-statement statement:

You can include this statement at the following hierarchy levels:

  • [edit policy-options]

  • [edit logical-systems logical-system-name policy-options]

Configuring the Provider’s PE Router or Switch

The carrier-of-carriers provider’s PE routers (or switches) connect to the carrier customer’s CE routers (or switches). Complete the instructions in the following sections to configure the provider’s PE router (or switch):

Configuring MPLS

In the MPLS configuration, specify at least two interfaces—one to the customer’s CE router (or switch) and one to connect to the provider’s PE router (or switch) on the other side of the provider’s network:

You can include these statements at the following hierarchy levels:

  • [edit protocols mpls]

  • [edit logical-systems logical-system-name protocols mpls]

Configuring a PE-to-PE BGP Session

To configure a PE-to-PE BGP session on the provider’s PE routers (or switches) to allow VPN-IPv4 routes to pass between the PE routers (or switches), include the bgp statement:

You can include this statement at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring IS-IS and LDP

To configure IS-IS and LDP on the provider’s PE routers (or switches), include the isis and ldp statements:

You can include these statements at the following hierarchy levels:

  • [edit protocols]

  • [edit logical-systems logical-system-name protocols]

Configuring Policy Options

To configure policy statements on the provider’s PE router (or switch) to export routes to and import routes from the carrier customer’s network, include the policy-statement and community statements:

You can include these statements at the following hierarchy levels:

  • [edit policy-options]

  • [edit logical-systems logical-system-name policy-options]

Configuring a Routing Instance to Send Routes to the CE Router

To configure the routing instance on the provider’s PE router (or switch) to send labeled routes to the carrier customer’s CE router (or switch), include the following statements:

You can include these statements at the following hierarchy levels:

  • [edit routing-instances routing-instance-name]

  • [edit logical-systems logical-system-name routing-instances routing-instance-name]
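
The following is an added example, not Juniper's own code: a Python check that reads a device configuration in "display set" form and reports which of the statements required in the sections above are missing for a given role. The role names, the regular expressions, and the sample configuration (documentation addresses, private AS numbers) are constructed for this example, and the exact statement forms are assumptions.

```python
import re

# Patterns for Junos "display set" lines; re.match anchors them at line start.
MPLS = r"set protocols mpls interface (\S+)"
LU = r"set protocols bgp group \S+ .*family inet labeled-unicast"
L3VPN = r"set protocols bgp group \S+ .*family inet-vpn \S+"
OSPF, LDP = r"set protocols ospf \S+", r"set protocols ldp \S+"
POLICY = r"set policy-options policy-statement \S+"
COMM = r"set policy-options community \S+ members \S+"
VRF = r"set routing-instances \S+ instance-type vrf"
VRF_LU = r"set routing-instances \S+ protocols bgp group \S+ .*family inet labeled-unicast"

# Statements each device needs, per the sections above (role names are this example's labels).
REQUIRED = {
    "customer-pe": {"mpls": MPLS, "bgp labeled-unicast": LU, "bgp family inet-vpn": L3VPN,
                    "ospf": OSPF, "ldp": LDP, "vrf instance": VRF,
                    "policy-statement": POLICY, "community": COMM},
    "customer-ce": {"mpls": MPLS, "bgp labeled-unicast": LU, "ospf": OSPF, "ldp": LDP,
                    "policy-statement": POLICY},
    "provider-pe": {"mpls": MPLS, "bgp family inet-vpn": L3VPN,
                    "isis": r"set protocols isis \S+", "ldp": LDP,
                    "policy-statement": POLICY, "community": COMM,
                    "vrf instance": VRF, "labeled-unicast to CE in vrf": VRF_LU},
}
# The CE and the provider PE each need MPLS on two interfaces.
MIN_MPLS_IFS = {"customer-pe": 1, "customer-ce": 2, "provider-pe": 2}

def audit(role, config):
    """Return the required items that are absent from a 'display set' config."""
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith("set ")]
    missing = [name for name, pat in REQUIRED[role].items()
               if not any(re.match(pat, l) for l in lines)]
    ifs = {m.group(1) for l in lines if (m := re.match(MPLS, l))}
    if 0 < len(ifs) < MIN_MPLS_IFS[role]:
        missing.append(f"mpls: {MIN_MPLS_IFS[role]} interfaces required, {len(ifs)} found")
    return missing

# Constructed provider PE config: one MPLS interface, no labeled-unicast toward the CE.
PROVIDER_PE = """
set protocols mpls interface ge-0/0/0.0
set protocols bgp group pe-to-pe neighbor 192.0.2.2 family inet-vpn any
set protocols isis interface ge-0/0/1.0
set protocols ldp interface ge-0/0/1.0
set policy-options policy-statement coc-import term 1 from community coc-comm
set policy-options community coc-comm members target:64512:100
set routing-instances coc instance-type vrf
set routing-instances coc protocols bgp group to-ce neighbor 198.51.100.2 peer-as 64513
"""

if __name__ == "__main__":
    for item in audit("provider-pe", PROVIDER_PE):
        print("missing:", item)
```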

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

| Release | Description |
| --- | --- |
| 17.1R1 | VPN service as the customer is supported on QFX10000 switches starting with Junos OS Release 17.1R1. |