Introduction to Configuring Layer 3 VPNs
To configure Layer 3 virtual private network (VPN) functionality, you must enable VPN support on the provider edge (PE) router. You must also configure any provider (P) routers that service the VPN, and you must configure the customer edge (CE) routers so that their routes are distributed into the VPN.
To configure Layer 3 VPNs, you include the following statements:
description text; instance-type vrf; interface interface-name; protocols { bgp { group group-name { peer-as as-number; neighbor ip-address; } multihop ttl-value; } (ospf | ospf3) { area area { interface interface-name; } domain-id domain-id; domain-vpn-tag number; sham-link { local address; } sham-link-remote address <metric number>; } rip { rip-configuration; } } route-distinguisher (as-number:id | ip-address:id); router-id address; routing-options { autonomous-system autonomous-system { independent-domain; loops number; } forwarding-table { export [ policy-names ]; } interface-routes { rib-group group-name; } martians { destination-prefix match-type <allow>; } maximum-paths { path-limit; log-interval interval; log-only; threshold percentage; } maximum-prefixes { prefix-limit; log-interval interval; log-only; threshold percentage; } multipath { vpn-unequal-cost; } options { syslog (level level | upto level); } rib routing-table-name { martians { destination-prefix match-type <allow>; } multipath { vpn-unequal-cost; } static { defaults { static-options; } route destination-prefix { next-hop [next-hops]; static-options; } } } } static { defaults { static-options; } route destination-prefix { policy [ policy-names ]; static-options; } } vrf-advertise-selective { family { inet-mvpn; inet6-mvpn; } } vrf-export [ policy-names ]; vrf-import [ policy-names ]; vrf-target (community | export community-name | import community-name); vrf-table-label;
You can include these statements at the following hierarchy levels:
[edit routing-instances routing-instance-name]
[edit logical-systems logical-system-name routing-instances routing-instance-name]
The [edit logical-systems]
hierarchy level
is not applicable in ACX Series routers.
The sham-link
, sham-link-remote
, and vrf-advertise-selective
statements are not applicable in ACX
Series routers.
For Layer 3 VPNs, only some of the statements in the [edit routing-instances]
hierarchy are valid. For the full
hierarchy, see Junos OS Routing Protocols
Library.
In addition to these statements, you must enable a signaling protocol, IBGP sessions between the PE routers, and an interior gateway protocol (IGP) on the PE and P routers.
By default, Layer 3 VPNs are disabled.
Many of the configuration procedures for Layer 3 VPNs are common to all types of VPNs.