VPNs and VPLS

In this documentation, a VPN is a provider-provisioned virtual private network (a Layer 2 VPN, a Layer 3 VPN, or VPLS) that carries a customer's traffic across a shared MPLS backbone while keeping it separate from every other customer's traffic. The separation comes from per-customer routing instances and MPLS labels, not from cryptography: an MPLS VPN isolates traffic but does not encrypt it, so a customer who needs confidentiality against eavesdropping inside the provider network must run IPsec (or MACsec on Ethernet attachment circuits) over the VPN. For more information, see the following topics:

Introduction to VPLS

VPLS is an Ethernet-based point-to-multipoint Layer 2 VPN. It allows you to connect geographically dispersed Ethernet local area networks (LAN) sites to each other across an MPLS backbone. For customers who implement VPLS, all sites appear to be in the same Ethernet LAN even though traffic travels across the service provider's network.

VPLS, in its implementation and configuration, has much in common with a Layer 2 VPN. In VPLS, a packet originating within a service provider customer's network is sent first to a customer edge (CE) device (for example, a router or Ethernet switch). It is then sent to a provider edge (PE) router within the service provider's network. The packet traverses the service provider's network over an MPLS label-switched path (LSP). It arrives at the egress PE router, which then forwards the traffic to the CE device at the destination customer site.

Note:

In the VPLS documentation, the word router in terms such as PE router is used to refer to any device that provides routing functions.

The difference is that for VPLS, packets can traverse the service provider’s network in point-to-multipoint fashion, meaning that a packet originating from a CE device can be broadcast to all the PE routers participating in a VPLS routing instance. In contrast, a Layer 2 VPN forwards packets in point-to-point fashion only.

The paths carrying VPLS traffic between each PE router participating in a routing instance are called pseudowires. The pseudowires are signaled using either BGP or LDP.

Example: Using Logical Systems to Configure Provider Edge and Provider Routers in a Layer 3 VPN and VPLS Scenario

This example provides step-by-step procedures to configure provider edge (PE) and provider (P) routers in a Layer 3 VPN and VPLS scenario using logical systems.

Requirements

In this example, no special configuration beyond device initialization is required.

Overview

In this example, VPNs are used to separate customer traffic across a provider backbone.

Topology

Figure 1 shows four pairs of CE routers that are connected across an MPLS backbone:

  • Routers CE1 and CE5 are part of the red VPN.

  • Routers CE2 and CE6 are in the blue VPN.

  • Routers CE3 and CE7 belong to a VPLS domain.

  • Routers CE4 and CE8 are connected with standard protocols.

Two logical systems are configured on PE routers PE1 and PE2 and provider core Router P0. Each of these three routers has two logical systems: LS1 and LS2. To illustrate the concept of a logical system, both VPNs are part of Logical System LS1, the VPLS instance belongs to Logical System LS2, and the remaining routers use the main router portion of routers PE1, P0, and PE2.

Figure 1: Provider Edge and Provider Logical System Topology Diagram

On Router PE1, two VPN routing and forwarding (VRF) routing instances are created in Logical System LS1. The routing instances are called red and blue. The example configures the customer edge (CE)-facing logical interfaces so that traffic from Router CE1 is placed in the red VPN, and traffic from Router CE2 is placed in the blue VPN. A logical interface at fe-0/0/1.1 connects to Logical System LS1 on Router P0. A VPLS routing instance is in Logical System LS2. The logical interface is configured so that traffic from Router CE3 is sent into the VPLS domain. This logical interface connects to Logical System LS2 on Router P0. The example also contains an administrator for Logical System LS1. The logical system administrator is responsible for the maintenance of this logical system. Finally, the example shows how to configure a logical interface to interconnect Router CE4 with the main router portion of Router PE1.

Router PE2 has the two VRF routing instances in Logical System LS1: red and blue. The CE-facing logical interfaces enable traffic from Router CE5 to be placed in the red VPN, and traffic from Router CE6 in the blue VPN. One logical interface on so-1/2/0.1 connects to Logical System LS1 on Router P0. The VPLS routing instance is configured in Logical System LS2. A logical interface enables traffic from Router CE7 to be sent into the VPLS domain and connects to Logical System LS2 on Router P0. The example shows how to configure a logical interface to interconnect Router CE8 with the main router portion of Router P0. Finally, you can optionally create a logical system administrator that has configuration privileges for Logical System LS1 and viewing privileges for Logical System LS2.

On Router P0, the example shows how to configure Logical Systems LS1, LS2, and the main router. You must configure physical interface properties at the main router [edit interfaces] hierarchy level. Next, the example shows how to configure protocols (such as RSVP, MPLS, BGP, and IS-IS), routing options, and policy options for the logical systems. Last, the example shows how to configure the same administrator for Logical System LS1 that is configured on Router PE1. For Logical System LS2, this administrator has permission to view the LS2 configuration but not to change it.

Logical System LS1 transports traffic for the red VPN that exists between routers CE1 and CE5. Logical System LS1 also connects the blue VPN that exists between routers CE2 and CE6. Logical System LS2 transports VPLS traffic between routers CE3 and CE7. For the main router on Router P0, you can configure the router as usual. The main router transports traffic between routers CE4 and CE8. The example shows how to configure the interfaces and routing protocols (OSPF, BGP) to connect to the main router portion of routers PE1 and PE2.
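The following Junos configuration, in set-command form, is an added illustration of the PE1 side of the design described above; it is not the example's own configuration listing. The interface fe-0/0/1.1 toward P0, the logical system names LS1 and LS2, the VRF names red and blue, VLAN 600 and the administrator LS1-admin come from the example; every other interface name, all addresses, AS 65000, the route distinguishers and route targets, the VPLS instance name vpls-green, and the choice of LDP rather than RSVP for transport labels are assumptions made for the illustration.

```junos
## Added illustration for PE1 (not the page's configuration listing).
## Assumed: fe-0/0/0, fe-0/0/2, all addresses, AS 65000, RD/RT values,
## the instance name vpls-green, and LDP instead of RSVP for transport.

## Main router: physical properties of every port stay at [edit interfaces],
## even when the port's logical units are handed to a logical system.
set interfaces fe-0/0/0 description "to CE1 (red VPN, handled in LS1)"
set interfaces fe-0/0/1 description "to P0 (unit 1 for LS1, unit 2 for LS2)"
set interfaces fe-0/0/1 vlan-tagging
set interfaces fe-0/0/2 description "to CE3 (VPLS, handled in LS2)"
set interfaces fe-0/0/2 vlan-tagging
set interfaces fe-0/0/2 encapsulation vlan-vpls
set interfaces lo0 unit 0 family inet address 10.255.1.1/32

## Logical System LS1: own loopback, core-facing unit, MPLS, LDP, BGP.
set logical-systems LS1 interfaces lo0 unit 1 family inet address 10.255.11.1/32
set logical-systems LS1 interfaces fe-0/0/1 unit 1 vlan-id 1
set logical-systems LS1 interfaces fe-0/0/1 unit 1 family inet address 10.10.1.1/30
set logical-systems LS1 interfaces fe-0/0/1 unit 1 family mpls
set logical-systems LS1 routing-options router-id 10.255.11.1
set logical-systems LS1 routing-options autonomous-system 65000
set logical-systems LS1 protocols mpls interface fe-0/0/1.1
set logical-systems LS1 protocols ldp interface fe-0/0/1.1
set logical-systems LS1 protocols bgp group ibgp type internal
set logical-systems LS1 protocols bgp group ibgp local-address 10.255.11.1
set logical-systems LS1 protocols bgp group ibgp family inet-vpn unicast
set logical-systems LS1 protocols bgp group ibgp neighbor 10.255.11.2

## red VRF inside LS1: CE1 attaches here and runs OSPF against the VRF only.
## The route target is what keeps red and blue apart; a typo that gives
## both VRFs the same target leaks routes between the two customers.
set logical-systems LS1 interfaces fe-0/0/0 unit 0 family inet address 192.168.1.1/30
set logical-systems LS1 routing-instances red instance-type vrf
set logical-systems LS1 routing-instances red interface fe-0/0/0.0
set logical-systems LS1 routing-instances red route-distinguisher 10.255.11.1:100
set logical-systems LS1 routing-instances red vrf-target target:65000:100
set logical-systems LS1 routing-instances red vrf-table-label
set logical-systems LS1 routing-instances red protocols ospf area 0.0.0.0 interface fe-0/0/0.0

## Logical System LS2: separate loopback and core-facing unit, BGP carries
## the l2vpn signaling family so the VPLS pseudowires are BGP-signaled.
set logical-systems LS2 interfaces lo0 unit 2 family inet address 10.255.12.1/32
set logical-systems LS2 interfaces fe-0/0/1 unit 2 vlan-id 2
set logical-systems LS2 interfaces fe-0/0/1 unit 2 family inet address 10.10.2.1/30
set logical-systems LS2 interfaces fe-0/0/1 unit 2 family mpls
set logical-systems LS2 routing-options router-id 10.255.12.1
set logical-systems LS2 routing-options autonomous-system 65000
set logical-systems LS2 protocols mpls interface fe-0/0/1.2
set logical-systems LS2 protocols ldp interface fe-0/0/1.2
set logical-systems LS2 protocols bgp group ibgp type internal
set logical-systems LS2 protocols bgp group ibgp local-address 10.255.12.1
set logical-systems LS2 protocols bgp group ibgp family l2vpn signaling
set logical-systems LS2 protocols bgp group ibgp neighbor 10.255.12.2

## VPLS instance inside LS2: CE3's VLAN 600 frames enter on fe-0/0/2.600.
set logical-systems LS2 interfaces fe-0/0/2 unit 600 encapsulation vlan-vpls
set logical-systems LS2 interfaces fe-0/0/2 unit 600 vlan-id 600
set logical-systems LS2 routing-instances vpls-green instance-type vpls
set logical-systems LS2 routing-instances vpls-green interface fe-0/0/2.600
set logical-systems LS2 routing-instances vpls-green route-distinguisher 10.255.12.1:600
set logical-systems LS2 routing-instances vpls-green vrf-target target:65000:600
set logical-systems LS2 routing-instances vpls-green protocols vpls site-range 8
set logical-systems LS2 routing-instances vpls-green protocols vpls site CE3 site-identifier 1
set logical-systems LS2 routing-instances vpls-green protocols vpls site CE3 interface fe-0/0/2.600

## Logical system administrator: a login class bound to LS1. A user in this
## class is confined to LS1's configuration and operational commands and
## cannot see or change the main router or LS2. Replace <hash> with a
## password hash generated out of band; never commit a plaintext password.
set system login class ls1-admin logical-system LS1
set system login class ls1-admin permissions all
set system login user LS1-admin uid 2001
set system login user LS1-admin class ls1-admin
set system login user LS1-admin authentication encrypted-password "<hash>"
```

Two caveats worth keeping in mind when reviewing a design like this. First, the isolation between LS1, LS2 and the main router is administrative and routing-table isolation on a single routing engine; the logical system administrator shares the same hardware, Junos image and control-plane resources as the primary administrator, so a logical system is a delegation boundary, not a trust boundary equivalent to a separate device. Second, the customer separation between red and blue rests entirely on distinct route targets and the CE-facing interface assignments; auditing those values on every PE is the check that actually confirms the VPNs cannot see each other.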

Configuration

Configuring the PE and P routers in logical systems involves the following tasks:

Configuring Interfaces on the Customer Edge Devices

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

  1. On Router CE1, configure OSPF to connect to the red VPN in Logical System LS1 on Router PE1.

  2. On Router CE2, configure BGP to connect to the blue VPN in Logical System LS1 on Router PE1.

  3. On Router CE3, configure the Fast Ethernet interface in VLAN 600 to connect with the VPLS routing instance in Logical System LS2 on Router PE1.

  4. On Router CE4, configure the Fast Ethernet interface to connect with the main router at Router PE1.

  5. On Router CE5, configure OSPF to connect to the red VPN in Logical System LS1 on Router PE2.

  6. On Router CE6, configure BGP to connect to the blue VPN in Logical System LS1 on Router PE2.

  7. On Router CE7, configure the Fast Ethernet interface in VLAN 600 to connect with the VPLS routing instance in Logical System LS2 on Router PE2.

  8. On Router CE8, configure the Fast Ethernet interface to connect with the main router at Router PE2.

Configuring Router PE1

Step-by-Step Procedure
  1. Configure the main router on Router PE1.

  2. Configure Logical System LS1 on Router PE1.

  3. Configure Logical System LS2 on Router PE1.

Configuring Router PE2

Step-by-Step Procedure
  1. Configure the main router on Router PE2.

  2. Configure Logical System LS1 on Router PE2.

  3. Configure Logical System LS2 on Router PE2.

Configuring Router P0

Step-by-Step Procedure
  1. Configure the main router on Router P0.

  2. Configure Logical System LS1 on Router P0.

  3. Configure Logical System LS2 on Router P0.

Results

On Router CE1, configure OSPF to connect to the red VPN in Logical System LS1 on Router PE1:

Router CE1

On Router CE2, configure BGP to connect to the blue VPN in Logical System LS1 on Router PE1:

Router CE2

On Router CE3, configure the Fast Ethernet interface in VLAN 600 to connect with the VPLS routing instance in Logical System LS2 on Router PE1:

Router CE3

On Router CE4, configure the Fast Ethernet interface to connect with the main router at Router PE1:

Router CE4

On Router PE1, create two VPN routing and forwarding (VRF) routing instances in Logical System LS1: red and blue. Configure the CE-facing logical interfaces so that traffic from Router CE1 is placed in the red VPN, and traffic from Router CE2 is placed in the blue VPN. Next, create a logical interface at fe-0/0/1.1 to connect to Logical System LS1 on Router P0.

Also on Router PE1, create a VPLS routing instance in Logical System LS2. Configure a logical interface so that traffic from Router CE3 is sent into the VPLS domain and connects to Logical System LS2 on Router P0.

Create an administrator for Logical System LS1. The logical system administrator is responsible for the maintenance of this logical system.

Finally, configure a logical interface to interconnect Router CE4 with the main router portion of Router P0.

Router PE1

On Router P0, configure Logical Systems LS1, LS2, and the main router. For the logical systems, you must configure physical interface properties at the main router [edit interfaces] hierarchy level and assign the logical interfaces to the logical systems. Next, you must configure protocols (such as RSVP, MPLS, BGP, and IS-IS), routing options, and policy options for the logical systems. Last, configure the same administrator for Logical System LS1 that you configured on Router PE1. Configure this same administrator for Logical System LS2 to have permission to view the LS2 configuration, but not to change the configuration for LS2.

In this example, Logical System LS1 transports traffic for the red VPN that exists between routers CE1 and CE5. Logical System LS1 also connects the blue VPN that exists between routers CE2 and CE6. Logical System LS2 transports VPLS traffic between routers CE3 and CE7.

For the main router on Router P0, you can configure the router as usual. In this example, the main router transports traffic between routers CE4 and CE8. As a result, configure the interfaces and routing protocols (OSPF, BGP) to connect to the main router portion of routers PE1 and PE2.

Router P0

On Router PE2, create two VRF routing instances in Logical System LS1: red and blue. Configure the CE-facing logical interfaces so that traffic from Router CE5 is placed in the red VPN and traffic from Router CE6 is placed in the blue VPN. Next, create one logical interface on so-1/2/0.1 to connect to Logical System LS1 on Router P0.

Also on Router PE2, create a VPLS routing instance in Logical System LS2. Configure a logical interface so that traffic from Router CE7 is sent into the VPLS domain and connects to Logical System LS2 on Router P0.

Configure a logical interface to interconnect Router CE8 with the main router portion of Router P0.

Finally, you can optionally create a logical system administrator that has configuration privileges for Logical System LS1 and viewing privileges for Logical System LS2.

Router PE2

On Router CE5, configure OSPF to connect to the red VPN in Logical System LS1 on Router PE2:

Router CE5

On Router CE6, configure BGP to connect to the blue VPN in Logical System LS1 on Router PE2:

Router CE6

On Router CE7, configure the Fast Ethernet interface in VLAN 600 to connect with the VPLS routing instance in Logical System LS2 on Router PE2:

Router CE7

On Router CE8, configure the Fast Ethernet interface to connect with the main router at Router PE2:

Router CE8

Verification

Confirm that the configuration is working properly by running these commands:

  • show bgp summary (logical-system logical-system-name)

  • show isis adjacency (logical-system logical-system-name)

  • show mpls lsp (logical-system logical-system-name)

  • show (ospf | ospf3) neighbor (logical-system logical-system-name)

  • show route (logical-system logical-system-name)

  • show route protocol (logical-system logical-system-name)

  • show rsvp session (logical-system logical-system-name)
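The generic commands above confirm that the protocols are up; the following added set of operational commands, run on Router PE1 after the configuration commits, targets the per-customer state that actually proves the separation works. It is an illustration, not output or commands from the example; the VRF name red and the logical system names come from the example, while the VPLS instance name vpls-green and the use of LDP for transport labels are assumptions.

```junos
## Added illustration of per-logical-system checks on PE1.
## Assumed: instance name vpls-green, LDP as the transport label protocol.

## Is the red VRF populated from both sides: OSPF routes from CE1 and
## BGP-learned routes for CE5 behind PE2? Only red's table should hold them.
show route logical-system LS1 table red.inet.0
show route logical-system LS1 table bgp.l3vpn.0

## Are the iBGP sessions in each logical system established with the
## expected address families (inet-vpn in LS1, l2vpn signaling in LS2)?
show bgp summary logical-system LS1
show bgp summary logical-system LS2

## Are the VPLS pseudowires to the remote site up? A status other than Up
## points at a site-identifier, route-target or LSP problem.
show vpls connections logical-system LS2 instance vpls-green

## Does each logical system have a label-switching neighbor toward P0?
show ldp session logical-system LS1
show ldp session logical-system LS2

## Logged in as LS1-admin, the view is already scoped: no logical-system
## option is needed, and the main router and LS2 are not reachable at all.
show configuration
show route table red.inet.0
```

A useful negative check is to run the same `show route` and `show configuration` commands from the LS1-admin session and confirm that the blue VRF is visible (it is part of LS1) while the VPLS instance and the main router's tables are not; if LS2 state appears, the login class is bound to the wrong logical system or the user was placed in the wrong class.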

The following sections show the output of commands used with the configuration example:

Router CE1 Status

Purpose

Verify connectivity.

Action

Router CE2 Status

Purpose

Verify connectivity.

Action

Router CE3 Status

Purpose

Verify connectivity.

Action

Router PE1 Status: Main Router

Purpose

Verify BGP operation.

Action

Router PE1 Status: Logical System LS1

Purpose

Verify BGP operation.

Action

Red VPN

The primary administrator or logical system administrator can issue the following command to view the output for a specific logical system.

Blue VPN

The primary administrator or logical system administrator can issue the following command to view the output for a specific logical system.

Router PE1 Status: Logical System LS2

Purpose

Verify VPLS operation.

Action

Router P0 Status: Main Router

Purpose

Verify connectivity.

Action

Router P0 Status: Main Router

Purpose

Verify routing protocols operation.

Action

Router P0 Status: Logical System LS1

Purpose

Verify routing protocols operation.

Action

Router P0 Status: Logical System LS2

Purpose

Verify routing protocols operation.

Action

Router PE2 Status: Main Router

Purpose

Verify routing protocols operation.

Action

Router PE2 Status: Logical System LS1

Purpose

Verify routing protocols operation.

Action

Red VPN

Blue VPN

Router PE2 Status: Logical System LS2

Purpose

Verify routing protocols operation.

Action

Router CE5 Status

Purpose

Verify connectivity.

Action

Router CE6 Status

Purpose

Verify connectivity.

Action

Router CE7 Status

Purpose

Verify connectivity.

Action

Logical System Administrator Verification Output

Purpose

Because logical system administrators only have access to the configuration information of the logical systems to which they are assigned, the verification output is limited to these logical systems as well. The following output shows what the logical system administrator LS1-admin in this example configuration would see.

To verify that each pair of CE routers has end-to-end connectivity, issue the ping command on Routers CE1, CE2, and CE3:

Action

From CE1, ping CE5 (the Red VPN).

From CE2, ping CE6 (the Blue VPN).

From CE3, ping CE7 (the VPLS).