L3 (Layer 3) VPN

The L3 VPN is based on the IETF RFC 2547bis draft. To configure a L3 VPN (full-meshed version), the user would perform the following sequence of steps. Additional steps that are applicable only to configuring a L3 Hub-and-Spoke VPN are described in the subsequent section.

Assign a VPN/VRF name by bringing up the Add VPN window and selecting Layer 3. Then type in a name for the VPN (e.g. L3VPN_ph44).

Click on Next to bring up the window where you would choose the PEs of the VPN from the “Available PE Device(s)” list and add them to the right hand side “Selected PE Device(s)” list. Note that a node must be an iBGP speaker in order to make it into this list.

Here, you can also assign the Route Distinguisher, Route Target Exports, and Route Target Imports for the selected AS. The program automatically recommends initial values, which you may change.

Figure 1: Adding a Full Meshed L3 VPN VPN configuration wizard step 2 labeled Topology. VPN name customer_1. Type Customer Edge. Locations available include BERLIN and PARIS. Selected locations are DUBLIN and LONDON. Navigation buttons Back and Next present.

VPN configuration wizard step 2 labeled Topology. VPN name customer_1. Type Customer Edge. Locations available include BERLIN and PARIS. Selected locations are DUBLIN and LONDON. Navigation buttons Back and Next present.

Additionally, you may look up a list of Route Targets that are defined in the network by clicking on the magnifying glass icon to the right of the Import field to bring up the Route Targets Table shown below, which lists all the RTs (grouped by VPNs) in the network.

Figure 2: Route Targets Table Route Targets configuration window showing a table with VPN Name, Exports, and Imports columns for VPNs like SOMERSET and TEST_VRF. Below are fields for filtering, modifying route targets, and options to reverse or apply changes.

Route Targets configuration window showing a table with VPN Name, Exports, and Imports columns for VPNs like SOMERSET and TEST_VRF. Below are fields for filtering, modifying route targets, and options to reverse or apply changes.

The Export Route Targets list and Import Route Targets list are populated with the route targets for the particular VPN selected. You may then choose any or all of the route targets to either append to or replace the route targets of the VPN you are currently adding. The Route Targets Table will help you to construct a VPN with various export/import relationships (e.g. extranet or hub-and-spoke type of relationships) with other VPNs. For our current example, we will be constructing a simple full-meshed L3 VPN, so we will not need to use the Route Targets table now.

Clicking on Next takes you to the following screen, in which you can configure a Hub-and-Spoke VPN. Since we are configuring a full-meshed L3 VPN, click Next to skip over this step.

Figure 3: Click Next to skip over Hub-and-Spoke configuration step Configuration window for setting up a Hub-and-Spoke MPLS VPN topology with options for selecting devices and setting route targets.

Configuration window for setting up a Hub-and-Spoke MPLS VPN topology with options for selecting devices and setting route targets.

Click on Next to bring up the following window where you may add more PEs and assign the PE facing CE interfaces.

The middle part of the window shows the topology area, where selected PE routers are placed.
The Selected Objects area, as the name implies, lists those routers that have been selected as PEs.
The Available Devices box lists those routers for the currently chosen AS that are eligible (i.e., they must be iBGP speakers) to be selected as PE routers.
The Properties box lists all the interfaces for a particular router when it is highlighted (a router is highlighted when it is clicked on either from the Available Devices list, the topology area of the window, or from the Selected Objects list).

The window is designed to be as user-friendly as possible, with drag/drop capabilities built in. The following figure shows the four PEs that we have already added in the previous step.

Figure 4: Assigning more PEs and PE facing CE Interfaces Screenshot of a network configuration interface for a Layer 3 VPN named L3VPN_ph44 with four devices: BP_R1, BP_R2, E_V1, E_V2 connected to Autonomous System 65532. The VPN exports and imports route targets 65532:65012. Selected devices have no interface configured. Navigation buttons at the bottom.

Screenshot of a network configuration interface for a Layer 3 VPN named L3VPN_ph44 with four devices: BP_R1, BP_R2, E_V1, E_V2 connected to Autonomous System 65532. The VPN exports and imports route targets 65532:65012. Selected devices have no interface configured. Navigation buttons at the bottom.

In more detail, you may add additional PE routers to the VPN from the Available Devices box via one of two methods:

Select one or more routers (at which point the icon that has the left arrow with a circle around it will change color from gray to blue), and then click on the blue arrow/circle icon to move it to the topology area part of the window (middle of the window).
Alternatively, you could simply drag and drop PEs from the Available Devices list into the topology area of the window.

The following figure shows you the result of adding the fifth PE router (E_V3) to the VPN.

Figure 5: An L3 VPN with five PEs Network configuration interface for L3VPN in AS65532. Shows central cloud, backbone routers BP_R1 and BP_R2, edge devices E_V1 to E_V5. Route target: export and import 65532:65012. 5 PE devices. Selected objects and available devices listed. Interface configuration for E_V3. Options: Add, Modify, Finish, Cancel, Help.

Network configuration interface for L3VPN in AS65532. Shows central cloud, backbone routers BP_R1 and BP_R2, edge devices E_V1 to E_V5. Route target: export and import 65532:65012. 5 PE devices. Selected objects and available devices listed. Interface configuration for E_V3. Options: Add, Modify, Finish, Cancel, Help.

To assign the PE facing CE interfaces, first select a particular PE router in order to have all its interfaces shown in the Properties box. A PE is selected when it is clicked on from the Selected Objects list or from the topology area of the map. As shown in the following figure, the Properties box is now renamed as Interfaces in BP_R1, since the PE router BP_R1 has been selected. Another icon worth mentioning is the “–“/”+” button next to the arrow/circle button. Click on it to switch between “-“ and “+”. “-“ means to show all interfaces, while “+” means to only display interfaces that are unassigned or not shutdown.

Figure 6: How to assign interfaces to PEs Network configuration interface showing a Layer 3 VPN setup with AS65532. Devices BP_R1, BP_R2, E_V1, E_V2, E_V3, E_V4, and FL1_1 are connected. BP_R1 interfaces listed with IPs and VRF details. Route targets 65532:65012 shown. Buttons for navigation: Back, Finish, Cancel.

Network configuration interface showing a Layer 3 VPN setup with AS65532. Devices BP_R1, BP_R2, E_V1, E_V2, E_V3, E_V4, and FL1_1 are connected. BP_R1 interfaces listed with IPs and VRF details. Route targets 65532:65012 shown. Buttons for navigation: Back, Finish, Cancel.

To assign an interface, you need to drag and drop a particular interface over to a no interface item under a particular PE. Alternatively, you can select the PE from the left hand side, and then select an interface from the interface list on the bottom right hand side, and click the blue arrow in the Interfaces section. The following figure shows the window after the interfaces have been assigned to the PE routers.

Figure 7: Assigning Interfaces to the PEs Layer 3 VPN configuration interface within AS65532 showing central cloud AS65532, connected devices BP_R1 BP_R2 E_V1 E_V2 E_V3 E_V4, selected objects, route targets 65532:65012, properties of FastEthernet0/22, available devices list, and navigation buttons.

Layer 3 VPN configuration interface within AS65532 showing central cloud AS65532, connected devices BP_R1 BP_R2 E_V1 E_V2 E_V3 E_V4, selected objects, route targets 65532:65012, properties of FastEthernet0/22, available devices list, and navigation buttons.

Note also the Add and Modify buttons in the Interface section. This can be used to add an additional interface, e.g., if you need to add a new subinterface, or to modify an existing interface.

Next click on the Details tab to assign the PE-CE protocol. After selecting a row, you can choose OSPF, RIP, Static, BGP or connected as the protocol. The following figure shows OSPF being assigned as the PE-CE protocol.

Figure 8: Assigning the PE-CE Protocol in the Details tab Network configuration interface for adding L3VPN named L3VPN_ph44. Shows nodes with VRF names, interfaces, RD, export/import targets, and OSPF protocol. Node E_V3 highlighted with FastEthernet0/22 and CE IP E172.31.2.8. Includes Back, Finish, Cancel, and Help buttons.

Network configuration interface for adding L3VPN named L3VPN_ph44. Shows nodes with VRF names, interfaces, RD, export/import targets, and OSPF protocol. Node E_V3 highlighted with FastEthernet0/22 and CE IP E172.31.2.8. Includes Back, Finish, Cancel, and Help buttons.

To assign BGP as the PE-CE protocol, first click on the BGP checkbox and then bring up the Add BGP Neighbor window (click on the icon to the left of PE->CE Neighbor IP or the icon to the left of CE->PE Neighbor IP), shown in the following figure. For more information about how to create BGP neighboring relationships, see NorthStar Planner Border Gateway Protocol Overview.

Figure 9: Add BGP Neighbor window Add BGP Neighbor GUI for configuring BGP settings with fields for AS numbers, nodes, interface, status, IP address, Route Reflector settings, and more.

Add BGP Neighbor GUI for configuring BGP settings with fields for AS numbers, nodes, interface, status, IP address, Route Reflector settings, and more.

To assign Static as the PE-CE protocol, first click on the Static checkbox and then click on the icon to the right of Static to bring up the Add Static Route window.

To assign OSPF as the PE-CE protocol, first click on the OSPF checkbox and then click on the icon to the right of OSPF to bring up a dialog prompt, which allows you to enter in the associated OSPF PID (Cisco-only) and OSPF Protocol. The OSPF PID should be different from that of the network core, and the area should match the CE’s area.

Finally, click Finish to complete the adding of the L3VPN. The summary window then displays the VPN that you just added, as shown in the following figure.

Figure 10: L3VPN_ph44 has been added Network management tool interface for Layer 3 VPNs, highlighting VPN L3VPN_PH44 with details on configuration, topology, and device properties.

Network management tool interface for Layer 3 VPNs, highlighting VPN L3VPN_PH44 with details on configuration, topology, and device properties.

With the detailed view shown (select the Detailed tab) in the upper portion of the window, click the Configlet tab (next to the Details tab) to generate and display the configlet for the VPN that you just added.