Config Guide Vpns

8/7/2019 Config Guide Vpns

1/635


2/635


3/635


4/635


5/635


6/635


7/635


8/635


9/635


10/635


11/635


12/635


13/635


14/635


15/635


16/635


17/635


18/635


19/635


20/635


21/635


22/635


23/635


24/635


25/635


26/635


27/635


28/635


29/635


30/635


31/635


32/635


33/635


34/635


35/635


36/635


37/635


38/635


39/635


40/635


41/635


42/635


43/635


44/635


45/635


46/635


47/635


48/635


49/635


50/635


51/635


52/635


53/635


54/635


55/635


56/635


57/635


58/635


59/635


60/635


61/635


62/635


63/635


64/635


65/635


66/635


67/635


68/635


69/635


70/635


71/635


72/635


73/635


74/635


75/635


76/635


77/635


78/635


79/635


80/635


81/635


82/635


83/635


84/635


85/635


86/635


87/635


88/635


89/635


90/635


91/635


92/635


93/635


94/635


95/635


96/635


97/635


98/635


99/635


100/635


101/635


102/635


103/635


104/635


105/635


106/635


107/635


108/635


109/635


110/635


111/635


112/635


113/635


114/635


115/635


116/635


117/635


118/635


119/635


120/635


121/635


122/635


123/635


124/635


125/635


126/635


127/635


128/635


129/635


130/635


131/635


132/635


133/635


134/635


135/635


136/635


137/635


138/635


139/635


140/635


141/635


142/635


143/635


144/635


145/635


146/635


147/635


148/635


149/635


150/635


151/635


152/635


153/635


154/635


155/635


156/635


157/635


158/635


159/635


160/635


161/635


162/635


163/635


164/635


165/635


166/635


167/635


168/635


169/635


170/635


171/635


172/635


173/635


174/635


175/635


176/635


177/635


178/635


179/635


180/635


181/635


182/635


183/635


184/635


185/635


186/635


187/635


188/635


189/635


190/635


191/635


192/635


193/635


194/635


195/635


196/635


197/635


198/635


199/635


200/635


201/635


202/635


203/635


204/635


205/635


206/635


207/635


208/635


209/635


210/635


211/635


212/635


213/635


214/635


215/635


216/635


217/635


218/635


219/635


220/635


221/635


222/635


223/635


224/635


225/635


226/635


227/635


228/635


229/635


230/635


231/635


232/635


233/635


234/635


235/635


236/635


237/635


238/635


239/635


240/635


241/635


242/635


243/635


244/635


245/635


246/635


247/635


248/635


249/635


250/635


251/635


252/635


253/635


254/635


255/635


256/635


257/635


258/635


259/635


260/635


261/635


262/635


263/635


264/635


265/635


266/635


267/635


268/635


269/635


270/635


271/635


272/635


273/635


274/635


275/635


276/635


277/635


278/635


279/635


280/635


281/635


282/635


283/635


284/635


285/635


286/635


287/635


288/635


289/635


290/635


291/635


292/635


293/635


294/635


295/635


296/635


297/635


298/635


299/635


300/635


301/635


302/635


303/635


304/635


305/635


306/635


307/635


308/635


309/635


310/635


311/635


312/635


313/635


314/635


315/635


316/635


317/635


318/635


319/635


320/635


321/635


322/635


323/635


324/635


325/635


326/635


327/635


328/635


329/635


330/635


331/635


332/635


333/635


334/635


335/635


336/635


337/635


338/635


339/635


340/635


341/635


342/635


343/635


344/635


345/635


346/635


347/635


348/635


349/635


350/635


351/635


352/635


353/635


354/635


355/635


356/635


357/635


358/635


359/635


360/635


361/635


362/635


363/635


364/635


365/635


366/635


367/635


368/635


369/635


370/635


371/635


372/635


373/635


374/635


375/635


376/635


377/635


378/635


379/635


380/635


381/635


382/635


383/635


384/635


385/635


386/635


387/635


388/635


389/635


390/635


391/635


392/635


393/635


394/635


395/635


396/635


397/635


398/635


399/635


400/635


401/635


402/635


403/635


404/635


405/635


406/635


407/635


408/635


409/635


410/635


411/635


412/635


413/635


414/635


415/635


416/635


417/635


418/635


419/635


420/635


421/635


422/635


423/635


424/635


425/635


426/635


427/635


428/635


429/635


430/635


431/635


432/635


433/635


434/635


435/635


436/635


437/635


438/635


439/635


440/635


441/635


442/635


443/635


444/635


445/635


446/635


447/635


448/635


449/635


450/635


451/635


452/635


453/635


454/635


455/635


456/635


457/635


458/635


459/635


460/635


461/635


462/635


463/635


464/635


465/635


466/635


467/635


468/635


469/635


470/635


471/635


472/635


473/635


474/635


475/635


476/635


477/635


478/635


479/635


480/635


481/635


482/635


483/635


484/635


485/635


486/635


487/635


488/635


489/635


490/635


491/635


492/635


493/635


494/635


495/635


496/635


497/635


498/635


499/635


500/635


501/635


502/635


503/635


504/635


505/635


506/635


507/635


508/635


509/635


510/635


511/635


512/635


513/635


514/635


515/635


516/635


517/635


518/635

Configuring the AS Border Routers

The configuration of the AS border routers in each AS is nearly identical. To configureeach AS border router, you perform the steps in the following sections: Configuring BGP on page 476 Configuring Policy Options on page 476

Configuring BGP

Configure BGP on the AS border routers. To configure a group for IBGP to the PErouter, include the bgp statement:

bgp {group group-name {

type internal;local-address address ;family inet {

labeled-unicast {resolve-vpn;

}}neighbor address ;

}}

To configure a group for EBGP to the AS border router in the adjacent AS router,include the bgp statement:


type external;family inet {

labeled-unicast ;}export internal;neighbor address {

peer-as as-number ;}

}}

You can include this statement at the following hierarchy levels: [edit protocols] [edit logical-systems logical-system-name protocols]

Configuring Policy Options

For the policy configuration on the AS border routers, you only need to advertise theloopbacks of the PE routers. If the AS border router is also a PE router, configure

476 Configuring Interprovider VPNs

JUNOS 9.6 VPNs Configuration Guide


519/635

from protocol ospf direct at the [edit policy-options policy-statement policy-name termterm-name ] hierarchy level.

To configure the policy options on the AS border routers, include thepolicy-statementstatement:

policy-statement policy-name {term term-name {

from {protocol ospf direct;route-filter pe-router-loopback-address exact accept;

}then reject;

}}

You can include these statements at the following hierarchy levels:

[edit policy-options] [edit logical-systems logical-system-name policy-options]

Configuring the PE Router

Configure a multihop MP-EBGP session on the PE router connected to the endcustomer s CE router.

To pass labeled IPv4 routes, include thelabeled-unicast statement:


}You can include this statement at the following hierarchy levels: [edit protocols bgp group group-name family inet]

[edit logical-systems logical-system-name protocols bgp group group-name familyinet]

To configure a group to handle an EBGP multihop session with the remote PE router(that is, to pass VPN-IPv4 routes), include thebgp statement:


multihop {ttl 10;}family inet-vpn {

unicast;}

}neighbor address {

peer-as as-number ;}

Configuring Interprovider VPNs 477

Chapter 22: Configuring Interprovider and Carrier-of-Carriers VPNs


520/635

}

You can include this statement at the following hierarchy levels: [edit protocols]

[edit logical-systems logical-system-name protocols]

Configuring Carrier-of-Carriers VPNs for Customers That Provide Internet Service

You can configure a carrier-of-carriers VPN service for customers who want to providebasic Internet service. The carrier-of-carriers VPN service provider must configureMPLS in its network, although this configuration is optional for the carrier servicecustomer. Figure 50 on page 469shows how the routers in this type of serviceinterconnect.

To configure a carrier-of-carriers VPN, perform the tasks described in the followingsections: Configuring the Carrier-of-Carriers VPN Service Customer s CE Router on page 478 Configuring the Carrier-of-Carriers VPN Service Provider s PE Routers on page 480

Configuring the Carrier-of-Carriers VPN Service Customer s CE Router

The carrier-of-carriers VPN service customer s router acts as a CE router with respectto the service provider s PE router. The following sections describe how to configurethe carrier-of-carriers VPN service customer s CE router: Configuring MPLS on page 478 Configuring BGP on page 478 Configuring OSPF on page 479 Configuring Policy Options on page 480

Configuring MPLS

To configure MPLS on the customer s CE router, include thempls statement:

mpls {traffic-engineering bgp-igp;interface interface-name ;

}



Configuring BGP

To configure a group to collate the customer s internal routes, include the bgpstatement:

478 Configuring Carrier-of-Carriers VPNs for Customers That Provide Internet Service



521/635


type internal;local-address address ;

neighbor address ;}}



The customer s CE router must be able to send labels to the VPN service provider srouter. Enable this by including thelabeled-unicast statement in the configurationfor the BGP group:

bgp {group group-name {export internal;peer-as as-number ;neighbor address {

family inet {labeled-unicast ;

}}

}}

You can include thebgp statement at the following hierarchy levels:

[edit protocols] [edit logical-systems logical-system-name protocols]

Configuring OSPF

To configure OSPF on the customer s CE router, include theospf statement:

ospf {area area-id {

interface interface-name {passive;

}interface interface-name ;

}}



Configuring Carrier-of-Carriers VPNs for Customers That Provide Internet Service 479



522/635


To configure policy options on the customer s CE router, include thepolicy-statementstatement:

policy-statement statement-name {term term-name {

from protocol [ospf direct ldp];then accept;

}term term-name {

then reject;}

}

You can include this statement at the following hierarchy levels: [edit policy-options] [edit logical-systems logical-system-name policy-options]

Configuring the Carrier-of-Carriers VPN Service Provider s PE Routers

The service provider s PE routers connect to the customer s CE routers and forwardthe customer s VPN traffic across the provider s network.

The following sections describe how to configure the carrier-of-carriers VPN serviceprovider s PE routers: Configuring MPLS on page 480 Configuring BGP on page 481 Configuring IS-IS on page 481 Configuring LDP on page 481 Configuring a Routing Instance on page 482 Configuring Policy Options on page 482

Configuring MPLS

To configure MPLS on the provider s PE routers, include thempls statement:

mpls {interface interface-name ;interface interface-name ;

}






523/635

Configuring BGP

To configure a BGP session with the provider PE router at the other end of theprovider s network, include the bgp statement:


type internal;local-address address ;family inet-vpn {

any;}neighbor address ;

}}



Configuring IS-IS

To configure IS-IS on the provider s PE routers, include the isis statement:

isis {interface interface-name ;interface interface-name {

passive;

}}



Configuring LDP

To configure LDP on the provider s PE routers, include the ldp statement:

ldp {interface interface-name ;

}



Configuring Carrier-of-Carriers VPNs for Customers That Provide Internet Service 481



524/635

Configuring a Routing Instance

To configure Layer 3 VPN service with the customer s CE router, include thelabeled-unicast statement in the configuration for the routing instance so the PE routercan send labels to the customer s CE router:

routing-instance-name {instance-type vrf;interface interface-name ;route-distinguisher address ;vrf-import policy-name ;vrf-export policy-name ;protocols {


peer-as as-number ;neighbor address {


}}

}}

}}

You can include these statements at the following hierarchy levels: [edit routing-instances]

[edit logical-systems logical-system-name routing-instances]


To configure a policy statement to import routes from the customer s CE router,include the policy-statement statement:


from {protocol bgp;community community-name ;

}then accept;

}term term-name {

then reject;}

}

You can include this statement at the following hierarchy levels: [edit policy-options]




525/635

[edit logical-systems logical-system-name policy-options]

To configure a policy statement to export routes to the customer s CE router, includethe policy-statement and community statements:


from protocol bgp;then {

community add community-name ;accept;

}}term term-name {

then reject;}

}

communitycommunity-name

membersvalue

;You can include these statements at the following hierarchy levels: [edit policy-options]


Configuring Carrier-of-Carriers VPNs for Customers That Provide VPN Service

You can configure a carrier-of-carriers VPN service for customers who want to VPNservice. Figure 50 on page 469shows how the routers in this type of serviceinterconnect.

To configure the following routers in the customer s and provider s networks toenable carrier-of-carriers VPN service, you perform the steps in the following sections: Configuring the Carrier-of-Carriers Customer s PE Router on page 483 Configuring the Carrier-of-Carriers Customer s CE Router on page 486 Configuring the Provider s PE Router on page 489

Configuring the Carrier-of-Carriers Customer s PE Router

The carrier-of-carriers customer s PE router is connected to the end customer s CErouter.

The following sections describe how to configure the carrier-of-carriers customer sPE router: Configuring MPLS on page 484 Configuring BGP on page 484 Configuring OSPF on page 485 Configuring LDP on page 485

Configuring Carrier-of-Carriers VPNs for Customers That Provide VPN Service 483



526/635

Configuring VPN Service in the Routing Instance on page 485 Configuring Policy Options on page 486

Configuring MPLS

To configure MPLS on the carrier-of-carriers customer s PE router, include themplsstatement:

mpls {interface interface-name ;interface interface-name ;

}



Configuring BGP

Include the labeled-unicast statement in the configuration for the IBGP session to thecarrier-of-carriers customer s CE router (see Configuring the Carrier-of-CarriersCustomer s CE Router on page 486), and include the family-inet-vpnstatement in theconfiguration for the IBGP session to the carrier-of-carriers PE router on the otherside of the network:


type internal;

local-address address ;neighbor address {family inet {

labeled-unicast ;resolve-vpn;

}}

}neighbor address {

family inet-vpn {any;

}}

}

You can include these statements at the following hierarchy levels: [edit protocols]


484 Configuring Carrier-of-Carriers VPNs for Customers That Provide VPN Service



527/635

Configuring OSPF

To configure OSPF on the carrier-of-carriers customer s PE router, include theospf statement:




}}



Configuring LDP

To configure LDP on the carrier-of-carriers customer s PE router, include the ldpstatement:

ldp {interface interface-name ;

}

You can include this statement at the following hierarchy levels: [edit protocols] [edit logical-systems logical-system-name protocols]

Configuring VPN Service in the Routing Instance

To configure VPN service for the end customer s CE router on the carrier-of-carrierscustomer s PE router, include the following statements:

instance-type vrf;interface interface-name ;route-distinguisher address ;vrf-import policy-name ;vrf-export policy-name ;protocols {


peer-as as-number ;neighbor address ;

}}

}




528/635

You can include these statements at the following hierarchy levels: [edit routing-instances routing-instance-name ]

[edit logical-systems logical-system-name routing-instances routing-instance-name ]


To configure policy options to import and export routes to and from the endcustomer s CE router, include thepolicy-statement and community statements:



}then accept;

}term term-name {

then reject;}

}policy-statement policy-name {

term term-name {from protocol bgp;then {


}}term term-name {

then reject;}

}community community-name members value ;

You can include these statements at the following hierarchy levels: [edit policy-options]


Configuring the Carrier-of-Carriers Customer s CE Router

The carrier-of-carriers customer s CE router connects to the provider s PE router.Complete the instructions in the following sections to configure the carrier-of-carrierscustomers CE router: Configuring MPLS on page 487 Configuring BGP on page 487 Configuring OSPF and LDP on page 488 Configuring Policy Options on page 488




529/635

Configuring MPLS

In the MPLS configuration for the carrier-of-carriers customer s CE router, includethe interfaces to the provider s PE router and to a P router in the customer s network:

mpls {traffic-engineering bgp-igp;interface interface-name ;interface interface-name ;

}



Configuring BGP

In the BGP configuration for the carrier-of-carriers customer s CE router, configurea group that includes the labeled-unicast statement to extend VPN service to the PErouter connected to the end customer s CE router:


type internal;local-address address ;neighbor address {


}}

}}

You can include thebgp statement at the following hierarchy levels: [edit protocols]


To configure a group to send labeled internal routes to the provider s PE router,include the bgp statement:


export internal;peer-as as-number ;neighbor address {


}}

}




530/635

}



Configuring OSPF and LDP

To configure OSPF and LDP on the carrier-of-carriers customer s CE router, includethe ospf and ldp statements:




}}ldp {

interface interface-name ;}



Configuring Policy OptionsTo configure the policy options on the carrier-of-carriers customer s CE router, includethe policy-statement statement:

policy-statement policy-statement-name {term term-name {

from protocol [ ospf direct ldp ];then accept;

}term term-name {

then reject;}

}

You can include this statement at the following hierarchy levels: [edit policy-options]





531/635

Configuring the Provider s PE Router

The carrier-of-carriers provider s PE routers connect to the carrier customer s CErouters. Complete the instructions in the following sections to configure the provider sPE router: Configuring MPLS on page 489 Configuring a PE-Router-to-PE-Router BGP Session on page 489 Configuring IS-IS and LDP on page 490 Configuring Policy Options on page 490 Configuring a Routing Instance to Send Routes to the CE Router on page 491

Configuring MPLS

In the MPLS configuration, specify at least two interfaces

one to the customer

s CErouter and one to connect to the provider s PE router on the other side of theprovider s network:

interface interface-name ;interface interface-name ;

You can include these statements at the following hierarchy levels: [edit protocols mpls]

[edit logical-systems logical-system-name protocols mpls]

Configuring a PE-Router-to-PE-Router BGP Session

To configure a PE-router-to-PE-router BGP session on the provider s PE routers toallow VPN-IPv4 routes to pass between the PE routers, include thebgp statement:


type internal;local-address address ;family inet-vpn {

any;}neighbor address ;

}}






532/635

Configuring IS-IS and LDP

To configure IS-IS and LDP on the provider s PE routers, include the isis and ldpstatements:

isis {interface interface-name ;interface interface-name {

passive;}

}ldp {

interface interface-name ;}

You can include these statements at the following hierarchy levels: [edit protocols] [edit logical-systems logical-system-name protocols]


To configure policy statements on the provider s PE router to export routes to andimport routes from the carrier customer s network, include the policy-statement andcommunity statements:

policy-statement statement-name {term term-name {


}then accept;

}term term-name {

then reject;}

}policy-statement statement-name {

term term-name {from protocol bgp;then {


}}term term-name {

then reject;}

}community community-name members value ;




533/635

You can include these statements at the following hierarchy levels: [edit policy-options]


Configuring a Routing Instance to Send Routes to the CE Router

To configure the routing instance on the provider s PE router to send labeled routesto the carrier customer s CE router, include the following statements:

instance-type vrf;interface interface-name ;route-distinguisher value ;vrf-import policy-name ;vrf-export policy-name ;protocols {


peer-as as-number ;neighbor address {


}}

}}

}

You can include these statements at the following hierarchy levels: [edit routing-instances routing-instance-name ]

[edit logical-systems logical-system-name routing-instances routing-instance-name ]

Configuring BGP to Gather Interprovider and Carrier-of-Carriers VPNs Statistics

You can configure BGP to gather traffic statistics for interprovider andcarrier-of-carriers VPNs.

To configure BGP to gather traffic statistics for interprovider and carrier-of-carriersVPNs, include thetraffic-statistics statement:

traffic-statistics {file filename ;interval seconds ;

}

For a list of the hierarchy levels at which you can include this statement, see thesummary section for this statement.

Configuring BGP to Gather Interprovider and Carrier-of-Carriers VPNs Statistics 491



534/635

NOTE: Traffic statistics for interprovider and carrier-of-carriers VPNs are availableonly for IPv4. IPv6 is not supported.

If you do not specify a filename, the statistics are not written to a file. However, if you have included thetraffic-statistics statement in the BGP configuration, the statisticsare still available and can be accessed by means of theshow bgp group traffic-statistics

group-name command.

To account for traffic from each customer separately, separate labels must beadvertised for the same prefix to the peer routers in different groups. To enableseparate traffic accounting, you need to include theper-group-label statement in theconfiguration for each BGP group. By including this statement, statistics are collectedand displayed that account for traffic sent by the peers of the specified BGP group.

If you configure the statement at the [edit protocols bgp family inet] hierarchy level,

rather than configuring it for a specific BGP group, then the traffic statistics are sharedwith all BGP groups configured with thetraffic-statistics statement but not configuredwith the per-group-label statement.

To account for traffic from each customer separately, include theper-group-labelstatement in the configuration for each BGP group:

per-group-label ;

For a list of the hierarchy levels at which you can include this statement, see thesummary section for this statement.

The following shows a sample of the output to the traffic statistics file:

Dec 19 10:39:54 Statistics for BGP group ext2 (Index 1) NLRI inet-labeled-unicastDec 19 10:39:54 FEC Packets Bytes EgressAS FECLabelDec 19 10:39:54 10.255.245.55 0 0 I 100160Dec 19 10:39:54 10.255.245.57 0 0 I 100112Dec 19 10:39:54 100.101.0.0 0 0 25 100080Dec 19 10:39:54 100.102.0.0 0 0 25 100080Dec 19 10:39:54 100.103.0.0 109 9592 25 100048Dec 19 10:39:54 100.104.0.0 109 9592 25 100048Dec 19 10:39:54 192.168.25.0 0 0 I 100064Dec 19 10:39:54 Dec 19 10:39:54, read statistics for 5 FECs in 00:00:00 seconds

(10 queries) for BGP group ext2 (Index 1) NLRI inet-labeled-unicast

492 Configuring BGP to Gather Interprovider and Carrier-of-Carriers VPNs Statistics



535/635

Chapter 23

Configuration Examples for Interproviderand Carrier-of-Carriers VPNs

This chapter contains examples that illustrate how to configure interprovider andcarrier-of-carriers virtual private networks (VPNs). It includes the following sections:

Example Terminology on page 493 Interprovider VPN Example MP-EBGP Between ISP Peer Routers on page 494 Interprovider VPN Example Multihop MP-EBGP with P Routers on page 501 Carrier-of-Carriers VPN Examples on page 509 Carrier-of-Carriers VPN Example Customer Provides Internet Service on page 509 Carrier-of-Carriers VPN Example Customer Provides VPN Service on page 519 Multiple Instances for LDP and Carrier-of-Carriers VPNs on page 530

Example Terminology

B

bgp.l3vpn.0 The table on the provider edge (PE) router in which the VPN-IPv4 routes that arereceived from another PE router are stored. Incoming routes are checked againstthe vrf-importstatements from all the VPNs configured on the PE router. If there is amatch, the VPN Internet Protocol version 4 (IPv4) route is added to thebgp.l3vpn.0 table. To view thebgp.l3vpn.0 table, issue the show route tablebgp.l3vpn.0 command.

M

MP-EBGP The multiprotocol external BGP (MP-EBGP) mechanism is used to export VPN-IPv4routes across an autonomous system (AS) boundary. To apply this mechanism, usethe labeled-unicast statement at the [edit protocols bgp group group-name family inet]hierarchy level.

R

Example Terminology 493


536/635

routing-instance-name .inet.0 The routing table for a specific routing instance. For example, a routing instancecalledVPN-Ahas a routing table calledVPN-A.inet.0. Routes are added to this tablein the following ways: They are sent from a customer edge (CE) router configured within the VPN-A

routing instance. They are advertised from a remote PE router that passes thevrf-importpolicy

configured within VPN-A (to view the route, run theshow route command).IPv4 (not VPN-IPv4) routes are stored in this table.

V

vrf-export policy-name An export policy configured on a particular routing instance on a PE router. It isrequired for the configuration of interprovider and carrier-of-carriers VPNs. It isapplied to VPN-IPv4 routes (originally learned from locally connected CE routers as

IPv4 routes), which are advertised to another PE router or route reflector.

vrf-import policy-name An import policy configured on a particular routing instance on a PE router. Thispolicy is required for the configuration of interprovider and carrier-of-carriers VPNs.It is applied to VPN-IPv4 routes learned from another PE router or a route reflector.

Interprovider VPN Example MP-EBGP Between ISP Peer Routers

In this example, all routes learned from the CE routers are sent over both serviceprovider networks as VPN-IPv4 routes. The routes are initially learned by the PErouters (Router B and Router E) from the CE routers (Router A and Router F) and areannounced by the PE routers to the AS border routers (Router C and Router D). TheAS border routers are then configured with an MP-EBGP session, enabling them topass the VPN-IPv4 routes with each other. When an AS border router Router C forexample learns VPN-IPv4 routes from an IBGP PE, the following occurs:1. Router C sets itself as the next hop for the route and creates a label for that route.2. Router C advertises the VPN-IPv4 route to PE Router D in AS 10045.3. Router D sets the next hop to itself, creates another label, and then forwards the

label and the route to its IBGP PE router (Router E).

This example has scaling limitations because of restrictions on the number of labelseach PE router needs to allocate at the AS border.

Figure 51 on page 495 illustrates the network topology used in this VPN example.

494 V



537/635

Figure 51: Network Topology of Interprovider VPN Example

For configuration information see the following sections: Configuration for Router A on page 495 Configuration for Router B on page 496 Configuration for Router C on page 497 Configuration for Router D on page 498 Configuration for Router E on page 499 Configuration for Router F on page 501

Configuration for Router A

Configure a familyinet EBGP session with Router B and export the direct routes:

[edit]protocols {

bgp {group to-provider {

export attached;peer-as 10023;neighbor 192.168.198.2;

}}

}policy-options {

policy-statement attached {from protocol direct;then accept;

}}

Interprovider VPN Example

MP-EBGP Between ISP Peer Routers 495

Chapter 23: Configuration Examples for Interprovider and Carrier-of-Carriers VPNs


538/635

Configuration for Router B

Router A is configured as a CE router (using therouting-instances statement) in theconfiguration for Router B. Because they exchange VPN-IPv4 routes, Router D andRouter C are configured as PE routers.

Configure Router B:

[edit]protocols {

rsvp {interface t3-0/0/0.0;

}mpls {

label-switched-path to-routerC {to 10.255.14.171;

description "to-routerC for use with VPNs";}interface t3-0/0/0.0;interface so-1/2/0.0;

}bgp {

group to-ibgp {type internal;local-address 10.255.14.175;family inet-vpn {

unicast;}neighbor 10.255.14.171;

}

}ospf {traffic-engineering;reference-bandwidth 4g;area 0.0.0.0 {

interface t3-0/0/0.0;interface lo0.0 {

passive;}

}}

}routing-instances {

vpna {

instance-type vrf;interface so-1/2/0.0;route-distinguisher 10.255.14.175:9;vrf-import vpna-import;vrf-export vpna-export;protocols {

bgp {group to-ce {

peer-as 9;neighbor 192.168.198.1;

496 Interprovider VPN Example

MP-EBGP Between ISP Peer Routers



539/635

}}

}}

}policy-options {policy-statement vpna-import {

term 1 {from {

protocol bgp;community vpna-comm;

}then accept;

}term 2 {

then reject;}

}

policy-statement vpna-export {term 1 {from protocol bgp;then {

community add vpna-comm;accept;

}}term 2 {

then reject;}

}community vpna-comm members target:100:1001;

}

Configuration for Router C

In the BGP protocol configuration for Router C, include thekeep all statement. Whenthis statement is included, BGP must store every route learned through BGP. Configuretwo BGP sessions (configurefamily inet-vpn on both sessions): IBGP session to Router B (groupto-ibgp in this example) EBGP session to Router D (groupto-ebgp-pe in this example)

Interface t3-0/2/0 is added at the [edit protocols mpls] hierarchy level, allowing BGPto announce routes with labels over the EBGP session.

Configure Router C:

[edit]protocols {

rsvp {interface t3-0/2/0.0;

}mpls {

label-switched-path to-routerB {





540/635

to 10.255.14.175;description "to-routerB for use with vpns";

}interface t3-0/2/0.0;

interface so-0/0/0.0;}bgp {

keep all;group to-ibgp {

type internal;local-address 10.255.14.171;family inet-vpn {


}group to-ebgp-pe {

type external;

family inet-vpn {unicast;}neighbor 192.168.197.22 {

peer-as 10045;}

}}ospf {

traffic-engineering;reference-bandwidth 4g;area 0.0.0.0 {


passive;}}

}}

Configuration for Router D

The configuration for Router D is almost identical to that of Router C:

[edit]protocols {

rsvp {

interface fe-1/1/0.0;}mpls {

label-switched-path to-E {to 10.255.14.177;description "to-routerE for vpna";

}interface fe-1/1/0.0;interface so-0/1/0.0;

}





541/635

bgp {keep all;group to-ibgp-pe {

type internal;

family inet-vpn {unicast;}neighbor 10.255.14.177;

}group to-ebgp-pe {

type external;family inet-vpn {

unicast;}peer-as 10023;neighbor 192.168.197.21;

}}

ospf {traffic-engineering;reference-bandwidth 4g;area 0.0.0.0 {

interface fe-1/1/0.0;interface lo0.0 {

passive;}

}}

}

Configuration for Router E

The configuration for Router E is very similar to the configuration for Router B:

[edit]protocols {

rsvp {interface fe-1/1/2.0;

}mpls {

label-switched-path to-routerD {to 10.255.14.173;description "to-routerD for use with VPNa";

}interface fe-1/1/2.0;

interface so-1/2/0.0;}bgp {

group to-ibgp-pe {type internal;local-address 10.255.14.177;family inet-vpn {






542/635

}}ospf {

traffic-engineering;

reference-bandwidth 4g;area 0.0.0.0 {interface fe-1/1/2.0;interface lo0.0 {

passive;}

}}


vpna {instance-type vrf;interface so-1/2/0.0;route-distinguisher 10.255.14.177:11;

vrf-import vpna-import;vrf-export vpna-export;protocols {

bgp {group to-routerF-ce {

neighbor 192.168.198.14 {peer-as 11;

}}

}}

}}policy-options {

policy-statement vpna-import {term 1 {from {


}then accept;

}term 2 {

then reject;}

}policy-statement vpna-export {

term 1 {from protocol bgp;then {


}}term 2 {

then reject;}

}





543/635

community vpna-comm members target:100:1001;}

Configuration for Router F

Configure Router F as a CE router; the configuration is similar to that for Router A:

[edit]protocols {

bgp {group to-provider {

type external;export attached;neighbor 192.168.198.13 {

peer-as 10045;}

}}

}policy-options {


}}

}

Interprovider VPN Example Multihop MP-EBGP with P Routers

In this example, labeled IPv4 (not VPN-IPv4), routes are exchanged by the AS borderrouters (Router C and Router D) to provide MPLS connectivity between the PE routers.Router G and H are provider routers.

Figure 52 on page 502 illustrates the network topology used in this VPN example.


Multihop MP-EBGP with P Routers 501



544/635

Figure 52: Network Topology of Interprovider VPN Example Multihop MP-EBGP

Only routes internal to the service provider networks should be announced betweenRouter C and Router D. Configure this by including thefamily inet labeled-unicaststatement in the IBGP and EBGP configuration on the PE routers. When you setfamilyinet labeled-unicast , the local router announces internal routes from inet.0 in thefollowing manner: If a label exists for the route, the local router creates a label, performs a swap,

and announces the route from inet.0 with the label. If a label does not exist for the route, the local router creates a label, performs

a pop, and announces the route from inet.0 with the label.

Routes learned from the labeled-unicast session are placed into the inet.0 routingtable.

In addition, you configure a multihop MP-EBGP session between the end PE routers(Router B and Router E). This additional MP-EBGP session allows the announcementof VPN-IPv4 routes, and allows you to maintain VPN connectivity while keepingVPN-IPv4 routes out of the core of the network.

For configuration information, see the following sections: Configuration for Router A on page 503 Configuration for Router B on page 503 Configuration for Router C on page 505

Configuration for Router D on page 506 Configuration for Router E on page 507 Configuration for Router F on page 509


Multihop MP-EBGP with P Routers



545/635


The configuration for Router A in this example is identical to the configuration forRouter A in the section Interprovider VPN Example MP-EBGP Between ISP PeerRouters on page 494. See Configuration for Router A on page 495.


Router A is configured as a CE router (using therouting-instances statement) in theconfiguration for Router B. Because they exchange VPN-IPv4 routes, Router C andRouter D are configured as PE routers.

In the BGP groupto-ibgp, include the family inet labeled-unicast statement to passlabeled IPv4 routes, and configure an EBGP multihop session to pass VPN-IPv4 routes:

[edit]protocols {

bgp {group to-ibgp {

type internal;local-address 10.255.14.175;family inet {


}}neighbor 10.255.14.171;

}group to-remote-pe {

multihop {ttl 10;}family inet-vpn {

unicast;}neighbor 10.255.14.177 {

peer-as 10045;}

}mpls {

label-switched-path to-routerC {to 10.255.14.171;description "to-routerC for use with VPNs";

}interface t3-0/0/0.0;interface so-1/2/0.0;

}ospf {







546/635

passive;}

}}

rsvp {interface t3-0/0/0.0;}


vpna {instance-type vrf;interface so-1/2/0.0;route-distinguisher 10.255.14.175:9;vrf-import vpna-import;vrf-export vpna-export;protocols {

bgp {group to-ce {

peer-as 9;neighbor 192.168.198.1;}

}}

}}policy-options {

policy-statement vpna-import {term 1 {

from {protocol bgp;community vpna-comm;

}

then accept;}term 2 {

then reject;}




}}term 2 {

then reject;}


}}





547/635


Configure two BGP sessions (configurefamily inet-vpn on both sessions): IBGP session to Router B (groupto-ibgp in this example) EBGP session to Router D (groupto-ebgp-pe in this example)

Interface t3-0/2/0 is added at the [edit protocols mpls] hierarchy level, allowing BGPto announce routes with labels over the EBGP session.

Configure Router C:

[edit]protocols {

bgp {group to-ibgp {


labeled-unicast;}neighbor 10.255.14.175;

}group to-ebgp-pe {

type external;family inet {

labeled-unicast;}export internal;neighbor 192.168.197.22 {

peer-as 10045;}

}mpls {

label-switched-path to-routerB {to 10.255.14.175;description "to-routerB for use with vpns";

}interface t3-0/2/0.0;interface so-0/0/0.0;traffic-engineering bgp-igp;

}rsvp {

interface t3-0/2/0.0;}ospf {



passive;}





548/635

}}

}policy-options {

policy-statement internal {term 1 {from protocol [ospf direct ldp];then accept;

}term 2 {

then reject;}

}}

}


Configure Router D:

[edit]protocols {

bgp {group to-ibgp-pe {

type internal;family inet {


}group to-ebgp-pe {

type external;family inet {labeled-unicast;

}export internal;peer-as 10023;neighbor 192.168.197.21;

}mpls {

label-switched-path to-E {to 10.255.14.177;description "to-routerE for vpna";


interface so-0/1/0.0;traffic-engineering bgp-igp;}ospf {


interface fe-1/1/0.0;interface lo0.0 {

passive;





549/635

}}

}rsvp {

interface fe-1/1/0.0;}}policy-options {

policy-statement internal {term 1 {

from protocol [ospf direct ldp];then accept;

}term 2 {

then reject;}

}}

}

Configuration for Router E

The configuration for Router E is very similar to the configuration for Router B:

[edit]protocols {

bgp {group to-ibgp-pe {



}group to-remote-pe {

multihop {ttl 10;

}family inet-vpn {

unicast;}neighbor 10.255.14.175 {

peer-as 10023;}

}mpls {label-switched-path to-routerD {

to 10.255.14.173;description "to-routerD for use with VPNa";

}interface fe-1/1/2.0;interface so-1/2/0.0;

}ospf {





550/635


interface fe-1/1/2.0;

interface lo0.0 {passive;}

}}rsvp {

interface fe-1/1/2.0;}


vpna {instance-type vrf;interface so-1/2/0.0;route-distinguisher 10.255.14.177:11;

vrf-import vpna-import;vrf-export vpna-export;protocols {

bgp {group to-routerF-ce {

neighbor 192.168.198.14 {peer-as 11;

}}

}}

}}policy-options {

policy-statement vpna-import {term 1 {from {


}then accept;

}term 2 {

then reject;}




}}term 2 {

then reject;}

}





551/635

community vpna-comm members target:100:1001;}

}


The configuration for Router F in this example is identical to the configuration forRouter F in the section Interprovider VPN Example MP-EBGP Between ISP PeerRouters on page 494. See Configuration for Router F on page 501.

Carrier-of-Carriers VPN Examples

A carrier-of-carriers service allows an Internet service provider (ISP) to connect to atransparent outsourced backbone at multiple locations.

Figure 53 on page 509shows the network topology in both carrier-of-carriers examples.

Figure 53: Carrier-of-Carriers VPN Example Network Topology

Carrier-of-Carriers VPN Example Customer Provides Internet Service

In this example, the carrier customer is not required to configure MPLS and LDP onits network. However, the carrier provider must configure MPLS and LDP on its

network.For configuration information see the following sections: Configuration for Router A on page 510 Configuration for Router B on page 510 Configuration for Router C on page 511 Configuration for Router D on page 511

Carrier-of-Carriers VPN Examples 509



552/635

Configuration for Router E on page 512 Configuration for Router F on page 514 Configuration for Router G on page 514 Configuration for Router H on page 515 Configuration for Router I on page 516 Configuration for Router J on page 517 Configuration for Router K on page 517 Configuration for Router L on page 518


In this example, Router A represents an end customer. You configure this router asa CE device.

[edit]protocols {

bgp {group to-routerB {


}}

}policy-options {


}}


Router B can act as the gateway router, responsible for aggregating end customersand connecting them to the network. If a full-mesh IBGP session is configured, youcan use route reflectors.

[edit]protocols {

bgp {group int {

type internal;local-address 10.255.14.179;neighbor 10.255.14.175;neighbor 10.255.14.181;neighbor 10.255.14.176;neighbor 10.255.14.178;neighbor 10.255.14.177;

}group to-vpn-blue {

peer-as 1;

510 Carrier-of-Carriers VPN Example

Customer Provides Internet Service



553/635

neighbor 192.168.197.170;}

}ospf {

area 0.0.0.0 {interface lo0.0 {passive;

}interface fe-1/0/3.0;interface fe-1/0/2.0 {

passive;}

}}

}


Configure Router C:

[edit]protocols {

bgp {group int {


}}ospf {

area 0.0.0.0 {interface lo0.0 {

passive;}interface fe-0/3/3.0;interface fe-0/3/0.0;

}}

}


Router D is the CE router with respect to AS 10023. In a carrier-of-carriers VPN, theCE router must be able to send labels to the carrier provider; this is done with thelabeled-unicast statement in group to-isp-red.

[edit]protocols {

mpls {interface t3-0/0/0.0;

Carrier-of-Carriers VPN Example

Customer Provides Internet Service 511



554/635

}bgp {

group int {type internal;

local-address 10.255.14.175;neighbor 10.255.14.179;neighbor 10.255.14.176;neighbor 10.255.14.177;neighbor 10.255.14.178;neighbor 10.255.14.181;

}group to-isp-red {

export internal;peer-as 10023;neighbor 192.168.197.13 {

family inet {labeled-unicast;

}

}}}ospf {


passive;}interface fe-0/3/0.0;interface t3-0/0/0.0 {

passive;}

}}

}policy options {policy-statement internal {

term a {from protocol [ ospf direct ];then accept;

}term b {

then reject;}

}}

Configuration for Router E This configuration sets up theinet-vpn IBGP session with Router H and the PE routerportion of the VPN with Router D. Because Router D is required to send labels in thisexample, configure the BGP session with thelabeled-unicast statement within theVPN routing and forwarding (VRF) table.

[edit]protocols {

mpls {





555/635

interface t3-0/2/0.0;interface at-0/1/0.0;

}bgp {

group pe-pe {type internal;local-address 10.255.14.171;family inet-vpn {

any;}neighbor 10.255.14.173;

}}isis {

interface at-0/1/0.0;interface lo0.0 {

passive;}

}ldp {interface at-0/1/0.0;

}}routing-instances {

vpn-isp1 {instance-type vrf;interface t3-0/2/0.0;route-distinguisher 10.255.14.171:21;vrf-import vpn-isp1-import;vrf-export vpn-isp1-export;protocols {

bgp {

group to-isp1 {peer-as 21;neighbor 192.168.197.14 {


}}

}}

}}

}policy-options {

policy-statement vpn-isp1-import {term a {

from {protocol bgp;community vpn-isp1-comm;

}then accept;

}term b {

then reject;}





556/635

}policy-statement vpn-isp1-export {

term a {from protocol bgp;

then {community add vpn-isp1-comm;accept;

}}term b {

then reject;}

}community vpn-isp1-comm members target:69:21;

}


Configure Router F to act as a label-swapping router:

[edit]protocols {

isis {interface so-0/2/0.0;interface at-0/3/0.0;interface lo0.0 {

passive;}

}ldp {

interface so-0/2/0.0;

interface at-0/3/0.0;}}

Configuration for Router G

Configure Router G to act as a label-swapping router:

[edit]protocols {

isis {interface so-0/0/0.0;interface so-1/0/0.0;interface lo0.0 {

passive;}

}ldp {

interface so-0/0/0.0;interface so-1/0/0.0;

}}





557/635

Configuration for Router H

Router H acts as the PE router for AS 10023. The configuration that follows is similarto that for Router F:

[edit]protocols {

mpls {interface fe-1/1/0.0;interface so-1/0/0.0;

}bgp {

group pe-pe {type internal;local-address 10.255.14.173;family inet-vpn {

any;}neighbor 10.255.14.171;

}}isis {

interface so-1/0/0.0;interface lo0.0 {

passive;}

}ldp {

interface so-1/0/0.0;}

}routing-instances {vpn-isp1 {

instance-type vrf;interface fe-1/1/0.0;route-distinguisher 10.255.14.173:21;vrf-import vpn-isp1-import;vrf-export vpn-isp1-export;protocols {

bgp {group to-isp1 {

peer-as 21;neighbor 192.168.197.94 {

family inet {

labeled-unicast;}}

}}

}}

}policy-options {

policy-statement vpn-isp1-import {





558/635

term a {from {

protocol bgp;community vpn-isp1-comm;

}then accept;}term b {

then reject;}

}policy-statement vpn-isp1-export {

term a {from protocol bgp;then {

community add vpn-isp1-comm;accept;

}

}term b {then reject;

}}community vpn-isp1-comm members target:69:21;

}

Configuration for Router I

Configure Router I to connect to the basic Internet service customer (Router L):

[edit]

protocols {mpls {interface fe-1/0/1.0;interface fe-1/1/3.0;

}bgp {

group int {type internal;local-address 10.255.14.181;neighbor 10.255.14.177;neighbor 10.255.14.179;neighbor 10.255.14.175;neighbor 10.255.14.176;neighbor 10.255.14.178;

}group to-vpn-green {peer-as 1;neighbor 192.168.197.198;

}}ospf {


passive;





559/635

}interface fe-1/0/1.0 {

passive;}

interface fe-1/1/3.0;}}

}

Configuration for Router J

Configure Router J as a label-swapping router:

[edit]protocols {

bgp {group int {


}}

}ospf {


passive;

}interface fe-1/0/2.0;interface fe-1/0/3.0;

}}

Configuration for Router K

Router K acts as the CE router at the end of the connection to the carrier provider.As in the configuration for Router D, include thelabeled-unicast statement for theEBGP session:

[edit]protocols {

mpls {interface fe-1/1/2.0;interface fe-1/0/2.0;

}bgp {

group int {type internal;local-address 10.255.14.177;neighbor 10.255.14.181;





560/635

neighbor 10.255.14.178;neighbor 10.255.14.175;neighbor 10.255.14.176;neighbor 10.255.14.179;

}group to-isp-red {export internal;peer-as 10023;neighbor 192.168.197.93 {


}}

}}ospf {


passive;}interface fe-1/0/2.0;interface fe-1/1/2.0 {

passive;}

}}

}policy-options {

policy-statement internal {term a {

from protocol [ ospf direct ];then accept;

}term b {then reject;

}}

}

Configuration for Router L

Configure Router L to act as the end customer for the carrier-of-carriers VPN service:

[edit]protocols {

bgp {group to-routerI {export attached;peer-as 21;neighbor 192.168.197.197;

}}

}policy-options {

policy-statement attached {





561/635

from protocol direct;then accept;

}}

Carrier-of-Carriers VPN Example Customer Provides VPN Service

In this example, the carrier customer must run some form of MPLS (ResourceReservation Protocol [RSVP] or LDP) on its network to provide VPN services to theend customer. In the example below, Router B and Router I act as PE routers, anda functioning MPLS path is required between these routers if they exchange VPN-IPv4routes.

For configuration information see the following sections: Configuration for Router A on page 519 Configuration for Router B on page 520 Configuration for Router C on page 521 Configuration for Router D on page 522 Configuration for Router E on page 523 Configuration for Router F on page 524 Configuration for Router G on page 525 Configuration for Router H on page 525 Configuration for Router I on page 526 Configuration for Router J on page 528 Configuration for Router K on page 528 Configuration for Router L on page 529


In this example, Router A acts as the CE router for the end customer. Configure adefault familyinet BGP session on Router A:

[edit]protocols {

bgp {group to-routerB {


}}

}policy-options {


}}


Customer Provides VPN Service 519



562/635


Because Router B is the PE router for the end customer CE router (Router A), youneed to configure a routing instance (vpna). Configure thelabeled-unicast statementon the IBGP session to Router D, and configurefamily-inet-vpnfor the IBGP sessionto the other side of the network (seeFigure 53 on page 509) with Router I:

[edit]protocols {

mpls {interface fe-1/0/2.0;interface fe-1/0/3.0;

}bgp {

group int {type internal;

local-address 10.255.14.179;neighbor 10.255.14.175 {family inet {


}}

}}neighbor 10.255.14.181 {

family inet-vpn {any;

}}

}ospf {area 0.0.0.0 {

interface lo0.0 {passive;


}}ldp {

interface fe-1/0/3.0;}


vpna {instance-type vrf;interface fe-1/0/2.0;route-distinguisher 10.255.14.179:21;vrf-import vpna-import;vrf-export vpna-export;protocols {

bgp {group vpna-06 {

peer-as 1;


Customer Provides VPN Service



563/635

neighbor 192.168.197.170;}

}}

}}policy-options {

policy-statement vpna-import {term a {

from {protocol bgp;community vpna-comm;

}then accept;

}term b {

then reject;}

}policy-statement vpna-export {term a {

from protocol bgp;then {


}}term b {

then reject;}


}


Configure Router C as a label-swapping router within the local AS:

[edit]protocols {

mpls {traffic-engineering bgp-igp;

}ospf {

area 0.0.0.0 {

interface lo0.0 {passive;}interface fe-0/3/3.0;interface fe-0/3/0.0;

}}ldp {

interface fe-0/3/0.0;interface fe-0/3/3.0;


Customer Provides VPN Service 521



564/635

}}


Router D acts as the CE router for the VPN services provided by the AS 10023network. In the BGP group

Config Guide Vpns

Documents

Transcript of Config Guide Vpns