Junos® OS Layer 3 VPNs Configuration Guide
Release 12.2
Published: 2012-09-03

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net

This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright © 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.

This product includes memory allocation software developed by Mark Moraes, copyright © 1988, 1989, 1993, University of Toronto.

This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by The Regents of the University of California. Copyright © 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

GateD software copyright © 1995, The Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton's EGP, UC Berkeley's routing daemon (routed), and DCN's HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D. L. S. Associates.

This product includes software developed by Maker Communications, Inc., copyright © 1996, 1997, Maker Communications, Inc.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Junos OS Layer 3 VPNs Configuration Guide, Release 12.2
Copyright © 2012, Juniper Networks, Inc.
All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Table of Contents

About the Documentation
  Documentation and Release Notes
  Using the Examples in This Manual
    Merging a Full Example
    Merging a Snippet
  Documentation Conventions
  Documentation Feedback
  Requesting Technical Support
    Self-Help Online Tools and Resources
    Opening a Case with JTAC

Part 1  Overview

Chapter 1  Introduction to Layer 3 VPNs
  Layer 3 VPN Introduction
  Layer 3 VPN Platform Support
  Layer 3 VPN Attributes
  VPN-IPv4 Addresses and Route Distinguishers
  IPv6 Layer 3 VPNs
  VPN Routing and Forwarding Tables
  Route Distribution Within a Layer 3 VPN
    Distribution of Routes from CE to PE Routers
    Distribution of Routes Between PE Routers
    Distribution of Routes from PE to CE Routers
  Forwarding Across the Provider's Core Network
  Routing Instances for VPNs
  Multicast over Layer 3 VPNs
    Multicast over Layer 3 VPNs Overview
    Sending PIM Hello Messages to the PE Routers
    Sending PIM Join Messages to the PE Routers
    Receiving the Multicast Transmission

Chapter 2  Introduction to Configuring Layer 3 VPNs
  Configuring VPN Tunnel for VRF Table Lookup

Part 2  Configuration

Chapter 3  Configuring Layer 3 VPNs
  Introduction to Configuring Layer 3 VPNs
  Configuring Routing Between PE and CE Routers in Layer 3 VPNs
    Configuring BGP Between the PE and CE Routers
    Configuring OSPF Between the PE and CE Routers
      Configuring OSPF Version 2 Between the PE and CE Routers
      Configuring OSPF Version 3 Between the PE and CE Routers
      Configuring OSPF Sham Links for Layer 3 VPNs
      Configuring an OSPF Domain ID
    Configuring RIP Between the PE and CE Routers
    Configuring Static Routes Between the PE and CE Routers
  Limiting the Number of Paths and Prefixes Accepted from CE Routers in Layer 3 VPNs
  Configuring Layer 3 VPNs to Carry IPv6 Traffic
    Configuring IPv6 on the PE Router
      Configuring the Connection Between the PE and CE Routers
      Configuring BGP on the PE Router to Handle IPv6 Routes
      Configuring BGP on the PE Router for IPv4 and IPv6 Routes
      Configuring OSPF Version 3 on the PE Router
      Configuring Static Routes on the PE Router
    Configuring IPv6 on the Interfaces
  Configuring EBGP Multihop Sessions Between PE and CE Routers in Layer 3 VPNs
  Configuring Layer 3 VPNs to Carry IBGP Traffic
  Filtering Packets in Layer 3 VPNs Based on IP Headers
    Egress Filtering Options
    Support on Aggregated and VLAN Interfaces for IP-Based Filtering
    Support on ATM and Frame Relay Interfaces for IP-Based Filtering
    Support on Ethernet, SONET/SDH, and T1/T3/E3 Interfaces for IP-Based Filtering
    Support on SONET/SDH and DS3/E3 Channelized Enhanced Intelligent Queuing Interfaces for IP-Based Filtering
    Support on Multilink PPP and Multilink Frame Relay Interfaces for IP-Based Filtering
    Support for IP-Based Filtering of Packets with Null Top Labels
    General Limitations on IP-Based Filtering
  Applying Custom MPLS EXP Classifiers to Routing Instances in Layer 3 VPNs
  Load Balancing and IP Header Filtering for Layer 3 VPNs
    Example: Load Balancing Layer 3 VPN Traffic While Simultaneously Using IP Header Filtering
  Configuring Label Allocation and Substitution Policy for VPNs
  Configuring Logical Units on the Loopback Interface for Routing Instances in Layer 3 VPNs
  Configuring Multicast Layer 3 VPNs
  Configuring Packet Forwarding for Layer 3 VPNs
  Configuring GRE Tunnels for Layer 3 VPNs
    Configuring GRE Tunnels Manually Between PE and CE Routers
      Configuring the GRE Tunnel Interface on the PE Router
      Configuring the GRE Tunnel Interface on the CE Router
    Configuring GRE Tunnels Dynamically
  Configuring an ES Tunnel Interface for Layer 3 VPNs
    Configuring the ES Tunnel Interface on the PE Router
    Configuring the ES Tunnel Interface on the CE Router
  Configuring IPsec Tunnels Instead of MPLS LSPs Between PE Routers in Layer 3 VPNs
  Configuring Protocol-Independent Load Balancing in Layer 3 VPNs
  Configuring Load Balancing for Layer 3 VPNs
    Configuring Load Balancing and Routing Policies
    Configuring the Algorithm That Determines the Active Route to Evaluate AS Numbers in AS Paths for VPN Routes
  Configuring Traffic Policing in Layer 3 VPNs
  Accepting Route Updates with Unique Inner VPN Labels in Layer 3 VPNs
    Accepting Up to One Million Layer 3 VPN Route Updates
    Accepting More Than One Million Layer 3 VPN Route Updates

Chapter 4  Layer 3 VPN Configuration Examples
  Configuring a Simple Full-Mesh VPN Topology
    Enabling an IGP on the PE and P Routers
    Enabling RSVP and MPLS on the P Router
    Configuring the MPLS LSP Tunnel Between the PE Routers
    Configuring IBGP on the PE Routers
    Configuring Routing Instances for VPNs on the PE Routers
    Configuring VPN Policy on the PE Routers
    Simple VPN Configuration Summarized by Router
      Router A (PE Router)
      Router B (P Router)
      Router C (PE Router)
  Configuring a Full-Mesh VPN Topology with Route Reflectors
  Configuring Hub-and-Spoke VPN Topologies: One Interface
    Configuring Hub CE1
    Configuring Hub PE1
    Configuring the P Router
    Configuring Spoke PE2
    Configuring Spoke PE3
    Configuring Spoke CE2
    Configuring Spoke CE3
    Enabling Egress Features on the Hub PE Router
      Configuring Hub PE1
  Configuring Hub-and-Spoke VPN Topologies: Two Interfaces
    Enabling an IGP on the Hub-and-Spoke PE Routers
    Configuring LDP on the Hub-and-Spoke PE Routers
    Configuring IBGP on the PE Routers
    Configuring VPN Routing Instances on the Hub-and-Spoke PE Routers
    Configuring VPN Policy on the PE Routers
    Hub-and-Spoke VPN Configuration Summarized by Router
      Router D (Hub PE Router)
      Router E (Spoke PE Router)
      Router F (Spoke PE Router)
  Configuring an LDP-over-RSVP VPN Topology
    Enabling an IGP on the PE and P Routers
    Enabling LDP on the PE and P Routers
    Enabling RSVP and MPLS on the P Router
    Configuring the MPLS LSP Tunnel Between the P Routers
    Configuring IBGP on the PE Routers
    Configuring Routing Instances for VPNs on the PE Routers
    Configuring VPN Policy on the PE Routers
    LDP-over-RSVP VPN Configuration Summarized by Router
      Router PE1
      Router P1
      Router P2
      Router P3
      Router PE2
  Configuring an Application-Based Layer 3 VPN Topology
    Configuration on Router A
    Configuration on Router E
    Configuration on Router F
  Configuring an OSPF Domain ID for a Layer 3 VPN
    Configuring Interfaces on Router PE1
    Configuring Routing Options on Router PE1
    Configuring Protocols on Router PE1
    Configuring Policy Options on Router PE1
    Configuring the Routing Instance on Router PE1
    Configuration Summary for Router PE1
  Configuring Overlapping VPNs Using Routing Table Groups
    Configuring Routing Table Groups
    Configuring Static Routes Between the PE and CE Routers
      Configuring the Routing Instance for VPN A
      Configuring the Routing Instance for VPN AB
      Configuring the Routing Instance for VPN B
      Configuring VPN Policy
    Configuring BGP Between the PE and CE Routers
    Configuring OSPF Between the PE and CE Routers
    Configuring Static, BGP, and OSPF Routes Between PE and CE Routers
  Configuring Overlapping VPNs Using Automatic Route Export
    Configuring Overlapping VPNs with BGP and Automatic Route Export
    Configuring Overlapping VPNs and Additional Tables
    Configuring Automatic Route Export for All VRF Instances
  Configuring a GRE Tunnel Interface Between PE Routers
    Configuring the Routing Instance on Router A
    Configuring the Routing Instance on Router D
    Configuring MPLS, BGP, and OSPF on Router A
    Configuring MPLS, BGP, and OSPF on Router D
    Configuring the Tunnel Interface on Router A
    Configuring the Tunnel Interface on Router D
    Configuring the Routing Options on Router A
    Configuring the Routing Options on Router D
    Configuration Summary for Router A
    Configuration Summary for Router D
  Configuring a GRE Tunnel Interface Between a PE and CE Router
    Configuring the Routing Instance Without the Encapsulating Interface
      Configuring the Routing Instance on Router PE1
      Configuring the GRE Tunnel Interface on Router PE1
      Configuring the Encapsulation Interface on Router PE1
    Configuring the Routing Instance with the Encapsulating Interface
      Configuring the Routing Instance on Router PE1
      Configuring the GRE Tunnel Interface on Router PE1
      Configuring the Encapsulation Interface on Router PE1
    Configuring the GRE Tunnel Interface on Router CE1
  Configuring an ES Tunnel Interface Between a PE and CE Router
    Configuring IPsec on Router PE1
    Configuring the Routing Instance Without the Encapsulating Interface
      Configuring the Routing Instance on Router PE1
      Configuring the ES Tunnel Interface on Router PE1
      Configuring the Encapsulating Interface for the ES Tunnel
    Configuring the Routing Instance with the Encapsulating Interface
      Configuring the Routing Instance on Router PE1
      Configuring the ES Tunnel Interface on Router PE1
      Configuring the Encapsulating Interface on Router PE1
    Configuring the ES Tunnel Interface on Router CE1
    Configuring IPsec on Router CE1
  Example: Disabling Normal TTL Decrementing in a VRF Routing Instance
  Example: Configuring Layer 3 VPN Protocol Family Qualifiers for Route Filters
  Example: Configuring Route Resolution on PE Routers
  Example: Configuring Route Resolution on Route Reflectors
  Example: Configuring Host Fast Reroute
    Understanding Host Fast Reroute
      Interfaces That Support HFRR
      Primary Route and Backup Route Candidates
      Backup Path Selection Policy
      Characteristics of HFRR Routes
      Removal of HFRR Routes
      ARP Prefix Limit and Blackout Supplementary Timeout
    Example: Configuring Host Fast Reroute
  Example: Configuring a Layer 3 VPN with Route Reflection and AS Override
  Example: Configuring MPLS Egress Protection for Layer 3 VPN Services
    Egress Protection for Layer 3 VPN Edge Protection Overview
      Router Functions
      Protector and Protection Models
    Example: Configuring Egress Protection for Layer 3 VPN Services
  Example: Configuring Layer 3 VPN Localization for VRFs
    Layer 3 VPN Localization Overview
    Packet Forwarding Engine-Based VPN Label Allocation
    Example: Configuring Layer 3 VPN Localization

Chapter 5  Layer 3 VPN Internet Access Examples
  Non-VRF Internet Access
    CE Router Accesses Internet Independently of the PE Router
    PE Router Provides Layer 2 Internet Service
  Distributed Internet Access
    Routing VPN and Internet Traffic Through Different Interfaces
      Configuring Interfaces on Router PE1
      Configuring Routing Options on Router PE1
      Configuring BGP, IS-IS, and LDP Protocols on Router PE1
      Configuring Routing Instance on Router PE1
      Configuring Policy Options on Router PE1
      Traffic Routed by Different Interfaces: Configuration Summarized by Router
        Router PE1
    Routing VPN and Outgoing Internet Traffic Through the Same Interface and Routing Return Internet Traffic Through a Different Interface
      Configuration for Router PE1
    Routing VPN and Internet Traffic Through the Same Interface Bidirectionally (VPN Has Public Addresses)
      Configuring Routing Options on Router PE1
      Configuring Routing Protocols on Router PE1
      Configuring the Routing Instance on Router PE1
      Traffic Routed Through the Same Interface Bidirectionally: Configuration Summarized by Router
        Router PE1
    Routing VPN and Internet Traffic Through the Same Interface Bidirectionally (VPN Has Private Addresses)
      Configuring Routing Options for Router PE1
      Configuring Routing Instance for Router PE1
      Configuring Policy Options for Router PE1
      Traffic Routed by the Same Interface Bidirectionally (VPN Has Private Addresses): Configuration Summarized by Router
        Router PE1
    Routing Internet Traffic Through a Separate NAT Device
      Configuring Interfaces on Router PE1
      Configuring Routing Options for Router PE1
      Configuring Routing Protocols on Router PE1
      Configuring Routing Instance for Router PE1
      Traffic Routed by Separate NAT Device: Configuration Summarized by Router
        Router PE1
  Centralized Internet Access
    Routing Internet Traffic Through a Hub CE Router
      Configuring a Routing Instance on Router PE1
      Configuring Policy Options on Router PE1
      Internet Traffic Routed by a Hub CE Router: Configuration Summarized by Router
    Routing Internet Traffic Through Multiple CE Routers
      Configuring a Routing Instance on Router PE1
      Configuring Policy Options on Router PE1
      Configuring a Routing Instance on Router PE3
      Configuring Policy Options on Router PE3
      Routing Internet Traffic Through Multiple CE Routers: Configuration Summarized by Router

Chapter 6  Additional Examples
  Example: Configuring Interprovider Layer 3 VPN Option A
  Example: Configuring Interprovider Layer 3 VPN Option B
  Example: Configuring Interprovider Layer 3 VPN Option C
  Layer 3 VPN Overview
  Applications for Interconnecting a Layer 2 Circuit with a Layer 3 VPN
  Interconnecting Layer 2 VPNs with Layer 3 VPNs Overview
  Interconnecting Layer 2 VPNs with Layer 3 VPNs Applications
  Example: Interconnecting a Layer 2 VPN with a Layer 3 VPN
  Example: Interconnecting a Layer 2 Circuit with a Layer 3 VPN

Part 3  Administration

Chapter 7  Layer 3 VPNs Reference
  Supported Layer 3 VPN Standards

Chapter 8  Summary of Layer 3 VPN Configuration Statements
  arp-prefix-limit (Host Fast Reroute)
  as-path-compare
  classifiers
  description (Routing Instances)
  domain-id
  domain-vpn-tag
  dynamic-tunnels
  egress-protection (MPLS)
  egress-protection (Routing Instances)
  egress-protection (BGP)
  extended-space
  forwarding-table
  global-arp-prefix-limit (Host Fast Reroute)
  global-supplementary-blackout-timer (Host Fast Reroute)
  group-address (Routing Instances VPN)
  independent-domain
  ingress
  inet6-vpn
  l3vpn
  label
  link-protection (Host Fast Reroute)
  localize
  maximum-paths
  maximum-prefixes
  metric (Protocols OSPF Sham Link)
  multihop
  multipath (Routing Options)
  no-vrf-advertise
  no-vrf-propagate-ttl
  routing-instances (Class of Service)
  sham-link
  sham-link-remote
  supplementary-blackout-timer (Host Fast Reroute)
  vpn-unequal-cost
  vrf-propagate-ttl
  vrf-table-label

Part 4  Troubleshooting

Chapter 9  Troubleshooting Layer 3 VPNs
  Diagnosing Common Problems
  Example: Troubleshooting Layer 3 VPNs

Part 5  Index
  Index

List of Figures

Part 1  Overview

Chapter 1  Introduction to Layer 3 VPNs
  Figure 1: VPN Attributes and Route Distribution
  Figure 2: Overlapping Addresses Among Different VPNs
  Figure 3: Route Distinguishers
  Figure 4: VRF Tables
  Figure 5: Route Distribution Within a VPN
  Figure 6: Distribution of Routes from CE Routers to PE Routers
  Figure 7: Distribution of Routes Between PE Routers
  Figure 8: Distribution of Routes from PE Routers to CE Routers
  Figure 9: Using MPLS LSPs to Tunnel Between PE Routers
  Figure 10: Label Stack
  Figure 11: Multicast Topology Overview

Part 2  Configuration

Chapter 3  Configuring Layer 3 VPNs
  Figure 12: OSPF Sham Link
  Figure 13: Layer 3 VPN Load Balancing Using IP Header Filtering
  Figure 14: GRE Tunnel Configured Between the Local CE Router and the PE Router
  Figure 15: GRE Tunnel Configured Between the Remote CE Router and the PE Router

Chapter 4  Layer 3 VPN Configuration Examples
  Figure 16: Example of a Simple VPN Topology
  Figure 17: Example of a Hub-and-Spoke VPN Topology with One Interface
  Figure 18: Example of a Hub-and-Spoke VPN Topology with Two Interfaces
  Figure 19: Route Distribution Between Two Spoke Routers
  Figure 20: Example of an LDP-over-RSVP VPN Topology
  Figure 21: Label Pushing and Popping
  Figure 22: Application-Based Layer 3 VPN Example Configuration
  Figure 23: Example of a Configuration Using an OSPF Domain ID
  Figure 24: Example of an Overlapping VPN Topology
  Figure 25: PE Routers A and D Connected by a GRE Tunnel Interface
  Figure 26: GRE Tunnel Between the CE Router and the PE Router
  Figure 27: ES Tunnel Interface (IPsec Tunnel)
  Figure 28: Disabling TTL Propagation for a Single VPN
  Figure 29: Host Fast Reroute
  Figure 30: Host Fast Reroute Topology
  Figure 31: AS Override Topology
  Figure 32: Sample Topology for Egress Protection

Chapter 5  Layer 3 VPN Internet Access Examples
  Figure 33: PE Router Does Not Provide Internet Access
  Figure 34: PE Router Connects to a Router Connected to the Internet
  Figure 35: Routing VPN and Internet Traffic Through Different Interfaces
  Figure 36: Example of Internet Traffic Routed Through Separate Interfaces
  Figure 37: VPN and Outgoing Internet Traffic Routed Through the Same Interface and Return Internet Traffic Routed Through a Different Interface
  Figure 38: Interface Configured to Carry Both Internet and VPN Traffic
  Figure 39: VPN and Internet Traffic Routed Through the Same Interface
  Figure 40: Internet Traffic Routed Through a Separate NAT Device
  Figure 41: Internet Traffic Routed Through a NAT Example Topology
  Figure 42: Internet Access Through a Hub CE Router Performing NAT
  Figure 43: Internet Access Provided Through a Hub CE Router
  Figure 44: Two Hub CE Routers Handling Internet Traffic and NAT

Chapter 6  Additional Examples
  Figure 45: Physical Topology of Interprovider Layer 3 VPN Option A
  Figure 46: Physical Topology of Interprovider Layer 3 VPN Option B
  Figure 47: Physical Topology of Interprovider Layer 3 VPN Option C
  Figure 48: Physical Topology of a Layer 2 VPN Terminating into a Layer 3 VPN
  Figure 49: Logical Topology of a Layer 2 VPN Terminating into a Layer 3 VPN
  Figure 50: Physical Topology of a Layer 2 Circuit to Layer 3 VPN Interconnection
  Figure 51: Logical Topology of a Layer 2 Circuit to Layer 3 VPN Interconnection
Part 4  Troubleshooting

Chapter 9  Troubleshooting Layer 3 VPNs
  Figure 52: Layer 3 VPN Topology for ping and traceroute Examples

List of Tables

About the Documentation
  Table 1: Notice Icons
  Table 2: Text and Syntax Conventions

Part 2  Configuration

Chapter 3  Configuring Layer 3 VPNs
  Table 3: How a PE Router Redistributes and Advertises Routes
  Table 4: Support for Aggregated and VLAN Interfaces
  Table 5: Support for ATM and Frame Relay Interfaces
  Table 6: Support for Ethernet, SONET/SDH, and T1/T3/E3 Interfaces
  Table 7: Support for Channelized IQE Interfaces on M320 Routers with Enhanced III FPCs
  Table 8: Support for Multilink PPP and Multilink Frame Relay Interfaces
  Table 9: Device IP Address Quick Reference

About the Documentation

• Documentation and Release Notes
• Using the Examples in This Manual
• Documentation Conventions
• Documentation Feedback
• Requesting Technical Support

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.

Using the Examples in This Manual

If you want to use the examples in this manual, you can use the load merge or the load merge relative command. These commands cause the software to merge the incoming configuration into the current candidate configuration. The example does not become active until you commit the candidate configuration.

If the example configuration contains the top level of the hierarchy (or multiple hierarchies), the example is a full example. In this case, use the load merge command.

If the example configuration does not start at the top level of the hierarchy, the example is a snippet. In this case, use the load merge relative command. These procedures are described in the following sections.

Merging a Full Example

To merge a full example, follow these steps:

1. From the HTML or PDF version of the manual, copy a configuration example into a text file, save the file with a name, and copy the file to a directory on your routing platform.

   For example, copy the following configuration to a file and name the file ex-script.conf. Copy the ex-script.conf file to the /var/tmp directory on your routing platform.

   system {
       scripts {
           commit {
               file ex-script.xsl;
           }
       }
   }
   interfaces {
       fxp0 {
           disable;
           unit 0 {
               family inet {
                   address 10.0.0.1/24;
               }
           }
       }
   }

2. Merge the contents of the file into your routing platform configuration by issuing the load merge configuration mode command:

   [edit]
   user@host# load merge /var/tmp/ex-script.conf
   load complete

Merging a Snippet

To merge a snippet, follow these steps:

1. From the HTML or PDF version of the manual, copy a configuration snippet into a text file, save the file with a name, and copy the file to a directory on your routing platform.

   For example, copy the following snippet to a file and name the file ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory on your routing platform.

   commit {
       file ex-script-snippet.xsl;
   }

2. Move to the hierarchy level that is relevant for this snippet by issuing the following configuration mode command:

   [edit]
   user@host# edit system scripts
   [edit system scripts]

3. Merge the contents of the file into your routing platform configuration by issuing the load merge relative configuration mode command:

   [edit system scripts]
   user@host# load merge relative /var/tmp/ex-script-snippet.conf
   load complete

For more information about the load command, see the Junos OS CLI User Guide.

Documentation Conventions

Table 1 on page xvi defines notice icons used in this guide.

Table 1: Notice Icons

Icon                 Meaning              Description
(note icon)          Informational note   Indicates important features or instructions.
(caution icon)       Caution              Indicates a situation that might result in loss of data or hardware damage.
(warning icon)       Warning              Alerts you to the risk of personal injury or death.
(laser icon)         Laser warning        Alerts you to the risk of personal injury from a laser.

Table 2 on page xvii defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention                  Description                                                   Examples
Bold text like this         Represents text that you type.                                To enter configuration mode, type the configure command:
                                                                                            user@host> configure
Fixed-width text like this  Represents output that appears on the terminal screen.        user@host> show chassis alarms
                                                                                            No alarms currently active
Italic text like this       • Introduces or emphasizes important new terms.               • A policy term is a named structure that defines match conditions and actions.
                            • Identifies book names.                                      • Junos OS System Basics Configuration Guide
                            • Identifies RFC and Internet draft titles.                   • RFC 1997, BGP Communities Attribute
Italic text like this       Represents variables (options for which you substitute a      Configure the machine's domain name:
                            value) in commands or configuration statements.                 [edit]
                                                                                            root@# set system domain-name domain-name
Text like this              Represents names of configuration statements, commands,       • To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
                            files, and directories; interface names; configuration        • The console port is labeled CONSOLE.
                            hierarchy levels; or labels on routing platform components.
< > (angle brackets)        Enclose optional keywords or variables.                       stub <default-metric metric>;
| (pipe symbol)             Indicates a choice between the mutually exclusive keywords    broadcast | multicast
                            or variables on either side of the symbol. The set of         (string1 | string2 | string3)
                            choices is often enclosed in parentheses for clarity.
# (pound sign)              Indicates a comment specified on the same line as the         rsvp { # Required for dynamic MPLS only
                            configuration statement to which it applies.
[ ] (square brackets)       Enclose a variable for which you can substitute one or more   community name members [ community-ids ]
                            values.
Indention and braces ( { } ) Identify a level in the configuration hierarchy.             [edit]
; (semicolon)               Identifies a leaf statement at a configuration hierarchy      routing-options {
                            level.                                                            static {
                                                                                                  route default {
                                                                                                      nexthop address;
                                                                                                      retain;
                                                                                                  }
                                                                                              }
                                                                                          }

J-Web GUI Conventions
Bold text like this         Represents J-Web graphical user interface (GUI) items you     • In the Logical Interfaces box, select All Interfaces.
                            click or select.                                              • To cancel the configuration, click Cancel.
> (bold right angle bracket) Separates levels in a hierarchy of J-Web selections.         In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to techpubs-comments@juniper.net, or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include the following information with your comments:

• Document or topic name
• URL or page number
• Software release version (if applicable)

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies: For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf
• Product warranties: For product warranty information, visit http://www.juniper.net/support/warranty/
• JTAC hours of operation: The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: http://www2.juniper.net/kb/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/
• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico)

For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.
= CopyRETO BOTS Juniper letwora Tne PARTI Overview tion to Layer 3 sage 3 ition to Configuring Layer 3V ‘Tonyr@hTO SOE Jones Teta Tne Layer 3 VPle Configuation ude CopyRETO BOTS Juniper letwora Tne CHAPTER 1 Introduction to Layer 3 VPNs «+ Layer 3 VPN Introduction on page 3 + Layer3 VPN Platform Support on page 4 «+ Layer 3 VPN Attributes on page 4 + VPN-IPvé4 Addresses and Route Distingvishers on page 5 + IPV6 Layer3 VPNs on page 8 + VPN Routingand Fonwarding Tables on page 8 + Route Distribution Withina Layer 3 VPN on page «+ Forwarding Across the Provider's Core Network on page 16 + Routing Instances for VPNs on page 17 + Multicast over Layer3 VPNs on page 18 Layer 3 VPN Introduction InJunos OS, Layer 3 VPNeare based on RFC 4364, RFC 4364 defines a mechanism by which service providers can use their IP backbones to provide VPN services to their customers. A Layer 3 VPN isa set of sites that share common routing information and ‘whose connectivity is controlled by a collection of policies. The sites that make up a Layer 3 VPN are connected overa provider's existing public Internet backbone RFC 4364 VPNs are also known ac BGP/MPLS VPNs because BGP is used to dictribute \VPN routing information across the provider's backbone, and MPLS is used to forward VPN traffic across the backbone to remote VPN sites. Customer networks, because they are private, can use either public addresses or private addresses, asdefinedin RFC 1918, Address Allocation for Private Internets. Whencustomer networks that use private addresses connect to the public Internet infrastructure, the private addresses might overlap with the came private addresses used by other network Users. MPLS/BGP VPNs colve this problem by addinga VPN identifier prefix to each address from aparticular VPNsite, therebycreatingan address that is unique both within the VPNand within the public Internet. 
In addition, each VPN has its own VPN-specific routing table that contains the routing information for that VPN only.

Layer 3 VPN Platform Support

Layer 3 VPNs are supported on most combinations of Juniper Networks routing platforms and PICs capable of running the JUNOS Software.

MX Series routers configured to be in Ethernet services mode can support some of the Junos OS Layer 3 VPN features. For Layer 3 VPNs, Ethernet services mode supports configuring a loopback interface for a VPN routing and forwarding (VRF) instance. You can configure up to two VRF instances in Ethernet services mode. Each VRF instance can handle up to 10,000 routes. The ping mpls l3vpn operational mode command is also supported.

Layer 3 VPN Attributes

Route distribution within a VPN is controlled through BGP extended community attributes. RFC 4364 defines the following three attributes used by VPNs:
• Target VPN—Identifies a set of sites within a VPN to which a provider edge (PE) router distributes routes. This attribute is also called the route target. The route target is used by the egress PE router to determine whether a received route is destined for a VPN that the router services. Figure 1 on page 5 illustrates the function of the route target. PE Router PE1 adds the route target "VPN B" to routes received from the customer edge (CE) router at Site 1 in VPN B. When it receives the route, the egress router PE2 examines the route target, determines that the route is for a VPN that it services, and accepts the route. When the egress router PE3 receives the same route, it does not accept the route because it does not service any CE routers in VPN B.
• VPN of origin—Identifies a set of sites and the corresponding route as having come from one of the sites in that set.
• Site of origin—Uniquely identifies the set of routes that a PE router learned from a particular site.
This attribute ensures that a route learned from a particular site through a particular PE-CE connection is not distributed back to the site through a different PE-CE connection. It is particularly useful if you are using BGP as the routing protocol between the PE and CE routers and if different sites in the VPN have been assigned the same autonomous system (AS) numbers.

Figure 1: Route Target

VPN-IPv4 Addresses and Route Distinguishers

Because Layer 3 VPNs connect private networks—which can use either public addresses or private addresses as defined in RFC 1918 (Address Allocation for Private Internets)—over the public Internet infrastructure, when the private networks use private addresses, the addresses might overlap with the addresses of another private network. Figure 2 on page 6 illustrates how private addresses in different private networks can overlap. Here, sites within VPN A and VPN B use the address spaces 10.1.0.0/16, 10.2.0.0/16, and 10.3.0.0/16 for their private networks.

Figure 2: Overlapping Addresses Among Different VPNs

To avoid overlapping private addresses, you can configure the network devices to use public addresses instead of private addresses. However, this is a large and complex undertaking. The solution provided in RFC 4364 uses the existing private network numbers to create a new address that is unambiguous. The new address is part of the VPN-IPv4 address family, which is a BGP address family added as an extension to the BGP protocol. In VPN-IPv4 addresses, a value that identifies the VPN, called a route distinguisher, is prefixed to the private IPv4 address, providing an address that uniquely identifies a private IPv4 address.

Only the PE routers need to support the VPN-IPv4 address extension to BGP.
When an ingress PE router receives an IPv4 route from a device within a VPN, it converts it into a VPN-IPv4 route by adding the route distinguisher prefix to the route. The VPN-IPv4 addresses are used only for routes exchanged between PE routers. When an egress PE router receives a VPN-IPv4 route, it converts the VPN-IPv4 route back to an IPv4 route by removing the route distinguisher before announcing the route to its connected CE routers.

VPN-IPv4 addresses have the following format:
• Route distinguisher—A 6-byte value that you can specify in one of the following formats:
  • as-number:number, where as-number is an AS number (a 2-byte value) and number is any 4-byte value. The AS number can be in the range 1 through 65,535. We recommend that you use an Internet Assigned Numbers Authority (IANA)-assigned, nonprivate AS number, preferably the Internet service provider's (ISP's) own or the customer's own AS number.
  • ip-address:number, where ip-address is an IP address (a 4-byte value) and number is any 2-byte value. The IP address can be any globally unique unicast address. We recommend that you use the address that you configure in the router-id statement, which is a nonprivate address in your assigned prefix range.
• IPv4 address—4-byte address of a device within the VPN.

Figure 2 on page 6 illustrates how the AS number can be used in the route distinguisher. Suppose that VPN A is in AS 65535 and that VPN B is in AS 666 (both these AS numbers belong to the ISP), and suppose that the route distinguisher for Site 2 in VPN A is 65535:02 and that the route distinguisher for Site 2 in VPN B is 666:02. When Router PE2 receives a route from the CE router in VPN A, it converts it from its IP address of 10.2.0.0 to a VPN-IPv4 address of 65535:02:10.2.0.0. When the PE router receives a route from VPN B, which uses the same address space as VPN A, it converts it to a VPN-IPv4 address of 666:02:10.2.0.0.
If the IP address is used in the route distinguisher, suppose Router PE2's IP address is 172.168.0.1. When the PE router receives a route from VPN A, it converts it to a VPN-IPv4 address of 172.168.0.1:0:10.2.0.0/16, and it converts a route from VPN B to 172.168.0.1:1:10.2.0.0/16.

Route distinguishers are used only among PE routers to distinguish IPv4 addresses from different VPNs. The ingress PE router creates a route distinguisher and converts IPv4 routes received from CE routers into VPN-IPv4 addresses. The egress PE routers convert VPN-IPv4 routes into IPv4 routes before announcing them to the CE router.

Because VPN-IPv4 addresses are a type of BGP address, you must configure BGP sessions between pairs of PE routers so that the PE routers can distribute VPN-IPv4 routes within the provider's core network. (All PE routers are assumed to be within the same AS.) You define BGP communities to constrain the distribution of routes among the PE routers. Defining BGP communities does not, by itself, distinguish IPv4 addresses. Figure 3 on page 8 illustrates how Router PE1 adds the route distinguisher 10458:22:10.1/16 to routes received from the CE router at Site 1 in VPN A and forwards these routes to the other two PE routers. Similarly, Router PE1 adds the route distinguisher 10458:23:10.2/16 to routes received from the CE router at Site 1 in VPN B and forwards these routes to the other PE routers.

Figure 3: Route Distinguishers

IPv6 Layer 3 VPNs

The interfaces between the PE and CE routers of a Layer 3 VPN can be configured to carry IP version 6 (IPv6) traffic. IP allows numerous nodes on different networks to interoperate seamlessly. IPv4 is currently used in intranets and private networks, as well as the Internet. IPv6 is the successor to IPv4, and is based for the most part on IPv4.
In the Juniper Networks implementation of IPv6, the service provider implements an MPLS-enabled IPv4 backbone to provide VPN service for IPv6 customers. The PE routers have both IPv4 and IPv6 capabilities. They maintain IPv6 VPN routing and forwarding (VRF) tables for their IPv6 sites and encapsulate IPv6 traffic in MPLS frames that are then sent into the MPLS core network.

IPv6 for Layer 3 VPNs is supported for BGP and for static routes. IPv6 over Layer 3 VPNs is described in RFC 4659, BGP-MPLS IP Virtual Private Network (VPN) Extension for IPv6 VPN.

For more information about IPv6, see the Junos OS Routing Protocols Configuration Guide.

VPN Routing and Forwarding Tables

To separate a VPN's routes from routes in the public Internet or those in other VPNs, the PE router creates a separate routing table for each VPN, called a VPN routing and forwarding (VRF) table. The PE router creates one VRF table for each VPN that has a connection to a CE router. Any customer or site that belongs to the VPN can access only the routes in the VRF tables for that VPN.

Figure 4 on page 9 illustrates the VRF tables that are created on the PE routers. The three PE routers have connections to CE routers that are in two different VPNs, so each PE router creates two VRF tables, one for each VPN.

Figure 4: VRF Tables

Each VRF table is populated from routes received from directly connected CE sites associated with that VRF routing instance and from routes received from other PE routers that passed BGP community filtering and are in the same VPN. Each PE router also maintains one global routing table (inet.0) to reach other routers in and outside the provider's core network.

Each customer connection (that is, each logical interface) is associated with one VRF table. Only the VRF table associated with a customer site is consulted for packets from that site.
You can configure the router so that if a next hop to a destination is not found in the VRF table, the router performs a lookup in the global routing table, which is used for Internet access.

The Junos OS uses the following routing tables for VPNs:
• bgp.l3vpn.0—Stores all VPN-IPv4 unicast routes received from other PE routers. (This table does not store routes received from directly connected CE routers.) This table is present only on PE routers.
  When a PE router receives a route from another PE router, it places the route into its bgp.l3vpn.0 routing table. The route is resolved using the information in the inet.3 routing table. The resultant route is converted into IPv4 format and redistributed to all routing-instance-name.inet.0 routing tables on the PE router if it matches the VRF import policy.
  The bgp.l3vpn.0 table is also used to resolve routes over the MPLS tunnels that connect the PE routers. These routes are stored in the inet.3 routing table. PE-to-PE router connectivity must exist in inet.3 (not just in inet.0) for VPN routes to be resolved properly.
  When a router is advertising non-local VPN-IPv4 unicast routes and the router is a route reflector or is performing external peering, the VPN-IPv4 unicast routes are automatically exported into the VPN routing table (bgp.l3vpn.0). This enables the router to perform path selection and advertise from the bgp.l3vpn.0 routing table.
  To determine whether to add a route to the bgp.l3vpn.0 routing table, the Junos OS checks it against the VRF instance import policies for all the VPNs configured on the PE router. If the VPN-IPv4 route matches one of the policies, it is added to the bgp.l3vpn.0 routing table.
  To display the routes in the bgp.l3vpn.0 routing table, use the show route table bgp.l3vpn.0 command.
• routing-instance-name.inet.0—Stores all unicast IPv4 routes received from directly connected CE routers in a routing instance (that is, in a single VPN) and all explicitly configured static routes in the routing instance. This is the VRF table and is present only on PE routers. For example, for a routing instance named VPN-A, the routing table for that instance is named VPN-A.inet.0.
  When a CE router advertises a route to a PE router, the PE router places the route into the corresponding routing-instance-name.inet.0 routing table and advertises the route to other PE routers if it passes a VRF export policy. Among other things, this policy tags the route with the route distinguisher (route target) that corresponds to the VPN site to which the CE belongs. A label is also allocated and distributed with the route. The bgp.l3vpn.0 routing table is not involved in this process.
  The routing-instance-name.inet.0 table also stores routes announced by a remote PE router that match the VRF import policy for that VPN. The remote PE router redistributed these routes from its bgp.l3vpn.0 table. Routes are not redistributed from the routing-instance-name.inet.0 table to the bgp.l3vpn.0 table; they are directly advertised to other PE routers.
  For each routing-instance-name.inet.0 routing table, one forwarding table is maintained in the router's Packet Forwarding Engine. This table is maintained in addition to the forwarding tables that correspond to the router's inet.0 and mpls.0 routing tables. As with the inet.0 and mpls.0 routing tables, the best routes from the routing-instance-name.inet.0 routing table are placed into the forwarding table.
  To display the routes in the routing-instance-name.inet.0 table, use the show route table routing-instance-name.inet.0 command.
• inet.3—Stores all MPLS routes learned from LDP and RSVP signaling done for VPN traffic.
  The routing table stores the MPLS routes only if the traffic-engineering bgp-igp option is not enabled. For VPN routes to be resolved properly, the inet.3 table must contain routes to all the PE routers in the VPN.
  To display the routes in the inet.3 table, use the show route table inet.3 command.
• inet.0—Stores routes learned by the IBGP sessions between the PE routers. To provide Internet access to the VPN sites, configure the routing-instance-name.inet.0 routing table to contain a default route to the inet.0 routing table.
  To display the routes in the inet.0 table, use the show route table inet.0 command.

The following routing policies, which are defined in VRF import and export statements, are specific to VRF tables:
• Import policy—Applied to VPN-IPv4 routes learned from another PE router to determine whether the route should be added to the PE router's bgp.l3vpn.0 routing table. Each routing instance on a PE router has a VRF import policy.
• Export policy—Applied to VPN-IPv4 routes that are announced to other PE routers. The VPN-IPv4 routes are IPv4 routes that have been announced by locally connected CE routers.

VPN route processing differs from normal BGP route processing in one way. In BGP, routes are accepted if they are not explicitly rejected by import policy. However, because many more VPN routes are expected, the Junos OS does not accept (and hence store) VPN routes unless the route matches at least one VRF import policy. If no VRF import policy explicitly accepts the route, it is discarded and not even stored in the bgp.l3vpn.0 table. As a result, when a VPN change occurs on a PE router—such as adding a new VRF table or changing a VRF import policy—the PE router sends a BGP route refresh message to the other PE routers (or to the route reflector if this is part of the VPN topology) to retrieve all VPN routes so they can be reevaluated to determine whether they should be kept or discarded.
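To tie together the VPN-IPv4 address format, the VRF export and import steps around bgp.l3vpn.0 and routing-instance-name.inet.0, and the outer/inner label pair used between PE routers, here is an added Python model; it is not code from the Juniper guide, and the route targets, VPN labels, LSP labels and PE loopback addresses in it are assumptions. It encodes the route distinguisher in the 8-byte RFC 4364 wire form (a 2-byte type field followed by the 6-byte value described above) and reproduces the VPN A / VPN B overlap from the figures.

```python
"""Added example (not from the Juniper guide): a small model of how PE routers turn
IPv4 routes into VPN-IPv4 routes and back, and of the two-level label stack between
PEs. Values follow the figures above (VPN A in AS 65535, VPN B in AS 666, both using
10.2.0.0/16); route targets, labels and PE loopbacks are constructed for the example."""
import ipaddress
import struct
from dataclasses import dataclass, field


def encode_rd(rd: str) -> bytes:
    """RFC 4364 wire form: 2-byte type + 6-byte value. 'as:number' is type 0
    (2-byte AS, 4-byte number); 'a.b.c.d:number' is type 1 (4-byte IP, 2-byte number)."""
    admin, _, assigned = rd.partition(":")
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(assigned))
    return struct.pack("!HHI", 0, int(admin), int(assigned))


def vpn_ipv4_address(rd: str, prefix: str) -> bytes:
    """RD + 4-byte network address: the VPN-IPv4 address that keeps overlapping prefixes distinct."""
    return encode_rd(rd) + ipaddress.IPv4Network(prefix).network_address.packed


@dataclass(frozen=True)
class VpnRoute:
    rd: str            # RD of the originating VRF
    prefix: str        # customer IPv4 prefix, e.g. "10.2.0.0/16"
    route_target: str  # route-target community, e.g. "target:65535:1" (constructed)
    next_hop: str      # BGP next hop: loopback of the advertising PE
    label: int         # inner (VPN) label allocated by the advertising PE


@dataclass
class Vrf:
    rd: str
    export_target: str         # route target added by the VRF export policy
    import_targets: frozenset  # route targets accepted by the VRF import policy
    inet0: dict = field(default_factory=dict)  # prefix -> (next hop, VPN label or None)


class PeRouter:
    """Minimal PE: per-VRF inet.0 tables, shared bgp.l3vpn.0, inet.3 (PE loopback -> LSP label)."""

    def __init__(self, name: str, loopback: str, label_base: int = 300000):
        self.name, self.loopback = name, loopback
        self.vrfs: dict[str, Vrf] = {}
        self.bgp_l3vpn_0: dict[bytes, VpnRoute] = {}
        self.inet3: dict[str, int] = {}  # constructed LSP labels, not Junos's
        self._next_label = label_base    # constructed VPN label range

    def export_routes(self) -> list[VpnRoute]:
        """Ingress: VRF export policy prepends the RD, tags the route target, allocates a label."""
        advertised = []
        for vrf in self.vrfs.values():
            for prefix, (_, label) in vrf.inet0.items():
                if label is None:  # locally learned CE route, not a re-export
                    self._next_label += 1
                    advertised.append(VpnRoute(vrf.rd, prefix, vrf.export_target,
                                               self.loopback, self._next_label))
        return advertised

    def import_routes(self, routes: list[VpnRoute]) -> int:
        """Egress: keep a route in bgp.l3vpn.0 only if some VRF import policy accepts its
        route target (else discard, not even stored); install it, RD removed, into each
        matching VRF's inet.0. Returns the number of discarded routes."""
        discarded = 0
        for route in routes:
            matching = [v for v in self.vrfs.values() if route.route_target in v.import_targets]
            if not matching:
                discarded += 1
                continue
            self.bgp_l3vpn_0[vpn_ipv4_address(route.rd, route.prefix)] = route
            for vrf in matching:
                vrf.inet0[route.prefix] = (route.next_hop, route.label)
        return discarded

    def label_stack(self, vrf_name: str, prefix: str) -> list[int]:
        """[outer, inner] for traffic to a remote prefix of this VRF: outer label from
        inet.3 for the BGP next hop, inner label carried with the VPN route."""
        next_hop, label = self.vrfs[vrf_name].inet0[prefix]
        if label is None:
            raise LookupError(f"{prefix} is local to {vrf_name}; no tunnel needed")
        return [self.inet3[next_hop], label]


def demo() -> dict[str, PeRouter]:
    """PE1 and PE2 serve VPN A and VPN B; PE3 serves only VPN A (as in Figure 1).
    PE1 learns 10.2.0.0/16 from a CE in each VPN and advertises both."""
    pes = {}
    for site, name in enumerate(("PE1", "PE2", "PE3"), start=1):
        pe = pes[name] = PeRouter(name, f"192.0.2.{site}")
        pe.vrfs["VPN-A"] = Vrf(f"65535:{site}", "target:65535:1", frozenset({"target:65535:1"}))
        if name != "PE3":
            pe.vrfs["VPN-B"] = Vrf(f"666:{site}", "target:666:1", frozenset({"target:666:1"}))
        pe.inet3["192.0.2.1"] = 1000 + site  # outer label of this PE's LSP towards PE1
    pes["PE1"].vrfs["VPN-A"].inet0["10.2.0.0/16"] = ("CE-A1", None)  # learned from the VPN A CE
    pes["PE1"].vrfs["VPN-B"].inet0["10.2.0.0/16"] = ("CE-B1", None)  # same space, VPN B CE
    advertised = pes["PE1"].export_routes()
    pes["PE2"].import_routes(advertised)
    pes["PE3"].import_routes(advertised)
    return pes
```

After demo(), PE2 holds both 10.2.0.0/16 routes under distinct VPN-IPv4 keys and forwards each with the same outer label but a different inner label, while PE3 discards the VPN B route before it ever reaches bgp.l3vpn.0.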
Related Documentation
• IGP Shortcuts and VPNs

Route Distribution Within a Layer 3 VPN

Figure 5 illustrates the distribution of routes within a Layer 3 VPN.

Figure 5: Route Distribution Within a VPN

Distribution of Routes from CE to PE Routers

A CE router announces its routes to the directly connected PE router. The announced routes are in IPv4 format. The PE router places the routes into the VRF table for the VPN. In the Junos OS, this is the routing-instance-name.inet.0 routing table, where routing-instance-name is the configured name of the VPN.

The connection between the CE and PE routers can be a remote connection (a WAN connection) or a direct connection (such as a Frame Relay or Ethernet connection). CE routers can communicate with PE routers using one of the following:
• OSPF
• BGP
• Static route

Figure 6 on page 13 illustrates how routes are distributed from CE routers to PE routers. Router PE1 is connected to two CE routers that are in different VPNs. Therefore, it creates two VRF tables, one for each VPN. The CE routers announce IPv4 routes. The PE router installs these routes into two different VRF tables, one for each VPN. Similarly, Router PE2 creates two VRF tables into which routes are installed from the two directly connected CE routers. Router PE3 creates one VRF table because it is directly connected to only one VPN.

Figure 6: Distribution of Routes from CE Routers to PE Routers

Distribution of Routes Between PE Routers

When one PE router receives routes advertised from a directly connected CE router, it checks the received route against the VRF export policy for that VPN. If it matches, the route is converted to VPN-IPv4 format—that is, the 8-byte route distinguisher is prepended to the 4-byte VPN prefix to form a 12-byte VPN-IPv4 address. The route is then tagged with a route target community.
The PE router announces the route in VPN-IPv4 format to the remote PE routers for use by VRF import policies. The routes are distributed using IBGP sessions, which are configured in the provider's core network. If the route does not match, it is not exported to other PE routers, but can still be used locally for routing, for example, if two CE routers in the same VPN are directly connected to the same PE router.

The remote PE router places the route into its bgp.l3vpn.0 table if the route passes the import policy on the IBGP session between the PE routers. At the same time, it checks the route against the VRF import policy for the VPN. If it matches, the route distinguisher is removed from the route, and it is placed into the VRF table (the routing-instance-name.inet.0 table) in IPv4 format.

Figure 7 on page 14 illustrates how Router PE1 distributes routes to the other PE routers in the provider's core network. Router PE2 and Router PE3 each have VRF import policies that they use to determine whether to accept routes received over the IBGP sessions and install them in their VRF tables.

Figure 7: Distribution of Routes Between PE Routers

When a PE router receives routes advertised from a directly connected CE router (Router PE1 in Figure 7 on page 14), it uses the following procedure to examine the route, convert it to a VPN route, and distribute it to the remote PE routers:
1. The PE router checks the received route using the VRF export policy for that VPN.
2. If the received route matches the export policy, the route is processed as follows:
   a. The route is converted to VPN-IPv4 format—that is, the 6-byte route distinguisher is prepended to the 4-byte VPN prefix to form the 12-byte VPN-IPv4 address.
   b. A route target community is added to the route.
   c. The PE router advertises the route in VPN-IPv4 format to the remote PE routers. The routes are distributed using IBGP sessions, which are configured in the provider's core network.
3. If the route does not match the export policy, it is not exported to the remote PE routers, but can still be used locally for routing—for example, if two CE routers in the same VPN are directly connected to the same PE router.

When the remote PE router receives routes advertised from another PE router (Routers PE2 and PE3 in Figure 7 on page 14), it uses the following procedure to process the route:
1. If the route is accepted by the import policy on the IBGP session between the PE routers, the remote PE router places the route into its bgp.l3vpn.0 table.
2. The remote PE router checks the route's route target community against the VRF import policy for the VPN.
3. If it matches, the route distinguisher is removed from the route, and it is placed into the VRF table (the routing-instance-name.inet.0 table) in IPv4 format.

Distribution of Routes from PE to CE Routers

The remote PE router announces the routes in its VRF tables, which are in IPv4 format, to its directly connected CE routers. PE routers can communicate with CE routers using one of the following routing protocols:
• OSPF
• RIP
• BGP
• Static route

Figure 8 on page 16 illustrates how the three PE routers announce their routes to their connected CE routers.

Figure 8: Distribution of Routes from PE Routers to CE Routers

Forwarding Across the Provider's Core Network

The PE routers in the provider's core network are the only routers that are configured to support VPNs and hence are the only routers to have information about the VPNs. From the point of view of VPN functionality, the provider (P) routers in the core—those P routers that are not directly connected to CE routers—are merely routers along the tunnel between PE routers. The tunnels can be either LDP or MPLS.
Any P routers along the tunnel must support the protocol used for the tunnel, either LDP or MPLS.

When PE-router-to-PE-router forwarding is tunneled over MPLS label-switched paths (LSPs), the MPLS packets have a two-level label stack (see Figure 9 on page 17):
• Outer label—Label assigned to the address of the BGP next hop by the IGP next hop
• Inner label—Label that the BGP next hop assigned for the packet's destination address

Figure 9: Using MPLS LSPs to Tunnel Between PE Routers

Figure 10 on page 17 illustrates how the labels are assigned and removed:
1. When CE Router X forwards a packet to Router PE1 with a destination of CE Router Y, the PE router identifies the BGP next hop to Router Y and assigns a label that corresponds to the BGP next hop and identifies the destination CE router. This label is the inner label.
2. Router PE1 then identifies the IGP route to the BGP next hop and assigns a second label that corresponds to the LSP of the BGP next hop. This label is the outer label.
3. The inner label remains the same as the packet traverses the LSP tunnel. The outer label is swapped at each hop along the LSP and is then popped by the penultimate hop router (the third P router).
4. Router PE2 pops the inner label from the route and forwards the packet to Router Y.

Figure 10: Label Stack

Routing Instances for VPNs

To implement Layer 3 VPNs in the JUNOS Software, you configure one routing instance for each VPN. You configure the routing instances on PE routers only. Each VPN routing instance consists of the following components:
• VRF table—On each PE router, you configure one VRF table for each VPN.
• Set of interfaces that use the VRF table—The logical interface to each directly connected CE router must be associated with a VRF table. You can associate more than one interface with the same VRF table if more than one CE router in a VPN is directly connected to the PE router.
• Policy rules—These control the import of routes into and the export of routes from the VRF table.
• One or more routing protocols that install routes from CE routers into the VRF table—You can use the BGP, OSPF, and RIP routing protocols, and you can use static routes.

Multicast over Layer 3 VPNs

You can configure multicast routing over a network running a Layer 3 VPN that complies with RFC 4364. This section describes this type of network application and includes these topics:
• Multicast over Layer 3 VPNs Overview on page 18
• Sending PIM Hello Messages to the PE Routers on page 19
• Sending PIM Join Messages to the PE Routers on page 20
• Receiving the Multicast Transmission on page 20

Multicast over Layer 3 VPNs Overview

In the unicast environment for Layer 3 VPNs, all VPN state information is contained within the PE routers. However, with multicast for Layer 3 VPNs, Protocol Independent Multicast (PIM) adjacencies are established in one of the following ways:
• You can set PIM adjacencies between the CE router and the PE router through a VRF instance at the [edit routing-instances instance-name protocols pim] hierarchy level. You must include the group-address statement for the provider tunnel, specifying a multicast group. The rendezvous point (RP) listed within the VRF instance is the VPN customer RP (C-RP).
• You can also set the master PIM instance and the PE's IGP neighbors by configuring statements at the [edit protocols pim] hierarchy level. You must add the multicast group specified in the VRF instance to the master PIM instance. The set of master PIM adjacencies throughout the service provider network makes up the forwarding path that becomes an RP tree rooted at the service provider RP (SP-RP).

Therefore, P routers within the provider core must maintain multicast state information for the VPNs. For this to work properly, you need two types of RP routers for each VPN:
• A C-RP—An RP router located somewhere within the VPN (can be either a service provider router or a customer router)
• An SP-RP—An RP router located within the service provider network

NOTE: A PE router can act as the SP-RP and the C-RP. Moving these multicast configuration tasks to service provider routers helps to simplify the multicast Layer 3 VPN configuration process for customers. However, configuration of both SP-RP and VPN C-RP on the same PE router is not supported.

To configure multicast over a Layer 3 VPN, you must install a Tunnel Services Physical Interface Card (PIC) on the following devices:
• P routers acting as RPs
• PE routers configured to run multicast routing
• CE routers acting as designated routers or as VPN RPs

For more information about running multicast over Layer 3 VPNs, see the following documents:
• Internet draft draft-rosen-vpn-mcast-02.txt, Multicast in MPLS/BGP VPNs
• Junos OS Multicast Protocols Configuration Guide

The sections that follow describe the operation of a multicast VPN. Figure 11 on page 19 illustrates the network topology used.

Figure 11: Multicast Topology Overview

Sending PIM Hello Messages to the PE Routers

The first step in initializing multicast over a Layer 3 VPN is the distribution of a PIM Hello message from a PE router (called PE3 in this section) to all the other PE routers on which PIM is configured. You configure PIM on the Layer 3 VPN routing instance on the PE3 router. If a Tunnel Services PIC is installed in the routing platform, a multicast interface is created. This interface is used to communicate between the PIM instance within the VRF routing instance and the master PIM instance.

The following occurs when a PIM Hello message is sent to the PE routers:
1. A PIM Hello message is sent from the VRF routing instance over the multicast interface.
   A generic routing encapsulation (GRE) header is prepended to the PIM Hello message. The header includes the VPN group address and the loopback address of the PE3 router.
2. A PIM register header is prepended to the Hello message as the packet is looped through the PIM encapsulation interface. This header contains the destination address of the SP-RP and the loopback address of the PE3 router.
3. The packet is sent to the SP-RP.
4. The SP-RP removes the top header from the packet and sends the remaining GRE-encapsulated Hello message to all the PE routers.
5. The master PIM instance on each PE router handles the GRE-encapsulated packet. Because the VPN group address is contained in the packet, the master instance removes the GRE header from the packet and sends the Hello message, which contains the proper VPN group address, within the VRF routing instance over the multicast interface.

Sending PIM Join Messages to the PE Routers

To receive a multicast broadcast from a multicast network, a CE router must send a PIM Join message to the C-RP. The process described in this section refers to Figure 11 on page 19.

The CE3 router needs to receive a multicast broadcast from multicast source 224.0. To receive the broadcast, it sends a PIM Join message to the C-RP (the PE3 router):
1. The PIM Join message is sent through the multicast interface, and a GRE header is prepended to the message. The GRE header contains the VPN group ID and the loopback address of the PE3 router.
2. The PIM Join message is then sent through the PIM encapsulation interface, and a register header is prepended to the packet. The register header contains the IP address of the SP-RP and the loopback address of the PE3 router.
3. The PIM Join message is sent to the SP-RP by means of unicast routing.
4. On the SP-RP, the register header is stripped off (the GRE header remains) and the packet is sent to all the PE routers.
5. The PE2 router receives the packet, and because the link to the C-RP is through the PE2 router, it sends the packet through the multicast interface to remove the GRE header.
6. Finally, the PIM Join message is sent to the C-RP.

Receiving the Multicast Transmission

The steps that follow outline how a multicast transmission is propagated across the network:
1. The multicast source connected to the CE1 router sends the packet to group 224.1.1.1 (the VPN group address).
2. The packet is encapsulated into a PIM register. Because this packet already includes the PIM header, it is forwarded by means of unicast routing to the C-RP over the Layer 3 VPN.
3. The C-RP decapsulates the packet and sends it out the downstream interfaces (which include the interface back to the CE3 router). The CE3 router also forwards this to the PE3 router.
4. The packet is sent through the multicast interface on the PE2 router; in the process, the GRE header is prepended to the packet.
5. Next, the packet is sent through the PIM encapsulation interface, where the register header is prepended to the data packet.
6. The packet is then forwarded to the SP-RP, which removes the register header, leaves the GRE header intact, and sends the packet to the PE routers.
7. PE routers remove the GRE header and forward the packet to the CE routers that requested the multicast broadcast by sending the PIM Join message.

NOTE: PE routers that have not received requests for multicast broadcasts from their connected CE routers still receive packets for the broadcast. These PE routers drop the packets as they are received.
CHAPTER 2
Introduction to Configuring Layer 3 VPNs

• Configuring a VPN Tunnel for VRF Table Lookup on page 23

Configuring a VPN Tunnel for VRF Table Lookup

You can configure a VPN tunnel to facilitate VRF table lookup based on MPLS labels. You might want to enable this functionality to forward traffic on a PE-router-to-CE-device interface in a shared medium, where the CE device is a Layer 2 switch without IP capabilities (for example, a metro Ethernet switch), or to perform egress filtering at the egress PE router. For more information about VPN tunnels and VT interfaces, see the Junos OS Services Interfaces Configuration Guide.

PART 2
Configuration

• Configuring Layer 3 VPNs
• Layer 3 VPN Configuration
• Layer 3 VPN Internet Access
• Additional Examples

CHAPTER 3
Configuring Layer 3 VPNs

• Introduction to Configuring Layer 3 VPNs on page 28
• Configuring Routing Between PE and CE Routers in Layer 3 VPNs on page 30
• Limiting the Number of Paths and Prefixes Accepted from CE Routers in Layer 3 VPNs on page 43
• Configuring Layer 3 VPNs to Carry IPv6 Traffic on page 44
• Configuring EBGP Multihop Sessions Between PE and CE Routers in Layer 3 VPNs on page 48
• Configuring Layer 3 VPNs to Carry IBGP Traffic on page 48
• Filtering Packets in Layer 3 VPNs Based on IP Headers on page 50
• Applying Custom MPLS EXP Classifiers to Routing Instances in Layer 3 VPNs on page 56
• Load Balancing and IP Header Filtering for Layer 3 VPNs on page 57
• Example: Load Balancing Layer 3 VPN Traffic While Simultaneously Using IP Header Filtering on page 58
• Configuring a Label Allocation and Substitution Policy for VPNs on page 72
• Configuring Logical Units on the Loopback Interface for Routing Instances in Layer 3 VPNs on page 74
• Configuring Multicast Layer 3 VPNs on page 75
• Configuring Packet Forwarding for Layer 3 VPNs on page 76
• Configuring GRE Tunnels for Layer 3 VPNs on page 78
• Configuring an ES Tunnel Interface for Layer 3 VPNs on page 81
• Configuring IPsec Tunnels Instead of MPLS LSPs Between PE Routers in Layer 3 VPNs on page 83
• Configuring Protocol-Independent Load Balancing in Layer 3 VPNs on page 66
• Configuring the Algorithm That Determines the Active Route to Evaluate AS Numbers in AS Paths for VPN Routes on page 89
• Configuring Traffic Policing in Layer 3 VPNs on page 89
• Accepting Route Updates with Unique Inner VPN Labels in Layer 3 VPNs on page 90

Introduction to Configuring Layer 3 VPNs

To configure Layer 3 virtual private network (VPN) functionality, you must enable VPN support on the provider edge (PE) router. You must also configure any provider (P) routers that service the VPN, and you must configure the customer edge (CE) routers so that their routes are distributed into the VPN. To configure Layer 3 VPNs,
you include the following statements:

    description text;
    instance-type vrf;
    interface interface-name;
    protocols {
        bgp {
            group group-name {
                peer-as as-number;
                neighbor ip-address;
            }
            multihop ttl-value;
        }
        (ospf | ospf3) {
            area area {
                interface interface-name;
                sham-link-remote address <metric metric>;
            }
            domain-id domain-id;
            domain-vpn-tag number;
            sham-link {
                local address;
            }
        }
        rip {
            group group-name {
                export [ policy-names ];
                neighbor interface-name;
            }
        }
    }
    route-distinguisher (as-number:id | ip-address:id);
    router-id address;
    routing-options {
        autonomous-system autonomous-system {
            independent-domain;
            loops number;
        }
        forwarding-table {
            export [ policy-names ];
        }
        interface-routes {
            rib-group group-name;
        }
        martians {
            destination-prefix match-type <allow>;
        }
        maximum-paths path-limit <log-interval interval> <log-only | threshold percentage>;
        maximum-prefixes prefix-limit <log-interval interval> <log-only | threshold percentage>;
        multipath {
            vpn-unequal-cost;
        }
        options {
            syslog (level level | upto level);
        }
        rib routing-table-name {
            martians {
                destination-prefix match-type <allow>;
            }
            multipath {
                vpn-unequal-cost;
            }
            static {
                defaults {
                    static-options;
                }
                route destination-prefix {
                    next-hop [ next-hops ];
                    static-options;
                }
            }
        }
        static {
            defaults {
                static-options;
            }
            route destination-prefix {
                policy [ policy-names ];
                static-options;
            }
        }
    }
    vrf-advertise-selective {
        family {
            inet-mvpn;
            inet6-mvpn;
        }
    }
    vrf-export [ policy-names ];
    vrf-import [ policy-names ];
    vrf-target (community | export community-name | import community-name);
    vrf-table-label;

You can include these statements at the following hierarchy levels:

• [edit routing-instances routing-instance-name]
• [edit logical-systems logical-system-name routing-instances routing-instance-name]

For Layer 3 VPNs, only some of the statements in the [edit routing-instances] hierarchy are valid. For the full hierarchy,
see the Junos OS Routing Protocols Configuration Guide.

In addition to these statements, you must enable a signaling protocol, IBGP sessions between the PE routers, and an interior gateway protocol (IGP) on the PE and P routers. By default, Layer 3 VPNs are disabled. Many of the configuration procedures for Layer 3 VPNs are common to all types of VPNs.

Related Documentation

• Centralized Internet Access on page 273
• Configuring Hub-and-Spoke VPN Topologies: One Interface
• Configuring Hub-and-Spoke VPN Topologies: Two Interfaces on page 122
• Configuring Overlapping VPNs Using Automatic Route Export on page 172
• Configuring Overlapping VPNs Using Routing Table Groups on page 161
• Configuring Full-Mesh VPN Topology with Route Reflectors
• Configuring GRE Tunnel Interface Between PE Routers on page 176
• Configuring GRE Tunnel Interface Between a PE and CE Router on page 162
• Configuring a Simple Full-Mesh VPN Topology on page 95
• Configuring an Application-Based Layer 3 VPN Topology on page 151
• Configuring an ES Tunnel Interface Between a PE and CE Router on page 185
• Configuring an LDP-over-RSVP VPN Topology on page 137
• Configuring an OSPF Domain ID for a Layer 3 VPN on page 156
• Distributed Internet Access on page 250
• Routing Internet Traffic Through a Separate NAT Device on page 266
• Routing VPN and Internet Traffic Through Different Interfaces on page 251
• Routing VPN and Internet Traffic Through the Same Interface Bidirectionally (VPN Has Private Addresses) on page 262
• Routing VPN and Internet Traffic Through the Same Interface Bidirectionally (VPN Has Public Addresses) on page 258
• Routing VPN and Outgoing Internet Traffic Through the Same Interface and Routing Return Internet Traffic Through a Different Interface on page 257
• Setting the Forwarding Class of the Ping Packets

Configuring Routing Between PE and CE Routers in Layer 3 VPNs

For the PE router to distribute VPN-related routes to and from connected CE routers,
you must configure routing within the VPN routing instance. You can configure a routing protocol (BGP, OSPF, or RIP), or you can configure static routing. For the connection to each CE router, you can configure only one type of routing.

The following sections explain how to configure VPN routing between the PE and CE routers:

• Configuring BGP Between the PE and CE Routers on page 31
• Configuring OSPF Between the PE and CE Routers on page 32
• Configuring RIP Between the PE and CE Routers on page 41
• Configuring Static Routes Between the PE and CE Routers on page 43

Configuring BGP Between the PE and CE Routers

To configure BGP as the routing protocol between the PE and the CE routers, include the bgp statement:

    bgp {
        group group-name {
            peer-as as-number;
            neighbor ip-address;
        }
    }

You can include this statement at the following hierarchy levels:

• [edit routing-instances routing-instance-name protocols]
• [edit logical-systems logical-system-name routing-instances routing-instance-name protocols]

Be aware of the following limitation when configuring BGP for routing instances:

• In a VRF routing instance, do not configure the local autonomous system (AS) number using an AS number that is already in use by a remote BGP peer in a separate VRF routing instance.
Doing so creates an autonomous system loop in which all the routes received from this remote BGP peer are hidden.

You configure the local AS number using either the autonomous-system statement at the [edit routing-instances routing-instance-name routing-options] hierarchy level or the local-as statement at any of the following hierarchy levels:

• [edit routing-instances routing-instance-name protocols bgp]
• [edit routing-instances routing-instance-name protocols bgp group group-name]
• [edit routing-instances routing-instance-name protocols bgp group group-name neighbor address]

You configure the AS number for a BGP peer using the peer-as statement at the [edit routing-instances routing-instance-name protocols bgp group group-name] hierarchy level.

Configuring OSPF Between the PE and CE Routers

You can configure OSPF (version 2 or version 3) to distribute VPN-related routes between PE and CE routers.

The following sections describe how to configure OSPF as a routing protocol between the PE and the CE routers:

• Configuring OSPF Version 2 Between the PE and CE Routers on page 32
• Configuring OSPF Version 3 Between the PE and CE Routers on page 32
• Configuring OSPF Sham Links for Layer 3 VPNs on page 33
• Configuring an OSPF Domain ID on page 35

Configuring OSPF Version 2 Between the PE and CE Routers

To configure OSPF version 2 as the routing protocol between a PE and CE router, include the ospf statement:

    ospf {
        area area {
            interface interface-name;
        }
    }

You can include this statement at the following hierarchy levels:

• [edit routing-instances routing-instance-name protocols]
• [edit logical-systems logical-system-name routing-instances routing-instance-name protocols]

Configuring OSPF Version 3 Between the PE and CE Routers

To configure OSPF version 3 as the routing protocol between a PE and CE router, include the ospf3 statement:

    ospf3 {
        area area {
            interface interface-name;
        }
    }

You can include this statement at the following hierarchy levels:

• [edit routing-instances routing-instance-name protocols]
• [edit logical-systems logical-system-name routing-instances routing-instance-name protocols]

Configuring OSPF Sham Links for Layer 3 VPNs

When you configure OSPF between the PE and CE routers of a Layer 3 VPN, you can also configure OSPF sham links to compensate for issues related to OSPF intra-area links.

The following sections describe OSPF sham links and how to configure them:

• OSPF Sham Links Overview on page 33
• Configuring OSPF Sham Links on page 34
• OSPF Sham Links Example on page 34

OSPF Sham Links Overview

Figure 12 on page 33 provides an illustration of when you might configure an OSPF sham link. Router CE1 and Router CE2 are located in the same OSPF area. These CE routers are linked together by a Layer 3 VPN over Router PE1 and Router PE2. In addition, Router CE1 and Router CE2 are connected by an intra-area link used as a backup.

OSPF treats the link through the Layer 3 VPN as an inter-area link. By default, OSPF prefers intra-area links to inter-area links, so OSPF selects the backup intra-area link as the active path.
This is not acceptable in configurations where the intra-area link is not the expected primary path for traffic between the CE routers. An OSPF sham link is also an intra-area link, except that it is configured between the PE routers as shown in Figure 12 on page 33. You can configure the metric for the sham link to ensure that the path over the Layer 3 VPN is preferred to a backup path over an intra-area link connecting the CE routers.

Figure 12: OSPF Sham Link

You should configure an OSPF sham link under the following circumstances:

• Two CE routers are linked together by a Layer 3 VPN.
• These CE routers are in the same OSPF area.
• An intra-area link is configured between the two CE routers.

If there is no intra-area link between the CE routers, you do not need to configure an OSPF sham link.

For more information about OSPF sham links, see the Internet draft draft-ietf-l3vpn-ospf-2547-01.txt, OSPF as the PE/CE Protocol in BGP/MPLS VPNs (published as RFC 4577).

Configuring OSPF Sham Links

The sham link is an unnumbered point-to-point intra-area link and is advertised by means of a Type 1 link-state advertisement (LSA). Sham links are valid only for routing instances and OSPF version 2. Each sham link is identified by a combination of the local and remote sham link end-point addresses and the OSPF area to which it belongs. Sham links must be configured manually.

You configure the sham link between two PE routers, both of which are within the same VRF routing instance. You need to specify the address for the local end point of the sham link. This address is used as the source for the sham link packets and is also used by the remote PE router as the sham link remote end point.

The OSPF sham link's local address must be specified with a loopback address for the local VPN. The route to this address must be propagated by BGP.
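The route selection that a sham link changes, shown as an added example rather than as material from this guide: a small Python model of the two OSPF rules the overview relies on (an intra-area path always wins over an inter-area path, and among paths of the same class the lower total metric wins), run over a constructed topology with the router names of Figure 12. The link metrics, the metric of 1 assumed for the route learned across the VPN when no sham link exists, and the function names are all assumptions of the example, not Junos behaviour or configuration.

```python
"""OSPF path selection between CE1 and CE2 with and without a sham link.

Added example; not Junos code. Models only two OSPF preference rules:
intra-area paths beat inter-area paths regardless of cost, then lowest
total metric wins. Topology and metrics are constructed for the example.
"""

INTRA_AREA = 0   # preferred class: every hop is an intra-area link
INTER_AREA = 1   # any inter-area hop makes the whole path inter-area


def build_topology(sham_link_metric=None, backdoor_metric=50):
    """Return {router: [(neighbor, metric, path_class), ...]}.

    CE1-PE1 and PE2-CE2 are the PE/CE links, CE1-CE2 is the backup
    intra-area link. Without a sham link, what PE1 learns from PE2 over
    the Layer 3 VPN is an inter-area route (modelled as an inter-area
    edge with an assumed metric of 1). With a sham link, PE1-PE2 is an
    intra-area link carrying the configured sham-link metric.
    """
    links = [
        ("CE1", "PE1", 10, INTRA_AREA),
        ("PE2", "CE2", 10, INTRA_AREA),
        ("CE1", "CE2", backdoor_metric, INTRA_AREA),
    ]
    if sham_link_metric is None:
        links.append(("PE1", "PE2", 1, INTER_AREA))
    else:
        links.append(("PE1", "PE2", sham_link_metric, INTRA_AREA))
    adj = {}
    for a, b, metric, cls in links:
        adj.setdefault(a, []).append((b, metric, cls))
        adj.setdefault(b, []).append((a, metric, cls))
    return adj


def candidate_paths(adj, src, dst):
    """Enumerate loop-free paths as (path_class, total_metric, hops)."""
    found = []

    def walk(node, hops, metric, cls):
        if node == dst:
            found.append((cls, metric, list(hops)))
            return
        for nxt, m, c in adj[node]:
            if nxt not in hops:
                hops.append(nxt)
                walk(nxt, hops, metric + m, max(cls, c))
                hops.pop()

    walk(src, [src], 0, INTRA_AREA)
    return found


def best_path(adj, src, dst):
    """OSPF preference: path class first, then lowest total metric."""
    cls, metric, hops = min(candidate_paths(adj, src, dst),
                            key=lambda p: (p[0], p[1]))
    return {"class": "intra-area" if cls == INTRA_AREA else "inter-area",
            "metric": metric, "hops": hops}


def ce1_to_ce2(sham_link_metric=None, backdoor_metric=50):
    """Active CE1->CE2 path for the given sham-link and backdoor metrics."""
    return best_path(build_topology(sham_link_metric, backdoor_metric),
                     "CE1", "CE2")


if __name__ == "__main__":
    for label, kwargs in [("no sham link", {}),
                          ("sham link metric 1", {"sham_link_metric": 1}),
                          ("sham link metric 40", {"sham_link_metric": 40})]:
        print(f"{label:20s} -> {ce1_to_ce2(**kwargs)}")
```

With no sham link the backdoor wins even though the VPN path is far cheaper (21 against 50), because the VPN path is inter-area. A sham link of metric 1 turns the VPN path into an intra-area path of cost 21, which beats the backdoor. A sham link of metric 40 makes the VPN path cost 60, so the backdoor wins again: configuring the sham link is necessary but its metric still has to be lower than the backdoor path.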
Specify the address for the local end point using the local option of the sham-link statement:

    sham-link {
        local address;
    }

You can include this statement at the following hierarchy levels:

• [edit routing-instances routing-instance-name protocols ospf]
• [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf]

The OSPF sham link's remote address must be specified with a loopback address for the remote VPN. The route to this address must be propagated by BGP. To specify the address for the remote end point, include the sham-link-remote statement:

    sham-link-remote address <metric metric>;

You can include this statement at the following hierarchy levels:

• [edit routing-instances routing-instance-name protocols ospf area area-id]
• [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf area area-id]

Optionally, you can include the metric option to set a metric value for the remote end point. The metric value specifies the cost of using the link. Routes with lower total path metrics are preferred over those with higher path metrics. You can configure a value from 1 through 65,535. The default value is 1.

OSPF Sham Links Example

This example shows how to enable OSPF sham links on a PE router. The following is the loopback interface configuration on the PE router.
The address configured is for the local end point of the OSPF sham link:

    [edit]
    interfaces {
        lo0 {
            unit 1 {
                family inet {
                    address 10.1.1.1/32;
                }
            }
        }
    }

The following is the routing instance configuration on the PE router, including the configuration for the OSPF sham link. The sham-link local statement is configured with the address of the local loopback interface:

    [edit]
    routing-instances {
        example-sham-links {
            instance-type vrf;
            interface e1-1/0/2.0;
            interface lo0.1;
            route-distinguisher 3:4;
            vrf-import vpn-red-import;
            vrf-export vpn-red-export;
            protocols {
                ospf {
                    sham-link local 10.1.1.1;
                    area 0.0.0.0 {
                        sham-link-remote 10.2.2.2 metric 1;
                        interface e1-1/0/2.0 metric 1;
                    }
                }
            }
        }
    }

Configuring an OSPF Domain ID

For most OSPF configurations involving Layer 3 VPNs, you do not need to configure an OSPF domain ID. However, for a Layer 3 VPN connecting multiple OSPF domains, configuring OSPF domain IDs can help you control LSA translation (for Type 3 and Type 5 LSAs) between the OSPF domains and back-door paths.

Without the domain IDs, there is no way to identify which domain the routes originated from after the OSPF or OSPFv3 routes are distributed into BGP routes and advertised across the BGP VPN backbone. Distinguishing which OSPF or OSPFv3 domain a route originated from allows classification of routes as Type 3 LSAs or Type 5 LSAs.

Each VPN routing and forwarding (VRF) table in a PE router associated with an OSPF instance is configured with the same OSPF domain ID. The default OSPF domain ID is the null value 0.0.0.0. As shown in Table 3 on page 36, a route with a null domain ID is handled differently from a route without any domain ID at all.
Table 3: How a PE Router Redistributes and Advertises Routes

Route Type     Domain ID Carried by Route   Domain ID Configured on Receiving PE   Advertised As
Type 3 route   A:B:C:D                      A:B:C:D                                Type 3 LSA
Type 3 route   A:B:C:D                      E:F:G:H                                Type 5 LSA
Type 3 route   0.0.0.0                      0.0.0.0                                Type 3 LSA
Type 3 route   Null                         0.0.0.0                                Type 3 LSA
Type 3 route   Null                         Null                                   Type 3 LSA
Type 3 route   0.0.0.0                      Null                                   Type 3 LSA
Type 3 route   A:B:C:D                      Null                                   Type 5 LSA
Type 3 route   Null                         A:B:C:D                                Type 5 LSA
Type 5 route   Not applicable               Not applicable                         Type 5 LSA

To summarize:

• If the receiving PE router sees a Type 3 route with a matching domain ID, the route is redistributed and advertised as a Type 3 LSA.
• If the receiving PE router sees a Type 3 route without a domain ID (the extended attribute field of the route's BGP update does not include a domain ID), and the receiving router itself has either no domain ID or the null domain ID 0.0.0.0 configured, the route is redistributed and advertised as a Type 3 LSA.
• If the receiving PE router sees a Type 3 route with a non-matching domain ID, the route is redistributed and advertised as a Type 5 LSA.
• If the receiving PE router sees a Type 3 route with a domain ID, but the router does not have a domain ID configured, the route is redistributed and advertised as a Type 5 LSA.
• If the receiving PE router sees a Type 5 route, the route is redistributed and advertised as a Type 5 LSA, regardless of the domain ID.

You can configure an OSPF domain ID for both version 2 and version 3 of OSPF. The only difference in the configurations is that you include statements at the [edit routing-instances routing-instance-name protocols ospf] hierarchy level for OSPF version 2 and at the [edit routing-instances routing-instance-name protocols ospf3] hierarchy level for OSPF version 3. The configuration descriptions that follow present the OSPF version 2 statement only. However, the substatements are also valid for OSPF version 3.

To configure a domain ID, perform the following tasks:

1. Specify a domain ID in the BGP extended community ID.
2. Set a route type.
3.
Configure a VRF export policy to explicitly attach the outbound extended community ID to outbound routes.
4. Define a community with members that possess the community ID.

The extended community ID can then be carried across the BGP VPN backbone. When the route is redistributed back as an OSPF or OSPFv3 route on the PE router and advertised to the CE near the destination, the domain ID identifies which domain the route originated from. The routing instance checks incoming routes for the domain ID. The route is then propagated as either a Type 3 LSA or a Type 5 LSA.

To configure an OSPF domain ID, include the domain-id statement:

    domain-id domain-id;

For domain-id, specify either an IP address or an IP address and a local identifier using the following format: ip-address:local-identifier. If you do not specify local-identifier with the IP address, the identifier is assumed to have a value of 0.

You can include this statement at the following hierarchy levels:

• [edit routing-instances routing-instance-name protocols ospf]
• [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf]

On the local PE router, the prefix of the directly connected PE/CE interface is an active direct route. This route is also an OSPF or OSPFv3 route. In the VRF export policy, the direct prefix is exported to advertise the route to the remote PE. This route is injected as an AS-external-LSA, much as when a direct route is exported into OSPF or OSPFv3. Domain ID ensures that an originated summary LSA arrives at the remote PE as a summary LSA. Domain ID does not translate AS-external-LSAs into summary LSAs.

If the router ID is not configured in the routing instance, the router ID is derived from an interface address belonging to the routing instance.

To prevent routing loops when a domain ID is used as an alternate route preference for the OSPF or OSPFv3 external routes generated by the PE router, the DN bit of the LSA being distributed by the PE router must be set.
If the route is distributed in a Type 5 LSA and the DN bit is not supported by the PE router, the VPN tag is used instead.

You can set a VPN tag for the OSPF external routes generated by the PE router to prevent looping. By default, this tag is automatically calculated and needs no configuration. However, you can configure the domain VPN tag for Type 5 LSAs explicitly by including the domain-vpn-tag statement:

    domain-vpn-tag number;

You can include this statement at the following hierarchy levels:

• [edit routing-instances routing-instance-name protocols ospf]
• [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf]

The range is 1 through 4,294,967,295 (2^32 - 1). If you set VPN tags manually, you must set the same value for all PE routers in the VPN.

To clear the VPN tag when it is no longer needed (when the DN bit is supported on the PE router), include the no-domain-vpn-tag statement:

    no-domain-vpn-tag;

The DN bit is not currently supported in OSPFv3.

To set the route type, include the route-type-community statement:

    route-type-community (iana | vendor);

You can include the statement at the following hierarchy levels:

• [edit routing-instances routing-instance-name protocols (ospf | ospf3)]
• [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3)]

The domain-id setting in the routing instance is for a match on inbound Layer 3 VPN routes. A VRF export policy must be explicitly set for the outbound extended community domain-id attribute. You must configure an export policy to attach the domain ID to outgoing routes.
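The two decisions described above, as an added example that is not part of this guide or of Junos: a Python model of Table 3 (which LSA type a receiving PE uses for a Type 3 route, given the domain ID carried with the route and the domain ID configured locally) together with the loop-prevention check a PE applies to LSAs arriving back from a CE (the DN bit, or the VPN route tag on external LSAs where the DN bit is not supported). The domain IDs and the tag value 4000 are constructed for the example; the function and class names are the example's own.

```python
"""Domain-ID handling when a PE re-originates Layer 3 VPN routes into OSPF.

Added example; not Junos code. Encodes Table 3 and the DN-bit / VPN-tag
loop-prevention rules as small, testable functions. Domain IDs and tag
values are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

NULL_DOMAIN_ID = "0.0.0.0"   # default domain ID on a PE


@dataclass(frozen=True)
class VpnRoute:
    route_type: int            # 3: came from a summary LSA, 5: from an external LSA
    domain_id: Optional[str]   # None: no domain-id extended community carried at all


def lsa_type_for(route: VpnRoute, local_domain_id: Optional[str]) -> int:
    """LSA type (3 or 5) the receiving PE uses when advertising the route to its CE."""
    if route.route_type == 5:
        return 5   # externals stay external regardless of domain IDs
    if route.route_type != 3:
        raise ValueError("only Type 3 and Type 5 routes are redistributed")
    # For this decision Table 3 gives the null ID 0.0.0.0 and a missing
    # community the same result, so both are mapped to "no domain" here.
    remote = None if route.domain_id == NULL_DOMAIN_ID else route.domain_id
    local = None if local_domain_id == NULL_DOMAIN_ID else local_domain_id
    return 3 if remote == local else 5


# Rows of Table 3: (route type, domain ID on route, domain ID on PE, expected LSA type).
# "1.1.1.1" and "2.2.2.2" stand in for A:B:C:D and E:F:G:H.
TABLE_3 = [
    (3, "1.1.1.1", "1.1.1.1", 3),
    (3, "1.1.1.1", "2.2.2.2", 5),
    (3, NULL_DOMAIN_ID, NULL_DOMAIN_ID, 3),
    (3, None, NULL_DOMAIN_ID, 3),
    (3, None, None, 3),
    (3, NULL_DOMAIN_ID, None, 3),
    (3, "1.1.1.1", None, 5),
    (3, None, "1.1.1.1", 5),
    (5, "1.1.1.1", "1.1.1.1", 5),
]


def table_3_matches() -> bool:
    """True if lsa_type_for reproduces every row of Table 3."""
    return all(lsa_type_for(VpnRoute(t, rid), lid) == exp
               for t, rid, lid, exp in TABLE_3)


@dataclass(frozen=True)
class Lsa:
    lsa_type: int
    dn_bit: bool = False
    vpn_tag: int = 0           # route tag of an external LSA; 0 means no tag set


def pe_uses_lsa(lsa: Lsa, local_vpn_tag: int, dn_bit_supported: bool = True) -> bool:
    """Whether a PE uses an LSA received from a CE in its route calculation.

    LSAs a PE originated carry the DN bit (externals also carry the VPN tag).
    Seeing them come back from the CE side means they looped through the
    customer site, so they are ignored. Where the DN bit is not supported
    (OSPFv3), only the tag on external LSAs is available. Tag 0 is "no tag",
    which is what domain-vpn-tag 0 produces on a hub PE.
    """
    if dn_bit_supported and lsa.dn_bit:
        return False
    if lsa.lsa_type == 5 and lsa.vpn_tag != 0 and lsa.vpn_tag == local_vpn_tag:
        return False
    return True


if __name__ == "__main__":
    print("Table 3 reproduced:", table_3_matches())
    print("DN-bit LSA from CE used:", pe_uses_lsa(Lsa(3, dn_bit=True), 4000))
    print("tagged external, no DN support:",
          pe_uses_lsa(Lsa(5, vpn_tag=4000), 4000, dn_bit_supported=False))
```

The model makes the failure mode visible: a PE that neither supports the DN bit nor has a matching tag (for example, after the tag was cleared on one PE but not on its peers) will happily accept its own external routes back from the CE, which is why the text requires the same domain-vpn-tag value on all PE routers in the VPN.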
To configure an export policy to attach the domain ID and route distinguisher to the extended community ID on outbound routes, include the community statement:

    policy-statement policy-name {
        term term-name {
            from protocol (ospf | ospf3);
            then {
                community add community-name;
                accept;
            }
        }
        term b {
            then reject;
        }
    }
    community community-name members [ target:target-id domain-id:domain-id ];

To define the members of a community, include the community statement:

    community name {
        members [ community-ids ];
    }

Examples: Configuring an OSPF Domain ID

Configure a domain ID as a match condition for inbound Layer 3 VPN routes. Then configure an export policy to tag the extended community ID and the route distinguisher onto outgoing routes:

    [edit]
    routing-instances {
        ceA {
            instance-type vrf;
            interface ge-0/1/0.0;
            route-distinguisher 1:100;
            vrf-import vrf_import_routes;
            vrf-export vrf_export_routes;
            protocols {
                ospf {
                    domain-id 1.1.1.1;    # match for inbound routes
                    route-type-community vendor;
                    export vrf_import_routes;
                    area 0.0.0.0 {
                        interface ge-0/1/0.0;
                    }
                }
            }
        }
    }
    policy-options {
        policy-statement vrf_export_routes {
            term a {
                from protocol ospf;
                then {
                    community add export_target;
                    accept;
                }
            }
            term b {
                then reject;
            }
        }
        community export_target members [ target:1:100 domain-id:1.1.1.1:0 ];
    }

Leak a noninstance route into the instance routing table:

    [edit]
    routing-options {
        interface-routes {
            rib-group inet inet_to_site_A;
        }
        rib-groups {
            inet_to_site_A {
                import-rib [ inet.0 site_A.inet.0 ];
            }
        }
    }
    [edit]
    protocols {
        ospf {
            rib-group inet_to_site_A;
        }
    }
    [edit]
    policy-options {
        policy-statement announce_to_ce {
            term a {
                from {
                    protocol direct;
                    interface lo0.0;
                }
                then accept;
            }
        }
    }
    [edit]
    routing-instances {
        site_A {
            protocols {
                ospf {
                    export announce_to_ce;
                }
            }
        }
    }

Hub-and-Spoke Layer 3 VPNs and OSPF Domain IDs

The default behavior of an OSPF domain ID causes some problems for hub-and-spoke Layer 3 VPNs configured with OSPF between the hub PE router and the hub CE router when the routes are not aggregated. A hub-and-spoke configuration has a hub PE router with direct links to a hub CE router. The hub PE router receives Layer 3 BGP updates from the other remote spoke PE routers, and these are imported into the spoke routing instance. From the spoke routing instance, the OSPF LSAs are originated and sent to the hub CE router. The hub CE router typically aggregates these routes, and then sends these newly originated LSAs back to the hub PE router. The hub PE router exports the BGP updates to the remote spoke PE routers containing the aggregated prefixes.

However, if there are nonaggregated Type 3 summary LSAs or external LSAs, two issues arise with regard to how the hub PE router originates and sends LSAs to the hub CE router, and how the hub PE router processes LSAs received from the hub CE router:

• By default, all LSAs originated by the hub PE router in the spoke routing instance have the DN bit set. Also, all externally originated LSAs have the VPN route tag set. These settings help prevent routing loops. For Type 3 summary LSAs, routing loops are not a concern because the hub CE router, as an area border router (ABR), reoriginates the LSAs with the DN bit clear and sends them back to the hub PE router. However, the hub CE router does not reoriginate external LSAs, because they have an AS flooding scope.

You can originate the external LSAs (before sending them to the hub CE router) with the DN bit clear and the VPN route tag set to 0 by altering the hub PE router's routing instance configuration. To clear the DN bit and set the VPN route tag to zero on external LSAs originated by a PE router, configure 0 for the domain-vpn-tag statement at the [edit routing-instances routing-instance-name protocols ospf] hierarchy level.
You should include this configuration in the routing instance on the hub PE router facing the hub CE router where the LSAs are sent. When the hub CE router receives external LSAs from the hub PE router and then forwards them back to the hub PE router, the hub PE router can use the LSAs in its OSPF route calculation.

• When LSAs flooded by the hub CE router arrive at the hub PE router's routing instance, the hub PE router, acting as an ABR, does not consider these LSAs in its OSPF route calculations, even though the LSAs do not have the DN bit set and the external LSAs do not have a VPN route tag set. The LSAs are assumed to be from a disjoint backbone.

You can change the configuration of the PE router's routing instance to cause the PE router to act as a non-ABR by including the disable statement at the [edit routing-instances routing-instance-name protocols ospf domain-id] hierarchy level. You make this configuration change to the hub PE router that receives the LSAs from the hub CE router. By making this configuration change, the PE router's routing instance acts as a non-ABR. The PE router then considers the LSAs arriving from the hub CE router as if they were coming from a contiguous nonbackbone area.

Configuring RIP Between the PE and CE Routers

For a Layer 3 VPN, you can configure RIP on the PE router to learn the routes of the CE router or to propagate the routes of the PE router to the CE router. RIP routes learned from neighbors configured at any [edit routing-instances] hierarchy level are added to the routing instance's inet table (instance-name.inet.0).
To configure RIP as the routing protocol between the PE and the CE router, include the rip statement:

    rip {
        group group-name {
            export [ policy-names ];
            neighbor interface-name;
        }
    }

You can include this statement at the following hierarchy levels:

• [edit routing-instances routing-instance-name protocols]
• [edit logical-systems logical-system-name routing-instances routing-instance-name protocols]

By default, RIP does not advertise the routes it receives. To advertise routes from a PE router to a CE router, you need to configure an export policy on the PE router for RIP. For information about how to define an export policy, see the Junos OS Policy Framework Configuration Guide.

To specify an export policy for RIP, include the export statement:

    export [ policy-names ];

You can include this statement for RIP at the following hierarchy levels:

• [edit routing-instances routing-instance-name protocols rip group group-name]
• [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip group group-name]

To install routes learned from a RIP routing instance into multiple routing tables, include the rib-group and group statements:

    rib-group inet group-name;
    group group-name {
        neighbor interface-name;
    }

You can include these statements at the following hierarchy levels:

• [edit protocols rip]
• [edit routing-instances routing-instance-name protocols rip]
• [edit logical-systems logical-system-name protocols rip]
• [edit logical-systems logical-system-name routing-instances routing-instance-name protocols rip]

To configure a routing table group, include the rib-groups statement:

    rib-groups group-name;

You can include this statement at the following hierarchy levels:

• [edit routing-options]
• [edit logical-systems logical-system-name routing-options]

To add a routing table to a routing table group, include the import-rib statement.
The first routing table name specified under the import-rib statement must be the name of the routing table you are configuring. For more information about how to configure routing tables and routing table groups, see the Junos OS Routing Protocols Configuration Guide.

    import-rib [ group-names ];

You can include this statement at the following hierarchy levels:

• [edit routing-options rib-groups group-name]
• [edit logical-systems logical-system-name routing-options rib-groups group-name]

RIP instances are supported only for VRF instance types. You can configure multiple instances of RIP for VPN support only. You can use RIP in the customer edge-provider edge (CE-PE) environment to learn routes from the CE router and to propagate the PE router's instance routes to the CE router. RIP routes learned from neighbors configured under any instance hierarchy are added to the instance's routing table, instance-name.inet.0.

Configuring Static Routes Between the PE and CE Routers

You can configure static (nonchanging) routes between the PE and CE routers of a VPN routing instance. To configure
a static route for a VPN, you need to configure it within the VPN routing instance configuration at the [edit routing-instances routing-instance-name routing-options] hierarchy level.

To configure a static route between the PE and the CE routers, include the static statement:

    static {
        route destination-prefix {
            next-hop [ next-hops ];
            static-options;
        }
    }

You can include this statement at the following hierarchy levels:

• [edit routing-instances routing-instance-name routing-options]
• [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options]

For more information about configuring routing protocols and static routes, see the Junos OS Routing Protocols Configuration Guide.

Limiting the Number of Paths and Prefixes Accepted from CE Routers in Layer 3 VPNs

You can configure a maximum limit on the number of prefixes and paths that can be installed into the routing tables. Using prefix and path limits, you can curtail the number of prefixes and paths received from a CE router in a VPN. Prefix and path limits apply only to dynamic routing protocols, and are not applicable to static or interface routes.

To limit the number of paths accepted by a PE router from a CE router, include the maximum-paths statement:

    maximum-paths path-limit <log-interval interval> <log-only | threshold percentage>;

For a list of hierarchy levels at which you can configure this statement, see the statement summary section for this statement.

Specify the log-only option to generate warning messages only (an advisory limit). Specify the threshold option to generate warnings before the limit is reached. Specify the log-interval option to configure the minimum time interval between log messages.

There are two modes for route limits: advisory and mandatory. An advisory limit triggers warnings. A mandatory limit rejects additional routes after the limit is reached.

NOTE: Application of a route limit may result in unpredictable dynamic routing protocol behavior.
For example, when the limit is reached and routes are rejected, BGP may not reinstall the rejected routes after the number of routes drops back below the limit. BGP sessions may need to be cleared.

To limit the number of prefixes accepted by a PE router from a CE router, include the maximum-prefixes statement:

    maximum-prefixes prefix-limit <log-interval interval> <log-only | threshold percentage>;

For a list of hierarchy levels at which you can configure this statement, see the statement summary section for this statement.

The same two modes apply: an advisory limit triggers warnings, and a mandatory limit, in addition to triggering a warning message, rejects any additional paths or prefixes once the limit is reached. The note above about unpredictable dynamic routing protocol behavior applies to prefix limits as well.

You can also configure the following options for both the maximum-paths and maximum-prefixes statements:

• log-interval: Specify the minimum time interval between log messages.
• log-only: Generate warning messages only (an advisory limit).
No limit is placed on the number of paths or prefixes stored in the routing tables.
+ threshold—Generate warning messages after the specified percentage of the maximum paths or prefixes has been reached.

Configuring Layer 3 VPNs to Carry IPv6 Traffic

You can configure IP version 6 (IPv6) between the PE and CE routers of a Layer 3 VPN. The PE router must have the PE router to PE router BGP session configured with the family inet6-vpn statement. The CE router must be capable of receiving IPv6 traffic. You can configure BGP or static routes between the PE and CE routers.

The following sections explain how to configure IPv6 VPNs between the PE routers:

+ Configuring IPv6 on the PE Router on page 45
+ Configuring the Connection Between the PE and CE Routers on page 45
+ Configuring IPv6 on the Interfaces on page 47

Configuring IPv6 on the PE Router

To configure IPv6 between the PE and CE routers, include the family inet6-vpn statement in the configuration on the PE router:

    family inet6-vpn {
        (any | multicast | unicast) {
            aggregate-label community community-name;
            prefix-limit maximum prefix-limit;
            rib-group rib-group-name;
        }
    }

For a list of hierarchy levels at which you can configure this statement, see the statement summary section for this statement.

You also must include the ipv6-tunneling statement:

    ipv6-tunneling;

You can include this statement at the following hierarchy levels:

+ [edit protocols mpls]
+ [edit logical-systems logical-system-name protocols mpls]

Configuring the Connection Between the PE and CE Routers

To support IPv6 routes, you must configure BGP, OSPF version 3, or static routes for the connection between the PE and CE routers in the Layer 3 VPN. You can configure BGP to handle just IPv6 routes or both IP version 4 (IPv4) and IPv6 routes. For more information about IPv6, see the Junos OS Routing Protocols Configuration Guide.
The following sections explain how to configure BGP and static routes:

+ Configuring BGP on the PE Router to Handle IPv6 Routes on page 45
+ Configuring BGP on the PE Router for IPv4 and IPv6 Routes on page 46
+ Configuring OSPF Version 3 on the PE Router on page 46
+ Configuring Static Routes on the PE Router on page 47

Configuring BGP on the PE Router to Handle IPv6 Routes

To configure BGP in the Layer 3 VPN routing instance to handle IPv6 routes, include the bgp statement:

    bgp {
        group group-name {
            local-address IPv6-address;
            family inet6 {
                unicast;
            }
            peer-as as-number;
            neighbor IPv6-address;
        }
    }

You can include this statement at the following hierarchy levels:

+ [edit routing-instances routing-instance-name protocols]
+ [edit logical-systems logical-system-name routing-instances routing-instance-name protocols]

Configuring BGP on the PE Router for IPv4 and IPv6 Routes

To configure BGP in the Layer 3 VPN routing instance to handle both IPv4 and IPv6 routes, include the bgp statement:

    bgp {
        group group-name {
            local-address IPv4-address;
            family inet {
                unicast;
            }
            family inet6 {
                unicast;
            }
            peer-as as-number;
            neighbor address;
        }
    }

You can include this statement at the following hierarchy levels:

+ [edit routing-instances routing-instance-name protocols]
+ [edit logical-systems logical-system-name routing-instances routing-instance-name protocols]

Configuring OSPF Version 3 on the PE Router

To configure OSPF version 3 in the Layer 3 VPN routing instance to handle IPv6 routes, include the ospf3 statement:

    ospf3 {
        area area-id {
            interface interface-name;
        }
    }

You can include this statement at the following hierarchy levels:

+ [edit routing-instances routing-instance-name protocols]
+ [edit logical-systems logical-system-name routing-instances routing-instance-name protocols]

For complete configuration guidelines for this statement, see the Junos OS Routing Protocols
Configuration Guide.

Configuring Static Routes on the PE Router

To configure a static route to the CE router in the Layer 3 VPN routing instance, include the routing-options statement:

    routing-options {
        rib routing-table inet6.0 {
            static {
                defaults {
                    static-options;
                }
            }
        }
    }

You can include this statement at the following hierarchy levels:

+ [edit routing-instances routing-instance-name]
+ [edit logical-systems logical-system-name routing-instances routing-instance-name]

Configuring IPv6 on the Interfaces

You need to configure IPv6 on the PE router interfaces to the CE routers and on the CE router interfaces to the PE routers. To configure the interface to handle IPv6 routes, include the family inet6 statement:

    family inet6 {
        address ipv6-address;
    }

You can include this statement at the following hierarchy levels:

+ [edit interfaces interface-name unit unit-number]
+ [edit logical-systems logical-system-name interfaces interface-name unit unit-number]

If you have configured the Layer 3 VPN to handle both IPv4 and IPv6 routes, configure the interface to handle both IPv4 and IPv6 routes by including the unit statement:

    unit unit-number {
        family inet {
            address ipv4-address;
        }
        family inet6 {
            address ipv6-address;
        }
    }

You can include this statement at the following hierarchy levels:

+ [edit interfaces interface-name]
+ [edit logical-systems logical-system-name interfaces interface-name]

Configuring EBGP Multihop Sessions Between PE and CE Routers in Layer 3 VPNs

You can configure an EBGP or IBGP multihop session between the PE and CE routers of a Layer 3 VPN. This allows you to have one or more routers between the PE and CE routers. Using IBGP between PE and CE routers does not require the configuration of any additional statements. However, using EBGP between the PE and CE routers requires the configuration of the multihop statement.
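The IPv6 Layer 3 VPN steps above (family inet6-vpn and ipv6-tunneling on the PE router, the dual-stack BGP group in the routing instance, the inet6.0 static route and the interface families) combined with the prefix and path limits from "Limiting the Number of Paths and Prefixes Accepted from CE Routers", assembled into one PE configuration as an added example that is not from the guide. The instance name cust-a, the interface, the addresses and the AS numbers are constructed placeholders; the maximum-prefixes and maximum-paths statements are placed under the routing instance's routing-options, which is the level the section describes for per-CE limits.

```junos
## Added example, not from the guide; names, addresses and AS numbers are placeholders.
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet { address 10.0.1.1/30; }        # PE end of the PE-CE link
            family inet6 { address 2001:db8:1::1/64; }
        }
    }
}
protocols {
    mpls { ipv6-tunneling; }                            # required for IPv6 VPN routes
    bgp {
        group pe-pe {
            type internal;
            local-address 192.0.2.1;
            family inet-vpn { unicast; }
            family inet6-vpn { unicast; }               # IPv6 VPN routes between PEs
            neighbor 192.0.2.2;
        }
    }
}
routing-instances {
    cust-a {
        instance-type vrf;
        interface ge-0/0/1.0;
        route-distinguisher 65000:100;
        vrf-target target:65000:100;
        routing-options {
            ## Mandatory: reject beyond 1000 prefixes, warn at 80%, log at most once per 60 s.
            maximum-prefixes 1000 threshold 80 log-interval 60;
            ## Advisory: warn above 200 paths but keep installing them.
            maximum-paths 200 log-only;
            rib cust-a.inet6.0 {
                static { route 2001:db8:a::/48 next-hop 2001:db8:1::2; }
            }
        }
        protocols {
            bgp {
                group ce-dual-stack {                   # EBGP to the CE over IPv4 transport
                    type external;
                    local-address 10.0.1.1;
                    family inet { unicast; }
                    family inet6 { unicast; }
                    peer-as 65100;
                    neighbor 10.0.1.2;
                }
            }
        }
    }
}
```

The mandatory prefix limit protects the PE's routing table from a CE that leaks or advertises far more prefixes than expected, while the advisory path limit only reports; because rejected routes may not be reinstalled automatically once the count drops (see the NOTE above), a mandatory limit is a setting to size with headroom and to alert on.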
To configure an external BGP multihop session for the connection between the PE and CE routers, include the multihop statement on the PE router. To help prevent routing loops, you have to configure a time-to-live (TTL) value for the multihop session:

    multihop ttl-value;

For the list of hierarchy levels at which you can configure this statement, see the summary section for this statement.

Configuring Layer 3 VPNs to Carry IBGP Traffic

An independent AS domain is separate from the primary routing instance domain. An AS is a set of routers that are under single technical administration and that generally use a single IGP and metrics to propagate routing information within the set of routers. An AS appears to other ASs to have a single, coherent interior routing plan and presents a consistent picture of what destinations are reachable through it.

Configuring an independent domain allows you to keep the AS paths of the independent domain from being shared with the AS path and AS path attributes of other domains, including the master routing instance domain. If you are using BGP on the router, you must configure an AS number.

When you configure BGP as the routing protocol between a PE router and a CE router in a Layer 3 VPN, you typically configure external peering sessions between the Layer 3 VPN service provider and the customer network ASs. If the customer network has several sites advertising routes through an external BGP session to the service provider network and if the same AS is used by all the customer sites, the CE routers reject routes from the other CE routers. They detect a loop in the BGP AS path attribute.

To prevent the CE routers from rejecting each other's routes, you could configure the following:

+ PE routers advertising routes received from remote PE routers can remap the customer network AS number to its own AS number.
+ AS path loops can be configured.
+ The customer network can be configured with different AS numbers at each site.

These types of configurations can work when there are no BGP routing exchanges between the customer network and other networks. However, they do have limitations for customer networks that use BGP internally for purposes other than carrying traffic between the CE routers and the PE routers. When those routes are advertised outside the customer network, the service provider ASs are present in the AS path.

To improve the transparency of Layer 3 VPN services for customer networks, you can configure the routing instance for the Layer 3 VPN to isolate the customer's network attributes from the service provider's network attributes.

When you include the independent-domain statement in the Layer 3 VPN routing instance configuration, BGP attributes received from the customer network (from the CE router) are stored in a BGP attribute (ATTRSET) that functions like a stack. When that route is advertised from the remote PE router to the remote CE router, the original BGP attributes are restored. This is the default behavior for BGP routes that are advertised to Layer 3 VPNs located in different domains.

This functionality is described in the Internet draft draft-marques-ppvpn-ibgp-version.txt, RFC 2547bis Networks Using Internal BGP as PE-CE Protocol.

To allow a Layer 3 VPN to transport IBGP traffic, include the independent-domain statement:

    independent-domain;

You can include this statement at the following hierarchy levels:

+ [edit routing-instances routing-instance-name routing-options autonomous-system number]
+ [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options autonomous-system number]

NOTE: All PE routers participating in a Layer 3 VPN with the independent-domain statement in its configuration must be running Junos OS Release 6.3 or later.
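The independent-domain statement above together with the multihop statement from "Configuring EBGP Multihop Sessions Between PE and CE Routers", shown in one routing instance as an added example that is not from the guide. The instance name cust-b, the interfaces, the addresses and the AS numbers are constructed placeholders; the static route giving reachability to the non-adjacent EBGP neighbor is an assumption, since the multihop section itself only introduces the TTL.

```junos
## Added example, not from the guide; names, addresses and AS numbers are placeholders.
routing-instances {
    cust-b {
        instance-type vrf;
        interface ge-0/0/2.0;
        interface ge-0/0/3.0;
        route-distinguisher 65000:200;
        vrf-target target:65000:200;
        routing-options {
            ## The VRF runs in the customer's AS; independent-domain stacks the
            ## customer's BGP attributes in ATTRSET (attribute 128) across the
            ## provider core, so the remote CE receives the original AS path.
            autonomous-system 65100 {
                independent-domain;
            }
            ## Assumed: route to the CE that sits behind another customer router.
            static { route 10.0.3.4/30 next-hop 10.0.3.2; }
        }
        protocols {
            bgp {
                group ce-site1-ibgp {                   # IBGP PE-CE, no multihop needed
                    type internal;
                    local-address 10.0.2.1;
                    family inet { unicast; }
                    neighbor 10.0.2.2;
                }
                group ce-site2-ebgp {                   # EBGP PE-CE through one router
                    type external;
                    multihop {
                        ttl 2;                          # bounds how far session packets travel
                    }
                    local-address 10.0.3.1;
                    family inet { unicast; }
                    peer-as 65200;
                    neighbor 10.0.3.6;
                }
            }
        }
    }
}
```

Keep the multihop TTL at the smallest value that reaches the CE: it is the only check that limits where the session packets can be accepted from, so a generous TTL widens what a spoofed peer would need to get past.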
The independent domain uses the transitive path attribute 128 (attribute set) to tunnel the independent domain's BGP attributes through the Internal BGP (IBGP) core. In Junos OS Release 10.3 and later, if BGP receives attribute 128 and you have not configured an independent domain in any routing instance, BGP treats the received attribute 128 as an unknown attribute.

There is a limit of 16 ASs for each domain.

Related Documentation

+ Disabling Attribute Set Messages on Independent AS Domains for BGP Loop Detection

Filtering Packets in Layer 3 VPNs Based on IP Headers

Including the vrf-table-label statement in the configuration for a routing instance makes it possible to map the inner label to a specific VRF routing table; such mapping allows the examination of the encapsulated IP header at an egress VPN router. You might want to enable this functionality so that you can do either of the following:

+ Forward traffic on a PE-router-to-CE-device interface, in a shared medium, where the CE device is a Layer 2 switch without IP capabilities (for example, a metro Ethernet switch). The first lookup is done on the VPN label to determine which VRF table to refer to, and the second lookup is done on the IP header to determine how to forward packets to the correct end hosts on the shared medium.
+ Perform egress filtering at the egress PE router. The first lookup on the VPN label is done to determine which VRF routing table to refer to, and the second lookup is done on the IP header to determine how to filter and forward packets. You can enable this functionality by configuring output filters on the VRF interfaces.

When you include the vrf-table-label statement in the configuration of a VRF routing table, a label-switched interface (LSI) logical interface label is created and mapped to the VRF routing table.
Any routes in such a VRF routing table are advertised with the LSI logical interface label allocated for the VRF routing table. When packets for this VPN arrive on a core-facing interface, they are treated as if the enclosed IP packet arrived on the LSI interface and are then forwarded and filtered based on the correct table.

To filter traffic based on the IP header, include the vrf-table-label statement:

    vrf-table-label;

You can include the statement at the following hierarchy levels:

+ [edit routing-instances routing-instance-name]
+ [edit logical-systems logical-system-name routing-instances routing-instance-name]

You can include the vrf-table-label statement for both IPv4 and IPv6 Layer 3 VPNs. If you include the statement for a dual-stack VRF routing table (where both IPv4 and IPv6 routes are supported), the statement applies to both the IPv4 and IPv6 routes and the same label is advertised for both sets of routes.

The following sections provide more information about traffic filtering based on the IP header:

+ Egress Filtering Options on page 51
+ Support on Aggregated and VLAN Interfaces for IP-Based Filtering on page 51
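The egress-filtering case described above, as an added example that is not from the guide: the VRF gets a single table label through vrf-table-label, so the egress PE performs the second lookup on the inner IP header, and a constructed output filter on the CE-facing VRF interface then decides what is forwarded toward the customer. The filter name, the prefixes and ports, the interface and the instance name are placeholders.

```junos
## Added example, not from the guide; names, addresses and AS numbers are placeholders.
firewall {
    family inet {
        filter cust-a-egress {
            ## Constructed policy: toward the customer, only web traffic to the
            ## customer's published servers is forwarded; the rest is logged and dropped.
            term allow-web {
                from {
                    destination-address 10.10.0.0/24;
                    protocol tcp;
                    destination-port [ 80 443 ];
                }
                then accept;
            }
            term deny-rest {
                then {
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    output cust-a-egress;               # output filter on the VRF interface
                }
                address 10.0.1.1/30;
            }
        }
    }
}
routing-instances {
    cust-a {
        instance-type vrf;
        interface ge-0/0/1.0;
        route-distinguisher 65000:100;
        vrf-target target:65000:100;
        vrf-table-label;    # one LSI label per VRF: inner IP header is looked up at egress
    }
}
```

Without vrf-table-label the egress PE forwards on the per-next-hop VPN label alone and never examines the inner IP header, so an output filter on the CE-facing interface would not see the traffic that arrives from the core.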
