
Layer 3 VPNs—Advanced Topics

© 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net


Sharing Routes Between VRF Tables in the Same PE Router

[Diagram: one PE router holding VRF-A (VPN-A/B routes) and VRF-B (VPN-B/A routes); CE-A belongs to VPN-A and CE-B to VPN-B]

■ Goal: Allow communications between CE-A and CE-B without placing them into the same VPN
■ Solution: Use the auto-export command or RIB groups



auto-export Example
■ The auto-export command configured in multiple VRF tables causes the router to analyze the vrf-import/export policies or vrf-target statements in those VRF tables
  • VPN routes are copied into the appropriate local VRF tables

[Diagram: CE-A (10.0.21.2) on 10.0.21/24 attached to PE ge-0/0/0 (.1); PE lo0 192.168.16.1; CE-B (10.0.50.2) on 10.0.50/24 attached to PE ge-0/0/3 (.1)]

[edit routing-instances]
user@PE# show
vpn-a {
    instance-type vrf;
    interface ge-0/0/0.0;
    vrf-target target:65412:100;
    routing-options {
        auto-export;
    }
    protocols {
        bgp {
            group ce-a {
                peer-as 65000;
                as-override;
                neighbor 10.0.21.2;
                . . .
vpn-b {
    instance-type vrf;
    interface ge-0/0/3.0;
    vrf-target target:65412:100;
    routing-options {
        auto-export;
    }
    protocols {
        bgp {
            group ce-b {
                peer-as 65000;
                as-override;
                neighbor 10.0.50.2;
                . . .



VRF RIB Group Example

[Diagram: CE-A (10.0.21.2) on 10.0.21/24 attached to PE ge-0/0/0 (.1); PE lo0 192.168.16.1; CE-B (10.0.50.2) on 10.0.50/24 attached to PE ge-0/0/3 (.1)]

routing-options {
    rib-groups {
        a-to-b {
            import-rib [ vpn-a.inet.0 vpn-b.inet.0 ];
        }
        b-to-a {
            import-rib [ vpn-b.inet.0 vpn-a.inet.0 ];
        }
    }
    autonomous-system 65412;
}
routing-instances {
    vpn-a {
        . . .
        routing-options {
            interface-routes {
                rib-group inet a-to-b;
            }
        }
        protocols {
            bgp {
                group ext {
                    type external;
                    family inet {
                        unicast {
                            rib-group a-to-b;
                        }
                    }
                    . . .



Verifying the Results
user@PE# run show route table vpn-b

vpn-b.inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.21.0/24       *[Direct/0] 03:21:27
                    > via ge-0/0/0.0
                    [BGP/170] 03:21:27, localpref 100
                      AS path: 65001 I
                    > to 10.0.21.2 via ge-0/0/0.0
10.0.21.1/32       *[Local/0] 03:21:27
                      Local
10.0.50.0/24       *[Direct/0] 00:16:48
                    > via ge-0/0/3.0
10.0.50.1/32       *[Local/0] 00:16:48
                      Local
. . . .
(Callout: VRF routes, local and BGP, from VPN-A are now in VPN-B’s VRF table)

■ VPN-A’s interface and BGP routes are in VPN-B’s VRF table (although not shown, VPN-B’s interface/BGP routes are also present in VPN-A’s VRF table)
■ Traffic can now be forwarded between sites served by CE-A and CE-B



Keeping Shared VRF Routes from Other PE and CE Routers
[edit policy-options policy-statement vpnb-export]
user@PE# show
term 1 {
    from {
        protocol bgp;
        interface ge-0/0/3.0;
    }
    then {
        community add vpnb-target;
        accept;
    }
}
term 2 {
    then reject;
}
■ VRF export policy for vpn-b matches the routes learned from interface ge-0/0/3
  • Routes copied from the vpn-a VRF table are not sent to remote PE routers



Hub-and-Spoke Topologies
■ Reduces the number of BGP sessions and LSPs required, but the cost is an extra CE router hop
  • Spoke-to-spoke communications must transit the hub site
■ Requires two VRF instances in the hub PE router
  • Spoke VRF table contains routes received from spoke sites
  • Hub VRF table contains routes received from the hub CE device
■ Requires two VRF interfaces at the hub CE/PE link
  • Can be logical units on the same interface
■ Requires two route targets and possibly two route distinguishers when supporting route reflectors
■ Watch for AS path loop detection and OSPF domain ID problems
■ Issues might arise when the hub PE router has locally connected spokes, or when multiple spoke sites attach to the same spoke PE router



Signaling Flow Between Spokes

[Diagram: signaling steps 1 to 6: spoke CE-1 (1) advertises to the hub PE's spoke VRF, route target spoke (2); the hub PE passes the route to the hub CE over ge-0/0/0.0 (3); the hub CE returns it over ge-0/0/0.1 into the hub VRF (4), route target hub (5); the route reaches spoke CE-2 (6)]


Data Flow Between Spokes

[Diagram: data steps 1 to 6 in the opposite direction: spoke CE-2 (1) sends traffic to the hub PE's hub VRF (2); it goes to the hub CE over ge-0/0/0.1 (3) and returns over ge-0/0/0.0 (4) into the spoke VRF (5), which forwards it to spoke CE-1 (6)]



Sample Spoke Configuration (1 of 3)
■ A single routing instance is defined in the spoke sites:
routing-instances {
    vpna {
        instance-type vrf;
        interface ge-0/0/0.0;
        route-distinguisher 192.168.16.1:1;
        vrf-import vpna-import;
        vrf-export vpna-export;
        protocols {
            bgp {
                group ext {
                    type external;
                    peer-as 65001;
                    as-override;
                    neighbor 10.0.21.2;
                }
            }
        }
    }
}



Sample Spoke Configuration (2 of 3)
■ A spoke site’s VRF import policy that accepts routes tagged as coming from the hub route target:
policy-options {
    policy-statement vpna-import {
        term 1 {
            from {
                protocol bgp;
                community hub;
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }
    community origin-pe1 members origin:192.168.16.1:1;
    community hub members target:65412:100;
    community spoke members target:65412:101;
}
Sample Spoke Configuration (3 of 3)
■ A spoke site’s export policy and community definitions:
policy-options {
    . . .
    policy-statement vpna-export {
        term 1 {
            from protocol [ bgp static direct ];
            then {
                community add origin-pe1;
                community add spoke;
                accept;
            }
        }
        term 3 {
            then reject;
        }
    }
    community origin-pe1 members origin:192.168.16.1:1;
    community hub members target:65412:100;
    community spoke members target:65412:101;
}
Sample Hub Configuration (1 of 4)
■ Multiple interfaces (logical or physical) are needed at the hub location:
interfaces {
    ge-0/0/0 {
        vlan-tagging;
        unit 0 {
            vlan-id 100;
            family inet {
                address 10.0.29.1/24;
            }
        }
        unit 1 {
            vlan-id 200;
            family inet {
                address 10.0.30.1/24;
            }
        }
    }
}



Sample Hub Configuration (2 of 4)
■ The hub instance exports routes learned from the hub CE device to the remote spokes:
routing-instances {
    hub {
        instance-type vrf;
        interface ge-0/0/0.1;
        route-distinguisher 192.168.24.1:1;
        vrf-import null;
        vrf-export hub-out;
        protocols {
            bgp {
                group ext1 {
                    type external;
                    peer-as 65001;
                    neighbor 10.0.30.2;
                }
            }
        }
    }
}



Sample Hub Configuration (3 of 4)
■ The spoke instance imports routes from the remote spokes and sends them to the hub CE device:
routing-instances {
    . . .
    spoke {
        instance-type vrf;
        interface ge-0/0/0.0;
        route-distinguisher 192.168.24.1:1;
        vrf-import spoke-in;
        vrf-export null;
        protocols {
            bgp {
                group ext {
                    type external;
                    peer-as 65001;
                    as-override;
                    neighbor 10.0.29.2;
                }
            }
        }
    }
}



Sample Hub Configuration (4 of 4)
■ Sample hub policy (two route targets are used):
policy-options {
    policy-statement spoke-in {
        from {
            protocol bgp;
            community spoke;
        }
        then accept;
    }
    policy-statement hub-out {
        from protocol bgp;
        then {
            community add hub;
            accept;
        }
    }
    policy-statement null {
        then reject;
    }
    community hub members target:65412:100;
    community spoke members target:65412:101;
}
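Added example (not Juniper's code or the course's own material): a small model of the VRF policies on the slides above, covering both the vpnb-export policy that keeps routes copied from vpn-a off the MP-BGP mesh and the spoke/hub policies (vpna-export, vpna-import, spoke-in, hub-out). It assumes a simplified Junos term evaluation (all from conditions must hold, default action reject) and a constructed spoke prefix 172.16.1.0/24.

```python
"""Policy model (added example, not Juniper's code) for the vpnb-export policy and the
hub-and-spoke policies shown on the slides. A term matches when every 'from' condition
holds; a route matching no term hits the Junos VRF policy default, which is reject."""

HUB, SPOKE = "target:65412:100", "target:65412:101"
ORIGIN = "origin:192.168.16.1:1"

def evaluate(policy, route):
    """Run terms in order; return (accepted, communities after 'community add')."""
    for match, accept, add in policy:
        if "protocol" in match and route["protocol"] not in match["protocol"]:
            continue
        if "interface" in match and route["interface"] != match["interface"]:
            continue
        if "community" in match and match["community"] not in route["communities"]:
            continue
        return (True, route["communities"] | add) if accept else (False, frozenset())
    return False, frozenset()  # default action for vrf-import/vrf-export: reject

# Terms as (from-conditions, accept?, communities added), transcribed from the slides
vpnb_export = [({"protocol": {"bgp"}, "interface": "ge-0/0/3.0"}, True, {"vpnb-target"}),
               ({}, False, set())]
vpna_export = [({"protocol": {"bgp", "static", "direct"}}, True, {ORIGIN, SPOKE}),
               ({}, False, set())]
vpna_import = [({"protocol": {"bgp"}, "community": HUB}, True, set()), ({}, False, set())]
spoke_in = [({"protocol": {"bgp"}, "community": SPOKE}, True, set())]
hub_out = [({"protocol": {"bgp"}}, True, {HUB})]

def route(prefix, protocol, interface, communities=frozenset()):
    return {"prefix": prefix, "protocol": protocol, "interface": interface,
            "communities": frozenset(communities)}

def shared_vrf_leak_is_contained():
    """vpnb-export: vpn-b's own CE route is exported, the copy of vpn-a's route is not."""
    own = route("10.0.50.0/24", "bgp", "ge-0/0/3.0")     # learned on vpn-b's CE link
    copied = route("10.0.21.0/24", "bgp", "ge-0/0/0.0")  # copied from vpn-a by auto-export
    return evaluate(vpnb_export, own)[0] and not evaluate(vpnb_export, copied)[0]

def spoke_route_path():
    """Follow one CE-1 route (constructed prefix) through the hub-and-spoke signaling."""
    r = route("172.16.1.0/24", "bgp", "ge-0/0/0.0")
    _, comms = evaluate(vpna_export, r)                  # spoke PE tags it 'spoke'
    r = route(r["prefix"], "bgp", r["interface"], comms)
    direct = evaluate(vpna_import, r)[0]                 # other spoke PE: no 'hub' tag
    at_hub = evaluate(spoke_in, r)[0]                    # hub PE spoke instance accepts
    _, comms = evaluate(hub_out, r)                      # hub instance re-tags it 'hub'
    via_hub = evaluate(vpna_import, route(r["prefix"], "bgp", "ge-0/0/0.1", comms))[0]
    return {"direct_spoke_to_spoke": direct, "accepted_at_hub": at_hub,
            "reaches_other_spoke": via_hub}
```

The second function is also the shape of the troubleshooting advice later in the deck: check for the spoke route at each stage, and a missing hub or spoke community is the route-target mismatch to suspect first.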



Hub-and-Spoke Troubleshooting
■ Most problems relate to signaling
  • Verify the signaling exchange by confirming the presence of a spoke route at each stage
  • Start with an examination of the hub PE router’s spoke instance to save time
  • Suspect route target mismatches
  • Suspect AS loop detection when using EBGP at the hub site
■ Perform a traceroute from spokes to hub before trying spoke-to-spoke traceroutes



VPNs and CoS
■ Filtering and CoS mapping functions available at ingress PE router
  • Firewall filtering, classification, rate limiting, precedence mapping
■ Filtering functions might be unavailable at egress PE router
  • Support of vrf-table-label and vt-interface allows filtering functions at egress router
■ VRF label EXP bits can be set based on FW filters, ingress interface, or IP precedence bits
■ Outer label (RSVP) can be set statically with class-of-service configuration option
  • Enhanced FPC can write both labels independently
■ classifiers exp option is available on transit and egress PE router
  • Accommodates WRR and RED functions for labeled packets
VPNs CoS Configuration Example
user@R1# show interfaces ge-1/0/0
unit 0 {
    family inet {
        filter {
            input test;
        }
        address 10.0.6.1/24;
        . . .
user@R1# show firewall family inet
filter test {
    term 1 {
        from {
            protocol icmp;
        }
        then forwarding-class assured-forwarding;
    }
    term 2 {
        then accept;
    }
    . . .
user@R1# show protocols mpls label-switched-path am
to 192.168.24.1;
class-of-service 4;



VPNs CoS Example: The Result
Frame 12 (106 on wire, 106 captured)
Ethernet II
MultiProtocol Label Switching Header          (top label)
    MPLS Label: Unknown (100003)
    MPLS Experimental Bits: 4
    MPLS Bottom Of Label Stack: 0
    MPLS TTL: 254
MultiProtocol Label Switching Header          (bottom label)
    MPLS Label: Unknown (100001)
    MPLS Experimental Bits: 4
    MPLS Bottom Of Label Stack: 1
    MPLS TTL: 254
Internet Protocol
    Version: 4
    Header length: 20 bytes
. . . .
■ The top (RSVP) label is set using the class-of-service command under the LSP definition
■ The bottom (VRF) label is set based on firewall classification at the ingress PE router



VPN Load Balancing/Prefix Mapping
■ Can balance VPN traffic over equal-cost LSPs
  • Export policy applied to main routing instance forwarding table
■ Can map VPN traffic to specific LSPs when equal-cost LSPs exist
  • Policy used at ingress or egress nodes
  • Tag VPN routes with communities at LSP egress, match these communities at LSP ingress node
  • Manipulate BGP next hop at LSP egress, map LSPs to the correct BGP next hop at LSP ingress



VPN Prefix Mapping: Policy Example (1 of 2)
user@R1# show policy-options policy-statement map
term 1 {
    from {
        community gold;
    }
    then {
        install-nexthop lsp am;
        accept;
    }
}
term 2 {
    from {
        community silver;
    }
    then {
        install-nexthop lsp am2;
        accept;
    }
}
term 3 {
    then accept;
}
(Callout on the gold and silver matches: communities tagged at remote PE router)



VPN Prefix Mapping: Policy Example (2 of 2)
■ The map policy is applied to the main routing instance:
user@R1# show routing-options
autonomous-system 65412;
forwarding-table {
    export map;
}

■ And the results...

user@R1> show route forwarding-table vpn vpnb
Routing table:: vpnb.inet
Internet:
Destination        Type RtRef Nexthop    Type  Index NhRef Netif
172.16.4.0/24      user     0 10.0.16.2  Push 100001, Push 100032(top)[4] ge-0/0/1.0
172.16.5.0/24      user     0 10.0.16.2  Push 100001, Push 100032(top)[4] ge-0/0/1.0
172.16.6.0/24      user     0 10.0.16.2  Push 100001, Push 100032(top)[4] ge-0/0/1.0
172.16.7.0/24      user     0 10.0.16.2  Push 100001, Push 100032(top)[4] ge-0/0/1.0
. . .
192.168.53.0/24    user     0 10.0.16.2  Push 100001, Push 100030(top)[4] ge-0/0/1.0
192.168.53.1/32    user     0 10.0.16.2  Push 100001, Push 100030(top)[4] ge-0/0/1.0
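Added example (not Juniper's code): a parser for the forwarding-table output above that pulls the VRF label and the top LSP label per prefix and flags prefixes whose top label is not the one the map policy should have installed. The sample table is constructed in the slide's format, not captured from a router, and the expected-label map is an assumption for the check.

```python
import re

# Constructed sample in the format of 'show route forwarding-table vpn vpnb' (not captured
# from a router): gold prefixes should ride LSP label 100032, silver prefixes label 100030.
FWD_TABLE = """\
Routing table:: vpnb.inet
Internet:
Destination        Type RtRef Nexthop    Type  Index NhRef Netif
172.16.4.0/24      user     0 10.0.16.2  Push 100001, Push 100032(top)[4] ge-0/0/1.0
172.16.5.0/24      user     0 10.0.16.2  Push 100001, Push 100032(top)[4] ge-0/0/1.0
192.168.53.0/24    user     0 10.0.16.2  Push 100001, Push 100030(top)[4] ge-0/0/1.0
192.168.53.1/32    user     0 10.0.16.2  Push 100001, Push 100030(top)[4] ge-0/0/1.0
"""

ROW = re.compile(r"^(?P<prefix>\S+/\d+)\s+user\s+\d+\s+(?P<nh>\S+)\s+"
                 r"(?P<labels>Push .*?)\s+(?P<netif>\S+)$")
LABEL = re.compile(r"Push (\d+)(\(top\))?")

def parse_label_stacks(text):
    """Map each user route to (VRF label, top LSP label, next hop, outgoing interface)."""
    stacks = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # table name, column header, or a route without a label stack
        labels = {bool(top): int(label) for label, top in LABEL.findall(m["labels"])}
        stacks[m["prefix"]] = (labels[False], labels[True], m["nh"], m["netif"])
    return stacks

def prefixes_by_lsp_label(text):
    """Group prefixes by top (LSP) label, so each LSP's prefix set can be read off."""
    grouped = {}
    for prefix, (_, top, _, _) in parse_label_stacks(text).items():
        grouped.setdefault(top, []).append(prefix)
    return grouped

def misrouted(text, expected_top):
    """Prefixes whose installed top label differs from the LSP label expected for them."""
    stacks = parse_label_stacks(text)
    return sorted(p for p, top in expected_top.items() if p in stacks and stacks[p][1] != top)
```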



PE-PE GRE Tunnels

[Diagram: Customer Site 1 (PE-1, 192.168.8.1) and Customer Site 2 (PE-2, 192.168.28.1) connected across the service provider network (CE-1, P routers, CE-2); GRE tunnel between the PE routers]

■ The Junos OS supports PE-to-PE GRE tunnels
  • Allows carrier-of-carriers VPN applications when the provider’s network does not support MPLS
  • Requires tunnel services on customer PE routers
  • Does not use MPLS forwarding



PE-PE GRE Tunnel Configuration
■ Unnumbered GRE tunnel with family mpls
user@pe1# show interfaces gr-1/0/10
unit 0 {
    tunnel {
        source 192.168.8.1;
        destination 192.168.28.1;
    }
    family inet;
    family mpls;
}
user@pe1# show routing-options
rib inet.3 {
    static {
        route 192.168.28.1/32 next-hop gr-1/0/10.0;
    }
}



PE-CE GRE Tunnels

[Diagram: provider core (AS 65412, OSPF Area 0) with P1, P2 and PE (lo0 192.168.24.1); GRE tunnel from PE ge-0/0/1 across an IP network (192.168.9.98 to 192.168.9.97) to the CE of Network B, which uses private addresses]

■ The Junos OS supports PE-to-CE GRE tunnels
  • Allows connection to remote CE devices across an IP backbone
  • routing-instance configuration option to associate the GRE tunnel with the correct routing instance



IPsec and Layer 3 VPN Integration

[Diagram: CE-A (172.20.0/24) attached to PE-1 (lo0 192.168.16.1) with a PE-CE IPsec tunnel between 10.0.29.1 and 10.0.29.2; provider core P-n; PE-2 (lo0 192.168.24.1) reaches CE-B (172.20.4/24) across an IP network (200.0.1.1, 200.0.0.1); a CE-CE IPsec tunnel carrying CE-CE traffic extends through the PE routers]

■ The Junos OS supports IPsec/Layer 3 VPN integration
  • IPsec tunnels terminate between the PE and CE routers
  • CE-CE IPsec tunnels extend through PE routers
  • IPsec tunnels can use manual or dynamic security associations
  • PE and CE routers both require AS PIC or ES PIC
  • PE-PE configuration requires no change; firewall filter-based classification is not used



PE-PE GRE and IPsec Tunnels

[Diagram: CE-A (172.20.0/24) attached to PE-1 (lo0 192.168.16.1); provider core P-n; PE-2 (lo0 192.168.24.1) reaches CE-B (172.20.4/24) across an IP network (200.0.0.1); a GRE tunnel inside an IPsec tunnel carries PE-PE traffic between 192.168.16.1 and 192.168.24.1]

■ Provide BGP/MPLS VPN service without an MPLS backbone
  • Secure transport across the provider’s backbone when the CE device does not support IPsec
  • Configure GRE and IPsec tunnels between PE routers
  • MPLS information encapsulated with IP and IPsec header
  • Source address is ingress PE router, destination address is BGP next hop—the address of the egress PE router
