
Layer 3 VPNs—Advanced Topics

© 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net

Sharing Routes Between VRF Tables in the Same PE Router

[Diagram: one PE router holding VRF-A and VRF-B; VPN-A/B routes end up in VRF-A and VPN-B/A routes in VRF-B. CE-A belongs to VPN-A and CE-B to VPN-B, and both attach to the same PE]

• Goal: Allow communication between CE-A and CE-B without placing them into the same VPN
• Solution: Use the auto-export command or RIB groups
auto-export Example

• The auto-export command configured in multiple VRF tables causes the router to analyze the vrf-import/vrf-export policies or vrf-target statements in those VRF tables
  ◦ VPN routes are copied into the appropriate local VRF tables

[Diagram: CE-A (10.0.21.2) connects to the PE's ge-0/0/0 (10.0.21.1) on 10.0.21/24; CE-B (10.0.50.2) connects to the PE's ge-0/0/3 (10.0.50.1) on 10.0.50/24; PE lo0: 192.168.16.1]

[edit routing-instances]
user@PE# show
vpn-a {
    instance-type vrf;
    interface ge-0/0/0.0;
    vrf-target target:65412:100;
    routing-options {
        auto-export;
    }
    protocols {
        bgp {
            group ce-a {
                peer-as 65000;
                as-override;
                neighbor 10.0.21.2;
                . . .
vpn-b {
    instance-type vrf;
    interface ge-0/0/3.0;
    vrf-target target:65412:100;
    routing-options {
        auto-export;
    }
    protocols {
        bgp {
            group ce-b {
                peer-as 65000;
                as-override;
                neighbor 10.0.50.2;
                . . .


VRF RIB Group Example

[Diagram: same topology as the auto-export example: CE-A (10.0.21.2) on the PE's ge-0/0/0 (10.0.21.1), CE-B (10.0.50.2) on the PE's 10.0.50.1, PE lo0: 192.168.16.1]

routing-options {
    rib-groups {
        a-to-b {
            import-rib [ vpn-a.inet.0 vpn-b.inet.0 ];
        }
        b-to-a {
            import-rib [ vpn-b.inet.0 vpn-a.inet.0 ];
        }
    }
    autonomous-system 65412;
}
routing-instances {
    vpn-a {
        . . .
        routing-options {
            interface-routes {
                rib-group inet a-to-b;
            }
        }
        protocols {
            bgp {
                group ext {
                    type external;
                    family inet {
                        unicast {
                            rib-group a-to-b;
                        }
                    }
                    . . .

• The first table in each import-rib list is the primary table; routes the interface-routes and BGP family inet unicast rib-group statements place there are also installed in the second table
  ◦ Only the vpn-a side is shown; vpn-b applies rib-group b-to-a in the same way (not shown)

Verifying the Results

user@PE# run show route table vpn-b

vpn-b.inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.21.0/24       *[Direct/0] 03:21:27
                    > via ge-0/0/0.0
                    [BGP/170] 03:21:27, localpref 100
                      AS path: 65001 I
                    > to 10.0.21.2 via ge-0/0/0.0
10.0.21.1/32       *[Local/0] 03:21:27
                      Local
10.0.50.0/24       *[Direct/0] 00:16:48
                    > via ge-0/0/3.0
10.0.50.1/32       *[Local/0] 00:16:48
                      Local
. . . .

(Annotation on the slide: VRF routes, local and BGP, from VPN-A are now in VPN-B's VRF table)

• VPN-A's interface and BGP routes are in VPN-B's VRF table (although not shown, VPN-B's interface and BGP routes are also present in VPN-A's VRF table)
• Traffic can now be forwarded between the sites served by CE-A and CE-B

Keeping Shared VRF Routes from Other PE and CE Routers

[edit policy-options policy-statement vpnb-export]
user@PE# show
term 1 {
    from {
        protocol bgp;
        interface ge-0/0/3.0;
    }
    then {
        community add vpnb-target;
        accept;
    }
}
term 2 {
    then reject;
}

• The VRF export policy for vpn-b matches only the BGP routes learned over interface ge-0/0/3 (the CE-B link) and tags them with vpnb-target
  ◦ Routes copied from the vpn-a VRF table were learned over ge-0/0/0, fall through to term 2 and are not sent to remote PE routers
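The route sharing of the last five slides (auto-export or RIB groups copying routes between vpn-a and vpn-b, and the vpnb-export policy keeping the copies local), modelled as an added Python example. This is not Juniper code or configuration: the VRF names, interfaces, prefixes and route target come from the slides, while the Route objects and the policy semantics are this example's own simplifications (a RIB group copying interface and BGP routes ends up with the same table contents, so the model does not distinguish the two mechanisms):

```python
"""Route sharing between two VRFs on one PE, modelled in Python.

Added example, not Juniper code or configuration.  It reproduces the
behaviour the slides describe: auto-export copies routes between local
VRFs whose route targets match, and a VRF export policy like vpnb-export
keeps those copies from being advertised to remote PE routers.  VRF
names, interfaces, prefixes and the route target are the slides'; the
Route objects are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str               # "direct", "local" or "bgp"
    interface: str              # interface the route was learned over
    origin_vrf: str             # VRF holding the primary copy
    communities: frozenset = frozenset()


@dataclass
class Vrf:
    name: str
    import_targets: frozenset   # what vrf-target / vrf-import accepts
    export_targets: frozenset   # what vrf-target / vrf-export attaches
    auto_export: bool = False
    table: list = field(default_factory=list)

    def has(self, prefix, protocol):
        return any(r.prefix == prefix and r.protocol == protocol
                   for r in self.table)


def run_auto_export(vrfs):
    """Copy primary routes between local VRFs that have auto-export
    configured whenever the source VRF's export targets overlap the
    destination VRF's import targets.  Routes the destination already
    holds are left alone, so a secondary copy never displaces a primary."""
    active = [v for v in vrfs if v.auto_export]
    for src in active:
        for dst in active:
            if dst is src or not (src.export_targets & dst.import_targets):
                continue
            for route in list(src.table):
                if route.origin_vrf == src.name and not dst.has(route.prefix,
                                                                route.protocol):
                    dst.table.append(route)


def vrf_export(vrf, ce_interface):
    """Emulate the slides' vpnb-export policy: term 1 accepts BGP routes
    learned over the VRF's own CE interface and adds the route target,
    term 2 rejects everything else.  Copies made by auto-export were
    learned over the other VRF's interface, so they never reach remote PEs."""
    advertised = []
    for r in vrf.table:
        if r.protocol == "bgp" and r.interface == ce_interface:
            advertised.append(Route(r.prefix, r.protocol, r.interface,
                                    r.origin_vrf,
                                    r.communities | vrf.export_targets))
    return advertised


def build_pe(auto_export=True):
    """Constructed PE from the slides: vpn-a on ge-0/0/0.0 (CE-A at
    10.0.21.2), vpn-b on ge-0/0/3.0 (CE-B at 10.0.50.2), both configured
    with vrf-target target:65412:100."""
    rt = frozenset({"target:65412:100"})
    vpn_a = Vrf("vpn-a", rt, rt, auto_export)
    vpn_b = Vrf("vpn-b", rt, rt, auto_export)
    vpn_a.table = [
        Route("10.0.21.0/24", "direct", "ge-0/0/0.0", "vpn-a"),
        Route("10.0.21.0/24", "bgp", "ge-0/0/0.0", "vpn-a"),    # from CE-A
        Route("10.0.21.1/32", "local", "ge-0/0/0.0", "vpn-a"),
    ]
    vpn_b.table = [
        Route("10.0.50.0/24", "direct", "ge-0/0/3.0", "vpn-b"),
        Route("10.0.50.0/24", "bgp", "ge-0/0/3.0", "vpn-b"),    # from CE-B
        Route("10.0.50.1/32", "local", "ge-0/0/3.0", "vpn-b"),
    ]
    run_auto_export([vpn_a, vpn_b])
    return vpn_a, vpn_b


if __name__ == "__main__":
    vpn_a, vpn_b = build_pe()
    print("vpn-b.inet.0 now holds:", sorted({r.prefix for r in vpn_b.table}))
    print("vpn-b advertises to remote PEs:",
          [r.prefix for r in vrf_export(vpn_b, "ge-0/0/3.0")])
```

Run it and vpn-b.inet.0 ends up with the six routes the verification slide shows, while vrf_export(vpn_b, "ge-0/0/3.0") advertises only 10.0.50.0/24; with build_pe(auto_export=False) nothing is copied. The check that matters operationally is the interface match in vrf_export: drop it and the copies pass term 1 as well, which is exactly the leak the slide's policy exists to prevent.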

Hub-and-Spoke Topologies

• Reduces the number of BGP sessions and LSPs required, but the cost is an extra CE router hop
  ◦ Spoke-to-spoke communications must transit the hub site
• Requires two VRF instances in the hub PE router
  ◦ The spoke VRF table contains routes received from the spoke sites
  ◦ The hub VRF table contains routes received from the hub CE device
• Requires two VRF interfaces on the hub CE/PE link
  ◦ These can be logical units on the same physical interface
• Requires two route targets, and possibly two route distinguishers when route reflectors are used
• Watch for AS path loop detection and OSPF domain ID problems
• Issues might arise when the hub PE router has locally connected spokes, or when multiple spoke sites attach to the same spoke PE router

Signaling Flow Between Spokes

[Diagram: spoke CE-1 – spoke PE-1 – hub PE (spoke VRF, target: spoke; hub VRF, target: hub) – spoke PE-2 – spoke CE-2, with the hub CE attached to the hub PE over ge-0/0/0.0 (spoke VRF) and ge-0/0/0.1 (hub VRF). Numbered route advertisement steps:
1. Spoke CE-1 advertises its routes to spoke PE-1
2. PE-1 sends them, tagged with the spoke route target, to the hub PE's spoke VRF
3. The spoke VRF advertises them to the hub CE over ge-0/0/0.0
4. The hub CE re-advertises them to the hub PE's hub VRF over ge-0/0/0.1
5. The hub VRF sends them, tagged with the hub route target, to spoke PE-2
6. PE-2 advertises them to spoke CE-2]
Data Flow Between Spokes

[Diagram: same topology. Traffic from CE-2 towards CE-1 follows the signaling path in reverse:
1. Spoke CE-2 forwards to spoke PE-2
2. PE-2 forwards over the LSP to the hub PE's hub VRF
3. The hub VRF forwards to the hub CE over ge-0/0/0.1
4. The hub CE forwards back into the hub PE's spoke VRF over ge-0/0/0.0
5. The spoke VRF forwards over the LSP to spoke PE-1
6. PE-1 delivers the traffic to spoke CE-1]


Sample Spoke Configuration (1 of 3)

• A single routing instance is defined at the spoke sites:

routing-instances {
    vpna {
        instance-type vrf;
        interface ge-0/0/0.0;
        route-distinguisher 192.168.16.1:1;
        vrf-import vpna-import;
        vrf-export vpna-export;
        protocols {
            bgp {
                group ext {
                    type external;
                    peer-as 65001;
                    as-override;
                    neighbor 10.0.21.2;
                }
            }
        }
    }
}

Sample Spoke Configuration (2 of 3)

• A spoke site's VRF import policy accepts only routes tagged with the hub route target:

policy-options {
    policy-statement vpna-import {
        term 1 {
            from {
                protocol bgp;
                community hub;
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }
    community origin-pe1 members origin:192.168.16.1:1;
    community hub members target:65412:100;
    community spoke members target:65412:101;
}

Sample Spoke Configuration (3 of 3)

• A spoke site's VRF export policy and community definitions; exported routes carry the spoke route target, so only the hub PE's spoke VRF imports them:

policy-options {
    policy-statement vpna-export {
        term 1 {
            from protocol [ bgp static direct ];
            then {
                community add origin-pe1;
                community add spoke;
                accept;
            }
        }
        term 3 {
            then reject;
        }
    }
    community origin-pe1 members origin:192.168.16.1:1;
    community hub members target:65412:100;
    community spoke members target:65412:101;
}

Sample Hub Configuration (1 of 4)

• Multiple interfaces (logical or physical) are needed at the hub location; here unit 0 (VLAN 100) faces the spoke VRF and unit 1 (VLAN 200) faces the hub VRF:

interfaces {
    ge-0/0/0 {
        vlan-tagging;
        unit 0 {
            vlan-id 100;
            family inet {
                address 10.0.29.1/24;
            }
        }
        unit 1 {
            vlan-id 200;
            family inet {
                address 10.0.30.1/24;
            }
        }
    }
}


Sample Hub Configuration (2 of 4)

• The hub instance exports routes learned from the hub CE device to the remote spokes (it imports nothing from MP-BGP):

routing-instances {
    hub {
        instance-type vrf;
        interface ge-0/0/0.1;
        route-distinguisher 192.168.24.1:1;
        vrf-import null;
        vrf-export hub-out;
        protocols {
            bgp {
                group ext1 {
                    type external;
                    peer-as 65001;
                    neighbor 10.0.30.2;
                }
            }
        }
    }
}

Sample Hub Configuration (3 of 4)

• The spoke instance imports routes from the remote spokes and sends them to the hub CE device (it exports nothing to MP-BGP); as-override is required here because the hub CE shares AS 65001 with the spoke sites:

routing-instances {
    . . .
    spoke {
        instance-type vrf;
        interface ge-0/0/0.0;
        route-distinguisher 192.168.24.1:1;
        vrf-import spoke-in;
        vrf-export null;
        protocols {
            bgp {
                group ext {
                    type external;
                    peer-as 65001;
                    as-override;
                    neighbor 10.0.29.2;
                }
            }
        }
    }
}


Sample Hub Configuration (4 of 4)

• Sample hub policies (two route targets are used):

policy-options {
    policy-statement spoke-in {
        from {
            protocol bgp;
            community spoke;
        }
        then accept;
    }
    policy-statement hub-out {
        from protocol bgp;
        then {
            community add hub;
            accept;
        }
    }
    policy-statement null {
        then reject;
    }
    community hub members target:65412:100;
    community spoke members target:65412:101;
}

Hub-and-Spoke Troubleshooting

• Most problems relate to signaling
  ◦ Verify the signaling exchange by confirming the presence of a spoke route at each stage
  ◦ Start with an examination of the hub PE router's spoke instance to save time
  ◦ Suspect route target mismatches
  ◦ Suspect AS loop detection when using EBGP at the hub site
• Perform a traceroute from the spokes to the hub before trying spoke-to-spoke traceroutes
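The signaling flow and the troubleshooting hints above, as an added Python walk-through (not Juniper code or configuration). It pushes one spoke prefix through the six steps with the route targets of the sample configuration and the eBGP AS-path rules, so that the two failure modes the slide tells you to suspect (route target mismatch, AS loop detection at the hub) show up at a named step. AS numbers are the slides'; the hub_pe_loops knob is this model's stand-in for letting the hub PE accept its own AS in a received path, which the slides do not show how to configure:

```python
"""Hub-and-spoke signaling (steps 1-6 on the slides) walked through in
Python.  Added example, not Juniper code or configuration.  One spoke
prefix travels from CE-1 through PE-1, the hub PE's spoke VRF, the hub CE,
the hub PE's hub VRF and PE-2 to CE-2, under the route-target policies of
the sample configuration (spoke = target:65412:101, hub = target:65412:100)
and the eBGP AS-path rules behind the loop problems the troubleshooting
slide mentions.  AS numbers are the slides' (provider 65412, customer
sites 65001).  The hub_pe_loops knob is this model's stand-in for letting
the hub PE accept its own AS in a received path; the slides do not show
how that is configured.
"""

PROVIDER_AS = 65412
CUSTOMER_AS = 65001
HUB_RT = "target:65412:100"
SPOKE_RT = "target:65412:101"


class SignalingFailure(Exception):
    """Raised with the step at which the spoke route would be dropped."""


def ebgp_send(as_path, local_as, peer_as, as_override):
    """AS path an eBGP speaker advertises: with as-override every occurrence
    of the peer's AS is rewritten to the local AS, then the local AS is
    prepended; without it only the prepend happens."""
    path = [local_as if as_override and asn == peer_as else asn
            for asn in as_path]
    return [local_as] + path


def ebgp_receive(as_path, local_as, step, loops=0):
    """Receiver-side loop detection: a path containing the local AS more
    than `loops` times is dropped (loops=0 is the strict default)."""
    if as_path.count(local_as) > loops:
        raise SignalingFailure(f"{step}: AS loop, {local_as} in {as_path}")
    return list(as_path)


def vrf_import(route, wanted_rt, step):
    """vrf-import policy: accept only routes carrying the wanted target."""
    if wanted_rt not in route["communities"]:
        raise SignalingFailure(f"{step}: route target mismatch, "
                               f"got {sorted(route['communities'])}")
    return route


def signal_spoke_route(prefix, *, hub_spoke_vrf_as_override=True,
                       spoke_pe_as_override=True, hub_pe_loops=2,
                       spoke_export_rt=SPOKE_RT):
    """Walk one spoke prefix through steps 1-6 and return the (step, AS
    path) pairs a troubleshooter would verify at each stage."""
    trace = []
    # 1. CE-1 (AS 65001) advertises the prefix to spoke PE-1 over eBGP.
    path = ebgp_receive(ebgp_send([], CUSTOMER_AS, PROVIDER_AS, False),
                        PROVIDER_AS, "step 1 PE-1")
    trace.append(("1 PE-1", path))
    # 2. PE-1's vpna-export tags it with the spoke RT and sends it over
    #    MP-iBGP (no AS prepend); the hub PE's spoke VRF applies spoke-in.
    route = vrf_import({"prefix": prefix, "as_path": path,
                        "communities": {spoke_export_rt}},
                       SPOKE_RT, "step 2 hub PE spoke VRF")
    trace.append(("2 hub PE spoke VRF", route["as_path"]))
    # 3. The spoke VRF advertises it to the hub CE over ge-0/0/0.0 (eBGP).
    path = ebgp_receive(ebgp_send(route["as_path"], PROVIDER_AS, CUSTOMER_AS,
                                  hub_spoke_vrf_as_override),
                        CUSTOMER_AS, "step 3 hub CE")
    trace.append(("3 hub CE", path))
    # 4. The hub CE re-advertises it to the hub VRF over ge-0/0/0.1.  The
    #    provider AS is now inside the path, so the hub PE must tolerate it.
    path = ebgp_receive(ebgp_send(path, CUSTOMER_AS, PROVIDER_AS, False),
                        PROVIDER_AS, "step 4 hub PE hub VRF",
                        loops=hub_pe_loops)
    trace.append(("4 hub PE hub VRF", path))
    # 5. hub-out tags it with the hub RT; PE-2's vpna-import accepts hub only.
    route = vrf_import({"prefix": prefix, "as_path": path,
                        "communities": {HUB_RT}}, HUB_RT, "step 5 PE-2")
    trace.append(("5 PE-2", route["as_path"]))
    # 6. PE-2 advertises it to CE-2 over eBGP.
    path = ebgp_receive(ebgp_send(route["as_path"], PROVIDER_AS, CUSTOMER_AS,
                                  spoke_pe_as_override),
                        CUSTOMER_AS, "step 6 CE-2")
    trace.append(("6 CE-2", path))
    return trace


def failure_step(**knobs):
    """Troubleshooting aid: the step at which signaling breaks under the
    given knobs, or None when the route reaches CE-2."""
    try:
        signal_spoke_route("172.16.4.0/24", **knobs)
    except SignalingFailure as exc:
        return str(exc).split(":", 1)[0]
    return None


if __name__ == "__main__":
    for step, as_path in signal_spoke_route("172.16.4.0/24"):
        print(f"{step:22} AS path {as_path}")
    print("without as-override on PE-2:", failure_step(spoke_pe_as_override=False))
    print("strict loop check on hub PE:", failure_step(hub_pe_loops=0))
```

The path the hub CE returns already carries the provider AS twice (the prepend plus the as-override rewrite of CE-1's AS), so a hub PE running strict loop detection drops the route at step 4 and the spokes never see it, which is why the slide says to start at the hub PE. Note also that the hub only stays in the path as long as every spoke PE exports the spoke target: a spoke exporting target:65412:100 by mistake is rejected by the hub PE's spoke VRF, but would be imported directly by every other spoke's vpna-import.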


VPNs and CoS

• Filtering and CoS mapping functions are available at the ingress PE router
  ◦ Firewall filtering, classification, rate limiting, precedence mapping
• Filtering functions might be unavailable at the egress PE router
  ◦ Support for vrf-table-label and vt-interface allows filtering functions at the egress router
• The VRF label's EXP bits can be set based on firewall filters, the ingress interface, or the IP precedence bits
• The outer (RSVP) label's EXP bits can be set statically with the class-of-service LSP configuration option
  ◦ An Enhanced FPC can write both labels' EXP bits independently
• The classifiers exp option is available on transit and egress PE routers
  ◦ Accommodates WRR and RED functions for labeled packets
VPNs CoS Configuration Example

user@R1# show interfaces ge-1/0/0
unit 0 {
    family inet {
        filter {
            input test;
        }
        address 10.0.6.1/24;
        . . .

user@R1# show firewall family inet
filter test {
    term 1 {
        from {
            protocol icmp;
        }
        then forwarding-class assured-forwarding;
    }
    term 2 {
        then accept;
    }
    . . .

user@R1# show protocols mpls label-switched-path am
to 192.168.24.1;
class-of-service 4;


VPNs CoS Example: The Result

Frame 12 (106 on wire, 106 captured)
Ethernet II
MultiProtocol Label Switching Header            (top label)
    MPLS Label: Unknown (100003)
    MPLS Experimental Bits: 4
    MPLS Bottom Of Label Stack: 0
    MPLS TTL: 254
MultiProtocol Label Switching Header            (bottom label)
    MPLS Label: Unknown (100001)
    MPLS Experimental Bits: 4
    MPLS Bottom Of Label Stack: 1
    MPLS TTL: 254
Internet Protocol
    Version: 4
    Header length: 20 bytes
    . . . .

• The top (RSVP) label's EXP bits are set using the class-of-service command under the LSP definition
• The bottom (VRF) label's EXP bits are set based on the firewall classification at the ingress PE router
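The two label stack entries in the capture, as an added Python example (not Juniper code): it packs and parses the 32-bit entries so the EXP fields the previous slides set on the RSVP and VRF labels can be inspected, and shows what a transit P router versus the egress PE (after penultimate-hop popping) gets to classify on. Label values are taken from the capture; the payload bytes are constructed:

```python
"""MPLS label stack encoder/decoder for the two-label VPN packet in the
capture on the slide (top RSVP label 100003, bottom VRF label 100001, both
EXP 4, TTL 254).  Added example, not Juniper code.  It shows where the two
EXP fields the slides set separately (LSP class-of-service for the top
label, firewall classification for the VRF label) live in the packet, and
which of them a transit P router and the egress PE classify on.  Label
values are the slide's; the payload bytes are constructed.
"""
import struct


def encode_label(label, exp, bottom, ttl):
    """One 32-bit label stack entry: 20-bit label, 3-bit EXP, 1-bit S, 8-bit TTL."""
    if not (0 <= label < 1 << 20 and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("label stack field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def encode_stack(entries):
    """entries: (label, exp, ttl) tuples, outermost first; the S bit is set
    on the last one automatically."""
    last = len(entries) - 1
    return b"".join(encode_label(label, exp, i == last, ttl)
                    for i, (label, exp, ttl) in enumerate(entries))


def decode_stack(data):
    """Parse entries until the bottom-of-stack bit.  Returns (entries,
    payload) with entries laid out like the capture on the slide."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", data, offset)
        offset += 4
        entry = {"label": word >> 12, "exp": (word >> 9) & 0x7,
                 "bottom": bool(word & 0x100), "ttl": word & 0xFF}
        entries.append(entry)
        if entry["bottom"]:
            return entries, data[offset:]


def penultimate_hop_pop(data):
    """What the egress PE receives after PHP: the top (RSVP) entry is gone,
    so only the VRF label's EXP bits are left for egress classification."""
    entries, payload = decode_stack(data)
    if len(entries) < 2:
        raise ValueError("nothing to pop from a single-label stack")
    rest = [(e["label"], e["exp"], e["ttl"]) for e in entries[1:]]
    return encode_stack(rest) + payload


def exp_seen_by(role, data):
    """EXP value a router classifies on: a transit P router uses the top
    entry, the egress PE (after PHP) the VRF label."""
    entries, _ = decode_stack(data)
    return entries[0]["exp"] if role == "transit" else entries[-1]["exp"]


# Constructed reproduction of the captured stack: class-of-service 4 on the
# LSP sets the top EXP, the ingress firewall classification the bottom EXP.
CAPTURED_STACK = encode_stack([(100003, 4, 254), (100001, 4, 254)])

if __name__ == "__main__":
    for entry in decode_stack(CAPTURED_STACK + b"\x45\x00")[0]:
        print(entry)
```

decode_stack(CAPTURED_STACK) reproduces the four fields the capture lists for each header. The practical consequence: the LSP class-of-service value only governs queuing inside the provider core, while the EXP written from the ingress firewall classification is what remains on the packet once the penultimate hop pops the RSVP label (the default for RSVP LSPs), so both must be set if the egress PE is to treat the traffic the way the ingress PE intended.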
VPN Load Balancing/Prefix Mapping

• VPN traffic can be balanced over equal-cost LSPs
  ◦ Enabled by an export policy applied to the main routing instance's forwarding table
• VPN traffic can be mapped to specific LSPs when equal-cost LSPs exist
  ◦ Policy is applied at the ingress or egress nodes, in one of two ways:
  ◦ Tag the VPN routes with communities at the LSP egress node and match those communities at the LSP ingress node, or
  ◦ Manipulate the BGP next hop at the LSP egress node and map LSPs to the correct BGP next hop at the LSP ingress node


VPN Prefix Mapping: Policy Example (1 of 2)

user@R1# show policy-options policy-statement map
term 1 {
    from {
        community gold;
    }
    then {
        install-nexthop lsp am;
        accept;
    }
}
term 2 {
    from {
        community silver;
    }
    then {
        install-nexthop lsp am2;
        accept;
    }
}
term 3 {
    then accept;
}

• The gold and silver communities are tagged on the VPN routes at the remote PE router (the LSP egress)

VPN Prefix Mapping: Policy Example (2 of 2)

• The map policy is applied to the main routing instance's forwarding table:

user@R1# show routing-options
autonomous-system 65412;
forwarding-table {
    export map;
}

• And the results:

user@R1> show route forwarding-table vpn vpnb
Routing table: vpnb.inet
Internet:
Destination        Type RtRef Nexthop    Type                               Index NhRef Netif
172.16.4.0/24      user     0 10.0.16.2  Push 100001, Push 100032(top)[4]               ge-0/0/1.0
172.16.5.0/24      user     0 10.0.16.2  Push 100001, Push 100032(top)[4]               ge-0/0/1.0
172.16.6.0/24      user     0 10.0.16.2  Push 100001, Push 100032(top)[4]               ge-0/0/1.0
172.16.7.0/24      user     0 10.0.16.2  Push 100001, Push 100032(top)[4]               ge-0/0/1.0
. . .
192.168.53.0/24    user     0 10.0.16.2  Push 100001, Push 100030(top)[4]               ge-0/0/1.0
192.168.53.1/32    user     0 10.0.16.2  Push 100001, Push 100030(top)[4]               ge-0/0/1.0

• All prefixes resolve to the same BGP next hop (10.0.16.2) and carry the same VPN label (100001), but the top label differs: 100032 for the 172.16.x.0/24 routes and 100030 for the 192.168.53.0/24 routes, i.e. each group is pinned to a different LSP
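The map policy and the forwarding-table output above, as an added Python model (not Juniper code). It evaluates the ordered policy terms for VPN routes that resolve over two equal-cost LSPs to 10.0.16.2 and emits the label pushes the forwarding table lists. The prefixes, next hop and labels come from the slides; which of the two LSPs (am, am2) carries top label 100032 and which 100030, and which prefixes are tagged gold or silver, are assumptions made for the example:

```python
"""The slides' forwarding-table export policy (policy-statement map)
modelled in Python.  Added example, not Juniper code.  It evaluates the
ordered terms (community gold -> install-nexthop lsp am, silver -> am2,
a final plain accept) for VPN routes that resolve over two equal-cost LSPs
to the same BGP next hop, and produces the label push operations that the
`show route forwarding-table` output lists.  Prefixes, BGP next hop
10.0.16.2, VPN label 100001 and top labels 100032/100030 are the slides';
which LSP carries which top label, and the gold/silver tagging of each
prefix, are assumptions made here.
"""
import zlib

# Assumed mapping of the two equal-cost LSPs to 10.0.16.2 onto their top labels.
LSPS = {"am": 100032, "am2": 100030}

# The map policy, one dict per term in order.  A term without
# from_community matches everything (the slides' term 3).
MAP_POLICY = [
    {"from_community": "gold", "install_nexthop": "am"},
    {"from_community": "silver", "install_nexthop": "am2"},
    {},
]


def evaluate_map(route, policy=MAP_POLICY):
    """First matching term wins, as in Junos policy evaluation.  Returns the
    LSP to pin the route to, or None when it falls through to a plain
    accept (no next-hop change)."""
    for term in policy:
        wanted = term.get("from_community")
        if wanted is None or wanted in route["communities"]:
            return term.get("install_nexthop")
    return None


def ecmp_choice(route, lsps):
    """Stand-in for the forwarding plane's per-prefix hash across equal-cost
    LSPs when no term pins the route; deterministic for the example."""
    names = sorted(lsps)
    return names[zlib.crc32(route["prefix"].encode()) % len(names)]


def forwarding_entry(route, lsps=LSPS):
    """One forwarding-table line: the VPN label signaled by the remote PE is
    pushed first, the chosen LSP's label on top."""
    lsp = evaluate_map(route) or ecmp_choice(route, lsps)
    return {"prefix": route["prefix"], "nexthop": route["bgp_nexthop"],
            "push": [route["vpn_label"], lsps[lsp]], "lsp": lsp}


def _route(prefix, *communities):
    return {"prefix": prefix, "bgp_nexthop": "10.0.16.2",
            "vpn_label": 100001, "communities": set(communities)}


# Constructed routes as received from the remote PE; the tagging is assumed.
SAMPLE_ROUTES = [
    _route("172.16.4.0/24", "gold"),
    _route("172.16.5.0/24", "gold"),
    _route("192.168.53.0/24", "silver"),
    _route("192.168.53.1/32", "silver"),
    _route("10.200.0.0/24"),              # untagged: hashed across both LSPs
]


def forwarding_table(routes=SAMPLE_ROUTES):
    return [forwarding_entry(r) for r in routes]


if __name__ == "__main__":
    for e in forwarding_table():
        print(f"{e['prefix']:18} {e['nexthop']:10} Push {e['push'][0]}, "
              f"Push {e['push'][1]}(top)  via {e['lsp']}")
```

Terms are evaluated first match wins, so a route carrying both communities lands on am; an untagged route falls through term 3 and is hashed across both LSPs, which is the load-balancing case the previous slide describes.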


PE-PE GRE Tunnels

[Diagram: Customer Site 1 (PE-1 at 192.168.8.1 and a P router) – CE-1 – Service Provider – CE-2 – Customer Site 2 (a P router and PE-2 at 192.168.28.1); the GRE tunnel runs between the two PE routers across the service provider's network]

• The Junos OS supports PE-to-PE GRE tunnels
  ◦ Allows carrier-of-carriers VPN applications when the provider's network does not support MPLS
  ◦ Requires tunnel services on the customer PE routers
  ◦ The provider's network does not perform MPLS forwarding; the labeled packets cross it inside GRE/IP
  ◦ GRE adds no authentication or confidentiality, so the PE must restrict which tunnel sources it accepts; the PE-PE GRE and IPsec Tunnels slide covers the protected variant

PE-PE GRE Tunnel Configuration

• Unnumbered GRE tunnel with family mpls; the static route in inet.3 makes the remote PE's loopback (the BGP next hop of the VPN routes) resolvable over the tunnel, so the VPN routes resolve to the gr- interface instead of to an LSP

user@pe1# show interfaces gr-1/0/10
unit 0 {
    tunnel {
        source 192.168.8.1;
        destination 192.168.28.1;
    }
    family inet;
    family mpls;
}

user@pe1# show routing-options
rib inet.3 {
    static {
        route 192.168.28.1/32 next-hop gr-1/0/10.0;
    }
}
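MPLS-in-GRE as the PE-to-PE tunnel above carries it, as an added Python example (not Juniper code or configuration) covering this slide and the PE-PE GRE Tunnels slide before it. It builds the outer IPv4/GRE encapsulation between the configured tunnel endpoints and implements the acceptance checks a receiving PE should apply; the VPN label and the inner packet are constructed:

```python
"""MPLS-in-GRE for the PE-to-PE tunnel on the slides, built and parsed in
Python.  Added example, not Juniper code.  It encapsulates a labeled VPN
packet in GRE over IPv4 between the tunnel endpoints of the configuration
(source 192.168.8.1, destination 192.168.28.1) and shows the checks a
receiving PE should apply before handing the inner labeled packet to MPLS
forwarding: the outer destination must be its own tunnel address, the
outer source must be the configured peer, and the GRE protocol type must
be MPLS unicast.  The VPN label and the inner IP packet are constructed.
"""
import ipaddress
import struct

IPPROTO_GRE = 47
GRE_PROTO_MPLS_UNICAST = 0x8847


def ipv4_checksum(header):
    """RFC 791 ones-complement checksum; 0 when run over a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header, DF set, with a correct checksum."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0,
                         0x4000, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def label_entry(label, exp, bottom, ttl):
    """32-bit MPLS label stack entry."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def mpls_in_gre(src, dst, vpn_label, inner_packet, exp=0, ttl=255):
    """Outer IPv4 (protocol 47) + 4-byte GRE header without checksum, key
    or sequence + a single VPN label + the customer IP packet.  There is
    no RSVP label: the GRE tunnel stands in for the LSP."""
    gre = struct.pack("!HH", 0, GRE_PROTO_MPLS_UNICAST)
    body = gre + label_entry(vpn_label, exp, True, ttl) + inner_packet
    return ipv4_header(src, dst, IPPROTO_GRE, len(body)) + body


def receive_tunnel_packet(packet, expected_peer, local_addr):
    """Checks a receiving PE applies.  Returns (vpn_label, inner_packet) or
    raises ValueError naming why the packet is dropped."""
    if len(packet) < 28:
        raise ValueError("truncated packet")
    (ver_ihl, _, total_len, _, _, _, proto, _, src,
     dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0xF) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(packet) or ihl + 8 > total_len:
        raise ValueError("bad IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 checksum")
    if proto != IPPROTO_GRE:
        raise ValueError("not GRE")
    if str(ipaddress.IPv4Address(dst)) != local_addr:
        raise ValueError("not addressed to this PE's tunnel endpoint")
    # GRE carries no authentication: the outer source address is the only
    # thing tying a packet to the tunnel, and anyone who can reach the PE
    # can forge it.  Accepting only the configured peer (and filtering at
    # the network edge, or using IPsec as the later slide describes) is
    # what keeps arbitrary hosts from injecting labeled packets into
    # customer VPNs.
    if str(ipaddress.IPv4Address(src)) != expected_peer:
        raise ValueError(f"GRE from unexpected source {ipaddress.IPv4Address(src)}")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000:          # C, K or S bits: optional fields not handled here
        raise ValueError("unsupported GRE options")
    if ptype != GRE_PROTO_MPLS_UNICAST:
        raise ValueError("GRE payload is not MPLS unicast")
    (entry,) = struct.unpack("!I", packet[ihl + 4:ihl + 8])
    if not entry & 0x100:
        raise ValueError("expected a single-label stack")
    return entry >> 12, packet[ihl + 8:total_len]


def drop_reason(packet, expected_peer, local_addr):
    """Why the packet would be dropped, or None when it is accepted."""
    try:
        receive_tunnel_packet(packet, expected_peer, local_addr)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed customer packet (a bare 20-byte IPv4 header) and VPN label.
SAMPLE_INNER = bytes.fromhex("4500001400010000400100000a0015020a003202")
SAMPLE_LABEL = 100001

if __name__ == "__main__":
    pkt = mpls_in_gre("192.168.8.1", "192.168.28.1", SAMPLE_LABEL, SAMPLE_INNER)
    print(receive_tunnel_packet(pkt, "192.168.8.1", "192.168.28.1"))
```

The source check is the part worth keeping in mind: GRE has no authentication, so a host that can reach 192.168.28.1 and forge a packet from 192.168.8.1 could inject labeled traffic into a customer VPN. Filtering tunnel traffic to the configured peer at the provider edge limits that, and the GRE-plus-IPsec design on a later slide removes it.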


PE-CE GRE Tunnels

[Diagram: provider core (AS 65412, OSPF area 0) with P1, P2 and a PE (lo0: 192.168.24.1, ge-0/0/1); a GRE tunnel between endpoints 192.168.9.98 and 192.168.9.97 crosses an IP network to CE-2 in Network B, which uses private addresses]

• The Junos OS supports PE-to-CE GRE tunnels
  ◦ Allows connection to remote CE devices across an IP backbone
  ◦ The routing-instance configuration option associates the GRE tunnel with the correct routing instance

IPsec and Layer 3 VPN Integration

[Diagram: CE-A (172.20.0/24) – PE-1 (lo0: 192.168.16.1) – provider core (P-n) – PE-2 (lo0: 192.168.24.1) – CE-2 (Network B, 172.20.4/24). A PE-CE IPsec tunnel terminates between a PE's CE-facing interface (10.0.29.1) and the CE (10.0.29.2) and carries PE-CE traffic; a CE-CE IPsec tunnel between CE-A and CE-2 passes through both PE routers and carries CE-CE traffic. The addresses 200.0.1.1 and 200.0.0.1 are labeled on the Network B side]

• The Junos OS supports IPsec/Layer 3 VPN integration
  ◦ IPsec tunnels can terminate between the PE and CE routers
  ◦ CE-CE IPsec tunnels extend through the PE routers
  ◦ IPsec tunnels can use manual or dynamic security associations
  ◦ PE and CE routers both require an AS PIC or ES PIC
  ◦ The PE-PE configuration requires no change; firewall filter-based classification is not used (the PE cannot match on headers inside an encrypted CE-CE tunnel)


PE-PE GRE and IPsec Tunnels

[Diagram: CE-A (172.20.0/24) – PE-1 (lo0: 192.168.16.1) – IP provider core (P-n) – PE-2 (lo0: 192.168.24.1, 200.0.0.1) – CE-2 (Network B, 172.20.4/24). PE-PE traffic between 192.168.16.1 and 192.168.24.1 is carried in a GRE tunnel protected by IPsec]

• Provides BGP/MPLS VPN service without an MPLS backbone
  ◦ Secure transport across the provider's backbone when the CE device does not support IPsec
  ◦ Configure GRE and IPsec tunnels between the PE routers
  ◦ The MPLS information is encapsulated with an IP header and an IPsec header
  ◦ The source address is the ingress PE router; the destination address is the BGP next hop, the address of the egress PE router
  ◦ Only the PE-to-PE segment is protected: the PE-CE attachment circuits, and the PE routers themselves, still handle the customer traffic in clear text