In this example, the carrier customer must run some form of MPLS (Resource Reservation Protocol[RSVP] or LDP) on its network to provide VPN services to the end customer.In the example below, Router B and Router I act as PE routers (orswitches), and a functioning MPLS path is required between these routersif they exchange VPN-IPv4 routes.
For configuration information see the following sections:
- Network Topology for Carrier-of-Carriers Service
- Configuration for Router A
- Configuration for Router B
- Configuration for Router C
- Configuration for Router D
- Configuration for Router E
- Configuration for Router F
- Configuration for Router G
- Configuration for Router H
- Configuration for Router I
- Configuration for Router J
- Configuration for Router K
- Configuration for Router L
Network Topology for Carrier-of-Carriers Service
A carrier-of-carriers service allows an Internet service provider(ISP) to connect to a transparent outsourced backbone at multiplelocations.
Figure 3 shows the network topologyin this carrier-of-carriers example.
Figure 3: Carrier-of-Carriers VPN Example NetworkTopology
Configuration for Router A
In this example, Router A acts as the CE router for the endcustomer. Configure a default family inet
BGP session onRouter A:
[edit]protocols { bgp { group to-routerB { export attached; peer-as 21; neighbor 192.168.197.169; } }}policy-options { policy-statement attached { from protocol direct; then accept; }}
Configuration for Router B
Because Router B is the PE router for the end customer CE router(Router A), you need to configure a routing instance (vpna
). Configure the labeled-unicast
statement on the IBGPsession to Router D, and configure family-inet-vpn
forthe IBGP session to the other side of the network with Router I:
[edit]protocols { mpls { interface fe-1/0/2.0; interface fe-1/0/3.0; } bgp { group int { type internal; local-address 10.255.14.179; neighbor 10.255.14.175 { family inet { labeled-unicast { resolve-vpn; } } } } neighbor 10.255.14.181 { family inet-vpn { any; } } } ospf { area 0.0.0.0 { interface lo0.0 { passive; } interface fe-1/0/3.0; } } ldp { interface fe-1/0/3.0; }}routing-instances { vpna { instance-type vrf; interface fe-1/0/2.0; route-distinguisher 10.255.14.179:21; vrf-import vpna-import; vrf-export vpna-export; protocols { bgp { group vpna-06 { peer-as 1; neighbor 192.168.197.170; } } } }}policy-options { policy-statement vpna-import { term a { from { protocol bgp; community vpna-comm; } then accept; } term b { then reject; } } policy-statement vpna-export { term a { from protocol bgp; then { community add vpna-comm; accept; } } term b { then reject; } } community vpna-comm members target:100:1001;}
Configuration for Router C
Configure Router C as a label-swapping router within the localAS:
[edit]protocols { mpls { traffic-engineering bgp-igp; } ospf { area 0.0.0.0 { interface lo0.0 { passive; } interface fe-0/3/3.0; interface fe-0/3/0.0; } } ldp { interface fe-0/3/0.0; interface fe-0/3/3.0; }}
Configuration for Router D
Router D acts as the CE router for the VPN services providedby the AS10023 network. In the BGP group configuration for group int
, which handles traffic to RouterB (10.255.14.179),you include the labeled-unicast
statement. You also needto configure the BGP group to-isp-red
to send labeled internalroutes to the PE router (Router E).
[edit]protocols { mpls { traffic-engineering bgp-igp; interface fe-0/3/0.0; interface t3-0/0/0.0; } bgp { group int { type internal; local-address 10.255.14.175; neighbor 10.255.14.179 { family inet { labeled-unicast; } } } group to-isp-red { export internal; peer-as 10023; neighbor 192.168.197.13 { family inet { labeled-unicast; } } } } ospf { area 0.0.0.0 { interface lo0.0 { passive; } interface fe-0/3/0.0; } } ldp { interface fe-0/3/0.0; }}policy-options { policy-statement internal { term a { from protocol [ ospf direct ]; then accept; } term b { then reject; } }}
Configuration for Router E
Router E and Router H are PE routers. Configure a PE-router-to-PE-routerBGP session to allow VPN-IPv4 routes to pass between these two PErouters. Configure the routing instance on Router E to send labeledroutes to the CE router (Router D).
Configure Router E:
[edit]protocols { mpls { interface t3-0/2/0.0; interface at-0/1/0.0; } bgp { group pe-pe { type internal; local-address 10.255.14.171; family inet-vpn { any; } neighbor 10.255.14.173; } } isis { interface at-0/1/0.0; interface lo0.0 { passive; } } ldp { interface at-0/1/0.0; }}policy-options { policy-statement vpn-isp1-import { term a { from { protocol bgp; community vpn-isp1-comm; } then accept; } term b { then reject; } } policy-statement vpn-isp1-export { term a { from protocol bgp; then { community add vpn-isp1-comm; accept; } } term b { then reject; } } community vpn-isp1-comm members target:69:21;}routing-instances { vpn-isp1 { instance-type vrf; interface t3-0/2/0.0; route-distinguisher 10.255.14.171:21; vrf-import vpn-isp1-import; vrf-export vpn-isp1-export; protocols { bgp { group to-isp1 { peer-as 21; neighbor 192.168.197.14 { as-override; family inet { labeled-unicast; } } } } } }}
Configuration for Router F
Configure Router F to swap labels for routes running throughits interfaces:
[edit]protocols { isis { interface so-0/2/0.0; interface at-0/3/0.0; interface lo0.0 { passive; } } ldp { interface so-0/2/0.0; interface at-0/3/0.0; }}
Configuration for Router G
Configure Router G:
[edit]protocols { isis { interface so-0/0/0.0; interface so-1/0/0.0; interface lo0.0 { passive; } } ldp { interface so-0/0/0.0; interface so-1/0/0.0; }}
Configuration for Router H
The configuration for Router H is similar to the configurationfor Router E:
[edit]protocols { mpls { interface fe-1/1/0.0; interface so-1/0/0.0; } bgp { group pe-pe { type internal; local-address 10.255.14.173; family inet-vpn { any; } neighbor 10.255.14.171; } } isis { interface so-1/0/0.0; interface lo0.0 { passive; } } ldp { interface so-1/0/0.0; }}routing-instances { vpn-isp1 { instance-type vrf; interface fe-1/1/0.0; route-distinguisher 10.255.14.173:21; vrf-import vpn-isp1-import; vrf-export vpn-isp1-export; protocols { bgp { group to-isp1 { peer-as 21; neighbor 192.168.197.94 { as-override; family inet { labeled-unicast; } } } } } }}policy-options { policy-statement vpn-isp1-import { term a { from { protocol bgp; community vpn-isp1-comm; } then accept; } term b { then reject; } } policy-statement vpn-isp1-export { term a { from protocol bgp; then { community add vpn-isp1-comm; accept; } } term b { then reject; } } community vpn-isp1-comm members target:69:21;}
Configuration for Router I
Router I acts as the PE router for the end customer. The configurationthat follows is similar to the configuration for Router B:
[edit]protocols { mpls { interface fe-1/0/1.0; interface fe-1/1/3.0; } bgp { group int { type internal; local-address 10.255.14.181; neighbor 10.255.14.177 { family inet { labeled-unicast { resolve-vpn; } } } neighbor 10.255.14.179 { family inet-vpn { any; } } } } ospf { area 0.0.0.0 { interface lo0.0 { passive; } interface fe-1/1/3.0; } } ldp { interface fe-1/1/3.0; }}routing-instances { vpna { instance-type vrf; interface fe-1/0/1.0; route-distinguisher 10.255.14.181:21; vrf-import vpna-import; vrf-export vpna-export; protocols { bgp { group vpna-0 { peer-as 1; neighbor 192.168.197.198; } } } }}policy-options { policy-statement vpna-import { term a { from { protocol bgp; community vpna-comm; } then accept; } term b { then reject; } } policy-statement vpna-export { term a { from protocol bgp; then { community add vpna-comm; accept; } } term b { then reject; } } community vpna-comm members target:100:1001;}
Configuration for Router J
Configure Router J to swap labels for routes running throughits interfaces:
[edit]protocols { mpls { traffic-engineering bgp-igp; } ospf { area 0.0.0.0 { interface lo0.0 { passive; } interface fe-1/0/2.0; interface fe-1/0/3.0; } } ldp { interface fe-1/0/2.0; interface fe-1/0/3.0; }}
Configuration for Router K
The configuration for Router K is similar to the configurationfor Router D:
[edit]protocols { mpls { traffic-engineering bgp-igp; interface fe-1/1/2.0; interface fe-1/0/2.0; } bgp { group int { type internal; local-address 10.255.14.177; neighbor 10.255.14.181 { family inet { labeled-unicast; } } } group to-isp-red { export internal; peer-as 10023; neighbor 192.168.197.93 { family inet { labeled-unicast; } } } } ospf { area 0.0.0.0 { interface lo0.0 { passive; } interface fe-1/0/2.0; } } ldp { interface fe-1/0/2.0; }}policy-options { policy-statement internal { term a { from protocol [ ospf direct ]; then accept; } term b { then reject; } }}
Configuration for Router L
In this example, Router L is the end customer’s CE router.Configure a default family inet
BGP session on Router L:
[edit]protocols { bgp { group to-I { export attached; peer-as 21; neighbor 192.168.197.197; } }}policy-options { policy-statement attached { from protocol direct; then accept; }}