Configuring IP-VPN services

IP-VPN services use a combination of MP-BGP and MPLS to distribute IPv4/v6 routing information and provide Layer 3 VPN services.

Each IP-VPN consists of a set of customer end points connected to one or more PE routers. Each associated PE router maintains a separate IP forwarding table for each IP-VPN instance. Additionally, the PE routers exchange the routing information configured or learned from all customer sites via MP-BGP peering. Each route exchanged via the MP-BGP protocol includes a Route Distinguisher (RD), which identifies the IP-VPN association and handles any potential IP address overlap.

Multi-Protocol BGP (MP-BGP) is used to exchange the routes of a particular VPN among the PE routers that are attached to that VPN. This route exchange is done in a way that ensures that routes from different VPNs remain distinct and separate, even if two VPNs have an overlapping address space. When BGP distributes a VPN route it also distributes an MPLS label for that route to identify the advertising IP-VPN instance.

Before a customer data packet travels across the service provider's backbone, it is encapsulated with the MPLS label that corresponds, in the customer's IP-VPN, to the route that best matches the packet's destination address. The MPLS packet is further encapsulated with one or more MPLS labels corresponding to the resolving MPLS path to deliver the packet to the intended egress PE router. The following figure displays an IP-VPN network diagram example.

Figure 1. IP Virtual Private Network
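
The following Python model is an added example, not part of the original page or of any vendor code. It shows how the RD keeps an overlapping prefix distinct in MP-BGP and how the per-route VPN label is selected by a lookup inside one IP-VPN instance. The RD values, route targets, labels and the ip-vrf-blue instance are constructed, and route-target import is simplified to one exact-match target per instance.

```python
import ipaddress
import struct

def encode_rd(rd):
    """Encode a Route Distinguisher into its 8-byte wire form (RFC 4364 types 0-2)."""
    admin, _, assigned = rd.rpartition(":")
    if "." in admin:            # type 1: IPv4 address, 2-byte assigned number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(assigned))
    if int(admin) > 0xFFFF:     # type 2: 4-byte ASN, 2-byte assigned number
        return struct.pack("!HIH", 2, int(admin), int(assigned))
    return struct.pack("!HHI", 0, int(admin), int(assigned))  # type 0: 2-byte ASN

def vpn_route(rd, rt, prefix, label):
    """One VPN-IPv4 route as a PE would advertise it over MP-BGP."""
    net = ipaddress.ip_network(prefix)
    nlri = (encode_rd(rd) + net.network_address.packed, net.prefixlen)
    return {"nlri": nlri, "net": net, "rt": rt, "label": label}

class IngressPE:
    def __init__(self, import_rt):
        self.import_rt = import_rt                    # VRF name -> imported route target
        self.bgp_table = {}                           # keyed by RD + prefix
        self.vrf_tables = {vrf: [] for vrf in import_rt}

    def receive(self, route):
        self.bgp_table[route["nlri"]] = route         # same prefix, different RD: no collision
        for vrf, rt in self.import_rt.items():
            if rt == route["rt"]:                     # only the matching VRF installs it
                self.vrf_tables[vrf].append(route)

    def service_label(self, vrf, dst):
        """Longest-prefix match in one VRF; the result is the inner (VPN) label."""
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.vrf_tables[vrf] if addr in r["net"]]
        return max(hits, key=lambda r: r["net"].prefixlen)["label"] if hits else None

def demo():
    # Constructed values: RDs, route targets, labels and ip-vrf-blue are not from the page.
    pe = IngressPE({"ip-vrf-red": "target:65550:1", "ip-vrf-blue": "target:65550:2"})
    pe.receive(vpn_route("10.10.10.2:1", "target:65550:1", "10.30.30.0/24", 1001))
    pe.receive(vpn_route("10.10.10.2:2", "target:65550:2", "10.30.30.0/24", 1002))
    return pe

if __name__ == "__main__":
    pe = demo()
    print(len(pe.bgp_table), "distinct VPN-IPv4 routes for one overlapping prefix")
    for vrf in pe.vrf_tables:
        print(vrf, "-> VPN label", pe.service_label(vrf, "10.30.30.7"))
```

A route carrying the wrong route target would be installed in the wrong instance's table, so the route-target values deserve the same review as the RD when checking tenant separation.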

IP-VPN configuration

The following is an example of an IP-VPN configuration.

--{ * candidate shared default }--[  ]--
A:srl1# info interface ethernet-1/2
    interface ethernet-1/2 {
        admin-state enable
        subinterface 1 {
            type routed
            admin-state enable
            ipv4 {
                address 10.30.30.1/24 {
                }
            }
        }
    }
A:srl1# info network-instance Base
    network-instance Base {
        type default
        protocols {
            bgp {
                admin-state enable
                autonomous-system 65550
                router-id 10.10.10.1
                afi-safi l3vpn-ipv4-unicast {
                    admin-state enable
                }
                group base-group {
                }
                neighbor 10.10.10.2 {
                    peer-group base-group
                }
            }
        }
    }

--{ * candidate shared default }--[  ]--
A:srl1# info network-instance ip-vrf-red
    network-instance ip-vrf-red {
        type ip-vrf
        interface ethernet-1/2 {
            interface-ref {
                interface ethernet-1/2
                subinterface 1
            }
        }
        protocols {
            bgp-ipvpn {
                bgp-instance 1 {
                    admin-state enable
                    ecmp 8
                    mpls {
                        next-hop-resolution {
                            allowed-tunnel-types [
                                ldp
                                sr-isis
                            ]
                        }
                    }
                }
            }
            bgp {
                admin-state enable
                autonomous-system 65551
                router-id 10.10.10.1
                afi-safi ipv4-unicast {
                    admin-state enable
                }
                group ip-vrf-red-peers {
                    admin-state enable
                    afi-safi ipv4-unicast {
                    }
                }
                neighbor 10.10.10.3 {
                    peer-group ip-vrf-red-peers
                }
            }
            bgp-vpn {
                bgp-instance 1 {
                    route-distinguisher {}
                    route-target {}
                }
            }
        }
    }