[j-nsp] l3vpn

Pedro Roque Marques roque at juniper.net
Wed Oct 19 13:41:03 EDT 2005


Alexander Arsenyev GU/ETL wrote:
> OK, how are the return packets going to be routed/forwarded?

Let's assume a given problem:

    customer 1 ---
                  [aggr] --- [pe] --- [vpn network]
    customer 2 ---


We have 2 customers being aggregated by a non VPN capable box... and we 
want to be able to actually deliver VPN service to them bypassing this 
limitation.

So we create 3 VRFs on the PE.
o customer 1
o customer 2
o aggr

The interface(s) go into the aggr VRF.

Then let's assume BGP as PE-CE, just to make things easy.

You have:

routing-instances {
    aggr {
        instance-type vrf;
        vrf-import reject-all;
        vrf-export aggr-export;
        interface foo;                  /* switch interface */
        routing-options auto-export;
        no-vrf-advertise;
        forwarding-options family inet filter input <apply-scu>;
        protocols bgp {
            group pe-ce {
                neighbor <1> {
                    peer-as <1>;
                    import <policy-1>;  /* set customer community */
                }
                neighbor <2> {
                    peer-as <2>;
                    import <policy-2>;
                }
            }
        }
    }
    customer-1 {
        instance-type vrf;
        vrf-target target:<vpn-1>;
        routing-options auto-export;
    }
    customer-2 {
        instance-type vrf;
        vrf-target target:<vpn-2>;
        routing-options auto-export;
    }
}

routing-options forwarding-table export <set-scu>;
interfaces foo unit x family inet accounting source-class-usage;

policy-options {
    policy-statement set-scu {
        term a {
            from community customer-1;
            then source-class customer-1;
        }
        term b {
            from community customer-2;
            then source-class customer-2;
        }
    }
    policy-statement aggr-export {
        term a {
            from community customer-1;
            then community add target:<vpn-1>;
        }
        term b {
            from community customer-2;
            then community add target:<vpn-2>;
        }
        then reject;
    }
}

firewall filter apply-scu {
    term a {
        from source-class customer-1;
        then routing-instance customer-1;
    }
    term b {
        from source-class customer-2;
        then routing-instance customer-2;
    }
}

In English:
o The aggregation VRF receives routing from the CEs and uses the
received routes to do a source lookup and assign traffic to the
respective VRFs.

o The aggregation vrf-export policy is doing the same thing for control 
information... routes tagged w/ target:<vpn-1> will then be 
auto-exported to the customer-1 vrf, which will give you the return path.

[note that the config above was untested and all from memory... I may
have goofed up some of the config commands].

have fun,
   Pedro.

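The two mechanisms in the post (a source lookup that maps a CE route's community to a source class and then steers the packet into a customer VRF, and a vrf-export policy that tags the same routes with a target so auto-export leaks them into that VRF for the return path) can be traced side by side in a small model. The following is an added example written for this page, not configuration or code from the original post or from Juniper; the prefixes, neighbour names, community names and route-target values are constructed placeholders, and the functions model Junos behaviour in simplified form (longest-prefix match, a default-accept filter that leaves unmatched traffic in the aggr VRF).

```python
"""Model of the aggr-VRF steering scheme described in the post.

Added example, not from the original message. All addresses, AS numbers,
communities and targets are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    communities: set


# PE-CE import policies (<policy-1>, <policy-2>): tag each neighbour's
# routes with that customer's community.
CE_POLICY = {"ce-1": "customer-1", "ce-2": "customer-2"}

# Constructed prefixes learned from each CE behind the aggregator.
CE_ROUTES = {
    "ce-1": ["10.1.0.0/16", "10.3.0.0/24"],
    "ce-2": ["10.2.0.0/16", "10.3.1.0/24"],
}

# set-scu policy: community -> source class (names coincide, as in the post).
SET_SCU = {"customer-1": "customer-1", "customer-2": "customer-2"}

# apply-scu filter: source class -> routing-instance to forward in.
APPLY_SCU = {"customer-1": "customer-1", "customer-2": "customer-2"}

# aggr-export policy and the customer VRFs' vrf-target (constructed values).
AGGR_EXPORT = {"customer-1": "target:65000:1", "customer-2": "target:65000:2"}
VRF_TARGET = {"customer-1": "target:65000:1", "customer-2": "target:65000:2"}


def build_aggr_vrf():
    """Routes as they sit in the aggr VRF after the per-neighbour import policy."""
    table = []
    for nbr, prefixes in CE_ROUTES.items():
        for p in prefixes:
            table.append(Route(ipaddress.ip_network(p), {CE_POLICY[nbr]}))
    return table


def lookup(table, addr):
    """Longest-prefix match, as the FIB does; None when nothing covers addr."""
    addr = ipaddress.ip_address(addr)
    best = None
    for r in table:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def source_class(table, src):
    """Source lookup in the aggr FIB, then set-scu picks the class from the community."""
    r = lookup(table, src)
    if r is None:
        return None
    for comm, scu in SET_SCU.items():
        if comm in r.communities:
            return scu
    return None


def steer(table, src):
    """Data plane: the VRF a packet with source src is forwarded in.

    An unmatched packet falls through the filter and stays in aggr.
    """
    return APPLY_SCU.get(source_class(table, src), "aggr")


def aggr_export(route):
    """vrf-export aggr-export: add the customer's target, reject untagged routes."""
    for comm, target in AGGR_EXPORT.items():
        if comm in route.communities:
            return Route(route.prefix, route.communities | {target})
    return None  # final 'then reject'


def auto_export(aggr_table):
    """Control plane: each customer VRF imports the exported routes carrying its target."""
    vrfs = {name: [] for name in VRF_TARGET}
    for r in aggr_table:
        exported = aggr_export(r)
        if exported is None:
            continue
        for name, target in VRF_TARGET.items():
            if target in exported.communities:
                vrfs[name].append(exported)
    return vrfs


def has_return_path(vrfs, vrf, dst):
    """True when the customer VRF holds a route back toward the CE address dst."""
    return lookup(vrfs[vrf], dst) is not None


if __name__ == "__main__":
    aggr = build_aggr_vrf()
    vrfs = auto_export(aggr)
    for src in ("10.1.5.5", "10.3.1.9", "192.0.2.1"):
        print(src, "->", steer(aggr, src))
    print("return path in customer-1 to 10.1.5.5:", has_return_path(vrfs, "customer-1", "10.1.5.5"))
    print("return path in customer-2 to 10.1.5.5:", has_return_path(vrfs, "customer-2", "10.1.5.5"))
```

Running the model shows the two planes agreeing: a packet sourced from a ce-1 prefix is steered into customer-1, and only customer-1 receives the leaked route back toward that source, so the return path exists where the forward path put the traffic and nowhere else. A source that no CE route covers stays in aggr, which is the behaviour to check for when verifying a configuration like this, since such traffic never reaches a customer VRF.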
