[j-nsp] MPLS for management VPN question

Truman Boyes truman at suspicious.org
Thu Jun 4 09:46:25 EDT 2009


Some notes inline:

On 4/06/2009, at 9:13 PM, Jeff Meyers wrote:

> Truman Boyes wrote:
>
> Hi,
>
> thanks for your answer so far.
>
>> You then need to define a route-distinguisher, and route targets  
>> (or simply vrf-target under the VRF) to import/export the routes  
>> for this VPN from other PEs.
>
> Can you provide an example for that? That would be a L3VPN, right?  
> Why would I need any routes to be known on the router? Basically I  
> only need 192.168.0.0/16 to be the management subnet globally  
> without any default gateways.

Ok, so if I understand this correctly, you have a management network  
that you want to carry across your MPLS network and you want to make  
all the devices on the management network be able to reach each other?

If the "management network" exists in multiple places, then it will  
need to be appropriate subnets at each location. For example, you  
might decide to break up the 192.168.0.0/16 network by assigning /24's  
to each site. Then you can route between the subnets with a L3 VPN,  
using the PE/MPLS Cloud as the gateway(s). You mention that you don't  
need gateways ... so if you simply want to connect a management  
network at layer 2 across the MPLS network, then you have about 3  
options:

You can build VPLS instances (multipoint)
You can build L2VPNs (point to point)
You can build L2Circuits (point to point)

In the past I have built management networks in L3VPNs because it  
provides the flexibility to allow some of these routes to be leaked  
into other VRFs. However, if all you want to do is make your MPLS  
network carry the management network just like an ethernet switch
would, then VPLS will be your friend.

Take a look at the documentation on L3VPN and VPLS, it should walk you  
through the steps to building the configuration.

Kind regards,
Truman




>> Later on you might want to connect some of your NMS/OSS systems  
>> into the VRF so they can reach the devices on the management VPN.
>
> So I simply add the devices to the vlan 100 on the existing ae Link  
> with .1q tagged vlans? No special encapsulation needed on juniper  
> side?

If you are terminating VLANs, you need vlan-tagging on the major  
interface, and a vlan id on the unit. Nothing special here. This is  
for routing (ie. L3VPNs). When doing VPLS you need to change the  
encapsulation to allow the router to grab the whole ethernet frame.

>
> Thanks,
> Jeff
>
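
Added example (not part of the original thread, and not the poster's or Juniper's own configuration): a Junos set-style sketch of the two approaches discussed above, the routed L3VPN with route-distinguisher and vrf-target, and the VPLS alternative with the changed encapsulation. The interface ae0, VLAN 100, AS 65000, loopback 10.255.0.1, the addresses and the instance names are constructed values, and it assumes MPLS LSPs and MP-BGP (family inet-vpn or l2vpn signaling) between the PEs are already in place.

```junos
# Constructed values throughout: ae0, VLAN 100, AS 65000, 10.255.0.1, names.
# Options A and B are alternatives for the same unit; configure one, not both.

# --- Option A: L3VPN, one /24 of 192.168.0.0/16 per site, PE is the gateway ---
# Plain VLAN termination: vlan-tagging on the major interface, vlan-id on the unit.
set interfaces ae0 vlan-tagging
set interfaces ae0 unit 100 vlan-id 100
set interfaces ae0 unit 100 family inet address 192.168.1.1/24
# The VRF keeps management routes out of the global table (inet.0).
set routing-instances MGMT instance-type vrf
set routing-instances MGMT interface ae0.100
# RD makes this PE's routes unique in BGP; use a different RD on each PE.
set routing-instances MGMT route-distinguisher 10.255.0.1:100
# vrf-target imports and exports the same community; use the same value on every PE.
set routing-instances MGMT vrf-target target:65000:100
# Lets the egress PE do an IP lookup in the VRF for the directly connected LAN.
set routing-instances MGMT vrf-table-label

# --- Option B: VPLS, the MPLS network behaves like an ethernet switch ---
# No IP address on the unit; the encapsulation hands the whole frame to VPLS.
set interfaces ae0 vlan-tagging
# Per-unit encapsulation, so other units on ae0 can stay routed.
set interfaces ae0 encapsulation flexible-ethernet-services
set interfaces ae0 unit 100 encapsulation vlan-vpls
set interfaces ae0 unit 100 vlan-id 100
set interfaces ae0 unit 100 family vpls
set routing-instances MGMT-L2 instance-type vpls
set routing-instances MGMT-L2 interface ae0.100
set routing-instances MGMT-L2 route-distinguisher 10.255.0.1:200
set routing-instances MGMT-L2 vrf-target target:65000:200
# BGP-signaled VPLS: each PE needs a unique site-identifier within site-range.
set routing-instances MGMT-L2 protocols vpls site-range 10
set routing-instances MGMT-L2 protocols vpls site PE1 site-identifier 1
# Use label-switched interfaces instead of a tunnel services PIC.
set routing-instances MGMT-L2 protocols vpls no-tunnel-services
```

With option A, only routes carrying target:65000:100 are imported into the MGMT table, so the management subnets stay unreachable from other VRFs unless a route target is deliberately leaked.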


