Interprovider L3VPN Option B on a vMX

Implementation Description

In this article, I will build an Interprovider L3VPN Option B setup on a single vMX. Each individual router will be configured as a logical router. The vMX router has a back-to-back connection between ge-0/0/0 and ge-0/0/1 ports. For each different link, a different VLAN number will be configured to separate the traffic generated based on router ID number.

Network Diagram

IP Allocation

  • AS 20: 192.168.20.0/16
    • CE 21: 192.168.0.21/32
    • CE 22: 192.168.0.22/32
    • Link 1121: 192.168.20.0/31
    • Link 1622: 192.168.20.2/31
  • AS 30: 192.168.30.0/16
    • CE 31: 192.168.0.31/32
    • CE 32: 192.168.0.32/32
    • Link 1131: 192.168.30.0/31
    • Link 1632: 192.168.30.2/31
  • AS 100: 10.100.0.0/16
    • PE 11: 10.100.0.11/32
    • P 12: 10.100.0.12/32
    • ASBR 13: 10.100.0.13/32
    • Internal Links: 10.100.1.0/16
  • AS 200: 10.200.0.0/16
    • PE 16: 10.200.0.16/32
    • P 15: 10.200.0.15/32
    • ASBR 14: 10.200.0.14/32
    • Internal Links: 10.200.1.0/16
  • Inter-ASBR link:
    • Link 1314: 172.167.12.0/31

Full Configuration

## Last changed: 2018-03-07 07:03:07 UTC
version 15.1F4.15;
groups {
    isis {
        logical-systems {
            <*> {
                protocols {
                    isis {
                        level 1 disable;
                        interface <*> {
                            point-to-point;
                        }
                    }
                }
            }
        }
    }
}
apply-groups isis;
system {
    host-name MX;
    root-authentication {
        encrypted-password "$5$L3F31155$kVyagZl2v/WM9s32/hi7VCXxM5o0vupYD.LO3uvCif4"; ## SECRET-DATA
    }
    services {
        ssh;
        netconf {
            ssh;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
logical-systems {
    11-PE {
        interfaces {
            ge-0/0/0 {
                unit 1112 {
                    vlan-id 1112;
                    family inet {
                        address 10.100.1.0/31;
                    }
                    family iso;
                    family mpls;
                }
                unit 1121 {
                    vlan-id 1121;
                    family inet {
                        address 192.168.20.0/31;
                    }
                }
                unit 1131 {
                    vlan-id 1131;
                    family inet {
                        address 192.168.30.0/31;
                    }
                }
            }
            lo0 {
                unit 11 {
                    family inet {
                        address 10.100.0.11/32;
                    }
                    family iso {
                        address 49.0100.0101.0000.0011.00;
                    }
                }
            }
        }
        protocols {
            mpls {
                interface all;
            }
            bgp {
                group internal {
                    type internal;
                    local-address 10.100.0.11;
                    family inet-vpn {
                        any;
                    }
                    neighbor 10.100.0.13;
                }
            }
            isis {
                interface ge-0/0/0.1112;
                interface lo0.11;
            }
            ldp {
                interface all;
            }
        }
        routing-instances {
            Cust-20 {
                instance-type vrf;
                interface ge-0/0/0.1121;
                route-distinguisher 10.100.0.11:20;
                vrf-target target:0.0.100.200:20;
                protocols {
                    bgp {
                        group to-Cust {
                            type external;
                            peer-as 20;
                            as-override;
                            neighbor 192.168.20.1;
                        }
                    }
                }
            }
            Cust-30 {
                instance-type vrf;
                interface ge-0/0/0.1131;
                route-distinguisher 10.100.0.11:30;
                vrf-target target:0.0.100.200:30;
                protocols {
                    bgp {
                        group to-Cust {
                            type external;
                            peer-as 30;
                            as-override;
                            neighbor 192.168.30.1;
                        }
                    }
                }
            }
        }
        routing-options {
            autonomous-system 100;
        }
    }
    12-P {
        interfaces {
            ge-0/0/0 {
                unit 1213 {
                    vlan-id 1213;
                    family inet {
                        address 10.100.1.2/31;
                    }
                    family iso;
                    family mpls;
                }
            }
            ge-0/0/1 {
                unit 1112 {
                    vlan-id 1112;
                    family inet {
                        address 10.100.1.1/31;
                    }
                    family iso;
                    family mpls;
                }
            }
            lo0 {
                unit 12 {
                    family inet {
                        address 10.100.0.12/32;
                    }
                    family iso {
                        address 49.0100.0101.0000.0012.00;
                    }
                }
            }
        }
        protocols {
            mpls {
                interface all;
            }
            isis {
                interface all;
            }
            ldp {
                interface all;
            }
        }
        routing-options {
            autonomous-system 100;
        }
    }
    13-ASBR {
        interfaces {
            ge-0/0/0 {
                unit 1314 {
                    vlan-id 1314;
                    family inet {
                        address 172.167.12.0/31;
                    }
                    family mpls;
                }
            }
            ge-0/0/1 {
                unit 1213 {
                    vlan-id 1213;
                    family inet {
                        address 10.100.1.3/31;
                    }
                    family iso;
                    family mpls;
                }
            }
            lo0 {
                unit 13 {
                    family inet {
                        address 10.100.0.13/32;
                    }
                    family iso {
                        address 49.0100.0101.0000.0013.00;
                    }
                }
            }
        }
        protocols {
            mpls {
                interface all;
            }
            bgp {
                group internal {
                    type internal;
                    local-address 10.100.0.13;
                    family inet-vpn {
                        any;
                    }
                    neighbor 10.100.0.11;
                }
                group to-AS200 {
                    type external;
                    family inet-vpn {
                        any;
                    }
                    peer-as 200;
                    neighbor 172.167.12.1;
                }
            }
            isis {
                interface all;
            }
            ldp {
                interface ge-0/0/1.1213;
                interface lo0.13;
            }
        }
        routing-options {
            autonomous-system 100;
        }
    }
    14-ASBR {
        interfaces {
            ge-0/0/0 {
                unit 1415 {
                    vlan-id 1415;
                    family inet {
                        address 10.200.1.4/31;
                    }
                    family iso;
                    family mpls;
                }
            }
            ge-0/0/1 {
                unit 1314 {
                    vlan-id 1314;
                    family inet {
                        address 172.167.12.1/31;
                    }
                    family mpls;
                }
            }
            lo0 {
                unit 14 {
                    family inet {
                        address 10.200.0.14/32;
                    }
                    family iso {
                        address 49.0200.0102.0000.0014.00;
                    }
                }
            }
        }
        protocols {
            mpls {
                interface all;
            }
            bgp {
                group internal {
                    type internal;
                    local-address 10.200.0.14;
                    family inet-vpn {
                        any;
                    }
                    neighbor 10.200.0.16;
                }
                group to-AS100 {
                    type external;
                    family inet-vpn {
                        any;
                    }
                    peer-as 100;
                    neighbor 172.167.12.0;
                }
            }
            isis {
                interface all;
            }
            ldp {
                interface ge-0/0/0.1415;
                interface lo0.14;
            }
        }
        routing-options {
            autonomous-system 200;
        }
    }
    15-P {
        interfaces {
            ge-0/0/0 {
                unit 1516 {
                    vlan-id 1516;
                    family inet {
                        address 10.200.1.6/31;
                    }
                    family iso;
                    family mpls;
                }
            }
            ge-0/0/1 {
                unit 1415 {
                    vlan-id 1415;
                    family inet {
                        address 10.200.1.5/31;
                    }
                    family iso;
                    family mpls;
                }
            }
            lo0 {
                unit 15 {
                    family inet {
                        address 10.200.0.15/32;
                    }
                    family iso {
                        address 49.0200.0102.0000.0015.00;
                    }
                }
            }
        }
        protocols {
            mpls {
                interface all;
            }
            isis {
                interface all;
            }
            ldp {
                interface all;
            }
        }
    }
    16-PE {
        interfaces {
            ge-0/0/0 {
                unit 1622 {
                    vlan-id 1622;
                    family inet {
                        address 192.168.20.2/31;
                    }
                }
                unit 1632 {
                    vlan-id 1632;
                    family inet {
                        address 192.168.30.2/31;
                    }
                }
            }
            ge-0/0/1 {
                unit 1516 {
                    vlan-id 1516;
                    family inet {
                        address 10.200.1.7/31;
                    }
                    family iso;
                    family mpls;
                }
            }
            lo0 {
                unit 16 {
                    family inet {
                        address 10.200.0.16/32;
                    }
                    family iso {
                        address 49.0200.0102.0000.0016.00;
                    }
                }
            }
        }
        protocols {
            mpls {
                interface all;
            }
            bgp {
                group internal {
                    type internal;
                    local-address 10.200.0.16;
                    family inet-vpn {
                        any;
                    }
                    neighbor 10.200.0.14;
                }
            }
            isis {
                interface all;
            }
            ldp {
                interface all;
            }
        }
        routing-instances {
            Cust-20 {
                instance-type vrf;
                interface ge-0/0/0.1622;
                route-distinguisher 10.100.0.16:20;
                vrf-target target:0.0.100.200:20;
                protocols {
                    bgp {
                        group to-Cust {
                            type external;
                            peer-as 20;
                            as-override;
                            neighbor 192.168.20.3;
                        }
                    }
                }
            }
            Cust-30 {
                instance-type vrf;
                interface ge-0/0/0.1632;
                route-distinguisher 10.100.0.16:30;
                vrf-target target:0.0.100.200:30;
                protocols {
                    bgp {
                        group to-Cust {
                            type external;
                            peer-as 30;
                            as-override;
                            neighbor 192.168.30.3;
                        }
                    }
                }
            }
        }
        routing-options {
            autonomous-system 200;
        }
    }
    21-CE {
        interfaces {
            ge-0/0/1 {
                unit 1121 {
                    vlan-id 1121;
                    family inet {
                        address 192.168.20.1/31;
                    }
                }
            }
            lo0 {
                unit 21 {
                    family inet {
                        address 192.168.0.21/32;
                    }
                }
            }
        }
        protocols {
            bgp {
                group AS100 {
                    type external;
                    export to-bgp;
                    peer-as 100;
                    neighbor 192.168.20.0;
                }
            }
        }
        policy-options {
            policy-statement to-bgp {
                from protocol direct;
                then accept;
            }
        }
        routing-options {
            autonomous-system 20;
        }
    }
    22-CE {
        interfaces {
            ge-0/0/1 {
                unit 1622 {
                    vlan-id 1622;
                    family inet {
                        address 192.168.20.3/31;
                    }
                }
            }
            lo0 {
                unit 22 {
                    family inet {
                        address 192.168.0.22/32;
                    }
                }
            }
        }
        protocols {
            bgp {
                group AS200 {
                    type external;
                    export to-bgp;
                    peer-as 200;
                    neighbor 192.168.20.2;
                }
            }
        }
        policy-options {
            policy-statement to-bgp {
                from protocol direct;
                then accept;
            }
        }
        routing-options {
            autonomous-system 20;
        }
    }
    31-CE {
        interfaces {
            ge-0/0/1 {
                unit 1131 {
                    vlan-id 1131;
                    family inet {
                        address 192.168.30.1/31;
                    }
                }
            }
            lo0 {
                unit 31 {
                    family inet {
                        address 192.168.0.31/32;
                    }
                }
            }
        }
        protocols {
            bgp {
                group AS100 {
                    type external;
                    export to-bgp;
                    peer-as 100;
                    neighbor 192.168.30.0;
                }
            }
        }
        policy-options {
            policy-statement to-bgp {
                from protocol direct;
                then accept;
            }
        }
        routing-options {
            autonomous-system 30;
        }
    }
    32-CE {
        interfaces {
            ge-0/0/1 {
                unit 1632 {
                    vlan-id 1632;
                    family inet {
                        address 192.168.30.3/31;
                    }
                }
            }
            lo0 {
                unit 32 {
                    family inet {
                        address 192.168.0.32/32;
                    }
                }
            }
        }
        protocols {
            bgp {
                group AS200 {
                    type external;
                    export to-bgp;
                    peer-as 200;
                    neighbor 192.168.30.2;
                }
            }
        }
        policy-options {
            policy-statement to-bgp {
                from protocol direct;
                then accept;
            }
        }
        routing-options {
            autonomous-system 30;
        }
    }
}
interfaces {
    ge-0/0/0 {
        description "to ge-0/0/1";
        vlan-tagging;
    }
    ge-0/0/1 {
        description "to ge-0/0/0";
        vlan-tagging;
    }
    ge-0/0/2 {
        description "to ge-0/0/3";
        vlan-tagging;
    }
    ge-0/0/3 {
        description "to ge-0/0/2";
        vlan-tagging;
    }
    ge-0/0/4 {
        description "to ge-0/0/5";
        vlan-tagging;
    }
    ge-0/0/5 {
        description "to ge-0/0/4";
        vlan-tagging;
    }
    ge-0/0/6 {
        description "to ge-0/0/7";
        vlan-tagging;
    }
    ge-0/0/7 {
        description "to ge-0/0/6";
        vlan-tagging;
    }
    ge-0/0/8 {
        description "to eth1";
    }
    ge-0/0/9 {
        description "to eth2";
    }
    fxp0 {
        unit 0 {
            family inet {
                address 192.168.83.11/24;
            }
        }
    }
}

Verification

root@MX:21-CE> show route    

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.0.21/32    *[Direct/0] 00:09:22
                    > via lo0.21
192.168.0.22/32    *[BGP/170] 00:00:14, localpref 100
                      AS path: 100 200 100 I, validation-state: unverified
                    > to 192.168.20.0 via ge-0/0/1.1121
192.168.20.0/31    *[Direct/0] 00:08:44
                    > via ge-0/0/1.1121
192.168.20.1/32    *[Local/0] 00:08:44
                      Local via ge-0/0/1.1121
192.168.20.2/31    *[BGP/170] 00:00:13, localpref 100
                      AS path: 100 200 I, validation-state: unverified
                    > to 192.168.20.0 via ge-0/0/1.1121

root@MX:21-CE> ping 192.168.0.22 count 3 source 192.168.0.21  
PING 192.168.0.22 (192.168.0.22): 56 data bytes
64 bytes from 192.168.0.22: icmp_seq=0 ttl=52 time=11.001 ms
64 bytes from 192.168.0.22: icmp_seq=1 ttl=52 time=11.744 ms
64 bytes from 192.168.0.22: icmp_seq=2 ttl=52 time=12.737 ms

--- 192.168.0.22 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 11.001/11.827/12.737/0.711 ms

Label Operation

1. Customer router will send simple traffic.

root@MX:21-CE> show route 192.168.0.22 

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.0.22/32    *[BGP/170] 00:05:25, localpref 100
                      AS path: 100 200 100 I, validation-state: unverified
                    > to 192.168.20.0 via ge-0/0/1.1121

2. Router 11-PE will add two labels to the traffic, L3VPN label and LDP transport label.

root@MX:11-PE> show route 192.168.0.22 

Cust-20.inet.0: 5 destinations, 6 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.0.22/32    *[BGP/170] 00:06:06, localpref 100, from 10.100.0.13
                      AS path: 200 20 I, validation-state: unverified
                    > to 10.100.1.1 via ge-0/0/0.1112, Push 299840, Push 299792(top)

root@MX:11-PE> show route table mpls 

mpls.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0                  *[MPLS/0] 00:16:38, metric 1
                      Receive
1                  *[MPLS/0] 00:16:38, metric 1
                      Receive
2                  *[MPLS/0] 00:16:38, metric 1
                      Receive
13                 *[MPLS/0] 00:16:38, metric 1
                      Receive
299776             *[LDP/9] 00:15:38, metric 1
                    > to 10.100.1.1 via ge-0/0/0.1112, Pop      
299776(S=0)        *[LDP/9] 00:15:38, metric 1
                    > to 10.100.1.1 via ge-0/0/0.1112, Pop      
299792             *[LDP/9] 00:15:13, metric 1
                    > to 10.100.1.1 via ge-0/0/0.1112, Swap 299792
299808             *[VPN/170] 00:14:21
                    > to 192.168.20.1 via ge-0/0/0.1121, Pop      
299824             *[VPN/170] 00:14:21
                    > to 192.168.30.1 via ge-0/0/0.1131, Pop      

3. Router 12-P is PHP and will pop the LDP label.

root@MX:12-P> show route 192.168.0.22  

root@MX:12-P> show route label 299792 

root@MX:12-P> show route label 299792 

mpls.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

299792             *[LDP/9] 00:16:25, metric 1
                    > to 10.100.1.3 via ge-0/0/0.1213, Pop      
299792(S=0)        *[LDP/9] 00:16:25, metric 1
                    > to 10.100.1.3 via ge-0/0/0.1213, Pop      

4. Router 13-ASBR will swap the L3VPN label.

root@MX:13-ASBR> show route table bgp.l3vpn.0                                  

bgp.l3vpn.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

[...]
10.100.0.16:20:192.168.0.22/32                
                   *[BGP/170] 00:11:44, localpref 100
                      AS path: 200 20 I, validation-state: unverified
                    > to 172.167.12.1 via ge-0/0/0.1314, Push 299808
[...]


root@MX:13-ASBR> show route label 299840 

mpls.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

299840             *[VPN/170] 00:21:11
                    > to 172.167.12.1 via ge-0/0/0.1314, Swap 299808

5. Router 14-ASBR will swap L3VPN label and will push LDP label.

root@MX:14-ASBR> show route table bgp.l3vpn.0 

bgp.l3vpn.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

[...]
10.100.0.16:20:192.168.0.22/32                
                   *[BGP/170] 00:20:30, localpref 100, from 10.200.0.16
                      AS path: 20 I, validation-state: unverified
                    > to 10.200.1.5 via ge-0/0/0.1415, Push 299808, Push 299776(top)
[...]

root@MX:14-ASBR> show route label 299808                     

mpls.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

299808             *[VPN/170] 00:27:53, metric2 1, from 10.200.0.16
                    > to 10.200.1.5 via ge-0/0/0.1415, Swap 299808, Push 299776(top)

6. Router 15-P is PHP and will pop the LDP label.

root@MX:15-P> show route 192.168.0.22 

root@MX:15-P> show route label 299776    

mpls.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

299776             *[LDP/9] 00:33:15, metric 1
                    > to 10.200.1.7 via ge-0/0/0.1516, Pop      
299776(S=0)        *[LDP/9] 00:33:15, metric 1
                    > to 10.200.1.7 via ge-0/0/0.1516, Pop 

7. Router 16-PE will pop L3VPN label and will forward simple traffic to the end customer.

root@MX:16-PE> show route label 299808 

mpls.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

299808             *[VPN/170] 00:33:13
                    > to 192.168.20.3 via ge-0/0/0.1622, Pop      

root@MX:16-PE> show route 192.168.0.22    

Cust-20.inet.0: 5 destinations, 6 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.0.22/32    *[BGP/170] 00:34:52, localpref 100
                      AS path: 20 I, validation-state: unverified
                    > to 192.168.20.3 via ge-0/0/0.1622

The Factors that Limit the Scalability of this Method

  • In this solution, ASBR routers keep all VPN-IPv4 routes in the routing information base (RIB), and the labels associated with the prefixes are kept in the forwarding information base (FIB). Because the RIB and FIB tables can take too much of the respective allocated memory, this solution is not very scalable for an interprovider VPN.
  • If a transit SP is used between SP1 and SP2, the transit SP also has to keep all VPN-IPv4 routes in the RIB and the corresponding labels in the FIB. The ASBRs at the transit SP have the same functionality as ASBRs at SP1 or SP2 in this solution.

Sources: