Implementing Layer 3 VPNs over L2TPv3 Tunnels
Layer 3 VPNs can be implemented in conjunction with L2TPv3 tunnels. The solution lends itself to implementation where the SP does not implement MPLS transport mechanism in the core to forward packets. Implementation of L2TPv3 tunnels creates a tunnel network as an overlay to the IP backbone, which interconnects the PE routers to transport VPN traffic. The multipoint tunnel uses BGP to distribute VPNv4 information between PE routers. The advertised next hop in BGP VPNv4 triggers tunnel endpoint discovery. Dynamic L3 VPN implementation over multipoint L2TPv3 tunnels provides the ability for multiple service providers to cooperate and offer a joint VPN service with traffic tunneled directly from the ingress PE router at one service provider directly to the egress PE router at a different service provider site.
When implementing dynamic L3VPNs over L2TPv3 tunnels, the addition of new remote VPN peers is simplified because only the new router needs to be configured. The new address is learned dynamically and propagated to the other nodes in the network.
In Figure 10-9, Customer A routers CE1-A, CE2-A, and CE3-A are to be connected using dynamic Layer 3 VPN over L2TPv3 tunnels by the service provider routers PE1-AS1, PE2-AS1, and PE3-AS1. Static PE to CE is configured for the Customer A CE routers. In addition, no MPLS is configured in the core transport network, and all traffic between Customer A sites is propagated using L2TPv3 tunnels between the PE routers in the SP network.
Figure 10-9 shows the base configuration of devices prior to the implementation of L3VPN over L2TPv3 tunnels. All configurations on the PE routers are the same as in the case of regular static PE to CE configurations. The only difference is that no MPLS is enabled on the core interfaces, and L2TPv3 tunnels are configured to enable route propagation between PE routers that belong to Customer A.
Configuring L3VPN over L2TPv3 Tunnels
Figure 10-10 shows the configuration flowchart for the PE routers in addition to the configuration shown in Figure 10-9. The steps shown in the flowchart are explained here:
Step 1. | Configure an additional VRF that will be used to transport mGRE. |
Step 2. | Configure a tunnel interface and assign the tunnel interface as part of the mGRE associated VRF. Configure an IP address and a tunnel mode to be l3vpn l2tpv3 multipoint. |
Step 3. | Configure a default route for the mGRE VRF pointing to the tunnel interface. |
Step 4. | Configure route-map to set the next-hop resolution to the L2TPv3 VRF. |
Step 5. | Associate the route-map inbound for VPNv4 routes learned from MP-BGP neighbors. |
Step 6. | Configure the IPV4 tunnel SAFI for the MP-BGP peers. Configuration of this SAFI allows BGP to advertise the tunnel endpoints and SAFI-specific attributes (which contain the tunnel type and the tunnel capabilities) between the PE routers. |
Figure 10-11 shows the L3VPN over L2TPv3 tunnels configuration for PE1-AS1, PE2-AS1, and PE3-AS1 routers. The highlighted portion depicts the important configuration steps with relation to implementation of L3VPN over L2TPv3 tunnels.
Verification for L3VPN over L2TPv3 Tunnels
The following steps outline the verification steps for implementation of L3VPN over L2TPv3 tunnels:
Step 1. | Verify the tunnel’s operational state using the show tunnel endpoints command on the PE routers, as shown in Example 10-12. Example 10-12. Verify Tunnel Endpoints of L2TPv3 Tunnel
| |
Step 2. | Verify that routes are received on the Customer A VRF using the L2TPv3 L3VPN VRF, as shown in Example 10-13. Example 10-13. Verify Routes in Customer A VRF
| |
Step 3. | Verify reachability between the CE routers using pings, as illustrated in Example 10-14. Example 10-14. Verify Reachability Using Pings
|
Final Configurations for L3VPN over L2TPv3 Tunnels for PE Routers
Example 10-15 shows the final configuration of the PE routers for the implementation of L3VPN over L2TPv3 tunnels. For configurations of the CE routers and the P1-AS1 router, refer to Figure 10-9.
Example 10-15. Configurations for PE Routers
hostname PE1-AS1 ! ip cef ip vrf CustA rd 100:1 route-target export 100:1 route-target import 100:1 ! ip vrf l3vpn_l2tpv3 rd 100:100 ! interface Loopback0 ip address 10.10.10.101 255.255.255.255 ! interface Tunnel0 ip vrf forwarding l3vpn_l2tpv3 ip address 172.16.1.101 255.255.255.255 tunnel source Loopback0 tunnel mode l3vpn l2tpv3 multipoint ! interface Serial0/0 ip address 10.10.10.1 255.255.255.252 ! interface Serial1/0 description connection to CE1-A ip vrf forwarding CustA ip address 172.16.1.1 255.255.255.252 ! router ospf 100 network 10.0.0.0 0.255.255.255 area 0 ! router bgp 1 no synchronization neighbor 10.10.10.102 remote-as 1 neighbor 10.10.10.102 update-source Loopback0 neighbor 10.10.10.103 remote-as 1 neighbor 10.10.10.103 update-source Loopback0 no auto-summary ! address-family ipv4 tunnel neighbor 10.10.10.102 activate neighbor 10.10.10.103 activate exit-address-family ! address-family vpnv4 neighbor 10.10.10.102 activate neighbor 10.10.10.102 send-community extended neighbor 10.10.10.102 route-map vpn_l2tpv3 in neighbor 10.10.10.103 activate neighbor 10.10.10.103 send-community extended neighbor 10.10.10.103 route-map vpn_l2tpv3 in exit-address-family ! address-family ipv4 vrf CustA redistribute connected redistribute static no auto-summary no synchronization exit-address-family ! ip route vrf CustA 172.16.100.1 255.255.255.255 172.16.1.2 ip route vrf l3vpn_l2tpv3 0.0.0.0 0.0.0.0 Tunnel0 ! route-map vpn_l2tpv3 permit 10 set ip next-hop in-vrf l3vpn_l2tpv3 ________________________________________________________________ hostname PE2-AS1 ! ip cef ip vrf CustA rd 100:1 route-target export 100:1 route-target import 100:1 ! ip vrf l3vpn_l2tpv3 rd 100:100 ! interface Loopback0 ip address 10.10.10.102 255.255.255.255 ! interface Tunnel0 ip vrf forwarding l3vpn_l2tpv3 ip address 172.16.1.102 255.255.255.255 tunnel source Loopback0 tunnel mode l3vpn l2tpv3 multipoint ! interface Serial0/0 ip address 10.10.10.5 255.255.255.252 ! interface Serial1/0 description connection to CE2-A ip vrf forwarding CustA ip address 172.16.2.1 255.255.255.252 ! router ospf 100 network 10.0.0.0 0.255.255.255 area 0 ! router bgp 1 no synchronization neighbor 10.10.10.101 remote-as 1 neighbor 10.10.10.101 update-source Loopback0 neighbor 10.10.10.103 remote-as 1 neighbor 10.10.10.103 update-source Loopback0 no auto-summary ! address-family ipv4 tunnel neighbor 10.10.10.101 activate neighbor 10.10.10.103 activate exit-address-family ! address-family vpnv4 neighbor 10.10.10.101 activate neighbor 10.10.10.101 send-community extended neighbor 10.10.10.101 route-map vpn_l2tpv3 in neighbor 10.10.10.103 activate neighbor 10.10.10.103 send-community extended neighbor 10.10.10.103 route-map vpn_l2tpv3 in exit-address-family ! address-family ipv4 vrf CustA redistribute connected redistribute static no auto-summary no synchronization exit-address-family ! ip route vrf CustA 172.16.100.2 255.255.255.255 172.16.2.2 ip route vrf l3vpn_l2tpv3 0.0.0.0 0.0.0.0 Tunnel0 ! route-map vpn_l2tpv3 permit 10 set ip next-hop in-vrf l3vpn_l2tpv3 ________________________________________________________________ hostname PE3-AS1 ! ip cef ip vrf CustA rd 100:1 route-target export 100:1 route-target import 100:1 ! ip vrf l3vpn_l2tpv3 rd 100:100 ! interface Loopback0 ip address 10.10.10.103 255.255.255.255 ! interface Tunnel0 ip vrf forwarding l3vpn_l2tpv3 ip address 172.16.1.103 255.255.255.255 tunnel source Loopback0 tunnel mode l3vpn l2tpv3 multipoint ! interface Serial0/0 ip address 10.10.10.9 255.255.255.252 ! interface Serial1/0 description connection to CE1-A ip vrf forwarding CustA ip address 172.16.3.1 255.255.255.252 ! router ospf 100 network 10.0.0.0 0.255.255.255 area 0 ! router bgp 1 no synchronization neighbor 10.10.10.101 remote-as 1 neighbor 10.10.10.101 update-source Loopback0 neighbor 10.10.10.102 remote-as 1 neighbor 10.10.10.102 update-source Loopback0 no auto-summary ! address-family ipv4 tunnel neighbor 10.10.10.101 activate neighbor 10.10.10.102 activate exit-address-family ! address-family vpnv4 neighbor 10.10.10.101 activate neighbor 10.10.10.101 send-community extended neighbor 10.10.10.101 route-map vpn_l2tpv3 in neighbor 10.10.10.102 activate neighbor 10.10.10.102 send-community extended neighbor 10.10.10.102 route-map vpn_l2tpv3 in exit-address-family ! address-family ipv4 vrf CustA redistribute connected redistribute static no auto-summary no synchronization exit-address-family ! ip route vrf CustA 172.16.100.3 255.255.255.255 172.16.3.2 ip route vrf l3vpn_l2tpv3 0.0.0.0 0.0.0.0 Tunnel0 ! route-map vpn_l2tpv3 permit 10 set ip next-hop in-vrf l3vpn_l2tpv3 |