Documentation main page FRINX Features User Guide main page

L3VPN Service Module User Guide

Usage - Setup

FRINX ODL - Install features

  1. First, start FRINX ODL.
    • Wait for 3 minutes to ensure the start up process is complete.
  2. Then, in the karaf terminal which will have started, install two features - RESTCONF and the l3vpn provider:
feature:install odl-restconf frinx-l3vpn-iosxrv

Postman - Import collection

  1. To download and use FRINX pre-configured Postman REST calls with L3VPN - see this page.
  2. Follow that guide to import the file postman_collection_L3VPN_IOS-XRv.json from the directory L3VPN Service Module.
  3. Configure an environment in Postman where you set a value for odl_ip.

Your system is now ready. To provision L3VPN see the Usage - Operations Guide below.


The goal of this project is to automate provisioning of Layer 3 Virtual Private Network (L3VPN) on Service Provider (SP) routers.

L3VPN Service

Problem definition and L3VPN

A company needs to reconnect multiple sites with each other via a Service Provider which provides L3 connectivity to the company.

Host1 and Host2 are two different sites for the same company and they both connect to the Service Provider using a separate connection. They need to interconnect two of their sites.

Two company's sites connected to SP

In this case L3VPN provides site-to-site connectivity and the SP network behaves as a router between the company’s sites. The company’s routes are exchanged via the SP network.

Solution with L3VPN between sites.


The following terms are often used in the L3VPN domain:

Terminology in picture


Common topologies used in L3VPN.

Any to Any

Sites can forward traffic directly among each other in a VPN. Communication is restricted to a particular VPN so it is not possible to communicate with sites on different VPNs.

Any to Any topology example

Hub and Spoke

Spoke sites in the VPN can communicate with each other only through the hub site. This is usually used when all sites must communicate through an access control device.

Hub and Spoke topology example

Usage - Operations Guide

To import the necessary Postman collection file see the section Postman - Import collection at the top of this page.

That file contains several REST calls for establishing a NETCONF connection and creating or deleting L3VPN instances, for which we provide guidance below:

Set up an L3VPN connection

Three steps are required to create an l3vpn connection between two routers (we perform these steps in our video by commandline. Below we will make it easier by using Postman collections):

1. Establish a NETCONF connection

This is between FRINX ODL and each of the two routers which we’ll use for the L3VPN.

  "node": [
      "node-id": "pe1",
      "netconf-node-topology:host": "",//Edit this according to your setup
      "netconf-node-topology:port": 830,
      "netconf-node-topology:keepalive-delay": 0,
      "netconf-node-topology:tcp-only": false,
      "netconf-node-topology:username": "cisco",//Edit this according to your setup
      "netconf-node-topology:password": "cisco"//Edit this according to your setup

connect pe1

2. Create VPN service

This will be used in the next step when we create the L3VPN sites.


create vpn service

3. Create sites

Use the Postman REST calls: L3VPN Service/create site cus1_ce1 and L3VPN Service/create site cus1_ce2

Delete the L3VPN connection

If you want to remove the L3VPN connection:

  1. Delete the L3VPN service by:
    • using the Postman REST call: L3VPN Service/delete vpn service cus1_vpn1. There is no body to the call.
    • commit by RPC: Issue the Postman REST call: L3VPN Service/RPC commit-l3vpn-svc. There is no body to the call.
      • In the Response body you should receive “status”: “complete”. This shows the deletion has been competed successfully.
  2. Delete the sites by:
    • using the Postman REST call L3VPN Service/delete site cus1_ce1. There is no body to the call.
    • commit by RPC: Issue the Postman REST call: L3VPN Service/RPC commit-l3vpn-svc. There is no body to the call.
      • In the Response body you should receive “status”: “complete”. This shows the deletion has been competed successfully.

Repeat Step 2. for L3VPN Service/delete site cus1_ce2.


Karaf installation:

feature:install frinx-l3vpn-testing   

Installs L3VPN Provider with Mock NEP and RESTCONF. This feature can be used for testing and demonstration purposes where real PE devices are not available.

FRINX L3VPN demo video

See our video

L3VPN Provider

L3VPN Provider is an implementation which automatically provisions L3VPN on PE routers based on intended L3VPN service.

Use Case Specification

L3VPN Provider can be used on a network where:

Use case example

L3VPN Provider works only with devices which have these capabilities:

Name Revision
Cisco-IOS-XR-infra-rsi-cfg 2015-07-30
Cisco-IOS-XR-ifmgr-cfg 2015-07-30
Cisco-IOS-XR-ipv4-bgp-cfg 2015-08-27

The capabilities are sent from XR to ODL automatically during device connection via NETCONF. You can see the NETCONF capabilities under each node by calling (replacing odl_ip with the IP of the system on which you’re running FRINX ODL):

GET http://odl_ip:8181/restconf/operational/network-topology:network-topology/topology/topology-netconf

A list of PE nodes can be obtained from (replacing odl_ip with the IP of the system on which you’re running FRINX ODL):

GET http://odl_ip:8181/restconf/operational/network-topology:network-topology/topology/l3vpn-provider-edge-topology


L3VPN Provider is composed of multiple components. The high level architecture is shown in the picture below.


As mentioned above, NEP registers network elements to L3VPN Provider. L3VPN Provider stores network elements as nodes to abstract topology provider-edge-topology and this topology is a source of nodes which can be used for L3VPN configuration.

API description

The API is described using YANG modules. An external application can consume the API via RESTCONF, NETCONF, or JAVA.

ietf-l3vpn-svc@2017-05-02.yang (Click link to download)

The original YANG is from RFC 8049. Supported statements are shown in generated UML from the original YANG. This YANG module is modified in order to reuse its parts and is extended with L3VPN Provider elements.

The YANG module contains 3 root statements and one RPC:

l3vpn-svc-aug@2017-05-02.yang (Click link to download)

Augments ietf-l3vpn-svc module with statements which are needed for configuration of L3VPN.

Network Element Plugin

The Network Element Plugin (NEP) is a unit which implements SPI from the L3VPN Provider. The NEP is device API specific and is responsible for:

IOS-XRv Network Element Plugin

This plugin configures L3VPN on IOS-XRv using NETCONF.


Here is an example of L3VPN configuration on IOS-XRv (parameters encapsulated in ** are specific for VPN or site):

vrf **CE1**
 address-family ipv4 unicast
  import route-target
  export route-target

interface **GigabitEthernet0/0/0/1**
 vrf **CE1**
 ipv4 address ****
 no shut

router bgp **65000**
 vrf **CE1**
  rd **1:1**
  address-family ipv4 unicast
   network ****
  neighbor ****
   remote-as **65111**
   address-family ipv4 unicast
    route-policy **RPL_PASS_ALL** in
    route-policy **RPL_PASS_ALL** out

NETCONF session configuration in IOS XR to allow ODL to connect:

crypto key generate dsa
crypto key generate rsa
(config)#ssh server v2
(config)#ssh server netconf port 830
(config)#ssh timeout 120
(config)#netconf-yang agent ssh
(config)#ssh server netconf vrf default

Mock Network Element Plugin

The purpose of this plugin is to mock functionality of the Network Element Plugin. It is used mainly for testing when you do not need to connect real devices.

Mock NEP

Known Limitations

Other limitations:

Feature Guide    
Feature introduced in FRINX 2.3.0 VPN service module implementation with support for L3VPN and IOS XR (Version 6.1.2) NEP via NETCONF