Documentation main page FRINX Features User Guide main page

L3VPN Service Module User Guide

Usage - Setup

FRINX ODL - Install features

  1. First, start FRINX ODL.
    • Wait for 3 minutes to ensure the start up process is complete.
  2. Once the karaf terminal is running, install the following features:
feature:install frinx-l3vpn-app cli-southbound-all-units unified-topology-all-units

Postman - Import collection

  1. To download and use FRINX pre-configured Postman REST calls with L3VPN - see this page.
  2. Follow that guide to import the file postman_collection_L3VPN_service.json from the directory L3VPN Service Module.
  3. Configure an environment in Postman where you set a value for odl_ip.

Your system is now ready. To provision L3VPN see the Usage - Operations Guide below.


The goal of this project is to automate provisioning of Layer 3 Virtual Private Networks (L3VPN) on Service Provider (SP) routers.

L3VPN Service

Problem definition and L3VPN

A company needs to reconnect multiple sites via a Service Provider which provides L3 connectivity for the company.

For example, Host1 and Host2 are two different sites for the same company and they both connect to the Service Provider using a separate connection. They need to interconnect two of their sites.

Two company's sites connected to SP

In this case L3VPN provides site-to-site connectivity and the SP network behaves as a router between the company’s sites. The company’s routes are exchanged via the SP network.

Solution with L3VPN between sites.


The following terms are often used in the L3VPN domain:

Terminology in picture


Common topologies used in L3VPN.

Any to Any

Sites can forward traffic directly to each other in a VPN. Communication is restricted to a particular VPN so it is not possible to communicate with sites on different VPNs.

Any to Any topology example

Hub and Spoke

Spoke sites in the VPN can communicate with each other only through the hub site. This is usually used when all sites must communicate through an access control device.

Hub and Spoke topology example

Usage - Operations Guide

To import the necessary Postman collection file see the section Postman - Import collection at the top of this page.

That file contains several REST calls for establishing a PE-routers connection and creating or deleting L3VPN instances, for which we provide guidance below:

Set up an L3VPN connection

Three steps are required to create a L3VPN connection between two routers (we demonstrate this on Huawei NE5000E router connected to FRINX ODL via cli interface and on Cisco XR6 router connected via NETCONF). We will configure L3VPN services using Postman collection:

1. Establish PE-routers connection

This is between FRINX ODL and each of the two routers which we’ll use for the L3VPN.

  "node": [
      "node-id": "xr6-pe",
      "netconf-node-topology:host": "",//Edit according to your setup
      "netconf-node-topology:port": 830,
      "netconf-node-topology:keepalive-delay": 0,
      "netconf-node-topology:tcp-only": false,
      "netconf-node-topology:username": "cisco",//Edit according to your setup
      "netconf-node-topology:password": "cisco",//Edit according to your setup

      "node-extension:reconcile": false


connect xr6


    "cli-topology:host":"",//Edit according to your setup


    "cli-topology:username":"huawei",//Edit according to your setup
    "cli-topology:password":"huawei",//Edit according to your setup



connect huawei

2. Create VPN service

This will be used in the next step when we create the L3VPN sites.


create vpn service

3. Create sites

Use the Postman REST calls: L3VPN Service/create site cus1_ce1 and L3VPN Service/create site cus1_ce2

Note: Route policy with name RPL_PASS_ALL must exist on the router before this invocation.

Delete the L3VPN connection

If you want to remove the L3VPN connection:

  1. Delete the L3VPN service by:
    • Using the Postman REST call: L3VPN Service/delete vpn service cus1_vpn1. There is no body to the call.
  2. Delete the sites by:
    • Using the Postman REST call L3VPN Service/delete site cus1_ce1. There is no body to the call.
    • Repeat this for the second site using the REST callL3VPN Service/delete site cus1_ce2.
  3. Commit by RPC: Issue the Postman REST call: L3VPN Service/RPC commit-l3vpn-svc. There is no body to the call.
    • In the Response body you should receive “status”: “complete”. This shows the deletion has been competed successfully.

L3VPN Provider

L3VPN Provider is an implementation which automatically provisions L3VPN on PE routers based on intended L3VPN service.

Use Case Specification

L3VPN Provider can be used on a network where:

Use case example

L3VPN Provider sits on top of uniconfig as well as unified topology layers. L3VPN provider works only with the devices that have translation units for following frinx-openconfig modules available:

<thead </thead>
Name Revision
frinx-openconfig-interfaces 2016-12-22
frinx-openconfig-if-ip 2016-12-22
frinx-openconfig-network-instance 2017-02-28
frinx-openconfig-bgp 2017-02-02
frinx-openconfig-routing-policy 2017-07-14

The avalaible translation units for a device are resolved by unified topology during device connection.

A list of potential PE nodes can be obtained from (replacing with the IP of the system on which you’re running FRINX ODL):

GET http://:8181/restconf/config/network-topology:network-topology/topology/uniconfig/

You can see the if the particular node is suitable as PE router by calling (replacing odl_ip with the IP of the system on which you’re running FRINX ODL and with id of the particular PE node):

GET http://:8181/restconf/operational/network-topology:network-topology/topology/unified/

You should see the above mentioned modules in the node’s “capability” list.


L3VPN Provider is composed of multiple components and takes advantage of the UniConfig framework. The high level architecture is shown in the picture below.


API description

The API is described using YANG modules. An external application can consume the API via RESTCONF, NETCONF, or JAVA.

ietf-l3vpn-svc@2018-01-19.yang (Click link to download)

The original YANG is from RFC 8299. This YANG module is modified in order to reuse its parts and is extended with L3VPN Provider elements.

The YANG module contains one root statement and one RPC:

l3vpn-svc-aug@2018-04-04.yang (Click link to download)

Augments ietf-l3vpn-svc module with statements which are needed for configuration of L3VPN.

Known Limitations

Other limitations:

Feature Guide    
Feature introduced in FRINX 2.3.0 VPN service module implementation with support for L3VPN and IOS XR (Version 6.1.2) NEP via NETCONF
RFC 8299 support added in FRINX 3.1.3 VPN service module now suports RFC 8299 and implementation sits on the top of the Uniconfig framework