· Customer edge device—A CE device resides on a customer network and has one or more interfaces directly connected to a service provider network. It can be a router, a switch, or a host. It can neither "sense" the presence of any VPN nor does it need to support MPLS.

· Provider edge device—A PE device resides at the edge of a service provider network and connects to one or more CEs. All MPLS VPN services are processed on PEs.

· Provider device—A P device is a core device on a service provider network. It is not directly connected to any CE. It has only basic MPLS forwarding capability.

Figure 1 Network diagram for MPLS L3VPN

CEs and PEs mark the boundary between the service provider network and the customer network.

After a CE establishes an adjacency with a directly connected PE, it advertises its VPN routes to the PE and learns remote VPN routes from the PE. A CE and a PE can use BGP, an IGP, or static routing to exchange routing information.

After a PE learns VPN routing information from a CE, it uses BGP to exchange VPN routing information to other PEs. A PE maintains routing information only for directly connected VPNs rather than all VPNs on the provider network.

A P router maintains only routes to PEs and does not deal with VPN routing information.

When VPN traffic travels over the MPLS backbone, the ingress PE functions as the ingress Label Switching Router (LSR), the egress PE functions as the egress LSR, and P routers function as the transit LSRs.

MPLS L3VPN concepts

Site

A site has the following features:

· A site is a group of IP systems with IP connectivity that does not rely on any service provider network.

· The classification of a site depends on the topology relationship of the devices, rather than the geographical positions, though the devices at a site are, in most cases, adjacent to each other geographically.

· The devices at a site can belong to multiple VPNs, which means that a site can belong to multiple VPNs.

· A site is connected to a provider network through one or more CEs. A site can contain multiple CEs, but a CE can belong to only one site.

Sites connected to the same provider network can be classified into different sets by policies. Only the sites in the same set can access each other through the provider network. Such a set is called a VPN.

Address space overlapping

Each VPN independently manages its address space.

The address spaces of VPNs may overlap. For example, if both VPN 1 and VPN 2 use the addresses on subnet 10.110.10.0/24, address space overlapping occurs.

VPN instance

In MPLS VPN, routes of different VPNs are identified by VPN instances.

A PE creates and maintains a separate VPN instance for each directly connected site. Each VPN instance contains the VPN membership and routing rules of the corresponding site. If a user at a site belongs to multiple VPNs, the VPN instance of the site contains information about all the VPNs.

For independence and security of VPN data, each VPN instance on a PE has a routing table and a label forwarding information base (LFIB).

A VPN instance contains the following information: an LFIB, an IP routing table, interfaces bound to the VPN instance, and administration information of the VPN instance. The administration information includes the route distinguisher (RD), route filtering policy, and member interface list.

VPN-IPv4 address

MPLS L3VPN uses VPN-IPv4 addresses to solve the VPN routes overlapping problem.

Figure 2 VPN-IPv4 address structure

A VPN-IPv4 address consists of 12 bytes. The first eight bytes represent the RD, followed by a four-byte IPv4 prefix. By prefixing a distinct RD to a specific IPv4 address prefix, you get a globally unique VPN IPv4 address prefix.

Upon receiving an IPv4 route from a CE, a PE changes the route to a VPN-IPv4 route by adding an RD and then advertises the VPN-IPv4 route to the peer PE through MP-BGP. The RD ensures the uniqueness of the VPN route.

Each service provider can independently assign unique RDs. A PE can advertise routes for VPNs even if the VPNs are from different service providers and are using the same IPv4 address space.

Configure a distinct RD for each VPN instance on a PE, so that routes to the same CE use the same RD. A VPN-IPv4 address with an RD of 0 equals a globally unique IPv4 address.

An RD can be related to an autonomous system (AS) number, in which case it is the combination of the AS number and a discretionary number. Or it can be related to an IP address, in which case it is the combination of the IP address and a discretionary number.

An RD can be in one of the following formats distinguished by the Type field:

· When the Type field is 0, the Administrator subfield occupies two bytes, the Assigned number subfield occupies four bytes, and the RD format is 16-bit AS number:32-bit user-defined number. For example, 100:1.

· When the Type field is 1, the Administrator subfield occupies four bytes, the Assigned number subfield occupies two bytes, and the RD format is 32-bit IPv4 address:16-bit user-defined number. For example, 172.1.1.1:1.

· When the Type field is 2, the Administrator subfield occupies four bytes, the Assigned number subfield occupies two bytes, and the RD format is 32-bit AS number:16-bit user-defined number, where the minimum value of the AS number is 65536. For example, 65536:1.

To guarantee global uniqueness for an RD, do not set the Administrator subfield to any private AS number or private IP address.

Route target attribute

MPLS L3VPN uses route target community attributes to control the advertisement of VPN routing information. A VPN instance on a PE supports the following types of route target attributes:

· Export target attribute—A PE sets the export target attribute for VPN-IPv4 routes learned from directly connected sites before advertising them to other PEs.

· Import target attribute—A PE checks the export target attribute of VPN-IPv4 routes received from other PEs. If the export target attribute matches the import target attribute of the VPN instance, the PE adds the routes to the VPN routing table.

Route target attributes define which sites can receive VPN-IPv4 routes, and from which sites a PE can receive routes.

Like RDs, route target attributes can be of the following formats:

· 16-bit AS number:32-bit user-defined number. For example, 100:1.

· 32-bit IPv4 address:16-bit user-defined number. For example, 172.1.1.1:1.

· 32-bit AS number:16-bit user-defined number, where the minimum value of the AS number is 65536. For example, 65536:1.

MP-BGP

MP-BGP advertises VPN composition and routing information between PEs. It is backward compatible and supports both traditional IPv4 address family and other address families, such as VPN-IPv4 address family.

MP-BGP guarantees that private routes of a VPN are advertised only in the VPN and implements communications between MPLS VPN members.

Routing policy

You can configure import and export routing policies to control the receipt and advertisement of VPN routes.

An import routing policy filters incoming routes by import target attributes. An export routing policy filters outgoing routes by export target attributes.

After creating a VPN instance, you can configure an import routing policy, an export routing policy, or both as needed.

Tunnel policy

A tunnel policy is used to select tunnels for the packets of a specific VPN instance.

After creating a VPN instance, you can configure a tunnel policy for the VPN instance. By default, only one LSP tunnel is selected (no load balancing). A tunnel policy takes effect only within the local AS.

MPLS L3VPN packet forwarding

For basic MPLS L3VPN applications in a single AS, VPN packets are forwarded with two labels:

· Layer 1 label—Outer label, used for label switching within the backbone. It indicates the LSP from the local PE to the remote PE so . Based on the Layer 1 label, a VPN packet can be label switched along the LSP to the remote PE.

· Layer 2 label—Inner label, used for forwarding packets from the remote PE to the remote CE. An inner label indicates to which site, or more precisely, to which CE the packet should be sent. A PE finds the interface for forwarding a packet according to the inner label.

If two CEs belong to the same VPN and are connected to the same PE, each CE only needs to know how to reach the other CE.

Figure 3 VPN packet forwarding

A VPN packet is forwarded in the following steps:

1. Site 1 sends an IP packet with the destination address 1.1.1.2. CE 1 transmits the packet to PE 1.

2. PE 1 finds the matching VPN route based on the inbound interface and destination address of the packet, labels the packet with both the inner and outer labels, and forwards the packet out.

3. The MPLS backbone transmits the packet to PE 2 by the outer label. The outer label is removed from the packet at the penultimate hop.

4. PE 2 finds the matching VPN route according to the inner label and destination address of the packet, and then forwards the packet out of the interface to CE 2.

5. CE 2 transmits the packet to the destination through IP forwarding.

MPLS L3VPN networking schemes

In MPLS L3VPNs, route target attributes are used to control the advertisement and reception of VPN routes between sites. They work independently and can be configured with multiple values to support flexible VPN access control and implement multiple types of VPN networking schemes.

Basic VPN networking scheme

In the simplest case, all users in a VPN form a closed user group. They can forward traffic to each other but cannot communicate with any user outside the VPN.

For the basic VPN networking scheme, you must assign a route target to each VPN for identifying the export target attribute and import target attribute of the VPN. Moreover, this route target cannot be used by any other VPNs.

Figure 4 Network diagram for basic VPN networking scheme

In Figure 4, the route target for VPN 1 is 100:1, while that for VPN 2 is 200:1. The two VPN 1 sites can communicate with each other, and the two VPN 2 sites can communicate with each other. However, the VPN 1 sites cannot communicate with the VPN 2 sites.

Hub and spoke networking scheme

The hub and spoke networking scheme is suitable for a VPN where all users must communicate with each other through an access control device.

This networking scheme requires two route targets: one for the hub and the other for the spoke.

In a hub and spoke network, configure route targets as follows:

· On spoke PEs (PEs connected to spoke sites), set the export target attribute to Spoke and the import target attribute to Hub.

· On the hub PE (PE connected to the hub site), specify two interfaces or subinterfaces, one for receiving routes from spoke PEs, and the other for advertising routes to spoke PEs. Set the import target attribute for the former to Spoke, and the export target attribute for the latter to Hub.

Figure 5 Network diagram for hub and spoke network

In Figure 5, the spoke sites communicate with each other through the hub site. The arrows in the figure indicate the advertising path of routes from Site 2 to Site 1:

· The hub PE can receive all VPN-IPv4 routes advertised by spoke PEs.

· All spoke PEs can receive VPN-IPv4 routes advertised by the hub PE.

· The hub PE advertises the routes learned from a spoke PE to the other spoke PEs. The spoke sites can communicate with each other through the hub site.

· The import target attribute of a spoke PE is different from the export target attribute of any other spoke PE. Therefore, any two spoke PEs cannot directly advertise VPN-IPv4 routes to each other or directly access each other.

Extranet networking scheme

The extranet networking scheme allows specific resources in a VPN to be accessed by users not in the VPN.

In this kind of networking scheme, if a VPN must access a shared site, the export target attribute and the import target attribute of the VPN must be contained respectively in the import target attribute and the export target attribute of the VPN instance of the shared site.

Figure 6 Network diagram for extranet networking scheme

In Figure 6, VPN 1 and VPN 2 can access Site 3 of VPN 1.

· PE 3 can receive VPN-IPv4 routes advertised by PE 1 and PE 2.

· PE 1 and PE 2 can receive VPN-IPv4 routes advertised by PE 3.

· Site 1 and Site 3 of VPN 1 can communicate with each other, and Site 2 of VPN 2 and Site 3 of VPN 1 can communicate with each other.

PE 3 advertises neither the VPN-IPv4 routes received from PE 1 to PE 2, nor the VPN-IPv4 routes received from PE 2 to PE 1 (that is, routes learned from an IBGP neighbor are not advertised to any other IBGP neighbor). Therefore, Site 1 of VPN 1 and Site 2 of VPN 2 cannot communicate with each other.

MPLS L3VPN route advertisement

In basic MPLS L3VPN networking, the advertisement of VPN routing information involves CEs and PEs. A P router maintains only the routes of the backbone and does not need to know any VPN routing information. A PE maintains only routing information for directly connected VPNs, rather than for all VPNs. Therefore, MPLS L3VPN has excellent scalability.

VPN routing information is advertised from the local CE to the remote CE in the following steps:

1. From the local CE to the ingress PE.

After establishing an adjacency with the directly connected PE, a CE advertises its VPN routing information to the PE over a static route, RIP route, OSPF route, IS-IS route, EBGP route, or IBGP route. No matter which routing protocol is used, the CE always advertises standard IPv4 routes to the PE.

2. From the ingress PE to the egress PE.

After learning the VPN routing information from the CE, the ingress PE adds RD and route target attributes for these standard IPv4 routes to create VPN-IPv4 routes, saves them to the routing table of the VPN instance created for the CE, and advertises the VPN-IPv4 routes to the egress PE through MP-BGP.

PEs use IGP to ensure the connectivity between them.

3. From the egress PE to the remote CE.

After receiving the VPN-IPv4 routes, the egress PE compares their export target attribute with the local import target attribute, and, if they match, adds the routes to the routing table of the VPN instance. Then the egress PE retores the VPN-IPv4 routes to the original VPN routes and advertises those routes to the connected CE over a static route, RIP route, OSPF route, IS-IS route, EBGP route, or IBGP route.

In this way, the local CE and the remote CE can learn routes from each other through the MPLS backbone.

Inter-AS VPN

In an inter-AS VPN networking scenario, multiple sites of a VPN are connected to multiple ISPs in different ASs, or to multiple ASs of an ISP.

RFC 2547bis presents the following inter-AS VPN solutions:

· VRF-to-VRF—ASBRs manage VPN routes between them through subinterfaces. This solution is also called "inter-AS option A."

· EBGP redistribution of labeled VPN-IPv4 routes—ASBRs advertise labeled VPN-IPv4 routes to each other through MP-EBGP. This solution is also called "inter-AS option B."

· Multihop EBGP redistribution of labeled VPN-IPv4 routes—PEs advertise labeled VPN-IPv4 routes to each other through MP-EBGP. This solution is also called "inter-AS option C."

Inter-AS option A

In this solution, PEs of two ASs are directly connected and each PE is also the ASBR of its AS.

The PEs acting as ASBRs are connected through multiple subinterfaces. Each of them treats the other as a CE and advertises IPv4 routes through conventional EBGP. Within an AS, packets are forwarded as VPN packets with two-level labels. Between ASBRs, conventional IP forwarding is used.

Ideally, each inter-AS VPN has a pair of subinterfaces to exchange VPN routing information.

Figure 7 Network diagram for inter-AS option A

Inter-AS option A is easy to carry out because no special configuration is required on the PEs acting as the ASBRs.

However, it has limited scalability because the PEs acting as the ASBRs must manage all the VPN routes and create VPN instances on a per-VPN basis. This leads to excessive VPN-IPv4 routes on the PEs. Moreover, creating a separate subinterface for each VPN calls for higher performance.

Inter-AS option B

In this solution, two ASBRs use MP-EBGP to exchange labeled VPN-IPv4 routes that they obtain from the PEs in their respective ASs.

As shown in Figure 8, the routes are advertised through the following steps:

1. PEs in AS 100 advertise labeled VPN-IPv4 routes to the ASBR PE of AS 100 or the route reflector (RR) of the ASBR PE through MP-IBGP.

2. The ASBR PE advertises labeled VPN-IPv4 routes to the ASBR PE of AS 200 through MP-EBGP.

3. The ASBR PE of AS 200 advertises labeled VPN-IPv4 routes to PEs in AS 200 or to the RR of the PEs through MP-IBGP.

The ASBRs must perform special processing on the labeled VPN-IPv4 routes, which is also called ASBR extension method.

Figure 8 Network diagram for inter-AS option B

Inter-AS option B has better scalability than option A.

When adopting the MP-EBGP method, note the following:

· ASBRs do not perform route target filtering on VPN-IPv4 routes that they receive from each other. Therefore, the ISPs in different ASs must agree on the route exchange.

· VPN-IPv4 routes are exchanged only between VPN peers. A VPN site can exchange VPN-IPv4 routes neither with the public network nor with MP-EBGP peers with whom it has not reached agreement on the route exchange.

Inter-AS option C

The Inter-AS option A and option B solutions can satisfy the needs for inter-AS VPNs. However, they require that the ASBRs maintain and advertise VPN-IPv4 routes. When every AS needs to exchange a great amount of VPN routes, the ASBRs may become bottlenecks hindering network extension.

Inter-AS option C can solve the problem by making PEs directly exchange VPN-IPv4 routes without the participation of ASBRs:

· Two ASBRs advertise labeled IPv4 routes to PEs in their respective ASs through MP-IBGP.

· The ASBRs neither maintain VPN-IPv4 routes nor advertise VPN-IPv4 routes to each other.

· An ASBR maintains labeled IPv4 routes of the PEs in the AS and advertises them to the peers in the other ASs. The ASBR of another AS also advertises labeled IPv4 routes. Thus, an LSP is established between the ingress PE and egress PE.

· Between PEs of different ASs, multi-hop EBGP connections are established to exchange VPN-IPv4 routes.

Figure 9 Network diagram for inter-AS option C

To improve the scalability, you can specify an RR in each AS to maintain all VPN-IPv4 routes and to exchange VPN-IPv4 routes with PEs in the AS. The RRs in two ASs establish an inter-AS VPNv4 connection to advertise VPN-IPv4 routes, as shown in Figure 10.

Figure 10 Network diagram for inter-AS option C using RRs

Carrier's carrier

If a customer of the MPLS L3VPN service provider is also a service provider, the MPLS L3VPN service provider is called the provider carrier or the Level 1 carrier, while the customer is called the customer carrier or the Level 2 carrier. This networking model is referred to as carrier's carrier. In this model, the Level 2 service provider serves as a CE of the Level 1 service provider.

For good scalability, the Level 1 carrier does not learn the routes of the customer network connected to a Level 2 carrier. It only learns the routes for delivering packets between different sites of the Level 2 carrier. Routes of the customer networks connected to a Level 2 carrier are exchanged through the BGP session established between the routers of the Level 2 carrier. This can greatly reduce the number of routes maintained by the Level 1 carrier network.

Compared with the common MPLS L3VPN, the carrier's carrier is different because of the way in which a CE of a Level 1 carrier, that is, a Level 2 carrier, accesses a PE of the Level 1 carrier:

· If the PE and the CE are in a same AS, you must configure IGP and LDP between them.

· If the PE and the CE are not in the same AS, you must configure MP-EBGP to assign labels to routes exchanged between them.

In either case, you must enable MPLS on the CE of the Level 1 carrier. Moreover, the CE holds the VPN routes of the Level 2 carrier, but it does not advertise the routes to the PE of the Level 1 carrier. It only exchanges the routes with other PEs of the Level 2 carrier.

A Level 2 carrier can be an ordinary ISP or an MPLS L3VPN service provider.

When the Level 2 carrier is an ordinary ISP, its PEs run IGP to communicate with the CEs, rather than MPLS. As shown in Figure 11, PE 3 and PE 4 exchange VPN routes of the Level 2 carrier through an IBGP session.

Figure 11 Scenario where the Level 2 carrier is an ISP

When the Level 2 carrier is an MPLS L3VPN service provider, its PEs must run IGP and LDP to communicate with CEs. As shown in Figure 12, PE 3 and PE 4 exchange VPN routes of the Level 2 carrier through an MP-IBGP session.

Figure 12 Scenario where the Level 2 carrier is an MPLS L3VPN service provider

NOTE:

If equal cost routes exist between the Level 1 carrier and the Level 2 carrier, H3C recommends establishing equal cost LSPs between them.

Nested VPN

In an MPLS L3VPN network, generally a service provider runs an MPLS L3VPN backbone and provides VPN services through PEs. Different sites of a VPN customer are connected to the PEs through CEs. In this scenario, a customer's networks are ordinary IP networks and cannot be further divided into sub-VPNs.

However, in actual applications, customer networks can be dramatically different in form and complexity, and a customer network may need to use VPNs to further group its users. The traditional solution to this request is to implement internal VPN configuration on the service provider's PEs. This solution is easy to deploy, but it increases the network operation cost and brings issues on management and security because of the following:

· The number of VPNs that PEs must support increases sharply.

· Any modification of an internal VPN must be done through the service provider.

The nested VPN technology offers a better solution. It exchanges VPNv4 routes between PEs and CEs of the ISP MPLS L3VPN and allows a customer to manage its own internal VPNs. Figure 13 depicts a nested VPN network. On the service provider's MPLS VPN network, there is a customer VPN named VPN A. The customer VPN contains two sub-VPNs, VPN A-1 and VPN A-2. The service provider PEs treat the customer's network as a common VPN user and do not join any sub-VPNs. The service provider CE devices (CE 1 and CE 2) exchange VPNv4 routes including sub-VPN routing information with the service provider PEs, implementing the propagation of the sub-VPN routing information throughout the customer network.

Figure 13 Network diagram for nested VPN

Propagation of routing information

In a nested VPN network, routing information is propagated as follows:

1. A provider PE and its CEs exchange VPNv4 routes, which carry information about customer VPNs.

2. After receiving a VPNv4 route, a provider PE keeps the customer's internal VPN information, and appends the customer's MPLS VPN attributes on the service provider network. That is, it replaces the RD of the VPNv4 route with the RD of the customer's MPLS VPN on the service provider network and adds the export route-target (ERT) attribute of the customer's MPLS VPN on the service provider network to the extended community attribute list of the route. The internal VPN information of the customer is maintained on the provider PE.

3. The provider PE advertises VPNv4 routes carrying the comprehensive VPN information to the other PEs of the service provider.

4. After another provider PE receives the VPNv4 routes, it matches the VPNv4 routes to the import targets of its local VPNs. Each local VPN accepts routes of its own and advertises them to provider CEs. If a provider CE (such as CE 7 and CE 8 in Figure 13) is connected to a provider PE through an IPv4 connection, the PE advertises IPv4 routes to the CE. If it is a VPNv4 connection (a customer MPLS VPN network), the PE advertises VPNv4 routes to the CE.

5. After receiving VPNv4 routes from the provider CE, a customer PE matches those routes to local import targets. Each customer VPN accepts only its own routes and advertises them to connected customer CEs (such as CE 3, CE 4, CE5, and CE 6 in Figure 13).

Benefits

The nested VPN technology brings the following benefits:

· Support for VPN aggregation. It can aggregate a customer's internal VPNs into one VPN on the service provider's MPLS VPN network.

· Support for both symmetric networking and asymmetric networking. Sites of the same VPN can have the same number or different numbers of internal VPNs.

· Support for multiple-level nesting of internal VPNs.

Nested VPN is flexible and easy to implement. It reduces networking costs, provides diversified VPN networking methods for customers, and allows for multi-level hierarchical access control over internal VPNs.

HoVPN

In MPLS L3VPN solutions, PEs are the key devices, which provide the following functions:

· User access. This means that the PEs must have a large amount of interfaces.

· VPN route management and advertisement, and user packet processing, requiring that a PE must have a large-capacity memory and high forwarding capability.

Most of the current network schemes use the typical hierarchical architecture. For example, the MAN architecture contains typically three layers, the core layer, distribution layer, and access layer. From the core layer to the access layer, the performance requirements on the devices decrease while the network expands.

MPLS L3VPN, on the contrary, is a plane model where performance requirements are the same for all PEs. If a certain PE does not have enough performance or scalability, the performance or scalability of the whole network is influenced. Therefore, the plane model is not applicable to the large-scale VPN deployment.

To solve the scalability problem of the plane model, MPLS L3VPN must transition to the hierarchical model. Hierarchy of VPN (HoVPN) was proposed to meet the requirement. With HoVPN, the PE functions can be distributed among multiple PEs, which take different roles for the same functions and form a hierarchical architecture.

As in the typical hierarchical network model, HoVPN has different requirements on the devices at different layers of the hierarchy.

Implementation of HoVPN

Figure 14 Basic architecture of HoVPN

As shown in Figure 14, devices directly connected to CEs are called underlayer PEs (UPEs) or user-end PEs, whereas devices that are connected to UPEs and are in the internal network are called superstratum PEs (SPE) or service provider-end PEs.

Multiple UPEs and SPEs comprise a hierarchical PE.

UPEs and SPEs play the following different roles:

· A UPE provides user access. It maintains the routes of directly connected VPN sites. It does not maintain the routes of the remote sites in the VPN, or only maintains their summary routes. A UPE assigns inner labels to the routes of its directly connected sites, and advertises the labels along with VPN routes to the SPE through MP-BGP.

· An SPE manages and advertises VPN routes. It maintains all the routes of the VPNs connected through UPEs, including the routes of both the local and remote sites. An SPE advertises routes along with labels to UPEs, including the default routes of VPN instances or summary routes and the routes permitted by the routing policy. By using routing policies, you can control which sites in a VPN can communicate with each other.

Different roles mean different requirements:

· An SPE must have a large routing table capacity and high forwarding performance, but needs fewer interface resources.

· A UPE must have higher access capability but needs a small routing table capacity and low forwarding performance.

HoVPN makes full use of both the high performance of SPEs and the high access capability of UPEs.

The concepts of SPE and UPE are relative. In the hierarchical PE architecture, a PE may be the SPE of its underlayer PEs and a UPE of its SPE at the same time.

The HoPE and common PEs can coexist in an MPLS network.

SPE-UPE

Either MP-IBGP or MP-EBGP MP-BGP can run between SPE and UPE. Which one to use depends on whether the UPE and SPE belong to the same AS.

For MP-IBGP to advertise routes between IBGP peers, the SPE acts as the RR and advertises routes from IBGP peer UPE to IBGP peer SPE. However, it does not act as the RR of the other PEs.

Recursion and extension of HoVPN

HoVPN supports HoPE recursion:

· A HoPE can act as a UPE to form a new HoPE with an SPE.

· A HoPE can act as an SPE to form a new HoPE with multiple UPEs.

· HoVPN supports multi-level recursion.

With recursion of HoPEs, a VPN can be extended infinitely in theory.

Figure 15 Recursion of HoPEs

Figure 15 shows a three-level HoPE. The PE in the middle is called the "middle-level PE (MPE)." MP-BGP runs between SPE and MPE, and between MPE and UPE.

NOTE:

The term "MPE" does not really exist in a HoVPN model. It is used here just for the convenience of description.

MP-BGP advertises all the VPN routes of UPEs to the SPEs, and advertises the default routes of the VPN instance of the SPEs or the VPN routes permitted by the routing policies to the UPEs.

The SPE maintains the VPN routes of all sites in the HoVPN. Each UPE maintains only VPN routes of its directly connected sites. An MPE has fewer routes than the SPE but has more routes than a UPE.

OSPF VPN extension

This section focuses on the OSPF VPN extension. For more information about OSPF, see Layer 3—IP Routing Configuration Guide.

OSPF for VPNs on a PE

OSPF is a prevalent IGP protocol. Running OSPF between a PE and a CE can simplify CE configuration and management because the CEs only need to support OSPF. In addition, if the customers require MPLS L3VPN services through conventional OSPF backbone, using OSPF between a PE and a CE can simplify the transition.

For OSPF to run between CE and PE, the PE must support multiple OSPF processes. Each OSPF process corresponds to a VPN instance and maintains its own interfaces and routing table.

The following describes OSPF configurations between a PE and a CE.

· OSPF area configuration between a PE and a CE

The OSPF area between a PE and a CE can be either a non-backbone area or a backbone area.

In the OSPF VPN extension application, the MPLS VPN backbone is considered the backbone area (area 0). The area 0 of each VPN site must be connected to the MPLS VPN backbone because OSPF requires that the backbone area be contiguous.

If a VPN site contains an OSPF area 0, the PE must be connected to the backbone area of the VPN site through area 0. You can configure a virtual link to connect the CE to the PE.

· BGP/OSPF interaction

PEs advertise VPN routes to each other through BGP and to CEs through OSPF.

Conventional OSPF considers two sites are in different ASs even if they belong to the same VPN. Therefore, the routes that one site learns are advertised to the other as external routes. This results in more OSPF traffic and network management problems.

The extended OSPF protocol supports multiple instances to address the problems. Properly configured, OSPF sites are considered directly connected, and PEs can exchange OSPF routing information as they are using dedicated lines. This simplifies network management and makes OSPF applications more effective.

As shown in Figure 16, PE 1 and PE 2 are connected through the MPLS backbone. CE 11, CE 21, and CE 22 belong to VPN 1. Assume that CE 11, CE 21, and CE 22 belong to the same OSPF domain. PEs advertise VPN 1 routes in the following procedure:

a. PE 1 redistributes OSPF routes of CE 11 into BGP.

b. PE 1 advertises the VPN routes to PE 2 through BGP.

c. PE 2 redistributes the BGP VPN routes into OSPF and advertises them to CE 21 and CE 22.

Figure 16 Application of OSPF in VPN

With the standard BGP/OSPF interaction, PE 2 advertises the BGP VPN routes to CE 21 and CE 22 in Type 5 LSAs (ASE LSAs). However, CE 11, CE 21, and CE 22 belong to the same OSPF domain, and route advertisements between them should use Type 3 LSAs (inter-AS routes).

To solve the problem, the PE uses an extended BGP/OSPF interaction process called BGP/OSPF interoperability to advertise routes from one site to another, differentiating the routes from real AS-External routes. The process requires that extended BGP community attributes carry the information for identifying the OSPF attributes.

Each OSPF domain must have a configurable domain ID. H3C recommends that you configure the same domain ID or adopt the default ID for all OSPF processes of the same VPN, so the system can know that VPN routes with the same domain ID are from the same VPN.

· Routing loop detection

If a CE and a PE are connected through the OSPF backbone area, when a PE advertises BGP VPN routes learned from MPLS/BGP to the VPN site through LSAs, the LSAs might be received by another PE, resulting in a routing loop.

To avoid routing loops, when creating Type 3 LSAs, the PE always sets the flag bit DN for BGP VPN routes learned from MPLS/BGP, regardless of whether the PE and the CE are connected through the OSPF backbone. When performing route calculation, the OSPF process of the PE ignores the Type 3 LSAs whose DN bit is set.

If the PE needs to advertise routes from other OSPF domains to a CE, it must indicate that it is the ASBR, and advertise the routes in Type 5 LSAs.

BGP AS number substitution

BGP detects routing loops by examining AS numbers. If EBGP runs between PE and CE, you must assign different AS numbers to geographically different sites to ensure correct transmission of routing information.

The BGP AS number substitution function allows physically dispersed CEs to use the same AS number. The function is a BGP outbound policy and affects routes to be advertised.

With the BGP AS number substitution function, when a PE advertises a route to a CE, if an AS number identical to that of the CE exists in the AS_PATH of the route, the PE replaces it with its own AS number.

After you enable the BGP AS number substitution function, the PE performs BGP AS number substitution for all routes and re-advertises them to connected CEs in the peer group.

Figure 17 Application of BGP AS number substitution

In Figure 17, both Site and Site 2 use the AS number 800. AS number substitution is enabled on PE 2 for CE 2. Before advertising updates received from CE 1 to CE 2, PE 2 substitutes its own AS number 100 for the AS number 800. In this way, CE 2 can normally receive the routing information from CE 1.

However, the AS number substitution function also introduces a routing loop in Site 2 because route updates originated from CE3 can be advertised back to Site 2 through PE 2 and CE2. To remove the routing loop, you can configure a routing policy on PE2 to add the SoO attribute to route updates received from CE 2 and CE 3 so that PE 2 does not advertise route updates from CE 3 to CE 2.

Multi-VPN-instance CE

BGP/MPLS VPN transmits private network data through MPLS tunnels over the public network. However, the traditional MPLS L3VPN architecture requires that each VPN instance use an exclusive CE to connect to a PE, as shown in Figure 1.

For better services and higher security, a private network is usually divided into multiple VPNs to isolate services. To meet these requirements, you can configure a CE for each VPN, which increases device expense and maintenance costs. Or, you can configure multiple VPNs to use the same CE and the same routing table, which sacrifices data security.

Using the Multi-VPN-Instance CE (MCE) function, you can remove the contradiction of low cost and high security in multi-VPN networks. MCE allows you to bind each VPN to a VLAN interface. The MCE creates and maintains a separate routing table for each VPN. This separates the forwarding paths of packets of different VPNs and, in conjunction with the PE, can correctly advertise the routes of each VPN to the peer PE, ensuring the normal transmission of VPN packets over the public network.

The following uses Figure 18 to describe how an MCE maintains the routing tables for multiple VPNs and exchanges VPN routes with PEs.

Figure 18 Network diagram for the MCE function

Establish a tunnel between the two sites of each VPN.

Create a routing table for VPN 1 and VPN 2, respectively, on the MCE device, and bind VLAN-interface 2 to VPN 1 and VLAN-interface 3 to VPN 2. When receiving a route, the MCE device determines the source of the routing information according to the number of the receiving interface, and then adds it to the corresponding routing table.

You must also bind PE 1's interfaces/subinterfaces connected to the MCE to the VPNs in the same way. The MCE connects to PE 1 through a trunk link, which permits packets of VLAN 2 and VLAN 3 with VLAN tags carried. In this way, PE 1 determines the VPN that a received packet belongs to according to the VLAN tag of the packet and sends the packet through the corresponding tunnel.

You can configure static routes, RIP, OSPF, IS-IS, EBGP, or IBGP between MCE and VPN site and between an MCE and a PE.

NOTE:

To implement dynamic IP assignment for DHCP clients in private networks, you can configure DHCP server or DHCP relay agent on the MCE. The IP address spaces for different private networks cannot overlap.

MPLS L3VPN configuration task list

Complete basic MPLS L3VPN configuration to construct a basic MPLS VPN network.

To deploy special MPLS L3VPN networks, such as inter-AS VPN, nested VPN, and multi-role host, you must also perform specific configurations described in related sections.

Tasks at a glance
Configuring basic MPLS L3VPN
Configuring inter-AS VPN
Configuring nested VPN
Configuring HoVPN
Configuring routing on an MCE
Specifying the VPN label processing mode
Configuring BGP AS number substitution

Configuring basic MPLS L3VPN

The key task in MPLS L3VPN configuration is to control the advertisement of VPN routes on the MPLS backbone, including PE-CE route exchange and PE-PE route exchange.

To configure basic MPLS L3VPN:

Tasks at a glance
Configuring VPN instances: · (Required.) Creating a VPN instance · (Required.) Associating a VPN instance with an interface · (Optional.) Configuring route related attributes for a VPN instance
(Required.) Configuring routing between a PE and a CE
(Required.) Configuring routing between PEs
(Optional.) Configuring BGP VPNv4 route control

Configuration prerequisites

Before you configure basic MPLS L3VPN, complete the following tasks:

· Configure an IGP for the MPLS backbone (on the PEs and Ps) to achieve IP connectivity.

· Configure basic MPLS for the MPLS backbone.

· Configure MPLS LDP for the MPLS backbone so that LDP LSPs can be established.

· Configure IP addresses for CE interfaces connected to PEs.

Configuring VPN instances

VPN instances isolate not only VPN routes from public network routes, but also routes among VPNs. This feature allows VPN instances to be used in network scenarios besides MPLS L3VPNs.

All VPN instance configurations are performed on PEs or MCEs.

Creating a VPN instance

A VPN instance is associated with a site. It is a collection of the VPN membership and routing rules of its associated site. A VPN instance does not necessarily correspond to one VPN.

To create and configure a VPN instance:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a VPN instance and enter VPN instance view.	ip vpn-instance vpn-instance-name	No VPN instance is created by default.
3. Specify a reserved VLAN for the VPN instance.	reserve-vlan vlan-id	No reserved VLAN is specified for a VPN instance by default. The reserved VLAN configuration takes effect only when the system is operating in standard mode. For more information about system operating modes, see Fundamentals Configuration Guide. When the system is operating in standard mode, you must configure a reserved VLAN for a created VPN instance in the following cases: · The VPN instance is connected to no CEs. · There is no need to configure the multicast VPN function for the VPN instance. · There is no need to bind the VPN instance to an IP tunnel. When the system is operating in standard mode, if a VPN instance is not configured with a reserved VLAN, you cannot configure URPF on the private network VLAN interface bound to the VPN instance.
4. Configure an RD for the VPN instance.	route-distinguisher route-distinguisher	No RD is specified for a VPN instance by default.
5. (Optional.) Configure a description for the VPN instance.	description text	No description is configured for a VPN instance by default.

Associating a VPN instance with an interface

After creating and configuring a VPN instance, associate the VPN instance with the interface connected to the CE.

To associate a VPN instance with an interface:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Associate a VPN instance with the interface.	ip binding vpn-instance vpn-instance-name	No VPN instance is associated with an interface by default. The ip binding vpn-instance command deletes the IP address of the current interface. You must re-configure an IP address for the interface after configuring the command.

Configuring route related attributes for a VPN instance

VPN routes are controlled and advertised on a PE as follows:

· When a VPN route learned from a site gets redistributed into BGP, BGP associates it with a route target extended community attribute list, which is usually the export target attribute of the VPN instance associated with the site.

· The VPN instance determines which routes it can accept and redistribute according to the import-extcommunity in the route target.

· The VPN instance determines how to change the route target attributes for routes to be advertised according to the export-extcommunity in the route target.

To configure route related attributes for a VPN instance:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter VPN instance view or IPv4 VPN view.	· To enter VPN instance view: ip vpn-instance vpn-instance-name · To enter IPv4 VPN view: a. ip vpn-instance vpn-instance-name b. ipv4-family	Configurations made in VPN instance view apply to both IPv4 VPN and IPv6 VPN. IPv4 VPN prefers the configurations in IPv4 VPN view over the configurations in VPN instance view.
3. Configure route targets.	vpn-target vpn-target&<1-8> [ both \| export-extcommunity \| import-extcommunity ]	No route targets are configured by default.
4. Set the maximum number of routes allowed.	routing-table limit number { warn-threshold \| simply-alert }	The default depends on the system operating mode. Setting the maximum number of routes for a VPN instance can prevent the PE from learning too many routes.
5. Apply an import routing policy.	import route-policy route-policy	By default, all routes matching the import target attribute are accepted. The specified routing policy must have been created. For information about routing policies, see Layer 3—IP Routing Configuration Guide.
6. Apply an export routing policy.	export route-policy route-policy	By default, routes to be advertised are not filtered. The specified routing policy must have been created. For information about routing policies, see Layer 3—IP Routing Configuration Guide.
7. Apply a tunnel policy to the VPN instance.	tnl-policy tunnel-policy-name	By default, only one LSP tunnel is selected (no load balancing). The specified tunnel policy must have been created.

Configuring routing between a PE and a CE

You can configure static routing, RIP, OSPF, IS-IS, EBGP, or IBGP between a PE and a CE.

Configuring static routing between a PE and a CE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure a static route for a VPN instance.	ip route-static vpn-instance s-vpn-instance-name dest-address { mask \| mask-length } { next-hop-address [ public ] [ track track-entry-number ] \| interface-type interface-number [ next-hop-address ] \| vpn-instance d-vpn-instance-name next-hop-address [ track track-entry-number ] } [ permanent ] [ preference preference-value ] [ tag tag-value ] [ description description-text ]	No static route is configured for a VPN instance by default. Perform this configuration on the PE. On the CE, configure a normal static route. For more information about static routing, see Layer 3—IP Routing Configuration Guide.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure a static route for a VPN instance.

ip route-static vpn-instance s-vpn-instance-name dest-address { mask | mask-length } { next-hop-address [ public ] [ track track-entry-number ] | interface-type interface-number [ next-hop-address ] | vpn-instance d-vpn-instance-name next-hop-address [ track track-entry-number ] } [ permanent ] [ preference preference-value ] [ tag tag-value ] [ description description-text ]

No static route is configured for a VPN instance by default.

Perform this configuration on the PE. On the CE, configure a normal static route.

For more information about static routing, see Layer 3—IP Routing Configuration Guide.

Configuring RIP between a PE and a CE

A RIP process belongs to the public network or a single VPN instance. If you create a RIP process without binding it to a VPN instance, the process belongs to the public network.

To configure RIP between a PE and a CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a RIP process for a VPN instance and enter RIP view.	rip [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the PE. On the CE, create a normal RIP process.
3. Enable RIP on the interface attached to the specified network.	network network-address	By default, RIP is disabled on an interface.

Configuring OSPF between a PE and a CE

An OSPF process that is bound to a VPN instance does not use the public network router ID configured in system view. Therefore, you must specify a router ID when starting a process or configure an IP address for at least one interface of the VPN instance.

An OSPF process belongs to the public network or a single VPN instance. If you create an OSPF process without binding it to a VPN instance, the process belongs to the public network.

To configure OSPF between a PE and a CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an OSPF process for a VPN instance and enter the OSPF view.	ospf [ process-id \| router-id router-id \| vpn-instance vpn-instance-name ] *	Perform this configuration on the PE. On the CE, create a normal OSPF process. Deleting a VPN instance also deletes all OSPF instances associated with the VPN instance.
3. (Optional.) Configure an OSPF domain ID.	domain-id domain-id [ secondary ]	The default domain ID is 0. Perform this configuration on the PE. On the CE, configure commom OSPF. The domain ID is carried in the routes of the OSPF process. When redistributing routes from the OSPF process, BGP adds the domain ID as an extended community attribute into BGP VPN routes. An OSPF process can be configured with only one domain ID. Domain IDs of different OSPF processes are independent of each other. All OSPF processes of a VPN must be configured with the same domain ID, while OSPF processes on PEs in different VPNs can be configured with domain IDs as desired.
4. Configure the type codes of OSPF extended community attributes.	ext-community-type { domain-id type-code1 \| router-id type-code2 \| route-type type-code3 }	The defaults are as follows: · 0x0005 for Domain ID. · 0x0107 for Router ID. · 0x0306 for Route Type. Perform this configuration on the PE.
5. Create an OSPF area and enter area view.	area area-id	By default, no OSPF area is created.
6. Enable OSPF on the interface attached to the specified network in the area.	network ip-address wildcard-mask	By default, an interface neither belongs to any area nor runs OSPF.

Configuring IS-IS between a PE and a CE

An IS-IS process belongs to the public network or a single VPN instance. If you create an IS-IS process without binding it to a VPN instance, the process belongs to the public network.

To configure IS-IS between a PE and a CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an IS-IS process for a VPN instance and enter IS-IS view.	isis [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the PE. On the CE, configure common IS-IS.
3. Configure a network entity title for the IS-IS process.	network-entity net	No NET is configured by default.
4. Return to system view.	quit	N/A
5. Enter interface view.	interface interface-type interface-number	N/A
6. Enable the IS-IS process on the interface.	isis enable [ process-id ]	No IS-IS process is enabled on the interface by default.

Configuring EBGP between a PE and a CE

1. Configure the PE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable BGP and enter BGP view.	bgp as-number	N/A
3. Enter BGP VPN view.	ip vpn-instance vpn-instance-name	Configuration commands in BGP VPN view are the same as those in BGP view. For details, see Layer 3—IP Routing Configuration Guide.
4. Configure the CE as the VPN EBGP peer.	peer { group-name \| ip-address } as-number as-number	No BGP peer is configured by default. For more information about BGP peers and peer groups, see Layer 3—IP Routing Configuration Guide.
5. Create and enter BGP-VPN IPv4 unicast address family ew.	ipv4-family [ unicast ]	N/A
6. Enable IPv4 unicast route exchange with the specified peer or peer group.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
7. Redistribute the routes of the local CE.	import-route protocol [ { process-id \| all-processes } [ med med-value \| route-policy route-policy-name ] * ]	A PE must redistribute the routes of the local CE into its VPN routing table so it can advertise them to the peer PE.
8. (Optional.) Allow the local AS number to appear in the AS_PATH attribute of a received route and set the maximum number of repetitions.	peer { group-name \| ip-address } allow-as-loop [ number ]	By default, BGP discards incoming route updates that contain the local AS number. BGP detects routing loops by examining AS numbers.

2. Configure the CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the PE as a BGP peer.	peer { group-name \| ip-address } as-number as-number	No BGP peer is created by default.
4. Create and enter BGP IPv4 unicast address family view.	ipv4-family [ unicast ]	N/A
5. Enable IPv4 unicast route exchange with the specified peer or peer group.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
6. (Optional.) Configure route redistribution.	import-route protocol [ { process-id \| all-processes } [ med med-value \| route-policy route-policy-name ] * ]	A CE must redistribute its routes to the PE so the PE can advertise them to the peer CE.

Configuring IBGP between a PE and a CE

Use IBGP between PE and CE in only common MPLS L3VPN networks. In networks such as Extranet, inter-AS VPN, carrier's carrier, nested VPN, and HoVPN, you cannot use IBGP between PE and CE.

1. Configure the PE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP VPN view.	ip vpn-instance vpn-instance-name	Configuration commands in BGP VPN view are the same as those in BGP view. For details, see Layer 3—IP Routing Configuration Guide.
4. Configure the CE as the VPN IBGP peer.	peer { group-name \| ip-address } as-number as-number	No BGP peer is created by default.
5. Create and enter BGP-VPN IPv4 unicast address family view.	ipv4-family [ unicast ]	N/A
6. Enable IPv4 unicast route exchange with the specified peer.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
7. Configure the CE as a client of the RR.	peer { group-name \| ip-address } reflect-client	By default, no RR or RR client is configured, and the PE does not advertise routes learned from the IBGP peer CE to other IBGP peers, including VPNv4 IBGP peers. Only when you configure the IBGP peer CE as a client of the RR, does the PE advertise routes learned from the CE to other IBGP peers. Configuring an RR does not change the next hop of a route. To change the next hop of a route, configure an inbound policy on the receiving side.
8. (Optional.) Enable route reflection between clients.	reflect between-clients	Route reflection between clients is enabled by default.
9. (Optional.) Configure the cluster ID for the RR.	reflector cluster-id { cluster-id \| ip-address }	By default, the RR uses its own router ID as the cluster ID. If multiple RRs exist in a cluster, use this command to configure the same cluster ID for all RRs in the cluster to avoid routing loops.

2. Configure the CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the PE as an IBGP peer.	peer { group-name \| ip-address } as-number as-number	No BGP peer is created by default.
4. Create and enter BGP IPv4 unicast address family view.	ipv4-family [ unicast ]	N/A
5. Enable IPv4 unicast route exchange with the specified peer or peer group.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
6. (Optional.) Configure route redistribution.	import-route protocol [ { process-id \| all-processes } [ med med-value \| route-policy route-policy-name ] * ]	A CE must redistribute its routes to the PE so the PE can advertise them to the peer CE.

Configuring routing between PEs

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the remote PE as a BGP peer.	peer { group-name \| ip-address } as-number as-number	No BGP peer is created by default.
4. Specify the source interface for route updates.	peer { group-name \| ip-address } connect-interface interface-type interface-number	By default, BGP uses the egress interface of the optimal route destined for the peer as the source interface.
5. Create and enter BGP-VPNv4 address family view.	ipv4-family vpnv4	N/A
6. Enable BGP-VPNv4 route exchange with the specified peer.	peer { group-name \| ip-address } enable	By default, BGP does not exchange BGP-VPNv4 routes with any peer.

Configuring BGP VPNv4 route control

BGP VPNv4 route control is configured similarly with BGP route control, except that it is configured in BGP-VPNv4 address family view. For detailed information about BGP route control, see Layer 3—IP Routing Configuration Guide.

To configure BGP VPNv4 route control:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Create and enter BGP-VPNv4 address family view.	ipv4-family vpnv4	N/A
4. Configure filtering of redistributed routes.	filter-policy { acl-number \| prefix-list prefix-list-name } export [ protocol process-id ]	By default, BGP does not filter redistributed routes.
5. Configure filtering of received routes.	filter-policy { acl-number \| prefix-list prefix-list-name } import	By default, BGP does not filter received routes.
6. Advertise community attributes to a peer or peer group.	peer { group-name \| ip-address } advertise-community	By default, no community attributes are advertised to any peer or peer group.
7. Allow the local AS number to appear in the AS_PATH attribute of routes received from the peer and set the maximum number of repetitions.	peer { group-name \| ip-address } allow-as-loop [ number ]	By default, BGP discards route updates that contain the local AS number.
8. Filter routes received from or advertised to a peer or peer group based on an AS_PATH list.	peer { group-name \| ip-address } as-path-acl aspath-filter-number { import \| export }	By default, no AS filtering list is applied to a peer or peer group.
9. Advertise a default VPN route to a peer or peer group.	peer { group-name \| ip-address } default-route-advertise vpn-instance vpn-instance-name	By default, no default VPN route is advertised to a peer or peer group.
10. Apply an ACL to filter routes received from or advertised to a peer or peer group.	peer { group-name \| ip-address } filter-policy acl-number { export \| import }	By default, no ACL-based filtering is configured.
11. Save all route updates from a peer or peer group.	peer { group-name \| ip-address } keep-all-routes	By default, BGP does not save route updates from any peer.
12. Specify the router as the next hop of routes sent to a peer or peer group.	peer { group-name \| ip-address } next-hop-local	By default, the router sets it as the next hop for routes sent to an EBGP peer or peer group, but does not change the next hop for routes sent to an IBGP peer or peer group.
13. Configure BGP to not change the next hop of routes sent to an EBGP peer or peer group.	peer { group-name \| ip-address } next-hop-invariable	By default, the router sets it as the next hop for routes sent to an EBGP peer or peer group. In an inter-AS option C network where an RR is used to advertise VPNv4 routes, configure this command on the RR so the RR does not change the next hop of routes sent to EBGP peers and clients.
14. Specify a preferred value for routes received from a peer or peer group.	peer { group-name \| ip-address } preferred-value value	By default, the preferred value is 0.
15. Apply a prefix list to filter routes received from or advertised to a peer or peer group.	peer { group-name \| ip-address } prefix-list prefix-list-name { export \| import }	No prefix list based filtering is configured.
16. Configure BGP updates advertised to an EBGP peer or peer group to carry only public AS numbers.	peer { group-name \| ip-address } public-as-only	By default, BGP route updates advertised to an EBGP peer or peer group can carry both public and private AS numbers.
17. Configure the router as a route reflector and specify a peer or peer group as its client.	peer { group-name \| ip-address } reflect-client	No RR is configured by default.
18. Specify the maximum number of routes BGP can receive from a peer or peer group.	peer { group-name \| ip-address } route-limit prefix-number [ { alert-only \| reconnect reconnect-time } \| percentage-value ] *	By default, the number of routes that BGP can receive from a peer or peer group is not limited.
19. Apply a routing policy to a peer or peer group.	peer { group-name \| ip-address } route-policy route-policy-name { export \| import }	By default, no routing policy is applied to a peer or peer group.
20. Enable route target-based filtering of received VPNv4 routes.	policy vpn-target	By default, this feature is enabled.
21. Enable route reflection between clients.	reflect between-clients	By default, route reflection between clients is enabled on the RR.
22. Configure a cluster ID for the route reflector.	reflector cluster-id { cluster-id \| ip-address }	By default, the RR uses its own router ID as the cluster ID.
23. Configure filtering of reflected routes.	rr-filter extended-community-list-number	By defaut, the RR does not filter reflected routes.

Configuring inter-AS VPN

If the MPLS backbone spans multiple ASs, you must configure inter-AS VPN.

Three inter-AS VPN solutions are available. You can choose them as required.

Before you configure an inter-AS VPN, complete the following tasks:

· Configure an IGP for the MPLS backbones in each AS.

· Configure basic MPLS for the MPLS backbone of each AS.

· Configure MPLS LDP for the MPLS backbone of each AS so that LDP LSPs can be established.

· Configure basic MPLS L3VPN for each AS.

When configuring basic MPLS L3VPN for each AS, specific configurations may be required on PEs or ASBR PEs. This depends on the inter-AS VPN solution selected.

Configuring inter-AS option A

Inter-AS option A applies to scenarios where the number of VPNs and VPN routes on the PEs are relatively small. It is simple to implement.

To configure inter-AS option A, complete the following tasks:

· Configure basic MPLS L3VPN on each AS.

· Configure each ASBR-PE, taking the peer ASBR-PE as its CE.

In other words, configure VPN instances on PEs and ASBR PEs respectively. The VPN instances on PEs are used to allow CEs to access the network, and those on ASBR PEs are used to access the peer ASBR PEs. For more information, see "Configuring basic MPLS L3VPN."

In the inter-AS option A solution, for the same VPN, the route targets configured on the PEs must match those configured on the ASBR-PEs in the same AS to make sure VPN routes sent by the PEs (or ASBR-PEs) can be received by the ASBR-PEs (or PEs). Route targets configured on the PEs in different ASs do not have such requirements.

Configuring inter-AS option B

In the inter-AS option B solution, the ASBR PEs must maintain all VPNv4 routing information and advertise the information to peer ASBR PEs. In this case, the ASBR PEs must receive all VPNv4 routing information without performing route target-based filtering.

In the inter-AS option B solution, for the same VPN, the route targets for the VPN instances on the PEs in different ASs must match.

For inter-AS option B, two configuration methods are available:

· Do not change the next hop on an ASBR. With this method, you must configure MPLS LDP between ASBRs.

· Change the next hop on an ASBR. With this method, MPLS LDP is not required between ASBRs.

Only the second method is supported. Therefore, MP-EBGP routes get their next hops changed by default before being redistributed to MP-IBGP. However, normal EBGP routes to be advertised to IBGP do not have their next hops changed by default. To change the next hop to a local address, use the peer { ip-address | group-name } next-hop-local command. For more information about the command, see Layer 3—IP Routing Configuration Guide.

To configure inter-AS option B on the ASBR PE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view of the interface connecting to the remote ASBR-PE.	interface interface-type interface-number	N/A
3. Configure the IP address of the interface.	ip address ip-address { mask \| mask-length }	N/A
4. Return to system view.	quit	N/A
5. Enter BGP view.	bgp as-number	N/A
6. Enter BGP-VPNv4 address family view.	ipv4-family vpnv4	N/A
7. Disable route target based filtering of VPNv4 routes.	undo policy vpn-target	By default, the PE filters received VPNv4 routes by route targets. The routes surviving the filtering are added to the routing table, and the others are discarded.

Configuring inter-AS option C

To configure inter-AS option C, perform configurations on PEs and ASBR PEs, and configure routing policies on the ASBR PEs.

Configuring a PE

Establish an ordinary IBGP peer relationship between a PE and an ASBR PE in an AS and an MP-EBGP peer relationship between PEs of different ASs.

The PEs and ASBR PEs in an AS must be able to exchange labeled IPv4 routes.

To configure a PE for inter-AS option C:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the ASBR PE in the same AS as an IBGP peer.	peer { group-name \| ip-address } as-number as-number	No BGP peer is created by default.
4. Configure the PE of another AS as an EBGP peer.	peer { group-name \| ip-address } as-number as-number	No BGP peer is created by default.
5. Enter BGP IPv4 unicast address family view.	ipv4-family [ unicast ]	N/A
6. Enable the PE to exchange IPv4 unicast routes with the peer or peer group.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
7. Enable the PE to exchange labeled IPv4 routes with the ASBR PE in the same AS.	peer { group-name \| ip-address } label-route-capability	By default, BGP does not advertise labeled routes to any IPv4 peer or peer group.
8. Return to BGP view.	quit	N/A
9. Enter BGP-VPNv4 address family view.	ipv4-family vpnv4	N/A
10. Enable the PE to exchange VPNv4 routes with the peer or peer group.	peer { group-name \| ip-address } enable	By default, BGP does not exchange VPNv4 routes with any peer.
11. (Optional.) Configure the PE to not change the next hop of routes advertised to the EBGP peer.	peer { group-name \| ip-address } next-hop-invariable	Configure this command on the RR so the RR does not change the next hop of advertised VPNv4 routes.

Configuring an ASBR PE

In the inter-AS option C solution, an inter-AS LSP is required, and the public network routes advertised between the relevant PEs and ASBRs must carry MPLS label information.

An ASBR-PE establishes common IBGP peer relationships with PEs in the same AS, and a common EBGP peer relationship with the peer ASBR PE. All of them can exchange labeled IPv4 routes.

Public network routes carrying MPLS labels are advertised through MP-BGP. According to RFC 3107 "Carrying Label Information in BGP-4," the label mapping information for a particular route is piggybacked in the same BGP update message that is used to distribute the route. This capability is implemented through BGP extended attributes and requires that BGP peers can handle labeled IPv4 routes.

To configure an ASBR PE for inter-AS option C:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the PE in the same AS as an IBGP peer.	peer { group-name \| ip-address } as-number as-number	No BGP peer is created by default.
4. Configure the peer ASBR PE as an EBGP peer.	peer { group-name \| ip-address } as-number as-number	No BGP peer is created by default.
5. Enter BGP IPv4 unicast address family view.	ipv4-family [ unicast ]	N/A
6. Enable exchange of IPv4 unicast routes with the peer or peer group.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
7. Enable exchange of labeled IPv4 routes with the PE in the local AS and the peer ASBR PE.	peer { group-name \| ip-address } label-route-capability	By default, BGP does not advertise labeled routes to any IPv4 peer or peer group.
8. Configure the ASBR PE to set itself as the next hop of routes advertised to the PE in the local AS.	peer { group-name \| ip-address } next-hop-local	By default, BGP does not use its address as the next hop of routes advertised to an IBGP peer or peer group.

Configuring a routing policy on an ASBR PE

A routing policy on an ASBR PE does the following:

· Assigns MPLS labels to routes received from the PEs in the local AS before advertising them to the peer ASBR PE.

· Assigns new MPLS labels to labeled IPv4 routes advertised to PEs in the local AS.

Which IPv4 routes are assigned with MPLS labels depends on the routing policy. Only routes that satisfy the criteria are assigned with labels. All other routes are still common IPv4 routes.

To configure a routing policy for inter-AS option C on an ASBR PE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a routing policy and enter routing policy view.	route-policy policy-name permit node seq-number	No routing policy is created by default.
3. Match IPv4 routes carrying labels.	if-match mpls-label	No match criterion is configured by default.
4. Set labels for IPv4 routes.	apply mpls-label	No apply clause is configured by default.

Configuring nested VPN

For a network with many VPNs, nested VPN is a good solution to implement layered management of VPNs and to conceal the deployment of internal VPNs.

To build a nested VPN network, perform the following configurations:

· Configurations between customer PE and customer CE—Configure VPN instances on the customer PE and configure route exchange between customer PE and customer CE.

· Configurations between customer PE and provider CE—Configure BGP VPN4 route exchange between them.

· Configurations between provider CE and provider PE—Configure VPN instances and enable nested VPN on the provider PE and configure BGP VPNv4 route exchange between the provider CE and provider PE. To make sure the provider CE can receive all VPNv4 routes, configure the undo policy vpn-target command on the provider CE to not filter VPNv4 routes by RTs.

· Configurations between provider PEs—Configure BGP VPNv4 route exchange between them.

Nested VPN allows a customer PE to directly exchange VPNv4 routes with a provider PE, without needing to deploy a provider CE. In this case, the customer PE also acts as the provider CE. Therefore, you must configure provider CE settings on it.

Configurations on the customer CE, customer PE, and provider CE are similar with basic MPLS L3VPN configurations. Configurations on the provider PE have some differences from basic MPLS L3VPN configurations, and are described in the following table.

When you configure nested VPN, follow these guidelines:

· The address spaces of sub-VPNs of a VPN cannot overlap.

· Do not assign nested VPN peers addresses that public network peers use.

· Nested VPN does not support multi-hop EBGP. A provider PE and a provider CE must use the addresses of the directly connected interfaces to establish a neighbor relationship.

To configure nested VPN:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN VPNv4 address family view.	ipv4-family vpnv4	N/A
4. Enable nested VPN.	nesting-vpn	Nested VPN is disabled by default.
5. Return to BGP view.	quit	N/A
6. Enter BGP-VPN view.	ip vpn-instance vpn-instance-name	N/A
7. Specify the peer CE or the peer group of the peer CE.	peer { group-name \| peer-address } as-number as-number	No peer is specified by default.
8. Enter BGP-VPN VPNv4 address family view.	ipv4-family vpnv4	N/A
9. Enable BGP VPNv4 route exchange with the peer CE or the peer group of the peer CE.	peer { group-name \| peer-address } enable	By default, BGP does not exchange VPNv4 routes with any peer.

Configuring HoVPN

HoVPN is suited to build hierarchical VPNs, reducing performance requirements for PEs.

Before you configure HoVPN, complete basic MPLS L3VPN settings on UPE and SPE.

Do not configure the peer default-route-advertise vpn-instance and peer upe route-policy commands at the same time.

Do not connect an SPE to a CE directly. If an SPE must be directly connected to a CE, the VPN instance on the SPE and that on the UPE must be configured with different RDs.

To configure HoVPN:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Specify a BGP peer or peer group.	peer { group-name \| peer-address } as-number as-number	No BGP peer is specified by default.
4. Enter BGP-VPN VPNv4 address family view.	ipv4-family vpnv4	N/A
5. Enable BGP-VPNv4 route exchange with the peer or peer group.	peer { group-name \| ip-address } enable	By default, BGP does not exchange VPNv4 routes with any peer.
6. Specify the BGP peer or peer group as a UPE.	peer { group-name \| ip-address } upe	By default, no peer is a UPE.
7. Advertise a default VPN route to the UPE.	peer { group-name \| ip-address } default-route-advertise vpn-instance vpn-instance-name	Use either command. By default, no route is advertised to the UPE. Do not configure both commands. The peer default-route-advertise vpn-instance command advertises a default route using the local address as the next hop to the UPE, regardless of whether the default route is present in the local routing table. However, if the specified peer is not a UPE, the command does not advertise a default route.
8. Advertise routes permitted by a routing policy to the UPE.	peer { group-name \| ip-address } upe route-policy route-policy-name export

Configuring routing on an MCE

MCE implements service isolation through route isolation. MCE routing configuration includes:

· MCE-VPN site routing configuration

· MCE-PE routing configuration

On the PE, disable routing loop detection to avoid route loss during route calculation and disable route redistribution between routing protocols to save system resources.

Before you configure routing on an MCE, complete the following tasks:

· Configure VPN instances, and bind the VPN instances with the interfaces connected to the VPN sites and the PE.

· Configure the link layer and network layer protocols on related interfaces to ensure IP connectivity.

Configuring routing between an MCE and a VPN site

You can configure static routing, RIP, OSPF, IS-IS, EBGP or IBGP between an MCE and a VPN site.

Configuring static routing between an MCE and a VPN site

An MCE can reach a VPN site through a static route. Static routing on a traditional CE is globally effective and thus does not support address overlapping among VPNs. An MCE supports binding a static route to a VPN instance, so that the static routes of different VPN instances can be isolated from each other.

To configure a static route to a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure a static route for a VPN instance.	ip route-static vpn-instance s-vpn-instance-name dest-address { mask \| mask-length } { next-hop-address [ public ] [ track track-entry-number ] \| interface-type interface-number [ next-hop-address ] \| vpn-instance d-vpn-instance-name next-hop-address [ track track-entry-number ] } [ permanent ] [ preference preference-value ] [ tag tag-value ] [ description description-text ]	By default, no static route is configured. Perform this configuration on the MCE. On the VPN site, configure a normal static route.
3. (Optional.) Configure the default preference for static routes.	ip route-static default-preference default-preference-value	The default preference is 60.

Configuring RIP between an MCE and a VPN site

A RIP process belongs to the public network or a single VPN instance. If you create a RIP process without binding it to a VPN instance, the process belongs to the public network. Binding RIP processes to VPN instances can isolate routes of different VPNs. For more information about RIP, see Layer 3—IP Routing Configuration Guide.

To configure RIP between an MCE and a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a RIP process for a VPN instance and enter RIP view.	rip [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the MCE. On a VPN site, create a normal RIP process.
3. Enable RIP on the interface attached to the specified network.	network network-address	By default, RIP is disabled on an interface.
4. Redistribute remote site routes advertised by the PE into RIP.	import-route protocol [ process-id ] [ allow-ibgp ] [ cost cost \| route-policy route-policy-name \| tag tag ] *	By default, no route is redistributed into RIP.
5. (Optional.) Configure the default cost value for the redistributed routes.	default cost value	The default cost is 0.

Configuring OSPF between an MCE and a VPN site

An OSPF process belongs to the public network or a single VPN instance. If you create an OSPF process without binding it to a VPN instance, the process belongs to the public network.

Binding OSPF processes to VPN instances can isolate routes of different VPNs. For more information about OSPF, see Layer 3—IP Routing Configuration Guide.

To configure OSPF between an MCE and a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an OSPF process for a VPN instance and enter OSPF view.	ospf [ process-id \| router-id router-id \| vpn-instance vpn-instance-name ] *	Perform this configuration on the MCE. On a VPN site, create a normal OSPF process. An OSPF process bound to a VPN instance does not use the public network router ID configured in system view. Therefore, configure a router ID for the OSPF process. An OSPF process can belong to only one VPN instance, but one VPN instance can use multiple OSPF processes to advertise VPN routes.
3. (Optional.) Configure the OSPF domain ID.	domain-id domain-id [ secondary ]	The default domain ID is 0. Perform this configuration on the MCE. All OSPF processes of the same VPN instance must be configured with the same OSPF domain ID to ensure correct route advertisement.
4. Redistribute remote site routes advertised by the PE into OSPF.	import-route protocol [ process-id \| all-processes \| allow-ibgp ] [ cost cost \| route-policy route-policy-name \| tag tag \| type type ] *	By default, no routes are redistributed into OSPF.
5. Create an OSPF area and enter OSPF area view.	area area-id	By default, no OSPF area is created.
6. Enable OSPF on the interface attached to the specified network in the area.	network ip-address wildcard-mask	By default, an interface neither belongs to any area nor runs OSPF.

Configuring IS-IS between an MCE and a VPN site

An IS-IS process belongs to the public network or a single VPN instance. If you create an IS-IS process without binding it to a VPN instance, the process belongs to the public network.

Binding IS-IS processes to VPN instances can isolate routes of different VPNs. For more information about IS-IS, see Layer 3—IP Routing Configuration Guide.

To configure IS-IS between an MCE and a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an IS-IS process for a VPN instance and enter IS-IS view.	isis [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the MCE. On a VPN site, configure a normal IS-IS process.
3. Configure a network entity title.	network-entity net	No NET is configured by default.
4. Redistribute remote site routes advertised by the PE into IS-IS.	import-route protocol [ process-id \| all-processes \| allow-ibgp ] [ cost cost \| cost-type { external \| internal } \| [ level-1 \| level-1-2 \| level-2 ] \| route-policy route-policy-name \| tag tag ] *	By default, IS-IS does not redistribute routes from any other routing protocol. If you do not specify the route level in the command, the command redistributes routes to the level-2 routing table by default.
5. Return to system view.	quit	N/A
6. Enter interface view.	interface interface-type interface-number	N/A
7. Enable the IS-IS process on the interface.	isis enable [ process-id ]	IS-IS is disabled by default.

Configuring EBGP between an MCE and a VPN site

To run EBGP between an MCE and a VPN site, you must configure a BGP peer for each VPN instance on the MCE, and redistribute the IGP routes of each VPN instance on the VPN site.

You can configure filtering policies to filter received routes and advertised routes.

1. Configure the MCE:

Routes redistributed from OSPF to BGP have their OSPF attributes removed. To enable BGP to distinguish routes redistributed from different OSPF domains, you must enable the redistributed routes to carry the OSPF domain ID by configuring the domain-id command in OSPF view. The domain ID is added to BGP VPN routes as an extended community attribute.

To configure the MCE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN view.	ip vpn-instance vpn-instance-name	N/A
4. Configure an EBGP peer.	peer { group-name \| ip-address } as-number as-number	By default, no BGP peer is configured.
5. Enter BGP-VPN IPv4 unicast address family view.	ipv4-family [ unicast ]	N/A
6. Enable BGP to exchange IPv4 unicast routes with the peer.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
7. Allow the local AS number to appear in the AS_PATH attribute of routes received from the peer and set the maximum number of repetitions.	peer { group-name \| ip-address } allow-as-loop [ number ]	By default, BGP discards incoming route updates that contain the local AS number. BGP detects routing loops by examining AS numbers. The routing information the MCE advertised to a site carries the local AS number. Therefore, the route updates that the MCE receives from the site also include the local AS number. This causes the MCE unable to receive the route updates. In this case, you must configure this command to allow routing loops.
8. Redistribute remote site routes advertised by the PE into BGP.	import-route protocol [ { process-id \| all-processes } [ med med-value \| route-policy route-policy-name ] * ]	By default, no routes are redistributed into BGP.
9. (Optional.) Configure filtering of redistributed routes.	filter-policy { acl-number \| prefix-list prefix-list-name } export [ protocol process-id ]	By default, BGP does not filter redistributed routes.
10. (Optional.) Configure filtering of received routes.	filter-policy { acl-number \| prefix-list prefix-list-name } import	By default, BGP does not filter received routes.

2. Configure a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the MCE as an EBGP peer.	peer { group-name \| ip-address } as-number as-number	N/A
4. Enter BGP-VPN IPv4 unicast address family view.	ipv4-family [ unicast ]	N/A
5. Enable BGP to exchange IPv4 unicast routes with the peer.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
6. Redistribute the IGP routes of the VPN into BGP.	import-route protocol [ { process-id \| all-processes } [ med med-value \| route-policy route-policy-name ] * ]	By default, no routes are redistributed into BGP. A VPN site must advertise the VPN network addresses it can reach to the connected MCE.

Configuring IBGP beween MCE and VPN site

To run IBGP between an MCE and a VPN site, you must configure a BGP peer for each VPN instance on the MCE, and redistribute the IGP routes of each VPN instance on the VPN site.

1. Configure the MCE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN view.	ip vpn-instance vpn-instance-name	N/A
4. Configure an IBGP peer.	peer { group-name \| ip-address } as-number as-number	N/A
5. Enter BGP-VPN IPv4 unicast address family view.	ipv4-family [ unicast ]	N/A
6. Enable BGP to exchange IPv4 unicast routes with the peer.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
7. (Optional.) Configure the system to be the RR and specify the peer as the client of the RR.	peer { group-name \| ip-address } reflect-client	By default, no RR or RR client is configured. After you configure a VPN site as an IBGP peer, the MCE does not advertise the BGP routes learned from the VPN site to other IBGP peers, including VPNv4 peers. Only when you configure the VPN site as a client of the RR (the MCE), does the MCE advertise routes learned from it to other IBGP peers.
8. Redistribute remote site routes advertised by the PE into BGP.	import-route protocol [ process-id \| all-processes ] [ med med-value \| route-policy route-policy-name ] *	By default, no routes are redistributed into BGP.
9. (Optional.) Configure filtering of redistributed routes.	filter-policy { acl-number \| prefix-list prefix-list-name } export [ protocol process-id ]	By default, BGP does not filter redistributed routes.
10. (Optional.) Configure filtering of received routes.	filter-policy { acl-number \| prefix-list prefix-list-name } import	By default, BGP does not filter received routes.

2. Configure a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the MCE as an IBGP peer.	peer { group-name \| ip-address } as-number as-number	N/A
4. Enter BGP-VPN IPv4 unicast address family view.	ipv4-family [ unicast ]	N/A
5. Enable BGP to exchange IPv4 unicast routes with the peer.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
6. Redistribute the IGP routes of the VPN into BGP.	import-route protocol [ { process-id \| all-processes } [ med med-value \| route-policy route-policy-name ] * ]	By default, no routes are redistributed into BGP. A VPN site must advertise VPN network addresses to the connected MCE.

Configuring routing between an MCE and a PE

MCE-PE routing configuration includes these tasks:

· Bind the MCE-PE interfaces to VPN instances.

· Perform route configurations.

· Redistribute VPN routes into the routing protocol running between the MCE and the PE.

Perform the following configurations on the MCE. For how to configure the PE, see "Configuring routing between a PE and a CE."

Configuring static routing between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure a static route for a VPN instance.	ip route-static vpn-instance s-vpn-instance-name dest-address { mask \| mask-length } { next-hop-address [ public ] [ track track-entry-number ] \| interface-type interface-number [ next-hop-address ] \| vpn-instance d-vpn-instance-name next-hop-address [ track track-entry-number ] } [ permanent ] [ preference preference-value ] [ tag tag-value ] [ description description-text ]	By default, no static route is configured.
3. (Optional.) Configure the default preference for static routes.	ip route-static default-preference default-preference-value	The default preference is 60.

Configuring RIP between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a RIP process for a VPN instance and enter RIP view.	rip [ process-id ] vpn-instance vpn-instance-name	N/A
3. Enable RIP on the interface attached to the specified network.	network network-address	By default, RIP is disabled on an interface.
4. Redistribute the VPN routes.	import-route protocol [ process-id \| all-processes \| allow-ibgp ] [ cost cost \| route-policy route-policy-name \| tag tag ] *	By default, no routes are redistributed into RIP.
5. (Optional.) Configure the default cost for redistributed routes.	default cost value	The default cost is 0.

Configuring OSPF between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an OSPF process for a VPN instance and enter OSPF view.	ospf [ process-id \| router-id router-id \| vpn-instance vpn-instance-name ] *	N/A
3. Disable routing loop detection.	vpn-instance-capability simple	Routing loop detection is enabled by default. You must disable routing loop detection for a VPN OSPF process on the MCE. Otherwise, the MCE cannot receive OSPF routes from the PE.
4. (Optional.) Configure the OSPF domain ID.	domain-id domain-id [ secondary ]	The default domain ID is 0.
5. Redistribute the VPN routes.	import-route protocol [ process-id \| all-processes \| allow-ibgp ] [ cost cost \| route-policy route-policy-name \| tag tag \| type type ] *	By default, no routes are redistributed into OSPF.
6. (Optional.) Configure filtering of redistributed routes.	filter-policy { acl-number \| prefix-list prefix-list-name } export [ protocol [ process-id ] ]	By default, redistributed routes are not filtered.
7. (Optional.) Configure the default parameters for redistributed routes (cost, route number, tag, and type).	default { cost cost \| tag tag \| type type } *	The default cost is 1, the default tag is 1, and default type of redistributed routes is Type-2.
8. Create an OSPF area and enter OSPF area view.	area area-id	By default, no OSPF area is created.
9. Enable OSPF on the interface attached to the specified network in the area.	network ip-address wildcard-mask	By default, an interface neither belongs to any area nor runs OSPF.

Configuring IS-IS between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an IS-IS process for a VPN instance and enter IS-IS view.	isis [ process-id ] vpn-instance vpn-instance-name	N/A
3. Configure a network entity title.	network-entity net	No NET is configured by default.
4. Redistribute VPN routes.	import-route protocol [ process-id \| all-processes \| allow-ibgp ] [ cost cost \| cost-type { external \| internal } \| [ level-1 \| level-1-2 \| level-2 ] \| route-policy route-policy-name \| tag tag ] *	By default, IS-IS does not redistribute routes from any other routing protocol. If you do not specify the route level in the command, the command redistributes routes to the level-2 routing table by default.
5. (Optional.) Configure filtering of redistributed routes.	filter-policy { acl-number \| prefix-list prefix-list-name \| route-policy route-policy-name } export [ protocol [ process-id ] ]	By default, IS-IS does not filter redistributed routes.
6. Return to system view.	quit	N/A
7. Enter interface view.	interface interface-type interface-number	N/A
8. Enable the IS-IS process on the interface.	isis enable [ process-id ]	No IS-IS process is enabled by default.

Configuring EBGP between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN view.	ip vpn-instance vpn-instance-name	N/A
4. Configure the PE as an EBGP peer.	peer { group-name \| ip-address } as-number as-number	N/A
5. Enter BGP-VPN IPv4 unicast address family view.	ipv4-family [ unicast ]	N/A
6. Enable BGP to exchange IPv4 unicast routes with the peer.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
7. Redistribute the VPN routes of the VPN site.	import-route protocol [ process-id \| all-processes ] [ med med-value \| route-policy route-policy-name ] *	By default, no routes are redistributed into BGP.
8. (Optional.) Configure filtering of redistributed routes.	filter-policy { acl-number \| prefix-list prefix-list-name } export [ protocol process-id ]	By default, BGP does not filter redistributed routes.
9. (Optional.) Configure filtering of received routes.	filter-policy { acl-number \| prefix-list prefix-list-name } import	Optional. By default, BGP does not filter received routes.

Configuring IBGP between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN view.	ip vpn-instance vpn-instance-name	N/A
4. Configure the PE as an IBGP peer.	peer { group-name \| ip-address } as-number as-number	N/A
5. Enter BGP-VPN IPv4 unicast address family view.	ipv4-family [ unicast ]	N/A
6. Enable BGP to exchange IPv4 unicast routes with the peer.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
7. Redistribute the VPN routes of the VPN site.	import-route protocol [ process-id \| all-processes ] [ med med-value \| route-policy route-policy-name ] *	By default, no routes are redistributed into BGP.
8. (Optional.) Configure filtering of redistributed routes.	filter-policy { acl-number \| prefix-list prefix-list-name } export [ protocol process-id ]	By default, BGP does not filter redistributed routes.
9. (Optional.) Configure filtering of received routes.	filter-policy { acl-number \| prefix-list prefix-list-name } import	Optional. By default, BGP does not filter received routes.

Specifying the VPN label processing mode on the egress PE

An egress PE can process VPN labels in either POPGO or POP mode:

· POPGO forwarding—Pops the label and forwards the packet out of the egress interface corresponding to the label.

· POP forwarding—Pops the label and forwards the packet through the FIB table.

To add two switches to an IRF fabric, configure the same VPN label processing mode (POPGO by using vpn popgo or POP by using undo vpn popgo) for the two switches. Otherwise, the two switches cannot form an IRF fabric. For more information about IRF, see IRF Configuration Guide.

To specify the VPN label processing mode on an egress PE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Specify the VPN label processing mode as POPGO forwarding.	vpn popgo	The default is POP forwarding.

Configuring BGP AS number substitution

When CEs at different sites have the same AS number, configure the BGP AS number substitution function to avoid route loss. If the AS_PATH attribute of a route contains the AS number of the specified CE, the PE replaces the AS number with its own AS number before advertising the route to that CE.

Before you configure BGP AS number substitution, complete basic MPLS L3VPN configuration.

To configure BGP AS number substitution:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN view.	ip vpn-instance vpn-instance-name	N/A
4. Configure a BGP peer or peer group.	peer { group-name \| ip-address } as-number as-number	N/A
5. Enable the BGP AS number substitution function.	peer { ip-address \| group-name } substitute-as	BGP AS number substitution is disabled by default. For more information about this command, see Layer 3—IP Routing Command Reference.

Displaying and maintaining MPLS L3VPN

You can soft-reset or reset BGP connections to apply new BGP configurations. Soft reset requires that BGP peers have route refresh capability (supporting Route-Refresh messages).

Execute the refresh and reset commands in user view.

Task	Command
Soft reset BGP VPNv4 connections.	refresh bgp { ip-address \| all \| external \| group group-name \| internal } { export \| import } vpnv4 [ vpn-instance vpn-instance-name ]
Reset BGP VPNv4 connections.	reset bgp { as-number \| ip-address \| all \| external \| internal \| group group-name } vpnv4 [ vpn-instance vpn-instance-name ]

Use the following commands in any view to display MPLS L3VPN:

Task	Command
Display the routing table for a VPN instance. For more information about this command, see Layer 3—IP Routing Command Reference.	display ip routing-table vpn-instance vpn-instance-name [ statistics \| verbose ]
Display information about a specified or all VPN instances.	display ip vpn-instance [ instance-name vpn-instance-name ]
Display the FIB of a VPN instance.	display fib vpn-instance vpn-instance-name
Display FIB entries that match the specified destination IP address in the specified VPN instance.	display fib vpn-instance vpn-instance-name ip-address [ mask \| mask-length ]
Display BGP VPNv4 peer group information.	display bgp group vpnv4 [ vpn-instance vpn-instance-name ] [ group-name ]
Display BGP VPNv4 peer information.	display bgp peer vpnv4 [ vpn-instance vpn-instance-name ] [ group-name log-info \| ip-address { log-info \| verbose } \| verbose ]
Display BGP VPNv4 routes.	display bgp routing-table vpnv4 [ route-distinguisher route-distinguishe ] [ network-address [ { mask \| mask-length } [ longest-match ] ] ]
Display BGP VPNv4 route advertisement information.	display bgp routing-table vpnv4 [ route-distinguisher route-distinguishe ] network-address [ mask \| mask-length ] advertise-info
Display BGP VPNv4 routes matching the specified AS PATH list.	display bgp routing-table vpnv4 [ route-distinguisher route-distinguishe ] as-path-acl as-path-acl-number
Display BGP VPNv4 routes matching the specified BGP community list.	display bgp routing-table vpnv4 [ route-distinguisher route-distinguishe ] community-list { { basic-community-list-number \| comm-list-name } [ whole-match ] \| adv-community-list-number }
Display BGP VPNv4 routes advertised to or received from the specified BGP peer.	display bgp routing-table vpnv4 [ vpn-instance vpn-instance-name ] peer ip-address { advertised-routes \| received-routes } [ network-address [ mask \| mask-length ] \| statistics ]
Display incoming labels for BGP IPv4 unicast routes.	display bgp routing-table ipv4 [ unicast ] [ vpn-instance vpn-instance-name ] inlabel
Display outgoing labels for BGP IPv4 unicast routes.	display bgp routing-table ipv4 [ unicast ] [ vpn-instance vpn-instance-name ] outlabel
Display incoming labels for BGP VPNv4 routes.	display bgp routing-table vpnv4 inlabel
Display outgoing labels for BGP VPNv4 routes.	display bgp routing-table vpnv4 outlabel
Display BGP VPNv4 route statistics.	display bgp routing-table vpnv4 statistics

MPLS L3VPN configuration examples

By default, Ethernet interfaces, VLAN interfaces, and aggregate interfaces are in down state. To configure such an interface, first use the undo shutdown command to bring the interface up.

Configuring basic MPLS L3VPN

Network requirements

CE 1 and CE 3 belong to VPN 1. CE 2 and CE 4 belong to VPN 2. PEs and P are MPLS-capable devices.

VPN 1 uses route target attribute 111:1. VPN 2 uses route target attribute 222:2. Users of different VPNs cannot access each other.

EBGP is used to exchange VPN routing information between CE and PE.

PEs use OSPF to communicate with each other and use MP-IBGP to exchange VPN routing information.

Figure 19 Network diagram

Device	Interface	IP address	Device	Interface	IP address
CE 1	Vlan-int11	10.1.1.1/24	P	Loop0	2.2.2.9/32
PE 1	Loop0	1.1.1.9/32		Vlan-int12	172.2.1.1/24
	Vlan-int11	10.1.1.2/24		Vlan-int13	172.1.1.2/24
	Vlan-int13	172.1.1.1/24	PE 2	Loop0	3.3.3.9/32
	Vlan-int12	10.2.1.2/24		Vlan-int12	172.2.1.2/24
CE 2	Vlan-int12	10.2.1.1/24		Vlan-int11	10.3.1.2/24
CE 3	Vlan-int11	10.3.1.1/24		Vlan-int13	10.4.1.2/24
CE 4	Vlan-int13	10.4.1.1/24

Configuration procedure

1. Configure an IGP on the MPLS backbone to ensure IP connectivity within the backbone:

# Configure PE 1.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 1.1.1.9 32

[PE1-LoopBack0] quit

[PE1] interface vlan-interface 13

[PE1-Vlan-interface13] ip address 172.1.1.1 24

[PE1-Vlan-interface13] quit

[PE1] ospf

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

# Configure the P device.

<P> system-view

[P] interface loopback 0

[P-LoopBack0] ip address 2.2.2.9 32

[P-LoopBack0] quit

[P] interface vlan-interface 13

[P-Vlan-interface13] ip address 172.1.1.2 24

[P- Vlan-interface13] quit

[P] interface vlan-interface 12

[P-Vlan-interface12] ip address 172.2.1.1 24

[P-Vlan-interface12] quit

[P] ospf

[P-ospf-1] area 0

[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[P-ospf-1-area-0.0.0.0] quit

[P-ospf-1] quit

# Configure PE 2.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 3.3.3.9 32

[PE2-LoopBack0] quit

[PE2] interface vlan-interface 12

[PE2-Vlan-interface12] ip address 172.2.1.2 24

[PE2-Vlan-interface12] quit

[PE2] ospf

[PE2-ospf-1] area 0

[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

After the configurations, OSPF adjacencies are established between PE 1, P, and PE 2. Execute the display ospf peer command. The output shows that the adjacency status is Full. Execute the display ip routing-table command. The output shows that the PEs have learned the routes to the loopback interfaces of each other. Take PE 1 as an example:

[PE1] display ip routing-table protocol ospf

Summary Count : 5

OSPF Routing table Status : <Active>

Summary Count : 3

Destination/Mask Proto Pre Cost NextHop Interface

2.2.2.9/32 OSPF 10 1 172.1.1.2 Vlan13

3.3.3.9/32 OSPF 10 2 172.1.1.2 Vlan13

172.2.1.0/24 OSPF 10 2 172.1.1.2 Vlan13

OSPF Routing table Status : <Inactive>

Summary Count : 2

Destination/Mask Proto Pre Cost NextHop Interface

1.1.1.9/32 OSPF 10 0 1.1.1.9 Loop0

172.1.1.0/24 OSPF 10 1 172.1.1.1 Vlan13

[PE1] display ospf peer verbose

OSPF Process 1 with Router ID 1.1.1.9

Neighbors

Area 0.0.0.0 interface 172.1.1.1(Vlan-interface13)'s neighbors

Router ID: 2.2.2.9 Address: 172.1.1.2 GR State: Normal

State: Full Mode: Nbr is Master Priority: 1

DR: 172.1.1.2 BDR: 172.1.1.1 MTU: 0

Options is 0x02 (-|-|-|-|-|-|E|-)

Dead timer due in 39 sec

Neighbor is up for 00:00:29

Authentication Sequence: [ 0 ]

Neighbor state change count: 6

2. Configure basic MPLS and MPLS LDP on the MPLS backbone to establish LDP LSPs:

# Configure PE 1.

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] interface vlan-interface 13

[PE1-Vlan-interface13] mpls enable

[PE1-Vlan-interface13] mpls ldp enable

[PE1-Vlan-interface13] quit

# Configure the P device.

[P] mpls lsr-id 2.2.2.9

[P] mpls ldp

[P-ldp] quit

[P] interface vlan-interface 13

[P-Vlan-interface13] mpls enable

[P-Vlan-interface13] mpls ldp enable

[P-Vlan-interface13] quit

[P] interface vlan-interface 12

[P-Vlan-interface12] mpls enable

[P-Vlan0interface12] mpls ldp enable

[P-Vlan-interface12] quit

# Configure PE 2.

[PE2] mpls lsr-id 3.3.3.9

[PE2] mpls ldp

[PE2-mpls-ldp] quit

[PE2] interface vlan-interface 12

[PE2-Vlan-interface12] mpls enable

[PE2-Vlan-interface12] mpls ldp enable

[PE2-Vlan-interface12] quit

After the configurations, LDP sessions are established between PE 1, P, and PE 2. Execute the display mpls ldp peer command. The output shows that the session status is Operational. Execute the display mpls ldp lsp command. The output shows the LSPs established by LDP. Take PE 1 as an example:

[PE1] display mpls ldp peer

Total number of peers: 1

Peer LDP ID State LAM Role GR MD5 KA Sent/Rcvd

2.2.2.9:0 Operational DU Passive Off Off 5/5

[PE1] display mpls ldp lsp

Status codes: * - stale, L - liberal

Statistics:

FECs: 3 Ingress LSPs: 2 Transit LSPs: 2 Egress LSPs: 1

FEC In/Out Label Nexthop OutInterface

1.1.1.9/32 3/-

-/1151(L)

2.2.2.9/32 -/3 172.1.1.2 Vlan-interface13

1151/3 172.1.1.2 Vlan-interface13

3.3.3.9/32 -/1150 172.1.1.2 Vlan-interface13

1150/1150 172.1.1.2 Vlan-interface13

3. Configure VPN instances on PEs:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 111:1

[PE1-vpn-instance-vpn1] quit

[PE1] ip vpn-instance vpn2

[PE1-vpn-instance-vpn2] route-distinguisher 100:2

[PE1-vpn-instance-vpn2] vpn-target 222:2

[PE1-vpn-instance-vpn2] quit

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] ip binding vpn-instance vpn1

[PE1-Vlan-interface11] ip address 10.1.1.2 24

[PE1-Vlan-interface11] quit

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip binding vpn-instance vpn2

[PE1-Vlan-interface12] ip address 10.2.1.2 24

[PE1-Vlan-interface12] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 200:1

[PE2-vpn-instance-vpn1] vpn-target 111:1

[PE2-vpn-instance-vpn1] quit

[PE2] ip vpn-instance vpn2

[PE2-vpn-instance-vpn2] route-distinguisher 200:2

[PE2-vpn-instance-vpn2] vpn-target 222:2

[PE2-vpn-instance-vpn2] quit

[PE2] interface vlan-interface 11

[PE2-Vlan-interface11] ip binding vpn-instance vpn1

[PE2-Vlan-interface11] ip address 10.3.1.2 24

[PE2-Vlan-interface11] quit

[PE2] interface vlan-interface 13

[PE2-Vlan-interface13] ip binding vpn-instance vpn2

[PE2-Vlan-interface13] ip address 10.4.1.2 24

[PE2-Vlan-interface13] quit

# Configure IP addresses for the CEs according to Figure 19. (Details not shown.)

After completing the configurations, execute the display ip vpn-instance command on the PEs to view the configuration of the VPN instance. Use the ping command to test connectivity between the PEs and their attached CEs. The PEs can ping their attached CEs. Take PE 1 as an example:

[PE1] display ip vpn-instance

Total VPN-Instances configured : 2

VPN-Instance Name RD Create time

vpn1 100:1 2012/02/13 12:49:08

vpn2 100:2 2012/02/13 12:49:20

[PE1] ping -vpn-instance vpn1 10.1.1.1

PING 10.1.1.1 (10.1.1.1): 56 data bytes

56 bytes from 10.1.1.1: icmp_seq=0 ttl=255 time=1.000 ms

56 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=2.000 ms

56 bytes from 10.1.1.1: icmp_seq=2 ttl=255 time=0.000 ms

56 bytes from 10.1.1.1: icmp_seq=3 ttl=255 time=1.000 ms

56 bytes from 10.1.1.1: icmp_seq=4 ttl=255 time=0.000 ms

--- 10.1.1.1 ping statistics ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/stddev = 0.000/0.800/2.000/0.748 ms

4. Establish EBGP peer relationships between PEs and CEs and redistribute VPN routes:

# Configure CE 1.

<CE1> system-view

[CE1] bgp 65410

[CE1-bgp] peer 10.1.1.2 as-number 100

[CE1-bgp] ipv4-family unicast

[CE1-bgp-ipv4] peer 10.1.1.2 enable

[CE1-bgp-ipv4] import-route direct

[CE1-bgp-ipv4] quit

[CE1-bgp] quit

# Configure the other three CEs in a similar way to configuring CE 1. (Details not shown.)

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410

[PE1-bgp-vpn1] ipv4-family unicast

[PE1-bgp-ipv4-vpn1] peer 10.1.1.1 enable

[PE1-bgp-ipv4-vpn1] import-route direct

[PE1-bgp-ipv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] ip vpn-instance vpn2

[PE1-bgp-vpn2] peer 10.2.1.1 as-number 65420

[PE1-bgp-vpn2] ipv4-family unicast

[PE1-bgp-ipv4-vpn1] peer 10.2.1.1 enable

[PE1-bgp-ipv4-vpn2] import-route direct

[PE1-bgp-ipv4-vpn2] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Configure PE 2 in a similar way to configuring PE 1. (Details not shown.)

After completing the configurations, execute the display bgp peer ipv4 vpn-instance command on the PEs. The output shows that a BGP peer relationship has been established between a PE and a CE, and has reached the Established state. Take PE 1 as an example:

[PE1] display bgp peer ipv4 vpn-instance vpn1

BGP local router ID: 1.1.1.9

Local AS number: 100

Total number of peers: 1 Peers in established state: 1

Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State

10.1.1.1 65410 4 4 0 2 00:00:22 Established

5. Establish an MP-IBGP peer relationship between PEs:

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] peer 3.3.3.9 as-number 100

[PE1-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE1-bgp] ipv4-family vpnv4

[PE1-bgp-vpnv4] peer 3.3.3.9 enable

[PE1-bgp-vpnv4] quit

[PE1-bgp] quit

# Configure PE 2.

[PE2] bgp 100

[PE2-bgp] peer 1.1.1.9 as-number 100

[PE2-bgp] peer 1.1.1.9 connect-interface loopback 0

[PE2-bgp] ipv4-family vpnv4

[PE2-bgp-vpnv4] peer 1.1.1.9 enable

[PE2-bgp-vpnv4] quit

[PE2-bgp] quit

After completing the configuration, execute the display bgp peer vpnv4 command on the PEs. The output shows that a BGP peer relationship has been established between the PEs, and has reached Established state.

[PE1] display bgp peer vpnv4

BGP local router ID: 1.1.1.9

Local AS number: 100

Total number of peers: 1 Peers in established state: 1

Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State

3.3.3.9 100 3 6 0 0 00:00:32 Established

6. Verify the configuration:

Execute the display ip routing-table vpn-instance command on the PEs. The output shows the routes to the CEs. Take PE 1 as an example:

[PE1] display ip routing-table vpn-instance vpn1

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.0/24 Direct 0 0 10.1.1.2 Vlan11

10.1.1.0/32 Direct 0 0 10.1.1.2 Vlan11

10.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.255/32 Direct 0 0 10.1.1.2 Vlan11

10.3.1.0/24 BGP 255 0 3.3.3.9 Vlan13

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

CEs of the same VPN can ping each other, whereas those of different VPNs can not. For example, CE 1 can ping CE 3 (10.3.1.1) but cannot ping CE 4 (10.4.1.1):

[CE1] ping 10.3.1.1

PING 10.3.1.1 (10.3.1.1): 56 data bytes

56 bytes from 10.3.1.1: icmp_seq=0 ttl=254 time=5.000 ms

56 bytes from 10.3.1.1: icmp_seq=1 ttl=254 time=2.000 ms

56 bytes from 10.3.1.1: icmp_seq=2 ttl=254 time=3.000 ms

56 bytes from 10.3.1.1: icmp_seq=3 ttl=254 time=1.000 ms

56 bytes from 10.3.1.1: icmp_seq=4 ttl=254 time=2.000 ms

--- 10.3.1.1 ping statistics ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/stddev = 1.000/2.600/5.000/1.356 ms

[CE1] ping 10.4.1.1

PING 10.4.1.1 (10.4.1.1): 56 data bytes

Request time out

--- 10.4.1.1 ping statistics ---

5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss

Configuring MPLS L3VPN inter-AS option A

Network requirements

CE 1 and CE 2 belong to the same VPN. CE 1 accesses the network through PE 1 in AS 100 and CE 2 accesses the network through PE 2 in AS 200.

Configure MPLS L3VPN inter-AS option A and use the VRF-to-VRF method to manage VPN routes.

Run OSPF on the MPLS backbone in each AS.

Figure 20 Network diagram

Device	Interface	IP address	Device	Interface	IP address
CE 1	Vlan-int12	10.1.1.1/24	CE 2	Vlan-int12	10.2.1.1/24
PE 1	Loop0	1.1.1.9/32	PE 2	Loop0	4.4.4.9/32
	Vlan-int12	10.1.1.2/24		Vlan-int12	10.2.1.2/24
	Vlan-int11	172.1.1.2/24		Vlan-int11	162.1.1.2/24
ASBR-PE 1	Loop0	2.2.2.9/32	ASBR-PE 2	Loop0	3.3.3.9/32
	Vlan-int11	172.1.1.1/24		Vlan-int11	162.1.1.1/24
	Vlan-int12	192.1.1.1/24		Vlan-int12	192.1.1.2/24

Configuration procedure

1. Configure IGP on the MPLS backbone to implement the connectivity in the backbone:

This example uses OSPF. (Details not shown.)

After the configurations, each ASBR PE and the PE in the same AS can establish OSPF adjacencies. Execute the display ospf peer command. The output shows that the adjacencies are in Full state, and that PEs can learn the routes to the loopback interfaces of each other.

Each ASBR PE and the PE in the same AS can ping each other.

2. Configure basic MPLS and MPLS LDP on the MPLS backbone to establish LDP LSPs:

# Configure basic MPLS on PE 1 and enable MPLS LDP on the interface connected to ASBR PE 1.

<PE1> system-view

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] mpls enable

[PE1-Vlan-interface11] mpls ldp enable

[PE1-Vlan-interface11] quit

# Configure basic MPLS on ASBR PE 1 and enable MPLS LDP on the interface connected to PE 1.

<ASBR-PE1> system-view

[ASBR-PE1] mpls lsr-id 2.2.2.9

[ASBR-PE1] mpls ldp

[ASBR-PE1-ldp] quit

[ASBR-PE1] interface vlan-interface 11

[ASBR-PE1-Vlan-interface11] mpls enable

[ASBR-PE1-Vlan-interface11] mpls ldp enable

[ASBR-PE1-Vlan-interface11] quit

# Configure basic MPLS on ASBR PE 2 and enable MPLS LDP on the interface connected to PE 2.

<ASBR-PE2> system-view

[ASBR-PE2] mpls lsr-id 3.3.3.9

[ASBR-PE2] mpls ldp

[ASBR-PE2-ldp] quit

[ASBR-PE2] interface vlan-interface 11

[ASBR-PE2-Vlan-interface11] mpls enable

[ASBR-PE2-Vlan-interface11] mpls ldp enable

[ASBR-PE2-Vlan-interface11] quit

# Configure basic MPLS on PE 2 and enable MPLS LDP on the interface connected to ASBR PE 2.

<PE2> system-view

[PE2] mpls lsr-id 4.4.4.9

[PE2] mpls ldp

[PE2-ldp] quit

[PE2] interface vlan-interface 11

[PE2-Vlan-interface11] mpls enable

[PE2-Vlan-interface11] mpls ldp enable

[PE2-Vlan-interface11] quit

After the configurations, each PE and the ASBR PE in the same AS can establish a neighbor relationship. Execute the display mpls ldp peer command on the devices. The output shows that the session status is Operational.

3. Configure VPN instances on PEs:

For the same VPN, the route targets for the VPN instance on the PE must match those for the VPN instance on the ASBR-PE in the same AS. This is not required for PEs in different ASs.

# Configure CE 1.

<CE1> system-view

[CE1] interface vlan-interface 12

[CE1-Vlan-interface12] ip address 10.1.1.1 24

[CE1-Vlan-interface12] quit

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 100:1 both

[PE1-vpn-instance-vpn1] quit

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip binding vpn-instance vpn1

[PE1-Vlan-interface12] ip address 10.1.1.2 24

[PE1-Vlan-interface12] quit

# Configure CE 2.

<CE2> system-view

[CE2] interface vlan-interface 12

[CE2-Vlan-interface12] ip address 10.2.1.1 24

[CE2-Vlan-interface12] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance] route-distinguisher 200:2

[PE2-vpn-instance] vpn-target 100:1 both

[PE2-vpn-instance] quit

[PE2] interface vlan-interface 12

[PE2-Vlan-interface12] ip binding vpn-instance vpn1

[PE2-Vlan-interface12] ip address 10.2.1.2 24

[PE2-Vlan-interface12] quit

# On ASBR PE 1, create a VPN instance and bind the instance to the interface connected to ASBR PE 2. (ASBR PE 1 considers ASBR PE 2 its CE.)

[ASBR-PE1] ip vpn-instance vpn1

[ASBR-PE1-vpn-instance-vpn1] route-distinguisher 100:1

[ASBR-PE1-vpn-instance-vpn1] vpn-target 100:1 both

[ASBR-PE1-vpn-instance-vpn1] quit

[ASBR-PE1] interface vlan-interface 12

[ASBR-PE1-Vlan-interface12] ip binding vpn-instance vpn1

[ASBR-PE1-Vlan-interface12] ip address 192.1.1.1 24

[ASBR-PE1-Vlan-interface12] quit

# On ASBR PE 2, create a VPN instance and bind the instance to the interface connected to ASBR PE 1. (ASBR PE 2 considers ASBR PE 1 its CE.)

[ASBR-PE2] ip vpn-instance vpn1

[ASBR-PE2-vpn-vpn-vpn1] route-distinguisher 200:1

[ASBR-PE2-vpn-vpn-vpn1] vpn-target 100:1 both

[ASBR-PE2-vpn-vpn-vpn1] quit

[ASBR-PE2] interface vlan-interface 12

[ASBR-PE2-Vlan-interface12] ip binding vpn-instance vpn1

[ASBR-PE2-Vlan-interface12] ip address 192.1.1.2 24

[ASBR-PE2-Vlan-interface12] quit

After completing the configurations, you can view the VPN instance configurations by issuing the display ip vpn-instance command.

The PEs can ping the CEs and the ASBR PEs can ping each other.

4. Establish EBGP peer relationships between PEs and CEs and redistribute VPN routes:

# Configure CE 1.

[CE1] bgp 65001

[CE1-bgp] peer 10.1.1.2 as-number 100

[CE1-bgp] ipv4-family unicast

[CE1-bgp-ipv4] peer 10.1.1.2 enable

[CE1-bgp-ipv4] import-route direct

[CE1-bgp-ipv4] quit

[CE1-bgp] quit

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65001

[PE1-bgp-vpn1] ipv4-family unicast

[PE1-bgp-ipv4-vpn1] peer 10.1.1.1 enable

[PE1-bgp-ipv4-vpn1] import-route direct

[PE1-bgp-ipv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Configure CE 2.

[CE2] bgp 65002

[CE2-bgp] peer 10.2.1.2 as-number 200

[CE2-bgp] ipv4-family unicast

[CE2-bgp-ipv4] peer 10.2.1.2 enable

[CE2-bgp-ipv4] import-route direct

[CE2-bgp-ipv4] quit

[CE2-bgp] quit

# Configure PE 2.

[PE2] bgp 200

[PE2-bgp] ip vpn-instance vpn1

[PE2-bgp-vpn1] peer 10.2.1.1 as-number 65002

[PE2-bgp-vpn1] ipv4-family unicast

[PE2-bgp-ipv4-vpn1] peer 10.2.1.1 enable

[PE2-bgp-ipv4-vpn1] import-route direct

[PE2-bgp-ipv4-vpn1] quit

[PE2-bgp-vpn1] quit

[PE2-bgp] quit

5. Establish an MP-IBGP peer relationship between each PE and the ASBR-PE in the same AS and an EBGP peer relationship between the ASBR PEs:

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] peer 2.2.2.9 as-number 100

[PE1-bgp] peer 2.2.2.9 connect-interface loopback 0

[PE1-bgp] ipv4-family vpnv4

[PE1-bgp-vpnv4] peer 2.2.2.9 enable

[PE1-bgp-vpnv4] peer 2.2.2.9 next-hop-local

[PE1-bgp-vpnv4] quit

[PE1-bgp] quit

# Configure ASBR-PE 1.

[ASBR-PE1] bgp 100

[ASBR-PE1-bgp] ip vpn-instance vpn1

[ASBR-PE1-bgp-vpn1] peer 192.1.1.2 as-number 200

[ASBR-PE2-bgp-vpn1] ipv4-family unicast

[ASBR-PE2-bgp-ipv4-vpn1] peer 192.1.1.2 enable

[ASBR-PE2-bgp-ipv4-vpn1] quit

[ASBR-PE1-bgp-vpn1] quit

[ASBR-PE1-bgp] peer 1.1.1.9 as-number 100

[ASBR-PE1-bgp] peer 1.1.1.9 connect-interface loopback 0

[ASBR-PE1-bgp] ipv4-family vpnv4

[ASBR-PE1-bgp-vpnv4] peer 1.1.1.9 enable

[ASBR-PE1-bgp-vpnv4] peer 1.1.1.9 next-hop-local

[ASBR-PE1-bgp-vpnv4] quit

[ASBR-PE1-bgp] quit

# Configure ASBR-PE 2.

[ASBR-PE2] bgp 200

[ASBR-PE2-bgp] ip vpn-instance vpn1

[ASBR-PE2-bgp-vpn1] peer 192.1.1.1 as-number 100

[ASBR-PE2-bgp-vpn1] ipv4-family unicast

[ASBR-PE2-bgp-ipv4-vpn1] peer 192.1.1.1 enable

[ASBR-PE2-bgp-ipv4-vpn1] quit

[ASBR-PE2-bgp-vpn1] quit

[ASBR-PE2-bgp] peer 4.4.4.9 as-number 200

[ASBR-PE2-bgp] peer 4.4.4.9 connect-interface loopback 0

[ASBR-PE2-bgp] ipv4-family vpnv4

[ASBR-PE2-bgp-vpnv4] peer 4.4.4.9 enable

[ASBR-PE2-bgp-vpnv4] peer 4.4.4.9 next-hop-local

[ASBR-PE2-bgp-vpnv4] quit

[ASBR-PE2-bgp] quit

# Configure PE 2.

[PE2] bgp 200

[PE2-bgp] peer 3.3.3.9 as-number 200

[PE2-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE2-bgp] ipv4-family vpnv4

[PE2-bgp-vpnv4] peer 3.3.3.9 enable

[PE2-bgp-vpnv4] peer 3.3.3.9 next-hop-local

[PE2-bgp-vpnv4] quit

[PE2-bgp] quit

6. Verify the configuration:

After the configurations, the CEs can learn the interface routes from each other and ping each other.

Configuring MPLS L3VPN inter-AS option B

Network requirements

Site 1 and Site 2 belong to the same VPN. CE 1 of Site 1 accesses the network through PE 1 in AS 100 and CE 2 of Site 2 accesses the network through PE 2 in AS 600. PEs in the same AS run IS-IS.

PE 1 and ASBR-PE 1 exchange VPNv4 routes through MP-IBGP. PE 2 and ASBR-PE 2 exchange VPNv4 routes through MP-IBGP. ASBR-PE 1 and ASBR-PE 2 exchange VPNv4 routes through MP-EBGP.

ASBRs do not perform route target filtering of received VPN-IPv4 routes.

Figure 21 Network diagram

Device	Interface	IP address	Device	Interface	IP address
PE 1	Loop0	2.2.2.9/32	PE 2	Loop0	5.5.5.9/32
	Vlan-int12	30.0.0.1/8		Vlan-int12	20.0.0.1/8
	Vlan-int11	1.1.1.2/8		Vlan-int11	9.1.1.2/8
ASBR-PE 1	Loop0	3.3.3.9/32	ASBR-PE 2	Loop0	4.4.4.9/32
	Vlan-int11	1.1.1.1/8		Vlan-int11	9.1.1.1/8
	Vlan-int12	11.0.0.2/8		Vlan-int12	11.0.0.1/8

Configuration procedure

1. Configure PE 1:

# Configure IS-IS on PE 1.

<PE1> system-view

[PE1] isis 1

[PE1-isis-1] network-entity 10.111.111.111.111.00

[PE1-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[PE1] mpls lsr-id 2.2.2.9

[PE1] mpls ldp

[PE1-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] ip address 1.1.1.2 255.0.0.0

[PE1-Vlan-interface11] isis enable 1

[PE1-Vlan-interface11] mpls enable

[PE1-Vlan-interface11] mpls ldp enable

[PE1-Vlan-interface11] quit

# Configure interface Loopback 0 and enable IS-IS on it.

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 2.2.2.9 32

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

# Create VPN instance vpn1 and configure the RD and route target attributes.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 11:11

[PE1-vpn-instance-vpn1] vpn-target 1:1 2:2 3:3 import-extcommunity

[PE1-vpn-instance-vpn1] vpn-target 3:3 export-extcommunity

[PE1-vpn-instance-vpn1] quit

# Bind the interface connected with CE 1 to the created VPN instance.

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip binding vpn-instance vpn1

[PE1-Vlan-interface12] ip address 30.0.0.1 8

[PE1-Vlan-interface12] quit

# Enable BGP on PE 1.

[PE1] bgp 100

# Configure IBGP peer 3.3.3.9 as a VPNv4 peer.

[PE1-bgp] peer 3.3.3.9 as-number 100

[PE1-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE1-bgp] ipv4-family vpnv4

[PE1-bgp-vpnv4] peer 3.3.3.9 enable

[PE1-bgp-vpnv4] quit

# Redistribute direct routes to the VPN routing table of vpn1.

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] ipv4-family unicast

[PE1-bgp-ipv4-vpn1] import-route direct

[PE1-bgp-ipv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

2. Configure ASBR-PE 1:

# Enable IS-IS on ASBR-PE 1.

<ASBR-PE1> system-view

[ASBR-PE1] isis 1

[ASBR-PE1-isis-1] network-entity 10.222.222.222.222.00

[ASBR-PE1-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[ASBR-PE1] mpls lsr-id 3.3.3.9

[ASBR-PE1] mpls ldp

[ASBR-PE1-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[ASBR-PE1] interface vlan-interface11

[ASBR-PE1-Vlan-interface11] ip address 1.1.1.1 255.0.0.0

[ASBR-PE1-Vlan-interface11] isis enable 1

[ASBR-PE1-Vlan-interface11] mpls enable

[ASBR-PE1-Vlan-interface11] mpls ldp enable

[ASBR-PE1-Vlan-interface11] quit

# Configure interface VLAN-interface 12 and enable MPLS on it.

[ASBR-PE1] interface vlan-interface 12

[ASBR-PE1-Vlan-interface12] ip address 11.0.0.2 255.0.0.0

[ASBR-PE1-Vlan-interface12] mpls enable

[ASBR-PE1-Vlan-interface12] quit

# Configure interface Loopback 0 and enable IS-IS on it.

[ASBR-PE1] interface loopback 0

[ASBR-PE1-LoopBack0] ip address 3.3.3.9 32

[ASBR-PE1-LoopBack0] isis enable 1

[ASBR-PE1-LoopBack0] quit

# Enable BGP on ASBR-PE 1.

[ASBR-PE1] bgp 100

[ASBR-PE1-bgp] peer 2.2.2.9 as-number 100

[ASBR-PE1-bgp] peer 2.2.2.9 connect-interface loopback 0

[ASBR-PE1-bgp] peer 11.0.0.1 as-number 600

[ASBR-PE1-bgp] peer 11.0.0.1 connect-interface vlan-interface 12

# Disable route target based filtering of received VPNv4 routes.

[ASBR-PE1-bgp] ipv4-family vpnv4

[ASBR-PE1-bgp-vpnv4] undo policy vpn-target

# Configure both IBGP peer 2.2.2.0 and EBGP peer 11.0.0.1 as VPNv4 peers.

[ASBR-PE1-bgp-vpnv4] peer 11.0.0.1 enable

[ASBR-PE1-bgp-vpnv4] peer 2.2.2.9 enable

[ASBR-PE1-bgp-vpnv4] quit

3. Configure ASBR-PE 2:

# Enable IS-IS on ASBR-PE 2.

<ASBR-PE2> system-view

[ASBR-PE2] isis 1

[ASBR-PE2-isis-1] network-entity 10.222.222.222.222.00

[ASBR-PE2-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[ASBR-PE2] mpls lsr-id 4.4.4.9

[ASBR-PE2] mpls ldp

[ASBR-PE2-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[ASBR-PE2] interface vlan-interface 11

[ASBR-PE2-Vlan-interface11] ip address 9.1.1.1 255.0.0.0

[ASBR-PE2-Vlan-interface11] isis enable 1

[ASBR-PE2-Vlan-interface11] mpls enable

[ASBR-PE2-Vlan-interface11] mpls ldp enable

[ASBR-PE2-Vlan-interface11] quit

# Configure interface VLAN-interface 12 and enable MPLS on it.

[ASBR-PE2] interface vlan-interface 12

[ASBR-PE2-Vlan-interface12] ip address 11.0.0.1 255.0.0.0

[ASBR-PE2-Vlan-interface12] mpls enable

[ASBR-PE2-Vlan-interface12] quit

# Configure interface Loopback 0 and enable IS-IS on it.

[ASBR-PE2] interface loopback 0

[ASBR-PE2-LoopBack0] ip address 4.4.4.9 32

[ASBR-PE2-LoopBack0] isis enable 1

[ASBR-PE2-LoopBack0] quit

# Enable BGP on ASBR-PE 2.

[ASBR-PE2] bgp 600

[ASBR-PE2-bgp] peer 11.0.0.2 as-number 100

[ASBR-PE2-bgp] peer 11.0.0.2 connect-interface vlan-interface 12

[ASBR-PE2-bgp] peer 5.5.5.9 as-number 600

[ASBR-PE2-bgp] peer 5.5.5.9 connect-interface loopback 0

# Disable route target based filtering of received VPNv4 routes.

[ASBR-PE2-bgp] ipv4-family vpnv4

[ASBR-PE2-bgp-vpnv4] undo policy vpn-target

# Configure both IBGP peer 5.5.5.9 and EBGP peer 11.0.0.2 as VPNv4 peers.

[ASBR-PE2-bgp-vpnv4] peer 11.0.0.2 enable

[ASBR-PE2-bgp-vpnv4] peer 5.5.5.9 enable

[ASBR-PE2-bgp-vpnv4] quit

[ASBR-PE2-bgp] quit

4. Configure PE 2:

# Enable IS-IS on PE 2.

<PE2> system-view

[PE2] isis 1

[PE2-isis-1] network-entity 10.111.111.111.111.00

[PE2-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[PE2] mpls lsr-id 5.5.5.9

[PE2] mpls ldp

[PE2-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[PE2] interface vlan-interface 11

[PE2-Vlan-interface11] ip address 9.1.1.2 255.0.0.0

[PE2-Vlan-interface11] isis enable 1

[PE2-Vlan-interface11] mpls enable

[PE2-Vlan-interface11] mpls ldp enable

[PE2-Vlan-interface11] quit

# Configure interface Loopback 0 and enable IS-IS on it.

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 5.5.5.9 32

[PE2-LoopBack0] isis enable 1

[PE2-LoopBack0] quit

# Create VPN instance vpn1 and configure the RD and route target attributes.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 12:12

[PE2-vpn-instance-vpn1] vpn-target 1:1 2:2 3:3 import-extcommunity

[PE2-vpn-instance-vpn1] vpn-target 3:3 export-extcommunity

[PE2-vpn-instance-vpn1] quit

# Bind the interface connected with CE 2 to the created VPN instance.

[PE2] interface Vlan-interface12

[PE2-Vlan-interface12] ip binding vpn-instance vpn1

[PE2-Vlan-interface12] ip address 20.0.0.1 8

[PE2-Vlan-interface12] quit

# Enable BGP on PE 2.

[PE2] bgp 600

# Configure IBGP peer 4.4.4.9 as a VPNv4 peer.

[PE2-bgp] peer 4.4.4.9 as-number 600

[PE2-bgp] peer 4.4.4.9 connect-interface loopback 0

[PE2-bgp] ipv4-family vpnv4

[PE2-bgp-vpnv4] peer 4.4.4.9 enable

[PE2-bgp-vpnv4] quit

# Redistribute direct routes to the VPN routing table of vpn1.

[PE2-bgp] ip vpn-instance vpn1

[PE2-bgp-vpn1] ipv4-family unicast

[PE2-bgp-ipv4-vpn1] import-route direct

[PE2-bgp-ipv4-vpn1] quit

[PE2-bgp-vpn1] quit

[PE2-bgp] quit

5. Verify the configuration:

Ping PE 1 and PE 2 can ping each other. Take PE 1 as an example.

[PE1] ping -a 30.0.0.1 -vpn-instance vpn1 20.0.0.1

PING 20.0.0.1 (20.0.0.1) from 30.0.0.1: 56 data bytes

56 bytes from 20.0.0.1: icmp_seq=0 ttl=255 time=0.000 ms

56 bytes from 20.0.0.1: icmp_seq=1 ttl=255 time=0.000 ms

56 bytes from 20.0.0.1: icmp_seq=2 ttl=255 time=0.000 ms

56 bytes from 20.0.0.1: icmp_seq=3 ttl=255 time=0.000 ms

56 bytes from 20.0.0.1: icmp_seq=4 ttl=255 time=0.000 ms

--- 20.0.0.1 ping statistics ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/stddev = 0.000/0.000/0.000/0.000 ms

Configuring MPLS L3VPN inter-AS option C

Network requirements

Site 1 and Site 2 belong to the same VPN. Site 1 accesses the network through PE 1 in AS 100 and Site 2 accesses the network through PE 2 in AS 600. PEs in the same AS run IS-IS.

PE 1 and ASBR-PE 1 exchange labeled IPv4 routes through MP-IBGP. PE 2 and ASBR-PE 2 exchange labeled IPv4 routes through MP-IBGP. PE 1 and PE 2 exchange VPNv4 routes through MP-EBGP.

ASBR-PE 1 and ASBR-PE 2 use their respective routing policies and label routes received from each other.

ASBR-PE 1 and ASBR-PE 2 use MP-EBGP to exchange labeled IPv4 routes.

Figure 22 Network diagram

Device	Interface	IP address	Device	Interface	IP address
PE 1	Loop0	2.2.2.9/32	PE 2	Loop0	5.5.5.9/32
	Loop1	30.0.0.1/32		Loop1	20.0.0.1/32
	Vlan-int11	1.1.1.2/8		Vlan-int11	9.1.1.2/8
ASBR-PE 1	Loop0	3.3.3.9/32	ASBR-PE 2	Loop0	4.4.4.9/32
	Vlan-int11	1.1.1.1/8		Vlan-int11	9.1.1.1/8
	Vlan-int12	11.0.0.2/8		Vlan-int12	11.0.0.1/8

Configuration procedure

1. Configure PE 1:

# Configure IS-IS on PE 1.

<PE1> system-view

[PE1] isis 1

[PE1-isis-1] network-entity 10.111.111.111.111.00

[PE1-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[PE1] mpls lsr-id 2.2.2.9

[PE1] mpls ldp

[PE1-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] ip address 1.1.1.2 255.0.0.0

[PE1-Vlan-interface11] isis enable 1

[PE1-Vlan-interface11] mpls enable

[PE1-Vlan-interface11] mpls ldp enable

[PE1-Vlan-interface11] quit

# Configure interface Loopback 0 and enable IS-IS on it.

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 2.2.2.9 32

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

# Create VPN instance vpn1 and configure the RD and route target attributes.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 11:11

[PE1-vpn-instance-vpn1] vpn-target 1:1 2:2 3:3 import-extcommunity

[PE1-vpn-instance-vpn1] vpn-target 3:3 export-extcommunity

[PE1-vpn-instance-vpn1] quit

# Configure interface Loopback 1 and bind the interface to VPN instance vpn1.

[PE1] interface loopback 1

[PE1-LoopBack1] ip binding vpn-instance vpn1

[PE1-LoopBack1] ip address 30.0.0.1 32

[PE1-LoopBack1] quit

# Enable BGP on PE 1.

[PE1] bgp 100

# Enable the capability to advertise labeled routes to IBGP peer 3.3.3.9 and to receive labeled routes from the peer.

[PE1-bgp] peer 3.3.3.9 as-number 100

[PE1-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE1-bgp] ipv4-family unicast

[PE1-bgp-ipv4] peer 3.3.3.9 enable

[PE1-bgp-ipv4] peer 3.3.3.9 label-route-capability

[PE1-bgp-ipv4] quit

# Configure the maximum hop count from PE 1 to EBGP peer 5.5.5.9 as 10.

[PE1-bgp] peer 5.5.5.9 as-number 600

[PE1-bgp] peer 5.5.5.9 connect-interface loopback 0

[PE1-bgp] peer 5.5.5.9 ebgp-max-hop 10

# Configure peer 5.5.5.9 as a VPNv4 peer.

[PE1-bgp] ipv4-family vpnv4

[PE1-bgp-vpnv4] peer 5.5.5.9 enable

[PE1-bgp-vpnv4] quit

# Redistribute direct routes to the routing table of vpn1.

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] ipv4-family unicast

[PE1-bgp-ipv4-vpn1] import-route direct

[PE1-bgp-ipv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

2. Configure ASBR-PE 1:

# Enable IS-IS on ASBR-PE 1.

<ASBR-PE1> system-view

[ASBR-PE1] isis 1

[ASBR-PE1-isis-1] network-entity 10.222.222.222.222.00

[ASBR-PE1-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[ASBR-PE1] mpls lsr-id 3.3.3.9

[ASBR-PE1] mpls ldp

[ASBR-PE1-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[ASBR-PE1] interface vlan-interface 11

[ASBR-PE1-Vlan-interface11] ip address 1.1.1.1 255.0.0.0

[ASBR-PE1-Vlan-interface11] isis enable 1

[ASBR-PE1-Vlan-interface11] mpls enable

[ASBR-PE1-Vlan-interface11] mpls ldp enable

[ASBR-PE1-Vlan-interface11] quit

# Configure interface VLAN-interface 12 and enable MPLS on it.

[ASBR-PE1] interface vlan-interface 12

[ASBR-PE1-Vlan-interface12] ip address 11.0.0.2 255.0.0.0

[ASBR-PE1-Vlan-interface12] mpls enable

[ASBR-PE1-Vlan-interface12] quit

# Configure interface Loopback 0 and enable IS-IS on it.

[ASBR-PE1] interface loopback 0

[ASBR-PE1-LoopBack0] ip address 3.3.3.9 32

[ASBR-PE1-LoopBack0] isis enable 1

[ASBR-PE1-LoopBack0] quit

# Create routing policies.

[ASBR-PE1] route-policy policy1 permit node 1

[ASBR-PE1-route-policy-policy1-1] apply mpls-label

[ASBR-PE1-route-policy-policy1-1] quit

[ASBR-PE1] route-policy policy2 permit node 1

[ASBR-PE1-route-policy-policy2-1] if-match mpls-label

[ASBR-PE1-route-policy-policy2-1] apply mpls-label

[ASBR-PE1-route-policy-policy2-1] quit

# Enable BGP on ASBR-PE 1 and apply the routing policy policy2 to routes advertised to IBGP peer 2.2.2.9.

[ASBR-PE1] bgp 100

[ASBR-PE1-bgp] peer 2.2.2.9 as-number 100

[ASBR-PE1-bgp] peer 2.2.2.9 connect-interface loopback 0

[ASBR-PE1-bgp] ipv4-family unicast

[ASBR-PE1-bgp-ipv4] peer 2.2.2.9 enable

[ASBR-PE1-bgp-ipv4] peer 2.2.2.9 route-policy policy2 export

# Enable the capability to advertise labeled routes to IBGP peer 2.2.2.9 and to receive labeled routes from the peer.

[ASBR-PE1-bgp-ipv4] peer 2.2.2.9 label-route-capability

# Redistribute routes from IS-IS process 1 to BGP.

[ASBR-PE1-bgp-ipv4] import-route isis 1

[ASBR-PE1-bgp-ipv4] quit

# Apply the routing policy policy1 to routes advertised to EBGP peer 11.0.0.1.

[ASBR-PE1-bgp] peer 11.0.0.1 as-number 600

[ASBR-PE1-bgp] ipv4-family unicast

[ASBR-PE1-bgp-ipv4] peer 11.0.0.1 enable

[ASBR-PE1-bgp-ipv4] peer 11.0.0.1 route-policy policy1 export

# Enable the capability to advertise labeled routes to EBGP peer 11.0.0.1 and to receive labeled routes from the peer.

[ASBR-PE1-bgp-ipv4] peer 11.0.0.1 label-route-capability

[ASBR-PE1-bgp-ipv4] quit

[ASBR-PE1-bgp] quit

3. Configure ASBR-PE 2:

# Enable IS-IS on ASBR-PE 2.

<ASBR-PE2> system-view

[ASBR-PE2] isis 1

[ASBR-PE2-isis-1] network-entity 10.222.222.222.222.00

[ASBR-PE2-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[ASBR-PE2] mpls lsr-id 4.4.4.9

[ASBR-PE2] mpls ldp

[ASBR-PE2-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[ASBR-PE2] interface vlan-interface 11

[ASBR-PE2-Vlan-interface11] ip address 9.1.1.1 255.0.0.0

[ASBR-PE2-Vlan-interface11] isis enable 1

[ASBR-PE2-Vlan-interface11] mpls enable

[ASBR-PE2-Vlan-interface11] mpls ldp enable

[ASBR-PE2-Vlan-interface11] quit

# Configure interface Loopback 0 and enable IS-IS on it.

[ASBR-PE2] interface loopback 0

[ASBR-PE2-LoopBack0] ip address 4.4.4.9 32

[ASBR-PE2-LoopBack0] isis enable 1

[ASBR-PE2-LoopBack0] quit

# Configure interface VLAN-interface 12 and enable MPLS on it.

[ASBR-PE2] interface vlan-interface 12

[ASBR-PE2-Vlan-interface12] ip address 11.0.0.1 255.0.0.0

[ASBR-PE2-Vlan-interface12] mpls enable

[ASBR-PE2-Vlan-interface12] quit

# Create routing policies.

[ASBR-PE2] route-policy policy1 permit node 1

New Sequence of this List

[ASBR-PE2-route-policy-policy1-1] apply mpls-label

[ASBR-PE2-route-policy-policy1-1] quit

[ASBR-PE2] route-policy policy2 permit node 1

[ASBR-PE2-route-policy-policy2-1] if-match mpls-label

[ASBR-PE2-route-policy-policy2-1] apply mpls-label

[ASBR-PE2-route-policy-policy2-1] quit

# Enable BGP on ASBR-PE 2 and enable the capability to advertise labeled routes to IBGP peer 5.5.5.9 and to receive labeled routes from the peer..

[ASBR-PE2] bgp 600

[ASBR-PE2-bgp] peer 5.5.5.9 as-number 600

[ASBR-PE2-bgp] peer 5.5.5.9 connect-interface loopback 0

[ASBR-PE2-bgp] ipv4-family unicast

[ASBR-PE2-bgp-ipv4] peer 5.5.5.9 enable

[ASBR-PE2-bgp-ipv4] peer 5.5.5.9 label-route-capability

# Apply the routing policy policy2 to routes advertised to IBGP peer 5.5.5.9.

[ASBR-PE2-bgp-ipv4] peer 5.5.5.9 route-policy policy2 export

# Redistribute routes from IS-IS process 1 into BGP.

[ASBR-PE2-bgp-ipv4] import-route isis 1

[ASBR-PE2-bgp-ipv4] quit

# Apply the routing policy policy1 to routes advertised to EBGP peer 11.0.0.2.

[ASBR-PE2-bgp] peer 11.0.0.2 as-number 100

[ASBR-PE2-bgp] ipv4-family unicast

[ASBR-PE2-bgp-ipv4] peer 11.0.0.2 enable

[ASBR-PE2-bgp-ipv4] peer 11.0.0.2 route-policy policy1 export

# Enable the capability to advertise labeled routes to EBGP peer 11.0.0.2 and to receive labeled routes from the peer.

[ASBR-PE2-bgp-ipv4] peer 11.0.0.2 label-route-capability

[ASBR-PE2-bgp-ipv4] quit

[ASBR-PE2-bgp] quit

4. Configure PE 2:

# Enable IS-IS on PE 2.

<PE2> system-view

[PE2] isis 1

[PE2-isis-1] network-entity 10.111.111.111.111.00

[PE2-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[PE2] mpls lsr-id 5.5.5.9

[PE2] mpls ldp

[PE2-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[PE2] interface vlan-interface 11

[PE2-Vlan-interface11] ip address 9.1.1.2 255.0.0.0

[PE2-Vlan-interface11] isis enable 1

[PE2-Vlan-interface11] mpls enable

[PE2-Vlan-interface11] mpls ldp enable

[PE2-Vlan-interface11] quit

# Configure interface Loopback 0 and enable IS-IS on it.

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 5.5.5.9 32

[PE2-LoopBack0] isis enable 1

[PE2-LoopBack0] quit

# Create VPN instance vpn1 and configure the RD and route target attributes.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 11:11

[PE2-vpn-instance-vpn1] vpn-target 1:1 2:2 3:3 import-extcommunity

[PE2-vpn-instance-vpn1] vpn-target 3:3 export-extcommunity

[PE2-vpn-instance-vpn1] quit

# Configure interface Loopback 1 and bind the interface to VPN instance vpn1.

[PE2] interface loopback 1

[PE2-LoopBack1] ip binding vpn-instance vpn1

[PE2-LoopBack1] ip address 20.0.0.1 32

[PE2-LoopBack1] quit

# Enable BGP on PE 2.

[PE2] bgp 600

# Enable the capability to advertise labeled routes to IBGP peer 4.4.4.9 and to receive labeled routes from the peer.

[PE2-bgp] peer 4.4.4.9 as-number 600

[PE2-bgp] peer 4.4.4.9 connect-interface loopback 0

[PE2-bgp] ipv4-family unicast

[PE2-bgp-ipv4] peer 4.4.4.9 enable

[PE2-bgp-ipv4] peer 4.4.4.9 label-route-capability

[PE2-bgp-ipv4] quit

# Configure the maximum hop count from PE 2 to EBGP peer 2.2.2.9 as 10.

[PE2-bgp] peer 2.2.2.9 as-number 100

[PE2-bgp] peer 2.2.2.9 connect-interface loopback 0

[PE2-bgp] peer 2.2.2.9 ebgp-max-hop 10

# Configure peer 2.2.2.9 as a VPNv4 peer.

[PE2-bgp] ipv4-family vpnv4

[PE2-bgp-vpnv4] peer 2.2.2.9 enable

[PE2-bgp-vpnv4] quit

# Redistribute direct routes to the routing table of vpn1.

[PE2-bgp] ip vpn-instance vpn1

[PE2-bgp-vpn1] ipv4-family unicast

[PE2-bgp-ipv4-vpn1] import-route direct

[PE2-bgp-ipv4-vpn1] quit

[PE2-bgp-vpn1] quit

[PE2-bgp] quit

5. Verify the configuration:

# After the configurations, PE 1 and PE 2 can ping each other. Take PE 1 as an example:

[PE1] ping -a 30.0.0.1 -vpn-instance vpn1 20.0.0.1

PING 20.0.0.1 (20.0.0.1) from 30.0.0.1: 56 data bytes

56 bytes from 20.0.0.1: icmp_seq=0 ttl=255 time=0.000 ms

56 bytes from 20.0.0.1: icmp_seq=1 ttl=255 time=0.000 ms

56 bytes from 20.0.0.1: icmp_seq=2 ttl=255 time=0.000 ms

56 bytes from 20.0.0.1: icmp_seq=3 ttl=255 time=0.000 ms

56 bytes from 20.0.0.1: icmp_seq=4 ttl=255 time=0.000 ms

--- 20.0.0.1 ping statistics ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/stddev = 0.000/0.000/0.000/0.000 ms

Configuring MPLS L3VPN carrier's carrier

Network requirements

Configure carrier's carrier for the scenario shown in Figure 23. In this scenario:

· PE 1 and PE 2 are the provider carrier's PE switches. They provide VPN services for the customer carrier.

· CE 1 and CE 2 are the customer carrier's switches. They are connected to the provider carrier's backbone as CE switches.

· PE 3 and PE 4 are the customer carrier's PE switches. They provide MPLS L3VPN services for the end customers.

· CE 3 and CE 4 are customers of the customer carrier.

The key to carrier's carrier deployment is to configure exchange of two kinds of routes:

· Exchange of the customer carrier's internal routes on the provider carrier's backbone.

· Exchange of the end customers' VPN routes between PE 3 and PE 4, the PEs of the customer carrier. In this process, an MP-IBGP peer relationship must be established between PE 3 and PE 4.

Figure 23 Network diagram

Device	Interface	IP address	Device	Interface	IP address
CE 3	Vlan-int11	100.1.1.1/24	CE 4	Vlan-int11	120.1.1.1/24
PE 3	Loop0	1.1.1.9/32	PE 4	Loop0	6.6.6.9/32
	Vlan-int11	100.1.1.2/24		Vlan-int11	120.1.1.2/24
	Vlan-int12	10.1.1.1/24		Vlan-int12	20.1.1.2/24
CE 1	Loop0	2.2.2.9/32	CE 2	Loop0	5.5.5.9/32
	Vlan-int12	10.1.1.2/24		Vlan-int11	21.1.1.2/24
	Vlan-int11	11.1.1.1/24		Vlan-int12	20.1.1.1/24
PE 1	Loop0	3.3.3.9/32	PE 2	Loop0	4.4.4.9/32
	Vlan-int11	11.1.1.2/24		Vlan-int12	30.1.1.2/24
	Vlan-int12	30.1.1.1/24		Vlan-int11	21.1.1.1/24

Configuration procedure

1. Configure MPLS L3VPN on the provider carrier backbone: enable IS-IS as the IGP, enable LDP between PE 1 and PE 2, and establish an MP-IBGP peer relationship between the PEs:

# Configure PE 1.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 3.3.3.9 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 3.3.3.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] isis 1

[PE1-isis-1] network-entity 10.0000.0000.0000.0004.00

[PE1-isis-1] quit

[PE1] interface loopback 0

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip address 30.1.1.1 24

[PE1-Vlan-interface12] isis enable 1

[PE1-Vlan-interface12] mpls enable

[PE1-Vlan-interface12] mpls ldp enable

[PE1-Vlan-interface12] mpls ldp transport-address interface

[PE1-Vlan-interface12] quit

[PE1] bgp 100

[PE1-bgp] peer 4.4.4.9 as-number 100

[PE1-bgp] peer 4.4.4.9 connect-interface loopback 0

[PE1-bgp] ipv4-family vpnv4

[PE1-bgp-vpnv4] peer 4.4.4.9 enable

[PE1-bgp-vpnv4] quit

[PE1-bgp] quit

# Configure PE 2 is a similar way to configuring PE 1. (Details not shown.)

After completing the configurations, execute the display mpls ldp peer command on PE 1 or PE 2 and you can see that the LDP session has been established. Execute the display bgp peer vpnv4 command, and you can see that the BGP peer relationship has been established and has reached Established state. Execute the display isis peer command, and you can see that the IS-IS neighbor relationship has been set up. Take PE 1 as an example:

[PE1] display mpls ldp peer

Total number of peers: 1

Peer LDP ID State LAM Role GR MD5 KA Sent/Rcvd

4.4.4.9:0 Operational DU Active Off Off 8/8

[PE1] display bgp peer vpnv4

BGP local router ID: 3.3.3.9

Local AS number: 100

Total number of peers: 1 Peers in established state: 1

Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State

4.4.4.9 100 3 6 0 0 00:00:32 Established

[PE1] display isis peer

Peer information for ISIS(1)

----------------------------

System Id: 0000.0000.0005

Interface: Vlan-interface12 Circuit Id: 0000.0000.0005.02

State: Up HoldTime: 8s Type: L1(L1L2) PRI: 64

System Id: 0000.0000.0005

Interface: Vlan-interface12 Circuit Id: 0000.0000.0005.02

State: Up HoldTime: 8s Type: L2(L1L2) PRI: 64

2. Configure the customer carrier network—enable IS-IS as the IGP and enable LDP between PE 3 and CE 1, and between PE 4 and CE 2:

# Configure PE 3.

<PE3> system-view

[PE3] interface loopback 0

[PE3-LoopBack0] ip address 1.1.1.9 32

[PE3-LoopBack0] quit

[PE3] mpls lsr-id 1.1.1.9

[PE3] mpls ldp

[PE3-ldp] quit

[PE3] isis 2

[PE3-isis-2] network-entity 10.0000.0000.0000.0001.00

[PE3-isis-2] quit

[PE3] interface loopback 0

[PE3-LoopBack0] isis enable 2

[PE3-LoopBack0] quit

[PE3] interface vlan-interface 12

[PE3-Vlan-interface12] ip address 10.1.1.1 24

[PE3-Vlan-interface12] isis enable 2

[PE3-Vlan-interface12] mpls enable

[PE3-Vlan-interface12] mpls ldp enable

[PE3-Vlan-interface12] mpls ldp transport-address interface

[PE3-Vlan-interface12] quit

# Configure CE 1.

<CE1> system-view

[CE1] interface loopback 0

[CE1-LoopBack0] ip address 2.2.2.9 32

[CE1-LoopBack0] quit

[CE1] mpls lsr-id 2.2.2.9

[CE1] mpls ldp

[CE1-ldp] quit

[CE1] isis 2

[CE1-isis-2] network-entity 10.0000.0000.0000.0002.00

[CE1-isis-2] quit

[CE1] interface loopback 0

[CE1-LoopBack0] isis enable 2

[CE1-LoopBack0] quit

[CE1] interface vlan-interface 12

[CE1-Vlan-interface12] ip address 10.1.1.2 24

[CE1-Vlan-interface12] isis enable 2

[CE1-Vlan-interface12] mpls enable

[CE1-Vlan-interface12] mpls ldp enable

[CE1-Vlan-interface12] mpls ldp transport-address interface

[CE1-Vlan-interface12] quit

After the configurations, PE 3 and CE 1 can establish an LDP session and IS-IS neighbor relationship between them.

# Configure PE 4 and CE 2 is a similar way to configuring PE 3 and CE 1. (Details not shown.)

3. Perform configuration to allow CEs of the customer carrier to access PEs of the provider carrier, and redistribute IS-IS routes to BGP and BGP routes to IS-IS on the PEs:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 200:1

[PE1-vpn-instance-vpn1] vpn-target 1:1

[PE1-vpn-instance-vpn1] quit

[PE1] mpls ldp

[PE1-ldp] vpn-instance vpn1

[PE1-ldp-vpn-instance-vpn1] quit

[PE1-ldp] quit

[PE1] isis 2 vpn-instance vpn1

[PE1-isis-2] network-entity 10.0000.0000.0000.0003.00

[PE1-isis-2] import-route bgp

[PE1-isis-2] quit

[PE1] interface vlan-interface11

[PE1-Vlan-interface11] ip binding vpn-instance vpn1

[PE1-Vlan-interface11] ip address 11.1.1.2 24

[PE1-Vlan-interface11] isis enable 2

[PE1-Vlan-interface11] mpls enable

[PE1-Vlan-interface11] mpls ldp enable

[PE1-Vlan-interface11] mpls ldp transport-address interface

[PE1-Vlan-interface11] quit

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] ipv4-family unicast

[PE1-bgp-ipv4-vpn1] import isis 2

[PE1-bgp-ipv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Configure CE 1.

[CE1] interface vlan-interface11

[CE1-Vlan-interface11] ip address 11.1.1.1 24

[CE1-Vlan-interface11] isis enable 2

[CE1-Vlan-interface11] mpls enable

[CE1-Vlan-interface11] mpls ldp enable

[CE1-Vlan-interface11] mpls ldp transport-address interface

[CE1-Vlan-interface11] quit

After the configurations, PE 1 and CE 1 can establish an LDP session and an IS-IS neighbor relationship between them.

# Configure PE 2 and CE 2 is a similar way to configuring PE 1 and CE 1. (Details not shown.)

4. Perform configuration to connect the CEs of the end customers to the PEs of the customer carrier:

# Configure CE 3.

<CE3> system-view

[CE3] interface vlan-interface11

[CE3-Vlan-interface11] ip address 100.1.1.1 24

[CE3-Vlan-interface11] quit

[CE3] bgp 65410

[CE3-bgp] peer 100.1.1.2 as-number 100

[CE3-bgp] ipv4-family unicast

[CE3-bgp-ipv4] peer 100.1.1.2 enable

[CE3-bgp-ipv4] import-route direct

[CE3-bgp-ipv4] quit

[CE3-bgp] quit

# Configure PE 3.

[PE3] ip vpn-instance vpn1

[PE3-vpn-instance-vpn1] route-distinguisher 100:1

[PE3-vpn-instance-vpn1] vpn-target 1:1

[PE3-vpn-instance-vpn1] quit

[PE3] interface Vlan-interface11

[PE3-Vlan-interface11] ip binding vpn-instance vpn1

[PE3-Vlan-interface11] ip address 100.1.1.2 24

[PE3-Vlan-interface11] quit

[PE3] bgp 100

[PE3-bgp] ip vpn-instance vpn1

[PE3-bgp-vpn1] peer 100.1.1.1 as-number 65410

[PE3-bgp-vpn1] ipv4-family unicast

[PE3-bgp-ipv4-vpn1] peer 100.1.1.1 enable

[PE3-bgp-ipv4-vpn1] import-route direct

[PE3-bgp-ipv4-vpn1] quit

[PE3-bgp-vpn1] quit

[PE3-bgp] quit

# Configure PE 4 and CE 4 is a similar way to configuring PE 3 and CE 3. (Details not shown.)

5. Configure MP-IBGP peer relationship between the PEs of the customer carrier to exchange the end customers' VPN routes:

# Configure PE 3.

[PE3] bgp 100

[PE3-bgp] peer 6.6.6.9 as-number 100

[PE3-bgp] peer 6.6.6.9 connect-interface loopback 0

[PE3-bgp] ipv4-family vpnv4

[PE3-bgp-vpnv4] peer 6.6.6.9 enable

[PE3-bgp-vpnv4] quit

[PE3-bgp] quit

# Configure PE 4 is a similar way to configuring PE 3. (Details not shown.)

6. Verify the configuration:

Execute the display ip routing-table command on PE 1 and PE 2. The output shows that only routes of the provider carrier network are present in the public network routing table of PE 1 and PE 2. Take PE 1 as an example:

[PE1] display ip routing-table

Routing Tables: Public

Destinations : 7 Routes : 7

Destination/Mask Proto Pre Cost NextHop Interface

3.3.3.9/32 Direct 0 0 127.0.0.1 InLoop0

4.4.4.9/32 ISIS 15 10 30.1.1.2 Vlan12

30.1.1.0/24 Direct 0 0 30.1.1.1 Vlan12

30.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

30.1.1.2/32 Direct 0 0 30.1.1.2 Vlan12

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

# Execute the display ip routing-table vpn-instance command on PE 1 and PE 2. The output shows that the internal routes of the customer carrier network are present in the VPN routing tables, but the VPN routes that the customer carrier maintains are not. Take PE 1 as an example:

[PE1] display ip routing-table vpn-instance vpn1

Routing Tables: vpn1

Destinations : 11 Routes : 11

Destination/Mask Proto Pre Cost NextHop Interface

1.1.1.9/32 ISIS 15 20 11.1.1.1 Vlan11

2.2.2.9/32 ISIS 15 10 11.1.1.1 Vlan11

5.5.5.9/32 BGP 255 0 4.4.4.9 NULL0

6.6.6.9/32 BGP 255 0 4.4.4.9 NULL0

10.1.1.0/24 ISIS 15 20 11.1.1.1 Vlan11

11.1.1.0/24 Direct 0 0 11.1.1.1 Vlan11

11.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.2/32 Direct 0 0 11.1.1.2 Vlan11

20.1.1.0/24 BGP 255 0 4.4.4.9 NULL0

21.1.1.0/24 BGP 255 0 4.4.4.9 NULL0

21.1.1.2/32 BGP 255 0 4.4.4.9 NULL0

# Execute the display ip routing-table command on CE 1 and CE 2. The output shows that the internal routes of the customer carrier network are present in the public network routing tables, but the VPN routes that the customer carrier maintains are not. Take CE 1 as an example:

[CE1] display ip routing-table

Routing Tables: Public

Destinations : 16 Routes : 16

Destination/Mask Proto Pre Cost NextHop Interface

1.1.1.9/32 ISIS 15 10 10.1.1.2 Vlan12

2.2.2.9/32 Direct 0 0 127.0.0.1 InLoop0

5.5.5.9/32 ISIS 15 74 11.1.1.2 Vlan11

6.6.6.9/32 ISIS 15 74 11.1.1.2 Vlan11

10.1.1.0/24 Direct 0 0 10.1.1.2 Vlan12

10.1.1.1/32 Direct 0 0 10.1.1.1 Vlan12

10.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.0/24 Direct 0 0 11.1.1.1 Vlan11

11.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.2/32 Direct 0 0 11.1.1.2 Vlan11

20.1.1.0/24 ISIS 15 74 11.1.1.2 Vlan11

21.1.1.0/24 ISIS 15 74 11.1.1.2 Vlan11

21.1.1.2/32 ISIS 15 74 11.1.1.2 Vlan11

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

# Execute the display ip routing-table command on PE 3 and PE 4. The output shows that the internal routes of the customer carrier network are present in the public network routing tables. Take PE 3 as an example:

[PE3] display ip routing-table

Routing Tables: Public

Destinations : 11 Routes : 11

Destination/Mask Proto Pre Cost NextHop Interface

1.1.1.9/32 Direct 0 0 127.0.0.1 InLoop0

2.2.2.9/32 ISIS 15 10 10.1.1.2 Vlan12

5.5.5.9/32 ISIS 15 84 10.1.1.2 Vlan12

6.6.6.9/32 ISIS 15 84 10.1.1.2 Vlan12

10.1.1.0/24 Direct 0 0 10.1.1.1 Vlan12

10.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.2/32 Direct 0 0 10.1.1.2 Vlan12

11.1.1.0/24 ISIS 15 20 10.1.1.2 Vlan12

20.1.1.0/24 ISIS 15 84 10.1.1.2 Vlan12

21.1.1.0/24 ISIS 15 84 10.1.1.2 Vlan12

21.1.1.2/32 ISIS 15 84 10.1.1.2 Vlan12

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

# Execute the display ip routing-table vpn-instance command on PE 3 and PE 4. The output shows that the routes of the remote VPN customers are present in the VPN routing tables. Take PE 3 as an example:

[PE3] display ip routing-table vpn-instance vpn1

Routing Tables: vpn1

Destinations : 3 Routes : 3

Destination/Mask Proto Pre Cost NextHop Interface

100.1.1.0/24 Direct 0 0 100.1.1.2 Vlan11

100.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

120.1.1.0/24 BGP 255 0 6.6.6.9 NULL0

# PE 3 and PE 4 can ping each other. Take PE 3 as an example:

[PE3] ping 20.1.1.2

PING 20.1.1.2 (20.1.1.2): 56 data bytes

56 bytes from 20.1.1.2: icmp_seq=0 ttl=255 time=2.000 ms

56 bytes from 20.1.1.2: icmp_seq=1 ttl=255 time=0.000 ms

56 bytes from 20.1.1.2: icmp_seq=2 ttl=255 time=0.000 ms

56 bytes from 20.1.1.2: icmp_seq=3 ttl=255 time=0.000 ms

56 bytes from 20.1.1.2: icmp_seq=4 ttl=255 time=0.000 ms

--- 20.1.1.2 ping statistics ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/stddev = 0.000/0.400/2.000/0.800 ms

# CE 3 and CE 4 can ping each other. Take CE 3 as an example:

[CE3] ping 120.1.1.1

PING 120.1.1.1 (120.1.1.1): 56 data bytes

56 bytes from 120.1.1.1: icmp_seq=0 ttl=255 time=1.000 ms

56 bytes from 120.1.1.1: icmp_seq=1 ttl=255 time=0.000 ms

56 bytes from 120.1.1.1: icmp_seq=2 ttl=255 time=0.000 ms

56 bytes from 120.1.1.1: icmp_seq=3 ttl=255 time=0.000 ms

56 bytes from 120.1.1.1: icmp_seq=4 ttl=255 time=0.000 ms

--- 120.1.1.1 ping statistics ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/stddev = 0.000/0.200/1.000/0.400 ms

Configuring nested VPN

Network requirements

The service provider provides nested VPN services for users, as shown in Figure 24.

· PE 1 and PE 2 are PE devices on the service provider backbone. Both of them support the nested VPN function.

· CE 1 and CE 2 are connected to the service provider backbone. Both of them support VPNv4 routes.

· PE 3 and PE 4 are PE devices of the customer VPN. Both of them support MPLS L3VPN.

· CE 3 through CE 6 are CE devices of the sub-VPNs for the customer VPN.

The key of nested VPN configuration is to understand the processing of routes of sub-VPNs on the service provider PEs, which is described as follows:

· When receiving a VPNv4 route from a CE (CE 1 or CE 2 in this example), a service provider PE replaces the RD of the VPNv4 route with the RD of the MPLS VPN on the service provider network where the CE resides, adds the export target attribute of the MPLS VPN on the service provider network to the extended community attribute list, and then forwards the VPNv4 route.

· To implement exchange of sub-VPN routes between customer PEs and service provider PEs, MP-EBGP peers must be established between service provider PEs and customer CEs.

Figure 24 Network diagram

Device	Interface	IP address	Device	Interface	IP address
CE 1	Loop0	2.2.2.9/32	CE 2	Loop0	5.5.5.9/32
	Vlan-int2	10.1.1.2/24		Vlan-int1	21.1.1.2/24
	Vlan-int1	11.1.1.1/24		Vlan-int2	20.1.1.1/24
CE 3	Vlan-int1	100.1.1.1/24	CE 4	Vlan-int1	120.1.1.1/24
CE 5	Vlan-int3	110.1.1.1/24	CE 6	Vlan-int3	130.1.1.1/24
PE 1	Loop0	3.3.3.9/32	PE 2	Loop0	4.4.4.9/32
	Vlan-int1	11.1.1.2/24		Vlan-int1	21.1.1.1/24
	Vlan-int2	30.1.1.1/24		Vlan-int2	30.1.1.2/24
PE 3	Loop0	1.1.1.9/32	PE 4	Loop0	6.6.6.9/32
	Vlan-int1	100.1.1.2/24		Vlan-int1	120.1.1.2/24
	Vlan-int2	10.1.1.1/24		Vlan-int2	20.1.1.2/24
	Vlan-int3	110.1.1.2/24		Vlan-int3	130.1.1.2/24

Configuration procedure

1. Configure MPLS L3VPN on the service provider backbone—use IS-IS as the IGP protocol, enable LDP, and establish an MP-IBGP peer relationship between PE 1 and PE 2:

# Configure PE 1.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 3.3.3.9 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 3.3.3.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] isis 1

[PE1-isis-1] network-entity 10.0000.0000.0000.0004.00

[PE1-isis-1] quit

[PE1] interface loopback 0

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

[PE1] interface vlan-interface 2

[PE1-Vlan-interface2] ip address 30.1.1.1 24

[PE1-Vlan-interface2] isis enable 1

[PE1-Vlan-interface2] mpls enable

[PE1-Vlan-interface2] mpls ldp enable

[PE1-Vlan-interface2] quit

[PE1] bgp 100

[PE1-bgp] peer 4.4.4.9 as-number 100

[PE1-bgp] peer 4.4.4.9 connect-interface loopback 0

[PE1-bgp] ipv4-family vpnv4

[PE1-bgp-vpnv4] peer 4.4.4.9 enable

[PE1-bgp-vpnv4] quit

[PE1-bgp] quit

# Configure PE 2 is a similar way to configuring PE 1. (Details not shown.)

After completing the configurations, execute commands display mpls ldp peer, display bgp peer vpnv4 and display isis peer respectively on either PE 1 or PE 2. The output shows that the LDP session, the BGP peer relationship, and the IS-IS neighbor relationship have been established.

Take PE 1 as an example.

[PE1] display mpls ldp peer

Total number of peers: 1

Peer LDP ID State LAM Role GR MD5 KA Sent/Rcvd

4.4.4.9:0 Operational DU Active Off Off 8/8

[PE1] display bgp peer vpnv4

BGP local router ID: 3.3.3.9

Local AS number: 100

Total number of peers: 1 Peers in established state: 1

Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State

4.4.4.9 100 3 6 0 0 00:00:32 Established

[PE1] display isis peer

Peer information for ISIS(1)

----------------------------

System Id: 0000.0000.0005

Interface: Vlan-interface2 Circuit Id: 0000.0000.0005.02

State: Up HoldTime: 8s Type: L1(L1L2) PRI: 64

System Id: 0000.0000.0005

Interface: Vlan-interface2 Circuit Id: 0000.0000.0005.02

State: Up HoldTime: 8s Type: L2(L1L2) PRI: 64

2. Configure the customer VPN—use IS-IS as the IGP protocol, and enable LDP between PE 3 and CE 1, and between PE 4 and CE 2:

# Configure PE 3.

<PE3> system-view

[PE3] interface loopback 0

[PE3-LoopBack0] ip address 1.1.1.9 32

[PE3-LoopBack0] quit

[PE3] mpls lsr-id 1.1.1.9

[PE3] mpls ldp

[PE3-ldp] quit

[PE3] isis 2

[PE3-isis-2] network-entity 10.0000.0000.0000.0001.00

[PE3-isis-2] quit

[PE3] interface loopback 0

[PE3-LoopBack0] isis enable 2

[PE3-LoopBack0] quit

[PE3-Vlan-interface2] ip address 10.1.1.1 24

[PE3-Vlan-interface2] isis enable 2

[PE3-Vlan-interface2] mpls enable

[PE3-Vlan-interface2] mpls ldp enable

[PE3-Vlan-interface2] quit

# Configure CE 1.

<CE1> system-view

[CE1] interface loopback 0

[CE1-LoopBack0] ip address 2.2.2.9 32

[CE1-LoopBack0] quit

[CE1] mpls lsr-id 2.2.2.9

[CE1] mpls ldp

[CE1-ldp] quit

[CE1] isis 2

[CE1-isis-2] network-entity 10.0000.0000.0000.0002.00

[CE1-isis-2] quit

[CE1] interface loopback 0

[CE1-LoopBack0] isis enable 2

[CE1-LoopBack0] quit

[CE1] interface vlan-interface 2

[CE1-Vlan-interface2] ip address 10.1.1.2 24

[CE1-Vlan-interface2] isis enable 2

[CE1-Vlan-interface2] mpls enable

[CE1-Vlan-interface2] mpls ldp enable

[CE1-Vlan-interface2] quit

After the configurations, an LDP session and an IS-IS neighbor relationship can be established between PE 3 and CE 1.

# Configure PE 4 and CE 2 is a similar way to configuring PE 3 and CE 1. (Details not shown.)

3. Connect CE 1 and CE 2 to service provider PEs:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 200:1

[PE1-vpn-instance-vpn1] vpn-target 1:1

[PE1-vpn-instance-vpn1] quit

[PE1] interface vlan-interface1

[PE1-Vlan-interface1] ip binding vpn-instance vpn1

[PE1-Vlan-interface1] ip address 11.1.1.2 24

[PE1-Vlan-interface1] mpls enable

[PE1-Vlan-interface1] quit

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] peer 11.1.1.1 as-number 200

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Configure CE 1.

[CE1] interface vlan-interface 1

[CE1-Vlan-interface1] ip address 11.1.1.1 24

[CE1-Vlan-interface1] mpls enable

[CE1-Vlan-interface1] quit

[CE1] bgp 200

[CE1-bgp] peer 11.1.1.2 as-number 100

[CE1-bgp] quit

# Configure PE 2 and CE 2 is a similar way to configuring PE 1 and CE 1. (Details not shown.)

4. Connect sub-VPN CEs to the customer VPN PEs:

# Configure CE 3.

<CE3> system-view

[CE3] interface vlan-interface 1

[CE3-Vlan-interface1] ip address 100.1.1.1 24

[CE3-Vlan-interface1] quit

[CE3] bgp 65410

[CE3-bgp] peer 100.1.1.2 as-number 200

[CE3-bgp] ipv4-family unicast

[CE3-bgp-ipv4] peer 100.1.1.2 enable

[CE3-bgp-ipv4] import-route direct

[CE3-bgp-ipv4] quit

[CE3-bgp] quit

# Configure CE 5.

<CE5> system-view

[CE5] interface vlan-interface 3

[CE5-Vlan-interface3] ip address 110.1.1.1 24

[CE5-Vlan-interface3] quit

[CE5] bgp 65411

[CE5-bgp] peer 110.1.1.2 as-number 200

[CE5-bgp] ipv4-family unicast

[CE5-bgp-ipv4] peer 110.1.1.2 enable

[CE5-bgp-ipv4] import-route direct

[CE5-bgp-ipv4] quit

[CE5-bgp] quit

# Configure PE 3.

[PE3] ip vpn-instance SUB_VPN1

[PE3-vpn-instance-SUB_VPN1] route-distinguisher 100:1

[PE3-vpn-instance-SUB_VPN1] vpn-target 2:1

[PE3-vpn-instance-SUB_VPN1] quit

[PE3] interface vlan-interface 1

[PE3-Vlan-interface1] ip binding vpn-instance SUB_VPN1

[PE3-Vlan-interface1] ip address 100.1.1.2 24

[PE3-Vlan-interface1] quit

[PE3] ip vpn-instance SUB_VPN2

[PE3-vpn-instance-SUB_VPN2] route-distinguisher 101:1

[PE3-vpn-instance-SUB_VPN2] vpn-target 2:2

[PE3-vpn-instance-SUB_VPN2] quit

[PE3] interface vlan-interface 3

[PE3-Vlan-interface3] ip binding vpn-instance SUB_VPN2

[PE3-Vlan-interface3] ip address 110.1.1.2 24

[PE3-Vlan-interface3] quit

[PE3] bgp 200

[PE3-bgp] ip vpn-instance SUB_VPN1

[PE3-bgp-SUB_VPN1] peer 100.1.1.1 as-number 65410

[PE3-bgp-SUB_VPN1] ipv4-family unicast

[PE3-bgp-ipv4-SUB_VPN1] peer 100.1.1.1 enable

[PE3-bgp-ipv4-SUB_VPN1] import-route direct

[PE3-bgp-ipv4-SUB_VPN1] quit

[PE3-bgp-SUB_VPN1] quit

[PE3-bgp] ip vpn-instance SUB_VPN2

[PE3-bgp-SUB_VPN2] peer 100.1.1.1 as-number 65411

[PE3-bgp-SUB_VPN2] ipv4-family unicast

[PE3-bgp-ipv4-SUB_VPN2] peer 110.1.1.1 enable

[PE3-bgp-ipv4-SUB_VPN2] import-route direct

[PE3-bgp-ipv4-SUB_VPN2] quit

[PE3-bgp-SUB_VPN2] quit

[PE3-bgp] quit

# Configure PE 4, CE 4, and CE 6 is a similar way to configuring PE 3, CE 3, and CE 5. (Details not shown.)

5. Establish MP-EBGP peer relationships between service provider PEs and their CEs to exchange user VPNv4 routes:

# On PE 1, enable nested VPN and VPNv4 route exchange with CE 1.

[PE1] bgp 100

[PE1-bgp] ipv4-family vpnv4

[PE1-bgp-vpnv4] nesting-vpn

[PE1-bgp-vpnv4] quit

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] ipv4-family vpnv4

[PE1-bgp-vpnv4-vpn1] peer 11.1.1.1 enable

[PE1-bgp-vpnv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Enable CE 1 to exchange VPNv4 routes with PE 1.

[CE1] bgp 200

[CE1-bgp] ipv4-family vpnv4

[CE1-bgp-vpnv4] peer 11.1.1.2 enable

# Allow the local AS number to appear in the AS-PATH attribute of the routes received.

[CE1-bgp-vpnv4] peer 11.1.1.2 allow-as-loop 2

# Disable route target based filtering of received VPNv4 routes.

[CE1-bgp-vpnv4] undo policy vpn-target

[CE1-bgp-vpnv4] quit

[CE1-bgp] quit

# Configure PE 2 and CE 2 is a similar way to configuring PE 1 and CE 1. (Details not shown.)

6. Establish MP-IBGP peer relationships between sub-VPN PEs and CEs of the customer VPN to exchange VPNv4 routes of sub-VPNs:

# Configure PE 3.

[PE3] bgp 200

[PE3-bgp] peer 2.2.2.9 as-number 200

[PE3-bgp] peer 2.2.2.9 connect-interface loopback 0

[PE3-bgp] ipv4-family vpnv4

[PE3-bgp-vpnv4] peer 2.2.2.9 enable

# Allow the local AS number to appear in the AS-PATH attribute of the routes received.

[PE3-bgp-vpnv4] peer 2.2.2.9 allow-as-loop 2

[PE3-bgp-vpnv4] quit

[PE3-bgp] quit

# Configure CE 1.

[CE1] bgp 200

[CE1-bgp] peer 1.1.1.9 as-number 200

[CE1-bgp] peer 1.1.1.9 connect-interface loopback 0

[CE1-bgp] ipv4-family vpnv4

[CE1-bgp-vpnv4] peer 1.1.1.9 enable

[CE1-bgp-vpnv4] undo policy vpn-target

[CE1-bgp-vpnv4] quit

[CE1-bgp] quit

# Configure PE 4 and CE 2 is a similar way to configuring PE 3 and CE 1. (Details not shown.)

7. Verify the configurations:

Execute the display ip routing-table command on PE 1 and PE 2 to verify that the public routing tables contain only routes on the service provider network. Take PE 1 as an example.

[PE1] display ip routing-table

Destinations : 15 Routes : 15

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

3.3.3.9/32 Direct 0 0 127.0.0.1 InLoop0

4.4.4.9/32 ISIS 15 10 30.1.1.2 Vlan2

30.1.1.0/24 Direct 0 0 30.1.1.1 Vlan2

30.1.1.0/32 Direct 0 0 30.1.1.1 Vlan2

30.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

30.1.1.255/32 Direct 0 0 30.1.1.1 Vlan2

30.1.1.2/32 Direct 0 0 30.1.1.2 Vlan2

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Execute the display ip routing-table vpn-instance command on PE 1 and PE 2 to verify that the VPN routing tables contain sub-VPN routes. Take PE 1 as an example.

[PE1] display ip routing-table vpn-instance vpn1

Destinations : 9 Routes : 9

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.0/24 Direct 0 0 11.1.1.1 Vlan1

11.1.1.0/32 Direct 0 0 11.1.1.1 Vlan1

11.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.255/32 Direct 0 0 11.1.1.1 Vlan1

11.1.1.2/32 Direct 0 0 11.1.1.2 Vlan1

100.1.1.0/24 BGP 255 0 11.1.1.1 NULL0

110.1.1.0/24 BGP 255 0 11.1.1.1 NULL0

120.1.1.0/24 BGP 255 0 4.4.4.9 NULL0

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

130.1.1.0/24 BGP 255 0 4.4.4.9 NULL0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Execute the display bgp routing-table vpnv4 command on CE 1 and CE 2 to verify that the VPNv4 routing tables on the customer VPN contain internal sub-VPN routes. Take CE 1 as an example.

[CE1] display bgp routing-table vpnv4

BGP Local router ID is 11.11.11.11

Status codes: * - valid, > - best, d - damped, h - history,

s - suppressed, S - Stale, i - internal, e - external

Origin: i - IGP, e - EGP, ? - incomplete

Total number of routes from all PEs: 4

Route Distinguisher: 100:1

Total number of routes: 1

Network NextHop MED LocPrf PrefVal Path/Ogn

*> 100.1.1.0/24 1.1.1.9 0 200 65410?

Route Distinguisher: 101:1

Total number of routes: 1

Network NextHop MED LocPrf PrefVal Path/Ogn

*> 110.1.1.0/24 1.1.1.9 0 200 65411?

Route Distinguisher: 200:1

Total number of routes: 1

Network NextHop MED LocPrf PrefVal Path/Ogn

*> 120.1.1.0/24 11.1.1.2 0 100 200

65420?

Route Distinguisher: 201:1

Total number of routes: 1

Network NextHop MED LocPrf PrefVal Path/Ogn

*> 130.1.1.0/24 11.1.1.2 0 100 200

65421?

# Execute the display ip routing-table vpn-instance SUB_VPN1 command on PE 3 and PE 4 to verify that the VPN routing tables contain routes sent by the provider PE to user sub-VPN. Take PE 3 as an example.

[PE3] display ip routing-table vpn-instance SUB_VPN1

Destinations : 11 Routes : 11

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.0/24 Direct 0 0 100.1.1.2 Vlan1

100.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

120.1.1.0/24 BGP 255 0 2.2.2.9 NULL0

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Execute the display ip routing-table command on CE 3 and CE 4 to verify that the routing tables contain routes of remote sub-VPNs. Take CE 3 as an example.

[CE3] display ip routing-table

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.0/24 Direct 0 0 100.1.1.1 Vlan1

100.1.1.0/32 Direct 0 0 100.1.1.1 Vlan1

100.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.255/32 Direct 0 0 100.1.1.1 Vlan1

120.1.1.0/24 BGP 255 0 100.1.1.2 Vlan1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Execute the display ip routing-table command on CE5 and CE 6 to verify that the routing tables contain routes of remote sub-VPNs. Take CE5 as an example.

[CE5] display ip routing-table

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

110.1.1.0/24 Direct 0 0 110.1.1.1 Vlan1

110.1.1.0/32 Direct 0 0 110.1.1.1 Vlan1

110.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

110.1.1.255/32 Direct 0 0 110.1.1.1 Vlan1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

130.1.1.0/24 BGP 255 0 110.1.1.2 Vlan1

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# CE 3 and CE 4 can ping each other.

[CE3] ping 120.1.1.1

PING 120.1.1.1 (120.1.1.1): 56 data bytes

56 bytes from 120.1.1.1: icmp_seq=0 ttl=252 time=102.000 ms

56 bytes from 120.1.1.1: icmp_seq=1 ttl=252 time=69.000 ms

56 bytes from 120.1.1.1: icmp_seq=2 ttl=252 time=105.000 ms

56 bytes from 120.1.1.1: icmp_seq=3 ttl=252 time=88.000 ms

56 bytes from 120.1.1.1: icmp_seq=4 ttl=252 time=87.000 ms

--- 13.1.1.1 ping statistics ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/stddev = 69.000/90.200/105.000/180.400 ms

# CE5 and CE 6 can ping each other.

[CE5] ping 130.1.1.1

PING 130.1.1.1 (130.1.1.1): 56 data bytes

56 bytes from 130.1.1.1: icmp_seq=0 ttl=252 time=102.000 ms

56 bytes from 130.1.1.1: icmp_seq=1 ttl=252 time=69.000 ms

56 bytes from 130.1.1.1: icmp_seq=2 ttl=252 time=105.000 ms

56 bytes from 130.1.1.1: icmp_seq=3 ttl=252 time=88.000 ms

56 bytes from 130.1.1.1: icmp_seq=4 ttl=252 time=87.000 ms

--- 130.1.1.1 ping statistics ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/stddev = 69.000/90.200/105.000/180.400 ms

# CE 3 and CE 6 cannot ping each other.

[CE3] ping 130.1.1.1

PING 130.1.1.1 (130.1.1.1): 56 data bytes

ping: sendto: No route to host

--- 130.1.1.1 ping statistics ---

5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss

Configuring HoVPN

Network requirements

There are two levels of networks, the backbone and the MPLS VPN networks, as shown in Figure 25.

· SPEs act as PEs to allow MPLS VPNs to access the backbone.

· UPEs act as PEs of the MPLS VPNs to allow end users to access the VPNs.

· Performance requirements for the UPEs are lower than those for the SPEs.

· SPEs advertise routes permitted by the routing policies to UPEs, permitting CE 1 and CE 3 in VPN 1 to communicate with each other and forbidding CE 2 and CE 4 in VPN 2 to communicate with each other.

Figure 25 Network diagram

Device	Interface	IP address	Device	Interface	IP address
CE 1	Vlan-int12	10.2.1.1/24	CE 3	Vlan-int12	10.1.1.1/24
CE 2	Vlan-int13	10.4.1.1/24	CE 4	Vlan-int13	10.3.1.1/24
UPE 1	Loop0	1.1.1.9/32	UPE 2	Loop0	4.4.4.9/32
	Vlan-int11	172.1.1.1/24		Vlan-int11	172.2.1.1/24
	Vlan-int12	10.2.1.2/24		Vlan-int12	10.1.1.2/24
	Vlan-int13	10.4.1.2/24		Vlan-int13	10.3.1.2/24
SPE 1	Loop0	2.2.2.9/32	SPE 2	Loop0	3.3.3.9/32
	Vlan-int11	172.1.1.2/24		Vlan-int11	172.2.1.2/24
	Vlan-int12	180.1.1.1/24		Vlan-int12	180.1.1.2/24

Configuration procedure

1. Configure UPE 1:

# Configure basic MPLS and MPLS LDP to establish LDP LSPs.

<UPE1> system-view

[UPE1] interface loopback 0

[UPE1-LoopBack0] ip address 1.1.1.9 32

[UPE1-LoopBack0] quit

[UPE1] mpls lsr-id 1.1.1.9

[UPE1] mpls ldp

[UPE1-ldp] quit

[UPE1] interface vlan-interface 11

[UPE1-Vlan-interface11] ip address 172.1.1.1 24

[UPE1-Vlan-interface11] mpls enable

[UPE1-Vlan-interface11] mpls ldp enable

[UPE1-Vlan-interface11] quit

# Configure the IGP protocol, OSPF, in this example.

[UPE1] ospf

[UPE1-ospf-1] area 0

[UPE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[UPE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[UPE1-ospf-1-area-0.0.0.0] quit

[UPE1-ospf-1] quit

# Configure VPN instances vpn1 and vpn2, allowing CE 1 and CE 2 to access UPE 1.

[UPE1] ip vpn-instance vpn1

[UPE1-vpn-instance-vpn1] route-distinguisher 100:1

[UPE1-vpn-instance-vpn1] vpn-target 100:1 both

[UPE1-vpn-instance-vpn1] quit

[UPE1] ip vpn-instance vpn2

[UPE1-vpn-instance-vpn2] route-distinguisher 100:2

[UPE1-vpn-instance-vpn2] vpn-target 100:2 both

[UPE1-vpn-instance-vpn2] quit

[UPE1] interface vlan-interface 12

[UPE1-Vlan-interface12] ip binding vpn-instance vpn1

[UPE1-Vlan-interface12] ip address 10.2.1.2 24

[UPE1-Vlan-interface12] quit

[UPE1] interface vlan-interface 13

[UPE1-Vlan-interface13] ip binding vpn-instance vpn2

[UPE1-Vlan-interface13] ip address 10.4.1.2 24

[UPE1-Vlan-interface13] quit

# Configure UPE 1 to establish an MP-IBGP peer relationship with SPE 1.

[UPE1] bgp 100

[UPE1-bgp] peer 2.2.2.9 as-number 100

[UPE1-bgp] peer 2.2.2.9 connect-interface loopback 0

[UPE1-bgp] ipv4-family vpnv4

[UPE1-bgp-vpnv4] peer 2.2.2.9 enable

[UPE1-bgp-vpnv4] quit

# Configure UPE 1 to establish an EBGP peer relationship with CE 1 and redistribute VPN routes.

[UPE1-bgp] ip vpn-instance vpn1

[UPE1-bgp-vpn1] peer 10.2.1.1 as-number 65410

[UPE1-bgp-vpn1] ipv4-family unicast

[UPE1-bgp-ipv4-vpn1] peer 10.2.1.1 enable

[UPE1-bgp-ipv4-vpn1] import-route direct

[UPE1-bgp-ipv4-vpn1] quit

[UPE1-bgp-vpn1] quit

# Configure UPE 1 to establish an EBGP peer relationship with CE 2 and redistribute VPN routes.

[UPE1-bgp] ip vpn-instance vpn2

[UPE1-bgp-vpn2] peer 10.4.1.1 as-number 65420

[UPE1-bgp-vpn2] ipv4-family unicast

[UPE1-bgp-ipv4-vpn2] peer 10.4.1.1 enable

[UPE1-bgp-ipv4-vpn2] import-route direct

[UPE1-bgp-ipv4-vpn2] quit

[UPE1-bgp-vpn2] quit

[UPE1-bgp] quit

2. Configure CE 1:

<CE1> system-view

[CE1] interface vlan-interface 12

[CE1-Vlan-interface12] ip address 10.2.1.1 255.255.255.0

[CE1-Vlan-interface12] quit

[CE1] bgp 65410

[CE1-bgp] peer 10.2.1.2 as-number 100

[CE1-bgp] ipv4-family unicast

[CE1-bgp-ipv4] peer 10.2.1.2 enable

[CE1-bgp-ipv4] import-route direct

[CE1-bgp-ipv4] quit

[CE1-bgp] quit

3. Configure CE 2:

<CE2> system-view

[CE2] interface vlan-interface 13

[CE2-Vlan-interface13] ip address 10.4.1.1 255.255.255.0

[CE2-Vlan-interface13] quit

[CE2] bgp 65420

[CE2-bgp] peer 10.4.1.2 as-number 100

[CE2-bgp] ipv4-family unicast

[CE2-bgp-ipv4] peer 10.4.1.2 enable

[CE2-bgp-ipv4] import-route direct

[CE2-bgp-ipv4] quit

[CE2-bgp] quit

4. Configure UPE 2:

# Configure basic MPLS and MPLS LDP to establish LDP LSPs.

<UPE2> system-view

[UPE2] interface loopback 0

[UPE2-Loopback0] ip address 4.4.4.9 32

[UPE2-Loopback0] quit

[UPE2] mpls lsr-id 4.4.4.9

[UPE2] mpls ldp

[UPE2-ldp] quit

[UPE2] interface vlan-interface 11

[UPE2-Vlan-interface11] ip address 172.2.1.1 24

[UPE2-Vlan-interface11] mpls enable

[UPE2-Vlan-interface11] mpls ldp enable

[UPE2-Vlan-interface11] quit

# Configure the IGP protocol, OSPF, in this example.

[UPE2] ospf

[UPE2-ospf-1] area 0

[UPE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[UPE2-ospf-1-area-0.0.0.0] network 4.4.4.9 0.0.0.0

[UPE2-ospf-1-area-0.0.0.0] quit

[UPE2-ospf-1] quit

# Configure VPN instances vpn1 and vpn2, allowing CE 3 and CE 4 to access UPE 2.

[UPE2] ip vpn-instance vpn1

[UPE2-vpn-instance-vpn1] route-distinguisher 300:1

[UPE2-vpn-instance-vpn1] vpn-target 100:1 both

[UPE2-vpn-instance-vpn1] quit

[UPE2] ip vpn-instance vpn2

[UPE2-vpn-instance-vpn2] route-distinguisher 400:2

[UPE2-vpn-instance-vpn2] vpn-target 100:2 both

[UPE2-vpn-instance-vpn2] quit

[UPE2] interface vlan-interface 12

[UPE2-Vlan-interface12] ip binding vpn-instance vpn1

[UPE2-Vlan-interface12] ip address 10.1.1.2 24

[UPE2-Vlan-interface12] quit

[UPE2] interface vlan-interface 13

[UPE2-Vlan-interface13] ip binding vpn-instance vpn2

[UPE2-Vlan-interface13] ip address 10.3.1.2 24

[UPE2-Vlan-interface13] quit

# Configure UPE 2 to establish an MP-IBGP peer relationship with SPE 2.

[UPE2] bgp 100

[UPE2-bgp] peer 3.3.3.9 as-number 100

[UPE2-bgp] peer 3.3.3.9 connect-interface loopback 0

[UPE2-bgp] ipv4-family vpnv4

[UPE2-bgp-vpnv4] peer 3.3.3.9 enable

[UPE2-bgp-vpnv4] quit

# Configure UPE 2 to establish an EBGP peer relationship with CE 3 and redistribute VPN routes.

[UPE2-bgp] ip vpn-instance vpn1

[UPE2-bgp-vpn1] peer 10.1.1.1 as-number 65430

[UPE2-bgp-vpn1] ipv4-family unicast

[UPE2-bgp-ipv4-vpn1] peer 10.1.1.1 enable

[UPE2-bgp-ipv4-vpn1] import-route direct

[UPE2-bgp-ipv4-vpn1] quit

[UPE2-bgp-vpn1] quit

# Configure UPE 2 to establish an EBGP peer relationship with CE 4 and redistribute VPN routes.

[UPE2-bgp] ip vpn-instance vpn2

[UPE2-bgp-vpn2] peer 10.3.1.1 as-number 65440

[UPE2-bgp-vpn2] ipv4-family unicast

[UPE2-bgp-ipv4-vpn2] peer 10.3.1.1 enable

[UPE2-bgp-ipv4-vpn2] import-route direct

[UPE2-bgp-ipv4-vpn2] quit

[UPE2-bgp-vpn2] quit

[UPE2-bgp] quit

5. Configure CE 3:

<CE3> system-view

[CE3] interface vlan-interface 12

[CE3-Vlan-interface12] ip address 10.1.1.1 255.255.255.0

[CE3-Vlan-interface12] quit

[CE3] bgp 65430

[CE3-bgp] peer 10.1.1.2 as-number 100

[CE3-bgp] ipv4-family unicast

[CE3-bgp-ipv4] peer 10.1.1.2 enable

[CE3-bgp-ipv4] import-route direct

[CE3-bgp-ipv4] quit

[CE3-bgp] quit

6. Configure CE 4:

<CE4> system-view

[CE4] interface vlan-interface 13

[CE4-Vlan-interface13] ip address 10.3.1.1 255.255.255.0

[CE4-Vlan-interface13] quit

[CE4] bgp 65440

[CE4-bgp] peer 10.3.1.2 as-number 100

[CE4-bgp] ipv4-family unicast

[CE4-bgp-ipv4] peer 10.3.1.2 enable

[CE4-bgp-ipv4] import-route direct

[CE4-bgp-ipv4] quit

[CE4-bgp] quit

7. Configure SPE 1:

# Configure basic MPLS and MPLS LDP to establish LDP LSPs.

<SPE1> system-view

[SPE1] interface loopback 0

[SPE1-LoopBack0] ip address 2.2.2.9 32

[SPE1-LoopBack0] quit

[SPE1] mpls lsr-id 2.2.2.9

[SPE1] mpls ldp

[SPE1-ldp] quit

[SPE1] interface vlan-interface 11

[SPE1-Vlan-interface11] ip address 172.1.1.2 24

[SPE1-Vlan-interface11] mpls enable

[SPE1-Vlan-interface11] mpls ldp enable

[SPE1-Vlan-interface11] quit

[SPE1] interface vlan-interface 12

[SPE1-Vlan-interface12] ip address 180.1.1.1 24

[SPE1-Vlan-interface12] mpls enable

[SPE1-Vlan-interface12] mpls ldp enable

[SPE1-Vlan-interface12] quit

# Configure the IGP protocol, OSPF, in this example.

[SPE1] ospf

[SPE1-ospf-1] area 0

[SPE1-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[SPE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[SPE1-ospf-1-area-0.0.0.0] network 180.1.1.0 0.0.0.255

[SPE1-ospf-1-area-0.0.0.0] quit

[SPE1-ospf-1] quit

# Configure VPN instances vpn1 and vpn2.

[SPE1] ip vpn-instance vpn1

[SPE1-vpn-instance-vpn1] route-distinguisher 500:1

[SPE1-vpn-instance-vpn1] vpn-target 100:1 both

[SPE1-vpn-instance-vpn1] quit

[SPE1] ip vpn-instance vpn2

[SPE1-vpn-instance-vpn2] route-distinguisher 700:1

[SPE1-vpn-instance-vpn2] vpn-target 100:2 both

[SPE1-vpn-instance-vpn2] quit

# Configure SPE 1 to establish an MP-IBGP peer relationship with UPE 1 and redistribute VPN routes.

[SPE1] bgp 100

[SPE1-bgp] peer 1.1.1.9 as-number 100

[SPE1-bgp] peer 1.1.1.9 connect-interface loopback 0

[SPE1-bgp] peer 3.3.3.9 as-number 100

[SPE1-bgp] peer 3.3.3.9 connect-interface loopback 0

[SPE1-bgp] ipv4-family vpnv4

[SPE1-bgp-vpnv4] peer 3.3.3.9 enable

[SPE1-bgp-vpnv4] peer 1.1.1.9 enable

[SPE1-bgp-vpnv4] peer 1.1.1.9 upe

[SPE1-bgp-vpnv4] peer 1.1.1.9 next-hop-local

[SPE1-bgp-vpnv4] quit

[SPE1-bgp] ip vpn-instance vpn1

[SPE1-bgp-vpn1] quit

[SPE1-bgp] ip vpn-instance vpn2

[SPE1-bgp-vpn2] quit

[SPE1-bgp] quit

# Configure SPE 1 to advertise to UPE 1 the routes permitted by a routing policy, that is, the routes of CE 3.

[SPE1] ip prefix-list hope index 10 permit 10.1.1.1 24

[SPE1] route-policy hope permit node 0

[SPE1-route-policy-hope-0] if-match ip address prefix-list hope

[SPE1-route-policy-hope-0] quit

[SPE1] bgp 100

[SPE1-bgp] ipv4-family vpnv4

[SPE1-bgp-vpnv4] peer 1.1.1.9 upe route-policy hope export

8. Configure SPE 2:

# Configure basic MPLS and MPLS LDP to establish LDP LSPs.

<SPE2> system-view

[SPE2] interface loopback 0

[SPE2-LoopBack0] ip address 3.3.3.9 32

[SPE2-LoopBack0] quit

[SPE2] mpls lsr-id 3.3.3.9

[SPE2] mpls ldp

[SPE2-ldp] quit

[SPE2] interface vlan-interface 12

[SPE2-Vlan-interface12] ip address 180.1.1.2 24

[SPE2-Vlan-interface12] mpls enable

[SPE2-Vlan-interface12] mpls ldp enable

[SPE2-Vlan-interface12] quit

[SPE2] interface vlan-interface 11

[SPE2-Vlan-interface11] ip address 172.2.1.2 24

[SPE2-Vlan-interface11] mpls enable

[SPE2-Vlan-interface11] mpls ldp enable

[SPE2-Vlan-interface11] quit

# Configure the IGP protocol, OSPF, in this example.

[SPE2] ospf

[SPE2-ospf-1] area 0

[SPE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[SPE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[SPE2-ospf-1-area-0.0.0.0] network 180.1.1.0 0.0.0.255

[SPE2-ospf-1-area-0.0.0.0] quit

[SPE2-ospf-1] quit

# Configure VPN instances vpn1 and vpn2.

[SPE2] ip vpn-instance vpn1

[SPE2-vpn-instance-vpn1] route-distinguisher 600:1

[SPE2-vpn-instance-vpn1] vpn-target 100:1 both

[SPE2-vpn-instance-vpn1] quit

[SPE2] ip vpn-instance vpn2

[SPE2-vpn-instance-vpn2] route-distinguisher 800:1

[SPE2-vpn-instance-vpn2] vpn-target 100:2 both

[SPE2-vpn-instance-vpn2] quit

# Configure SPE 2 to establish an MP-IBGP peer relationship with UPE 2 and redistribute VPN routes.

[SPE2] bgp 100

[SPE2-bgp] peer 4.4.4.9 as-number 100

[SPE2-bgp] peer 4.4.4.9 connect-interface loopback 0

[SPE2-bgp] peer 2.2.2.9 as-number 100

[SPE2-bgp] peer 2.2.2.9 connect-interface loopback 0

[SPE2-bgp] ipv4-family vpnv4

[SPE2-bgp-vpnv4] peer 2.2.2.9 enable

[SPE2-bgp-vpnv4] peer 4.4.4.9 enable

[SPE2-bgp-vpnv4] peer 4.4.4.9 upe

[SPE2-bgp-vpnv4] peer 4.4.4.9 next-hop-local

[SPE2-bgp-vpnv4] quit

[SPE2-bgp] ip vpn-instance vpn1

[SPE2-bgp-vpn1] quit

[SPE2-bgp] ip vpn-instance vpn2

[SPE2-bgp-vpn2] quit

[SPE2-bgp] quit

# Configure SPE 2 to advertise to UPE 2 the routes permitted by a routing policy, that is, the routes of CE 1.

[SPE2] ip prefix-list hope index 10 permit 10.2.1.1 24

[SPE2] route-policy hope permit node 0

[SPE2-route-policy-hope-0] if-match ip address prefix-list hope

[SPE2-route-policy-hope-0] quit

[SPE2] bgp 100

[SPE2-bgp] ipv4-family vpnv4

[SPE2-bgp-vpnv4] peer 4.4.4.9 upe route-policy hope export

9. Verify the configurations:

After completing all the configurations, CE 1 and CE3 can learn each other's interface routes and can ping each other. CE 2 and CE 4 cannot learn each other's interface routes and cannot ping each other.

Example 1 for configuring MCE

Network requirements

As shown in Figure 26, the MCE device is connected to VPN 1 through VLAN-interface 10 and is connected to VPN 2 through VLAN-interface 20. RIP runs in VPN 2.

Configure the MCE device to separate routes from different VPNs and advertise the VPN routes to PE 1 through OSPF.

Figure 26 Network diagram

Configuration procedure

Assume that the system name of the MCE device is MCE, the system names of the edge devices of VPN 1 and VPN 2 are VR1 and VR2, respectively, and the system name of PE 1 is PE1.

1. Configure the VPN instances on the MCE and PE 1:

# On the MCE, configure VPN instances vpn1 and vpn2, and specify an RD and route targets for each VPN instance.

<MCE> system-view

[MCE] ip vpn-instance vpn1

[MCE-vpn-instance-vpn1] route-distinguisher 10:1

[MCE-vpn-instance-vpn1] vpn-target 10:1

[MCE-vpn-instance-vpn1] quit

[MCE] ip vpn-instance vpn2

[MCE-vpn-instance-vpn2] route-distinguisher 20:1

[MCE-vpn-instance-vpn2] vpn-target 20:1

[MCE-vpn-instance-vpn2] quit

# Create VLAN 10, add port GigabitEthernet 3/0/1 to VLAN 10, and create VLAN-interface 10.

[MCE] vlan 10

[MCE-vlan10] port GigabitEthernet 3/0/1

[MCE-vlan10] quit

[MCE] interface vlan-interface 10

# Bind VLAN-interface 10 with VPN instance vpn1, and configure an IP address for VLAN-interface 10.

[MCE-Vlan-interface10] ip binding vpn-instance vpn1

[MCE-Vlan-interface10] ip address 10.214.10.3 24

# Configure VLAN 20, add port GigabitEthernet 3/0/2 to VLAN 20, bind VLAN-interface 20 with VPN instance vpn2, and specify an IP address for VLAN-interface 20.

[MCE-Vlan-interface10] quit

[MCE] vlan 20

[MCE-vlan20] port GigabitEthernet 3/0/2

[MCE-vlan20] quit

[MCE] interface vlan-interface 20

[MCE-Vlan-interface20] ip binding vpn-instance vpn2

[MCE-Vlan-interface20] ip address 10.214.20.3 24

[MCE-Vlan-interface20] quit

# On PE 1, configure VPN instances vpn1 and vpn2, specify an RD and route targets for each VPN instance.

<PE1> system-view

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 30:1

[PE1-vpn-instance-vpn1] vpn-target 10:1

[PE1-vpn-instance-vpn1] quit

[PE1] ip vpn-instance vpn2

[PE1-vpn-instance-vpn2] route-distinguisher 40:1

[PE1-vpn-instance-vpn2] vpn-target 20:1

[PE1-vpn-instance-vpn2] quit

2. Configure routing between the MCE and VPN sites:

The MCE is connected to VPN 1 directly, and no routing protocol is enabled in VPN 1. Therefore, you can configure static routes.

# On VR 1, assign IP address 10.214.10.2/24 to the interface connected to MCE and 192.168.0.1/24 to the interface connected to VPN 1. Add ports to VLANs correctly. (Details not shown.)

# On VR 1, configure a default route with the next hop being 10.214.10.3.

<VR1> system-view

[VR1] ip route-static 0.0.0.0 0.0.0.0 10.214.10.3

# On the MCE, configure a static route to 192.168.0.0/24, specify the next hop as 10.214.10.2, and bind the static route with VPN instance vpn1.

[MCE] ip route-static vpn-instance vpn1 192.168.0.0 24 10.214.10.2

# On the MCE, display the routing information maintained for VPN instance vpn1.

[MCE] display ip routing-table vpn-instance vpn1

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.214.10.0/24 Direct 0 0 10.214.10.3 Vlan10

10.214.10.0/32 Direct 0 0 10.214.10.3 Vlan10

10.214.10.3/32 Direct 0 0 127.0.0.1 InLoop0

10.214.10.255/32 Direct 0 0 10.214.10.3 Vlan10

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

192.168.0.0/24 Static 60 0 10.214.10.2 Vlan10

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

The output shows that the MCE has a static route for VPN instance vpn1.

# Run OSPF in VPN 2. Create OSPF process 20 and bind it with VPN instance vpn2 on the MCE, so that the MCE can learn the routes of VPN 2 and add them to the routing table of the VPN instance vpn2.

[MCE] ospf 2 vpn-instance vpn2

# Advertise subnet 10.214.20.0.

[MCE-ospf-2] area 0

[MCE-ospf-2-area-0.0.0.0] network 10.214.20.0 0.0.0.255

[MCE-ospf-2-area-0.0.0.0] quit

[MCE-ospf-2] quit

# On VR 2, assign IP address 10.214.20.2/24 to the interface connected to MCE and 192.168.10.1/24 to the interface connected to VPN 2. (Details not shown.)

# Configure OSPF process 2, and advertise subnets 192.168.10.0 and 10.214.20.0.

<VR2> system-view

[VR2] ospf 2

[VR2-ospf-2] area 0

[VR2-ospf-2-area-0.0.0.0] network 192.168.10.0 0.0.0.255

[VR2-ospf-2-area-0.0.0.0] network 10.214.20.0 0.0.0.255

[VR2-ospf-2-area-0.0.0.0] quit

[VR2-ospf-2] quit

# On the MCE, display the routing information maintained for VPN instance vpn2.

[MCE] display ip routing-table vpn-instance vpn2

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.214.20.0/24 Direct 0 0 10.214.20.3 Vlan20

10.214.20.0/32 Direct 0 0 10.214.20.3 Vlan20

10.214.20.3/32 Direct 0 0 127.0.0.1 InLoop0

10.214.20.255/32 Direct 0 0 10.214.20.3 Vlan20

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

192.168.10.0/24 OSPF 10 2 10.214.20.2 Vlan20

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

The output shows that the MCE has learned the private routes of VPN 2. The MCE maintains the routes of VPN 1 and those of VPN2 in two different routing tables. In this way, routes from different VPNs are separated.

3. Configure routing between the MCE and PE 1:

# The MCE uses port GigabitEthernet 3/0/3 to connect to PE's port GigabitEthernet 3/0/1. Configure the two ports as trunk ports, and configure them to permit packets carrying VLAN tags 30 and 40 to pass.

[MCE] interface GigabitEthernet 3/0//3

[MCE-GigabitEthernet3/0/3] port link-type trunk

[MCE-GigabitEthernet3/0/3] port trunk permit vlan 30 40

[MCE-GigabitEthernet3/0/3] quit

# Configure port GigabitEthernet 3/0/1 on the PE.

[PE1] interface GigabitEthernet 3/0/1

[PE1-GigabitEthernet3/0/1] port link-type trunk

[PE1-GigabitEthernet3/0/1] port trunk permit vlan 30 40

[PE1-GigabitEthernet3/0/1] quit

# On the MCE, create VLAN 30 and VLAN-interface 30, bind the VLAN interface with VPN instance vpn1, and configure an IP address for the VLAN interface.

[MCE] vlan 30

[MCE-vlan30] quit

[MCE] interface vlan-interface 30

[MCE-Vlan-interface30] ip binding vpn-instance vpn1

[MCE-Vlan-interface30] ip address 30.1.1.1 24

[MCE-Vlan-interface30] quit

# On the MCE, create VLAN 40 and VLAN-interface 40, bind the VLAN interface with VPN instance vpn2, and configure an IP address for the VLAN interface.

[MCE] vlan 40

[MCE-vlan40] quit

[MCE] interface vlan-interface 40

[MCE-Vlan-interface40] ip binding vpn-instance vpn2

[MCE-Vlan-interface40] ip address 40.1.1.1 24

[MCE-Vlan-interface40] quit

# On PE 1, create VLAN 30 and VLAN-interface 30, bind the VLAN interface with VPN instance vpn1, and configure an IP address for the VLAN interface.

[PE1] vlan 30

[PE1-vlan30] quit

[PE1] interface vlan-interface 30

[PE1-Vlan-interface30] ip binding vpn-instance vpn1

[PE1-Vlan-interface30] ip address 30.1.1.2 24

[PE1-Vlan-interface30] quit

# On PE 1, create VLAN 40 and VLAN-interface 40, bind the VLAN interface with VPN instance vpn2, and configure an IP address for the VLAN interface.

[PE1] vlan 40

[PE1-vlan40] quit

[PE1] interface vlan-interface 40

[PE1-Vlan-interface40] ip binding vpn-instance vpn2

[PE1-Vlan-interface40] ip address 40.1.1.2 24

[PE1-Vlan-interface40] quit

# Configure the IP address of the interface Loopback0 as 101.101.10.1 for the MCE and as 100.100.10.1 for PE 1. Specify the loopback interface address as the router ID for the MCE and PE 1. (Details not shown.)

# Enable OSPF process 10 on the MCE, bind the process to VPN instance vpn1, and set the domain ID to 10.

[MCE] ospf 10 router-id 101.101.10.1 vpn-instance vpn1

[MCE-ospf-10] vpn-instance-capability simple

[MCE-ospf-10] domain-id 10

# On the MCE, advertise subnet 30.1.1.0 in area 0, and redistribute the static route of VPN 1.

[MCE-ospf-10] area 0

[MCE-ospf-10-area-0.0.0.0] network 30.1.1.0 0.0.0.255

[MCE-ospf-10-area-0.0.0.0] quit

[MCE-ospf-10] import-route static

# On PE 1, enable OSPF process 10, bind the process with VPN instance vpn1, set the domain ID to 10, and advertise subnet 30.1.1.0 in area 0.

[PE1] ospf 10 router-id 100.100.10.1 vpn-instance vpn1

[PE1-ospf-10] domain-id 10

[PE1-ospf-10] area 0

[PE1-ospf-10-area-0.0.0.0] network 30.1.1.0 0.0.0.255

[PE1-ospf-10-area-0.0.0.0] quit

[PE1-ospf-10] quit

# Take similar procedures to configure OSPF process 20 between MCE and PE 1 and redistribute VPN 2's routing information. (Details not shown.)

4. Verify the configuration:

# On PE 1, display the routing information of VPN 1. The output shows that the static route of VPN 1 has been redistributed to the OSPF routing table of PE 1.

[PE1] display ip routing-table vpn-instance vpn1

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

30.1.1.0/24 Direct 0 0 30.1.1.2 Vlan30

30.1.1.0/32 Direct 0 0 30.1.1.2 Vlan30

30.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

30.1.1.255/32 Direct 0 0 30.1.1.2 Vlan30

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

192.168.0.0/24 OSPF 150 1 30.1.1.1 Vlan30

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# On PE 1, display the routing information of VPN 2. The output shows that the routes of OSPF process 2 in VPN 2 have been redistributed to the OSPF routing table of PE 1.

[PE1] display ip routing-table vpn-instance vpn2

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

40.1.1.0/24 Direct 0 0 40.1.1.2 Vlan40

40.1.1.0/32 Direct 0 0 40.1.1.2 Vlan40

40.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

40.1.1.255/32 Direct 0 0 40.1.1.2 Vlan40

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

192.168.10.0/24 OSPF 150 1 40.1.1.1 Vlan40

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

Now, the routing information of the two VPNs has been redistributed into the routing tables on PE 1.

Example 2 for configuring MCE

Network requirements

As shown in Figure 27, configure the MCE to advertise the routes of VPNs 1 and 2 to PE 1, so that the sites of each VPN can communicate with each other over the MPLS backbone.

Run OSPF in both VPN 1 and VPN 2. Run EBGP between the MCE and PE 1.

Figure 27 Network diagram

Configuraton procedure

1. Configure VPN instances:

# Create VPN instances on the MCE and PE 1, and bind the VPN instances with VLAN interfaces. For the configuration procedure, see "Configure the VPN instances on the MCE and PE 1:"

2. Configure routing between the MCE and VPN sites:

# Enable an OSPF process on the devices in the two VPNs and advertise the subnets. (Details not shown.)

# Configure OSPF on the MCE, and bind OSPF process 10 with VPN instance vpn1 to learn the routes of VPN 1.

<MCE> system-view

[MCE] ospf 10 router-id 10.10.10.1 vpn-instance vpn1

[MCE-ospf-10] area 0

[MCE-ospf-10-area-0.0.0.0] network 10.214.10.0 0.0.0.255

[MCE-ospf-10-area-0.0.0.0] quit

[MCE-ospf-10] quit

# Display the routing table of VPN 1 on the MCE.

[MCE] display ip routing-table vpn-instance vpn1

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.214.10.0/24 Direct 0 0 10.214.10.3 Vlan10

10.214.10.0/32 Direct 0 0 10.214.10.3 Vlan10

10.214.10.3/32 Direct 0 0 127.0.0.1 InLoop0

10.214.10.255/32 Direct 0 0 10.214.10.3 Vlan10

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

192.168.0.0/24 OSPF 10 2 10.214.10.2 Vlan10

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

The output shows that the MCE has learned the private route of VPN 1 through OSPF process 10.

# On the MCE, bind OSPF process 20 with VPN instance vpn2 to learn the routes of VPN 2. The configuration procedure is similar to that for OSPF process 10.

The following output shows that the MCE has learned the private route of VPN 2 through OSPF:

[MCE] display ip routing-table vpn-instance vpn2

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.214.20.0/24 Direct 0 0 10.214.20.3 Vlan20

10.214.20.0/32 Direct 0 0 10.214.20.3 Vlan20

10.214.20.3/32 Direct 0 0 127.0.0.1 InLoop0

10.214.20.255/32 Direct 0 0 10.214.20.3 Vlan20

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

192.168.10.0/24 OSPF 10 2 10.214.20.2 Vlan20

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

3. Configure routing between the MCE and PE 1:

# Configure the ports between the MCE and PE 1 as trunk ports. The configuration procedure is similar to that described in "Configure routing between the MCE and PE 1:" (Details not shown.)

# Enable BGP in AS 100 on the MCE, enter the IPv4 address family view of VPN instance vpn1, and specify the EBGP peer PE 1 in AS 200.

[MCE] bgp 100

[MCE-bgp] ip vpn-instance vpn1

[MCE-bgp-vpn1] peer 30.1.1.2 as-number 200

# Activate the EBGP VPNv4 peer PE 1 and redistribute routing information from OSPF process 10 to BGP

[MCE-bgp-vpn1] ipv4-family

[MCE-bgp-ipv4-vpn1] peer 30.1.1.2 enable

[MCE-bgp-ipv4-vpn1] import-route ospf 10

# On PE 1, enable BGP in AS 200 and specify the MCE as its EBGP peer.

[PE1] bgp 200

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] peer 30.1.1.1 as-number 100

[PE1-bgp-vpn1] ipv4-family

[PE1-bgp-ipv4-vpn1] peer 30.1.1.1 enable

[PE1-bgp-ipv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Take similar procedures to configure VPN 2 settings on MCE and PE 1. (Details not shown.)

4. Verify the configuration:

# Display the routing information for VPN 1 on PE 1.

[PE1] display ip routing-table vpn-instance vpn1

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

30.1.1.0/24 Direct 0 0 30.1.1.2 Vlan30

30.1.1.0/32 Direct 0 0 30.1.1.2 Vlan30

30.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

30.1.1.255/32 Direct 0 0 30.1.1.2 Vlan30

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

192.168.0.0/24 BGP 255 3 30.1.1.1 Vlan30

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Display the routing information for VPN 2 on PE 1.

[PE1] display ip routing-table vpn-instance vpn2

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

40.1.1.0/24 Direct 0 0 40.1.1.2 Vlan40

40.1.1.0/32 Direct 0 0 40.1.1.2 Vlan40

40.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

40.1.1.255/32 Direct 0 0 40.1.1.2 Vlan40

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

192.168.10.0/24 BGP 255 3 40.1.1.1 Vlan40

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

Now, the MCE has redistributed the OSPF routes of the two VPN instances into the EBGP routing tables of PE 1.

Configuring BGP AS number substitution

Network requirements

As shown in Figure 28, CE 1 and CE 2 belong to VPN 1 and are connected to PE 1 and PE 2 respectively. The two CEs have the same AS number 600. Configure BGP AS number substitution on the PEs to enable the CEs to communicate with each other.

Figure 28 Network diagram

Device	Interface	IP address	Device	Interface	IP address
CE 1	Vlan-int11	10.1.1.1/24	P	Loop0	2.2.2.9/32
	Vlan-int12	100.1.1.1/24		Vlan-int11	30.1.1.1/24
PE 1	Loop0	1.1.1.9/32		Vlan-int12	20.1.1.2/24
	Vlan-int11	10.1.1.2/24	PE 2	Loop0	3.3.3.9/32
	Vlan-int12	20.1.1.1/24		Vlan-int11	30.1.1.2/24
CE 2	Vlan-int12	10.2.1.1/24		Vlan-int12	10.2.1.2/24
	Vlan-int13	200.1.1.1/24

Configuration procedure

1. Configuring basic MPLS L3VPN:

¡ Configure OSPF on the MPLS backbone to allow the PEs and P device to learn the routes of the loopback interfaces from each other.

¡ Configure basic MPLS and MPLS LDP on the MPLS backbone to establish LDP LSPs.

¡ Establish MP-IBGP peer relationship between the PEs to advertise VPNv4 routes.

¡ Configure the VPN instance of VPN 1 on PE 2 to allow CE 2 to access the network.

¡ Configure the VPN instance of VPN 1 on PE 1 to allow CE 1 to access the network.

¡ Configure BGP between PE 1 and CE 1, and between PE 2 and CE 2 and redistribute routes of CEs into PEs.

After completing the configurations, execute the display ip routing-table command on CE 2. You can see that CE 2 has learned the route to network 10.1.1.0/24, where the interface used by CE 1 to access PE 1 resides, but it has not learned the route to the VPN (100.1.1.0/24) behind CE 1. The situation on CE 1 is similar.

<CE2> display ip routing-table

Destinations : 17 Routes : 17

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.0/24 BGP 255 0 10.2.1.2 Vlan12

10.2.1.0/24 Direct 0 0 10.2.1.1 Vlan12

10.2.1.0/32 Direct 0 0 10.2.1.1 Vlan12

10.2.1.1/32 Direct 0 0 127.0.0.1 InLoop0

10.2.1.255/32 Direct 0 0 10.2.1.1 Vlan12

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

200.1.1.0/24 Direct 0 0 200.1.1.1 Vlan13

200.1.1.0/32 Direct 0 0 200.1.1.1 Vlan13

200.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

200.1.1.255/24 Direct 0 0 200.1.1.1 Vlan13

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Execute the display ip routing-table vpn-instance command on the PEs. You can see the route to the VPN behind the peer CE. Take PE 2 as an example:

<PE2> display ip routing-table vpn-instance vpn1

Destinations : 15 Routes : 15

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.0/24 BGP 255 0 1.1.1.9 Vlan11

10.2.1.0/24 Direct 0 0 10.2.1.2 Vlan12

10.2.1.0/32 Direct 0 0 10.2.1.2 Vlan12

10.2.1.2/32 Direct 0 0 127.0.0.1 InLoop0

10.2.1.255/32 Direct 0 0 10.2.1.2 Vlan12

100.1.1.0/24 BGP 255 0 1.1.1.9 Vlan11

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

200.1.1.0/24 BGP 255 0 10.2.1.1 Vlan12

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Enabling BGP update packet debugging on PE 2, you can see that PE 2 advertises the route to 100.1.1.1/32, and the AS_PATH is 100 600.

<PE2> terminal monitor

<PE2> terminal logging level 7

<PE2> debugging bgp update vpn-instance vpn1 10.2.1.1 ipv4

<PE2> refresh bgp all export ipv4 vpn-instance vpn1

*Jun 13 16:12:52:096 2012 PE2 BGP/7/DEBUG: -MDC=1;

BGP.vpn1: Send UPDATE to peer 10.2.1.1 for following destinations:

Origin : Incomplete

AS Path : 100 600

Next Hop : 10.2.1.2

100.1.1.0/24,

# Execute the display bgp routing-table ipv4 peer received-routes command on CE 2. You can see that CE 2 has not received the route to 100.1.1.0/24.

<CE2> display bgp routing-table ipv4 peer 10.2.1.2 received-routes

Total number of routes: 2

BGP local router ID is 200.1.1.1

Status codes: * - valid, > - best, d - dampened, h - history,

s - suppressed, S - stale, i - internal, e - external

Origin: i - IGP, e - EGP, ? - incomplete

Network NextHop MED LocPrf PrefVal Path/Ogn

>e 10.1.1.0/24 10.2.1.2 0 100?

* e 10.2.1.0/24 10.2.1.2 0 0 100?

2. Configure BGP AS number substitution on PE 2:

<PE2> system-view

[PE2] bgp 100

[PE2-bgp] ip vpn-instance vpn1

[PE2-bgp-vpn1] peer 10.2.1.1 substitute-as

[PE2-bgp-vpn1] ipv4-family unicast

[PE2-bgp-ipv4-vpn1] peer 10.2.1.1 enable

[PE2-bgp-ipv4-vpn1] quit

[PE2-bgp-vpn1] quit

[PE2-bgp] quit

3. Verify the configuration:

# The output shows that among the routes advertised by PE 2 to CE 2, the AS_PATH of 100.1.1.0/24 has changed from 100 600 to 100 100:

*Jun 13 16:15:59:456 2012 PE2 BGP/7/DEBUG: -MDC=1;

BGP.vpn1: Send UPDATE to peer 10.2.1.1 for following destinations:

Origin : Incomplete

AS Path : 100 100

Next Hop : 10.2.1.2

100.1.1.0/24,

# Display again the routing information that CE 2 has received and the routing table:

<CE2> display bgp routing-table ipv4 peer 10.2.1.2 received-routes

Total number of routes: 3

BGP local router ID is 200.1.1.1

Status codes: * - valid, > - best, d - dampened, h - history,

s - suppressed, S - stale, i - internal, e - external

Origin: i - IGP, e - EGP, ? - incomplete

Network NextHop MED LocPrf PrefVal Path/Ogn

>e 10.1.1.0/24 10.2.1.2 0 100?

* e 10.2.1.0/24 10.2.1.2 0 0 100?

>e 100.1.1.0/24 10.2.1.2 0 100 100?

<CE2> display ip routing-table

Destinations : 18 Routes : 18

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.0/24 BGP 255 0 10.2.1.2 Vlan12

10.2.1.0/24 Direct 0 0 10.2.1.1 Vlan12

10.2.1.0/32 Direct 0 0 10.2.1.1 Vlan12

10.2.1.1/32 Direct 0 0 127.0.0.1 InLoop0

10.2.1.255/32 Direct 0 0 10.2.1.1 Vlan12

100.1.1.0/24 BGP 255 0 10.2.1.2 Vlan12

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

200.1.1.0/24 Direct 0 0 200.1.1.1 Vlan13

200.1.1.0/32 Direct 0 0 200.1.1.1 Vlan13

200.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

200.1.1.255/32 Direct 0 0 200.1.1.1 Vlan13

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# After you also configure BGP AS substitution on PE 1, the VLAN interfaces of CE 1 and CE 2 can ping each other.

Configuring IPv6 MPLS L3VPN

Overview

IPv6 MPLS L3VPN uses BGP to advertise IPv6 VPN routes and uses MPLS to forward IPv6 VPN packets on the service provider backbone.

Figure 29 shows a typical IPv6 MPLS L3VPN model. The service provider backbone in the IPv6 MPLS L3VPN model is an IPv4 network. IPv6 runs inside the VPNs and between CE and PE. Therefore, PEs must support both IPv4 and IPv6. The PE-CE interfaces of a PE run IPv6 and the PE-P interface of a PE runs IPv4.

Figure 29 Network diagram for the IPv6 MPLS L3VPN model

IPv6 MPLS L3VPN packet forwarding

Figure 30 IPv6 MPLS L3VPN packet forwarding diagram

As shown in Figure 30, the IPv6 MPLS L3VPN packet forwarding procedure is as follows:

1. The PC at Site 1 sends an IPv6 packet destined for 2001:2::1, the PC at Site 2. CE 1 transmits the packet to PE 1.

2. Based on the inbound interface and destination address of the packet, PE 1 finds a matching entry from the routing table of the VPN instance, labels the packet with both inner and outer labels, and forwards the packet out.

3. The MPLS backbone transmits the packet to PE 2 by outer label. The outer label is removed from the packet at the penultimate hop.

4. According to the inner label and destination address of the packet, PE 2 searches the routing table of the VPN instance to determine the outbound interface and then forwards the packet out of the interface to CE 2.

5. CE 2 forwards the packet to the destination by IPv6 forwarding.

IPv6 MPLS L3VPN routing information advertisement

The IPv6 VPN routing information of a local CE is advertised in the following steps:

1. From the local CE to the ingress PE.

2. From the ingress PE to the egress PE.

3. From the egress PE to the remote peer CE.

Routing information advertisement from the local CE to the ingress PE

After establishing an adjacency with the directly connected PE, a CE advertises its IPv6 VPN routes to the PE over an IPv6 static route, RIPng route, OSPFv3 route, IPv6 IS-IS route, or EBGP route. No matter which routing protocol is used, the CE always advertises standard IPv6 routes to the PE.

Routing information advertisement from the ingress PE to the egress PE

After learning the IPv6 VPN routes from the CE, the ingress PE adds RDs and route targets for these standard IPv6 routes to create VPN-IPv6 routes, saves them to the routing table of the VPN instance created for the CE, and then triggers MPLS to assign VPN labels for them.

Then, the ingress PE advertises the VPN-IPv6 routes to the egress PE through MP-BGP.

The egress PE compares the export target attributes of the VPN-IPv6 routes with the import target attributes that it maintains for the VPN instance and, if they are the same, adds the routes to the routing table of the VPN instance.

The PEs use an IGP to ensure the connectivity between them.

Routing information advertisement from the egress PE to the remote CE

The egress PE restores the original IPv6 routes and advertises them to the remote CE over an IPv6 static route, RIPng route, OSPFv3 route, IPv6 IS-IS route, or EBGP route.

IPv6 MPLS L3VPN network schemes and functions

IPv6 MPLS L3VPN supports the following network schemes and functions:

· Basic VPN

· Inter-AS VPN option A

· Inter-AS VPN option C

· Carrier's carrier

· Multi-VPN-instance CE

IPv6 MPLS L3VPN configuration task list

By configuring basic IPv6 MPLS L3VPN, you can construct a simple IPv6 VPN network over an MPLS backbone.

To deploy special IPv6 MPLS L3VPN networks, such as inter-AS VPN, you must also perform specific configurations in addition to the basic IPv6 MPLS L3VPN configuration. For details, see the related sections.

Tasks at a glance
Configuring basic IPv6 MPLS L3VPN
Configuring inter-AS IPv6 VPN
Configuring routing on an MCE

Configuring basic IPv6 MPLS L3VPN

The key task in IPv6 MPLS L3VPN configuration is to manage the advertisement of IPv6 VPN routes on the MPLS backbone, including management of PE-CE route exchange and PE-PE route exchange.

To configure basic IPv6 MPLS L3VPN:

Tasks at a glance
Configuring VPN instances · (Required.) Creating a VPN instance · (Required.) Associating a VPN instance with an interface · (Optional.) Configuring route related attributes for a VPN instance




(Required.) Configuring routing between a PE and a CE
(Required.) Configuring routing between PEs
(Optional.) Configuring BGP VPNv6 route control

Before configuring basic IPv6 MPLS L3VPN, complete the following tasks:

· Configure an IGP on the PEs and Ps to ensure IP connectivity within the MPLS backbone.

· Configure basic MPLS for the MPLS backbone

· Configure MPLS LDP on PEs and Ps to establish LDP LSPs

Configuring VPN instances

By configuring VPN instances on a PE, you isolate not only VPN routes from public network routes, but also routes between VPNs. This feature allows VPN instances to be used in network scenarios besides MPLS L3VPNs.

All VPN instance configurations are performed on PEs or MCEs.

Creating a VPN instance

A VPN instance is associated with a site. It is a collection of the VPN membership and routing rules of its associated site. A VPN instance does not necessarily correspond to one VPN.

To create and configure a VPN instance:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a VPN instance and enter VPN instance view.	ip vpn-instance vpn-instance-name	No VPN instance is created by default.
3. Specify a reserved VLAN for the VPN instance.	reserve-vlan vlan-id	N/A
4. Configure an RD for the VPN instance.	route-distinguisher route-distinguisher	No RD is specified by default.
5. (Optional.) Configure a description for the VPN instance.	description text	No description is configured for a VPN instance by default. The description should contain the VPN instance's related information, such as its relationship with a certain VPN.

Associating a VPN instance with an interface

After creating and configuring a VPN instance, associate the VPN instance with the interface connected to the CE.

To associate a VPN instance with an interface:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Associate a VPN instance with the interface.	ip binding vpn-instance vpn-instance-name	No VPN instance is associated with an interface by default. The ip binding vpn-instance command clears the IP address of the interface. Therefore, be sure to re-configure an IP address for the interface after configuring this command.

Configuring route related attributes for a VPN instance

VPN routes are controlled and advertised on a PE as follows:

· When a VPN route learned from a CE gets redistributed into BGP, BGP associates it with a route target extended community attribute list, which is usually the export target attribute of the VPN instance associated with the CE.

· The VPN instance determines which routes it can accept and redistribute according to the import-extcommunity in the route target.

· The VPN instance determines how to change the route targets attributes for routes to be advertised according to the export-extcommunity in the route target.

To configure route related attributes for a VPN instance:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter VPN instance view or IPv6 VPN view.	· To enter VPN instance view: ip vpn-instance vpn-instance-name · To enter IPv6 VPN view: a. ip vpn-instance vpn-instance-name b. ipv6-family	Configurations made in VPN instance view apply to both IPv4 VPN and IPv6 VPN. IPv6 VPN prefers the configurations in IPv6 VPN view over the configurations in VPN instance view.
3. Configure route targets.	vpn-target vpn-target&<1-8> [ both \| export-extcommunity \| import-extcommunity ]	No route targets are configured by default.
4. Set the maximum number of routes supported.	routing-table limit number { warn-threshold \| simply-alert }	Setting the maximum number of routes for a VPN instance can prevent the PE from storing too many routes.
5. Apply an import routing policy.	import route-policy route-policy	By default, all routes matching the import target attribute are accepted. Make sure the routing policy already exists. Otherwise, the device does not filter receirved routes. For information about routing policies, see Layer 3—IP Routing Configuration Guide.
6. Apply an export routing policy.	export route-policy route-policy	By default, routes to be advertised are not filtered. Make sure the routing policy already exists. Otherwise, the device does not filter routes to be advertised. For information about routing policies, see Layer 3—IP Routing Configuration Guide.
7. Apply a tunnel policy to the VPN instance.	tnl-policy tunnel-policy-name	By default, only one LSP tunnel is selected (no load balancing). The specified tunnel policy must have been created.

Configuring routing between a PE and a CE

You can configure IPv6 static routing, RIPng, OSPFv3, IPv6 IS-IS, or EBGP between a PE and a CE.

Configuring IPv6 static routing between a PE and a CE

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure an IPv6 static route for a VPN instance.

ipv6 route-static vpn-instance s-vpn-instance-name ipv6-address prefix-length { interface-type interface-number [ next-hop-address ] | nexthop-address [ public ] | vpn-instance d-vpn-instance-name nexthop-address } [ permanent ] [ preference preference-value ] [ tag tag-value ] [ description description-text ]

No IPv6 static route is configured for a VPN instance by default.

Perform this configuration on the PE. On the CE, configure a normal IPv6 static route.

For more information about IPv6 static routing, see Layer 3—IP Routing Configuration Guide.

Configuring RIPng between a PE and a CE

A RIPng process belongs to the public network or a single VPN instance. If you create a RIPng process without binding it to a VPN instance, the process belongs to the public network.

For more information about RIPng, see Layer 3—IP Routing Configuration Guide.

To configure RIPng between a PE and a CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a RIPng process for a VPN instance and enter RIPng view.	ripng [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the PE. On the CE, create a normal RIPng process.
3. Return to system view.	quit	N/A
4. Enter interface view.	interface interface-type interface-number	N/A
5. Enable RIPng on the interface.	ripng process-id enable	By default, RIPng is disabled on an interface.

Configuring OSPFv3 between a PE and a CE

An OSPFv3 process belongs to the public network or a single VPN instance. If you create an OSPF process without binding it to a VPN instance, the process belongs to the public network.

For more information about OSPFv3, see Layer 3—IP Routing Configuration Guide.

To configure OSPFv3 between a PE and a CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an OSPFv3 process for a VPN instance and enter OSPFv3 view.	ospfv3 [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the PE. On the CE, create a normal OSPF process. Deleting a VPN instance also deletes all related OSPFv3 processes.
3. Set the router ID.	router-id router-id	N/A
4. Return to system view.	quit	N/A
5. Enter interface view.	interface interface-type interface-number	N/A
6. Enable OSPFv3 on the interface.	ospfv3 process-id area area-id [ instance instance-id ]	By default, OSPFv3 is disabled on an interface. Perform this configuration on the PE.

Configuring IPv6 IS-IS between a PE and a CE

An IPv6 IS-IS process belongs to the public network or a single VPN instance. If you create an IPv6 IS-IS process without binding it to a VPN instance, the process belongs to the public network.

For more information about IPv6 IS-IS, see Layer 3—IP Routing Configuration Guide.

To configure IPv6 IS-IS between a PE and a CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an IPv6 IS-IS process for a VPN instance and enter IS-IS view.	isis [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the PE. On the CE, create a normal IPv6 IS-IS process.
3. Configure a network entity title for the IS-IS process.	network-entity net	No NET is configured by default.
4. Enable IPv6 for the IS-IS process.	ipv6 enable	IPv6 is disabled by default.
5. Return to system view.	quit	N/A
6. Enter interface view.	interface interface-type interface-number	N/A
7. Enable IPv6 for the IS-IS process on the interface.	isis ipv6 enable [ process-id ]	IPv6 is disabled on an interface by default.

Configuring EBGP between a PE and a CE

1. Configure the PE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable BGP and enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN view.	ip vpn-instance vpn-instance-name	N/A
4. Configure the CE as the VPN EBGP peer.	peer { group-name \| ipv6-address } as-number as-number	No BGP peer is configured by default.
5. Create and enter BGP-VPN IPv6 unicast address family view.	ipv6-family [ unicast ]	Configuration commands in BGP-VPN IPv6 unicast address family view are the same as those in BGP IPv6 unicast address family view. For details, see Layer 3—IP Routing Configuration Guide.
6. Enable IPv6 unicast route exchange with the specified peer or peer group.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
7. Redistribute the routes of the local CE.	import-route protocol [ process-id [ med med-value \| route-policy route-policy-name ] * ]	A PE must redistribute the routes of the local CE into its VPN routing table so that it can advertise them to the peer PE.
8. (Optional.) Configure filtering of redistributed routes.	filter-policy { acl6-number \| prefix-list ipv6-prefix-name } export [ protocol process-id ]	By default, BGP does not filter redistributed routes.
9. (Optional.) Configure filtering of received routes.	filter-policy { acl6-number \| prefix-list ipv6-prefix-name } import	By default, the PE does not filter received routes.

2. Configure the CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the PE as an EBGP peer.	peer { group-name \| ipv6-address } as-number as-number	No BGP peer is configured by default.
4. Create and enter BGP IPv6 unicast address family view.	ipv6-family [ unicast ]	N/A
5. Enable IPv6 unicast route exchange with the specified peer or peer group.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
6. (Optional.) Configure route redistribution.	import-route protocol [ process-id [ med med-value \| route-policy route-policy-name ] * ]	A CE must advertise its VPN routes to the connected PE so that the PE can advertise them to the peer CE.

Configuring routing between PEs

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the remote PE as the peer.	peer { group-name \| ipv6-address } as-number as-number	No BGP peer is configured by default.
4. Specify the source interface for route update packets sent to the specified peer.	peer { group-name \| ip-address } connect-interface interface-type interface-number	By default, BGP uses the outbound interface of the best route destined to the BGP peer as the soure interface.
5. Enter BGP-VPNv6 address family view.	ipv6-family vpnv6	N/A
6. Enable BGP-VPNv6 route exchange with the specified peer.	peer { group-name \| ip-address } enable	By default, BGP does not exchange BGP-VPNv6 routes with any peer.

Configuring BGP VPNv6 route control

BGP VPNv6 route control is configured similarly with BGP route control, except that it configured in BGP-VPNv6 address family view. For detailed information about BGP route control, see Layer 3—IP Routing Configuration Guide.

To configure BGP VPNv6 route control:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPNv6 address family view.	ipv6-family vpnv6	N/A
4. Configure filtering of redistributed routes.	filter-policy { acl6-number \| prefix-list ipv6-prefix-name } export [ protocol process-id ]	By default, the PE does not filter redistributed routes.
5. Configure filtering of received routes.	filter-policy { acl6-number \| prefix-list ipv6-prefix-name } import	By default, the PE does not filter received routes.
6. Configure ACL-based route filtering for the specified peer or peer group.	peer { group-name \| ip-address } filter-policy acl6-number { export \| import }	No ACL-based route filtering is configured.
7. Configure IPv6 prefix list-based route filtering for the specified peer or peer group.	peer { group-name \| ip-address } prefix-list ipv6-prefix-name { export \| import }	No IPv6 prefix list-based route filtering is configured.
8. Specify a prefered value for routes received from the peer or peer group.	peer { group-name \| ip-address } preferred-value value	The default preferred value is 0.
9. Configure BGP updates sent to the peer to carry only public AS numbers.	peer { group-name \| ip-address } public-as-only	By default, a BGP update carries both public and private AS numbers.
10. Apply a routing policy to routes advertised to or received from the peer or peer group.	peer { group-name \| ip-address } route-policy route-policy-name { export \| import }	By default, no routing policy is applied for a peer.
11. Enable route target filtering for received BGP-VPNv6 routes.	policy vpn-target	Route target filtering is enabled by default.
12. Configure the local PE as the route reflector and specify the peer as the client.	peer { group-name \| ip-address } reflect-client	No route reflector or client is configured by default.
13. Enable route reflection between clients.	reflect between-clients	Route reflection between clients is enabled by default.
14. Configure a cluster ID for the route reflector.	reflector cluster-id { cluster-id \| ip-address }	By default, an RR uses its own router ID as the cluster ID. If more than one RR exists in a cluster, use this command to configure the same cluster ID for all RRs in the cluster to avoid routing loops.
15. Configure filtering of reflected routes.	rr-filter extended-community-list-number	By default, an RR does not filter reflected routes. Only IBGP routes whose extended community attribute matches the specified community list are reflected. By configuring different filtering policies on RRs, you can implement load balancing among the RRs.

Configuring inter-AS IPv6 VPN

If the MPLS backbone spans multiple ASs, you must configure inter-AS IPv6 VPN.

There are three inter-AS VPN solutions (for more information, see "Configuring MPLS L3VPN"). Currently, IPv6 MPLS L3VPN supports only inter-AS VPN option A and option C.

Before configuring inter-AS IPv6 VPN, complete these tasks:

· Configuring an IGP for the MPLS backbone in each AS to ensure IP connectivity

· Configuring basic MPLS for the MPLS backbone of each AS

· Configuring MPLS LDP for the MPLS backbones so that LDP LSPs can be established

The following sections describe inter-AS IPv6 VPN option A and option C. Select one according to your network scenario.

Configuring inter-AS IPv6 VPN option A

Inter-AS IPv6 VPN option A applies to scenarios where the number of VPNs and that of VPN routes on the PEs are relatively small.

To configure inter-AS IPv6 option A:

· Configure basic IPv6 MPLS L3VPN on each AS.

· Configure VPN instances on both PEs and ASBR PEs. The VPN instances on PEs allow CEs to access the network, and those on ASBR PEs are for access of the peer ASBR PEs.

For more configuration information, see "Configuring MPLS L3VPN."

In the inter-AS IPv6 VPN option A solution, for the same IPv6 VPN, the route targets configured on the PEs must match those configured on the ASBR-PEs in the same AS to make sure VPN routes sent by the PEs (or ASBR-PEs) can be received by the ASBR-PEs (or PEs). Route targets configured on the PEs in different ASs do not have such requirements.

Configuring inter-AS IPv6 VPN option C

To configure inter-AS IPv6 VPN option C, perform proper configurations on PEs and ASBR PEs, and configure routing policies on the ASBR PEs.

Configuring the PEs

Establish an IBGP peer relationship between a PE and an ASBR PE in an AS and an MP-EBGP peer relationship between PEs in different ASs.

The PEs and ASBR PEs in an AS must be able to exchange labeled routes.

To configure a PE for inter-AS IPv6 VPN option C:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the ASBR PE in the same AS as an IBGP peer.	peer { group-name \| ip-address } as-number as-number	No BGP peer is configured by default.
4. Enter BGP IPv4 unicast address family view.	ipv4-family [ unicast ]	N/A
5. Enable the PE to exchange BGP IPv4 unicast routes with the ASBR PE in the same AS.	peer { group-name \| ip-address } enable	By default, the PE does not exchange BGP IPv4 unicast routes with any peer.
6. Enable the PE to exchange labeled routes with the ASBR PE in the same AS.	peer { group-name \| ip-address } label-route-capability	By default, the PE does not advertise labeled routes to any IPv4 peer/peer group.
7. Return to BGP view.	quit	N/A
8. Configure the PE of another AS as the EBGP peer.	peer { group-name \| ip-address } as-number as-number	N/A
9. Enter BGP-VPNv6 address family view.	ipv6-family vpnv6	N/A
10. Enable the PE to exchange BGP VPNv6 routing information with the EBGP peer.	peer ip-address enable	By default, the PE does not exchange labeled routes with any IPv4 peer/peer group.

Configuring the ASBR PEs

In the inter-AS IPv6 VPN option C solution, an inter-AS LSP is needed, and the routes advertised between the PEs and ASBRs must carry MPLS label information. The configuration is the same as that in the Inter-AS IPv4 VPN option C solution. For more information, see "Configuring MPLS L3VPN."

Configuring the routing policy

A routing policy on an ASBR PE does the following:

· Assigns MPLS labels to routes received from the PEs in the same AS before advertising them to the peer ASBR PE.

· Assigns new MPLS labels to the labeled routes to be advertised to the PEs in the same AS.

The configuration is the same as that in the Inter-AS IPv4 VPN option C solution. For more information, see "Configuring MPLS L3VPN."

Configuring routing on an MCE

An MCE implements service isolation through route isolation. MCE routing configuration includes:

· MCE-VPN site routing configuration

· MCE-PE routing configuration

On a PE in an MCE network environment, disable routing loop detection to avoid route loss during route calculation and disable route redistribution between routing protocols to save system resources.

Before you configure routing on an MCE, complete the following tasks:

· On the MCE, configure VPN instances, and bind the VPN instances with the interfaces connected to the VPN sites and those connected to the PE.

· Configure the link layer and network layer protocols on related interfaces to ensure IP connectivity.

Configuring routing between an MCE and a VPN site

You can configure static routing, RIPng, OSPFv3, IPv6 IS-IS, or EBGP between an MCE and a VPN site.

Configuring static routing between an MCE and a VPN site

An MCE can reach a VPN site through an IPv6 static route. IPv6 static routing on a traditional CE is globally effective and thus does not support address overlapping among VPNs. An MCE supports binding an IPv6 static route with an IPv6 VPN instance, so that the IPv6 static routes of different IPv6 VPN instances can be isolated from each other.

To configure IPv6 static routing between an MCE and a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure an IPv6 static route for an IPv6 VPN instance.	ipv6 route-static vpn-instance s-vpn-instance-name ipv6-address prefix-length { interface-type interface-number [ next-hop-address ] \| nexthop-address [ public ] \| vpn-instance d-vpn-instance-name nexthop-address } [ permanent ] [ preference preference-value ] [ tag tag-value ] [ description description-text ]	Use either command as needed. Perform this configuration on the MCE. On a VPN site, configure normal IPv6 static routes.
3. (Optional.) Configure the default preference for IPv6 static routes.	ipv6 route-static default-preference default-preference-value	The default preference for IPv6 static routes is 60.

Configuring RIPng between an MCE and a VPN site

A RIPng process belongs to the public network or a single IPv6 VPN instance. If you create a RIPng process without binding it to an IPv6 VPN instance, the process belongs to the public network. By configuring RIPng process-to-IPv6 VPN instance bindings on a MCE, you allow routes of different VPNs to be exchanged between the MCE and the sites through different RIPng processes, ensuring the separation and security of IPv6 VPN routes.

For more information about RIPng, see Layer 3—IP Routing Configuration Guide.

To configure RIPng between an MCE and a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a RIPng process for a VPN instance and enter RIPng view.	ripng [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the MCE. On a VPN site, configure normal RIPng.
3. Redistribute remote site routes advertised by the PE.	import-route protocol [ process-id ] [ allow-ibgp ] [ cost cost \| route-policy route-policy-name ] *	By default, no routes are redistributed into RIPng.
4. (Optional.) Configure the default cost value for the redistributed routes.	default cost value	The default value is 0.
5. Return to system view.	quit	N/A
6. Enter interface view.	interface interface-type interface-number	N/A
7. Enable RIPng on the interface.	ripng process-id enable	RIPng is disabled by default.

Configuring OSPFv3 between an MCE and a VPN site

An OSPFv3 process belongs to the public network or a single IPv6 VPN instance. If you create an OSPFv3 process without binding it to an IPv6 VPN instance, the process belongs to the public network.

By configuring OSPFv3 process-to-IPv6 VPN instance bindings on a MCE, you allow routes of different IPv6 VPNs to be exchanged between the MCE and the sites through different OSPFv3 processes, ensuring the separation and security of IPv6 VPN routes.

For more information about OSPFv3, see Layer 3—IP Routing Configuration Guide.

To configure OSPFv3 between an MCE and a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an OSPFv3 process for a VPN instance and enter OSPFv3 view.	ospfv3 [ process-id \| vpn-instance vpn-instance-name ] *	Perform this configuration on the MCE. On a VPN site, configure common OSPFv3. Deleting a VPN instance also deletes all related OSPFv3 processes.
3. Set the router ID.	router-id router-id	N/A
4. Redistribute remote site routes advertised by the PE.	import-route protocol [ process-id \| all-processes \| allow-ibgp ] [ cost cost \| route-policy route-policy-name \| type type ] *	By default, no routes are redistributed into OSPFv3.
5. Return to system view.	quit	N/A
6. Enter interface view.	interface interface-type interface-number	N/A
7. Enable OSPFv3 on the interface.	ospfv3 process-id area area-id [ instance instance-id ]	By default, OSPFv3 is disabled on an interface.

Configuring IPv6 IS-IS between an MCE and a VPN site

An IPv6 IS-IS process belongs to the public network or a single IPv6 VPN instance. If you create an IPv6 IS-IS process without binding it to an IPv6 VPN instance, the process belongs to the public network.

By configuring IPv6 IS-IS process-to-IPv6 VPN instance bindings on a MCE, you allow routes of different IPv6 VPNs to be exchanged between the MCE and the sites through different IPv6 IS-IS processes, ensuring the separation and security of IPv6 VPN routes. For more information about IPv6 IS-IS, see Layer 3—IP Routing Configuration Guide.

To configure IPv6 IS-IS between an MCE and a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an IPv6 IS-IS process for a VPN instance and enter IS-IS view.	isis [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the MCE. On a VPN site, configure common IPv6 IS-IS.
3. Configure a network entity title for the IS-IS process.	network-entity net	No NET is configured by default.
4. Enable IPv6 for the IPv6 IS-IS process.	ipv6 enable	IPv6 is disabled by default.
5. (Optional.) Redistribute remote site routes advertised by the PE.	ipv6 import-route protocol [ process-id ] [ allow-ibgp ] [ cost cost \| [ level-1 \| level-1-2 \| level-2 ] \| route-policy route-policy-name \| tag tag ] *	By default, no routes are redistributed to IPv6 IS-IS. If you do not specify the route level in the command, redistributed routes are added to the level-2 routing table.
6. Return to system view.	quit	N/A
7. Enter interface view.	interface interface-type interface-number	N/A
8. Enable the IPv6 IS-IS process on the interface.	isis ipv6 enable [ process-id ]	No IPv6 IS-IS process is enabled by default.

Configuring EBGP between an MCE and a VPN site

To use EBGP between an MCE and IPv6 VPN sites, you must configure a BGP peer for each IPv6 VPN instance on the MCE, and redistribute the IGP routes of each VPN instance on the IPv6 VPN sites. You can also configure filtering of received routes and redistributed routes.

1. Configure the MCE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN view.	ip vpn-instance vpn-instance-name	N/A
4. Specify an IPv6 BGP peer in an AS.	peer { group-name \| ipv6-address } as-number as-number	No BGP peer is configured by default.
5. Enter BGP-VPN IPv6 unicast address family view.	ipv6-family [ unicast ]	N/A
6. Enable BGP to exchange IPv6 unicast routes with the specified peer.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
7. Redistribute remote site routes advertised by the PE.	import-route protocol [ process-id [ med med-value \| route-policy route-policy-name ] * ]	By default, no route redistribution is configured.
8. (Optional.) Configure filtering of redistributed routes.	filter-policy { acl6-number \| prefix-list ipv6-prefix-name } export [ protocol process-id ]	By default, BGP does not filter redistributed routes.
9. (Optional.) Configure filtering of received routes.	filter-policy { acl6-number \| prefix-list ipv6-prefix-name } import	By default, BGP does not filter received routes.

2. Configure a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the MCE as an EBGP peer.	peer { group-name \| ipv6-address } as-number as-number	By default, no BGP peer is configured.
4. Enter BGP IPv6 unicast address family view.	ipv6-family [ unicast ]	N/A
5. Enable BGP to exchange IPv6 unicast routes with the specified peer.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
6. Redistribute the IGP routes of the VPN.	import-route protocol [ process-id [ med med-value \| route-policy route-policy-name ] * ]	By default, no routes are redistributed into BGP. A VPN site must advertise IPv6 VPN network addresses it can reach to the connected MCE.

Configuring routing between an MCE and a PE

MCE-PE routing configuration includes these tasks:

· Bind the MCE-PE interfaces to IPv6 VPN instances

· Perform routing configurations

· Redistribute IPv6 VPN routes into the routing protocol running between the MCE and the PE.

Perform the following configuration tasks on the MCE. Configurations on the PE are similar to those on the PE in common IPv6 MPLS L3VPN networks. For more information, see "Configuring routing between a PE and a CE."

Configuring IPv6 static routing between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure an IPv6 static route for an IPv6 VPN instance.	ipv6 route-static vpn-instance s-vpn-instance-name ipv6-address prefix-length { interface-type interface-number [ next-hop-address ] \| nexthop-address [ public ] \| vpn-instance d-vpn-instance-name nexthop-address } [ permanent ] [ preference preference-value ] [ tag tag-value ] [ description description-text ]	By default, no IPv6 static route is configured.
3. (Optional.) Configure the default preference for IPv6 static routes.	ipv6 route-static default-preference default-preference-value	The default value is 60.

Configuring RIPng between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a RIPng process for an IPv6 VPN instance and enter RIPng view.	ripng [ process-id ] vpn-instance vpn-instance-name	N/A
3. Redistribute VPN routes.	import-route protocol [ process-id ] [ allow-ibgp ] [ cost cost \| route-policy route-policy-name ] *	By default, no routes are redistributed into RIPng.
4. (Optional.) Configure the default cost value for redistributed routes.	default cost value	The default value is 0.
5. Return to system view.	quit	N/A
6. Enter interface view.	interface interface-type interface-number	N/A
7. Enable the RIPng process on the interface.	ripng process-id enable	By default, RIPng is disabled on an interface.

Configuring OSPFv3 between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an OSPFv3 process for an IPv6 VPN instance and enter OSPFv3 view.	ospfv3 [ process-id \| vpn-instance vpn-instance-name ] *	N/A
3. Set the router ID.	router-id router-id	N/A
4. Redistribute VPN routes.	import-route protocol [ process-id \| all-processes \| allow-ibgp ] [ cost cost \| route-policy route-policy-name \| type type ] *	By default, no routes are redistributed into OSPFv3.
5. (Optional.) Configure filtering of redistributed routes.	filter-policy { acl6-number \| ipv6-prefix ipv6-prefix-name } export [ bgp4+ \| direct \| isisv6 process-id \| ospfv3 process-id \| ripng process-id \| static ]	By default, redistributed routes are not filtered.
6. Return to system view.	quit	N/A
7. Enter interface view.	interface interface-type interface-number	N/A
8. Enable the OSPFv3 process on the interface.	ospfv3 process-id area area-id [ instance instance-id ]	By default, OSPFv3 is disabled on an interface.

Configuring IPv6 IS-IS between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an IS-IS process for an IPv6 VPN instance and enter IS-IS view.	isis [ process-id ] vpn-instance vpn-instance-name	N/A
3. Configure a network entity title.	network-entity net	No NET is configured by default.
4. Enable IPv6 for the IS-IS process.	ipv6 enable	IPv6 is disabled by default.
5. (Optional.) Redistribute VPN routes.	ipv6 import-route protocol [ process-id ] [ allow-ibgp ] [ cost cost \| [ level-1 \| level-1-2 \| level-2 ] \| route-policy route-policy-name \| tag tag ] *	By default, IPv6 IS-IS does not redistribute routes from any other routing protocol. If you do not specify the route level in the command, the command redistributes routes to the level-2 routing table.
6. (Optional.) Configure filtering of redistributed routes.	ipv6 filter-policy { acl6-number \| prefix-list prefix-list-name \| route-policy route-policy-name } export [ protocol [ process-id ] ]	By default, IPv6 IS-IS does not filter redistributed routes.
7. Return to system view.	quit	N/A
8. Enter interface view.	interface interface-type interface-number	N/A
9. Enable the IPv6 IS-IS process on the interface.	isis ipv6 enable [ process-id ]	IPv6 IS-IS is disabled on an interface by default.

Configuring EBGP between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN view.	ip vpn-instance vpn-instance-name	N/A
4. Configure the PE as an EBGP peer.	peer { group-name \| ipv6-address } as-number as-number	No BGP peer is configured by default.
5. Enter BGP-VPN IPv6 unicast address family view.	ipv6-family [ unicast ]	N/A
6. Enable BGP to exchange IPv6 unicast routes with the specified peer.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
7. Redistribute VPN routes.	import-route protocol [ process-id [ med med-value \| route-policy route-policy-name ] * ]	By default, no routes are redistributed into BGP.
8. (Optional.) Configure filtering of redistributed routes.	filter-policy { acl6-number \| prefix-list ipv6-prefix-name } export [ protocol process-id ]	By default, BGP does not filter redistributed routes.
9. (Optional.) Configure filtering of received routes.	filter-policy { acl6-number \| prefix-list ipv6-prefix-name } import	By default, BGP does not filter received routes.

Displaying and maintaining IPv6 MPLS L3VPN

You can soft-reset or reset BGP connections to apply new BGP configurations. Soft reset requires that BGP peers have route refresh capability (supporting Route-Refresh messages).

NOTE:

Soft reset of BGP connections updates BGP routing information without breaking BGP neighbor relationships. Reset of BGP connections updates BGP routing information by breaking and then reestablishing BGP neighbor relationships.

Use the following commands in user view to reset or soft reset BGP connections:

Task	Command
Soft reset BGP VPNv6 connections.	refresh bgp { ip-address \| all \| external \| group group-name \| internal } { export \| import } vpnv6
Reset BGP VPNv6 connections.	reset bgp { as-number \| ip-address \| all \| external \| internal \| group group-name } vpnv6

Use the following commands in any view to display IPv6 MPLS L3VPN:

Task	Command
Display the IPv6 routing table for a VPN instance. For more information about this command, see Layer 3—IP Routing Command Reference.	display ipv6 routing-table vpn-instance vpn-instance-name [ verbose ]
Display information about a specified VPN instance or all VPN instances.	display ip vpn-instance [ instance-name vpn-instance-name ]
Display FIB entries that match the specified destination IP address in the specified VPN instance.	display ipv6 fib vpn-instance vpn-instance-name ipv6-address [ prefix-length ]
Display BGP VPNv6 peer group information.	display bgp group vpnv6 [ group-name ]
Display BGP VPNv6 peer information.	display bgp peer vpnv6 [ group-name log-info \| ip-address { log-info \| verbose } \| verbose ]
Display BGP VPNv6 routes.	display bgp routing-table vpnv6 [ route-distinguisher route-distinguishe ] [ network-address prefix-length ]
Display BGP VPNv6 route advertisement information.	display bgp routing-table vpnv6 network-address prefix-length advertise-info
Display BGP VPNv6 routes matching the specified AS PATH list.	display bgp routing-table vpnv6 [ route-distinguisher route-distinguishe ] as-path-acl as-path-acl-number
Display BGP VPNv6 routes matching the specified BGP community list.	display bgp routing-table vpnv6 [ route-distinguisher route-distinguishe ] community-list { { basic-community-list-number \| comm-list-name } [ whole-match ] \| adv-community-list-number }
Display BGP VPNv6 routes advertised to or received from the specified BGP peer.	display bgp routing-table vpnv6 peer ip-address { advertised-routes \| received-routes } [ network-address prefix-length \| statistics ]
Display incoming labels for all BGP VPNv6 routes.	display bgp routing-table vpnv6 inlabel
Display outgoing labels for all BGP VPNv6 routes.	display bgp routing-table vpnv6 outlabel
Display BGP VPNv6 route statistics.	display bgp routing-table vpnv6 statistics

IPv6 MPLS L3VPN configuration examples

Configuring IPv6 MPLS L3VPNs

Network requirements

CE 1 and CE 3 belong to VPN 1. CE 2 and CE 4 belong to VPN 2.

VPN 1 uses route target attributes 111:1. VPN 2 uses route target attributes 222:2. Users of different VPNs cannot access each other.

Run EBGP between CE and PE switches to exchange VPN routing information.

PEs use OSPF to communicate with each other and use MP-IBGP to exchange VPN routing information.

Figure 31 Network diagram

Device	Interface	IP address	Device	Interface	IP address
CE 1	Vlan-int11	2001:1::1/96	P	Loop0	2.2.2.9/32
PE 1	Loop0	1.1.1.9/32		Vlan-int12	172.2.1.1/24
	Vlan-int11	2001:1::2/96		Vlan-int13	172.1.1.2/24
	Vlan-int13	172.1.1.1/24	PE 2	Loop0	3.3.3.9/32
	Vlan-int12	2001:2::2/96		Vlan-int12	172.2.1.2/24
CE 2	Vlan-int12	2001:2::1/96		Vlan-int11	2001:3::2/96
CE 3	Vlan-int11	2001:3::1/96		Vlan-int13	2001:4::2/96
CE 4	Vlan-int13	2001:4::1/96

Configuration procedure

1. Configure OSPF on the MPLS backbone to achieve IP connectivity among the PEs and the P switch:

# Configure PE 1.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 1.1.1.9 32

[PE1-LoopBack0] quit

[PE1] interface vlan-interface 13

[PE1-Vlan-interface13] ip address 172.1.1.1 24

[PE1- Vlan-interface13] quit

[PE1] ospf

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

# Configure the P switch.

<P> system-view

[P] interface loopback 0

[P-LoopBack0] ip address 2.2.2.9 32

[P-LoopBack0] quit

[P] interface vlan-interface 13

[P-Vlan-interface13] ip address 172.1.1.2 24

[P-Vlan-interface13] quit

[P] interface vlan-interface 12

[P-Vlan-interface12] ip address 172.2.1.1 24

[P-Vlan-interface12] quit

[P] ospf

[P-ospf-1] area 0

[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[P-ospf-1-area-0.0.0.0] quit

[P-ospf-1] quit

# Configure PE 2.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 3.3.3.9 32

[PE2-LoopBack0] quit

[PE2] interface vlan-interface 12

[PE2-Vlan-interface12] ip address 172.2.1.2 24

[PE2-Vlan-interface12] quit

[PE2] ospf

[PE2-ospf-1] area 0

[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

[PE1] display ip routing-table

display ip routing-table protocol ospf

Summary Count : 5

OSPF Routing table Status : <Active>

Summary Count : 3

Destination/Mask Proto Pre Cost NextHop Interface

2.2.2.9/32 OSPF 10 1 172.1.1.2 Vlan13

3.3.3.9/32 OSPF 10 2 172.1.1.2 Vlan13

172.2.1.0/24 OSPF 10 2 172.1.1.2 Vlan13

OSPF Routing table Status : <Inactive>

Summary Count : 2

Destination/Mask Proto Pre Cost NextHop Interface

1.1.1.9/32 OSPF 10 0 1.1.1.9 Loop0

172.1.1.0/24 OSPF 10 1 172.1.1.1 Vlan13

[PE1] display ospf peer verbose

OSPF Process 1 with Router ID 1.1.1.9

Neighbors

Area 0.0.0.0 interface 172.1.1.1(Vlan-interface13)'s neighbors

Router ID: 2.2.2.9 Address: 172.1.1.2 GR State: Normal

State: Full Mode: Nbr is Master Priority: 1

DR: 172.1.1.2 BDR: 172.1.1.1 MTU: 0

Options is 0x02 (-|-|-|-|-|-|E|-)

Dead timer due in 39 sec

Neighbor is up for 00:00:29

Authentication Sequence: [ 0 ]

Neighbor state change count: 6

2. Configure basic MPLS and enable MPLS LDP on the MPLS backbone to establish LDP LSPs:

# Configure PE 1.

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] interface vlan-interface 13

[PE1-Vlan-interface13] mpls enable

[PE1-Vlan-interface13] mpls ldp enable

[PE1-Vlan-interface13] quit

# Configure the P switch.

[P] mpls lsr-id 2.2.2.9

[P] mpls ldp

[P-ldp] quit

[P] interface vlan-interface 13

[P-Vlan-interface13] mpls enable

[P-Vlan-interface13] mpls ldp enable

[P-Vlan-interface13] quit

[P] interface vlan-interface 12

[P-Vlan-interface12] mpls enable

[P-Vlan0interface12] mpls ldp enable

[P-Vlan-interface12] quit

# Configure PE 2.

[PE2] mpls lsr-id 3.3.3.9

[PE2] mpls ldp

[PE2-ldp] quit

[PE2] interface vlan-interface 12

[PE2-Vlan-interface12] mpls enable

[PE2-Vlan-interface12] mpls ldp enable

[PE2-Vlan-interface12] quit

[PE1] display mpls ldp peer

Total number of peers: 1

Peer LDP ID State LAM Role GR MD5 KA Sent/Rcvd

2.2.2.9:0 Operational DU Passive Off Off 5/5

[PE1] display mpls ldp lsp

Status codes: * - stale, L - liberal

Statistics:

FECs: 3 Ingress LSPs: 2 Transit LSPs: 2 Egress LSPs: 1

FEC In/Out Label Nexthop OutInterface

1.1.1.9/32 3/-

-/1151(L)

2.2.2.9/32 -/3 172.1.1.2 Vlan-interface13

1151/3 172.1.1.2 Vlan-interface13

3.3.3.9/32 -/1150 172.1.1.2 Vlan-interface13

1150/1150 172.1.1.2 Vlan-interface13

3. Configure VPN instances on the PEs:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 111:1

[PE1-vpn-instance-vpn1] quit

[PE1] ip vpn-instance vpn2

[PE1-vpn-instance-vpn2] route-distinguisher 100:2

[PE1-vpn-instance-vpn2] vpn-target 222:2

[PE1-vpn-instance-vpn2] quit

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] ip binding vpn-instance vpn1

[PE1-Vlan-interface11] ipv6 address 2001:1::2 96

[PE1-Vlan-interface11] quit

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip binding vpn-instance vpn2

[PE1-Vlan-interface12] ipv6 address 2001:2::2 96

[PE1-Vlan-interface12] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 200:1

[PE2-vpn-instance-vpn1] vpn-target 111:1

[PE2-vpn-instance-vpn1] quit

[PE2] ip vpn-instance vpn2

[PE2-vpn-instance-vpn2] route-distinguisher 200:2

[PE2-vpn-instance-vpn2] vpn-target 222:2

[PE2-vpn-instance-vpn2] quit

[PE2] interface vlan-interface 11

[PE2-Vlan-interface11] ip binding vpn-instance vpn1

[PE2-Vlan-interface11] ipv6 address 2001:3::2 96

[PE2-Vlan-interface11] quit

[PE2] interface vlan-interface 13

[PE2-Vlan-interface13] ip binding vpn-instance vpn2

[PE2-Vlan-interface13] ipv6 address 2001:4::2 96

[PE2-Vlan-interface13] quit

# Configure IP addresses for the CEs according to Figure 31. (Details not shown.)

[PE1] display ip vpn-instance

Total VPN-Instances configured : 2

VPN-Instance Name RD Create time

vpn1 100:1 2012/02/13 12:49:08

vpn2 100:2 2012/02/13 12:49:20

[PE1] ping ipv6 -vpn-instance vpn1 2001:1::1

PING6(104=40+8+56 bytes) 2001:1::2 --> 2001:1::1

56 bytes from 2001:1::1, icmp_seq=0 hlim=64 time=9.000 ms

56 bytes from 2001:1::1, icmp_seq=1 hlim=64 time=1.000 ms

56 bytes from 2001:1::1, icmp_seq=2 hlim=64 time=0.000 ms

56 bytes from 2001:1::1, icmp_seq=3 hlim=64 time=0.000 ms

56 bytes from 2001:1::1, icmp_seq=4 hlim=64 time=0.000 ms

--- 2001:1::1 ping6 statistics ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/2.000/9.000/3.521 ms

4. Establish EBGP peer relationships between the PEs and CEs to exchange VPN routes:

# Configure CE 1.

<CE1> system-view

[CE1] bgp 65410

[CE1-bgp] peer 2001:1::2 as-number 100

[CE1-bgp] ipv6-family unicast

[CE1-bgp-ipv6] peer 2001:1::2 enable

[CE1-bgp-ipv6] import-route direct

[CE1-bgp-ipv6] quit

[CE1-bgp] quit

# Configure the other three CEs (CE 2 through CE 4) in a similar way to configuring CE 1. (Details not shown.)

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] peer 2001:1::1 as-number 65410

[PE1-bgp-vpn1] ipv6-family unicast

[PE1-bgp-ipv6-vpn1] peer 2001:1::1 enable

[PE1-bgp-ipv6-vpn1] import-route direct

[PE1-bgp-ipv6-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] ip vpn-instance vpn2

[PE1-bgp-vpn2] peer 2001:2::1 as-number 65420

[PE1-bgp-vpn2] ipv6-family unicast

[PE1-bgp-ipv6-vpn2] peer 2001:2::1 enable

[PE1-bgp-ipv6-vpn2] import-route direct

[PE1-bgp-ipv6-vpn2] quit

[PE1-bgp-vpn2] quit

[PE1-bgp] quit

# Configure PE 2 in a similar way to configuring PE 1. (Details not shown.)

After completing the configurations, execute the display bgp peer ipv6 vpn-instance command on the PEs. The output shows that a BGP peer relationship has been established between a PE and a CE, and has reached Established state.

5. Configure an MP-IBGP peer relationship between the PEs:

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] peer 3.3.3.9 as-number 100

[PE1-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE1-bgp] ipv6-family vpnv6

[PE1-bgp-af-vpnv6] peer 3.3.3.9 enable

[PE1-bgp-af-vpnv6] quit

[PE1-bgp] quit

# Configure PE 2.

[PE2] bgp 100

[PE2-bgp] peer 1.1.1.9 as-number 100

[PE2-bgp] peer 1.1.1.9 connect-interface loopback 0

[PE2-bgp] ipv6-family vpnv6

[PE2-bgp-af-vpnv6] peer 1.1.1.9 enable

[PE2-bgp-af-vpnv6] quit

[PE2-bgp] quit

After completing the configurations, execute the display bgp peer vpnv6 command on the PEs. The output shows a BGP peer relationship has been established between the PEs, and has reached the Established state.

6. Verify the configuration:

# Execute the display ipv6 routing-table vpn-instance command on the PEs. The output shows the routes to the CEs. Take PE 1 as an example:

[PE1] display ipv6 routing-table vpn-instance vpn1

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:1::/96 Protocol : Direct

NextHop : :: Preference: 0

Interface : Vlan11 Cost : 0

Destination: 2001:1::2/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:3::/96 Protocol : BGP4+

NextHop : ::FFFF:3.3.3.9 Preference: 255

Interface : Vlan13 Cost : 0

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

[PE1] display ipv6 routing-table vpn-instance vpn2

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:2::/96 Protocol : Direct

NextHop : :: Preference: 0

Interface : Vlan12 Cost : 0

Destination: 2001:2::2/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:4::/96 Protocol : BGP4+

NextHop : ::FFFF:3.3.3.9 Preference: 255

Interface : Vlan13 Cost : 0

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

# CEs of the same VPN can ping each other, and CEs of different VPNs cannot ping each other. For example, CE 1 can ping CE 3 (2001:3::1), but cannot ping CE 4 (2001:4::1):

Configuring IPv6 MPLS L3VPN inter-AS option A

Network requirements

CE 1 and CE 2 belong to the same VPN. CE 1 accesses the network through PE 1 in AS 100 and CE 2 accesses the network through PE 2 in AS 200.

Configure IPv6 MPLS L3VPN inter-AS option A, and use VRF-to-VRF method to manage VPN routes.

Run OSPF on the MPLS backbone of each AS.

Figure 32 Network diagram

Device	Interface	IP address	Device	Interface	IP address
CE 1	Vlan-int12	2001:1::1/96	CE 2	Vlan-int12	2001:2::1/96
PE 1	Loop0	1.1.1.9/32	PE 2	Loop0	4.4.4.9/32
	Vlan-int12	2001:1::2/96		Vlan-int12	2001:2::2/96
	Vlan-int11	172.1.1.2/24		Vlan-int11	162.1.1.2/24
ASBR-PE 1	Loop0	2.2.2.9/32	ASBR-PE 2	Loop0	3.3.3.9/32
	Vlan-int11	172.1.1.1/24		Vlan-int11	162.1.1.1/24
	Vlan-int12	2002:1::1/96		Vlan-int12	2002:1::2/96

Configuration procedure

1. Configure an IGP on each MPLS backbone to ensure IP connectivity within the backbone:

This example uses OSPF. (Details not shown.)

After the configurations, each ASBR PE and the PE in the same AS can establish OSPF adjacencies. Execute the display ospf peer command. The output shows that the adjacencies are in Full state, and that PE and ASBR PE routers in the same AS can learn the routes to the loopback interfaces of each other.

Each ASBR PE and the PE in the same AS can ping each other.

2. Configure basic MPLS and enable MPLS LDP on each MPLS backbone to establish LDP LSPs:

# Configure basic MPLS on PE 1 and enable MPLS LDP for the interface connected to ASBR-PE 1.

<PE1> system-view

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] mpls enable

[PE1-Vlan-interface11] mpls ldp enable

[PE1-Vlan-interface11] quit

# Configure basic MPLS on ASBR-PE 1 and enable MPLS LDP for the interface connected to PE 1.

<ASBR-PE1> system-view

[ASBR-PE1] mpls lsr-id 2.2.2.9

[ASBR-PE1] mpls ldp

[ASBR-PE1-ldp] quit

[ASBR-PE1] interface vlan-interface 11

[ASBR-PE1-Vlan-interface11] mpls enable

[ASBR-PE1-Vlan-interface11] mpls ldp enable

[ASBR-PE1-Vlan-interface11] quit

# Configure basic MPLS on ASBR-PE 2 and enable MPLS LDP for the interface connected to PE 2.

<ASBR-PE2> system-view

[ASBR-PE2] mpls lsr-id 3.3.3.9

[ASBR-PE2] mpls ldp

[ASBR-PE2-ldp] quit

[ASBR-PE2] interface vlan-interface 11

[ASBR-PE2-Vlan-interface11] mpls enable

[ASBR-PE2-Vlan-interface11] mpls ldp enable

[ASBR-PE2-Vlan-interface11] quit

# Configure basic MPLS on PE 2 and enable MPLS LDP for the interface connected to ASBR-PE 2.

<PE2> system-view

[PE2] mpls lsr-id 4.4.4.9

[PE2] mpls ldp

[PE2-ldp] quit

[PE2] interface vlan-interface 11

[PE2-Vlan-interface11] mpls enable

[PE2-Vlan-interface11] mpls ldp enable

[PE2-Vlan-interface11] quit

After the configurations, each PE and the ASBR PE in the same AS can establish an LDP neighbor relationship. Execute the display mpls ldp peer command on the switches. The output shows that the session status is Operational.

3. Configure a VPN instance on the PEs:

For the same VPN, the route targets for the VPN instance on the PE must match those for the VPN instance of the ASBR-PE in the same AS. This is not required for PEs in different ASs.

# Configure CE 1.

<CE1> system-view

[CE1] interface vlan-interface 12

[CE1-Vlan-interface12] ipv6 address 2001:1::1 96

[CE1-Vlan-interface12] quit

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 100:1 both

[PE1-vpn-instance-vpn1] quit

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip binding vpn-instance vpn1

[PE1-Vlan-interface12] ipv6 address 2001:1::2 96

[PE1-Vlan-interface12] quit

# Configure CE 2.

<CE2> system-view

[CE2] interface vlan-interface 12

[CE2-Vlan-interface12] ipv6 address 2001:2::1 96

[CE2-Vlan-interface12] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance] route-distinguisher 200:2

[PE2-vpn-instance] vpn-target 100:1 both

[PE2-vpn-instance] quit

[PE2] interface vlan-interface 12

[PE2-Vlan-interface12] ip binding vpn-instance vpn1

[PE2-Vlan-interface12] ipv6 address 2001:2::2 96

[PE2-Vlan-interface12] quit

# Configure ASBR-PE 1, creating a VPN instance and binding the VPN instance to the interface connected to ASBR-PE 2 (ASBR-PE 1 considers ASBR-PE 2 its attached CE).

[ASBR-PE1] ip vpn-instance vpn1

[ASBR-PE1-vpn-instance-vpn1] route-distinguisher 100:1

[ASBR-PE1-vpn-instance-vpn1] vpn-target 100:1 both

[ASBR-PE1-vpn-instance-vpn1] quit

[ASBR-PE1] interface vlan-interface 12

[ASBR-PE1-Vlan-interface12] ip binding vpn-instance vpn1

[ASBR-PE1-Vlan-interface12] ipv6 address 2002:1::1 96

[ASBR-PE1-Vlan-interface12] quit

# Configure ASBR-PE 2, creating a VPN instance and binding the VPN instance to the interface connected to ASBR-PE 1 (ASBR-PE 2 considers ASBR-PE 1 its attached CE).

[ASBR-PE2] ip vpn-instance vpn1

[ASBR-PE2-vpn-vpn-vpn1] route-distinguisher 200:1

[ASBR-PE2-vpn-vpn-vpn1] vpn-target 100:1 both

[ASBR-PE2-vpn-vpn-vpn1] quit

[ASBR-PE2] interface vlan-interface 12

[ASBR-PE2-Vlan-interface12] ip binding vpn-instance vpn1

[ASBR-PE2-Vlan-interface12] ipv6 address 2002:1::2 96

[ASBR-PE2-Vlan-interface12] quit

After completing the configurations, you can view the VPN instance configurations by issuing the display ip vpn-instance command.

Each PE can ping its attached CE, and ASBR-PE 1 and ASBR-PE 2 can ping each other.

4. Establish an EBGP peer relationship between PE and CE switches and redistribute VPN routes:

# Configure CE 1.

[CE1] bgp 65001

[CE1-bgp] peer 2001:1::2 as-number 100

[CE1-bgp] ipv6-family unicast

[CE1-bgp-ipv6] peer 2001:1::2 enable

[CE1-bgp-ipv6] import-route direct

[CE1-bgp-ipv6] quit

[CE1-bgp] quit

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] peer 2001:1::1 as-number 65001

[PE1-bgp-vpn1] ipv6-family unicast

[PE1-bgp-ipv6-vpn1] peer 2001:1::1 enable

[PE1-bgp-ipv6-vpn1] import-route direct

[PE1-bgp-ipv6-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Configure CE 2.

[CE2] bgp 65002

[CE2-bgp] peer 2001:2::2 as-number 200

[CE2-bgp] ipv6-family

[CE2-bgp-ipv6] peer 2001:2::2 enable

[CE2-bgp-ipv6] import-route direct

[CE2-bgp-ipv6] quit

[CE2-bgp] quit

# Configure PE 2.

[PE2] bgp 200

[PE2-bgp] ip vpn-instance vpn1

[PE2-bgp-vpn1] peer 2001:2::1 as-number 65002

[PE2-bgp-vpn1] ipv6-family unicast

[PE2-bgp-ipv6-vpn1] peer 2001:2::1 enable

[PE2-bgp-ipv6-vpn1] import-route direct

[PE2-bgp-ipv6-vpn1] quit

[PE2-bgp-vpn1] quit

[PE2-bgp] quit

5. Establish an IBGP peer relationship between each PE and the ASBR-PE in the same AS and an EBGP peer relationship between the ASBR PEs:

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] peer 2.2.2.9 as-number 100

[PE1-bgp] peer 2.2.2.9 connect-interface loopback 0

[PE1-bgp] ipv6-family vpnv6

[PE1-bgp-vpnv6] peer 2.2.2.9 enable

[PE1-bgp-vpnv6] quit

[PE1-bgp] quit

# Configure ASBR-PE 1.

[ASBR-PE1] bgp 100

[ASBR-PE1-bgp] ip vpn-instance vpn1

[ASBR-PE1-bgp-vpn1] peer 2002:1::2 as-number 200

[ASBR-PE1-bgp-vpn1] ipv6-family unicast

[ASBR-PE1-bgp-ipv6-vpn1] peer 2002:1::2 enable

[ASBR-PE1-bgp-ipv6-vpn1] quit

[ASBR-PE1-bgp-vpn1] quit

[ASBR-PE1-bgp] peer 1.1.1.9 as-number 100

[ASBR-PE1-bgp] peer 1.1.1.9 connect-interface loopback 0

[ASBR-PE1-bgp] ipv6-family vpnv6

[ASBR-PE1-bgp-vpnv6] peer 1.1.1.9 enable

[ASBR-PE1-bgp-vpnv6] quit

[ASBR-PE1-bgp] quit

# Configure ASBR-PE 2.

[ASBR-PE2] bgp 200

[ASBR-PE2-bgp] ip vpn-instance vpn1

[ASBR-PE2-bgp-vpn1] peer 2002:1::1 as-number 100

[ASBR-PE2-bgp-vpn1] ipv6-family unicast

[ASBR-PE2-bgp-ipv6-vpn1] peer 2002:1::1 enable

[ASBR-PE2-bgp-ipv6-vpn1] quit

[ASBR-PE2-bgp-vpn1] quit

[ASBR-PE2-bgp] peer 4.4.4.9 as-number 200

[ASBR-PE2-bgp] peer 4.4.4.9 connect-interface loopback 0

[ASBR-PE2-bgp] ipv6-family vpnv6

[ASBR-PE2-bgp-vpnv6] peer 4.4.4.9 enable

[ASBR-PE2-bgp-vpnv6] quit

[ASBR-PE2-bgp] quit

# Configure PE 2.

[PE2] bgp 200

[PE2-bgp] peer 3.3.3.9 as-number 200

[PE2-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE2-bgp] ipv6-family vpnv6

[PE2-bgp-vpnv6] peer 3.3.3.9 enable

[PE2-bgp-vpnv6] quit

[PE2-bgp] quit

6. Verify the configuration:

After the configurations, the CEs can learn the route to each other and can ping each other.

Configuring IPv6 MPLS L3VPN inter-AS option C

Network requirements

Site 1 and Site 2 belong to the same VPN. Site 1 accesses the network through PE 1 in AS 100 and Site 2 accesses the network through PE 2 in AS 600. PEs in the same AS run IS-IS.

PE 1 and ASBR-PE 1 exchange labeled IPv4 routes by MP-IBGP. PE 2 and ASBR-PE 2 exchange labeled IPv4 routes by MP-IBGP. PE 1 and PE 2 use MP-EBGP to exchange VPNv6 routes.

ASBR-PE 1 and ASBR-PE 2 use their respective routing policies and label the routes received from each other.

ASBR-PE 1 and ASBR-PE 2 use MP-EBGP to exchange labeled IPv4 routes.

Figure 33 Network diagram

Device	Interface	IP address	Device	Interface	IP address
PE 1	Loop0	2.2.2.9/32	PE 2	Loop0	5.5.5.9/32
	Loop1	2001:1::1/128		Loop1	2001:1::2/128
	Vlan-int11	1.1.1.2/8		Vlan-int11	9.1.1.2/8
ASBR-PE 1	Loop0	3.3.3.9/32	ASBR-PE 2	Loop0	4.4.4.9/32
	Vlan-int11	1.1.1.1/8		Vlan-int11	9.1.1.1/8
	Vlan-int12	11.0.0.2/8		Vlan-int12	11.0.0.1/8

Configuration procedure

1. Configure PE 1:

# Run IS-IS on PE 1.

<PE1> system-view

[PE1] isis 1

[PE1-isis-1] network-entity 10.111.111.111.111.00

[PE1-isis-1] quit

# Configure an LSR ID, and enable MPLS and LDP.

[PE1] mpls lsr-id 2.2.2.9

[PE1] mpls ldp

[PE1-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] ip address 1.1.1.2 255.0.0.0

[PE1-Vlan-interface11] isis enable 1

[PE1-Vlan-interface11] mpls enable

[PE1-Vlan-interface11] mpls ldp enable

[PE1-Vlan-interface11] quit

# Configure interface Loopback 0 and start IS-IS on it.

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 2.2.2.9 32

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

# Create VPN instance vpn1 and configure the RD and route target attributes for it.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 11:11

[PE1-vpn-instance-vpn1] vpn-target 3:3 import-extcommunity

[PE1-vpn-instance-vpn1] vpn-target 3:3 export-extcommunity

[PE1-vpn-instance-vpn1] quit

# Configure interface Loopback 1 and bind the interface to VPN instance vpn1.

[PE1] interface loopback 1

[PE1-LoopBack1] ip binding vpn-instance vpn1

[PE1-LoopBack1] ipv6 address 2001:1::1 128

[PE1-LoopBack1] quit

# Start BGP.

[PE1] bgp 100

# Enable the capability to advertise labeled routes to and receive labeled routes from the IBGP peer 3.3.3.9.

[PE1-bgp] peer 3.3.3.9 as-number 100

[PE1-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE1-bgp] ipv4-family unicast

[PE1-bgp-ipv4] peer 3.3.3.9 enable

[PE1-bgp-ipv4] peer 3.3.3.9 label-route-capability

[PE1-bgp-ipv4] quit

# Configure the maximum hop count from PE 1 to EBGP peer 5.5.5.9 as 10.

[PE1-bgp] peer 5.5.5.9 as-number 600

[PE1-bgp] peer 5.5.5.9 connect-interface loopback 0

[PE1-bgp] peer 5.5.5.9 ebgp-max-hop 10

# Configure peer 5.5.5.9 as a VPNv6 peer.

[PE1-bgp] ipv6-family vpnv6

[PE1-bgp-vpnv6] peer 5.5.5.9 enable

[PE1-bgp-vpnv6] quit

# Redistribute direct routes to the routing table of vpn1.

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] ipv6-family unicast

[PE1-bgp-ipv6-vpn1] import-route direct

[PE1-bgp-ipv6-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

2. Configure ASBR-PE 1:

# Start IS-IS on ASBR-PE 1.

<ASBR-PE1> system-view

[ASBR-PE1] isis 1

[ASBR-PE1-isis-1] network-entity 10.222.222.222.222.00

[ASBR-PE1-isis-1] quit

# Configure an LSR ID, and enable MPLS and LDP.

[ASBR-PE1] mpls lsr-id 3.3.3.9

[ASBR-PE1] mpls ldp

[ASBR-PE1-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[ASBR-PE1] interface vlan-interface 11

[ASBR-PE1-Vlan-interface11] ip address 1.1.1.1 255.0.0.0

[ASBR-PE1-Vlan-interface11] isis enable 1

[ASBR-PE1-Vlan-interface11] mpls enable

[ASBR-PE1-Vlan-interface11] mpls ldp enable

[ASBR-PE1-Vlan-interface11] quit

# Configure interface VLAN-interface 12 and enable MPLS on it.

[ASBR-PE1] interface vlan-interface 12

[ASBR-PE1-Vlan-interface12] ip address 11.0.0.2 255.0.0.0

[ASBR-PE1-Vlan-interface12] mpls enable

[ASBR-PE1-Vlan-interface12] quit

# Configure interface Loopback 0 and start IS-IS on it.

[ASBR-PE1] interface loopback 0

[ASBR-PE1-LoopBack0] ip address 3.3.3.9 32

[ASBR-PE1-LoopBack0] isis enable 1

[ASBR-PE1-LoopBack0] quit

# Create routing policies.

[ASBR-PE1] route-policy policy1 permit node 1

[ASBR-PE1-route-policy-policy1-1] apply mpls-label

[ASBR-PE1-route-policy-policy1-1] quit

[ASBR-PE1] route-policy policy2 permit node 1

[ASBR-PE1-route-policy-policy2-1] if-match mpls-label

[ASBR-PE1-route-policy-policy2-1] apply mpls-label

[ASBR-PE1-route-policy-policy2-1] quit

# Start BGP on ASBR-PE 1 and apply routing policy policy2 to routes advertised to IBGP peer 2.2.2.9

[ASBR-PE1] bgp 100

[ASBR-PE1-bgp] peer 2.2.2.9 as-number 100

[ASBR-PE1-bgp] peer 2.2.2.9 connect-interface loopback 0

[ASBR-PE1-bgp] ipv4-family unicast

[ASBR-PE1-bgp-ipv4] peer 2.2.2.9 enable

[ASBR-PE1-bgp-ipv4] peer 2.2.2.9 route-policy policy2 export

# Enable the capability to advertise labeled routes to and receive labeled routes from IBGP peer 2.2.2.9.

[ASBR-PE1-bgp-ipv4] peer 2.2.2.9 label-route-capability

# Redistribute routes from IS-IS process 1.

[ASBR-PE1-bgp-ipv4] import-route isis 1

[ASBR-PE1-bgp-ipv4] quit

# Apply routing policy policy1 to routes advertised to EBGP peer 11.0.0.1.

[ASBR-PE1-bgp] peer 11.0.0.1 as-number 600

[ASBR-PE1-bgp] ipv4-family unicast

[ASBR-PE1-bgp-ipv4] peer 11.0.0.1 enable

[ASBR-PE1-bgp-ipv4] peer 11.0.0.1 route-policy policy1 export

# Enable the capability to advertise labeled routes to and receive labeled routes from EBGP peer 11.0.0.1.

[ASBR-PE1-bgp-ipv4] peer 11.0.0.1 label-route-capability

[ASBR-PE1-bgp-ipv4] quit

[ASBR-PE1-bgp] quit

3. Configure ASBR-PE 2:

# Start IS-IS on ASBR-PE 2.

<ASBR-PE2> system-view

[ASBR-PE2] isis 1

[ASBR-PE2-isis-1] network-entity 10.333.333.333.333.00

[ASBR-PE2-isis-1] quit

# Configure an LSR ID, enable MPLS and LDP.

[ASBR-PE2] mpls lsr-id 4.4.4.9

[ASBR-PE2] mpls ldp

[ASBR-PE2-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[ASBR-PE2] interface vlan-interface 11

[ASBR-PE2-Vlan-interface11] ip address 9.1.1.1 255.0.0.0

[ASBR-PE2-Vlan-interface11] isis enable 1

[ASBR-PE2-Vlan-interface11] mpls enable

[ASBR-PE2-Vlan-interface11] mpls ldp enable

[ASBR-PE2-Vlan-interface11] quit

# Configure interface Loopback 0 and start IS-IS on it.

[ASBR-PE2] interface loopback 0

[ASBR-PE2-LoopBack0] ip address 4.4.4.9 32

[ASBR-PE2-LoopBack0] isis enable 1

[ASBR-PE2-LoopBack0] quit

# Configure interface VLAN-interface 12 and enable MPLS on it.

[ASBR-PE2] interface vlan-interface 12

[ASBR-PE2-Vlan-interface12] ip address 11.0.0.1 255.0.0.0

[ASBR-PE2-Vlan-interface12] mpls enable

[ASBR-PE2-Vlan-interface12] quit

# Create routing policies.

[ASBR-PE2] route-policy policy1 permit node 1

[ASBR-PE2-route-policy-policy1-1] apply mpls-label

[ASBR-PE2-route-policy-policy1-1] quit

[ASBR-PE2] route-policy policy2 permit node 1

[ASBR-PE2-route-policy-policy2-1] if-match mpls-label

[ASBR-PE2-route-policy-policy2-1] apply mpls-label

[ASBR-PE2-route-policy-policy2-1] quit

# Start BGP on ASBR-PE 2 and enable the capability to advertise labeled routes to and receive labeled routes from IBGP peer 5.5.5.9.

[ASBR-PE2] bgp 600

[ASBR-PE2-bgp] peer 5.5.5.9 as-number 600

[ASBR-PE2-bgp] peer 5.5.5.9 connect-interface loopback 0

[ASBR-PE2-bgp] ipv4-family unicast

[ASBR-PE2-bgp-ipv4] peer 5.5.5.9 enable

[ASBR-PE2-bgp-ipv4] peer 5.5.5.9 label-route-capability

# Apply routing policy policy2 to routes advertised to IBGP peer 5.5.5.9.

[ASBR-PE2-bgp-ipv4] peer 5.5.5.9 route-policy policy2 export

# Redistribute routes from IS-IS process 1

[ASBR-PE2-bgp-ipv4] import-route isis 1

[ASBR-PE2-bgp-ipv4] quit

# Apply routing policy policy1 to routes advertised to EBGP peer 11.0.0.2.

[ASBR-PE2-bgp] peer 11.0.0.2 as-number 100

[ASBR-PE2-bgp] ipv4-family unicast

[ASBR-PE2-bgp-ipv4] peer 11.0.0.2 enable

[ASBR-PE2-bgp-ipv4] peer 11.0.0.2 route-policy policy1 export

# Enable the capability to advertise labeled routes to and receive labeled routes from EBGP peer 11.0.0.2.

[ASBR-PE2-bgp-ipv4] peer 11.0.0.2 label-route-capability

[ASBR-PE2-bgp-ipv4] quit

[ASBR-PE2-bgp] quit

4. Configure PE 2:

# Start IS-IS on PE 2.

<PE2> system-view

[PE2] isis 1

[PE2-isis-1] network-entity 10.444.444.444.444.00

[PE2-isis-1] quit

# Configure an LSR ID, and enable MPLS and LDP.

[PE2] mpls lsr-id 5.5.5.9

[PE2] mpls ldp

[PE2-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[PE2] interface vlan-interface 11

[PE2-Vlan-interface11] ip address 9.1.1.2 255.0.0.0

[PE2-Vlan-interface11] isis enable 1

[PE2-Vlan-interface11] mpls enable

[PE2-Vlan-interface11] mpls ldp enable

[PE2-Vlan-interface11] quit

# Configure interface Loopback 0 and start IS-IS on it.

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 5.5.5.9 32

[PE2-LoopBack0] isis enable 1

[PE2-LoopBack0] quit

# Create VPN instance vpn1 and configure the RD and route target attributes for it.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 11:11

[PE2-vpn-instance-vpn1] vpn-target 3:3 import-extcommunity

[PE2-vpn-instance-vpn1] vpn-target 3:3 export-extcommunity

[PE2-vpn-instance-vpn1] quit

# Configure interface Loopback 1 and bind the interface to VPN instance vpn1.

[PE2] interface loopback 1

[PE2-LoopBack1] ip binding vpn-instance vpn1

[PE2-LoopBack1] ipv6 address 2001:1::2 128

[PE2-LoopBack1] quit

# Start BGP on PE 2.

[PE2] bgp 600

# Configure the capability to advertise labeled routes to IBGP peer 4.4.4.9 and to receive labeled routes from the peer.

[PE2-bgp] peer 4.4.4.9 as-number 600

[PE2-bgp] peer 4.4.4.9 connect-interface loopback 0

[PE2-bgp] ipv4-family unicast

[PE2-bgp-ipv4] peer 4.4.4.9 enable

[PE2-bgp-ipv4] peer 4.4.4.9 label-route-capability

[PE2-bgp-ipv4] quit

# Configure the maximum hop count from PE 2 to EBGP peer 2.2.2.9 as 10.

[PE2-bgp] peer 2.2.2.9 as-number 100

[PE2-bgp] peer 2.2.2.9 connect-interface loopback 0

[PE2-bgp] peer 2.2.2.9 ebgp-max-hop 10

# Configure peer 2.2.2.9 as a VPNv6 peer.

[PE2-bgp] ipv6-family vpnv6

[PE2-bgp-vpnv6] peer 2.2.2.9 enable

[PE2-bgp-vpnv6] quit

# Redistribute direct routes to the routing table of vpn1.

[PE2-bgp] ip vpn-instance vpn1

[PE2-bgp-vpn1] ipv6-family unicast

[PE2-bgp-ipv6-vpn1] import-route direct

[PE2-bgp-ipv6-vpn1] quit

[PE2-bgp-vpn1] quit

[PE2-bgp] quit

5. Verify the configuration:

# PE 1 and PE 2 can ping each other. Take PE 1 as an example.

[PE1] ping ipv6 -a 2001:1::1 -vpn-instance vpn1 2001:1::2

PING6(104=40+8+56 bytes) 2001:1::1 --> 2001:1::2

56 bytes from 2001:1::2, icmp_seq=0 hlim=64 time=1.000 ms

56 bytes from 2001:1::2, icmp_seq=1 hlim=64 time=0.000 ms

56 bytes from 2001:1::2, icmp_seq=2 hlim=64 time=0.000 ms

56 bytes from 2001:1::2, icmp_seq=3 hlim=64 time=0.000 ms

56 bytes from 2001:1::2, icmp_seq=4 hlim=64 time=0.000 ms

--- 2001:1::2 ping6 statistics ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms

Configuring IPv6 MPLS L3VPN carrier's carrier

Network requirements

Configure carrier's carrier for the scenario shown in Figure 34. In this scenario:

· PE 1 and PE 2 are the provider carrier's PE switches. They provide VPN services for the customer carrier.

· CE 1 and CE 2 are the customer carrier's switches. They connect to the provider carrier's backbone as CE switches.

· PE 3 and PE 4 are the customer carrier's PE switches. They provide IPv6 MPLS L3VPN services for end customers.

· CE 3 and CE 4 are customers of the customer carrier.

The key to the carrier's carrier deployment is to configure exchange of two kinds of routes:

· Exchange of the customer carrier's internal routes on the provider carrier's backbone.

· Exchange of the end customers' internal routes between PE 3 and PE 4, the PEs of the customer carrier. An MP-IBGP peer relationship must be established between PE 3 and PE 4.

Figure 34 Network diagram

Device	Interface	IP address	Device	Interface	IP address
CE 3	Vlan-int11	2001:1::1/96	CE 4	Vlan-int11	2001:2::1/96
PE 3	Loop0	1.1.1.9/32	PE 4	Loop0	6.6.6.9/32
	Vlan-int11	2001:1::2/96		Vlan-int11	2001:2::2/96
	Vlan-int12	10.1.1.1/24		Vlan-int12	20.1.1.2/24
CE 1	Loop0	2.2.2.9/32	CE 2	Loop0	5.5.5.9/32
	Vlan-int12	10.1.1.2/24		Vlan-int11	21.1.1.2/24
	Vlan-int11	11.1.1.1/24		Vlan-int12	20.1.1.1/24
PE 1	Loop0	3.3.3.9/32	PE 2	Loop0	4.4.4.9/32
	Vlan-int11	11.1.1.2/24		Vlan-int12	30.1.1.2/24
	Vlan-int12	30.1.1.1/24		Vlan-int11	21.1.1.1/24

Configuration procedure

1. Configure MPLS L3VPN on the provider carrier backbone—start IS-IS as the IGP, enable LDP on PE 1 and PE 2, and establish an MP-IBGP peer relationship between the PEs:

# Configure PE 1.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 3.3.3.9 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 3.3.3.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] isis 1

[PE1-isis-1] network-entity 10.0000.0000.0000.0004.00

[PE1-isis-1] quit

[PE1] interface loopback 0

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip address 30.1.1.1 24

[PE1-Vlan-interface12] isis enable 1

[PE1-Vlan-interface12] mpls enable

[PE1-Vlan-interface12] mpls ldp enable

[PE1-Vlan-interface12] mpls ldp transport-address interface

[PE1-Vlan-interface12] quit

[PE1] bgp 100

[PE1-bgp] peer 4.4.4.9 as-number 100

[PE1-bgp] peer 4.4.4.9 connect-interface loopback 0

[PE1-bgp] ipv4-family vpnv4

[PE1-bgp-vpnv4] peer 4.4.4.9 enable

[PE1-bgp-vpnv4] quit

[PE1-bgp] quit

# Configure PE 2 in a similar way to configuring PE 1. (Details not shown.)

After you complete the configurations, execute the display mpls ldp peer command on PE 1 or PE 2, and you can see that the LDP session has been established. Execute the display bgp peer vpnv4 command and you can see that a BGP peer relationship has been established and has reached Established state. Execute the display isis peer command and you can see that an IS-IS neighbor relationship has been set up. Take PE 1 as an example:

[PE1] display mpls ldp peer

Total number of peers: 1

Peer LDP ID State LAM Role GR MD5 KA Sent/Rcvd

4.4.4.9:0 Operational DU Active Off Off 8/8

[PE1] display bgp peer

BGP local router ID: 3.3.3.9

Local AS number: 100

Total number of peers: 1 Peers in established state: 1

Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State

4.4.4.9 100 3 6 0 0 00:00:32 Established

[PE1] display isis peer

Peer information for ISIS(1)

----------------------------

System Id: 0000.0000.0005

Interface: Vlan-interface12 Circuit Id: 0000.0000.0005.02

State: Up HoldTime: 8s Type: L1(L1L2) PRI: 64

System Id: 0000.0000.0005

Interface: Vlan-interface12 Circuit Id: 0000.0000.0005.02

State: Up HoldTime: 8s Type: L2(L1L2) PRI: 64

2. Configure the customer carrier network—start IS-IS as the IGP, and enable LDP between PE 3 and CE 1, and between PE 4 and CE 2:

# Configure PE 3.

<PE3> system-view

[PE3] interface loopback 0

[PE3-LoopBack0] ip address 1.1.1.9 32

[PE3-LoopBack0] quit

[PE3] mpls lsr-id 1.1.1.9

[PE3] mpls ldp

[PE3-ldp] quit

[PE3] isis 2

[PE3-isis-2] network-entity 10.0000.0000.0000.0001.00

[PE3-isis-2] quit

[PE3] interface loopback 0

[PE3-LoopBack0] isis enable 2

[PE3-LoopBack0] quit

[PE3] interface vlan-interface 12

[PE3-Vlan-interface12] ip address 10.1.1.1 24

[PE3-Vlan-interface12] isis enable 2

[PE3-Vlan-interface12] mpls enable

[PE3-Vlan-interface12] mpls ldp enable

[PE3-Vlan-interface12] mpls ldp transport-address interface

[PE3-Vlan-interface12] quit

# Configure CE 1.

<CE1> system-view

[CE1] interface loopback 0

[CE1-LoopBack0] ip address 2.2.2.9 32

[CE1-LoopBack0] quit

[CE1] mpls lsr-id 2.2.2.9

[CE1] mpls ldp

[CE1-ldp] quit

[CE1] isis 2

[CE1-isis-2] network-entity 10.0000.0000.0000.0002.00

[CE1-isis-2] quit

[CE1] interface loopback 0

[CE1-LoopBack0] isis enable 2

[CE1-LoopBack0] quit

[CE1] interface vlan-interface 12

[CE1-Vlan-interface12] ip address 10.1.1.2 24

[CE1-Vlan-interface12] isis enable 2

[CE1-Vlan-interface12] mpls enable

[CE1-Vlan-interface12] mpls ldp enable

[CE1-Vlan-interface12] mpls ldp transport-address interface

[CE1-Vlan-interface12] quit

After the configurations, PE 3 and CE 1 can establish an LDP session and IS-IS neighbor relationship between them.

# Configure PE 4 and CE 2 in a similar way to configuring PE 3 and CE 1. (Details not shown.)

3. Connect the customer carrier to the provider carrier:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 200:1

[PE1-vpn-instance-vpn1] vpn-target 1:1

[PE1-vpn-instance-vpn1] quit

[PE1] mpls ldp

[PE1-ldp] vpn-instance vpn1

[PE1-ldp-vpn-instance-vpn1] quit

[PE1-ldp] quit

[PE1] isis 2 vpn-instance vpn1

[PE1-isis-2] network-entity 10.0000.0000.0000.0003.00

[PE1-isis-2] import-route bgp allow-ibgp

[PE1-isis-2] quit

[PE1] interface vlan-interface11

[PE1-Vlan-interface11] ip binding vpn-instance vpn1

[PE1-Vlan-interface11] ip address 11.1.1.2 24

[PE1-Vlan-interface11] isis enable 2

[PE1-Vlan-interface11] mpls enable

[PE1-Vlan-interface11] mpls ldp enable

[PE1-Vlan-interface11] mpls ldp transport-address interface

[PE1-Vlan-interface11] quit

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] ipv4-family unicast

[PE1-bgp-ipv4-vpn1] import isis 2

[PE1-bgp-ipv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Configure CE 1.

[CE1] interface vlan-interface11

[CE1-Vlan-interface11] ip address 11.1.1.1 24

[CE1-Vlan-interface11] isis enable 2

[CE1-Vlan-interface11] mpls enable

[CE1-Vlan-interface11] mpls ldp enable

[CE1-Vlan-interface11] mpls ldp transport-address interface

[CE1-Vlan-interface11] quit

After the configurations, PE 1 and CE 1 can establish an LDP session and IS-IS neighbor relationship between them.

# Configure PE 2 and CE 2 in a similar way to configuring PE 1 and CE 1. (Details not shown.)

4. Connect end customers to the customer carrier:

# Configure CE 3.

<CE3> system-view

[CE3] interface vlan-interface11

[CE3-Vlan-interface11] ipv6 address 2001:1::1 96

[CE3-Vlan-interface11] quit

[CE3] bgp 65410

[CE3-bgp] peer 2001:1::2 as-number 100

[CE3-bgp] ipv6-family

[CE3-bgp-ipv6] peer 2001:1::2 enable

[CE3-bgp-ipv6] import-route direct

[CE3-bgp-ipv6] quit

[CE3-bgp] quit

# Configure PE 3.

[PE3] ip vpn-instance vpn1

[PE3-vpn-instance-vpn1] route-distinguisher 100:1

[PE3-vpn-instance-vpn1] vpn-target 1:1

[PE3-vpn-instance-vpn1] quit

[PE3] interface Vlan-interface11

[PE3-Vlan-interface11] ip binding vpn-instance vpn1

[PE3-Vlan-interface11] ipv6 address 2001:1::2 96

[PE3-Vlan-interface11] quit

[PE3] bgp 100

[PE3-bgp] ip vpn-instance vpn1

[PE3-bgp-vpn1] peer 2001:1::1 as-number 65410

[PE3-bgp-vpn1] ipv6-family unicast

[PE3-bgp-ipv6-vpn1] peer 2001:1::1 enable

[PE3-bgp-ipv6-vpn1] import-route direct

[PE3-bgp-ipv6-vpn1] quit

[PE3-bgp-vpn1] quit

[PE3-bgp] quit

# Configure PE 4 and CE 4 in a similar way to configuring PE 3 and CE 3. (Details not shown.)

5. Establish an MP-IBGP peer relationship between PEs of the customer carrier to exchange the VPN routes of the customer carrier's customers:

# Configure PE 3.

[PE3] bgp 100

[PE3-bgp] peer 6.6.6.9 as-number 100

[PE3-bgp] peer 6.6.6.9 connect-interface loopback 0

[PE3-bgp] ipv6-family vpnv6

[PE3-bgp-vpnv6] peer 6.6.6.9 enable

[PE3-bgp-vpnv6] quit

[PE3-bgp] quit

# Configure PE 3 in a similar way to configuring PE 3. (Details not shown.)

6. Verify the configuration:

# Execute the display ip routing-table command on PE 1 and PE 2. The output shows that only routes of the provider carrier network are present in the public network routing table of PE 1 and PE 2. Take PE 1 as an example:

[PE1] display ip routing-table

Routing Tables: Public

Destinations : 7 Routes : 7

Destination/Mask Proto Pre Cost NextHop Interface

3.3.3.9/32 Direct 0 0 127.0.0.1 InLoop0

4.4.4.9/32 ISIS 15 10 30.1.1.2 Vlan12

30.1.1.0/24 Direct 0 0 30.1.1.1 Vlan12

30.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

30.1.1.2/32 Direct 0 0 30.1.1.2 Vlan12

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

[PE1] display ip routing-table vpn-instance vpn1

Routing Tables: vpn1

Destinations : 11 Routes : 11

Destination/Mask Proto Pre Cost NextHop Interface

1.1.1.9/32 ISIS 15 20 11.1.1.1 Vlan11

2.2.2.9/32 ISIS 15 10 11.1.1.1 Vlan11

5.5.5.9/32 BGP 255 0 4.4.4.9 NULL0

6.6.6.9/32 BGP 255 0 4.4.4.9 NULL0

10.1.1.0/24 ISIS 15 20 11.1.1.1 Vlan11

11.1.1.0/24 Direct 0 0 11.1.1.1 Vlan11

11.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.2/32 Direct 0 0 11.1.1.2 Vlan11

20.1.1.0/24 BGP 255 0 4.4.4.9 NULL0

21.1.1.0/24 BGP 255 0 4.4.4.9 NULL0

21.1.1.2/32 BGP 255 0 4.4.4.9 NULL0

[CE1] display ip routing-table

Routing Tables: Public

Destinations : 16 Routes : 16

Destination/Mask Proto Pre Cost NextHop Interface

1.1.1.9/32 ISIS 15 10 10.1.1.2 Vlan12

2.2.2.9/32 Direct 0 0 127.0.0.1 InLoop0

5.5.5.9/32 ISIS 15 74 11.1.1.2 Vlan11

6.6.6.9/32 ISIS 15 74 11.1.1.2 Vlan11

10.1.1.0/24 Direct 0 0 10.1.1.2 Vlan12

10.1.1.1/32 Direct 0 0 10.1.1.1 Vlan12

10.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.0/24 Direct 0 0 11.1.1.1 Vlan11

11.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.2/32 Direct 0 0 11.1.1.2 Vlan11

20.1.1.0/24 ISIS 15 74 11.1.1.2 Vlan11

21.1.1.0/24 ISIS 15 74 11.1.1.2 Vlan11

21.1.1.2/32 ISIS 15 74 11.1.1.2 Vlan11

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

# Execute the display ipv6 routing-table vpn-instance command on PE 3 and PE 4. The output shows that the remote VPN route is present in the VPN routing table. Take PE 3 as an example:

[PE3] display ipv6 routing-table vpn-instance vpn1

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:1::/96 Protocol : Direct

NextHop : :: Preference: 0

Interface : Vlan11 Cost : 0

Destination: 2001:1::2/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:2::/96 Protocol : BGP4+

NextHop : ::FFFF:606:609 Preference: 0

Interface : NULL0 Cost : 0

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

# PE 3 and PE 4 can ping each other:

# CE 3 and CE 4 can ping each other:

Configuring IPv6 MCE

Network requirements

As shown in Figure 35, the MCE device is connected to VPN 1 through VLAN-interface 10 and to VPN 2 through VLAN-interface 20. RIPng runs in VPN 2.

Configure the MCE to separate routes from different VPNs and advertise VPN routes to PE 1 through OSPFv3.

Figure 35 Network diagram

Configuration procedure

Assume that the system name of the MCE device is MCE, the system names of the edge devices of VPN 1 and VPN 2 are VR1 and VR2 respectively, and the system name of PE 1 is PE1.

1. Configure the VPN instances on the MCE and PE 1:

# On the MCE, configure VPN instances vpn1 and vpn2, and specify a RD and route targets for each VPN instance.

<MCE> system-view

[MCE] ip vpn-instance vpn1

[MCE-vpn-instance-vpn1] route-distinguisher 10:1

[MCE-vpn-instance-vpn1] vpn-target 10:1

[MCE-vpn-instance-vpn1] quit

[MCE] ip vpn-instance vpn2

[MCE-vpn-instance-vpn2] route-distinguisher 20:1

[MCE-vpn-instance-vpn2] vpn-target 20:1

[MCE-vpn-instance-vpn2] quit

# Create VLAN 10, add port GigabitEthernet 3/0/1 to VLAN 10, and create VLAN-interface 10.

[MCE] vlan 10

[MCE-vlan10] port GigabitEthernet 3/0/1

[MCE-vlan10] quit

# Bind VLAN-interface 10 with VPN instance vpn1, and configure an IPv6 address for the VLAN interface.

[MCE] interface vlan-interface 10

[MCE-Vlan-interface10] ip binding vpn-instance vpn1

[MCE-Vlan-interface10] ipv6 address 2001:1::1 64

[MCE-Vlan-interface10] quit

# Configure VLAN 20, add port GigabitEthernet 3/0/2 to VLAN 20, bind VLAN-interface 20 with VPN instance vpn2, and assign an IPv6 address to VLAN-interface 20.

[MCE] vlan 20

[MCE-vlan20] port GigabitEthernet 3/0/2

[MCE-vlan20] quit

[MCE] interface vlan-interface 20

[MCE-Vlan-interface20] ip binding vpn-instance vpn2

[MCE-Vlan-interface20] ipv6 address 2002:1::1 64

[MCE-Vlan-interface20] quit

# On PE 1, configure VPN instances vpn1 and vpn2, and specify an RD and route targets for each VPN instance.

<PE1> system-view

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 30:1

[PE1-vpn-instance-vpn1] vpn-target 10:1

[PE1-vpn-instance-vpn1] quit

[PE1] ip vpn-instance vpn2

[PE1-vpn-instance-vpn2] route-distinguisher 40:1

[PE1-vpn-instance-vpn2] vpn-target 20:1

[PE1-vpn-instance-vpn2] quit

2. Configure routing between the MCE and VPN sites:

The MCE is connected to VPN 1 directly, and no routing protocol is enabled in VPN 1. Therefore, you can configure IPv6 static routes.

# On VR 1, assign IPv6 address 2001:1::2/64 to the interface connected to the MCE and 2012:1::2/64 to the interface connected to VPN 1. Add ports to VLANs. (Details not shown.)

# On VR 1, configure a default route with the next hop being 2001:1::1.

<VR1> system-view

[VR1] ipv6 route-static :: 0 2001:1::1

# On the MCE, configure an IPv6 static route to 2012:1::/64, specify the next hop as 2001:1::2, and bind the static route with VPN instance vpn1.

[MCE] ipv6 route-static vpn-instance vpn1 2012:1:: 64 2001:1::2

# Run RIPng in VPN 2. Configure RIPng process 20 for VPN instance vpn2 on the MCE, so that the MCE can learn the routes of VPN 2 and add them to the routing table of VPN instance vpn2.

[MCE] ripng 20 vpn-instance vpn2

# Advertise subnet 2002:1::/64 through RIPng.

[MCE] interface vlan-interface 20

[MCE-Vlan-interface20] ripng 20 enable

[MCE-Vlan-interface20] quit

# On VR 2, assign IPv6 address 2002:1::2/64 to the interface connected to the MCE and 2012::2/64 to the interface connected to VPN 2. (Details not shown.)

# Configure RIPng, and advertise subnets 2012::/64 and 2002:1::/64.

<VR2> system-view

[VR2] ripng 20

[VR2-ripng-20] quit

[VR2] interface vlan-interface 20

[VR2-Vlan-interface20] ripng 20 enable

[VR2-Vlan-interface20] quit

[VR2] interface vlan-interface 21

[VR2-Vlan-interface21] ripng 20 enable

[VR2-Vlan-interface21] quit

# On the MCE, display the routing tables of VPN instances vpn1 and vpn2.

[MCE] display ipv6 routing-table vpn-instance vpn1

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:1::/64 Protocol : Direct

NextHop : :: Preference: 0

Interface : Vlan10 Cost : 0

Destination: 2001:1::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2012:1::/64 Protocol : Static

NextHop : 2001:1::2 Preference: 60

Interface : Vlan10 Cost : 0

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

[MCE] display ipv6 routing-table vpn-instance vpn2

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2002:1::/64 Protocol : Direct

NextHop : :: Preference: 0

Interface : Vlan20 Cost : 0

Destination: 2002:1::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2012::/64 Protocol : RIPng

NextHop : FE80::20C:29FF:FE40:701 Preference: 100

Interface : Vlan20 Cost : 1

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

The output shows that the MCE has learned the private route of VPN 2. The MCE maintains the routes of VPN 1 and VPN 2 in two different routing tables. In this way, routes from different VPNs are separated.

3. Configure routing between the MCE and PE 1:

# On the MCE, configure the port connected to PE 1 as a trunk port, and configure it to permit packets of VLAN 30 and VLAN 40 to pass with VLAN tags.

[MCE] interface GigabitEthernet 3/0/3

[MCE-GigabitEthernet3/0/3] port link-type trunk

[MCE-GigabitEthernet3/0/3] port trunk permit vlan 30 40

[MCE-GigabitEthernet3/0/3] quit

# On PE 1, configure the port connected to MCE as a trunk port, and configure it to permit packets of VLAN 30 and VLAN 40 to pass with VLAN tags.

[PE1] interface GigabitEthernet 3/0/1

[PE1-GigabitEthernet3/0/1] port link-type trunk

[PE1-GigabitEthernet3/0/1] port trunk permit vlan 30 40

[PE1-GigabitEthernet3/0/1] quit

# On the MCE, create VLAN 30 and VLAN-interface 30, bind VLAN-interface 30 with VPN instance vpn1 and configure an IPv6 address for the VLAN-interface 30.

[MCE] vlan 30

[MCE-vlan30] quit

[MCE] interface vlan-interface 30

[MCE-Vlan-interface30] ip binding vpn-instance vpn1

[MCE-Vlan-interface30] ipv6 address 30::1 64

[MCE-Vlan-interface30] quit

# On the MCE, create VLAN 40 and VLAN-interface 40, bind VLAN-interface 40 with VPN instance vpn2, and configure an IPv6 address for the VLAN-interface 40.

[MCE] vlan 40

[MCE-vlan40] quit

[MCE] interface vlan-interface 40

[MCE-Vlan-interface40] ip binding vpn-instance vpn2

[MCE-Vlan-interface40] ipv6 address 40::1 64

[MCE-Vlan-interface40] quit

# On PE 1, create VLAN 30 and VLAN-interface 30, bind VLAN-interface 30 with VPN instance vpn1, and configure an IPv6 address for the VLAN-interface 30.

[PE1] vlan 30

[PE1-vlan30] quit

[PE1] interface vlan-interface 30

[PE1-Vlan-interface30] ip binding vpn-instance vpn1

[PE1-Vlan-interface30] ipv6 address 30::2 64

[PE1-Vlan-interface30] quit

# On PE 1, create VLAN 40 and VLAN-interface 40, bind VLAN-interface 40 with VPN instance vpn2, and configure an IPv6 address for the VLAN-interface 40.

[PE1] vlan 40

[PE1-vlan40] quit

[PE1] interface vlan-interface 40

[PE1-Vlan-interface40] ip binding vpn-instance vpn2

[PE1-Vlan-interface40] ipv6 address 40::2 64

[PE1-Vlan-interface40] quit

# Enable OSPFv3 process 10 on the MCE, bind the process to VPN instance vpn1, and redistribute the IPv6 static route of VPN 1.

[MCE] ospfv3 10 vpn-instance vpn1

[MCE-ospf-10] router-id 101.101.10.1

[MCE-ospf-10] import-route static

[MCE-ospf-10] quit

# Enable OSPFv3 on VLAN-interface 30.

[MCE] interface vlan-interface 30

[MCE-Vlan-interface30] ospfv3 10 area 0.0.0.0

[MCE-Vlan-interface30] quit

# On PE 1, enable OSPFv3 process 10 and bind the process to VPN instance vpn1.

[PE1] ospfv3 10 vpn-instance vpn1

[PE1-ospf-10] router-id 100.100.10.1

[PE1-ospf-10] quit

# Enable OSPFv3 on VLAN-interface 30.

[PE1] interface vlan-interface 30

[PE1-Vlan-interface30] ospfv3 10 area 0.0.0.0

[PE1-Vlan-interface30] quit

# Take similar procedures to configure OSPFv3 process 20 between the MCE and PE 1 and redistribute VPN 2's routes from RIPng process 20 into the OSPFv3 routing table of the MCE. (Details not shown.)

4. Verify the configuration:

# The following output shows that PE 1 has learned the private route of VPN 1 through OSPFv3.

[PE1] display ipv6 routing-table vpn-instance vpn1

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 30::/64 Protocol : Direct

NextHop : :: Preference: 0

Interface : Vlan30 Cost : 0

Destination: 30::2/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2012:1::/64 Protocol : OSPFv3

NextHop : FE80::202:FF:FE02:2 Preference: 150

Interface : Vlan30 Cost : 1

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

# The following output shows that PE 1 has learned the private route of VPN 2 through OSPFv3.

[PE1] display ipv6 routing-table vpn-instance vpn2

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 40::/64 Protocol : Direct

NextHop : :: Preference: 0

Interface : Vlan40 Cost : 0

Destination: 40::2/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2012::/64 Protocol : OSPFv3

NextHop : FE80::200:FF:FE0F:5 Preference: 150

Interface : Vlan40 Cost : 1

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Now, the routing information of the two VPNs has been added into the routing tables on PE 1.

08-MPLS Configuration Guide

Overview

MPLS L3VPN concepts

Site

Address space overlapping

VPN instance

VPN-IPv4 address

Route target attribute

MP-BGP

Routing policy

Tunnel policy

MPLS L3VPN packet forwarding

MPLS L3VPN networking schemes

Basic VPN networking scheme

Hub and spoke networking scheme

Extranet networking scheme

MPLS L3VPN route advertisement

Inter-AS VPN

Inter-AS option A

Inter-AS option B

Inter-AS option C

Carrier's carrier

Propagation of routing information

Benefits

HoVPN

Implementation of HoVPN

SPE-UPE

Recursion and extension of HoVPN

OSPF VPN extension

OSPF for VPNs on a PE

BGP AS number substitution

MPLS L3VPN configuration task list

Configuring basic MPLS L3VPN

Configuring VPN instances

Configuring routing between a PE and a CE

Configuring static routing between a PE and a CE

Configuring RIP between a PE and a CE

Configuring OSPF between a PE and a CE

Configuring IS-IS between a PE and a CE

Configuring EBGP between a PE and a CE

Configuring IBGP between a PE and a CE

Configuring routing between PEs

Configuring inter-AS VPN

Configuring a PE

Configuring an ASBR PE

Configuring a routing policy on an ASBR PE

Configuring nested VPN

Configuring HoVPN

Configuring routing on an MCE

Configuring routing between an MCE and a VPN site

Configuring static routing between an MCE and a VPN site

Configuring RIP between an MCE and a VPN site

Configuring OSPF between an MCE and a VPN site

Configuring IS-IS between an MCE and a VPN site

Configuring EBGP between an MCE and a VPN site

Configuring IBGP beween MCE and VPN site

Configuring static routing between an MCE and a PE

Configuring RIP between an MCE and a PE

Configuring OSPF between an MCE and a PE

Configuring IS-IS between an MCE and a PE

Configuring EBGP between an MCE and a PE

Configuring IBGP between an MCE and a PE

Specifying the VPN label processing mode on the egress PE

Configuring BGP AS number substitution

Displaying and maintaining MPLS L3VPN

MPLS L3VPN configuration examples

Network requirements

Configuration procedure

Configuring MPLS L3VPN inter-AS option A

Network requirements

Configuration procedure

Network requirements

Configuration procedure

Network requirements

Configuration procedure

Configuring MPLS L3VPN carrier's carrier

Network requirements

Configuration procedure

Configuring nested VPN

Network requirements