MPLS L3VPN is a L3VPN technology used to interconnect geographically dispersed VPN sites. MPLS L3VPN uses BGP to advertise VPN routes and uses MPLS to forward VPN packets over a service provider backbone.

MPLS L3VPN provides flexible networking modes, excellent scalability, and convenient support for MPLS QoS.

Basic MPLS L3VPN architecture

Figure 1 Basic MPLS L3VPN architecture

A basic MPLS L3VPN architecture has the following types of devices:

· Customer edge device—A CE device resides on a customer network and has one or more interfaces directly connected to a service provider network. It does not support VPN or MPLS.

· Provider edge device—A PE device resides at the edge of a service provider network and connects to one or more CEs. All MPLS VPN services are processed on PEs.

· Provider device—A P device is a core device on a service provider network. It is not directly connected to any CE. A P device has only basic MPLS forwarding capability and does not handle VPN routing information.

MPLS L3VPN concepts

Site

A site has the following features:

· A site is a group of IP systems with IP connectivity that does not rely on any service provider network.

· The classification of a site depends on the topology relationship of the devices, rather than the geographical positions. However, the devices at a site are, in most cases, adjacent to each other geographically.

· The devices at a site can belong to multiple VPNs, which means that a site can belong to multiple VPNs.

· A site is connected to a provider network through one or more CEs. A site can contain multiple CEs, but a CE can belong to only one site.

Sites connected to the same provider network can be classified into different sets by policies. Only the sites in the same set can access each other through the provider network. Such a set is called a VPN.

VPN instance

VPN instances, also called virtual routing and forwarding (VRF) instances, implement route isolation, data independence, and data security for VPNs.

A VPN instance has the following components:

· A separate Label Forwarding Information Base (LFIB).

· An IP routing table.

· Interfaces bound to the VPN instance.

· VPN instance administration information, including route distinguishers (RDs), route targets (RTs), and route filtering policies.

To associate a site with a VPN instance, bind the VPN instance to the PE's interface connected to the site. A site can be associated with only one VPN instance, and different sites can associate with the same VPN instance. A VPN instance contains the VPN membership and routing rules of associated sites.

Address space overlapping

Each VPN independently manages its address space.

The address spaces of VPNs might overlap. For example, if both VPN 1 and VPN 2 use the addresses on subnet 10.110.10.0/24, address space overlapping occurs.

VPN-IPv4 address

BGP cannot process overlapping VPN address spaces. For example, if both VPN 1 and VPN 2 use the subnet 10.110.10.0/24 and each advertise a route destined for the subnet, BGP selects only one of them. This results in the loss of the other route.

Multiprotocol BGP (MP-BGP) can solve this problem by advertising VPN-IPv4 prefixes.

Figure 2 VPN-IPv4 address structure

As shown in Figure 2, a VPN-IPv4 address consists of 12 bytes. The first eight bytes represent the RD, followed by a four-byte IPv4 prefix. The RD and the IPv4 prefix form a unique VPN-IPv4 prefix.

An RD can be in one of the following formats:

· When the Type field is 0, the Administrator subfield occupies two bytes, the Assigned number subfield occupies four bytes, and the RD format is 16-bit AS number:32-bit user-defined number. For example, 100:1.

· When the Type field is 1, the Administrator subfield occupies four bytes, the Assigned number subfield occupies two bytes, and the RD format is 32-bit IPv4 address:16-bit user-defined number. For example, 172.1.1.1:1.

· When the Type field is 2, the Administrator subfield occupies four bytes, the Assigned number subfield occupies two bytes, and the RD format is 32-bit AS number:16-bit user-defined number, where the minimum value of the AS number is 65536. For example, 65536:1.

To guarantee global uniqueness for an RD, do not set the Administrator subfield to any private AS number or private IP address.

Route target attribute

MPLS L3VPN uses route target community attributes to control the advertisement of VPN routing information. A VPN instance on a PE supports the following types of route target attributes:

· Export target attribute—A PE sets the export target attribute for VPN-IPv4 routes learned from directly connected sites before advertising them to other PEs.

· Import target attribute—A PE checks the export target attribute of VPN-IPv4 routes received from other PEs. If the export target attribute matches the import target attribute of a VPN instance, the PE adds the routes to the routing table of the VPN instance.

Route target attributes define which sites can receive VPN-IPv4 routes, and from which sites a PE can receive routes.

Like RDs, route target attributes can be one of the following formats:

· 16-bit AS number:32-bit user-defined number. For example, 100:1.

· 32-bit IPv4 address:16-bit user-defined number. For example, 172.1.1.1:1.

· 32-bit AS number:16-bit user-defined number, where the minimum value of the AS number is 65536. For example, 65536:1.

MP-BGP

MP-BGP supports multiple address families, including IPv4 multicast, IPv6 unicast, IPv6 multicast, and VPN-IPv4 address families.

In MPLS L3VPN, MP-BGP advertises VPN-IPv4 routes for VPN sites between PEs.

MPLS L3VPN route advertisement

In a basic MPLS L3VPN, CEs and PEs are responsible for advertising VPN routing information. P routers maintain only the routes within the backbone. A PE maintains only routing information for directly connected VPNs, rather than for all VPNs.

VPN routing information is advertised from the local CE to the remote CE by using the following process:

1. From the local CE to the ingress PE:

The CE advertises standard IPv4 routing information to the ingress PE over a static route, RIP route, OSPF route, IS-IS route, EBGP route, or IBGP route.

2. From the ingress PE to the egress PE:

The ingress PE does the following:

a. Adds RDs and route target attributes to these standard IPv4 routes to create VPN-IPv4 routes.

b. Saves the VPN-IPv4 routes to the routing table of the VPN instance created for the CE.

c. Advertises the VPN-IPv4 routes to the egress PE through MP-BGP.

3. From the egress PE to the remote CE:

After receiving the VPN-IPv4 routes, the egress PE does the following:

a. Compares the routes' export target attributes with the local import target attributes.

b. Adds the routes to the routing table of the VPN instance if the export and local import target attributes match each other.

c. Restores the VPN-IPv4 routes to the original IPv4 routes.

d. Advertises those routes to the connected CE over a static route, RIP route, OSPF route, IS-IS route, EBGP route, or IBGP route.

MPLS L3VPN packet forwarding

In a basic MPLS L3VPN (within a single AS), a PE adds the following information into VPN packets:

· Outer tag—Identifies the public tunnel from the local PE to the remote PE. The public tunnel can be an LSP tunnel. Based on the outer tag, a VPN packet can be forwarded along the public tunnel to the remote PE. The outer tag is an MPLS label.

· Inner label—Identifies the remote VPN site. The remote PE uses the inner label to forward packets to the target VPN site. MP-BGP advertises inner labels for VPN routes among PEs.

Figure 3 VPN packet forwarding

As shown in Figure 3, a VPN packet is forwarded from Site 1 to Site 2 by using the following process:

1. Site 1 sends an IP packet with the destination address 1.1.1.2. CE 1 transmits the packet to PE 1.

2. PE 1 does the following:

a. Finds the matching VPN route based on the inbound interface and destination address of the packet.

b. Labels the packet with both the inner label and the outer tag.

c. Forwards the packet to the public tunnel.

3. P devices forward the packet to PE 2 by the outer tag. If the outer tag is an MPLS label, the label is removed from the packet at the penultimate hop. If the outer tag is GRE encapsulation, PE 2 removes the GRE encapsulation.

4. PE 2 finds the matching VPN route according to the inner label and destination address of the packet, and then forwards the packet out of the interface to CE 2.

5. CE 2 transmits the packet to the destination through IP forwarding.

When two sites of a VPN are connected to the same PE, the PE directly forwards packets between the two sites through the VPN routing table without adding any tag or label.

For more information about GRE, see Layer 3—IP Services Configuration Guide.

MPLS L3VPN networking schemes

In MPLS L3VPNs, route target attributes are used to control the advertisement and reception of VPN routes between sites. They work independently and can be configured with multiple values to support flexible VPN access control and implement multiple types of VPN networking schemes.

Basic VPN networking scheme

In the simplest case, all users in a VPN form a closed user group. They can forward traffic to each other but cannot communicate with any user outside the VPN.

For the basic VPN networking scheme, you must assign a route target to each VPN for identifying the export target attribute and import target attribute of the VPN. Moreover, this route target cannot be used by any other VPNs.

Figure 4 Network diagram for basic VPN networking scheme

As shown in Figure 4, the route target for VPN 1 is 100:1, while that for VPN 2 is 200:1. The two VPN 1 sites can communicate with each other, and the two VPN 2 sites can communicate with each other. However, the VPN 1 sites cannot communicate with the VPN 2 sites.

Hub and spoke networking scheme

The hub and spoke networking scheme is suitable for a VPN where all users must communicate with each other through an access control device.

In a hub and spoke network as shown in Figure 5, configure route targets as follows:

· On spoke PEs (PEs connected to spoke sites), set the export target to Spoke and the import target to Hub.

· On the hub PE (PE connected to the hub site), use two interfaces or subinterfaces that each belong to a different VPN instance to connect the hub CE. One VPN instance receives routes from spoke PEs and has the import target set to Spoke. The other VPN instance advertises routes to spoke PEs and has the export target set to Hub.

These route targets rules produce the following results:

· The hub PE can receive all VPN-IPv4 routes from spoke PEs.

· All spoke PEs can receive VPN-IPv4 routes advertised by the hub PE.

· The hub PE advertises the routes learned from a spoke PE to the other spoke PEs so the spoke sites can communicate with each other through the hub site.

· The import target attribute of a spoke PE is different from the export target attribute of any other spoke PE. Therefore, any two spoke PEs cannot directly advertise VPN-IPv4 routes to each other or directly access each other.

Figure 5 Network diagram for hub and spoke network

A route in Site 1 is advertised to Site 2 by using the following process:

1. Spoke-CE 1 advertises a route in Site 1 to Spoke-PE 1.

2. Spoke-PE 1 changes the route to a VPN-IPv4 route and advertises the VPN-IPv4 route to Hub-PE through MP-BGP.

3. Hub-PE adds the VPN-IPv4 route into the routing table of VPN 1-in, changes it to the original IPv4 route, and advertises the IPv4 route to Hub-CE.

4. Hub-CE advertises the IPv4 route back to Hub-PE.

5. Hub-PE adds the IPv4 route to the routing table of VPN 1-out, changes it to a VPN-IPv4 route, and advertises the VPN-IPv4 route to Spoke-PE 2 through MP-BGP.

6. Spoke-PE 2 changes the VPN-IPv4 route to the original IPv4 route, and advertises the IPv4 route to Site 2.

After spoke sites exchange routes through the hub site, they can communicate with each other through the hub site.

Extranet networking scheme

The extranet networking scheme allows specific resources in a VPN to be accessed by users not in the VPN.

In this networking scheme, if a VPN instance needs to access a shared site, the export target attribute and the import target attribute of the VPN instance must be contained in the import target attribute and the export target attribute of the VPN instance of the shared site, respectively.

Figure 6 Network diagram for extranet networking scheme

As shown in Figure 6, route targets configured on PEs produce the following results:

· PE 3 can receive VPN-IPv4 routes from PE 1 and PE 2.

· PE 1 and PE 2 can receive VPN-IPv4 routes advertised by PE 3.

· Site 1 and Site 3 of VPN 1 can communicate with each other, and Site 2 of VPN 2 and Site 3 of VPN 1 can communicate with each other.

· PE 3 advertises neither the VPN-IPv4 routes received from PE 1 to PE 2 nor the VPN-IPv4 routes received from PE 2 to PE 1 (routes learned from an IBGP neighbor are not advertised to any other IBGP neighbor). Therefore, Site 1 of VPN 1 and Site 2 of VPN 2 cannot communicate with each other.

Inter-AS VPN

In an inter-AS VPN networking scenario, multiple sites of a VPN are connected to multiple ISPs in different ASs, or to multiple ASs of an ISP.

RFC 2547bis presents the following inter-AS VPN solutions:

· VRF-to-VRF—ASBRs manage VPN routes between them through subinterfaces. This solution is also called inter-AS option A.

· EBGP redistribution of labeled VPN-IPv4 routes—ASBRs advertise labeled VPN-IPv4 routes to each other through MP-EBGP. This solution is also called inter-AS option B.

· Multihop EBGP redistribution of labeled VPN-IPv4 routes—PEs advertise labeled VPN-IPv4 routes to each other through MP-EBGP. This solution is also called inter-AS option C.

Inter-AS option A

In this solution, PEs of two ASs are directly connected, and each PE is also the ASBR of its AS.

The PEs acting as ASBRs are connected through multiple subinterfaces. Each of them treats the other as a CE and advertises IPv4 routes through conventional EBGP. Within an AS, packets are forwarded as VPN packets with two-level labels. Between ASBRs, conventional IP forwarding is used.

Ideally, each inter-AS VPN has a pair of subinterfaces to exchange VPN routing information.

Figure 7 Network diagram for inter-AS option A

Inter-AS option A is easy to carry out because no special configuration is required on the PEs acting as the ASBRs.

However, it has limited scalability because the PEs acting as the ASBRs must manage all the VPN routes and create VPN instances on a per-VPN basis. This leads to excessive VPN-IPv4 routes on the PEs. Creating a separate subinterface for each VPN also requires additional system resources.

Inter-AS option B

In this solution, two ASBRs use MP-EBGP to exchange labeled VPN-IPv4 routes that they obtain from the PEs in their respective ASs.

As shown in Figure 8, the routes are advertised by using the following process:

1. PEs in AS 100 advertise labeled VPN-IPv4 routes to the ASBR-PE of AS 100 or the route reflector (RR) of the ASBR-PE through MP-IBGP.

2. The ASBR-PE advertises labeled VPN-IPv4 routes to the ASBR-PE of AS 200 through MP-EBGP.

3. The ASBR-PE of AS 200 advertises labeled VPN-IPv4 routes to PEs in AS 200 or to the RR of the PEs through MP-IBGP.

The ASBRs must perform special processing on the labeled VPN-IPv4 routes, which is also called ASBR extension method.

Figure 8 Network diagram for inter-AS option B

Inter-AS option B has better scalability than option A.

When adopting the MP-EBGP method, note the following:

· ASBRs do not perform route target filtering on VPN-IPv4 routes that they receive from each other. Therefore, the ISPs in different ASs must agree on the route exchange.

· VPN-IPv4 routes are exchanged only between VPN peers. A VPN site can exchange VPN-IPv4 routes neither with the public network nor with MP-EBGP peers with whom it has not reached agreement on the route exchange.

Inter-AS option C

The Inter-AS option A and option B solutions can meet the needs for inter-AS VPNs. However, they require that the ASBRs maintain and advertise VPN-IPv4 routes. When every AS needs to exchange a great amount of VPN routes, the ASBRs might become bottlenecks, which hinders network extension.

Inter-AS option C can solve the problem by making PEs directly exchange VPN-IPv4 routes without the participation of ASBRs:

· Two ASBRs advertise labeled IPv4 routes to PEs in their respective ASs through IBGP.

· The ASBRs neither maintain VPN-IPv4 routes nor advertise VPN-IPv4 routes to each other.

· An ASBR maintains labeled IPv4 routes of the PEs in the AS and advertises them to the peers in the other ASs. The ASBR of another AS also advertises labeled IPv4 routes. Thus, an LSP is established between the ingress PE and egress PE.

· Between PEs of different ASs, multihop EBGP connections are established to exchange VPN-IPv4 routes.

Figure 9 Network diagram for inter-AS option C

To improve the scalability, you can specify an RR in each AS to maintain all VPN-IPv4 routes and to exchange VPN-IPv4 routes with PEs in the AS. The RRs in two ASs establish an inter-AS VPNv4 connection to advertise VPN-IPv4 routes, as shown in Figure 10.

Figure 10 Network diagram for inter-AS option C using RRs

Carrier's carrier

If a customer of the MPLS L3VPN service provider is also a service provider:

· The MPLS L3VPN service provider is called the provider carrier or the Level 1 carrier.

· The customer is called the customer carrier or the Level 2 carrier.

This networking model is referred to as carrier's carrier. In this model, the Level 2 service provider serves as a CE of the Level 1 service provider.

For good scalability, the Level 1 carrier does not learn the routes of the customer network connected to a Level 2 carrier. It only learns the routes for delivering packets between different sites of the Level 2 carrier. Routes of the customer networks connected to a Level 2 carrier are exchanged through the BGP session established between the routers of the Level 2 carrier. This can greatly reduce the number of routes maintained by the Level 1 carrier network.

Compared with the common MPLS L3VPN, the carrier's carrier is different because of the way in which a CE of a Level 1 carrier (a Level 2 carrier) accesses a PE of the Level 1 carrier:

· If the PE and the CE are in a same AS, you must configure IGP and LDP between them.

· If the PE and the CE are not in the same AS, you must configure MP-EBGP to assign labels to routes exchanged between them.

In either case, you must enable MPLS on the CE of the Level 1 carrier. Moreover, the CE holds the VPN routes of the Level 2 carrier, but it does not advertise the routes to the PE of the Level 1 carrier. It only exchanges the routes with other PEs of the Level 2 carrier.

A Level 2 carrier can be an ordinary ISP or an MPLS L3VPN service provider.

When the Level 2 carrier is an ordinary ISP, its PEs run IGP to communicate with the CEs, rather than MPLS. As shown in Figure 11, PE 3 and PE 4 exchange VPN routes of the Level 2 carrier through an IBGP session.

Figure 11 Scenario where the Level 2 carrier is an ISP

When the Level 2 carrier is an MPLS L3VPN service provider, its PEs must run IGP and LDP to communicate with CEs. As shown in Figure 12, PE 3 and PE 4 exchange VPN routes of the Level 2 carrier through an MP-IBGP session.

Figure 12 Scenario where the Level 2 carrier is an MPLS L3VPN service provider

NOTE:

If equal cost routes exist between the Level 1 carrier and the Level 2 carrier, H3C recommends that you establish equal cost LSPs between them.

Nested VPN

The nested VPN technology exchanges VPNv4 routes between PEs and CEs of the ISP MPLS L3VPN and allows a customer to manage its own internal VPNs. Figure 13 shows a nested VPN network. On the service provider's MPLS VPN network, there is a customer VPN named VPN A. The customer VPN contains two sub-VPNs, VPN A-1 and VPN A-2.

The service provider PEs consider the customer's network as a common VPN user and do not join any sub-VPNs. The service provider CE devices (CE 1 and CE 2) exchange VPNv4 routes including sub-VPN routing information with the service provider PEs, which implements the propagation of the sub-VPN routing information throughout the customer network.

The nested VPN technology supports both symmetric networking and asymmetric networking. Sites of the same VPN can have the same number or different numbers of internal VPNs. Nested VPN also supports multiple-level nesting of internal VPNs.

Figure 13 Network diagram for nested VPN

Propagation of routing information

In a nested VPN network, routing information is propagated by using the following process:

1. A provider PE and its CEs exchange VPNv4 routes, which carry information about customer VPNs.

2. After receiving a VPNv4 route, a provider PE keeps the customer's internal VPN information, and appends the customer's MPLS VPN attributes on the service provider network. It replaces the RD of the VPNv4 route with the RD of the customer's MPLS VPN on the service provider network. It also adds the export route-target (ERT) attribute of the customer's MPLS VPN on the service provider network to the extended community attribute list of the route. The internal VPN information of the customer is maintained on the provider PE.

3. The provider PE advertises VPNv4 routes carrying the comprehensive VPN information to the other PEs of the service provider.

4. After another provider PE receives the VPNv4 routes, it matches the VPNv4 routes to the import targets of its local VPNs. Each local VPN accepts routes of its own and advertises them to provider CEs. If a provider CE (such as CE 7 and CE 8 in Figure 13) is connected to a provider PE through an IPv4 connection, the PE advertises IPv4 routes to the CE. If it is a VPNv4 connection (a customer MPLS VPN network), the PE advertises VPNv4 routes to the CE.

5. After receiving VPNv4 routes from the provider CE, a customer PE matches those routes to local import targets. Each customer VPN accepts only its own routes and advertises them to connected customer CEs (such as CE 3, CE 4, CE 5, and CE 6 in Figure 13).

HoVPN

In MPLS L3VPN solutions, PEs are the key devices, which provide the following functions:

· User access, requiring that the PEs must have a large number of interfaces.

· VPN route management and advertisement, and user packet processing, requiring that a PE must have a large-capacity memory and high forwarding capability.

Most network schemes use a typical hierarchical architecture. For example, the MAN architecture typically contains three layers: core, distribution, and access. From the core layer to the access layer, the performance requirements on the devices decrease while the network expands.

MPLS L3VPN, on the contrary, is a plane model where performance requirements are the same for all PEs. If a certain PE does not have enough performance or scalability, the performance or scalability of the whole network is influenced. Therefore, the plane model is not applicable to the large-scale VPN deployment.

To solve the scalability problem of the plane model, MPLS L3VPN must transition to the hierarchical model. Hierarchy of VPN (HoVPN) was proposed to meet the requirement. With HoVPN, the PE functions can be distributed among multiple PEs, which take different roles for the same functions and form a hierarchical architecture.

As in the typical hierarchical network model, HoVPN has different requirements on the devices at different layers of the hierarchy.

Implementation of HoVPN

Figure 14 Basic architecture of HoVPN

As shown in Figure 14, devices directly connected to CEs are called underlayer PEs (UPEs) or user-end PEs, whereas devices that are connected to UPEs and are in the internal network are called superstratum PEs (SPE) or service provider-end PEs.

Multiple UPEs and SPEs comprise a hierarchical PE.

UPEs and SPEs play the following different roles:

· A UPE provides user access. It maintains the routes of directly connected VPN sites. It does not maintain the routes of the remote sites in the VPN, or it only maintains their summary routes. A UPE assigns inner labels to the routes of its directly connected sites, and advertises the labels along with VPN routes to the SPE through MP-BGP.

· An SPE manages and advertises VPN routes. It maintains all the routes of the VPNs connected through UPEs, including the routes of both the local and remote sites. An SPE advertises routes along with labels to UPEs, including the default routes of VPN instances or summary routes and the routes permitted by the routing policy. By using routing policies, you can control which sites in a VPN can communicate with each other.

Different roles mean different requirements:

· An SPE must have a large routing table capacity and high forwarding performance but needs fewer interface resources.

· A UPE must have higher access capability but needs a small routing table capacity and low forwarding performance.

HoVPN makes full use of both the high performance of SPEs and the high access capability of UPEs.

The concepts of SPE and UPE are relative. In the hierarchical PE architecture, a PE might be the SPE of its underlayer PEs and a UPE of its SPE at the same time.

The HoPE and common PEs can coexist in an MPLS network.

SPE-UPE

Either MP-IBGP or MP-EBGP can run between SPE and UPE.

For MP-IBGP to advertise routes between IBGP peers, the SPE acts as the RR and advertises routes from IBGP peer UPE to IBGP peer SPE. However, it does not act as the RR of the other PEs.

Recursion and extension of HoVPN

HoVPN supports HoPE recursion:

· A HoPE can act as a UPE to form a new HoPE with an SPE.

· A HoPE can act as an SPE to form a new HoPE with multiple UPEs.

· HoVPN supports multilevel recursion.

Figure 15 Recursion of HoPEs

Figure 15 shows a three-level HoPE. The PE in the middle is called the middle-level PE (MPE). MP-BGP runs between SPE and MPE, and between MPE and UPE.

MP-BGP advertises all the VPN routes of UPEs to the SPEs, and advertises the default routes of the VPN instance of the SPEs or the VPN routes permitted by the routing policies to the UPEs.

The SPE maintains the VPN routes of all sites in the HoVPN. Each UPE maintains only VPN routes of its directly connected sites. An MPE has fewer routes than the SPE but has more routes than a UPE.

OSPF VPN extension

This section describes the OSPF VPN extension. For more information about OSPF, see Layer 3—IP Routing Configuration Guide.

OSPF for VPNs on a PE

OSPF is a commonly used IGP protocol. Running OSPF between a PE and a CE can simplify CE configuration and management because the CEs only need to support OSPF. In addition, if the customers require MPLS L3VPN services through a conventional OSPF backbone, using OSPF between a PE and a CE can simplify the transition.

For OSPF to run between CE and PE, the PE must support multiple OSPF processes. Each OSPF process corresponds to a VPN instance and maintains its own interfaces and routing table.

The following describes OSPF configurations between a PE and a CE:

· OSPF area configuration between a PE and a CE:

The OSPF area between a PE and a CE can be either a non-backbone area or a backbone area.

In the OSPF VPN extension application, the MPLS VPN backbone is considered the backbone area (area 0). The area 0 of each VPN site must be connected to the MPLS VPN backbone because OSPF requires that the backbone area be contiguous.

If a VPN site contains an OSPF area 0, the PE must be connected to the backbone area of the VPN site through area 0. You can configure a virtual link to connect the CE to the PE.

· BGP/OSPF interaction:

PEs advertise VPN routes to each other through BGP and to CEs through OSPF.

Conventional OSPF considers that two sites are in different ASs even if they belong to the same VPN. Therefore, the routes that one site learns are advertised to the other as external routes. This results in OSPF traffic and network management problems.

Extended OSPF supports multiple instances to address OSPF traffic and network management problems. When configured correctly, OSPF sites are considered directly connected, and PEs exchange OSPF routing information as they do on a dedicated line. This simplifies network management and makes OSPF applications more effective.

As shown in Figure 16, PE 1 and PE 2 are connected through the MPLS backbone. CE 11, CE 21, and CE 22 belong to VPN 1. Assume that CE 11, CE 21, and CE 22 belong to the same OSPF domain. PEs advertise VPN 1 routes by using the following process:

a. PE 1 redistributes OSPF routes of CE 11 into BGP.

b. PE 1 advertises the VPN routes to PE 2 through BGP.

c. PE 2 redistributes the BGP VPN routes into OSPF and advertises them to CE 21 and CE 22.

Figure 16 Application of OSPF in VPN

With the standard BGP/OSPF interaction, PE 2 advertises the BGP VPN routes to CE 21 and CE 22 in Type 5 LSAs (ASE LSAs). However, CE 11, CE 21, and CE 22 belong to the same OSPF domain, and route advertisements between them should use Type 3 LSAs (inter-area routes).

With the extended BGP/OSPF interaction, PEs advertise routes from one site to another site in Type 3 LSAs. The process requires that extended BGP community attributes include the information for identifying the OSPF attributes.

Each OSPF domain must have a domain ID. H3C recommends that you configure the same domain ID or adopt the default ID for all OSPF processes of the same VPN, so the system can know that VPN routes with the same domain ID are from the same VPN.

· Routing loop detection:

If a CE and a PE are connected through the OSPF backbone area, when a PE advertises BGP VPN routes learned from MPLS/BGP to the VPN site through LSAs, the LSAs might be received by another PE. This results in a routing loop.

To avoid routing loops, when creating Type 3 LSAs, the PE always sets the flag bit DN for BGP VPN routes learned from MPLS/BGP, regardless of whether the PE and the CE are connected through the OSPF backbone. When performing route calculation, the OSPF process of the PE ignores the Type 3 LSAs whose DN bit is set.

If the PE needs to advertise routes from other OSPF domains to a CE, it must indicate that it is the ASBR, and advertise the routes in Type 5 LSAs.

OSPF sham link

On a PE, BGP routes received from the peer PE are redistributed into OSPF, and OSPF advertises these routes in Type 3 summary LSAs (inter-area routes) to the CE. As shown in Figure 17, both site 1 and site 2 belong to VPN 1 and OSPF area 1. Both an intra-area route (called a backdoor link) and an inter-area route exist between the two sites. The inter-area route is not preferred by OSPF because its priority is lower than the intra-area route priority.

Figure 17 Network diagram for sham link

To use the inter-area route, you can establish a sham link between the two PEs to change the inter-area route to an intra-area route. The sham link is advertised in a Type 1 LSA as an intra-area point-to-point link. You can also select the sham link or the backdoor link by adjusting their costs.

The sham link is considered a link between the two VPN instances. Each VPN instance has an endpoint address of the sham link, which is a loopback interface address with a 32-bit mask in the VPN address space. Different sham links of the same OSPF process can share an endpoint address, but sham links of different OSPF processes cannot share an endpoint address.

BGP advertises the endpoint addresses of sham links as VPN-IPv4 addresses. Sham link routes cannot be redistributed into BGP as VPN-IPv4 routes.

A sham link can be configured in any area and can only be manually configured. The local VPN instance must have a route to the destination of the sham link.

BGP AS number substitution

BGP detects routing loops by examining AS numbers. If EBGP runs between PE and CE, you must assign different AS numbers to geographically different sites to ensure correct transmission of routing information.

The BGP AS number substitution function allows physically dispersed CEs to use the same AS number. The function is a BGP outbound policy and affects routes to be advertised.

With the BGP AS number substitution function, when a PE advertises a route to a CE, if an AS number identical to that of the CE exists in the AS_PATH of the route, the PE replaces it with its own AS number.

After you enable the BGP AS number substitution function, the PE performs BGP AS number substitution for all routes and re-advertises them to connected CEs in the peer group.

Figure 18 Application of BGP AS number substitution

As shown in Figure 18, both Site and Site 2 use the AS number 800. AS number substitution is enabled on PE 2 for CE 2. Before advertising updates received from CE 1 to CE 2, PE 2 substitutes its own AS number 100 for the AS number 800. In this way, CE 2 can correctly receive the routing information from CE 1.

Multi-VPN instance CE

BGP/MPLS VPN transmits private network data through MPLS tunnels over the public network. However, the traditional MPLS L3VPN architecture requires that each VPN instance use an exclusive CE to connect to a PE, as shown in Figure 1.

A private network is usually divided into multiple VPNs to isolate services. To meet these requirements, you can configure a CE for each VPN, which increases device expense and maintenance costs. Or, you can configure multiple VPNs to use the same CE and the same routing table, which sacrifices data security.

You can use the Multi-VPN Instance CE (MCE) function in multi-VPN networks. MCE allows you to bind each VPN to a VLAN interface. The MCE creates and maintains a separate routing table for each VPN. This separates the forwarding paths of packets of different VPNs and, in conjunction with the PE, can correctly advertise the routes of each VPN to the peer PE, ensuring the normal transmission of VPN packets over the public network.

Figure 19 Network diagram for the MCE function

As shown in Figure 19, the MCE device creates a routing table for each VPN. VLAN interface 2 binds to VPN 1 and VLAN-interface 3 binds to VPN 2. When receiving a route, the MCE device determines the source of the routing information according to the number of the receiving interface, and then adds it to the corresponding routing table. The MCE connects to PE 1 through a trunk link that permits packets tagged with VLAN 2 or VLAN 3. PE 1 determines the VPN that a received packet belongs to according to the VLAN tag of the packet, and sends the packet through the corresponding tunnel.

You can configure static routes, RIP, OSPF, IS-IS, EBGP, or IBGP between an MCE and a VPN site and between an MCE and a PE.

NOTE:

To implement dynamic IP assignment for DHCP clients in private networks, you can configure DHCP server or DHCP relay agent on the MCE. When the MCE functions as the DHCP server, the IP addresses assigned to different private networks cannot overlap.

Protocols and standards

· RFC 3107, Carrying Label Information in BGP-4

· RFC 4360, BGP Extended Communities Attribute

· RFC 4364, BGP/MPLS IP Virtual Private Networks (VPNs)

· RFC 4577, OSPF as the Provider/Customer Edge Protocol for BGP/MPLS IP Virtual Private Networks (VPNs)

MPLS L3VPN configuration task list

Tasks at a glance
Configuring basic MPLS L3VPN
Configuring inter-AS VPN
Configuring nested VPN
Configuring HoVPN
Configuring an OSPF sham link
Configuring routing on an MCE
Specifying the VPN label processing mode on the egress PE
Configuring BGP AS number substitution
Enabling SNMP notifications for MPLS L3VPN

Configuring basic MPLS L3VPN

Tasks at a glance
Configuring VPN instances: 1. (Required.) Creating a VPN instance 2. (Required.) Associating a VPN instance with an interface 3. (Optional.) Configuring route related attributes for a VPN instance


(Required.) Configuring routing between a PE and a CE
(Required.) Configuring routing between PEs
(Optional.) Configuring BGP VPNv4 route control

Configuration prerequisites

Before you configure basic MPLS L3VPN, complete the following tasks:

· Configure an IGP for the MPLS backbone (on the PEs and Ps) to ensure IP connectivity.

· Configure basic MPLS for the MPLS backbone.

· Configure MPLS LDP for the MPLS backbone so that LDP LSPs can be established.

Configuring VPN instances

VPN instances isolate VPN routes from public network routes and routes among VPNs. This feature allows VPN instances to be used in network scenarios besides MPLS L3VPNs.

All VPN instance configurations are performed on PEs or MCEs.

Creating a VPN instance

A VPN instance is a collection of the VPN membership and routing rules of its associated site. A VPN instance might correspond to more than one VPN.

Follow these guidelines when you specify a reserved VLAN for a VPN instance:

· The reserved VLAN configuration takes effect only when the system is operating in standard mode. For more information about system operating modes, see Fundamentals Configuration Guide.

· When the system is operating in standard mode, you must configure a reserved VLAN for a created VPN instance in the following cases:

¡ The VPN instance does not connect to any CEs.

¡ It is required to configure the multicast VPN function for the VPN instance.

¡ It is required to bind the VPN instance to an IP tunnel.

· When the system is operating in standard mode, if a VPN instance is not configured with a reserved VLAN, you cannot configure URPF on the private network VLAN interface bound to the VPN instance.

To create and configure a VPN instance:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a VPN instance and enter VPN instance view.	ip vpn-instance vpn-instance-name	By default, no VPN instance is created.
3. Specify a reserved VLAN for the VPN instance.	reserve-vlan vlan-id	By default, no reserved VLAN is specified for a VPN instance.
4. Configure an RD for the VPN instance.	route-distinguisher route-distinguisher	By default, no RD is specified for a VPN instance.
5. (Optional.) Configure a description for the VPN instance.	description text	By default, no description is configured for a VPN instance.
6. (Optional.) Configure a VPN ID for the VPN instance.	vpn-id vpn-id	By default, no VPN ID is configured for a VPN instance.

Associating a VPN instance with an interface

After creating and configuring a VPN instance, associate the VPN instance with the interface connected to the CE.

To associate a VPN instance with an interface:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Associate a VPN instance with the interface.	ip binding vpn-instance vpn-instance-name	By default, no VPN instance is associated with an interface. The ip binding vpn-instance command deletes the IP address of the current interface. You must reconfigure an IP address for the interface after configuring the command.

Configuring route related attributes for a VPN instance

VPN routes are controlled and advertised on a PE by using the following process:

· When a VPN route learned from a site gets redistributed into BGP, BGP associates it with a route target extended community attribute list, which is usually the export target attribute of the VPN instance associated with the site.

· The VPN instance determines which routes it can accept and redistribute according to the import-extcommunity in the route target.

· The VPN instance determines how to change the route target attributes for routes to be advertised according to the export-extcommunity in the route target.

To configure route related attributes for a VPN instance:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter VPN instance view or IPv4 VPN view	· Enter VPN instance view: ip vpn-instance vpn-instance-name · Enter IPv4 VPN view: a. ip vpn-instance vpn-instance-name b. ipv4-family	Configurations made in VPN instance view apply to both IPv4 VPN and IPv6 VPN. IPv4 VPN prefers the configurations in IPv4 VPN view over the configurations in VPN instance view.
3. Configure route targets.	vpn-target vpn-target&<1-8> [ both \| export-extcommunity \| import-extcommunity ]	By default, no route targets are configured.
4. Set the maximum number of active routes.	routing-table limit number { warn-threshold \| simply-alert }	By default, the maximum number of active routes depends on the system operating mode. Setting the maximum number of active routes for a VPN instance can prevent the PE from learning too many routes.
5. Apply an import routing policy.	import route-policy route-policy	By default, all routes matching the import target attribute are accepted. The specified routing policy must have been created. For information about routing policies, see Layer 3—IP Routing Configuration Guide.
6. Apply an export routing policy.	export route-policy route-policy	By default, routes to be advertised are not filtered. The specified routing policy must have been created. For information about routing policies, see Layer 3—IP Routing Configuration Guide.
7. Apply a tunnel policy to the VPN instance.	tnl-policy tunnel-policy-name	By default, only one LSP tunnel is selected (no load balancing). The specified tunnel policy must have been created.

Configuring routing between a PE and a CE

You can configure static routing, RIP, OSPF, IS-IS, EBGP, or IBGP between a PE and a CE.

Configuring static routing between a PE and a CE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure a static route for a VPN instance.	ip route-static vpn-instance s-vpn-instance-name dest-address { mask-length \| mask } { interface-type interface-number [ next-hop-address ] \|next-hop-address [ public ] [ track track-entry-number ] \| vpn-instance d-vpn-instance-name next-hop-address [ track track-entry-number ] } [ permanent ] [ preference preference-value ] [ tag tag-value ] [ description description-text ]	By default, no static route is configured for a VPN instance. Perform this configuration on the PE. On the CE, configure a common static route. For more information about static routing, see Layer 3—IP Routing Configuration Guide.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure a static route for a VPN instance.

ip route-static vpn-instance s-vpn-instance-name dest-address { mask-length | mask } { interface-type interface-number [ next-hop-address ] |next-hop-address [ public ] [ track track-entry-number ] | vpn-instance d-vpn-instance-name next-hop-address [ track track-entry-number ] } [ permanent ] [ preference preference-value ] [ tag tag-value ] [ description description-text ]

By default, no static route is configured for a VPN instance.

Perform this configuration on the PE. On the CE, configure a common static route.

For more information about static routing, see Layer 3—IP Routing Configuration Guide.

Configuring RIP between a PE and a CE

A RIP process belongs to the public network or a single VPN instance. If you create a RIP process without binding it to a VPN instance, the process belongs to the public network.

To configure RIP between a PE and a CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a RIP process for a VPN instance and enter RIP view.	rip [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the PE. On the CE, create a common RIP process.
3. Enable RIP on the interface attached to the specified network.	network network-address	By default, RIP is disabled on an interface.

Configuring OSPF between a PE and a CE

An OSPF process that is bound to a VPN instance does not use the public network router ID configured in system view. Therefore, you must specify a router ID when starting a process or configure an IP address for at least one interface of the VPN instance.

An OSPF process belongs to the public network or a single VPN instance. If you create an OSPF process without binding it to a VPN instance, the process belongs to the public network.

To configure OSPF between a PE and a CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an OSPF process for a VPN instance and enter the OSPF view.	ospf [ process-id \| router-id router-id \| vpn-instance vpn-instance-name ] *	Perform this configuration on the PE. On the CE, create a common OSPF process.
3. (Optional.) Configure an OSPF domain ID.	domain-id domain-id [ secondary ]	The default domain ID is 0. Perform this configuration on the PE. On the CE, configure common OSPF. The domain ID is carried in the routes of the OSPF process. When redistributing routes from the OSPF process, BGP adds the domain ID as an extended community attribute into BGP VPN routes. An OSPF process can be configured with only one domain ID. Domain IDs of different OSPF processes are independent of each other. All OSPF processes of a VPN must be configured with the same domain ID, while OSPF processes on PEs in different VPNs can be configured with domain IDs as desired.
4. Configure the type codes of OSPF extended community attributes.	ext-community-type { domain-id type-code1 \| router-id type-code2 \| route-type type-code3 }	The defaults are as follows: · 0x0005 for Domain ID. · 0x0107 for Router ID. · 0x0306 for Route Type. Perform this configuration on the PE.
5. Create an OSPF area and enter area view.	area area-id	By default, no OSPF area is created.
6. Enable OSPF on the interface attached to the specified network in the area.	network ip-address wildcard-mask	By default, an interface neither belongs to any area nor runs OSPF.

Configuring IS-IS between a PE and a CE

An IS-IS process belongs to the public network or a single VPN instance. If you create an IS-IS process without binding it to a VPN instance, the process belongs to the public network.

To configure IS-IS between a PE and a CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an IS-IS process for a VPN instance and enter IS-IS view.	isis [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the PE. On the CE, configure common IS-IS.
3. Configure a network entity title for the IS-IS process.	network-entity net	By default, no NET is configured.
4. Return to system view.	quit	N/A
5. Enter interface view.	interface interface-type interface-number	N/A
6. Enable the IS-IS process on the interface.	isis enable [ process-id ]	By default, no IS-IS process is enabled on the interface.

Configuring EBGP between a PE and a CE

1. Configure the PE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable BGP and enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	Configuration commands in BGP-VPN instance view are the same as those in BGP view. For details, see Layer 3—IP Routing Configuration Guide.
4. Configure the CE as the VPN EBGP peer.	peer { group-name \| ip-address } as-number as-number	By default, no BGP peer is configured. For more information about BGP peers and peer groups, see Layer 3—IP Routing Configuration Guide.
5. Create the BGP-VPN IPv4 unicast family and enter its view.	address-family ipv4 [ unicast ]	By default, the BGP-VPN IPv4 unicast family is not created.
6. Enable IPv4 unicast route exchange with the specified peer or peer group.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
7. Redistribute the routes of the local CE.	import-route protocol [ { process-id \| all-processes } [ med med-value \| route-policy route-policy-name ] * ]	A PE must redistribute the routes of the local CE into its VPN routing table so it can advertise them to the peer PE.
8. (Optional.) Allow the local AS number to appear in the AS_PATH attribute of a received route, and set the maximum number of repetitions.	peer { group-name \| ip-address } allow-as-loop [ number ]	By default, BGP discards incoming route updates that contain the local AS number. BGP detects routing loops by examining AS numbers.

2. Configure the CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the PE as a BGP peer.	peer { group-name \| ip-address } as-number as-number	By default, no BGP peer is created.
4. Create the BGP IPv4 unicast family and enter its view.	address-family ipv4 [ unicast ]	By default, the BGP IPv4 unicast family is not created.
5. Enable IPv4 unicast route exchange with the specified peer or peer group.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
6. (Optional.) Configure route redistribution.	import-route protocol [ { process-id \| all-processes } [ med med-value \| route-policy route-policy-name ] * ]	A CE must redistribute its routes to the PE so the PE can advertise them to the peer CE.

Configuring IBGP between a PE and a CE

Use IBGP between PE and CE only in a basic MPLS L3VPN network. In networks such as Hub&Spoke, Extranet, inter-AS VPN, carrier's carrier, nested VPN, and HoVPN, you cannot use IBGP between PE and CE.

1. Configure the PE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	Configuration commands in BGP-VPN instance view are the same as those in BGP view. For details, see Layer 3—IP Routing Configuration Guide.
4. Configure the CE as the VPN IBGP peer.	peer { group-name \| ip-address } as-number as-number	By default, no BGP peer is created.
5. Create the BGP-VPN IPv4 unicast family and enter its view.	address-family ipv4 [ unicast ]	By default, the BGP-VPN IPv4 unicast family is not created.
6. Enable IPv4 unicast route exchange with the specified peer.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
7. Configure the CE as a client of the RR.	peer { group-name \| ip-address } reflect-client	By default, no RR or RR client is configured, and the PE does not advertise routes learned from the IBGP peer CE to other IBGP peers, including VPNv4 IBGP peers. The PE advertises routes learned from the CE to other IBGP peers only when you configure the IBGP peer CE as a client of the RR. Configuring an RR does not change the next hop of a route. To change the next hop of a route, configure an inbound policy on the receiving side.
8. (Optional.) Enable route reflection between clients.	reflect between-clients	Route reflection between clients is enabled by default.
9. (Optional.) Configure the cluster ID for the RR.	reflector cluster-id { cluster-id \| ip-address }	By default, the RR uses its own router ID as the cluster ID. If multiple RRs exist in a cluster, use this command to configure the same cluster ID for all RRs in the cluster to avoid routing loops.

2. Configure the CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the PE as an IBGP peer.	peer { group-name \| ip-address } as-number as-number	By default, no BGP peer is created.
4. Create the BGP IPv4 unicast family and enter its view.	address-family ipv4 [ unicast ]	By default, the BGP IPv4 unicast family is not created.
5. Enable IPv4 unicast route exchange with the specified peer or peer group.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
6. (Optional.) Configure route redistribution.	import-route protocol [ { process-id \| all-processes } [ med med-value \| route-policy route-policy-name ] * ]	A CE must redistribute its routes to the PE so the PE can advertise them to the peer CE.

Configuring routing between PEs

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the remote PE as a BGP peer.	peer { group-name \| ip-address } as-number as-number	By default, no BGP peer is created.
4. Specify the source interface for route updates.	peer { group-name \| ip-address } connect-interface interface-type interface-number	By default, BGP uses the egress interface of the optimal route destined for the peer as the source interface.
5. Create the BGP VPNv4 address family and enter its view.	address-family vpnv4	By default, the BGP VPNv4 address family is not created.
6. Enable BGP-VPNv4 route exchange with the specified peer.	peer { group-name \| ip-address } enable	By default, BGP does not exchange BGP-VPNv4 routes with any peer.

Configuring BGP VPNv4 route control

BGP VPNv4 route control is configured similarly with BGP route control, except that it is configured in BGP-VPNv4 address family view. For detailed information about BGP route control, see Layer 3—IP Routing Configuration Guide.

To configure BGP VPNv4 route control:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPNv4 address family view.	address-family vpnv4	N/A
4. Configure filtering of advertised routes.	filter-policy { acl-number \| prefix-list prefix-list-name } export [ protocol process-id ]	By default, BGP does not filter advertised routes.
5. Configure filtering of received routes.	filter-policy { acl-number \| prefix-list prefix-list-name } import	By default, BGP does not filter received routes.
6. Advertise the COMMUNITY attribute to a peer or peer group.	peer { group-name \| ip-address } advertise-community	By default, BGP does not advertise the COMMUNITY attribute to any peers or peer groups.
7. Allow the local AS number to appear in the AS_PATH attribute of routes received from the peer, and set the maximum number of repetitions.	peer { group-name \| ip-address } allow-as-loop [ number ]	By default, BGP discards route updates that contain the local AS number.
8. Filter routes received from or advertised to a peer or peer group based on an AS_PATH list.	peer { group-name \| ip-address } as-path-acl aspath-filter-number { import \| export }	By default, no AS filtering list is applied to a peer or peer group.
9. Advertise a default VPN route to a peer or peer group.	peer { group-name \| ip-address } default-route-advertise vpn-instance vpn-instance-name	By default, no default VPN route is advertised to a peer or peer group.
10. Apply an ACL to filter routes received from or advertised to a peer or peer group.	peer { group-name \| ip-address } filter-policy acl-number { export \| import }	By default, no ACL-based filtering is configured.
11. Save all route updates from a peer or peer group.	peer { group-name \| ip-address } keep-all-routes	By default, BGP does not save route updates from any peer.
12. Specify the router as the next hop of routes sent to a peer or peer group.	peer { group-name \| ip-address } next-hop-local	By default, the router sets itself as the next hop for routes sent to a peer or peer group.
13. Configure BGP to not change the next hop of routes sent to an EBGP peer or peer group.	peer { group-name \| ip-address } next-hop-invariable	By default, the router sets itself as the next hop for routes sent to an EBGP peer or peer group. In an inter-AS option C network where an RR is used to advertise VPNv4 routes, configure this command on the RR so the RR does not change the next hop of routes sent to EBGP peers and clients.
14. Specify a preferred value for routes received from a peer or peer group.	peer { group-name \| ip-address } preferred-value value	By default, the preferred value is 0.
15. Apply a prefix list to filter routes received from or advertised to a peer or peer group.	peer { group-name \| ip-address } prefix-list prefix-list-name { export \| import }	By default, no prefix list based filtering is configured.
16. Configure BGP updates advertised to an EBGP peer or peer group to carry only public AS numbers.	peer { group-name \| ip-address } public-as-only	By default, BGP route updates advertised to an EBGP peer or peer group can carry both public and private AS numbers.
17. Configure the router as a route reflector and specify a peer or peer group as its client.	peer { group-name \| ip-address } reflect-client	By default, no RR is configured.
18. Specify the maximum number of routes BGP can receive from a peer or peer group.	peer { group-name \| ip-address } route-limit prefix-number [ { alert-only \| reconnect reconnect-time } \| percentage-value ] *	By default, the number of routes that BGP can receive from a peer or peer group is not limited.
19. Apply a routing policy to a peer or peer group.	peer { group-name \| ip-address } route-policy route-policy-name { export \| import }	By default, no routing policy is applied to a peer or peer group.
20. Enable route target-based filtering of received VPNv4 routes.	policy vpn-target	By default, this feature is enabled.
21. Enable route reflection between clients.	reflect between-clients	By default, route reflection between clients is enabled on the RR.
22. Configure a cluster ID for the route reflector.	reflector cluster-id { cluster-id \| ip-address }	By default, the RR uses its own router ID as the cluster ID.
23. Configure filtering of reflected routes.	rr-filter extended-community-number	By default, the RR does not filter reflected routes.

Configuring inter-AS VPN

If the MPLS backbone spans multiple ASs, you must configure inter-AS VPN.

Before you configure an inter-AS VPN, complete the following tasks:

· Configure an IGP for the MPLS backbones in each AS.

· Configure basic MPLS for the MPLS backbone of each AS.

· Configure MPLS LDP for the MPLS backbone of each AS so that LDP LSPs can be established.

· Configure basic MPLS L3VPN for each AS.

When configuring basic MPLS L3VPN for each AS, specific configurations might be required on PEs or ASBR-PEs. This depends on the inter-AS VPN solution selected.

Configuring inter-AS option A

Inter-AS option A applies to scenarios with a few VPNs.

To configure inter-AS option A, create VPN instances on PEs and ASBR-PEs. The VPN instances on PEs are used to allow CEs to access the network. The VPN instances on ASBR-PEs are used to access the peer ASBR-PEs. An ASBR-PE considers the peer ASBR-PE as a CE.

The route targets configured on the PEs must match those configured on the ASBR-PEs in the same AS to make sure VPN routes sent by the PEs (or ASBR-PEs) can be received by the ASBR-PEs (or PEs). Route targets configured on the PEs in different ASs do not have such requirements.

For more information, see "Configuring basic MPLS L3VPN."

Configuring inter-AS option B

Inter-AS option B requires that ASBR-PEs maintain all VPNv4 routing information and advertise the information to peer ASBR-PEs. The ASBR-PEs must receive all VPNv4 routing information without performing route target-based filtering.

The route targets for the VPN instances on the PEs in different ASs must match for the same VPN.

An ASBR-PE always sets itself as the next hop of VPNv4 routes advertised to an MP-IBGP peer regardless of the peer next-hop-local command.

ASBR-PEs use BGP to assign labels and create BGP LSPs. There is no need to configure MPLS LDP between ASBR-PEs.

To configure inter-AS option B on an ASBR-PE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view of the interface connecting to the remote ASBR-PE.	interface interface-type interface-number	N/A
3. Configure the IP address of the interface.	ip address ip-address { mask \| mask-length }	N/A
4. Return to system view.	quit	N/A
5. Enter BGP view.	bgp as-number	N/A
6. Enter BGP VPNv4 address family view.	address-family vpnv4	N/A
7. Disable route target based filtering of VPNv4 routes.	undo policy vpn-target	By default, the PE filters received VPNv4 routes by route targets. The routes surviving the filtering are added to the routing table, and the others are discarded.

Configuring inter-AS option C

To configure inter-AS option C, perform configurations on PEs and ASBR-PEs, and configure routing policies on the ASBR-PEs.

Configuring a PE

Establish an ordinary IBGP peer relationship between a PE and an ASBR-PE in an AS, and an MP-EBGP peer relationship between PEs of different ASs.

The PEs and ASBR-PEs in an AS must be able to exchange labeled IPv4 routes.

To configure a PE for inter-AS option C:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the ASBR-PE in the same AS as an IBGP peer.	peer { group-name \| ip-address } as-number as-number	By default, no BGP peer is created.
4. Configure the PE of another AS as an EBGP peer.	peer { group-name \| ip-address } as-number as-number	By default, no BGP peer is created.
5. Create the BGP IPv4 unicast address family and enter its view.	address-family ipv4 [ unicast ]	By default, the BGP IPv4 unicast address family is not created.
6. Enable the PE to exchange IPv4 unicast routes with the peer or peer group.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
7. Enable the PE to exchange labeled IPv4 routes with the ASBR-PE in the same AS.	peer { group-name \| ip-address } label-route-capability	By default, BGP does not advertise labeled routes to any IPv4 peer or peer group.
8. Return to BGP view.	quit	N/A
9. Enter BGP VPNv4 address family view.	address-family vpnv4	N/A
10. Enable the PE to exchange VPNv4 routes with the peer or peer group.	peer { group-name \| ip-address } enable	By default, BGP does not exchange VPNv4 routes with any peer.
11. (Optional.) Configure the PE to not change the next hop of routes advertised to the EBGP peer.	peer { group-name \| ip-address } next-hop-invariable	Configure this command on the RR so the RR does not change the next hop of advertised VPNv4 routes.

Configuring an ASBR-PE

In the inter-AS option C solution, an inter-AS LSP is required, and the public network routes advertised between the relevant PEs and ASBRs must carry MPLS label information.

An ASBR-PE establishes common IBGP peer relationships with PEs in the same AS, and a common EBGP peer relationship with the peer ASBR-PE. All of them can exchange labeled IPv4 routes.

Public network routes carrying MPLS labels are advertised through MP-BGP. According to RFC 3107 "Carrying Label Information in BGP-4," the label mapping information for a particular route is piggybacked in the same BGP update message that is used to distribute the route. This capability is implemented through BGP extended attributes and requires that BGP peers can handle labeled IPv4 routes.

To configure an ASBR-PE for inter-AS option C:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the PE in the same AS as an IBGP peer.	peer { group-name \| ip-address } as-number as-number	By default, no BGP peer is created.
4. Configure the peer ASBR-PE as an EBGP peer.	peer { group-name \| ip-address } as-number as-number	By default, no BGP peer is created.
5. Create BGP IPv4 unicast address family and enter its view.	address-family ipv4 [ unicast ]	By default, the BGP IPv4 unicast address family is not created.
6. Enable exchange of IPv4 unicast routes with the peer or peer group.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
7. Enable exchange of labeled IPv4 routes with the PE in the local AS and the peer ASBR-PE.	peer { group-name \| ip-address } label-route-capability	By default, BGP does not advertise labeled routes to any IPv4 peer or peer group.
8. Configure the ASBR-PE to set itself as the next hop of routes advertised to the PE in the local AS.	peer { group-name \| ip-address } next-hop-local	By default, BGP does not use its address as the next hop of routes advertised to an IBGP peer or peer group.

Configuring a routing policy on an ASBR-PE

A routing policy on an ASBR-PE does the following:

· Assigns MPLS labels to routes received from the PEs in the local AS before advertising them to the peer ASBR-PE.

· Assigns new MPLS labels to labeled IPv4 routes advertised to PEs in the local AS.

Which IPv4 routes are assigned with MPLS labels depends on the routing policy. Only routes that meet the criteria are assigned with labels. All other routes are still common IPv4 routes.

To configure a routing policy for inter-AS option C on an ASBR-PE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a routing policy and enter routing policy view.	route-policy route-policy-name { deny \| permit } node node-number	By default, no routing policy is created.
3. Match IPv4 routes carrying labels.	if-match mpls-label	By default, no match criterion is configured.
4. Set labels for IPv4 routes.	apply mpls-label	By default, no apply clause is configured.

Configuring nested VPN

For a network with many VPNs, nested VPN is a good solution to implement layered management of VPNs and to conceal the deployment of internal VPNs.

To build a nested VPN network, perform the following configurations:

· Configurations between customer PE and customer CE—Configure VPN instances on the customer PE and configure route exchange between customer PE and customer CE.

· Configurations between customer PE and provider CE—Configure BGP VPNv4 route exchange between them.

· Configurations between provider CE and provider PE—Configure VPN instances and enable nested VPN on the provider PE and configure BGP VPNv4 route exchange between the provider CE and provider PE. To make sure the provider CE can receive all VPNv4 routes, configure the undo policy vpn-target command on the provider CE to not filter VPNv4 routes by RTs.

· Configurations between provider PEs—Configure BGP VPNv4 route exchange between them.

Nested VPN allows a customer PE to directly exchange VPNv4 routes with a provider PE, without needing to deploy a provider CE. In this case, the customer PE also acts as the provider CE. Therefore, you must configure provider CE settings on it.

Configurations on the customer CE, customer PE, and provider CE are similar to basic MPLS L3VPN configurations. This task describes the configurations on the provider PE.

When you configure nested VPN, follow these guidelines:

· The address spaces of sub-VPNs of a VPN cannot overlap.

· Do not assign nested VPN peers addresses that public network peers use.

· Nested VPN does not support multihop EBGP. A provider PE and a provider CE must use the addresses of the directly connected interfaces to establish a neighbor relationship.

To configure nested VPN:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP VPNv4 address family view.	address-family vpnv4	N/A
4. Enable nested VPN.	nesting-vpn	By default, nested VPN is disabled.
5. Return to BGP view.	quit	N/A
6. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
7. Specify the peer CE or the peer group of the peer CE.	peer { group-name \| peer-address } as-number as-number	By default, no peer is specified.
8. Create the BGP-VPN VPNv4 address family and enter its view.	address-family vpnv4	By default, the BGP-VPN VPNv4 address family is not created.
9. Enable BGP VPNv4 route exchange with the peer CE or the peer group of the peer CE.	peer { group-name \| peer-address } enable	By default, BGP does not exchange VPNv4 routes with any peer.

Configuring HoVPN

HoVPN is suited to build hierarchical VPNs, reducing performance requirements for PEs.

Before you configure HoVPN, complete basic MPLS L3VPN settings on UPE and SPE.

Do not configure the peer default-route-advertise vpn-instance and peer upe route-policy commands at the same time.

To configure HoVPN:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Specify a BGP peer or peer group.	peer { group-name \| peer-address } as-number as-number	By default, no BGP peer is specified.
4. Enter BGP-VPN VPNv4 address family view.	address-family vpnv4	N/A
5. Enable BGP-VPNv4 route exchange with the peer or peer group.	peer { group-name \| ip-address } enable	By default, BGP does not exchange VPNv4 routes with any peer.
6. Specify the BGP peer or peer group as a UPE.	peer { group-name \| ip-address } upe	By default, no peer is a UPE.
7. Advertise routes to the UPE.	· Advertise a default VPN route to the UPE: peer { group-name \| ip-address } default-route-advertise vpn-instance vpn-instance-name · Advertise routes permitted by a routing policy to the UPE: peer { group-name \| ip-address } upe route-policy route-policy-name export	By default, no route is advertised to the UPE. Do not configure both commands. The peer default-route-advertise vpn-instance command advertises a default route using the local address as the next hop to the UPE, regardless of whether the default route is present in the local routing table. However, if the specified peer is not a UPE, the command does not advertise a default route.

Configuring an OSPF sham link

When a backdoor link exists between the two sites of a VPN, you can create a sham link between PEs to forward VPN traffic through the sham link on the backbone rather than the backdoor link. A sham link is considered an OSPF intra-area route.

The source and destination addresses of the sham link must be loopback interface addresses with 32-bit masks. The loopback interfaces must be bound to VPN instances, and their addresses are advertised through BGP.

Before you configure an OSPF sham link, complete the following tasks:

· Configure basic MPLS L3VPN (OSPF is used between PE and CE).

· Configure OSPF in the LAN where customer CEs reside.

Configuring a loopback interface

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a loopback interface and enter loopback interface view.	interface loopback interface-number	N/A
3. Bind the loopback interface to a VPN instance.	ip binding vpn-instance vpn-instance-name	By default, the interface is associated with no VPN instance.
4. Configure the address of the loopback interface.	ip address ip-address { mask \| mask-length }	N/A

Redistributing the loopback interface route

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Enter BGP-VPN IPv4 unicast address family view.	address-family ipv4 [ unicast ]	N/A
5. Redistribute direct routes into BGP (including the loopback interface route).	import-route direct	By default, no direct routes are redistributed into BGP.

Creating a sham link

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter OSPF view.	ospf [ process-id \| router-id router-id \| vpn-instance vpn-instance-name ] *	H3C recommends that you specify a router ID.
3. Configure the external route tag for imported VPN routes.	route-tag tag-value	N/A
4. Enter OSPF area view.	area area-id	N/A
5. Configure a sham link.	sham-link source-ip-address destination-ip-address [ cost cost \| dead dead-interval \| hello hello-interval \| { { hmac-md5 \| md5 } key-id { cipher cipher-string \| plain plain-string } \| simple { cipher cipher-string \| plain plain-string } } \| retransmit retrans-interval \| trans-delay delay ] *	By default, no sham link is configured.

Configuring routing on an MCE

MCE implements service isolation through route isolation. MCE routing configuration includes the following:

· MCE-VPN site routing configuration.

· MCE-PE routing configuration.

On the PE, do the following:

· Disable routing loop detection to avoid route loss during route calculation.

· Disable route redistribution between routing protocols to save system resources.

Before you configure routing on an MCE, complete the following tasks:

· Configure VPN instances, and bind the VPN instances to the interfaces connected to the VPN sites and the PE.

· Configure the link layer and network layer protocols on related interfaces to ensure IP connectivity.

Configuring routing between an MCE and a VPN site

You can configure static routing, RIP, OSPF, IS-IS, EBGP or IBGP between an MCE and a VPN site.

Configuring static routing between an MCE and a VPN site

An MCE can reach a VPN site through a static route. Static routing on a traditional CE is globally effective and does not support address overlapping among VPNs. An MCE supports binding a static route to a VPN instance, so that the static routes of different VPN instances can be isolated from each other.

To configure a static route to a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure a static route for a VPN instance.	ip route-static vpn-instance s-vpn-instance-name dest-address { mask-length \| mask } { interface-type interface-number [ next-hop-address ] \| next-hop-address [ public ] [ track track-entry-number ] \| vpn-instance d-vpn-instance-name next-hop-address [ track track-entry-number ] } [ permanent ] [ preference preference-value ] [ tag tag-value ] [ description description-text ]	By default, no static route is configured. Perform this configuration on the MCE. On the VPN site, configure a common static route.
3. (Optional.) Configure the default preference for static routes.	ip route-static default-preference default-preference-value	The default preference is 60.

Configuring RIP between an MCE and a VPN site

A RIP process belongs to the public network or a single VPN instance. If you create a RIP process without binding it to a VPN instance, the process belongs to the public network. Binding RIP processes to VPN instances can isolate routes of different VPNs. For more information about RIP, see Layer 3—IP Routing Configuration Guide.

To configure RIP between an MCE and a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a RIP process for a VPN instance and enter RIP view.	rip [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the MCE. On a VPN site, create a common RIP process.
3. Enable RIP on the interface attached to the specified network.	network network-address	By default, RIP is disabled on an interface.
4. Redistribute remote site routes advertised by the PE into RIP.	import-route protocol [ process-id ] [ allow-ibgp ] [ cost cost \| route-policy route-policy-name \| tag tag ] *	By default, no route is redistributed into RIP.
5. (Optional.) Configure the default cost value for the redistributed routes.	default cost value	The default cost is 0.

Configuring OSPF between an MCE and a VPN site

An OSPF process belongs to the public network or a single VPN instance. If you create an OSPF process without binding it to a VPN instance, the process belongs to the public network.

Binding OSPF processes to VPN instances can isolate routes of different VPNs. For more information about OSPF, see Layer 3—IP Routing Configuration Guide.

To configure OSPF between an MCE and a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an OSPF process for a VPN instance and enter OSPF view.	ospf [ process-id \| router-id router-id \| vpn-instance vpn-instance-name ] *	Perform this configuration on the MCE. On a VPN site, create a common OSPF process. An OSPF process bound to a VPN instance does not use the public network router ID configured in system view. Therefore, configure a router ID for the OSPF process. An OSPF process can belong to only one VPN instance, but one VPN instance can use multiple OSPF processes to advertise VPN routes.
3. (Optional.) Configure the OSPF domain ID.	domain-id domain-id [ secondary ]	The default domain ID is 0. Perform this configuration on the MCE. All OSPF processes of the same VPN instance must be configured with the same OSPF domain ID to ensure correct route advertisement.
4. Redistribute remote site routes advertised by the PE into OSPF.	import-route protocol [ process-id \| all-processes \| allow-ibgp ] [ cost cost \| route-policy route-policy-name \| tag tag \| type type ] *	By default, no routes are redistributed into OSPF.
5. Create an OSPF area and enter OSPF area view.	area area-id	By default, no OSPF area is created.
6. Enable OSPF on the interface attached to the specified network in the area.	network ip-address wildcard-mask	By default, an interface neither belongs to any area nor runs OSPF.

Configuring IS-IS between an MCE and a VPN site

An IS-IS process belongs to the public network or a single VPN instance. If you create an IS-IS process without binding it to a VPN instance, the process belongs to the public network.

Binding IS-IS processes to VPN instances can isolate routes of different VPNs. For more information about IS-IS, see Layer 3—IP Routing Configuration Guide.

To configure IS-IS between an MCE and a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an IS-IS process for a VPN instance and enter IS-IS view.	isis [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the MCE. On a VPN site, configure a common IS-IS process.
3. Configure a network entity title.	network-entity net	By default, no NET is configured.
4. Redistribute remote site routes advertised by the PE into IS-IS.	import-route protocol [ process-id \| all-processes \| allow-ibgp ] [ cost cost \| cost-type { external \| internal } \| [ level-1 \| level-1-2 \| level-2 ] \| route-policy route-policy-name \| tag tag ] *	By default, IS-IS does not redistribute routes from any other routing protocol. If you do not specify the route level in the command, the command redistributes routes to the level-2 routing table by default.
5. Return to system view.	quit	N/A
6. Enter interface view.	interface interface-type interface-number	N/A
7. Enable the IS-IS process on the interface.	isis enable [ process-id ]	IS-IS is disabled by default.

Configuring EBGP between an MCE and a VPN site

To run EBGP between an MCE and a VPN site, you must configure a BGP peer for each VPN instance on the MCE, and redistribute the IGP routes of each VPN instance on the VPN site.

You can configure filtering policies to filter received routes and advertised routes.

1. Configure the MCE:

Routes redistributed from OSPF to BGP have their OSPF attributes removed. To enable BGP to distinguish routes redistributed from different OSPF domains, you must enable the redistributed routes to carry the OSPF domain ID by configuring the domain-id command in OSPF view. The domain ID is added to BGP VPN routes as an extended community attribute.

To configure the MCE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	Configuration commands in BGP-VPN instance view are the same as those in BGP view. For details, see Layer 3—IP Routing Configuration Guide.
4. Configure an EBGP peer.	peer { group-name \| ip-address } as-number as-number	By default, no BGP peer is configured.
5. Enter BGP-VPN IPv4 unicast address family view.	address-family ipv4 [ unicast ]	N/A
6. Enable BGP to exchange IPv4 unicast routes with the peer.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
7. Allow the local AS number to appear in the AS_PATH attribute of routes received from the peer, and set the maximum number of repetitions.	peer { group-name \| ip-address } allow-as-loop [ number ]	By default, BGP discards incoming route updates that contain the local AS number. BGP detects routing loops by examining AS numbers. The routing information the MCE advertises to a site carries the local AS number. Therefore, the route updates that the MCE receives from the site also include the local AS number. This causes the MCE to be unable to receive the route updates. In this case, you must configure this command to allow routing loops.
8. Redistribute remote site routes advertised by the PE into BGP.	import-route protocol [ { process-id \| all-processes } [ med med-value \| route-policy route-policy-name ] * ]	By default, no routes are redistributed into BGP.
9. (Optional.) Configure filtering of advertised routes.	filter-policy { acl-number \| prefix-list prefix-list-name } export [ protocol process-id ]	By default, BGP does not filter advertised routes.
10. (Optional.) Configure filtering of received routes.	filter-policy { acl-number \| prefix-list prefix-list-name } import	By default, BGP does not filter received routes.

2. Configure a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the MCE as an EBGP peer.	peer { group-name \| ip-address } as-number as-number	N/A
4. Enter BGP-VPN IPv4 unicast address family view.	address-family ipv4 [ unicast ]	N/A
5. Enable BGP to exchange IPv4 unicast routes with the peer.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
6. Redistribute the IGP routes of the VPN into BGP.	import-route protocol [ { process-id \| all-processes } [ med med-value \| route-policy route-policy-name ] * ]	By default, no routes are redistributed into BGP. A VPN site must advertise the VPN network addresses it can reach to the connected MCE.

Configuring IBGP between MCE and VPN site

To run IBGP between an MCE and a VPN site, you must configure a BGP peer for each VPN instance on the MCE, and redistribute the IGP routes of each VPN instance on the VPN site.

1. Configure the MCE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Configure an IBGP peer.	peer { group-name \| ip-address } as-number as-number	N/A
5. Enter BGP-VPN IPv4 unicast address family view.	address-family ipv4 [ unicast ]	N/A
6. Enable BGP to exchange IPv4 unicast routes with the peer.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
7. (Optional.) Configure the system to be the RR, and specify the peer as the client of the RR.	peer { group-name \| ip-address } reflect-client	By default, no RR or RR client is configured. After you configure a VPN site as an IBGP peer, the MCE does not advertise the BGP routes learned from the VPN site to other IBGP peers, including VPNv4 peers. The MCE advertises routes learned from a VPN site only when you configure the VPN site as a client of the RR (the MCE).
8. Redistribute remote site routes advertised by the PE into BGP.	import-route protocol [ process-id \| all-processes ] [ med med-value \| route-policy route-policy-name ] *	By default, no routes are redistributed into BGP.
9. (Optional.) Configure filtering of advertised routes.	filter-policy { acl-number \| prefix-list prefix-list-name } export [ protocol process-id ]	By default, BGP does not filter advertised routes.
10. (Optional.) Configure filtering of received routes.	filter-policy { acl-number \| prefix-list prefix-list-name } import	By default, BGP does not filter received routes.

2. Configure a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the MCE as an IBGP peer.	peer { group-name \| ip-address } as-number as-number	N/A
4. Enter BGP-VPN IPv4 unicast address family view.	address-family ipv4 [ unicast ]	N/A
5. Enable BGP to exchange IPv4 unicast routes with the peer.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
6. Redistribute the IGP routes of the VPN into BGP.	import-route protocol [ { process-id \| all-processes } [ med med-value \| route-policy route-policy-name ] * ]	By default, no routes are redistributed into BGP. A VPN site must advertise VPN network addresses to the connected MCE.

Configuring routing between an MCE and a PE

MCE-PE routing configuration includes these tasks:

· Binding the MCE-PE interfaces to VPN instances.

· Performing route configurations.

· Redistributing VPN routes into the routing protocol running between the MCE and the PE.

Perform the following configurations on the MCE. For information about how to configure the PE, see "Configuring routing between a PE and a CE."

Configuring static routing between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure a static route for a VPN instance.	ip route-static vpn-instance s-vpn-instance-name dest-address { mask-length \| mask } { interface-type interface-number [ next-hop-address ] \| next-hop-address [ public ] [ track track-entry-number ] \| vpn-instance d-vpn-instance-name next-hop-address [ track track-entry-number ] } [ permanent ] [ preference preference-value ] [ tag tag-value ] [ description description-text ]	By default, no static route is configured.
3. (Optional.) Configure the default preference for static routes.	ip route-static default-preference default-preference-value	The default preference is 60.

Configuring RIP between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a RIP process for a VPN instance and enter RIP view.	rip [ process-id ] vpn-instance vpn-instance-name	N/A
3. Enable RIP on the interface attached to the specified network.	network network-address	By default, RIP is disabled on an interface.
4. Redistribute the VPN routes.	import-route protocol [ process-id \| all-processes \| allow-ibgp ] [ cost cost \| route-policy route-policy-name \| tag tag ] *	By default, no routes are redistributed into RIP.
5. (Optional.) Configure the default cost for redistributed routes.	default cost value	The default cost is 0.

Configuring OSPF between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an OSPF process for a VPN instance and enter OSPF view.	ospf [ process-id \| router-id router-id \| vpn-instance vpn-instance-name ] *	N/A
3. Disable routing loop detection.	vpn-instance-capability simple	By default, routing loop detection is enabled. You must disable routing loop detection for a VPN OSPF process on the MCE. Otherwise, the MCE cannot receive OSPF routes from the PE.
4. (Optional.) Configure the OSPF domain ID.	domain-id domain-id [ secondary ]	The default domain ID is 0.
5. Redistribute the VPN routes.	import-route protocol [ process-id \| all-processes \| allow-ibgp ] [ cost cost \| route-policy route-policy-name \| tag tag \| type type ] *	By default, no routes are redistributed into OSPF.
6. (Optional.) Configure filtering of advertised routes.	filter-policy { acl-number \| prefix-list prefix-list-name } export [ protocol [ process-id ] ]	By default, redistributed routes are not filtered.
7. (Optional.) Configure the default parameters for redistributed routes (cost, route number, tag, and type).	default { cost cost \| tag tag \| type type } *	The default cost is 1, the default tag is 1, and default type of redistributed routes is Type-2.
8. Create an OSPF area and enter OSPF area view.	area area-id	By default, no OSPF area is created.
9. Enable OSPF on the interface attached to the specified network in the area.	network ip-address wildcard-mask	By default, an interface neither belongs to any area nor runs OSPF.

Configuring IS-IS between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an IS-IS process for a VPN instance and enter IS-IS view.	isis [ process-id ] vpn-instance vpn-instance-name	N/A
3. Configure a network entity title.	network-entity net	By default, no NET is configured.
4. Redistribute VPN routes.	import-route protocol [ process-id \| all-processes \| allow-ibgp ] [ cost cost \| cost-type { external \| internal } \| [ level-1 \| level-1-2 \| level-2 ] \| route-policy route-policy-name \| tag tag ] *	By default, IS-IS does not redistribute routes from any other routing protocol. If you do not specify the route level in the command, the command redistributes routes to the level-2 routing table by default.
5. (Optional.) Configure filtering of advertised routes.	filter-policy { acl-number \| prefix-list prefix-list-name \| route-policy route-policy-name } export [ protocol [ process-id ] ]	By default, IS-IS does not filter advertised routes.
6. Return to system view.	quit	N/A
7. Enter interface view.	interface interface-type interface-number	N/A
8. Enable the IS-IS process on the interface.	isis enable [ process-id ]	By default, no IS-IS process is enabled.

Configuring EBGP between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Configure the PE as an EBGP peer.	peer { group-name \| ip-address } as-number as-number	N/A
5. Enter BGP-VPN IPv4 unicast address family view.	address-family ipv4 [ unicast ]	N/A
6. Enable BGP to exchange IPv4 unicast routes with the peer.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
7. Redistribute the VPN routes of the VPN site.	import-route protocol [ process-id \| all-processes ] [ med med-value \| route-policy route-policy-name ] *	By default, no routes are redistributed into BGP.
8. (Optional.) Configure filtering of advertised routes.	filter-policy { acl-number \| prefix-list prefix-list-name } export [ protocol process-id ]	By default, BGP does not filter advertised routes.
9. (Optional.) Configure filtering of received routes.	filter-policy { acl-number \| prefix-list prefix-list-name } import	By default, BGP does not filter received routes.

Configuring IBGP between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Configure the PE as an IBGP peer.	peer { group-name \| ip-address } as-number as-number	N/A
5. Enter BGP-VPN IPv4 unicast address family view.	address-family ipv4 [ unicast ]	N/A
6. Enable BGP to exchange IPv4 unicast routes with the peer.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
7. Redistribute the VPN routes of the VPN site.	import-route protocol [ process-id \| all-processes ] [ med med-value \| route-policy route-policy-name ] *	By default, no routes are redistributed into BGP.
8. (Optional.) Configure filtering of advertised routes.	filter-policy { acl-number \| prefix-list prefix-list-name } export [ protocol process-id ]	By default, BGP does not filter advertised routes.
9. (Optional.) Configure filtering of received routes.	filter-policy { acl-number \| prefix-list prefix-list-name } import	By default, BGP does not filter received routes.

Specifying the VPN label processing mode on the egress PE

An egress PE can process VPN labels in either POPGO or POP mode:

· POPGO forwarding—Pops the label and forwards the packet out of the egress interface corresponding to the label.

· POP forwarding—Pops the label and forwards the packet through the FIB table.

To add two switches to an IRF fabric, configure the same VPN label processing mode (POPGO by using vpn popgo or POP by using undo vpn popgo) for the two switches. Otherwise, the two switches cannot form an IRF fabric. For more information about IRF, see Virtual Technologies Configuration Guide.

To specify the VPN label processing mode on an egress PE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Specify the VPN label processing mode as POPGO forwarding.	vpn popgo	The default is POP forwarding.

Configuring BGP AS number substitution

When CEs at different sites have the same AS number, configure the BGP AS number substitution function to avoid route loss. If the AS_PATH attribute of a route contains the AS number of the specified CE, the PE replaces the AS number with its own AS number before advertising the route to that CE.

Before you configure BGP AS number substitution, complete basic MPLS L3VPN configuration.

To configure BGP AS number substitution:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Configure a BGP peer or peer group.	peer { group-name \| ip-address } as-number as-number	N/A
5. Enable the BGP AS number substitution function.	peer { ip-address \| group-name } substitute-as	By default, BGP AS number substitution is disabled. For more information about this command, see Layer 3—IP Routing Command Reference.

Enabling SNMP notifications for MPLS L3VPN

This feature enables MPLS L3VPN to generate SNMP notifications. The generated SNMP notifications are sent to the SNMP module.

For more information about SNMP notifications, see Network Management and Monitoring Configuration Guide.

To enable SNMP notifications for MPLS L3VPN:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable SNMP notifications for MPLS L3VPN.	snmp-agent trap enable l3vpn	By default, SNMP notifications for MPLS L3VPN are enabled.

Displaying and maintaining MPLS L3VPN

You can soft-reset or reset BGP sessions to apply new BGP configurations. A soft reset operation updates BGP routing information without tearing down BGP connections. A reset operation updates BGP routing information by tearing down, and then re-establishing BGP connections. Soft reset requires that BGP peers have route refresh capability.

Execute the following commands in user view to soft reset or reset BGP connections:

Task	Command
Manually soft reset BGP sessions for VPNv4 address family.	refresh bgp { ip-address \| all \| external \| group group-name \| internal } { export \| import } vpnv4 [ vpn-instance vpn-instance-name ]
Reset BGP sessions for VPNv4 address family.	reset bgp { as-number \| ip-address \| all \| external \| internal \| group group-name } vpnv4 [ vpn-instance vpn-instance-name ]

Execute the following commands in any view to display MPLS L3VPN:

Task	Command
Display the routing table for a VPN instance.	display ip routing-table vpn-instance vpn-instance-name [ statistics \| verbose ]
Display information about a specified or all VPN instances.	display ip vpn-instance [ instance-name vpn-instance-name ]
Display the FIB of a VPN instance.	display fib vpn-instance vpn-instance-name
Display FIB entries that match the specified destination IP address in the specified VPN instance.	display fib vpn-instance vpn-instance-name ip-address [ mask \| mask-length ]
Display BGP VPNv4 peer group information.	display bgp group vpnv4 [ vpn-instance vpn-instance-name ] [ group-name group-name ]
Display BGP VPNv4 peer information.	display bgp peer vpnv4 [ vpn-instance vpn-instance-name ] [ ip-address mask-length \| { ip-address \| group-name group-name } log-info \| [ ip-address ] verbose ]
Display BGP VPNv4 routes.	display bgp routing-table vpnv4 [ route-distinguisher route-distinguisher ] [ network-address [ { mask \| mask-length } [ longest-match ] ] ]
Display BGP VPNv4 route advertisement information.	display bgp routing-table vpnv4 [ route-distinguisher route-distinguisher ] network-address [ mask \| mask-length ] advertise-info
Display BGP VPNv4 routes matching the specified AS PATH list.	display bgp routing-table vpnv4 [ route-distinguisher route-distinguisher ] as-path-acl as-path-acl-number
Display BGP VPNv4 routes matching the specified BGP community list.	display bgp routing-table vpnv4 [ route-distinguisher route-distinguisher ] community-list { { basic-community-list-number \| comm-list-name } [ whole-match ] \| adv-community-list-number }
Display BGP VPNv4 routes advertised to or received from the specified BGP peer.	display bgp routing-table vpnv4 [ vpn-instance vpn-instance-name ] peer ip-address { advertised-routes \| received-routes } [ network-address [ mask \| mask-length ] \| statistics ]
Display incoming labels for BGP IPv4 unicast routes.	display bgp routing-table ipv4 [ unicast ] [ vpn-instance vpn-instance-name ] inlabel
Display outgoing labels for BGP IPv4 unicast routes.	display bgp routing-table ipv4 [ unicast ] [ vpn-instance vpn-instance-name ] outlabel
Display incoming labels for BGP VPNv4 routes.	display bgp routing-table vpnv4 inlabel
Display outgoing labels for BGP VPNv4 routes.	display bgp routing-table vpnv4 outlabel
Display BGP VPNv4 route statistics.	display bgp routing-table vpnv4 statistics
Display BGP VPNv4 address family update group information.	display bgp update-group vpnv4 [ vpn-instance vpn-instance-name ] [ ip-address ]
Display OSPF sham link information (in standalone mode).	display ospf [ process-id ] sham-link [ area area-id ] [ standby slot slot-number ]
Display OSPF sham link information (in IRF mode).	display ospf [ process-id ] sham-link [ area area-id ] [ standby chassis chassis-number slot slot-number ]

For more information about the display ip routing-table, display bgp group vpnv4, display bgp peer vpnv4, and display bgp update-group vpnv4 commands, see Layer 3—IP Routing Command Reference.

MPLS L3VPN configuration examples

By default, Ethernet, VLAN, and aggregate interfaces are shut down. You must use the undo shutdown command to bring them up. These examples assume that all these interfaces are already up.

Configuring basic MPLS L3VPN

Network requirements

CE 1 and CE 3 belong to VPN 1. CE 2 and CE 4 belong to VPN 2.

VPN 1 uses route target attribute 111:1. VPN 2 uses route target attribute 222:2. Users of different VPNs cannot access each other.

EBGP is used to exchange VPN routing information between CE and PE.

PEs use OSPF to communicate with each other and use MP-IBGP to exchange VPN routing information.

Figure 20 Network diagram

Table 1 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Vlan-int11	10.1.1.1/24	P	Loop0	2.2.2.9/32
PE 1	Loop0	1.1.1.9/32		Vlan-int12	172.2.1.1/24
	Vlan-int11	10.1.1.2/24		Vlan-int13	172.1.1.2/24
	Vlan-int13	172.1.1.1/24	PE 2	Loop0	3.3.3.9/32
	Vlan-int12	10.2.1.2/24		Vlan-int12	172.2.1.2/24
CE 2	Vlan-int12	10.2.1.1/24		Vlan-int11	10.3.1.2/24
CE 3	Vlan-int11	10.3.1.1/24		Vlan-int13	10.4.1.2/24
CE 4	Vlan-int13	10.4.1.1/24

Configuration procedure

1. Configure an IGP on the MPLS backbone to ensure IP connectivity within the backbone:

# Configure PE 1.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 1.1.1.9 32

[PE1-LoopBack0] quit

[PE1] interface vlan-interface 13

[PE1-Vlan-interface13] ip address 172.1.1.1 24

[PE1-Vlan-interface13] quit

[PE1] ospf

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

# Configure the P device.

<P> system-view

[P] interface loopback 0

[P-LoopBack0] ip address 2.2.2.9 32

[P-LoopBack0] quit

[P] interface vlan-interface 13

[P-Vlan-interface13] ip address 172.1.1.2 24

[P- Vlan-interface13] quit

[P] interface vlan-interface 12

[P-Vlan-interface12] ip address 172.2.1.1 24

[P-Vlan-interface12] quit

[P] ospf

[P-ospf-1] area 0

[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[P-ospf-1-area-0.0.0.0] quit

[P-ospf-1] quit

# Configure PE 2.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 3.3.3.9 32

[PE2-LoopBack0] quit

[PE2] interface vlan-interface 12

[PE2-Vlan-interface12] ip address 172.2.1.2 24

[PE2-Vlan-interface12] quit

[PE2] ospf

[PE2-ospf-1] area 0

[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

# On PE 1, verify that the PEs have learned the routes to the loopback interfaces of each other.

[PE1] display ip routing-table protocol ospf

Summary Count : 5

OSPF Routing table Status : <Active>

Summary Count : 3

Destination/Mask Proto Pre Cost NextHop Interface

2.2.2.9/32 OSPF 10 1 172.1.1.2 Vlan13

3.3.3.9/32 OSPF 10 2 172.1.1.2 Vlan13

172.2.1.0/24 OSPF 10 2 172.1.1.2 Vlan13

OSPF Routing table Status : <Inactive>

Summary Count : 2

Destination/Mask Proto Pre Cost NextHop Interface

1.1.1.9/32 OSPF 10 0 1.1.1.9 Loop0

172.1.1.0/24 OSPF 10 1 172.1.1.1 Vlan13

# On PE 1, verify that OSPF adjacencies in Full state have been established between PE 1, P, and PE 2.

[PE1] display ospf peer verbose

OSPF Process 1 with Router ID 1.1.1.9

Neighbors

Area 0.0.0.0 interface 172.1.1.1(Vlan-interface13)'s neighbors

Router ID: 2.2.2.9 Address: 172.1.1.2 GR State: Normal

State: Full Mode: Nbr is Master Priority: 1

DR: 172.1.1.2 BDR: 172.1.1.1 MTU: 0

Options is 0x02 (-|-|-|-|-|-|E|-)

Dead timer due in 39 sec

Neighbor is up for 00:00:29

Authentication Sequence: [ 0 ]

Neighbor state change count: 6

2. Configure basic MPLS and MPLS LDP on the MPLS backbone to establish LDP LSPs:

# Configure PE 1.

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] interface vlan-interface 13

[PE1-Vlan-interface13] mpls enable

[PE1-Vlan-interface13] mpls ldp enable

[PE1-Vlan-interface13] quit

# Configure the P device.

[P] mpls lsr-id 2.2.2.9

[P] mpls ldp

[P-ldp] quit

[P] interface vlan-interface 13

[P-Vlan-interface13] mpls enable

[P-Vlan-interface13] mpls ldp enable

[P-Vlan-interface13] quit

[P] interface vlan-interface 12

[P-Vlan-interface12] mpls enable

[P-Vlan-interface12] mpls ldp enable

[P-Vlan-interface12] quit

# Configure PE 2.

[PE2] mpls lsr-id 3.3.3.9

[PE2] mpls ldp

[PE2-ldp] quit

[PE2] interface vlan-interface 12

[PE2-Vlan-interface12] mpls enable

[PE2-Vlan-interface12] mpls ldp enable

[PE2-Vlan-interface12] quit

# On PE 1, verify that LDP sessions in Operational state have been established between PE 1, P, and PE 2.

[PE1] display mpls ldp peer

Total number of peers: 1

Peer LDP ID State LAM Role GR MD5 KA Sent/Rcvd

2.2.2.9:0 Operational DU Passive Off Off 5/5

# On PE 1, verify that the LSPs have been established by LDP.

[PE1] display mpls ldp lsp

Status codes: * - stale, L - liberal

Statistics:

FECs: 3 Ingress LSPs: 2 Transit LSPs: 2 Egress LSPs: 1

FEC In/Out Label Nexthop OutInterface

1.1.1.9/32 3/-

-/1151(L)

2.2.2.9/32 -/3 172.1.1.2 Vlan-interface13

1151/3 172.1.1.2 Vlan-interface13

3.3.3.9/32 -/1150 172.1.1.2 Vlan-interface13

1150/1150 172.1.1.2 Vlan-interface13

3. Configure VPN instances on PEs:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 111:1

[PE1-vpn-instance-vpn1] quit

[PE1] ip vpn-instance vpn2

[PE1-vpn-instance-vpn2] route-distinguisher 100:2

[PE1-vpn-instance-vpn2] vpn-target 222:2

[PE1-vpn-instance-vpn2] quit

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] ip binding vpn-instance vpn1

[PE1-Vlan-interface11] ip address 10.1.1.2 24

[PE1-Vlan-interface11] quit

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip binding vpn-instance vpn2

[PE1-Vlan-interface12] ip address 10.2.1.2 24

[PE1-Vlan-interface12] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 200:1

[PE2-vpn-instance-vpn1] vpn-target 111:1

[PE2-vpn-instance-vpn1] quit

[PE2] ip vpn-instance vpn2

[PE2-vpn-instance-vpn2] route-distinguisher 200:2

[PE2-vpn-instance-vpn2] vpn-target 222:2

[PE2-vpn-instance-vpn2] quit

[PE2] interface vlan-interface 11

[PE2-Vlan-interface11] ip binding vpn-instance vpn1

[PE2-Vlan-interface11] ip address 10.3.1.2 24

[PE2-Vlan-interface11] quit

[PE2] interface vlan-interface 13

[PE2-Vlan-interface13] ip binding vpn-instance vpn2

[PE2-Vlan-interface13] ip address 10.4.1.2 24

[PE2-Vlan-interface13] quit

# Configure IP addresses for the CEs according to Figure 20. (Details not shown.)

# Execute the display ip vpn-instance command on the PEs to display the configuration of the VPN instance, for example, on PE 1.

[PE1] display ip vpn-instance

Total VPN-Instances configured : 2

VPN-Instance Name RD Create time

vpn1 100:1 2012/02/13 12:49:08

vpn2 100:2 2012/02/13 12:49:20

# Use the ping command on the PEs to verify that the PEs can ping their attached CEs, for example, on PE 1.

[PE1] ping -vpn-instance vpn1 10.1.1.1

Ping 10.1.1.1 (10.1.1.1): 56 data bytes, press CTRL_C to break

56 bytes from 10.1.1.1: icmp_seq=0 ttl=255 time=1.000 ms

56 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=2.000 ms

56 bytes from 10.1.1.1: icmp_seq=2 ttl=255 time=0.000 ms

56 bytes from 10.1.1.1: icmp_seq=3 ttl=255 time=1.000 ms

56 bytes from 10.1.1.1: icmp_seq=4 ttl=255 time=0.000 ms

--- Ping statistics for 10.1.1.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std dev = 0.000/0.800/2.000/0.748 ms

4. Establish EBGP peer relationships between PEs and CEs, and redistribute VPN routes into BGP:

# Configure CE 1.

<CE1> system-view

[CE1] bgp 65410

[CE1-bgp] peer 10.1.1.2 as-number 100

[CE1-bgp] address-family ipv4 unicast

[CE1-bgp-ipv4] peer 10.1.1.2 enable

[CE1-bgp-ipv4] import-route direct

[CE1-bgp-ipv4] quit

[CE1-bgp] quit

# Configure the other three CEs in the same way that CE 1 is configured. (Details not shown.)

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410

[PE1-bgp-vpn1] address-family ipv4 unicast

[PE1-bgp-ipv4-vpn1] peer 10.1.1.1 enable

[PE1-bgp-ipv4-vpn1] import-route direct

[PE1-bgp-ipv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] ip vpn-instance vpn2

[PE1-bgp-vpn2] peer 10.2.1.1 as-number 65420

[PE1-bgp-vpn2] address-family ipv4 unicast

[PE1-bgp-ipv4-vpn1] peer 10.2.1.1 enable

[PE1-bgp-ipv4-vpn2] import-route direct

[PE1-bgp-ipv4-vpn2] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Configure PE 2 in the same way that PE 1 is configured. (Details not shown.)

# Verify that a BGP peer relationship in Established state has been established between a PE and a CE on PEs, for example, on PE 1.

[PE1] display bgp peer ipv4 vpn-instance vpn1

BGP local router ID: 1.1.1.9

Local AS number: 100

Total number of peers: 1 Peers in established state: 1

Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State

10.1.1.1 65410 4 4 0 2 00:00:22 Established

5. Establish an MP-IBGP peer relationship between PEs:

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] peer 3.3.3.9 as-number 100

[PE1-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE1-bgp] address-family vpnv4

[PE1-bgp-vpnv4] peer 3.3.3.9 enable

[PE1-bgp-vpnv4] quit

[PE1-bgp] quit

# Configure PE 2.

[PE2] bgp 100

[PE2-bgp] peer 1.1.1.9 as-number 100

[PE2-bgp] peer 1.1.1.9 connect-interface loopback 0

[PE2-bgp] address-family vpnv4

[PE2-bgp-vpnv4] peer 1.1.1.9 enable

[PE2-bgp-vpnv4] quit

[PE2-bgp] quit

# Verify that a BGP peer relationship in Established state has been established between the PEs on PEs, for example, on PE 1.

[PE1] display bgp peer vpnv4

BGP local router ID: 1.1.1.9

Local AS number: 100

Total number of peers: 1 Peers in established state: 1

Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State

3.3.3.9 100 3 6 0 0 00:00:32 Established

Verifying the configuration

# Execute the display ip routing-table vpn-instance command on the PEs.

[PE1] display ip routing-table vpn-instance vpn1

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.0/24 Direct 0 0 10.1.1.2 Vlan11

10.1.1.0/32 Direct 0 0 10.1.1.2 Vlan11

10.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.255/32 Direct 0 0 10.1.1.2 Vlan11

10.3.1.0/24 BGP 255 0 3.3.3.9 Vlan13

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

The output shows that PE 1 has a route to the remote CE. Output on PE 2 is similar.

# Verify that CEs of the same VPN can ping each other, whereas those of different VPNs cannot. For example, CE 1 can ping CE 3 (10.3.1.1) but cannot ping CE 4 (10.4.1.1). (Details not shown.)

Configuring a hub-spoke network

Network requirements

The Spoke-CEs cannot communicate directly. They can communicate only through Hub-CE.

Configure EBGP between the Spoke-CEs and Spoke-PEs and between Hub-CE and Hub-PE to exchange VPN routing information.

Configure OSPF between the Spoke-PEs and Hub-PE to implement communication between the PEs, and configure MP-IBGP between them to exchange VPN routing information.

Figure 21 Network diagram

Table 2 Interface and IP assignment

Device	Interface	IP address	Device	Interface	IP address
Spoke-CE 1	Vlan-int2	10.1.1.1/24	Hub-CE	Vlan-int6	10.3.1.1/24
Spoke-PE 1	Loop0	1.1.1.9/32		Vlan-int7	10.4.1.1/24
	Vlan-int2	10.1.1.2/24	Hub-PE	Loop0	2.2.2.9/32
	Vlan-int4	172.1.1.1/24		Vlan-int4	172.1.1.2/24
Spoke-CE 2	Vlan-int3	10.2.1.1/24		Vlan-int5	172.2.1.2/24
Spoke-PE 2	Loop0	3.3.3.9/32		Vlan-int6	10.3.1.2/24
	Vlan-int3	10.2.1.2/24		Vlan-int7	10.4.1.2/24
	Vlan-int5	172.2.1.1/24

Configuration procedure

Before configuration, disable the spanning tree feature globally or map each VLAN to an MSTI.

1. Configure an IGP on the MPLS backbone to ensure IP connectivity within the backbone:

# Configure Spoke-PE 1.

<Spoke-PE1> system-view

[Spoke-PE1] interface loopback 0

[Spoke-PE1-LoopBack0] ip address 1.1.1.9 32

[Spoke-PE1-LoopBack0] quit

[Spoke-PE1] interface vlan-interface 4

[Spoke-PE1-Vlan-interface4] ip address 172.1.1.1 24

[Spoke-PE1-Vlan-interface4] quit

[Spoke-PE1] ospf

[Spoke-PE1-ospf-1] area 0

[Spoke-PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[Spoke-PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[Spoke-PE1-ospf-1-area-0.0.0.0] quit

[Spoke-PE1-ospf-1] quit

# Configure Spoke-PE 2.

<Spoke-PE2> system-view

[Spoke-PE2] interface loopback 0

[Spoke-PE2-LoopBack0] ip address 3.3.3.9 32

[Spoke-PE2-LoopBack0] quit

[Spoke-PE2] interface vlan-interface 5

[Spoke-PE2-Vlan-interface5] ip address 172.2.1.1 24

[Spoke-PE2-Vlan-interface5] quit

[Spoke-PE2] ospf

[Spoke-PE2-ospf-1] area 0

[Spoke-PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[Spoke-PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[Spoke-PE2-ospf-1-area-0.0.0.0] quit

[Spoke-PE2-ospf-1] quit

# Configure Hub-PE.

<Hub-PE> system-view

[Hub-PE] interface loopback 0

[Hub-PE-LoopBack0] ip address 2.2.2.9 32

[Hub-PE-LoopBack0] quit

[Hub-PE] interface vlan-interface 4

[Hub-PE-Vlan-interface4] ip address 172.1.1.2 24

[Hub-PE-Vlan-interface4] quit

[Hub-PE] interface vlan-interface 5

[Hub-PE-Vlan-interface5] ip address 172.2.1.2 24

[Hub-PE-Vlan-interface5] quit

[Hub-PE] ospf

[Hub-PE-ospf-1] area 0

[Hub-PE-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[Hub-PE-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[Hub-PE-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[Hub-PE-ospf-1-area-0.0.0.0] quit

[Hub-PE-ospf-1] quit

# Execute the display ospf peer command on the devices to verify that OSPF adjacencies in Full state have been established between Spoke-PE 1, Spoke-PE 2, and Hub-PE. Execute the display ip routing-table command on the devices to verify that the PEs have learned the routes to the loopback interfaces of each other. (Details not shown.)

2. Configure basic MPLS and MPLS LDP on the MPLS backbone to establish LDP LSPs:

# Configure Spoke-PE 1.

[Spoke-PE1] mpls lsr-id 1.1.1.9

[Spoke-PE1] mpls ldp

[Spoke-PE1-ldp] quit

[Spoke-PE1] interface vlan-interface 4

[Spoke-PE1-Vlan-interface4] mpls enable

[Spoke-PE1-Vlan-interface4] mpls ldp enable

[Spoke-PE1-Vlan-interface4] quit

# Configure Spoke-PE 2.

[Spoke-PE2] mpls lsr-id 3.3.3.9

[Spoke-PE2] mpls ldp

[Spoke-PE2-ldp] quit

[Spoke-PE2] interface vlan-interface 5

[Spoke-PE2-Vlan-interface5] mpls enable

[Spoke-PE2-Vlan-interface5] mpls ldp enable

[Spoke-PE2-Vlan-interface5] quit

# Configure Hub-PE.

[Hub-PE] mpls lsr-id 2.2.2.9

[Hub-PE] mpls ldp

[Hub-PE-ldp] quit

[Hub-PE] interface vlan-interface 4

[Hub-PE-Vlan-interface4] mpls enable

[Hub-PE-Vlan-interface4] mpls ldp enable

[Hub-PE-Vlan-interface4] quit

[Hub-PE] interface vlan-interface 5

[Hub-PE-Vlan-interface5] mpls enable

[Hub-PE-Vlan-interface5] mpls ldp enable

[Hub-PE-Vlan-interface5] quit

# Execute the display mpls ldp peer command on the devices to verify that LDP sessions in Operational state have been established between Spoke-PE 1, Spoke-PE 2, and Hub-PE. Execute the display mpls ldp lsp command on the devices to verify that the LSPs have been established by LDP. (Details not shown.)

3. Configure VPN instances on the Spoke-PEs and Hub-PE:

# Configure Spoke-PE 1.

[Spoke-PE1] ip vpn-instance vpn1

[Spoke-PE1-vpn-instance-vpn1] route-distinguisher 100:1

[Spoke-PE1-vpn-instance-vpn1] vpn-target 111:1 import-extcommunity

[Spoke-PE1-vpn-instance-vpn1] vpn-target 222:2 export-extcommunity

[Spoke-PE1-vpn-instance-vpn1] quit

[Spoke-PE1] interface vlan-interface 2

[Spoke-PE1-Vlan-interface2] ip binding vpn-instance vpn1

[Spoke-PE1-Vlan-interface2] ip address 10.1.1.2 24

[Spoke-PE1-Vlan-interface2] quit

# Configure Spoke-PE 2.

[Spoke-PE2] ip vpn-instance vpn1

[Spoke-PE2-vpn-instance-vpn1] route-distinguisher 100:2

[Spoke-PE2-vpn-instance-vpn1] vpn-target 111:1 import-extcommunity

[Spoke-PE2-vpn-instance-vpn1] vpn-target 222:2 export-extcommunity

[Spoke-PE2-vpn-instance-vpn1] quit

[Spoke-PE2] interface vlan-interface 3

[Spoke-PE2-Vlan-interface3] ip binding vpn-instance vpn1

[Spoke-PE2-Vlan-interface3] ip address 10.2.1.2 24

[Spoke-PE2-Vlan-interface3] quit

# Configure Hub-PE.

[Hub-PE] ip vpn-instance vpn1-in

[Hub-PE-vpn-instance-vpn1-in] route-distinguisher 100:3

[Hub-PE-vpn-instance-vpn1-in] vpn-target 222:2 import-extcommunity

[Hub-PE-vpn-instance-vpn1-in] quit

[Hub-PE] ip vpn-instance vpn1-out

[Hub-PE-vpn-instance-vpn1-out] route-distinguisher 100:4

[Hub-PE-vpn-instance-vpn1-out] vpn-target 111:1 export-extcommunity

[Hub-PE-vpn-instance-vpn1-out] quit

[Hub-PE] interface vlan-interface 6

[Hub-PE-Vlan-interface6] ip binding vpn-instance vpn1-in

[Hub-PE-Vlan-interface6] ip address 10.3.1.2 24

[Hub-PE-Vlan-interface6] quit

[Hub-PE] interface vlan-interface 7

[Hub-PE-Vlan-interface7] ip binding vpn-instance vpn1-out

[Hub-PE-Vlan-interface7] ip address 10.4.1.2 24

[Hub-PE-Vlan-interface7] quit

# Configure IP addresses for the CEs according to Figure 21. (Details not shown.)

# Execute the display ip vpn-instance command on the PEs to display the configuration of the VPN instance, for example, on Spoke-PE 1.

[Spoke-PE1] display ip vpn-instance

Total VPN-Instances configured : 1

VPN-Instance Name RD Create time

vpn1 100:1 2009/04/08 10:55:07

# Use the ping command on the PEs to verify that the PEs can ping their attached CEs, for example, on Spoke-PE 1.

[Spoke-PE1] ping -vpn-instance vpn1 10.1.1.1

Ping 10.1.1.1 (10.1.1.1): 56 data bytes, press CTRL_C to break

56 bytes from 10.1.1.1: icmp_seq=0 ttl=128 time=1.913 ms

56 bytes from 10.1.1.1: icmp_seq=1 ttl=128 time=2.381 ms

56 bytes from 10.1.1.1: icmp_seq=2 ttl=128 time=1.707 ms

56 bytes from 10.1.1.1: icmp_seq=3 ttl=128 time=1.666 ms

56 bytes from 10.1.1.1: icmp_seq=4 ttl=128 time=2.710 ms

--- Ping statistics for 10.1.1.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.666/2.075/2.710/0.406 ms

4. Establish EBGP peer relationships between the PEs and CEs, and redistribute VPN routes into BGP:

# Configure Spoke-CE 1.

<Spoke-CE1> system-view

[Spoke-CE1] bgp 65410

[Spoke-CE1-bgp] peer 10.1.1.2 as-number 100

[Spoke-CE1-bgp] address-family ipv4

[Spoke-CE1-bgp-ipv4] peer 10.1.1.2 enable

[Spoke-CE1-bgp-ipv4] import-route direct

[Spoke-CE1-bgp-ipv4] quit

[Spoke-CE1-bgp] quit

# Configure Spoke-CE 2.

<Spoke-CE2> system-view

[Spoke-CE2] bgp 65420

[Spoke-CE2-bgp] peer 10.2.1.2 as-number 100

[Spoke-CE2-bgp] address-family ipv4

[Spoke-CE2-bgp-ipv4] peer 10.2.1.2 enable

[Spoke-CE2-bgp-ipv4] import-route direct

[Spoke-CE2-bgp-ipv4] quit

[Spoke-CE2-bgp] quit

# Configure Hub-CE.

<Hub-CE> system-view

[Hub-CE] bgp 65430

[Hub-CE-bgp] peer 10.3.1.2 as-number 100

[Hub-CE-bgp] peer 10.4.1.2 as-number 100

[Hub-CE-bgp] address-family ipv4

[Hub-CE-bgp-ipv4] peer 10.3.1.2 enable

[Hub-CE-bgp-ipv4] peer 10.4.1.2 enable

[Hub-CE-bgp-ipv4] import-route direct

[Hub-CE-bgp-ipv4] quit

[Hub-CE-bgp] quit

# Configure Spoke-PE 1.

[Spoke-PE1] bgp 100

[Spoke-PE1-bgp] ip vpn-instance vpn1

[Spoke-PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410

[Spoke-PE1-bgp-vpn1] address-family ipv4

[Spoke-PE1-bgp-ipv4-vpn1] peer 10.1.1.1 enable

[Spoke-PE1-bgp-ipv4-vpn1] import-route direct

[Spoke-PE1-bgp-ipv4-vpn1] quit

[Spoke-PE1-bgp-vpn1] quit

[Spoke-PE1-bgp] quit

# Configure Spoke-PE 2.

[Spoke-PE2] bgp 100

[Spoke-PE2-bgp] ip vpn-instance vpn1

[Spoke-PE2-bgp-vpn1] peer 10.2.1.1 as-number 65420

[Spoke-PE2-bgp-vpn1] address-family ipv4

[Spoke-PE2-bgp-ipv4-vpn1] peer 10.2.1.1 enable

[Spoke-PE2-bgp-ipv4-vpn1] import-route direct

[Spoke-PE2-bgp-ipv4-vpn1] quit

[Spoke-PE2-bgp-vpn1] quit

[Spoke-PE2-bgp] quit

# Configure Hub-PE.

[Hub-PE] bgp 100

[Hub-PE-bgp] ip vpn-instance vpn1-in

[Hub-PE-bgp-vpn1-in] peer 10.3.1.1 as-number 65430

[Hub-PE-bgp-vpn1-in] address-family ipv4

[Hub-PE-bgp-ipv4-vpn1-in] peer 10.3.1.1 enable

[Hub-PE-bgp-ipv4-vpn1-in] import-route direct

[Hub-PE-bgp-ipv4-vpn1-in] quit

[Hub-PE-bgp-vpn1-in] quit

[Hub-PE-bgp] ip vpn-instance vpn1-out

[Hub-PE-bgp-vpn1-out] peer 10.4.1.1 as-number 65430

[Hub-PE-bgp-vpn1-out] address-family ipv4

[Hub-PE-bgp-ipv4-vpn1-out] peer 10.4.1.1 enable

[Hub-PE-bgp-ipv4-vpn1-out] import-route direct

[Hub-PE-bgp-ipv4-vpn1-out] quit

[Hub-PE-bgp-vpn1-out] quit

[Hub-PE-bgp] quit

# Execute the display bgp peer ipv4 vpn-instance command on the PEs to verify that a BGP peer relationship in Established state has been established between a PE and a CE. (Details not shown.)

5. Establish an MP-IBGP peer relationship between the Spoke-PEs and Hub-PE:

# Configure Spoke-PE 1.

[Spoke-PE1] bgp 100

[Spoke-PE1-bgp] peer 2.2.2.9 as-number 100

[Spoke-PE1-bgp] peer 2.2.2.9 connect-interface loopback 0

[Spoke-PE1-bgp] address-family vpnv4

[Spoke-PE1-bgp-vpnv4] peer 2.2.2.9 enable

[Spoke-PE1-bgp-vpnv4] quit

[Spoke-PE1-bgp] quit

# Configure Spoke-PE 2.

[Spoke-PE2] bgp 100

[Spoke-PE2-bgp] peer 2.2.2.9 as-number 100

[Spoke-PE2-bgp] peer 2.2.2.9 connect-interface loopback 0

[Spoke-PE2-bgp] address-family vpnv4

[Spoke-PE2-bgp-vpnv4] peer 2.2.2.9 enable

[Spoke-PE2-bgp-vpnv4] quit

[Spoke-PE2-bgp] quit

# Configure Hub-PE.

[Hub-PE] bgp 100

[Hub-PE-bgp] peer 1.1.1.9 as-number 100

[Hub-PE-bgp] peer 1.1.1.9 connect-interface loopback 0

[Hub-PE-bgp] peer 3.3.3.9 as-number 100

[Hub-PE-bgp] peer 3.3.3.9 connect-interface loopback 0

[Hub-PE-bgp] address-family vpnv4

[Hub-PE-bgp-vpnv4] peer 1.1.1.9 enable

[Hub-PE-bgp-vpnv4] peer 3.3.3.9 enable

[Hub-PE-bgp-vpnv4] quit

[Hub-PE-bgp] quit

# Execute the display bgp peer vpnv4 command on the PEs to verify that a BGP peer relationship in Established state has been established between the PEs. (Details not shown.)

Verifying the configuration

# Execute the display ip routing-table vpn-instance command on the PEs to display the routes to the CEs. This example uses Spoke-PE 1 to verify that the next hop of the route from a Spoke-PE to its connected Spoke-CE is Hub-PE.

[Spoke-PE1] display ip routing-table vpn-instance vpn1

Routing Tables: vpn1

Destinations : 8 Routes : 8

Destination/Mask Proto Pre Cost NextHop Interface

10.0.0.0/24 BGP 255 0 2.2.2.9 NULL0

10.1.1.0/24 Direct 0 0 10.1.1.2 Vlan2

10.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

10.2.1.0/24 BGP 255 0 2.2.2.9 NULL0

10.3.1.0/24 BGP 255 0 2.2.2.9 NULL0

10.4.1.0/24 BGP 255 0 2.2.2.9 NULL0

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that Spoke-CE 1 and Spoke-CE 2 can ping each other. The TTL value indicates that traffic from Spoke-CE 1 to Spoke-CE 2 passes six hops (255-250+1) and is forwarded through Hub-CE. This example uses Spoke-CE 1 to verify their connectivity.

[Spoke-CE1] ping 10.2.1.1

PING 10.2.1.1: 56 data bytes, press CTRL_C to break

56 bytes from 10.2.1.1: icmp_seq=0 ttl=255 time=1.688 ms

56 bytes from 10.2.1.1: icmp_seq=1 ttl=255 time=1.362 ms

56 bytes from 10.2.1.1: icmp_seq=2 ttl=255 time=1.393 ms

56 bytes from 10.2.1.1: icmp_seq=3 ttl=255 time=1.343 ms

56 bytes from 10.2.1.1: icmp_seq=4 ttl=255 time=1.411 ms

--- Ping statistics for 10.2.1.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.343/1.439/1.688/0.127 ms

Configuring MPLS L3VPN inter-AS option A

Network requirements

CE 1 and CE 2 belong to the same VPN. CE 1 accesses the network through PE 1 in AS 100, and CE 2 accesses the network through PE 2 in AS 200.

Configure MPLS L3VPN inter-AS option A, and use the VRF-to-VRF method to manage VPN routes.

Run OSPF on the MPLS backbone in each AS.

Figure 22 Network diagram

Table 3 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Vlan-int12	10.1.1.1/24	CE 2	Vlan-int12	10.2.1.1/24
PE 1	Loop0	1.1.1.9/32	PE 2	Loop0	4.4.4.9/32
	Vlan-int12	10.1.1.2/24		Vlan-int12	10.2.1.2/24
	Vlan-int11	172.1.1.2/24		Vlan-int11	162.1.1.2/24
ASBR-PE 1	Loop0	2.2.2.9/32	ASBR-PE 2	Loop0	3.3.3.9/32
	Vlan-int11	172.1.1.1/24		Vlan-int11	162.1.1.1/24
	Vlan-int12	192.1.1.1/24		Vlan-int12	192.1.1.2/24

Configuration procedure

1. Configure an IGP on the MPLS backbone to implement the connectivity in the backbone:

This example uses OSPF. (Details not shown.)

# Execute the display ospf peer command to verify that each ASBR-PE has established an OSPF adjacency in Full state with the PE in the same AS, and that PEs and ASBR-PEs in the same AS have learned the routes to the loopback interfaces of each other. Verify that each ASBR-PE and the PE in the same AS can ping each other. (Details not shown.)

2. Configure basic MPLS and MPLS LDP on the MPLS backbone to establish LDP LSPs:

# Configure basic MPLS on PE 1 and enable MPLS LDP on the interface connected to ASBR-PE 1.

<PE1> system-view

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] mpls enable

[PE1-Vlan-interface11] mpls ldp enable

[PE1-Vlan-interface11] quit

# Configure basic MPLS on ASBR-PE 1 and enable MPLS LDP on the interface connected to PE 1.

<ASBR-PE1> system-view

[ASBR-PE1] mpls lsr-id 2.2.2.9

[ASBR-PE1] mpls ldp

[ASBR-PE1-ldp] quit

[ASBR-PE1] interface vlan-interface 11

[ASBR-PE1-Vlan-interface11] mpls enable

[ASBR-PE1-Vlan-interface11] mpls ldp enable

[ASBR-PE1-Vlan-interface11] quit

# Configure basic MPLS on ASBR-PE 2, and enable MPLS LDP on the interface connected to PE 2.

<ASBR-PE2> system-view

[ASBR-PE2] mpls lsr-id 3.3.3.9

[ASBR-PE2] mpls ldp

[ASBR-PE2-ldp] quit

[ASBR-PE2] interface vlan-interface 11

[ASBR-PE2-Vlan-interface11] mpls enable

[ASBR-PE2-Vlan-interface11] mpls ldp enable

[ASBR-PE2-Vlan-interface11] quit

# Configure basic MPLS on PE 2 and enable MPLS LDP on the interface connected to ASBR-PE 2.

<PE2> system-view

[PE2] mpls lsr-id 4.4.4.9

[PE2] mpls ldp

[PE2-ldp] quit

[PE2] interface vlan-interface 11

[PE2-Vlan-interface11] mpls enable

[PE2-Vlan-interface11] mpls ldp enable

[PE2-Vlan-interface11] quit

# Execute the display mpls ldp peer command on the devices to verify that the session status is Operational, and that each PE and the ASBR-PE in the same AS have established a neighbor relationship. (Details not shown.)

3. Configure VPN instances on PEs:

For the same VPN, the route targets for the VPN instance on the PE must match those for the VPN instance on the ASBR-PE in the same AS. This is not required for PEs in different ASs.

# Configure CE 1.

<CE1> system-view

[CE1] interface vlan-interface 12

[CE1-Vlan-interface12] ip address 10.1.1.1 24

[CE1-Vlan-interface12] quit

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 100:1 both

[PE1-vpn-instance-vpn1] quit

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip binding vpn-instance vpn1

[PE1-Vlan-interface12] ip address 10.1.1.2 24

[PE1-Vlan-interface12] quit

# Configure CE 2.

<CE2> system-view

[CE2] interface vlan-interface 12

[CE2-Vlan-interface12] ip address 10.2.1.1 24

[CE2-Vlan-interface12] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance] route-distinguisher 200:2

[PE2-vpn-instance] vpn-target 100:1 both

[PE2-vpn-instance] quit

[PE2] interface vlan-interface 12

[PE2-Vlan-interface12] ip binding vpn-instance vpn1

[PE2-Vlan-interface12] ip address 10.2.1.2 24

[PE2-Vlan-interface12] quit

# On ASBR-PE 1, create a VPN instance, and bind the instance to the interface connected to ASBR-PE 2. ASBR-PE 1 considers ASBR-PE 2 to be its CE.

[ASBR-PE1] ip vpn-instance vpn1

[ASBR-PE1-vpn-instance-vpn1] route-distinguisher 100:1

[ASBR-PE1-vpn-instance-vpn1] vpn-target 100:1 both

[ASBR-PE1-vpn-instance-vpn1] quit

[ASBR-PE1] interface vlan-interface 12

[ASBR-PE1-Vlan-interface12] ip binding vpn-instance vpn1

[ASBR-PE1-Vlan-interface12] ip address 192.1.1.1 24

[ASBR-PE1-Vlan-interface12] quit

# On ASBR-PE 2, create a VPN instance, and bind the instance to the interface connected to ASBR-PE 1. ASBR-PE 2 considers ASBR-PE 1 to be its CE.

[ASBR-PE2] ip vpn-instance vpn1

[ASBR-PE2-vpn-vpn-vpn1] route-distinguisher 200:1

[ASBR-PE2-vpn-vpn-vpn1] vpn-target 100:1 both

[ASBR-PE2-vpn-vpn-vpn1] quit

[ASBR-PE2] interface vlan-interface 12

[ASBR-PE2-Vlan-interface12] ip binding vpn-instance vpn1

[ASBR-PE2-Vlan-interface12] ip address 192.1.1.2 24

[ASBR-PE2-Vlan-interface12] quit

# Execute the display ip vpn-instance command to display VPN instance configurations. Verify that the PEs can ping the CEs, and the ASBR-PEs can ping each other. (Details not shown.)

4. Establish EBGP peer relationships between PEs and CEs, and redistribute VPN routes into BGP:

# Configure CE 1.

[CE1] bgp 65001

[CE1-bgp] peer 10.1.1.2 as-number 100

[CE1-bgp] address-family ipv4 unicast

[CE1-bgp-ipv4] peer 10.1.1.2 enable

[CE1-bgp-ipv4] import-route direct

[CE1-bgp-ipv4] quit

[CE1-bgp] quit

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65001

[PE1-bgp-vpn1] address-family ipv4 unicast

[PE1-bgp-ipv4-vpn1] peer 10.1.1.1 enable

[PE1-bgp-ipv4-vpn1] import-route direct

[PE1-bgp-ipv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Configure CE 2.

[CE2] bgp 65002

[CE2-bgp] peer 10.2.1.2 as-number 200

[CE2-bgp] address-family ipv4 unicast

[CE2-bgp-ipv4] peer 10.2.1.2 enable

[CE2-bgp-ipv4] import-route direct

[CE2-bgp-ipv4] quit

[CE2-bgp] quit

# Configure PE 2.

[PE2] bgp 200

[PE2-bgp] ip vpn-instance vpn1

[PE2-bgp-vpn1] peer 10.2.1.1 as-number 65002

[PE2-bgp-vpn1] address-family ipv4 unicast

[PE2-bgp-ipv4-vpn1] peer 10.2.1.1 enable

[PE2-bgp-ipv4-vpn1] import-route direct

[PE2-bgp-ipv4-vpn1] quit

[PE2-bgp-vpn1] quit

[PE2-bgp] quit

5. Establish an MP-IBGP peer relationship between each PE and the ASBR-PE in the same AS, and an EBGP peer relationship between the ASBR-PEs:

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] peer 2.2.2.9 as-number 100

[PE1-bgp] peer 2.2.2.9 connect-interface loopback 0

[PE1-bgp] address-family vpnv4

[PE1-bgp-vpnv4] peer 2.2.2.9 enable

[PE1-bgp-vpnv4] peer 2.2.2.9 next-hop-local

[PE1-bgp-vpnv4] quit

[PE1-bgp] quit

# Configure ASBR-PE 1.

[ASBR-PE1] bgp 100

[ASBR-PE1-bgp] ip vpn-instance vpn1

[ASBR-PE1-bgp-vpn1] peer 192.1.1.2 as-number 200

[ASBR-PE2-bgp-vpn1] address-family ipv4 unicast

[ASBR-PE2-bgp-ipv4-vpn1] peer 192.1.1.2 enable

[ASBR-PE2-bgp-ipv4-vpn1] quit

[ASBR-PE1-bgp-vpn1] quit

[ASBR-PE1-bgp] peer 1.1.1.9 as-number 100

[ASBR-PE1-bgp] peer 1.1.1.9 connect-interface loopback 0

[ASBR-PE1-bgp] address-family vpnv4

[ASBR-PE1-bgp-vpnv4] peer 1.1.1.9 enable

[ASBR-PE1-bgp-vpnv4] peer 1.1.1.9 next-hop-local

[ASBR-PE1-bgp-vpnv4] quit

[ASBR-PE1-bgp] quit

# Configure ASBR-PE 2.

[ASBR-PE2] bgp 200

[ASBR-PE2-bgp] ip vpn-instance vpn1

[ASBR-PE2-bgp-vpn1] peer 192.1.1.1 as-number 100

[ASBR-PE2-bgp-vpn1] address-family ipv4 unicast

[ASBR-PE2-bgp-ipv4-vpn1] peer 192.1.1.1 enable

[ASBR-PE2-bgp-ipv4-vpn1] quit

[ASBR-PE2-bgp-vpn1] quit

[ASBR-PE2-bgp] peer 4.4.4.9 as-number 200

[ASBR-PE2-bgp] peer 4.4.4.9 connect-interface loopback 0

[ASBR-PE2-bgp] address-family vpnv4

[ASBR-PE2-bgp-vpnv4] peer 4.4.4.9 enable

[ASBR-PE2-bgp-vpnv4] peer 4.4.4.9 next-hop-local

[ASBR-PE2-bgp-vpnv4] quit

[ASBR-PE2-bgp] quit

# Configure PE 2.

[PE2] bgp 200

[PE2-bgp] peer 3.3.3.9 as-number 200

[PE2-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE2-bgp] address-family vpnv4

[PE2-bgp-vpnv4] peer 3.3.3.9 enable

[PE2-bgp-vpnv4] peer 3.3.3.9 next-hop-local

[PE2-bgp-vpnv4] quit

[PE2-bgp] quit

Verifying the configuration

# Verify that the CEs can learn the interface routes from each other and ping each other. (Details not shown.)

Configuring MPLS L3VPN inter-AS option B

Network requirements

Site 1 and Site 2 belong to the same VPN. CE 1 of Site 1 accesses the network through PE 1 in AS 100, and CE 2 of Site 2 accesses the network through PE 2 in AS 600. PEs in the same AS run IS-IS.

PE 1 and ASBR-PE 1 exchange VPNv4 routes through MP-IBGP. PE 2 and ASBR-PE 2 exchange VPNv4 routes through MP-IBGP. ASBR-PE 1 and ASBR-PE 2 exchange VPNv4 routes through MP-EBGP.

ASBRs do not perform route target filtering of received VPN-IPv4 routes.

Figure 23 Network diagram

Table 4 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
PE 1	Loop0	2.2.2.9/32	PE 2	Loop0	5.5.5.9/32
	Vlan-int12	30.0.0.1/8		Vlan-int12	20.0.0.1/8
	Vlan-int11	1.1.1.2/8		Vlan-int11	9.1.1.2/8
ASBR-PE 1	Loop0	3.3.3.9/32	ASBR-PE 2	Loop0	4.4.4.9/32
	Vlan-int11	1.1.1.1/8		Vlan-int11	9.1.1.1/8
	Vlan-int12	11.0.0.2/8		Vlan-int12	11.0.0.1/8

Configuration procedure

1. Configure PE 1:

# Configure IS-IS on PE 1.

<PE1> system-view

[PE1] isis 1

[PE1-isis-1] network-entity 10.111.111.111.111.00

[PE1-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[PE1] mpls lsr-id 2.2.2.9

[PE1] mpls ldp

[PE1-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] ip address 1.1.1.2 255.0.0.0

[PE1-Vlan-interface11] isis enable 1

[PE1-Vlan-interface11] mpls enable

[PE1-Vlan-interface11] mpls ldp enable

[PE1-Vlan-interface11] quit

# Configure interface Loopback 0 and enable IS-IS on it.

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 2.2.2.9 32

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

# Create VPN instance vpn1, and configure the RD and route target attributes.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 11:11

[PE1-vpn-instance-vpn1] vpn-target 1:1 2:2 3:3 import-extcommunity

[PE1-vpn-instance-vpn1] vpn-target 3:3 export-extcommunity

[PE1-vpn-instance-vpn1] quit

# Bind the interface connected to CE 1 to the created VPN instance.

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip binding vpn-instance vpn1

[PE1-Vlan-interface12] ip address 30.0.0.1 8

[PE1-Vlan-interface12] quit

# Enable BGP on PE 1.

[PE1] bgp 100

# Configure IBGP peer 3.3.3.9 as a VPNv4 peer.

[PE1-bgp] peer 3.3.3.9 as-number 100

[PE1-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE1-bgp] address-family vpnv4

[PE1-bgp-vpnv4] peer 3.3.3.9 enable

[PE1-bgp-vpnv4] quit

# Redistribute direct routes to the VPN routing table of vpn1.

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] address-family ipv4 unicast

[PE1-bgp-ipv4-vpn1] import-route direct

[PE1-bgp-ipv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

2. Configure ASBR-PE 1:

# Enable IS-IS on ASBR-PE 1.

<ASBR-PE1> system-view

[ASBR-PE1] isis 1

[ASBR-PE1-isis-1] network-entity 10.222.222.222.222.00

[ASBR-PE1-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[ASBR-PE1] mpls lsr-id 3.3.3.9

[ASBR-PE1] mpls ldp

[ASBR-PE1-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[ASBR-PE1] interface vlan-interface11

[ASBR-PE1-Vlan-interface11] ip address 1.1.1.1 255.0.0.0

[ASBR-PE1-Vlan-interface11] isis enable 1

[ASBR-PE1-Vlan-interface11] mpls enable

[ASBR-PE1-Vlan-interface11] mpls ldp enable

[ASBR-PE1-Vlan-interface11] quit

# Configure interface VLAN-interface 12 and enable MPLS on it.

[ASBR-PE1] interface vlan-interface 12

[ASBR-PE1-Vlan-interface12] ip address 11.0.0.2 255.0.0.0

[ASBR-PE1-Vlan-interface12] mpls enable

[ASBR-PE1-Vlan-interface12] quit

# Configure interface Loopback 0 and enable IS-IS on it.

[ASBR-PE1] interface loopback 0

[ASBR-PE1-LoopBack0] ip address 3.3.3.9 32

[ASBR-PE1-LoopBack0] isis enable 1

[ASBR-PE1-LoopBack0] quit

# Enable BGP on ASBR-PE 1.

[ASBR-PE1] bgp 100

[ASBR-PE1-bgp] peer 2.2.2.9 as-number 100

[ASBR-PE1-bgp] peer 2.2.2.9 connect-interface loopback 0

[ASBR-PE1-bgp] peer 11.0.0.1 as-number 600

[ASBR-PE1-bgp] peer 11.0.0.1 connect-interface vlan-interface 12

# Disable route target based filtering of received VPNv4 routes.

[ASBR-PE1-bgp] address-family vpnv4

[ASBR-PE1-bgp-vpnv4] undo policy vpn-target

# Configure both IBGP peer 2.2.2.0 and EBGP peer 11.0.0.1 as VPNv4 peers.

[ASBR-PE1-bgp-vpnv4] peer 11.0.0.1 enable

[ASBR-PE1-bgp-vpnv4] peer 2.2.2.9 enable

[ASBR-PE1-bgp-vpnv4] quit

3. Configure ASBR-PE 2:

# Enable IS-IS on ASBR-PE 2.

<ASBR-PE2> system-view

[ASBR-PE2] isis 1

[ASBR-PE2-isis-1] network-entity 10.222.222.222.222.00

[ASBR-PE2-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[ASBR-PE2] mpls lsr-id 4.4.4.9

[ASBR-PE2] mpls ldp

[ASBR-PE2-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[ASBR-PE2] interface vlan-interface 11

[ASBR-PE2-Vlan-interface11] ip address 9.1.1.1 255.0.0.0

[ASBR-PE2-Vlan-interface11] isis enable 1

[ASBR-PE2-Vlan-interface11] mpls enable

[ASBR-PE2-Vlan-interface11] mpls ldp enable

[ASBR-PE2-Vlan-interface11] quit

# Configure interface VLAN-interface 12 and enable MPLS on it.

[ASBR-PE2] interface vlan-interface 12

[ASBR-PE2-Vlan-interface12] ip address 11.0.0.1 255.0.0.0

[ASBR-PE2-Vlan-interface12] mpls enable

[ASBR-PE2-Vlan-interface12] quit

# Configure interface Loopback 0 and enable IS-IS on it.

[ASBR-PE2] interface loopback 0

[ASBR-PE2-LoopBack0] ip address 4.4.4.9 32

[ASBR-PE2-LoopBack0] isis enable 1

[ASBR-PE2-LoopBack0] quit

# Enable BGP on ASBR-PE 2.

[ASBR-PE2] bgp 600

[ASBR-PE2-bgp] peer 11.0.0.2 as-number 100

[ASBR-PE2-bgp] peer 11.0.0.2 connect-interface vlan-interface 12

[ASBR-PE2-bgp] peer 5.5.5.9 as-number 600

[ASBR-PE2-bgp] peer 5.5.5.9 connect-interface loopback 0

# Disable route target based filtering of received VPNv4 routes.

[ASBR-PE2-bgp] address-family vpnv4

[ASBR-PE2-bgp-vpnv4] undo policy vpn-target

# Configure both IBGP peer 5.5.5.9 and EBGP peer 11.0.0.2 as VPNv4 peers.

[ASBR-PE2-bgp-vpnv4] peer 11.0.0.2 enable

[ASBR-PE2-bgp-vpnv4] peer 5.5.5.9 enable

[ASBR-PE2-bgp-vpnv4] quit

[ASBR-PE2-bgp] quit

4. Configure PE 2:

# Enable IS-IS on PE 2.

<PE2> system-view

[PE2] isis 1

[PE2-isis-1] network-entity 10.111.111.111.111.00

[PE2-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[PE2] mpls lsr-id 5.5.5.9

[PE2] mpls ldp

[PE2-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[PE2] interface vlan-interface 11

[PE2-Vlan-interface11] ip address 9.1.1.2 255.0.0.0

[PE2-Vlan-interface11] isis enable 1

[PE2-Vlan-interface11] mpls enable

[PE2-Vlan-interface11] mpls ldp enable

[PE2-Vlan-interface11] quit

# Configure interface Loopback 0 and enable IS-IS on it.

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 5.5.5.9 32

[PE2-LoopBack0] isis enable 1

[PE2-LoopBack0] quit

# Create VPN instance vpn1, and configure the RD and route target attributes.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 12:12

[PE2-vpn-instance-vpn1] vpn-target 1:1 2:2 3:3 import-extcommunity

[PE2-vpn-instance-vpn1] vpn-target 3:3 export-extcommunity

[PE2-vpn-instance-vpn1] quit

# Bind the interface connected to CE 2 to the created VPN instance.

[PE2] interface Vlan-interface12

[PE2-Vlan-interface12] ip binding vpn-instance vpn1

[PE2-Vlan-interface12] ip address 20.0.0.1 8

[PE2-Vlan-interface12] quit

# Enable BGP on PE 2.

[PE2] bgp 600

# Configure IBGP peer 4.4.4.9 as a VPNv4 peer.

[PE2-bgp] peer 4.4.4.9 as-number 600

[PE2-bgp] peer 4.4.4.9 connect-interface loopback 0

[PE2-bgp] address-family vpnv4

[PE2-bgp-vpnv4] peer 4.4.4.9 enable

[PE2-bgp-vpnv4] quit

# Redistribute direct routes to the VPN routing table of vpn1.

[PE2-bgp] ip vpn-instance vpn1

[PE2-bgp-vpn1] address-family ipv4 unicast

[PE2-bgp-ipv4-vpn1] import-route direct

[PE2-bgp-ipv4-vpn1] quit

[PE2-bgp-vpn1] quit

[PE2-bgp] quit

Verifying the configuration

# Verify that PE 1 and PE 2 can ping each other.

[PE1] ping -a 30.0.0.1 -vpn-instance vpn1 20.0.0.1

Ping 20.0.0.1 (20.0.0.1) from 30.0.0.1: 56 data bytes, press CTRL_C to break

56 bytes from 20.0.0.1: icmp_seq=0 ttl=255 time=1.208 ms

56 bytes from 20.0.0.1: icmp_seq=1 ttl=255 time=0.867 ms

56 bytes from 20.0.0.1: icmp_seq=2 ttl=255 time=0.551 ms

56 bytes from 20.0.0.1: icmp_seq=3 ttl=255 time=0.566 ms

56 bytes from 20.0.0.1: icmp_seq=4 ttl=255 time=0.570 ms

--- Ping statistics for 20.0.0.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.551/0.752/1.208/0.257 ms

Configuring MPLS L3VPN inter-AS option C

Network requirements

Site 1 and Site 2 belong to the same VPN. Site 1 accesses the network through PE 1 in AS 100, and Site 2 accesses the network through PE 2 in AS 600. PEs in the same AS run IS-IS.

PE 1 and ASBR-PE 1 exchange labeled IPv4 routes through MP-IBGP. PE 2 and ASBR-PE 2 exchange labeled IPv4 routes through IBGP. PE 1 and PE 2 exchange VPNv4 routes through EBGP.

ASBR-PE 1 and ASBR-PE 2 use their respective routing policies and label routes received from each other.

ASBR-PE 1 and ASBR-PE 2 use EBGP to exchange labeled IPv4 routes.

Figure 24 Network diagram

Table 5 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
PE 1	Loop0	2.2.2.9/32	PE 2	Loop0	5.5.5.9/32
	Loop1	30.0.0.1/32		Loop1	20.0.0.1/32
	Vlan-int11	1.1.1.2/8		Vlan-int11	9.1.1.2/8
ASBR-PE 1	Loop0	3.3.3.9/32	ASBR-PE 2	Loop0	4.4.4.9/32
	Vlan-int11	1.1.1.1/8		Vlan-int11	9.1.1.1/8
	Vlan-int12	11.0.0.2/8		Vlan-int12	11.0.0.1/8

Configuration procedure

1. Configure PE 1:

# Configure IS-IS on PE 1.

<PE1> system-view

[PE1] isis 1

[PE1-isis-1] network-entity 10.111.111.111.111.00

[PE1-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[PE1] mpls lsr-id 2.2.2.9

[PE1] mpls ldp

[PE1-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] ip address 1.1.1.2 255.0.0.0

[PE1-Vlan-interface11] isis enable 1

[PE1-Vlan-interface11] mpls enable

[PE1-Vlan-interface11] mpls ldp enable

[PE1-Vlan-interface11] quit

# Configure interface Loopback 0 and enable IS-IS on it.

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 2.2.2.9 32

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

# Create VPN instance vpn1, and configure the RD and route target attributes.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 11:11

[PE1-vpn-instance-vpn1] vpn-target 1:1 2:2 3:3 import-extcommunity

[PE1-vpn-instance-vpn1] vpn-target 3:3 export-extcommunity

[PE1-vpn-instance-vpn1] quit

# Configure interface Loopback 1 and bind the interface to VPN instance vpn1.

[PE1] interface loopback 1

[PE1-LoopBack1] ip binding vpn-instance vpn1

[PE1-LoopBack1] ip address 30.0.0.1 32

[PE1-LoopBack1] quit

# Enable BGP on PE 1.

[PE1] bgp 100

# Enable the capability to advertise labeled routes to IBGP peer 3.3.3.9 and to receive labeled routes from the peer.

[PE1-bgp] peer 3.3.3.9 as-number 100

[PE1-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE1-bgp] address-family ipv4 unicast

[PE1-bgp-ipv4] peer 3.3.3.9 enable

[PE1-bgp-ipv4] peer 3.3.3.9 label-route-capability

[PE1-bgp-ipv4] quit

# Configure the maximum hop count from PE 1 to EBGP peer 5.5.5.9 as 10.

[PE1-bgp] peer 5.5.5.9 as-number 600

[PE1-bgp] peer 5.5.5.9 connect-interface loopback 0

[PE1-bgp] peer 5.5.5.9 ebgp-max-hop 10

# Configure peer 5.5.5.9 as a VPNv4 peer.

[PE1-bgp] address-family vpnv4

[PE1-bgp-vpnv4] peer 5.5.5.9 enable

[PE1-bgp-vpnv4] quit

# Redistribute direct routes to the routing table of vpn1.

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] address-family ipv4 unicast

[PE1-bgp-ipv4-vpn1] import-route direct

[PE1-bgp-ipv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

2. Configure ASBR-PE 1:

# Enable IS-IS on ASBR-PE 1.

<ASBR-PE1> system-view

[ASBR-PE1] isis 1

[ASBR-PE1-isis-1] network-entity 10.222.222.222.222.00

[ASBR-PE1-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[ASBR-PE1] mpls lsr-id 3.3.3.9

[ASBR-PE1] mpls ldp

[ASBR-PE1-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[ASBR-PE1] interface vlan-interface 11

[ASBR-PE1-Vlan-interface11] ip address 1.1.1.1 255.0.0.0

[ASBR-PE1-Vlan-interface11] isis enable 1

[ASBR-PE1-Vlan-interface11] mpls enable

[ASBR-PE1-Vlan-interface11] mpls ldp enable

[ASBR-PE1-Vlan-interface11] quit

# Configure interface VLAN-interface 12 and enable MPLS on it.

[ASBR-PE1] interface vlan-interface 12

[ASBR-PE1-Vlan-interface12] ip address 11.0.0.2 255.0.0.0

[ASBR-PE1-Vlan-interface12] mpls enable

[ASBR-PE1-Vlan-interface12] quit

# Configure interface Loopback 0 and enable IS-IS on it.

[ASBR-PE1] interface loopback 0

[ASBR-PE1-LoopBack0] ip address 3.3.3.9 32

[ASBR-PE1-LoopBack0] isis enable 1

[ASBR-PE1-LoopBack0] quit

# Create routing policies.

[ASBR-PE1] route-policy policy1 permit node 1

[ASBR-PE1-route-policy-policy1-1] apply mpls-label

[ASBR-PE1-route-policy-policy1-1] quit

[ASBR-PE1] route-policy policy2 permit node 1

[ASBR-PE1-route-policy-policy2-1] if-match mpls-label

[ASBR-PE1-route-policy-policy2-1] apply mpls-label

[ASBR-PE1-route-policy-policy2-1] quit

# Enable BGP on ASBR-PE 1 and apply the routing policy policy2 to routes advertised to IBGP peer 2.2.2.9.

[ASBR-PE1] bgp 100

[ASBR-PE1-bgp] peer 2.2.2.9 as-number 100

[ASBR-PE1-bgp] peer 2.2.2.9 connect-interface loopback 0

[ASBR-PE1-bgp] address-family ipv4 unicast

[ASBR-PE1-bgp-ipv4] peer 2.2.2.9 enable

[ASBR-PE1-bgp-ipv4] peer 2.2.2.9 route-policy policy2 export

# Enable the capability to advertise labeled routes to IBGP peer 2.2.2.9 and to receive labeled routes from the peer.

[ASBR-PE1-bgp-ipv4] peer 2.2.2.9 label-route-capability

# Redistribute routes from IS-IS process 1 to BGP.

[ASBR-PE1-bgp-ipv4] import-route isis 1

[ASBR-PE1-bgp-ipv4] quit

# Apply the routing policy policy1 to routes advertised to EBGP peer 11.0.0.1.

[ASBR-PE1-bgp] peer 11.0.0.1 as-number 600

[ASBR-PE1-bgp] address-family ipv4 unicast

[ASBR-PE1-bgp-ipv4] peer 11.0.0.1 enable

[ASBR-PE1-bgp-ipv4] peer 11.0.0.1 route-policy policy1 export

# Enable the capability to advertise labeled routes to EBGP peer 11.0.0.1 and to receive labeled routes from the peer.

[ASBR-PE1-bgp-ipv4] peer 11.0.0.1 label-route-capability

[ASBR-PE1-bgp-ipv4] quit

[ASBR-PE1-bgp] quit

3. Configure ASBR-PE 2:

# Enable IS-IS on ASBR-PE 2.

<ASBR-PE2> system-view

[ASBR-PE2] isis 1

[ASBR-PE2-isis-1] network-entity 10.222.222.222.222.00

[ASBR-PE2-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[ASBR-PE2] mpls lsr-id 4.4.4.9

[ASBR-PE2] mpls ldp

[ASBR-PE2-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[ASBR-PE2] interface vlan-interface 11

[ASBR-PE2-Vlan-interface11] ip address 9.1.1.1 255.0.0.0

[ASBR-PE2-Vlan-interface11] isis enable 1

[ASBR-PE2-Vlan-interface11] mpls enable

[ASBR-PE2-Vlan-interface11] mpls ldp enable

[ASBR-PE2-Vlan-interface11] quit

# Configure interface Loopback 0 and enable IS-IS on it.

[ASBR-PE2] interface loopback 0

[ASBR-PE2-LoopBack0] ip address 4.4.4.9 32

[ASBR-PE2-LoopBack0] isis enable 1

[ASBR-PE2-LoopBack0] quit

# Configure interface VLAN-interface 12 and enable MPLS on it.

[ASBR-PE2] interface vlan-interface 12

[ASBR-PE2-Vlan-interface12] ip address 11.0.0.1 255.0.0.0

[ASBR-PE2-Vlan-interface12] mpls enable

[ASBR-PE2-Vlan-interface12] quit

# Create routing policies.

[ASBR-PE2] route-policy policy1 permit node 1

[ASBR-PE2-route-policy-policy1-1] apply mpls-label

[ASBR-PE2-route-policy-policy1-1] quit

[ASBR-PE2] route-policy policy2 permit node 1

[ASBR-PE2-route-policy-policy2-1] if-match mpls-label

[ASBR-PE2-route-policy-policy2-1] apply mpls-label

[ASBR-PE2-route-policy-policy2-1] quit

# Enable BGP on ASBR-PE 2, and enable the capability to advertise labeled routes to IBGP peer 5.5.5.9 and to receive labeled routes from the peer.

[ASBR-PE2] bgp 600

[ASBR-PE2-bgp] peer 5.5.5.9 as-number 600

[ASBR-PE2-bgp] peer 5.5.5.9 connect-interface loopback 0

[ASBR-PE2-bgp] address-family ipv4 unicast

[ASBR-PE2-bgp-ipv4] peer 5.5.5.9 enable

[ASBR-PE2-bgp-ipv4] peer 5.5.5.9 label-route-capability

# Apply the routing policy policy2 to routes advertised to IBGP peer 5.5.5.9.

[ASBR-PE2-bgp-ipv4] peer 5.5.5.9 route-policy policy2 export

# Redistribute routes from IS-IS process 1 into BGP.

[ASBR-PE2-bgp-ipv4] import-route isis 1

[ASBR-PE2-bgp-ipv4] quit

# Apply the routing policy policy1 to routes advertised to EBGP peer 11.0.0.2.

[ASBR-PE2-bgp] peer 11.0.0.2 as-number 100

[ASBR-PE2-bgp] address-family ipv4 unicast

[ASBR-PE2-bgp-ipv4] peer 11.0.0.2 enable

[ASBR-PE2-bgp-ipv4] peer 11.0.0.2 route-policy policy1 export

# Enable the capability to advertise labeled routes to EBGP peer 11.0.0.2 and to receive labeled routes from the peer.

[ASBR-PE2-bgp-ipv4] peer 11.0.0.2 label-route-capability

[ASBR-PE2-bgp-ipv4] quit

[ASBR-PE2-bgp] quit

4. Configure PE 2:

# Enable IS-IS on PE 2.

<PE2> system-view

[PE2] isis 1

[PE2-isis-1] network-entity 10.111.111.111.111.00

[PE2-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[PE2] mpls lsr-id 5.5.5.9

[PE2] mpls ldp

[PE2-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[PE2] interface vlan-interface 11

[PE2-Vlan-interface11] ip address 9.1.1.2 255.0.0.0

[PE2-Vlan-interface11] isis enable 1

[PE2-Vlan-interface11] mpls enable

[PE2-Vlan-interface11] mpls ldp enable

[PE2-Vlan-interface11] quit

# Configure interface Loopback 0 and enable IS-IS on it.

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 5.5.5.9 32

[PE2-LoopBack0] isis enable 1

[PE2-LoopBack0] quit

# Create VPN instance vpn1, and configure the RD and route target attributes.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 11:11

[PE2-vpn-instance-vpn1] vpn-target 1:1 2:2 3:3 import-extcommunity

[PE2-vpn-instance-vpn1] vpn-target 3:3 export-extcommunity

[PE2-vpn-instance-vpn1] quit

# Configure interface Loopback 1 and bind the interface to VPN instance vpn1.

[PE2] interface loopback 1

[PE2-LoopBack1] ip binding vpn-instance vpn1

[PE2-LoopBack1] ip address 20.0.0.1 32

[PE2-LoopBack1] quit

# Enable BGP on PE 2.

[PE2] bgp 600

# Enable the capability to advertise labeled routes to IBGP peer 4.4.4.9 and to receive labeled routes from the peer.

[PE2-bgp] peer 4.4.4.9 as-number 600

[PE2-bgp] peer 4.4.4.9 connect-interface loopback 0

[PE2-bgp] address-family ipv4 unicast

[PE2-bgp-ipv4] peer 4.4.4.9 enable

[PE2-bgp-ipv4] peer 4.4.4.9 label-route-capability

[PE2-bgp-ipv4] quit

# Configure the maximum hop count from PE 2 to EBGP peer 2.2.2.9 as 10.

[PE2-bgp] peer 2.2.2.9 as-number 100

[PE2-bgp] peer 2.2.2.9 connect-interface loopback 0

[PE2-bgp] peer 2.2.2.9 ebgp-max-hop 10

# Configure peer 2.2.2.9 as a VPNv4 peer.

[PE2-bgp] address-family vpnv4

[PE2-bgp-vpnv4] peer 2.2.2.9 enable

[PE2-bgp-vpnv4] quit

# Redistribute direct routes to the routing table of vpn1.

[PE2-bgp] ip vpn-instance vpn1

[PE2-bgp-vpn1] address-family ipv4 unicast

[PE2-bgp-ipv4-vpn1] import-route direct

[PE2-bgp-ipv4-vpn1] quit

[PE2-bgp-vpn1] quit

[PE2-bgp] quit

Verifying the configuration

# Verify that PE 1 and PE 2 can ping each other.

[PE1] ping -a 30.0.0.1 -vpn-instance vpn1 20.0.0.1

Ping 20.0.0.1 (20.0.0.1) from 30.0.0.1: 56 data bytes, press CTRL_C to break

56 bytes from 20.0.0.1: icmp_seq=0 ttl=255 time=1.208 ms

56 bytes from 20.0.0.1: icmp_seq=1 ttl=255 time=0.867 ms

56 bytes from 20.0.0.1: icmp_seq=2 ttl=255 time=0.551 ms

56 bytes from 20.0.0.1: icmp_seq=3 ttl=255 time=0.566 ms

56 bytes from 20.0.0.1: icmp_seq=4 ttl=255 time=0.570 ms

--- Ping statistics for 20.0.0.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.551/0.752/1.208/0.257 ms

Configuring MPLS L3VPN carrier's carrier

Network requirements

Configure carrier's carrier for the scenario shown in Figure 25. In this scenario:

· PE 1 and PE 2 are the provider carrier's PE switches. They provide VPN services for the customer carrier.

· CE 1 and CE 2 are the customer carrier's switches. They are connected to the provider carrier's backbone as CE switches.

· PE 3 and PE 4 are the customer carrier's PE switches. They provide MPLS L3VPN services for the end customers.

· CE 3 and CE 4 are customers of the customer carrier.

The key to carrier's carrier deployment is to configure exchange of two kinds of routes:

· Exchange of the customer carrier's internal routes on the provider carrier's backbone.

· Exchange of the end customers' VPN routes between PE 3 and PE 4, the PEs of the customer carrier. In this process, an MP-IBGP peer relationship must be established between PE 3 and PE 4.

Figure 25 Network diagram

Table 6 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 3	Vlan-int11	100.1.1.1/24	CE 4	Vlan-int11	120.1.1.1/24
PE 3	Loop0	1.1.1.9/32	PE 4	Loop0	6.6.6.9/32
	Vlan-int11	100.1.1.2/24		Vlan-int11	120.1.1.2/24
	Vlan-int12	10.1.1.1/24		Vlan-int12	20.1.1.2/24
CE 1	Loop0	2.2.2.9/32	CE 2	Loop0	5.5.5.9/32
	Vlan-int12	10.1.1.2/24		Vlan-int11	21.1.1.2/24
	Vlan-int11	11.1.1.1/24		Vlan-int12	20.1.1.1/24
PE 1	Loop0	3.3.3.9/32	PE 2	Loop0	4.4.4.9/32
	Vlan-int11	11.1.1.2/24		Vlan-int12	30.1.1.2/24
	Vlan-int12	30.1.1.1/24		Vlan-int11	21.1.1.1/24

Configuration procedure

1. Configure MPLS L3VPN on the provider carrier backbone. Enable IS-IS as the IGP, enable LDP between PE 1 and PE 2, and establish an MP-IBGP peer relationship between the PEs:

# Configure PE 1.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 3.3.3.9 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 3.3.3.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] isis 1

[PE1-isis-1] network-entity 10.0000.0000.0000.0004.00

[PE1-isis-1] quit

[PE1] interface loopback 0

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip address 30.1.1.1 24

[PE1-Vlan-interface12] isis enable 1

[PE1-Vlan-interface12] mpls enable

[PE1-Vlan-interface12] mpls ldp enable

[PE1-Vlan-interface12] mpls ldp transport-address interface

[PE1-Vlan-interface12] quit

[PE1] bgp 100

[PE1-bgp] peer 4.4.4.9 as-number 100

[PE1-bgp] peer 4.4.4.9 connect-interface loopback 0

[PE1-bgp] address-family vpnv4

[PE1-bgp-vpnv4] peer 4.4.4.9 enable

[PE1-bgp-vpnv4] quit

[PE1-bgp] quit

# Configure PE 2 in the same way that PE 1 is configured. (Details not shown.)

# On PE 1, verify that the LDP session has been established.

[PE1] display mpls ldp peer

Total number of peers: 1

Peer LDP ID State LAM Role GR MD5 KA Sent/Rcvd

4.4.4.9:0 Operational DU Active Off Off 8/8

# On PE 1, verify that the BGP peer relationship in Established state has been established.

[PE1] display bgp peer vpnv4

BGP local router ID: 3.3.3.9

Local AS number: 100

Total number of peers: 1 Peers in established state: 1

Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State

4.4.4.9 100 3 6 0 0 00:00:32 Established

# On PE 1, verify that the IS-IS neighbor relationship has been set up.

[PE1] display isis peer

Peer information for ISIS(1)

----------------------------

System Id: 0000.0000.0005

Interface: Vlan-interface12 Circuit Id: 0000.0000.0005.02

State: Up HoldTime: 8s Type: L1(L1L2) PRI: 64

System Id: 0000.0000.0005

Interface: Vlan-interface12 Circuit Id: 0000.0000.0005.02

State: Up HoldTime: 8s Type: L2(L1L2) PRI: 64

2. Configure the customer carrier network. Enable IS-IS as the IGP, and enable LDP between PE 3 and CE 1, and between PE 4 and CE 2:

# Configure PE 3.

<PE3> system-view

[PE3] interface loopback 0

[PE3-LoopBack0] ip address 1.1.1.9 32

[PE3-LoopBack0] quit

[PE3] mpls lsr-id 1.1.1.9

[PE3] mpls ldp

[PE3-ldp] quit

[PE3] isis 2

[PE3-isis-2] network-entity 10.0000.0000.0000.0001.00

[PE3-isis-2] quit

[PE3] interface loopback 0

[PE3-LoopBack0] isis enable 2

[PE3-LoopBack0] quit

[PE3] interface vlan-interface 12

[PE3-Vlan-interface12] ip address 10.1.1.1 24

[PE3-Vlan-interface12] isis enable 2

[PE3-Vlan-interface12] mpls enable

[PE3-Vlan-interface12] mpls ldp enable

[PE3-Vlan-interface12] mpls ldp transport-address interface

[PE3-Vlan-interface12] quit

# Configure CE 1.

<CE1> system-view

[CE1] interface loopback 0

[CE1-LoopBack0] ip address 2.2.2.9 32

[CE1-LoopBack0] quit

[CE1] mpls lsr-id 2.2.2.9

[CE1] mpls ldp

[CE1-ldp] quit

[CE1] isis 2

[CE1-isis-2] network-entity 10.0000.0000.0000.0002.00

[CE1-isis-2] quit

[CE1] interface loopback 0

[CE1-LoopBack0] isis enable 2

[CE1-LoopBack0] quit

[CE1] interface vlan-interface 12

[CE1-Vlan-interface12] ip address 10.1.1.2 24

[CE1-Vlan-interface12] isis enable 2

[CE1-Vlan-interface12] mpls enable

[CE1-Vlan-interface12] mpls ldp enable

[CE1-Vlan-interface12] mpls ldp transport-address interface

[CE1-Vlan-interface12] quit

PE 3 and CE 1 can establish an LDP session and IS-IS neighbor relationship between them.

# Configure PE 4 and CE 2 in the same way that PE 3 and CE 1 are configured. (Details not shown.)

3. Perform configurations to allow CEs of the customer carrier to access PEs of the provider carrier, and redistribute IS-IS routes to BGP and BGP routes to IS-IS on the PEs:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 200:1

[PE1-vpn-instance-vpn1] vpn-target 1:1

[PE1-vpn-instance-vpn1] quit

[PE1] mpls ldp

[PE1-ldp] vpn-instance vpn1

[PE1-ldp-vpn-instance-vpn1] quit

[PE1-ldp] quit

[PE1] isis 2 vpn-instance vpn1

[PE1-isis-2] network-entity 10.0000.0000.0000.0003.00

[PE1-isis-2] import-route bgp

[PE1-isis-2] quit

[PE1] interface vlan-interface11

[PE1-Vlan-interface11] ip binding vpn-instance vpn1

[PE1-Vlan-interface11] ip address 11.1.1.2 24

[PE1-Vlan-interface11] isis enable 2

[PE1-Vlan-interface11] mpls enable

[PE1-Vlan-interface11] mpls ldp enable

[PE1-Vlan-interface11] mpls ldp transport-address interface

[PE1-Vlan-interface11] quit

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] address-family ipv4 unicast

[PE1-bgp-ipv4-vpn1] import isis 2

[PE1-bgp-ipv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Configure CE 1.

[CE1] interface vlan-interface11

[CE1-Vlan-interface11] ip address 11.1.1.1 24

[CE1-Vlan-interface11] isis enable 2

[CE1-Vlan-interface11] mpls enable

[CE1-Vlan-interface11] mpls ldp enable

[CE1-Vlan-interface11] mpls ldp transport-address interface

[CE1-Vlan-interface11] quit

PE 1 and CE 1 can establish an LDP session and an IS-IS neighbor relationship between them.

# Configure PE 2 and CE 2 in the same way that PE 1 and CE 1 are configured. (Details not shown.)

4. Perform configuration to connect the CEs of the end customers to the PEs of the customer carrier:

# Configure CE 3.

<CE3> system-view

[CE3] interface vlan-interface11

[CE3-Vlan-interface11] ip address 100.1.1.1 24

[CE3-Vlan-interface11] quit

[CE3] bgp 65410

[CE3-bgp] peer 100.1.1.2 as-number 100

[CE3-bgp] address-family ipv4 unicast

[CE3-bgp-ipv4] peer 100.1.1.2 enable

[CE3-bgp-ipv4] import-route direct

[CE3-bgp-ipv4] quit

[CE3-bgp] quit

# Configure PE 3.

[PE3] ip vpn-instance vpn1

[PE3-vpn-instance-vpn1] route-distinguisher 100:1

[PE3-vpn-instance-vpn1] vpn-target 1:1

[PE3-vpn-instance-vpn1] quit

[PE3] interface Vlan-interface11

[PE3-Vlan-interface11] ip binding vpn-instance vpn1

[PE3-Vlan-interface11] ip address 100.1.1.2 24

[PE3-Vlan-interface11] quit

[PE3] bgp 100

[PE3-bgp] ip vpn-instance vpn1

[PE3-bgp-vpn1] peer 100.1.1.1 as-number 65410

[PE3-bgp-vpn1] address-family ipv4 unicast

[PE3-bgp-ipv4-vpn1] peer 100.1.1.1 enable

[PE3-bgp-ipv4-vpn1] import-route direct

[PE3-bgp-ipv4-vpn1] quit

[PE3-bgp-vpn1] quit

[PE3-bgp] quit

# Configure PE 4 and CE 4 in the same way that PE 3 and CE 3 are configured. (Details not shown.)

5. Configure MP-IBGP peer relationship between the PEs of the customer carrier to exchange the end customers' VPN routes:

# Configure PE 3.

[PE3] bgp 100

[PE3-bgp] peer 6.6.6.9 as-number 100

[PE3-bgp] peer 6.6.6.9 connect-interface loopback 0

[PE3-bgp] address-family vpnv4

[PE3-bgp-vpnv4] peer 6.6.6.9 enable

[PE3-bgp-vpnv4] quit

[PE3-bgp] quit

# Configure PE 4 in the same way that PE 3 is configured. (Details not shown.)

Verifying the configuration

1. Display the public network routing table and VPN routing table on the provider carrier PEs, for example, on PE 1:

# Verify that the public network routing table contains only routes of the provider carrier network.

[PE1] display ip routing-table

Routing Tables: Public

Destinations : 15 Routes : 15

Destination/Mask Proto Pre Cost NextHop Interface

3.3.3.9/32 Direct 0 0 127.0.0.1 InLoop0

4.4.4.9/32 ISIS 15 10 30.1.1.2 Vlan12

30.1.1.0/24 Direct 0 0 30.1.1.1 Vlan12

30.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

30.1.1.2/32 Direct 0 0 30.1.1.2 Vlan12

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that the VPN routing table contains the internal routes of the customer carrier network, but it does not contain the VPN routes that the customer carrier maintains.

[PE1] display ip routing-table vpn-instance vpn1

Routing Tables: vpn1

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

1.1.1.9/32 ISIS 15 20 11.1.1.1 Vlan11

2.2.2.9/32 ISIS 15 10 11.1.1.1 Vlan11

5.5.5.9/32 BGP 255 0 4.4.4.9 NULL0

6.6.6.9/32 BGP 255 0 4.4.4.9 NULL0

10.1.1.0/24 ISIS 15 20 11.1.1.1 Vlan11

11.1.1.0/24 Direct 0 0 11.1.1.1 Vlan11

11.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.2/32 Direct 0 0 11.1.1.2 Vlan11

20.1.1.0/24 BGP 255 0 4.4.4.9 NULL0

21.1.1.0/24 BGP 255 0 4.4.4.9 NULL0

21.1.1.2/32 BGP 255 0 4.4.4.9 NULL0

2. Display the routing table on the customer carrier CEs, for example, on CE 1:

# Verify that the routing table contains the internal routes of the customer carrier network, but it does not contain the VPN routes that the customer carrier maintains.

[CE1] display ip routing-table

Routing Tables: Public

Destinations : 16 Routes : 16

Destination/Mask Proto Pre Cost NextHop Interface

1.1.1.9/32 ISIS 15 10 10.1.1.2 Vlan12

2.2.2.9/32 Direct 0 0 127.0.0.1 InLoop0

5.5.5.9/32 ISIS 15 74 11.1.1.2 Vlan11

6.6.6.9/32 ISIS 15 74 11.1.1.2 Vlan11

10.1.1.0/24 Direct 0 0 10.1.1.2 Vlan12

10.1.1.1/32 Direct 0 0 10.1.1.1 Vlan12

10.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.0/24 Direct 0 0 11.1.1.1 Vlan11

11.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.2/32 Direct 0 0 11.1.1.2 Vlan11

20.1.1.0/24 ISIS 15 74 11.1.1.2 Vlan11

21.1.1.0/24 ISIS 15 74 11.1.1.2 Vlan11

21.1.1.2/32 ISIS 15 74 11.1.1.2 Vlan11

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

3. Display the public network routing table and VPN routing table on the customer carrier PEs, for example, on PE 3:

# Verify that the public network routing table contains the internal routes of the customer carrier network.

[PE3] display ip routing-table

Routing Tables: Public

Destinations : 11 Routes : 11

Destination/Mask Proto Pre Cost NextHop Interface

1.1.1.9/32 Direct 0 0 127.0.0.1 InLoop0

2.2.2.9/32 ISIS 15 10 10.1.1.2 Vlan12

5.5.5.9/32 ISIS 15 84 10.1.1.2 Vlan12

6.6.6.9/32 ISIS 15 84 10.1.1.2 Vlan12

10.1.1.0/24 Direct 0 0 10.1.1.1 Vlan12

10.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.2/32 Direct 0 0 10.1.1.2 Vlan12

11.1.1.0/24 ISIS 15 20 10.1.1.2 Vlan12

20.1.1.0/24 ISIS 15 84 10.1.1.2 Vlan12

21.1.1.0/24 ISIS 15 84 10.1.1.2 Vlan12

21.1.1.2/32 ISIS 15 84 10.1.1.2 Vlan12

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that the VPN routing table contains the route to the remote VPN customer.

[PE3] display ip routing-table vpn-instance vpn1

Routing Tables: vpn1

Destinations : 3 Routes : 3

Destination/Mask Proto Pre Cost NextHop Interface

100.1.1.0/24 Direct 0 0 100.1.1.2 Vlan11

100.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

120.1.1.0/24 BGP 255 0 6.6.6.9 NULL0

4. Verify that PE 3 and PE 4 can ping each other. (Details not shown.)

5. Verify that CE 3 and CE 4 can ping each other. (Details not shown.)

Configuring nested VPN

Network requirements

The service provider provides nested VPN services for users, as shown in Figure 26.

· PE 1 and PE 2 are PE devices on the service provider backbone. Both of them support the nested VPN function.

· CE 1 and CE 2 are connected to the service provider backbone. Both of them support VPNv4 routes.

· PE 3 and PE 4 are PE devices of the customer VPN. Both of them support MPLS L3VPN.

· CE 3 through CE 6 are CE devices of the sub-VPNs for the customer VPN.

The key of nested VPN configuration is to understand the processing of routes of sub-VPNs on the service provider PEs:

· When receiving a VPNv4 route from a CE (CE 1 or CE 2 in this example), a service provider PE does the following:

a. Replaces the RD of the VPNv4 route with the RD of the MPLS VPN on the service provider network where the CE resides.

b. Adds the export target attribute of the MPLS VPN on the service provider network to the extended community attribute list.

c. Forwards the VPNv4 route.

· To implement exchange of sub-VPN routes between customer PEs and service provider PEs, MP-EBGP peers must be established between service provider PEs and customer CEs.

Figure 26 Network diagram

Table 7 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Loop0	2.2.2.9/32	CE 2	Loop0	5.5.5.9/32
	Vlan-int2	10.1.1.2/24		Vlan-int1	21.1.1.2/24
	Vlan-int1	11.1.1.1/24		Vlan-int2	20.1.1.1/24
CE 3	Vlan-int1	100.1.1.1/24	CE 4	Vlan-int1	120.1.1.1/24
CE 5	Vlan-int3	110.1.1.1/24	CE 6	Vlan-int3	130.1.1.1/24
PE 1	Loop0	3.3.3.9/32	PE 2	Loop0	4.4.4.9/32
	Vlan-int1	11.1.1.2/24		Vlan-int1	21.1.1.1/24
	Vlan-int2	30.1.1.1/24		Vlan-int2	30.1.1.2/24
PE 3	Loop0	1.1.1.9/32	PE 4	Loop0	6.6.6.9/32
	Vlan-int1	100.1.1.2/24		Vlan-int1	120.1.1.2/24
	Vlan-int2	10.1.1.1/24		Vlan-int2	20.1.1.2/24
	Vlan-int3	110.1.1.2/24		Vlan-int3	130.1.1.2/24

Configuration procedure

1. Configure MPLS L3VPN on the service provider backbone. Enable IS-IS, enable LDP, and establish an MP-IBGP peer relationship between PE 1 and PE 2:

# Configure PE 1.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 3.3.3.9 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 3.3.3.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] isis 1

[PE1-isis-1] network-entity 10.0000.0000.0000.0004.00

[PE1-isis-1] quit

[PE1] interface loopback 0

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

[PE1] interface vlan-interface 2

[PE1-Vlan-interface2] ip address 30.1.1.1 24

[PE1-Vlan-interface2] isis enable 1

[PE1-Vlan-interface2] mpls enable

[PE1-Vlan-interface2] mpls ldp enable

[PE1-Vlan-interface2] quit

[PE1] bgp 100

[PE1-bgp] peer 4.4.4.9 as-number 100

[PE1-bgp] peer 4.4.4.9 connect-interface loopback 0

[PE1-bgp] address-family vpnv4

[PE1-bgp-vpnv4] peer 4.4.4.9 enable

[PE1-bgp-vpnv4] quit

[PE1-bgp] quit

# Configure PE 2 in the same way that PE 1 is configured. (Details not shown.)

# On PE 1, verify that the LDP session has been established.

[PE1] display mpls ldp peer

Total number of peers: 1

Peer LDP ID State LAM Role GR MD5 KA Sent/Rcvd

4.4.4.9:0 Operational DU Active Off Off 8/8

# On PE 1, verify that the BGP peer relationship in Established state has been established.

[PE1] display bgp peer vpnv4

BGP local router ID: 3.3.3.9

Local AS number: 100

Total number of peers: 1 Peers in established state: 1

Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State

4.4.4.9 100 3 6 0 0 00:00:32 Established

# On PE 1, verify that the IS-IS neighbor relationship has been established.

[PE1] display isis peer

Peer information for ISIS(1)

----------------------------

System Id: 0000.0000.0005

Interface: Vlan-interface2 Circuit Id: 0000.0000.0005.02

State: Up HoldTime: 8s Type: L1(L1L2) PRI: 64

System Id: 0000.0000.0005

Interface: Vlan-interface2 Circuit Id: 0000.0000.0005.02

State: Up HoldTime: 8s Type: L2(L1L2) PRI: 64

2. Configure the customer VPN. Enable IS-IS, and enable LDP between PE 3 and CE 1, and between PE 4 and CE 2:

# Configure PE 3.

<PE3> system-view

[PE3] interface loopback 0

[PE3-LoopBack0] ip address 1.1.1.9 32

[PE3-LoopBack0] quit

[PE3] mpls lsr-id 1.1.1.9

[PE3] mpls ldp

[PE3-ldp] quit

[PE3] isis 2

[PE3-isis-2] network-entity 10.0000.0000.0000.0001.00

[PE3-isis-2] quit

[PE3] interface loopback 0

[PE3-LoopBack0] isis enable 2

[PE3-LoopBack0] quit

[PE3-Vlan-interface2] ip address 10.1.1.1 24

[PE3-Vlan-interface2] isis enable 2

[PE3-Vlan-interface2] mpls enable

[PE3-Vlan-interface2] mpls ldp enable

[PE3-Vlan-interface2] quit

# Configure CE 1.

<CE1> system-view

[CE1] interface loopback 0

[CE1-LoopBack0] ip address 2.2.2.9 32

[CE1-LoopBack0] quit

[CE1] mpls lsr-id 2.2.2.9

[CE1] mpls ldp

[CE1-ldp] quit

[CE1] isis 2

[CE1-isis-2] network-entity 10.0000.0000.0000.0002.00

[CE1-isis-2] quit

[CE1] interface loopback 0

[CE1-LoopBack0] isis enable 2

[CE1-LoopBack0] quit

[CE1] interface vlan-interface 2

[CE1-Vlan-interface2] ip address 10.1.1.2 24

[CE1-Vlan-interface2] isis enable 2

[CE1-Vlan-interface2] mpls enable

[CE1-Vlan-interface2] mpls ldp enable

[CE1-Vlan-interface2] quit

An LDP session and an IS-IS neighbor relationship can be established between PE 3 and CE 1.

# Configure PE 4 and CE 2 in the same way that PE 3 and CE 1 are configured. (Details not shown.)

3. Connect CE 1 and CE 2 to service provider PEs:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 200:1

[PE1-vpn-instance-vpn1] vpn-target 1:1

[PE1-vpn-instance-vpn1] quit

[PE1] interface vlan-interface1

[PE1-Vlan-interface1] ip binding vpn-instance vpn1

[PE1-Vlan-interface1] ip address 11.1.1.2 24

[PE1-Vlan-interface1] mpls enable

[PE1-Vlan-interface1] quit

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] peer 11.1.1.1 as-number 200

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Configure CE 1.

[CE1] interface vlan-interface 1

[CE1-Vlan-interface1] ip address 11.1.1.1 24

[CE1-Vlan-interface1] mpls enable

[CE1-Vlan-interface1] quit

[CE1] bgp 200

[CE1-bgp] peer 11.1.1.2 as-number 100

[CE1-bgp] quit

# Configure PE 2 and CE 2 in the same way that PE 1 and CE 1 are configured. (Details not shown.)

4. Connect sub-VPN CEs to the customer VPN PEs:

# Configure CE 3.

<CE3> system-view

[CE3] interface vlan-interface 1

[CE3-Vlan-interface1] ip address 100.1.1.1 24

[CE3-Vlan-interface1] quit

[CE3] bgp 65410

[CE3-bgp] peer 100.1.1.2 as-number 200

[CE3-bgp] address-family ipv4 unicast

[CE3-bgp-ipv4] peer 100.1.1.2 enable

[CE3-bgp-ipv4] import-route direct

[CE3-bgp-ipv4] quit

[CE3-bgp] quit

# Configure CE 5.

<CE5> system-view

[CE5] interface vlan-interface 3

[CE5-Vlan-interface3] ip address 110.1.1.1 24

[CE5-Vlan-interface3] quit

[CE5] bgp 65411

[CE5-bgp] peer 110.1.1.2 as-number 200

[CE5-bgp] address-family ipv4 unicast

[CE5-bgp-ipv4] peer 110.1.1.2 enable

[CE5-bgp-ipv4] import-route direct

[CE5-bgp-ipv4] quit

[CE5-bgp] quit

# Configure PE 3.

[PE3] ip vpn-instance SUB_VPN1

[PE3-vpn-instance-SUB_VPN1] route-distinguisher 100:1

[PE3-vpn-instance-SUB_VPN1] vpn-target 2:1

[PE3-vpn-instance-SUB_VPN1] quit

[PE3] interface vlan-interface 1

[PE3-Vlan-interface1] ip binding vpn-instance SUB_VPN1

[PE3-Vlan-interface1] ip address 100.1.1.2 24

[PE3-Vlan-interface1] quit

[PE3] ip vpn-instance SUB_VPN2

[PE3-vpn-instance-SUB_VPN2] route-distinguisher 101:1

[PE3-vpn-instance-SUB_VPN2] vpn-target 2:2

[PE3-vpn-instance-SUB_VPN2] quit

[PE3] interface vlan-interface 3

[PE3-Vlan-interface3] ip binding vpn-instance SUB_VPN2

[PE3-Vlan-interface3] ip address 110.1.1.2 24

[PE3-Vlan-interface3] quit

[PE3] bgp 200

[PE3-bgp] ip vpn-instance SUB_VPN1

[PE3-bgp-SUB_VPN1] peer 100.1.1.1 as-number 65410

[PE3-bgp-SUB_VPN1] address-family ipv4 unicast

[PE3-bgp-ipv4-SUB_VPN1] peer 100.1.1.1 enable

[PE3-bgp-ipv4-SUB_VPN1] import-route direct

[PE3-bgp-ipv4-SUB_VPN1] quit

[PE3-bgp-SUB_VPN1] quit

[PE3-bgp] ip vpn-instance SUB_VPN2

[PE3-bgp-SUB_VPN2] peer 100.1.1.1 as-number 65411

[PE3-bgp-SUB_VPN2] address-family ipv4 unicast

[PE3-bgp-ipv4-SUB_VPN2] peer 110.1.1.1 enable

[PE3-bgp-ipv4-SUB_VPN2] import-route direct

[PE3-bgp-ipv4-SUB_VPN2] quit

[PE3-bgp-SUB_VPN2] quit

[PE3-bgp] quit

# Configure PE 4, CE 4, and CE 6 in the same way that PE 3, CE 3, and CE 5 are configured. (Details not shown.)

5. Establish MP-EBGP peer relationships between service provider PEs and their CEs to exchange user VPNv4 routes:

# On PE 1, enable nested VPN and VPNv4 route exchange with CE 1.

[PE1] bgp 100

[PE1-bgp] address-family vpnv4

[PE1-bgp-vpnv4] nesting-vpn

[PE1-bgp-vpnv4] quit

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] address-family vpnv4

[PE1-bgp-vpnv4-vpn1] peer 11.1.1.1 enable

[PE1-bgp-vpnv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Enable CE 1 to exchange VPNv4 routes with PE 1.

[CE1] bgp 200

[CE1-bgp] address-family vpnv4

[CE1-bgp-vpnv4] peer 11.1.1.2 enable

# Allow the local AS number to appear in the AS-PATH attribute of the routes received.

[CE1-bgp-vpnv4] peer 11.1.1.2 allow-as-loop 2

# Disable route target based filtering of received VPNv4 routes.

[CE1-bgp-vpnv4] undo policy vpn-target

[CE1-bgp-vpnv4] quit

[CE1-bgp] quit

# Configure PE 2 and CE 2 in the same way that PE 1 and CE 1 are configured. (Details not shown.)

6. Establish MP-IBGP peer relationships between sub-VPN PEs and CEs of the customer VPN to exchange VPNv4 routes of sub-VPNs:

# Configure PE 3.

[PE3] bgp 200

[PE3-bgp] peer 2.2.2.9 as-number 200

[PE3-bgp] peer 2.2.2.9 connect-interface loopback 0

[PE3-bgp] address-family vpnv4

[PE3-bgp-vpnv4] peer 2.2.2.9 enable

# Allow the local AS number to appear in the AS-PATH attribute of the routes received.

[PE3-bgp-vpnv4] peer 2.2.2.9 allow-as-loop 2

[PE3-bgp-vpnv4] quit

[PE3-bgp] quit

# Configure CE 1.

[CE1] bgp 200

[CE1-bgp] peer 1.1.1.9 as-number 200

[CE1-bgp] peer 1.1.1.9 connect-interface loopback 0

[CE1-bgp] address-family vpnv4

[CE1-bgp-vpnv4] peer 1.1.1.9 enable

[CE1-bgp-vpnv4] undo policy vpn-target

[CE1-bgp-vpnv4] quit

[CE1-bgp] quit

# Configure PE 4 and CE 2 in the same way that PE 3 and CE 1 are configured. (Details not shown.)

Verifying the configuration

1. Display the public routing table and VPN routing table on the provider PEs, for example, on PE 1:

# Verify that the public routing table contains only routes on the service provider network.

[PE1] display ip routing-table

Destinations : 15 Routes : 15

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

3.3.3.9/32 Direct 0 0 127.0.0.1 InLoop0

4.4.4.9/32 ISIS 15 10 30.1.1.2 Vlan2

30.1.1.0/24 Direct 0 0 30.1.1.1 Vlan2

30.1.1.0/32 Direct 0 0 30.1.1.1 Vlan2

30.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

30.1.1.255/32 Direct 0 0 30.1.1.1 Vlan2

30.1.1.2/32 Direct 0 0 30.1.1.2 Vlan2

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that the VPN routing table contains sub-VPN routes.

[PE1] display ip routing-table vpn-instance vpn1

Destinations : 17 Routes : 17

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.0/24 Direct 0 0 11.1.1.1 Vlan1

11.1.1.0/32 Direct 0 0 11.1.1.1 Vlan1

11.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.255/32 Direct 0 0 11.1.1.1 Vlan1

11.1.1.2/32 Direct 0 0 11.1.1.2 Vlan1

100.1.1.0/24 BGP 255 0 11.1.1.1 NULL0

110.1.1.0/24 BGP 255 0 11.1.1.1 NULL0

120.1.1.0/24 BGP 255 0 4.4.4.9 NULL0

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

130.1.1.0/24 BGP 255 0 4.4.4.9 NULL0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

2. Display the VPNv4 routing table on the provider CEs, for example, on CE 1.

# Verify that the VPNv4 routing table on the customer VPN contains internal sub-VPN routes.

[CE1] display bgp routing-table vpnv4

BGP Local router ID is 11.11.11.11

Status codes: * - valid, > - best, d - damped, h - history,

s - suppressed, S - Stale, i - internal, e - external

Origin: i - IGP, e - EGP, ? - incomplete

Total number of routes from all PEs: 4

Route Distinguisher: 100:1

Total number of routes: 1

Network NextHop MED LocPrf PrefVal Path/Ogn

* > 100.1.1.0/24 1.1.1.9 0 200 65410?

Route Distinguisher: 101:1

Total number of routes: 1

Network NextHop MED LocPrf PrefVal Path/Ogn

* > 110.1.1.0/24 1.1.1.9 0 200 65411?

Route Distinguisher: 200:1

Total number of routes: 1

Network NextHop MED LocPrf PrefVal Path/Ogn

* > 120.1.1.0/24 11.1.1.2 0 100 200

65420?

Route Distinguisher: 201:1

Total number of routes: 1

Network NextHop MED LocPrf PrefVal Path/Ogn

* > 130.1.1.0/24 11.1.1.2 0 100 200

65421?

3. Display the VPN routing table on the customer PEs, for example, on PE 3:

# Verify that the VPN routing table contains routes sent by the provider PE to the sub-VPN.

[PE3] display ip routing-table vpn-instance SUB_VPN1

Destinations : 11 Routes : 11

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.0/24 Direct 0 0 100.1.1.2 Vlan1

100.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

120.1.1.0/24 BGP 255 0 2.2.2.9 NULL0

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

4. Display the routing table on the CEs of sub-VPNs in the customer VPN, for example, on CE 3 and CE 5:

# Verify that the routing table contains the route to the remote sub-VPN on CE 3.

[CE3] display ip routing-table

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.0/24 Direct 0 0 100.1.1.1 Vlan1

100.1.1.0/32 Direct 0 0 100.1.1.1 Vlan1

100.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.255/32 Direct 0 0 100.1.1.1 Vlan1

120.1.1.0/24 BGP 255 0 100.1.1.2 Vlan1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that the routing table contains the route to the remote sub-VPN on CE 5.

[CE5] display ip routing-table

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

110.1.1.0/24 Direct 0 0 110.1.1.1 Vlan1

110.1.1.0/32 Direct 0 0 110.1.1.1 Vlan1

110.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

110.1.1.255/32 Direct 0 0 110.1.1.1 Vlan1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

130.1.1.0/24 BGP 255 0 110.1.1.2 Vlan1

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

5. Verify that CE 3 and CE 4 can ping each other. (Details not shown.)

6. Verify that CE5 and CE 6 can ping each other. Details not shown.)

7. Verify that CE 3 and CE 6 cannot ping each other. Details not shown.)

Configuring HoVPN

Network requirements

There are two levels of networks, the backbone and the MPLS VPN networks, as shown in Figure 27.

· SPEs act as PEs to allow MPLS VPNs to access the backbone.

· UPEs act as PEs of the MPLS VPNs to allow end users to access the VPNs.

· Performance requirements for the UPEs are lower than those for the SPEs.

· SPEs advertise routes permitted by the routing policies to UPEs, permitting CE 1 and CE 3 in VPN 1 to communicate with each other, and forbidding CE 2 and CE 4 in VPN 2 from communicating with each other.

Figure 27 Network diagram

Table 8 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Vlan-int12	10.2.1.1/24	CE 3	Vlan-int12	10.1.1.1/24
CE 2	Vlan-int13	10.4.1.1/24	CE 4	Vlan-int13	10.3.1.1/24
UPE 1	Loop0	1.1.1.9/32	UPE 2	Loop0	4.4.4.9/32
	Vlan-int11	172.1.1.1/24		Vlan-int11	172.2.1.1/24
	Vlan-int12	10.2.1.2/24		Vlan-int12	10.1.1.2/24
	Vlan-int13	10.4.1.2/24		Vlan-int13	10.3.1.2/24
SPE 1	Loop0	2.2.2.9/32	SPE 2	Loop0	3.3.3.9/32
	Vlan-int11	172.1.1.2/24		Vlan-int11	172.2.1.2/24
	Vlan-int12	180.1.1.1/24		Vlan-int12	180.1.1.2/24

Configuration procedure

1. Configure UPE 1:

# Configure basic MPLS and MPLS LDP to establish LDP LSPs.

<UPE1> system-view

[UPE1] interface loopback 0

[UPE1-LoopBack0] ip address 1.1.1.9 32

[UPE1-LoopBack0] quit

[UPE1] mpls lsr-id 1.1.1.9

[UPE1] mpls ldp

[UPE1-ldp] quit

[UPE1] interface vlan-interface 11

[UPE1-Vlan-interface11] ip address 172.1.1.1 24

[UPE1-Vlan-interface11] mpls enable

[UPE1-Vlan-interface11] mpls ldp enable

[UPE1-Vlan-interface11] quit

# Configure the IGP protocol (OSPF, in this example).

[UPE1] ospf

[UPE1-ospf-1] area 0

[UPE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[UPE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[UPE1-ospf-1-area-0.0.0.0] quit

[UPE1-ospf-1] quit

# Configure VPN instances vpn1 and vpn2, allowing CE 1 and CE 2 to access UPE 1.

[UPE1] ip vpn-instance vpn1

[UPE1-vpn-instance-vpn1] route-distinguisher 100:1

[UPE1-vpn-instance-vpn1] vpn-target 100:1 both

[UPE1-vpn-instance-vpn1] quit

[UPE1] ip vpn-instance vpn2

[UPE1-vpn-instance-vpn2] route-distinguisher 100:2

[UPE1-vpn-instance-vpn2] vpn-target 100:2 both

[UPE1-vpn-instance-vpn2] quit

[UPE1] interface vlan-interface 12

[UPE1-Vlan-interface12] ip binding vpn-instance vpn1

[UPE1-Vlan-interface12] ip address 10.2.1.2 24

[UPE1-Vlan-interface12] quit

[UPE1] interface vlan-interface 13

[UPE1-Vlan-interface13] ip binding vpn-instance vpn2

[UPE1-Vlan-interface13] ip address 10.4.1.2 24

[UPE1-Vlan-interface13] quit

# Establish an MP-IBGP peer relationship with SPE 1.

[UPE1] bgp 100

[UPE1-bgp] peer 2.2.2.9 as-number 100

[UPE1-bgp] peer 2.2.2.9 connect-interface loopback 0

[UPE1-bgp] address-family vpnv4

[UPE1-bgp-vpnv4] peer 2.2.2.9 enable

[UPE1-bgp-vpnv4] quit

# Establish an EBGP peer relationship with CE 1 and redistribute VPN routes into BGP.

[UPE1-bgp] ip vpn-instance vpn1

[UPE1-bgp-vpn1] peer 10.2.1.1 as-number 65410

[UPE1-bgp-vpn1] address-family ipv4 unicast

[UPE1-bgp-ipv4-vpn1] peer 10.2.1.1 enable

[UPE1-bgp-ipv4-vpn1] import-route direct

[UPE1-bgp-ipv4-vpn1] quit

[UPE1-bgp-vpn1] quit

# Establish an EBGP peer relationship with CE 2 and redistribute VPN routes into BGP.

[UPE1-bgp] ip vpn-instance vpn2

[UPE1-bgp-vpn2] peer 10.4.1.1 as-number 65420

[UPE1-bgp-vpn2] address-family ipv4 unicast

[UPE1-bgp-ipv4-vpn2] peer 10.4.1.1 enable

[UPE1-bgp-ipv4-vpn2] import-route direct

[UPE1-bgp-ipv4-vpn2] quit

[UPE1-bgp-vpn2] quit

[UPE1-bgp] quit

2. Configure CE 1.

<CE1> system-view

[CE1] interface vlan-interface 12

[CE1-Vlan-interface12] ip address 10.2.1.1 255.255.255.0

[CE1-Vlan-interface12] quit

[CE1] bgp 65410

[CE1-bgp] peer 10.2.1.2 as-number 100

[CE1-bgp] address-family ipv4 unicast

[CE1-bgp-ipv4] peer 10.2.1.2 enable

[CE1-bgp-ipv4] import-route direct

[CE1-bgp-ipv4] quit

[CE1-bgp] quit

3. Configure CE 2.

<CE2> system-view

[CE2] interface vlan-interface 13

[CE2-Vlan-interface13] ip address 10.4.1.1 255.255.255.0

[CE2-Vlan-interface13] quit

[CE2] bgp 65420

[CE2-bgp] peer 10.4.1.2 as-number 100

[CE2-bgp] address-family ipv4 unicast

[CE2-bgp-ipv4] peer 10.4.1.2 enable

[CE2-bgp-ipv4] import-route direct

[CE2-bgp-ipv4] quit

[CE2-bgp] quit

4. Configure UPE 2:

# Configure basic MPLS and MPLS LDP to establish LDP LSPs.

<UPE2> system-view

[UPE2] interface loopback 0

[UPE2-Loopback0] ip address 4.4.4.9 32

[UPE2-Loopback0] quit

[UPE2] mpls lsr-id 4.4.4.9

[UPE2] mpls ldp

[UPE2-ldp] quit

[UPE2] interface vlan-interface 11

[UPE2-Vlan-interface11] ip address 172.2.1.1 24

[UPE2-Vlan-interface11] mpls enable

[UPE2-Vlan-interface11] mpls ldp enable

[UPE2-Vlan-interface11] quit

# Configure the IGP protocol (OSPF, in this example).

[UPE2] ospf

[UPE2-ospf-1] area 0

[UPE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[UPE2-ospf-1-area-0.0.0.0] network 4.4.4.9 0.0.0.0

[UPE2-ospf-1-area-0.0.0.0] quit

[UPE2-ospf-1] quit

# Configure VPN instances vpn1 and vpn2, allowing CE 3 and CE 4 to access UPE 2.

[UPE2] ip vpn-instance vpn1

[UPE2-vpn-instance-vpn1] route-distinguisher 300:1

[UPE2-vpn-instance-vpn1] vpn-target 100:1 both

[UPE2-vpn-instance-vpn1] quit

[UPE2] ip vpn-instance vpn2

[UPE2-vpn-instance-vpn2] route-distinguisher 400:2

[UPE2-vpn-instance-vpn2] vpn-target 100:2 both

[UPE2-vpn-instance-vpn2] quit

[UPE2] interface vlan-interface 12

[UPE2-Vlan-interface12] ip binding vpn-instance vpn1

[UPE2-Vlan-interface12] ip address 10.1.1.2 24

[UPE2-Vlan-interface12] quit

[UPE2] interface vlan-interface 13

[UPE2-Vlan-interface13] ip binding vpn-instance vpn2

[UPE2-Vlan-interface13] ip address 10.3.1.2 24

[UPE2-Vlan-interface13] quit

# Establish an MP-IBGP peer relationship with SPE 2.

[UPE2] bgp 100

[UPE2-bgp] peer 3.3.3.9 as-number 100

[UPE2-bgp] peer 3.3.3.9 connect-interface loopback 0

[UPE2-bgp] address-family vpnv4

[UPE2-bgp-vpnv4] peer 3.3.3.9 enable

[UPE2-bgp-vpnv4] quit

# Establish an EBGP peer relationship with CE 3 and redistribute VPN routes.

[UPE2-bgp] ip vpn-instance vpn1

[UPE2-bgp-vpn1] peer 10.1.1.1 as-number 65430

[UPE2-bgp-vpn1] address-family ipv4 unicast

[UPE2-bgp-ipv4-vpn1] peer 10.1.1.1 enable

[UPE2-bgp-ipv4-vpn1] import-route direct

[UPE2-bgp-ipv4-vpn1] quit

[UPE2-bgp-vpn1] quit

# Establish an EBGP peer relationship with CE 4 and redistribute VPN routes into BGP.

[UPE2-bgp] ip vpn-instance vpn2

[UPE2-bgp-vpn2] peer 10.3.1.1 as-number 65440

[UPE2-bgp-vpn2] address-family ipv4 unicast

[UPE2-bgp-ipv4-vpn2] peer 10.3.1.1 enable

[UPE2-bgp-ipv4-vpn2] import-route direct

[UPE2-bgp-ipv4-vpn2] quit

[UPE2-bgp-vpn2] quit

[UPE2-bgp] quit

5. Configure CE 3.

<CE3> system-view

[CE3] interface vlan-interface 12

[CE3-Vlan-interface12] ip address 10.1.1.1 255.255.255.0

[CE3-Vlan-interface12] quit

[CE3] bgp 65430

[CE3-bgp] peer 10.1.1.2 as-number 100

[CE3-bgp] address-family ipv4 unicast

[CE3-bgp-ipv4] peer 10.1.1.2 enable

[CE3-bgp-ipv4] import-route direct

[CE3-bgp-ipv4] quit

[CE3-bgp] quit

6. Configure CE 4.

<CE4> system-view

[CE4] interface vlan-interface 13

[CE4-Vlan-interface13] ip address 10.3.1.1 255.255.255.0

[CE4-Vlan-interface13] quit

[CE4] bgp 65440

[CE4-bgp] peer 10.3.1.2 as-number 100

[CE4-bgp] address-family ipv4 unicast

[CE4-bgp-ipv4] peer 10.3.1.2 enable

[CE4-bgp-ipv4] import-route direct

[CE4-bgp-ipv4] quit

[CE4-bgp] quit

7. Configure SPE 1:

# Configure basic MPLS and MPLS LDP to establish LDP LSPs.

<SPE1> system-view

[SPE1] interface loopback 0

[SPE1-LoopBack0] ip address 2.2.2.9 32

[SPE1-LoopBack0] quit

[SPE1] mpls lsr-id 2.2.2.9

[SPE1] mpls ldp

[SPE1-ldp] quit

[SPE1] interface vlan-interface 11

[SPE1-Vlan-interface11] ip address 172.1.1.2 24

[SPE1-Vlan-interface11] mpls enable

[SPE1-Vlan-interface11] mpls ldp enable

[SPE1-Vlan-interface11] quit

[SPE1] interface vlan-interface 12

[SPE1-Vlan-interface12] ip address 180.1.1.1 24

[SPE1-Vlan-interface12] mpls enable

[SPE1-Vlan-interface12] mpls ldp enable

[SPE1-Vlan-interface12] quit

# Configure the IGP protocol (OSPF, in this example).

[SPE1] ospf

[SPE1-ospf-1] area 0

[SPE1-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[SPE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[SPE1-ospf-1-area-0.0.0.0] network 180.1.1.0 0.0.0.255

[SPE1-ospf-1-area-0.0.0.0] quit

[SPE1-ospf-1] quit

# Configure VPN instances vpn1 and vpn2.

[SPE1] ip vpn-instance vpn1

[SPE1-vpn-instance-vpn1] route-distinguisher 500:1

[SPE1-vpn-instance-vpn1] vpn-target 100:1 both

[SPE1-vpn-instance-vpn1] quit

[SPE1] ip vpn-instance vpn2

[SPE1-vpn-instance-vpn2] route-distinguisher 700:1

[SPE1-vpn-instance-vpn2] vpn-target 100:2 both

[SPE1-vpn-instance-vpn2] quit

# Establish an MP-IBGP peer relationship with UPE 1 and redistribute VPN routes.

[SPE1] bgp 100

[SPE1-bgp] peer 1.1.1.9 as-number 100

[SPE1-bgp] peer 1.1.1.9 connect-interface loopback 0

[SPE1-bgp] peer 3.3.3.9 as-number 100

[SPE1-bgp] peer 3.3.3.9 connect-interface loopback 0

[SPE1-bgp] address-family vpnv4

[SPE1-bgp-vpnv4] peer 3.3.3.9 enable

[SPE1-bgp-vpnv4] peer 1.1.1.9 enable

[SPE1-bgp-vpnv4] peer 1.1.1.9 upe

[SPE1-bgp-vpnv4] peer 1.1.1.9 next-hop-local

[SPE1-bgp-vpnv4] quit

[SPE1-bgp] ip vpn-instance vpn1

[SPE1-bgp-vpn1] quit

[SPE1-bgp] ip vpn-instance vpn2

[SPE1-bgp-vpn2] quit

[SPE1-bgp] quit

# Advertise to UPE 1 the routes permitted by a routing policy (the routes of CE 3).

[SPE1] ip prefix-list hope index 10 permit 10.1.1.1 24

[SPE1] route-policy hope permit node 0

[SPE1-route-policy-hope-0] if-match ip address prefix-list hope

[SPE1-route-policy-hope-0] quit

[SPE1] bgp 100

[SPE1-bgp] address-family vpnv4

[SPE1-bgp-vpnv4] peer 1.1.1.9 upe route-policy hope export

8. Configure SPE 2:

# Configure basic MPLS and MPLS LDP to establish LDP LSPs.

<SPE2> system-view

[SPE2] interface loopback 0

[SPE2-LoopBack0] ip address 3.3.3.9 32

[SPE2-LoopBack0] quit

[SPE2] mpls lsr-id 3.3.3.9

[SPE2] mpls ldp

[SPE2-ldp] quit

[SPE2] interface vlan-interface 12

[SPE2-Vlan-interface12] ip address 180.1.1.2 24

[SPE2-Vlan-interface12] mpls enable

[SPE2-Vlan-interface12] mpls ldp enable

[SPE2-Vlan-interface12] quit

[SPE2] interface vlan-interface 11

[SPE2-Vlan-interface11] ip address 172.2.1.2 24

[SPE2-Vlan-interface11] mpls enable

[SPE2-Vlan-interface11] mpls ldp enable

[SPE2-Vlan-interface11] quit

# Configure the IGP protocol (OSPF, in this example).

[SPE2] ospf

[SPE2-ospf-1] area 0

[SPE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[SPE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[SPE2-ospf-1-area-0.0.0.0] network 180.1.1.0 0.0.0.255

[SPE2-ospf-1-area-0.0.0.0] quit

[SPE2-ospf-1] quit

# Configure VPN instances vpn1 and vpn2.

[SPE2] ip vpn-instance vpn1

[SPE2-vpn-instance-vpn1] route-distinguisher 600:1

[SPE2-vpn-instance-vpn1] vpn-target 100:1 both

[SPE2-vpn-instance-vpn1] quit

[SPE2] ip vpn-instance vpn2

[SPE2-vpn-instance-vpn2] route-distinguisher 800:1

[SPE2-vpn-instance-vpn2] vpn-target 100:2 both

[SPE2-vpn-instance-vpn2] quit

# Establish an MP-IBGP peer relationship with UPE 2 and redistribute VPN routes into BGP.

[SPE2] bgp 100

[SPE2-bgp] peer 4.4.4.9 as-number 100

[SPE2-bgp] peer 4.4.4.9 connect-interface loopback 0

[SPE2-bgp] peer 2.2.2.9 as-number 100

[SPE2-bgp] peer 2.2.2.9 connect-interface loopback 0

[SPE2-bgp] address-family vpnv4

[SPE2-bgp-vpnv4] peer 2.2.2.9 enable

[SPE2-bgp-vpnv4] peer 4.4.4.9 enable

[SPE2-bgp-vpnv4] peer 4.4.4.9 upe

[SPE2-bgp-vpnv4] peer 4.4.4.9 next-hop-local

[SPE2-bgp-vpnv4] quit

[SPE2-bgp] ip vpn-instance vpn1

[SPE2-bgp-vpn1] quit

[SPE2-bgp] ip vpn-instance vpn2

[SPE2-bgp-vpn2] quit

[SPE2-bgp] quit

# Advertise to UPE 2 the routes permitted by a routing policy (the routes of CE 1).

[SPE2] ip prefix-list hope index 10 permit 10.2.1.1 24

[SPE2] route-policy hope permit node 0

[SPE2-route-policy-hope-0] if-match ip address prefix-list hope

[SPE2-route-policy-hope-0] quit

[SPE2] bgp 100

[SPE2-bgp] address-family vpnv4

[SPE2-bgp-vpnv4] peer 4.4.4.9 upe route-policy hope export

Verifying the configuration

# Verify that CE 1 and CE3 can learn each other's interface routes and can ping each other. CE 2 and CE 4 cannot learn each other's interface routes and cannot ping each other. (Details not shown.)

Configuring an OSPF sham link

Network requirements

As shown in Figure 28, CE 1 and CE 2 belong to VPN 1. Configure an OSPF sham link between PE 1 and PE 2 so traffic between CE 1 and CE 2 is forwarded through the MPLS backbone, instead of the backdoor link.

Figure 28 Network diagram

Table 9 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Vlan-int11	100.1.1.1/24	CE 2	Vlan-int11	120.1.1.1/24
	Vlan-int13	20.1.1.1/24		Vlan-int12	30.1.1.2/24
PE 1	Loop0	1.1.1.9/32	PE 2	Loop0	2.2.2.9/32
	Loop1	3.3.3.3/32		Loop1	5.5.5.5/32
	Vlan-int11	100.1.1.2/24		Vlan-int11	120.1.1.2/24
	Vlan-int12	10.1.1.1/24		Vlan-int12	10.1.1.2/24
Switch A	Vlan-int11	20.1.1.2/24
	Vlan-int12	30.1.1.1/24

Configuration procedure

Before configuration, disable the spanning tree feature globally or map each VLAN to an MSTI.

1. Configure OSPF on the customer networks:

Configure conventional OSPF on CE 1, Switch A, and CE 2 to advertise subnet addresses of the interfaces as shown in Figure 28. Execute the display ip routing-table command to verify that CE 1 and CE 2 have learned the route to each other. (Details not shown.)

2. Configure MPLS L3VPN on the backbone:

# Configure basic MPLS and MPLS LDP on PE 1 to establish LDP LSPs.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 1.1.1.9 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip address 10.1.1.1 24

[PE1-Vlan-interface12] mpls enable

[PE1-Vlan-interface12] mpls ldp enable

[PE1-Vlan-interface12] quit

# Configure PE 1 to take PE 2 as an MP-IBGP peer.

[PE1] bgp 100

[PE1-bgp] peer 2.2.2.9 as-number 100

[PE1-bgp] peer 2.2.2.9 connect-interface loopback 0

[PE1-bgp] address-family vpnv4

[PE1-bgp-vpnv4] peer 2.2.2.9 enable

[PE1-bgp-vpnv4] quit

[PE1-bgp] quit

# Configure OSPF on PE 1.

[PE1]ospf 1

[PE1-ospf-1]area 0

[PE1-ospf-1-area-0.0.0.0]network 1.1.1.9 0.0.0.0

[PE1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0]quit

[PE1-ospf-1]quit

# Configure basic MPLS and MPLS LDP on PE 2 to establish LDP LSPs.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 2.2.2.9 32

[PE2-LoopBack0] quit

[PE2] mpls lsr-id 2.2.2.9

[PE2] mpls ldp

[PE2-ldp] quit

[PE2] interface vlan-interface 12

[PE2-Vlan-interface12] ip address 10.1.1.2 24

[PE2-Vlan-interface12] mpls enable

[PE2-Vlan-interface12] mpls ldp enable

[PE2-Vlan-interface12] quit

# Configure PE 2 to take PE 1 as an MP-IBGP peer.

[PE2] bgp 100

[PE2-bgp] peer 1.1.1.9 as-number 100

[PE2-bgp] peer 1.1.1.9 connect-interface loopback 0

[PE2-bgp] address-family vpnv4

[PE2-bgp-vpnv4] peer 1.1.1.9 enable

[PE2-bgp-vpnv4] quit

[PE2-bgp] quit

# Configure OSPF on PE 2.

[PE2]ospf 1

[PE2-ospf-1]area 0

[PE2-ospf-1-area-0.0.0.0]network 2.2.2.9 0.0.0.0

[PE2-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0]quit

[PE2-ospf-1]quit

3. Configure PEs to allow CE access:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 1:1

[PE1-vpn-instance-vpn1] quit

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] ip binding vpn-instance vpn1

[PE1-Vlan-interface11] ip address 100.1.1.2 24

[PE1-Vlan-interface11] quit

[PE1] ospf 100 vpn-instance vpn1

[PE1-ospf-100] domain-id 10

[PE1-ospf-100] area 1

[PE1-ospf-100-area-0.0.0.1] network 100.1.1.0 0.0.0.255

[PE1-ospf-100-area-0.0.0.1] quit

[PE1-ospf-100] quit

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] address-family ipv4 unicast

[PE1-bgp-ipv4-vpn1] import-route ospf 100

[PE1-bgp-ipv4-vpn1] import-route direct

[PE1-bgp-ipv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 100:2

[PE2-vpn-instance-vpn1] vpn-target 1:1

[PE2-vpn-instance-vpn1] quit

[PE2] interface vlan-interface 11

[PE2-Vlan-interface11] ip binding vpn-instance vpn1

[PE2-Vlan-interface11] ip address 120.1.1.2 24

[PE2-Vlan-interface11] quit

[PE2] ospf 100 vpn-instance vpn1

[PE2-ospf-100] domain-id 10

[PE2-ospf-100] area 1

[PE2-ospf-100-area-0.0.0.1] network 120.1.1.0 0.0.0.255

[PE2-ospf-100-area-0.0.0.1] quit

[PE2-ospf-100] quit

[PE2] bgp 100

[PE2-bgp] ip vpn-instance vpn1

[PE2-bgp-vpn1] address-family ipv4 unicast

[PE2-bgp-ipv4-vpn1] import-route ospf 100

[PE2-bgp-ipv4-vpn1] import-route direct

[PE2-bgp-ipv4-vpn1] quit

[PE2-bgp-vpn1] quit

[PE2-bgp] quit

# Execute the display ip routing-table vpn-instance command on the PEs to verify that the path to the peer CE is along the OSPF route across the customer networks, instead of the BGP route across the backbone. (Details not shown.)

4. Configure a sham link:

# Configure PE 1.

[PE1] interface loopback 1

[PE1-LoopBack1] ip binding vpn-instance vpn1

[PE1-LoopBack1] ip address 3.3.3.3 32

[PE1-LoopBack1] quit

[PE1] ospf 100

[PE1-ospf-100] area 1

[PE1-ospf-100-area-0.0.0.1] sham-link 3.3.3.3 5.5.5.5 cost 10

[PE1-ospf-100-area-0.0.0.1] quit

[PE1-ospf-100] quit

# Configure PE 2.

[PE2] interface loopback 1

[PE2-LoopBack1] ip binding vpn-instance vpn1

[PE2-LoopBack1] ip address 5.5.5.5 32

[PE2-LoopBack1] quit

[PE2] ospf 100

[PE2-ospf-100] area 1

[PE2-ospf-100-area-0.0.0.1] sham-link 5.5.5.5 3.3.3.3 cost 10

[PE2-ospf-100-area-0.0.0.1] quit

[PE2-ospf-100] quit

Verifying the configuration

# Execute the display ip routing-table vpn-instance command on the PEs to verify the following results: (Details not shown.)

· The path to the peer CE is now along the BGP route across the backbone.

· A route to the sham link destination address exists.

# Execute the display ip routing-table command on the CEs to verify that the next hop of the OSPF route to the peer CE is the VLAN interface 11 connected to the PE. The VPN traffic to the peer is forwarded over the backbone. (Details not shown.)

# Verify that a sham link has been established on PEs, for example, on PE 1.

[PE1] display ospf sham-link

OSPF Process 100 with Router ID 100.1.1.2

Sham link

Area Neighbor ID Source IP Destination IP State Cost

0.0.0.1 120.1.1.2 3.3.3.3 5.5.5.5 P-2-P 10

# Verify that the peer state is Full on PE 1.

[PE1] display ospf sham-link area 1

OSPF Process 100 with Router ID 100.1.1.2

Sham-Link: 3.3.3.3 --> 5.5.5.5

Neighbor ID: 120.1.1.2 State: Full

Area: 0.0.0.1

Cost: 10 State: P-2-P Type: Sham

Timers: Hello 10s, Dead 40s, Retransmit 5s, Transmit Delay 1s

Request list: 0 Retransmit list: 0

Configuring MCE that uses OSPF to advertise VPN routes to the PE

Network requirements

As shown in Figure 29, the MCE device is connected to VPN 1 through VLAN-interface 10 and is connected with VPN 2 through VLAN-interface 20. OSPF runs in VPN 2.

Configure the MCE device to separate routes from different VPNs and to advertise the VPN routes to PE 1 through OSPF.

Figure 29 Network diagram

Configuration procedure

Assume that the system name of the MCE device is MCE, the system names of the edge devices of VPN 1 and VPN 2 are VR1 and VR2, respectively, and the system name of PE 1 is PE1.

1. Configure the VPN instances on the MCE and PE 1:

# On the MCE, configure VPN instances vpn1 and vpn2, and specify an RD and route targets for each VPN instance.

<MCE> system-view

[MCE] ip vpn-instance vpn1

[MCE-vpn-instance-vpn1] route-distinguisher 10:1

[MCE-vpn-instance-vpn1] vpn-target 10:1

[MCE-vpn-instance-vpn1] quit

[MCE] ip vpn-instance vpn2

[MCE-vpn-instance-vpn2] route-distinguisher 20:1

[MCE-vpn-instance-vpn2] vpn-target 20:1

[MCE-vpn-instance-vpn2] quit

# Create VLAN 10, add port GigabitEthernet 3/0/1 to VLAN 10, and create VLAN-interface 10.

[MCE] vlan 10

[MCE-vlan10] port GigabitEthernet 3/0/1

[MCE-vlan10] quit

[MCE] interface vlan-interface 10

# Bind VLAN-interface 10 to VPN instance vpn1 and configure an IP address for VLAN-interface 10.

[MCE-Vlan-interface10] ip binding vpn-instance vpn1

[MCE-Vlan-interface10] ip address 10.214.10.3 24

# Configure VLAN 20, add port GigabitEthernet 3/0/2 to VLAN 20.

[MCE-Vlan-interface10] quit

[MCE] vlan 20

[MCE-vlan20] port GigabitEthernet 3/0/2

[MCE-vlan20] quit

# Bind VLAN-interface 20 to VPN instance vpn2.

[MCE] interface vlan-interface 20

[MCE-Vlan-interface20] ip binding vpn-instance vpn2

# Specify an IP address for VLAN-interface 20.

[MCE-Vlan-interface20] ip address 10.214.20.3 24

[MCE-Vlan-interface20] quit

# On PE 1, configure VPN instances vpn1 and vpn2, and specify an RD and route targets for each VPN instance.

<PE1> system-view

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 30:1

[PE1-vpn-instance-vpn1] vpn-target 10:1

[PE1-vpn-instance-vpn1] quit

[PE1] ip vpn-instance vpn2

[PE1-vpn-instance-vpn2] route-distinguisher 40:1

[PE1-vpn-instance-vpn2] vpn-target 20:1

[PE1-vpn-instance-vpn2] quit

2. Configure routing between the MCE and VPN sites:

The MCE is connected to VPN 1 directly, and no routing protocol is enabled in VPN 1. Therefore, you can configure static routes.

# On VR 1, assign IP address 10.214.10.2/24 to the interface connected to MCE and 192.168.0.1/24 to the interface connected to VPN 1. Add ports to VLANs correctly. (Details not shown.)

# On VR 1, configure a default route with the next hop being 10.214.10.3.

<VR1> system-view

[VR1] ip route-static 0.0.0.0 0.0.0.0 10.214.10.3

# On the MCE, configure a static route to 192.168.0.0/24 with the next hop 10.214.10.2. Bind the static route to VPN instance vpn1.

[MCE] ip route-static vpn-instance vpn1 192.168.0.0 24 10.214.10.2

# On the MCE, display the routing information maintained for VPN instance vpn1.

[MCE] display ip routing-table vpn-instance vpn1

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.214.10.0/24 Direct 0 0 10.214.10.3 Vlan10

10.214.10.0/32 Direct 0 0 10.214.10.3 Vlan10

10.214.10.3/32 Direct 0 0 127.0.0.1 InLoop0

10.214.10.255/32 Direct 0 0 10.214.10.3 Vlan10

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

192.168.0.0/24 Static 60 0 10.214.10.2 Vlan10

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

The output shows that the MCE has a static route for VPN instance vpn1.

# Run OSPF in VPN 2. Create OSPF process 20 and bind it to VPN instance vpn2 on the MCE, so that the MCE can learn the routes of VPN 2 and add them to the routing table of the VPN instance vpn2.

[MCE] ospf 2 vpn-instance vpn2

# Advertise subnet 10.214.20.0.

[MCE-ospf-2] area 0

[MCE-ospf-2-area-0.0.0.0] network 10.214.20.0 0.0.0.255

[MCE-ospf-2-area-0.0.0.0] quit

[MCE-ospf-2] quit

# On VR 2, assign IP address 10.214.20.2/24 to the interface connected to MCE and 192.168.10.1/24 to the interface connected to VPN 2. (Details not shown.)

# Configure OSPF process 2, and advertise subnets 192.168.10.0 and 10.214.20.0.

<VR2> system-view

[VR2] ospf 2

[VR2-ospf-2] area 0

[VR2-ospf-2-area-0.0.0.0] network 192.168.10.0 0.0.0.255

[VR2-ospf-2-area-0.0.0.0] network 10.214.20.0 0.0.0.255

[VR2-ospf-2-area-0.0.0.0] quit

[VR2-ospf-2] quit

# On the MCE, display the routing information maintained for VPN instance vpn2.

[MCE] display ip routing-table vpn-instance vpn2

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.214.20.0/24 Direct 0 0 10.214.20.3 Vlan20

10.214.20.0/32 Direct 0 0 10.214.20.3 Vlan20

10.214.20.3/32 Direct 0 0 127.0.0.1 InLoop0

10.214.20.255/32 Direct 0 0 10.214.20.3 Vlan20

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

192.168.10.0/24 OSPF 10 2 10.214.20.2 Vlan20

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

The output shows that the MCE has learned the private routes of VPN 2. The MCE maintains the routes of VPN 1 and those of VPN2 in two different routing tables. In this way, routes from different VPNs are separated.

3. Configure routing between the MCE and PE 1:

# The MCE uses port GigabitEthernet 3/0/3 to connect to PE's port GigabitEthernet 3/0/1. Configure the two ports as trunk ports, and configure them to permit packets carrying VLAN tags 30 and 40 to pass.

[MCE] interface GigabitEthernet 3/0/3

[MCE-GigabitEthernet3/0/3] port link-type trunk

[MCE-GigabitEthernet3/0/3] port trunk permit vlan 30 40

[MCE-GigabitEthernet3/0/3] quit

# Configure port GigabitEthernet 3/0/1 on the PE.

[PE1] interface GigabitEthernet 3/0/1

[PE1-GigabitEthernet3/0/1] port link-type trunk

[PE1-GigabitEthernet3/0/1] port trunk permit vlan 30 40

[PE1-GigabitEthernet3/0/1] quit

# On the MCE, create VLAN 30 and VLAN-interface 30.

[MCE] vlan 30

[MCE-vlan30] quit

[MCE] interface vlan-interface 30

# Bind the VLAN interface to VPN instance vpn1.

[MCE-Vlan-interface30] ip binding vpn-instance vpn1

# Configure an IP address for the VLAN interface.

[MCE-Vlan-interface30] ip address 30.1.1.1 24

[MCE-Vlan-interface30] quit

# On the MCE, create VLAN 40 and VLAN-interface 40.

[MCE] vlan 40

[MCE-vlan40] quit

[MCE] interface vlan-interface 40

# Bind the VLAN interface to VPN instance vpn2.

[MCE-Vlan-interface40] ip binding vpn-instance vpn2

# Configure an IP address for the VLAN interface.

[MCE-Vlan-interface40] ip address 40.1.1.1 24

[MCE-Vlan-interface40] quit

# On PE 1, create VLAN 30 and VLAN-interface 30.

[PE1] vlan 30

[PE1-vlan30] quit

[PE1] interface vlan-interface 30

# Bind the VLAN interface to VPN instance vpn1.

[PE1-Vlan-interface30] ip binding vpn-instance vpn1

# Configure an IP address for the VLAN interface.

[PE1-Vlan-interface30] ip address 30.1.1.2 24

[PE1-Vlan-interface30] quit

# On PE 1, create VLAN 40 and VLAN-interface 40.

[PE1] vlan 40

[PE1-vlan40] quit

[PE1] interface vlan-interface 40

# Bind the VLAN interface to VPN instance vpn2.

[PE1-Vlan-interface40] ip binding vpn-instance vpn2

# Configure an IP address for the VLAN interface.

[PE1-Vlan-interface40] ip address 40.1.1.2 24

[PE1-Vlan-interface40] quit

# Configure the IP address of the interface Loopback0 as 101.101.10.1 for the MCE and as 100.100.10.1 for PE 1. Specify the loopback interface address as the router ID for the MCE and PE 1. (Details not shown.)

# Enable OSPF process 10 on the MCE, bind the process to VPN instance vpn1, and set the domain ID to 10.

[MCE] ospf 10 router-id 101.101.10.1 vpn-instance vpn1

[MCE-ospf-10] vpn-instance-capability simple

[MCE-ospf-10] domain-id 10

# On the MCE, advertise subnet 30.1.1.0 in area 0, and redistribute the static route of VPN 1.

[MCE-ospf-10] area 0

[MCE-ospf-10-area-0.0.0.0] network 30.1.1.0 0.0.0.255

[MCE-ospf-10-area-0.0.0.0] quit

[MCE-ospf-10] import-route static

# On PE 1, enable OSPF process 10, and bind the process to VPN instance vpn1.

[PE1] ospf 10 router-id 100.100.10.1 vpn-instance vpn1

# Set the domain ID to 10.

[PE1-ospf-10] domain-id 10

# Advertise subnet 30.1.1.0 in area 0.

[PE1-ospf-10] area 0

[PE1-ospf-10-area-0.0.0.0] network 30.1.1.0 0.0.0.255

[PE1-ospf-10-area-0.0.0.0] quit

[PE1-ospf-10] quit

# Use similar procedures to configure OSPF process 20 between MCE and PE 1 and redistribute VPN 2's routing information. (Details not shown.)

Verifying the configuration

# Verify that PE 1 has learned the static route of VPN 1 through OSPF.

[PE1] display ip routing-table vpn-instance vpn1

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

30.1.1.0/24 Direct 0 0 30.1.1.2 Vlan30

30.1.1.0/32 Direct 0 0 30.1.1.2 Vlan30

30.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

30.1.1.255/32 Direct 0 0 30.1.1.2 Vlan30

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

192.168.0.0/24 OSPF 150 1 30.1.1.1 Vlan30

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that PE 1 has learned the routes of OSPF process 20 in VPN 2 through OSPF.

[PE1] display ip routing-table vpn-instance vpn2

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

40.1.1.0/24 Direct 0 0 40.1.1.2 Vlan40

40.1.1.0/32 Direct 0 0 40.1.1.2 Vlan40

40.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

40.1.1.255/32 Direct 0 0 40.1.1.2 Vlan40

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

192.168.10.0/24 OSPF 150 1 40.1.1.1 Vlan40

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

The routing information of the two VPNs has been redistributed into the routing tables on PE 1.

Configuring MCE that uses EBGP to advertise VPN routes to the PE

Network requirements

As shown in Figure 30, configure the MCE to advertise the routes of VPNs 1 and 2 to PE 1, so that the sites of each VPN can communicate with each other over the MPLS backbone.

Run OSPF in both VPN 1 and VPN 2. Run EBGP between the MCE and PE 1.

Figure 30 Network diagram

Configuration procedure

1. Configure VPN instances:

# Create VPN instances on the MCE and PE 1, and bind the VPN instances to VLAN interfaces. For the configuration procedure, see "Configuring MCE that uses OSPF to advertise VPN routes to the PE."

2. Configure routing between the MCE and VPN sites:

# Enable an OSPF process on the devices in the two VPNs and advertise the subnets. (Details not shown.)

# Configure OSPF on the MCE, and bind OSPF process 10 to VPN instance vpn1 to learn the routes of VPN 1.

<MCE> system-view

[MCE] ospf 10 router-id 10.10.10.1 vpn-instance vpn1

[MCE-ospf-10] area 0

[MCE-ospf-10-area-0.0.0.0] network 10.214.10.0 0.0.0.255

[MCE-ospf-10-area-0.0.0.0] quit

[MCE-ospf-10] quit

# Display the routing table of VPN 1 on the MCE.

[MCE] display ip routing-table vpn-instance vpn1

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.214.10.0/24 Direct 0 0 10.214.10.3 Vlan10

10.214.10.0/32 Direct 0 0 10.214.10.3 Vlan10

10.214.10.3/32 Direct 0 0 127.0.0.1 InLoop0

10.214.10.255/32 Direct 0 0 10.214.10.3 Vlan10

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

192.168.0.0/24 OSPF 10 2 10.214.10.2 Vlan10

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

The output shows that the MCE has learned the private route of VPN 1 through OSPF process 10.

# On the MCE, bind OSPF process 20 to VPN instance vpn2 to learn the routes of VPN 2. The configuration procedure is similar to that for OSPF process 10.

The following output shows that the MCE has learned the private route of VPN 2 through OSPF:

[MCE] display ip routing-table vpn-instance vpn2

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.214.20.0/24 Direct 0 0 10.214.20.3 Vlan20

10.214.20.0/32 Direct 0 0 10.214.20.3 Vlan20

10.214.20.3/32 Direct 0 0 127.0.0.1 InLoop0

10.214.20.255/32 Direct 0 0 10.214.20.3 Vlan20

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

192.168.10.0/24 OSPF 10 2 10.214.20.2 Vlan20

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

3. Configure routing between the MCE and PE 1:

# Configure the ports between the MCE and PE 1 as trunk ports. The configuration procedure is similar to that described in "Configuring MCE that uses OSPF to advertise VPN routes to the PE." (Details not shown.)

# Enable BGP in AS 100 on the MCE.

[MCE] bgp 100

# Enter the IPv4 address family view of VPN instance vpn1.

[MCE-bgp] ip vpn-instance vpn1

# Specify the EBGP peer PE 1 in AS 200.

[MCE-bgp-vpn1] peer 30.1.1.2 as-number 200

# Activate the EBGP VPNv4 peer PE 1, and redistribute routing information from OSPF process 10 to BGP.

[MCE-bgp-vpn1] address-family ipv4

[MCE-bgp-ipv4-vpn1] peer 30.1.1.2 enable

[MCE-bgp-ipv4-vpn1] import-route ospf 10

# On PE 1, enable BGP in AS 200, and specify the MCE as its EBGP peer.

[PE1] bgp 200

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] peer 30.1.1.1 as-number 100

[PE1-bgp-vpn1] address-family ipv4

[PE1-bgp-ipv4-vpn1] peer 30.1.1.1 enable

[PE1-bgp-ipv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Use similar procedures to configure VPN 2 settings on MCE and PE 1. (Details not shown.)

Verifying the configuration

# Verify that PE 1 has learned the OSPF route of VPN 1 through BGP.

[PE1] display ip routing-table vpn-instance vpn1

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

30.1.1.0/24 Direct 0 0 30.1.1.2 Vlan30

30.1.1.0/32 Direct 0 0 30.1.1.2 Vlan30

30.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

30.1.1.255/32 Direct 0 0 30.1.1.2 Vlan30

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

192.168.0.0/24 BGP 255 3 30.1.1.1 Vlan30

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that PE 1 has learned the OSPF route of VPN 2 through BGP.

[PE1] display ip routing-table vpn-instance vpn2

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

40.1.1.0/24 Direct 0 0 40.1.1.2 Vlan40

40.1.1.0/32 Direct 0 0 40.1.1.2 Vlan40

40.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

40.1.1.255/32 Direct 0 0 40.1.1.2 Vlan40

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

192.168.10.0/24 BGP 255 3 40.1.1.1 Vlan40

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

The MCE has redistributed the OSPF routes of the two VPN instances into the EBGP routing tables of PE 1.

Configuring BGP AS number substitution

Network requirements

As shown in Figure 31, CE 1 and CE 2 belong to VPN 1 and are connected to PE 1 and PE 2, respectively. The two CEs have the same AS number, 600. Configure BGP AS number substitution on the PEs to enable the CEs to communicate with each other.

Figure 31 Network diagram

Table 10 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Vlan-int11	10.1.1.1/24	P	Loop0	2.2.2.9/32
	Vlan-int12	100.1.1.1/24		Vlan-int11	30.1.1.1/24
PE 1	Loop0	1.1.1.9/32		Vlan-int12	20.1.1.2/24
	Vlan-int11	10.1.1.2/24	PE 2	Loop0	3.3.3.9/32
	Vlan-int12	20.1.1.1/24		Vlan-int11	30.1.1.2/24
CE 2	Vlan-int12	10.2.1.1/24		Vlan-int12	10.2.1.2/24
	Vlan-int13	200.1.1.1/24

Configuration procedure

1. Configuring basic MPLS L3VPN:

¡ Configure OSPF on the MPLS backbone to allow the PEs and P device to learn the routes of the loopback interfaces from each other.

¡ Configure basic MPLS and MPLS LDP on the MPLS backbone to establish LDP LSPs.

¡ Establish an MP-IBGP peer relationship between the PEs to advertise VPNv4 routes.

¡ Configure the VPN instance of VPN 1 on PE 2 to allow CE 2 to access the network.

¡ Configure the VPN instance of VPN 1 on PE 1 to allow CE 1 to access the network.

¡ Configure BGP as the PE-CE routing protocol, and redistribute routes of the CEs into the PEs.

For more information about basic MPLS L3VPN configurations, see "Configuring basic MPLS L3VPN."

# Execute the display ip routing-table command on CE 2. The output shows that CE 2 has learned the route to network 10.1.1.0/24, where the interface used by CE 1 to access PE 1 resides. However, it has not learned the route to the VPN (100.1.1.0/24) behind CE 1.

<CE2> display ip routing-table

Destinations : 17 Routes : 17

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.0/24 BGP 255 0 10.2.1.2 Vlan12

10.2.1.0/24 Direct 0 0 10.2.1.1 Vlan12

10.2.1.0/32 Direct 0 0 10.2.1.1 Vlan12

10.2.1.1/32 Direct 0 0 127.0.0.1 InLoop0

10.2.1.255/32 Direct 0 0 10.2.1.1 Vlan12

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

200.1.1.0/24 Direct 0 0 200.1.1.1 Vlan13

200.1.1.0/32 Direct 0 0 200.1.1.1 Vlan13

200.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

200.1.1.255/24 Direct 0 0 200.1.1.1 Vlan13

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Execute the display ip routing-table command on CE 1 to verify that CE 1 has not learned the route to the VPN behind CE 2. (Details not shown.)

# Execute the display ip routing-table vpn-instance command on the PEs. The output shows the route to the VPN behind the peer CE. This example uses PE 2.

<PE2> display ip routing-table vpn-instance vpn1

Destinations : 15 Routes : 15

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.0/24 BGP 255 0 1.1.1.9 Vlan11

10.2.1.0/24 Direct 0 0 10.2.1.2 Vlan12

10.2.1.0/32 Direct 0 0 10.2.1.2 Vlan12

10.2.1.2/32 Direct 0 0 127.0.0.1 InLoop0

10.2.1.255/32 Direct 0 0 10.2.1.2 Vlan12

100.1.1.0/24 BGP 255 0 1.1.1.9 Vlan11

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

200.1.1.0/24 BGP 255 0 10.2.1.1 Vlan12

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Enable BGP update packet debugging on PE 2. The output shows that PE 2 advertises the route to 100.1.1.1/32, and the AS_PATH is 100 600.

<PE2> terminal monitor

<PE2> terminal logging level 7

<PE2> debugging bgp update vpn-instance vpn1 10.2.1.1 ipv4

<PE2> refresh bgp all export ipv4 vpn-instance vpn1

*Jun 13 16:12:52:096 2012 PE2 BGP/7/DEBUG: -MDC=1;

BGP.vpn1: Send UPDATE to peer 10.2.1.1 for following destinations:

Origin : Incomplete

AS Path : 100 600

Next Hop : 10.2.1.2

100.1.1.0/24,

# Execute the display bgp routing-table ipv4 peer received-routes command on CE 2. The output shows that CE 2 has not received the route to 100.1.1.0/24.

<CE2> display bgp routing-table ipv4 peer 10.2.1.2 received-routes

Total number of routes: 2

BGP local router ID is 200.1.1.1

Status codes: * - valid, > - best, d - dampened, h - history,

s - suppressed, S - stale, i - internal, e - external

Origin: i - IGP, e - EGP, ? - incomplete

Network NextHop MED LocPrf PrefVal Path/Ogn

* >e 10.1.1.0/24 10.2.1.2 0 100?

* e 10.2.1.0/24 10.2.1.2 0 0 100?

2. Configure BGP AS number substitution on PE 2.

<PE2> system-view

[PE2] bgp 100

[PE2-bgp] ip vpn-instance vpn1

[PE2-bgp-vpn1] peer 10.2.1.1 substitute-as

[PE2-bgp-vpn1] address-family ipv4 unicast

[PE2-bgp-ipv4-vpn1] peer 10.2.1.1 enable

[PE2-bgp-ipv4-vpn1] quit

[PE2-bgp-vpn1] quit

[PE2-bgp] quit

Verifying the configuration

# The output shows that among the routes advertised by PE 2 to CE 2, the AS_PATH of 100.1.1.0/24 has changed from 100 600 to 100 100.

*Jun 13 16:15:59:456 2012 PE2 BGP/7/DEBUG: -MDC=1;

BGP.vpn1: Send UPDATE to peer 10.2.1.1 for following destinations:

Origin : Incomplete

AS Path : 100 100

Next Hop : 10.2.1.2

100.1.1.0/24,

# Display again the routing information that CE 2 has received and the routing table.

<CE2> display bgp routing-table ipv4 peer 10.2.1.2 received-routes

Total number of routes: 3

BGP local router ID is 200.1.1.1

Status codes: * - valid, > - best, d - dampened, h - history,

s - suppressed, S - stale, i - internal, e - external

Origin: i - IGP, e - EGP, ? - incomplete

Network NextHop MED LocPrf PrefVal Path/Ogn

* >e 10.1.1.0/24 10.2.1.2 0 100?

* e 10.2.1.0/24 10.2.1.2 0 0 100?

* >e 100.1.1.0/24 10.2.1.2 0 100 100?

<CE2> display ip routing-table

Destinations : 18 Routes : 18

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.0/24 BGP 255 0 10.2.1.2 Vlan12

10.2.1.0/24 Direct 0 0 10.2.1.1 Vlan12

10.2.1.0/32 Direct 0 0 10.2.1.1 Vlan12

10.2.1.1/32 Direct 0 0 127.0.0.1 InLoop0

10.2.1.255/32 Direct 0 0 10.2.1.1 Vlan12

100.1.1.0/24 BGP 255 0 10.2.1.2 Vlan12

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

200.1.1.0/24 Direct 0 0 200.1.1.1 Vlan13

200.1.1.0/32 Direct 0 0 200.1.1.1 Vlan13

200.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

200.1.1.255/32 Direct 0 0 200.1.1.1 Vlan13

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that the VLAN interfaces of CE 1 and CE 2 can ping each other. (Details not shown.)

Configuring IPv6 MPLS L3VPN

Overview

IPv6 MPLS L3VPN uses BGP to advertise IPv6 VPN routes and uses MPLS to forward IPv6 VPN packets on the service provider backbone.

Figure 32 shows a typical IPv6 MPLS L3VPN model. The service provider backbone in the IPv6 MPLS L3VPN model is an IPv4 network. IPv6 runs inside the VPNs and between CE and PE. Therefore, PEs must support both IPv4 and IPv6. The PE-CE interfaces of a PE run IPv6, and the PE-P interface of a PE runs IPv4.

Figure 32 Network diagram for the IPv6 MPLS L3VPN model

IPv6 MPLS L3VPN packet forwarding

Figure 33 IPv6 MPLS L3VPN packet forwarding diagram

As shown in Figure 33, the IPv6 MPLS L3VPN packet forwarding procedure is as follows:

1. The PC at Site 1 sends an IPv6 packet destined for 2001:2::1, the PC at Site 2. CE 1 transmits the packet to PE 1.

2. Based on the inbound interface and destination address of the packet, PE 1 finds a matching entry from the routing table of the VPN instance, labels the packet with both a private network label (inner label) and a public network label (outer label), and forwards the packet out.

3. The MPLS backbone transmits the packet to PE 2 by outer label. The outer label is removed from the packet at the penultimate hop.

4. According to the inner label and destination address of the packet, PE 2 searches the routing table of the VPN instance to determine the outbound interface, and then forwards the packet out of the interface to CE 2.

5. CE 2 forwards the packet to the destination by IPv6 forwarding.

IPv6 MPLS L3VPN routing information advertisement

The routing information of a local CE is advertised to the remote CE by using the following process:

1. From the local CE to the ingress PE.

The local CE advertises standard IPv6 routing information to the ingress PE over an IPv6 static route, RIPng route, OSPFv3 route, IPv6 IS-IS route, IBGP route, or EBGP route.

2. From the ingress PE to the egress PE.

After receiving the standard IPv6 routes from the CE, the ingress PE does the following:

a. Adds RDs and route targets to create VPN-IPv6 routes.

b. Saves the routes to the routing table of the VPN instance created for the CE.

c. Assigns VPN labels for the VPN-IPv6 routes.

d. Advertises the VPN-IPv6 routes to the egress PE through MP-BGP.

The egress PE does the following:

a. Compares the export target attributes of the VPN-IPv6 routes with the import target attributes that it maintains for the VPN instance.

b. Adds the routes to the routing table of the VPN instance if the export and import target attributes are the same.

The PEs use an IGP to ensure the connectivity between them.

3. From the egress PE to the remote peer CE.

The egress PE restores the original IPv6 routes and advertises them to the remote CE over an IPv6 static route, RIPng route, OSPFv3 route, IPv6 IS-IS route, EBGP, or IBGP route.

IPv6 MPLS L3VPN network schemes and features

IPv6 MPLS L3VPN supports the following network schemes and features:

· Basic VPN.

· Inter-AS VPN option A.

· Inter-AS VPN option C.

· Carrier's carrier.

· Multi-VPN instance CE.

· OSPFv3 VPN extension. (OSPFv3 Type 3, Type 5, and Type 7 LSAs support the DN bit. By default, OSPFv3 VPN extension uses the DN bit to avoid routing loops.)

Protocols and standards

· RFC 4659, BGP-MPLS IP Virtual Private Network (VPN) Extension for IPv6 VPN

· RFC 6565, OSPFv3 as a Provider Edge to Customer Edge (PE-CE) Routing Protocol

IPv6 MPLS L3VPN configuration task list

By configuring basic IPv6 MPLS L3VPN, you can construct a simple IPv6 VPN network over an MPLS backbone.

To deploy special IPv6 MPLS L3VPN networks, such as inter-AS VPN, you must also perform specific configurations in addition to the basic IPv6 MPLS L3VPN configuration. For details, see the related sections.

Tasks at a glance
Configuring basic IPv6 MPLS L3VPN
Configuring inter-AS IPv6 VPN
Configuring routing on an MCE

Tasks at a glance
Configuring basic IPv6 MPLS L3VPN
Configuring inter-AS IPv6 VPN
Configuring routing on an MCE
Configuring an OSPFv3 sham link

Configuring basic IPv6 MPLS L3VPN

The key task in IPv6 MPLS L3VPN configuration is to manage the advertisement of IPv6 VPN routes on the MPLS backbone, including management of PE-CE route exchange and PE-PE route exchange.

To configure basic IPv6 MPLS L3VPN:

Tasks at a glance
Configuring VPN instances: 1. (Required.) Creating a VPN instance 2. (Required.) Associating a VPN instance with an interface 3. (Optional.) Configuring route related attributes for a VPN instance




(Required.) Configuring routing between a PE and a CE
(Required.) Configuring routing between PEs
(Optional.) Configuring BGP VPNv6 route control

Before configuring basic IPv6 MPLS L3VPN, complete the following tasks:

· Configure an IGP on the PEs and Ps to ensure IP connectivity within the MPLS backbone.

· Configure basic MPLS for the MPLS backbone.

· Configure MPLS LDP on PEs and Ps to establish LDP LSPs.

Configuring VPN instances

By configuring VPN instances on a PE, you isolate not only VPN routes from public network routes, but also routes between VPNs. This feature allows VPN instances to be used in network scenarios besides MPLS L3VPNs.

All VPN instance configurations are performed on PEs or MCEs.

Creating a VPN instance

A VPN instance is associated with a site. It is a collection of the VPN membership and routing rules of its associated site. A VPN instance might correspond to more than one VPN.

To create and configure a VPN instance:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a VPN instance and enter VPN instance view.	ip vpn-instance vpn-instance-name	By default, no VPN instance is created.
3. Specify a reserved VLAN for the VPN instance.	reserve-vlan vlan-id	By default, no reserved VLAN is specified for a VPN instance.
4. Configure an RD for the VPN instance.	route-distinguisher route-distinguisher	By default, no RD is specified.
5. (Optional.) Configure a description for the VPN instance.	description text	By default, no description is configured for a VPN instance. The description should contain the VPN instance's related information, such as its relationship with a certain VPN.
6. (Optional.) Configure an ID for the VPN instance.	vpn-id vpn-id	By default, no ID is configured for a VPN instance.

Associating a VPN instance with an interface

After creating and configuring a VPN instance, associate the VPN instance with the interface connected to the CE.

To associate a VPN instance with an interface:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Associate a VPN instance with the interface.	ip binding vpn-instance vpn-instance-name	By default, no VPN instance is associated with an interface. The ip binding vpn-instance command clears the IP address of the interface. Therefore, reconfigure an IP address for the interface after configuring this command.

Configuring route related attributes for a VPN instance

VPN routes are controlled and advertised on a PE by using the following process:

· When a VPN route learned from a CE gets redistributed into BGP, BGP associates it with a route target extended community attribute list, which is usually the export target attribute of the VPN instance associated with the CE.

· The VPN instance determines which routes it can accept and redistribute according to the import-extcommunity in the route target.

· The VPN instance determines how to change the route target attributes for routes to be advertised according to the export-extcommunity in the route target.

To configure route related attributes for a VPN instance:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter VPN instance view or IPv6 VPN view.	· Enter VPN instance view: ip vpn-instance vpn-instance-name · Enter IPv6 VPN view: address-family ipv6	Configurations made in VPN instance view apply to both IPv4 VPN and IPv6 VPN. IPv6 VPN prefers the configurations in IPv6 VPN view over the configurations in VPN instance view.
3. Configure route targets.	vpn-target vpn-target&<1-8> [ both \| export-extcommunity \| import-extcommunity ]	By default, no route targets are configured.
4. Set the maximum number of active routes supported.	routing-table limit number { warn-threshold \| simply-alert }	By default, the maximum number of active routes depends on the system operating mode. Setting the maximum number of active routes for a VPN instance can prevent the PE from storing too many routes.
5. Apply an import routing policy.	import route-policy route-policy	By default, all routes matching the import target attribute are accepted. Make sure the routing policy already exists. Otherwise, the device does not filter received routes. For information about routing policies, see Layer 3—IP Routing Configuration Guide.
6. Apply an export routing policy.	export route-policy route-policy	By default, routes to be advertised are not filtered. Make sure the routing policy already exists. Otherwise, the device does not filter routes to be advertised. For information about routing policies, see Layer 3—IP Routing Configuration Guide.
7. Apply a tunnel policy to the VPN instance.	tnl-policy tunnel-policy-name	By default, only one LSP tunnel is selected (no load balancing). The specified tunnel policy must have been created.

Configuring routing between a PE and a CE

You can configure IPv6 static routing, RIPng, OSPFv3, IPv6 IS-IS, EBGP, or IBGP between a PE and a CE.

Configuring IPv6 static routing between a PE and a CE

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure an IPv6 static route for a VPN instance.

ipv6 route-static vpn-instance s-vpn-instance-name ipv6-address prefix-length { nexthop-address [ public ] interface-type interface-number [ next-hop-address ] | vpn-instance d-vpn-instance-name nexthop-address } [ permanent ] [ preference preference-value ] [ tag tag-value ] [ description description-text ]

By default, no IPv6 static route is configured for a VPN instance.

Perform this configuration on the PE. On the CE, configure a common IPv6 static route.

For more information about IPv6 static routing, see Layer 3—IP Routing Configuration Guide.

Configuring RIPng between a PE and a CE

A RIPng process belongs to the public network or a single VPN instance. If you create a RIPng process without binding it to a VPN instance, the process belongs to the public network.

For more information about RIPng, see Layer 3—IP Routing Configuration Guide.

To configure RIPng between a PE and a CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a RIPng process for a VPN instance and enter RIPng view.	ripng [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the PE. On the CE, create a common RIPng process.
3. Return to system view.	quit	N/A
4. Enter interface view.	interface interface-type interface-number	N/A
5. Enable RIPng on the interface.	ripng process-id enable	By default, RIPng is disabled on an interface.

Configuring OSPFv3 between a PE and a CE

An OSPFv3 process belongs to the public network or a single VPN instance. If you create an OSPF process without binding it to a VPN instance, the process belongs to the public network.

For more information about OSPFv3, see Layer 3—IP Routing Configuration Guide.

To configure OSPFv3 between a PE and a CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an OSPFv3 process for a VPN instance and enter OSPFv3 view.	ospfv3 [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the PE. On the CE, create a common OSPF process. Deleting a VPN instance also deletes all related OSPFv3 processes.
3. Set the router ID.	router-id router-id	N/A
4. (Optional.) Configure an OSPFv3 domain ID.	domain-id { domain-id [ secondary ] \| null }	The default domain ID is 0. Perform this configuration on the PE. When you redistribute OSPFv3 routes into BGP, BGP adds the primary domain ID to the redistributed BGP VPNv6 routes as a BGP extended community attribute. You can configure the same domain ID for different OSPFv3 processes. All OSPF processes of the same VPN must be configured with the same OSPF domain ID to ensure correct route advertisement.
5. (Optional.) Configure the type code of an OSPFv3 extended community attribute.	ext-community-type { domain-id type-code1 \| route-type type-code2 \| router-id type-code3 }	By default, the type codes for domain ID, route type, and router ID are hexadecimal numbers 0005, 0306, and 0107, respectively. Perform this configuration on the PE.
6. (Optional.) Configure an external route tag for redistributed VPN routes.	route-tag tag-value	By default, if BGP runs within an MPLS backbone, and the BGP AS number is not greater than 65535, the first two octets of the external route tag are 0xD000. The last two octets are the local BGP AS number. If the AS number is greater than 65535, the external route tag is 0. Perform this configuration on the PE.
7. (Optional.) Disable setting the DN bit in OSPFv3 LSAs.	disable-dn-bit-set	By default, when a PE redistributes BGP routes into OSPFv3 and creates OSPFv3 LSAs, it sets the DN bit for the LSAs. Before using this command, make sure it does not cause any routing loops. Perform this configuration on the PE.
8. (Optional.) Ignore the DN bit in OSPFv3 LSAs.	disable-dn-bit-check	By default, the PE checks the DN bit in OSPFv3 LSAs. Before using this command, make sure it does not cause any routing loops. Perform this configuration on the PE.
9. (Optional.) Enable the external route check function for OSPFv3 LSAs.	route-tag-check enable	By default, the PE checks the DN bit in OSPFv3 LSAs to avoid routing loops. This command is compatible with the old protocol (RFC 4577). H3C recommends not using this command in the current software version. Perform this configuration on the PE.
10. Return to system view.	quit	N/A
11. Enter interface view.	interface interface-type interface-number	N/A
12. Enable OSPFv3 on the interface.	ospfv3 process-id area area-id [ instance instance-id ]	By default, OSPFv3 is disabled on an interface. Perform this configuration on the PE.

Configuring IPv6 IS-IS between a PE and a CE

An IPv6 IS-IS process belongs to the public network or a single VPN instance. If you create an IPv6 IS-IS process without binding it to a VPN instance, the process belongs to the public network.

For more information about IPv6 IS-IS, see Layer 3—IP Routing Configuration Guide.

To configure IPv6 IS-IS between a PE and a CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an IPv6 IS-IS process for a VPN instance and enter IS-IS view.	isis [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the PE. On the CE, create a common IPv6 IS-IS process.
3. Configure a network entity title for the IS-IS process.	network-entity net	By default, no NET is configured.
4. Enable IPv6 for the IS-IS process.	ipv6 enable	IPv6 is disabled by default.
5. Return to system view.	quit	N/A
6. Enter interface view.	interface interface-type interface-number	N/A
7. Enable IPv6 for the IS-IS process on the interface.	isis ipv6 enable [ process-id ]	IPv6 is disabled on an interface by default.

Configuring EBGP between a PE and a CE

1. Configure the PE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable BGP and enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Configure the CE as the VPN EBGP peer.	peer { group-name \| ipv6-address } as-number as-number	By default, no BGP peer is configured.
5. Create the BGP-VPN IPv6 unicast address family and enter its view.	address-family ipv6 [ unicast ]	By default, the BGP-VPN IPv6 unicast address family is not created. Configuration commands in BGP-VPN IPv6 unicast address family view are the same as those in BGP IPv6 unicast address family view. For details, see Layer 3—IP Routing Configuration Guide.
6. Enable IPv6 unicast route exchange with the specified peer or peer group.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
7. Redistribute the routes of the local CE.	import-route protocol [ process-id [ med med-value \| route-policy route-policy-name ] * ]	A PE must redistribute the routes of the local CE into its VPN routing table so that it can advertise them to the peer PE.
8. (Optional.) Configure filtering of advertised routes.	filter-policy { acl6-number \| prefix-list ipv6-prefix-name } export [ protocol process-id ]	By default, BGP does not filter advertised routes.
9. (Optional.) Configure filtering of received routes.	filter-policy { acl6-number \| prefix-list ipv6-prefix-name } import	By default, the PE does not filter received routes.

2. Configure the CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the PE as an EBGP peer.	peer { group-name \| ipv6-address } as-number as-number	By default, no BGP peer is configured.
4. Create the BGP IPv6 unicast address family and enter its view.	address-family ipv6 [ unicast ]	By default, the BGP IPv6 unicast address family is not created.
5. Enable IPv6 unicast route exchange with the specified peer or peer group.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
6. (Optional.) Configure route redistribution.	import-route protocol [ process-id [ med med-value \| route-policy route-policy-name ] * ]	A CE must advertise its VPN routes to the connected PE so that the PE can advertise them to the peer CE.

Configuring IBGP between a PE and a CE

Use IBGP between PE and CE only in a basic IPv6 MPLS L3VPN network. In networks such as inter-AS VPN and carrier's carrier, you cannot configure IBGP between PE and CE.

1. Configure the PE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	Configuration commands in BGP-VPN instance view are the same as those in BGP view. For details, see Layer 3—IP Routing Configuration Guide.
4. Configure the CE as the VPN IBGP peer.	peer { group-name \| ipv6-address } as-number as-number	By default, no BGP peer is created.
5. Create the BGP-VPN IPv6 unicast family and enter its view.	address-family ipv6 [ unicast ]	By default, the BGP-VPN IPv6 unicast family is not created.
6. Enable IPv6 unicast route exchange with the specified peer.	peer { group-name \| ipv6-address } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
7. Configure the CE as a client of the RR.	peer { group-name \| ipv6-address } reflect-client	By default, no RR or RR client is configured, and the PE does not advertise routes learned from the IBGP peer CE to other IBGP peers, including VPNv6 IBGP peers. The PE advertises routes learned from the CE to other IBGP peers only when you configure the IBGP peer CE as a client of the RR. Configuring an RR does not change the next hop of a route. To change the next hop of a route, configure an inbound policy on the receiving side.
8. (Optional.) Enable route reflection between clients.	reflect between-clients	By default, route reflection between clients is enabled.
9. (Optional.) Configure the cluster ID for the RR.	reflector cluster-id { cluster-id \| ip-address }	By default, the RR uses its own router ID as the cluster ID. If multiple RRs exist in a cluster, use this command to configure the same cluster ID for all RRs in the cluster to avoid routing loops.

2. Configure the CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the PE as an IBGP peer.	peer { group-name \| ipv6-address } as-number as-number	By default, no BGP peer is created.
4. Create the BGP IPv6 unicast family and enter its view.	address-family ipv6 [ unicast ]	By default, the BGP IPv6 unicast family is not created.
5. Enable IPv6 unicast route exchange with the specified peer or peer group.	peer { group-name \| ipv6-address } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
6. (Optional.) Configure route redistribution.	import-route protocol [ process-id [ med med-value \| route-policy route-policy-name ] * ]	A CE must redistribute its routes to the PE so the PE can advertise them to the peer CE.

Configuring routing between PEs

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the remote PE as the peer.	peer { group-name \| ipv6-address } as-number as-number	By default, no BGP peer is configured.
4. Specify the source interface for route update packets sent to the specified peer.	peer { group-name \| ip-address } connect-interface interface-type interface-number	By default, BGP uses the outbound interface of the best route destined to the BGP peer as the source interface.
5. Create the BGP VPNv6 address family and enter its view.	address-family vpnv6	By default, the BGP VPNv6 address family is not created.
6. Enable BGP-VPNv6 route exchange with the specified peer.	peer { group-name \| ip-address } enable	By default, BGP does not exchange BGP-VPNv6 routes with any peer.

Configuring BGP VPNv6 route control

BGP VPNv6 route control is configured similarly with BGP route control, except that it is configured in BGP-VPNv6 address family view. For detailed information about BGP route control, see Layer 3—IP Routing Configuration Guide.

To configure BGP VPNv6 route control:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPNv6 address family view.	address-family vpnv6	N/A
4. Configure filtering of advertised routes.	filter-policy { acl6-number \| prefix-list ipv6-prefix-name } export [ protocol process-id ]	By default, BGP does not filter advertised routes.
5. Configure filtering of received routes.	filter-policy { acl6-number \| prefix-list ipv6-prefix-name } import	By default, BGP does not filter received routes.
6. Advertise the COMMUNITY attribute to a peer or peer group.	peer { group-name \| ip-address [ mask-length ] } advertise-community	By default, BGP does not advertise the COMMUNITY attribute to any peers or peer groups.
7. Configure ACL-based route filtering for the specified peer or peer group.	peer { group-name \| ip-address } filter-policy acl6-number { export \| import }	By default, no ACL-based route filtering is configured.
8. Configure IPv6 prefix list-based route filtering for the specified peer or peer group.	peer { group-name \| ip-address } prefix-list ipv6-prefix-name { export \| import }	By default, no IPv6 prefix list-based route filtering is configured.
9. Specify a preferred value for routes received from the peer or peer group.	peer { group-name \| ip-address } preferred-value value	The default preferred value is 0.
10. Configure BGP updates sent to the peer to carry only public AS numbers.	peer { group-name \| ip-address } public-as-only	By default, a BGP update carries both public and private AS numbers.
11. Apply a routing policy to routes advertised to or received from the peer or peer group.	peer { group-name \| ip-address } route-policy route-policy-name { export \| import }	By default, no routing policy is applied for a peer.
12. Enable route target filtering for received BGP-VPNv6 routes.	policy vpn-target	By default, route target filtering is enabled.
13. Configure the local PE as the route reflector and specify the peer as the client.	peer { group-name \| ip-address } reflect-client	By default, no route reflector or client is configured.
14. Enable route reflection between clients.	reflect between-clients	By default, route reflection between clients is enabled.
15. Configure a cluster ID for the route reflector.	reflector cluster-id { cluster-id \| ip-address }	By default, an RR uses its own router ID as the cluster ID. If more than one RR exists in a cluster, use this command to configure the same cluster ID for all RRs in the cluster to avoid routing loops.
16. Configure filtering of reflected routes.	rr-filter extended-community-number	By default, an RR does not filter reflected routes. Only IBGP routes whose extended community attribute matches the specified community list are reflected. By configuring different filtering policies on RRs, you can implement load balancing among the RRs.

Configuring inter-AS IPv6 VPN

If the MPLS backbone spans multiple ASs, you must configure inter-AS IPv6 VPN.

There are three inter-AS VPN solutions (for more information, see "Configuring MPLS L3VPN"). IPv6 MPLS L3VPN supports only inter-AS VPN option A and option C.

Before configuring inter-AS IPv6 VPN, complete these tasks:

· Configure an IGP for the MPLS backbone in each AS to ensure IP connectivity.

· Configure basic MPLS for the MPLS backbone of each AS.

· Configure MPLS LDP for the MPLS backbones so that LDP LSPs can be established.

The following sections describe inter-AS IPv6 VPN option A and option C. Select one according to your network scenario.

Configuring inter-AS IPv6 VPN option A

Inter-AS IPv6 VPN option A applies to scenarios where the number of VPNs and that of VPN routes on the PEs are relatively small.

To configure inter-AS IPv6 option A:

· Configure basic IPv6 MPLS L3VPN on each AS.

· Configure VPN instances on both PEs and ASBR-PEs. The VPN instances on PEs allow CEs to access the network, and those on ASBR-PEs are for access of the peer ASBR-PEs.

For more configuration information, see "IPv6 MPLS L3VPN configuration task list."

In the inter-AS IPv6 VPN option A solution, for the same IPv6 VPN, the route targets configured on the PEs must match those configured on the ASBR-PEs in the same AS. This makes sure VPN routes sent by the PEs (or ASBR-PEs) can be received by the ASBR-PEs (or PEs). Route targets configured on the PEs in different ASs do not have such requirements.

Configuring inter-AS IPv6 VPN option C

To configure inter-AS IPv6 VPN option C, perform proper configurations on PEs and ASBR-PEs, and configure routing policies on the ASBR-PEs.

Configuring the PEs

Establish an IBGP peer relationship between a PE and an ASBR-PE in an AS, and an MP-EBGP peer relationship between PEs in different ASs.

The PEs and ASBR-PEs in an AS must be able to exchange labeled routes.

To configure a PE for inter-AS IPv6 VPN option C:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the ASBR-PE in the same AS as an IBGP peer.	peer { group-name \| ip-address } as-number as-number	By default, no BGP peer is configured.
4. Enter BGP IPv4 unicast address family view.	address-family ipv4 [ unicast ]	N/A
5. Enable the PE to exchange BGP IPv4 unicast routes with the ASBR-PE in the same AS.	peer { group-name \| ip-address } enable	By default, the PE does not exchange BGP IPv4 unicast routes with any peer.
6. Enable the PE to exchange labeled routes with the ASBR-PE in the same AS.	peer { group-name \| ip-address } label-route-capability	By default, the PE does not advertise labeled routes to any IPv4 peer/peer group.
7. Return to BGP view.	quit	N/A
8. Configure the PE of another AS as the EBGP peer.	peer { group-name \| ip-address } as-number as-number	N/A
9. Enter BGP VPNv6 address family view.	address-family vpnv6	N/A
10. Enable the PE to exchange BGP VPNv6 routing information with the EBGP peer.	peer ip-address enable	By default, the PE does not exchange labeled routes with any IPv4 peer/peer group.

Configuring the ASBR-PEs

In the inter-AS IPv6 VPN option C solution, an inter-AS LSP is needed, and the routes advertised between the PEs and ASBRs must carry MPLS label information. The configuration is the same as that in the Inter-AS IPv4 VPN option C solution. For more information, see "Configuring MPLS L3VPN."

Configuring the routing policy

A routing policy on an ASBR-PE does the following:

· Assigns MPLS labels to routes received from the PEs in the same AS before advertising them to the peer ASBR-PE.

· Assigns new MPLS labels to the labeled routes to be advertised to the PEs in the same AS.

The configuration is the same as that in the Inter-AS IPv4 VPN option C solution. For more information, see "Configuring MPLS L3VPN."

Configuring routing on an MCE

An MCE implements service isolation through route isolation. MCE routing configuration includes the following:

· MCE-VPN site routing configuration

· MCE-PE routing configuration

On a PE in an MCE network environment, do the following:

· Disable routing loop detection to avoid route loss during route calculation.

· Disable route redistribution between routing protocols to save system resources.

Before you configure routing on an MCE, complete the following tasks:

· On the MCE, configure VPN instances, and bind the VPN instances to the interfaces connected to the VPN sites and those connected to the PE.

· Configure the link layer and network layer protocols on related interfaces to ensure IP connectivity.

Configuring routing between an MCE and a VPN site

You can configure static routing, RIPng, OSPFv3, IPv6 IS-IS, or EBGP between an MCE and a VPN site.

Configuring IPv6 static routing between an MCE and a VPN site

An MCE can reach a VPN site through an IPv6 static route. IPv6 static routing on a traditional CE is globally effective and does not support address overlapping among VPNs. An MCE supports binding an IPv6 static route to an IPv6 VPN instance, so that the IPv6 static routes of different IPv6 VPN instances can be isolated from each other.

To configure IPv6 static routing between an MCE and a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure an IPv6 static route for an IPv6 VPN instance.	ipv6 route-static vpn-instance s-vpn-instance-name ipv6-address prefix-length { nexthop-address [ public ] interface-type interface-number [ next-hop-address ] \| vpn-instance d-vpn-instance-name nexthop-address } [ permanent ] [ preference preference-value ] [ tag tag-value ] [ description description-text ]	By default, no static route is configured. Perform this configuration on the MCE. On a VPN site, configure normal IPv6 static routes.
3. (Optional.) Configure the default preference for IPv6 static routes.	ipv6 route-static default-preference default-preference-value	The default preference for IPv6 static routes is 60.

Configuring RIPng between an MCE and a VPN site

A RIPng process belongs to the public network or a single IPv6 VPN instance. If you create a RIPng process without binding it to an IPv6 VPN instance, the process belongs to the public network. By configuring RIPng process-to-IPv6 VPN instance bindings on a MCE, you allow routes of different VPNs to be exchanged between the MCE and the sites through different RIPng processes, ensuring the separation and security of IPv6 VPN routes.

For more information about RIPng, see Layer 3—IP Routing Configuration Guide.

To configure RIPng between an MCE and a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a RIPng process for a VPN instance and enter RIPng view.	ripng [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the MCE. On a VPN site, configure normal RIPng.
3. Redistribute remote site routes advertised by the PE.	import-route protocol [ process-id ] [ allow-ibgp ] [ cost cost \| route-policy route-policy-name ] *	By default, no routes are redistributed into RIPng.
4. (Optional.) Configure the default cost value for the redistributed routes.	default cost value	The default value is 0.
5. Return to system view.	quit	N/A
6. Enter interface view.	interface interface-type interface-number	N/A
7. Enable RIPng on the interface.	ripng process-id enable	RIPng is disabled by default.

Configuring OSPFv3 between an MCE and a VPN site

An OSPFv3 process belongs to the public network or a single IPv6 VPN instance. If you create an OSPFv3 process without binding it to an IPv6 VPN instance, the process belongs to the public network.

By configuring OSPFv3 process-to-IPv6 VPN instance bindings on a MCE, you allow routes of different IPv6 VPNs to be exchanged between the MCE and the sites through different OSPFv3 processes, ensuring the separation and security of IPv6 VPN routes.

For more information about OSPFv3, see Layer 3—IP Routing Configuration Guide.

To configure OSPFv3 between an MCE and a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an OSPFv3 process for a VPN instance and enter OSPFv3 view.	ospfv3 [ process-id \| vpn-instance vpn-instance-name ] *	Perform this configuration on the MCE. On a VPN site, configure common OSPFv3. Deleting a VPN instance also deletes all related OSPFv3 processes.
3. Set the router ID.	router-id router-id	N/A
4. Redistribute remote site routes advertised by the PE.	import-route protocol [ process-id \| all-processes \| allow-ibgp ] [ cost cost \| route-policy route-policy-name \| type type ] *	By default, no routes are redistributed into OSPFv3.
5. Return to system view.	quit	N/A
6. Enter interface view.	interface interface-type interface-number	N/A
7. Enable OSPFv3 on the interface.	ospfv3 process-id area area-id [ instance instance-id ]	By default, OSPFv3 is disabled on an interface.

Configuring IPv6 IS-IS between an MCE and a VPN site

An IPv6 IS-IS process belongs to the public network or a single IPv6 VPN instance. If you create an IPv6 IS-IS process without binding it to an IPv6 VPN instance, the process belongs to the public network.

By configuring IPv6 IS-IS process-to-IPv6 VPN instance bindings on a MCE, you allow routes of different IPv6 VPNs to be exchanged between the MCE and the sites through different IPv6 IS-IS processes. This ensures the separation and security of IPv6 VPN routes. For more information about IPv6 IS-IS, see Layer 3—IP Routing Configuration Guide.

To configure IPv6 IS-IS between an MCE and a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an IPv6 IS-IS process for a VPN instance and enter IS-IS view.	isis [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the MCE. On a VPN site, configure common IPv6 IS-IS.
3. Configure a network entity title for the IS-IS process.	network-entity net	By default, no NET is configured.
4. Enable IPv6 for the IPv6 IS-IS process.	ipv6 enable	By default, IPv6 is disabled.
5. (Optional.) Redistribute remote site routes advertised by the PE.	ipv6 import-route protocol [ process-id ] [ allow-ibgp ] [ cost cost \| [ level-1 \| level-1-2 \| level-2 ] \| route-policy route-policy-name \| tag tag ] *	By default, no routes are redistributed to IPv6 IS-IS. If you do not specify the route level in the command, redistributed routes are added to the level-2 routing table.
6. Return to system view.	quit	N/A
7. Enter interface view.	interface interface-type interface-number	N/A
8. Enable the IPv6 IS-IS process on the interface.	isis ipv6 enable [ process-id ]	By default, no IPv6 IS-IS process is enabled.

Configuring EBGP between an MCE and a VPN site

To use EBGP between an MCE and IPv6 VPN sites, you must configure a BGP peer for each IPv6 VPN instance on the MCE, and redistribute the IGP routes of each VPN instance on the IPv6 VPN sites. You can also configure the filtering of received and advertised routes.

1. Configure the MCE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Specify an IPv6 BGP peer in an AS.	peer { group-name \| ipv6-address } as-number as-number	By default, no BGP peer is configured.
5. Enter BGP-VPN IPv6 unicast address family view.	address-family ipv6 [ unicast ]	N/A
6. Enable BGP to exchange IPv6 unicast routes with the specified peer.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
7. Redistribute remote site routes advertised by the PE.	import-route protocol [ process-id [ med med-value \| route-policy route-policy-name ] * ]	By default, no route redistribution is configured.
8. (Optional.) Configure filtering of advertised routes.	filter-policy { acl6-number \| prefix-list ipv6-prefix-name } export [ protocol process-id ]	By default, BGP does not filter advertised routes.
9. (Optional.) Configure filtering of received routes.	filter-policy { acl6-number \| prefix-list ipv6-prefix-name } import	By default, BGP does not filter received routes.

2. Configure a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the MCE as an EBGP peer.	peer { group-name \| ipv6-address } as-number as-number	By default, no BGP peer is configured.
4. Enter BGP IPv6 unicast address family view.	address-family ipv6 [ unicast ]	N/A
5. Enable BGP to exchange IPv6 unicast routes with the specified peer.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
6. Redistribute the IGP routes of the VPN.	import-route protocol [ process-id [ med med-value \| route-policy route-policy-name ] * ]	By default, no routes are redistributed into BGP. A VPN site must advertise IPv6 VPN network addresses it can reach to the connected MCE.

Configuring IBGP between an MCE and a VPN site

To use IBGP between an MCE and a VPN site, you must configure a BGP peer for each IPv6 VPN instance on the MCE, and redistribute the IGP routes of each VPN instance on the VPN site.

1. Configure the MCE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Configure an IBGP peer.	peer { group-name \| ipv6-address } as-number as-number	N/A
5. Enter BGP-VPN IPv6 unicast address family view.	address-family ipv6 [ unicast ]	N/A
6. Enable BGP to exchange IPv6 unicast routes with the peer.	peer { group-name \| ipv6-address } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
7. (Optional.) Configure the system to be the RR, and specify the peer as the client of the RR.	peer { group-name \| ipv6-address } reflect-client	By default, no RR or RR client is configured. After you configure a VPN site as an IBGP peer, the MCE does not advertise the BGP routes learned from the VPN site to other IBGP peers, including VPNv6 peers. The MCE advertises routes learned from a VPN site only when you configure the VPN site as a client of the RR (the MCE).
8. Redistribute remote site routes advertised by the PE into BGP.	import-route protocol [ process-id [ med med-value \| route-policy route-policy-name ] * ]	By default, no routes are redistributed into BGP.
9. (Optional.) Configure filtering of advertised routes.	filter-policy { acl6-number \| prefix-list ipv6-prefix-name } export [ protocol process-id ]	By default, BGP does not filter advertised routes.
10. (Optional.) Configure filtering of received routes.	filter-policy { acl6-number \| prefix-list ipv6-prefix-name } import	By default, BGP does not filter received routes.

2. Configure a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the MCE as an IBGP peer.	peer { group-name \| ipv6-address } as-number as-number	N/A
4. Enter BGP-VPN IPv6 unicast address family view.	address-family ipv6 [ unicast ]	N/A
5. Enable BGP to exchange IPv6 unicast routes with the peer.	peer { group-name \| ipv6-address } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
6. Redistribute the IGP routes of the VPN into BGP.	import-route protocol [ process-id [ med med-value \| route-policy route-policy-name ] * ]	By default, no routes are redistributed into BGP. A VPN site must advertise VPN network addresses to the connected MCE.

Configuring routing between an MCE and a PE

MCE-PE routing configuration includes these tasks:

· Binding the MCE-PE interfaces to IPv6 VPN instances.

· Performing routing configurations.

· Redistributing IPv6 VPN routes into the routing protocol running between the MCE and the PE.

Perform the following configuration tasks on the MCE. Configurations on the PE are similar to those on the PE in common IPv6 MPLS L3VPN networks. For more information, see "Configuring routing between a PE and a CE."

Configuring IPv6 static routing between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure an IPv6 static route for an IPv6 VPN instance.	ipv6 route-static vpn-instance s-vpn-instance-name ipv6-address prefix-length { nexthop-address [ public ] interface-type interface-number [ next-hop-address ] \| vpn-instance d-vpn-instance-name nexthop-address } [ permanent ] [ preference preference-value ] [ tag tag-value ] [ description description-text ]	By default, no IPv6 static route is configured.
3. (Optional.) Configure the default preference for IPv6 static routes.	ipv6 route-static default-preference default-preference-value	The default value is 60.

Configuring RIPng between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a RIPng process for an IPv6 VPN instance and enter RIPng view.	ripng [ process-id ] vpn-instance vpn-instance-name	N/A
3. Redistribute VPN routes.	import-route protocol [ process-id ] [ allow-ibgp ] [ cost cost \| route-policy route-policy-name ] *	By default, no routes are redistributed into RIPng.
4. (Optional.) Configure the default cost value for redistributed routes.	default cost value	The default value is 0.
5. Return to system view.	quit	N/A
6. Enter interface view.	interface interface-type interface-number	N/A
7. Enable the RIPng process on the interface.	ripng process-id enable	By default, RIPng is disabled on an interface.

Configuring OSPFv3 between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an OSPFv3 process for an IPv6 VPN instance and enter OSPFv3 view.	ospfv3 [ process-id \| vpn-instance vpn-instance-name ] *	N/A
3. Set the router ID.	router-id router-id	N/A
4. Redistribute VPN routes.	import-route protocol [ process-id \| all-processes \| allow-ibgp ] [ cost cost \| route-policy route-policy-name \| type type ] *	By default, no routes are redistributed into OSPFv3.
5. (Optional.) Configure filtering of advertised routes.	filter-policy { acl6-number \| ipv6-prefix ipv6-prefix-name } export [ bgp4+ \| direct \| isisv6 process-id \| ospfv3 process-id \| ripng process-id \| static ]	By default, redistributed routes are not filtered.
6. Return to system view.	quit	N/A
7. Enter interface view.	interface interface-type interface-number	N/A
8. Enable the OSPFv3 process on the interface.	ospfv3 process-id area area-id [ instance instance-id ]	By default, OSPFv3 is disabled on an interface.

Configuring IPv6 IS-IS between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an IS-IS process for an IPv6 VPN instance and enter IS-IS view.	isis [ process-id ] vpn-instance vpn-instance-name	N/A
3. Configure a network entity title.	network-entity net	By default, no NET is configured.
4. Enable IPv6 for the IS-IS process.	ipv6 enable	By default, IPv6 is disabled.
5. (Optional.) Redistribute VPN routes.	ipv6 import-route protocol [ process-id ] [ allow-ibgp ] [ cost cost \| [ level-1 \| level-1-2 \| level-2 ] \| route-policy route-policy-name \| tag tag ] *	By default, IPv6 IS-IS does not redistribute routes from any other routing protocol. If you do not specify the route level in the command, the command redistributes routes to the level-2 routing table.
6. (Optional.) Configure filtering of advertised routes.	ipv6 filter-policy { acl6-number \| prefix-list prefix-list-name \| route-policy route-policy-name } export [ protocol [ process-id ] ]	By default, IPv6 IS-IS does not filter advertised routes.
7. Return to system view.	quit	N/A
8. Enter interface view.	interface interface-type interface-number	N/A
9. Enable the IPv6 IS-IS process on the interface.	isis ipv6 enable [ process-id ]	By default, IPv6 IS-IS is disabled on an interface.

Configuring EBGP between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Configure the PE as an EBGP peer.	peer { group-name \| ipv6-address } as-number as-number	By default, no BGP peer is configured.
5. Enter BGP-VPN IPv6 unicast address family view.	address-family ipv6 [ unicast ]	N/A
6. Enable BGP to exchange IPv6 unicast routes with the specified peer.	peer { group-name \| ip-address } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
7. Redistribute VPN routes.	import-route protocol [ process-id [ med med-value \| route-policy route-policy-name ] * ]	By default, no routes are redistributed into BGP.
8. (Optional.) Configure filtering of advertised routes.	filter-policy { acl6-number \| prefix-list ipv6-prefix-name } export [ protocol process-id ]	By default, BGP does not filter advertised routes.
9. (Optional.) Configure filtering of received routes.	filter-policy { acl6-number \| prefix-list ipv6-prefix-name } import	By default, BGP does not filter received routes.

Configuring IBGP between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Configure the PE as an IBGP peer.	peer { group-name \| ip-address } as-number as-number	N/A
5. Enter BGP-VPN IPv6 unicast address family view.	address-family ipv6 [ unicast ]	N/A
6. Enable BGP to exchange IPv6 unicast routes with the peer.	peer { group-name \| ipv6-address } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
7. Redistribute the VPN routes of the VPN site.	import-route protocol [ process-id [ med med-value \| route-policy route-policy-name ] * ]	By default, no routes are redistributed into BGP.
8. (Optional.) Configure filtering of advertised routes.	filter-policy { acl6-number \| prefix-list ipv6-prefix-name } export [ protocol process-id ]	By default, BGP does not filter advertised routes.
9. (Optional.) Configure filtering of received routes.	filter-policy { acl6-number \| prefix-list ipv6-prefix-name } import	By default, BGP does not filter received routes.

Configuring an OSPFv3 sham link

Before you configure an OSPFv3 sham link, configure basic IPv6 MPLS L3VPN (OSPFv3 is used between PE and CE).

Configuring a loopback interface

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a loopback interface and enter loopback interface view.	interface loopback interface-number	By default, no loopback interface is created.
3. Associate the loopback interface with a VPN instance.	ip binding vpn-instance vpn-instance-name	By default, the interface is associated with no VPN instance.
4. Configure an IPv6 address for the loopback interface.	See Layer 3—IP Services Configuration Guide.	By default, no IPv6 address is configured for the loopback interface.

Redistributing the loopback interface address

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Enter BGP-VPN IPv6 unicast address family view.	address-family ipv6 [ unicast ]	N/A
5. Redistribute direct routes into BGP (including the loopback interface address).	import-route direct	By default, no direct routes are redistributed into BGP.

Creating a sham link

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter OSPFv3 view.	ospfv3 [ process-id \| vpn-instance vpn-instance-name ] *	N/A
3. Enter OSPFv3 area view.	area area-id	N/A
4. Configure an OSPFv3 sham link.	sham-link source-ipv6-address destination-ipv6-address [ cost cost \| dead dead-interval \| hello hello-interval \| instance instance-id \| ipsec-profile profile-name \| retransmit retrans-interval \| trans-delay delay ] *	By default, no sham link is configured.

Displaying and maintaining IPv6 MPLS L3VPN

Execute the following commands in user view to soft reset or reset BGP connections:

Task	Command
Manually soft reset BGP sessions for VPNv6 address family.	refresh bgp { ip-address \| all \| external \| group group-name \| internal } { export \| import } vpnv6
Reset BGP sessions for VPNv6 address family.	reset bgp { as-number \| ip-address \| all \| external \| internal \| group group-name } vpnv6

Execute the following commands in any view to display IPv6 MPLS L3VPN:

Task	Command
Display the IPv6 routing table for a VPN instance.	display ipv6 routing-table vpn-instance vpn-instance-name [ verbose ]
Display information about a specified VPN instance or all VPN instances.	display ip vpn-instance [ instance-name vpn-instance-name ]
Display the IPv6 FIB information of a VPN instance.	display ipv6 fib vpn-instance vpn-instance-name [ acl6 acl6-number \| ipv6-prefix ipv6-prefix-name ]
Display FIB entries that match the specified destination IP address in the specified VPN instance.	display ipv6 fib vpn-instance vpn-instance-name ipv6-address [ prefix-length ]
Display BGP VPNv6 peer group information.	display bgp group vpnv6 [ group-name group-name ]
Display BGP VPNv6 peer information.	display bgp peer vpnv6 [ ip-address mask-length \| { ip-address \| group-name group-name } log-info \| [ ip-address ] verbose ]
Display BGP VPNv6 routes.	display bgp routing-table vpnv6 [ route-distinguisher route-distinguisher ] [ network-address prefix-length ]
Display BGP VPNv6 route advertisement information.	display bgp routing-table vpnv6 network-address prefix-length advertise-info
Display BGP VPNv6 routes matching the specified AS PATH list.	display bgp routing-table vpnv6 [ route-distinguisher route-distinguisher ] as-path-acl as-path-acl-number
Display BGP VPNv6 routes matching the specified BGP community list.	display bgp routing-table vpnv6 [ route-distinguisher route-distinguisher ] community-list { { basic-community-list-number \| comm-list-name } [ whole-match ] \| adv-community-list-number }
Display BGP VPNv6 routes advertised to or received from the specified BGP peer.	display bgp routing-table vpnv6 peer ip-address { advertised-routes \| received-routes } [ network-address prefix-length \| statistics ]
Display incoming labels for all BGP VPNv6 routes.	display bgp routing-table vpnv6 inlabel
Display outgoing labels for all BGP VPNv6 routes.	display bgp routing-table vpnv6 outlabel
Display BGP VPNv6 route statistics.	display bgp routing-table vpnv6 statistics
Display BGP VPNv6 address family update group information.	display bgp update-group vpnv6 [ ip-address ]
Display OSPFv3 sham link information.	display ospfv3 [ process-id ] [ area area-id ] sham-link [ verbose ]

For more information about the display ipv6 routing-table, display bgp group vpnv6, display bgp peer vpnv6, and display bgp update-group vpnv6 commands, see Layer 3—IP Routing Command Reference.

IPv6 MPLS L3VPN configuration examples

By default, Ethernet, VLAN, and aggregate interfaces are shut down. You must use the undo shutdown command to bring them up. These examples assume that all these interfaces are already up.

Configuring IPv6 MPLS L3VPNs

Network requirements

CE 1 and CE 3 belong to VPN 1. CE 2 and CE 4 belong to VPN 2.

VPN 1 uses route target attributes 111:1. VPN 2 uses route target attributes 222:2. Users of different VPNs cannot access each other.

Run EBGP between CE and PE switches to exchange VPN routing information.

PEs use OSPF to communicate with each other and use MP-IBGP to exchange VPN routing information.

Figure 34 Network diagram

Table 11 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Vlan-int11	2001:1::1/96	P	Loop0	2.2.2.9/32
PE 1	Loop0	1.1.1.9/32		Vlan-int12	172.2.1.1/24
	Vlan-int11	2001:1::2/96		Vlan-int13	172.1.1.2/24
	Vlan-int13	172.1.1.1/24	PE 2	Loop0	3.3.3.9/32
	Vlan-int12	2001:2::2/96		Vlan-int12	172.2.1.2/24
CE 2	Vlan-int12	2001:2::1/96		Vlan-int11	2001:3::2/96
CE 3	Vlan-int11	2001:3::1/96		Vlan-int13	2001:4::2/96
CE 4	Vlan-int13	2001:4::1/96

Configuration procedure

1. Configure OSPF on the MPLS backbone to ensure IP connectivity among the PEs and the P switch:

# Configure PE 1.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 1.1.1.9 32

[PE1-LoopBack0] quit

[PE1] interface vlan-interface 13

[PE1-Vlan-interface13] ip address 172.1.1.1 24

[PE1- Vlan-interface13] quit

[PE1] ospf

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

# Configure the P switch.

<P> system-view

[P] interface loopback 0

[P-LoopBack0] ip address 2.2.2.9 32

[P-LoopBack0] quit

[P] interface vlan-interface 13

[P-Vlan-interface13] ip address 172.1.1.2 24

[P- Vlan-interface13] quit

[P] interface vlan-interface 12

[P-Vlan-interface12] ip address 172.2.1.1 24

[P-Vlan-interface12] quit

[P] ospf

[P-ospf-1] area 0

[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[P-ospf-1-area-0.0.0.0] quit

[P-ospf-1] quit

# Configure PE 2.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 3.3.3.9 32

[PE2-LoopBack0] quit

[PE2] interface vlan-interface 12

[PE2-Vlan-interface12] ip address 172.2.1.2 24

[PE2-Vlan-interface12] quit

[PE2] ospf

[PE2-ospf-1] area 0

[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

# On PE 1, verify that the PEs have learned the routes to the loopback interfaces of each other.

[PE1] display ip routing-table

display ip routing-table protocol ospf

Summary Count : 5

OSPF Routing table Status : <Active>

Summary Count : 3

Destination/Mask Proto Pre Cost NextHop Interface

2.2.2.9/32 OSPF 10 1 172.1.1.2 Vlan13

3.3.3.9/32 OSPF 10 2 172.1.1.2 Vlan13

172.2.1.0/24 OSPF 10 2 172.1.1.2 Vlan13

OSPF Routing table Status : <Inactive>

Summary Count : 2

Destination/Mask Proto Pre Cost NextHop Interface

1.1.1.9/32 OSPF 10 0 1.1.1.9 Loop0

172.1.1.0/24 OSPF 10 1 172.1.1.1 Vlan13

# On PE 1, verify that that OSPF adjacencies in Full state have been established between PE 1, P, and PE 2.

[PE1] display ospf peer verbose

OSPF Process 1 with Router ID 1.1.1.9

Neighbors

Area 0.0.0.0 interface 172.1.1.1(Vlan-interface13)'s neighbors

Router ID: 2.2.2.9 Address: 172.1.1.2 GR State: Normal

State: Full Mode: Nbr is Master Priority: 1

DR: 172.1.1.2 BDR: 172.1.1.1 MTU: 0

Options is 0x02 (-|-|-|-|-|-|E|-)

Dead timer due in 39 sec

Neighbor is up for 00:00:29

Authentication Sequence: [ 0 ]

Neighbor state change count: 6

2. Configure basic MPLS and enable MPLS LDP on the MPLS backbone to establish LDP LSPs:

# Configure PE 1.

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] interface vlan-interface 13

[PE1-Vlan-interface13] mpls enable

[PE1-Vlan-interface13] mpls ldp enable

[PE1-Vlan-interface13] quit

# Configure the P switch.

[P] mpls lsr-id 2.2.2.9

[P] mpls ldp

[P-ldp] quit

[P] interface vlan-interface 13

[P-Vlan-interface13] mpls enable

[P-Vlan-interface13] mpls ldp enable

[P-Vlan-interface13] quit

[P] interface vlan-interface 12

[P-Vlan-interface12] mpls enable

[P-Vlan0interface12] mpls ldp enable

[P-Vlan-interface12] quit

# Configure PE 2.

[PE2] mpls lsr-id 3.3.3.9

[PE2] mpls ldp

[PE2-ldp] quit

[PE2] interface vlan-interface 12

[PE2-Vlan-interface12] mpls enable

[PE2-Vlan-interface12] mpls ldp enable

[PE2-Vlan-interface12] quit

# On PE 1, verify that LDP sessions in Operational state have been established between PE 1, P, and PE 2.

[PE1] display mpls ldp peer

Total number of peers: 1

Peer LDP ID State LAM Role GR MD5 KA Sent/Rcvd

2.2.2.9:0 Operational DU Passive Off Off 5/5

# On PE 1, verify that the LSPs have been established by LDP.

[PE1] display mpls ldp lsp

Status codes: * - stale, L - liberal

Statistics:

FECs: 3 Ingress LSPs: 2 Transit LSPs: 2 Egress LSPs: 1

FEC In/Out Label Nexthop OutInterface

1.1.1.9/32 3/-

-/1151(L)

2.2.2.9/32 -/3 172.1.1.2 Vlan-interface13

1151/3 172.1.1.2 Vlan-interface13

3.3.3.9/32 -/1150 172.1.1.2 Vlan-interface13

1150/1150 172.1.1.2 Vlan-interface13

3. Configure VPN instances on the PEs:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 111:1

[PE1-vpn-instance-vpn1] quit

[PE1] ip vpn-instance vpn2

[PE1-vpn-instance-vpn2] route-distinguisher 100:2

[PE1-vpn-instance-vpn2] vpn-target 222:2

[PE1-vpn-instance-vpn2] quit

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] ip binding vpn-instance vpn1

[PE1-Vlan-interface11] ipv6 address 2001:1::2 96

[PE1-Vlan-interface11] quit

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip binding vpn-instance vpn2

[PE1-Vlan-interface12] ipv6 address 2001:2::2 96

[PE1-Vlan-interface12] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 200:1

[PE2-vpn-instance-vpn1] vpn-target 111:1

[PE2-vpn-instance-vpn1] quit

[PE2] ip vpn-instance vpn2

[PE2-vpn-instance-vpn2] route-distinguisher 200:2

[PE2-vpn-instance-vpn2] vpn-target 222:2

[PE2-vpn-instance-vpn2] quit

[PE2] interface vlan-interface 11

[PE2-Vlan-interface11] ip binding vpn-instance vpn1

[PE2-Vlan-interface11] ipv6 address 2001:3::2 96

[PE2-Vlan-interface11] quit

[PE2] interface vlan-interface 13

[PE2-Vlan-interface13] ip binding vpn-instance vpn2

[PE2-Vlan-interface13] ipv6 address 2001:4::2 96

[PE2-Vlan-interface13] quit

# Configure IP addresses for the CEs according to Figure 34. (Details not shown.)

# Execute the display ip vpn-instance command on the PEs to display information about the VPN instances, for example, on PE 1.

[PE1] display ip vpn-instance

Total VPN-Instances configured : 2

VPN-Instance Name RD Create time

vpn1 100:1 2012/02/13 12:49:08

vpn2 100:2 2012/02/13 12:49:20

# Use the ping command on the PEs to verify that the PEs can ping their attached CEs, for example, on PE 1.

[PE1] ping ipv6 -vpn-instance vpn1 2001:1::1

Ping6(56 bytes) 2001:1::2 --> 2001:1::1, press CTRL_C to break

56 bytes from 2001:1::1, icmp_seq=0 hlim=64 time=9.000 ms

56 bytes from 2001:1::1, icmp_seq=1 hlim=64 time=1.000 ms

56 bytes from 2001:1::1, icmp_seq=2 hlim=64 time=0.000 ms

56 bytes from 2001:1::1, icmp_seq=3 hlim=64 time=0.000 ms

56 bytes from 2001:1::1, icmp_seq=4 hlim=64 time=0.000 ms

--- Ping6 statistics for 2001:1::1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/2.000/9.000/3.521 ms

4. Establish EBGP peer relationships between the PEs and CEs to exchange VPN routes:

# Configure CE 1.

<CE1> system-view

[CE1] bgp 65410

[CE1-bgp] peer 2001:1::2 as-number 100

[CE1-bgp] address-family ipv6 unicast

[CE1-bgp-ipv6] peer 2001:1::2 enable

[CE1-bgp-ipv6] import-route direct

[CE1-bgp-ipv6] quit

[CE1-bgp] quit

# Configure the other three CEs (CE 2 through CE 4) in the same way that CE 1 is configured. (Details not shown.)

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] peer 2001:1::1 as-number 65410

[PE1-bgp-vpn1] address-family ipv6 unicast

[PE1-bgp-ipv6-vpn1] peer 2001:1::1 enable

[PE1-bgp-ipv6-vpn1] import-route direct

[PE1-bgp-ipv6-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] ip vpn-instance vpn2

[PE1-bgp-vpn2] peer 2001:2::1 as-number 65420

[PE1-bgp-vpn2] address-family ipv6 unicast

[PE1-bgp-ipv6-vpn2] peer 2001:2::1 enable

[PE1-bgp-ipv6-vpn2] import-route direct

[PE1-bgp-ipv6-vpn2] quit

[PE1-bgp-vpn2] quit

[PE1-bgp] quit

# Configure PE 2 in the same way that PE 1 is configured. (Details not shown.)

# Execute the display bgp peer ipv6 vpn-instance command on the PEs to verify that a BGP peer relationship in Established state has been established between a PE and a CE. (Details not shown.)

5. Configure an MP-IBGP peer relationship between the PEs:

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] peer 3.3.3.9 as-number 100

[PE1-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE1-bgp] address-family vpnv6

[PE1-bgp-af-vpnv6] peer 3.3.3.9 enable

[PE1-bgp-af-vpnv6] quit

[PE1-bgp] quit

# Configure PE 2.

[PE2] bgp 100

[PE2-bgp] peer 1.1.1.9 as-number 100

[PE2-bgp] peer 1.1.1.9 connect-interface loopback 0

[PE2-bgp] address-family vpnv6

[PE2-bgp-af-vpnv6] peer 1.1.1.9 enable

[PE2-bgp-af-vpnv6] quit

[PE2-bgp] quit

# Execute the display bgp peer vpnv6 command on the PEs to verify that a BGP peer relationship in Established state has been established between the PEs. (Details not shown.)

Verifying the configuration

# Execute the display ipv6 routing-table vpn-instance command on the PEs.

[PE1] display ipv6 routing-table vpn-instance vpn1

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:1::/96 Protocol : Direct

NextHop : :: Preference: 0

Interface : Vlan11 Cost : 0

Destination: 2001:1::2/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:3::/96 Protocol : BGP4+

NextHop : ::FFFF:3.3.3.9 Preference: 255

Interface : Vlan13 Cost : 0

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

[PE1] display ipv6 routing-table vpn-instance vpn2

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:2::/96 Protocol : Direct

NextHop : :: Preference: 0

Interface : Vlan12 Cost : 0

Destination: 2001:2::2/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:4::/96 Protocol : BGP4+

NextHop : ::FFFF:3.3.3.9 Preference: 255

Interface : Vlan13 Cost : 0

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

The output shows that PE 1 has routes to the remote CEs. Output on PE 2 is similar.

# Verify that CEs of the same VPN can ping each other, and CEs of different VPNs cannot ping each other. For example, CE 1 can ping CE 3 (2001:3::1), but cannot ping CE 4 (2001:4::1). (Details not shown.)

Configuring IPv6 MPLS L3VPN inter-AS option A

Network requirements

CE 1 and CE 2 belong to the same VPN. CE 1 accesses the network through PE 1 in AS 100, and CE 2 accesses the network through PE 2 in AS 200.

Configure IPv6 MPLS L3VPN inter-AS option A, and use the VRF-to-VRF method to manage VPN routes.

Run OSPF on the MPLS backbone of each AS.

Figure 35 Network diagram

Table 12 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Vlan-int12	2001:1::1/96	CE 2	Vlan-int12	2001:2::1/96
PE 1	Loop0	1.1.1.9/32	PE 2	Loop0	4.4.4.9/32
	Vlan-int12	2001:1::2/96		Vlan-int12	2001:2::2/96
	Vlan-int11	172.1.1.2/24		Vlan-int11	162.1.1.2/24
ASBR-PE 1	Loop0	2.2.2.9/32	ASBR-PE 2	Loop0	3.3.3.9/32
	Vlan-int11	172.1.1.1/24		Vlan-int11	162.1.1.1/24
	Vlan-int12	2002:1::1/96		Vlan-int12	2002:1::2/96

Configuration procedure

1. Configure an IGP on each MPLS backbone to ensure IP connectivity within the backbone:

This example uses OSPF. (Details not shown.)

# Execute the display ospf peer command to verify that each ASBR-PE has established an OSPF adjacency in Full state with the PE in the same AS, and that the PEs and ASBR-PEs in the same AS have learned the routes to the loopback interfaces of each other. Verify that each ASBR-PE and the PE in the same AS can ping each other. (Details not shown.)

2. Configure basic MPLS and enable MPLS LDP on each MPLS backbone to establish LDP LSPs:

# Configure basic MPLS on PE 1 and enable MPLS LDP for the interface connected to ASBR-PE 1.

<PE1> system-view

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] mpls enable

[PE1-Vlan-interface11] mpls ldp enable

[PE1-Vlan-interface11] quit

# Configure basic MPLS on ASBR-PE 1 and enable MPLS LDP for the interface connected to PE 1.

<ASBR-PE1> system-view

[ASBR-PE1] mpls lsr-id 2.2.2.9

[ASBR-PE1] mpls ldp

[ASBR-PE1-ldp] quit

[ASBR-PE1] interface vlan-interface 11

[ASBR-PE1-Vlan-interface11] mpls enable

[ASBR-PE1-Vlan-interface11] mpls ldp enable

[ASBR-PE1-Vlan-interface11] quit

# Configure basic MPLS on ASBR-PE 2 and enable MPLS LDP for the interface connected to PE 2.

<ASBR-PE2> system-view

[ASBR-PE2] mpls lsr-id 3.3.3.9

[ASBR-PE2] mpls ldp

[ASBR-PE2-ldp] quit

[ASBR-PE2] interface vlan-interface 11

[ASBR-PE2-Vlan-interface11] mpls enable

[ASBR-PE2-Vlan-interface11] mpls ldp enable

[ASBR-PE2-Vlan-interface11] quit

# Configure basic MPLS on PE 2 and enable MPLS LDP for the interface connected to ASBR-PE 2.

<PE2> system-view

[PE2] mpls lsr-id 4.4.4.9

[PE2] mpls ldp

[PE2-ldp] quit

[PE2] interface vlan-interface 11

[PE2-Vlan-interface11] mpls enable

[PE2-Vlan-interface11] mpls ldp enable

[PE2-Vlan-interface11] quit

# Each PE and the ASBR-PE in the same AS can establish an LDP neighbor relationship. Execute the display mpls ldp peer command on the switches to verify that the session status is Operational. (Details not shown.)

3. Configure a VPN instance on the PEs:

For the same VPN, the route targets for the VPN instance on the PE must match those for the VPN instance of the ASBR-PE in the same AS. This is not required for PEs in different ASs.

# Configure CE 1.

<CE1> system-view

[CE1] interface vlan-interface 12

[CE1-Vlan-interface12] ipv6 address 2001:1::1 96

[CE1-Vlan-interface12] quit

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 100:1 both

[PE1-vpn-instance-vpn1] quit

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip binding vpn-instance vpn1

[PE1-Vlan-interface12] ipv6 address 2001:1::2 96

[PE1-Vlan-interface12] quit

# Configure CE 2.

<CE2> system-view

[CE2] interface vlan-interface 12

[CE2-Vlan-interface12] ipv6 address 2001:2::1 96

[CE2-Vlan-interface12] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance] route-distinguisher 200:2

[PE2-vpn-instance] vpn-target 100:1 both

[PE2-vpn-instance] quit

[PE2] interface vlan-interface 12

[PE2-Vlan-interface12] ip binding vpn-instance vpn1

[PE2-Vlan-interface12] ipv6 address 2001:2::2 96

[PE2-Vlan-interface12] quit

# On ASBR-PE 1, create a VPN instance and bind the VPN instance to the interface connected to ASBR-PE 2. ASBR-PE 1 considers ASBR-PE 2 to be its attached CE.

[ASBR-PE1] ip vpn-instance vpn1

[ASBR-PE1-vpn-instance-vpn1] route-distinguisher 100:1

[ASBR-PE1-vpn-instance-vpn1] vpn-target 100:1 both

[ASBR-PE1-vpn-instance-vpn1] quit

[ASBR-PE1] interface vlan-interface 12

[ASBR-PE1-Vlan-interface12] ip binding vpn-instance vpn1

[ASBR-PE1-Vlan-interface12] ipv6 address 2002:1::1 96

[ASBR-PE1-Vlan-interface12] quit

# On ASBR-PE 2, create a VPN instance and bind the VPN instance to the interface connected to ASBR-PE 1. ASBR-PE 2 considers ASBR-PE 1 to be its attached CE.

[ASBR-PE2] ip vpn-instance vpn1

[ASBR-PE2-vpn-vpn-vpn1] route-distinguisher 200:1

[ASBR-PE2-vpn-vpn-vpn1] vpn-target 100:1 both

[ASBR-PE2-vpn-vpn-vpn1] quit

[ASBR-PE2] interface vlan-interface 12

[ASBR-PE2-Vlan-interface12] ip binding vpn-instance vpn1

[ASBR-PE2-Vlan-interface12] ipv6 address 2002:1::2 96

[ASBR-PE2-Vlan-interface12] quit

# Execute the display ip vpn-instance command to display VPN instance configurations. Verify that each PE can ping its attached CE, and ASBR-PE 1 and ASBR-PE 2 can ping each other. (Details not shown.)

4. Establish an EBGP peer relationship between PE and CE switches, and redistribute VPN routes into BGP:

# Configure CE 1.

[CE1] bgp 65001

[CE1-bgp] peer 2001:1::2 as-number 100

[CE1-bgp] address-family ipv6 unicast

[CE1-bgp-ipv6] peer 2001:1::2 enable

[CE1-bgp-ipv6] import-route direct

[CE1-bgp-ipv6] quit

[CE1-bgp] quit

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] peer 2001:1::1 as-number 65001

[PE1-bgp-vpn1] address-family ipv6 unicast

[PE1-bgp-ipv6-vpn1] peer 2001:1::1 enable

[PE1-bgp-ipv6-vpn1] import-route direct

[PE1-bgp-ipv6-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Configure CE 2.

[CE2] bgp 65002

[CE2-bgp] peer 2001:2::2 as-number 200

[CE2-bgp] address-family ipv6

[CE2-bgp-ipv6] peer 2001:2::2 enable

[CE2-bgp-ipv6] import-route direct

[CE2-bgp-ipv6] quit

[CE2-bgp] quit

# Configure PE 2.

[PE2] bgp 200

[PE2-bgp] ip vpn-instance vpn1

[PE2-bgp-vpn1] peer 2001:2::1 as-number 65002

[PE2-bgp-vpn1] address-family ipv6 unicast

[PE2-bgp-ipv6-vpn1] peer 2001:2::1 enable

[PE2-bgp-ipv6-vpn1] import-route direct

[PE2-bgp-ipv6-vpn1] quit

[PE2-bgp-vpn1] quit

[PE2-bgp] quit

5. Establish an IBGP peer relationship between each PE and the ASBR-PE in the same AS, and an EBGP peer relationship between the ASBR-PEs:

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] peer 2.2.2.9 as-number 100

[PE1-bgp] peer 2.2.2.9 connect-interface loopback 0

[PE1-bgp] address-family vpnv6

[PE1-bgp-vpnv6] peer 2.2.2.9 enable

[PE1-bgp-vpnv6] quit

[PE1-bgp] quit

# Configure ASBR-PE 1.

[ASBR-PE1] bgp 100

[ASBR-PE1-bgp] ip vpn-instance vpn1

[ASBR-PE1-bgp-vpn1] peer 2002:1::2 as-number 200

[ASBR-PE1-bgp-vpn1] address-family ipv6 unicast

[ASBR-PE1-bgp-ipv6-vpn1] peer 2002:1::2 enable

[ASBR-PE1-bgp-ipv6-vpn1] quit

[ASBR-PE1-bgp-vpn1] quit

[ASBR-PE1-bgp] peer 1.1.1.9 as-number 100

[ASBR-PE1-bgp] peer 1.1.1.9 connect-interface loopback 0

[ASBR-PE1-bgp] address-family vpnv6

[ASBR-PE1-bgp-vpnv6] peer 1.1.1.9 enable

[ASBR-PE1-bgp-vpnv6] quit

[ASBR-PE1-bgp] quit

# Configure ASBR-PE 2.

[ASBR-PE2] bgp 200

[ASBR-PE2-bgp] ip vpn-instance vpn1

[ASBR-PE2-bgp-vpn1] peer 2002:1::1 as-number 100

[ASBR-PE2-bgp-vpn1] address-family ipv6 unicast

[ASBR-PE2-bgp-ipv6-vpn1] peer 2002:1::1 enable

[ASBR-PE2-bgp-ipv6-vpn1] quit

[ASBR-PE2-bgp-vpn1] quit

[ASBR-PE2-bgp] peer 4.4.4.9 as-number 200

[ASBR-PE2-bgp] peer 4.4.4.9 connect-interface loopback 0

[ASBR-PE2-bgp] address-family vpnv6

[ASBR-PE2-bgp-vpnv6] peer 4.4.4.9 enable

[ASBR-PE2-bgp-vpnv6] quit

[ASBR-PE2-bgp] quit

# Configure PE 2.

[PE2] bgp 200

[PE2-bgp] peer 3.3.3.9 as-number 200

[PE2-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE2-bgp] address-family vpnv6

[PE2-bgp-vpnv6] peer 3.3.3.9 enable

[PE2-bgp-vpnv6] quit

[PE2-bgp] quit

Verifying the configuration

# Verify that the CEs can learn the route to each other and can ping each other. (Details not shown.)

Configuring IPv6 MPLS L3VPN inter-AS option C

Network requirements

Site 1 and Site 2 belong to the same VPN. Site 1 accesses the network through PE 1 in AS 100. Site 2 accesses the network through PE 2 in AS 600. PEs in the same AS run IS-IS.

PE 1 and ASBR-PE 1 exchange labeled IPv4 routes by MP-IBGP. PE 2 and ASBR-PE 2 exchange labeled IPv4 routes by IBGP. PE 1 and PE 2 use EBGP to exchange VPNv6 routes.

ASBR-PE 1 and ASBR-PE 2 use their respective routing policies and label the routes received from each other.

ASBR-PE 1 and ASBR-PE 2 use EBGP to exchange labeled IPv4 routes.

Figure 36 Network diagram

Table 13 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
PE 1	Loop0	2.2.2.9/32	PE 2	Loop0	5.5.5.9/32
	Loop1	2001:1::1/128		Loop1	2001:1::2/128
	Vlan-int11	1.1.1.2/8		Vlan-int11	9.1.1.2/8
ASBR-PE 1	Loop0	3.3.3.9/32	ASBR-PE 2	Loop0	4.4.4.9/32
	Vlan-int11	1.1.1.1/8		Vlan-int11	9.1.1.1/8
	Vlan-int12	11.0.0.2/8		Vlan-int12	11.0.0.1/8

Configuration procedure

1. Configure PE 1:

# Run IS-IS on PE 1.

<PE1> system-view

[PE1] isis 1

[PE1-isis-1] network-entity 10.111.111.111.111.00

[PE1-isis-1] quit

# Configure an LSR ID, and enable MPLS and LDP.

[PE1] mpls lsr-id 2.2.2.9

[PE1] mpls ldp

[PE1-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] ip address 1.1.1.2 255.0.0.0

[PE1-Vlan-interface11] isis enable 1

[PE1-Vlan-interface11] mpls enable

[PE1-Vlan-interface11] mpls ldp enable

[PE1-Vlan-interface11] quit

# Configure interface Loopback 0 and start IS-IS on it.

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 2.2.2.9 32

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

# Create VPN instance vpn1, and configure the RD and route target attributes for it.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 11:11

[PE1-vpn-instance-vpn1] vpn-target 3:3 import-extcommunity

[PE1-vpn-instance-vpn1] vpn-target 3:3 export-extcommunity

[PE1-vpn-instance-vpn1] quit

# Configure interface Loopback 1 and bind the interface to VPN instance vpn1.

[PE1] interface loopback 1

[PE1-LoopBack1] ip binding vpn-instance vpn1

[PE1-LoopBack1] ipv6 address 2001:1::1 128

[PE1-LoopBack1] quit

# Start BGP.

[PE1] bgp 100

# Enable the capability to advertise labeled routes to and receive labeled routes from the IBGP peer 3.3.3.9.

[PE1-bgp] peer 3.3.3.9 as-number 100

[PE1-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE1-bgp] address-family ipv4 unicast

[PE1-bgp-ipv4] peer 3.3.3.9 enable

[PE1-bgp-ipv4] peer 3.3.3.9 label-route-capability

[PE1-bgp-ipv4] quit

# Configure the maximum hop count from PE 1 to EBGP peer 5.5.5.9 as 10.

[PE1-bgp] peer 5.5.5.9 as-number 600

[PE1-bgp] peer 5.5.5.9 connect-interface loopback 0

[PE1-bgp] peer 5.5.5.9 ebgp-max-hop 10

# Configure peer 5.5.5.9 as a VPNv6 peer.

[PE1-bgp] address-family vpnv6

[PE1-bgp-vpnv6] peer 5.5.5.9 enable

[PE1-bgp-vpnv6] quit

# Redistribute direct routes to the routing table of vpn1.

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] address-family ipv6 unicast

[PE1-bgp-ipv6-vpn1] import-route direct

[PE1-bgp-ipv6-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

2. Configure ASBR-PE 1:

# Start IS-IS on ASBR-PE 1.

<ASBR-PE1> system-view

[ASBR-PE1] isis 1

[ASBR-PE1-isis-1] network-entity 10.222.222.222.222.00

[ASBR-PE1-isis-1] quit

# Configure an LSR ID, and enable MPLS and LDP.

[ASBR-PE1] mpls lsr-id 3.3.3.9

[ASBR-PE1] mpls ldp

[ASBR-PE1-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[ASBR-PE1] interface vlan-interface 11

[ASBR-PE1-Vlan-interface11] ip address 1.1.1.1 255.0.0.0

[ASBR-PE1-Vlan-interface11] isis enable 1

[ASBR-PE1-Vlan-interface11] mpls enable

[ASBR-PE1-Vlan-interface11] mpls ldp enable

[ASBR-PE1-Vlan-interface11] quit

# Configure interface VLAN-interface 12 and enable MPLS on it.

[ASBR-PE1] interface vlan-interface 12

[ASBR-PE1-Vlan-interface12] ip address 11.0.0.2 255.0.0.0

[ASBR-PE1-Vlan-interface12] mpls enable

[ASBR-PE1-Vlan-interface12] quit

# Configure interface Loopback 0 and start IS-IS on it.

[ASBR-PE1] interface loopback 0

[ASBR-PE1-LoopBack0] ip address 3.3.3.9 32

[ASBR-PE1-LoopBack0] isis enable 1

[ASBR-PE1-LoopBack0] quit

# Create routing policies.

[ASBR-PE1] route-policy policy1 permit node 1

[ASBR-PE1-route-policy-policy1-1] apply mpls-label

[ASBR-PE1-route-policy-policy1-1] quit

[ASBR-PE1] route-policy policy2 permit node 1

[ASBR-PE1-route-policy-policy2-1] if-match mpls-label

[ASBR-PE1-route-policy-policy2-1] apply mpls-label

[ASBR-PE1-route-policy-policy2-1] quit

# Start BGP on ASBR-PE 1 and apply routing policy policy2 to routes advertised to IBGP peer 2.2.2.9

[ASBR-PE1] bgp 100

[ASBR-PE1-bgp] peer 2.2.2.9 as-number 100

[ASBR-PE1-bgp] peer 2.2.2.9 connect-interface loopback 0

[ASBR-PE1-bgp] address-family ipv4 unicast

[ASBR-PE1-bgp-ipv4] peer 2.2.2.9 enable

[ASBR-PE1-bgp-ipv4] peer 2.2.2.9 route-policy policy2 export

# Enable the capability to advertise labeled routes to and receive labeled routes from IBGP peer 2.2.2.9.

[ASBR-PE1-bgp-ipv4] peer 2.2.2.9 label-route-capability

# Redistribute routes from IS-IS process 1.

[ASBR-PE1-bgp-ipv4] import-route isis 1

[ASBR-PE1-bgp-ipv4] quit

# Apply routing policy policy1 to routes advertised to EBGP peer 11.0.0.1.

[ASBR-PE1-bgp] peer 11.0.0.1 as-number 600

[ASBR-PE1-bgp] address-family ipv4 unicast

[ASBR-PE1-bgp-ipv4] peer 11.0.0.1 enable

[ASBR-PE1-bgp-ipv4] peer 11.0.0.1 route-policy policy1 export

# Enable the capability to advertise labeled routes to and receive labeled routes from EBGP peer 11.0.0.1.

[ASBR-PE1-bgp-ipv4] peer 11.0.0.1 label-route-capability

[ASBR-PE1-bgp-ipv4] quit

[ASBR-PE1-bgp] quit

3. Configure ASBR-PE 2:

# Start IS-IS on ASBR-PE 2.

<ASBR-PE2> system-view

[ASBR-PE2] isis 1

[ASBR-PE2-isis-1] network-entity 10.333.333.333.333.00

[ASBR-PE2-isis-1] quit

# Configure an LSR ID, and enable MPLS and LDP.

[ASBR-PE2] mpls lsr-id 4.4.4.9

[ASBR-PE2] mpls ldp

[ASBR-PE2-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[ASBR-PE2] interface vlan-interface 11

[ASBR-PE2-Vlan-interface11] ip address 9.1.1.1 255.0.0.0

[ASBR-PE2-Vlan-interface11] isis enable 1

[ASBR-PE2-Vlan-interface11] mpls enable

[ASBR-PE2-Vlan-interface11] mpls ldp enable

[ASBR-PE2-Vlan-interface11] quit

# Configure interface Loopback 0 and start IS-IS on it.

[ASBR-PE2] interface loopback 0

[ASBR-PE2-LoopBack0] ip address 4.4.4.9 32

[ASBR-PE2-LoopBack0] isis enable 1

[ASBR-PE2-LoopBack0] quit

# Configure interface VLAN-interface 12 and enable MPLS on it.

[ASBR-PE2] interface vlan-interface 12

[ASBR-PE2-Vlan-interface12] ip address 11.0.0.1 255.0.0.0

[ASBR-PE2-Vlan-interface12] mpls enable

[ASBR-PE2-Vlan-interface12] quit

# Create routing policies.

[ASBR-PE2] route-policy policy1 permit node 1

[ASBR-PE2-route-policy-policy1-1] apply mpls-label

[ASBR-PE2-route-policy-policy1-1] quit

[ASBR-PE2] route-policy policy2 permit node 1

[ASBR-PE2-route-policy-policy2-1] if-match mpls-label

[ASBR-PE2-route-policy-policy2-1] apply mpls-label

[ASBR-PE2-route-policy-policy2-1] quit

# Start BGP on ASBR-PE 2, and enable the capability to advertise labeled routes to and receive labeled routes from IBGP peer 5.5.5.9.

[ASBR-PE2] bgp 600

[ASBR-PE2-bgp] peer 5.5.5.9 as-number 600

[ASBR-PE2-bgp] peer 5.5.5.9 connect-interface loopback 0

[ASBR-PE2-bgp] address-family ipv4 unicast

[ASBR-PE2-bgp-ipv4] peer 5.5.5.9 enable

[ASBR-PE2-bgp-ipv4] peer 5.5.5.9 label-route-capability

# Apply routing policy policy2 to routes advertised to IBGP peer 5.5.5.9.

[ASBR-PE2-bgp-ipv4] peer 5.5.5.9 route-policy policy2 export

# Redistribute routes from IS-IS process 1

[ASBR-PE2-bgp-ipv4] import-route isis 1

[ASBR-PE2-bgp-ipv4] quit

# Apply routing policy policy1 to routes advertised to EBGP peer 11.0.0.2.

[ASBR-PE2-bgp] peer 11.0.0.2 as-number 100

[ASBR-PE2-bgp] address-family ipv4 unicast

[ASBR-PE2-bgp-ipv4] peer 11.0.0.2 enable

[ASBR-PE2-bgp-ipv4] peer 11.0.0.2 route-policy policy1 export

# Enable the capability to advertise labeled routes to and receive labeled routes from EBGP peer 11.0.0.2.

[ASBR-PE2-bgp-ipv4] peer 11.0.0.2 label-route-capability

[ASBR-PE2-bgp-ipv4] quit

[ASBR-PE2-bgp] quit

4. Configure PE 2:

# Start IS-IS on PE 2.

<PE2> system-view

[PE2] isis 1

[PE2-isis-1] network-entity 10.444.444.444.444.00

[PE2-isis-1] quit

# Configure an LSR ID, and enable MPLS and LDP.

[PE2] mpls lsr-id 5.5.5.9

[PE2] mpls ldp

[PE2-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[PE2] interface vlan-interface 11

[PE2-Vlan-interface11] ip address 9.1.1.2 255.0.0.0

[PE2-Vlan-interface11] isis enable 1

[PE2-Vlan-interface11] mpls enable

[PE2-Vlan-interface11] mpls ldp enable

[PE2-Vlan-interface11] quit

# Configure interface Loopback 0 and start IS-IS on it.

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 5.5.5.9 32

[PE2-LoopBack0] isis enable 1

[PE2-LoopBack0] quit

# Create VPN instance vpn1, and configure the RD and route target attributes for it.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 11:11

[PE2-vpn-instance-vpn1] vpn-target 3:3 import-extcommunity

[PE2-vpn-instance-vpn1] vpn-target 3:3 export-extcommunity

[PE2-vpn-instance-vpn1] quit

# Configure interface Loopback 1 and bind the interface to VPN instance vpn1.

[PE2] interface loopback 1

[PE2-LoopBack1] ip binding vpn-instance vpn1

[PE2-LoopBack1] ipv6 address 2001:1::2 128

[PE2-LoopBack1] quit

# Start BGP on PE 2.

[PE2] bgp 600

# Configure the capability to advertise labeled routes to IBGP peer 4.4.4.9 and to receive labeled routes from the peer.

[PE2-bgp] peer 4.4.4.9 as-number 600

[PE2-bgp] peer 4.4.4.9 connect-interface loopback 0

[PE2-bgp] address-family ipv4 unicast

[PE2-bgp-ipv4] peer 4.4.4.9 enable

[PE2-bgp-ipv4] peer 4.4.4.9 label-route-capability

[PE2-bgp-ipv4] quit

# Configure the maximum hop count from PE 2 to EBGP peer 2.2.2.9 as 10.

[PE2-bgp] peer 2.2.2.9 as-number 100

[PE2-bgp] peer 2.2.2.9 connect-interface loopback 0

[PE2-bgp] peer 2.2.2.9 ebgp-max-hop 10

# Configure peer 2.2.2.9 as a VPNv6 peer.

[PE2-bgp] address-family vpnv6

[PE2-bgp-vpnv6] peer 2.2.2.9 enable

[PE2-bgp-vpnv6] quit

# Redistribute direct routes to the routing table of vpn1.

[PE2-bgp] ip vpn-instance vpn1

[PE2-bgp-vpn1] address-family ipv6 unicast

[PE2-bgp-ipv6-vpn1] import-route direct

[PE2-bgp-ipv6-vpn1] quit

[PE2-bgp-vpn1] quit

[PE2-bgp] quit

Verifying the configuration

# Verify that PE 1 and PE 2 can ping each other.

[PE1] ping ipv6 -a 2001:1::1 -vpn-instance vpn1 2001:1::2

Ping6(56 bytes) 2001:1::1 --> 2001:1::2, press CTRL_C to break

56 bytes from 2001:1::2, icmp_seq=0 hlim=64 time=1.000 ms

56 bytes from 2001:1::2, icmp_seq=1 hlim=64 time=0.000 ms

56 bytes from 2001:1::2, icmp_seq=2 hlim=64 time=0.000 ms

56 bytes from 2001:1::2, icmp_seq=3 hlim=64 time=0.000 ms

56 bytes from 2001:1::2, icmp_seq=4 hlim=64 time=0.000 ms

--- Ping6 statistics for 2001:1::2 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms

Configuring IPv6 MPLS L3VPN carrier's carrier

Network requirements

Configure carrier's carrier for the scenario shown in Figure 37. In this scenario:

· PE 1 and PE 2 are the provider carrier's PE switches. They provide VPN services for the customer carrier.

· CE 1 and CE 2 are the customer carrier's switches. They connect to the provider carrier's backbone as CE switches.

· PE 3 and PE 4 are the customer carrier's PE switches. They provide IPv6 MPLS L3VPN services for end customers.

· CE 3 and CE 4 are customers of the customer carrier.

The key to the carrier's carrier deployment is to configure exchange of two kinds of routes:

· Exchange of the customer carrier's internal routes on the provider carrier's backbone.

· Exchange of the end customers' internal routes between PE 3 and PE 4, the PEs of the customer carrier. An MP-IBGP peer relationship must be established between PE 3 and PE 4.

Figure 37 Network diagram

Configuration procedure

1. Configure MPLS L3VPN on the provider carrier backbone. Start IS-IS as the IGP, enable LDP on PE 1 and PE 2, and establish an MP-IBGP peer relationship between the PEs:

# Configure PE 1.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 3.3.3.9 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 3.3.3.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] isis 1

[PE1-isis-1] network-entity 10.0000.0000.0000.0004.00

[PE1-isis-1] quit

[PE1] interface loopback 0

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip address 30.1.1.1 24

[PE1-Vlan-interface12] isis enable 1

[PE1-Vlan-interface12] mpls enable

[PE1-Vlan-interface12] mpls ldp enable

[PE1-Vlan-interface12] mpls ldp transport-address interface

[PE1-Vlan-interface12] quit

[PE1] bgp 100

[PE1-bgp] peer 4.4.4.9 as-number 100

[PE1-bgp] peer 4.4.4.9 connect-interface loopback 0

[PE1-bgp] address-family vpnv4

[PE1-bgp-vpnv4] peer 4.4.4.9 enable

[PE1-bgp-vpnv4] quit

[PE1-bgp] quit

# Configure PE 2 in the same way that PE 1 is configured. (Details not shown.)

# On PE 1, verify that the LDP session between PE 1 and PE 2 has been successfully established.

[PE1] display mpls ldp peer

Total number of peers: 1

Peer LDP ID State LAM Role GR MD5 KA Sent/Rcvd

4.4.4.9:0 Operational DU Active Off Off 8/8

# On PE 1, verify that a BGP peer relationship in Established state has been established.

[PE1] display bgp peer

BGP local router ID: 3.3.3.9

Local AS number: 100

Total number of peers: 1 Peers in established state: 1

Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State

4.4.4.9 100 3 6 0 0 00:00:32 Established

# On PE 1, verify that the IS-IS neighbor relationship has been set up.

[PE1] display isis peer

Peer information for ISIS(1)

----------------------------

System Id: 0000.0000.0005

Interface: Vlan-interface12 Circuit Id: 0000.0000.0005.02

State: Up HoldTime: 8s Type: L1(L1L2) PRI: 64

System Id: 0000.0000.0005

Interface: Vlan-interface12 Circuit Id: 0000.0000.0005.02

State: Up HoldTime: 8s Type: L2(L1L2) PRI: 64

2. Configure the customer carrier network. Start IS-IS as the IGP, and enable LDP between PE 3 and CE 1, and between PE 4 and CE 2:

# Configure PE 3.

<PE3> system-view

[PE3] interface loopback 0

[PE3-LoopBack0] ip address 1.1.1.9 32

[PE3-LoopBack0] quit

[PE3] mpls lsr-id 1.1.1.9

[PE3] mpls ldp

[PE3-ldp] quit

[PE3] isis 2

[PE3-isis-2] network-entity 10.0000.0000.0000.0001.00

[PE3-isis-2] quit

[PE3] interface loopback 0

[PE3-LoopBack0] isis enable 2

[PE3-LoopBack0] quit

[PE3] interface vlan-interface 12

[PE3-Vlan-interface12] ip address 10.1.1.1 24

[PE3-Vlan-interface12] isis enable 2

[PE3-Vlan-interface12] mpls enable

[PE3-Vlan-interface12] mpls ldp enable

[PE3-Vlan-interface12] mpls ldp transport-address interface

[PE3-Vlan-interface12] quit

# Configure CE 1.

<CE1> system-view

[CE1] interface loopback 0

[CE1-LoopBack0] ip address 2.2.2.9 32

[CE1-LoopBack0] quit

[CE1] mpls lsr-id 2.2.2.9

[CE1] mpls ldp

[CE1-ldp] quit

[CE1] isis 2

[CE1-isis-2] network-entity 10.0000.0000.0000.0002.00

[CE1-isis-2] quit

[CE1] interface loopback 0

[CE1-LoopBack0] isis enable 2

[CE1-LoopBack0] quit

[CE1] interface vlan-interface 12

[CE1-Vlan-interface12] ip address 10.1.1.2 24

[CE1-Vlan-interface12] isis enable 2

[CE1-Vlan-interface12] mpls enable

[CE1-Vlan-interface12] mpls ldp enable

[CE1-Vlan-interface12] mpls ldp transport-address interface

[CE1-Vlan-interface12] quit

PE 3 and CE 1 can establish an LDP session and IS-IS neighbor relationship between them.

# Configure PE 4 and CE 2 in the same way that PE 3 and CE 1 are configured. (Details not shown.)

3. Connect the customer carrier to the provider carrier:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 200:1

[PE1-vpn-instance-vpn1] vpn-target 1:1

[PE1-vpn-instance-vpn1] quit

[PE1] mpls ldp

[PE1-ldp] vpn-instance vpn1

[PE1-ldp-vpn-instance-vpn1] quit

[PE1-ldp] quit

[PE1] isis 2 vpn-instance vpn1

[PE1-isis-2] network-entity 10.0000.0000.0000.0003.00

[PE1-isis-2] import-route bgp allow-ibgp

[PE1-isis-2] quit

[PE1] interface vlan-interface11

[PE1-Vlan-interface11] ip binding vpn-instance vpn1

[PE1-Vlan-interface11] ip address 11.1.1.2 24

[PE1-Vlan-interface11] isis enable 2

[PE1-Vlan-interface11] mpls enable

[PE1-Vlan-interface11] mpls ldp enable

[PE1-Vlan-interface11] mpls ldp transport-address interface

[PE1-Vlan-interface11] quit

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] address-family ipv4 unicast

[PE1-bgp-ipv4-vpn1] import isis 2

[PE1-bgp-ipv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Configure CE 1.

[CE1] interface vlan-interface11

[CE1-Vlan-interface11] ip address 11.1.1.1 24

[CE1-Vlan-interface11] isis enable 2

[CE1-Vlan-interface11] mpls enable

[CE1-Vlan-interface11] mpls ldp enable

[CE1-Vlan-interface11] mpls ldp transport-address interface

[CE1-Vlan-interface11] quit

PE 1 and CE 1 can establish an LDP session and IS-IS neighbor relationship between them.

# Configure PE 2 and CE 2 in the same way that PE 1 and CE 1 are configured. (Details not shown.)

4. Connect end customers to the customer carrier:

# Configure CE 3.

<CE3> system-view

[CE3] interface vlan-interface11

[CE3-Vlan-interface11] ipv6 address 2001:1::1 96

[CE3-Vlan-interface11] quit

[CE3] bgp 65410

[CE3-bgp] peer 2001:1::2 as-number 100

[CE3-bgp] address-family ipv6

[CE3-bgp-ipv6] peer 2001:1::2 enable

[CE3-bgp-ipv6] import-route direct

[CE3-bgp-ipv6] quit

[CE3-bgp] quit

# Configure PE 3.

[PE3] ip vpn-instance vpn1

[PE3-vpn-instance-vpn1] route-distinguisher 100:1

[PE3-vpn-instance-vpn1] vpn-target 1:1

[PE3-vpn-instance-vpn1] quit

[PE3] interface Vlan-interface11

[PE3-Vlan-interface11] ip binding vpn-instance vpn1

[PE3-Vlan-interface11] ipv6 address 2001:1::2 96

[PE3-Vlan-interface11] quit

[PE3] bgp 100

[PE3-bgp] ip vpn-instance vpn1

[PE3-bgp-vpn1] peer 2001:1::1 as-number 65410

[PE3-bgp-vpn1] address-family ipv6 unicast

[PE3-bgp-ipv6-vpn1] peer 2001:1::1 enable

[PE3-bgp-ipv6-vpn1] import-route direct

[PE3-bgp-ipv6-vpn1] quit

[PE3-bgp-vpn1] quit

[PE3-bgp] quit

# Configure PE 4 and CE 4 in the same way that PE 3 and CE 3 are configured. (Details not shown.)

5. Establish an MP-IBGP peer relationship between PEs of the customer carrier to exchange the VPN routes of the customer carrier's customers:

# Configure PE 3.

[PE3] bgp 100

[PE3-bgp] peer 6.6.6.9 as-number 100

[PE3-bgp] peer 6.6.6.9 connect-interface loopback 0

[PE3-bgp] address-family vpnv6

[PE3-bgp-vpnv6] peer 6.6.6.9 enable

[PE3-bgp-vpnv6] quit

[PE3-bgp] quit

# Configure PE 3 in the same way that PE 3 is configured. (Details not shown.)

Verifying the configuration

1. Display the public network routing table and VPN routing table on the provider carrier PEs, for example, on PE 1:

# Verify that the public network routing table contains only routes of the provider carrier network.

[PE1] display ip routing-table

Routing Tables: Public

Destinations : 7 Routes : 7

Destination/Mask Proto Pre Cost NextHop Interface

3.3.3.9/32 Direct 0 0 127.0.0.1 InLoop0

4.4.4.9/32 ISIS 15 10 30.1.1.2 Vlan12

30.1.1.0/24 Direct 0 0 30.1.1.1 Vlan12

30.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

30.1.1.2/32 Direct 0 0 30.1.1.2 Vlan12

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that the VPN routing table contains the internal routes of the customer carrier network.

[PE1] display ip routing-table vpn-instance vpn1

Routing Tables: vpn1

Destinations : 11 Routes : 11

Destination/Mask Proto Pre Cost NextHop Interface

1.1.1.9/32 ISIS 15 20 11.1.1.1 Vlan11

2.2.2.9/32 ISIS 15 10 11.1.1.1 Vlan11

5.5.5.9/32 BGP 255 0 4.4.4.9 NULL0

6.6.6.9/32 BGP 255 0 4.4.4.9 NULL0

10.1.1.0/24 ISIS 15 20 11.1.1.1 Vlan11

11.1.1.0/24 Direct 0 0 11.1.1.1 Vlan11

11.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.2/32 Direct 0 0 11.1.1.2 Vlan11

20.1.1.0/24 BGP 255 0 4.4.4.9 NULL0

21.1.1.0/24 BGP 255 0 4.4.4.9 NULL0

21.1.1.2/32 BGP 255 0 4.4.4.9 NULL0

2. Display the routing table on the customer carrier CEs, for example, on CE 1:

# Verify that the routing table contains the internal routes of the customer carrier network.

[CE1] display ip routing-table

Routing Tables: Public

Destinations : 15 Routes : 15

Destination/Mask Proto Pre Cost NextHop Interface

1.1.1.9/32 ISIS 15 10 10.1.1.2 Vlan12

2.2.2.9/32 Direct 0 0 127.0.0.1 InLoop0

5.5.5.9/32 ISIS 15 74 11.1.1.2 Vlan11

6.6.6.9/32 ISIS 15 74 11.1.1.2 Vlan11

10.1.1.0/24 Direct 0 0 10.1.1.2 Vlan12

10.1.1.1/32 Direct 0 0 10.1.1.1 Vlan12

10.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.0/24 Direct 0 0 11.1.1.1 Vlan11

11.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.2/32 Direct 0 0 11.1.1.2 Vlan11

20.1.1.0/24 ISIS 15 74 11.1.1.2 Vlan11

21.1.1.0/24 ISIS 15 74 11.1.1.2 Vlan11

21.1.1.2/32 ISIS 15 74 11.1.1.2 Vlan11

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

3. Display the public network routing table and VPN routing table on the customer carrier PEs, for example, on PE 3:

# Verify that the public network routing table contains the internal routes of the customer carrier network.

[PE3] display ip routing-table

Routing Tables: Public

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

1.1.1.9/32 Direct 0 0 127.0.0.1 InLoop0

2.2.2.9/32 ISIS 15 10 10.1.1.2 Vlan12

5.5.5.9/32 ISIS 15 84 10.1.1.2 Vlan12

6.6.6.9/32 ISIS 15 84 10.1.1.2 Vlan12

10.1.1.0/24 Direct 0 0 10.1.1.1 Vlan12

10.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.2/32 Direct 0 0 10.1.1.2 Vlan12

11.1.1.0/24 ISIS 15 20 10.1.1.2 Vlan12

20.1.1.0/24 ISIS 15 84 10.1.1.2 Vlan12

21.1.1.0/24 ISIS 15 84 10.1.1.2 Vlan12

21.1.1.2/32 ISIS 15 84 10.1.1.2 Vlan12

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that the VPN routing table contains the remote VPN route.

[PE3] display ipv6 routing-table vpn-instance vpn1

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:1::/96 Protocol : Direct

NextHop : :: Preference: 0

Interface : Vlan11 Cost : 0

Destination: 2001:1::2/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:2::/96 Protocol : BGP4+

NextHop : ::FFFF:606:609 Preference: 0

Interface : NULL0 Cost : 0

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

4. Verify that PE 3 and PE 4 can ping each other. (Details not shown.)

5. Verify that CE 3 and CE 4 can ping each other. (Details not shown.)

Configuring IPv6 MCE

Network requirements

As shown in Figure 38, the MCE device is connected to VPN 1 through VLAN-interface 10 and to VPN 2 through VLAN-interface 20. RIPng runs in VPN 2.

Configure the MCE to separate routes from different VPNs and advertise VPN routes to PE 1 through OSPFv3.

Figure 38 Network diagram

Configuration procedure

Assume that the system name of the MCE device is MCE, the system names of the edge devices of VPN 1 and VPN 2 are VR1 and VR2, respectively, and the system name of PE 1 is PE1.

1. Configure the VPN instances on the MCE and PE 1:

# On the MCE, configure VPN instances vpn1 and vpn2, and specify an RD and route targets for each VPN instance.

<MCE> system-view

[MCE] ip vpn-instance vpn1

[MCE-vpn-instance-vpn1] route-distinguisher 10:1

[MCE-vpn-instance-vpn1] vpn-target 10:1

[MCE-vpn-instance-vpn1] quit

[MCE] ip vpn-instance vpn2

[MCE-vpn-instance-vpn2] route-distinguisher 20:1

[MCE-vpn-instance-vpn2] vpn-target 20:1

[MCE-vpn-instance-vpn2] quit

# Create VLAN 10, add port GigabitEthernet 3/0/1 to VLAN 10, and create VLAN-interface 10.

[MCE] vlan 10

[MCE-vlan10] port GigabitEthernet 3/0/1

[MCE-vlan10] quit

# Bind VLAN-interface 10 to VPN instance vpn1 and configure an IPv6 address for the VLAN interface.

[MCE] interface vlan-interface 10

[MCE-Vlan-interface10] ip binding vpn-instance vpn1

[MCE-Vlan-interface10] ipv6 address 2001:1::1 64

[MCE-Vlan-interface10] quit

# Configure VLAN 20, add port GigabitEthernet 3/0/2 to VLAN 20, bind VLAN-interface 20 to VPN instance vpn2, and assign an IPv6 address to VLAN-interface 20.

[MCE] vlan 20

[MCE-vlan20] port GigabitEthernet 3/0/2

[MCE-vlan20] quit

[MCE] interface vlan-interface 20

[MCE-Vlan-interface20] ip binding vpn-instance vpn2

[MCE-Vlan-interface20] ipv6 address 2002:1::1 64

[MCE-Vlan-interface20] quit

# On PE 1, configure VPN instances vpn1 and vpn2, and specify an RD and route targets for each VPN instance.

<PE1> system-view

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 30:1

[PE1-vpn-instance-vpn1] vpn-target 10:1

[PE1-vpn-instance-vpn1] quit

[PE1] ip vpn-instance vpn2

[PE1-vpn-instance-vpn2] route-distinguisher 40:1

[PE1-vpn-instance-vpn2] vpn-target 20:1

[PE1-vpn-instance-vpn2] quit

2. Configure routing between the MCE and VPN sites:

The MCE is connected to VPN 1 directly, and no routing protocol is enabled in VPN 1. Therefore, you can configure IPv6 static routes.

# On VR 1, assign IPv6 address 2001:1::2/64 to the interface connected to the MCE and 2012:1::2/64 to the interface connected to VPN 1. Add ports to VLANs. (Details not shown.)

# On VR 1, configure a default route with the next hop being 2001:1::1.

<VR1> system-view

[VR1] ipv6 route-static :: 0 2001:1::1

# On the MCE, configure an IPv6 static route to 2012:1::/64 with the next hop 2001:1::2. Bind the static route to VPN instance vpn1.

[MCE] ipv6 route-static vpn-instance vpn1 2012:1:: 64 2001:1::2

# Run RIPng in VPN 2. Configure RIPng process 20 for VPN instance vpn2 on the MCE, so that the MCE can learn the routes of VPN 2 and add them to the routing table of VPN instance vpn2.

[MCE] ripng 20 vpn-instance vpn2

# Advertise subnet 2002:1::/64 through RIPng.

[MCE] interface vlan-interface 20

[MCE-Vlan-interface20] ripng 20 enable

[MCE-Vlan-interface20] quit

# On VR 2, assign IPv6 address 2002:1::2/64 to the interface connected to the MCE and 2012::2/64 to the interface connected to VPN 2. (Details not shown.)

# Configure RIPng, and advertise subnets 2012::/64 and 2002:1::/64.

<VR2> system-view

[VR2] ripng 20

[VR2-ripng-20] quit

[VR2] interface vlan-interface 20

[VR2-Vlan-interface20] ripng 20 enable

[VR2-Vlan-interface20] quit

[VR2] interface vlan-interface 21

[VR2-Vlan-interface21] ripng 20 enable

[VR2-Vlan-interface21] quit

# On the MCE, display the routing tables of VPN instances vpn1 and vpn2.

[MCE] display ipv6 routing-table vpn-instance vpn1

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:1::/64 Protocol : Direct

NextHop : :: Preference: 0

Interface : Vlan10 Cost : 0

Destination: 2001:1::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2012:1::/64 Protocol : Static

NextHop : 2001:1::2 Preference: 60

Interface : Vlan10 Cost : 0

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

[MCE] display ipv6 routing-table vpn-instance vpn2

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2002:1::/64 Protocol : Direct

NextHop : :: Preference: 0

Interface : Vlan20 Cost : 0

Destination: 2002:1::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2012::/64 Protocol : RIPng

NextHop : FE80::20C:29FF:FE40:701 Preference: 100

Interface : Vlan20 Cost : 1

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

The output shows that the MCE has learned the private route of VPN 2. The MCE maintains the routes of VPN 1 and VPN 2 in two different routing tables. In this way, routes from different VPNs are separated.

3. Configure routing between the MCE and PE 1:

# On the MCE, configure the port connected to PE 1 as a trunk port, and configure it to permit packets of VLAN 30 and VLAN 40 to pass with VLAN tags.

[MCE] interface GigabitEthernet 3/0/3

[MCE-GigabitEthernet3/0/3] port link-type trunk

[MCE-GigabitEthernet3/0/3] port trunk permit vlan 30 40

[MCE-GigabitEthernet3/0/3] quit

# On PE 1, configure the port connected to MCE as a trunk port, and configure it to permit packets of VLAN 30 and VLAN 40 to pass with VLAN tags.

[PE1] interface GigabitEthernet 3/0/1

[PE1-GigabitEthernet3/0/1] port link-type trunk

[PE1-GigabitEthernet3/0/1] port trunk permit vlan 30 40

[PE1-GigabitEthernet3/0/1] quit

# On the MCE, create VLAN 30 and VLAN-interface 30, bind VLAN-interface 30 to VPN instance vpn1, and configure an IPv6 address for the VLAN-interface 30.

[MCE] vlan 30

[MCE-vlan30] quit

[MCE] interface vlan-interface 30

[MCE-Vlan-interface30] ip binding vpn-instance vpn1

[MCE-Vlan-interface30] ipv6 address 30::1 64

[MCE-Vlan-interface30] quit

# On the MCE, create VLAN 40 and VLAN-interface 40, bind VLAN-interface 40 to VPN instance vpn2, and configure an IPv6 address for the VLAN-interface 40.

[MCE] vlan 40

[MCE-vlan40] quit

[MCE] interface vlan-interface 40

[MCE-Vlan-interface40] ip binding vpn-instance vpn2

[MCE-Vlan-interface40] ipv6 address 40::1 64

[MCE-Vlan-interface40] quit

# On PE 1, create VLAN 30 and VLAN-interface 30, bind VLAN-interface 30 to VPN instance vpn1, and configure an IPv6 address for the VLAN-interface 30.

[PE1] vlan 30

[PE1-vlan30] quit

[PE1] interface vlan-interface 30

[PE1-Vlan-interface30] ip binding vpn-instance vpn1

[PE1-Vlan-interface30] ipv6 address 30::2 64

[PE1-Vlan-interface30] quit

# On PE 1, create VLAN 40 and VLAN-interface 40, bind VLAN-interface 40 to VPN instance vpn2, and configure an IPv6 address for the VLAN-interface 40.

[PE1] vlan 40

[PE1-vlan40] quit

[PE1] interface vlan-interface 40

[PE1-Vlan-interface40] ip binding vpn-instance vpn2

[PE1-Vlan-interface40] ipv6 address 40::2 64

[PE1-Vlan-interface40] quit

# Enable OSPFv3 process 10 on the MCE, bind the process to VPN instance vpn1, and redistribute the IPv6 static route of VPN 1.

[MCE] ospfv3 10 vpn-instance vpn1

[MCE-ospf-10] router-id 101.101.10.1

[MCE-ospf-10] import-route static

[MCE-ospf-10] quit

# Enable OSPFv3 on VLAN-interface 30.

[MCE] interface vlan-interface 30

[MCE-Vlan-interface30] ospfv3 10 area 0.0.0.0

[MCE-Vlan-interface30] quit

# On PE 1, enable OSPFv3 process 10 and bind the process to VPN instance vpn1.

[PE1] ospfv3 10 vpn-instance vpn1

[PE1-ospf-10] router-id 100.100.10.1

[PE1-ospf-10] quit

# Enable OSPFv3 on VLAN-interface 30.

[PE1] interface vlan-interface 30

[PE1-Vlan-interface30] ospfv3 10 area 0.0.0.0

[PE1-Vlan-interface30] quit

# Use similar procedures to configure OSPFv3 process 20 between the MCE and PE 1 and redistribute VPN 2's routes from RIPng process 20 into the OSPFv3 routing table of the MCE. (Details not shown.)

Verifying the configuration

# Verify that PE 1 has learned the private route of VPN 1 through OSPFv3.

[PE1] display ipv6 routing-table vpn-instance vpn1

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 30::/64 Protocol : Direct

NextHop : :: Preference: 0

Interface : Vlan30 Cost : 0

Destination: 30::2/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2012:1::/64 Protocol : OSPFv3

NextHop : FE80::202:FF:FE02:2 Preference: 150

Interface : Vlan30 Cost : 1

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

# Verify that PE 1 has learned the private route of VPN 2 through OSPFv3.

[PE1] display ipv6 routing-table vpn-instance vpn2

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 40::/64 Protocol : Direct

NextHop : :: Preference: 0

Interface : Vlan40 Cost : 0

Destination: 40::2/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2012::/64 Protocol : OSPFv3

NextHop : FE80::200:FF:FE0F:5 Preference: 150

Interface : Vlan40 Cost : 1

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

The routing information of the two VPNs has been added into the routing tables on PE 1.

Configuring an OSPFv3 sham link

Network requirements

As shown in Figure 39, CE 1 and CE 2 belong to VPN 1. Configure an OSPFv3 sham link between PE 1 and PE 2 so traffic between CE 1 and CE 2 is forwarded through the MPLS backbone, instead of the backdoor link.

Figure 39 Network diagram

Table 14 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Vlan-int11	100::1/64	CE 2	Vlan-int11	120::1/64
	Vlan-int13	20::1/64		Vlan-int12	30::2/64
PE 1	Loop0	1.1.1.9/32	PE 2	Loop0	2.2.2.9/32
	Loop1	3::3/128		Loop1	5::5/128
	Vlan-int11	100::2/64		Vlan-int11	120::2/64
	Vlan-int12	10.1.1.1/24		Vlan-int12	10.1.1.2/24
Switch A	Vlan-int11	30::1/64
	Vlan-int12	20::2/64

Configuration procedure

1. Configure OSPFv3 on the customer networks.

Configure conventional OSPFv3 on CE 1, Switch A, and CE 2 to advertise subnet addresses of the interfaces as shown in Figure 39. Set the cost value to 2 for both the link between CE 1 and Switch A, and the link between CE 2 and Switch A. Execute the display ipv6 routing-table command to verify that CE 1 and CE 2 have each learned the OSPFv3 route to VLAN-interface 11 of the other. (Details not shown.)

2. Configure IPv6 MPLS L3VPN on the backbone:

# Configure basic MPLS and MPLS LDP on PE 1 to establish LDP LSPs.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 1.1.1.9 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip address 10.1.1.1 24

[PE1-Vlan-interface12] mpls enable

[PE1-Vlan-interface12] mpls ldp enable

[PE1-Vlan-interface12] quit

# Configure PE 1 to take PE 2 as an MP-IBGP peer.

[PE1] bgp 100

[PE1-bgp] peer 2.2.2.9 as-number 100

[PE1-bgp] peer 2.2.2.9 connect-interface loopback 0

[PE1-bgp] address-family vpnv6

[PE1-bgp-vpnv6] peer 2.2.2.9 enable

[PE1-bgp-vpnv6] quit

[PE1-bgp] quit

# Configure OSPF on PE 1.

[PE1] ospf 1

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

# Configure basic MPLS and MPLS LDP on PE 2 to establish LDP LSPs.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 2.2.2.9 32

[PE2-LoopBack0] quit

[PE2] mpls lsr-id 2.2.2.9

[PE2] mpls ldp

[PE2-ldp] quit

[PE2] interface vlan-interface 12

[PE2-Vlan-interface12] ip address 10.1.1.2 24

[PE2-Vlan-interface12] mpls enable

[PE2-Vlan-interface12] mpls ldp enable

[PE2-Vlan-interface12] quit

# Configure PE 2 to take PE 1 as an MP-IBGP peer.

[PE2] bgp 100

[PE2-bgp] peer 1.1.1.9 as-number 100

[PE2-bgp] peer 1.1.1.9 connect-interface loopback 0

[PE2-bgp] address-family vpnv6

[PE2-bgp-vpnv6] peer 1.1.1.9 enable

[PE2-bgp-vpnv6] quit

[PE2-bgp] quit

# Configure OSPF on PE 2.

[PE2] ospf 1

[PE2-ospf-1] area 0

[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

3. Configure PEs to allow CE access:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 1:1

[PE1-vpn-instance-vpn1] quit

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] ip binding vpn-instance vpn1

[PE1-Vlan-interface11] ipv6 address 100::2 64

[PE1-Vlan-interface11] ospfv3 100 area 1

[PE1-Vlan-interface11] quit

[PE1] ospfv3 100

[PE1-ospfv3-100] router-id 100.1.1.1

[PE1-ospfv3-100] domain-id 10

[PE1-ospfv3-100] quit

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] address-family ipv6 unicast

[PE1-bgp-ipv6-vpn1] import-route ospfv3 100

[PE1-bgp-ipv6-vpn1] import-route direct

[PE1-bgp-ipv6-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 100:2

[PE2-vpn-instance-vpn1] vpn-target 1:1

[PE2-vpn-instance-vpn1] quit

[PE2] interface vlan-interface 11

[PE2-Vlan-interface11] ip binding vpn-instance vpn1

[PE2-Vlan-interface11] ipv6 address 120::2 64

[PE2-Vlan-interface11] ospfv3 100 area 1

[PE2-Vlan-interface11] quit

[PE2] ospfv3 100

[PE2-ospfv3-100] router-id 120.1.1.1

[PE2-ospfv3-100] domain-id 10

[PE2-ospfv3-100] quit

[PE2] bgp 100

[PE2-bgp] ip vpn-instance vpn1

[PE2-bgp-vpn1] address-family ipv6 unicast

[PE2-bgp-ipv6-vpn1] import-route ospfv3 100

[PE2-bgp-ipv6-vpn1] import-route direct

[PE2-bgp-ipv6-vpn1] quit

[PE2-bgp-vpn1] quit

[PE2-bgp] quit

# Execute the display ipv6 routing-table vpn-instance command on the PEs to verify that the path to the peer CE is along the OSPFv3 route across the customer networks, instead of the IPv6 BGP route across the backbone. (Details not shown.)

4. Configure a sham link:

# Configure PE 1.

[PE1] interface loopback 1

[PE1-LoopBack1] ip binding vpn-instance vpn1

[PE1-LoopBack1] ipv6 address 3::3 128

[PE1-LoopBack1] quit

[PE1] ospfv3 100

[PE1-ospfv3-100] area 1

[PE1-ospfv3-100-area-0.0.0.1] sham-link 3::3 5::5

[PE1-ospfv3-100-area-0.0.0.1] quit

[PE1-ospfv3-100] quit

# Configure PE 2.

[PE2] interface loopback 1

[PE2-LoopBack1] ip binding vpn-instance vpn1

[PE2-LoopBack1] ipv6 address 5::5 128

[PE2-LoopBack1] quit

[PE2] ospfv3 100

[PE2-ospfv3-100] area 1

[PE2-ospfv3-100-area-0.0.0.1] sham-link 5::5 3::3

[PE2-ospfv3-100-area-0.0.0.1] quit

[PE2-ospfv3-100] quit

Verifying the configuration

# Execute the display ipv6 routing-table vpn-instance command on the PEs to verify the following results (details not shown):

· The path to the peer CE is now along the IPv6 BGP route across the backbone.

· A route to the sham link destination address exists.

# Execute the display ipv6 routing-table command on the CEs to verify that the next hop of the OSPFv3 route to the peer CE is the VLAN interface connected to the PE. The VPN traffic to the peer is forwarded over the backbone. (Details not shown.)

# Verify that a sham link has been established on PEs, for example, on PE 1.

[PE1] display ospfv3 sham-link

OSPFv3 Process 100 with Router ID 100.1.1.1

Sham-link (Area: 0.0.0.1)

Neighbor ID State Instance ID Destination address

120.1.1.1 P-2-P 0 5::5

# Verify that the peer state is Full on PE 1.

[PE1] display ospfv3 sham-link verbose

OSPFv3 Process 100 with Router ID 100.1.1.1

Sham-link (Area: 0.0.0.1)

Source : 3::3

Destination : 5::5

Interface ID: 2147483649

Neighbor ID : 120.1.1.1, Neighbor state: Full

Cost: 1 State: P-2-P Type: Sham Instance ID: 0

Timers: Hello 10, Dead 40, Retransmit 5, Transmit delay 1

Request list: 0 Retransmit list: 0

08-MPLS Configuration Guide

Overview

MPLS L3VPN concepts

Site

VPN instance

Address space overlapping

VPN-IPv4 address

Route target attribute

MP-BGP

MPLS L3VPN route advertisement

Basic VPN networking scheme

Hub and spoke networking scheme

Extranet networking scheme

Inter-AS VPN

Inter-AS option A

Inter-AS option B

Inter-AS option C

Carrier's carrier

Propagation of routing information

HoVPN

Implementation of HoVPN

SPE-UPE

Recursion and extension of HoVPN

OSPF VPN extension

OSPF for VPNs on a PE

OSPF sham link

BGP AS number substitution

Protocols and standards

Configuring basic MPLS L3VPN

Configuring VPN instances

Configuring routing between a PE and a CE

Configuring static routing between a PE and a CE

Configuring RIP between a PE and a CE

Configuring OSPF between a PE and a CE

Configuring IS-IS between a PE and a CE

Configuring EBGP between a PE and a CE

Configuring IBGP between a PE and a CE

Configuring routing between PEs

Configuring inter-AS VPN

Configuring a PE

Configuring an ASBR-PE

Configuring a routing policy on an ASBR-PE

Configuring nested VPN

Configuring HoVPN

Configuring an OSPF sham link

Configuring a loopback interface

Redistributing the loopback interface route

Creating a sham link

Configuring routing on an MCE

Configuring routing between an MCE and a VPN site

Configuring static routing between an MCE and a VPN site

Configuring RIP between an MCE and a VPN site

Configuring OSPF between an MCE and a VPN site

Configuring IS-IS between an MCE and a VPN site

Configuring EBGP between an MCE and a VPN site

Configuring IBGP between MCE and VPN site

Configuring static routing between an MCE and a PE

Configuring RIP between an MCE and a PE

Configuring OSPF between an MCE and a PE

Configuring IS-IS between an MCE and a PE

Configuring EBGP between an MCE and a PE

Configuring IBGP between an MCE and a PE

Specifying the VPN label processing mode on the egress PE

Configuring BGP AS number substitution

Enabling SNMP notifications for MPLS L3VPN

Configuring basic MPLS L3VPN

Network requirements

Configuration procedure

Verifying the configuration

Configuring a hub-spoke network

Network requirements

Configuration procedure

Verifying the configuration

Network requirements

Configuration procedure

Verifying the configuration

Network requirements

Configuration procedure

Verifying the configuration

Network requirements