MPLS L3VPN is a L3VPN technology used to interconnect geographically dispersed VPN sites. MPLS L3VPN uses BGP to advertise VPN routes and uses MPLS to forward VPN packets over a service provider backbone.

MPLS L3VPN provides flexible networking modes, excellent scalability, and convenient support for MPLS TE.

Basic MPLS L3VPN architecture

Figure 1 Basic MPLS L3VPN architecture

A basic MPLS L3VPN architecture has the following types of devices:

· Customer edge device—A CE device resides on a customer network and has one or more interfaces directly connected to a service provider network. It does not support MPLS.

· Provider edge device—A PE device resides at the edge of a service provider network and connects to one or more CEs. All MPLS VPN services are processed on PEs.

· Provider device—A P device is a core device on a service provider network. It is not directly connected to any CE. A P device has only basic MPLS forwarding capability and does not handle VPN routing information.

MPLS L3VPN concepts

Site

A site has the following features:

· A site is a group of IP systems with IP connectivity that does not rely on any service provider network.

· The classification of a site depends on the topology relationship of the devices, rather than the geographical positions. However, the devices at a site are, in most cases, adjacent to each other geographically.

· The devices at a site can belong to multiple VPNs, which means that a site can belong to multiple VPNs.

· A site is connected to a provider network through one or more CEs. A site can contain multiple CEs, but a CE can belong to only one site.

Sites connected to the same provider network can be classified into different sets by policies. Only the sites in the same set can access each other through the provider network. Such a set is called a VPN.

VPN instance

VPN instances, also called virtual routing and forwarding (VRF) instances, implement route isolation, data independence, and data security for VPNs.

A VPN instance has the following components:

· A separate Label Forwarding Information Base (LFIB).

· An IP routing table.

· Interfaces bound to the VPN instance.

· VPN instance administration information, including route distinguishers (RDs), route targets (RTs), and route filtering policies.

To associate a site with a VPN instance, bind the VPN instance to the PE's interface connected to the site. A site can be associated with only one VPN instance, and different sites can associate with the same VPN instance. A VPN instance contains the VPN membership and routing rules of associated sites.

VPN-IPv4 address

Each VPN independently manages its address space. The address spaces of VPNs might overlap. For example, if both VPN 1 and VPN 2 use the addresses on subnet 10.110.10.0/24, address space overlapping occurs.

BGP cannot process overlapping VPN address spaces. For example, if both VPN 1 and VPN 2 use the subnet 10.110.10.0/24 and each advertise a route destined for the subnet, BGP selects only one of them. This results in the loss of the other route.

Multiprotocol BGP (MP-BGP) can solve this problem by advertising VPN-IPv4 addresses (also called VPNv4 addresses).

Figure 2 VPN-IPv4 address structure

As shown in Figure 2, a VPN-IPv4 address consists of 12 bytes. The first eight bytes represent the RD, followed by a four-byte IPv4 prefix. The RD and the IPv4 prefix form a unique VPN-IPv4 prefix.

An RD can be in one of the following formats:

· When the Type field is 0, the Administrator subfield occupies two bytes, the Assigned number subfield occupies four bytes, and the RD format is 16-bit AS number:32-bit user-defined number. For example, 100:1.

· When the Type field is 1, the Administrator subfield occupies four bytes, the Assigned number subfield occupies two bytes, and the RD format is 32-bit IPv4 address:16-bit user-defined number. For example, 172.1.1.1:1.

· When the Type field is 2, the Administrator subfield occupies four bytes, the Assigned number subfield occupies two bytes, and the RD format is 32-bit AS number:16-bit user-defined number, where the minimum value of the AS number is 65536. For example, 65536:1.

To guarantee global uniqueness for a VPN-IPv4 address, do not set the Administrator subfield to any private AS number or private IP address.

Route target attribute

MPLS L3VPN uses route target community attributes to control the advertisement of VPN routing information. A VPN instance on a PE supports the following types of route target attributes:

· Export target attribute—A PE sets the export target attribute for VPN-IPv4 routes learned from directly connected sites before advertising them to other PEs.

· Import target attribute—A PE checks the export target attribute of VPN-IPv4 routes received from other PEs. If the export target attribute matches the import target attribute of a VPN instance, the PE adds the routes to the routing table of the VPN instance.

Route target attributes define which sites can receive VPN-IPv4 routes, and from which sites a PE can receive routes.

Like RDs, route target attributes can be one of the following formats:

· 16-bit AS number:32-bit user-defined number. For example, 100:1.

· 32-bit IPv4 address:16-bit user-defined number. For example, 172.1.1.1:1.

· 32-bit AS number:16-bit user-defined number, where the minimum value of the AS number is 65536. For example, 65536:1.

MP-BGP

MP-BGP supports multiple address families, including IPv4 multicast, IPv6 unicast, IPv6 multicast, and VPN-IPv4 address families.

In MPLS L3VPN, MP-BGP advertises VPN-IPv4 routes for VPN sites between PEs.

MPLS L3VPN route advertisement

In a basic MPLS L3VPN, CEs and PEs are responsible for advertising VPN routing information. P routers maintain only the routes within the backbone. A PE maintains only routing information for directly connected VPNs, rather than for all VPNs.

VPN routing information is advertised from the local CE to the remote CE by using the following process:

1. From the local CE to the ingress PE:

The CE advertises standard IPv4 routing information to the ingress PE over a static route, RIP route, OSPF route, IS-IS route, EBGP route, or IBGP route.

2. From the ingress PE to the egress PE:

The ingress PE performs the following operations:

a. Adds RDs and route target attributes to these standard IPv4 routes to create VPN-IPv4 routes.

b. Saves the VPN-IPv4 routes to the routing table of the VPN instance created for the CE.

c. Advertises the VPN-IPv4 routes to the egress PE through MP-BGP.

3. From the egress PE to the remote CE:

After receiving the VPN-IPv4 routes, the egress PE performs the following operations:

a. Compares the routes' export target attributes with the local import target attributes.

b. Adds the routes to the routing table of the VPN instance if the export and local import target attributes match each other.

c. Restores the VPN-IPv4 routes to the original IPv4 routes.

d. Advertises those routes to the connected CE over a static route, RIP route, OSPF route, IS-IS route, EBGP route, or IBGP route.

MPLS L3VPN packet forwarding

In a basic MPLS L3VPN (within a single AS), a PE adds the following information into VPN packets:

· Outer tag—Identifies the public tunnel from the local PE to the remote PE. The public tunnel can be an LSP or an MPLS TE tunnel. Based on the outer tag, a VPN packet can be forwarded along the public tunnel to the remote PE. The outer tag is an MPLS label.

· Inner label—Identifies the remote VPN site. The remote PE uses the inner label to forward packets to the target VPN site. MP-BGP advertises inner labels for VPN-IPv4 routes among PEs.

Figure 3 VPN packet forwarding

As shown in Figure 3, a VPN packet is forwarded from Site 1 to Site 2 by using the following process:

1. Site 1 sends an IP packet with the destination address 1.1.1.2. CE 1 transmits the packet to PE 1.

2. PE 1 performs the following operations:

a. Finds the matching VPN route based on the inbound interface and destination address of the packet.

b. Labels the packet with both the inner label and the outer tag.

c. Forwards the packet to the public tunnel.

3. P devices forward the packet to PE 2 by the outer tag. The outer tag is removed from the packet at the penultimate hop.

4. PE 2 performs the following operations:

a. Uses the inner label to find the matching VPN instance to which the destination address of the packet belongs.

b. Looks up the routing table of the VPN instance for the output interface.

c. Removes the inner label and forwards the packet out of the interface to CE 2.

5. CE 2 transmits the packet to the destination through IP forwarding.

When two sites of a VPN are connected to the same PE, the PE directly forwards packets between the two sites through the VPN routing table without adding any tag or label.

MPLS L3VPN networking schemes

In MPLS L3VPNs, route target attributes are used to control the advertisement and reception of VPN routes between sites. They work independently and can be configured with multiple values to support flexible VPN access control and implement multiple types of VPN networking schemes.

Basic VPN networking scheme

In the simplest case, all users in a VPN form a closed user group. They can forward traffic to each other but cannot communicate with any user outside the VPN.

For the basic VPN networking scheme, you must assign a route target to each VPN for identifying the export target attribute and import target attribute of the VPN. Moreover, this route target cannot be used by any other VPNs.

Figure 4 Network diagram for basic VPN networking scheme

As shown in Figure 4, the route target for VPN 1 is 100:1, while that for VPN 2 is 200:1. The two VPN 1 sites can communicate with each other, and the two VPN 2 sites can communicate with each other. However, the VPN 1 sites cannot communicate with the VPN 2 sites.

Hub and spoke networking scheme

The hub and spoke networking scheme is suitable for a VPN where all users must communicate with each other through an access control device.

In a hub and spoke network as shown in Figure 5, configure route targets as follows:

· On spoke PEs (PEs connected to spoke sites), set the export target to Spoke and the import target to Hub.

· On the hub PE (PE connected to the hub site), use two interfaces or subinterfaces that each belong to a different VPN instance to connect the hub CE. One VPN instance receives routes from spoke PEs and has the import target set to Spoke. The other VPN instance advertises routes to spoke PEs and has the export target set to Hub.

These route targets rules produce the following results:

· The hub PE can receive all VPN-IPv4 routes from spoke PEs.

· All spoke PEs can receive VPN-IPv4 routes advertised by the hub PE.

· The hub PE advertises the routes learned from a spoke PE to the other spoke PEs so the spoke sites can communicate with each other through the hub site.

· The import target attribute of a spoke PE is different from the export target attribute of any other spoke PE. Any two spoke PEs do not directly advertise VPN-IPv4 routes to each other. Therefore, they cannot directly access each other.

Figure 5 Network diagram for hub and spoke network

A route in Site 1 is advertised to Site 2 by using the following process:

1. Spoke-CE 1 advertises a route in Site 1 to Spoke-PE 1.

2. Spoke-PE 1 changes the route to a VPN-IPv4 route and advertises the VPN-IPv4 route to Hub-PE through MP-BGP.

3. Hub-PE adds the VPN-IPv4 route into the routing table of VPN 1-in, changes it to the original IPv4 route, and advertises the IPv4 route to Hub-CE.

4. Hub-CE advertises the IPv4 route back to Hub-PE.

5. Hub-PE adds the IPv4 route to the routing table of VPN 1-out, changes it to a VPN-IPv4 route, and advertises the VPN-IPv4 route to Spoke-PE 2 through MP-BGP.

6. Spoke-PE 2 changes the VPN-IPv4 route to the original IPv4 route, and advertises the IPv4 route to Site 2.

After spoke sites exchange routes through the hub site, they can communicate with each other through the hub site.

Extranet networking scheme

The extranet networking scheme allows specific resources in a VPN to be accessed by users not in the VPN.

In this networking scheme, if a VPN instance needs to access a shared site, the export target attribute and the import target attribute of the VPN instance must be contained in the import target attribute and the export target attribute of the VPN instance of the shared site, respectively.

Figure 6 Network diagram for extranet networking scheme

As shown in Figure 6, route targets configured on PEs produce the following results:

· PE 3 can receive VPN-IPv4 routes from PE 1 and PE 2.

· PE 1 and PE 2 can receive VPN-IPv4 routes advertised by PE 3.

· Site 1 and Site 3 of VPN 1 can communicate with each other, and Site 2 of VPN 2 and Site 3 of VPN 1 can communicate with each other.

· PE 3 advertises neither the VPN-IPv4 routes received from PE 1 to PE 2 nor the VPN-IPv4 routes received from PE 2 to PE 1 (routes learned from an IBGP neighbor are not advertised to any other IBGP neighbor). Therefore, Site 1 of VPN 1 and Site 2 of VPN 2 cannot communicate with each other.

Inter-AS VPN

In an inter-AS VPN networking scenario, multiple sites of a VPN are connected to multiple ISPs in different ASs, or to multiple ASs of an ISP.

Inter AS-VPN provides the following solutions:

· VRF-to-VRF connections between ASBRs—This solution is also called inter-AS option A.

· EBGP redistribution of labeled VPN-IPv4 routes between ASBRs—ASBRs advertise VPN-IPv4 routes to each other through MP-EBGP. This solution is also called inter-AS option B.

· Multihop EBGP redistribution of labeled VPN-IPv4 routes between PE routers—PEs advertise VPN-IPv4 routes to each other through MP-EBGP. This solution is also called inter-AS option C.

Inter-AS option A

In this solution, PEs of two ASs are directly connected through multiple subinterfaces, and each PE is also the ASBR of its AS. Each PE treats the other as a CE and advertises unlabeled IPv4 unicast routes through EBGP. The PEs associate a VPN instance with at least one subinterface.

Figure 7 Network diagram for inter-AS option A

As shown in Figure 7, in VPN 1, routes are advertised from CE 1 to CE 3 by using the following process:

1. PE 1 advertises the VPN routes learned from CE 1 to ASBR 1 through MP-IBGP.

2. ASBR 1 performs the following operations:

a. Adds the routes to the routing table of the VPN instance whose import target attribute matches the export target attribute of the routes.

b. Advertises the routes as IPv4 unicast routes to its CE (ASBR 2) through EBGP.

3. ASBR 2 adds the IPv4 unicast routes to the routing table of the VPN instance that is bound to the receiving subinterface, and advertises the routes to PE 3 through MP-IBGP.

4. PE 3 advertises the received routes to CE 3.

Packets forwarded within an AS are VPN packets that carry two labels. Packets forwarded between ASBRs are common IP packets.

Inter-AS option A is easy to carry out because no special configuration is required on the PEs acting as the ASBRs.

However, it has limited scalability because the PEs acting as the ASBRs must manage all the VPN routes and create VPN instances on a per-VPN basis. This leads to excessive VPN-IPv4 routes on the PEs. Creating a separate subinterface for each VPN also requires additional system resources.

Inter-AS option B

In this solution, two ASBRs use MP-EBGP to exchange VPN-IPv4 routes that they obtain from the PEs in their respective ASs.

Figure 8 Network diagram for inter-AS option B

As shown in Figure 8, in VPN 1, routes are advertised from CE 1 to CE 3 by using the following process:

1. PE 1 advertises the VPN routes learned from CE 1 to ASBR 1 through MP-IBGP.

Assume that the inner label assigned by PE 1 for the routes is L1.

2. ASBR 1 advertises the VPN-IPv4 routes to ASBR 2 through MP-EBGP.

Before advertising the routes, ASBR 1 modifies the next hop as its own address, assigns a new inner label (L2) to the routes, and associates L1 with L2.

3. ASBR 2 advertises the VPN-IPv4 routes to PE 3 through MP-IBGP.

Before advertising the routes, ASBR 2 modifies the next hop as its own address, assigns a new inner label (L3) to the routes, and associates L2 with L3.

4. PE 3 advertises the received routes to CE 3.

A packet is forwarded from CE 3 to CE 1 by using the following process:

1. PE 3 encapsulates the received packet with two labels, and forwards the encapsulated packet to ASBR 2.

One of the labels is L3, and the other is the outer tag for the public tunnel from PE 3 to ASBR 2.

2. ASBR 2 removes the outer tag, replaces L3 with L2, and forwards the packet to ASBR 1.

Packets between ASBR 1 and ASBR 2 carry only one inner label.

3. ASBR 1 replaces L2 with L1, adds the outer tag of the public tunnel from ASBR 1 to PE 1, and forwards the packet to PE 1.

4. PE 1 removes the inner label and outer tag and forwards the packet to CE 1.

In this solution, ASBRs must receive all inter-AS VPN routes. Therefore, ASBRs cannot filter incoming VPN-IPv4 routes by route targets.

Inter-AS option B has better scalability than option A. However, it requires that ASBRs maintain and advertise VPN routes.

Inter-AS option C

The Inter-AS option A and option B solutions require that the ASBRs maintain and advertise VPN-IPv4 routes. When every AS needs to exchange a great amount of VPN routes, the ASBRs might become bottlenecks, which hinders network extension. Inter-AS option C has better scalability because it makes PEs directly exchange VPN-IPv4 routes.

In this solution, PEs exchange VPN-IPv4 routes over a multihop MP-EBGP session. Each PE must have a route to the peer PE and a label for the route so that the inter-AS public tunnel between the PEs can be set up. Inter-AS option C sets up a public tunnel by using the following methods:

· A label distribution protocol within the AS, for example, LDP.

· Labeled IPv4 unicast route advertisement by ASBRs through BGP.

Labeled IPv4 unicast route advertisement refers to the process of assigning MPLS labels to IPv4 unicast routes and advertising IPv4 unicast routes and their labels.

Figure 9 Network diagram for inter-AS option C

As shown in Figure 9, in VPN 1, routes are advertised from CE 1 to CE 3 by using the following process:

1. PE 1 advertises the VPN routes learned from CE 1 as VPN-IPv4 routes to PE 3 through multihop MP-EBGP.

Assume that the inner label assigned by PE 1 for the routes is Lx.

2. PE 3 advertises the received routes to CE 3.

Setting up an inter-AS public tunnel is difficult in this solution. A public tunnel, for example, the one from PE 3 to PE 1, is set up by using the following process:

1. Within AS 100, the public tunnel from ASBR 1 to PE 1 is set up by using a label distribution protocol, for example, LDP.

Assume that the outgoing label for the public tunnel on ASBR 1 is L1.

2. ASBR 1 advertises labeled IPv4 unicast routes to ASBR 2 through EBGP.

The route destined for PE 1 and the label (L2) assigned by ASBR 1 for the route are advertised from ASBR 1 to ASBR 2. The next hop of the route is ASBR 1. The public tunnel from ASBR 2 to ASBR 1 is set up. The incoming label for the public tunnel on ASBR 1 is L2.

3. ASBR 2 advertises labeled IPv4 unicast routes to PE 3 through IBGP.

The route destined for PE 1 and the label (L3) assigned by ASBR 2 for the route are advertised from ASBR 2 to PE 3. The next hop for the route is ASBR 2. The public tunnel from PE 3 to ASBR 2 is set up. The incoming label for the public tunnel on ASBR 2 is L3, and the outgoing label is L2.

4. MPLS packets cannot be forwarded directly from PE 3 to ASBR 2. Within AS 200, the public tunnel from PE 3 to ASBR 2 is required to be set up hop by hop through a label distribution protocol, for example, LDP.

Assume that the outgoing label for the public tunnel on PE 3 is Lv.

After route advertisement and public tunnel setup, a packet is forwarded from CE 3 to CE 1 by using the following process:

1. PE 3 performs the following routing table lookups for the packet:

a. Finds a matching route with next hop PE 1 and inner label Lx, and encapsulates the packet with label Lx.

b. Finds the route to PE 1 with next hop ASBR 2 and label L3, and encapsulates the packet with label L3 as the outer label.

c. Finds the route to ASBR 2 with outgoing label Lv, and encapsulates the packet with label Lv as the outmost label.

2. AS 200 transmits the packet to ASBR 2 by the outmost label.

3. ASBR 2 removes the outmost label, replaces L3 with L2, and forwards the packet to ASBR 1.

4. ASBR 1 replaces L2 with L1, and forwards the packet.

5. AS 100 transmits the packet to PE 1 by the outer label.

6. PE 1 removes the outer label, and forwards the packet to CE 1 according to the inner label Lx.

As shown in Figure 10, to improve scalability, you can specify an RR in each AS to exchange VPN-IPv4 routes with PEs in the same AS. The RR in each AS maintains all VPN-IPv4 routes. The RRs in two ASs establish a multihop MP-EBGP session to advertise VPN-IPv4 routes.

Figure 10 Network diagram for inter-AS option C using RRs

Carrier's carrier

If a customer of an MPLS L3VPN service provider is also a service provider:

· The MPLS L3VPN service provider is called the provider carrier or the Level 1 carrier.

· The customer is called the customer carrier or the Level 2 carrier.

This networking model is referred to as carrier's carrier.

The PEs of the Level 2 carrier directly exchange customer networks over a BGP session. The Level 1 carrier only learns the backbone networks of the Level 2 carrier, without learning customer networks.

For packets between customer networks to travel through the Level 1 carrier, the PE of the Level 1 carrier and the CE of the Level 2 carrier must assign labels to the backbone networks of the Level 2 carrier. The CE of the Level 2 carrier is a PE within the Level 2 carrier network.

Follow these guidelines to assign labels:

· If the PE and the CE are in the same AS, you must configure IGP and LDP between them. If they are in different ASs, you must configure MP-EBGP to assign labels to IPv4 unicast routes exchanged between them.

· You must enable MPLS on the CE of the Level 2 carrier regardless of whether the PE and CE are in the same AS.

A Level 2 carrier can be an ordinary ISP or an MPLS L3VPN service provider.

As shown in Figure 11, when the customer carrier is an ordinary ISP, its PEs and CEs run IGP to communicate with each other. The PEs do not need to run MPLS. PE 3 and PE 4 exchange customer network routes (IPv4 unicast routes) through an IBGP session.

Figure 11 Scenario where the Level 2 carrier is an ISP

As shown in Figure 12, when the customer carrier is an MPLS L3VPN service provider, its PEs and CEs must run IGP and LDP to communicate with each other. PE 3 and PE 4 exchange customer network routes (VPN-IPv4 routes) through an MP-IBGP session.

Figure 12 Scenario where the Level 2 carrier is an MPLS L3VPN service provider

NOTE:

As a best practice, establish equal cost LSPs between the Level 1 carrier and the Level 2 carrier if equal cost routes exist between them.

Nested VPN

The nested VPN technology exchanges VPNv4 routes between PEs and CEs of the ISP MPLS L3VPN and allows a customer to manage its own internal VPNs. Figure 13 shows a nested VPN network. On the service provider's MPLS VPN network, there is a customer VPN named VPN A. The customer VPN contains two sub-VPNs, VPN A-1 and VPN A-2.

The service provider PEs consider the customer's network as a common VPN user and do not join any sub-VPNs. The service provider CE devices (CE 1 and CE 2) exchange VPNv4 routes including sub-VPN routing information with the service provider PEs, which implements the propagation of the sub-VPN routing information throughout the customer network.

The nested VPN technology supports both symmetric networking and asymmetric networking. Sites of the same VPN can have the same number or different numbers of internal VPNs. Nested VPN also supports multiple-level nesting of internal VPNs.

Figure 13 Network diagram for nested VPN

Propagation of routing information

In a nested VPN network, routing information is propagated by using the following process:

1. After receiving VPN routes from customer CEs, a customer PE advertises VPN-IPv4 routes to the provider CEs through MP-BGP.

2. The provider CEs advertise the VPN-IPv4 routes to a provider PE through MP-BGP.

3. After receiving a VPN-IPv4 route, the provider PE keeps the customer's internal VPN information, and appends the customer's MPLS VPN attributes on the service provider network. It replaces the RD of the VPN-IPv4 route with the RD of the customer's MPLS VPN on the service provider network. It also adds the export route-target (ERT) attribute of the customer's MPLS VPN on the service provider network to the extended community attribute list of the route. The internal VPN information for the customer is maintained on the provider PE.

4. The provider PE advertises VPN-IPv4 routes carrying the comprehensive VPN information to the other PEs of the service provider.

5. After another provider PE receives the VPN-IPv4 routes, it matches the VPN-IPv4 routes to the import targets of its local VPNs. Each local VPN accepts routes of its own and advertises them to provider CEs. If a provider CE (such as CE 7 and CE 8 in Figure 13) is connected to a provider PE through an IPv4 connection, the PE advertises IPv4 routes to the CE. If it is a VPN-IPv4 connection (a customer MPLS VPN network), the PE advertises VPN-IPv4 routes to the CE.

6. After receiving VPN-IPv4 routes from the provider CE, a customer PE matches those routes to local import targets. Each customer VPN accepts only its own routes and advertises them to connected customer CEs (such as CE 3, CE 4, CE 5, and CE 6 in Figure 13).

HoVPN

Hierarchy of VPN (HoVPN), also called Hierarchy of PE (HoPE), prevents PEs from being bottlenecks and is applicable to large-scale VPN deployment.

HoVPN divides PEs into underlayer PEs (UPEs) or user-end PEs, and superstratum PEs (SPEs) or service provider-end PEs. UPEs and SPEs have different functions and comprise a hierarchical PE. The HoPE and common PEs can coexist in an MPLS network.

Figure 14 Basic architecture of HoVPN

As shown in Figure 14, UPEs and SPEs play the following different roles:

· A UPE is directly connected to CEs. It provides user access. It maintains the routes of directly connected VPN sites. It does not maintain the routes of the remote sites in the VPN, or it only maintains their summary routes. A UPE assigns inner labels to the routes of its directly connected sites, and advertises the labels along with VPN routes to the SPE through MP-BGP. A UPE features high access capability, small routing table capacity, and low forwarding performance.

· An SPE is connected to UPEs and resides inside the service provider network. It manages and advertises VPN routes. It maintains all the routes of the VPNs connected through UPEs, including the routes of both the local and remote sites. An SPE advertises routes along with labels to UPEs, including the default routes of VPN instances or summary routes and the routes permitted by the routing policy. By using routing policies, you can control which sites in a VPN can communicate with each other. An SPE features large routing table capacity, high forwarding performance, and fewer interface resources.

Either MP-IBGP or MP-EBGP can run between SPE and UPE. When MP-IBGP runs between SPE and UPEs, the SPE acts as the RR of multiple UPEs and reflects routes between UPEs.

HoVPN supports HoPE recursion:

· An HoPE can act as a UPE to form a new HoPE with an SPE.

· An HoPE can act as an SPE to form a new HoPE with multiple UPEs.

HoVPN supports multilevel recursion. In HoPE recursion, the concepts of SPE and UPE are relative. A PE might be the SPE of its underlayer PEs and a UPE of its SPE at the same time.

Figure 15 Recursion of HoPEs

Figure 15 shows a three-level HoPE. The PE in the middle is called the middle-level PE (MPE). MP-BGP runs between SPE and MPE, and between MPE and UPE.

MP-BGP advertises the following routes:

· All the VPN routes of UPEs to the SPEs.

· The default routes of the VPN instance of the SPEs or the VPN routes permitted by the routing policies to the UPEs.

The SPE maintains the VPN routes of all sites in the HoVPN. Each UPE maintains only VPN routes of its directly connected sites. An MPE has fewer routes than the SPE but has more routes than a UPE.

OSPF VPN extension

This section describes the OSPF VPN extension. For more information about OSPF, see Layer 3—IP Routing Configuration Guide.

OSPF for VPNs on a PE

If OSPF runs between a CE and a PE to exchange VPN routes, the PE must support multiple OSPF instances to create independent routing tables for VPN instances. Each OSPF process is bound to a VPN instance. Routes learned by an OSPF process are added into the routing table of the bound VPN instance.

OSPF area configuration between a PE and a CE

The OSPF area between a PE and a CE can be either a non-backbone area or a backbone area.

In the OSPF VPN extension application, the MPLS VPN backbone is considered the backbone area (area 0). The area 0 of each site must be connected to the MPLS VPN backbone (physically connected or logically connected through a virtual link) because OSPF requires that the backbone area be contiguous.

BGP/OSPF interaction

If OSPF runs between PEs and CEs, each PE redistributes BGP routes to OSPF and advertises the routes to CEs through OSPF. OSPF considers the routes redistributed from BGP as external routes but the OSPF routes actually belong to the same OSPF domain. This problem can be resolved by configuring the same domain ID for sites in an OSPF domain.

Figure 16 Network diagram for BGP/OSPF interaction

As shown in Figure 16, CE 11, CE 21, and CE 22 belong to the same VPN and the same OSPF domain.

Before domain ID configuration, VPN 1 routes are advertised from CE 11 to CE 21 and CE 22 by using the following process:

1. PE 1 redistributes OSPF routes from CE 11 into BGP, and advertises the VPN routes to PE 2 through BGP.

2. PE 2 redistributes the BGP routes to OSPF, and advertises them to CE 21 and CE 22 in AS External LSAs (Type 5) or NSSA External LSAs (Type 7).

After domain ID configuration, VPN 1 routes are advertised from CE 11 to CE 21 and CE 22 by using the following process:

1. PE 1 redistributes OSPF routes into BGP, adds the domain ID to the redistributed BGP VPNv4 routes as a BGP extended community attribute, and advertises the routes to PE 2.

2. PE 2 compares the domain ID in the received routes with the locally configured domain ID. If they are the same and the received routes are intra-area or inter-area routes, OSPF advertises these routes in Network Summary LSAs (Type 3). Otherwise, OSPF advertises these routes in AS External LSAs (Type 5) or NSSA External LSAs (Type 7).

Routing loop avoidance

Figure 17 Network diagram for routing loop avoidance

As shown in Figure 17, Site 1 is connected to two PEs. When a PE advertises VPN routes learned from MP-BGP to Site 1 through OSPF, the routes might be received by the other PE. This results in a routing loop.

OSPF VPN extension uses the following tags to avoid routing loops:

· DN bit (for Type 3 LSAs)—When a PE redistributes BGP routes into OSPF and creates Type 3 LSAs, it sets the DN bit for the LSAs. When receiving the Type 3 LSAs advertised by CE 11, the other PE ignores the LSAs whose DN bit is set to avoid routing loops.

· Route tag (for Type 5 or 7 LSAs)—The two PEs use the same route tag. When a PE redistributes BGP routes into OSPF and creates Type 5 or 7 LSAs, it adds the route tag to the LSAs. When receiving the Type 5 or 7 LSAs advertised by CE 11, the other PE compares the route tag in the LSAs against the local route tag. If they are the same, the PE ignores the LSAs to avoid routing loops.

OSPF sham link

As shown in Figure 18, two routes exist between Site 1 and Site 2 of VPN 1:

· A route over MPLS backbone—It is an inter-area route if PE 1 and PE 2 have the same domain ID, or is an external route if PE 1 and PE 2 are configured with no domain ID or with different domain IDs.

· A direct route between CEs—It is an intra-area route that is called a backdoor link.

VPN traffic is always forwarded through the backdoor link because it has a higher priority than the inter-area route. To forward VPN traffic over the inter-area route, you can establish a sham link between the two PEs to change the inter-area route to an intra-area route.

Figure 18 Network diagram for sham link

A sham link is considered a virtual point-to-point link within a VPN and is advertised in a Type 1 LSA. It is identified by the source IP address and destination IP address that are the local PE address and the remote PE address in the VPN address space. Typically, the source and destination addresses are loopback interface addresses with a 32-bit mask.

To add a route to the destination IP address of a sham link to a VPN instance, the remote PE must advertise the source IP address of the sham link as a VPN-IPv4 address through MP-BGP. To avoid routing loops, a PE does not advertise the sham link's destination address.

BGP AS number substitution and SoO attribute

BGP detects routing loops by examining AS numbers. If EBGP runs between PE and CE, you must assign different AS numbers to geographically different sites or configure the BGP AS number substitution feature to ensure correct transmission of routing information.

The BGP AS number substitution feature allows geographically different CEs to use the same AS number. If the AS_PATH of a route contains the AS number of a CE, the PE replaces the AS number with its own AS number before advertising the route to that CE.

After you enable the BGP AS number substitution feature, the PE performs BGP AS number substitution for all routes and re-advertises them to connected CEs in the peer group.

Figure 19 Application of BGP AS number substitution and SoO attribute

As shown in Figure 19, both Site 1 and Site 2 use the AS number 800. AS number substitution is enabled on PE 2 for CE 2. Before advertising updates received from CE 1 to CE 2, PE 2 substitutes its own AS number 100 for the AS number 800. In this way, CE 2 can correctly receive the routing information from CE 1.

However, the AS number substitution feature also introduces a routing loop in Site 2 because route updates originated from CE 3 can be advertised back to Site 2 through PE 2 and CE 2. To remove the routing loop, you can configure the same SoO attribute on PE 2 for CE 2 and CE 3. PE 2 adds the SoO attribute to route updates received from CE 2 or CE 3, and checks the SoO attribute of route updates to be advertised to CE 2 or CE 3. The SoO attribute of the route updates from CE 3 is the same as the SoO attribute for CE 2, and PE 2 does not advertise route updates to CE 2.

For more information about the SoO attribute, see Layer 3—IP Routing Configuration Guide.

Protocols and standards

· RFC 3107, Carrying Label Information in BGP-4

· RFC 4360, BGP Extended Communities Attribute

· RFC 4364, BGP/MPLS IP Virtual Private Networks (VPNs)

· RFC 4577, OSPF as the Provider/Customer Edge Protocol for BGP/MPLS IP Virtual Private Networks (VPNs)

Configuration restrictions and guidelines

MPLS L3VPN is exclusive with EVI and VXLAN.

MPLS L3VPN configuration task list

Tasks at a glance
(Required.) Configuring basic MPLS L3VPN
(Optional.) Configuring inter-AS VPN
(Optional.) Configuring nested VPN
(Optional.) Configuring HoVPN
(Optional.) Configuring an OSPF sham link
(Optional.) Specifying the VPN label processing mode on the egress PE
(Optional.) Configuring BGP AS number substitution and SoO attribute
(Optional.) Enabling SNMP notifications for MPLS L3VPN
(Optional.) Enabling logging for BGP route flapping

Configuring basic MPLS L3VPN

Tasks at a glance
Configuring VPN instances: (Required.) Creating a VPN instance (Required.) Associating a VPN instance with an interface (Optional.) Configuring route related attributes for a VPN instance


(Required.) Configuring routing between a PE and a CE
(Required.) Configuring routing between PEs
(Optional.) Configuring BGP VPNv4 route control

Configuration prerequisites

Before you configure basic MPLS L3VPN, perform the following tasks:

1. Configure an IGP on the PEs and P devices to ensure IP connectivity within the MPLS backbone.

2. Configure basic MPLS for the MPLS backbone.

3. Configure MPLS LDP on the PEs and P devices to establish LDP LSPs.

Configuring VPN instances

VPN instances isolate VPN routes from public network routes and routes among VPNs. This feature allows VPN instances to be used in network scenarios besides MPLS L3VPNs.

All VPN instance configurations are performed on PEs.

Creating a VPN instance

A VPN instance is a collection of the VPN membership and routing rules of its associated site. A VPN instance might correspond to more than one VPN.

To create and configure a VPN instance:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a VPN instance and enter VPN instance view.	ip vpn-instance vpn-instance-name	By default, no VPN instance is created.
3. Configure an RD for the VPN instance.	route-distinguisher route-distinguisher	By default, no RD is specified for a VPN instance.
4. (Optional.) Configure a description for the VPN instance.	description text	By default, no description is configured for a VPN instance.
5. (Optional.) Configure a VPN ID for the VPN instance.	vpn-id vpn-id	By default, no VPN ID is configured for a VPN instance.

Associating a VPN instance with an interface

After creating and configuring a VPN instance, associate the VPN instance with the interface connected to the CE.

To associate a VPN instance with an interface:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
1. Enter interface view.	interface interface-type interface-number	N/A
2. Associate a VPN instance with the interface.	ip binding vpn-instance vpn-instance-name	By default, an interface is not associated with a VPN instance. The ip binding vpn-instance command deletes the IP address of the current interface. You must reconfigure an IP address for the interface after configuring the command.

Configuring route related attributes for a VPN instance

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter VPN instance view or IPv4 VPN view	· Enter VPN instance view: ip vpn-instance vpn-instance-name · Enter IPv4 VPN view: a. ip vpn-instance vpn-instance-name b. address-family ipv4	Configurations made in VPN instance view apply to both IPv4 VPN and IPv6 VPN. IPv4 VPN prefers the configurations in IPv4 VPN view over the configurations in VPN instance view.
3. Configure route targets.	vpn-target vpn-target&<1-8> [ both \| export-extcommunity \| import-extcommunity ]	By default, no route targets are configured.
4. Set the maximum number of active routes allowed.	routing-table limit number { warn-threshold \| simply-alert }	By default, the maximum number of active routes is not configured. Setting the maximum number of active routes for a VPN instance can prevent the PE from learning too many routes.
5. Apply an import routing policy.	import route-policy route-policy	By default, all routes matching the import target attribute are accepted. The specified routing policy must have been created. For information about routing policies, see Layer 3—IP Routing Configuration Guide.
6. Apply an export routing policy.	export route-policy route-policy	By default, routes to be advertised are not filtered. The specified routing policy must have been created. For information about routing policies, see Layer 3—IP Routing Configuration Guide.
7. Apply a tunnel policy to the VPN instance.	tnl-policy tunnel-policy-name	By default, only one tunnel is selected (no load balancing) in this order: LSP tunnel and CRLSP tunnel. The specified tunnel policy must have been created. For information about tunnel policies, see "Configuring tunnel policies."

Configuring routing between a PE and a CE

You can configure static routing, RIP, OSPF, IS-IS, EBGP, or IBGP between a PE and a CE.

Configuring static routing between a PE and a CE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure a static route for a VPN instance.	ip route-static vpn-instance s-vpn-instance-name dest-address { mask-length \| mask } { interface-type interface-number [ next-hop-address ] \|next-hop-address [ public ] [ track track-entry-number ] \| vpn-instance d-vpn-instance-name next-hop-address [ track track-entry-number ] } [ permanent ] [ preference preference-value ] [ tag tag-value ] [ description description-text ]	By default, no static route is configured for a VPN instance. Perform this configuration on the PE. On the CE, configure a common static route. For more information about static routing, see Layer 3—IP Routing Configuration Guide.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure a static route for a VPN instance.

ip route-static vpn-instance s-vpn-instance-name dest-address { mask-length | mask } { interface-type interface-number [ next-hop-address ] |next-hop-address [ public ] [ track track-entry-number ] | vpn-instance d-vpn-instance-name next-hop-address [ track track-entry-number ] } [ permanent ] [ preference preference-value ] [ tag tag-value ] [ description description-text ]

By default, no static route is configured for a VPN instance.

Perform this configuration on the PE. On the CE, configure a common static route.

For more information about static routing, see Layer 3—IP Routing Configuration Guide.

Configuring RIP between a PE and a CE

A RIP process belongs to the public network or a single VPN instance. If you create a RIP process without binding it to a VPN instance, the process belongs to the public network.

To configure RIP between a PE and a CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a RIP process for a VPN instance and enter RIP view.	rip [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the PE. On the CE, create a common RIP process.
3. Enable RIP on the interface attached to the specified network.	network network-address	By default, RIP is disabled on an interface.

Configuring OSPF between a PE and a CE

An OSPF process that is bound to a VPN instance does not use the public network router ID configured in system view. Therefore, you must specify a router ID when starting a process or configure an IP address for at least one interface of the VPN instance.

An OSPF process belongs to the public network or a single VPN instance. If you create an OSPF process without binding it to a VPN instance, the process belongs to the public network.

To configure OSPF between a PE and a CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an OSPF process for a VPN instance and enter the OSPF view.	ospf [ process-id \| router-id router-id \| vpn-instance vpn-instance-name ] *	Perform this configuration on the PE. On the CE, create a common OSPF process. Deleting a VPN instance also deletes all related OSPF processes.
3. (Optional.) Set an OSPF domain ID.	domain-id domain-id [ secondary ]	The default domain ID is 0. Perform this configuration on the PE. The domain ID is carried in the routes of the OSPF process. When redistributing routes from the OSPF process, BGP adds the domain ID as an extended community attribute into BGP routes. An OSPF process can be configured with only one domain ID. Domain IDs of different OSPF processes can be the same. All OSPF processes of a VPN must be configured with the same domain ID.
4. Configure the type codes of OSPF extended community attributes.	ext-community-type { domain-id type-code1 \| router-id type-code2 \| route-type type-code3 }	The defaults are as follows: · 0x0005 for Domain ID. · 0x0107 for Router ID. · 0x0306 for Route Type. Perform this configuration on the PE.
5. Create an OSPF area and enter area view.	area area-id	By default, no OSPF area is created.
6. Enable OSPF on the interface attached to the specified network in the area.	network ip-address wildcard-mask	By default, an interface neither belongs to any area nor runs OSPF.

Configuring IS-IS between a PE and a CE

An IS-IS process belongs to the public network or a single VPN instance. If you create an IS-IS process without binding it to a VPN instance, the process belongs to the public network.

To configure IS-IS between a PE and a CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an IS-IS process for a VPN instance and enter IS-IS view.	isis [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the PE. On the CE, configure common IS-IS.
3. Configure a network entity title for the IS-IS process.	network-entity net	By default, no NET is configured.
4. Return to system view.	quit	N/A
5. Enter interface view.	interface interface-type interface-number	N/A
6. Enable the IS-IS process on the interface.	isis enable [ process-id ]	By default, no IS-IS process is enabled on the interface.

Configuring EBGP between a PE and a CE

1. Configure the PE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable BGP and enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	Configuration commands in BGP-VPN instance view are the same as those in BGP view. For more information, see Layer 3—IP Routing Configuration Guide.
4. Configure the CE as the VPN EBGP peer.	peer { group-name \| ip-address [ mask-length ] } as-number as-number	By default, no BGP peer is configured. For more information about BGP peers and peer groups, see Layer 3—IP Routing Configuration Guide.
5. Create the BGP-VPN IPv4 unicast family and enter its view.	address-family ipv4 [ unicast ]	By default, the BGP-VPN IPv4 unicast family is not created.
6. Enable IPv4 unicast route exchange with the specified peer or peer group.	peer { group-name \| ip-address [ mask-length ] } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
7. Redistribute the routes of the local CE.	import-route protocol [ { process-id \| all-processes } [ allow-direct \| med med-value \| route-policy route-policy-name ] * ]	A PE must redistribute the routes of the local CE into its VPN routing table so it can advertise them to the peer PE.
8. (Optional.) Allow the local AS number to appear in the AS_PATH attribute of a received route, and set the maximum number of repetitions.	peer { group-name \| ip-address [ mask-length ] } allow-as-loop [ number ]	By default, BGP discards incoming route updates that contain the local AS number. BGP detects routing loops by examining AS numbers. In a hub-spoke network where EBGP is running between a PE and a CE, the routing information the PE advertises to a CE carries the AS number of the PE. Therefore, the route updates that the PE receives from the CE also include the AS number of the PE. This causes the PE to be unable to receive the route updates. In this case, you must configure this command to allow routing loops.

2. Configure the CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the PE as a BGP peer.	peer { group-name \| ip-address [ mask-length ] } as-number as-number	By default, no BGP peer is created.
4. Create the BGP IPv4 unicast family and enter its view.	address-family ipv4 [ unicast ]	By default, the BGP IPv4 unicast family is not created.
5. Enable IPv4 unicast route exchange with the specified peer or peer group.	peer { group-name \| ip-address [ mask-length ] } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
6. (Optional.) Configure route redistribution.	import-route protocol [ { process-id \| all-processes } [ allow-direct \| med med-value \| route-policy route-policy-name ] * ]	A CE must redistribute its routes to the PE so the PE can advertise them to the peer CE.

Configuring IBGP between a PE and a CE

Use IBGP between PE and CE only in a basic MPLS L3VPN network. In networks such as Hub&Spoke, Extranet, inter-AS VPN, carrier's carrier, nested VPN, and HoVPN, you cannot use IBGP between PE and CE.

1. Configure the PE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	Configuration commands in BGP-VPN instance view are the same as those in BGP view. For more information, see Layer 3—IP Routing Configuration Guide.
4. Configure the CE as the VPN IBGP peer.	peer { group-name \| ip-address [ mask-length ] } as-number as-number	By default, no BGP peer is created.
5. Create the BGP-VPN IPv4 unicast family and enter its view.	address-family ipv4 [ unicast ]	By default, the BGP-VPN IPv4 unicast family is not created.
6. Enable IPv4 unicast route exchange with the specified peer.	peer { group-name \| ip-address [ mask-length ] } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
7. Configure the CE as a client of the RR.	peer { group-name \| ip-address [ mask-length ] } reflect-client	By default, no RR or RR client is configured, and the PE does not advertise routes learned from the IBGP peer CE to other IBGP peers, including VPNv4 IBGP peers. The PE advertises routes learned from the CE to other IBGP peers only when you configure the IBGP peer CE as a client of the RR. Configuring an RR does not change the next hop of a route. To change the next hop of a route, configure an inbound policy on the receiving side.
8. (Optional.) Enable route reflection between clients.	reflect between-clients	Route reflection between clients is enabled by default.
9. (Optional.) Configure the cluster ID for the RR.	reflector cluster-id { cluster-id \| ip-address }	By default, the RR uses its own router ID as the cluster ID. If multiple RRs exist in a cluster, use this command to configure the same cluster ID for all RRs in the cluster to avoid routing loops.

2. Configure the CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the PE as an IBGP peer.	peer { group-name \| ip-address [ mask-length ] } as-number as-number	By default, no BGP peer is created.
4. Create the BGP IPv4 unicast family and enter its view.	address-family ipv4 [ unicast ]	By default, the BGP IPv4 unicast family is not created.
5. Enable IPv4 unicast route exchange with the specified peer or peer group.	peer { group-name \| ip-address [ mask-length ] } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
6. (Optional.) Configure route redistribution.	import-route protocol [ { process-id \| all-processes } [ allow-direct \| med med-value \| route-policy route-policy-name ] * ]	A CE must redistribute its routes to the PE so the PE can advertise them to the peer CE.

Configuring routing between PEs

Step	Command	Remarks
7. Enter system view.	system-view	N/A
8. Enter BGP view.	bgp as-number	N/A
9. Configure the remote PE as a BGP peer.	peer { group-name \| ip-address [ mask-length ] } as-number as-number	By default, no BGP peer is created.
10. Specify the source interface for route updates.	peer { group-name \| ip-address [ mask-length ] } connect-interface interface-type interface-number	By default, BGP uses the egress interface of the optimal route destined for the peer as the source interface.
11. Create the BGP VPNv4 address family and enter its view.	address-family vpnv4	By default, the BGP VPNv4 address family is not created.
12. Enable BGP VPNv4 route exchange with the specified peer.	peer { group-name \| ip-address [ mask-length ] } enable	By default, BGP does not exchange BGP VPNv4 routes with any peer.

Configuring BGP VPNv4 route control

BGP VPNv4 route control is configured similarly with BGP route control, except that it is configured in BGP VPNv4 address family view. For detailed information about BGP route control, see Layer 3—IP Routing Configuration Guide.

To configure BGP VPNv4 route control:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP VPNv4 address family view.	address-family vpnv4	N/A
4. Configure filtering of advertised routes.	filter-policy { acl-number \| prefix-list prefix-list-name } export [ protocol process-id ]	By default, BGP does not filter advertised routes.
5. Configure filtering of received routes.	filter-policy { acl-number \| prefix-list prefix-list-name } import	By default, BGP does not filter received routes.
6. Advertise community attributes to a peer or peer group.	peer { group-name \| ip-address [ mask-length ] } advertise-community	By default, no community attributes are advertised to any peer or peer group.
7. Allow the local AS number to appear in the AS_PATH attribute of routes received from the peer, and set the maximum number of repetitions.	peer { group-name \| ip-address [ mask-length ] } allow-as-loop [ number ]	By default, BGP discards route updates that contain the local AS number.
8. Filter routes received from or advertised to a peer or peer group based on an AS_PATH list.	peer { group-name \| ip-address [ mask-length ] } as-path-acl aspath-filter-number { import \| export }	By default, no AS filtering list is applied to a peer or peer group.
9. Advertise a default VPN route to a peer or peer group.	peer { group-name \| ip-address [ mask-length ] } default-route-advertise vpn-instance vpn-instance-name	By default, no default VPN route is advertised to a peer or peer group.
10. Apply an ACL to filter routes received from or advertised to a peer or peer group.	peer { group-name \| ip-address [ mask-length ] } filter-policy acl-number { export \| import }	By default, no ACL-based filtering is configured.
11. Save all route updates from a peer or peer group.	peer { group-name \| ip-address [ mask-length ] } keep-all-routes	By default, BGP does not save route updates from any peer.
12. Specify the router as the next hop of routes sent to a peer or peer group.	peer { group-name \| ip-address [ mask-length ] } next-hop-local	By default, the router sets itself as the next hop for routes sent to a peer or peer group.
13. Configure BGP to not change the next hop of routes sent to a peer or peer group.	peer { group-name \| ip-address [ mask-length ] } next-hop-invariable	By default, the router sets itself as the next hop for routes sent to an EBGP peer or peer group. On an RR in an inter-AS option C scenario, you must configure this command to not change the next hop of VPNv4 routes advertised to BGP peers and RR clients.
14. Specify a preferred value for routes received from a peer or peer group.	peer { group-name \| ip-address [ mask-length ] } preferred-value value	By default, the preferred value is 0.
15. Apply a prefix list to filter routes received from or advertised to a peer or peer group.	peer { group-name \| ip-address [ mask-length ] } prefix-list prefix-list-name { export \| import }	By default, no prefix list based filtering is configured.
16. Configure BGP updates advertised to an EBGP peer or peer group to carry only public AS numbers.	peer { group-name \| ip-address [ mask-length ] } public-as-only	By default, BGP route updates advertised to an EBGP peer or peer group can carry both public and private AS numbers.
17. Configure the router as a route reflector and specify a peer or peer group as its client.	peer { group-name \| ip-address [ mask-length ] } reflect-client	By default, no RR is configured.
18. Set the maximum number of routes BGP can receive from a peer or peer group.	peer { group-name \| ip-address [ mask-length ] } route-limit prefix-number [ { alert-only \| discard \| reconnect reconnect-time } \| percentage-value ] *	By default, the number of routes that BGP can receive from a peer or peer group is not limited.
19. Apply a routing policy to a peer or peer group.	peer { group-name \| ip-address [ mask-length ] } route-policy route-policy-name { export \| import }	By default, no routing policy is applied to a peer or peer group.
20. Enable route target-based filtering of received VPNv4 routes.	policy vpn-target	By default, this feature is enabled.
21. Enable route reflection between clients.	reflect between-clients	By default, route reflection between clients is enabled on the RR.
22. Configure a cluster ID for the route reflector.	reflector cluster-id { cluster-id \| ip-address }	By default, the RR uses its own router ID as the cluster ID.
23. Configure filtering of reflected routes.	rr-filter extended-community-number	By default, the RR does not filter reflected routes.
24. Configure the SoO attribute for a BGP peer or peer group.	peer { group-name \| ip-address [ mask-length ] } soo site-of-origin	By default, the SoO attribute is not configured.

Configuring inter-AS VPN

If the MPLS backbone spans multiple ASs, you must configure inter-AS VPN.

Configuring inter-AS option A

Inter-AS option A applies to scenarios with a few VPNs.

To configure inter-AS option A, create VPN instances on PEs and ASBRs. The VPN instances on PEs are used to allow CEs to access the network, The VPN instances on ASBRs are used to access the peer ASBRs. An ASBR considers the peer ASBR as a CE.

The route targets configured on the PEs must match those configured on the ASBRs in the same AS to make sure VPN routes sent by the PEs (or ASBRs) can be received by the ASBRs (or PEs). Route targets configured on the PEs in different ASs do not have such requirements.

For more information, see "Configuring basic MPLS L3VPN."

Configuring inter-AS option B

To configure inter-AS option B, perform configurations on PEs and ASBRs.

· PE configuration:

Configure basic MPLS L3VPN, and specify the ASBR in the same AS as an MP-IBGP peer. The route targets for the VPN instances on the PEs in different ASs must match for the same VPN. For information about PE configuration, see "Configuring basic MPLS L3VPN."

· ASBR configuration:

¡ Configure a routing protocol, and enable MPLS and LDP on the interface connected to an internal router of the AS.

¡ Specify the PE in the same AS as an MP-IBGP peer, and the ASBR in a different AS as an MP-EBGP peer.

¡ Disable VPN target filtering for VPNv4 routes so the ASBR can maintain all VPNv4 routes and advertise the routes to the peer ASBR.

¡ Enable MPLS capability on the interface connected to the ASBR in another AS. There is no need to configure a label distribution protocol, for example, LDP.

An ASBR always sets itself as the next hop of VPNv4 routes advertised to an MP-IBGP peer regardless of the peer next-hop-local command.

To configure inter-AS option B on an ASBR:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view of the interface connected to an internal router of the AS.	interface interface-type interface-number	N/A
3. Enable MPLS on the interface.	mpls enable	By default, MPLS is disabled on the interface.
4. Enable MPLS LDP on the interface.	mpls ldp enable	By default, MPLS LDP is disabled on the interface.
5. Return to system view.	quit	N/A
6. Enter interface view of the interface connected to the remote ASBR.	interface interface-type interface-number	N/A
7. Enable MPLS on the interface.	mpls enable	By default, MPLS is disabled on the interface.
8. Return to system view.	quit	N/A
9. Enter BGP view.	bgp as-number	N/A
10. Create a BGP peer.	peer { group-name \| ip-address [ mask-length ] } as-number as-number	By default, no BGP peer is configured. Configure PEs in the same AS as IBGP peers, and ASBRs in different ASs as EBGP peers.
11. Enter BGP VPNv4 address family view.	address-family vpnv4	N/A
12. Enable BGP to exchange VPNv4 routes with the PE in the same AS and the ASBR in different ASs.	peer { group-name \| ip-address [ mask-length ] } enable	By default, BGP cannot exchange VPNv4 routing information with a peer.
13. Disable route target based filtering of VPNv4 routes.	undo policy vpn-target	By default, the PE filters received VPNv4 routes by route targets. The routes surviving the filtering are added to the routing table, and the others are discarded.

Configuring inter-AS option C

To configure inter-AS option C, perform configurations on PEs and ASBRs.

· PE configuration:

¡ Configure basic MPLS L3VPN, and specify the PE in another AS as an MP-EBGP peer. The route targets for the VPN instances on the PEs in different ASs must match for the same VPN. For information about PE configuration, see "Configuring basic MPLS L3VPN."

¡ Execute the peer ebgp-max-hop command to enable the local router to establish an EBGP session to an indirectly-connected peer, because the PEs are not directly connected.

¡ Specify the ASBR in the same AS as an IBGP peer, and enable BGP to exchange labeled IPv4 unicast routes with the ASBR.

· ASBR configuration:

¡ Configure a routing protocol, and enable MPLS and LDP on the interface connected to an internal router of the AS.

¡ Specify the PE in the same AS as an IBGP peer, and the ASBR in a different AS as an EBGP peer.

¡ Enable BGP to exchange labeled IPv4 unicast routes with the PE in the same AS and the ASBR in different AS.

¡ Enable MPLS capability on the interface connected to the ASBR in another AS. There is no need to configure a label distribution protocol, for example, LDP.

¡ (Optional.) Configure a routing policy to determine which IPv4 unicast routes are advertised to the IBGP or EBGP peer with MPLS labels.

In addition, configure BGP to advertise routes destined for a PE on PEs or ASBRs. For more information, see Layer 3—IP Routing Configuration Guide.

Configuring a PE

To configure a PE for inter-AS option C:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the ASBR in the same AS as an IBGP peer.	peer { group-name \| ip-address [ mask-length ] } as-number as-number	By default, no BGP peer is created.
4. Configure the PE of another AS as an EBGP peer.	peer { group-name \| ip-address [ mask-length ] } as-number as-number	By default, no BGP peer is created.
5. Create the BGP IPv4 unicast address family and enter its view.	address-family ipv4 [ unicast ]	By default, the BGP IPv4 unicast address family is not created.
6. Enable BGP to exchange IPv4 unicast routes with the ASBR in the same AS.	peer { group-name \| ip-address [ mask-length ] } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
7. Enable BGP to exchange labeled IPv4 routes with the ASBR in the same AS.	peer { group-name \| ip-address [ mask-length ] } label-route-capability	By default, BGP cannot exchange labeled routes with any IPv4 peer or peer group.
8. Return to BGP view.	quit	N/A
9. Enter BGP VPNv4 address family view.	address-family vpnv4	N/A
10. Enable BGP to exchange VPNv4 routes with the PE in different ASs.	peer { group-name \| ip-address [ mask-length ] } enable	By default, BGP cannot exchange VPNv4 routes with any peer.
11. (Optional.) Configure the PE to not change the next hop of routes advertised to the peer.	peer { group-name \| ip-address [ mask-length ] } next-hop-invariable	Configure this command on the RR so the RR does not change the next hop of advertised VPNv4 routes.

Configuring an ASBR

To set up an inter-AS public tunnel for the inter-AS option C solution, an ASBR must assign an MPLS label to the route destined for a PE, and advertise the label along with the route. Typically, the routes advertised by an ASBR through BGP include the PE address as well as other routes. You can configure a routing policy to filter routes. Routes surviving the filtering are assigned labels, and all others are advertised as common IPv4 routes.

To configure a routing policy, use the following commands:

· if-match mpls-label—Matches routes carrying MPLS labels.

· apply mpls-label—Sets MPLS labels for IPv4 routes advertised to a peer. You can use this command together with if-match clauses. For example, the apply mpls-label command works together with the if-match mpls-label command to set new MPLS labels for routes with MPLS labels. The newly assigned labels are advertised along with the routes.

For more information about routing policy configuration, see Layer 3—IP Routing Configuration Guide.

To configure an ASBR-PE for inter-AS option C:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. (Optional.) Create a routing policy, and enter routing policy view.	route-policy route-policy-name { deny \| permit } node node-number	By default, no routing policy is created.
3. (Optional.) Match IPv4 routes carrying labels.	if-match mpls-label	By default, no MPLS label match criterion is configured.
4. (Optional.) Set labels for IPv4 routes.	apply mpls-label	By default, no MPLS label is set for IPv4 routes.
5. Return to system view.	quit	N/A
6. Enter interface view of the interface connected to an internal router of the AS.	interface interface-type interface-number	N/A
7. Enable MPLS on the interface.	mpls enable	By default, MPLS is disabled on the interface.
8. Enable MPLS LDP on the interface.	mpls ldp enable	By default, MPLS LDP is disabled on the interface.
9. Return to system view.	quit	N/A
10. Enter interface view of the interface connected to the remote ASBR.	interface interface-type interface-number	N/A
11. Enable MPLS on the interface.	mpls enable	By default, MPLS is disabled on the interface.
12. Return to system view.	quit	N/A
13. Enter BGP view.	bgp as-number	N/A
14. Configure the PE in the same AS as an IBGP peer.	peer { group-name \| ip-address [ mask-length ] } as-number as-number	By default, no BGP peer is created.
15. Configure the ASBR in another AS as an EBGP peer.	peer { group-name \| ip-address [ mask-length ] } as-number as-number	By default, no BGP peer is created.
16. Create the BGP IPv4 unicast address family and enter its view.	address-family ipv4 [ unicast ]	By default, the BGP IPv4 unicast address family is not created.
17. Enable exchange of IPv4 unicast routes with the PE in the same AS and the ASBR in another AS.	peer { group-name \| ip-address [ mask-length ] } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
18. Enable exchange of labeled IPv4 routes with the PE in the same AS and the ASBR in another AS.	peer { group-name \| ip-address [ mask-length ] } label-route-capability	By default, BGP cannot advertise labeled routes to any IPv4 peer or peer group.
19. Configure the ASBR-PE to set itself as the next hop of routes advertised to the PE in the local AS.	peer { group-name \| ip-address [ mask-length ] } next-hop-local	By default, BGP does not use its address as the next hop of routes advertised to an IBGP peer or peer group.
20. (Optional.) Apply a routing policy to routes incoming from or outgoing to a peer or peer group.	peer { group-name \| ip-address [ mask-length ] } route-policy route-policy-name { export \| import }	By default, no routing policy is applied.

Configuring nested VPN

For a network with many VPNs, nested VPN is a good solution to implement layered management of VPNs and to conceal the deployment of internal VPNs.

To build a nested VPN network, perform the following configurations:

· Configurations between customer PE and customer CE—Configure VPN instances on the customer PE and configure route exchange between customer PE and customer CE.

· Configurations between customer PE and provider CE—Configure BGP VPNv4 route exchange between them. To make sure the provider CE can receive all VPNv4 routes, configure the undo policy vpn-target command on the provider CE to not filter VPNv4 routes by RTs.

· Configurations between provider CE and provider PE—Configure VPN instances and enable nested VPN on the provider PE and configure BGP VPNv4 route exchange between the provider CE and provider PE.

· Configurations between provider PEs—Configure BGP VPNv4 route exchange between them.

Nested VPN allows a customer PE to directly exchange VPNv4 routes with a provider PE, without needing to deploy a provider CE. In this case, the customer PE also acts as the provider CE. Therefore, you must configure provider CE settings on it.

Configurations on the customer CE, customer PE, and provider CE are similar to basic MPLS L3VPN configurations. This task describes the configurations on the provider PE.

When you configure nested VPN, follow these guidelines:

· The address spaces of sub-VPNs of a VPN cannot overlap.

· Do not assign nested VPN peers addresses that public network peers use.

· Nested VPN does not support multihop EBGP. A provider PE and a provider CE must use the addresses of the directly connected interfaces to establish a neighbor relationship.

To configure nested VPN:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP VPNv4 address family view.	address-family vpnv4	N/A
4. Enable nested VPN.	nesting-vpn	By default, nested VPN is disabled.
5. Return to BGP view.	quit	N/A
6. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
7. Specify the peer CE or the peer group of the peer CE.	peer { group-name \| peer-address [ mask-length ] } as-number as-number	By default, no peer is specified.
8. Create the BGP-VPN VPNv4 address family and enter its view.	address-family vpnv4	By default, the BGP-VPN VPNv4 address family is not created.
9. Enable BGP VPNv4 route exchange with the peer CE or the peer group of the peer CE.	peer { group-name \| peer-address [ mask-length ] } enable	By default, BGP does not exchange VPNv4 routes with any peer.
10. (Optional.) Configure the SoO attribute for the BGP peer or peer group.	peer { group-name \| ip-address [ mask-length ] } soo site-of-origin	By default, the SoO attribute is not configured.

Configuring HoVPN

In a HoVPN networking scenario, perform basic MPLS L3VPN settings on UPE and SPE. In addition, configure the following settings on the SPE:

· Specify the BGP peer or peer group as a UPE.

· Advertise the default route of the specified VPN instance or routes matching a routing policy to the UPE.

· Create a BGP-VPN instance so the learned VPNv4 routes can be added into the BGP routing table of the corresponding VPN instance by comparing RTs.

Associating an interface with a VPN instance is not required on the SPE because no interface on the SPE is directly connected to the customer network.

As a best practice, do not configure the peer default-route-advertise vpn-instance and peer upe route-policy commands at the same time.

To configure SPE for HoVPN:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Specify a BGP peer or peer group.	peer { group-name \| peer-address [ mask-length ] } as-number as-number	By default, no BGP peer is specified.
4. Enter BGP-VPN VPNv4 address family view.	address-family vpnv4	N/A
5. Enable BGP VPNv4 route exchange with the peer or peer group.	peer { group-name \| ip-address [ mask-length ] } enable	By default, BGP does not exchange VPNv4 routes with any peer.
6. Specify the BGP peer or peer group as a UPE.	peer { group-name \| ip-address [ mask-length ] } upe	By default, no peer is a UPE.
7. Advertise routes to the UPE.	· Advertise a default VPN route to the UPE: peer { group-name \| ip-address [ mask-length ] } default-route-advertise vpn-instance vpn-instance-name · Advertise routes permitted by a routing policy to the UPE: peer { group-name \| ip-address [ mask-length ] } upe route-policy route-policy-name export	By default, no route is advertised to the UPE. Do not configure both commands. The peer default-route-advertise vpn-instance command advertises a default route using the local address as the next hop to the UPE, regardless of whether the default route exists in the local routing table. However, if the specified peer is not a UPE, the command does not advertise a default route.
8. Return to BGP view.	quit	N/A
9. Create a BGP-VPN instance, and enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	By default, no BGP-VPN instance is created.

Configuring an OSPF sham link

When a backdoor link exists between the two sites of a VPN, you can create a sham link between PEs to forward VPN traffic through the sham link on the backbone rather than the backdoor link. A sham link is considered an OSPF intra-area route.

The source and destination addresses of the sham link must be loopback interface addresses with 32-bit masks. The loopback interfaces must be bound to VPN instances, and their addresses are advertised through BGP.

Before you configure an OSPF sham link, perform the following tasks:

· Configure basic MPLS L3VPN (OSPF is used between PE and CE).

· Configure OSPF in the LAN where customer CEs reside.

Configuring a loopback interface

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a loopback interface and enter loopback interface view.	interface loopback interface-number	By default, no loopback interface is created.
3. Associate the loopback interface with a VPN instance.	ip binding vpn-instance vpn-instance-name	By default, the interface is associated with no VPN instance.
4. Configure an IP address for the loopback interface.	ip address ip-address { mask \| mask-length }	By default, no IP address is configured for the loopback interface.

Redistributing the loopback interface address

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Enter BGP-VPN IPv4 unicast address family view.	address-family ipv4 [ unicast ]	N/A
5. Redistribute direct routes into BGP (including the loopback interface route).	import-route direct	By default, no direct routes are redistributed into BGP.

Creating a sham link

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter OSPF view.	ospf [ process-id \| router-id router-id \| vpn-instance vpn-instance-name ] *	As a best practice, specify a router ID.
3. Configure the external route tag for imported VPN routes.	route-tag tag-value	By default, if BGP runs within an MPLS backbone, and the BGP AS number is not greater than 65535, the first two octets of the external route tag are 0xD000 and the last two octets are the local BGP AS number. If the AS number is greater than 65535, the external route tag is 0.
4. Enter OSPF area view.	area area-id	N/A
5. Configure a sham link.	sham-link source-ip-address destination-ip-address [ cost cost \| dead dead-interval \| hello hello-interval \| { { hmac-md5 \| md5 } key-id { cipher cipher-string \| plain plain-string } \| simple { cipher cipher-string \| plain plain-string } } \| retransmit retrans-interval \| trans-delay delay ] *	By default, no sham link is configured.

Specifying the VPN label processing mode on the egress PE

An egress PE can process VPN labels in either POPGO or POP mode:

· POPGO forwarding—Pops the label and forwards the packet out of the egress interface corresponding to the label.

· POP forwarding—Pops the label and forwards the packet through the FIB table.

To specify the VPN label processing mode on an egress PE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Specify the VPN label processing mode as POPGO forwarding.	vpn popgo	The default is POP forwarding.

Configuring BGP AS number substitution and SoO attribute

When CEs at different sites have the same AS number, configure the BGP AS number substitution feature to avoid route loss.

When a PE uses different interfaces to connect different CEs in a site, the BGP AS number substitution feature introduces a routing loop. To remove the routing loop, configure the SoO attribute on the PE.

For more information about the BGP AS number substitution feature and the SoO attribute, see "BGP AS number substitution and SoO attribute."

To configure BGP AS number substitution and SoO attribute:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Enable the BGP AS number substitution feature.	peer { ip-address [ mask-length ] \| group-name } substitute-as	By default, BGP AS number substitution is disabled.
5. Enter BGP-VPN IPv4 unicast address family view.	address-family ipv4 [ unicast ]	N/A
6. (Optional.) Configure the SoO attribute for a BGP peer or peer group.	peer { group-name \| ip-address [ mask-length ] } soo site-of-origin	By default, the SoO attribute is not configured.

For more information about the commands in this section, see Layer 3—IP Routing Command Reference.

Enabling SNMP notifications for MPLS L3VPN

This feature enables MPLS L3VPN to generate SNMP notifications. The generated SNMP notifications are sent to the SNMP module.

For more information about SNMP notifications, see Network Management and Monitoring Configuration Guide.

To enable SNMP notifications for MPLS L3VPN:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable SNMP notifications for MPLS L3VPN.	snmp-agent trap enable l3vpn	By default, SNMP notifications for MPLS L3VPN are enabled.

Enabling logging for BGP route flapping

This feature enables BGP to generate logs for BGP route flappings that trigger log generation. The generated logs are sent to the information center. For the logs to be output correctly, you must also configure information center on the device. For more information about the information center, see Network Management and Monitoring Configuration Guide.

To enable logging for BGP route flapping:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP VPNv4 address family view or BGP-VPN VPNv4 address family view.	· Enter BGP VPNv4 address family view: a. bgp as-number b. address-family vpnv4 · Enter BGP-VPN VPNv4 address family view: a. bgp as-number b. ip vpn-instance vpn-instance-name c. address-family vpnv4	N/A
3. Enable logging for BGP route flapping.	log-route-flap monitor-time monitor-count [ log-count-limit \| route-policy route-policy-name ] *	By default, logging for BGP route flapping is disabled.

Displaying and maintaining MPLS L3VPN

You can soft-reset or reset BGP sessions to apply new BGP configurations. A soft reset operation updates BGP routing information without tearing down BGP connections. A reset operation updates BGP routing information by tearing down, and then re-establishing BGP connections. Soft reset requires that BGP peers have route refresh capability.

Execute the following commands in user view to soft reset or reset BGP connections:

Task	Command
Manually soft reset BGP sessions for VPNv4 address family.	refresh bgp { ip-address [ mask-length ] \| all \| external \| group group-name \| internal } { export \| import } vpnv4 [ vpn-instance vpn-instance-name ]
Reset BGP sessions for VPNv4 address family.	reset bgp { as-number \| ip-address [ mask-length ] \| all \| external \| internal \| group group-name } vpnv4 [ vpn-instance vpn-instance-name ]

For more information about the refresh bgp vpnv4 and reset bgp vpnv4 commands, see Layer 3—IP Routing Command Reference.

Execute the following commands in any view to display MPLS L3VPN:

Task	Command
Display the routing table for a VPN instance.	display ip routing-table vpn-instance vpn-instance-name [ statistics \| verbose ]
Display information about a specified or all VPN instances.	display ip vpn-instance [ instance-name vpn-instance-name ]
Display the FIB of a VPN instance.	display fib vpn-instance vpn-instance-name
Display FIB entries that match the specified destination IP address in the specified VPN instance.	display fib vpn-instance vpn-instance-name ip-address [ mask \| mask-length ]
Display BGP VPNv4 peer group information.	display bgp group vpnv4 [ vpn-instance vpn-instance-name ] [ group-name group-name ]
Display BGP VPNv4 peer information.	display bgp peer vpnv4 [ vpn-instance vpn-instance-name ] [ ip-address mask-length \| { ip-address \| group-name group-name } log-info \| [ ip-address ] verbose ]
Display BGP VPNv4 routes.	display bgp routing-table vpnv4 [ [ route-distinguisher route-distinguisher ] [ network-address [ { mask \| mask-length } [ longest-match ] ] \| network-address [ mask \| mask-length ] advertise-info \| as-path-acl as-path-acl-number \| community-list { { basic-community-list-number \| comm-list-name } [ whole-match ] \| adv-community-list-number } ] \| [ vpn-instance vpn-instance-name ] peer ip-address { advertised-routes \| received-routes } [ network-address [ mask \| mask-length ] \| statistics ] \| statistics ]
Display incoming labels for BGP IPv4 unicast routes.	display bgp routing-table ipv4 [ unicast ] [ vpn-instance vpn-instance-name ] inlabel
Display outgoing labels for BGP IPv4 unicast routes (in standalone mode).	display bgp routing-table ipv4 [ unicast ] [ vpn-instance vpn-instance-name ] outlabel [ standby slot slot-number ]
Display outgoing labels for BGP IPv4 unicast routes (in IRF mode).	display bgp routing-table ipv4 [ unicast ] [ vpn-instance vpn-instance-name ] outlabel [ standby chassis chassis-number slot slot-number ]
Display incoming labels for BGP VPNv4 routes.	display bgp routing-table vpnv4 inlabel
Display outgoing labels for BGP VPNv4 routes (in standalone mode).	display bgp routing-table vpnv4 outlabel [ standby slot slot-number ]
Display outgoing labels for BGP VPNv4 routes (in IRF mode).	display bgp routing-table vpnv4 outlabel [ standby chassis chassis-number slot slot-number ]
Display BGP VPNv4 address family update group information.	display bgp update-group vpnv4 [ vpn-instance vpn-instance-name ] [ ip-address ]
Display OSPF sham link information (in standalone mode).	display ospf [ process-id ] sham-link [ area area-id ] [ standby slot slot-number ]
Display OSPF sham link information (in IRF mode).	display ospf [ process-id ] sham-link [ area area-id ] [ standby chassis chassis-number slot slot-number ]

For more information about the display ip routing-table, display bgp group vpnv4, display bgp peer vpnv4, and display bgp update-group vpnv4 commands, see Layer 3—IP Routing Command Reference.

MPLS L3VPN configuration examples

Configuring basic MPLS L3VPN

Network requirements

CE 1 and CE 3 belong to VPN 1. CE 2 and CE 4 belong to VPN 2.

VPN 1 uses route target attribute 111:1. VPN 2 uses route target attribute 222:2. Users of different VPNs cannot access each other.

EBGP is used to exchange VPN routing information between CE and PE.

PEs use OSPF to communicate with each other and use MP-IBGP to exchange VPN routing information.

Figure 20 Network diagram

Table 1 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Vlan-int11	10.1.1.1/24	P	Loop0	2.2.2.9/32
PE 1	Loop0	1.1.1.9/32		Vlan-int12	172.2.1.1/24
	Vlan-int11	10.1.1.2/24		Vlan-int13	172.1.1.2/24
	Vlan-int13	172.1.1.1/24	PE 2	Loop0	3.3.3.9/32
	Vlan-int12	10.2.1.2/24		Vlan-int12	172.2.1.2/24
CE 2	Vlan-int12	10.2.1.1/24		Vlan-int11	10.3.1.2/24
CE 3	Vlan-int11	10.3.1.1/24		Vlan-int13	10.4.1.2/24
CE 4	Vlan-int13	10.4.1.1/24

Configuration procedure

1. Configure an IGP on the MPLS backbone to ensure IP connectivity within the backbone:

# Configure PE 1.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 1.1.1.9 32

[PE1-LoopBack0] quit

[PE1] interface vlan-interface 13

[PE1-Vlan-interface13] ip address 172.1.1.1 24

[PE1-Vlan-interface13] quit

[PE1] ospf

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

# Configure the P device.

<P> system-view

[P] interface loopback 0

[P-LoopBack0] ip address 2.2.2.9 32

[P-LoopBack0] quit

[P] interface vlan-interface 13

[P-Vlan-interface13] ip address 172.1.1.2 24

[P- Vlan-interface13] quit

[P] interface vlan-interface 12

[P-Vlan-interface12] ip address 172.2.1.1 24

[P-Vlan-interface12] quit

[P] ospf

[P-ospf-1] area 0

[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[P-ospf-1-area-0.0.0.0] quit

[P-ospf-1] quit

# Configure PE 2.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 3.3.3.9 32

[PE2-LoopBack0] quit

[PE2] interface vlan-interface 12

[PE2-Vlan-interface12] ip address 172.2.1.2 24

[PE2-Vlan-interface12] quit

[PE2] ospf

[PE2-ospf-1] area 0

[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

# Execute the display ospf peer command to verify that OSPF adjacencies in Full state have been established between PE 1, P, and PE 2. Execute the display ip routing-table command to verify that the PEs have learned the routes to the loopback interfaces of each other. (Details not shown.)

2. Configure basic MPLS and MPLS LDP on the MPLS backbone to establish LDP LSPs:

# Configure PE 1.

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] interface vlan-interface 13

[PE1-Vlan-interface13] mpls enable

[PE1-Vlan-interface13] mpls ldp enable

[PE1-Vlan-interface13] quit

# Configure the P device.

[P] mpls lsr-id 2.2.2.9

[P] mpls ldp

[P-ldp] quit

[P] interface vlan-interface 13

[P-Vlan-interface13] mpls enable

[P-Vlan-interface13] mpls ldp enable

[P-Vlan-interface13] quit

[P] interface vlan-interface 12

[P-Vlan-interface12] mpls enable

[P-Vlan-interface12] mpls ldp enable

[P-Vlan-interface12] quit

# Configure PE 2.

[PE2] mpls lsr-id 3.3.3.9

[PE2] mpls ldp

[PE2-ldp] quit

[PE2] interface vlan-interface 12

[PE2-Vlan-interface12] mpls enable

[PE2-Vlan-interface12] mpls ldp enable

[PE2-Vlan-interface12] quit

# Execute the display mpls ldp peer command to verify that LDP sessions in Operational state have been established between PE 1, P, and PE 2. Execute the display mpls ldp lsp command to verify that the LSPs have been established by LDP. (Details not shown.)

3. Configure VPN instances on PEs:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 111:1

[PE1-vpn-instance-vpn1] quit

[PE1] ip vpn-instance vpn2

[PE1-vpn-instance-vpn2] route-distinguisher 100:2

[PE1-vpn-instance-vpn2] vpn-target 222:2

[PE1-vpn-instance-vpn2] quit

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] ip binding vpn-instance vpn1

[PE1-Vlan-interface11] ip address 10.1.1.2 24

[PE1-Vlan-interface11] quit

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip binding vpn-instance vpn2

[PE1-Vlan-interface12] ip address 10.2.1.2 24

[PE1-Vlan-interface12] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 200:1

[PE2-vpn-instance-vpn1] vpn-target 111:1

[PE2-vpn-instance-vpn1] quit

[PE2] ip vpn-instance vpn2

[PE2-vpn-instance-vpn2] route-distinguisher 200:2

[PE2-vpn-instance-vpn2] vpn-target 222:2

[PE2-vpn-instance-vpn2] quit

[PE2] interface vlan-interface 11

[PE2-Vlan-interface11] ip binding vpn-instance vpn1

[PE2-Vlan-interface11] ip address 10.3.1.2 24

[PE2-Vlan-interface11] quit

[PE2] interface vlan-interface 13

[PE2-Vlan-interface13] ip binding vpn-instance vpn2

[PE2-Vlan-interface13] ip address 10.4.1.2 24

[PE2-Vlan-interface13] quit

# Configure IP addresses for the CEs according to Figure 20. (Details not shown.)

# Execute the display ip vpn-instance command on the PEs to display the configuration of the VPN instance, for example, on PE 1.

[PE1] display ip vpn-instance

Total VPN-Instances configured : 2

VPN-Instance Name RD Create time

vpn1 100:1 2012/02/13 12:49:08

vpn2 100:2 2012/02/13 12:49:20

# Use the ping command on the PEs to verify that the PEs can ping their attached CEs, for example, on PE 1.

[PE1] ping -vpn-instance vpn1 10.1.1.1

Ping 10.1.1.1 (10.1.1.1): 56 data bytes, press CTRL_C to break

56 bytes from 10.1.1.1: icmp_seq=0 ttl=255 time=1.000 ms

56 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=2.000 ms

56 bytes from 10.1.1.1: icmp_seq=2 ttl=255 time=0.000 ms

56 bytes from 10.1.1.1: icmp_seq=3 ttl=255 time=1.000 ms

56 bytes from 10.1.1.1: icmp_seq=4 ttl=255 time=0.000 ms

--- Ping statistics for 10.1.1.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/0.800/2.000/0.748 ms

4. Establish EBGP peer relationships between PEs and CEs, and redistribute VPN routes into BGP:

# Configure CE 1.

<CE1> system-view

[CE1] bgp 65410

[CE1-bgp] peer 10.1.1.2 as-number 100

[CE1-bgp] address-family ipv4 unicast

[CE1-bgp-ipv4] peer 10.1.1.2 enable

[CE1-bgp-ipv4] import-route direct

[CE1-bgp-ipv4] quit

[CE1-bgp] quit

# Configure the other three CEs in the same way that CE 1 is configured. (Details not shown.)

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410

[PE1-bgp-vpn1] address-family ipv4 unicast

[PE1-bgp-ipv4-vpn1] peer 10.1.1.1 enable

[PE1-bgp-ipv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] ip vpn-instance vpn2

[PE1-bgp-vpn2] peer 10.2.1.1 as-number 65420

[PE1-bgp-vpn2] address-family ipv4 unicast

[PE1-bgp-ipv4-vpn1] peer 10.2.1.1 enable

[PE1-bgp-ipv4-vpn2] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Configure PE 2 in the same way that PE 1 is configured. (Details not shown.)

# Execute the display bgp peer ipv4 vpn-instance command on the PEs to verify that a BGP peer relationship in Established state has been established between a PE and a CE. (Details not shown.)

5. Establish an MP-IBGP peer relationship between PEs:

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] peer 3.3.3.9 as-number 100

[PE1-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE1-bgp] address-family vpnv4

[PE1-bgp-vpnv4] peer 3.3.3.9 enable

[PE1-bgp-vpnv4] quit

[PE1-bgp] quit

# Configure PE 2.

[PE2] bgp 100

[PE2-bgp] peer 1.1.1.9 as-number 100

[PE2-bgp] peer 1.1.1.9 connect-interface loopback 0

[PE2-bgp] address-family vpnv4

[PE2-bgp-vpnv4] peer 1.1.1.9 enable

[PE2-bgp-vpnv4] quit

[PE2-bgp] quit

# Execute the display bgp peer vpnv4 command on the PEs to verify that a BGP peer relationship in Established state has been established between the PEs. (Details not shown.)

Verifying the configuration

# Execute the display ip routing-table vpn-instance command on the PEs.

[PE1] display ip routing-table vpn-instance vpn1

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.0/24 Direct 0 0 10.1.1.2 Vlan11

10.1.1.0/32 Direct 0 0 10.1.1.2 Vlan11

10.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.255/32 Direct 0 0 10.1.1.2 Vlan11

10.3.1.0/24 BGP 255 0 3.3.3.9 Vlan13

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

The output shows that PE 1 has a route to the remote CE. Output on PE 2 is similar.

# Verify that CEs of the same VPN can ping each other, whereas those of different VPNs cannot. For example, CE 1 can ping CE 3 (10.3.1.1) but cannot ping CE 4 (10.4.1.1). (Details not shown.)

Configuring a hub-spoke network

Network requirements

The Spoke-CEs cannot communicate directly. They can communicate only through the Hub-CE.

Configure EBGP between the Spoke-CEs and Spoke-PEs and between the Hub-CE and Hub-PE to exchange VPN routing information.

Configure OSPF between the Spoke-PEs and Hub-PE to implement communication between the PEs. Configure MP-IBGP between the Spoke-PEs and Hub-PE to exchange VPN routing information.

Figure 21 Network diagram

Table 2 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
Spoke-CE 1	Vlan-int2	10.1.1.1/24	Hub-CE	Vlan-int6	10.3.1.1/24
Spoke-PE 1	Loop0	1.1.1.9/32		Vlan-int7	10.4.1.1/24
	Vlan-int2	10.1.1.2/24	Hub-PE	Loop0	2.2.2.9/32
	Vlan-int4	172.1.1.1/24		Vlan-int4	172.1.1.2/24
Spoke-CE 2	Vlan-int3	10.2.1.1/24		Vlan-int5	172.2.1.2/24
Spoke-PE 2	Loop0	3.3.3.9/32		Vlan-int6	10.3.1.2/24
	Vlan-int3	10.2.1.2/24		Vlan-int7	10.4.1.2/24
	Vlan-int5	172.2.1.1/24

Configuration procedure

1. Configure an IGP on the MPLS backbone to ensure IP connectivity within the backbone:

# Configure Spoke-PE 1.

<Spoke-PE1> system-view

[Spoke-PE1] interface loopback 0

[Spoke-PE1-LoopBack0] ip address 1.1.1.9 32

[Spoke-PE1-LoopBack0] quit

[Spoke-PE1] interface vlan-interface 4

[Spoke-PE1-Vlan-interface4] ip address 172.1.1.1 24

[Spoke-PE1-Vlan-interface4] quit

[Spoke-PE1] ospf

[Spoke-PE1-ospf-1] area 0

[Spoke-PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[Spoke-PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[Spoke-PE1-ospf-1-area-0.0.0.0] quit

[Spoke-PE1-ospf-1] quit

# Configure Spoke-PE 2.

<Spoke-PE2> system-view

[Spoke-PE2] interface loopback 0

[Spoke-PE2-LoopBack0] ip address 3.3.3.9 32

[Spoke-PE2-LoopBack0] quit

[Spoke-PE2] interface vlan-interface 5

[Spoke-PE2-Vlan-interface5] ip address 172.2.1.1 24

[Spoke-PE2-Vlan-interface5] quit

[Spoke-PE2] ospf

[Spoke-PE2-ospf-1] area 0

[Spoke-PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[Spoke-PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[Spoke-PE2-ospf-1-area-0.0.0.0] quit

[Spoke-PE2-ospf-1] quit

# Configure Hub-PE.

<Hub-PE> system-view

[Hub-PE] interface loopback 0

[Hub-PE-LoopBack0] ip address 2.2.2.9 32

[Hub-PE-LoopBack0] quit

[Hub-PE] interface vlan-interface 4

[Hub-PE-Vlan-interface4] ip address 172.1.1.2 24

[Hub-PE-Vlan-interface4] quit

[Hub-PE] interface vlan-interface 5

[Hub-PE-Vlan-interface5] ip address 172.2.1.2 24

[Hub-PE-Vlan-interface5] quit

[Hub-PE] ospf

[Hub-PE-ospf-1] area 0

[Hub-PE-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[Hub-PE-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[Hub-PE-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[Hub-PE-ospf-1-area-0.0.0.0] quit

[Hub-PE-ospf-1] quit

# Execute the display ospf peer command on the PEs to verify that OSPF adjacencies in Full state have been established between the PEs. Execute the display ip routing-table command on the PEs to verify that the PEs have learned the routes to the loopback interfaces of each other. (Details not shown.)

2. Configure basic MPLS and MPLS LDP on the MPLS backbone to establish LDP LSPs:

# Configure Spoke-PE 1.

[Spoke-PE1] mpls lsr-id 1.1.1.9

[Spoke-PE1] mpls ldp

[Spoke-PE1-ldp] quit

[Spoke-PE1] interface vlan-interface 4

[Spoke-PE1-Vlan-interface4] mpls enable

[Spoke-PE1-Vlan-interface4] mpls ldp enable

[Spoke-PE1-Vlan-interface4] quit

# Configure Spoke-PE 2.

[Spoke-PE2] mpls lsr-id 3.3.3.9

[Spoke-PE2] mpls ldp

[Spoke-PE2-ldp] quit

[Spoke-PE2] interface vlan-interface 5

[Spoke-PE2-Vlan-interface5] mpls enable

[Spoke-PE2-Vlan-interface5] mpls ldp enable

[Spoke-PE2-Vlan-interface5] quit

# Configure Hub-PE.

[Hub-PE] mpls lsr-id 2.2.2.9

[Hub-PE] mpls ldp

[Hub-PE-ldp] quit

[Hub-PE] interface vlan-interface 4

[Hub-PE-Vlan-interface4] mpls enable

[Hub-PE-Vlan-interface4] mpls ldp enable

[Hub-PE-Vlan-interface4] quit

[Hub-PE] interface vlan-interface 5

[Hub-PE-Vlan-interface5] mpls enable

[Hub-PE-Vlan-interface5] mpls ldp enable

[Hub-PE-Vlan-interface5] quit

# Execute the display mpls ldp peer command on the PEs to verify that LDP sessions in Operational state have been established between the PEs. Execute the display mpls ldp lsp command on the PEs to verify that the LSPs have been established by LDP. (Details not shown.)

3. Configure VPN instances on the Spoke-PEs and Hub-PE:

# Configure Spoke-PE 1.

[Spoke-PE1] ip vpn-instance vpn1

[Spoke-PE1-vpn-instance-vpn1] route-distinguisher 100:1

[Spoke-PE1-vpn-instance-vpn1] vpn-target 111:1 import-extcommunity

[Spoke-PE1-vpn-instance-vpn1] vpn-target 222:2 export-extcommunity

[Spoke-PE1-vpn-instance-vpn1] quit

[Spoke-PE1] interface vlan-interface 2

[Spoke-PE1-Vlan-interface2] ip binding vpn-instance vpn1

[Spoke-PE1-Vlan-interface2] ip address 10.1.1.2 24

[Spoke-PE1-Vlan-interface2] quit

# Configure Spoke-PE 2.

[Spoke-PE2] ip vpn-instance vpn1

[Spoke-PE2-vpn-instance-vpn1] route-distinguisher 100:2

[Spoke-PE2-vpn-instance-vpn1] vpn-target 111:1 import-extcommunity

[Spoke-PE2-vpn-instance-vpn1] vpn-target 222:2 export-extcommunity

[Spoke-PE2-vpn-instance-vpn1] quit

[Spoke-PE2] interface vlan-interface 3

[Spoke-PE2-Vlan-interface3] ip binding vpn-instance vpn1

[Spoke-PE2-Vlan-interface3] ip address 10.2.1.2 24

[Spoke-PE2-Vlan-interface3] quit

# Configure Hub-PE.

[Hub-PE] ip vpn-instance vpn1-in

[Hub-PE-vpn-instance-vpn1-in] route-distinguisher 100:3

[Hub-PE-vpn-instance-vpn1-in] vpn-target 222:2 import-extcommunity

[Hub-PE-vpn-instance-vpn1-in] quit

[Hub-PE] ip vpn-instance vpn1-out

[Hub-PE-vpn-instance-vpn1-out] route-distinguisher 100:4

[Hub-PE-vpn-instance-vpn1-out] vpn-target 111:1 export-extcommunity

[Hub-PE-vpn-instance-vpn1-out] quit

[Hub-PE] interface vlan-interface 6

[Hub-PE-Vlan-interface6] ip binding vpn-instance vpn1-in

[Hub-PE-Vlan-interface6] ip address 10.3.1.2 24

[Hub-PE-Vlan-interface6] quit

[Hub-PE] interface vlan-interface 7

[Hub-PE-Vlan-interface7] ip binding vpn-instance vpn1-out

[Hub-PE-Vlan-interface7] ip address 10.4.1.2 24

[Hub-PE-Vlan-interface7] quit

# Configure IP addresses for the CEs according to Figure 21. (Details not shown.)

# Execute the display ip vpn-instance command on the PEs to display the VPN instance configuration. This example uses Spoke-PE 1.

[Spoke-PE1] display ip vpn-instance

Total VPN-Instances configured : 1

VPN-Instance Name RD Create time

vpn1 100:1 2009/04/08 10:55:07

# Use the ping command on the PEs to verify that the PEs can ping their attached CEs. This example uses Spoke-PE 1.

[Spoke-PE1] ping -vpn-instance vpn1 10.1.1.1

Ping 10.1.1.1 (10.1.1.1): 56 data bytes, press CTRL_C to break

56 bytes from 10.1.1.1: icmp_seq=0 ttl=128 time=1.913 ms

56 bytes from 10.1.1.1: icmp_seq=1 ttl=128 time=2.381 ms

56 bytes from 10.1.1.1: icmp_seq=2 ttl=128 time=1.707 ms

56 bytes from 10.1.1.1: icmp_seq=3 ttl=128 time=1.666 ms

56 bytes from 10.1.1.1: icmp_seq=4 ttl=128 time=2.710 ms

--- Ping statistics for 10.1.1.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.666/2.075/2.710/0.406 ms

4. Establish EBGP peer relationships between the PEs and CEs, and redistribute VPN routes into BGP:

# Configure Spoke-CE 1.

<Spoke-CE1> system-view

[Spoke-CE1] bgp 65410

[Spoke-CE1-bgp] peer 10.1.1.2 as-number 100

[Spoke-CE1-bgp] address-family ipv4

[Spoke-CE1-bgp-ipv4] peer 10.1.1.2 enable

[Spoke-CE1-bgp-ipv4] import-route direct

[Spoke-CE1-bgp-ipv4] quit

[Spoke-CE1-bgp] quit

# Configure Spoke-CE 2.

<Spoke-CE2> system-view

[Spoke-CE2] bgp 65420

[Spoke-CE2-bgp] peer 10.2.1.2 as-number 100

[Spoke-CE2-bgp] address-family ipv4

[Spoke-CE2-bgp-ipv4] peer 10.2.1.2 enable

[Spoke-CE2-bgp-ipv4] import-route direct

[Spoke-CE2-bgp-ipv4] quit

[Spoke-CE2-bgp] quit

# Configure Hub-CE.

<Hub-CE> system-view

[Hub-CE] bgp 65430

[Hub-CE-bgp] peer 10.3.1.2 as-number 100

[Hub-CE-bgp] peer 10.4.1.2 as-number 100

[Hub-CE-bgp] address-family ipv4

[Hub-CE-bgp-ipv4] peer 10.3.1.2 enable

[Hub-CE-bgp-ipv4] peer 10.4.1.2 enable

[Hub-CE-bgp-ipv4] import-route direct

[Hub-CE-bgp-ipv4] quit

[Hub-CE-bgp] quit

# Configure Spoke-PE 1.

[Spoke-PE1] bgp 100

[Spoke-PE1-bgp] ip vpn-instance vpn1

[Spoke-PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410

[Spoke-PE1-bgp-vpn1] address-family ipv4

[Spoke-PE1-bgp-ipv4-vpn1] peer 10.1.1.1 enable

[Spoke-PE1-bgp-ipv4-vpn1] quit

[Spoke-PE1-bgp-vpn1] quit

[Spoke-PE1-bgp] quit

# Configure Spoke-PE 2.

[Spoke-PE2] bgp 100

[Spoke-PE2-bgp] ip vpn-instance vpn1

[Spoke-PE2-bgp-vpn1] peer 10.2.1.1 as-number 65420

[Spoke-PE2-bgp-vpn1] address-family ipv4

[Spoke-PE2-bgp-ipv4-vpn1] peer 10.2.1.1 enable

[Spoke-PE2-bgp-ipv4-vpn1] quit

[Spoke-PE2-bgp-vpn1] quit

[Spoke-PE2-bgp] quit

# Configure Hub-PE.

[Hub-PE] bgp 100

[Hub-PE-bgp] ip vpn-instance vpn1-in

[Hub-PE-bgp-vpn1-in] peer 10.3.1.1 as-number 65430

[Hub-PE-bgp-vpn1-in] address-family ipv4

[Hub-PE-bgp-ipv4-vpn1-in] peer 10.3.1.1 enable

[Hub-PE-bgp-ipv4-vpn1-in] quit

[Hub-PE-bgp-vpn1-in] quit

[Hub-PE-bgp] ip vpn-instance vpn1-out

[Hub-PE-bgp-vpn1-out] peer 10.4.1.1 as-number 65430

[Hub-PE-bgp-vpn1-out] address-family ipv4

[Hub-PE-bgp-ipv4-vpn1-out] peer 10.4.1.1 enable

[Hub-PE-bgp-ipv4-vpn1-out] peer 10.4.1.1 allow-as-loop 2

[Hub-PE-bgp-ipv4-vpn1-out] quit

[Hub-PE-bgp-vpn1-out] quit

[Hub-PE-bgp] quit

# Execute the display bgp peer ipv4 vpn-instance command on the PEs to verify that a BGP peer relationship in Established state has been established between a PE and a CE. (Details not shown.)

5. Establish an MP-IBGP peer relationship between the Spoke-PEs and Hub-PE:

# Configure Spoke-PE 1.

[Spoke-PE1] bgp 100

[Spoke-PE1-bgp] peer 2.2.2.9 as-number 100

[Spoke-PE1-bgp] peer 2.2.2.9 connect-interface loopback 0

[Spoke-PE1-bgp] address-family vpnv4

[Spoke-PE1-bgp-vpnv4] peer 2.2.2.9 enable

[Spoke-PE1-bgp-vpnv4] quit

[Spoke-PE1-bgp] quit

# Configure Spoke-PE 2.

[Spoke-PE2] bgp 100

[Spoke-PE2-bgp] peer 2.2.2.9 as-number 100

[Spoke-PE2-bgp] peer 2.2.2.9 connect-interface loopback 0

[Spoke-PE2-bgp] address-family vpnv4

[Spoke-PE2-bgp-vpnv4] peer 2.2.2.9 enable

[Spoke-PE2-bgp-vpnv4] quit

[Spoke-PE2-bgp] quit

# Configure Hub-PE.

[Hub-PE] bgp 100

[Hub-PE-bgp] peer 1.1.1.9 as-number 100

[Hub-PE-bgp] peer 1.1.1.9 connect-interface loopback 0

[Hub-PE-bgp] peer 3.3.3.9 as-number 100

[Hub-PE-bgp] peer 3.3.3.9 connect-interface loopback 0

[Hub-PE-bgp] address-family vpnv4

[Hub-PE-bgp-vpnv4] peer 1.1.1.9 enable

[Hub-PE-bgp-vpnv4] peer 3.3.3.9 enable

[Hub-PE-bgp-vpnv4] quit

[Hub-PE-bgp] quit

# Execute the display bgp peer vpnv4 command on the PEs to verify that a BGP peer relationship in Established state has been established between the PEs. (Details not shown.)

Verifying the configuration

# Execute the display ip routing-table vpn-instance command on the PEs to display the routes to the CEs. This example uses Spoke-PE 1 to verify that the next hop of the route from a Spoke-PE to its connected Spoke-CE is Hub-PE.

[Spoke-PE1] display ip routing-table vpn-instance vpn1

Destinations : 15 Routes : 15

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.0/24 Direct 0 0 10.1.1.2 Vlan2

10.1.1.0/32 Direct 0 0 10.1.1.2 Vlan2

10.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.255/32 Direct 0 0 10.1.1.2 Vlan2

10.2.1.0/24 BGP 255 0 2.2.2.9 Vlan4

10.3.1.0/24 BGP 255 0 2.2.2.9 Vlan4

10.4.1.0/24 BGP 255 0 2.2.2.9 Vlan4

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that Spoke-CE 1 and Spoke-CE 2 can ping each other. The TTL value indicates that traffic from Spoke-CE 1 to Spoke-CE 2 passes six hops (255-250+1) and is forwarded through Hub-CE. This example uses Spoke-CE 1.

[Spoke-CE1] ping 10.2.1.1

Ping 10.2.1.1 (10.2.1.1): 56 data bytes, press CTRL_C to break

56 bytes from 10.2.1.1: icmp_seq=0 ttl=250 time=1.000 ms

56 bytes from 10.2.1.1: icmp_seq=1 ttl=250 time=2.000 ms

56 bytes from 10.2.1.1: icmp_seq=2 ttl=250 time=0.000 ms

56 bytes from 10.2.1.1: icmp_seq=3 ttl=250 time=1.000 ms

56 bytes from 10.2.1.1: icmp_seq=4 ttl=250 time=0.000 ms

--- Ping statistics for 10.2.1.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/0.800/2.000/0.748 ms

Configuring MPLS L3VPN inter-AS option A

Network requirements

CE 1 and CE 2 belong to the same VPN. CE 1 accesses the network through PE 1 in AS 100, and CE 2 accesses the network through PE 2 in AS 200.

Configure MPLS L3VPN inter-AS option A, and use the VRF-to-VRF method to manage VPN routes.

Run OSPF on the MPLS backbone in each AS.

Figure 22 Network diagram

Table 3 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Vlan-int12	10.1.1.1/24	CE 2	Vlan-int12	10.2.1.1/24
PE 1	Loop0	1.1.1.9/32	PE 2	Loop0	4.4.4.9/32
	Vlan-int12	10.1.1.2/24		Vlan-int12	10.2.1.2/24
	Vlan-int11	172.1.1.2/24		Vlan-int11	162.1.1.2/24
ASBR-PE 1	Loop0	2.2.2.9/32	ASBR-PE 2	Loop0	3.3.3.9/32
	Vlan-int11	172.1.1.1/24		Vlan-int11	162.1.1.1/24
	Vlan-int12	192.1.1.1/24		Vlan-int12	192.1.1.2/24

Configuration procedure

1. Configure IGP on the MPLS backbone to implement the connectivity in the backbone.

This example uses OSPF. (Details not shown.)

# Execute the display ospf peer command to verify that each ASBR-PE has established an OSPF adjacency in Full state with the PE in the same AS, and that PEs and ASBR-PEs in the same AS have learned the routes to the loopback interfaces of each other. Verify that each ASBR-PE and the PE in the same AS can ping each other. (Details not shown.)

2. Configure basic MPLS and MPLS LDP on the MPLS backbone to establish LDP LSPs:

# Configure basic MPLS on PE 1, and enable MPLS LDP on the interface connected to ASBR-PE 1.

<PE1> system-view

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] mpls enable

[PE1-Vlan-interface11] mpls ldp enable

[PE1-Vlan-interface11] quit

# Configure basic MPLS on ASBR-PE 1, and enable MPLS LDP on the interface connected to PE 1.

<ASBR-PE1> system-view

[ASBR-PE1] mpls lsr-id 2.2.2.9

[ASBR-PE1] mpls ldp

[ASBR-PE1-ldp] quit

[ASBR-PE1] interface vlan-interface 11

[ASBR-PE1-Vlan-interface11] mpls enable

[ASBR-PE1-Vlan-interface11] mpls ldp enable

[ASBR-PE1-Vlan-interface11] quit

# Configure basic MPLS on ASBR-PE 2, and enable MPLS LDP on the interface connected to PE 2.

<ASBR-PE2> system-view

[ASBR-PE2] mpls lsr-id 3.3.3.9

[ASBR-PE2] mpls ldp

[ASBR-PE2-ldp] quit

[ASBR-PE2] interface vlan-interface 11

[ASBR-PE2-Vlan-interface11] mpls enable

[ASBR-PE2-Vlan-interface11] mpls ldp enable

[ASBR-PE2-Vlan-interface11] quit

# Configure basic MPLS on PE 2, and enable MPLS LDP on the interface connected to ASBR-PE 2.

<PE2> system-view

[PE2] mpls lsr-id 4.4.4.9

[PE2] mpls ldp

[PE2-ldp] quit

[PE2] interface vlan-interface 11

[PE2-Vlan-interface11] mpls enable

[PE2-Vlan-interface11] mpls ldp enable

[PE2-Vlan-interface11] quit

# Execute the display mpls ldp peer command on the devices to verify that the session status is Operational, and that each PE and the ASBR-PE in the same AS have established a neighbor relationship. (Details not shown.)

3. Configure VPN instances on PEs:

For the same VPN, the route targets for the VPN instance on the PE must match those for the VPN instance on the ASBR-PE in the same AS. This is not required for PEs in different ASs.

# Configure CE 1.

<CE1> system-view

[CE1] interface vlan-interface 12

[CE1-Vlan-interface12] ip address 10.1.1.1 24

[CE1-Vlan-interface12] quit

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 100:1 both

[PE1-vpn-instance-vpn1] quit

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip binding vpn-instance vpn1

[PE1-Vlan-interface12] ip address 10.1.1.2 24

[PE1-Vlan-interface12] quit

# Configure CE 2.

<CE2> system-view

[CE2] interface vlan-interface 12

[CE2-Vlan-interface12] ip address 10.2.1.1 24

[CE2-Vlan-interface12] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance] route-distinguisher 200:2

[PE2-vpn-instance] vpn-target 200:1 both

[PE2-vpn-instance] quit

[PE2] interface vlan-interface 12

[PE2-Vlan-interface12] ip binding vpn-instance vpn1

[PE2-Vlan-interface12] ip address 10.2.1.2 24

[PE2-Vlan-interface12] quit

# On ASBR-PE 1, create a VPN instance, and bind the instance to the interface connected to ASBR-PE 2. ASBR-PE 1 considers ASBR-PE 2 to be its CE.

[ASBR-PE1] ip vpn-instance vpn1

[ASBR-PE1-vpn-instance-vpn1] route-distinguisher 100:1

[ASBR-PE1-vpn-instance-vpn1] vpn-target 100:1 both

[ASBR-PE1-vpn-instance-vpn1] quit

[ASBR-PE1] interface vlan-interface 12

[ASBR-PE1-Vlan-interface12] ip binding vpn-instance vpn1

[ASBR-PE1-Vlan-interface12] ip address 192.1.1.1 24

[ASBR-PE1-Vlan-interface12] quit

# On ASBR-PE 2, create a VPN instance, and bind the instance to the interface connected to ASBR-PE 1. ASBR-PE 2 considers ASBR-PE 1 to be its CE.

[ASBR-PE2] ip vpn-instance vpn1

[ASBR-PE2-vpn-vpn-vpn1] route-distinguisher 200:1

[ASBR-PE2-vpn-vpn-vpn1] vpn-target 200:1 both

[ASBR-PE2-vpn-vpn-vpn1] quit

[ASBR-PE2] interface vlan-interface 12

[ASBR-PE2-Vlan-interface12] ip binding vpn-instance vpn1

[ASBR-PE2-Vlan-interface12] ip address 192.1.1.2 24

[ASBR-PE2-Vlan-interface12] quit

# Execute the display ip vpn-instance command to display VPN instance configurations. Verify that the PEs can ping the CEs, and the ASBR-PEs can ping each other. (Details not shown.)

4. Establish EBGP peer relationships between PEs and CEs, and redistribute VPN routes into BGP:

# Configure CE 1.

[CE1] bgp 65001

[CE1-bgp] peer 10.1.1.2 as-number 100

[CE1-bgp] address-family ipv4 unicast

[CE1-bgp-ipv4] peer 10.1.1.2 enable

[CE1-bgp-ipv4] import-route direct

[CE1-bgp-ipv4] quit

[CE1-bgp] quit

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65001

[PE1-bgp-vpn1] address-family ipv4 unicast

[PE1-bgp-ipv4-vpn1] peer 10.1.1.1 enable

[PE1-bgp-ipv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Configure CE 2.

[CE2] bgp 65002

[CE2-bgp] peer 10.2.1.2 as-number 200

[CE2-bgp] address-family ipv4 unicast

[CE2-bgp-ipv4] peer 10.2.1.2 enable

[CE2-bgp-ipv4] import-route direct

[CE2-bgp-ipv4] quit

[CE2-bgp] quit

# Configure PE 2.

[PE2] bgp 200

[PE2-bgp] ip vpn-instance vpn1

[PE2-bgp-vpn1] peer 10.2.1.1 as-number 65002

[PE2-bgp-vpn1] address-family ipv4 unicast

[PE2-bgp-ipv4-vpn1] peer 10.2.1.1 enable

[PE2-bgp-ipv4-vpn1] quit

[PE2-bgp-vpn1] quit

[PE2-bgp] quit

5. Establish an MP-IBGP peer relationship between each PE and the ASBR-PE in the same AS, and an EBGP peer relationship between the ASBR-PEs:

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] peer 2.2.2.9 as-number 100

[PE1-bgp] peer 2.2.2.9 connect-interface loopback 0

[PE1-bgp] address-family vpnv4

[PE1-bgp-vpnv4] peer 2.2.2.9 enable

[PE1-bgp-vpnv4] peer 2.2.2.9 next-hop-local

[PE1-bgp-vpnv4] quit

[PE1-bgp] quit

# Configure ASBR-PE 1.

[ASBR-PE1] bgp 100

[ASBR-PE1-bgp] ip vpn-instance vpn1

[ASBR-PE1-bgp-vpn1] peer 192.1.1.2 as-number 200

[ASBR-PE1-bgp-vpn1] address-family ipv4 unicast

[ASBR-PE1-bgp-ipv4-vpn1] peer 192.1.1.2 enable

[ASBR-PE1-bgp-ipv4-vpn1] quit

[ASBR-PE1-bgp-vpn1] quit

[ASBR-PE1-bgp] peer 1.1.1.9 as-number 100

[ASBR-PE1-bgp] peer 1.1.1.9 connect-interface loopback 0

[ASBR-PE1-bgp] address-family vpnv4

[ASBR-PE1-bgp-vpnv4] peer 1.1.1.9 enable

[ASBR-PE1-bgp-vpnv4] peer 1.1.1.9 next-hop-local

[ASBR-PE1-bgp-vpnv4] quit

[ASBR-PE1-bgp] quit

# Configure ASBR-PE 2.

[ASBR-PE2] bgp 200

[ASBR-PE2-bgp] ip vpn-instance vpn1

[ASBR-PE2-bgp-vpn1] peer 192.1.1.1 as-number 100

[ASBR-PE2-bgp-vpn1] address-family ipv4 unicast

[ASBR-PE2-bgp-ipv4-vpn1] peer 192.1.1.1 enable

[ASBR-PE2-bgp-ipv4-vpn1] quit

[ASBR-PE2-bgp-vpn1] quit

[ASBR-PE2-bgp] peer 4.4.4.9 as-number 200

[ASBR-PE2-bgp] peer 4.4.4.9 connect-interface loopback 0

[ASBR-PE2-bgp] address-family vpnv4

[ASBR-PE2-bgp-vpnv4] peer 4.4.4.9 enable

[ASBR-PE2-bgp-vpnv4] peer 4.4.4.9 next-hop-local

[ASBR-PE2-bgp-vpnv4] quit

[ASBR-PE2-bgp] quit

# Configure PE 2.

[PE2] bgp 200

[PE2-bgp] peer 3.3.3.9 as-number 200

[PE2-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE2-bgp] address-family vpnv4

[PE2-bgp-vpnv4] peer 3.3.3.9 enable

[PE2-bgp-vpnv4] peer 3.3.3.9 next-hop-local

[PE2-bgp-vpnv4] quit

[PE2-bgp] quit

Verifying the configuration

# Verify that the CEs can learn the interface routes from each other and ping each other. (Details not shown.)

Configuring MPLS L3VPN inter-AS option B

Network requirements

Site 1 and Site 2 belong to the same VPN. CE 1 of Site 1 accesses the network through PE 1 in AS 100. CE 2 of Site 2 accesses the network through PE 2 in AS 600. PEs in the same AS run IS-IS.

PE 1 and ASBR-PE 1 exchange VPNv4 routes through MP-IBGP. PE 2 and ASBR-PE 2 exchange VPNv4 routes through MP-IBGP. ASBR-PE 1 and ASBR-PE 2 exchange VPNv4 routes through MP-EBGP.

ASBRs do not perform route target filtering of received VPN-IPv4 routes.

Figure 23 Network diagram

Table 4 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
PE 1	Loop0	2.2.2.9/32	PE 2	Loop0	5.5.5.9/32
	Vlan-int12	30.0.0.1/8		Vlan-int12	20.0.0.1/8
	Vlan-int11	1.1.1.2/8		Vlan-int11	9.1.1.2/8
ASBR-PE 1	Loop0	3.3.3.9/32	ASBR-PE 2	Loop0	4.4.4.9/32
	Vlan-int11	1.1.1.1/8		Vlan-int11	9.1.1.1/8
	Vlan-int12	11.0.0.2/8		Vlan-int12	11.0.0.1/8

Configuration procedure

1. Configure PE 1:

# Configure IS-IS on PE 1.

<PE1> system-view

[PE1] isis 1

[PE1-isis-1] network-entity 10.111.111.111.111.00

[PE1-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[PE1] mpls lsr-id 2.2.2.9

[PE1] mpls ldp

[PE1-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] ip address 1.1.1.2 255.0.0.0

[PE1-Vlan-interface11] isis enable 1

[PE1-Vlan-interface11] mpls enable

[PE1-Vlan-interface11] mpls ldp enable

[PE1-Vlan-interface11] quit

# Configure interface Loopback 0, and enable IS-IS on it.

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 2.2.2.9 32

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

# Create VPN instance vpn1, and configure the RD and route target attributes.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 11:11

[PE1-vpn-instance-vpn1] vpn-target 1:1 2:2 3:3 import-extcommunity

[PE1-vpn-instance-vpn1] vpn-target 3:3 export-extcommunity

[PE1-vpn-instance-vpn1] quit

# Bind the interface connected to CE 1 to the created VPN instance.

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip binding vpn-instance vpn1

[PE1-Vlan-interface12] ip address 30.0.0.1 8

[PE1-Vlan-interface12] quit

# Enable BGP on PE 1.

[PE1] bgp 100

# Configure IBGP peer 3.3.3.9 as a VPNv4 peer.

[PE1-bgp] peer 3.3.3.9 as-number 100

[PE1-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE1-bgp] address-family vpnv4

[PE1-bgp-vpnv4] peer 3.3.3.9 enable

[PE1-bgp-vpnv4] quit

# Redistribute direct routes to the VPN routing table of vpn1.

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] address-family ipv4 unicast

[PE1-bgp-ipv4-vpn1] import-route direct

[PE1-bgp-ipv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

2. Configure ASBR-PE 1:

# Enable IS-IS on ASBR-PE 1.

<ASBR-PE1> system-view

[ASBR-PE1] isis 1

[ASBR-PE1-isis-1] network-entity 10.222.222.222.222.00

[ASBR-PE1-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[ASBR-PE1] mpls lsr-id 3.3.3.9

[ASBR-PE1] mpls ldp

[ASBR-PE1-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[ASBR-PE1] interface vlan-interface11

[ASBR-PE1-Vlan-interface11] ip address 1.1.1.1 255.0.0.0

[ASBR-PE1-Vlan-interface11] isis enable 1

[ASBR-PE1-Vlan-interface11] mpls enable

[ASBR-PE1-Vlan-interface11] mpls ldp enable

[ASBR-PE1-Vlan-interface11] quit

# Configure interface VLAN-interface 12, and enable MPLS on it.

[ASBR-PE1] interface vlan-interface 12

[ASBR-PE1-Vlan-interface12] ip address 11.0.0.2 255.0.0.0

[ASBR-PE1-Vlan-interface12] mpls enable

[ASBR-PE1-Vlan-interface12] quit

# Configure interface Loopback 0, and enable IS-IS on it.

[ASBR-PE1] interface loopback 0

[ASBR-PE1-LoopBack0] ip address 3.3.3.9 32

[ASBR-PE1-LoopBack0] isis enable 1

[ASBR-PE1-LoopBack0] quit

# Enable BGP on ASBR-PE 1.

[ASBR-PE1] bgp 100

[ASBR-PE1-bgp] peer 2.2.2.9 as-number 100

[ASBR-PE1-bgp] peer 2.2.2.9 connect-interface loopback 0

[ASBR-PE1-bgp] peer 11.0.0.1 as-number 600

[ASBR-PE1-bgp] peer 11.0.0.1 connect-interface vlan-interface 12

# Disable route target based filtering of received VPNv4 routes.

[ASBR-PE1-bgp] address-family vpnv4

[ASBR-PE1-bgp-vpnv4] undo policy vpn-target

# Configure both IBGP peer 2.2.2.0 and EBGP peer 11.0.0.1 as VPNv4 peers.

[ASBR-PE1-bgp-vpnv4] peer 11.0.0.1 enable

[ASBR-PE1-bgp-vpnv4] peer 2.2.2.9 enable

[ASBR-PE1-bgp-vpnv4] quit

3. Configure ASBR-PE 2:

# Enable IS-IS on ASBR-PE 2.

<ASBR-PE2> system-view

[ASBR-PE2] isis 1

[ASBR-PE2-isis-1] network-entity 10.222.222.222.222.00

[ASBR-PE2-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[ASBR-PE2] mpls lsr-id 4.4.4.9

[ASBR-PE2] mpls ldp

[ASBR-PE2-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[ASBR-PE2] interface vlan-interface 11

[ASBR-PE2-Vlan-interface11] ip address 9.1.1.1 255.0.0.0

[ASBR-PE2-Vlan-interface11] isis enable 1

[ASBR-PE2-Vlan-interface11] mpls enable

[ASBR-PE2-Vlan-interface11] mpls ldp enable

[ASBR-PE2-Vlan-interface11] quit

# Configure interface VLAN-interface 12, and enable MPLS on it.

[ASBR-PE2] interface vlan-interface 12

[ASBR-PE2-Vlan-interface12] ip address 11.0.0.1 255.0.0.0

[ASBR-PE2-Vlan-interface12] mpls enable

[ASBR-PE2-Vlan-interface12] quit

# Configure interface Loopback 0, and enable IS-IS on it.

[ASBR-PE2] interface loopback 0

[ASBR-PE2-LoopBack0] ip address 4.4.4.9 32

[ASBR-PE2-LoopBack0] isis enable 1

[ASBR-PE2-LoopBack0] quit

# Enable BGP on ASBR-PE 2.

[ASBR-PE2] bgp 600

[ASBR-PE2-bgp] peer 11.0.0.2 as-number 100

[ASBR-PE2-bgp] peer 11.0.0.2 connect-interface vlan-interface 12

[ASBR-PE2-bgp] peer 5.5.5.9 as-number 600

[ASBR-PE2-bgp] peer 5.5.5.9 connect-interface loopback 0

# Disable route target based filtering of received VPNv4 routes.

[ASBR-PE2-bgp] address-family vpnv4

[ASBR-PE2-bgp-vpnv4] undo policy vpn-target

# Configure both IBGP peer 5.5.5.9 and EBGP peer 11.0.0.2 as VPNv4 peers.

[ASBR-PE2-bgp-vpnv4] peer 11.0.0.2 enable

[ASBR-PE2-bgp-vpnv4] peer 5.5.5.9 enable

[ASBR-PE2-bgp-vpnv4] quit

[ASBR-PE2-bgp] quit

4. Configure PE 2:

# Enable IS-IS on PE 2.

<PE2> system-view

[PE2] isis 1

[PE2-isis-1] network-entity 10.111.111.111.111.00

[PE2-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[PE2] mpls lsr-id 5.5.5.9

[PE2] mpls ldp

[PE2-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[PE2] interface vlan-interface 11

[PE2-Vlan-interface11] ip address 9.1.1.2 255.0.0.0

[PE2-Vlan-interface11] isis enable 1

[PE2-Vlan-interface11] mpls enable

[PE2-Vlan-interface11] mpls ldp enable

[PE2-Vlan-interface11] quit

# Configure interface Loopback 0, and enable IS-IS on it.

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 5.5.5.9 32

[PE2-LoopBack0] isis enable 1

[PE2-LoopBack0] quit

# Create VPN instance vpn1, and configure the RD and route target attributes.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 12:12

[PE2-vpn-instance-vpn1] vpn-target 1:1 2:2 3:3 import-extcommunity

[PE2-vpn-instance-vpn1] vpn-target 3:3 export-extcommunity

[PE2-vpn-instance-vpn1] quit

# Bind the interface connected to CE 2 to the created VPN instance.

[PE2] interface vlan-interface12

[PE2-Vlan-interface12] ip binding vpn-instance vpn1

[PE2-Vlan-interface12] ip address 20.0.0.1 8

[PE2-Vlan-interface12] quit

# Enable BGP on PE 2.

[PE2] bgp 600

# Configure IBGP peer 4.4.4.9 as a VPNv4 peer.

[PE2-bgp] peer 4.4.4.9 as-number 600

[PE2-bgp] peer 4.4.4.9 connect-interface loopback 0

[PE2-bgp] address-family vpnv4

[PE2-bgp-vpnv4] peer 4.4.4.9 enable

[PE2-bgp-vpnv4] quit

# Redistribute direct routes to the VPN routing table of vpn1.

[PE2-bgp] ip vpn-instance vpn1

[PE2-bgp-vpn1] address-family ipv4 unicast

[PE2-bgp-ipv4-vpn1] import-route direct

[PE2-bgp-ipv4-vpn1] quit

[PE2-bgp-vpn1] quit

[PE2-bgp] quit

Verifying the configuration

# Use the following command on PE 1 to verify its connectivity to PE 2.

[PE1] ping -a 30.0.0.1 -vpn-instance vpn1 20.0.0.1

Ping 20.0.0.1 (20.0.0.1) from 30.0.0.1: 56 data bytes, press CTRL_C to break

56 bytes from 20.0.0.1: icmp_seq=0 ttl=255 time=1.208 ms

56 bytes from 20.0.0.1: icmp_seq=1 ttl=255 time=0.867 ms

56 bytes from 20.0.0.1: icmp_seq=2 ttl=255 time=0.551 ms

56 bytes from 20.0.0.1: icmp_seq=3 ttl=255 time=0.566 ms

56 bytes from 20.0.0.1: icmp_seq=4 ttl=255 time=0.570 ms

--- Ping statistics for 20.0.0.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.551/0.752/1.208/0.257 ms

Configuring MPLS L3VPN inter-AS option C

Network requirements

Site 1 and Site 2 belong to the same VPN. Site 1 accesses the network through PE 1 in AS 100. Site 2 accesses the network through PE 2 in AS 600. PEs in the same AS run IS-IS.

PE 1 and ASBR-PE 1 exchange labeled IPv4 routes through IBGP. PE 2 and ASBR-PE 2 exchange labeled IPv4 routes through IBGP. PE 1 and PE 2 exchange VPNv4 routes through MP-EBGP.

ASBR-PE 1 and ASBR-PE 2 use their respective routing policies and label routes received from each other.

ASBR-PE 1 and ASBR-PE 2 use EBGP to exchange labeled IPv4 routes.

Figure 24 Network diagram

Table 5 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
PE 1	Loop0	2.2.2.9/32	PE 2	Loop0	5.5.5.9/32
	Vlan-int11	1.1.1.2/8		Vlan-int11	9.1.1.2/8
	Vlan-int12	30.0.0.1/24		Vlan-int12	20.0.0.1/24
ASBR-PE 1	Loop0	3.3.3.9/32	ASBR-PE 2	Loop0	4.4.4.9/32
	Vlan-int11	1.1.1.1/8		Vlan-int11	9.1.1.1/8
	Vlan-int12	11.0.0.2/8		Vlan-int12	11.0.0.1/8
CE 1	Vlan-int12	30.0.0.2/24	CE 2	Vlan-int12	20.0.0.2/24

Configuration procedure

1. Configure CE 1:

# Configure an IP address for VLAN-interface 12.

<CE1> system-view

[CE1] interface vlan-interface 12

[CE1-Vlan-interface12] ip address 30.0.0.2 24

[CE1-Vlan-interface12] quit

# Establish an EBGP peer relationship with PE 1, and redistribute VPN routes.

[CE1] bgp 65001

[CE1-bgp] peer 30.0.0.1 as-number 100

[CE1-bgp] address-family ipv4 unicast

[CE1-bgp-ipv4] peer 30.0.0.1 enable

[CE1-bgp-ipv4] import-route direct

[CE1-bgp-ipv4] quit

[CE1-bgp] quit

2. Configure PE 1:

# Configure IS-IS on PE 1.

<PE1> system-view

[PE1] isis 1

[PE1-isis-1] network-entity 10.111.111.111.111.00

[PE1-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[PE1] mpls lsr-id 2.2.2.9

[PE1] mpls ldp

[PE1-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] ip address 1.1.1.2 255.0.0.0

[PE1-Vlan-interface11] isis enable 1

[PE1-Vlan-interface11] mpls enable

[PE1-Vlan-interface11] mpls ldp enable

[PE1-Vlan-interface11] quit

# Configure interface Loopback 0, and enable IS-IS on it.

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 2.2.2.9 32

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

# Create VPN instance vpn1, and configure the RD and route target attributes.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 11:11

[PE1-vpn-instance-vpn1] vpn-target 1:1 2:2 3:3 import-extcommunity

[PE1-vpn-instance-vpn1] vpn-target 3:3 export-extcommunity

[PE1-vpn-instance-vpn1] quit

# Associate VLAN-interface 12 with VPN instance vpn1, and specify the IP address for the interface.

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip binding vpn-instance vpn1

[PE1-Vlan-interface12] ip address 30.0.0.1 24

[PE1-Vlan-interface12] quit

# Enable BGP on PE 1.

[PE1] bgp 100

# Enable the capability to advertise labeled routes to IBGP peer 3.3.3.9 and to receive labeled routes from the peer.

[PE1-bgp] peer 3.3.3.9 as-number 100

[PE1-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE1-bgp] address-family ipv4 unicast

[PE1-bgp-ipv4] peer 3.3.3.9 enable

[PE1-bgp-ipv4] peer 3.3.3.9 label-route-capability

[PE1-bgp-ipv4] quit

# Configure the maximum hop count from PE 1 to EBGP peer 5.5.5.9 as 10.

[PE1-bgp] peer 5.5.5.9 as-number 600

[PE1-bgp] peer 5.5.5.9 connect-interface loopback 0

[PE1-bgp] peer 5.5.5.9 ebgp-max-hop 10

# Configure peer 5.5.5.9 as a VPNv4 peer.

[PE1-bgp] address-family vpnv4

[PE1-bgp-vpnv4] peer 5.5.5.9 enable

[PE1-bgp-vpnv4] quit

# Establish an EBGP peer relationship with CE 1, and add the learned BGP routes to the routing table of VPN instance vpn1.

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] peer 30.0.0.2 as-number 65001

[PE1-bgp-vpn1] address-family ipv4 unicast

[PE1-bgp-ipv4-vpn1] peer 30.0.0.2 enable

[PE1-bgp-ipv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

3. Configure ASBR-PE 1:

# Enable IS-IS on ASBR-PE 1.

<ASBR-PE1> system-view

[ASBR-PE1] isis 1

[ASBR-PE1-isis-1] network-entity 10.222.222.222.222.00

[ASBR-PE1-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[ASBR-PE1] mpls lsr-id 3.3.3.9

[ASBR-PE1] mpls ldp

[ASBR-PE1-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[ASBR-PE1] interface vlan-interface 11

[ASBR-PE1-Vlan-interface11] ip address 1.1.1.1 255.0.0.0

[ASBR-PE1-Vlan-interface11] isis enable 1

[ASBR-PE1-Vlan-interface11] mpls enable

[ASBR-PE1-Vlan-interface11] mpls ldp enable

[ASBR-PE1-Vlan-interface11] quit

# Configure interface VLAN-interface 12, and enable MPLS on it.

[ASBR-PE1] interface vlan-interface 12

[ASBR-PE1-Vlan-interface12] ip address 11.0.0.2 255.0.0.0

[ASBR-PE1-Vlan-interface12] mpls enable

[ASBR-PE1-Vlan-interface12] quit

# Configure interface Loopback 0, and enable IS-IS on it.

[ASBR-PE1] interface loopback 0

[ASBR-PE1-LoopBack0] ip address 3.3.3.9 32

[ASBR-PE1-LoopBack0] isis enable 1

[ASBR-PE1-LoopBack0] quit

# Create routing policies.

[ASBR-PE1] route-policy policy1 permit node 1

[ASBR-PE1-route-policy-policy1-1] apply mpls-label

[ASBR-PE1-route-policy-policy1-1] quit

[ASBR-PE1] route-policy policy2 permit node 1

[ASBR-PE1-route-policy-policy2-1] if-match mpls-label

[ASBR-PE1-route-policy-policy2-1] apply mpls-label

[ASBR-PE1-route-policy-policy2-1] quit

# Enable BGP on ASBR-PE 1, and apply the routing policy policy2 to routes advertised to IBGP peer 2.2.2.9.

[ASBR-PE1] bgp 100

[ASBR-PE1-bgp] peer 2.2.2.9 as-number 100

[ASBR-PE1-bgp] peer 2.2.2.9 connect-interface loopback 0

[ASBR-PE1-bgp] address-family ipv4 unicast

[ASBR-PE1-bgp-ipv4] peer 2.2.2.9 enable

[ASBR-PE1-bgp-ipv4] peer 2.2.2.9 route-policy policy2 export

# Enable the capability to advertise labeled routes to IBGP peer 2.2.2.9 and to receive labeled routes from the peer.

[ASBR-PE1-bgp-ipv4] peer 2.2.2.9 label-route-capability

# Redistribute routes from IS-IS process 1 to BGP.

[ASBR-PE1-bgp-ipv4] import-route isis 1

[ASBR-PE1-bgp-ipv4] quit

# Apply the routing policy policy1 to routes advertised to EBGP peer 11.0.0.1.

[ASBR-PE1-bgp] peer 11.0.0.1 as-number 600

[ASBR-PE1-bgp] address-family ipv4 unicast

[ASBR-PE1-bgp-ipv4] peer 11.0.0.1 enable

[ASBR-PE1-bgp-ipv4] peer 11.0.0.1 route-policy policy1 export

# Enable the capability to advertise labeled routes to EBGP peer 11.0.0.1 and to receive labeled routes from the peer.

[ASBR-PE1-bgp-ipv4] peer 11.0.0.1 label-route-capability

[ASBR-PE1-bgp-ipv4] quit

[ASBR-PE1-bgp] quit

4. Configure ASBR-PE 2:

# Enable IS-IS on ASBR-PE 2.

<ASBR-PE2> system-view

[ASBR-PE2] isis 1

[ASBR-PE2-isis-1] network-entity 10.222.222.222.222.00

[ASBR-PE2-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[ASBR-PE2] mpls lsr-id 4.4.4.9

[ASBR-PE2] mpls ldp

[ASBR-PE2-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[ASBR-PE2] interface vlan-interface 11

[ASBR-PE2-Vlan-interface11] ip address 9.1.1.1 255.0.0.0

[ASBR-PE2-Vlan-interface11] isis enable 1

[ASBR-PE2-Vlan-interface11] mpls enable

[ASBR-PE2-Vlan-interface11] mpls ldp enable

[ASBR-PE2-Vlan-interface11] quit

# Configure interface Loopback 0, and enable IS-IS on it.

[ASBR-PE2] interface loopback 0

[ASBR-PE2-LoopBack0] ip address 4.4.4.9 32

[ASBR-PE2-LoopBack0] isis enable 1

[ASBR-PE2-LoopBack0] quit

# Configure interface VLAN-interface 12, and enable MPLS on it.

[ASBR-PE2] interface vlan-interface 12

[ASBR-PE2-Vlan-interface12] ip address 11.0.0.1 255.0.0.0

[ASBR-PE2-Vlan-interface12] mpls enable

[ASBR-PE2-Vlan-interface12] quit

# Create routing policies.

[ASBR-PE2] route-policy policy1 permit node 1

[ASBR-PE2-route-policy-policy1-1] apply mpls-label

[ASBR-PE2-route-policy-policy1-1] quit

[ASBR-PE2] route-policy policy2 permit node 1

[ASBR-PE2-route-policy-policy2-1] if-match mpls-label

[ASBR-PE2-route-policy-policy2-1] apply mpls-label

[ASBR-PE2-route-policy-policy2-1] quit

# Enable BGP on ASBR-PE 2, and enable the capability to advertise labeled routes to IBGP peer 5.5.5.9 and to receive labeled routes from the peer.

[ASBR-PE2] bgp 600

[ASBR-PE2-bgp] peer 5.5.5.9 as-number 600

[ASBR-PE2-bgp] peer 5.5.5.9 connect-interface loopback 0

[ASBR-PE2-bgp] address-family ipv4 unicast

[ASBR-PE2-bgp-ipv4] peer 5.5.5.9 enable

[ASBR-PE2-bgp-ipv4] peer 5.5.5.9 label-route-capability

# Apply the routing policy policy2 to routes advertised to IBGP peer 5.5.5.9.

[ASBR-PE2-bgp-ipv4] peer 5.5.5.9 route-policy policy2 export

# Redistribute routes from IS-IS process 1 into BGP.

[ASBR-PE2-bgp-ipv4] import-route isis 1

[ASBR-PE2-bgp-ipv4] quit

# Apply the routing policy policy1 to routes advertised to EBGP peer 11.0.0.2.

[ASBR-PE2-bgp] peer 11.0.0.2 as-number 100

[ASBR-PE2-bgp] address-family ipv4 unicast

[ASBR-PE2-bgp-ipv4] peer 11.0.0.2 enable

[ASBR-PE2-bgp-ipv4] peer 11.0.0.2 route-policy policy1 export

# Enable the capability to advertise labeled routes to EBGP peer 11.0.0.2 and to receive labeled routes from the peer.

[ASBR-PE2-bgp-ipv4] peer 11.0.0.2 label-route-capability

[ASBR-PE2-bgp-ipv4] quit

[ASBR-PE2-bgp] quit

5. Configure PE 2:

# Enable IS-IS on PE 2.

<PE2> system-view

[PE2] isis 1

[PE2-isis-1] network-entity 10.111.111.111.111.00

[PE2-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[PE2] mpls lsr-id 5.5.5.9

[PE2] mpls ldp

[PE2-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[PE2] interface vlan-interface 11

[PE2-Vlan-interface11] ip address 9.1.1.2 255.0.0.0

[PE2-Vlan-interface11] isis enable 1

[PE2-Vlan-interface11] mpls enable

[PE2-Vlan-interface11] mpls ldp enable

[PE2-Vlan-interface11] quit

# Configure interface Loopback 0, and enable IS-IS on it.

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 5.5.5.9 32

[PE2-LoopBack0] isis enable 1

[PE2-LoopBack0] quit

# Create VPN instance vpn1, and configure the RD and route target attributes.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 11:11

[PE2-vpn-instance-vpn1] vpn-target 1:1 2:2 3:3 import-extcommunity

[PE2-vpn-instance-vpn1] vpn-target 3:3 export-extcommunity

[PE2-vpn-instance-vpn1] quit

# Associate VLAN-interface 12 with VPN instance vpn1, and specify the IP address for the interface.

[PE2] interface vlan-interface 12

[PE2-Vlan-interface12] ip binding vpn-instance vpn1

[PE2-Vlan-interface12] ip address 20.0.0.1 24

[PE2-Vlan-interface12] quit

# Enable BGP on PE 2.

[PE2] bgp 600

# Enable the capability to advertise labeled routes to IBGP peer 4.4.4.9 and to receive labeled routes from the peer.

[PE2-bgp] peer 4.4.4.9 as-number 600

[PE2-bgp] peer 4.4.4.9 connect-interface loopback 0

[PE2-bgp] address-family ipv4 unicast

[PE2-bgp-ipv4] peer 4.4.4.9 enable

[PE2-bgp-ipv4] peer 4.4.4.9 label-route-capability

[PE2-bgp-ipv4] quit

# Configure the maximum hop count from PE 2 to EBGP peer 2.2.2.9 as 10.

[PE2-bgp] peer 2.2.2.9 as-number 100

[PE2-bgp] peer 2.2.2.9 connect-interface loopback 0

[PE2-bgp] peer 2.2.2.9 ebgp-max-hop 10

# Configure peer 2.2.2.9 as a VPNv4 peer.

[PE2-bgp] address-family vpnv4

[PE2-bgp-vpnv4] peer 2.2.2.9 enable

[PE2-bgp-vpnv4] quit

# Establish an EBGP peer relationship with CE 2, and add the learned BGP routes to the routing table of VPN instance vpn1.

[PE2-bgp] ip vpn-instance vpn1

[PE2-bgp-vpn1] peer 20.0.0.2 as-number 65002

[PE2-bgp-vpn1] address-family ipv4 unicast

[PE2-bgp-ipv4-vpn1] peer 20.0.0.2 enable

[PE2-bgp-ipv4-vpn1] quit

[PE2-bgp-vpn1] quit

[PE2-bgp] quit

6. Configure CE 2:

# Configure an IP address for VLAN-interface 12.

<CE2> system-view

[CE2] interface vlan-interface 12

[CE2-Vlan-interface12] ip address 20.0.0.2 24

[CE2-Vlan-interface12] quit

# Establish an EBGP peer relationship with PE 2, and redistribute VPN routes.

[CE2] bgp 65002

[CE2-bgp] peer 20.0.0.1 as-number 600

[CE2-bgp] address-family ipv4 unicast

[CE2-bgp-ipv4] peer 20.0.0.1 enable

[CE2-bgp-ipv4] import-route direct

[CE2-bgp-ipv4] quit

[CE2-bgp] quit

Verifying the configuration

# Execute the display ip routing table command on CE 1 and CE 2 to verify that CE 1 and CE 2 have a route to each other. Verify that CE 1 and CE 2 can ping each other. (Details not shown.)

Configuring MPLS L3VPN carrier's carrier in the same AS

Network requirements

Configure carrier's carrier for the scenario shown in Figure 25. In this scenario:

· PE 1 and PE 2 are the provider carrier's PE switches. They provide VPN services for the customer carrier.

· CE 1 and CE 2 are the customer carrier's switches. They are connected to the provider carrier's backbone as CE switches.

· PE 3 and PE 4 are the customer carrier's PE switches. They provide MPLS L3VPN services for the end customers.

· CE 3 and CE 4 are customers of the customer carrier.

· The customer carrier and the provider carrier reside in the same AS.

The key to carrier's carrier deployment is to configure exchange of two kinds of routes:

· Exchange of the customer carrier's internal routes on the provider carrier's backbone.

· Exchange of the end customers' VPN routes between PE 3 and PE 4, the PEs of the customer carrier. In this process, an MP-IBGP peer relationship must be established between PE 3 and PE 4.

Figure 25 Network diagram

Table 6 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 3	Vlan-int11	100.1.1.1/24	CE 4	Vlan-int11	120.1.1.1/24
PE 3	Loop0	1.1.1.9/32	PE 4	Loop0	6.6.6.9/32
	Vlan-int11	100.1.1.2/24		Vlan-int11	120.1.1.2/24
	Vlan-int12	10.1.1.1/24		Vlan-int12	20.1.1.2/24
CE 1	Loop0	2.2.2.9/32	CE 2	Loop0	5.5.5.9/32
	Vlan-int12	10.1.1.2/24		Vlan-int11	21.1.1.2/24
	Vlan-int11	11.1.1.1/24		Vlan-int12	20.1.1.1/24
PE 1	Loop0	3.3.3.9/32	PE 2	Loop0	4.4.4.9/32
	Vlan-int11	11.1.1.2/24		Vlan-int12	30.1.1.2/24
	Vlan-int12	30.1.1.1/24		Vlan-int11	21.1.1.1/24

Configuration procedure

1. Configure MPLS L3VPN on the provider carrier backbone. Enable IS-IS as the IGP, enable LDP between PE 1 and PE 2, and establish an MP-IBGP peer relationship between the PEs:

# Configure PE 1.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 3.3.3.9 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 3.3.3.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] isis 1

[PE1-isis-1] network-entity 10.0000.0000.0000.0004.00

[PE1-isis-1] quit

[PE1] interface loopback 0

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip address 30.1.1.1 24

[PE1-Vlan-interface12] isis enable 1

[PE1-Vlan-interface12] mpls enable

[PE1-Vlan-interface12] mpls ldp enable

[PE1-Vlan-interface12] mpls ldp transport-address interface

[PE1-Vlan-interface12] quit

[PE1] bgp 100

[PE1-bgp] peer 4.4.4.9 as-number 100

[PE1-bgp] peer 4.4.4.9 connect-interface loopback 0

[PE1-bgp] address-family vpnv4

[PE1-bgp-vpnv4] peer 4.4.4.9 enable

[PE1-bgp-vpnv4] quit

[PE1-bgp] quit

# Configure PE 2 in the same way that PE 1 is configured. (Details not shown.)

# On PE 1 or PE 2, execute the following commands:

¡ Execute the display mpls ldp peer command to verify that an LDP session in Operational state has been established between PE 1 and PE 2. (Details not shown.)

¡ Execute the display bgp peer vpnv4 command to verify that a BGP peer relationship in Established state has been established between PE 1 and PE 2. (Details not shown.)

¡ Execute the display isis peer command to verify that the IS-IS neighbor relationship has been established between PE 1 and PE 2. (Details not shown.)

2. Configure the customer carrier network. Enable IS-IS as the IGP, and enable LDP between PE 3 and CE 1, and between PE 4 and CE 2:

# Configure PE 3.

<PE3> system-view

[PE3] interface loopback 0

[PE3-LoopBack0] ip address 1.1.1.9 32

[PE3-LoopBack0] quit

[PE3] mpls lsr-id 1.1.1.9

[PE3] mpls ldp

[PE3-ldp] quit

[PE3] isis 2

[PE3-isis-2] network-entity 10.0000.0000.0000.0001.00

[PE3-isis-2] quit

[PE3] interface loopback 0

[PE3-LoopBack0] isis enable 2

[PE3-LoopBack0] quit

[PE3] interface vlan-interface 12

[PE3-Vlan-interface12] ip address 10.1.1.1 24

[PE3-Vlan-interface12] isis enable 2

[PE3-Vlan-interface12] mpls enable

[PE3-Vlan-interface12] mpls ldp enable

[PE3-Vlan-interface12] mpls ldp transport-address interface

[PE3-Vlan-interface12] quit

# Configure CE 1.

<CE1> system-view

[CE1] interface loopback 0

[CE1-LoopBack0] ip address 2.2.2.9 32

[CE1-LoopBack0] quit

[CE1] mpls lsr-id 2.2.2.9

[CE1] mpls ldp

[CE1-ldp] quit

[CE1] isis 2

[CE1-isis-2] network-entity 10.0000.0000.0000.0002.00

[CE1-isis-2] quit

[CE1] interface loopback 0

[CE1-LoopBack0] isis enable 2

[CE1-LoopBack0] quit

[CE1] interface vlan-interface 12

[CE1-Vlan-interface12] ip address 10.1.1.2 24

[CE1-Vlan-interface12] isis enable 2

[CE1-Vlan-interface12] mpls enable

[CE1-Vlan-interface12] mpls ldp enable

[CE1-Vlan-interface12] mpls ldp transport-address interface

[CE1-Vlan-interface12] quit

PE 3 and CE 1 can establish an LDP session and IS-IS neighbor relationship between them.

# Configure PE 4 and CE 2 in the same way that PE 3 and CE 1 are configured. (Details not shown.)

3. Allow CEs of the customer carrier to access PEs of the provider carrier, and redistribute IS-IS routes to BGP and BGP routes to IS-IS on the PEs:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 200:1

[PE1-vpn-instance-vpn1] vpn-target 1:1

[PE1-vpn-instance-vpn1] quit

[PE1] mpls ldp

[PE1-ldp] vpn-instance vpn1

[PE1-ldp-vpn-instance-vpn1] quit

[PE1-ldp] quit

[PE1] isis 2 vpn-instance vpn1

[PE1-isis-2] network-entity 10.0000.0000.0000.0003.00

[PE1-isis-2] address-family ipv4

[PE1-isis-2-ipv4] import-route bgp

[PE1-isis-2-ipv4] quit

[PE1-isis-2] quit

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] ip binding vpn-instance vpn1

[PE1-Vlan-interface11] ip address 11.1.1.2 24

[PE1-Vlan-interface11] isis enable 2

[PE1-Vlan-interface11] mpls enable

[PE1-Vlan-interface11] mpls ldp enable

[PE1-Vlan-interface11] mpls ldp transport-address interface

[PE1-Vlan-interface11] quit

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] address-family ipv4 unicast

[PE1-bgp-ipv4-vpn1] import isis 2

[PE1-bgp-ipv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Configure CE 1.

[CE1] interface vlan-interface 11

[CE1-Vlan-interface11] ip address 11.1.1.1 24

[CE1-Vlan-interface11] isis enable 2

[CE1-Vlan-interface11] mpls enable

[CE1-Vlan-interface11] mpls ldp enable

[CE1-Vlan-interface11] mpls ldp transport-address interface

[CE1-Vlan-interface11] quit

PE 1 and CE 1 can establish an LDP session and an IS-IS neighbor relationship between them.

# Configure PE 2 and CE 2 in the same way that PE 1 and CE 1 are configured. (Details not shown.)

4. Connect the CEs of the end customers and the PEs of the customer carrier:

# Configure CE 3.

<CE3> system-view

[CE3] interface vlan-interface11

[CE3-Vlan-interface11] ip address 100.1.1.1 24

[CE3-Vlan-interface11] quit

[CE3] bgp 65410

[CE3-bgp] peer 100.1.1.2 as-number 100

[CE3-bgp] address-family ipv4 unicast

[CE3-bgp-ipv4] peer 100.1.1.2 enable

[CE3-bgp-ipv4] import-route direct

[CE3-bgp-ipv4] quit

[CE3-bgp] quit

# Configure PE 3.

[PE3] ip vpn-instance vpn1

[PE3-vpn-instance-vpn1] route-distinguisher 100:1

[PE3-vpn-instance-vpn1] vpn-target 1:1

[PE3-vpn-instance-vpn1] quit

[PE3] interface Vlan-interface 11

[PE3-Vlan-interface11] ip binding vpn-instance vpn1

[PE3-Vlan-interface11] ip address 100.1.1.2 24

[PE3-Vlan-interface11] quit

[PE3] bgp 100

[PE3-bgp] ip vpn-instance vpn1

[PE3-bgp-vpn1] peer 100.1.1.1 as-number 65410

[PE3-bgp-vpn1] address-family ipv4 unicast

[PE3-bgp-ipv4-vpn1] peer 100.1.1.1 enable

[PE3-bgp-ipv4-vpn1] quit

[PE3-bgp-vpn1] quit

[PE3-bgp] quit

# Configure PE 4 and CE 4 in the same way that PE 3 and CE 3 are configured. (Details not shown.)

5. Configure MP-IBGP peer relationship between the PEs of the customer carrier to exchange the end customers' VPN routes:

# Configure PE 3.

[PE3] bgp 100

[PE3-bgp] peer 6.6.6.9 as-number 100

[PE3-bgp] peer 6.6.6.9 connect-interface loopback 0

[PE3-bgp] address-family vpnv4

[PE3-bgp-vpnv4] peer 6.6.6.9 enable

[PE3-bgp-vpnv4] quit

[PE3-bgp] quit

# Configure PE 4 in the same way that PE 3 is configured. (Details not shown.)

Verifying the configuration

1. Display the public network routing table and VPN routing table on the provider carrier PEs, for example, on PE 1:

# Verify that the public network routing table contains only routes of the provider carrier network.

[PE1] display ip routing-table

Destinations : 14 Routes : 14

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

3.3.3.9/32 Direct 0 0 127.0.0.1 InLoop0

4.4.4.9/32 ISIS 15 10 30.1.1.2 Vlan12

30.1.1.0/24 Direct 0 0 30.1.1.1 Vlan12

30.1.1.0/32 Direct 0 0 30.1.1.1 Vlan12

30.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

30.1.1.255/32 Direct 0 0 30.1.1.1 Vlan12

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that the VPN routing table contains the internal routes of the customer carrier network, but it does not contain the VPN routes that the customer carrier maintains.

[PE1] display ip routing-table vpn-instance vpn1

Destinations : 18 Routes : 18

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

1.1.1.9/32 ISIS 15 20 11.1.1.1 Vlan11

2.2.2.9/32 ISIS 15 10 11.1.1.1 Vlan11

5.5.5.9/32 BGP 255 10 4.4.4.9 Vlan12

6.6.6.9/32 BGP 255 20 4.4.4.9 Vlan12

10.1.1.0/24 ISIS 15 20 11.1.1.1 Vlan11

11.1.1.0/24 Direct 0 0 11.1.1.2 Vlan11

11.1.1.0/32 Direct 0 0 11.1.1.2 Vlan11

11.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.255/32 Direct 0 0 11.1.1.2 Vlan11

20.1.1.0/24 BGP 255 20 4.4.4.9 Vlan12

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

2. Display the routing table on the customer carrier CEs, for example, on CE 1:

# Verify that the routing table contains the internal routes of the customer carrier network, but it does not contain the VPN routes that the customer carrier maintains.

[CE1] display ip routing-table

Destinations : 21 Routes : 21

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

1.1.1.9/32 ISIS 15 10 10.1.1.1 Vlan12

2.2.2.9/32 Direct 0 0 127.0.0.1 InLoop0

5.5.5.9/32 ISIS 15 74 11.1.1.2 Vlan11

6.6.6.9/32 ISIS 15 74 11.1.1.2 Vlan11

10.1.1.0/24 Direct 0 0 10.1.1.2 Vlan12

10.1.1.0/32 Direct 0 0 10.1.1.2 Vlan12

10.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.255/32 Direct 0 0 10.1.1.2 Vlan12

11.1.1.0/24 Direct 0 0 11.1.1.1 Vlan11

11.1.1.0/32 Direct 0 0 11.1.1.1 Vlan11

11.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.255/32 Direct 0 0 11.1.1.1 Vlan11

20.1.1.0/24 ISIS 15 74 11.1.1.2 Vlan11

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

3. Display the public network routing table and VPN routing table on the customer carrier PEs, for example, on PE 3:

# Verify that the public network routing table contains the internal routes of the customer carrier network.

[PE3] display ip routing-table

Destinations : 18 Routes : 18

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

1.1.1.9/32 Direct 0 0 127.0.0.1 InLoop0

2.2.2.9/32 ISIS 15 10 10.1.1.2 Vlan12

5.5.5.9/32 ISIS 15 84 10.1.1.2 Vlan12

6.6.6.9/32 ISIS 15 84 10.1.1.2 Vlan12

10.1.1.0/24 Direct 0 0 10.1.1.1 Vlan12

10.1.1.0/32 Direct 0 0 10.1.1.1 Vlan12

10.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.255/32 Direct 0 0 10.1.1.1 Vlan12

11.1.1.0/24 ISIS 15 20 10.1.1.2 Vlan12

20.1.1.0/24 ISIS 15 84 10.1.1.2 Vlan12

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that the VPN routing table contains the route to the remote VPN customer.

[PE3] display ip routing-table vpn-instance vpn1

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.0/24 Direct 0 0 100.1.1.2 Vlan11

100.1.1.0/32 Direct 0 0 100.1.1.2 Vlan11

100.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.255/32 Direct 0 0 100.1.1.2 Vlan11

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

120.1.1.0/24 BGP 255 0 6.6.6.9 Vlan12

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

4. Verify that PE 3 and PE 4 can ping each other. (Details not shown.)

5. Verify that CE 3 and CE 4 can ping each other. (Details not shown.)

Configuring MPLS L3VPN carrier's carrier in different ASs

Network requirements

Configure carrier's carrier for the scenario shown in Figure 26. In this scenario:

· PE 1 and PE 2 are the provider carrier's PE switches. They provide VPN services for the customer carrier.

· CE 1 and CE 2 are the customer carrier's switches. They are connected to the provider carrier's backbone as CE switches.

· PE 3 and PE 4 are the customer carrier's PE switches. They provide MPLS L3VPN services for the end customers.

· CE 3 and CE 4 are customers of the customer carrier.

· The customer carrier and the provider carrier reside in different ASs.

The key to carrier's carrier deployment is to configure exchange of two kinds of routes:

· Exchange of the customer carrier's internal routes on the provider carrier's backbone.

· Exchange of the end customers' VPN routes between PE 3 and PE 4, the PEs of the customer carrier. In this process, an MP-EBGP peer relationship must be established between PE 3 and PE 4.

Figure 26 Network diagram

Table 7 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 3	Vlan-int11	100.1.1.1/24	CE 4	Vlan-int11	120.1.1.1/24
PE 3	Loop0	1.1.1.9/32	PE 4	Loop0	6.6.6.9/32
	Vlan-int11	100.1.1.2/24		Vlan-int11	120.1.1.2/24
	Vlan-int12	10.1.1.1/24		Vlan-int12	20.1.1.2/24
CE 1	Loop0	2.2.2.9/32	CE 2	Loop0	5.5.5.9/32
	Vlan-int12	10.1.1.2/24		Vlan-int11	21.1.1.2/24
	Vlan-int11	11.1.1.1/24		Vlan-int12	20.1.1.1/24
PE 1	Loop0	3.3.3.9/32	PE 2	Loop0	4.4.4.9/32
	Vlan-int11	11.1.1.2/24		Vlan-int12	30.1.1.2/24
	Vlan-int12	30.1.1.1/24		Vlan-int11	21.1.1.1/24

Configuration procedure

1. Configure MPLS L3VPN on the provider carrier backbone. Enable IS-IS as the IGP, enable LDP between PE 1 and PE 2, and establish an MP-IBGP peer relationship between the PEs:

# Configure PE 1.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 3.3.3.9 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 3.3.3.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] isis 1

[PE1-isis-1] network-entity 10.0000.0000.0000.0004.00

[PE1-isis-1] quit

[PE1] interface loopback 0

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip address 30.1.1.1 24

[PE1-Vlan-interface12] isis enable 1

[PE1-Vlan-interface12] mpls enable

[PE1-Vlan-interface12] mpls ldp enable

[PE1-Vlan-interface12] mpls ldp transport-address interface

[PE1-Vlan-interface12] quit

[PE1] bgp 100

[PE1-bgp] peer 4.4.4.9 as-number 100

[PE1-bgp] peer 4.4.4.9 connect-interface loopback 0

[PE1-bgp] address-family vpnv4

[PE1-bgp-vpnv4] peer 4.4.4.9 enable

[PE1-bgp-vpnv4] quit

[PE1-bgp] quit

# Configure PE 2 in the same way that PE 1 is configured. (Details not shown.)

# On PE 1 or PE 2, execute the following commands:

¡ Execute the display mpls ldp peer command to verify that an LDP session in Operational state has been established between PE 1 and PE 2. (Details not shown.)

¡ Execute the display bgp peer vpnv4 command to verify that a BGP peer relationship in Established state has been established between PE 1 and PE 2. (Details not shown.)

¡ Execute the display isis peer command to verify that the IS-IS neighbor relationship has been established between PE 1 and PE 2. (Details not shown.)

2. Configure the customer carrier network. Enable IS-IS as the IGP, and enable LDP between PE 3 and CE 1, and between PE 4 and CE 2:

# Configure PE 3.

<PE3> system-view

[PE3] interface loopback 0

[PE3-LoopBack0] ip address 1.1.1.9 32

[PE3-LoopBack0] quit

[PE3] mpls lsr-id 1.1.1.9

[PE3] mpls ldp

[PE3-ldp] quit

[PE3] isis 2

[PE3-isis-2] network-entity 10.0000.0000.0000.0001.00

[PE3-isis-2] quit

[PE3] interface loopback 0

[PE3-LoopBack0] isis enable 2

[PE3-LoopBack0] quit

[PE3] interface vlan-interface 12

[PE3-Vlan-interface12] ip address 10.1.1.1 24

[PE3-Vlan-interface12] isis enable 2

[PE3-Vlan-interface12] mpls enable

[PE3-Vlan-interface12] mpls ldp enable

[PE3-Vlan-interface12] mpls ldp transport-address interface

[PE3-Vlan-interface12] quit

# Configure CE 1.

<CE1> system-view

[CE1] interface loopback 0

[CE1-LoopBack0] ip address 2.2.2.9 32

[CE1-LoopBack0] quit

[CE1] mpls lsr-id 2.2.2.9

[CE1] mpls ldp

[CE1-ldp] import bgp

[CE1-ldp] quit

[CE1] isis 2

[CE1-isis-2] network-entity 10.0000.0000.0000.0002.00

[CE1-isis-2] address-family ipv4

[CE1-isis-2-ipv4] import-route bgp

[CE1-isis-2-ipv4] quit

[CE1-isis-2] quit

[CE1] interface loopback 0

[CE1-LoopBack0] isis enable 2

[CE1-LoopBack0] quit

[CE1] interface vlan-interface 12

[CE1-Vlan-interface12] ip address 10.1.1.2 24

[CE1-Vlan-interface12] isis enable 2

[CE1-Vlan-interface12] mpls enable

[CE1-Vlan-interface12] mpls ldp enable

[CE1-Vlan-interface12] mpls ldp transport-address interface

[CE1-Vlan-interface12] quit

PE 3 and CE 1 can establish an LDP session and IS-IS neighbor relationship between them.

# Configure PE 4 and CE 2 in the same way that PE 3 and CE 1 are configured. (Details not shown.)

3. Allow CEs of the customer carrier to access PEs of the provider carrier:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 200:1

[PE1-vpn-instance-vpn1] vpn-target 1:1

[PE1-vpn-instance-vpn1] quit

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] ip binding vpn-instance vpn1

[PE1-Vlan-interface11] ip address 11.1.1.2 24

[PE1-Vlan-interface11] mpls enable

[PE1-Vlan-interface11] quit

[PE1] bgp 200

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] peer 11.1.1.1 as-number 100

[PE1-bgp-vpn1] address-family ipv4 unicast

[PE1-bgp-ipv4-vpn1] peer 11.1.1.1 enable

[PE1-bgp-ipv4-vpn1] peer 11.1.1.1 label-route-capability

[PE1-bgp-ipv4-vpn1] peer 11.1.1.1 route-policy csc export

[PE1-bgp-ipv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

[PE1] route-policy csc permit node 0

[PE1-route-policy-csc-0] apply mpls-label

[PE1-route-policy-csc-0] quit

# Configure CE 1.

[CE1] interface vlan-interface 11

[CE1-Vlan-interface11] ip address 11.1.1.1 24

[CE1-Vlan-interface11] mpls enable

[CE1-Vlan-interface11] quit

[CE1] bgp 100

[CE1-bgp] peer 11.1.1.2 as-number 200

[CE1-bgp] address-family ipv4 unicast

[CE1-bgp-ipv4] peer 11.1.1.2 enable

[CE1-bgp-ipv4] peer 11.1.1.2 label-route-capability

[PE1-bgp-ipv4] peer 11.1.1.2 route-policy csc export

[CE1-bgp-ipv4] import isis 2

[CE1-bgp-ipv4] quit

[CE1-bgp] quit

[CE1] route-policy csc permit node 0

[CE1-route-policy-csc-0] apply mpls-label

[CE1-route-policy-csc-0] quit

PE 1 and CE 1 can establish a BGP session and exchange labeled IPv4 unicast routes through BGP.

# Configure PE 2 and CE 2 in the same way that PE 1 and CE 1 are configured. (Details not shown.)

4. Connect CEs of the end customers and the PEs of the customer carrier:

# Configure CE 3.

<CE3> system-view

[CE3] interface vlan-interface 11

[CE3-Vlan-interface11] ip address 100.1.1.1 24

[CE3-Vlan-interface11] quit

[CE3] bgp 65410

[CE3-bgp] peer 100.1.1.2 as-number 100

[CE3-bgp] address-family ipv4 unicast

[CE3-bgp-ipv4] peer 100.1.1.2 enable

[CE3-bgp-ipv4] import-route direct

[CE3-bgp-ipv4] quit

[CE3-bgp] quit

# Configure PE 3.

[PE3] ip vpn-instance vpn1

[PE3-vpn-instance-vpn1] route-distinguisher 100:1

[PE3-vpn-instance-vpn1] vpn-target 1:1

[PE3-vpn-instance-vpn1] quit

[PE3] interface vlan-interface 11

[PE3-Vlan-interface11] ip binding vpn-instance vpn1

[PE3-Vlan-interface11] ip address 100.1.1.2 24

[PE3-Vlan-interface11] quit

[PE3] bgp 100

[PE3-bgp] ip vpn-instance vpn1

[PE3-bgp-vpn1] peer 100.1.1.1 as-number 65410

[PE3-bgp-vpn1] address-family ipv4 unicast

[PE3-bgp-ipv4-vpn1] peer 100.1.1.1 enable

[PE3-bgp-ipv4-vpn1] quit

[PE3-bgp-vpn1] quit

[PE3-bgp] quit

# Configure PE 4 and CE 4 in the same way that PE 3 and CE 3 are configured. (Details not shown.)

5. Configure an MP-EBGP peer relationship between the PEs of the customer carrier to exchange the VPN routes of the end customers:

# Configure PE 3.

[PE3] bgp 100

[PE3-bgp] peer 6.6.6.9 as-number 300

[PE3-bgp] peer 6.6.6.9 connect-interface loopback 0

[PE3-bgp] peer 6.6.6.9 ebgp-max-hop 10

[PE3-bgp] address-family vpnv4

[PE3-bgp-vpnv4] peer 6.6.6.9 enable

[PE3-bgp-vpnv4] quit

[PE3-bgp] quit

# Configure PE 4 in the same way that PE 3 is configured. (Details not shown.)

Verifying the configuration

1. Display the public network routing table and VPN routing table on the provider carrier PEs, for example, on PE 1:

# Verify that the public network routing table contains only routes of the provider carrier network.

[PE1] display ip routing-table

Destinations : 14 Routes : 14

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

3.3.3.9/32 Direct 0 0 127.0.0.1 InLoop0

4.4.4.9/32 ISIS 15 10 30.1.1.2 Vlan12

30.1.1.0/24 Direct 0 0 30.1.1.1 Vlan12

30.1.1.0/32 Direct 0 0 30.1.1.1 Vlan12

30.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

30.1.1.255/32 Direct 0 0 30.1.1.1 Vlan12

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that the VPN routing table contains the internal routes of the customer carrier, but it does not contain the VPN routes that the customer carrier maintains.

[PE1] display ip routing-table vpn-instance vpn1

Destinations : 14 Routes : 14

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

1.1.1.9/32 BGP 255 10 11.1.1.1 Vlan11

6.6.6.9/32 BGP 255 10 4.4.4.9 Vlan12

11.1.1.0/24 Direct 0 0 11.1.1.2 Vlan11

11.1.1.0/32 Direct 0 0 11.1.1.2 Vlan11

11.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.255/32 Direct 0 0 11.1.1.2 Vlan11

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

2. Display the routing table on the customer carrier CEs, for example, on CE 1.

# Verify that the routing table contains the internal routes of the customer carrier network, but it does not contain the VPN routes that the customer carrier maintains.

[CE1] display ip routing-table

Destinations : 19 Routes : 19

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

1.1.1.9/32 ISIS 15 10 10.1.1.1 Vlan12

2.2.2.9/32 Direct 0 0 127.0.0.1 InLoop0

6.6.6.9/32 BGP 255 0 11.1.1.2 Vlan11

10.1.1.0/24 Direct 0 0 10.1.1.2 Vlan12

10.1.1.0/32 Direct 0 0 10.1.1.2 Vlan12

10.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.255/32 Direct 0 0 10.1.1.2 Vlan12

11.1.1.0/24 Direct 0 0 11.1.1.1 Vlan11

11.1.1.0/32 Direct 0 0 11.1.1.1 Vlan11

11.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.255/32 Direct 0 0 11.1.1.1 Vlan11

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

3. Display the public network routing table and VPN routing table on the customer carrier PEs, for example, on PE 3:

# Verify that the public network routing table contains the internal routes of the customer carrier network.

[PE3] display ip routing-table

Destinations : 15 Routes : 15

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

1.1.1.9/32 Direct 0 0 127.0.0.1 InLoop0

2.2.2.9/32 ISIS 15 10 10.1.1.2 Vlan12

6.6.6.9/32 ISIS 15 74 10.1.1.2 Vlan12

10.1.1.0/24 Direct 0 0 10.1.1.1 Vlan12

10.1.1.0/32 Direct 0 0 10.1.1.1 Vlan12

10.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.255/32 Direct 0 0 10.1.1.1 Vlan12

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that the VPN routing table contains the route to the remote VPN customer.

[PE3] display ip routing-table vpn-instance vpn1

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.0/24 Direct 0 0 100.1.1.2 Vlan11

100.1.1.0/32 Direct 0 0 100.1.1.2 Vlan11

100.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.255/32 Direct 0 0 100.1.1.2 Vlan11

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

120.1.1.0/24 BGP 255 0 6.6.6.9 Vlan12

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

4. Verify that PE 3 and PE 4 can ping each other. (Details not shown.)

5. Verify that CE 3 and CE 4 can ping each other. (Details not shown.)

Configuring nested VPN

Network requirements

The service provider provides nested VPN services for users, as shown in Figure 27.

· PE 1 and PE 2 are PE devices on the service provider backbone. Both of them support the nested VPN feature.

· CE 1 and CE 2 are connected to the service provider backbone. Both of them support VPNv4 routes.

· PE 3 and PE 4 are PE devices of the customer VPN. Both of them support MPLS L3VPN.

· CE 3 through CE 6 are CE devices of the sub-VPNs for the customer VPN.

The key of nested VPN configuration is to understand the processing of routes of sub-VPNs on the service provider PEs:

· When receiving a VPNv4 route from a CE (CE 1 or CE 2 in this example), a service provider PE performs the following operations:

a. Replaces the RD of the VPNv4 route with the RD of the MPLS VPN on the service provider network where the CE resides.

b. Adds the export target attribute of the MPLS VPN on the service provider network to the extended community attribute list.

c. Forwards the VPNv4 route.

· To implement exchange of sub-VPN routes between customer PEs and service provider PEs, MP-EBGP peers must be established between service provider PEs and customer CEs.

Figure 27 Network diagram

Table 8 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Loop0	2.2.2.9/32	CE 2	Loop0	5.5.5.9/32
	Vlan-int2	10.1.1.2/24		Vlan-int1	21.1.1.2/24
	Vlan-int1	11.1.1.1/24		Vlan-int2	20.1.1.1/24
CE 3	Vlan-int1	100.1.1.1/24	CE 4	Vlan-int1	120.1.1.1/24
CE 5	Vlan-int3	110.1.1.1/24	CE 6	Vlan-int3	130.1.1.1/24
PE 1	Loop0	3.3.3.9/32	PE 2	Loop0	4.4.4.9/32
	Vlan-int1	11.1.1.2/24		Vlan-int1	21.1.1.1/24
	Vlan-int2	30.1.1.1/24		Vlan-int2	30.1.1.2/24
PE 3	Loop0	1.1.1.9/32	PE 4	Loop0	6.6.6.9/32
	Vlan-int1	100.1.1.2/24		Vlan-int1	120.1.1.2/24
	Vlan-int2	10.1.1.1/24		Vlan-int2	20.1.1.2/24
	Vlan-int3	110.1.1.2/24		Vlan-int3	130.1.1.2/24

Configuration procedure

1. Configure MPLS L3VPN on the service provider backbone. Use IS-IS as the IGP protocol, enable LDP, and establish an MP-IBGP peer relationship between PE 1 and PE 2:

# Configure PE 1.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 3.3.3.9 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 3.3.3.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] isis 1

[PE1-isis-1] network-entity 10.0000.0000.0000.0004.00

[PE1-isis-1] quit

[PE1] interface loopback 0

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

[PE1] interface vlan-interface 2

[PE1-Vlan-interface2] ip address 30.1.1.1 24

[PE1-Vlan-interface2] isis enable 1

[PE1-Vlan-interface2] mpls enable

[PE1-Vlan-interface2] mpls ldp enable

[PE1-Vlan-interface2] quit

[PE1] bgp 100

[PE1-bgp] peer 4.4.4.9 as-number 100

[PE1-bgp] peer 4.4.4.9 connect-interface loopback 0

[PE1-bgp] address-family vpnv4

[PE1-bgp-vpnv4] peer 4.4.4.9 enable

[PE1-bgp-vpnv4] quit

[PE1-bgp] quit

# Configure PE 2 in the same way that PE 1 is configured. (Details not shown.)

# On PE 1 or PE 2, execute the following commands:

¡ Execute the display mpls ldp peer command to verify that an LDP session in Operational state has been established between PE 1 and PE 2. (Details not shown.)

¡ Execute the display bgp peer vpnv4 command to verify that a BGP peer relationship in Established state has been established between PE 1 and PE 2. (Details not shown.)

¡ Execute the display isis peer command to verify that the IS-IS neighbor relationship has been established between PE 1 and PE 2. (Details not shown.)

2. Configure the customer VPN. Use IS-IS as the IGP protocol, and enable LDP between PE 3 and CE 1, and between PE 4 and CE 2:

# Configure PE 3.

<PE3> system-view

[PE3] interface loopback 0

[PE3-LoopBack0] ip address 1.1.1.9 32

[PE3-LoopBack0] quit

[PE3] mpls lsr-id 1.1.1.9

[PE3] mpls ldp

[PE3-ldp] quit

[PE3] isis 2

[PE3-isis-2] network-entity 10.0000.0000.0000.0001.00

[PE3-isis-2] quit

[PE3] interface loopback 0

[PE3-LoopBack0] isis enable 2

[PE3-LoopBack0] quit

[PE3] interface vlan-interface 2

[PE3-Vlan-interface2] ip address 10.1.1.1 24

[PE3-Vlan-interface2] isis enable 2

[PE3-Vlan-interface2] mpls enable

[PE3-Vlan-interface2] mpls ldp enable

[PE3-Vlan-interface2] quit

# Configure CE 1.

<CE1> system-view

[CE1] interface loopback 0

[CE1-LoopBack0] ip address 2.2.2.9 32

[CE1-LoopBack0] quit

[CE1] mpls lsr-id 2.2.2.9

[CE1] mpls ldp

[CE1-ldp] quit

[CE1] isis 2

[CE1-isis-2] network-entity 10.0000.0000.0000.0002.00

[CE1-isis-2] quit

[CE1] interface loopback 0

[CE1-LoopBack0] isis enable 2

[CE1-LoopBack0] quit

[CE1] interface vlan-interface 2

[CE1-Vlan-interface2] ip address 10.1.1.2 24

[CE1-Vlan-interface2] isis enable 2

[CE1-Vlan-interface2] mpls enable

[CE1-Vlan-interface2] mpls ldp enable

[CE1-Vlan-interface2] quit

An LDP session and an IS-IS neighbor relationship can be established between PE 3 and CE 1.

# Configure PE 4 and CE 2 in the same way that PE 3 and CE 1 are configured. (Details not shown.)

3. Connect CE 1 and CE 2 to service provider PEs:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 200:1

[PE1-vpn-instance-vpn1] vpn-target 1:1

[PE1-vpn-instance-vpn1] quit

[PE1] interface vlan-interface 1

[PE1-Vlan-interface1] ip binding vpn-instance vpn1

[PE1-Vlan-interface1] ip address 11.1.1.2 24

[PE1-Vlan-interface1] mpls enable

[PE1-Vlan-interface1] quit

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] peer 11.1.1.1 as-number 200

[PE1-bgp-vpn1] address-family ipv4

[PE1-bgp-ipv4-vpn1] peer 11.1.1.1 enable

[PE1-bgp-ipv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Configure CE 1.

[CE1] interface vlan-interface 1

[CE1-Vlan-interface1] ip address 11.1.1.1 24

[CE1-Vlan-interface1] mpls enable

[CE1-Vlan-interface1] quit

[CE1] bgp 200

[CE1-bgp] peer 11.1.1.2 as-number 100

[CE1-bgp-vpn1] address-family ipv4

[CE1-bgp-ipv4-vpn1] peer 11.1.1.2 enable

[CE1-bgp-ipv4-vpn1] quit

[CE1-bgp] quit

# Configure PE 2 and CE 2 in the same way that PE 1 and CE 1 are configured. (Details not shown.)

4. Connect sub-VPN CEs to the customer VPN PEs:

# Configure CE 3.

<CE3> system-view

[CE3] interface vlan-interface 1

[CE3-Vlan-interface1] ip address 100.1.1.1 24

[CE3-Vlan-interface1] quit

[CE3] bgp 65410

[CE3-bgp] peer 100.1.1.2 as-number 200

[CE3-bgp] address-family ipv4 unicast

[CE3-bgp-ipv4] peer 100.1.1.2 enable

[CE3-bgp-ipv4] import-route direct

[CE3-bgp-ipv4] quit

[CE3-bgp] quit

# Configure CE 5.

<CE5> system-view

[CE5] interface vlan-interface 3

[CE5-Vlan-interface3] ip address 110.1.1.1 24

[CE5-Vlan-interface3] quit

[CE5] bgp 65411

[CE5-bgp] peer 110.1.1.2 as-number 200

[CE5-bgp] address-family ipv4 unicast

[CE5-bgp-ipv4] peer 110.1.1.2 enable

[CE5-bgp-ipv4] import-route direct

[CE5-bgp-ipv4] quit

[CE5-bgp] quit

# Configure PE 3.

[PE3] ip vpn-instance SUB_VPN1

[PE3-vpn-instance-SUB_VPN1] route-distinguisher 100:1

[PE3-vpn-instance-SUB_VPN1] vpn-target 2:1

[PE3-vpn-instance-SUB_VPN1] quit

[PE3] interface vlan-interface 1

[PE3-Vlan-interface1] ip binding vpn-instance SUB_VPN1

[PE3-Vlan-interface1] ip address 100.1.1.2 24

[PE3-Vlan-interface1] quit

[PE3] ip vpn-instance SUB_VPN2

[PE3-vpn-instance-SUB_VPN2] route-distinguisher 101:1

[PE3-vpn-instance-SUB_VPN2] vpn-target 2:2

[PE3-vpn-instance-SUB_VPN2] quit

[PE3] interface vlan-interface 3

[PE3-Vlan-interface3] ip binding vpn-instance SUB_VPN2

[PE3-Vlan-interface3] ip address 110.1.1.2 24

[PE3-Vlan-interface3] quit

[PE3] bgp 200

[PE3-bgp] ip vpn-instance SUB_VPN1

[PE3-bgp-SUB_VPN1] peer 100.1.1.1 as-number 65410

[PE3-bgp-SUB_VPN1] address-family ipv4 unicast

[PE3-bgp-ipv4-SUB_VPN1] peer 100.1.1.1 enable

[PE3-bgp-ipv4-SUB_VPN1] quit

[PE3-bgp-SUB_VPN1] quit

[PE3-bgp] ip vpn-instance SUB_VPN2

[PE3-bgp-SUB_VPN2] peer 100.1.1.1 as-number 65411

[PE3-bgp-SUB_VPN2] address-family ipv4 unicast

[PE3-bgp-ipv4-SUB_VPN2] peer 110.1.1.1 enable

[PE3-bgp-ipv4-SUB_VPN2] quit

[PE3-bgp-SUB_VPN2] quit

[PE3-bgp] quit

# Configure PE 4, CE 4, and CE 6 in the same way that PE 3, CE 3, and CE 5 are configured. (Details not shown.)

5. Establish MP-EBGP peer relationships between service provider PEs and their CEs to exchange user VPNv4 routes:

# On PE 1, enable nested VPN and VPNv4 route exchange with CE 1.

[PE1] bgp 100

[PE1-bgp] address-family vpnv4

[PE1-bgp-vpnv4] nesting-vpn

[PE1-bgp-vpnv4] quit

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] address-family vpnv4

[PE1-bgp-vpnv4-vpn1] peer 11.1.1.1 enable

[PE1-bgp-vpnv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Enable CE 1 to exchange VPNv4 routes with PE 1.

[CE1] bgp 200

[CE1-bgp] address-family vpnv4

[CE1-bgp-vpnv4] peer 11.1.1.2 enable

# Allow the local AS number to appear in the AS-PATH attribute of the routes received.

[CE1-bgp-vpnv4] peer 11.1.1.2 allow-as-loop 2

# Disable route target based filtering of received VPNv4 routes.

[CE1-bgp-vpnv4] undo policy vpn-target

[CE1-bgp-vpnv4] quit

[CE1-bgp] quit

# Configure PE 2 and CE 2 in the same way that PE 1 and CE 1 are configured. (Details not shown.)

6. Establish MP-IBGP peer relationships between sub-VPN PEs and CEs of the customer VPN to exchange VPNv4 routes of sub-VPNs:

# Configure PE 3.

[PE3] bgp 200

[PE3-bgp] peer 2.2.2.9 as-number 200

[PE3-bgp] peer 2.2.2.9 connect-interface loopback 0

[PE3-bgp] address-family vpnv4

[PE3-bgp-vpnv4] peer 2.2.2.9 enable

# Allow the local AS number to appear in the AS-PATH attribute of the routes received.

[PE3-bgp-vpnv4] peer 2.2.2.9 allow-as-loop 2

[PE3-bgp-vpnv4] quit

[PE3-bgp] quit

# Configure CE 1.

[CE1] bgp 200

[CE1-bgp] peer 1.1.1.9 as-number 200

[CE1-bgp] peer 1.1.1.9 connect-interface loopback 0

[CE1-bgp] address-family vpnv4

[CE1-bgp-vpnv4] peer 1.1.1.9 enable

[CE1-bgp-vpnv4] undo policy vpn-target

[CE1-bgp-vpnv4] quit

[CE1-bgp] quit

# Configure PE 4 and CE 2 in the same way that PE 3 and CE 1 are configured. (Details not shown.)

Verifying the configuration

1. Display the public routing table and VPN routing table on the provider PEs, for example, on PE 1:

# Verify that the public routing table contains only routes on the service provider network.

[PE1] display ip routing-table

Destinations : 14 Routes : 14

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

3.3.3.9/32 Direct 0 0 127.0.0.1 InLoop0

4.4.4.9/32 ISIS 15 10 30.1.1.2 Vlan2

30.1.1.0/24 Direct 0 0 30.1.1.1 Vlan2

30.1.1.0/32 Direct 0 0 30.1.1.1 Vlan2

30.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

30.1.1.255/32 Direct 0 0 30.1.1.1 Vlan2

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that the VPN routing table contains sub-VPN routes.

[PE1] display ip routing-table vpn-instance vpn1

Destinations : 17 Routes : 17

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.0/24 Direct 0 0 11.1.1.2 Vlan1

11.1.1.0/32 Direct 0 0 11.1.1.2 Vlan1

11.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.255/32 Direct 0 0 11.1.1.2 Vlan1

100.1.1.0/24 BGP 255 0 11.1.1.1 Vlan1

110.1.1.0/24 BGP 255 0 11.1.1.1 Vlan1

120.1.1.0/24 BGP 255 0 4.4.4.9 Vlan2

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

130.1.1.0/24 BGP 255 0 4.4.4.9 Vlan2

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

2. Display the VPNv4 routing table on the provider CEs, for example, on CE 1.

# Verify that the VPNv4 routing table on the customer VPN contains internal sub-VPN routes.

[CE1] display bgp routing-table vpnv4

BGP local router ID is 2.2.2.9

Status codes: * - valid, > - best, d - dampened, h - history,

s - suppressed, S - stale, i - internal, e - external

Origin: i - IGP, e - EGP, ? - incomplete

Total number of routes from all PEs: 4

Route distinguisher: 100:1

Total number of routes: 1

Network NextHop MED LocPrf PrefVal Path/Ogn

* >i 100.1.1.0/24 1.1.1.9 0 100 0 200 65410?

Route distinguisher: 101:1

Total number of routes: 1

Network NextHop MED LocPrf PrefVal Path/Ogn

* >i 110.1.1.0/24 1.1.1.9 0 100 0 200 65411?

Route distinguisher: 200:1

Total number of routes: 1

Network NextHop MED LocPrf PrefVal Path/Ogn

* >e 120.1.1.0/24 11.1.1.2 0 100 200

65420?

Route Distinguisher: 201:1

Total number of routes: 1

Network NextHop MED LocPrf PrefVal Path/Ogn

* >e 130.1.1.0/24 11.1.1.2 0 100 200

65421?

3. Display the VPN routing table on the customer PEs, for example, on PE 3:

# Verify that the VPN routing table contains routes sent by the provider PE to the sub-VPN.

[PE3] display ip routing-table vpn-instance SUB_VPN1

Destinations : 11 Routes : 11

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.0/24 Direct 0 0 100.1.1.2 Vlan1

100.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

120.1.1.0/24 BGP 255 0 2.2.2.9 Vlan2

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

4. Display the routing table on the CEs of sub-VPNs in the customer VPN, for example, on CE 3 and CE 5:

# Verify that the routing table contains the route to the remote sub-VPN on CE 3.

[CE3] display ip routing-table

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.0/24 Direct 0 0 100.1.1.1 Vlan1

100.1.1.0/32 Direct 0 0 100.1.1.1 Vlan1

100.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.255/32 Direct 0 0 100.1.1.1 Vlan1

120.1.1.0/24 BGP 255 0 100.1.1.2 Vlan1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that the routing table contains the route to the remote sub-VPN on CE 5.

[CE5] display ip routing-table

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

110.1.1.0/24 Direct 0 0 110.1.1.1 Vlan1

110.1.1.0/32 Direct 0 0 110.1.1.1 Vlan1

110.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

110.1.1.255/32 Direct 0 0 110.1.1.1 Vlan1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

130.1.1.0/24 BGP 255 0 110.1.1.2 Vlan1

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

5. Verify that CE 3 and CE 4 can ping each other. (Details not shown.)

6. Verify that CE5 and CE 6 can ping each other. (Details not shown.)

7. Verify that CE 3 and CE 6 cannot ping each other. (Details not shown.)

Configuring HoVPN

Network requirements

There are two levels of networks, the backbone and the MPLS VPN networks, as shown in Figure 28.

· SPEs act as PEs to allow MPLS VPNs to access the backbone.

· UPEs act as PEs of the MPLS VPNs to allow end users to access the VPNs.

· Performance requirements for the UPEs are lower than those for the SPEs.

· SPEs advertise routes permitted by the routing policies to UPEs, permitting CE 1 and CE 3 in VPN 1 to communicate with each other, and forbidding CE 2 and CE 4 in VPN 2 from communicating with each other.

Figure 28 Network diagram

Table 9 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Vlan-int12	10.2.1.1/24	CE 3	Vlan-int12	10.1.1.1/24
CE 2	Vlan-int13	10.4.1.1/24	CE 4	Vlan-int13	10.3.1.1/24
UPE 1	Loop0	1.1.1.9/32	UPE 2	Loop0	4.4.4.9/32
	Vlan-int11	172.1.1.1/24		Vlan-int11	172.2.1.1/24
	Vlan-int12	10.2.1.2/24		Vlan-int12	10.1.1.2/24
	Vlan-int13	10.4.1.2/24		Vlan-int13	10.3.1.2/24
SPE 1	Loop0	2.2.2.9/32	SPE 2	Loop0	3.3.3.9/32
	Vlan-int11	172.1.1.2/24		Vlan-int11	172.2.1.2/24
	Vlan-int12	180.1.1.1/24		Vlan-int12	180.1.1.2/24

Configuration procedure

1. Configure UPE 1:

# Configure basic MPLS and MPLS LDP to establish LDP LSPs.

<UPE1> system-view

[UPE1] interface loopback 0

[UPE1-LoopBack0] ip address 1.1.1.9 32

[UPE1-LoopBack0] quit

[UPE1] mpls lsr-id 1.1.1.9

[UPE1] mpls ldp

[UPE1-ldp] quit

[UPE1] interface vlan-interface 11

[UPE1-Vlan-interface11] ip address 172.1.1.1 24

[UPE1-Vlan-interface11] mpls enable

[UPE1-Vlan-interface11] mpls ldp enable

[UPE1-Vlan-interface11] quit

# Configure the IGP protocol (OSPF, in this example).

[UPE1] ospf

[UPE1-ospf-1] area 0

[UPE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[UPE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[UPE1-ospf-1-area-0.0.0.0] quit

[UPE1-ospf-1] quit

# Configure VPN instances vpn1 and vpn2, allowing CE 1 and CE 2 to access UPE 1.

[UPE1] ip vpn-instance vpn1

[UPE1-vpn-instance-vpn1] route-distinguisher 100:1

[UPE1-vpn-instance-vpn1] vpn-target 100:1 both

[UPE1-vpn-instance-vpn1] quit

[UPE1] ip vpn-instance vpn2

[UPE1-vpn-instance-vpn2] route-distinguisher 100:2

[UPE1-vpn-instance-vpn2] vpn-target 100:2 both

[UPE1-vpn-instance-vpn2] quit

[UPE1] interface vlan-interface 12

[UPE1-Vlan-interface12] ip binding vpn-instance vpn1

[UPE1-Vlan-interface12] ip address 10.2.1.2 24

[UPE1-Vlan-interface12] quit

[UPE1] interface vlan-interface 13

[UPE1-Vlan-interface13] ip binding vpn-instance vpn2

[UPE1-Vlan-interface13] ip address 10.4.1.2 24

[UPE1-Vlan-interface13] quit

# Establish an MP-IBGP peer relationship with SPE 1.

[UPE1] bgp 100

[UPE1-bgp] peer 2.2.2.9 as-number 100

[UPE1-bgp] peer 2.2.2.9 connect-interface loopback 0

[UPE1-bgp] address-family vpnv4

[UPE1-bgp-vpnv4] peer 2.2.2.9 enable

[UPE1-bgp-vpnv4] quit

# Establish an EBGP peer relationship with CE 1.

[UPE1-bgp] ip vpn-instance vpn1

[UPE1-bgp-vpn1] peer 10.2.1.1 as-number 65410

[UPE1-bgp-vpn1] address-family ipv4 unicast

[UPE1-bgp-ipv4-vpn1] peer 10.2.1.1 enable

[UPE1-bgp-ipv4-vpn1] quit

[UPE1-bgp-vpn1] quit

# Establish an EBGP peer relationship with CE 2.

[UPE1-bgp] ip vpn-instance vpn2

[UPE1-bgp-vpn2] peer 10.4.1.1 as-number 65420

[UPE1-bgp-vpn2] address-family ipv4 unicast

[UPE1-bgp-ipv4-vpn2] peer 10.4.1.1 enable

[UPE1-bgp-ipv4-vpn2] quit

[UPE1-bgp-vpn2] quit

[UPE1-bgp] quit

2. Configure CE 1.

<CE1> system-view

[CE1] interface vlan-interface 12

[CE1-Vlan-interface12] ip address 10.2.1.1 255.255.255.0

[CE1-Vlan-interface12] quit

[CE1] bgp 65410

[CE1-bgp] peer 10.2.1.2 as-number 100

[CE1-bgp] address-family ipv4 unicast

[CE1-bgp-ipv4] peer 10.2.1.2 enable

[CE1-bgp-ipv4] import-route direct

[CE1-bgp-ipv4] quit

[CE1-bgp] quit

3. Configure CE 2.

<CE2> system-view

[CE2] interface vlan-interface 13

[CE2-Vlan-interface13] ip address 10.4.1.1 255.255.255.0

[CE2-Vlan-interface13] quit

[CE2] bgp 65420

[CE2-bgp] peer 10.4.1.2 as-number 100

[CE2-bgp] address-family ipv4 unicast

[CE2-bgp-ipv4] peer 10.4.1.2 enable

[CE2-bgp-ipv4] import-route direct

[CE2-bgp-ipv4] quit

[CE2-bgp] quit

4. Configure UPE 2:

# Configure basic MPLS and MPLS LDP to establish LDP LSPs.

<UPE2> system-view

[UPE2] interface loopback 0

[UPE2-Loopback0] ip address 4.4.4.9 32

[UPE2-Loopback0] quit

[UPE2] mpls lsr-id 4.4.4.9

[UPE2] mpls ldp

[UPE2-ldp] quit

[UPE2] interface vlan-interface 11

[UPE2-Vlan-interface11] ip address 172.2.1.1 24

[UPE2-Vlan-interface11] mpls enable

[UPE2-Vlan-interface11] mpls ldp enable

[UPE2-Vlan-interface11] quit

# Configure the IGP protocol (OSPF, in this example).

[UPE2] ospf

[UPE2-ospf-1] area 0

[UPE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[UPE2-ospf-1-area-0.0.0.0] network 4.4.4.9 0.0.0.0

[UPE2-ospf-1-area-0.0.0.0] quit

[UPE2-ospf-1] quit

# Configure VPN instances vpn1 and vpn2, allowing CE 3 and CE 4 to access UPE 2.

[UPE2] ip vpn-instance vpn1

[UPE2-vpn-instance-vpn1] route-distinguisher 300:1

[UPE2-vpn-instance-vpn1] vpn-target 100:1 both

[UPE2-vpn-instance-vpn1] quit

[UPE2] ip vpn-instance vpn2

[UPE2-vpn-instance-vpn2] route-distinguisher 400:2

[UPE2-vpn-instance-vpn2] vpn-target 100:2 both

[UPE2-vpn-instance-vpn2] quit

[UPE2] interface vlan-interface 12

[UPE2-Vlan-interface12] ip binding vpn-instance vpn1

[UPE2-Vlan-interface12] ip address 10.1.1.2 24

[UPE2-Vlan-interface12] quit

[UPE2] interface vlan-interface 13

[UPE2-Vlan-interface13] ip binding vpn-instance vpn2

[UPE2-Vlan-interface13] ip address 10.3.1.2 24

[UPE2-Vlan-interface13] quit

# Establish an MP-IBGP peer relationship with SPE 2.

[UPE2] bgp 100

[UPE2-bgp] peer 3.3.3.9 as-number 100

[UPE2-bgp] peer 3.3.3.9 connect-interface loopback 0

[UPE2-bgp] address-family vpnv4

[UPE2-bgp-vpnv4] peer 3.3.3.9 enable

[UPE2-bgp-vpnv4] quit

# Establish an EBGP peer relationship with CE 3.

[UPE2-bgp] ip vpn-instance vpn1

[UPE2-bgp-vpn1] peer 10.1.1.1 as-number 65430

[UPE2-bgp-vpn1] address-family ipv4 unicast

[UPE2-bgp-ipv4-vpn1] peer 10.1.1.1 enable

[UPE2-bgp-ipv4-vpn1] quit

[UPE2-bgp-vpn1] quit

# Establish an EBGP peer relationship with CE 4.

[UPE2-bgp] ip vpn-instance vpn2

[UPE2-bgp-vpn2] peer 10.3.1.1 as-number 65440

[UPE2-bgp-vpn2] address-family ipv4 unicast

[UPE2-bgp-ipv4-vpn2] peer 10.3.1.1 enable

[UPE2-bgp-ipv4-vpn2] quit

[UPE2-bgp-vpn2] quit

[UPE2-bgp] quit

5. Configure CE 3.

<CE3> system-view

[CE3] interface vlan-interface 12

[CE3-Vlan-interface12] ip address 10.1.1.1 255.255.255.0

[CE3-Vlan-interface12] quit

[CE3] bgp 65430

[CE3-bgp] peer 10.1.1.2 as-number 100

[CE3-bgp] address-family ipv4 unicast

[CE3-bgp-ipv4] peer 10.1.1.2 enable

[CE3-bgp-ipv4] import-route direct

[CE3-bgp-ipv4] quit

[CE3-bgp] quit

6. Configure CE 4.

<CE4> system-view

[CE4] interface vlan-interface 13

[CE4-Vlan-interface13] ip address 10.3.1.1 255.255.255.0

[CE4-Vlan-interface13] quit

[CE4] bgp 65440

[CE4-bgp] peer 10.3.1.2 as-number 100

[CE4-bgp] address-family ipv4 unicast

[CE4-bgp-ipv4] peer 10.3.1.2 enable

[CE4-bgp-ipv4] import-route direct

[CE4-bgp-ipv4] quit

[CE4-bgp] quit

7. Configure SPE 1:

# Configure basic MPLS and MPLS LDP to establish LDP LSPs.

<SPE1> system-view

[SPE1] interface loopback 0

[SPE1-LoopBack0] ip address 2.2.2.9 32

[SPE1-LoopBack0] quit

[SPE1] mpls lsr-id 2.2.2.9

[SPE1] mpls ldp

[SPE1-ldp] quit

[SPE1] interface vlan-interface 11

[SPE1-Vlan-interface11] ip address 172.1.1.2 24

[SPE1-Vlan-interface11] mpls enable

[SPE1-Vlan-interface11] mpls ldp enable

[SPE1-Vlan-interface11] quit

[SPE1] interface vlan-interface 12

[SPE1-Vlan-interface12] ip address 180.1.1.1 24

[SPE1-Vlan-interface12] mpls enable

[SPE1-Vlan-interface12] mpls ldp enable

[SPE1-Vlan-interface12] quit

# Configure the IGP protocol (OSPF, in this example).

[SPE1] ospf

[SPE1-ospf-1] area 0

[SPE1-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[SPE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[SPE1-ospf-1-area-0.0.0.0] network 180.1.1.0 0.0.0.255

[SPE1-ospf-1-area-0.0.0.0] quit

[SPE1-ospf-1] quit

# Configure VPN instances vpn1 and vpn2.

[SPE1] ip vpn-instance vpn1

[SPE1-vpn-instance-vpn1] route-distinguisher 500:1

[SPE1-vpn-instance-vpn1] vpn-target 100:1 both

[SPE1-vpn-instance-vpn1] quit

[SPE1] ip vpn-instance vpn2

[SPE1-vpn-instance-vpn2] route-distinguisher 700:1

[SPE1-vpn-instance-vpn2] vpn-target 100:2 both

[SPE1-vpn-instance-vpn2] quit

# Establish MP-IBGP peer relationships with SPE 2 and UPE 1, and specify UPE 1 as a UPE.

[SPE1] bgp 100

[SPE1-bgp] peer 1.1.1.9 as-number 100

[SPE1-bgp] peer 1.1.1.9 connect-interface loopback 0

[SPE1-bgp] peer 3.3.3.9 as-number 100

[SPE1-bgp] peer 3.3.3.9 connect-interface loopback 0

[SPE1-bgp] address-family vpnv4

[SPE1-bgp-vpnv4] peer 3.3.3.9 enable

[SPE1-bgp-vpnv4] peer 1.1.1.9 enable

[SPE1-bgp-vpnv4] peer 1.1.1.9 upe

[SPE1-bgp-vpnv4] peer 1.1.1.9 next-hop-local

[SPE1-bgp-vpnv4] quit

# Create BGP-VPN instances for VPN instances vpn1 and vpn2, so the VPNv4 routes learned according to the RT attributes can be added into the BGP routing tables of the corresponding VPN instances.

[SPE1-bgp] ip vpn-instance vpn1

[SPE1-bgp-vpn1] quit

[SPE1-bgp] ip vpn-instance vpn2

[SPE1-bgp-vpn2] quit

[SPE1-bgp] quit

# Advertise to UPE 1 the routes permitted by a routing policy (the routes of CE 3).

[SPE1] ip prefix-list hope index 10 permit 10.1.1.1 24

[SPE1] route-policy hope permit node 0

[SPE1-route-policy-hope-0] if-match ip address prefix-list hope

[SPE1-route-policy-hope-0] quit

[SPE1] bgp 100

[SPE1-bgp] address-family vpnv4

[SPE1-bgp-vpnv4] peer 1.1.1.9 upe route-policy hope export

8. Configure SPE 2:

# Configure basic MPLS and MPLS LDP to establish LDP LSPs.

<SPE2> system-view

[SPE2] interface loopback 0

[SPE2-LoopBack0] ip address 3.3.3.9 32

[SPE2-LoopBack0] quit

[SPE2] mpls lsr-id 3.3.3.9

[SPE2] mpls ldp

[SPE2-ldp] quit

[SPE2] interface vlan-interface 12

[SPE2-Vlan-interface12] ip address 180.1.1.2 24

[SPE2-Vlan-interface12] mpls enable

[SPE2-Vlan-interface12] mpls ldp enable

[SPE2-Vlan-interface12] quit

[SPE2] interface vlan-interface 11

[SPE2-Vlan-interface11] ip address 172.2.1.2 24

[SPE2-Vlan-interface11] mpls enable

[SPE2-Vlan-interface11] mpls ldp enable

[SPE2-Vlan-interface11] quit

# Configure the IGP protocol (OSPF, in this example).

[SPE2] ospf

[SPE2-ospf-1] area 0

[SPE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[SPE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[SPE2-ospf-1-area-0.0.0.0] network 180.1.1.0 0.0.0.255

[SPE2-ospf-1-area-0.0.0.0] quit

[SPE2-ospf-1] quit

# Configure VPN instances vpn1 and vpn2.

[SPE2] ip vpn-instance vpn1

[SPE2-vpn-instance-vpn1] route-distinguisher 600:1

[SPE2-vpn-instance-vpn1] vpn-target 100:1 both

[SPE2-vpn-instance-vpn1] quit

[SPE2] ip vpn-instance vpn2

[SPE2-vpn-instance-vpn2] route-distinguisher 800:1

[SPE2-vpn-instance-vpn2] vpn-target 100:2 both

[SPE2-vpn-instance-vpn2] quit

# Establish MP-IBGP peer relationships with SPE 1 and UPE 2, and specify UPE 2 as a UPE.

[SPE2] bgp 100

[SPE2-bgp] peer 4.4.4.9 as-number 100

[SPE2-bgp] peer 4.4.4.9 connect-interface loopback 0

[SPE2-bgp] peer 2.2.2.9 as-number 100

[SPE2-bgp] peer 2.2.2.9 connect-interface loopback 0

[SPE2-bgp] address-family vpnv4

[SPE2-bgp-vpnv4] peer 2.2.2.9 enable

[SPE2-bgp-vpnv4] peer 4.4.4.9 enable

[SPE2-bgp-vpnv4] peer 4.4.4.9 upe

[SPE2-bgp-vpnv4] peer 4.4.4.9 next-hop-local

[SPE2-bgp-vpnv4] quit

# Create BGP-VPN instances for VPN instances vpn1 and vpn2, so the VPNv4 routes learned according to the RT attributes can be added into the BGP routing tables of the corresponding VPN instances.

[SPE2-bgp] ip vpn-instance vpn1

[SPE2-bgp-vpn1] quit

[SPE2-bgp] ip vpn-instance vpn2

[SPE2-bgp-vpn2] quit

[SPE2-bgp] quit

# Advertise to UPE 2 the routes permitted by a routing policy (the routes of CE 1).

[SPE2] ip prefix-list hope index 10 permit 10.2.1.1 24

[SPE2] route-policy hope permit node 0

[SPE2-route-policy-hope-0] if-match ip address prefix-list hope

[SPE2-route-policy-hope-0] quit

[SPE2] bgp 100

[SPE2-bgp] address-family vpnv4

[SPE2-bgp-vpnv4] peer 4.4.4.9 upe route-policy hope export

Verifying the configuration

# Verify that CE 1 and CE3 can learn each other's interface routes and can ping each other. CE 2 and CE 4 cannot learn each other's interface routes and cannot ping each other. (Details not shown.)

Configuring an OSPF sham link

Network requirements

As shown in Figure 29, CE 1 and CE 2 belong to VPN 1. Configure an OSPF sham link between PE 1 and PE 2 so traffic between CE 1 and CE 2 is forwarded through the MPLS backbone, instead of the backdoor link.

Figure 29 Network diagram

Table 10 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Vlan-int11	100.1.1.1/24	CE 2	Vlan-int11	120.1.1.1/24
	Vlan-int13	20.1.1.1/24		Vlan-int12	30.1.1.2/24
PE 1	Loop0	1.1.1.9/32	PE 2	Loop0	2.2.2.9/32
	Loop1	3.3.3.3/32		Loop1	5.5.5.5/32
	Vlan-int11	100.1.1.2/24		Vlan-int11	120.1.1.2/24
	Vlan-int12	10.1.1.1/24		Vlan-int12	10.1.1.2/24
Switch A	Vlan-int11	20.1.1.2/24
	Vlan-int12	30.1.1.1/24

Configuration procedure

1. Configure OSPF on the customer networks.

Configure conventional OSPF on CE 1, Switch A, and CE 2 to advertise subnet addresses of the interfaces as shown in Figure 29. Set the cost value to 2 for both the link between CE 1 and Switch A, and the link between CE 2 and Switch A. Execute the display ip routing-table command to verify that CE 1 and CE 2 have learned the route to each other. (Details not shown.)

2. Configure MPLS L3VPN on the backbone:

# Configure basic MPLS and MPLS LDP on PE 1 to establish LDP LSPs.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 1.1.1.9 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip address 10.1.1.1 24

[PE1-Vlan-interface12] mpls enable

[PE1-Vlan-interface12] mpls ldp enable

[PE1-Vlan-interface12] quit

# Configure PE 1 to take PE 2 as an MP-IBGP peer.

[PE1] bgp 100

[PE1-bgp] peer 2.2.2.9 as-number 100

[PE1-bgp] peer 2.2.2.9 connect-interface loopback 0

[PE1-bgp] address-family vpnv4

[PE1-bgp-vpnv4] peer 2.2.2.9 enable

[PE1-bgp-vpnv4] quit

[PE1-bgp] quit

# Configure OSPF on PE 1.

[PE1]ospf 1

[PE1-ospf-1]area 0

[PE1-ospf-1-area-0.0.0.0]network 1.1.1.9 0.0.0.0

[PE1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0]quit

[PE1-ospf-1]quit

# Configure basic MPLS and MPLS LDP on PE 2 to establish LDP LSPs.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 2.2.2.9 32

[PE2-LoopBack0] quit

[PE2] mpls lsr-id 2.2.2.9

[PE2] mpls ldp

[PE2-ldp] quit

[PE2] interface vlan-interface 12

[PE2-Vlan-interface12] ip address 10.1.1.2 24

[PE2-Vlan-interface12] mpls enable

[PE2-Vlan-interface12] mpls ldp enable

[PE2-Vlan-interface12] quit

# Configure PE 2 to take PE 1 as an MP-IBGP peer.

[PE2] bgp 100

[PE2-bgp] peer 1.1.1.9 as-number 100

[PE2-bgp] peer 1.1.1.9 connect-interface loopback 0

[PE2-bgp] address-family vpnv4

[PE2-bgp-vpnv4] peer 1.1.1.9 enable

[PE2-bgp-vpnv4] quit

[PE2-bgp] quit

# Configure OSPF on PE 2.

[PE2]ospf 1

[PE2-ospf-1]area 0

[PE2-ospf-1-area-0.0.0.0]network 2.2.2.9 0.0.0.0

[PE2-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0]quit

[PE2-ospf-1]quit

3. Configure PEs to allow CE access:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 1:1

[PE1-vpn-instance-vpn1] quit

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] ip binding vpn-instance vpn1

[PE1-Vlan-interface11] ip address 100.1.1.2 24

[PE1-Vlan-interface11] quit

[PE1] ospf 100 vpn-instance vpn1

[PE1-ospf-100] domain-id 10

[PE1-ospf-100] area 1

[PE1-ospf-100-area-0.0.0.1] network 100.1.1.0 0.0.0.255

[PE1-ospf-100-area-0.0.0.1] quit

[PE1-ospf-100] quit

[PE2] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] address-family ipv4 unicast

[PE1-bgp-ipv4-vpn1] import-route ospf 100

[PE1-bgp-ipv4-vpn1] import-route direct

[PE1-bgp-ipv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 100:2

[PE2-vpn-instance-vpn1] vpn-target 1:1

[PE2-vpn-instance-vpn1] quit

[PE2] interface vlan-interface 11

[PE2-Vlan-interface11] ip binding vpn-instance vpn1

[PE2-Vlan-interface11] ip address 120.1.1.2 24

[PE2-Vlan-interface11] quit

[PE2] ospf 100 vpn-instance vpn1

[PE2-ospf-100] domain-id 10

[PE2-ospf-100] area 1

[PE2-ospf-100-area-0.0.0.1] network 120.1.1.0 0.0.0.255

[PE2-ospf-100-area-0.0.0.1] quit

[PE2-ospf-100] quit

[PE2] bgp 100

[PE2-bgp] ip vpn-instance vpn1

[PE2-bgp-vpn1] address-family ipv4 unicast

[PE2-bgp-ipv4-vpn1] import-route ospf 100

[PE2-bgp-ipv4-vpn1] import-route direct

[PE2-bgp-ipv4-vpn1] quit

[PE2-bgp-vpn1] quit

[PE2-bgp] quit

# Execute the display ip routing-table vpn-instance command on the PEs to verify that the path to the peer CE is along the OSPF route across the customer networks, instead of the BGP route across the backbone. (Details not shown.)

4. Configure a sham link:

# Configure PE 1.

[PE1] interface loopback 1

[PE1-LoopBack1] ip binding vpn-instance vpn1

[PE1-LoopBack1] ip address 3.3.3.3 32

[PE1-LoopBack1] quit

[PE1] ospf 100

[PE1-ospf-100] area 1

[PE1-ospf-100-area-0.0.0.1] sham-link 3.3.3.3 5.5.5.5

[PE1-ospf-100-area-0.0.0.1] quit

[PE1-ospf-100] quit

# Configure PE 2.

[PE2] interface loopback 1

[PE2-LoopBack1] ip binding vpn-instance vpn1

[PE2-LoopBack1] ip address 5.5.5.5 32

[PE2-LoopBack1] quit

[PE2] ospf 100

[PE2-ospf-100] area 1

[PE2-ospf-100-area-0.0.0.1] sham-link 5.5.5.5 3.3.3.3

[PE2-ospf-100-area-0.0.0.1] quit

[PE2-ospf-100] quit

Verifying the configuration

# Execute the display ip routing-table vpn-instance command on the PEs to verify the following results: (Details not shown.)

· The path to the peer CE is now along the BGP route across the backbone.

· A route to the sham link destination address exists.

# Execute the display ip routing-table command on the CEs to verify that the next hop of the OSPF route to the peer CE is the VLAN interface 11 connected to the PE. The VPN traffic to the peer is forwarded over the backbone. (Details not shown.)

# Verify that a sham link has been established on PEs, for example, on PE 1.

[PE1] display ospf sham-link

OSPF Process 100 with Router ID 100.1.1.2

Sham link

Area Neighbor ID Source IP Destination IP State Cost

0.0.0.1 120.1.1.2 3.3.3.3 5.5.5.5 P-2-P 1

# Verify that the peer state is Full on PE 1.

[PE1] display ospf sham-link area 1

OSPF Process 100 with Router ID 100.1.1.2

Sham link: 3.3.3.3 --> 5.5.5.5

Neighbor ID: 120.1.1.2 State: Full

Area: 0.0.0.1

Cost: 1 State: P-2-P Type: Sham

Timers: Hello 10, Dead 40, Retransmit 5, Transmit Delay 1

Request list: 0 Retransmit list: 0

Configuring BGP AS number substitution

Network requirements

As shown in Figure 30, CE 1 and CE 2 belong to VPN 1, and are connected to PE 1 and PE 2, respectively. The two CEs have the same AS number, 600.

Configure BGP AS number substitution on the PEs to enable the CEs to communicate with each other.

Figure 30 Network diagram

Table 11 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Vlan-int11	10.1.1.1/24	P	Loop0	2.2.2.9/32
	Vlan-int12	100.1.1.1/24		Vlan-int11	30.1.1.1/24
PE 1	Loop0	1.1.1.9/32		Vlan-int12	20.1.1.2/24
	Vlan-int11	10.1.1.2/24	PE 2	Loop0	3.3.3.9/32
	Vlan-int12	20.1.1.1/24		Vlan-int11	30.1.1.2/24
CE 2	Vlan-int12	10.2.1.1/24		Vlan-int12	10.2.1.2/24
	Vlan-int13	200.1.1.1/24

Configuration procedure

1. Configuring basic MPLS L3VPN:

¡ Configure OSPF on the MPLS backbone to allow the PEs and P device to learn the routes of the loopback interfaces from each other.

¡ Configure basic MPLS and MPLS LDP on the MPLS backbone to establish LDP LSPs.

¡ Establish an MP-IBGP peer relationship between the PEs to advertise VPNv4 routes.

¡ Configure the VPN instance of VPN 1 on PE 2 to allow CE 2 to access the network.

¡ Configure the VPN instance of VPN 1 on PE 1 to allow CE 1 to access the network.

¡ Configure BGP as the PE-CE routing protocol, and redistribute routes of the CEs into the PEs.

For more information about basic MPLS L3VPN configurations, see "Configuring basic MPLS L3VPN."

# Execute the display ip routing-table command on CE 2. The output shows that CE 2 has learned the route to network 10.1.1.0/24, where the interface used by CE 1 to access PE 1 resides. However, it has not learned the route to the VPN (100.1.1.0/24) behind CE 1.

<CE2> display ip routing-table

Destinations : 17 Routes : 17

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.0/24 BGP 255 0 10.2.1.2 Vlan12

10.2.1.0/24 Direct 0 0 10.2.1.1 Vlan12

10.2.1.0/32 Direct 0 0 10.2.1.1 Vlan12

10.2.1.1/32 Direct 0 0 127.0.0.1 InLoop0

10.2.1.255/32 Direct 0 0 10.2.1.1 Vlan12

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

200.1.1.0/24 Direct 0 0 200.1.1.1 Vlan13

200.1.1.0/32 Direct 0 0 200.1.1.1 Vlan13

200.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

200.1.1.255/24 Direct 0 0 200.1.1.1 Vlan13

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Execute the display ip routing-table command on CE 1 to verify that CE 1 has not learned the route to the VPN behind CE 2. (Details not shown.)

# Execute the display ip routing-table vpn-instance command on the PEs. The output shows the route to the VPN behind the peer CE. This example uses PE 2.

<PE2> display ip routing-table vpn-instance vpn1

Destinations : 15 Routes : 15

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.0/24 BGP 255 0 1.1.1.9 Vlan11

10.2.1.0/24 Direct 0 0 10.2.1.2 Vlan12

10.2.1.0/32 Direct 0 0 10.2.1.2 Vlan12

10.2.1.2/32 Direct 0 0 127.0.0.1 InLoop0

10.2.1.255/32 Direct 0 0 10.2.1.2 Vlan12

100.1.1.0/24 BGP 255 0 1.1.1.9 Vlan11

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

200.1.1.0/24 BGP 255 0 10.2.1.1 Vlan12

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Enable BGP update packet debugging on PE 2. The output shows that PE 2 has advertised the route for 100.1.1.1/32, and the AS_PATH is 100 600.

<PE2> terminal monitor

<PE2> terminal logging level 7

<PE2> debugging bgp update vpn-instance vpn1 10.2.1.1 ipv4

<PE2> refresh bgp all export ipv4 vpn-instance vpn1

*Jun 13 16:12:52:096 2012 PE2 BGP/7/DEBUG: -MDC=1;

BGP.vpn1: Send UPDATE to peer 10.2.1.1 for following destinations:

Origin : Incomplete

AS Path : 100 600

Next Hop : 10.2.1.2

100.1.1.0/24,

# Execute the display bgp routing-table ipv4 peer received-routes command on CE 2 to verify that CE 2 has not received the route to 100.1.1.0/24.

<CE2> display bgp routing-table ipv4 peer 10.2.1.2 received-routes

Total number of routes: 2

BGP local router ID is 200.1.1.1

Status codes: * - valid, > - best, d - dampened, h - history,

s - suppressed, S - stale, i - internal, e - external

Origin: i - IGP, e - EGP, ? - incomplete

Network NextHop MED LocPrf PrefVal Path/Ogn

* >e 10.1.1.0/24 10.2.1.2 0 100?

* e 10.2.1.0/24 10.2.1.2 0 0 100?

2. Configure BGP AS number substitution on PE 2.

<PE2> system-view

[PE2] bgp 100

[PE2-bgp] ip vpn-instance vpn1

[PE2-bgp-vpn1] peer 10.2.1.1 substitute-as

[PE2-bgp-vpn1] address-family ipv4 unicast

[PE2-bgp-ipv4-vpn1] peer 10.2.1.1 enable

[PE2-bgp-ipv4-vpn1] quit

[PE2-bgp-vpn1] quit

[PE2-bgp] quit

Verifying the configuration

# The output shows that among the routes advertised by PE 2 to CE 2, the AS_PATH of 100.1.1.0/24 has changed from 100 600 to 100 100.

*Jun 13 16:15:59:456 2012 PE2 BGP/7/DEBUG: -MDC=1;

BGP.vpn1: Send UPDATE to peer 10.2.1.1 for following destinations:

Origin : Incomplete

AS Path : 100 100

Next Hop : 10.2.1.2

100.1.1.0/24,

# Display again the routing information that CE 2 has received, and the routing table.

<CE2> display bgp routing-table ipv4 peer 10.2.1.2 received-routes

Total number of routes: 3

BGP local router ID is 200.1.1.1

Status codes: * - valid, > - best, d - dampened, h - history,

s - suppressed, S - stale, i - internal, e - external

Origin: i - IGP, e - EGP, ? - incomplete

Network NextHop MED LocPrf PrefVal Path/Ogn

* >e 10.1.1.0/24 10.2.1.2 0 100?

* e 10.2.1.0/24 10.2.1.2 0 0 100?

* >e 100.1.1.0/24 10.2.1.2 0 100 100?

<CE2> display ip routing-table

Destinations : 18 Routes : 18

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.0/24 BGP 255 0 10.2.1.2 Vlan12

10.2.1.0/24 Direct 0 0 10.2.1.1 Vlan12

10.2.1.0/32 Direct 0 0 10.2.1.1 Vlan12

10.2.1.1/32 Direct 0 0 127.0.0.1 InLoop0

10.2.1.255/32 Direct 0 0 10.2.1.1 Vlan12

100.1.1.0/24 BGP 255 0 10.2.1.2 Vlan12

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

200.1.1.0/24 Direct 0 0 200.1.1.1 Vlan13

200.1.1.0/32 Direct 0 0 200.1.1.1 Vlan13

200.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

200.1.1.255/32 Direct 0 0 200.1.1.1 Vlan13

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that the VLAN interfaces of CE 1 and CE 2 can ping each other. (Details not shown.)

Configuring BGP AS number substitution and SoO attribute

Network requirements

CE 1, CE 2, and CE 3 belong to VPN 1, and are connected to PE1, PE 2, and PE 3, respectively.

CE 1 and CE 2 reside in the same site. CE1, CE2, and CE 3 all use AS number 600.

· To avoid route loss, configure BGP AS number substitution on PEs.

· To avoid routing loops, configure the same SoO attribute on PE 1 and PE 2 for CE 1 and CE 2.

Figure 31 Network diagram

Table 12 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Loop0	100.1.1.1/32	CE 3	Loop0	200.1.1.1/32
	Vlan-int2	10.1.1.1/24		Vlan-int7	10.3.1.1/24
CE 2	Vlan-int2	10.2.1.1/24	PE 2	Loop0	2.2.2.9/32
PE 1	Loop0	1.1.1.9/32		Vlan-int2	10.2.1.2/24
	Vlan-int2	10.1.1.2/24		Vlan-int4	40.1.1.2/24
	Vlan-int3	30.1.1.1/24		Vlan-int5	50.1.1.1/24
	Vlan-int4	40.1.1.1/24	P	Loop0	3.3.3.9/32
PE 3	Loop0	4.4.4.9/32		Vlan-int3	30.1.1.2/24
	Vlan-int6	60.1.1.2/24		Vlan-int5	50.1.1.2/24
	Vlan-int7	10.3.1.2/24		Vlan-int6	60.1.1.1/24

Configuration procedure

1. Configure basic MPLS L3VPN:

¡ Configure OSPF on the MPLS backbone to allow the PEs and P device to learn the routes of the loopback interfaces from each other.

¡ Configure basic MPLS and MPLS LDP on the MPLS backbone to establish LDP LSPs.

¡ Establish an MP-IBGP peer relationship between the PEs to advertise VPN IPv4 routes.

¡ Configure the VPN instance of VPN 1 on PE 1 to allow CE 1 to access the network.

¡ Configure the VPN instance of VPN 1 on PE 2 to allow CE 2 to access the network.

¡ Configure the VPN instance of VPN 1 on PE 3 to allow CE 3 to access the network.

¡ Configure BGP as the PE-CE routing protocol, and redistribute routes of the CEs into the PEs.

For more information about basic MPLS L3VPN configurations, see "Configuring basic MPLS L3VPN."

2. Configure BGP AS number substitution:

# Configure BGP AS number substitution on PE 1, PE 2, and PE 3. For more information about the configuration, see "Configuring BGP AS number substitution."

# Display routing information on CE 2. The output shows that CE 2 has learned the route for 100.1.1.1/32 from CE 1. A routing loop has occurred because CE1 and CE 2 reside in the same site.

<CE2> display bgp routing-table ipv4 peer 10.2.1.2 received-routes

Total number of routes: 6

BGP local router ID is 1.1.1.9

Status codes: * - valid, > - best, d - dampened, h - history,

s - suppressed, S - stale, i - internal, e - external

Origin: i - IGP, e - EGP, ? - incomplete

Network NextHop MED LocPrf PrefVal Path/Ogn

* >e 10.1.1.0/24 10.2.1.2 0 100?

* 10.2.1.0/24 10.2.1.2 0 0 100?

* 10.2.1.1/32 10.2.1.2 0 0 100?

* >e 10.3.1.0/24 10.2.1.2 0 100?

* >e 100.1.1.1/32 10.2.1.2 0 100 100?

* >e 200.1.1.1/32 10.2.1.2 0 100 100?

3. Configure BGP SoO attribute:

# On PE 1, configure the SoO attribute as 1:100 for CE 1.

<PE1> system-view

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] address-family ipv4

[PE1-bgp-ipv4-vpn1] peer 10.1.1.1 soo 1:100

# On PE 2, configure the SoO attribute as 1:100 for CE 2.

<PE2> system-view

[PE2] bgp 100

[PE2-bgp] ip vpn-instance vpn1

[PE2-bgp-vpn1] address-family ipv4

[PE2-bgp-ipv4-vpn1] peer 10.2.1.1 soo 1:100

Verifying the configuration

# PE 2 does not advertise routes received from CE 1 to CE 2 because the same SoO attribute has been configured for the CEs. Display the routing table of CE 2. The output shows that the route 100.1.1.1/32 has been removed.

<CE2> display ip routing-table

Destinations : 14 Routes : 14

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.2.1.0/24 Direct 0 0 10.2.1.1 Vlan2

10.2.1.0/32 Direct 0 0 10.2.1.1 Vlan2

10.2.1.1/32 Direct 0 0 127.0.0.1 Inloop0

10.2.1.255/32 Direct 0 0 10.2.1.1 Vlan2

10.3.1.0/24 BGP 255 0 10.2.1.2 Vlan2

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

200.1.1.1/32 BGP 255 0 10.2.1.2 Vlan2

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

Configuring IPv6 MPLS L3VPN

Overview

IPv6 MPLS L3VPN uses BGP to advertise IPv6 VPN routes and uses MPLS to forward IPv6 VPN packets on the service provider backbone.

Figure 32 shows a typical IPv6 MPLS L3VPN model. The service provider backbone in the IPv6 MPLS L3VPN model is an IPv4 network. IPv6 runs inside the VPNs and between CE and PE. Therefore, PEs must support both IPv4 and IPv6. The PE-CE interfaces of a PE run IPv6, and the PE-P interface of a PE runs IPv4.

Figure 32 Network diagram for the IPv6 MPLS L3VPN model

IPv6 MPLS L3VPN packet forwarding

Figure 33 IPv6 MPLS L3VPN packet forwarding diagram

As shown in Figure 33, the IPv6 MPLS L3VPN packet forwarding procedure is as follows:

1. The PC at Site 1 sends an IPv6 packet destined for 2001:2::1, the PC at Site 2. CE 1 transmits the packet to PE 1.

2. Based on the inbound interface and destination address of the packet, PE 1 finds a matching entry from the routing table of the VPN instance, labels the packet with both a private network label (inner label) and a public network label (outer label), and forwards the packet out.

3. The MPLS backbone transmits the packet to PE 2 by outer label. The outer label is removed from the packet at the penultimate hop.

4. According to the inner label and destination address of the packet, PE 2 searches the routing table of the VPN instance to determine the outbound interface, and then forwards the packet out of the interface to CE 2.

5. CE 2 forwards the packet to the destination by IPv6 forwarding.

IPv6 MPLS L3VPN routing information advertisement

The routing information for a local CE is advertised to the remote CE by using the following process:

1. From the local CE to the ingress PE.

The local CE advertises standard IPv6 routing information to the ingress PE over an IPv6 static route, RIPng route, OSPFv3 route, IPv6 IS-IS route, IBGP route, or EBGP route.

2. From the ingress PE to the egress PE.

After receiving the standard IPv6 routes from the CE, the ingress PE performs the following operations:

a. Adds RDs and route targets to create VPN-IPv6 routes.

b. Saves the routes to the routing table of the VPN instance created for the CE.

c. Assigns VPN labels for the routes.

d. Advertises the VPN-IPv6 routes to the egress PE through MP-BGP.

The egress PE performs the following operations:

a. Compares the export target attributes of the VPN-IPv6 routes with the import target attributes that it maintains for the VPN instance.

b. Adds the routes to the routing table of the VPN instance if the export and import target attributes are the same.

The PEs use an IGP to ensure the connectivity between them.

3. From the egress PE to the remote peer CE.

The egress PE restores the original IPv6 routes and advertises them to the remote CE over an IPv6 static route, RIPng route, OSPFv3 route, IPv6 IS-IS route, EBGP, or IBGP route.

IPv6 MPLS L3VPN network schemes and features

IPv6 MPLS L3VPN supports the following network schemes and features:

· Basic VPN.

· Inter-AS VPN option A.

· Inter-AS VPN option C.

· Carrier's carrier.

· OSPFv3 VPN extension. (OSPFv3 Type 3, Type 5, and Type 7 LSAs support the DN bit. By default, OSPFv3 VPN extension uses the DN bit to avoid routing loops.)

· Multi-VPN instance CE.

· BGP AS number substitution and SoO.

Protocols and standards

· RFC 4659, BGP-MPLS IP Virtual Private Network (VPN) Extension for IPv6 VPN

· RFC 6565, OSPFv3 as a Provider Edge to Customer Edge (PE-CE) Routing Protocol

Configuration restrictions and guidelines

IPv6 MPLS L3VPN is exclusive with EVI and VXLAN.

IPv6 MPLS L3VPN configuration task list

Tasks at a glance
(Required.) Configuring basic IPv6 MPLS L3VPN
(Optional.) Configuring inter-AS IPv6 VPN
(Optional.) Configuring an OSPFv3 sham link
(Optional.) Configuring BGP AS number substitution and SoO attribute
(Optional.) Enabling logging for BGP route flapping

Configuring basic IPv6 MPLS L3VPN

The key task in IPv6 MPLS L3VPN configuration is to manage the advertisement of IPv6 VPN routes on the MPLS backbone, including management of PE-CE route exchange and PE-PE route exchange.

To configure basic IPv6 MPLS L3VPN:

Tasks at a glance
Configuring VPN instances: 1. (Required.) Creating a VPN instance 2. (Required.) Associating a VPN instance with an interface 3. (Optional.) Configuring route related attributes for a VPN instance




(Required.) Configuring routing between a PE and a CE
(Required.) Configuring routing between PEs
(Optional.) Configuring BGP VPNv6 route control

Configuration prerequisites

Before configuring basic IPv6 MPLS L3VPN, perform the following tasks:

1. Configure an IGP on the PEs and P devices to ensure IP connectivity within the MPLS backbone.

2. Configure basic MPLS for the MPLS backbone.

3. Configure MPLS LDP on PEs and P devices to establish LDP LSPs.

Configuring VPN instances

By configuring VPN instances on a PE, you isolate not only VPN routes from public network routes, but also routes between VPNs. This feature allows VPN instances to be used in MPLS L3VPNs and other network scenarios as well.

All VPN instance configurations are performed on PEs.

Creating a VPN instance

A VPN instance is a collection of the VPN membership and routing rules of its associated site. A VPN instance might correspond to more than one VPN.

To create and configure a VPN instance:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a VPN instance and enter VPN instance view.	ip vpn-instance vpn-instance-name	By default, no VPN instance is created.
3. Configure an RD for the VPN instance.	route-distinguisher route-distinguisher	By default, no RD is specified.
4. (Optional.) Configure a description for the VPN instance.	description text	By default, no description is configured for a VPN instance. The description should contain the VPN instance's related information, such as its relationship with a certain VPN.
5. (Optional.) Configure an ID for the VPN instance.	vpn-id vpn-id	By default, no ID is configured for a VPN instance.

Associating a VPN instance with an interface

After creating and configuring a VPN instance, associate the VPN instance with the interface connected to the CE.

To associate a VPN instance with an interface:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Associate a VPN instance with the interface.	ip binding vpn-instance vpn-instance-name	By default, an interface is not associated with a VPN instance. The ip binding vpn-instance command clears the IP address of the interface. Therefore, reconfigure an IP address for the interface after configuring this command.

Configuring route related attributes for a VPN instance

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter VPN instance view or IPv6 VPN view.	· Enter VPN instance view: ip vpn-instance vpn-instance-name · Enter IPv6 VPN view: a. ip vpn-instance vpn-instance-name b. address-family ipv6	Configurations made in VPN instance view apply to both IPv4 VPN and IPv6 VPN. IPv6 VPN prefers the configurations in IPv6 VPN view over the configurations in VPN instance view.
3. Configure route targets.	vpn-target vpn-target&<1-8> [ both \| export-extcommunity \| import-extcommunity ]	By default, no route targets are configured.
4. Set the maximum number of active routes supported.	routing-table limit number { warn-threshold \| simply-alert }	By default, the maximum number of active routes is not configured. Setting the maximum number of active routes for a VPN instance can prevent the PE from storing too many routes.
5. Apply an import routing policy.	import route-policy route-policy	By default, all routes matching the import target attribute are accepted. Make sure the routing policy already exists. Otherwise, the device does not filter received routes. For information about routing policies, see Layer 3—IP Routing Configuration Guide.
6. Apply an export routing policy.	export route-policy route-policy	By default, routes to be advertised are not filtered. Make sure the routing policy already exists. Otherwise, the device does not filter routes to be advertised. For information about routing policies, see Layer 3—IP Routing Configuration Guide.
7. Apply a tunnel policy to the VPN instance.	tnl-policy tunnel-policy-name	By default, only one tunnel is selected (no load balancing) in this order: LSP tunnel and CRLSP tunnel. The specified tunnel policy must have been created. For information about tunnel policies, see "Configuring tunnel policies."

Configuring routing between a PE and a CE

You can configure IPv6 static routing, RIPng, OSPFv3, IPv6 IS-IS, EBGP, or IBGP between a PE and a CE.

Configuring IPv6 static routing between a PE and a CE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure an IPv6 static route for a VPN instance.	ipv6 route-static vpn-instance s-vpn-instance-name ipv6-address prefix-length { interface-type interface-number [ next-hop-address ] \| nexthop-address [ public ] \| vpn-instance d-vpn-instance-name nexthop-address } [ permanent ] [ preference preference-value ] [ tag tag-value ] [ description description-text ]	By default, no IPv6 static route is configured for a VPN instance. Perform this configuration on the PE. On the CE, configure a common IPv6 static route. For more information about IPv6 static routing, see Layer 3—IP Routing Configuration Guide.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure an IPv6 static route for a VPN instance.

ipv6 route-static vpn-instance s-vpn-instance-name ipv6-address prefix-length { interface-type interface-number [ next-hop-address ] | nexthop-address [ public ] | vpn-instance d-vpn-instance-name nexthop-address } [ permanent ] [ preference preference-value ] [ tag tag-value ] [ description description-text ]

By default, no IPv6 static route is configured for a VPN instance.

Perform this configuration on the PE. On the CE, configure a common IPv6 static route.

For more information about IPv6 static routing, see Layer 3—IP Routing Configuration Guide.

Configuring RIPng between a PE and a CE

A RIPng process belongs to the public network or a single VPN instance. If you create a RIPng process without binding it to a VPN instance, the process belongs to the public network.

For more information about RIPng, see Layer 3—IP Routing Configuration Guide.

To configure RIPng between a PE and a CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a RIPng process for a VPN instance and enter RIPng view.	ripng [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the PE. On the CE, create a common RIPng process.
3. Return to system view.	quit	N/A
4. Enter interface view.	interface interface-type interface-number	N/A
5. Enable RIPng on the interface.	ripng process-id enable	By default, RIPng is disabled on an interface.

Configuring OSPFv3 between a PE and a CE

An OSPFv3 process belongs to the public network or a single VPN instance. If you create an OSPF process without binding it to a VPN instance, the process belongs to the public network.

For more information about OSPFv3, see Layer 3—IP Routing Configuration Guide.

To configure OSPFv3 between a PE and a CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an OSPFv3 process for a VPN instance and enter OSPFv3 view.	ospfv3 [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the PE. Deleting a VPN instance also deletes all related OSPFv3 processes.
3. Set the router ID.	router-id router-id	N/A
4. (Optional.) Set an OSPFv3 domain ID.	domain-id { domain-id [ secondary ] \| null }	The default domain ID is 0. Perform this configuration on the PE. When you redistribute OSPFv3 routes into BGP, BGP adds the primary domain ID to the redistributed BGP VPNv6 routes as a BGP extended community attribute. You can configure the same domain ID for different OSPFv3 processes. All OSPF processes of the same VPN must be configured with the same OSPF domain ID to ensure correct route advertisement.
5. (Optional.) Configure the type code of an OSPFv3 extended community attribute.	ext-community-type { domain-id type-code1 \| route-type type-code2 \| router-id type-code3 }	By default, the type codes for domain ID, route type, and router ID are hexadecimal numbers 0005, 0306, and 0107, respectively. Perform this configuration on the PE.
6. (Optional.) Configure an external route tag for redistributed VPN routes.	route-tag tag-value	By default, if BGP runs within an MPLS backbone, and the BGP AS number is not greater than 65535, the first two octets of the external route tag are 0xD000. The last two octets are the local BGP AS number. If the AS number is greater than 65535, the external route tag is 0. Perform this configuration on the PE.
7. (Optional.) Disable setting the DN bit in OSPFv3 LSAs.	disable-dn-bit-set	By default, when a PE redistributes BGP routes into OSPFv3 and creates OSPFv3 LSAs, it sets the DN bit for the LSAs. Before using this command, make sure it does not cause any routing loops. Perform this configuration on the PE.
8. (Optional.) Ignore the DN bit in OSPFv3 LSAs.	disable-dn-bit-check	By default, the PE checks the DN bit in OSPFv3 LSAs. Before using this command, make sure it does not cause any routing loops. Perform this configuration on the PE.
9. (Optional.) Enable the external route check feature for OSPFv3 LSAs.	route-tag-check enable	By default, the PE checks the DN bit in OSPFv3 LSAs to avoid routing loops. This command is compatible with the old protocol (RFC 4577). As a best practice, do not use this command in the current software version. Perform this configuration on the PE.
10. Return to system view.	quit	N/A
11. Enter interface view.	interface interface-type interface-number	N/A
12. Enable OSPFv3 on the interface.	ospfv3 process-id area area-id [ instance instance-id ]	By default, OSPFv3 is disabled on an interface. Perform this configuration on the PE.

Configuring IPv6 IS-IS between a PE and a CE

An IPv6 IS-IS process belongs to the public network or a single VPN instance. If you create an IPv6 IS-IS process without binding it to a VPN instance, the process belongs to the public network.

For more information about IPv6 IS-IS, see Layer 3—IP Routing Configuration Guide.

To configure IPv6 IS-IS between a PE and a CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an IPv6 IS-IS process for a VPN instance and enter IS-IS view.	isis [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the PE. On the CE, create a common IPv6 IS-IS process.
3. Configure a network entity title for the IS-IS process.	network-entity net	By default, no NET is configured.
4. Create the IS-IS IPv6 unicast address family and enter its view.	address-family ipv6 [ unicast ]	By default, the IS-IS IPv6 unicast address family is not created.
5. Return to system view.	quit	N/A
6. Enter interface view.	interface interface-type interface-number	N/A
7. Enable IPv6 for the IS-IS process on the interface.	isis ipv6 enable [ process-id ]	By default, IPv6 is disabled on an interface.

Configuring EBGP between a PE and a CE

1. Configure the PE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable BGP and enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Configure the CE as the VPN EBGP peer.	peer { group-name \| ipv6-address [ prefix-length ] } as-number as-number	By default, no BGP peer is configured.
5. Create the BGP-VPN IPv6 unicast address family and enter its view.	address-family ipv6 [ unicast ]	By default, the BGP-VPN IPv6 unicast address family is not created. Configuration commands in BGP-VPN IPv6 unicast address family view are the same as those in BGP IPv6 unicast address family view. For more information, see Layer 3—IP Routing Configuration Guide.
6. Enable IPv6 unicast route exchange with the specified peer or peer group.	peer { group-name \| ip-address [ prefix-length ] } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
7. Redistribute the routes of the local CE.	import-route protocol [ { process-id \| all-processes } [ allow-direct \| med med-value \| route-policy route-policy-name ] * ]	A PE must redistribute the routes of the local CE into its VPN routing table so that it can advertise them to the peer PE.
8. (Optional.) Configure filtering of advertised routes.	filter-policy { acl6-number \| prefix-list ipv6-prefix-name } export [ protocol process-id ]	By default, BGP does not filter advertised routes.
9. (Optional.) Configure filtering of received routes.	filter-policy { acl6-number \| prefix-list ipv6-prefix-name } import	By default, the PE does not filter received routes.

2. Configure the CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the PE as an EBGP peer.	peer { group-name \| ipv6-address [ prefix-length ] } as-number as-number	By default, no BGP peer is configured.
4. Create the BGP IPv6 unicast address family and enter its view.	address-family ipv6 [ unicast ]	By default, the BGP IPv6 unicast address family is not created.
5. Enable IPv6 unicast route exchange with the specified peer or peer group.	peer { group-name \| ip-address [ prefix-length ] } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
6. (Optional.) Configure route redistribution.	import-route protocol [ { process-id \| all-processes } [ allow-direct \| med med-value \| route-policy route-policy-name ] * ]	A CE must advertise its VPN routes to the connected PE so that the PE can advertise them to the peer CE.

Configuring IBGP between a PE and a CE

Use IBGP between PE and CE only in a basic IPv6 MPLS L3VPN network. In networks such as inter-AS VPN and carrier's carrier, you cannot configure IBGP between PE and CE.

1. Configure the PE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	Configuration commands in BGP-VPN instance view are the same as those in BGP view. For more information, see Layer 3—IP Routing Configuration Guide.
4. Configure the CE as the VPN IBGP peer.	peer { group-name \| ipv6-address [ prefix-length ] } as-number as-number	By default, no BGP peer is created.
5. Create the BGP-VPN IPv6 unicast family and enter its view.	address-family ipv6 [ unicast ]	By default, the BGP-VPN IPv6 unicast family is not created.
6. Enable IPv6 unicast route exchange with the specified peer.	peer { group-name \| ipv6-address [ prefix-length ] } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.

2. Configure the CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the PE as an IBGP peer.	peer { group-name \| ipv6-address [ prefix-length ] } as-number as-number	By default, no BGP peer is created.
4. Create the BGP IPv6 unicast family and enter its view.	address-family ipv6 [ unicast ]	By default, the BGP IPv6 unicast family is not created.
5. Enable IPv6 unicast route exchange with the specified peer or peer group.	peer { group-name \| ipv6-address [ prefix-length ] } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
6. (Optional.) Configure route redistribution.	import-route protocol [ { process-id \| all-processes } [ allow-direct \|med med-value \| route-policy route-policy-name ] * ]	A CE must redistribute its routes to the PE so the PE can advertise them to the peer CE.

Configuring routing between PEs

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the remote PE as the peer.	peer { group-name \| ip-address [ mask-length ] } as-number as-number	By default, no BGP peer is configured.
4. Specify the source interface for route update packets sent to the specified peer.	peer { group-name \| ip-address [ mask-length ] } connect-interface interface-type interface-number	By default, BGP uses the outbound interface of the best route to the BGP peer as the source interface.
5. Create the BGP VPNv6 address family and enter its view.	address-family vpnv6	By default, the BGP VPNv6 address family is not created.
6. Enable BGP VPNv6 route exchange with the specified peer.	peer { group-name \| ip-address [ mask-length ] } enable	By default, BGP does not exchange BGP VPNv6 routes with any peer.

Configuring BGP VPNv6 route control

BGP VPNv6 route control is configured similarly with BGP route control, except that it is configured in BGP VPNv6 address family view. For detailed information about BGP route control, see Layer 3—IP Routing Configuration Guide.

To configure BGP VPNv6 route control:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP VPNv6 address family view.	address-family vpnv6	N/A
4. Configure filtering of advertised routes.	filter-policy { acl6-number \| prefix-list ipv6-prefix-name } export [ protocol process-id ]	By default, the PE does not filter advertised routes.
5. Configure filtering of received routes.	filter-policy { acl6-number \| prefix-list ipv6-prefix-name } import	By default, the PE does not filter received routes.
6. Configure ACL-based route filtering for the specified peer or peer group.	peer { group-name \| ip-address [ mask-length ] } filter-policy acl6-number { export \| import }	By default, no ACL-based route filtering is configured.
7. Configure IPv6 prefix list-based route filtering for the specified peer or peer group.	peer { group-name \| ip-address [ mask-length ] } prefix-list ipv6-prefix-name { export \| import }	By default, no IPv6 prefix list-based route filtering is configured.
8. Configure BGP to not change the next hop of routes sent to a peer or peer group.	peer { group-name \| ip-address [ mask-length ] } next-hop-invariable	By default, the router sets itself as the next hop for routes sent to an EBGP peer or peer group. On an RR in an inter-AS option C scenario, you must configure this command to not change the next hop of VPNv6 routes advertised to BGP peers and RR clients.
9. Set a preferred value for routes received from the peer or peer group.	peer { group-name \| ip-address [ mask-length ] } preferred-value value	The default preferred value is 0.
10. Configure BGP updates sent to the peer to carry only public AS numbers.	peer { group-name \| ip-address [ mask-length ] } public-as-only	By default, a BGP update carries both public and private AS numbers.
11. Apply a routing policy to routes advertised to or received from the peer or peer group.	peer { group-name \| ip-address [ mask-length ] } route-policy route-policy-name { export \| import }	By default, no routing policy is applied for a peer.
12. Enable route target filtering for received BGP VPNv6 routes.	policy vpn-target	By default, route target filtering is enabled.
13. Configure the local PE as the route reflector and specify the peer as the client.	peer { group-name \| ip-address [ mask-length ] } reflect-client	By default, no route reflector or client is configured.
14. Set the maximum number of routes BGP can receive from a peer or peer group.	peer { group-name \| ip-address [ mask-length ] } route-limit prefix-number [ { alert-only \| discard \| reconnect reconnect-time } \| percentage-value ] *	By default, the number of routes that BGP can receive from a peer or peer group is not limited.
15. Enable route reflection between clients.	reflect between-clients	By default, route reflection between clients is enabled.
16. Configure a cluster ID for the route reflector.	reflector cluster-id { cluster-id \| ip-address }	By default, an RR uses its own router ID as the cluster ID. If more than one RR exists in a cluster, use this command to configure the same cluster ID for all RRs in the cluster to avoid routing loops.
17. Configure filtering of reflected routes.	rr-filter extended-community-number	By default, an RR does not filter reflected routes. Only IBGP routes whose extended community attribute matches the specified community list are reflected. By configuring different filtering policies on RRs, you can implement load balancing among the RRs.
18. Configure the SoO attribute for a BGP peer for peer group.	peer { group-name \| ip-address [ mask-length ] } soo site-of-origin	By default, the SoO attribute is not configured.

Configuring inter-AS IPv6 VPN

If the MPLS backbone spans multiple ASs, you must configure inter-AS IPv6 VPN.

There are three inter-AS VPN solutions (for more information, see "Configuring MPLS L3VPN"). IPv6 MPLS L3VPN supports only inter-AS VPN option A and option C.

Before configuring inter-AS IPv6 VPN, perform the following tasks:

· Configure an IGP for the MPLS backbone in each AS to ensure IP connectivity.

· Configure basic MPLS for the MPLS backbone of each AS.

· Configure MPLS LDP for the MPLS backbones so that LDP LSPs can be established.

The following sections describe inter-AS IPv6 VPN option A and option C. Select one according to your network scenario.

Configuring inter-AS IPv6 VPN option A

Inter-AS IPv6 VPN option A applies to scenarios where the number of VPNs and that of VPN routes on the PEs are relatively small.

To configure inter-AS IPv6 option A:

· Configure basic IPv6 MPLS L3VPN on each AS.

· Configure VPN instances on both PEs and ASBR-PEs. The VPN instances on PEs allow CEs to access the network, and those on ASBR-PEs are for access of the peer ASBR-PEs.

For more configuration information, see "Configuring MPLS L3VPN."

In the inter-AS IPv6 VPN option A solution, for the same IPv6 VPN, the route targets configured on the PEs must match those configured on the ASBR-PEs in the same AS. This makes sure VPN routes sent by the PEs (or ASBR-PEs) can be received by the ASBR-PEs (or PEs). Route targets configured on the PEs in different ASs do not have such requirements.

Configuring inter-AS IPv6 VPN option C

To configure inter-AS IPv6 VPN option C, perform proper configurations on PEs and ASBR-PEs, and configure routing policies on the ASBR-PEs.

Configuring a PE

Establish an IBGP peer relationship between a PE and an ASBR-PE in an AS, and an MP-EBGP peer relationship between PEs in different ASs.

The PEs and ASBR-PEs in an AS must be able to exchange labeled routes.

To configure a PE for inter-AS IPv6 VPN option C:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Configure the ASBR-PE in the same AS as an IBGP peer.	peer { group-name \| ip-address [ mask-length ] } as-number as-number	By default, no BGP peer is configured.
4. Configure the PE in another AS as an EBGP peer.	peer { group-name \| ip-address [ mask-length ] } as-number as-number	By default, no BGP peer is configured.
5. Enter BGP IPv4 unicast address family view.	address-family ipv4 [ unicast ]	N/A
6. Enable BGP to exchange BGP IPv4 unicast routes with the ASBR-PE in the same AS.	peer { group-name \| ip-address [ mask-length ] } enable	By default, the PE does not exchange BGP IPv4 unicast routes with any peer.
7. Enable BGP to exchange labeled routes with the ASBR-PE in the same AS.	peer { group-name \| ip-address [ mask-length ] } label-route-capability	By default, the PE does not advertise labeled routes to any IPv4 peer/peer group.
8. Return to BGP view.	quit	N/A
9. Enter BGP VPNv6 address family view.	address-family vpnv6	N/A
10. Enable BGP to exchange BGP VPNv6 routing information with the EBGP peer.	peer ip-address [ mask-length ] enable	By default, the PE does not exchange labeled routes with any IPv4 peer/peer group.
11. (Optional.) Configure the PE to not change the next hop of routes advertised to the peer.	peer { group-name \| ip-address [ mask-length ] } next-hop-invariable	Configure this command on the RR so the RR does not change the next hop of advertised VPNv6 routes.

Configuring an ASBR-PE

In the inter-AS IPv6 VPN option C solution, an inter-AS LSP is needed, and the routes advertised between the PEs and ASBRs must carry MPLS label information. The configuration is the same as that in the Inter-AS IPv4 VPN option C solution. For more information, see "Configuring MPLS L3VPN."

Configuring a routing policy

A routing policy on an ASBR-PE performs the following operations:

· Assigns MPLS labels to routes received from the PEs in the same AS before advertising them to the peer ASBR-PE.

· Assigns new MPLS labels to the labeled routes to be advertised to the PEs in the same AS.

The configuration is the same as that in the Inter-AS IPv4 VPN option C solution. For more information, see "Configuring MPLS L3VPN."

Configuring an OSPFv3 sham link

Before you configure an OSPFv3 sham link, configure basic IPv6 MPLS L3VPN (OSPFv3 is used between PE and CE).

Configuring a loopback interface

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a loopback interface and enter loopback interface view.	interface loopback interface-number	By default, no loopback interface is created.
3. Associate the loopback interface with a VPN instance.	ip binding vpn-instance vpn-instance-name	By default, the interface is associated with no VPN instance.
4. Configure an IPv6 address for the loopback interface.	For configuration details, see Layer 3—IP Services Configuration Guide.	By default, no IPv6 address is configured for the loopback interface.

Redistributing the loopback interface address

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Enter BGP-VPN IPv6 unicast address family view.	address-family ipv6 [ unicast ]	N/A
5. Redistribute direct routes into BGP (including the loopback interface address).	import-route direct	By default, no direct routes are redistributed into BGP.

Creating a sham link

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter OSPFv3 view.	ospfv3 [ process-id \| vpn-instance vpn-instance-name ] *	N/A
3. Enter OSPFv3 area view.	area area-id	N/A
4. Configure an OSPFv3 sham link.	sham-link source-ipv6-address destination-ipv6-address [ cost cost \| dead dead-interval \| hello hello-interval \| instance instance-id \| ipsec-profile profile-name \| retransmit retrans-interval \| trans-delay delay ] *	By default, no sham link is configured.

Configuring BGP AS number substitution and SoO attribute

When CEs at different sites have the same AS number, configure the BGP AS number substitution feature to avoid route loss.

For more information about the BGP AS number substitution feature and the SoO attribute, see "BGP AS number substitution and SoO attribute."

To configure BGP AS number substitution and SoO attribute:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Enable the BGP AS number substitution feature.	peer { group-name \| ipv6-address [ prefix-length ] } substitute-as	By default, BGP AS number substitution is disabled.
5. Enter BGP-VPN IPv6 unicast address family view.	address-family ipv6 [ unicast ]	N/A
6. (Optional.) Configure the SoO attribute for a BGP peer or peer group.	peer { group-name \| ipv6-address [ prefix-length ] } soo site-of-origin	By default, the SoO attribute is not configured.

For more information about the commands in this section, see Layer 3—IP Routing Command Reference.

Enabling logging for BGP route flapping

To enable logging for BGP route flapping:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP view.	bgp as-number	N/A
3. Enter BGP VPNv6 address family view.	address-family vpnv6	N/A
4. Enable logging for BGP route flapping.	log-route-flap monitor-time monitor-count [ log-count-limit \| route-policy route-policy-name ] *	By default, logging for BGP route flapping is disabled.

Displaying and maintaining IPv6 MPLS L3VPN

Execute the following commands in user view to soft reset or reset BGP connections:

Task	Command
Manually soft reset BGP sessions for VPNv6 address family.	refresh bgp { ip-address [ mask-length ] \| all \| external \| group group-name \| internal } { export \| import } vpnv6
Reset BGP sessions for VPNv6 address family.	reset bgp { as-number \| ip-address [ mask-length ] \| all \| external \| internal \| group group-name } vpnv6

For more information about the refresh bgp vpnv6 and reset bgp vpnv6 commands, see Layer 3—IP Routing Command Reference.

Execute the following commands in any view to display IPv6 MPLS L3VPN:

Task	Command
Display the IPv6 routing table for a VPN instance.	display ipv6 routing-table vpn-instance vpn-instance-name [ verbose ]
Display information about a VPN instance or all VPN instances.	display ip vpn-instance [ instance-name vpn-instance-name ]
Display IPv6 FIB information for a VPN instance.	display ipv6 fib vpn-instance vpn-instance-name [ ipv6-address [ prefix-length ] ]
Display BGP VPNv6 peer group information.	display bgp group vpnv6 [ group-name group-name ]
Display BGP VPNv6 peer information (in standalone mode).	display bgp peer vpnv6 [ { ip-address \| group-name group-name } log-info \| [ [ ip-address ] verbose ] [ standby slot slot-number ] ]
Display BGP VPNv6 peer information (in IRF mode).	display bgp peer vpnv6 [ { ip-address \| group-name group-name } log-info \| [ [ ip-address ] verbose ] [ standby chassis chassis-number slot slot-number ] ]
Display BGP VPNv6 routes (in standalone mode).	display bgp routing-table vpnv6 [ [ route-distinguisher route-distinguisher ] [ network-address prefix-length [ advertise-info ] \| as-path-acl as-path-acl-number \| community-list { { basic-community-list-number \| comm-list-name } [ whole-match ] \| adv-community-list-number } ] \| peer ip-address { advertised-routes \| received-routes } [ network-address prefix-length \| statistics ] \| statistics ] [ standby slot slot-number ]
Display BGP VPNv6 routes (in IRF mode).	display bgp routing-table vpnv6 [ [ route-distinguisher route-distinguisher ] [ network-address prefix-length [ advertise-info ] \| as-path-acl as-path-acl-number \| community-list { { basic-community-list-number \| comm-list-name } [ whole-match ] \| adv-community-list-number } ] \| peer ip-address { advertised-routes \| received-routes } [ network-address prefix-length \| statistics ] \| statistics ] [ standby chassis chassis-number slot slot-number ]
Display incoming labels for all BGP VPNv6 routes.	display bgp routing-table vpnv6 inlabel
Display outgoing labels for all BGP VPNv6 routes (in standalone mode).	display bgp routing-table vpnv6 outlabel [ standby slot slot-number ]
Display outgoing labels for all BGP VPNv6 routes (in IRF mode).	display bgp routing-table vpnv6 outlabel [ standby chassis chassis-number slot slot-number ]
Display BGP VPNv6 address family update group information.	display bgp update-group vpnv6 [ ip-address ]
Display OSPFv3 sham link information.	display ospfv3 [ process-id ] [ area area-id ] sham-link [ verbose ]

For more information about the display ipv6 routing-table, display bgp group vpnv6, display bgp peer vpnv6, and display bgp update-group vpnv6 commands, see Layer 3—IP Routing Command Reference.

IPv6 MPLS L3VPN configuration examples

Configuring IPv6 MPLS L3VPNs

Network requirements

CE 1 and CE 3 belong to VPN 1. CE 2 and CE 4 belong to VPN 2.

VPN 1 uses route target attributes 111:1. VPN 2 uses route target attributes 222:2. Users of different VPNs cannot access each other.

Run EBGP between CE and PE switches to exchange VPN routing information.

PEs use OSPF to communicate with each other and use MP-IBGP to exchange VPN routing information.

Figure 34 Network diagram

Table 13 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Vlan-int11	2001:1::1/96	P	Loop0	2.2.2.9/32
PE 1	Loop0	1.1.1.9/32		Vlan-int12	172.2.1.1/24
	Vlan-int11	2001:1::2/96		Vlan-int13	172.1.1.2/24
	Vlan-int13	172.1.1.1/24	PE 2	Loop0	3.3.3.9/32
	Vlan-int12	2001:2::2/96		Vlan-int12	172.2.1.2/24
CE 2	Vlan-int12	2001:2::1/96		Vlan-int11	2001:3::2/96
CE 3	Vlan-int11	2001:3::1/96		Vlan-int13	2001:4::2/96
CE 4	Vlan-int13	2001:4::1/96

Configuration procedure

1. Configure OSPF on the MPLS backbone to ensure IP connectivity among the PEs and the P switch:

# Configure PE 1.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 1.1.1.9 32

[PE1-LoopBack0] quit

[PE1] interface vlan-interface 13

[PE1-Vlan-interface13] ip address 172.1.1.1 24

[PE1- Vlan-interface13] quit

[PE1] ospf

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

# Configure the P switch.

<P> system-view

[P] interface loopback 0

[P-LoopBack0] ip address 2.2.2.9 32

[P-LoopBack0] quit

[P] interface vlan-interface 13

[P-Vlan-interface13] ip address 172.1.1.2 24

[P- Vlan-interface13] quit

[P] interface vlan-interface 12

[P-Vlan-interface12] ip address 172.2.1.1 24

[P-Vlan-interface12] quit

[P] ospf

[P-ospf-1] area 0

[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[P-ospf-1-area-0.0.0.0] quit

[P-ospf-1] quit

# Configure PE 2.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 3.3.3.9 32

[PE2-LoopBack0] quit

[PE2] interface vlan-interface 12

[PE2-Vlan-interface12] ip address 172.2.1.2 24

[PE2-Vlan-interface12] quit

[PE2] ospf

[PE2-ospf-1] area 0

[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

2. Configure basic MPLS and enable MPLS LDP on the MPLS backbone to establish LDP LSPs:

# Configure PE 1.

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] interface vlan-interface 13

[PE1-Vlan-interface13] mpls enable

[PE1-Vlan-interface13] mpls ldp enable

[PE1-Vlan-interface13] quit

# Configure the P switch.

[P] mpls lsr-id 2.2.2.9

[P] mpls ldp

[P-ldp] quit

[P] interface vlan-interface 13

[P-Vlan-interface13] mpls enable

[P-Vlan-interface13] mpls ldp enable

[P-Vlan-interface13] quit

[P] interface vlan-interface 12

[P-Vlan-interface12] mpls enable

[P-Vlan-interface12] mpls ldp enable

[P-Vlan-interface12] quit

# Configure PE 2.

[PE2] mpls lsr-id 3.3.3.9

[PE2] mpls ldp

[PE2-ldp] quit

[PE2] interface vlan-interface 12

[PE2-Vlan-interface12] mpls enable

[PE2-Vlan-interface12] mpls ldp enable

[PE2-Vlan-interface12] quit

3. Configure VPN instances on the PEs:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 111:1

[PE1-vpn-instance-vpn1] quit

[PE1] ip vpn-instance vpn2

[PE1-vpn-instance-vpn2] route-distinguisher 100:2

[PE1-vpn-instance-vpn2] vpn-target 222:2

[PE1-vpn-instance-vpn2] quit

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] ip binding vpn-instance vpn1

[PE1-Vlan-interface11] ipv6 address 2001:1::2 96

[PE1-Vlan-interface11] quit

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip binding vpn-instance vpn2

[PE1-Vlan-interface12] ipv6 address 2001:2::2 96

[PE1-Vlan-interface12] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 200:1

[PE2-vpn-instance-vpn1] vpn-target 111:1

[PE2-vpn-instance-vpn1] quit

[PE2] ip vpn-instance vpn2

[PE2-vpn-instance-vpn2] route-distinguisher 200:2

[PE2-vpn-instance-vpn2] vpn-target 222:2

[PE2-vpn-instance-vpn2] quit

[PE2] interface vlan-interface 11

[PE2-Vlan-interface11] ip binding vpn-instance vpn1

[PE2-Vlan-interface11] ipv6 address 2001:3::2 96

[PE2-Vlan-interface11] quit

[PE2] interface vlan-interface 13

[PE2-Vlan-interface13] ip binding vpn-instance vpn2

[PE2-Vlan-interface13] ipv6 address 2001:4::2 96

[PE2-Vlan-interface13] quit

# Configure IP addresses for the CEs according to Table 13. (Details not shown.)

# Execute the display ip vpn-instance command on the PEs to display the configuration of the VPN instance, for example, on PE 1.

[PE1] display ip vpn-instance

Total VPN-Instances configured : 2

VPN-Instance Name RD Create time

vpn1 100:1 2012/02/13 12:49:08

vpn2 100:2 2012/02/13 12:49:20

# Use the ping command on the PEs to verify that the PEs can ping their attached CEs, for example, on PE 1.

[PE1] ping ipv6 -vpn-instance vpn1 2001:1::1

Ping6(56 bytes) 2001:1::2 --> 2001:1::1, press CTRL_C to break

56 bytes from 2001:1::1, icmp_seq=0 hlim=64 time=9.000 ms

56 bytes from 2001:1::1, icmp_seq=1 hlim=64 time=1.000 ms

56 bytes from 2001:1::1, icmp_seq=2 hlim=64 time=0.000 ms

56 bytes from 2001:1::1, icmp_seq=3 hlim=64 time=0.000 ms

56 bytes from 2001:1::1, icmp_seq=4 hlim=64 time=0.000 ms

--- Ping6 statistics for 2001:1::1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/2.000/9.000/3.521 ms

4. Establish EBGP peer relationships between the PEs and CEs to exchange VPN routes:

# Configure CE 1.

<CE1> system-view

[CE1] bgp 65410

[CE1-bgp] peer 2001:1::2 as-number 100

[CE1-bgp] address-family ipv6 unicast

[CE1-bgp-ipv6] peer 2001:1::2 enable

[CE1-bgp-ipv6] import-route direct

[CE1-bgp-ipv6] quit

[CE1-bgp] quit

# Configure the other three CEs (CE 2 through CE 4) in the same way that CE 1 is configured. (Details not shown.)

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] peer 2001:1::1 as-number 65410

[PE1-bgp-vpn1] address-family ipv6 unicast

[PE1-bgp-ipv6-vpn1] peer 2001:1::1 enable

[PE1-bgp-ipv6-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] ip vpn-instance vpn2

[PE1-bgp-vpn2] peer 2001:2::1 as-number 65420

[PE1-bgp-vpn2] address-family ipv6 unicast

[PE1-bgp-ipv6-vpn2] peer 2001:2::1 enable

[PE1-bgp-ipv6-vpn2] quit

[PE1-bgp-vpn2] quit

[PE1-bgp] quit

# Configure PE 2 in the same way that PE 1 is configured. (Details not shown.)

# Execute the display bgp peer ipv6 vpn-instance command on the PEs to verify that a BGP peer relationship in Established state has been established between a PE and a CE. (Details not shown.)

5. Configure an MP-IBGP peer relationship between the PEs:

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] peer 3.3.3.9 as-number 100

[PE1-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE1-bgp] address-family vpnv6

[PE1-bgp-af-vpnv6] peer 3.3.3.9 enable

[PE1-bgp-af-vpnv6] quit

[PE1-bgp] quit

# Configure PE 2.

[PE2] bgp 100

[PE2-bgp] peer 1.1.1.9 as-number 100

[PE2-bgp] peer 1.1.1.9 connect-interface loopback 0

[PE2-bgp] address-family vpnv6

[PE2-bgp-af-vpnv6] peer 1.1.1.9 enable

[PE2-bgp-af-vpnv6] quit

[PE2-bgp] quit

# Execute the display bgp peer vpnv6 command on the PEs to verify that a BGP peer relationship in Established state has been established between the PEs. (Details not shown.)

Verifying the configuration

# Execute the display ipv6 routing-table vpn-instance command on the PEs.

[PE1] display ipv6 routing-table vpn-instance vpn1

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:1::/96 Protocol : Direct

NextHop : :: Preference: 0

Interface : Vlan11 Cost : 0

Destination: 2001:1::2/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:3::/96 Protocol : BGP4+

NextHop : ::FFFF:3.3.3.9 Preference: 255

Interface : Vlan13 Cost : 0

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

[PE1] display ipv6 routing-table vpn-instance vpn2

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:2::/96 Protocol : Direct

NextHop : :: Preference: 0

Interface : Vlan12 Cost : 0

Destination: 2001:2::2/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:4::/96 Protocol : BGP4+

NextHop : ::FFFF:3.3.3.9 Preference: 255

Interface : Vlan13 Cost : 0

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

The output shows that PE 1 has routes to the remote CEs. Output on PE 2 is similar.

# Verify that CEs of the same VPN can ping each other, and CEs of different VPNs cannot ping each other. For example, CE 1 can ping CE 3 (2001:3::1), but cannot ping CE 4 (2001:4::1). (Details not shown.)

Configuring IPv6 MPLS L3VPN inter-AS option A

Network requirements

CE 1 and CE 2 belong to the same VPN. CE 1 accesses the network through PE 1 in AS 100, and CE 2 accesses the network through PE 2 in AS 200.

Configure IPv6 MPLS L3VPN inter-AS option A, and use the VRF-to-VRF method to manage VPN routes.

Run OSPF on the MPLS backbone of each AS.

Figure 35 Network diagram

Table 14 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Vlan-int12	2001:1::1/96	CE 2	Vlan-int12	2001:2::1/96
PE 1	Loop0	1.1.1.9/32	PE 2	Loop0	4.4.4.9/32
	Vlan-int12	2001:1::2/96		Vlan-int12	2001:2::2/96
	Vlan-int11	172.1.1.2/24		Vlan-int11	162.1.1.2/24
ASBR-PE 1	Loop0	2.2.2.9/32	ASBR-PE 2	Loop0	3.3.3.9/32
	Vlan-int11	172.1.1.1/24		Vlan-int11	162.1.1.1/24
	Vlan-int12	2002:1::1/96		Vlan-int12	2002:1::2/96

Configuration procedure

1. Configure an IGP on each MPLS backbone to ensure IP connectivity within the backbone.

This example uses OSPF. (Details not shown.)

# Execute the display ospf peer command to verify that each ASBR-PE has established an OSPF adjacency in Full state with the PE in the same AS, and that PEs and ASBR-PEs in the same AS can learn the routes to the loopback interfaces of each other. Verify that each ASBR-PE and the PE in the same AS can ping each other. (Details not shown.)

2. Configure basic MPLS and enable MPLS LDP on each MPLS backbone to establish LDP LSPs:

# Configure basic MPLS on PE 1, and enable MPLS LDP for the interface connected to ASBR-PE 1.

<PE1> system-view

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] mpls enable

[PE1-Vlan-interface11] mpls ldp enable

[PE1-Vlan-interface11] quit

# Configure basic MPLS on ASBR-PE 1, and enable MPLS LDP for the interface connected to PE 1.

<ASBR-PE1> system-view

[ASBR-PE1] mpls lsr-id 2.2.2.9

[ASBR-PE1] mpls ldp

[ASBR-PE1-ldp] quit

[ASBR-PE1] interface vlan-interface 11

[ASBR-PE1-Vlan-interface11] mpls enable

[ASBR-PE1-Vlan-interface11] mpls ldp enable

[ASBR-PE1-Vlan-interface11] quit

# Configure basic MPLS on ASBR-PE 2, and enable MPLS LDP for the interface connected to PE 2.

<ASBR-PE2> system-view

[ASBR-PE2] mpls lsr-id 3.3.3.9

[ASBR-PE2] mpls ldp

[ASBR-PE2-ldp] quit

[ASBR-PE2] interface vlan-interface 11

[ASBR-PE2-Vlan-interface11] mpls enable

[ASBR-PE2-Vlan-interface11] mpls ldp enable

[ASBR-PE2-Vlan-interface11] quit

# Configure basic MPLS on PE 2, and enable MPLS LDP for the interface connected to ASBR-PE 2.

<PE2> system-view

[PE2] mpls lsr-id 4.4.4.9

[PE2] mpls ldp

[PE2-ldp] quit

[PE2] interface vlan-interface 11

[PE2-Vlan-interface11] mpls enable

[PE2-Vlan-interface11] mpls ldp enable

[PE2-Vlan-interface11] quit

# Execute the display mpls ldp peer command on the switches to verify that the session status is Operational, and that each PE and the ASBR-PE in the same AS have established an LDP neighbor relationship. (Details not shown.)

3. Configure a VPN instance on the PEs:

For the same VPN, the route targets for the VPN instance on the PE must match those for the VPN instance of the ASBR-PE in the same AS. This is not required for PEs in different ASs.

# Configure CE 1.

<CE1> system-view

[CE1] interface vlan-interface 12

[CE1-Vlan-interface12] ipv6 address 2001:1::1 96

[CE1-Vlan-interface12] quit

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 100:1 both

[PE1-vpn-instance-vpn1] quit

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip binding vpn-instance vpn1

[PE1-Vlan-interface12] ipv6 address 2001:1::2 96

[PE1-Vlan-interface12] quit

# Configure CE 2.

<CE2> system-view

[CE2] interface vlan-interface 12

[CE2-Vlan-interface12] ipv6 address 2001:2::1 96

[CE2-Vlan-interface12] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance] route-distinguisher 200:2

[PE2-vpn-instance] vpn-target 200:1 both

[PE2-vpn-instance] quit

[PE2] interface vlan-interface 12

[PE2-Vlan-interface12] ip binding vpn-instance vpn1

[PE2-Vlan-interface12] ipv6 address 2001:2::2 96

[PE2-Vlan-interface12] quit

# On ASBR-PE 1, create a VPN instance, and bind the VPN instance to the interface connected to ASBR-PE 2. ASBR-PE 1 considers ASBR-PE 2 to be its attached CE.

[ASBR-PE1] ip vpn-instance vpn1

[ASBR-PE1-vpn-instance-vpn1] route-distinguisher 100:1

[ASBR-PE1-vpn-instance-vpn1] vpn-target 100:1 both

[ASBR-PE1-vpn-instance-vpn1] quit

[ASBR-PE1] interface vlan-interface 12

[ASBR-PE1-Vlan-interface12] ip binding vpn-instance vpn1

[ASBR-PE1-Vlan-interface12] ipv6 address 2002:1::1 96

[ASBR-PE1-Vlan-interface12] quit

# On ASBR-PE 2, create a VPN instance, and bind the VPN instance to the interface connected to ASBR-PE 1. ASBR-PE 2 considers ASBR-PE 1 to be its attached CE.

[ASBR-PE2] ip vpn-instance vpn1

[ASBR-PE2-vpn-vpn-vpn1] route-distinguisher 200:1

[ASBR-PE2-vpn-vpn-vpn1] vpn-target 200:1 both

[ASBR-PE2-vpn-vpn-vpn1] quit

[ASBR-PE2] interface vlan-interface 12

[ASBR-PE2-Vlan-interface12] ip binding vpn-instance vpn1

[ASBR-PE2-Vlan-interface12] ipv6 address 2002:1::2 96

[ASBR-PE2-Vlan-interface12] quit

# Execute the display ip vpn-instance command to display VPN instance configurations. Verify that each PE can ping its attached CE, and that ASBR-PE 1 and ASBR-PE 2 can ping each other. (Details not shown.)

4. Establish an EBGP peer relationship between PE and CE switches, and redistribute VPN routes into BGP:

# Configure CE 1.

[CE1] bgp 65001

[CE1-bgp] peer 2001:1::2 as-number 100

[CE1-bgp] address-family ipv6 unicast

[CE1-bgp-ipv6] peer 2001:1::2 enable

[CE1-bgp-ipv6] import-route direct

[CE1-bgp-ipv6] quit

[CE1-bgp] quit

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] peer 2001:1::1 as-number 65001

[PE1-bgp-vpn1] address-family ipv6 unicast

[PE1-bgp-ipv6-vpn1] peer 2001:1::1 enable

[PE1-bgp-ipv6-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Configure CE 2.

[CE2] bgp 65002

[CE2-bgp] peer 2001:2::2 as-number 200

[CE2-bgp] address-family ipv6

[CE2-bgp-ipv6] peer 2001:2::2 enable

[CE2-bgp-ipv6] import-route direct

[CE2-bgp-ipv6] quit

[CE2-bgp] quit

# Configure PE 2.

[PE2] bgp 200

[PE2-bgp] ip vpn-instance vpn1

[PE2-bgp-vpn1] peer 2001:2::1 as-number 65002

[PE2-bgp-vpn1] address-family ipv6 unicast

[PE2-bgp-ipv6-vpn1] peer 2001:2::1 enable

[PE2-bgp-ipv6-vpn1] quit

[PE2-bgp-vpn1] quit

[PE2-bgp] quit

5. Establish an IBGP peer relationship between each PE and the ASBR-PE in the same AS, and an EBGP peer relationship between the ASBR-PEs:

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] peer 2.2.2.9 as-number 100

[PE1-bgp] peer 2.2.2.9 connect-interface loopback 0

[PE1-bgp] address-family vpnv6

[PE1-bgp-vpnv6] peer 2.2.2.9 enable

[PE1-bgp-vpnv6] quit

[PE1-bgp] quit

# Configure ASBR-PE 1.

[ASBR-PE1] bgp 100

[ASBR-PE1-bgp] ip vpn-instance vpn1

[ASBR-PE1-bgp-vpn1] peer 2002:1::2 as-number 200

[ASBR-PE1-bgp-vpn1] address-family ipv6 unicast

[ASBR-PE1-bgp-ipv6-vpn1] peer 2002:1::2 enable

[ASBR-PE1-bgp-ipv6-vpn1] quit

[ASBR-PE1-bgp-vpn1] quit

[ASBR-PE1-bgp] peer 1.1.1.9 as-number 100

[ASBR-PE1-bgp] peer 1.1.1.9 connect-interface loopback 0

[ASBR-PE1-bgp] address-family vpnv6

[ASBR-PE1-bgp-vpnv6] peer 1.1.1.9 enable

[ASBR-PE1-bgp-vpnv6] quit

[ASBR-PE1-bgp] quit

# Configure ASBR-PE 2.

[ASBR-PE2] bgp 200

[ASBR-PE2-bgp] ip vpn-instance vpn1

[ASBR-PE2-bgp-vpn1] peer 2002:1::1 as-number 100

[ASBR-PE2-bgp-vpn1] address-family ipv6 unicast

[ASBR-PE2-bgp-ipv6-vpn1] peer 2002:1::1 enable

[ASBR-PE2-bgp-ipv6-vpn1] quit

[ASBR-PE2-bgp-vpn1] quit

[ASBR-PE2-bgp] peer 4.4.4.9 as-number 200

[ASBR-PE2-bgp] peer 4.4.4.9 connect-interface loopback 0

[ASBR-PE2-bgp] address-family vpnv6

[ASBR-PE2-bgp-vpnv6] peer 4.4.4.9 enable

[ASBR-PE2-bgp-vpnv6] quit

[ASBR-PE2-bgp] quit

# Configure PE 2.

[PE2] bgp 200

[PE2-bgp] peer 3.3.3.9 as-number 200

[PE2-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE2-bgp] address-family vpnv6

[PE2-bgp-vpnv6] peer 3.3.3.9 enable

[PE2-bgp-vpnv6] quit

[PE2-bgp] quit

Verifying the configuration

# Verify that the CEs can learn the route to each other and can ping each other. (Details not shown.)

Configuring IPv6 MPLS L3VPN inter-AS option C

Network requirements

Site 1 and Site 2 belong to the same VPN. Site 1 accesses the network through PE 1 in AS 100, and Site 2 accesses the network through PE 2 in AS 600. PEs in the same AS run IS-IS.

PE 1 and ASBR-PE 1 exchange labeled IPv4 routes by IBGP. PE 2 and ASBR-PE 2 exchange labeled IPv4 routes by IBGP. PE 1 and PE 2 use MP-EBGP to exchange VPNv6 routes.

ASBR-PE 1 and ASBR-PE 2 use their respective routing policies and label the routes received from each other.

ASBR-PE 1 and ASBR-PE 2 use EBGP to exchange labeled IPv4 routes.

Figure 36 Network diagram

Table 15 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
PE 1	Loop0	2.2.2.9/32	PE 2	Loop0	5.5.5.9/32
	Vlan-int11	1.1.1.2/8		Vlan-int11	9.1.1.2/8
	Vlan-int12	2001::1/64		Vlan-int12	2002::1/64
ASBR-PE 1	Loop0	3.3.3.9/32	ASBR-PE 2	Loop0	4.4.4.9/32
	Vlan-int11	1.1.1.1/8		Vlan-int11	9.1.1.1/8
	Vlan-int12	11.0.0.2/8		Vlan-int12	11.0.0.1/8
CE 1	Vlan-int12	2001::2/64		Vlan-int12	2002::2/64

Configuration procedure

1. Configure CE 1:

# Configure an IPv6 address for VLAN-interface 12.

<CE1> system-view

[CE1] interface vlan-interface 12

[CE1-Vlan-interface12] ipv6 address 2001::2 64

[CE1-Vlan-interface12] quit

# Establish an EBGP peer relationship with PE 1, and redistribute VPN routes.

[CE1] bgp 65001

[CE1-bgp] peer 2001::1 as-number 100

[CE1-bgp] address-family ipv6 unicast

[CE1-bgp-ipv6] peer 2001::1 enable

[CE1-bgp-ipv6] import-route direct

[CE1-bgp-ipv6] quit

[CE1-bgp] quit

2. Configure PE 1:

# Run IS-IS on PE 1.

<PE1> system-view

[PE1] isis 1

[PE1-isis-1] network-entity 10.111.111.111.111.00

[PE1-isis-1] quit

# Configure an LSR ID, and enable MPLS and LDP.

[PE1] mpls lsr-id 2.2.2.9

[PE1] mpls ldp

[PE1-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] ip address 1.1.1.2 255.0.0.0

[PE1-Vlan-interface11] isis enable 1

[PE1-Vlan-interface11] mpls enable

[PE1-Vlan-interface11] mpls ldp enable

[PE1-Vlan-interface11] quit

# Configure interface Loopback 0, and start IS-IS on it.

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 2.2.2.9 32

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

# Create VPN instance vpn1, and configure the RD and route target attributes for it.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 11:11

[PE1-vpn-instance-vpn1] vpn-target 3:3 import-extcommunity

[PE1-vpn-instance-vpn1] vpn-target 3:3 export-extcommunity

[PE1-vpn-instance-vpn1] quit

# Associate interface VLAN-interface 12 with VPN instance vpn1, and specify the IPv6 address for the interface.

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip binding vpn-instance vpn1

[PE1-Vlan-interface12] ipv6 address 2001::1 64

[PE1-Vlan-interface12] quit

# Start BGP.

[PE1] bgp 100

# Enable the capability to advertise labeled routes to and receive labeled routes from the IBGP peer 3.3.3.9.

[PE1-bgp] peer 3.3.3.9 as-number 100

[PE1-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE1-bgp] address-family ipv4 unicast

[PE1-bgp-ipv4] peer 3.3.3.9 enable

[PE1-bgp-ipv4] peer 3.3.3.9 label-route-capability

[PE1-bgp-ipv4] quit

# Configure the maximum hop count from PE 1 to EBGP peer 5.5.5.9 as 10.

[PE1-bgp] peer 5.5.5.9 as-number 600

[PE1-bgp] peer 5.5.5.9 connect-interface loopback 0

[PE1-bgp] peer 5.5.5.9 ebgp-max-hop 10

# Configure peer 5.5.5.9 as a VPNv6 peer.

[PE1-bgp] address-family vpnv6

[PE1-bgp-vpnv6] peer 5.5.5.9 enable

[PE1-bgp-vpnv6] quit

# Establish an EBGP peer relationship with CE 1, and add the learned BGP routes to the routing table of VPN instance vpn1.

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] peer 2001::2 as-number 65001

[PE1-bgp-vpn1] address-family ipv6 unicast

[PE1-bgp-ipv6-vpn1] peer 2001::2 enable

[PE1-bgp-ipv6-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

3. Configure ASBR-PE 1:

# Start IS-IS on ASBR-PE 1.

<ASBR-PE1> system-view

[ASBR-PE1] isis 1

[ASBR-PE1-isis-1] network-entity 10.222.222.222.222.00

[ASBR-PE1-isis-1] quit

# Configure an LSR ID, and enable MPLS and LDP.

[ASBR-PE1] mpls lsr-id 3.3.3.9

[ASBR-PE1] mpls ldp

[ASBR-PE1-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[ASBR-PE1] interface vlan-interface 11

[ASBR-PE1-Vlan-interface11] ip address 1.1.1.1 255.0.0.0

[ASBR-PE1-Vlan-interface11] isis enable 1

[ASBR-PE1-Vlan-interface11] mpls enable

[ASBR-PE1-Vlan-interface11] mpls ldp enable

[ASBR-PE1-Vlan-interface11] quit

# Configure interface VLAN-interface 12, and enable MPLS on it.

[ASBR-PE1] interface vlan-interface 12

[ASBR-PE1-Vlan-interface12] ip address 11.0.0.2 255.0.0.0

[ASBR-PE1-Vlan-interface12] mpls enable

[ASBR-PE1-Vlan-interface12] quit

# Configure interface Loopback 0, and start IS-IS on it.

[ASBR-PE1] interface loopback 0

[ASBR-PE1-LoopBack0] ip address 3.3.3.9 32

[ASBR-PE1-LoopBack0] isis enable 1

[ASBR-PE1-LoopBack0] quit

# Create routing policies.

[ASBR-PE1] route-policy policy1 permit node 1

[ASBR-PE1-route-policy-policy1-1] apply mpls-label

[ASBR-PE1-route-policy-policy1-1] quit

[ASBR-PE1] route-policy policy2 permit node 1

[ASBR-PE1-route-policy-policy2-1] if-match mpls-label

[ASBR-PE1-route-policy-policy2-1] apply mpls-label

[ASBR-PE1-route-policy-policy2-1] quit

# Start BGP on ASBR-PE 1 and apply routing policy policy2 to routes advertised to IBGP peer 2.2.2.9

[ASBR-PE1] bgp 100

[ASBR-PE1-bgp] peer 2.2.2.9 as-number 100

[ASBR-PE1-bgp] peer 2.2.2.9 connect-interface loopback 0

[ASBR-PE1-bgp] address-family ipv4 unicast

[ASBR-PE1-bgp-ipv4] peer 2.2.2.9 enable

[ASBR-PE1-bgp-ipv4] peer 2.2.2.9 route-policy policy2 export

# Enable the capability to advertise labeled routes to and receive labeled routes from IBGP peer 2.2.2.9.

[ASBR-PE1-bgp-ipv4] peer 2.2.2.9 label-route-capability

# Redistribute routes from IS-IS process 1.

[ASBR-PE1-bgp-ipv4] import-route isis 1

[ASBR-PE1-bgp-ipv4] quit

# Apply routing policy policy1 to routes advertised to EBGP peer 11.0.0.1.

[ASBR-PE1-bgp] peer 11.0.0.1 as-number 600

[ASBR-PE1-bgp] address-family ipv4 unicast

[ASBR-PE1-bgp-ipv4] peer 11.0.0.1 enable

[ASBR-PE1-bgp-ipv4] peer 11.0.0.1 route-policy policy1 export

# Enable the capability to advertise labeled routes to and receive labeled routes from EBGP peer 11.0.0.1.

[ASBR-PE1-bgp-ipv4] peer 11.0.0.1 label-route-capability

[ASBR-PE1-bgp-ipv4] quit

[ASBR-PE1-bgp] quit

4. Configure ASBR-PE 2:

# Start IS-IS on ASBR-PE 2.

<ASBR-PE2> system-view

[ASBR-PE2] isis 1

[ASBR-PE2-isis-1] network-entity 10.333.333.333.333.00

[ASBR-PE2-isis-1] quit

# Configure an LSR ID, and enable MPLS and LDP.

[ASBR-PE2] mpls lsr-id 4.4.4.9

[ASBR-PE2] mpls ldp

[ASBR-PE2-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[ASBR-PE2] interface vlan-interface 11

[ASBR-PE2-Vlan-interface11] ip address 9.1.1.1 255.0.0.0

[ASBR-PE2-Vlan-interface11] isis enable 1

[ASBR-PE2-Vlan-interface11] mpls enable

[ASBR-PE2-Vlan-interface11] mpls ldp enable

[ASBR-PE2-Vlan-interface11] quit

# Configure interface Loopback 0, and start IS-IS on it.

[ASBR-PE2] interface loopback 0

[ASBR-PE2-LoopBack0] ip address 4.4.4.9 32

[ASBR-PE2-LoopBack0] isis enable 1

[ASBR-PE2-LoopBack0] quit

# Configure interface VLAN-interface 12, and enable MPLS on it.

[ASBR-PE2] interface vlan-interface 12

[ASBR-PE2-Vlan-interface12] ip address 11.0.0.1 255.0.0.0

[ASBR-PE2-Vlan-interface12] mpls enable

[ASBR-PE2-Vlan-interface12] quit

# Create routing policies.

[ASBR-PE2] route-policy policy1 permit node 1

[ASBR-PE2-route-policy-policy1-1] apply mpls-label

[ASBR-PE2-route-policy-policy1-1] quit

[ASBR-PE2] route-policy policy2 permit node 1

[ASBR-PE2-route-policy-policy2-1] if-match mpls-label

[ASBR-PE2-route-policy-policy2-1] apply mpls-label

[ASBR-PE2-route-policy-policy2-1] quit

# Start BGP on ASBR-PE 2, and enable the capability to advertise labeled routes to and receive labeled routes from IBGP peer 5.5.5.9.

[ASBR-PE2] bgp 600

[ASBR-PE2-bgp] peer 5.5.5.9 as-number 600

[ASBR-PE2-bgp] peer 5.5.5.9 connect-interface loopback 0

[ASBR-PE2-bgp] address-family ipv4 unicast

[ASBR-PE2-bgp-ipv4] peer 5.5.5.9 enable

[ASBR-PE2-bgp-ipv4] peer 5.5.5.9 label-route-capability

# Apply routing policy policy2 to routes advertised to IBGP peer 5.5.5.9.

[ASBR-PE2-bgp-ipv4] peer 5.5.5.9 route-policy policy2 export

# Redistribute routes from IS-IS process 1

[ASBR-PE2-bgp-ipv4] import-route isis 1

[ASBR-PE2-bgp-ipv4] quit

# Apply routing policy policy1 to routes advertised to EBGP peer 11.0.0.2.

[ASBR-PE2-bgp] peer 11.0.0.2 as-number 100

[ASBR-PE2-bgp] address-family ipv4 unicast

[ASBR-PE2-bgp-ipv4] peer 11.0.0.2 enable

[ASBR-PE2-bgp-ipv4] peer 11.0.0.2 route-policy policy1 export

# Enable the capability to advertise labeled routes to and receive labeled routes from EBGP peer 11.0.0.2.

[ASBR-PE2-bgp-ipv4] peer 11.0.0.2 label-route-capability

[ASBR-PE2-bgp-ipv4] quit

[ASBR-PE2-bgp] quit

5. Configure PE 2:

# Start IS-IS on PE 2.

<PE2> system-view

[PE2] isis 1

[PE2-isis-1] network-entity 10.444.444.444.444.00

[PE2-isis-1] quit

# Configure an LSR ID, and enable MPLS and LDP.

[PE2] mpls lsr-id 5.5.5.9

[PE2] mpls ldp

[PE2-ldp] quit

# Configure interface VLAN-interface 11, and enable IS-IS, MPLS, and LDP on the interface.

[PE2] interface vlan-interface 11

[PE2-Vlan-interface11] ip address 9.1.1.2 255.0.0.0

[PE2-Vlan-interface11] isis enable 1

[PE2-Vlan-interface11] mpls enable

[PE2-Vlan-interface11] mpls ldp enable

[PE2-Vlan-interface11] quit

# Configure interface Loopback 0, and start IS-IS on it.

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 5.5.5.9 32

[PE2-LoopBack0] isis enable 1

[PE2-LoopBack0] quit

# Create VPN instance vpn1, and configure the RD and route target attributes for it.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 11:11

[PE2-vpn-instance-vpn1] vpn-target 3:3 import-extcommunity

[PE2-vpn-instance-vpn1] vpn-target 3:3 export-extcommunity

[PE2-vpn-instance-vpn1] quit

# Associate interface VLAN-interface 12 with VPN instance vpn1, and specify the IPv6 address for the interface.

[PE2] interface vlan-interface 12

[PE2-Vlan-interface12] ip binding vpn-instance vpn1

[PE2-Vlan-interface12] ipv6 address 2002::1 64

[PE2-Vlan-interface12] quit

# Start BGP on PE 2.

[PE2] bgp 600

# Configure the capability to advertise labeled routes to IBGP peer 4.4.4.9 and to receive labeled routes from the peer.

[PE2-bgp] peer 4.4.4.9 as-number 600

[PE2-bgp] peer 4.4.4.9 connect-interface loopback 0

[PE2-bgp] address-family ipv4 unicast

[PE2-bgp-ipv4] peer 4.4.4.9 enable

[PE2-bgp-ipv4] peer 4.4.4.9 label-route-capability

[PE2-bgp-ipv4] quit

# Configure the maximum hop count from PE 2 to EBGP peer 2.2.2.9 as 10.

[PE2-bgp] peer 2.2.2.9 as-number 100

[PE2-bgp] peer 2.2.2.9 connect-interface loopback 0

[PE2-bgp] peer 2.2.2.9 ebgp-max-hop 10

# Configure peer 2.2.2.9 as a VPNv6 peer.

[PE2-bgp] address-family vpnv6

[PE2-bgp-vpnv6] peer 2.2.2.9 enable

[PE2-bgp-vpnv6] quit

# Establish an EBGP peer relationship with CE 2, and add the learned BGP routes to the routing table of VPN instance vpn1.

[PE2-bgp] ip vpn-instance vpn1

[PE2-bgp-vpn1] peer 2002::2 as-number 65002

[PE2-bgp-vpn1] address-family ipv6 unicast

[PE2-bgp-ipv6-vpn1] peer 2002::2 enable

[PE2-bgp-ipv6-vpn1] quit

[PE2-bgp-vpn1] quit

[PE2-bgp] quit

6. Configure CE 2:

# Configure an IPv6 address for VLAN-interface 12.

<CE2> system-view

[CE2] interface vlan-interface 12

[CE2-Vlan-interface12] ipv6 address 2002::2 64

[CE2-Vlan-interface12] quit

# Establish an EBGP peer relationship with PE 2, and redistribute VPN routes.

[CE2] bgp 65002

[CE2-bgp] peer 2002::1 as-number 600

[CE2-bgp] address-family ipv6 unicast

[CE2-bgp-ipv6] peer 2002::1 enable

[CE2-bgp-ipv6] import-route direct

[CE2-bgp-ipv6] quit

[CE2-bgp] quit

Verifying the configuration

# Execute the display ipv6 routing table command on CE 1 and CE 2 to verify that CE 1 and CE 2 have a route to each other. Verify that CE 1 and CE 2 can ping each other. (Details not shown.)

Configuring IPv6 MPLS L3VPN carrier's carrier in the same AS

Network requirements

Configure carrier's carrier for the scenario shown in Figure 37. In this scenario:

· PE 1 and PE 2 are the provider carrier's PE switches. They provide VPN services for the customer carrier.

· CE 1 and CE 2 are the customer carrier's switches. They connect to the provider carrier's backbone as CE switches.

· PE 3 and PE 4 are the customer carrier's PE switches. They provide IPv6 MPLS L3VPN services for end customers.

· CE 3 and CE 4 are customers of the customer carrier.

· The customer carrier and the provider carrier reside in the same AS.

The key to the carrier's carrier deployment is to configure exchange of two kinds of routes:

· Exchange of the customer carrier's internal routes on the provider carrier's backbone.

· Exchange of the end customers' internal routes between PE 3 and PE 4, the PEs of the customer carrier. An MP-IBGP peer relationship must be established between PE 3 and PE 4.

Figure 37 Network diagram

Configuration procedure

1. Configure MPLS L3VPN on the provider carrier backbone. Start IS-IS as the IGP, enable LDP on PE 1 and PE 2, and establish an MP-IBGP peer relationship between the PEs:

# Configure PE 1.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 3.3.3.9 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 3.3.3.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] isis 1

[PE1-isis-1] network-entity 10.0000.0000.0000.0004.00

[PE1-isis-1] quit

[PE1] interface loopback 0

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip address 30.1.1.1 24

[PE1-Vlan-interface12] isis enable 1

[PE1-Vlan-interface12] mpls enable

[PE1-Vlan-interface12] mpls ldp enable

[PE1-Vlan-interface12] mpls ldp transport-address interface

[PE1-Vlan-interface12] quit

[PE1] bgp 100

[PE1-bgp] peer 4.4.4.9 as-number 100

[PE1-bgp] peer 4.4.4.9 connect-interface loopback 0

[PE1-bgp] address-family vpnv4

[PE1-bgp-vpnv4] peer 4.4.4.9 enable

[PE1-bgp-vpnv4] quit

[PE1-bgp] quit

# Configure PE 2 in the same way that PE 1 is configured. (Details not shown.)

# On PE 1 or PE 2, execute the following commands:

¡ Execute the display mpls ldp peer command to verify that an LDP session in Operational state has been established between PE 1 and PE 2. (Details not shown.)

¡ Execute the display bgp peer vpnv4 command to verify that a BGP peer relationship in Established state has been established between PE 1 and PE 2. (Details not shown.)

¡ Execute the display isis peer command to verify that the IS-IS neighbor relationship has been established between PE 1 and PE 2. (Details not shown.)

2. Configure the customer carrier network. Start IS-IS as the IGP, and enable LDP between PE 3 and CE 1, and between PE 4 and CE 2:

# Configure PE 3.

<PE3> system-view

[PE3] interface loopback 0

[PE3-LoopBack0] ip address 1.1.1.9 32

[PE3-LoopBack0] quit

[PE3] mpls lsr-id 1.1.1.9

[PE3] mpls ldp

[PE3-ldp] quit

[PE3] isis 2

[PE3-isis-2] network-entity 10.0000.0000.0000.0001.00

[PE3-isis-2] quit

[PE3] interface loopback 0

[PE3-LoopBack0] isis enable 2

[PE3-LoopBack0] quit

[PE3] interface vlan-interface 12

[PE3-Vlan-interface12] ip address 10.1.1.1 24

[PE3-Vlan-interface12] isis enable 2

[PE3-Vlan-interface12] mpls enable

[PE3-Vlan-interface12] mpls ldp enable

[PE3-Vlan-interface12] mpls ldp transport-address interface

[PE3-Vlan-interface12] quit

# Configure CE 1.

<CE1> system-view

[CE1] interface loopback 0

[CE1-LoopBack0] ip address 2.2.2.9 32

[CE1-LoopBack0] quit

[CE1] mpls lsr-id 2.2.2.9

[CE1] mpls ldp

[CE1-ldp] quit

[CE1] isis 2

[CE1-isis-2] network-entity 10.0000.0000.0000.0002.00

[CE1-isis-2] quit

[CE1] interface loopback 0

[CE1-LoopBack0] isis enable 2

[CE1-LoopBack0] quit

[CE1] interface vlan-interface 12

[CE1-Vlan-interface12] ip address 10.1.1.2 24

[CE1-Vlan-interface12] isis enable 2

[CE1-Vlan-interface12] mpls enable

[CE1-Vlan-interface12] mpls ldp enable

[CE1-Vlan-interface12] mpls ldp transport-address interface

[CE1-Vlan-interface12] quit

PE 3 and CE 1 can establish an LDP session and IS-IS neighbor relationship between them.

# Configure PE 4 and CE 2 in the same way that PE 3 and CE 1 are configured. (Details not shown.)

3. Connect the customer carrier and the provider carrier:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 200:1

[PE1-vpn-instance-vpn1] vpn-target 1:1

[PE1-vpn-instance-vpn1] quit

[PE1] mpls ldp

[PE1-ldp] vpn-instance vpn1

[PE1-ldp-vpn-instance-vpn1] quit

[PE1-ldp] quit

[PE1] isis 2 vpn-instance vpn1

[PE1-isis-2] network-entity 10.0000.0000.0000.0003.00

[PE1-isis-2] address-family ipv4

[PE1-isis-2-ipv4] import-route bgp allow-ibgp

[PE1-isis-2-ipv4] quit

[PE1-isis-2] quit

[PE1] interface vlan-interface11

[PE1-Vlan-interface11] ip binding vpn-instance vpn1

[PE1-Vlan-interface11] ip address 11.1.1.2 24

[PE1-Vlan-interface11] isis enable 2

[PE1-Vlan-interface11] mpls enable

[PE1-Vlan-interface11] mpls ldp enable

[PE1-Vlan-interface11] mpls ldp transport-address interface

[PE1-Vlan-interface11] quit

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] address-family ipv4 unicast

[PE1-bgp-ipv4-vpn1] import isis 2

[PE1-bgp-ipv4-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Configure CE 1.

[CE1] interface vlan-interface11

[CE1-Vlan-interface11] ip address 11.1.1.1 24

[CE1-Vlan-interface11] isis enable 2

[CE1-Vlan-interface11] mpls enable

[CE1-Vlan-interface11] mpls ldp enable

[CE1-Vlan-interface11] mpls ldp transport-address interface

[CE1-Vlan-interface11] quit

PE 1 and CE 1 can establish an LDP session and IS-IS neighbor relationship between them.

# Configure PE 2 and CE 2 in the same way that PE 1 and CE 1 are configured. (Details not shown.)

4. Connect end customers and the customer carrier:

# Configure CE 3.

<CE3> system-view

[CE3] interface vlan-interface11

[CE3-Vlan-interface11] ipv6 address 2001:1::1 96

[CE3-Vlan-interface11] quit

[CE3] bgp 65410

[CE3-bgp] peer 2001:1::2 as-number 100

[CE3-bgp] address-family ipv6

[CE3-bgp-ipv6] peer 2001:1::2 enable

[CE3-bgp-ipv6] import-route direct

[CE3-bgp-ipv6] quit

[CE3-bgp] quit

# Configure PE 3.

[PE3] ip vpn-instance vpn1

[PE3-vpn-instance-vpn1] route-distinguisher 100:1

[PE3-vpn-instance-vpn1] vpn-target 1:1

[PE3-vpn-instance-vpn1] quit

[PE3] interface Vlan-interface11

[PE3-Vlan-interface11] ip binding vpn-instance vpn1

[PE3-Vlan-interface11] ipv6 address 2001:1::2 96

[PE3-Vlan-interface11] quit

[PE3] bgp 100

[PE3-bgp] ip vpn-instance vpn1

[PE3-bgp-vpn1] peer 2001:1::1 as-number 65410

[PE3-bgp-vpn1] address-family ipv6 unicast

[PE3-bgp-ipv6-vpn1] peer 2001:1::1 enable

[PE3-bgp-ipv6-vpn1] quit

[PE3-bgp-vpn1] quit

[PE3-bgp] quit

# Configure PE 4 and CE 4 in the same way that PE 3 and CE 3 are configured. (Details not shown.)

5. Establish an MP-IBGP peer relationship between PEs of the customer carrier to exchange the VPN routes of the customer carrier's customers:

# Configure PE 3.

[PE3] bgp 100

[PE3-bgp] peer 6.6.6.9 as-number 100

[PE3-bgp] peer 6.6.6.9 connect-interface loopback 0

[PE3-bgp] address-family vpnv6

[PE3-bgp-vpnv6] peer 6.6.6.9 enable

[PE3-bgp-vpnv6] quit

[PE3-bgp] quit

# Configure PE 3 in the same way that PE 3 is configured. (Details not shown.)

Verifying the configuration

1. Display the public network routing table and VPN routing table on the provider carrier PEs, for example, on PE 1:

# Verify that the public network routing table contains only routes of the provider carrier network.

[PE1] display ip routing-table

Destinations : 14 Routes : 14

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

3.3.3.9/32 Direct 0 0 127.0.0.1 InLoop0

4.4.4.9/32 ISIS 15 10 30.1.1.2 Vlan12

30.1.1.0/24 Direct 0 0 30.1.1.1 Vlan12

30.1.1.0/32 Direct 0 0 30.1.1.1 Vlan12

30.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

30.1.1.255/32 Direct 0 0 30.1.1.1 Vlan12

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that the VPN routing table contains the internal routes of the customer carrier network.

[PE1] display ip routing-table vpn-instance vpn1

Destinations : 18 Routes : 18

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

1.1.1.9/32 ISIS 15 20 11.1.1.1 Vlan11

2.2.2.9/32 ISIS 15 10 11.1.1.1 Vlan11

5.5.5.9/32 BGP 255 10 4.4.4.9 Vlan12

6.6.6.9/32 BGP 255 20 4.4.4.9 Vlan12

10.1.1.0/24 ISIS 15 20 11.1.1.1 Vlan11

11.1.1.0/24 Direct 0 0 11.1.1.2 Vlan11

11.1.1.0/32 Direct 0 0 11.1.1.2 Vlan11

11.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.255/32 Direct 0 0 11.1.1.2 Vlan11

20.1.1.0/24 BGP 255 20 4.4.4.9 Vlan12

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

2. Display the routing table on the customer carrier CEs, for example, on CE 1:

# Verify that the routing table contains the internal routes of the customer carrier network.

[CE1] display ip routing-table

Destinations : 21 Routes : 21

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

1.1.1.9/32 ISIS 15 10 10.1.1.1 Vlan12

2.2.2.9/32 Direct 0 0 127.0.0.1 InLoop0

5.5.5.9/32 ISIS 15 74 11.1.1.2 Vlan11

6.6.6.9/32 ISIS 15 74 11.1.1.2 Vlan11

10.1.1.0/24 Direct 0 0 10.1.1.2 Vlan12

10.1.1.0/32 Direct 0 0 10.1.1.2 Vlan12

10.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.255/32 Direct 0 0 10.1.1.2 Vlan12

11.1.1.0/24 Direct 0 0 11.1.1.1 Vlan11

11.1.1.0/32 Direct 0 0 11.1.1.1 Vlan11

11.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.255/32 Direct 0 0 11.1.1.1 Vlan11

20.1.1.0/24 ISIS 15 74 11.1.1.2 Vlan11

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

3. Display the public network routing table and VPN routing table on the customer carrier PEs, for example, on PE 3:

# Verify that the public network routing table contains the internal routes of the customer carrier network.

[PE3] display ip routing-table

Destinations : 18 Routes : 18

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

1.1.1.9/32 Direct 0 0 127.0.0.1 InLoop0

2.2.2.9/32 ISIS 15 10 10.1.1.2 Vlan12

5.5.5.9/32 ISIS 15 84 10.1.1.2 Vlan12

6.6.6.9/32 ISIS 15 84 10.1.1.2 Vlan12

10.1.1.0/24 Direct 0 0 10.1.1.1 Vlan12

10.1.1.0/32 Direct 0 0 10.1.1.1 Vlan12

10.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.255/32 Direct 0 0 10.1.1.1 Vlan12

11.1.1.0/24 ISIS 15 20 10.1.1.2 Vlan12

20.1.1.0/24 ISIS 15 84 10.1.1.2 Vlan12

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that the VPN routing table contains the remote VPN route.

[PE3] display ipv6 routing-table vpn-instance vpn1

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:1::/96 Protocol : Direct

NextHop : :: Preference: 0

Interface : Vlan11 Cost : 0

Destination: 2001:1::2/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:2::/96 Protocol : BGP4+

NextHop : ::FFFF:6.6.6.9 Preference: 255

Interface : Vlan12 Cost : 0

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : InLoop0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

4. Verify that PE 3 and PE 4 can ping each other. (Details not shown.)

5. Verify that CE 3 and CE 4 can ping each other. (Details not shown.)

Configuring an OSPFv3 sham link

Network requirements

As shown in Figure 38, CE 1 and CE 2 belong to VPN 1. Configure an OSPFv3 sham link between PE 1 and PE 2 so traffic between CE 1 and CE 2 is forwarded through the MPLS backbone, instead of the backdoor link.

Figure 38 Network diagram

Table 16 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Vlan-int11	100::1/64	CE 2	Vlan-int11	120::1/64
	Vlan-int13	20::1/64		Vlan-int12	30::2/64
PE 1	Loop0	1.1.1.9/32	PE 2	Loop0	2.2.2.9/32
	Loop1	3::3/128		Loop1	5::5/128
	Vlan-int11	100::2/64		Vlan-int11	120::2/64
	Vlan-int12	10.1.1.1/24		Vlan-int12	10.1.1.2/24
Switch A	Vlan-int11	30::1/64
	Vlan-int12	20::2/64

Configuration procedure

1. Configure OSPFv3 on the customer networks.

Configure conventional OSPFv3 on CE 1, Switch A, and CE 2 to advertise subnet addresses of the interfaces as shown in Figure 38. Set the cost value to 2 for both the link between CE 1 and Switch A, and the link between CE 2 and Switch A. Execute the display ipv6 routing-table command to verify that CE 1 and CE 2 have each learned the OSPFv3 route to VLAN-interface 11 of the other. (Details not shown.)

2. Configure IPv6 MPLS L3VPN on the backbone:

# Configure basic MPLS and MPLS LDP on PE 1 to establish LDP LSPs.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 1.1.1.9 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] interface vlan-interface 12

[PE1-Vlan-interface12] ip address 10.1.1.1 24

[PE1-Vlan-interface12] mpls enable

[PE1-Vlan-interface12] mpls ldp enable

[PE1-Vlan-interface12] quit

# Configure PE 1 to take PE 2 as an MP-IBGP peer.

[PE1] bgp 100

[PE1-bgp] peer 2.2.2.9 as-number 100

[PE1-bgp] peer 2.2.2.9 connect-interface loopback 0

[PE1-bgp] address-family vpnv6

[PE1-bgp-vpnv6] peer 2.2.2.9 enable

[PE1-bgp-vpnv6] quit

[PE1-bgp] quit

# Configure OSPF on PE 1.

[PE1] ospf 1

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

# Configure basic MPLS and MPLS LDP on PE 2 to establish LDP LSPs.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 2.2.2.9 32

[PE2-LoopBack0] quit

[PE2] mpls lsr-id 2.2.2.9

[PE2] mpls ldp

[PE2-ldp] quit

[PE2] interface vlan-interface 12

[PE2-Vlan-interface12] ip address 10.1.1.2 24

[PE2-Vlan-interface12] mpls enable

[PE2-Vlan-interface12] mpls ldp enable

[PE2-Vlan-interface12] quit

# Configure PE 2 to take PE 1 as an MP-IBGP peer.

[PE2] bgp 100

[PE2-bgp] peer 1.1.1.9 as-number 100

[PE2-bgp] peer 1.1.1.9 connect-interface loopback 0

[PE2-bgp] address-family vpnv6

[PE2-bgp-vpnv6] peer 1.1.1.9 enable

[PE2-bgp-vpnv6] quit

[PE2-bgp] quit

# Configure OSPF on PE 2.

[PE2] ospf 1

[PE2-ospf-1] area 0

[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

3. Configure PEs to allow CE access:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 1:1

[PE1-vpn-instance-vpn1] quit

[PE1] interface vlan-interface 11

[PE1-Vlan-interface11] ip binding vpn-instance vpn1

[PE1-Vlan-interface11] ipv6 address 100::2 64

[PE1-Vlan-interface11] ospfv3 100 area 1

[PE1-Vlan-interface11] quit

[PE1] ospfv3 100

[PE1-ospfv3-100] router-id 100.1.1.1

[PE1-ospfv3-100] domain-id 10

[PE1-ospfv3-100] quit

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] address-family ipv6 unicast

[PE1-bgp-ipv6-vpn1] import-route ospfv3 100

[PE1-bgp-ipv6-vpn1] import-route direct

[PE1-bgp-ipv6-vpn1] quit

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 100:2

[PE2-vpn-instance-vpn1] vpn-target 1:1

[PE2-vpn-instance-vpn1] quit

[PE2] interface vlan-interface 11

[PE2-Vlan-interface11] ip binding vpn-instance vpn1

[PE2-Vlan-interface11] ipv6 address 120::2 64

[PE2-Vlan-interface11] ospfv3 100 area 1

[PE2-Vlan-interface11] quit

[PE2] ospfv3 100

[PE2-ospfv3-100] router-id 120.1.1.1

[PE2-ospfv3-100] domain-id 10

[PE2-ospfv3-100] quit

[PE2] bgp 100

[PE2-bgp] ip vpn-instance vpn1

[PE2-bgp-vpn1] address-family ipv6 unicast

[PE2-bgp-ipv6-vpn1] import-route ospfv3 100

[PE2-bgp-ipv6-vpn1] import-route direct

[PE2-bgp-ipv6-vpn1] quit

[PE2-bgp-vpn1] quit

[PE2-bgp] quit

# Execute the display ipv6 routing-table vpn-instance command on the PEs to verify that the path to the peer CE is along the OSPFv3 route across the customer networks, instead of the IPv6 BGP route across the backbone. (Details not shown.)

4. Configure a sham link:

# Configure PE 1.

[PE1] interface loopback 1

[PE1-LoopBack1] ip binding vpn-instance vpn1

[PE1-LoopBack1] ipv6 address 3::3 128

[PE1-LoopBack1] quit

[PE1] ospfv3 100

[PE1-ospfv3-100] area 1

[PE1-ospfv3-100-area-0.0.0.1] sham-link 3::3 5::5

[PE1-ospfv3-100-area-0.0.0.1] quit

[PE1-ospfv3-100] quit

# Configure PE 2.

[PE2] interface loopback 1

[PE2-LoopBack1] ip binding vpn-instance vpn1

[PE2-LoopBack1] ipv6 address 5::5 128

[PE2-LoopBack1] quit

[PE2] ospfv3 100

[PE2-ospfv3-100] area 1

[PE2-ospfv3-100-area-0.0.0.1] sham-link 5::5 3::3

[PE2-ospfv3-100-area-0.0.0.1] quit

[PE2-ospfv3-100] quit

Verifying the configuration

# Execute the display ipv6 routing-table vpn-instance command on the PEs to verify the following results: (Details not shown.)

· The path to the peer CE is now along the IPv6 BGP route across the backbone.

· A route to the sham link destination address exists.

# Execute the display ipv6 routing-table command on the CEs to verify that the next hop of the OSPFv3 route to the peer CE is the VLAN interface connected to the PE. The VPN traffic to the peer is forwarded over the backbone. (Details not shown.)

# Verify that a sham link has been established on PEs, for example, on PE 1.

[PE1] display ospfv3 sham-link

OSPFv3 Process 100 with Router ID 100.1.1.1

Sham-link (Area: 0.0.0.1)

Neighbor ID State Instance ID Destination address

120.1.1.1 P-2-P 0 5::5

# Verify that the peer state is Full on PE 1.

[PE1] display ospfv3 sham-link verbose

OSPFv3 Process 100 with Router ID 100.1.1.1

Sham-link (Area: 0.0.0.1)

Source : 3::3

Destination : 5::5

Interface ID: 2147483649

Neighbor ID : 120.1.1.1, Neighbor state: Full

Cost: 1 State: P-2-P Type: Sham Instance ID: 0

Timers: Hello 10, Dead 40, Retransmit 5, Transmit delay 1

Request list: 0 Retransmit list: 0

Configuring BGP AS number substitution

Network requirements

As shown in Figure 39, CE 1 and CE 2 belong to VPN 1, and are connected to PE 1 and PE 2. The two CEs have the same AS number, 600. Configure BGP AS number substitution on the PEs to avoid route loss.

Figure 39 Network diagram

Table 17 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Vlan-int11	10:1::2/96	P	Loop0	2.2.2.9/32
	Vlan-int12	100::1/96		Vlan-int11	30.1.1.1/24
PE 1	Loop0	10.1.1.1/32		Vlan-int12	20.1.1.2/24
	Vlan-int11	10:1::1/96	PE 2	Loop0	10.1.1.2/32
	Vlan-int12	20.1.1.1/24		Vlan-int11	30.1.1.2/96
CE 2	Vlan-int12	10:2::2/96		Vlan-int12	10:2::1/24
	Vlan-int13	200::1/96

Configuration procedure

1. Configuring basic IPv6 MPLS L3VPN:

¡ Configure OSPF on the MPLS backbone to allow the PEs and P device to learn the routes of the loopback interfaces from each other.

¡ Configure basic MPLS and MPLS LDP on the MPLS backbone to establish LDP LSPs.

¡ Establish an MP-IBGP peer relationship between the PEs to advertise VPN IPv6 routes.

¡ Configure the VPN instance of VPN 1 on PE 1 to allow CE 1 to access the network.

¡ Configure the VPN instance of VPN 1 on PE 2 to allow CE 2 to access the network.

¡ Configure BGP as the PE-CE routing protocol, and redistribute routes of the CEs into the PEs.

For more information about basic IPv6 MPLS L3VPN configurations, see "Configuring IPv6 MPLS L3VPNs."

# Execute the display ipv6 routing-table command on CE 2 to verify that CE 2 has not learned the route to the VPN (100::/96) behind CE 1.

<CE2> display ipv6 routing-table

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 10:2::/96 Protocol : Direct

NextHop : :: Preference: 0

Interface : Vlan-int12 Cost : 0

Destination: 10:2::2/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 200::/96 Protocol : Static

NextHop : :: Preference: 60

Interface : NULL0 Cost : 0

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

# Execute the display ipv6 routing-table command on CE 1 to verify that CE 1 has not learned the route to the VPN behind CE 2. (Details not shown.)

# Execute the display ipv6 routing-table vpn-instance command on the PEs. The output shows the route to the VPN behind the peer CE. This example uses PE 2.

<PE2> display ipv6 routing-table vpn-instance vpn1

Destinations : 7 Routes : 7

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 10:2::/96 Protocol : Direct

NextHop : :: Preference: 0

Interface : Vlan-int12 Cost : 0

Destination: 10:2::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 100::/96 Protocol : BGP4+

NextHop : ::FFFF:10.1.1.1 Preference: 255

Interface : Vlan-int11 Cost : 0

Destination: 200::/96 Protocol : BGP4+

NextHop : 10:2::2 Preference: 255

Interface : Vlan-int12 Cost : 0

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

# Enable BGP update packet debugging on PE 2. The output shows that PE 2 has advertised the route to 100::/96, and the AS_PATH is 100 600.

<PE2> terminal monitor

<PE2> terminal logging level 7

<PE2> debugging bgp update vpn-instance vpn1 10:2::2 ipv6

<PE2> refresh bgp all export ipv6 vpn-instance vpn1

*Jun 13 16:12:52:096 2012 PE2 BGP/7/DEBUG: -MDC=1;

BGP_IPV6.vpn1: Send UPDATE to update-group 0 for following destinations:

Origin : Incomplete

AS path : 100 600

Next hop : ::FFFF:10.1.1.1

100::/96,

*Jun 13 16:12:53:024 2012 PE2 BGP/7/DEBUG: -MDC=1;

BGP.vpn1: Send UPDATE MSG to peer 10:2::2(IPv6-UNC) NextHop: 10:2::1.

# Execute the display bgp routing-table ipv6 peer received-routes command on CE 2 to verify that CE 2 has not received the route to 100::/96.

<CE2> display bgp routing-table ipv6 peer 10:2::1 received-routes

Total number of routes: 0

2. Configure BGP AS number substitution:

# Configure BGP AS number substitution on PE 1.

<PE1> system-view

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] peer 10:1::2 substitute-as

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Configure BGP AS number substitution on PE 2.

<PE2> system-view

[PE2] bgp 100

[PE2-bgp] ip vpn-instance vpn1

[PE2-bgp-vpn1] peer 10:2::2 substitute-as

[PE2-bgp-vpn1] quit

[PE2-bgp] quit

Verifying the configuration

# The output shows that among the routes advertised by PE 2 to CE 2, the AS_PATH of 100::/96 has changed from 100 600 to 100 100.

*Jun 27 18:07:34:420 2013 PE2 BGP/7/DEBUG: -MDC=1;

BGP_IPV6.vpn1: Send UPDATE to peer 10:2::2 for following destinations:

Origin : Incomplete

AS path : 100 100

Next hop : 10:2::1

100::/96,

# Display again the routing information that CE 2 has received, and the routing table. The output shows that CE 2 has learned the route 100::/96.

<CE2> display bgp routing-table ipv6 peer 10:2::1 received-routes

Total number of routes: 1

BGP local router ID is 12.1.1.3

Status codes: * - valid, > - best, d - dampened, h - history,

s - suppressed, S - stale, i - internal, e - external

Origin: i - IGP, e - EGP, ? - incomplete

* >e Network : 100:: PrefixLen : 96

NextHop : 10:2::1 LocPrf :

PrefVal : 0 OutLabel : NULL

MED :

Path/Ogn: 100 100?

<CE2> display ipv6 routing-table

Destinations : 7 Routes : 7

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 10:2::/96 Protocol : Direct

NextHop : :: Preference: 0

Interface : Vlan-int12 Cost : 0

Destination: 10:2::2/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 100::/96 Protocol : BGP4+

NextHop : 10:2::1 Preference: 255

Interface : Vlan-int12 Cost : 0

Destination: 200::/96 Protocol : Static

NextHop : :: Preference: 60

Interface : NULL0 Cost : 0

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

# Verify that VLAN-interface 12 of CE 1 and VLAN-interface 13 of CE 2 can ping each other. (Details not shown.)

Configuring BGP AS number substitution and SoO attribute

Network requirements

CE 1, CE 2, and CE 3 belong to VPN 1, and are connected to PE1, PE 2, and PE 3. CE 1 and CE 2 reside in the same site. CE1, CE2, and CE 3 all use AS number 600.

To avoid route loss, configure BGP AS number substitution on PEs.

To avoid routing loops, configure the same SoO attribute on PE 1 and PE 2 for CE 1 and CE 2.

Figure 40 Network diagram

Table 18 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Loop0	100::1/96	CE 3	Loop0	200::1/96
	Vlan-int2	10:1::1/96		Vlan-int7	10:3::1/96
CE 2	Vlan-int2	10:2::1/96	PE 2	Loop0	2.2.2.9/32
PE 1	Loop0	1.1.1.9/32		Vlan-int2	10:2::2/96
	Vlan-int2	10:1::2/96		Vlan-int4	40.1.1.2/24
	Vlan-int3	30.1.1.1/24		Vlan-int5	50.1.1.1/24
	Vlan-int4	40.1.1.1/24	P	Loop0	3.3.3.9/32
PE 3	Loop0	4.4.4.9/32		Vlan-int3	30.1.1.2/24
	Vlan-int6	60.1.1.2/24		Vlan-int5	50.1.1.2/24
	Vlan-int7	10:3::2/96		Vlan-int6	60.1.1.1/24

Configuration procedure

1. Configure basic IPv6 MPLS L3VPN:

¡ Configure OSPF on the MPLS backbone to allow the PEs and P device to learn the routes of the loopback interfaces from each other.

¡ Configure basic MPLS and MPLS LDP on the MPLS backbone to establish LDP LSPs.

¡ Establish an MP-IBGP peer relationship between the PEs to advertise VPN IPv6 routes.

¡ Configure the VPN instance of VPN 1 on PE 1 to allow CE 1 to access the network.

¡ Configure the VPN instance of VPN 1 on PE 2 to allow CE 2 to access the network.

¡ Configure the VPN instance of VPN 1 on PE 3 to allow CE 3 to access the network.

¡ Configure BGP as the PE-CE routing protocol, and redistribute routes of the CEs into the PEs.

For more information about basic MPLS L3VPN configurations, see "Configuring IPv6 MPLS L3VPNs."

2. Configure BGP AS number substitution:

# Configure BGP AS number substitution on PE 1, PE 2, and PE 3. For more information about the configuration, see "Configuring BGP AS number substitution."

# Display routing information on CE 2. The output shows that CE 2 has learned the route 100::/96 from CE 1. A routing loop has occurred because CE1 and CE 2 reside in the same site.

<CE2> display bgp routing-table ipv6 peer 10:2::2 received-routes

Total number of routes: 2

BGP local router ID is 12.1.1.3

Status codes: * - valid, > - best, d - dampened, h - history,

s - suppressed, S - stale, i - internal, e - external

Origin: i - IGP, e - EGP, ? - incomplete

* >e Network : 100:: PrefixLen : 96

NextHop : 10:2::2 LocPrf :

PrefVal : 0 OutLabel : NULL

MED :

Path/Ogn: 100 100?

* >e Network : 200:: PrefixLen : 96

NextHop : 10:2::2 LocPrf :

PrefVal : 0 OutLabel : NULL

MED :

Path/Ogn: 100 100?

3. Configure BGP SoO attribute:

# On PE 1, configure the SoO attribute as 1:100 for CE 1.

<PE1> system-view

[PE1] bgp 100

[PE1-bgp] ip vpn-instance vpn1

[PE1-bgp-vpn1] address-family ipv6

[PE1-bgp-ipv6-vpn1] peer 10:1::1 soo 1:100

# On PE 2, configure the SoO attribute as 1:100 for CE 2.

[PE2] bgp 100

[PE2-bgp] ip vpn-instance vpn1

[PE2-bgp-vpn1] address-family ipv6

[PE2-bgp-ipv6-vpn1] peer 10:2::1 soo 1:100

Verifying the configuration

# PE 2 does not advertise routes received from CE 1 to CE 2 because the same SoO attribute has been configured. Display the routing table of CE 2. The output shows that the route 100::/96 has been removed.

<CE2> display ipv6 routing-table

Destinations : 4 Routes : 4

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 10:2::/96 Protocol : Direct

NextHop : :: Preference: 0

Interface : Vlan-int2 Cost : 0

Destination: 10:2::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 200::/96 Protocol : Static

NextHop : :: Preference: 60

Interface : NULL0 Cost : 0

08-MPLS Configuration Guide

Overview

MPLS L3VPN concepts

Site

VPN instance

VPN-IPv4 address

Route target attribute

MP-BGP

MPLS L3VPN route advertisement

Basic VPN networking scheme

Hub and spoke networking scheme

Extranet networking scheme

Inter-AS VPN

Inter-AS option A

Inter-AS option B

Inter-AS option C

Carrier's carrier

Propagation of routing information

HoVPN

OSPF VPN extension

OSPF for VPNs on a PE

OSPF area configuration between a PE and a CE

BGP/OSPF interaction

Routing loop avoidance

OSPF sham link

BGP AS number substitution and SoO attribute

Protocols and standards

Configuring basic MPLS L3VPN

Configuring VPN instances

Configuring routing between a PE and a CE

Configuring static routing between a PE and a CE

Configuring RIP between a PE and a CE

Configuring OSPF between a PE and a CE

Configuring IS-IS between a PE and a CE

Configuring EBGP between a PE and a CE

Configuring IBGP between a PE and a CE

Configuring routing between PEs

Configuring inter-AS VPN

Configuring inter-AS option A

Configuring a PE

Configuring an ASBR

Configuring nested VPN

Configuring HoVPN

Configuring an OSPF sham link

Configuring a loopback interface

Redistributing the loopback interface address

Creating a sham link

Specifying the VPN label processing mode on the egress PE

Configuring BGP AS number substitution and SoO attribute

Enabling SNMP notifications for MPLS L3VPN

Configuring basic MPLS L3VPN

Network requirements

Configuration procedure

Verifying the configuration

Configuring a hub-spoke network

Network requirements

Configuration procedure

Verifying the configuration

Configuring MPLS L3VPN inter-AS option A

Network requirements

Configuration procedure

Verifying the configuration

Network requirements

Configuration procedure

Verifying the configuration

Network requirements

Configuration procedure

Verifying the configuration

Configuring MPLS L3VPN carrier's carrier in the same AS

Network requirements

Configuration procedure

Verifying the configuration

Configuring MPLS L3VPN carrier's carrier in different ASs

Network requirements

Configuration procedure

Verifying the configuration

Network requirements

Configuration procedure

Verifying the configuration

Network requirements