Multiprotocol Label Switching (MPLS) provides connection-oriented label switching over connectionless IP backbone networks. It integrates both the flexibility of IP routing and the simplicity of Layer 2 switching.

Overview

MPLS has the following features:

· High speed and efficiency—MPLS uses short- and fixed-length labels to forward packets, avoiding complicated routing table lookups.

· Multiprotocol support—MPLS resides between the link layer and the network layer. It can work over various link layer protocols (for example, PPP, ATM, frame relay, and Ethernet) to provide connection-oriented services for various network layer protocols (for example, IPv4, IPv6, and IPX).

· Good scalability—The connection-oriented switching and multilayer label stack features enable MPLS to deliver various extended services, such as VPN, traffic engineering, and QoS.

Basic concepts

FEC

MPLS groups packets with the same characteristics (such as packets with the same destination or service class) into a forwarding equivalence class (FEC). Packets of the same FEC are handled in the same way on an MPLS network.

Label

A label uniquely identifies an FEC and has local significance.

Figure 1 Format of a label

A label is encapsulated between the Layer 2 header and Layer 3 header of a packet. It is four bytes long and consists of the following fields:

· Label—20-bit label value.

· TC—3-bit traffic class, used for QoS. It is also called Exp.

· S—1-bit bottom of stack flag. A label stack can contain multiple labels. The label nearest to the Layer 2 header is called the top label, and the label nearest to the Layer 3 header is called the bottom label. The S field is set to 1 if the label is the bottom label and set to 0 if not.

· TTL—8-bit time to live field used for MPLS loop prevention.

LSR

A router that performs MPLS forwarding is a label switching router (LSR).

LSP

A label switched path (LSP) is the path along which packets of an FEC travel through an MPLS network.

An LSP is a unidirectional packet forwarding path. Two neighboring LSRs are called the upstream LSR and downstream LSR along the direction of an LSP. As shown in Figure 2, LSR B is the downstream LSR of LSR A, and LSR A is the upstream LSR of LSR B.

Figure 2 Label switched path

LFIB

The Label Forwarding Information Base (LFIB) on an MPLS network functions like the Forwarding Information Base (FIB) on an IP network. When an LSR receives a labeled packet, it searches the LFIB to obtain information for forwarding the packet. The information includes the label operation type, the outgoing label value, and the next hop.

Control plane and forwarding plane

An MPLS node consists of a control plane and a forwarding plane.

· Control plane—Assigns labels, distributes FEC-label mappings to neighbor LSRs, creates the LFIB, and establishes and removes LSPs.

· Forwarding plane—Forwards packets according to the LFIB.

MPLS network architecture

An MPLS network has the following types of LSRs:

· Ingress LSR—Ingress LSR of packets. It labels packets entering into the MPLS network.

· Transit LSR—Intermediate LSRs in the MPLS network. The transit LSRs on an LSP forward packets to the egress LSR according to labels.

· Egress LSR—Egress LSR of packets. It removes labels from packets and forwards the packets to their destination networks.

Figure 3 MPLS network architecture

LSP establishment

LSPs include static and dynamic LSPs.

· Static LSP—To establish a static LSP, you must configure an LFIB entry on each LSR along the LSP. Establishing static LSPs consumes fewer resources than establishing dynamic LSPs, but static LSPs cannot automatically adapt to network topology changes. Therefore, static LSPs are suitable for small-scale networks with simple, stable topologies.

· Dynamic LSP—Established by a label distribution protocol (also called an MPLS signaling protocol). A label distribution protocol classifies FECs, distributes FEC-label mappings, and establishes and maintains LSPs. Label distribution protocols include protocols designed specifically for label distribution, such as the Label Distribution Protocol (LDP), and protocols extended to support label distribution, such as MP-BGP and RSVP-TE.

In this document, the term "label distribution protocols" refers to all protocols for label distribution. The term "LDP" refers to the RFC 5036 LDP.

A dynamic LSP is established in the following steps:

1. A downstream LSR classifies FECs according to destination addresses.

2. The downstream LSR assigns a label for each FEC, and distributes the FEC-label binding to its upstream LSR.

3. The upstream LSR establishes an LFIB entry for the FEC according to the binding information.

After all LSRs along the LSP establish an LFIB entry for the FEC, a dynamic LSP is established for the packets of this FEC.

Figure 4 Dynamic LSP establishment

MPLS forwarding

As shown in Figure 5, a packet is forwarded over the MPLS network as follows:

1. Router B (the ingress LSR) receives a packet with no label. Then, it performs the following operations:

a. Identifies the FIB entry that matches the destination address of the packet.

b. Adds the outgoing label (40, in this example) to the packet.

c. Forwards the labeled packet out of the interface GigabitEthernet 1/0/2 to the next hop LSR Router C.

2. When receiving the labeled packet, Router C processes the packet as follows:

a. Identifies the LFIB entry that has an incoming label of 40.

b. Uses the outgoing label 50 of the entry to replace label 40 in the packet.

c. Forwards the labeled packet out of the outgoing interface GigabitEthernet 1/0/2 to the next hop LSR Router D.

3. When receiving the labeled packet, Router D (the egress LSR) processes the packet as follows:

a. Identifies the LFIB entry that has an incoming label of 50.

b. Removes the label from the packet.

c. Forwards the packet out of the outgoing interface GigabitEthernet 1/0/2 to the next hop LSR Router E.

If the LFIB entry records no outgoing interface or next hop information, Router D performs the following operations:

d. Identifies the FIB entry by the IP header.

e. Forwards the packet according to the FIB entry.

Figure 5 MPLS forwarding

PHP

An egress node must perform two forwarding table lookups to forward a packet:

· Two LFIB lookups (if the packet has more than one label).

· One LFIB lookup and one FIB lookup (if the packet has only one label).

The penultimate hop popping (PHP) feature can pop the label at the penultimate node, so the egress node only performs one table lookup.

A PHP-capable egress node sends the penultimate node an implicit null label of 3. This label never appears in the label stack of packets. If an incoming packet matches an LFIB entry containing the implicit null label, the penultimate node pops the top label and forwards the packet to the egress node. The egress node directly forwards the packet.

Sometimes, the egress node must use the TC field in the label to perform QoS. To keep the TC information, you can configure the egress node to send the penultimate node an explicit null label of 0. If an incoming packet matches an LFIB entry containing the explicit null label, the penultimate hop replaces the top label value with value 0, and forwards the packet to the egress node. The egress node gets the TC information, pops the label of the packet, and forwards the packet.

Protocols and standards

· RFC 3031, Multiprotocol Label Switching Architecture

· RFC 3032, MPLS Label Stack Encoding

· RFC 5462, Multiprotocol Label Switching (MPLS) Label Stack Entry: "EXP" Field Renamed to "Traffic Class" Field

Compatibility information

Feature and hardware compatibility

Hardware	Basic MPLS compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS	No
MSR2600-6-X1/2600-10-X1	Yes
MSR 2630	Yes
MSR3600-28/3600-51	Yes
MSR3600-28-SI/3600-51-SI	Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC	Yes
MSR 3610/3620/3620-DP/3640/3660	Yes
MSR5620/5660/5680	Yes

Hardware	Basic MPLS compatibility
MSR810-LM-GL	No
MSR810-W-LM-GL	No
MSR830-6EI-GL	No
MSR830-10EI-GL	No
MSR830-6HI-GL	No
MSR830-10HI-GL	No
MSR2600-6-X1-GL	Yes
MSR3600-28-SI-GL	Yes

Command and hardware compatibility

Commands and descriptions for centralized devices apply to the following routers:

· MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/ 810-LMS/810-LUS.

· MSR2600-6-X1/2600-10-X1.

· MSR 2630.

· MSR3600-28/3600-51.

· MSR3600-28-SI/3600-51-SI.

· MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

· MSR 3610/3620/3620-DP/3640/3660.

· MSR810-LM-GL/810-W-LM-GL/830-6EI-GL/830-10EI-GL/830-6HI-GL/830-10HI-GL/2600-6-X1-GL/3600-28-SI-GL.

Commands and descriptions for distributed devices apply to the following routers:

· MSR5620.

· MSR 5660.

· MSR 5680.

IPv6-related parameters are not supported on the MSR3600-28-SI/3600-51-SI routers.

MPLS configuration task list

Tasks at a glance
(Required.) Enabling MPLS
(Optional.) Setting MPLS MTU
(Optional.) Specifying the label type advertised by egress
(Optional.) Configuring TTL propagation
(Optional.) Enabling sending MPLS TTL-expired messages
(Optional.) Enabling MPLS forwarding statistics
(Optional.) Enabling split horizon for MPLS forwarding
(Optional.) Enabling SNMP notifications for MPLS

Enabling MPLS

Before you enable MPLS, perform the following tasks:

· Configure link layer protocols to ensure connectivity at the link layer.

· Configure IP addresses for interfaces to ensure IP connectivity between neighboring nodes.

· Configure static routes or an IGP protocol to ensure IP connectivity among LSRs.

To enable MPLS:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure an LSR ID for the local node.	mpls lsr-id lsr-id	By default, no LSR ID is configured. An LSR ID must be unique in an MPLS network and in IP address format. As a best practice, use the IP address of a loopback interface as an LSR ID.
3. Enter the view of the interface that needs to perform MPLS forwarding.	interface interface-type interface-number	N/A
4. Enable MPLS on the interface.	mpls enable	By default, MPLS is disabled on the interface.

Setting MPLS MTU

MPLS adds the label stack between the link layer header and network layer header of each packet. To make sure the size of MPLS labeled packets is smaller than the MTU of an interface, configure an MPLS MTU on the interface.

MPLS compares each MPLS packet against the interface MPLS MTU. When the packet exceeds the MPLS MTU:

· If fragmentation is allowed, MPLS performs the following operations:

a. Removes the label stack from the packet.

b. Fragments the IP packet. The length of a fragment is the MPLS MTU minus the length of the label stack.

c. Adds the label stack to each fragment, and forwards the fragments.

· If fragmentation is not allowed, the LSR directly forwards the packet.

To set an MPLS MTU for an interface:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Set an MPLS MTU for the interface.	mpls mtu size	By default, no MPLS MTU is set on an interface.

The following applies when an interface handles MPLS packets:

· MPLS packets carrying L2VPN or IPv6 packets are always forwarded by an interface, even if the length of the MPLS packets exceeds the MPLS MTU of the interface. Whether the forwarding can succeed depends on the actual forwarding capacity of the interface.

· If the MPLS MTU of an interface is greater than the MTU of the interface, data forwarding might fail on the interface.

· If you do not configure the MPLS MTU of an interface, fragmentation for MPLS packets is based on the IP MTU. If IP MTU is not configured, fragmentation for MPLS packets is based on the MTU of the interface. The length of a fragment does not include that of the MPLS label. Thus, after an MPLS label is added into a fragment, the length of the MPLS fragment might exceed the interface MTU.

Specifying the label type advertised by egress

In an MPLS network, an egress can advertise the following types of labels:

· Implicit null label with a value of 3.

· Explicit null label with a value of 0.

· Non-null label.

For LSPs established by a label distribution protocol, the label advertised by the egress determines how the penultimate hop processes a labeled packet.

· If the egress advertises an implicit null label, the penultimate hop directly pops the top label of a matching packet.

· If the egress advertises an explicit null label, the penultimate hop swaps the top label value of a matching packet with the explicit null label.

· If the egress advertises a non-null label, the penultimate hop swaps the top label of a matching packet with the label assigned by the egress.

Configuration guidelines

As a best practice, configure the egress node to advertise an implicit null label to the penultimate hop if the penultimate hop supports PHP. If you want to simplify packet forwarding on the egress but keep labels to determine QoS policies, configure the egress node to advertise an explicit null label to the penultimate hop. Use non-null labels only in particular scenarios. For example, when OAM is configured on the egress, the egress can get the OAM function entity status only through non-null labels.

As a penultimate hop, the device accepts the implicit null label, explicit null label, or normal label advertised by the egress device.

For LDP LSPs, the mpls label advertise command triggers LDP to delete the LSPs established before the command is executed and re-establishes new LSPs.

For BGP LSPs, the mpls label advertise command takes effect only on the BGP LSPs established after the command is executed. To apply the new setting to BGP LSPs established before the command is executed, delete the routes corresponding to the BGP LSPs, and then redistribute the routes.

Configuration procedure

To specify the type of label that the egress node will advertise to the penultimate hop:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Specify the label type advertised by the egress to the penultimate hop.	mpls label advertise { explicit-null \| implicit-null \| non-null }	By default, an egress advertises an implicit null label to the penultimate hop.

Configuring TTL propagation

When TTL propagation is enabled, the ingress node copies the TTL value of an IP packet to the TTL field of the label. Each LSR on the LSP decreases the label TTL value by 1. The LSR that pops the label copies the remaining label TTL value back to the IP TTL of the packet. The IP TTL value can reflect how many hops the packet has traversed in the MPLS network. The IP tracert facility can show the real path along which the packet has traveled.

Figure 6 TTL propagation

When TTL propagation is disabled, the ingress node sets the label TTL to 255. Each LSR on the LSP decreases the label TTL value by 1. The LSR that pops the label does not change the IP TTL value when popping the label. Therefore, the MPLS backbone nodes are invisible to user networks, and the IP tracert facility cannot show the real path in the MPLS network.

Figure 7 Without TTL propagation

Follow these guidelines when you configure TTL propagation:

· As a best practice, set the same TTL processing mode on all LSRs of an LSP.

· To enable TTL propagation for a VPN, you must enable it on all PE devices in the VPN. Then, you can get the same traceroute result (hop count) from those PEs.

To enable TTL propagation:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable TTL propagation.	mpls ttl propagate { public \| vpn }	By default, TTL propagation is enabled for public network packets and is disabled for VPN packets. This command affects only the propagation between IP TTL and label TTL. Within an MPLS network, TTL is always copied between the labels of an MPLS packet.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enable TTL propagation.

mpls ttl propagate { public | vpn }

By default, TTL propagation is enabled for public network packets and is disabled for VPN packets.

This command affects only the propagation between IP TTL and label TTL. Within an MPLS network, TTL is always copied between the labels of an MPLS packet.

Enabling sending MPLS TTL-expired messages

This feature enables an LSR to generate an ICMP TTL-expired message upon receiving an MPLS packet with a TTL of 1. If the MPLS packet has only one label, the LSR sends the ICMP TTL-expired message back to the source through IP routing. If the MPLS packet has multiple labels, the LSR sends it along the LSP to the egress node, which then sends the message back to the source.

To enable sending MPLS TTL-expired messages:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable sending MPLS TTL-expired messages.	mpls ttl expiration enable	By default, this feature is enabled.

Enabling MPLS forwarding statistics

Enabling FTN forwarding statistics

FEC-to-NHLFE map (FTN) entries are FIB entries that contain outgoing labels used for FTN forwarding. When an LSR receives an unlabeled packet, it searches for the corresponding FTN entry based on the destination IP address. If a match is found, the LSR adds the outgoing label in the FTN entry to the packet and forwards the labeled packet.

After FTN forwarding statistics is enabled, you can view the statistics from the MIB.

To enable FTN forwarding statistics:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter RIB view.	rib	N/A
3. Create a RIB IPv4 address family and enter RIB IPv4 address family view.	address-family ipv4	By default, no RIB IPv4 address family is created.
4. Enable the device to maintain FTN entries in the RIB.	ftn enable	By default, the device does not maintain FTN entries in the RIB.
5. Enable FTN forwarding statistics for a destination network.	mpls-forwarding statistics prefix-list prefix-list-name	By default, FTN forwarding statistics is disabled for all destination networks.

Enabling MPLS label forwarding statistics

MPLS label forwarding forwards a labeled packet based on its incoming label.

Perform this task to enable MPLS label forwarding statistics and set the statistics collection interval. Then, you can use the display mpls lsp verbose command to view MPLS label forwarding statistics.

To enable MPLS label forwarding statistics:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable MPLS label forwarding statistics for specific LSPs.	mpls statistics { all \| [ vpn-instance vpn-instance-name ] { ipv4 ipv4-address mask-length \| ipv6 ipv6-address prefix-length } \| static \| te ingress-lsr-id tunnel-id }	By default, MPLS label forwarding statistics is disabled for all LSPs.
3. Set the MPLS label forwarding statistics collection interval.	mpls statistics interval interval	By default, the MPLS label forwarding statistics collection interval is not set.

Enabling split horizon for MPLS forwarding

This feature prevents MPLS packets received from an interface from being forwarded back to that interface to provide loop-free forwarding.

To enable split horizon for MPLS forwarding:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable split horizon for MPLS forwarding.	mpls forwarding split-horizon	By default, split horizon is disabled for MPLS forwarding.

Enabling SNMP notifications for MPLS

To report critical MPLS events to an NMS, enable SNMP notifications for MPLS. For MPLS event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see the network management and monitoring configuration guide for the device.

To enable SNMP notifications for MPLS:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable SNMP notifications for MPLS.	snmp-agent trap enable mpls	By default, SNMP notifications for MPLS are disabled.

Displaying and maintaining MPLS

Execute display commands in any view and reset commands in user view.

Task	Command
Display MPLS interface information.	display mpls interface [ interface-type interface-number ]
Display usage information for MPLS labels.	display mpls label { label-value1 [ to label-value2 ] \| all }
Display LSP information.	display mpls lsp [ egress \| in-label label-value \| ingress \| outgoing-interface interface-type interface-number \| protocol { bgp \| ldp \| local \| rsvp-te \| static \| static-cr } \| transit ] [ vpn-instance vpn-instance-name ] [ ipv4-address mask-length \| ipv6 [ ipv6-address prefix-length ] ] [ verbose ]
Display MPLS Nexthop Information Base (NIB) information.	display mpls nib [ nib-id ]
Display usage information for NIDs.	display mpls nid [ nid-value1 [ to nid-value2 ] ]
Display LSP statistics.	display mpls lsp statistics [ ipv6 ]
Display MPLS summary information.	display mpls summary
Display ILM entries (centralized devices in standalone mode).	display mpls forwarding ilm [ label ]
Display ILM entries (distributed devices in standalone mode/centralized devices in IRF mode).	display mpls forwarding ilm [ label ] [ slot slot-number ]
Display ILM entries (distributed devices in IRF mode).	display mpls forwarding ilm [ label ] [ chassis chassis-number slot slot-number ]
Display NHLFE entries (centralized devices in standalone mode).	display mpls forwarding nhlfe [ nid ]
Display NHLFE entries (distributed devices in standalone mode/centralized devices in IRF mode).	display mpls forwarding nhlfe [ nid ] [ slot slot-number ]
Display NHLFE entries (distributed devices in IRF mode).	display mpls forwarding nhlfe [ nid ] [ chassis chassis-number slot slot-number ]
Clear MPLS forwarding statistics for the specified LSPs.	reset mpls statistics { all \| [ vpn-instance vpn-instance-name ] { ipv4 ipv4-address mask-length \| ipv6 ipv6-address prefix-length } \| static \| te ingress-lsr-id tunnel-id }

Configuring a static LSP

Overview

A static label switched path (LSP) is established by manually specifying the incoming label and outgoing label on each node (ingress, transit, or egress node) of the forwarding path.

Static LSPs consume fewer resources, but they cannot automatically adapt to network topology changes. Therefore, static LSPs are suitable for small and stable networks with simple topologies.

The ingress node of a static LSP performs the following operations:

1. Determines an FEC for a packet according to the destination address.

2. Adds the label for that FEC into the packet.

3. Forwards the packet to the next hop or out of the outgoing interface.

A transit node swaps the label carried in a received packet with a label, and forwards the packet to the next hop or out of the outgoing interface.

If PHP is not configured, an egress node pops the incoming label of a packet, and performs label forwarding according to the inner label or IP forwarding.

Feature and hardware compatibility

Hardware	Static LSP compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS	No
MSR2600-6-X1/2600-10-X1	Yes
MSR 2630	Yes
MSR3600-28/3600-51	Yes
MSR3600-28-SI/3600-51-SI	Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC	Yes
MSR 3610/3620/3620-DP/3640/3660	Yes
MSR5620/5660/5680	Yes

Hardware	Static LSP compatibility
MSR810-LM-GL	No
MSR810-W-LM-GL	No
MSR830-6EI-GL	No
MSR830-10EI-GL	No
MSR830-6HI-GL	No
MSR830-10HI-GL	No
MSR2600-6-X1-GL	Yes
MSR3600-28-SI-GL	Yes

Configuration guidelines

Follow these guidelines when you establish a static LSP:

· On the ingress node, you must specify the outgoing label for the destination address (the FEC) and the next hop or the outgoing interface.

· On each transit node, you must specify the incoming label, the outgoing label, and the next hop or the outgoing interface.

· On the egress node, you must specify the incoming label.

· You can associate a static LSP with an LDP LSP to simplify packet processing when the following conditions are met:

? Packets are forwarded over the static LSP and the LDP LSP to the destination.

? The egress node of the static LSP is also the ingress node of the LDP LSP.

After receiving a packet with the specified incoming label, the egress node of the static LSP swaps the label with the outgoing label for the LDP LSP. Then, the node forwards the packet to the next hop.

To associate a static LSP with an LDP LSP, specify the incoming label and destination address on the egress node of the static LSP.

· The outgoing label specified on an LSR must be the same as the incoming label specified on the directly connected downstream LSR.

Configuration prerequisites

Before you configure a static LSP, perform the following tasks:

· Identify the ingress node, transit nodes, and egress node of the LSP.

· Enable MPLS on all interfaces that participate in MPLS forwarding. For more information, see "Configuring basic MPLS."

· Make sure the ingress node has a route to the destination address of the LSP.

· If you want to associate the static LSP with an LDP LSP, make sure the egress node of the static LSP has a route to the destination.

Configuration procedure

To configure a static LSP:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure the ingress node of the static LSP.	static-lsp ingress lsp-name destination ip-address { mask \| mask-length } { nexthop next-hop-ip-address \| outgoing-interface interface-type interface-number } out-label out-label	If you specify a next hop for the static LSP, make sure the ingress node has an active route to the specified next hop address.
3. Configure the transit node of the static LSP.	static-lsp transit lsp-name in-label in-label { nexthop next-hop-ip-address \| outgoing-interface interface-type interface-number } out-label out-label	If you specify a next hop for the static LSP, make sure the transit node has an active route to the specified next hop address.
4. Configure the egress node of the static LSP.	static-lsp egress lsp-name in-label in-label [ destination ip-address { mask \| mask-length } ]	You do not need to configure this command if the outgoing label configured on the penultimate hop of the static LSP is 0 or 3.

Displaying static LSPs

Execute display commands in any view.

Task	Command
Display static LSP information.	display mpls static-lsp [ lsp-name lsp-name ]

Static LSP configuration example

Network requirements

Router A, Router B, and Router C all support MPLS.

Establish static LSPs between Router A and Router C, so that subnets 11.1.1.0/24 and 21.1.1.0/24 can access each other over MPLS.

Figure 8 Network diagram

Configuration restrictions and guidelines

· For an LSP, the outgoing label specified on an LSR must be identical with the incoming label specified on the downstream LSR.

· LSPs are unidirectional. You must configure an LSP for each direction of the data forwarding path.

· A route to the destination address of the LSP must be available on the ingress and egress nodes, but it is not needed on transit nodes. Therefore, you do not need to configure a routing protocol to ensure IP connectivity among all routers.

Configuration procedure

1. Configure IP addresses for all interfaces, including the loopback interfaces, as shown in Figure 8. (Details not shown.)

2. Configure a static route to the destination address of each LSP:

# On Router A, configure a static route to network 21.1.1.0/24.

<RouterA> system-view

[RouterA] ip route-static 21.1.1.0 24 10.1.1.2

# On Router C, configure a static route to network 11.1.1.0/24.

<RouterC> system-view

[RouterC] ip route-static 11.1.1.0 255.255.255.0 20.1.1.1

3. Configure basic MPLS on the routers:

# Configure Router A.

[RouterA] mpls lsr-id 1.1.1.9

[RouterA] interface serial 2/1/0

[RouterA-Serial2/1/0] mpls enable

[RouterA-Serial2/1/0] quit

# Configure Router B.

[RouterB] mpls lsr-id 2.2.2.9

[RouterB] interface serial 2/1/0

[RouterB-Serial2/1/0] mpls enable

[RouterB-Serial2/1/0] quit

[RouterB] interface serial 2/1/1

[RouterB-Serial2/1/1] mpls enable

[RouterB-Serial2/1/1] quit

# Configure Router C.

[RouterC] mpls lsr-id 3.3.3.9

[RouterC] interface serial 2/1/0

[RouterC-Serial2/1/0] mpls enable

[RouterC-Serial2/1/0] quit

4. Configure a static LSP from Router A to Router C:

# Configure the LSP ingress node, Router A.

[RouterA] static-lsp ingress AtoC destination 21.1.1.0 24 nexthop 10.1.1.2 out-label 30

# Configure the LSP transit node, Router B.

[RouterB] static-lsp transit AtoC in-label 30 nexthop 20.1.1.2 out-label 50

# Configure the LSP egress node, Router C.

[RouterC] static-lsp egress AtoC in-label 50

5. Create a static LSP from Router C to Router A:

# Configure the LSP ingress node, Router C.

[RouterC] static-lsp ingress CtoA destination 11.1.1.0 24 nexthop 20.1.1.1 out-label 40

# Configure the LSP transit node, Router B.

[RouterB] static-lsp transit CtoA in-label 40 nexthop 10.1.1.1 out-label 70

# Configure the LSP egress node, Router A.

[RouterA] static-lsp egress CtoA in-label 70

Verifying the configuration

# Display static LSP information on routers, for example, on Router A.

[RouterA] display mpls static-lsp

Total: 2

Name FEC In/Out Label Nexthop/Out Interface State

AtoC 21.1.1.0/24 NULL/30 10.1.1.2 Up

CtoA -/- 70/NULL - Up

# Test the connectivity of the LSP from Router A to Router C.

[RouterA] ping mpls -a 11.1.1.1 ipv4 21.1.1.0 24

MPLS ping FEC 21.1.1.0/24 with 100 bytes of data:

100 bytes from 20.1.1.2: Sequence=1 time=4 ms

100 bytes from 20.1.1.2: Sequence=2 time=1 ms

100 bytes from 20.1.1.2: Sequence=3 time=1 ms

100 bytes from 20.1.1.2: Sequence=4 time=1 ms

100 bytes from 20.1.1.2: Sequence=5 time=1 ms

--- Ping statistics for FEC 21.1.1.0/24 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

Round-trip min/avg/max = 1/1/4 ms

# Test the connectivity of the LSP from Router C to Router A.

[RouterC] ping mpls -a 21.1.1.1 ipv4 11.1.1.0 24

MPLS ping FEC 11.1.1.0/24 with 100 bytes of data:

100 bytes from 10.1.1.1: Sequence=1 time=5 ms

100 bytes from 10.1.1.1: Sequence=2 time=1 ms

100 bytes from 10.1.1.1: Sequence=3 time=1 ms

100 bytes from 10.1.1.1: Sequence=4 time=1 ms

100 bytes from 10.1.1.1: Sequence=5 time=1 ms

--- Ping statistics for FEC 11.1.1.0/24 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

Round-trip min/avg/max = 1/1/5 ms

Configuring LDP

Overview

The Label Distribution Protocol (LDP) dynamically distributes FEC-label mapping information between LSRs to establish LSPs.

Terminology

LDP session

Two LSRs establish a TCP-based LDP session to exchange FEC-label mappings.

LDP peer

Two LSRs that use LDP to exchange FEC-label mappings are LSR peers.

Label spaces and LDP identifiers

Label spaces include the following types:

· Per-interface label space—Each interface uses a single, independent label space. Different interfaces can use the same label values.

· Per-platform label space—Each LSR uses a single label space. The device only supports the per-platform label space.

A six-byte LDP Identifier (LDP ID) identifies a label space on an LSR. It is in the format of <LSR ID>:<label space number>, where:

· The LSR ID takes four bytes to identity the LSR.

· The label space number takes two bytes to identify a label space within the LSR.

A label space number of 0 indicates that the label space is a per-platform label space. A label space number other than 0 indicates a per-interface label space.

LDP uses the same LDP ID format on IPv4 and IPv6 networks. An LDP ID must be globally unique.

FECs and FEC-label mappings

MPLS groups packets with the same characteristics (such as the same destination or service class) into a class, called an FEC. The packets of the same FEC are handled in the same way on an MPLS network.

LDP can classify FECs by destination IP address and by PW. This document describes FEC classification by destination IP address. For information about FEC classification by PW, see "Configuring MPLS L2VPN" and "Configuring VPLS."

An LSR assigns a label for an FEC and advertises the FEC-label mapping, or FEC-label binding, to its peers in a Label Mapping message.

LDP messages

LDP mainly uses the following types of messages:

· Discovery messages—Declare and maintain the presence of LSRs, such as Hello messages.

· Session messages—Establish, maintain, and terminate sessions between LDP peers, such as Initialization messages used for parameter negotiation and Keepalive messages used to maintain sessions.

· Advertisement messages—Create, alter, and remove FEC-label mappings, such as Label Mapping messages used to advertise FEC-label mappings.

· Notification messages—Provide advisory information and notify errors, such as Notification messages.

LDP uses UDP to transport discovery messages for efficiency, and uses TCP to transport session, advertisement, and notification messages for reliability.

LDP operation

LDP can operate on an IPv4 or IPv6 network, or a network where IPv4 coexists with IPv6. LDP operates similarly on IPv4 and IPv6 networks.

LDP operates in the following phases:

Discovering and maintaining LDP peers

LDP discovers peers in the following ways:

· Basic Discovery—Discovers directly connected LSRs.

? On an IPv4 network, an LSR sends IPv4 Link Hello messages to multicast address 224.0.0.2. All directly connected LSRs can discover the LSR and establish an IPv4 Link Hello adjacency.

? On an IPv6 network, an LSR sends IPv6 Link Hello messages to FF02:0:0:0:0:0:0:2. All directly connected LSRs can discover the LSR and establish an IPv6 Link Hello adjacency.

? On a network where IPv4 and IPv6 coexist, an LSR sends both IPv4 and IPv6 Link Hello messages to each directly connected LSR and keeps both the IPv4 and IPv6 Link Hello adjacencies with a neighbor.

· Extended Discovery—Sends LDP IPv4 Targeted Hello messages to an IPv4 address or LDP IPv6 Targeted Hello messages to an IPv6 address. The destination LSR can discover the LSR and establish a hello adjacency. This mechanism is typically used in LDP session protection, LDP over MPLS TE, MPLS L2VPN, and VPLS. For more information about MPLS L2VPN and VPLS, see "Configuring MPLS L2VPN," and "Configuring VPLS."

LDP can establish two hello adjacencies with a directly connected neighbor through both discovery mechanisms. It sends Hello messages at the hello interval to maintain a hello adjacency. If LDP receives no Hello message from a hello adjacency before the hello hold timer expires, it removes the hello adjacency.

Establishing and maintaining LDP sessions

LDP establishes a session to a peer in the following steps:

1. Establishes a TCP connection to the neighbor.

On a network where IPv4 and IPv6 coexist, LDP establishes an IPv6 TCP connection. If LDP fails to establish the IPv6 TCP connection, LDP tries to establish an IPv4 TCP connection.

2. Negotiates session parameters such as LDP version, label distribution method, and Keepalive timer, and establishes an LDP session to the neighbor if the negotiation succeeds.

After a session is established, LDP sends LDP PDUs (an LDP PDU carries one or more LDP messages) to maintain the session. If no information is exchanged between the LDP peers within the Keepalive interval, LDP sends Keepalive messages at the Keepalive interval to maintain the session. If LDP receives no LDP PDU from a neighbor before the keepalive hold timer expires, or the last hello adjacency with the neighbor is removed, LDP terminates the session.

LDP can also send a Shutdown message to a neighbor to terminate the LDP session.

An LSR can establish only one LDP session to a neighbor. The session can be used to exchange IPv4 and IPv6 FEC-label mappings at the same time.

Establishing LSPs

LDP classifies FECs according to destination IP addresses in IP routing entries, creates FEC-label mappings, and advertises the mappings to LDP peers through LDP sessions. After an LDP peer receives an FEC-label mapping, it uses the received label and the label locally assigned to that FEC to create an LFIB entry for that FEC. When all LSRs (from the Ingress to the Egress) establish an LFIB entry for the FEC, an LSP is established exclusively for the FEC.

Figure 9 Dynamically establishing an LSP

Label distribution and control

Label advertisement modes

LDP advertises label-FEC mappings in one of the following ways:

· Downstream Unsolicited (DU) mode—Distributes FEC-label mappings to the upstream LSR, without waiting for label requests. The device supports only the DU mode.

· Downstream on Demand (DoD) mode—Sends a label request for an FEC to the downstream LSR. After receiving the label request, the downstream LSR distributes the FEC-label mapping for that FEC to the upstream LSR.

Figure 10 Label advertisement modes

NOTE:

To successfully establish an LSP, a pair of upstream and downstream LSRs must use the same label advertisement mode.

Label distribution control

LDP controls label distribution in one of the following ways:

· Independent label distribution—Distributes an FEC-label mapping to an upstream LSR at any time. An LSR might distribute a mapping for an FEC to its upstream LSR before it receives a label mapping for that FEC from its downstream LSR. As shown in Figure 11, in DU mode, each LSR distributes a label mapping for an FEC to its upstream LSR whenever it is ready to label-switch the FEC. The LSRs do not need to wait for a label mapping for the FEC from its downstream LSR. In DoD mode, an LSR distributes a label mapping for an FEC to its upstream LSR after it receives a label request for the FEC. The LSR does not need to wait for a label mapping for the FEC from its downstream LSR.

Figure 11 Independent label distribution control mode

· Ordered label distribution—Distributes a label mapping for an FEC to its upstream LSR only after it receives a label mapping for that FEC from its downstream LSR unless the local node is the egress node of the FEC. As shown in Figure 10, in DU mode, an LSR distributes a label mapping for an FEC to its upstream LSR only if it receives a label mapping for the FEC from its downstream LSR. In DoD mode, when an LSR (Transit) receives a label request for an FEC from its upstream LSR (Ingress), it continues to send a label request for the FEC to its downstream LSR (Egress). After the transit LSR receives a label mapping for the FEC from the egress LSR, it distributes a label mapping for the FEC to the ingress LSR.

Label retention mode

The label retention mode specifies whether an LSR maintains a label mapping for an FEC learned from a neighbor that is not its next hop.

· Liberal label retention—Retains a received label mapping for an FEC regardless of whether the advertising LSR is the next hop of the FEC. This mechanism allows for quicker adaptation to topology changes, but it wastes system resources because LDP has to keep useless labels. The device only supports liberal label retention.

· Conservative label retention—Retains a received label mapping for an FEC only when the advertising LSR is the next hop of the FEC. This mechanism saves label resources, but it cannot quickly adapt to topology changes.

LDP GR

LDP Graceful Restart (GR) preserves label forwarding information when the signaling protocol or control plane fails, so that LSRs can still forward packets according to forwarding entries.

As shown in Figure 12, GR defines the following roles:

· GR restarter—An LSR that performs GR. It must be GR-capable.

· GR helper—A neighbor LSR that helps the GR restarter to complete GR.

The device can act as a GR restarter or a GR helper.

Figure 12 LDP GR

As shown in Figure 13, LDP GR operates as follows:

1. LSRs establish an LDP session. The L flag of the Fault Tolerance TLV in their Initialization messages is set to 1 to indicate that they support LDP GR.

2. When LDP restarts, the GR restarter starts the MPLS Forwarding State Holding timer, and marks the MPLS forwarding entries as stale. When the GR helper detects that the LDP session to the GR restarter goes down, it performs the following operations:

a. Marks the FEC-label mappings learned from the session as stale.

b. Starts the Reconnect timer received from the GR restarter.

3. After LDP completes restart, the GR restarter re-establishes an LDP session to the GR helper.

? If the LDP session is not set up before the Reconnect timer expires, the GR helper deletes the stale FEC-label mappings and the corresponding MPLS forwarding entries.

? If the LDP session is successfully set up before the Reconnect timer expires, the GR restarter sends the remaining time of the MPLS Forwarding State Holding timer to the GR helper.

The remaining time is sent as the LDP Recovery time.

4. After the LDP session is re-established, the GR helper starts the LDP Recovery timer.

5. The GR restarter and the GR helper exchange label mappings and update their MPLS forwarding tables.

The GR restarter compares each received label mapping against stale MPLS forwarding entries. If a match is found, the restarter deletes the stale mark for the matching entry. Otherwise, it adds a new entry for the label mapping.

The GR helper compares each received label mapping against stale FEC-label mappings. If a match is found, the helper deletes the stale mark for the matching mapping. Otherwise, it adds the received FEC-label mapping and a new MPLS forwarding entry for the mapping.

6. When the MPLS Forwarding State Holding timer expires, the GR restarter deletes all stale MPLS forwarding entries.

7. When the LDP Recovery timer expires, the GR helper deletes all stale FEC-label mappings.

Figure 13 LDP GR operation

LDP NSR

LDP nonstop routing (NSR) backs up protocol states and data (including LDP session and LSP information) from the active process to the standby process. When the LDP active process fails, the standby process becomes active and takes over processing seamlessly. The LDP peers are not notified of the LDP interruption. The LDP session stays in Operational state, and the forwarding is not interrupted.

The LDP active process fails when one of the following situations occurs:

· The active process restarts.

· The MPU where the active process resides fails.

· The MPU where the active process resides performs an ISSU.

· The LDP process' position determined by the process placement feature is different from the position where the LDP process is operating.

To use LDP NSR, the device must have two or more MPUs, and the active and standby processes for LDP reside on different MPUs.

LDP-IGP synchronization

Basic operating mechanism

LDP establishes LSPs based on the IGP optimal route. If LDP is not synchronized with IGP, MPLS traffic forwarding might be interrupted.

LDP is not synchronized with IGP when one of the following situations occurs:

· A link is up, and IGP advertises and uses this link. However, LDP LSPs on this link have not been established.

· An LDP session on a link is down, and LDP LSPs on the link have been removed. However, IGP still uses this link.

· The Ordered label distribution control mode is used. IGP used the link before the local device received the label mappings from the downstream LSR to establish LDP LSPs.

After LDP-IGP synchronization is enabled, IGP advertises the actual cost of a link only when LDP convergence on the link is completed. Before LDP convergence is completed, IGP advertises the maximum cost of the link. In this way, the link is visible on the IGP topology, but IGP does not select this link as the optimal route when other links are available. Therefore, the device can avoid discarding MPLS packets when there is not an LDP LSP established on the optimal route.

LDP convergence on a link is completed when both the following situations occur:

· The local device establishes an LDP session to a minimum of one peer, and the LDP session is already in Operational state.

· The local device has distributed the label mappings to a minimum of one peer.

Notification delay for LDP convergence completion

By default, LDP immediately sends a notification to IGP that LDP convergence has completed. However, immediate notifications might cause MPLS traffic forwarding interruptions in one of the following scenarios:

· LDP peers use the Ordered label distribution control mode. The device has not received a label mapping from downstream at the time LDP notifies IGP that LDP convergence has completed.

· A large number of label mappings are distributed from downstream. Label advertisement is not completed when LDP notifies IGP that LDP convergence has completed.

To avoid traffic forwarding interruptions in these scenarios, configure the notification delay. When LDP convergence on a link is completed, LDP waits before notifying IGP.

Notification delay for LDP restart or active/standby switchover

When an LDP restart or an active/standby switchover occurs, LDP takes time to converge, and LDP notifies IGP of the LDP-IGP synchronization status as follows:

· If a notification delay is not configured, LDP immediately notifies IGP of the current synchronization states during convergence, and then updates the states after LDP convergence. This could impact IGP processing.

· If a notification delay is configured, LDP notifies IGP of the LDP-IGP synchronization states in bulk when one of the following events occurs:

? LDP recovers to the state before the restart or switchover.

? The maximum delay timer expires.

LDP FRR

A link or router failure on a path can cause packet loss until LDP establishes a new LSP on the new path. LDP FRR enables fast rerouting to minimize the failover time. LDP FRR is based on IP FRR and is enabled automatically after IP FRR is enabled.

You can use one of the following methods to enable IP FRR:

· Configure an IGP to automatically calculate a backup next hop.

· Configure an IGP to specify a backup next hop by using a routing policy.

As shown in Figure 14, configure IP FRR on LSR A. The IGP automatically calculates a backup next hop or it specifies a backup next hop through a routing policy. LDP creates a primary LSP and a backup LSP according to the primary route and the backup route calculated by IGP. When the primary LSP operates correctly, it forwards the MPLS packets. When the primary LSP fails, LDP directs packets to the backup LSP.

When packets are forwarded through the backup LSP, IGP calculates the optimal path based on the new network topology. When IGP route convergence occurs, LDP establishes a new LSP according to the optimal path. If a new LSP is not established after IGP route convergence, traffic forwarding might be interrupted. As a best practice, enable LDP-IGP synchronization to work with LDP FRR to reduce traffic interruption.

Figure 14 Network diagram for LDP FRR

LDP over MPLS TE

As shown in Figure 15, in a layered network, MPLS TE is deployed in the core layer, and the distribution layer uses LDP as the label distribution protocol. To set up an LDP LSP across the core layer, you can establish the LDP LSP over the existing MPLS TE tunnel to simplify configuration. You only need to enable LDP on the tunnel interfaces of the ingress and egress nodes for the MPLS TE tunnel. An LDP session will be established between the tunnel ingress and egress. Label Mapping messages are advertised through the session and an LDP LSP is established. The LDP LSP is carried on the MPLS TE LSP, creating a hierarchical LSP. For more information about MPLS TE tunnels, see "Configuring MPLS TE."

Figure 15 LDP over MPLS TE

Protocols

· RFC 5036, LDP Specification

· draft-ietf-mpls-ldp-ipv6-09.txt

Feature and hardware compatibility

Hardware	LDP compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS	No
MSR2600-6-X1/2600-10-X1	Yes
MSR 2630	Yes
MSR3600-28/3600-51	Yes
MSR3600-28-SI/3600-51-SI	Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC	Yes
MSR 3610/3620/3620-DP/3640/3660	Yes
MSR5620/5660/5680	Yes

Hardware	LDP compatibility
MSR810-LM-GL	No
MSR810-W-LM-GL	No
MSR830-6EI-GL	No
MSR830-10EI-GL	No
MSR830-6HI-GL	No
MSR830-10HI-GL	No
MSR2600-6-X1-GL	Yes
MSR3600-28-SI-GL	Yes

Command and hardware compatibility

Commands and descriptions for centralized devices apply to the following routers:

· MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

· MSR2600-6-X1/2600-10-X1.

· MSR 2630.

· MSR3600-28/3600-51.

· MSR3600-28-SI/3600-51-SI.

· MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

· MSR 3610/3620/3620-DP/3640/3660.

· MSR810-LM-GL/810-W-LM-GL/830-6EI-GL/830-10EI-GL/830-6HI-GL/830-10HI-GL/2600-6-X1-GL/3600-28-SI-GL.

Commands and descriptions for distributed devices apply to the following routers:

· MSR5620.

· MSR 5660.

· MSR 5680.

IPv6-related parameters are not supported on the MSR3600-28-SI/3600-51-SI routers.

LDP configuration task list

Tasks at a glance
Enable LDP: 1. (Required.) Enabling LDP globally 2. (Required.) Enabling LDP on an interface
(Optional.) Configuring Hello parameters
(Optional.) Configuring LDP session parameters
(Optional.) Configuring LDP backoff
(Optional.) Configuring LDP MD5 authentication
(Optional.) Configuring LDP to redistribute BGP unicast routes
(Optional.) Configuring an LSP generation policy
(Optional.) Configuring the LDP label distribution control mode
(Optional.) Configuring a label advertisement policy
(Optional.) Configuring a label acceptance policy
(Optional.) Configuring LDP loop detection
(Optional.) Configuring LDP session protection
(Optional.) Configuring LDP GR
(Optional.) Configuring LDP NSR
(Optional.) Configuring LDP-IGP synchronization
(Optional.) Configuring LDP FRR
(Optional.) Setting a DSCP value for outgoing LDP packets
(Optional.) Resetting LDP sessions
(Optional.) Enabling SNMP notifications for LDP

Enabling LDP

To enable LDP, you must first enable LDP globally. Then, enable LDP on relevant interfaces or configure IGP to automatically enable LDP on those interfaces.

Enabling LDP globally

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable LDP for the local node or for a VPN.	· Enable LDP for the local node and enter LDP view: mpls ldp · Enable LDP for a VPN and enter LDP-VPN instance view: a. mpls ldp b. vpn-instance vpn-instance-name	By default, LDP is globally disabled.
3. Configure an LDP LSR ID.	lsr-id lsr-id	By default, the LDP LSR ID is the same as the MPLS LSR ID.

Enabling LDP on an interface

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	If the interface is bound to a VPN instance, you must enable LDP for the VPN instance by using the vpn-instance command in LDP view.
3. Enable IPv4 LDP on the interface.	mpls ldp enable	By default, IPv4 LDP is disabled on an interface.
4. Enable IPv6 LDP on the interface.	mpls ldp ipv6 enable	By default, IPv6 LDP is disabled on an interface.

Configuring Hello parameters

Perform this task to set the following hello timers:

· Link Hello hold time and Link Hello interval.

If an interface is enabled with both IPv4 LDP and IPv6 LDP, the parameters configured on the interface can be used for both IPv4 and IPv6 Link Hello messages.

· Targeted Hello hold time and Targeted Hello interval for a peer.

Setting Link Hello timers

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter the view of the interface where you want to establish an LDP session.	interface interface-type interface-number	N/A
3. Set the Link Hello hold time.	mpls ldp timer hello-hold timeout	By default, the Link Hello hold time is 15 seconds.
4. Set the Link Hello interval.	mpls ldp timer hello-interval interval	By default, the Link Hello interval is 5 seconds.

Setting Targeted Hello timers for an LDP peer

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter LDP view.	mpls ldp	N/A
3. Specify an LDP peer and enter LDP peer view. The device will send unsolicited Targeted Hellos to the peer and can respond to the Targeted Hellos received from the peer.	targeted-peer { ipv4-address \| ipv6-address }	By default, the device does not send Targeted Hellos to any peers, or respond to Targeted Hellos received from any peers.
4. Set the Targeted Hello hold time.	mpls ldp timer hello-hold timeout	By default, the Targeted Hello hold time is 45 seconds.
5. Set the Target Hello interval.	mpls ldp timer hello-interval interval	By default, the Targeted Hello interval is 15 seconds.

Configuring LDP session parameters

This task configures the following LDP session parameters:

· Keepalive hold time and Keepalive interval.

· LDP transport address—IP address for establishing TCP connections.

LDP uses Basic Discovery and Extended Discovery mechanisms to discovery LDP peers and establish LDP sessions with them.

When you configure LDP session parameters, follow these guidelines:

· The configured LDP transport address must be the IP address of an up interface on the device. Otherwise, no LDP session can be established.

· Make sure the LDP transport addresses of the local and peer LSRs can reach each other. Otherwise, no TCP connection can be established.

Configuring LDP sessions parameters for Basic Discovery mechanism

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Set the Keepalive hold time.	mpls ldp timer keepalive-hold timeout	By default, the Keepalive hold time is 45 seconds.
4. Set the Keepalive interval.	mpls ldp timer keepalive-interval interval	By default, the Keepalive interval is 15 seconds.
5. Configure the LDP transport address.	mpls ldp transport-address { ipv4-address \| ipv6-address \| interface }	By default, the LDP transport address is the LSR ID of the local device if the interface where you want to establish an LDP session belongs to the public network. If the interface belongs to a VPN, the LDP transport address is the primary IP address of the interface. If the interface where you want to establish an LDP session is bound to a VPN instance, the interface with the IP address specified with this command must be bound to the same VPN instance.

Configuring LDP IPv4 sessions parameters for Extended Discovery mechanism

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter LDP view.	mpls ldp	N/A
3. Specify an IPv4 LDP peer and enter LDP peer view. The device will send unsolicited IPv4 Targeted Hellos to the peer and can respond to IPv4 Targeted Hellos received from the targeted peer.	targeted-peer ipv4-address	By default, the device does not send IPv4 Targeted Hellos to any peers, or respond to IPv4 Targeted Hellos received from any peers.
4. Set the Keepalive hold time.	mpls ldp timer keepalive-hold timeout	By default, the Keepalive hold time is 45 seconds.
5. Set the Keepalive interval.	mpls ldp timer keepalive-interval interval	By default, the Keepalive interval is 15 seconds.
6. Configure the LDP transport address.	mpls ldp transport-address ipv4-address	By default, the LDP transport address is the LSR ID of the local device.

Configuring LDP IPv6 sessions parameters for Extended Discovery mechanism

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter LDP view.	mpls ldp	N/A
3. Specify an IPv6 LDP peer and enter LDP peer view. The device will send unsolicited IPv6 Targeted Hellos to the peer and can respond to IPv6 Targeted Hellos received from the targeted IPv6 peer.	targeted-peer ipv6-address	By default, the device does not send IPv6 Targeted Hellos to any peers, or respond to IPv6 Targeted Hellos received from any peers.
4. Set the Keepalive hold time.	mpls ldp timer keepalive-hold timeout	By default, the Keepalive hold time is 45 seconds.
5. Set the Keepalive interval.	mpls ldp timer keepalive-interval interval	By default, the Keepalive interval is 15 seconds.
6. Configure the LDP transport address.	mpls ldp transport-address ipv6-address	By default, the LDP IPv6 transport address is not configured.

Configuring LDP backoff

If LDP session parameters (for example, the label advertisement mode) are incompatible, two LDP peers cannot establish a session, and they will keep negotiating with each other.

The LDP backoff mechanism can mitigate this problem by using an initial delay timer and a maximum delay timer. After failing to establish a session to a peer LSR for the first time, LDP does not start an attempt until the initial delay timer expires. If the session setup fails again, LDP waits for two times the initial delay before the next attempt, and so forth until the maximum delay time is reached. After that, the maximum delay time will always take effect.

To configure LDP backoff:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter LDP view or enter LDP-VPN instance view.	· Enter LDP view: mpls ldp · Enter LDP-VPN instance view: a. mpls ldp b. vpn-instance vpn-instance-name	N/A
3. Set the initial delay time and maximum delay time.	backoff initial initial-time maximum maximum-time	By default, the initial delay time is 15 seconds, and the maximum delay time is 120 seconds.

Configuring LDP MD5 authentication

To improve security for LDP sessions, you can configure MD5 authentication for the underlying TCP connections to check the integrity of LDP messages.

For two LDP peers to establish an LDP session successfully, make sure the LDP MD5 authentication configurations on the LDP peers are consistent.

To configure LDP MD5 authentication:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter LDP view or enter LDP-VPN instance view.	· Enter LDP view: mpls ldp · Enter LDP-VPN instance view: a. mpls ldp b. vpn-instance vpn-instance-name	N/A
3. Enable LDP MD5 authentication.	md5-authentication peer-lsr-id { cipher \| plain } string	By default, LDP MD5 authentication is disabled.

Configuring LDP to redistribute BGP unicast routes

By default, LDP automatically redistributes IGP routes, including the BGP routes that have been redistributed into IGP. Then, LDP assigns labels to the IGP routes and labeled BGP routes, if these routes are permitted by an LSP generation policy. LDP does not automatically redistribute BGP unicast routes if the routes are not redistributed into the IGP.

For example, on a carrier's carrier network where IGP is not configured between a PE of a Level 1 carrier and a CE of a Level 2 carrier, LDP cannot redistribute BGP unicast routes to assign labels to them. For this network to operate correctly, you can enable LDP to redistribute BGP unicast routes. If the routes are permitted by an LSP generation policy, LDP assigns labels to them to establish LSPs. For more information about carrier's carrier, see "Configuring MPLS L3VPN."

To configure LDP to redistribute BGP unicast routes:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter LDP view or enter LDP-VPN instance view.	· Enter LDP view: mpls ldp · Enter LDP-VPN instance view: a. mpls ldp b. vpn-instance vpn-instance-name	N/A
3. Enable LDP to redistribute BGP IPv4 unicast routes.	import bgp [ as-number ]	By default, LDP does not redistribute BGP IPv4 unicast routes.
4. Enable LDP to redistribute BGP IPv6 unicast routes.	ipv6 import bgp [ as-number ]	By default, LDP does not redistribute BGP IPv6 unicast routes.

Configuring an LSP generation policy

LDP assigns labels to the routes that have been redistributed into LDP to generate LSPs. An LSP generation policy specifies which redistributed routes can be used by LDP to generate LSPs to control the number of LSPs, as follows:

· Use all routes to establish LSPs.

· Use the routes permitted by an IP prefix list to establish LSPs. For information about IP prefix list configuration, see Layer 3—IP Routing Configuration Guide.

· Use only IPv4 host routes with a 32-bit mask or IPv6 host routes with a 128-bit mask to establish LSPs.

By default, LDP uses only IPv4 host routes with a 32-bit mask or IPv6 host routes with a 128-bit mask to establish LSPs. The other two methods can result in more LSPs than the default policy. To change the policy, make sure the system resources and bandwidth resources are sufficient.

To configure an LSP generation policy:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter LDP view or enter LDP-VPN instance view.	· Enter LDP view: mpls ldp · Enter LDP-VPN instance view: a. mpls ldp b. vpn-instance vpn-instance-name	N/A
3. Configure an IPv4 LSP generation policy.	lsp-trigger { all \| prefix-list prefix-list-name }	By default, LDP uses only the redistributed IPv4 routes with a 32-bit mask to establish LSPs.
4. Configure an IPv6 LSP generation policy.	ipv6 lsp-trigger { all \| prefix-list prefix-list-name }	By default, LDP uses only the redistributed IPv6 routes with a 128-bit mask to establish LSPs.

Configuring the LDP label distribution control mode

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter LDP view or enter LDP-VPN instance view.	· Enter LDP view: mpls ldp · Enter LDP-VPN instance view: a. mpls ldp b. vpn-instance vpn-instance-name	N/A
3. Configure the label distribution control mode.	label-distribution { independent \| ordered }	By default, the Ordered label distribution mode is used.

Configuring a label advertisement policy

A label advertisement policy uses IP prefix lists to control the FEC-label mappings advertised to peers.

As shown in Figure 16, LSR A advertises label mappings for FECs permitted by IP prefix list B to LSR B. It advertises label mappings for FECs permitted by IP prefix list C to LSR C.

Figure 16 Label advertisement control diagram

A label advertisement policy on an LSR and a label acceptance policy on its upstream LSR can achieve the same purpose. As a best practice, use label advertisement policies to reduce network load if downstream LSRs support label advertisement control.

Before you configure an LDP label advertisement policy, create an IP prefix list. For information about IP prefix list configuration, see Layer 3—IP Routing Configuration Guide.

To configure a label advertisement policy:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter LDP view or enter LDP-VPN instance view.	· Enter LDP view: mpls ldp · Enter LDP-VPN instance view: a. mpls ldp b. vpn-instance vpn-instance-name	N/A
3. Configure an IPv4 label advertisement policy.	advertise-label prefix-list prefix-list-name [ peer peer-prefix-list-name ]	By default, LDP advertises all IPv4 FEC-label mappings permitted by the LSP generation policy to all peers.
4. Configure an IPv6 label advertisement policy.	ipv6 advertise-label prefix-list prefix-list-name [ peer peer-prefix-list-name ]	By default, LDP advertises all IPv6 FEC-label mappings permitted by the LSP generation policy to all peers.

Configuring a label acceptance policy

A label acceptance policy uses an IP prefix list to control the label mappings received from a peer.

As shown in Figure 17, LSR A uses an IP prefix list to filter label mappings from LSR B, and it does not filter label mappings from LSR C.

Figure 17 Label acceptance control diagram

A label advertisement policy on an LSR and a label acceptance policy on its upstream LSR can achieve the same purpose. As a best practice, use the label advertisement policy to reduce network load.

You must create an IP prefix list before you configure a label acceptance policy. For information about IP prefix list configuration, see Layer 3—IP Routing Configuration Guide.

To configure a label acceptance policy:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter LDP view or enter LDP-VPN instance view.	· Enter LDP view: mpls ldp · Enter LDP-VPN instance view: a. mpls ldp b. vpn-instance vpn-instance-name	N/A
3. Configure an IPv4 label acceptance policy.	accept-label peer peer-lsr-id prefix-list prefix-list-name	By default, LDP accepts all IPv4 FEC-label mappings.
4. Configure an IPv6 label acceptance policy.	ipv6 accept-label peer peer-lsr-id prefix-list prefix-list-name	By default, LDP accepts all IPv6 FEC-label mappings.

Configuring LDP loop detection

About LDP loop detection

The LDP loop detection feature enables LDP to detect loops during an LSP establishment. If LDP detects a loop, it terminates the LSP establishment. This feature is applicable to an MPLS network where most of the devices do not support the TTL mechanism, such as ATM switches.

LDP uses both the following methods to detect and terminate LSP loops:

· Maximum hop count loop detection—LDP adds a hop count in a label request or label mapping message. The hop count value increments by 1 on each LSR. When the maximum hop count is reached, LDP considers that a loop has occurred and terminates the LSP establishment.

· Path vector loop detection—LDP adds LSR ID information in a label request or label mapping message. Each LSR checks whether its LSR ID is contained in the message. If it is not, the LSR adds its own LSR ID into the message. If it is, the LSR considers that a loop has occurred and terminates LSP establishment. In addition, when the number of LSR IDs in the message reaches the path vector limit, LDP also considers that a loop has occurred and terminates LSP establishment.

Restrictions and guidelines

To use this feature, you must enable it on all LSRs that the LSP passes through.

To avoid extra LDP overhead, do not use this feature if most of the devices in an MPLS network support the TTL mechanism. Using the TTL mechanism can prevent endless routing loops.

Configuration procedure

To configure LDP loop detection:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter LDP view or enter LDP-VPN instance view.	· Enter LDP view: mpls ldp · Enter LDP-VPN instance view: a. mpls ldp b. vpn-instance vpn-instance-name	N/A
3. Enable loop detection.	loop-detect	By default, loop detection is disabled. After loop detection is enabled, the device uses both the maximum hop count and the path vector methods to detect loops.
4. Set the maximum hop count.	maxhops hop-number	By default, the maximum hop count is 32.
5. Set the path vector limit.	pv-limit pv-number	By default, the path vector limit is 32.

Configuring LDP session protection

If two LDP peers have both a direct link and an indirect link in between, you can configure this feature to protect their LDP session when the direct link fails.

LDP establishes both a Link Hello adjacency over the direct link and a Targeted Hello adjacency over the indirect link with the peer. When the direct link fails, LDP deletes the Link Hello adjacency but still maintains the Targeted Hello adjacency. In this way, the LDP session between the two peers is kept available, and the FEC-label mappings based on this session are not deleted. When the direct link recovers, the LDP peers do not need to re-establish the LDP session or re-learn the FEC-label mappings.

When you enable the session protection feature, you can also specify the session protection duration. If the Link Hello adjacency does not recover within the duration, LDP deletes the Targeted Hello adjacency and the LDP session. If you do not specify the session protection duration, the two peers will always maintain the LDP session over the Targeted Hello adjacency.

LDP session protection is applicable only to IPv4 networks.

To configure LDP session protection:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter LDP view.	mpls ldp	N/A
3. Enable the session protection feature.	session protection [ duration time ] [ peer peer-prefix-list-name ]	By default, session protection is disabled.

Configuring LDP GR

Before you configure LDP GR, enable LDP on the GR restarter and GR helpers.

To configure LDP GR:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter LDP view.	mpls ldp	N/A
3. Enable LDP GR.	graceful-restart	By default, LDP GR is disabled.
4. Set the Reconnect timer for LDP GR.	graceful-restart timer reconnect reconnect-time	By default, the Reconnect time is 120 seconds.
5. Set the MPLS Forwarding State Holding timer for LDP GR.	graceful-restart timer forwarding-hold hold-time	By default, the MPLS Forwarding State Holding time is 180 seconds.

Configuring LDP NSR

The following matrix shows the feature and hardware compatibility:

Hardware	LDP NSR compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS	No
MSR2600-6-X1/2600-10-X1	· In standalone mode: No · In IRF mode: Yes
MSR 2630	· In standalone mode: No · In IRF mode: Yes
MSR3600-28/3620-DP/3600-51	· In standalone mode: No · In IRF mode: Yes
MSR3600-28-SI/3600-51-SI	No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC	· In standalone mode: No · In IRF mode: Yes
MSR 3610/3620/3640/3660	· In standalone mode: No · In IRF mode: Yes
MSR5620/5660/5680	Yes

Hardware	LDP NSR compatibility
MSR810-LM-GL	No
MSR810-W-LM-GL	No
MSR830-6EI-GL	No
MSR830-10EI-GL	No
MSR830-6HI-GL	No
MSR830-10HI-GL	No
MSR2600-6-X1-GL	No
MSR3600-28-SI-GL	No

To configure LDP NSR:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter LDP view.	mpls ldp	N/A
3. Enable LDP NSR.	non-stop-routing	By default, LDP NSR is disabled.

Configuring LDP-IGP synchronization

After you enable LDP-IGP synchronization for an OSPF process, OSPF area, or an IS-IS process, LDP-IGP synchronization is enabled on the OSPF process interfaces or the IS-IS process interfaces.

You can execute the mpls ldp igp sync disable command to disable LDP-IGP synchronization on interfaces where LDP-IGP synchronization is not required.

LDP-IGP synchronization protection is only applicable to an IPv4 network.

Configuring LDP-OSPF synchronization

LDP-IGP synchronization is not supported for an OSPF process and its OSPF areas if the OSPF process belongs to a VPN instance.

To configure LDP-OSPF synchronization for an OSPF process:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter OSPF view.	ospf [ process-id \| router-id router-id ] *	N/A
3. Enable LDP-OSPF synchronization.	mpls ldp sync	By default, LDP-OSPF synchronization is disabled.
4. Return to system view.	quit	N/A
5. Enter interface view.	interface interface-type interface-number	N/A
6. (Optional.) Disable LDP-IGP synchronization on the interface.	mpls ldp igp sync disable	By default, LDP-IGP synchronization is enabled on an interface.
7. Return to system view.	quit	N/A
8. Enter LDP view.	mpls ldp	N/A
9. (Optional.) Set the delay for LDP to notify IGP of the LDP convergence.	igp sync delay time	By default, LDP immediately notifies IGP of the LDP convergence completion.
10. (Optional.) Set the maximum delay for LDP to notify IGP of the LDP-IGP synchronization status after an LDP restart or active/standby switchover.	igp sync delay on-restart time	By default, the maximum notification delay is 90 seconds.

To configure LDP-OSPF synchronization for an OSPF area:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter OSPF view.	ospf [ process-id \| router-id router-id ] *	N/A
3. Enter area view.	area area-id	N/A
4. Enable LDP-OSPF synchronization.	mpls ldp sync	By default, LDP-OSPF synchronization is disabled.
5. Return to system view.	quit	N/A
6. Enter interface view.	interface interface-type interface-number	N/A
7. (Optional.) Disable LDP-IGP synchronization on the interface.	mpls ldp igp sync disable	By default, LDP-IGP synchronization is enabled on an interface.
8. Return to system view.	quit	N/A
9. Enter LDP view.	mpls ldp	N/A
10. (Optional.) Set the delay for LDP to notify IGP of the LDP convergence.	igp sync delay time	By default, LDP immediately notifies IGP of the LDP convergence completion.
11. (Optional.) Set the maximum delay for LDP to notify IGP of the LDP-IGP synchronization status after an LDP restart or active/standby switchover.	igp sync delay on-restart time	By default, the maximum notification delay is 90 seconds.

Configuring LDP IS-IS synchronization

LDP-IGP synchronization is not supported for an IS-IS process that belongs to a VPN instance.

To configure LDP-ISIS synchronization for an IS-IS process:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter IS-IS view.	isis [ process-id ]	N/A
3. Enable LDP-ISIS synchronization.	mpls ldp sync [ level-1 \| level-2 ]	By default, LDP-ISIS synchronization is disabled.
4. Return to system view.	quit	N/A
5. Enter interface view.	interface interface-type interface-number	N/A
6. (Optional.) Disable LDP-IGP synchronization on the interface.	mpls ldp igp sync disable	By default, LDP-IGP synchronization is enabled on an interface.
7. Return to system view.	quit	N/A
8. Enter LDP view.	mpls ldp	N/A
9. (Optional.) Set the delay for LDP to notify IGP of the LDP convergence completion.	igp sync delay time	By default, LDP immediately notifies IGP of the LDP convergence completion.
10. (Optional.) Set the maximum delay for LDP to notify IGP of the LDP-IGP synchronization status after an LDP restart or an active/standby switchover occurs.	igp sync delay on-restart time	By default, the maximum notification delay is 90 seconds.

Configuring LDP FRR

LDP FRR is based on IP FRR, and is enabled automatically after IP FRR is enabled. For information about configuring IP FRR, see Layer 3—IP Routing Configuration Guide.

Setting a DSCP value for outgoing LDP packets

To control the transmission preference of outgoing LDP packets, set a DSCP value for outgoing LDP packets.

To set a DSCP value for outgoing LDP packets:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter LDP view.	mpls ldp	N/A
3. Set a DSCP value for outgoing LDP packets.	dscp dscp-value	By default, the DSCP value for outgoing LDP packets is 48.

Resetting LDP sessions

Changes to LDP session parameters take effect only on new LDP sessions. To apply the changes to an existing LDP session, you must reset all LDP sessions by executing the reset mpls ldp command.

Execute the reset mpls ldp command in user view.

Task	Command	Remarks
Reset LDP sessions.	reset mpls ldp [ vpn-instance vpn-instance-name ] [ peer peer-id ]	If you specify the peer keyword, this command resets the LDP session to the specified peer without validating the session parameter changes.

Enabling SNMP notifications for LDP

This command enables generating SNMP notifications for LDP upon LDP session changes, as defined in RFC 3815. For LDP event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see the network management and monitoring configuration guide for the device.

To enable SNMP notifications for LDP:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable SNMP notifications for LDP.	snmp-agent trap enable ldp	By default, SNMP notifications for LDP are enabled.

Displaying and maintaining LDP

Execute display commands in any view.

Task	Command
Display LDP discovery information.	display mpls ldp discovery [ vpn-instance vpn-instance-name ] [ [ interface interface-type interface-number \| peer peer-lsr-id ] [ ipv6 ] \| [ targeted-peer { ipv4-address \| ipv6-address } ] ] [ verbose ]
Display LDP FEC-label mapping information.	display mpls ldp fec [ vpn-instance vpn-instance-name ] [ ipv4-address mask-length \| ipv6-address prefix-length \| [ ipv6 ] [ summary ] ]
Display LDP-IGP synchronization information.	display mpls ldp igp sync [ interface interface-type interface-number ]
Display LDP interface information.	display mpls ldp interface [ vpn-instance vpn-instance-name ] [ interface-type interface-number ] [ ipv6 ]
Display LDP LSP information.	display mpls ldp lsp [ vpn-instance vpn-instance-name ] [ ipv4-address mask-length \| ipv6-address prefix-length \| ipv6 ]
Display LDP running parameters.	display mpls ldp parameter [ vpn-instance vpn-instance-name ]
Display LDP peer and session information.	display mpls ldp peer [ vpn-instance vpn-instance-name ] [ peer-lsr-id ] [ verbose ]
Display LDP summary information.	display mpls ldp summary [ all \| vpn-instance vpn-instance-name ]

IPv4 LDP configuration examples

LDP LSP configuration example

Network requirements

Router A, Router B, and Router C all support MPLS.

Configure LDP to establish LSPs between Router A and Router C, so subnets 11.1.1.0/24 and 21.1.1.0/24 can reach each other over MPLS.

Configure LDP to establish LSPs only for destinations 1.1.1.9/32, 2.2.2.9/32, 3.3.3.9/32, 11.1.1.0/24, and 21.1.1.0/24 on Router A, Router B, and Router C.

Figure 18 Network diagram

Requirements analysis

· To ensure that the LSRs establish IPv4 LSPs automatically, enable IPv4 LDP on each LSR.

· To establish IPv4 LDP LSPs, configure an IPv4 routing protocol to ensure IP connectivity between the LSRs. This example uses OSPF.

· To control the number of IPv4 LSPs, configure an IPv4 LSP generation policy on each LSR.

Configuration procedure

1. Configure IP addresses and masks for interfaces, including the loopback interfaces, as shown in Figure 18. (Details not shown.)

2. Configure OSPF on each router to ensure IP connectivity between them:

# Configure Router A.

<RouterA> system-view

[RouterA] ospf

[RouterA-ospf-1] area 0

[RouterA-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[RouterA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[RouterA-ospf-1-area-0.0.0.0] network 11.1.1.0 0.0.0.255

[RouterA-ospf-1-area-0.0.0.0] quit

[RouterA-ospf-1] quit

# Configure Router B.

<RouterB> system-view

[RouterB] ospf

[RouterB-ospf-1] area 0

[RouterB-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[RouterB-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[RouterB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255

[RouterB-ospf-1-area-0.0.0.0] quit

[RouterB-ospf-1] quit

# Configure Router C.

<RouterC> system-view

[RouterC] ospf

[RouterC-ospf-1] area 0

[RouterC-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[RouterC-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255

[RouterC-ospf-1-area-0.0.0.0] network 21.1.1.0 0.0.0.255

[RouterC-ospf-1-area-0.0.0.0] quit

[RouterC-ospf-1] quit

# Verify that the routers have learned the routes to each other. This example uses Router A.

[RouterA] display ip routing-table

Destinations : 21 Routes : 21

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

1.1.1.9/32 Direct 0 0 127.0.0.1 InLoop0

2.2.2.9/32 O_INTRA 10 1 10.1.1.2 Ser2/1/0

3.3.3.9/32 O_INTRA 10 2 10.1.1.2 Ser2/1/0

10.1.1.0/24 Direct 0 0 10.1.1.1 Ser2/1/0

10.1.1.0/32 Direct 0 0 10.1.1.1 Ser2/1/0

10.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.255/32 Direct 0 0 10.1.1.1 Ser2/1/0

11.1.1.0/24 Direct 0 0 11.1.1.1 GE2/0/1

11.1.1.0/32 Direct 0 0 11.1.1.1 GE2/0/1

11.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.255/32 Direct 0 0 11.1.1.1 GE2/0/1

20.1.1.0/24 O_INTRA 10 2 10.1.1.2 Ser2/1/0

21.1.1.0/24 O_INTRA 10 3 10.1.1.2 Ser2/1/0

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

3. Enable MPLS and IPv4 LDP:

# Configure Router A.

[RouterA] mpls lsr-id 1.1.1.9

[RouterA] mpls ldp

[RouterA-ldp] quit

[RouterA] interface serial 2/1/0

[RouterA-Serial2/1/0] mpls enable

[RouterA-Serial2/1/0] mpls ldp enable

[RouterA-Serial2/1/0] quit

# Configure Router B.

[RouterB] mpls lsr-id 2.2.2.9

[RouterB] mpls ldp

[RouterB-ldp] quit

[RouterB] interface serial 2/1/0

[RouterB-Serial2/1/0] mpls enable

[RouterB-Serial2/1/0] mpls ldp enable

[RouterB-Serial2/1/0] quit

[RouterB] interface serial 2/1/1

[RouterB-Serial2/1/1] mpls enable

[RouterB-Serial2/1/1] mpls ldp enable

[RouterB-Serial2/1/1] quit

# Configure Router C.

[RouterC] mpls lsr-id 3.3.3.9

[RouterC] mpls ldp

[RouterC-ldp] quit

[RouterC] interface serial 2/1/0

[RouterC-Serial2/1/0] mpls enable

[RouterC-Serial2/1/0] mpls ldp enable

[RouterC-Serial2/1/0] quit

4. Configure IPv4 LSP generation policies:

# On Router A, create IP prefix list routera, and configure LDP to use only the routes permitted by the prefix list to establish LSPs.

[RouterA] ip prefix-list routera index 10 permit 1.1.1.9 32

[RouterA] ip prefix-list routera index 20 permit 2.2.2.9 32

[RouterA] ip prefix-list routera index 30 permit 3.3.3.9 32

[RouterA] ip prefix-list routera index 40 permit 11.1.1.0 24

[RouterA] ip prefix-list routera index 50 permit 21.1.1.0 24

[RouterA] mpls ldp

[RouterA-ldp] lsp-trigger prefix-list routera

[RouterA-ldp] quit

# On Router B, create IP prefix list routerb, and configure LDP to use only the routes permitted by the prefix list to establish LSPs.

[RouterB] ip prefix-list routerb index 10 permit 1.1.1.9 32

[RouterB] ip prefix-list routerb index 20 permit 2.2.2.9 32

[RouterB] ip prefix-list routerb index 30 permit 3.3.3.9 32

[RouterB] ip prefix-list routerb index 40 permit 11.1.1.0 24

[RouterB] ip prefix-list routerb index 50 permit 21.1.1.0 24

[RouterB] mpls ldp

[RouterB-ldp] lsp-trigger prefix-list routerb

[RouterB-ldp] quit

# On Router C, create IP prefix list routerc, and configure LDP to use only the routes permitted by the prefix list to establish LSPs.

[RouterC] ip prefix-list routerc index 10 permit 1.1.1.9 32

[RouterC] ip prefix-list routerc index 20 permit 2.2.2.9 32

[RouterC] ip prefix-list routerc index 30 permit 3.3.3.9 32

[RouterC] ip prefix-list routerc index 40 permit 11.1.1.0 24

[RouterC] ip prefix-list routerc index 50 permit 21.1.1.0 24

[RouterC] mpls ldp

[RouterC-ldp] lsp-trigger prefix-list routerc

[RouterC-ldp] quit

Verifying the configuration

# Display LDP LSP information on the routers, for example, on Router A.

[RouterA] display mpls ldp lsp

Status Flags: * - stale, L - liberal, B - backup

FECs: 5 Ingress: 3 Transit: 3 Egress: 2

FEC In/Out Label Nexthop OutInterface

1.1.1.9/32 3/-

-/1279(L)

2.2.2.9/32 -/3 10.1.1.2 Ser2/1/0

1279/3 10.1.1.2 Ser2/1/0

3.3.3.9/32 -/1278 10.1.1.2 Ser2/1/0

1278/1278 10.1.1.2 Ser2/1/0

11.1.1.0/24 1277/-

-/1277(L)

21.1.1.0/24 -/1276 10.1.1.2 Ser2/1/0

1276/1276 10.1.1.2 Ser2/1/0

# Test the connectivity of the LDP LSP from Router A to Router C.

[RouterA] ping mpls -a 11.1.1.1 ipv4 21.1.1.0 24

MPLS ping FEC 21.1.1.0/24 with 100 bytes of data

100 bytes from 20.1.1.2: Sequence=1 time=1 ms

100 bytes from 20.1.1.2: Sequence=2 time=1 ms

100 bytes from 20.1.1.2: Sequence=3 time=8 ms

100 bytes from 20.1.1.2: Sequence=4 time=2 ms

100 bytes from 20.1.1.2: Sequence=5 time=1 ms

--- Ping statistics for FEC 21.1.1.0/24 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

Round-trip min/avg/max = 1/2/8 ms

# Test the connectivity of the LDP LSP from Router C to Router A.

[RouterC] ping mpls -a 21.1.1.1 ipv4 11.1.1.0 24

MPLS ping FEC 11.1.1.0/24 with 100 bytes of data

100 bytes from 10.1.1.1: Sequence=1 time=1 ms

100 bytes from 10.1.1.1: Sequence=2 time=1 ms

100 bytes from 10.1.1.1: Sequence=3 time=1 ms

100 bytes from 10.1.1.1: Sequence=4 time=1 ms

100 bytes from 10.1.1.1: Sequence=5 time=1 ms

--- Ping statistics for FEC 11.1.1.0/24 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

Round-trip min/avg/max = 1/1/1 ms

Label acceptance control configuration example

Network requirements

Two links, Router A—Router B—Router C and Router A—Router D—Router C, exist between subnets 11.1.1.0/24 and 21.1.1.0/24.

Configure LDP to establish LSPs only for routes to subnets 11.1.1.0/24 and 21.1.1.0/24.

Configure LDP to establish LSPs only on the link Router A—Router B—Router C to forward traffic between subnets 11.1.1.0/24 and 21.1.1.0/24.

Figure 19 Network diagram

Requirements analysis

· To ensure that the LSRs establish IPv4 LSPs automatically, enable IPv4 LDP on each LSR.

· To establish IPv4 LDP LSPs, configure an IPv4 routing protocol to ensure IP connectivity between the LSRs. This example uses OSPF.

· To ensure that LDP establishes IPv4 LSPs only for the routes 11.1.1.0/24 and 21.1.1.0/24, configure IPv4 LSP generation policies on each LSR.

· To ensure that LDP establishes IPv4 LSPs only over the link Router A—Router B—Router C, configure IPv4 label acceptance policies as follows:

? Router A accepts only the label mapping for FEC 21.1.1.0/24 received from Router B. Router A denies the label mapping for FEC 21.1.1.0/24 received from Router D.

? Router C accepts only the label mapping for FEC 11.1.1.0/24 received from Router B. Router C denies the label mapping for FEC 11.1.1.0/24 received from Router D.

Configuration procedure

1. Configure IP addresses and masks for interfaces, including the loopback interfaces, as shown in Figure 19. (Details not shown.)

2. Configure OSPF on each router to ensure IP connectivity between them. (Details not shown.)

3. Enable MPLS and IPv4 LDP:

# Configure Router A.

<RouterA> system-view

[RouterA] mpls lsr-id 1.1.1.9

[RouterA] mpls ldp

[RouterA-ldp] quit

[RouterA] interface serial 2/1/0

[RouterA-Serial2/1/0] mpls enable

[RouterA-Serial2/1/0] mpls ldp enable

[RouterA-Serial2/1/0] quit

[RouterA] interface serial 2/1/1

[RouterA-Serial2/1/1] mpls enable

[RouterA-Serial2/1/1] mpls ldp enable

[RouterA-Serial2/1/1] quit

# Configure Router B.

<RouterB> system-view

[RouterB] mpls lsr-id 2.2.2.9

[RouterB] mpls ldp

[RouterB-ldp] quit

[RouterB] interface serial 2/1/0

[RouterB-Serial2/1/0] mpls enable

[RouterB-Serial2/1/0] mpls ldp enable

[RouterB-Serial2/1/0] quit

[RouterB] interface serial 2/1/1

[RouterB-Serial2/1/1] mpls enable

[RouterB-Serial2/1/1] mpls ldp enable

[RouterB-Serial2/1/1] quit

# Configure Router C.

<RouterC> system-view

[RouterC] mpls lsr-id 3.3.3.9

[RouterC] mpls ldp

[RouterC-ldp] quit

[RouterC] interface serial 2/1/0

[RouterC-Serial2/1/0] mpls enable

[RouterC-Serial2/1/0] mpls ldp enable

[RouterC-Serial2/1/0] quit

[RouterC] interface serial 2/1/1

[RouterC-Serial2/1/1] mpls enable

[RouterC-Serial2/1/1] mpls ldp enable

[RouterC-Serial2/1/1] quit

# Configure Router D.

<RouterD> system-view

[RouterD] mpls lsr-id 4.4.4.9

[RouterD] mpls ldp

[RouterD-ldp] quit

[RouterD] interface serial 2/1/0

[RouterD-Serial2/1/0] mpls enable

[RouterD-Serial2/1/0] mpls ldp enable

[RouterD-Serial2/1/0] quit

[RouterD] interface serial 2/1/1

[RouterD-Serial2/1/1] mpls enable

[RouterD-Serial2/1/1] mpls ldp enable

[RouterD-Serial2/1/1] quit

4. Configure IPv4 LSP generation policies:

# On Router A, create IP prefix list routera, and configure LDP to use only the routes permitted by the prefix list to establish LSPs.

[RouterA] ip prefix-list routera index 10 permit 11.1.1.0 24

[RouterA] ip prefix-list routera index 20 permit 21.1.1.0 24

[RouterA] mpls ldp

[RouterA-ldp] lsp-trigger prefix-list routera

[RouterA-ldp] quit

# On Router B, create IP prefix list routerb, and configure LDP to use only the routes permitted by the prefix list to establish LSPs.

[RouterB] ip prefix-list routerb index 10 permit 11.1.1.0 24

[RouterB] ip prefix-list routerb index 20 permit 21.1.1.0 24

[RouterB] mpls ldp

[RouterB-ldp] lsp-trigger prefix-list routerb

[RouterB-ldp] quit

# On Router C, create IP prefix list routerc, and configure LDP to use only the routes permitted by the prefix list to establish LSPs.

[RouterC] ip prefix-list routerc index 10 permit 11.1.1.0 24

[RouterC] ip prefix-list routerc index 20 permit 21.1.1.0 24

[RouterC] mpls ldp

[RouterC-ldp] lsp-trigger prefix-list routerc

[RouterC-ldp] quit

# On Router D, create IP prefix list routerd, and configure LDP to use only the routes permitted by the prefix list to establish LSPs.

[RouterD] ip prefix-list routerd index 10 permit 11.1.1.0 24

[RouterD] ip prefix-list routerd index 20 permit 21.1.1.0 24

[RouterD] mpls ldp

[RouterD-ldp] lsp-trigger prefix-list routerd

[RouterD-ldp] quit

5. Configure IPv4 label acceptance policies:

# On Router A, create IP prefix list prefix-from-b to permit subnet 21.1.1.0/24. Router A uses this list to filter FEC-label mappings received from Router B.

[RouterA] ip prefix-list prefix-from-b index 10 permit 21.1.1.0 24

# On Router A, create IP prefix list prefix-from-d to deny subnet 21.1.1.0/24. Router A uses this list to filter FEC-label mappings received from Router D.

[RouterA] ip prefix-list prefix-from-d index 10 deny 21.1.1.0 24

# On Router A, configure label acceptance policies to filter FEC-label mappings received from Router B and Router D.

[RouterA] mpls ldp

[RouterA-ldp] accept-label peer 2.2.2.9 prefix-list prefix-from-b

[RouterA-ldp] accept-label peer 4.4.4.9 prefix-list prefix-from-d

[RouterA-ldp] quit

# On Router C, create IP prefix list prefix-from-b to permit subnet 11.1.1.0/24. Router C uses this list to filter FEC-label mappings received from Router B.

[RouterC] ip prefix-list prefix-from-b index 10 permit 11.1.1.0 24

# On Router C, create IP prefix list prefix-from-d to deny subnet 11.1.1.0/24. Router A uses this list to filter FEC-label mappings received from Router D.

[RouterC] ip prefix-list prefix-from-d index 10 deny 11.1.1.0 24

# On Router C, configure label acceptance policies to filter FEC-label mappings received from Router B and Router D.

[RouterC] mpls ldp

[RouterC-ldp] accept-label peer 2.2.2.9 prefix-list prefix-from-b

[RouterC-ldp] accept-label peer 4.4.4.9 prefix-list prefix-from-d

[RouterC-ldp] quit

Verifying the configuration

# Display LDP LSP information on the routers, for example, on Router A.

[RouterA] display mpls ldp lsp

Status Flags: * - stale, L - liberal, B - backup

FECs: 2 Ingress: 1 Transit 1 Egress: 1

FEC In/Out Label Nexthop OutInterface

11.1.1.0/24 1277/-

-/1148(L)

21.1.1.0/24 -/1276 10.1.1.2 Ser2/1/0

1276/1276 10.1.1.2 Ser2/1/0

The output shows that the next hop of the LSP for FEC 21.1.1.0/24 is Router B (10.1.1.2). The LSP has been established over the link Router A—Router B—Router C, not over the link Router A—Router D—Router C.

# Test the connectivity of the LDP LSP from Router A to Router C.

[RouterA] ping mpls -a 11.1.1.1 ipv4 21.1.1.0 24

MPLS ping FEC 21.1.1.0/24 with 100 bytes of data

100 bytes from 20.1.1.2: Sequence=1 time=1 ms

100 bytes from 20.1.1.2: Sequence=2 time=1 ms

100 bytes from 20.1.1.2: Sequence=3 time=8 ms

100 bytes from 20.1.1.2: Sequence=4 time=2 ms

100 bytes from 20.1.1.2: Sequence=5 time=1 ms

--- Ping statistics for FEC 21.1.1.0/24 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

Round-trip min/avg/max = 1/2/8 ms

# Test the connectivity of the LDP LSP from Router C to Router A.

[RouterC] ping mpls -a 21.1.1.1 ipv4 11.1.1.0 24

MPLS ping FEC 11.1.1.0/24 with 100 bytes of data

100 bytes from 10.1.1.1: Sequence=1 time=1 ms

100 bytes from 10.1.1.1: Sequence=2 time=1 ms

100 bytes from 10.1.1.1: Sequence=3 time=1 ms

100 bytes from 10.1.1.1: Sequence=4 time=1 ms

100 bytes from 10.1.1.1: Sequence=5 time=1 ms

--- Ping statistics for FEC 11.1.1.0/24 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

Round-trip min/avg/max = 1/1/1 ms

Label advertisement control configuration example

Network requirements

Two links, Router A—Router B—Router C and Router A—Router D—Router C, exist between subnets 11.1.1.0/24 and 21.1.1.0/24.

Configure LDP to establish LSPs only for routes to subnets 11.1.1.0/24 and 21.1.1.0/24.

Configure LDP to establish LSPs only on the link Router A—Router B—Router C to forward traffic between subnets 11.1.1.0/24 and 21.1.1.0/24.

Figure 20 Network diagram

Requirements analysis

· To ensure that the LSRs establish IPv4 LSPs automatically, enable IPv4 LDP on each LSR.

· To establish IPv4 LDP LSPs, configure an IPv4 routing protocol to ensure IP connectivity between the LSRs. This example uses OSPF.

· To ensure that LDP establishes IPv4 LSPs only for the routes 11.1.1.0/24 and 21.1.1.0/24, configure IPv4 LSP generation policies on each LSR.

· To ensure that LDP establishes IPv4 LSPs only over the link Router A—Router B—Router C, configure IPv4 label advertisement policies as follows:

? Router A advertises only the label mapping for FEC 11.1.1.0/24 to Router B.

? Router C advertises only the label mapping for FEC 21.1.1.0/24 to Router B.

? Router D does not advertise label mapping for FEC 21.1.1.0/24 to Router A. Router D does not advertise label mapping for FEC 11.1.1.0/24 to Router C.

Configuration procedure

1. Configure IP addresses and masks for interfaces, including the loopback interfaces, as shown in Figure 20. (Details not shown.)

2. Configure OSPF on each router to ensure IP connectivity between them. (Details not shown.)

3. Enable MPLS and IPv4 LDP:

# Configure Router A.

<RouterA> system-view

[RouterA] mpls lsr-id 1.1.1.9

[RouterA] mpls ldp

[RouterA-ldp] quit

[RouterA] interface serial 2/1/0

[RouterA-Serial2/1/0] mpls enable

[RouterA-Serial2/1/0] mpls ldp enable

[RouterA-Serial2/1/0] quit

[RouterA] interface serial 2/1/1

[RouterA-Serial2/1/1] mpls enable

[RouterA-Serial2/1/1] mpls ldp enable

[RouterA-Serial2/1/1] quit

# Configure Router B.

<RouterB> system-view

[RouterB] mpls lsr-id 2.2.2.9

[RouterB] mpls ldp

[RouterB-ldp] quit

[RouterB] interface serial 2/1/0

[RouterB-Serial2/1/0] mpls enable

[RouterB-Serial2/1/0] mpls ldp enable

[RouterB-Serial2/1/0] quit

[RouterB] interface serial 2/1/1

[RouterB-Serial2/1/1] mpls enable

[RouterB-Serial2/1/1] mpls ldp enable

[RouterB-Serial2/1/1] quit

# Configure Router C.

<RouterC> system-view

[RouterC] mpls lsr-id 3.3.3.9

[RouterC] mpls ldp

[RouterC-ldp] quit

[RouterC] interface serial 2/1/0

[RouterC-Serial2/1/0] mpls enable

[RouterC-Serial2/1/0] mpls ldp enable

[RouterC-Serial2/1/0] quit

[RouterC] interface serial 2/1/1

[RouterC-Serial2/1/1] mpls enable

[RouterC-Serial2/1/1] mpls ldp enable

[RouterC-Serial2/1/1] quit

# Configure Router D.

<RouterD> system-view

[RouterD] mpls lsr-id 4.4.4.9

[RouterD] mpls ldp

[RouterD-ldp] quit

[RouterD] interface serial 2/1/0

[RouterD-Serial2/1/0] mpls enable

[RouterD-Serial2/1/0] mpls ldp enable

[RouterD-Serial2/1/0] quit

[RouterD] interface serial 2/1/1

[RouterD-Serial2/1/1] mpls enable

[RouterD-Serial2/1/1] mpls ldp enable

[RouterD-Serial2/1/1] quit

4. Configure IPv4 LSP generation policies:

# On Router A, create IP prefix list routera, and configure LDP to use only the routes permitted by the prefix list to establish LSPs.

[RouterA] ip prefix-list routera index 10 permit 11.1.1.0 24

[RouterA] ip prefix-list routera index 20 permit 21.1.1.0 24

[RouterA] mpls ldp

[RouterA-ldp] lsp-trigger prefix-list routera

[RouterA-ldp] quit

# On Router B, create IP prefix list routerb, and configure LDP to use only the routes permitted by the prefix list to establish LSPs.

[RouterB] ip prefix-list routerb index 10 permit 11.1.1.0 24

[RouterB] ip prefix-list routerb index 20 permit 21.1.1.0 24

[RouterB] mpls ldp

[RouterB-ldp] lsp-trigger prefix-list routerb

[RouterB-ldp] quit

# On Router C, create IP prefix list routerc, and configure LDP to use only the routes permitted by the prefix list to establish LSPs.

[RouterC] ip prefix-list routerc index 10 permit 11.1.1.0 24

[RouterC] ip prefix-list routerc index 20 permit 21.1.1.0 24

[RouterC] mpls ldp

[RouterC-ldp] lsp-trigger prefix-list routerc

[RouterC-ldp] quit

# On Router D, create IP prefix list routerd, and configure LDP to use only the routes permitted by the prefix list to establish LSPs.

[RouterD] ip prefix-list routerd index 10 permit 11.1.1.0 24

[RouterD] ip prefix-list routerd index 20 permit 21.1.1.0 24

[RouterD] mpls ldp

[RouterD-ldp] lsp-trigger prefix-list routerd

[RouterD-ldp] quit

5. Configure IPv4 label advertisement policies:

# On Router A, create IP prefix list prefix-to-b to permit subnet 11.1.1.0/24. Router A uses this list to filter FEC-label mappings advertised to Router B.

[RouterA] ip prefix-list prefix-to-b index 10 permit 11.1.1.0 24

# On Router A, create IP prefix list peer-b to permit 2.2.2.9/32. Router A uses this list to filter peers.

[RouterA] ip prefix-list peer-b index 10 permit 2.2.2.9 32

# On Router A, configure a label advertisement policy to advertise only the label mapping for FEC 11.1.1.0/24 to Router B.

[RouterA] mpls ldp

[RouterA-ldp] advertise-label prefix-list prefix-to-b peer peer-b

[RouterA-ldp] quit

# On Router C, create IP prefix list prefix-to-b to permit subnet 21.1.1.0/24. Router C uses this list to filter FEC-label mappings advertised to Router B.

[RouterC] ip prefix-list prefix-to-b index 10 permit 21.1.1.0 24

# On Router C, create IP prefix list peer-b to permit 2.2.2.9/32. Router C uses this list to filter peers.

[RouterC] ip prefix-list peer-b index 10 permit 2.2.2.9 32

# On Router C, configure a label advertisement policy to advertise only the label mapping for FEC 21.1.1.0/24 to Router B.

[RouterC] mpls ldp

[RouterC-ldp] advertise-label prefix-list prefix-to-b peer peer-b

[RouterC-ldp] quit

# On Router D, create IP prefix list prefix-to-a to deny subnet 21.1.1.0/24. Router D uses this list to filter FEC-label mappings to be advertised to Router A.

[RouterD] ip prefix-list prefix-to-a index 10 deny 21.1.1.0 24

[RouterD] ip prefix-list prefix-to-a index 20 permit 0.0.0.0 0 less-equal 32

# On Router D, create IP prefix list peer-a to permit 1.1.1.9/32. Router D uses this list to filter peers.

[RouterD] ip prefix-list peer-a index 10 permit 1.1.1.9 32

# On Router D, create IP prefix list prefix-to-c to deny subnet 11.1.1.0/24. Router D uses this list to filter FEC-label mappings to be advertised to Router C.

[RouterD] ip prefix-list prefix-to-c index 10 deny 11.1.1.0 24

[RouterD] ip prefix-list prefix-to-c index 20 permit 0.0.0.0 0 less-equal 32

# On Router D, create IP prefix list peer-c to permit subnet 3.3.3.9/32. Router D uses this list to filter peers.

[RouterD] ip prefix-list peer-c index 10 permit 3.3.3.9 32

# On Router D, configure a label advertisement policy. This policy ensures that Router D does not advertise label mappings for FEC 21.1.1.0/24 to Router A, and does not advertise label mappings for FEC 11.1.1.0/24 to Router C.

[RouterD] mpls ldp

[RouterD-ldp] advertise-label prefix-list prefix-to-a peer peer-a

[RouterD-ldp] advertise-label prefix-list prefix-to-c peer peer-c

[RouterD-ldp] quit

Verifying the configuration

# Display LDP LSP information on each router.

[RouterA] display mpls ldp lsp

Status Flags: * - stale, L - liberal, B - backup

FECs: 2 Ingress: 1 Transit: 1 Egress: 1

FEC In/Out Label Nexthop OutInterface

11.1.1.0/24 1277/-

-/1151(L)

-/1277(L)

21.1.1.0/24 -/1276 10.1.1.2 Ser2/1/0

1276/1276 10.1.1.2 Ser2/1/0

[RouterB] display mpls ldp lsp

Status Flags: * - stale, L - liberal, B - backup

FECs: 2 Ingress: 2 Transit: 2 Egress: 0

FEC In/Out Label Nexthop OutInterface

11.1.1.0/24 -/1277 10.1.1.1 Ser2/1/0

1277/1277 10.1.1.1 Ser2/1/0

21.1.1.0/24 -/1149 20.1.1.2 Ser2/1/1

1276/1149 20.1.1.2 Ser2/1/1

[RouterC] display mpls ldp lsp

Status Flags: * - stale, L - liberal, B - backup

FECs: 2 Ingress: 1 Transit: 1 Egress: 1

FEC In/Out Label Nexthop OutInterface

11.1.1.0/24 -/1277 20.1.1.1 Ser2/1/0

1148/1277 20.1.1.1 Ser2/1/0

21.1.1.0/24 1149/-

-/1276(L)

-/1150(L)

[RouterD] display mpls ldp lsp

Status Flags: * - stale, L - liberal, B - backup

FECs: 2 Ingress: 0 Transit: 0 Egress: 2

FEC In/Out Label Nexthop OutInterface

11.1.1.0/24 1151/-

-/1277(L)

21.1.1.0/24 1150/-

The output shows that Router A and Router C have received FEC-label mappings only from Router B. Router B has received FEC-label mappings from both Router A and Router C. Router D does not receive FEC-label mappings from Router A or Router C. LDP has established an LSP only over the link Router A—Router B—Router C.

# Test the connectivity of the LDP LSP from Router A to Router C.

[RouterA] ping mpls -a 11.1.1.1 ipv4 21.1.1.0 24

MPLS ping FEC 21.1.1.0/24 with 100 bytes of data

100 bytes from 20.1.1.2: Sequence=1 time=1 ms

100 bytes from 20.1.1.2: Sequence=2 time=1 ms

100 bytes from 20.1.1.2: Sequence=3 time=8 ms

100 bytes from 20.1.1.2: Sequence=4 time=2 ms

100 bytes from 20.1.1.2: Sequence=5 time=1 ms

--- Ping statistics for FEC 21.1.1.0/24 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

Round-trip min/avg/max = 1/2/8 ms

# Test the connectivity of the LDP LSP from Router C to Router A.

[RouterC] ping mpls -a 21.1.1.1 ipv4 11.1.1.0 24

MPLS ping FEC 11.1.1.0/24 with 100 bytes of data

100 bytes from 10.1.1.1: Sequence=1 time=1 ms

100 bytes from 10.1.1.1: Sequence=2 time=1 ms

100 bytes from 10.1.1.1: Sequence=3 time=1 ms

100 bytes from 10.1.1.1: Sequence=4 time=1 ms

100 bytes from 10.1.1.1: Sequence=5 time=1 ms

--- Ping statistics for FEC 11.1.1.0/24 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

Round-trip min/avg/max = 1/1/1 ms

LDP FRR configuration example

Network requirements

Router S, Router A, and Router D reside in the same OSPF domain. Configure OSPF FRR so LDP can establish a primary LSP and a backup LSP on the Router S—Router D and the Router S—Router A—Router D links, respectively.

When the primary LSP operates correctly, traffic between subnets 11.1.1.0/24 and 21.1.1.0/24 is forwarded through the LSP.

When the primary LSP fails, traffic between the two subnets can be immediately switched to the backup LSP.

Figure 21 Network diagram

Requirements analysis

· To ensure that the LSRs establish IPv4 LSPs automatically, enable IPv4 LDP on each LSR.

· To establish IPv4 LDP LSPs, configure an IPv4 routing protocol to ensure IP connectivity between the LSRs. This example uses OSPF.

· To ensure that LDP establishes IPv4 LSPs only for the routes 11.1.1.0/24 and 21.1.1.0/24, configure IPv4 LSP generation policies on each LSR.

· To allow LDP to establish backup LSRs, configure OSPF FRR on Router S and Router D.

Configuration procedure

1. Configure IP addresses and masks for interfaces, including the loopback interfaces, as shown in Figure 21. (Details not shown.)

2. Configure OSPF on each router to ensure IP connectivity between them. (Details not shown.)

3. Configure OSPF FRR by using one of the following methods:

? (Method 1.) Enable OSPF FRR to calculate a backup next hop by using the LFA algorithm:

# Configure Router S.

<RouterS> system-view

[RouterS] bfd echo-source-ip 10.10.10.10

[RouterS] ospf 1

[RouterS-ospf-1] fast-reroute lfa

[RouterS-ospf-1] quit

# Configure Router D.

<RouterD> system-view

[RouterD] bfd echo-source-ip 11.11.11.11

[RouterD] ospf 1

[RouterD-ospf-1] fast-reroute lfa

[RouterD-ospf-1] quit

? (Method 2.) Enable OSPF FRR to specify a backup next hop by using a routing policy:

# Configure Router S.

<RouterS> system-view

[RouterS] bfd echo-source-ip 10.10.10.10

[RouterS] ip prefix-list abc index 10 permit 21.1.1.0 24

[RouterS] route-policy frr permit node 10

[RouterS-route-policy] if-match ip address prefix-list abc

[RouterS-route-policy] apply fast-reroute backup-interface gigabitethernet 2/0/1 backup-nexthop 12.12.12.2

[RouterS-route-policy] quit

[RouterS] ospf 1

[RouterS-ospf-1] fast-reroute route-policy frr

[RouterS-ospf-1] quit

# Configure Router D.

<RouterD> system-view

[RouterD] bfd echo-source-ip 10.10.10.10

[RouterD] ip prefix-list abc index 10 permit 11.1.1.0 24

[RouterD] route-policy frr permit node 10

[RouterD-route-policy] if-match ip address prefix-list abc

[RouterD-route-policy] apply fast-reroute backup-interface gigabitethernet 2/0/1 backup-nexthop 24.24.24.2

[RouterD-route-policy] quit

[RouterD] ospf 1

[RouterD-ospf-1] fast-reroute route-policy frr

[RouterD-ospf-1] quit

4. Enable MPLS and IPv4 LDP:

# Configure Router S.

[RouterS] mpls lsr-id 1.1.1.1

[RouterS] mpls ldp

[RouterS-mpls-ldp] quit

[RouterS] interface gigabitethernet 2/0/1

[RouterS-GigabitEthernet2/0/1] mpls enable

[RouterS-GigabitEthernet2/0/1] mpls ldp enable

[RouterS-GigabitEthernet2/0/1] quit

[RouterS] interface gigabitethernet 2/0/2

[RouterS-GigabitEthernet2/0/2] mpls enable

[RouterS-GigabitEthernet2/0/2] mpls ldp enable

[RouterS-GigabitEthernet2/0/2] quit

# Configure Router D.

[RouterD] mpls lsr-id 3.3.3.3

[RouterD] mpls ldp

[RouterD-mpls-ldp] quit

[RouterD] interface gigabitethernet 2/0/1

[RouterD-GigabitEthernet2/0/1] mpls enable

[RouterD-GigabitEthernet2/0/1] mpls ldp enable

[RouterD-GigabitEthernet2/0/1] quit

[RouterD] interface gigabitethernet 2/0/2

[RouterD-GigabitEthernet2/0/2] mpls enable

[RouterD-GigabitEthernet2/0/2] mpls ldp enable

[RouterD-GigabitEthernet2/0/2] quit

# Configure Router A.

[RouterA] mpls lsr-id 2.2.2.2

[RouterA] mpls ldp

[RouterA-mpls-ldp] quit

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] mpls enable

[RouterA-GigabitEthernet2/0/1] mpls ldp enable

[RouterA-GigabitEthernet2/0/1] quit

[RouterA] interface gigabitethernet 2/0/2

[RouterA-GigabitEthernet2/0/2] mpls enable

[RouterA-GigabitEthernet2/0/2] mpls ldp enable

[RouterA-GigabitEthernet2/0/2] quit

5. Configure IPv4 LSP generation policies so LDP uses all static routes and IGP routes to establish LSPs:

# Configure Router S.

[RouterS] mpls ldp

[RouterS-ldp] lsp-trigger all

[RouterS-ldp] quit

# Configure Router D.

[RouterD] mpls ldp

[RouterD-ldp] lsp-trigger all

[RouterD-ldp] quit

# Configure Router A.

[RouterA] mpls ldp

[RouterA-ldp] lsp-trigger all

[RouterA-ldp] quit

Verifying the configuration

# Verify that primary and backup LSPs have been established.

[RouterS] display mpls ldp lsp 21.1.1.0 24

Status Flags: * - stale, L - liberal, B - backup

FECs: 1 Ingress: 2 Transit: 2 Egress: 0

FEC In/Out Label Nexthop OutInterface

21.1.1.0/24 -/1276 13.13.13.2 GE2/0/2

2174/1276 13.13.13.2 GE2/0/2

-/1276(B) 12.12.12.2 GE2/0/1

2174/1276(B) 12.12.12.2 GE2/0/1

IPv6 LDP configuration examples

IPv6 LDP LSP configuration example

Network requirements

Router A, Router B, and Router C all support MPLS.

Configure LDP to establish IPv6 LSPs between Router A and Router C, so subnets 11::0/64 and 21::0/64 can reach each other over MPLS.

Configure LDP to establish LSPs only for destinations 100::1/128, 100::2/128, 100::3/128, 11::0/64, and 21::0/64 on Router A, Router B, and Router C.

Figure 22 Network diagram

Requirements analysis

· To ensure that the LSRs establish IPv6 LSPs automatically, enable IPv6 LDP on each LSR.

· To establish IPv6 LDP LSPs, configure an IPv6 routing protocol to ensure IP connectivity between the LSRs. This example uses OSPFv3.

· To control the number of IPv6 LSPs, configure an IPv6 LSP generation policy on each LSR.

Configuration procedure

1. Configure IPv6 addresses and masks for interfaces, including the loopback interfaces, as shown in Figure 22. (Details not shown.)

2. Configure OSPFv3 on each router to ensure IP connectivity between them:

# Configure Router A.

<RouterA> system-view

[RouterA] ospfv3

[RouterA-ospfv3-1] router-id 1.1.1.9

[RouterA-ospfv3-1] area 0

[RouterA-ospfv3-1-area-0.0.0.0] quit

[RouterA-ospfv3-1] quit

[RouterA] interface loopback 0

[RouterA-LoopBack0] ospfv3 1 area 0.0.0.0

[RouterA-LoopBack0] quit

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] ospfv3 1 area 0.0.0.0

[RouterA-GigabitEthernet2/0/1] quit

[RouterA] interface serial 2/1/0

[RouterA-Serial2/1/0] ospfv3 1 area 0.0.0.0

[RouterA-Serial2/1/0] quit

# Configure Router B.

<RouterB> system-view

[RouterB] ospfv3

[RouterB-ospfv3-1] router-id 2.2.2.9

[RouterB-ospfv3-1] area 0

[RouterB-ospfv3-1-area-0.0.0.0] quit

[RouterB-ospfv3-1] quit

[RouterB] interface loopback 0

[RouterB-LoopBack0] ospfv3 1 area 0.0.0.0

[RouterB-LoopBack0] quit

[RouterB] interface serial 2/1/0

[RouterB-Serial2/1/0] ospfv3 1 area 0.0.0.0

[RouterB-Serial2/1/0] quit

[RouterB] interface serial 2/1/1

[RouterB-Serial2/1/1] ospfv3 1 area 0.0.0.0

[RouterB-Serial2/1/1] quit

# Configure Router C.

<RouterC> system-view

[RouterC] ospfv3

[RouterC-ospfv3-1] router-id 3.3.3.9

[RouterC-ospfv3-1] area 0

[RouterC-ospfv3-1-area-0.0.0.0] quit

[RouterC-ospfv3-1] quit

[RouterC] interface loopback 0

[RouterC-LoopBack0] ospfv3 1 area 0.0.0.0

[RouterC-LoopBack0] quit

[RouterC] interface gigabitethernet 2/0/1

[RouterC-GigabitEthernet2/0/1] ospfv3 1 area 0.0.0.0

[RouterC-GigabitEthernet2/0/1] quit

[RouterC] interface serial 2/1/0

[RouterC-Serial2/1/0] ospfv3 1 area 0.0.0.0

[RouterC-Serial2/1/0] quit

# Verify that the routers have learned the routes to each other. This example uses Router A.

[RouterA] display ipv6 routing-table

Destinations : 12 Routes : 12

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 10::/64 Protocol : Direct

NextHop : :: Preference: 0

Interface : Ser2/1/0 Cost : 0

Destination: 10::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 11::/64 Protocol : Direct

NextHop : :: Preference: 0

Interface : GE2/0/1 Cost : 0

Destination: 11::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 20::/64 Protocol : O_INTRA

NextHop : FE80::20C:29FF:FE9D:EAC0 Preference: 10

Interface : Ser2/1/0 Cost : 2

Destination: 21::/64 Protocol : O_INTRA

NextHop : FE80::20C:29FF:FE9D:EAC0 Preference: 10

Interface : Ser2/1/0 Cost : 3

Destination: 100::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 100::2/128 Protocol : O_INTRA

NextHop : FE80::20C:29FF:FE9D:EAC0 Preference: 10

Interface : Ser2/1/0 Cost : 1

Destination: 100::3/128 Protocol : O_INTRA

NextHop : FE80::20C:29FF:FE9D:EAC0 Preference: 10

Interface : Ser2/1/0 Cost : 2

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : InLoop0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

3. Enable MPLS and IPv6 LDP:

# Configure Router A.

[RouterA] mpls lsr-id 1.1.1.9

[RouterA] mpls ldp

[RouterA-ldp] quit

[RouterA] interface serial 2/1/0

[RouterA-Serial2/1/0] mpls enable

[RouterA-Serial2/1/0] mpls ldp ipv6 enable

[RouterA-Serial2/1/0] mpls ldp transport-address 10::1

[RouterA-Serial2/1/0] quit

# Configure Router B.

[RouterB] mpls lsr-id 2.2.2.9

[RouterB] mpls ldp

[RouterB-ldp] quit

[RouterB] interface serial 2/1/0

[RouterB-Serial2/1/0] mpls enable

[RouterB-Serial2/1/0] mpls ldp ipv6 enable

[RouterB-Serial2/1/0] mpls ldp transport-address 10::2

[RouterB-Serial2/1/0] quit

[RouterB] interface serial 2/1/1

[RouterB-Serial2/1/1] mpls enable

[RouterB-Serial2/1/1] mpls ldp ipv6 enable

[RouterB-Serial2/1/1] mpls ldp transport-address 20::1

[RouterB-Serial2/1/1] quit

# Configure Router C.

[RouterC] mpls lsr-id 3.3.3.9

[RouterC] mpls ldp

[RouterC-ldp] quit

[RouterC] interface serial 2/1/0

[RouterC-Serial2/1/0] mpls enable

[RouterC-Serial2/1/0] mpls ldp ipv6 enable

[RouterC-Serial2/1/0] mpls ldp transport-address 20::2

[RouterC-Serial2/1/0] quit

4. Configure IPv6 LSP generation policies:

# On Router A, create IPv6 prefix list routera, and configure LDP to use only the routes permitted by the prefix list to establish IPv6 LSPs.

[RouterA] ipv6 prefix-list routera index 10 permit 100::1 128

[RouterA] ipv6 prefix-list routera index 20 permit 100::2 128

[RouterA] ipv6 prefix-list routera index 30 permit 100::3 128

[RouterA] ipv6 prefix-list routera index 40 permit 11::0 64

[RouterA] ipv6 prefix-list routera index 50 permit 21::0 64

[RouterA] mpls ldp

[RouterA-ldp] ipv6 lsp-trigger prefix-list routera

[RouterA-ldp] quit

# On Router B, create IPv6 prefix list routerb, and configure LDP to use only the routes permitted by the prefix list to establish IPv6 LSPs.

[RouterB] ipv6 prefix-list routerb index 10 permit 100::1 128

[RouterB] ipv6 prefix-list routerb index 20 permit 100::2 128

[RouterB] ipv6 prefix-list routerb index 30 permit 100::3 128

[RouterB] ipv6 prefix-list routerb index 40 permit 11::0 64

[RouterB] ipv6 prefix-list routerb index 50 permit 21::0 64

[RouterB] mpls ldp

[RouterB-ldp] ipv6 lsp-trigger prefix-list routerb

[RouterB-ldp] quit

# On Router C, create IPv6 prefix list routerc, and configure LDP to use only the routes permitted by the prefix list to establish IPv6 LSPs.

[RouterC] ipv6 prefix-list routerc index 10 permit 100::1 128

[RouterC] ipv6 prefix-list routerc index 20 permit 100::2 128

[RouterC] ipv6 prefix-list routerc index 30 permit 100::3 128

[RouterC] ipv6 prefix-list routerc index 40 permit 11::0 64

[RouterC] ipv6 prefix-list routerc index 50 permit 21::0 64

[RouterC] mpls ldp

[RouterC-ldp] ipv6 lsp-trigger prefix-list routerc

[RouterC-ldp] quit

Verifying the configuration

# Display IPv6 LDP LSP information on the routers, for example, on Router A.

[RouterA] display mpls ldp lsp ipv6

Status Flags: * - stale, L - liberal, B - backup

FECs: 5 Ingress: 3 Transit: 3 Egress: 2

FEC: 11::/64

In/Out Label: 2426/- OutInterface : -

Nexthop : -

In/Out Label: -/2424(L) OutInterface : -

Nexthop : -

FEC: 21::/64

In/Out Label: -/2425 OutInterface : Ser2/1/0

Nexthop : FE80::20C:29FF:FE9D:EAC0

In/Out Label: 2423/2425 OutInterface : Ser2/1/0

Nexthop : FE80::20C:29FF:FE9D:EAC0

FEC: 100::1/128

In/Out Label: 1040377/- OutInterface : -

Nexthop : -

In/Out Label: -/2426(L) OutInterface : -

Nexthop : -

FEC: 100::2/128

In/Out Label: -/1040379 OutInterface : Ser2/1/0

Nexthop : FE80::20C:29FF:FE9D:EAC0

In/Out Label: 2425/1040379 OutInterface : Ser2/1/0

Nexthop : FE80::20C:29FF:FE9D:EAC0

FEC: 100::3/128

In/Out Label: -/2427 OutInterface : Ser2/1/0

Nexthop : FE80::20C:29FF:FE9D:EAC0

In/Out Label: 2424/2427 OutInterface : Ser2/1/0

Nexthop : FE80::20C:29FF:FE9D:EAC0

# Test the connectivity of the IPv6 LDP LSP from Router A to Router C.

[RouterA] ping ipv6 -a 11::1 21::1

Ping6(56 data bytes) 11::1 --> 21::1, press CTRL_C to break

56 bytes from 21::1, icmp_seq=0 hlim=63 time=2.000 ms

56 bytes from 21::1, icmp_seq=1 hlim=63 time=1.000 ms

56 bytes from 21::1, icmp_seq=2 hlim=63 time=3.000 ms

56 bytes from 21::1, icmp_seq=3 hlim=63 time=3.000 ms

56 bytes from 21::1, icmp_seq=4 hlim=63 time=2.000 ms

--- Ping6 statistics for 21::1 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/2.200/3.000/0.748 ms

# Test the connectivity of the IPv6 LDP LSP from Router C to Router A.

[RouterC] ping ipv6 -a 21::1 11::1

Ping6(56 data bytes) 21::1 --> 11::1, press CTRL_C to break

56 bytes from 11::1, icmp_seq=0 hlim=63 time=2.000 ms

56 bytes from 11::1, icmp_seq=1 hlim=63 time=1.000 ms

56 bytes from 11::1, icmp_seq=2 hlim=63 time=1.000 ms

56 bytes from 11::1, icmp_seq=3 hlim=63 time=1.000 ms

56 bytes from 11::1, icmp_seq=4 hlim=63 time=1.000 ms

--- Ping6 statistics for 11::1 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/1.200/2.000/0.400 ms

IPv6 label acceptance control configuration example

Network requirements

Two links, Router A—Router B—Router C and Router A—Router D—Router C, exist between subnets 11::0/64 and 21::0/64.

Configure LDP to establish LSPs only for routes to subnets 11::0/64 and 21::0/64.

Configure LDP to establish LSPs only on the link Router A—Router B—Router C to forward traffic between subnets 11::0/64 and 21::0/64.

Figure 23 Network diagram

Requirements analysis

· To ensure that the LSRs establish IPv6 LSPs automatically, enable IPv6 LDP on each LSR.

· To establish IPv6 LDP LSPs, configure an IPv6 routing protocol to ensure IP connectivity between the LSRs. This example uses OSPFv3.

· To ensure that LDP establishes IPv6 LSPs only for the routes 11::0/64 and 21::0/64, configure IPv6 LSP generation policies on each LSR.

· To ensure that LDP establishes IPv6 LSPs only over the link Router A—Router B—Router C, configure IPv6 label acceptance policies as follows:

? Router A accepts only the label mapping for FEC 21::0/64 received from Router B. Router A denies the label mapping for FEC 21::0/64 received from Router D.

? Router C accepts only the label mapping for FEC 11::0/64 received from Router B. Router C denies the label mapping for FEC 11::0/64 received from Router D.

Configuration procedure

1. Configure IPv6 addresses and masks for interfaces, including the loopback interfaces, as shown in Figure 23. (Details not shown.)

2. Configure OSPFv3 on each router to ensure IP connectivity between them. (Details not shown.)

3. Enable MPLS and IPv6 LDP:

# Configure Router A.

<RouterA> system-view

[RouterA] mpls lsr-id 1.1.1.9

[RouterA] mpls ldp

[RouterA-ldp] quit

[RouterA] interface serial 2/1/0

[RouterA-Serial2/1/0] mpls enable

[RouterA-Serial2/1/0] mpls ldp ipv6 enable

[RouterA-Serial2/1/0] mpls ldp transport-address 10::1

[RouterA-Serial2/1/0] quit

[RouterA] interface serial 2/1/1

[RouterA-Serial2/1/1] mpls enable

[RouterA-Serial2/1/1] mpls ldp ipv6 enable

[RouterA-Serial2/1/1] mpls ldp transport-address 30::1

[RouterA-Serial2/1/1] quit

# Configure Router B.

<RouterB> system-view

[RouterB] mpls lsr-id 2.2.2.9

[RouterB] mpls ldp

[RouterB-ldp] quit

[RouterB] interface serial 2/1/0

[RouterB-Serial2/1/0] mpls enable

[RouterB-Serial2/1/0] mpls ldp ipv6 enable

[RouterB-Serial2/1/0] mpls ldp transport-address 10::2

[RouterB-Serial2/1/0] quit

[RouterB] interface serial 2/1/1

[RouterB-Serial2/1/1] mpls enable

[RouterB-Serial2/1/1] mpls ldp ipv6 enable

[RouterB-Serial2/1/1] mpls ldp transport-address 20::1

[RouterB-Serial2/1/1] quit

# Configure Router C.

<RouterC> system-view

[RouterC] mpls lsr-id 3.3.3.9

[RouterC] mpls ldp

[RouterC-ldp] quit

[RouterC] interface serial 2/1/0

[RouterC-Serial2/1/0] mpls enable

[RouterC-Serial2/1/0] mpls ldp ipv6 enable

[RouterC-Serial2/1/0] mpls ldp transport-address 20::2

[RouterC-Serial2/1/0] quit

[RouterC] interface serial 2/1/1

[RouterC-Serial2/1/1] mpls enable

[RouterC-Serial2/1/1] mpls ldp ipv6 enable

[RouterC-Serial2/1/1] mpls ldp transport-address 40::2

[RouterC-Serial2/1/1] quit

# Configure Router D.

<RouterD> system-view

[RouterD] mpls lsr-id 4.4.4.9

[RouterD] mpls ldp

[RouterD-ldp] quit

[RouterD] interface serial 2/1/0

[RouterD-Serial2/1/0] mpls enable

[RouterD-Serial2/1/0] mpls ldp ipv6 enable

[RouterD-Serial2/1/0] mpls ldp transport-address 30::2

[RouterD-Serial2/1/0] quit

[RouterD] interface serial 2/1/1

[RouterD-Serial2/1/1] mpls enable

[RouterD-Serial2/1/1] mpls ldp ipv6 enable

[RouterD-Serial2/1/1] mpls ldp transport-address 40::1

[RouterD-Serial2/1/1] quit

4. Configure IPv6 LSP generation policies:

# On Router A, create IPv6 prefix list routera, and configure LDP to use only the routes permitted by the prefix list to establish IPv6 LSPs.

[RouterA] ipv6 prefix-list routera index 10 permit 11::0 64

[RouterA] ipv6 prefix-list routera index 20 permit 21::0 64

[RouterA] mpls ldp

[RouterA-ldp] ipv6 lsp-trigger prefix-list routera

[RouterA-ldp] quit

# On Router B, create IPv6 prefix list routerb, and configure LDP to use only the routes permitted by the prefix list to establish IPv6 LSPs.

[RouterB] ipv6 prefix-list routerb index 10 permit 11::0 64

[RouterB] ipv6 prefix-list routerb index 20 permit 21::0 64

[RouterB] mpls ldp

[RouterB-ldp] ipv6 lsp-trigger prefix-list routerb

[RouterB-ldp] quit

# On Router C, create IPv6 prefix list routerc, and configure LDP to use only the routes permitted by the prefix list to establish IPv6 LSPs.

[RouterC] ipv6 prefix-list routerc index 10 permit 11::0 64

[RouterC] ipv6 prefix-list routerc index 20 permit 21::0 64

[RouterC] mpls ldp

[RouterC-ldp] ipv6 lsp-trigger prefix-list routerc

[RouterC-ldp] quit

# On Router D, create IPv6 prefix list routerd, and configure LDP to use only the routes permitted by the prefix list to establish IPv6 LSPs.

[RouterD] ipv6 prefix-list routerd index 10 permit 11::0 64

[RouterD] ipv6 prefix-list routerd index 20 permit 21::0 64

[RouterD] mpls ldp

[RouterD-ldp] ipv6 lsp-trigger prefix-list routerd

[RouterD-ldp] quit

5. Configure IPv6 label acceptance policies:

# On Router A, create IPv6 prefix list prefix-from-b to permit subnet 21::0/64. Router A uses this list to filter FEC-label mappings received from Router B.

[RouterA] ipv6 prefix-list prefix-from-b index 10 permit 21::0 64

# On Router A, create IPv6 prefix list prefix-from-d to deny subnet 21::0/64. Router A uses this list to filter FEC-label mappings received from Router D.

[RouterA] ipv6 prefix-list prefix-from-d index 10 deny 21::0 64

# On Router A, configure IPv6 label acceptance policies to filter FEC-label mappings received from Router B and Router D.

[RouterA] mpls ldp

[RouterA-ldp] ipv6 accept-label peer 2.2.2.9 prefix-list prefix-from-b

[RouterA-ldp] ipv6 accept-label peer 4.4.4.9 prefix-list prefix-from-d

[RouterA-ldp] quit

# On Router C, create IPv6 prefix list prefix-from-b to permit subnet 11::0/64. Router C uses this list to filter FEC-label mappings received from Router B.

[RouterC] ipv6 prefix-list prefix-from-b index 10 permit 11::0 64

# On Router C, create IPv6 prefix list prefix-from-d to deny subnet 11::0/64. Router A uses this list to filter FEC-label mappings received from Router D.

[RouterC] ipv6 prefix-list prefix-from-d index 10 deny 11::0 64

# On Router C, configure IPv6 label acceptance policies to filter FEC-label mappings received from Router B and Router D.

[RouterC] mpls ldp

[RouterC-ldp] ipv6 accept-label peer 2.2.2.9 prefix-list prefix-from-b

[RouterC-ldp] ipv6 accept-label peer 4.4.4.9 prefix-list prefix-from-d

[RouterC-ldp] quit

Verifying the configuration

# Display IPv6 LDP LSP information on the routers, for example, on Router A.

[RouterA] display mpls ldp lsp ipv6

Status Flags: * - stale, L - liberal, B - backup

FECs: 2 Ingress: 1 Transit 1 Egress: 1

FEC: 11::/64

In/Out Label: 2417/- OutInterface : -

Nexthop : -

FEC: 21::/64

In/Out Label: -/2416 OutInterface : Ser2/1/0

Nexthop : FE80::20C:29FF:FE9D:EAC0

In/Out Label: 2415/2416 OutInterface : Ser2/1/0

Nexthop : FE80::20C:29FF:FE9D:EAC0

The output shows that the next hop of the IPv6 LSP for FEC 21::0/64 is Router B (FE80::20C:29FF:FE9D:EAC0). The IPv6 LSP has been established over the link Router A—Router B—Router C, not over the link Router A—Router D—Router C.

# Test the connectivity of the IPv6 LDP LSP from Router A to Router C.

[RouterA] ping ipv6 -a 11::1 21::1

Ping6(56 data bytes) 11::1 --> 21::1, press CTRL_C to break

56 bytes from 21::1, icmp_seq=0 hlim=63 time=4.000 ms

56 bytes from 21::1, icmp_seq=1 hlim=63 time=3.000 ms

56 bytes from 21::1, icmp_seq=2 hlim=63 time=3.000 ms

56 bytes from 21::1, icmp_seq=3 hlim=63 time=2.000 ms

56 bytes from 21::1, icmp_seq=4 hlim=63 time=1.000 ms

--- Ping6 statistics for 21::1 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/2.600/4.000/1.020 ms

# Test the connectivity of the IPv6 LDP LSP from Router C to Router A.

[RouterC] ping ipv6 -a 21::1 11::1

Ping6(56 data bytes) 21::1 --> 11::1, press CTRL_C to break

56 bytes from 11::1, icmp_seq=0 hlim=63 time=1.000 ms

56 bytes from 11::1, icmp_seq=1 hlim=63 time=2.000 ms

56 bytes from 11::1, icmp_seq=2 hlim=63 time=1.000 ms

56 bytes from 11::1, icmp_seq=3 hlim=63 time=2.000 ms

56 bytes from 11::1, icmp_seq=4 hlim=63 time=1.000 ms

--- Ping6 statistics for 11::1 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/1.400/2.000/0.490 ms

IPv6 label advertisement control configuration example

Network requirements

Two links, Router A—Router B—Router C and Router A—Router D—Router C, exist between subnets 11::0/64 and 21::0/64.

Configure LDP to establish LSPs only for routes to subnets 11::0/64 and 21::0/64.

Configure LDP to establish LSPs only on the link Router A—Router B—Router C to forward traffic between subnets 11::0/64 and 21::0/64.

Figure 24 Network diagram

Requirements analysis

· To ensure that the LSRs establish IPv6 LSPs automatically, enable IPv6 LDP on each LSR.

· To establish IPv6 LDP LSPs, configure an IPv6 routing protocol to ensure IP connectivity between the LSRs. This example uses OSPFv3.

· To ensure that LDP establishes IPv6 LSPs only for the routes 11::0/64 and 21::0/64, configure IPv6 LSP generation policies on each LSR.

· To ensure that LDP establishes IPv6 LSPs only over the link Router A—Router B—Router C, configure IPv6 label advertisement policies as follows:

? Router A advertises only the label mapping for FEC 11::0/64 to Router B.

? Router C advertises only the label mapping for FEC 21::0/64 to Router B.

? Router D does not advertise label mapping for FEC 21::0/64 to Router A. Router D does not advertise label mapping for FEC 11::0/64 to Router C.

Configuration procedure

1. Configure IPv6 addresses and masks for interfaces, including the loopback interfaces, as shown in Figure 24. (Details not shown.)

2. Configure OSPFv3 on each router to ensure IP connectivity between them. (Details not shown.)

3. Enable MPLS and IPv6 LDP:

# Configure Router A.

<RouterA> system-view

[RouterA] mpls lsr-id 1.1.1.9

[RouterA] mpls ldp

[RouterA-ldp] quit

[RouterA] interface serial 2/1/0

[RouterA-Serial2/1/0] mpls enable

[RouterA-Serial2/1/0] mpls ldp ipv6 enable

[RouterA-Serial2/1/0] mpls ldp transport-address 10::1

[RouterA-Serial2/1/0] quit

[RouterA] interface serial 2/1/1

[RouterA-Serial2/1/1] mpls enable

[RouterA-Serial2/1/1] mpls ldp ipv6 enable

[RouterA-Serial2/1/1] mpls ldp transport-address 30::1

[RouterA-Serial2/1/1] quit

# Configure Router B.

<RouterB> system-view

[RouterB] mpls lsr-id 2.2.2.9

[RouterB] mpls ldp

[RouterB-ldp] quit

[RouterB] interface serial 2/1/0

[RouterB-Serial2/1/0] mpls enable

[RouterB-Serial2/1/0] mpls ldp ipv6 enable

[RouterB-Serial2/1/0] mpls ldp transport-address 10::2

[RouterB-Serial2/1/0] quit

[RouterB] interface serial 2/1/1

[RouterB-Serial2/1/1] mpls enable

[RouterB-Serial2/1/1] mpls ldp ipv6 enable

[RouterB-Serial2/1/1] mpls ldp transport-address 20::1

[RouterB-Serial2/1/1] quit

# Configure Router C.

<RouterC> system-view

[RouterC] mpls lsr-id 3.3.3.9

[RouterC] mpls ldp

[RouterC-ldp] quit

[RouterC] interface serial 2/1/0

[RouterC-Serial2/1/0] mpls enable

[RouterC-Serial2/1/0] mpls ldp ipv6 enable

[RouterC-Serial2/1/0] mpls ldp transport-address 20::2

[RouterC-Serial2/1/0] quit

[RouterC] interface serial 2/1/1

[RouterC-Serial2/1/1] mpls enable

[RouterC-Serial2/1/1] mpls ldp ipv6 enable

[RouterC-Serial2/1/1] mpls ldp transport-address 40::2

[RouterC-Serial2/1/1] quit

# Configure Router D.

<RouterD> system-view

[RouterD] mpls lsr-id 4.4.4.9

[RouterD] mpls ldp

[RouterD-ldp] quit

[RouterD] interface serial 2/1/0

[RouterD-Serial2/1/0] mpls enable

[RouterD-Serial2/1/0] mpls ldp ipv6 enable

[RouterD-Serial2/1/0] mpls ldp transport-address 30::2

[RouterD-Serial2/1/0] quit

[RouterD] interface serial 2/1/1

[RouterD-Serial2/1/1] mpls enable

[RouterD-Serial2/1/1] mpls ldp ipv6 enable

[RouterD-Serial2/1/1] mpls ldp transport-address 40::1

[RouterD-Serial2/1/1] quit

4. Configure IPv6 LSP generation policies:

# On Router A, create IPv6 prefix list routera, and configure LDP to use only the routes permitted by the prefix list to establish IPv6 LSPs.

[RouterA] ipv6 prefix-list routera index 10 permit 11::0 64

[RouterA] ipv6 prefix-list routera index 20 permit 21::0 64

[RouterA] mpls ldp

[RouterA-ldp] ipv6 lsp-trigger prefix-list routera

[RouterA-ldp] quit

# On Router B, create IPv6 prefix list routerb, and configure LDP to use only the routes permitted by the prefix list to establish IPv6 LSPs.

[RouterB] ipv6 prefix-list routerb index 10 permit 11::0 64

[RouterB] ipv6 prefix-list routerb index 20 permit 21::0 64

[RouterB] mpls ldp

[RouterB-ldp] ipv6 lsp-trigger prefix-list routerb

[RouterB-ldp] quit

# On Router C, create IPv6 prefix list routerc, and configure LDP to use only the routes permitted by the prefix list to establish IPv6 LSPs.

[RouterC] ipv6 prefix-list routerc index 10 permit 11::0 64

[RouterC] ipv6 prefix-list routerc index 20 permit 21::0 64

[RouterC] mpls ldp

[RouterC-ldp] ipv6 lsp-trigger prefix-list routerc

[RouterC-ldp] quit

# On Router D, create IPv6 prefix list routerd, and configure LDP to use only the routes permitted by the prefix list to establish IPv6 LSPs.

[RouterD] ipv6 prefix-list routerd index 10 permit 11::0 64

[RouterD] ipv6 prefix-list routerd index 20 permit 21::0 64

[RouterD] mpls ldp

[RouterD-ldp] ipv6 lsp-trigger prefix-list routerd

[RouterD-ldp] quit

5. Configure IPv6 label advertisement policies:

# On Router A, create IPv6 prefix list prefix-to-b to permit subnet 11::0/64. Router A uses this list to filter FEC-label mappings advertised to Router B.

[RouterA] ipv6 prefix-list prefix-to-b index 10 permit 11::0 64

# On Router A, create IP prefix list peer-b to permit 2.2.2.9/32. Router A uses this list to filter peers.

[RouterA] ip prefix-list peer-b index 10 permit 2.2.2.9 32

# On Router A, configure an IPv6 label advertisement policy to advertise only the label mapping for FEC 11::0/64 to Router B.

[RouterA] mpls ldp

[RouterA-ldp] ipv6 advertise-label prefix-list prefix-to-b peer peer-b

[RouterA-ldp] quit

# On Router C, create IPv6 prefix list prefix-to-b to permit subnet 21::0/64. Router C uses this list to filter FEC-label mappings advertised to Router B.

[RouterC] ipv6 prefix-list prefix-to-b index 10 permit 21::0 64

# On Router C, create IP prefix list peer-b to permit 2.2.2.9/32. Router C uses this list to filter peers.

[RouterC] ip prefix-list peer-b index 10 permit 2.2.2.9 32

# On Router C, configure an IPv6 label advertisement policy to advertise only the label mapping for FEC 21::0/64 to Router B.

[RouterC] mpls ldp

[RouterC-ldp] ipv6 advertise-label prefix-list prefix-to-b peer peer-b

[RouterC-ldp] quit

# On Router D, create IPv6 prefix list prefix-to-a to deny subnet 21::0/64. Router D uses this list to filter FEC-label mappings to be advertised to Router A.

[RouterD] ipv6 prefix-list prefix-to-a index 10 deny 21::0 64

[RouterD] ipv6 prefix-list prefix-to-a index 20 permit 0::0 0 less-equal 128

# On Router D, create IP prefix list peer-a to permit 1.1.1.9/32. Router D uses this list to filter peers.

[RouterD] ip prefix-list peer-a index 10 permit 1.1.1.9 32

# On Router D, create IPv6 prefix list prefix-to-c to deny subnet 11::0/64. Router D uses this list to filter FEC-label mappings to be advertised to Router C.

[RouterD] ipv6 prefix-list prefix-to-c index 10 deny 11::0 64

[RouterD] ipv6 prefix-list prefix-to-c index 20 permit 0::0 0 less-equal 128

# On Router D, create IP prefix list peer-c to permit subnet 3.3.3.9/32. Router D uses this list to filter peers.

[RouterD] ip prefix-list peer-c index 10 permit 3.3.3.9 32

# On Router D, configure an IPv6 label advertisement policy. This policy ensures that Router D does not advertise label mappings for FEC 21::0/64 to Router A, and does not advertise label mappings for FEC 11::0/64 to Router C.

[RouterD] mpls ldp

[RouterD-ldp] ipv6 advertise-label prefix-list prefix-to-a peer peer-a

[RouterD-ldp] ipv6 advertise-label prefix-list prefix-to-c peer peer-c

[RouterD-ldp] quit

Verifying the configuration

# Display LDP LSP information on the routers, for example, on Router A.

[RouterA] display mpls ldp lsp ipv6

Status Flags: * - stale, L - liberal, B - backup

FECs: 2 Ingress: 1 Transit: 1 Egress: 1

FEC: 11::/64

In/Out Label: 2417/- OutInterface : -

Nexthop : -

In/Out Label: -/1098(L) OutInterface : -

Nexthop : -

In/Out Label: -/2418(L) OutInterface : -

Nexthop : -

FEC: 21::/64

In/Out Label: -/2416 OutInterface : Ser2/1/0

Nexthop : FE80::20C:29FF:FE9D:EAC0

In/Out Label: 2415/2416 OutInterface : Ser2/1/0

Nexthop : FE80::20C:29FF:FE9D:EAC0

[RouterB] display mpls ldp lsp ipv6

Status Flags: * - stale, L - liberal, B - backup

FECs: 2 Ingress: 2 Transit: 2 Egress: 0

FEC: 11::/64

In/Out Label: -/2417 OutInterface : Ser2/1/0

Nexthop : FE80::20C:29FF:FE9D:EA8E

In/Out Label: 2418/2417 OutInterface : Ser2/1/0

Nexthop : FE80::20C:29FF:FE9D:EA8E

FEC: 21::/64

In/Out Label: -/1099 OutInterface : Ser2/1/1

Nexthop : FE80::20C:29FF:FE05:1C01

In/Out Label: 2416/1099 OutInterface : Ser2/1/1

Nexthop : FE80::20C:29FF:FE05:1C01

[RouterC] display mpls ldp lsp ipv6

Status Flags: * - stale, L - liberal, B - backup

FECs: 2 Ingress: 1 Transit: 1 Egress: 1

FEC: 11::/64

In/Out Label: -/2418 OutInterface : Ser2/1/0

Nexthop : FE80::20C:29FF:FE9D:EAA2

In/Out Label: 1098/2418 OutInterface : Ser2/1/0

Nexthop : FE80::20C:29FF:FE9D:EAA2

FEC: 21::/64

In/Out Label: 1099/- OutInterface : -

Nexthop : -

In/Out Label: -/2416(L) OutInterface : -

Nexthop : -

In/Out Label: -/1097(L) OutInterface : -

Nexthop : -

[RouterD] display mpls ldp lsp ipv6

Status Flags: * - stale, L - liberal, B - backup

FECs: 2 Ingress: 0 Transit: 0 Egress: 2

FEC: 11::/64

In/Out Label: 1098/- OutInterface : -

Nexthop : -

FEC: 21::/64

In/Out Label: 1097/- OutInterface : -

Nexthop : -

The output shows that Router A and Router C have received FEC-label mappings only from Router B. Router B has received FEC-label mappings from both Router A and Router C. Router D does not receive FEC-label mappings from Router A or Router C. LDP has established an IPv6 LSP only over the link Router A—Router B—Router C.

# Test the connectivity of the IPv6 LDP LSP from Router A to Router C.

[RouterA] ping ipv6 -a 11::1 21::1

Ping6(56 data bytes) 11::1 --> 21::1, press CTRL_C to break

56 bytes from 21::1, icmp_seq=0 hlim=63 time=4.000 ms

56 bytes from 21::1, icmp_seq=1 hlim=63 time=3.000 ms

56 bytes from 21::1, icmp_seq=2 hlim=63 time=3.000 ms

56 bytes from 21::1, icmp_seq=3 hlim=63 time=2.000 ms

56 bytes from 21::1, icmp_seq=4 hlim=63 time=1.000 ms

--- Ping6 statistics for 21::1 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/2.600/4.000/1.020 ms

# Test the connectivity of the IPv6 LDP LSP from Router C to Router A.

[RouterC] ping ipv6 -a 21::1 11::1

Ping6(56 data bytes) 21::1 --> 11::1, press CTRL_C to break

56 bytes from 11::1, icmp_seq=0 hlim=63 time=1.000 ms

56 bytes from 11::1, icmp_seq=1 hlim=63 time=2.000 ms

56 bytes from 11::1, icmp_seq=2 hlim=63 time=1.000 ms

56 bytes from 11::1, icmp_seq=3 hlim=63 time=2.000 ms

56 bytes from 11::1, icmp_seq=4 hlim=63 time=1.000 ms

--- Ping6 statistics for 11::1 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/1.400/2.000/0.490 ms

Configuring MPLS TE

Overview

TE and MPLS TE

Network congestion can degrade the network backbone performance. It might occur when network resources are inadequate or when load distribution is unbalanced. Traffic engineering (TE) is intended to avoid the latter situation where partial congestion might occur because of improper resource allocation.

TE can make the best use of network resources and avoid uneven load distribution by using the following functionalities:

· Real-time monitoring of traffic and traffic load on network elements.

· Dynamic tuning of traffic management attributes, routing parameters, and resources constraints.

MPLS TE combines the MPLS technology and traffic engineering. It reserves resources by establishing LSP tunnels along the specified paths, allowing traffic to bypass congested nodes to achieve appropriate load distribution.

With MPLS TE, a service provider can deploy traffic engineering on the existing MPLS backbone to provide various services and optimize network resources management.

MPLS TE basic concepts

· CRLSP—Constraint-based Routed Label Switched Path. To establish a CRLSP, you must configure routing, and specify constraints, such as the bandwidth and explicit paths.

· MPLS TE tunnel—A virtual point-to-point connection from the ingress node to the egress node. Typically, an MPLS TE tunnel consists of one CRLSP. To deploy CRLSP backup or transmit traffic over multiple paths, you need to establish multiple CRLSPs for one class of traffic. In this case, an MPLS TE tunnel consists of a set of CRLSPs. An MPLS TE tunnel is identified by an MPLS TE tunnel interface on the ingress node. When the outgoing interface of a traffic flow is an MPLS TE tunnel interface, the traffic flow is forwarded through the CRLSP of the MPLS TE tunnel.

Static CRLSP establishment

A static CRLSP is established by manually specifying the incoming label, outgoing label, and other constraints on each hop along the path that the traffic travels. Static CRLSPs feature simple configuration, but they cannot automatically adapt to network changes.

For more information about static CRLSPs, see "Configuring a static CRLSP."

Dynamic CRLSP establishment

Dynamic CRLSPs are dynamically established as follows:

1. An IGP advertises TE attributes for links.

2. MPLS TE uses the CSPF algorithm to calculate the shortest path to the tunnel destination.

The path must meet constraints such as bandwidth and explicit routing.

3. A label distribution protocol (such as RSVP-TE) advertises labels to establish CRLSPs and reserves bandwidth resources on each node along the calculated path.

Dynamic CRLSPs adapt to network changes and support CRLSP backup and fast reroute, but they require complicated configurations.

Advertising TE attributes

MPLS TE uses extended link state IGPs, such as OSPF and IS-IS, to advertise TE attributes for links.

TE attributes include the maximum bandwidth, maximum reservable bandwidth, non-reserved bandwidth for each priority, and the link attribute. The IGP floods TE attributes on the network. Each node collects the TE attributes of all links on all routers within the local area or at the same level to build up a TE database (TEDB).

Calculating paths

Based on the TEDB, MPLS TE uses the Constraint-based Shortest Path First (CSPF) algorithm, an improved SPF algorithm, to calculate the shortest, TE constraints-compliant path to the tunnel destination.

CSPF first prunes TE constraints-incompliant links from the TEDB, and then it performs SPF calculation to identify the shortest path (a set of LSR addresses) to an egress. CSPF calculation is usually performed on the ingress node of an MPLS TE tunnel.

TE constraints include the bandwidth, affinity, setup and holding priorities, and explicit path. They are configured on the ingress node of an MPLS TE tunnel.

· Bandwidth

Bandwidth constraints specify the service class and the required bandwidth for the traffic to be forwarded along the MPLS TE tunnel. A link complies with the bandwidth constraints when the reservable bandwidth for the class type is greater than or equal to the bandwidth required by the class type.

· Affinity

Affinity determines which links a tunnel can use. The affinity attribute and its mask, and the link attribute are all 32-bit long. A link is available for a tunnel if the link attribute meets the following requirements:

? The link attribute bits corresponding to the affinity attribute's 1 bits whose mask bits are 1 must have a minimum of one bit set to 1.

? The link attribute bits corresponding to the affinity attribute's 0 bits whose mask bits are 1 must have no bit set to 1.

The link attribute bits corresponding to the 0 bits in the affinity mask are not checked.

For example, if the affinity attribute is 0xFFFFFFF0 and its mask is 0x0000FFFF, a link is available for the tunnel when its link attribute bits meet the following requirements:

? The highest 16 bits each can be 0 or 1 (no requirements).

? The 17th through 28th bits must have a minimum of one bit whose value is 1.

? The lowest four bits must be 0.

· Setup priority and holding priority

If MPLS TE cannot find a qualified path to set up an MPLS TE tunnel, it removes an existing MPLS TE tunnel and preempts its bandwidth.

MPLS TE uses the setup priority and holding priority to make preemption decisions. For a new MPLS TE tunnel to preempt an existing MPLS TE tunnel, the setup priority of the new tunnel must be higher than the holding priority of the existing tunnel. Both setup and holding priorities are in the range of 0 to 7. A smaller value represents a higher priority.

To avoid flapping caused by improper preemptions, the setup priority value of a tunnel must be equal to or greater than the holding priority value.

· Explicit path

Explicit path specifies the nodes to pass and the nodes to not pass for a tunnel.

Explicit paths include the following types:

? Strict explicit path—Among the nodes that the path must traverse, a node and its previous hop must be directly connected. Strict explicit path precisely specifies the path that an MPLS TE tunnel must traverse.

? Loose explicit path—Among the nodes that the path must traverse, a node and its previous hop can be indirectly connected. Loose explicit path vaguely specifies the path that an MPLS TE tunnel must traverse.

Strict explicit path and loose explicit path can be used together to specify that some nodes are directly connected and some nodes have other nodes in between.

Setting up a CRLSP through RSVP-TE

After calculating a path by using CSPF, MPLS TE uses a label distribution protocol to set up the CRLSP and reserves resources on each node of the path.

The device supports the label distribution protocol of RSVP-TE for MPLS TE. Resource Reservation Protocol (RSVP) reserves resources on each node along a path. Extended RSVP can support MPLS label distribution and allow resource reservation information to be transmitted with label bindings. This extended RSVP is called RSVP-TE.

For more information about RSVP, see "Configuring RSVP."

CRLSP establishment using PCE path calculation

On an MPLS TE network, a Path Computation Client (PCC), usually an LSR, uses the path calculated by Path Computation Elements (PCEs) to establish a CRLSP through RSVP-TE.

Basic concepts

· PCE—An entity that can calculate a path based on the TEDB, bandwidth, and other MPLS TE tunnel constraints. A PCE can provide intra-area or inter-area path calculation. A PCE can be manually specified on a PCC or automatically discovered through the PCE information advertised by OSPF TE.

· PCC—A PCC sends a request to PCEs for path calculation and uses the path information returned by PCEs to establish a CRLSP.

· PCEP—Path Computation Element Communication Protocol. PCEP runs between a PCC and a PCE, or between PCEs. It is used to establish PCEP sessions to exchange PCEP messages over TCP connections.

PCE path calculation

PCE path calculation has the following types:

· EPC—External Path Computation. EPC path calculation is performed by one PCE. It is applicable to intra-area path calculation.

· BRPC—Backward-Recursive PCE-Based Computation. BRPC path calculation is performed by multiple PCEs. It is applicable to inter-area path calculation.

As shown in Figure 25, PCE 1 is the ABR that can calculate paths in Area 0 and Area 1. PCE 2 is the ABR that can calculate paths in Area 1 and Area 2. The CRLSP that PCC uses to reach a destination in Area 2 is established as follows:

1. PCC sends a path calculation request to PCE 1 to request the path to the CRLSP destination.

2. PCE 1 forwards the request to PCE 2.

PCE 1 cannot calculate paths in Area 2, so it forwards the request to PCE 2, the PCE responsible for Area 2 that contains the CRLSP destination.

3. After receiving the request from PCE 1, PCE 2 calculates potential paths to the CRLSP destination and sends the path information back to PCE 1 in a reply.

4. PCE 1 uses the local and received path information to select an end-to-end path for the PCC to reach the CRLSP destination, and sends the path to PCC as a reply.

5. PCC uses the path calculated by PCEs to establish the CRLSP through RSVP-TE.

Figure 25 BRPC path calculation

Traffic forwarding

After an MPLS TE tunnel is established, traffic is not forwarded on the tunnel automatically. You must direct the traffic to the tunnel by using one of the following methods:

Static routing

You can direct traffic to an MPLS TE tunnel by creating a static route that reaches the destination through the tunnel interface. This is the easiest way to implement MPLS TE tunnel forwarding. When traffic to multiple networks is to be forwarded through the MPLS TE tunnel, you must configure multiple static routes, which are complicated to configure and difficult to maintain.

For more information about static routing, see Layer 3—IP Routing Configuration Guide.

Policy-based routing

You can configure PBR on the ingress interface of traffic to direct the traffic that matches an ACL to the MPLS TE tunnel interface.

PBR can match the traffic to be forwarded on the tunnel not only by destination IP address, but also by source IP address, protocol type, and other criteria. Compared with static routing, PBR is more flexible but requires more complicated configuration.

For more information about policy-based routing, see Layer 3—IP Routing Configuration Guide.

Automatic route advertisement

You can also configure automatic route advertisement to forward traffic through an MPLS TE tunnel. Automatic route advertisement distributes the MPLS TE tunnel to the IGP (OSPF or IS-IS), so the MPLS TE tunnel can participate in IGP routing calculation. Automatic route advertisement is easy to configure and maintain.

Automatic route advertisement can be implemented by using the following methods:

· IGP shortcut—Also known as AutoRoute Announce. It considers the MPLS TE tunnel as a link that directly connects the tunnel ingress node and the egress node. Only the ingress node uses the MPLS TE tunnel during IGP route calculation.

· Forwarding adjacency—Considers the MPLS TE tunnel as a link that directly connects the tunnel ingress node and the egress node, and advertises the link to the network through an IGP. Every node in the network uses the MPLS TE tunnel during IGP route calculation.

As shown in Figure 26, an MPLS TE tunnel exists from Router D to Router C. IGP shortcut enables only the ingress node Router D to use the MPLS TE tunnel in the IGP route calculation. Router A cannot use this tunnel to reach Router C. With forwarding adjacency enabled, Router A can learn this MPLS TE tunnel and transfer traffic to Router C by forwarding the traffic to Router D.

Figure 26 IGP shortcut and forwarding adjacency diagram

Make-before-break

Make-before-break is a mechanism to change an MPLS TE tunnel with minimum data loss and without using extra bandwidth.

In cases of tunnel reoptimization and automatic bandwidth adjustment, traffic forwarding is interrupted if the existing CRLSP is removed before a new CRLSP is established. The make-before-break mechanism ensures that the existing CRLSP is removed after the new CRLSP is established and the traffic is switched to the new CRLSP. However, this wastes bandwidth resources if some links on the old and new CRLSPs are the same. This is because you need to reserve bandwidth on these links for the old and new CRLSPs separately. The make-before-break mechanism uses the SE resource reservation style to address this problem.

The resource reservation style refers to the style in which RSVP-TE reserves bandwidth resources during CRLSP establishment. The resource reservation style used by an MPLS TE tunnel is determined by the ingress node, and is advertised to other nodes through RSVP.

The device supports the following resource reservation styles:

· FF—Fixed-filter, where resources are reserved for individual senders and cannot be shared among senders on the same session.

· SE—Shared-explicit, where resources are reserved for senders on the same session and shared among them. SE is mainly used for make-before-break.

As shown in Figure 27, a CRLSP with 30 M reserved bandwidth has been set up from Router A to Router D through the path Router A—Router B—Router C—Router D.

To increase the reserved bandwidth to 40 M, a new CRLSP must be set up through the path Router A—Router E—Router C—Router D. To achieve this purpose, RSVP-TE needs to reserve 30 M bandwidth for the old CRLSP and 40 M bandwidth for the new CRLSP on the link Router C—Router D. However, there is not enough bandwidth.

After the make-before-break mechanism is used, the new CRLSP can share the bandwidth reserved for the old CRLSP. After the new CRLSP is set up, traffic is switched to the new CRLSP without service interruption, and then the old CRLSP is removed.

Figure 27 Diagram for make-before-break

Route pinning

Route pinning enables CRLSPs to always use the original optimal path even if a new optimal route has been learned.

On a network where route changes frequently occur, you can use route pinning to avoid re-establishing CRLSPs upon route changes.

Tunnel reoptimization

Tunnel reoptimization allows you to manually or dynamically trigger the ingress node to recalculate a path. If the ingress node recalculates a better path, it creates a new CRLSP, switches traffic from the old CRLSP to the new, and then deletes the old CRLSP.

MPLS TE uses the tunnel reoptimization feature to implement dynamic CRLSP optimization. For example, if a link on the optimal path does not have enough reservable bandwidth, MPLS TE sets up the tunnel on another path. When the link has enough bandwidth, the tunnel optimization feature can switch the MPLS TE tunnel to the optimal path.

Automatic bandwidth adjustment

Because users cannot estimate accurately how much traffic they need to transmit through a service provider network, the service provider should be able to perform the following operations:

· Create MPLS TE tunnels with the bandwidth initially requested by the users.

· Automatically tune the bandwidth resources when user traffic increases.

MPLS TE uses the automatic bandwidth adjustment feature to meet this requirement. After the automatic bandwidth adjustment is enabled, the device periodically samples the output rate of the tunnel and computes the average output rate within the sampling interval. When the auto bandwidth adjustment frequency timer expires, MPLS TE resizes the tunnel bandwidth to the maximum average output rate sampled during the adjustment time for new CRLSP establishment. If the new CRLSP is set up successfully, MPLS TE switches traffic to the new CRLSP and clears the old CRLSP.

You can use a command to limit the maximum and minimum bandwidth. If the tunnel bandwidth calculated by auto bandwidth adjustment is greater than the maximum bandwidth, MPLS TE uses the maximum bandwidth to set up the new CRLSP. If it is smaller than the minimum bandwidth, MPLS TE uses the minimum bandwidth to set up the new CRLSP.

CRLSP backup

CRLSP backup uses a CRLSP to back up a primary CRLSP. When the ingress detects that the primary CRLSP fails, it switches traffic to the backup CRLSP. When the primary CRLSP recovers, the ingress switches traffic back.

CRLSP backup has the following modes:

· Hot standby—A backup CRLSP is created immediately after a primary CRLSP is created.

· Ordinary—A backup CRLSP is created after the primary CRLSP fails.

FRR

Fast reroute (FRR) protects CRLSPs from link and node failures. FRR can implement 50-millisecond CRLSP failover.

After FRR is enabled for an MPLS TE tunnel, once a link or node fails on the primary CRLSP, FRR reroutes the traffic to a bypass tunnel. The ingress node attempts to set up a new CRLSP. After the new CRLSP is set up, traffic is forwarded on the new CRLSP.

CRLSP backup provides end-to-end path protection for a CRLSP without time limitation. FRR provides quick but temporary protection for a link or node on a CRLSP.

Basic concepts

· Primary CRLSP—Protected CRLSP.

· Bypass tunnel—An MPLS TE tunnel used to protect a link or node of the primary CRLSP.

· Point of local repair—A PLR is the ingress node of the bypass tunnel. It must be located on the primary CRLSP but must not be the egress node of the primary CRLSP.

· Merge point—An MP is the egress node of the bypass tunnel. It must be located on the primary CRLSP but must not be the ingress node of the primary CRLSP.

Protection modes

FRR provides the following protection modes:

· Link protection—The PLR and the MP are connected through a direct link and the primary CRLSP traverses this link. When the link fails, traffic is switched to the bypass tunnel. As shown in Figure 28, the primary CRLSP is Router A—Router B—Router C—Router D, and the bypass tunnel is Router B—Router F—Router C. This mode is also called next-hop (NHOP) protection.

Figure 28 FRR link protection

· Node protection—The PLR and the MP are connected through a device and the primary CRLSP traverses this device. When the device fails, traffic is switched to the bypass tunnel. As shown in Figure 29, the primary CRLSP is Router A—Router B—Router C—Router D—Router E, and the bypass tunnel is Router B—Router F—Router D. Router C is the protected device. This mode is also called next-next-hop (NNHOP) protection.

Figure 29 FRR node protection

DiffServ-aware TE

DiffServ is a model that provides differentiated QoS guarantees based on service class. MPLS TE is a traffic engineering solution that focuses on optimizing network resources allocation.

DiffServ-aware TE (DS-TE) combines DiffServ and TE to optimize network resources allocation on a per-service class basis. DS-TE defines different bandwidth constraints for class types. It maps each traffic class type to the CRLSP that is constraint-compliant for the class type.

The device supports the following DS-TE modes:

· Prestandard mode—H3C proprietary DS-TE.

· IETF mode—Complies with RFC 4124, RFC 4125, and RFC 4127.

Basic concepts

· CT—Class Type. DS-TE allocates link bandwidth, implements constraint-based routing, and performs admission control on a per-class type basis. A given traffic flow belongs to the same CT on all links.

· BC—Bandwidth Constraint. BC restricts the bandwidth for one or more CTs.

· Bandwidth constraint model—Algorithm for implementing bandwidth constraints on different CTs. A BC model contains two factors, the maximum number of BCs (MaxBC) and the mappings between BCs and CTs. DS-TE supports two BC models, Russian Dolls Model (RDM) and Maximum Allocation Model (MAM).

· TE class—Defines a CT and a priority. The setup priority or holding priority of an MPLS TE tunnel for a CT must be the same as the priority of the TE class.

The prestandard and IETF modes of DS-TE have the following differences:

· The prestandard mode supports two CTs (CT 0 and CT 1), eight priorities, and a maximum of 16 TE classes. The IETF mode supports four CTs (CT 0 through CT 3), eight priorities, and a maximum of eight TE classes.

· The prestandard mode does not allow you to configure TE classes. The IETF mode allows for TE class configuration.

· The prestandard mode supports only RDM. The IETF mode supports both RDM and MAM.

· A device operating in prestandard mode cannot communicate with devices from some vendors. A device operating in IETF mode can communicate with devices from other vendors.

How DS-TE operates

A device takes the following steps to establish an MPLS TE tunnel for a CT:

1. Determines the CT.

A device classifies traffic according to your configuration:

? When configuring a dynamic MPLS TE tunnel, you can use the mpls te bandwidth command on the tunnel interface to specify a CT for the traffic to be forwarded by the tunnel.

? When configuring a static MPLS TE tunnel, you can use the bandwidth keyword to specify a CT for the traffic to be forwarded along the tunnel.

2. Verifies that bandwidth is enough for the CT.

You can use the mpls te max-reservable-bandwidth command on an interface to configure the bandwidth constraints of the interface. The device determines whether the bandwidth is enough to establish an MPLS TE tunnel for the CT.

The relation between BCs and CTs varies by BC model.

? In RDM model, a BC constrains the total bandwidth of multiple CTs, as shown in Figure 30:

- BC 2 is for CT 2. The total bandwidth for CT 2 cannot exceed BC 2.

- BC 1 is for CT 2 and CT 1. The total bandwidth for CT 2 and CT 1 cannot exceed BC 1.

- BC 0 is for CT 2, CT 1, and CT 0. The total bandwidth for CT 2, CT 1, and CT 0 cannot exceed BC 0. In this model, BC 0 equals the maximum reservable bandwidth of the link.

In cooperation with priority preemption, the RDM model can also implement bandwidth isolation between CTs. RDM is suitable for networks where traffic is unstable and traffic bursts might occur.

Figure 30 RDM bandwidth constraints model

? In MAM model, a BC constrains the bandwidth for only one CT. This ensures bandwidth isolation among CTs no matter whether preemption is used or not. Compared with RDM, MAM is easier to configure. MAM is suitable for networks where traffic of each CT is stable and no traffic bursts occur. Figure 31 shows an example:

- BC 0 is for CT 0. The bandwidth occupied by the traffic of CT 0 cannot exceed BC 0.

- BC 1 is for CT 1. The bandwidth occupied by the traffic of CT 1 cannot exceed BC 1.

- BC 2 is for CT 2. The bandwidth occupied by the traffic of CT 2 cannot exceed BC 2.

- The total bandwidth occupied by CT 0, CT 1, and CT 2 cannot exceed the maximum reservable bandwidth.

Figure 31 MAM bandwidth constraints model

3. Verifies that the CT and the LSP setup/holding priority match an existing TE class.

An MPLS TE tunnel can be established for the CT only when the following conditions are met:

? Every node along the tunnel has a TE class that matches the CT and the LSP setup priority.

? Every node along the tunnel has a TE class that matches the CT and the LSP holding priority.

Bidirectional MPLS TE tunnel

MPLS Transport Profile (MPLS-TP) uses bidirectional MPLS TE tunnels to implement 1:1 and 1+1 protection switching, and to support in-band detection tools and signaling protocols such as OAM and PSC.

A bidirectional MPLS TE tunnel includes a pair of CRLSPs in opposite directions. It can be established in the following modes:

· Co-routed mode—Uses the extended RSVP-TE protocol to establish a bidirectional MPLS TE tunnel. RSVP-TE uses a Path message to advertise the labels assigned by the upstream LSR to the downstream LSR. RSVP-TE uses a Resv message to advertise the labels assigned by the downstream LSR to the upstream LSR. During the delivery of the path message, a CRLSP in one direction is established. During the delivery of the Resv message, a CRLSP in the other direction is established. The CRLSPs of a bidirectional MPLS TE tunnel established in co-routed mode use the same path.

· Associated mode—In this mode, you establish a bidirectional MPLS TE tunnel by binding two unidirectional CRLSPs in opposite directions. The two CRLSPs can be established in different modes and use different paths. For example, one CRLSP is established statically and the other CRLSP is established dynamically by RSVP-TE.

For more information about establishing MPLS TE tunnel through RSVP-TE, the Path message, and the Resv message, see "Configuring RSVP."

CBTS

About CBTS

Class Based Tunnel Selection (CBTS) enables dynamic routing and forwarding of traffic with different service class values over different MPLS TE tunnels between the same tunnel headend and tailend. Unlike load sharing that selects multiple tunnels to forward the matching traffic, CBTS uses a dedicated tunnel for a certain service class.

How CBTS works

CBTS processes incoming traffic on the device as follows:

1. Uses a traffic behavior to set a service class value for the traffic. For more information about traffic behaviors, see QoS configuration in ACL and QoS Configuration Guide.

2. Compares the service class of the traffic with the service classes of the MPLS TE tunnels and forwards the traffic to a matching tunnel.

MPLS TE tunnel selection rules

CBTS uses the following rules to select an MPLS TE tunnel for the incoming traffic:

· If the traffic matches an MPLS TE tunnel, CBTS uses this tunnel.

· If the traffic matches multiple MPLS TE tunnels, CBTS randomly selects a matching tunnel.

· If the traffic does not match any MPLS TE tunnels, CBTS randomly selects a tunnel from all tunnels with the lowest priority.

The smaller the service class value, the lower the tunnel priority. An MPLS TE tunnel that is not configured with a service class has the lowest priority.

CBTS application scenario

As shown in Figure 32, CBTS selects MPLS TE tunnels for the incoming traffic as follows:

· Uses Tunnel 2 to forward traffic with service class 3.

· Uses Tunnel 3 to forward traffic with service class 6.

· Uses Tunnel 1 to forward traffic with no service class values.

Figure 32 CBTS application scenario

Protocols and standards

· RFC 2702, Requirements for Traffic Engineering Over MPLS

· RFC 3564, Requirements for Support of Differentiated Service-aware MPLS Traffic Engineering

· RFC 3812, Multiprotocol Label Switching (MPLS) Traffic Engineering (TE) Management Information Base (MIB)

· RFC 4124, Protocol Extensions for Support of Diffserv-aware MPLS Traffic Engineering

· RFC 4125, Maximum Allocation Bandwidth Constraints Model for Diffserv-aware MPLS Traffic Engineering

· RFC 4127, Russian Dolls Bandwidth Constraints Model for Diffserv-aware MPLS Traffic Engineering

· ITU-T Recommendation Y.1720, Protection switching for MPLS networks

· RFC 4655, A Path Computation Element (PCE)-Based Architecture

· RFC 5088, OSPF Protocol Extensions for Path Computation Element Discovery

· RFC 5440, Path Computation Element (PCE) Communication Protocol (PCEP)

· RFC 5441, A Backward-Recursive PCE-Based Computation (BRPC) Procedure to Compute Shortest Constrained Inter-Domain Traffic Engineering LSP

· RFC 5455, Diffserv-Aware Class-Type Object for the Path Computation Element Communication Protocol

· RFC 5521, Extensions to the Path Computation Element Communication Protocol (PCEP) for Route Exclusions

· RFC 5886, A Set of Monitoring Tools for Path Computation Element (PCE)-Based Architecture

· draft-ietf-pce-stateful-pce-07

Feature and hardware compatibility

Hardware	MPLS TE compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS	No
MSR2600-6-X1/2600-10-X1	Yes
MSR 2630	Yes
MSR3600-28/3600-51	Yes
MSR3600-28-SI/3600-51-SI	No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC	Yes
MSR 3610/3620/3620-DP/3640/3660	Yes
MSR5620/5660/5680	Yes

Hardware	MPLS TE compatibility
MSR810-LM-GL	No
MSR810-W-LM-GL	No
MSR830-6EI-GL	No
MSR830-10EI-GL	No
MSR830-6HI-GL	No
MSR830-10HI-GL	No
MSR2600-6-X1-GL	Yes
MSR3600-28-SI-GL	No

MPLS TE configuration task list

To configure an MPLS TE tunnel to use a static CRLSP, perform the following tasks:

1. Enable MPLS TE on each node and interface that the MPLS TE tunnel traverses.

2. Create a tunnel interface on the ingress node of the MPLS TE tunnel, and specify the tunnel destination address—the address of the egress node.

3. Create a static CRLSP on each node that the MPLS TE tunnel traverses.

For information about creating a static CRLSP, see "Configuring a static CRLSP."

4. On the ingress node of the MPLS TE tunnel, configure the tunnel interface to use the created static CRLSP.

5. On the ingress node of the MPLS TE tunnel, configure static routing, PBR, or automatic route advertisement to direct traffic to the MPLS TE tunnel.

To configure an MPLS TE tunnel to use a CRLSP dynamically established by RSVP-TE, perform the following tasks:

6. Enable MPLS TE and RSVP on each node and interface that the MPLS TE tunnel traverses.

For information about enabling RSVP, see "Configuring RSVP."

7. Create a tunnel interface on the ingress node of the MPLS TE tunnel. On the tunnel interface, specify the tunnel destination address (the egress node IP address), and configure MPLS TE tunnel constraints (such as the tunnel bandwidth constraints and affinity).

8. Configure the link TE attributes (such as the maximum link bandwidth and link attribute) on each interface that the MPLS TE tunnel traverses.

9. Configure an IGP on each node that the MPLS TE tunnel traverses, and configure the IGP to support MPLS TE. Then, the nodes can advertise the link TE attributes through the IGP.

10. On the ingress node of the MPLS TE tunnel, configure RSVP-TE to establish a CRLSP based on the tunnel constraints and link TE attributes.

11. On the ingress node of the MPLS TE tunnel, configure static routing, PBR, or automatic route advertisement to direct traffic to the MPLS TE tunnel.

To configure an MPLS TE tunnel to use a PCE-calculated path to establish a CRLSP, perform the following tasks:

12. Enable MPLS TE and RSVP on each node and interface that the MPLS TE tunnel traverses.

For information about enabling RSVP, see "Configuring RSVP."

13. Specify an LSR as a PCE and configure an IP address for the PCE.

14. Create a tunnel interface on the ingress node of the MPLS TE tunnel. On the tunnel interface, specify the tunnel destination address (the egress node IP address), and configure MPLS TE tunnel constraints (such as the tunnel bandwidth constraints and affinity).

15. Configure link TE attributes (such as the maximum link bandwidth and link attribute) on each interface that the MPLS TE tunnel traverses.

16. Configure an IGP on each node that the MPLS TE tunnel traverses, and configure the IGP to support MPLS TE. Then, the nodes can advertise the link TE attributes through the IGP.

17. Configure the ingress node of the MPLS TE tunnel to use the path calculated by the PCE. Manually specify the PCE or configure OSPF TE to dynamically discover the PCE on the ingress node (PCC).

18. On the ingress node of the MPLS TE tunnel, configure RSVP-TE to establish a CRLSP based on the path calculated by the PCE.

19. On the ingress node of the MPLS TE tunnel, configure static routing, PBR, or automatic route advertisement to direct traffic to the MPLS TE tunnel.

You can also configure other MPLS TE features such as the DS-TE, automatic bandwidth adjustment, and FRR as needed.

To configure MPLS TE, perform the following tasks:

Tasks at a glance
(Required.) Enabling MPLS TE
(Required.) Configuring a tunnel interface
(Optional.) Configuring DS-TE
(Required.) Perform one of the following tasks to configure an MPLS TE tunnel: · Configuring an MPLS TE tunnel to use a static CRLSP · Configuring an MPLS TE tunnel to use a dynamic CRLSP · Configuring an MPLS TE tunnel to use a CRLSP calculated by PCEs
(Optional.) Configuring load sharing for an MPLS TE tunnel
(Required.) Configuring traffic forwarding: · Configuring static routing to direct traffic to an MPLS TE tunnel or tunnel bundle · Configuring PBR to direct traffic to an MPLS TE tunnel or tunnel bundle · Configuring automatic route advertisement to direct traffic to an MPLS TE tunnel or tunnel bundle
(Optional.) Configuring a bidirectional MPLS TE tunnel
(Optional.) Configuring CRLSP backup Only MPLS TE tunnels established by RSVP-TE support this configuration.
(Optional.) Configuring MPLS TE FRR Only MPLS TE tunnels established by RSVP-TE support this configuration.
(Optional.) Configuring CBTS
(Optional.) Enabling SNMP notifications for MPLS TE

Enabling MPLS TE

Enable MPLS TE on each node and interface that the MPLS TE tunnel traverses.

Before you enable MPLS TE, perform the following tasks:

· Configure static routing or IGP to ensure that all LSRs can reach each other.

· Enable MPLS. For information about enabling MPLS, see "Configuring basic MPLS."

To enable MPLS TE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE view.	mpls te	By default, MPLS TE is disabled.
3. Return to system view.	quit	N/A
4. Enter interface view.	interface interface-type interface-number	N/A
5. Enable MPLS TE for the interface.	mpls te enable	By default, MPLS TE is disabled on an interface.

Configuring a tunnel interface

To configure an MPLS TE tunnel, you must create an MPLS TE tunnel interface and enter tunnel interface view. All MPLS TE tunnel attributes are configured in tunnel interface view. For more information about tunnel interfaces, see Layer 3—IP Services Configuration Guide.

Perform this task on the ingress node of the MPLS TE tunnel.

To configure a tunnel interface:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an MPLS TE tunnel interface and enter tunnel interface view.	interface tunnel tunnel-number mode mpls-te	By default, no tunnel interfaces exist.
3. Configure an IP address for the tunnel interface.	ip address ip-address { mask-length \| mask }	By default, a tunnel interface does not have an IP address.
4. Specify the tunnel destination address.	destination ip-address	By default, no tunnel destination address is specified.

Configuring DS-TE

DS-TE is configurable on any node that an MPLS TE tunnel traverses.

To configure DS-TE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE view.	mpls te	N/A
3. (Optional.) Configure the DS-TE mode as IETF.	ds-te mode ietf	By default, the DS-TE mode is prestandard.
4. (Optional.) Configure the BC model of IETF DS-TE as MAM.	ds-te bc-model mam	By default, the BC model of IETF DS-TE is RDM.
5. Configure a TE class.	ds-te te-class te-class-index class-type class-type-number priority priority	The default TE classes for IETF mode are shown in Table 1. In prestandard mode, you cannot configure TE classes.

Table 1 Default TE classes in IETF mode

TE Class	CT	Priority
0	0	7
1	1	7
2	2	7
3	3	7
4	0	0
5	1	0
6	2	0
7	3	0

Configuring an MPLS TE tunnel to use a static CRLSP

To configure an MPLS TE tunnel to use a static CRLSP, perform the following tasks:

· Establish the static CRLSP.

· Specify the MPLS TE tunnel establishment mode as static.

· Configure the MPLS TE tunnel to use the static CRLSP.

Other configurations, such as tunnel constraints and IGP extension, are not needed.

To configure an MPLS TE tunnel to use a static CRLSP:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a static CRLSP.	See "Configuring a static CRLSP."	N/A
3. Enter MPLS TE tunnel interface view.	interface tunnel tunnel-number [ mode mpls-te ]	Execute this command on the ingress node.
4. Specify the MPLS TE tunnel establishment mode as static.	mpls te signaling static	By default, MPLS TE uses RSVP-TE to establish a tunnel.
5. Apply the static CRLSP to the tunnel interface.	mpls te static-cr-lsp lsp-name	By default, a tunnel does not use any static CRLSP.

Configuring an MPLS TE tunnel to use a dynamic CRLSP

To configure an MPLS TE tunnel to use a CRLSP dynamically established by RSVP-TE, perform the following tasks:

· Configure MPLS TE attributes for the links.

· Configure IGP TE extension to advertise link TE attributes, so as to generate a TEDB on each node.

· Configure tunnel constraints.

· Establish the CRLSP by using the signaling protocol RSVP-TE.

You must configure the IGP TE extension to form a TEDB. Otherwise, the path is created based on IGP routing rather than computed by CSPF.

Configuration task list

To establish an MPLS TE tunnel by using a dynamic CRLSP:

Tasks at a glance
(Required.) Configuring MPLS TE attributes for a link
(Required.) Advertising link TE attributes by using IGP TE extension
(Required.) Configuring MPLS TE tunnel constraints
(Required.) Establishing an MPLS TE tunnel by using RSVP-TE
(Optional.) Controlling CRLSP path selection
(Optional.) Controlling MPLS TE tunnel setup

Configuring MPLS TE attributes for a link

MPLS TE attributes for a link include the maximum link bandwidth, the maximum reservable bandwidth, and the link attribute.

Perform this task on each interface that the MPLS TE tunnel traverses.

To configure the link TE attributes:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Set the maximum link bandwidth for MPLS TE traffic.	mpls te max-link-bandwidth bandwidth-value	By default, the maximum link bandwidth for MPLS TE traffic is 0.
4. Set the maximum reservable bandwidth.	· Configure the maximum reservable bandwidth of the link (BC 0) and BC 1 in RDM model of the prestandard DS-TE: mpls te max-reservable-bandwidth bandwidth-value [ bc1 bc1-bandwidth ] · Configure the maximum reservable bandwidth of the link and the BCs in MAM model of the IETF DS-TE: mpls te max-reservable-bandwidth mam bandwidth-value { bc0 bc0-bandwidth \| bc1 bc1-bandwidth \| bc2 bc2-bandwidth \| bc3 bc3-bandwidth } * · Configure the maximum reservable bandwidth of the link and the BCs in RDM model of the IETF DS-TE: mpls te max-reservable-bandwidth rdm bandwidth-value [ bc1 bc1-bandwidth ] [ bc2 bc2-bandwidth ] [ bc3 bc3-bandwidth ]	Use one command according to the DS-TE mode and BC model configured in "Configuring DS-TE." By default, the maximum reservable bandwidth of a link is 0 kbps and each BC is 0 kbps. In RDM model, BC 0 is the maximum reservable bandwidth of a link.
5. Set the link attribute.	mpls te link-attribute attribute-value	By default, the link attribute value is 0x00000000.

Advertising link TE attributes by using IGP TE extension

Both OSPF and IS-IS are extended to advertise link TE attributes. The extensions are called OSPF TE and IS-IS TE. If both OSPF TE and IS-IS TE are available, OSPF TE takes precedence.

Configuring OSPF TE

OSPF TE uses Type-10 opaque LSAs to carry the TE attributes for a link. Before you configure OSPF TE, you must enable opaque LSA advertisement and reception by using the opaque-capability enable command. For more information about opaque LSA advertisement and reception, see Layer 3—IP Routing Configuration Guide.

MPLS TE cannot reserve resources and distribute labels for an OSPF virtual link, and cannot establish a CRLSP through an OSPF virtual link. Therefore, make sure no virtual link exists in an OSPF area before you configure MPLS TE.

To configure OSPF TE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter OSPF view.	ospf [ process-id ]	N/A
3. Enable opaque LSA advertisement and reception.	opaque-capability enable	By default, opaque LSA advertisement and reception are enabled. For more information about this command, see Layer 3—IP Routing Command Reference.
4. Enter area view.	area area-id	N/A
5. Enable MPLS TE for the OSPF area.	mpls te enable	By default, MPLS TE is disabled for an OSPF area.

Configuring IS-IS TE

IS-IS TE uses a sub-TLV of the extended IS reachability TLV (type 22) to carry TE attributes. Because the extended IS reachability TLV carries wide metrics, specify a wide metric-compatible metric style for the IS-IS process before enabling IS-IS TE. Available metric styles for IS-IS TE include wide, compatible, or wide-compatible. For more information about IS-IS, see Layer 3—IP Routing Configuration Guide.

On IS-IS enabled interfaces, set the MTU to a minimum of 512 bytes to ensure that IS-IS LSPs of different lengths can be flooded to the network.

To configure IS-IS TE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an IS-IS process and enter IS-IS view.	isis [ process-id ]	By default, no IS-IS process exists.
3. Specify a metric style.	cost-style { narrow \| wide \| wide-compatible \| { compatible \| narrow-compatible } [ relax-spf-limit ] }	By default, only narrow metric style packets can be received and sent. For more information about this command, see Layer 3—IP Routing Command Reference.
4. Enable MPLS TE for the IS-IS process.	mpls te enable [ Level-1 \| Level-2 ]	By default, MPLS TE is disabled for an IS-IS process.
5. Specify the types of the sub-TLVs for carrying DS-TE parameters.	te-subtlv { bw-constraint value \| unreserved-subpool-bw value } *	By default, the bw-constraint parameter is carried in sub-TLV 252, and the unreserved-bw-sub-pool parameter is carried in sub-TLV 251.

Configuring MPLS TE tunnel constraints

Perform this task on the ingress node of the MPLS TE tunnel.

Configuring bandwidth constraints for an MPLS TE tunnel

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE tunnel interface view.	interface tunnel tunnel-number [ mode mpls-te ]	N/A
3. Configure bandwidth required for the tunnel, and specify a CT for the tunnel's traffic.	mpls te bandwidth [ ct0 \| ct1 \| ct2 \| ct3 ] bandwidth	By default, no bandwidth is assigned, and the class type is CT 0.

Configuring the affinity attribute for an MPLS TE tunnel

The associations between the link attribute and the affinity attribute might vary by vendor. To ensure the successful establishment of a tunnel between two devices from different vendors, correctly configure their respective link attribute and affinity attribute.

To configure the affinity attribute for an MPLS TE tunnel:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE tunnel interface view.	interface tunnel tunnel-number [ mode mpls-te ]	N/A
3. Set an affinity for the MPLS TE tunnel.	mpls te affinity-attribute attribute-value [ mask mask-value ]	By default, the affinity is 0x00000000, and the mask is 0x00000000. The default affinity matches all link attributes.

Setting a setup priority and a holding priority for an MPLS TE tunnel

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE tunnel interface view.	interface tunnel tunnel-number [ mode mpls-te ]	N/A
3. Set a setup priority and a holding priority for the MPLS TE tunnel.	mpls te priority setup-priority [ hold-priority ]	By default, the setup priority and the holding priority are both 7 for an MPLS TE tunnel.

Configuring an explicit path for an MPLS TE tunnel

An explicit path is a set of nodes. The relationship between any two neighboring nodes on an explicit path can be either strict or loose.

· Strict—The two nodes must be directly connected.

· Loose—The two nodes can have devices in between.

When establishing an MPLS TE tunnel between areas or ASs, you must perform the following tasks:

· Use a loose explicit path.

· Specify the ABR or ASBR as the next hop of the path.

· Make sure the tunnel's ingress node and the ABR or ASBR can reach each other.

To configure an explicit path for a MPLS TE tunnel:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an explicit path and enter its view.	explicit-path path-name	By default, no explicit paths exist.
3. Enable the explicit path.	undo disable	By default, an explicit path is enabled.
4. Add or modify a node in the explicit path.	nexthop [ index index-number ] ip-address [ exclude \| include [ loose \| strict ] ]	By default, an explicit path does not include any node. You can specify the include keyword to have the CRLSP traverse the specified node or the exclude keyword to have the CRLSP bypass the specified node.
5. Return to system view.	quit	N/A
6. Enter MPLS TE tunnel interface view.	interface tunnel tunnel-number [ mode mpls-te ]	N/A
7. Configure the MPLS TE tunnel interface to use the explicit path, and specify a preference value for the explicit path.	mpls te path preference value explicit-path path-name [ no-cspf ]	By default, MPLS TE uses the calculated path to establish a CRLSP.

Establishing an MPLS TE tunnel by using RSVP-TE

Before you configure this task, you must use the rsvp command and the rsvp enable command to enable RSVP on all nodes and interfaces that the MPLS TE tunnel traverses.

Perform this task on the ingress node of the MPLS TE tunnel.

To configure RSVP-TE to establish an MPLS TE tunnel:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE tunnel interface view.	interface tunnel tunnel-number [ mode mpls-te ]	N/A
3. Configure MPLS TE to use RSVP-TE to establish the tunnel.	mpls te signaling rsvp-te	By default, MPLS TE uses RSVP-TE to establish a tunnel.
4. Specify an explicit path for the MPLS TE tunnel, and specify the path preference value.	mpls te path preference value { dynamic \| explicit-path path-name } [ no-cspf ]	By default, MPLS TE uses the calculated path to establish a CRLSP.

Controlling CRLSP path selection

Before performing the configuration tasks in this section, be aware of each configuration objective and its impact on your device.

MPLS TE uses CSPF to calculate a path according to the TEDB and constraints and sets up the CRLSP through RSVP-TE. MPLS TE provides measures that affect the CSPF calculation. You can use these measures to tune the path selection for CRLSP.

Configuring the metric type for path selection

Each MPLS TE link has two metrics: IGP metric and TE metric. By planning the two metrics, you can select different tunnels for different classes of traffic. For example, use the IGP metric to represent a link delay (a smaller IGP metric value indicates a lower link delay), and use the TE metric to represent a link bandwidth value (a smaller TE metric value indicates a bigger link bandwidth value).

You can establish two MPLS TE tunnels: Tunnel 1 for voice traffic and Tunnel 2 for video traffic. Configure Tunnel 1 to use IGP metrics for path selection, and configure Tunnel 2 to use TE metrics for path selection. As a result, the video service (with larger traffic) travels through the path that has larger bandwidth, and the voice traffic travels through the path that has lower delay.

To configure the metric type for tunnel path selection:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE view.	mpls te	N/A
3. Specify the metric type to use when no metric type is explicitly configured for a tunnel.	path-metric-type { igp \| te }	By default, a tunnel uses the TE metric for path selection. Execute this command on the ingress node of an MPLS TE tunnel.
4. Return to system view.	quit	N/A
5. Enter MPLS TE tunnel interface view.	interface tunnel tunnel-number [ mode mpls-te ]	N/A
6. Specify the metric type for path selection.	mpls te path-metric-type { igp \| te }	By default, no link metric type is specified and the one specified in MPLS TE view is used. Execute this command on the ingress node of an MPLS TE tunnel.
7. Return to system view.	quit	N/A
8. Enter interface view.	interface interface-type interface-number	N/A
9. Assign a TE metric to the link.	mpls te metric value	By default, the link uses its IGP metric as the TE metric. This command is available on every interface that the MPLS TE tunnel traverses.

Configuring route pinning

When route pinning is enabled, MPLS TE tunnel reoptimization and automatic bandwidth adjustment are not available.

Perform this task on the ingress node of an MPLS TE tunnel.

To configure route pinning:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE tunnel interface view.	interface tunnel tunnel-number [ mode mpls-te ]	N/A
3. Enable route pinning.	mpls te route-pinning	By default, route pinning is disabled.

Configuring tunnel reoptimization

Tunnel reoptimization allows you to manually or dynamically trigger the ingress node to recalculate a path. If the ingress node recalculates a better path, it creates a new CRLSP, switches the traffic from the old CRLSP to the new CRLSP, and then deletes the old CRLSP.

Perform this task on the ingress node of an MPLS TE tunnel.

To configure tunnel reoptimization:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE tunnel interface view.	interface tunnel tunnel-number [ mode mpls-te ]	N/A
3. Enable tunnel reoptimization.	mpls te reoptimization [ frequency seconds ]	By default, tunnel reoptimization is disabled.
4. Return to user view.	return	N/A
5. (Optional.) Immediately reoptimize all MPLS TE tunnels that are enabled with the tunnel reoptimization feature.	mpls te reoptimization	N/A

Setting TE flooding thresholds and interval

When the bandwidth of an MPLS TE link changes, IGP floods the new bandwidth information, so the ingress node can use CSPF to recalculate the path.

To prevent such recalculations from consuming too many resources, you can configure IGP to flood only significant bandwidth changes by setting the following flooding thresholds:

· Up threshold—When the percentage of the reservable-bandwidth increase to the maximum reservable bandwidth reaches the threshold, IGP floods the TE information.

· Down threshold—When the percentage of the reservable-bandwidth decrease to the maximum reservable bandwidth reaches the threshold, IGP floods the TE information.

You can also set the flooding interval at which bandwidth changes that cannot trigger immediate flooding are flooded.

This task can be performed on all nodes that the MPLS TE tunnel traverses.

To set TE flooding thresholds and the flooding interval:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Set the up/down threshold.	mpls te bandwidth change thresholds { down \| up } percent	By default, the up/down threshold is 10% of the link reservable bandwidth.
4. Return to system view.	quit	N/A
5. Enter MPLS TE view.	mpls te	N/A
6. Set the flooding interval.	link-management periodic-flooding timer interval	By default, the flooding interval is 180 seconds.

Controlling MPLS TE tunnel setup

Before performing the configuration tasks in this section, be aware of each configuration objective and its impact on your device.

Perform the tasks in this section on the ingress node of the MPLS TE tunnel.

Enabling route and label recording

Perform this task to record the nodes that an MPLS TE tunnel traverses and the label assigned by each node. The recorded information helps you know about the path used by the MPLS TE tunnel and the label distribution information, and when the tunnel fails, it helps you locate the fault.

To enable route and label recording:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE tunnel interface view.	interface tunnel tunnel-number [ mode mpls-te ]	N/A
3. Record routes or record both routes and labels.	· To record routes: mpls te record-route · To record both routes and labels: mpls te record-route label	By default, both route recording and label recording are disabled.

Enabling loop detection

Enabling loop detection also enables the route recording feature, regardless of whether you have configured the mpls te record-route command. Loop detection enables each node of the tunnel to detect whether a loop has occurred according to the recorded route information.

To enable loop detection:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE tunnel interface view.	interface tunnel tunnel-number [ mode mpls-te ]	N/A
3. Enable loop detection.	mpls te loop-detection	By default, loop detection is disabled.

Setting tunnel setup retry

If the ingress node fails to establish an MPLS TE tunnel, it waits for the retry interval, and then tries to set up the tunnel again. It repeats this process until the tunnel is established or until the number of attempts reaches the maximum. If the tunnel cannot be established when the number of attempts reaches the maximum, the ingress waits for a longer period and then repeats the previous process.

To set tunnel setup retry:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE tunnel interface view.	interface tunnel tunnel-number [ mode mpls-te ]	N/A
3. Set the maximum number of tunnel setup attempts.	mpls te retry retries	By default, the maximum number of attempts is 3.
4. Set the retry interval.	mpls te timer retry seconds	By default, the retry interval is 2 seconds.

Configuring automatic bandwidth adjustment

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE view.	mpls te	N/A
3. Enable automatic bandwidth adjustment globally, and configure the output rate sampling interval.	auto-bandwidth enable [ sample-interval interval ]	By default, the global auto bandwidth adjustment is disabled. The sampling interval configured in MPLS TE view applies to all MPLS TE tunnels. The output rates of all MPLS TE tunnels are recorded every sampling interval to calculate the actual average bandwidth of each MPLS TE tunnel in one sampling interval.
4. Enter MPLS TE tunnel interface view.	interface tunnel tunnel-number [ mode mpls-te ]	N/A
5. Enable automatic bandwidth adjustment or output rate sampling for the MPLS TE tunnel.	· To enable automatic bandwidth adjustment: mpls te auto-bandwidth adjustment [ frequency seconds ] [ max-bw max-bandwidth \| min-bw min-bandwidth ] * · To enable output rate sampling: mpls te auto-bandwidth collect-bw [ frequency seconds ]	By default, automatic bandwidth adjustment and output rate sampling are disabled for an MPLS TE tunnel.
6. Return to user view.	return	N/A
7. (Optional.) Reset the automatic bandwidth adjustment.	reset mpls te auto-bandwidth-adjustment timers	After this command is executed, the system clears the output rate sampling information and the remaining time to the next bandwidth adjustment to start a new output rate sampling and bandwidth adjustment.

Configuring RSVP resource reservation style

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE tunnel interface view.	interface tunnel tunnel-number [ mode mpls-te ]	N/A
3. Configure the resources reservation style for the tunnel.	mpls te resv-style { ff \| se }	By default, the resource reservation style is SE. In current MPLS TE applications, tunnels are established usually by using the make-before-break mechanism. As a best practice, use the SE style.

Configuring an MPLS TE tunnel to use a CRLSP calculated by PCEs

Configuring a PCE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE view.	mpls te	N/A
3. Configure a PCE IP address.	pce address ip-address	By default, no PCE address is configured.

Discovering PCEs

After the PCE is manually specified or dynamically discovered, a PCC sends a PCEP connection request to the PCE, but it does not accept a request from the PCE.

Manually specifying a PCE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE view.	mpls te	N/A
3. Specify the IP address of the PCE.	pce static ip-address	By default, no PCE peers exist.

Dynamically discovering PCEs

OSPF TE advertises PCE IP addresses for PCCs and other PCEs to dynamically discover the PCEs and establish PCEP sessions to them. For OSPF TE configuration, see "Configuring OSPF TE."

Establishing a CRLSP by using the path calculated by PCEs

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE tunnel interface view.	interface tunnel tunnel-number [ mode mpls-te ]	N/A
3. Establish a CRLSP by using the path calculated by PCEs.	mpls te path preference value dynamic pce [ ip-address ]&<0-8>	By default, the automatically calculated path is used to establish a CRLSP. After this command is executed, the local device acts as a PCC and establishes PCEP sessions to the specified PCEs. If you do not specify a PCE, the local device establishes PCEP sessions to all discovered PCEs.

Establishing a backup CRLSP by using the path calculated by PCEs

Perform this task to enable the specified PCEs to calculate a backup CRLSP for the PCC. When the primary CRLSP fails, traffic is switched to the backup CRLSP to ensure continuous traffic forwarding.

To establish a backup CRLSP by using the path calculated by PCEs:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE tunnel interface view.	interface tunnel tunnel-number [ mode mpls-te ]	N/A
3. Enable tunnel backup and specify the backup mode.	mpls te backup { hot-standby \| ordinary }	By default, tunnel backup is disabled.
4. Establish a backup CRLSP by using the path calculated by PCEs.	mpls te backup-path preference value dynamic pce [ ip-address ]&<0-8>	By default, the automatically calculated path is used to establish a backup CRLSP. After this command is executed, the local device acts as a PCC and establishes PCEP sessions to the specified PCEs. If you do not specify a PCE, the local device establishes PCEP sessions to all discovered PCEs.

Configuring PCEP session parameters

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE view.	mpls te	N/A
3. Set the path calculation request timeout time.	pce request-timeout value	By default, the request timeout time is 10 seconds.
4. Set the PCEP session deadtimer.	pce deadtimer value	By default, the PCEP session deadtimer is 120 seconds.
5. Set the keepalive interval for PCEP sessions.	pce keepalive interval	By default, the keepalive interval is 30 seconds.
6. Set the minimum acceptable keepalive interval and the maximum number of allowed unknown messages received from the peer.	pce tolerance { min-keepalive value \| max-unknown-messages value }	By default, the minimum acceptable keepalive interval is 10 seconds, and the maximum number of allowed unknown messages in a minute is 5.

Configuring load sharing for an MPLS TE tunnel

MPLS TE tunnel load sharing specifies multiple member interfaces (MPLS TE tunnel interfaces) for a tunnel bundle interface in load sharing mode. The member interfaces form a tunnel bundle. When the outgoing interface is the tunnel bundle interface, traffic can be forwarded through multiple MPLS TE tunnels, and load sharing is implemented.

Perform this task on the ingress node of the MPLS TE tunnel.

To configure load sharing for an MPLS TE tunnel:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a tunnel bundle interface in load sharing mode, and enter tunnel bundle interface view.	interface tunnel-bundle number	By default, no tunnel bundle interfaces exist.
3. Configure an IP address for the tunnel bundle interface.	ip address ip-address { mask-length \| mask }	By default, no IP address is configured for a tunnel bundle interface.
4. Configure the destination address for the tunnel bundle interface.	destination ip-address	By default, no destination address is configured for a tunnel bundle interface. As a best practice, configure the same destination address for a tunnel bundle interface and its member interfaces. Otherwise, traffic cannot be forwarded unless the tunnel bundle interface's destination address can be reached through the member interfaces.
5. Specify a member interface for the tunnel bundle interface.	member interface tunnel tunnel-number [ load-share value ]	By default, no member interface is configured for a tunnel bundle interface. You can specify multiple member interfaces. The load-share keyword specifies the weight of the member interface for load sharing. For example, a tunnel bundle interface has three member interfaces. If the weights of the member interfaces are 1, 1, and 2, the proportions of traffic forwarded by them are 1/4, 1/4, and 1/2.

Configuring traffic forwarding

Perform the tasks in this section on the ingress node of the MPLS TE tunnel.

Configuring static routing to direct traffic to an MPLS TE tunnel or tunnel bundle

Creating a static route to direct traffic to an MPLS TE tunnel/tunnel bundle

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure a static route to direct traffic to an MPLS TE tunnel or tunnel bundle.

See Layer 3—IP Routing Command Reference.

By default, no static routes exist.

The interface specified in this command must be an MPLS TE tunnel interface or a tunnel bundle interface in load sharing mode.

Configuring automatic static route advertisement to direct traffic to an MPLS TE tunnel

IGP shortcut or forwarding adjacency is usually configured to direct traffic to an MPLS TE tunnel. On a network that contains multiple IGP areas, however, configuring IGP shortcut and forwarding adjacency causes route convergence failure. As a result, traffic cannot be forwarded over the MPLS TE tunnel. To direct traffic to an MPLS TE tunnel in this scenario, you can execute the tunnel route-static command on the ingress node of the MPLS TE tunnel. This command creates a static route whose destination address and output interface are the tunnel destination address and the tunnel interface, respectively.

To configure automatic static route advertisement to direct traffic to an MPLS TE tunnel:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE tunnel view.	interface tunnel tunnel-number [ mode mpls-te ]	N/A
3. Configure automatic static route advertisement.	tunnel route-static [ preference preference-value ]	By default, automatic static route advertisement is not configured.

Configuring PBR to direct traffic to an MPLS TE tunnel or tunnel bundle

For more information about the commands in this task, see Layer 3—IP Routing Command Reference.

To configure PBR to direct traffic to an MPLS TE tunnel or tunnel bundle:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a PBR policy node and enter policy node view.	policy-based-route policy-name [ deny \| permit ] node node-number	By default, no PBR policies node exist.
3. Configure an ACL match criterion.	if-match acl { acl-number \| name acl-name }	By default, no ACL match criterion is configured.
4. Specify a tunnel interface or a tunnel bundle interface as the packet output interface.	apply output-interface { { tunnel tunnel-number \| tunnel-bundle number } [ track track-entry-number ] }&<1-2>	N/A
5. Return to system view.	quit	N/A
6. Apply the PBR policy.	· To apply the policy to the local device: ip local policy-based-route policy-name · To apply the policy to an interface: a. interface interface-type interface-number b. ip policy-based-route policy-name	By default, no policy is applied.

Configuring automatic route advertisement to direct traffic to an MPLS TE tunnel or tunnel bundle

You can use either IGP shortcut or forwarding adjacency to implement automatic route advertisement. When you use IGP shortcut, you can specify a metric for the TE tunnel or the tunnel bundle. If you assign an absolute metric, the metric is directly used as the MPLS TE tunnel's or tunnel bundle's metric. If you assign a relative metric, the MPLS TE tunnel or tunnel bundle's metric is the assigned metric plus the IGP link metric.

Before configuring automatic route advertisement, perform the following tasks:

· Enable OSPF or IS-IS on the tunnel interface or tunnel bundle interface to advertise the tunnel interface address (or the tunnel bundle interface address) to OSPF or IS-IS.

· Enable MPLS TE for an OSPF area or an IS-IS process by executing the mpls te enable command in OSPF area view or IS-IS view.

Follow these restrictions and guidelines when you configure automatic route advertisement:

· The destination address of the MPLS TE tunnel or tunnel bundle can be the LSR ID of the egress node or the primary IP address of an interface on the egress node. As a best practice, configure the destination address of the MPLS TE tunnel or tunnel bundle as the LSR ID of the egress node.

· If you configure the tunnel destination address as the primary IP address of an interface on the egress node, you must enable MPLS TE, and configure OSPF or IS-IS on that interface. This makes sure the primary IP address of the interface can be advertised to its peer.

· The route to the tunnel interface address (or the tunnel bundle interface address) and the route to the tunnel destination must be in the same OSPF area or at the same IS-IS level.

Configuring IGP shortcut

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	· Enter MPLS TE tunnel interface view: interface tunnel tunnel-number [ mode mpls-te ] · Enter the view of tunnel bundle interface in load sharing mode: interface tunnel-bundle number	N/A
3. Enable IGP shortcut.	mpls te igp shortcut [ isis \| ospf ]	By default, IGP shortcut is disabled. If no IGP is specified, both OSPF and IS-IS will include the MPLS TE tunnel or tunnel bundle in route calculation.
4. Assign a metric to the MPLS TE tunnel or tunnel bundle.	mpls te igp metric { absolute value \| relative value }	By default, the metric of an MPLS TE tunnel or tunnel bundle equals its IGP metric.

Configuring forwarding adjacency

To use forwarding adjacency, you must establish two MPLS TE tunnels or tunnel bundles in opposite directions between two nodes, and configure forwarding adjacency on both the nodes.

To configure forwarding adjacency in tunnel interface view:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE tunnel interface view.	interface tunnel tunnel-number [ mode mpls-te ]	N/A
3. Enable forwarding adjacency.	mpls te igp advertise [ hold-time value ]	By default, forwarding adjacency is disabled.

To configure forwarding adjacency in tunnel bundle interface view:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter the view of tunnel bundle interface in load sharing mode.	interface tunnel-bundle number	N/A
3. Enable forwarding adjacency.	mpls te igp advertise	By default, forwarding adjacency is disabled.

Configuring a bidirectional MPLS TE tunnel

Restrictions and guidelines

To create a bidirectional MPLS TE tunnel, create an MPLS TE tunnel interface on both ends of the tunnel and enable the bidirectional tunnel feature on the tunnel interfaces:

· For a co-routed bidirectional tunnel, configure one end of the tunnel as the active end and the other end as the passive end, and specify the reverse CRLSP at the passive end.

· For an associated bidirectional tunnel, specify a reverse CRLSP at both ends of the tunnel.

Prerequisites

Before you create a bidirectional MPLS TE tunnel, perform the following tasks:

· Disable the PHP feature on both ends of the tunnel.

· To set up a bidirectional MPLS TE tunnel in co-routed mode, you must specify the signaling protocol as RSVP-TE.

Configuring the active end of a co-routed bidirectional MPLS TE tunnel

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE tunnel interface view.	interface tunnel tunnel-number [ mode mpls-te ]	N/A
3. Configure a co-routed bidirectional MPLS TE tunnel and specify the local end as the active end of the tunnel.	mpls te bidirectional co-routed active	By default, bidirectional tunnel is disabled on the tunnel interface, and tunnels established on the tunnel interface are unidirectional MPLS TE tunnels.

Configuring the passive end of a co-routed bidirectional MPLS TE tunnel

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE tunnel interface view.	interface tunnel tunnel-number [ mode mpls-te ]	N/A
3. Configure a co-routed bidirectional MPLS TE tunnel and specify the local end as the passive end of the tunnel.	mpls te bidirectional co-routed passive reverse-lsp lsr-id ingress-lsr-id tunnel-id tunnel-id	By default, bidirectional tunnel is disabled on the tunnel interface, and tunnels established on the tunnel interface are unidirectional MPLS TE tunnels.

Configuring an associated bidirectional MPLS TE tunnel

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE tunnel interface view.	interface tunnel tunnel-number [ mode mpls-te ]	N/A
3. Configure an associated bidirectional MPLS TE tunnel.	mpls te bidirectional associated reverse-lsp { lsp-name lsp-name \| lsr-id ingress-lsr-id tunnel-id tunnel-id } }	By default, bidirectional tunnel is disabled on the tunnel interface, and tunnels established on the tunnel interface are unidirectional MPLS TE tunnels.

Configuring CRLSP backup

CRLSP backup provides end-to-end CRLSP protection. Only MPLS TE tunnels established through RSVP-TE support CRLSP backup.

Perform this task on the ingress node of an MPLS TE tunnel.

To configure CRLSP backup:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE tunnel interface view.	interface tunnel tunnel-number [ mode mpls-te ]	N/A
3. Enable tunnel backup and specify the backup mode.	mpls te backup { hot-standby \| ordinary }	By default, tunnel backup is disabled.
4. Specify a path for the primary CRLSP and set the preference of the path.	mpls te path preference value { dynamic \| explicit-path path-name } [ no-cspf ]	By default, MPLS TE uses the dynamically calculated path to set up the primary CRLSP.
5. Specify a path for the backup CRLSP and set the preference of the path.	mpls te backup-path preference value { dynamic \| explicit-path path-name } [ no-cspf ]	By default, MPLS TE uses the dynamically calculated path to set up the backup CRLSP.

Configuring MPLS TE FRR

MPLS TE FRR provides temporary link or node protection on a CRLSP. When you configure FRR, follow these restrictions and guidelines:

· Do not configure both FRR and RSVP authentication on the same interface.

· Only MPLS TE tunnels established through RSVP-TE support FRR.

Enabling FRR

Perform this task on the ingress node of a primary CRLSP.

To enable FRR:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter tunnel interface view of the primary CRLSP.	interface tunnel tunnel-number [ mode mpls-te ]	N/A
3. Enable FRR.	mpls te fast-reroute [ bandwidth ]	By default, FRR is disabled. If you specify the bandwidth keyword, the primary CRLSP must have bandwidth protection.

Configuring a bypass tunnel on the PLR

Overview

To configure FRR, you must configure bypass tunnels for primary CRLSPs on the PLR by using the following methods:

· Manually configuring a bypass tunnel on the PLR—Create an MPLS TE tunnel on the PLR, and configure the tunnel as a bypass tunnel for a primary CRLSP. You need to specify the bandwidth and CT that the bypass tunnel can protect, and bind the bypass tunnel to the egress interface of the primary CRLSP.

You can configure a maximum of three bypass tunnels for a primary CRLSP.

· Configuring the PLR to set up bypass tunnels automatically—Configure the automatic bypass tunnel setup feature (also referred to as the auto FRR feature) on the PLR. The PLR automatically sets up two bypass tunnels for each of its primary CRLSPs: one in link protection mode and the other in node protection mode. Automatically created bypass tunnels can be used to protect any type of CT, but they cannot provide bandwidth protection.

A primary tunnel can have both manually configured and automatically created bypass tunnels. The PLR will select one bypass tunnel to protect the primary CRLSP. The selected bypass tunnel is bound to the primary CRLSP.

Manually created bypass tunnels take precedence over automatically created bypass tunnels. An automatically created bypass tunnel in node protection mode takes precedence over an automatically created bypass tunnel in link protection mode. Among manually created bypass tunnels, the PLR selects the bypass tunnel for protecting the primary CRLSP by following these rules:

1. Selects a bypass tunnel according to the principles, as shown in Table 2.

2. Prefers the bypass tunnel in node protection mode over the one in link protection mode.

3. Prefers the bypass tunnel with a smaller ID over the one with a bigger tunnel ID.

Table 2 FRR protection principles

Bandwidth required by primary CRLSP	Primary CRLSP requires bandwidth protection or not	Bypass tunnel providing bandwidth protection	Bypass tunnel providing no bandwidth protection
0	Yes	The primary CRLSP cannot be bound to the bypass tunnel.	The primary CRLSP can be bound to the bypass tunnel if CT 0 or no CT is specified for the bypass tunnel. After binding, the RRO message does not carry the bandwidth protection flag. The bypass tunnel does not provide bandwidth protection for the primary CRLSP, and performs best-effort forwarding for traffic of the primary CRLSP.
0	No	The primary CRLSP cannot be bound to the bypass tunnel.
None-zero	Yes	The primary CRLSP can be bound to the bypass tunnel when all the following conditions are met: · The bandwidth that the bypass tunnel can protect is no less than the bandwidth required by the primary CRLSP. · There is not a CT specified for the bypass tunnel, or the specified CT is the same as that specified for the primary CRLSP. After binding, the RRO message carries the bandwidth protection flag, and the bypass tunnel provides bandwidth protection for the primary CRLSP. The primary CRLSP prefers bypass tunnels that provide bandwidth protection over those providing no bandwidth protection.	The primary CRLSP can be bound to the bypass tunnel when one of the following conditions is met: · No CT is specified for the bypass tunnel. · The specified CT is the same as that specified for the primary CRLSP. After binding, the RRO message does not carry the bandwidth protection flag. This bypass tunnel is selected only when no bypass tunnel that provides bandwidth protection can be bound to the primary CRLSP.
Non-zero	No	The primary CRLSP can be bound to the bypass tunnel when all the following conditions are met: · The bandwidth that the bypass tunnel can protect is no less than the bandwidth required by the primary CRLSP. · No CT that the bypass tunnel can protect is specified, or the specified CT is the same as that of the traffic on the primary CRLSP. After binding, the RRO message carries the bandwidth protection flag. This bypass tunnel is selected only when no bypass tunnel that does not provide bandwidth protection can be bound to the primary CRLSP.	The primary CRLSP can be bound to the bypass tunnel when one of the following conditions is met: · No CT is specified for the bypass tunnel. · The specified CT is the same as that of the traffic on the primary CRLSP. After binding, the RRO message does not carry the bandwidth protection flag. The primary CRLSP prefers bypass tunnels that does not provide bandwidth protection over those providing bandwidth protection.

Configuration restrictions and guidelines

When you configure a bypass tunnel on the PLR, follow these restrictions and guidelines:

· Use bypass tunnels to protect only critical interfaces or links when bandwidth is insufficient. Bypass tunnels are pre-established and require extra bandwidth.

· Make sure the bandwidth assigned to the bypass tunnel is no less than the total bandwidth needed by all primary CRLSPs to be protected by the bypass tunnel. Otherwise, some primary CRLSPs might not be protected by the bypass tunnel.

· A bypass tunnel typically does not forward data when the primary CRLSP operates correctly. For a bypass tunnel to also forward data during tunnel protection, you must assign adequate bandwidth to the bypass tunnel.

· A bypass tunnel cannot be used for services such as VPN.

· You cannot configure FRR for a bypass tunnel. A bypass tunnel cannot act as a primary CRLSP.

· Make sure the protected node or interface is not on the bypass tunnel.

· After you associate a primary CRLSP that does not require bandwidth protection with a bypass tunnel that provides bandwidth protection, the primary CRLSP occupies the bandwidth that the bypass tunnel protects. The bandwidth is protected on a first-come-first-served basis. The primary CRLSP that needs bandwidth protection cannot preempt the one that does not need bandwidth protection.

· After an FRR, the primary CRLSP will be down if you modify the bandwidth that the bypass tunnel can protect and your modification results in one of the following:

? The CT type changes.

? The bypass tunnel cannot protect adequate bandwidth as configured.

? FRR protection type (whether or not to provide bandwidth protection for the primary CRLSP) changes.

Manually configuring a bypass tunnel

The bypass tunnel setup method is the same as a normal MPLS TE tunnel. This section describes only FRR-related configurations.

To configure a bypass tunnel on the PLR:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter tunnel interface view of the bypass tunnel.	interface tunnel tunnel-number [ mode mpls-te ]	N/A
3. Specify the destination address of the bypass tunnel.	destination ip-address	The bypass tunnel destination address is the LSR ID of the MP.
4. Configure the bandwidth and the CT to be protected by the bypass tunnel.	mpls te backup bandwidth [ ct0 \| ct1 \| ct2 \| ct3 ] { bandwidth \| un-limited }	By default, the bandwidth and the CT to be protected by the bypass tunnel are not specified.
5. Return to system view.	quit	N/A
6. Enter interface view of the egress interface of a primary CRLSP.	interface interface-type interface-number	N/A
7. Specify a bypass tunnel for the protected interface (the current interface).	mpls te fast-reroute bypass-tunnel tunnel tunnel-number	By default, no bypass tunnel is specified for an interface.

Automatically setting up bypass tunnels

With auto FRR, if the PLR is the penultimate node of a primary CRLSP, the PLR does not create a node-protection bypass tunnel for the primary CRLSP.

An automatically created bypass tunnel can protect multiple primary CRLSPs. A bypass tunnel is unused when the bypass tunnel is not bound to any primary CRLSP. When a bypass tunnel is unused for the period of time configured by the timers removal unused command, MPLS TE removes the bypass tunnel.

To configure auto FRR on the PLR:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE view.	mpls te	N/A
3. Enable the auto FRR feature globally.	auto-tunnel backup	By default, the auto FRR feature is disabled globally.
4. Specify an interface number range for the automatically created bypass tunnels.	tunnel-number min min-number max max-number	By default, no interface number range is specified, and the PLR cannot set up a bypass tunnel automatically.
5. (Optional.) Configure the PLR to create only link-protection bypass tunnels.	nhop-only	By default, the PLR automatically creates both a link-protection and a node-protection bypass tunnel for each of its primary CRLSPs. Execution of this command deletes all existing node-protection bypass tunnels automatically created for MPLS TE auto FRR.
6. (Optional.) Set a removal timer for unused bypass tunnels.	timers removal unused seconds	By default, a bypass tunnel is removed after it is unused for 3600 seconds.
7. (Optional.) Return to system view.	quit	N/A
8. (Optional.) Enter interface view.	interface interface-type interface-number	N/A
9. (Optional.) Disable the auto FRR feature on the interface.	mpls te auto-tunnel backup disable	By default, the auto FRR feature is enabled on all RSVP-enabled interfaces after it is enabled globally. Execution of this command deletes all existing bypass tunnels automatically created on the interface for MPLS TE auto FRR.

Configuring node fault detection

Perform this task to configure the RSVP hello mechanism or BFD on the PLR and the protected node to detect the node faults caused by signaling protocol faults. FRR does not need to use the RSVP hello mechanism or BFD to detect the node faults caused by the link faults between the PLR and the protected node.

You do not need to perform this task for FRR link protection.

To configure node fault detection:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	On the PLR, enter the view of the interface connected to the protected node. On the protected node, enter the view of the interface connected to the PLR.
3. Configure node fault detection.	· (Method 1) Enable RSVP hello extension on the interface: rsvp hello enable · (Method 2) Enable BFD on the interface: rsvp bfd enable	By default, RSVP hello extension is disabled, and BFD is not configured. For more information about the rsvp hello enable command and the rsvp bfd enable command, see "Configuring RSVP."

Setting the optimal bypass tunnel selection interval

If you have specified multiple bypass tunnels for a primary CRLSP, MPLS TE selects an optimal bypass tunnel to protect the primary CRLSP. Sometimes, a bypass tunnel might become better than the current optimal bypass tunnel because, for example, the reservable bandwidth changes. Therefore, MPLS TE needs to poll the bypass tunnels periodically to update the optimal bypass tunnel.

Perform this task on the PLR to set the interval for selecting an optimal bypass tunnel:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE view.	mpls te	N/A
3. Set the interval for selecting an optimal bypass tunnel.	fast-reroute timer interval	By default, the interval is 300 seconds.

Configuring CBTS

CBTS is mutually exclusive with WAAS. For more information about WAAS, see Layer 3—IP Services Configuration Guide

Before configuring CBTS, you must create QoS traffic behaviors to mark the MPLS TE service classes for packets. For more information, see QoS configuration in ACL and QoS Configuration Guide.

To configure CBTS:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE tunnel interface view.	interface tunnel tunnel-number [ mode mpls-te ]	N/A
3. Set a service class for the MPLS TE tunnel.	mpls te service-class service-class-value	By default, no service class is set for an MPLS TE tunnel.

Enabling SNMP notifications for MPLS TE

This feature enables generating SNMP notifications for MPLS TE upon MPLS TE state changes, as defined in RFC 3812. For MPLS TE event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see the network management and monitoring configuration guide for the device.

To enable SNMP notifications for MPLS TE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable SNMP notifications for MPLS TE.	snmp-agent trap enable te	By default, SNMP notifications for MPLS TE are disabled.

Displaying and maintaining MPLS TE

Execute display commands in any view and reset commands in user view.

Task	Command
Display information about explicit paths.	display explicit-path [ path-name ]
Display link and node information in an IS-IS TEDB.	display isis mpls te advertisement [ [ level-1 \| level-2 ] \| [ originate-system system-id \| local ] \| verbose ] * [ process-id ]
Display sub-TLV information for IS-IS TE.	display isis mpls te configured-sub-tlvs [ process-id ]
Display network information in an IS-IS TEDB.	display isis mpls te network [ [ level-1 \| level-2 ] \| local \| lsp-id lsp-id ]* [ process-id ]
Display IS-IS tunnel interface information.	display isis mpls te tunnel [ level-1 \| level-2 ] [ process-id ]
Display DS-TE information.	display mpls te ds-te
Display bandwidth information on MPLS TE-enabled interfaces.	display mpls te link-management bandwidth-allocation [ interface interface-type interface-number ]
Display information about discovered PCEs.	display mpls te pce discovery [ ip-address ] [ verbose ]
Display PCC and PCE peer information.	display mpls te pce peer [ ip-address ] [ verbose ]
Display PCC and PCE statistics.	display mpls te pce statistics [ ip-address ]
Display MPLS TEDB information.	display mpls te tedb { { isis { level-1 \| level-2 } \| ospf area area-id } \| link ip-address \| network \| node [ local \| mpls-lsr-id ] \| summary }
Display information about MPLS TE tunnel interfaces.	display mpls te tunnel-interface [ tunnel number ]
Display information about PCEs discovered by OSPF.	display ospf [ process-id ] [ area area-id ] mpls te pce [ originate-router advertising-router-id \| self-originate ]
Display link and node information in an OSPF TEDB.	display ospf [ process-id ] [ area area-id ] mpls te advertisement [ originate-router advertising-router-id \| self-originate ]
Display network information in an OSPF TEDB.	display ospf [ process-id ] [ area area-id ] mpls te network [ originate-router advertising-router-id \| self-originate ]
Display OSPF tunnel interface information.	display ospf [ process-id ] [ area area-id ] mpls te tunnel
Display information about tunnel bundle interfaces and their member interfaces.	display tunnel-bundle [ number ]
Reset the automatic bandwidth adjustment feature.	reset mpls te auto-bandwidth-adjustment timers
Clear PCC and PCE statistics.	reset mpls te pce statistics [ ip-address ]

MPLS TE configuration examples

Establishing an MPLS TE tunnel over a static CRLSP

Network requirements

Router A, Router B, and Router C run IS-IS.

Establish an MPLS TE tunnel over a static CRLSP from Router A to Router C to transmit data between the two IP networks.

The MPLS TE tunnel requires a bandwidth of 2000 kbps. The maximum bandwidth of the link that the tunnel traverses is 10000 kbps. The maximum reservable bandwidth of the link is 5000 kbps.

Figure 33 Network diagram

Configuration procedure

1. Configure IP addresses and masks for interfaces. (Details not shown.)

2. Configure IS-IS to advertise interface addresses, including the loopback interface address:

# Configure Router A.

<RouterA> system-view

[RouterA] isis 1

[RouterA-isis-1] network-entity 00.0005.0000.0000.0001.00

[RouterA-isis-1] quit

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] isis enable 1

[RouterA-GigabitEthernet2/0/1] quit

[RouterA] interface loopback 0

[RouterA-LoopBack0] isis enable 1

[RouterA-LoopBack0] quit

# Configure Router B.

<RouterB> system-view

[RouterB] isis 1

[RouterB-isis-1] network-entity 00.0005.0000.0000.0002.00

[RouterB-isis-1] quit

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] isis enable 1

[RouterB-GigabitEthernet2/0/1] quit

[RouterB] interface gigabitethernet 2/0/2

[RouterB-GigabitEthernet2/0/2] isis enable 1

[RouterB-GigabitEthernet2/0/2] quit

[RouterB] interface loopback 0

[RouterB-LoopBack0] isis enable 1

[RouterB-LoopBack0] quit

# Configure Router C.

<RouterC> system-view

[RouterC] isis 1

[RouterC-isis-1] network-entity 00.0005.0000.0000.0003.00

[RouterC-isis-1] quit

[RouterC] interface gigabitethernet 2/0/1

[RouterC-GigabitEthernet2/0/1] isis enable 1

[RouterC-GigabitEthernet2/0/1] quit

[RouterC] interface loopback 0

[RouterC-LoopBack0] isis enable 1

[RouterC-LoopBack0] quit

# Execute the display ip routing-table command on each router to verify that the routers have learned the routes to one another, including the routes to the loopback interfaces. (Details not shown.)

3. Configure an LSR ID, and enable MPLS and MPLS TE:

# Configure Router A.

[RouterA] mpls lsr-id 1.1.1.1

[RouterA] mpls te

[RouterA-te] quit

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] mpls enable

[RouterA-GigabitEthernet2/0/1] mpls te enable

[RouterA-GigabitEthernet2/0/1] quit

# Configure Router B.

[RouterB] mpls lsr-id 2.2.2.2

[RouterB] mpls te

[RouterB-te] quit

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] mpls enable

[RouterB-GigabitEthernet2/0/1] mpls te enable

[RouterB-GigabitEthernet2/0/1] quit

[RouterB] interface gigabitethernet 2/0/2

[RouterB-GigabitEthernet2/0/2] mpls enable

[RouterB-GigabitEthernet2/0/2] mpls te enable

[RouterB-GigabitEthernet2/0/2] quit

# Configure Router C.

[RouterC] mpls lsr-id 3.3.3.3

[RouterC] mpls te

[RouterC-te] quit

[RouterC] interface gigabitethernet 2/0/1

[RouterC-GigabitEthernet2/0/1] mpls enable

[RouterC-GigabitEthernet2/0/1] mpls te enable

[RouterC-GigabitEthernet2/0/1] quit

4. Configure MPLS TE attributes of links:

# Set the maximum link bandwidth and maximum reservable bandwidth on Router A.

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] mpls te max-link-bandwidth 10000

[RouterA-GigabitEthernet2/0/1] mpls te max-reservable-bandwidth 5000

[RouterA-GigabitEthernet2/0/1] quit

# Set the maximum link bandwidth and maximum reservable bandwidth on Router B.

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] mpls te max-link-bandwidth 10000

[RouterB-GigabitEthernet2/0/1] mpls te max-reservable-bandwidth 5000

[RouterB-GigabitEthernet2/0/1] quit

[RouterB] interface gigabitethernet 2/0/2

[RouterB-GigabitEthernet2/0/2] mpls te max-link-bandwidth 10000

[RouterB-GigabitEthernet2/0/2] mpls te max-reservable-bandwidth 5000

[RouterB-GigabitEthernet2/0/2] quit

# Set the maximum link bandwidth and maximum reservable bandwidth on Router C.

[RouterC] interface gigabitethernet 2/0/1

[RouterC-GigabitEthernet2/0/1] mpls te max-link-bandwidth 10000

[RouterC-GigabitEthernet2/0/1] mpls te max-reservable-bandwidth 5000

[RouterC-GigabitEthernet2/0/1] quit

5. Configure an MPLS TE tunnel on Router A:

# Configure the MPLS TE tunnel interface Tunnel 0.

[RouterA] interface tunnel 0 mode mpls-te

[RouterA-Tunnel0] ip address 6.1.1.1 255.255.255.0

# Specify the tunnel destination address as the LSR ID of Router C.

[RouterA-Tunnel0] destination 3.3.3.3

# Configure MPLS TE to use a static CRLSP to establish the tunnel.

[RouterA-Tunnel0] mpls te signaling static

[RouterA-Tunnel0] quit

6. Create a static CRLSP:

# Configure Router A as the ingress node of the static CRLSP, and specify the next hop address as 2.1.1.2, outgoing label as 20, and bandwidth for the tunnel as 2000 kbps.

[RouterA] static-cr-lsp ingress static-cr-lsp-1 nexthop 2.1.1.2 out-label 20 bandwidth 2000

# On Router A, configure Tunnel 0 to use the static CRLSP static-cr-lsp-1.

[RouterA] interface tunnel0

[RouterA-Tunnel0] mpls te static-cr-lsp static-cr-lsp-1

[RouterA-Tunnel0] quit

# Configure Router B as the transit node of the static CRLSP, and specify the incoming label as 20, next hop address as 3.2.1.2, outgoing label as 30, and bandwidth for the tunnel as 2000 kbps.

[RouterB] static-cr-lsp transit static-cr-lsp-1 in-label 20 nexthop 3.2.1.2 out-label 30 bandwidth 2000

# Configure Router C as the egress node of the static CRLSP, and specify the incoming label as 30.

[RouterC] static-cr-lsp egress static-cr-lsp-1 in-label 30

7. Configure a static route on Router A to direct traffic destined for subnet 100.1.2.0/24 to MPLS TE tunnel 0.

[RouterA] ip route-static 100.1.2.0 24 tunnel 0 preference 1

Verifying the configuration

# Verify that the tunnel interface is up on Router A.

[RouterA] display interface tunnel

Tunnel0

Current state: UP

Line protocol state: UP

Description: Tunnel0 Interface

Bandwidth: 64kbps

Maximum transmission unit: 1496

Internet address: 6.1.1.1/24 (primary)

Tunnel source unknown, destination 3.3.3.3

Tunnel TTL 255

Tunnel protocol/transport CR_LSP

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

# Display detailed information about the MPLS TE tunnel on Router A.

[RouterA] display mpls te tunnel-interface

Tunnel Name : Tunnel 0

Tunnel State : Up (Main CRLSP up)

Tunnel Attributes :

LSP ID : 1 Tunnel ID : 0

Admin State : Normal

Ingress LSR ID : 1.1.1.1 Egress LSR ID : 3.3.3.3

Signaling : Static Static CRLSP Name : static-cr-lsp-1

Static SRLSP Name : -/-

Resv Style : -

Tunnel mode : -

Reverse-LSP name : -

Reverse-LSP LSR ID : - Reverse-LSP Tunnel ID: -

Class Type : - Tunnel Bandwidth : -

Reserved Bandwidth : -

Setup Priority : 0 Holding Priority : 0

Affinity Attr/Mask : -/-

Explicit Path : -

Backup Explicit Path : -

Metric Type : TE

Record Route : - Record Label : -

FRR Flag : - Bandwidth Protection : -

Backup Bandwidth Flag: - Backup Bandwidth Type: -

Backup Bandwidth : -

Bypass Tunnel : - Auto Created : -

Route Pinning : -

Retry Limit : 3 Retry Interval : 2 sec

Reoptimization : - Reoptimization Freq : -

Backup Type : - Backup LSP ID : -

Auto Bandwidth : - Auto Bandwidth Freq : -

Min Bandwidth : - Max Bandwidth : -

Collected Bandwidth : - Service-Class : -

# Display static CRLSP information on each router.

[RouterA] display mpls lsp

FEC Proto In/Out Label Interface/Out NHLFE

1.1.1.1/0/1 StaticCR -/20 GE2/0/1

2.1.1.2 Local -/- GE2/0/1

Tunnel0 Local -/- NHLFE1025

[RouterB] display mpls lsp

FEC Proto In/Out Label Interface/Out NHLFE

- StaticCR 20/30 GE2/0/2

3.2.1.2 Local -/- GE2/0/2

[RouterC] display mpls lsp

FEC Proto In/Out Label Interface/Out NHLFE

- StaticCR 30/- -

[RouterA] display mpls static-cr-lsp

Name LSR Type In/Out Label Out Interface State

static-cr-lsp-1 Ingress -/20 GE2/0/1 Up

[RouterB] display mpls static-cr-lsp

Name LSR Type In/Out Label Out Interface State

static-cr-lsp-1 Transit 20/30 GE2/0/2 Up

[RouterC] display mpls static-cr-lsp

Name LSR Type In/Out Label Out Interface State

static-cr-lsp-1 Egress 30/- - Up

# Execute the display ip routing-table command on Router A. The output shows a static route entry with interface Tunnel 0 as the output interface. (Details not shown.)

Establishing an MPLS TE tunnel with RSVP-TE

Network requirements

Router A, Router B, Router C, and Router D run IS-IS and all of them are Level-2 routers.

Use RSVP-TE to establish an MPLS TE tunnel from Router A to Router D to transmit data between the two IP networks. The MPLS TE tunnel requires a bandwidth of 2000 kbps.

The maximum bandwidth of the link that the tunnel traverses is 10000 kbps and the maximum reservable bandwidth of the link is 5000 kbps.

Figure 34 Network diagram

Table 3 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
Router A	Loop0	1.1.1.9/32	Router C	Loop0	3.3.3.9/32
	GE2/0/1	10.1.1.1/24		GE2/0/1	30.1.1.1/24
	GE2/0/2	100.1.1.1/24		POS2/2/0	20.1.1.2/24
Router B	Loop0	2.2.2.9/32	Router D	Loop0	4.4.4.9/32
	GE2/0/1	10.1.1.2/24		GE2/0/1	30.1.1.2/24
	POS2/2/0	20.1.1.1/24		GE2/0/2	100.1.2.1/24

Configuration procedure

1. Configure IP addresses and masks for interfaces. (Details not shown.)

2. Configure IS-IS to advertise interface addresses, including the loopback interface address:

# Configure Router A.

<RouterA> system-view

[RouterA] isis 1

[RouterA-isis-1] network-entity 00.0005.0000.0000.0001.00

[RouterA-isis-1] quit

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] isis enable 1

[RouterA-GigabitEthernet2/0/1] isis circuit-level level-2

[RouterA-GigabitEthernet2/0/1] quit

[RouterA] interface loopback 0

[RouterA-LoopBack0] isis enable 1

[RouterA-LoopBack0] isis circuit-level level-2

[RouterA-LoopBack0] quit

# Configure Router B.

<RouterB> system-view

[RouterB] isis 1

[RouterB-isis-1] network-entity 00.0005.0000.0000.0002.00

[RouterB-isis-1] quit

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] isis enable 1

[RouterB-GigabitEthernet2/0/1] isis circuit-level level-2

[RouterB-GigabitEthernet2/0/1] quit

[RouterB] interface pos 2/2/0

[RouterB-POS2/2/0] isis enable 1

[RouterB-POS2/2/0] isis circuit-level level-2

[RouterB-POS2/2/0] quit

[RouterB] interface loopback 0

[RouterB-LoopBack0] isis enable 1

[RouterB-LoopBack0] isis circuit-level level-2

[RouterB-LoopBack0] quit

# Configure Router C.

<RouterC> system-view

[RouterC] isis 1

[RouterC-isis-1] network-entity 00.0005.0000.0000.0003.00

[RouterC-isis-1] quit

[RouterC] interface gigabitethernet 2/0/1

[RouterC-GigabitEthernet2/0/1] isis enable 1

[RouterC-GigabitEthernet2/0/1] isis circuit-level level-2

[RouterC-GigabitEthernet2/0/1] quit

[RouterC] interface pos 2/2/0

[RouterC-POS2/2/0] isis enable 1

[RouterC-POS2/2/0] isis circuit-level level-2

[RouterC-POS2/2/0] quit

[RouterC] interface loopback 0

[RouterC-LoopBack0] isis enable 1

[RouterC-LoopBack0] isis circuit-level level-2

[RouterC-LoopBack0] quit

# Configure Router D.

<RouterD> system-view

[RouterD] isis 1

[RouterD-isis-1] network-entity 00.0005.0000.0000.0004.00

[RouterD-isis-1] quit

[RouterD] interface gigabitethernet 2/0/1

[RouterD-GigabitEthernet2/0/1] isis enable 1

[RouterD-GigabitEthernet2/0/1] isis circuit-level level-2

[RouterD-GigabitEthernet2/0/1] quit

[RouterD] interface loopback 0

[RouterD-LoopBack0] isis enable 1

[RouterD-LoopBack0] isis circuit-level level-2

[RouterD-LoopBack0] quit

# Execute the display ip routing-table command on each router to verify that the routers have learned the routes to one another, including the routes to the loopback interfaces. (Details not shown.)

3. Configure an LSR ID, and enable MPLS, MPLS TE, and RSVP-TE:

# Configure Router A.

[RouterA] mpls lsr-id 1.1.1.9

[RouterA] mpls te

[RouterA-te] quit

[RouterA] rsvp

[RouterA-rsvp] quit

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] mpls enable

[RouterA-GigabitEthernet2/0/1] mpls te enable

[RouterA-GigabitEthernet2/0/1] rsvp enable

[RouterA-GigabitEthernet2/0/1] quit

# Configure Router B.

[RouterB] mpls lsr-id 2.2.2.9

[RouterB] mpls te

[RouterB-te] quit

[RouterB] rsvp

[RouterB-rsvp] quit

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] mpls enable

[RouterB-GigabitEthernet2/0/1] mpls te enable

[RouterB-GigabitEthernet2/0/1] rsvp enable

[RouterB-GigabitEthernet2/0/1] quit

[RouterB] interface pos 2/2/0

[RouterB-POS2/2/0] mpls enable

[RouterB-POS2/2/0] mpls te enable

[RouterB-POS2/2/0] rsvp enable

[RouterB-POS2/2/0] quit

# Configure Router C.

[RouterC] mpls lsr-id 3.3.3.9

[RouterC] mpls te

[RouterC-te] quit

[RouterC] rsvp

[RouterC-rsvp] quit

[RouterC] interface gigabitethernet 2/0/1

[RouterC-GigabitEthernet2/0/1] mpls enable

[RouterC-GigabitEthernet2/0/1] mpls te enable

[RouterC-GigabitEthernet2/0/1] rsvp enable

[RouterC-GigabitEthernet2/0/1] quit

[RouterC] interface pos 2/2/0

[RouterC-POS2/2/0] mpls enable

[RouterC-POS2/2/0] mpls te enable

[RouterC-POS2/2/0] rsvp enable

[RouterC-POS2/2/0] quit

# Configure Router D.

[RouterD] mpls lsr-id 4.4.4.9

[RouterD] mpls te

[RouterD-te] quit

[RouterD] rsvp

[RouterD-rsvp] quit

[RouterD] interface gigabitethernet 2/0/1

[RouterD-GigabitEthernet2/0/1] mpls enable

[RouterD-GigabitEthernet2/0/1] mpls te enable

[RouterD-GigabitEthernet2/0/1] rsvp enable

[RouterD-GigabitEthernet2/0/1] quit

4. Configure IS-IS TE:

# Configure Router A.

[RouterA] isis 1

[RouterA-isis-1] cost-style wide

[RouterA-isis-1] mpls te enable level-2

[RouterA-isis-1] quit

# Configure Router B.

[RouterB] isis 1

[RouterB-isis-1] cost-style wide

[RouterB-isis-1] mpls te enable level-2

[RouterB-isis-1] quit

# Configure Router C.

[RouterC] isis 1

[RouterC-isis-1] cost-style wide

[RouterC-isis-1] mpls te enable level-2

[RouterC-isis-1] quit

# Configure Router D.

[RouterD] isis 1

[RouterD-isis-1] cost-style wide

[RouterD-isis-1] mpls te enable level-2

[RouterD-isis-1] quit

5. Configure MPLS TE attributes of links:

# Set the maximum link bandwidth and maximum reservable bandwidth on Router A.

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] mpls te max-link-bandwidth 10000

[RouterA-GigabitEthernet2/0/1] mpls te max-reservable-bandwidth 5000

[RouterA-GigabitEthernet2/0/1] quit

# Set the maximum link bandwidth and maximum reservable bandwidth on Router B.

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] mpls te max-link-bandwidth 10000

[RouterB-GigabitEthernet2/0/1] mpls te max-reservable-bandwidth 5000

[RouterB-GigabitEthernet2/0/1] quit

[RouterB] interface pos 2/2/0

[RouterB-POS2/2/0] mpls te max-link-bandwidth 10000

[RouterB-POS2/2/0] mpls te max-reservable-bandwidth 5000

[RouterB-POS2/2/0] quit

# Set the maximum link bandwidth and maximum reservable bandwidth on Router C.

[RouterC] interface gigabitethernet 2/0/1

[RouterC-GigabitEthernet2/0/1] mpls te max-link-bandwidth 10000

[RouterC-GigabitEthernet2/0/1] mpls te max-reservable-bandwidth 5000

[RouterC-GigabitEthernet2/0/1] quit

[RouterC] interface pos 2/2/0

[RouterC-POS2/2/0] mpls te max-link-bandwidth 10000

[RouterC-POS2/2/0] mpls te max-reservable-bandwidth 5000

[RouterC-POS2/2/0] quit

# Set the maximum link bandwidth and maximum reservable bandwidth on Router D.

[RouterD] interface gigabitethernet 2/0/1

[RouterD-GigabitEthernet2/0/1] mpls te max-link-bandwidth 10000

[RouterD-GigabitEthernet2/0/1] mpls te max-reservable-bandwidth 5000

[RouterD-GigabitEthernet2/0/1] quit

6. Configure an MPLS TE tunnel on Router A:

# Configure MPLS TE tunnel interface Tunnel 1.

[RouterA] interface tunnel 1 mode mpls-te

[RouterA-Tunnel1] ip address 7.1.1.1 255.255.255.0

# Specify the tunnel destination address as the LSR ID of Router D.

[RouterA-Tunnel1] destination 4.4.4.9

# Configure MPLS TE to use RSVP-TE to establish the tunnel.

[RouterA-Tunnel1] mpls te signaling rsvp-te

# Assign 2000 kbps bandwidth to the tunnel.

[RouterA-Tunnel1] mpls te bandwidth 2000

[RouterA-Tunnel1] quit

7. Configure a static route on Router A to direct the traffic destined for subnet 100.1.2.0/24 to MPLS TE tunnel 1.

[RouterA] ip route-static 100.1.2.0 24 tunnel 1 preference 1

Verifying the configuration

# Verify that the tunnel interface is up on Router A.

[RouterA] display interface tunnel

Tunnel1

Current state: UP

Line protocol state: UP

Description: Tunnel1 Interface

Bandwidth: 64kbps

Maximum transmission unit: 1496

Internet address: 7.1.1.1/24 (primary)

Tunnel source unknown, destination 4.4.4.9

Tunnel TTL 255

Tunnel protocol/transport CR_LSP

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last clearing of counters: Never

Last 300 seconds input: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

# Display detailed information about the MPLS TE tunnel on Router A.

[RouterA] display mpls te tunnel-interface

Tunnel Name : Tunnel 1

Tunnel State : Up (Main CRLSP up, Shared-resource CRLSP down)

Tunnel Attributes :

LSP ID : 23331 Tunnel ID : 1

Admin State : Normal

Ingress LSR ID : 1.1.1.9 Egress LSR ID : 4.4.4.9

Signaling : RSVP-TE Static CRLSP Name : -

Static SRLSP Name : -/-

Resv Style : SE

Tunnel mode : -

Reverse-LSP name : -

Reverse-LSP LSR ID : - Reverse-LSP Tunnel ID: -

Class Type : CT0 Tunnel Bandwidth : 2000 kbps

Reserved Bandwidth : 2000 kbps

Setup Priority : 7 Holding Priority : 7

Affinity Attr/Mask : 0/0

Explicit Path : -

Backup Explicit Path : -

Metric Type : TE

Record Route : Disabled Record Label : Disabled

FRR Flag : Disabled Bandwidth Protection : Disabled

Backup Bandwidth Flag: Disabled Backup Bandwidth Type: -

Backup Bandwidth : -

Bypass Tunnel : No Auto Created : No

Route Pinning : Disabled

Retry Limit : 10 Retry Interval : 2 sec

Reoptimization : Disabled Reoptimization Freq : -

Backup Type : None Backup LSP ID : -

Auto Bandwidth : Disabled Auto Bandwidth Freq : -

Min Bandwidth : - Max Bandwidth : -

Collected Bandwidth : - Service-Class : -

# Execute the display ip routing-table command on Router A. The output shows a static route entry with interface Tunnel 1 as the output interface. (Details not shown.)

Establishing an inter-AS MPLS TE tunnel with RSVP-TE

Network requirements

Router A and Router B are in AS 100. Router C and Router D are in AS 200. AS 100 and AS 200 use OSPF as the IGP.

Establish an EBGP connection between ASBRs Router B and Router C. Redistribute BGP routes into OSPF and OSPF routes into BGP, so that AS 100 and AS 200 can reach each other.

Use RSVP-TE to establish an MPLS TE tunnel from Router A to Router D to transmit data between the two IP networks. The tunnel requires a bandwidth of 2000 kbps. The maximum bandwidth of the link that the tunnel traverses is 10000 kbps, and the maximum reservable bandwidth of the link is 5000 kbps.

Figure 35 Network diagram

Table 4 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
Router A	Loop0	1.1.1.9/32	Router C	Loop0	3.3.3.9/32
	GE2/0/1	10.1.1.1/24		GE2/0/1	30.1.1.1/24
	GE2/0/2	100.1.1.0/24		POS2/2/0	20.1.1.2/24
Router B	Loop0	2.2.2.9/32	Router D	Loop0	4.4.4.9/32
	GE2/0/1	10.1.1.2/24		GE2/0/1	30.1.1.2/24
	POS2/2/0	20.1.1.1/24		GE2/0/2	100.1.2.0/24

Configuration procedure

1. Configure IP addresses and masks for interfaces. (Details not shown.)

2. Configure OSPF to advertise routes within the ASs, and redistribute the direct and BGP routes into OSPF on Router B and Router C:

# Configure Router A.

<RouterA> system-view

[RouterA] ospf

[RouterA-ospf-1] area 0

[RouterA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[RouterA-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[RouterA-ospf-1-area-0.0.0.0] quit

[RouterA-ospf-1] quit

# Configure Router B.

<RouterB> system-view

[RouterB] ospf

[RouterB-ospf-1] import-route direct

[RouterB-ospf-1] import-route bgp

[RouterB-ospf-1] area 0

[RouterB-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[RouterB-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[RouterB-ospf-1-area-0.0.0.0] quit

[RouterB-ospf-1] quit

# Configure Router C.

<RouterC> system-view

[RouterC] ospf

[RouterC-ospf-1] import-route direct

[RouterC-ospf-1] import-route bgp

[RouterC-ospf-1] area 0

[RouterC-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255

[RouterC-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[RouterC-ospf-1-area-0.0.0.0] quit

[RouterC-ospf-1] quit

# Configure Router D.

<RouterD> system-view

[RouterD] ospf

[RouterD-ospf-1] area 0

[RouterD-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255

[RouterD-ospf-1-area-0.0.0.0] network 4.4.4.9 0.0.0.0

[RouterD-ospf-1-area-0.0.0.0] quit

[RouterD-ospf-1] quit

# Verify that the routers have learned the routes to one another, including the routes to the loopback interfaces. This example uses Router A.

[RouterA] display ip routing-table

Destinations : 7 Routes : 7

Destination/Mask Proto Pre Cost NextHop Interfac

1.1.1.9/32 Direct 0 0 127.0.0.1 InLoop0

2.2.2.9/32 O_INTRA 10 1 10.1.1.2 GE2/0/1

10.1.1.0/24 Direct 0 0 10.1.1.1 GE2/0/1

10.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.0/24 Direct 0 0 100.1.1.1 Loop1

100.1.1.0/32 Direct 0 0 100.1.1.1 Loop1

100.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.255/32 Direct 0 0 100.1.1.1 Loop1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

3. Configure BGP on Router B and Router C to ensure that the ASs can communicate with each other:

# Configure Router B.

[RouterB] bgp 100

[RouterB-bgp] peer 20.1.1.2 as-number 200

[RouterB-bgp] address-family ipv4 unicast

[RouterB-bgp-ipv4] peer 20.1.1.2 enable

[RouterB-bgp-ipv4] import-route ospf

[RouterB-bgp-ipv4] import-route direct

[RouterB-bgp-ipv4] quit

[RouterB-bgp] quit

# Configure Router C.

[RouterC] bgp 200

[RouterC-bgp] peer 20.1.1.1 as-number 100

[RouterC-bgp] address-family ipv4 unicast

[RouterC-bgp-ipv4] peer 20.1.1.1 enable

[RouterC-bgp-ipv4] import-route ospf

[RouterC-bgp-ipv4] import-route direct

[RouterC-bgp-ipv4] quit

[RouterC-bgp] quit

# Verify that the routers have learned the AS-external routes. This example uses Router A.

[RouterA] display ip routing-table

Destinations : 11 Routes : 11

Destination/Mask Proto Pre Cost NextHop Interface

1.1.1.9/32 Direct 0 0 127.0.0.1 InLoop0

2.2.2.9/32 O_INTRA 10 1 10.1.1.2 GE2/0/1

3.3.3.9/32 O_ASE 150 1 10.1.1.2 GE2/0/1

4.4.4.9/32 O_ASE 150 1 10.1.1.2 GE2/0/1

10.1.1.0/24 Direct 0 0 10.1.1.1 GE2/0/1

10.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.0/24 Direct 0 0 100.1.1.1 Loop1

100.1.1.0/32 Direct 0 0 100.1.1.1 Loop1

100.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.255/32 Direct 0 0 100.1.1.1 Loop1

20.1.1.0/24 O_ASE 150 1 10.1.1.2 GE2/0/1

30.1.1.0/24 O_ASE 150 1 10.1.1.2 GE2/0/1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

4. Configure an LSR ID, and enable MPLS, MPLS TE, and RSVP-TE:

# Configure Router A.

[RouterA] mpls lsr-id 1.1.1.9

[RouterA] mpls te

[RouterA-te] quit

[RouterA] rsvp

[RouterA-rsvp] quit

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] mpls enable

[RouterA-GigabitEthernet2/0/1] mpls te enable

[RouterA-GigabitEthernet2/0/1] rsvp enable

[RouterA-GigabitEthernet2/0/1] quit

# Configure Router B.

[RouterB] mpls lsr-id 2.2.2.9

[RouterB] mpls te

[RouterB-te] quit

[RouterB] rsvp

[RouterB-rsvp] quit

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] mpls enable

[RouterB-GigabitEthernet2/0/1] mpls te enable

[RouterB-GigabitEthernet2/0/1] rsvp enable

[RouterB-GigabitEthernet2/0/1] quit

[RouterB] interface pos 2/2/0

[RouterB-POS2/2/0] mpls enable

[RouterB-POS2/2/0] mpls te enable

[RouterB-POS2/2/0] rsvp enable

[RouterB-POS2/2/0] quit

# Configure Router C.

[RouterC] mpls lsr-id 3.3.3.9

[RouterC] mpls te

[RouterC-te] quit

[RouterC] rsvp

[RouterC-rsvp] quit

[RouterC] interface gigabitethernet 2/0/1

[RouterC-GigabitEthernet2/0/1] mpls enable

[RouterC-GigabitEthernet2/0/1] mpls te enable

[RouterC-GigabitEthernet2/0/1] rsvp enable

[RouterC-GigabitEthernet2/0/1] quit

[RouterC] interface pos 2/2/0

[RouterC-POS2/2/0] mpls enable

[RouterC-POS2/2/0] mpls te enable

[RouterC-POS2/2/0] rsvp enable

[RouterC-POS2/2/0] quit

# Configure Router D.

[RouterD] mpls lsr-id 4.4.4.9

[RouterD] mpls te

[RouterD-te] quit

[RouterD] rsvp

[RouterD-rsvp] quit

[RouterD] interface gigabitethernet 2/0/1

[RouterD-GigabitEthernet2/0/1] mpls enable

[RouterD-GigabitEthernet2/0/1] mpls te enable

[RouterD-GigabitEthernet2/0/1] rsvp enable

[RouterD-GigabitEthernet2/0/1] quit

5. Configure OSPF TE:

# Configure Router A.

[RouterA] ospf

[RouterA-ospf-1] opaque-capability enable

[RouterA-ospf-1] area 0

[RouterA-ospf-1-area-0.0.0.0] mpls te enable

[RouterA-ospf-1-area-0.0.0.0] quit

[RouterA-ospf-1] quit

# Configure Router B.

[RouterB] ospf

[RouterB-ospf-1] opaque-capability enable

[RouterB-ospf-1] area 0

[RouterB-ospf-1-area-0.0.0.0] mpls te enable

[RouterB-ospf-1-area-0.0.0.0] quit

[RouterB-ospf-1] quit

# Configure Router C.

[RouterC] ospf

[RouterC-ospf-1] opaque-capability enable

[RouterC-ospf-1] area 0

[RouterC-ospf-1-area-0.0.0.0] mpls te enable

[RouterC-ospf-1-area-0.0.0.0] quit

[RouterC-ospf-1] quit

# Configure Router D.

[RouterD] ospf

[RouterD-ospf-1] opaque-capability enable

[RouterD-ospf-1] area 0

[RouterD-ospf-1-area-0.0.0.0] mpls te enable

[RouterD-ospf-1-area-0.0.0.0] quit

[RouterD-ospf-1] quit

6. Configure an explicit path on Router A. Specify Router B and Router D as loose nodes, and Router C as a strict node.

[RouterA] explicit-path atod

[RouterA-explicit-path-atod] nexthop 10.1.1.2 include loose

[RouterA-explicit-path-atod] nexthop 20.1.1.2 include strict

[RouterA-explicit-path-atod] nexthop 30.1.1.2 include loose

[RouterA-explicit-path-atod] quit

7. Configure MPLS TE attributes of links:

# Set the maximum link bandwidth and maximum reservable bandwidth on Router A.

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] mpls te max-link-bandwidth 10000

[RouterA-GigabitEthernet2/0/1] mpls te max-reservable-bandwidth 5000

[RouterA-GigabitEthernet2/0/1] quit

# Set the maximum link bandwidth and maximum reservable bandwidth on Router B.

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] mpls te max-link-bandwidth 10000

[RouterB-GigabitEthernet2/0/1] mpls te max-reservable-bandwidth 5000

[RouterB-GigabitEthernet2/0/1] quit

[RouterB] interface pos 2/2/0

[RouterB-POS2/2/0] mpls te max-link-bandwidth 10000

[RouterB-POS2/2/0] mpls te max-reservable-bandwidth 5000

[RouterB-POS2/2/0] quit

# Set the maximum link bandwidth and maximum reservable bandwidth on Router C.

[RouterC] interface gigabitethernet 2/0/1

[RouterC-GigabitEthernet2/0/1] mpls te max-link-bandwidth 10000

[RouterC-GigabitEthernet2/0/1] mpls te max-reservable-bandwidth 5000

[RouterC-GigabitEthernet2/0/1] quit

[RouterC] interface pos 2/2/0

[RouterC-POS2/2/0] mpls te max-link-bandwidth 10000

[RouterC-POS2/2/0] mpls te max-reservable-bandwidth 5000

[RouterC-POS2/2/0] quit

# Set the maximum link bandwidth and maximum reservable bandwidth on Router D.

[RouterD] interface gigabitethernet 2/0/1

[RouterD-GigabitEthernet2/0/1] mpls te max-link-bandwidth 10000

[RouterD-GigabitEthernet2/0/1] mpls te max-reservable-bandwidth 5000

[RouterD-GigabitEthernet2/0/1] quit

8. Configure an MPLS TE tunnel on Router A:

# Configure MPLS TE tunnel interface Tunnel 1.

[RouterA] interface tunnel 1 mode mpls-te

[RouterA-Tunnel1] ip address 7.1.1.1 255.255.255.0

# Specify the tunnel destination address as the LSR ID of Router D.

[RouterA-Tunnel1] destination 4.4.4.9

# Configure MPLS TE to use RSVP-TE to establish the tunnel.

[RouterA-Tunnel1] mpls te signaling rsvp-te

# Assign 2000 kbps bandwidth to the tunnel.

[RouterA-Tunnel1] mpls te bandwidth 2000

# Specify the explicit path atod for the tunnel.

[RouterA-Tunnel1] mpls te path preference 5 explicit-path atod

[RouterA-Tunnel1] quit

9. Configure a static route on Router A to direct the traffic destined for subnet 100.1.2.0/24 to MPLS TE tunnel 1.

[RouterA] ip route-static 100.1.2.0 24 tunnel 1 preference 1

Verifying the configuration

# Verify that the tunnel interface is up on Router A.

[RouterA] display interface tunnel 1

Tunnel1

Current state: UP

Line protocol state: UP

Description: Tunnel1 Interface

Bandwidth: 64kbps

Maximum transmission unit: 1496

Internet address: 7.1.1.1/24 (primary)

Tunnel source unknown, destination 4.4.4.9

Tunnel TTL 255

Tunnel protocol/transport CR_LSP

Output queue - Urgent queuing: Size/Length/Discards 0/1024/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last clearing of counters: Never

Last 300 seconds input: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

# Display detailed information about the MPLS TE tunnel on Router A.

[RouterA] display mpls te tunnel-interface

Tunnel Name : Tunnel 1

Tunnel State : Up (Main CRLSP up, Shared-resource CRLSP down)

Tunnel Attributes :

LSP ID : 23549 Tunnel ID : 1

Admin State : Normal

Ingress LSR ID : 1.1.1.9 Egress LSR ID : 4.4.4.9

Signaling : RSVP-TE Static CRLSP Name : -

Static SRLSP Name : -/-

Resv Style : SE

Tunnel mode : -

Reverse-LSP name : -

Reverse-LSP LSR ID : - Reverse-LSP Tunnel ID: -

Class Type : CT0 Tunnel Bandwidth : 2000 kbps

Reserved Bandwidth : 2000 kbps

Setup Priority : 7 Holding Priority : 7

Affinity Attr/Mask : 0/0

Explicit Path : atod

Backup Explicit Path : -

Metric Type : TE

Record Route : Enabled Record Label : Disabled

FRR Flag : Disabled Bandwidth Protection : Disabled

Backup Bandwidth Flag: Disabled Backup Bandwidth Type: -

Backup Bandwidth : -

Bypass Tunnel : No Auto Created : No

Route Pinning : Disabled

Retry Limit : 3 Retry Interval : 2 sec

Reoptimization : Disabled Reoptimization Freq : -

Backup Type : None Backup LSP ID : -

Auto Bandwidth : Disabled Auto Bandwidth Freq : -

Min Bandwidth : - Max Bandwidth : -

Collected Bandwidth : - Service-Class : -

# Verify that Router A has a static route entry with interface Tunnel 1 as the output interface.

[RouterA] display ip routing-table

Destinations : 14 Routes : 14

Destination/Mask Proto Pre Cost NextHop Interface

1.1.1.9/32 Direct 0 0 127.0.0.1 InLoop0

2.2.2.9/32 O_INTRA 10 1 10.1.1.2 GE2/0/1

3.3.3.9/32 O_ASE 150 1 10.1.1.2 GE2/0/1

4.4.4.9/32 O_ASE 150 1 10.1.1.2 GE2/0/1

7.1.1.0/24 Direct 0 0 7.1.1.1 Tun1

7.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.0/24 Direct 0 0 10.1.1.1 GE2/0/1

10.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

20.1.1.0/24 O_ASE 150 1 10.1.1.2 GE2/0/1

100.1.1.0/24 Direct 0 0 100.1.1.1 Loop1

100.1.1.0/32 Direct 0 0 100.1.1.1 Loop1

100.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.255/32 Direct 0 0 100.1.1.1 Loop1

100.1.2.0/24 Static 1 0 0.0.0.0 Tun1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

Establishing an inter-area MPLS TE tunnel over a CRLSP calculated by PCEs

Network requirements

Router A, Router B, Router C, and Router D support MPLS TE and run OSPF.

Configure Router A and Router B as PCEs, and configure Router C as a PCC to automatically discover the PCEs.

Establish an MPLS TE tunnel over a CRLSP from Router C to Router D that uses the inter-area path calculated by PCEs.

Figure 36 Network diagram

Configuration procedure

1. Configure IP addresses and masks for interfaces. (Details not shown.)

2. Configure LSR IDs and enable MPLS, MPLS TE, and RSVP-TE:

# Configure Router A.

[RouterA] mpls lsr-id 1.1.1.1

[RouterA] mpls te

[RouterA-te] quit

[RouterA] rsvp

[RouterA-rsvp] quit

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] mpls enable

[RouterA-GigabitEthernet2/0/1] mpls te enable

[RouterA-GigabitEthernet2/0/1] rsvp enable

[RouterA-GigabitEthernet2/0/1] quit

[RouterA] interface gigabitethernet 2/0/2

[RouterA-GigabitEthernet2/0/2] mpls enable

[RouterA-GigabitEthernet2/0/2] mpls te enable

[RouterA-GigabitEthernet2/0/2] rsvp enable

[RouterA-GigabitEthernet2/0/2] quit

# Configure Router B.

[RouterB] mpls lsr-id 2.2.2.2

[RouterB] mpls te

[RouterB-te] quit

[RouterB] rsvp

[RouterB-rsvp] quit

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] mpls enable

[RouterB-GigabitEthernet2/0/1] mpls te enable

[RouterB-GigabitEthernet2/0/1] rsvp enable

[RouterB-GigabitEthernet2/0/1] quit

[RouterB] interface gigabitethernet 2/0/2

[RouterB-GigabitEthernet2/0/2] mpls enable

[RouterB-GigabitEthernet2/0/2] mpls te enable

[RouterB-GigabitEthernet2/0/2] rsvp enable

[RouterB-GigabitEthernet2/0/2] quit

# Configure Router C.

[RouterC] mpls lsr-id 3.3.3.3

[RouterC] mpls te

[RouterC-te] quit

[RouterC] rsvp

[RouterC-rsvp] quit

[RouterC] interface gigabitethernet 2/0/1

[RouterC-GigabitEthernet2/0/1] mpls enable

[RouterC-GigabitEthernet2/0/1] mpls te enable

[RouterC-GigabitEthernet2/0/1] rsvp enable

[RouterC-GigabitEthernet2/0/1] quit

# Configure Router D.

[RouterD] mpls lsr-id 4.4.4.4

[RouterD] mpls te

[RouterD-te] quit

[RouterD] rsvp

[RouterD-rsvp] quit

[RouterD] interface gigabitethernet 2/0/1

[RouterD-GigabitEthernet2/0/1] mpls enable

[RouterD-GigabitEthernet2/0/1] mpls te enable

[RouterD-GigabitEthernet2/0/1] rsvp enable

[RouterD-GigabitEthernet2/0/1] quit

3. Configure OSPF to advertise interface addresses and configure OSPF TE:

# Configure Router A.

<RouterA> system-view

[RouterA] ospf

[RouterA-ospf-1] area 0

[RouterA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[RouterA-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0

[RouterA-ospf-1-area-0.0.0.0] mpls te enable

[RouterA-ospf-1-area-0.0.0.0] quit

[RouterA-ospf-1] area 1

[RouterA-ospf-1-area-0.0.0.1] network 10.3.1.0 0.0.0.255

[RouterA-ospf-1-area-0.0.0.1] mpls te enable

[RouterA-ospf-1-area-0.0.0.1] quit

[RouterA-ospf-1] quit

# Configure Router B.

<RouterB> system-view

[RouterB] ospf

[RouterB-ospf-1] area 0

[RouterB-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[RouterB-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0

[RouterB-ospf-1-area-0.0.0.0] mpls te enable

[RouterB-ospf-1-area-0.0.0.0] quit

[RouterB-ospf-1] area 2

[RouterB-ospf-1-area-0.0.0.2] network 10.3.2.0 0.0.0.255

[RouterB-ospf-1-area-0.0.0.2] mpls te enable

[RouterB-ospf-1-area-0.0.0.2] quit

[RouterB-ospf-1] quit

# Configure Router C.

<RouterC> system-view

[RouterC] ospf

[RouterC-ospf-1] area 1

[RouterC-ospf-1-area-0.0.0.1] network 10.3.1.0 0.0.0.255

[RouterC-ospf-1-area-0.0.0.1] network 3.3.3.3 0.0.0.0

[RouterC-ospf-1-area-0.0.0.1] mpls te enable

[RouterC-ospf-1-area-0.0.0.1] quit

[RouterC-ospf-1] quit

# Configure Router D.

<RouterD> system-view

[RouterD] ospf

[RouterD-ospf-1] area 2

[RouterD-ospf-1-area-0.0.0.2] network 10.3.2.0 0.0.0.255

[RouterD-ospf-1-area-0.0.0.2] network 4.4.4.4 0.0.0.0

[RouterD-ospf-1-area-0.0.0.2] mpls te enable

[RouterD-ospf-1-area-0.0.0.2] quit

[RouterD-ospf-1] quit

4. Configure Router A and Router B as PCEs:

# Configure Router A.

[RouterA] mpls te

[RouterA-te] pce address 1.1.1.1

# Configure Router B.

[RouterB] mpls te

[RouterB-te] pce address 2.2.2.2

5. Configure Router C as a PCC to use the path calculated by PCEs:

# Configure MPLS TE tunnel interface Tunnel 1.

[RouterC] interface tunnel 1 mode mpls-te

[RouterC-Tunnel1] ip address 7.1.1.1 255.255.255.0

# Specify the tunnel destination address as the LSR ID of Router D.

[RouterC-Tunnel1] destination 4.4.4.4

# Configure MPLS TE to use RSVP-TE to establish the tunnel.

[RouterC-Tunnel1] mpls te signaling rsvp-te

# Configure the tunnel to use the path calculated by PCEs.

[RouterC-Tunnel1] mpls te path preference 2 dynamic pce 1.1.1.1 2.2.2.2

[RouterC-Tunnel1] quit

Verifying the configuration

# Display discovered PCE information on each router. This example uses Router A.

[RouterA] display mpls te pce discovery verbose

PCE address: 2.2.2.2

Discovery methods: OSPF

Path scopes:

Path scope Preference

Compute intra-area paths 7

Act as PCE for inter-area TE LSP computation 6

Act as a default PCE for inter-area TE LSP computation 6

Capabilities:

Bidirectional path computation

Support for request prioritization

Support for multiple requests per message

Domains:

OSPF 1 area 0.0.0.0

OSPF 1 area 0.0.0.2

# Verify that PCEP sessions have been established on each router. This example uses Router A.

[RouterA] display mpls te pce peer verbose

Peer address: 2.2.2.2

TCP connection : 1.1.1.1:29507 -> 2.2.2.2:4189

Peer type : PCE

Session type : Stateless

Session state : UP

Mastership : Normal

Role : Active

Session up time : 0000 days 00 hours 00 minutes

Session ID : Local 0, Peer 0

Keepalive interval : Local 30 sec, Peer 30 sec

Recommended DeadTimer : Local 120 sec, Peer 120 sec

Tolerance:

Min keepalive interval: 10 sec

Max unknown messages : 5

Request timeout : 10 sec

Peer address: 3.3.3.3

TCP connection : 3.3.3.3:29507 -> 1.1.1.1:4189

Peer type : PCC

Session type : Stateless

Session state : UP

Mastership : Normal

Role : Passive

Session up time : 0000 days 00 hours 00 minutes

Session ID : Local 2, Peer 0

Keepalive interval : Local 30 sec, Peer 30 sec

Recommended DeadTimer : Local 120 sec, Peer 120 sec

Tolerance:

Min keepalive interval: 10 sec

Max unknown messages : 5

Request timeout : 10 sec

Bidirectional MPLS TE tunnel configuration example

Network requirements

Router A, Router B, Router C, and Router D all run IS-IS and they are all level-2 routers.

Use RSVP-TE to establish a bidirectional MPLS TE tunnel between Router A and Router D.

Figure 37 Network diagram

Table 5 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
Router A	Loop0	1.1.1.9/32	Router C	Loop0	3.3.3.9/32
	GE2/0/1	10.1.1.1/24		GE2/0/1	30.1.1.1/24
	GE2/0/2	100.1.1.1/24		POS2/2/0	20.1.1.2/24
Router B	Loop0	2.2.2.9/32	Router D	Loop0	4.4.4.9/32
	GE2/0/1	10.1.1.2/24		GE2/0/1	30.1.1.2/24
	POS2/2/0	20.1.1.1/24		GE2/0/2	100.1.2.1/24

Configuration procedure

1. Configure IP addresses and masks for interfaces. (Details not shown.)

2. Configure IS-IS to advertise interface addresses, including the loopback interface address:

For more information, see "Establishing an MPLS TE tunnel with RSVP-TE."

3. Configure an LSR ID, and enable MPLS, MPLS TE, and RSVP-TE on each router. Configure Router A and Router D to assign a non-null label to the penultimate hop:

# Configure Router A.

<RouterA> system-view

[RouterA] mpls lsr-id 1.1.1.9

[RouterA] mpls label advertise non-null

[RouterA] mpls te

[RouterA-te] quit

[RouterA] rsvp

[RouterA-rsvp] quit

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] mpls enable

[RouterA-GigabitEthernet2/0/1] mpls te enable

[RouterA-GigabitEthernet2/0/1] rsvp enable

[RouterA-GigabitEthernet2/0/1] quit

# Configure Router B.

<RouterB> system-view

[RouterB] mpls lsr-id 2.2.2.9

[RouterB] mpls te

[RouterB-te] quit

[RouterB] rsvp

[RouterB-rsvp] quit

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] mpls enable

[RouterB-GigabitEthernet2/0/1] mpls te enable

[RouterB-GigabitEthernet2/0/1] rsvp enable

[RouterB-GigabitEthernet2/0/1] quit

[RouterB] interface pos 2/2/0

[RouterB-POS2/2/0] mpls enable

[RouterB-POS2/2/0] mpls te enable

[RouterB-POS2/2/0] rsvp enable

[RouterB-POS2/2/0] quit

# Configure Router C.

<RouterC> system-view

[RouterC] mpls lsr-id 3.3.3.9

[RouterC] mpls te

[RouterC-te] quit

[RouterC-] rsvp

[RouterC-rsvp] quit

[RouterC] interface gigabitethernet 2/0/1

[RouterC-GigabitEthernet2/0/1] mpls enable

[RouterC-GigabitEthernet2/0/1] mpls te enable

[RouterC-GigabitEthernet2/0/1] rsvp enable

[RouterC-GigabitEthernet2/0/1] quit

[RouterC] interface pos 2/2/0

[RouterC-POS2/2/0] mpls enable

[RouterC-POS2/2/0] mpls te enable

[RouterC-POS2/2/0] rsvp enable

[RouterC-POS2/2/0] quit

# Configure Router D.

<RouterD> system-view

[RouterD] mpls lsr-id 4.4.4.9

[RouterD] mpls label advertise non-null

[RouterD] mpls te

[RouterD-te] quit

[RouterD] rsvp

[RouterD-rsvp] quit

[RouterD] interface gigabitethernet 2/0/1

[RouterD-GigabitEthernet2/0/1] mpls enable

[RouterD-GigabitEthernet2/0/1] mpls te enable

[RouterD-GigabitEthernet2/0/1] rsvp enable

[RouterD-GigabitEthernet2/0/1] quit

4. Configure IS-IS TE:

# Configure Router A.

[RouterA] isis 1

[RouterA-isis-1] cost-style wide

[RouterA-isis-1] mpls te enable level-2

[RouterA-isis-1] quit

# Configure Router B.

[RouterB] isis 1

[RouterB-isis-1] cost-style wide

[RouterB-isis-1] mpls te enable level-2

[RouterB-isis-1] quit

# Configure Router C.

[RouterC] isis 1

[RouterC-isis-1] cost-style wide

[RouterC-isis-1] mpls te enable level-2

[RouterC-isis-1] quit

# Configure Router D.

[RouterD] isis 1

[RouterD-isis-1] cost-style wide

[RouterD-isis-1] mpls te enable level-2

[RouterD-isis-1] quit

5. Configure a co-routed bidirectional MPLS TE tunnel:

# Configure Router A as the active end of the co-routed bidirectional tunnel.

[RouterA] interface tunnel 1 mode mpls-te

[RouterA-Tunnel1] ip address 7.1.1.1 255.255.255.0

[RouterA-Tunnel1] destination 4.4.4.9

[RouterA-Tunnel1] mpls te signaling rsvp-te

[RouterA-Tunnel1] mpls te resv-style ff

[RouterA-Tunnel1] mpls te bidirectional co-routed active

[RouterA-Tunnel1] quit

# Configure Router D as the passive end of the co-routed bidirectional tunnel.

[RouterD] interface tunnel 4 mode mpls-te

[RouterD-Tunnel4] ip address 8.1.1.1 255.255.255.0

[RouterD-Tunnel4] destination 1.1.1.9

[RouterD-Tunnel4] mpls te signaling rsvp-te

[RouterD-Tunnel4] mpls te resv-style ff

[RouterD-Tunnel4] mpls te bidirectional co-routed passive reverse-lsp lsr-id 1.1.1.9 tunnel-id 1

[RouterD-Tunnel4] quit

6. Create static routes to direct the traffic to the MPLS TE tunnels:

# Create a static route on Router A to direct traffic destined for 100.1.2.0/24 to MPLS TE tunnel 1.

[RouterA] ip route-static 100.1.2.0 24 tunnel 1 preference 1

# Create a static route on Router D to direct traffic destined for 100.1.1.0/24 to MPLS TE tunnel 4.

[RouterD] ip route-static 100.1.1.0 24 tunnel 4 preference 1

Verifying the configuration

# Verify that the tunnel interface is up on Router A.

[RouterA] display interface tunnel

Tunnel1

Current state: UP

Line protocol state: UP

Description: Tunnel1 Interface

Bandwidth: 64kbps

Maximum transmission unit: 1496

Internet address: 7.1.1.1/24 (primary)

Tunnel source unknown, destination 4.4.4.9

Tunnel TTL 255

Tunnel protocol/transport CR_LSP

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

# Display detailed information about the MPLS TE tunnel on Router A.

[RouterA] display mpls te tunnel-interface

Tunnel Name : Tunnel 1

Tunnel State : Up (Main CRLSP up, Reverse CRLSP up)

Tunnel Attributes :

LSP ID : 30478 Tunnel ID : 1

Admin State : Normal

Ingress LSR ID : 1.1.1.9 Egress LSR ID : 4.4.4.9

Signaling : RSVP-TE Static CRLSP Name : -

Static SRLSP Name : -/-

Resv Style : FF

Tunnel mode : Co-routed, active

Reverse-LSP name : -

Reverse-LSP LSR ID : - Reverse-LSP Tunnel ID: -

Class Type : CT0 Tunnel Bandwidth : 0 kbps

Reserved Bandwidth : 0 kbps

Setup Priority : 7 Holding Priority : 7

Affinity Attr/Mask : 0/0

Explicit Path : -

Backup Explicit Path : -

Metric Type : TE

Record Route : Disabled Record Label : Disabled

FRR Flag : Disabled Bandwidth Protection : Disabled

Backup Bandwidth Flag: Disabled Backup Bandwidth Type: -

Backup Bandwidth : -

Bypass Tunnel : No Auto Created : No

Route Pinning : Disabled

Retry Limit : 3 Retry Interval : 2 sec

Reoptimization : Disabled Reoptimization Freq : -

Backup Type : None Backup LSP ID : -

Auto Bandwidth : Disabled Auto Bandwidth Freq : -

Min Bandwidth : - Max Bandwidth : -

Collected Bandwidth : - Service-Class : -

# Display detailed information about the bidirectional MPLS TE tunnel on Router A.

[RouterA] display mpls lsp verbose

Destination : 4.4.4.9

FEC : 1.1.1.9/1/30478

Protocol : RSVP

LSR Type : Ingress

Service : -

NHLFE ID : 1027

State : Active

Out-Label : 1149

Nexthop : 10.1.1.2

Out-Interface: GE2/0/1

Destination : 4.4.4.9

FEC : 1.1.1.9/1/30478

Protocol : RSVP

LSR Type : Egress

Service : -

In-Label : 1151

State : Active

Nexthop : 127.0.0.1

Out-Interface: -

Destination : 10.1.1.2

FEC : 10.1.1.2

Protocol : Local

LSR Type : Ingress

Service : -

NHLFE ID : 1026

State : Active

Nexthop : 10.1.1.2

Out-Interface: GE2/0/1

Destination : 4.4.4.9

FEC : Tunnel1

Protocol : Local

LSR Type : Ingress

Service : -

NHLFE ID : 268435457

State : Active

Out-Interface: NHLFE74

# Verify that the tunnel interface is up on Router D.

[RouterD] display interface tunnel

Tunnel4

Current state: UP

Line protocol state: UP

Description: Tunnel4 Interface

Bandwidth: 64kbps

Maximum transmission unit: 1496

Internet address: 8.1.1.1/24 (primary)

Tunnel source unknown, destination 1.1.1.9

Tunnel TTL 255

Tunnel protocol/transport CR_LSP

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

# Display detailed information about the MPLS TE tunnel on Router D.

[RouterD] display mpls te tunnel-interface

Tunnel Name : Tunnel 4

Tunnel State : Up (Main CRLSP up, Reverse CRLSP up)

Tunnel Attributes :

LSP ID : - Tunnel ID : 8

Admin State : Normal

Ingress LSR ID : - Egress LSR ID : -

Signaling : RSVP-TE Static CRLSP Name : -

Static SRLSP Name : -/-

Resv Style : FF

Tunnel mode : Co-routed, passive

Reverse-LSP name : -

Reverse-LSP LSR ID : 1.1.1.9 Reverse-LSP Tunnel ID: 1

Class Type : - Tunnel Bandwidth : -

Reserved Bandwidth : -

Setup Priority : - Holding Priority : -

Affinity Attr/Mask : -/-

Explicit Path : -

Backup Explicit Path : -

Metric Type : -

Record Route : - Record Label : -

FRR Flag : - Bandwidth Protection : -

Backup Bandwidth Flag: - Backup Bandwidth Type: -

Backup Bandwidth : -

Bypass Tunnel : - Auto Created : -

Route Pinning : -

Retry Limit : - Retry Interval : -

Reoptimization : - Reoptimization Freq : -

Backup Type : - Backup LSP ID : -

Auto Bandwidth : - Auto Bandwidth Freq : -

Min Bandwidth : - Max Bandwidth : -

Collected Bandwidth : - Service-Class : -

# Display detailed information about the bidirectional MPLS TE tunnel on Router D.

[RouterD] display mpls lsp verbose

Destination : 4.4.4.9

FEC : 1.1.1.9/1/30478

Protocol : RSVP

LSR Type : Egress

Service : -

In-Label : 3

State : Active

Nexthop : 127.0.0.1

Out-Interface: -

Destination : 4.4.4.9

FEC : 1.1.1.9/1/30478

Protocol : RSVP

LSR Type : Ingress

Service : -

NHLFE ID : 1025

State : Active

Out-Label : 1150

Nexthop : 30.1.1.1

Out-Interface: GE2/0/1

Destination : 30.1.1.1

FEC : 30.1.1.1

Protocol : Local

LSR Type : Ingress

Service : -

NHLFE ID : 1024

State : Active

Nexthop : 30.1.1.1

Out-Interface: GE2/0/1

Destination : 4.4.4.9

FEC : Tunnel1

Protocol : Local

LSR Type : Ingress

Service : -

NHLFE ID : 268435457

State : Active

Out-Interface: NHLFE74

CRLSP backup configuration example

Network requirements

Router A, Router B, Router C, and Router D run IS-IS and IS-IS TE.

Use RSVP-TE to establish an MPLS TE tunnel from Router A to Router C to transmit data between the two IP networks. Enable CRLSP hot backup for the tunnel to simultaneously establish a primary CRLSP and a backup CRLSP. When the primary CRLSP fails, traffic is switched to the backup CRLSP.

Figure 38 Network diagram

Table 6 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
Router A	Loop0	1.1.1.9/32	Router D	Loop0	4.4.4.9/32
	GE2/0/1	10.1.1.1/24		POS2/2/0	30.1.1.2/24
	GE2/0/2	100.1.1.1/24		POS2/2/1	40.1.1.1/24
	POS2/2/1	30.1.1.1/24	Router C	Loop0	3.3.3.9/32
Router B	Loop0	2.2.2.9/32		GE2/0/1	20.1.1.2/24
	GE2/0/1	10.1.1.2/24		GE2/0/2	100.1.2.1/24
	GE2/0/2	20.1.1.1/24		POS2/2/1	40.1.1.2/24

Configuration procedure

1. Configure IP addresses and masks for interfaces. (Details not shown.)

2. Configure IS-IS to advertise interface addresses, including the loopback interface address, and configure IS-IS TE. (Details not shown.)

3. Configure an LSR ID, and enable MPLS, MPLS TE, and RSVP-TE:

# Configure Router A.

<RouterA> system-view

[RouterA] mpls lsr-id 1.1.1.9

[RouterA] mpls te

[RouterA-te] quit

[RouterA] rsvp

[RouterA-rsvp] quit

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] mpls enable

[RouterA-GigabitEthernet2/0/1] mpls te enable

[RouterA-GigabitEthernet2/0/1] rsvp enable

[RouterA-GigabitEthernet2/0/1] quit

[RouterA] interface pos 2/2/1

[RouterA-POS2/2/1] mpls enable

[RouterA-POS2/2/1] mpls te enable

[RouterA-POS2/2/1] rsvp enable

[RouterA-POS2/2/1] quit

# Configure Router B, Router C, and Router D in the same way that Router A is configured. (Details not shown.)

4. Configure an MPLS TE tunnel on Router A:

# Configure MPLS TE tunnel interface Tunnel 3.

[RouterA] interface tunnel 3 mode mpls-te

[RouterA-Tunnel3] ip address 9.1.1.1 255.255.255.0

# Specify the tunnel destination address as the LSR ID of Router C.

[RouterA-Tunnel3] destination 3.3.3.9

# Configure MPLS TE to use RSVP-TE to establish the tunnel.

[RouterA-Tunnel3] mpls te signaling rsvp-te

# Enable CRLSP hot backup for the tunnel.

[RouterA-Tunnel3] mpls te backup hot-standby

[RouterA-Tunnel3] quit

5. Configure a static route on Router A to direct the traffic destined for subnet 100.1.2.0/24 to MPLS TE tunnel 3.

[RouterA] ip route-static 100.1.2.0 24 tunnel 3 preference 1

Verifying the configuration

# Verify that the tunnel interface Tunnel 3 is up on Router A.

[RouterA] display interface tunnel

Tunnel3

Current state: UP

Line protocol state: UP

Description: Tunnel3 Interface

Bandwidth: 64kbps

Maximum transmission unit: 1496

Internet address: 9.1.1.1/24 (primary)

Tunnel source unknown, destination 3.3.3.9

Tunnel TTL 255

Tunnel protocol/transport CR_LSP

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

# Verify that two CRLSPs exist on Router A, one with the output interface GigabitEthernet 2/0/1 and the other with the output interface POS 2/2/1.

[RouterA] display mpls lsp

FEC Proto In/Out Label Interface/Out NHLFE

1.1.1.9/3/34311 RSVP -/1150 GE2/0/1

1.1.1.9/3/34312 RSVP -/1151 POS2/2/1

10.1.1.2 Local -/- GE2/0/1

30.1.1.2 Local -/- POS2/2/1

Tunnel3 Local -/- NHLFE1026

Backup -/- NHLFE1028

# Display the paths used by the two CRLSPs on Router A.

[RouterA] display rsvp lsp verbose

Tunnel name: RouterA_t1

Destination: 3.3.3.9 Source: 1.1.1.9

Tunnel ID: 3 LSP ID: 30106

LSR type: Ingress Direction: Unidirectional

Setup priority: 7 Holding priority: 7

In-Label: - Out-Label: 1137

In-Interface: - Out-Interface: GE2/0/1

Nexthop: 10.1.1.2 Exclude-any: 0

Include-Any: 0 Include-all: 0

Mean rate (CIR): 0 kbps Mean burst size (CBS): 1000.00 bytes

Path MTU: 1500 Class type: CT0

RRO number: 6

10.1.1.1/32 Flag: 0x00 (No FRR)

10.1.1.2/32 Flag: 0x00 (No FRR/In-Int)

2.2.2.9/32 Flag: 0x20 (No FRR/Node-ID)

20.1.1.1/32 Flag: 0x00 (No FRR)

20.1.1.2/32 Flag: 0x00 (No FRR/In-Int)

3.3.3.9/32 Flag: 0x20 (No FRR/Node-ID)

Fast Reroute protection: None

Tunnel name: Tunnel3

Destination: 3.3.3.9 Source: 1.1.1.9

Tunnel ID: 3 LSP ID: 30107

LSR type: Ingress Direction: Unidirectional

Setup priority: 7 Holding priority: 7

In-Label: - Out-Label: 1150

In-Interface: - Out-Interface: GE2/0/4

Nexthop: 30.1.1.2 Exclude-any: 0

Include-Any: 0 Include-all: 0

Mean rate (CIR): 0 kbps Mean burst size (CBS): 1000.00 bytes

Path MTU: 1500 Class type: CT0

RRO number: 6

30.1.1.1/32 Flag: 0x00 (No FRR)

30.1.1.2/32 Flag: 0x00 (No FRR/In-Int)

4.4.4.9/32 Flag: 0x20 (No FRR/Node-ID)

40.1.1.1/32 Flag: 0x00 (No FRR)

40.1.1.2/32 Flag: 0x00 (No FRR/In-Int)

3.3.3.9/32 Flag: 0x20 (No FRR/Node-ID)

Fast Reroute protection: None

# Trace the path that MPLS TE tunnel 3 traverses. The output shows that the used CRLSP is the one that traverses Router B.

[RouterA] tracert mpls te tunnel 3

MPLS trace route TE tunnel Tunnel3

TTL Replier Time Type Downstream

0 Ingress 10.1.1.2/[1147]

1 10.1.1.2 1 ms Transit 20.1.1.2/[3]

2 20.1.1.2 2 ms Egress

# Shut down interface GigabitEthernet 2/0/2 on Router B, and then tracert tunnel 3. The output shows that packets are forwarded on the CRLSP that traverses Router D.

[RouterA] tracert mpls te tunnel 3

MPLS trace route TE tunnel Tunnel3

TTL Replier Time Type Downstream

0 Ingress 30.1.1.2/[1148]

1 30.1.1.2 2 ms Transit 40.1.1.2/[3]

2 40.1.1.2 3 ms Egress

# Verify that only one CRLSP exists on Router A.

[RouterA] display mpls lsp

FEC Proto In/Out Label Interface/Out NHLFE

1.1.1.9/3/34313 RSVP -/1150 POS2/2/1

30.1.1.2 Local -/- POS2/2/1

Tunnel3 Local -/- NHLFE1029

# Execute the display ip routing-table command on Router A. The output shows a static route entry with interface Tunnel 3 as the output interface. (Details not shown.)

Manual bypass tunnel for FRR configuration example

Network requirements

On the primary CRLSP Router A—Router B—Router C—Router D, use FRR to protect the link Router B—Router C.

Use RSVP-TE to establish the primary CRLSP and bypass tunnel based on the constraints of the explicit paths to transmit data between the two IP networks. The bypass tunnel uses path Router B—Router E—Router C. Router B is the PLR and Router C is the MP.

Configure BFD for RSVP-TE between Router B and Router C. When the link between Router B and Router C fails, BFD can detect the failure quickly and notify RSVP-TE of the failure, so RSVP-TE can switch traffic to the bypass tunnel.

Figure 39 Network diagram

Table 7 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
Router A	Loop0	1.1.1.1/32	Router B	Loop0	2.2.2.2/32
	GE2/0/1	2.1.1.1/24		GE2/0/1	2.1.1.2/24
	GE2/0/2	100.1.1.1/24		GE2/0/2	3.1.1.1/24
Router D	Loop0	4.4.4.4/32		POS2/2/0	3.2.1.1/24
	GE2/0/1	4.1.1.2/24	Router C	Loop0	3.3.3.3/32
	GE2/0/2	100.1.2.1/24		GE2/0/1	4.1.1.1/24
Router E	Loop0	5.5.5.5/32		GE2/0/2	3.1.1.2/24
	POS2/2/0	3.2.1.2/24		POS2/2/0	3.3.1.2/24
	POS2/2/1	3.3.1.1/24

Configuration procedure

1. Configure IP addresses and masks for interfaces. (Details not shown.)

2. Configure IS-IS to advertise interface addresses, including the loopback interface address. (Details not shown.)

3. Configure an LSR ID, and enable MPLS, MPLS TE, and RSVP-TE on each router. Enable BFD for RSVP-TE on Router B and Router C:

# Configure Router A.

<RouterA> system-view

[RouterA] mpls lsr-id 1.1.1.1

[RouterA] mpls te

[RouterA-te] quit

[RouterA] rsvp

[RouterA-rsvp] quit

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] mpls enable

[RouterA-GigabitEthernet2/0/1] mpls te enable

[RouterA-GigabitEthernet2/0/1] rsvp enable

[RouterA-GigabitEthernet2/0/1] quit

# Configure Router B.

<RouterB> system-view

[RouterB] mpls lsr-id 2.2.2.2

[RouterB] mpls te

[RouterB-te] quit

[RouterB] rsvp

[RouterB-rsvp] quit

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] mpls enable

[RouterB-GigabitEthernet2/0/1] mpls te enable

[RouterB-GigabitEthernet2/0/1] rsvp enable

[RouterB-GigabitEthernet2/0/1] quit

[RouterB] interface gigabitethernet 2/0/2

[RouterB-GigabitEthernet2/0/2] mpls enable

[RouterB-GigabitEthernet2/0/2] mpls te enable

[RouterB-GigabitEthernet2/0/2] rsvp enable

[RouterB-GigabitEthernet2/0/2] rsvp bfd enable

[RouterB-GigabitEthernet2/0/2] quit

[RouterB] interface pos 2/2/0

[RouterB-POS2/2/0] mpls enable

[RouterB-POS2/2/0] mpls te enable

[RouterB-POS2/2/0] rsvp enable

[RouterB-POS2/2/0] quit

# Configure Router C in the same way that Router B is configured. Configure Router D and Router E in the same way that Router A is configured. (Details not shown.)

4. Configure an MPLS TE tunnel on Router A, the ingress node of the primary CRLSP:

# Configure an explicit path for the primary CRLSP.

[RouterA] explicit-path pri-path

[RouterA-explicit-path-pri-path] nexthop 2.1.1.2

[RouterA-explicit-path-pri-path] nexthop 3.1.1.2

[RouterA-explicit-path-pri-path] nexthop 4.1.1.2

[RouterA-explicit-path-pri-path] nexthop 4.4.4.4

[RouterA-explicit-path-pri-path] quit

# Create MPLS TE tunnel interface Tunnel 4 for the primary CRLSP.

[RouterA] interface tunnel 4 mode mpls-te

[RouterA-Tunnel4] ip address 10.1.1.1 255.255.255.0

# Specify the tunnel destination address as the LSR ID of Router D.

[RouterA-Tunnel4] destination 4.4.4.4

# Specify the tunnel signaling protocol as RSVP-TE.

[RouterA-Tunnel4] mpls te signaling rsvp-te

# Specify the explicit path as pri-path.

[RouterA-Tunnel4] mpls te path preference 1 explicit-path pri-path

# Enable FRR for the MPLS TE tunnel.

[RouterA-Tunnel4] mpls te fast-reroute

[RouterA-Tunnel4] quit

# Verify that the tunnel interface Tunnel 4 is up on Router A.

[RouterA] display interface tunnel

Tunnel4

Current state: UP

Line protocol state: UP

Description: Tunnel4 Interface

Bandwidth: 64kbps

Maximum transmission unit: 1496

Internet address: 10.1.1.1/24 (primary)

Tunnel source unknown, destination 4.4.4.4

Tunnel TTL 255

Tunnel protocol/transport CR_LSP

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 1911 bytes/sec, 15288 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 1526 packets, 22356852 bytes, 0 drops

# Display detailed information about the MPLS TE tunnel on Router A.

[RouterA] display mpls te tunnel-interface

Tunnel Name : Tunnel 4

Tunnel State : Up (Main CRLSP up, Shared-resource CRLSP down)

Tunnel Attributes :

LSP ID : 48960 Tunnel ID : 4

Admin State : Normal

Ingress LSR ID : 1.1.1.1 Egress LSR ID : 4.4.4.4

Signaling : RSVP-TE Static CRLSP Name : -

Static SRLSP Name : -/-

Resv Style : SE

Tunnel mode : -

Reverse-LSP name : -

Reverse-LSP LSR ID : - Reverse-LSP Tunnel ID: -

Class Type : CT0 Tunnel Bandwidth : 0 kbps

Reserved Bandwidth : 0 kbps

Setup Priority : 7 Holding Priority : 7

Affinity Attr/Mask : 0/0

Explicit Path : pri-path

Backup Explicit Path : -

Metric Type : TE

Record Route : Enabled Record Label : Enabled

FRR Flag : Enabled Bandwidth Protection : Disabled

Backup Bandwidth Flag: Disabled Backup Bandwidth Type: -

Backup Bandwidth : -

Bypass Tunnel : No Auto Created : No

Route Pinning : Disabled

Retry Limit : 3 Retry Interval : 2 sec

Reoptimization : Disabled Reoptimization Freq : -

Backup Type : None Backup LSP ID : -

Auto Bandwidth : Disabled Auto Bandwidth Freq : -

Min Bandwidth : - Max Bandwidth : -

Collected Bandwidth : - Service-Class : -

5. Configure a bypass tunnel on Router B (the PLR):

# Configure an explicit path for the bypass tunnel.

[RouterB] explicit-path by-path

[RouterB-explicit-path-by-path] nexthop 3.2.1.2

[RouterB-explicit-path-by-path] nexthop 3.3.1.2

[RouterB-explicit-path-by-path] nexthop 3.3.3.3

[RouterB-explicit-path-by-path] quit

# Create MPLS TE tunnel interface Tunnel 5 for the bypass tunnel.

[RouterB] interface tunnel 5 mode mpls-te

[RouterB-Tunnel5] ip address 11.1.1.1 255.255.255.0

# Specify the tunnel destination address as LSR ID of Router C.

[RouterB-Tunnel5] destination 3.3.3.3

# Specify the tunnel signaling protocol as RSVP-TE.

[RouterB-Tunnel5] mpls te signaling rsvp-te

# Specify the explicit path to be used as by-path.

[RouterB-Tunnel5] mpls te path preference 1 explicit-path by-path

# Set the bandwidth that the bypass tunnel can protect.

[RouterB-Tunnel5] mpls te backup bandwidth un-limited

[RouterB-Tunnel5] quit

# Bind the bypass tunnel to the protected interface.

[RouterB] interface gigabitethernet 2/0/2

[RouterB-GigabitEthernet2/0/2] mpls te fast-reroute bypass-tunnel tunnel 5

[RouterB-GigabitEthernet2/0/2] quit

# Execute the display interface tunnel command on Router B. The output shows that the tunnel interface Tunnel 5 is up. (Details not shown.)

6. Configure a static route on Router A to direct the traffic destined for subnet 100.1.2.0/24 to MPLS TE tunnel 4.

[RouterA] ip route-static 100.1.2.0 24 tunnel 4 preference 1

Verifying the configuration

# Display LSP entries on each router to verify that Router B and Router C each have two CRLSPs and the bypass tunnel backs up the primary CRLSP.

[RouterA] display mpls lsp

FEC Proto In/Out Label Interface/Out NHLFE

1.1.1.1/4/19126 RSVP -/24122 GE2/0/1

2.1.1.2 Local -/- GE2/0/1

Tunnel4 Local -/- NHLFE53

[RouterB] display mpls lsp

FEC Proto In/Out Label Interface/Out NHLFE

1.1.1.1/4/48960 RSVP 1245/3 GE2/0/2

Backup 1245/3 Tun5

2.2.2.2/5/31857 RSVP -/3 GE2/0/2

3.2.1.2 Local -/- POS2/2/0

3.1.1.2 Local -/- GE2/0/2

Tunnel5 Local -/- NHLFE55

# Shut down the protected interface GigabitEthernet 2/0/2 on the PLR (Router B).

[RouterB] interface gigabitethernet 2/0/2

[RouterB-GigabitEthernet2/0/2] shutdown

[RouterB-GigabitEthernet2/0/2] quit

# Execute the display interface tunnel 4 command on Router A to display information about the primary CRLSP. The output shows that the tunnel interface is still up. (Details not shown.)

# Display detailed information about the tunnel interface on Router A.

[RouterA] display mpls te tunnel-interface

Tunnel Name : Tunnel 4

Tunnel State : Up (Main CRLSP up, Shared-resource CRLSP being set up)

Tunnel Attributes :

LSP ID : 18753 Tunnel ID : 4

Admin State : Normal

Ingress LSR ID : 1.1.1.1 Egress LSR ID : 4.4.4.4

Signaling : RSVP-TE Static CRLSP Name : -

Static SRLSP Name : -/-

Resv Style : SE

Tunnel mode : -

Reverse-LSP name : -

Reverse-LSP LSR ID : - Reverse-LSP Tunnel ID: -

Class Type : CT0 Tunnel Bandwidth : 0 kbps

Reserved Bandwidth : 0 kbps

Setup Priority : 7 Holding Priority : 7

Affinity Attr/Mask : 0/0

Explicit Path : pri-path

Backup Explicit Path : -

Metric Type : TE

Record Route : Enabled Record Label : Enabled

FRR Flag : Enabled Bandwidth Protection : Disabled

Backup Bandwidth Flag: Disabled Backup Bandwidth Type: -

Backup Bandwidth : -

Bypass Tunnel : No Auto Created : No

Route Pinning : Disabled

Retry Limit : 3 Retry Interval : 2 sec

Reoptimization : Disabled Reoptimization Freq : -

Backup Type : None Backup LSP ID : -

Auto Bandwidth : Disabled Auto Bandwidth Freq : -

Min Bandwidth : - Max Bandwidth : -

Collected Bandwidth : - Service-Class : -

NOTE:

If you execute the display mpls te tunnel-interface command immediately after an FRR, you can see two CRLSPs in up state. This is because FRR uses the make-before-break mechanism to set up a new LSP, and the old LSP is deleted after the new one has been established for a while.

# Verify that the bypass tunnel is in use on Router B.

[RouterB] display mpls lsp

FEC Proto In/Out Label Interface/Out NHLFE

1.1.1.1/4/18753 RSVP 1122/3 Tun5

2.2.2.2/5/40312 RSVP -/1150 GE2/0/4

3.2.1.2 Local -/- GE2/0/4

Tunnel5 Local -/- NHLFE55

# On the PLR, set the interval for selecting an optimal bypass tunnel to 5 seconds.

[RouterB] mpls te

[RouterB-te] fast-reroute timer 5

[RouterB-te] quit

# On the PLR, bring up the protected interface GigabitEthernet 2/0/2.

[RouterB] interface gigabitethernet 2/0/2

[RouterB-GigabitEthernet2/0/2] undo shutdown

[RouterB-GigabitEthernet2/0/2] quit

# Execute the display interface tunnel 4 command on Router A to display information about the primary CRLSP. The output shows that the tunnel interface is in up state. (Details not shown.)

# Wait for about 5 seconds, execute the display mpls lsp verbose command on Router B to display the status change of the interface for Tunnel 4. (Details not shown.)

# Execute the display ip routing-table command on Router A. The output shows a static route entry with interface Tunnel 4 as the output interface. (Details not shown.)

Auto FRR configuration example

Network requirements

Use RSVP-TE to set up a primary CRLSP that explicitly uses path Router A—Router B—Router C—Router D.

Configure auto FRR on Router B to automatically set up bypass tunnels for the primary CRLSP.

Figure 40 Network diagram

Table 8 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
Router A	Loop0	1.1.1.1/32	Router E	Loop0	5.5.5.5/32
	GE2/0/1	2.1.1.1/24		POS2/2/0	3.2.1.2/24
Router B	Loop0	2.2.2.2/32		POS2/2/1	3.4.1.1/24
	GE2/0/1	2.1.1.2/24	Router C	Loop0	3.3.3.3/32
	GE2/0/2	3.1.1.1/24		GE2/0/1	4.1.1.1/24
	POS2/2/0	3.2.1.1/24		GE2/0/2	3.1.1.2/24
	POS2/2/1	3.3.1.1/24		POS2/2/0	3.4.1.2/24
Router D	Loop0	4.4.4.4/32	Router F	Loop0	6.6.6.6/32
	GE2/0/1	4.1.1.2/24		POS2/2/0	3.3.1.2/24
	POS2/2/0	4.2.1.2/24		POS2/2/1	4.2.1.1/24

Configuration procedure

1. Configure IP addresses and masks for interfaces. (Details not shown.)

2. Configure IS-IS to advertise interface addresses, including the loopback interface address. (Details not shown.)

3. Configure an LSR ID, and enable MPLS, MPLS TE, and RSVP-TE on each router. Enable BFD for RSVP-TE on Router B and Router C:

# Configure Router A.

<RouterA> system-view

[RouterA] mpls lsr-id 1.1.1.1

[RouterA] mpls te

[RouterA-te] quit

[RouterA] rsvp

[RouterA-rsvp] quit

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] mpls enable

[RouterA-GigabitEthernet2/0/1] mpls te enable

[RouterA-GigabitEthernet2/0/1] rsvp enable

[RouterA-GigabitEthernet2/0/1] quit

# Configure Router B.

<RouterB> system-view

[RouterB] mpls lsr-id 2.2.2.2

[RouterB] mpls te

[RouterB-te] quit

[RouterB] rsvp

[RouterB-rsvp] quit

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] mpls enable

[RouterB-GigabitEthernet2/0/1] mpls te enable

[RouterB-GigabitEthernet2/0/1] rsvp enable

[RouterB-GigabitEthernet2/0/1] quit

[RouterB] interface gigabitethernet 2/0/2

[RouterB-GigabitEthernet2/0/2] mpls enable

[RouterB-GigabitEthernet2/0/2] mpls te enable

[RouterB-GigabitEthernet2/0/2] rsvp enable

[RouterB-GigabitEthernet2/0/2] rsvp bfd enable

[RouterB-GigabitEthernet2/0/2] quit

[RouterB] interface pos 2/2/0

[RouterB-POS2/2/0] mpls enable

[RouterB-POS2/2/0] mpls te enable

[RouterB-POS2/2/0] rsvp enable

[RouterB-POS2/2/0] quit

[RouterB] interface pos 2/2/1

[RouterB-POS2/2/1] mpls enable

[RouterB-POS2/2/1] mpls te enable

[RouterB-POS2/2/1] rsvp enable

[RouterB-POS2/2/1] quit

# Configure Router C in the same way that Router B is configured. Configure Router D, Router E, and Router F in the same way that Router A is configured. (Details not shown.)

4. Configure an MPLS TE tunnel on Router A, the ingress node of the primary CRLSP:

# Configure an explicit path named pri-path for the primary CRLSP.

[RouterA] explicit-path pri-path

[RouterA-explicit-path-pri-path] nexthop 2.1.1.2

[RouterA-explicit-path-pri-path] nexthop 3.1.1.2

[RouterA-explicit-path-pri-path] nexthop 4.1.1.2

[RouterA-explicit-path-pri-path] nexthop 4.4.4.4

[RouterA-explicit-path-pri-path] quit

# Create MPLS TE tunnel interface Tunnel 1 for the primary CRLSP.

[RouterA] interface tunnel 1 mode mpls-te

[RouterA-Tunnel1] ip address 10.1.1.1 255.255.255.0

# Specify the tunnel destination address as the LSR ID of Router D.

[RouterA-Tunnel1] destination 4.4.4.4

# Specify the tunnel signaling protocol as RSVP-TE.

[RouterA-Tunnel1] mpls te signaling rsvp-te

# Specify the explicit path as pri-path.

[RouterA-Tunnel1] mpls te path preference 1 explicit-path pri-path

# Enable FRR for the MPLS TE tunnel.

[RouterA-Tunnel1] mpls te fast-reroute

[RouterA-Tunnel1] quit

# Verify that the MPLS TE interface Tunnel 1 is up on Router A.

[RouterA] display interface tunnel

Tunnel1

Current state: UP

Line protocol state: UP

Description: Tunnel4 Interface

Bandwidth: 64kbps

Maximum transmission unit: 1496

Internet address: 10.1.1.1/24 (primary)

Tunnel source unknown, destination 4.4.4.4

Tunnel TTL 255

Tunnel protocol/transport CR_LSP

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 1911 bytes/sec, 15288 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 1526 packets, 22356852 bytes, 0 drops

# Display detailed information about the MPLS TE tunnel interface on Router A.

[RouterA] display mpls te tunnel-interface

Tunnel Name : Tunnel 1

Tunnel State : Up (Main CRLSP up, Shared-resource CRLSP down)

Tunnel Attributes :

LSP ID : 16802 Tunnel ID : 1

Admin State : Normal

Ingress LSR ID : 2.2.2.2 Egress LSR ID : 4.4.4.4

Signaling : RSVP-TE Static CRLSP Name : -

Static SRLSP Name : -/-

Resv Style : SE

Tunnel mode : -

Reverse-LSP name : -

Reverse-LSP LSR ID : - Reverse-LSP Tunnel ID: -

Class Type : CT0 Tunnel Bandwidth : 0 kbps

Reserved Bandwidth : 0 kbps

Setup Priority : 7 Holding Priority : 7

Affinity Attr/Mask : 0/0

Explicit Path : pri-path

Backup Explicit Path : -

Metric Type : TE

Record Route : Enabled Record Label : Enabled

FRR Flag : Enabled Bandwidth Protection : Disabled

Backup Bandwidth Flag: Disabled Backup Bandwidth Type: -

Backup Bandwidth : -

Bypass Tunnel : No Auto Created : No

Route Pinning : Disabled

Retry Limit : 3 Retry Interval : 2 sec

Reoptimization : Disabled Reoptimization Freq : -

Backup Type : None Backup LSP ID : -

Auto Bandwidth : Disabled Auto Bandwidth Freq : -

Min Bandwidth : - Max Bandwidth : -

Collected Bandwidth : - Service-Class : -

5. Configure auto FRR on Router B (the PLR):

# Enable the automatic bypass tunnel setup feature globally.

[RouterB] mpls te

[RouterB-te] auto-tunnel backup

# Specify interface numbers 50 to 100 for the automatically created bypass tunnels.

[RouterB-te-auto-bk] tunnel-number min 50 max 100

[RouterB-te-auto-bk] quit

Verifying the configuration

# Verify that two tunnels have been created automatically on Router B.

[RouterB] display interface tunnel brief

Brief information on interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Protocol: (s) - spoofing

Interface Link Protocol Primary IP Description

Tun50 UP DOWN --

Tun51 UP DOWN --

# Display information about Tunnel 50 and Tunnel 51 on Router B. The output shows that Tunnel 50 and Tunnel 51 are automatically created bypass tunnels. Tunnel 50 is a node-protection bypass tunnel (egress LSR ID is 4.4.4.4, the LSR ID of Router D). Tunnel 51 is a link-protection bypass tunnel (egress LSR ID is 3.3.3.3, the LSR ID of Router C).

[RouterB] display mpls te tunnel-interface tunnel 50

Tunnel Name : Tunnel 50

Tunnel State : Up (Main CRLSP up, Shared-resource CRLSP down)

Tunnel Attributes :

LSP ID : 16802 Tunnel ID : 50

Admin State : Normal

Ingress LSR ID : 2.2.2.2 Egress LSR ID : 4.4.4.4

Signaling : RSVP-TE Static CRLSP Name : -

Static SRLSP Name : -/-

Resv Style : SE

Tunnel mode : -

Reverse-LSP name : -

Reverse-LSP LSR ID : - Reverse-LSP Tunnel ID: -

Class Type : CT0 Tunnel Bandwidth : 0 kbps

Reserved Bandwidth : 0 kbps

Setup Priority : 7 Holding Priority : 7

Affinity Attr/Mask : 0/0

Explicit Path : -

Backup Explicit Path : -

Metric Type : TE

Record Route : Enabled Record Label : Disabled

FRR Flag : Disabled Bandwidth Protection : Disabled

Backup Bandwidth Flag: Disabled Backup Bandwidth Type: -

Backup Bandwidth : -

Bypass Tunnel : Yes Auto Created : Yes

Route Pinning : Disabled

Retry Limit : 3 Retry Interval : 2 sec

Reoptimization : Disabled Reoptimization Freq : -

Backup Type : None Backup LSP ID : -

Auto Bandwidth : Disabled Auto Bandwidth Freq : -

Min Bandwidth : - Max Bandwidth : -

Collected Bandwidth : - Service-Class : -

[RouterB] display mpls te tunnel-interface tunnel 51

Tunnel Name : Tunnel 51

Tunnel State : Up (Main CRLSP up, Shared-resource CRLSP down)

Tunnel Attributes :

LSP ID : 16802 Tunnel ID : 51

Admin State : Normal

Ingress LSR ID : 2.2.2.2 Egress LSR ID : 3.3.3.3

Signaling : RSVP-TE Static CRLSP Name : -

Static SRLSP Name : -/-

Resv Style : SE

Tunnel mode : -

Reverse-LSP name : -

Reverse-LSP LSR ID : - Reverse-LSP Tunnel ID: -

Class Type : CT0 Tunnel Bandwidth : 0 kbps

Reserved Bandwidth : 0 kbps

Setup Priority : 7 Holding Priority : 7

Affinity Attr/Mask : 0/0

Explicit Path : -

Backup Explicit Path : -

Metric Type : TE

Record Route : Enabled Record Label : Disabled

FRR Flag : Disabled Bandwidth Protection : Disabled

Backup Bandwidth Flag: Disabled Backup Bandwidth Type: -

Backup Bandwidth : -

Bypass Tunnel : Yes Auto Created : Yes

Route Pinning : Disabled

Retry Limit : 3 Retry Interval : 2 sec

Reoptimization : Disabled Reoptimization Freq : -

Backup Type : None Backup LSP ID : -

Auto Bandwidth : Disabled Auto Bandwidth Freq : -

Min Bandwidth : - Max Bandwidth : -

Collected Bandwidth : - Service-Class : -

# Verify that the current bypass tunnel that protects the primary CRLSP is Tunnel 50.

[RouterB] display mpls lsp

FEC Proto In/Out Label Interface/Out NHLFE

2.2.2.2/51/16802 RSVP -/3 POS2/2/0

2.2.2.2/1/16802 RSVP -/1151 GE2/0/2

Backup -/3 Tun50

2.2.2.2/50/16802 RSVP -/3 POS2/2/1

3.2.1.2 Local -/- POS2/2/1

3.3.1.2 Local -/- POS2/2/0

Tunnel50 Local -/- NHLFE61

Tunnel51 Local -/- NHLFE63

# Display detailed information about MPLS TE tunnel 1 (the tunnel for the primary CRLSP) on Router B. The output shows that Tunnel1 is protected by the bypass tunnel Tunnel50, and the protected node is 3.1.1.1.

[RouterB] display rsvp lsp tunnel-id 1 verbose

Tunnel name: Sysname_t1

Destination: 4.4.4.4 Source: 1.1.1.1

Tunnel ID: 1 LSP ID: 16802

LSR type: Transit Direction: Unidirectional

Setup priority: 7 Holding priority: 7

In-Label: 1150 Out-Label: 1151

In-Interface: GE2/0/1 Out-Interface: GE2/0/2

Nexthop: 3.1.1.2 Exclude-any: 0

Include-Any: 0 Include-all: 0

Average bitrate: 0 kbps Maximum burst: 1000.00 bytes

Path MTU: 1500 Class type: CT0

RRO number: 12

2.1.1.1/32 Flag: 0x00 (No FRR)

2.1.1.2/32 Flag: 0x40 (No FRR/In-Int)

24118 Flag: 0x01 (Global label)

2.2.2.2/32 Flag: 0x29 (FRR Avail/Node-Prot/Node-ID)

24118 Flag: 0x01 (Global label)

3.1.1.1/32 Flag: 0x09 (FRR Avail/Node-Prot)

3.1.1.2/32 Flag: 0x40 (No FRR/In-Int)

24122 Flag: 0x01 (Global label)

3.3.3.3/32 Flag: 0x20 (No FRR/Node-ID)

24122 Flag: 0x01 (Global label)

4.1.1.1/32 Flag: 0x00 (No FRR)

4.1.1.2/32 Flag: 0x40 (No FRR/In-Int)

3 Flag: 0x01 (Global label)

4.4.4.4/32 Flag: 0x20 (No FRR/Node-ID)

3 Flag: 0x01 (Global label)

Fast Reroute protection: Ready

FRR inner label: 3 Bypass tunnel: Tunnel50

IETF DS-TE configuration example

Network requirements

Router A, Router B, Router C, and Router D run IS-IS and all of them are Level-2 routers.

Use RSVP-TE to establish an MPLS TE tunnel from Router A to Router D to transmit data between the two IP networks. Traffic of the tunnel belongs to CT 2, and the tunnel needs a bandwidth of 4000 kbps.

The maximum bandwidth of the link that the tunnel traverses is 10000 kbps and the maximum reservable bandwidth of the link is 10000 kbps. BC 1, BC 2, and BC 3 are 8000 kbps, 5000 kbps, and 2000 kbps.

Figure 41 Network diagram

Table 9 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
Router A	Loop0	1.1.1.9/32	Router C	Loop0	3.3.3.9/32
	GE2/0/1	10.1.1.1/24		GE2/0/1	30.1.1.1/24
	GE2/0/2	100.1.1.1/24		POS2/2/0	20.1.1.2/24
Router B	Loop0	2.2.2.9/32	Router D	Loop0	4.4.4.9/32
	GE2/0/1	10.1.1.2/24		GE2/0/1	30.1.1.2/24
	POS2/2/0	20.1.1.1/24		GE2/0/2	100.1.2.1/24

Configuration procedure

1. Configure IP addresses and masks for interfaces. (Details not shown.)

2. Configure IS-IS to advertise interface addresses, including the loopback interface address:

# Configure Router A.

<RouterA> system-view

[RouterA] isis 1

[RouterA-isis-1] network-entity 00.0005.0000.0000.0001.00

[RouterA-isis-1] quit

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] isis enable 1

[RouterA-GigabitEthernet2/0/1] isis circuit-level level-2

[RouterA-GigabitEthernet2/0/1] quit

[RouterA] interface loopback 0

[RouterA-LoopBack0] isis enable 1

[RouterA-LoopBack0] isis circuit-level level-2

[RouterA-LoopBack0] quit

# Configure Router B.

<RouterB> system-view

[RouterB] isis 1

[RouterB-isis-1] network-entity 00.0005.0000.0000.0002.00

[RouterB-isis-1] quit

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] isis enable 1

[RouterB-GigabitEthernet2/0/1] isis circuit-level level-2

[RouterB-GigabitEthernet2/0/1] quit

[RouterB] interface pos 2/2/0

[RouterB-POS2/2/0] isis enable 1

[RouterB-POS2/2/0] isis circuit-level level-2

[RouterB-POS2/2/0] quit

[RouterB] interface loopback 0

[RouterB-LoopBack0] isis enable 1

[RouterB-LoopBack0] isis circuit-level level-2

[RouterB-LoopBack0] quit

# Configure Router C.

<RouterC> system-view

[RouterC] isis 1

[RouterC-isis-1] network-entity 00.0005.0000.0000.0003.00

[RouterC-isis-1] quit

[RouterC] interface gigabitethernet 2/0/1

[RouterC-GigabitEthernet2/0/1] isis enable 1

[RouterC-GigabitEthernet2/0/1] isis circuit-level level-2

[RouterC-GigabitEthernet2/0/1] quit

[RouterC] interface pos 2/2/0

[RouterC-POS2/2/0] isis enable 1

[RouterC-POS2/2/0] isis circuit-level level-2

[RouterC-POS2/2/0] quit

[RouterC] interface loopback 0

[RouterC-LoopBack0] isis enable 1

[RouterC-LoopBack0] isis circuit-level level-2

[RouterC-LoopBack0] quit

# Configure Router D.

<RouterD> system-view

[RouterD] isis 1

[RouterD-isis-1] network-entity 00.0005.0000.0000.0004.00

[RouterD-isis-1] quit

[RouterD] interface gigabitethernet 2/0/1

[RouterD-GigabitEthernet2/0/1] isis enable 1

[RouterD-GigabitEthernet2/0/1] isis circuit-level level-2

[RouterD-GigabitEthernet2/0/1] quit

[RouterD] interface loopback 0

[RouterD-LoopBack0] isis enable 1

[RouterD-LoopBack0] isis circuit-level level-2

[RouterD-LoopBack0] quit

# Verify that the routers have learned the routes to one another, including the routes to the loopback interfaces. This example uses Router A.

[RouterA] display ip routing-table

Destinations : 10 Routes : 10

Destination/Mask Proto Pre Cost NextHop Interface

1.1.1.9/32 Direct 0 0 127.0.0.1 InLoop0

2.2.2.9/32 IS_L1 15 10 10.1.1.2 GE2/0/1

3.3.3.9/32 IS_L1 15 20 10.1.1.2 GE2/0/1

4.4.4.9/32 IS_L1 15 30 10.1.1.2 GE2/0/1

10.1.1.0/24 Direct 0 0 10.1.1.1 GE2/0/1

10.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

20.1.1.0/24 IS_L1 15 20 10.1.1.2 GE2/0/1

30.1.1.0/24 IS_L1 15 30 10.1.1.2 GE2/0/1

100.1.1.0/24 Direct 0 0 100.1.1.1 Loop1

100.1.1.0/32 Direct 0 0 100.1.1.1 Loop1

100.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.255/32 Direct 0 0 100.1.1.1 Loop1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

3. Configure an LSR ID, enable MPLS, MPLS TE, and RSVP-TE, and configure the DS-TE mode as IETF:

# Configure Router A.

[RouterA] mpls lsr-id 1.1.1.9

[RouterA] mpls te

[RouterA-te] ds-te mode ietf

[RouterA-te] quit

[RouterA] rsvp

[RouterA-rsvp] quit

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] mpls enable

[RouterA-GigabitEthernet2/0/1] mpls te enable

[RouterA-GigabitEthernet2/0/1] rsvp enable

[RouterA-GigabitEthernet2/0/1] quit

# Configure Router B.

[RouterB] mpls lsr-id 2.2.2.9

[RouterB] mpls te

[RouterB-te] ds-te mode ietf

[RouterB-te] quit

[RouterB] rsvp

[RouterB-rsvp] quit

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] mpls enable

[RouterB-GigabitEthernet2/0/1] mpls te enable

[RouterB-GigabitEthernet2/0/1] rsvp enable

[RouterB-GigabitEthernet2/0/1] quit

[RouterB] interface pos 2/2/0

[RouterB-POS2/2/0] mpls enable

[RouterB-POS2/2/0] mpls te enable

[RouterB-POS2/2/0] rsvp enable

[RouterB-POS2/2/0] quit

# Configure Router C.

[RouterC] mpls lsr-id 3.3.3.9

[RouterC] mpls te

[RouterC-te] ds-te mode ietf

[RouterC-te] quit

[RouterC] rsvp

[RouterC-rsvp] quit

[RouterC] interface gigabitethernet 2/0/1

[RouterC-GigabitEthernet2/0/1] mpls enable

[RouterC-GigabitEthernet2/0/1] mpls te enable

[RouterC-GigabitEthernet2/0/1] rsvp enable

[RouterC-GigabitEthernet2/0/1] quit

[RouterC] interface pos 2/2/0

[RouterC-POS2/2/0] mpls enable

[RouterC-POS2/2/0] mpls te enable

[RouterC-POS2/2/0] rsvp enable

[RouterC-POS2/2/0] quit

# Configure Router D.

[RouterD] mpls lsr-id 4.4.4.9

[RouterD] mpls te

[RouterD-te] ds-te mode ietf

[RouterD-te] quit

[RouterD] rsvp

[RouterD-rsvp] quit

[RouterD] interface gigabitethernet 2/0/1

[RouterD-GigabitEthernet2/0/1] mpls enable

[RouterD-GigabitEthernet2/0/1] mpls te enable

[RouterD-GigabitEthernet2/0/1] rsvp enable

[RouterD-GigabitEthernet2/0/1] quit

4. Enable IS-IS TE, and configure IS-IS to receive and send only packets whose cost style is wide:

# Configure Router A.

[RouterA] isis 1

[RouterA-isis-1] cost-style wide

[RouterA-isis-1] mpls te enable level-2

[RouterA-isis-1] quit

# Configure Router B.

[RouterB] isis 1

[RouterB-isis-1] cost-style wide

[RouterB-isis-1] mpls te enable level-2

[RouterB-isis-1] quit

# Configure Router C.

[RouterC] isis 1

[RouterC-isis-1] cost-style wide

[RouterC-isis-1] mpls te enable level-2

[RouterC-isis-1] quit

# Configure Router D.

[RouterD] isis 1

[RouterD-isis-1] cost-style wide

[RouterD-isis-1] mpls te enable level-2

[RouterD-isis-1] quit

5. Configure MPLS TE attributes of links:

# Set the maximum bandwidth, maximum reservable bandwidth, and bandwidth constraints on Router A.

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] mpls te max-link-bandwidth 10000

[RouterA-GigabitEthernet2/0/1] mpls te max-reservable-bandwidth rdm 10000 bc1 8000 bc2 5000 bc3 2000

[RouterA-GigabitEthernet2/0/1] quit

# Set the maximum bandwidth, maximum reservable bandwidth, and bandwidth constraints on Router B.

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] mpls te max-link-bandwidth 10000

[RouterB-GigabitEthernet2/0/1] mpls te max-reservable-bandwidth rdm 10000 bc1 8000 bc2 5000 bc3 2000

[RouterB-GigabitEthernet2/0/1] quit

[RouterB] interface pos 2/2/0

[RouterB-POS2/2/0] mpls te max-link-bandwidth 10000

[RouterB-POS2/2/0] mpls te max-reservable-bandwidth rdm 10000 bc1 8000 bc2 5000 bc3 2000

[RouterB-POS2/2/0] quit

# Set the maximum bandwidth, maximum reservable bandwidth, and bandwidth constraints on Router C.

[RouterC] interface gigabitethernet 2/0/1

[RouterC-GigabitEthernet2/0/1] mpls te max-link-bandwidth 10000

[RouterC-GigabitEthernet2/0/1] mpls te max-reservable-bandwidth rdm 10000 bc1 8000 bc2 5000 bc3 2000

[RouterC-GigabitEthernet2/0/1] quit

[RouterC] interface pos 2/2/0

[RouterC-POS2/2/0] mpls te max-link-bandwidth 10000

[RouterC-POS2/2/0] mpls te max-reservable-bandwidth rdm 10000 bc1 8000 bc2 5000 bc3 2000

[RouterC-POS2/2/0] quit

# Set the maximum bandwidth, maximum reservable bandwidth, and bandwidth constraints on Router D.

[RouterD] interface gigabitethernet 2/0/1

[RouterD-GigabitEthernet2/0/1] mpls te max-link-bandwidth 10000

[RouterD-GigabitEthernet2/0/1] mpls te max-reservable-bandwidth rdm 10000 bc1 8000 bc2 5000 bc3 2000

[RouterD-GigabitEthernet2/0/1] quit

6. Configure an MPLS TE tunnel on Router A:

# Create MPLS TE tunnel interface Tunnel 1.

[RouterA] interface Tunnel 1 mode mpls-te

[RouterA-Tunnel1] ip address 7.1.1.1 255.255.255.0

# Specify the tunnel destination address as the LSR ID of Router D.

[RouterA-Tunnel1] destination 4.4.4.9

# Configure MPLS TE to use RSVP-TE to establish the tunnel.

[RouterA-Tunnel1] mpls te signaling rsvp-te

# Assign 4000 kbps bandwidth to CT 2 for the tunnel.

[RouterA-Tunnel1] mpls te bandwidth ct2 4000

# Set the tunnel setup priority and holding priority both to 0.

[RouterA-Tunnel1] mpls te priority 0

[RouterA-Tunnel1] quit

7. Configure a static route on Router A to direct the traffic destined for subnet 100.1.2.0/24 to MPLS TE tunnel 1.

[RouterA] ip route-static 100.1.2.0 24 tunnel 1 preference 1

Verifying the configuration

# Verify that the tunnel interface is up on Router A.

[RouterA] display interface tunnel

Tunnel1

Current state: UP

Line protocol state: UP

Description: Tunnel1 Interface

Bandwidth: 64kbps

Maximum transmission unit: 1496

Internet address: 7.1.1.1/24 (primary)

Tunnel source unknown, destination 4.4.4.9

Tunnel TTL 255

Tunnel protocol/transport CR_LSP

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets input, 0 bytes 0 drops

Output: 0 packets output, 0 bytes 0 drops

# Display detailed information about the MPLS TE tunnel on Router A.

[RouterA] display mpls te tunnel-interface

Tunnel Name : Tunnel 1

Tunnel State : Up (Main CRLSP up, Shared-resource CRLSP down)

Tunnel Attributes :

LSP ID : 36882 Tunnel ID : 1

Admin State : Normal

Ingress LSR ID : 1.1.1.9 Egress LSR ID : 4.4.4.9

Signaling : RSVP-TE Static CRLSP Name : -

Static SRLSP Name : -/-

Resv Style : SE

Tunnel mode : -

Reverse-LSP name : -

Reverse-LSP LSR ID : - Reverse-LSP Tunnel ID: -

Class Type : CT2 Tunnel Bandwidth : 4000 kbps

Reserved Bandwidth : 4000 kbps

Setup Priority : 0 Holding Priority : 0

Affinity Attr/Mask : 0/0

Explicit Path : -

Backup Explicit Path : -

Metric Type : TE

Record Route : Disabled Record Label : Disabled

FRR Flag : Disabled Bandwidth Protection : Disabled

Backup Bandwidth Flag: Disabled Backup Bandwidth Type: -

Backup Bandwidth : -

Bypass Tunnel : No Auto Created : No

Route Pinning : Disabled

Retry Limit : 3 Retry Interval : 2 sec

Reoptimization : Disabled Reoptimization Freq : -

Backup Type : None Backup LSP ID : -

Auto Bandwidth : Disabled Auto Bandwidth Freq : -

Min Bandwidth : - Max Bandwidth : -

Collected Bandwidth : - Service-Class : -

# Display bandwidth information on interface GigabitEthernet 2/0/1 on Router A.

[RouterA] display mpls te link-management bandwidth-allocation interface gigabitethernet 2/0/1

Interface: GigabitEthernet2/0/1

Max Link Bandwidth : 10000 kbps

Max Reservable Bandwidth of Prestandard RDM : 0 kbps

Max Reservable Bandwidth of IETF RDM : 10000 kbps

Max Reservable Bandwidth of IETF MAM : 0 kbps

Allocated Bandwidth-Item Count : 1

Allocated Bandwidth : 4000 kbps

Physical Link Status : Up

BC Prestandard RDM(kbps) IETF RDM(kbps) IETF MAM(kbps)

0 0 10000 0

1 0 8000 0

2 - 5000 0

3 - 2000 0

TE Class Class Type Priority BW Reserved(kbps) BW Available(kbps)

0 0 7 0 6000

1 1 7 0 4000

2 2 7 0 1000

3 3 7 0 1000

4 0 0 0 6000

5 1 0 0 4000

6 2 0 4000 1000

7 3 0 0 1000

# Execute the display ip routing-table command on Router A. The output shows a static route entry with interface Tunnel1 as the output interface. (Details not shown.)

CBTS configuration example

Network requirements

As shown in Figure 42, all routers run IS-IS.

Use RSVP-TE to establish the following MPLS TE tunnels between Router A and Router E:

· Router A—Router B—Router E.

· Router A—Router C—Router E.

· Router A—Router D—Router E.

Assign the MPLS TE tunnels different service classes for different classes of services.

Figure 42 Network diagram

Table 10 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
Router A	Loop0	1.1.1.1/32	Router D	Loop0	4.4.4.4/32
	GE1/0/1	10.1.1.1/24		GE1/0/1	30.1.1.2/24
	GE1/0/2	20.1.1.1/24		GE1/0/2	40.1.1.1/24
	GE1/0/3	30.1.1.1/24	Router E	Loop0	5.5.5.5/32
	GE1/0/4	100.1.1.1/24		GE1/0/1	100.1.1.2/24
Router B	Loop0	2.2.2.2/32		GE1/0/2	200.1.1.2/24
	GE1/0/1	10.1.1.2/24		GE1/0/3	40.1.1.1.2/24
	GE1/0/2	100.1.1.1/24
Router C	Loop0	3.3.3.3/32
	GE1/0/1	20.1.1.2/24
	GE1/0/2	200.1.1.1/24

Configuration procedure

1. Configure IP addresses and masks for interfaces, including the loopback interfaces, as shown in Table 10. (Details not shown.)

2. Configure IS-IS to advertise interface addresses including loopback interface addresses, and configure IS-IS TE. (Details not shown.)

3. Configure an LSR ID, and enable MPLS, MPLS TE, and RSVP-TE on each router. (Details not shown.)

4. Use RSVP-TE to establish three MPLS TE tunnels: Tunnel 1, Tunnel 2, and Tunnel 3. Tunnel 1 uses path Router A—Router B—Router E. Tunnel 2 uses path Router A—Router C—Router E. Tunnel 3 uses path Router A—Router D—Router E. (Details not shown.)

5. Configure a QoS policy on Router A.

# Create a traffic class.

<RouterA> system-view

[RouterA] traffic classifier class

[RouterA-classifier-class] if-match any

[RouterA-classifier-class] quit

# Create a traffic behavior.

[RouterA] traffic behavior behave

[RouterA-behavior-behave] remark service-class 3

[RouterA-behavior-behave] quit

# Create a QoS policy.

[RouterA] qos policy policy

[RouterA-qospolicy-policy] classifier class behavior behave

[RouterA-qospolicy-policy] quit

# Apply the QoS policy to GigabitEthernet 1/0/4.

[RouterA] interface GigabitEthernet 1/0/4

[RouterA-GigabitEthernet1/0/4] qos apply policy policy inbound

[RouterA-GigabitEthernet1/0/4] quit

6. Specify the service classes for the MPLS TE tunnels.

# Specify the service class as 3 for Tunnel 2.

[RouterA] interface tunnel 2 mode mpls-te

[RouterA-Tunnel2] mpls te service-class 3

[RouterA-Tunnel2] quit

# Specify the service class as 6 for Tunnel 3.

[RouterA] interface tunnel 3 mode mpls-te

[RouterA-Tunnel3] mpls te service-class 6

[RouterA-Tunnel3] quit

Verifying the configuration

# Display information about Tunnel 1 on Router A.

[RouterA] display mpls te tunnel-interface Tunnel 1

Tunnel Name : Tunnel 1

Tunnel State : Up (Main CRLSP up)

Tunnel Attributes :

LSP ID : 17419 Tunnel ID : 1

Admin State : Normal

Ingress LSR ID : 10.1.1.1 Egress LSR ID : 40.1.1.1

Signaling : RSVP-TE Static CRLSP Name : -

Static SRLSP Name : main1/-

Resv Style : -

Tunnel mode : -

Reverse-LSP name : -

Reverse-LSP LSR ID : - Reverse-LSP Tunnel ID: -

Class Type : - Tunnel Bandwidth : -

Reserved Bandwidth : -

Setup Priority : 0 Holding Priority : 0

Affinity Attr/Mask : -/-

Explicit Path : -

Backup Explicit Path : -

Metric Type : TE

Record Route : - Record Label : -

FRR Flag : - Bandwidth Protection : -

Backup Bandwidth Flag: - Backup Bandwidth Type: -

Backup Bandwidth : -

Bypass Tunnel : - Auto Created : -

Route Pinning : -

Retry Limit : 3 Retry Interval : 2 sec

Reoptimization : - Reoptimization Freq : -

Backup Type : - Backup LSP ID : -

Auto Bandwidth : - Auto Bandwidth Freq : -

Min Bandwidth : - Max Bandwidth : -

Collected Bandwidth : - Service-Class : -

The Service-Class field has no value, indicating that no service class is set for Tunnel 1.

# Display information about Tunnel 2 and Tunnel 3 on Router A.

[RouterA] display mpls te tunnel-interface Tunnel 2

Tunnel Name : Tunnel 2

Tunnel State : Up (Main CRLSP up)

Tunnel Attributes :

LSP ID : 17418 Tunnel ID : 2

Admin State : Normal

Ingress LSR ID : 10.1.1.1 Egress LSR ID : 40.1.1.1

Signaling : RSVP-TE Static CRLSP Name : -

Static SRLSP Name : main2/-

Resv Style : -

Tunnel mode : -

Reverse-LSP name : -

Reverse-LSP LSR ID : - Reverse-LSP Tunnel ID: -

Class Type : - Tunnel Bandwidth : -

Reserved Bandwidth : -

Setup Priority : 0 Holding Priority : 0

Affinity Attr/Mask : -/-

Explicit Path : -

Backup Explicit Path : -

Metric Type : TE

Record Route : - Record Label : -

FRR Flag : - Bandwidth Protection : -

Backup Bandwidth Flag: - Backup Bandwidth Type: -

Backup Bandwidth : -

Bypass Tunnel : - Auto Created : -

Route Pinning : -

Retry Limit : 3 Retry Interval : 2 sec

Reoptimization : - Reoptimization Freq : -

Backup Type : - Backup LSP ID : -

Auto Bandwidth : - Auto Bandwidth Freq : -

Min Bandwidth : - Max Bandwidth : -

Collected Bandwidth : - Service-Class : 3

[RouterA]display mpls te tunnel-interface Tunnel 3

Tunnel Name : Tunnel 3

Tunnel State : Up (Main CRLSP up)

Tunnel Attributes :

LSP ID : 17418 Tunnel ID : 3

Admin State : Normal

Ingress LSR ID : 10.1.1.1 Egress LSR ID : 40.1.1.1

Signaling : RSVP-TE Static CRLSP Name : -

Static SRLSP Name : main3/-

Resv Style : -

Tunnel mode : -

Reverse-LSP name : -

Reverse-LSP LSR ID : - Reverse-LSP Tunnel ID: -

Class Type : - Tunnel Bandwidth : -

Reserved Bandwidth : -

Setup Priority : 0 Holding Priority : 0

Affinity Attr/Mask : -/-

Explicit Path : -

Backup Explicit Path : -

Metric Type : TE

Record Route : - Record Label : -

FRR Flag : - Bandwidth Protection : -

Backup Bandwidth Flag: - Backup Bandwidth Type: -

Backup Bandwidth : -

Bypass Tunnel : - Auto Created : -

Route Pinning : -

Retry Limit : 3 Retry Interval : 2 sec

Reoptimization : - Reoptimization Freq : -

Backup Type : - Backup LSP ID : -

Auto Bandwidth : - Auto Bandwidth Freq : -

Min Bandwidth : - Max Bandwidth : -

Collected Bandwidth : - Service-Class : 6

The Service-Class fields show that the service class values of Tunnel 2 and Tunnel 3 are 3 and 6, respectively. According to the QoS policy, traffic arrives at GigabitEthernet 1/0/4 of Router A is assigned service class 3. So CBTS uses Tunnel 2 to forward the traffic.

Troubleshooting MPLS TE

No TE LSA generated

Symptom

OSPF TE is configured but no TE LSAs can be generated to describe MPLS TE attributes.

Analysis

For TE LSAs to be generated, a minimum of one OSPF neighbor must reach FULL state.

Solution

1. To resolve the problem:

a. Use the display current-configuration command to verify that MPLS TE is configured on involved interfaces.

b. Use the debugging ospf mpls-te command to verify that OSPF can receive the TE LINK establishment message.

c. Use the display ospf peer command to verify that OSPF neighbors are established correctly.

2. If the problem persists, contact H3C Support.

Configuring a static CRLSP

Overview

A static Constraint-based Routed Label Switched Path (CRLSP) is established by manually specifying CRLSP setup information on the ingress, transit, and egress nodes of the forwarding path. The CRLSP setup information includes the incoming label, outgoing label, and required bandwidth. If the device does not have enough bandwidth resources required by a CRLSP, the CRLSP cannot be established.

Static CRLSPs consume fewer resources, but they cannot automatically adapt to network topology changes. Therefore, static CRLSPs are suitable for small and stable networks with simple topologies.

Follow these guidelines to establish a static CRLSP:

· Configure the ingress node as follows:

? Specify the outgoing label for the CRLSP, the next hop or the outgoing interface to the next hop, and the required bandwidth.

? Create an MPLS TE tunnel interface.

? Specify the static CRLSP for the tunnel interface.

The tunnel interface adds the outgoing label of the static CRLSP to each packet, and forwards the packet to the next hop or out of the outgoing interface.

· A transit node swaps the label carried in a received packet with a label. It forwards the packet to the next hop or out of the outgoing interface. You must specify the incoming label, the outgoing label, the next hop or the outgoing interface, and the required bandwidth on each transit node.

· If it is not configured with the penultimate hop popping function, an egress node pops the incoming label of a packet. It performs label forwarding according to the inner label or IP forwarding. You are only required to specify the incoming label on the egress node.

· The outgoing label specified on an LSR must be the same as the incoming label specified on the directly connected downstream LSR.

Feature and hardware compatibility

Hardware	Static CRLSP compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS	No
MSR2600-6-X1/2600-10-X1	Yes
MSR 2630	Yes
MSR3600-28/3600-51	Yes
MSR3600-28-SI/3600-51-SI	No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC	Yes
MSR 3610/3620/3620-DP/3640/3660	Yes
MSR5620/5660/5680	Yes

Hardware	Static CRLSP compatibility
MSR810-LM-GL	No
MSR810-W-LM-GL	No
MSR830-6EI-GL	No
MSR830-10EI-GL	No
MSR830-6HI-GL	No
MSR830-10HI-GL	No
MSR2600-6-X1-GL	Yes
MSR3600-28-SI-GL	No

Configuration procedure

Static CRLSPs are special static LSPs. They use the same label space as static LSPs. On a device, a static CRLSP and a static LSP cannot use the same incoming label.

A static CRLSP can forward MPLS TE traffic only after you create an MPLS TE tunnel interface on the ingress node and specify the static CRLSP for the tunnel interface. For more information about MPLS TE, see "Configuring MPLS TE."

Before you configure a static CRLSP, perform the following tasks:

1. Identify the ingress node, transit nodes, and egress node of the CRLSP.

2. Enable MPLS on all interfaces that participate in MPLS forwarding. For more information, see "Configuring basic MPLS."

3. Enable MPLS TE for each node and interface that the CRLSP traverses. For more information, see "Configuring MPLS TE."

To configure a static CRLSP:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Create a static CRLSP.

· Configure the ingress node:
static-cr-lsp ingress lsp-name { nexthop ip-address | outgoing-interface interface-type interface-number } out-label out-label-value [ bandwidth [ ct0 | ct1 | ct2 | ct3 ] bandwidth-value ]

· Configure a transit node:
static-cr-lsp transit lsp-name in-label in-label-value { nexthop ip-address | outgoing-interface interface-type interface-number } out-label out-label-value [ bandwidth [ ct0 | ct1 | ct2 | ct3 ] bandwidth-value ]

· Configure the egress node:
static-cr-lsp egress lsp-name in-label in-label-value

Use one command according to the position of a device on the network.

By default, no static CRLSPs exist.

Do not configure the next hop address as a local public IP address when configuring the static CRLSP on the ingress node or a transit node.

You do not need to execute the static-cr-lsp egress command on the egress node if the outgoing label configured on the penultimate hop of the static CRLSP is 0 or 3.

Displaying static CRLSPs

Execute display commands in any view.

Task	Command
Display static CRLSP information.	display mpls static-cr-lsp [ lsp-name lsp-name ] [ verbose ]

Static CRLSP configuration example

Network requirements

Router A, Router B, and Router C run IS-IS.

Establish an MPLS TE tunnel over a static CRLSP from Router A to Router C to transmit data between the two IP networks. The required bandwidth for the tunnel is 2000 kbps.

The maximum bandwidth for MPLS TE traffic is 10000 kbps, and the maximum reservable bandwidth is 5000 kbps.

Figure 43 Network diagram

Configuration procedure

1. Configure IP addresses and masks for interfaces. (Details not shown.)

2. Configure IS-IS to advertise interface addresses, including the loopback interface address:

# Configure Router A.

<RouterA> system-view

[RouterA] isis 1

[RouterA-isis-1] network-entity 00.0005.0000.0000.0001.00

[RouterA-isis-1] quit

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] isis enable 1

[RouterA-GigabitEthernet2/0/1] quit

[RouterA] interface loopback 0

[RouterA-LoopBack0] isis enable 1

[RouterA-LoopBack0] quit

# Configure Router B.

<RouterB> system-view

[RouterB] isis 1

[RouterB-isis-1] network-entity 00.0005.0000.0000.0002.00

[RouterB-isis-1] quit

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] isis enable 1

[RouterB-GigabitEthernet2/0/1] quit

[RouterB] interface gigabitethernet 2/0/2

[RouterB-GigabitEthernet2/0/2] isis enable 1

[RouterB-GigabitEthernet2/0/2] quit

[RouterB] interface loopback 0

[RouterB-LoopBack0] isis enable 1

[RouterB-LoopBack0] quit

# Configure Router C.

<RouterC> system-view

[RouterC] isis 1

[RouterC-isis-1] network-entity 00.0005.0000.0000.0003.00

[RouterC-isis-1] quit

[RouterC] interface gigabitethernet 2/0/1

[RouterC-GigabitEthernet2/0/1] isis enable 1

[RouterC-GigabitEthernet2/0/1] quit

[RouterC] interface loopback 0

[RouterC-LoopBack0] isis enable 1

[RouterC-LoopBack0] quit

# Execute the display ip routing-table command on each router to verify that the routers have learned the routes to one another, including the routes to the loopback interfaces. (Details not shown.)

3. Configure an LSR ID, and enable MPLS and MPLS TE:

# Configure Router A.

[RouterA] mpls lsr-id 1.1.1.1

[RouterA] mpls te

[RouterA-te] quit

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] mpls enable

[RouterA-GigabitEthernet2/0/1] mpls te enable

[RouterA-GigabitEthernet2/0/1] quit

# Configure Router B.

[RouterB] mpls lsr-id 2.2.2.2

[RouterB] mpls te

[RouterB-te] quit

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] mpls enable

[RouterB-GigabitEthernet2/0/1] mpls te enable

[RouterB-GigabitEthernet2/0/1] quit

[RouterB] interface gigabitethernet 2/0/2

[RouterB-GigabitEthernet2/0/2] mpls enable

[RouterB-GigabitEthernet2/0/2] mpls te enable

[RouterB-GigabitEthernet2/0/2] quit

# Configure Router C.

[RouterC] mpls lsr-id 3.3.3.3

[RouterC] mpls te

[RouterC-te] quit

[RouterC] interface gigabitethernet 2/0/1

[RouterC-GigabitEthernet2/0/1] mpls enable

[RouterC-GigabitEthernet2/0/1] mpls te enable

[RouterC-GigabitEthernet2/0/1] quit

4. Configure MPLS TE attributes:

# On Router A, set the maximum bandwidth and the maximum reservable bandwidth.

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] mpls te max-link-bandwidth 10000

[RouterA-GigabitEthernet2/0/1] mpls te max-reservable-bandwidth 5000

[RouterA-GigabitEthernet2/0/1] quit

# On Router B, set the maximum bandwidth and the maximum reservable bandwidth.

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] mpls te max-link-bandwidth 10000

[RouterB-GigabitEthernet2/0/1] mpls te max-reservable-bandwidth 5000

[RouterB-GigabitEthernet2/0/1] quit

[RouterB] interface gigabitethernet 2/0/2

[RouterB-GigabitEthernet2/0/2] mpls te max-link-bandwidth 10000

[RouterB-GigabitEthernet2/0/2] mpls te max-reservable-bandwidth 5000

[RouterB-GigabitEthernet2/0/2] quit

# On Router C, set the maximum bandwidth and the maximum reservable bandwidth.

[RouterC] interface gigabitethernet 2/0/1

[RouterC-GigabitEthernet2/0/1] mpls te max-link-bandwidth 10000

[RouterC-GigabitEthernet2/0/1] mpls te max-reservable-bandwidth 5000

[RouterC-GigabitEthernet2/0/1] quit

5. Configure an MPLS TE tunnel on Router A:

# Configure the MPLS TE tunnel interface Tunnel 0.

[RouterA] interface tunnel 0 mode mpls-te

[RouterA-Tunnel0] ip address 6.1.1.1 255.255.255.0

# Specify the tunnel destination address as the LSR ID of Router C.

[RouterA-Tunnel0] destination 3.3.3.3

# Configure MPLS TE to use a static CRLSP to establish the tunnel.

[RouterA-Tunnel0] mpls te signaling static

[RouterA-Tunnel0] quit

6. Create a static CRLSP:

# Configure Router A as the ingress node of the static CRLSP, and specify the next hop address as 2.1.1.2, outgoing label as 20, and required bandwidth as 2000 kbps.

[RouterA] static-cr-lsp ingress static-cr-lsp-1 nexthop 2.1.1.2 out-label 20 bandwidth 2000

# On Router A, configure tunnel 0 to use the static CRLSP static-cr-lsp-1.

[RouterA] interface Tunnel0

[RouterA-Tunnel0] mpls te static-cr-lsp static-cr-lsp-1

[RouterA-Tunnel0] quit

# Configure Router B as the transit node of the static CRLSP, and specify the incoming label as 20, next hop address as 3.2.1.2, outgoing label as 30, and required bandwidth as 2000 kbps.

[RouterB] static-cr-lsp transit static-cr-lsp-1 in-label 20 nexthop 3.2.1.2 out-label 30 bandwidth 2000

# Configure Router C as the egress node of the static CRLSP, and specify the incoming label as 30.

[RouterC] static-cr-lsp egress static-cr-lsp-1 in-label 30

7. Configure a static route on Router A to direct traffic destined for subnet 100.1.2.0/24 to MPLS TE tunnel 0.

[RouterA] ip route-static 100.1.2.0 24 tunnel 0 preference 1

Verifying the configuration

# Verify that the tunnel interface is up on Router A.

[RouterA] display interface tunnel

Tunnel0

Current state: UP

Line protocol state: UP

Description: Tunnel0 Interface

Bandwidth: 64kbps

Maximum transmission unit: 1496

Internet address: 6.1.1.1/24 (primary)

Tunnel source unknown, destination 3.3.3.3

Tunnel TTL 255

Tunnel protocol/transport CR_LSP

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

# Display detailed information about the MPLS TE tunnel on Router A.

[RouterA] display mpls te tunnel-interface

Tunnel Name : Tunnel 0

Tunnel State : Up (Main CRLSP up)

Tunnel Attributes :

LSP ID : 1 Tunnel ID : 0

Admin State : Normal

Ingress LSR ID : 1.1.1.1 Egress LSR ID : 3.3.3.3

Signaling : Static Static CRLSP Name : static-cr-lsp-1

Static SRLSP Name : -/-

Resv Style : -

Tunnel mode : -

Reverse-LSP name : -

Reverse-LSP LSR ID : - Reverse-LSP Tunnel ID: -

Class Type : - Tunnel Bandwidth : -

Reserved Bandwidth : -

Setup Priority : 0 Holding Priority : 0

Affinity Attr/Mask : -/-

Explicit Path : -

Backup Explicit Path : -

Metric Type : TE

Record Route : - Record Label : -

FRR Flag : - Bandwidth Protection : -

Backup Bandwidth Flag: - Backup Bandwidth Type: -

Backup Bandwidth : -

Bypass Tunnel : - Auto Created : -

Route Pinning : -

Retry Limit : 3 Retry Interval : 2 sec

Reoptimization : - Reoptimization Freq : -

Backup Type : - Backup LSP ID : -

Auto Bandwidth : - Auto Bandwidth Freq : -

Min Bandwidth : - Max Bandwidth : -

Collected Bandwidth : - Service-Class : -

# Display static CRLSP information on each router.

[RouterA] display mpls lsp

FEC Proto In/Out Label Interface/Out NHLFE

1.1.1.2/0/1 StaticCR -/20 GE2/0/1

2.1.1.2 Local -/- GE2/0/1

Tunnel0 Local -/- NHLFE65

[RouterB] display mpls lsp

FEC Proto In/Out Label Interface/Out NHLFE

- StaticCR 20/30 GE2/0/2

3.2.1.2 Local -/- GE2/0/2

[RouterC] display mpls lsp

FEC Proto In/Out Label Interface/Out NHLFE

- StaticCR 30/- -

[RouterA] display mpls static-cr-lsp

Name LSR Type In/Out Label Out Interface State

static-cr-lsp-1 Ingress Null/20 GE2/0/1 Up

[RouterB] display mpls static-cr-lsp

Name LSR Type In/Out Label Out Interface State

static-cr-lsp-1 Ingress Null/20 GE2/0/1 Up

[RouterC] display mpls static-cr-lsp

Name LSR Type In/Out Label Out Interface State

static-cr-lsp-1 Egress 30/Null - Up

# Verify that Router A has a static route entry with interface Tunnel 0 as the output interface.

[RouterA] display ip routing-table

Destinations : 25 Routes : 25

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

1.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

2.1.1.0/24 Direct 0 0 2.1.1.1 GE0/2

2.1.1.0/32 Direct 0 0 2.1.1.1 GE0/2

2.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

2.1.1.255/32 Direct 0 0 2.1.1.1 GE0/2

2.2.2.2/32 IS_L1 15 10 2.1.1.2 GE0/2

3.2.1.0/24 IS_L1 15 20 2.1.1.2 GE0/2

3.3.3.3/32 IS_L1 15 20 2.1.1.2 GE0/2

6.1.1.0/24 Direct 0 0 6.1.1.1 Tun0

6.1.1.0/32 Direct 0 0 6.1.1.1 Tun0

6.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

6.1.1.255/32 Direct 0 0 6.1.1.1 Tun0

100.1.1.0/24 Direct 0 0 100.1.1.1 Loop1

100.1.1.0/32 Direct 0 0 100.1.1.1 Loop1

100.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.255/32 Direct 0 0 100.1.1.1 Loop1

100.1.2.0/24 Static 1 0 0.0.0.0 Tun0

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

Configuring RSVP

Overview

The Resource Reservation Protocol (RSVP) is a signaling protocol that reserves resources on a network. Extended RSVP supports MPLS label distribution and allows resource reservation information to be transmitted with label bindings. This extended RSVP is called RSVP-TE. RSVP-TE is a label distribution protocol for MPLS TE. It distributes MPLS labels and reserves resources on the nodes of a specific path to establish a CRLSP.

RSVP messages

RSVP uses the following types of messages:

· Path messages—Sent by the sender downstream along the data transmission path to save path state information on each node along the path.

· Resv messages—Sent by the receiver upstream towards the sender to request resource reservation and to create and maintain reservation state on each node along the reverse data transmission path.

· PathTear messages—Sent downstream by the sender or a transit node to remove the path state and related reservation state on each node along the path.

· ResvTear messages—Sent upstream by the receiver or a transit node to remove the reservation state on each node along the path.

· PathErr messages—Sent upstream by the receiver or a transit node to report Path message processing errors to the sender. They do not affect the state of the nodes along the path.

· ResvErr messages—Sent downstream by the sender or a transit node to notify the downstream nodes of an Resv message processing error or of a reservation error caused by preemption.

· ResvConf messages—Sent to the receiver to confirm Resv messages.

· Hello messages—Sent between any two directly connected RSVP neighbors to set up and maintain the neighbor relationship. Hello messages are sent only when the RSVP hello extension has been enabled.

RSVP-TE extends RSVP by adding new objects to Path and Resv messages. In addition to label bindings, these objects also carry routing constraints to support CRLSP and FRR.

New objects added to the Path message include:

· LABEL_REQUEST—Requests the downstream node to allocate a label.

· EXPLICIT_ROUTE—Carries the path information calculated by the ingress node, making sure the CRLSP is set up along that path.

· RECORD_ROUTE—Records the path that the CRLSP actually traverses and the label allocated by each node on the path.

· SESSION_ATTRIBUTE—Carries the MPLS TE tunnel attributes, such as the setup priority, holding priority, and affinity.

New objects added to the Resv message include:

· LABEL—Advertises the label allocated by the downstream node to the upstream node.

· RECORD_ROUTE—Records the path that the CRLSP actually traverses and the label allocated by each node on the path.

CRLSP setup procedure

As shown in Figure 44, a CRLSP is set up by using the following steps:

1. The ingress LSR generates a Path message that carries LABEL_REQUEST, and then forwards the message along the path calculated by CSPF hop-by-hop towards the egress LSR.

2. After receiving the Path message, the egress LSR generates a Resv message carrying the reservation information and the LABEL object. It forwards the Resv message to the ingress LSR along the reverse direction of the path that the Path message traveled.

The Resv message advertises labels, reserves resources, and creates a reserve state on each LSR it passes, so QoS can be guaranteed for services transmitted on the CRLSP.

3. When the ingress LSR receives the Resv message, the CRLSP is established.

Figure 44 Setting up a CRLSP

RSVP refresh mechanism

Refresh messages

RSVP maintains resource reservation states on a node by periodically sending messages.

The resource reservation states include path states and reservation states. A path state is saved in a path state block (PSB), and a reservation state is saved in a reservation state block (RSB). A PSB is created by a Path message and saves the LABEL_REQUEST object. A RSB is created by a Resv message and saves the LABEL object.

The path states and reservation states are refreshed periodically by Path and Resv messages. A state is removed if no refresh messages for the state are received in a certain interval, and the CRLSP established based on this state is also removed.

The Path and Resv messages for refreshing the resource reservation states are collectively referred to as refresh messages. Refresh messages can also be used to recover from lost RSVP messages.

When multiple RSVP sessions exist on a network, a short refresh interval can cause network degradation, but a long refresh interval cannot meet the requirements of delay sensitive applications. To find an appropriate balance, you can use the summary refresh (Srefresh) and the reliable RSVP message delivery features.

Srefresh

Srefresh is implemented by adding a Message_ID object to a Path or Resv message to uniquely identify the message. To refresh Path and Resv states, RSVP does not need to send standard Path and Resv messages. Instead, it sends an Srefresh message carrying a set of Message_ID objects that identify the Path and Resv states to be refreshed. The Srefresh feature reduces the number of refresh messages on the network and speeds up refresh message processing.

Reliable RSVP message delivery

An RSVP sender cannot know or retransmit lost RSVP messages. The reliable RSVP message delivery mechanism is designed to ensure reliable transmission.

This mechanism requires the peer device to acknowledge each RSVP message received from the local device. If no acknowledgment is received, the local device retransmits the message.

To implement reliable RSVP message delivery, a node sends an RSVP message that includes a Message_ID object in which the ACK_Desired flag is set. The receiver needs to confirm the delivery by sending back a message that includes the Message_ID_ACK object. If the sender does not receive a Message_ID_ACK within the retransmission interval (Rf), it performs the following tasks:

· Retransmits the message when Rf expires.

· Sets the next transmission interval to (1 + delta) × Rf.

The sender repeats this process until it receives the Message_ID_ACK before the retransmission time expires or it has transmitted the message three times.

RSVP authentication

RSVP authentication ensures integrity of RSVP messages, and prevents false resource reservation requests from occupying network resources.

With RSVP authentication, the sender uses the MD5 algorithm and the authentication key to calculate a message digest for an RSVP message, and inserts the digest to the RSVP message. When the receiver receives the message, it performs the same calculation and compares the result with the message digest. If they match, the receiver accepts the message. Otherwise, it drops the message.

By carrying a sequence number in a message, RSVP authentication can also prevent packet replay attacks. The device records the sequence number of a received RSVP message, and determines whether the subsequent messages are valid according to the recorded sequence number. If the sequence number of a subsequent message is within the valid range, the device accepts the message. Otherwise, it drops the message.

RSVP GR

RSVP Graceful Restart (GR) preserves soft state and label forwarding information when the signaling protocol or control plane fails, so that LSRs can still forward packets according to forwarding entries.

RSVP GR defines the following roles:

· GR restarter—Router that gracefully restarts due to a manually configured command or a fault. It must be GR-capable.

· GR helper—Neighbor of the GR restarter. A GR helper maintains the neighbor relationship with the GR restarter and helps the GR restarter restore its LFIB information. A GR helper must be GR-capable.

The device can act only as a RSVP GR helper.

The RSVP GR feature depends on the extended hello capability of RSVP. A GR-capable device advertises its GR capability and relevant time parameters to its neighbors in RSVP hello packets. If a device and all its neighbors have the RSVP GR capability and have exchanged GR parameters, each of them can function as the GR helper of another device.

A GR helper considers that a GR restarter is rebooting when the number of consecutive lost hellos or erroneous hellos reaches the value configured by the hello lost command. When a GR restarter is rebooting, the GR helpers perform the following operations:

· Retain soft state information about the GR restarter.

· Continue sending hello packets periodically to the GR restarter until the restart timer expires.

If a GR helper receives a hello message from the GR restarter before the restart timer expires, the recovery timer is started and signaling packet exchange is triggered to restore the original soft state. Otherwise, all RSVP soft state information and forwarding entries relevant to the neighbor are removed. When the recovery timer expires, soft state information and forwarding entries that are not restored are removed.

Protocols and standards

· RFC 2205, Resource ReSerVation Protocol

· RFC 3209, RSVP-TE: Extensions to RSVP for LSP Tunnels

· RFC 2961, RSVP Refresh Overhead Reduction Extensions

Feature and hardware compatibility

Hardware	RSVP compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS	No
MSR2600-6-X1/2600-10-X1	Yes
MSR 2630	Yes
MSR3600-28/3600-51	Yes
MSR3600-28-SI/3600-51-SI	No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC	Yes
MSR 3610/3620/3620-DP/3640/3660	Yes
MSR5620/5660/5680	Yes

Hardware	RSVP compatibility
MSR810-LM-GL	No
MSR810-W-LM-GL	No
MSR830-6EI-GL	No
MSR830-10EI-GL	No
MSR830-6HI-GL	No
MSR830-10HI-GL	No
MSR2600-6-X1-GL	Yes
MSR3600-28-SI-GL	No

RSVP configuration task list

Tasks at a glance

(Required.) Enabling RSVP

(Optional.) Perform the following tasks on each node of an MPLS TE tunnel according to your network requirements:

· Configuring RSVP refresh

· Configuring RSVP Srefresh and reliable RSVP message delivery

· Configuring RSVP hello extension

· Configuring RSVP authentication

· Setting a DSCP value for outgoing RSVP packets

· Configuring RSVP GR

· Enabling BFD for RSVP

Enabling RSVP

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable global RSVP and enter RSVP view.	rsvp	By default, global RSVP is disabled.
3. Return to system view.	quit	N/A
4. Enter interface view.	interface interface-type interface-number	N/A
5. Enable RSVP on the interface.	rsvp enable	By default, RSVP is disabled on the interface.

Configuring RSVP refresh

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter RSVP view.	rsvp	N/A
3. Set the refresh interval for Path and Resv messages.	refresh interval interval	By default, the refresh interval is 30 seconds for both path and Resv messages.
4. Set the PSB and RSB timeout multiplier.	keep-multiplier number	By default, the PSB and RSB timeout multiplier is 3.

Configuring RSVP Srefresh and reliable RSVP message delivery

After Srefresh is enabled, RSVP maintains the path and reservation states by sending Srefresh messages rather than standard refresh messages.

To configure Srefresh and reliable RSVP message delivery:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Enable Srefresh and reliable RSVP message delivery.	rsvp reduction srefresh [ reliability ]	By default, Srefresh and reliable RSVP message delivery are disabled.
4. Set the retransmission increment value for reliable RSVP message delivery.	rsvp reduction retransmit increment increment-value	By default, the RSVP message retransmission increment is 1. This command takes effect after reliable RSVP message delivery is enabled by using the rsvp reduction srefresh reliability command.
5. Set the retransmission interval for reliable RSVP message delivery.	rsvp reduction retransmit interval interval	By default, the RSVP message retransmission interval is 500 milliseconds. This command takes effect after reliable RSVP message delivery is enabled by using the rsvp reduction srefresh reliability command.

Configuring RSVP hello extension

When RSVP hello extension is enabled on an interface, the device receives and sends hello messages through the interface to detect the neighbor's status.

If the device receives a hello request from the neighbor, the device replies with a hello ACK message. If the device receives no hello request from the neighbor within the interval specified by the hello interval command, the device sends hello requests to the neighbor.

When the number of consecutive lost hellos or erroneous hellos from the neighbor reaches the maximum (specified by the hello lost command), the device determines the neighbor is in fault. If GR is configured, the device acts as a GR helper to help the neighbor to restart. If FRR is configured, the device performs an FRR. For more information about FRR, see "Configuring MPLS TE."

To configure RSVP hello extension:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter RSVP view.	rsvp	N/A
3. Set the maximum number of consecutive lost or erroneous hellos.	hello lost times	By default, the maximum number is 4.
4. Set the interval for sending hello requests.	hello interval interval	By default, hello requests are sent every 5 seconds.
5. Return to system view.	quit	N/A
6. Enter interface view.	interface interface-type interface-number	N/A
7. Enable RSVP hello extension.	rsvp hello enable	By default, RSVP hello extension is disabled.

Configuring RSVP authentication

RSVP adopts hop-by-hop authentication to prevent fake resource reservation requests from occupying network resources. The interfaces at the two ends of a link must use the same authentication key.

RSVP authentication can be configured in the following views:

· RSVP view—Configuration applies to all RSVP security associations.

· RSVP neighbor view—Configuration applies only to RSVP security associations with the specified RSVP neighbor.

· Interface view—Configuration applies only to RSVP security associations established on the current interface.

Configurations in RSVP neighbor view, interface view, and RSVP view are in descending order of priority.

To configure RSVP authentication in RSVP neighbor view:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter RSVP view.	rsvp	N/A
3. Create an RSVP authentication neighbor and enter RSVP neighbor view.	peer ip-address	By default, no RSVP authentication neighbors exist.
4. Enable RSVP authentication for the RSVP neighbor and specify the authentication key.	authentication key { cipher \| plain } string	By default, RSVP authentication is disabled.
5. Enable challenge-response handshake for the RSVP neighbor.	authentication challenge	By default, the challenge-response handshake feature is disabled.
6. Set the idle timeout for the RSVP security associations with the RSVP neighbor.	authentication lifetime life-time	By default, the idle timeout is 1800 seconds (30 minutes).
7. Set the maximum number of out-of-sequence RSVP authentication messages that can be received from the RSVP neighbor.	authentication window-size number	By default, only one RSVP authenticated message can be received out of sequence.

To configure RSVP authentication in interface view:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Enable RSVP authentication on the interface and configure the authentication key.	rsvp authentication key { cipher \| plain } string	By default, RSVP authentication is disabled. Do not enable both RSVP authentication and FRR on the same interface.
4. Enable challenge-response handshake on the interface.	rsvp authentication challenge	By default, the challenge-response handshake feature is disabled.
5. Set the idle timeout for RSVP security associations on the interface.	rsvp authentication lifetime life-time	By default, the idle timeout is 1800 seconds (30 minutes).
6. Set the maximum number of out-of-sequence RSVP authentication messages that can be received on the interface.	rsvp authentication window-size number	By default, only one RSVP authenticated message can be received out of sequence.

To configure RSVP authentication in RSVP view:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter RSVP view.	rsvp	N/A
3. Enable RSVP authentication globally and configure the authentication key.	authentication key { cipher \| plain } string	By default, RSVP authentication is disabled.
4. Enable challenge-response handshake globally.	authentication challenge	By default, the challenge-response handshake feature is disabled.
5. Set the global idle timeout for RSVP security associations.	authentication lifetime life-time	By default, the idle timeout is 1800 seconds (30 minutes).
6. Set the global RSVP authentication window size (the maximum number of RSVP authenticated messages that can be received out of sequence).	authentication window-size number	By default, only one RSVP authenticated message can be received out of sequence.

Setting a DSCP value for outgoing RSVP packets

The DSCP value of an IP packet specifies the priority level of the packet and affects the transmission priority of the packet.

To set a DSCP value for outgoing RSVP packets:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter RSVP view.	rsvp	N/A
3. Set a DSCP value for outgoing RSVP packets.	dscp dscp-value	By default, the DSCP value is 48.

Configuring RSVP GR

RSVP GR depends on the RSVP hello extension feature. When configuring RSVP GR, you must enable RSVP hello extension.

Perform this task on GR-capable devices.

To configure RSVP GR:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter RSVP view.	rsvp	N/A
3. Enable GR for RSVP.	graceful-restart enable	By default, RSVP GR is disabled.
4. Return to system view.	quit	N/A
5. Enter interface view.	interface interface-type interface-number	N/A
6. Enable RSVP hello extension.	rsvp hello enable	By default, RSVP hello extension is disabled.

Enabling BFD for RSVP

If a link fails, MPLS TE tunnels over the link fail to forward packets. MPLS TE cannot quickly detect a link failure. To address this issue, you can enable BFD for RSVP so MPLS TE can quickly switch data from the primary path to the backup path upon a link failure.

To enable BFD for RSVP:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	You must enable RSVP on the interface.
3. Enable BFD for the RSVP neighbor on the interface.	rsvp bfd enable	By default, RSVP BFD is disabled.

Displaying and maintaining RSVP

Execute display commands in any view and reset commands in user view.

Task	Command
Display RSVP information.	display rsvp [ interface [ interface-type interface-number ] ]
Display information about the security associations established with RSVP neighbors.	display rsvp authentication [ from ip-address ] [ to ip-address ] [ verbose ]
Display information about CRLSPs established through RSVP.	display rsvp lsp [ destination ip-address ] [ source ip-address ] [ tunnel-id tunnel-id ] [ lsp-id lsp-id ] [ verbose ]
Display information about RSVP neighbors.	display rsvp peer [ interface interface-type interface-number ] [ ip ip-address ] [ verbose ]
Display information about RSVP resource reservation requests sent to upstream devices.	display rsvp request [ destination ip-address ] [ source ip-address ] [ tunnel-id tunnel-id ] [ prevhop ip-address ] [ verbose ]
Display information about RSVP resource reservation states.	display rsvp reservation [ destination ip-address ] [ source ip-address ] [ tunnel-id tunnel-id ] [ nexthop ip-address ] [ verbose ]
Display information about RSVP path states.	display rsvp sender [ destination ip-address ] [ source ip-address ] [ tunnel-id tunnel-id ] [ lsp-id lsp-id ] [ verbose ]
Display RSVP statistics.	display rsvp statistics [ interface [ interface-type interface-number ] ]
Clear RSVP security associations.	reset rsvp authentication [ from ip-address to ip-address ]
Clear RSVP statistics.	reset rsvp statistics [ interface [ interface-type interface-number ]

RSVP configuration examples

Establishing an MPLS TE tunnel with RSVP-TE

Network requirements

Router A, Router B, Router C, and Router D run IS-IS and all of them are Layer 2 routers.

Use RSVP-TE to establish an MPLS TE tunnel from Router A to Router D to transmit data between the two IP networks. The MPLS TE tunnel requires a bandwidth of 2000 kbps.

The maximum bandwidth of the link that the tunnel traverses is 10000 kbps and the maximum reservable bandwidth of the link is 5000 kbps.

Figure 45 Network diagram

Table 11 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
Router A	Loop0	1.1.1.9/32	Router C	Loop0	3.3.3.9/32
	GE2/0/1	10.1.1.1/24		GE2/0/1	30.1.1.1/24
	GE2/0/2	100.1.1.1/24		POS2/2/0	20.1.1.2/24
Router B	Loop0	2.2.2.9/32	Router D	Loop0	4.4.4.9/32
	GE2/0/1	10.1.1.2/24		GE2/0/1	30.1.1.2/24
	POS2/2/0	20.1.1.1/24		GE2/0/2	100.1.2.1/24

Configuration procedure

1. Configure IP addresses and masks for interfaces. (Details not shown.)

2. Configure IS-IS to advertise interface addresses, including the loopback interface address:

# Configure Router A.

<RouterA> system-view

[RouterA] isis 1

[RouterA-isis-1] network-entity 00.0005.0000.0000.0001.00

[RouterA-isis-1] quit

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] isis enable 1

[RouterA-GigabitEthernet2/0/1] isis circuit-level level-2

[RouterA-GigabitEthernet2/0/1] quit

[RouterA] interface loopback 0

[RouterA-LoopBack0] isis enable 1

[RouterA-LoopBack0] isis circuit-level level-2

[RouterA-LoopBack0] quit

# Configure Router B.

<RouterB> system-view

[RouterB] isis 1

[RouterB-isis-1] network-entity 00.0005.0000.0000.0002.00

[RouterB-isis-1] quit

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] isis enable 1

[RouterB-GigabitEthernet2/0/1] isis circuit-level level-2

[RouterB-GigabitEthernet2/0/1] quit

[RouterB] interface pos 2/2/0

[RouterB-POS2/2/0] isis enable 1

[RouterB-POS2/2/0] isis circuit-level level-2

[RouterB-POS2/2/0] quit

[RouterB] interface loopback 0

[RouterB-LoopBack0] isis enable 1

[RouterB-LoopBack0] isis circuit-level level-2

[RouterB-LoopBack0] quit

# Configure Router C.

<RouterC> system-view

[RouterC] isis 1

[RouterC-isis-1] network-entity 00.0005.0000.0000.0003.00

[RouterC-isis-1] quit

[RouterC] interface gigabitethernet 2/0/1

[RouterC-GigabitEthernet2/0/1] isis enable 1

[RouterC-GigabitEthernet2/0/1] isis circuit-level level-2

[RouterC-GigabitEthernet2/0/1] quit

[RouterC] interface pos 2/2/0

[RouterC-POS2/2/0] isis enable 1

[RouterC-POS2/2/0] isis circuit-level level-2

[RouterC-POS2/2/0] quit

[RouterC] interface loopback 0

[RouterC-LoopBack0] isis enable 1

[RouterC-LoopBack0] isis circuit-level level-2

[RouterC-LoopBack0] quit

# Configure Router D.

<RouterD> system-view

[RouterD] isis 1

[RouterD-isis-1] network-entity 00.0005.0000.0000.0004.00

[RouterD-isis-1] quit

[RouterD] interface gigabitethernet 2/0/1

[RouterD-GigabitEthernet2/0/1] isis enable 1

[RouterD-GigabitEthernet2/0/1] isis circuit-level level-2

[RouterD-GigabitEthernet2/0/1] quit

[RouterD] interface loopback 0

[RouterD-LoopBack0] isis enable 1

[RouterD-LoopBack0] isis circuit-level level-2

[RouterD-LoopBack0] quit

# Execute the display ip routing-table command on each router to verify that the routers have learned the routes to one another, including the routes to the loopback interfaces. (Details not shown.)

3. Configure an LSR ID, and enable MPLS, MPLS TE, and RSVP:

# Configure Router A.

[RouterA] mpls lsr-id 1.1.1.9

[RouterA] mpls te

[RouterA-te] quit

[RouterA] rsvp

[RouterA-rsvp] quit

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] mpls enable

[RouterA-GigabitEthernet2/0/1] mpls te enable

[RouterA-GigabitEthernet2/0/1] rsvp enable

[RouterA-GigabitEthernet2/0/1] quit

# Configure Router B.

[RouterB] mpls lsr-id 2.2.2.9

[RouterB] mpls te

[RouterB-te] quit

[RouterB] rsvp

[RouterB-rsvp] quit

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] mpls enable

[RouterB-GigabitEthernet2/0/1] mpls te enable

[RouterB-GigabitEthernet2/0/1] rsvp enable

[RouterB-GigabitEthernet2/0/1] quit

[RouterB] interface pos 2/2/0

[RouterB-POS2/2/0] mpls enable

[RouterB-POS2/2/0] mpls te enable

[RouterB-POS2/2/0] rsvp enable

[RouterB-POS2/2/0] quit

# Configure Router C.

[RouterC] mpls lsr-id 3.3.3.9

[RouterC] mpls te

[RouterC-te] quit

[RouterC] rsvp

[RouterC-rsvp] quit

[RouterC] interface gigabitethernet 2/0/1

[RouterC-GigabitEthernet2/0/1] mpls enable

[RouterC-GigabitEthernet2/0/1] mpls te enable

[RouterC-GigabitEthernet2/0/1] rsvp enable

[RouterC-GigabitEthernet2/0/1] quit

[RouterC] interface pos 2/2/0

[RouterC-POS2/2/0] mpls enable

[RouterC-POS2/2/0] mpls te enable

[RouterC-POS2/2/0] rsvp enable

[RouterC-POS2/2/0] quit

# Configure Router D.

[RouterD] mpls lsr-id 4.4.4.9

[RouterD] mpls te

[RouterD-te] quit

[RouterD] rsvp

[RouterD-rsvp] quit

[RouterD] interface gigabitethernet 2/0/1

[RouterD-GigabitEthernet2/0/1] mpls enable

[RouterD-GigabitEthernet2/0/1] mpls te enable

[RouterD-GigabitEthernet2/0/1] rsvp enable

[RouterD-GigabitEthernet2/0/1] quit

4. Configure IS-IS TE:

# Configure Router A.

[RouterA] isis 1

[RouterA-isis-1] cost-style wide

[RouterA-isis-1] mpls te enable level-2

[RouterA-isis-1] quit

# Configure Router B.

[RouterB] isis 1

[RouterB-isis-1] cost-style wide

[RouterB-isis-1] mpls te enable level-2

[RouterB-isis-1] quit

# Configure Router C.

[RouterC] isis 1

[RouterC-isis-1] cost-style wide

[RouterC-isis-1] mpls te enable level-2

[RouterC-isis-1] quit

# Configure Router D.

[RouterD] isis 1

[RouterD-isis-1] cost-style wide

[RouterD-isis-1] mpls te enable level-2

[RouterD-isis-1] quit

5. Configure MPLS TE attributes of links:

# Set the maximum link bandwidth and maximum reservable bandwidth on Router A.

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] mpls te max-link-bandwidth 10000

[RouterA-GigabitEthernet2/0/1] mpls te max-reservable-bandwidth 5000

[RouterA-GigabitEthernet2/0/1] quit

# Set the maximum link bandwidth and maximum reservable bandwidth on Router B.

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] mpls te max-link-bandwidth 10000

[RouterB-GigabitEthernet2/0/1] mpls te max-reservable-bandwidth 5000

[RouterB-GigabitEthernet2/0/1] quit

[RouterB] interface pos 2/2/0

[RouterB-POS2/2/0] mpls te max-link-bandwidth 10000

[RouterB-POS2/2/0] mpls te max-reservable-bandwidth 5000

[RouterB-POS2/2/0] quit

# Set the maximum link bandwidth and maximum reservable bandwidth on Router C.

[RouterC] interface gigabitethernet 2/0/1

[RouterC-GigabitEthernet2/0/1] mpls te max-link-bandwidth 10000

[RouterC-GigabitEthernet2/0/1] mpls te max-reservable-bandwidth 5000

[RouterC-GigabitEthernet2/0/1] quit

[RouterC] interface pos 2/2/0

[RouterC-POS2/2/0] mpls te max-link-bandwidth 10000

[RouterC-POS2/2/0] mpls te max-reservable-bandwidth 5000

[RouterC-POS2/2/0] quit

# Set the maximum link bandwidth and maximum reservable bandwidth on Router D.

[RouterD] interface gigabitethernet 2/0/1

[RouterD-GigabitEthernet2/0/1] mpls te max-link-bandwidth 10000

[RouterD-GigabitEthernet2/0/1] mpls te max-reservable-bandwidth 5000

[RouterD-GigabitEthernet2/0/1] quit

6. Configure an MPLS TE tunnel on Router A:

# Configure MPLS TE tunnel interface Tunnel 1.

[RouterA] interface tunnel 1 mode mpls-te

[RouterA-Tunnel1] ip address 7.1.1.1 255.255.255.0

# Specify the tunnel destination address as the LSR ID of Router D.

[RouterA-Tunnel1] destination 4.4.4.9

# Configure MPLS TE to use RSVP-TE to establish the tunnel.

[RouterA-Tunnel1] mpls te signaling rsvp-te

# Assign 2000 kbps bandwidth to the tunnel.

[RouterA-Tunnel1] mpls te bandwidth 2000

[RouterA-Tunnel1] quit

7. Configure a static route on Router A to direct the traffic destined for subnet 100.1.2.0/24 to MPLS TE tunnel 1.

[RouterA] ip route-static 100.1.2.0 24 tunnel 1 preference 1

Verifying the configuration

# Verify that the tunnel interface is up on Router A.

[RouterA] display interface tunnel

Tunnel1

Current state: UP

Line protocol state: UP

Description: Tunnel1 Interface

Bandwidth: 64kbps

Maximum transmission unit: 64000

Internet address: 7.1.1.1/24 (primary)

Tunnel source unknown, destination 4.4.4.9

Tunnel TTL 255

Tunnel protocol/transport CR_LSP

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

# Display detailed information about the MPLS TE tunnel on Router A.

[RouterA] display mpls te tunnel-interface

Tunnel Name : Tunnel 1

Tunnel State : Up (Main CRLSP up, Shared-resource CRLSP down)

Tunnel Attributes :

LSP ID : 23331 Tunnel ID : 1

Admin State : Normal

Ingress LSR ID : 1.1.1.9 Egress LSR ID : 4.4.4.9

Signaling : RSVP-TE Static CRLSP Name : -

Static SRLSP Name : -/-

Resv Style : SE

Tunnel mode : -

Reverse-LSP name : -

Reverse-LSP LSR ID : - Reverse-LSP Tunnel ID: -

Class Type : CT0 Tunnel Bandwidth : 2000 kbps

Reserved Bandwidth : 2000 kbps

Setup Priority : 7 Holding Priority : 7

Affinity Attr/Mask : 0/0

Explicit Path : -

Backup Explicit Path : -

Metric Type : TE

Record Route : - Record Label : -

FRR Flag : - Bandwidth Protection : -

Backup Bandwidth Flag: - Backup Bandwidth Type: -

Backup Bandwidth : -

Bypass Tunnel : - Auto Created : -

Route Pinning : -

Retry Limit : 3 Retry Interval : 2 sec

Reoptimization : - Reoptimization Freq : -

Backup Type : - Backup LSP ID : -

Auto Bandwidth : - Auto Bandwidth Freq : -

Min Bandwidth : - Max Bandwidth : -

Collected Bandwidth : - Service-Class : -

# Execute the display ip routing-table command on Router A to verify that a static route entry with interface Tunnel 1 as the output interface exists. (Details not shown.)

RSVP GR configuration example

Network requirements

Router A, Router B, and Router C run IS-IS, and all of them are Layer 2 devices.

Use RSVP-TE to establish a TE tunnel from Router A to Router C.

Configure RSVP GR on the routers to ensure continuous forwarding when a router reboots.

Figure 46 Network diagram

Configuration procedure

1. Configure IP addresses and masks for interfaces. (Details not shown.)

2. Configure IS-IS to advertise interface addresses, including the loopback interface address. (Details not shown.)

3. Configure an LSR ID, enable MPLS, MPLS TE, RSVP, and RSVP hello extension:

# Configure Router A.

<RouterA> system-view

[RouterA] mpls lsr-id 1.1.1.9

[RouterA] mpls te

[RouterA-te] quit

[RouterA] rsvp

[RouterA-rsvp] quit

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] mpls enable

[RouterA-GigabitEthernet2/0/1] mpls te enable

[RouterA-GigabitEthernet2/0/1] rsvp enable

[RouterA-GigabitEthernet2/0/1] rsvp hello enable

[RouterA-GigabitEthernet2/0/1] quit

# Configure Router B.

<RouterB> system-view

[RouterB] mpls lsr-id 2.2.2.9

[RouterB] mpls te

[RouterB-te] quit

[RouterB] rsvp

[RouterB] quit

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] mpls enable

[RouterB-GigabitEthernet2/0/1] mpls te enable

[RouterB-GigabitEthernet2/0/1] rsvp enable

[RouterB-GigabitEthernet2/0/1] rsvp hello enable

[RouterB-GigabitEthernet2/0/1] quit

[RouterB] interface gigabitethernet 2/0/2

[RouterB-GigabitEthernet2/0/2] mpls enable

[RouterB-GigabitEthernet2/0/2] mpls te enable

[RouterB-GigabitEthernet2/0/2] rsvp enable

[RouterB-GigabitEthernet2/0/2] rsvp hello enable

[RouterB-GigabitEthernet2/0/2] quit

# Configure Router C.

<RouterC> system-view

[RouterC] mpls lsr-id 3.3.3.9

[RouterC] mpls te

[RouterC-te] quit

[RouterC] rsvp

[RouterC-rsvp] rsvp

[RouterC-mpls] interface gigabitethernet 2/0/1

[RouterC-GigabitEthernet2/0/1] mpls enable

[RouterC-GigabitEthernet2/0/1] mpls te enable

[RouterC-GigabitEthernet2/0/1] rsvp enable

[RouterC-GigabitEthernet2/0/1] rsvp hello enable

[RouterC-GigabitEthernet2/0/1] quit

4. Configure IS-IS TE. (Details not shown.)

5. Configure an MPLS TE tunnel. (Details not shown.)

6. Configure RSVP GR:

# Configure Router A.

[RouterA] rsvp

[RouterA-rsvp] graceful-restart enable

# Configure Router B.

[RouterB] rsvp

[RouterB-rsvp] graceful-restart enable

# Configure Router C.

[RouterC] rsvp

[RouterC-rsvp] graceful-restart enable

Verifying the configuration

After a tunnel is established from Router A to Router C, display detailed RSVP neighbor information on Router A.

<RouterA> display rsvp peer verbose

Peer: 10.1.1.2 Interface: GE2/0/1

Hello state: Up Hello type: Active

PSB count: 0 RSB count: 1

Src instance: 0x1f08 Dst instance: 0x22

Summary refresh: Disabled Graceful Restart state: Ready

Peer GR restart time: 120000 ms Peer GR recovery time: 0 ms

The output shows that the neighbor's GR state is Ready.

Configuring tunnel policies

Overview

Tunnel policies enable a PE to forward traffic for each MPLS VPN over a preferred tunnel or over multiple tunnels. The tunnels supported by MPLS VPN include MPLS LSPs, MPLS TE tunnels, and GRE tunnels.

To enhance availability, you can associate multiple MPLS TE tunnels to a tunnel bundle, and specify the tunnel bundle as a preferred tunnel.

For more information about MPLS TE, see "Configuring MPLS TE." For more information about GRE, see Layer 3—IP Services Configuration Guide. For more information about MPLS VPNs, see "Configuring MPLS L3VPN," "Configuring MPLS L2VPN," and "Configuring VPLS." For more information about tunnel bundles, see "Configuring MPLS TE," and "Configuring MPLS protection switching."

Feature and hardware compatibility

Hardware	Tunnel policy compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS	No
MSR2600-6-X1/2600-10-X1	Yes
MSR 2630	Yes
MSR3600-28/3600-51	Yes
MSR3600-28-SI/3600-51-SI	No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC	Yes
MSR 3610/3620/3620-DP/3640/3660	Yes
MSR5620/5660/5680	Yes

Hardware	Tunnel policy compatibility
MSR810-LM-GL	No
MSR810-W-LM-GL	No
MSR830-6EI-GL	No
MSR830-10EI-GL	No
MSR830-6HI-GL	No
MSR830-10HI-GL	No
MSR2600-6-X1-GL	Yes
MSR3600-28-SI-GL	No

Configuring a tunnel policy

Configuration guidelines

When you configure a tunnel policy, follow these guidelines:

· To select a preferred tunnel, create a tunnel policy and configure the preferred tunnel with the preferred-path command. The destination address of the preferred tunnel identifies a peer PE so the PE will forward traffic destined for that peer PE over the preferred tunnel.

? If you configure multiple preferred tunnels that have the same destination address in a tunnel policy, only the first configured tunnel takes effect.

? If the first tunnel is not available, the second tunnel is used, and so forth. No load balancing will be performed on these tunnels.

This method explicitly specifies an MPLS TE tunnel, GRE tunnel, or tunnel bundle for an MPLS VPN, facilitating traffic planning. As a best practice, use this method.

· To select multiple tunnels for load sharing, create a tunnel policy and specify the tunnel selection order and the number of tunnels by using the select-seq load-balance-number command. A tunnel type closer to the select-seq keyword has a higher priority. For example, the select-seq lsp gre load-balance-number 3 command gives LSP higher priority over GRE. If no LSP is available or the number of LSPs is less than 3, VPN uses GRE tunnels. The tunnels selected by this method are not fixed, complicating traffic planning. As a best practice, do not use this method.

If you configure both methods for a tunnel policy, the tunnel policy selects tunnels in the following steps:

1. If the destination address of a preferred tunnel identifies a peer PE, the tunnel policy uses the preferred tunnel to forward traffic destined for the peer PE.

2. If not, the tunnel policy selects tunnels as configured by the select-seq load-balance-number command.

As shown in Figure 47, PE 1 and PE 2 have multiple tunnels in between and they are connected to multiple MPLS VPNs. You can control the paths for VPN traffic by using one of the following methods:

· Configure multiple tunnel policies, and specify a preferred tunnel for each policy by using the preferred-path command. Apply these policies to different MPLS VPNs to forward the traffic of each VPN over a specific tunnel.

· Configure one tunnel policy, and use the select-seq load-balance-number command to specify the tunnel selection order and the number of tunnels for load balancing. Apply the tunnel policy to MPLS VPNs to forward the traffic of every VPN over multiple tunnels.

The second method distributes traffic of a single VPN to multiple tunnels. The transmission delays on different tunnels can vary by a large amount. Therefore, the destination device or the upper layer application might take a great time to sequence the packets. As a best practice, do not use the second method.

Figure 47 MPLS VPN tunnel selection diagram

Configuration procedure

To configure a tunnel policy:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a tunnel policy, and enter tunnel policy view.	tunnel-policy tunnel-policy-name	By default, no tunnel policies exist.
3. Configure tunnel selection methods.	· (Method 1) Configure a tunnel or a tunnel bundle as a preferred tunnel: preferred-path { tunnel number \| tunnel-bundle number } · (Method 2) Configure the tunnel selection order and the number of tunnels for load balancing: select-seq { cr-lsp \| gre \| lsp } * load-balance-number number	Configure one or both methods. By default, no preferred tunnels are configured. By default, only one tunnel is selected in LSP—GRE—CRLSP order.

NOTE:

For a VPN to exclusively use a tunnel, you can specify the tunnel as the preferred tunnel in a tunnel policy, and apply the policy only to that VPN.

Displaying tunnel information

Execute display commands in any view.

Task	Command
Display tunnel information.	display mpls tunnel { all \| statistics \| [ vpn-instance vpn-instance-name ] destination { ipv4-address \| ipv6-address } }

Tunnel policy configuration examples

Preferred tunnel configuration example

Network requirements

PE 1 has multiple tunnels to reach PE 2: one MPLS TE tunnel on interface Tunnel 1, one GRE tunnel on interface Tunnel 2, and one LDP LSP tunnel.

Two MPLS VPN instances, vpna and vpnb, exist on PE 1. Configure PE 1 to use the MPLS TE tunnel to forward traffic for both VPNs.

Configuration procedure

1. Create a tunnel policy named preferredte1, and configure tunnel 1 as the preferred tunnel.

<PE1> system-view

[PE1] tunnel-policy preferredte1

[PE1-tunnel-policy-preferredte1] preferred-path tunnel 1

[PE1-tunnel-policy-preferredte1] quit

2. Configure MPLS VPN instances and apply the tunnel policy to the VPN instances:

# Create MPLS VPN instance vpna, and apply tunnel policy preferredte1 to it.

[PE1] ip vpn-instance vpna

[PE1-vpn-instance-vpna] route-distinguisher 100:1

[PE1-vpn-instance-vpna] vpn-target 100:1

[PE1-vpn-instance-vpna] tnl-policy preferredte1

[PE1-vpn-instance-vpna] quit

# Create MPLS VPN instance vpnb, and apply tunnel policy preferredte1 to it.

[PE1] ip vpn-instance vpnb

[PE1-vpn-instance-vpnb] route-distinguisher 100:2

[PE1-vpn-instance-vpnb] vpn-target 100:2

[PE1-vpn-instance-vpnb] tnl-policy preferredte1

Exclusive tunnel configuration example

Network requirements

PE 1 has multiple tunnels to reach PE 2: one MPLS TE tunnel on interface Tunnel 1, one GRE tunnel on interface Tunnel 2, and one LDP LSP tunnel.

Two MPLS VPNs, vpna and vpnb, exist on PE 1. The VPN vpna exclusively uses the MPLS TE tunnel, and the VPN vpnb exclusively uses the GRE tunnel.

Configuration procedure

1. Configure tunnel policies on PE 1:

# Create tunnel policy preferredte1, and configure tunnel 1 as the preferred tunnel.

<PE1> system-view

[PE1] tunnel-policy preferredte1

[PE1-tunnel-policy-preferredte1] preferred-path tunnel 1

[PE1-tunnel-policy-preferredte1] quit

# Create tunnel policy preferredgre2, and configure tunnel 2 as the preferred tunnel.

[PE1] tunnel-policy preferredgre2

[PE1-tunnel-policy-preferredgre2] preferred-path tunnel 2

[PE1-tunnel-policy-preferredgre2] quit

2. Configure MPLS VPN instances and apply tunnel policies to the VPN instances:

# Create MPLS VPN instance vpna, and apply tunnel policy preferredte1 to it.

[PE1] ip vpn-instance vpna

[PE1-vpn-instance-vpna] route-distinguisher 100:1

[PE1-vpn-instance-vpna] vpn-target 100:1

[PE1-vpn-instance-vpna] tnl-policy preferredte1

[PE1-vpn-instance-vpna] quit

# Create MPLS VPN instance vpnb, and apply tunnel policy preferredgre2 to it.

[PE1] ip vpn-instance vpnb

[PE1-vpn-instance-vpnb] route-distinguisher 100:2

[PE1-vpn-instance-vpnb] vpn-target 100:2

[PE1-vpn-instance-vpnb] tnl-policy preferredgre2

Tunnel selection order configuration example

Network requirements

PE 1 has multiple tunnels to reach PE 2: one MPLS TE tunnel on interface Tunnel 1, one GRE tunnel on interface Tunnel 2, and one LDP LSP tunnel.

Only one MPLS VPN, vpna, exists on PE 1. Select only one tunnel in LDP LSP-MPLS TE-GRE order for this VPN.

Configuration procedure

# Create tunnel policy seq-lsp-te-gre.

<PE1> system-view

[PE1] tunnel-policy seq-lsp-te-gre

# Specify the tunnel selection order, and set the number of tunnels for load balancing to 1—no load balancing.

[PE1-tunnel-policy-seq-lsp-te-gre] select-seq lsp cr-lsp gre load-balance-number 1

[PE1-tunnel-policy-seq-lsp-te-gre] quit

# Create MPLS VPN instance vpna, and apply tunnel policy seq-lsp-te-gre to it.

[PE1] ip vpn-instance vpna

[PE1-vpn-instance-vpna] route-distinguisher 100:1

[PE1-vpn-instance-vpna] vpn-target 100:1

[PE1-vpn-instance-vpna] tnl-policy seq-lsp-te-gre

Preferred tunnel and tunnel selection order configuration example

Network requirements

PE 1 has multiple tunnels to reach PE 2: two MPLS TE tunnels on interfaces Tunnel 1 and Tunnel 3, one GRE tunnel on interface Tunnel 2, and one LDP LSP tunnel.

PE 1 has multiple MPLS VPN instances: vpna, vpnb, vpnc, vpnd, vpne, vpnf, and vpng. Table 12 shows the tunnel policy that PE 1 uses for each VPN instance.

Table 12 Tunnel policies used for VPN instances

VPN instance	Tunnel policy
vpna, vpnb	Use MPLS TE tunnel Tunnel1 as the preferred tunnel.
vpnc, vpnd	Use MPLS TE tunnel Tunnel3 as the preferred tunnel.
vpne, vpnf	Use GRE tunnel Tunnel2 as the preferred tunnel.
vpng	Uses one tunnel selected in LDP LSP-GRE-MPLS TE order.

Configuration procedure

1. Configure tunnel policies on PE 1:

# Create tunnel policy preferredte1, and configure tunnel 1 as the preferred tunnel.

<PE1> system-view

[PE1] tunnel-policy preferredte1

[PE1-tunnel-policy-preferredte1] preferred-path tunnel 1

[PE1-tunnel-policy-preferredte1] quit

# Create tunnel policy preferredte3, and configure tunnel 3 as the preferred tunnel.

[PE1] tunnel-policy preferredte3

[PE1-tunnel-policy-preferredte3] preferred-path tunnel 3

[PE1-tunnel-policy-preferredte3] quit

# Create tunnel policy preferredgre2, and configure tunnel 2 as the preferred tunnel.

[PE1] tunnel-policy preferredgre2

[PE1-tunnel-policy-preferredgre2] preferred-path tunnel 2

[PE1-tunnel-policy-preferredgre2] quit

# Create tunnel policy select-lsp.

[PE1] tunnel-policy select-lsp

# Configure the policy to select only one tunnel in LDP LSP-GRE-MPLS TE order.

[PE1-tunnel-policy-select-lsp] select-seq lsp gre cr-lsp load-balance-number 1

[PE1-tunnel-policy-select-lsp] quit

2. Configure MPLS VPN instances and apply tunnel policies to the VPN instances:

# Create MPLS VPN instances vpna and vpnb, and apply tunnel policy preferredte1 to them.

[PE1] ip vpn-instance vpna

[PE1-vpn-instance-vpna] route-distinguisher 100:1

[PE1-vpn-instance-vpna] vpn-target 100:1

[PE1-vpn-instance-vpna] tnl-policy preferredte1

[PE1-vpn-instance-vpna] quit

[PE1] ip vpn-instance vpnb

[PE1-vpn-instance-vpnb] route-distinguisher 100:2

[PE1-vpn-instance-vpnb] vpn-target 100:2

[PE1-vpn-instance-vpnb] tnl-policy preferredte1

[PE1-vpn-instance-vpnb] quit

# Create MPLS VPN instances vpnc and vpnd, and apply tunnel policy preferredte3 to them.

[PE1] ip vpn-instance vpnc

[PE1-vpn-instance-vpnc] route-distinguisher 100:3

[PE1-vpn-instance-vpnc] vpn-target 100:3

[PE1-vpn-instance-vpnc] tnl-policy preferredte3

[PE1-vpn-instance-vpnc] quit

[PE1] ip vpn-instance vpnd

[PE1-vpn-instance-vpnd] route-distinguisher 100:4

[PE1-vpn-instance-vpnd] vpn-target 100:4

[PE1-vpn-instance-vpnd] tnl-policy preferredte3

[PE1-vpn-instance-vpnd] quit

# Create MPLS VPN instances vpne and vpnf, and apply tunnel policy preferredgre2 to them.

[PE1] ip vpn-instance vpne

[PE1-vpn-instance-vpne] route-distinguisher 100:5

[PE1-vpn-instance-vpne] vpn-target 100:5

[PE1-vpn-instance-vpne] tnl-policy preferredgre2

[PE1-vpn-instance-vpne] quit

[PE1] ip vpn-instance vpnf

[PE1-vpn-instance-vpnf] route-distinguisher 100:6

[PE1-vpn-instance-vpnf] vpn-target 100:6

[PE1-vpn-instance-vpnf] tnl-policy preferredgre2

[PE1-vpn-instance-vpnf] quit

# Create MPLS VPN instance vpng, and apply tunnel policy select-lsp to it.

[PE1] ip vpn-instance vpng

[PE1-vpn-instance-vpng] route-distinguisher 100:7

[PE1-vpn-instance-vpng] vpn-target 100:7

[PE1-vpn-instance-vpng] tnl-policy select-lsp

Configuring MPLS L3VPN

Overview

MPLS L3VPN is a L3VPN technology used to interconnect geographically dispersed VPN sites. MPLS L3VPN uses BGP to advertise VPN routes and uses MPLS to forward VPN packets over a service provider backbone.

MPLS L3VPN provides flexible networking modes, excellent scalability, and convenient support for MPLS QoS and MPLS TE.

Basic MPLS L3VPN architecture

Figure 48 Basic MPLS L3VPN architecture

A basic MPLS L3VPN architecture has the following types of devices:

· Customer edge device—A CE device resides on a customer network and has one or more interfaces directly connected to a service provider network. It does not support MPLS.

· Provider edge device—A PE device resides at the edge of a service provider network and is connected to one or more CEs. All MPLS VPN services are processed on PEs.

· Provider device—A P device is a core device on a service provider network. It is not directly connected to any CEs. A P device has only basic MPLS forwarding capability and does not handle VPN routing information.

MPLS L3VPN concepts

Site

A site has the following features:

· A site is a group of IP systems with IP connectivity that does not rely on any service provider networks.

· The classification of a site depends on the topology relationship of the devices, rather than the geographical positions. However, the devices at a site are, in most cases, adjacent to each other geographically.

· The devices at a site can belong to multiple VPNs, which means that a site can belong to multiple VPNs.

· A site is connected to a provider network through one or more CEs. A site can contain multiple CEs, but a CE can belong to only one site.

Sites connected to the same provider network can be classified into different sets by policies. Only the sites in the same set can access each other through the provider network. Such a set is called a VPN.

VPN instance

VPN instances implement route isolation, data independence, and data security for VPNs.

A VPN instance has the following components:

· A separate Label Forwarding Information Base (LFIB).

· An IP routing table.

· Interfaces bound to the VPN instance.

· VPN instance administration information, including route distinguishers (RDs), route targets (RTs), and route filtering policies.

To associate a site with a VPN instance, bind the VPN instance to the PE's interface connected to the site. A site can be associated with only one VPN instance, and different sites can be associated with the same VPN instance. A VPN instance contains the VPN membership and routing rules of associated sites.

VPN-IPv4 address

Each VPN independently manages its address space. The address spaces of VPNs might overlap. For example, if both VPN 1 and VPN 2 use the addresses on subnet 10.110.10.0/24, address space overlapping occurs.

BGP cannot process overlapping VPN address spaces. For example, if both VPN 1 and VPN 2 use the subnet 10.110.10.0/24 and each advertise a route destined for the subnet, BGP selects only one of them. This results in the loss of the other route.

Multiprotocol BGP (MP-BGP) can solve this problem by advertising VPN-IPv4 addresses (also called VPNv4 addresses).

Figure 49 VPN-IPv4 address structure

As shown in Figure 49, a VPN-IPv4 address consists of 12 bytes. The first eight bytes represent the RD, followed by a four-byte IPv4 prefix. The RD and the IPv4 prefix form a unique VPN-IPv4 prefix.

An RD can be in one of the following formats:

· When the Type field is 0, the Administrator subfield occupies two bytes, the Assigned number subfield occupies four bytes, and the RD format is 16-bit AS number:32-bit user-defined number. For example, 100:1.

· When the Type field is 1, the Administrator subfield occupies four bytes, the Assigned number subfield occupies two bytes, and the RD format is 32-bit IPv4 address:16-bit user-defined number. For example, 172.1.1.1:1.

· When the Type field is 2, the Administrator subfield occupies four bytes, the Assigned number subfield occupies two bytes, and the RD format is 32-bit AS number:16-bit user-defined number, where the minimum value of the AS number is 65536. For example, 65536:1.

To guarantee global uniqueness for a VPN-IPv4 address, do not set the Administrator subfield to any private AS number or private IP address.

Route target attribute

MPLS L3VPN uses route target community attributes to control the advertisement of VPN routing information. A VPN instance on a PE supports the following types of route target attributes:

· Export target attribute—A PE sets the export target attribute for VPN-IPv4 routes learned from directly connected sites before advertising them to other PEs.

· Import target attribute—A PE checks the export target attribute of VPN-IPv4 routes received from other PEs. If the export target attribute matches the import target attribute of a VPN instance, the PE adds the routes to the routing table of the VPN instance.

Route target attributes define which sites can receive VPN-IPv4 routes, and from which sites a PE can receive routes.

Like RDs, route target attributes can be one of the following formats:

· 16-bit AS number:32-bit user-defined number. For example, 100:1.

· 32-bit IPv4 address:16-bit user-defined number. For example, 172.1.1.1:1.

· 32-bit AS number:16-bit user-defined number, where the minimum value of the AS number is 65536. For example, 65536:1.

MP-BGP

MP-BGP supports multiple address families, including IPv4 multicast, IPv6 unicast, IPv6 multicast, and VPN-IPv4 address families.

In MPLS L3VPN, MP-BGP advertises VPN-IPv4 routes for VPN sites between PEs.

MPLS L3VPN route advertisement

In a basic MPLS L3VPN, CEs and PEs are responsible for advertising VPN routing information. P routers maintain only the routes within the backbone. A PE maintains only routing information for directly connected VPNs, rather than for all VPNs.

VPN routing information is advertised from the local CE to the remote CE by using the following process:

1. From the local CE to the ingress PE:

The CE advertises standard IPv4 routing information to the ingress PE over a static route, RIP route, OSPF route, IS-IS route, EBGP route, or IBGP route.

2. From the ingress PE to the egress PE:

The ingress PE performs the following operations:

a. Adds RDs and route target attributes to these standard IPv4 routes to create VPN-IPv4 routes.

b. Saves the VPN-IPv4 routes to the routing table of the VPN instance created for the CE.

c. Advertises the VPN-IPv4 routes to the egress PE through MP-BGP.

3. From the egress PE to the remote CE:

After receiving the VPN-IPv4 routes, the egress PE performs the following operations:

a. Compares the routes' export target attributes with the local import target attributes.

b. Adds the routes to the routing table of the VPN instance if the export and local import target attributes match each other.

c. Restores the VPN-IPv4 routes to the original IPv4 routes.

d. Advertises those routes to the connected CE over a static route, RIP route, OSPF route, IS-IS route, EBGP route, or IBGP route.

MPLS L3VPN packet forwarding

In a basic MPLS L3VPN (within a single AS), a PE adds the following information into VPN packets:

· Outer tag—Identifies the public tunnel from the local PE to the remote PE. The public tunnel can be an LSP, an MPLS TE tunnel, or a GRE tunnel. Based on the outer tag, a VPN packet can be forwarded along the public tunnel to the remote PE. For a GRE public tunnel, the outer tag is the GRE encapsulation. For an LSP or MPLS TE tunnel, the outer tag is an MPLS label.

· Inner label—Identifies the remote VPN site. The remote PE uses the inner label to forward packets to the target VPN site. MP-BGP advertises inner labels for VPN-IPv4 routes among PEs.

Figure 50 VPN packet forwarding

As shown in Figure 50, a VPN packet is forwarded from Site 1 to Site 2 by using the following process:

1. Site 1 sends an IP packet with the destination address 1.1.1.2. CE 1 transmits the packet to PE 1.

2. PE 1 performs the following operations:

a. Finds the matching VPN route based on the inbound interface and destination address of the packet.

b. Labels the packet with both the inner label and the outer tag.

c. Forwards the packet to the public tunnel.

3. P devices forward the packet to PE 2 by the outer tag.

? If the outer tag is an MPLS label, the label is removed from the packet at the penultimate hop.

? If the outer tag is GRE encapsulation, PE 2 removes the GRE encapsulation.

4. PE 2 performs the following operations:

a. Uses the inner label to find the matching VPN instance to which the destination address of the packet belongs.

b. Looks up the routing table of the VPN instance for the output interface.

c. Removes the inner label and forwards the packet out of the interface to CE 2.

5. CE 2 transmits the packet to the destination through IP forwarding.

When two sites of a VPN are connected to the same PE, the PE directly forwards packets between the two sites through the VPN routing table without adding any tag or label.

For more information about GRE, see Layer 3—IP Services Configuration Guide.

MPLS L3VPN networking schemes

In MPLS L3VPNs, route target attributes are used to control the advertisement and reception of VPN routes between sites. They work independently and can be configured with multiple values to support flexible VPN access control and implement multiple types of VPN networking schemes.

Basic VPN networking scheme

In the simplest case, all users in a VPN form a closed user group. They can forward traffic to each other but cannot communicate with any user outside the VPN.

For the basic VPN networking scheme, you must assign a route target to each VPN for identifying the export target attribute and import target attribute of the VPN. Moreover, this route target cannot be used by any other VPNs.

Figure 51 Network diagram for basic VPN networking scheme

As shown in Figure 51, the route target for VPN 1 is 100:1, while that for VPN 2 is 200:1. The two VPN 1 sites can communicate with each other, and the two VPN 2 sites can communicate with each other. However, the VPN 1 sites cannot communicate with the VPN 2 sites.

Hub and spoke networking scheme

The hub and spoke networking scheme is suitable for a VPN where all users must communicate with each other through an access control device.

In a hub and spoke network as shown in Figure 52, configure route targets as follows:

· On spoke PEs (PEs connected to spoke sites), set the export target to Spoke and the import target to Hub.

· On the hub PE (PE connected to the hub site), use two interfaces that each belong to a different VPN instance to connect the hub CE. One VPN instance receives routes from spoke PEs and has the import target set to Spoke. The other VPN instance advertises routes to spoke PEs and has the export target set to Hub.

These route targets rules produce the following results:

· The hub PE can receive all VPN-IPv4 routes from spoke PEs.

· All spoke PEs can receive VPN-IPv4 routes advertised by the hub PE.

· The hub PE advertises the routes learned from a spoke PE to the other spoke PEs so the spoke sites can communicate with each other through the hub site.

· The import target attribute of a spoke PE is different from the export target attribute of any other spoke PE. Any two spoke PEs do not directly advertise VPN-IPv4 routes to each other. Therefore, they cannot directly access each other.

Figure 52 Network diagram for hub and spoke network

A route in Site 1 is advertised to Site 2 by using the following process:

1. Spoke-CE 1 advertises a route in Site 1 to Spoke-PE 1.

2. Spoke-PE 1 changes the route to a VPN-IPv4 route and advertises the VPN-IPv4 route to Hub-PE through MP-BGP.

3. Hub-PE adds the VPN-IPv4 route into the routing table of VPN 1-in, changes it to the original IPv4 route, and advertises the IPv4 route to Hub-CE.

4. Hub-CE advertises the IPv4 route back to Hub-PE.

5. Hub-PE adds the IPv4 route to the routing table of VPN 1-out, changes it to a VPN-IPv4 route, and advertises the VPN-IPv4 route to Spoke-PE 2 through MP-BGP.

6. Spoke-PE 2 changes the VPN-IPv4 route to the original IPv4 route, and advertises the IPv4 route to Site 2.

After spoke sites exchange routes through the hub site, they can communicate with each other through the hub site.

Extranet networking scheme

The extranet networking scheme allows specific resources in a VPN to be accessed by users not in the VPN.

In this networking scheme, if a VPN instance needs to access a shared site, the export target attribute and the import target attribute of the VPN instance must be contained in the import target attribute and the export target attribute of the VPN instance of the shared site, respectively.

Figure 53 Network diagram for extranet networking scheme

As shown in Figure 53, route targets configured on PEs produce the following results:

· PE 3 can receive VPN-IPv4 routes from PE 1 and PE 2.

· PE 1 and PE 2 can receive VPN-IPv4 routes advertised by PE 3.

· Site 1 and Site 3 of VPN 1 can communicate with each other, and Site 2 of VPN 2 and Site 3 of VPN 1 can communicate with each other.

· PE 3 advertises neither the VPN-IPv4 routes received from PE 1 to PE 2 nor the VPN-IPv4 routes received from PE 2 to PE 1 (routes learned from an IBGP neighbor are not advertised to any other IBGP neighbor). Therefore, Site 1 of VPN 1 and Site 2 of VPN 2 cannot communicate with each other.

Inter-AS VPN

In an inter-AS VPN networking scenario, multiple sites of a VPN are connected to multiple ISPs in different ASs, or to multiple ASs of an ISP.

Inter AS-VPN provides the following solutions:

· VRF-to-VRF connections between ASBRs—This solution is also called inter-AS option A.

· EBGP redistribution of labeled VPN-IPv4 routes between ASBRs—ASBRs advertise VPN-IPv4 routes to each other through MP-EBGP. This solution is also called inter-AS option B.

· Multihop EBGP redistribution of labeled VPN-IPv4 routes between PE routers—PEs advertise VPN-IPv4 routes to each other through MP-EBGP. This solution is also called inter-AS option C.

Inter-AS option A

In this solution, PEs of two ASs are directly connected, and each PE is also the ASBR of its AS. Each PE treats the other as a CE and advertises unlabeled IPv4 unicast routes through EBGP. The PEs associate a VPN instance with a minimum of one interface.

Figure 54 Network diagram for inter-AS option A

As shown in Figure 54, in VPN 1, routes are advertised from CE 1 to CE 3 by using the following process:

1. PE 1 advertises the VPN routes learned from CE 1 to ASBR 1 through MP-IBGP.

2. ASBR 1 performs the following operations:

a. Adds the routes to the routing table of the VPN instance whose import target attribute matches the export target attribute of the routes.

b. Advertises the routes as IPv4 unicast routes to its CE (ASBR 2) through EBGP.

3. ASBR 2 adds the IPv4 unicast routes to the routing table of the VPN instance that is bound to the receiving interface, and advertises the routes to PE 3 through MP-IBGP.

4. PE 3 advertises the received routes to CE 3.

Packets forwarded within an AS are VPN packets that carry two labels. Packets forwarded between ASBRs are common IP packets.

Inter-AS option A is easy to carry out because no special configuration is required on the PEs acting as the ASBRs.

However, it has limited scalability because the PEs acting as the ASBRs must manage all the VPN routes and create VPN instances on a per-VPN basis. This leads to excessive VPN-IPv4 routes on the PEs. Associating a separate interface with each VPN also requires additional system resources.

Inter-AS option B

In this solution, two ASBRs use MP-EBGP to exchange VPN-IPv4 routes that they obtain from the PEs in their respective ASs.

Figure 55 Network diagram for inter-AS option B

As shown in Figure 55, in VPN 1, routes are advertised from CE 1 to CE 3 by using the following process:

1. PE 1 advertises the VPN routes learned from CE 1 to ASBR 1 through MP-IBGP.

Assume that the inner label assigned by PE 1 for the routes is L1.

2. ASBR 1 advertises the VPN-IPv4 routes to ASBR 2 through MP-EBGP.

Before advertising the routes, ASBR 1 modifies the next hop as its own address, assigns a new inner label (L2) to the routes, and associates L1 with L2.

3. ASBR 2 advertises the VPN-IPv4 routes to PE 3 through MP-IBGP.

Before advertising the routes, ASBR 2 modifies the next hop as its own address, assigns a new inner label (L3) to the routes, and associates L2 with L3.

4. PE 3 advertises the received routes to CE 3.

A packet is forwarded from CE 3 to CE 1 by using the following process:

5. PE 3 encapsulates the received packet with two labels, and forwards the encapsulated packet to ASBR 2.

One of the labels is L3, and the other is the outer tag for the public tunnel from PE 3 to ASBR 2.

6. ASBR 2 removes the outer tag, replaces L3 with L2, and forwards the packet to ASBR 1.

Packets between ASBR 1 and ASBR 2 carry only one inner label.

7. ASBR 1 replaces L2 with L1, adds the outer tag of the public tunnel from ASBR 1 to PE 1, and forwards the packet to PE 1.

8. PE 1 removes the inner label and outer tag and forwards the packet to CE 1.

In this solution, ASBRs must receive all inter-AS VPN routes. Therefore, ASBRs cannot filter incoming VPN-IPv4 routes by route targets.

Inter-AS option B has better scalability than option A. However, it requires that ASBRs maintain and advertise VPN routes.

Inter-AS option C

The Inter-AS option A and option B solutions require that the ASBRs maintain and advertise VPN-IPv4 routes. When every AS needs to exchange a great amount of VPN routes, the ASBRs might become bottlenecks, which hinders network extension. Inter-AS option C has better scalability because it makes PEs directly exchange VPN-IPv4 routes.

In this solution, PEs exchange VPN-IPv4 routes over a multihop MP-EBGP session. Each PE must have a route to the peer PE and a label for the route so that the inter-AS public tunnel between the PEs can be set up. Inter-AS option C sets up a public tunnel by using the following methods:

· A label distribution protocol within the AS, for example, LDP.

· Labeled IPv4 unicast route advertisement by ASBRs through BGP.

Labeled IPv4 unicast route advertisement refers to the process of assigning MPLS labels to IPv4 unicast routes and advertising IPv4 unicast routes and their labels.

Figure 56 Network diagram for inter-AS option C

As shown in Figure 56, in VPN 1, routes are advertised from CE 1 to CE 3 by using the following process:

1. PE 1 advertises the VPN routes learned from CE 1 as VPN-IPv4 routes to PE 3 through multihop MP-EBGP.

Assume that the inner label assigned by PE 1 for the routes is Lx.

2. PE 3 advertises the received routes to CE 3.

Setting up an inter-AS public tunnel is difficult in this solution. A public tunnel, for example, the one from PE 3 to PE 1, is set up by using the following process:

3. Within AS 100, the public tunnel from ASBR 1 to PE 1 is set up by using a label distribution protocol, for example, LDP.

Assume that the outgoing label for the public tunnel on ASBR 1 is L1.

4. ASBR 1 advertises labeled IPv4 unicast routes to ASBR 2 through EBGP.

The route destined for PE 1 and the label (L2) assigned by ASBR 1 for the route are advertised from ASBR 1 to ASBR 2. The next hop of the route is ASBR 1. The public tunnel from ASBR 2 to ASBR 1 is set up. The incoming label for the public tunnel on ASBR 1 is L2.

5. ASBR 2 advertises labeled IPv4 unicast routes to PE 3 through IBGP.

The route destined for PE 1 and the label (L3) assigned by ASBR 2 for the route are advertised from ASBR 2 to PE 3. The next hop for the route is ASBR 2. The public tunnel from PE 3 to ASBR 2 is set up. The incoming label for the public tunnel on ASBR 2 is L3, and the outgoing label is L2.

6. MPLS packets cannot be forwarded directly from PE 3 to ASBR 2. Within AS 200, the public tunnel from PE 3 to ASBR 2 is required to be set up hop by hop through a label distribution protocol, for example, LDP.

Assume that the outgoing label for the public tunnel on PE 3 is Lv.

After route advertisement and public tunnel setup, a packet is forwarded from CE 3 to CE 1 by using the following process:

7. PE 3 performs the following routing table lookups for the packet:

a. Finds a matching route with next hop PE 1 and inner label Lx, and encapsulates the packet with label Lx.

b. Finds the route to PE 1 with next hop ASBR 2 and label L3, and encapsulates the packet with label L3 as the outer label.

c. Finds the route to ASBR 2 with outgoing label Lv, and encapsulates the packet with label Lv as the outmost label.

8. AS 200 transmits the packet to ASBR 2 by the outmost label.

9. ASBR 2 removes the outmost label, replaces L3 with L2, and forwards the packet to ASBR 1.

10. ASBR 1 replaces L2 with L1, and forwards the packet.

11. AS 100 transmits the packet to PE 1 by the outer label.

12. PE 1 removes the outer label, and forwards the packet to CE 1 according to the inner label Lx.

As shown in Figure 57, to improve scalability, you can specify a route reflector (RR) in each AS to exchange VPN-IPv4 routes with PEs in the same AS. The RR in each AS maintains all VPN-IPv4 routes. The RRs in two ASs establish a multihop MP-EBGP session to advertise VPN-IPv4 routes.

Figure 57 Network diagram for inter-AS option C using RRs

Carrier's carrier

If a customer of an MPLS L3VPN service provider is also a service provider:

· The MPLS L3VPN service provider is called the provider carrier or the Level 1 carrier.

· The customer is called the customer carrier or the Level 2 carrier.

This networking model is referred to as carrier's carrier.

The PEs of the Level 2 carrier directly exchange customer networks over a BGP session. The Level 1 carrier only learns the backbone networks of the Level 2 carrier, without learning customer networks.

For packets between customer networks to travel through the Level 1 carrier, the PE of the Level 1 carrier and the CE of the Level 2 carrier must assign labels to the backbone networks of the Level 2 carrier. The CE of the Level 2 carrier is a PE within the Level 2 carrier network.

Follow these guidelines to assign labels:

· If the PE and the CE are in the same AS, you must configure IGP and LDP between them. If they are in different ASs, you must configure MP-EBGP to assign labels to IPv4 unicast routes exchanged between them.

· You must enable MPLS on the CE of the Level 2 carrier regardless of whether the PE and CE are in the same AS.

A Level 2 carrier can be an ordinary ISP or an MPLS L3VPN service provider.

As shown in Figure 58, when the customer carrier is an ordinary ISP, its PEs and CEs run IGP to communicate with each other. The PEs do not need to run MPLS. PE 3 and PE 4 exchange customer network routes (IPv4 unicast routes) through an IBGP session.

Figure 58 Scenario where the Level 2 carrier is an ISP

As shown in Figure 59, when the customer carrier is an MPLS L3VPN service provider, its PEs and CEs must run IGP and LDP to communicate with each other. PE 3 and PE 4 exchange customer network routes (VPN-IPv4 routes) through an MP-IBGP session.

Figure 59 Scenario where the Level 2 carrier is an MPLS L3VPN service provider

NOTE:

As a best practice, establish equal cost LSPs between the Level 1 carrier and the Level 2 carrier if equal cost routes exist between them.

Nested VPN

The nested VPN technology exchanges VPNv4 routes between PEs and CEs of the ISP MPLS L3VPN and allows a customer to manage its own internal VPNs. Figure 60 shows a nested VPN network. On the service provider's MPLS VPN network, there is a customer VPN named VPN A. The customer VPN contains two sub-VPNs, VPN A-1 and VPN A-2.

The service provider PEs consider the customer's network as a common VPN user and do not join any sub-VPNs. The service provider CE devices (CE 1 and CE 2) exchange VPNv4 routes including sub-VPN routing information with the service provider PEs, which implements the propagation of the sub-VPN routing information throughout the customer network.

The nested VPN technology supports both symmetric networking and asymmetric networking. Sites of the same VPN can have the same number or different numbers of internal VPNs. Nested VPN also supports multiple-level nesting of internal VPNs.

Figure 60 Network diagram for nested VPN

Propagation of routing information

In a nested VPN network, routing information is propagated by using the following process:

1. After receiving VPN routes from customer CEs, a customer PE advertises VPN-IPv4 routes to the provider CEs through MP-BGP.

2. The provider CEs advertise the VPN-IPv4 routes to a provider PE through MP-BGP.

3. After receiving a VPN-IPv4 route, the provider PE keeps the customer's internal VPN information, and appends the customer's MPLS VPN attributes on the service provider network. It replaces the RD of the VPN-IPv4 route with the RD of the customer's MPLS VPN on the service provider network. It also adds the export route-target (ERT) attribute of the customer's MPLS VPN on the service provider network to the extended community attribute list of the route. The internal VPN information for the customer is maintained on the provider PE.

4. The provider PE advertises VPN-IPv4 routes carrying the comprehensive VPN information to the other PEs of the service provider.

5. After another provider PE receives the VPN-IPv4 routes, it matches the VPN-IPv4 routes to the import targets of its local VPNs. Each local VPN accepts routes of its own and advertises them to provider CEs. If a provider CE (such as CE 7 and CE 8 in Figure 60) is connected to a provider PE through an IPv4 connection, the PE advertises IPv4 routes to the CE. If it is a VPN-IPv4 connection (a customer MPLS VPN network), the PE advertises VPN-IPv4 routes to the CE.

6. After receiving VPN-IPv4 routes from the provider CE, a customer PE matches those routes to local import targets. Each customer VPN accepts only its own routes and advertises them to connected customer CEs (such as CE 3, CE 4, CE 5, and CE 6 in Figure 60).

Multirole host

Typically, hosts in the same VPN can communicate with each other, and those in different VPNs cannot. However, a host or server in a site might need to access VPNs in addition to the VPN to which the host or server belongs. To simplify configuration, you can use the multirole host feature.

The multirole host feature enables a PE to use PBR to provide multiple VPN access for a host or server. The host or server is called a multirole host.

Figure 61 Network diagram

As shown in Figure 61, the multirole host in site 1 needs to access both VPN 1 and VPN 2. Other hosts in site 1 only need to access VPN 1. To configure the multirole host feature, configure PE 1 as follows:

· Create VPN instances vpn1 and vpn2 for VPN 1 and VPN 2, respectively.

· Associate VPN instance vpn1 with the interface connected to CE 1.

· Configure PBR to route packets from CE 1 first by the routing table of the associated VPN instance (vpn1). Then, if no matching route is found, route the packets according to the routing table of VPN instance vpn2. This configuration ensures that packets from Site 1 can be forwarded in both VPN 1 and VPN 2.

· Configure a static route for VPN instance vpn2 to reach the multirole host. Specify the next hop of the route as the IP address of CE 1 and specify the VPN instance to which the next hop belongs as VPN 1. This configuration ensures that packets from VPN 2 can be routed to the multirole host.

Configure static routes for all VPN instances that the multirole host needs to access, except the associated VPN instance.

IMPORTANT:

IP addresses in all VPNs that the multirole host can access must not overlap.

HoVPN

Hierarchy of VPN (HoVPN), also called Hierarchy of PE (HoPE), prevents PEs from being bottlenecks and is applicable to large-scale VPN deployment.

HoVPN divides PEs into underlayer PEs (UPEs) or user-end PEs, and superstratum PEs (SPEs) or service provider-end PEs. UPEs and SPEs have different functions and comprise a hierarchical PE. The HoPE and common PEs can coexist in an MPLS network.

Figure 62 Basic architecture of HoVPN

As shown in Figure 62, UPEs and SPEs play the following different roles:

· A UPE is directly connected to CEs. It provides user access. It maintains the routes of directly connected VPN sites. It does not maintain the routes of the remote sites in the VPN, or it only maintains their summary routes. A UPE assigns inner labels to the routes of its directly connected sites, and advertises the labels along with VPN routes to the SPE through MP-BGP. A UPE features high access capability, small routing table capacity, and low forwarding performance.

· An SPE is connected to UPEs and resides inside the service provider network. It manages and advertises VPN routes. It maintains all the routes of the VPNs connected through UPEs, including the routes of both the local and remote sites. An SPE advertises routes along with labels to UPEs, including the default routes of VPN instances or summary routes and the routes permitted by the routing policy. By using routing policies, you can control which sites in a VPN can communicate with each other. An SPE features large routing table capacity, high forwarding performance, and fewer interface resources.

Either MP-IBGP or MP-EBGP can run between SPE and UPE. When MP-IBGP runs between SPE and UPEs, the SPE acts as the RR of multiple UPEs and reflects routes between UPEs.

HoVPN supports HoPE recursion:

· An HoPE can act as a UPE to form a new HoPE with an SPE.

· An HoPE can act as an SPE to form a new HoPE with multiple UPEs.

HoVPN supports multilevel recursion. In HoPE recursion, the concepts of SPE and UPE are relative. A PE might be the SPE of its underlayer PEs and a UPE of its SPE at the same time.

Figure 63 Recursion of HoPEs

Figure 63 shows a three-level HoPE. The PE in the middle is called the middle-level PE (MPE). MP-BGP runs between SPE and MPE, and between MPE and UPE.

MP-BGP advertises the following routes:

· All the VPN routes of UPEs to the SPEs.

· The default routes of the VPN instance of the SPEs or the VPN routes permitted by the routing policies to the UPEs.

The SPE maintains the VPN routes of all sites in the HoVPN. Each UPE maintains only VPN routes of its directly connected sites. An MPE has fewer routes than the SPE but has more routes than a UPE.

OSPF VPN extension

This section describes the OSPF VPN extension. For more information about OSPF, see Layer 3—IP Routing Configuration Guide.

OSPF for VPNs on a PE

If OSPF runs between a CE and a PE to exchange VPN routes, the PE must support multiple OSPF instances to create independent routing tables for VPN instances. Each OSPF process is bound to a VPN instance. Routes learned by an OSPF process are added into the routing table of the bound VPN instance.

OSPF area configuration between a PE and a CE

The OSPF area between a PE and a CE can be either a non-backbone area or a backbone area.

In the OSPF VPN extension application, the MPLS VPN backbone is considered the backbone area (area 0). The area 0 of each site must be connected to the MPLS VPN backbone (physically connected or logically connected through a virtual link) because OSPF requires that the backbone area be contiguous.

BGP/OSPF interaction

If OSPF runs between PEs and CEs, each PE redistributes BGP routes to OSPF and advertises the routes to CEs through OSPF. OSPF considers the routes redistributed from BGP as external routes but the OSPF routes actually belong to the same OSPF domain. This problem can be resolved by configuring the same domain ID for sites in an OSPF domain.

Figure 64 Network diagram for BGP/OSPF interaction

As shown in Figure 64, CE 11, CE 21, and CE 22 belong to the same VPN and the same OSPF domain.

Before domain ID configuration, VPN 1 routes are advertised from CE 11 to CE 21 and CE 22 by using the following process:

1. PE 1 redistributes OSPF routes from CE 11 into BGP, and advertises the VPN routes to PE 2 through BGP.

2. PE 2 redistributes the BGP routes to OSPF, and advertises them to CE 21 and CE 22 in AS External LSAs (Type 5) or NSSA External LSAs (Type 7).

After domain ID configuration, VPN 1 routes are advertised from CE 11 to CE 21 and CE 22 by using the following process:

3. PE 1 redistributes OSPF routes into BGP, adds the domain ID to the redistributed BGP VPNv4 routes as a BGP extended community attribute, and advertises the routes to PE 2.

4. PE 2 compares the domain ID in the received routes with the locally configured domain ID. If they are the same and the received routes are intra-area or inter-area routes, OSPF advertises these routes in Network Summary LSAs (Type 3). Otherwise, OSPF advertises these routes in AS External LSAs (Type 5) or NSSA External LSAs (Type 7).

Routing loop avoidance

Figure 65 Network diagram for routing loop avoidance

As shown in Figure 65, Site 1 is connected to two PEs. When a PE advertises VPN routes learned from MP-BGP to Site 1 through OSPF, the routes might be received by the other PE. This results in a routing loop.

OSPF VPN extension uses the following tags to avoid routing loops:

· DN bit (for Type 3 LSAs)—When a PE redistributes BGP routes into OSPF and creates Type 3 LSAs, it sets the DN bit for the LSAs. When receiving the Type 3 LSAs advertised by CE 11, the other PE ignores the LSAs whose DN bit is set to avoid routing loops.

· Route tag (for Type 5 or 7 LSAs)—The two PEs use the same route tag. When a PE redistributes BGP routes into OSPF and creates Type 5 or 7 LSAs, it adds the route tag to the LSAs. When receiving the Type 5 or 7 LSAs advertised by CE 11, the other PE compares the route tag in the LSAs against the local route tag. If they are the same, the PE ignores the LSAs to avoid routing loops.

OSPF sham link

As shown in Figure 66, two routes exist between Site 1 and Site 2 of VPN 1:

· A route over MPLS backbone—It is an inter-area route if PE 1 and PE 2 have the same domain ID, or is an external route if PE 1 and PE 2 are configured with no domain ID or with different domain IDs.

· A direct route between CEs—It is an intra-area route that is called a backdoor link.

VPN traffic is always forwarded through the backdoor link because it has a higher priority than the inter-area route. To forward VPN traffic over the inter-area route, you can establish a sham link between the two PEs to change the inter-area route to an intra-area route.

Figure 66 Network diagram for sham link

A sham link is considered a virtual point-to-point link within a VPN and is advertised in a Type 1 LSA. It is identified by the source IP address and destination IP address that are the local PE address and the remote PE address in the VPN address space. Typically, the source and destination addresses are loopback interface addresses with a 32-bit mask.

To add a route to the destination IP address of a sham link to a VPN instance, the remote PE must advertise the source IP address of the sham link as a VPN-IPv4 address through MP-BGP. To avoid routing loops, a PE does not advertise the sham link's destination address.

BGP AS number substitution and SoO attribute

BGP detects routing loops by examining AS numbers. If EBGP runs between PE and CE, you must assign different AS numbers to geographically different sites or configure the BGP AS number substitution feature to ensure correct transmission of routing information.

The BGP AS number substitution feature allows geographically different CEs to use the same AS number. If the AS_PATH of a route contains the AS number of a CE, the PE replaces the AS number with its own AS number before advertising the route to that CE.

After you enable the BGP AS number substitution feature, the PE performs BGP AS number substitution for all routes and re-advertises them to connected CEs in the peer group.

Figure 67 Application of BGP AS number substitution and SoO attribute

As shown in Figure 67, both Site 1 and Site 2 use the AS number 800. AS number substitution is enabled on PE 2 for CE 2. Before advertising updates received from CE 1 to CE 2, PE 2 substitutes its own AS number 100 for the AS number 800. In this way, CE 2 can correctly receive the routing information from CE 1.

However, the AS number substitution feature also introduces a routing loop in Site 2 because route updates originated from CE 3 can be advertised back to Site 2 through PE 2 and CE 2. To remove the routing loop, you can configure the same SoO attribute on PE 2 for CE 2 and CE 3. PE 2 adds the SoO attribute to route updates received from CE 2 or CE 3, and checks the SoO attribute of route updates to be advertised to CE 2 or CE 3. The SoO attribute of the route updates from CE 3 is the same as the SoO attribute for CE 2, and PE 2 does not advertise route updates to CE 2.

For more information about the SoO attribute, see Layer 3—IP Routing Configuration Guide.

MPLS L3VPN FRR

MPLS L3VPN Fast Reroute (FRR) is applicable to a dual-homed scenario, as shown in Figure 68. By using BFD to detect the primary link, FRR enables a PE to use the backup link when the primary link fails. The PE then selects a new optimal route, and uses the new optimal route to forward traffic.

MPLS L3VPN FRR supports the following types of backup:

· VPNv4 route backup for a VPNv4 route.

· VPNv4 route backup for an IPv4 route.

· IPv4 route backup for a VPNv4 route.

VPNv4 route backup for a VPNv4 route

Figure 68 Network diagram

As shown in Figure 68, configure FRR on the ingress node PE 1, and specify the backup next hop for VPN 1 as PE 3. When PE 1 receives a VPNv4 route to CE 2 from both PE 2 and PE 3, it uses the route from PE 2 as the primary link, and the route from PE 3 as the backup link.

Configure BFD for LSPs or MPLS TE tunnels on PE 1 to detect the connectivity of the public tunnel from PE 1 to PE 2. When the tunnel PE 1—PE 2 operates correctly, traffic from CE 1 to CE 2 goes through the path CE 1—PE 1—PE 2—CE 2. When the tunnel fails, the traffic goes through the path CE 1—PE 1—PE 3—CE 2.

In this scenario, PE 1 is responsible for primary link detection and traffic switchover.

For more information about BFD for LSPs or MPLS TE tunnels, see "Configuring MPLS OAM."

VPNv4 route backup for an IPv4 route

Figure 69 Network diagram

As shown in Figure 69, configure FRR on the egress node PE 2, and specify the backup next hop for VPN 1 as PE 3. When PE 2 receives an IPv4 route from CE 2 and a VPNv4 route from PE 3 (both routes are destined for VPN 1 connected to CE 2), PE 2 uses the IPv4 route as the primary link, and the VPNv4 route as the backup link.

PE 2 uses ARP or echo-mode BFD to detect the connectivity of the link from PE 2 to CE 2. When the link operates correctly, traffic from CE 1 to CE 2 goes through the path CE 1—PE 1—PE 2—CE 2. When the link fails, PE 2 switches traffic to the link PE 2—PE 3—CE 2, and traffic from CE 1 to CE 2 goes through the path CE 1—PE 1—PE 2—PE 3—CE 2. This avoids traffic interruption before route convergence completes (switching to the link CE 1—PE 1—PE 3—CE 2).

In this scenario, PE 2 is responsible for primary link detection and traffic switchover.

IPv4 route backup for a VPNv4 route

Figure 70 Network diagram

As shown in Figure 70, configure FRR on the egress node PE 2, and specify the backup next hop for VPN 1 as CE 2. When PE 2 receives an IPv4 route from CE 2 and a VPNv4 route from PE 3 (both routes are destined for VPN 1 connected to CE 2), PE 2 uses the VPNv4 route as the primary link, and the IPv4 route as the backup link.

Configure BFD for LSPs or MPLS TE tunnels on PE 2 to detect the connectivity of the public tunnel from PE 2 to PE 3. When the tunnel operates correctly, traffic from CE 1 to CE 2 goes through the path CE 1—PE 1—PE 2—PE 3—CE 2. When the tunnel fails, the traffic goes through the path CE 1—PE 1—PE 2—CE 2.

In this scenario, PE 2 is responsible for primary link detection and traffic switchover.

ECMP VPN route redistribution

This feature enables a VPN instance to redistribute all routes that have the same prefix and RD into its routing table. Based on the ECMP routes, the device can perform load sharing (as configured by the balance command) or MPLS L3VPN FRR. For more information about the balance command, see BGP in Layer 3—IP Routing Command Reference.

Figure 71 Network diagram

As shown in Figure 71, CE 1 accesses the backbone network through VPN instance VPN1 created on PE 1. The RD of VPN instance VPN1 is 1:1. CE 2 accesses the backbone network through VPN instances created on PE 2 and PE 3. The VPN instances created on PE 2 and PE 3 have the same name VPN2 and the same RD 1:2. VPN instances VPN1 and VPN2 can communicate with each other.

Both PE 2 and PE 3 can advertise routes from CE 2 to PE 1, and the advertised routes have the same RD 1:2. By default, BGP redistributes only the optimal route into the routing table of VPN instance VPN1. After you enable ECMP VPN route redistribution on VPN instance VPN1, BGP redistributes routes from both PE 2 and PE 3 to the routing table of VPN instance VPN1.

Protocols and standards

· RFC 3107, Carrying Label Information in BGP-4

· RFC 4360, BGP Extended Communities Attribute

· RFC 4364, BGP/MPLS IP Virtual Private Networks (VPNs)

· RFC 4577, OSPF as the Provider/Customer Edge Protocol for BGP/MPLS IP Virtual Private Networks (VPNs)

Feature and hardware compatibility

Hardware	MPLS L3VPN compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS	No
MSR2600-6-X1/2600-10-X1	Yes
MSR 2630	Yes
MSR3600-28/3600-51	Yes
MSR3600-28-SI/3600-51-SI	Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC	Yes
MSR 3610/3620/3620-DP/3640/3660	Yes
MSR5620/5660/5680	Yes

Hardware	MPLS L3VPN compatibility
MSR810-LM-GL	No
MSR810-W-LM-GL	No
MSR830-6EI-GL	No
MSR830-10EI-GL	No
MSR830-6HI-GL	No
MSR830-10HI-GL	No
MSR2600-6-X1-GL	Yes
MSR3600-28-SI-GL	Yes

Configuration restrictions and guidelines

If both MPLS L3VPN and OpenFlow are configured, you must execute the default table-miss permit command to ensure forwarding of MPLS L3VPN packets. For more information about the default table-miss permit command, see OpenFlow Command Reference.

MPLS L3VPN configuration task list

Tasks at a glance
(Required.) Configuring basic MPLS L3VPN
(Optional.) Configuring inter-AS VPN
(Optional.) Configuring nested VPN
(Optional.) Configuring multirole host
(Optional.) Configuring HoVPN
(Optional.) Configuring an OSPF sham link
(Optional.) Specifying the VPN label processing mode on the egress PE
(Optional.) Configuring BGP AS number substitution and SoO attribute
(Optional.) Configuring MPLS L3VPN FRR
(Optional.) Configuring BGP RT filtering
(Optional.) Configuring route replication
(Optional.) Enabling ECMP VPN route redistribution
(Optional.) Enabling SNMP notifications for MPLS L3VPN

Configuring basic MPLS L3VPN

Tasks at a glance
Configuring VPN instances: (Required.) Creating a VPN instance (Required.) Associating a VPN instance with an interface (Optional.) Configuring route related attributes for a VPN instance


(Required.) Configuring routing between a PE and a CE
(Required.) Configuring routing between PEs
(Optional.) Configuring BGP VPNv4 route control

Configuration prerequisites

Before you configure basic MPLS L3VPN, perform the following tasks:

1. Configure an IGP on the PEs and P devices to ensure IP connectivity within the MPLS backbone.

2. Configure basic MPLS for the MPLS backbone.

3. Configure static LSP or LDP on the PEs and P devices to establish public tunnels.

Configuring VPN instances

VPN instances isolate VPN routes from public network routes and routes among VPNs. This feature allows VPN instances to be used in network scenarios in addition to MPLS L3VPNs.

All VPN instance configurations are performed on PEs or MCEs.

Creating a VPN instance

A VPN instance is a collection of the VPN membership and routing rules of its associated site. A VPN instance might correspond to more than one VPN.

To create and configure a VPN instance:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a VPN instance and enter VPN instance view.	ip vpn-instance vpn-instance-name	By default, no VPN instances exist.
3. Configure an RD for the VPN instance.	route-distinguisher route-distinguisher	By default, no RD is configured for a VPN instance.
4. (Optional.) Configure a description for the VPN instance.	description text	By default, no description is configured for a VPN instance.
5. (Optional.) Configure a VPN ID for the VPN instance.	vpn-id vpn-id	By default, no VPN ID is configured for a VPN instance.
6. (Optional.) Configure an SNMP context for the VPN instance.	snmp context-name context-name	By default, no SNMP context is configured.

Associating a VPN instance with an interface

After creating and configuring a VPN instance, associate the VPN instance with the interface connected to the CE.

To associate a VPN instance with an interface:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Associate a VPN instance with the interface.	ip binding vpn-instance vpn-instance-name	By default, an interface is not associated with a VPN instance and belongs to the public network. The ip binding vpn-instance command deletes the IP address of the current interface. You must reconfigure an IP address for the interface after configuring the command.

Configuring route related attributes for a VPN instance

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter VPN instance view or IPv4 VPN view	· Enter VPN instance view: ip vpn-instance vpn-instance-name · Enter IPv4 VPN view: a. ip vpn-instance vpn-instance-name b. address-family ipv4	Configurations made in VPN instance view apply to both IPv4 VPN and IPv6 VPN. IPv4 VPN prefers the configurations in IPv4 VPN view over the configurations in VPN instance view.
3. Configure route targets.	vpn-target vpn-target&<1-8> [ both \| export-extcommunity \| import-extcommunity ]	By default, no route targets are configured.
4. Set the maximum number of active routes.	routing-table limit number { warn-threshold \| simply-alert }	For the default setting of this command, see MPLS Command Reference. Setting the maximum number of active routes for a VPN instance can prevent the PE from learning too many routes.
5. Apply an import routing policy.	import route-policy route-policy	By default, all routes matching the import target attribute are accepted. The specified routing policy must have been created. For information about routing policies, see Layer 3—IP Routing Configuration Guide.
6. Apply an export routing policy.	export route-policy route-policy	By default, routes to be advertised are not filtered. The specified routing policy must have been created. For information about routing policies, see Layer 3—IP Routing Configuration Guide.
7. Apply a tunnel policy to the VPN instance.	tnl-policy tunnel-policy-name	By default, only one tunnel is selected (no load balancing) in this order: LSP tunnel, GRE tunnel, and CR-LSP tunnel. The specified tunnel policy must have been created. For information about tunnel policies, see "Configuring tunnel policies."

Configuring routing between a PE and a CE

You can configure static routing, RIP, OSPF, IS-IS, EBGP, or IBGP between a PE and a CE.

Configuring static routing between a PE and a CE

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure a static route for a VPN instance.

ip route-static vpn-instance s-vpn-instance-name dest-address { mask-length | mask } { interface-type interface-number [ next-hop-address ] |next-hop-address [ public ] [ track track-entry-number ] | vpn-instance d-vpn-instance-name next-hop-address [ track track-entry-number ] } [ permanent ] [ preference preference ] [ tag tag-value ] [ description text ]

By default, no static route is configured for a VPN instance.

Perform this configuration on the PE. On the CE, configure a common static route.

For more information about static routing, see Layer 3—IP Routing Configuration Guide.

Configuring RIP between a PE and a CE

A RIP process belongs to the public network or a single VPN instance. If you create a RIP process without binding it to a VPN instance, the process belongs to the public network.

To configure RIP between a PE and a CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a RIP process for a VPN instance and enter RIP view.	rip [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the PE. On the CE, create a common RIP process.
3. Enable RIP on the interface attached to the specified network.	network network-address [ wildcard-mask ]	By default, RIP is disabled on an interface.

Configuring OSPF between a PE and a CE

An OSPF process that is bound to a VPN instance does not use the public network router ID configured in system view. Therefore, you must specify a router ID when creating a process or configure an IP address for a minimum of one interface in the VPN instance.

An OSPF process belongs to the public network or a single VPN instance. If you create an OSPF process without binding it to a VPN instance, the process belongs to the public network.

To configure OSPF between a PE and a CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an OSPF process for a VPN instance and enter the OSPF view.	ospf [ process-id \| router-id router-id \| vpn-instance vpn-instance-name ] *	Perform this configuration on the PE. On the CE, create a common OSPF process. Deleting a VPN instance also deletes all related OSPF processes.
3. Redistribute BGP routes.	import-route bgp [ as-number ] [ allow-ibgp ] [ cost cost-value \| nssa-only \| route-policy route-policy-name \| tag tag \| type type ] *	By default, OSPF does not redistribute routes from other routing protocols. If the vpn-instance-capability simple command is not configured for the OSPF process, the allow-ibgp keyword is optional to redistribute VPNv4 routes learned from MP-IBGP peers. In any other cases, if you do not specify the allow-ibgp keyword, the OSPF process does not redistribute VPNv4 routes learned from MP-IBGP peers.
4. (Optional.) Set an OSPF domain ID.	domain-id domain-id [ secondary ]	The default domain ID is 0. Perform this configuration on the PE. The domain ID is carried in the routes of the OSPF process. When redistributing routes from the OSPF process, BGP adds the domain ID as an extended community attribute into BGP routes. An OSPF process can be configured with only one primary domain ID. Domain IDs of different OSPF processes can be the same. All OSPF processes of a VPN must be configured with the same domain ID.
5. Configure the type codes of OSPF extended community attributes.	ext-community-type { domain-id type-code1 \| router-id type-code2 \| route-type type-code3 }	The defaults are as follows: · 0x0005 for Domain ID. · 0x0107 for Router ID. · 0x0306 for Route Type. Perform this configuration on the PE.
6. Create an OSPF area and enter area view.	area area-id	By default, no OSPF areas exist.
7. Enable OSPF on the interface attached to the specified network in the area.	network ip-address wildcard-mask	By default, an interface neither belongs to any area nor runs OSPF.

Configuring IS-IS between a PE and a CE

An IS-IS process belongs to the public network or a single VPN instance. If you create an IS-IS process without binding it to a VPN instance, the process belongs to the public network.

To configure IS-IS between a PE and a CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an IS-IS process for a VPN instance and enter IS-IS view.	isis [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the PE. On the CE, configure common IS-IS.
3. Configure a network entity title for the IS-IS process.	network-entity net	By default, no NET is configured.
4. Return to system view.	quit	N/A
5. Enter interface view.	interface interface-type interface-number	N/A
6. Enable the IS-IS process on the interface.	isis enable [ process-id ]	By default, no IS-IS process is enabled on the interface.

Configuring EBGP between a PE and a CE

1. Configure the PE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	Configuration commands in BGP-VPN instance view are the same as those in BGP instance view. For more information, see Layer 3—IP Routing Configuration Guide.
4. Configure the CE as the VPN EBGP peer.	peer { group-name \| ip-address [ mask-length ] } as-number as-number	By default, no BGP peers exist. For more information about BGP peers and peer groups, see Layer 3—IP Routing Configuration Guide.
5. Create the BGP-VPN IPv4 unicast family and enter its view.	address-family ipv4 [ unicast ]	By default, the BGP-VPN IPv4 unicast family is not created.
6. Enable IPv4 unicast route exchange with the specified peer or peer group.	peer { group-name \| ip-address [ mask-length ] } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
7. Redistribute the routes of the local CE.	import-route protocol [ { process-id \| all-processes } [ allow-direct \| med med-value \| route-policy route-policy-name ] * ]	A PE must redistribute the routes of the local CE into its VPN routing table so it can advertise them to the peer PE.
8. (Optional.) Allow the local AS number to appear in the AS_PATH attribute of a received route, and set the maximum number of repetitions.	peer { group-name \| ip-address [ mask-length ] } allow-as-loop [ number ]	By default, BGP discards incoming route updates that contain the local AS number. BGP detects routing loops by examining AS numbers. In a hub-spoke network where EBGP is running between a PE and a CE, the routing information the PE advertises to a CE carries the AS number of the PE. Therefore, the route updates that the PE receives from the CE also include the AS number of the PE. This causes the PE to be unable to receive the route updates. In this case, you must configure this command to allow routing loops.

2. Configure the CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
3. Configure the PE as a BGP peer.	peer { group-name \| ip-address [ mask-length ] } as-number as-number	By default, no BGP peers exist.
4. Create the BGP IPv4 unicast family and enter its view.	address-family ipv4 [ unicast ]	By default, the BGP IPv4 unicast family is not created.
5. Enable IPv4 unicast route exchange with the specified peer or peer group.	peer { group-name \| ip-address [ mask-length ] } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
6. (Optional.) Configure route redistribution.	import-route protocol [ { process-id \| all-processes } [ allow-direct \| med med-value \| route-policy route-policy-name ] * ]	A CE must redistribute its routes to the PE so the PE can advertise them to the peer CE.

Configuring IBGP between a PE and a CE

Use IBGP between PE and CE only in a basic MPLS L3VPN network. In networks such as Hub&Spoke, Extranet, inter-AS VPN, carrier's carrier, nested VPN, and HoVPN, you cannot use IBGP between PE and CE.

1. Configure the PE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	Configuration commands in BGP-VPN instance view are the same as those in BGP instance view. For more information, see Layer 3—IP Routing Configuration Guide.
4. Configure the CE as the VPN IBGP peer.	peer { group-name \| ip-address [ mask-length ] } as-number as-number	By default, no BGP peers exist.
5. Create the BGP-VPN IPv4 unicast family and enter its view.	address-family ipv4 [ unicast ]	By default, the BGP-VPN IPv4 unicast family is not created.
6. Enable IPv4 unicast route exchange with the specified peer.	peer { group-name \| ip-address [ mask-length ] } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.

2. Configure the CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
3. Configure the PE as an IBGP peer.	peer { group-name \| ip-address [ mask-length ] } as-number as-number	By default, no BGP peers exist.
4. Create the BGP IPv4 unicast family and enter its view.	address-family ipv4 [ unicast ]	By default, the BGP IPv4 unicast family is not created.
5. Enable IPv4 unicast route exchange with the specified peer or peer group.	peer { group-name \| ip-address [ mask-length ] } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
6. (Optional.) Configure route redistribution.	import-route protocol [ { process-id \| all-processes } [ allow-direct \| med med-value \| route-policy route-policy-name ] * ]	A CE must redistribute its routes to the PE so the PE can advertise them to the peer CE.

Configuring routing between PEs

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
3. Configure the remote PE as a BGP peer.	peer { group-name \| ip-address [ mask-length ] } as-number as-number	By default, no BGP peers exist.
4. (Optional.) Specify the source interface for route updates.	peer { group-name \| ip-address [ mask-length ] } connect-interface interface-type interface-number	By default, BGP uses the egress interface of the optimal route destined for the peer as the source interface.
5. Create the BGP VPNv4 address family and enter its view.	address-family vpnv4	By default, the BGP VPNv4 address family is not created.
6. Enable BGP VPNv4 route exchange with the specified peer.	peer { group-name \| ip-address [ mask-length ] } enable	By default, BGP does not exchange BGP VPNv4 routes with any peer.

Configuring BGP VPNv4 route control

BGP VPNv4 route control is configured similarly with BGP route control, except that it is configured in BGP VPNv4 address family view. For more information about BGP route control, see Layer 3—IP Routing Configuration Guide.

To configure BGP VPNv4 route control:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
3. Enter BGP VPNv4 address family view.	address-family vpnv4	N/A
4. Configure filtering of advertised routes.	filter-policy { ipv4-acl-number \| prefix-list prefix-list-name } export [ protocol process-id ]	By default, BGP does not filter advertised routes.
5. Configure filtering of received routes.	filter-policy { ipv4-acl-number \| prefix-list prefix-list-name } import	By default, BGP does not filter received routes.
6. Advertise the COMMUNITY attribute to a peer or peer group.	peer { group-name \| ipv4-address [ mask-length ] } advertise-community	By default, BGP does not advertise the COMMUNITY attribute to any peers or peer groups.
7. Allow the local AS number to appear in the AS_PATH attribute of routes received from the peer, and set the maximum number of repetitions.	peer { group-name \| ipv4-address [ mask-length ] } allow-as-loop [ number ]	By default, BGP discards route updates that contain the local AS number.
8. Filter routes received from or advertised to a peer or peer group based on an AS_PATH list.	peer { group-name \| ipv4-address [ mask-length ] } as-path-acl aspath-filter-number { import \| export }	By default, no AS filtering list is applied to a peer or peer group.
9. Advertise a default VPN route to a peer or peer group.	peer { group-name \| ipv4-address [ mask-length ] } default-route-advertise vpn-instance vpn-instance-name	By default, no default VPN route is advertised to a peer or peer group.
10. Apply an ACL to filter routes received from or advertised to a peer or peer group.	peer { group-name \| ipv4-address [ mask-length ] } filter-policy ipv4-acl-number { export \| import }	By default, no ACL-based filtering is configured.
11. Save all route updates from a peer or peer group.	peer { group-name \| ip-address [ mask-length ] } keep-all-routes	By default, BGP does not save route updates from any peer.
12. Specify the router as the next hop of routes sent to a peer or peer group.	peer { group-name \| ipv4-address [ mask-length ] } next-hop-local	By default, the router sets itself as the next hop for routes sent to a peer or peer group.
13. Configure BGP to not change the next hop of routes sent to a peer or peer group.	peer { group-name \| ipv4-address [ mask-length ] } next-hop-invariable	By default, the router sets itself as the next hop for routes sent to a peer or peer group. In an inter-AS option C network where an RR is used to advertise VPNv4 routes, configure this command on the RR so the RR does not change the next hop of routes sent to peers and clients.
14. Set a preferred value for routes received from a peer or peer group.	peer { group-name \| ipv4-address [ mask-length ] } preferred-value value	By default, the preferred value is 0.
15. Apply a prefix list to filter routes received from or advertised to a peer or peer group.	peer { group-name \| ipv4-address [ mask-length ] } prefix-list prefix-list-name { export \| import }	By default, no prefix list based filtering is configured.
16. Configure BGP updates advertised to an EBGP peer or peer group to carry only public AS numbers.	peer { group-name \| ipv4-address [ mask-length ] } public-as-only	By default, BGP route updates advertised to an EBGP peer or peer group can carry both public and private AS numbers.
17. Configure the router as an RR and specify a peer or peer group as its client.	peer { group-name \| ipv4-address [ mask-length ] } reflect-client	By default, no RR is configured.
18. Set the maximum number of routes BGP can receive from a peer or peer group.	peer { group-name \| ipv4-address [ mask-length ] } route-limit prefix-number [ { alert-only \| discard \| reconnect reconnect-time } \| percentage-value ] *	By default, the number of routes that BGP can receive from a peer or peer group is not limited.
19. Apply a routing policy to a peer or peer group.	peer { group-name \| ipv4-address [ mask-length ] } route-policy route-policy-name { export \| import }	By default, no routing policy is applied to a peer or peer group.
20. Enable route target filtering of received VPNv4 routes.	policy vpn-target	By default, route target filtering is enabled for received VPNv4 routes. Only VPNv4 routes whose export route target attribute matches local import route target attribute are added to the routing table.
21. Enable route reflection between clients.	reflect between-clients	By default, route reflection between clients is enabled on the RR.
22. Configure a cluster ID for the RR.	reflector cluster-id { cluster-id \| ip-address }	By default, the RR uses its own router ID as the cluster ID.
23. Configure filtering of reflected routes.	rr-filter ext-comm-list-number	By default, the RR does not filter reflected routes.
24. Configure the SoO attribute for a BGP peer or peer group.	peer { group-name \| ipv4-address [ mask-length ] } soo site-of-origin	By default, the SoO attribute is not configured.

Configuring inter-AS VPN

If the MPLS backbone spans multiple ASs, you must configure inter-AS VPN.

Configuring inter-AS option A

Inter-AS option A applies to scenarios with a few VPNs.

To configure inter-AS option A, create VPN instances on PEs and ASBRs. The VPN instances on PEs are used to allow CEs to access the network, The VPN instances on ASBRs are used to access the peer ASBRs. An ASBR considers the peer ASBR as a CE.

The route targets configured on the PEs must match those configured on the ASBRs in the same AS to make sure VPN routes sent by the PEs (or ASBRs) can be received by the ASBRs (or PEs). Route targets configured on the PEs in different ASs do not have such requirements.

For more information, see "Configuring basic MPLS L3VPN."

Configuring inter-AS option B

To configure inter-AS option B, perform configurations on PEs and ASBRs.

· PE configuration:

Configure basic MPLS L3VPN, and specify the ASBR in the same AS as an MP-IBGP peer. The route targets for the VPN instances on the PEs in different ASs must match for the same VPN. For information about PE configuration, see "Configuring basic MPLS L3VPN."

· ASBR configuration:

? Configure a routing protocol, and enable MPLS and LDP on the interface connected to an internal router of the AS.

? Specify the PE in the same AS as an MP-IBGP peer, and the ASBR in a different AS as an MP-EBGP peer.

? Disable VPN target filtering for VPNv4 routes so the ASBR can maintain all VPNv4 routes and advertise the routes to the peer ASBR.

? Enable MPLS capability on the interface connected to the ASBR in another AS. There is no need to configure a label distribution protocol, for example, LDP.

An ASBR always sets itself as the next hop of VPNv4 routes advertised to an MP-IBGP peer regardless of the peer next-hop-local command.

To configure inter-AS option B on an ASBR:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view of the interface connected to an internal router of the AS.	interface interface-type interface-number	N/A
3. Enable MPLS on the interface.	mpls enable	By default, MPLS is disabled on the interface.
4. Enable MPLS LDP on the interface.	mpls ldp enable	By default, MPLS LDP is disabled on the interface.
5. Return to system view.	quit	N/A
6. Enter interface view of the interface connected to the remote ASBR.	interface interface-type interface-number	N/A
7. Enable MPLS on the interface.	mpls enable	By default, MPLS is disabled on the interface.
8. Return to system view.	quit	N/A
9. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
10. Create a BGP peer.	peer { group-name \| ipv4-address [ mask-length ] } as-number as-number	By default, no BGP peers exist. Configure PEs in the same AS as IBGP peers, and ASBRs in different ASs as EBGP peers.
11. Enter BGP VPNv4 address family view.	address-family vpnv4	N/A
12. Enable BGP to exchange VPNv4 routes with the PE in the same AS and the ASBR in different ASs.	peer { group-name \| ipv4-address [ mask-length ] } enable	By default, BGP cannot exchange VPNv4 routing information with a peer.
13. Disable route target filtering of VPNv4 routes.	undo policy vpn-target	By default, route target filtering is enabled for received VPNv4 routes. Only VPNv4 routes whose export route target attribute matches local import route target attribute are added to the routing table.

Configuring inter-AS option C

To configure inter-AS option C, perform configurations on PEs and ASBRs.

· PE configuration:

? Configure basic MPLS L3VPN, and specify the PE in another AS as an MP-EBGP peer. The route targets for the VPN instances on the PEs in different ASs must match for the same VPN. For information about PE configuration, see "Configuring basic MPLS L3VPN."

? Execute the peer ebgp-max-hop command to enable the local router to establish an EBGP session to an indirectly-connected peer, because the PEs are not directly connected.

? Specify the ASBR in the same AS as an IBGP peer, and enable BGP to exchange labeled IPv4 unicast routes with the ASBR.

· ASBR configuration:

? Configure a routing protocol, and enable MPLS and LDP on the interface connected to an internal router of the AS.

? Specify the PE in the same AS as an IBGP peer, and the ASBR in a different AS as an EBGP peer.

? Enable BGP to exchange labeled IPv4 unicast routes with the PE in the same AS and the ASBR in different AS.

? Enable MPLS capability on the interface connected to the ASBR in another AS. There is no need to configure a label distribution protocol, for example, LDP.

? (Optional.) Configure a routing policy to determine which IPv4 unicast routes are advertised to the IBGP or EBGP peer with MPLS labels.

In addition, configure BGP to advertise routes destined for a PE on PEs or ASBRs. For more information, see Layer 3—IP Routing Configuration Guide.

Configuring a PE

To configure a PE for inter-AS option C:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
3. Configure the ASBR in the same AS as an IBGP peer.	peer { group-name \| ipv4-address [ mask-length ] } as-number as-number	By default, no BGP peers exist.
4. Configure the PE of another AS as an EBGP peer.	peer { group-name \| ipv4-address [ mask-length ] } as-number as-number	By default, no BGP peers exist.
5. Create the BGP IPv4 unicast address family and enter its view.	address-family ipv4 [ unicast ]	By default, the BGP IPv4 unicast address family is not created.
6. Enable BGP to exchange IPv4 unicast routes with the ASBR in the same AS.	peer { group-name \| ipv4-address [ mask-length ] } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
7. Enable BGP to exchange labeled IPv4 routes with the ASBR in the same AS.	peer { group-name \| ipv4-address [ mask-length ] } label-route-capability	By default, BGP cannot exchange labeled routes with any IPv4 peer or peer group.
8. Return to BGP instance view.	quit	N/A
9. Enter BGP VPNv4 address family view.	address-family vpnv4	N/A
10. Enable BGP to exchange VPNv4 routes with the PE in different ASs.	peer { group-name \| ipv4-address [ mask-length ] } enable	By default, BGP cannot exchange VPNv4 routes with any peer.
11. (Optional.) Configure the PE to not change the next hop of routes advertised to the EBGP peer.	peer { group-name \| ipv4-address [ mask-length ] } next-hop-invariable	Configure this command on the RR so the RR does not change the next hop of advertised VPNv4 routes.

Configuring an ASBR

To set up an inter-AS public tunnel for the inter-AS option C solution, an ASBR must assign an MPLS label to the route destined for a PE, and advertise the label along with the route. Typically, the routes advertised by an ASBR through BGP include the PE address as well as other routes. You can configure a routing policy to filter routes. Routes surviving the filtering are assigned labels, and all others are advertised as common IPv4 routes.

To configure a routing policy, use the following commands:

· if-match mpls-label—Matches routes carrying MPLS labels.

· apply mpls-label—Sets MPLS labels for IPv4 routes advertised to a peer. You can use this command together with if-match clauses. For example, the apply mpls-label command works together with the if-match mpls-label command to set new MPLS labels for routes with MPLS labels. The newly assigned labels are advertised along with the routes.

For more information about routing policy configuration, see Layer 3—IP Routing Configuration Guide.

To configure an ASBR for inter-AS option C:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. (Optional.) Create a routing policy, and enter routing policy view.	route-policy route-policy-name { deny \| permit } node node-number	By default, no routing policies exist.
3. (Optional.) Match IPv4 routes carrying labels.	if-match mpls-label	By default, no MPLS label match criterion is configured.
4. (Optional.) Set labels for IPv4 routes.	apply mpls-label	By default, no MPLS label is set for IPv4 routes.
5. Return to system view.	quit	N/A
6. Enter interface view of the interface connected to an internal router of the AS.	interface interface-type interface-number	N/A
7. Enable MPLS on the interface.	mpls enable	By default, MPLS is disabled on the interface.
8. Enable MPLS LDP on the interface.	mpls ldp enable	By default, MPLS LDP is disabled on the interface.
9. Return to system view.	quit	N/A
10. Enter interface view of the interface connected to the remote ASBR.	interface interface-type interface-number	N/A
11. Enable MPLS on the interface.	mpls enable	By default, MPLS is disabled on the interface.
12. Return to system view.	quit	N/A
13. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
14. Configure the PE in the same AS as an IBGP peer.	peer { group-name \| ipv4-address [ mask-length ] } as-number as-number	By default, no BGP peers exist.
15. Configure the ASBR in another AS as an EBGP peer.	peer { group-name \| ipv4-address [ mask-length ] } as-number as-number	By default, no BGP peers exist.
16. Create the BGP IPv4 unicast address family and enter its view.	address-family ipv4 [ unicast ]	By default, the BGP IPv4 unicast address family is not created.
17. Enable exchange of IPv4 unicast routes with the PE in the same AS and the ASBR in another AS.	peer { group-name \| ipv4-address [ mask-length ] } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
18. Enable exchange of labeled IPv4 routes with the PE in the same AS and the ASBR in another AS.	peer { group-name \| ipv4-address [ mask-length ] } label-route-capability	By default, BGP cannot advertise labeled routes to any IPv4 peer or peer group.
19. Configure the ASBR to set itself as the next hop of routes advertised to the PE in the local AS.	peer { group-name \| ipv4-address [ mask-length ] } next-hop-local	By default, BGP does not use its address as the next hop of routes advertised to an IBGP peer or peer group.
20. (Optional.) Apply a routing policy to routes incoming from or outgoing to a peer or peer group.	peer { group-name \| ipv4-address [ mask-length ] } route-policy route-policy-name { export \| import }	By default, no routing policy is applied.

Configuring nested VPN

For a network with many VPNs, nested VPN is a good solution to implement layered management of VPNs and to conceal the deployment of internal VPNs.

To build a nested VPN network, perform the following configurations:

· Configurations between customer PE and customer CE—Configure VPN instances on the customer PE and configure route exchange between customer PE and customer CE.

· Configurations between customer PE and provider CE—Configure BGP VPNv4 route exchange between them. To make sure the provider CE can receive all VPNv4 routes, configure the undo policy vpn-target command on the provider CE to not filter VPNv4 routes by RTs.

· Configurations between provider CE and provider PE—Configure VPN instances and enable nested VPN on the provider PE and configure BGP VPNv4 route exchange between the provider CE and provider PE.

· Configurations between provider PEs—Configure BGP VPNv4 route exchange between them.

Nested VPN allows a customer PE to directly exchange VPNv4 routes with a provider PE, without needing to deploy a provider CE. In this case, the customer PE also acts as the provider CE. Therefore, you must configure provider CE settings on it.

Configurations on the customer CE, customer PE, and provider CE are similar to basic MPLS L3VPN configurations. This task describes the configurations on the provider PE.

When you configure nested VPN, follow these guidelines:

· The address spaces of sub-VPNs of a VPN cannot overlap.

· Do not assign nested VPN peers addresses that public network peers use.

· Nested VPN does not support multihop EBGP. A provider PE and a provider CE must use the addresses of the directly connected interfaces to establish a neighbor relationship.

To configure nested VPN:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
3. Enter BGP VPNv4 address family view.	address-family vpnv4	N/A
4. Enable nested VPN.	nesting-vpn	By default, nested VPN is disabled.
5. Return to BGP instance view.	quit	N/A
6. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
7. Specify the peer CE or the peer group of the peer CE.	peer { group-name \| ipv4-address [ mask-length ] } as-number as-number	By default, no peer is specified.
8. Create the BGP-VPN VPNv4 address family and enter its view.	address-family vpnv4	By default, the BGP-VPN VPNv4 address family is not created.
9. Enable BGP VPNv4 route exchange with the peer CE or the peer group of the peer CE.	peer { group-name \| ipv4-address [ mask-length ] } enable	By default, BGP does not exchange VPNv4 routes with any peer.
10. (Optional.) Configure the SoO attribute for the BGP peer or peer group.	peer { group-name \| ipv4-address [ mask-length ] } soo site-of-origin	By default, the SoO attribute is not configured.

Configuring multirole host

To configure the multirole host feature, perform the following tasks on the PE connected to the CE in the site where the multirole host resides:

· Configure and apply PBR.

· Configure static routes.

Configuring and applying PBR

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a policy node and enter policy node view.	policy-based-route policy-name { deny \| permit } node node-number	By default, no policy nodes exist.
3. Configure match criteria for the node.	See Layer 3—IP Routing Configuration Guide.	By default, no match criterion is configured. All packets match the criteria for the node. This step matches packets from the multirole host.
4. Specify the VPN instances for forwarding the matching packets.	apply access-vpn vpn-instance vpn-instance-name&<1-n>	By default, no VPN instance is specified. You must specify multiple VPN instances for the node. The first one is the VPN instance to which the multirole host belongs, and others are the VPN instances to be accessed by the multirole host. A matching packet is forwarded according to the routing table of the first VPN instance that has a matching route for that packet.
5. Return to system view.	quit	N/A
6. Enter the view of the interface connected to the CE.	interface interface-type interface-number	N/A
7. Apply the policy to the interface.	ip policy-based-route policy-name	By default, no policy is applied to the interface.

Configuring a static route

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure a static route for a VPN instance to reach the multirole host.

ip route-static vpn-instance s-vpn-instance-name dest-address { mask-length | mask } vpn-instance d-vpn-instance-name next-hop-address [ track track-entry-number ] [ permanent ] [ preference preference ] [ tag tag-value ] [ description text ]

By default, no static routes are configured.

The d-vpn-instance-name argument represents the VPN instance to which the multirole host belongs. The next-hop-address argument represents the IP address of the CE in the site where the multirole host resides.

Configuring HoVPN

In a HoVPN networking scenario, perform basic MPLS L3VPN settings on UPE and SPE. In addition, configure the following settings on the SPE:

· Specify the BGP peer or peer group as a UPE.

· Advertise the default route of the specified VPN instance or routes matching a routing policy to the UPE.

· Create a BGP-VPN instance so the learned VPNv4 routes can be added into the BGP routing table of the corresponding VPN instance by comparing RTs.

Associating an interface with a VPN instance is not required on the SPE because no interface on the SPE is directly connected to the customer network.

As a best practice, do not configure the peer default-route-advertise vpn-instance and peer upe route-policy commands at the same time.

To configure SPE for HoVPN:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
3. Specify a BGP peer or peer group.	peer { group-name \| ipv4-address [ mask-length ] } as-number as-number	By default, no BGP peers exist.
4. Enter BGP-VPN VPNv4 address family view.	address-family vpnv4	N/A
5. Enable BGP VPNv4 route exchange with the peer or peer group.	peer { group-name \| ipv4-address [ mask-length ] } enable	By default, BGP does not exchange VPNv4 routes with any peer.
6. Specify the BGP peer or peer group as a UPE.	peer { group-name \| ipv4-address [ mask-length ] } upe	By default, no peer is a UPE.
7. Advertise routes to the UPE.	· Advertise a default VPN route to the UPE: peer { group-name \| ipv4-address [ mask-length ] } default-route-advertise vpn-instance vpn-instance-name · Advertise routes permitted by a routing policy to the UPE: peer { group-name \| ipv4-address [ mask-length ] } upe route-policy route-policy-name export	By default, no route is advertised to the UPE. Do not configure both commands. The peer default-route-advertise vpn-instance command advertises a default route using the local address as the next hop to the UPE, regardless of whether the default route exists in the local routing table. However, if the specified peer is not a UPE, the command does not advertise a default route.
8. Return to BGP instance view.	quit	N/A
9. Create a BGP-VPN instance, and enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	By default, no BGP-VPN instances exist.

Configuring an OSPF sham link

When a backdoor link exists between the two sites of a VPN, you can create a sham link between PEs to forward VPN traffic through the sham link on the backbone rather than the backdoor link. A sham link is considered an OSPF intra-area route.

The source and destination addresses of the sham link must be loopback interface addresses with 32-bit masks. The loopback interfaces must be bound to VPN instances, and their addresses are advertised through BGP.

Before you configure an OSPF sham link, perform the following tasks:

· Configure basic MPLS L3VPN (OSPF is used between PE and CE).

· Configure OSPF in the LAN where customer CEs reside.

Configuring a loopback interface

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a loopback interface and enter loopback interface view.	interface loopback interface-number	By default, no loopback interfaces exist.
3. Associate the loopback interface with a VPN instance.	ip binding vpn-instance vpn-instance-name	By default, the interface is associated with no VPN instance.
4. Configure an IP address for the loopback interface.	ip address ip-address { mask \| mask-length }	By default, no IP address is configured for the loopback interface.

Redistributing the loopback interface address

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Enter BGP-VPN IPv4 unicast address family view.	address-family ipv4 [ unicast ]	N/A
5. Redistribute direct routes into BGP (including the loopback interface route).	import-route direct	By default, no direct routes are redistributed into BGP.

Creating a sham link

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter OSPF view.	ospf [ process-id \| router-id router-id \| vpn-instance vpn-instance-name ] *	As a best practice, specify a router ID.
3. Set the external route tag for imported VPN routes.	route-tag tag-value	By default, if BGP runs within an MPLS backbone, and the BGP AS number is not greater than 65535, the first two octets of the external route tag are 0xD000 and the last two octets are the local BGP AS number. If the AS number is greater than 65535, the external route tag is 0.
4. Enter OSPF area view.	area area-id	N/A
5. Configure a sham link.	sham-link source-ip-address destination-ip-address [ cost cost-value \| dead dead-interval \| hello hello-interval \| { { hmac-md5 \| md5 } key-id { cipher \| plain } string \| simple { cipher \| plain } string } \| retransmit retrans-interval \| trans-delay delay \| ttl-security hops hop-count ] *	By default, no sham links exist.

Specifying the VPN label processing mode on the egress PE

An egress PE can process VPN labels in either POPGO or POP mode:

· POPGO forwarding—Pops the label and forwards the packet out of the egress interface corresponding to the label.

· POP forwarding—Pops the label and forwards the packet through the FIB table.

The POPGO forwarding mode (vpn popgo) and per-VPN instance label allocation mode (label-allocation-mode per-vrf) are mutually exclusive. Do not configure both modes in a BGP instance. For more information about the label-allocation-mode command, see BGP commands in Layer 3—IP Routing Command Reference.

To specify the VPN label processing mode on an egress PE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
3. Specify the VPN label processing mode as POPGO forwarding.	vpn popgo	The default is POP forwarding.

Configuring BGP AS number substitution and SoO attribute

When CEs at different sites have the same AS number, configure the BGP AS number substitution feature to avoid route loss.

When a PE uses different interfaces to connect different CEs in a site, the BGP AS number substitution feature introduces a routing loop. To remove the routing loop, configure the SoO attribute on the PE.

For more information about the BGP AS number substitution feature and the SoO attribute, see "BGP AS number substitution and SoO attribute."

To configure BGP AS number substitution and SoO attribute:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Enable the BGP AS number substitution feature.	peer { ipv4-address [ mask-length ] \| group-name } substitute-as	By default, BGP AS number substitution is disabled.
5. Enter BGP-VPN IPv4 unicast address family view.	address-family ipv4 [ unicast ]	N/A
6. (Optional.) Configure the SoO attribute for a BGP peer or peer group.	peer { group-name \| ipv4-address [ mask-length ] } soo site-of-origin	By default, the SoO attribute is not configured.

For more information about the commands in this section, see Layer 3—IP Routing Command Reference.

Configuring MPLS L3VPN FRR

You can use the following methods to configure MPLS L3VPN FRR:

· Method 1—Execute the pic command in BGP-VPN IPv4 unicast address family view. The device calculates a backup next hop for each BGP route in the VPN instance if there are two or more unequal-cost routes to reach the destination.

· Method 2—Execute the fast-reroute route-policy command in BGP-VPN IPv4 unicast address family view to use a routing policy. In the routing policy, specify a backup next hop by using the apply fast-reroute backup-nexthop command. The backup next hop calculated by the device must be the same as the specified backup next hop. Otherwise, the device does not generate a backup next hop for the primary route. You can also configure if-match clauses in the routing policy to identify the routes protected by FRR.

If both methods are configured, Method 2 takes precedence over Method 1.

To configure MPLS L3VPN FRR:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable MPLS BFD.	mpls bfd enable	The mpls bfd enable command applies to VPNv4 route backup for a VPNv4 route and IPv4 route backup for a VPNv4 route. For more information about this command, see MPLS Command Reference.
3. Configure the source IP address for BFD echo packets.	bfd echo-source-ip ip-address	The bfd echo-source-ip command is required when echo-mode BFD is used to detect primary route connectivity in VPNv4 route backup for an IPv4 route. For more information about this command, see High Availability Command Reference.
4. Use BFD to test the connectivity of an LSP or MPLS TE tunnel.	· Configure BFD to test the connectivity of the LSP for the specified FEC: mpls bfd dest-addr mask-length [ nexthop nexthop-address [ discriminator local local-id remote remote-id ] ] [ template template-name ] · Configure BFD to test the connectivity of the MPLS TE tunnel for the tunnel interface: a. interface tunnel number mode mpls-te b. mpls bfd [ discriminator local local-id remote remote-id ] [ template template-name ] c. quit	By default, BFD is not configured to test the connectivity of the LSP or MPLS TE tunnel. This step is required for VPNv4 route backup for a VPNv4 route and IPv4 route backup for a VPNv4 route. Use either command depending on the public tunnel type. For more information about the commands in this step, see MPLS Command Reference.
5. Create a routing policy and enter routing policy view.	route-policy route-policy-name permit node node-number	By default, no routing policies exist. This step is required to enable MPLS L3VPN FRR in Method 2. For more information about this command, see Layer 3—IP Routing Command Reference.
6. Set the backup next hop for FRR.	apply fast-reroute backup-nexthop ip-address	By default, no backup next hop address is set for FRR. This step is required to enable MPLS L3VPN FRR in Method 2. For more information about this command, see Layer 3—IP Routing Command Reference.
7. Return to system view.	quit	N/A
8. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
9. (Optional.) Use echo-mode BFD to detect the connectivity to the next hop of the primary route.	primary-path-detect bfd echo	By default, ARP is used to detect the connectivity to the next hop. Use this command if necessary in VPNv4 route backup an IPv4 route. For more information about this command, see Layer 3—IP Routing Command Reference.
10. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
11. Enter BGP-VPN IPv4 unicast address family view.	address-family ipv4 [ unicast ]	N/A
12. Enable MPLS L3VPN FRR.	· (Method 1) Enable MPLS L3VPN FRR for the address family: pic · (Method 2) Use a routing policy to specify a backup next hop for the address family: fast-reroute route-policy route-policy-name	By default, MPLS L3VPN FRR is disabled. Method 1 might result in routing loops. Use it with caution. By default, no routing policy is used. The apply fast-reroute backup-nexthop command can take effect in the routing policy that is being used. Other apply commands do not take effect. For more information about the command, see Layer 3—IP Routing Command Reference.

Configuring BGP RT filtering

The BGP RT filtering feature reduces the number of routes advertised in an MPLS L3VPN.

After RT filtering is configured, a PE advertises its import target attribute to the peer PEs in the RT filter address family. The peer PEs use the received import target attribute to filter routes and advertise only the routes that match the attribute to the PE.

When a large number of IBGP peers exist, the BGP RT filtering and the route reflection features are used together as a best practice. Route reflection reduces the number of IBGP connections. BGP RT filtering reduces the number of routes advertised in the network.

For more information about the BGP RT filtering commands, see Layer 3—IP Routing Command Reference.

To configure BGP RT filtering:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
3. Enter BGP IPv4 RT filter address family view.	address-family ipv4 rtfilter	N/A
4. Enable the device to exchange routing information with a peer or peer group.	peer { group-name \| ipv4-address [ mask-length ] } enable	By default, the device cannot exchange routing information with a peer or peer group.
5. (Optional.) Advertise a default route to a peer or peer group.	peer { group-name \| ipv4-address [ mask-length ] } default-route-advertise [ route-policy route-policy-name ]	By default, no default route is advertised.
6. (Optional.) Configure the device as a route reflector and specify a peer or peer group as its client.	peer { group-name \| ipv4-address [ mask-length ] } reflect-client	By default, no route reflector or client is configured.
7. (Optional.) Enable route reflection between clients.	reflect between-clients	By default, route reflection between clients is enabled.
8. (Optional.) Configure the cluster ID of the route reflector.	reflector cluster-id { cluster-id \| ip-address }	By default, a route reflector uses its own router ID as the cluster ID.

Configuring route replication

About route replication

In a BGP/MPLS L3VPN network, only VPN instances that have matching route targets can communicate with each other. The route replication feature enables a VPN instance to communicate with the public network or other VPN instances by replicating routes from the public network or other VPN instances.

In an intelligent traffic control network, traffic of different tenants is assigned to different VPNs. To enable the tenants to communicate with the public network, configure this feature to replicate routes from the public network to the VPN instances.

Procedure

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter VPN instance view.	ip vpn-instance vpn-instance-name	N/A
3. Enter IPv4 VPN view.	address-family ipv4	N/A
4. Replicate routes from the public network or other VPN instances.	route-replicate from { public \| vpn-instance vpn-instance-name } protocol bgp as-number [ route-policy route-policy-name ] route-replicate from { public \| vpn-instance vpn-instance-name } protocol { direct \| static \| { isis \| ospf \| rip } process-id } [ advertise ] [ route-policy route-policy-name ]	By default, a VPN instance cannot replicate routes from the public network or other VPN instances.

Enabling ECMP VPN route redistribution

For multiple routes that have the same prefix and RD, a VPN instance redistributes only the optimal route into its routing table by default. This feature enables a VPN instance to redistribute all routes that have the same prefix and RD into its routing table to perform load sharing or MPLS L3VPN FRR.

To enable ECMP VPN route redistribution:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP IPv4 unicast address family view, BGP-VPN IPv4 unicast address family view, BGP IPv6 unicast address family view, or BGP-VPN IPv6 unicast address family view.	· Enter BGP IPv4 unicast address family view: a. bgp as-number [ instance instance-name ] b. address-family ipv4 [ unicast ] · Enter BGP-VPN IPv4 unicast address family view: c. bgp as-number [ instance instance-name ] d. ip vpn-instance vpn-instance-name e. address-family ipv4 [ unicast ] · Enter BGP IPv6 unicast address family view: f. bgp as-number [ instance instance-name ] g. address-family ipv6 [ unicast ] · Enter BGP-VPN IPv6 unicast address family view: h. bgp as-number [ instance instance-name ] i. ip vpn-instance vpn-instance-name j. address-family ipv6 [ unicast ]	N/A
3. Enable ECMP VPN route redistribution.	vpn-route cross multipath	By default, ECMP VPN route redistribution is disabled. If multiple routes have the same prefix and RD, a VPN instance redistributes only the optimal route into its routing table. In BGP IPv4 unicast address family view and BGP IPv6 unicast address family view, this command redistributes ECMP routes to the routing table of the public instance. For more information about the public instance, see EVPN Configuration Guide.

Enabling SNMP notifications for MPLS L3VPN

To report critical MPLS L3VPN events to an NMS, enable SNMP notifications for MPLS L3VPN. For MPLS L3VPN event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see the network management and monitoring configuration guide for the device.

To enable SNMP notifications for MPLS L3VPN:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable SNMP notifications for MPLS L3VPN.	snmp-agent trap enable l3vpn	By default, SNMP notifications for MPLS L3VPN are enabled.

Displaying and maintaining MPLS L3VPN

You can soft-reset or reset BGP sessions to apply new BGP configurations. A soft reset operation updates BGP routing information without tearing down BGP connections. A reset operation updates BGP routing information by tearing down, and then re-establishing BGP connections. Soft reset requires that BGP peers have route refresh capability.

Execute the following commands in user view to soft reset or reset BGP connections:

Task	Command
Soft-reset BGP sessions for the BGP IPv4 RT filter address family.	refresh bgp [ instance instance-name ] { ipv4-address [ mask-length ] \| all \| external \| group group-name \| internal } { export \| import } ipv4 rtfilter
Manually soft reset BGP sessions for VPNv4 address family.	refresh bgp [ instance instance-name ] { ipv4-address [ mask-length ] \| all \| external \| group group-name \| internal } { export \| import } vpnv4 [ vpn-instance vpn-instance-name ]
Reset BGP sessions for the BGP IPv4 RT filter address family.	reset bgp [ instance instance-name ] { as-number \| ipv4-address [ mask-length ] \| all \| external \| internal \| group group-name } ipv4 rtfilter
Reset BGP sessions for VPNv4 address family.	reset bgp [ instance instance-name ] { as-number \| ipv4-address [ mask-length ] \| all \| external \| internal \| group group-name } vpnv4 [ vpn-instance vpn-instance-name ]

For more information about the refresh bgp vpnv4 and reset bgp vpnv4 commands, see Layer 3—IP Routing Command Reference.

Execute the following commands in any view to display MPLS L3VPN:

Task	Command
Display BGP IPv4 RT filter peer group information.	display bgp [ instance instance-name ] group ipv4 rtfilter [ group-name group-name ]
Display BGP VPNv4 peer group information.	display bgp [ instance instance-name ] group vpnv4 [ vpn-instance vpn-instance-name ] [ group-name group-name ]
Display BGP IPv4 RT filter information.	display bgp [ instance instance-name ] ipv4 rtfilter [ peer ipv4-address [ statistics ] \| statistics ]
Display BGP IPv4 RT filter peer information.	display bgp [ instance instance-name ] peer ipv4 rtfilter [ ipv4-address mask-length \| { ipv4-address \| group-name group-name } log-info \| [ ipv4-address ] verbose ]
Display BGP VPNv4 peer information.	display bgp [ instance instance-name ] peer vpnv4 [ vpn-instance vpn-instance-name ] [ ipv4-address mask-length \| { ipv4-address \| group-name group-name } log-info \| [ ipv4-address ] verbose ]
Display outgoing labels for BGP IPv4 unicast routes.	display bgp [ instance instance-name ] routing-table ipv4 [ unicast ] [ vpn-instance vpn-instance-name ] outlabel
Display incoming labels for BGP IPv4 unicast routes.	display bgp [ instance instance-name ] routing-table ipv4 [ unicast ] [ vpn-instance vpn-instance-name ] inlabel
Display BGP IPv4 RT filter routing information.	display bgp [ instance instance-name ] routing-table ipv4 rtfilter [ default-rt [ advertise-info ] \| [ origin-as as-number ] [ route-target [ advertise-info ] ] \| peer ipv4-address { advertised-routes \| received-routes } [ default-rt \| [ origin-as as-number ] [ route-target ] \| statistics ] \| statistics ]
Display information about BGP VPNv4 routes.	display bgp [ instance instance-name ] routing-table vpnv4 [ [ route-distinguisher route-distinguisher ] [ ipv4-address [ { mask \| mask-length } [ longest-match ] ] \| ipv4-address [ mask \| mask-length ] advertise-info \| as-path-acl as-path-acl-number \| community-list { { basic-community-list-number \| comm-list-name } [ whole-match ] \| adv-community-list-number } ] \| [ vpn-instance vpn-instance-name ] peer ipv4-address { advertised-routes \| received-routes } [ ipv4-address [ mask \| mask-length ] \| statistics ] \| statistics ]
Display incoming labels for BGP VPNv4 routes.	display bgp [ instance instance-name ] routing-table vpnv4 inlabel
Display outgoing labels for BGP VPNv4 routes.	display bgp [ instance instance-name ] routing-table vpnv4 outlabel
Display BGP IPv4 RT filter address family update group information.	display bgp [ instance instance-name ] update-group ipv4 rtfilter [ ipv4-address ]
Display BGP VPNv4 address family update group information.	display bgp [ instance instance-name ] update-group vpnv4 [ vpn-instance vpn-instance-name ] [ ipv4-address ]
Display the FIB of a VPN instance.	display fib vpn-instance vpn-instance-name
Display FIB entries that match the specified destination IP address in the specified VPN instance.	display fib vpn-instance vpn-instance-name ip-address [ mask \| mask-length ]
Display the routing table for a VPN instance.	display ip routing-table vpn-instance vpn-instance-name [ statistics \| verbose ]
Display information about a specific or all VPN instances.	display ip vpn-instance [ instance-name vpn-instance-name ]
Display OSPF sham link information.	display ospf [ process-id ] sham-link [ area area-id ]
Display VPN peer information.	display vpn-peer [ peer-id vpn-peer-id \| peer-name vpn-peer-name \| verbose ]

For more information about the display ip routing-table, display bgp group vpnv4, display bgp peer vpnv4, and display bgp update-group vpnv4, and RT filter display commands, see Layer 3—IP Routing Command Reference.

MPLS L3VPN configuration examples

Configuring basic MPLS L3VPN

Network requirements

CE 1 and CE 3 belong to VPN 1. CE 2 and CE 4 belong to VPN 2.

VPN 1 uses route target attribute 111:1. VPN 2 uses route target attribute 222:2. Users of different VPNs cannot access each other.

A PE and its connected CE use EBGP to exchange VPN routing information.

PEs use OSPF to communicate with each other and use MP-IBGP to exchange VPN routing information.

Figure 72 Network diagram

Table 13 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	GE2/0/1	10.1.1.1/24	P	Loop0	2.2.2.9/32
PE 1	Loop0	1.1.1.9/32		POS2/2/0	172.1.1.2/24
	GE2/0/1	10.1.1.2/24		POS2/2/1	172.2.1.1/24
	GE2/0/2	10.2.1.2/24	PE 2	Loop0	3.3.3.9/32
	POS2/2/0	172.1.1.1/24		GE2/0/1	10.3.1.2/24
CE 2	GE2/0/1	10.2.1.1/24		GE2/0/2	10.4.1.2/24
CE 3	GE2/0/1	10.3.1.1/24		POS2/2/0	172.2.1.2/24
CE 4	GE2/0/1	10.4.1.1/24

Configuration procedure

1. Configure OSPF on the MPLS backbone to ensure IP connectivity within the backbone:

# Configure PE 1.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 1.1.1.9 32

[PE1-LoopBack0] quit

[PE1] interface pos 2/2/0

[PE1-Pos2/2/0] ip address 172.1.1.1 24

[PE1-Pos2/2/0] quit

[PE1] ospf

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

# Configure the P device.

system-view

[P] interface loopback 0

[P-LoopBack0] ip address 2.2.2.9 32

[P-LoopBack0] quit

[P] interface pos 2/2/0

[P-Pos2/2/0] ip address 172.1.1.2 24

[P-Pos2/2/0] quit

[P] interface pos 2/2/1

[P-Pos2/2/1] ip address 172.2.1.1 24

[P-Pos2/2/1] quit

[P] ospf

[P-ospf-1] area 0

[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[P-ospf-1-area-0.0.0.0] quit

[P-ospf-1] quit

# Configure PE 2.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 3.3.3.9 32

[PE2-LoopBack0] quit

[PE2] interface pos 2/2/0

[PE2-Pos2/2/0] ip address 172.2.1.2 24

[PE2-Pos2/2/0] quit

[PE2] ospf

[PE2-ospf-1] area 0

[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

# Execute the display ospf peer command to verify that OSPF adjacencies in Full state have been established between PE 1, P, and PE 2. Execute the display ip routing-table command to verify that the PEs have learned the routes to the loopback interfaces of each other. (Details not shown.)

2. Configure basic MPLS and MPLS LDP on the MPLS backbone to establish LDP LSPs:

# Configure PE 1.

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] interface pos 2/2/0

[PE1-Pos2/2/0] mpls enable

[PE1-Pos2/2/0] mpls ldp enable

[PE1-Pos2/2/0] quit

# Configure the P device.

[P] mpls lsr-id 2.2.2.9

[P] mpls ldp

[P-ldp] quit

[P] interface pos 2/2/0

[P-Pos2/2/0] mpls enable

[P-Pos2/2/0] mpls ldp enable

[P-Pos2/2/0] quit

[P] interface pos 2/2/1

[P-Pos2/2/1] mpls enable

[P-Pos2/2/1] mpls ldp enable

[P-Pos2/2/1] quit

# Configure PE 2.

[PE2] mpls lsr-id 3.3.3.9

[PE2] mpls ldp

[PE2-ldp] quit

[PE2] interface pos 2/2/0

[PE2-Pos2/2/0] mpls enable

[PE2-Pos2/2/0] mpls ldp enable

[PE2-Pos2/2/0] quit

# Execute the display mpls ldp peer command to verify that LDP sessions in Operational state have been established between PE 1, P, and PE 2. Execute the display mpls ldp lsp command to verify that the LSPs have been established by LDP. (Details not shown.)

3. Configure VPN instances on PEs to allow CE access:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 111:1

[PE1-vpn-instance-vpn1] quit

[PE1] ip vpn-instance vpn2

[PE1-vpn-instance-vpn2] route-distinguisher 100:2

[PE1-vpn-instance-vpn2] vpn-target 222:2

[PE1-vpn-instance-vpn2] quit

[PE1] interface gigabitethernet 2/0/1

[PE1-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[PE1-GigabitEthernet2/0/1] ip address 10.1.1.2 24

[PE1-GigabitEthernet2/0/1] quit

[PE1] interface gigabitethernet 2/0/2

[PE1-GigabitEthernet2/0/2] ip binding vpn-instance vpn2

[PE1-GigabitEthernet2/0/2] ip address 10.2.1.2 24

[PE1-GigabitEthernet2/0/2] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 200:1

[PE2-vpn-instance-vpn1] vpn-target 111:1

[PE2-vpn-instance-vpn1] quit

[PE2] ip vpn-instance vpn2

[PE2-vpn-instance-vpn2] route-distinguisher 200:2

[PE2-vpn-instance-vpn2] vpn-target 222:2

[PE2-vpn-instance-vpn2] quit

[PE2] interface gigabitethernet 2/0/1

[PE2-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[PE2-GigabitEthernet2/0/1] ip address 10.3.1.2 24

[PE2-GigabitEthernet2/0/1] quit

[PE2] interface gigabitethernet 2/0/2

[PE2-GigabitEthernet2/0/2] ip binding vpn-instance vpn2

[PE2-GigabitEthernet2/0/2] ip address 10.4.1.2 24

[PE2-GigabitEthernet2/0/2] quit

# Configure IP addresses for the CEs according to Table 13. (Details not shown.)

# Execute the display ip vpn-instance command on the PEs to display the configuration of the VPN instance, for example, on PE 1.

[PE1] display ip vpn-instance

Total VPN-Instances configured : 2

VPN-Instance Name RD Create time

vpn1 100:1 2012/02/13 12:49:08

vpn2 100:2 2012/02/13 12:49:20

# Use the ping command on the PEs to verify that the PEs can ping their attached CEs, for example, on PE 1.

[PE1] ping -vpn-instance vpn1 10.1.1.1

Ping 10.1.1.1 (10.1.1.1): 56 data bytes, press CTRL_C to break

56 bytes from 10.1.1.1: icmp_seq=0 ttl=255 time=1.000 ms

56 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=2.000 ms

56 bytes from 10.1.1.1: icmp_seq=2 ttl=255 time=0.000 ms

56 bytes from 10.1.1.1: icmp_seq=3 ttl=255 time=1.000 ms

56 bytes from 10.1.1.1: icmp_seq=4 ttl=255 time=0.000 ms

--- Ping statistics for 10.1.1.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/0.800/2.000/0.748 ms

4. Establish EBGP peer relationships between PEs and CEs, and redistribute VPN routes into BGP:

# Configure CE 1.

<CE1> system-view

[CE1] bgp 65410

[CE1-bgp-default] peer 10.1.1.2 as-number 100

[CE1-bgp-default] address-family ipv4 unicast

[CE1-bgp-default-ipv4] peer 10.1.1.2 enable

[CE1-bgp-default-ipv4] import-route direct

[CE1-bgp-default-ipv4] quit

[CE1-bgp-default] quit

# Configure the other three CEs in the same way that CE 1 is configured. (Details not shown.)

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp-default] ip vpn-instance vpn1

[PE1-bgp-default-vpn1] peer 10.1.1.1 as-number 65410

[PE1-bgp-default-vpn1] address-family ipv4 unicast

[PE1-bgp-default-ipv4-vpn1] peer 10.1.1.1 enable

[PE1-bgp-default-ipv4-vpn1] quit

[PE1-bgp-default-vpn1] quit

[PE1-bgp-default] ip vpn-instance vpn2

[PE1-bgp-default-vpn2] peer 10.2.1.1 as-number 65420

[PE1-bgp-default-vpn2] address-family ipv4 unicast

[PE1-bgp-default-ipv4-vpn2] peer 10.2.1.1 enable

[PE1-bgp-default-ipv4-vpn2] quit

[PE1-bgp-default-vpn1] quit

[PE1-bgp-default] quit

# Configure PE 2 in the same way that PE 1 is configured. (Details not shown.)

# Execute the display bgp peer ipv4 vpn-instance command on the PEs to verify that a BGP peer relationship in Established state has been established between a PE and a CE. (Details not shown.)

5. Create an MP-IBGP peer relationship between PEs:

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp-default] peer 3.3.3.9 as-number 100

[PE1-bgp-default] peer 3.3.3.9 connect-interface loopback 0

[PE1-bgp-default] address-family vpnv4

[PE1-bgp-default-vpnv4] peer 3.3.3.9 enable

[PE1-bgp-default-vpnv4] quit

[PE1-bgp-default] quit

# Configure PE 2.

[PE2] bgp 100

[PE2-bgp-default] peer 1.1.1.9 as-number 100

[PE2-bgp-default] peer 1.1.1.9 connect-interface loopback 0

[PE2-bgp-default] address-family vpnv4

[PE2-bgp-default-vpnv4] peer 1.1.1.9 enable

[PE2-bgp-default-vpnv4] quit

[PE2-bgp-default] quit

# Execute the display bgp peer vpnv4 command on the PEs to verify that a BGP peer relationship in Established state has been established between the PEs. (Details not shown.)

Verifying the configuration

# Execute the display ip routing-table vpn-instance command on the PEs.

[PE1] display ip routing-table vpn-instance vpn1

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.0/24 Direct 0 0 10.1.1.2 GE2/0/1

10.1.1.0/32 Direct 0 0 10.1.1.2 GE2/0/1

10.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.255/32 Direct 0 0 10.1.1.2 GE2/0/1

10.3.1.0/24 BGP 255 0 3.3.3.9 POS2/2/0

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

The output shows that PE 1 has a route to the remote CE. Output on PE 2 is similar.

# Verify that CEs of the same VPN can ping each other, whereas those of different VPNs cannot. For example, CE 1 can ping CE 3 (10.3.1.1), but it cannot ping CE 4 (10.4.1.1). (Details not shown.)

Configuring MPLS L3VPN over a GRE tunnel

Network requirements

CE 1 and CE 2 belong to VPN 1. The PEs support MPLS. The P router does not support MPLS and provides only IP features.

On the backbone, use a GRE tunnel to encapsulate and forward VPN packets to implement MPLS L3VPN.

Configure tunnel policies on the PEs, and specify the tunnel type for VPN traffic as GRE.

Figure 73 Network diagram

Table 14 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	GE2/0/1	10.1.1.1/24	P	POS2/2/0	172.1.1.2/24
PE 1	Loop0	1.1.1.9/32		POS2/2/1	172.2.1.1/24
	GE2/0/1	10.1.1.2/24	PE 2	Loop0	2.2.2.9/32
	POS2/2/1	172.1.1.1/24		GE2/0/1	10.2.1.2/24
	Tunnel0	20.1.1.1/24		POS2/2/0	172.2.1.2/24
CE 2	GE2/0/1	10.2.1.1/24		Tunnel0	20.1.1.2/24

Configuration procedure

1. Configure an IGP on the MPLS backbone to ensure IP connectivity within the backbone.

This example uses OSPF. (Details not shown.)

2. Configure basic MPLS on the PEs:

# Configure PE 1.

<PE1> system-view

[PE1] mpls lsr-id 1.1.1.9

# Configure PE 2.

<PE2> system-view

[PE2] mpls lsr-id 2.2.2.9

3. Configure VPN instances on PEs to allow CE access, and apply tunnel policies to the VPN instances, using a GRE tunnel for VPN packet forwarding:

# Configure PE 1.

[PE1] tunnel-policy gre1

[PE1-tunnel-policy-gre1] select-seq gre load-balance-number 1

[PE1-tunnel-policy-gre1] quit

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 100:1 both

[PE1-vpn-instance-vpn1] tnl-policy gre1

[PE1-vpn-instance-vpn1] quit

[PE1] interface gigabitethernet 2/0/1

[PE1-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[PE1-GigabitEthernet2/0/1] ip address 10.1.1.2 24

[PE1-GigabitEthernet2/0/1] quit

# Configure PE 2.

[PE2] tunnel-policy gre1

[PE2-tunnel-policy-gre1] select-seq gre load-balance-number 1

[PE2-tunnel-policy-gre1] quit

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 100:2

[PE2-vpn-instance-vpn1] vpn-target 100:1 both

[PE2-vpn-instance-vpn1] tnl-policy gre1

[PE2-vpn-instance-vpn1] quit

[PE2] interface gigabitethernet 2/0/1

[PE2-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[PE2-GigabitEthernet2/0/1] ip address 10.2.1.2 24

[PE2-GigabitEthernet2/0/1] quit

# Configure CE 1.

<CE1> system-view

[CE1] interface gigabitethernet 2/0/1

[CE1-GigabitEthernet2/0/1] ip address 10.1.1.1 24

[CE1-GigabitEthernet2/0/1] quit

# Configure CE 2.

<CE2> system-view

[CE2] interface gigabitethernet 2/0/1

[CE2-GigabitEthernet2/0/1] ip address 10.2.1.1 24

[CE2-GigabitEthernet2/0/1] quit

# Execute the display ip vpn-instance command on the PEs to display the configuration of the VPN instance, for example, on PE 1.

[PE1] display ip vpn-instance

Total VPN-Instances configured : 1

VPN-Instance Name RD Create time

vpn1 100:1 2012/02/13 15:59:50

# Use the ping command on the PEs to verify that the PEs can ping their attached CEs, for example, on PE 1.

[PE1] ping -vpn-instance vpn1 10.1.1.1

Ping 10.1.1.1 (10.1.1.1): 56 data bytes, press CTRL_C to break

56 bytes from 10.1.1.1: icmp_seq=0 ttl=255 time=1.000 ms

56 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=0.000 ms

56 bytes from 10.1.1.1: icmp_seq=2 ttl=255 time=0.000 ms

56 bytes from 10.1.1.1: icmp_seq=3 ttl=255 time=0.000 ms

56 bytes from 10.1.1.1: icmp_seq=4 ttl=255 time=0.000 ms

--- Ping statistics for 10.1.1.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms

4. Establish EBGP peer relationships between PEs and CEs, and redistribute VPN routes into BGP:

# Configure CE 1.

[CE1] bgp 65410

[CE1-bgp-default] peer 10.1.1.2 as-number 100

[CE1-bgp-default] address-family ipv4 unicast

[CE1-bgp-default-ipv4] peer 10.1.1.2 enable

[CE1-bgp-default-ipv4] import-route direct

[CE1-bgp-default-ipv4] quit

[CE1-bgp-default] quit

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp-default] ip vpn-instance vpn1

[PE1-bgp-default-vpn1] peer 10.1.1.1 as-number 65410

[PE1-bgp-default-vpn1] address-family ipv4 unicast

[PE1-bgp-default-ipv4-vpn1] peer 10.1.1.1 enable

[PE1-bgp-default-ipv4-vpn1] peer 10.1.1.1 next-hop-local

[PE1-bgp-default-ipv4-vpn1] quit

[PE1-bgp-default-vpn1] quit

[PE1-bgp-default] quit

# Configure CE 2 and PE 2 in the same way that CE 1 and PE 1 are configured. (Details not shown.)

# Execute the display bgp peer ipv4 vpn-instance command on the PEs to verify that a BGP peer relationship in Established state has been established between a PE and a CE. (Details not shown.)

5. Configure an MP-IBGP peer relationship between PEs:

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp-default] peer 2.2.2.9 as-number 100

[PE1-bgp-default] peer 2.2.2.9 connect-interface loopback 0

[PE1-bgp-default] address-family vpnv4

[PE1-bgp-default-vpnv4] peer 2.2.2.9 enable

[PE1-bgp-default-vpnv4] quit

[PE1-bgp-default] quit

# Configure PE 2 in the same way that PE 1 is configured. (Details not shown.)

# Execute the display bgp peer vpnv4 command on the PEs to verify that a BGP peer relationship in Established state has been established between the PEs. (Details not shown.)

6. Configure a GRE tunnel:

# Configure PE 1.

[PE1] interface tunnel 0 mode gre

[PE1-Tunnel0] source loopback 0

[PE1-Tunnel0] destination 2.2.2.9

[PE1-Tunnel0] ip address 20.1.1.1 24

[PE1-Tunnel0] mpls enable

[PE1-Tunnel0] quit

# Configure PE 2.

[PE2] interface tunnel 0 mode gre

[PE2-Tunnel0] source loopback 0

[PE2-Tunnel0] destination 1.1.1.9

[PE2-Tunnel0] ip address 20.1.1.2 24

[PE2-Tunnel0] mpls enable

[PE2-Tunnel0] quit

Verifying the configuration

# Use the following command on CE 1 to verify that the CEs have learned the interface route from each other.

[CE1] display ip routing-table

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.0/24 Direct 0 0 10.1.1.1 GE2/0/1

10.1.1.0/32 Direct 0 0 10.1.1.1 GE2/0/1

10.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.255/32 Direct 0 0 10.1.1.1 GE2/0/1

10.2.1.0/24 BGP 255 0 10.1.1.2 GE2/0/1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that CE 1 and CE 2 can ping each other. (Details not shown.)

Configuring a hub-spoke network

Network requirements

The Spoke-CEs cannot communicate directly. They can communicate only through Hub-CE.

Configure EBGP between the Spoke-CEs and Spoke-PEs and between Hub-CE and Hub-PE to exchange VPN routing information.

Configure OSPF between the Spoke-PEs and Hub-PE to implement communication between the PEs, and configure MP-IBGP between them to exchange VPN routing information.

Figure 74 Network diagram

Table 15 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
Spoke-CE 1	GE2/0/1	10.1.1.1/24	Hub-CE	GE2/0/1	10.3.1.1/24
Spoke-PE 1	Loop0	1.1.1.9/32		GE2/0/2	10.4.1.1/24
	GE2/0/1	10.1.1.2/24	Hub-PE	Loop0	2.2.2.9/32
	POS2/2/0	172.1.1.1/24		POS2/2/0	172.1.1.2/24
Spoke-CE 2	GE2/0/1	10.2.1.1/24		POS2/2/1	172.2.1.2/24
Spoke-PE 2	Loop0	3.3.3.9/32		GE2/0/1	10.3.1.2/24
	GE2/0/1	10.2.1.2/24		GE2/0/2	10.4.1.2/24
	POS2/2/0	172.2.1.1/24

Configuration procedure

1. Configure an IGP on the MPLS backbone to ensure IP connectivity within the backbone:

# Configure Spoke-PE 1.

<Spoke-PE1> system-view

[Spoke-PE1] interface loopback 0

[Spoke-PE1-LoopBack0] ip address 1.1.1.9 32

[Spoke-PE1-LoopBack0] quit

[Spoke-PE1] interface pos 2/2/0

[Spoke-PE1-Pos2/2/0] ip address 172.1.1.1 24

[Spoke-PE1-Pos2/2/0] quit

[Spoke-PE1] ospf

[Spoke-PE1-ospf-1] area 0

[Spoke-PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[Spoke-PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[Spoke-PE1-ospf-1-area-0.0.0.0] quit

[Spoke-PE1-ospf-1] quit

# Configure Spoke-PE 2.

<Spoke-PE2> system-view

[Spoke-PE2] interface loopback 0

[Spoke-PE2-LoopBack0] ip address 3.3.3.9 32

[Spoke-PE2-LoopBack0] quit

[Spoke-PE2] interface pos 2/2/0

[Spoke-PE2-Pos2/2/0] ip address 172.2.1.1 24

[Spoke-PE2-Pos2/2/0] quit

[Spoke-PE2] ospf

[Spoke-PE2-ospf-1] area 0

[Spoke-PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[Spoke-PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[Spoke-PE2-ospf-1-area-0.0.0.0] quit

[Spoke-PE2-ospf-1] quit

# Configure Hub-PE.

<Hub-PE> system-view

[Hub-PE] interface loopback 0

[Hub-PE-LoopBack0] ip address 2.2.2.9 32

[Hub-PE-LoopBack0] quit

[Hub-PE] interface pos 2/2/0

[Hub-PE-Pos2/2/0] ip address 172.1.1.2 24

[Hub-PE-Pos2/2/0] quit

[Hub-PE] interface pos 2/2/1

[Hub-PE-Pos2/2/1] ip address 172.2.1.2 24

[Hub-PE-Pos2/2/1] quit

[Hub-PE] ospf

[Hub-PE-ospf-1] area 0

[Hub-PE-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[Hub-PE-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[Hub-PE-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[Hub-PE-ospf-1-area-0.0.0.0] quit

[Hub-PE-ospf-1] quit

# Execute the display ospf peer command on the devices to verify that OSPF adjacencies in Full state have been established between Spoke-PE 1, Spoke-PE 2, and Hub-PE. Execute the display ip routing-table command on the devices to verify that the PEs have learned the routes to the loopback interfaces of each other. (Details not shown.)

2. Configure basic MPLS and MPLS LDP on the MPLS backbone to establish LDP LSPs:

# Configure Spoke-PE 1.

[Spoke-PE1] mpls lsr-id 1.1.1.9

[Spoke-PE1] mpls ldp

[Spoke-PE1-ldp] quit

[Spoke-PE1] interface pos 2/2/0

[Spoke-PE1-Pos2/2/0] mpls enable

[Spoke-PE1-Pos2/2/0] mpls ldp enable

[Spoke-PE1-Pos2/2/0] quit

# Configure Spoke-PE 2.

[Spoke-PE2] mpls lsr-id 3.3.3.9

[Spoke-PE2] mpls ldp

[Spoke-PE2-ldp] quit

[Spoke-PE2] interface pos 2/2/0

[Spoke-PE2-Pos2/2/0] mpls enable

[Spoke-PE2-Pos2/2/0] mpls ldp enable

[Spoke-PE2-Pos2/2/0] quit

# Configure Hub-PE.

[Hub-PE] mpls lsr-id 2.2.2.9

[Hub-PE] mpls ldp

[Hub-PE-ldp] quit

[Hub-PE] interface pos 2/2/0

[Hub-PE-Pos2/2/0] mpls enable

[Hub-PE-Pos2/2/0] mpls ldp enable

[Hub-PE-Pos2/2/0] quit

[Hub-PE] interface pos 2/2/1

[Hub-PE-Pos2/2/1] mpls enable

[Hub-PE-Pos2/2/1] mpls ldp enable

[Hub-PE-Pos2/2/1] quit

# Execute the display mpls ldp peer command on the devices to verify that that LDP sessions in Operational state have been established between Spoke-PE 1, Spoke-PE 2, and Hub-PE. Execute the display mpls ldp lsp command on the devices to verify that the LSPs have been established by LDP. (Details not shown.)

3. Configure VPN instances on the Spoke-PEs and Hub-PE:

# Configure Spoke-PE 1.

[Spoke-PE1] ip vpn-instance vpn1

[Spoke-PE1-vpn-instance-vpn1] route-distinguisher 100:1

[Spoke-PE1-vpn-instance-vpn1] vpn-target 111:1 import-extcommunity

[Spoke-PE1-vpn-instance-vpn1] vpn-target 222:2 export-extcommunity

[Spoke-PE1-vpn-instance-vpn1] quit

[Spoke-PE1] interface gigabitethernet 2/0/1

[Spoke-PE1-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[Spoke-PE1-GigabitEthernet2/0/1] ip address 10.1.1.2 24

[Spoke-PE1-GigabitEthernet2/0/1] quit

# Configure Spoke-PE 2.

[Spoke-PE2] ip vpn-instance vpn1

[Spoke-PE2-vpn-instance-vpn1] route-distinguisher 100:2

[Spoke-PE2-vpn-instance-vpn1] vpn-target 111:1 import-extcommunity

[Spoke-PE2-vpn-instance-vpn1] vpn-target 222:2 export-extcommunity

[Spoke-PE2-vpn-instance-vpn1] quit

[Spoke-PE2] interface gigabitethernet 2/0/1

[Spoke-PE2-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[Spoke-PE2-GigabitEthernet2/0/1] ip address 10.2.1.2 24

[Spoke-PE2-GigabitEthernet2/0/1] quit

# Configure Hub-PE.

[Hub-PE] ip vpn-instance vpn1-in

[Hub-PE-vpn-instance-vpn1-in] route-distinguisher 100:3

[Hub-PE-vpn-instance-vpn1-in] vpn-target 222:2 import-extcommunity

[Hub-PE-vpn-instance-vpn1-in] quit

[Hub-PE] ip vpn-instance vpn1-out

[Hub-PE-vpn-instance-vpn1-out] route-distinguisher 100:4

[Hub-PE-vpn-instance-vpn1-out] vpn-target 111:1 export-extcommunity

[Hub-PE-vpn-instance-vpn1-out] quit

[Hub-PE] interface gigabitethernet 2/0/1

[Hub-PE-GigabitEthernet2/0/1] ip binding vpn-instance vpn1-in

[Hub-PE-GigabitEthernet2/0/1] ip address 10.3.1.2 24

[Hub-PE-GigabitEthernet2/0/1] quit

[Hub-PE] interface gigabitethernet 2/0/2

[Hub-PE-GigabitEthernet2/0/2] ip binding vpn-instance vpn1-out

[Hub-PE-GigabitEthernet2/0/2] ip address 10.4.1.2 24

[Hub-PE-GigabitEthernet2/0/2] quit

# Configure IP addresses for the CEs according to Table 15. (Details not shown.)

# Execute the display ip vpn-instance command on the PEs to display the configuration of the VPN instance, for example, on Spoke-PE 1.

[Spoke-PE1] display ip vpn-instance

Total VPN-Instances configured : 1

VPN-Instance Name RD Create time

vpn1 100:1 2009/04/08 10:55:07

# Use the ping command on the PEs to verify that the PEs can ping their attached CEs, for example, on Spoke-PE 1.

[Spoke-PE1] ping -vpn-instance vpn1 10.1.1.1

Ping 10.1.1.1 (10.1.1.1): 56 data bytes, press CTRL_C to break

56 bytes from 10.1.1.1: icmp_seq=0 ttl=128 time=1.913 ms

56 bytes from 10.1.1.1: icmp_seq=1 ttl=128 time=2.381 ms

56 bytes from 10.1.1.1: icmp_seq=2 ttl=128 time=1.707 ms

56 bytes from 10.1.1.1: icmp_seq=3 ttl=128 time=1.666 ms

56 bytes from 10.1.1.1: icmp_seq=4 ttl=128 time=2.710 ms

--- Ping statistics for 10.1.1.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.666/2.075/2.710/0.406 ms

4. Establish EBGP peer relationships between the PEs and CEs, and redistribute VPN routes into BGP:

# Configure Spoke-CE 1.

<Spoke-CE1> system-view

[Spoke-CE1] bgp 65410

[Spoke-CE1-bgp-default] peer 10.1.1.2 as-number 100

[Spoke-CE1-bgp-default] address-family ipv4

[Spoke-CE1-bgp-default-ipv4] peer 10.1.1.2 enable

[Spoke-CE1-bgp-default-ipv4] import-route direct

[Spoke-CE1-bgp-default-ipv4] quit

[Spoke-CE1-bgp-default] quit

# Configure Spoke-CE 2.

<Spoke-CE2> system-view

[Spoke-CE2] bgp 65420

[Spoke-CE2-bgp-default] peer 10.2.1.2 as-number 100

[Spoke-CE2-bgp-default] address-family ipv4

[Spoke-CE2-bgp-default-ipv4] peer 10.2.1.2 enable

[Spoke-CE2-bgp-default-ipv4] import-route direct

[Spoke-CE2-bgp-default-ipv4] quit

[Spoke-CE2-bgp-default] quit

# Configure Hub-CE.

<Hub-CE> system-view

[Hub-CE] bgp 65430

[Hub-CE-bgp-default] peer 10.3.1.2 as-number 100

[Hub-CE-bgp-default] peer 10.4.1.2 as-number 100

[Hub-CE-bgp-default] address-family ipv4

[Hub-CE-bgp-default-ipv4] peer 10.3.1.2 enable

[Hub-CE-bgp-default-ipv4] peer 10.4.1.2 enable

[Hub-CE-bgp-default-ipv4] import-route direct

[Hub-CE-bgp-default-ipv4] quit

[Hub-CE-bgp-default] quit

# Configure Spoke-PE 1.

[Spoke-PE1] bgp 100

[Spoke-PE1-bgp-default] ip vpn-instance vpn1

[Spoke-PE1-bgp-default-vpn1] peer 10.1.1.1 as-number 65410

[Spoke-PE1-bgp-default-vpn1] address-family ipv4

[Spoke-PE1-bgp-default-ipv4-vpn1] peer 10.1.1.1 enable

[Spoke-PE1-bgp-default-ipv4-vpn1] quit

[Spoke-PE1-bgp-default-vpn1] quit

[Spoke-PE1-bgp-default] quit

# Configure Spoke-PE 2.

[Spoke-PE2] bgp 100

[Spoke-PE2-bgp-default] ip vpn-instance vpn1

[Spoke-PE2-bgp-default-vpn1] peer 10.2.1.1 as-number 65420

[Spoke-PE2-bgp-default-vpn1] address-family ipv4

[Spoke-PE2-bgp-default-ipv4-vpn1] peer 10.2.1.1 enable

[Spoke-PE2-bgp-default-ipv4-vpn1] quit

[Spoke-PE2-bgp-default-vpn1] quit

[Spoke-PE2-bgp-default] quit

# Configure Hub-PE.

[Hub-PE] bgp 100

[Hub-PE-bgp-default] ip vpn-instance vpn1-in

[Hub-PE-bgp-default-vpn1-in] peer 10.3.1.1 as-number 65430

[Hub-PE-bgp-default-vpn1-in] address-family ipv4

[Hub-PE-bgp-default-ipv4-vpn1-in] peer 10.3.1.1 enable

[Hub-PE-bgp-default-ipv4-vpn1-in] quit

[Hub-PE-bgp-default-vpn1-in] quit

[Hub-PE-bgp-default] ip vpn-instance vpn1-out

[Hub-PE-bgp-default-vpn1-out] peer 10.4.1.1 as-number 65430

[Hub-PE-bgp-default-vpn1-out] address-family ipv4

[Hub-PE-bgp-default-ipv4-vpn1-out] peer 10.4.1.1 enable

[Hub-PE-bgp-default-ipv4-vpn1-out] peer 10.4.1.1 allow-as-loop 2

[Hub-PE-bgp-default-ipv4-vpn1-out] quit

[Hub-PE-bgp-default-vpn1-out] quit

[Hub-PE-bgp-default] quit

# Execute the display bgp peer ipv4 vpn-instance command on the PEs to verify that a BGP peer relationship in Established state has been established between a PE and a CE. (Details not shown.)

5. Establish an MP-IBGP peer relationship between the Spoke-PEs and Hub-PE:

# Configure Spoke-PE 1.

[Spoke-PE1] bgp 100

[Spoke-PE1-bgp-default] peer 2.2.2.9 as-number 100

[Spoke-PE1-bgp-default] peer 2.2.2.9 connect-interface loopback 0

[Spoke-PE1-bgp-default] address-family vpnv4

[Spoke-PE1-bgp-default-vpnv4] peer 2.2.2.9 enable

[Spoke-PE1-bgp-default-vpnv4] quit

[Spoke-PE1-bgp-default] quit

# Configure Spoke-PE 2.

[Spoke-PE2] bgp 100

[Spoke-PE2-bgp-default] peer 2.2.2.9 as-number 100

[Spoke-PE2-bgp-default] peer 2.2.2.9 connect-interface loopback 0

[Spoke-PE2-bgp-default] address-family vpnv4

[Spoke-PE2-bgp-default-vpnv4] peer 2.2.2.9 enable

[Spoke-PE2-bgp-default-vpnv4] quit

[Spoke-PE2-bgp-default] quit

# Configure Hub-PE.

[Hub-PE] bgp 100

[Hub-PE-bgp-default] peer 1.1.1.9 as-number 100

[Hub-PE-bgp-default] peer 1.1.1.9 connect-interface loopback 0

[Hub-PE-bgp-default] peer 3.3.3.9 as-number 100

[Hub-PE-bgp-default] peer 3.3.3.9 connect-interface loopback 0

[Hub-PE-bgp-default] address-family vpnv4

[Hub-PE-bgp-default-vpnv4] peer 1.1.1.9 enable

[Hub-PE-bgp-default-vpnv4] peer 3.3.3.9 enable

[Hub-PE-bgp-default-vpnv4] quit

[Hub-PE-bgp-default] quit

# Execute the display bgp peer vpnv4 command on the PEs to verify that a BGP peer relationship in Established state has been established between the PEs. (Details not shown.)

Verifying the configuration

# Execute the display ip routing-table vpn-instance command on the PEs to display the routes to the CEs. This example uses Spoke-PE 1 to verify that the next hop of the route from a Spoke-PE to its connected Spoke-CE is Hub-PE.

[Spoke-PE1] display ip routing-table vpn-instance vpn1

Destinations : 15 Routes : 15

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.0/24 Direct 0 0 10.1.1.2 GE2/0/1

10.1.1.0/32 Direct 0 0 10.1.1.2 GE2/0/1

10.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.255/32 Direct 0 0 10.1.1.2 GE2/0/1

10.2.1.0/24 BGP 255 0 2.2.2.9 POS2/2/0

10.3.1.0/24 BGP 255 0 2.2.2.9 POS2/2/0

10.4.1.0/24 BGP 255 0 2.2.2.9 POS2/2/0

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that Spoke-CE 1 and Spoke-CE 2 can ping each other. The TTL value indicates that traffic from Spoke-CE 1 to Spoke-CE 2 passes six hops (255-250+1) and is forwarded through Hub-CE. This example uses Spoke-CE 1 to verify their connectivity.

[Spoke-CE1] ping 10.2.1.1

Ping 10.2.1.1 (10.2.1.1): 56 data bytes, press CTRL_C to break

56 bytes from 10.2.1.1: icmp_seq=0 ttl=250 time=1.000 ms

56 bytes from 10.2.1.1: icmp_seq=1 ttl=250 time=2.000 ms

56 bytes from 10.2.1.1: icmp_seq=2 ttl=250 time=0.000 ms

56 bytes from 10.2.1.1: icmp_seq=3 ttl=250 time=1.000 ms

56 bytes from 10.2.1.1: icmp_seq=4 ttl=250 time=0.000 ms

--- Ping statistics for 10.2.1.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/0.800/2.000/0.748 ms

Configuring MPLS L3VPN inter-AS option A

Network requirements

CE 1 and CE 2 belong to the same VPN. CE 1 accesses the network through PE 1 in AS 100, and CE 2 accesses the network through PE 2 in AS 200.

Configure inter-AS option A MPLS L3VPN, and use the VRF-to-VRF method to manage VPN routes.

Run OSPF on the MPLS backbone of each AS.

Figure 75 Network diagram

Table 16 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	GE2/0/1	10.1.1.1/24	CE 2	GE2/0/1	10.2.1.1/24
PE 1	Loop0	1.1.1.9/32	PE 2	Loop0	4.4.4.9/32
	GE2/0/1	10.1.1.2/24		GE2/0/1	10.2.1.2/24
	POS2/2/0	172.1.1.2/24		POS2/2/0	162.1.1.2/24
ASBR-PE1	Loop0	2.2.2.9/32	ASBR-PE2	Loop0	3.3.3.9/32
	POS2/2/0	172.1.1.1/24		POS2/2/0	162.1.1.1/24
	POS2/2/1	192.1.1.1/24		POS2/2/1	192.1.1.2/24

Configuration procedure

1. Configure IGP on the MPLS backbone.

This example uses OSPF. (Details not shown.)

# Execute the display ospf peer command to verify that each ASBR-PE has established an OSPF adjacency in Full state with the PE in the same AS, and that PEs and ASBR-PEs in the same AS have learned the routes to the loopback interfaces of each other. Verify that each ASBR-PE and the PE in the same AS can ping each other. (Details not shown.)

2. Configure basic MPLS and MPLS LDP on the MPLS backbone to establish LDP LSPs:

# Configure basic MPLS on PE 1, and enable MPLS LDP on the interface connected to ASBR-PE 1.

<PE1> system-view

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] interface pos 2/2/0

[PE1-Pos2/2/0] mpls enable

[PE1-Pos2/2/0] mpls ldp enable

[PE1-Pos2/2/0] quit

# Configure basic MPLS on ASBR-PE 1, and enable MPLS LDP on the interface connected to PE 1.

<ASBR-PE1> system-view

[ASBR-PE1] mpls lsr-id 2.2.2.9

[ASBR-PE1] mpls ldp

[ASBR-PE1-ldp] quit

[ASBR-PE1] interface pos 2/2/0

[ASBR-PE1-Pos2/2/0] mpls enable

[ASBR-PE1-Pos2/2/0] mpls ldp enable

[ASBR-PE1-Pos2/2/0] quit

# Configure basic MPLS on ASBR-PE 2, and enable MPLS LDP on the interface connected to PE 2.

<ASBR-PE2> system-view

[ASBR-PE2] mpls lsr-id 3.3.3.9

[ASBR-PE2] mpls ldp

[ASBR-PE2-ldp] quit

[ASBR-PE2] interface pos 2/2/0

[ASBR-PE2-Pos2/2/0] mpls enable

[ASBR-PE2-Pos2/2/0] mpls ldp enable

[ASBR-PE2-Pos2/2/0] quit

# Configure basic MPLS on PE 2, and enable MPLS LDP on the interface connected to ASBR-PE 2.

<PE2> system-view

[PE2] mpls lsr-id 4.4.4.9

[PE2] mpls ldp

[PE2-ldp] quit

[PE2] interface pos 2/2/0

[PE2-Pos2/2/0] mpls enable

[PE2-Pos2/2/0] mpls ldp enable

[PE2-Pos2/2/0] quit

# Execute the display mpls ldp peer command on the devices to verify that the LDP session status is Operational, and that each PE and the ASBR-PE in the same AS have established an LDP neighbor relationship. (Details not shown.)

3. Configure VPN instances on PEs:

For the same VPN, the route targets for the VPN instance on the PE must match those for the VPN instance on the ASBR-PE in the same AS. This is not required for PEs in different ASs.

# Configure CE 1.

<CE1> system-view

[CE1] interface gigabitethernet 2/0/1

[CE1-GigabitEthernet2/0/1] ip address 10.1.1.1 24

[CE1-GigabitEthernet2/0/1] quit

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 100:1 both

[PE1-vpn-instance-vpn1] quit

[PE1] interface gigabitethernet 2/0/1

[PE1-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[PE1-GigabitEthernet2/0/1] ip address 10.1.1.2 24

[PE1-GigabitEthernet2/0/1] quit

# Configure CE 2.

<CE2> system-view

[CE2] interface gigabitethernet 2/0/1

[CE2-GigabitEthernet2/0/1] ip address 10.2.1.1 24

[CE2-GigabitEthernet2/0/1] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 200:2

[PE2-vpn-instance-vpn1] vpn-target 200:1 both

[PE2-vpn-instance-vpn1] quit

[PE2] interface gigabitethernet 2/0/1

[PE2-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[PE2-GigabitEthernet2/0/1] ip address 10.2.1.2 24

[PE2-GigabitEthernet2/0/1] quit

# On ASBR-PE 1, create a VPN instance, and bind the instance to the interface connected to ASBR-PE 2. ASBR-PE 1 considers ASBR-PE 2 to be its CE.

[ASBR-PE1] ip vpn-instance vpn1

[ASBR-PE1-vpn-vpn1] route-distinguisher 100:1

[ASBR-PE1-vpn-vpn1] vpn-target 100:1 both

[ASBR-PE1-vpn-vpn1] quit

[ASBR-PE1] interface pos 2/2/1

[ASBR-PE1-Pos2/2/1] ip binding vpn-instance vpn1

[ASBR-PE1-Pos2/2/1] ip address 192.1.1.1 24

[ASBR-PE1-Pos2/2/1] quit

# On ASBR-PE 2, create a VPN instance, and bind the instance to the interface connected to ASBR-PE 1. ASBR-PE 2 considers ASBR-PE 1 to be its CE.

[ASBR-PE2] ip vpn-instance vpn1

[ASBR-PE2-vpn-vpn1] route-distinguisher 200:1

[ASBR-PE2-vpn-vpn1] vpn-target 200:1 both

[ASBR-PE2-vpn-vpn1] quit

[ASBR-PE2] interface pos 2/2/1

[ASBR-PE2-Pos2/2/1] ip binding vpn-instance vpn1

[ASBR-PE2-Pos2/2/1] ip address 192.1.1.2 24

[ASBR-PE2-Pos2/2/1] quit

# Execute the display ip vpn-instance command to display VPN instance configurations. Verify that the PEs can ping their attached CEs, and the ASBR-PEs can ping each other. (Details not shown.)

4. Establish EBGP peer relationships between PEs and CEs, and redistribute VPN routes into BGP:

# Configure CE 1.

[CE1] bgp 65001

[CE1-bgp-default] peer 10.1.1.2 as-number 100

[CE1-bgp-default] address-family ipv4 unicast

[CE1-bgp-default-ipv4] peer 10.1.1.2 enable

[CE1-bgp-default-ipv4] import-route direct

[CE1-bgp-default-ipv4] quit

[CE1-bgp-default] quit

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp-default] ip vpn-instance vpn1

[PE1-bgp-default-vpn1] peer 10.1.1.1 as-number 65001

[PE1-bgp-default-vpn1] address-family ipv4 unicast

[PE1-bgp-default-ipv4-vpn1] peer 10.1.1.1 enable

[PE1-bgp-default-ipv4-vpn1] quit

[PE1-bgp-default-vpn1] quit

[PE1-bgp-default] quit

# Configure CE 2.

[CE2] bgp 65002

[CE2-bgp-default] peer 10.2.1.2 as-number 200

[CE2-bgp-default] address-family ipv4 unicast

[CE2-bgp-default-ipv4] peer 10.2.1.2 enable

[CE2-bgp-default-ipv4] import-route direct

[CE2-bgp-default-ipv4] quit

[CE2-bgp-default] quit

# Configure PE 2.

[PE2] bgp 200

[PE2-bgp-default] ip vpn-instance vpn1

[PE2-bgp-default-vpn1] peer 10.2.1.1 as-number 65002

[PE2-bgp-default-vpn1] address-family ipv4 unicast

[PE2-bgp-default-ipv4-vpn1] peer 10.2.1.1 enable

[PE2-bgp-default-ipv4-vpn1] quit

[PE2-bgp-default-vpn1] quit

[PE2-bgp-default] quit

5. Establish an MP-IBGP peer relationship between each PE and the ASBR-PE in the same AS, and an EBGP peer relationship between the ASBR-PEs:

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp-default] peer 2.2.2.9 as-number 100

[PE1-bgp-default] peer 2.2.2.9 connect-interface loopback 0

[PE1-bgp-default] address-family vpnv4

[PE1-bgp-default-vpnv4] peer 2.2.2.9 enable

[PE1-bgp-default-vpnv4] peer 2.2.2.9 next-hop-local

[PE1-bgp-default-vpnv4] quit

[PE1-bgp-default] quit

# Configure ASBR-PE 1.

[ASBR-PE1] bgp 100

[ASBR-PE1-bgp-default] ip vpn-instance vpn1

[ASBR-PE1-bgp-default-vpn1] peer 192.1.1.2 as-number 200

[ASBR-PE1-bgp-default-vpn1] address-family ipv4 unicast

[ASBR-PE1-bgp-default-ipv4-vpn1] peer 192.1.1.2 enable

[ASBR-PE1-bgp-default-ipv4-vpn1] quit

[ASBR-PE1-bgp-default-vpn1] quit

[ASBR-PE1-bgp-default] peer 1.1.1.9 as-number 100

[ASBR-PE1-bgp-default] peer 1.1.1.9 connect-interface loopback 0

[ASBR-PE1-bgp-default] address-family vpnv4

[ASBR-PE1-bgp-default-vpnv4] peer 1.1.1.9 enable

[ASBR-PE1-bgp-default-vpnv4] peer 1.1.1.9 next-hop-local

[ASBR-PE1-bgp-default-vpnv4] quit

[ASBR-PE1-bgp-default] quit

# Configure ASBR-PE 2.

[ASBR-PE2] bgp 200

[ASBR-PE2-bgp-default] ip vpn-instance vpn1

[ASBR-PE2-bgp-default-vpn1] peer 192.1.1.1 as-number 100

[ASBR-PE2-bgp-default-vpn1] address-family ipv4 unicast

[ASBR-PE2-bgp-default-ipv4-vpn1] peer 192.1.1.1 enable

[ASBR-PE2-bgp-default-ipv4-vpn1] quit

[ASBR-PE2-bgp-default-vpn1] quit

[ASBR-PE2-bgp-default] peer 4.4.4.9 as-number 200

[ASBR-PE2-bgp-default] peer 4.4.4.9 connect-interface loopback 0

[ASBR-PE2-bgp-default] address-family vpnv4

[ASBR-PE2-bgp-default-vpnv4] peer 4.4.4.9 enable

[ASBR-PE2-bgp-default-vpnv4] peer 4.4.4.9 next-hop-local

[ASBR-PE2-bgp-default-vpnv4] quit

[ASBR-PE2-bgp-default] quit

# Configure PE 2.

[PE2] bgp 200

[PE2-bgp-default] peer 3.3.3.9 as-number 200

[PE2-bgp-default] peer 3.3.3.9 connect-interface loopback 0

[PE2-bgp-default] address-family vpnv4

[PE2-bgp-default-vpnv4] peer 3.3.3.9 enable

[PE2-bgp-default-vpnv4] peer 3.3.3.9 next-hop-local

[PE2-bgp-default-vpnv4] quit

[PE2-bgp-default] quit

Verifying the configuration

# Verify that the CEs can learn the interface routes from each other and ping each other. (Details not shown.)

Configuring MPLS L3VPN inter-AS option B

Network requirements

Site 1 and Site 2 belong to the same VPN. CE 1 of Site 1 accesses the network through PE 1 in AS 100, and CE 2 of Site 2 accesses the network through PE 2 in AS 600.

PEs in the same AS run IS-IS.

PE 1 and ASBR-PE 1 exchange VPNv4 routes through MP-IBGP. PE 2 and ASBR-PE 2 exchange VPNv4 routes through MP-IBGP. ASBR-PE 1 and ASBR-PE 2 exchange VPNv4 routes through MP-EBGP.

ASBRs do not perform route target filtering of received VPN-IPv4 routes.

Figure 76 Network diagram

Table 17 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
PE 1	Loop0	2.2.2.9/32	PE 2	Loop0	5.5.5.9/32
	GE2/0/1	30.0.0.1/8		GE2/0/1	20.0.0.1/8
	S2/1/0	1.1.1.2/8		S2/1/0	9.1.1.2/8
ASBR-PE 1	Loop0	3.3.3.9/32	ASBR-PE 2	Loop0	4.4.4.9/32
	S2/1/0	1.1.1.1/8		S2/1/0	9.1.1.1/8
	S2/1/1	11.0.0.2/8		S2/1/1	11.0.0.1/8

Configuration procedure

1. Configure PE 1:

# Configure IS-IS on PE 1.

<PE1> system-view

[PE1] isis 1

[PE1-isis-1] network-entity 10.111.111.111.111.00

[PE1-isis-1] quit

# Configure LSR ID, and enable MPLS and LDP.

[PE1] mpls lsr-id 2.2.2.9

[PE1] mpls ldp

[PE1-ldp] quit

# Configure interface Serial 2/1/0, and enable IS-IS, MPLS, and LDP on the interface.

[PE1] interface serial 2/1/0

[PE1-Serial2/1/0] ip address 1.1.1.2 255.0.0.0

[PE1-Serial2/1/0] isis enable 1

[PE1-Serial2/1/0] mpls enable

[PE1-Serial2/1/0] mpls ldp enable

[PE1-Serial2/1/0] quit

# Configure interface Loopback 0, and enable IS-IS on it.

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 2.2.2.9 32

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

# Create VPN instance vpn1, and configure the RD and route target attributes.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 11:11

[PE1-vpn-instance-vpn1] vpn-target 1:1 2:2 3:3 import-extcommunity

[PE1-vpn-instance-vpn1] vpn-target 3:3 export-extcommunity

[PE1-vpn-instance-vpn1] quit

# Bind the interface connected to CE 1 to the created VPN instance.

[PE1] interface gigabitethernet 2/0/1

[PE1-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[PE1-GigabitEthernet2/0/1] ip address 30.0.0.1 8

[PE1-GigabitEthernet2/0/1] quit

# Enable BGP on PE 1.

[PE1] bgp 100

# Configure IBGP peer 3.3.3.9 as a VPNv4 peer.

[PE1-bgp-default] peer 3.3.3.9 as-number 100

[PE1-bgp-default] peer 3.3.3.9 connect-interface loopback 0

[PE1-bgp-default] address-family vpnv4

[PE1-bgp-default-vpnv4] peer 3.3.3.9 enable

[PE1-bgp-default-vpnv4] quit

# Redistribute direct routes to the VPN routing table of vpn1.

[PE1-bgp-default] ip vpn-instance vpn1

[PE1-bgp-default-vpn1] address-family ipv4 unicast

[PE1-bgp-default-ipv4-vpn1] import-route direct

[PE1-bgp-default-ipv4-vpn1] quit

[PE1-bgp-default-vpn1] quit

[PE1-bgp-default] quit

2. Configure ASBR-PE 1:

# Enable IS-IS on ASBR-PE 1.

<ASBR-PE1> system-view

[ASBR-PE1] isis 1

[ASBR-PE1-isis-1] network-entity 10.222.222.222.222.00

[ASBR-PE1-isis-1] quit

# Configure LSR ID, and enable MPLS and LDP.

[ASBR-PE1] mpls lsr-id 3.3.3.9

[ASBR-PE1] mpls ldp

[ASBR-PE1-ldp] quit

# Configure interface Serial 2/1/0, and enable IS-IS, MPLS, and LDP on the interface.

[ASBR-PE1] interface serial 2/1/0

[ASBR-PE1-Serial2/1/0] ip address 1.1.1.1 255.0.0.0

[ASBR-PE1-Serial2/1/0] isis enable 1

[ASBR-PE1-Serial2/1/0] mpls enable

[ASBR-PE1-Serial2/1/0] mpls ldp enable

[ASBR-PE1-Serial2/1/0] quit

# Configure interface Serial 2/1/1, and enable MPLS.

[ASBR-PE1] interface serial 2/1/1

[ASBR-PE1-Serial2/1/1] ip address 11.0.0.2 255.0.0.0

[ASBR-PE1-Serial2/1/1] mpls enable

[ASBR-PE1-Serial2/1/1] quit

# Configure interface Loopback 0, and enable IS-IS on it.

[ASBR-PE1] interface loopback 0

[ASBR-PE1-LoopBack0] ip address 3.3.3.9 32

[ASBR-PE1-LoopBack0] isis enable 1

[ASBR-PE1-LoopBack0] quit

# Enable BGP on ASBR-PE 1.

[ASBR-PE1] bgp 100

[ASBR-PE1-bgp-default] peer 2.2.2.9 as-number 100

[ASBR-PE1-bgp-default] peer 2.2.2.9 connect-interface loopback 0

[ASBR-PE1-bgp-default] peer 11.0.0.1 as-number 600

[ASBR-PE1-bgp-default] peer 11.0.0.1 connect-interface serial 2/1/1

# Disable route target based filtering of received VPNv4 routes.

[ASBR-PE1-bgp-default] address-family vpnv4

[ASBR-PE1-bgp-default-vpnv4] undo policy vpn-target

# Configure both IBGP peer 2.2.2.9 and EBGP peer 11.0.0.1 as VPNv4 peers.

[ASBR-PE1-bgp-default-vpnv4] peer 11.0.0.1 enable

[ASBR-PE1-bgp-default-vpnv4] peer 2.2.2.9 enable

[ASBR-PE1-bgp-default-vpnv4] quit

3. Configure ASBR-PE 2:

# Enable IS-IS on ASBR-PE 2.

<ASBR-PE2> system-view

[ASBR-PE2] isis 1

[ASBR-PE2-isis-1] network-entity 10.222.222.222.222.00

[ASBR-PE2-isis-1] quit

# Configure LSR ID, and enable MPLS and LDP.

[ASBR-PE2] mpls lsr-id 4.4.4.9

[ASBR-PE2] mpls ldp

[ASBR-PE2-ldp] quit

# Configure interface Serial 2/1/0, and enable IS-IS, MPLS, and LDP on the interface.

[ASBR-PE2] interface serial 2/1/0

[ASBR-PE2-Serial2/1/0] ip address 9.1.1.1 255.0.0.0

[ASBR-PE2-Serial2/1/0] isis enable 1

[ASBR-PE2-Serial2/1/0] mpls enable

[ASBR-PE2-Serial2/1/0] mpls ldp enable

[ASBR-PE2-Serial2/1/0] quit

# Configure interface Serial 2/1/1, and enable MPLS.

[ASBR-PE2] interface serial 2/1/1

[ASBR-PE2-Serial2/1/1] ip address 11.0.0.1 255.0.0.0

[ASBR-PE2-Serial2/1/1] mpls enable

[ASBR-PE2-Serial2/1/1] quit

# Configure interface Loopback 0, and enable IS-IS on it.

[ASBR-PE2] interface loopback 0

[ASBR-PE2-LoopBack0] ip address 4.4.4.9 32

[ASBR-PE2-LoopBack0] isis enable 1

[ASBR-PE2-LoopBack0] quit

# Enable BGP on ASBR-PE 2.

[ASBR-PE2] bgp 600

[ASBR-PE2-bgp-default] peer 11.0.0.2 as-number 100

[ASBR-PE2-bgp-default] peer 11.0.0.2 connect-interface serial 2/1/1

[ASBR-PE2-bgp-default] peer 5.5.5.9 as-number 600

[ASBR-PE2-bgp-default] peer 5.5.5.9 connect-interface loopback 0

# Disable route target based filtering of received VPNv4 routes.

[ASBR-PE2-bgp-default] address-family vpnv4

[ASBR-PE2-bgp-default-vpnv4] undo policy vpn-target

# Configure both IBGP peer 5.5.5.9 and EBGP peer 11.0.0.2 as VPNv4 peers.

[ASBR-PE2-bgp-default-vpnv4] peer 11.0.0.2 enable

[ASBR-PE2-bgp-default-vpnv4] peer 5.5.5.9 enable

[ASBR-PE2-bgp-default-vpnv4] quit

[ASBR-PE2-bgp-default] quit

4. Configure PE 2:

# Enable IS-IS on PE 2.

<PE2> system-view

[PE2] isis 1

[PE2-isis-1] network-entity 10.111.111.111.111.00

[PE2-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[PE2] mpls lsr-id 5.5.5.9

[PE2] mpls ldp

[PE2-ldp] quit

# Configure interface Serial 2/1/0, and enable IS-IS, MPLS, and LDP on the interface.

[PE2] interface serial 2/1/0

[PE2-Serial2/1/0] ip address 9.1.1.2 255.0.0.0

[PE2-Serial2/1/0] isis enable 1

[PE2-Serial2/1/0] mpls enable

[PE2-Serial2/1/0] mpls ldp enable

[PE2-Serial2/1/0] quit

# Configure interface Loopback 0, and enable IS-IS on it.

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 5.5.5.9 32

[PE2-LoopBack0] isis enable 1

[PE2-LoopBack0] quit

# Create VPN instance vpn1, and configure the RD and route target attributes.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 12:12

[PE2-vpn-instance-vpn1] vpn-target 1:1 2:2 3:3 import-extcommunity

[PE2-vpn-instance-vpn1] vpn-target 3:3 export-extcommunity

[PE2-vpn-instance-vpn1] quit

# Bind the interface connected to CE 1 to the created VPN instance.

[PE2] interface gigabitethernet 2/0/1

[PE2-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[PE2-GigabitEthernet2/0/1] ip address 20.0.0.1 8

[PE2-GigabitEthernet2/0/1] quit

# Enable BGP on PE 2.

[PE2] bgp 600

# Configure IBGP peer 4.4.4.9 as a VPNv4 peer.

[PE2-bgp-default] peer 4.4.4.9 as-number 600

[PE2-bgp-default] peer 4.4.4.9 connect-interface loopback 0

[PE2-bgp-default] address-family vpnv4

[PE2-bgp-default-vpnv4] peer 4.4.4.9 enable

[PE2-bgp-default-vpnv4] quit

# Redistribute direct routes to the VPN routing table of vpn1.

[PE2-bgp-default] peer 4.4.4.9 as-number 600

[PE2-bgp-default] peer 4.4.4.9 connect-interface loopback 0

[PE2-bgp-default] address-family vpnv4

[PE2-bgp-default-vpnv4] peer 4.4.4.9 enable

[PE2-bgp-default-vpnv4] quit

Verifying the configuration

# Use the following command on PE 1 to verify its connectivity to PE 2.

[PE1] ping -a 30.0.0.1 -vpn-instance vpn1 20.0.0.1

Ping 20.0.0.1 (20.0.0.1) from 30.0.0.1: 56 data bytes, press CTRL_C to break

56 bytes from 20.0.0.1: icmp_seq=0 ttl=255 time=1.208 ms

56 bytes from 20.0.0.1: icmp_seq=1 ttl=255 time=0.867 ms

56 bytes from 20.0.0.1: icmp_seq=2 ttl=255 time=0.551 ms

56 bytes from 20.0.0.1: icmp_seq=3 ttl=255 time=0.566 ms

56 bytes from 20.0.0.1: icmp_seq=4 ttl=255 time=0.570 ms

--- Ping statistics for 20.0.0.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.551/0.752/1.208/0.257 ms

Configuring MPLS L3VPN inter-AS option C

Network requirements

Site 1 and Site 2 belong to the same VPN. Site 1 accesses the network through PE 1 in AS 100, and Site 2 accesses the network through PE 2 in AS 600. PEs in the same AS run IS-IS.

PE 1 and ASBR-PE 1 exchange labeled IPv4 routes through IBGP. PE 2 and ASBR-PE 2 exchange labeled IPv4 routes through IBGP. PE 1 and PE 2 are MP-EBGP peers and exchange VPNv4 routes.

ASBR-PE 1 and ASBR-PE 2 use routing policies and label the routes received from each other.

ASBR-PE 1 and ASBR-PE 2 use EBGP to exchange labeled IPv4 routes.

Figure 77 Network diagram

Table 18 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
PE 1	Loop0	2.2.2.9/32	PE 2	Loop0	5.5.5.9/32
	GE2/0/1	30.0.0.1/24		GE2/0/1	20.0.0.1/24
	S2/1/0	1.1.1.2/8		S2/1/0	9.1.1.2/8
ASBR-PE 1	Loop0	3.3.3.9/32	ASBR-PE 2	Loop0	4.4.4.9/32
	S2/1/0	1.1.1.1/8		S2/1/0	9.1.1.1/8
	S2/1/1	11.0.0.2/8		S2/1/1	11.0.0.1/8
CE 1	GE2/0/1	30.0.0.2/24	CE 2	GE2/0/1	20.0.0.2/24

Configuration procedure

1. Configure CE 1:

# Configure an IP address for GigabitEthernet 2/0/1.

<CE1> system-view

[CE1] interface gigabitethernet 2/0/1

[CE1-GigabitEthernet2/0/1] ip address 30.0.0.2 24

[CE1-GigabitEthernet2/0/1] quit

# Establish an EBGP peer relationship with PE 1, and redistribute VPN routes.

[CE1] bgp 65001

[CE1-bgp-default] peer 30.0.0.1 as-number 100

[CE1-bgp-default] address-family ipv4 unicast

[CE1-bgp-default-ipv4] peer 30.0.0.1 enable

[CE1-bgp-default-ipv4] import-route direct

[CE1-bgp-default-ipv4] quit

[CE1-bgp-default] quit

2. Configure PE 1:

# Configure IS-IS on PE 1.

<PE1> system-view

[PE1] isis 1

[PE1-isis-1] network-entity 10.111.111.111.111.00

[PE1-isis-1] quit

# Configure LSR ID, and enable MPLS and LDP.

[PE1] mpls lsr-id 2.2.2.9

[PE1] mpls ldp

[PE1-ldp] quit

# Configure interface Serial 2/1/0, and enable IS-IS, MPLS, and LDP on the interface.

[PE1] interface serial 2/1/0

[PE1-Serial2/1/0] ip address 1.1.1.2 255.0.0.0

[PE1-Serial2/1/0] isis enable 1

[PE1-Serial2/1/0] mpls enable

[PE1-Serial2/1/0] mpls ldp enable

[PE1-Serial2/1/0] quit

# Configure interface Loopback 0, and start IS-IS on it.

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 2.2.2.9 32

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

# Create VPN instance vpn1, and configure the RD and route target attributes.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 11:11

[PE1-vpn-instance-vpn1] vpn-target 1:1 2:2 3:3 import-extcommunity

[PE1-vpn-instance-vpn1] vpn-target 3:3 export-extcommunity

[PE1-vpn-instance-vpn1] quit

# Associate interface GigabitEthernet 2/0/1 with VPN instance vpn1, and specify the IP address for the interface.

[PE1] interface gigabitethernet 2/0/1

[PE1-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[PE1-GigabitEthernet2/0/1] ip address 30.0.0.1 24

[PE1-GigabitEthernet2/0/1] quit

# Start BGP on PE 1.

[PE1] bgp 100

# Enable the capability to advertise labeled routes to IBGP peer 3.3.3.9 and to receive labeled routes from the peer.

[PE1-bgp-default] peer 3.3.3.9 as-number 100

[PE1-bgp-default] peer 3.3.3.9 connect-interface loopback 0

[PE1-bgp-default] address-family ipv4 unicast

[PE1-bgp-default-ipv4] peer 3.3.3.9 enable

[PE1-bgp-default-ipv4] peer 3.3.3.9 label-route-capability

[PE1-bgp-default-ipv4] quit

# Configure the maximum hop count from PE 1 to EBGP peer 5.5.5.9 as 10.

[PE1-bgp-default] peer 5.5.5.9 as-number 600

[PE1-bgp-default] peer 5.5.5.9 connect-interface loopback 0

[PE1-bgp-default] peer 5.5.5.9 ebgp-max-hop 10

# Configure peer 5.5.5.9 as a VPNv4 peer.

[PE1-bgp-default] address-family vpnv4

[PE1-bgp-default-vpnv4] peer 5.5.5.9 enable

[PE1-bgp-default-vpnv4] quit

# Establish an EBGP peer relationship with CE 1, and add the learned BGP routes to the routing table of VPN instance vpn1.

[PE1-bgp-default] ip vpn-instance vpn1

[PE1-bgp-default-vpn1] peer 30.0.0.2 as-number 65001

[PE1-bgp-default-vpn1] address-family ipv4 unicast

[PE1-bgp-default-ipv4-vpn1] peer 30.0.0.2 enable

[PE1-bgp-default-ipv4-vpn1] quit

[PE1-bgp-default-vpn1] quit

[PE1-bgp-default] quit

3. Configure ASBR-PE 1:

# Start IS-IS on ASBR-PE 1.

<ASBR-PE1> system-view

[ASBR-PE1] isis 1

[ASBR-PE1-isis-1] network-entity 10.222.222.222.222.00

[ASBR-PE1-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[ASBR-PE1] mpls lsr-id 3.3.3.9

[ASBR-PE1] mpls ldp

[ASBR-PE1-ldp] quit

# Configure interface Serial 2/1/0, and enable IS-IS, MPLS, and LDP on the interface.

[ASBR-PE1] interface serial 2/1/0

[ASBR-PE1-Serial2/1/0] ip address 1.1.1.1 255.0.0.0

[ASBR-PE1-Serial2/1/0] isis enable 1

[ASBR-PE1-Serial2/1/0] mpls enable

[ASBR-PE1-Serial2/1/0] mpls ldp enable

[ASBR-PE1-Serial2/1/0] quit

# Configure interface Serial 2/1/1, and enable MPLS on it.

[ASBR-PE1] interface serial 2/1/1

[ASBR-PE1-Serial2/1/1] ip address 11.0.0.2 255.0.0.0

[ASBR-PE1-Serial2/1/1] mpls enable

[ASBR-PE1-Serial2/1/1] quit

# Configure interface Loopback 0, and start IS-IS on it.

[ASBR-PE1] interface loopback 0

[ASBR-PE1-LoopBack0] ip address 3.3.3.9 32

[ASBR-PE1-LoopBack0] isis enable 1

[ASBR-PE1-LoopBack0] quit

# Create routing policies.

[ASBR-PE1] route-policy policy1 permit node 1

[ASBR-PE1-route-policy-policy1-1] apply mpls-label

[ASBR-PE1-route-policy-policy1-1] quit

[ASBR-PE1] route-policy policy2 permit node 1

[ASBR-PE1-route-policy-policy2-1] if-match mpls-label

[ASBR-PE1-route-policy-policy2-1] apply mpls-label

[ASBR-PE1-route-policy-policy2-1] quit

# Start BGP on ASBR-PE 1, and apply the routing policy policy2 to routes advertised to IBGP peer 2.2.2.9.

[ASBR-PE1] bgp 100

[ASBR-PE1-bgp-default] peer 2.2.2.9 as-number 100

[ASBR-PE1-bgp-default] peer 2.2.2.9 connect-interface loopback 0

[ASBR-PE1-bgp-default] address-family ipv4 unicast

[ASBR-PE1-bgp-default-ipv4] peer 2.2.2.9 enable

[ASBR-PE1-bgp-default-ipv4] peer 2.2.2.9 route-policy policy2 export

# Enable the capability to advertise labeled routes to IBGP peer 2.2.2.9 and to receive labeled routes from the peer.

[ASBR-PE1-bgp-default-ipv4] peer 2.2.2.9 label-route-capability

# Redistribute routes from IS-IS process 1 to BGP.

[ASBR-PE1-bgp-default-ipv4] import-route isis 1

[ASBR-PE1-bgp-default-ipv4] quit

# Apply the routing policy policy1 to routes advertised to EBGP peer 11.0.0.1.

[ASBR-PE1-bgp-default] peer 11.0.0.1 as-number 600

[ASBR-PE1-bgp-default] address-family ipv4 unicast

[ASBR-PE1-bgp-default-ipv4] peer 11.0.0.1 enable

[ASBR-PE1-bgp-default-ipv4] peer 11.0.0.1 route-policy policy1 export

# Enable the capability to advertise labeled routes to EBGP peer 11.0.0.1 and to receive labeled routes from the peer.

[ASBR-PE1-bgp-default-ipv4] peer 11.0.0.1 label-route-capability

[ASBR-PE1-bgp-default-ipv4] quit

[ASBR-PE1-bgp-default] quit

4. Configure ASBR-PE 2:

# Enable IS-IS on ASBR-PE 2.

<ASBR-PE2> system-view

[ASBR-PE2] isis 1

[ASBR-PE2-isis-1] network-entity 10.222.222.222.222.00

[ASBR-PE2-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[ASBR-PE2] mpls lsr-id 4.4.4.9

[ASBR-PE2] mpls ldp

[ASBR-PE2-ldp] quit

# Configure interface Serial 2/1/0, and enable IS-IS, MPLS, and LDP on the interface.

[ASBR-PE2] interface serial 2/1/0

[ASBR-PE2-Serial2/1/0] ip address 9.1.1.1 255.0.0.0

[ASBR-PE2-Serial2/1/0] isis enable 1

[ASBR-PE2-Serial2/1/0] mpls enable

[ASBR-PE2-Serial2/1/0] mpls ldp enable

[ASBR-PE2-Serial2/1/0] quit

# Configure interface Loopback 0, and enable IS-IS on it.

[ASBR-PE2] interface loopback 0

[ASBR-PE2-LoopBack0] ip address 4.4.4.9 32

[ASBR-PE2-LoopBack0] isis enable 1

[ASBR-PE2-LoopBack0] quit

# Configure interface Serial 2/1/1, and enable MPLS on the interface.

[ASBR-PE2] interface serial 2/1/1

[ASBR-PE2-Serial2/1/1] ip address 11.0.0.1 255.0.0.0

[ASBR-PE2-Serial2/1/1] mpls enable

[ASBR-PE2-Serial2/1/1] quit

# Create routing policies.

[ASBR-PE2] route-policy policy1 permit node 1

[ASBR-PE2-route-policy-policy1-1] apply mpls-label

[ASBR-PE2-route-policy-policy1-1] quit

[ASBR-PE2] route-policy policy2 permit node 1

[ASBR-PE2-route-policy-policy2-1] if-match mpls-label

[ASBR-PE2-route-policy-policy2-1] apply mpls-label

[ASBR-PE2-route-policy-policy2-1] quit

# Enable BGP on ASBR-PE 2, and enable the capability to advertise labeled routes to IBGP peer 5.5.5.9 and to receive labeled routes from the peer.

[ASBR-PE2] bgp 600

[ASBR-PE2-bgp-default] peer 5.5.5.9 as-number 600

[ASBR-PE2-bgp-default] peer 5.5.5.9 connect-interface loopback 0

[ASBR-PE2-bgp-default] address-family ipv4 unicast

[ASBR-PE2-bgp-default-ipv4] peer 5.5.5.9 enable

[ASBR-PE2-bgp-default-ipv4] peer 5.5.5.9 label-route-capability

# Apply the routing policy policy2 to routes advertised to IBGP peer 5.5.5.9.

[ASBR-PE2-bgp-default-ipv4] peer 5.5.5.9 route-policy policy2 export

# Redistribute routes from IS-IS process 1.

[ASBR-PE2-bgp-default-ipv4] import-route isis 1

[ASBR-PE2-bgp-default-ipv4] quit

# Apply the routing policy policy1 to routes advertised to EBGP peer 11.0.0.2.

[ASBR-PE2-bgp-default] peer 11.0.0.2 as-number 100

[ASBR-PE2-bgp-default] address-family ipv4 unicast

[ASBR-PE2-bgp-default-ipv4] peer 11.0.0.2 enable

[ASBR-PE2-bgp-default-ipv4] peer 11.0.0.2 route-policy policy1 export

# Enable the capability to advertise labeled routes to EBGP peer 11.0.0.2 and to receive labeled routes from the peer.

[ASBR-PE2-bgp-default-ipv4] peer 11.0.0.2 label-route-capability

[ASBR-PE2-bgp-default-ipv4] quit

[ASBR-PE2-bgp-default] quit

5. Configure PE 2:

# Enable IS-IS on PE 2.

<PE2> system-view

[PE2] isis 1

[PE2-isis-1] network-entity 10.111.111.111.111.00

[PE2-isis-1] quit

# Configure the LSR ID, and enable MPLS and LDP.

[PE2] mpls lsr-id 5.5.5.9

[PE2] mpls ldp

[PE2-ldp] quit

# Configure interface Serial 2/1/0, and enable IS-IS, MPLS, and LDP on the interface.

[PE2] interface serial 2/1/0

[PE2-Serial2/1/0] ip address 9.1.1.2 255.0.0.0

[PE2-Serial2/1/0] isis enable 1

[PE2-Serial2/1/0] mpls enable

[PE2-Serial2/1/0] mpls ldp enable

[PE2-Serial2/1/0] quit

# Configure the interface Loopback 0, and enable IS-IS on it.

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 5.5.5.9 32

[PE2-LoopBack0] isis enable 1

[PE2-LoopBack0] quit

# Create VPN instance vpn1, and configure the RD and route target attributes.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 11:11

[PE2-vpn-instance-vpn1] vpn-target 1:1 2:2 3:3 import-extcommunity

[PE2-vpn-instance-vpn1] vpn-target 3:3 export-extcommunity

[PE2-vpn-instance-vpn1] quit

# Associate interface GigabitEthernet 2/0/1 with VPN instance vpn1, and specify the IP address for the interface.

[PE2] interface gigabitethernet 2/0/1

[PE2-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[PE2-GigabitEthernet2/0/1] ip address 20.0.0.1 24

[PE2-GigabitEthernet2/0/1] quit

# Enable BGP on PE 2.

[PE2] bgp 600

# Enable the capability to advertise labeled routes to IBGP peer 4.4.4.9 and to receive labeled routes from the peer.

[PE2-bgp-default] peer 4.4.4.9 as-number 600

[PE2-bgp-default] peer 4.4.4.9 connect-interface loopback 0

[PE2-bgp-default] address-family ipv4 unicast

[PE2-bgp-default-ipv4] peer 4.4.4.9 enable

[PE2-bgp-default-ipv4] peer 4.4.4.9 label-route-capability

[PE2-bgp-default-ipv4] quit

# Configure the maximum hop count from PE 2 to EBGP peer 2.2.2.9 as 10.

[PE2-bgp-default] peer 2.2.2.9 as-number 100

[PE2-bgp-default] peer 2.2.2.9 connect-interface loopback 0

[PE2-bgp-default] peer 2.2.2.9 ebgp-max-hop 10

# Configure peer 2.2.2.9 as a VPNv4 peer.

[PE2-bgp-default] address-family vpnv4

[PE2-bgp-default-vpnv4] peer 2.2.2.9 enable

[PE2-bgp-default-vpnv4] quit

# Establish an EBGP peer relationship with CE 2, and add the learned BGP routes to the routing table of VPN instance vpn1.

[PE2-bgp-default] ip vpn-instance vpn1

[PE2-bgp-default-vpn1] peer 20.0.0.2 as-number 65002

[PE2-bgp-default-vpn1] address-family ipv4 unicast

[PE2-bgp-default-ipv4-vpn1] peer 20.0.0.2 enable

[PE2-bgp-default-ipv4-vpn1] quit

[PE2-bgp-default-vpn1] quit

[PE2-bgp-default] quit

6. Configure CE 2:

# Configure an IP address for GigabitEthernet 2/0/1.

<CE2> system-view

[CE2] interface gigabitethernet 2/0/1

[CE2-GigabitEthernet2/0/1] ip address 20.0.0.2 24

[CE2-GigabitEthernet2/0/1] quit

# Establish an EBGP peer relationship with PE 2, and redistribute VPN routes.

[CE2] bgp 65002

[CE2-bgp-default] peer 20.0.0.1 as-number 600

[CE2-bgp-default] address-family ipv4 unicast

[CE2-bgp-default-ipv4] peer 20.0.0.1 enable

[CE2-bgp-default-ipv4] import-route direct

[CE2-bgp-default-ipv4] quit

[CE2-bgp-default] quit

Verifying the configuration

# Execute the display ip routing table command on CE 1 and CE 2 to verify that CE 1 and CE 2 have a route to each other. Verify that CE 1 and CE 2 can ping each other. (Details not shown.)

Configuring MPLS L3VPN carrier's carrier in the same AS

Network requirements

Configure carrier's carrier for the scenario shown in Figure 78. In this scenario:

· PE 1 and PE 2 are the provider carrier's PE routers. They provide VPN services for the customer carrier.

· CE 1 and CE 2 are the customer carrier's routers. They are connected to the provider carrier's backbone as CE routers.

· PE 3 and PE 4 are the customer carrier's PE routers. They provide MPLS L3VPN services for the end customers.

· CE 3 and CE 4 are customers of the customer carrier.

· The customer carrier and the provider carrier reside in the same AS.

The key to carrier's carrier deployment is to configure exchange of two kinds of routes:

· Exchange of the customer carrier's internal routes on the provider carrier's backbone.

· Exchange of the end customers' VPN routes between PE 3 and PE 4, the PEs of the customer carrier. In this process, an MP-IBGP peer relationship must be established between PE 3 and PE 4.

Figure 78 Network diagram

Table 19 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 3	GE2/0/1	100.1.1.1/24	CE 4	GE2/0/1	120.1.1.1/24
PE 3	Loop0	1.1.1.9/32	PE 4	Loop0	6.6.6.9/32
	GE2/0/1	100.1.1.2/24		GE2/0/1	120.1.1.2/24
	POS2/2/1	10.1.1.1/24		POS2/2/1	20.1.1.2/24
CE 1	Loop0	2.2.2.9/32	CE 2	Loop0	5.5.5.9/32
	POS2/2/0	10.1.1.2/24		POS2/2/0	21.1.1.2/24
	POS2/2/1	11.1.1.1/24		POS2/2/1	20.1.1.1/24
PE 1	Loop0	3.3.3.9/32	PE 2	Loop0	4.4.4.9/32
	POS2/2/0	11.1.1.2/24		POS2/2/0	30.1.1.2/24
	POS2/2/1	30.1.1.1/24		POS2/2/1	21.1.1.1/24

Configuration procedure

1. Configure MPLS L3VPN on the provider carrier backbone. Enable IS-IS as the IGP, enable LDP between PE 1 and PE 2, and establish an MP-IBGP peer relationship between the PEs:

# Configure PE 1.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 3.3.3.9 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 3.3.3.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] isis 1

[PE1-isis-1] network-entity 10.0000.0000.0000.0004.00

[PE1-isis-1] quit

[PE1] interface loopback 0

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

[PE1] interface pos 2/2/1

[PE1-Pos2/2/1] ip address 30.1.1.1 24

[PE1-Pos2/2/1] isis enable 1

[PE1-Pos2/2/1] mpls enable

[PE1-Pos2/2/1] mpls ldp enable

[PE1-Pos2/2/1] mpls ldp transport-address interface

[PE1-Pos2/2/1] quit

[PE1] bgp 100

[PE1-bgp-default] peer 4.4.4.9 as-number 100

[PE1-bgp-default] peer 4.4.4.9 connect-interface loopback 0

[PE1-bgp-default] address-family vpnv4

[PE1-bgp-default-vpnv4] peer 4.4.4.9 enable

[PE1-bgp-default-vpnv4] quit

[PE1-bgp-default] quit

# Configure PE 2 in the same way that PE 1 is configured. (Details not shown.)

# On PE 1 or PE 2, execute the following commands:

? Execute the display mpls ldp peer command to verify that an LDP session in Operational state has been established between PE 1 and PE 2. (Details not shown.)

? Execute the display bgp peer vpnv4 command to verify that a BGP peer relationship in Established state has been established between PE 1 and PE 2. (Details not shown.)

? Execute the display isis peer command to verify that the IS-IS neighbor relationship has been established between PE 1 and PE 2. (Details not shown.)

2. Configure the customer carrier network. Enable IS-IS as the IGP, and enable LDP between PE 3 and CE 1, and between PE 4 and CE 2:

# Configure PE 3.

<PE3> system-view

[PE3] interface loopback 0

[PE3-LoopBack0] ip address 1.1.1.9 32

[PE3-LoopBack0] quit

[PE3] mpls lsr-id 1.1.1.9

[PE3] mpls ldp

[PE3-ldp] quit

[PE3] isis 2

[PE3-isis-2] network-entity 10.0000.0000.0000.0001.00

[PE3-isis-2] quit

[PE3] interface loopback 0

[PE3-LoopBack0] isis enable 2

[PE3-LoopBack0] quit

[PE3] interface pos 2/2/1

[PE3-Pos2/2/1] ip address 10.1.1.1 24

[PE3-Pos2/2/1] isis enable 2

[PE3-Pos2/2/1] mpls enable

[PE3-Pos2/2/1] mpls ldp enable

[PE3-Pos2/2/1] mpls ldp transport-address interface

[PE3-Pos2/2/1] quit

# Configure CE 1.

<CE1> system-view

[CE1] interface loopback 0

[CE1-LoopBack0] ip address 2.2.2.9 32

[CE1-LoopBack0] quit

[CE1] mpls lsr-id 2.2.2.9

[CE1] mpls ldp

[CE1-ldp] quit

[CE1] isis 2

[CE1-isis-2] network-entity 10.0000.0000.0000.0002.00

[CE1-isis-2] quit

[CE1] interface loopback 0

[CE1-LoopBack0] isis enable 2

[CE1-LoopBack0] quit

[CE1] interface pos 2/2/0

[CE1-Pos2/2/0] ip address 10.1.1.2 24

[CE1-Pos2/2/0] isis enable 2

[CE1-Pos2/2/0] mpls enable

[CE1-Pos2/2/0] mpls ldp enable

[CE1-Pos2/2/0] mpls ldp transport-address interface

[CE1-Pos2/2/0] quit

PE 3 and CE 1 can establish an LDP session and IS-IS neighbor relationship between them.

# Configure PE 4 and CE 2 in the same way that PE 3 and CE 1 are configured. (Details not shown.)

3. Allow CEs of the customer carrier to access PEs of the provider carrier, and redistribute IS-IS routes to BGP and BGP routes to IS-IS on the PEs:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 200:1

[PE1-vpn-instance-vpn1] vpn-target 1:1

[PE1-vpn-instance-vpn1] quit

[PE1] mpls ldp

[PE1-ldp] vpn-instance vpn1

[PE1-ldp-vpn-instance-vpn1] quit

[PE1-ldp] quit

[PE1] isis 2 vpn-instance vpn1

[PE1-isis-2] network-entity 10.0000.0000.0000.0003.00

[PE1-isis-2] address-family ipv4

[PE1-isis-2-ipv4] import-route bgp

[PE1-isis-2-ipv4] quit

[PE1-isis-2] quit

[PE1] interface pos 2/2/0

[PE1-Pos2/2/0] ip binding vpn-instance vpn1

[PE1-Pos2/2/0] ip address 11.1.1.2 24

[PE1-Pos2/2/0] isis enable 2

[PE1-Pos2/2/0] mpls enable

[PE1-Pos2/2/0] mpls ldp enable

[PE1-Pos2/2/0] mpls ldp transport-address interface

[PE1-Pos2/2/0] quit

[PE1] bgp 100

[PE1-bgp-default] ip vpn-instance vpn1

[PE1-bgp-default-vpn1] address-family ipv4 unicast

[PE1-bgp-default-ipv4-vpn1] import isis 2

[PE1-bgp-default-ipv4-vpn1] quit

[PE1-bgp-default-vpn1] quit

[PE1-bgp-default] quit

# Configure CE 1.

[CE1] interface pos 2/2/1

[CE1-Pos2/2/1] ip address 11.1.1.1 24

[CE1-Pos2/2/1] isis enable 2

[CE1-Pos2/2/1] mpls enable

[CE1-Pos2/2/1] mpls ldp enable

[CE1-Pos2/2/1] mpls ldp transport-address interface

[CE1-Pos2/2/1] quit

PE 1 and CE 1 can establish an LDP session and IS-IS neighbor relationship between them.

# Configure PE 2 and CE 2 in the same way that PE 1 and CE 1 are configured. (Details not shown.)

4. Connect CEs of the end customers and the PEs of the customer carrier:

# Configure CE 3.

<CE3> system-view

[CE3] interface gigabitethernet 2/0/1

[CE3-GigabitEthernet2/0/1] ip address 100.1.1.1 24

[CE3-GigabitEthernet2/0/1] quit

[CE3] bgp 65410

[CE3-bgp-default] peer 100.1.1.2 as-number 100

[CE3-bgp-default] address-family ipv4 unicast

[CE3-bgp-default-ipv4] peer 100.1.1.2 enable

[CE3-bgp-default-ipv4] import-route direct

[CE3-bgp-default-ipv4] quit

[CE3-bgp-default] quit

# Configure PE 3.

[PE3] ip vpn-instance vpn1

[PE3-vpn-instance-vpn1] route-distinguisher 100:1

[PE3-vpn-instance-vpn1] vpn-target 1:1

[PE3-vpn-instance-vpn1] quit

[PE3] interface gigabitethernet 2/0/1

[PE3-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[PE3-GigabitEthernet2/0/1] ip address 100.1.1.2 24

[PE3-GigabitEthernet2/0/1] quit

[PE3] bgp 100

[PE3-bgp-default] ip vpn-instance vpn1

[PE3-bgp-default-vpn1] peer 100.1.1.1 as-number 65410

[PE3-bgp-default-vpn1] address-family ipv4 unicast

[PE3-bgp-default-ipv4-vpn1] peer 100.1.1.1 enable

[PE3-bgp-default-ipv4-vpn1] quit

[PE3-bgp-default-vpn1] quit

[PE3-bgp-default] quit

# Configure PE 4 and CE 4 in the same way that PE 3 and CE 3 are configured. (Details not shown.)

5. Configure an MP-IBGP peer relationship between the PEs of the customer carrier to exchange the VPN routes of the end customers:

# Configure PE 3.

[PE3] bgp 100

[PE3-bgp-default] peer 6.6.6.9 as-number 100

[PE3-bgp-default] peer 6.6.6.9 connect-interface loopback 0

[PE3-bgp-default] address-family vpnv4

[PE3-bgp-default-vpnv4] peer 6.6.6.9 enable

[PE3-bgp-default-vpnv4] quit

[PE3-bgp-default] quit

# Configure PE 4 in the same way that PE 3 is configured. (Details not shown.)

Verifying the configuration

1. Display the public network routing table and VPN routing table on the provider carrier PEs, for example, on PE 1:

# Verify that the public network routing table contains only routes of the provider carrier network.

[PE1] display ip routing-table

Destinations : 14 Routes : 14

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

3.3.3.9/32 Direct 0 0 127.0.0.1 InLoop0

4.4.4.9/32 IS_L1 15 10 30.1.1.2 POS2/2/1

30.1.1.0/24 Direct 0 0 30.1.1.1 POS2/2/1

30.1.1.0/32 Direct 0 0 30.1.1.1 POS2/2/1

30.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

30.1.1.255/32 Direct 0 0 30.1.1.1 POS2/2/1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that the VPN routing table contains the internal routes of the customer carrier, but it does not contain the VPN routes that the customer carrier maintains.

[PE1] display ip routing-table vpn-instance vpn1

Destinations : 18 Routes : 18

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

1.1.1.9/32 IS_L1 15 20 11.1.1.1 POS2/2/0

2.2.2.9/32 IS_L1 15 10 11.1.1.1 POS2/2/0

5.5.5.9/32 BGP 255 10 4.4.4.9 POS2/2/1

6.6.6.9/32 BGP 255 20 4.4.4.9 POS2/2/1

10.1.1.0/24 IS_L1 15 20 11.1.1.1 POS2/2/0

11.1.1.0/24 Direct 0 0 11.1.1.2 POS2/2/0

11.1.1.0/32 Direct 0 0 11.1.1.2 POS2/2/0

11.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.255/32 Direct 0 0 11.1.1.2 POS2/2/0

20.1.1.0/24 BGP 255 20 4.4.4.9 POS2/2/1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

2. Display the routing table on the customer carrier CEs, for example, on CE 1:

# Verify that the routing table contains the internal routes of the customer carrier network, but it does not contain the VPN routes that the customer carrier maintains.

[CE1] display ip routing-table

Destinations : 21 Routes : 21

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

1.1.1.9/32 IS_L1 15 10 10.1.1.1 POS2/2/0

2.2.2.9/32 Direct 0 0 127.0.0.1 InLoop0

5.5.5.9/32 IS_L2 15 74 11.1.1.2 POS2/2/1

6.6.6.9/32 IS_L2 15 74 11.1.1.2 POS2/2/1

10.1.1.0/24 Direct 0 0 10.1.1.2 POS2/2/0

10.1.1.0/32 Direct 0 0 10.1.1.2 POS2/2/0

10.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.255/32 Direct 0 0 10.1.1.2 POS2/2/0

11.1.1.0/24 Direct 0 0 11.1.1.1 POS2/2/1

11.1.1.0/32 Direct 0 0 11.1.1.1 POS2/2/1

11.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.255/32 Direct 0 0 11.1.1.1 POS2/2/1

20.1.1.0/24 IS_L2 15 74 11.1.1.2 POS2/2/1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

3. Display the public network routing table and VPN routing table on the customer carrier PEs, for example, on PE 3:

# Verify that the public network routing table contains the internal routes of the customer carrier network.

[PE3] display ip routing-table

Destinations : 18 Routes : 18

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

1.1.1.9/32 Direct 0 0 127.0.0.1 InLoop0

2.2.2.9/32 IS_L1 15 10 10.1.1.2 POS2/2/1

5.5.5.9/32 IS_L2 15 84 10.1.1.2 POS2/2/1

6.6.6.9/32 IS_L2 15 84 10.1.1.2 POS2/2/1

10.1.1.0/24 Direct 0 0 10.1.1.1 POS2/2/1

10.1.1.0/32 Direct 0 0 10.1.1.1 POS2/2/1

10.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.255/32 Direct 0 0 10.1.1.1 POS2/2/1

11.1.1.0/24 IS_L1 15 20 10.1.1.2 POS2/2/1

20.1.1.0/24 IS_L2 15 84 10.1.1.2 POS2/2/1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that the VPN routing table contains the route to the remote VPN customer.

[PE3] display ip routing-table vpn-instance vpn1

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.0/24 Direct 0 0 100.1.1.2 GE2/0/1

100.1.1.0/32 Direct 0 0 100.1.1.2 GE2/0/1

100.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.255/32 Direct 0 0 100.1.1.2 GE2/0/1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

120.1.1.0/24 BGP 255 0 6.6.6.9 POS2/2/1

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

4. Verify that PE 3 and PE 4 can ping each other. (Details not shown.)

5. Verify that CE 3 and CE 4 can ping each other. (Details not shown.)

Configuring MPLS L3VPN carrier's carrier in different ASs

Network requirements

Configure carrier's carrier for the scenario shown in Figure 79. In this scenario:

· PE 1 and PE 2 are the provider carrier's PE routers. They provide VPN services for the customer carrier.

· CE 1 and CE 2 are the customer carrier's routers. They are connected to the provider carrier's backbone as CE routers.

· PE 3 and PE 4 are the customer carrier's PE routers. They provide MPLS L3VPN services for the end customers.

· CE 3 and CE 4 are customers of the customer carrier.

· The customer carrier and the provider carrier reside in different ASs.

The key to carrier's carrier deployment is to configure exchange of two kinds of routes:

· Exchange of the customer carrier's internal routes on the provider carrier's backbone.

· Exchange of the end customers' VPN routes between PE 3 and PE 4, the PEs of the customer carrier. In this process, an MP-EBGP peer relationship must be established between PE 3 and PE 4.

Figure 79 Network diagram

Table 20 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 3	GE2/0/1	100.1.1.1/24	CE 4	GE2/0/1	120.1.1.1/24
PE 3	Loop0	1.1.1.9/32	PE 4	Loop0	6.6.6.9/32
	GE2/0/1	100.1.1.2/24		GE2/0/1	120.1.1.2/24
	POS2/2/1	10.1.1.1/24		POS2/2/1	20.1.1.2/24
CE 1	Loop0	2.2.2.9/32	CE 2	Loop0	5.5.5.9/32
	POS2/2/0	10.1.1.2/24		POS2/2/0	21.1.1.2/24
	POS2/2/1	11.1.1.1/24		POS2/2/1	20.1.1.1/24
PE 1	Loop0	3.3.3.9/32	PE 2	Loop0	4.4.4.9/32
	POS2/2/0	11.1.1.2/24		POS2/2/0	30.1.1.2/24
	POS2/2/1	30.1.1.1/24		POS2/2/1	21.1.1.1/24

Configuration procedure

1. Configure MPLS L3VPN on the provider carrier backbone. Enable IS-IS as the IGP, enable LDP between PE 1 and PE 2, and establish an MP-IBGP peer relationship between the PEs:

# Configure PE 1.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 3.3.3.9 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 3.3.3.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] isis 1

[PE1-isis-1] network-entity 10.0000.0000.0000.0004.00

[PE1-isis-1] quit

[PE1] interface loopback 0

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

[PE1] interface pos 2/2/1

[PE1-Pos2/2/1] ip address 30.1.1.1 24

[PE1-Pos2/2/1] isis enable 1

[PE1-Pos2/2/1] mpls enable

[PE1-Pos2/2/1] mpls ldp enable

[PE1-Pos2/2/1] mpls ldp transport-address interface

[PE1-Pos2/2/1] quit

[PE1] bgp 200

[PE1-bgp-default] peer 4.4.4.9 as-number 200

[PE1-bgp-default] peer 4.4.4.9 connect-interface loopback 0

[PE1-bgp-default] address-family vpnv4

[PE1-bgp-default-vpnv4] peer 4.4.4.9 enable

[PE1-bgp-default-vpnv4] quit

[PE1-bgp-default] quit

# Configure PE 2 in the same way that PE 1 is configured. (Details not shown.)

# On PE 1 or PE 2, execute the following commands:

? Execute the display mpls ldp peer command to verify that an LDP session in Operational state has been established between PE 1 and PE 2. (Details not shown.)

? Execute the display bgp peer vpnv4 command to verify that a BGP peer relationship in Established state has been established between PE 1 and PE 2. (Details not shown.)

? Execute the display isis peer command to verify that the IS-IS neighbor relationship has been established between PE 1 and PE 2. (Details not shown.)

2. Configure the customer carrier network. Enable IS-IS as the IGP, and enable LDP between PE 3 and CE 1, and between PE 4 and CE 2:

# Configure PE 3.

<PE3> system-view

[PE3] interface loopback 0

[PE3-LoopBack0] ip address 1.1.1.9 32

[PE3-LoopBack0] quit

[PE3] mpls lsr-id 1.1.1.9

[PE3] mpls ldp

[PE3-ldp] quit

[PE3] isis 2

[PE3-isis-2] network-entity 10.0000.0000.0000.0001.00

[PE3-isis-2] quit

[PE3] interface loopback 0

[PE3-LoopBack0] isis enable 2

[PE3-LoopBack0] quit

[PE3] interface pos 2/2/1

[PE3-Pos2/2/1] ip address 10.1.1.1 24

[PE3-Pos2/2/1] isis enable 2

[PE3-Pos2/2/1] mpls enable

[PE3-Pos2/2/1] mpls ldp enable

[PE3-Pos2/2/1] mpls ldp transport-address interface

[PE3-Pos2/2/1] quit

# Configure CE 1.

<CE1> system-view

[CE1] interface loopback 0

[CE1-LoopBack0] ip address 2.2.2.9 32

[CE1-LoopBack0] quit

[CE1] mpls lsr-id 2.2.2.9

[CE1] mpls ldp

[CE1-ldp] import bgp

[CE1-ldp] quit

[CE1] isis 2

[CE1-isis-2] network-entity 10.0000.0000.0000.0002.00

[CE1-isis-2] address-family ipv4

[CE1-isis-2-ipv4] import-route bgp

[CE1-isis-2-ipv4] quit

[CE1-isis-2] quit

[CE1] interface loopback 0

[CE1-LoopBack0] isis enable 2

[CE1-LoopBack0] quit

[CE1] interface pos 2/2/0

[CE1-Pos2/2/0] ip address 10.1.1.2 24

[CE1-Pos2/2/0] isis enable 2

[CE1-Pos2/2/0] mpls enable

[CE1-Pos2/2/0] mpls ldp enable

[CE1-Pos2/2/0] mpls ldp transport-address interface

[CE1-Pos2/2/0] quit

PE 3 and CE 1 can establish an LDP session and IS-IS neighbor relationship between them.

# Configure PE 4 and CE 2 in the same way that PE 3 and CE 1 are configured. (Details not shown.)

3. Allow CEs of the customer carrier to access PEs of the provider carrier:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 200:1

[PE1-vpn-instance-vpn1] vpn-target 1:1

[PE1-vpn-instance-vpn1] quit

[PE1] interface pos 2/2/0

[PE1-Pos2/2/0] ip binding vpn-instance vpn1

[PE1-Pos2/2/0] ip address 11.1.1.2 24

[PE1-Pos2/2/0] mpls enable

[PE1-Pos2/2/0] quit

[PE1] bgp 200

[PE1-bgp-default] ip vpn-instance vpn1

[PE1-bgp-default-vpn1] peer 11.1.1.1 as-number 100

[PE1-bgp-default-vpn1] address-family ipv4 unicast

[PE1-bgp-default-ipv4-vpn1] peer 11.1.1.1 enable

[PE1-bgp-default-ipv4-vpn1] peer 11.1.1.1 label-route-capability

[PE1-bgp-default-ipv4-vpn1] peer 11.1.1.1 route-policy csc export

[PE1-bgp-default-ipv4-vpn1] quit

[PE1-bgp-default-vpn1] quit

[PE1-bgp-default] quit

[PE1] route-policy csc permit node 0

[PE1-route-policy-csc-0] apply mpls-label

[PE1-route-policy-csc-0] quit

# Configure CE 1.

[CE1] interface pos 2/2/1

[CE1-Pos2/2/1] ip address 11.1.1.1 24

[CE1-Pos2/2/1] mpls enable

[CE1-Pos2/2/1] quit

[CE1] bgp 100

[CE1-bgp-default] peer 11.1.1.2 as-number 200

[CE1-bgp-default] address-family ipv4 unicast

[CE1-bgp-default-ipv4] peer 11.1.1.2 enable

[CE1-bgp-default-ipv4] peer 11.1.1.2 label-route-capability

[CE1-bgp-default-ipv4] peer 11.1.1.2 route-policy csc export

[CE1-bgp-default-ipv4] import isis 2

[CE1-bgp-default-ipv4] quit

[CE1-bgp-default] quit

[CE1] route-policy csc permit node 0

[CE1-route-policy-csc-0] apply mpls-label

[CE1-route-policy-csc-0] quit

PE 1 and CE 1 can establish a BGP session and exchange labeled IPv4 unicast routes through BGP.

# Configure PE 2 and CE 2 in the same way that PE 1 and CE 1 are configured. (Details not shown.)

4. Connect CEs of the end customers and the PEs of the customer carrier:

# Configure CE 3.

<CE3> system-view

[CE3] interface gigabitethernet 2/0/1

[CE3-GigabitEthernet2/0/1] ip address 100.1.1.1 24

[CE3-GigabitEthernet2/0/1] quit

[CE3] bgp 65410

[CE3-bgp-default] peer 100.1.1.2 as-number 100

[CE3-bgp-default] address-family ipv4 unicast

[CE3-bgp-default-ipv4] peer 100.1.1.2 enable

[CE3-bgp-default-ipv4] import-route direct

[CE3-bgp-default-ipv4] quit

[CE3-bgp-default] quit

# Configure PE 3.

[PE3] ip vpn-instance vpn1

[PE3-vpn-instance-vpn1] route-distinguisher 100:1

[PE3-vpn-instance-vpn1] vpn-target 1:1

[PE3-vpn-instance-vpn1] quit

[PE3] interface gigabitethernet 2/0/1

[PE3-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[PE3-GigabitEthernet2/0/1] ip address 100.1.1.2 24

[PE3-GigabitEthernet2/0/1] quit

[PE3] bgp 100

[PE3-bgp-default] ip vpn-instance vpn1

[PE3-bgp-default-vpn1] peer 100.1.1.1 as-number 65410

[PE3-bgp-default-vpn1] address-family ipv4 unicast

[PE3-bgp-default-ipv4-vpn1] peer 100.1.1.1 enable

[PE3-bgp-default-ipv4-vpn1] quit

[PE3-bgp-default-vpn1] quit

[PE3-bgp-default] quit

# Configure PE 4 and CE 4 in the same way that PE 3 and CE 3 are configured. (Details not shown.)

5. Configure an MP-EBGP peer relationship between the PEs of the customer carrier to exchange the VPN routes of the end customers:

# Configure PE 3.

[PE3] bgp 100

[PE3-bgp-default] peer 6.6.6.9 as-number 300

[PE3-bgp-default] peer 6.6.6.9 connect-interface loopback 0

[PE3-bgp-default] peer 6.6.6.9 ebgp-max-hop 10

[PE3-bgp-default] address-family vpnv4

[PE3-bgp-default-vpnv4] peer 6.6.6.9 enable

[PE3-bgp-default-vpnv4] quit

[PE3-bgp-default] quit

# Configure PE 4 in the same way that PE 3 is configured. (Details not shown.)

Verifying the configuration

1. Display the public network routing table and VPN routing table on the provider carrier PEs, for example, on PE 1:

# Verify that the public network routing table contains only routes of the provider carrier network.

[PE1] display ip routing-table

Destinations : 14 Routes : 14

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

3.3.3.9/32 Direct 0 0 127.0.0.1 InLoop0

4.4.4.9/32 IS_L1 15 10 30.1.1.2 POS2/2/1

30.1.1.0/24 Direct 0 0 30.1.1.1 POS2/2/1

30.1.1.0/32 Direct 0 0 30.1.1.1 POS2/2/1

30.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

30.1.1.255/32 Direct 0 0 30.1.1.1 POS2/2/1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that the VPN routing table contains the internal routes of the customer carrier, but it does not contain the VPN routes that the customer carrier maintains.

[PE1] display ip routing-table vpn-instance vpn1

Destinations : 14 Routes : 14

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

1.1.1.9/32 BGP 255 10 11.1.1.1 POS2/2/0

6.6.6.9/32 BGP 255 10 4.4.4.9 POS2/2/1

11.1.1.0/24 Direct 0 0 11.1.1.2 POS2/2/0

11.1.1.0/32 Direct 0 0 11.1.1.2 POS2/2/0

11.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.255/32 Direct 0 0 11.1.1.2 POS2/2/0

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

2. Display the routing table on the customer carrier CEs, for example, on CE 1.

# Verify that the routing table contains the internal routes of the customer carrier network, but it does not contain the VPN routes that the customer carrier maintains.

[CE1] display ip routing-table

Destinations : 19 Routes : 19

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

1.1.1.9/32 IS_L1 15 10 10.1.1.1 POS2/2/0

2.2.2.9/32 Direct 0 0 127.0.0.1 InLoop0

6.6.6.9/32 BGP 255 0 11.1.1.2 POS2/2/1

10.1.1.0/24 Direct 0 0 10.1.1.2 POS2/2/0

10.1.1.0/32 Direct 0 0 10.1.1.2 POS2/2/0

10.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.255/32 Direct 0 0 10.1.1.2 POS2/2/0

11.1.1.0/24 Direct 0 0 11.1.1.1 POS2/2/1

11.1.1.0/32 Direct 0 0 11.1.1.1 POS2/2/1

11.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.255/32 Direct 0 0 11.1.1.1 POS2/2/1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

3. Display the public network routing table and VPN routing table on the customer carrier PEs, for example, on PE 3:

# Verify that the public network routing table contains the internal routes of the customer carrier network.

[PE3] display ip routing-table

Destinations : 15 Routes : 15

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

1.1.1.9/32 Direct 0 0 127.0.0.1 InLoop0

2.2.2.9/32 IS_L1 15 10 10.1.1.2 POS2/2/1

6.6.6.9/32 IS_L2 15 74 10.1.1.2 POS2/2/1

10.1.1.0/24 Direct 0 0 10.1.1.1 POS2/2/1

10.1.1.0/32 Direct 0 0 10.1.1.1 POS2/2/1

10.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.255/32 Direct 0 0 10.1.1.1 POS2/2/1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that the VPN routing table contains the route to the remote VPN customer.

[PE3] display ip routing-table vpn-instance vpn1

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.0/24 Direct 0 0 100.1.1.2 GE2/0/1

100.1.1.0/32 Direct 0 0 100.1.1.2 GE2/0/1

100.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.255/32 Direct 0 0 100.1.1.2 GE2/0/1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

120.1.1.0/24 BGP 255 0 6.6.6.9 POS2/2/1

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

4. Verify that PE 3 and PE 4 can ping each other. (Details not shown.)

5. Verify that CE 3 and CE 4 can ping each other. (Details not shown.)

Configuring nested VPN

Network requirements

The service provider provides nested VPN services for users, as shown in Figure 80.

· PE 1 and PE 2 are PE devices on the service provider backbone. Both of them support the nested VPN feature.

· CE 1 and CE 2 are provider CEs connected to the service provider backbone. Both of them support VPNv4 routes.

· PE 3 and PE 4 are PE devices of the customer VPN. Both of them support MPLS L3VPN.

· CE 3 through CE 6 are CE devices of sub-VPNs in the customer VPN.

The key of nested VPN configuration is to understand the processing of routes of sub-VPNs on the service provider PEs:

· When receiving a VPNv4 route from a provider CE (CE 1 or CE 2, in this example), a provider PE performs the following operations:

a. Replaces the RD of the VPNv4 route with the RD of the MPLS VPN on the service provider network.

b. Adds the export target attribute of the MPLS VPN on the service provider network to the extended community attribute list.

c. Forwards the VPNv4 route.

· To implement exchange of sub-VPN routes between customer PEs and service provider PEs, MP-EBGP peers must be established between provider PEs and provider CEs.

Figure 80 Network diagram

Table 21 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Loop0	2.2.2.9/32	CE 2	Loop0	5.5.5.9/32
	POS2/2/0	10.1.1.2/24		POS2/2/0	21.1.1.2/24
	POS2/2/1	11.1.1.1/24		POS2/2/1	20.1.1.1/24
CE 3	GE2/0/1	100.1.1.1/24	CE 4	GE2/0/1	120.1.1.1/24
CE 5	GE2/0/1	110.1.1.1/24	CE 6	GE2/0/1	130.1.1.1/24
PE 1	Loop0	3.3.3.9/32	PE 2	Loop0	4.4.4.9/32
	POS2/2/0	11.1.1.2/24		POS2/2/0	30.1.1.2/24
	POS2/2/1	30.1.1.1/24		POS2/2/1	21.1.1.1/24
PE 3	Loop0	1.1.1.9/32	PE 4	Loop0	6.6.6.9/32
	GE2/0/1	100.1.1.2/24		GE2/0/1	120.1.1.2/24
	GE2/0/2	110.1.1.2/24		GE2/0/2	130.1.1.2/24
	POS2/2/1	10.1.1.1/24		POS2/2/1	20.1.1.2/24

Configuration procedure

1. Configure MPLS L3VPN on the service provider backbone. Enable IS-IS, enable LDP, and establish an MP-IBGP peer relationship between PE 1 and PE 2:

# Configure PE 1.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 3.3.3.9 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 3.3.3.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] isis 1

[PE1-isis-1] network-entity 10.0000.0000.0000.0004.00

[PE1-isis-1] quit

[PE1] interface loopback 0

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

[PE1] interface pos 2/2/1

[PE1-Pos2/2/1] ip address 30.1.1.1 24

[PE1-Pos2/2/1] isis enable 1

[PE1-Pos2/2/1] mpls enable

[PE1-Pos2/2/1] mpls ldp enable

[PE1-Pos2/2/1] mpls ldp transport-address interface

[PE1-Pos2/2/1] quit

[PE1] bgp 100

[PE1-bgp-default] peer 4.4.4.9 as-number 100

[PE1-bgp-default] peer 4.4.4.9 connect-interface loopback 0

[PE1-bgp-default] address-family vpnv4

[PE1-bgp-default-vpnv4] peer 4.4.4.9 enable

[PE1-bgp-default-vpnv4] quit

[PE1-bgp-default] quit

# Configure PE 2 in the same way that PE 1 is configured. (Details not shown.)

# On PE 1 or PE 2, execute the following commands:

? Execute the display mpls ldp peer command to verify that an LDP session in Operational state has been established between PE 1 and PE 2. (Details not shown.)

? Execute the display bgp peer vpnv4 command to verify that a BGP peer relationship in Established state has been established between PE 1 and PE 2. (Details not shown.)

? Execute the display isis peer command to verify that the IS-IS neighbor relationship has been established between PE 1 and PE 2. (Details not shown.)

2. Configure the customer VPN. Enable IS-IS, and enable LDP between PE 3 and CE 1, and between PE 4 and CE 2:

# Configure PE 3.

<PE3> system-view

[PE3] interface loopback 0

[PE3-LoopBack0] ip address 1.1.1.9 32

[PE3-LoopBack0] quit

[PE3] mpls lsr-id 1.1.1.9

[PE3] mpls ldp

[PE3-ldp] quit

[PE3] isis 2

[PE3-isis-2] network-entity 10.0000.0000.0000.0001.00

[PE3-isis-2] quit

[PE3] interface loopback 0

[PE3-LoopBack0] isis enable 2

[PE3-LoopBack0] quit

[PE3] interface pos 2/2/1

[PE3-Pos2/2/1] ip address 10.1.1.1 24

[PE3-Pos2/2/1] isis enable 2

[PE3-Pos2/2/1] mpls enable

[PE3-Pos2/2/1] mpls ldp enable

[PE3-Pos2/2/1] quit

# Configure CE 1.

<CE1> system-view

[CE1] interface loopback 0

[CE1-LoopBack0] ip address 2.2.2.9 32

[CE1-LoopBack0] quit

[CE1] mpls lsr-id 2.2.2.9

[CE1] mpls ldp

[CE1-ldp] quit

[CE1] isis 2

[CE1-isis-2] network-entity 10.0000.0000.0000.0002.00

[CE1-isis-2] quit

[CE1] interface loopback 0

[CE1-LoopBack0] isis enable 2

[CE1-LoopBack0] quit

[CE1] interface pos 2/2/0

[CE1-Pos2/2/0] ip address 10.1.1.2 24

[CE1-Pos2/2/0] isis enable 2

[CE1-Pos2/2/0] mpls enable

[CE1-Pos2/2/0] mpls ldp enable

[CE1-Pos2/2/0] quit

An LDP session and IS-IS neighbor relationship can be established between PE 3 and CE 1.

# Configure PE 4 and CE 2 in the same way that PE 3 and CE 1 are configured. (Details not shown.)

3. Connect CE 1 and CE 2 to service provider PEs:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 200:1

[PE1-vpn-instance-vpn1] vpn-target 1:1

[PE1-vpn-instance-vpn1] quit

[PE1] interface pos 2/2/0

[PE1-Pos2/2/0] ip binding vpn-instance vpn1

[PE1-Pos2/2/0] ip address 11.1.1.2 24

[PE1-Pos2/2/0] mpls enable

[PE1-Pos2/2/0] quit

[PE1] bgp 100

[PE1-bgp-default] ip vpn-instance vpn1

[PE1-bgp-default-vpn1] peer 11.1.1.1 as-number 200

[PE1-bgp-default-vpn1] address-family ipv4

[PE1-bgp-default-ipv4-vpn1] peer 11.1.1.1 enable

[PE1-bgp-default-ipv4-vpn1] quit

[PE1-bgp-default-vpn1] quit

[PE1-bgp-default] quit

# Configure CE 1.

[CE1] interface pos 2/2/1

[CE1-Pos2/2/1] ip address 11.1.1.1 24

[CE1-Pos2/2/1] mpls enable

[CE1-Pos2/2/1] quit

[CE1] bgp 200

[CE1-bgp-default] peer 11.1.1.2 as-number 100

[CE1-bgp-default] address-family ipv4

[CE1-bgp-default-ipv4] peer 11.1.1.2 enable

[CE1-bgp-default-ipv4] quit

[CE1-bgp-default] quit

# Configure PE 2 and CE 2 in the same way that PE 1 and CE 1 are configured. (Details not shown.)

4. Connect sub-VPN CEs to the customer VPN PEs:

# Configure CE 3.

<CE3> system-view

[CE3] interface gigabitethernet 2/0/1

[CE3-GigabitEthernet2/0/1] ip address 100.1.1.1 24

[CE3-GigabitEthernet2/0/1] quit

[CE3] bgp 65410

[CE3-bgp-default] peer 100.1.1.2 as-number 200

[CE3-bgp-default] address-family ipv4 unicast

[CE3-bgp-default-ipv4] peer 100.1.1.2 enable

[CE3-bgp-default-ipv4] import-route direct

[CE3-bgp-default-ipv4] quit

[CE3-bgp-default] quit

# Configure CE 5.

<CE5> system-view

[CE5] interface gigabitethernet 2/0/1

[CE5-GigabitEthernet2/0/1] ip address 110.1.1.1 24

[CE5-GigabitEthernet2/0/1] quit

[CE5] bgp 65411

[CE5-bgp-default] peer 110.1.1.2 as-number 200

[CE5-bgp-default] address-family ipv4 unicast

[CE5-bgp-default-ipv4] peer 110.1.1.2 enable

[CE5-bgp-default-ipv4] import-route direct

[CE5-bgp-default-ipv4] quit

[CE5-bgp-default] quit

# Configure PE 3.

[PE3] ip vpn-instance SUB_VPN1

[PE3-vpn-instance-SUB_VPN1] route-distinguisher 100:1

[PE3-vpn-instance-SUB_VPN1] vpn-target 2:1

[PE3-vpn-instance-SUB_VPN1] quit

[PE3] interface gigabitethernet 2/0/1

[PE3-GigabitEthernet2/0/1] ip binding vpn-instance SUB_VPN1

[PE3-GigabitEthernet2/0/1] ip address 100.1.1.2 24

[PE3-GigabitEthernet2/0/1] quit

[PE3] ip vpn-instance SUB_VPN2

[PE3-vpn-instance-SUB_VPN2] route-distinguisher 101:1

[PE3-vpn-instance-SUB_VPN2] vpn-target 2:2

[PE3-vpn-instance-SUB_VPN2] quit

[PE3] interface gigabitethernet 2/0/2

[PE3-GigabitEthernet2/0/2] ip binding vpn-instance SUB_VPN2

[PE3-GigabitEthernet2/0/2] ip address 110.1.1.2 24

[PE3-GigabitEthernet2/0/2] quit

[PE3] bgp 200

[PE3-bgp-default] ip vpn-instance SUB_VPN1

[PE3-bgp-default-SUB_VPN1] peer 100.1.1.1 as-number 65410

[PE3-bgp-default-SUB_VPN1] address-family ipv4 unicast

[PE3-bgp-default-ipv4-SUB_VPN1] peer 100.1.1.1 enable

[PE3-bgp-default-ipv4-SUB_VPN1] quit

[PE3-bgp-default-SUB_VPN1] quit

[PE3-bgp-default] ip vpn-instance SUB_VPN2

[PE3-bgp-default-SUB_VPN2] peer 110.1.1.1 as-number 65411

[PE3-bgp-default-SUB_VPN2] address-family ipv4 unicast

[PE3-bgp-default-ipv4-SUB_VPN2] peer 110.1.1.1 enable

[PE3-bgp-default-ipv4-SUB_VPN2] quit

[PE3-bgp-default-SUB_VPN2] quit

[PE3-bgp-default] quit

# Configure PE 4, CE 4 and CE 6 in the same way that PE 3, CE 3, and CE 5 are configured. (Details not shown.)

5. Establish MP-EBGP peer relationship between service provider PEs and their CEs to exchange user VPNv4 routes:

# On PE 1, enable nested VPN, and enable VPNv4 route exchange with CE 1.

[PE1] bgp 100

[PE1-bgp-default] address-family vpnv4

[PE1-bgp-default-vpnv4] nesting-vpn

[PE1-bgp-default-vpnv4] quit

[PE1-bgp-default] ip vpn-instance vpn1

[PE1-bgp-default-vpn1] address-family vpnv4

[PE1-bgp-default-vpnv4-vpn1] peer 11.1.1.1 enable

[PE1-bgp-default-vpnv4-vpn1] quit

[PE1-bgp-default-vpn1] quit

[PE1-bgp-default] quit

# On CE 1, enable VPNv4 route exchange with PE 1.

[CE1] bgp 200

[CE1-bgp-default] address-family vpnv4

[CE1-bgp-default-vpnv4] peer 11.1.1.2 enable

# Allow the local AS number to appear in the AS-PATH attribute of the routes received.

[CE1-bgp-default-vpnv4] peer 11.1.1.2 allow-as-loop 2

# Disable route target based filtering of received VPNv4 routes.

[CE1-bgp-default-vpnv4] undo policy vpn-target

[CE1-bgp-default-vpnv4] quit

[CE1-bgp-default] quit

# Configure PE 2 and CE 2 in the same way that PE 1 and CE 1 are configured. (Details not shown.)

6. Establish MP-IBGP peer relationships between sub-VPN PEs and CEs of the customer VPN to exchange VPNv4 routes of sub-VPNs:

# Configure PE 3.

[PE3] bgp 200

[PE3-bgp-default] peer 2.2.2.9 as-number 200

[PE3-bgp-default] peer 2.2.2.9 connect-interface loopback 0

[PE3-bgp-default] address-family vpnv4

[PE3-bgp-default-vpnv4] peer 2.2.2.9 enable

# Allow the local AS number to appear in the AS-PATH attribute of the routes received.

[PE3-bgp-default-vpnv4] peer 2.2.2.9 allow-as-loop 2

[PE3-bgp-default-vpnv4] quit

[PE3-bgp-default] quit

# Configure CE 1.

[CE1] bgp 200

[CE1-bgp-default] peer 1.1.1.9 as-number 200

[CE1-bgp-default] peer 1.1.1.9 connect-interface loopback 0

[CE1-bgp-default] address-family vpnv4

[CE1-bgp-default-vpnv4] peer 1.1.1.9 enable

[CE1-bgp-default-vpnv4] undo policy vpn-target

[CE1-bgp-default-vpnv4] quit

[CE1-bgp-default] quit

# Configure PE 4 and CE 2 in the same way that PE 3 and CE 1 are configured. (Details not shown.)

Verifying the configuration

1. Display the public routing table and VPN routing table on the provider PEs, for example, on PE 1:

# Verify that the public routing table contains only routes on the service provider network.

[PE1] display ip routing-table

Destinations : 14 Routes : 14

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

3.3.3.9/32 Direct 0 0 127.0.0.1 InLoop0

4.4.4.9/32 IS_L1 15 10 30.1.1.2 POS2/2/1

30.1.1.0/24 Direct 0 0 30.1.1.1 POS2/2/1

30.1.1.0/32 Direct 0 0 30.1.1.1 POS2/2/1

30.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

30.1.1.255/32 Direct 0 0 30.1.1.1 POS2/2/1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that the VPN routing table contains sub-VPN routes.

[PE1] display ip routing-table vpn-instance vpn1

Destinations : 16 Routes : 16

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.0/24 Direct 0 0 11.1.1.2 POS2/2/0

11.1.1.0/32 Direct 0 0 11.1.1.2 POS2/2/0

11.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.255/32 Direct 0 0 11.1.1.2 POS2/2/0

100.1.1.0/24 BGP 255 0 11.1.1.1 POS2/2/0

110.1.1.0/24 BGP 255 0 11.1.1.1 POS2/2/0

120.1.1.0/24 BGP 255 0 4.4.4.9 POS2/2/1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

130.1.1.0/24 BGP 255 0 4.4.4.9 POS2/2/1

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

2. Display the VPNv4 routing table on the provider CEs, for example, on CE 1.

# Verify that the VPNv4 routing table on the customer VPN contains internal sub-VPN routes.

[CE1] display bgp routing-table vpnv4

BGP local router ID is 2.2.2.9

Status codes: * - valid, > - best, d - dampened, h - history,

s - suppressed, S - stale, i - internal, e - external

Origin: i - IGP, e - EGP, ? - incomplete

Total number of routes from all PEs: 4

Route distinguisher: 100:1

Total number of routes: 1

Network NextHop MED LocPrf PrefVal Path/Ogn

* >i 100.1.1.0/24 1.1.1.9 0 100 0 200 65410?

Route distinguisher: 101:1

Total number of routes: 1

Network NextHop MED LocPrf PrefVal Path/Ogn

* >i 110.1.1.0/24 1.1.1.9 0 100 0 200 65411?

Route distinguisher: 200:1

Total number of routes: 1

Network NextHop MED LocPrf PrefVal Path/Ogn

* >e 120.1.1.0/24 11.1.1.2 0 100 200

65420?

Route Distinguisher: 201:1

Total number of routes: 1

Network NextHop MED LocPrf PrefVal Path/Ogn

* >e 130.1.1.0/24 11.1.1.2 0 100 200

65421?

3. Display the VPN routing table on the customer PEs, for example, on PE 3:

# Verify that the VPN routing table contains routes sent by the provider PE to the sub-VPN.

[PE3] display ip routing-table vpn-instance SUB_VPN1

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.0/24 Direct 0 0 100.1.1.2 GE2/0/1

100.1.1.0/32 Direct 0 0 100.1.1.2 GE2/0/1

100.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.255/32 Direct 0 0 100.1.1.2 GE2/0/1

120.1.1.0/24 BGP 255 0 2.2.2.9 POS2/2/1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

4. Display the routing table on the CEs of sub-VPNs in the customer VPN, for example, on CE 3 and CE 5:

# Verify that the routing table contains the route to the remote sub-VPN on CE 3.

[CE3] display ip routing-table

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.0/24 Direct 0 0 100.1.1.1 GE2/0/1

100.1.1.0/32 Direct 0 0 100.1.1.1 GE2/0/1

100.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

100.1.1.255/24 Direct 0 0 100.1.1.1 GE2/0/1

120.1.1.0/24 BGP 255 0 100.1.1.2 GE2/0/1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that the routing table contains the route to the remote sub-VPN on CE 5.

[CE5] display ip routing-table

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

110.1.1.0/24 Direct 0 0 110.1.1.1 GE2/0/1

110.1.1.0/32 Direct 0 0 110.1.1.1 GE2/0/1

110.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

110.1.1.255/32 Direct 0 0 110.1.1.1 GE2/0/1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

130.1.1.0/24 BGP 255 0 110.1.1.2 GE2/0/1

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

5. Verify that CE 3 and CE 4 can ping each other. (Details not shown.)

6. Verify that CE 5 and CE 6 can ping each other. (Details not shown.)

7. Verify that CE 3 and CE 6 cannot ping each other. (Details not shown.)

Configuring multirole host

Network requirements

Configure the multirole host feature to allow Host A to access VPN 1 and VPN 2 and Host B to access only VPN 1.

Figure 81 Network diagram

Configuration procedure

1. Configure CE 1:

# Configure IP addresses for interfaces.

<CE1> system-view

[CE1] interface gigabitethernet 2/0/1

[CE1-GigabitEthernet2/0/1] ip address 100.1.1.1 24

[CE1-GigabitEthernet2/0/1] quit

[CE1] interface serial 2/1/0

[CE1-Serial2/1/0] ip address 1.1.1.2 24

[CE1-Serial2/1/0] quit

# Configure a default route to PE 1.

[CE1] ip route-static 0.0.0.0 0 1.1.1.1

2. Configure PE 1:

# Create VPN instances vpn1 and vpn2 for VPN 1 and VPN 2, respectively, and configure different RDs and route targets for the VPN instances.

<PE1> system-view

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 100:1 both

[PE1-vpn-instance-vpn1] quit

[PE1] ip vpn-instance vpn2

[PE1-vpn-instance-vpn2] route-distinguisher 100:2

[PE1-vpn-instance-vpn2] vpn-target 100:2 both

[PE1-vpn-instance-vpn2] quit

# Associate VPN instance vpn1 with Serial 2/1/1 (the interface connected to CE 1).

[PE1] interface serial 2/1/1

[PE1-Serial2/1/1] ip binding vpn-instance vpn1

[PE1-Serial2/1/1] ip address 1.1.1.1 255.255.255.0

[PE1-Serial2/1/1] quit

# Configure a static route for VPN 2 to reach Host A and redistribute the route to BGP. This configuration ensures that packets from VPN 2 to Host A can be forwarded through the correct route in the routing table of VPN instance vpn1.

[PE1] ip route-static vpn-instance vpn2 100.1.1.0 24 vpn-instance vpn1 1.1.1.2

[PE1] bgp 100

[PE1-bgp-default] ip vpn-instance vpn2

[PE1-bgp-default-vpn2] address-family ipv4

[PE1-bgp-default-ipv4-vpn2] import-route static

[PE1-bgp-default-ipv4-vpn2] quit

[PE1-bgp-default-vpn2] quit

[PE1-bgp-default] quit

# Configure PBR to route packets from Host A according to the routing tables of both VPN instances vpn1 and vpn2.

[PE1] acl advanced 3001

[PE1-acl-ipv4-adv-3001] rule 0 permit ip vpn-instance vpn1 source 100.1.1.2 0

[PE1-acl-ipv4-adv-3001] quit

[PE1] policy-based-route policy1 permit node 10

[PE1-policy-based-route] if-match acl 3001

[PE1-policy-based-route] apply access-vpn vpn-instance vpn1 vpn2

[PE1-policy-based-route] quit

# Apply policy policy1 to Serial 2/1/1.

[PE1] interface serial 2/1/1

[PE1-Serial2/1/1] ip policy-based-route policy1

3. Configure basic MPLS L3VPN. (Details not shown.)

Verifying the configuration

# Verify that Host A can ping Host C, and that Host B cannot ping Host C. (Details not shown.)

Configuring HoVPN

Network requirements

As shown in Figure 82, there are two levels of networks: the backbone and the MPLS VPN networks.

· SPEs act as PEs to allow MPLS VPNs to access the backbone.

· UPEs act as PEs of the MPLS VPNs to allow end users to access the VPNs.

· Performance requirements for the UPEs are lower than those for the SPEs.

· SPEs advertise routes permitted by routing policies to UPEs, permitting CE 1 and CE 3 in VPN 1 to communicate with each other and forbidding CE 2 and CE 4 in VPN 2 from communicating with each other.

Figure 82 Network diagram

Table 22 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	GE2/0/1	10.2.1.1/24	CE 3	GE2/0/1	10.1.1.1/24
CE 2	GE2/0/1	10.4.1.1/24	CE 4	GE2/0/1	10.3.1.1/24
UPE 1	Loop0	1.1.1.9/32	UPE 2	Loop0	4.4.4.9/32
	GE2/0/1	10.2.1.2/24		GE2/0/1	172.2.1.1/24
	GE2/0/2	10.4.1.2/24		GE2/0/2	10.1.1.2/24
	GE2/0/3	172.1.1.1/24		GE2/0/3	10.3.1.2/24
SPE 1	Loop0	2.2.2.9/32	SPE 2	Loop0	3.3.3.9/32
	GE2/0/1	172.1.1.2/24		GE2/0/1	180.1.1.2/24
	GE2/0/2	180.1.1.1/24		GE2/0/2	172.2.1.2/24

Configuration procedure

1. Configure UPE 1:

# Configure basic MPLS and MPLS LDP to establish LDP LSPs.

<UPE1> system-view

[UPE1] interface loopback 0

[UPE1-LoopBack0] ip address 1.1.1.9 32

[UPE1-LoopBack0] quit

[UPE1] mpls lsr-id 1.1.1.9

[UPE1] mpls ldp

[UPE1-ldp] quit

[UPE1] interface gigabitethernet 2/0/3

[UPE1-GigabitEthernet2/0/3] ip address 172.1.1.1 24

[UPE1-GigabitEthernet2/0/3] mpls enable

[UPE1-GigabitEthernet2/0/3] mpls ldp enable

[UPE1-GigabitEthernet2/0/3] quit

# Configure the IGP protocol (OSPF, in this example).

[UPE1] ospf

[UPE1-ospf-1] area 0

[UPE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[UPE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[UPE1-ospf-1-area-0.0.0.0] quit

[UPE1-ospf-1] quit

# Configure VPN instances vpn1 and vpn2, allowing CE 1 and CE 2 to access UPE 1.

[UPE1] ip vpn-instance vpn1

[UPE1-vpn-instance-vpn1] route-distinguisher 100:1

[UPE1-vpn-instance-vpn1] vpn-target 100:1 both

[UPE1-vpn-instance-vpn1] quit

[UPE1] ip vpn-instance vpn2

[UPE1-vpn-instance-vpn2] route-distinguisher 100:2

[UPE1-vpn-instance-vpn2] vpn-target 100:2 both

[UPE1-vpn-instance-vpn2] quit

[UPE1] interface gigabitethernet 2/0/1

[UPE1-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[UPE1-GigabitEthernet2/0/1] ip address 10.2.1.2 24

[UPE1-GigabitEthernet2/0/1] quit

[UPE1] interface gigabitethernet 2/0/2

[UPE1-GigabitEthernet2/0/2] ip binding vpn-instance vpn2

[UPE1-GigabitEthernet2/0/2] ip address 10.4.1.2 24

[UPE1-GigabitEthernet2/0/2] quit

# Establish an MP-IBGP peer relationship with SPE 1.

[UPE1] bgp 100

[UPE1-bgp-default] peer 2.2.2.9 as-number 100

[UPE1-bgp-default] peer 2.2.2.9 connect-interface loopback 0

[UPE1-bgp-default] address-family vpnv4

[UPE1-bgp-default-vpnv4] peer 2.2.2.9 enable

[UPE1-bgp-default-vpnv4] quit

# Establish an EBGP peer relationship with CE 1.

[UPE1-bgp-default] ip vpn-instance vpn1

[UPE1-bgp-default-vpn1] peer 10.2.1.1 as-number 65410

[UPE1-bgp-default-vpn1] address-family ipv4 unicast

[UPE1-bgp-default-ipv4-vpn1] peer 10.2.1.1 enable

[UPE1-bgp-default-ipv4-vpn1] quit

[UPE1-bgp-default-vpn1] quit

# Establish an EBGP peer relationship with CE 2.

[UPE1-bgp-default] ip vpn-instance vpn2

[UPE1-bgp-default-vpn2] peer 10.4.1.1 as-number 65420

[UPE1-bgp-default-vpn2] address-family ipv4 unicast

[UPE1-bgp-default-ipv4-vpn2] peer 10.4.1.1 enable

[UPE1-bgp-default-ipv4-vpn2] quit

[UPE1-bgp-default-vpn2] quit

[UPE1-bgp-default] quit

2. Configure CE 1.

<CE1> system-view

[CE1] interface gigabitethernet 2/0/1

[CE1-GigabitEthernet2/0/1] ip address 10.2.1.1 255.255.255.0

[CE1-GigabitEthernet2/0/1] quit

[CE1] bgp 65410

[CE1-bgp-default] peer 10.2.1.2 as-number 100

[CE1-bgp-default] address-family ipv4 unicast

[CE1-bgp-default-ipv4] peer 10.2.1.2 enable

[CE1-bgp-default-ipv4] import-route direct

[CE1-bgp-default-ipv4] quit

[CE1-bgp-default] quit

3. Configure CE 2.

<CE2> system-view

[CE2] interface gigabitethernet 2/0/1

[CE2-GigabitEthernet2/0/1] ip address 10.4.1.1 255.255.255.0

[CE2-GigabitEthernet2/0/1] quit

[CE2] bgp 65420

[CE2-bgp-default] peer 10.4.1.2 as-number 100

[CE2-bgp-default] address-family ipv4 unicast

[CE2-bgp-default-ipv4] peer 10.4.1.2 enable

[CE2-bgp-default-ipv4] import-route direct

[CE2-bgp-default-ipv4] quit

[CE2-bgp-default] quit

4. Configure UPE 2:

# Configure basic MPLS and MPLS LDP to establish LDP LSPs.

<UPE2> system-view

[UPE2] interface loopback 0

[UPE2-LoopBack0] ip address 4.4.4.9 32

[UPE2-LoopBack0] quit

[UPE2] mpls lsr-id 4.4.4.9

[UPE2] mpls ldp

[UPE2-ldp] quit

[UPE2] interface gigabitethernet 2/0/1

[UPE2-GigabitEthernet2/0/1] ip address 172.2.1.1 24

[UPE2-GigabitEthernet2/0/1] mpls enable

[UPE2-GigabitEthernet2/0/1] mpls ldp enable

[UPE2-GigabitEthernet2/0/1] quit

# Configure the IGP protocol (OSPF, in this example).

[UPE2] ospf

[UPE2-ospf-1] area 0

[UPE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[UPE2-ospf-1-area-0.0.0.0] network 4.4.4.9 0.0.0.0

[UPE2-ospf-1-area-0.0.0.0] quit

[UPE2-ospf-1] quit

# Configure VPN instances vpn1 and vpn2, allowing CE 3 and CE 4 to access UPE 2.

[UPE2] ip vpn-instance vpn1

[UPE2-vpn-instance-vpn1] route-distinguisher 300:1

[UPE2-vpn-instance-vpn1] vpn-target 100:1 both

[UPE2-vpn-instance-vpn1] quit

[UPE2] ip vpn-instance vpn2

[UPE2-vpn-instance-vpn2] route-distinguisher 400:2

[UPE2-vpn-instance-vpn2] vpn-target 100:2 both

[UPE2-vpn-instance-vpn2] quit

[UPE2] interface gigabitethernet 2/0/2

[UPE2-GigabitEthernet2/0/2] ip binding vpn-instance vpn1

[UPE2-GigabitEthernet2/0/2] ip address 10.1.1.2 24

[UPE2-GigabitEthernet2/0/2] quit

[UPE2] interface gigabitethernet 2/0/3

[UPE2-GigabitEthernet2/0/3] ip binding vpn-instance vpn2

[UPE2-GigabitEthernet2/0/3] ip address 10.3.1.2 24

[UPE2-GigabitEthernet2/0/3] quit

# Establish an MP-IBGP peer relationship with SPE 2.

[UPE2] bgp 100

[UPE2-bgp-default] peer 3.3.3.9 as-number 100

[UPE2-bgp-default] peer 3.3.3.9 connect-interface loopback 0

[UPE2-bgp-default] address-family vpnv4

[UPE2-bgp-default-vpnv4] peer 3.3.3.9 enable

[UPE2-bgp-default-vpnv4] quit

# Establish an EBGP peer relationship with CE 3.

[UPE2-bgp-default] ip vpn-instance vpn1

[UPE2-bgp-default-vpn1] peer 10.1.1.1 as-number 65430

[UPE2-bgp-default-vpn1] address-family ipv4 unicast

[UPE2-bgp-default-ipv4-vpn1] peer 10.1.1.1 enable

[UPE2-bgp-default-ipv4-vpn1] quit

[UPE2-bgp-default-vpn1] quit

# Establish an EBGP peer relationship with CE 4.

[UPE2-bgp-default] ip vpn-instance vpn2

[UPE2-bgp-default-vpn2] peer 10.3.1.1 as-number 65440

[UPE2-bgp-default-vpn2] address-family ipv4 unicast

[UPE2-bgp-default-ipv4-vpn2] peer 10.3.1.1 enable

[UPE2-bgp-default-ipv4-vpn2] quit

[UPE2-bgp-default-vpn2] quit

[UPE2-bgp-default] quit

5. Configure CE 3.

<CE3> system-view

[CE3] interface gigabitethernet 2/0/1

[CE3-GigabitEthernet2/0/1] ip address 10.1.1.1 255.255.255.0

[CE3-GigabitEthernet2/0/1] quit

[CE3] bgp 65430

[CE3-bgp-default] peer 10.1.1.2 as-number 100

[CE3-bgp-default] address-family ipv4 unicast

[CE3-bgp-default-ipv4] peer 10.1.1.2 enable

[CE3-bgp-default-ipv4] import-route direct

[CE3-bgp-default-ipv4] quit

[CE3-bgp-default] quit

6. Configure CE 4.

<CE4> system-view

[CE4] interface gigabitethernet 2/0/1

[CE4-GigabitEthernet2/0/1] ip address 10.3.1.1 255.255.255.0

[CE4-GigabitEthernet2/0/1] quit

[CE4] bgp 65440

[CE4-bgp-default] peer 10.3.1.2 as-number 100

[CE4-bgp-default] address-family ipv4 unicast

[CE4-bgp-default-ipv4] peer 10.3.1.2 enable

[CE4-bgp-default-ipv4] import-route direct

[CE4-bgp-default-ipv4] quit

[CE4-bgp-default] quit

7. Configure SPE 1:

# Configure basic MPLS and MPLS LDP to establish LDP LSPs.

<SPE1> system-view

[SPE1] interface loopback 0

[SPE1-LoopBack0] ip address 2.2.2.9 32

[SPE1-LoopBack0] quit

[SPE1] mpls lsr-id 2.2.2.9

[SPE1] mpls ldp

[SPE1-ldp] quit

[SPE1] interface gigabitethernet 2/0/1

[SPE1-GigabitEthernet2/0/1] ip address 172.1.1.2 24

[SPE1-GigabitEthernet2/0/1] mpls enable

[SPE1-GigabitEthernet2/0/1] mpls ldp enable

[SPE1-GigabitEthernet2/0/1] quit

[SPE1] interface gigabitethernet 2/0/2

[SPE1-GigabitEthernet2/0/2] ip address 180.1.1.1 24

[SPE1-GigabitEthernet2/0/2] mpls enable

[SPE1-GigabitEthernet2/0/2] mpls ldp enable

[SPE1-GigabitEthernet2/0/2] quit

# Configure the IGP protocol, OSPF, in this example.

[SPE1] ospf

[SPE1-ospf-1] area 0

[SPE1-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[SPE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[SPE1-ospf-1-area-0.0.0.0] network 180.1.1.0 0.0.0.255

[SPE1-ospf-1-area-0.0.0.0] quit

[SPE1-ospf-1] quit

# Configure VPN instances vpn1 and vpn2.

[SPE1] ip vpn-instance vpn1

[SPE1-vpn-instance-vpn1] route-distinguisher 500:1

[SPE1-vpn-instance-vpn1] vpn-target 100:1 both

[SPE1-vpn-instance-vpn1] quit

[SPE1] ip vpn-instance vpn2

[SPE1-vpn-instance-vpn2] route-distinguisher 700:1

[SPE1-vpn-instance-vpn2] vpn-target 100:2 both

[SPE1-vpn-instance-vpn2] quit

# Establish MP-IBGP peer relationships with SPE 2 and UPE 1, and specify UPE 1 as a UPE.

[SPE1] bgp 100

[SPE1-bgp-default] peer 1.1.1.9 as-number 100

[SPE1-bgp-default] peer 1.1.1.9 connect-interface loopback 0

[SPE1-bgp-default] peer 3.3.3.9 as-number 100

[SPE1-bgp-default] peer 3.3.3.9 connect-interface loopback 0

[SPE1-bgp-default] address-family vpnv4

[SPE1-bgp-default-vpnv4] peer 3.3.3.9 enable

[SPE1-bgp-default-vpnv4] peer 1.1.1.9 enable

[SPE1-bgp-default-vpnv4] peer 1.1.1.9 upe

[SPE1-bgp-default-vpnv4] peer 1.1.1.9 next-hop-local

[SPE1-bgp-default-vpnv4] quit

# Create BGP-VPN instances for VPN instances vpn1 and vpn2, so the VPNv4 routes learned according to the RT attributes can be added into the BGP routing tables of the corresponding VPN instances.

[SPE1-bgp-default] ip vpn-instance vpn1

[SPE1-bgp-default-vpn1] quit

[SPE1-bgp-default] ip vpn-instance vpn2

[SPE1-bgp-default-vpn2] quit

[SPE1-bgp-default] quit

# Advertise to UPE 1 the routes permitted by a routing policy (the routes of CE 3).

[SPE1] ip prefix-list hope index 10 permit 10.1.1.1 24

[SPE1] route-policy hope permit node 0

[SPE1-route-policy-hope-0] if-match ip address prefix-list hope

[SPE1-route-policy-hope-0] quit

[SPE1] bgp 100

[SPE1-bgp-default] address-family vpnv4

[SPE1-bgp-default-vpnv4] peer 1.1.1.9 upe route-policy hope export

8. Configure SPE 2:

# Configure basic MPLS and MPLS LDP to establish LDP LSPs.

<SPE2> system-view

[SPE2] interface loopback 0

[SPE2-LoopBack0] ip address 3.3.3.9 32

[SPE2-LoopBack0] quit

[SPE2] mpls lsr-id 3.3.3.9

[SPE2] mpls ldp

[SPE2-ldp] quit

[SPE2] interface gigabitethernet 2/0/1

[SPE2-GigabitEthernet2/0/1] ip address 180.1.1.2 24

[SPE2-GigabitEthernet2/0/1] mpls enable

[SPE2-GigabitEthernet2/0/1] mpls ldp enable

[SPE2-GigabitEthernet2/0/1] quit

[SPE2] interface gigabitethernet 2/0/2

[SPE2-GigabitEthernet2/0/2] ip address 172.2.1.2 24

[SPE2-GigabitEthernet2/0/2] mpls enable

[SPE2-GigabitEthernet2/0/2] mpls ldp enable

[SPE2-GigabitEthernet2/0/2] quit

# Configure the IGP protocol, OSPF, in this example.

[SPE2] ospf

[SPE2-ospf-1] area 0

[SPE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[SPE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[SPE2-ospf-1-area-0.0.0.0] network 180.1.1.0 0.0.0.255

[SPE2-ospf-1-area-0.0.0.0] quit

[SPE2-ospf-1] quit

# Configure VPN instances vpn1 and vpn2.

[SPE2] ip vpn-instance vpn1

[SPE2-vpn-instance-vpn1] route-distinguisher 600:1

[SPE2-vpn-instance-vpn1] vpn-target 100:1 both

[SPE2-vpn-instance-vpn1] quit

[SPE2] ip vpn-instance vpn2

[SPE2-vpn-instance-vpn2] route-distinguisher 800:1

[SPE2-vpn-instance-vpn2] vpn-target 100:2 both

[SPE2-vpn-instance-vpn2] quit

# Establish MP-IBGP peer relationships with SPE 1 and UPE 2, and specify UPE 2 as a UPE.

[SPE2] bgp 100

[SPE2-bgp-default] peer 4.4.4.9 as-number 100

[SPE2-bgp-default] peer 4.4.4.9 connect-interface loopback 0

[SPE2-bgp-default] peer 2.2.2.9 as-number 100

[SPE2-bgp-default] peer 2.2.2.9 connect-interface loopback 0

[SPE2-bgp-default] address-family vpnv4

[SPE2-bgp-default-vpnv4] peer 2.2.2.9 enable

[SPE2-bgp-default-vpnv4] peer 4.4.4.9 enable

[SPE2-bgp-default-vpnv4] peer 4.4.4.9 upe

[SPE2-bgp-default-vpnv4] peer 4.4.4.9 next-hop-local

[SPE2-bgp-default-vpnv4] quit

# Create BGP-VPN instances for VPN instances vpn1 and vpn2, so the VPNv4 routes learned according to the RT attributes can be added into the BGP routing tables of the corresponding VPN instances.

[SPE2-bgp-default] ip vpn-instance vpn1

[SPE2-bgp-default-vpn1] quit

[SPE2-bgp-default] ip vpn-instance vpn2

[SPE2-bgp-default-vpn2] quit

[SPE2-bgp-default] quit

# Advertise to UPE 2 the routes permitted by a routing policy (the routes of CE 1).

[SPE2] ip prefix-list hope index 10 permit 10.2.1.1 24

[SPE2] route-policy hope permit node 0

[SPE2-route-policy-hope-0] if-match ip address prefix-list hope

[SPE2-route-policy-hope-0] quit

[SPE2] bgp 100

[SPE2-bgp-default] address-family vpnv4

[SPE2-bgp-default-vpnv4] peer 4.4.4.9 upe route-policy hope export

Verifying the configuration

# Verify that CE 1 and CE3 can learn each other's interface routes and can ping each other. CE 2 and CE 4 cannot learn each other's interface routes and cannot ping each other. (Details not shown.)

Configuring an OSPF sham link

Network requirements

As shown in Figure 83, CE 1 and CE 2 belong to VPN 1. Configure an OSPF sham link between PE 1 and PE 2 so traffic between the CEs is forwarded through the MPLS backbone instead of the backdoor link.

Figure 83 Network diagram

Table 23 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	GE2/0/1	100.1.1.1/24	CE 2	GE2/0/1	120.1.1.1/24
	S2/1/1	20.1.1.1/24		S2/1/1	30.1.1.2/24
PE 1	Loop0	1.1.1.9/32	PE 2	Loop0	2.2.2.9/32
	Loop1	3.3.3.3/32		Loop1	5.5.5.5/32
	GE2/0/1	100.1.1.2/24		GE2/0/1	120.1.1.2/24
	S2/1/1	10.1.1.1/24		S2/1/0	10.1.1.2/24
Router A	S2/1/0	30.1.1.1/24
	S2/1/1	20.1.1.2/24

Configuration procedure

1. Configure OSPF on the customer networks:

# Configure conventional OSPF on CE 1, Router A, and CE 2 to advertise addresses of the interfaces (see Table 23). (Details not shown.)

# Set the cost value to 2 for both the link between CE 1 and Router A, and the link between CE 2 and Router A. (Details not shown.)

# Execute the display ip routing-table command to verify that CE 1 and CE 2 have learned the route to each other. (Details not shown.)

2. Configure MPLS L3VPN on the backbone:

# Configure basic MPLS and MPLS LDP on PE 1 to establish LDP LSPs.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 1.1.1.9 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] interface serial 2/1/1

[PE1-Serial2/1/1] ip address 10.1.1.1 24

[PE1-Serial2/1/1] mpls enable

[PE1-Serial2/1/1] mpls ldp enable

[PE1-Serial2/1/1] quit

# Configure PE 1 to take PE 2 as an MP-IBGP peer.

[PE1] bgp 100

[PE1-bgp-default] peer 2.2.2.9 as-number 100

[PE1-bgp-default] peer 2.2.2.9 connect-interface loopback 0

[PE1-bgp-default] address-family vpnv4

[PE1-bgp-default-vpnv4] peer 2.2.2.9 enable

[PE1-bgp-default-vpnv4] quit

[PE1-bgp-default] quit

# Configure OSPF on PE 1.

[PE1]ospf 1

[PE1-ospf-1]area 0

[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

# Configure basic MPLS and MPLS LDP on PE 2 to establish LDP LSPs.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 2.2.2.9 32

[PE2-LoopBack0] quit

[PE2] mpls lsr-id 2.2.2.9

[PE2] mpls ldp

[PE2-ldp] quit

[PE2] interface serial 2/1/1

[PE2-Serial2/1/1] ip address 10.1.1.2 24

[PE2-Serial2/1/1] mpls enable

[PE2-Serial2/1/1] mpls ldp enable

[PE2-Serial2/1/1] quit

# Configure PE 2 to take PE 1 as an MP-IBGP peer.

[PE2] bgp 100

[PE2-bgp-default] peer 1.1.1.9 as-number 100

[PE2-bgp-default] peer 1.1.1.9 connect-interface loopback 0

[PE2-bgp-default] address-family vpnv4

[PE2-bgp-default-vpnv4] peer 1.1.1.9 enable

[PE2-bgp-default-vpnv4] quit

[PE2-bgp-default] quit

# Configure OSPF on PE 2.

[PE2] ospf 1

[PE2-ospf-1] area 0

[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

3. Configure PEs to allow CE access:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 1:1

[PE1-vpn-instance-vpn1] quit

[PE1] interface gigabitethernet 2/0/1

[PE1-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[PE1-GigabitEthernet2/0/1] ip address 100.1.1.2 24

[PE1-GigabitEthernet2/0/1] quit

[PE1] ospf 100 vpn-instance vpn1

[PE1-ospf-100] domain-id 10

[PE1-ospf-100] area 1

[PE1-ospf-100-area-0.0.0.1] network 100.1.1.0 0.0.0.255

[PE1-ospf-100-area-0.0.0.1] quit

[PE1-ospf-100] quit

[PE1] bgp 100

[PE1-bgp-default] ip vpn-instance vpn1

[PE1-bgp-default-vpn1] address-family ipv4 unicast

[PE1-bgp-default-ipv4-vpn1] import-route ospf 100

[PE1-bgp-default-ipv4-vpn1] import-route direct

[PE1-bgp-default-ipv4-vpn1] quit

[PE1-bgp-default-vpn1] quit

[PE1-bgp-default] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 100:2

[PE2-vpn-instance-vpn1] vpn-target 1:1

[PE2-vpn-instance-vpn1] quit

[PE2] interface gigabitethernet 2/0/1

[PE2-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[PE2-GigabitEthernet2/0/1] ip address 120.1.1.2 24

[PE2-GigabitEthernet2/0/1] quit

[PE2] ospf 100 vpn-instance vpn1

[PE2-ospf-100] domain-id 10

[PE2-ospf-100] area 1

[PE2-ospf-100-area-0.0.0.1] network 120.1.1.0 0.0.0.255

[PE2-ospf-100-area-0.0.0.1] quit

[PE2-ospf-100] quit

[PE2] bgp 100

[PE2-bgp-default] ip vpn-instance vpn1

[PE2-bgp-default-vpn1] address-family ipv4 unicast

[PE2-bgp-default-ipv4-vpn1] import-route ospf 100

[PE2-bgp-default-ipv4-vpn1] import-route direct

[PE2-bgp-default-ipv4-vpn1] quit

[PE2-bgp-default-vpn1] quit

[PE2-bgp-default] quit

# Execute the display ip routing-table vpn-instance command on the PEs. Verify that the path to the peer CE is along the OSPF route across the customer networks, instead of the BGP route across the backbone. (Details not shown.)

4. Configure a sham link:

# Configure PE 1.

[PE1] interface loopback 1

[PE1-LoopBack1] ip binding vpn-instance vpn1

[PE1-LoopBack1] ip address 3.3.3.3 32

[PE1-LoopBack1] quit

[PE1] ospf 100

[PE1-ospf-100] area 1

[PE1-ospf-100-area-0.0.0.1] sham-link 3.3.3.3 5.5.5.5

[PE1-ospf-100-area-0.0.0.1] quit

[PE1-ospf-100] quit

# Configure PE 2.

[PE2] interface loopback 1

[PE2-LoopBack1] ip binding vpn-instance vpn1

[PE2-LoopBack1] ip address 5.5.5.5 32

[PE2-LoopBack1] quit

[PE2] ospf 100

[PE2-ospf-100] area 1

[PE2-ospf-100-area-0.0.0.1] sham-link 5.5.5.5 3.3.3.3

[PE2-ospf-100-area-0.0.0.1] quit

[PE2-ospf-100] quit

Verifying the configuration

# Execute the display ip routing-table vpn-instance command on the PEs to verify the following results (details not shown):

· The path to the peer CE is now along the BGP route across the backbone.

· A route to the sham link destination address exists.

# Execute the display ip routing-table command on the CEs. Verify that the next hop of the OSPF route to the peer CE is the interface connected to the PE (GigabitEthernet 2/0/1). This means that VPN traffic to the peer CE is forwarded over the backbone. (Details not shown.)

# Verify that a sham link has been established on PEs, for example, on PE 1.

[PE1] display ospf sham-link

OSPF Process 100 with Router ID 100.1.1.2

Sham link

Area Neighbor ID Source IP Destination IP State Cost

0.0.0.1 120.1.1.2 3.3.3.3 5.5.5.5 P-2-P 1

# Verify that the peer state is Full on PE 1.

[PE1] display ospf sham-link area 1

OSPF Process 100 with Router ID 100.1.1.2

Sham link: 3.3.3.3 --> 5.5.5.5

Neighbor ID: 120.1.1.2 State: Full

Area: 0.0.0.1

Cost: 1 State: P-2-P Type: Sham

Timers: Hello 10, Dead 40, Retransmit 5, Transmit Delay 1

Request list: 0 Retransmit list: 0

Configuring BGP AS number substitution

Network requirements

As shown in Figure 84, CE 1 and CE 2 belong to VPN 1 and are connected to PE 1 and PE 2, respectively. The two CEs have the same AS number, 600.

Configure BGP AS number substitution on the PEs to enable the CEs to communicate with each other.

Figure 84 Network diagram

Table 24 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	GE2/0/1	10.1.1.1/24	P	Loop0	2.2.2.9/32
	GE2/0/2	100.1.1.1/24		GE2/0/1	20.1.1.2/24
PE 1	Loop0	1.1.1.9/32		GE2/0/2	30.1.1.1/24
	GE2/0/1	10.1.1.2/24	PE 2	Loop0	3.3.3.9/32
	GE2/0/2	20.1.1.1/24		GE2/0/1	10.2.1.2/24
CE 2	GE2/0/1	10.2.1.1/24		GE2/0/2	30.1.1.2/24
	GE2/0/2	200.1.1.1/24

Configuration procedure

1. Configure basic MPLS L3VPN:

? Configure OSPF on the MPLS backbone to allow the PEs and P device to learn the routes of the loopback interfaces from each other.

? Configure basic MPLS and MPLS LDP on the MPLS backbone to establish LDP LSPs.

? Establish MP-IBGP peer relationship between the PEs to advertise VPN IPv4 routes.

? Configure the VPN instance of VPN 1 on PE 2 to allow CE 2 to access the network.

? Configure the VPN instance of VPN 1 on PE 1 to allow CE 1 to access the network.

? Configure BGP as the PE-CE routing protocol, and redistribute routes of CEs into PEs.

For more information about basic MPLS L3VPN configurations, see "Configuring basic MPLS L3VPN."

# Execute the display ip routing-table command on CE 2. The output shows that CE 2 has learned the route to network 10.1.1.0/24, where the interface used by CE 1 to access PE 1 resides. However, it has not learned the route to the VPN (100.1.1.0/24) behind CE 1.

<CE2> display ip routing-table

Destinations : 17 Routes : 17

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.0/24 BGP 255 0 10.2.1.2 GE2/0/1

10.2.1.0/24 Direct 0 0 10.2.1.1 GE2/0/1

10.2.1.0/32 Direct 0 0 10.2.1.1 GE2/0/1

10.2.1.1/32 Direct 0 0 127.0.0.1 InLoop0

10.2.1.255/32 Direct 0 0 10.2.1.1 GE2/0/1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

200.1.1.0/24 Direct 0 0 200.1.1.1 GE2/0/2

200.1.1.0/32 Direct 0 0 200.1.1.1 GE2/0/2

200.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

200.1.1.255/24 Direct 0 0 200.1.1.1 GE2/0/2

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Execute the display ip routing-table command on CE 1 to verify that CE 1 has not learned the route to the VPN behind CE 2. (Details not shown.)

# Execute the display ip routing-table vpn-instance command on the PEs. The output shows the route to the VPN behind the peer CE. This example uses PE 2.

<PE2> display ip routing-table vpn-instance vpn1

Destinations : 15 Routes : 15

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.0/24 BGP 255 0 1.1.1.9 GE2/0/2

10.2.1.0/24 Direct 0 0 10.2.1.2 GE2/0/1

10.2.1.0/32 Direct 0 0 10.2.1.2 GE2/0/1

10.2.1.2/32 Direct 0 0 127.0.0.1 InLoop0

10.2.1.255/32 Direct 0 0 10.2.1.2 GE2/0/1

100.1.1.0/24 BGP 255 0 1.1.1.9 GE2/0/2

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

200.1.1.0/24 BGP 255 0 10.2.1.1 GE2/0/1

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Enable BGP update packet debugging on PE 2. The output shows that PE 2 advertises the route to 100.1.1.0/24, and the AS_PATH is 100 600.

<PE2> terminal monitor

<PE2> terminal logging level 7

<PE2> debugging bgp update vpn-instance vpn1 10.2.1.1 ipv4

<PE2> refresh bgp all export ipv4 vpn-instance vpn1

*Jun 13 16:12:52:096 2012 PE2 BGP/7/DEBUG:

BGP.vpn1: Send UPDATE to peer 10.2.1.1 for following destinations:

Origin : Incomplete

AS Path : 100 600

Next Hop : 10.2.1.2

100.1.1.0/24,

# Execute the display bgp routing-table ipv4 peer received-routes command on CE 2 to verify that CE 2 has not received the route to 100.1.1.0/24.

<CE2> display bgp routing-table ipv4 peer 10.2.1.2 received-routes

Total number of routes: 2

BGP local router ID is 200.1.1.1

Status codes: * - valid, > - best, d - dampened, h - history,

s - suppressed, S - stale, i - internal, e - external

Origin: i - IGP, e - EGP, ? - incomplete

Network NextHop MED LocPrf PrefVal Path/Ogn

* >e 10.1.1.0/24 10.2.1.2 0 100?

* e 10.2.1.0/24 10.2.1.2 0 0 100?

2. Configure BGP AS number substitution on PE 2.

<PE2> system-view

[PE2] bgp 100

[PE2-bgp-default] ip vpn-instance vpn1

[PE2-bgp-default-vpn1] peer 10.2.1.1 substitute-as

[PE2-bgp-default-vpn1] address-family ipv4 unicast

[PE2-bgp-default-ipv4-vpn1] peer 10.2.1.1 enable

[PE2-bgp-default-ipv4-vpn1] quit

[PE2-bgp-default-vpn1] quit

[PE2-bgp-default] quit

Verifying the configuration

# The output shows that among the routes advertised by PE 2 to CE 2, the AS_PATH of 100.1.1.0/24 has changed from 100 600 to 100 100.

*Jun 13 16:15:59:456 2012 PE2 BGP/7/DEBUG:

BGP.vpn1: Send UPDATE to peer 10.2.1.1 for following destinations:

Origin : Incomplete

AS Path : 100 100

Next Hop : 10.2.1.2

100.1.1.0/24,

# Display again the routing information that CE 2 has received, and the routing table.

<CE2> display bgp routing-table ipv4 peer 10.2.1.2 received-routes

Total number of routes: 3

BGP local router ID is 200.1.1.1

Status codes: * - valid, > - best, d - dampened, h - history,

s - suppressed, S - stale, i - internal, e - external

Origin: i - IGP, e - EGP, ? - incomplete

Network NextHop MED LocPrf PrefVal Path/Ogn

* >e 10.1.1.0/24 10.2.1.2 0 100?

* e 10.2.1.0/24 10.2.1.2 0 0 100?

* >e 100.1.1.0/24 10.2.1.2 0 100 100?

<CE2> display ip routing-table

Destinations : 18 Routes : 18

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.0/24 BGP 255 0 10.2.1.2 GE2/0/1

10.2.1.0/24 Direct 0 0 10.2.1.1 GE2/0/1

10.2.1.0/32 Direct 0 0 10.2.1.1 GE2/0/1

10.2.1.1/32 Direct 0 0 127.0.0.1 InLoop0

10.2.1.255/32 Direct 0 0 10.2.1.1 GE2/0/1

100.1.1.0/24 BGP 255 0 10.2.1.2 GE2/0/1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

200.1.1.0/24 Direct 0 0 200.1.1.1 GE2/0/2

200.1.1.0/32 Direct 0 0 200.1.1.1 GE2/0/2

200.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

200.1.1.255/32 Direct 0 0 200.1.1.1 GE2/0/2

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# After you also configure BGP AS substitution on PE 1, verify that the GigabitEthernet interfaces of CE 1 and CE 2 can ping each other. (Details not shown.)

Configuring BGP AS number substitution and SoO attribute

Network requirements

CE 1, CE 2, and CE 3 belong to VPN 1, and are connected to PE1, PE 2, and PE 3, respectively.

CE 1 and CE 2 reside in the same site. CE1, CE2, and CE 3 all use AS number 600.

· To avoid route loss, configure BGP AS number substitution on PEs.

· To avoid routing loops, configure the same SoO attribute on PE 1 and PE 2 for CE 1 and CE 2.

Figure 85 Network diagram

Table 25 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Loop0	100.1.1.1/32	CE 3	Loop0	200.1.1.1 /32
	GE2/0/1	10.1.1.1/24		GE2/0/1	10.3.1.1/24
CE 2	GE2/0/1	10.2.1.1/24	PE 2	Loop0	2.2.2.9/32
PE 1	Loop0	1.1.1.9/32		GE2/0/1	10.2.1.2/24
	GE2/0/1	10.1.1.2/24		GE2/0/2	40.1.1.1/24
	GE2/0/2	20.1.1.1/24		GE2/0/3	20.1.1.2/24
	GE2/0/3	30.1.1.1/24	P	Loop0	3.3.3.9/32
PE 3	Loop0	4.4.4.9/32		GE2/0/1	30.1.1.2/24
	GE2/0/1	10.3.1.2/24		GE2/0/2	40.1.1.2/24
	GE2/0/2	50.1.1.2/24		GE2/0/3	50.1.1.1/24

Configuration procedure

1. Configure basic MPLS L3VPN:

? Configure OSPF on the MPLS backbone to allow the PEs and P device to learn the routes of the loopback interfaces from each other.

? Configure basic MPLS and MPLS LDP on the MPLS backbone to establish LDP LSPs.

? Establish MP-IBGP peer relationship between the PEs to advertise VPN IPv4 routes.

? Configure the VPN instance of VPN 1 on PE 1 to allow CE 1 to access the network.

? Configure the VPN instance of VPN 1 on PE 2 to allow CE 2 to access the network.

? Configure the VPN instance of VPN 1 on PE 3 to allow CE 3 to access the network.

? Configure BGP as the PE-CE routing protocol, and redistribute routes of CEs into PEs.

For more information about basic MPLS L3VPN configurations, see "Configuring basic MPLS L3VPN."

2. Configure BGP AS number substitution:

# Configure BGP AS number substitution on PE 1, PE 2, and PE 3. For more information about the configuration, see "Configuring BGP AS number substitution."

# Display routing information on CE 2. The output shows that CE 2 has learned the route for 100.1.1.1/32 from CE 1. A routing loop has occurred because CE 1 and CE 2 reside in the same site.

<CE2> display bgp routing-table ipv4 peer 10.2.1.2 received-routes

Total number of routes: 6

BGP local router ID is 1.1.1.9

Status codes: * - valid, > - best, d - dampened, h - history,

s - suppressed, S - stale, i - internal, e - external

Origin: i - IGP, e - EGP, ? - incomplete

Network NextHop MED LocPrf PrefVal Path/Ogn

* >e 10.1.1.0/24 10.2.1.2 0 100?

* 10.2.1.0/24 10.2.1.2 0 0 100?

* 10.2.1.1/32 10.2.1.2 0 0 100?

* >e 10.3.1.0/24 10.2.1.2 0 100?

* >e 100.1.1.1/32 10.2.1.2 0 100 100?

* >e 200.1.1.1/32 10.2.1.2 0 100 100?

3. Configure BGP SoO attribute:

# On PE 1, configure the SoO attribute as 1:100 for CE 1.

<PE1> system-view

[PE1] bgp 100

[PE1-bgp-default] ip vpn-instance vpn1

[PE1-bgp-default-vpn1] address-family ipv4

[PE1-bgp-default-ipv4-vpn1] peer 10.1.1.1 soo 1:100

# On PE 2, configure the SoO attribute as 1:100 for CE 2.

<PE2> system-view

[PE2] bgp 100

[PE2-bgp-default] ip vpn-instance vpn1

[PE2-bgp-default-vpn1] address-family ipv4

[PE2-bgp-default-ipv4-vpn1] peer 10.2.1.1 soo 1:100

Verifying the configuration

# PE 2 does not advertise routes received from CE 1 to CE 2 because the same SoO attribute has been configured for the CEs. Display the routing table of CE 2. The output shows that the route 100.1.1.1/32 has been removed.

<CE2> display ip routing-table

Destinations : 14 Routes : 14

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.2.1.0/24 Direct 0 0 10.2.1.1 GE2/0/1

10.2.1.0/32 Direct 0 0 10.2.1.1 GE2/0/1

10.2.1.1/32 Direct 0 0 127.0.0.1 Inloop0

10.2.1.255/32 Direct 0 0 10.2.1.1 GE2/0/1

10.3.1.0/24 BGP 255 0 10.2.1.2 GE2/0/1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

200.1.1.1/32 BGP 255 0 10.2.1.2 GE2/0/1

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

Configuring MPLS L3VPN FRR through VPNv4 route backup for a VPNv4 route

Network requirements

CE 1 and CE 2 belong to VPN 1.

Configure EBGP between CEs and PEs to exchange VPN routes.

Configure OSPF to ensure connectivity between PEs, and configure MP-IBGP to exchange VPNv4 routing information between PEs.

Configure MPLS L3VPN FRR on PE 1 to achieve the following purposes:

· When the link PE 1—PE 2 operates correctly, traffic from CE 1 to CE 2 goes through the path CE 1—PE 1—PE 2—CE 2.

· When BFD detects that the LSP between PE 1 and PE 2 fails, traffic from CE 1 to CE 2 goes through the path CE 1—PE 1—PE 3—CE 2.

Figure 86 Network diagram

Table 26 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Loop0	5.5.5.5/32	PE 1	Loop0	1.1.1.1/32
	GE2/0/1	10.2.1.1/24		GE2/0/1	10.2.1.2/24
PE 2	Loop0	2.2.2.2/32		GE2/0/2	172.1.1.1/24
	GE2/0/1	172.1.1.2/24		GE2/0/3	172.2.1.1/24
	GE2/0/2	10.1.1.2/24	CE 2	Loop0	4.4.4.4/32
PE 3	Loop0	3.3.3.3/32		GE2/0/1	10.1.1.1/24
	GE2/0/1	172.2.1.3/24		GE2/0/2	10.3.1.1/24
	GE2/0/2	10.3.1.2/24

Configuration procedure

1. Configure IP addresses and masks for interfaces as shown in Table 26, and configure BGP and MPLS L3VPN. (Details not shown.)

For more information about configuring basic MPLS L3VPN, see "Configuring basic MPLS L3VPN."

2. Configure MPLS L3VPN FRR on PE 1:

# Configure BFD to test the connectivity of the LSP to 2.2.2.2/32.

<PE1> system-view

[PE1] mpls bfd enable

[PE1] mpls bfd 2.2.2.2 32

# Create routing policy frr, and specify the backup next hop as 3.3.3.3 for the route to 4.4.4.4/32.

[PE1] ip prefix-list abc index 10 permit 4.4.4.4 32

[PE1] route-policy frr permit node 10

[PE1-route-policy] if-match ip address prefix-list abc

[PE1-route-policy] apply fast-reroute backup-nexthop 3.3.3.3

[PE1-route-policy] quit

# Configure FRR for VPN instance vpn1 to use routing policy frr.

[PE1] bgp 100

[PE1-bgp-default] ip vpn-instance vpn1

[PE1-bgp-default-vpn1] address-family ipv4 unicast

[PE1-bgp-default-ipv4-vpn1] fast-reroute route-policy frr

[PE1-bgp-default-ipv4-vpn1] quit

[PE1-bgp-default-vpn1] quit

# Specify the preferred value as 100 for routes received from PE 2. This value is greater than the preferred value (0) for routes from PE 3, so PE 1 prefers the routes from PE 2.

[PE1-bgp-default] address-family vpnv4

[PE1-bgp-default-vpnv4] peer 2.2.2.2 preferred-value 100

[PE1-bgp-default-vpnv4] quit

[PE1-bgp-default] quit

3. Enable MPLS BFD on PE 2.

<PE2> system-view

[PE2] mpls bfd enable

Verifying the configuration

# Display detailed information about the route to 4.4.4.4/32 on PE 1. The output shows the backup next hop for the route.

[PE1] display ip routing-table vpn-instance vpn1 4.4.4.4 32 verbose

Summary Count : 1

Destination: 4.4.4.4/32

Protocol: BGP

Process ID: 0

SubProtID: 0x1 Age: 00h00m03s

Cost: 0 Preference: 255

IpPre: N/A QosLocalID: N/A

Tag: 0 State: Active Adv

OrigTblID: 0x0 OrigVrf: default-vrf

TableID: 0x102 OrigAs: 300

NibID: 0x15000002 LastAs: 300

AttrID: 0x2 Neighbor: 2.2.2.2

Flags: 0x110060 OrigNextHop: 2.2.2.2

Label: 1146 RealNextHop: 172.1.1.2

BkLabel: 1275 BkNextHop: 172.2.1.3

Tunnel ID: Invalid Interface: GE2/0/2

BkTunnel ID: Invalid BkInterface: GE2/0/3

FtnIndex: 0x0 TrafficIndex: N/A

Connector: N/A

Configuring MPLS L3VPN FRR through VPNv4 route backup for an IPv4 route

Network requirements

CE 1 and CE 2 belong to VPN 1.

Configure EBGP between CEs and PEs to exchange VPN routes.

Configure OSPF to ensure connectivity between PEs, and configure MP-IBGP to exchange VPNv4 routing information between PEs.

Configure MPLS L3VPN FRR on PE 2 to achieve the following purposes:

· When the link PE 2—CE 2 operates correctly, traffic from CE 1 to CE 2 goes through the path CE 1—PE 1—PE 2—CE 2.

· When BFD detects that the link between PE 2 and CE 2 fails, traffic from CE 1 to CE 2 goes through the path CE 1—PE 1—PE 2—PE 3—CE 2.

Figure 87 Network diagram

Table 27 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Loop0	5.5.5.5/32	PE 2	Loop0	2.2.2.2/32
	GE2/0/1	10.2.1.1/24		GE2/0/1	172.1.1.2/24
PE 1	Loop0	1.1.1.1/32		GE2/0/2	10.1.1.2/24
	GE2/0/1	10.2.1.2/24		GE2/0/3	172.3.1.2/24
	GE2/0/2	172.1.1.1/24	PE 3	Loop0	3.3.3.3/32
	GE2/0/3	172.2.1.1/24		GE2/0/1	172.2.1.3/24
CE 2	Loop0	4.4.4.4/32		GE2/0/2	10.3.1.2/24
	GE2/0/1	10.1.1.1/24		GE2/0/3	172.3.1.3/24
	GE2/0/2	10.3.1.1/24

Configuration procedure

1. Configure IP addresses and masks for interfaces as shown in Table 27, and configure BGP and MPLS L3VPN. (Details not shown.)

For more information about configuring basic MPLS L3VPN, see "Configuring basic MPLS L3VPN."

2. Configure MPLS L3VPN FRR on PE 2:

# Configure the source IP address of BFD echo packets as 12.1.1.1.

<PE2> system-view

[PE2] bfd echo-source-ip 12.1.1.1

# Create routing policy frr, and specify the backup next hop as 3.3.3.3 for the route to 4.4.4.4/32.

[PE2] ip prefix-list abc index 10 permit 4.4.4.4 32

[PE2] route-policy frr permit node 10

[PE2-route-policy] if-match ip address prefix-list abc

[PE2-route-policy] apply fast-reroute backup-nexthop 3.3.3.3

[PE2-route-policy] quit

# Use echo-mode BFD to detect the primary route connectivity.

[PE2] bgp 100

[PE2-bgp-default] primary-path-detect bfd echo

# Configure FRR for VPN instance vpn1 to use routing policy frr.

[PE2-bgp-default] ip vpn-instance vpn1

[PE2-bgp-default-vpn1] address-family ipv4 unicast

[PE2-bgp-default-ipv4-vpn1] fast-reroute route-policy frr

# Specify the preferred value as 200 for BGP routes received from CE 2. This value is greater than the preferred value (0) for routes from PE 3, so PE 2 prefers the routes from CE 2.

[PE2-bgp-default-ipv4-vpn1] peer 10.1.1.1 preferred-value 200

[PE2-bgp-default-vpn1] quit

[PE2-bgp-default] quit

Verifying the configuration

# Display detailed information about the route to 4.4.4.4/32 on PE 2. The output shows the backup next hop for the route.

[PE2] display ip routing-table vpn-instance vpn1 4.4.4.4 32 verbose

Summary Count : 1

Destination: 4.4.4.4/32

Protocol: BGP

Process ID: 0

SubProtID: 0x2 Age: 01h54m24s

Cost: 0 Preference: 10

IpPre: N/A QosLocalID: N/A

Tag: 0 State: Active Adv

OrigTblID: 0x0 OrigVrf: vpn1

TableID: 0x102 OrigAs: 300

NibID: 0x15000002 LastAs: 300

AttrID: 0x0 Neighbor: 10.1.1.1

Flags: 0x10060 OrigNextHop: 10.1.1.1

Label: NULL RealNextHop: 10.1.1.1

BkLabel: 1275 BkNextHop: 172.3.1.3

Tunnel ID: Invalid Interface: GE2/0/2

BkTunnel ID: 0x409 BkInterface: GE2/0/3

FtnIndex: 0x0 TrafficIndex: N/A

Connector: N/A

Configuring MPLS L3VPN FRR through IPv4 route backup for a VPNv4 route

Network requirements

CE 1 and CE 2 belong to VPN 1.

Configure EBGP between CEs and PEs to exchange VPN routes.

Configure OSPF to ensure connectivity between PEs, and configure MP-IBGP to exchange VPNv4 routing information between PEs.

Configure MPLS L3VPN FRR on PE 2 to achieve the following purposes:

· When the link PE 2—PE 3 operates correctly, traffic from CE 1 to CE 2 goes through the path CE 1—PE 1—PE 2—PE 3—CE 2.

· When BFD detects that the link between PE 2 and PE 3 fails, traffic from CE 1 to CE 2 goes through the path CE 1—PE 1—PE 2—CE 2.

Figure 88 Network diagram

Table 28 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Loop0	5.5.5.5/32	PE 2	Loop0	2.2.2.2/32
	GE2/0/1	10.2.1.1/24		GE2/0/1	172.1.1.2/24
PE 1	Loop0	1.1.1.1/32		GE2/0/2	10.1.1.2/24
	GE2/0/1	10.2.1.2/24		GE2/0/3	172.3.1.2/24
	GE2/0/2	172.1.1.1/24	PE 3	Loop0	3.3.3.3/32
	GE2/0/3	172.2.1.1/24		GE2/0/1	172.2.1.3/24
CE 2	Loop0	4.4.4.4/32		GE2/0/2	10.3.1.2/24
	GE2/0/1	10.1.1.1/24		GE2/0/3	172.3.1.3/24
	GE2/0/2	10.3.1.1/24

Configuration procedure

1. Configure IP addresses and masks for interfaces as shown in Table 28, and configure BGP and MPLS L3VPN. (Details not shown.)

For more information about configuring basic MPLS L3VPN, see "Configuring basic MPLS L3VPN."

2. Configure MPLS L3VPN FRR on PE 2:

# Configure BFD to test the connectivity of the LSP to 3.3.3.3/32.

<PE2> system-view

[PE2] mpls bfd enable

[PE2] mpls bfd 3.3.3.3 32

# Create routing policy frr, and specify the backup next hop as 10.1.1.1 for the route to 4.4.4.4/32.

[PE2] ip prefix-list abc index 10 permit 4.4.4.4 32

[PE2] route-policy frr permit node 10

[PE2-route-policy] if-match ip address prefix-list abc

[PE2-route-policy] apply fast-reroute backup-nexthop 10.1.1.1

[PE2-route-policy] quit

# Configure FRR for VPN instance vpn1 to use routing policy frr.

[PE2] bgp 100

[PE2-bgp-default] ip vpn-instance vpn1

[PE2-bgp-default-vpn1] address-family ipv4 unicast

[PE2-bgp-default-ipv4-vpn1] fast-reroute route-policy frr

[PE2-bgp-default-ipv4-vpn1] quit

[PE2-bgp-default-vpn1] quit

# Specify the preferred value as 200 for BGP VPNv4 routes received from PE 3. This value is greater than the preferred value (0) for IPv4 unicast routes from CE 2, so PE 2 prefers the routes from PE 3.

[PE2-bgp-default] address-family vpnv4

[PE2-bgp-default-vpnv4] peer 3.3.3.3 preferred-value 200

[PE2-bgp-default-vpnv4] quit

[PE2-bgp-default] quit

3. Enable MPLS BFD on PE 3.

<PE3> system-view

[PE3] mpls bfd enable

Verifying the configuration

# Display detailed information about the route to 4.4.4.4/32 on PE 2. The output shows the backup next hop for the route.

[PE2] display ip routing-table vpn-instance vpn1 4.4.4.4 32 verbose

Summary Count : 1

Destination: 4.4.4.4/32

Protocol: BGP

Process ID: 0

SubProtID: 0x1 Age: 00h00m04s

Cost: 0 Preference: 255

IpPre: N/A QosLocalID: N/A

Tag: 0 State: Active Adv

OrigTblID: 0x0 OrigVrf: default-vrf

TableID: 0x102 OrigAs: 300

NibID: 0x15000004 LastAs: 300

AttrID: 0x1 Neighbor: 3.3.3.3

Flags: 0x110060 OrigNextHop: 3.3.3.3

Label: 1275 RealNextHop: 172.3.1.3

BkLabel: NULL BkNextHop: 10.1.1.1

Tunnel ID: 0x409 Interface: GE2/0/3

BkTunnel ID: Invalid BkInterface: GE2/0/2

FtnIndex: 0x0 TrafficIndex: N/A

Connector: N/A

Configuring IPv6 MPLS L3VPN

Overview

IPv6 MPLS L3VPN uses BGP to advertise IPv6 VPN routes and uses MPLS to forward IPv6 VPN packets on the service provider backbone.

Figure 89 shows a typical IPv6 MPLS L3VPN model. The service provider backbone in the IPv6 MPLS L3VPN model is an IPv4 network. IPv6 runs inside the VPNs and between CE and PE. Therefore, PEs must support both IPv4 and IPv6. The PE-CE interfaces of a PE run IPv6, and the PE-P interface of a PE runs IPv4.

Figure 89 Network diagram for the IPv6 MPLS L3VPN model

IPv6 MPLS L3VPN packet forwarding

Figure 90 IPv6 MPLS L3VPN packet forwarding diagram

As shown in Figure 90, the IPv6 MPLS L3VPN packet forwarding procedure is as follows:

1. The PC at Site 1 sends an IPv6 packet destined for 2001:2::1, the PC at Site 2. CE 1 transmits the packet to PE 1.

2. Based on the inbound interface and destination address of the packet, PE 1 finds a matching entry from the routing table of the VPN instance, labels the packet with both a private network label (inner label) and a public network label (outer label), and forwards the packet out.

3. The MPLS backbone transmits the packet to PE 2 by outer label. The outer label is removed from the packet at the penultimate hop.

4. According to the inner label and destination address of the packet, PE 2 searches the routing table of the VPN instance to determine the outbound interface, and then forwards the packet out of the interface to CE 2.

5. CE 2 forwards the packet to the destination by IPv6 forwarding.

IPv6 MPLS L3VPN routing information advertisement

The routing information for a local CE is advertised to the remote CE by using the following process:

1. From the local CE to the ingress PE.

The local CE advertises standard IPv6 routing information to the ingress PE over an IPv6 static route, RIPng route, OSPFv3 route, IPv6 IS-IS route, IBGP route, or EBGP route.

2. From the ingress PE to the egress PE.

After receiving the standard IPv6 routes from the CE, the ingress PE performs the following operations:

a. Adds RDs and route targets to create VPN-IPv6 routes.

b. Saves the routes to the routing table of the VPN instance created for the CE.

c. Assigns VPN labels for the routes.

d. Advertises the VPN-IPv6 routes to the egress PE through MP-BGP.

The egress PE performs the following operations:

e. Compares the export target attributes of the VPN-IPv6 routes with the import target attributes that it maintains for the VPN instance.

f. Adds the routes to the routing table of the VPN instance if the export and import target attributes are the same.

The PEs use an IGP to ensure the connectivity between them.

3. From the egress PE to the remote peer CE.

The egress PE restores the original IPv6 routes and advertises them to the remote CE over an IPv6 static route, RIPng route, OSPFv3 route, IPv6 IS-IS route, EBGP, or IBGP route.

IPv6 MPLS L3VPN network schemes and features

IPv6 MPLS L3VPN supports the following network schemes and features:

· Basic VPN.

· Inter-AS VPN option A.

· Inter-AS VPN option C.

· Carrier's carrier.

· Multirole host.

· OSPFv3 VPN extension. (OSPFv3 Type 3, Type 5, and Type 7 LSAs support the DN bit. By default, OSPFv3 VPN extension uses the DN bit to avoid routing loops.)

· BGP AS number substitution and SoO.

Protocols and standards

· RFC 4659, BGP-MPLS IP Virtual Private Network (VPN) Extension for IPv6 VPN

· RFC 6565, OSPFv3 as a Provider Edge to Customer Edge (PE-CE) Routing Protocol

Feature and hardware compatibility

Hardware	IPv6 MPLS L3VPN compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS	No
MSR2600-6-X1/2600-10-X1	Yes
MSR 2630	Yes
MSR3600-28/3600-51	Yes
MSR3600-28-SI/3600-51-SI	No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC	Yes
MSR 3610/3620/3620-DP/3640/3660	Yes
MSR5620/5660/5680	Yes

Hardware	IPv6 MPLS L3VPN compatibility
MSR810-LM-GL	No
MSR810-W-LM-GL	No
MSR830-6EI-GL	No
MSR830-10EI-GL	No
MSR830-6HI-GL	No
MSR830-10HI-GL	No
MSR2600-6-X1-GL	Yes
MSR3600-28-SI-GL	No

IPv6 MPLS L3VPN configuration task list

Tasks at a glance
(Required.) Configuring basic IPv6 MPLS L3VPN
(Optional.) Configuring inter-AS IPv6 VPN
(Optional.) Configuring multirole host
(Optional.) Configuring an OSPFv3 sham link
(Optional.) Configuring BGP AS number substitution and SoO attribute

Configuring basic IPv6 MPLS L3VPN

The key task in IPv6 MPLS L3VPN configuration is to manage the advertisement of IPv6 VPN routes on the MPLS backbone, including management of PE-CE route exchange and PE-PE route exchange.

To configure basic IPv6 MPLS L3VPN:

Tasks at a glance
Configuring VPN instances: 1. (Required.) Creating a VPN instance 2. (Required.) Associating a VPN instance with an interface 3. (Optional.) Configuring route related attributes for a VPN instance


(Required.) Configuring routing between a PE and a CE
(Required.) Configuring routing between PEs
(Optional.) Configuring BGP VPNv6 route control

Configuration prerequisites

Before configuring basic IPv6 MPLS L3VPN, perform the following tasks:

1. Configure an IGP on the PEs and P devices to ensure IP connectivity within the MPLS backbone.

2. Configure basic MPLS for the MPLS backbone.

3. Configure MPLS LDP on PEs and P devices to establish LDP LSPs.

Configuring VPN instances

By configuring VPN instances on a PE, you isolate not only VPN routes from public network routes, but also routes between VPNs. This feature allows VPN instances to be used in MPLS L3VPNs and other network scenarios as well.

All VPN instance configurations are performed on PEs or MCEs.

Creating a VPN instance

A VPN instance is a collection of the VPN membership and routing rules of its associated site. A VPN instance might correspond to more than one VPN.

To create and configure a VPN instance:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a VPN instance and enter VPN instance view.	ip vpn-instance vpn-instance-name	By default, no VPN instances exist.
3. Configure an RD for the VPN instance.	route-distinguisher route-distinguisher	By default, no RD is configured for a VPN instance.
4. (Optional.) Configure a description for the VPN instance.	description text	By default, no description is configured for a VPN instance. The description should contain the VPN instance's related information, such as its relationship with a certain VPN.
5. (Optional.) Set an ID for the VPN instance.	vpn-id vpn-id	By default, no ID is configured for a VPN instance.
6. (Optional.) Configure an SNMP context for the VPN instance.	snmp context-name context-name	By default, no SNMP context is configured.

Associating a VPN instance with an interface

After creating and configuring a VPN instance, associate the VPN instance with the interface connected to the CE.

To associate a VPN instance with an interface:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Associate a VPN instance with the interface.	ip binding vpn-instance vpn-instance-name	By default, an interface is not associated with a VPN instance and belongs to the public network. The ip binding vpn-instance command clears the IP address of the interface. Therefore, reconfigure an IP address for the interface after configuring this command.

Configuring route related attributes for a VPN instance

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter VPN instance view or IPv6 VPN view.	· Enter VPN instance view: ip vpn-instance vpn-instance-name · Enter IPv6 VPN view: a. ip vpn-instance vpn-instance-name b. address-family ipv6	Configurations made in VPN instance view apply to both IPv4 VPN and IPv6 VPN. IPv6 VPN prefers the configurations in IPv6 VPN view over the configurations in VPN instance view.
3. Configure route targets.	vpn-target vpn-target&<1-8> [ both \| export-extcommunity \| import-extcommunity ]	By default, no route targets are configured.
4. Set the maximum number of active routes.	routing-table limit number { warn-threshold \| simply-alert }	For the default setting of this command, see MPLS Command Reference. Setting the maximum number of active routes for a VPN instance can prevent the PE from storing too many routes.
5. Apply an import routing policy.	import route-policy route-policy	By default, all routes matching the import target attribute are accepted. Make sure the routing policy already exists. Otherwise, the device does not filter received routes. For information about routing policies, see Layer 3—IP Routing Configuration Guide.
6. Apply an export routing policy.	export route-policy route-policy	By default, routes to be advertised are not filtered. Make sure the routing policy already exists. Otherwise, the device does not filter routes to be advertised. For information about routing policies, see Layer 3—IP Routing Configuration Guide.
7. Apply a tunnel policy to the VPN instance.	tnl-policy tunnel-policy-name	By default, only one tunnel is selected (no load balancing) in this order: LSP tunnel, GRE tunnel, and CR-LSP tunnel. The specified tunnel policy must have been created. For information about tunnel policies, see "Configuring tunnel policies."

Configuring routing between a PE and a CE

You can configure IPv6 static routing, RIPng, OSPFv3, IPv6 IS-IS, EBGP, or IBGP between a PE and a CE.

Configuring IPv6 static routing between a PE and a CE

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure an IPv6 static route for a VPN instance.

ipv6 route-static vpn-instance s-vpn-instance-name ipv6-address prefix-length { interface-type interface-number [ next-hop-address ] | nexthop-address [ public ] | vpn-instance d-vpn-instance-name nexthop-address } [ permanent ] [ preference preference ] [ tag tag-value ] [ description text ]

By default, no IPv6 static route is configured for a VPN instance.

Perform this configuration on the PE. On the CE, configure a common IPv6 static route.

For more information about IPv6 static routing, see Layer 3—IP Routing Configuration Guide.

Configuring RIPng between a PE and a CE

A RIPng process belongs to the public network or a single VPN instance. If you create a RIPng process without binding it to a VPN instance, the process belongs to the public network.

For more information about RIPng, see Layer 3—IP Routing Configuration Guide.

To configure RIPng between a PE and a CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a RIPng process for a VPN instance and enter RIPng view.	ripng [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the PE. On the CE, create a common RIPng process.
3. Return to system view.	quit	N/A
4. Enter interface view.	interface interface-type interface-number	N/A
5. Enable RIPng on the interface.	ripng process-id enable	By default, RIPng is disabled on an interface.

Configuring OSPFv3 between a PE and a CE

An OSPFv3 process belongs to the public network or a single VPN instance. If you create an OSPF process without binding it to a VPN instance, the process belongs to the public network.

For more information about OSPFv3, see Layer 3—IP Routing Configuration Guide.

To configure OSPFv3 between a PE and a CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an OSPFv3 process for a VPN instance and enter OSPFv3 view.	ospfv3 [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the PE. Deleting a VPN instance also deletes all related OSPFv3 processes.
3. Set the router ID.	router-id router-id	N/A
4. Redistribute BGP routes.	import-route bgp4+ [ as-number ] [ allow-ibgp ] [ cost cost-value \| nssa-only \| route-policy route-policy-name \| tag tag \| type type ] *	By default, OSPFv3 does not redistribute routes from other routing protocols. If the vpn-instance-capability simple command is not configured for the OSPFv3 process, the allow-ibgp keyword is optional to redistribute VPNv6 routes learned from MP-IBGP peers. In any other cases, if you do not specify the allow-ibgp keyword, the OSPFv3 process does not redistribute VPNv6 routes learned from MP-IBGP peers.
5. (Optional.) Set an OSPFv3 domain ID.	domain-id { domain-id [ secondary ] \| null }	The default domain ID is 0. Perform this configuration on the PE. When you redistribute OSPFv3 routes into BGP, BGP adds the primary domain ID to the redistributed BGP VPNv6 routes as a BGP extended community attribute. You can configure the same domain ID for different OSPFv3 processes. You must configure the same domain ID for all OSPFv3 processes of the same VPN to ensure correct route advertisement.
6. (Optional.) Configure the type code of an OSPFv3 extended community attribute.	ext-community-type { domain-id type-code1 \| route-type type-code2 \| router-id type-code3 }	By default, the type codes for domain ID, route type, and router ID are hexadecimal numbers 0005, 0306, and 0107, respectively. Perform this configuration on the PE.
7. (Optional.) Configure an external route tag for redistributed VPN routes.	route-tag tag-value	By default, if BGP runs within an MPLS backbone, and the BGP AS number is not greater than 65535, the first two octets of the external route tag are 0xD000. The last two octets are the local BGP AS number. If the AS number is greater than 65535, the external route tag is 0. Perform this configuration on the PE.
8. (Optional.) Disable setting the DN bit in OSPFv3 LSAs.	disable-dn-bit-set	By default, when a PE redistributes BGP routes into OSPFv3 and creates OSPFv3 LSAs, it sets the DN bit for the LSAs. Before using this command, make sure it does not cause any routing loops. Perform this configuration on the PE.
9. (Optional.) Ignore the DN bit in OSPFv3 LSAs.	disable-dn-bit-check	By default, the PE checks the DN bit in OSPFv3 LSAs. Before using this command, make sure it does not cause any routing loops. Perform this configuration on the PE.
10. (Optional.) Enable the external route check feature for OSPFv3 LSAs.	route-tag-check enable	By default, the PE does not check the external route tag but checks the DN bit in OSPFv3 LSAs to avoid routing loops. This command is only for backward compatibility with the old protocol (RFC 4577). If the device supports the DN bit, use the DN bit to avoid routing loops. Perform this configuration on the PE.
11. Return to system view.	quit	N/A
12. Enter interface view.	interface interface-type interface-number	N/A
13. Enable OSPFv3 on the interface.	ospfv3 process-id area area-id [ instance instance-id ]	By default, OSPFv3 is disabled on an interface. Perform this configuration on the PE.

Configuring IPv6 IS-IS between a PE and a CE

An IPv6 IS-IS process belongs to the public network or a single VPN instance. If you create an IPv6 IS-IS process without binding it to a VPN instance, the process belongs to the public network.

For more information about IPv6 IS-IS, see Layer 3—IP Routing Configuration Guide.

To configure IPv6 IS-IS between a PE and a CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an IPv6 IS-IS process for a VPN instance and enter IS-IS view.	isis [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the PE. On the CE, create a common IPv6 IS-IS process.
3. Configure a network entity title for the IS-IS process.	network-entity net	By default, no NET is configured.
4. Create the IS-IS IPv6 unicast address family and enter its view.	address-family ipv6 [ unicast ]	By default, the IS-IS IPv6 unicast address family is not created.
5. Return to system view.	quit	N/A
6. Enter interface view.	interface interface-type interface-number	N/A
7. Enable IPv6 for the IS-IS process on the interface.	isis ipv6 enable [ process-id ]	By default, IPv6 is disabled for the IS-IS process on the interface.

Configuring EBGP between a PE and a CE

1. Configure the PE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Configure the CE as the VPN EBGP peer.	peer { group-name \| ipv6-address [ prefix-length ] } as-number as-number	By default, no BGP peers exist.
5. Create the BGP-VPN IPv6 unicast address family and enter its view.	address-family ipv6 [ unicast ]	By default, the BGP-VPN IPv6 unicast address family is not created. Configuration commands in BGP-VPN IPv6 unicast address family view are the same as those in BGP IPv6 unicast address family view. For more information, see Layer 3—IP Routing Configuration Guide.
6. Enable IPv6 unicast route exchange with the specified peer or peer group.	peer { group-name \| ip-address [ prefix-length ] } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
7. Redistribute the routes of the local CE.	import-route protocol [ { process-id \| all-processes } [ allow-direct \| med med-value \| route-policy route-policy-name ] * ]	A PE must redistribute the routes of the local CE into its VPN routing table so that it can advertise them to the peer PE.

2. Configure the CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
3. Configure the PE as an EBGP peer.	peer { group-name \| ipv6-address [ prefix-length ] } as-number as-number	By default, no BGP peers exist.
4. Create the BGP IPv6 unicast address family and enter its view.	address-family ipv6 [ unicast ]	By default, the BGP IPv6 unicast address family is not created.
5. Enable IPv6 unicast route exchange with the specified peer or peer group.	peer { group-name \| ip-address [ prefix-length ] } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
6. (Optional.) Configure route redistribution.	import-route protocol [ { process-id \| all-processes } [ allow-direct \| med med-value \| route-policy route-policy-name ] * ]	A CE must advertise its VPN routes to the connected PE so that the PE can advertise them to the peer CE.

Configuring IBGP between a PE and a CE

Use IBGP between PE and CE only in a basic IPv6 MPLS L3VPN network. In networks such as inter-AS VPN and carrier's carrier, you cannot configure IBGP between PE and CE.

1. Configure the PE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	Configuration commands in BGP-VPN instance view are the same as those in BGP instance view. For more information, see Layer 3—IP Routing Configuration Guide.
4. Configure the CE as the VPN IBGP peer.	peer { group-name \| ipv6-address [ prefix-length ] } as-number as-number	By default, no BGP peers exist.
5. Create the BGP-VPN IPv6 unicast family and enter its view.	address-family ipv6 [ unicast ]	By default, the BGP-VPN IPv6 unicast family is not created.
6. Enable IPv6 unicast route exchange with the specified peer.	peer { group-name \| ipv6-address [ prefix-length ] } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.

2. Configure the CE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
3. Configure the PE as an IBGP peer.	peer { group-name \| ipv6-address [ prefix-length ] } as-number as-number	By default, no BGP peers exist.
4. Create the BGP IPv6 unicast family and enter its view.	address-family ipv6 [ unicast ]	By default, the BGP IPv6 unicast family is not created.
5. Enable IPv6 unicast route exchange with the specified peer or peer group.	peer { group-name \| ipv6-address [ prefix-length ] } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
6. (Optional.) Configure route redistribution.	import-route protocol [ { process-id \| all-processes } [ allow-direct \|med med-value \| route-policy route-policy-name ] * ]	A CE must redistribute its routes to the PE so the PE can advertise them to the peer CE.

Configuring routing between PEs

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
3. Configure the remote PE as the peer.	peer { group-name \| ipv4-address [ mask-length ] } as-number as-number	By default, no BGP peers exist.
4. Specify the source interface for route update packets sent to the specified peer.	peer { group-name \| ipv4-address [ mask-length ] } connect-interface interface-type interface-number	By default, BGP uses the outbound interface of the best route to the BGP peer as the source interface.
5. Create the BGP VPNv6 address family and enter its view.	address-family vpnv6	By default, the BGP VPNv6 address family is not created.
6. Enable BGP VPNv6 route exchange with the specified peer.	peer { group-name \| ipv4-address [ mask-length ] } enable	By default, BGP does not exchange BGP VPNv6 routes with any peer.

Configuring BGP VPNv6 route control

BGP VPNv6 route control is configured similarly with BGP route control, except that it is configured in BGP VPNv6 address family view. For more information about BGP route control, see Layer 3—IP Routing Configuration Guide.

To configure BGP VPNv6 route control:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
3. Enter BGP VPNv6 address family view.	address-family vpnv6	N/A
4. Configure filtering of advertised routes.	filter-policy { ipv6-acl-number \| prefix-list ipv6-prefix-name } export [ protocol process-id ]	By default, BGP does not filter advertised routes.
5. Configure filtering of received routes.	filter-policy { ipv6-acl-number \| prefix-list ipv6-prefix-name } import	By default, BGP does not filter received routes.
6. Advertise the COMMUNITY attribute to a peer or peer group.	peer { group-name \| ipv4-address [ mask-length ] } advertise-community	By default, BGP does not advertise the COMMUNITY attribute to any peers or peer groups.
7. Configure ACL-based route filtering for the specified peer or peer group.	peer { group-name \| ipv4-address [ mask-length ] } filter-policy ipv6-acl-number { export \| import }	By default, no ACL-based route filtering is configured.
8. Configure BGP to not change the next hop of routes sent to a peer or peer group.	peer { group-name \| ipv4-address [ mask-length ] } next-hop-invariable	By default, the router sets itself as the next hop for routes sent to a peer or peer group. In an inter-AS option C network where an RR is used to advertise VPNv6 routes, configure this command on the RR so the RR does not change the next hop of routes sent to peers and clients.
9. Configure IPv6 prefix list-based route filtering for the specified peer or peer group.	peer { group-name \| ipv4-address [ mask-length ] } prefix-list ipv6-prefix-name { export \| import }	By default, no IPv6 prefix list-based route filtering is configured.
10. Specify a preferred value for routes received from the peer or peer group.	peer { group-name \| ipv4-address [ mask-length ] } preferred-value value	The default preferred value is 0.
11. Configure BGP updates sent to the peer to carry only public AS numbers.	peer { group-name \| ipv4-address [ mask-length ] } public-as-only	By default, a BGP update carries both public and private AS numbers.
12. Apply a routing policy to routes advertised to or received from the peer or peer group.	peer { group-name \| ipv4-address [ mask-length ] } route-policy route-policy-name { export \| import }	By default, no routing policy is applied for a peer.
13. Enable route target filtering for received BGP VPNv6 routes.	policy vpn-target	By default, route target filtering is enabled for received VPNv6 routes. Only VPNv6 routes whose export route target attribute matches local import route target attribute are added to the routing table.
14. Configure the local PE as the RR and specify the peer as the client.	peer { group-name \| ipv4-address [ mask-length ] } reflect-client	By default, no RR or client is configured.
15. Set the maximum number of routes BGP can receive from a peer or peer group.	peer { group-name \| ipv4-address [ mask-length ] } route-limit prefix-number [ { alert-only \| discard \| reconnect reconnect-time } \| percentage-value ] *	By default, the number of routes that BGP can receive from a peer or peer group is not limited.
16. Enable route reflection between clients.	reflect between-clients	By default, route reflection between clients is enabled.
17. Configure a cluster ID for the RR.	reflector cluster-id { cluster-id \| ip-address }	By default, an RR uses its own router ID as the cluster ID. If more than one RR exists in a cluster, use this command to configure the same cluster ID for all RRs in the cluster to avoid routing loops.
18. Configure filtering of reflected routes.	rr-filter ext-comm-list-number	By default, an RR does not filter reflected routes. Only IBGP routes whose extended community attribute matches the specified community list are reflected. By configuring different filtering policies on RRs, you can implement load balancing among the RRs.
19. Configure the SoO attribute for a BGP peer for peer group.	peer { group-name \| ipv4-address [ mask-length ] } soo site-of-origin	By default, the SoO attribute is not configured.

Configuring inter-AS IPv6 VPN

If the MPLS backbone spans multiple ASs, you must configure inter-AS IPv6 VPN.

There are three inter-AS VPN solutions (for more information, see "Configuring MPLS L3VPN"). IPv6 MPLS L3VPN supports only inter-AS VPN option A and option C.

Before configuring inter-AS IPv6 VPN, perform the following tasks:

· Configure an IGP for the MPLS backbone in each AS to ensure IP connectivity.

· Configure basic MPLS for the MPLS backbone of each AS.

· Configure MPLS LDP for the MPLS backbones so that LDP LSPs can be established.

The following sections describe inter-AS IPv6 VPN option A and option C. Select one according to your network scenario.

Configuring inter-AS IPv6 VPN option A

Inter-AS IPv6 VPN option A applies to scenarios where the number of VPNs and that of VPN routes on the PEs are relatively small.

To configure inter-AS IPv6 option A, perform the following tasks:

· Configure basic IPv6 MPLS L3VPN on each AS.

· Configure VPN instances on both PEs and ASBRs. The VPN instances on PEs allow CEs to access the network, and those on ASBRs are for access of the peer ASBRs.

For more configuration information, see "Configuring MPLS L3VPN."

In the inter-AS IPv6 VPN option A solution, for the same IPv6 VPN, the route targets configured on the PEs must match those configured on the ASBRs in the same AS. This makes sure VPN routes sent by the PEs (or ASBRs) can be received by the ASBRs (or PEs). Route targets configured on the PEs in different ASs do not have such requirements.

Configuring inter-AS IPv6 VPN option C

To configure inter-AS IPv6 VPN option C, perform proper configurations on PEs and ASBRs, and configure routing policies on the ASBRs.

Configuring the PEs

Establish an IBGP peer relationship between a PE and an ASBR in an AS, and an MP-EBGP peer relationship between PEs in different ASs.

The PEs and ASBRs in an AS must be able to exchange labeled routes.

To configure a PE for inter-AS IPv6 VPN option C:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
3. Configure the ASBR in the same AS as an IBGP peer.	peer { group-name \| ipv4-address [ mask-length ] } as-number as-number	By default, no BGP peers exist.
4. Configure the PE in another AS as an EBGP peer.	peer { group-name \| ipv4-address [ mask-length ] } as-number as-number	By default, no BGP peers exist.
5. Enter BGP IPv4 unicast address family view.	address-family ipv4 [ unicast ]	N/A
6. Enable BGP to exchange BGP IPv4 unicast routes with the ASBR in the same AS.	peer { group-name \| ipv4-address [ mask-length ] } enable	By default, the PE does not exchange BGP IPv4 unicast routes with any peer.
7. Enable BGP to exchange labeled routes with the ASBR in the same AS.	peer { group-name \| ipv4-address [ mask-length ] } label-route-capability	By default, the PE does not advertise labeled routes to any IPv4 peer or peer group.
8. Return to BGP instance view.	quit	N/A
9. Enter BGP VPNv6 address family view.	address-family vpnv6	N/A
10. Enable BGP to exchange BGP VPNv6 routing information with the EBGP peer.	peer ipv4-address [ mask-length ] enable	By default, the PE does not exchange labeled routes with any IPv4 peer or peer group.

Configuring the ASBRs

In the inter-AS IPv6 VPN option C solution, an inter-AS LSP is needed, and the routes advertised between the PEs and ASBRs must carry MPLS label information. The configuration is the same as that in the Inter-AS IPv4 VPN option C solution. For more information, see "Configuring MPLS L3VPN."

Configuring the routing policy

A routing policy on an ASBR performs the following operations:

· Assigns MPLS labels to routes received from the PEs in the same AS before advertising them to the peer ASBR.

· Assigns new MPLS labels to the labeled routes to be advertised to the PEs in the same AS.

The configuration is the same as that in the Inter-AS IPv4 VPN option C solution. For more information, see "Configuring MPLS L3VPN."

Configuring multirole host

To configure the multirole host feature for IPv6 networks, perform the following tasks on the PE connected to the CE in the site where the multirole host resides:

· Configure and apply IPv6 PBR.

· Configure IPv6 static routes.

Configuring and applying IPv6 PBR

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an IPv6 policy node and enter IPv6 policy node view.	ipv6 policy-based-route policy-name { deny \| permit } node node-number	By default, no IPv6 policy nodes exist.
3. Configure match criteria for the node.	See Layer 3—IP Routing Configuration Guide.	By default, no match criterion is configured. All packets match the criteria for the node. This step matches packets from the multirole host.
4. Specify the VPN instances for forwarding the matching packets.	apply access-vpn vpn-instance vpn-instance-name&<1-n>	By default, no VPN instance is specified. You must specify multiple VPN instances for the node. The first one is the VPN instance to which the multirole host belongs, and others are the VPN instances to be accessed by the multirole host. A matching packet is forwarded according to the routing table of the first VPN instance that has a matching route for that packet.
5. Return to system view.	quit	N/A
6. Enter the view of the interface connected to the CE.	interface interface-type interface-number	N/A
7. Apply the policy to the interface.	ipv6 policy-based-route policy-name	By default, no policy is applied to the interface.

Configuring an IPv6 static route

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure an IPv6 static route for a VPN instance to reach the multirole host.

ipv6 route-static vpn-instance s-vpn-instance-name ipv6-address prefix-length vpn-instance d-vpn-instance-name nexthop-address [ permanent ] [ preference preference ] [ tag tag-value ] [ description text ]

By default, no IPv6 static routes are configured.

The d-vpn-instance-name argument represents the VPN instance to which the multirole host belongs. The next-hop-address argument represents the IPv6 address of the CE in the site where the multirole host resides.

Configuring an OSPFv3 sham link

Before you configure an OSPFv3 sham link, configure basic IPv6 MPLS L3VPN (OSPFv3 is used between PE and CE).

Configuring a loopback interface

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a loopback interface and enter loopback interface view.	interface loopback interface-number	By default, no loopback interfaces exist.
3. Associate the loopback interface with a VPN instance.	ip binding vpn-instance vpn-instance-name	By default, the interface is associated with no VPN instance.
4. Configure an IPv6 address for the loopback interface.	For configuration details, see Layer 3—IP Services Configuration Guide.	By default, no IPv6 address is configured for the loopback interface.

Redistributing the loopback interface address

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Enter BGP-VPN IPv6 unicast address family view.	address-family ipv6 [ unicast ]	N/A
5. Redistribute direct routes into BGP (including the loopback interface address).	import-route direct	By default, no direct routes are redistributed into BGP.

Creating a sham link

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter OSPFv3 view.	ospfv3 [ process-id \| vpn-instance vpn-instance-name ] *	N/A
3. Enter OSPFv3 area view.	area area-id	N/A
4. Configure an OSPFv3 sham link.	sham-link source-ipv6-address destination-ipv6-address [ cost cost-value \| dead dead-interval \| hello hello-interval \| instance instance-id \| ipsec-profile profile-name \| retransmit retrans-interval \| trans-delay delay ] *	By default, no sham links exist.

Configuring BGP AS number substitution and SoO attribute

When CEs at different sites have the same AS number, configure the BGP AS number substitution feature to avoid route loss.

For more information about the BGP AS number substitution feature and the SoO attribute, see "BGP AS number substitution and SoO attribute."

To configure BGP AS number substitution and SoO attribute:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Enable the BGP AS number substitution feature.	peer { group-name \| ipv6-address [ prefix-length ] } substitute-as	By default, BGP AS number substitution is disabled.
5. Enter BGP-VPN IPv6 unicast address family view.	address-family ipv6 [ unicast ]	N/A
6. (Optional.) Configure the SoO attribute for a BGP peer or peer group.	peer { group-name \| ipv6-address [ prefix-length ] } soo site-of-origin	By default, the SoO attribute is not configured.

For more information about the commands in this section, see Layer 3—IP Routing Command Reference.

Displaying and maintaining IPv6 MPLS L3VPN

Execute the following commands in user view to soft reset or reset BGP connections:

Task	Command
Manually soft reset BGP sessions for VPNv6 address family.	refresh bgp [ instance instance-name ] { ipv4-address [ mask-length ] \| all \| external \| group group-name \| internal } { export \| import } vpnv6
Reset BGP sessions for VPNv6 address family.	reset bgp [ instance instance-name ] { as-number \| ipv4-address [ mask-length ] \| all \| external \| internal \| group group-name } vpnv6

For more information about the refresh bgp vpnv6 and reset bgp vpnv6 commands, see Layer 3—IP Routing Command Reference.

Execute the following commands in any view to display IPv6 MPLS L3VPN:

Task	Command
Display the IPv6 routing table for a VPN instance.	display ipv6 routing-table vpn-instance vpn-instance-name [ verbose ]
Display information about a specified VPN instance or all VPN instances.	display ip vpn-instance [ instance-name vpn-instance-name ]
Display IPv6 FIB information for a VPN instance.	display ipv6 fib vpn-instance vpn-instance-name [ ipv6-address [ prefix-length ] ]
Display BGP VPNv6 peer group information.	display bgp [ instance instance-name ] group vpnv6 [ group-name group-name ]
Display BGP VPNv6 peer information.	display bgp [ instance instance-name ] peer vpnv6 [ ipv4-address mask-length \| { ipv4-address \| group-name group-name } log-info \| [ ipv4-address ] verbose ]
Display BGP VPNv6 routes.	display bgp [ instance instance-name ] routing-table vpnv6 [ [ route-distinguisher route-distinguisher ] [ ipv6-address prefix-length [ advertise-info ] \| as-path-acl as-path-acl-number \| community-list { { basic-community-list-number \| comm-list-name } [ whole-match ] \| adv-community-list-number } ] \| peer ipv4-address { advertised-routes \| received-routes } [ ipv6-address prefix-length \| statistics ] \| statistics ]
Display incoming labels for all BGP VPNv6 routes.	display bgp [ instance instance-name ] routing-table vpnv6 inlabel
Display outgoing labels for all BGP VPNv6 routes.	display bgp [ instance instance-name ] routing-table vpnv6 outlabel
Display BGP VPNv6 address family update group information.	display bgp [ instance instance-name ] update-group vpnv6 [ ipv4-address ]
Display OSPFv3 sham link information.	display ospfv3 [ process-id ] [ area area-id ] sham-link [ verbose ]

For more information about the display ipv6 routing-table, display bgp group vpnv6, display bgp peer vpnv6, and display bgp update-group vpnv6 commands, see Layer 3—IP Routing Command Reference.

IPv6 MPLS L3VPN configuration examples

Configuring IPv6 MPLS L3VPNs

Network requirements

CE 1 and CE 3 belong to VPN 1. CE 2 and CE 4 belong to VPN 2.

VPN 1 uses route target attributes 111:1. VPN 2 uses route target attributes 222:2. Users of different VPNs cannot access each other.

Run EBGP between CEs and PEs to exchange VPN routing information.

PEs use OSPF to communicate with each other and use MP-IBGP to exchange VPN routing information.

Figure 91 Network diagram

Table 29 Interface and IP address assignment

Device	Interface			IP address	Device		Interface	IP address
CE 1		GE2/0/1	2001:1::1/96			P	Loop0	2.2.2.9/32
PE 1		Loop0	1.1.1.9/32				POS2/2/0	172.1.1.2/24
		GE2/0/1	2001:1::2/96				POS2/2/1	172.2.1.1/24
		GE2/0/2	2001:2::2/96			PE 2	Loop0	3.3.3.9/32
		POS2/2/0	172.1.1.1/24				GE2/0/1	2001:3::2/96
CE 2		GE2/0/1	2001:2::1/96				GE2/0/2	2001:4::2/96
CE 3		GE2/0/1	2001:3::1/96				POS2/2/0	172.2.1.2/24
CE 4		GE2/0/1	2001:4::1/96

Configuration procedure

1. Configure OSPF on the MPLS backbone to ensure IP connectivity among the PEs and the P router:

# Configure PE 1.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 1.1.1.9 32

[PE1-LoopBack0] quit

[PE1] interface pos 2/2/0

[PE1-Pos2/2/0] ip address 172.1.1.1 24

[PE1-Pos2/2/0] quit

[PE1] ospf

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

# Configure the P router.

system-view

[P] interface loopback 0

[P-LoopBack0] ip address 2.2.2.9 32

[P-LoopBack0] quit

[P] interface pos 2/2/0

[P-Pos2/2/0] ip address 172.1.1.2 24

[P-Pos2/2/0] quit

[P] interface pos 2/2/1

[P-Pos2/2/1] ip address 172.2.1.1 24

[P-Pos2/2/1] quit

[P] ospf

[P-ospf-1] area 0

[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[P-ospf-1-area-0.0.0.0] quit

[P-ospf-1] quit

# Configure PE 2.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 3.3.3.9 32

[PE2-LoopBack0] quit

[PE2] interface pos 2/2/0

[PE2-Pos2/2/0] ip address 172.2.1.2 24

[PE2-Pos2/2/0] quit

[PE2] ospf

[PE2-ospf-1] area 0

[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

2. Configure basic MPLS and enable MPLS LDP on the MPLS backbone to establish LDP LSPs:

# Configure PE 1.

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] interface pos 2/2/0

[PE1-Pos2/2/0] mpls enable

[PE1-Pos2/2/0] mpls ldp enable

[PE1-Pos2/2/0] quit

# Configure the P router.

[P] mpls lsr-id 2.2.2.9

[P] mpls ldp

[P-ldp] quit

[P] interface pos 2/2/0

[P-Pos2/2/0] mpls enable

[P-Pos2/2/0] mpls ldp enable

[P-Pos2/2/0] quit

[P] interface pos 2/2/1

[P-Pos2/2/1] mpls enable

[P-Pos2/2/1] mpls ldp enable

[P-Pos2/2/1] quit

# Configure PE 2.

[PE2] mpls lsr-id 3.3.3.9

[PE2] mpls ldp

[PE2-ldp] quit

[PE2] interface pos 2/2/0

[PE2-Pos2/2/0] mpls enable

[PE2-Pos2/2/0] mpls ldp enable

[PE2-Pos2/2/0] quit

3. Configure IPv6 VPN instances on the PEs to allow CE access:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 111:1

[PE1-vpn-instance-vpn1] quit

[PE1] ip vpn-instance vpn2

[PE1-vpn-instance-vpn2] route-distinguisher 100:2

[PE1-vpn-instance-vpn2] vpn-target 222:2

[PE1-vpn-instance-vpn2] quit

[PE1] interface gigabitethernet 2/0/1

[PE1-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[PE1-GigabitEthernet2/0/1] ipv6 address 2001:1::2 96

[PE1-GigabitEthernet2/0/1] quit

[PE1] interface gigabitethernet 2/0/2

[PE1-GigabitEthernet2/0/2] ip binding vpn-instance vpn2

[PE1-GigabitEthernet2/0/2] ipv6 address 2001:2::2 96

[PE1-GigabitEthernet2/0/2] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 200:1

[PE2-vpn-instance-vpn1] vpn-target 111:1

[PE2-vpn-instance-vpn1] quit

[PE2] ip vpn-instance vpn2

[PE2-vpn-instance-vpn2] route-distinguisher 200:2

[PE2-vpn-instance-vpn2] vpn-target 222:2

[PE2-vpn-instance-vpn2] quit

[PE2] interface gigabitethernet 2/0/1

[PE2-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[PE2-GigabitEthernet2/0/1] ipv6 address 2001:3::2 96

[PE2-GigabitEthernet2/0/1] quit

[PE2] interface gigabitethernet 2/0/2

[PE2-GigabitEthernet2/0/2] ip binding vpn-instance vpn2

[PE2-GigabitEthernet2/0/2] ipv6 address 2001:4::2 96

[PE2-GigabitEthernet2/0/2] quit

# Configure IP addresses for the CEs according to Table 29. (Details not shown.)

# Execute the display ip vpn-instance command on the PEs to display information about the VPN instances, for example, on PE 1.

[PE1] display ip vpn-instance

Total VPN-Instances configured : 2

VPN-Instance Name RD Create time

vpn1 100:1 2012/02/13 12:49:08

vpn2 100:2 2012/02/13 12:49:20

# Use the ping command on the PEs to verify that the PEs can ping their attached CEs, for example, on PE 1.

[PE1] ping ipv6 -vpn-instance vpn1 2001:1::1

Ping6(56 bytes) 2001:1::2 --> 2001:1::1, press CTRL_C to break

56 bytes from 2001:1::1, icmp_seq=0 hlim=64 time=9.000 ms

56 bytes from 2001:1::1, icmp_seq=1 hlim=64 time=1.000 ms

56 bytes from 2001:1::1, icmp_seq=2 hlim=64 time=0.000 ms

56 bytes from 2001:1::1, icmp_seq=3 hlim=64 time=0.000 ms

56 bytes from 2001:1::1, icmp_seq=4 hlim=64 time=0.000 ms

--- Ping6 statistics for 2001:1::1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/2.000/9.000/3.521 ms

4. Establish EBGP peer relationships between the PEs and CEs to allow them to exchange VPN routes:

# Configure CE 1.

<CE1> system-view

[CE1] bgp 65410

[CE1-bgp-default] peer 2001:1::2 as-number 100

[CE1-bgp-default] address-family ipv6 unicast

[CE1-bgp-default-ipv6] peer 2001:1::2 enable

[CE1-bgp-default-ipv6] import-route direct

[CE1-bgp-default-ipv6] quit

[CE1-bgp-default] quit

# Configure the other CEs (CE 2 through CE 4) in the same way that CE 1 is configured. (Details not shown.)

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp-default] ip vpn-instance vpn1

[PE1-bgp-default-vpn1] peer 2001:1::1 as-number 65410

[PE1-bgp-default-vpn1] address-family ipv6 unicast

[PE1-bgp-default-ipv6-vpn1] peer 2001:1::1 enable

[PE1-bgp-default-ipv6-vpn1] quit

[PE1-bgp-default-vpn1] quit

[PE1-bgp-default] ip vpn-instance vpn2

[PE1-bgp-default-vpn2] peer 2001:2::1 as-number 65420

[PE1-bgp-default-vpn2] address-family ipv6 unicast

[PE1-bgp-default-ipv6-vpn2] peer 2001:2::1 enable

[PE1-bgp-default-ipv6-vpn2] quit

[PE1-bgp-default-vpn2] quit

[PE1-bgp-default] quit

# Configure PE 2 in the same way that PE 1 is configured. (Details not shown.)

# Execute the display bgp peer ipv6 vpn-instance command on the PEs to verify that a BGP peer relationship in Established state has been established between a PE and a CE. (Details not shown.)

5. Configure an MP-IBGP peer relationship between the PEs:

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp-default] peer 3.3.3.9 as-number 100

[PE1-bgp-default] peer 3.3.3.9 connect-interface loopback 0

[PE1-bgp-default] address-family vpnv6

[PE1-bgp-default-vpnv6] peer 3.3.3.9 enable

[PE1-bgp-default-vpnv6] quit

[PE1-bgp-default] quit

# Configure PE 2.

[PE2] bgp 100

[PE2-bgp-default] peer 1.1.1.9 as-number 100

[PE2-bgp-default] peer 1.1.1.9 connect-interface loopback 0

[PE2-bgp-default] address-family vpnv6

[PE2-bgp-default-vpnv6] peer 1.1.1.9 enable

[PE2-bgp-default-vpnv6] quit

[PE2-bgp-default] quit

# Execute the display bgp peer vpnv6 command on the PEs to verify that a BGP peer relationship in Established state has been established between the PEs. (Details not shown.)

Verifying the configuration

# Execute the display ipv6 routing-table vpn-instance command on the PEs.

[PE1] display ipv6 routing-table vpn-instance vpn1

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:1::/96 Protocol : Direct

NextHop : :: Preference: 0

Interface : GE2/0/1 Cost : 0

Destination: 2001:1::2/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:3::/96 Protocol : BGP4+

NextHop : ::FFFF:3.3.3.9 Preference: 255

Interface : POS2/2/0 Cost : 0

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

[PE1] display ipv6 routing-table vpn-instance vpn2

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:2::/96 Protocol : Direct

NextHop : :: Preference: 0

Interface : GE2/0/2 Cost : 0

Destination: 2001:2::2/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:4::/96 Protocol : BGP4+

NextHop : ::FFFF:3.3.3.9 Preference: 255

Interface : POS2/2/0 Cost : 0

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

The output shows that PE 1 has routes to the remote CEs. Output on PE 2 is similar.

# Verify that CEs of the same VPN can ping each other, whereas those of different VPNs cannot. For example, CE 1 can ping CE 3 (2001:3::1), but cannot ping CE 4 (2001:4::1). (Details not shown.)

Configuring an IPv6 MPLS L3VPN over a GRE tunnel

Network requirements

CE 1 and CE 2 belong to VPN 1. The PEs support MPLS, while the P router does not support MPLS and provides only IP features.

On the backbone, use a GRE tunnel to encapsulate and forward packets for IPv6 MPLS L3VPN.

Configure tunnel policies on the PEs, and specify the tunnel type for VPN traffic as GRE.

Figure 92 Network diagram

Table 30 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	GE2/0/1	2001:1::1/96	P	POS2/2/0	172.1.1.2/24
PE 1	Loop0	1.1.1.9/32		POS2/2/1	172.2.1.1/24
	GE2/0/1	2001:1::2/96	PE 2	Loop0	2.2.2.9/32
	POS2/2/1	172.1.1.1/24		GE2/0/1	2001:2::2/96
	Tunnel0	20.1.1.1/24		POS2/2/0	172.2.1.2/24
CE 2	GE2/0/1	2001:2::1/96		Tunnel0	20.1.1.2/24

Configuration procedure

1. Configure an IGP on the MPLS backbone to ensure IP connectivity among the PEs and the P router.

This example uses OSPF. (Details not shown.)

2. Configure basic MPLS on the PEs:

# Configure PE 1.

<PE1> system-view

[PE1] mpls lsr-id 1.1.1.9

# Configure PE 2.

<PE2> system-view

[PE2] mpls lsr-id 2.2.2.9

3. Configure VPN instances on the PEs to allow CE access, and apply tunnel policies to the VPN instances to use a GRE tunnel for VPN packet forwarding:

# Configure PE 1.

[PE1] tunnel-policy gre1

[PE1-tunnel-policy-gre1] tunnel select-seq gre load-balance-number 1

[PE1-tunnel-policy-gre1] quit

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 100:1 both

[PE1-vpn-instance-vpn1] tnl-policy gre1

[PE1-vpn-instance-vpn1] quit

[PE1] interface gigabitethernet 2/0/1

[PE1-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[PE1-GigabitEthernet2/0/1] ipv6 address 2001:1::2 96

[PE1-GigabitEthernet2/0/1] quit

# Configure PE 2.

[PE2] tunnel-policy gre1

[PE2-tunnel-policy-gre1] tunnel select-seq gre load-balance-number 1

[PE2-tunnel-policy-gre1] quit

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 100:2

[PE2-vpn-instance-vpn1] vpn-target 100:1 both

[PE2-vpn-instance-vpn1] tnl-policy gre1

[PE2-vpn-instance-vpn1] quit

[PE2] interface gigabitethernet 2/0/1

[PE2-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[PE2-GigabitEthernet2/0/1] ipv6 address 2001:2::2 96

[PE2-GigabitEthernet2/0/1] quit

# Configure CE 1.

<CE1> system-view

[CE1] interface gigabitethernet 2/0/1

[CE1-GigabitEthernet2/0/1] ipv6 address 2001:1::1 96

[CE1-GigabitEthernet2/0/1] quit

# Configure CE 2.

<CE2> system-view

[CE2] interface gigabitethernet 2/0/1

[CE2-GigabitEthernet2/0/1] ipv6 address 2001:2::1 96

[CE2-GigabitEthernet2/0/1] quit

# Execute the display ip vpn-instance command on the PEs to display information about the VPN instance, for example, on PE 1.

[PE1] display ip vpn-instance

Total VPN-Instances configured : 1

VPN-Instance Name RD Create time

vpn1 100:1 2012/02/13 15:59:50

# Use the ping command on the PEs to verify that the PEs can ping their attached CEs, for example, on PE 1.

[PE1] ping ipv6 -vpn-instance vpn1 2001:1::1

Ping6(56 bytes) 2001:1::2 --> 2001:1::1, press CTRL_C to break

56 bytes from 2001:1::1, icmp_seq=0 hlim=64 time=0.000 ms

56 bytes from 2001:1::1, icmp_seq=1 hlim=64 time=1.000 ms

56 bytes from 2001:1::1, icmp_seq=2 hlim=64 time=0.000 ms

56 bytes from 2001:1::1, icmp_seq=3 hlim=64 time=1.000 ms

56 bytes from 2001:1::1, icmp_seq=4 hlim=64 time=0.000 ms

--- Ping6 statistics for 2001:1::1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/0.400/1.000/0.490 ms

4. Establish EBGP peer relationships between PEs and CEs to allow them to exchange VPN routes:

# Configure CE 1.

[CE1] bgp 65410

[CE1-bgp-default] peer 2001:1::2 as-number 100

[CE1-bgp-default] address-family ipv6 unicast

[CE1-bgp-default-ipv6] peer 2001:1::2 enable

[CE1-bgp-default-ipv6] import-route direct

[CE1-bgp-default-ipv6] quit

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp-default] ip vpn-instance vpn1

[PE1-bgp-default-vpn1] peer 2001:1::1 as-number 65410

[PE1-bgp-default-vpn1] address-family ipv6 unicast

[PE1-bgp-default-ipv6-vpn1] peer 2001:1::1 enable

[PE1-bgp-default-ipv6-vpn1] quit

[PE1-bgp-default-vpn1] quit

[PE1-bgp-default] quit

# Configure CE 2 and PE 2 in the same way that CE 1 and PE 1 are configured. (Details not shown.)

# Execute the display bgp peer ipv6 vpn-instance command on the PEs to verify that a BGP peer relationship in Established state has been established between a PE and a CE. (Details not shown.)

5. Configure an MP-IBGP peer relationship between the PEs:

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp-default] peer 2.2.2.9 as-number 100

[PE1-bgp-default] peer 2.2.2.9 connect-interface loopback 0

[PE1-bgp-default] address-family vpnv6

[PE1-bgp-default-vpnv6] peer 2.2.2.9 enable

[PE1-bgp-default-vpnv6] quit

[PE1-bgp-default] quit

# Configure PE 2 in the same way that PE 1 is configured. (Details not shown.)

# Execute the display bgp peer vpnv6 command on the PEs to verify that a BGP peer relationship in Established state has been established between the PEs. (Details not shown.)

6. Configure a GRE tunnel:

# Configure PE 1.

[PE1] interface tunnel 0 mode gre

[PE1-Tunnel0] source loopback 0

[PE1-Tunnel0] destination 2.2.2.9

[PE1-Tunnel0] ip address 20.1.1.1 24

[PE1-Tunnel0] mpls enable

[PE1-Tunnel0] quit

# Configure PE 2.

[PE2] interface tunnel 0 mode gre

[PE2-Tunnel0] source loopback 0

[PE2-Tunnel0] destination 1.1.1.9

[PE2-Tunnel0] ip address 20.1.1.2 24

[PE2-Tunnel0] mpls enable

[PE2-Tunnel0] quit

Verifying the configuration

# Verify that the CEs have learned the route to each other and can ping each other. (Details not shown.)

Configuring IPv6 MPLS L3VPN inter-AS option A

Network requirements

CE 1 and CE 2 belong to the same VPN. CE 1 accesses the network through PE 1 in AS 100 and CE 2 accesses the network through PE 2 in AS 200.

Configure IPv6 MPLS L3VPN inter-AS option A, and use VRF-to-VRF method to manage VPN routes.

Run OSPF on the MPLS backbone of each AS.

Figure 93 Network diagram

Table 31 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	GE2/0/1	2001:1::1/96	CE 2	GE2/0/1	2001:2::1/96
PE 1	Loop0	1.1.1.9/32	PE 2	Loop0	4.4.4.9/32
	GE2/0/1	2001:1::2/96		GE2/0/1	2001:2::2/96
	POS2/2/0	172.1.1.2/24		POS2/2/0	162.1.1.2/24
ASBR-PE1	Loop0	2.2.2.9/32	ASBR-PE2	Loop0	3.3.3.9/32
	POS2/2/0	172.1.1.1/24		POS2/2/0	162.1.1.1/24
	POS2/2/1	2002:1::1/96		POS2/2/1	2002:1::2/96

Configuration procedure

1. Configure an IGP on each MPLS backbone to ensure IP connectivity within the backbone.

This example uses OSPF. Be sure to advertise the route to the 32-bit loopback interface address of each router through OSPF. Use the loopback interface address of a router as the router's LSR ID. (Details not shown.)

# Execute the display ospf peer command to verify that each ASBR-PE has established an OSPF adjacency in Full state with the PE in the same AS, and that the PEs and ASBR-PEs in the same AS have learned the routes to the loopback interfaces of each other. Execute the ping command to verify that the PEs and ASBR-PEs in the same AS can ping each other. (Details not shown.)

2. Configure basic MPLS and enable MPLS LDP on each MPLS backbone to establish LDP LSPs:

# Configure basic MPLS on PE 1, and enable MPLS LDP for both PE 1 and the interface connected to ASBR-PE 1.

<PE1> system-view

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] interface pos 2/2/0

[PE1-Pos2/2/0] mpls enable

[PE1-Pos2/2/0] mpls ldp enable

[PE1-Pos2/2/0] quit

# Configure basic MPLS on ASBR-PE 1, and enable MPLS LDP for both ASBR-PE 1 and the interface connected to PE 1.

<ASBR-PE1> system-view

[ASBR-PE1] mpls lsr-id 2.2.2.9

[ASBR-PE1] mpls ldp

[ASBR-PE1-ldp] quit

[ASBR-PE1] interface pos 2/2/0

[ASBR-PE1-Pos2/2/0] mpls enable

[ASBR-PE1-Pos2/2/0] mpls ldp enable

[ASBR-PE1-Pos2/2/0] quit

# Configure basic MPLS on ASBR-PE 2, and enable MPLS LDP for both ASBR-PE 2 and the interface connected to PE 2.

<ASBR-PE2> system-view

[ASBR-PE2] mpls lsr-id 3.3.3.9

[ASBR-PE2] mpls ldp

[ASBR-PE2-ldp] quit

[ASBR-PE2] interface pos 2/2/0

[ASBR-PE2-Pos2/2/0] mpls enable

[ASBR-PE2-Pos2/2/0] mpls ldp enable

[ASBR-PE2-Pos2/2/0] quit

# Configure basic MPLS on PE 2, and enable MPLS LDP for both PE 2 and the interface connected to ASBR-PE 2.

<PE2> system-view

[PE2] mpls lsr-id 4.4.4.9

[PE2] mpls ldp

[PE2-ldp] quit

[PE2] interface pos 2/2/0

[PE2-Pos2/2/0] mpls enable

[PE2-Pos2/2/0] mpls ldp enable

[PE2-Pos2/2/0] quit

# Execute the display mpls ldp session command on the routers to verify that the session status is Operational, and that each PE and the ASBR-PE in the same AS have established an LDP neighbor relationship. (Details not shown.)

3. Configure a VPN instance on the PEs:

For the same VPN, the route targets for the VPN instance on the PE must match those for the VPN instance on the ASBR-PE in the same AS. This is not required for PEs in different ASs.

# Configure CE 1.

<CE1> system-view

[CE1] interface gigabitethernet 2/0/1

[CE1-GigabitEthernet2/0/1] ipv6 address 2001:1::1 96

[CE1-GigabitEthernet2/0/1] quit

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 100:1 both

[PE1-vpn-instance-vpn1] quit

[PE1] interface gigabitethernet 2/0/1

[PE1-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[PE1-GigabitEthernet2/0/1] ipv6 address 2001:1::2 96

[PE1-GigabitEthernet2/0/1] quit

# Configure CE 2.

<CE2> system-view

[CE2] interface gigabitethernet 2/0/1

[CE2-GigabitEthernet2/0/1] ipv6 address 2001:2::1 96

[CE2-GigabitEthernet2/0/1] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 200:1

[PE2-vpn-instance-vpn1] vpn-target 200:1 both

[PE2-vpn-instance-vpn1] quit

[PE2] interface gigabitethernet 2/0/1

[PE2-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[PE2-GigabitEthernet2/0/1] ipv6 address 2001:2::2 96

[PE2-GigabitEthernet2/0/1] quit

# On ASBR-PE 1, create a VPN instance, and bind the VPN instance to the interface connected to ASBR-PE 2. ASBR-PE 1 considers ASBR-PE 2 to be its attached CE.

[ASBR-PE1] ip vpn-instance vpn1

[ASBR-PE1-vpn-vpn1] route-distinguisher 100:1

[ASBR-PE1-vpn-vpn1] vpn-target 100:1 both

[ASBR-PE1-vpn-vpn1] quit

[ASBR-PE1] interface pos 2/2/1

[ASBR-PE1-Pos2/2/1] ip binding vpn-instance vpn1

[ASBR-PE1-Pos2/2/1] ipv6 address 2002:1::1 96

[ASBR-PE1-Pos2/2/1] quit

# On ASBR-PE 2, create a VPN instance, and bind the VPN instance to the interface connected to ASBR-PE 1. ASBR-PE 2 considers ASBR-PE 1 to be its attached CE.

[ASBR-PE2] ip vpn-instance vpn1

[ASBR-PE2-vpn-vpn1] route-distinguisher 200:1

[ASBR-PE2-vpn-vpn1] vpn-target 200:1 both

[ASBR-PE2-vpn-vpn1] quit

[ASBR-PE2] interface pos 2/2/1

[ASBR-PE2-Pos2/2/1] ip binding vpn-instance vpn1

[ASBR-PE2-Pos2/2/1] ipv6 address 2002:1::2 96

[ASBR-PE2-Pos2/2/1] quit

# Execute the display ip vpn-instance command to display VPN instance information. Verify that each PE can ping its attached CE, and that ASBR-PE 1 and ASBR-PE 2 can ping each other. (Details not shown.)

4. Establish EBGP peer relationships between PEs and CEs to allow them to exchange VPN routes:

# Configure CE 1.

[CE1] bgp 65001

[CE1-bgp-default] peer 2001:1::2 as-number 100

[CE1-bgp-default] address-family ipv6 unicast

[CE1-bgp-default-ipv6] peer 2001:1::2 enable

[CE1-bgp-default-ipv6] import-route direct

[CE1-bgp-default-ipv6] quit

[CE1-bgp-default] quit

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp-default] ip vpn-instance vpn1

[PE1-bgp-default-vpn1] peer 2001:1::1 as-number 65001

[PE1-bgp-default-vpn1] address-family ipv6 unicast

[PE1-bgp-default-ipv6-vpn1] peer 2001:1::1 enable

[PE1-bgp-default-ipv6-vpn1] quit

[PE1-bgp-default-vpn1] quit

[PE1-bgp-default] quit

# Configure CE 2.

[CE2] bgp 65002

[CE2-bgp-default] peer 2001:2::2 as-number 200

[CE2-bgp-default] address-family ipv6

[CE2-bgp-default-ipv6] peer 2001:2::2 enable

[CE2-bgp-default-ipv6] import-route direct

[CE2-bgp-default-ipv6] quit

[CE2-bgp-default] quit

# Configure PE 2.

[PE2] bgp 200

[PE2-bgp-default] ip vpn-instance vpn1

[PE2-bgp-default-vpn1] peer 2001:2::1 as-number 65002

[PE2-bgp-default-vpn1] address-family ipv6 unicast

[PE2-bgp-default-ipv6-vpn1] peer 2001:2::1 enable

[PE2-bgp-default-ipv6-vpn1] quit

[PE2-bgp-default-vpn1] quit

[PE2-bgp-default] quit

5. Establish an IBGP peer relationship between each PE and the ASBR-PE in the same AS and an EBGP peer relationship between the ASBR-PEs:

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp-default] peer 2.2.2.9 as-number 100

[PE1-bgp-default] peer 2.2.2.9 connect-interface loopback 0

[PE1-bgp-default] address-family vpnv6

[PE1-bgp-default-vpnv6] peer 2.2.2.9 enable

[PE1-bgp-default-vpnv6] quit

[PE1-bgp-default] quit

# Configure ASBR-PE 1.

[ASBR-PE1] bgp 100

[ASBR-PE1-bgp-default] ip vpn-instance vpn1

[ASBR-PE1-bgp-default-vpn1] peer 2002:1::2 as-number 200

[ASBR-PE1-bgp-default-vpn1] address-family ipv6 unicast

[ASBR-PE1-bgp-default-ipv6-vpn1] peer 2002:1::2 enable

[ASBR-PE1-bgp-default-ipv6-vpn1] quit

[ASBR-PE1-bgp-default-vpn1] quit

[ASBR-PE1-bgp-default] peer 1.1.1.9 as-number 100

[ASBR-PE1-bgp-default] peer 1.1.1.9 connect-interface loopback 0

[ASBR-PE1-bgp-default] address-family vpnv6

[ASBR-PE1-bgp-default-vpnv6] peer 1.1.1.9 enable

[ASBR-PE1-bgp-default-vpnv6] quit

[ASBR-PE1-bgp-default] quit

# Configure ASBR-PE 2.

[ASBR-PE2] bgp 200

[ASBR-PE2-bgp-default] ip vpn-instance vpn1

[ASBR-PE2-bgp-default-vpn1] peer 2002:1::1 as-number 100

[ASBR-PE2-bgp-default-vpn1] address-family ipv6 unicast

[ASBR-PE2-bgp-default-ipv6-vpn1] peer 2002:1::1 enable

[ASBR-PE2-bgp-default-ipv6-vpn1] quit

[ASBR-PE2-bgp-default-vpn1] quit

[ASBR-PE2-bgp-default] peer 4.4.4.9 as-number 200

[ASBR-PE2-bgp-default] peer 4.4.4.9 connect-interface loopback 0

[ASBR-PE2-bgp-default] address-family vpnv6

[ASBR-PE2-bgp-default-vpnv6] peer 4.4.4.9 enable

[ASBR-PE2-bgp-default-vpnv6] quit

[ASBR-PE2-bgp-default] quit

# Configure PE 2.

[PE2] bgp 200

[PE2-bgp-default] peer 3.3.3.9 as-number 200

[PE2-bgp-default] peer 3.3.3.9 connect-interface loopback 0

[PE2-bgp-default] address-family vpnv6

[PE2-bgp-default-vpnv6] peer 3.3.3.9 enable

[PE2-bgp-default-vpnv6] quit

[PE2-bgp-default] quit

Verifying the configuration

# Verify that the CEs can learn the route to each other and can ping each other. (Details not shown.)

Configuring IPv6 MPLS L3VPN inter-AS option C

Network requirements

Site 1 and Site 2 belong to the same VPN. Site 1 accesses the network through PE 1 in AS 100. Site 2 accesses the network through PE 2 in AS 600. PEs in the same AS run IS-IS.

PE 1 and ASBR-PE 1 exchange labeled IPv4 routes by IBGP. PE 2 and ASBR-PE 2 exchange labeled IPv4 routes by IBGP. PE 1 and PE 2 are MP-EBGP peers to exchange VPNv6 routes.

ASBR-PE 1 and ASBR-PE 2 use their respective routing policies and label the routes received from each other.

ASBR-PE 1 and ASBR-PE 2 use EBGP to exchange labeled IPv4 routes.

Figure 94 Network diagram

Table 32 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
PE 1	Loop0	2.2.2.9/32	PE 2	Loop0	5.5.5.9/32
	GE2/0/1	2001::1/64		GE2/0/1	2002::1/64
	S2/1/0	1.1.1.2/8		S2/1/0	9.1.1.2/8
ASBR-PE 1	Loop0	3.3.3.9/32	ASBR-PE 2	Loop0	4.4.4.9/32
	S2/1/0	1.1.1.1/8		S2/1/0	9.1.1.1/8
	S2/1/1	11.0.0.2/8		S2/1/1	11.0.0.1/8
CE 1	GE2/0/1	2001::2/64	CE 1	GE2/0/1	2002::2/64

Configuration procedure

1. Configure CE 1:

# Configure an IPv6 address for GigabitEthernet 2/0/1.

<CE1> system-view

[CE1] interface gigabitethernet 2/0/1

[CE1-GigabitEthernet2/0/1] ipv6 address 2001::2 64

[CE1-GigabitEthernet2/0/1] quit

# Establish an EBGP peer relationship with PE 1, and redistribute VPN routes.

[CE1] bgp 65001

[CE1-bgp-default] peer 2001::1 as-number 100

[CE1-bgp-default] address-family ipv6 unicast

[CE1-bgp-default-ipv6] peer 2001::1 enable

[CE1-bgp-default-ipv6] import-route direct

[CE1-bgp-default-ipv6] quit

[CE1-bgp-default] quit

2. Configure PE 1:

# Configure IS-IS on PE 1.

<PE1> system-view

[PE1] isis 1

[PE1-isis-1] network-entity 10.111.111.111.111.00

[PE1-isis-1] quit

# Configure an LSR ID, and enable MPLS and LDP.

[PE1] mpls lsr-id 2.2.2.9

[PE1] mpls ldp

[PE1-ldp] quit

# Configure interface Serial 2/1/0, and enable IS-IS, MPLS, and LDP on the interface.

[PE1] interface serial 2/1/0

[PE1-Serial2/1/0] ip address 1.1.1.2 255.0.0.0

[PE1-Serial2/1/0] isis enable 1

[PE1-Serial2/1/0] mpls enable

[PE1-Serial2/1/0] mpls ldp enable

[PE1-Serial2/1/0] quit

# Configure interface Loopback 0 and start IS-IS on it.

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 2.2.2.9 32

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

# Create VPN instance vpn1, and configure the RD and route target attributes for it.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 11:11

[PE1-vpn-instance-vpn1] vpn-target 3:3 import-extcommunity

[PE1-vpn-instance-vpn1] vpn-target 3:3 export-extcommunity

[PE1-vpn-instance-vpn1] quit

# Associate interface GigabitEthernet 2/0/1 with VPN instance vpn1, and specify the IPv6 address for the interface.

[PE1] interface gigabitethernet 2/0/1

[PE1-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[PE1-GigabitEthernet2/0/1] ipv6 address 2001::1 64

[PE1-GigabitEthernet2/0/1] quit

# Start BGP on PE 1.

[PE1] bgp 100

# Enable the capability to advertise labeled routes to and receive labeled routes from IBGP peer 3.3.3.9.

[PE1-bgp-default] peer 3.3.3.9 as-number 100

[PE1-bgp-default] peer 3.3.3.9 connect-interface loopback 0

[PE1-bgp-default] address-family ipv4 unicast

[PE1-bgp-default-ipv4] peer 3.3.3.9 enable

[PE1-bgp-default-ipv4] peer 3.3.3.9 label-route-capability

[PE1-bgp-default-ipv4] quit

# Configure the maximum hop count from PE 1 to EBGP peer 5.5.5.9 as 10.

[PE1-bgp-default] peer 5.5.5.9 as-number 600

[PE1-bgp-default] peer 5.5.5.9 connect-interface loopback 0

[PE1-bgp-default] peer 5.5.5.9 ebgp-max-hop 10

# Configure peer 5.5.5.9 as a VPNv6 peer.

[PE1-bgp-default] address-family vpnv6

[PE1-bgp-default-af-vpnv6] peer 5.5.5.9 enable

[PE1-bgp-default-af-vpnv6] quit

# Establish an EBGP peer relationship with CE 1, and add the learned BGP routes to the routing table of VPN instance vpn1.

[PE1-bgp-default] ip vpn-instance vpn1

[PE1-bgp-default-vpn1] peer 2001::2 as-number 65001

[PE1-bgp-default-vpn1] address-family ipv6 unicast

[PE1-bgp-default-ipv6-vpn1] peer 2001::2 enable

[PE1-bgp-default-ipv6-vpn1] quit

[PE1-bgp-default-vpn1] quit

[PE1-bgp-default] quit

3. Configure ASBR-PE 1:

# Start IS-IS on ASBR-PE 1.

<ASBR-PE1> system-view

[ASBR-PE1] isis 1

[ASBR-PE1-isis-1] network-entity 10.222.222.222.222.00

[ASBR-PE1-isis-1] quit

# Configure an LSR ID, and enable MPLS and LDP.

[ASBR-PE1] mpls lsr-id 3.3.3.9

[ASBR-PE1] mpls ldp

[ASBR-PE1-ldp] quit

# Configure interface Serial 2/1/0, and enable IS-IS, MPLS, and LDP on the interface.

[ASBR-PE1] interface serial 2/1/0

[ASBR-PE1-Serial2/1/0] ip address 1.1.1.1 255.0.0.0

[ASBR-PE1-Serial2/1/0] isis enable 1

[ASBR-PE1-Serial2/1/0] mpls enable

[ASBR-PE1-Serial2/1/0] mpls ldp enable

[ASBR-PE1-Serial2/1/0] quit

# Configure interface Serial 2/1/1, and enable MPLS on it.

[ASBR-PE1] interface serial 2/1/1

[ASBR-PE1-Serial2/1/1] ip address 11.0.0.2 255.0.0.0

[ASBR-PE1-Serial2/1/1] mpls enable

[ASBR-PE1-Serial2/1/1] quit

# Configure interface Loopback 0, and start IS-IS on it.

[ASBR-PE1] interface loopback 0

[ASBR-PE1-LoopBack0] ip address 3.3.3.9 32

[ASBR-PE1-LoopBack0] isis enable 1

[ASBR-PE1-LoopBack0] quit

# Create routing policies.

[ASBR-PE1] route-policy policy1 permit node 1

[ASBR-PE1-route-policy-policy1-1] apply mpls-label

[ASBR-PE1-route-policy-policy1-1] quit

[ASBR-PE1] route-policy policy2 permit node 1

[ASBR-PE1-route-policy-policy2-1] if-match mpls-label

[ASBR-PE1-route-policy-policy2-1] apply mpls-label

[ASBR-PE1-route-policy-policy2-1] quit

# Start BGP on ASBR-PE 1, and apply routing policy policy2 to routes advertised to IBGP peer 2.2.2.9.

[ASBR-PE1] bgp 100

[ASBR-PE1-bgp-default] peer 2.2.2.9 as-number 100

[ASBR-PE1-bgp-default] peer 2.2.2.9 connect-interface loopback 0

[ASBR-PE1-bgp-default] address-family ipv4 unicast

[ASBR-PE1-bgp-default-ipv4] peer 2.2.2.9 enable

[ASBR-PE1-bgp-default-ipv4] peer 2.2.2.9 route-policy policy2 export

# Enable the capability to advertise labeled routes to and receive labeled routes from IBGP peer 2.2.2.9.

[ASBR-PE1-bgp-default-ipv4] peer 2.2.2.9 label-route-capability

# Redistribute routes from IS-IS process 1

[ASBR-PE1-bgp-default-ipv4] import-route isis 1

[ASBR-PE1-bgp-default-ipv4] quit

# Apply routing policy policy1 to routes advertised to EBGP peer 11.0.0.1.

[ASBR-PE1-bgp-default] peer 11.0.0.1 as-number 600

[ASBR-PE1-bgp-default] address-family ipv4 unicast

[ASBR-PE1-bgp-default-ipv4] peer 11.0.0.1 enable

[ASBR-PE1-bgp-default-ipv4] peer 11.0.0.1 route-policy policy1 export

# Enable the capability to advertise labeled routes to and receive labeled routes from EBGP peer 11.0.0.1.

[ASBR-PE1-bgp-default-ipv4] peer 11.0.0.1 label-route-capability

[ASBR-PE1-bgp-default-ipv4] quit

[ASBR-PE1-bgp-default] quit

4. Configure ASBR-PE 2:

# Start IS-IS on ASBR-PE 2.

<ASBR-PE2> system-view

[ASBR-PE2] isis 1

[ASBR-PE2-isis-1] network-entity 10.333.333.333.333.00

[ASBR-PE2-isis-1] quit

# Configure an LSR ID, and enable MPLS and LDP.

[ASBR-PE2] mpls lsr-id 4.4.4.9

[ASBR-PE2] mpls ldp

[ASBR-PE2-ldp] quit

# Configure interface Serial 2/1/0, and enable IS-IS, MPLS, and LDP on the interface.

[ASBR-PE2] interface serial 2/1/0

[ASBR-PE2-Serial2/1/0] ip address 9.1.1.1 255.0.0.0

[ASBR-PE2-Serial2/1/0] isis enable 1

[ASBR-PE2-Serial2/1/0] mpls enable

[ASBR-PE2-Serial2/1/0] mpls ldp enable

[ASBR-PE2-Serial2/1/0] quit

# Configure interface Loopback 0, and start IS-IS on it.

[ASBR-PE2] interface loopback 0

[ASBR-PE2-LoopBack0] ip address 4.4.4.9 32

[ASBR-PE2-LoopBack0] isis enable 1

[ASBR-PE2-LoopBack0] quit

# Configure interface Serial 2/1/1, and enable MPLS on it.

[ASBR-PE2] interface serial 2/1/1

[ASBR-PE2-Serial2/1/1] ip address 11.0.0.1 255.0.0.0

[ASBR-PE2-Serial2/1/1] mpls enable

[ASBR-PE2-Serial2/1/1] quit

# Create routing policies.

[ASBR-PE2] route-policy policy1 permit node 1

[ASBR-PE2-route-policy-policy1-1] apply mpls-label

[ASBR-PE2-route-policy-policy1-1] quit

[ASBR-PE2] route-policy policy2 permit node 1

[ASBR-PE2-route-policy-policy2-1] if-match mpls-label

[ASBR-PE2-route-policy-policy2-1] apply mpls-label

[ASBR-PE2-route-policy-policy2-1] quit

# Start BGP on ASBR-PE 2, and enable the capability to advertise labeled routes to and receive labeled routes from IBGP peer 5.5.5.9.

[ASBR-PE2] bgp 600

[ASBR-PE2-bgp-default] peer 5.5.5.9 as-number 600

[ASBR-PE2-bgp-default] peer 5.5.5.9 connect-interface loopback 0

[ASBR-PE2-bgp-default] address-family ipv4 unicast

[ASBR-PE2-bgp-default-ipv4] peer 5.5.5.9 enable

[ASBR-PE2-bgp-default-ipv4] peer 5.5.5.9 label-route-capability

# Apply routing policy policy2 to routes advertised to IBGP peer 5.5.5.9.

[ASBR-PE2-bgp-default-ipv4] peer 5.5.5.9 route-policy policy2 export

# Redistribute routes from IS-IS process 1.

[ASBR-PE2-bgp-default-ipv4] import-route isis 1

[ASBR-PE2-bgp-default-ipv4] quit

# Apply routing policy policy1 to routes advertised to EBGP peer 11.0.0.2.

[ASBR-PE2-bgp-default] peer 11.0.0.2 as-number 100

[ASBR-PE2-bgp-default] address-family ipv4 unicast

[ASBR-PE2-bgp-default-ipv4] peer 11.0.0.2 enable

[ASBR-PE2-bgp-default-ipv4] peer 11.0.0.2 route-policy policy1 export

# Enable the capability to advertise labeled routes to and receive labeled routes from EBGP peer 11.0.0.2.

[ASBR-PE2-bgp-default-ipv4] peer 11.0.0.2 label-route-capability

[ASBR-PE2-bgp-default-ipv4] quit

[ASBR-PE2-bgp-default] quit

5. Configure PE 2:

# Start IS-IS on PE 2.

<PE2> system-view

[PE2] isis 1

[PE2-isis-1] network-entity 10.444.444.444.444.00

[PE2-isis-1] quit

# Configure an LSR ID, and enable MPLS and LDP.

[PE2] mpls lsr-id 5.5.5.9

[PE2] mpls ldp

[PE2-ldp] quit

# Configure interface Serial 2/1/0, and enable IS-IS, MPLS, and LDP on the interface.

[PE2] interface serial 2/1/0

[PE2-Serial2/1/0] ip address 9.1.1.2 255.0.0.0

[PE2-Serial2/1/0] isis enable 1

[PE2-Serial2/1/0] mpls enable

[PE2-Serial2/1/0] mpls ldp enable

[PE2-Serial2/1/0] quit

# Configure interface Loopback 0, and start IS-IS on it.

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 5.5.5.9 32

[PE2-LoopBack0] isis enable 1

[PE2-LoopBack0] quit

# Create VPN instance vpn1, and configure the RD and route target attributes for it.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 11:11

[PE2-vpn-instance-vpn1] vpn-target 3:3 import-extcommunity

[PE2-vpn-instance-vpn1] vpn-target 3:3 export-extcommunity

[PE2-vpn-instance-vpn1] quit

# Associate interface GigabitEthernet 2/0/1 with VPN instance vpn1, and specify the IPv6 address for the interface.

[PE2] interface gigabitethernet 2/0/1

[PE2-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[PE2-GigabitEthernet2/0/1] ipv6 address 2002::1 64

[PE2-GigabitEthernet2/0/1] quit

# Start BGP.

[PE2] bgp 600

# Enable the capability to advertise labeled routes to and receive labeled routes from IBGP peer 4.4.4.9.

[PE2-bgp-default] peer 4.4.4.9 as-number 600

[PE2-bgp-default] peer 4.4.4.9 connect-interface loopback 0

[PE2-bgp-default] address-family ipv4 unicast

[PE2-bgp-default-ipv4] peer 4.4.4.9 enable

[PE2-bgp-default-ipv4] peer 4.4.4.9 label-route-capability

[PE2-bgp-default-ipv4] quit

# Configure the maximum hop count from PE 2 to EBGP peer 2.2.2.9 as 10.

[PE2-bgp-default] peer 2.2.2.9 as-number 100

[PE2-bgp-default] peer 2.2.2.9 connect-interface loopback 0

[PE2-bgp-default] peer 2.2.2.9 ebgp-max-hop 10

# Configure peer 2.2.2.9 as a VPNv6 peer.

[PE2-bgp-default] address-family vpnv6

[PE2-bgp-default-af-vpnv6] peer 2.2.2.9 enable

[PE2-bgp-default-af-vpnv6] quit

# Establish an EBGP peer relationship with CE 2, and add the learned BGP routes to the routing table of VPN instance vpn1.

[PE2-bgp-default] ip vpn-instance vpn1

[PE2-bgp-default-vpn1] peer 2002::2 as-number 65002

[PE2-bgp-default-vpn1] address-family ipv6 unicast

[PE2-bgp-default-ipv6-vpn1] peer 2002::2 enable

[PE2-bgp-default-ipv6-vpn1] quit

[PE2-bgp-default-vpn1] quit

[PE2-bgp-default] quit

6. Configure CE 2:

# Configure an IPv6 address for GigabitEthernet 2/0/1.

<CE2> system-view

[CE2] interface gigabitethernet 2/0/1

[CE2-GigabitEthernet2/0/1] ipv6 address 2002::2 64

[CE2-GigabitEthernet2/0/1] quit

# Establish an EBGP peer relationship with PE 2, and redistribute VPN routes.

[CE2] bgp 65002

[CE2-bgp-default] peer 2002::1 as-number 600

[CE2-bgp-default] address-family ipv6 unicast

[CE2-bgp-default-ipv6] peer 2002::1 enable

[CE2-bgp-default-ipv6] import-route direct

[CE2-bgp-default-ipv6] quit

[CE2-bgp-default] quit

Verifying the configuration

# Execute the display ipv6 routing table command on CE 1 and CE 2 to verify that CE 1 and CE 2 have a route to each other. Verify that CE 1 and CE 2 can ping each other. (Details not shown.)

Configuring IPv6 MPLS L3VPN carrier's carrier in the same AS

Network requirements

Configure carrier's carrier for the scenario shown in Figure 95. In this scenario:

· PE 1 and PE 2 are the provider carrier's PE routers. They provide VPN services to the customer carrier.

· CE 1 and CE 2 are the customer carrier's routers. They are connected to the provider carrier's backbone as CE routers.

· PE 3 and PE 4 are the customer carrier's PE routers. They provide IPv6 MPLS L3VPN services to end customers.

· CE 3 and CE 4 are customers of the customer carrier.

· The customer carrier and the provider carrier reside in the same AS.

The key to the carrier's carrier deployment is to configure exchange of two kinds of routes:

· Exchange of the customer carrier's internal routes on the provider carrier's backbone.

· Exchange of the end customers' internal routes between PE 3 and PE 4, the PEs of the customer carrier. In this process, an MP-IBGP peer relationship must be established between PE 3 and PE 4.

Figure 95 Network diagram

Table 33 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 3	GE2/0/1	2001:1::1/96	CE 4	GE2/0/1	2001:2::1/96
PE 3	Loop0	1.1.1.9/32	PE 4	Loop0	6.6.6.9/32
	GE2/0/1	2001:1::2/96		GE2/0/1	2001:2::2/96
	POS2/2/1	10.1.1.1/24		POS2/2/1	20.1.1.2/24
CE 1	Loop0	2.2.2.9/32	CE 2	Loop0	5.5.5.9/32
	POS2/2/0	10.1.1.2/24		POS2/2/0	21.1.1.2/24
	POS2/2/1	11.1.1.1/24		POS2/2/1	20.1.1.1/24
PE 1	Loop0	3.3.3.9/32	PE 2	Loop0	4.4.4.9/32
	POS2/2/0	11.1.1.2/24		POS2/2/0	30.1.1.2/24
	POS2/2/1	30.1.1.1/24		POS2/2/1	21.1.1.1/24

Configuration procedure

1. Configure MPLS L3VPN on the provider carrier backbone. Start IS-IS as the IGP, enable LDP on PE 1 and PE 2, and establish an MP-IBGP peer relationship between the PEs:

# Configure PE 1.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 3.3.3.9 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 3.3.3.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] isis 1

[PE1-isis-1] network-entity 10.0000.0000.0000.0004.00

[PE1-isis-1] quit

[PE1] interface loopback 0

[PE1-LoopBack0] isis enable 1

[PE1-LoopBack0] quit

[PE1] interface pos 2/2/1

[PE1-POS2/2/1] ip address 30.1.1.1 24

[PE1-POS2/2/1] isis enable 1

[PE1-POS2/2/1] mpls enable

[PE1-POS2/2/1] mpls ldp enable

[PE1-POS2/2/1] mpls ldp transport-address interface

[PE1-POS2/2/1] quit

[PE1] bgp 100

[PE1-bgp-default] peer 4.4.4.9 as-number 100

[PE1-bgp-default] peer 4.4.4.9 connect-interface loopback 0

[PE1-bgp-default] address-family vpnv4

[PE1-bgp-default-vpnv4] peer 4.4.4.9 enable

[PE1-bgp-default-vpnv4] quit

[PE1-bgp-default] quit

# Configure PE 2 in the same way that PE 1 is configured. (Details not shown.)

# On PE 1 or PE 2, execute the following commands:

? Execute the display mpls ldp peer command to verify that an LDP session in Operational state has been established between PE 1 and PE 2. (Details not shown.)

? Execute the display bgp peer vpnv4 command to verify that a BGP peer relationship in Established state has been established between PE 1 and PE 2. (Details not shown.)

? Execute the display isis peer command to verify that the IS-IS neighbor relationship has been established between PE 1 and PE 2. (Details not shown.)

2. Configure the customer carrier network. Start IS-IS as the IGP, and enable LDP between PE 3 and CE 1, and between PE 4 and CE 2:

# Configure PE 3.

<PE3> system-view

[PE3] interface loopback 0

[PE3-LoopBack0] ip address 1.1.1.9 32

[PE3-LoopBack0] quit

[PE3] mpls lsr-id 1.1.1.9

[PE3] mpls ldp

[PE3-ldp] quit

[PE3] isis 2

[PE3-isis-2] network-entity 10.0000.0000.0000.0001.00

[PE3-isis-2] quit

[PE3] interface loopback 0

[PE3-LoopBack0] isis enable 2

[PE3-LoopBack0] quit

[PE3] interface pos 2/2/1

[PE3-Pos2/2/1] ip address 10.1.1.1 24

[PE3-Pos2/2/1] isis enable 2

[PE3-Pos2/2/1] mpls enable

[PE3-Pos2/2/1] mpls ldp enable

[PE3-Pos2/2/1] mpls ldp transport-address interface

[PE3-Pos2/2/1] quit

# Configure CE 1.

<CE1> system-view

[CE1] interface loopback 0

[CE1-LoopBack0] ip address 2.2.2.9 32

[CE1-LoopBack0] quit

[CE1] mpls lsr-id 2.2.2.9

[CE1] mpls ldp

[CE1-ldp] quit

[CE1] isis 2

[CE1-isis-2] network-entity 10.0000.0000.0000.0002.00

[CE1-isis-2] quit

[CE1] interface loopback 0

[CE1-LoopBack0] isis enable 2

[CE1-LoopBack0] quit

[CE1] interface pos 2/2/0

[CE1-Pos2/2/0] ip address 10.1.1.2 24

[CE1-Pos2/2/0] isis enable 2

[CE1-Pos2/2/0] mpls enable

[CE1-Pos2/2/0] mpls ldp enable

[CE1-Pos2/2/0] mpls ldp transport-address interface

[CE1-Pos2/2/0] quit

PE 3 and CE 1 can establish an LDP session and IS-IS neighbor relationship between them.

# Configure PE 4 and CE 2 in the same way that PE 3 and CE 1 are configured. (Details not shown.)

3. Connect the customer carrier and the provider carrier:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 200:1

[PE1-vpn-instance-vpn1] vpn-target 1:1

[PE1-vpn-instance-vpn1] quit

[PE1] mpls ldp

[PE1-ldp] vpn-instance vpn1

[PE1-ldp-vpn-instance-vpn1] quit

[PE1-ldp] quit

[PE1] isis 2 vpn-instance vpn1

[PE1-isis-2] network-entity 10.0000.0000.0000.0003.00

[PE1-isis-2] address-family ipv4

[PE1-isis-2-ipv4] import-route bgp allow-ibgp

[PE1-isis-2-ipv4] quit

[PE1-isis-2] quit

[PE1] interface pos 2/2/0

[PE1-Pos2/2/0] ip binding vpn-instance vpn1

[PE1-Pos2/2/0] ip address 11.1.1.2 24

[PE1-Pos2/2/0] isis enable 2

[PE1-Pos2/2/0] mpls enable

[PE1-Pos2/2/0] mpls ldp enable

[PE1-Pos2/2/0] mpls ldp transport-address interface

[PE1-Pos2/2/0] quit

[PE1] bgp 100

[PE1-bgp-default] ip vpn-instance vpn1

[PE1-bgp-default-vpn1] address-family ipv4 unicast

[PE1-bgp-default-ipv4-vpn1] import isis 2

[PE1-bgp-default-ipv4-vpn1] quit

[PE1-bgp-default-vpn1] quit

[PE1-bgp-default] quit

# Configure CE 1.

[CE1] interface pos 2/2/1

[CE1-Pos2/2/1] ip address 11.1.1.1 24

[CE1-Pos2/2/1] isis enable 2

[CE1-Pos2/2/1] mpls enable

[CE1-Pos2/2/1] mpls ldp enable

[CE1-Pos2/2/1] mpls ldp transport-address interface

[CE1-Pos2/2/1] quit

PE 1 and CE 1 can establish an LDP session and IS-IS neighbor relationship between them.

# Configure PE 2 and CE 2 in the same way that PE 1 and CE 1 are configured. (Details not shown.)

4. Connect end customers and the customer carrier:

# Configure CE 3.

<CE3> system-view

[CE3] interface gigabitethernet 2/0/1

[CE3-GigabitEthernet2/0/1] ipv6 address 2001:1::1 96

[CE3-GigabitEthernet2/0/1] quit

[CE3] bgp 65410

[CE3-bgp-default] peer 2001:1::2 as-number 100

[CE3-bgp-default] address-family ipv6

[CE3-bgp-default-ipv6] peer 2001:1::2 enable

[CE3-bgp-default-ipv6] import-route direct

[CE3-bgp-default-ipv6] quit

[CE3-bgp-default] quit

# Configure PE 3.

[PE3] ip vpn-instance vpn1

[PE3-vpn-instance-vpn1] route-distinguisher 100:1

[PE3-vpn-instance-vpn1] vpn-target 1:1

[PE3-vpn-instance-vpn1] quit

[PE3] interface gigabitethernet 2/0/1

[PE3-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[PE3-GigabitEthernet2/0/1] ipv6 address 2001:1::2 96

[PE3-GigabitEthernet2/0/1] quit

[PE3] bgp 100

[PE3-bgp-default] ip vpn-instance vpn1

[PE3-bgp-default-vpn1] peer 2001:1::1 as-number 65410

[PE3-bgp-default-vpn1] address-family ipv6 unicast

[PE3-bgp-default-ipv6-vpn1] peer 2001:1::1 enable

[PE3-bgp-default-ipv6-vpn1] quit

[PE3-bgp-default-vpn1] quit

[PE3-bgp-default] quit

# Configure PE 4 and CE 4 in the same way that PE 3 and CE 3 are configured. (Details not shown.)

5. Configure an MP-IBGP peer relationship between the PEs of the customer carrier to exchange the VPN routes of the end customers:

# Configure PE 3.

[PE3] bgp 100

[PE3-bgp-default] peer 6.6.6.9 as-number 100

[PE3-bgp-default] peer 6.6.6.9 connect-interface loopback 0

[PE3-bgp-default] address-family vpnv6

[PE3-bgp-default-af-vpnv6] peer 6.6.6.9 enable

[PE3-bgp-default-af-vpnv6] quit

[PE3-bgp-default] quit

# Configure PE 4 in the same way that PE 3 is configured. (Details not shown.)

Verifying the configuration

1. Display the public network routing table and VPN routing table on the provider carrier PEs, for example, on PE 1:

# Verify that the public network routing table contains only routes of the provider carrier network.

[PE1] display ip routing-table

Destinations : 14 Routes : 14

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

3.3.3.9/32 Direct 0 0 127.0.0.1 InLoop0

4.4.4.9/32 IS_L1 15 10 30.1.1.2 POS2/2/1

30.1.1.0/24 Direct 0 0 30.1.1.1 POS2/2/1

30.1.1.0/32 Direct 0 0 30.1.1.1 POS2/2/1

30.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

30.1.1.255/32 Direct 0 0 30.1.1.1 POS2/2/1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that the VPN routing table contains the internal routes of the customer carrier network.

[PE1] display ip routing-table vpn-instance vpn1

Destinations : 18 Routes : 18

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

1.1.1.9/32 IS_L1 15 20 11.1.1.1 POS2/2/0

2.2.2.9/32 IS_L1 15 10 11.1.1.1 POS2/2/0

5.5.5.9/32 BGP 255 10 4.4.4.9 POS2/2/1

6.6.6.9/32 BGP 255 20 4.4.4.9 POS2/2/1

10.1.1.0/24 IS_L1 15 20 11.1.1.1 POS2/2/0

11.1.1.0/24 Direct 0 0 11.1.1.2 POS2/2/0

11.1.1.0/32 Direct 0 0 11.1.1.2 POS2/2/0

11.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.255/32 Direct 0 0 11.1.1.2 POS2/2/0

20.1.1.0/24 BGP 255 20 4.4.4.9 POS2/2/1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

2. Display the routing table on the customer carrier CEs, for example, on CE 1:

# Verify that the routing table contains the internal routes of the customer carrier network.

[CE1] display ip routing-table

Destinations : 21 Routes : 21

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

1.1.1.9/32 IS_L1 15 10 10.1.1.1 POS2/2/0

2.2.2.9/32 Direct 0 0 127.0.0.1 InLoop0

5.5.5.9/32 IS_L2 15 74 11.1.1.2 POS2/2/1

6.6.6.9/32 IS_L2 15 74 11.1.1.2 POS2/2/1

10.1.1.0/24 Direct 0 0 10.1.1.2 POS2/2/0

10.1.1.0/32 Direct 0 0 10.1.1.2 POS2/2/0

10.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.255/32 Direct 0 0 10.1.1.2 POS2/2/0

11.1.1.0/24 Direct 0 0 11.1.1.1 POS2/2/1

11.1.1.0/32 Direct 0 0 11.1.1.1 POS2/2/1

11.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

11.1.1.255/32 Direct 0 0 11.1.1.1 POS2/2/1

20.1.1.0/24 IS_L2 15 74 11.1.1.2 POS2/2/1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

3. Display the public network routing table and VPN routing table on the customer carrier PEs, for example, on PE 3:

# Verify that the public network routing table contains the internal routes of the customer carrier network.

[PE3] display ip routing-table

Destinations : 18 Routes : 18

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

1.1.1.9/32 Direct 0 0 127.0.0.1 InLoop0

2.2.2.9/32 IS_L1 15 10 10.1.1.2 POS2/2/1

5.5.5.9/32 IS_L2 15 84 10.1.1.2 POS2/2/1

6.6.6.9/32 IS_L2 15 84 10.1.1.2 POS2/2/1

10.1.1.0/24 Direct 0 0 10.1.1.1 POS2/2/1

10.1.1.0/32 Direct 0 0 10.1.1.1 POS2/2/1

10.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0

10.1.1.255/32 Direct 0 0 10.1.1.1 POS2/2/1

11.1.1.0/24 IS_L1 15 20 10.1.1.2 POS2/2/1

20.1.1.0/24 IS_L2 15 84 10.1.1.2 POS2/2/1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that the VPN routing table has the remote VPN route.

[PE3] display ipv6 routing-table vpn-instance vpn1

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:1::/96 Protocol : Direct

NextHop : :: Preference: 0

Interface : GE2/0/1 Cost : 0

Destination: 2001:1::2/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:2::/96 Protocol : BGP4+

NextHop : ::FFFF:6.6.6.9 Preference: 255

Interface : POS2/2/1 Cost : 0

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : InLoop0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

4. Verify that PE 3 and PE 4 can ping each other. (Details not shown.)

5. Verify that CE 3 and CE 4 can ping each other. (Details not shown.)

Configuring multirole host

Network requirements

Configure the multirole host feature to allow Host A to access VPN 1 and VPN 2 and Host B to access only VPN 1.

Figure 96 Network diagram

Configuration procedure

1. Configure CE 1:

# Configure IPv6 addresses for interfaces.

<CE1> system-view

[CE1] interface gigabitethernet 2/0/1

[CE1-GigabitEthernet2/0/1] ipv6 address 100::1 64

[CE1-GigabitEthernet2/0/1] quit

[CE1] interface serial 2/1/0

[CE1-Serial2/1/0] ipv6 address 1::2 64

[CE1-Serial2/1/0] quit

# Configure an IPv6 default route to PE 1.

[CE1] ipv6 route-static :: 0 1::1

2. Configure PE 1:

# Create VPN instances vpn1 and vpn2 for VPN 1 and VPN 2, respectively, and configure different RDs and route targets for the VPN instances.

<PE1> system-view

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 100:1 both

[PE1-vpn-instance-vpn1] quit

[PE1] ip vpn-instance vpn2

[PE1-vpn-instance-vpn2] route-distinguisher 100:2

[PE1-vpn-instance-vpn2] vpn-target 100:2 both

[PE1-vpn-instance-vpn2] quit

# Associate VPN instance vpn1 with Serial 2/1/1 (the interface connected to CE 1).

[PE1] interface serial 2/1/1

[PE1-Serial2/1/1] ip binding vpn-instance vpn1

[PE1-Serial2/1/1] ipv6 address 1::1 64

[PE1-Serial2/1/1] quit

# Configure an IPv6 static route for VPN 2 to reach Host A and redistribute the route to BGP. This configuration ensures that packets from VPN 2 to Host A can be forwarded through the correct route in the routing table of VPN instance vpn1.

[PE1] ipv6 route-static vpn-instance vpn2 100:: 64 vpn-instance vpn1 1::2

[PE1] bgp 100

[PE1-bgp-default] ip vpn-instance vpn2

[PE1-bgp-default-vpn2] address-family ipv6

[PE1-bgp-default-ipv6-vpn2] import-route static

[PE1-bgp-default-ipv6-vpn2] quit

[PE1-bgp-default-vpn2] quit

[PE1-bgp-default] quit

# Configure PBR to route packets from Host A according to the routing tables of both VPN instances vpn1 and vpn2.

[PE1] acl ipv6 advanced 3001

[PE1-acl-ipv6-adv-3001] rule 0 permit ipv6 vpn-instance vpn1 source 100::2 128

[PE1-acl-ipv6-adv-3001] quit

[PE1] ipv6 policy-based-route policy1 permit node 10

[PE1-policy-based-route] if-match acl 3001

[PE1-policy-based-route] apply access-vpn vpn-instance vpn1 vpn2

[PE1-policy-based-route] quit

# Apply policy policy1 to Serial 2/1/1.

[PE1] interface serial 2/1/1

[PE1-Serial2/1/1] ipv6 policy-based-route policy1

3. Configure basic IPv6 MPLS L3VPN. (Details not shown.)

Verifying the configuration

# Verify that Host A can ping Host C, and that Host B cannot ping Host C. (Details not shown.)

Configuring an OSPFv3 sham link

Network requirements

As shown in Figure 97, CE 1 and CE 2 belong to VPN 1. Configure an OSPFv3 sham link between PE 1 and PE 2 so traffic between the CEs is forwarded through the MPLS backbone instead of the backdoor link.

Figure 97 Network diagram

Table 34 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	GE2/0/1	100::1/64	CE 2	GE2/0/1	120::1/64
	S2/1/1	20::1/64		S2/1/1	30::2/64
PE 1	Loop0	1.1.1.9/32	PE 2	Loop0	2.2.2.9/32
	Loop1	3::3/128		Loop1	5::5/128
	GE2/0/1	100::2/64		GE2/0/1	120::2/64
	S2/1/1	10.1.1.1/24		S2/1/0	10.1.1.2/24
Router A	S2/1/0	30::1/64
	S2/1/1	20::2/64

Configuration procedure

1. Configure OSPFv3 on the customer networks:

# Configure conventional OSPFv3 on CE 1, Router A, and CE 2 to advertise addresses of the interfaces (see Table 34). (Details not shown.)

# Set the cost value to 2 for both the link between CE 1 and Router A, and the link between CE 2 and Router A. (Details not shown.)

# Execute the display ipv6 routing-table command to verify that CE 1 and CE 2 have learned the route to each other. (Details not shown.)

2. Configure IPv6 MPLS L3VPN on the backbone:

# Configure basic MPLS and MPLS LDP on PE 1 to establish LDP LSPs.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 1.1.1.9 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] interface serial 2/1/1

[PE1-Serial2/1/1] ip address 10.1.1.1 24

[PE1-Serial2/1/1] mpls enable

[PE1-Serial2/1/1] mpls ldp enable

[PE1-Serial2/1/1] quit

# Configure PE 1 to take PE 2 as an MP-IBGP peer.

[PE1] bgp 100

[PE1-bgp-default] peer 2.2.2.9 as-number 100

[PE1-bgp-default] peer 2.2.2.9 connect-interface loopback 0

[PE1-bgp-default] address-family vpnv6

[PE1-bgp-default-vpnv6] peer 2.2.2.9 enable

[PE1-bgp-default-vpnv6] quit

[PE1-bgp-default] quit

# Configure OSPF on PE 1.

[PE1] ospf 1

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

# Configure basic MPLS and MPLS LDP on PE 2 to establish LDP LSPs.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 2.2.2.9 32

[PE2-LoopBack0] quit

[PE2] mpls lsr-id 2.2.2.9

[PE2] mpls ldp

[PE2-ldp] quit

[PE2] interface serial 2/1/1

[PE2-Serial2/1/1] ip address 10.1.1.2 24

[PE2-Serial2/1/1] mpls enable

[PE2-Serial2/1/1] mpls ldp enable

[PE2-Serial2/1/1] quit

# Configure PE 2 to take PE 1 as an MP-IBGP peer.

[PE2] bgp 100

[PE2-bgp-default] peer 1.1.1.9 as-number 100

[PE2-bgp-default] peer 1.1.1.9 connect-interface loopback 0

[PE2-bgp-default] address-family vpnv6

[PE2-bgp-default-vpnv6] peer 1.1.1.9 enable

[PE2-bgp-default-vpnv6] quit

[PE2-bgp-default] quit

# Configure OSPF on PE 2.

[PE2] ospf 1

[PE2-ospf-1] area 0

[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

3. Configure PEs to allow CE access:

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 1:1

[PE1-vpn-instance-vpn1] quit

[PE1] interface gigabitethernet 2/0/1

[PE1-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[PE1-GigabitEthernet2/0/1] ipv6 address 100::2 64

[PE1-GigabitEthernet2/0/1] ospfv3 100 area 1

[PE1-GigabitEthernet2/0/1] quit

[PE1] ospfv3 100

[PE1-ospfv3-100] router-id 100.1.1.1

[PE1-ospfv3-100] domain-id 10

[PE1-ospfv3-100] quit

[PE1] bgp 100

[PE1-bgp-default] ip vpn-instance vpn1

[PE1-bgp-default-vpn1] address-family ipv6 unicast

[PE1-bgp-default-ipv6-vpn1] import-route ospfv3 100

[PE1-bgp-default-ipv6-vpn1] import-route direct

[PE1-bgp-default-ipv6-vpn1] quit

[PE1-bgp-default-vpn1] quit

[PE1-bgp-default] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 100:2

[PE2-vpn-instance-vpn1] vpn-target 1:1

[PE2-vpn-instance-vpn1] quit

[PE2] interface gigabitethernet 2/0/1

[PE2-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[PE2-GigabitEthernet2/0/1] ipv6 address 120::2 64

[PE2-GigabitEthernet2/0/1] ospfv3 100 area 1

[PE2-GigabitEthernet2/0/1] quit

[PE2] ospfv3 100

[PE2-ospfv3-100] router-id 120.1.1.1

[PE2-ospfv3-100] domain-id 10

[PE2-ospfv3-100] quit

[PE2] bgp 100

[PE2-bgp-default] ip vpn-instance vpn1

[PE2-bgp-default-vpn1] address-family ipv6 unicast

[PE2-bgp-default-ipv6-vpn1] import-route ospfv3 100

[PE2-bgp-default-ipv6-vpn1] import-route direct

[PE2-bgp-default-ipv6-vpn1] quit

[PE2-bgp-default-vpn1] quit

[PE2-bgp-default] quit

# Execute the display ipv6 routing-table vpn-instance command on the PEs. Verify that the path to the peer CE is along the OSPFv3 route across the customer networks, instead of the IPv6 BGP route across the backbone. (Details not shown.)

4. Configure a sham link:

# Configure PE 1.

[PE1] interface loopback 1

[PE1-LoopBack1] ip binding vpn-instance vpn1

[PE1-LoopBack1] ipv6 address 3::3 128

[PE1-LoopBack1] quit

[PE1] ospfv3 100

[PE1-ospfv3-100] area 1

[PE1-ospfv3-100-area-0.0.0.1] sham-link 3::3 5::5

[PE1-ospfv3-100-area-0.0.0.1] quit

[PE1-ospfv3-100] quit

# Configure PE 2.

[PE2] interface loopback 1

[PE2-LoopBack1] ip binding vpn-instance vpn1

[PE2-LoopBack1] ipv6 address 5::5 128

[PE2-LoopBack1] quit

[PE2] ospfv3 100

[PE2-ospfv3-100] area 1

[PE2-ospfv3-100-area-0.0.0.1] sham-link 5::5 3::3

[PE2-ospfv3-100-area-0.0.0.1] quit

[PE2-ospfv3-100] quit

Verifying the configuration

# Execute the display ipv6 routing-table vpn-instance command on the PEs to verify the following results (details not shown):

· The path to the peer CE is now along the IPv6 BGP route across the backbone.

· A route to the sham link destination address exists.

# Execute the display ipv6 routing-table command on the CEs. Verify that the next hop of the OSPFv3 route to the peer CE is the interface connected to the PE (GigabitEthernet 2/0/1). This means that the VPN traffic to the peer CE is forwarded over the backbone. (Details not shown.)

# Verify that a sham link has been established on PEs, for example, on PE 1.

[PE1] display ospfv3 sham-link

OSPFv3 Process 100 with Router ID 100.1.1.1

Sham-link (Area: 0.0.0.1)

Neighbor ID State Instance ID Destination address

120.1.1.1 P-2-P 0 5::5

# Verify that the peer state is Full on PE 1.

[PE1] display ospfv3 sham-link verbose

OSPFv3 Process 100 with Router ID 100.1.1.1

Sham-link (Area: 0.0.0.1)

Source : 3::3

Destination : 5::5

Interface ID: 2147483649

Neighbor ID : 120.1.1.1, Neighbor state: Full

Cost: 1 State: P-2-P Type: Sham Instance ID: 0

Timers: Hello 10, Dead 40, Retransmit 5, Transmit delay 1

Request list: 0 Retransmit list: 0

Configuring BGP AS number substitution

Network requirements

As shown in Figure 98, CE 1 and CE 2 belong to VPN 1, and are connected to PE 1 and PE 2. The two CEs have the same AS number, 600. Configure BGP AS number substitution on the PEs to avoid route loss.

Figure 98 Network diagram

Table 35 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	GE2/0/1	10:1::2/96	P	Loop0	2.2.2.9/32
	GE2/0/2	100::1/96		GE2/0/1	20.1.1.2/24
PE 1	Loop0	10.1.1.1/32		GE2/0/2	30.1.1.1/24
	GE2/0/1	10:1::1/96	PE 2	Loop0	10.1.1.2/32
	GE2/0/2	20.1.1.1/24		GE2/0/1	10:2::1/96
CE 2	GE2/0/1	10:2::2/96		GE2/0/2	30.1.1.2/24
	GE2/0/2	200::1/96

Configuration procedure

1. Configuring basic IPv6 MPLS L3VPN:

? Configure OSPF on the MPLS backbone to allow the PEs and P device to learn the routes of the loopback interfaces from each other.

? Configure basic MPLS and MPLS LDP on the MPLS backbone to establish LDP LSPs.

? Establish an MP-IBGP peer relationship between the PEs to advertise VPN IPv6 routes.

? Configure the VPN instance of VPN 1 on PE 1 to allow CE 1 to access the network.

? Configure the VPN instance of VPN 1 on PE 2 to allow CE 2 to access the network.

? Configure BGP as the PE-CE routing protocol, and redistribute routes of the CEs into the PEs.

For more information about basic IPv6 MPLS L3VPN configurations, see "Configuring IPv6 MPLS L3VPNs."

# Execute the display ipv6 routing-table command on CE 2 to verify that CE 2 has not learned the route to the VPN (100::/96) behind CE 1.

<CE2> display ipv6 routing-table

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 10:2::/96 Protocol : Direct

NextHop : :: Preference: 0

Interface : GE2/0/1 Cost : 0

Destination: 10:2::2/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 200::/96 Protocol : Static

NextHop : :: Preference: 60

Interface : NULL0 Cost : 0

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

# Execute the display ipv6 routing-table command on CE 1 to verify that CE 1 has not learned the route to the VPN behind CE 2. (Details not shown.)

# Execute the display ipv6 routing-table vpn-instance command on the PEs. The output shows the route to the VPN behind the peer CE. This example uses PE 2.

<PE2> display ipv6 routing-table vpn-instance vpn1

Destinations : 7 Routes : 7

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 10:2::/96 Protocol : Direct

NextHop : :: Preference: 0

Interface : GE2/0/1 Cost : 0

Destination: 10:2::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 100::/96 Protocol : BGP4+

NextHop : ::FFFF:10.1.1.1 Preference: 255

Interface : GE2/0/2 Cost : 0

Destination: 200::/96 Protocol : BGP4+

NextHop : 10:2::2 Preference: 255

Interface : GE2/0/1 Cost : 0

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

# Enable BGP update packet debugging on PE 2. The output shows that PE 2 has advertised the route for 100::/96, and the AS_PATH is 100 600.

<PE2> terminal monitor

<PE2> terminal logging level 7

<PE2> debugging bgp update vpn-instance vpn1 10:2::2 ipv6

<PE2> refresh bgp all export ipv6 vpn-instance vpn1

*Jun 13 16:12:52:096 2012 PE2 BGP/7/DEBUG:

BGP_IPV6.vpn1: Send UPDATE to update-group 0 for following destinations:

Origin : Incomplete

AS path : 100 600

Next hop : ::FFFF:10.1.1.1

100::/96,

*Jun 13 16:12:53:024 2012 PE2 BGP/7/DEBUG:

BGP.vpn1: Send UPDATE MSG to peer 10:2::2(IPv6-UNC) NextHop: 10:2::1.

# Execute the display bgp routing-table ipv6 peer received-routes command on CE 2 to verify that CE 2 has not received the route to 100::/96.

<CE2> display bgp routing-table ipv6 peer 10:2::1 received-routes

Total number of routes: 0

2. Configure BGP AS number substitution:

# Configure BGP AS number substitution on PE 1.

<PE1> system-view

[PE1] bgp 100

[PE1-bgp-default] ip vpn-instance vpn1

[PE1-bgp-default-vpn1] peer 10:1::2 substitute-as

[PE1-bgp-default-vpn1] quit

[PE1-bgp-default] quit

# Configure BGP AS number substitution on PE 2.

<PE2> system-view

[PE2] bgp 100

[PE2-bgp-default] ip vpn-instance vpn1

[PE2-bgp-default-vpn1] peer 10:2::2 substitute-as

[PE2-bgp-default-vpn1] quit

[PE2-bgp-default] quit

Verifying the configuration

# The output shows that among the routes advertised by PE 2 to CE 2, the AS_PATH of 100::/96 has changed from 100 600 to 100 100.

*Jun 27 18:07:34:420 2013 PE2 BGP/7/DEBUG:

BGP_IPV6.vpn1: Send UPDATE to peer 10:2::2 for following destinations:

Origin : Incomplete

AS path : 100 100

Next hop : 10:2::1

100::/96,

# Display again the routing information that CE 2 has received, and the routing table. The output shows that CE 2 has learned the route 100::/96.

<CE2> display bgp routing-table ipv6 peer 10:2::1 received-routes

Total number of routes: 1

BGP local router ID is 12.1.1.3

Status codes: * - valid, > - best, d - dampened, h - history,

s - suppressed, S - stale, i - internal, e - external

Origin: i - IGP, e - EGP, ? - incomplete

* >e Network : 100:: PrefixLen : 96

NextHop : 10:2::1 LocPrf :

PrefVal : 0 OutLabel : NULL

MED :

Path/Ogn: 100 100?

<CE2> display ipv6 routing-table

Destinations : 7 Routes : 7

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 10:2::/96 Protocol : Direct

NextHop : :: Preference: 0

Interface : GE2/0/1 Cost : 0

Destination: 10:2::2/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 100::/96 Protocol : BGP4+

NextHop : 10:2::1 Preference: 255

Interface : GE2/0/1 Cost : 0

Destination: 200::/96 Protocol : Static

NextHop : :: Preference: 60

Interface : NULL0 Cost : 0

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

# Verify that GigabitEthernet 2/0/2 of CE 1 and GigabitEthernet 2/0/2 of CE 2 can ping each other. (Details not shown.)

Configuring BGP AS number substitution and SoO attribute

Network requirements

CE 1, CE 2, and CE 3 belong to VPN 1, and are connected to PE1, PE 2, and PE 3. CE 1 and CE 2 reside in the same site. CE1, CE2, and CE 3 all use AS number 600.

To avoid route loss, configure BGP AS number substitution on PEs.

To avoid routing loops, configure the same SoO attribute on PE 1 and PE 2 for CE 1 and CE 2.

Figure 99 Network diagram

Table 36 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Loop0	100::1/96	CE 3	Loop0	200::1/96
	GE2/0/1	10:1::1/96		GE2/0/1	10:3::1/96
CE 2	GE2/0/1	10:2::1/96	PE 2	Loop0	2.2.2.9/32
PE 1	Loop0	1.1.1.9/32		GE2/0/1	10:2::2/96
	GE2/0/1	10:1::2/96		GE2/0/2	40.1.1.1/24
	GE2/0/2	20.1.1.1/24		GE2/0/3	20.1.1.2/24
	GE2/0/3	30.1.1.1/24	P	Loop0	3.3.3.9/32
PE 3	Loop0	4.4.4.9/32		GE2/0/1	30.1.1.2/24
	GE2/0/1	10:3::2/96		GE2/0/2	40.1.1.2/24
	GE2/0/2	50.1.1.2/24		GE2/0/3	50.1.1.1/24

Configuration procedure

1. Configure basic IPv6 MPLS L3VPN:

? Configure OSPF on the MPLS backbone to allow the PEs and P device to learn the routes of the loopback interfaces from each other.

? Configure basic MPLS and MPLS LDP on the MPLS backbone to establish LDP LSPs.

? Establish an MP-IBGP peer relationship between the PEs to advertise VPN IPv6 routes.

? Configure the VPN instance of VPN 1 on PE 1 to allow CE 1 to access the network.

? Configure the VPN instance of VPN 1 on PE 2 to allow CE 2 to access the network.

? Configure the VPN instance of VPN 1 on PE 3 to allow CE 3 to access the network.

? Configure BGP as the PE-CE routing protocol, and redistribute routes of the CEs into the PEs.

For more information about basic MPLS L3VPN configurations, see "Configuring IPv6 MPLS L3VPNs."

2. Configure BGP AS number substitution:

# Configure BGP AS number substitution on PE 1, PE 2, and PE 3. For more information about the configuration, see "Configuring BGP AS number substitution."

# Display routing information on CE 2. The output shows that CE 2 has learned the route 100::/96 from CE 1. A routing loop has occurred because CE 1 and CE 2 reside in the same site.

<CE2> display bgp routing-table ipv6 peer 10:2::2 received-routes

Total number of routes: 2

BGP local router ID is 12.1.1.3

Status codes: * - valid, > - best, d - dampened, h - history,

s - suppressed, S - stale, i - internal, e - external

Origin: i - IGP, e - EGP, ? - incomplete

* >e Network : 100:: PrefixLen : 96

NextHop : 10:2::2 LocPrf :

PrefVal : 0 OutLabel : NULL

MED :

Path/Ogn: 100 100?

* >e Network : 200:: PrefixLen : 96

NextHop : 10:2::2 LocPrf :

PrefVal : 0 OutLabel : NULL

MED :

Path/Ogn: 100 100?

3. Configure BGP SoO attribute:

# On PE 1, configure the SoO attribute as 1:100 for CE 1.

<PE1> system-view

[PE1] bgp 100

[PE1-bgp-default] ip vpn-instance vpn1

[PE1-bgp-default-vpn1] address-family ipv6

[PE1-bgp-default-ipv6-vpn1] peer 10:1::1 soo 1:100

# On PE 2, configure the SoO attribute as 1:100 for CE 2.

[PE2] bgp 100

[PE2-bgp-default] ip vpn-instance vpn1

[PE2-bgp-default-vpn1] address-family ipv6

[PE2-bgp-default-ipv6-vpn1] peer 10:2::1 soo 1:100

Verifying the configuration

# PE 2 does not advertise routes received from CE 1 to CE 2 because the same SoO attribute has been configured. Display the routing table of CE 2. The output shows that the route 100::/96 has been removed.

<CE2> display ipv6 routing-table

Destinations : 4 Routes : 4

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 10:2::/96 Protocol : Direct

NextHop : :: Preference: 0

Interface : GE2/0/1 Cost : 0

Destination: 10:2::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 200::/96 Protocol : Static

NextHop : :: Preference: 60

Interface : NULL0 Cost : 0

Configuring MPLS L2VPN

MPLS L2VPN provides point-to-point and point-to-multipoint connections. This chapter describes only the MPLS L2VPN technologies that provide point-to-point connections. For information about the MPLS L2VPN technologies that provide point-to-multipoint connections, see "Configuring VPLS."

Overview

MPLS L2VPN is an implementation of Pseudo Wire Emulation Edge-to-Edge (PWE3). It offers Layer 2 VPN services over an MPLS or IP backbone. MPLS L2VPN can transparently transmit Layer 2 data for different data link layer protocols, including Ethernet, VLAN, ATM, FR, and PPP.

From a user's perspective, the MPLS or IP backbone is a Layer 2 switched network. For example, when two Ethernet networks are connected through MPLS L2VPN over an MPLS backbone, Ethernet users think they are connected directly through an Ethernet.

Basic concepts of MPLS L2VPN

· Customer edge—A CE is a customer device directly connected to the service provider network.

· Provider edge—A PE is a service provider device connected to one or more CEs. It provides VPN access by mapping and forwarding packets between user networks and public tunnels.

· Attachment circuit—An AC is a link between a CE and a PE, such as an FR DLCI, ATM VPI/VCI, Ethernet interface, VLAN, or PPP connection.

· Pseudowire—A PW is a virtual bidirectional connection between two PEs. An MPLS PW comprises a pair of LSPs in opposite directions.

· Public tunnel—A public tunnel is a connection that carries one or more PWs across the MPLS or IP backbone. It can be an LSP tunnel, an MPLS TE tunnel, or a GRE tunnel.

· Cross-connect—A cross-connect connects two physical or virtual circuits such as ACs and PWs. It switches packets between the two physical or virtual circuits. Cross-connects include AC to AC cross-connect, AC to PW cross-connect, and PW to PW cross-connect.

· Site ID—A site ID uniquely identifies a site in a VPN. Sites in different VPNs can have the same site ID.

· Route distinguisher—A route distinguisher (RD) is added before a site ID to distinguish the sites that have the same site ID but reside in different VPNs. An RD and a site ID uniquely identify a VPN site.

· Label block—A label block is a set of labels. It includes the following parameters:

? Label base—The LB specifies the initial label value of the label block. A PE automatically selects an LB value that cannot be manually modified.

? Label range—The LR specifies the number of labels that the label block contains. The LB and LR determine the labels contained in the label block. For example, if the LB is 1000 and the LR is 5, the label block contains labels 1000 through 1004.

? Label-block offset—The LO specifies the offset of a label block. If the existing label block becomes insufficient as the VPN sites increase, you can add a new label block to enlarge the label range. A PE uses an LO to identify the position of the new label block. The LO value of a label block is the sum of the LRs of all previously assigned label blocks. For example, if the LR and LO of the first label block are 10 and 0, the LO of the second label block is 10. If the LR of the second label block is 20, the LO of the third label block is 30.

A label block with LB, LO, and LR as 1000, 10, and 5, respectively, is represented as 1000/10/5.

For example, a VPN has 10 sites, and a PE assigns the first label block LB1/0/10 to the VPN. When another 15 sites are added, the PE keeps the first label block and assigns the second label block LB2/10/15 to extend the network. LB1 and LB2 are the initial label values that are randomly selected by the PE.

· Route target—PEs use the BGP route target attribute (also called VPN target attribute) to manage BGP L2VPN information advertisement. PEs support the following types of route target attributes:

? Export target attribute—When a PE sends L2VPN information to the peer PE in a BGP update message, it sets the route target attribute in the update message to an export target. L2VPN information includes the site ID, RD, and label block.

? Import target attribute—When a PE receives an update message from the peer PE, it checks the route target attribute in the update message. If the route target value matches an import target, the PE accepts the L2VPN information in the update message.

Route target attributes determine from which PEs a PE can receive L2VPN information.

MPLS L2VPN network models

MPLS L2VPN network models include the remote connection and local connection models.

Remote connection model

As shown in Figure 100, this model connects two CEs through a PW on an MPLS or IP backbone.

Figure 100 Remote connection model

Local connection model

As shown in Figure 101, this model connects two CEs to the same PE so the CEs can communicate through the PE.

Figure 101 Local connection model

Remote connection establishment

To set up a remote MPLS L2VPN connection:

1. Set up a public tunnel to carry one or more PWs between PEs:

The public tunnel can be an LSP, MPLS TE, or GRE tunnel.

If multiple public tunnels exist between two PEs, you can configure a tunnel policy to control tunnel selection. For more information about tunnel policies, see "Configuring tunnel policies."

If a PW is established over an LSP or MPLS TE tunnel, packets on the PW have two labels. The outer label is the public LSP or MPLS TE tunnel label that MPLS uses to forward the packet to the peer PE. The inner label is the PW label that the peer PE uses to forward the packet to the destination CE.

2. Set up a PW to connect customer networks:

PWs include static PWs, LDP PWs, BGP PWs, and Circuit Cross Connect (CCC) PWs.

To establish a static PW, configure the peer PE address, and the incoming and outgoing PW labels for the PW on the two PEs. Static PWs consume a small amount of resources but have complex configurations.

To establish an LDP PW, configure LDP and specify the peer PE address on the two PEs. LDP defines a new FEC type named PW ID FEC for PEs to exchange PW-label bindings. The new FEC type uses a PW ID and a PW type to identify a PW. The PW ID is the ID of the PW between PEs. The PW type specifies the encapsulation type for data transmitted over the PW, such as ATM, FR, Ethernet, or VLAN. PEs advertise the PW label and PW ID FEC in label mapping messages to create a PW. Dynamic PWs have simple configurations but consume more resources than static PWs.

To establish BGP PWs, BGP advertises label block information in an extended BGP update to PEs in the same VPN. Each PE uses the received label block information to calculate outgoing labels and uses its own label block to calculate incoming labels. After two PEs complete label calculation, a BGP PW is established between them. BGP PWs have the following features:

? Simplified configuration—There is no need to manually specify peer PEs. A PE automatically find peer PEs after receiving label block information from the peer PEs.

? Reduced workload—Label block advertisement enables assigning labels for multiple PWs at one time.

To establish a CCC PW, manually specify the incoming and outgoing labels for the PW on the PEs, and create two static LSPs in opposite directions on P devices between PEs. There is no need to configure a public tunnel for the CCC PW. CCC employs only one level of label to transfer packets. The static LSPs on the P devices transfer data only for the CCC PW. They cannot be used by other connections or MPLS L3VPN.

3. Set up an AC between a PE and a CE:

Set up an AC by configuring a link layer connection (such as a PPP connection) between a PE and a CE.

An AC can be one of the following types:

? Layer 3 physical interface or Layer 3 virtual interface—Transparently forwards received packets over the bound PW. The interface can be an Ethernet interface, an ATM interface, or an FR interface.

? Layer 3 subinterface—Forwards packets received from the corresponding link (VLAN, ATM VPC, ATM VCC, or FR DLCI) to the bound PW. In this mode, VLANs are unique on a per interface basis rather than on a global basis.

NOTE:

When VLANs are globally unique, packets with the same VLAN ID are forwarded over the PW bound with that VLAN ID regardless of the receiving interfaces. If VLANs are unique on a per interface basis, packets with the same VLAN ID from different interfaces can be forwarded over different PWs.

4. Bind the AC to the PW:

Bind the Layer 3 physical interface or Layer 3 subinterface to the PW, so the PE forwards packets between the AC and the PW.

Local connection establishment

To set up a local MPLS L2VPN connection between two CEs:

1. Set up ACs:

Configure the link layer protocol to set up an AC between the PE and each CE. For more information, see "Set up an AC between a PE and a CE:."

2. Bind the two ACs:

Bind the PE's interfaces connected to the two CEs so the PE can forward packets between CEs.

PW types

MPLS L2VPN transports Layer 2 data of different data link layer protocols through PWs. A PE encapsulates a Layer 2 packet received from an AC according to the PW type. The PW type is determined by the link type of the AC, as shown in Table 37.

Table 37 Relationship between AC types and PW types

AC type	PW type
Ethernet	Ethernet
Ethernet	VLAN
PPP	PPP
HDLC	HDLC

Ethernet over MPLS

Ethernet over MPLS uses MPLS L2VPN to connect Ethernets, and delivers Ethernet packets through a PW over the MPLS backbone.

The following PW types are available for Ethernet over MPLS:

· Ethernet—P-tag is not transferred on a PW.

? For a packet from a CE:

- If the packet contains a P-tag, the PE removes the P-tag, and adds a PW label and an outer tag into the packet before forwarding it.

- If the packet contains no P-tag, the PE directly adds a PW label and an outer tag into the packet before forwarding it.

? For a packet to a CE:

- If the access mode is configured as VLAN by using the ac interface command, the PE adds a P-tag into the packet before sending it to the CE.

- If the access mode is configured as Ethernet by using the ac interface command, the PE directly sends the packet to the CE.

You cannot rewrite or remove existing tags.

· VLAN—Packets transmitted over a PW must carry a P-tag.

? For a packet from a CE:

- If the peer PE does not require the ingress to rewrite the P-tag, the PE keeps the P-tag unchanged for the packet, and then encapsulates the packet. If the packet contains no P-tag, the PE adds a null label (the label value is 0) into the packet, and then encapsulates the packet.

- If the peer PE requires the ingress to rewrite the P-tag, the PE changes the P-tag to the expected VLAN tag (the tag value might be 0), and then adds a PW label and an outer tag into the packet. If the packet contains no P-tag, the PE adds a VLAN tag expected by the peer PE (the tag value might be 0), and then adds a PW label and an outer tag into the packet.

? For a packet to a CE:

- If the access mode is configured as VLAN by using the ac interface command, the PE rewrites or retains the P-tag before forwarding the packet.

- If the access mode is configured as Ethernet by using the ac interface command, the PE removes the P-tag before forwarding the packet.

Ethernet over MPLS supports the following modes:

· Port mode—A Layer 3 Ethernet interface is bound to a PW. Packets received from the Layer 3 Ethernet interface are forwarded through the bound PW. The default PW type for port mode is Ethernet.

Figure 102 Packet encapsulation in port mode

· VLAN mode—A Layer 3 Ethernet subinterface is bound to a PW. Packets received from the VLAN are forwarded through the bound PW. The peer PE can modify the VLAN tag as needed. The default PW type for VLAN mode is VLAN.

PPP/HDLC over MPLS

PPP/HDLC over MPLS uses MPLS L2VPN to connect PPPs or HDLC networks, and delivers PPP or HDLC packets through a PW over the MPLS backbone.

If the link type of the AC is PPP, the PW type is PPP. If the link type of the AC is HDLC, the PW type is HDLC.

PPP/HDLC over MPLS supports only the port mode. You can associate a Layer 3 interface whose encapsulation type is PPP or HDLC with a PW.

In a PPP/HDLC over MPLS network, a PE processes a PPP or HDLC packet as follows:

1. After receiving a packet from a Layer 3 interface, the PE searches for the PW bound to the interface.

2. The PE encapsulates the packet and sends the packet to the peer PE through the PW.

3. The peer PE removes the outer encapsulation to get the original PPP or HDLC packet, and then forwards the packet to the user network.

Control word

The control word field is between the MPLS label stack and the Layer 2 data. It carries control information for the Layer 2 frame, for example, the sequence number.

The control word feature has the following functions:

· Avoids fragment disorder. In multipath forwarding, fragments received might be disordered. The control word feature reorders the fragments according to the sequence number carried in the control word field.

· Transfers specific Layer 2 frame flags, such as the FECN bit and BECN bit of Frame Relay.

· Identifies the original payload length for packets that include padding.

When the PW type is FR DLCI or ATM AAL5 SDU VCC, packets on the PW always carry the control word field, and the control word feature cannot be disabled.

When the PW type is Ethernet or VLAN, the control word field is optional. You can configure whether to carry the control word field in packets sent on the PW. If you enable the control word feature on both PEs, packets transmitted on the PW carry the control word field. Otherwise, the packets do not carry the control word field.

MPLS L2VPN interworking

CEs might connect to PEs through various types of links, such as ATM, FR, HDLC, Ethernet, and PPP. MPLS L2VPN interworking connects such CEs and allow them to communicate.

MPLS L2VPN supports Ethernet interworking and IP interworking modes. The device only supports IP interworking. Only local MPLS L2VPN connections, static PWs, LDP PWs, and remote CCC connections support the interworking feature.

Figure 103 Ethernet to PPP interworking

As shown in Figure 103, a packet in an MPLS L2VPN interworking scenario is forwarded as follows:

1. CE 1 sends an Ethernet frame destined for CE 2 to PE 1.

2. PE 1 checks whether the packet encapsulated in the received Ethernet frame is an IP packet.

? If yes, PE 1 removes the Ethernet header, adds PW label V and tunnel label T to the IP packet, and forwards the packet to PE 2 through the tunnel.

? If not, PE 1 drops the frame.

3. PE 2 obtains the output interface according to the PW label V in the received packet, removes the PW label, adds an PPP header, and forwards the PPP frame through the output interface to CE 2.

In an MPLS L2VPN interworking scenario, link layer negotiation packets cannot be delivered on the backbone network. Therefore, Layer 2 connections cannot be established between CEs. CEs must establish Layer 2 connections with the PEs. For example, CE 2 and PE 2 must perform PPP negotiation to establish a PPP connection.

PW redundancy

PW redundancy provides redundant links between PEs so that the customer networks can communicate when the path over one PW fails. As shown in Figure 104, PE 1 establishes two PWs (one primary and one backup). The CEs communicate through the primary PW. When the primary PW fails, PE 1 brings up the backup PW and forwards packets from CE 1 to CE 2 through the backup PW. When CE 2 receives the packets, it updates its MAC address table, so that packets from CE 2 to CE 1 also travel through the backup PW. Only static PWs and LDP PWs support PW redundancy.

Figure 104 PW redundancy

The MPLS L2VPN determines whether the primary PW fails according to the LDP session status or the BFD result. The backup PW is used when one of the following conditions exists:

· The public tunnel of the primary PW is deleted, or BFD detects that the public tunnel has failed.

· The primary PW is deleted because the LDP session between PEs goes down, or BFD detects that the primary PW has failed.

· A manual PW switchover is performed.

Multi-segment PW

A multi-segment PW includes multiple concatenated static or LDP PWs. Creating two PWs for a cross-connect on a PE can concatenate the two PWs. Upon receiving a packet from one PW, the PE removes the tunnel ID and PW label of the packet, adds the PW label of the other PW, and forwards the packet over the public tunnel. Only static and LDP PWs can form a multi-segment PW.

As shown in Figure 105, to create a multi-segment PW between PE 1 and PE 4, you can concatenate PW 1 and PW 2 on PE 2, and PW 2 and PW 3 on PE 3.

Figure 105 Multi-segment PW

Multi-segment PWs include intra-domain multi-segment PWs and inter-domain multi-segment PWs.

Intra-domain multi-segment PW

An intra-domain multi-segment PW has concatenated PWs within an AS. You can create an intra-domain multi-segment PW between two PEs that have no public tunnel to each other.

As shown in Figure 106, there is no public tunnel between PE 1 and PE 4. There is a public tunnel between PE 1 and PE 2 and a public tunnel between PE 2 and PE 4. To create an intra-domain multi-segment PW between PE 1 and PE 4, you can perform the following operations:

1. Create a PW between PE 1 and PE 2 (PW 1) and a PW between PE 2 and PE 4 (PW 2).

2. Concatenate the two PWs on PE 2.

Intra-domain multi-segment PWs can fully use existing public tunnels to reduce end-to-end public tunnels.

Figure 106 Intra-domain multi-segment PW

Inter-domain multi-segment PW

An inter-domain multi-segment PW has concatenated PWs in different ASs, and is a method for inter-AS option B networking.

As shown in Figure 107, to create an inter-domain multi-segment PW between PE 1 and PE 2 in different ASs, you can perform the following operations:

· Concatenate PW 1 and PW 2 on ASBR 1.

· Concatenate PW 2 and PW 3 on ASBR 2.

Figure 107 Inter-domain multi-segment PW

VCCV

Virtual Circuit Connectivity Verification (VCCV) is an OAM feature for L2VPN. It verifies the connectivity of PWs on the data plane. VCCV includes the following modes:

· Manual mode—Use the ping mpls pw command to manually test the connectivity of a PW.

· Auto mode—Configure BFD or Raw BFD to automatically test the connectivity of a PW.

For more information about VCCV, see "Configuring MPLS OAM."

Compatibility information

Feature and hardware compatibility

Hardware	MPLS L2VPN compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS	No
MSR2600-6-X1/2600-10-X1	Yes
MSR 2630	Yes
MSR3600-28/3600-51	Yes
MSR3600-28-SI/3600-51-SI	No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC	Yes
MSR 3610/3620/3620-DP/3640/3660	Yes
MSR5620/5660/5680	Yes

Hardware	MPLS L2VPN compatibility
MSR810-LM-GL	No
MSR810-W-LM-GL	No
MSR830-6EI-GL	No
MSR830-10EI-GL	No
MSR830-6HI-GL	No
MSR830-10HI-GL	No
MSR2600-6-X1-GL	Yes
MSR3600-28-SI-GL	No

Command and hardware compatibility

Commands and descriptions for centralized devices apply to the following routers:

· MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

· MSR2600-6-X1/2600-10-X1.

· MSR 2630.

· MSR3600-28/3600-51.

· MSR3600-28-SI/3600-51-SI.

· MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

· MSR 3610/3620/3620-DP/3640/3660.

· MSR810-LM-GL/810-W-LM-GL/830-6EI-GL/830-10EI-GL/830-6HI-GL/830-10HI-GL/2600-6-X1-GL/3600-28-SI-GL.

Commands and descriptions for distributed devices apply to the following routers:

· MSR5620.

· MSR 5660.

· MSR 5680.

MPLS L2VPN configuration task list

To establish an MPLS L2VPN, you must perform the following tasks:

1. Configure an IGP to achieve IP connectivity within the backbone.

2. Configure basic MPLS, LDP, GRE, or MPLS TE to set up public tunnels across the backbone.

3. Configure MPLS L2VPN on the PEs, including setting up PWs, and binding ACs to PWs.

This chapter only describes MPLS L2VPN configurations on the PEs.

MPLS L2VPN configurations vary by scenario:

· Remote connection—To create a remote connection, configure an AC, configure a PW in cross-connect view or auto-discovery cross-connect view, and bind the AC to the PW in cross-connect view or auto-discovery cross-connect view.

· Local connection—To create a local connection, configure two ACs and bind the two ACs in cross-connect view.

· Multi-segment PW—To create a multi-segment PW, configure two PWs and bind the two PWs in cross-connect view.

To configure MPLS L2VPN on a PE:

Tasks at a glance	Remarks
(Required.) Enabling L2VPN	N/A
(Required.) Configuring an AC	For multi-segment PWs, skip this task.
(Required.) Configuring a cross-connect	N/A
Configuring a PW: · (Optional.) Configuring a PW class · (Required.) Choose either of the following tasks to configure a PW: ? Configuring a static PW ? Configuring an LDP PW ? Configuring a BGP PW ? Configuring a remote CCC connection	Choose a PW configuration method depending on the MPLS L2VPN implementation. Skip these tasks for local connection configuration.
(Required.) Binding an AC to a cross-connect	For multi-segment PWs, skip this task.
(Optional.) Configuring PW redundancy: · Configuring static PW redundancy · Configuring LDP PW redundancy	Choose either task to configure PW redundancy.
(Optional.) Configuring interworking for a cross-connect	N/A
(Optional.) Enabling SNMP notifications for L2VPN PW	N/A

Enabling L2VPN

Before you enable L2VPN, perform the following tasks:

· Configure an LSR ID for the PE with the mpls lsr-id command.

· Enable MPLS with the mpls enable command on the core-facing interface of the PE.

To enable L2VPN:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable L2VPN.	l2vpn enable	By default, L2VPN is disabled.

Configuring an AC

An AC can be a Layer 3 interface or Layer 3 subinterface.

To create a Layer 2 link between a PE and CE, configure the Layer 3 interface that connects the PE to the CE.

The PE forwards packets received from a Layer 3 interface through the bound PW without network layer processing. Therefore, the Layer 3 interface does not need an IP address.

Configuring the interface with Ethernet or VLAN encapsulation

On a Layer 3 Ethernet interface (including Layer 3 Ethernet interface, Layer 3 virtual Ethernet interface, and VE-L2VPN interface), both the default PW type and default access mode are Ethernet. On a Layer 3 Ethernet subinterface, both the default PW type and default access mode are VLAN.

The PW type and AC access mode determine how the VLAN tag is processed by a PE. Therefore, the PW types and AC access modes on the local PE and the peer PE must match.

To configure the interface with Ethernet or VLAN encapsulation:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. (Optional.) Specify the default next hop IP address or MAC address.	default-nexthop { ip ip-address \| mac { mac-address \| broadcast } }	Required for MPLS L2VPN interworking. By default, no default next hop is specified.

Configuring the interface with PPP encapsulation

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface { serial \| pos } number	N/A
3. Configure the link layer protocol.	link-protocol ppp	By default, the link layer protocol is PPP.
4. (Optional.) Configure IPCP negotiation without an IP address or specify the IPCP proxy IP address.	· To configure IPCP negotiation without an IP address: ppp ipcp ignore local-ip · To specify the IPCP proxy IP address: ppp ipcp proxy ip-address	By default, IPCP negotiation without an IP address is not supported and no IPCP proxy address is specified.

Configuring the interface with HDLC encapsulation

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface { serial \| pos } number	N/A
3. Configure the link layer protocol.	link-protocol hdlc	By default, the link layer protocol is PPP.

Configuring a cross-connect

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a cross-connect group and enter cross-connect group view.	xconnect-group group-name	By default, no cross-connect groups exist.
3. (Optional.) Configure a description for the cross-connect group.	description text	By default, no description is configured for the cross-connect group.
4. (Optional.) Enable the cross-connect group.	undo shutdown	By default, the cross-connect group is enabled.
5. Create a cross-connect and enter cross-connect view.	connection connection-name	By default, no cross-connects exist.
6. Set an MTU for the PW.	mtu size	The default MTU is 1500 bytes. The two PEs on an LDP PW must have the same MTU configured for the PW. Otherwise, the PW cannot come up.

Configuring a PW

Configuring a PW class

You can configure PW attributes such as the PW type and enable control word in a PW class. PWs with the same attributes can use the same PW class.

To configure a PW class:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a PW class and enter PW class view.	pw-class class-name	By default, no PW classes exist.
3. (Optional.) Enable control word.	control-word enable	By default, control word is disabled.
4. (Optional.) Specify the PW type.	pw-type { ethernet \| vlan }	By default, the PW type is VLAN.
5. (Optional.) Enable sequencing for both incoming and outgoing packets on the PW.	sequencing both	By default, sequencing is disabled.

Configuring a static PW

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter cross-connect group view.	xconnect-group group-name	N/A
3. Enter cross-connect view.	connection connection-name	N/A
4. Configure a static PW, and enter cross-connect PW view.	peer ip-address pw-id pw-id in-label label-value out-label label-value [ pw-class class-name \| tunnel-policy tunnel-policy-name ] *	By default, no static PWs exist.
5. Set the expected bandwidth for the PW.	bandwidth bandwidth-value	By default, the expected value is 10000000 kbps.

Configuring an LDP PW

Before you configure an LDP PW, enable global and interface MPLS LDP on the PE. For information about MPLS LDP configuration, see "Configuring LDP."

To configure an LDP PW:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter cross-connect group view.	xconnect-group group-name	N/A
3. Enter cross-connect view.	connection connection-name	N/A
4. Configure an LDP PW, and enter cross-connect PW view.	peer ip-address pw-id pw-id [ pw-class class-name \| tunnel-policy tunnel-policy-name ] *	By default, no LDP PWs exist. After an LDP PW is created, the PE automatically sends a targeted hello to create an LDP session to the peer PE. Then, the PE exchanges the PW ID FEC and PW label mapping with the peer.
5. Set the expected bandwidth for the PW.	bandwidth bandwidth-value	By default, the expected bandwidth is 10000000 kbps.

Configuring a BGP PW

To configure a BGP PW, perform the following configurations on PEs:

· Configure BGP to advertise MPLS L2VPN label block information.

· Create a BGP PW.

Configuring BGP to advertise MPLS L2VPN label block information

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable BGP instance and enter BGP instance view.	bgp as-number [ instance instance-name ]	By default, BGP is disabled.
3. Configure the remote PE as a BGP peer.	peer { group-name \| ip-address [ mask-length ] } as-number as-number	By default, no BGP peers exist.
4. Create the BGP L2VPN address family and enter BGP L2VPN address family view.	address-family l2vpn	By default, no BGP L2VPN address family exists.
5. Enable BGP to exchange BGP L2VPN information with the specified peer or peer group.	peer { group-name \| ip-address [ mask-length ] } enable	By default, BGP cannot exchange BGP L2VPN information with any peer or peer group.
6. Enable BGP to exchange label block information with the specified peer or peer group.	peer { group-name \| ip-address [ mask-length ] } signaling [ non-standard ]	By default, BGP can exchange label block information with a BGP L2VPN peer or peer group by using RFC 4761 MP_REACH_NLRI.
7. (Optional.) Permit the local AS number to appear in routes from the specified peer or peer group and specify the appearance times.	peer { group-name \| ip-address [ mask-length ] } allow-as-loop [ number ]	By default, the local AS number is not allowed in routes from a peer or peer group.
8. (Optional.) Enable route target-based filtering of incoming BGP L2VPN information.	policy vpn-target	By default, route target-based filtering of incoming BGP L2VPN information is enabled.
9. (Optional.) Configure the router as a route reflector and specify a peer or peer group as its client.	peer { group-name \| ip-address [ mask-length ] } reflect-client	By default, no route reflector or client is configured.
10. (Optional.) Enable L2VPN information reflection between clients.	reflect between-clients	By default, L2VPN information reflection is enabled between clients.
11. (Optional.) Configure the cluster ID of the route reflector.	reflector cluster-id { cluster-id \| ip-address }	By default, a route reflector uses its own router ID as the cluster ID.
12. (Optional.) Configure the filtering of reflected L2VPN information.	rr-filter extended-community-number	By default, the route reflector does not filter reflected L2VPN information.
13. (Optional.) Return to user view.	return	N/A
14. (Optional.) Soft-reset L2VPN BGP sessions.	refresh bgp [ instance instance-name ] { ip-address [ mask-length ] \| all \| external \| group group-name \| internal } { export \| import } l2vpn	N/A
15. (Optional.) Reset L2VPN BGP sessions.	reset bgp [ instance instance-name ] { as-number \| ip-address [ mask-length ] \| all \| external \| group group-name \| internal } l2vpn	N/A

For more information about the peer as-number, peer enable, peer allow-as-loop, peer reflect-client, reflect between-clients, reflector cluster-id, refresh bgp l2vpn, and reset bgp l2vpn commands, see Layer 3—IP Routing Command Reference.

Creating a BGP PW

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter cross-connect group view.	xconnect-group group-name	N/A
3. Configure the cross-connect group to automatically discover neighbors and create PWs through BGP and enter auto-discovery cross-connect group view.	auto-discovery bgp	By default, a cross-connect group does not automatically discover neighbors or create PWs through BGP.
4. Configure an RD for the cross-connect group.	route-distinguisher route-distinguisher	By default, no RD is configured for the cross-connect group.
5. Configure route targets for the cross-connect group.	vpn-target vpn-target&<1-8> [ both \| export-extcommunity \| import-extcommunity ]	By default, no route targets are configured for the cross-connect group.
6. (Optional.) Specify a PW class for the auto-discovery cross-connect group.	pw-class class-name	By default, no PW class is specified.
7. (Optional.) Set an MTU for the PW.	mtu size	The default MTU is 1500 bytes.
8. Create a local site and enter site view.	site site-id [ range range-value ] [ default-offset default-offset ]	By default, no local sites exist.
9. Create a cross-connect and enter auto-discovery cross-connect view.	connection remote-site-id remote-site-id	By default, no cross-connects exist. After you execute this command, a PW to the specified remote site is created and is bound to the cross-connect.
10. (Optional.) Specify a tunnel policy for the auto-discovery cross-connect.	tunnel-policy tunnel-policy-name	By default, no tunnel policy is specified.

Configuring a remote CCC connection

To configure a remote CCC connection, perform the following configurations on the PE and P devices:

· On the two PEs, use the ccc command to specify the incoming and outgoing labels.

· On each P device between the two PEs, use the static-lsp transit command to configure a static LSP for each direction of the CCC connection. For more information about the static-lsp transit command, see MPLS Command Reference.

Follow these guidelines when you configure a remote CCC connection:

· The outgoing label specified on a device must be the same as the incoming label specified on the next-hop device.

· CCC connection settings such as the encapsulation type and control word feature must be consistent on the two PEs. Otherwise, the PEs might fail to forward packets over the CCC connection.

To configure a remote CCC connection:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter cross-connect group view.	xconnect-group group-name	N/A
3. Enter cross-connect view.	connection connection-name	N/A
4. Create a remote CCC connection.	ccc in-label in-label-value out-label out-label-value { nexthop nexthop \| out-interface interface-type interface-number } [ pw-class class-name ]	By default, no remote CCC connections exist. Use the out-interface keyword to specify the outgoing interface only on a point-to-point link. On other types of interfaces such as Layer 3 Ethernet interface, VLAN interface, and Layer 3 aggregate interface, you must use the nexthop keyword to specify the IP address of the next hop.

Binding an AC to a cross-connect

This task is mutually exclusive with Ethernet link aggregation. If a Layer 3 Ethernet interface has been added to a link aggregation group, you cannot bind the interface to a cross-connect, and vice versa.

When you bind an AC to a cross-connect, you can associate Track with the AC. Then, the AC is up only when one or more of the associated track entries are positive.

Associating Track with an AC helps detecting AC failure. For example, when an AC is a VE-L2VPN interface, the AC interface will not go down upon a link failure because the interface is a virtual interface. To resolve the problem, you can associate Track with the AC to detect failures on the link that connects the PE-agg to the L3VPN or IP backbone. When a failure occurs on the link, the VE-L2VPN interface is set to down. Consequently, the PW bound to the AC goes down. If the PW has a backup PW, traffic can be switched to the backup PW. For more information about VE-L2VPN interfaces and L2VPN access to L3VPN or IP backbone, see "Configuring L2VPN access to L3VPN or IP backbone."

After you bind a Layer 3 interface to a cross-connect, packets received from the Layer 3 interface are forwarded through the PW or another AC bound to the cross-connect.

To bind a Layer 3 interface to a non-BGP cross-connect:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter cross-connect group view.	xconnect-group group-name	N/A
3. Enter cross-connect view.	connection connection-name	N/A
4. Bind the Layer 3 interface to the cross-connect.	ac interface interface-type interface-number [ track track-entry-number&<1-3> ]	By default, no Layer 3 interface is bound to the cross-connect.

To bind a Layer 3 interface to a BGP cross-connect:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter cross-connect group view.	xconnect-group group-name	N/A
3. Enter auto-discovery cross-connect group view.	auto-discovery bgp	N/A
4. Enter site view.	site site-id [ range range-value ] [ default-offset default-offset-value ]	N/A
5. Enter auto-discovery cross-connect view.	connection remote-site-id remote-site-id	N/A
6. Bind the Layer 3 interface to the BGP cross-connect.	ac interface interface-type interface-number [ track track-entry-number&<1-3> ]	By default, no Layer 3 interface is bound to the BGP cross-connect.

Configuring PW redundancy

This task includes the following configurations:

· Create a backup PW for the primary PW.

· Specify whether to switch traffic from the backup PW to the primary PW when the primary PW recovers, and specify the wait time for the switchover.

· Manually perform a PW switchover.

Configuring static PW redundancy

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter cross-connect group view.	xconnect-group group-name	N/A
3. Enter cross-connect view.	connection connection-name	N/A
4. (Optional.) Specify the switchover mode and set the wait time for the switchover.	revertive { wtr wtr-time \| never }	By default, the switchover mode is revertive and the switchover wait time is 0 seconds.
5. Configure the dual receive feature for PW redundancy.	protection dual-receive	By default, the dual receive feature is disabled. When the primary PW is normal, the backup PW does not send or receive packets.
6. Enter cross-connect PW view.	peer ip-address pw-id pw-id [ in-label label-value out-label label-value ] [ pw-class class-name \| tunnel-policy tunnel-policy-name ] *	N/A
7. Configure a backup cross-connect PW and enter backup cross-connect PW view.	backup-peer ip-address pw-id pw-id in-label label-value out-label label-value [ pw-class class-name \| tunnel-policy tunnel-policy-name ] *	By default, no backup PW exists.
8. Return to user view.	return	N/A
9. Manually perform a PW switchover.	l2vpn switchover peer ip-address pw-id pw-id	N/A

Configuring LDP PW redundancy

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter cross-connect group view.	xconnect-group group-name	N/A
3. Enter cross-connect view.	connection connection-name	N/A
4. (Optional.) Specify the switchover mode and set the wait time for the switchover.	revertive { wtr wtr-time \| never }	By default, the switchover mode is revertive and the switchover wait time is 0 seconds.
5. Configure the dual receive feature for PW redundancy.	protection dual-receive	By default, the dual receive feature is disabled. When the primary PW is normal, the backup PW does not send or receive packets.
6. Enter cross-connect PW view.	peer ip-address pw-id pw-id [ pw-class class-name \| tunnel-policy tunnel-policy-name ] *	N/A
7. Configure a backup LDP PW and enter backup cross-connect PW view.	backup-peer ip-address pw-id pw-id [ pw-class class-name \| tunnel-policy tunnel-policy-name ] *	By default, no backup LDP PW exists.
8. Return to user view.	return	N/A
9. Manually switch traffic to the backup PW of the specified PW.	l2vpn switchover peer ip-address pw-id pw-id	N/A

Configuring interworking for a cross-connect

Interworking enables a PW to connect ACs that have different link types, including ATM, FR, HDLC, Ethernet, and PPP. In an IPv4 interworking scenario, a PE extracts IPv4 packets from frames received from the AC and sends the packets to the peer PE through the PW. The peer PE uses the link protocol of the connected AC to encapsulate the IPv4 packets, and sends the packets through the AC. This method hides the link types of ACs at the two ends.

To configure MPLS L2VPN interworking, follow these restrictions and guidelines:

· When a CE is connected to a PE through an Ethernet or VLAN link:

? On the Ethernet network or in the VLAN, the CE and PE must be the only Layer 3 network devices.

? On the PE's interface connected to the CE, use the default-nexthop command to configure the default next hop address. This allows the PE to correctly encapsulate a link layer header for packets destined for the CE.

- If you specify the unicast MAC address (the MAC address of the CE) or a broadcast MAC address as the default next hop, the PE uses the MAC address as the destination address of the outgoing packets.

- If you specify the IP address of the CE as the default next hop, the PE resolves the IP address to a MAC address through gratuitous ARP, and then uses the resolved MAC address as the destination MAC address of the outgoing packets.

? After you enable interworking for a cross-connect, the PE responds to all ARP requests from the CE with its own MAC address. After you disable interworking on the PE, you must use the reset arp command to clear the ARP entries on the CE before the CE can learn new ARP entries.

· When a CE is connected to a PE through a PPP link:

If the PE's interface connected to the CE has an IP address, the IPCP negotiation is performed.

If the interface does not have an IP address, perform one of the following operations:

? Use the ppp ipcp ignore local-ip command to configure the PE to support IPCP negotiation without an IP address.

? Use the ppp ipcp proxy command to specify the IP address for IPCP negotiation with the CE.

To configure interworking for a cross-connect:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter cross-connect group view.	xconnect-group group-name	N/A
3. Enter cross-connect view.	connection connection-name	N/A
4. Enable interworking for the cross-connect.	interworking ipv4	By default, interworking is disabled for a cross-connect.

Enabling SNMP notifications for L2VPN PW

This feature enables L2VPN to generate SNMP notifications when PW deletions, PW switchovers, or PW status changes occur. For L2VPN event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see the network management and monitoring configuration guide for the device.

To enable SNMP notifications for L2VPN PW:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable SNMP notifications for L2VPN PW.	snmp-agent trap enable l2vpn [ pw-delete \| pw-switch \| pw-up-down ] *	By default, SNMP notifications for L2VPN PW are disabled.

Displaying and maintaining MPLS L2VPN

Execute display commands in any view and reset commands in user view.

Task	Command
Display LDP PW label information.	display l2vpn ldp [ peer ip-address [ pw-id pw-id ] \| xconnect-group group-name ] [ verbose ]
Display cross-connect forwarding information (centralized devices in standalone mode).	display l2vpn forwarding { ac \| pw } [ xconnect-group group-name ] [ verbose ]
Display cross-connect forwarding information (distributed devices in standalone mode/centralized devices in IRF mode).	display l2vpn forwarding { ac \| pw } [ xconnect-group group-name ] [ slot slot-number ] [ verbose ]
Display cross-connect forwarding information (distributed devices in IRF mode).	display l2vpn forwarding { ac \| pw } [ xconnect-group group-name ] [ chassis chassis-number slot slot-number ] [ verbose ]
Display L2VPN information for Layer 3 interfaces bound to cross-connects.	display l2vpn interface [ xconnect-group group-name \| interface-type interface-number ] [ verbose ]
Display L2VPN PW information.	display l2vpn pw [ xconnect-group group-name ] [ protocol { bgp \| ldp \| static } ] [ verbose ]
Display PW class information.	display l2vpn pw-class [ class-name ]
Display cross-connect group information.	display l2vpn xconnect-group [ name group-name ] [ verbose ]
Display L2VPN label block information.	display l2vpn bgp [ peer ip-address \| local ] [ xconnect-group group-name ] [ verbose ]
Display BGP L2VPN peer group information.	display bgp [ instance instance-name ] group l2vpn [ group-name group-name ]
Display L2VPN label block information discovered by BGP.	display bgp [ instance instance-name ] l2vpn signaling [ peer ip-address { advertised \| received } [ statistics ] \| route-distinguisher route-distinguisher [ site-id site-id [ label-offset label-offset [ advertise-info ] ] ] \| statistics ]
Display BGP L2VPN peer information.	display bgp [ instance instance-name ] peer l2vpn [ ip-address mask-length \| group-name group-name log-info \| ip-address { log-info \| verbose } \| verbose ]
Display BGP L2VPN update group information.	display bgp [ instance instance-name ] update-group l2vpn [ ip-address ]
Reset BGP sessions for L2VPN.	reset bgp [ instance instance-name ] { as-number \| ip-address [ mask-length ] \| all \| external \| group group-name \| internal } l2vpn

For more information about the display bgp group l2vpn, display bgp peer l2vpn, display bgp update-group l2vpn, and reset bgp l2vpn commands, see Layer 3—IP Routing Command Reference.

MPLS L2VPN configuration examples

Configuring local MPLS L2VPN connections

Network requirements

Configure local MPLS L2VPN connections between the PE and CEs to allow Layer 2 communication between CE 1 and CE 2.

Figure 108 Network diagram

Configuration procedure

1. Configure CE 1.

<CE1> system-view

[CE1] interface gigabitethernet 2/0/1

[CE1-GigabitEthernet2/0/1] ip address 100.1.1.1 24

[CE1-GigabitEthernet2/0/1] quit

2. Configure CE 2.

<CE2> system-view

[CE2] interface gigabitethernet 2/0/1

[CE2-GigabitEthernet2/0/1] ip address 100.1.1.2 24

[CE2-GigabitEthernet2/0/1] quit

3. Configure PE:

# Enable L2VPN.

<PE> system-view

[PE] l2vpn enable

# Create a cross-connect group named vpn1, create a cross-connect named vpn1 in the group, and bind GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2 to the cross-connect.

[PE] xconnect-group vpn1

[PE-xcg-vpn1] connection vpn1

[PE-xcg-vpn1-vpn1] ac interface gigabitethernet 2/0/1

[PE-xcg-vpn1-vpn1] ac interface gigabitethernet 2/0/2

[PE-xcg-vpn1-vpn1] quit

Verifying the configuration

# Verify that two AC forwarding entries exist on the PE.

[PE] display l2vpn forwarding ac

Total number of cross-connections: 1

Total number of ACs: 2

AC Xconnect-group Name Link ID

GE2/0/1 vpn1 0

GE2/0/2 vpn1 1

# Verify that CE 1 and CE 2 can ping each other. (Details not shown.)

Configuring IP interworking over local MPLS L2VPN connections

Network requirements

CE 1 and PE are connected through Ethernet interfaces. CE 2 and PE are connected through serial interfaces, and they use PPP as the link layer protocol.

Configure local MPLS L2VPN connections between the PE and CEs and enable interworking on the PE to allow communication between CE 1 and CE 2.

Figure 109 Network diagram

Configuration procedure

1. Configure CE 1.

<CE1> system-view

[CE1] interface gigabitethernet 2/0/1

[CE1-GigabitEthernet2/0/1] ip address 10.1.1.1 24

[CE1-GigabitEthernet2/0/1] quit

2. Configure CE 2.

<CE2> system-view

[CE2] interface serial 2/1/0

[CE2-Serial2/1/0] link-protocol ppp

[CE2-Serial2/1/0] ip address 10.1.1.2 24

[CE2-Serial2/1/0] quit

3. Configure PE:

# Enable L2VPN.

<PE> system-view

[PE] l2vpn enable

# Configure the default next hop IP address as 10.1.1.1 on GigabitEthernet 2/0/1 (the interface connected to CE 1). This interface does not need an IP address.

[PE] interface gigabitethernet 2/0/1

[PE-GigabitEthernet2/0/1] default-nexthop ip 10.1.1.1

[PE-GigabitEthernet2/0/1] quit

# Configure the IPCP proxy IP address as the IP address of CE 1 on Serial 2/1/0 (the interface connected to CE 2). This interface does not need an IP address.

[PE] interface serial 2/1/0

[PE-Serial2/1/0] link-protocol ppp

[PE-Serial2/1/0] ppp ipcp proxy 10.1.1.1

[PE-Serial2/1/0] quit

# Create a cross-connect group named vpn1, create a cross-connect named vpn1 in the group, and enable interworking for the cross-connect.

[PE] xconnect-group vpn1

[PE-xcg-vpn1] connection vpn1

[PE-xcg-vpn1-vpn1] interworking ipv4

# Bind GigabitEthernet 2/0/1 and Serial 2/1/0 to the cross-connect.

[PE-xcg-vpn1-vpn1] ac interface gigabitethernet 2/0/1

[PE-xcg-vpn1-vpn1] ac interface serial 2/1/0

[PE-xcg-vpn1-vpn1] quit

[PE-xcg-vpn1] quit

Verifying the configuration

# Verify that two AC forwarding entries exist on the PE.

[PE] display l2vpn forwarding ac

Total number of cross-connections: 1

Total number of ACs: 2

AC Xconnect-group Name Link ID

GE2/0/1 vpn1 0

Ser2/1/0 vpn1 1

# Verify that CE 1 and CE 2 can ping each other. (Details not shown.)

Configuring a static PW

Network requirements

Create a static PW between PE 1 and PE 2 over the backbone to allow communication between CE 1 and CE 2.

Figure 110 Network diagram

Table 38 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	GE2/0/1	100.1.1.1/24	P	Loop0	192.4.4.4/32
PE 1	Loop0	192.2.2.2/32		GE2/0/1	10.1.1.2/24
	GE2/0/1	-		GE2/0/2	10.2.2.2/24
	GE2/0/2	10.1.1.1/24	PE 2	Loop0	192.3.3.3/32
CE 2	GE2/0/1	100.1.1.2/24		GE2/0/1	-
				GE2/0/2	10.2.2.1/24

Configuration procedure

1. Configure CE 1.

<CE1> system-view

[CE1] interface gigabitethernet 2/0/1

[CE1-GigabitEthernet2/0/1] ip address 100.1.1.1 24

[CE1-GigabitEthernet2/0/1] quit

2. Configure PE 1:

# Configure an LSR ID.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 192.2.2.2 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 192.2.2.2

# Enable L2VPN.

[PE1] l2vpn enable

# Enable global LDP.

[PE1] mpls ldp

[PE1-ldp] quit

# Configure GigabitEthernet 2/0/2 (the interface connected to the P device), and enable LDP on the interface.

[PE1] interface gigabitethernet 2/0/2

[PE1-GigabitEthernet2/0/2] ip address 10.1.1.1 24

[PE1-GigabitEthernet2/0/2] mpls enable

[PE1-GigabitEthernet2/0/2] mpls ldp enable

[PE1-GigabitEthernet2/0/2] quit

# Configure OSPF for LDP to create LSPs.

[PE1] ospf

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 10.1.1.1 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] network 192.2.2.2 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

# Create a cross-connect group named vpna, create a cross-connect named svc in the group, and bind GigabitEthernet 2/0/1 to the cross-connect.

[PE1] xconnect-group vpna

[PE1-xcg-vpna] connection svc

[PE1-xcg-vpna-svc] ac interface gigabitethernet 2/0/1

# Create a static PW for the cross-connect to bind the AC to the PW.

[PE1-xcg-vpna-svc] peer 192.3.3.3 pw-id 3 in-label 100 out-label 200

[PE1-xcg-vpna-svc-192.3.3.3-3] quit

[PE1-xcg-vpna-svc] quit

[PE1-xcg-vpna] quit

3. Configure the P device:

# Configure an LSR ID.

system-view

[P] interface loopback 0

[P-LoopBack0] ip address 192.4.4.4 32

[P-LoopBack0] quit

[P] mpls lsr-id 192.4.4.4

# Enable global LDP.

[P] mpls ldp

[P-ldp] quit

# Configure GigabitEthernet 2/0/1 (the interface connected to PE 1), and enable LDP on the interface.

[P] interface gigabitethernet 2/0/1

[P-GigabitEthernet2/0/1] ip address 10.1.1.2 24

[P-GigabitEthernet2/0/1] mpls enable

[P-GigabitEthernet2/0/1] mpls ldp enable

[P-GigabitEthernet2/0/1] quit

# Configure GigabitEthernet 2/0/2 (the interface connected to PE 2), and enable LDP on the interface.

[P] interface gigabitethernet 2/0/2

[P-GigabitEthernet2/0/2] ip address 10.2.2.2 24

[P-GigabitEthernet2/0/2] mpls enable

[P-GigabitEthernet2/0/2] mpls ldp enable

[P-GigabitEthernet2/0/2] quit

# Configure OSPF for LDP to create LSPs.

[P] ospf

[P-ospf-1] area 0

[P-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 10.2.2.2 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 192.4.4.4 0.0.0.0

[P-ospf-1-area-0.0.0.0] quit

[P-ospf-1] quit

4. Configure PE 2:

# Configure an LSR ID.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 192.3.3.3 32

[PE2-LoopBack0] quit

[PE2] mpls lsr-id 192.3.3.3

# Enable L2VPN.

[PE2] l2vpn enable

# Enable globally LDP.

[PE2] mpls ldp

[PE2-ldp] quit

# Configure GigabitEthernet 2/0/2 (the interface connected to the P device), and enable LDP on the interface.

[PE2] interface gigabitethernet 2/0/2

[PE2-GigabitEthernet2/0/2] ip address 10.2.2.1 24

[PE2-GigabitEthernet2/0/2] mpls enable

[PE2-GigabitEthernet2/0/2] mpls ldp enable

[PE2-GigabitEthernet2/0/2] quit

# Configure OSPF for LDP to create LSPs.

[PE2] ospf

[PE2-ospf-1] area 0

[PE2-ospf-1-area-0.0.0.0] network 10.2.2.1 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] network 192.3.3.3 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

# Create a cross-connect group named vpna, create a cross-connect named svc in the group, and bind GigabitEthernet 2/0/1 to the cross-connect.

[PE2] xconnect-group vpna

[PE2-xcg-vpna] connection svc

[PE2-xcg-vpna-svc] ac interface gigabitethernet 2/0/1

# Create a static PW for the cross-connect to bind the AC to the PW.

[PE2-xcg-vpna-svc] peer 192.2.2.2 pw-id 3 in-label 200 out-label 100

[PE2-xcg-vpna-svc-192.2.2.2-3] quit

[PE2-xcg-vpna-svc] quit

[PE2-xcg-vpna] quit

5. Configure CE 2.

<CE2> system-view

[CE2] interface gigabitethernet 2/0/1

[CE2-GigabitEthernet2/0/1] ip address 100.1.1.2 24

[CE2-GigabitEthernet2/0/1] quit

Verifying the configuration

# Verify that a static PW has been established on PE 1.

[PE1] display l2vpn pw

Flags: M - main, B - backup, BY - bypass, H - hub link, S - spoke link, N - no split horizon

Total number of PWs: 1

1 up, 0 blocked, 0 down, 0 defect, 0 idle, 0 duplicate

Xconnect-group Name: vpna

Peer PW ID/Rmt Site In/Out Label Proto Flag Link ID State

192.3.3.3 3 100/200 Static M 0 Up

# Verify that a static PW has been established on PE 2.

[PE2] display l2vpn pw

Flags: M - main, B - backup, BY - bypass, H - hub link, S - spoke link, N - no split horizon

Total number of PWs: 1

1 up, 0 blocked, 0 down, 0 defect, 0 idle, 0 duplicate

Xconnect-group Name: vpna

Peer PW ID/Rmt Site In/Out Label Proto Flag Link ID State

192.2.2.2 3 200/100 Static M 0 Up

# Verify that CE 1 and CE 2 can ping each other. (Details not shown.)

Configuring an LDP PW

Network requirements

Create an LDP PW between PE 1 and PE 2 over the backbone to allow communication between CE 1 and CE 2.

Figure 111 Network diagram

Table 39 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	GE2/0/1	100.1.1.1/24	P	Loop0	192.4.4.4/32
PE 1	Loop0	192.2.2.2/32		GE2/0/1	10.1.1.2/24
	GE2/0/1	-		GE2/0/2	10.2.2.2/24
	GE2/0/2	10.1.1.1/24	PE 2	Loop0	192.3.3.3/32
CE 2	GE2/0/1	100.1.1.2/24		GE2/0/1	-
				GE2/0/2	10.2.2.1/24

Configuration procedure

1. Configure CE 1.

<CE1> system-view

[CE1] interface gigabitethernet 2/0/1

[CE1-GigabitEthernet2/0/1] ip address 100.1.1.1 24

[CE1-GigabitEthernet2/0/1] quit

2. Configure PE 1:

# Configure an LSR ID.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 192.2.2.2 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 192.2.2.2

# Enable L2VPN.

[PE1] l2vpn enable

# Enable global LDP.

[PE1] mpls ldp

[PE1-ldp] quit

# Configure GigabitEthernet 2/0/2 (the interface connected to the P device), and enable LDP on the interface.

[PE1] interface gigabitethernet 2/0/2

[PE1-GigabitEthernet2/0/2] ip address 10.1.1.1 24

[PE1-GigabitEthernet2/0/2] mpls enable

[PE1-GigabitEthernet2/0/2] mpls ldp enable

[PE1-GigabitEthernet2/0/2] quit

# Configure OSPF for LDP to create LSPs.

[PE1] ospf

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 10.1.1.1 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] network 192.2.2.2 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

# Create a cross-connect group named vpna, create a cross-connect named ldp in the group, and bind GigabitEthernet 2/0/1 to the cross-connect.

[PE1] xconnect-group vpna

[PE1-xcg-vpna] connection ldp

[PE1-xcg-vpna-ldp] ac interface gigabitethernet 2/0/1

# Create an LDP PW for the cross-connect to bind the AC to the PW.

[PE1-xcg-vpna-ldp] peer 192.3.3.3 pw-id 3

[PE1-xcg-vpna-ldp-192.3.3.3-3] quit

[PE1-xcg-vpna-ldp] quit

[PE1-xcg-vpna] quit

3. Configure the P device:

# Configure an LSR ID.

system-view

[P] interface loopback 0

[P-LoopBack0] ip address 192.4.4.4 32

[P-LoopBack0] quit

[P] mpls lsr-id 192.4.4.4

# Enable global LDP.

[P] mpls ldp

[P-ldp] quit

# Configure GigabitEthernet 2/0/1 (the interface connected to PE 1), and enable LDP on the interface.

[P] interface gigabitethernet 2/0/1

[P-GigabitEthernet2/0/1] ip address 10.1.1.2 24

[P-GigabitEthernet2/0/1] mpls enable

[P-GigabitEthernet2/0/1] mpls ldp enable

[P-GigabitEthernet2/0/1] quit

# Configure GigabitEthernet 2/0/2 (the interface connected to PE 2), and enable LDP on the interface.

[P] interface gigabitethernet 2/0/2

[P-GigabitEthernet2/0/2] ip address 10.2.2.2 24

[P-GigabitEthernet2/0/2] mpls enable

[P-GigabitEthernet2/0/2] mpls ldp enable

[P-GigabitEthernet2/0/2] quit

# Configure OSPF for LDP to create LSPs.

[P] ospf

[P-ospf-1] area 0

[P-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 10.2.2.2 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 192.4.4.4 0.0.0.0

[P-ospf-1-area-0.0.0.0] quit

[P-ospf-1] quit

4. Configure PE 2:

# Configure an LSR ID.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 192.3.3.3 32

[PE2-LoopBack0] quit

[PE2] mpls lsr-id 192.3.3.3

# Enable L2VPN.

[PE2] l2vpn enable

# Enable global LDP.

[PE2] mpls ldp

[PE2-ldp] quit

# Configure GigabitEthernet 2/0/2 (the interface connected to the P device), and enable LDP on the interface.

[PE2] interface gigabitethernet 2/0/2

[PE2-GigabitEthernet2/0/2] ip address 10.2.2.1 24

[PE2-GigabitEthernet2/0/2] mpls enable

[PE2-GigabitEthernet2/0/2] mpls ldp enable

[PE2-GigabitEthernet2/0/2] quit

# Configure OSPF for LDP to create LSPs.

[PE2] ospf

[PE2-ospf-1] area 0

[PE2-ospf-1-area-0.0.0.0] network 192.3.3.3 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] network 10.2.2.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

# Create a cross-connect group named vpna, create a cross-connect named ldp in the group, and bind GigabitEthernet 2/0/1 to the cross-connect.

[PE2] xconnect-group vpna

[PE2-xcg-vpna] connection ldp

[PE2-xcg-vpna-ldp] ac interface gigabitethernet 2/0/1

# Create an LDP PW for the cross-connect to bind the AC to the PW.

[PE2-xcg-vpna-ldp] peer 192.2.2.2 pw-id 3

[PE2-xcg-vpna-ldp-192.2.2.2-3] quit

[PE2-xcg-vpna-ldp] quit

[PE2-xcg-vpna] quit

5. Configure CE 2.

<CE2> system-view

[CE2] interface gigabitethernet 2/0/1

[CE2-GigabitEthernet2/0/1] ip address 100.1.1.2 24

[CE2-GigabitEthernet2/0/1] quit

Verifying the configuration

# Verify that an LDP PW has been established on PE 1.

[PE1] display l2vpn pw

Flags: M - main, B - backup, BY - bypass, H - hub link, S - spoke link, N - no split horizon

Total number of PWs: 1

1 up, 0 blocked, 0 down, 0 defect, 0 idle, 0 duplicate

Xconnect-group Name: vpna

Peer PW ID/Rmt Site In/Out Label Proto Flag Link ID State

192.3.3.3 3 1279/1279 LDP M 1 Up

# Verify that an LDP PW has been established on PE 2.

[PE2] display l2vpn pw

Flags: M - main, B - backup, BY - bypass, H - hub link, S - spoke link, N - no split horizon

Total number of PWs: 1

1 up, 0 blocked, 0 down, 0 defect, 0 idle, 0 duplicate

Xconnect-group Name: vpna

Peer PW ID/Rmt Site In/Out Label Proto Flag Link ID State

192.2.2.2 3 1279/1279 LDP M 1 Up

# Verify that CE 1 and CE 2 can ping each other. (Details not shown.)

Configuring IP interworking over an LDP PW

Network requirements

CE 1 and PE 1 are connected through Ethernet interfaces. CE 2 and PE 2 are connected through serial interfaces, and they use PPP as the link layer protocol.

Configure an LDP PW between PE 1 and PE 2 and enable interworking on PEs to allow communication between CE 1 and CE 2.

Figure 112 Network diagram

Table 40 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	GE2/0/1	100.1.1.1/24	P	Loop0	192.4.4.4/32
PE 1	Loop0	192.2.2.2/32		GE2/0/1	10.1.1.2/24
	GE2/0/1	-		GE2/0/2	10.2.2.2/24
	GE2/0/2	10.1.1.1/24	PE 2	Loop0	192.3.3.3/32
CE 2	Ser2/1/0	100.1.1.2/24		Ser2/1/0	-
				GE2/0/1	10.2.2.1/24

Configuration procedure

1. Configure CE 1.

<CE1> system-view

[CE1] interface gigabitethernet 2/0/1

[CE1-GigabitEthernet2/0/1] ip address 100.1.1.1 24

[CE1-GigabitEthernet2/0/1] quit

2. Configure PE 1:

# Configure an LSR ID.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 192.2.2.2 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 192.2.2.2

# Enable L2VPN.

[PE1] l2vpn enable

# Enable global LDP.

[PE1] mpls ldp

[PE1-ldp] quit

# Configure the default next hop IP address as 100.1.1.1 on GigabitEthernet 2/0/1 (the interface connected to CE 1. This interface does not need an IP address.

[PE1] interface gigabitethernet 2/0/1

[PE1-GigabitEthernet2/0/1] default-nexthop ip 100.1.1.1

[PE1-GigabitEthernet2/0/1] quit

# Configure GigabitEthernet 2/0/2 (the interface connected to the P device), and enable LDP on the interface.

[PE1] interface gigabitethernet 2/0/2

[PE1-GigabitEthernet2/0/2] ip address 10.1.1.1 24

[PE1-GigabitEthernet2/0/2] mpls enable

[PE1-GigabitEthernet2/0/2] mpls ldp enable

[PE1-GigabitEthernet2/0/2] quit

# Configure OSPF for LDP to create LSPs.

[PE1] ospf

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 10.1.1.1 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] network 192.2.2.2 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

# Create a cross-connect group named vpna, create a cross-connect named ldp in the group, enable interworking for the cross-connect, and bind GigabitEthernet 2/0/1 to the cross-connect.

[PE1] xconnect-group vpna

[PE1-xcg-vpna] connection ldp

[PE1-xcg-vpna-ldp] interworking ipv4

[PE1-xcg-vpna-ldp] ac interface gigabitethernet 2/0/1

# Create an LDP PW for the cross-connect to bind the AC to the PW.

[PE1-xcg-vpna-ldp] peer 192.3.3.3 pw-id 3

[PE1-xcg-vpna-ldp-192.3.3.3-3] quit

[PE1-xcg-vpna-ldp] quit

[PE1-xcg-vpna] quit

3. Configure the P device:

# Configure an LSR ID.

system-view

[P] interface loopback 0

[P-LoopBack0] ip address 192.4.4.4 32

[P-LoopBack0] quit

[P] mpls lsr-id 192.4.4.4

# Enable global LDP.

[P] mpls ldp

[P-ldp] quit

# Configure GigabitEthernet 2/0/1 (the interface connected to PE 1), and enable LDP on the interface.

[P] interface gigabitethernet 2/0/1

[P-GigabitEthernet2/0/1] ip address 10.1.1.2 24

[P-GigabitEthernet2/0/1] mpls enable

[P-GigabitEthernet2/0/1] mpls ldp enable

[P-GigabitEthernet2/0/1] quit

# Configure GigabitEthernet 2/0/2 (the interface connected to PE 2), and enable LDP on the interface.

[P] interface gigabitethernet 2/0/2

[P-GigabitEthernet2/0/2] ip address 10.2.2.2 24

[P-GigabitEthernet2/0/2] mpls enable

[P-GigabitEthernet2/0/2] mpls ldp enable

[P-GigabitEthernet2/0/2] quit

# Configure OSPF for LDP to create LSPs.

[P] ospf

[P-ospf-1] area 0

[P-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 10.2.2.2 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 192.4.4.4 0.0.0.0

[P-ospf-1-area-0.0.0.0] quit

[P-ospf-1] quit

4. Configure PE 2:

# Configure an LSR ID.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 192.3.3.3 32

[PE2-LoopBack0] quit

[PE2] mpls lsr-id 192.3.3.3

# Enable L2VPN.

[PE2] l2vpn enable

# Enable global LDP.

[PE2] mpls ldp

[PE2-ldp] quit

# Configure GigabitEthernet 2/0/1 (the interface connected to the P device), and enable LDP on the interface.

[PE2] interface gigabitethernet 2/0/1

[PE2-GigabitEthernet2/0/1] ip address 10.2.2.1 24

[PE2-GigabitEthernet2/0/1] mpls enable

[PE2-GigabitEthernet2/0/1] mpls ldp enable

[PE2-GigabitEthernet2/0/1] quit

# Configure OSPF for LDP to create LSPs.

[PE2] ospf

[PE2-ospf-1] area 0

[PE2-ospf-1-area-0.0.0.0] network 192.3.3.3 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] network 10.2.2.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

# Configure the IPCP proxy IP address as the IP address of CE 1 on Serial 2/1/0 (the interface connected to CE 2). This interface does not need an IP address.

[PE2] interface serial 2/1/0

[PE2-Serial2/1/0] link-protocol ppp

[PE2-Serial2/1/0] ppp ipcp proxy 100.1.1.1

[PE2-Serial2/1/0] quit

# Create a cross-connect group named vpna, create a cross-connect named ldp in the group, enable interworking for the cross-connect, and bind Serial 2/1/0 to the cross-connect.

[PE2] xconnect-group vpna

[PE2-xcg-vpna] connection ldp

[PE2-xcg-vpna-ldp] interworking ipv4

[PE2-xcg-vpna-ldp] ac interface serial 2/1/0

# Create an LDP PW for the cross-connect to bind the AC to the PW.

[PE2-xcg-vpna-ldp] peer 192.2.2.2 pw-id 3

[PE2-xcg-vpna-ldp-192.2.2.2-3] quit

[PE2-xcg-vpna-ldp] quit

[PE2-xcg-vpna] quit

5. Configure CE 2.

<CE2> system-view

[CE2] interface serial 2/1/0

[CE2-Serial2/1/0] link-protocol ppp

[CE2-Serial2/1/0] ip address 100.1.1.2 24

[CE2-Serial2/1/0] quit

Verifying the configuration

# Verify that an LDP PW has been established on PE 1.

[PE1] display l2vpn pw

Flags: M - main, B - backup, BY - bypass, H - hub link, S - spoke link, N - no split horizon

Total number of PWs: 1

1 up, 0 blocked, 0 down, 0 defect, 0 idle, 0 duplicate

Xconnect-group Name: vpna

Peer PW ID/Rmt Site In/Out Label Proto Flag Link ID State

192.3.3.3 3 1279/1279 LDP M 1 Up

# Verify that an LDP PW has been established on PE 2.

[PE2] display l2vpn pw

Flags: M - main, B - backup, BY - bypass, H - hub link, S - spoke link, N - no split horizon

Total number of PWs: 1

1 up, 0 blocked, 0 down, 0 defect, 0 idle, 0 duplicate

Xconnect-group Name: vpna

Peer PW ID/Rmt Site In/Out Label Proto Flag Link ID State

192.2.2.2 3 1279/1279 LDP M 1 Up

# Verify that CE 1 and CE 2 can ping each other. (Details not shown.)

Configuring a BGP PW

Network requirements

Create a BGP PW between PE 1 and PE 2 to allow communication between CE 1 and CE 2.

Figure 113 Network diagram

Table 41 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	GE2/0/1	100.1.1.1/24	P	Loop0	192.4.4.4/32
PE 1	Loop0	192.2.2.2/32		GE2/0/1	10.1.1.2/24
	GE2/0/1	-		GE2/0/2	10.2.2.2/24
	GE2/0/2	10.1.1.1/24	PE 2	Loop0	192.3.3.3/32
CE 2	GE2/0/1	100.1.1.2/24		GE2/0/1	-
				GE2/0/2	10.2.2.1/24

Configuration procedure

1. Configure CE 1.

<CE1> system-view

[CE1] interface gigabitethernet 2/0/1

[CE1-GigabitEthernet2/0/1] ip address 100.1.1.1 24

[CE1-GigabitEthernet2/0/1] quit

2. Configure PE 1:

# Configure an LSR ID.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 192.2.2.2 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 192.2.2.2

# Enable L2VPN.

[PE1] l2vpn enable

# Enable global LDP.

[PE1] mpls ldp

[PE1-ldp] quit

# Configure GigabitEthernet 2/0/2 (the interface connected to the P device), and enable LDP on the interface.

[PE1] interface gigabitethernet 2/0/2

[PE1-GigabitEthernet2/0/2] ip address 10.1.1.1 24

[PE1-GigabitEthernet2/0/2] mpls enable

[PE1-GigabitEthernet2/0/2] mpls ldp enable

[PE1-GigabitEthernet2/0/2] quit

# Configure OSPF for LDP to create LSPs.

[PE1] ospf

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 10.1.1.1 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] network 192.2.2.2 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

# Create an IBGP connection to PE 2, and enable BGP to advertise L2VPN information to PE 2.

[PE1] bgp 100

[PE1-bgp-default] peer 192.3.3.3 as-number 100

[PE1-bgp-default] peer 192.3.3.3 connect-interface loopback 0

[PE1-bgp-default] address-family l2vpn

[PE1-bgp-default-l2vpn] peer 192.3.3.3 enable

[PE1-bgp-default-l2vpn] quit

[PE1-bgp-default] quit

# Create a cross-connect group named vpnb, create a local site named site 1, and create a BGP PW from site 1 to the remote site site 2.

[PE1] xconnect-group vpnb

[PE1-xcg-vpnb] auto-discovery bgp

[PE1-xcg-vpnb-auto] route-distinguisher 2:2

[PE1-xcg-vpnb-auto] vpn-target 2:2 export-extcommunity

[PE1-xcg-vpnb-auto] vpn-target 2:2 import-extcommunity

[PE1-xcg-vpnb-auto] site 1 range 10 default-offset 0

[PE1-xcg-vpnb-auto-1] connection remote-site-id 2

# Bind GigabitEthernet 2/0/1 to the PW.

[PE1-xcg-vpnb-auto-1-2] ac interface gigabitethernet 2/0/1

[PE1-xcg-vpnb-auto-1-2] return

3. Configure the P device:

# Configure an LSR ID.

system-view

[P] interface loopback 0

[P-LoopBack0] ip address 192.4.4.4 32

[P-LoopBack0] quit

[P] mpls lsr-id 192.4.4.4

# Enable global LDP.

[P] mpls ldp

[P-ldp] quit

# Configure GigabitEthernet 2/0/1 (the interface connected to PE 1), and enable LDP on the interface.

[P] interface gigabitethernet 2/0/1

[P-GigabitEthernet2/0/1] ip address 10.1.1.2 24

[P-GigabitEthernet2/0/1] mpls enable

[P-GigabitEthernet2/0/1] mpls ldp enable

[P-GigabitEthernet2/0/1] quit

# Configure GigabitEthernet 2/0/2 (the interface connected to PE 2), and enable LDP on the interface.

[P] interface gigabitethernet 2/0/2

[P-GigabitEthernet2/0/2] ip address 10.2.2.2 24

[P-GigabitEthernet2/0/2] mpls enable

[P-GigabitEthernet2/0/2] mpls ldp enable

[P-GigabitEthernet2/0/2] quit

# Configure OSPF for LDP to create LSPs.

[P] ospf

[P-ospf-1] area 0

[P-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 10.2.2.2 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 192.4.4.4 0.0.0.0

[P-ospf-1-area-0.0.0.0] quit

[P-ospf-1] quit

4. Configure PE 2:

# Configure an LSR ID.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 192.3.3.3 32

[PE2-LoopBack0] quit

[PE2] mpls lsr-id 192.3.3.3

# Enable L2VPN.

[PE2] l2vpn enable

# Enable global LDP.

[PE2] mpls ldp

[PE2-ldp] quit

# Configure GigabitEthernet 2/0/2 (the interface connected to the P device), and enable LDP on the interface.

[PE2] interface gigabitethernet 2/0/2

[PE2-GigabitEthernet2/0/2] ip address 10.2.2.1 24

[PE2-GigabitEthernet2/0/2] mpls enable

[PE2-GigabitEthernet2/0/2] mpls ldp enable

[PE2-GigabitEthernet2/0/2] quit

# Configure OSPF for LDP to create LSPs.

[PE2] ospf

[PE2-ospf-1] area 0

[PE2-ospf-1-area-0.0.0.0] network 192.3.3.3 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] network 10.2.2.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

# Create an IBGP connection to PE 1, and enable BGP to advertise L2VPN information to PE 1.

[PE2] bgp 100

[PE2-bgp-default] peer 192.2.2.2 as-number 100

[PE2-bgp-default] peer 192.2.2.2 connect-interface loopback 0

[PE2-bgp-default] address-family l2vpn

[PE2-bgp-default-l2vpn] peer 192.2.2.2 enable

[PE2-bgp-default-l2vpn] quit

[PE2-bgp-default] quit

# Create a cross-connect group named vpnb, create a local site named site 2, and create a BGP PW from site 2 to the remote site site 1.

[PE2] xconnect-group vpnb

[PE2-xcg-vpnb] auto-discovery bgp

[PE2-xcg-vpnb-auto] route-distinguisher 2:2

[PE2-xcg-vpnb-auto] vpn-target 2:2 export-extcommunity

[PE2-xcg-vpnb-auto] vpn-target 2:2 import-extcommunity

[PE2-xcg-vpnb-auto] site 2 range 10 default-offset 0

[PE2-xcg-vpnb-auto-2] connection remote-site-id 1

# Bind GigabitEthernet 2/0/1 to the PW.

[PE2-xcg-vpnb-auto-2-1] ac interface gigabitethernet 2/0/1

[PE2-xcg-vpnb-auto-2-1] return

5. Configure CE 2.

<CE2> system-view

[CE2] interface gigabitethernet 2/0/1

[CE2-GigabitEthernet2/0/1] ip address 100.1.1.2 24

[CE2-GigabitEthernet2/0/1] quit

Verifying the configuration

# Verify that a BGP PW has been established on PE 1.

<PE1> display l2vpn pw

Flags: M - main, B - backup, BY - bypass, H - hub link, S - spoke link, N - no split horizon

Total number of PWs: 1

1 up, 0 blocked, 0 down, 0 defect, 0 idle, 0 duplicate

Xconnect-group Name: vpnb

Peer PW ID/Rmt Site In/Out Label Proto Flag Link ID State

192.3.3.3 2 1036/1025 BGP M 1 Up

# Verify that a BGP PW has been established on PE 2.

<PE2> display l2vpn pw

Flags: M - main, B - backup, BY - bypass, H - hub link, S - spoke link, N - no split horizon

Total number of PWs: 1

1 up, 0 blocked, 0 down, 0 defect, 0 idle, 0 duplicate

Xconnect-group Name: vpnb

Peer PW ID/Rmt Site In/Out Label Proto Flag Link ID State

192.2.2.2 1 1025/1036 BGP M 1 Up

# Verify that CE 1 and CE 2 can ping each other. (Details not shown.)

Configuring a remote CCC connection

Network requirements

Create a remote CCC connection between PE 1 and PE 2 to allow communication between CE 1 and CE 2.

Figure 114 Network diagram

Table 42 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	GE2/0/1	100.1.1.1/24	P	Loop0	192.4.4.4/32
PE 1	Loop0	192.2.2.2/32		GE2/0/1	10.1.1.2/24
	GE2/0/1	-		GE2/0/2	10.2.2.2/24
	GE2/0/2	10.1.1.1/24	PE 2	Loop0	192.3.3.3/32
CE 2	GE2/0/1	100.1.1.2/24		GE2/0/1	-
				GE2/0/2	10.2.2.1/24

Configuration procedure

1. Configure CE 1.

<CE1> system-view

[CE1] interface gigabitethernet 2/0/1

[CE1-GigabitEthernet2/0/1] ip address 100.1.1.1 24

[CE1-GigabitEthernet2/0/1] quit

2. Configure PE 1:

# Configure an LSR ID.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 192.2.2.2 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 192.2.2.2

# Enable L2VPN.

[PE1] l2vpn enable

# Configure GigabitEthernet 2/0/2 (the interface connected to the P device), and enable MPLS on the interface.

[PE1] interface gigabitethernet 2/0/2

[PE1-GigabitEthernet2/0/2] ip address 10.1.1.1 24

[PE1-GigabitEthernet2/0/2] mpls enable

[PE1-GigabitEthernet2/0/2] quit

# Configure OSPF.

[PE1] ospf

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 10.1.1.1 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] network 192.2.2.2 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

# Create a cross-connect group named ccc, and create a remote CCC connection that has incoming label 101, outgoing label 201, and next hop 10.1.1.2.

[PE1] xconnect-group ccc

[PE1-xcg-ccc] connection ccc

[PE1-xcg-ccc-ccc] ccc in-label 101 out-label 201 nexthop 10.1.1.2

# Bind GigabitEthernet 2/0/1 to the CCC connection.

[PE1-xcg-ccc-ccc] ac interface gigabitethernet 2/0/1

[PE1-xcg-ccc-ccc] quit

[PE1-xcg-ccc] quit

3. Configure the P device:

# Configure an LSR ID.

system-view

[P] interface loopback 0

[P-LoopBack0] ip address 192.4.4.4 32

[P-LoopBack0] quit

[P] mpls lsr-id 192.4.4.4

# Configure GigabitEthernet 2/0/1 (the interface connected to PE 1), and enable MPLS on the interface.

[P] interface gigabitethernet 2/0/1

[P-GigabitEthernet2/0/1] ip address 10.1.1.2 24

[P-GigabitEthernet2/0/1] mpls enable

[P-GigabitEthernet2/0/1] quit

# Configure GigabitEthernet 2/0/2 (the interface connected to PE 2), and enable MPLS on the interface.

[P] interface gigabitethernet 2/0/2

[P-GigabitEthernet2/0/2] ip address 10.2.2.2 24

[P-GigabitEthernet2/0/2] mpls enable

[P-GigabitEthernet2/0/2] quit

# Configure a static LSP to forward packets from PE 1 to PE 2.

[P] static-lsp transit pe1-pe2 in-label 201 nexthop 10.2.2.1 out-label 202

# Configure a static LSP to forward packets from PE 2 to PE 1.

[P] static-lsp transit pe2-pe1 in-label 102 nexthop 10.1.1.1 out-label 101

# Configure OSPF.

[P] ospf

[P-ospf-1] area 0

[P-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 10.2.2.2 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 192.4.4.4 0.0.0.0

[P-ospf-1-area-0.0.0.0] quit

[P-ospf-1] quit

4. Configure PE 2:

# Configure an LSR ID.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 192.3.3.3 32

[PE2-LoopBack0] quit

[PE2] mpls lsr-id 192.3.3.3

# Enable L2VPN.

[PE2] l2vpn enable

# Configure GigabitEthernet 2/0/2 (the interface connected to the P device), and enable MPLS on the interface.

[PE2] interface gigabitethernet 2/0/2

[PE2-GigabitEthernet2/0/2] ip address 10.2.2.1 24

[PE2-GigabitEthernet2/0/2] mpls enable

[PE2-GigabitEthernet2/0/2] quit

# Configure OSPF.

[PE2] ospf

[PE2-ospf-1] area 0

[PE2-ospf-1-area-0.0.0.0] network 10.2.2.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] network 192.3.3.3 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

# Create a cross-connect group named ccc, and create a remote CCC connection that has incoming label 202, outgoing label 102, and next hop 10.2.2.2.

[PE2] xconnect-group ccc

[PE2-xcg-ccc] connection ccc

[PE2-xcg-ccc-ccc] ccc in-label 202 out-label 102 nexthop 10.2.2.2

# Bind GigabitEthernet 2/0/1 to the CCC connection.

[PE2-xcg-ccc-ccc] ac interface gigabitethernet 2/0/1

[PE2-xcg-ccc-ccc] quit

[PE2-xcg-ccc] quit

5. Configure CE 2.

<CE2> system-view

[CE2] interface gigabitethernet 2/0/1

[CE2-GigabitEthernet2/0/1] ip address 100.1.1.2 24

[CE2-GigabitEthernet2/0/1] quit

Verifying the configuration

# Verify that a remote CCC connection (identified by PW ID/Rmt Site "-" and Proto Static) has been established on PE 1.

[PE1] display l2vpn pw

Flags: M - main, B - backup, BY - bypass, H - hub link, S - spoke link, N - no split horizon

Total number of PWs: 1

1 up, 0 blocked, 0 down, 0 defect, 0 idle, 0 duplicate

Xconnect-group Name: ccc

Peer PW ID/Rmt Site In/Out Label Proto Flag Link ID State

10.1.1.2 - 101/201 Static M 0 Up

# Verify that a remote CCC connection has been established on PE 2.

[PE2] display l2vpn pw

Flags: M - main, B - backup, BY - bypass, H - hub link, S - spoke link, N - no split horizon

Total number of PWs: 1

1 up, 0 blocked, 0 down, 0 defect, 0 idle, 0 duplicate

Xconnect-group Name: ccc

Peer PW ID/Rmt Site In/Out Label Proto Flag Link ID State

10.2.2.2 - 202/102 Static M 0 Up

# Verify that CE 1 and CE 2 can ping each other. (Details not shown.)

Configuring an intra-domain multi-segment PW

Network requirements

As shown in Figure 115, there is no public tunnel between PE 1 and PE 2. There is an MPLS TE tunnel between PE 1 and P, and an MPLS TE tunnel between P and PE 2.

Configure a multi-segment PW within the backbone to allow communication between CE 1 and CE 2. The multi-segment PW includes an LDP PW between PE 1 and P, and a static PW between P and PE 2. The two PWs are concatenated on P.

Figure 115 Network diagram

Table 43 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	GE2/0/1	100.1.1.1/24	P	Loop0	192.4.4.4/32
PE 1	Loop0	192.2.2.2/32		GE2/0/1	23.1.1.2/24
	GE2/0/2	23.1.1.1/24		GE2/0/2	26.2.2.2/24
CE 2	GE2/0/1	100.1.1.2/24	PE 2	Loop0	192.3.3.3/32
				GE2/0/2	26.2.2.1/24

Configuration procedure

1. Configure CE 1.

<CE1> system-view

[CE1] interface gigabitethernet 2/0/1

[CE1-GigabitEthernet2/0/1] ip address 100.1.1.1 24

[CE1-GigabitEthernet2/0/1] quit

2. Configure PE 1:

# Configure an LSR ID.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 192.2.2.2 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 192.2.2.2

# Enable L2VPN.

[PE1] l2vpn enable

# Enable LDP globally.

[PE1] mpls ldp

[PE1-ldp] quit

# Configure MPLS TE to establish an MPLS TE tunnel between PE 1 and P. For more information, see "Configuring MPLS TE."

# Create a cross-connect group named vpn1, create a cross-connect named ldp in the group, and bind GigabitEthernet 2/0/1 to the cross-connect.

[PE1] xconnect-group vpn1

[PE1-xcg-vpn1] connection ldp

[PE1-xcg-vpn1-ldp] ac interface gigabitethernet 2/0/1

# Create an LDP PW for the cross-connect to bind the AC to the PW.

[PE1-xcg-vpn1-ldp] peer 192.4.4.4 pw-id 1000

[PE1-xcg-vpn1-ldp-192.4.4.4-1000] quit

[PE1-xcg-vpn1-ldp] quit

[PE1-xcg-vpn1] quit

3. Configure the P device:

# Configure an LSR ID.

system-view

[P] interface loopback 0

[P-LoopBack0] ip address 192.4.4.4 32

[P-LoopBack0] quit

[P] mpls lsr-id 192.4.4.4

# Enable L2VPN.

[P] l2vpn enable

# Enable LDP globally.

[P] mpls ldp

[P-ldp] quit

# Create a PW class named pwa, and configure the PW type as ethernet.

[P] pw-class pwa

[P-pw-pwa] pw-type ethernet

[P-pw-pwa] quit

# Configure MPLS TE to establish an MPLS TE tunnel between PE 1 and P, and between P and PE 2. For more information, see "Configuring MPLS TE."

# Create a cross-connect group named vpn1, create a cross-connect named ldpsvc in the group, and create an LDP PW and a static PW for the cross-connect to form a multi-segment PW.

[P] xconnect-group vpn1

[P-xcg-vpn1] connection ldpsvc

[P-xcg-vpn1-ldpsvc] peer 192.2.2.2 pw-id 1000 pw-class pwa

[P-xcg-vpn1-ldpsvc-192.2.2.2-1000] quit

[P-xcg-vpn1-ldpsvc] peer 192.3.3.3 pw-id 1000 in-label 100 out-label 200 pw-class pwa

[P-xcg-vpn1-ldpsvc-192.3.3.3-1000] quit

[P-xcg-vpn1-ldpsvc] quit

[P-xcg-vpn1] quit

4. Configure PE 2:

# Configure an LSR ID.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 192.3.3.3 32

[PE2-LoopBack0] quit

[PE2] mpls lsr-id 192.3.3.3

# Enable L2VPN.

[PE2] l2vpn enable

# Configure MPLS TE to establish an MPLS TE tunnel between P and PE 2. For more information, see "Configuring MPLS TE."

# Create a cross-connect group named vpn1, create a cross-connect named svc in the group, and bind GigabitEthernet 2/0/1 to the cross-connect.

[PE2] xconnect-group vpn1

[PE2-xcg-vpn1] connection svc

[PE2-xcg-vpn1-svc] ac interface gigabitethernet 2/0/1

# Create a static PW for the cross-connect to bind the AC to the PW.

[PE2-xcg-vpn1-svc] peer 192.4.4.4 pw-id 1000 in-label 200 out-label 100

[PE2-xcg-vpn1-svc-192.4.4.4-1000] quit

[PE2-xcg-vpn1-svc] quit

[PE2-xcg-vpn1] quit

5. Configure CE 2.

<CE2> system-view

[CE2] interface gigabitethernet 2/0/1

[CE2-GigabitEthernet2/0/1] ip address 100.1.1.2 24

[CE2-GigabitEthernet2/0/1] quit

Verifying the configuration

# Verify that two PWs have been created to form a multi-segment PW on the P device.

[P] display l2vpn pw

Flags: M - main, B - backup, BY - bypass, H - hub link, S - spoke link, N - no split horizon

Total number of PWs: 2

2 up, 0 blocked, 0 down, 0 defect, 0 idle, 0 duplicate

Xconnect-group Name: vpn1

Peer PW ID/Rmt Site In/Out Label Proto Flag Link ID State

192.2.2.2 1000 1279/1150 LDP M 0 Up

192.3.3.3 1000 100/200 Static M 1 Up

# Verify that a PW has been created on PE 1.

[PE1] display l2vpn pw

Flags: M - main, B - backup, BY - bypass, H - hub link, S - spoke link, N - no split horizon

Total number of PWs: 1

1 up, 0 blocked, 0 down, 0 defect, 0 idle, 0 duplicate

Xconnect-group Name: vpn1

Peer PW ID/Rmt Site In/Out Label Proto Flag Link ID State

192.4.4.4 1000 1150/1279 LDP M 1 Up

# Verify that a PW has been created on PE 2.

[PE2] display l2vpn pw

Flags: M - main, B - backup, BY - bypass, H - hub link, S - spoke link, N - no split horizon

Total number of PWs: 1

1 up, 0 blocked, 0 down, 0 defect, 0 idle, 0 duplicate

Xconnect-group Name: vpn1

Peer PW ID/Rmt Site In/Out Label Proto Flag Link ID State

192.4.4.4 1000 200/100 Static M 1 Up

# Verify that CE 1 and CE 2 can ping each other. (Details not shown.)

Configuring an inter-domain multi-segment PW

Network requirements

PE 1 and ASBR 1 belong to AS 100. PE 2 and ASBR 2 belong to AS 200.

Set up an inter-domain multi-segment PW (a method for inter-AS Option B networking) within the backbone to allow communication between CE 1 and CE 2.

Configure the inter-domain multi-segment PW as follows:

· Configure LDP PWs between PE 1 and ASBR 1, and between PE 2 and ASBR 2, and configure public tunnels through LDP to carry the PWs.

· Configure an LDP PW between ASBR 1 and ASBR 2. Advertise labeled IPv4 routes between ASBR 1 and ASBR 2 through BGP to set up the public tunnel to carry the LDP PW.

· Concatenate the two PWs on ASBR 1.

· Concatenate the two PWs on ASBR 2.

Figure 116 Network diagram

Table 44 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	GE2/0/1	100.1.1.1/24	ASBR 1	Loop0	192.2.2.2/32
PE 1	Loop0	192.1.1.1/32		GE2/0/2	23.1.1.2/24
	GE2/0/2	23.1.1.1/24		GE2/0/1	26.2.2.2/24
PE 2	Loop0	192.4.4.4/32	ASBR 2	Loop0	192.3.3.3/32
	GE2/0/2	22.2.2.1/24		GE2/0/1	26.2.2.3/24
CE 2	GE2/0/1	100.1.1.2/24		GE2/0/2	22.2.2.3/24

Configuration procedure

1. Configure CE 1.

<CE1> system-view

[CE1] interface gigabitethernet 2/0/1

[CE1-GigabitEthernet2/0/1] ip address 100.1.1.1 24

[CE1-GigabitEthernet2/0/1] quit

2. Configure PE 1:

# Configure an LSR ID.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 192.1.1.1 32

[PE1-LoopBack0] quit

[PE1] mpls lsr-id 192.1.1.1

# Enable L2VPN.

[PE1] l2vpn enable

# Enable global LDP.

[PE1] mpls ldp

[PE1-ldp] quit

# Configure GigabitEthernet 2/0/2 (the interface connected to ASBR 1), and enable LDP on the interface.

[PE1] interface gigabitethernet 2/0/2

[PE1-GigabitEthernet2/0/2] ip address 23.1.1.1 24

[PE1-GigabitEthernet2/0/2] mpls enable

[PE1-GigabitEthernet2/0/2] mpls ldp enable

[PE1-GigabitEthernet2/0/2] quit

# Configure OSPF for LDP to create LSPs.

[PE1] ospf

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 23.1.1.1 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] network 192.1.1.1 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

# Create a cross-connect group named vpn1, create a cross-connect named ldp in the group, and bind GigabitEthernet 2/0/1 to the cross-connect.

[PE1] xconnect-group vpn1

[PE1-xcg-vpn1] connection ldp

[PE1-xcg-vpn1-ldp] ac interface gigabitethernet 2/0/1

# Create an LDP PW for the cross-connect to bind the AC to the PW.

[PE1-xcg-vpn1-ldp] peer 192.2.2.2 pw-id 1000

[PE1-xcg-vpn1-ldp-192.2.2.2-1000] quit

[PE1-xcg-vpn1-ldp] quit

[PE1-xcg-vpn1] quit

3. Configure ASBR 1:

# Configure an LSR ID.

<ASBR1> system-view

[ASBR1] interface loopback 0

[ASBR1-LoopBack0] ip address 192.2.2.2 32

[ASBR1-LoopBack0] quit

[ASBR1] mpls lsr-id 192.2.2.2

# Enable L2VPN.

[ASBR1] l2vpn enable

# Enable global LDP.

[ASBR1] mpls ldp

[ASBR1-ldp] quit

# Configure GigabitEthernet 2/0/2 (the interface connected to PE 1), and enable LDP on the interface.

[ASBR1] interface gigabitethernet 2/0/2

[ASBR1-GigabitEthernet2/0/2] ip address 23.1.1.2 24

[ASBR1-GigabitEthernet2/0/2] mpls enable

[ASBR1-GigabitEthernet2/0/2] mpls ldp enable

[ASBR1-GigabitEthernet2/0/2] quit

# Configure GigabitEthernet 2/0/1 (the interface connected to ASBR 2), and enable MPLS on the interface.

[ASBR1] interface gigabitethernet 2/0/1

[ASBR1-GigabitEthernet2/0/1] ip address 26.2.2.2 24

[ASBR1-GigabitEthernet2/0/1] mpls enable

[ASBR1-GigabitEthernet2/0/1] quit

# Configure OSPF for LDP to create LSPs.

[ASBR1] ospf

[ASBR1-ospf-1] area 0

[ASBR1-ospf-1-area-0.0.0.0] network 23.1.1.2 0.0.0.255

[ASBR1-ospf-1-area-0.0.0.0] network 192.2.2.2 0.0.0.0

[ASBR1-ospf-1-area-0.0.0.0] quit

[ASBR1-ospf-1] quit

# Configure BGP to advertise labeled routes on ASBR 1.

[ASBR1] bgp 100

[ASBR1-bgp-default] peer 26.2.2.3 as-number 200

[ASBR1-bgp-default] address-family ipv4 unicast

[ASBR1-bgp-default-ipv4] import-route direct

[ASBR1-bgp-default-ipv4] peer 26.2.2.3 enable

[ASBR1-bgp-default-ipv4] peer 26.2.2.3 route-policy policy1 export

[ASBR1-bgp-default-ipv4] peer 26.2.2.3 label-route-capability

[ASBR1-bgp-default-ipv4] quit

[ASBR1-bgp-default] quit

[ASBR1] route-policy policy1 permit node 1

[ASBR1-route-policy-policy1-1] apply mpls-label

[ASBR1-route-policy-policy1-1] quit

# Create a cross-connect group named vpn1, create a cross-connect named ldp in the group, and create two LDP PWs for the cross-connect to form a multi-segment PW.

[ASBR1] xconnect-group vpn1

[ASBR1-xcg-vpn1] connection ldp

[ASBR1-xcg-vpn1-ldp] peer 192.1.1.1 pw-id 1000

[ASBR1-xcg-vpn1-ldp-192.1.1.1-1000] quit

[ASBR1-xcg-vpn1-ldp] peer 192.3.3.3 pw-id 1000

[ASBR1-xcg-vpn1-ldp-192.3.3.3-1000] quit

[ASBR1-xcg-vpn1-ldp] quit

[ASBR1-xcg-vpn1] quit

4. Configure ASBR 2:

# Configure an LSR ID.

<ASBR2> system-view

[ASBR2] interface loopback 0

[ASBR2-LoopBack0] ip address 192.3.3.3 32

[ASBR2-LoopBack0] quit

[ASBR2] mpls lsr-id 192.3.3.3

# Enable L2VPN.

[ASBR2] l2vpn enable

# Enable global LDP.

[ASBR2] mpls ldp

[ASBR2-ldp] quit

# Configure GigabitEthernet 2/0/2 (the interface connected to PE 2), and enable LDP on the interface.

[ASBR2] interface gigabitethernet 2/0/2

[ASBR2-GigabitEthernet2/0/2] ip address 22.2.2.3 24

[ASBR2-GigabitEthernet2/0/2] mpls enable

[ASBR2-GigabitEthernet2/0/2] mpls ldp enable

[ASBR2-GigabitEthernet2/0/2] quit

# Configure GigabitEthernet 2/0/1 (the interface connected to ASBR 1), and enable MPLS on the interface.

[ASBR2] interface gigabitethernet 2/0/1

[ASBR2-GigabitEthernet2/0/1] ip address 26.2.2.3 24

[ASBR2-GigabitEthernet2/0/1] mpls enable

[ASBR2-GigabitEthernet2/0/1] quit

# Configure OSPF for LDP to create LSPs.

[ASBR2] ospf

[ASBR2-ospf-1] area 0

[ASBR2-ospf-1-area-0.0.0.0] network 22.2.2.3 0.0.0.255

[ASBR2-ospf-1-area-0.0.0.0] network 192.3.3.3 0.0.0.0

[ASBR2-ospf-1-area-0.0.0.0] quit

[ASBR2-ospf-1] quit

# Configure BGP to advertise labeled routes on ASBR 2.

[ASBR2] bgp 200

[ASBR2-bgp-default] peer 26.2.2.2 as-number 100

[ASBR2-bgp-default] address-family ipv4 unicast

[ASBR2-bgp-default-ipv4] import-route direct

[ASBR2-bgp-default-ipv4] peer 26.2.2.2 enable

[ASBR2-bgp-default-ipv4] peer 26.2.2.2 route-policy policy1 export

[ASBR2-bgp-default-ipv4] peer 26.2.2.2 label-route-capability

[ASBR2-bgp-default-ipv4] quit

[ASBR2-bgp-default] quit

[ASBR2] route-policy policy1 permit node 1

[ASBR2-route-policy-policy1-1] apply mpls-label

[ASBR2-route-policy-policy1-1] quit

# Create a cross-connect group named vpn1, create a cross-connect named ldp in the group, and create two LDP PWs for the cross-connect to form a multi-segment PW.

[ASBR2] xconnect-group vpn1

[ASBR2-xcg-vpn1] connection ldp

[ASBR2-xcg-vpn1-ldp] peer 192.2.2.2 pw-id 1000

[ASBR2-xcg-vpn1-ldp-192.2.2.2-1000] quit

[ASBR2-xcg-vpn1-ldp] peer 192.4.4.4 pw-id 1000

[ASBR2-xcg-vpn1-ldp-192.4.4.4-1000] quit

[ASBR2-xcg-vpn1-ldp] quit

[ASBR2-xcg-vpn1] quit

5. Configure PE 2:

# Configure an LSR ID.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 192.4.4.4 32

[PE2-LoopBack0] quit

[PE2] mpls lsr-id 192.4.4.4

# Enable L2VPN.

[PE2] l2vpn enable

# Enable global LDP.

[PE2] mpls ldp

[PE2-ldp] quit

# Configure GigabitEthernet 2/0/2 (the interface connected to ASBR 2), and enable LDP on the interface.

[PE2] interface gigabitethernet 2/0/2

[PE2-GigabitEthernet2/0/2] ip address 22.2.2.1 24

[PE2-GigabitEthernet2/0/2] mpls enable

[PE2-GigabitEthernet2/0/2] mpls ldp enable

[PE2-GigabitEthernet2/0/2] quit

# Configure OSPF for LDP to create LSPs.

[PE2] ospf

[PE2-ospf-1] area 0

[PE2-ospf-1-area-0.0.0.0] network 192.4.4.4 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] network 22.2.2.1 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

# Create a cross-connect group named vpn1, create a cross-connect named ldp in the group, and bind GigabitEthernet 2/0/1 to the cross-connect.

[PE2] xconnect-group vpn1

[PE2-xcg-vpn1] connection ldp

[PE2-xcg-vpn1-ldp] ac interface gigabitethernet 2/0/1

# Create an LDP PW for the cross-connect to bind the AC to the PW.

[PE2-xcg-vpn1-ldp] peer 192.3.3.3 pw-id 1000

[PE2-xcg-vpn1-ldp-192.3.3.3-1000] quit

[PE2-xcg-vpn1-ldp] quit

[PE2-xcg-vpn1] quit

6. Configure CE 2.

<CE2> system-view

[CE2] interface gigabitethernet 2/0/1

[CE2-GigabitEthernet2/0/1] ip address 100.1.1.2 24

[CE2-GigabitEthernet2/0/1] quit

Verifying the configuration

# Verify that an LDP PW has been created on PE 1.

[PE1] display l2vpn pw

Flags: M - main, B - backup, BY - bypass, H - hub link, S - spoke link, N - no split horizon

Total number of PWs: 1

1 up, 0 blocked, 0 down, 0 defect, 0 idle, 0 duplicate

Xconnect-group Name: vpn1

Peer PW ID/Rmt Site In/Out Label Proto Flag Link ID State

192.2.2.2 1000 1151/1279 LDP M 1 Up

# Verify that two LDP PWs have been created to form a multi-segment PW on ASBR 1.

[ASBR1] display l2vpn pw

Flags: M - main, B - backup, BY - bypass, H - hub link, S - spoke link, N - no split horizon

Total number of PWs: 2

2 up, 0 blocked, 0 down, 0 defect, 0 idle, 0 duplicate

Xconnect-group Name: vpn1

Peer PW ID/Rmt Site In/Out Label Proto Flag Link ID State

192.1.1.1 1000 1279/1151 LDP M 0 Up

192.3.3.3 1000 1278/1151 LDP M 1 Up

# Verify that two LDP PWs have been created to form a multi-segment PW on ASBR 2.

[ASBR2] display l2vpn pw

Flags: M - main, B - backup, BY - bypass, H - hub link, S - spoke link, N - no split horizon

Total number of PWs: 2

2 up, 0 blocked, 0 down, 0 defect, 0 idle, 0 duplicate

Xconnect-group Name: vpn1

Peer PW ID/Rmt Site In/Out Label Proto Flag Link ID State

192.2.2.2 1000 1151/1278 LDP M 0 Up

192.4.4.4 1000 1150/1279 LDP M 1 Up

# Verify that an LDP PW has been created on PE 2.

[PE2] display l2vpn pw

Flags: M - main, B - backup, BY - bypass, H - hub link, S - spoke link, N - no split horizon

Total number of PWs: 1

1 up, 0 blocked, 0 down, 0 defect, 0 idle, 0 duplicate

Xconnect-group Name: vpn1

Peer PW ID/Rmt Site In/Out Label Proto Flag Link ID State

192.3.3.3 1000 1279/1150 LDP M 1 Up

# Verify that CE 1 and CE 2 can ping each other. (Details not shown.)

Configuring L2VPN access to L3VPN or IP backbone

Both MPLS L2VPN and VPLS support the L2VPN access to L3VPN or IP backbone feature. MPLS L2VPN provides point-to-point connections, and VPLS provides point-to-multipoint connections.

Unless otherwise specified, the term "MPLS L2VPN" in this document refers to both MPLS L2VPN and VPLS.

For more information about MPLS L2VPN, VPLS, and MPLS L3VPN, see "Configuring MPLS L2VPN," "Configuring VPLS," and "Configuring MPLS L3VPN."

Overview

MPLS L2VPN transparently transfers Layer 2 data across an MPLS network. From the perspective of users, an MPLS L2VPN network is transparent, and an MPLS L2VPN connection is a direct physical link.

MPLS L2VPN can also act as an access network to connect users to an MPLS L3VPN or IP backbone. An MPLS L2VPN access network has the following features:

· Transparency—MPLS L2VPN is transparent to users and can be regarded as a physical link that directly connects users to the backbone.

· Cost reduction—MPLS L2VPN only requires PEs to identify users and user services, and P devices only forward packets based on labels. Therefore, you can use low-end devices as P devices to reduce your investment.

· Flexible networking—MPLS L2VPN supports various user access modes, such as Ethernet, ATM, and frame relay. It allows links that run different link layer protocols to communicate with each other through interworking.

L2VPN access to L3VPN or IP backbone can be implemented in two modes: conventional and improved.

Conventional L2VPN access to L3VPN or IP backbone

As shown in Figure 117, the access network is an MPLS L2VPN. PE 1 and PE 2 are PE devices in the MPLS L2VPN. PE 1 is connected to VPN site 1. PE 2 is connected to the MPLS L3VPN/IP backbone through PE 3. PE 3 acts as a PE in the MPLS L3VPN/IP backbone and as a CE in the MPLS L2VPN at the same time.

A packet from VPN site 1 to VPN site 2 is forwarded as follows:

1. A user in VPN site 1 sends a packet to PE 1.

2. PE 1 adds an MPLS label to the packet and sends the packet through a PW to PE 2.

3. PE 2 removes the MPLS label from the packet to obtain the original Layer 2 packet, and sends the packet to the connected CE (PE 3).

4. PE 3 looks up the routing table, and forwards the packet to the destination through the MPLS L3VPN or IP backbone.

Figure 117 Network diagram

In the conventional networking mode, two devices are required to connect the MPLS L2VPN and the MPLS L3VPN or IP backbone (PE 2 and PE 3 in this example). One (PE 2) is required for terminating the MPLS L2VPN, and the other (PE 3) is required for accessing the MPLS L3VPN or IP backbone.

Improved L2VPN access to L3VPN or IP backbone

In the improved networking mode, the functions of the two devices that connect the MPLS L2VPN and the MPLS L3VPN or IP backbone can be implemented on one device. Thus, you can reduce the number of devices to be deployed, and lower the networking cost and the network deployment complexity.

As shown in Figure 118, the PE Aggregation (PE-agg) device connects the MPLS L2VPN with the MPLS L3VPN or IP backbone. PE-agg terminates the MPLS L2VPN and provides access to the MPLS L3VPN or IP backbone.

Configure the PE-agg as follows so the PE-agg can implement the functions of both PE 2 and PE 3 in Figure 117:

1. Create a terminating virtual Ethernet (VE) interface on the PE-agg to terminate MPLS L2VPN packets.

This interface is referred to as the VE-L2VPN (L2VE) interface. The functions and configurations of the interface are similar to those of the terminating interface (Terminating int) in Figure 117.

2. Create an access VE interface on the PE-agg to provide access to the backbone, and configure the interface and the L2VE interface have the same interface number.

This interface is referred to as the VE-L3VPN (L3VE) interface. The functions and configurations of the interface are similar to those of the access interface (Access int) in Figure 117. The IP address of the L3VE interface must be in the same network segment as the AC interface of CE 1. When the backbone is an MPLS L3VPN, bind the VPN instance to the L3VE interface. The interface can then forward user packets through the VPN routes.

The L2VE interface directly delivers the obtained Layer 2 packets to the L3VE interface. The two VE interfaces can be considered directly connected through a physical link, like the physical link between the L2VE interface and the L3VE interface in Figure 117.

Figure 118 Network diagram

The PE-agg connects the MPLS L2VPN and the backbone through the L2VE interface and the L3VE interface. You can assume that the MPLS L2VPN is connected to the backbone through an Ethernet or VLAN link. If a user is not connected to the MPLS L2VPN through Ethernet or VLAN, you must configure MPLS L2VPN interworking on the user access PE (PE 1) and the L2VE interface of the PE-agg.

Feature and hardware compatibility

Hardware	L2VPN access to L3VPN or IP backbone compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS	No
MSR2600-6-X1/2600-10-X1	Yes
MSR 2630	Yes
MSR3600-28/3600-51	Yes
MSR3600-28-SI/3600-51-SI	No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC	Yes
MSR 3610/3620/3620-DP/3640/3660	Yes
MSR5620/5660/5680	Yes

Hardware	L2VPN access to L3VPN or IP backbone compatibility
MSR810-LM-GL	No
MSR810-W-LM-GL	No
MSR830-6EI-GL	No
MSR830-10EI-GL	No
MSR830-6HI-GL	No
MSR830-10HI-GL	No
MSR2600-6-X1-GL	Yes
MSR3600-28-SI-GL	No

Configuring conventional L2VPN access to L3VPN or IP backbone

As shown in Figure 117, perform the following tasks to configure conventional L2VPN access to L3VPN or IP backbone:

1. Configure the MPLS L2VPN:

? Configure PE 1 and PE 2 as PE devices in the MPLS L2VPN.

? Configure CE 1 and PE 3 as CE devices in the MPLS L2VPN.

For more information about MPLS L2VPN configuration, see "Configuring MPLS L2VPN" and "Configuring VPLS."

2. Configure the MPLS L3VPN or IP backbone:

? Configure PE 3 and PE 4 as PE devices in the MPLS L3VPN or IP backbone.

? Configure CE 1 and CE 2 as CE devices in the MPLS L3VPN or IP backbone.

For more information about MPLS L3VPN configuration, see "Configuring MPLS L3VPN."

Configuring improved L2VPN access to L3VPN or IP backbone

As shown in Figure 118, configurations required on PE 1, PE 4, CE 1, and CE 2 are similar to those on the devices in the conventional L2VPN access scenario. The PE-agg requires the following configurations:

· Create an L2VE interface and an L3VE interface that have the same interface number.

· Configure MPLS L2VPN. For more information, see "Configuring MPLS L2VPN" and "Configuring VPLS."

· Configure MPLS L3VPN or IP routes. For more information about MPLS L3VPN configuration, see "Configuring MPLS L3VPN."

Configuring an L2VE interface

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an L2VE interface and enter its view.	interface ve-l2vpn interface-number	By default, no L2VE interfaces exist.
3. (Optional.) Configure a description for the interface.	description text	By default, the description for the interface is VE-L2VPNnumber Interface, for example, VE-L2VPN100 Interface.
4. (Optional.) Set the MTU for the interface.	mtu size	By default, the MTU is 1500 bytes for an interface.
5. (Optional.) Set the expected bandwidth for the interface.	bandwidth bandwidth-value	By default, the expected bandwidth is 100000 kbps for an interface.
6. (Optional.) Restore the default settings for the interface.	default	N/A
7. (Optional.) Bring up the interface.	undo shutdown	By default, the interface is up.

Configuring an L3VE interface

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an L3VE interface and enter its view.	interface ve-l3vpn interface-number	By default, no L3VE interfaces exist.
3. (Optional.) Configure a description for the interface.	description text	By default, the description for the interface is VE-L3VPNnumber Interface, for example, VE-L3VPN100 Interface.
4. (Optional.) Set the MTU for the interface.	mtu size	By default, the MTU is 1500 bytes for an interface.
5. (Optional.) Set the expected bandwidth for the interface.	bandwidth bandwidth-value	By default, the expected bandwidth is 100000 kbps for an interface.
6. (Optional.) Restore the default settings for the interface.	default	N/A
7. (Optional.) Bring up the interface.	undo shutdown	By default, the interface is up.

Displaying and maintaining L2VPN access to L3VPN or IP backbone

Execute display commands in any view and reset commands in user view.

Task	Command
Display information about L2VE interfaces or L3VE interfaces.	display interface [ ve-l2vpn [ interface-number ] \| ve-l3vpn [ interface-number ] ] [ brief [ description \| down ] ]
Clear interface statistics.	reset counters interface [ ve-l2vpn [ interface-number ] \| ve-l3vpn [ interface-number ] ]

Improved L2VPN access to L3VPN or IP backbone configuration examples

Access to MPLS L3VPN through an LDP MPLS L2VPN

The MPLS L2VPN in this configuration example is a point-to-point MPLS L2VPN that provides PPP-to-Ethernet interworking.

Network requirements

The backbone is an MPLS L3VPN, which advertises VPN routes through BGP and forwards VPN packets based on MPLS labels.

CE 1 and CE 2 belong to VPN 1 whose route target is 111:1 and RD is 200:1. CE 1 is connected to PE 1 through interface Serial 2/1/0, which uses PPP encapsulation. CE 2 is connected to the MPLS L3VPN through interface GigabitEthernet 2/0/1.

Perform the following configurations to allow communication between CE 1 and CE 2:

· Set up an LDP PW between PE 1 and PE-agg, so that CE 1 can access the MPLS L3VPN through MPLS L2VPN.

· Configure MPLS L2VPN interworking on interface Serial 2/1/0 of PE 1 and the L2VE interface of PE-agg.

This configuration is required because CE 1 is connected to the MPLS L2VPN through PPP, not Ethernet or VLAN.

· Run EBGP between CE 1 and PE-agg and between CE 2 and PE 2 to exchange VPN routing information.

· Run MP-IBGP between PE-agg and PE 2 to exchange VPN routing information.

· Run IS-IS between PE-agg and PE 2 to ensure IP connectivity within the backbone.

· Run OSPF among PE 1, P, and PE-agg to ensure IP connectivity between the PEs.

Figure 119 Network diagram

Table 45 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	Ser2/1/0	100.1.1.1/24	PE-agg	Loop0	3.3.3.9/32
PE 1	Loop0	1.1.1.9/32		POS2/2/0	10.2.2.2/24
	POS2/2/0	10.2.1.1/24		POS2/2/1	10.3.3.1/24
P	Loop0	2.2.2.9/32		VE-L3VPN1	100.1.1.2/24
	POS2/2/0	10.2.1.2/24	PE 2	Loop0	4.4.4.9/32
	POS2/2/1	10.2.2.1/24		POS2/2/0	10.3.3.2/24
CE 2	GE2/0/1	100.2.1.2/24		GE2/0/1	100.2.1.1/24

Configuration procedure

1. Configure IP addresses for interfaces as shown in Table 45. (Details not shown.)

2. Create interfaces VE-L2VPN 1 and VE-L3VPN 1 on PE-agg:

# Create interface VE-L2VPN 1.

<PEagg> system-view

[PEagg] interface ve-l2vpn 1

[PEagg-VE-L2VPN1] quit

# Create interface VE-L3VPN 1.

[PEagg] interface ve-l3vpn 1

[PEagg-VE-L3VPN1] quit

3. Configure MPLS L2VPN:

a. Configure OSPF on PE 1, P, and PE-agg, and advertise interface addresses:

# Configure PE 1.

<PE1> system-view

[PE1] ospf

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

# Configure the P device.

system-view

[P] ospf

[P-ospf-1] area 0

[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[P-ospf-1-area-0.0.0.0] network 10.2.2.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] quit

[P-ospf-1] quit

# Configure PE-agg.

[PEagg] ospf

[PEagg-ospf-1] area 0

[PEagg-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[PEagg-ospf-1-area-0.0.0.0] network 10.2.2.0 0.0.0.255

[PEagg-ospf-1-area-0.0.0.0] quit

[PEagg-ospf-1] quit

b. Configure basic MPLS and MPLS LDP on PE 1, P, and PE-agg:

# Configure PE 1.

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] lsp-trigger all

[PE1-ldp] quit

[PE1] interface pos 2/2/0

[PE1-Pos2/2/0] mpls enable

[PE1-Pos2/2/0] mpls ldp enable

[PE1-Pos2/2/0] quit

# Configure the P device.

[P] mpls lsr-id 2.2.2.9

[P] mpls ldp

[P-ldp] lsp-trigger all

[P-ldp] quit

[P] interface pos 2/2/0

[P-Pos2/2/0] mpls enable

[P-Pos2/2/0] mpls ldp enable

[P-Pos2/2/0] quit

[P] interface pos 2/2/1

[P-Pos2/2/1] mpls enable

[P-Pos2/2/1] mpls ldp enable

[P-Pos2/2/1] quit

# Configure PE-agg.

[PEagg] mpls lsr-id 3.3.3.9

[PEagg] mpls ldp

[PEagg-ldp] lsp-trigger all

[PEagg-ldp] quit

[PEagg] interface pos 2/2/0

[PEagg-Pos2/2/0] mpls enable

[PEagg-Pos2/2/0] mpls ldp enable

[PEagg-Pos2/2/0] quit

c. Enable L2VPN on PE 1 and PE-agg:

# Configure PE 1.

[PE1] l2vpn enable

# Configure PE-agg.

[PEagg] l2vpn enable

d. Configure the AC interfaces of PE 1 and PE-agg, create PWs that support interworking, and bind the interface to the PWs:

# On Serial 2/1/0 of PE 1, configure PPP to support IPCP negotiation without IP address.

[PE1] interface serial 2/1/0

[PE1-Serial2/1/0] link-protocol ppp

[PE1-Serial2/1/0] ppp ipcp ignore local-ip

[PE1-Serial2/1/0] quit

# On PE 1, create a PW that supports interworking in the group, and bind Serial 2/1/0 to the PW.

[PE1] xconnect-group 1

[PE1-xcg-1] connection 1

[PE1-xcg-1-1] ac interface serial 2/1/0

[PE1-xcg-1-1] interworking ipv4

[PE1-xcg-1-1] peer 3.3.3.9 pw-id 101

[PE1-xcg-1-1-3.3.3.9-101] quit

# On the L2VE interface of PE-agg, specify the default next hop as 100.1.1.2.

[PEagg] interface ve-l2vpn 1

[PEagg-VE-L2VPN1] default-nexthop ip 100.1.1.2

[PEagg-VE-L2VPN1] quit

# On PE-agg, create a PW that supports interworking in the group, and bind VE-L2VPN 1 to the PW.

[PEagg] xconnect-group 1

[PEagg-xcg-1] connection 1

[PEagg-xcg-1-1] ac interface ve-l2vpn 1

[PEagg-xcg-1-1] interworking ipv4

[PEagg-xcg-1-1] peer 1.1.1.9 pw-id 101

[PEagg-xcg-1-1-1.1.1.9-101] quit

e. Configure the AC interface of CE 1 (Serial 2/1/0).

<CE1> system-view

[CE1] interface serial 2/1/0

[CE1-Serial2/1/0] link-protocol ppp

[CE1-Serial2/1/0] ip address 100.1.1.1 24

4. Configure MPLS L3VPN:

a. Configure IS-IS on PE 2 and PE-agg, and advertise interface addresses:

# Configure PE-agg.

[PEagg] isis 1

[PEagg-isis-1] network-entity 10.0000.0000.0001.00

[PEagg-isis-1] quit

[PEagg] interface pos 2/2/1

[PEagg-Pos2/2/1] isis enable 1

[PEagg-Pos2/2/1] quit

[PEagg] interface loopback 0

[PEagg-LoopBack0] isis enable 1

[PEagg-LoopBack0] quit

# Configure PE 2.

[PE2] isis 1

[PE2-isis-1] network-entity 10.0000.0000.0002.00

[PE2-isis-1] quit

[PE2] interface pos 2/2/0

[PE2-Pos2/2/0] isis enable 1

[PE2-Pos2/2/0] quit

[PE2] interface loopback 0

[PE2-LoopBack0] isis enable 1

[PE2-LoopBack0] quit

b. Configure basic MPLS and MPLS LDP on PE-agg and PE 2:

# Configure PE-agg.

[PEagg] interface pos 2/2/1

[PEagg-Pos2/2/1] mpls enable

[PEagg-Pos2/2/1] mpls ldp enable

[PEagg-Pos2/2/1] quit

# Configure PE 2.

[PE2] mpls lsr-id 4.4.4.9

[PE2] mpls ldp

[PE2-ldp] lsp-trigger all

[PE2-ldp] quit

[PE2] interface pos 2/2/0

[PE2-Pos2/2/0] mpls enable

[PE2-Pos2/2/0] mpls ldp enable

[PE2-Pos2/2/0] quit

c. On PE-agg and PE 2, create VPN instance VPN1, and bind the VPN instance to the interface connected to the CE:

# Configure PE-agg.

[PEagg] ip vpn-instance VPN1

[PEagg-vpn-instance-VPN1] route-distinguisher 200:1

[PEagg-vpn-instance-VPN1] vpn-target 111:1 both

[PEagg-vpn-instance-VPN1] quit

[PEagg] interface ve-l3vpn 1

[PEagg-VE-L3VPN1] ip binding vpn-instance VPN1

[PEagg-VE-L3VPN1] ip address 100.1.1.2 24

# Configure PE 2.

[PE2] ip vpn-instance VPN1

[PE2-vpn-instance-VPN1] route-distinguisher 200:1

[PE2-vpn-instance-VPN1] vpn-target 111:1 both

[PE2-vpn-instance-VPN1] quit

[PE2] interface gigabitethernet 2/0/1

[PE2-GigabitEthernet2/0/1] ip binding vpn-instance VPN1

[PE2-GigabitEthernet2/0/1] ip address 100.2.1.1 24

[PE2-GigabitEthernet2/0/1] quit

d. Establish EBGP peer relationships between CE 1 and PE-agg, and between CE 2 and PE 2 to redistribute VPN routes:

# Configure CE 1 and specify PE-agg as the peer.

<CE1> system-view

[CE1] bgp 65010

[CE1-bgp] peer 100.1.1.2 as-number 100

[CE1-bgp] address-family ipv4

[CE1-bgp-ipv4] peer 100.1.1.2 enable

[CE1-bgp-ipv4] import-route direct

[CE1-bgp-ipv4] quit

[CE1-bgp] quit

# Configure PE-agg and specify CE 1 as the peer.

[PEagg] bgp 100

[PEagg-bgp] ip vpn-instance VPN1

[PEagg-bgp-VPN1] peer 100.1.1.1 as-number 65010

[PEagg-bgp-VPN1] address-family ipv4

[PEagg-bgp-ipv4-VPN1] peer 100.1.1.1 enable

[PEagg-bgp-ipv4-VPN1] import-route direct

[PEagg-bgp-ipv4-VPN1] quit

[PEagg-bgp-VPN1] quit

[PEagg-bgp] quit

# Configure CE 2 and specify PE 2 as the peer.

[CE2] bgp 65020

[CE2-bgp] peer 100.2.1.1 as-number 100

[CE2-bgp] address-family ipv4

[CE2-bgp-ipv4] peer 100.2.1.1 enable

[CE2-bgp-ipv4] import-route direct

[CE2-bgp-ipv4] quit

[CE2-bgp] quit

# Configure PE 2 and specify CE 2 as the peer.

[PE2] bgp 100

[PE2-bgp] ip vpn-instance VPN1

[PE2-bgp-VPN1] peer 100.2.1.2 as-number 65020

[PE2-bgp-VPN1] address-family ipv4

[PE2-bgp-ipv4-VPN1] peer 100.2.1.2 enable

[PE2-bgp-ipv4-VPN1] import-route direct

[PE2-bgp-ipv4-VPN1] quit

[PE2-bgp-VPN1] quit

[PE2-bgp] quit

e. Establish an MP-IBGP peer relationship between PE-agg and PE 2:

# Configure PE-agg.

[PEagg] bgp 100

[PEagg-bgp] peer 4.4.4.9 as-number 100

[PEagg-bgp] peer 4.4.4.9 connect-interface loopback 0

[PEagg-bgp] address-family vpnv4

[PEagg-bgp-vpnv4] peer 4.4.4.9 enable

[PEagg-bgp-vpnv4] quit

[PEagg-bgp] quit

# Configure PE 2.

[PE2] bgp 100

[PE2-bgp] peer 3.3.3.9 as-number 100

[PE2-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE2-bgp] address-family vpnv4

[PE2-bgp-vpnv4] peer 3.3.3.9 enable

[PE2-bgp-vpnv4] quit

[PE2-bgp] quit

5. The default MTU value varies by interface type. To avoid packet fragmentation, set the MTU value for each POS interface on each device to 1500 bytes. The following shows the MTU configuration on PE 1.

[PE1] interface pos 2/2/0

[PE1-Pos2/2/0] mtu 1500

[PE1-Pos2/2/0] shutdown

[PE1-Pos2/2/0] undo shutdown

Verifying the configuration

# Ping CE 2 from CE 1 to verify their connectivity.

<CE1> ping 100.2.1.2

Ping 100.2.1.2 (100.2.1.2): 56 data bytes, press CTRL_C to break

56 bytes from 100.2.1.2: icmp_seq=0 ttl=128 time=1.073 ms

56 bytes from 100.2.1.2: icmp_seq=1 ttl=128 time=1.428 ms

56 bytes from 100.2.1.2: icmp_seq=2 ttl=128 time=19.367 ms

56 bytes from 100.2.1.2: icmp_seq=3 ttl=128 time=1.013 ms

56 bytes from 100.2.1.2: icmp_seq=4 ttl=128 time=0.684 ms

--- Ping statistics for 100.2.1.2 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.684/4.713/19.367/7.331 ms

Access to IP backbone through an LDP VPLS

Network requirements

Create an LDP PW between PE 1 and PE-agg on the VPLS access network, so that CE 1 can access the IP backbone through the PW.

Configure OSPF process 2 to advertise routing information on the IP backbone.

Figure 120 Network diagram

Table 46 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
CE 1	GE2/0/1	100.1.1.1/24	PE-agg	Loop0	3.3.3.9/32
PE 1	Loop0	1.1.1.9/32		POS2/2/0	10.2.2.2/24
	POS2/2/0	10.2.1.1/24		POS2/2/1	10.3.3.1/24
P	Loop0	2.2.2.9/32		VE-L3VPN1	100.1.1.2/24
	POS2/2/0	10.2.1.2/24	PE 2	POS2/2/0	10.3.3.2/24
	POS2/2/1	10.2.2.1/24		GE2/0/1	100.2.1.1/24
CE 2	GE2/0/1	100.2.1.2/24

Configuration procedure

1. Configure IP addresses for interfaces as shown in Table 46. (Details not shown.)

2. Create interfaces VE-L2VPN 1 and VE-L3VPN 1 on PE-agg:

# Create interface VE-L2VPN 1.

<PEagg> system-view

[PEagg] interface ve-l2vpn 1

[PEagg-VE-L2VPN1] quit

# Create interface VE-L3VPN 1, and configure an IP address for the interface.

[PEagg] interface ve-l3vpn 1

[PEagg-VE-L3VPN1] ip address 100.1.1.2 24

[PEagg-VE-L3VPN1] quit

3. Configure MPLS L2VPN:

a. Configure OSPF on PE 1, P, and PE-agg, and advertise interface addresses:

# Configure PE 1.

<PE1> system-view

[PE1] ospf

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

# Configure the P device.

system-view

[P] ospf

[P-ospf-1] area 0

[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[P-ospf-1-area-0.0.0.0] network 10.2.2.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] quit

[P-ospf-1] quit

# Configure PE-agg.

[PEagg] ospf

[PEagg-ospf-1] area 0

[PEagg-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[PEagg-ospf-1-area-0.0.0.0] network 10.2.2.0 0.0.0.255

[PEagg-ospf-1-area-0.0.0.0] quit

[PEagg-ospf-1] quit

b. Configure basic MPLS and MPLS LDP on PE 1, P, and PE-agg:

# Configure PE 1.

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls ldp

[PE1-ldp] lsp-trigger all

[PE1-ldp] quit

[PE1] interface pos 2/2/0

[PE1-Pos2/2/0] mpls enable

[PE1-Pos2/2/0] mpls ldp enable

[PE1-Pos2/2/0] quit

# Configure the P device.

[P] mpls lsr-id 2.2.2.9

[P] mpls ldp

[P-ldp] lsp-trigger all

[P-ldp] quit

[P] interface pos 2/2/0

[P-Pos2/2/0] mpls enable

[P-Pos2/2/0] mpls ldp enable

[P-Pos2/2/0] quit

[P] interface pos 2/2/1

[P-Pos2/2/1] mpls enable

[P-Pos2/2/1] mpls ldp enable

[P-Pos2/2/1] quit

# Configure PE-agg.

[PEagg] mpls lsr-id 3.3.3.9

[PEagg] mpls ldp

[PEagg-ldp] lsp-trigger all

[PEagg-ldp] quit

[PEagg] interface pos 2/2/0

[PEagg-Pos2/2/0] mpls enable

[PEagg-Pos2/2/0] mpls ldp enable

[PEagg-Pos2/2/0] quit

c. Enable L2VPN on PE 1 and PE-agg:

# Configure PE 1.

[PE1] l2vpn enable

# Configure PE-agg.

[PEagg] l2vpn enable

d. Create VSIs on PE 1 and PE-agg:

# On PE 1, create VSI vpna, and specify the PW signaling protocol for the VSI as LDP.

[PE1] vsi vpna

[PE1-vsi-vpna] pwsignaling ldp

# On PE 1, create LDP PW 500 to the peer PE 3.3.3.9.

[PE1-vsi-vpna-ldp] peer 3.3.3.9 pw-id 500

[PE1-vsi-vpna-ldp-3.3.3.9-500] quit

[PE1-vsi-vpna-ldp] quit

[PE1-vsi-vpna] quit

# On PE-agg, create VSI vpna, and specify the PW signaling protocol for the VSI as LDP.

[PEagg] vsi vpna

[PEagg-vsi-vpna] pwsignaling ldp

# On PE-agg, create an LDP PW: specify the peer PE address as 1.1.1.9, and set the PW ID to 500.

[PEagg-vsi-vpna-ldp] peer 1.1.1.9 pw-id 500

[PEagg-vsi-vpna-ldp-1.1.1.9-500] quit

[PEagg-vsi-vpna-ldp] quit

[PEagg-vsi-vpna] quit

e. Bind the AC interface to the VSI on PE 1 and PE-agg:

# On PE 1, bind GigabitEthernet 2/0/1 to VSI vpna.

[PE1] interface gigabitethernet 2/0/1

[PE1-GigabitEthernet2/0/1] xconnect vsi vpna

# On PE-agg, bind VE-L2VPN 1 to VSI vpna.

[PEagg] interface ve-l2vpn 1

[PEagg-VE-L2VPN1] xconnect vsi vpna

4. Configure OSPF process 2 to advertise routing information on the IP backbone:

# Configure CE 1.

[CE1] ospf 2

[CE1-ospf-2] area 0

[CE1-ospf-2-area-0.0.0.0] network 100.1.1.0 0.0.0.255

[CE1-ospf-2-area-0.0.0.0] quit

[CE1-ospf-2] quit

# Configure PE-agg.

[PEagg] ospf 2

[PEagg-ospf-2] area 0

[PEagg-ospf-2-area-0.0.0.0] network 100.1.1.0 0.0.0.255

[PEagg-ospf-2-area-0.0.0.0] network 10.3.3.0 0.0.0.255

[PEagg-ospf-2-area-0.0.0.0] quit

[PEagg-ospf-2] quit

# Configure PE 2.

<PE2> system-view

[PE2] ospf 2

[PE2-ospf-2] area 0

[PE2-ospf-2-area-0.0.0.0] network 100.2.1.0 0.0.0.255

[PE2-ospf-2-area-0.0.0.0] network 10.3.3.0 0.0.0.255

[PE2-ospf-2-area-0.0.0.0] quit

[PE2-ospf-2] quit

# Configure CE 2.

<CE2> system-view

[CE2] ospf 2

[CE2-ospf-2] area 0

[CE2-ospf-2-area-0.0.0.0] network 100.2.1.0 0.0.0.255

[CE2-ospf-2-area-0.0.0.0] quit

[CE2-ospf-2] quit

[PE1] int pos 2/2/0

[PE1-Pos2/2/0] mtu 1500

[PE1-Pos2/2/0] shutdown

[PE1-Pos2/2/0] undo shutdown

Verifying the configuration

# Ping CE 2 from CE 1 to verify their connectivity.

<CE1> ping 100.2.1.2

Ping 100.2.1.2 (100.2.1.2): 56 data bytes, press CTRL_C to break

56 bytes from 100.2.1.2: icmp_seq=0 ttl=128 time=1.073 ms

56 bytes from 100.2.1.2: icmp_seq=1 ttl=128 time=1.428 ms

56 bytes from 100.2.1.2: icmp_seq=2 ttl=128 time=19.367 ms

56 bytes from 100.2.1.2: icmp_seq=3 ttl=128 time=1.013 ms

56 bytes from 100.2.1.2: icmp_seq=4 ttl=128 time=0.684 ms

--- Ping statistics for 100.2.1.2 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.684/4.713/19.367/7.331 ms

Configuring MPLS OAM

Overview

MPLS Operation, Administration, and Maintenance (OAM) provides fault management tools for the following purposes:

· MPLS data plane connectivity verification.

· Data plane and control plane consistency verification.

· Fault locating.

These fault management tools include the following types:

· On-demand tools—Tools that must be triggered manually, such as MPLS ping and MPLS tracert.

· Proactive tools—Tools that are triggered by the system automatically, such as BFD for MPLS, and periodic MPLS tracert.

You can use these tools to detect and locate faults of LSPs, MPLS TE tunnels, and MPLS PWs.

MPLS ping

MPLS ping tests the connectivity of an LSP tunnel, an MPLS TE tunnel, or a PW. At the ingress node, MPLS ping adds the label associated with a tunnel into an MPLS echo request and sends it to the egress node over the tunnel. The egress node processes the request and returns an MPLS echo reply to the ingress node. An MPLS echo reply with a success notification indicates that the tunnel is available for data forwarding. An MPLS echo reply with an error code indicates that the tunnel has failed.

MPLS tracert

MPLS tracert displays the path that an MPLS LSP tunnel or an MPLS TE tunnel travels from the ingress to the egress to locate errors on the tunnel. MPLS tracert consecutively sends MPLS echo requests along the LSP tunnel, with the TTL increasing from 1 to a specific value. Each hop along the tunnel returns an MPLS echo reply to the ingress due to TTL timeout so the ingress can collect information about each hop along the tunnel. This information allows you to locate the failed node or access information for each hop, for example, the label allocated by each downstream hop.

BFD for MPLS

BFD for MPLS uses a BFD session to proactively verify the connectivity of an LSP tunnel, an MPLS TE tunnel, or a PW tunnel.

BFD for MPLS performs the following operations:

1. Establishes a BFD session between the ingress and egress of the tunnel to be inspected.

2. Adds the label associated with the tunnel into a BFD control packet at the ingress.

3. Sends the packet to the egress node over the tunnel.

4. Determines the tunnel status according to the BFD control packet returned by the egress.

When BFD detects a connectivity failure, it triggers the pre-configured action, such as FRR or path protection switching, to ensure uninterrupted traffic forwarding.

A BFD session for LSP, MPLS TE tunnel, or PW connectivity verification can be established in one of the following modes:

· Static mode—You manually specify the local and remote discriminators through command lines to establish the BFD session.

· Dynamic mode—The system automatically runs MPLS ping to negotiate the discriminators to establish the BFD session.

In static mode, the egress node returns a BFD control packet to the ingress node through the reverse tunnel. If no reverse tunnel exists, the ingress node cannot receive the BFD control packet, resulting in a verification failure.

In dynamic mode, the egress node returns a BFD control packet to the ingress node through the reverse tunnel. If no reverse tunnel exists, the egress mode returns a BFD packet through IP routing.

Use the static mode to test the connectivity of a pair of LSPs or MPLS TE tunnels in opposite directions between two devices. Use the dynamic mode to test the connectivity of one LSP or MPLS TE tunnel from the local device to the remote device.

A PW is bidirectional. You will get the correct result using either the static or dynamic mode.

Periodic MPLS tracert

The periodic MPLS tracert feature automatically traces an LSP tunnel at intervals. It locates errors on the LSP tunnel, verifies the consistency of the data plane and control plane, and records the detected errors in system logs. You can check the logs to monitor LSP connectivity.

If both BFD and periodic MPLS tracert are configured for an LSP, and the periodic tracert feature detects a data plane and control plane inconsistency, the device performs the following tasks:

1. Deletes the BFD session for the LSP.

2. Re-establishes the BFD session based on the control plane.

Protocols and standards

· RFC 4379, Detecting Multi-Protocol Label Switched (MPLS) Data Plane Failures

· RFC 5085, Pseudowire Virtual Circuit Connectivity Verification (VCCV): A Control Channel for Pseudowires

· RFC 5885, Bidirectional Forwarding Detection (BFD) for the Pseudowire Virtual Circuit Connectivity Verification (VCCV)

Feature and hardware compatibility

Hardware	MPLS OAM compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS	No
MSR 2600-6-X1/2600-10-X1	Yes
MSR 2630	Yes
MSR3600-28/3600-51	Yes
MSR3600-28-SI/3600-51-SI	No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC	Yes
MSR 3610/3620/3620-DP/3640/3660	Yes
MSR5620/5660/5680	Yes

Hardware	MPLS OAM compatibility
MSR810-LM-GL	No
MSR810-W-LM-GL	No
MSR830-6EI-GL	No
MSR830-10EI-GL	No
MSR830-6HI-GL	No
MSR830-10HI-GL	No
MSR2600-6-X1-GL	Yes
MSR3600-28-SI-GL	No

Configuring MPLS OAM for LSP tunnels

To verify LSP connectivity, you can use one of the following methods:

· Use the ping mpls ipv4 command or the tracert mpls ipv4 command to trigger LSP connectivity verification as needed.

· Configure BFD or periodic MPLS tracert for the system to automatically verify LSP connectivity.

Configuring MPLS ping for LSPs

Perform the following task in any view:

Task	Command
Use MPLS ping to verify MPLS LSP connectivity for an IPv4 prefix.	ping mpls [ -a source-ip \| -c count \| -exp exp-value \| -h ttl-value \| -m wait-time \| -r reply-mode \| -rtos tos-value \| -s packet-size \| -t time-out \| -v ] * ipv4 ipv4-address mask-length [ destination start-address [ end-address [ address-increment ] ] ]

Configuring MPLS tracert for LSPs

Perform the following task in any view:

Task	Command
Use MPLS tracert to trace the LSPs for an IPv4 prefix.	tracert mpls [ -a source-ip \| -exp exp-value \| -h ttl-value \| -r reply-mode \| -rtos tos-value \| -t time-out \| -v \| fec-check ] * ipv4 ipv4-address mask-length [ destination start-address [ end-address [ address-increment ] ] ]

Configuring BFD for LSPs

To configure BFD for an LSP, configure both the local and remote devices as described in Table 47.

Table 47 Configurations on the local and remote devices

BFD session establishment mode	Node type	Execute the "mpls bfd enable" command?	Execute the "mpls bfd" command?	Configure the discriminator keyword?
Static mode	Local	Yes	Yes	Yes
Static mode	Remote	Yes	Yes	Yes
Dynamic mode	Local	Yes	Yes	No
Dynamic mode	Remote	Yes	No	N/A

Follow these guidelines to configure BFD for an LSP tunnel:

· To establish a static BFD session, ensure that the local and remote discriminators configured locally are identical with the remote and local discriminators configured on the remote device, respectively.

· The source address of the BFD session is the MPLS LSR ID of the local device. Before configuring BFD for the LSP tunnel, perform the following tasks:

a. Configure an MPLS LSR ID for the local device.

b. Make sure a route is available on the remote device to reach the MPLS LSR ID.

· If multiple LSPs exist for an FEC, you can perform one of the following tasks:

? Create a BFD session for an LSP by specifying the next hop of the LSP.

This configuration is not available for nested LSP connectivity verification.

? Create a BFD session for each LSP without specifying a next hop.

· On a BFD session established in static mode, the ingress node and egress node both operate in active mode. On a BFD session established in dynamic mode, the egress node operates in active mode and the ingress node operates in passive mode. Executing the bfd session init-mode command on the ingress or egress node does not change the node's operating mode.

To configure BFD for LSPs:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable BFD for MPLS.	mpls bfd enable	By default, BFD for MPLS is disabled.
3. (Optional.) Remove the Router Alert option in BFD packets.	undo bfd ip-router-alert	By default, the device sends BFD packets carrying the Router Alert option to detect an LSP. Execute this command on the local device if the peer device cannot identify the Router Alert option in BFD packets. This command takes effect only on BFD sessions that come up after this command is executed.
4. Configure BFD to verify LSP connectivity for an FEC.	mpls bfd dest-addr mask-length [ nexthop nexthop-address [ discriminator local local-id remote remote-id ] ] [ template template-name ]	By default, BFD is not configured to verify LSP connectivity for an FEC.

Configuring periodic MPLS tracert for LSPs

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable BFD for MPLS.	mpls bfd enable	By default, BFD for MPLS is disabled.
3. Enable periodic LSP tracert for an FEC.	mpls periodic-tracert dest-addr mask-length [ -a source-ip \| -exp exp-value \| -h ttl-value \| -m wait-time \| -rtos tos-value \| -t time-out \| -u retry-attempt \| fec-check ] *	By default, periodic LSP tracert is disabled.

Configuring MPLS OAM for MPLS TE tunnels

To verify MPLS TE tunnel connectivity, you can use one of the following methods:

· Use ping mpls te command or the tracert mpls te command to trigger MPLS TE tunnel connectivity verification as needed.

· Configure BFD for the system to automatically verify MPLS TE tunnel connectivity.

Configuring MPLS ping for MPLS TE tunnels

Perform the following task in any view:

Task	Command
Use MPLS ping to verify MPLS TE tunnel connectivity.	ping mpls [ -a source-ip \| -c count \| -exp exp-value \| -h ttl-value \| -m wait-time \| -r reply-mode \| -rtos tos-value \| -s packet-size \| -t time-out \| -v ] * te tunnel interface-number

Configuring MPLS tracert for MPLS TE tunnels

Perform the following task in any view:

Task	Command
Use MPLS tracert to trace an MPLS TE tunnel.	tracert mpls [ -a source-ip \| -exp exp-value \| -h ttl-value \| -r reply-mode \| -rtos tos-value \| -t time-out \| -v \| fec-check ] * te tunnel interface-number

Configuring BFD for MPLS TE tunnels

To run BFD on an MPLS TE tunnel, configure both the local and remote devices as described in Table 48.

Table 48 Configurations on the local and remote devices

BFD session establishment mode	Node type	Execute the "mpls bfd enable" command?	Execute the "mpls bfd" command?	Configure the discriminator keyword?
Static mode	Local	Yes	Yes	Yes
Static mode	Remote	Yes	Yes	Yes
Dynamic mode	Local	Yes	Yes	No
Dynamic mode	Remote	Yes	No	N/A

Follow these guidelines to configure BFD for an MPLS TE tunnel:

· The source address of the BFD session is the MPLS LSR ID of the local device. Before you configure BFD for the LSP tunnel, configure an MPLS LSR ID for the local device. Make sure a route is available on the remote device to reach the MPLS LSR ID.

· If both BFD and FRR are enabled for an MPLS TE tunnel, set the BFD detection interval for tunnel connectivity verification to be longer than that for FRR. Otherwise, the BFD session for MPLS TE tunnel connectivity verification will be down during an FRR switchover.

To configure BFD for MPLS TE tunnels:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable BFD for MPLS.	mpls bfd enable	By default, BFD for MPLS is disabled.
3. Enter the view of the MPLS TE tunnel interface.	interface tunnel number	N/A
4. Configure BFD to verify MPLS TE tunnel connectivity.	mpls bfd [ discriminator local local-id remote remote-id ] [ template template-name ]	By default, BFD is not configured to verify MPLS TE tunnel connectivity.

Configuring MPLS OAM for a PW

Virtual Circuit Connectivity Verification (VCCV) is an L2VPN PW OAM feature to verify PW connectivity in data plane. VCCV can be implemented in the following modes:

· On-demand mode—Execute the ping mpls pw command to trigger PW connectivity detection.

· Proactive mode—Configure BFD or raw-BFD for a PW to test PW connectivity.

The packets used to verify PW connectivity are collectively referred to as VCCV packets. A PE transfers VCCV packets through a control channel (CC).

CCs include the following types:

· Control word—Identifies VCCV packets through the control word (PW-ACH, PW Associated Channel Header). You can use this CC type only when the PW supports control word. For more information about control word, see "Configuring MPLS L2VPN."

· MPLS router alert label—Identifies a VCCV packet by adding an MPLS router alert label before the PW label.

Connectivity Verification (CV) tools include the following types:

· MPLS ping—Uses MPLS ping to verify PW connectivity.

· BFD—Uses BFD to verify PW connectivity. BFD packets use IP/UDP encapsulation (with IP/UDP headers).

· Raw-BFD—Uses BFD to verify PW connectivity. BFD packets use PW-ACH encapsulation (without IP/UDP headers). Raw-BFD takes effect only when the CC type is control-word.

Configuring MPLS ping for a PW

Before you configure MPLS ping for a PW, perform the following tasks:

1. Create a PW class, and use the vccv cc command to configure the VCCV CC type in PW class view.

2. Create the PW, and use the PW class created in the previous step for the PW.

Perform the following task in any view:

Task	Command
Use MPLS ping to verify the connectivity of a PW.	ping mpls [ -a source-ip \| -c count \| -exp exp-value \| -h ttl-value \| -m wait-time \| -r reply-mode \| -rtos tos-value \| -s packet-size \| -t time-out \| -v ] * pw ip-address pw-id pw-id

Configuring BFD for a PW

Follow these steps to configure BFD for a PW:

1. Enable BFD for MPLS.

2. Create a PW class, and configure BFD for PW connectivity verification in PW class view.

3. Create the PW, and use the PW class created in the previous step for the PW.

If both PEs of the PW have configured BFD and use the same BFD packet encapsulation type, the PEs use the specified encapsulation type to verify PW connectivity. Otherwise, the PEs do not use BFD to verify PW connectivity.

If both PEs have specified the same VCCV CC type, the specified VCCV CC type is used. Otherwise, the PEs do not use any CC and they cannot establish a BFD session for the PW.

Configuring BFD for an MPLS L2VPN PW

Perform this task to use BFD to verify the connectivity of a static PW or an LDP PW of MPLS L2VPN:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable BFD for MPLS.	mpls bfd enable	By default, BFD for MPLS is disabled.
3. Create a PW class and enter PW class view.	pw-class class-name	By default, no PW class is created. To use BFD to verify connectivity of a PW, you must create a PW class for the PW and configure VCCV settings in PW class view.
4. Use BFD to verify PW connectivity.	vccv bfd [ raw-bfd ] [ template template-name ]	By default, BFD is not used to verify PW connectivity. If you specify the raw-bfd keyword in this command, make sure you specify the VCCV CC type as control-word.
5. Specify the VCCV CC type.	vccv cc { control-word \| router-alert }	By default, no VCCV CC type is specified.
6. Return to system view.	quit	N/A
7. Enter cross-connect group view.	xconnect-group group-name	N/A
8. Enter cross-connect view.	connection connection-name	N/A
9. Configure a PW, specify the created PW class for it, and enter PW view.	peer ip-address pw-id pw-id [ in-label label-value out-label label-value ] pw-class class-name [ tunnel-policy tunnel-policy-name ]	By default, no PW is configured.
10. (Optional.) Set the local and remote discriminators for the BFD session used to verify PW connectivity.	bfd discriminator local local-id remote remote-id	By default, no local and remote discriminators are set. Make sure the local discriminator and remote discriminator configured on the local PE are the same as the remote discriminator and local discriminator configured on the remote PE, respectively.
11. (Optional.) Configure a backup PW, specify the PW class for the backup PW, and enter backup PW view.	backup-peer ip-address pw-id pw-id [ in-label label-value out-label label-value ] pw-class class-name [ tunnel-policy tunnel-policy-name ]	By default, no backup PW is configured.
12. (Optional.) Set the local and remote discriminators for the BFD session used to verify the connectivity of the backup PW.	bfd discriminator local local-id remote remote-id	By default, no local and remote discriminators are configured. Make sure the local discriminator and remote discriminator configured on the local PE are the same as the remote discriminator and local discriminator configured on the remote PE, respectively.

Configuring BFD for a VPLS static PW

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable BFD for MPLS.	mpls bfd enable	By default, BFD for MPLS is disabled.
3. Create a PW class and enter PW class view.	pw-class class-name	By default, no PW class is created. To use BFD to verify connectivity of a PW, you must create a PW class for the PW and configure VCCV settings in PW class view.
4. Use BFD to verify PW connectivity.	vccv bfd [ raw-bfd ] [ template template-name ]	By default, BFD is not used to verify PW connectivity. If you specify the raw-bfd keyword in this command, make sure you specify the VCCV CC type as control-word.
5. Specify the VCCV CC type.	vccv cc { control-word \| router-alert }	By default, no VCCV CC type is specified.
6. Return to system view.	quit	N/A
7. Enter VSI view.	vsi vsi-name [ hub-spoke ]	N/A
8. Configure the VSI to establish static PWs and enter VSI static view.	pwsignaling static	N/A
9. Configure a VPLS PW, specify the created PW class for it, and enter VSI static PW view.	peer ip-address pw-id pw-id in-label label-value out-label label-value pw-class class-name [ hub \| no-split-horizon \| tunnel-policy tunnel-policy-name ] *	By default, no VPLS PW is configured.
10. (Optional.) Set the local and remote discriminators for the BFD session used to verify PW connectivity.	bfd discriminator local local-id remote remote-id	By default, no local and remote discriminators are set. Make sure the local discriminator and remote discriminator configured on the local PE are the same as the remote discriminator and local discriminator configured on the remote PE, respectively.
11. (Optional.) Configure a static backup PW, specify the PW class for the backup PW, and enter VSI static backup PW view.	backup-peer ip-address pw-id pw-id in-label label-value out-label label-value pw-class class-name [ tunnel-policy tunnel-policy-name ]	By default, no backup VPLS PW is configured.
12. (Optional.) Set the local and remote discriminators for the BFD session used to verify the connectivity of the backup PW.	bfd discriminator local local-id remote remote-id	By default, no local and remote discriminators are set. Make sure the local discriminator and remote discriminator configured on the local PE are the same as the remote discriminator and local discriminator configured on the remote PE, respectively.

Configuring BFD for a VPLS LDP PW

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable BFD for MPLS.	mpls bfd enable	By default, BFD for MPLS is disabled.
3. Create a PW class and enter PW class view.	pw-class class-name	By default, no PW class is created. To use BFD to verify connectivity of a PW, you must create a PW class for the PW and configure VCCV settings in PW class view.
4. Use BFD to verify PW connectivity.	vccv bfd [ raw-bfd ] [ template template-name ]	By default, BFD is not used to verify PW connectivity. If you specify the raw-bfd keyword in this command, make sure you specify the VCCV CC type as control-word.
5. Specify the VCCV CC type.	vccv cc { control-word \| router-alert }	By default, no VCCV CC type is specified.
6. Return to system view.	quit	N/A
7. Enter VSI view.	vsi vsi-name [ hub-spoke ]	N/A
8. Configure the VSI to establish PWs using LDP and enter VSI LDP view.	pwsignaling ldp	N/A
9. Configure a VPLS PW, specify the created PW class for it, and enter VSI LDP PW view.	peer ip-address pw-id pw-id pw-class class-name [ hub \| no-split-horizon \| tnl-policy tunnel-policy-name ] *	By default, no VPLS PW is configured.
10. (Optional.) Set the local and remote discriminators for the BFD session used to verify PW connectivity.	bfd discriminator local local-id remote remote-id	By default, no local and remote discriminators are set. Make sure the local discriminator and remote discriminator configured on the local PE are the same as the remote discriminator and local discriminator configured on the remote PE, respectively.
11. (Optional.) Configure an LDP backup PW, specify the PW class for the backup PW, and enter VSI LDP backup PW view.	backup-peer ip-address pw-id pw-id pw-class class-name [ tunnel-policy tunnel-policy-name ]	By default, no backup VPLS PW is configured.
12. (Optional.) Set the local and remote discriminators for the BFD session used to verify the connectivity of the backup PW.	bfd discriminator local local-id remote remote-id	By default, no local and remote discriminators are set. Make sure the local discriminator and remote discriminator configured on the local PE are the same as the remote discriminator and local discriminator configured on the remote PE, respectively.

Displaying MPLS OAM

Execute display commands in any view.

Task	Command
Display BFD information for LSP tunnels or MPLS TE tunnels.	display mpls bfd [ ipv4 ipv4-address mask-length \| te tunnel tunnel-number ]
Display BFD information for PWs.	display l2vpn pw bfd [ peer peer-ip pw-id pw-id ]

BFD for LSP configuration example

Network requirements

Use LDP to establish an LSP from 1.1.1.9/32 to 3.3.3.9/32 and an LSP from 3.3.3.9/32 to 1.1.1.9/32. Use BFD to verify LSP connectivity.

Figure 121 Network diagram

Configuration procedure

1. Configure IP addresses for interfaces. (Details not shown.)

2. Configure OSPF to ensure IP connectivity between the routers:

# Configure Router A.

<RouterA> system-view

[RouterA] ospf

[RouterA-ospf-1] area 0

[RouterA-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[RouterA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[RouterA-ospf-1-area-0.0.0.0] quit

[RouterA-ospf-1] quit

# Configure Router B.

<RouterB> system-view

[RouterB] ospf

[RouterB-ospf-1] area 0

[RouterB-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[RouterB-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[RouterB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255

[RouterB-ospf-1-area-0.0.0.0] quit

[RouterB-ospf-1] quit

# Configure Router C.

<RouterC> system-view

[RouterC] ospf

[RouterC-ospf-1] area 0

[RouterC-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[RouterC-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255

[RouterC-ospf-1-area-0.0.0.0] quit

[RouterC-ospf-1] quit

3. Enable MPLS and LDP:

# Configure Router A.

[RouterA] mpls lsr-id 1.1.1.9

[RouterA] mpls ldp

[RouterA-ldp] quit

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] mpls enable

[RouterA-GigabitEthernet2/0/1] mpls ldp enable

[RouterA-GigabitEthernet2/0/1] quit

# Configure Router B.

[RouterB] mpls lsr-id 2.2.2.9

[RouterB] mpls ldp

[RouterB-ldp] quit

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] mpls enable

[RouterB-GigabitEthernet2/0/1] mpls ldp enable

[RouterB-GigabitEthernet2/0/1] quit

[RouterB] interface gigabitethernet 2/0/2

[RouterB-GigabitEthernet2/0/2] mpls enable

[RouterB-GigabitEthernet2/0/2] mpls ldp enable

[RouterB-GigabitEthernet2/0/2] quit

# Configure Router C.

[RouterC] mpls lsr-id 3.3.3.9

[RouterC] mpls ldp

[RouterC-ldp] quit

[RouterC] interface gigabitethernet 2/0/2

[RouterC-GigabitEthernet2/0/2] mpls enable

[RouterC-GigabitEthernet2/0/2] mpls ldp enable

[RouterC-GigabitEthernet2/0/2] quit

4. Enable BFD for MPLS, and configure BFD to verify LSP connectivity:

# Configure Router A.

[RouterA] mpls bfd enable

[RouterA] mpls bfd 3.3.3.9 32

# Configure Router C.

[RouterC] mpls bfd enable

[RouterC] mpls bfd 1.1.1.9 32

Verifying the configuration

# Display BFD information for LSPs on Router A and Router C, for example, on Router A.

[RouterA] display mpls bfd

Total number of sessions: 2, 2 up, 0 down, 0 init

FEC Type: LSP

FEC Info:

Destination: 1.1.1.9

Mask Length: 32

NHLFE ID: -

Local Discr: 513 Remote Discr: 513

Source IP: 1.1.1.9 Destination IP: 3.3.3.9

Session State: Up Session Role: Active

Template Name: -

FEC Type: LSP

FEC Info:

Destination: 3.3.3.9

Mask Length: 32

NHLFE ID: 1042

Local Discr: 514 Remote Discr: 514

Source IP: 1.1.1.9 Destination IP: 127.0.0.1

Session State: Up Session Role: Passive

Template Name: -

The output shows that two BFD sessions have been established between Router A and Router C. One session verifies the connectivity of the LSP from 3.3.3.9/32 to 1.1.1.9/32, and the other session verifies the connectivity of the LSP from 1.1.1.9/32 to 3.3.3.9/32.

Configuring MPLS protection switching

Overview

MPLS Protection Switching (PS) provides an end-to-end linear protection mechanism for MPLS TE tunnels. It associates an MPLS TE tunnel (working tunnel) with another MPLS TE tunnel (protection tunnel) to form a protection group. When the working tunnel fails, traffic is immediately switched to the protection tunnel, ensuring continuous traffic forwarding.

Protection switching triggering modes

A failure on the working tunnel triggers a protection switching. Protection switching can also be triggered by a command or a signal fail indication.

· Command switching (external switching)—A PS is triggered by an externally configured switching command, which can define the following switching actions (in the descending order of priority):

? Clear—Clears all configured switching actions.

? Lockout of protection—Always uses the working tunnel to forward traffic.

? Forced switch—Forces traffic to be switched from the working tunnel to the protection tunnel.

? Manual switch—Manually switches traffic from the working tunnel to the protection tunnel. If a failure has occurred on the protection tunnel, traffic is not switched.

· Signal fail switching—A PS is automatically triggered by a signal fail indication. The signaling can be BFD detection for MPLS TE tunnels or interface state (up/down) detection through link layer. For more information about configuring BFD for MPLS TE tunnels, see "Configuring MPLS OAM."

The following shows the protection switching triggers in the descending order of priority:

· Clear.

· Lockout of protection.

· Forced switch.

· Signal fail on the protection tunnel—The signaling protocol detected a failure on the protection tunnel.

· Signal fail on the working tunnel—The signaling protocol detected a failure on the working tunnel.

· Clear signal fail—The signaling protocol detected that the working or protection tunnel has recovered.

· Manual switch.

If multiple triggers exist, the one with the highest priority determines the tunnel for traffic forwarding.

Protection switching modes

MPLS PS supports the following protection switching modes:

· 1:1 protection switching—Typically, traffic travels along the working tunnel. When either of the following events occurs, the ingress node selects the traffic forwarding tunnel (working or protection tunnel) according to the protection state:

? The ingress or egress node detects a failure on the working tunnel.

? An external switching command is executed on the node.

· 1+1 protection switching—Typically, traffic travels along both the working and protection tunnels, and the egress node receives traffic from the working tunnel. When either of the following events occurs, the egress node determines from which tunnel it receives traffic according to the protection state:

? The ingress or egress node detects a failure on the working tunnel.

? An external switching command is executed on the node.

NOTE:

· The tunnel ingress or egress node can detect tunnel failures through BFD for MPLS or other detection mechanisms. For more information about BFD for MPLS, see "Configuring MPLS OAM."

· The protection state indicates the comprehensive status of a PS protection group. For more information, see the display mpls forwarding protection command in MPLS Command Reference.

Path switching modes

A bidirectional MPLS TE tunnel switches the traffic forwarding path in one of the following modes:

· Unidirectional path switching—When an external switching command or a signal fail triggers protection switching for traffic in one direction, PS switches the traffic forwarding tunnel only in this direction. The traffic forwarding tunnel in the other direction does not change.

· Bidirectional path switching—When an external switching command or a signal fail triggers protection switching for traffic in one direction, PS switches the traffic forwarding tunnels in both directions.

The ingress node and the egress node periodically send Protection State Coordination (PSC) packets to each other to coordinate the protection state. When one tunnel end performs a PS, the other end also performs a PS.

1:1 protection switching supports both unidirectional and bidirectional path switching. 1+1 protection switching supports only bidirectional path switching.

Protocols and standards

· RFC 6372, MPLS Transport Profile (MPLS-TP) Survivability Framework

· RFC 6378, MPLS Transport Profile (MPLS-TP) Linear Protection

Feature and hardware compatibility

Hardware	MPLS protection switching compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS	No
MSR2600-6-X1/2600-10-X1	Yes
MSR 2630	Yes
MSR3600-28/3600-51	Yes
MSR3600-28-SI/3600-51-SI	No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC	Yes
MSR 3610/3620/3620-DP/3640/3660	Yes
MSR5620/5660/5680	Yes

Hardware	MPLS protection switching compatibility
MSR810-LM-GL	No
MSR810-W-LM-GL	No
MSR830-6EI-GL	No
MSR830-10EI-GL	No
MSR830-6HI-GL	No
MSR830-10HI-GL	No
MSR2600-6-X1-GL	Yes
MSR3600-28-SI-GL	No

Command and hardware compatibility

Commands and descriptions for centralized devices apply to the following routers:

· MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

· MSR2600-6-X1/2600-10-X1.

· MSR 2630.

· MSR3600-28/3600-51.

· MSR3600-28-SI/3600-51-SI.

· MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

· MSR 3610/3620/3620-DP/3640/3660.

· MSR810-LM-GL/810-W-LM-GL/830-6EI-GL/830-10EI-GL/830-6HI-GL/830-10HI-GL/2600-6-X1-GL/3600-28-SI-GL

Commands and descriptions for distributed devices apply to the following routers:

· MSR5620.

· MSR 5660.

· MSR 5680.

MPLS protection switching configuration task list

Before configuring MPLS protection switching, create two MPLS TE tunnels: one as the working tunnel, and the other as the protection tunnel. For information about creating an MPLS TE tunnel, see "Configuring MPLS TE."

To configure MPLS protection switching, perform the following tasks:

Tasks at a glance	Remarks
(Required.) Enabling MPLS protection switching	N/A
(Required.) Creating a protection group	N/A
(Optional.) Configuring PS attributes for the protection group	N/A
(Optional.) Configuring command switching for the protection group	N/A
(Optional.) Configuring signal switching for the protection group	By default, the device supports protection switching triggered by interface state. To detect the working or protection tunnel state by using MPLS OAM, configure MPLS OAM on the working or protection tunnel. For information about configuring MPLS OAM, see "Configuring MPLS OAM."
(Optional.) Setting the PSC message sending interval	N/A
(Required.) Configuring traffic forwarding through the protection group: · Configuring static routing to direct traffic to a tunnel bundle interface · Configuring PBR to direct traffic to a tunnel bundle interface · Configuring automatic route advertisement to direct traffic to a tunnel bundle interface	For more information, see "Configuring MPLS TE."

Enabling MPLS protection switching

Before you execute MPLS protection switching commands, you must enable MPLS protection switching.

To enable MPLS protection switching:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable MPLS protection switching and enter its view.	mpls protection	By default, MPLS protection switching is disabled.

Creating a protection group

To create an MPLS TE protection group, perform the following tasks:

1. Create a tunnel bundle interface in protection switching mode.

2. Specify two member interfaces for the tunnel bundle interface by using the member interface command: one for the working tunnel, and the other for the protection tunnel.

In the protection group, the device determines the tunnel for traffic forwarding according to the external switching command and the signal fail.

Follow these restrictions and guidelines when you create a protection group:

· The tunnel bundle interface is up after the IP address and tunnel destination address for the interface are configured and any one of its member interfaces is up.

· As a best practice, configure the same tunnel destination address for the tunnel bundle interface and its member interfaces. If they have different tunnel destination addresses, make sure the member interfaces have a route to the tunnel bundle interface. Otherwise, traffic forwarding will fail.

· The member interfaces for the tunnel bundle interface must be MPLS TE tunnel interfaces.

· The member interfaces forward only traffic whose output interface is the tunnel bundle interface.

To create a protection group:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a tunnel bundle interface in protection switching mode, and enter its view.	interface tunnel-bundle number protection { oneplusone \| onetoone }	By default, no tunnel bundle interfaces exist.
3. Specify a primary member interface.	member interface tunnel tunnel-number	By default, no primary member interface is specified. The MPLS TE tunnel for a primary member interface is a working tunnel.
4. Specify a backup member interface.	member interface tunnel tunnel-number protection	By default, no backup member interface is specified. The MPLS TE tunnel for a backup member interface is a protection tunnel.
5. Configure an IPv4 address for the tunnel bundle interface.	ip address ip-address { mask \| mask-length } [ sub ]	By default, no IPv4 address is configured.
6. Configure the destination address for the tunnel bundle interface.	destination ip-address	By default, no tunnel destination address is configured.
7. (Optional.) Configure a description for the tunnel bundle interface.	description text	By default, the description for a tunnel bundle interface is Tunnel-Bundle number Interface, for example, Tunnel-Bundle1 Interface.
8. (Optional.) Set the expected bandwidth for the tunnel bundle interface.	bandwidth bandwidth-value	By default, the expected bandwidth is 64 kbps.
9. (Optional.) Specify a primary traffic processing slot for the interface.	· Distributed devices in standalone mode/centralized devices in IRF mode: service slot slot-number · Distributed devices in IRF mode: service chassis chassis-number slot slot-number	By default, no primary traffic processing slot is specified for an interface.
10. (Optional.) Specify a backup traffic processing slot for the interface.	· Distributed devices in standalone mode/centralized devices in IRF mode: service standby slot slot-number · Distributed devices in IRF mode: service standby chassis chassis-number slot slot-number	By default, no backup traffic processing slot is specified for an interface.
11. (Optional.) Bring up the tunnel bundle interface.	undo shutdown	By default, a tunnel bundle interface is up.

Configuring PS attributes for the protection group

By default, when the working tunnel fails, traffic is immediately switched from the working tunnel to the protection tunnel to avoid traffic interruption. When the working tunnel recovers, traffic is immediately switched from the protection tunnel to the working tunnel. On an unstable network where the working and protection tunnels are up and down frequently, immediate switchovers might affect traffic forwarding and burden the device.

To resolve the problem, use the following methods:

· Delay switching—After the working tunnel fails, traffic is switched to the protection tunnel when the switching holdoff timer expires. Traffic is not switched to the protection tunnel if the working tunnel recovers within the holdoff time.

· Disable reverting—After the working tunnel recovers, the protection group continues to use the protection tunnel as long as the protection group is operating correctly.

· Delay reverting—After the working tunnel recovers, the wait timer starts. If the working tunnel is still operating correctly when the wait time expires, traffic is switched from the protection tunnel to the working tunnel.

To configure attributes for the protection group:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter the view of a tunnel bundle interface in protection switching mode.	interface tunnel-bundle number [ protection { oneplusone \| onetoone } ]	N/A
3. Set the switching holdoff time when a working tunnel failure is detected.	protection holdoff holdoff-time	By default, the hold time is 0 seconds. When the working tunnel fails, traffic is immediately switched from the working tunnel to the protection tunnel.
4. Specify whether to switch traffic from the protection tunnel to the working tunnel when the working tunnel recovers, and set the wait time for the switchover.	protection revertive { never \| wtr [ wtr-time ] }	By default, when the working tunnel recovers, traffic is immediately switched from the protection tunnel to the working tunnel.
5. Configure the protection group to use bidirectional path switching.	protection switching-mode bidirectional	This command can be configured only on the tunnel bundle interface in 1:1 protection switching mode. By default, the protection group in 1:1 protection switching mode uses unidirectional path switching. 1+1 protection switching mode supports only bidirectional path switching.

Configuring command switching for the protection group

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter the view of the tunnel bundle interface in the protection group.	interface tunnel-bundle number [ protection { onetoone \| oneplusone } ]	It is not required to specify the protection switching mode when you enter the view of an existing tunnel bundle interface.
3. Configure a switching action.	protection switch { clear \| force \| lock \| manual }	By default, no switching action is configured.

Setting the PSC message sending interval

The two ends of a tunnel periodically send PSC messages to coordinate the protection state for bidirectional path switching.

You can prevent PSC messages from occupying too much bandwidth and resources by modifying the sending interval as needed.

To set the PSC message sending interval:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS protection switching view.	mpls protection	N/A
3. Set the PSC message sending interval.	psc message-interval interval	By default, the sending interval is 5 seconds.

Displaying and maintaining MPLS protection switching

Execute display commands in any view and reset commands in user view.

Task	Command
Display tunnel bundle interface information.	display interface [ tunnel-bundle [ number ] ] [ brief [ description \| down ] ]
Display forwarding state information for MPLS protection groups (centralized devices in standalone mode).	display mpls forwarding protection [ tunnel-bundle number ]
Display forwarding state information for MPLS protection groups (distributed devices in standalone mode/centralized devices in IRF mode).	display mpls forwarding protection [ tunnel-bundle number ] [ slot slot-number ]
Display forwarding state information for MPLS protection groups (distributed devices in IRF mode).	display mpls forwarding protection [ tunnel-bundle number ] [ chassis chassis-number slot slot-number ]
Display the current state and related information for MPLS protection groups.	display mpls protection [ tunnel-bundle number ] [ verbose ]
Display information about tunnel bundle interfaces and their member interfaces.	display tunnel-bundle [ number ]
Clear tunnel bundle interface statistics.	reset counters interface [ tunnel-bundle [ number ] ]

MPLS protection switching configuration example

Network requirements

Router A, Router B, Router C, and Router D run IS-IS.

Establish two MPLS TE tunnels (Tunnel 1 and Tunnel 2) from Router A to Router D to allow communication between two IP networks over the MPLS TE tunnels. Tunnel 1 uses the path Router A—Router B—Router D. Tunnel 2 uses the path Router A—Router C—Router D.

Configure protection switching on Router A by creating an MPLS protection group, and specify Tunnel 1 as the working tunnel and Tunnel 2 as the protection tunnel.

Figure 122 Network diagram

Table 49 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
Router A	Loop0	1.1.1.1/32	Router D	Loop0	4.4.4.4/32
	GE2/0/1	2.1.1.1/24		GE2/0/1	4.1.1.2/24
	GE2/0/2	3.1.1.1/24		GE2/0/2	5.1.1.2/24
	GE2/0/3	100.1.1.1/24		GE2/0/3	100.1.2.1/24
Router B	Loop0	2.2.2.2/32	Router C	Loop0	3.3.3.3/32
	GE2/0/1	2.1.1.2/24		GE2/0/1	3.1.1.2/24
	GE2/0/2	4.1.1.1/24		GE2/0/2	5.1.1.1/24

Configuration procedure

1. Configure IP addresses and masks for interfaces as shown in Figure 122. (Details not shown.)

2. Create MPLS TE tunnels on Router A:

# Create two MPLS TE tunnels (Tunnel 1 and Tunnel 2) to Router D. For more information, see "Configuring MPLS TE."

# Display information about the two MPLS TE tunnels on Router A.

<RouterA> display mpls tunnel all

Destination Type Tunnel/NHLFE VPN Instance

4.4.4.4 CRLSP Tunnel1 -

4.4.4.4 CRLSP Tunnel2 -

# Display tunnel interface information on Router A. The output shows that the tunnel interface is up. This example uses Tunnel 1.

<RouterA> display interface tunnel 1

Tunnel1

Current state: UP

Line protocol state: UP

Description: Tunnel1 Interface

Bandwidth: 64kbps

Maximum Transmit Unit: 1496

Internet Address is 10.1.10.1/24 Primary

Tunnel source unknown, destination 4.4.4.4

Tunnel TTL 255

Tunnel protocol/transport CR_LSP

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

3. Configure a tunnel bundle interface for the protection group:

# Enable MPLS protection switching.

<RouterA> system-view

[RouterA] mpls protection

[RouterA-mpls-protection] quit

# Create a tunnel bundle interface in 1:1 protection switching mode.

[RouterA] interface tunnel-bundle 0 protection onetoone

# Specify 4.4.4.4 (Router D's LSR ID) as the tunnel destination address.

[RouterA-Tunnel-Bundle0] destination 4.4.4.4

# Configure an IP address for the tunnel bundle interface. This example uses 101.1.101.1/24.

[RouterA-Tunnel-Bundle0] ip address 101.1.101.1 24

# Specify tunnel interface Tunnel 1 as the primary member interface, and Tunnel 2 as the backup member interface.

[RouterA-Tunnel-Bundle0] member interface tunnel 1

[RouterA-Tunnel-Bundle0] member interface tunnel 2 protection

[RouterA-Tunnel-Bundle0] quit

4. Configure BFD for the protection group:

# Enable BFD for MPLS.

[RouterA] mpls bfd enable

# Enable BFD for the primary member interface Tunnel 1 to test the connectivity of the working tunnel.

[RouterA] interface tunnel 1

[RouterA-Tunnel1] mpls bfd

[RouterA-Tunnel1] quit

# Enable BFD for the backup member interface Tunnel 2 to test the connectivity of the protection tunnel.

[RouterA] interface tunnel 2

[RouterA-Tunnel2] mpls bfd

[RouterA-Tunnel2] quit

# Display BFD information for the MPLS TE tunnels on Router A.

[RouterA] display bfd session

Total Session Num: 2 Up Session Num: 2 Init Mode: Active

IPv4 Session Working Under Ctrl Mode:

LD/RD SourceAddr DestAddr State Holdtime Interface

513/513 1.1.1.1 127.0.0.1 Up 2297ms Tunnel1

514/514 1.1.1.1 127.0.0.1 Up 1127ms Tunnel2

5. Configure a static route to 100.1.2.0/24 through Tunnel-Bundle 0.

[RouterA] ip route-static 100.1.2.0 24 tunnel-bundle 0 preference 1

Verifying the configuration

# Display information about the tunnel bundle interface and its member interfaces on Router A.

[RouterA] display tunnel-bundle

Total number of tunnel bundles: 1, 1 up, 0 down

Tunnel bundle name: Tunnel-Bundle 0

Bundle state : Up

Bundle attributes :

Working mode : 1:1

Tunnel type : CR-LSP

Tunnel destination : 4.4.4.4

Bundle members:

Member State Role

Tunnel1 Up Working

Tunnel2 Up Protection

# Display information about the tunnel bundle for the tunnel bundle interface on Router A.

[RouterA] display mpls tunnel all

Destination Type Tunnel/NHLFE VPN Instance

4.4.4.4 CRLSP Tunnel-Bundle0 -

# Display information about local LSPs for the tunnel bundle interface on Router A.

[RouterA] display mpls lsp protocol local verbose

Destination : 4.4.4.4

FEC : Tunnel-Bundle0

Protocol : Local

LSR Type : Ingress

Service : -

NHLFE ID : 536870912

State : Active

Out-Interface: Tun1

BkInterface : Tun2

# Display MPLS protection group information on Router A.

[RouterA] display mpls protection

Total number of protection-groups: 1

State:

N: Normal UA: Unavailable PA: Protecting administrative

PF: Protecting failure WTR: Wait-to-Restore DNR: Do-not-Revert

M: Manual switch F: Forced switch P: Protection tunnel failure

W: Working tunnel failure HO: Hold off LO: Lockout of protection

L: Local R: Remote

Group ID Type Working tunnel Protection tunnel State

0 Tunnel bundle 1 2 N

Configuring MCE

This chapter describes MCE configuration.

MPLS L3VPN overview

MPLS L3VPN provides flexible networking modes, excellent scalability, and convenient support for MPLS QoS and MPLS TE.

Basic MPLS L3VPN architecture

A basic MPLS L3VPN architecture has the following types of devices:

· Customer edge device—A CE device resides on a customer network and has one or more interfaces directly connected to a service provider network. It does not support MPLS.

· Provider edge device—A PE device resides at the edge of a service provider network and is connected to one or more CEs. All MPLS VPN services are processed on PEs.

Figure 123 Basic MPLS L3VPN architecture

MPLS L3VPN concepts

Site

A site has the following features:

· A site is a group of IP systems with IP connectivity that does not rely on any service provider networks.

· The devices at a site can belong to multiple VPNs, which means that a site can belong to multiple VPNs.

· A site is connected to a provider network through one or more CEs. A site can contain multiple CEs, but a CE can belong to only one site.

VPN instance

VPN instances implement route isolation, data independence, and data security for VPNs.

A VPN instance has the following components:

· A separate Label Forwarding Information Base (LFIB).

· An IP routing table.

· Interfaces bound to the VPN instance.

· VPN instance administration information, including route distinguishers (RDs), route targets (RTs), and route filtering policies.

VPN-IPv4 address

Multiprotocol BGP (MP-BGP) can solve this problem by advertising VPN-IPv4 addresses (also called VPNv4 addresses).

As shown in Figure 124, a VPN-IPv4 address consists of 12 bytes. The first eight bytes represent the RD, followed by a four-byte IPv4 prefix. The RD and the IPv4 prefix form a unique VPN-IPv4 prefix.

Figure 124 VPN-IPv4 address structure

An RD can be in one of the following formats:

To guarantee global uniqueness for a VPN-IPv4 address, do not set the Administrator subfield to any private AS number or private IP address.

Route target attribute

MPLS L3VPN uses route target community attributes to control the advertisement of VPN routing information. A VPN instance on a PE supports the following types of route target attributes:

· Export target attribute—A PE sets the export target attribute for VPN-IPv4 routes learned from directly connected sites before advertising them to other PEs.

Route target attributes define which sites can receive VPN-IPv4 routes, and from which sites a PE can receive routes.

Like RDs, route target attributes can be one of the following formats:

· 16-bit AS number:32-bit user-defined number. For example, 100:1.

· 32-bit IPv4 address:16-bit user-defined number. For example, 172.1.1.1:1.

· 32-bit AS number:16-bit user-defined number, where the minimum value of the AS number is 65536. For example, 65536:1.

MCE overview

The Multi-VPN Instance CE (MCE) feature allows you to create multiple VPN instances on a CE. The VPN instances each have an independent routing table and an address space to achieve service isolation.

As shown in Figure 125, the MCE exchanges private routes with VPN sites and PE 1, and adds the private routes to the routing tables of corresponding VPN instances.

· Route exchange between MCE and VPN site—Create VPN instances VPN 1 and VPN 2 on the MCE. Bind GigabitEthernet 2/0/1 to VPN 1, and GigabitEthernet 2/0/2 to VPN 2. The MCE adds a received route to the routing table of the VPN instance that is bound to the receiving interface.

· Route exchange between MCE and PE—The MCE connects to PE 1 through Ethernet subinterfaces. On the MCE, bind GigabitEthernet 2/0/3.1 to VPN 1 and GigabitEthernet 2/0/3.2 to VPN 2. On PE 1, create VPN instances for VPN 1 and VPN 2. Bind GigabitEthernet 2/0/1.1 to VPN 1 and GigabitEthernet 2/0/1.2 to VPN 2. The MCE and PE add a received route to the routing table of the VPN instance that is bound to the receiving interface.

Figure 125 Network diagram for the MCE feature

You can configure static routes, RIP, OSPF, IS-IS, EBGP, or IBGP between an MCE and a VPN site and between an MCE and a PE.

NOTE:

To implement dynamic IP assignment for DHCP clients in private networks, you can configure DHCP server or DHCP relay agent on the MCE. When the MCE functions as the DHCP server, the IP addresses assigned to different private networks cannot overlap.

Feature and hardware compatibility

Hardware	MCE compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS	No
MSR2600-6-X1/2600-10-X1	Yes
MSR 2630	Yes
MSR3600-28/3600-51	Yes
MSR3600-28-SI/3600-51-SI	No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC	Yes
MSR 3610/3620/3620-DP/3640/3660	Yes
MSR5620/5660/5680	Yes

Hardware	MCE compatibility
MSR810-LM-GL	No
MSR810-W-LM-GL	No
MSR830-6EI-GL	No
MSR830-10EI-GL	No
MSR830-6HI-GL	No
MSR830-10HI-GL	No
MSR2600-6-X1-GL	Yes
MSR3600-28-SI-GL	No

MCE configuration task list

Tasks at a glance
Configuring VPN instances: (Required.) Creating a VPN instance (Required.) Associating a VPN instance with an interface (Optional.) Configuring route related attributes for a VPN instance


Configuring routing on an MCE: (Required.) Configuring routing between an MCE and a VPN site (Required.) Configuring static routing between an MCE and a PE

Configuring VPN instances

VPN instances isolate VPN routes from public network routes and routes among VPNs. This feature allows VPN instances to be used in network scenarios in addition to MPLS L3VPNs.

All VPN instance configurations are performed on PEs or MCEs.

Creating a VPN instance

A VPN instance is a collection of the VPN membership and routing rules of its associated site. A VPN instance might correspond to more than one VPN.

To create and configure a VPN instance:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a VPN instance and enter VPN instance view.	ip vpn-instance vpn-instance-name	By default, no VPN instances exist.
3. Configure an RD for the VPN instance.	route-distinguisher route-distinguisher	By default, no RD is configured for a VPN instance.
4. (Optional.) Configure a description for the VPN instance.	description text	By default, no description is configured for a VPN instance.
5. (Optional.) Configure a VPN ID for the VPN instance.	vpn-id vpn-id	By default, no VPN ID is configured for a VPN instance.
6. (Optional.) Configure an SNMP context for the VPN instance.	snmp context-name context-name	By default, no SNMP context is configured.

Associating a VPN instance with an interface

After creating and configuring a VPN instance, associate the VPN instance with the interface connected to the CE.

To associate a VPN instance with an interface:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Associate a VPN instance with the interface.	ip binding vpn-instance vpn-instance-name	By default, an interface is not associated with a VPN instance and belongs to the public network. The ip binding vpn-instance command deletes the IP address of the current interface. You must reconfigure an IP address for the interface after configuring the command.

Configuring route related attributes for a VPN instance

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter VPN instance view or IPv4 VPN view	· Enter VPN instance view: ip vpn-instance vpn-instance-name · Enter IPv4 VPN view: a. ip vpn-instance vpn-instance-name b. address-family ipv4	Configurations made in VPN instance view apply to both IPv4 VPN and IPv6 VPN. IPv4 VPN prefers the configurations in IPv4 VPN view over the configurations in VPN instance view.
3. Configure route targets.	vpn-target vpn-target&<1-8> [ both \| export-extcommunity \| import-extcommunity ]	By default, no route targets are configured.
4. Set the maximum number of active routes.	routing-table limit number { warn-threshold \| simply-alert }	For the default setting of this command, see MPLS Command Reference. Setting the maximum number of active routes for a VPN instance can prevent the PE from learning too many routes.
5. Apply an import routing policy.	import route-policy route-policy	By default, all routes matching the import target attribute are accepted. The specified routing policy must have been created. For information about routing policies, see Layer 3—IP Routing Configuration Guide.
6. Apply an export routing policy.	export route-policy route-policy	By default, routes to be advertised are not filtered. The specified routing policy must have been created. For information about routing policies, see Layer 3—IP Routing Configuration Guide.
7. Apply a tunnel policy to the VPN instance.	tnl-policy tunnel-policy-name	By default, only one tunnel is selected (no load balancing) in this order: LSP tunnel, GRE tunnel, and CR-LSP tunnel. The specified tunnel policy must have been created. For information about tunnel policies, see "Configuring tunnel policies."

Configuring routing on an MCE

MCE implements service isolation through route isolation. MCE routing configuration includes the following:

· MCE-VPN site routing configuration.

· MCE-PE routing configuration.

On the PE, perform the following tasks:

· Disable routing loop detection to avoid route loss during route calculation.

· Disable route redistribution between routing protocols to save system resources.

Before you configure routing on an MCE, configure VPN instances, and bind the VPN instances to the interfaces connected to the VPN sites and the PE.

Configuring routing between an MCE and a VPN site

You can configure static routing, RIP, OSPF, IS-IS, EBGP or IBGP between an MCE and a VPN site.

Configuring static routing between an MCE and a VPN site

An MCE can reach a VPN site through a static route. Static routing on a traditional CE is globally effective and does not support address overlapping among VPNs. An MCE supports binding a static route to a VPN instance, so that the static routes of different VPN instances can be isolated from each other.

To configure a static route to a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure a static route for a VPN instance.	ip route-static vpn-instance s-vpn-instance-name dest-address { mask-length \| mask } { interface-type interface-number [ next-hop-address ] \| next-hop-address [ public ] [ track track-entry-number ] \| vpn-instance d-vpn-instance-name next-hop-address [ track track-entry-number ] } [ permanent ] [ preference preference ] [ tag tag-value ] [ description text ]	By default, no static routes are configured. Perform this configuration on the MCE. On the VPN site, configure a common static route.
3. (Optional.) Configure the default preference for static routes.	ip route-static default-preference default-preference	The default preference is 60.

Configuring RIP between an MCE and a VPN site

A RIP process belongs to the public network or a single VPN instance. If you create a RIP process without binding it to a VPN instance, the process belongs to the public network. Binding RIP processes to VPN instances can isolate routes of different VPNs. For more information about RIP, see Layer 3—IP Routing Configuration Guide.

To configure RIP between an MCE and a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a RIP process for a VPN instance and enter RIP view.	rip [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the MCE. On a VPN site, create a common RIP process.
3. Enable RIP on the interface attached to the specified network.	network network-address [ wildcard-mask ]	By default, RIP is disabled on an interface.
4. Redistribute remote site routes advertised by the PE into RIP.	import-route protocol [ as-number ] [ process-id \| all-processes \| allow-ibgp ] [ allow-direct \| cost cost-value \| route-policy route-policy-name \| tag tag ] *	By default, no route is redistributed into RIP.

Configuring OSPF between an MCE and a VPN site

An OSPF process belongs to the public network or a single VPN instance. If you create an OSPF process without binding it to a VPN instance, the process belongs to the public network.

Binding OSPF processes to VPN instances can isolate routes of different VPNs. For more information about OSPF, see Layer 3—IP Routing Configuration Guide.

To configure OSPF between an MCE and a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an OSPF process for a VPN instance and enter OSPF view.	ospf [ process-id \| router-id router-id \| vpn-instance vpn-instance-name ] *	Perform this configuration on the MCE. On a VPN site, create a common OSPF process. An OSPF process bound to a VPN instance does not use the public network router ID configured in system view. Therefore, configure a router ID for the OSPF process. An OSPF process can belong to only one VPN instance, but one VPN instance can use multiple OSPF processes to advertise VPN routes.
3. Redistribute remote site routes advertised by the PE into OSPF.	import-route protocol [ as-number ] [ process-id \| all-processes \| allow-ibgp ] [ allow-direct \| cost cost-value \| nssa-only \| route-policy route-policy-name \| tag tag \| type type ] *	By default, no routes are redistributed into OSPF.
4. Create an OSPF area and enter OSPF area view.	area area-id	By default, no OSPF areas exist.
5. Enable OSPF on the interface attached to the specified network in the area.	network ip-address wildcard-mask	By default, an interface neither belongs to any area nor runs OSPF.

Configuring IS-IS between an MCE and a VPN site

An IS-IS process belongs to the public network or a single VPN instance. If you create an IS-IS process without binding it to a VPN instance, the process belongs to the public network.

Binding IS-IS processes to VPN instances can isolate routes of different VPNs. For more information about IS-IS, see Layer 3—IP Routing Configuration Guide.

To configure IS-IS between an MCE and a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an IS-IS process for a VPN instance and enter IS-IS view.	isis [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the MCE. On a VPN site, configure a common IS-IS process.
3. Configure a network entity title.	network-entity net	By default, no NET is configured.
4. Create the IS-IS IPv4 unicast address family and enter its view.	address-family ipv4 [ unicast ]	By default, the IS-IS IPv4 unicast address family is not created.
5. Redistribute remote site routes advertised by the PE into IS-IS.	import-route protocol [ as-number ] [ process-id \| all-processes \| allow-ibgp ] [ allow-direct \| cost cost-value \| cost-type { external \| internal } \| [ level-1 \| level-1-2 \| level-2 ] \| route-policy route-policy-name \| tag tag ] *	By default, IS-IS does not redistribute routes from any other routing protocol. If you do not specify the route level in the command, the command redistributes routes to the level-2 routing table by default.
6. Return to system view.	quit	N/A
7. Enter interface view.	interface interface-type interface-number	N/A
8. Enable the IS-IS process on the interface.	isis enable [ process-id ]	By default, no IS-IS process is enabled on the interface.

Configuring EBGP between an MCE and a VPN site

To run EBGP between an MCE and a VPN site, you must configure a BGP peer for each VPN instance on the MCE, and redistribute the IGP routes of each VPN instance on the VPN site.

1. Configure the MCE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	By default, BGP is not enabled.
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	Configuration commands in BGP-VPN instance view are the same as those in BGP instance view. For more information, see Layer 3—IP Routing Configuration Guide.
4. Configure an EBGP peer.	peer { group-name \| ipv4-address [ mask-length ] } as-number as-number	By default, no BGP peers or peer groups exist.
5. Enter BGP-VPN IPv4 unicast address family view.	address-family ipv4 [ unicast ]	N/A
6. Enable BGP to exchange IPv4 unicast routes with the peer.	peer { group-name \| ipv4-address [ mask-length ] } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
7. Allow the local AS number to appear in the AS_PATH attribute of routes received from the peer, and set the maximum number of repetitions.	peer { group-name \| ipv4-address [ mask-length ] } allow-as-loop [ number ]	By default, BGP discards incoming route updates that contain the local AS number.
8. Redistribute remote site routes advertised by the PE into BGP.	import-route protocol [ { process-id \| all-processes } [ allow-direct \| med med-value \| route-policy route-policy-name ] * ]	By default, no routes are redistributed into BGP.

2. Configure a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	By default, BGP is not enabled.
3. Configure the MCE as an EBGP peer.	peer { group-name \| ipv4-address [ mask-length ] } as-number as-number	By default, no BGP peers or peer groups exist.
4. Enter BGP IPv4 unicast address family view.	address-family ipv4 [ unicast ]	N/A
5. Enable BGP to exchange IPv4 unicast routes with the peer.	peer { group-name \| ipv4-address [ mask-length ] } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
6. Redistribute the IGP routes of the VPN into BGP.	import-route protocol [ { process-id \| all-processes } [ allow-direct \| med med-value \| route-policy route-policy-name ] * ]	By default, no routes are redistributed into BGP. A VPN site must advertise the VPN network addresses it can reach to the connected MCE.

Configuring IBGP between MCE and VPN site

To run IBGP between an MCE and a VPN site, you must configure a BGP peer for each VPN instance on the MCE, and redistribute the IGP routes of each VPN instance on the VPN site.

1. Configure the MCE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	By default, BGP is not enabled.
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Configure an IBGP peer.	peer { group-name \| ipv4-address [ mask-length ] } as-number as-number	By default, no BGP peers or peer groups exist.
5. Enter BGP-VPN IPv4 unicast address family view.	address-family ipv4 [ unicast ]	N/A
6. Enable BGP to exchange IPv4 unicast routes with the peer.	peer { group-name \| ipv4-address [ mask-length ] } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
7. (Optional.) Configure the system to be the RR, and specify the peer as the client of the RR.	peer { group-name \| ipv4-address [ mask-length ] } reflect-client	By default, no RR or RR client is configured. After you configure a VPN site as an IBGP peer, the MCE does not advertise the BGP routes learned from the VPN site to other IBGP peers, including VPNv4 peers. The MCE advertises routes learned from a VPN site only when you configure the VPN site as a client of the RR (the MCE).
8. Redistribute remote site routes advertised by the PE into BGP.	import-route protocol [ process-id \| all-processes ] [ allow-direct \| med med-value \| route-policy route-policy-name ] *	By default, no routes are redistributed into BGP.

2. Configure a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	By default, BGP is not enabled.
3. Configure the MCE as an IBGP peer.	peer { group-name \| ipv4-address [ mask-length ] } as-number as-number	By default, no BGP peers or peer groups exist.
4. Enter BGP IPv4 unicast address family view.	address-family ipv4 [ unicast ]	N/A
5. Enable BGP to exchange IPv4 unicast routes with the peer.	peer { group-name \| ipv4-address [ mask-length ] } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
6. Redistribute the IGP routes of the VPN into BGP.	import-route protocol [ { process-id \| all-processes } [ allow-direct \| med med-value \| route-policy route-policy-name ] * ]	By default, no routes are redistributed into BGP. A VPN site must advertise VPN network addresses to the connected MCE.

Configuring routing between an MCE and a PE

MCE-PE routing configuration includes these tasks:

· Binding the MCE-PE interfaces to VPN instances.

· Performing route configurations.

· Redistributing VPN routes into the routing protocol running between the MCE and the PE.

Perform the following configurations on the MCE. Configure the PE in the same way that you configure a PE in a basic MPLS L3VPN. For more information about configuring the PE, see "Configuring MPLS L3VPN."

Configuring static routing between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure a static route for a VPN instance.	ip route-static vpn-instance s-vpn-instance-name dest-address { mask-length \| mask } { interface-type interface-number [ next-hop-address ] \| next-hop-address [ public ] [ track track-entry-number ] \| vpn-instance d-vpn-instance-name next-hop-address [ track track-entry-number ] } [ permanent ] [ preference preference ] [ tag tag-value ] [ description text ]	By default, no static routes are configured.
3. (Optional.) Set the default preference for static routes.	ip route-static default-preference default-preference	The default preference is 60.

Configuring RIP between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a RIP process for a VPN instance and enter RIP view.	rip [ process-id ] vpn-instance vpn-instance-name	N/A
3. Enable RIP on the interface attached to the specified network.	network network-address [ wildcard-mask ]	By default, RIP is disabled on an interface.
4. Redistribute the VPN routes.	import-route protocol [ as-number ] [ process-id \| all-processes \| allow-ibgp ] [ allow-direct \| cost cost-value \| route-policy route-policy-name \| tag tag ] *	By default, no routes are redistributed into RIP.

Configuring OSPF between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an OSPF process for a VPN instance and enter OSPF view.	ospf [ process-id \| router-id router-id \| vpn-instance vpn-instance-name ] *	N/A
3. Disable routing loop detection.	vpn-instance-capability simple	By default, routing loop detection is enabled. You must disable routing loop detection for a VPN OSPF process on the MCE. Otherwise, the MCE does not receive OSPF routes from the PE.
4. Redistribute the VPN routes.	import-route protocol [ as-number ] [ process-id \| all-processes \| allow-ibgp ] [ allow-direct \| cost cost-value \| nssa-only \| route-policy route-policy-name \| tag tag \| type type ] *	By default, no routes are redistributed into OSPF.
5. Create an OSPF area and enter OSPF area view.	area area-id	By default, no OSPF areas exist.
6. Enable OSPF on the interface attached to the specified network in the area.	network ip-address wildcard-mask	By default, an interface neither belongs to any area nor runs OSPF.

Configuring IS-IS between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an IS-IS process for a VPN instance and enter IS-IS view.	isis [ process-id ] vpn-instance vpn-instance-name	N/A
3. Configure a network entity title.	network-entity net	By default, no NET is configured.
4. Create the IS-IS IPv4 unicast address family and enter its view.	address-family ipv4 [ unicast ]	By default, the IS-IS IPv4 unicast address family is not created.
5. Redistribute VPN routes.	import-route protocol [ as-number ] [ process-id \| all-processes \| allow-ibgp ] [ allow-direct \| cost cost-value \| cost-type { external \| internal } \| [ level-1 \| level-1-2 \| level-2 ] \| route-policy route-policy-name \| tag tag ] *	By default, IS-IS does not redistribute routes from any other routing protocol. If you do not specify the route level in the command, the command redistributes routes to the level-2 routing table by default.
6. Return to system view.	quit	N/A
7. Enter interface view.	interface interface-type interface-number	N/A
8. Enable the IS-IS process on the interface.	isis enable [ process-id ]	By default, no IS-IS process is enabled on the interface.

Configuring EBGP between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	By default, BGP is not enabled.
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Configure the PE as an EBGP peer.	peer { group-name \| ipv4-address [ mask-length ] } as-number as-number	By default, no BGP peers or peer groups exist.
5. Enter BGP-VPN IPv4 unicast address family view.	address-family ipv4 [ unicast ]	N/A
6. Enable BGP to exchange IPv4 unicast routes with the peer.	peer { group-name \| ipv4-address [ mask-length ] } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
7. Redistribute the VPN routes of the VPN site.	import-route protocol [ process-id \| all-processes ] [ allow-direct \| med med-value \| route-policy route-policy-name ] *	By default, no routes are redistributed into BGP.

Configuring IBGP between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	By default, BGP is not enabled.
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Configure the PE as an IBGP peer.	peer { group-name \| ipv4-address [ mask-length ] } as-number as-number	By default, no BGP peers or peer groups exist.
5. Enter BGP-VPN IPv4 unicast address family view.	address-family ipv4 [ unicast ]	N/A
6. Enable BGP to exchange IPv4 unicast routes with the peer.	peer { group-name \| ipv4-address [ mask-length ] } enable	By default, BGP does not exchange IPv4 unicast routes with any peer.
7. Redistribute the VPN routes of the VPN site.	import-route protocol [ process-id \| all-processes ] [ allow-direct \| med med-value \| route-policy route-policy-name ] *	By default, no routes are redistributed into BGP.

Displaying and maintaining MCE

Execute display commands in any view.

Task	Command
Display VPN instance information.	display ip vpn-instance [ instance-name vpn-instance-name ]

For commands that display routing tables for VPN instances, see Layer 3—IP Routing Command Reference.

MCE configuration example

Network requirements

As shown in Figure 126, VPN 2 runs RIP. Configure the MCE device to separate routes from different VPNs and to advertise the VPN routes to PE 1 through OSPF.

Figure 126 Network diagram

Configuration procedure

Assume that:

· The system name of the MCE device is MCE.

· The system names of the edge routers of VPN 1 and VPN 2 are VR 1 and VR 2, respectively.

· The system name of PE 1 is PE1.

1. Configure VPN instances on the MCE and PE 1:

# On the MCE, configure VPN instances vpn1 and vpn2, and specify an RD and route targets for each VPN instance.

<MCE> system-view

[MCE] ip vpn-instance vpn1

[MCE-vpn-instance-vpn1] route-distinguisher 10:1

[MCE-vpn-instance-vpn1] vpn-target 10:1

[MCE-vpn-instance-vpn1] quit

[MCE] ip vpn-instance vpn2

[MCE-vpn-instance-vpn2] route-distinguisher 20:1

[MCE-vpn-instance-vpn2] vpn-target 20:1

[MCE-vpn-instance-vpn2] quit

# Bind interface GigabitEthernet 2/0/1 to VPN instance vpn1, and configure an IP address for the interface.

[MCE] interface gigabitethernet 2/0/1

[MCE-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[MCE-GigabitEthernet2/0/1] ip address 10.214.10.3 24

[MCE-GigabitEthernet2/0/1] quit

# Bind interface GigabitEthernet 2/0/2 to VPN instance vpn2, and configure an IP address for the interface.

[MCE] interface gigabitethernet 2/0/2

[MCE-GigabitEthernet2/0/2] ip binding vpn-instance vpn2

[MCE-GigabitEthernet2/0/2] ip address 10.214.20.3 24

[MCE-GigabitEthernet2/0/2] quit

# On PE 1, configure VPN instances vpn1 and vpn2, and specify an RD and route targets for each VPN instance.

<PE1> system-view

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 10:1

[PE1-vpn-instance-vpn1] vpn-target 10:1

[PE1-vpn-instance-vpn1] quit

[PE1] ip vpn-instance vpn2

[PE1-vpn-instance-vpn2] route-distinguisher 20:1

[PE1-vpn-instance-vpn2] vpn-target 20:1

[PE1-vpn-instance-vpn2] quit

2. Configure routing between the MCE and VPN sites:

The MCE is connected to VPN 1 directly, and no routing protocol is enabled in VPN 1. Therefore, you can configure static routes.

# On VR 1, assign IP address 10.214.10.2/24 to the interface connected to MCE and 192.168.0.1/24 to the interface connected to VPN 1. (Details not shown.)

# On VR 1, configure a default route with the next hop as 10.214.10.3.

<VR1> system-view

[VR1] ip route-static 0.0.0.0 0.0.0.0 10.214.10.3

# On the MCE, configure a static route to 192.168.0.0/24, specify the next hop as 10.214.10.2, and bind the static route to VPN instance vpn1.

[MCE] ip route-static vpn-instance vpn1 192.168.0.0 24 10.214.10.2

# Run RIP in VPN 2. Configure RIP process 20 for the VPN instance vpn2 on MCE, so that MCE can learn the routes of VPN 2 and add them to the routing table of the VPN instance vpn2.

[MCE] rip 20 vpn-instance vpn2

# Advertise subnet 10.214.10.0.

[MCE-rip-20] network 10.214.20.0

[MCE-rip-20] quit

# On VR 2, assign IP address 10.214.20.2/24 to the interface connected to the MCE and 192.168.10.1/24 to the interface connected to VPN 2. (Details not shown.)

# Configure RIP, and advertise subnets 192.168.10.0 and 10.214.20.0.

<VR2> system-view

[VR2] rip 20

[VR2-rip-20] network 192.168.10.0

[VR2-rip-20] network 10.214.20.0

# On MCE, display the routing tables of VPN instances vpn1 and vpn2.

[MCE] display ip routing-table vpn-instance vpn1

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.214.10.0/24 Direct 0 0 10.214.10.3 GE2/0/1

10.214.10.0/32 Direct 0 0 10.214.10.3 GE2/0/1

10.214.10.3/32 Direct 0 0 127.0.0.1 InLoop0

10.214.10.255/32 Direct 0 0 10.214.10.3 GE2/0/1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

192.168.0.0/24 Static 60 0 10.214.10.2 GE2/0/1

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

[MCE] display ip routing-table vpn-instance vpn2

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.214.20.0/24 Direct 0 0 10.214.20.3 GE2/0/2

10.214.20.0/32 Direct 0 0 10.214.20.3 GE2/0/2

10.214.20.3/32 Direct 0 0 127.0.0.1 InLoop0

10.214.20.255/32 Direct 0 0 10.214.20.3 GE2/0/2

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

192.168.10.0/24 RIP 100 1 10.214.20.2 GE2/0/2

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

The output shows that the MCE has learned the private route of VPN 2 through RIP. MCE maintains the routes of VPN 1 and those of VPN 2 in two different routing tables. In this way, routes from different VPNs are separated.

3. Configure routing between the MCE and PE 1:

# The MCE is connected to PE 1 through subinterfaces. On MCE, bind subinterface GigabitEthernet 2/0/3.1 to the VPN instance vpn1.

[MCE] interface gigabitethernet 2/0/3.1

[MCE-GigabitEthernet2/0/3.1] ip binding vpn-instance vpn1

# Configure the subinterface to terminate VLAN 10.

[MCE-GigabitEthernet2/0/3.1] vlan-type dot1q vid 10

# Configure an IP address for the subinterface.

[MCE-GigabitEthernet2/0/3.1] ip address 20.1.1.1 24

[MCE-GigabitEthernet2/0/3.1] quit

# On the MCE, bind subinterface GigabitEthernet 2/0/3.2 to the VPN instance vpn2.

[MCE] interface gigabitethernet 2/0/3.2

[MCE-GigabitEthernet2/0/3.2] ip binding vpn-instance vpn2

# Configure the subinterface to terminate VLAN 20.

[MCE-GigabitEthernet2/0/3.2] vlan-type dot1q vid 20

# Configure an IP address for the subinterface.

[MCE-GigabitEthernet2/0/3.2] ip address 30.1.1.1 24

[MCE-GigabitEthernet2/0/3.2] quit

# On PE 1, bind subinterface GigabitEthernet 2/0/1.1 to the VPN instance vpn1.

[PE1] interface gigabitethernet 2/0/1.1

[PE1-GigabitEthernet2/0/1.1] ip binding vpn-instance vpn1

# Configure the subinterface to terminate VLAN 10.

[PE1-GigabitEthernet2/0/1.1] vlan-type dot1q vid 10

# Configure an IP address for the subinterface.

[PE1-GigabitEthernet2/0/1.1] ip address 20.1.1.2 24

[PE1-GigabitEthernet2/0/1.1] quit

# On PE 1, bind subinterface GigabitEthernet 2/0/1.2 to the VPN instance vpn2.

[PE1] interface gigabitethernet 2/0/1.2

[PE1-GigabitEthernet2/0/1.2] ip binding vpn-instance vpn2

# Configure the subinterface to terminate VLAN 20.

[PE1-GigabitEthernet2/0/1.2] vlan-type dot1q vid 20

# Configure an IP address for the subinterface.

[PE1-GigabitEthernet2/0/1.2] ip address 30.1.1.2 24

[PE1-GigabitEthernet2/0/1.2] quit

# Configure the IP address of the interface Loopback 0 as 101.101.10.1 for the MCE and as 100.100.10.1 for PE 1. Specify the loopback interface address as the router ID for the MCE and PE 1. (Details not shown.)

# Enable OSPF process 10 on the MCE, and bind the process to VPN instance vpn1.

[MCE] ospf 10 router-id 101.101.10.1 vpn-instance vpn1

# Disable OSPF routing loop detection for the VPN instance.

[MCE-ospf-10] vpn-instance-capability simple

# Set the domain ID to 10.

[MCE-ospf-10] domain-id 10

# Advertise subnet 20.1.1.0/24 in area 0, and redistribute the static route of VPN 1.

[MCE-ospf-10] area 0

[MCE-ospf-10-area-0.0.0.0] network 20.1.1.0 0.0.0.255

[MCE-ospf-10-area-0.0.0.0] quit

[MCE-ospf-10] import-route static

# On PE 1, enable OSPF process 10, and bind the process to VPN instance vpn1.

[PE1] ospf 10 router-id 100.100.10.1 vpn-instance vpn1

# Set the domain ID to 10.

[PE1-ospf-10] domain-id 10

# Advertise subnet 20.1.1.0/24 in area 0.

[PE1-ospf-10] area 0

[PE1-ospf-10-area-0.0.0.0] network 20.1.1.0 0.0.0.255

[PE1-ospf-10-area-0.0.0.0] quit

[PE1-ospf-10] quit

# Configure OSPF process 20 between MCE and PE 1, and redistribute routes from RIP process 20 into OSPF. (Details not shown.)

Verifying the configuration

# Verify that PE 1 has learned the static route of VPN 1 through OSPF.

[PE1] display ip routing-table vpn-instance vpn1

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

20.1.1.0/24 Direct 0 0 20.1.1.2 GE2/0/1.1

20.1.1.0/32 Direct 0 0 20.1.1.2 GE2/0/1.1

20.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

20.1.1.255/32 Direct 0 0 20.1.1.2 GE2/0/1.1

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

192.168.0.0/24 O_ASE2 150 1 20.1.1.1 GE2/0/1.1

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

# Verify that PE 1 has learned the RIP route of VPN 2 through OSPF.

[PE1] display ip routing-table vpn-instance vpn2

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

30.1.1.0/24 Direct 0 0 30.1.1.2 GE2/0/1.2

30.1.1.0/32 Direct 0 0 30.1.1.2 GE2/0/1.2

30.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

30.1.1.255/32 Direct 0 0 30.1.1.2 GE2/0/1.2

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

192.168.10.0/24 O_ASE2 150 1 30.1.1.1 GE2/0/1.2

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0

255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

The routing information for the two VPNs has been redistributed into the routing tables on PE 1.

Configuring IPv6 MCE

This chapter describes IPv6 MCE configuration.

IPv6 MPLS L3VPN overview

IPv6 MPLS L3VPN uses BGP to advertise IPv6 VPN routes and uses MPLS to forward IPv6 VPN packets on the service provider backbone.

Figure 127 shows a typical IPv6 MPLS L3VPN model. The service provider backbone in the IPv6 MPLS L3VPN model is an IPv4 network. IPv6 runs inside the VPNs and between CE and PE. Therefore, PEs must support both IPv4 and IPv6. The PE-CE interfaces of a PE run IPv6, and the PE-P interface of a PE runs IPv4.

Figure 127 Network diagram for the IPv6 MPLS L3VPN model

IPv6 MCE overview

In IPv6 MPLS L3VPN networks, IPv6 MCE advertises IPv6 routes between internal networks and PEs, and forwards IPv6 packets. The fundamentals of IPv6 MCE are the same as those of MCE. For more information, see "MCE overview."

Feature and hardware compatibility

Hardware	IPv6 MCE compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS	No
MSR2600-6-X1/2600-10-X1	Yes
MSR 2630	Yes
MSR3600-28/3600-51	Yes
MSR3600-28-SI/3600-51-SI	No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC	Yes
MSR 3610/3620/3620-DP/3640/3660	Yes
MSR5620/5660/5680	Yes

IPv6 MCE configuration task list

Tasks at a glance
Configuring VPN instances: (Required.) Creating a VPN instance (Required.) Associating a VPN instance with an interface (Optional.) Configuring route related attributes for a VPN instance


Configuring routing on an MCE: (Required.) Configuring routing between an MCE and a VPN site (Required.) Configuring routing between an MCE and a PE

Configuring VPN instances

By configuring VPN instances on a PE, you isolate not only VPN routes from public network routes, but also routes between VPNs. This feature allows VPN instances to be used in network scenarios in addition to MPLS L3VPNs.

All VPN instance configurations are performed on PEs or MCEs.

Creating a VPN instance

A VPN instance is a collection of the VPN membership and routing rules of its associated site. A VPN instance might correspond to more than one VPN.

To create and configure a VPN instance:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a VPN instance and enter VPN instance view.	ip vpn-instance vpn-instance-name	By default, no VPN instances exist.
3. Configure an RD for the VPN instance.	route-distinguisher route-distinguisher	By default, no RD is configured for a VPN instance.
4. (Optional.) Configure a description for the VPN instance.	description text	By default, no description is configured for a VPN instance. The description should contain the VPN instance's related information, such as its relationship with a certain VPN.
5. (Optional.) Set an ID for the VPN instance.	vpn-id vpn-id	By default, no ID is configured for a VPN instance.
6. (Optional.) Configure an SNMP context for the VPN instance.	snmp context-name context-name	By default, no SNMP context is configured.

Associating a VPN instance with an interface

After creating and configuring a VPN instance, associate the VPN instance with the interface connected to the CE.

To associate a VPN instance with an interface:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Associate a VPN instance with the interface.	ip binding vpn-instance vpn-instance-name	By default, an interface is not associated with a VPN instance and belongs to the public network. The ip binding vpn-instance command clears the IP address of the interface. Therefore, reconfigure an IP address for the interface after configuring this command.

Configuring route related attributes for a VPN instance

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter VPN instance view or IPv6 VPN view.	· Enter VPN instance view: ip vpn-instance vpn-instance-name · Enter IPv6 VPN view: a. ip vpn-instance vpn-instance-name b. address-family ipv6	Configurations made in VPN instance view apply to both IPv4 VPN and IPv6 VPN. IPv6 VPN prefers the configurations in IPv6 VPN view over the configurations in VPN instance view.
3. Configure route targets.	vpn-target vpn-target&<1-8> [ both \| export-extcommunity \| import-extcommunity ]	By default, no route targets are configured.
4. Set the maximum number of active routes.	routing-table limit number { warn-threshold \| simply-alert }	For the default setting of this command, see MPLS Command Reference. Setting the maximum number of active routes for a VPN instance can prevent the PE from storing too many routes.
5. Apply an import routing policy.	import route-policy route-policy	By default, all routes matching the import target attribute are accepted. Make sure the routing policy already exists. Otherwise, the device does not filter received routes. For information about routing policies, see Layer 3—IP Routing Configuration Guide.
6. Apply an export routing policy.	export route-policy route-policy	By default, routes to be advertised are not filtered. Make sure the routing policy already exists. Otherwise, the device does not filter routes to be advertised. For information about routing policies, see Layer 3—IP Routing Configuration Guide.
7. Apply a tunnel policy to the VPN instance.	tnl-policy tunnel-policy-name	By default, only one tunnel is selected (no load balancing) in this order: LSP tunnel, GRE tunnel, and CR-LSP tunnel. The specified tunnel policy must have been created. For information about tunnel policies, see "Configuring tunnel policies."

Configuring routing on an MCE

An MCE implements service isolation through route isolation. MCE routing configuration includes the following:

· MCE-VPN site routing configuration.

· MCE-PE routing configuration.

On a PE in an MCE network environment, perform the following tasks:

· Disable routing loop detection to avoid route loss during route calculation.

· Disable route redistribution between routing protocols to save system resources.

Before you configure routing on an MCE, perform the following tasks:

· On the MCE, configure VPN instances, and bind the VPN instances to the interfaces connected to the VPN sites and those connected to the PE.

· Configure the link layer and network layer protocols on related interfaces to ensure IP connectivity.

Configuring routing between an MCE and a VPN site

You can configure IPv6 static routing, RIPng, OSPFv3, IPv6 IS-IS, or EBGP between an MCE and a VPN site.

Configuring IPv6 static routing between an MCE and a VPN site

An MCE can reach a VPN site through an IPv6 static route. IPv6 static routing on a traditional CE is globally effective and does not support address overlapping among VPNs. An MCE supports binding an IPv6 static route with an IPv6 VPN instance, so that the IPv6 static routes of different IPv6 VPN instances can be isolated from each other.

To configure IPv6 static routing between an MCE and a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure an IPv6 static route for an IPv6 VPN instance.	ipv6 route-static vpn-instance s-vpn-instance-name ipv6-address prefix-length { interface-type interface-number [ next-hop-address ] \| nexthop-address [ public ] \| vpn-instance d-vpn-instance-name nexthop-address } [ permanent ] [ preference preference ] [ tag tag-value ] [ description text ]	By default, no IPv6 static routes are configured. Perform this configuration on the MCE. On a VPN site, configure normal IPv6 static routes.
3. (Optional.) Configure the default preference for IPv6 static routes.	ipv6 route-static default-preference default-preference	The default preference for IPv6 static routes is 60.

Configuring RIPng between an MCE and a VPN site

A RIPng process belongs to the public network or a single IPv6 VPN instance. If you create a RIPng process without binding it to an IPv6 VPN instance, the process belongs to the public network. By configuring RIPng process-to-IPv6 VPN instance bindings on a MCE, you allow routes of different VPNs to be exchanged between the MCE and the sites through different RIPng processes, ensuring the separation and security of IPv6 VPN routes.

For more information about RIPng, see Layer 3—IP Routing Configuration Guide.

To configure RIPng between an MCE and a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a RIPng process for a VPN instance and enter RIPng view.	ripng [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the MCE. On a VPN site, configure normal RIPng.
3. Redistribute remote site routes advertised by the PE.	import-route protocol [ as-number \| process-id ] [ allow-ibgp ] [ allow-direct \| cost cost-value \| route-policy route-policy-name ] *	By default, no routes are redistributed into RIPng.
4. Return to system view.	quit	N/A
5. Enter interface view.	interface interface-type interface-number	N/A
6. Enable RIPng on the interface.	ripng process-id enable	By default, RIPng is disabled.

Configuring OSPFv3 between an MCE and a VPN site

An OSPFv3 process belongs to the public network or a single IPv6 VPN instance. If you create an OSPFv3 process without binding it to an IPv6 VPN instance, the process belongs to the public network.

By configuring OSPFv3 process-to-IPv6 VPN instance bindings on a MCE, you allow routes of different IPv6 VPNs to be exchanged between the MCE and the sites through different OSPFv3 processes, ensuring the separation and security of IPv6 VPN routes.

For more information about OSPFv3, see Layer 3—IP Routing Configuration Guide.

To configure OSPFv3 between an MCE and a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an OSPFv3 process for a VPN instance and enter OSPFv3 view.	ospfv3 [ process-id \| vpn-instance vpn-instance-name ] *	Perform this configuration on the MCE. On a VPN site, configure common OSPFv3. Deleting a VPN instance also deletes all related OSPFv3 processes.
3. Set the router ID.	router-id router-id	N/A
4. Redistribute remote site routes advertised by the PE.	import-route protocol [ as-number ] [ process-id \| all-processes \| allow-ibgp ] [ allow-direct \| cost cost-value \| nssa-only \| route-policy route-policy-name \| tag tag \| type type ] *	By default, no routes are redistributed into OSPFv3.
5. Return to system view.	quit	N/A
6. Enter interface view.	interface interface-type interface-number	N/A
7. Enable OSPFv3 on the interface.	ospfv3 process-id area area-id [ instance instance-id ]	By default, OSPFv3 is disabled on an interface.

Configuring IPv6 IS-IS between an MCE and a VPN site

An IPv6 IS-IS process belongs to the public network or a single IPv6 VPN instance. If you create an IPv6 IS-IS process without binding it to an IPv6 VPN instance, the process belongs to the public network.

By configuring IPv6 IS-IS process-to-IPv6 VPN instance bindings on a MCE, you allow routes of different IPv6 VPNs to be exchanged between the MCE and the sites through different IPv6 IS-IS processes. This ensures the separation and security of IPv6 VPN routes. For more information about IPv6 IS-IS, see Layer 3—IP Routing Configuration Guide.

To configure IPv6 IS-IS between an MCE and a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an IPv6 IS-IS process for a VPN instance and enter IS-IS view.	isis [ process-id ] vpn-instance vpn-instance-name	Perform this configuration on the MCE. On a VPN site, configure common IPv6 IS-IS.
3. Configure a network entity title for the IS-IS process.	network-entity net	By default, no NET is configured.
4. Create the IS-IS IPv6 unicast address family and enter its view.	address-family ipv6 [ unicast ]	By default, the IS-IS IPv6 unicast address family is not created.
5. (Optional.) Redistribute remote site routes advertised by the PE.	import-route protocol [ as-number \| process-id ] [ allow-ibgp ] [ allow-direct \| cost cost-value \| [ level-1 \| level-1-2 \| level-2 ] \| route-policy route-policy-name \| tag tag ] *	By default, no routes are redistributed to IPv6 IS-IS. If you do not specify the route level in the command, redistributed routes are added to the level-2 routing table.
6. Return to system view.	quit	N/A
7. Enter interface view.	interface interface-type interface-number	N/A
8. Enable the IPv6 IS-IS process on the interface.	isis ipv6 enable [ process-id ]	By default, no IPv6 IS-IS process is enabled on the interface.

Configuring EBGP between an MCE and a VPN site

To use EBGP between an MCE and IPv6 VPN sites, you must configure a BGP peer for each IPv6 VPN instance on the MCE, and redistribute the IGP routes of each VPN instance on the IPv6 VPN sites.

1. Configure the MCE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Specify an IPv6 BGP peer in an AS.	peer { group-name \| ipv6-address [ prefix-length ] } as-number as-number	By default, no BGP peers exist.
5. Enter BGP-VPN IPv6 unicast address family view.	address-family ipv6 [ unicast ]	N/A
6. Enable BGP to exchange IPv6 unicast routes with the specified peer.	peer { group-name \| ipv6-address [ prefix-length ] } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
7. Redistribute remote site routes advertised by the PE.	import-route protocol [ { process-id \| all-processes } [ allow-direct \| med med-value \| route-policy route-policy-name ] * ]	By default, no route redistribution is configured.

2. Configure a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
3. Configure the MCE as an EBGP peer.	peer { group-name \| ipv6-address [ prefix-length ] } as-number as-number	By default, no BGP peers exist.
4. Enter BGP IPv6 unicast address family view.	address-family ipv6 [ unicast ]	N/A
5. Enable BGP to exchange IPv6 unicast routes with the specified peer.	peer { group-name \| ipv6-address [ prefix-length ] } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
6. Redistribute the IGP routes of the VPN.	import-route protocol [ { process-id \| all-processes } [ allow-direct \| med med-value \| route-policy route-policy-name ] * ]	By default, no routes are redistributed into BGP. A VPN site must advertise IPv6 VPN network addresses it can reach to the connected MCE.

Configuring IBGP between an MCE and a VPN site

To use IBGP between an MCE and a VPN site, you must configure a BGP peer for each IPv6 VPN instance on the MCE, and redistribute the IGP routes of each VPN instance on the VPN site.

1. Configure the MCE:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	By default, BGP is not enabled.
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Configure an IBGP peer.	peer { group-name \| ipv6-address [ prefix-length ] } as-number as-number	By default, no BGP peers or peer groups exist.
5. Enter BGP-VPN IPv6 unicast address family view.	address-family ipv6 [ unicast ]	N/A
6. Enable BGP to exchange IPv6 unicast routes with the peer.	peer { group-name \| ipv6-address [ prefix-length ] } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
7. (Optional.) Configure the system to be the RR, and specify the peer as the client of the RR.	peer { group-name \| ipv6-address [ prefix-length ] } reflect-client	By default, no RR or RR client is configured. After you configure a VPN site as an IBGP peer, the MCE does not advertise the BGP routes learned from the VPN site to other IBGP peers, including VPNv6 peers. The MCE advertises routes learned from a VPN site only when you configure the VPN site as a client of the RR (the MCE).
8. Redistribute remote site routes advertised by the PE into BGP.	import-route protocol [ { process-id \| all-processes } [ allow-direct \| med med-value \| route-policy route-policy-name ] * ]	By default, no routes are redistributed into BGP.

2. Configure a VPN site:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	By default, BGP is not enabled.
3. Configure the MCE as an IBGP peer.	peer { group-name \| ipv6-address [ prefix-length ] } as-number as-number	By default, no BGP peers or peer groups exist.
4. Enter BGP IPv6 unicast address family view.	address-family ipv6 [ unicast ]	N/A
5. Enable BGP to exchange IPv6 unicast routes with the peer.	peer { group-name \| ipv6-address [ prefix-length ] } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
6. Redistribute the IGP routes of the VPN into BGP.	import-route protocol [ { process-id \| all-processes } [ allow-direct \| med med-value \| route-policy route-policy-name ] * ]	By default, no routes are redistributed into BGP. A VPN site must advertise VPN network addresses to the connected MCE.

Configuring routing between an MCE and a PE

MCE-PE routing configuration includes the following tasks:

· Binding the MCE-PE interfaces to IPv6 VPN instances.

· Performing routing configurations.

· Redistributing IPv6 VPN routes into the routing protocol running between the MCE and the PE.

Perform the following configuration tasks on the MCE. Configure the PE in the same way that you configure a PE in a basic IPv6 MPLS L3VPN. For more information about configuring the PE, see "Configuring IPv6 MPLS L3VPN."

Configuring IPv6 static routing between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure an IPv6 static route for an IPv6 VPN instance.	ipv6 route-static vpn-instance s-vpn-instance-name ipv6-address prefix-length { interface-type interface-number [ next-hop-address ] \| nexthop-address [ public ] \| vpn-instance d-vpn-instance-name nexthop-address } [ permanent ] [ preference preference ] [ tag tag-value ] [ description text ]	By default, no IPv6 static routes are configured.
3. (Optional.) Set the default preference for IPv6 static routes.	ipv6 route-static default-preference default-preference	The default value is 60.

Configuring RIPng between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a RIPng process for an IPv6 VPN instance and enter RIPng view.	ripng [ process-id ] vpn-instance vpn-instance-name	N/A
3. Redistribute VPN routes.	import-route protocol [ as-number \| process-id ] [ allow-ibgp ] [ allow-direct \| cost cost-value \| route-policy route-policy-name ] *	By default, no routes are redistributed into RIPng.
4. Return to system view.	quit	N/A
5. Enter interface view.	interface interface-type interface-number	N/A
6. Enable the RIPng process on the interface.	ripng process-id enable	By default, RIPng is disabled on an interface.

Configuring OSPFv3 between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an OSPFv3 process for an IPv6 VPN instance and enter OSPFv3 view.	ospfv3 [ process-id \| vpn-instance vpn-instance-name ] *	N/A
3. Set the router ID.	router-id router-id	N/A
4. Disable routing loop detection.	vpn-instance-capability simple	By default, routing loop detection is enabled. On an MCE network, you must disable routing loop detection for a VPN OSPFv3 process. Otherwise, the MCE does not receive OSPFv3 routes from the PE.
5. Redistribute VPN routes.	import-route protocol [ as-number ] [ process-id \| all-processes \| allow-ibgp ] [ allow-direct \| cost cost-value \| nssa-only \| route-policy route-policy-name \| tag tag \| type type ] *	By default, no routes are redistributed into OSPFv3.
6. Return to system view.	quit	N/A
7. Enter interface view.	interface interface-type interface-number	N/A
8. Enable the OSPFv3 process on the interface.	ospfv3 process-id area area-id [ instance instance-id ]	By default, OSPFv3 is disabled on an interface.

Configuring IPv6 IS-IS between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an IS-IS process for an IPv6 VPN instance and enter IS-IS view.	isis [ process-id ] vpn-instance vpn-instance-name	N/A
3. Configure a network entity title.	network-entity net	By default, no NET is configured.
4. Create the IS-IS IPv6 unicast address family and enter its view.	address-family ipv6 [ unicast ]	By default, the IS-IS IPv6 unicast address family is not created.
5. Redistribute VPN routes.	import-route protocol [ as-number \| process-id ] [ allow-ibgp ] [ allow-direct \| cost cost-value \| [ level-1 \| level-1-2 \| level-2 ] \| route-policy route-policy-name \| tag tag ] *	By default, IPv6 IS-IS does not redistribute routes from any other routing protocol. If you do not specify the route level in the command, the command redistributes routes to the level-2 routing table.
6. Return to system view.	quit	N/A
7. Enter interface view.	interface interface-type interface-number	N/A
8. Enable the IPv6 IS-IS process on the interface.	isis ipv6 enable [ process-id ]	By default, no IPv6 IS-IS process is enabled on the interface.

Configuring EBGP between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	N/A
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Configure the PE as an EBGP peer.	peer { group-name \| ipv6-address [ prefix-length ] } as-number as-number	By default, no BGP peers exist.
5. Enter BGP-VPN IPv6 unicast address family view.	address-family ipv6 [ unicast ]	N/A
6. Enable BGP to exchange IPv6 unicast routes with the specified peer.	peer { group-name \| ipv6-address [ prefix-length ] } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
7. Redistribute VPN routes.	import-route protocol [ { process-id \| all-processes } [ allow-direct \| med med-value \| route-policy route-policy-name ] * ]	By default, no routes are redistributed into BGP.

Configuring IBGP between an MCE and a PE

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter BGP instance view.	bgp as-number [ instance instance-name ]	By default, BGP is not enabled.
3. Enter BGP-VPN instance view.	ip vpn-instance vpn-instance-name	N/A
4. Configure the PE as an IBGP peer.	peer { group-name \| ipv6-address [ prefix-length ] } as-number as-number	By default, no BGP peers or peer groups exist.
5. Enter BGP-VPN IPv6 unicast address family view.	address-family ipv6 [ unicast ]	N/A
6. Enable BGP to exchange IPv6 unicast routes with the peer.	peer { group-name \| ipv6-address [ prefix-length ] } enable	By default, BGP does not exchange IPv6 unicast routes with any peer.
7. Redistribute the VPN routes of the VPN site.	import-route protocol [ { process-id \| all-processes } [ allow-direct \| med med-value \| route-policy route-policy-name ] * ]	By default, no routes are redistributed into BGP.

Displaying and maintaining IPv6 MCE

Execute display commands in any view.

Task	Command
Display VPN instance information.	display ip vpn-instance [ instance-name vpn-instance-name ]

For commands that display routing tables for VPN instances, see Layer 3—IP Routing Command Reference.

IPv6 MCE configuration example

Network requirements

As shown in Figure 128, VPN 2 runs RIPng. Configure the MCE device to separate routes from different VPNs and advertise the VPN routes to PE 1 through OSPFv3.

Figure 128 Network diagram

Configuration procedure

Assume that the system name of the MCE device is MCE, the system names of the edge routers of VPN 1 and VPN 2 are VR1 and VR2, and the system name of PE 1 is PE1.

1. Configure VPN instances on the MCE and PE 1:

# On MCE, configure VPN instances vpn1 and vpn2, and specify an RD and route targets for each VPN instance.

<MCE> system-view

[MCE] ip vpn-instance vpn1

[MCE-vpn-instance-vpn1] route-distinguisher 10:1

[MCE-vpn-instance-vpn1] vpn-target 10:1

[MCE-vpn-instance-vpn1] quit

[MCE] ip vpn-instance vpn2

[MCE-vpn-instance-vpn2] route-distinguisher 20:1

[MCE-vpn-instance-vpn2] vpn-target 20:1

[MCE-vpn-instance-vpn2] quit

# Bind interface GigabitEthernet 2/0/1 to VPN instance vpn1, and configure an IPv6 address for the interface.

[MCE] interface gigabitethernet 2/0/1

[MCE-GigabitEthernet2/0/1] ip binding vpn-instance vpn1

[MCE-GigabitEthernet2/0/1] ipv6 address 2001:1::1 64

[MCE-GigabitEthernet2/0/1] quit

# Bind interface GigabitEthernet 2/0/2 to VPN instance vpn2, and configure an IPv6 address for the interface.

[MCE] interface gigabitethernet 2/0/2

[MCE-GigabitEthernet2/0/2] ip binding vpn-instance vpn2

[MCE-GigabitEthernet2/0/2] ipv6 address 2002:1::1 64

[MCE-GigabitEthernet2/0/2] quit

# On PE 1, configure VPN instances vpn1 and vpn2, and specify an RD and route targets for each VPN instance.

<PE1> system-view

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 10:1

[PE1-vpn-instance-vpn1] vpn-target 10:1

[PE1-vpn-instance-vpn1] quit

[PE1] ip vpn-instance vpn2

[PE1-vpn-instance-vpn2] route-distinguisher 20:1

[PE1-vpn-instance-vpn2] vpn-target 20:1

[PE1-vpn-instance-vpn2] quit

2. Configure routing between the MCE and VPN sites:

The MCE is connected to VPN 1 directly, and no routing protocol is enabled in VPN 1. Therefore, you can configure IPv6 static routes.

# On VR 1, assign IPv6 address 2001:1::2/64 to the interface connected to the MCE and 2012:1::2/64 to the interface connected to VPN 1. (Details not shown.)

# On VR 1, configure a default route with the next hop as 2001:1::1.

<VR1> system-view

[VR1] ipv6 route-static :: 0 2001:1::1

# On the MCE, configure an IPv6 static route to 2012:1::/64 with the next hop 2001:1::2. Bind the static route to VPN instance vpn1.

[MCE] ipv6 route-static vpn-instance vpn1 2012:1:: 64 2001:1::2

# Run RIPng in VPN 2. Configure RIPng process 20 for the VPN instance vpn2 on the MCE, so that the MCE can learn the routes of VPN 2 and add them to the routing table of the VPN instance vpn2.

[MCE] ripng 20 vpn-instance vpn2

# Advertise subnet 2002:1::/64.

[MCE] interface gigabitethernet 2/0/2

[MCE-GigabitEthernet2/0/2] ripng 20 enable

[MCE-GigabitEthernet2/0/2] quit

# On VR 2, assign IPv6 address 2002:1::2/64 to the interface connected to the MCE. (Details not shown.)

# On VR 2, configure RIPng and advertise subnets 2012::/64 and 2002:1::/64.

<VR2> system-view

[VR2] ripng 20

[VR2-ripng-20] quit

[VR2] interface gigabitethernet 2/0/1

[VR2-GigabitEthernet2/0/1] ripng 20 enable

[VR2-GigabitEthernet2/0/1] quit

[VR2] interface gigabitethernet 2/0/2

[VR2-GigabitEthernet2/0/2] ripng 20 enable

[VR2-GigabitEthernet2/0/2] quit

# On the MCE, display the routing tables of the VPN instances vpn1 and vpn2.

[MCE] display ipv6 routing-table vpn-instance vpn1

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:1::/64 Protocol : Direct

NextHop : :: Preference: 0

Interface : GE2/0/1 Cost : 0

Destination: 2001:1::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2012:1::/64 Protocol : Static

NextHop : 2001:1::2 Preference: 60

Interface : GE2/0/1 Cost : 0

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

[MCE] display ipv6 routing-table vpn-instance vpn2

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2002:1::/64 Protocol : Direct

NextHop : :: Preference: 0

Interface : GE2/0/2 Cost : 0

Destination: 2002:1::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2012::/64 Protocol : RIPng

NextHop : FE80::20C:29FF:FE40:701 Preference: 100

Interface : GE2/0/2 Cost : 1

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

The output shows that the MCE has learned the private route of VPN 2 through RIPng. The MCE maintains the routes of VPN 1 and VPN 2 in two different routing tables. In this way, routes from different VPNs are separated.

3. Configure routing between the MCE and PE 1:

# The MCE is connected to PE 1 through subinterfaces. On the MCE, bind subinterface GigabitEthernet 2/0/3.1 to the VPN instance vpn1.

[MCE] interface gigabitethernet 2/0/3.1

[MCE-GigabitEthernet2/0/3.1] ip binding vpn-instance vpn1

# Configure the subinterface to terminate VLAN 10.

[MCE-GigabitEthernet2/0/3.1] vlan-type dot1q vid 10

# Configure an IPv6 address for the subinterface.

[MCE-GigabitEthernet2/0/3.1] ipv6 address 2001:2::3 64

[MCE-GigabitEthernet2/0/3.1] quit

# On the MCE, bind subinterface GigabitEthernet 2/0/3.2 to the VPN instance vpn2.

[MCE] interface gigabitethernet 2/0/3.2

[MCE-GigabitEthernet2/0/3.2] ip binding vpn-instance vpn2

# Configure the subinterface to terminate VLAN 20.

[MCE-GigabitEthernet2/0/3.2] vlan-type dot1q vid 20

# Configure an IPv6 address for the subinterface.

[MCE-GigabitEthernet2/0/3.2] ipv6 address 2002:2::3 64

[MCE-GigabitEthernet2/0/3.2] quit

# On PE 1, bind subinterface GigabitEthernet 2/0/1.1 to the VPN instance vpn1.

[PE1] interface gigabitethernet 2/0/1.1

[PE1-GigabitEthernet2/0/1.1] ip binding vpn-instance vpn1

# Configure the subinterface to terminate VLAN 10.

[PE1-GigabitEthernet2/0/1.1] vlan-type dot1q vid 10

# Configure an IPv6 address for the subinterface.

[PE1-GigabitEthernet2/0/1.1] ipv6 address 2001:2::4 64

[PE1-GigabitEthernet2/0/1.1] quit

# On PE 1, bind subinterface GigabitEthernet 2/0/1.2 to the VPN instance vpn2.

[PE1] interface gigabitethernet 2/0/1.2

[PE1-GigabitEthernet2/0/1.2] ip binding vpn-instance vpn2

# Configure the subinterface to terminate VLAN 20.

[PE1-GigabitEthernet2/0/1.2] vlan-type dot1q vid 20

# Configure an IPv6 address for the subinterface.

[PE1-GigabitEthernet2/0/1.2] ipv6 address 2002:2::4 64

[PE1-GigabitEthernet2/0/1.2] quit

# Enable OSPFv3 process 10 on the MCE, and bind the process to VPN instance vpn1.

[MCE] ospfv3 10 vpn-instance vpn1

# Redistribute the IPv6 static route of VPN 1.

[MCE-ospf-10] router-id 101.101.10.1

[MCE-ospf-10] import-route static

[MCE-ospf-10] quit

# Enable OSPFv3 on interface GigabitEthernet 2/0/3.1.

[MCE] interface gigabitethernet 2/0/3.1

[MCE-GigabitEthernet2/0/3.1] ospfv3 10 area 0.0.0.0

[MCE-GigabitEthernet2/0/3.1] quit

# On PE 1, enable OSPFv3 process 10 and bind it to VPN instance vpn1.

[PE1] ospfv3 10 vpn-instance vpn1

[PE1-ospf-10] router-id 100.100.10.1

[PE1-ospf-10] quit

# Enable OSPFv3 on subinterface GigabitEthernet 2/0/1.1.

[PE1] interface gigabitethernet 2/0/1.1

[PE1-GigabitEthernet2/0/1.1] ospfv3 10 area 0.0.0.0

[PE1-GigabitEthernet2/0/1.1] quit

Verifying the configuration

# Verify that PE 1 has learned the private route of VPN 1 through OSPFv3.

[PE1] display ipv6 routing-table vpn-instance vpn1

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2001:2::/64 Protocol : Direct

NextHop : :: Preference: 0

Interface : GE2/0/1.1 Cost : 0

Destination: 2001:2::4/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2012:1::/64 Protocol : O_ASE2

NextHop : FE80::200:5EFF:FE01:1C05 Preference: 15

Interface : GE2/0/1.1 Cost : 10

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

# Verify that PE 1 has learned the private route of VPN 2 through OSPFv3.

[PE1] display ipv6 routing-table vpn-instance vpn2

Destinations : 6 Routes : 6

Destination: ::1/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2002:2::/64 Protocol : Direct

NextHop : :: Preference: 0

Interface : GE2/0/1.2 Cost : 0

Destination: 2002:2::4/128 Protocol : Direct

NextHop : ::1 Preference: 0

Interface : InLoop0 Cost : 0

Destination: 2012::/64 Protocol : O_ASE2

NextHop : FE80::200:5EFF:FE01:1C06 Preference: 15

Interface : GE2/0/1.2 Cost : 10

Destination: FE80::/10 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

Destination: FF00::/8 Protocol : Direct

NextHop : :: Preference: 0

Interface : NULL0 Cost : 0

The routing information for the two VPNs has been redistributed into the routing table on PE 1.

Configuring static SR over MPLS

Overview

About SR and SRLSP

Segment Routing (SR) is a source routing technology. The source node selects a path for the packets, and then encodes the path as a list of segments in the packets. Each segment is identified by a segment identifier (SID). The SR nodes forward the arriving packets based on the SIDs in the packets. Only the source node needs to maintain the path status.

There are the following types of segments:

· Prefix segment—SIDs are assigned to nodes based on destination address prefix. The nodes create prefix-specific forwarding entries.

· Adjacency segment—SIDs are assigned to nodes based on adjacency.

SR can operate with MPLS. In an MPLS network, SR uses MPLS labels as SIDs to forward packets on an LSP. Such an LSP is referred to as a segment routing label switched path (SRLSP).

SRLSPs are special CRLSPs established based on SR. An MPLS TE tunnel can contain one or multiple SRLSPs. The source node (ingress node of an MPLS TE tunnel) forwards packets that are routed to the MPLS TE tunnel interface through the SRLSPs.

How static SR over MPLS works

Static SR over MPLS provides the following methods for establishing static SRLSPs:

· Prefix segment method—Each node on the SRLSP has segment information for the destination IP address. The segment information is manually configured and includes the incoming label, outgoing label, and next hop.

· Adjacency segment method—Each node on the SRLSP has segment information for the adjacency to its neighbor. The segment information is manually configured and includes the incoming label and next hop. The label stack on the ingress node specifies all labels of the segments that the forwarding path traverses.

NOTE:

The device supports only the adjacency method for static SRLSP establishment.

Prefix SID-based packet forwarding

Figure 129 shows how static SRLSP forwards a packet when prefix SIDs (prefix labels) are used.

1. Ingress node Device A adds label 16000 (the prefix label of the destination IP address) to the packet and then forwards the packet to the next hop (Device B).

2. When transit node Device B receives the packet, it compares the label in the packet (label 16000) with the incoming label. The label matches the incoming label. Device B then performs the following operations:

a. Removes the label from the packet.

b. Adds the outgoing label (label 16000) to the packet.

c. Forwards the packet to the next hop (Device C).

3. Transit nodes Device C and Device D process the packet in the same way Device B does.

4. When egress node Device E receives the packet, it compares the label in the packet (label 16000) with the incoming label. The label matches the incoming label. Device E then removes the label and forwards the packet to the destination IP address.

Figure 129 Prefix SID-based packet forwarding

Adjacency SID-based packet forwarding

Figure 130 shows how static SRLSP forwards a packet when adjacency SIDs (adjacency labels) are used.

1. Ingress node Device A adds a label stack (201, 202, and 203) to the packet and then forwards it to the next hop (Device B).

The label stack lists labels of the adjacency segments in the order that the SRLSP traverses.

2. When transit node Device B receives the packet, it compares the top label in the packet (label 201) with the incoming label. The top label matches the incoming label. Device B then removes the top label from the packet and forwards the packet to the next hop (Device C).

3. When transit node Device C receives the packet, it compares the top label in the packet (label 202) with the incoming label. The top label matches the incoming label. Device C then removes the top label from the packet and forwards the packet to the next hop (Device D).

4. When transit node Device D receives the packet, it compares the top label in the packet (label 203) with the incoming label. The top label matches the incoming label. Device D then removes the top label from the packet and forwards the packet to the next hop (Device E).

5. When egress node Device E receives the packet, it forwards the packet to the destination IP address.

Figure 130 Adjacency SID-based packet forwarding

Prefix and adjacency SID-based packet forwarding

As shown in Figure 131, a static SRLSP with a label stack (16000, 16, and 17) has been established to Device E on Device A.

· A prefix segment is configured on Device A. The incoming label and outgoing label of the segment is 16000 and 16000, respectively. The next hop of the segment is Device B.

· A prefix segment is configured on Device B. The incoming label and outgoing label of the segment is 16000 and 16001, respectively. The next hop of the segment is Device C.

· A prefix segment and an adjacency segment are configured on Device C. The incoming label of the prefix segment is 16001. The incoming label of the adjacency segment is 16. The next hop of the adjacency segment is Device D.

· An adjacency segment is configured on Device D. The incoming label of the segment is 17 and the next hop of the segment is Device E.

A packet is forwarded over the SRLSP as follows:

1. Ingress node Device A adds a label stack (16000, 16, and 17) to the packet and then forwards the packet to the next hop (Device B).

The label stack lists labels of the segments in the order that the SRLSP traverses.

2. When Device B receives the packet, it compares the top label in the packet (label 16000) with the incoming label of the prefix segment. The top label matches the incoming label. Device B then performs the following operations:

a. Removes the top label from the packet.

b. Adds the outgoing label (label 16001) to the packet.

c. Forwards the packet to the next hop (Device C).

3. When Device C receives the packet, it performs the following operations:

a. Compares the top label (label 16001) with the incoming labels of the prefix and adjacency segments. The top label matches the incoming label of the prefix segment.

b. Removes the top label from the packet.

c. Compares the next label (label 16) with the incoming labels of the prefix and adjacency segments because the prefix label information does not include a next hop. The label matches the incoming label of the adjacency segment.

d. Removes the label from the packet.

e. Forwards the packet to the next hop (Device D) of the adjacency segment.

4. When Device D receives the packet, it compares the top label in the packet (label 17) with the incoming label. The top label matches the incoming label. Device D then removes the label from the packet and forwards the packet to the next hop (Device E).

5. When egress node Device E receives the packet, it forwards the packet to the destination IP address.

Figure 131 Prefix and adjacency SID-based packet forwarding

Protocols and standards

· draft-ietf-spring-segment-routing-mpls-00

· draft-ietf-spring-segment-routing-02

Feature and hardware compatibility

Hardware	Static SR over MPLS compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS	No
MSR2600-6-X1/2600-10-X1	Yes
MSR 2630	Yes
MSR3600-28/3600-51	Yes
MSR3600-28-SI/3600-51-SI	No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC	Yes
MSR 3610/3620/3620-DP/3640/3660	Yes
MSR5620/5660/5680	Yes

Hardware	Static SR over MPLS compatibility
MSR810-LM-GL	No
MSR810-W-LM-GL	No
MSR830-6EI-GL	No
MSR830-10EI-GL	No
MSR830-6HI-GL	No
MSR830-10HI-GL	No
MSR2600-6-X1-GL	Yes
MSR3600-28-SI-GL	No

Static SR over MPLS configuration task list

To configure static SR over MPLS, perform the following tasks:

1. Enable MPLS TE on all nodes and enable MPLS on all interfaces that will participate in MPLS TE forwarding.

2. Configure adjacency segments or prefix segments on all nodes that the SRLSP might traverse.

You can configure both prefix and adjacency segments on a node.

3. Create a static SRLSP on the ingress node of the MPLS TE tunnel.

4. Create a tunnel interface on the ingress node of the MPLS TE tunnel, and specify the tunnel destination address.

5. On the ingress node of the MPLS TE tunnel, bind the created static SRLSP to the MPLS TE tunnel interface.

6. On the ingress node of the MPLS TE tunnel, configure static routing or PBR to direct traffic to the MPLS TE tunnel.

For information about configuring MPLS TE, see "Configuring MPLS TE."

The following table lists the SRLSP-specific tasks:

Tasks at a glance
Configuring an adjacency or prefix segment: · Configuring an adjacency segment · Configuring a prefix segment
Configuring a static SRLSP
Binding a static SRLSP to an MPLS TE tunnel interface

Prerequisites

Before you configure static SR over MPLS, perform the following tasks:

· Determine the ingress node, transit nodes, and egress node of a static SRLSP.

· Determine the incoming label for the adjacency segment from a node to next hop of the node. Determine the incoming label for the destination IP address for the prefix segment on each node. On a device, a static SRLSP, a static LSP, and a static CRLSP cannot use the same incoming label.

· Enable MPLS on all nodes and interfaces that will participate in MPLS forwarding. For information about enabling MPLS, see "Configuring basic MPLS."

Configuring an adjacency segment

Perform this task on all nodes that a static SRLSP might traverse.

Multiple static SRLSPs can share an adjacency segment.

To configure an adjacency segment:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure an adjacency segment.

static-sr-mpls adjacency adjacency-path-name in-label label-value { nexthop ip-address | outgoing-interface interface-type interface-number }

By default, no adjacency segments exist.

Do not specify a local public IP address as the next hop address when configuring an adjacency segment.

Configuring a prefix segment

Multiple static SRLSPs to the same destination can share a prefix segment.

To configure a prefix segment:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure a prefix segment.

static-sr-mpls prefix prefix-path-name destination ip-address { mask | mask-length } in-label in-label-value [ { nexthop ip-address | output-interface interface-type interface-number } out-label out-label-value ]

By default, no prefix segments exist.

Do not specify a local public IP address as the next hop address when configuring a prefix segment.

Configuring a static SRLSP

Perform this task only on the ingress node of a static SRLSP.

To configure a static SRLSP:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure a static SRLSP.	static-sr-mpls lsp lsp-name out-label out-label-value&<1-5>	By default, no static SRLSPs exist.

Binding a static SRLSP to an MPLS TE tunnel interface

Perform this task only on the ingress node of a static SRLSP.

To bind a static SRLSP to an MPLS TE tunnel interface:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MPLS TE tunnel interface view.	interface tunnel tunnel-number [ mode mpls-te ]	N/A
3. Set the MPLS TE tunnel establishment mode to static.	mpls te signaling static	By default, MPLS TE uses RSVP-TE to establish a tunnel.
4. Bind a static SRLSP to the MPLS TE tunnel interface.	mpls te static-sr-lsp lsp-name	By default, an MPLS TE tunnel does not use a static SRLSP.

Displaying and maintaining static SRLSP

Execute display commands in any view.

Task	Command
Display static SRLSP and adjacency segment information.	display mpls static-sr-lsp [ lsp lsp-name \| adjacency adjacency-path-name ]

Static SRLSP configuration examples

Network requirements

As shown in Figure 132, Router A, Router B, Router C, Router D, and Router E run IS-IS.

Establish an MPLS TE tunnel over a static SRLSP from Router A to Router D to transmit data between the IP networks. The static SRLSP traverses three segments: Router A-Router B, Router B-Router C, and Router C-Router D.

Establish an MPLS TE tunnel over a static SRLSP from Router A to Router E to transmit data between the IP networks. The static SRLSP traverses three segments: Router A-Router B, Router B-Router C, and Router C-Router E.

Figure 132 Network diagram

‌

Table 50 Interface and IP address assignment

Device	Interface	IP address	Device	Interface	IP address
Router A	Loop0	1.1.1.9/32	Router B	Loop0	2.2.2.9/32
	GE1/0/1	100.1.1.1/24		GE1/0/1	10.1.1.2/24
	GE1/0/2	10.1.1.1/24		GE1/0/2	20.1.1.1/24
Router C	Loop0	3.3.3.9/32		GE1/0/3	60.1.1.1/24
	GE1/0/1	30.1.1.1/24	Router D	Loop0	4.4.4.9/32
	GE1/0/2	20.1.1.2/24		GE1/0/1	100.1.2.1/24
	GE1/0/3	50.1.1.1/24		GE1/0/2	30.1.1.2/24
	GE1/0/4	60.1.1.2/24
Router E	Loop0	5.5.5.9/32
	GE1/0/1	200.1.2.1/24
	GE1/0/2	50.1.1.2/24

Configuration procedure

1. Configure IP addresses and masks for interfaces. (Details not shown.)

2. Configure IS-IS to advertise interface addresses, including the loopback interface address. (Details not shown.)

3. Execute the display ip routing-table command on each router to verify that the routers have learned the routes to one another, including the routes to the loopback interfaces. (Details not shown.)

4. Configure LSR IDs, and enable MPLS and MPLS TE:

# Configure Router A

[RouterA] mpls lsr-id 1.1.1.9

[RouterA] mpls te

[RouterA-te] quit

[RouterA] interface gigabitethernet 1/0/2

[RouterA-GigabitEthernet1/0/2] mpls enable

[RouterA-GigabitEthernet1/0/2] quit

# Configure Router B.

[RouterB] mpls lsr-id 2.2.2.9

[RouterB] mpls te

[RouterB-te] quit

[RouterB] interface gigabitethernet 1/0/1

[RouterB-GigabitEthernet1/0/1] mpls enable

[RouterB-GigabitEthernet1/0/1] quit

[RouterB] interface gigabitethernet 1/0/2

[RouterB-GigabitEthernet1/0/2] mpls enable

[RouterB-GigabitEthernet1/0/2] quit

[RouterB] interface gigabitethernet 1/0/3

[RouterB-GigabitEthernet1/0/3] mpls enable

[RouterB-GigabitEthernet1/0/3] quit

# Configure Router C.

[RouterC] mpls lsr-id 3.3.3.9

[RouterC] mpls te

[RouterC-te] quit

[RouterC] interface gigabitethernet 1/0/1

[RouterC-GigabitEthernet1/0/1] mpls enable

[RouterC-GigabitEthernet1/0/1] quit

[RouterC] interface gigabitethernet 1/0/2

[RouterC-GigabitEthernet1/0/2] mpls enable

[RouterC-GigabitEthernet1/0/2] quit

[RouterC] interface gigabitethernet 1/0/3

[RouterC-GigabitEthernet1/0/3] mpls enable

[RouterC-GigabitEthernet1/0/3] quit

[RouterC] interface gigabitethernet 1/0/4

[RouterC-GigabitEthernet1/0/4] mpls enable

[RouterC-GigabitEthernet1/0/4] quit

# Configure Router D.

[RouterD] mpls lsr-id 4.4.4.9

[RouterD] mpls te

[RouterD-te] quit

[RouterD] interface gigabitethernet 1/0/2

[RouterD-GigabitEthernet1/0/2] mpls enable

[RouterD-GigabitEthernet1/0/2] quit

# Configure Router E.

[RouterE] mpls lsr-id 5.5.5.9

[RouterE] mpls te

[RouterE-te] quit

[RouterE] interface gigabitethernet 1/0/2

[RouterE-GigabitEthernet1/0/2] mpls enable

[RouterE-GigabitEthernet1/0/2] quit

5. Configure adjacency and prefix segments on the nodes:

# On Router A, create adjacency segment adjacency-1, and bind incoming label 16 to next hop address 10.1.1.2.

[RouterA] static-sr-mpls adjacency adjacency-1 in-label 16 nexthop 10.1.1.2

# On Router B, create adjacency segment adjacency-2, and bind incoming label 21 to next hop address 20.1.1.2.

[RouterB] static-sr-mpls adjacency adjacency-2 in-label 21 nexthop 20.1.1.2

# On Router B, create prefix segments named prefix-1 to destination IP address 5.5.5.9, bind incoming label 16000 to next hop addresses 20.1.1.2 and 60.1.1.2, and specify the outgoing label as 16001.

[RouterB] static-sr-mpls prefix prefix-1 destination 5.5.5.9 32 in-label 16000 nexthop 20.1.1.2 out-label 16001

[RouterB] static-sr-mpls prefix prefix-1 destination 5.5.5.9 32 in-label 16000 nexthop 60.1.1.2 out-label 16001

# On Router C, create adjacency segment adjacency-1, and bind incoming label 30 to next hop address 30.1.1.2. Create adjacency segment adjacency-2, and bind incoming label 31 to next hop address 50.1.1.2.

[RouterC] static-sr-mpls adjacency adjacency-1 in-label 30 nexthop 30.1.1.2

[RouterC] static-sr-mpls adjacency adjacency-2 in-label 31 nexthop 50.1.1.2

# On Router C, create prefix segment named prefix-1 to destination IP address 5.5.5.9, and specify the incoming label as 16001.

[RouterC] static-sr-mpls prefix prefix-1 destination 5.5.5.9 32 in-label 16001

6. On Router A, establish static SRLSP static-sr-lsp-1 to Router D and static SRLSP static-sr-lsp-2 to Router E:

# Configure Router A as the ingress node of static SRLSP static-sr-lsp-1 and configure a label stack of [16, 21, 30].

[RouterA] static-sr-mpls lsp static-sr-lsp-1 out-label 16 21 30

# Configure Router A as the ingress node of static SRLSP static-sr-lsp-2 and configure a label stack of [16, 16000, 31].

[RouterA] static-sr-mpls lsp static-sr-lsp-2 out-label 16 16000 31

7. Configure MPLS TE tunnels over static SRLSPs on Router A:

# Establish static MPLS TE tunnel 0 to Router D and specify the tunnel destination address as the LSR ID of Router D. Bind static SRLSP static-sr-lsp-1 to MPLS TE tunnel interface 0.

[RouterA] interface tunnel 0 mode mpls-te

[RouterA-Tunnel0] ip address 6.1.1.1 255.255.255.0

[RouterA-Tunnel0] destination 4.4.4.9

[RouterA-Tunnel0] mpls te signaling static

[RouterA-Tunnel0] mpls te static-sr-mpls static-sr-lsp-1

[RouterA-Tunnel0] quit

# Establish static MPLS TE tunnel 1 to Router E and specify the tunnel destination address as the LSR ID of Router E. Bind static SRLSP static-sr-lsp-2 to MPLS TE tunnel interface 1.

[RouterA] interface tunnel 1 mode mpls-te

[RouterA-Tunnel1] ip address 7.1.1.1 255.255.255.0

[RouterA-Tunnel1] destination 5.5.5.9

[RouterA-Tunnel1] mpls te signaling static

[RouterA-Tunnel1] mpls te static-sr-mpls static-sr-lsp-2

[RouterA-Tunnel1] quit

8. On Router A, configure two static routes to direct traffic destined for 100.1.2.0/24 and 200.1.2.0/24 to MPLS TE tunnel 0 and tunnel 1, respectively.

[RouterA] ip route-static 100.1.2.0 24 tunnel 0 preference 1

[RouterA] ip route-static 200.1.2.0 24 tunnel 1 preference 1

Verifying the configuration

# Display the MPLS TE tunnel information on Router A.

[RouterA] display mpls te tunnel-interface

Tunnel Name : Tunnel 0

Tunnel State : Up (Main CRLSP up)

Tunnel Attributes :

LSP ID : 1 Tunnel ID : 0

Admin State : Normal

Ingress LSR ID : 1.1.1.9 Egress LSR ID : 4.4.4.9

Signaling : Static Static CRLSP Name : -

Static SRLSP Name : static-sr-lsp-1/-

Resv Style : -

Tunnel mode : -

Reverse-LSP name : -

Reverse-LSP LSR ID : - Reverse-LSP Tunnel ID: -

Class Type : - Tunnel Bandwidth : -

Reserved Bandwidth : -

Setup Priority : 0 Holding Priority : 0

Affinity Attr/Mask : -/-

Explicit Path : -

Backup Explicit Path : -

Metric Type : TE

Record Route : - Record Label : -

FRR Flag : - Bandwidth Protection : -

Backup Bandwidth Flag: - Backup Bandwidth Type : -

Backup Bandwidth : -

Bypass Tunnel : - Auto Created : -

Route Pinning : -

Retry Limit : 3 Retry Interval : 2 sec

Reoptimization : - Reoptimization Freq : -

Backup Type : - Backup LSP ID : -

Auto Bandwidth : - Auto Bandwidth Freq : -

Min Bandwidth : - Max Bandwidth : -

Collected Bandwidth : -

Tunnel Name : Tunnel 1

Tunnel State : Up (Main CRLSP up)

Tunnel Attributes :

LSP ID : 1 Tunnel ID : 0

Admin State : Normal

Ingress LSR ID : 1.1.1.9 Egress LSR ID : 5.5.5.9

Signaling : Static Static CRLSP Name : -

Static SRLSP Name : static-sr-lsp-2/-

Resv Style : -

Tunnel mode : -

Reverse-LSP name : -

Reverse-LSP LSR ID : - Reverse-LSP Tunnel ID: -

Class Type : - Tunnel Bandwidth : -

Reserved Bandwidth : -

Setup Priority : 0 Holding Priority : 0

Affinity Attr/Mask : -/-

Explicit Path : -

Backup Explicit Path : -

Metric Type : TE

Record Route : - Record Label : -

FRR Flag : - Bandwidth Protection : -

Backup Bandwidth Flag: - Backup Bandwidth Type: -

Backup Bandwidth : -

Bypass Tunnel : - Auto Created : -

Route Pinning : -

Retry Limit : 3 Retry Interval : 2 sec

Reoptimization : - Reoptimization Freq : -

Backup Type : - Backup LSP ID : -

Auto Bandwidth : - Auto Bandwidth Freq : -

Min Bandwidth : - Max Bandwidth : -

Collected Bandwidth : -

# Display static SRLSP establishment on each router by using the display mpls lsp or display mpls static-sr-lsp command.

[RouterA] display mpls lsp

FEC Proto In/Out Label Interface/Out NHLFE

1.1.1.9/0/1 StaticCR 16/21 GE1/0/1

1.1.1.9/1/2 StaticCR 16/16000 GE1/0/1

[RouterB] display mpls lsp

FEC Proto In/Out Label Interface/Out NHLFE

- StaticCR 21/- GE1/0/2

5.5.5.9/32 StaticCR 16000/16001 GE1/0/2

5.5.5.9/32 StaticCR 16000/16001 GE1/0/4

[RouterC] display mpls lsp

FEC Proto In/Out Label Interface/Out NHLFE

- StaticCR 30/- GE1/0/1

- StaticCR 31/- GE1/0/3

5.5.5.9/32 StaticCR 16001/- -

Index

B C D E F I L M O P R S T

BFD for LSP configuration example,463

Binding a static SRLSP to an MPLS TE tunnel interface,518

Binding an AC to a cross-connect,404

Command and hardware compatibility,26

Command and hardware compatibility,468

Compatibility information,397

Compatibility information,6

Configuration guidelines,13

Configuration prerequisites,14

Configuration procedure,14

Configuration procedure,168

Configuration restrictions and guidelines,220

Configuring a bidirectional MPLS TE tunnel,101

Configuring a cross-connect,400

Configuring a label acceptance policy,33

Configuring a label advertisement policy,33

Configuring a prefix segment,517

Configuring a PW,401

Configuring a static SRLSP,517

Configuring a tunnel interface,85

Configuring a tunnel policy,192

Configuring an AC,399

Configuring an adjacency segment,517

Configuring an LSP generation policy,32

Configuring an MPLS TE tunnel to use a CRLSP calculated by PCEs,95

Configuring an MPLS TE tunnel to use a dynamic CRLSP,87

Configuring an MPLS TE tunnel to use a static CRLSP,86

Configuring an OSPF sham link,237

Configuring an OSPFv3 sham link,344

Configuring basic IPv6 MPLS L3VPN,331

Configuring basic MPLS L3VPN,221

Configuring BGP AS number substitution and SoO attribute,239

Configuring BGP AS number substitution and SoO attribute,345

Configuring BGP RT filtering,241

Configuring CBTS,107

Configuring command switching for the protection group,471

Configuring conventional L2VPN access to L3VPN or IP backbone,441

Configuring CRLSP backup,102

Configuring DS-TE,85

Configuring Hello parameters,28

Configuring HoVPN,236

Configuring improved L2VPN access to L3VPN or IP backbone,442

Configuring inter-AS IPv6 VPN,341

Configuring inter-AS VPN,230

Configuring interworking for a cross-connect,407

Configuring LDP backoff,30

Configuring LDP FRR,39

Configuring LDP GR,36

Configuring LDP loop detection,34

Configuring LDP MD5 authentication,30

Configuring LDP NSR,36

Configuring LDP session parameters,28

Configuring LDP session protection,35

Configuring LDP to redistribute BGP unicast routes,31

Configuring LDP-IGP synchronization,37

Configuring load sharing for an MPLS TE tunnel,97

Configuring MPLS L3VPN FRR,239

Configuring MPLS OAM for a PW,459

Configuring MPLS OAM for LSP tunnels,456

Configuring MPLS OAM for MPLS TE tunnels,457

Configuring MPLS TE FRR,102

Configuring multirole host,235

Configuring multirole host,342

Configuring nested VPN,234

Configuring PS attributes for the protection group,470

Configuring PW redundancy,405

Configuring route replication,242

Configuring routing on an MCE,483

Configuring routing on an MCE,499

Configuring RSVP authentication,180

Configuring RSVP GR,182

Configuring RSVP hello extension,180

Configuring RSVP refresh,179

Configuring RSVP Srefresh and reliable RSVP message delivery,179

Configuring the LDP label distribution control mode,32

Configuring traffic forwarding,98

Configuring TTL propagation,9

Configuring VPN instances,497

Configuring VPN instances,481

Creating a protection group,469

Displaying and maintaining IPv6 MCE,506

Displaying and maintaining IPv6 MPLS L3VPN,345

Displaying and maintaining L2VPN access to L3VPN or IP backbone,443

Displaying and maintaining LDP,40

Displaying and maintaining MCE,490

Displaying and maintaining MPLS,12

Displaying and maintaining MPLS L2VPN,408

Displaying and maintaining MPLS L3VPN,244

Displaying and maintaining MPLS protection switching,472

Displaying and maintaining MPLS TE,108

Displaying and maintaining RSVP,183

Displaying and maintaining static SRLSP,518

Displaying MPLS OAM,463

Displaying static CRLSPs,168

Displaying static LSPs,14

Displaying tunnel information,194

Enabling BFD for RSVP,182

Enabling ECMP VPN route redistribution,242

Enabling L2VPN,399

Enabling LDP,27

Enabling MPLS,7

Enabling MPLS forwarding statistics,10

Enabling MPLS protection switching,469

Enabling MPLS TE,84

Enabling RSVP,178

Enabling sending MPLS TTL-expired messages,10

Enabling SNMP notifications for L2VPN PW,408

Enabling SNMP notifications for LDP,39

Enabling SNMP notifications for MPLS,11

Enabling SNMP notifications for MPLS L3VPN,243

Enabling SNMP notifications for MPLS TE,108

Enabling split horizon for MPLS forwarding,11

Feature and hardware compatibility,467

Feature and hardware compatibility,441

Feature and hardware compatibility,83

Feature and hardware compatibility,167

Feature and hardware compatibility,480

Feature and hardware compatibility,331

Feature and hardware compatibility,192

Feature and hardware compatibility,220

Feature and hardware compatibility,25

Feature and hardware compatibility,178

Feature and hardware compatibility,516

Feature and hardware compatibility,455

Feature and hardware compatibility,13

Feature and hardware compatibility,496

Improved L2VPN access to L3VPN or IP backbone configuration examples,443

IPv4 LDP configuration examples,40

IPv6 LDP configuration examples,56

IPv6 MCE configuration example,507

IPv6 MCE configuration task list,497

IPv6 MCE overview,496

IPv6 MPLS L3VPN configuration examples,346

IPv6 MPLS L3VPN configuration task list,331

IPv6 MPLS L3VPN overview,496

LDP configuration task list,26

MCE configuration example,490

MCE configuration task list,480

MCE overview,479

MPLS configuration task list,6

MPLS L2VPN configuration examples,409

MPLS L2VPN configuration task list,398

MPLS L3VPN configuration examples,245

MPLS L3VPN configuration task list,220

MPLS L3VPN overview,477

MPLS protection switching configuration example,472

MPLS protection switching configuration task list,468

MPLS TE configuration examples,109

MPLS TE configuration task list,83

Overview,192

Overview,198

Overview,513

Overview,72

Overview,439

Overview,18

Overview,466

Overview,454

Overview,329

Overview,175

Overview,1

Overview,13

Overview,389

Overview,167

Prerequisites,516

Protocols and standards,467

Protocols and standards,455

Resetting LDP sessions,39

RSVP configuration examples,183

RSVP configuration task list,178

Setting a DSCP value for outgoing LDP packets,39

Setting a DSCP value for outgoing RSVP packets,182

Setting MPLS MTU,7

Setting the PSC message sending interval,472

Specifying the label type advertised by egress,8

Specifying the VPN label processing mode on the egress PE,238

Static CRLSP configuration example,168

Static LSP configuration example,15

Static SR over MPLS configuration task list,516

Static SRLSP configuration examples,518

Troubleshooting MPLS TE,166

Tunnel policy configuration examples,194

10-MPLS Configuration Guide

Overview

FEC

Label

LSR

LSP

LFIB

Control plane and forwarding plane

MPLS network architecture

LSP establishment

Compatibility information

Setting MPLS MTU

Configuration guidelines

Configuration procedure

Enabling MPLS forwarding statistics

Displaying and maintaining MPLS

Network requirements

Configuration restrictions and guidelines

Configuration procedure

Verifying the configuration

LDP session

LDP peer

Label spaces and LDP identifiers

FECs and FEC-label mappings

Discovering and maintaining LDP peers

Establishing and maintaining LDP sessions

Establishing LSPs

Label advertisement modes

Label distribution control

Label retention mode

Basic operating mechanism

Notification delay for LDP convergence completion

Notification delay for LDP restart or active/standby switchover

Setting Link Hello timers

Setting Targeted Hello timers for an LDP peer

Configuring LDP sessions parameters for Basic Discovery mechanism

Configuring LDP IPv4 sessions parameters for Extended Discovery mechanism

Configuring LDP loop detection

About LDP loop detection

Restrictions and guidelines

Configuration procedure

Configuring LDP-IGP synchronization

Network requirements

Requirements analysis

Configuration procedure

Verifying the configuration

Network requirements

Requirements analysis

Configuration procedure

Verifying the configuration

Network requirements

Requirements analysis

Configuration procedure

Verifying the configuration

Network requirements

Requirements analysis

Configuration procedure

Verifying the configuration

Network requirements

Requirements analysis

Configuration procedure

Verifying the configuration

Network requirements

Requirements analysis

Configuration procedure

Verifying the configuration

Network requirements

Requirements analysis

Configuration procedure

Verifying the configuration

MPLS TE basic concepts

Advertising TE attributes

Calculating paths

Setting up a CRLSP through RSVP-TE