22-Application-aware Networking Configuration Guide


Configuring APN6

About APN6

Application-aware IPv6 Networking (APN6) is a new network architecture designed to provide differentiated fine-grained network services for applications. It enables network devices to identify applications and their network requirements by conveying APN attributes in the extension header space in IPv6 packets.

APN6 uses the following attributes to identify applications and their services:

·     APN ID—APN service identifier for an application. The IPv6 packets on an APN6 network must convey this information.

·     APN parameters—Network performance requirements of the application, such as bandwidth, latency, jitter, and packet loss. This information is optional for IPv6 packets on the APN6 network.

By conveying APN attributes in the IPv6 extension header space, APN6 recouples the network and application attributes that are decoupled to different layers of the TCP/IP protocol stack.

·     From the perspective of the network, the network devices can obtain the network performance requirements of applications from IPv6 and provide services as required.

·     From the perspective of applications, the programmable space of IPv6 packets is open. Applications can define the APN ID and APN parameters as needed.

APN ID and APN6 packet format

APN6 conveys application attributes in the APN header in the APN option. According to the RFC draft draft-li-apn-header, the APN option is located in the Destination Option Header (DOH) of IPv6 and has a typical Type-Length-Value structure, as shown in Figure 1. In IPv6 encapsulation, the DOH that contains the APN option is placed next to the Segment Routing Header (SRH). This DOH next to the SRH is accessible only to the destination node. Any other nodes along the path cannot access this header.

 

 

NOTE:

When APN6 is used in conjunction with the iFIT feature, an IPv6 packet might have two DOH headers if iFIT uses the hop-by-hop measurement mode.

 

Figure 1 APN packet format

The DOH that contains the APN option includes the following sections:

·     Next Header—8 bits, type of the next header to the DOH.

·     Hdr Ext Len—8 bits, length of the DOH in units of 8 bytes, excluding the first 8 bytes.

·     Option Type—8 bits, type of the option. The value for the APN Header is 0x13.

·     Opt Data Len—8 bits, length of the APN Header.

·     APN Header—Variable in length. This section contains the application attributes, including the APN ID and the APN parameters.

The APN Header contains the following fields:

·     APN-ID-Type—8 bits, type of the APN ID. The following types of APN IDs are available:

¡     Type 1 APN ID—The type value for Type 1 APN IDs is 1. A Type 1 APN ID is 32 bits in length.

¡     Type 2 APN ID—The type value for Type 2 APN IDs is 2. A Type 2 APN ID is 64 bits in length.

¡     Type 3 APN ID—The type value for Type 3 APN IDs is 3. A Type 3 APN ID is 128 bits in length.

·     Flags—8 bits. This field is undefined.

·     APN-Para-Type—16 bits. This field indicates types of network performance parameters included in the APN parameters, which can be any combinations of bandwidth, delay, jitter, and packet loss.

·     APN ID—Variable in length. An APN ID contains the following segments:

¡     APP-Group-ID—Identifier of an application group.

¡     User-Group-ID—Identifier of a user group.

¡     Reserved—A field reserved for future use.

·     Intent (Optional)—An optional field of 32 bits. This field contains the intent requirements proposed by the application to the network.

·     APN-Para (Optional)—An optional field of 32 bits. This field contains values for network performance parameters. Each parameter uses 4 bytes.
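A validator for the layout described above, as an added example (not H3C code): it walks the options of a Destination Options header, finds the APN option (type 0x13), and checks that the declared APN-ID-Type matches the bytes actually present. The sample bytes are constructed, the Pad1/PadN handling follows RFC 8200, and keeping whatever follows the APN ID as undecoded 4-byte words is an assumption, because this guide does not say how the optional Intent and APN-Para fields are signalled.

```python
import struct
from typing import Optional

APN_OPTION_TYPE = 0x13                  # Option Type value given in this guide
APN_ID_BYTES = {1: 4, 2: 8, 3: 16}      # APN-ID-Type -> APN ID length in bytes


class ApnParseError(ValueError):
    """The DOH or the APN option inside it is malformed."""


def parse_apn_header(body: bytes) -> dict:
    """Decode the APN Header carried as the option data."""
    if len(body) < 4:
        raise ApnParseError("APN header shorter than its fixed 4 bytes")
    id_type, flags, para_type = struct.unpack("!BBH", body[:4])
    if id_type not in APN_ID_BYTES:
        raise ApnParseError(f"unknown APN-ID-Type {id_type}")
    id_len = APN_ID_BYTES[id_type]
    if len(body) < 4 + id_len:
        raise ApnParseError("APN ID truncated for the declared APN-ID-Type")
    trailer = body[4 + id_len:]
    if len(trailer) % 4:
        raise ApnParseError("optional fields are not a multiple of 4 bytes")
    return {
        "apn_id_type": id_type,
        "flags": flags,
        "apn_para_type": para_type,
        "apn_id": int.from_bytes(body[4:4 + id_len], "big"),
        # Intent / APN-Para words kept undecoded (assumption, see lead-in).
        "optional_words": [int.from_bytes(trailer[i:i + 4], "big")
                           for i in range(0, len(trailer), 4)],
    }


def parse_apn_from_doh(doh: bytes) -> Optional[dict]:
    """Return the APN header found in a Destination Options header,
    or None when the header carries no APN option."""
    if len(doh) < 8:
        raise ApnParseError("DOH shorter than the 8-byte minimum")
    total = (doh[1] + 1) * 8            # Hdr Ext Len excludes the first 8 bytes
    if len(doh) < total:
        raise ApnParseError("Hdr Ext Len points past the captured bytes")
    pos = 2
    while pos < total:
        opt_type = doh[pos]
        if opt_type == 0:               # Pad1 is a single byte with no length
            pos += 1
            continue
        if pos + 2 > total:
            raise ApnParseError("option header truncated")
        opt_len = doh[pos + 1]
        end = pos + 2 + opt_len
        if end > total:
            raise ApnParseError("Opt Data Len overruns the DOH")
        if opt_type == APN_OPTION_TYPE:
            result = parse_apn_header(doh[pos + 2:end])
            result["next_header"] = doh[0]
            return result
        pos = end                       # PadN or an option not decoded here
    return None


def build_sample_doh(apn_id: int, id_type: int = 2, next_header: int = 4) -> bytes:
    """Constructed test input: a DOH holding one APN option plus padding."""
    apn_hdr = struct.pack("!BBH", id_type, 0, 0)
    apn_hdr += apn_id.to_bytes(APN_ID_BYTES[id_type], "big")
    opts = bytes([APN_OPTION_TYPE, len(apn_hdr)]) + apn_hdr
    pad = -(2 + len(opts)) % 8          # the DOH must be a multiple of 8 bytes
    if pad == 1:
        opts += b"\x00"                 # Pad1
    elif pad:
        opts += bytes([1, pad - 2]) + bytes(pad - 2)    # PadN
    return bytes([next_header, (2 + len(opts)) // 8 - 1]) + opts


if __name__ == "__main__":
    sample = build_sample_doh(0x5566000077880000)
    print(parse_apn_from_doh(sample))
    try:
        # Declare a 128-bit (Type 3) APN ID while only 8 ID bytes are present.
        parse_apn_from_doh(sample[:4] + b"\x03" + sample[5:])
    except ApnParseError as exc:
        print("rejected:", exc)
```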

APN ID template and APN ID instance

The system enables flexible generation of APN IDs based on APN ID templates and APN ID instances.

·     APN ID template—Enables creation of flexible structured APN ID plans. As shown in Figure 2, you use an APN ID template to specify the total length of the APN ID space and the maximum lengths of the APP-Group-ID and User-Group-ID spaces. The length of the Reserved field is the total length of the APN ID space minus the total maximum lengths of the APP-Group-ID and User-Group-ID spaces. To represent a sequence of applications and users, divide the APP-Group-ID and User-Group-ID spaces into variable-length fields, respectively. In the template, assign each field an index to identify their order in their respective space, with the lowest index for the leftmost field. 

¡     A field in the APP-Group-ID space represents an application or service and is called an APP-Group-ID field.

¡     A field in the User-Group-ID space represents a user and is called a User-Group-ID field.

Figure 2 APN ID template structure

·     APN ID instance—Each APN ID instance represents an APN ID. To generate a concrete APN ID, you apply an APN ID template to an APN ID instance, and then assign values to the APP-Group-ID and User-Group-ID fields in the template.

Figure 3 shows an APN ID generation example based on an APN ID template named templatex. In this template, the total length of the APN ID space is set to 64 bits. The maximum lengths for the APP-Group-ID and User-Group-ID spaces are set to 32 bits and 16 bits, respectively. The Reserved field is 16 bits. The template defines the following fields:

·     An 8-bit APP-Group-ID field named fieldname1 at index 1.

·     A 4-bit APP-Group-ID field named fieldname2 at index 2.

·     A 4-bit User-Group-ID field named fieldname4 at index 1.

Apply this APN ID template to an APN ID instance and assign values to the fields defined in the template as follows:

·     Set the fieldname1 field in the APP-Group-ID space to 103 (0x67 in hexadecimal notation).

·     Set the fieldname2 field in the APP-Group-ID space to 3 (0x3 in hexadecimal notation).

·     Set the fieldname4 field in the User-Group-ID space to 10 (0xa in hexadecimal notation).

Execute the display apn-id-ipv6 instance command to verify that the generated APN ID contains the following information:

·     The APP-Group-ID value is 0x67300000, with a mask of 0xfff0000.

·     The User-Group-ID value is 0xa000, with a mask of 0xf000.

Figure 3 Schematic diagram for generating an APN ID

APN6 network architecture

As shown in Figure 4, an APN6 domain in the network is a set of network devices that provide application-aware services based on the IPv6 packets encapsulated with APN attributes, which are called APN6 packets. An APN6 domain has the following node roles:

·     APN-Edge—Connects application endpoints or servers to the APN6 domain. APN-Edge nodes add APN attributes to packets when they enter the APN6 domain and remove APN attributes from packets when they leave the APN6 domain. APN-Edge nodes add APN attributes based on the application attributes in QoS policies, such as the IP five-tuple, outer S-VLAN, and inner C-VLAN.

·     APN-Head—Establishes tunnels with APN-Endpoint nodes to transport application workloads over the APN6 domain to their destination. An APN6 network should have a set of tunnels between APN-Head and APN-Endpoint nodes to meet different service level agreements (SLAs). APN-Head nodes steer application workloads to SLA-compliant tunnels based on their APN attributes. APN-Edge and APN-Head nodes can be collocated on the same device.

·     APN-Midpoint—APN6 transit nodes. They forward application workloads and provide value-added services such as iFIT and SRv6 SFC based on the application attribute in the APN6 packets.

·     APN-Endpoint—Destination node of a tunnel for APN6 packets. An APN-Endpoint node decapsulates the outer header of tunneled APN6 packets. If the outer header of an APN6 packet contains APN attributes, the APN-Endpoint node removes the APN attributes. If the APN6 attributes are conveyed in the inner packet, the APN-Endpoint node continues to forward the APN6 packet. APN-Edge and APN-Endpoint nodes can be collocated on the same device.

·     APN-Controller—Provides centralized management and configuration of the APN6 network. On the APN-Controller, administrators plan and manage APN IDs and APN parameters. They also define and deploy forwarding and marking policies for application workloads based on APN IDs.

¡     For APN-Edge nodes, the APN-Controller deploys APN ID marking policies to map the application to an APN ID based on the IP 5-tuple, outer S-VLAN, or inner C-VLAN.

¡     For APN-Head nodes, the APN-Controller deploys forwarding policies to establish mappings between APN IDs and forwarding paths.  Then, the APN-Head nodes steer APN packets to an appropriate candidate forwarding path based on the mappings.

Figure 4 APN6 network architecture and device roles

Depending on the role of the node that generates APN attributes, the following solutions are available to build an APN6 network: 

·     Application-side solution—The application endpoints or servers generate and encapsulate the APN attributes (APN ID and APN parameters) in packets. This solution requires that the application endpoints and servers can recognize different applications. In addition, both the network and applications must be planned and managed by the same organization, so the network devices can trust the APN attributes generated on the application side.

·     Network-side solution—The APN-Edge nodes generate and encapsulate the APN attributes (APN ID and APN parameters) in packets. When a packet arrives, an APN-Edge node identifies its packet type and encapsulates its matching APN attributes. This solution does not require application-side support. The network operators can plan and deploy the APN6 network uniformly, with ease.

APN ID-based traffic isolation

Introduction

In an APN6 network, a VPN might transport different types of services between different branch sites, with each service flow identified by a unique APN ID. APN ID-based traffic isolation enables you to block a service flow identified by an APN ID between two sites within the VPN, while allowing other service flows to be forwarded.

Basic concepts

·     APN isolation group—Identifies a set of outgoing interfaces or tunnels for traffic from one branch site to another within the same VPN instance.

·     APN isolation policy—Contains APN isolation rules that associate APN ID instances with APN isolation groups to prevent a rule-matching service flow from reaching the interfaces or tunnels specified in the matching APN isolation group.

APN ID-based mechanism to prevent service flows from reaching an interface

Take the network in Figure 5 for example. This network can be an IP L3VPN over SRv6 or EVPN L3VPN over SRv6 network. On this network, Branch A and B connect to Interface A and Interface B of PE 1, respectively. Branch C connects to PE 2. PE 1 and PE 2 are connected using an SRv6 tunnel. Deploy a VPN on the network to transport traffic between Branches A, B, and C. For example, create VPN instance VPNA on PE 1 and bind Interface A and Interface B to the VPN instance. This VPN instance transports two types of service flows, which are identified by APN ID instances X and Y.

1.     Create APN isolation group B, and then assign Interface B to the group by specifying the group on the interface.

2.     Configure an APN isolation policy and apply it to VPN instance VPNA to prevent traffic identified by APN ID Y from reaching Interface B. For this purpose, create a rule in the policy to associate APN ID Y with APN isolation group B, which contains Interface B.

3.     When a packet from VPNA arrives, PE 1 obtains its APN ID, identifies its outgoing interface or tunnel, and then uses this information to search the APN isolation policy. If a matching APN isolation rule is found, the device does not forward the traffic to the outgoing interface. If the packet does not match any isolation rule, the device forwards the packet out of the interface. In this example, the isolation policy prevents PE 1 from forwarding traffic identified by APN ID Y out of Interface B to reach Branch B. This blocks the service traffic for APN ID Y between Branch A and Branch B, as well as between Branch C and Branch B.

 

IMPORTANT:

To prevent service flows from reaching a private network interface in an APN isolation group, you must bind that interface to a VPN instance. If you assign an interface to an APN isolation group without binding that interface to a VPN instance, the traffic isolation configuration cannot take effect.

Figure 5 APN ID-based prevention of service flows from reaching an interface

APN ID-based mechanism to prevent service flows from reaching a tunnel

Take the network in Figure 6 for example. This network can be an IP L3VPN over SRv6 or EVPN L3VPN over SRv6 network. On this network, Branch A and B connect to Interface A and Interface B of PE 1, respectively. Branch C connects to PE 2. PE 1 and PE 2 are connected using an SRv6 tunnel. Deploy a VPN on the network to transport traffic between Branches A, B, and C. For example, create VPN instance VPNA on PE 1 and bind Interface A and Interface B to the VPN instance. This VPN instance transports two types of service flows, which are identified by APN ID instances X and Y.

1.     On PE 2, allocate an SRv6 SID for the private VPNA route to Branch C from a local SRv6 locator and advertise the SID to PE 1. Then, PE 1 does recursive routing to forward the traffic that matches the private VPNA route to Branch C through the SRv6 tunnel.

2.     On PE 1, define a mapping for VPN instance VPNA, APN isolation group A, and the SRv6 locator. This mapping associates APN isolation group A and the SRv6 tunnel for a VPNA packet sent from PE 1 to PE 2, if its SID matches the specified SRv6 locator.

3.     Apply the APN isolation policy to VPN instance VPNA to prevent traffic identified by APN ID Y from reaching the SRv6 tunnel.

4.     When a packet from VPNA arrives, PE 1 obtains its APN ID, identifies its outgoing interface or tunnel, and then uses this information to search the APN isolation policy. If a matching APN isolation rule is found, the device does not forward the traffic to the outgoing interface or tunnel. If the packet does not match any isolation rule, the device forwards the packet out of the interface. In this example, the isolation policy prevents PE 1 from forwarding traffic identified by APN ID Y out of the SRv6 tunnel established with PE 2 to reach Branch C. This blocks the service traffic for APN ID Y between Branch A and Branch C.

Figure 6 APN ID-based prevention of service flows from reaching a tunnel

APN ID-based traffic steering for SRv6 TE policy groups

You can specify the APN ID forward type in an SRv6 TE policy group to do APN ID-based traffic steering. This enables the device to steer the service flows identified by an APN ID to an SRv6 TE policy or forward them in SRv6 BE mode. For more information about traffic steering based on APN ID, see SRv6 TE policy configuration in Segment Routing Configuration Guide.

APN6 tasks at a glance

To configure APN6, perform the following tasks:

1.     (Optional.) Configuring the basic functionality of APN6

Configuring APN ID inheritance

2.     Configuring an APN ID template

3.     Configuring an APN ID instance

4.     (Optional.) Blocking service flows between sites based on APN ID

5.     (Optional.) Configuring traffic statistics for APN isolation policies

Configuring APN ID inheritance

About this task

Enable inheritance mode on the APN-midpoint nodes on the APN6 network. This configuration ensures that the APN attribute can be transported to the APN-endpoint nodes for them to provide application-aware services.

Use non-inheritance mode on APN-edge and APN-endpoint nodes. The downstream devices attached to these nodes do not need the application attribute for identification of application requirements.

Procedure

1.     Enter system view.

system-view

2.     Enable APN and enter APN view.

apn

3.     Enable APN6 and enter APN6 view.

ipv6

4.     Configure APN ID inheritance.

apn-id inherit { enable | disable }

By default, the device uses the following APN ID inheritance mechanism:

¡     When the device decapsulates an APN packet, it does not copy the APN ID to the new packet.

¡     When the device encapsulates an APN packet, it copies the APN ID from the inner packet header to the new outer header. This action is required when the device acts as the stitching node to connect SRv6 TE policies based on the BSID.

Configuring an APN ID template

Restrictions and guidelines

·     You can set the total APN ID length only to 64 bits for APN ID templates.

·     In an APN ID template, the total length of the APP-Group-ID and User-Group-ID cannot exceed the specified total length for an APN ID.

·     You cannot add, modify, or delete the total length of the APP-Group-ID space in an APN ID template if you have created User-Group-ID fields by using the user-group index command in that template. To add, modify, or delete the total length of the APP-Group-ID space in this situation, you must first execute the undo user-group index command to delete all the User-Group-ID fields in the APN ID template.

·     To successfully modify the total length of the APP-Group-ID or User-Group-ID space in an APN ID template, make sure the new length is higher than the combined length of all existing APP-Group-ID or User-Group-ID fields, respectively.

·     You cannot delete an APN ID template if it has been applied to an APN ID instance. To delete that APN ID template, you must first remove the APN ID template from the APN ID instance.

·     You can specify the same APP-Group-ID or User-Group-ID field name in different APN ID templates.

·     The total length of all APP-Group-ID fields must not exceed the total length of the APP-Group-ID space in the APN ID template. The total length of all User-Group-ID fields must not exceed the total length of the User-Group-ID space in the APN ID template.

·     The combined number of APP-Group-ID fields and User-Group-ID fields in an APN ID template cannot exceed eight.

·     The name of an APP-Group-ID or User-Group-ID field must be unique among all APP-Group-ID and User-Group-ID fields in the same APN ID template.

·     The index for an APP-Group-ID or User-Group-ID field must be unique among all APP-Group-ID or User-Group-ID fields, respectively, in the same APN ID template.

·     You cannot delete, rename, or change the length of an APP-Group-ID or User-Group-ID field in an APN ID template after you apply the template to an APN ID instance and assign a value to that field by using the apn-field command.

Procedure

1.     Enter system view.

system-view

2.     Enable APN and enter APN view.

apn

3.     Enable APN6 and enter APN6 view.

ipv6

4.     Create an APN ID template and enter its view.

apn-id template template-name [ length total-length { app-group app-group-length | user-group user-group-length } * ]

By default, no APN ID templates exist.

5.     Create an APP-Group-ID field in the APN ID template.

app-group index index-value field-name length field-length

You can execute this command multiple times to create multiple APP-Group-ID fields.

By default, an APN ID template does not contain APP-Group-ID fields.

6.     Create a User-Group-ID field in the APN ID template.

user-group index index-value field-name length field-length

You can repeat this command to create multiple User-Group-ID fields.

By default, an APN ID template does not contain User-Group-ID fields.

Configuring an APN ID instance

Restrictions and guidelines

·     You must create an APN ID template first before you can apply it to an APN ID instance.

·     You can apply only one APN ID template to an APN ID instance.

·     You cannot delete the APN ID template applied to an APN ID instance if you have executed the apn-field command to assign a value to one of the APP-Group-ID or User-Group-ID fields defined in the template. To delete that template:

a.     ‍Execute the undo apn-field command to remove the APP-Group-ID or User-Group-ID fields from the APN ID instance.

b.     Execute the undo template command to delete the APN ID template.

·     You cannot delete an APN ID instance if it has been specified in an APN isolation rule configured by using the index instance isolate-group behavior command. To delete that APN ID instance, you must first delete the APN isolation rule.

·     To execute the apn-field command successfully, you must make sure the specified APP-Group-ID or User-Group-ID field name already exists in the APN ID template applied to the APN ID instance.

·     The value assigned to the APP-Group-ID or User-Group-ID field cannot exceed the length specified for it in the APN ID template. For example, if you set the length for an APP-Group-ID field to 4, the maximum value you can assign to it will be 2 to the power of 4 minus 1, which is 15.

·     If you do not assign a value to an APP-Group-ID or User-Group-ID field in the APN ID template by using the apn-field command, the value for that field will be set to 0.

Procedure

1.     Enter system view.

system-view

2.     Enable APN and enter APN view.

apn

3.     Enable APN6 and enter APN6 view.

ipv6

4.     Create an APN ID instance and enter APN ID instance view.

apn-id instance instance-name

By default, no APN ID instances exist.

5.     Apply an APN ID template to the APN ID instance.

template template-name

By default, no APN ID template is applied to an APN ID instance.

6.     Assign a value to an APP-Group-ID or User-Group-ID field defined in the APN ID template.

apn-field field-name field-value

By default, no values are assigned to the APP-Group-ID or User-Group-ID fields in the APN ID template applied to an APN ID instance.
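The template and instance rules above, worked through in code as an added example (not H3C software): it rebuilds the templatex example from earlier in this guide and rejects the layouts and values that the restrictions forbid. Placing APP-Group-ID first, then User-Group-ID, then Reserved, with fields left-aligned in index order, is an assumption taken from the order and sample values this guide gives; the class and function names are hypothetical.

```python
from dataclasses import dataclass, field

MAX_FIELDS = 8          # combined APP-Group-ID and User-Group-ID fields per template
TOTAL_BITS = 64         # the only total APN ID length a template accepts


@dataclass
class ApnIdTemplate:
    name: str
    app_bits: int
    user_bits: int
    total_bits: int = TOTAL_BITS
    # space -> {index: (field_name, length_in_bits)}
    spaces: dict = field(default_factory=lambda: {"app": {}, "user": {}})

    def __post_init__(self):
        if self.total_bits != TOTAL_BITS:
            raise ValueError("total APN ID length must be 64 bits")
        if self.app_bits + self.user_bits > self.total_bits:
            raise ValueError("APP-Group-ID + User-Group-ID exceed the APN ID length")

    def add_field(self, space: str, index: int, name: str, bits: int) -> None:
        limit = self.app_bits if space == "app" else self.user_bits
        fields = self.spaces[space]
        if sum(len(s) for s in self.spaces.values()) >= MAX_FIELDS:
            raise ValueError("a template holds at most eight fields")
        if any(n == name for s in self.spaces.values() for n, _ in s.values()):
            raise ValueError(f"field name {name!r} already used in this template")
        if index in fields:
            raise ValueError(f"index {index} already used in the {space} space")
        if sum(b for _, b in fields.values()) + bits > limit:
            raise ValueError(f"fields exceed the {limit}-bit {space} space")
        fields[index] = (name, bits)

    def _pack_space(self, space: str, width: int, values: dict) -> int:
        """Left-align the fields of one space, lowest index leftmost (assumed layout)."""
        packed, used = 0, 0
        for index in sorted(self.spaces[space]):
            name, bits = self.spaces[space][index]
            value = values.get(name, 0)         # unassigned fields are set to 0
            if not 0 <= value < (1 << bits):
                raise ValueError(f"{name}={value} does not fit in {bits} bits")
            used += bits
            packed |= value << (width - used)
        return packed

    def instantiate(self, values: dict) -> dict:
        """Model of an APN ID instance: apply the template, then assign field values."""
        known = {n for s in self.spaces.values() for n, _ in s.values()}
        unknown = set(values) - known
        if unknown:
            raise ValueError(f"fields not defined in template: {sorted(unknown)}")
        app = self._pack_space("app", self.app_bits, values)
        user = self._pack_space("user", self.user_bits, values)
        reserved_bits = self.total_bits - self.app_bits - self.user_bits
        apn_id = (app << (self.user_bits + reserved_bits)) | (user << reserved_bits)
        return {"app_group_id": app, "user_group_id": user, "apn_id": apn_id}


def templatex() -> ApnIdTemplate:
    """The templatex layout from this guide: 64-bit ID, 32-bit APP, 16-bit User."""
    t = ApnIdTemplate("templatex", app_bits=32, user_bits=16)
    t.add_field("app", 1, "fieldname1", 8)
    t.add_field("app", 2, "fieldname2", 4)
    t.add_field("user", 1, "fieldname4", 4)
    return t


if __name__ == "__main__":
    out = templatex().instantiate({"fieldname1": 103, "fieldname2": 3, "fieldname4": 10})
    print({k: hex(v) for k, v in out.items()})
```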

Blocking service flows between sites based on APN ID

About this task

In an APN6 network, a single VPN might transport multiple types of service flows between multiple branch sites. APN isolation policies enable you to block a service flow between two sites as needed for flexible service deployment.

The following are the most common APN isolation policy use cases in a multi-site VPN deployment:

·     Prevent the device from forwarding the service flow identified by a particular APN ID out of a private network interface bound to a VPN instance.

·     Prevent the device from forwarding the service flow identified by a particular APN ID out of an SRv6 tunnel.

Restrictions and guidelines

·     You must create an APN ID instance before you can specify it in an APN isolation rule. In addition, make sure you have configured APP-Group-ID fields and User-Group-ID fields for the APN ID template applied to the APN ID instance by using the apn-field command.

·     The APN isolation group used in an APN isolation rule must exist.

·     The combination of an APN ID instance name and APN isolation group name must be unique across all APN isolation rules in the same APN isolation policy.

·     You cannot delete an APN ID instance if it has been specified in an APN isolation rule configured by using the index instance isolate-group behavior command. To delete that APN ID instance, you must first delete the APN isolation rule.

·     If an APN ID instance has been specified in an APN isolation rule, you cannot execute the apn-field command to change the values of any APP-Group-ID or User-Group-ID fields in that instance.

·     You can only specify the deny action in APN isolation rules to block traffic.

·     You can map a VPN instance to different SRv6 locators and APN isolation groups. In this situation, you must make sure the route prefixes calculated for SRv6 locators based on the specified peer-locator-value and prefix-length parameters are unique across all mappings and do not overlap.

·     To prevent a service flow from reaching a private network interface, you must bind that interface to a VPN instance, in addition to assigning it to an APN isolation group.

Preventing the service flow identified by an APN ID from reaching an interface

1.     Enter system view.

system-view

2.     Enable APN and enter APN view.

apn

3.     Enable APN6 and enter APN6 view.

ipv6

4.     Create an APN isolation group.

isolate-group name group-name

5.     Create an APN isolation policy and enter its view.

apn-id isolate policy policy-name

6.     Configure an APN isolation rule.

index index-value instance instance-name isolate-group group-name behavior deny

By default, an APN isolation policy does not contain APN isolation rules.

7.     Return to system view.

quit

quit

quit

8.     Enter interface view.

interface interface-type interface-number

9.     Apply an APN isolation group to the interface.

apn-id-ipv6 isolate-group group-name

By default, no APN isolation groups are applied to interfaces.

10.     Return to system view.

quit

11.     Create a VPN instance and enter its view.

ip vpn-instance vpn-instance-name

12.     Apply an APN isolation policy to the VPN instance.

apn-id-ipv6 isolate-policy policy-name direction

By default, no APN isolation policies are applied to VPN instances.

Preventing the service flow identified by an APN ID from reaching a tunnel

1.     Enter system view.

system-view

2.     Enable APN and enter APN view.

apn

3.     Enable APN6 and enter APN6 view.

ipv6

4.     Create an APN isolation group.

isolate-group name group-name

5.     Create an APN isolation group and VPN mapping and enter APN isolation group and VPN mapping view.

isolate-group mapping-vpn

6.     Create the mapping of a VPN instance, SRv6 locator at the peer PE, and APN isolation group.

vpn-instance vpn-instance-name peer-locator peer-locator-value prefix-length match isolate-group group-name

7.     Return to APN6 view.

quit

8.     Create an APN isolation policy and enter its view.

apn-id isolate policy policy-name

9.     Configure an APN isolation rule.

index index-value instance instance-name isolate-group group-name behavior deny

By default, an APN isolation policy does not contain APN isolation rules.

10.     Return to system view.

quit

quit

quit

11.     Enter VPN instance view.

ip vpn-instance vpn-instance-name

12.     Apply an APN isolation policy to the VPN instance.

apn-id-ipv6 isolate-policy policy-name direction

By default, no APN isolation policies are applied to VPN instances.
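A model of the isolation lookup and two pre-deployment checks taken from the restrictions above, as an added example (not H3C code): an interface placed in an isolation group without a VPN binding, and peer-locator mappings whose calculated prefixes overlap. The data model and function names are hypothetical, the SID, the second mapping and the unbound interface are constructed, masking host bits is an assumption about how the device calculates the locator prefix, and the direction argument of the policy is not modelled.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IsolationConfig:
    iface_vpn: dict = field(default_factory=dict)     # interface -> bound VPN instance
    iface_group: dict = field(default_factory=dict)   # interface -> APN isolation group
    vpn_mappings: dict = field(default_factory=dict)  # VPN -> [(peer-locator, prefix-length, group)]
    policies: dict = field(default_factory=dict)      # policy -> {(APN ID, group)}, behavior deny
    vpn_policy: dict = field(default_factory=dict)    # VPN -> applied isolation policy


def locator_prefix(value: str, length: int) -> ipaddress.IPv6Network:
    """Route prefix calculated from peer-locator-value and prefix-length.
    Masking off the host bits is an assumption about that calculation."""
    return ipaddress.ip_network(f"{value}/{length}", strict=False)


def audit(cfg: IsolationConfig) -> list:
    """Return findings for configurations the guide says will not work."""
    findings = []
    for iface, group in cfg.iface_group.items():
        if iface not in cfg.iface_vpn:
            findings.append(f"{iface}: in isolation group {group} but not bound "
                            "to a VPN instance, isolation will not take effect")
    for vpn, maps in cfg.vpn_mappings.items():
        for i, (v1, l1, _) in enumerate(maps):
            for v2, l2, _ in maps[i + 1:]:
                a, b = locator_prefix(v1, l1), locator_prefix(v2, l2)
                if a.overlaps(b):
                    findings.append(f"{vpn}: peer-locator {v1}/{l1} and {v2}/{l2} "
                                    f"overlap (calculated {a} and {b})")
    for policy in cfg.policies:
        if policy not in cfg.vpn_policy.values():
            findings.append(f"policy {policy}: not applied to any VPN instance")
    return findings


def egress_group(cfg, vpn, out_iface=None, sid=None):
    """Isolation group of the outgoing interface, or of the SRv6 tunnel
    selected by the SID when the packet leaves through a tunnel."""
    if out_iface is not None:
        bound = cfg.iface_vpn.get(out_iface) == vpn
        return cfg.iface_group.get(out_iface) if bound else None
    addr = ipaddress.ip_address(sid)
    for value, length, group in cfg.vpn_mappings.get(vpn, []):
        if addr in locator_prefix(value, length):
            return group
    return None


def decide(cfg, vpn, apn_id, out_iface=None, sid=None) -> str:
    """Deny only when a rule pairs this APN ID with the egress isolation group."""
    group = egress_group(cfg, vpn, out_iface, sid)
    rules = cfg.policies.get(cfg.vpn_policy.get(vpn), set())
    return "deny" if group and (apn_id, group) in rules else "forward"


def pe1_example() -> IsolationConfig:
    """PE 1 as described in the configuration example of this guide."""
    return IsolationConfig(
        vpn_mappings={"vpna": [("200::1:0", 96, "abc")]},
        policies={"abc": {(0x5566000077880000, "abc")}},
        vpn_policy={"vpna": "abc"},
    )


if __name__ == "__main__":
    cfg = pe1_example()
    sid = "200::1:100"                                        # constructed SID inside the locator
    print(decide(cfg, "vpna", 0x5566000077880000, sid=sid))   # deny
    print(decide(cfg, "vpna", 0x1122000033440000, sid=sid))   # forward
    cfg.vpn_mappings["vpna"].append(("200::2:0", 96, "xyz"))  # constructed second mapping
    cfg.iface_group["Ten-GigabitEthernet3/0/9"] = "abc"       # constructed, not VPN-bound
    for finding in audit(cfg):
        print(finding)
```

Under the masking assumption, 200::1:0 and 200::2:0 with a prefix length of 96 both calculate to 200::/96, so the audit reports them as overlapping even though the configured values differ.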

Configuring traffic statistics for APN isolation policies

About this task

Perform this task to collect traffic statistics for an APN isolation policy. The device will collect statistics for flows that match a rule in the APN isolation policy at specified intervals. The statistics include the packet count, byte count, and traffic rate in packets per second (PPS) and bytes per second (BPS).

Procedure

1.     Enter system view.

system-view

2.     Enable APN and enter APN view.

apn

3.     Enable APN6 and enter APN6 view.

ipv6

4.     Configure the traffic statistics collection interval for APN isolation policies.

statistics interval time

By default, the traffic statistics collection interval for APN isolation policies is 30 seconds.

5.     Enter APN isolation policy view.

apn-id isolate policy policy-name

6.     Enable traffic statistics for the APN isolation policy.

statistics enable

By default, traffic statistics are disabled for APN isolation policies.

Display and maintenance commands for APN6

Execute display commands in any view to verify the operation of APN6.

Execute reset commands in user view to clear traffic statistics for APN isolation policies.

 

| Task | Command |
|---|---|
| Display the global APN configuration. | display apn-id-ipv6 brief |
| Display information about APN ID instances. | display apn-id-ipv6 instance [ name instance-name ] |
| Display the traffic statistics for APN isolation policies and VPN instances. | display apn-id-ipv6 isolate-policy statistics [ policy policy-name ] [ vpn-instance vpn-instance-name ] |
| Display the configured IPv6 source address prefixes that contain the slice ID. | display network-slice slice-prefix [ name prefix-name ] |
| Display information about APN isolation policies. | display apn-id-ipv6 isolate-policy [ policy policy-name ] |
| Display the mappings of VPN instances and APN isolation groups. | display apn-id-ipv6 vpn-mapping [ vpn vpn-instance-name ] |
| Display APN isolation group and interface bindings. | display apn-id-ipv6 binding-list isolate-group [ isolate-group-name ] |
| Display information about the specified APN isolation group. | display apn-id-ipv6 forwarding isolate-group isolate-group-name [ slot slot-number ] |
| Display information about APN isolation policies. | display apn-id-ipv6 forwarding isolate-policy isolate-policy-name [ reference ] [ slot slot-number ] |
| Display the VPN instance and APN isolation group mappings acquired by BGP processes. | display bgp [ instance instance-name ] isolate-group mapping-vpn [ vpn-instance vpn-instance-name ] |
| Clear the traffic statistics for the specified APN isolation policy. | reset apn-id-ipv6 isolate-policy statistics [ policy policy-name ] [ vpn-instance vpn-instance-name ] |

APN6 configuration examples

Example: Preventing a service flow from reaching a site based on APN ID on an IPv4 L3VPN over SRv6 network in BE mode

Network configuration

Figure 7 shows an IPv4 L3VPN over SRv6 network in BE mode. On this network, PE 1 and PE 2 establish an SRv6 tunnel for connectivity. Branch sites CE 1 and CE 2 connect to PE 1 and PE 2, respectively. Deploy VPN A to transport traffic between CE 1 and CE 2. There are two types of services between the branch sites: one identified by APN ID 0x1122000033440000 and the other identified by APN ID 0x5566000077880000. Configure APN-ID-based traffic isolation to prevent the service flow identified by APN ID 0x5566000077880000 from being forwarded from PE 1 to PE 2 through the SRv6 tunnel, as follows:

·     Run IS-IS between the PE 1, P, and PE 2 devices to establish Layer 3 connectivity. Configure the PEs and CEs to exchange VPN route information via EBGP. Configure a local SRv6 locator on PE 2. Set the prefix for the locator to 200::1:0 and the prefix length to 96.

·     Deploy APN isolation group abc on PE 1 and establish a mapping of VPN A, APN isolation group abc, and SRv6 locator 200::1:0.

·     Deploy APN isolation policy abc on PE 1 and create an APN isolation rule to associate APN ID 0x5566000077880000 with APN isolation group abc.

·     Apply APN isolation policy abc to VPN A.

·     On PE 1, configure an ACL to match the service flows. Configure a QoS policy to mark the ACL-matching flows with their APN IDs. Then, apply the QoS policy to the private interfaces that connect to VPN A.  

Figure 7 Network diagram

| Device | Interface | IP address | Device | Interface | IP address |
|---|---|---|---|---|---|
| CE 1 | Loop0 | 1.1.1.1/32 | PE 2 | Loop0 | 4::4/128 |
| | XGE3/0/1 | 10.1.1.2/24 | | XGE3/0/1 | 10.2.1.1/24 |
| CE 2 | Loop0 | 2.2.2.2/32 | | XGE3/0/3 | 2000::2/96 |
| | XGE3/0/1 | 10.2.1.2/24 | P | Loop0 | 5::5/128 |
| PE 1 | Loop0 | 3::3/128 | | XGE3/0/2 | 1000::2/96 |
| | XGE3/0/1 | 10.1.1.1/24 | | XGE3/0/3 | 2000::1/96 |
| | XGE3/0/2 | 1000::1/96 | | | |

Procedure

1.     Configure IPv6 IS-IS on the PE and P devices in the backbone network to establish connectivity between them.

# Configure PE 1.

<PE1> system-view

[PE1] isis 1

[PE1-isis-1] is-level level-1

[PE1-isis-1] cost-style wide

[PE1-isis-1] network-entity 10.1111.1111.1111.00

[PE1-isis-1] address-family ipv6 unicast

[PE1-isis-1-ipv6] quit

[PE1-isis-1] quit

[PE1] interface loopback 0

[PE1-LoopBack0] ipv6 address 3::3 128

[PE1-LoopBack0] isis ipv6 enable 1

[PE1-LoopBack0] quit

[PE1] interface ten-gigabitethernet 3/0/2

[PE1-Ten-GigabitEthernet3/0/2] ipv6 address 1000::1 96

[PE1-Ten-GigabitEthernet3/0/2] isis ipv6 enable

[PE1-Ten-GigabitEthernet3/0/2] quit

# Configure the P device.

<P> system-view

[P] isis 1

[P-isis-1] is-level level-1

[P-isis-1] cost-style wide

[P-isis-1] network-entity 10.2222.2222.2222.00

[P-isis-1] address-family ipv6 unicast

[P-isis-1-ipv6] quit

[P-isis-1] quit

[P] interface loopback 0

[P-LoopBack0] ipv6 address 5::5 128

[P-LoopBack0] isis ipv6 enable

[P-LoopBack0] quit

[P] interface ten-gigabitethernet 3/0/2

[P-Ten-GigabitEthernet3/0/2] ipv6 address 1000::2 96

[P-Ten-GigabitEthernet3/0/2] isis ipv6 enable

[P-Ten-GigabitEthernet3/0/2] quit

[P] interface ten-gigabitethernet 3/0/3

[P-Ten-GigabitEthernet3/0/3] ipv6 address 2000::1 96

[P-Ten-GigabitEthernet3/0/3] isis ipv6 enable

[P-Ten-GigabitEthernet3/0/3] quit

# Configure PE 2.

<PE2> system-view

[PE2] isis

[PE2-isis-1] is-level level-1

[PE2-isis-1] cost-style wide

[PE2-isis-1] network-entity 10.3333.3333.3333.00

[PE2-isis-1] address-family ipv6 unicast

[PE2-isis-1-ipv6] quit

[PE2-isis-1] quit

[PE2] interface loopback 0

[PE2-LoopBack0] ipv6 address 4::4 128

[PE2-LoopBack0] isis ipv6 enable

[PE2-LoopBack0] quit

[PE2] interface ten-gigabitethernet 3/0/3

[PE2-Ten-GigabitEthernet3/0/3] ipv6 address 2000::2 96

[PE2-Ten-GigabitEthernet3/0/3] isis ipv6 enable

[PE2-Ten-GigabitEthernet3/0/3] quit

Verify that the PE 1, P, and PE 2 devices can establish IPv6 IS-IS adjacencies. Execute the display isis peer command to verify that their circuits are in Up state. Execute the display isis route ipv6 command to verify that the PEs can learn the routes to each other's loopback interfaces.

2.     Configure VPN instances on PEs to provide network access for CEs.

# Configure PE 1.

[PE1] ip vpn-instance vpna

[PE1-vpn-instance-vpna] route-distinguisher 100:1

[PE1-vpn-instance-vpna] vpn-target 111:1

[PE1-vpn-instance-vpna] quit

[PE1] interface ten-gigabitethernet 3/0/1

[PE1-Ten-GigabitEthernet3/0/1] ip binding vpn-instance vpna

[PE1-Ten-GigabitEthernet3/0/1] ip address 10.1.1.1 24

[PE1-Ten-GigabitEthernet3/0/1] quit

# Configure PE 2.

[PE2] ip vpn-instance vpna

[PE2-vpn-instance-vpna] route-distinguisher 100:1

[PE2-vpn-instance-vpna] vpn-target 111:1

[PE2-vpn-instance-vpna] quit

[PE2] interface ten-gigabitethernet 3/0/1

[PE2-Ten-GigabitEthernet3/0/1] ip binding vpn-instance vpna

[PE2-Ten-GigabitEthernet3/0/1] ip address 10.2.1.1 24

[PE2-Ten-GigabitEthernet3/0/1] quit

# Assign IP addresses to interfaces on the CEs, as shown in Figure 7. (Details not shown.)

3.     Establish EBGP peer relationships between PEs and CEs, and redistribute VPN routes.

# Configure CE 1.

<CE1> system-view

[CE1] bgp 65410

[CE1-bgp-default] peer 10.1.1.1 as-number 100

[CE1-bgp-default] address-family ipv4 unicast

[CE1-bgp-default-ipv4] peer 10.1.1.1 enable

[CE1-bgp-default-ipv4] import-route direct

[CE1-bgp-default-ipv4] network 1.1.1.1 255.255.255.255

[CE1-bgp-default-ipv4] quit

[CE1-bgp-default] quit

# Configure CE 2 in the same way as you configured CE 1. (Details not shown.)

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp-default] router-id 1.1.1.1

[PE1-bgp-default] ip vpn-instance vpna

[PE1-bgp-default-vpna] peer 10.1.1.2 as-number 65410

[PE1-bgp-default-vpna] address-family ipv4 unicast

[PE1-bgp-default-ipv4-vpna] peer 10.1.1.2 enable

[PE1-bgp-default-ipv4-vpna] quit

[PE1-bgp-default-vpna] quit

# Configure PE 2 in the same way as you configured PE 1. (Details not shown.)

Execute the display bgp peer ipv4 vpn-instance command on the PEs to verify that they have BGP peers in Established state with the CEs.

4.     Establish MP-IBGP peer relationships between the PEs.

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp-default] peer 4::4 as-number 100

[PE1-bgp-default] peer 4::4 connect-interface loopback 0

[PE1-bgp-default] address-family vpnv4

[PE1-bgp-default-vpnv4] peer 4::4 enable

[PE1-bgp-default-vpnv4] quit

[PE1-bgp-default] quit

# Configure PE 2.

[PE2] bgp 100

[PE2-bgp-default] peer 3::3 as-number 100

[PE2-bgp-default] peer 3::3 connect-interface loopback 0

[PE2-bgp-default] address-family vpnv4

[PE2-bgp-default-vpnv4] peer 3::3 enable

[PE2-bgp-default-vpnv4] quit

[PE2-bgp-default] quit

Execute the display bgp peer vpnv4 command to verify that the PEs have BGP peers in Established state with each other.

5.     Specify a source address for the outer IPv6 header of SRv6-encapsulated IP L3VPN packets on the PEs.

# Configure PE 1.

[PE1] segment-routing ipv6

[PE1-segment-routing-ipv6] encapsulation source-address 3::3

# Configure PE 2.

[PE2] segment-routing ipv6

[PE2-segment-routing-ipv6] encapsulation source-address 4::4

6.     On the PEs, configure End.DT4 SIDs for the destination addresses in the outer IPv6 header of SRv6-encapsulated IP L3VPN packets.

# Configure PE 1.

[PE1-segment-routing-ipv6] locator aaa ipv6-prefix 100::1:0 96 static 8

[PE1-segment-routing-ipv6-locator-aaa] quit

[PE1-segment-routing-ipv6] quit

[PE1] isis 1

[PE1-isis-1] address-family ipv6 unicast

[PE1-isis-1-ipv6] segment-routing ipv6 locator aaa

[PE1-isis-1-ipv6] quit

[PE1-isis-1] quit

# Configure PE 2.

[PE2-segment-routing-ipv6] locator bbb ipv6-prefix 200::1:0 96 static 8

[PE2-segment-routing-ipv6-locator-bbb] quit

[PE2-segment-routing-ipv6] quit

[PE2] isis 1

[PE2-isis-1] address-family ipv6 unicast

[PE2-isis-1-ipv6] segment-routing ipv6 locator bbb

[PE2-isis-1-ipv6] quit

[PE2-isis-1] quit

Execute the display ipv6 routing-table command on the PEs to verify that the End.DT4 SIDs have been introduced into the routing table and SRv6 routes have been created for them.

7.     On the PEs, add End.DT4 SIDs for the VPN routes.

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp-default] ip vpn-instance vpna

[PE1-bgp-default-vpna] address-family ipv4 unicast

[PE1-bgp-default-ipv4-vpna] segment-routing ipv6 locator aaa

[PE1-bgp-default-ipv4-vpna] quit

[PE1-bgp-default-vpna] quit

[PE1-bgp-default] quit

# Configure PE 2.

[PE2] bgp 100

[PE2-bgp-default] ip vpn-instance vpna

[PE2-bgp-default-vpna] address-family ipv4 unicast

[PE2-bgp-default-ipv4-vpna] segment-routing ipv6 locator bbb

[PE2-bgp-default-ipv4-vpna] quit

[PE2-bgp-default-vpna] quit

[PE2-bgp-default] quit

8.     On the PEs, enable exchange of End.DT4 SIDs between the IPv6 peers, and resolve the VPN routes through recursive routing to the End.DT4 SID routes.

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp-default] address-family vpnv4

[PE1-bgp-default-vpnv4] peer 4::4 prefix-sid

[PE1-bgp-default-vpnv4] quit

[PE1-bgp-default] ip vpn-instance vpna

[PE1-bgp-default-vpna] address-family ipv4 unicast

[PE1-bgp-default-ipv4-vpna] segment-routing ipv6 best-effort

[PE1-bgp-default-ipv4-vpna] quit

[PE1-bgp-default-vpna] quit

[PE1-bgp-default] quit

# Configure PE 2.

[PE2] bgp 100

[PE2-bgp-default] address-family vpnv4

[PE2-bgp-default-vpnv4] peer 3::3 prefix-sid

[PE2-bgp-default-vpnv4] quit

[PE2-bgp-default] ip vpn-instance vpna

[PE2-bgp-default-vpna] address-family ipv4 unicast

[PE2-bgp-default-ipv4-vpna] segment-routing ipv6 best-effort

[PE2-bgp-default-ipv4-vpna] quit

[PE2-bgp-default-vpna] quit

[PE2-bgp-default] quit

Execute the display bgp routing-table vpnv4 command on each PE to view detailed information about the routes received from the remote PE. Verify that these routes have SID attributes.

9.     Configure APN ID template a on PE 1. Define APP-Group-ID and User-Group-ID fields in the template.

[PE1] apn

[PE1-apn] ipv6

[PE1-apn-ipv6] apn-id template a length 64 app-group 32 user-group 32

[PE1-apn-ipv6-template-a] app-group index 1 app-group1 length 8

[PE1-apn-ipv6-template-a] app-group index 2 app-group2 length 8

[PE1-apn-ipv6-template-a] user-group index 1 user-group1 length 8

[PE1-apn-ipv6-template-a] user-group index 2 user-group2 length 8

[PE1-apn-ipv6-template-a] quit

10.     On PE 1, configure APN ID instances a and b. Apply APN ID template a to APN ID instance a, and set the APN ID to 0x1122000033440000. Apply APN ID template a to APN ID instance b, and set the APN ID to 0x5566000077880000.

[PE1-apn-ipv6] apn-id instance a

[PE1-apn-ipv6-instance-a] template a

[PE1-apn-ipv6-instance-a] apn-field app-group1 17

[PE1-apn-ipv6-instance-a] apn-field app-group2 34

[PE1-apn-ipv6-instance-a] apn-field user-group1 51

[PE1-apn-ipv6-instance-a] apn-field user-group2 68

[PE1-apn-ipv6-instance-a] quit

[PE1-apn-ipv6] apn-id instance b

[PE1-apn-ipv6-instance-b] template a

[PE1-apn-ipv6-instance-b] apn-field app-group1 85

[PE1-apn-ipv6-instance-b] apn-field app-group2 102

[PE1-apn-ipv6-instance-b] apn-field user-group1 119

[PE1-apn-ipv6-instance-b] apn-field user-group2 136

[PE1-apn-ipv6-instance-b] quit

[PE1-apn-ipv6] quit

[PE1-apn] quit

Execute the display apn-id-ipv6 instance command on the PEs to verify the APN ID instance configuration.

11.     On PE 1, configure an ACL and QoS policy to mark the service flows destined for TCP port 8090 and UDP port 2000 with APN ID instance a and APN ID instance b, respectively. Apply the QoS policy to the inbound direction of the private interface bound to the VPN instance.

[PE1] acl advanced 3001

[PE1-acl-ipv4-adv-3001] rule 10 permit tcp destination-port eq 8090

[PE1-acl-ipv4-adv-3001] quit

[PE1] acl advanced 3002

[PE1-acl-ipv4-adv-3002] rule 10 permit udp destination-port eq 2000

[PE1-acl-ipv4-adv-3002] quit

[PE1] traffic classifier a

[PE1-classifier-a] if-match acl 3001

[PE1-classifier-a] quit

[PE1] traffic classifier b

[PE1-classifier-b] if-match acl 3002

[PE1-classifier-b] quit

[PE1] traffic behavior a

[PE1-behavior-a] remark apn-id-ipv6 instance a

[PE1-behavior-a] quit

[PE1] traffic behavior b

[PE1-behavior-b] remark apn-id-ipv6 instance b

[PE1-behavior-b] quit

[PE1] qos policy abc

[PE1-qospolicy-abc] classifier a behavior a

[PE1-qospolicy-abc] classifier b behavior b

[PE1-qospolicy-abc] quit

[PE1] interface ten-gigabitethernet 3/0/1

[PE1-Ten-GigabitEthernet3/0/1] qos apply policy abc inbound

[PE1-Ten-GigabitEthernet3/0/1] quit

12.     Deploy APN isolation group abc on PE 1 and establish a mapping of VPN A, APN isolation group abc, and SRv6 locator 200::1:0.

[PE1] apn

[PE1-apn] ipv6

[PE1-apn-ipv6] isolate-group name abc

[PE1-apn-ipv6] isolate-group mapping-vpn

[PE1-apn-ipv6-isolate-group-mapping-vpn] vpn-instance vpna peer-locator 200::1:0 96 match isolate-group abc

[PE1-apn-ipv6-isolate-group-mapping-vpn] quit

Execute the display apn-id-ipv6 vpn-mapping command to verify the mappings between the VPN instances and the APN isolation groups.

13.     Deploy APN isolation policy abc on PE 1 and create an APN isolation rule to associate APN ID instance b with APN isolation group abc. Enable traffic statistics for APN isolation policies.

# Configure PE 1.

[PE1-apn-ipv6] apn-id isolate policy abc

[PE1-apn-ipv6-isolate-policy-abc] index 1 instance b isolate-group abc behavior deny

[PE1-apn-ipv6-isolate-policy-abc] statistics enable

[PE1-apn-ipv6-isolate-policy-abc] quit

[PE1-apn-ipv6] quit

[PE1-apn] quit

[PE1] ip vpn-instance vpna

[PE1-vpn-instance-vpna] apn-id-ipv6 isolate-policy abc inbound

[PE1-vpn-instance-vpna] quit

 

Verifying the configuration

# Execute the display apn-id-ipv6 isolate-policy command on a PE to display information about the APN isolation policy.

<PE1> display apn-id-ipv6 isolate-policy

Total isolate policy number     : 1

Total rules                     : 1

 

  Isolate policy      : abc

  Isolate policy ID   : 1

  Statistic state     : Enabled

  Statistic interval  : 30 s

  Isolate rules:

  Index      Instancename               Groupname(ID)                   Behavior

  1          b                          abc(0)                          Deny

The command output shows that the service flows destined for UDP port 2000 are tagged with APN ID instance b and cannot be forwarded from PE 1 to PE 2.

# Execute the display apn-id-ipv6 isolate-policy statistics command on the PEs to display the traffic statistics for the APN isolation policy.

<Sysname> display apn-id-ipv6 isolate-policy statistics policy abc

VPN instance             : a

APN isolate policy       : abc

Item                   Packets                   Bytes

Matched                102314                    9123717

Last 300 seconds rate

Item                   PPS                        BPS

Matched                123                        28912
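The following added example (not H3C tooling or code from this guide) audits the PE 1 commands from steps 9, 10, and 13: it rebuilds each 64-bit APN ID from the template and apn-field values and reports which APN IDs the deny rule isolates. The function names are hypothetical, and the packing order (sub-fields fill each group from its most significant bit in index order, unused bits zero) is an assumption inferred from the two APN IDs stated in this example.

```python
import re

# PE 1 commands copied from steps 9, 10 and 13 of this example (prompts removed).
CONFIG = """\
apn-id template a length 64 app-group 32 user-group 32
 app-group index 1 app-group1 length 8
 app-group index 2 app-group2 length 8
 user-group index 1 user-group1 length 8
 user-group index 2 user-group2 length 8
apn-id instance a
 template a
 apn-field app-group1 17
 apn-field app-group2 34
 apn-field user-group1 51
 apn-field user-group2 68
apn-id instance b
 template a
 apn-field app-group1 85
 apn-field app-group2 102
 apn-field user-group1 119
 apn-field user-group2 136
apn-id isolate policy abc
 index 1 instance b isolate-group abc behavior deny
"""

TEMPLATE_RE = r"apn-id template (\S+) length (\d+) app-group (\d+) user-group (\d+)"
SUBFIELD_RE = r"(app-group|user-group) index (\d+) (\S+) length (\d+)"
RULE_RE = r"index (\d+) instance (\S+) isolate-group (\S+) behavior (\S+)"


def parse(config):
    """Return (templates, instances, rules) parsed from the CLI lines."""
    templates, instances, rules = {}, {}, []
    tpl = inst = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(TEMPLATE_RE, line):
            tpl = templates[m[1]] = {
                "length": int(m[2]),
                "bits": {"app-group": int(m[3]), "user-group": int(m[4])},
                "fields": {"app-group": [], "user-group": []},
            }
        elif tpl and (m := re.fullmatch(SUBFIELD_RE, line)):
            tpl["fields"][m[1]].append((int(m[2]), m[3], int(m[4])))
        elif m := re.fullmatch(r"apn-id instance (\S+)", line):
            inst = instances[m[1]] = {"template": None, "values": {}}
        elif inst and (m := re.fullmatch(r"template (\S+)", line)):
            inst["template"] = m[1]
        elif inst and (m := re.fullmatch(r"apn-field (\S+) (\d+)", line)):
            inst["values"][m[1]] = int(m[2])
        elif m := re.fullmatch(RULE_RE, line):
            rules.append({"instance": m[2], "group": m[3], "behavior": m[4]})
    return templates, instances, rules


def build_apn_id(template, values):
    """Pack sub-field values into the APN ID (assumed MSB-first packing)."""
    known = {n for fs in template["fields"].values() for _, n, _ in fs}
    if set(values) - known:
        raise ValueError(f"fields not in template: {sorted(set(values) - known)}")
    apn_id = 0
    for group in ("app-group", "user-group"):
        group_bits, consumed, packed = template["bits"][group], 0, 0
        for _, name, width in sorted(template["fields"][group]):
            consumed += width
            if consumed > group_bits:
                raise ValueError(f"{group} sub-fields exceed {group_bits} bits")
            value = values.get(name, 0)
            if value >> width:
                raise ValueError(f"{name}={value} does not fit in {width} bits")
            packed |= value << (group_bits - consumed)
        apn_id = (apn_id << group_bits) | packed
    spare = template["length"] - sum(template["bits"].values())
    if spare < 0:
        raise ValueError("groups are longer than the APN ID")
    return apn_id << spare


def audit(config):
    """Return ({instance: apn_id}, {denied apn_id: isolation group})."""
    templates, instances, rules = parse(config)
    ids = {name: build_apn_id(templates[i["template"]], i["values"])
           for name, i in instances.items()}
    denied = {ids[r["instance"]]: r["group"]
              for r in rules if r["behavior"] == "deny"}
    return ids, denied


if __name__ == "__main__":
    ids, denied = audit(CONFIG)
    for name, value in ids.items():
        state = f"denied in group {denied[value]}" if value in denied else "forwarded"
        print(f"instance {name}: 0x{value:016x} {state}")
```

A value that does not fit its sub-field width raises ValueError instead of silently producing a different APN ID than the one the isolation rule is meant to block.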

Example: APN ID-based traffic steering in the IPv4 L3VPN over SRv6 TE policy scenario

Network configuration

Figure 8 shows an IPv4 L3VPN over SRv6 network that deploys TE policies. On this network, PE 1 and PE 2 establish SRv6 tunnels for redundant connectivity. On the PEs, two SR TE policies (A and B) that forward traffic on different paths are assigned to an SRv6 TE policy group. Deploy VPN A to transport the traffic between CE 1 and CE 2 for two types of services: one identified by APN ID 0x1122000033440000 and the other identified by APN ID 0x5566000077880000. Steer the service flow identified by APN ID 0x1122000033440000 to SRv6 TE policy A and the service flow identified by APN ID 0x5566000077880000 to SRv6 TE policy B. To address these requirements:

·     Run IS-IS between PE 1, P 1, P 2, and PE 2 to establish Layer 3 connectivity. Configure the PEs and CEs to exchange VPN route information via EBGP. Configure a local SRv6 locator on PE 2. Set the prefix for the locator to 200::1:0 and the prefix length to 96.

·     Create an SRv6 TE policy group between PE 1 and PE 2 to steer traffic based on APN ID. Map the APN IDs to the SRv6 TE policies.

·     On PE 1, configure an ACL to match the service flows. Configure a QoS policy to mark the ACL-matching flows with their APN IDs. Then, apply the QoS policy to the private interfaces bound to VPN A.

Figure 8 Network diagram

| Device | Interface | IP address | Device | Interface | IP address |
|---|---|---|---|---|---|
| CE 1 | Loop0 | 1.1.1.1/32 | CE 2 | Loop0 | 2.2.2.2/32 |
| | XGE3/0/1 | 10.1.1.2/24 | | XGE3/0/1 | 10.2.1.2/24 |
| PE 1 | Loop0 | 3::3/128 | PE 2 | Loop0 | 4::4/128 |
| | XGE3/0/1 | 10.1.1.1/24 | | XGE3/0/1 | 10.2.1.1/24 |
| | XGE3/0/2 | 1000::1/96 | | XGE3/0/2 | 4000::2/96 |
| | XGE3/0/3 | 2000::1/96 | | XGE3/0/3 | 3000::2/96 |
| P 1 | Loop0 | 5::5/128 | P 2 | Loop0 | 6::6/128 |
| | XGE3/0/2 | 1000::2/96 | | XGE3/0/2 | 4000::1/96 |
| | XGE3/0/3 | 3000::1/96 | | XGE3/0/3 | 2000::2/96 |

Procedure

1.     Configure IPv6 IS-IS on the PE and P devices in the backbone network to establish connectivity between them.

# Configure PE 1.

<PE1> system-view

[PE1] isis 1

[PE1-isis-1] is-level level-1

[PE1-isis-1] cost-style wide

[PE1-isis-1] network-entity 10.1111.1111.1111.00

[PE1-isis-1] address-family ipv6 unicast

[PE1-isis-1-ipv6] quit

[PE1-isis-1] quit

[PE1] interface loopback 0

[PE1-LoopBack0] ipv6 address 3::3 128

[PE1-LoopBack0] isis ipv6 enable 1

[PE1-LoopBack0] quit

[PE1] interface ten-gigabitethernet 3/0/2

[PE1-Ten-GigabitEthernet3/0/2] ipv6 address 1000::1 96

[PE1-Ten-GigabitEthernet3/0/2] isis ipv6 enable

[PE1-Ten-GigabitEthernet3/0/2] quit

[PE1] interface ten-gigabitethernet 3/0/3

[PE1-Ten-GigabitEthernet3/0/3] ipv6 address 2000::1 96

[PE1-Ten-GigabitEthernet3/0/3] isis ipv6 enable

[PE1-Ten-GigabitEthernet3/0/3] quit

# Configure P 1.

<P1> system-view

[P1] isis 1

[P1-isis-1] is-level level-1

[P1-isis-1] cost-style wide

[P1-isis-1] network-entity 10.2222.2222.2222.00

[P1-isis-1] address-family ipv6 unicast

[P1-isis-1-ipv6] quit

[P1-isis-1] quit

[P1] interface loopback 0

[P1-LoopBack0] ipv6 address 5::5 128

[P1-LoopBack0] isis ipv6 enable

[P1-LoopBack0] quit

[P1] interface ten-gigabitethernet 3/0/2

[P1-Ten-GigabitEthernet3/0/2] ipv6 address 1000::2 96

[P1-Ten-GigabitEthernet3/0/2] isis ipv6 enable

[P1-Ten-GigabitEthernet3/0/2] quit

[P1] interface ten-gigabitethernet 3/0/3

[P1-Ten-GigabitEthernet3/0/3] ipv6 address 3000::1 96

[P1-Ten-GigabitEthernet3/0/3] isis ipv6 enable

[P1-Ten-GigabitEthernet3/0/3] quit

# Configure P 2.

<P2> system-view

[P2] isis 1

[P2-isis-1] is-level level-1

[P2-isis-1] cost-style wide

[P2-isis-1] network-entity 10.3333.3333.3333.00

[P2-isis-1] address-family ipv6 unicast

[P2-isis-1-ipv6] quit

[P2-isis-1] quit

[P2] interface loopback 0

[P2-LoopBack0] ipv6 address 6::6 128

[P2-LoopBack0] isis ipv6 enable

[P2-LoopBack0] quit

[P2] interface ten-gigabitethernet 3/0/2

[P2-Ten-GigabitEthernet3/0/2] ipv6 address 4000::1 96

[P2-Ten-GigabitEthernet3/0/2] isis ipv6 enable

[P2-Ten-GigabitEthernet3/0/2] quit

[P2] interface ten-gigabitethernet 3/0/3

[P2-Ten-GigabitEthernet3/0/3] ipv6 address 2000::2 96

[P2-Ten-GigabitEthernet3/0/3] isis ipv6 enable

[P2-Ten-GigabitEthernet3/0/3] quit

# Configure PE 2.

<PE2> system-view

[PE2] isis 1

[PE2-isis-1] is-level level-1

[PE2-isis-1] cost-style wide

[PE2-isis-1] network-entity 10.4444.4444.4444.00

[PE2-isis-1] address-family ipv6 unicast

[PE2-isis-1-ipv6] quit

[PE2-isis-1] quit

[PE2] interface loopback 0

[PE2-LoopBack0] ipv6 address 4::4 128

[PE2-LoopBack0] isis ipv6 enable

[PE2-LoopBack0] quit

[PE2] interface ten-gigabitethernet 3/0/2

[PE2-Ten-GigabitEthernet3/0/2] ipv6 address 4000::2 96

[PE2-Ten-GigabitEthernet3/0/2] isis ipv6 enable

[PE2-Ten-GigabitEthernet3/0/2] quit

[PE2] interface ten-gigabitethernet 3/0/3

[PE2-Ten-GigabitEthernet3/0/3] ipv6 address 3000::2 96

[PE2-Ten-GigabitEthernet3/0/3] isis ipv6 enable

[PE2-Ten-GigabitEthernet3/0/3] quit

Verify that the PE 1, P 1, P 2, and PE 2 devices can establish IPv6 IS-IS adjacencies. Execute the display isis peer command to verify that their circuits are in Up state. Execute the display isis route ipv6 command to verify that the PEs can learn the routes to each other's loopback interfaces.

2.     Configure VPN instances on the PEs to provide network access for the CEs.

# Configure PE 1.

[PE1] ip vpn-instance vpna

[PE1-vpn-instance-vpna] route-distinguisher 100:1

[PE1-vpn-instance-vpna] vpn-target 111:1

[PE1-vpn-instance-vpna] quit

[PE1] interface ten-gigabitethernet 3/0/1

[PE1-Ten-GigabitEthernet3/0/1] ip binding vpn-instance vpna

[PE1-Ten-GigabitEthernet3/0/1] ip address 10.1.1.1 24

[PE1-Ten-GigabitEthernet3/0/1] quit

# Configure PE 2.

[PE2] ip vpn-instance vpna

[PE2-vpn-instance-vpna] route-distinguisher 100:1

[PE2-vpn-instance-vpna] vpn-target 111:1

[PE2-vpn-instance-vpna] quit

[PE2] interface ten-gigabitethernet 3/0/1

[PE2-Ten-GigabitEthernet3/0/1] ip binding vpn-instance vpna

[PE2-Ten-GigabitEthernet3/0/1] ip address 10.2.1.1 24

[PE2-Ten-GigabitEthernet3/0/1] quit

# Assign IP addresses to interfaces on the CEs, as shown in Figure 8. (Details not shown.)

3.     Establish EBGP peer relationships between PEs and CEs, and redistribute VPN routes.

# Configure CE 1.

<CE1> system-view

[CE1] bgp 65410

[CE1-bgp-default] router-id 2.2.2.2

[CE1-bgp-default] peer 10.1.1.1 as-number 100

[CE1-bgp-default] address-family ipv4 unicast

[CE1-bgp-default-ipv4] peer 10.1.1.1 enable

[CE1-bgp-default-ipv4] import-route direct

[CE1-bgp-default-ipv4] network 1.1.1.1 255.255.255.255

[CE1-bgp-default-ipv4] quit

[CE1-bgp-default] quit

# Configure CE 2 in the same way as you configured CE 1. (Details not shown.)

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp-default] router-id 1.1.1.1

[PE1-bgp-default] ip vpn-instance vpna

[PE1-bgp-default-vpna] peer 10.1.1.2 as-number 65410

[PE1-bgp-default-vpna] address-family ipv4 unicast

[PE1-bgp-default-ipv4-vpna] peer 10.1.1.2 enable

[PE1-bgp-default-ipv4-vpna] quit

[PE1-bgp-default-vpna] quit

# Configure PE 2 in the same way as you configured PE 1. (Details not shown.)

Execute the display bgp peer ipv4 vpn-instance command on the PEs to verify that they have BGP peers in Established state with the CEs.

4.     Establish MP-IBGP peers between PEs.

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp-default] peer 4::4 as-number 100

[PE1-bgp-default] peer 4::4 connect-interface loopback 0

[PE1-bgp-default] address-family vpnv4

[PE1-bgp-default-vpnv4] peer 4::4 enable

[PE1-bgp-default-vpnv4] quit

[PE1-bgp-default] quit

# Configure PE 2.

[PE2] bgp 100

[PE2-bgp-default] peer 3::3 as-number 100

[PE2-bgp-default] peer 3::3 connect-interface loopback 0

[PE2-bgp-default] address-family vpnv4

[PE2-bgp-default-vpnv4] peer 3::3 enable

[PE2-bgp-default-vpnv4] quit

[PE2-bgp-default] quit

Execute the display bgp peer vpnv4 command to verify that the PEs have BGP peers in Established state with each other.

5.     Specify a source address for the outer IPv6 header of SRv6-encapsulated IP L3VPN packets on the PEs.

# Configure PE 1.

[PE1] segment-routing ipv6

[PE1-segment-routing-ipv6] encapsulation source-address 3::3

# Configure PE 2.

[PE2] segment-routing ipv6

[PE2-segment-routing-ipv6] encapsulation source-address 4::4

6.     Configure SRv6 locators on PE 1, PE 2, P 1, and P 2 and configure IS-IS to advertise the SRv6 locators.

# Configure PE 1.

[PE1-segment-routing-ipv6] locator aaa ipv6-prefix 100::1:0 96 static 8

[PE1-segment-routing-ipv6-locator-aaa] quit

[PE1-segment-routing-ipv6] quit

[PE1] isis 1

[PE1-isis-1] address-family ipv6 unicast

[PE1-isis-1-ipv6] segment-routing ipv6 locator aaa

[PE1-isis-1-ipv6] quit

[PE1-isis-1] quit

# Configure PE 2.

[PE2-segment-routing-ipv6] locator bbb ipv6-prefix 200::1:0 96 static 8

[PE2-segment-routing-ipv6-locator-bbb] opcode 1 end no-flavor

[PE2-segment-routing-ipv6-locator-bbb] quit

[PE2-segment-routing-ipv6] quit

[PE2] isis 1

[PE2-isis-1] address-family ipv6 unicast

[PE2-isis-1-ipv6] segment-routing ipv6 locator bbb

[PE2-isis-1-ipv6] quit

[PE2-isis-1] quit

# Configure P 1.

[P1] segment-routing ipv6

[P1-segment-routing-ipv6] locator ccc ipv6-prefix 300::1:0 96 static 8

[P1-segment-routing-ipv6-locator-ccc] opcode 1 end-x interface ten-gigabitethernet 3/0/3 nexthop 3000::2 no-flavor

[P1-segment-routing-ipv6-locator-ccc] quit

[P1-segment-routing-ipv6] quit

[P1] isis 1

[P1-isis-1] address-family ipv6 unicast

[P1-isis-1-ipv6] segment-routing ipv6 locator ccc

[P1-isis-1-ipv6] quit

[P1-isis-1] quit

# Configure P 2.

[P2] segment-routing ipv6

[P2-segment-routing-ipv6] locator ddd ipv6-prefix 400::1:0 96 static 8

[P2-segment-routing-ipv6-locator-ddd] opcode 1 end-x interface ten-gigabitethernet 3/0/2 nexthop 4000::2 no-flavor

[P2-segment-routing-ipv6-locator-ddd] quit

[P2-segment-routing-ipv6] quit

[P2] isis 1

[P2-isis-1] address-family ipv6 unicast

[P2-isis-1-ipv6] segment-routing ipv6 locator ddd

[P2-isis-1-ipv6] quit

[P2-isis-1] quit

Execute the display ipv6 routing-table command on the PEs to verify that they have learned the routes to the SRv6 locators on other devices.

7.     On PE 1, configure SRv6 TE policy A and SRv6 TE policy B. The candidate path in SRv6 TE policy A goes from PE 1 through P 1 to PE 2, while the candidate path in SRv6 TE policy B goes from PE 1 through P 2 to PE 2.

# Configure SRv6 TE policy A.

[PE1] segment-routing ipv6

[PE1-segment-routing-ipv6] traffic-engineering

[PE1-srv6-te] srv6-policy locator aaa

[PE1-srv6-te] segment-list s1

[PE1-srv6-te-sl-s1] index 10 ipv6 300::1:1

[PE1-srv6-te-sl-s1] index 20 ipv6 200::1:1

[PE1-srv6-te-sl-s1] quit

[PE1-srv6-te] policy A

[PE1-srv6-te-policy-A] color 10 end-point ipv6 4::4

[PE1-srv6-te-policy-A] candidate-paths

[PE1-srv6-te-policy-A-path] preference 10

[PE1-srv6-te-policy-A-path-pref-10] explicit segment-list s1

[PE1-srv6-te-policy-A-path-pref-10] quit

[PE1-srv6-te-policy-A-path] quit

[PE1-srv6-te-policy-A] quit

# Configure SRv6 TE policy B.

[PE1-srv6-te] segment-list s2

[PE1-srv6-te-sl-s2] index 10 ipv6 400::1:1

[PE1-srv6-te-sl-s2] index 20 ipv6 200::1:1

[PE1-srv6-te-sl-s2] quit

[PE1-srv6-te] policy B

[PE1-srv6-te-policy-B] color 20 end-point ipv6 4::4

[PE1-srv6-te-policy-B] candidate-paths

[PE1-srv6-te-policy-B-path] preference 10

[PE1-srv6-te-policy-B-path-pref-10] explicit segment-list s2

[PE1-srv6-te-policy-B-path-pref-10] quit

[PE1-srv6-te-policy-B-path] quit

[PE1-srv6-te-policy-B] quit

8.     On PE 1, configure APN ID template a to define APP-Group-ID fields and User-Group-ID fields.

[PE1] apn

[PE1-apn] ipv6

[PE1-apn-ipv6] apn-id template a length 64 app-group 32 user-group 32

[PE1-apn-ipv6-template-a] app-group index 1 app-group1 length 8

[PE1-apn-ipv6-template-a] app-group index 2 app-group2 length 8

[PE1-apn-ipv6-template-a] user-group index 1 user-group1 length 8

[PE1-apn-ipv6-template-a] user-group index 2 user-group2 length 8

[PE1-apn-ipv6-template-a] quit

9.     On PE 1, configure APN ID instances a and b. Apply APN ID template a to APN ID instance a, and set the APN ID to 0x1122000033440000. Apply APN ID template a to APN ID instance b, and set the APN ID to 0x5566000077880000.

[PE1-apn-ipv6] apn-id instance a

[PE1-apn-ipv6-instance-a] template a

[PE1-apn-ipv6-instance-a] apn-field app-group1 17

[PE1-apn-ipv6-instance-a] apn-field app-group2 34

[PE1-apn-ipv6-instance-a] apn-field user-group1 51

[PE1-apn-ipv6-instance-a] apn-field user-group2 68

[PE1-apn-ipv6-instance-a] quit

[PE1-apn-ipv6] apn-id instance b

[PE1-apn-ipv6-instance-b] template a

[PE1-apn-ipv6-instance-b] apn-field app-group1 85

[PE1-apn-ipv6-instance-b] apn-field app-group2 102

[PE1-apn-ipv6-instance-b] apn-field user-group1 119

[PE1-apn-ipv6-instance-b] apn-field user-group2 136

[PE1-apn-ipv6-instance-b] quit

[PE1-apn-ipv6] quit

[PE1-apn] quit

Execute the display apn-id-ipv6 instance command on the PEs to verify the APN ID instance configuration.

10.     Configure the on-demand next-hop (ODN) feature to automatically create SRv6 TE policy groups. Specify the APN ID forward type for traffic steering, and map APN ID instances to SRv6 TE policies. If all SRv6 TE policies become invalid, forward traffic in SRv6 BE mode.

[PE1] segment-routing ipv6

[PE1-segment-routing-ipv6] traffic-engineering

[PE1-srv6-te] on-demand-group color 100

[PE1-srv6-te-odn-group-100] forward-type apn-id

[PE1-srv6-te-odn-group-100-apn-id] index 1 apn-id instance a match srv6-policy color 10

[PE1-srv6-te-odn-group-100-apn-id] index 2 apn-id instance b match srv6-policy color 20

[PE1-srv6-te-odn-group-100-apn-id] default match best-effort

[PE1-srv6-te-odn-group-100-apn-id] quit

[PE1-srv6-te-odn-group-100] quit

[PE1-srv6-te] quit

[PE1-segment-routing-ipv6] quit

11.     Configure the PE devices to add the End.DT4 SID attribute to VPN routes.

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp-default] ip vpn-instance vpna

[PE1-bgp-default-vpna] address-family ipv4 unicast

[PE1-bgp-default-ipv4-vpna] segment-routing ipv6 locator aaa

[PE1-bgp-default-ipv4-vpna] quit

[PE1-bgp-default-vpna] quit

[PE1-bgp-default] quit

# Configure PE 2.

[PE2] bgp 100

[PE2-bgp-default] ip vpn-instance vpna

[PE2-bgp-default-vpna] address-family ipv4 unicast

[PE2-bgp-default-ipv4-vpna] segment-routing ipv6 locator bbb

[PE2-bgp-default-ipv4-vpna] quit

[PE2-bgp-default-vpna] quit

[PE2-bgp-default] quit

12.     On PE 2, configure a routing policy to have PE 2 set the color extended community attribute for the MP-BGP routes advertised to PE 1. Make sure the color attribute values are consistent with the color attribute values in the ODN template for the SRv6 TE policy group. This enables PE 1 to automatically establish an SRv6 TE policy group with the destination address being the next hop of the MP-BGP route, which is the IPv6 address of PE 2's Loopback 0 interface. On PE 1, configure a tunnel policy to steer the VPN traffic to the SRv6 TE policy group.

# Configure PE 2.

[PE2] route-policy a permit node 10

[PE2-route-policy-a-10] apply extcommunity color 00:100

[PE2-route-policy-a-10] quit

[PE2] bgp 100

[PE2-bgp-default] address-family vpnv4

[PE2-bgp-default-vpnv4] peer 3::3 route-policy a export

[PE2-bgp-default-vpnv4] quit

[PE2-bgp-default] quit

# Configure PE 1.

[PE1] tunnel-policy a

[PE1-tunnel-policy-a] select-seq srv6-policy-group load-balance-number 1

[PE1-tunnel-policy-a] quit

[PE1] ip vpn-instance vpna

[PE1-vpn-instance-vpna] tnl-policy a

[PE1-vpn-instance-vpna] quit

13.     On the PEs, enable the MP-BGP peers to advertise routes with the prefix SID attribute. Enable the PEs to resolve the VPN routes through recursive routing to the End.DT4 SID routes.

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp-default] address-family vpnv4

[PE1-bgp-default-vpnv4] peer 4::4 prefix-sid

[PE1-bgp-default-vpnv4] quit

[PE1-bgp-default] ip vpn-instance vpna

[PE1-bgp-default-vpna] address-family ipv4 unicast

[PE1-bgp-default-ipv4-vpna] segment-routing ipv6 traffic-engineering

[PE1-bgp-default-ipv4-vpna] quit

[PE1-bgp-default-vpna] quit

[PE1-bgp-default] quit

# Configure PE 2.

[PE2] bgp 100

[PE2-bgp-default] address-family vpnv4

[PE2-bgp-default-vpnv4] peer 3::3 prefix-sid

[PE2-bgp-default-vpnv4] quit

[PE2-bgp-default] ip vpn-instance vpna

[PE2-bgp-default-vpna] address-family ipv4 unicast

[PE2-bgp-default-ipv4-vpna] segment-routing ipv6 best-effort

[PE2-bgp-default-ipv4-vpna] quit

[PE2-bgp-default-vpna] quit

[PE2-bgp-default] quit

Execute the display bgp routing-table vpnv4 command on each PE to view detailed information about the routes received from the remote PE. Verify that these routes have SID attributes.

14.     On PE 1, configure an ACL and QoS policy to mark the service flows destined for TCP port 8090 and UDP port 2000 with APN ID instance a and APN ID instance b, respectively. Apply the QoS policy to the inbound direction of the private interface bound to the VPN instance.

[PE1] acl advanced 3001

[PE1-acl-ipv4-adv-3001] rule 10 permit tcp destination-port eq 8090

[PE1-acl-ipv4-adv-3001] quit

[PE1] acl advanced 3002

[PE1-acl-ipv4-adv-3002] rule 10 permit udp destination-port eq 2000

[PE1-acl-ipv4-adv-3002] quit

[PE1] traffic classifier a

[PE1-classifier-a] if-match acl 3001

[PE1-classifier-a] quit

[PE1] traffic classifier b

[PE1-classifier-b] if-match acl 3002

[PE1-classifier-b] quit

[PE1] traffic behavior a

[PE1-behavior-a] remark apn-id-ipv6 instance a

[PE1-behavior-a] quit

[PE1] traffic behavior b

[PE1-behavior-b] remark apn-id-ipv6 instance b

[PE1-behavior-b] quit

[PE1] qos policy abc

[PE1-qospolicy-abc] classifier a behavior a

[PE1-qospolicy-abc] classifier b behavior b

[PE1-qospolicy-abc] quit

[PE1] interface ten-gigabitethernet 3/0/1

[PE1-Ten-GigabitEthernet3/0/1] qos apply policy abc inbound

[PE1-Ten-GigabitEthernet3/0/1] quit

Verifying the configuration

# Execute the display segment-routing ipv6 te policy-group verbose command on PE 1 to show detailed information about all SRv6 TE policy groups. Verify that the SRv6 TE policy group created in ODN mode is in UP state and a value exists in the GroupNID field to show the index of the forwarding entry for the SRv6 TE policy group.

[PE1] display segment-routing ipv6 te policy-group verbose

Total number of policy groups: 1

 

GroupID: 1                          GroupState: Up

GroupNID: 2151677955                Referenced: 1

Flags:  None                        Group type: Dynamic APN-ID

Group color: 100

StateChangeTime: 2023-10-18 09:51:39

Endpoint: 4::4

BSID:

  Explicit BSID: -                       Request state: -

Best-effort NID: 2160066563

Drop upon mismatch: Disabled

Delete delay time(ms): 180000

Delete remain time(ms): -

UP/Total Mappings: 3/3

  Index       APN-ID      Color/Best-effort

  --          default     best-effort

  1           10          10

  2           20          20

# Execute the display bgp routing-table vpnv4 command on PE 1 to display detailed information about VPN routes. Verify that these routes convey the extended color community attribute and are resolved to the tunnels identified by the same GroupNID as the SRv6 policy group. This indicates that the service flows that match the VPN routes are steered to the SRv6 TE policy group.

[PE1] display bgp routing-table vpnv4 2.2.2.2

 

 BGP local router ID: 1.1.1.1

 Local AS number: 100

 

 

 Route distinguisher: 100:1(vpna)

 Total number of routes: 1

 Paths:   1 available, 1 best

 

 BGP routing table information of 2.2.2.2/32:

 From            : 4::4 (3.3.3.3)

 Rely nexthop    : FE80::661B:AEFF:FE1A:307

 Original nexthop: 4::4

 Out interface   : Ten-GigabitEthernet3/0/2

 Route age       : 13h48m28s

 OutLabel        : 3

 Ext-Community   : <RT: 111:1>, <CO-Flag:Color(00:100)>

 RxPathID        : 0x0

 TxPathID        : 0x0

 PrefixSID       : End.DT4 SID <200::100>

  SRv6 Service TLV (37 bytes):

   Type: SRV6 L3 Service TLV (5)

   Length: 34 bytes, Reserved: 0x0

   SRv6 Service Information Sub-TLV (33 bytes):

    Type: 1 Length: 30, Rsvdl: 0x0

    SID Flags: 0x0  Endpoint behavior: 0x13 Rsvd2: 0x0

    SRv6 SID Sub-Sub-TLV:

     Type: 1 Len: 6

     BL: 96 NL: 0 FL: 32 AL: 0 TL: 0 TO: 0

 AS-path         : 65420

 Origin          : igp

 Attribute value : MED 0, localpref 100, pref-val 0

 State           : valid, internal, best

 Source type     : local

 IP precedence   : N/A

 QoS local ID    : N/A

 Traffic index   : N/A

 Tunnel policy   : a

 Rely tunnel IDs : 2151677955

Use the ping command with source address 1.1.1.1 on CE 1 to verify that CE 1 has connectivity to CE 2 at 2.2.2.2.
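The two checks described in this verification section can be scripted. The following added example (not part of the original guide or any H3C tool) parses excerpts of the two display outputs shown above and reports every mismatch between the SRv6 TE policy group and the VPN route that should resolve to it. The function names are hypothetical, and the parsing assumes the output layout shown on this page.

```python
import ipaddress
import re

# Excerpts of the command output shown above on this page.
POLICY_GROUP = """\
GroupID: 1                          GroupState: Up
GroupNID: 2151677955                Referenced: 1
Flags:  None                        Group type: Dynamic APN-ID
Group color: 100
Endpoint: 4::4
UP/Total Mappings: 3/3
  Index       APN-ID      Color/Best-effort
  --          default     best-effort
  1           10          10
  2           20          20
"""

BGP_ROUTE = """\
 Original nexthop: 4::4
 Ext-Community   : <RT: 111:1>, <CO-Flag:Color(00:100)>
 PrefixSID       : End.DT4 SID <200::100>
 Tunnel policy   : a
 Rely tunnel IDs : 2151677955
"""


def _field(label, text):
    """Return the first token after 'label:' or raise if the field is absent."""
    m = re.search(rf"{re.escape(label)}\s*:\s*(\S+)", text)
    if not m:
        raise ValueError(f"missing field: {label}")
    return m[1]


def parse_policy_group(text):
    """Parse one group from 'display segment-routing ipv6 te policy-group verbose'."""
    m = re.search(r"UP/Total Mappings:\s*(\d+)/(\d+)", text)
    if not m:
        raise ValueError("missing field: UP/Total Mappings")
    # Mapping rows: index (or --), APN-ID column, color or best-effort.
    rows = re.findall(r"^[ \t]*(\d+|--)[ \t]+(\S+)[ \t]+(\S+)[ \t]*$", text, re.M)
    return {
        "state": _field("GroupState", text),
        "nid": int(_field("GroupNID", text)),
        "color": int(_field("Group color", text)),
        "endpoint": ipaddress.ip_address(_field("Endpoint", text)),
        "up": int(m[1]),
        "total": int(m[2]),
        "mappings": rows,
    }


def parse_bgp_route(text):
    """Parse the fields of interest from 'display bgp routing-table vpnv4 <prefix>'."""
    color = re.search(r"Color\(\d+:(\d+)\)", text)
    tunnels = re.search(r"Rely tunnel IDs\s*:\s*(.*)", text)
    return {
        "nexthop": ipaddress.ip_address(_field("Original nexthop", text)),
        "color": int(color[1]) if color else None,
        "tunnel_ids": [int(t) for t in re.findall(r"\d+", tunnels[1])] if tunnels else [],
    }


def check_steering(group, route):
    """Return a list of problems; an empty list means the route uses the group."""
    problems = []
    if group["state"] != "Up":
        problems.append(f"policy group state is {group['state']}, expected Up")
    if group["up"] != group["total"]:
        problems.append(f"only {group['up']} of {group['total']} mappings are up")
    if ("--", "default", "best-effort") not in group["mappings"]:
        problems.append("no default best-effort mapping")
    if route["color"] != group["color"]:
        problems.append(f"route color {route['color']} != group color {group['color']}")
    if route["nexthop"] != group["endpoint"]:
        problems.append("route next hop differs from the group endpoint")
    if group["nid"] not in route["tunnel_ids"]:
        problems.append("route is not resolved to the policy group's GroupNID")
    return problems


if __name__ == "__main__":
    issues = check_steering(parse_policy_group(POLICY_GROUP), parse_bgp_route(BGP_ROUTE))
    print("steering verified" if not issues else "\n".join(issues))
```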
