Login
- Table of Contents
-
- 09-MPLS Configuration Guide
- 00-Preface
- 01-Basic MPLS configuration
- 02-IPv6 MPLS L3VPN configuration examples
- 03-IPv6 MPLS L3VPN configuration
- 04-L2VPN access to L3VPN or IP backbone configuration
- 05-LDP configuration
- 06-MCE configuration
- 07-MPLS L2VPN configuration examples
- 08-MPLS L2VPN configuration
- 09-MPLS L3VPN configuration examples
- 10-MPLS L3VPN configuration
- 11-MPLS OAM configuration
- 12-MPLS TE configuration
- 13-RSVP configuration
- 14-Static CRLSP configuration
- 15-Static LSP configuration
- 16-Tunnel policy configuration
- 17-VPLS configuration examples
- 18-VPLS configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 03-IPv6 MPLS L3VPN configuration | 667.24 KB |
Configuring IPv6 MPLS L3VPN
About IPv6 MPLS L3VPN
IPv6 MPLS L3VPN, also known as IPv6 VPN Provider Edge (6VPE), uses BGP to advertise IPv6 VPN routes and uses MPLS to forward IPv6 VPN packets on the service provider backbone.
IPv6 MPLS L3VPN network diagram
Figure 1 shows a typical IPv6 MPLS L3VPN model. The service provider backbone in the IPv6 MPLS L3VPN model is an IPv4 network. IPv6 runs inside the VPNs and between CE and PE. Therefore, PEs must support both IPv4 and IPv6. The PE-CE interfaces of a PE run IPv6, and the PE-P interface of a PE runs IPv4.
Figure 1 Network diagram for the IPv6 MPLS L3VPN model
IPv6 MPLS L3VPN packet forwarding
As shown in Figure 2, the IPv6 MPLS L3VPN packet forwarding procedure is as follows:
1. The PC at Site 1 sends an IPv6 packet destined for 2001:2::1, the PC at Site 2. CE 1 transmits the packet to PE 1.
2. Based on the inbound interface and destination address of the packet, PE 1 finds a matching entry from the routing table of the VPN instance, labels the packet with both a private network label (inner label) and a public network label (outer label), and forwards the packet out.
3. The MPLS backbone transmits the packet to PE 2 by outer label. The outer label is removed from the packet at the penultimate hop.
4. According to the inner label and destination address of the packet, PE 2 searches the routing table of the VPN instance to determine the outbound interface, and then forwards the packet out of the interface to CE 2.
5. CE 2 forwards the packet to the destination by IPv6 forwarding.
Figure 2 IPv6 MPLS L3VPN packet forwarding diagram
IPv6 MPLS L3VPN routing information advertisement
The routing information is advertised through the path local CE—ingress PE—egress PE—remote CE.
Routing information advertisement from the local CE to the ingress PE.
The local CE advertises standard IPv6 routing information to the ingress PE over an IPv6 static route, RIPng route, OSPFv3 route, IPv6 IS-IS route, IBGP route, or EBGP route.
Routing information advertisement from the ingress PE to the egress PE.
After receiving the standard IPv6 routes from the CE, the ingress PE performs the following operations:
1. Adds RDs and route targets to create VPN-IPv6 routes.
2. Saves the routes to the routing table of the VPN instance created for the CE.
3. Assigns VPN labels for the routes.
4. Advertises the VPN-IPv6 routes to the egress PE through MP-BGP.
The egress PE performs the following operations:
5. Compares the export target attributes of the VPN-IPv6 routes with the import target attributes that it maintains for the VPN instance.
6. Adds the routes to the routing table of the VPN instance if the export and import target attributes are the same.
The PEs use an IGP to ensure the connectivity between them.
Routing information advertisement from the egress PE to the remote peer CE.
The egress PE restores the original IPv6 routes and advertises them to the remote CE over an IPv6 static route, RIPng route, OSPFv3 route, IPv6 IS-IS route, EBGP, or IBGP route.
IPv6 MPLS L3VPN network schemes and features
IPv6 MPLS L3VPN supports the following network schemes and features:
· Basic VPN.
· Inter-AS VPN option A.
· Inter-AS VPN option B.
· Inter-AS VPN option C.
· Carrier's carrier.
· HoVPN.
· OSPFv3 VPN extension. (OSPFv3 Type 3, Type 5, and Type 7 LSAs support the DN bit. By default, OSPFv3 VPN extension uses the DN bit to avoid routing loops.)
· BGP AS number substitution and SoO.
· IPv6 MPLS L3VPN FRR.
Protocols and standards
· RFC 4659, BGP-MPLS IP Virtual Private Network (VPN) Extension for IPv6 VPN
· RFC 6565, OSPFv3 as a Provider Edge to Customer Edge (PE-CE) Routing Protocol
IPv6 MPLS L3VPN tasks at a glance
Unless otherwise indicated, configure IPv6 MPLS L3VPN on PEs.
To configure IPv6 MPLS L3VPN, perform the following tasks:
1. Configuring IPv6 MPLS L3VPN basics:
b. Configuring routing between a PE and a CE
c. Configuring routing between PEs
d. (Optional.) Configuring BGP VPNv6 route control
2. Configuring advanced IPv6 MPLS L3VPN networks
¡ Configuring inter-AS IPv6 VPN
Perform this task when sites of a VPN are connected to different ASs of an ISP.
3. (Optional.) Configuring IPv6 MPLS L3VPN FRR
4. (Optional.) Controlling MPLS L3VPN route advertisement and reception
¡ Configuring an OSPFv3 sham link
¡ Configuring BGP AS number substitution and SoO attribute
¡ Configuring the AIGP attribute
¡ Configuring BGP RT filtering
¡ Configuring the BGP additional path feature
¡ Enabling the VPN Prefix ORF feature
¡ Configuring route replication
¡ Enabling redistribution of multiple same-prefix routes with the same RD
¡ Enabling prioritized withdrawal of specific routes
5. (Optional.) Enabling logging for BGP route flapping
Restrictions and guidelines: IPv6 MPLS L3VPN configuration
The public tunnels for IPv6 MPLS L3VPN can be LSP, MPLS TE, and GRE tunnels. In the current software version, the device does not support using GRE/IPv6 tunnels as public tunnels for IPv6 MPLS L3VPN.
Prerequisites for IPv6 MPLS L3VPN
Before configuring IPv6 MPLS L3VPN, perform the following tasks:
1. Configure an IGP on the PEs and P devices to ensure IP connectivity within the MPLS backbone.
2. Configure basic MPLS for the MPLS backbone.
3. Configure MPLS LDP on PEs and P devices to establish LDP LSPs.
Configuring VPN instances
Creating a VPN instance
About this task
A VPN instance is a collection of the VPN membership and routing rules of its associated site. A VPN instance might correspond to more than one VPN.
Restrictions and guidelines
You can configure an RD in VPN instance view and each address family view of the VPN instance. The RD configured in address family view takes precedence over the RD configured in VPN instance view. An address family uses the RD configured in VPN instance view only when no RD is configured in the address family view.
Editing an RD will delete some configuration related to the VPN instance from the BGP process. Please be cautious.
Follow these restrictions and guidelines when deleting RDs:
· When you delete the RD configured in VPN instance view, settings configured in an address family view of the BGP-VPN instance will be deleted if no RD is configured in the address family view. For example, when you delete the RD of VPN instance vpna, settings configured in BGP-VPN IPv6 unicast address family view of VPN instance vpna will be deleted if no RD is configured in VPN instance IPv6 address family view.
· When you delete an RD configured in an address family view of the VPN instance, settings configured in the address family view of the BGP-VPN instance will be deleted if the RD configured in the address family view is different from the RD configured in VPN instance view.
· If you configure an RD for an address family that inherits the RD of the VPN instance and the two RDs are different, settings configured in the address family view of the BGP-VPN instance will be deleted.
Procedure
1. Enter system view.
system-view
2. Set an MPLS label range for all VPN instances.
mpls per-vrf-label range minimum maximum
By default, no MPLS label range is configured for VPN instances.
3. Create a VPN instance and enter VPN instance view.
ip vpn-instance vpn-instance-name
4. Configure an RD for the VPN instance.
route-distinguisher route-distinguisher
By default, no RD is configured for a VPN instance.
5. (Optional.) Configure a description for the VPN instance.
description text
By default, no description is configured for a VPN instance.
6. (Optional.) Set an ID for the VPN instance.
vpn-id vpn-id
By default, no ID is configured for a VPN instance.
7. (Optional.) Configure an SNMP context for the VPN instance.
snmp context-name context-name
By default, no SNMP context is configured.
8. Enter VPN instance IPv6 address family view.
address-family ipv6
9. Configure an RD.
route-distinguisher route-distinguisher
By default, no RD is configured.
10. Specify a label allocation mode.
apply-label { per-instance [ static static-label-value ] | per-route }
By default, BGP allocates a label to each next hop.
|
|
CAUTION: Executing this command will re-advertise all routes in the VPN instance, which will cause temporary interruption of running services in the VPN instance. Please be cautious. |
Associating a VPN instance with a Layer 3 interface
Restrictions and guidelines
If an interface is associated with a VSI or cross-connect, the interface (including its subinterfaces) cannot associate with a VPN instance.
If a subinterface is associated with a VSI or cross-connect, the subinterface cannot associate with a VPN instance.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Associate a VPN instance with the interface.
ip binding vpn-instance vpn-instance-name
By default, an interface is not associated with a VPN instance and belongs to the public network.
|
|
CAUTION: Associating a VPN instance with an interface or disassociating a VPN instance from an interface will clear the IP address and routing protocol settings of the interface. |
The ip binding vpn-instance command clears the IPv6 address of the interface. Therefore, reconfigure an IPv6 address for the interface after configuring this command.
Configuring route related attributes for a VPN instance
Restrictions and guidelines
Configurations made in VPN instance view apply to both IPv4 VPN and IPv6 VPN.
IPv6 VPN prefers the configurations in VPN instance IPv6 address family view over the configurations in VPN instance view.
Prerequisites
Before you perform this task, create the routing policies to be used by this task. For information about routing policies, see Layer 3—IP Routing Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter VPN instance view or VPN instance IPv6 address family view.
¡ Enter VPN instance view.
ip vpn-instance vpn-instance-name
¡ Execute the following commands in sequence to enter VPN instance IPv6 address family view:
ip vpn-instance vpn-instance-name
address-family ipv6
3. Configure route targets.
vpn-target vpn-target&<1-8> [ both | export-extcommunity | import-extcommunity ]
By default, no route targets are configured.
4. Set the maximum number of active routes.
routing-table limit number { warn-threshold | simply-alert }
By default, the number of active routes in a VPN instance is not limited.
Setting the maximum number of active routes for a VPN instance can prevent the PE from storing too many routes.
5. Apply an import routing policy.
import route-policy route-policy
By default, all routes matching the import target attribute are accepted.
6. Apply an export routing policy.
export route-policy route-policy
By default, routes to be advertised are not filtered.
7. Bind a tunnel policy to the VPN instance.
tnl-policy tunnel-policy-name
By default, no tunnel policy is bound to a VPN instance.
If no tunnel policy is bount to a VPN instance or the bound tunnel policy is not configured, the VPN instance uses the default load sharing policy for tunnel selection. For more information about tunnel policies and the default load sharing policy, see "Configuring tunnel policies."
Configuring routing between a PE and a CE
Configuring IPv6 static routing between a PE and a CE
About this task
Perform this configuration on the PE. On the CE, configure a common IPv6 static route.
For more information about IPv6 static routing, see Layer 3—IP Routing Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Configure an IPv6 static route for a VPN instance.
ipv6 route-static vpn-instance s-vpn-instance-name ipv6-address prefix-length { interface-type interface-number [ next-hop-address ] | nexthop-address [ public ] | vpn-instance d-vpn-instance-name nexthop-address } [ permanent ] [ preference preference ] [ tag tag-value ] [ description text ]
Configuring RIPng between a PE and a CE
About this task
Perform this configuration on the PE. On the CE, configure a common RIPng process.
For more information about RIPng, see Layer 3—IP Routing Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Create a RIPng process for a VPN instance and enter RIPng view.
ripng [ process-id ] vpn-instance vpn-instance-name
A RIPng process can belong to only one VPN instance.
3. Redistribute BGP routes.
import-route bgp4+ [ as-number ] [ allow-ibgp ] [ cost cost-value | route-policy route-policy-name ] *
By default, RIPng does not redistribute routes from other routing protocols.
4. Return to system view.
quit
5. Enter interface view.
interface interface-type interface-number
6. Enable RIPng on the interface.
ripng process-id enable
By default, RIPng is disabled on an interface.
Configuring OSPFv3 between a PE and a CE
About this task
Perform this configuration on the PE. On the CE, configure a common OSPFv3 process.
For more information about OSPFv3, see Layer 3—IP Routing Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Create an OSPFv3 process for a VPN instance and enter OSPFv3 view.
ospfv3 [ process-id | vpn-instance vpn-instance-name ] *
An OSPFv3 process can belong to only one VPN instance.
Deleting a VPN instance also deletes all related OSPFv3 processes.
3. Set the router ID.
router-id router-id
4. Redistribute BGP routes.
import-route bgp4+ [ as-number ] [ allow-ibgp ] [ cost cost-value | nssa-only | route-policy route-policy-name | tag tag | type type ] *
By default, OSPFv3 does not redistribute routes from other routing protocols.
If the vpn-instance-capability simple command is not configured for the OSPFv3 process, the allow-ibgp keyword is optional to redistribute VPNv6 routes learned from MP-IBGP peers. In any other cases, if you do not specify the allow-ibgp keyword, the OSPFv3 process does not redistribute VPNv6 routes learned from MP-IBGP peers.
5. (Optional.) Configure OSPFv3 route attributes:
a. Set an OSPFv3 domain ID.
domain-id { domain-id [ secondary ] | null }
The default domain ID is 0.
|
Description |
Restrictions and guidelines |
|
When you redistribute OSPFv3 routes into BGP, BGP adds the primary domain ID to the redistributed BGP routes as a BGP extended community attribute. |
You can configure the same domain ID for different OSPFv3 processes. You must configure the same domain ID for all OSPFv3 processes of the same VPN to ensure correct route advertisement. |
b. Configure the type code of an OSPFv3 extended community attribute.
ext-community-type { domain-id type-code1 | route-type type-code2 | router-id type-code3 }
By default, the type codes for domain ID, route type, and router ID are 0x0005, 0x0306, 0x0107, respectively.
c. Configure an external route tag for redistributed VPN routes.
route-tag tag-value
By default, if BGP runs within an MPLS backbone, and the BGP AS number is not greater than 65535, the first two octets of the external route tag are 0xD000. The last two octets are the local BGP AS number. If the AS number is greater than 65535, the external route tag is 0.
d. Disable setting the DN bit in OSPFv3 LSAs.
disable-dn-bit-set
By default, when a PE redistributes BGP routes into OSPFv3 and creates OSPFv3 LSAs, it sets the DN bit for the LSAs.
This command might cause routing loops. Use it with caution.
e. Ignore the DN bit in OSPFv3 LSAs.
disable-dn-bit-check
By default, the PE checks the DN bit in OSPFv3 LSAs.
This command might cause routing loops. Use it with caution.
f. Enable the external route check feature for OSPFv3 LSAs.
route-tag-check enable
By default, the PE does not check the external route tag but checks the DN bit in OSPFv3 LSAs to avoid routing loops.
This command is only for backward compatibility with the old protocol (RFC 4577).
g. Return to system view.
quit
6. Enter interface view.
interface interface-type interface-number
7. Enable OSPFv3 on the interface.
ospfv3 process-id area area-id [ instance instance-id ]
By default, OSPFv3 is disabled on an interface.
For the command to be executed successfully, make sure the VPN instance to which the OSPFv3 process belongs is the VPN instance bound to the interface.
Configuring IPv6 IS-IS between a PE and a CE
About this task
Perform this configuration on the PE. On the CE, configure a common IPv6 IS-IS process.
For more information about IPv6 IS-IS, see Layer 3—IP Routing Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Create an IPv6 IS-IS process for a VPN instance and enter IS-IS view.
isis [ process-id ] vpn-instance vpn-instance-name
An IPv6 IS-IS process can belong to only one VPN instance.
3. Configure a network entity title for the IS-IS process.
network-entity net
By default, no NET is configured.
4. Create the IS-IS IPv6 unicast address family and enter its view.
address-family ipv6 [ unicast ]
5. Redistribute BGP routes.
import-route bgp4+ [ as-number ] [ allow-ibgp ] [ [ cost cost-value | inherit-cost ] | [ level-1 | level-1-2 | level-2 ] | route-policy route-policy-name | tag tag ] *
By default, IPv6 IS-IS does not redistribute routes from other routing protocols.
6. Return to system view.
quit
quit
7. Enter interface view.
interface interface-type interface-number
8. Enable IPv6 for the IS-IS process on the interface.
isis ipv6 enable [ process-id ]
By default, IPv6 is disabled for the IS-IS process on the interface.
Configuring EBGP between a PE and a CE
Restrictions and guidelines for configuring EBGP between a PE and a CE
After you edit or delete the RD in VPN instance view or VPN instance IPv6 address family view, the device automatically deletes the BGP-VPN IPv6 unicast address family view and all its configuration. To avoid route flapping, do not edit or delete the RD if you have configured EBGP between a PE and a CE.
Configuring the PE
1. Enter system view.
system-view
2. Enable a BGP instance and enter BGP instance view.
bgp as-number [ instance instance-name ]
By default, BGP is not enabled.
3. Enter BGP-VPN instance view.
ip vpn-instance vpn-instance-name
4. Configure the CE as the VPN EBGP peer.
peer { group-name | ipv6-address [ prefix-length ] } as-number as-number
5. Create the BGP-VPN IPv6 unicast address family and enter its view.
address-family ipv6 [ unicast ]
Configuration commands in BGP-VPN IPv6 unicast address family view are the same as those in BGP IPv6 unicast address family view. For more information, see BGP in Layer 3—IP Routing Configuration Guide.
6. Enable IPv6 unicast route exchange with the specified peer.
peer { group-name | ip-address [ prefix-length ] } enable
By default, BGP does not exchange IPv6 unicast routes with a peer.
7. Redistribute the routes of the local CE.
import-route protocol [ { process-id | all-processes } [ allow-direct | med med-value | route-policy route-policy-name ] * ]
A PE must redistribute the routes of the local CE into its VPN routing table so that it can advertise them to the peer PE.
8. (Optional.) Allow the local AS number to appear in the AS_PATH attribute of a received route, and set the maximum number of repetitions.
peer { group-name | ipv6-address [ prefix-length ] } allow-as-loop [ number ]
By default, BGP discards incoming route updates that contain the local AS number.
Execute this command in a hub-spoke network where EBGP is running between a PE and a CE to enable the PE to receive the route updates from the CE.
Configuring the CE
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Configure the PE as an EBGP peer.
peer { group-name | ipv6-address [ prefix-length ] } as-number as-number
4. Create the BGP IPv6 unicast address family and enter its view.
address-family ipv6 [ unicast ]
5. Enable IPv6 unicast route exchange with the specified peer.
peer { group-name | ip-address [ prefix-length ] } enable
By default, BGP does not exchange IPv6 unicast routes with a peer.
6. Configure route redistribution.
import-route protocol [ { process-id | all-processes } [ allow-direct | med med-value | route-policy route-policy-name ] * ]
A CE must advertise its VPN routes to the connected PE so that the PE can advertise them to the peer CE.
Configuring IBGP between a PE and a CE
Restrictions and guidelines for configuring IBGP between a PE and a CE
Use IBGP between PE and CE only in a basic IPv6 MPLS L3VPN network. In networks such as inter-AS VPN and carrier's carrier, you cannot configure IBGP between PE and CE.
After you edit or delete the RD in VPN instance view or VPN instance IPv6 address family view, the device automatically deletes the BGP-VPN IPv6 unicast address family view and all its configuration. To avoid route flapping, do not edit or delete the RD if you have configured IBGP between a PE and a CE.
Configuring the PE
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP-VPN instance view.
ip vpn-instance vpn-instance-name
Configuration commands in BGP-VPN instance view are the same as those in BGP instance view. For more information, see Layer 3—IP Routing Configuration Guide.
4. Configure the CE as the VPN IBGP peer.
peer { group-name | ipv6-address [ prefix-length ] } as-number as-number
5. Create the BGP-VPN IPv6 unicast address family and enter its view.
address-family ipv6 [ unicast ]
6. Enable IPv6 unicast route exchange with the specified peer.
peer { group-name | ipv6-address [ prefix-length ] } enable
By default, BGP does not exchange IPv6 unicast routes with a peer.
7. Configure the CE as a client of the RR to enable the PE to advertise routes learned from the IBGP peer CE to other IBGP peers.
peer { group-name | ipv6-address [ prefix-length ] } reflect-client
By default, no RR or RR client is configured.
Configuring an RR does not change the next hop of a route. To change the next hop of a route, configure an inbound policy on the receiving side.
8. (Optional.) Enable route reflection between clients.
reflect between-clients
By default, route reflection between clients is enabled.
9. (Optional.) Configure the cluster ID for the RR.
reflector cluster-id { cluster-id | ip-address }
By default, the RR uses its own router ID as the cluster ID.
If multiple RRs exist in a cluster, use this command to configure the same cluster ID for all RRs in the cluster to avoid routing loops.
Configuring the CE
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Configure the PE as an IBGP peer.
peer { group-name | ipv6-address [ prefix-length ] } as-number as-number
4. Create the BGP IPv6 unicast family and enter its view.
address-family ipv6 [ unicast ]
5. Enable IPv6 unicast route exchange with the specified peer.
peer { group-name | ipv6-address [ prefix-length ] } enable
By default, BGP does not exchange IPv6 unicast routes with a peer.
6. Configure route redistribution.
import-route protocol [ { process-id | all-processes } [ allow-direct | med med-value | route-policy route-policy-name ] * ]
A CE must redistribute its routes to the PE so the PE can advertise them to the peer CE.
Configuring routing between PEs
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Configure the remote PE as the peer.
peer { group-name | ipv4-address [ mask-length ] } as-number as-number
4. Specify the source interface for TCP connections.
peer { group-name | ipv4-address [ mask-length ] } connect-interface interface-type interface-number
By default, BGP uses the outbound interface of the best route to the BGP peer as the source interface.
5. Create the BGP VPNv6 address family and enter its view.
address-family vpnv6
6. Enable BGP VPNv6 route exchange with the specified peer.
peer { group-name | ipv4-address [ mask-length ] } enable
By default, BGP does not exchange BGP VPNv6 routes with any peer.
Configuring BGP VPNv6 route control
About BGP VPNv6 route control
BGP VPNv6 route control is configured similarly with BGP route control, except that it is configured in BGP VPNv6 address family view. For more information about BGP route control, see Layer 3—IP Routing Configuration Guide.
Controlling BGP VPNv6 route saving
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP VPNv6 address family view.
address-family vpnv6
4. Save all route updates from a peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } keep-all-routes
By default, BGP does not save route updates from a peer.
Specifying a preferred value for BGP VPNv6 routes
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP VPNv6 address family view.
address-family vpnv6
4. Specify a preferred value for routes received from a peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } preferred-value value
The default preferred value is 0.
Setting the maximum number of received routes
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP VPNv6 address family view.
address-family vpnv6
4. Set the maximum number of routes BGP can receive from a peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } route-limit prefix-number [ { alert-only | discard | reconnect reconnect-time } | percentage-value ] *
By default, the number of routes that BGP can receive from a peer or peer group is not limited.
Configuring BGP VPNv6 route reflection
About this task
To ensure the connectivity of IBGP peers, you must establish full-mesh IBGP connections, which costs massive network and CPU resources.
To reduce IBGP connections in the network, you can configure a router as a route reflector (RR) and configure other routers as its clients. You only need to establish IBGP connections between the RR and its clients to enable the RR to forward routes to the clients.
Procedure
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP VPNv6 address family view.
address-family vpnv6
4. Configure the local PE as the RR and specify the peer as the client.
peer { group-name | ipv4-address [ mask-length ] } reflect-client
By default, no RR or client is configured.
5. (Optional.) Enable route reflection between clients.
reflect between-clients
By default, route reflection between clients is enabled.
6. (Optional.) Configure a cluster ID for the RR.
reflector cluster-id { cluster-id | ip-address }
By default, an RR uses its own router ID as the cluster ID.
If multiple RRs exist in a cluster, use this command to configure the same cluster ID for all RRs in the cluster to avoid routing loops.
7. (Optional.) Configure a filtering policy for reflected routes.
rr-filter { ext-comm-list-number | ext-comm-list-name }
By default, an RR does not filter reflected routes.
Only IBGP routes whose extended community attribute matches the specified community list are reflected.
By configuring different filtering policies on RRs, you can implement load balancing among the RRs.
8. (Optional.) Allow the RR to change the attributes of routes to be reflected.
reflect change-path-attribute
By default, RR cannot change the attributes of routes to be reflected.
9. (Optional.) Specify a peer or peer group as a client of the nearby cluster.
peer { group-name | ipv4-address [ mask-length ] } reflect-nearby-group
By default, the nearby cluster does not have any clients.
The RR does not change the next hop of routes reflected to clients in the nearby cluster.
Configuring BGP VPNv6 route attributes
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP VPNv6 address family view.
address-family vpnv6
4. Configure the NEXT_HOP attribute.
¡ Set the device as the next hop for routes sent to a peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } next-hop-local
¡ Configure the device to not change the next hop of routes advertised to a peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } next-hop-invariable
By default, the device uses its address as the next hop of routes advertised to peers.
On an RR in an inter-AS option C scenario, you must configure this command to not change the next hop of VPNv6 routes advertised to BGP peers and RR clients.
5. Configure the AS_PATH attribute.
¡ Allow the local AS number to appear in the AS_PATH attribute of routes received from a peer or peer group and set the maximum number of repetitions.
peer { group-name | ipv4-address [ mask-length ] } allow-as-loop [ number ]
By default, BGP discards route updates that contain the local AS number.
¡ Remove private AS numbers in BGP updates sent to an EBGP peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } public-as-only [ { force | limited } [ replace ] [ include-peer-as ] ]
By default, BGP updates sent to an EBGP peer or peer group can carry both public and private AS numbers.
For more information about this command, see BGP commands in Layer 3—IP Routing Command Reference.
6. Advertise the COMMUNITY attribute to a peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } advertise-community
By default, BGP does not advertise the COMMUNITY attribute to any peers or peer groups.
7. Advertise the Large community attribute to a peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } advertise-large-community
By default, BGP does not advertise the Large community attribute to any peers or peer groups.
8. Configure the SoO attribute for a peer for peer group.
peer { group-name | ipv4-address [ mask-length ] } soo site-of-origin
By default, the SoO attribute is not configured.
9. Configure BGP to add the link bandwidth attribute to routes received from an EBGP peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } bandwidth
By default, BGP does not add the link bandwidth attribute to routes received from an EBGP peer or peer group.
10. Configure BGP to carry the user group ID in BGP routes sent to a peer or peer group.
peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } advertise user-group-id
By default, BGP does not carry the user group ID in BGP routes sent to a peer or peer group.
Configuring BGP VPNv6 route filtering
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP VPNv6 address family view.
address-family vpnv6
4. Filter advertised routes.
filter-policy { ipv6-acl-number | name ipv6-acl-name | prefix-list ipv6-prefix-name } export [ protocol process-id ]
By default, BGP does not filter advertised routes.
5. Filter received routes.
filter-policy { ipv6-acl-number | name ipv6-acl-name | prefix-list ipv6-prefix-name } import
By default, BGP does not filter received routes.
6. Configure AS_PATH list-based route filtering for a peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } as-path-acl as-path-acl-number { export | import }
By default, AS_PATH list-based route filtering is not configured.
7. Configure ACL-based route filtering for a peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } filter-policy { ipv6-acl-number | name ipv6-acl-name } { export | import }
By default, ACL-based route filtering is not configured.
8. Configure IPv6 prefix list-based route filtering for a peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } prefix-list ipv6-prefix-name { export | import }
By default, IPv6 prefix list-based route filtering is not configured.
9. Apply a routing policy to routes advertised to or received from a peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } route-policy route-policy-name { export | import }
By default, no routing policy is applied.
10. Enable route target filtering for received BGP VPNv6 routes.
policy vpn-target
By default, route target filtering is enabled for received VPNv6 routes. Only VPNv6 routes whose export route target attribute matches the local import route target attribute are added to the routing table.
Configuring BGP VPNv6 route dampening
About this task
This feature enables BGP to not select unstable routes as optimal routes.
Restrictions and guidelines
If a BGP peer goes down after you configure this feature, VPNv6 routes coming from the peer are dampened but not deleted.
Procedure
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP VPNv6 address family view.
address-family vpnv6
4. Configure BGP VPNv6 route dampening.
¡ Configure EBGP route dampening.
dampening [ half-life-reachable half-life-unreachable reuse suppress ceiling | route-policy route-policy-name ] *
For more information about this command, see BGP commands in Layer 3—IP Routing Command Reference.
¡ Configure IBGP route dampening.
dampening ibgp[ half-life-reachable half-life-unreachable reuse suppress ceiling | route-policy route-policy-name ] *
By default, BGP VPNv6 route dampening is not configured.
Configuring BGP VPNv6 optimal route selection delay
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP VPNv6 address family view.
address-family vpnv6
4. Set the BGP VPNv6 optimal route selection delay timer.
route-select delay delay-value
By default, the BGP VPNv6 optimal route selection delay timer is 0 seconds, which means optimal route selection is not delayed.
Setting the delay time for responding to BGP VPNv6 recursive next hop changes
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP VPNv6 address family view.
address-family vpnv6
4. Set the delay time for responding to recursive next hop changes.
nexthop recursive-lookup [ non-critical-event ] delay [ delay-value ]
By default, BGP responds to recursive next hop changes immediately.
For more information about this command, see BGP commands in Layer 3—IP Routing Command Reference.
Configuring BGP VPNv6 routes to use private network next hops
About this task
By default, the device does not change the next hop attribute of a received BGP VPNv6 route. The next hop address of a BGP VPNv6 route is a public address. This feature changes the next hop of a BGP VPNv6 route received from a peer or peer group to an IP address in the VPN instance. The outgoing label of the VPNv6 route is also changed to an invalid value. For example, the device received a VPNv6 route and its next hop address is 10.1.1.1, which is a public address by default. After this feature is configured, the next hop address changes to private address 10.1.1.1.
Restrictions and guidelines
After you configure this feature, the following applies:
· The device re-establishes the BGP sessions to the specified peer or to all peers in the specified peer group.
· The device receives a BGP VPNv6 route only when its RD is the same as a local RD.
· When advertising a BGP VPNv6 route received from the specified peer or peer group, the device does not change the route target attribute of the route.
· If you delete a VPN instance or its RD, BGP VPNv6 routes received from the specified peer or peer group and in the VPN instance will be deleted.
Procedure
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP VPNv6 address family view.
address-family vpnv6
4. Change the next hop of a BGP VPNv6 route received from a peer or peer group to a VPN instance address.
peer { group-name | ipv4-address [ mask-length ] } next-hop-vpn
By default, the device does not change the next hop attribute of a received BGP VPNv6 route, and the next hop belongs to the public network.
Changing the BGP VPNv6 route selection rules
About this task
For the priority of the settings configured by this feature in BGP route selection, see BGP overview in Layer 3—IP Routing Configuration Guide.
Preferring routes learned from a peer or peer group during optimal route selection
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP VPNv6 address family view.
address-family vpnv6
4. Prefer routes learned from the specified peer or peer group during optimal route selection.
peer { group-name | ipv4-address [ mask-length ] } high-priority [ preferred ]
By default, routes learned from a peer or peer group do not take precedence over routes learned from other peers or peer groups.
This command takes effect only on BGP routes that are learned in the current address family, and it does not take effect on BGP routes that are added to other BGP routing tables.
Preferring routes with the specified type of next hop addresses during optimal route selection
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP VPNv6 address family view.
address-family vpnv6
4. Prefer routes with the specified type of next hop addresses during optimal route selection.
bestroute nexthop-priority { ipv4 | ipv6 } [ preferred ]
By default, BGP prefers routes with IPv4 next hop addresses.
If you execute this command multiple times, the most recent configuration takes effect.
Advertising BGP RPKI validation state to a peer or peer group
Restrictions and guidelines
BGP advertises the BGP RPKI validation state to a peer or peer group through the extended community attribute. For more information about BGP RPKI, see BGP configuration in Layer 3—IP Routing Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP VPNv6 address family view.
address-family vpnv6
4. Advertise the BGP RPKI validation state to the specified peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } advertise origin-as-validation
By default, BGP does not advertise the BGP RPKI validation state.
Configuring inter-AS IPv6 VPN
Configuring inter-AS IPv6 VPN option A
Inter-AS IPv6 VPN option A applies to scenarios where the number of VPNs and that of VPN routes on the PEs are relatively small.
To configure inter-AS IPv6 option A, perform the following tasks:
· Configure basic IPv6 MPLS L3VPN on each AS.
· Configure VPN instances on both PEs and ASBRs. The VPN instances on PEs allow CEs to access the network, and those on ASBRs are for access of the peer ASBRs.
In the inter-AS IPv6 VPN option A solution, for the same IPv6 VPN, the route targets configured on the PEs must match those configured on the ASBRs in the same AS. This makes sure VPN routes sent by the PEs (or ASBRs) can be received by the ASBRs (or PEs). Route targets configured on the PEs in different ASs do not have such requirements.
Configuring inter-AS IPv6 VPN option B
Restrictions and guidelines
An ASBR always uses its address as the next hop of VPNv6 routes advertised to an MP-IBGP peer regardless of the configuration of the peer next-hop-local command.
Configuring a PE
Configure basic IPv6 MPLS L3VPN, and specify the ASBR in the same AS as an MP-IBGP peer. The route targets for the VPN instances on the PEs in different ASs must match for the same IPv6 VPN.
Configuring an ASBR
1. Enter system view.
system-view
2. Enable MPLS and LDP on the interface connected to an internal router of the AS:
a. Configure an LSR ID for the local LSR.
mpls lsr-id lsr-id
By default, no LSR ID is configured.
b. Enable LDP on the local LSR and enter LDP view.
mpls ldp
By default, LDP is disabled.
c. Return to system view.
quit
d. Enter interface view of the interface connected to an internal router of the AS.
interface interface-type interface-number
e. Enable MPLS on the interface.
mpls enable
By default, MPLS is disabled on the interface.
f. Enable MPLS LDP on the interface.
mpls ldp enable
By default, MPLS LDP is disabled on the interface.
g. Return to system view.
quit
3. Enable MPLS on the interface connected to the remote ASBR:
a. Enter interface view of the interface connected to the remote ASBR.
interface interface-type interface-number
b. Enable MPLS on the interface.
mpls enable
By default, MPLS is disabled on the interface.
c. Return to system view.
quit
4. Enter BGP instance view.
bgp as-number [ instance instance-name ]
5. Configure PEs in the same AS as IBGP peers and ASBRs in different ASs as EBGP peers.
peer { group-name | ipv4-address [ mask-length ] } as-number as-number
6. Enter BGP VPNv6 address family view.
address-family vpnv6
7. Enable BGP to exchange VPNv6 routes with the PE in the same AS and the ASBR in another AS.
peer { group-name | ipv4-address [ mask-length ] } enable
By default, BGP cannot exchange VPNv6 routing information with a peer.
8. Disable route target filtering of received VPNv6 routes.
undo policy vpn-target
By default, route target filtering is enabled for received VPNv6 routes.
Configuring inter-AS IPv6 VPN option C (method 1)
Prerequisites
Before you configure inter-AS option C, perform the following tasks:
· Configure BGP on the PE or ASBR to advertise the route to the PE. For more information, see BGP configuration in Layer 3—IP Routing Configuration Guide.
· Configure a VPN instance on the PE.
· Configure routing between the PE and CE.
Configuring a PE
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Configure the ASBR in the same AS as an IBGP peer and the PE in another AS as an EBGP peer
peer { group-name | ipv4-address [ mask-length ] } as-number as-number
4. Enter BGP IPv4 unicast address family view.
address-family ipv4 [ unicast ]
5. Enable BGP to exchange BGP IPv4 unicast routes with the ASBR in the same AS.
peer { group-name | ipv4-address [ mask-length ] } enable
By default, the PE does not exchange BGP IPv4 unicast routes with any peer.
6. Enable BGP to exchange labeled routes with the ASBR in the same AS.
peer { group-name | ipv4-address [ mask-length ] } label-route-capability
By default, the PE does not advertise labeled routes to any IPv4 peer or peer group.
7. Return to BGP instance view.
quit
8. Enter BGP VPNv6 address family view.
address-family vpnv6
9. Enable BGP to exchange BGP VPNv6 routing information with the EBGP peer.
peer ipv4-address [ mask-length ] enable
By default, the PE does not exchange labeled routes with an IPv4 peer.
10. (Optional.) Configure the PE to not change the next hop of routes advertised to the peer.
peer { group-name | ipv4-address [ mask-length ] } next-hop-invariable
By default, the device uses its address as the next hop of routes advertised to peers.
Execute this command on the RR so the RR does not change the next hop of advertised VPNv6 routes.
Configuring an ASBR-PE
1. Enter system view.
system-view
2. Configure a routing policy:
a. Create a routing policy, and enter routing policy view.
route-policy route-policy-name { deny | permit } node node-number
b. Match IPv4 routes carrying labels.
if-match mpls-label
By default, no MPLS label match criterion is configured.
You can configure if-match clauses in the routing policy to filter routes. Routes surviving the filtering are assigned labels, and all others are advertised as common IPv4 routes.
c. Set labels for IPv4 routes.
apply mpls-label
By default, no MPLS label is set for IPv4 routes.
d. Return to system view.
quit
3. Enable MPLS and LDP on the interface connected to an internal router of the AS:
a. Configure an LSR ID for the local LSR.
mpls lsr-id lsr-id
By default, no LSR ID is configured.
By default, no LSR
b. Enable LDP for the local LSR and enter LDP view.
mpls ldp
By default, LDP is disabled.
c. Return to system view.
quit
d. Enter interface view of the interface connected to an internal router of the AS.
interface interface-type interface-number
e. Enable MPLS on the interface.
mpls enable
By default, MPLS is disabled on the interface.
f. Enable MPLS LDP on the interface.
mpls ldp enable
By default, MPLS LDP is disabled on the interface.
g. Return to system view.
quit
4. Enable MPLS on the interface connected to the remote ASBR:
a. Enter interface view of the interface connected to the remote ASBR.
interface interface-type interface-number
b. Enable MPLS on the interface.
mpls enable
By default, MPLS is disabled on the interface.
c. Return to system view.
quit
5. Enter BGP instance view.
bgp as-number [ instance instance-name ]
6. Configure the PE in the same AS as an IBGP peer and the ASBR in another AS as an EBGP peer.
peer { group-name | ipv4-address [ mask-length ] } as-number as-number
7. Create the BGP IPv4 unicast address family and enter its view.
address-family ipv4 [ unicast ]
8. Enable IPv4 unicast route exchange with the PE in the same AS and the ASBR in another AS.
peer { group-name | ipv4-address [ mask-length ] } enable
By default, BGP cannot exchange IPv4 unicast routes with any peer.
9. Enable labeled IPv4 route exchange with the PE in the same AS and the ASBR in another AS.
peer { group-name | ipv4-address [ mask-length ] } label-route-capability
By default, BGP cannot exchange labeled IPv4 routes with any peer.
10. Configure the ASBR to set itself as the next hop of routes advertised to the PE in the local AS.
peer { group-name | ipv4-address [ mask-length ] } next-hop-local
By default, BGP does not use its address as the next hop of routes.
11. Apply a routing policy to routes incoming from or outgoing to a peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } route-policy route-policy-name { export | import }
By default, no routing policy is applied.
Configuring inter-AS IPv6 VPN option C (method 2)
Prerequisites
Before you configure inter-AS option C (method 2), perform the following tasks:
· Configure BGP on the PE or ASBR to advertise the route to the PE. For more information, see BGP configuration in Layer 3—IP Routing Configuration Guide.
· Configure a VPN instance on the PE.
· Configure routing between the PE and CE.
Configuring a PE
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Configure the PE in another AS as an EBGP peer.
peer { group-name | ipv4-address [ mask-length ] } as-number as-number
4. Enter BGP VPNv6 address family view.
address-family vpnv6
5. Enable BGP to exchange BGP VPNv6 routing information with the EBGP peer.
peer ipv4-address [ mask-length ] enable
By default, the PE does not exchange VPNv6 routes with a peer.
6. (Optional.) Configure the PE to not change the next hop of routes advertised to the peer.
peer { group-name | ipv4-address [ mask-length ] } next-hop-invariable
By default, the device uses its address as the next hop of routes advertised to peers.
Execute this command on the RR so the RR does not change the next hop of advertised VPNv6 routes.
Configuring an ASBR-PE
1. Enter system view.
system-view
2. Configure a routing policy:
a. Create a routing policy, and enter routing policy view.
route-policy route-policy-name { deny | permit } node node-number
b. Match IPv4 routes carrying labels.
if-match mpls-label
By default, no MPLS label match criterion is configured.
You can configure if-match clauses in the routing policy to filter routes. Routes surviving the filtering are assigned labels, and all others are advertised as common IPv4 routes.
c. Set labels for IPv4 routes.
apply mpls-label
By default, no MPLS label is set for IPv4 routes.
d. Return to system view.
quit
3. Enable MPLS and LDP on the interface connected to an internal router of the AS:
a. Configure an LSR ID for the local LSR.
mpls lsr-id lsr-id
By default, no LSR ID is configured.
b. Enable LDP for the local LSR and enter LDP view.
mpls ldp
By default, LDP is disabled.
c. Return to system view.
quit
d. Enter interface view of the interface connected to an internal router of the AS.
interface interface-type interface-number
e. Enable MPLS on the interface.
mpls enable
By default, MPLS is disabled on the interface.
f. Enable MPLS LDP on the interface.
mpls ldp enable
By default, MPLS LDP is disabled on the interface.
g. Return to system view.
quit
4. Enable MPLS on the interface connected to the remote ASBR:
a. Enter interface view of the interface connected to the remote ASBR.
interface interface-type interface-number
b. Enable MPLS on the interface.
mpls enable
By default, MPLS is disabled on the interface.
c. Return to system view.
quit
5. Enter BGP instance view.
bgp as-number [ instance instance-name ]
6. Configure the ASBR in another AS as an EBGP peer.
peer { group-name | ipv4-address [ mask-length ] } as-number as-number
7. Create the BGP IPv4 unicast address family and enter its view.
address-family ipv4 [ unicast ]
8. Enable IPv4 unicast route exchange with the ASBR in another AS.
peer { group-name | ipv4-address [ mask-length ] } enable
By default, BGP cannot exchange IPv4 unicast routes with a peer.
9. Enable labeled IPv4 route exchange with the ASBR in another AS.
peer { group-name | ipv4-address [ mask-length ] } label-route-capability
By default, BGP cannot exchange labeled IPv4 routes with a peer.
10. Configure the ASBR to set itself as the next hop of routes advertised to the PE in the local AS.
peer { group-name | ipv4-address [ mask-length ] } next-hop-local
By default, BGP does not use its address as the next hop of routes advertised to IBGP peers and peer groups.
11. Apply a routing policy to routes incoming from or outgoing to a peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } route-policy route-policy-name { export | import }
By default, no routing policy is applied.
Configuring HoVPN
Configuring the UPE
Configure basic MPLS L3VPN settings on the UPE.
Configuring the SPE
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Specify a BGP peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } as-number as-number
4. Enter BGP VPNv6 address family view.
address-family vpnv6
5. Enable BGP VPNv4 route exchange with the peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } enable
By default, BGP does not exchange VPNv4 routes with any peer.
6. Specify the BGP peer or peer group as a UPE.
peer { group-name | ipv4-address [ mask-length ] } upe
By default, no peer is a UPE.
7. Advertise routes to the UPE.
¡ Advertise a default VPN route to the UPE.
peer { group-name | ipv4-address [ mask-length ] } default-route-advertise vpn-instance vpn-instance-name
The device advertises a default route using the local address as the next hop to the UPE, regardless of whether the default route exists in the local routing table.
¡ Advertise routes permitted by a routing policy to the UPE.
peer { group-name | ipv4-address [ mask-length ] } upe route-policy route-policy-name export
By default, no route is advertised to the UPE.
Do not execute both commands.
8. Return to BGP instance view.
quit
9. Create a BGP-VPN instance and enter BGP-VPN instance view.
ip vpn-instance vpn-instance-name
You do not need to associate the VPN instance to an interface on the SPE.
This step adds the learned VPNv4 routes to the BGP routing table of the VPN instance.
Configuring route re-origination
About this task
In an HoVPN network, different UPEs communicate with each other through MPEs and SPEs. You can configure route re-origination on MPEs to reduce the number of private network labels that a UPE receives for VPNv6 routes.
As shown in Figure 3, if a network contains many UPEs that use the per-VPN-instance label allocation mode, and the MPEs in the network use the per-next-hop label allocation mode, the SPE will receive a large number of labels, which might cause traffic forwarding errors.
To resolve this issue, you can configure route re-origination on MPEs. The MPEs then can redistribute the BGP routes received from UPEs into local VPN instances and reoriginate these routes. The MPEs can modify the information of the reoriginated routes. After setting the per-VPN instance label allocation mode, the MPEs only need to allocate the number of VPN labels equal to the number of local VPN instances, regardless of the number of UPEs. The SPE only needs to receive the VPN labels allocated by the MPEs, significantly reducing the resource load on the SPE.
Restrictions and guidelines
This feature can reoriginate the BGP routes that are imported into a local VPN instance and have a different RD from that of the local VPN instance. It cannot reoriginate the BGP routes that are received from remote peers and have the same RD as that of the local VPN instance.
Procedure
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP-VPN instance view.
ip vpn-instance vpn-instance-name
4. Enter BGP-VPN IPv6 unicast address family view.
address-family ipv6 [ unicast ]
5. Configure the device to re-originate the optimal routes in the VPN instance and advertise the re-originated routes to VPNv6 peers.
advertise route-reoriginate [ route-policy route-policy-name ] [ replace-rt ]
By default, the device does not re-originate the optimal routes in a VPN instance, and it sends the original VPNv6 routes to VPNv6 peers.
Configuring IPv6 MPLS L3VPN FRR
About IPv6 MPLS L3VPN FRR
You can use the following methods to configure IPv6 MPLS L3VPN FRR:
· Method 1—Execute the pic command in BGP-VPN IPv6 unicast address family view or BGP VPNv6 address family view. The device calculates a backup next hop for each BGP route in the VPN instance if there are two or more unequal-cost routes to reach the destination.
· Method 2—Execute the fast-reroute route-policy command in BGP-VPN IPv6 unicast address family view to use a routing policy. In the routing policy, specify a backup next hop by using the apply fast-reroute backup-nexthop command. The backup next hop calculated by the device must be the same as the specified backup next hop. Otherwise, the device does not generate a backup next hop for the primary route. You can also configure if-match clauses in the routing policy to identify the routes protected by FRR.
If both methods are configured, Method 2 takes precedence over Method 1.
Restrictions and guidelines
Executing the pic command in BGP-VPN IPv6 unicast address family view or BGP VPNv6 address family view might cause routing loops. Use it with caution.
Configuring FRR by using a routing policy
1. Enter system view.
system-view
2. Configure BFD.
¡ Enable MPLS BFD.
mpls bfd enable
By default, MPLS BFD is disabled.
The mpls bfd enable command applies to VPNv6 route backup for a VPNv6 route and IPv6 route backup for a VPNv6 route.
For more information about this command, see MPLS Command Reference.
¡ Configure the source IP address for BFD echo packets.
bfd echo-source-ip ip-address
By default, the source IP address for BFD echo packets is not configured.
This command is required when echo-mode BFD is used to detect primary route connectivity in VPNv6 route backup for an IPv6 route. For more information about this command, see High Availability Command Reference.
3. Use BFD to test the connectivity of an LSP or MPLS TE tunnel.
¡ Configure BFD to test the connectivity of the LSP for the specified FEC.
mpls tunnel-bfd dest-addr mask-length [ discriminator local local-id remote remote-id [ bgp-lsp | isis-srlsp | ldp-lsp | ospf-srlsp | static-lsp ] | echo | nil-fec | ldp-fec ] [ template template-name ]
¡ Execute the following commands in sequence to configure BFD to test the connectivity of the MPLS TE tunnel for the tunnel interface:
interface tunnel number mode mpls-te
mpls tunnel-bfd [ discriminator local local-id remote remote-id | echo | reverse-lsp binding-sid label label-value ] [ template template-name ]
quit
By default, BFD is not configured to test the connectivity of the LSP or MPLS TE tunnel.
This step is required for VPNv6 route backup for a VPNv6 route and IPv6 route backup for a VPNv6 route.
For more information about the commands in this step, see MPLS Command Reference.
4. Configure a routing policy:
a. Create a routing policy and enter routing policy view.
route-policy route-policy-name permit node node-number
b. Set the backup next hop for FRR.
apply ipv6 fast-reroute backup-nexthop ipv6-address
By default, no backup next hop address is set for FRR.
c. Return to system view.
quit
For more information about the commands, see Layer 3—IP Routing Command Reference
5. Enter BGP instance view.
bgp as-number [ instance instance-name ]
6. (Optional.) Use echo-mode BFD to detect the connectivity to the next hop of the primary route.
primary-path-detect bfd echo
By default, ARP is used to detect the connectivity to the next hop.
Use this command if necessary in VPNv6 route backup an IPv6 route.
For more information about this command, see Layer 3—IP Routing Command Reference.
7. Enter BGP-VPN instance view.
ip vpn-instance vpn-instance-name
8. Enter BGP-VPN IPv6 unicast address family view.
address-family ipv6 [ unicast ]
9. Apply a routing policy to FRR.
fast-reroute route-policy route-policy-name
By default, no routing policy is applied to FRR.
The apply ipv6 fast-reroute backup-nexthop command can take effect in the routing policy that is being used. Other apply commands do not take effect.
For more information about the command, see BGP commands in Layer 3—IP Routing Command Reference.
Enabling MPLS L3VPN FRR for BGP-VPN IPv6 unicast address family or BGP VPNv6 address family
1. Enter system view.
system-view
2. Configure BFD.
¡ Enable MPLS BFD.
mpls bfd enable
By default, MPLS BFD is disabled.
This command applies to VPNv6 route backup for a VPNv6 route and IPv6 route backup for a VPNv6 route. For more information about this command, see MPLS OAM commands in MPLS Command Reference.
¡ Configure the source IP address for BFD echo packets.
bfd echo-source-ip ip-address
By default, the source IP address for BFD echo packets is not configured.
This command is required when echo-mode BFD is used to detect primary route connectivity in VPNv6 route backup for an IPv6 route. For more information about this command, see BFD commands in High Availability Command Reference.
3. Use BFD to test the connectivity of an LSP or MPLS TE tunnel.
¡ Use BFD to test the connectivity of the LSP for the specified FEC.
mpls tunnel-bfd dest-addr mask-length [ discriminator local local-id remote remote-id [ bgp-lsp | isis-srlsp | ldp-lsp | ospf-srlsp | static-lsp ] | echo | nil-fec | ldp-fec ] [ template template-name ]
¡ Execute the following commands in sequence to configure BFD to test the connectivity of the MPLS TE tunnel for the tunnel interface:
interface tunnel number mode mpls-te
mpls tunnel-bfd [ discriminator local local-id remote remote-id | echo | reverse-lsp binding-sid label label-value ] [ template template-name ]
quit
By default, BFD is not used to test the connectivity of the LSP or MPLS TE tunnel.
This command applies to VPNv6 route backup for a VPNv6 route and IPv6 route backup for a VPNv6 route.
For more information about the commands, see MPLS OAM commands in MPLS Command Reference.
4. Enter BGP instance view.
bgp as-number [ instance instance-name ]
5. (Optional.) Use echo-mode BFD to detect the connectivity to the next hop of the primary route.
primary-path-detect bfd echo
By default, ARP is used to detect the connectivity to the next hop.
Use this command if necessary in VPNv6 route backup an IPv6 route.
For more information about this command, see BGP commands in Layer 3—IP Routing Command Reference.
6. Enter BGP-VPN IPv6 unicast address family view or BGP VPNv6 address family view.
¡ Enter BGP-VPN IPv6 unicast address family view.
ip vpn-instance vpn-instance-name
address-family ipv6 [ unicast ]
¡ Enter BGP VPNv6 address family view.
address-family vpnv6
7. Enable FRR for the address family.
pic
By default, FRR is disabled.
For more information about this command, see BGP commands in Layer 3—IP Routing Command Reference.
Configuring an OSPFv3 sham link
Prerequisites
Before you configure an OSPFv3 sham link, perform the following tasks:
· Configure basic IPv6 MPLS L3VPN (OSPFv3 is used between PE and CE).
· Configure OSPFv3 in the LAN where customer CEs reside.
Redistributing the loopback interface address
1. Enter system view.
system-view
2. Create a loopback interface and enter loopback interface view.
interface loopback interface-number
3. Associate the loopback interface with a VPN instance.
ip binding vpn-instance vpn-instance-name
By default, the interface is not associated with any VPN instances and belongs to the public network.
4. Configure an IPv6 address for the loopback interface.
See Layer 3—IP Services Configuration Guide.
By default, no IPv6 address is configured for the loopback interface.
5. Enter BGP instance view.
bgp as-number [ instance instance-name ]
6. Enter BGP-VPN instance view.
ip vpn-instance vpn-instance-name
7. Enter BGP-VPN IPv6 unicast address family view.
address-family ipv6 [ unicast ]
8. Redistribute direct routes into BGP (including the loopback interface address).
import-route direct
By default, no direct routes are redistributed into BGP.
Creating a sham link
1. Enter system view.
system-view
2. Enter OSPFv3 view.
ospfv3 [ process-id | vpn-instance vpn-instance-name ] *
3. Enter OSPFv3 area view.
area area-id
4. Configure an OSPFv3 sham link.
sham-link source-ipv6-address destination-ipv6-address [ cost cost-value | dead dead-interval | hello hello-interval | instance instance-id | ipsec-profile profile-name | { hmac-sha-256 | hmac-sm3 } key-id { cipher | plain } string | keychain keychain-name | retransmit retrans-interval | trans-delay delay ] *
Configuring BGP AS number substitution and SoO attribute
About this task
When CEs at different sites have the same AS number, configure the BGP AS number substitution feature to avoid route loss.
When a PE uses different interfaces to connect different CEs in a site, the BGP AS number substitution feature introduces a routing loop. To remove the routing loop, configure the SoO attribute on the PE.
For more information about the BGP AS number substitution feature and the SoO attribute, see BGP configuration in Layer 3—IP Routing Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP-VPN instance view.
ip vpn-instance vpn-instance-name
4. Enable the BGP AS number substitution feature.
peer { group-name | ipv6-address [ prefix-length ] } substitute-as
By default, BGP AS number substitution is disabled.
5. Enter BGP-VPN IPv6 unicast address family view.
address-family ipv6 [ unicast ]
6. (Optional.) Configure the SoO attribute for a BGP peer or peer group.
peer { group-name | ipv6-address [ prefix-length ] } soo site-of-origin
By default, the SoO attribute is not configured.
Configuring the AIGP attribute
About this task
An Accumulated Interior Gateway Protocol (AIGP) administrative domain is a collection of multiple ASs that run the same IGP under one administrative control. Within the domain, BGP accumulates the IGP metrics all along the forwarding path for a route. Then, it uses the accumulated value as the AIGP attribute for the route to implement metric-based route selection.
By default, BGP does not advertise the AIGP attribute to its peers or peer groups. When BGP receives a route carrying the AIGP attribute, it ignores and removes the attribute before advertising the route to other peers or peer groups. Perform this task to enable BGP to advertise the AIGP attribute to its peers or peer groups.
With this feature enabled, a router processes the AIGP attribute in a received route as follows:
· If the router sets itself as the next hop for the route, it adds to the AIGP attribute value the IGP metric from itself to the original next hop and advertises the new AIGP attribute value.
· If the router does not set itself as the next hop for the route, it does not change the AIGP attribute value.
BGP uses the AIGP attribute to select the optimal route as follows:
· A route carrying the AIGP attribute takes precedence over a route not carrying the AIGP attribute.
· A route that has a smaller computed AIGP attribute value has a higher priority.
When the AIGP attribute of a route changes, BGP sends update messages for the route.
Restrictions and guidelines
As a best practice, do not configure the peer aigp command on border routers of an AIGP administrative domain.
When a router receives a route not carrying the AIGP attribute, it does not advertise the AIGP attribute to a peer or peer group if you execute only the peer aigp command. To enable the router to advertise the AIGP attribute, you must execute both the peer aigp and apply aigp commands. For information about the apply aigp command, see the routing policy configuration in Layer 3—IP Routing Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP VPNv6 address family view.
address-family vpnv6
4. Configure BGP to advertise the AIGP attribute to the specified peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } aigp
By default, BGP does not advertise the AIGP attribute to a peer or peer group and ignores the AIGP attributes in routes received from the peer or peer group.
5. (Optional.) Replace the MED value with AIGP value in routes advertised to the specified peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } aigp send med
By default, BGP does not replace the MED value with AIGP value in routes advertised to a peer or peer group.
Use this command to send the AIGP attribute to a peer or peer group that does not support AIGP.
Configuring BGP RT filtering
About this task
The BGP RT filtering feature reduces the number of routes advertised in an MPLS L3VPN.
After RT filtering is configured, a PE advertises its import target attribute to the peer PEs in the RT filter address family. The peer PEs use the received import target attribute to filter routes and advertise only the routes that match the attribute to the PE.
When a large number of IBGP peers exist, the BGP RT filtering and the route reflection features are used together as a best practice. Route reflection reduces the number of IBGP connections. BGP RT filtering reduces the number of routes advertised in the network.
For more information about the BGP RT filtering commands, see Layer 3—IP Routing Command Reference.
Procedure
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP IPv4 RT filter address family view.
address-family ipv4 rtfilter
4. Enable the device to exchange routing information with a peer or peer group.
peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } enable
By default, the device cannot exchange routing information with a peer or peer group.
5. (Optional.) Advertise a default route to a peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } default-route-advertise [ route-policy route-policy-name ]
By default, no default route is advertised.
6. (Optional.) Set the maximum number of routes that can be received from the specified peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } route-limit prefix-number [ { alert-only | discard | reconnect reconnect-time } | percentage-value ] *
By default, no limit is set for the number of routes that can be received from a peer or peer group.
7. (Optional.) Set a preferred value for routes received from a peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } preferred-value value
By default, the preferred value for routes received from a peer or peer group is 0.
8. (Optional.) Prefer routes learned from the specified peer or peer group during optimal route selection.
peer { group-name | ipv4-address [ mask-length ] } high-priority [ preferred ]
By default, routes learned from a peer or peer group do not take precedence over routes learned from other peers or peer groups.
9. (Optional.) Configure the device as a route reflector and specify a peer or peer group as its client.
peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } reflect-client
By default, no route reflector or client is configured.
10. (Optional.) Enable route reflection between clients.
reflect between-clients
By default, route reflection between clients is enabled.
11. (Optional.) Configure the cluster ID of the route reflector.
reflector cluster-id { cluster-id | ipv4-address }
By default, a route reflector uses its own router ID as the cluster ID.
Configuring the BGP additional path feature
About this task
By default, BGP advertises only one optimal route. When the optimal route fails, traffic forwarding will be interrupted until route convergence completes.
The BGP additional path (Add-Path) feature enables BGP to advertise multiple routes with the same prefix and different next hops to a peer or peer group. When the optimal route fails, the suboptimal route becomes the optimal route, shortening the traffic interruption time.
You can enable the BGP additional path sending, receiving, or both sending and receiving capabilities on a BGP router. For two BGP peers to successfully negotiate the additional path capabilities, make sure one end has the sending capability and the other end has the receiving capability.
Procedure
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP VPNv6 address family view.
address-family vpnv6
4. Configure the BGP additional path capabilities.
peer { group-name | ipv4-address [ mask-length ] } additional-paths { receive | send } *
By default, no BGP additional path capabilities are configured.
5. Set the maximum number of Add-Path optimal routes that can be advertised to a peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } advertise additional-paths best number
By default, the maximum number of Add-Path optimal routes that can be advertised to a peer or peer group is 1.
6. Set the maximum total number of Add-Path optimal routes that can be advertised to all peers.
additional-paths select-best best-number
By default, the maximum total number of Add-Path optimal routes that can be advertised to all peers is 1.
Configuring the rule for adding BGP routes to the IP routing table and the route advertisement rule for VPN instances
About this task
Perform this task to configure the following features:
· Route adding rule—For multiple BGP routes to the same destination, BGP adds the optimal route with matching route targets of a VPN instance to the IP routing table of the VPN instance.
After the undo policy vpn-target command is executed, VPNv6 routes without matching route targets of the local VPN instance can be received. If the VPNv6 routes have the same RD as the local VPN instance, these routes can be selected in the BGP VPNv6 routing table as optimal routes. However, routes without matching route targets are invisible and unavailable in the BGP-VPN instance routing table and cannot be added to the routing table of the VPN instance. The BGP-VPN instance routing table uses the same optimal route selection result as the BGP VPNv6 routing table. Therefore, if a route without matching route targets is selected as the only optimal route in the BGP VPNv6 routing table, no optimal route can be added to the BGP-VPN instance routing table. Only the optimal route in the BGP-VPN instance routing table can be added to the VPN instance IP routing table. Therefore, the BGP route without matching route targets cannot be added to the VPN instance IP routing table, so packets destined for the destination address of that route cannot be forwarded.
You can configure this feature to resolve this issue. With this feature configured, for BGP routes to the same destination address, BGP adds the optimal route with the same route targets as a VPN instance to the IP routing table of the VPN instance.
For example, the import target of VPN instance vpna is 10:1. The BGP routing table of VPN instance vpna contains two routes to destination address 3::3, which are 3::3 <RT: 10:1> and 3::3 <RT: 20:1>, and 3::3 <RT: 20:1>is the optimal route. After you configure this feature, BGP will add 3::3 <RT: 10:1> to the IP routing table of VPN instance vpna, because this route has the same import target as the VPN instance.
· Route advertisement rule—When the optimal route to a destination address cannot be advertised to peers, the device advertises the suboptimal route to the destination address from the routes that can be advertised. The device does not advertise any route for a destination address only if no routes to the destination address can be advertised.
The BGP routing table of a VPN instance contains the routes in the IP routing table of the VPN instance, so the routing table of a BGP address family might contain routes that are not learned from that address family. For example, an IP prefix advertisement route learned from the BGP EVPN address family is added to the IP routing table of a VPN instance, and the route also exists in the BGP routing tables of the BGP-VPN IPv6 unicast address family and BGP VPNv6 address family in the VPN instance. BGP cannot advertise the optimal route to peers in an address family if the optimal route is not learned from that address family, making the destination address of the route unreachable.
After you configure this feature, if the optimal route to a destination address cannot be advertised to peers, the device advertises the suboptimal route, and so forth until a route to the destination address is advertised successfully. The device does not advertise any route for a destination address only if no routes to the destination address can be advertised.
For example, the device learns the route with IP prefix 3::3/128 from both the BGP VPNv6 address family and BGP EVPN address family. Therefore, there will be two routes to destination address 3::3/128 in the BGP routing table of the BGP VPNv6 address family, and the one learned from the BGP EVPN address family is the optimal route. However, this optimal route cannot be advertised to BGP VPNv6 peers, because it was learned from the BGP EVPN address family. As a result, network nodes deployed with only BGP VPNv6 cannot obtain the route with IP prefix 3::3/128. After you configure this feature, the device will advertise the route with IP prefix 3::3/128 learned from the BGP VPNv6 address family to BGP VPNv6 peers, although this route is not the optimal route.
Restrictions and guidelines
The bestroute same-rd command takes effect on BGP routes of all VPN instances. Use caution when you execute this command.
Procedure
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Configure BGP to add the optimal routes with the same route targets as a VPN instance to the IP routing table of the VPN instance, and allow BGP to advertise non-optimal routes to its peers.
bestroute same-rd
By default, BGP adds the optimal routes in the BGP routing table to the IP routing table of a VPN instance and advertises only the optimal routes to its peers.
Enabling the VPN Prefix ORF feature
About VPN Prefix ORF
VPN Prefix ORF introduction
By default, in large-scale networks with route reflectors, the BGP VPNv6 routes reflected by the RR usually include the VPN routes from all BGP-VPN instances on the route originating device. The current route limit measures can take effect only on address families. When the number of routes for RR reflection reaches the limit, unwanted BGP-VPN instance routes might occupy most of the receiving end's received routes, resulting in the receiving end not being able to receive the necessary BGP-VPN instance routes.
To resolve this issue, it is required to allow the RR to filter routes based on the BGP-VPN instances of the routes on the originator, implementing router filtering at the granularity of BGP-VPN instances in the BGP VPNv6 address families. Enabling the VPN Prefix Outbound Route Filtering (ORF) feature can resolve the above issue. This feature uses route-refresh messages to send VPN Prefix ORF entries (which contain information for route matching) to peers. Peers will withdraw all previously advertised routes that match the VPN Prefix ORF entries and when sending new routes to the local device, they must filter the routes using both the routing policy on the peer device and the received VPN Prefix ORF entries. Only routes that pass both filters will be sent to the local device. VPN Prefix ORF realizes the advertisement and reception of route control at the BGP-VPN instance granularity. It limits the number of routes at the source of route sending to reduce route exchanges between BGP peers and save network resources.
VPN Prefix ORF operating mechanism
After configuring this feature, the BGP session between the local device and the specified peer/peer group will be disconnected and reestablished for VPN Prefix ORF capability negotiation via Open messages. Negotiation can be successful only if the peer capability-advertise orf vpn-prefix command is configured on both ends of the BGP session. After successful negotiation, the device will be able to parse the route-refresh messages carrying VPN Prefix ORF entries sent by the remote end. A VPN Prefix ORF entry contains a <RD value, source device address> tuple.
|
|
NOTE: If the devices in the BGP session do not support the exchange of route-refresh messages, the VPN Prefix ORF entries will not be successfully sent. Configure the peer capability-advertise route-refresh command on both ends of the BGP session to enable the capability of exchanging route-refresh messages. For more information the peer capability-advertise route-refresh command, see BGP commands in Layer 3—IP Routing Command Reference. |
The VPN Prefix ORF feature uses the following conditions to determine whether to trigger sending VPN Prefix ORF entries:
· The <RD, source device address> tuple used to match VPN routes and the alarm threshold for the matching VPN routes, which are set by using the vpn-prefix-quota command.
· The maximum number of routes supported by a BGP-VPN instance, which is set by using the route-limit command.
After these conditions are set on the device, when the number of IPv4 or IPv6 unicast routes in a BGP-VPN instance exceeds the route limit, and the percentage of the routes that match the tuple in the BGP-VPN instance exceeds the alarm threshold:
1. The device checks if there are other BGP-VPN instances configured with the same tuple.
¡ If yes, go to step 2.
¡ If not, go to step 3.
2. The device checks if the number of routes in these BGP-VPN instances has exceeded the route limit and if the number of routes matching the tuple has exceeded the alarm threshold.
¡ If yes, go to step 3.
¡ If not, the BGP-VPN instance that contains routes exceeding the route limit will continue to receive routes and repeat step 2.
3. The device sends a route-refresh message with VPN Prefix ORF entries to the peer/peer group specified by the peer capability-advertise orf vpn-prefix command.
|
|
TIP: Among the BGP-VPN instances configured with the same tuple, if the number of routes matching the tuple in some BGP-VPN instances has exceeded the alarm threshold, while some BGP-VPN instances have not received any routes matching the tuple, it indicates that these instances cannot receive routes matching the tuple. The device will not consider these BGP-VPN instances when determining whether to trigger sending VPN Prefix ORF entries. |
A VPN Prefix ORF entry contains a <RD value, source device address> tuple. The values of RD and source device address are those specified by using the vpn-prefix-quota command.
After receiving a route-refresh message carrying a VPN Prefix ORF entry from the local device, the specified peer/peer group operates as follows:
· Withdraws all BGP VPNv6 routes that match both the RD and source device address in the VPN Prefix ORF entry. (The route information matching the source device address in the VPN Prefix ORF entry is the next hop attribute of the route.)
· No longer sends BGP VPNv6 routes that match the VPN Prefix ORF entry to the local device.
If the device has previously advertised VPN Prefix ORF entries, the entries will remain effective on the peer to filter route advertisement. You can execute the clear bgp vpn-prefix-orf command to withdraw the previously advertised VPN Prefix ORF entries, so that the peer can re-advertise routes that were withdrawn or filtered due to the VPN Prefix ORF entries.
VPN Prefix ORF networking example
As shown in Figure 4, VPN instances are configured on each PE. The RR reflects routes from PE 1, PE 2, and PE 3 within the same AS. Both PE 1 and PE 2 have successfully negotiated the VPN Prefix ORF capabilities with the RR. PE 1 specifies the tuple as <RD31, PE3> and the alarm threshold as 70% in the BGP-VPN instances corresponding to VPN1 and VPN2 by using the vpn-prefix-quota command. PE 2 specifies the tuple as <RD31, PE3> and the alarm threshold as 70% in the BGP-VPN instance corresponding to VPN1 by using the vpn-prefix-quota command.
Figure 4 VPN Prefix ORF application network diagram
PE 3 advertises routes of VPN1 through BGP VPNv6. When the advertised routes cause BGP-VPN instances on PE 1 and PE 2 to exceed the route limit, VPN Prefix ORF will function on PE 1 and PE 2 as follows:
· On PE 1
The number of routes in the BGP-VPN instance for VPN1 exceeded the limit, and the number of routes matching <RD31, PE3> exceeded 70% of the total routes. However, PE 1 would not send route-refresh messages carrying the VPN Prefix ORF entries because the BGP-VPN instances for VPN2 and VPN1 have the same tuple <RD31, PE3>, and PE 1 could still receive VPN1 routes carrying RT 1 and RT 2 from PE 3 for the BGP-VPN instance corresponding to VPN2. PE 1 will send a route-refresh message carrying a VPN Prefix ORF entry to the RR only when both the BGP-VPN instances for VPN1 and VPN2 have exceeded the route limit and the VPN routes matching the <RD31, PE3> tuple have also exceeded the alarm threshold. The advertised VPN Prefix ORF entry contains the following information: <RD31, min (maximum route count supported by BGP-VPN instance for VPN1, maximum route count supported by BGP-VPN instance for VPN2), PE3 address>.
After receiving the route-refresh message with VPN Prefix ORF entry, the RR will withdraw the advertised routes that meet the following conditions from PE 1 and will no longer advertise the routes that meet the following conditions:
¡ The RD carried by the routes is RD31.
¡ The next hop address of the routes is the address of PE 3.
Figure 5 VPN Prefix ORF taking effect
· On PE 2
When the number of routes in the BGP-VPN instance for VPN1 exceeds the limit, PE 2 will immediately send a route-refresh message carrying a VPN Prefix ORF entry to the RR because no other BGP-VPN instances have specified the same tuple. The advertised VPN Prefix ORF entry contains the following information: <RD31, maximum route count supported by BGP-VPN instance for VPN1, PE3 address>.
After receiving the route-refresh message carrying the VPN Prefix ORF entry, the RR will withdraw the advertised routes that meet the following conditions from PE 2 and will no longer advertise routes that meet the following conditions to PE 2:
¡ The RD carried by the routes is RD31.
¡ The next hop address of the routes is the address of PE 3.
Restrictions and guidelines
In the current software version, only VPN Prefix ORF within the same AS is supported. VPN Prefix ORF across ASs is not supported.
You must configure the route-limit, vpn-prefix-quota route-distinguisher, and peer capability-advertise orf vpn-prefix commands at the same time for VPN Prefix ORF to operate properly.
Procedure
Configuring a VPN instance
1. Enter system view.
system-view
2. Create a VPN instance and enter its view.
ip vpn-instance vpn-instance-name
3. Configure an RD for the VPN instance.
route-distinguisher route-distinguisher
By default, no RD is configured for a VPN instance.
4. Configure route targets for the VPN instance.
vpn-target vpn-target&<1-8> [ both | export-extcommunity | import-extcommunity ]
By default, no route targets are configured for a VPN instance.
Configure the conditions that trigger the VPN Prefix ORF mechanism
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
For more information about this command, see BGP commands in Layer 3—IP Routing Command Reference.
3. Enter BGP-VPN instance view.
ip vpn-instance vpn-instance-name
For more information about this command, see BGP commands in Layer 3—IP Routing Command Reference.
4. Enter BGP-VPN IPv6 unicast address family view.
address-family ipv6 [ unicast ]
For more information about this command, see BGP commands in Layer 3—IP Routing Command Reference.
5. Set the maximum number of routes supported by the BGP-VPN instance.
route-limit limit
By default, no limit is set to the number of routes supported by a BGP-VPN instance.
6. Set the tuple for routing matching and set the alarm threshold for the routes matching the tuple.
vpn-prefix-quota route-distinguisher route-distinguisher source-address { ipv4-address | ipv6-address } quota threshold
By default, no tuple or alarm threshold is set, and no alarm information will be triggered for tuple-matching routes.
Enabling the VPN Prefix ORF feature
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP VPNv6 address family view.
address-family vpnv6
4. Enable negotiating VPN Prefix ORF capabilities with the specified BGP peer or peer group.
peer { group-name | ipv4-address [ mask-length ] } capability-advertise orf vpn-prefix { both | send | receive }
By default, the local end does not negotiate VPN Prefix ORF capabilities with BGP peer/peer group.
5. (Optional.) Withdraw the advertised VPN Prefix ORF entries.
a. Execute the following commands in sequence to return to user view:
quit
quit
quit
b. Withdraw the advertised VPN Prefix ORF entries.
clear bgp [ instance instance-name ] vpn-prefix-orf [ vpn-instance vpn-instance-name | route-distinguisher route-distinguisher source-address { ipv4-address | ipv6-address } ]
Configuring route replication
Configuring the public instance
About this task
Configure the public instance to enable the mutual access between public network and private network users.
Restrictions and guidelines
In an IPv6 MPLS L3VPN network, for the public network and the VPN network to communicate with each other through route target matching, perform the following tasks:
· Configure matching route targets for the public instance and VPN instance.
· Use the route-replicate enable command in BGP instance view to enable mutual BGP route replication between the public and VPN instances.
Procedure
1. Enter system view.
system-view
2. Enter public instance view.
ip public-instance
3. Configure an RD for the public instance.
route-distinguisher route-distinguisher
By default, no RD is configured for the public instance.
4. Configure a route target for the public instance.
vpn-target vpn-target&<1-8> [ both | export-extcommunity | import-extcommunity ]
By default, no route target is configured for the public instance.
5. Enter public instance IPv6 address family view.
address-family ipv6
6. Configure a route target for the IPv6 address family view of the public instance.
vpn-target vpn-target&<1-8> [ both | export-extcommunity | import-extcommunity ]
By default, no route target is configured for the IPv6 address family view of the public instance.
7. Apply an import routing policy to the public instance.
import route-policy route-policy
By default, all routes matching the import target attribute are accepted.
8. Apply an export routing policy to the public instance.
export route-policy route-policy
By default, routes to be advertised are not filtered.
9. (Optional.) Set the maximum number of active route prefixes supported by the public instance. Choose one or more of the following tasks:
¡ Execute the following commands in sequence to set the maximum number of active route prefixes supported by the public instance:
quit
routing-table limit number { warn-threshold | simply-alert }
¡ Set the maximum number of IPv6 route prefixes supported by the public instance.
routing-table limit number { warn-threshold | simply-alert }
By default, no limit is set for the number of active route prefixes supported by the public network instance.
The configuration in public instance IPv6 address family view takes precedence over the configuration in public instance view.
Configuring route replication for public and VPN instances
About this task
In an IPv6 BGP/IPv6 MPLS L3VPN network, only VPN instances that have matching route targets can communicate with each other.
The route replication feature provides the following functions:
· Enables a VPN instance to communicate with the public network or other VPN instances by replicating routes from the public network or other VPN instances.
· Enables the public network to communicate with a VPN instance by replicating routes from the VPN instance.
In an intelligent traffic control network, traffic of different tenants is assigned to different VPNs. To enable the tenants to communicate with the public network, configure this feature to replicate routes from the public network to the VPN instances.
VLINK direct routes are generated based on ND entries learned by interfaces. The route-replicate from vpn-instance protocol direct or route-replicate from public protocol direct command replicates VLINK direct routes, but the VLINK direct routes cannot be added to the IPv6 FIB, causing traffic forwarding failures. To address this issue, you can specify the vlink-direct keyword to replicate VLINK direct routes and add the routes to the IPv6 FIB.
Configuring a VPN instance to replicate routes from the public network or another VPN instance
1. Enter system view.
system-view
2. Enter VPN instance view.
ip vpn-instance vpn-instance-name
3. Enter VPN instance IPv6 address family view.
address-family ipv6
4. Replicate routes from the public network or other VPN instances.
route-replicate from { public | vpn-instance vpn-instance-name } protocol { bgp4+ as-number | direct | static | unr | vlink-direct | { isisv6 | ospfv3 | ripng } process-id } [ advertise ] [ route-policy route-policy-name ]
By default, a VPN instance cannot replicate routes from the public network or other VPN instances.
Replicating routes from a VPN instance to the public network
1. Enter system view.
system-view
2. Enter public instance view.
ip public-instance
3. Enter public instance IPv6 address family view.
address-family ipv6
4. Replicate routes from a VPN instance to the public network.
route-replicate from vpn-instance vpn-instance-name protocol { bgp4+ as-number | direct | static | unr | vlink-direct | { isisv6 | ospfv3 | ripng } process-id } [ advertise ] [ route-policy route-policy-name ]
By default, the public network cannot replicate routes from VPN instances.
Configuring BGP route replication between public and VPN instances
About this task
In traffic cleaning scenarios, traffic between the public and private networks are filtered by firewalls and traffic of different tenants is assigned to different VPNs. To enable the tenants to communicate with the public network under the protection of firewalls, BGP route replication between public and VPN instances is required.
By default, only VPN instances that have matching route targets can redistribute BGP routes from each other, while the public instance and VPN instances cannot. After you configure this feature, the public instance and VPN instances that have matching route targets can replicate BGP routes from each other, enabling communication between the public network and VPN users.
This feature also replicates the BGP route attributes, so that the device can select proper forwarding paths according to the route attributes.
Restrictions and guidelines
After this feature is enabled, the public network and VPNs cannot be isolated. Configure this feature only in specific scenarios, for example, the traffic cleaning scenario.
To use this feature to implement IPv6 route replication between the public instance and a VPN instance, make sure the VPN instance and the BGP IPv6 unicast address family have been created.
Procedure
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enable BGP route replication between public and VPN instances.
route-replicate enable
By default, BGP route replication between public and VPN instances is disabled.
Enabling redistribution of multiple same-prefix routes with the same RD
About this task
Typically, if multiple same-prefix BGP routes have the same RD as a local BGP VPN instance or the BGP public instance, BGP redistributes only the best one of them into the routing table of that BGP VPN instance or the BGP public instance.
To redistribute multiple same-prefix routes with the same RD into a BGP routing table, perform this task.
This feature enables redistribution of multiple active same-prefix BGP routes that have the same RD, as follows:
· If these routes are in the routing table of a BGP VPN instance or the BGP public instance, BGP redistributes them into the BGP VPNv4, VPNv6, or EVPN routing table, regardless of their route priorities.
· If these routes are in the BGP VPNv4, VPNv6, or EVPN routing table, BGP redistributes them into the BGP VPN instance or the BGP public instance when the following conditions are met, regardless of their route priorities:
¡ The routes have the same RD as the VPN or public instance.
¡ The routes match the import RTs of the VPN or public instance.
Restrictions and guidelines
When enabled in BGP instance view, this feature applies to redistribution of routes from a BGP VPN instance or the BGP public instance into the BGP VPNv4, VPNv6, or EVPN routing table, and vice versa.
When enabled in the view of an address family, this feature takes effect only on redistribution of routes into the BGP routing table for that address family.
Procedure
1. Enter system view.
system-view
2. Enter a BGP address family view.
¡ Enter BGP instance view.
bgp as-number [ instance instance-name ]
¡ Execute the following commands in sequence to enter BGP IPv6 unicast address family view:
bgp as-number [ instance instance-name ]
address-family ipv6 [ unicast ]
¡ Execute the following commands in sequence to enter BGP-VPN IPv6 unicast address family view:
bgp as-number [ instance instance-name ]
ip vpn-instance vpn-instance-name
address-family ipv6 [ unicast ]
¡ Execute the following commands in sequence to enter BGP VPNv6 address family view:
bgp as-number [ instance instance-name ]
address-family vpnv6
3. Enable redistribution of multiple same-prefix routes with the same RD.
vpn-route cross multipath
By default, redistribution of multiple same-prefix routes with the same RD is disabled.
Enabling prioritized withdrawal of specific routes
About this task
This feature enables BGP to send the withdrawal messages of specific routes prior to other routes. This can achieve fast switchover of traffic on the specified routes to available routes to reduce the traffic interruption time.
Procedure
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP VPNv6 address family view.
address-family vpnv6
4. Enable prioritized withdrawal of the routes that match the specified routing policy.
update-first route-policy route-policy-name
By default, BGP does not send the withdrawal messages of specific routes prior to other routes.
Enabling logging for BGP route flapping
About this task
This feature enables BGP to generate logs for BGP route flappings that trigger log generation. The generated logs are sent to the information center. For the logs to be output correctly, you must also configure information center on the device. For more information about the information center, see Network Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter BGP instance view.
bgp as-number [ instance instance-name ]
3. Enter BGP VPNv6 address family view.
address-family vpnv6
4. Enable logging for BGP route flapping.
log-route-flap monitor-time monitor-count [ log-count-limit | route-policy route-policy-name ] *
By default, logging for BGP route flapping is disabled.
Display and maintenance commands for IPv6 MPLS L3VPN
Resetting BGP connections
You can soft-reset or reset BGP sessions to apply new BGP configurations. A soft reset operation updates BGP routing information without tearing down BGP connections. A reset operation updates BGP routing information by tearing down, and then re-establishing BGP connections. Soft reset requires that BGP peers have route refresh capability.
Execute the following commands in user view to soft reset or reset BGP connections:
|
Task |
Command |
|
Manually soft reset BGP sessions for VPNv6 address family. |
refresh bgp [ instance instance-name ] { ipv4-address [ mask-length ] | all | external | group group-name | internal } { export | import } vpnv6 |
|
Reset BGP sessions for VPNv6 address family. |
reset bgp [ instance instance-name ] { as-number | ipv4-address [ mask-length ] | all | external | internal | group group-name } vpnv6 |
For more information about the refresh bgp vpnv6 and reset bgp vpnv6 commands, see Layer 3—IP Routing Command Reference.
Displaying and maintaining IPv6 MPLS L3VPN information
Execute the display commands in any view and reset commands in user view to display and maintain IPv6 MPLS L3VPN:
|
Task |
Command |
|
Display BGP VPNv6 peer group information. |
display bgp [ instance instance-name ] group vpnv6 [ group-name group-name ] |
|
Display BGP VPNv6 peer information. |
display bgp [ instance instance-name ] peer vpnv6 [ ipv4-address mask-length | { ipv4-address | group-name group-name } log-info | [ ipv4-address ] verbose ] |
|
Display BGP VPNv6 routes. |
display bgp [ instance instance-name ] routing-table vpnv6 [ [ route-distinguisher route-distinguisher ] [ ipv6-address prefix-length [ advertise-info ] | as-path-acl as-path-acl-number | as-path-regular-expression regular-expression | [ statistics ] { community [ community-number&<1-32> | aa:nn&<1-32> ] [ internet | no-advertise | no-export | no-export-subconfed ] [ whole-match ] | community-list { { basic-community-list-number | comm-list-name } [ whole-match ] | adv-community-list-number } ] | peer { ipv4-address | ipv6-address } { advertised-routes | received-routes } [ ipv6-address prefix-length [ verbose ] | statistics ] | statistics ] display bgp [ instance instance-name ] routing-table vpnv6 [ route-distinguisher route-distinguisher ] [ ipv6-address prefix-length ] [ statistics ] { large-community [ aa:bb:cc&<1-32> ] | large-community-list { basic-large-comm-list-number | adv-large-comm-list-number | large-comm-list-name } } [ whole-match ] display bgp [ instance instance-name ] routing-table vpnv6 [ route-distinguisher route-distinguisher ] [ ipv6-address prefix-length ] statistics source { evpn-remote-import | local | local-import | remote-import } display bgp [ instance instance-name ] routing-table vpnv6 [ same-rd-selected ] display bgp [ instance instance-name ] routing-table vpnv6 peer { ipv4-address | ipv6-address } { accepted-routes | not-accepted-routes } display bgp [ instance instance-name ] routing-table vpnv6 [ route-distinguisher route-distinguisher ] time-range min-time max-time |
|
Display BGP VPNv6 route dampening parameters. |
display bgp [ instance instance-name ] dampening parameter vpnv6 |
|
Display information about dampened BGP VPNv6 routes. |
display bgp [ instance instance-name ] routing-table dampened vpnv6 |
|
Display BGP VPNv6 route flapping information. |
display bgp [ instance instance-name ] routing-table flap-info vpnv6 [ ipv6-address prefix-length | as-path-acl { as-path-acl-number | as-path-acl-name } ] |
|
Display BGP VPNv6 route source information. |
display bgp [ instance instance-name ] routing-table vpnv6 source-type |
|
Display incoming labels for all BGP VPNv6 routes. |
display bgp [ instance instance-name ] routing-table vpnv6 inlabel |
|
Display outgoing labels for all BGP VPNv6 routes. |
display bgp [ instance instance-name ] routing-table vpnv6 outlabel |
|
Display BGP VPNv6 address family update group information. |
display bgp [ instance instance-name ] update-group vpnv6 [ ipv4-address ] |
|
Display BGP peer and routing summary information. |
display bgp [ instance instance-name ] vpnv6 summary |
|
Display route targets sourcing from a VPN instance. |
display bgp [ instance instance-name ] route-target l3vpn [ ipv6 ] [ vpn-instance vpn-instance-name ] |
|
Display received and advertised VPN Prefix ORF entries. |
display bgp [ instance instance-name ] vpn-prefix-orf [ route-distinguisher route-distinguisher source-address { ipv4-address | ipv6-address } ] evpn |
|
Display information about a specified VPN instance or all VPN instances. |
display ip vpn-instance [ instance-name vpn-instance-name | count ] |
|
Display IPv6 FIB information for a VPN instance. |
display ipv6 fib vpn-instance vpn-instance-name [ ipv6-address [ prefix-length ] ] |
|
Display the IPv6 routing table for a VPN instance. |
display ipv6 routing-table vpn-instance vpn-instance-name [ verbose ] |
|
Display OSPFv3 sham link information. |
display ospfv3 [ process-id ] [ area area-id ] sham-link [ verbose ] |
|
Clear BGP VPNv6 route dampening information and release dampened routes. |
reset bgp [ instance instance-name ] dampening vpnv6 [ ipv6-address prefix-length ] |
|
Clear BGP VPNv6 route flapping statistics. |
reset bgp [ instance instance-name ] flap-info vpnv6 [ ipv6-address prefix-length | as-path-acl { as-path-acl-number | as-path-acl-name } | peer [ ipv4-address [ mask-length ] | peer ipv6-address [ prefix-length ] ] ] |
For more information about the display ipv6 routing-table, display bgp group vpnv6, display bgp peer vpnv6, and display bgp update-group vpnv6 commands, see Layer 3—IP Routing Command Reference.