Typical BGP/MPLS IP VPN Configurations
Example for Configuring BGP/MPLS IP VPN
BGP/MPLS IP VPN Overview
BGP/MPLS IP VPN is an MPLS-based L3VPN that can be flexibly deployed and easily extended, and is suitable for deployment on a large scale. To add a new site, the network administrator only needs to modify the configuration of the edge nodes serving the new site.
BGP/MPLS IP VPN is suitable for communication between the headquarters and branches in different locations. As communication data needs to traverse the backbone network of the carrier, BGP is used to advertise VPN routes over the backbone network and MPLS is used to forward VPN packets on the backbone network. As different departments of an enterprise need to be isolated, BGP/MPLS IP VPN can isolate routes, address spaces, and access between different VPNs.
Configuration Notes
- This example applies to the following products and versions:
- S5700-HI, S5710-EI: V200R002C00 and later versions
- S5720-EI: V200R009C00 and later versions
- S5720-HI: V200R007C10 and later versions
- S5710-HI, S5730-HI, S5731-H, S5731S-H, S5732-H: For the applicable versions, see Table 3-1 in the section "Applicable Products and Versions."
- S5731-S, S6730-S: V200R022C00 and later versions
- S6700-EI: V200R005(C00&C01)
- S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730S-H: For the applicable versions, see Table 3-1 in the section "Applicable Products and Versions."
- S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712: For the applicable versions, see Table 3-1 in the section "Applicable Products and Versions."
- The SA series cards do not support the BGP/MPLS IP VPN function. The X1E series cards of V200R006C00 and later versions support the BGP/MPLS IP VPN function.
To view detailed information about software mappings, visit Info-Finder, select a product series or product model, and click Hardware Center.
Networking Requirements
- CE1 connects to the headquarters R&D area of a company, and CE3 connects to the branch R&D area. CE1 and CE3 belong to vpna.
- CE2 connects to the headquarters non-R&D area, and CE4 connects to the branch non-R&D area. CE2 and CE4 belong to vpnb.
BGP/MPLS IP VPN needs to be deployed for the company to ensure secure communication between the headquarters and branch while isolating data between the R&D area and non-R&D area.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure OSPF between the P and PEs to ensure IP connectivity on the backbone network.
- Configure basic MPLS capabilities and MPLS LDP on the P and PEs to establish MPLS LSP tunnels for VPN data transmission on the backbone network.
- Configure MP-IBGP on PE1 and PE2 to enable them to exchange VPN routing information.
- Configure VPN instances vpna and vpnb on PE1 and PE2. Set the VPN target of vpna to 111:1 and the VPN target of vpnb to 222:2. This configuration allows users in the same VPN to communicate with each other and isolates users on different VPNs. Bind the PE interfaces connected to CEs to the corresponding VPN instances to provide access for VPN users.
- Configure EBGP on the CEs and PEs to exchange VPN routing information.
Procedure
- Configure an IGP on the MPLS backbone network so that PEs and P can communicate with each other.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] vlan batch 10 20 30
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 20
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] port link-type trunk
[PE1-GigabitEthernet3/0/0] port trunk allow-pass vlan 30
[PE1-GigabitEthernet3/0/0] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] ip address 172.1.1.1 24
[PE1-Vlanif30] quit
[PE1] ospf 1 router-id 1.1.1.9
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.9 32
[P-LoopBack1] quit
[P] vlan batch 30 60
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type trunk
[P-GigabitEthernet1/0/0] port trunk allow-pass vlan 30
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type trunk
[P-GigabitEthernet2/0/0] port trunk allow-pass vlan 60
[P-GigabitEthernet2/0/0] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 172.1.1.2 24
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] ip address 172.2.1.1 24
[P-Vlanif60] quit
[P] ospf 1 router-id 2.2.2.9
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.9 32
[PE2-LoopBack1] quit
[PE2] vlan batch 40 50 60
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type trunk
[PE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 40
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type trunk
[PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 50
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface gigabitethernet 3/0/0
[PE2-GigabitEthernet3/0/0] port link-type trunk
[PE2-GigabitEthernet3/0/0] port trunk allow-pass vlan 60
[PE2-GigabitEthernet3/0/0] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] ip address 172.2.1.2 24
[PE2-Vlanif60] quit
[PE2] ospf 1 router-id 3.3.3.9
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration is complete, OSPF neighbor relationships are established between PE1 and P, and between PE2 and P. Run the display ospf peer command. The command output shows that the neighbor status is Full. Run the display ip routing-table command. The command output shows that PEs have learned the routes to Loopback1 of each other.
The information displayed on PE1 is used as an example.
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost  Flags  NextHop      Interface
1.1.1.9/32          Direct  0    0     D      127.0.0.1    LoopBack1
2.2.2.9/32          OSPF    10   1     D      172.1.1.2    Vlanif30
3.3.3.9/32          OSPF    10   2     D      172.1.1.2    Vlanif30
127.0.0.0/8         Direct  0    0     D      127.0.0.1    InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1    InLoopBack0
172.1.1.0/24        Direct  0    0     D      172.1.1.1    Vlanif30
172.1.1.1/32        Direct  0    0     D      127.0.0.1    Vlanif30
172.2.1.0/24        OSPF    10   2     D      172.1.1.2    Vlanif30

[PE1] display ospf peer

 OSPF Process 1 with Router ID 1.1.1.9
 Neighbors

 Area 0.0.0.0 interface 172.1.1.1(Vlanif30)'s neighbors
 Router ID: 2.2.2.9      Address: 172.1.1.2
   State: Full  Mode:Nbr is Master  Priority: 1
   DR: 172.1.1.2  BDR: 172.1.1.1  MTU: 0
   Dead timer due in 37 sec
   Retrans timer interval: 5
   Neighbor is up for 00:16:21
   Authentication Sequence: [ 0 ]
- Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network to establish LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] mpls
[PE1-Vlanif30] mpls ldp
[PE1-Vlanif30] quit
# Configure P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] mpls
[P-Vlanif60] mpls ldp
[P-Vlanif60] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] mpls
[PE2-Vlanif60] mpls ldp
[PE2-Vlanif60] quit
After the configuration is complete, LDP sessions are established between PE1 and the P and between the P and PE2. Run the display mpls ldp session command. The command output shows that the Status field is Operational. Run the display mpls ldp lsp command. Information about the established LDP LSPs is displayed.
The information displayed on PE1 is used as an example.
[PE1] display mpls ldp session

 LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
 A '*' before a session means the session is being deleted.
 ------------------------------------------------------------------------------
 PeerID             Status       LAM  SsnRole  SsnAge      KASent/Rcv
 ------------------------------------------------------------------------------
 2.2.2.9:0          Operational  DU   Passive  0000:00:01  6/6
 ------------------------------------------------------------------------------
 TOTAL: 1 session(s) Found.

[PE1] display mpls ldp lsp

 LDP LSP Information
 -------------------------------------------------------------------------------
 Flag after Out IF: (I) - LSP Is Only Iterated by RLFA
 -------------------------------------------------------------------------------
 DestAddress/Mask   In/OutLabel    UpstreamPeer    NextHop         OutInterface
 -------------------------------------------------------------------------------
 1.1.1.9/32         3/NULL         2.2.2.9         127.0.0.1       InLoop0
*1.1.1.9/32         Liberal/1024                   DS/2.2.2.9
 2.2.2.9/32         NULL/3         -               172.1.1.2       Vlanif30
 2.2.2.9/32         1024/3         2.2.2.9         172.1.1.2       Vlanif30
 3.3.3.9/32         NULL/1025      -               172.1.1.2       Vlanif30
 3.3.3.9/32         1025/1025      2.2.2.9         172.1.1.2       Vlanif30
 -------------------------------------------------------------------------------
 TOTAL: 5 Normal LSP(s) Found.
 TOTAL: 1 Liberal LSP(s) Found.
 TOTAL: 0 Frr LSP(s) Found.
 A '*' before an LSP means the LSP is not established
 A '*' before a Label means the USCB or DSCB is stale
 A '*' before a UpstreamPeer means the session is stale
 A '*' before a DS means the session is stale
 A '*' before a NextHop means the LSP is FRR LSP
- Configure VPN instances on PEs and bind the interfaces connected to CEs to the VPN instances.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip binding vpn-instance vpna
[PE1-Vlanif10] ip address 10.1.1.2 24
[PE1-Vlanif10] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip binding vpn-instance vpnb
[PE1-Vlanif20] ip address 10.2.1.2 24
[PE1-Vlanif20] quit
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface vlanif 40
[PE2-Vlanif40] ip binding vpn-instance vpna
[PE2-Vlanif40] ip address 10.3.1.2 24
[PE2-Vlanif40] quit
[PE2] interface vlanif 50
[PE2-Vlanif50] ip binding vpn-instance vpnb
[PE2-Vlanif50] ip address 10.4.1.2 24
[PE2-Vlanif50] quit
# Assign IP addresses to the interfaces on the CE1 connecting to the headquarters R&D area according to Figure 3-133. The configurations on CE2, CE3, and CE4 are similar to the configuration on CE1 and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.1.1.1 24
[CE1-Vlanif10] quit
After the configuration is complete, run the display ip vpn-instance verbose command on the PEs to check the configuration of VPN instances. Each PE can ping its connected CE.
If a PE has multiple interfaces bound to the same VPN instance, specify a source IP address by setting -a source-ip-address in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command to ping a remote CE. If the source IP address is not specified, the ping fails.
PE1 is used as an example.
[PE1] display ip vpn-instance verbose
 Total VPN-Instances configured      : 2
 Total IPv4 VPN-Instances configured : 2
 Total IPv6 VPN-Instances configured : 0

 VPN-Instance Name and ID : vpna, 1
  Interfaces : Vlanif10
 Address family ipv4
  Create date : 2014-11-03 02:39:34+00:00
  Up time : 0 days, 22 hours, 24 minutes and 53 seconds
  Route Distinguisher : 100:1
  Export VPN Targets : 111:1
  Import VPN Targets : 111:1
  Label Policy : label per instance
  Per-Instance Label : 4098
  Log Interval : 5

 VPN-Instance Name and ID : vpnb, 2
  Interfaces : Vlanif20
 Address family ipv4
  Create date : 2014-11-03 02:39:34+00:00
  Up time : 0 days, 22 hours, 24 minutes and 53 seconds
  Route Distinguisher : 100:2
  Export VPN Targets : 222:2
  Import VPN Targets : 222:2
  Label Policy : label per instance
  Per-Instance Label : 4098
  Log Interval : 5

[PE1] ping -vpn-instance vpna 10.1.1.1
  PING 10.1.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=5 ms
    Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=3 ms
    Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=3 ms
    Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=3 ms
    Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=16 ms

  --- 10.1.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/6/16 ms
- Establish EBGP peer relationships between PEs and CEs and import VPN routes into BGP.
# Configure CE1 connecting to the headquarters R&D area. The configurations on CE2, CE3, and CE4 are similar to the configuration on CE1 and are not mentioned here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit
# Configure PE1. The configuration on PE2 is similar to the configuration on PE1 and is not mentioned here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit
After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command on the PEs. The command output shows that BGP peer relationships have been established between the PEs and CEs.
The peer relationship between PE1 and CE1 is used as an example.
[PE1] display bgp vpnv4 vpn-instance vpna peer

 BGP local router ID : 1.1.1.9
 Local AS number : 100

 VPN-Instance vpna, Router ID 1.1.1.9:
 Total number of peers : 1    Peers in established state : 1

  Peer        V  AS     MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
  10.1.1.1    4  65410  11       9        0     00:07:25  Established  1
- Establish MP-IBGP peer relationships between PEs.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
After the configuration is complete, run the display bgp peer or display bgp vpnv4 all peer command on the PEs. The command output shows that BGP peer relationships have been established between the PEs.
[PE1] display bgp peer

 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1    Peers in established state : 1

  Peer        V  AS     MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
  3.3.3.9     4  100    12       6        0     00:02:21  Established  0

[PE1] display bgp vpnv4 all peer

 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 3    Peers in established state : 3

  Peer        V  AS     MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
  3.3.3.9     4  100    12       18       0     00:09:38  Established  0

  Peer of IPv4-family for vpn instance :

  VPN-Instance vpna, Router ID 1.1.1.9:
  10.1.1.1    4  65410  25       25       0     00:17:57  Established  1
  VPN-Instance vpnb, Router ID 1.1.1.9:
  10.2.1.1    4  65420  21       22       0     00:17:10  Established  1
- Verify the configuration.
Run the display ip routing-table vpn-instance command on the PEs to view the routes to the remote CEs.
The information displayed on PE1 is used as an example.
[PE1] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: vpna
         Destinations : 3        Routes : 3

Destination/Mask    Proto   Pre  Cost  Flags  NextHop      Interface
10.1.1.0/24         Direct  0    0     D      10.1.1.2     Vlanif10
10.1.1.2/32         Direct  0    0     D      127.0.0.1    Vlanif10
10.3.1.0/24         IBGP    255  0     RD     3.3.3.9      Vlanif30

[PE1] display ip routing-table vpn-instance vpnb
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: vpnb
         Destinations : 3        Routes : 3

Destination/Mask    Proto   Pre  Cost  Flags  NextHop      Interface
10.2.1.0/24         Direct  0    0     D      10.2.1.2     Vlanif20
10.2.1.2/32         Direct  0    0     D      127.0.0.1    Vlanif20
10.4.1.0/24         IBGP    255  0     RD     3.3.3.9      Vlanif30
CEs in the same VPN can ping each other, whereas CEs in different VPNs cannot.
For example, CE1 connecting to the headquarters R&D area can ping CE3 connecting to the branch R&D area at 10.3.1.1 but cannot ping CE4 connecting to the branch non-R&D area at 10.4.1.1.
[CE1] ping 10.3.1.1
  PING 10.3.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
    Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
    Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
    Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
    Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms

  --- 10.3.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 34/48/72 ms
Configuration Files
Configuration file of PE1
#
sysname PE1
#
vlan batch 10 20 30
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 100:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
 ip binding vpn-instance vpna
 ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
 ip binding vpn-instance vpnb
 ip address 10.2.1.2 255.255.255.0
#
interface Vlanif30
 ip address 172.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface GigabitEthernet3/0/0
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
bgp 100
 peer 3.3.3.9 as-number 100
 peer 3.3.3.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 3.3.3.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 3.3.3.9 enable
 #
 ipv4-family vpn-instance vpna
  import-route direct
  peer 10.1.1.1 as-number 65410
 #
 ipv4-family vpn-instance vpnb
  import-route direct
  peer 10.2.1.1 as-number 65420
#
ospf 1 router-id 1.1.1.9
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 172.1.1.0 0.0.0.255
#
return
Configuration file of P
#
sysname P
#
vlan batch 30 60
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif30
 ip address 172.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif60
 ip address 172.2.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 60
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
ospf 1 router-id 2.2.2.9
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 172.1.1.0 0.0.0.255
  network 172.2.1.0 0.0.0.255
#
return
Configuration file of PE2
#
sysname PE2
#
vlan batch 40 50 60
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 200:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 200:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif40
 ip binding vpn-instance vpna
 ip address 10.3.1.2 255.255.255.0
#
interface Vlanif50
 ip binding vpn-instance vpnb
 ip address 10.4.1.2 255.255.255.0
#
interface Vlanif60
 ip address 172.2.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 40
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 50
#
interface GigabitEthernet3/0/0
 port link-type trunk
 port trunk allow-pass vlan 60
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.9 enable
 #
 ipv4-family vpn-instance vpna
  import-route direct
  peer 10.3.1.1 as-number 65430
 #
 ipv4-family vpn-instance vpnb
  import-route direct
  peer 10.4.1.1 as-number 65440
#
ospf 1 router-id 3.3.3.9
 area 0.0.0.0
  network 3.3.3.9 0.0.0.0
  network 172.2.1.0 0.0.0.255
#
return
Configuration file of CE1 connecting to the headquarters R&D area
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
bgp 65410
 peer 10.1.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.1.1.2 enable
#
return
Configuration file of CE2 connecting to the headquarters non-R&D area
#
sysname CE2
#
vlan batch 20
#
interface Vlanif20
 ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
#
bgp 65420
 peer 10.2.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.2.1.2 enable
#
return
Configuration file of CE3 connecting to the branch R&D area
#
sysname CE3
#
vlan batch 40
#
interface Vlanif40
 ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 40
#
bgp 65430
 peer 10.3.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.3.1.2 enable
#
return
Configuration file of CE4 connecting to the branch non-R&D area
#
sysname CE4
#
vlan batch 50
#
interface Vlanif50
 ip address 10.4.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 50
#
bgp 65440
 peer 10.4.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.4.1.2 enable
#
return
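The isolation between vpna and vpnb in the configuration files above depends on the VPN targets: a PE imports a route into a VPN instance only when one of the route's export targets matches one of the instance's import targets. The following Python audit is an added example, not part of the original document; it parses the ip vpn-instance stanzas of saved configurations and lists every route flow between differently named instances. The function names, the rule that one VPN uses the same instance name on every PE, and the misconfigured PE2 variant are assumptions constructed for illustration.

```python
"""Audit VPN-target (RT) policy in saved Huawei VRP configs for cross-VPN leaks."""
from dataclasses import dataclass, field
from itertools import product

# Direction keyword -> (export, import). A vpn-target line with no keyword is
# treated as "both" (assumption: this is the VRP default).
DIRECTIONS = {"export-extcommunity": (True, False),
              "import-extcommunity": (False, True), "both": (True, True)}


@dataclass
class Vrf:
    device: str
    name: str
    rd: str = ""
    export_rts: set = field(default_factory=set)
    import_rts: set = field(default_factory=set)
    interfaces: list = field(default_factory=list)


def parse_vrfs(device, config):
    """Return {name: Vrf} for every 'ip vpn-instance' stanza in one config."""
    vrfs, vrf, iface = {}, None, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "#":            # '#' ends the current stanza
            vrf = iface = None
        elif tok[:2] == ["ip", "vpn-instance"] and len(tok) == 3:
            vrf, iface = vrfs.setdefault(tok[2], Vrf(device, tok[2])), None
        elif tok[0] == "interface" and len(tok) == 2:
            vrf, iface = None, tok[1]
        elif vrf is not None and tok[0] == "route-distinguisher" and len(tok) == 2:
            vrf.rd = tok[1]
        elif vrf is not None and tok[0] == "vpn-target":
            exp, imp = DIRECTIONS.get(tok[-1], (True, True))
            rts = {t for t in tok[1:] if t not in DIRECTIONS}
            vrf.export_rts |= rts if exp else set()
            vrf.import_rts |= rts if imp else set()
        elif iface and tok[:3] == ["ip", "binding", "vpn-instance"] and len(tok) == 4:
            vrfs.setdefault(tok[3], Vrf(device, tok[3])).interfaces.append(iface)
    return vrfs


def load(configs):
    """Flatten {device: config_text} into a list of Vrf objects."""
    return [v for dev, text in configs.items() for v in parse_vrfs(dev, text).values()]


def route_flows(vrfs):
    """Yield (exporter, importer, shared RTs) wherever an export RT is imported."""
    for src, dst in product(vrfs, repeat=2):
        shared = src.export_rts & dst.import_rts
        if src is not dst and shared:
            yield src, dst, sorted(shared)


def cross_vpn_leaks(vrfs):
    """Flows between differently named VPN instances, i.e. broken isolation.
    Assumption: one VPN uses the same instance name on every PE, as on this page."""
    return [(f"{s.device}/{s.name}", f"{d.device}/{d.name}", rts)
            for s, d, rts in route_flows(vrfs) if s.name != d.name]


# VPN-instance and interface stanzas excerpted from the page's PE1
# configuration file (indentation reconstructed).
PE1_CFG = """\
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 100:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
interface Vlanif10
 ip binding vpn-instance vpna
#
interface Vlanif20
 ip binding vpn-instance vpnb
#
"""
# PE2 differs from PE1 only in its RDs (200:x) and CE-facing VLANIFs (40, 50).
PE2_CFG = (PE1_CFG.replace("100:", "200:")
           .replace("Vlanif10", "Vlanif40").replace("Vlanif20", "Vlanif50"))
# Constructed misconfiguration: vpnb on PE2 additionally imports vpna's RT.
PE2_BAD = PE2_CFG.replace("vpn-target 222:2 import-extcommunity",
                          "vpn-target 222:2 111:1 import-extcommunity")

if __name__ == "__main__":
    for label, pe2 in (("as documented", PE2_CFG), ("misconfigured", PE2_BAD)):
        vrfs = load({"PE1": PE1_CFG, "PE2": pe2})
        flows = len(list(route_flows(vrfs)))
        print(f"{label}: {flows} route flows, leaks={cross_vpn_leaks(vrfs)}")
```

With the documented configuration the audit finds only vpna-to-vpna and vpnb-to-vpnb flows; with the constructed variant it reports vpna routes from both PEs entering vpnb on PE2.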
Example for Configuring an MCE
MCE Overview
A multi-VPN-instance customer edge (MCE) device can function as a CE device for multiple VPN instances in BGP/MPLS IP VPN networking. This differs from the traditional BGP/MPLS IP VPN architecture, which requires each VPN instance to use a CE device to connect to a PE device.
MCE is suitable when users on a private network need to be divided into multiple VPNs or when services of users in different VPNs must be completely isolated. Deploying a CE device for each VPN increases the cost of device procurement and maintenance. On the other hand, if multiple VPNs share one CE device, data security cannot be ensured because all the VPNs use the same routing table.
An MCE device creates and maintains an independent VRF for each VPN to ensure data security between different VPNs while reducing network construction and maintenance costs. The Multi-VRF application isolates forwarding paths of different VPNs on a private network and advertises routes of each VPN to the peer PE device, ensuring that VPN packets are correctly transmitted on the public network.
Configuration Notes
In V100R006C05, only the S3700-EI supports the MCE function.
In other versions, all the switch models except the S5700-SI, S5710-C-LI, S5710-X-LI, S5700S-LI, S5700-LI, and S2750-EI support the MCE function.
To view detailed information about software mappings, visit Info-Finder, select a product series or product model, and click Hardware Center.
Networking Requirements
The headquarters and branches of a company need to communicate through MPLS VPN, and two services of the company must be isolated. To reduce hardware costs, the company wants the branch to connect to the PE through just one CE.
As shown in Figure 3-134, the networking requirements are as follows:
- CE1 and CE2 connect to the headquarters. CE1 belongs to vpna, and CE2 belongs to vpnb.
- The MCE connects to vpna and vpnb of the branch through SwitchA and SwitchB.
Users in the same VPN need to communicate with each other, whereas users in different VPNs must be isolated.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure OSPF between PEs so that they can communicate and configure MP-IBGP to exchange VPN routing information.
- Configure basic MPLS capabilities and MPLS LDP on the PEs to establish LDP LSPs.
- Create VPN instances vpna and vpnb on the MCE and PEs to isolate services.
- Establish EBGP peer relationships between PE1 and its connected CEs, and import BGP routes to the VPN routing table of PE1.
- Configure routing between the MCE and VPN sites and between the MCE and PE2.
Procedure
- Configure VLANs on interfaces and assign IP addresses to the VLANIF interfaces and loopback interfaces according to Figure 3-134.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] vlan batch 30
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] port link-type trunk
[PE1-GigabitEthernet3/0/0] port trunk allow-pass vlan 30
[PE1-GigabitEthernet3/0/0] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] ip address 172.1.1.1 24
[PE1-Vlanif30] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.9 32
[PE2-LoopBack1] quit
[PE2] vlan batch 30
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type trunk
[PE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 30
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 172.1.1.2 24
[PE2-Vlanif30] quit
# Configure CE1. The configuration on CE2, SwitchA and SwitchB is similar to the configuration on PE1 and is not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.1.1.1 24
[CE1-Vlanif10] quit
- Configure OSPF on PEs of the backbone network.
# Configure PE1.
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure PE2.
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration is complete, the PEs can obtain the Loopback1 address of each other.
The information displayed on PE2 is used as an example.
[PE2] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 6        Routes : 6

Destination/Mask    Proto   Pre  Cost  Flags  NextHop      Interface
1.1.1.9/32          OSPF    10   1     D      172.1.1.1    Vlanif30
2.2.2.9/32          Direct  0    0     D      127.0.0.1    LoopBack1
127.0.0.0/8         Direct  0    0     D      127.0.0.1    InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1    InLoopBack0
172.1.1.0/24        Direct  0    0     D      172.1.1.2    Vlanif30
172.1.1.2/32        Direct  0    0     D      127.0.0.1    Vlanif30
- Configure basic MPLS capabilities and MPLS LDP on the PEs to establish LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] mpls
[PE1-Vlanif30] mpls ldp
[PE1-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
After the configuration is complete, run the display mpls ldp session command on the PEs. The command output shows that the MPLS LDP session between the PEs is in Operational state.
The information displayed on PE2 is used as an example.
[PE2] display mpls ldp session

 LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
 A '*' before a session means the session is being deleted.
 ------------------------------------------------------------------------------
 PeerID             Status       LAM  SsnRole  SsnAge      KASent/Rcv
 ------------------------------------------------------------------------------
 1.1.1.9:0          Operational  DU   Active   0000:00:04  17/17
 ------------------------------------------------------------------------------
 TOTAL: 1 session(s) Found.
- Configure VPN instances on the PEs. On PE1, bind the interfaces connected to CE1 and CE2 to the VPN instances respectively. On PE2, bind the interface connected to the MCE to the VPN instances.
# Configure PE1.
[PE1] vlan batch 10 20
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 20
[PE1-GigabitEthernet2/0/0] quit
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1  //Set the RD to 100:1.
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both  //Add the RT value 111:1 to routes exported from the VPN instance vpna to MP-BGP. Only the routes with the RT value 111:1 can be imported to vpna.
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip binding vpn-instance vpna  //Bind the interface to vpna.
[PE1-Vlanif10] ip address 10.1.1.2 24
[PE1-Vlanif10] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip binding vpn-instance vpnb
[PE1-Vlanif20] ip address 10.2.1.2 24
[PE1-Vlanif20] quit
# Configure PE2.
[PE2] vlan batch 100 200
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type trunk
[PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 100 200
[PE2-GigabitEthernet2/0/0] quit
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] ipv4-family
[PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] ipv4-family
[PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface vlanif 100
[PE2-Vlanif100] ip binding vpn-instance vpna
[PE2-Vlanif100] ip address 10.5.1.1 24
[PE2-Vlanif100] quit
[PE2] interface vlanif 200
[PE2-Vlanif200] ip binding vpn-instance vpnb
[PE2-Vlanif200] ip address 10.6.1.1 24
[PE2-Vlanif200] quit
- Configure VPN instances on the MCE and bind the interfaces connected to SwitchA and SwitchB to the VPN instances respectively.
# Configure MCE.
<HUAWEI> system-view
[HUAWEI] sysname MCE
[MCE] vlan batch 60 70 100 200
[MCE] interface gigabitethernet 1/0/0
[MCE-GigabitEthernet1/0/0] port link-type trunk
[MCE-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 200
[MCE-GigabitEthernet1/0/0] quit
[MCE] interface gigabitethernet 3/0/0
[MCE-GigabitEthernet3/0/0] port link-type trunk
[MCE-GigabitEthernet3/0/0] port trunk allow-pass vlan 60
[MCE-GigabitEthernet3/0/0] quit
[MCE] interface gigabitethernet 4/0/0
[MCE-GigabitEthernet4/0/0] port link-type trunk
[MCE-GigabitEthernet4/0/0] port trunk allow-pass vlan 70
[MCE-GigabitEthernet4/0/0] quit
[MCE] ip vpn-instance vpna
[MCE-vpn-instance-vpna] ipv4-family
[MCE-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[MCE-vpn-instance-vpna-af-ipv4] quit
[MCE-vpn-instance-vpna] quit
[MCE] ip vpn-instance vpnb
[MCE-vpn-instance-vpnb] ipv4-family
[MCE-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[MCE-vpn-instance-vpnb-af-ipv4] quit
[MCE-vpn-instance-vpnb] quit
[MCE] interface vlanif 60
[MCE-Vlanif60] ip binding vpn-instance vpna
[MCE-Vlanif60] ip address 10.3.1.2 24
[MCE-Vlanif60] quit
[MCE] interface vlanif 70
[MCE-Vlanif70] ip binding vpn-instance vpnb
[MCE-Vlanif70] ip address 10.4.1.2 24
[MCE-Vlanif70] quit
[MCE] interface vlanif 100
[MCE-Vlanif100] ip binding vpn-instance vpna
[MCE-Vlanif100] ip address 10.5.1.2 24
[MCE-Vlanif100] quit
[MCE] interface vlanif 200
[MCE-Vlanif200] ip binding vpn-instance vpnb
[MCE-Vlanif200] ip address 10.6.1.2 24
[MCE-Vlanif200] quit
- Establish an MP-IBGP peer relationship between PEs. Establish an EBGP peer relationship between PE1 and CE1, and between PE1 and CE2.
# Configure PE1. The configuration on PE2 is similar to the configuration on PE1 and is not mentioned here.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit
# Configure CE1. The configuration on CE2 is similar to the configuration on CE1 and is not mentioned here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100 //Establish an EBGP peer relationship between PE1 and CE1 and import VPN routes.
[CE1-bgp] import-route direct
[CE1-bgp] quit
After the configuration is complete, run the display bgp vpnv4 all peer command on PE1. The command output shows that PE1 has established an IBGP peer relationship with PE2 and EBGP peer relationships with CE1 and CE2. The peer relationships are in Established state.
[PE1] display bgp vpnv4 all peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 3                 Peers in established state : 3
  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
  2.2.2.9         4   100        2        8     0 00:00:29 Established       0
  Peer of IPv4-family for vpn instance :
 VPN-Instance vpna, Router ID 1.1.1.9:
  10.1.1.1        4 65410        4        5     0 00:00:28 Established       2
 VPN-Instance vpnb, Router ID 1.1.1.9:
  10.2.1.1        4 65420        4        5     0 00:00:28 Established       2
- Configure routing between the MCE and VPN sites. The MCE directly connects to vpna, and no routing protocol is used in vpna. Configure static routes to implement communication between the MCE and vpna.
Configure SwitchA.
Assign IP address 192.168.1.1/24 to the interface connected to vpna. The configuration details are not mentioned here.
[SwitchA] vlan batch 60
[SwitchA] interface gigabitethernet 1/0/0
[SwitchA-GigabitEthernet1/0/0] port link-type trunk
[SwitchA-GigabitEthernet1/0/0] port trunk allow-pass vlan 60
[SwitchA-GigabitEthernet1/0/0] quit
[SwitchA] interface vlanif 60
[SwitchA-Vlanif60] ip address 10.3.1.1 24
[SwitchA-Vlanif60] quit
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.3.1.2 //Create a default route destined to the MCE for SwitchA.
Configure the MCE.
[MCE] ip route-static vpn-instance vpna 192.168.1.0 24 10.3.1.1 //Create a VPN route destined to SwitchA for the VPN instance vpna.
- Check the routes of vpna on the MCE.
[MCE] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: vpna
         Destinations : 5        Routes : 5
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
       10.3.1.0/24  Direct  0    0           D   10.3.1.2        Vlanif60
       10.3.1.2/32  Direct  0    0           D   127.0.0.1       Vlanif60
       10.5.1.0/24  Direct  0    0           D   10.5.1.2        Vlanif100
       10.5.1.2/32  Direct  0    0           D   127.0.0.1       Vlanif100
    192.168.1.0/24  Static  60   0          RD   10.3.1.1        Vlanif60
The preceding information shows that the MCE has a static route to vpna.
The RIP protocol runs in vpnb. Configure RIP process 200 on the MCE and bind it to vpnb so that routes learned by RIP are added to the routing table of vpnb.
Configure the MCE.
[MCE] rip 200 vpn-instance vpnb
[MCE-rip-200] version 2
[MCE-rip-200] network 10.0.0.0
[MCE-rip-200] import-route ospf 200 //Import OSPF routes so that SwitchB can learn routes to the MCE.
[MCE-rip-200] quit
Configure SwitchB.
Assign IP address 192.168.2.1/24 to the interface connected to vpnb. The configuration is not provided here.
[SwitchB] vlan batch 70
[SwitchB] interface gigabitethernet 1/0/0
[SwitchB-GigabitEthernet1/0/0] port link-type trunk
[SwitchB-GigabitEthernet1/0/0] port trunk allow-pass vlan 70
[SwitchB-GigabitEthernet1/0/0] quit
[SwitchB] interface vlanif 70
[SwitchB-Vlanif70] ip address 10.4.1.1 24
[SwitchB-Vlanif70] quit
[SwitchB] rip 200
[SwitchB-rip-200] version 2
[SwitchB-rip-200] network 10.0.0.0
[SwitchB-rip-200] network 192.168.2.0
[SwitchB-rip-200] quit
- Check the routes of vpnb on the MCE.
[MCE] display ip routing-table vpn-instance vpnb
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: vpnb
         Destinations : 5        Routes : 5
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
       10.4.1.0/24  Direct  0    0           D   10.4.1.2        Vlanif70
       10.4.1.2/32  Direct  0    0           D   127.0.0.1       Vlanif70
       10.6.1.0/24  Direct  0    0           D   10.6.1.2        Vlanif200
       10.6.1.2/32  Direct  0    0           D   127.0.0.1       Vlanif200
    192.168.2.0/24  RIP     100  1           D   10.4.1.1        Vlanif70
The preceding information shows that the MCE has learned the route to vpnb using RIP. The route to vpnb and the route to vpna (192.168.1.0) are maintained in different VPN routing tables so that users in the two VPNs are isolated from each other.
- Configure OSPF multi-instance between the MCE and PE2.
# Configure PE2.
To configure OSPF multi-instance between the MCE and PE2, complete the following tasks on PE2:
- In the OSPF view, import BGP routes and advertise VPN routes of PE1 to the MCE.
- In the BGP view, import routes of the OSPF processes and advertise the VPN routes of the MCE to PE1.
[PE2] ospf 100 vpn-instance vpna
[PE2-ospf-100] import-route bgp //Import BGP routes to OSPF 100 in vpna between the PE and MCE, so that the MCE learns routes to CE1.
[PE2-ospf-100] area 0
[PE2-ospf-100-area-0.0.0.0] network 10.5.1.0 0.0.0.255
[PE2-ospf-100-area-0.0.0.0] quit
[PE2-ospf-100] quit
[PE2] ospf 200 vpn-instance vpnb
[PE2-ospf-200] import-route bgp //Import BGP routes to OSPF 200 in vpnb between the PE and MCE, so that the MCE learns routes to CE2.
[PE2-ospf-200] area 0
[PE2-ospf-200-area-0.0.0.0] network 10.6.1.0 0.0.0.255
[PE2-ospf-200-area-0.0.0.0] quit
[PE2-ospf-200] quit
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpna
[PE2-bgp-vpna] import-route ospf 100 //Import OSPF 100 to BGP so that PE2 adds the VPNv4 prefix to routes and uses MP-IBGP to advertise routes to PE1.
[PE2-bgp-vpna] quit
[PE2-bgp] ipv4-family vpn-instance vpnb
[PE2-bgp-vpnb] import-route ospf 200 //Import OSPF 200 to BGP so that PE2 adds the VPNv4 prefix to routes and uses MP-IBGP to advertise routes to PE1.
[PE2-bgp-vpnb] quit
# Configure the MCE.
Import VPN routes to the OSPF processes.
[MCE] ospf 100 vpn-instance vpna //Configure dynamic OSPF routes for the VPN instance vpna.
[MCE-ospf-100] import-route static //Import static private routes of SwitchA to the MCE.
[MCE-ospf-100] vpn-instance-capability simple //Disable loop detection for OSPF VPN, so that the MCE can learn routes re-advertised from PE2.
[MCE-ospf-100] area 0
[MCE-ospf-100-area-0.0.0.0] network 10.3.1.0 0.0.0.255
[MCE-ospf-100-area-0.0.0.0] network 10.5.1.0 0.0.0.255
[MCE-ospf-100-area-0.0.0.0] quit
[MCE-ospf-100] quit
[MCE] ospf 200 vpn-instance vpnb
[MCE-ospf-200] import-route rip 200
[MCE-ospf-200] vpn-instance-capability simple
[MCE-ospf-200] area 0
[MCE-ospf-200-area-0.0.0.0] network 10.4.1.0 0.0.0.255
[MCE-ospf-200-area-0.0.0.0] network 10.6.1.0 0.0.0.255
[MCE-ospf-200-area-0.0.0.0] quit
[MCE-ospf-200] quit
- Verify the configurations.
After the configuration is complete, run the display ip routing-table vpn-instance command on the MCE to view the routes to the remote CEs. The VPN instance vpna is used as an example.
[MCE] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: vpna
         Destinations : 6        Routes : 6
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
       10.1.1.0/24  O_ASE   150  1           D   10.5.1.1        Vlanif100
       10.3.1.0/24  Direct  0    0           D   10.3.1.2        Vlanif60
       10.3.1.2/32  Direct  0    0           D   127.0.0.1       Vlanif60
       10.5.1.0/24  Direct  0    0           D   10.5.1.2        Vlanif100
       10.5.1.2/32  Direct  0    0           D   127.0.0.1       Vlanif100
    192.168.1.0/24  Static  60   0          RD   10.3.1.1        Vlanif60
Run the display ip routing-table vpn-instance command on the PEs to view the routes to the remote CEs. The VPN instance vpna on PE1 is used as an example.
[PE1] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: vpna
         Destinations : 5        Routes : 5
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
       10.1.1.0/24  Direct  0    0           D   10.1.1.2        Vlanif10
       10.1.1.2/32  Direct  0    0           D   127.0.0.1       Vlanif10
       10.3.1.0/24  IBGP    255  3          RD   2.2.2.9         Vlanif30
       10.5.1.0/24  IBGP    255  0          RD   2.2.2.9         Vlanif30
    192.168.1.0/24  IBGP    255  2          RD   2.2.2.9         Vlanif30
CE1 and SwitchA can communicate with each other. CE2 and SwitchB can communicate with each other. The information displayed on CE1 is used as an example.
[CE1] ping 10.3.1.1
  PING 10.3.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=252 time=3 ms
    Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=252 time=3 ms
    Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=252 time=3 ms
    Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=252 time=3 ms
    Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=252 time=11 ms
  --- 10.3.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/4/11 ms
CE1 cannot ping CE2 or SwitchB. SwitchA cannot ping CE2 or SwitchB. The ping from CE1 to SwitchB is used as an example.
[CE1] ping 10.4.1.1
  PING 10.4.1.1: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 10.4.1.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
Configuration Files
CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
bgp 65410
 peer 10.1.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.1.1.2 enable
#
return
CE2 configuration file
#
sysname CE2
#
vlan batch 20
#
interface Vlanif20
 ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
#
bgp 65420
 peer 10.2.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.2.1.2 enable
#
return
PE1 configuration file
#
sysname PE1
#
vlan batch 10 20 30
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 100:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
 ip binding vpn-instance vpna
 ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
 ip binding vpn-instance vpnb
 ip address 10.2.1.2 255.255.255.0
#
interface Vlanif30
 ip address 172.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface GigabitEthernet3/0/0
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
bgp 100
 peer 2.2.2.9 as-number 100
 peer 2.2.2.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 2.2.2.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 2.2.2.9 enable
 #
 ipv4-family vpn-instance vpna
  import-route direct
  peer 10.1.1.1 as-number 65410
 #
 ipv4-family vpn-instance vpnb
  import-route direct
  peer 10.2.1.1 as-number 65420
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 172.1.1.0 0.0.0.255
#
return
PE2 configuration file
#
sysname PE2
#
vlan batch 30 100 200
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 200:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 200:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif30
 ip address 172.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif100
 ip binding vpn-instance vpna
 ip address 10.5.1.1 255.255.255.0
#
interface Vlanif200
 ip binding vpn-instance vpnb
 ip address 10.6.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 100 200
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.9 enable
 #
 ipv4-family vpn-instance vpna
  import-route ospf 100
 #
 ipv4-family vpn-instance vpnb
  import-route ospf 200
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 172.1.1.0 0.0.0.255
#
ospf 100 vpn-instance vpna
 import-route bgp
 area 0.0.0.0
  network 10.5.1.0 0.0.0.255
#
ospf 200 vpn-instance vpnb
 import-route bgp
 area 0.0.0.0
  network 10.6.1.0 0.0.0.255
#
return
MCE configuration file
#
sysname MCE
#
vlan batch 60 70 100 200
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 100:2
#
interface Vlanif60
 ip binding vpn-instance vpna
 ip address 10.3.1.2 255.255.255.0
#
interface Vlanif70
 ip binding vpn-instance vpnb
 ip address 10.4.1.2 255.255.255.0
#
interface Vlanif100
 ip binding vpn-instance vpna
 ip address 10.5.1.2 255.255.255.0
#
interface Vlanif200
 ip binding vpn-instance vpnb
 ip address 10.6.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 100 200
#
interface GigabitEthernet3/0/0
 port link-type trunk
 port trunk allow-pass vlan 60
#
interface GigabitEthernet4/0/0
 port link-type trunk
 port trunk allow-pass vlan 70
#
ospf 100 vpn-instance vpna
 import-route static
 vpn-instance-capability simple
 area 0.0.0.0
  network 10.3.1.0 0.0.0.255
  network 10.5.1.0 0.0.0.255
#
ospf 200 vpn-instance vpnb
 import-route rip 200
 vpn-instance-capability simple
 area 0.0.0.0
  network 10.4.1.0 0.0.0.255
  network 10.6.1.0 0.0.0.255
#
rip 200 vpn-instance vpnb
 version 2
 network 10.0.0.0
 import-route ospf 200
#
ip route-static vpn-instance vpna 192.168.1.0 255.255.255.0 10.3.1.1
#
return
SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 60
#
interface Vlanif10
 ip address 192.168.1.1 255.255.255.0
#
interface Vlanif60
 ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 60
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
ip route-static 0.0.0.0 0.0.0.0 10.3.1.2
#
return
SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 70
#
interface Vlanif10
 ip address 192.168.2.1 255.255.255.0
#
interface Vlanif70
 ip address 10.4.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 70
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
rip 200
 version 2
 network 10.0.0.0
 network 192.168.2.0
#
return
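The isolation between vpna and vpnb in this example holds only while no VPN instance imports an RT that a differently named instance exports. The following Python check is an added example, not part of the original configuration guide: it parses the vpn-instance and VLANIF stanzas copied from the PE1 and PE2 configuration files above and reports every export/import RT match between differently named instances. PE2_BAD_CFG is a constructed misconfiguration, and treating equal instance names on different PEs as the same VPN is an assumption.

```python
import re
from itertools import product

# Stanzas copied from the PE1 and PE2 configuration files on this page.
PE1_CFG = """\
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 100:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
interface Vlanif10
 ip binding vpn-instance vpna
 ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
 ip binding vpn-instance vpnb
 ip address 10.2.1.2 255.255.255.0
#
"""
PE2_CFG = """\
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 200:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 200:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
interface Vlanif100
 ip binding vpn-instance vpna
 ip address 10.5.1.1 255.255.255.0
#
interface Vlanif200
 ip binding vpn-instance vpnb
 ip address 10.6.1.1 255.255.255.0
#
"""
# Constructed misconfiguration (not from the page): vpnb on PE2 also imports vpna's RT.
PE2_BAD_CFG = PE2_CFG.replace("vpn-target 222:2 import-extcommunity",
                              "vpn-target 222:2 111:1 import-extcommunity")
DIRECTIONS = ("export-extcommunity", "import-extcommunity", "both")

def _blank():
    return {"rd": None, "export": set(), "import": set(), "interfaces": []}

def parse_vpn_instances(cfg):
    """Return {instance: {"rd", "export", "import", "interfaces"}} for one device."""
    instances, kind, name = {}, None, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented line opens or closes a stanza
            m = re.match(r"(ip vpn-instance|interface) (\S+)$", line)
            kind, name = (m.group(1), m.group(2)) if m else (None, None)
            if kind == "ip vpn-instance":
                instances.setdefault(name, _blank())
            continue
        if kind == "ip vpn-instance" and line.startswith("route-distinguisher "):
            instances[name]["rd"] = line.split()[1]
        elif kind == "ip vpn-instance" and line.startswith("vpn-target "):
            tokens = line.split()[1:]
            # Without a direction keyword the RT applies to both directions.
            direction = tokens.pop() if tokens[-1] in DIRECTIONS else "both"
            if direction != "import-extcommunity":
                instances[name]["export"].update(tokens)
            if direction != "export-extcommunity":
                instances[name]["import"].update(tokens)
        elif kind == "interface" and line.startswith("ip binding vpn-instance "):
            instances.setdefault(line.split()[-1], _blank())["interfaces"].append(name)
    return instances

def find_route_leaks(devices):
    """List (exporter, importer, shared RTs) for differently named instances."""
    parsed = [(dev, vpn, inst) for dev, cfg in devices.items()
              for vpn, inst in parse_vpn_instances(cfg).items()]
    leaks = []
    for (edev, evpn, e), (idev, ivpn, i) in product(parsed, repeat=2):
        shared = e["export"] & i["import"]
        if evpn != ivpn and shared:
            leaks.append((f"{edev}/{evpn}", f"{idev}/{ivpn}", sorted(shared)))
    return sorted(leaks)

if __name__ == "__main__":
    for label, pe2 in (("page config", PE2_CFG), ("constructed misconfig", PE2_BAD_CFG)):
        print(label, find_route_leaks({"PE1": PE1_CFG, "PE2": pe2}) or "no cross-VPN RT match")
```

The constructed case leaks in one direction only: vpnb learns vpna routes, while vpna still sees nothing from vpnb, so a ping test started from the vpna side alone would not reveal it.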
Example for Configuring Multicast VPN Access Through MCE Devices
Multicast VPN Overview
Multicast VPN technology allows multicast services to run on BGP/MPLS IP VPN networks. This technology encapsulates multicast packets from a private network to enable the packets to be forwarded along the multicast distribution tree (MDT) on a public network. When the packets reach the destination network, they are decapsulated and forwarded to receivers as multicast packets of the private network.
Multicast VPN is used to address the following problems occurring during the multicast service deployment on BGP/MPLS IP VPN networks:
VPN multicast packets cannot pass the reverse path forwarding (RPF) check on the public network.
In multicast forwarding, multicast routers perform RPF checks on multicast packets based on the multicast source address and inbound interface. Only multicast packets from the RPF interface are forwarded. Each router needs to know the unicast route to the multicast source. The provider (P) device on a BGP/MPLS IP VPN network does not know the VPN routes; therefore, RPF checks fail on the P device.
Overlapping multicast source addresses or group addresses on VPNs lead to inter-VPN communication.
A BGP/MPLS IP VPN network allows overlapping addresses in sites on each VPN; therefore, the multicast source addresses or group addresses of different VPNs may overlap. A PE device must correctly forward multicast packets from a VPN to only the users at the sites on the same VPN to prevent communication between different VPNs.
VPN packets are forwarded in unicast mode on the public network. When the multicast traffic volume is high, loads on the public network increase greatly.
Multicast technology ensures that each link transmits only one copy of multicast packets. Each device replicates multicast data according to the number of outbound interfaces, and the bandwidth consumed does not increase with the number of receivers. If the public network supports multicast forwarding, multicast packets are replicated only at bifurcation points on the public network. This on-demand replication mechanism reduces loads on the public network and conserves bandwidth.
All PE devices on a VPN can receive multicast packets from a multicast source on the same VPN. When the multicast traffic volume is high, loads on the PE devices increase greatly.
A VPN is composed of multiple sites, each of which connects to a different PE. Some sites may not have receivers. If VPN multicast data is forwarded only to the PE devices with receivers connected, burdens on PE devices are reduced.
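The RPF failure on the P device and the way MD-mode encapsulation avoids it can be traced with a small model. This Python sketch is an added example, not part of the original guide: the route table is the public routing table of device P as implied by the configuration files of this example, the Share-Group addresses and the MTI source are the values configured on the PEs, and the private source 192.168.11.10 and group 225.0.0.1 are constructed sample values.

```python
import ipaddress

# Public routes of device P as implied by OSPF process 1 in the configuration
# files of this example: prefix -> interface toward that prefix.
P_PUBLIC_ROUTES = {
    "1.1.1.1/32": "Vlanif30",    # PE1 Loopback0
    "2.2.2.2/32": "LoopBack0",   # P itself
    "3.3.3.3/32": "Vlanif40",    # PE2 Loopback0
    "10.1.3.0/24": "Vlanif30",
    "10.1.4.0/24": "Vlanif40",
}
SHARE_GROUPS = {"239.1.1.1": "blue", "239.1.2.1": "white"}  # Share-Group -> VPN instance
PE1_MTI_SOURCE = "1.1.1.1"  # multicast-domain source-interface loopback 0 on PE1

# Constructed private multicast packet (source and group are assumptions).
NATIVE_PACKET = {"src": "192.168.11.10", "group": "225.0.0.1"}

def rpf_interface(routes, source):
    """Longest-prefix match on the source address; None if no route exists."""
    src = ipaddress.ip_address(source)
    best = None
    for prefix, ifname in routes.items():
        net = ipaddress.ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def rpf_check(routes, source, in_interface):
    """Forward only if the packet arrived on the interface toward its source."""
    expected = rpf_interface(routes, source)
    if expected is None:
        return "drop: no route to source"
    if expected != in_interface:
        return f"drop: RPF interface is {expected}"
    return "forward"

def md_encapsulate(packet, mti_source, share_group):
    """Outer header added by the sending PE: MTI address and Share-Group."""
    return {"src": mti_source, "group": share_group, "inner": packet}

def deliver_at_pe(outer):
    """The receiving PE selects the VPN instance by Share-Group, then decapsulates."""
    vpn = SHARE_GROUPS.get(outer["group"])
    return (vpn, outer["inner"]) if vpn else (None, None)

if __name__ == "__main__":
    print("native on P :", rpf_check(P_PUBLIC_ROUTES, NATIVE_PACKET["src"], "Vlanif30"))
    outer = md_encapsulate(NATIVE_PACKET, PE1_MTI_SOURCE, "239.1.1.1")
    print("encapsulated:", rpf_check(P_PUBLIC_ROUTES, outer["src"], "Vlanif30"))
    print("delivered to:", deliver_at_pe(outer)[0])
```

The same inner source and group sent under 239.1.2.1 is handed to instance white instead of blue, which is how overlapping private addresses stay separated.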
Configuration Notes
If multicast VPN in multicast domain (MD) mode is used on switches, the PIM-SM SSM model cannot be used on the public network.
Multicast VPN cannot be deployed on inter-AS BGP/MPLS IPv4 VPN networks.
Multicast VPN cannot be deployed on BGP/MPLS IPv6 VPN networks.
Interfaces on the following interface cards cannot be configured as member interfaces of Eth-Trunk multicast loopback interfaces:
- V200R001 to V200R003: ES0D0G24SA00, ES0D0G24CA00, ES0D0X12SA00, ES1D2G48SBC0, and ES1D2G48TBC0 interface cards for the S7700; EH1D2G24SSA0, EH1D2S24CSA0, EH1D2X12SSA0, EH1D2G48SBC0, and EH1D2G48TBC0 interface cards for the S9700
- V200R005 to V200R009: X1E series, ES0D0G24SA00, ES0D0G24CA00, ES1D2G48SBC0, and ES1D2G48TBC0 interface cards for the S7700; X1E series, EH1D2G48SBC0, and EH1D2G48TBC0 interface cards for the S9700
- This example applies to the following products and versions:
- S5700-HI: V200R005(C01&C02)
- S5710-HI: V200R005C02
- S5720-HI, S5720-EI, S6720-EI, S6720S-EI: V200R010C00 and later versions
- S6720S-EI: V200R010C00 and later versions
- S6720-HI, S5730-HI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S: For the applicable versions, see Table 3-1 in the section "Applicable Products and Versions."
- S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712: For the applicable versions, see Table 3-1 in the section "Applicable Products and Versions."
To view detailed information about software mappings, visit Info-Finder, select a product series or product model, and click Hardware Center.
Networking Requirements
As shown in Figure 3-135, a company deploys two services, data of which is transmitted in multicast mode. The VPN site blue using service A and the VPN site white using service B both connect to the backbone network through the MCE devices. Multicast VPN in MD mode can be deployed to meet the multicast service requirements of the company. This configuration can isolate data of different services and reduce multicast traffic loads on the public network.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure BGP/MPLS IP VPN to ensure connectivity of the VPN network.
- Configure multicast loopback interfaces, share-group addresses, and multicast tunnel interfaces (MTIs) for VPN instances on the PE devices to implement multicast VPN in MD mode.
- Enable multicast routing and PIM on all the devices. Configure the multicast function in the public network between the PE and P devices. Configure the multicast function in the VPN instances between PE and MCE devices, and between the MCE and CE devices.
Procedure
- Configure BGP/MPLS IP VPN.
- Configure multicast loopback interfaces, share-group addresses, and MTIs for VPN instances on the provider edge devices PE1 and PE2.
# Configure PE1.
[PE1] interface eth-trunk 10
[PE1-Eth-Trunk10] service type multicast-tunnel //Configure Eth-Trunk 10 as a multicast loopback interface.
[PE1-Eth-Trunk10] trunkport gigabitethernet 3/0/5 //Bind member interface GE3/0/5 to Eth-Trunk 10.
[PE1-Eth-Trunk10] quit
[PE1] ip vpn-instance blue
[PE1-vpn-instance-blue] multicast routing-enable //Enable multicast routing in VPN instance blue.
[PE1-vpn-instance-blue] multicast-domain share-group 239.1.1.1 binding mtunnel 0 //Specify 239.1.1.1 as the Share-Group for VPN instance blue and bind it to multicast tunnel interface MTI0.
[PE1-vpn-instance-blue] ipv4-family
[PE1-vpn-instance-blue-af-ipv4] multicast-domain source-interface loopback 0 //Configure the MTI to use the address of Loopback0 as the default address.
[PE1-vpn-instance-blue-af-ipv4] quit
[PE1-vpn-instance-blue] quit
[PE1] ip vpn-instance white
[PE1-vpn-instance-white] multicast routing-enable //Enable multicast routing in VPN instance white.
[PE1-vpn-instance-white] multicast-domain share-group 239.1.2.1 binding mtunnel 10 //Specify 239.1.2.1 as the Share-Group for VPN instance white and bind it to multicast tunnel interface MTI10.
[PE1-vpn-instance-white] ipv4-family
[PE1-vpn-instance-white-af-ipv4] multicast-domain source-interface loopback 0 //Configure the MTI to use the address of Loopback0 as the default address.
[PE1-vpn-instance-white-af-ipv4] quit
[PE1-vpn-instance-white] quit
# Configure PE2.
[PE2] interface eth-trunk 10
[PE2-Eth-Trunk10] service type multicast-tunnel //Configure Eth-Trunk 10 as a multicast loopback interface.
[PE2-Eth-Trunk10] trunkport gigabitethernet 3/0/5 //Bind member interface GE3/0/5 to Eth-Trunk 10.
[PE2-Eth-Trunk10] quit
[PE2] ip vpn-instance blue
[PE2-vpn-instance-blue] multicast routing-enable //Enable multicast routing in VPN instance blue.
[PE2-vpn-instance-blue] multicast-domain share-group 239.1.1.1 binding mtunnel 0 //Specify 239.1.1.1 as the Share-Group for VPN instance blue and bind it to multicast tunnel interface MTI0.
[PE2-vpn-instance-blue] ipv4-family
[PE2-vpn-instance-blue-af-ipv4] multicast-domain source-interface loopback 0 //Configure the MTI to use the address of Loopback0 as the default address.
[PE2-vpn-instance-blue-af-ipv4] quit
[PE2-vpn-instance-blue] quit
[PE2] ip vpn-instance white
[PE2-vpn-instance-white] multicast routing-enable //Enable multicast routing in VPN instance white.
[PE2-vpn-instance-white] multicast-domain share-group 239.1.2.1 binding mtunnel 10 //Specify 239.1.2.1 as the Share-Group for VPN instance white and bind it to multicast tunnel interface MTI10.
[PE2-vpn-instance-white] ipv4-family
[PE2-vpn-instance-white-af-ipv4] multicast-domain source-interface loopback 0 //Configure the MTI to use the address of Loopback0 as the default address.
[PE2-vpn-instance-white-af-ipv4] quit
[PE2-vpn-instance-white] quit
- Configure the multicast function on the public and private networks.
- Verify the configuration.
After the configuration is complete, receivers on the private networks can receive multicast data from the multicast source.
Configuration Files
Configuration file of provider edge PE1
#
sysname PE1
#
router id 1.1.1.1
#
vlan batch 10 20 30
#
multicast routing-enable
#
ip vpn-instance blue
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
  multicast routing-enable
  multicast-domain source-interface LoopBack0
  multicast-domain share-group 239.1.1.1 binding mtunnel 0
#
ip vpn-instance white
 ipv4-family
  route-distinguisher 200:1
  vpn-target 222:1 export-extcommunity
  vpn-target 222:1 import-extcommunity
  multicast routing-enable
  multicast-domain source-interface LoopBack0
  multicast-domain share-group 239.1.2.1 binding mtunnel 10
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Vlanif10
 ip binding vpn-instance blue
 ip address 10.1.1.1 255.255.255.0
 pim sm
#
interface Vlanif20
 ip binding vpn-instance white
 ip address 10.1.2.1 255.255.255.0
 pim sm
#
interface Vlanif30
 ip address 10.1.3.1 255.255.255.0
 pim sm
 mpls
 mpls ldp
#
interface Eth-Trunk10
 stp disable
 service type multicast-tunnel
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface GigabitEthernet3/0/5
 eth-trunk 10
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
 pim sm
#
interface MTunnel0
 ip binding vpn-instance blue
#
interface MTunnel10
 ip binding vpn-instance white
#
bgp 100
 peer 3.3.3.3 as-number 100
 peer 3.3.3.3 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  peer 3.3.3.3 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 3.3.3.3 enable
 #
 ipv4-family vpn-instance blue
  import-route ospf 2
 #
 ipv4-family vpn-instance white
  import-route ospf 3
#
ospf 1
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 10.1.3.0 0.0.0.255
#
ospf 2 vpn-instance blue
 import-route bgp
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
#
ospf 3 vpn-instance white
 import-route bgp
 area 0.0.0.0
  network 10.1.2.0 0.0.0.255
#
pim vpn-instance blue
 c-bsr Vlanif10
 c-rp Vlanif10
#
pim vpn-instance white
 c-bsr Vlanif20
 c-rp Vlanif20
#
return
Configuration file of provider edge PE2
#
sysname PE2
#
router id 3.3.3.3
#
vlan batch 40 50 60
#
multicast routing-enable
#
ip vpn-instance blue
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
  multicast routing-enable
  multicast-domain source-interface LoopBack0
  multicast-domain share-group 239.1.1.1 binding mtunnel 0
#
ip vpn-instance white
 ipv4-family
  route-distinguisher 200:1
  vpn-target 222:1 export-extcommunity
  vpn-target 222:1 import-extcommunity
  multicast routing-enable
  multicast-domain source-interface LoopBack0
  multicast-domain share-group 239.1.2.1 binding mtunnel 10
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface Vlanif40
 ip address 10.1.4.2 255.255.255.0
 pim sm
 mpls
 mpls ldp
#
interface Vlanif50
 ip binding vpn-instance blue
 ip address 10.1.5.1 255.255.255.0
 pim sm
#
interface Vlanif60
 ip binding vpn-instance white
 ip address 10.1.6.1 255.255.255.0
 pim sm
#
interface Eth-Trunk10
 stp disable
 service type multicast-tunnel
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 50 60
#
interface GigabitEthernet3/0/0
 port link-type trunk
 port trunk allow-pass vlan 40
#
interface GigabitEthernet3/0/5
 eth-trunk 10
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
 pim sm
#
interface MTunnel0
 ip binding vpn-instance blue
#
interface MTunnel10
 ip binding vpn-instance white
#
bgp 100
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.1 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.1 enable
 #
 ipv4-family vpn-instance blue
  import-route ospf 2
 #
 ipv4-family vpn-instance white
  import-route ospf 3
#
ospf 1
 area 0.0.0.0
  network 3.3.3.3 0.0.0.0
  network 10.1.4.0 0.0.0.255
#
ospf 2 vpn-instance blue
 import-route bgp
 area 0.0.0.0
  network 10.1.5.0 0.0.0.255
#
ospf 3 vpn-instance white
 import-route bgp
 area 0.0.0.0
  network 10.1.6.0 0.0.0.255
#
return
Configuration file of provider intermediate device P
#
sysname P
#
router id 2.2.2.2
#
vlan batch 30 40
#
multicast routing-enable
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif30
 ip address 10.1.3.2 255.255.255.0
 pim sm
 mpls
 mpls ldp
#
interface Vlanif40
 ip address 10.1.4.1 255.255.255.0
 pim sm
 mpls
 mpls ldp
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface GigabitEthernet3/0/0
 port link-type trunk
 port trunk allow-pass vlan 40
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
 pim sm
#
ospf 1
 area 0.0.0.0
  network 2.2.2.2 0.0.0.0
  network 10.1.3.0 0.0.0.255
  network 10.1.4.0 0.0.0.255
#
pim
 c-bsr LoopBack0
 c-rp LoopBack0
#
return
Configuration file of branches' aggregate egress MCE1
#
sysname MCE1
#
vlan batch 10 20 100 200
#
multicast routing-enable
#
ip vpn-instance blue
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
  multicast routing-enable
#
ip vpn-instance white
 ipv4-family
  route-distinguisher 200:1
  vpn-target 222:1 export-extcommunity
  vpn-target 222:1 import-extcommunity
  multicast routing-enable
#
interface Vlanif10
 ip binding vpn-instance blue
 ip address 10.1.1.2 255.255.255.0
 pim sm
#
interface Vlanif20
 ip binding vpn-instance white
 ip address 10.1.2.2 255.255.255.0
 pim sm
#
interface Vlanif100
 ip binding vpn-instance blue
 ip address 192.168.1.1 255.255.255.0
 pim sm
#
interface Vlanif200
 ip binding vpn-instance white
 ip address 192.168.2.1 255.255.255.0
 pim sm
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 200
#
ospf 1 vpn-instance blue
 vpn-instance-capability simple
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
  network 192.168.1.0 0.0.0.255
#
ospf 2 vpn-instance white
 vpn-instance-capability simple
 area 0.0.0.0
  network 10.1.2.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
#
return
Configuration file of branches' aggregate egress MCE2
#
sysname MCE2
#
vlan batch 50 60 300 400
#
multicast routing-enable
#
ip vpn-instance blue
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
  multicast routing-enable
#
ip vpn-instance white
 ipv4-family
  route-distinguisher 200:1
  vpn-target 222:1 export-extcommunity
  vpn-target 222:1 import-extcommunity
  multicast routing-enable
#
interface Vlanif50
 ip binding vpn-instance blue
 ip address 10.1.5.2 255.255.255.0
 pim sm
#
interface Vlanif60
 ip binding vpn-instance white
 ip address 10.1.6.2 255.255.255.0
 pim sm
#
interface Vlanif300
 ip binding vpn-instance blue
 ip address 192.168.3.1 255.255.255.0
 pim sm
#
interface Vlanif400
 ip binding vpn-instance white
 ip address 192.168.4.1 255.255.255.0
 pim sm
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 50 60
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 300
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 400
#
ospf 1 vpn-instance blue
 vpn-instance-capability simple
 area 0.0.0.0
  network 10.1.5.0 0.0.0.255
  network 192.168.3.0 0.0.0.255
#
ospf 2 vpn-instance white
 vpn-instance-capability simple
 area 0.0.0.0
  network 10.1.6.0 0.0.0.255
  network 192.168.4.0 0.0.0.255
#
return
Configuration file of CE1, egress for a site of service A
#
sysname CE1
#
vlan batch 100 to 101
#
multicast routing-enable
#
interface Vlanif100
 ip address 192.168.1.2 255.255.255.0
 pim sm
#
interface Vlanif101
 ip address 192.168.11.1 255.255.255.0
 pim sm
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 101
#
ospf 1
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
  network 192.168.11.0 0.0.0.255
#
return
Configuration file of CE2, egress for a site of service B
#
sysname CE2
#
vlan batch 200 to 201
#
multicast routing-enable
#
interface Vlanif200
 ip address 192.168.2.2 255.255.255.0
 pim sm
#
interface Vlanif201
 ip address 192.168.12.1 255.255.255.0
 pim sm
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 200
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 201
#
ospf 1
 area 0.0.0.0
  network 192.168.2.0 0.0.0.255
  network 192.168.12.0 0.0.0.255
#
return
Configuration file of CE3, egress for a site of service A
#
sysname CE3
#
vlan batch 300 to 301
#
multicast routing-enable
#
interface Vlanif300
 ip address 192.168.3.2 255.255.255.0
 pim sm
#
interface Vlanif301
 ip address 192.168.13.1 255.255.255.0
 pim sm
 igmp enable
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 300
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 301
#
ospf 1
 area 0.0.0.0
  network 192.168.3.0 0.0.0.255
  network 192.168.13.0 0.0.0.255
#
return
Configuration file of CE4, egress for a site of service B
#
sysname CE4
#
vlan batch 400 to 401
#
multicast routing-enable
#
interface Vlanif400
 ip address 192.168.4.2 255.255.255.0
 pim sm
#
interface Vlanif401
 ip address 192.168.14.1 255.255.255.0
 pim sm
 igmp enable
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 400
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 401
#
ospf 1
 area 0.0.0.0
  network 192.168.4.0 0.0.0.255
  network 192.168.14.0 0.0.0.255
#
return
Example for Configuring L3VPN and VRRP
L3VPN and VRRP Overview
L3VPN is suitable for communication between the headquarters and branches in different locations. As communication data needs to traverse the backbone network of the ISP, BGP is used to advertise VPN routes and MPLS is used to forward VPN packets on the backbone network. As different departments of an enterprise need to be isolated, BGP/MPLS IP VPN can implement route isolation, address space isolation, and access isolation between different VPNs.
Generally, all hosts on the same network segment have the same default route with the gateway address as the next hop address. The hosts use the default route to send packets to the gateway and the gateway forwards the packets to other network segments. When the gateway fails, the hosts with the same default route cannot communicate with external networks. Configuring multiple egress gateways is a common method to improve system reliability. However, route selection between the gateways becomes an issue.
VRRP solves the problem. VRRP virtualizes multiple routing devices into a virtual router without changing the networking, and uses the virtual router IP address as the default gateway address to implement gateway backup. When the master in the virtual router fails, VRRP uses a backup to transmit service traffic.
- Preemption mode: A backup preempts the master role when its priority is higher than that of the master.
- Non-preemption mode: As long as the master is working properly, a backup with a higher priority does not become the master.
Configuration Notes
- Ensure that each device of the same VRRP group is configured with the same VRID.
- In V200R003 and earlier versions, VRRP can be configured only on the VLANIF interface.
- In V200R005 and later versions, VRRP can be configured on the VLANIF interface and Layer 3 Ethernet interface.
- For a modular switch in V200R006 and later versions, VRRP can be configured on the VLANIF interface, Layer 3 Ethernet interface, Dot1q termination sub-interface, and QinQ termination sub-interface.
- For a fixed switch in V200R009 and later versions, VRRP can be configured on the VLANIF interface, Layer 3 Ethernet interface, and sub-interface.
- This example applies to the following products and versions:
- S5700-HI, S5710-EI: V200R002C00 and later versions
- S5720-EI: V200R009C00 and later versions
- S5720-HI: V200R007C10 and later versions
- S5710-HI, S5730-HI, S5731-H, S5731S-H, S5732-H: For the applicable versions, see Table 3-1 in the section "Applicable Products and Versions."
- S5731-S, S6730-S: V200R022C00 and later versions
- S6700-EI: V200R005(C00&C01)
- S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730S-H: For the applicable versions, see Table 3-1 in the section "Applicable Products and Versions."
- S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712: For the applicable versions, see Table 3-1 in the section "Applicable Products and Versions."
- The SA series cards do not support the BGP/MPLS IP VPN function. The X1E series cards of V200R006C00 and later versions support the BGP/MPLS IP VPN function.
To view detailed information about software mappings, visit Info-Finder, select a product series or product model, and click Hardware Center.
Networking Requirements
Normally, CE1 uses PE1 as the default gateway to communicate with CE2. When PE1 becomes faulty, PE2 takes over from PE1, implementing gateway redundancy.
After PE1 recovers, it preempts the master role and resumes transmitting data after a preemption delay of 20s.
In this scenario, to avoid loops, ensure that all connected interfaces have STP disabled and connected interfaces are removed from VLAN 1. If STP is enabled and VLANIF interfaces of switches are used to construct a Layer 3 ring network, an interface on the network will be blocked. As a result, Layer 3 services on the network cannot run normally.
| Device | Interface | VLANIF Interface | IP Address |
|---|---|---|---|
| PE1 | GE1/0/1 | VLANIF 300 | 192.168.1.1/24 |
| PE1 | GE1/0/2 | VLANIF 100 | 10.1.1.1/24 |
| PE1 | GE1/0/5 | VLANIF 100 | 10.1.1.1/24 |
| PE2 | GE1/0/1 | VLANIF 200 | 192.168.2.1/24 |
| PE2 | GE1/0/2 | VLANIF 100 | 10.1.1.2/24 |
| PE2 | GE1/0/5 | VLANIF 100 | 10.1.1.2/24 |
| PE3 | GE1/0/1 | VLANIF 300 | 192.168.1.2/24 |
| PE3 | GE1/0/2 | VLANIF 200 | 192.168.2.2/24 |
| PE3 | GE1/0/3 | VLANIF 400 | 172.16.1.100/24 |
| CE1 | GE1/0/3 | VLANIF 100 | 10.1.1.100/24 |
| CE2 | GE1/0/3 | VLANIF 400 | 172.16.1.200/24 |
Configuration Roadmap
VRRP is configured to implement gateway redundancy on the L3VPN. The configuration roadmap is as follows:
- Configure OSPF between PEs to implement IP connectivity on the backbone network.
- Configure basic MPLS functions and MPLS LDP on PEs so that MPLS LSPs can be established to transmit VPN data.
- Configure VPN instances on PEs to implement connectivity between VPNs. Bind VPN instances to PE interfaces connected to CEs so that VPN users can be connected.
- Configure MP-IBGP between PE1 and PE3, and between PE2 and PE3 to exchange VPN routing information.
- Configure EBGP between CEs and PEs to exchange VPN routing information.
- Configure a loop prevention protocol on PE1, PE2, and the switch to prevent loops. Here, MSTP is used.
- Configure a VRRP group on PE1 and PE2. Set a higher priority for PE1 so that PE1 functions as the master to forward traffic, and set the preemption delay to 20s on PE1. Set a lower priority for PE2 so that PE2 functions as the backup.
Procedure
- Configure an IGP protocol on the MPLS backbone network so that the PEs can communicate with each other.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan 300
[PE1-vlan300] quit
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port link-type hybrid
[PE1-GigabitEthernet1/0/1] port hybrid pvid vlan 300
[PE1-GigabitEthernet1/0/1] port hybrid untagged vlan 300
[PE1-GigabitEthernet1/0/1] quit
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] interface vlanif 300
[PE1-Vlanif300] ip address 192.168.1.1 24
[PE1-Vlanif300] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan 200
[PE2-vlan200] quit
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] port link-type hybrid
[PE2-GigabitEthernet1/0/1] port hybrid pvid vlan 200
[PE2-GigabitEthernet1/0/1] port hybrid untagged vlan 200
[PE2-GigabitEthernet1/0/1] quit
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.2 32
[PE2-LoopBack1] quit
[PE2] interface vlanif 200
[PE2-Vlanif200] ip address 192.168.2.1 24
[PE2-Vlanif200] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
# Configure PE3.
<HUAWEI> system-view
[HUAWEI] sysname PE3
[PE3] vlan batch 200 300
[PE3] interface gigabitethernet 1/0/1
[PE3-GigabitEthernet1/0/1] port link-type hybrid
[PE3-GigabitEthernet1/0/1] port hybrid pvid vlan 300
[PE3-GigabitEthernet1/0/1] port hybrid untagged vlan 300
[PE3-GigabitEthernet1/0/1] quit
[PE3] interface gigabitethernet 1/0/2
[PE3-GigabitEthernet1/0/2] port link-type hybrid
[PE3-GigabitEthernet1/0/2] port hybrid pvid vlan 200
[PE3-GigabitEthernet1/0/2] port hybrid untagged vlan 200
[PE3-GigabitEthernet1/0/2] quit
[PE3] interface loopback 1
[PE3-LoopBack1] ip address 3.3.3.3 32
[PE3-LoopBack1] quit
[PE3] interface vlanif 200
[PE3-Vlanif200] ip address 192.168.2.2 24
[PE3-Vlanif200] quit
[PE3] interface vlanif 300
[PE3-Vlanif300] ip address 192.168.1.2 24
[PE3-Vlanif300] quit
[PE3] ospf 1
[PE3-ospf-1] area 0
[PE3-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[PE3-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[PE3-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE3-ospf-1-area-0.0.0.0] quit
[PE3-ospf-1] quit
- Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 300
[PE1-Vlanif300] mpls
[PE1-Vlanif300] mpls ldp
[PE1-Vlanif300] quit
# Configure PE2.
[PE2] mpls lsr-id 2.2.2.2
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 200
[PE2-Vlanif200] mpls
[PE2-Vlanif200] mpls ldp
[PE2-Vlanif200] quit
# Configure PE3.
[PE3] mpls lsr-id 3.3.3.3
[PE3] mpls
[PE3-mpls] quit
[PE3] mpls ldp
[PE3-mpls-ldp] quit
[PE3] interface vlanif 200
[PE3-Vlanif200] mpls
[PE3-Vlanif200] mpls ldp
[PE3-Vlanif200] quit
[PE3] interface vlanif 300
[PE3-Vlanif300] mpls
[PE3-Vlanif300] mpls ldp
[PE3-Vlanif300] quit
- Configure a VPN instance on each PE and connect CEs to PEs.
# Configure the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type hybrid
[Switch-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type hybrid
[Switch-GigabitEthernet1/0/3] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/3] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/3] quit
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] port link-type hybrid
[PE1-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[PE1-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/5
[PE1-GigabitEthernet1/0/5] port link-type hybrid
[PE1-GigabitEthernet1/0/5] port hybrid pvid vlan 100
[PE1-GigabitEthernet1/0/5] port hybrid untagged vlan 100
[PE1-GigabitEthernet1/0/5] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] ip binding vpn-instance vpna
[PE1-Vlanif100] ip address 10.1.1.1 24
[PE1-Vlanif100] quit
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 100:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] vlan 100
[PE2-vlan100] quit
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] port link-type hybrid
[PE2-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[PE2-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[PE2-GigabitEthernet1/0/2] quit
[PE2] interface gigabitethernet 1/0/5
[PE2-GigabitEthernet1/0/5] port link-type hybrid
[PE2-GigabitEthernet1/0/5] port hybrid pvid vlan 100
[PE2-GigabitEthernet1/0/5] port hybrid untagged vlan 100
[PE2-GigabitEthernet1/0/5] quit
[PE2] interface vlanif 100
[PE2-Vlanif100] ip binding vpn-instance vpna
[PE2-Vlanif100] ip address 10.1.1.2 24
[PE2-Vlanif100] quit
# Configure PE3.
[PE3] ip vpn-instance vpna
[PE3-vpn-instance-vpna] route-distinguisher 100:1
[PE3-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE3-vpn-instance-vpna-af-ipv4] quit
[PE3-vpn-instance-vpna] quit
[PE3] vlan 400
[PE3-vlan400] quit
[PE3] interface gigabitethernet 1/0/3
[PE3-GigabitEthernet1/0/3] port link-type hybrid
[PE3-GigabitEthernet1/0/3] port hybrid pvid vlan 400
[PE3-GigabitEthernet1/0/3] port hybrid untagged vlan 400
[PE3-GigabitEthernet1/0/3] quit
[PE3] interface vlanif 400
[PE3-Vlanif400] ip binding vpn-instance vpna
[PE3-Vlanif400] ip address 172.16.1.100 24
[PE3-Vlanif400] quit
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan 100
[CE1-vlan100] quit
[CE1] interface gigabitethernet 1/0/3
[CE1-GigabitEthernet1/0/3] port link-type hybrid
[CE1-GigabitEthernet1/0/3] port hybrid pvid vlan 100
[CE1-GigabitEthernet1/0/3] port hybrid untagged vlan 100
[CE1-GigabitEthernet1/0/3] quit
[CE1] interface vlanif 100
[CE1-Vlanif100] ip address 10.1.1.100 24
[CE1-Vlanif100] quit
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan 400
[CE2-vlan400] quit
[CE2] interface gigabitethernet 1/0/3
[CE2-GigabitEthernet1/0/3] port link-type hybrid
[CE2-GigabitEthernet1/0/3] port hybrid pvid vlan 400
[CE2-GigabitEthernet1/0/3] port hybrid untagged vlan 400
[CE2-GigabitEthernet1/0/3] quit
[CE2] interface vlanif 400
[CE2-Vlanif400] ip address 172.16.1.200 24
[CE2-Vlanif400] quit
- Set up EBGP peer relationships between PEs and CEs and import VPN routes.
# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.111 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit
# Configure CE2.
[CE2] bgp 65430
[CE2-bgp] peer 172.16.1.100 as-number 100
[CE2-bgp] import-route direct
[CE2-bgp] quit
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.100 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpna
[PE2-bgp-vpna] peer 10.1.1.100 as-number 65410
[PE2-bgp-vpna] import-route direct
[PE2-bgp-vpna] quit
[PE2-bgp] quit
# Configure PE3.
[PE3] bgp 100
[PE3-bgp] ipv4-family vpn-instance vpna
[PE3-bgp-vpna] peer 172.16.1.200 as-number 65430
[PE3-bgp-vpna] import-route direct
[PE3-bgp-vpna] quit
[PE3-bgp] quit
- Set up MP-IBGP peer relationships between PEs.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.3 as-number 100
[PE1-bgp] peer 3.3.3.3 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.3 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 3.3.3.3 as-number 100
[PE2-bgp] peer 3.3.3.3 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 3.3.3.3 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
# Configure PE3.
[PE3] bgp 100
[PE3-bgp] peer 1.1.1.1 as-number 100
[PE3-bgp] peer 2.2.2.2 as-number 100
[PE3-bgp] peer 1.1.1.1 connect-interface loopback 1
[PE3-bgp] peer 2.2.2.2 connect-interface loopback 1
[PE3-bgp] ipv4-family vpnv4
[PE3-bgp-af-vpnv4] peer 1.1.1.1 enable
[PE3-bgp-af-vpnv4] peer 2.2.2.2 enable
[PE3-bgp-af-vpnv4] quit
[PE3-bgp] quit
- Configure MSTP to block the link between PE2 and the switch and prevent loops.
# Configure PE1 to work in MSTP mode.
[PE1] stp mode mstp
# Configure PE2 to work in MSTP mode.
[PE2] stp mode mstp
# Configure the switch to work in MSTP mode.
[Switch] stp mode mstp
# Configure PE1 as the root bridge.
[PE1] stp root primary
# Configure PE2 as the secondary root bridge.
[PE2] stp root secondary
# Set the path cost of the port connecting PE2 and the switch to 400000 to block the link between PE2 and the switch.
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] stp cost 400000
[PE2-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] stp cost 400000
[Switch-GigabitEthernet1/0/2] quit
# Disable STP on GigabitEthernet1/0/3 connecting the switch and CE1.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] stp disable
[Switch-GigabitEthernet1/0/3] quit
# Enable STP on PE1 globally.
[PE1] stp enable
# Enable STP on PE2 globally.
[PE2] stp enable
# Enable STP on the switch globally.
[Switch] stp enable
# After the configuration is complete, run the display stp brief command on the switch. You can see that GE1/0/2 is the alternate port and in DISCARDING state.
[Switch] display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet1/0/1        ROOT  FORWARDING      NONE
   0    GigabitEthernet1/0/2        ALTE  DISCARDING      NONE
- Configure a VRRP group.
# Configure VRRP group 1 on PE1, and set the priority of PE1 to 120 and the preemption delay to 20s.
[PE1] interface vlanif 100
[PE1-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111 //Create VRRP group 1.
[PE1-Vlanif100] vrrp vrid 1 priority 120 //Set the priority to 120.
[PE1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 20 //Set the preemption delay to 20s.
[PE1-Vlanif100] quit
# Configure VRRP group 1 on PE2. PE2 uses the default priority 100.
[PE2] interface vlanif 100
[PE2-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111 //Create VRRP group 1.
[PE2-Vlanif100] quit
- Verify the configuration.
# After the configuration is complete, run the display vrrp command on PE1 and PE2. You can see that PE1 is in Master state and PE2 is in Backup state.
[PE1] display vrrp
  Vlanif100 | Virtual Router 1
    State : Master
    Virtual IP : 10.1.1.111
    Master IP : 10.1.1.1
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 120
    Preempt : YES   Delay Time : 20 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : normal-vrrp
    Backup-forward : disabled
    Create time : 2012-01-12 20:15:46
    Last change time : 2012-01-12 20:15:46
[PE2] display vrrp
  Vlanif100 | Virtual Router 1
    State : Backup
    Virtual IP : 10.1.1.111
    Master IP : 10.1.1.1
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES   Delay Time : 0 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : normal-vrrp
    Backup-forward : disabled
    Create time : 2012-01-12 20:15:46
    Last change time : 2012-01-12 20:15:46
# Run the shutdown command on GE1/0/2 and GE1/0/5 of PE1 to simulate a link fault.
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] shutdown
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/5
[PE1-GigabitEthernet1/0/5] shutdown
[PE1-GigabitEthernet1/0/5] quit
# Run the display vrrp command on PE2 to check the VRRP status. The command output shows that PE2 is in Master state.
[PE2] display vrrp
  Vlanif100 | Virtual Router 1
    State : Master
    Virtual IP : 10.1.1.111
    Master IP : 10.1.1.2
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 100
    Preempt : YES   Delay Time : 0 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : normal-vrrp
    Backup-forward : disabled
    Create time : 2012-01-12 20:15:46
    Last change time : 2012-01-12 20:18:40
# Run the undo shutdown command on GE1/0/2 and GE1/0/5 of PE1. After 20s, run the display vrrp command on PE1 to check the VRRP status. PE1 has returned to the Master state.
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] undo shutdown
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/5
[PE1-GigabitEthernet1/0/5] undo shutdown
[PE1-GigabitEthernet1/0/5] quit
[PE1] display vrrp
  Vlanif100 | Virtual Router 1
    State : Master
    Virtual IP : 10.1.1.111
    Master IP : 10.1.1.1
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 120
    Preempt : YES   Delay Time : 20 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : normal-vrrp
    Backup-forward : disabled
    Create time : 2012-01-12 20:15:46
    Last change time : 2012-01-12 20:20:56
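The verification step above can be scripted when the display vrrp output of both PEs is collected. The following Python code is an added example, not part of the original document: it parses that output and reports a VRRP group with no Master, with more than one Master, or with a higher-priority Backup that is still waiting out its preemption delay. The function names and the recovering and split samples are constructed for illustration; only the normal case reproduces values shown above.

```python
import re
from collections import defaultdict

HEADER = re.compile(r"(\S+)\s*\|\s*Virtual Router\s+(\d+)")
FIELDS = {
    "state": r"\bState\s*:\s*(\w+)",
    "virtual_ip": r"Virtual IP\s*:\s*([\d.]+)",
    "master_ip": r"Master IP\s*:\s*([\d.]+)",
    "priority": r"PriorityRun\s*:\s*(\d+)",
    "preempt": r"Preempt\s*:\s*(\w+)",
    "delay": r"Delay Time\s*:\s*(\d+)",
}


def parse_display_vrrp(text):
    """Return one dict per 'Interface | Virtual Router N' block in the output."""
    heads = list(HEADER.finditer(text))
    groups = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]
        entry = {"interface": head.group(1), "vrid": int(head.group(2))}
        for name, pattern in FIELDS.items():
            found = re.search(pattern, body)
            entry[name] = found.group(1) if found else None
        groups.append(entry)
    return groups


def check_groups(outputs):
    """outputs maps device name -> display vrrp text; returns a list of findings."""
    members = defaultdict(list)
    for device, text in outputs.items():
        for group in parse_display_vrrp(text):
            members[(group["interface"], group["vrid"])].append((device, group))
    findings = []
    for (ifname, vrid), devs in sorted(members.items()):
        tag = f"{ifname} vrid {vrid}"
        masters = sorted(d for d, g in devs if g["state"] == "Master")
        if not masters:
            findings.append(f"{tag}: no Master, the virtual gateway is down")
        elif len(masters) > 1:
            findings.append(f"{tag}: more than one Master: {', '.join(masters)}")
        if len({g["virtual_ip"] for _, g in devs}) > 1:
            findings.append(f"{tag}: members disagree on the virtual IP")
        if len({g["master_ip"] for _, g in devs}) > 1:
            findings.append(f"{tag}: members disagree on the Master IP")
        if len(masters) == 1:
            # A Backup that outranks the Master is expected only during its delay.
            top = next(int(g["priority"] or 0) for _, g in devs
                       if g["state"] == "Master")
            for dev, g in devs:
                if g["state"] == "Backup" and int(g["priority"] or 0) > top:
                    if g["preempt"] == "YES":
                        findings.append(f"{tag}: {dev} outranks the Master and "
                                        f"preempts after its {g['delay']} s delay")
                    else:
                        findings.append(f"{tag}: {dev} outranks the Master "
                                        f"but preemption is off")
    return findings


def sample(state, master_ip, priority, delay):
    """Constructed text in the field layout of the display vrrp output above."""
    return (f"Vlanif100 | Virtual Router 1\n"
            f"  State : {state}\n"
            f"  Virtual IP : 10.1.1.111\n"
            f"  Master IP : {master_ip}\n"
            f"  PriorityRun : {priority}\n"
            f"  Preempt : YES   Delay Time : {delay} s\n")


# Values from the verification step: PE1 is Master, PE2 is Backup.
NORMAL = {"PE1": sample("Master", "10.1.1.1", 120, 20),
          "PE2": sample("Backup", "10.1.1.1", 100, 0)}
# Constructed: PE1's links are back up but its 20 s delay has not expired.
RECOVERING = {"PE1": sample("Backup", "10.1.1.2", 120, 20),
              "PE2": sample("Master", "10.1.1.2", 100, 0)}
# Constructed: both PEs claim Master because neither hears the other.
SPLIT = {"PE1": sample("Master", "10.1.1.1", 120, 20),
         "PE2": sample("Master", "10.1.1.2", 100, 0)}

if __name__ == "__main__":
    for name, case in (("normal", NORMAL), ("recovering", RECOVERING),
                       ("split", SPLIT)):
        print(name, check_groups(case) or "consistent")
```

The field patterns do not depend on line breaks, so the parser also accepts output that was captured as a single line.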
Configuration Files
Configuration file of PE1
#
sysname PE1
#
vlan batch 100 300
#
stp instance 0 root primary
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Vlanif100
 ip binding vpn-instance vpna
 ip address 10.1.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.111
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 20
#
interface Vlanif300
 ip address 192.168.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid pvid vlan 300
 port hybrid untagged vlan 300
#
interface GigabitEthernet1/0/2
 port link-type hybrid
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
#
interface GigabitEthernet1/0/5
 port link-type hybrid
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
#
interface LoopBack1
 ip address 1.1.1.1 255.255.255.255
#
bgp 100
 peer 3.3.3.3 as-number 100
 peer 3.3.3.3 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 3.3.3.3 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 3.3.3.3 enable
 #
 ipv4-family vpn-instance vpna
  import-route direct
  peer 10.1.1.100 as-number 65410
#
ospf 1
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 192.168.1.0 0.0.0.255
#
return
Configuration file of PE2
#
sysname PE2
#
vlan batch 100 200
#
stp instance 0 root secondary
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif100
 ip binding vpn-instance vpna
 ip address 10.1.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.111
#
interface Vlanif200
 ip address 192.168.2.1 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid pvid vlan 200
 port hybrid untagged vlan 200
#
interface GigabitEthernet1/0/2
 port link-type hybrid
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
 stp instance 0 cost 400000
#
interface GigabitEthernet1/0/5
 port link-type hybrid
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
#
interface LoopBack1
 ip address 2.2.2.2 255.255.255.255
#
bgp 100
 peer 3.3.3.3 as-number 100
 peer 3.3.3.3 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 3.3.3.3 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 3.3.3.3 enable
 #
 ipv4-family vpn-instance vpna
  import-route direct
  peer 10.1.1.100 as-number 65410
#
ospf 1
 area 0.0.0.0
  network 2.2.2.2 0.0.0.0
  network 192.168.2.0 0.0.0.255
#
return
Configuration file of PE3
#
sysname PE3
#
vlan batch 200 300 400
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface Vlanif200
 ip address 192.168.2.2 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif300
 ip address 192.168.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif400
 ip binding vpn-instance vpna
 ip address 172.16.1.100 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid pvid vlan 300
 port hybrid untagged vlan 300
#
interface GigabitEthernet1/0/2
 port link-type hybrid
 port hybrid pvid vlan 200
 port hybrid untagged vlan 200
#
interface GigabitEthernet1/0/3
 port link-type hybrid
 port hybrid pvid vlan 400
 port hybrid untagged vlan 400
#
interface LoopBack1
 ip address 3.3.3.3 255.255.255.255
#
bgp 100
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack1
 peer 2.2.2.2 as-number 100
 peer 2.2.2.2 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.1 enable
  peer 2.2.2.2 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.1 enable
  peer 2.2.2.2 enable
 #
 ipv4-family vpn-instance vpna
  import-route direct
  peer 172.16.1.200 as-number 65430
#
ospf 1
 area 0.0.0.0
  network 3.3.3.3 0.0.0.0
  network 192.168.1.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
#
return
Configuration file of the switch
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
#
interface GigabitEthernet1/0/2
 port link-type hybrid
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
 stp instance 0 cost 400000
#
interface GigabitEthernet1/0/3
 port link-type hybrid
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
 stp disable
#
return
Configuration file of CE1
#
sysname CE1
#
vlan batch 100
#
interface Vlanif100
 ip address 10.1.1.100 255.255.255.0
#
interface GigabitEthernet1/0/3
 port link-type hybrid
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
#
bgp 65410
 peer 10.1.1.111 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.1.1.111 enable
#
return
Configuration file of CE2
#
sysname CE2
#
vlan batch 400
#
interface Vlanif400
 ip address 172.16.1.200 255.255.255.0
#
interface GigabitEthernet1/0/3
 port link-type hybrid
 port hybrid pvid vlan 400
 port hybrid untagged vlan 400
#
bgp 65430
 peer 172.16.1.100 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 172.16.1.100 enable
#
return
Example for Configuring Routing Policies to Control Mutual Access Between L3VPN Users
Overview
BGP/MPLS IP VPN is an MPLS-based L3VPN that can be flexibly deployed and easily extended, and is suitable for deployment on a large scale. BGP/MPLS IP VPN technology can be used to implement secure communication or isolation between branches in different locations.
Routing policies are used to filter routes and set route attributes. You can change route attributes to change a route over which network traffic is transmitted.
BGP/MPLS IP VPN can be combined with routing policies to control the receiving and advertisement of VPN routes, implementing mutual access between specific branch users.
Configuration Notes
- This example applies to the following products and versions:
- S5700-HI, S5710-EI: V200R002C00 and later versions
- S5720-EI: V200R009C00 and later versions
- S5720-HI: V200R007C10 and later versions
- S5710-HI, S5730-HI, S5731-H, S5731S-H, S5732-H: For the applicable versions, see Table 3-1 in the section "Applicable Products and Versions."
- S5731-S, S6730-S: V200R022C00 and later versions
- S6700-EI: V200R005(C00&C01)
- S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730S-H: For the applicable versions, see Table 3-1 in the section "Applicable Products and Versions."
- S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712: For the applicable versions, see Table 3-1 in the section "Applicable Products and Versions."
- The SA series cards do not support the BGP/MPLS IP VPN function. The X1E series cards of V200R006C00 and later versions support the BGP/MPLS IP VPN function.
To view detailed information about software mappings, visit Info-Finder, select a product series or product model, and click Hardware Center.
Networking Requirements
As shown in Figure 3-137, CE1 is connected to the branch Site 1, and CE2 is connected to the branch Site 2. Site 1 and Site 2 communicate with each other over the ISP backbone network. The enterprise requires that L3VPN users on some network segments can securely communicate with each other to meet service requirements.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure OSPF between the PE devices to ensure IP connectivity on the backbone network.
- Enable basic MPLS capabilities and MPLS LDP on the PE devices to set up MPLS LSP tunnels for VPN data transmission on the backbone network.
- Create VPN instances on the PE devices, bind CE interfaces to the VPN instances, and assign different VPN targets to the VPN instances to isolate users from different branches.
- Configure routing policies on the PE devices and change the VPN targets of routes filtered out based on specified routing policies to implement communication between branch users on a specified network segment.
- Set up EBGP peer relationships between the CE and PE devices so that they can exchange VPN routing information.
- Configure MP-IBGP between the PE devices to enable them to exchange VPN routing information.
Procedure
- Configure an IGP protocol on the MPLS backbone network so that the PE devices can communicate with each other.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] vlan batch 10 100
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 100
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] ip address 172.10.1.1 24
[PE1-Vlanif100] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.10.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.9 32
[PE2-LoopBack1] quit
[PE2] vlan batch 10 100
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type trunk
[PE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type trunk
[PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 100
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface vlanif 100
[PE2-Vlanif100] ip address 172.10.1.2 24
[PE2-Vlanif100] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 172.10.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration is complete, run the display ospf peer command. The command output shows that an OSPF neighbor relationship has been set up between PE1 and PE2, and the neighbor status is Full. Run the display ip routing-table command on PE1 and PE2, and you can see that PE1 and PE2 have learned the routes to each other's Loopback1 address.
- Enable basic MPLS capabilities and MPLS LDP on the PE devices to set up LDP LSPs on the MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] mpls
[PE1-Vlanif100] mpls ldp
[PE1-Vlanif100] quit
# Configure PE2.
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 100
[PE2-Vlanif100] mpls
[PE2-Vlanif100] mpls ldp
[PE2-Vlanif100] quit
After the configuration is complete, PE1 and PE2 have established LDP sessions. Run the display mpls ldp session command, and you can see that the LDP session status is Operational.
- Configure a VPN instance on each PE device and connect the CE devices to the PE devices.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip binding vpn-instance vpna
[PE1-Vlanif10] ip address 192.168.1.1 24
[PE1-Vlanif10] quit
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 222:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] ip binding vpn-instance vpna
[PE2-Vlanif10] ip address 192.168.2.1 24
[PE2-Vlanif10] quit
# Assign IP addresses to interfaces on CE1 and CE2 according to Figure 3-137.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 192.168.1.2 24
[CE1-Vlanif10] quit

<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 10
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port link-type trunk
[CE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 192.168.2.2 24
[CE2-Vlanif10] quit
After the configuration is complete, run the display ip vpn-instance verbose command on PE1 and PE2 to view the VPN instance configuration. Each PE device can ping the CE device attached to it.
If a PE device has multiple interfaces bound to the same VPN instance, you need to specify a source IP address when pinging the CE device connected to the remote PE device. To specify the source IP address, set the -a source-ip-address parameter in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command. If no source IP address is specified, the ping operation fails.
- Configure routing policies.
# Configure PE1.
[PE1] ip ip-prefix ipPrefix1 index 10 permit 192.168.1.0 24 greater-equal 24 less-equal 32
[PE1] route-policy vpnroute permit node 1
[PE1-route-policy] if-match ip-prefix ipPrefix1
[PE1-route-policy] apply extcommunity rt 222:1
[PE1-route-policy] quit
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] export route-policy vpnroute
[PE1-vpn-instance-vpna] quit
# Configure PE2.
[PE2] ip ip-prefix ipPrefix1 index 10 permit 192.168.2.0 24 greater-equal 24 less-equal 32
[PE2] route-policy vpnroute permit node 1
[PE2-route-policy] if-match ip-prefix ipPrefix1
[PE2-route-policy] apply extcommunity rt 111:1
[PE2-route-policy] quit
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] export route-policy vpnroute
[PE2-vpn-instance-vpna] quit
- Set up EBGP peer relationships between the PE and CE devices and import VPN routes.
# Configure CE1. The configuration of CE2 is similar to that of CE1 and is not provided here.
[CE1] bgp 65410
[CE1-bgp] peer 192.168.1.1 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit
# Configure PE1. The configuration of PE2 is similar to that of PE1 and is not provided here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 192.168.1.2 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] quit
After the configuration is complete, run the display bgp vpnv4 vpn-instance vpna peer command on PE1 and PE2. The output shows that the BGP peer relationships between the PE and CE devices are in the Established state.
- Set up an MP-IBGP peer relationship between PE1 and PE2.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
After the configuration is complete, run the display bgp peer or display bgp vpnv4 all peer command on PE1 and PE2. The output shows that the BGP peer relationship between the PE devices is in the Established state.
- Verify the configuration.
# Run the ping -vpn-instance command on PE1 and PE2. You can successfully ping the CE site that is attached to the peer PE device.
The display on PE1 is used as an example:
[PE1] ping -vpn-instance vpna 192.168.2.2
  PING 192.168.2.2: 56 data bytes, press CTRL_C to break
    Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=254 time=6 ms
    Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=254 time=5 ms
    Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=254 time=7 ms
    Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=254 time=6 ms
    Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=254 time=5 ms

  --- 192.168.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 5/5/7 ms
Configuration Files
Configuration file of PE1
#
sysname PE1
#
vlan batch 10 100
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  export route-policy vpnroute
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
 ip binding vpn-instance vpna
 ip address 192.168.1.1 255.255.255.0
#
interface Vlanif100
 ip address 172.10.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
bgp 100
 peer 2.2.2.9 as-number 100
 peer 2.2.2.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 2.2.2.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 2.2.2.9 enable
 #
 ipv4-family vpn-instance vpna
  import-route direct
  peer 192.168.1.2 as-number 65410
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 172.10.1.0 0.0.0.255
#
route-policy vpnroute permit node 1
 if-match ip-prefix ipPrefix1
 apply extcommunity rt 222:1
#
ip ip-prefix ipPrefix1 index 10 permit 192.168.1.0 24 greater-equal 24 less-equal 32
#
return
Configuration file of PE2
#
sysname PE2
#
vlan batch 10 100
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 200:1
  export route-policy vpnroute
  vpn-target 222:1 export-extcommunity
  vpn-target 222:1 import-extcommunity
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif10
 ip binding vpn-instance vpna
 ip address 192.168.2.1 255.255.255.0
#
interface Vlanif100
 ip address 172.10.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.9 enable
 #
 ipv4-family vpn-instance vpna
  import-route direct
  peer 192.168.2.2 as-number 65420
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 172.10.1.0 0.0.0.255
#
route-policy vpnroute permit node 1
 if-match ip-prefix ipPrefix1
 apply extcommunity rt 111:1
#
ip ip-prefix ipPrefix1 index 10 permit 192.168.2.0 24 greater-equal 24 less-equal 32
#
return
Configuration file of CE1
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
 ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
bgp 65410
 peer 192.168.1.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 192.168.1.1 enable
#
return
Configuration file of CE2
#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
 ip address 192.168.2.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
bgp 65420
 peer 192.168.2.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 192.168.2.1 enable
#
return
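
The route-target logic set up in the routing-policy step and recorded in the PE configuration files, as an added Python example (not part of the original documentation): it reads the RT-relevant lines of the PE1 and PE2 configuration and reports which exported routes the remote VPN instance imports. The function names are hypothetical, and the model assumes that apply extcommunity rt without additive replaces the export RT and that a route matched by no policy node is not exported.

```python
import ipaddress
import re

def pe_config(rd, own_rt, tagged_rt, prefix):
    """RT-relevant lines of a PE configuration file on this page (constructed sample)."""
    return f"""ip vpn-instance vpna
 ipv4-family
  route-distinguisher {rd}
  export route-policy vpnroute
  vpn-target {own_rt} export-extcommunity
  vpn-target {own_rt} import-extcommunity
route-policy vpnroute permit node 1
 if-match ip-prefix ipPrefix1
 apply extcommunity rt {tagged_rt}
ip ip-prefix ipPrefix1 index 10 permit {prefix} 24 greater-equal 24 less-equal 32
"""

PE1 = pe_config("100:1", "111:1", "222:1", "192.168.1.0")
PE2 = pe_config("200:1", "222:1", "111:1", "192.168.2.0")

def import_rts(cfg):
    return set(re.findall(r"vpn-target (\S+) import-extcommunity", cfg))

def export_rts(cfg, route):
    """RTs carried by `route` when exported (single policy, single node, as on this page)."""
    rts = set(re.findall(r"vpn-target (\S+) export-extcommunity", cfg))
    if not re.search(r"export route-policy \S+", cfg):
        return rts
    rt, additive = re.search(r"apply extcommunity rt (\S+)( additive)?", cfg).groups()
    base, length, ge, le = re.search(
        r"ip ip-prefix \S+ index \d+ permit (\S+) (\d+) greater-equal (\d+) less-equal (\d+)",
        cfg).groups()
    net = ipaddress.ip_network(route)
    permitted = (net.subnet_of(ipaddress.ip_network(f"{base}/{length}"))
                 and int(ge) <= net.prefixlen <= int(le))
    if not permitted:
        return set()  # assumption: no node matches, so the route is not exported
    # assumption: without "additive" the policy RT replaces the vpn-target export RT
    return (rts | {rt}) if additive else {rt}

def imported(src_cfg, dst_cfg, route):
    """True if the VPN instance in dst_cfg imports `route` exported by src_cfg."""
    return bool(export_rts(src_cfg, route) & import_rts(dst_cfg))

def without_policy(cfg):
    """Same configuration with the export route-policy binding removed."""
    return cfg.replace("  export route-policy vpnroute\n", "")
```

With the policy bound, imported(PE1, PE2, "192.168.1.0/24") is True; with without_policy(PE1) it is False, because 111:1 and 222:1 share no route target and the two sites stay isolated.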