Configuration Guide - VPN

S1720, S2700, S5700, and S6720 V200R010C00

This document describes the VPN configuration procedures and provides configuration examples.
Configuring Route Exchange Between PEs and CEs

Context

In a BGP/MPLS IPv6 VPN, a routing protocol must be configured between a PE and a CE to allow them to communicate and allow the CE to obtain routes to other CEs. The routing protocol can be EBGP, IBGP, static routing, RIPng, OSPFv3, or IS-ISv6. Choose one of the following configurations as required:
The routing protocol configurations on the CE and PE are different:
  • The CE is located at the client side and is unaware of the VPN. Therefore, you do not need to configure VPN parameters when configuring a routing protocol on the CE.
  • The PE is located at the edge of the carrier's network. It connects to a CE and exchanges VPN routing information with other PEs. If the CEs that access a PE belong to different VPNs, the PE must maintain different VRF tables. When configuring a routing protocol on the PE, specify the name of the VPN instance to which the routing protocol applies and configure the routing protocol and MP-BGP to import routes from each other.

Configuring EBGP Between a PE and a CE

Perform the following steps on the PEs:
Table 4-4  PE configuration

Operation

Command

Description

Enter the system view.

system-view

-

Enter the BGP view.

bgp { as-number-plain | as-number-dot }

-

Enter the BGP-VPN instance IPv6 address family view.

ipv6-family vpn-instance vpn-instance-name

-

(Optional) Configure a unique AS number for the VPN instance IPv6 address family.

as-number as-number

A VPN instance uses the AS number of BGP by default.

To smoothly re-assign a device to another AS or transmit different services in different instances, run this command to configure a different AS number for each VPN instance IPv6 address family.
NOTE:

The AS number configured in the BGP-VPN instance IPv6 address family view must be different from the AS number configured in the BGP view.

Configure a CE as a VPN peer.

peer ipv6-address as-number as-number

-

(Optional) Set the maximum number of hops of an EBGP connection.

peer { ipv6-address | group-name } ebgp-max-hop [ hop-count ]

Generally, EBGP peers are connected by a direct physical link. If no direct physical link is available, this command must be used to allow EBGP peers to establish a multi-hop TCP connection.

The default value of hop-count is 255. If the maximum number of hops is set to 1, the PE cannot establish an EBGP connection with a peer if they are not directly connected.

(Optional) Import direct routes destined for the local CE into the routing table of the VPN instance.

Use either of the following commands:
  • import-route direct [ med med | route-policy route-policy-name ] *
  • network ipv6-address prefix-length [ route-policy route-policy-name ]
The PE needs to import the routes destined for the local CE into its VPN routing table so that it can advertise the routes to the remote PE.
NOTE:

The PE can automatically learn the direct routes destined for the local CE. The learned routes take precedence over the direct routes advertised from the local CE using EBGP. If this step is not performed, the PE does not use MP-BGP to advertise the direct routes destined for the local CE to the remote PE.

(Optional) Enable BGP AS number substitution.

peer { group-name | ipv6-address } substitute-as

BGP uses AS numbers to detect routing loops. Sites located at different geographical locations must be assigned different AS numbers to ensure correct transmission of routing information. If CEs scattered at different geographical locations use the same AS number, configure BGP AS number substitution on PEs.

Enabling BGP AS number substitution may cause route loops in a CE multi-homing network.

Return to the BGP view.

quit

-

(Optional) Disable the function of adding BGP VPN routes to the IP VPN routing table.

routing-table rib-only [ route-policy route-policy-name ]

If the BGP routing table contains a large number of VPN routes, these routes consume a large amount of memory after being delivered to the IP VPN routing table. If none of these routes are used in traffic forwarding, you can run the routing-table rib-only command to prevent them from being added to the IP VPN routing table. If only some of these routes are not used in traffic forwarding, you can run the routing-table rib-only route-policy command to prevent that subset from being added to the IP VPN routing table.

If traffic is interrupted after the routing-table rib-only command is run, you can configure a static route or default route to guide traffic forwarding.

Perform the following steps on the CE:
Table 4-5  CE configuration

Operation

Command

Description

Enter the system view.

system-view

-

Enter the BGP view.

bgp { as-number-plain | as-number-dot }

-

(Optional) Set the ID of the local CE.

router-id ipv4-address

If no interface on the local CE is configured with an IPv4 address, you need to set the router ID for the local CE.

Configure a PE as a VPN peer.

peer ipv6-address as-number as-number

-

(Optional) Set the maximum number of hops of an EBGP connection.

peer { ipv6-address | group-name } ebgp-max-hop [ hop-count ]

Generally, EBGP peers are connected by a direct physical link. If no direct physical link is available, this command must be used to allow EBGP peers to establish a multi-hop TCP connection.

The default value of hop-count is 255. If the maximum number of hops is set to 1, the PE cannot establish an EBGP connection with a peer if they are not directly connected.

Enter the BGP-IPv6 unicast address family view.

ipv6-family unicast

-

Enable BGP IPv6 peers to exchange BGP routing information.

peer ipv6-address enable

-

Import routes of the local sites.

import-route { direct | static | ripng process-id | ospfv3 process-id | isis process-id } [ med med | route-policy route-policy-name ] *

The CE advertises the routes of its own VPN network segment to the connected PE. The PE forwards the routes to the remote CE. The type of route imported at this step may vary according to the networking mode.

Configuring IBGP Between a PE and a CE

Perform the following steps on the PEs:
Table 4-6  PE configuration

Operation

Command

Description

Enter the system view.

system-view

-

Enter the BGP view.

bgp { as-number-plain | as-number-dot }

-

Enter the BGP-VPN instance IPv6 address family view.

ipv6-family vpn-instance vpn-instance-name

-

Configure a CE as a VPN peer.

peer ipv6-address as-number as-number

-

(Optional) Import direct routes destined for the local CE into the routing table of the VPN instance.

Use either of the following commands:
  • import-route direct [ med med | route-policy route-policy-name ] *
  • network ipv6-address prefix-length [ route-policy route-policy-name ]
The PE needs to import the routes destined for the local CE into its VPN routing table so that it can advertise the routes to the remote PE.
NOTE:

The PE can automatically learn the direct routes destined for the local CE. The learned routes take precedence over the direct routes advertised from the local CE using EBGP. If this step is not performed, the PE does not use MP-BGP to advertise the direct routes destined for the local CE to the remote PE.

Return to the BGP view.

quit

-

(Optional) Disable the function of adding BGP VPN routes to the IP VPN routing table.

routing-table rib-only [ route-policy route-policy-name ]

If the BGP routing table contains a large number of VPN routes, these routes consume a large amount of memory after being delivered to the IP VPN routing table. If none of these routes are used in traffic forwarding, you can run the routing-table rib-only command to prevent them from being added to the IP VPN routing table. If only some of these routes are not used in traffic forwarding, you can run the routing-table rib-only route-policy command to prevent that subset from being added to the IP VPN routing table.

If traffic is interrupted after the routing-table rib-only command is run, you can configure a static route or default route to guide traffic forwarding.

Perform the following steps on the CE:
Table 4-7  CE configuration

Operation

Command

Description

Enter the system view.

system-view

-

Enter the BGP view.

bgp { as-number-plain | as-number-dot }

-

Configure a PE as a VPN peer.

peer ipv6-address as-number as-number

-

Enter the BGP-IPv6 unicast address family view.

ipv6-family unicast

-

Enable BGP IPv6 peers to exchange BGP routing information.

peer ipv6-address enable

-

Import routes of the local sites.

import-route { direct | static | ripng process-id | ospfv3 process-id | isis process-id } [ med med | route-policy route-policy-name ] *

The CE advertises the routes of its own VPN network segment to the connected PE. The PE forwards the routes to the remote CE. The type of route imported at this step may vary according to the networking mode.

Configuring a Static Route Between a PE and a CE

Configure a static route on the CE; the CE configuration is not described here. Perform the following steps on the PEs. For details about how to configure a static route, see Static Route Configuration in the S1720, S2700, S5700, and S6720 V200R010C00 Configuration Guide - IP Unicast Routing.

Table 4-8  PE configuration

Operation

Command

Description

Enter the system view.

system-view

-

Configure a static route for a specified VPN instance IPv6 address family.

ipv6 route-static vpn-instance vpn-instance-name dest-ipv6-address prefix-length { interface-type interface-number | vpn-instance vpn-destination-name nexthop-ipv6-address | nexthop-ipv6-address [ public ] } [ preference preference | tag tag ]* [ description text ]

-

Enter the BGP view.

bgp { as-number-plain | as-number-dot }

-

Enter the BGP-VPN instance IPv6 address family view.

ipv6-family vpn-instance vpn-instance-name

-

Import the configured static route to the routing table of the BGP-VPN instance IPv6 address family.

import-route static [ med med | route-policy route-policy-name ] *

After this command is run in the BGP-VPN instance IPv6 address family view, the PE will import the VPN routes learned from the connected CE into the BGP routing table and advertise VPNv6 routes to the remote PE.

Configuring RIPng Between a PE and a CE

Configure RIPng on the CE; the CE configuration is not described here. Perform the following steps on the PEs. For details on how to configure RIPng, see RIPng Configuration in the S1720, S2700, S5700, and S6720 V200R010C00 Configuration Guide - IP Unicast Routing.

Table 4-9  PE configuration

Operation

Command

Description

Enter the system view.

system-view

-

Create a RIPng process running between the PE and CE and enter the RIPng view.

ripng process-id vpn-instance vpn-instance-name

A RIPng process can be bound to only one VPN instance. If a RIPng process is not bound to any VPN instance before it is started, this process becomes a public network process and cannot be bound to a VPN instance later.

Import BGP routes.

import-route bgp [ cost cost | route-policy route-policy-name ] *

After this command is run in the RIPng view, the PE can import the VPNv6 routes learned from the remote PE into the RIPng routing table and advertise them to the connected CE.

Return to the system view.

quit

-

Enter the view of the interface connected to the CE.

interface interface-type interface-number

-

Enable RIPng on the interface.

ripng process-id enable

Before running this command, ensure that IPv6 has been enabled in the interface view.

Return to the system view.

quit

-

Enter the BGP view.

bgp { as-number-plain | as-number-dot }

-

Enter the BGP-VPN instance IPv6 address family view.

ipv6-family vpn-instance vpn-instance-name

-

Import RIPng routes into the routing table of the BGP-VPN instance IPv6 address family.

import-route ripng process-id [ med med | route-policy route-policy-name ] *

After this command is run in the BGP-VPN instance IPv6 address family view, the PE will import the VPN routes learned from the connected CE into the BGP routing table and advertise VPNv6 routes to the remote PE.

  • If a RIPng multi-instance process is deleted, RIPng will be disabled on all the interfaces in the process.
  • Deleting a VPN instance or disabling a VPN instance IPv6 address family will delete all the RIPng processes bound to the VPN instance or the VPN instance IPv6 address family on the PE.

Configuring OSPFv3 Between a PE and a CE

Configure OSPFv3 on the CE; the CE configuration is not described here. Perform the following steps on the PEs. For details on how to configure OSPFv3, see OSPF Configuration in the S1720, S2700, S5700, and S6720 V200R010C00 Configuration Guide - IP Unicast Routing.

Table 4-10  PE configuration

Operation

Command

Description

Enter the system view.

system-view

-

Create an OSPFv3 process running between the PE and CE and enter the OSPFv3 view.

ospfv3 process-id vpn-instance vpn-instance-name

An OSPFv3 process can be bound to only one VPN instance. If an OSPFv3 process is not bound to any VPN instance before it is started, this process becomes a public network process and can no longer be bound to a VPN instance.

(Optional) Configure a domain ID for the OSPFv3 process.

domain-id domain-id [ secondary ]

The domain ID of an OSPFv3 process is contained in the routes generated by the process. When OSPFv3 routes are imported into BGP, the domain ID is added to the BGP VPN routes and forwarded as the BGP extended community attribute.

There are no restrictions on the domain IDs of the OSPFv3 processes of different VPNs on a PE. The OSPFv3 processes of the same VPN must be configured with the same domain ID to ensure proper route advertisement.

The default domain ID is 0.

(Optional) Configure a VPN route tag.

route-tag tag

The VPN route tag prevents loops of Type-5 LSAs in CE dual-homing networking.

By default, the VPN route tag is calculated using the BGP AS number. If BGP is not configured, the VPN route tag is 0.

Configure the router ID.

router-id router-id

If the router ID is not specified, OSPFv3 selects the IP address of one of the interfaces bound to the VPN instance as the router ID based on a certain rule.

Import BGP routes.

import-route bgp [ cost cost | route-policy route-policy-name | tag tag | type type ] *

After this command is run in the OSPFv3 view, the PE imports the VPNv6 routes learned from the peer into OSPFv3 and advertises the routes to the connected CE.

Return to the system view.

quit

-

Enter the view of the interface that is bound to the VPN instance.

interface interface-type interface-number

-

Enable OSPFv3 on the interface.

ospfv3 process-id area area-id [ instance instance-id ]

-

Return to the system view.

quit

-

Enter the BGP view.

bgp { as-number-plain | as-number-dot }

-

Enter the BGP-VPN instance IPv6 address family view.

ipv6-family vpn-instance vpn-instance-name

-

Import OSPFv3 routes into the routing table of the BGP-VPN instance IPv6 address family.

import-route ospfv3 process-id [ med med | route-policy route-policy-name ] *

After this command is run in the BGP-VPN instance IPv6 address family view, the PE will import the VPN routes learned from the connected CE into the BGP routing table and advertise VPNv6 routes to the remote PE.

Deleting a VPN instance or disabling a VPN instance IPv6 address family will delete all the OSPF processes bound to the VPN instance or the VPN instance IPv6 address family on the PE.

Configuring IS-ISv6 Between a PE and a CE

Configure IS-IS on the CE; the CE configuration is not described here. Perform the following steps on the PEs. For details on how to configure IS-ISv6, see IPv6 IS-IS Configuration in the S1720, S2700, S5700, and S6720 V200R010C00 Configuration Guide - IP Unicast Routing.

Table 4-11  PE configuration

Operation

Command

Description

Enter the system view.

system-view

-

Create an IS-IS process running between the PE and CE and enter the IS-IS view.

isis process-id vpn-instance vpn-instance-name

An IS-IS process can be bound to only one VPN instance. If an IS-IS process is not bound to any VPN instance before it is started, this process becomes a public network process and cannot be bound to a VPN instance later.

Set a network entity title (NET) for the IS-IS process.

network-entity net

A NET specifies the current IS-IS area address and the system ID of the switch. An IS-IS process on one switch can be configured with a maximum of three NETs.

(Optional) Set the IS-IS level.

is-level { level-1 | level-1-2 | level-2 }

By default, the IS-IS level of the switch is Level-1-2.

Enable IPv6 for the IS-IS process.

ipv6 enable

Before enabling IPv6 for the IS-IS process, enable IPv6 in the system view.

Import BGP routes.

ipv6 import-route bgp inherit-cost [ tag tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ] *

BGP routes are imported.

If the IS-IS level is not specified in the command, BGP routes will be imported into the Level-2 IS-IS routing table.

After this command is run in the IS-IS view, the PE imports the VPNv6 routes learned from the remote PE to IS-IS and advertises them to the connected CE.

Return to the system view.

quit

-

Enter the view of the interface that is bound to the VPN instance.

interface interface-type interface-number

-

Enable IS-IS on the interface.

isis ipv6 enable [ process-id ]

-

Return to the system view.

quit

-

Enter the BGP view.

bgp { as-number-plain | as-number-dot }

-

Enter the BGP-VPN instance IPv6 address family view.

ipv6-family vpn-instance vpn-instance-name

-

Import IS-IS routes into the routing table of the BGP-VPN instance IPv6 address family.

import-route isis process-id [ med med | route-policy route-policy-name ] *

After this command is run in the BGP-VPN instance IPv6 address family view, the PE will import the VPN routes learned from the connected CE into the BGP routing table and advertise VPNv6 routes to the remote PE.

Deleting a VPN instance or disabling a VPN instance IPv6 address family will delete all the IS-IS processes bound to the VPN instance or the VPN instance IPv6 address family on the PE.
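
Several rules stated in the EBGP and the RIPng/OSPFv3/IS-ISv6 procedures above can be checked offline before a PE configuration is deployed: the VPN-instance AS number must differ from the BGP view's, ebgp-max-hop defaults to 255 when no hop-count is given, AS substitution can cause loops in CE multi-homing, and an IGP process bound to a VPN instance needs route import in both directions. The following Python is an added example, not Huawei code; the sample configuration, the finding names and the function audit_pe_config are constructed for illustration, and AS numbers are assumed to be written in plain format.

```python
# Added example: offline checks for a PE configuration, based on the rules in this guide.
# SAMPLE_PE_CONFIG is constructed for illustration; names, addresses and AS numbers are made up.
SAMPLE_PE_CONFIG = """\
ripng 1 vpn-instance vpna
 import-route bgp
#
ospfv3 2 vpn-instance vpnb
 router-id 10.0.0.1
#
bgp 100
 ipv6-family vpn-instance vpna
  as-number 100
  peer 2001:db8:1::2 as-number 65410
  peer 2001:db8:1::2 ebgp-max-hop
  peer 2001:db8:1::2 substitute-as
  import-route ripng 1
 ipv6-family vpn-instance vpnb
  peer 2001:db8:2::2 as-number 65420
  peer 2001:db8:2::2 ebgp-max-hop 2
"""
IGPS = ("ripng", "ospfv3", "isis")

def audit_pe_config(config):
    """Return a sorted list of (finding, subject) tuples for one PE configuration."""
    findings, igp, bgp_imports = set(), {}, {}
    top = vpn = bgp_as = None
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0] == "#":
            continue
        if not raw[0].isspace():                      # unindented line opens a new view
            top = vpn = None
            if w[0] == "bgp" and len(w) > 1:
                top, bgp_as = "bgp", w[1]
            elif w[0] in IGPS and len(w) == 4 and w[2] == "vpn-instance":
                top = (w[0], w[1])                    # IGP process bound to a VPN instance
                igp[top] = {"vpn": w[3], "imports_bgp": False}
        elif top in igp:                              # inside that IGP process view
            if "import-route bgp" in " ".join(w):
                igp[top]["imports_bgp"] = True
        elif top == "bgp":
            if w[0] == "ipv6-family":                 # enter or leave a VPN instance family
                vpn = w[2] if w[1:2] == ["vpn-instance"] and len(w) > 2 else None
            elif vpn is None:
                continue
            elif w[0] == "as-number" and w[1:2] == [bgp_as]:
                findings.add(("vpn-as-equals-bgp-as", vpn))
            elif w[0] == "peer" and w[2:] == ["ebgp-max-hop"]:
                findings.add(("ebgp-max-hop-default-255", w[1]))
            elif w[0] == "peer" and w[2:] == ["substitute-as"]:
                findings.add(("substitute-as-loop-risk-if-multihomed", w[1]))
            elif w[0] == "import-route" and len(w) > 2 and w[1] in IGPS:
                bgp_imports.setdefault(vpn, set()).add((w[1], w[2]))
    for proc, info in igp.items():                    # both import directions are needed
        if not info["imports_bgp"]:
            findings.add(("igp-missing-import-route-bgp", " ".join(proc)))
        if proc not in bgp_imports.get(info["vpn"], set()):
            findings.add(("bgp-missing-import-route-igp", " ".join(proc)))
    return sorted(findings)
```

Calling audit_pe_config(SAMPLE_PE_CONFIG) reports the vpna AS clash, the unbounded hop count and the AS substitution on peer 2001:db8:1::2, and both missing import directions for OSPFv3 process 2.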

Updated: 2019-04-18

Document ID: EDOC1000141944