Configuration Guide - VPN

S9300, S9300E, and S9300X V200R010C00

This document describes the VPN configuration procedures and provides configuration examples.

Configuring Route Exchange Between PE and CE Devices

Context

In BGP/MPLS IP VPN, a routing protocol or static routes must be configured between a PE and a CE to allow them to communicate and allow the CE to obtain routes to other CEs. The routing protocol can be EBGP (External/Exterior BGP), IBGP (Internal/Interior BGP), RIP (Routing Information Protocol), OSPF (Open Shortest Path First), or IS-IS (Intermediate System to Intermediate System). Choose one of the following configurations as needed:
The routing protocol configurations on the CE and PE are different:
  • The CE is located at the client side and is not aware of the VPN. Therefore, you do not need to configure VPN parameters when configuring a routing protocol on the CE device.
  • The PE device is located at the edge of the carrier's network. It connects to a CE device and exchanges VPN routing information with other PE devices. If the CE devices that access a PE device belong to different VPNs, the PE must maintain different VRF tables. When configuring a routing protocol on the PE device, specify the name of the VPN instance to which the routing protocol applies and configure the routing protocol and MP-BGP to import routes from each other.

Configure EBGP Between a PE and a CE

Perform the following configuration on the PE device.
Table 2-7  PE configuration

Action: Enter the system view.
Command: system-view
Description: -

Action: Enter the BGP view.
Command: bgp { as-number-plain | as-number-dot }
Description: -

Action: Enter the BGP-VPN instance IPv4 address family view.
Command: ipv4-family vpn-instance vpn-instance-name
Description: -

Action: (Optional) Configure a unique AS number for the VPN instance IPv4 address family.
Command: as-number as-number
Description: A VPN instance uses the AS number of BGP by default. To smoothly re-assign a device to another AS or transmit different services in different instances, run this command to configure a different AS number for each VPN instance IPv4 address family.
NOTE: The AS number configured in the BGP-VPN instance IPv4 address family view must be different from the AS number configured in the BGP view.

Action: Configure a CE device as a VPN peer.
Command: peer ipv4-address as-number as-number
Description: -

Action: (Optional) Set the maximum number of hops of an EBGP connection.
Command: peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]
Description: Generally, EBGP peers are connected by a direct physical link. If no direct physical link is available, this command must be used to allow EBGP peers to establish a multi-hop TCP connection. The default value of hop-count is 255. If the maximum number of hops is set to 1, the PE cannot establish an EBGP connection with a peer if they are not directly connected.

Action: (Optional) Import direct routes destined for the local CE device into the routing table of the IPv4 VPN instance.
Command: Use either of the following commands:
  • import-route direct [ med med | route-policy route-policy-name ] *
  • network ipv4-address [ mask | mask-length ] [ route-policy route-policy-name ]
Description: The PE device needs to import the routes destined for the local CE device into its VPN routing table so that it can advertise the routes to the remote PE device.
NOTE: The PE device can automatically learn the direct routes destined for the local CE device. The learned routes take precedence over the direct routes advertised from the local CE device using EBGP. If this step is not performed, the PE does not use MP-BGP to advertise the direct routes destined for the local CE device to the remote PE device.

Action: (Optional) Configure the Site-of-Origin (SoO) attribute for a CE device.
Command: peer { group-name | ipv4-address | ipv6-address } soo site-of-origin
Description: Several CE devices at a VPN site may establish BGP connections with different PE devices. The VPN routes advertised from the CE devices to the PE devices may be re-advertised to the same VPN site after the routes traverse the backbone network. This will cause route loops at the VPN site. If the SoO attribute is configured for a specified CE device, the PE device adds the attribute to a route sent from the CE device and advertises the route to the remote PE. The remote PE device checks the SoO attribute of the route before sending it to its attached CE device. If the SoO attribute is the same as the local SoO attribute on the remote PE device, the remote PE device does not send the route to its attached CE device.

Action: (Optional) Enable BGP AS number substitution.
Command: peer ipv4-address substitute-as
Description: BGP uses AS numbers to detect routing loops. Sites located at different geographical locations must be assigned different AS numbers to ensure correct transmission of routing information. If CE devices scattered at different geographical locations use the same AS number, configure BGP AS number substitution on the PE devices. Enabling BGP AS number substitution may cause route loops in a CE multi-homing network.

Action: Return to the BGP view.
Command: quit
Description: -

Action: (Optional) Disable the function of adding BGP VPN routes to the IP VPN routing table.
Command: routing-table rib-only [ route-policy route-policy-name ]
Description: If the BGP routing table has a large number of VPN routes, these routes consume a large amount of memory after being delivered to the IP VPN routing table. If these routes are not used in traffic forwarding, you can run the routing-table rib-only command to prevent them from being added to the IP VPN routing table. If only some of these routes are not used in traffic forwarding, you can run the routing-table rib-only route-policy command to prevent those routes from being added to the IP VPN routing table. If traffic is interrupted after the routing-table rib-only command is run, you can configure a static route or default route to guide traffic forwarding.

Perform the following configurations on the CE device.
Table 2-8  CE configuration

Action: Enter the system view.
Command: system-view
Description: -

Action: Enter the BGP view.
Command: bgp { as-number-plain | as-number-dot }
Description: -

Action: Configure the PE device as a VPN peer.
Command: peer ipv4-address as-number as-number
Description: -

Action: (Optional) Set the maximum number of hops of an EBGP connection.
Command: peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]
Description: Generally, EBGP peers are connected by a direct physical link. If no direct physical link is available, this command must be used to allow EBGP peers to establish a multi-hop TCP connection. The default value of hop-count is 255. If the maximum number of hops is set to 1, the PE cannot establish an EBGP connection with a peer if they are not directly connected.

Action: Import routes of the local sites.
Command: import-route protocol [ process-id ] [ med med | route-policy route-policy-name ] *
Description: The CE device advertises the routes of its own VPN network segment to the connected PE device. The PE device forwards the routes to the remote CE device. The type of routes imported at this step may vary according to the networking mode.
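The following is an added example, not part of the Huawei guide: an offline check that reads the text of a PE's BGP configuration and reports the points the PE table above calls out (VPN-instance AS number equal to the BGP view AS number, substitute-as on a peer with no soo, ebgp-max-hop left at its default of 255, and no import of direct routes). The sample configuration, its addresses, AS numbers and SoO value, and the function name audit_pe_bgp are constructed for illustration; the parser assumes the one-space-per-level indentation of a saved configuration.

```python
import re

# Constructed sample of a PE's BGP section (not from the page or a real device).
SAMPLE_PE_CONFIG = """\
bgp 100
 #
 ipv4-family vpn-instance vpna
  as-number 100
  peer 10.1.1.1 as-number 65410
  peer 10.1.1.1 substitute-as
  peer 10.1.1.1 ebgp-max-hop
 #
 ipv4-family vpn-instance vpnb
  peer 10.2.1.1 as-number 65410
  peer 10.2.1.1 substitute-as
  peer 10.2.1.1 soo 100:2
  peer 10.2.1.1 ebgp-max-hop 2
  import-route direct
#
"""

PEER_RE = re.compile(r"peer (\S+) (as-number|substitute-as|soo|ebgp-max-hop)(?: (\S+))?")


def audit_pe_bgp(config):
    """Return sorted (vpn-instance, peer, finding) tuples for a PE config."""
    findings, peers, importing = [], {}, set()
    bgp_as = vpn = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":          # blank lines and separators
            continue
        if not raw.startswith(" "):          # top-level line: another view starts
            m = re.fullmatch(r"bgp (\S+)", line)
            bgp_as, vpn = (m.group(1) if m else None), None
        elif bgp_as and line.startswith("ipv4-family"):
            m = re.fullmatch(r"ipv4-family vpn-instance (\S+)", line)
            vpn = m.group(1) if m else None  # other address families are ignored
        elif bgp_as and vpn:
            if line == f"as-number {bgp_as}":
                findings.append((vpn, "-", "as-number equals the AS number of the BGP view"))
            elif line.startswith(("import-route direct", "network ")):
                importing.add(vpn)
            elif m := PEER_RE.fullmatch(line):
                # Record each option seen for this peer; the value is None when absent.
                peers.setdefault((vpn, m.group(1)), {})[m.group(2)] = m.group(3)
    for (vpn, addr), opts in peers.items():
        if "substitute-as" in opts and "soo" not in opts:
            findings.append((vpn, addr, "substitute-as without soo on this peer"))
        if "ebgp-max-hop" in opts and opts["ebgp-max-hop"] is None:
            findings.append((vpn, addr, "ebgp-max-hop without hop-count, so the default of 255 applies"))
    for vpn in {v for v, _ in peers} - importing:
        findings.append((vpn, "-", "no import-route direct or network command in this address family"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_pe_bgp(SAMPLE_PE_CONFIG):
        print(*finding, sep=" | ")
```

Whether a site is actually multi-homed cannot be seen from one PE's configuration, so the substitute-as finding is a prompt to review the site's attachment, not a verdict.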

Configure IBGP Between a PE and a CE

Perform the following configuration on the PE device.
Table 2-9  PE configuration

Action: Enter the system view.
Command: system-view
Description: -

Action: Enter the BGP view.
Command: bgp { as-number-plain | as-number-dot }
Description: -

Action: Enter the BGP-VPN instance IPv4 address family view.
Command: ipv4-family vpn-instance vpn-instance-name
Description: -

Action: (Optional) Configure a unique AS number for the VPN instance IPv4 address family.
Command: as-number as-number
Description: A VPN instance uses the AS number of BGP by default. To smoothly re-assign a device to another AS or transmit different services in different instances, run this command to configure a different AS number for each VPN instance IPv4 address family.
NOTE: The AS number configured in the BGP-VPN instance IPv4 address family view must be different from the AS number configured in the BGP view.

Action: Configure a CE device as a VPN peer.
Command: peer ipv4-address as-number as-number
Description: -

Action: (Optional) Import direct routes destined for the local CE device into the routing table of the IPv4 VPN instance.
Command: Use either of the following commands:
  • import-route direct [ med med | route-policy route-policy-name ] *
  • network ipv4-address [ mask | mask-length ] [ route-policy route-policy-name ]
Description: The PE device needs to import the routes destined for the local CE device into its VPN routing table so that it can advertise the routes to the remote PE device.
NOTE: The PE device can automatically learn the direct routes destined for the local CE device. The learned routes take precedence over the direct routes advertised from the local CE device using IBGP. If this step is not performed, the PE does not use MP-BGP to advertise the direct routes destined for the local CE device to the remote PE device.

Action: Return to the BGP view.
Command: quit
Description: -

Action: (Optional) Disable the function of adding BGP VPN routes to the IP VPN routing table.
Command: routing-table rib-only [ route-policy route-policy-name ]
Description: If the BGP routing table has a large number of VPN routes, these routes consume a large amount of memory after being delivered to the IP VPN routing table. If these routes are not used in traffic forwarding, you can run the routing-table rib-only command to prevent them from being added to the IP VPN routing table. If only some of these routes are not used in traffic forwarding, you can run the routing-table rib-only route-policy command to prevent those routes from being added to the IP VPN routing table. If traffic is interrupted after the routing-table rib-only command is run, you can configure a static route or default route to guide traffic forwarding.

Perform the following configurations on the CE device.
Table 2-10  CE configuration

Action: Enter the system view.
Command: system-view
Description: -

Action: Enter the BGP view.
Command: bgp { as-number-plain | as-number-dot }
Description: -

Action: Configure the PE device as a VPN peer.
Command: peer ipv4-address as-number as-number
Description: -

Action: Import routes of the local sites.
Command: import-route protocol [ process-id ] [ med med | route-policy route-policy-name ] *
Description: The CE device advertises the routes of its own VPN network segment to the connected PE device. The PE device forwards the routes to the remote CE device. The type of routes imported at this step may vary according to the networking mode.

When many CE devices connect to a PE device, the PE device can function as an RR and the CE devices function as clients. This reduces the number of IBGP connections between CE devices and facilitates route maintenance and management.

Configure Static Routes Between a PE and a CE

Perform the following configuration on the PE device. The procedure for configuring static routes on the CE device is not provided here. For details about how to configure a static route, see Static Route Configuration in the S9300, S9300E, and S9300X V200R010C00 Configuration Guide - IP Unicast Routing.

Table 2-11  PE configuration

Action: Enter the system view.
Command: system-view
Description: -

Action: Configure a static route for a VPN instance.
Command: ip route-static vpn-instance vpn-source-name destination-address { mask | mask-length } interface-type interface-number [ nexthop-address ] [ preference preference | tag tag ] *
Description: -

Action: Enter the BGP view.
Command: bgp { as-number-plain | as-number-dot }
Description: -

Action: Enter the BGP-VPN instance IPv4 address family view.
Command: ipv4-family vpn-instance vpn-instance-name
Description: -

Action: Import the configured static route to the routing table of the BGP-VPN instance IPv4 address family.
Command: import-route static [ med med | route-policy route-policy-name ] *
Description: After this command is run in the BGP-VPN instance IPv4 address family view, the PE will import the VPN routes learned from the attached CE into the BGP routing table and advertise VPNv4 routes to the remote PE.

Configure RIP Between a PE and a CE

Perform the following configuration on the PE device. Configure RIPv1 or RIPv2 on the CE; the CE configuration details are not provided here. For details on how to configure RIP, see RIP Configuration in the S9300, S9300E, and S9300X V200R010C00 Configuration Guide - IP Unicast Routing.

Deleting a VPN instance or disabling a VPN instance IPv4 address family will delete all the RIP processes bound to the VPN instance or the VPN instance IPv4 address family on the PE device.

Table 2-12  PE configuration

Action: Enter the system view.
Command: system-view
Description: -

Action: Create a RIP process running between the PE and CE devices and enter the RIP view.
Command: rip process-id vpn-instance vpn-instance-name
Description: A RIP process can be bound to only one VPN instance. If a RIP process is not bound to any VPN instance before it is started, this process becomes a public network process and can no longer be bound to a VPN instance.

Action: Enable RIP on the network segment of the interface to which the VPN instance is bound.
Command: network network-address
Description: -

Action: Import BGP routes to the RIP routing table.
Command: import-route bgp [ cost { cost | transparent } | route-policy route-policy-name ] *
Description: After this command is executed in the RIP view, the PE device can import the VPNv4 routes learned from the remote PE device into the RIP routing table and advertise them to the attached CE device.

Action: Return to system view.
Command: quit
Description: -

Action: Enter the BGP view.
Command: bgp { as-number-plain | as-number-dot }
Description: -

Action: Enter the BGP-VPN instance IPv4 address family view.
Command: ipv4-family vpn-instance vpn-instance-name
Description: -

Action: Import RIP routes into the routing table of the BGP-VPN instance IPv4 address family.
Command: import-route rip process-id [ med med | route-policy route-policy-name ] *
Description: After this command is run in the BGP-VPN instance IPv4 address family view, the PE will import the VPN routes learned from the attached CE into the BGP routing table and advertise VPNv4 routes to the remote PE.

Configure OSPF Between a PE and a CE

Configure OSPF on the CE; the CE configuration details are not provided here. Perform the following configuration on the PE device. For details on how to configure OSPF, see OSPF Configuration in the S9300, S9300E, and S9300X V200R010C00 Configuration Guide - IP Unicast Routing.

Deleting a VPN instance or disabling a VPN instance IPv4 address family will delete all the OSPF processes bound to the VPN instance or the VPN instance IPv4 address family on the PE device.

Table 2-13  PE configuration

Action: Enter the system view.
Command: system-view
Description: -

Action: Create an OSPF process running between the PE and CE device and enter the OSPF view.
Command: ospf process-id [ router-id router-id ] vpn-instance vpn-instance-name
Description: An OSPF process can be bound to only one VPN instance. If an OSPF process is not bound to any VPN instance before it is started, this process becomes a public network process and can no longer be bound to a VPN instance. A router ID needs to be specified when an OSPF process is started after it is bound to a VPN instance. The router ID must be different from the public network router ID configured in the system view. If the router ID is not specified, OSPF selects the IP address of one of the interfaces bound to the VPN instance as the router ID based on a certain rule.

Action: (Optional) Configure a domain ID for the OSPF process.
Command: domain-id domain-id [ secondary ]
Description: The domain ID of an OSPF process is contained in the routes generated by the process. When OSPF routes are imported into BGP, the domain ID is added to the BGP VPN routes and forwarded as the BGP extended community attribute. There are no restrictions on the domain IDs of the OSPF processes of different VPNs on a PE device. The OSPF processes of the same VPN must be configured with the same domain ID to ensure proper route advertisement. The default domain ID is 0.

Action: (Optional) Configure a VPN route tag.
Command: route-tag tag
Description: The VPN route tag prevents loops of Type-5 LSAs in CE dual-homing networking. By default, the VPN route tag is calculated using the BGP AS number. If BGP is not configured, the VPN route tag is 0.

Action: Import BGP routes to the OSPF routing table.
Command: import-route bgp [ cost cost | route-policy route-policy-name | tag tag | type type ] *
Description: After this command is executed in the OSPF view, the PE can import the VPNv4 routes learned from the remote PE into the OSPF routing table and advertise them to the attached CE.

Action: Enter the OSPF area view.
Command: area area-id
Description: -

Action: Enable OSPF on the network segment of the interface to which the VPN instance is bound.
Command: network ip-address wildcard-mask
Description: -

Action: Return to the OSPF view.
Command: quit
Description: -

Action: Return to system view.
Command: quit
Description: -

Action: Enter the BGP view.
Command: bgp { as-number-plain | as-number-dot }
Description: -

Action: Enter the BGP-VPN instance IPv4 address family view.
Command: ipv4-family vpn-instance vpn-instance-name
Description: -

Action: Import OSPF routes into the routing table of the BGP-VPN instance IPv4 address family.
Command: import-route ospf process-id [ med med | route-policy route-policy-name ] *
Description: After this command is run in the BGP-VPN instance IPv4 address family view, the PE will import the VPN routes learned from the attached CE into the BGP routing table and advertise VPNv4 routes to the remote PE.

Configure IS-IS Between a PE and a CE

Configure IS-IS on the CE; the CE configuration details are not provided here. Perform the following configuration on the PE device. For details on how to configure IS-IS, see IPv4 IS-IS Configuration in the S9300, S9300E, and S9300X V200R010C00 Configuration Guide - IP Unicast Routing.

Deleting a VPN instance or disabling a VPN instance IPv4 address family will delete all the IS-IS processes bound to the VPN instance or the VPN instance IPv4 address family on the PE device.

Table 2-14  PE configuration

Action: Enter the system view.
Command: system-view
Description: -

Action: Create an IS-IS process running between the PE and CE devices and enter the IS-IS view.
Command: isis process-id vpn-instance vpn-instance-name
Description: An IS-IS process can be bound to only one VPN instance. If an IS-IS process is not bound to any VPN instance before it is started, this process becomes a public network process and can no longer be bound to a VPN instance.

Action: Set a network entity title (NET) for the IS-IS process.
Command: network-entity net
Description: A NET specifies the current IS-IS area address and the system ID of the switch. An IS-IS process on one switch can be configured with a maximum of three NETs.

Action: (Optional) Set the level of the PE device.
Command: is-level { level-1 | level-1-2 | level-2 }
Description: By default, the IS-IS level of the switch is Level-1-2.

Action: Import BGP routes to the IS-IS routing table.
Command: Use either of the following commands:
  • import-route bgp [ cost-type { external | internal } | cost cost | tag tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ] *
  • import-route bgp [ permit-ibgp ] inherit-cost [ { level-1 | level-2 | level-1-2 } | tag tag | route-policy route-policy-name ] *
Description: If the IS-IS level is not specified in the command, BGP routes will be imported into the Level-2 IS-IS routing table. After this command is executed in the IS-IS view, the PE can import the VPNv4 routes learned from the remote PE into the IS-IS routing table and advertise them to the attached CE.

Action: Return to system view.
Command: quit
Description: -

Action: Enter the view of the interface to which the VPN instance is bound.
Command: interface interface-type interface-number
Description: -

Action: Enable IS-IS on the interface.
Command: isis enable [ process-id ]
Description: -

Action: Return to system view.
Command: quit
Description: -

Action: Enter the BGP view.
Command: bgp { as-number-plain | as-number-dot }
Description: -

Action: Enter the BGP-VPN instance IPv4 address family view.
Command: ipv4-family vpn-instance vpn-instance-name
Description: -

Action: Import IS-IS routes into the routing table of the BGP-VPN instance IPv4 address family.
Command: import-route isis process-id [ med med | route-policy route-policy-name ] *
Description: After this command is run in the BGP-VPN instance IPv4 address family view, the PE will import the VPN routes learned from the attached CE into the BGP routing table and advertise VPNv4 routes to the remote PE.

Updated: 2019-08-21

Document ID: EDOC1000142068
