Command Reference

S1720, S2700, S5700, and S6720 V200R011C10

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
BGP/MPLS IP VPN Configuration Commands


Command Support

The following describes command support of S series switches. For details about support for some specific commands or parameters, see the commands.

| Product | Supporting working as a PE or an MCE |
| --- | --- |
| S6720EI, S6720S-EI, S5720HI, S5720EI | Working as a PE |
| S6720EI, S6720S-EI, S5720HI, S5720EI, S6720SI, S6720S-SI, S5730SI, S5730S-EI, S5720SI, S5720S-SI, S6720LI, S6720S-LI, S5720LI, S5720S-LI, S2720EI, S1720X-E, S1720GW-E, S1720GWR-E, S1720GW, S1720GWR, S1720X | Working as an MCE |
| S5710-X-LI, S5700LI, S5700S-LI, S2750EI, S1720GFR | Not supported |

apply tunnel-policy (tunnel-selector view)

Function

The apply tunnel-policy command applies a tunnel policy to routes filtered by the if-match clause.

The undo apply tunnel-policy command cancels the setting.

By default, no tunnel policy is configured for filtered routes.

Format

apply tunnel-policy tunnel-policy-name

undo apply tunnel-policy

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| tunnel-policy-name | Specifies the name of a tunnel policy to be applied to the routes that match the if-match clause. | The value is a string of 1 to 39 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |

Views

Tunnel selector view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In BGP/MPLS IP VPN networking, by default, LSPs are selected for VPNv4 and BGP labeled routes without performing load balancing. If you want to select other types of tunnels or configure load balancing for VPNv4 or BGP labeled routes, run the apply tunnel-policy command to apply a tunnel policy. The apply tunnel-policy command can be used in the following situations:
  • The RR on the backbone network of a VPN needs to apply a tunnel policy to VPNv4 routes learned from PEs.

If you want to apply a tunnel policy to only specific VPNv4 or BGP labeled routes in the situations mentioned above, first use the if-match clause to filter routes. The if-match commands that can be used are listed below:

Prerequisite

The tunnel-selector command is run to create a tunnel selector; if-match clauses are configured as required.

Follow-up Procedure

If the tunnel policy specified in the apply tunnel-policy command does not exist in the system, run the tunnel-policy command to create the tunnel policy.

Example

# Select policy1 for the VPN routes that are filtered by RD in the tunnel selector view.

<HUAWEI> system-view
[HUAWEI] tunnel-policy policy1
[HUAWEI-tunnel-policy-policy1] tunnel select-seq cr-lsp lsp load-balance-number 1 
[HUAWEI-tunnel-policy-policy1] quit
[HUAWEI] tunnel-selector tps permit node 10
[HUAWEI-tunnel-selector] if-match rd-filter 1
[HUAWEI-tunnel-selector] apply tunnel-policy policy1

apply-label per-instance

Function

The apply-label per-instance command sets the label allocation mode to one label per instance. In this mode, all the routes of the VPN instance address family destined for the remote PE are assigned the same label.

The undo apply-label per-instance command restores the default configuration.

By default, the VPN instance address family assigns the same label to all routes to be sent to the peer PE.

Format

apply-label per-instance

undo apply-label per-instance

Parameters

None

Views

VPN instance view, VPN instance IPv4 address family view, VPN instance IPv6 address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In BGP/MPLS IP VPN networking, if a PE has numerous VPN routes but insufficient MPLS label resources, run the apply-label per-instance command to minimize MPLS label consumption on the PE.

When a large number of routes of the VPN instance IPv4 address family need to apply for labels, the apply-label per-instance command saves label resources of PEs and lowers the requirements for PE capacities.

By default, the system applies for a label for each route in a VPN instance enabled with the IPv4 or IPv6 address family. After the apply-label per-instance command is run in the IPv4 or IPv6 address family view of the VPN instance, the routes of the VPN instance enabled with the corresponding address family will be allocated the same label. For example, a PE is configured with two VPN instances that have 20000 routes in total. By default, 20000 MPLS labels will be allocated to the routes. If the apply-label per-instance command is run, only two MPLS labels will be allocated to the routes.

You can run the display fib statistics command to check the number of VPN routes.

Prerequisites

  1. The ip vpn-instance command has been executed to create a VPN instance and enter the VPN instance view.
  2. The ipv4-family or ipv6-family command has been executed to enter the IPv4 or IPv6 VPN instance address family view.
  3. The route distinguisher command has been executed to set the RD of the VPN instance.

Precautions

The change of the label allocation mode leads to the re-advertising of VPN routes. The services may be interrupted temporarily. Therefore, use the apply-label per-instance and undo apply-label per-instance commands with caution.

NOTE:

If there are a large number of VPN routes in the system, frequently executing this command will cause flapping of many routes. Route flapping results in a high CPU usage but does not affect real-time services in the system.

Example

# Assign one label to all routes of the IPv4 address family of the VPN instance named vpn1.

<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] ipv4-family
[HUAWEI-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[HUAWEI-vpn-instance-vpn1-af-ipv4] apply-label per-instance

apply-label per-nexthop

Function

The apply-label per-nexthop command enables the ASBR to allocate labels for IPv4 VPN routes or IPv6 VPN routes based on the next hop.

The undo apply-label per-nexthop command disables the ASBR from allocating labels for IPv4 VPN routes or IPv6 VPN routes based on the next hop.

By default, next-hop-based label allocation for VPN routes is disabled on the ASBR, and a label is allocated to each VPN instance.

Format

apply-label per-nexthop

undo apply-label per-nexthop

Parameters

None

Views

BGP-VPNv4 address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In inter-AS VPN Option B or HoVPN networking, if MPLS label resources on the ASBR or SPE are insufficient for the advertised VPNv4 or VPNv6 routes to use, the apply-label per-nexthop command can be run to minimize MPLS label consumption on the ASBR or SPE.

By default, the ASBR or SPE allocates a label to each VPNv4 or VPNv6 route when advertising it to an MP-BGP peer. If the apply-label per-nexthop command is run, the ASBR or SPE will allocate one label to all the routes with the same next hop and outgoing label. To make the routes learned from the same next hop have the same outgoing label, run the apply-label per-instance command on the PE. Otherwise, the apply-label per-nexthop command will not take full effect.

Configuration Impact

After next-hop-based label allocation is enabled or disabled, the label allocated by the ASBR to a route changes, which leads to a transient loss of VPN packets.

Example

# In the BGP-VPNv4 view, enable the ASBR to allocate labels to IPv4 VPN routes based on the next hop.

<HUAWEI> system-view
[HUAWEI] bgp 100
[HUAWEI-bgp] ipv4-family vpnv4
[HUAWEI-bgp-af-vpnv4] apply-label per-nexthop

apply-label per-route

Function

The apply-label per-route command enables the one-label-per-route mode. The VPN instance address family assigns a unique label to each route to be sent to the peer PE.

The undo apply-label per-route command disables the one-label-per-route mode.

By default, the VPN instance address family assigns the same label to all routes to be sent to the peer PE.

Format

apply-label per-route

undo apply-label per-route

Parameters

None

Views

VPN instance view, VPN instance IPv4 address family view, VPN instance IPv6 address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If you want to change the label allocation mode from one-label-per-instance to one-label-per-route, run the apply-label per-route command.

Prerequisite

The route-distinguisher command is run to configure an RD for the VPN instance enabled with the IPv4 or IPv6 address family.

Configuration Impact

The change of the label allocation mode leads to the re-advertising of VPN routes. The services may be interrupted temporarily. Exercise caution when running the apply-label per-route or undo apply-label per-route command.

The apply-label per-instance and apply-label per-route commands are mutually exclusive. If both commands are run, the latest configuration overrides the previous one.

Example

# Enable the one-label-per-route mode for routes of vpn1.

<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] ipv4-family
[HUAWEI-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[HUAWEI-vpn-instance-vpn1-af-ipv4] apply-label per-route

arp vpn-cross enable

Function

The arp vpn-cross enable command enables direct ARP entry delivery for mutual access between local VPNs.

The undo arp vpn-cross enable command disables direct ARP entry delivery for mutual access between local VPNs.

By default, direct ARP entry delivery is disabled for mutual access between local VPNs.

Format

arp vpn-cross enable

undo arp vpn-cross enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The initial traffic between two local VPNs triggers ARP Miss messages and ARP learning. If a PE device fails to process the ARP Miss messages in time for some reason, mutual access traffic between the VPNs cannot be transmitted.

After direct ARP entry delivery is enabled on the PE device, the PE device delivers ARP entries before the mutual access traffic triggers ARP Miss messages and ARP learning. This ensures normal traffic transmission between local VPNs.

Precautions

ARP entry delivery before triggering of ARP Miss messages and ARP learning consumes ARP entries. Configure this command only when required.

Example

# Enable direct ARP entry delivery for mutual access between local VPNs.

<HUAWEI> system-view
[HUAWEI] arp vpn-cross enable

as-number

Function

The as-number command configures an AS number for a VPN instance.

The undo as-number command restores the default setting.

By default, a VPN instance uses the AS number of BGP.

Format

as-number { as-number-plain | as-number-dot }

undo as-number

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| as-number-plain | Integral AS number | The value is an integer ranging from 1 to 4294967295. |
| as-number-dot | AS number in dotted notation | The value is in the format of x.y, where x and y are integers that range from 1 to 65535 and from 0 to 65535, respectively. |

Views

BGP-VPN instance IPv4 address family view, BGP-VPN instance IPv6 address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

During network transfer or service identification, a device needs to be simulated as multiple BGP devices logically. In this case, you can run the as-number command to configure an AS number for each VPN instance.

After the as-number command is used:
  • BGP peer relationships in the VPN instance are established by using the configured AS number.
  • The configured AS number is used to generate the aggregator attribute during route aggregation.
  • When advertising routes to an EBGP peer, the local device carries the AS number configured in the VPN instance.

Prerequisites

If a BGP peer or a BGP peer group is configured in the VPN instance, you need to delete the configuration of the BGP peer or peer group before configuring or deleting an AS number.

Precautions

A VPN instance configured with an AS number cannot be configured with BGP confederation. Conversely, a VPN instance configured with BGP confederation cannot be configured with an AS number.

NOTE:

The AS number configured in the BGP-VPN instance view cannot be the same as the AS number configured in the BGP view.

Example

# Set the AS number of the VPN instance named vpna to 65001.

<HUAWEI> system-view
[HUAWEI] bgp 100
[HUAWEI-bgp] ipv4-family vpn-instance vpna
[HUAWEI-bgp-vpna] as-number 65001

auto-frr

Function

The auto-frr command enables BGP Auto FRR.

The undo auto-frr command disables BGP Auto FRR.

By default, BGP Auto FRR is disabled.

Format

auto-frr

undo auto-frr

Parameters

None

Views

BGP-VPN instance IPv4 address family view, BGP-VPN instance IPv6 address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

This function is applicable to networks that require a low packet loss ratio and a short delay.

Using BGP Auto FRR together with BFD is recommended. They can rapidly detect a link fault and switch traffic to a standby link if a fault occurs.

Example

# Enable BGP Auto FRR for unicast routes.

<HUAWEI> system-view
[HUAWEI] bgp 100
[HUAWEI-bgp] ipv4-family vpn-instance vpna
[HUAWEI-bgp-vpna] auto-frr

auto-frr (BGP-VPNv4 address family view)

Function

The auto-frr command enables VPNv4 FRR.

The undo auto-frr command restores the default configuration.

By default, VPNv4 FRR is disabled.

Format

auto-frr

undo auto-frr

Parameters

None.

Views

BGP-VPNv4 address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Running the auto-frr command in the BGP-VPNv4 address family view enables VPNv4 FRR and improves network reliability. After VPNv4 FRR is configured, traffic can be switched to the backup LSP (Label Switched Path) immediately after the primary LSP to which a VPNv4 route is iterated becomes faulty. VPNv4 FRR applies to HVPN scenarios.

  • In an HVPN scenario, VPNv4 FRR is deployed on SPEs.

Prerequisites

BGP has been enabled.

Precautions

If used with BFD, VPNv4 FRR can rapidly detect link faults and switch services to the standby link for transmission.

Do not configure the apply-label per-nexthop command in the BGP-VPNv4 address family view if VPNv4 FRR is enabled, or VPNv4 FRR will fail to take effect.

If the auto-frr command is configured in the BGP-VPNv4 address family view, the bestroute nexthop-resolved tunnel command must also be configured, so that packets will not get lost during traffic switchback.

Example

# Enable VPNv4 FRR.

<HUAWEI> system-view
[HUAWEI] bgp 100
[HUAWEI-bgp] ipv4-family vpnv4
[HUAWEI-bgp-af-vpnv4] auto-frr
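
The constraints stated in the as-number NOTE and in the Precautions of auto-frr (BGP-VPNv4 address family view) can be checked offline against a saved configuration. The following Python check is an added example, not Huawei code; the sample configuration is constructed, its indentation and # separators are an assumption about how the device prints the BGP section, and the function and rule names are made up for this example.

```python
import re

# Constructed sample. The layout (indented views, "#" separators) is an
# assumption about how the device prints its BGP configuration.
SAMPLE_CONFIG = """\
bgp 65636
 #
 ipv4-family vpnv4
  auto-frr
  apply-label per-nexthop
 #
 ipv4-family vpn-instance vpna
  as-number 1.100
  auto-frr
 #
 ipv4-family vpn-instance vpnb
  as-number 65001
#
"""


def as_to_int(text):
    """Normalise as-number-plain or as-number-dot (x.y) to one integer."""
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        # Ranges for x and y as given in the as-number parameter table.
        if not (1 <= high <= 65535 and 0 <= low <= 65535):
            raise ValueError(f"AS number out of range: {text}")
        return high * 65536 + low
    value = int(text)
    if not 1 <= value <= 4294967295:
        raise ValueError(f"AS number out of range: {text}")
    return value


def audit_bgp_config(config):
    """Return a list of (rule, detail) findings for the BGP section."""
    findings = []
    bgp_as = None    # AS number configured in the BGP view
    in_bgp = False
    view = None      # current address family view inside the BGP section
    vpnv4 = set()    # commands seen in the BGP-VPNv4 address family view
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            # An unindented line starts or ends a top-level section.
            match = re.fullmatch(r"bgp (\S+)", line)
            in_bgp = match is not None
            if match:
                bgp_as = as_to_int(match.group(1))
            view = None
            continue
        if not in_bgp:
            continue
        if line == "#":
            view = None
        elif re.match(r"ipv[46]-family ", line):
            view = line
        elif view == "ipv4-family vpnv4":
            vpnv4.add(line)
        elif view and " vpn-instance " in view and line.startswith("as-number "):
            # The VPN instance AS must differ from the BGP view AS; a dotted
            # value is compared after conversion to its plain form.
            if as_to_int(line.split()[1]) == bgp_as:
                findings.append(("VPN_AS_EQUALS_BGP_AS", view.split()[-1]))
    if "auto-frr" in vpnv4:
        # VPNv4 FRR fails to take effect with next-hop-based label allocation.
        if "apply-label per-nexthop" in vpnv4:
            findings.append(("FRR_WITH_PER_NEXTHOP", "vpnv4"))
        # Needed so that packets are not lost during traffic switchback.
        if "bestroute nexthop-resolved tunnel" not in vpnv4:
            findings.append(("FRR_WITHOUT_NEXTHOP_RESOLVED", "vpnv4"))
    return findings


if __name__ == "__main__":
    for rule, detail in audit_bgp_config(SAMPLE_CONFIG):
        print(rule, detail)
```
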

description (VPN instance view)

Function

The description command specifies the description of the current VPN instance.

The undo description command deletes the description of the current VPN instance.

By default, no description is specified for a VPN instance.

Format

description description-information

undo description

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| description-information | Specifies the description of a VPN instance. | The value is a string of 1 to 242 case-sensitive characters with spaces. |

Views

VPN instance view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To record the purpose of creating a VPN instance and the CEs with which the VPN instance is associated, you can run the description command to specify the description of the VPN instance.

To check the description of a VPN instance, run the display ip vpn-instance command.

Precautions

If you run the description command several times, the latest configuration overrides the previous configurations.

Example

# Specify the description of a VPN instance named vpn1.

<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] description OnlyForAB

description (tunnel interface view)

Function

The description command sets the description of the current tunnel interface.

The undo description command deletes the description of the current tunnel interface.

By default, a tunnel interface does not have a description.

Format

description text

undo description

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| text | Specifies the description of a tunnel interface. | The value is a string of 1 to 242 case-sensitive characters, with spaces supported. |

Views

Tunnel interface view

Default Level

2: Configuration level

Usage Guidelines

After using the interface tunnel command to create a tunnel interface, you can run the description command to configure a description of the tunnel interface to facilitate later query.

To check the description of a tunnel interface, run the display this interface command in the tunnel interface view or the display interface tunnel command.

Example

# Configure the description of Tunnel 1.

<HUAWEI> system-view
[HUAWEI] interface tunnel 1
[HUAWEI-Tunnel1] description This is a tunnel from 10.1.1.1 to 10.2.2.2

# Delete the description of Tunnel 1.

<HUAWEI> system-view
[HUAWEI] interface tunnel 1
[HUAWEI-Tunnel1] undo description

description (tunnel-policy view)

Function

The description command configures the description of the current tunnel policy.

The undo description command cancels the setting.

By default, a tunnel policy does not have a description.

Format

description description-information

undo description

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| description-information | Specifies the description of the tunnel policy. | The value is a string of 1 to 80 case-sensitive characters with spaces. |

Views

Tunnel policy view

Default Level

2: Configuration level

Usage Guidelines

After using the tunnel-policy (system view) command to create a tunnel policy, you can run the description command to configure a description of the tunnel policy to facilitate later query.

To check tunnel policy configurations, run the display tunnel-policy-config command.

Example

# Configure the description of the tunnel policy named test1.

<HUAWEI> system-view
[HUAWEI] tunnel-policy test1
[HUAWEI-tunnel-policy-test1] description two TE tunnels are used

destination

Function

The destination command specifies the destination IP address of a tunnel interface.

The undo destination command deletes the destination IP address of a tunnel interface.

By default, no destination address is configured.

Format

destination [ vpn-instance vpn-instance-name ] dest-ip-address

undo destination

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| vpn-instance vpn-instance-name | Specifies the name of the VPN instance that the destination address of a tunnel belongs to. When the tunnel interface uses GRE, you can specify vpn-instance vpn-instance-name. | The value is the name of an existing VPN instance. |
| dest-ip-address | Specifies the destination IP address of a tunnel interface. | The IPv4 address is in dotted decimal notation. The IPv6 address is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X. |

Views

Tunnel interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When configuring a GRE, MPLS TE, IPv4 over IPv6 tunnel or manual IPv6 over IPv4 tunnel, create a tunnel interface. After a tunnel interface is created, run the destination command to specify the destination IP address for the tunnel interface.

When using the destination command on a PE to specify the destination address of a GRE tunnel bound for a CE, you need to set vpn-instance vpn-instance-name in the command to specify the name of the VPN instance to which the destination address belongs.

Prerequisites

A tunnel interface has been created using the interface tunnel command, and the encapsulation mode has been set to GRE, MPLS TE, IPv4 over IPv6, or manual IPv6 over IPv4 using the tunnel-protocol command.

Precautions

Two tunnel interfaces with the same encapsulation mode, source address, and destination address cannot be configured simultaneously.

You can configure a main interface working in Layer 3 mode as the source tunnel interface.

On the GRE, MPLS TE, IPv6 over IPv4 tunnel or manual IPv6 over IPv4 tunnel, the destination address of the local tunnel interface is the source address of the remote tunnel interface, and the source address of the local tunnel interface is the destination address of the remote tunnel interface.

Example

# Establish a manual IPv6 over IPv4 tunnel between VLANIF 10 at 10.1.1.1 on switch HUAWEI1 and VLANIF 20 at 10.2.1.1 on switch HUAWEI2.

<HUAWEI1> system-view
[HUAWEI1] interface tunnel 1
[HUAWEI1-Tunnel1] tunnel-protocol ipv6-ipv4
[HUAWEI1-Tunnel1] source 10.1.1.1
[HUAWEI1-Tunnel1] destination 10.2.1.1

<HUAWEI2> system-view
[HUAWEI2] interface tunnel 1
[HUAWEI2-Tunnel1] tunnel-protocol ipv6-ipv4
[HUAWEI2-Tunnel1] source 10.2.1.1
[HUAWEI2-Tunnel1] destination 10.1.1.1

# Set the destination address of the GRE tunnel Tunnel1 to 10.1.1.1 that belongs to vpn1.

<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] ipv4-family
[HUAWEI-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[HUAWEI-vpn-instance-vpn1-af-ipv4] quit
[HUAWEI-vpn-instance-vpn1] quit
[HUAWEI] interface tunnel 1
[HUAWEI-Tunnel1] tunnel-protocol gre
[HUAWEI-Tunnel1] destination vpn-instance vpn1 10.1.1.1

display default-parameter l3vpn

Function

The display default-parameter l3vpn command displays the default configuration of L3VPN during initialization.

Format

display default-parameter l3vpn

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Scenario

You can run this command to check the default configuration of L3VPN during initialization, for example, default label allocation mode in a VPN instance.

Precautions

This command displays only the default configuration of L3VPN during initialization. The command output shows the default configuration of L3VPN during initialization even when the default configuration is changed.

Example

# Display the default configuration of L3VPN during initialization.

<HUAWEI> display default-parameter l3vpn 
 Apply label mode          :                                                
     IPv4-family           : label per instance                                 
     IPv6-family           : label per instance 
Table 10-28  Description of the display default-parameter l3vpn command output

| Item | Description |
| --- | --- |
| Apply label mode | Default label allocation mode. |
| IPv4-family | IPv4 address family. |
| IPv6-family | IPv6 address family. |
| label per instance | The default label allocation mode is label per instance. |

display ip prefix-limit statistics

Function

The display ip prefix-limit statistics command displays the statistics of the prefix limits of VPN instances.

Format

display ip prefix-limit { all-vpn-instance | vpn-instance vpn-instance-name } statistics

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| all-vpn-instance | Indicates all VPN instances. | - |
| vpn-instance vpn-instance-name | Specifies the name of a VPN instance. | The value is the name of an existing VPN instance. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display ip prefix-limit statistics command to view the number of times that a protocol re-adds or deletes routes according to the prefix limit of a specified VPN instance.

Example

# Display the statistics of the prefix limits of all VPN instances.

<HUAWEI> display ip prefix-limit all-vpn-instance statistics
-------------------------------------------------------------------------------
VPN instance name: vrf1
           DenyAdd TryAddInDelState NotifyDelAll NotifyDelFinish NotifyAddRoute
DIRECT           0                0            0               0              0
STATIC           0                0            0               0              0
UNR              0                0            0               0              0
OSPF             0                0            0               0              0
IS-IS            0                0            0               0              0
RIP              0                0            0               0              0
BGP              0                0            0               0              0
MSR              0                0            0               0              0
-------------------------------------------------------------------------------
VPN instance name: vrf2
           DenyAdd TryAddInDelState NotifyDelAll NotifyDelFinish NotifyAddRoute
DIRECT           0                0            0               0              0
STATIC           0                0            0               0              0
UNR              0                0            0               0              0
OSPF             0                0            0               0              0
IS-IS            0                0            0               0              0
RIP              0                0            0               0              0
BGP              0                0            0               0              0
MSR              0                0            0               0              0

# Display the statistics of the prefix limit of the VPN instance named vrf1.

<HUAWEI> display ip prefix-limit vpn-instance vrf1 statistics
-------------------------------------------------------------------------------
VPN instance name: vrf1
           DenyAdd TryAddInDelState NotifyDelAll NotifyDelFinish NotifyAddRoute
DIRECT           0                0            0               0              0
STATIC           0                0            0               0              0
UNR              0                0            0               0              0
OSPF             0                0            0               0              0
IS-IS            0                0            0               0              0
RIP              0                0            0               0              0
BGP              0                0            0               0              0
MSR              0                0            0               0              0
Table 10-29  Description of the display ip prefix-limit statistics command output

| Item | Description |
| --- | --- |
| DenyAdd | Number of routes that the protocol fails to add to the RIB because of the prefix limit. |
| TryAddInDelState | Number of routes that the protocol fails to add to the RIB because the RIB is in the process of deleting routes. |
| NotifyDelAll | Number of times that the RIB notifies the protocol of deleting routes when the prefix limit is decreased. |
| NotifyDelFinish | Number of times that the protocol notifies the RIB of completion of deleting routes. |
| NotifyAddRoute | Number of times that the RIB notifies the protocol of re-adding routes. |

display ipv6 prefix-limit statistics

Function

The display ipv6 prefix-limit statistics command displays the statistics of the prefix limits of IPv6 VPN instances.

Format

display ipv6 prefix-limit { all-vpn-instance | vpn-instance vpn-instance-name } statistics

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| all-vpn-instance | Indicates all IPv6 VPN instances. | - |
| vpn-instance vpn-instance-name | Specifies the name of an IPv6 VPN instance. | The value is the name of an existing IPv6 VPN instance. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display ipv6 prefix-limit statistics command to view the number of times that a protocol re-adds or deletes routes according to the prefix limit of a specified IPv6 VPN instance.

Example

# Display the statistics of the prefix limits of all IPv6 VPN instances.

<HUAWEI> display ipv6 prefix-limit all-vpn-instance statistics
-------------------------------------------------------------------------------
IPv6 VPN instance name: vrf1
           DenyAdd TryAddInDelState NotifyDelAll NotifyDelFinish NotifyAddRoute
DIRECT           0                0            0               0              0
STATIC           0                0            0               0              0
UNR              0                0            0               0              0
OSPFv3           0                0            0               0              0
IS-IS            0                0            0               0              0
RIPng            0                0            0               0              0
BGP              0                0            0               0              0
-------------------------------------------------------------------------------
IPv6 VPN instance name: vrf2
           DenyAdd TryAddInDelState NotifyDelAll NotifyDelFinish NotifyAddRoute
DIRECT           0                0            0               0              0
STATIC           0                0            0               0              0
UNR              0                0            0               0              0
OSPFv3           0                0            0               0              0
IS-IS            0                0            0               0              0
RIPng            0                0            0               0              0
BGP              0                0            0               0              0

# Display the statistics of the prefix limit of the IPv6 VPN instance named vrf1.

<HUAWEI> display ipv6 prefix-limit vpn-instance vrf1 statistics
-------------------------------------------------------------------------------
IPv6 VPN instance name: vrf1
           DenyAdd TryAddInDelState NotifyDelAll NotifyDelFinish NotifyAddRoute
DIRECT           0                0            0               0              0
STATIC           0                0            0               0              0
UNR              0                0            0               0              0
OSPFv3           0                0            0               0              0
IS-IS            0                0            0               0              0
RIPng            0                0            0               0              0
BGP              0                0            0               0              0
Table 10-30  Description of the display ipv6 prefix-limit statistics command output

| Item | Description |
| --- | --- |
| DenyAdd | Number of routes that the protocol fails to add to the RIB because of the prefix limit. |
| TryAddInDelState | Number of routes that the protocol fails to add to the RIB because the RIB is in the process of deleting routes. |
| NotifyDelAll | Number of times that the RIB notifies the protocol of deleting routes when the prefix limit is decreased. |
| NotifyDelFinish | Number of times that the protocol notifies the RIB of completion of deleting routes. |
| NotifyAddRoute | Number of times that the RIB notifies the protocol of re-adding routes. |
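
The counters described in Table 10-29 and Table 10-30 can be monitored once the command output is parsed, for example to spot VPN instances whose routes are being refused because of the prefix limit. The following Python parser is an added example, not Huawei code; it handles both the display ip prefix-limit and display ipv6 prefix-limit layouts shown above, the non-zero counter values in its sample are constructed, and the function names are this example's own.

```python
import re

# Constructed sample: two captures in the layout of the Example sections
# above, with made-up non-zero counters for the BGP row of vrf1.
SAMPLE_OUTPUT = """\
<HUAWEI> display ip prefix-limit all-vpn-instance statistics
-------------------------------------------------------------------------------
VPN instance name: vrf1
           DenyAdd TryAddInDelState NotifyDelAll NotifyDelFinish NotifyAddRoute
DIRECT           0                0            0               0              0
IS-IS            0                0            0               0              0
BGP             37                2            1               1              1
<HUAWEI> display ipv6 prefix-limit all-vpn-instance statistics
-------------------------------------------------------------------------------
IPv6 VPN instance name: vrf1
           DenyAdd TryAddInDelState NotifyDelAll NotifyDelFinish NotifyAddRoute
DIRECT           0                0            0               0              0
OSPFv3           0                0            0               0              0
"""

INSTANCE_RE = re.compile(r"(IPv6 )?VPN instance name:\s*(\S+)")


def parse_prefix_limit_stats(text):
    """Return {(family, instance): {protocol: {counter: int}}}."""
    stats = {}
    key = None       # (family, instance) of the block being read
    columns = None   # counter names taken from the block's header row
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue                      # blank line or separator rule
        if line.startswith(("<", "#")):
            key = None                    # echoed prompt or comment line
            continue
        match = INSTANCE_RE.fullmatch(line)
        if match:
            family = "ipv6" if match.group(1) else "ipv4"
            key = (family, match.group(2))
            stats[key] = {}
            columns = None
            continue
        if key is None:
            continue
        fields = line.split()
        if columns is None:
            columns = fields              # DenyAdd, TryAddInDelState, ...
            continue
        values = fields[1:]
        if len(values) != len(columns) or not all(v.isdigit() for v in values):
            raise ValueError(f"unexpected row: {raw!r}")
        stats[key][fields[0]] = dict(zip(columns, map(int, values)))
    return stats


def routes_denied(stats):
    """List (family, instance, protocol, DenyAdd) where DenyAdd is non-zero."""
    hits = []
    for (family, instance), protocols in stats.items():
        for protocol, counters in protocols.items():
            if counters.get("DenyAdd", 0) > 0:
                hits.append((family, instance, protocol, counters["DenyAdd"]))
    return sorted(hits)


if __name__ == "__main__":
    for hit in routes_denied(parse_prefix_limit_stats(SAMPLE_OUTPUT)):
        print(hit)
```
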

display ip vpn-instance

Function

The display ip vpn-instance command displays configurations of VPN instances.

Format

display ip vpn-instance [ verbose ] [ vpn-instance-name ]

display ip vpn-instance [ vpn-instance-name ] interface

display ip vpn-instance [ vpn-instance-name ] tunnel-info

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| verbose | Displays detailed information about VPN instances. | - |
| vpn-instance-name | Specifies the name of a VPN instance. | The value is the name of an existing VPN instance. |
| interface | Displays information about the interfaces bound to the VPN instance. | - |
| tunnel-info | Displays information about the LSP associated with the VPN instance. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

If you want to check the configurations of VPN instances, interfaces bound to them, and LSPs associated with them, run the display ip vpn-instance command. Since VPN instances support both IPv4 and IPv6 address families, the display ip vpn-instance command displays the information of different address families separately.

If vpn-instance-name is not specified, the display ip vpn-instance command displays information about all configured VPN instances on the device.

If interface is specified, the display ip vpn-instance command displays all interfaces bound to the specified VPN instance.

If tunnel-info is specified, the display ip vpn-instance command displays information about the LSPs to which the routes of the VPN instance enabled with the IPv4 or IPv6 address family are iterated (in other words, information about the LSPs between PEs). If the tunnels between PEs are not LSPs, the display ip vpn-instance command does not display tunnel information.

Precautions

If the VPN instance to be displayed has not been created, the system reports that the VPN instance does not exist.

Example

# Display brief information about all VPN instances.

<HUAWEI> display ip vpn-instance
 Total VPN-Instances configured      : 3                                        
 Total IPv4 VPN-Instances configured : 2                                        
 Total IPv6 VPN-Instances configured : 0                                        
                                                                                
  VPN-Instance Name               RD                    Address-family          
  vpn1                                                                          
  vpna                            100:1                 IPv4                    
  vpnb                            100:2                 IPv4                    
Table 10-31  Description of the display ip vpn-instance command output

Item

Description

Total VPN-Instances configured

Total number of VPN instances configured on the local end.

Total IPv4 VPN-Instances configured

Total number of locally configured VPN instances for which IPv4 address families are enabled.

Total IPv6 VPN-Instances configured

Total number of locally configured VPN instances for which IPv6 address families are enabled.

VPN-Instance Name

Name of the VPN instance.

RD

RD of the VPN instance IPv4 address family or IPv6 address family.

Address-family

Address family enabled for the VPN instance. The address family can be:
  • Null, if no address family is enabled.
  • IPv4, if only the IPv4 address family is enabled.
  • IPv6, if only the IPv6 address family is enabled.

# Display detailed information about all VPN instances.

<HUAWEI> display ip vpn-instance verbose
 Total VPN-Instances configured      : 1                                        
 Total IPv4 VPN-Instances configured : 1                                        
 Total IPv6 VPN-Instances configured : 1                                        
                                                                                
 VPN-Instance Name and ID : vpna, 6                                             
  Description : vpna-1                                                          
  Service ID : 12  
  Interfaces : Vlanif10                                             
 Address family ipv4                                                            
  Create date : 2013-03-06 15:20:43+08:00                                    
  Up time : 6 days, 04 hours, 41 minutes and 57 seconds                         
  Route Distinguisher : 100:1                                                   
  Export VPN Targets :  1:1                                                     
  Import VPN Targets :  1:1                                                     
  Label Policy : label per instance                                             
  Per-Instance Label : 1024                                                     
  IP FRR Route Policy : 20
  VPN FRR Route Policy : 12 
  Import Route Policy : 10                                                      
  Export Route Policy : 20                                                      
  Tunnel Policy : bindTE
  Maximum Routes Limit : 2000                                                   
  Threshold Routes Limit : 80%                                                  
  Maximum Prefixes Limit : 1024                                                 
  Threshold Prefixes Limit : 50%                                                
  Install Mode : route-unchanged 
  Log Interval : 10                                                             
 Address family ipv6                                                            
  Create date : 2013-03-06 15:20:43+08:00
  Up time : 6 days, 04 hours, 41 minutes and 57 seconds                         
  Log Interval : 5                                                              
                                                                                
Table 10-32  Description of the display ip vpn-instance verbose command output

Item

Description

Total VPN-Instances configured

Total number of VPN instances configured on the local end.

Total IPv4 VPN-Instances configured

Total number of locally configured VPN instances for which IPv4 address families are enabled.

Total IPv6 VPN-Instances configured

Total number of locally configured VPN instances for which IPv6 address families are enabled.

VPN-Instance Name and ID

Name and ID of the VPN instance. The ID is assigned by the system, which facilitates indexing.

Description

Description of the VPN instance. This field is displayed in the command output only when the description (VPN instance view) command is used.

Service ID

Service ID of the VPN instance. This item is displayed only after the service-id (VPN instance view) command is run in the VPN instance view.

Interfaces

Interfaces bound to the VPN instance. This field is displayed only after the ip binding vpn-instance command is configured on these interfaces.

Address family ipv4

Information about the IPv4 address family enabled for the VPN instance.

Address family ipv6

Information about the IPv6 address family enabled for the VPN instance.

Create date

Time when the VPN instance is created.

Up time

Period during which the VPN instance has remained in the Up state.

Route Distinguisher

RD of the VPN instance IPv4 address family or IPv6 address family. To specify an RD, run the route-distinguisher command.

Export VPN Targets

Route Target list in the outbound direction. To set the VPN target, run the vpn-target command.

Import VPN Targets

Route Target list in the inbound direction. To set the VPN target, run the vpn-target command.

Label Policy

Label policy:
  • label per instance: indicates that the same label is allocated to routes of a VPN instance. This field is displayed in the command output only when the apply-label per-instance command is run in the VPN instance view.

  • label per route: indicates that each route of a VPN instance is assigned a label.

Per-Instance Label

Label value used when all VPN routes of the VPN instance address family share one label. This field is displayed only after the apply-label per-instance command is run in the VPN instance address family view.

IP FRR Route Policy

IP FRR route policy used for the address family. This item is displayed only after the ip frr command is run in the VPN instance IPv4 address family view.

VPN FRR Route Policy

VPN FRR route policy used for the address family. This item is displayed only after the vpn frr command is run in the VPN instance IPv4 address family view.

Import Route Policy

Import Route-Policy applied to the VPN instance. This field is displayed only after the import route-policy command is run in the VPN instance address family view.

Export Route Policy

Export Route-Policy applied to the VPN instance. This field is displayed only after the export route-policy command is run in the VPN instance address family view.

Tunnel Policy

Tunnel policy applied to the VPN instance. This field is displayed only after the tnl-policy command is run in the VPN instance address family view.

Maximum Routes Limit

Maximum number of routes supported by the current address family. This field is displayed only after the routing-table limit command is run in the VPN instance address family view.

Threshold Routes Limit

Percentage of the maximum number of routes specified for the current address family. When the number of routes reaches this percentage of the maximum, an alarm is generated. This field is displayed only after the routing-table limit command is run in the VPN instance address family view.

Maximum Prefixes Limit

Maximum number of prefixes supported by the current address family of the VPN instance. This field is displayed only after the prefix limit command is run in the VPN instance address family view.

Threshold Prefixes Limit

Percentage of the maximum number of prefixes specified for the current address family of the VPN instance. When the number of prefixes reaches this percentage of the maximum, an alarm is generated. This field is displayed only after the prefix limit command is run in the VPN instance address family view.

Install Mode

Method of processing routes. The prefix limit command can be used to specify the route processing method when the threshold is lowered due to the number of route prefixes exceeding the upper threshold.
  • If route-unchanged is configured, routes in the routing information base (RIB) table remain unchanged.
  • If route-unchanged is not configured, all routes in the RIB table are deleted and the routes are re-installed in the RIB table.

Log Interval

Interval for displaying log messages when the number of VPN instance routes exceeds the maximum value. The default interval is 5 seconds. The value can be set using the limit-log-interval command.
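
Table 10-32 states that Maximum Routes Limit and Maximum Prefixes Limit appear only after the routing-table limit or prefix limit command has been run, so an address family that shows neither field has no cap configured. The following Python sketch is an added example, not part of the Huawei documentation: it parses saved display ip vpn-instance verbose output and lists such address families. The function names are hypothetical and the sample is constructed from the output shown above.

```python
import re

# Constructed sample, trimmed from the verbose output shown above.
SAMPLE = """\
 Total VPN-Instances configured      : 1
 VPN-Instance Name and ID : vpna, 6
  Description : vpna-1
  Interfaces : Vlanif10
 Address family ipv4
  Create date : 2013-03-06 15:20:43+08:00
  Route Distinguisher : 100:1
  Export VPN Targets :  1:1
  Import VPN Targets :  1:1
  Maximum Routes Limit : 2000
  Threshold Routes Limit : 80%
  Maximum Prefixes Limit : 1024
  Threshold Prefixes Limit : 50%
  Install Mode : route-unchanged
  Log Interval : 10
 Address family ipv6
  Create date : 2013-03-06 15:20:43+08:00
  Log Interval : 5
"""

INSTANCE_RE = re.compile(r"^VPN-Instance Name and ID\s*:\s*(\S+),\s*(\d+)$")
FAMILY_RE = re.compile(r"^Address family (ipv4|ipv6)$")
LIMIT_FIELDS = ("Maximum Routes Limit", "Maximum Prefixes Limit")


def parse_verbose(text):
    """Return {name: {"id": int, "fields": {...}, "families": {af: {...}}}}."""
    instances = {}
    inst = None
    target = None  # dict that currently receives "key : value" lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = INSTANCE_RE.match(line)
        if m:
            inst = {"id": int(m.group(2)), "fields": {}, "families": {}}
            instances[m.group(1)] = inst
            target = inst["fields"]
            continue
        m = FAMILY_RE.match(line)
        if m and inst is not None:
            target = inst["families"].setdefault(m.group(1), {})
            continue
        # Split on the first " : " only, so timestamps and RDs keep their colons.
        key, sep, value = line.partition(" : ")
        if sep and target is not None:
            target[key.strip()] = value.strip()
    return instances


def audit_limits(instances):
    """List (instance, family) pairs that show neither limit field."""
    findings = []
    for name, inst in sorted(instances.items()):
        for family, fields in sorted(inst["families"].items()):
            if not any(f in fields for f in LIMIT_FIELDS):
                findings.append((name, family))
    return findings


if __name__ == "__main__":
    for name, family in audit_limits(parse_verbose(SAMPLE)):
        print(f"{name} ({family}): no routing-table limit or prefix limit")
```
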

# Display information about the interface bound to the VPN instance named vrf1.

<HUAWEI> display ip vpn-instance vrf1 interface
 VPN-Instance Name and ID : vrf1, 1
  Interface Number : 1
  Interface list : Vlanif40
Table 10-33  Description of the display ip vpn-instance interface command output

Item

Description

Interface Number

Number of interfaces bound to the VPN instance

Interface list

List of interfaces bound to the VPN instance

# Display information about the LSP associated with the vrf1 VPN instance.

<HUAWEI> display ip vpn-instance vrf1 tunnel-info
 VPN-Instance Name and ID : vrf1, 1
 Address family ipv4
  Nexthop Address                Tunnel ID
  1.1.1.1                        0x3  
 Address family ipv6   
  Nexthop Address                Tunnel ID
  1.1.1.1                        0x3  
Table 10-34  Description of the display ip vpn-instance tunnel-info command output

Item

Description

Nexthop Address

Indicates the next-hop address of the route learned by the VPN instance from the peer PE.

Tunnel ID

Indicates the ID of the LSP corresponding to the next-hop address of the route learned by the VPN instance from the peer PE.

display ip vpn-instance import-vt

Function

The display ip vpn-instance import-vt command displays all VPN instances with the specified import vpn-target attribute.

Format

display ip vpn-instance import-vt ivt-value

Parameters

Parameter Description Value
ivt-value Specifies the value of the import VPN-target attribute. The forms of VPN targets are as follows:
  • 2-byte AS number: 4-byte user-defined number, for example, 1:3. The AS number ranges from 0 to 65535. The user-defined number ranges from 0 to 4294967295. The AS number and the user-defined number cannot both be 0. That is, a VPN target cannot be 0:0.

  • IPv4-address: 2-byte user-defined number, for example, 192.168.122.15:1. The IP address ranges from 0.0.0.0 to 255.255.255.255. The user-defined number ranges from 0 to 65535.

  • Integral 4-byte AS number:2-byte user-defined number, for example, 65537:3. An AS number ranges from 65536 to 4294967295. A user-defined number ranges from 0 to 65535. The AS number and user-defined number cannot be both 0s. That is, a VPN target cannot be 0:0.

  • 4-byte AS number in dotted notation:2-byte user-defined number, for example, 0.0:3 or 0.1:0. A 4-byte AS number in dotted notation is in the format of x.y, where x and y are integers that range from 0 to 65535 and from 0 to 65535, respectively. A user-defined number ranges from 0 to 65535. The AS number and user-defined number cannot be both 0s. That is, a VPN target cannot be 0.0:0.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

If a PE is configured with multiple VPN instances, the display ip vpn-instance import-vt command can be run on the PE to check into which VPN instances a VPNv4 route with a specified VPN target can be imported.

The VPN target controls route learning between VPN instances. A VPN target may be either an import VPN target or an export VPN target. An export VPN target is contained in a VPNv4 route to be advertised to a remote MP-BGP peer. On receiving a VPNv4 route, an MP-BGP peer compares the received export VPN target with the local import VPN target to determine whether the VPNv4 route can be added to the routing table of the local VPN instance IPv4 address family.
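
The four VPN-target forms from the Parameters table and the import/export comparison described above, as an added Python example that is not part of the Huawei documentation. It assumes the rule from RFC 4364 that a route is imported when it carries at least one of the instance's import targets, and it keeps 2-byte-AS, IPv4-address and 4-byte-AS targets distinct as the RFC 4360 and RFC 5668 encodings do; the function names and the instance map are constructed.

```python
import ipaddress
import re

# Constructed sample: import VPN targets per VPN instance (IPv4 address family).
SAMPLE_IMPORTS = {
    "vrf1": ["1:1"],
    "vrf2": ["2:2"],
    "vrf4": ["1:1", "65537:3"],
    "vrf5": ["1:1"],
    "vrf9": ["192.168.122.15:1"],
}


def _uint(text, limit, what):
    """Parse a plain decimal field and enforce its upper bound."""
    if not re.fullmatch(r"[0-9]+", text) or int(text) > limit:
        raise ValueError(f"{what} is not a decimal in range: {text!r}")
    return int(text)


def parse_vpn_target(text):
    """Return (kind, administrator, number); kind is "as2", "ipv4" or "as4".

    Raises ValueError for anything outside the four documented forms.
    """
    admin, sep, num = text.strip().rpartition(":")
    if not sep:
        raise ValueError(f"missing ':' in VPN target: {text!r}")
    dots = admin.count(".")
    if dots == 3:    # IPv4-address:2-byte number, e.g. 192.168.122.15:1
        kind, value = "ipv4", int(ipaddress.IPv4Address(admin))
        number = _uint(num, 0xFFFF, "user-defined number")
    elif dots == 1:  # dotted 4-byte AS x.y:2-byte number, e.g. 0.1:0
        hi, lo = admin.split(".")
        value = _uint(hi, 0xFFFF, "x") * 65536 + _uint(lo, 0xFFFF, "y")
        kind = "as4"
        number = _uint(num, 0xFFFF, "user-defined number")
    else:            # plain integer AS number; its size selects the form
        value = _uint(admin, 0xFFFFFFFF, "AS number")
        if value <= 0xFFFF:   # 2-byte AS:4-byte number, e.g. 1:3
            kind = "as2"
            number = _uint(num, 0xFFFFFFFF, "user-defined number")
        else:                 # integral 4-byte AS:2-byte number, e.g. 65537:3
            kind = "as4"
            number = _uint(num, 0xFFFF, "user-defined number")
    if kind != "ipv4" and value == 0 and number == 0:
        raise ValueError("a VPN target cannot be 0:0 or 0.0:0")
    return kind, value, number


def is_valid_vpn_target(text):
    try:
        parse_vpn_target(text)
        return True
    except ValueError:
        return False


def importing_instances(route_export_targets, instances):
    """Names of instances whose import targets share a target with the route."""
    carried = {parse_vpn_target(t) for t in route_export_targets}
    return sorted(
        name for name, imports in instances.items()
        if carried & {parse_vpn_target(t) for t in imports}
    )


if __name__ == "__main__":
    print(importing_instances(["1:1"], SAMPLE_IMPORTS))
```

Because targets are compared after normalization, 1.1:3 and 65537:3 select the same instances, while 0.1:1 (a 4-byte AS target) does not match the 2-byte AS target 1:1.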

Precautions

At present, this command cannot be used to view the VPN instance with multiple import VPN-target attributes specified.

Example

# Display the VPN instance with the import VPN-target attribute being 1:1.

<HUAWEI> display ip vpn-instance import-vt 1:1
The number of ipv4-family matched the import-vt : 3
 VPN-Instance Name and ID : vrf1, 1
 VPN-Instance Name and ID : vrf4, 5
 VPN-Instance Name and ID : vrf5, 4

The number of ipv6-family matched the import-vt : 2
 VPN-Instance Name and ID : vrf1, 1
 VPN-Instance Name and ID : vrf5, 4
Table 10-35  Description of the display ip vpn-instance import-vt command output

Item

Description

The number of ipv4-family matched the import-vt

Number of VPN instances with the specified import VPN-target attribute in the VPN instance IPv4 address family view.

The number of ipv6-family matched the import-vt

Number of VPN instances with the specified import VPN-target attribute in the VPN instance IPv6 address family view.

VPN-Instance Name and ID

Name and ID of the VPN instance.

display interface tunnel

Function

The display interface tunnel command displays details of the tunnel interface.

Format

display interface tunnel [ interface-number | main ]

Parameters

Parameter

Description

Value

interface-number

Specifies the number of the tunnel interface. If this parameter is not specified, the command displays information about all tunnel interfaces.

The value must be the number of a tunnel interface that has been created.

main

Displays status and traffic statistics about the main interface. The interface has no sub-interfaces. Status and traffic statistics about the interface are displayed whether you specify the main parameter or not.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

To check status of tunnels or diagnose the fault in these tunnels, run the display interface tunnel command. You can run this command to obtain tunnel interface information when configuring tunnels or when locating the fault on these tunnels.

Prerequisites

Before running the display interface tunnel command, ensure that the tunnel interface has been created using the interface tunnel command.

Example

# Display the details of the tunnel interface.

<HUAWEI> display interface tunnel 1
Tunnel1 current state : UP             
Line protocol current state : UP                                                
Last line protocol up time : 2012-11-16 19:16:33 UTC+08:00                      
Description:                                                                    
Route Port,The Maximum Transmit Unit is 1500                                    
Internet Address is 10.3.1.2/24                                                 
Encapsulation is TUNNEL, loopback not set                                       
Tunnel source 10.2.1.2 (Vlanif1234), destination 10.2.1.1                       
Tunnel protocol/transport GRE/IP, key disabled                                  
keepalive enable period 5 retry-times 3                                         
Checksumming of packets disabled                                                
Current system time: 2012-11-16 19:17:39+08:00                                  
Last 300 seconds input rate 16 bits/sec, 0 packets/sec                          
Last 300 seconds output rate 0 bits/sec, 0 packets/sec                          
Input:  5 packets, 650 bytes                                                    
Output:  0 packets, 0 bytes                                                     
    Input bandwidth utilization  :    0%                                        
    Output bandwidth utilization :    0%    
Table 10-36  Description of the display interface tunnel command output

Item

Description

Tunnel1 current state

Physical layer status of the tunnel interface:
  • UP: The interface is in normal state.

  • Administratively DOWN: The network administrator executes the shutdown command on the interface.

After a tunnel interface is created, its physical layer status is Up.

Line protocol current state

Link protocol status:
  • Up: The link layer protocol of the tunnel interface works normally.

  • Down: The link layer protocol of the tunnel interface is abnormal.

Last line protocol up time

Last time the link layer protocol of the tunnel interface went Up.

NOTE:

This field is displayed only when the link layer protocol status of the tunnel interface is UP.

Description

Description of the tunnel interface.

Route Port

Indicates the Layer 3 interface.

The Maximum Transmit Unit is 1500

MTU of tunnel interfaces, which is 1500 bytes by default. Any packet larger than the MTU is fragmented before being sent. If non-fragmentation is configured, the packet is discarded.

Internet Address is 10.3.1.2/24

IP address of the tunnel interface is 10.3.1.2.

The mask is 24 bits, that is, 255.255.255.0.

Encapsulation is TUNNEL,

Encapsulation type of packets on a tunnel interface.

Packet encapsulation protects a whole IP packet.

loopback not set

The tunnel interface does not support a loopback test.

Tunnel source 10.2.1.2 (Vlanif1234)

The source address of the tunnel is 10.2.1.2. That is, the IP address of the VLANIF 1234 interface sending packets at the source side is 10.2.1.2.

destination 10.2.1.1

Destination address of the tunnel.

Tunnel protocol/transport GRE/IP, key disabled

The tunnel encapsulation protocol is the GRE protocol, and the transport protocol is the IP protocol.

Encapsulation protocol types of a tunnel are as follows:

  • GRE: indicates Generic Routing Encapsulation.

  • MPLS: encapsulates packets into MPLS packets.

  • IPv6 over IPv4: encapsulates IPv6 packets into IPv4 packets.

  • IPv4 over IPv6: encapsulates IPv4 packets into IPv6 packets.

  • none: indicates no encapsulation. This is the default mode of the tunnel interface.

key disabled: the key word recognition function of GRE is not enabled.

keepalive enable period 5 retry-times 3

The keepalive function of GRE.

Checksumming of packets disabled

The checksum function of GRE is not enabled.

Current system time

Current system time.

If the time zone is configured and the daylight saving time is used, the time is in YYYY/MM/DD HH:MM:SS UTC±HH:MM DST format.

Last 300 seconds input rate

Incoming packet rate (bits per second and packets per second) within the last 300 seconds.

Last 300 seconds output rate

Outgoing packet rate (bits per second and packets per second) within the last 300 seconds.

Input

Total number of received packets.

Output

Total number of sent packets.

Input bandwidth utilization : --

Input bandwidth usage.

Output bandwidth utilization : --

Output bandwidth usage.

display l3vpn vpn-list tunnel-policy

Function

The display l3vpn vpn-list tunnel-policy command displays all the VPN instances to which a specified tunnel policy is applied.

Format

display l3vpn vpn-list tunnel-policy tunnel-policy-name

Parameters

Parameter Description Value
tunnel-policy-name Specifies the name of a tunnel policy. The value is the name of an existing tunnel policy.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

To have its routes iterated to tunnels, a VPN instance needs to apply a tunnel policy. If the tunnel policy used by a VPN instance is changed or the status of tunnels selected based on the tunnel policy changes, the iterated tunnels may change. The display l3vpn vpn-list tunnel-policy command displays all the VPN instances to which a specified tunnel policy is applied. The command output will show the VPN instances that will be affected by changes in the tunnel policy.

Example

# Display the referential relationship between a tunnel policy and a VPN instance.

<HUAWEI> display l3vpn vpn-list tunnel-policy p1
Codes: *(Tunnel policy is not configured) 
Tunnel Policy Name: p1
Total VPN Instance(s) number: 1 
VPN(s) using the tunnel policy: 
vrf1
Table 10-37  Description of the display l3vpn vpn-list tunnel-policy command output

Item

Description

Codes

Comments

Tunnel Policy Name

Name of a tunnel policy

Total VPN Instance(s) number

Number of VPN instances specified with tunnel policies

VPN(s) using the tunnel policy

Name of VPN instances specified with tunnel policies

display mpls label-stack vpn-instance

Function

The display mpls label-stack vpn-instance command displays information about L3VPN label stacks.

Format

display mpls label-stack vpn-instance vpn-instance-name ip-address

Parameters

Parameter Description Value
vpn-instance-name Specifies the name of a VPN instance. The value is the name of an existing VPN instance.
ip-address Specifies a private IPv4 address. The value is in dotted decimal notation.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

In a non-inter-AS L3VPN scenario, this command allows you to query label stack information on PEs based on VPN instance names and private IP addresses.

Example

# Display label stack information about the VPN instance named vpna.

<HUAWEI> display mpls label-stack vpn-instance vpna 10.12.12.1
Label-stack  : 1
Level        : 1
Type         : VPN
Label        : 1033
Level        : 2
Type         : LDP
Label        : 1041
OutInterface : Vlanif100
Table 10-38  Description of the display mpls label-stack vpn-instance command output

Item

Description

Label-stack

Number of label stacks

Level

Number of labels

Type

Tunnel type

Label

Value of the outgoing label

OutInterface

Outbound interface

display snmp-agent trap feature-name l3vpn all

Function

The display snmp-agent trap feature-name l3vpn all command displays whether the trap function is enabled for the L3VPN module and the excessive trap flag.

Format

display snmp-agent trap feature-name l3vpn all

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display snmp-agent trap feature-name l3vpn all command displays the following information:
  • Trap names supported by the L3VPN module. The trap names are the same as the trap names specified by the snmp-agent trap enable feature-name l3vpn command. Each trap name corresponds to a network element abnormality.
  • Trap status of the L3VPN module. You can check whether the trap is reported based on the trap name.

Example

# Display whether the trap function is enabled for the L3VPN module and the excessive trap flag.

<HUAWEI> display snmp-agent trap feature-name l3vpn all
------------------------------------------------------------------------------
Feature name: l3vpn
Trap number : 6
------------------------------------------------------------------------------
Trap name                       Default switch status   Current switch status
L3VPN_MIB_TRAP_VRF_UP           off                     off
L3VPN_MIB_TRAP_VRF_DOWN         off                     off
L3VPN_MIB_TRAP_THRESH_CLEARED   off                     off
L3VPN_MIB_TRAP_THRESH_EXCEED    off                     off
L3VPN_MIB_TRAP_MID_THRESH_EXCEED
                                off                     off
Table 10-39  Description of the display snmp-agent trap feature-name l3vpn all command output

Item

Description

Feature name

Name of the module.

Trap number

Number of trap messages.

Trap name

Types of trap messages:

  • L3VPN_MIB_TRAP_MID_THRESH_EXCEED: The number of VPN routes exceeds the maximum number of route prefixes allowed.
  • L3VPN_MIB_TRAP_THRESH_CLEARED: The number of VPN routes falls below the threshold.
  • L3VPN_MIB_TRAP_THRESH_EXCEED: The number of VPN routes exceeds the threshold.
  • L3VPN_MIB_TRAP_VRF_DOWN: a trap message indicating a VRF Down event.
  • L3VPN_MIB_TRAP_VRF_UP: a trap message indicating a VRF Up event.

Default switch status

Default status of a trap message:

  • on: indicates that the trap function is enabled by default.
  • off: indicates that the trap function is disabled by default.

Current switch status

Status of a trap message:

  • on: indicates that the trap function is enabled.
  • off: indicates that the trap function is disabled.
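
The trap table above wraps a long trap name (L3VPN_MIB_TRAP_MID_THRESH_EXCEED) onto its own line, which a naive column split misses. The following Python sketch is an added example, not part of the Huawei documentation: it parses the table, rejoins wrapped rows, and reports which of a chosen set of traps are not currently on. The function names and the choice of traps to require are assumptions; the sample is constructed from the output shown above.

```python
# Constructed sample, copied from the example output above.
SAMPLE = """\
------------------------------------------------------------------------------
Feature name: l3vpn
Trap number : 6
------------------------------------------------------------------------------
Trap name                       Default switch status   Current switch status
L3VPN_MIB_TRAP_VRF_UP           off                     off
L3VPN_MIB_TRAP_VRF_DOWN         off                     off
L3VPN_MIB_TRAP_THRESH_CLEARED   off                     off
L3VPN_MIB_TRAP_THRESH_EXCEED    off                     off
L3VPN_MIB_TRAP_MID_THRESH_EXCEED
                                off                     off
"""

STATES = ("on", "off")

# Assumption for this example: the route-limit traps are the ones to require.
REQUIRED = ("L3VPN_MIB_TRAP_THRESH_EXCEED", "L3VPN_MIB_TRAP_MID_THRESH_EXCEED")


def parse_trap_table(text):
    """Return {trap name: (default status, current status)}."""
    traps = {}
    pending = None  # trap name seen alone on a line, waiting for its statuses
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) == 3 and parts[1] in STATES and parts[2] in STATES:
            traps[parts[0]] = (parts[1], parts[2])
            pending = None
        elif len(parts) == 1 and parts[0].startswith("L3VPN_"):
            pending = parts[0]          # name too long for its column
        elif len(parts) == 2 and pending and all(p in STATES for p in parts):
            traps[pending] = (parts[0], parts[1])
            pending = None
        else:
            pending = None              # separators, headers, summary lines
    return traps


def not_enabled(traps, required=REQUIRED):
    """Required traps that are absent from the table or whose current status is off."""
    return sorted(
        name for name in required
        if traps.get(name, ("off", "off"))[1] != "on"
    )


if __name__ == "__main__":
    for name in not_enabled(parse_trap_table(SAMPLE)):
        print(f"trap not enabled: {name}")
```
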

display tunnel-info

Function

The display tunnel-info command displays the tunnel information.

Format

display tunnel-info { tunnel-id tunnel-id | all | statistics [ slots ] }

Parameters

Parameter Description Value
tunnel-id tunnel-id Specifies the tunnel ID. If the specified ID does not exist, the system reports an error. The value is a hexadecimal integer ranging from 1 to FFFFFFFE.
all Displays information about all the tunnels. -
statistics Displays statistics about all tunnels. -
slots Displays tunnel statistics in the order of slots. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display tunnel-info all command displays existing tunnel IDs, tunnel types, destination IP addresses, and Token information about all tunnels.

The display tunnel-info tunnel-id tunnel-id command displays detailed information about a tunnel when you know only the tunnel ID.

The display tunnel-info statistics command displays the number of tunnels configured on the switch.

Example

# View information about the tunnel.

<HUAWEI> display tunnel-info tunnel-id 2
Tunnel ID:                    0x2 
Tunnel Token:                 2 
Type:                         cr lsp
Destination:                  1.1.1.1 
Out Slot:                     0 
Instance ID:                  0 
Interface:                    Tunnel1 
Sub Tunnel ID:                0x0
<HUAWEI> display tunnel-info tunnel-id 3
Tunnel ID:                    0x3
Tunnel Token:                 3
Type:                         lsp
Destination:                  10.20.10.10
Out Slot:                     0
Instance ID:                  0
Out Interface:                Vlanif1024
Out Label:                    3
Next Hop:                     10.24.10.200
Lsp Index:                    2048
<HUAWEI> display tunnel-info tunnel-id 10006
Tunnel ID:                    0x10006
Tunnel Token:                 2
Type:                         lsp
Destination:                  6.6.6.6
Out Slot:                     0
Instance ID:                  0
Out Interface:                Vlanif15
Lsp Index:                    0
SubTunnel Type:               L2VPN QoS Token
Table 10-40  Description of the display tunnel-info tunnel-id command output

Item

Description

Tunnel ID

Tunnel ID in hexadecimal notation that is assigned by the system.

Tunnel Token

Token value used for MPLS forwarding that is a part of tunnel ID and is assigned by the system.

Type

Type of a tunnel, such as GRE, MPLS LSP, or CR-LSP. The command output varies according to the tunnel type.

Destination

Destination IP address of the tunnel.

Out Slot

Number of the slot that is used when the switch sends packets.

Instance ID

VPN instance ID (0 indicates that a tunnel is a public network tunnel).

Interface

Local tunnel interface.

Sub Tunnel ID

Sub-tunnel ID of VPN QoS in hexadecimal notation that is automatically assigned by the system.

Out Label

Out label value.

Next Hop

Next hop.

Lsp Index

LSP index, which is allocated by MPLS.

Out Interface

Local outbound interface of the tunnel.

SubTunnel Type

Types of tokens of sub-tunnels:

  • LDP LSP over TE QoS Token
  • LDP LSP QoS Token
  • BGP LSP over TE QoS Token
  • BGP LSP QoS Token
  • Static LSP QoS Token
  • CR-LSP over TE QoS Token
  • L2VPN over TE QoS Token
  • L2VPN QoS Token

This field is displayed only for sub-tunnels.

# Display all tunnel information.

<HUAWEI> display tunnel-info all
 * -> Allocated VC Token
Tunnel ID           Type                 Destination           Token
----------------------------------------------------------------------
0x10006             lsp                   10.2.1.1               6

# Display tunnel statistics.

<HUAWEI> display tunnel-info statistics
LSP/32bit LSP :                         0/0
GRE :                                   2
CRLSP :                                 0
LOCAL IFNET :                           0
MPLS LOCAL IFNET :                      0
VPN QOS LSP :                           0
Reserved :                              0
Table 10-41  Description of the display tunnel-info statistics command output

Item

Description

LSP/32bit LSP

Number of LSP tunnels created in the system view/Number of LSP tunnels triggered by the route of host with the 32-bit mask address.

GRE

Number of tunnel IDs allocated to the GRE tunnels.

CRLSP

Number of tunnel IDs allocated to the CR-LSP tunnels.

LOCAL IFNET

Number of tunnels used by the VPN internal module.

MPLS LOCAL IFNET

Number of tunnels used by the MPLS internal module.

VPN QOS LSP

Number of tunnel IDs allocated to the LSPs used in VPN QoS.

Reserved

Number of tunnel IDs allocated to the product.

# Display tunnel statistics in the order of slots.

<HUAWEI> display tunnel-info statistics slots
----------------------------------------------------------------- 
Slot              LSP     CR      GRE     LCL     MPLS-L  VPN 
Num                       LSP             IFNET   IFNET   QOS 
-----------------------------------------------------------------
0                 6       1       0       1       0       0 
Logic Slot: 0                     Total:  8                 
Table 10-42  Description of the display tunnel-info statistics slots command output

Item

Description

Slot Num

Slot number used by the device to send packets.

LSP

Total LSP tunnels set up by the device.

CR LSP

Number of CR-LSPs created on the device.

GRE

Number of GRE tunnels created on the device.

LCL IFNET

Number of tunnels used by the VPN module.

MPLS-L IFNET

Number of tunnels used by the MPLS module.

VPN QOS

Number of tunnels used for VPN QoS.

display tunnel-policy

Function

The display tunnel-policy command displays the configurations of tunnel policies.

Format

display tunnel-policy [ tunnel-policy-name ]

Parameters

Parameter Description Value
tunnel-policy-name Specifies the name of a tunnel policy. If tunnel-policy-name is specified, information about the specified tunnel policy is displayed. The value is the name of an existing tunnel policy.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Using the display tunnel-policy command, you can check the configured tunnel policy and information about a tunnel policy before applying it.

Example

# Display information about all the tunnel policies.

<HUAWEI> display tunnel-policy
Total   tunnel policy num:              3
Sel-Seq tunnel policy num:              1
Binding tunnel policy num:              1
Invalid tunnel policy num:              1

Tunnel Policy Name                      Select-Seq                        Load balance No
-----------------------------------------------------------------------------------------
po2                                     CR-LSP LSP                        3


Tunnel Policy Name                      Destination     Tunnel Intf       Ignore-dest-check   Down switch
-------------------------------------------------------------------------------------------------------------
po2                                     1.1.1.9         Tunnel2            Disable             Enable
Table 10-43  Description of the display tunnel-policy command output

Item

Description

Total tunnel policy num

Total number of tunnel policies.

Sel-Seq tunnel policy num

Total number of tunnel policies in select-sequence mode.

Binding tunnel policy num

Total number of tunnel policies in tunnel binding mode.

Invalid tunnel policy num

Total number of invalid tunnel policies.

Tunnel Policy Name

Name of a tunnel policy.

Select-Seq

Priorities of tunnel types in descending order.

Load balance No

Number of tunnels for load balancing. The default value is 1.

Destination

Destination IP addresses of the bound tunnels, that is, IP addresses of the peer interfaces that receive packets.

Tunnel Intf

Local tunnel interface of the bound tunnel.

Ignore-dest-check

Check is disabled regardless of whether the destination IP address specified in a tunnel policy is consistent with the actual destination address of the tunnel to be bound to the tunnel policy.

Down switch

Tunnel switchover status:
  • Enable indicates that the function is enabled.
  • Disable indicates that the function is disabled.

# Display information about the tunnel policy.

<HUAWEI> display tunnel-policy p1
The number of binding:1
Tunnel Policy Name                      Destination     Tunnel Intf       Ignore-dest-check   Down Switch
-------------------------------------------------------------------------------------------------------------
p1                                      1.1.1.1         Tunnel2            Disable             Enable
Table 10-44  Description of the display tunnel-policy tunnel-policy-name command output

Item

Description

The number of binding

Number of the bound destination addresses.

display tunnel-policy-config

Function

The display tunnel-policy-config command displays the configuration of tunnel policies.

Format

display tunnel-policy-config [ tunnel-policy-name ]

Parameters

Parameter Description Value
tunnel-policy-name Indicates the name of the tunnel policy. The value is the name of an existing tunnel policy.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After tunnel policies are configured, you can view the configuration of a tunnel policy by using the display tunnel-policy-config command. If you do not specify the tunnel policy to be displayed, the configurations of all tunnel policies are displayed.

Example

# Display the configurations of all tunnel policies.

<HUAWEI> display tunnel-policy-config 
#                                                                               
tunnel-policy whm1                                                              
 description 1.1.1.1                                                            
#                                                                               
tunnel-policy whm2                                                              
 description 1.1.1.1                                                            
 tunnel select-seq cr-lsp lsp load-balance-number 3                             
#                                                                               
tunnel-policy whm3                                                              
 tunnel binding destination 1.1.1.1 te Tunnel2                            
#                                                                               
return                                                                          

# Display the configuration of the tunnel policy named p1.

<HUAWEI> display tunnel-policy-config p1
#
tunnel-policy p1
 tunnel select-seq cr-lsp lsp load-balance-number 1
#
return

display tunnel-policy subscriber statistics

Function

The display tunnel-policy subscriber statistics command displays the number of times a tunnel policy is used by external services.

Format

display tunnel-policy tunnel-policy-name subscriber statistics

Parameters

Parameter Description Value
tunnel-policy-name Specifies the name of a tunnel policy. The value is the name of an existing tunnel policy.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

A system has many tunnel policies that can be used by different services. The display tunnel-policy subscriber statistics command can be used to view the number of times a tunnel policy is used by external services. This prevents the tunnel policy from being deleted mistakenly.

Example

# View the number of times a tunnel policy is used by external services.

<HUAWEI> display tunnel-policy nms-vrf-vpna subscriber statistics
The specified tunnel policy does not exist.
Total 0 applications subscribed the tunnel policy.

# View the number of times a tunnel policy is used by external services.

<HUAWEI> display tunnel-policy nms-vrf-vpna subscriber statistics
Total 200 applications subscribed the tunnel policy.
Table 10-45  Description of the display tunnel-policy subscriber statistics command output

Item

Description

The specified tunnel policy does not exist. Total 0 applications subscribed the tunnel policy.

The tunnel policy does not exist and is not used by applications.

Total 200 applications subscribed the tunnel policy.

The tunnel policy exists and is used by 200 applications.

display tunnel-selector

Function

The display tunnel-selector command displays the configurations of tunnel selectors of a system.

Format

display tunnel-selector [ tunnel-selector-name ]

Parameters

Parameter Description Value
tunnel-selector-name Specifies the name of a tunnel selector. The value is the name of an existing tunnel selector.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

If tunnel-selector-name is not specified in the command, the command displays the configurations of all the tunnel selectors of the system.

Example

# Display information about a tunnel selector named tps.

<HUAWEI> display tunnel-selector tps
Tunnel-selector : tps
  permit : 10 (matched counts: 0)
    Match clauses :
      if-match ip next-hop ip-prefix ipv4prefix
    Apply clauses :
      apply tunnel-policy policy1
Table 10-46  Description of the display tunnel-selector command output

Item

Description

Tunnel-selector

Name of a tunnel selector

permit : 10

Matching mode and number of the node of the tunnel selector

Match clauses

if-match clauses

Apply clauses

apply clauses

export route-policy

Function

The export route-policy command associates the current VPN instance address family with an export Route-Policy.

The undo export route-policy command disassociates the current VPN instance address family from the export Route-Policy.

By default, the current VPN instance address family is not associated with any export Route-Policy.

Format

export route-policy policy-name

undo export route-policy

Parameters

Parameter Description Value
policy-name Specifies the name of the export Route-Policy to be associated with the VPN instance address family. The name is a string of 1 to 40 case-sensitive characters, with spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

Views

VPN instance view, VPN instance IPv4 address family view, VPN instance IPv6 address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can implement a more accurate advertisement of the routes of the VPN instance address family based on the export Route-Policy than that based on the extended community attribute. The export Route-Policy is used to filter the routing information and to set the routing attributes of the routes that pass the filtering.

The export route-policy command advertises local routes of the VPN instance address family to the address families of other VPN instances. The peer route-policy command or the filter-policy command run in the BGP VPN instance address family view filters routes of the VPN instance address family advertised to or received from CE neighbors.

In local cross scenarios, you can run the export route-policy command to filter out locally crossed routes and set the attributes of these routes. Locally crossed routes include both locally imported routes and routes learned from VPN peers.

Prerequisites

The route-distinguisher command has been executed to set the RD of the VPN instance.

Precautions

The current VPN instance address family can be associated with only one export Route-Policy. If the export route-policy command is run several times, the latest configuration overrides the previous configurations.

If the route policy does not exist, you need to configure the route policy.

Creating a route-policy before it is referenced is recommended. By default, nonexistent route-policies cannot be referenced using the command. If the route-policy nonexistent-config-check disable command is run in the system view and a nonexistent route-policy is referenced using the current command in the VPN instance view or BGP-VPN instance IPv4 address family view, all routes in the VPN instance address family can be crossed to the VPNv4 address family. If the route-policy nonexistent-config-check disable command is run in the system view and a nonexistent route-policy is referenced using the current command in the BGP-VPN instance IPv6 address family view, all routes in the BGP-VPN instance IPv6 address family can be crossed to the VPNv6 address family.

Example

# Apply an export Route-Policy named poly-1 to the IPv4 address family of the VPN instance named vrf1.

<HUAWEI> system-view
[HUAWEI] ip vpn-instance vrf1
[HUAWEI-vpn-instance-vrf1] ipv4-family
[HUAWEI-vpn-instance-vrf1-af-ipv4] route-distinguisher 100:1
[HUAWEI-vpn-instance-vrf1-af-ipv4] export route-policy poly-1

if-match ip next-hop (tunnel-selector view)

Function

The if-match ip next-hop command configures route filtering based on the next hop.

The undo if-match ip next-hop command cancels the setting.

By default, route filtering based on the next hop is not configured.

Format

if-match ip next-hop { acl { acl-number | acl-name } | ip-prefix ip-prefix-name }

undo if-match ip next-hop [ acl { acl-number | acl-name } | ip-prefix ip-prefix-name ]

Parameters

Parameter Description Value
acl acl-number Specifies the number of a basic ACL. The value is an integer ranging from 2000 to 2999.
acl acl-name Specifies the name of a named ACL. The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter.

ip-prefix ip-prefix-name Specifies the name of an IP prefix list. The name is a string of 1 to 169 case-sensitive characters, with spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

Views

Tunnel selector view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Run this command in the tunnel selector view when the SPE in HVPN networking needs to apply a tunnel policy to VPNv4 routes, for example, to have the VPNv4 routes iterated to MPLS TE tunnels.

The if-match ip next-hop command is used to apply a tunnel policy to the VPNv4 or BGP-IPv4 labeled routes with a specified next hop, not all VPNv4 or BGP-IPv4 labeled routes.

Either an ACL or IP prefix list can be used to filter routes by next hop.

Prerequisite

The tunnel-selector (system view) command is run to create a tunnel selector.

An IP prefix list is configured using the ip ip-prefix command, or an ACL is configured using the acl command in the system view or the acl name command to specify the next hop.

Follow-up Procedure

Run the apply tunnel-policy (tunnel-selector view) command in the tunnel selector view to apply a tunnel policy to the routes that pass the filtering.

Precautions

Creating an ACL before it is referenced is recommended. If a nonexistent ACL is referenced using the command, all routes match the ACL.

Creating an IP prefix list before it is referenced is recommended. By default, nonexistent IP prefix lists cannot be referenced using the command. If the route-policy nonexistent-config-check disable command is run in the system view and a nonexistent IP prefix list is referenced using the current command, all routes match the IP prefix list.

Example

# Configure route filtering based on the next hop.

<HUAWEI> system-view
[HUAWEI] tunnel-selector abc permit node 10
[HUAWEI-tunnel-selector] if-match ip next-hop acl 2000

if-match ipv6 next-hop (tunnel-selector view)

Function

The if-match ipv6 next-hop command configures the filtering of IPv6 routes based on the next hop.

The undo if-match ipv6 next-hop command cancels the setting.

By default, the filtering of IPv6 routes based on the next hop is not configured.

Format

if-match ipv6 next-hop prefix-list ipv6-prefix-name

undo if-match ipv6 next-hop prefix-list ipv6-prefix-name

Parameters

Parameter Description Value
prefix-list ipv6-prefix-name Specifies the name of an IPv6 prefix list. The name is a string of 1 to 169 case-sensitive characters, with spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

Views

Tunnel selector view

Default Level

2: Configuration level

Usage Guidelines

You can run the if-match ipv6 next-hop command if it is required to filter IPv6 routes based on the next hop. When you run the if-match ipv6 next-hop command in the tunnel selector view, you can use an apply clause to apply a tunnel policy to the IPv6 routes filtered based on the next hop.

The next hop can be specified by the IPv6 prefix list.

Example

# Configure filtering of IPv6 routes based on the next hop.

<HUAWEI> system-view
[HUAWEI] tunnel-selector abc permit node 10
[HUAWEI-tunnel-selector] if-match ipv6 next-hop prefix-list ipv6prefix

import route-policy

Function

The import route-policy command associates the current VPN instance address family with an import Route-Policy.

The undo import route-policy command disassociates the current VPN instance address family from an import Route-Policy.

By default, the current VPN instance address family is not associated with any import Route-Policy.

Format

import route-policy policy-name

undo import route-policy

Parameters

Parameter Description Value
policy-name Specifies the name of the import Route-Policy to be associated with the VPN instance address family. The name is a string of 1 to 40 case-sensitive characters, with spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

Views

VPN instance view, VPN instance IPv4 address family view, or VPN instance IPv6 address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When no import Route-Policy is configured, routes that match the export VPN target attribute of the received routes and the import VPN target attribute of the local VPN instance address family are added to the VPN instance address family. To control the import of the routes into the VPN instance address family more accurately, you can use the import Route-Policy. The import Route-Policy is used to filter the imported routing information and to set the routing attributes of the routes that pass the filtering.

The import route-policy command controls the VPN routes that are cross added to the VPN instance address family. The peer route-policy command or the filter-policy command run in the BGP VPN instance address family view filters routes of the VPN instance address family advertised to or received from CE neighbors.

Prerequisites

The route-distinguisher command has been executed to set the RD of the VPN instance.

Precautions

The current VPN instance address family can be associated with only one import Route-Policy. If the import route-policy command is run several times, the latest configuration overrides the previous configurations.

If the route policy to be associated with the VPN instance address family does not exist, you need to configure the route policy.

Creating a route-policy before it is referenced is recommended. By default, nonexistent route-policies cannot be referenced using the command. If the route-policy nonexistent-config-check disable command is run in the system view and a nonexistent route-policy is referenced using the current command in the VPN instance view or BGP-VPN instance IPv4 address family view, all routes in the VPNv4 address family can be crossed to the VPN instance address family. If the route-policy nonexistent-config-check disable command is run in the system view and a nonexistent route-policy is referenced using the current command in the BGP-VPN instance IPv6 address family view, all routes in the VPNv6 address family can be crossed to the VPN instance address family.

Example

# Apply an import Route-Policy named poly-1 to the IPv4 address family of the VPN instance named vrf1.

<HUAWEI> system-view
[HUAWEI] ip vpn-instance vrf1
[HUAWEI-vpn-instance-vrf1] ipv4-family
[HUAWEI-vpn-instance-vrf1-af-ipv4] route-distinguisher 100:1
[HUAWEI-vpn-instance-vrf1-af-ipv4] import route-policy poly-1

ingress-lsp trigger

Function

The ingress-lsp trigger command specifies a routing policy to control the creation of ingress LSPs based on BGP labeled routes.

The undo ingress-lsp trigger command restores the default setting.

By default, ingress LSPs are created based on all received BGP labeled routes.

Format

ingress-lsp trigger route-policy route-policy-name

undo ingress-lsp trigger

Parameters

Parameter Description Value
route-policy route-policy-name Specifies the name of a routing policy to be used to create ingress LSPs based on BGP labeled routes. The name is a string of 1 to 40 case-sensitive characters, with spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

Views

BGP view, BGP-IPv4 unicast address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In a MAN where the hybrid access mode is used, a large number of BGP labeled routes are used to establish end-to-end LSPs. On certain intermediate nodes where VPN services do not need to be supported, excessive ingress LSPs are created, causing the waste of network resources. In this case, you can run the ingress-lsp trigger command to create ingress LSPs based on a routing policy to save network resources.

Precautions

If the ingress-lsp trigger command is run more than once, the latest configuration overrides the previous ones.

Creating a route-policy before it is referenced is recommended. By default, nonexistent route-policies cannot be referenced using the command. If the route-policy nonexistent-config-check disable command is run in the system view and a nonexistent route-policy is referenced using the current command, ingress LSPs are established for all labeled routes.

Example

# Specify a routing policy named test-policy to control the creation of ingress LSPs based on labeled IPv4 routes.

<HUAWEI> system-view
[HUAWEI] bgp 100
[HUAWEI-bgp] ipv4-family unicast
[HUAWEI-bgp-af-ipv4] ingress-lsp trigger route-policy test-policy
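
The Precautions for export route-policy, if-match ip next-hop, import route-policy and ingress-lsp trigger describe the same fail-open behaviour: a reference to a nonexistent route-policy, ACL or IP prefix list ends up matching every route. The Python audit below is an added example, not part of the original command reference; the sample configuration is constructed, and the definition-line patterns it looks for (route-policy ... node, acl number/name, ip ip-prefix) are assumptions about the layout of the saved configuration.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int     # 1-based line number of the dangling reference
    command: str     # the referencing command as written
    kind: str        # "route-policy", "acl" or "ip-prefix"
    name: str        # referenced object that has no definition
    fail_open: bool  # True when the page says every route then matches
    effect: str      # consequence quoted from the Precautions text


# A name is either a bare token or a double-quoted string containing spaces.
NAME = r'("[^"]+"|\S+)'

# Assumed layout of definition lines in a saved configuration.
DEFINITIONS = {
    "route-policy": re.compile(rf"^route-policy {NAME} (?:permit|deny) node \d+"),
    "acl": re.compile(rf"^acl (?:number |name )?{NAME}"),
    "ip-prefix": re.compile(rf"^ip ip-prefix {NAME} "),
}

# Referencing commands and the effect the page states for a nonexistent target.
REFERENCES = [
    (re.compile(rf"^export route-policy {NAME}$"), "route-policy",
     "all routes in the VPN instance address family can be crossed to the VPNv4/VPNv6 address family"),
    (re.compile(rf"^import route-policy {NAME}$"), "route-policy",
     "all routes in the VPNv4/VPNv6 address family can be crossed to the VPN instance address family"),
    (re.compile(rf"^ingress-lsp trigger route-policy {NAME}$"), "route-policy",
     "ingress LSPs are established for all labeled routes"),
    (re.compile(rf"^if-match ip next-hop acl {NAME}$"), "acl",
     "all routes match the ACL"),
    (re.compile(rf"^if-match ip next-hop ip-prefix {NAME}$"), "ip-prefix",
     "all routes match the IP prefix list"),
]

CHECK_DISABLED = "route-policy nonexistent-config-check disable"

# Constructed sample configuration (not taken from the original page).
SAMPLE_CONFIG = """\
#
route-policy nonexistent-config-check disable
#
acl number 2000
 rule 5 permit source 10.1.1.9 0
#
ip ip-prefix ipv4prefix index 10 permit 10.1.1.9 32
#
route-policy poly-1 permit node 10
#
ip vpn-instance vrf1
 ipv4-family
  route-distinguisher 100:1
  export route-policy poly-1
  import route-policy poly-missing
#
tunnel-selector abc permit node 10
 if-match ip next-hop acl 2001
#
tunnel-selector tps permit node 10
 if-match ip next-hop ip-prefix ipv4prefix
 apply tunnel-policy policy1
#
bgp 100
 ipv4-family unicast
  ingress-lsp trigger route-policy test-policy
#
return
"""


def audit(config: str) -> List[Finding]:
    """Return every policy reference whose target is not defined in config."""
    lines = [line.strip() for line in config.splitlines()]
    check_disabled = CHECK_DISABLED in lines

    # First pass: collect the names of all defined objects, per kind.
    defined = {kind: set() for kind in DEFINITIONS}
    for line in lines:
        for kind, pattern in DEFINITIONS.items():
            match = pattern.match(line)
            if match:
                defined[kind].add(match.group(1).strip('"'))

    # Second pass: report references that point at nothing.
    findings = []
    for line_no, line in enumerate(lines, 1):
        for pattern, kind, effect in REFERENCES:
            match = pattern.match(line)
            if not match:
                continue
            name = match.group(1).strip('"')
            if name in defined[kind]:
                continue
            # Per the page, a missing ACL always matches all routes; a missing
            # route-policy or IP prefix list does so once the check is disabled.
            fail_open = kind == "acl" or check_disabled
            findings.append(Finding(line_no, line, kind, name, fail_open, effect))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        status = "FAIL-OPEN" if f.fail_open else "dangling"
        print(f"line {f.line_no}: [{status}] '{f.command}': {f.kind} "
              f"'{f.name}' is not defined; {f.effect}")
```

A finding with fail_open set to False is still worth fixing: the page only states that such a reference cannot be created by default, not how an existing one behaves.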

interface tunnel

Function

The interface tunnel command creates a tunnel interface.

The undo interface tunnel command deletes the configured tunnel interface.

By default, no tunnel interface is configured.

Format

interface tunnel interface-number

undo interface tunnel interface-number

Parameters

Parameter Description Value
interface-number Specifies the number of the tunnel interface. The value is an integer that ranges from 0 to 2047.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To forward data over a tunnel, ensure that the tunnel has been created. The system supports the following types of tunnels:
  • LSP (Static LSP, BGP LSP, LDP LSP)

  • MPLS TE

  • GRE

  • IPv6 over IPv4

  • IPv4 over IPv6

You must use the interface tunnel command to create a tunnel interface when creating any tunnel other than an LSP tunnel.

Precautions

Tunnel interface numbers are valid on the local device only. You can configure different numbers for the tunnel interfaces on the two ends.

Follow-up Procedure

After a tunnel interface is created, you need to configure an IP address and encapsulation type for the tunnel interface.

To save IP addresses, run the ip address unnumbered command to configure the tunnel interface to borrow an IP address of another interface.

The tunnel-protocol command configures an encapsulation protocol for the tunnel interface. Then basic configurations are performed based on the encapsulation protocol:

Example

# Create a tunnel interface.

<HUAWEI> system-view
[HUAWEI] interface tunnel 1
[HUAWEI-Tunnel1]

ip binding vpn-instance

Function

The ip binding vpn-instance command associates an interface on a PE with a VPN instance.

The undo ip binding vpn-instance command disables the association between a VPN instance and an interface.

By default, an interface is a public network interface and is not associated with any VPN instance.

Format

ip binding vpn-instance vpn-instance-name

undo ip binding vpn-instance vpn-instance-name

Parameters

Parameter Description Value
vpn-instance-name Specifies the name of the VPN instance that is associated with the interface. The value must be an existing VPN instance name.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a VPN instance is created, you need to associate the PE interface connecting to the VPN with the VPN instance. Then, the interface is used as a private network interface on which a private network address and a private network routing protocol can be configured.

Prerequisites

The ip vpn-instance command has been executed to create a VPN instance.

Precautions

Binding an interface to a VPN instance or deleting the binding will result in the deletion of the IP address of the interface, Layer 3 features, and IP-related routing protocols. These features must be re-configured if needed.

An interface cannot be bound to any VPN instance that is not enabled with any address family.

Using the undo ipv4-family or undo ipv6-family command to disable the IPv4 or IPv6 address family also deletes the IPv4 or IPv6 configurations of the interfaces bound to the VPN instance.

Example

# Associate the VLANIF 10 interface with the VPN instance named vrf1.

<HUAWEI> system-view
[HUAWEI] ip vpn-instance vrf1
[HUAWEI-vpn-instance-vrf1] ipv4-family
[HUAWEI-vpn-instance-vrf1-af-ipv4] route-distinguisher 100:1
[HUAWEI-vpn-instance-vrf1-af-ipv4] quit
[HUAWEI-vpn-instance-vrf1] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] ip binding vpn-instance vrf1

# Associate the GE0/0/1 interface with the VPN instance named vrf1.

<HUAWEI> system-view
[HUAWEI] ip vpn-instance vrf1
[HUAWEI-vpn-instance-vrf1] ipv4-family
[HUAWEI-vpn-instance-vrf1-af-ipv4] route-distinguisher 100:1
[HUAWEI-vpn-instance-vrf1-af-ipv4] quit
[HUAWEI-vpn-instance-vrf1] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] ip binding vpn-instance vrf1

ip frr (VPN instance view)

Function

The ip frr command enables IP FRR of a private network in the VPN instance IPv4 address family view.

The undo ip frr command disables IP FRR of a private network in the VPN instance IPv4 address family view.

By default, IP FRR of a private network is disabled in the VPN instance IPv4 address family view.

Format

ip frr route-policy route-policy-name

undo ip frr

Parameters

Parameter Description Value
route-policy route-policy-name Enables IP FRR for the private routes matching the specified route-policy. The name is a string of 1 to 40 case-sensitive characters, with spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

Views

VPN instance view, VPN instance IPv4 address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

With the development of the network, services such as audio, online video, and finance have higher real-time requirements. Generally, active/standby links are deployed on the network to ensure service stability.

However, under traditional forwarding modes, when multiple routes to the same destination exist, the system selects the optimal route, which is delivered to the FIB table to direct data forwarding. When the optimal link is faulty, the system waits for the completion of route convergence, then selects another optimal route, and then delivers the route to the FIB table. Only then is the service recovered. This process leads to a long service interruption and cannot meet service requirements.

Using the ip frr command, you can enable IP FRR of the private network. IP FRR can specify a backup next hop and a backup interface and set backup forwarding information for IPv4 routes. When the active link is faulty, the system can switch the traffic immediately to the backup link. This process does not depend on route convergence, and therefore services are interrupted for only a short time.

Pre-configuration Tasks

It is recommended that you first use the route-policy command to create a Route-Policy, in which the apply backup-interface command and the apply backup-nexthop command are used to set a backup outbound interface and a backup next hop for IPv4 routes of the private network.

The ip frr command should be used with the apply backup-interface command and the apply backup-nexthop command.
  • To configure IP FRR for a private network, you need to run the route-policy command to create a Route-Policy first. Then set a backup outbound interface and next hop for IPv4 routes of the private network using the apply backup-interface and apply backup-nexthop commands.
  • To configure IP+VPN hybrid FRR, you need to run the route-policy command to create a Route-Policy first. Then set a backup next hop for IPv4 routes of the private network using the apply backup-nexthop command.
NOTE:

The differences between the IP FRR configuration and the IP+VPN hybrid FRR configuration are as follows:

  • If the backup next hop and the backup outgoing interface are specified at the same time, the configurations are for IP FRR.

  • If only the backup next hop is specified, the configurations are for IP+VPN hybrid FRR. Based on the backup next hop, a matched VPNv4 route from another PE is found. Then a hybrid FRR entry is formed according to the fields of Token, BackupToken, and Label in the route.

  • It is invalid to only specify the backup outgoing interface.

Precautions

Only one policy can be used at a time. If another policy is configured, the new configuration replaces the previous one. The configuration in the system view and that in the VPN instance view do not interfere with each other.

Example

# Specify a backup outbound interface and a backup next hop in route-policy ip_frr_rp and enable IP FRR for private routes in the VPN instance view.

<HUAWEI> system-view
[HUAWEI] route-policy ip_frr_rp permit node 10
[HUAWEI-route-policy] apply backup-interface vlanif 100
[HUAWEI-route-policy] apply backup-nexthop 192.168.20.2
[HUAWEI-route-policy] quit
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] ip frr route-policy ip_frr_rp

ip vpn-instance

Function

The ip vpn-instance command creates a VPN instance and displays the VPN instance view.

The undo ip vpn-instance command deletes a specified VPN instance.

By default, no VPN instance is configured.

Format

ip vpn-instance vpn-instance-name

undo ip vpn-instance vpn-instance-name

Parameters

Parameter Description Value
vpn-instance-name Specifies the name of a VPN instance. The value is a string of 1 to 31 case-sensitive characters, with spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When private network data needs to travel across a public network, you need to configure a VPN instance on the PE of the public network. The public network mentioned here is an MPLS backbone network.

A multi-VPN-instance CE (MCE) device can connect to multiple VPNs. The MCE solution isolates services of different VPNs while reducing cost of network devices. Before configuring an MCE device, configure a VPN instance on the MCE device.

VPN instances are required for all L3VPN configurations.

Precautions

After the ip vpn-instance command is run, a virtual routing table is created on the PE or MCE and consumes resources on the PE or MCE.

After the undo ip vpn-instance command is used to delete a VPN instance, all configurations of this VPN instance are deleted.

Follow-up Procedure

After creating a VPN instance, perform the following configurations in the VPN instance view:

  • Enable the IPv4 or IPv6 address family for the VPN instance. A VPN instance supports both the IPv4 and IPv6 address families. You need to run the ipv4-family (VPN instance view) or ipv6-family (VPN instance view) command to enable the IPv4 or IPv6 address family based on the type of the protocol stack used to advertise VPN routes in the VPN instance.
  • Configure an RD for the IPv4 address family of the VPN instance. You are allowed to perform VPN configurations in the address family view only after using the route-distinguisher command to configure an RD for the address family.
  • Configure a VPN target for the VPN instance using the vpn-target command. The VPN target controls route learning between VPN instances.
  • Bind the VPN instance to the PE or MCE interface connected to the VPN using the ip binding vpn-instance command. After an interface is bound to a VPN instance, the interface becomes a part of the VPN. Packets entering the interface will be forwarded based on the VRF table of the VPN.

Example

# Create a VPN instance named vrf1.

<HUAWEI> system-view
[HUAWEI] ip vpn-instance vrf1
[HUAWEI-vpn-instance-vrf1]

ipv4-family (VPN instance view)

Function

The ipv4-family command enables the IPv4 address family for a VPN instance and displays the VPN instance IPv4 address family view.

The undo ipv4-family command disables the IPv4 address family for a VPN instance.

By default, the IPv4 address family is disabled for a VPN instance.

Format

ipv4-family

undo ipv4-family

Parameters

None.

Views

VPN instance view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In BGP/MPLS IP VPN networking, after running the ip vpn-instance command to create a VPN instance, you can run the ipv4-family command to enable the IPv4 address family for the VPN instance. You can then perform VPN configurations in the address family view to advertise IPv4 VPN routes and allow IPv4 VPN data to be forwarded.

Follow-up Procedure

Run the route-distinguisher command to configure an RD for the IPv4 address family of the VPN instance. Before performing VPN configurations in the IPv4 address family view, configure an RD for the IPv4 address family of the VPN instance.

Precautions

Configurations of the commands run in the VPN instance view, except the description and service id commands, are automatically synchronized to the VPN instance IPv4 address family view.

Example

# Enable the IPv4 address family for a VPN instance.

<HUAWEI> system-view
[HUAWEI] ip vpn-instance vrf1
[HUAWEI-vpn-instance-vrf1] ipv4-family
[HUAWEI-vpn-instance-vrf1-af-ipv4]

ipv6-family (VPN instance view)

Function

The ipv6-family command enables the IPv6 address family for a VPN instance and displays the VPN instance IPv6 address family view.

The undo ipv6-family command disables the IPv6 address family for a VPN instance.

By default, the IPv6 address family is disabled for a VPN instance.

Format

ipv6-family

undo ipv6-family

Parameters

None

Views

VPN instance view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In BGP/MPLS IPv6 VPN networking, after running the ip vpn-instance command to create a VPN instance, you can run the ipv6-family command to enable the IPv6 address family for the VPN instance and perform VPN configurations in the address family view if you want to have IPv6 VPN routes advertised and IPv6 VPN data forwarded.

Follow-up Procedure

Run the route-distinguisher command to configure an RD for the IPv6 address family of the VPN instance. VPN configurations can be performed in the IPv6 address family view only after an RD is configured for the IPv6 address family of the VPN instance.

Example

# Enable the IPv6 address family for the VPN instance named vrf1.

<HUAWEI> system-view
[HUAWEI] ip vpn-instance vrf1
[HUAWEI-vpn-instance-vrf1] ipv6-family
[HUAWEI-vpn-instance-vrf1-af-ipv6]

limit-log-interval

Function

The limit-log-interval command configures the interval for displaying logs when the number of routes exceeds the threshold.

The undo limit-log-interval command restores the default setting.

By default, the interval for displaying logs when the number of routes exceeds the threshold is 5 seconds.

Format

limit-log-interval interval

undo limit-log-interval

Parameters

Parameter Description Value
interval Specifies the interval for displaying logs when the number of routes exceeds the threshold. An integer ranging from 1 to 60, in seconds.

Views

VPN instance view, VPN instance IPv4 address family view or VPN instance IPv6 address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If the routes or prefixes in the IPv4 or IPv6 address family of a VPN instance reach the maximum, the system will generate logs at intervals (defaulting to 5 seconds). To prevent logs from being displayed frequently, run the limit-log-interval command to prolong the interval of log generation.

The maximum number of routes or prefixes that the IPv4 or IPv6 address family of a VPN instance supports can be configured using the routing-table limit or prefix limit command.

Prerequisites

  1. The ip vpn-instance command has been executed to create a VPN instance and enter the VPN instance view.
  2. The ipv4-family or ipv6-family command has been executed to enable the IPv4 or IPv6 address family and enter the VPN instance IPv4 or IPv6 address family view.
  3. The route-distinguisher command has been executed to set the RD of the VPN instance.

Precautions

If a log is generated to record the event that routes or prefixes in the IPv4 or IPv6 address family of a VPN instance reach the maximum, no more routes can be added to the routing table of the IPv4 or IPv6 address family of the VPN instance. Instead, the routes will be discarded.

Example

# Set the interval for displaying logs to 8 seconds when the number of routes in the IPv4 address family of the VPN instance named vpn1 exceeds the threshold.

<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] ipv4-family
[HUAWEI-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[HUAWEI-vpn-instance-vpn1-af-ipv4] limit-log-interval 8

mpls te reserved-for-binding

Function

The mpls te reserved-for-binding command reserves an MPLS TE tunnel for VPN binding.

The undo mpls te reserved-for-binding command removes the configuration.

By default, an MPLS TE tunnel can be selected based on any type of tunnel policy.

Format

mpls te reserved-for-binding

undo mpls te reserved-for-binding

Parameters

None

Views

Tunnel interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a VPN has high requirements for bandwidth, you can apply a tunnel binding policy to the VPN to have the routes of the VPN iterated to MPLS TE tunnels. Before applying that tunnel binding policy to the VPN, you need to run the mpls te reserved-for-binding command to reserve MPLS TE tunnels for VPN binding.

Prerequisites

MPLS TE tunnels are available in the system.

Configuration Impact

After the mpls te reserved-for-binding command is configured on an MPLS TE tunnel, the tunnel can be selected based on a tunnel binding policy only. Even if no tunnel binding policy is configured, a tunnel type prioritizing policy created using the tunnel select-seq command will not select the MPLS TE tunnel for which the mpls te reserved-for-binding command has been configured.

Follow-up Procedure

Run the tunnel-policy command to create a tunnel policy and the tunnel binding command to bind the policy to the MPLS TE tunnel.

Example

# Reserve Tunnel1 for VPN binding.

<HUAWEI> system-view
[HUAWEI] interface tunnel 1
[HUAWEI-Tunnel1] tunnel-protocol mpls te
[HUAWEI-Tunnel1] mpls te reserved-for-binding

# Delete the configuration of a tunnel that is reserved for VPN binding.

<HUAWEI> system-view
[HUAWEI] interface tunnel 1
[HUAWEI-Tunnel1] undo mpls te reserved-for-binding

peer default-originate vpn-instance

Function

The peer default-originate vpn-instance command configures BGP to advertise all default routes related to the specified VPN instance to the specified VPNv4 peer or peer group.

The undo peer default-originate vpn-instance command removes the configuration.

By default, BGP does not advertise its default route to the VPNv4 peer or peer group.

Format

peer { ipv4-address | group-name } default-originate vpn-instance vpn-instance-name

undo peer { ipv4-address | group-name } default-originate vpn-instance vpn-instance-name

Parameters

Parameter Description Value
ipv4-address Specifies the IPv4 address of a peer. It is in dotted decimal notation.
group-name Specifies the name of the peer group. The name is a string of 1 to 47 case-sensitive characters, with spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.
vpn-instance-name Specifies the name of a VPN instance. The value must be an existing VPN instance name.

Views

BGP-VPNv4 address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

HoVPN refers to a hierarchical VPN, in which multiple PEs play different roles to form a hierarchical architecture and together provide the functions of a single PE. In this manner, the performance requirement on PEs is lowered. If the peer default-originate vpn-instance command is used, the SPE sends the default route with the local address as the next hop, regardless of whether there is a default route in the local routing table. The UPE then only needs to maintain the local VPN routes, whereas all remote routes are replaced by the default route. The workload of the UPE is reduced.

Precautions

The default routes on the UPE can be obtained through the following methods:
  • Run the peer default-originate vpn-instance command on the SPE to configure routes for the neighboring UPE.

  • Import routes through the import-route (BGP) or network (BGP) command on the UPE.

The priority of the default route obtained through the former method is higher than that through the latter method. If the former method is adopted, the UPE sends neither update nor withdraw packets in the latter method.

Example

# Advertise default routes of vpn1 to VPNv4 peer 1.1.1.1.

<HUAWEI> system-view
[HUAWEI] bgp 100
[HUAWEI-bgp] peer 1.1.1.1 as-number 100
[HUAWEI-bgp] ipv4-family vpnv4
[HUAWEI-bgp-af-vpnv4] peer 1.1.1.1 enable
[HUAWEI-bgp-af-vpnv4] peer 1.1.1.1 upe
[HUAWEI-bgp-af-vpnv4] peer 1.1.1.1 default-originate vpn-instance vpn1

peer mpls-local-ifnet disable

Function

The peer mpls-local-ifnet disable command disables EBGP peers from establishing an MPLS local ifnet tunnel between them.

The undo peer mpls-local-ifnet disable command enables EBGP peers to establish an MPLS local ifnet tunnel between them.

By default, EBGP peers can automatically establish MPLS local ifnet tunnels between them if one of the following conditions is met:
  • EBGP peers are enabled to exchange labeled routes.

  • EBGP peers are configured in the BGP-VPLS address families.

  • EBGP peers are configured in the BGP-VPNv4 or BGP-VPNv6 address family.

Format

peer { group-name | ipv4-address } mpls-local-ifnet disable

undo peer { group-name | ipv4-address } mpls-local-ifnet disable

Parameters

Parameter Description Value
group-name Specifies the name of a BGP peer group. The name is a string of 1 to 47 case-sensitive characters, with spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.
ipv4-address Specifies the IPv4 address of a BGP peer. The value is in dotted decimal notation.

Views

BGP view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

MPLS local ifnet tunnel: In inter-AS VPN Option B or Option C scenarios, the VPN routes with L2VPN label block information that ASBRs advertise to BGP peers must contain public-network tunnel information. However, no tunnels are configured between ASBRs. To allow EBGP routes to be advertised to IBGP peers, an MPLS local ifnet tunnel is generated between MPLS interfaces of ASBRs.

In the L3VPN over inter-AS seamless MPLS or VPLS scenario, EBGP peer relationships are established between BGP peers. The BGP peers can be endpoint PEs in the VPLS scenario or the CSG and MASG in the inter-AS seamless MPLS scenario. These EBGP peers automatically establish MPLS local ifnet tunnels between them. The E2E MPLS local ifnet tunnel fails to transmit traffic if the two peers are indirectly connected.

If a fault occurs on a tunnel between the two EBGP peers, traffic is iterated to the MPLS local ifnet tunnel, not an FRR bypass tunnel. As the MPLS local ifnet tunnel cannot forward traffic, traffic is interrupted. To prevent the traffic interruption, run this command to disable the establishment of an MPLS local ifnet tunnel between the EBGP peers.

Prerequisites

The EBGP peer relationship between PEs must be in the Established state.

Example

# Disable EBGP peers from establishing an MPLS local ifnet tunnel.

<HUAWEI> system-view
[HUAWEI] bgp 100
[HUAWEI-bgp] peer 10.1.1.1 as-number 200
[HUAWEI-bgp] peer 10.1.1.1 mpls-local-ifnet disable

peer upe

Function

The peer upe command specifies a BGP peer or peer group as a UPE of HoVPN.

The undo peer upe command cancels the configuration.

Format

peer { group-name | ipv4-address } upe

undo peer { group-name | ipv4-address } upe

Parameters

Parameter Description Value
group-name Specifies the name of the peer group. The name is a string of 1 to 47 case-sensitive characters, with spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.
ipv4-address Specifies the IPv4 address of a peer. -

Views

BGP-VPNv4 address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a UPE is specified on the SPE through the peer upe command, the SPE does not send a specific route to the UPE. If the peer route-policy export command is run on the SPE to configure routing policies for the UPE and certain specific routes can pass the filtration of routing policies, these specific routes can be sent to the UPE.

Prerequisites

Before you run the peer upe command, the peer as-number command should be used to create a peer or peer group.

Precautions

The BGP peer relationship is interrupted after you run the peer upe command. So, confirm the action before you use the command.

Follow-up Procedure

After the peer upe command is configured, to send the default route 0.0.0.0 to the UPE, you need to run the peer default-originate vpn-instance command on the SPE.

Example

# Specify the peer 1.1.1.2 as UPE.

<HUAWEI> system-view
[HUAWEI] bgp 100
[HUAWEI-bgp] peer 1.1.1.2 as-number 100
[HUAWEI-bgp] ipv4-family vpnv4
[HUAWEI-bgp-af-vpnv4] peer 1.1.1.2 enable
[HUAWEI-bgp-af-vpnv4] peer 1.1.1.2 upe

peer substitute-as

Function

The peer substitute-as command enables AS number substitution. This command enables a device to replace the AS number of the peer specified in the AS_Path attribute with the local AS number.

The undo peer substitute-as command disables AS number substitution.

By default, AS number substitution is disabled.

Format

peer { group-name | ipv4-address | ipv6-address } substitute-as

undo peer { group-name | ipv4-address | ipv6-address } substitute-as

Parameters

Parameter Description Value
group-name Specifies the name of a peer group. The name is a string of 1 to 47 case-sensitive characters, with spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.
ipv4-address Specifies the IPv4 address of a peer. It is in dotted decimal notation.
ipv6-address Specifies the IPv6 address of a peer. The address is in the format of X:X:X:X:X:X:X:X.

Views

BGP-VPN instance IPv4 address family view or BGP-VPN instance IPv6 address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In a BGP/MPLS IP VPN scenario, if the ASs to which two VPN sites belong use private AS numbers, the AS numbers of the two VPN sites may be the same. If a CE in a VPN site sends a VPN route to the connected PE using EBGP and the PE then sends the route to the remote PE, the remote CE will discard the route because the AS number carried by the route is the same as the local AS number. As a result, different sites of the same VPN cannot communicate. The peer substitute-as command can be used on the PE to enable AS number substitution to address this problem. After that, the PE replaces the AS number carried in the VPN route with the local AS number. As a result, the remote CE will not discard the route due to identical AS numbers.
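The route exchange described above, modelled as an added example (not code from this command reference). The private AS numbers 65001 and 65002 and all function names are constructed for illustration; the PE AS 100 follows the examples on this page.

```python
"""Model of AS_Path handling on the PE-to-CE hop, with and without peer substitute-as."""


def pe_to_ce_as_path(as_path, pe_as, ce_as, substitute_as):
    """AS_Path a PE puts on a VPN route it sends to an EBGP CE peer in ce_as."""
    path = list(as_path)
    if substitute_as:
        # peer substitute-as: occurrences of the peer's AS become the local AS.
        path = [pe_as if asn == ce_as else asn for asn in path]
    return [pe_as] + path  # normal EBGP behaviour: prepend the local AS


def ce_accepts(as_path, ce_as):
    """BGP loop detection on the CE: a route carrying its own AS is discarded."""
    return ce_as not in as_path


def deliver(origin_ce_as, remote_ce_as, pe_as, substitute_as):
    """Follow one route: CE -> PE (EBGP) -> remote PE (MP-IBGP) -> remote CE (EBGP)."""
    path_at_pe = [origin_ce_as]  # as received from the originating CE
    # MP-IBGP between PEs in the same AS leaves the AS_Path untouched.
    path_to_ce = pe_to_ce_as_path(path_at_pe, pe_as, remote_ce_as, substitute_as)
    return path_to_ce, ce_accepts(path_to_ce, remote_ce_as)


if __name__ == "__main__":
    # Both sites reuse private AS 65001; the PEs are in AS 100.
    print("default       :", deliver(65001, 65001, 100, substitute_as=False))
    print("substitute-as :", deliver(65001, 65001, 100, substitute_as=True))
    # A site in a different AS is unaffected: nothing in the path matches its AS.
    print("other site    :", deliver(65001, 65002, 100, substitute_as=True))
    # Caveat: the second call also describes a route that returns to the site
    # that originated it through a second PE link. After substitution the CE
    # can no longer recognise its own route by AS_Path, so loop detection on
    # that hop is lost for every route sent to this peer.
```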

Pre-configuration Tasks

Run the peer as-number command to create a peer or configure an AS number for a specified peer group.

Example

# Configure a device to replace the AS number of a specified peer in the AS_Path of a route with the local AS number.

<HUAWEI> system-view
[HUAWEI] bgp 100
[HUAWEI-bgp] ipv4-family vpn-instance vpn1
[HUAWEI-bgp-vpn1] peer 10.1.1.2 as-number 200
[HUAWEI-bgp-vpn1] peer 10.1.1.2 substitute-as

policy vpn-target

Function

The policy vpn-target command configures a device to implement VPN target-based filtering for received routes.

The undo policy vpn-target command cancels VPN target-based filtering.

By default, VPN target-based filtering is enabled.

Format

policy vpn-target

undo policy vpn-target

Parameters

None

Views

BGP-VPNv4 address family view or BGP-VPNv6 address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In the networking of BGP/MPLS IP VPN, Kompella VLL, and Kompella VPLS, VPN target attributes are used to filter received VPN routes or label blocks. If VPN target attributes are not configured, received VPN routes or label blocks are discarded.

VPNs and VPN target attributes are not configured on the following devices in certain networking scenarios:
  • RRs in BGP/MPLS IP VPN, Kompella VPLS, or Kompella VLL
  • ASBRs (not functioning as PEs) in inter-AS BGP/MPLS IP VPN Option B

In this case, VPN routes or label blocks are not saved on the RRs or ASBRs.

The RRs or ASBRs, however, need to save all VPN routes or label blocks sent from PEs. Therefore, the undo policy vpn-target command can be configured on the RRs or ASBRs to disable the filtering of VPN routes or label blocks.

Precautions

Running the undo policy vpn-target command causes the device to accept all VPN routes or label blocks received from PEs. Therefore, configure this command only on devices with particular roles (RRs or ASBRs).

Example

# Configure a device to implement VPN target-based filtering for received VPNv4 routes.

<HUAWEI> system-view
[HUAWEI] bgp 100
[HUAWEI-bgp] ipv4-family vpnv4
[HUAWEI-bgp-af-vpnv4] policy vpn-target

prefix limit

Function

The prefix limit command sets a limit on the maximum number of prefixes supported in the existing VPN instance address family, preventing the PE from importing excessive VPN route prefixes.

The undo prefix limit command restores the default setting.

By default, the maximum number of VPN route prefixes is not limited.

Format

prefix limit number { alert-percent [ route-unchanged ] | simply-alert }

undo prefix limit

Parameters

Parameter Description Value
number Specifies the maximum number of prefixes supported in the VPN instance address family. The value is an integer, and the minimum value is 1. The maximum number is determined by the license file.
alert-percent Specifies the proportion of the alarm threshold to the maximum number of prefixes. When the number of prefixes in the VPN instance address family exceeds number x alert-percent/100, alarms are displayed. The VPN route prefixes, however, can still join the VPN routing table. When the number of prefixes exceeds number, the subsequent prefixes are discarded. The value is an integer ranging from 1 to 100.
route-unchanged Indicates that the routing table remains unchanged. By default, route-unchanged is not configured. When the number of prefixes in the routing table is greater than the value of the parameter number, routes are processed as follows:
  • If route-unchanged is configured, routes in the routing table remain unchanged.
  • If route-unchanged is not configured, all routes in the routing table are deleted and then re-added.
-
simply-alert Indicates that when the number of VPN route prefixes exceeds number, prefixes can still join the VPN routing table and alarms are displayed. On the device, however, the subsequent VPN route prefixes are discarded after the total number of the unicast prefixes of the private network and the public network reaches the upper limit. -

Views

VPN instance view, VPN instance IPv4 address family view or VPN instance IPv6 address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If many useless route prefixes imported into a VPN instance constitute a large proportion of the route prefixes on a device, run the prefix limit command to set a limit on the maximum number of prefixes supported by the VPN instance. After the prefix limit command is run in the current VPN instance address family, if the number of route prefixes reaches the set limit, the system will generate an alarm to instruct the user to check the validity of route prefixes of the VPN instance.

The prefix limit command enables the system to display a message when the number of route prefixes added to the routing table of the VPN instance IPv6 address family exceeds the limit. If you run the prefix limit command to increase the maximum number of route prefixes in the VPN instance IPv6 address family or run the undo prefix limit command to cancel the limit, the system adds the excess route prefixes to the VPN IP routing table.

When the number of route prefixes exceeds the limit, direct routes and static routes can still be added to the routing table of the VPN instance IPv6 address family.

Prerequisites

The route-distinguisher command has been executed to set the RD of the VPN instance.

Precautions

The prefix limit command can prevent the routing table of the current VPN instance address family on a PE from importing too many route prefixes, but cannot prevent the PE from importing excessive route prefixes from other PEs. Therefore, configuring both the prefix limit and peer route-limit commands is recommended.

Do not run both the routing-table limit (the command restricts the number of routes) and prefix limit (the command restricts the number of route prefixes) commands in the current VPN instance address family. Configure either one of them based on your need.

Example

# Configure the system to only generate alarms when the number of prefixes exceeds the maximum number 1000 in the VPN instance named vpn1.

<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] ipv4-family
[HUAWEI-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[HUAWEI-vpn-instance-vpn1-af-ipv4] prefix limit 1000 simply-alert

route-distinguisher

Function

The route-distinguisher command configures a route distinguisher (RD) for a VPN instance address family.

By default, no RD is configured for the VPN instance address family.

Format

route-distinguisher route-distinguisher

Parameters

Parameter Description Value
route-distinguisher Specifies the value of an RD. The forms of RD are as follows:
  • 2-byte AS number:4-byte user-defined number, for example, 101:3. An AS number ranges from 0 to 65535. A user-defined number ranges from 0 to 4294967295. The AS number and the user-defined number cannot be 0s at the same time. That is, an RD cannot be 0:0.

  • Integral 4-byte AS number:2-byte user-defined number, for example, 65537:3. An AS number ranges from 65536 to 4294967295. A user-defined number ranges from 0 to 65535. The AS number and user-defined number cannot be both 0s. That is, an RD cannot be 0:0.

  • 4-byte AS number in dotted notation:2-byte user-defined number, for example, 0.0:3 or 0.1:0. A 4-byte AS number in dotted notation is in the format of x.y, where x and y are integers that range from 0 to 65535 and from 0 to 65535, respectively. A user-defined number ranges from 0 to 65535. The AS number and user-defined number cannot be both 0s. That is, an RD cannot be 0.0:0.

  • IPv4-address:2-byte user-defined number, for example, 192.168.122.15:1. An IP address ranges from 0.0.0.0 to 255.255.255.255. A user-defined number ranges from 0 to 65535.

-
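A validator for the four RD forms listed above, as an added example (not code from this command reference). It also packs each RD into the 8-byte layout of RFC 4364, which this page does not describe and is assumed here, so that two different spellings of the same RD can be detected; the instance names and RD values in CONSTRUCTED_INSTANCES are constructed.

```python
"""Parse, range-check and compare route distinguishers (RDs)."""
import ipaddress
import struct


def _number(text, what):
    """Parse an unsigned decimal field; reject signs, spaces and empty strings."""
    if not (text.isascii() and text.isdigit()):
        raise ValueError(f"{what} {text!r} is not a decimal number")
    return int(text)


def parse_rd(text):
    """Return (rd_type, administrator, user_number) or raise ValueError.

    rd_type follows RFC 4364: 0 = 2-byte AS, 1 = IPv4 address, 2 = 4-byte AS.
    """
    admin_s, sep, number_s = text.partition(":")
    if not sep:
        raise ValueError(f"{text!r}: expected <administrator>:<number>")
    number = _number(number_s, "user-defined number")
    dots = admin_s.count(".")
    if dots == 0:  # 101:3 (2-byte AS) or 65537:3 (integral 4-byte AS)
        admin = _number(admin_s, "AS number")
        if admin > 0xFFFFFFFF:
            raise ValueError(f"{text!r}: AS number exceeds 4294967295")
        rd_type = 0 if admin <= 0xFFFF else 2
    elif dots == 1:  # x.y, 4-byte AS in dotted notation
        high, low = (_number(part, "AS part") for part in admin_s.split("."))
        if high > 0xFFFF or low > 0xFFFF:
            raise ValueError(f"{text!r}: x and y must be 0 to 65535")
        rd_type, admin = 2, (high << 16) | low
    elif dots == 3:  # IPv4-address:number
        rd_type, admin = 1, int(ipaddress.IPv4Address(admin_s))
    else:
        raise ValueError(f"{text!r}: unrecognised administrator field")
    limit = 0xFFFFFFFF if rd_type == 0 else 0xFFFF
    if number > limit:
        raise ValueError(f"{text!r}: user-defined number exceeds {limit}")
    if rd_type != 1 and admin == 0 and number == 0:
        raise ValueError(f"{text!r}: an RD cannot be 0:0 or 0.0:0")
    return rd_type, admin, number


def encode_rd(text):
    """Pack an RD into 8 bytes: 2-byte type, then administrator and number."""
    rd_type, admin, number = parse_rd(text)
    layout = ">HHI" if rd_type == 0 else ">HIH"
    return struct.pack(layout, rd_type, admin, number)


def duplicate_rds(instances):
    """Group VPN instance names whose RDs encode to the same 8 bytes."""
    by_value = {}
    for name, rd in instances.items():
        by_value.setdefault(encode_rd(rd), []).append(name)
    return sorted(sorted(names) for names in by_value.values() if len(names) > 1)


# Constructed inventory: vpn2 and vpn3 spell the same 4-byte AS differently
# (1.1 in dotted notation is 1 * 65536 + 1 = 65537).
CONSTRUCTED_INSTANCES = {
    "vpn1": "100:1",
    "vpn2": "1.1:3",
    "vpn3": "65537:3",
    "vpn4": "22:1",
}

if __name__ == "__main__":
    for name, rd in CONSTRUCTED_INSTANCES.items():
        print(name, rd, encode_rd(rd).hex())
    print("same RD on:", duplicate_rds(CONSTRUCTED_INSTANCES))
```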

Views

VPN instance view, VPN instance IPv4 address family view, VPN instance IPv6 address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After creating a VPN instance and enabling the IPv4 or IPv6 address family for the VPN instance, you need to run the route-distinguisher command to configure an RD for the address family.

Different VPN instances may have the same route prefix. To allow a PE to determine to which VPN instance a route belongs, run the route-distinguisher command to configure an RD for an address family of a VPN instance on the PE. After the configuration, the PE will add an RD to the route received from the VPN instance, and then the route prefix becomes a globally unique VPNv4 or VPNv6 route.

Configuration Impact

An RD configured for the IPv4 or IPv6 address family of a VPN instance cannot be directly modified or deleted. Before modifying an RD, you need to disable the IPv4 or IPv6 address family of the VPN instance or delete the VPN instance and then reconfigure the address family or the VPN instance.

Precautions

Configuring a unique RD for the IPv4 or IPv6 address family of a VPN instance is recommended; otherwise, route overlap may occur.

When the route-distinguisher command is run in the VPN instance view, an ipv4-family command is created at the same time by default. The command results are equivalent to running the ipv4-family command in the VPN instance view and then running the route-distinguisher command in the VPN instance IPv4 address family view. For example:
[HUAWEI-vpn-instance-vpn1] route-distinguisher 200:1
[HUAWEI-vpn-instance-vpn1-af-ipv4] display this 
#  
 ipv4-family
  route-distinguisher 200:1
#
return

Example

# Configure an RD for the VPN instance named vpn1.

<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] ipv4-family
[HUAWEI-vpn-instance-vpn1-af-ipv4] route-distinguisher 22:1

routing-table limit

Function

The routing-table limit command sets the maximum number of routes that the current VPN instance address family supports.

The undo routing-table limit command restores the maximum number of routes that the current VPN instance address family can support to the default setting.

By default, there is no limit on the maximum number of routes that the current VPN instance address family can support, but the total number of private network and public network routes on a device cannot exceed the allowed maximum number of unicast routes.

Format

routing-table limit number { alert-percent | simply-alert }

undo routing-table limit

Parameters

Parameter Description Value
number Specifies the maximum number of routes supported by a VPN instance. The value is an integer, and the minimum value is 1. The maximum number is determined by the license file.
alert-percent Specifies the percentage of the maximum number of routes. When the number of routes in the VPN instance reaches (number*alert-percent)/100, the system generates alarms. VPN routes can still be added to the routing table, but after the number of routes reaches number, subsequent routes are dropped. An integer ranging from 1 to 100.
simply-alert Indicates that when VPN routes exceed number, routes can still be added into the routing table, but the system prompts alarms. However, after the total number of VPN routes and network public routes reaches the unicast route limit specified in the License, the subsequent VPN routes are dropped. -

Views

VPN instance view, VPN instance IPv4 address family view or VPN instance IPv6 address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If many useless routes imported into a VPN instance constitute a large proportion of the routes on a device, run the routing-table limit command to set a limit on the maximum number of routes supported by the VPN instance. After the routing-table limit command is run in the current VPN instance address family, if the number of routes of the VPN instance reaches the set limit, the system will generate an alarm to instruct the user to check the validity of routes of the VPN instance.

The routing-table limit command enables the system to display a message when the number of routes added to the routing table of the VPN instance IPv6 address family exceeds the limit. If you run the routing-table limit command to increase the maximum number of routes in the VPN instance IPv6 address family or run the undo routing-table limit command to cancel the limit, the system adds the excess routes to the VPN IP routing table.

Prerequisites

  1. The ip vpn-instance command has been executed to create a VPN instance and enter the VPN instance view.
  2. The ipv4-family or ipv6-family command has been executed to enter the IPv4 or IPv6 VPN instance address family view.
  3. The route-distinguisher command has been executed to set the RD of the VPN instance.

Precautions

Using the routing-table limit command prevents the routing table of the current VPN instance address family on a PE from importing too many routes, but cannot prevent the PE from importing excessive routes from other PEs. Therefore, configuring both the routing-table limit and peer route-limit commands is recommended.

Do not run both the routing-table limit (the command restricts the number of routes) and prefix limit (the command restricts the number of route prefixes) commands in the current VPN instance address family. Configure either one of them based on your need.

If the remote cross routes learned using MP-IBGP and the BGP routes learned from CEs failed to be added to the routing table, the system automatically refreshes the routing table to add these routes.
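An offline check of the rules stated in the prefix limit and routing-table limit sections (an RD must exist before limits can be set, only one of the two limits per address family, no limit by default, and simply-alert only raises alarms), as an added example that is not part of this command reference. SAMPLE_CONFIG is constructed, and its layout is assumed to follow the display this output shown on this page.

```python
"""Audit VPN instance address families in saved configuration text."""
import re

# Constructed sample; indentation and "#" separators follow "display this".
SAMPLE_CONFIG = """\
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 100:1
  prefix limit 1000 simply-alert
#
ip vpn-instance vpn2
 ipv4-family
  route-distinguisher 100:2
  routing-table limit 1000 80
  prefix limit 500 80
#
ip vpn-instance vpn3
 ipv4-family
  route-distinguisher 100:3
  routing-table limit 200 90
 ipv6-family
#
ip vpn-instance vpn4
 ipv4-family
  route-distinguisher 100:4
#
"""

LIMIT_RE = re.compile(
    r"^(prefix|routing-table) limit (\d+) (simply-alert|\d+)( route-unchanged)?$"
)


def parse_vpn_instances(config_text):
    """Return {(instance, family): [commands]} for every enabled address family."""
    families = {}
    instance = family = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw.startswith("ip vpn-instance "):
            instance, family = line.split()[2], None
        elif not raw.startswith(" "):  # "#" or another top-level command
            instance = family = None
        elif instance and line in ("ipv4-family", "ipv6-family"):
            family = line
            families[(instance, family)] = []
        elif instance and family:
            families[(instance, family)].append(line)
    return families


def audit(config_text):
    """Return a list of (location, finding) tuples.

    no-rd        address family enabled without an RD
    both-limits  prefix limit and routing-table limit configured together
    no-limit     neither limit configured (default: unlimited)
    alarm-only   simply-alert: routes beyond the number are still installed
    """
    findings = []
    for (instance, family), commands in sorted(parse_vpn_instances(config_text).items()):
        where = f"{instance}/{family}"
        if not any(c.startswith("route-distinguisher ") for c in commands):
            findings.append((where, "no-rd"))
            continue  # limits cannot be configured before the RD
        limits = {}
        for command in commands:
            match = LIMIT_RE.match(command)
            if match:
                limits[match.group(1)] = match.group(3)
        if len(limits) == 2:
            findings.append((where, "both-limits"))
        elif not limits:
            findings.append((where, "no-limit"))
        if "simply-alert" in limits.values():
            findings.append((where, "alarm-only"))
    return findings


if __name__ == "__main__":
    for where, finding in audit(SAMPLE_CONFIG):
        print(f"{where}: {finding}")
```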

Example

# Configure the maximum number of routes for the IPv4 address family of the VPN instance named vpn1 to 1000, and when VPN routes exceed 1000, routes can still be added into the routing table, but the system prompts alarms.

<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] ipv4-family
[HUAWEI-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[HUAWEI-vpn-instance-vpn1-af-ipv4] routing-table limit 1000 simply-alert

rr-filter

Function

The rr-filter command creates a reflection policy for the route reflectors.

The undo rr-filter command removes the configuration.

By default, no reflection policy for route reflectors is created.

Format

rr-filter { extcomm-filter-number | extcomm-filter-name }

undo rr-filter

Parameters

Parameter Description Value
extcomm-filter-number Specifies the number of the extended community filter supported by the route-reflector group. You can specify only one extended community filter each time. It is an integer that ranges from 1 to 399.
extcomm-filter-name Specifies the name of the extended community filter supported by the route-reflector group. You can specify only one extended community filter each time. The name is a string of 1 to 51 characters without any space. It is case-sensitive. When double quotation marks are used around the string, spaces are allowed in the string.

Views

BGP-VPNv4 address family view or BGP-VPNv6 address family view

Default Level

2: Configuration level

Usage Guidelines

Full-mesh connections need to be established between IBGP peers in an AS to ensure connectivity between the IBGP peers. When there are many IBGP peers, it is costly to establish a fully meshed network. An RR or a confederation can be used to solve the problem. Only IBGP routes whose route-target extended community attribute meets the matching rules can be reflected. This allows load balancing among RRs.

Example

# Create a route-reflector group, and enable the automatic filtering for VPNv4 route updates on the outbound interface. The group should be created on the basis of the permitted route target extended community attributes.

<HUAWEI> system-view
[HUAWEI] bgp 100
[HUAWEI-bgp] ipv4-family vpnv4
[HUAWEI-bgp-af-vpnv4] rr-filter 10

service-id (VPN instance view)

Function

The service-id command sets a service ID for a VPN instance.

The undo service-id command deletes the service ID of a VPN instance.

By default, no service ID is set for a VPN instance.

Format

service-id service-id

undo service-id

Parameters

Parameter Description Value
service-id Specifies the service ID of a VPN instance. An integer ranging from 1 to 4294967295.

Views

VPN instance view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A service ID set in the view of a VPN instance identifies the service of the VPN instance, which facilitates later service query using the NMS.

A service ID is unique on a device. It distinguishes a VPN service from other VPN services on the network. A service ID used by a VPN instance cannot be allocated to other VPN instances.

Configuration Impact

If the service-id command is run repeatedly, the last configuration overrides the previous ones.

Example

# Set a service ID for a VPN instance.

<HUAWEI> system-view
[HUAWEI] ip vpn-instance vrf1
[HUAWEI-vpn-instance-vrf1] service-id 123

snmp-agent trap enable feature-name l3vpn

Function

The snmp-agent trap enable feature-name l3vpn command enables the trap function for the L3VPN module.

The undo snmp-agent trap enable feature-name l3vpn command disables the trap function for the L3VPN module.

By default, the trap function for the L3VPN module is disabled.

Format

snmp-agent trap enable feature-name l3vpn [ trap-name { l3vpn_mib_trap_mid_thresh_exceed | l3vpn_mib_trap_thresh_cleared | l3vpn_mib_trap_thresh_exceed | l3vpn_mib_trap_vrf_down | l3vpn_mib_trap_vrf_up } ]

undo snmp-agent trap enable feature-name l3vpn [ trap-name { l3vpn_mib_trap_mid_thresh_exceed | l3vpn_mib_trap_thresh_cleared | l3vpn_mib_trap_thresh_exceed | l3vpn_mib_trap_tunnel_updown_event | l3vpn_mib_trap_vrf_down | l3vpn_mib_trap_vrf_up } ]

Parameters

Parameter Description Value
trap-name Enables the traps of L3VPN events of specified types. -
l3vpn_mib_trap_mid_thresh_exceed Enables the trap of the event indicating that the number of private route prefixes exceeds the middle threshold which is set by the prefix limit command. -
l3vpn_mib_trap_thresh_cleared Enables the trap of the event indicating that the number of private route prefixes falls below the threshold which is set by the prefix limit command. -
l3vpn_mib_trap_thresh_exceed Enables the trap of the event indicating that the number of private route prefixes exceeds the upper limit which is set by the prefix limit command. -
l3vpn_mib_trap_vrf_down Enables the trap for the VRF Down event. -
l3vpn_mib_trap_vrf_up Enables the trap for the VRF Up event. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The Simple Network Management Protocol (SNMP) is a standard network management protocol widely used on TCP/IP networks. It uses a central computer (a network management station) that runs network management software to manage network elements. The management agent on the network element automatically reports traps to the network management station. After that, the network administrator immediately takes measures to resolve the problem.

The snmp-agent trap enable feature-name l3vpn command enables the trap function for L3VPN modules.

Precautions

To enable the trap function of one or more types of trap messages, specify trap-name.

Example

# Enable the trap of VRF Down event in the system view.

<HUAWEI> system-view
[HUAWEI] snmp-agent trap enable feature-name l3vpn trap-name l3vpn_mib_trap_vrf_down

# Disable the trap of VRF Down event in the system view.

<HUAWEI> system-view
[HUAWEI] undo snmp-agent trap enable feature-name l3vpn trap-name l3vpn_mib_trap_vrf_down

source

Function

The source command configures the source address or source interface of the tunnel.

The undo source command deletes the configured source address or source interface.

The source address and source interface of a tunnel are not specified by default.

Format

source { source-ip-address | interface-type interface-number }

undo source

Parameters

Parameter Description Value
source-ip-address Specifies the source address of a tunnel interface. If a tunnel interface works in IPv4-IPv6 mode, specify an IPv6 address as the source address of the tunnel interface. The IPv4 address is in dotted decimal notation. The IPv6 address is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.
interface-type interface-number Specifies the type and the number of the source interface of the tunnel. The following types of interfaces are often used: VLANIF and loopback. -

Views

Tunnel interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When configuring a GRE, MPLS TE, IPv4 over IPv6 tunnel or manual IPv6 over IPv4 tunnel, create a tunnel interface. After a tunnel interface is created, run the source command to specify the source IP address for the tunnel interface.

Prerequisites

A tunnel interface has been created using the interface tunnel command, and the encapsulation mode is set to GRE, MPLS TE, IPv4 over IPv6 or IPv6 over IPv4 of manual mode using the tunnel-protocol command.

Precautions

Two tunnel interfaces with the same encapsulation mode, source address, and destination address cannot be configured simultaneously.

You can configure a main interface working in Layer 3 mode as the source tunnel interface.

On the GRE, MPLS TE, IPv6 over IPv4 tunnel or manual IPv6 over IPv4 tunnel, the source address of the local tunnel interface is the destination address of the remote tunnel interface, and the destination address of the local tunnel interface is the source address of the remote tunnel interface.

Example

# Set the tunnel type of Tunnel1 to IPv6 over IPv4 of manual mode and configure the source IP address of Tunnel1 as 10.1.1.1.

<HUAWEI> system-view
[HUAWEI] interface tunnel 1
[HUAWEI-Tunnel1] tunnel-protocol ipv6-ipv4
[HUAWEI-Tunnel1] source 10.1.1.1

# Configure Tunnel1 of GRE and use Loopback1 address as the interface address.

<HUAWEI> system-view
[HUAWEI] interface Loopback 1
[HUAWEI-LoopBack1] ip address 10.2.1.1 32
[HUAWEI-LoopBack1] quit
[HUAWEI] interface tunnel 1
[HUAWEI-Tunnel1] tunnel-protocol gre
[HUAWEI-Tunnel1] source loopback 1

supernet label-route advertise

Function

The supernet label-route advertise disable command disables a BGP device from advertising BGP supernet labeled routes.

The undo supernet label-route advertise disable or supernet label-route advertise enable command restores the default configuration.

By default, BGP supernet labeled routes can be preferentially selected and advertised.

Format

supernet label-route advertise disable

supernet label-route advertise enable

undo supernet label-route advertise disable

Parameters

None

Views

BGP view, BGP-IPv4 unicast address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A BGP supernet route has the same destination address and next hop address, or has a destination address that is more specific than the next hop address. Any route that meets one of the following conditions is a BGP supernet route.
  • If you perform bitwise AND operations on the destination address mask with the destination address and next hop address, respectively, the calculated network addresses are the same, and the destination address mask is greater than or equal to the next hop address mask.
  • If you perform bitwise AND operations on the destination address mask with the destination address and next hop address, respectively, the calculated network addresses are different. However, if you perform bitwise AND operations on the next hop address mask with the destination address and next hop address, respectively, the calculated network addresses are the same.

For example, the route destined for 10.6.6.6 in the following command output is a BGP supernet route.

<HUAWEI> display bgp routing-table
 BGP Local router ID is 10.1.1.2
 Status codes: * - valid, > - best, d - damped,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete

 Total Number of Routes: 1
        Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
   *>i  10.6.6.6/32        10.6.6.6       0          100       0       ? 
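
The two conditions above, written out as a check and run over the sample output (an added example, not part of the original command reference). The function names, the NEXTHOP_MASKS lookup and the second and third route lines are assumptions constructed for illustration; the display output does not show the next hop mask, so the caller supplies it.

```python
import ipaddress
import re

def network_of(addr: str, mask_len: int) -> int:
    """Bitwise AND of an IPv4 address with a mask of mask_len bits."""
    if not 0 <= mask_len <= 32:
        raise ValueError(f"invalid mask length: {mask_len}")
    mask = (0xFFFFFFFF << (32 - mask_len)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & mask

def is_supernet_route(dest: str, dest_len: int, nexthop: str, nexthop_len: int) -> bool:
    """Apply the two supernet conditions from the usage guidelines.

    nexthop_len is the mask length of the route that covers the next hop
    (assumption: the caller looks it up, for example in the IP routing table).
    """
    same_under_dest_mask = network_of(dest, dest_len) == network_of(nexthop, dest_len)
    # Condition 1: same network under the destination mask, and the
    # destination mask is at least as long as the next hop mask.
    if same_under_dest_mask and dest_len >= nexthop_len:
        return True
    # Condition 2: different networks under the destination mask, but the
    # same network under the next hop mask.
    same_under_nexthop_mask = (
        network_of(dest, nexthop_len) == network_of(nexthop, nexthop_len)
    )
    return (not same_under_dest_mask) and same_under_nexthop_mask

# Matches "<network>/<len>  <nexthop>" in a display bgp routing-table row.
ROUTE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})\s+(\d{1,3}(?:\.\d{1,3}){3})"
)

def find_supernet_routes(output: str, nexthop_masks: dict, default_len: int = 32) -> list:
    """Return the prefixes in the command output that are supernet routes."""
    found = []
    for line in output.splitlines():
        match = ROUTE.search(line)
        if not match:
            continue  # header, legend or blank line
        dest, dest_len, nexthop = match.group(1), int(match.group(2)), match.group(3)
        nexthop_len = nexthop_masks.get(nexthop, default_len)
        if is_supernet_route(dest, dest_len, nexthop, nexthop_len):
            found.append(f"{dest}/{dest_len}")
    return found

# First row is the one shown on this page; the other two are constructed.
SAMPLE_OUTPUT = """\
 BGP Local router ID is 10.1.1.2
 Total Number of Routes: 3
        Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
   *>i  10.6.6.6/32        10.6.6.6       0          100       0       ?
   *>i  10.1.1.0/24        10.1.2.1       0          100       0       ?
   *>i  172.16.0.0/16      10.9.9.9       0          100       0       ?
"""

# Constructed next hop mask lengths; unknown next hops default to /32.
NEXTHOP_MASKS = {"10.1.2.1": 16, "10.9.9.9": 32}

if __name__ == "__main__":
    for prefix in find_supernet_routes(SAMPLE_OUTPUT, NEXTHOP_MASKS):
        print("supernet route:", prefix)
```
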

Example

# Disable a BGP device from advertising BGP supernet labeled routes.

<HUAWEI> system-view
[HUAWEI] bgp 100
[HUAWEI-bgp] ipv4-family unicast
[HUAWEI-bgp-af-ipv4] supernet label-route advertise disable

tunnel binding

Function

The tunnel binding command binds a specified tunnel to a destination IP address so that the tunnel can be used by a specified VPN.

The undo tunnel binding command cancels the binding.

By default, a tunnel is not bound to any IP address.

Format

tunnel binding destination dest-ip-address te { tunnel interface-number } &<1-6> [ ignore-destination-check ] [ down-switch ]

undo tunnel binding destination dest-ip-address

Parameters

Parameter Description Value
dest-ip-address Specifies the destination address of the tunnel. -
interface-number Specifies the interface number of the bound tunnel interface. -
ignore-destination-check Specifies whether to ignore destination consistency check. If this parameter is enabled, a tunnel policy selects a TE tunnel for route iteration even if the destination address of that TE tunnel is different from the destination address specified in the tunnel policy. -
down-switch Enables tunnel switchover. After this parameter is configured, when the bound TE tunnel fails, an available tunnel is selected in the priority order LSP, CR-LSP. -

Views

Tunnel policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A tunnel policy determines the selection of proper tunnels for VPN services. There are two types of tunnel policies. Only one policy type can be configured in the tunnel policy view.
  • Tunnel type prioritizing policy: Such a policy specifies the sequence in which different types of tunnels are selected. The tunnel select-seq command is used to configure a tunnel type prioritizing policy.
  • Tunnel binding policy: Such a policy binds a tunnel to a VPN for service transmission. The tunnel binding command is used to configure a tunnel binding policy.

Only MPLS TE tunnels can be bound to VPNs. The tunnel binding command can specify the MPLS TE tunnels that are used for VPN binding, facilitating QoS deployment. If some VPN services have high requirements for QoS, run the tunnel binding command to use specific MPLS TE tunnels to transmit these VPN services.

Prerequisites

The tunnel-policy command is run to create a tunnel policy.

The mpls te reserved-for-binding command is run in the view of the tunnel interface to be bound to an MPLS TE tunnel.

Precautions

The tunnel binding command can be run repeatedly in the tunnel policy view so long as the value of dest-ip-address varies.

Apply the tunnel binding policy to the VPN instance so that the VPN instance can have its routes iterated to the bound MPLS TE tunnel.

Example

# Bind the IP address of the remote PE, 10.2.2.9, to the local tunnel interface Tunnel1 in the tunnel policy view.

<HUAWEI> system-view
[HUAWEI] tunnel-policy tnlpolicyname
[HUAWEI-tunnel-policy-tnlpolicyname] tunnel binding destination 10.2.2.9 te tunnel 1

tunnel-selector (system view)

Function

The tunnel-selector command creates a tunnel selector and displays the tunnel selector view.

The undo tunnel-selector command cancels the setting.

By default, no tunnel selector is created.

Format

tunnel-selector tunnel-selector-name { permit | deny } node node

undo tunnel-selector tunnel-selector-name [ node node ]

Parameters

Parameter Description Value
tunnel-selector-name Specifies the name of a tunnel selector. The value is a string of 1 to 40 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.
permit Specifies the matching mode of the tunnel selector to permit. If a route matches all the if-match clauses of a node, the route matches the node and all the actions defined by the apply clause are performed on the route. If a route does not match one if-match clause of a node, the route continues to match the next node. -
deny Specifies the matching mode of the tunnel selector to deny. If a route matches all the if-match clauses of a node, the route is denied and does not match the next node. -
node node Specifies the index of the node of the tunnel selector. The route first matches the node with a smaller index value. The value is an integer ranging from 0 to 65535.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The tunnel-selector command is often used in BGP/MPLS IP VPN networking. A tunnel selector needs to be created in the following scenarios:

  • The SPE in the HVPN networking needs to apply a tunnel policy to VPNv4 routes that are received from UPEs.

Follow-up Procedure

Configure the following clauses after creating a tunnel selector (each node of the tunnel selector consists of two parts):

In addition, the system will have routes iterated to expected tunnels only after applying a tunnel selector. The tunnel-selector (BGP view) command can be run in the BGP view for the application of a tunnel selector.

Precautions

A change in the tunnel selector may cause VPN services to be interrupted because BGP-VPNv4 or BGP labeled routes may fail to be iterated to tunnels.

Example

# Create a tunnel selector named tps, and set the node number to 10 and the matching mode to permit.

<HUAWEI> system-view
[HUAWEI] tunnel-selector tps permit node 10
[HUAWEI-tunnel-selector] 

tunnel-selector (BGP view)

Function

The tunnel-selector command applies a tunnel selector to BGP-VPNv4 or BGP labeled routes.

The undo tunnel-selector command cancels the configuration.

By default, no tunnel selector is applied to BGP-VPNv4 or BGP labeled routes. BGP-VPNv4 or BGP labeled routes are iterated only to LSPs.

Format

tunnel-selector tunnel-selector-name

undo tunnel-selector

Parameters

Parameter Description Value
tunnel-selector-name Specifies the name of a tunnel policy selector. The value is a string of 1 to 40 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

Views

BGP view, BGP-IPv4 unicast address family view or BGP-VPNv4 address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The tunnel-selector command is often used in BGP/MPLS IP VPN networking. It can be used in the following scenarios to apply a tunnel selector to BGP-VPNv4 or BGP labeled routes:

  • The SPE in the HVPN networking needs to apply a tunnel policy to VPNv4 routes that are received from UPEs.

Prerequisites

The tunnel-selector (system view) command is run to create a tunnel selector.

Precautions

Deleting the tunnel selector applied to BGP-VPNv4 or BGP labeled routes may cause VPN service interruption because the BGP-VPNv4 or BGP labeled routes may fail to be iterated to tunnels.

Example

# Apply a tunnel selector to BGP labeled routes.

<HUAWEI> system-view
[HUAWEI] bgp 100
[HUAWEI-bgp] ipv4-family unicast
[HUAWEI-bgp-af-ipv4] tunnel-selector tps 

tunnel select-seq

Function

The tunnel select-seq command specifies the priority sequence of the tunnels taking part in load balancing.

The undo tunnel select-seq command restores the default setting.

By default, only LDP LSPs, BGP LSP or static LSPs are selected and no load balancing is performed.

Format

tunnel select-seq { gre | lsp | cr-lsp } * load-balance-number load-balance-number

undo tunnel select-seq

Parameters

Parameter Description Value
gre Specifies a GRE tunnel. NOTE: This parameter is not supported in this version. -
lsp Specifies the LDP LSPs, BGP LSP or static LSPs. -
cr-lsp Specifies the CR-LSP tunnel. -
load-balance-number Specifies the number of tunnels taking part in load balancing. The value is an integer that ranges from 1 to 6.

Views

Tunnel policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, a VPN instance uses LSPs for service transmission on the backbone network. To use other types of tunnels or configure load balancing for service transmission of the VPN instance, you need to apply a tunnel policy to the VPN instance.

Precautions

A tunnel policy determines the selection of proper tunnels for VPN services. There are two types of tunnel policies.
  • Tunnel type prioritizing policy: Such a policy specifies the sequence in which different types of tunnels are selected. The tunnel select-seq command is used to configure a tunnel type prioritizing policy.
  • Tunnel binding policy: Such a policy binds a tunnel to a VPN for service transmission. The tunnel binding command is used to configure a tunnel binding policy.

If the tunnel select-seq command is run, the VPN instance preferentially selects the tunnel type with the highest priority according to the specified sequence. For example, after the tunnel select-seq cr-lsp lsp load-balance-number 2 command is run in the tunnel policy view, the VPN instance will select CR-LSPs to transmit services on the backbone network.
  • If two or more CR-LSPs are available on the network, the VPN instance randomly selects two of them for service transmission.
  • If no CR-LSP or only one CR-LSP is available on the network, the VPN instance selects LSPs as substitutes and uses them together with the existing CR-LSP, if any, for service transmission.
  • If the number of tunnels used by the VPN instance is reduced to 1, the VPN instance uses the tunnel policy to re-select tunnels.

If lsp is specified in the command, three types of LSPs can serve as candidate tunnels: LDP LSP, BGP LSP, and static LSP. The priority sequence of these LSPs taking part in load balancing is LDP LSP > BGP LSP > static LSP. For example, if the tunnel select-seq lsp cr-lsp load-balance-number 3 command is configured for the tunnel policy:
  • If three or more LDP LSPs are available on the network, the VPN instance randomly selects three of them for service transmission.
  • If fewer than three LDP LSPs are available on the network, the VPN instance selects BGP LSPs as substitutes to ensure that three LSPs work in load balancing mode to transmit services.
  • If the total number of LDP and BGP LSPs available on the network is less than 3, the VPN instance selects static LSPs as substitutes to ensure that three LSPs work in load balancing mode to transmit services.

After the tunnel select-seq command is executed, apply the configured tunnel policy to the VPN instance so that the VPN instance can select tunnels based on the tunnel policy and have its services load-balanced across tunnels.

The load balancing mode configured using the tunnel select-seq command in a tunnel policy takes effect only for L3VPN.
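
The selection rules above as a small model, added here for illustration and not taken from the device software. The function name and the tunnel names are hypothetical, and where the device picks randomly among equal candidates the model takes them in list order so that the result is repeatable.

```python
# Priority of LSP kinds when "lsp" appears in the sequence, as stated above.
LSP_ORDER = ("ldp-lsp", "bgp-lsp", "static-lsp")
TUNNEL_TYPES = ("gre", "lsp", "cr-lsp")

def select_tunnels(select_seq, load_balance_number, available):
    """Model of: tunnel select-seq <select_seq> load-balance-number <n>.

    select_seq: tunnel types in configured order, e.g. ["cr-lsp", "lsp"].
    available:  dict mapping a tunnel kind ("cr-lsp", "ldp-lsp", "bgp-lsp",
                "static-lsp") to the names of tunnels that are currently up.
    Returns a list of (kind, name) pairs, at most load_balance_number long.
    """
    if not 1 <= load_balance_number <= 6:
        raise ValueError("load-balance-number must be an integer from 1 to 6")
    if not select_seq or len(set(select_seq)) != len(select_seq):
        raise ValueError("select-seq needs one or more distinct tunnel types")
    for tunnel_type in select_seq:
        if tunnel_type not in TUNNEL_TYPES:
            raise ValueError(f"unknown tunnel type: {tunnel_type}")
        if tunnel_type == "gre":
            raise ValueError("gre is not supported in this version")

    # Build the candidate list in priority order: configured sequence first,
    # then LDP > BGP > static inside "lsp".
    candidates = []
    for tunnel_type in select_seq:
        kinds = LSP_ORDER if tunnel_type == "lsp" else (tunnel_type,)
        for kind in kinds:
            candidates.extend((kind, name) for name in available.get(kind, ()))

    # Lower-priority tunnels are used only to fill the remaining slots.
    return candidates[:load_balance_number]

def kinds_in_use(selection):
    """Tunnel kinds carrying traffic, in selection order without repeats."""
    seen = []
    for kind, _name in selection:
        if kind not in seen:
            seen.append(kind)
    return seen

if __name__ == "__main__":
    # Constructed scenario: one CR-LSP and two LDP LSPs are up.
    up = {"cr-lsp": ["te1"], "ldp-lsp": ["ldp1", "ldp2"]}
    print(select_tunnels(["cr-lsp", "lsp"], 2, up))
```

Re-running the function after a tunnel goes down corresponds to the re-selection step described above.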

Example

# Configure a tunnel policy in which only LDP LSPs, BGP LSPs, or static LSPs can be used and no load balancing is performed.

<HUAWEI> system-view
[HUAWEI] tunnel-policy l2
[HUAWEI-tunnel-policy-l2] tunnel select-seq lsp load-balance-number 1

tunnel-policy nonexistent-config-check

Function

The tunnel-policy nonexistent-config-check command configures whether a nonexistent tunnel policy can be specified in a command.

The undo tunnel-policy nonexistent-config-check disable command restores the default configuration, in which only an existing tunnel policy can be specified in a command.

By default, only an existing tunnel policy can be specified in a command.

Format

tunnel-policy nonexistent-config-check { disable | enable }

undo tunnel-policy nonexistent-config-check disable

Parameters

Parameter Description Value
disable Indicates that a nonexistent tunnel policy can be specified in a command. -
enable Indicates that only an existing tunnel policy can be specified in a command. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, if you specify a nonexistent tunnel policy in a command, the command does not take effect.

To allow a nonexistent tunnel policy to be specified in a command, run the tunnel-policy nonexistent-config-check disable command.

Example

# Allow a nonexistent tunnel policy to be specified in a command.

<HUAWEI> system-view
[HUAWEI] tunnel-policy nonexistent-config-check disable

tunnel-policy (system view)

Function

The tunnel-policy command creates a tunnel policy and displays the tunnel policy view.

The undo tunnel-policy command deletes the specified tunnel policy.

By default, no tunnel policy is created in the system.

Format

tunnel-policy policy-name

undo tunnel-policy policy-name

Parameters

Parameter Description Value
policy-name Specifies the name of a tunnel policy. The value is a string of 1 to 39 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, a VPN instance selects LSPs without performing load balancing based on the default tunnel policy. If you want to make a change, run the tunnel-policy command to create a tunnel policy.

There are two types of tunnel policies:
  • Tunnel type prioritizing policy: It specifies the sequence in which different types of tunnels are selected and the number of tunnels taking part in load balancing.
  • Tunnel binding policy: It binds a tunnel to a destination address. In this manner, the VPN traffic bound for the destination address enters the bound tunnel only, and as a result, QoS is guaranteed for the VPN traffic.

Precautions

If you change the tunnel policy in a VPN instance, VPN services may be interrupted due to a possibility of iteration failures.

Run one of the following commands to perform further configuration on the created tunnel policy:
  • To configure the tunnel policy as a tunnel type prioritizing policy, run the tunnel select-seq command.
  • To configure the tunnel policy as a tunnel binding policy, run the tunnel binding command.

The system can select tunnels for a VPN instance based on a tunnel policy only after the tunnel policy is applied to the VPN instance. The mode in which a tunnel policy is applied to a VPN instance varies according to the VPN type.

Example

# Create a tunnel policy named policy1 and enter the tunnel policy view.

<HUAWEI> system-view
[HUAWEI] tunnel-policy policy1
[HUAWEI-tunnel-policy-policy1]

tunnel-protocol

Function

The tunnel-protocol command configures the tunnel protocol on a tunnel interface.

The undo tunnel-protocol command restores the tunnel protocol to the default configuration.

By default, no tunnel protocol is used on a tunnel interface.

Format

tunnel-protocol { gre | ipv6-ipv4 [ 6to4 | isatap ] | ipv4-ipv6 | mpls te | none }

undo tunnel-protocol

Parameters

Parameter Description Value
gre Indicates that the GRE tunnel protocol is configured on a tunnel interface. NOTE: Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support the parameter. -
ipv4-ipv6 Indicates that the IPv4 to IPv6 tunnel protocol is configured on a tunnel interface. NOTE: Only the S5720HI supports the parameter. -
ipv6-ipv4 [ 6to4 | isatap ] Configures the tunnel protocol of the tunnel interface as ipv6-ipv4: ipv6-ipv4 uses a manual IPv6 over IPv4 tunnel; ipv6-ipv4 6to4 uses a 6to4 tunnel; ipv6-ipv4 isatap uses an ISATAP tunnel. NOTE: Only the S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S5720EI, S5720HI, S6720EI, and S6720S-EI support these parameters. -
mpls te Indicates that the MPLS TE tunnel protocol is configured on a tunnel interface. NOTE: Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support the parameter. -
none Indicates that no tunnel protocol is configured on a tunnel interface. -

Views

Tunnel interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After creating a tunnel interface using the interface tunnel command, run the tunnel-protocol command to configure the tunnel encapsulation mode for the tunnel interface.

The following tunnel encapsulation modes are available:
  • GRE: encapsulates packets of some network layer protocols such as IP or IPX to enable these encapsulated packets to be transmitted on networks running other protocols such as IP.
  • IPv4-IPv6: creates tunnels on the IPv6 networks to connect IPv4 isolated sites so that IPv4 isolated sites can access other IPv4 networks through the IPv6 public network.
  • IPv6-IPv4: creates tunnels on the IPv4 networks to connect IPv6 isolated sites so that IPv6 packets can be transmitted on IPv4 networks.
  • MPLS TE: integrates the MPLS technology with traffic engineering. It can reserve resources by setting up LSP tunnels for a specified path in an attempt to avoid network congestion and balance network traffic.

Precautions

  • The none mode indicates the initial configuration, that is, no tunnel encapsulation mode is configured. In practice, you must select another tunnel encapsulation mode.
  • You must configure the tunnel encapsulation mode before setting the source IP address or other parameters for a tunnel interface. Changing the encapsulation mode of a tunnel interface deletes other parameters of the tunnel interface.

Example

# Set the tunnel encapsulation mode of Tunnel2 to GRE.
<HUAWEI> system-view
[HUAWEI] interface tunnel 2
[HUAWEI-Tunnel2] tunnel-protocol gre

tnl-policy

Function

The tnl-policy command associates a tunnel policy with the current VPN instance address family.

The undo tnl-policy command dissociates the current VPN instance address family from a tunnel policy.

By default, no tunnel policy is associated with the VPN instance address family. By default, a tunnel is selected for a VPN in the sequence of the LSP, CR-LSP, and Local_IfNet, and no load balancing is performed.

Format

tnl-policy policy-name

undo tnl-policy

Parameters

Parameter Description Value
policy-name Specifies the name of the tunnel policy to be associated with the VPN instance address family. The value is a string of 1 to 39 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

Views

VPN instance view, VPN instance IPv4 address family view, VPN instance IPv6 address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, a device only uses an LSP tunnel to forward data on the backbone network and cannot implement multi-path load balancing at the same time. To ensure transmission quality of services and specify a TE tunnel to transmit VPN services, or to improve transmission efficiency and implement load balancing, run the tunnel-policy command to configure a tunnel policy and run the tnl-policy command to reference the tunnel policy in the VPN address family view.

Prerequisites

  1. The ip vpn-instance command has been executed to create a VPN instance and enter the VPN instance view.
  2. The ipv4-family command has been executed to enable the IPv4 address family for the VPN instance and enter the VPN instance IPv4 address family view.
  3. The route-distinguisher command has been executed to set the RD of the VPN instance.

Precautions

If the tunnel policy associated with a VPN instance enabled with the address family cannot match an existing tunnel on the network, the routes in that VPN instance address family are iterated to tunnels based on the default tunnel policy. If the iteration fails, services will be interrupted.

If the address family of a VPN instance changes or the associated tunnel policy is deleted, VPN services will be interrupted for a short time even if tunnels matching the tunnel policy are available on the network. Therefore, use the tnl-policy command with caution.

Follow-up Procedure

If the associated tunnel policy does not exist, run the tunnel-policy command to create the tunnel policy.

Example

# Associate a tunnel policy named po1 with the VPN instance named vpn2.

<HUAWEI> system-view
[HUAWEI] tunnel-policy po1
[HUAWEI-tunnel-policy-po1] tunnel select-seq lsp load-balance-number 2
[HUAWEI-tunnel-policy-po1] quit
[HUAWEI] ip vpn-instance vpn2
[HUAWEI-vpn-instance-vpn2] ipv4-family
[HUAWEI-vpn-instance-vpn2-af-ipv4] route-distinguisher 100:1
[HUAWEI-vpn-instance-vpn2-af-ipv4] tnl-policy po1

transit-vpn

Function

The transit-vpn command ensures that the status of a VRF (VPN Routing and Forwarding table) obtained from MIB is always Up, no matter whether this VRF is bound to interfaces.

The undo transit-vpn command restores the default setting.

By default, the status of a VRF obtained from MIB is Up only if it is bound to at least one interface in the Up state.

Format

transit-vpn

undo transit-vpn

Parameters

None.

Views

VPN instance view or VPN instance IPv4 address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

According to RFC, the status of a VRF obtained from MIB is Up only if it is bound to at least one interface in the Up state. In the HoVPN or H-VPN networking, however, a VRF does not need to be bound to any interface. If the VRF is not bound to an interface in this networking, the status of the VRF obtained from MIB is Down by default.

In this case, you can run the transit-vpn command to ensure that the status of a VRF obtained from MIB is always Up.

Prerequisites

The route-distinguisher command has been executed to set the RD of the VPN instance.

Example

# Configure the status of the VRF vpna obtained from MIB to be always Up, no matter whether the VRF is bound to interfaces.

<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpna
[HUAWEI-vpn-instance-vpna] ipv4-family
[HUAWEI-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[HUAWEI-vpn-instance-vpna-af-ipv4] transit-vpn

undo vpn frr all

Function

Using the undo vpn frr all command, you can disable VPN FRR in all the VPN instances.

Format

undo vpn frr all

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The VPN FRR function may be configured in multiple VPN instances on a device. Running the undo vpn frr command in each VPN instance one by one to cancel the VPN FRR function takes a long time.

In the system view, run the undo vpn frr all command to simultaneously cancel the VPN FRR function of IPv4 and IPv6 address families in all VPN instances.

Precautions

To cancel the VPN FRR function of a VPN instance, run the undo vpn frr command.

Example

# Disable VPN FRR of all the VPN instances in the system view.

<HUAWEI> system-view
[HUAWEI] undo vpn frr all

vpn-route cross multipath

Function

The vpn-route cross multipath command adds multiple VPNv4 or VPNv6 routes to a VPN instance with a different RD from these routes' RDs.

The undo vpn-route cross multipath command restores the default configuration.

By default, if the RDs of multiple VPNv4 or VPNv6 routes are different from the RD of a VPN instance, only the optimal route is added to the VPN instance.

Format

vpn-route cross multipath

undo vpn-route cross multipath

Parameters

None

Views

BGP-VPN instance IPv4 address family view or BGP-VPN instance IPv6 address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, if the RD of the VPN instance on the local PE is different from the RDs of the VPN instances on multiple remote PEs, and the RDs of the VPN instances on remote PEs are the same, the local PE adds only the optimal route to the VPN instance after receiving VPNv4 or VPNv6 routes with the same destination address from the remote PEs. As a result, load balancing or VPN FRR does not take effect. To resolve this problem, run the vpn-route cross multipath command on the local PE.

Configuration Impact

After you run the vpn-route cross multipath command, the local PE adds multiple VPNv4 or VPNv6 routes to a VPN instance with a different RD from these routes' RDs. The number of VPNv4 or VPNv6 routes that can be added to the VPN instance depends on whether load balancing or VPN FRR is configured.
  • If no load balancing is configured, a maximum of two VPNv4 or VPNv6 routes can be added to the VPN instance.

  • If you set the maximum number of equal-cost routes for load balancing to n using the maximum load-balancing command, n VPNv4 or VPNv6 routes can be added to the VPN instance.

  • If you configure VPN FRR and set the maximum number of equal-cost routes for load balancing to n using the maximum load-balancing and auto-frr commands, n + 1 VPNv4 or VPNv6 routes can be added to the VPN instance.

Example

# Add multiple VPNv4 routes to a VPN instance with a different RD from these routes' RDs.

<HUAWEI> system-view
[HUAWEI] bgp 100
[HUAWEI-bgp] ipv4-family vpn-instance vrf1
[HUAWEI-bgp-vrf1] vpn-route cross multipath

# Add multiple VPNv6 routes to a VPN instance with a different RD from these routes' RDs.

<HUAWEI> system-view
[HUAWEI] bgp 100
[HUAWEI-bgp] ipv6-family vpn-instance vrf1
[HUAWEI-bgp6-vrf1] vpn-route cross multipath

vpn-target

Function

The vpn-target command configures the export or import VPN target extended community attribute for the VPN instance address family.

The undo vpn-target command deletes the setting.

By default, no export or import VPN target extended community list is configured for the VPN instance address family.

Format

vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]

undo vpn-target { all | vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ] }

Parameters

Parameter Description Value
vpn-target Specifies the VPN target extended community attribute to be added to the VPN target extended community list of the VPN instance address family. The forms of VPN targets are as follows:
  • 2-byte AS number:4-byte user-defined number, for example, 1:3. The AS number ranges from 0 to 65535. The user-defined number ranges from 0 to 4294967295. The AS number and the user-defined number cannot both be 0. That is, a VPN target cannot be 0:0.

  • IPv4 address:2-byte user-defined number, for example, 192.168.122.15:1. The IP address ranges from 0.0.0.0 to 255.255.255.255. The user-defined number ranges from 0 to 65535.

  • Integral 4-byte AS number:2-byte user-defined number, for example, 65537:3. The AS number ranges from 65536 to 4294967295. The user-defined number ranges from 0 to 65535. The AS number and the user-defined number cannot both be 0. That is, a VPN target cannot be 0:0.

  • 4-byte AS number in dotted notation:2-byte user-defined number, for example, 0.0:3 or 0.1:0. A 4-byte AS number in dotted notation is in the format of x.y, where x and y are integers that each range from 0 to 65535. The user-defined number ranges from 0 to 65535. The AS number and the user-defined number cannot both be 0. That is, a VPN target cannot be 0.0:0.

-
both Adds the VPN target extended community attribute to the export and import VPN target extended community lists of the VPN instance address family. If none of both, export-extcommunity, or import-extcommunity is specified, both is adopted by default. -
export-extcommunity Adds the VPN target extended community attribute to the export VPN target extended community list of the VPN instance address family. -
import-extcommunity Adds the VPN target extended community attribute to the import VPN target extended community list of the VPN instance address family. -
all Deletes all the VPN targets of the VPN instance IPv4 address family. -
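
The four VPN target forms and their ranges can be checked before a value is pushed to a device. The following validator is an added example, not Huawei code; the function names and the form labels it returns are assumptions made here, and the ranges are the ones listed in the table above.

```python
def _uint(field, limit, text):
    """Parse a decimal field and enforce the 0..limit range given in the table."""
    if not (field.isascii() and field.isdigit()) or int(field) > limit:
        raise ValueError(f"{text!r}: {field!r} is not an integer in 0-{limit}")
    return int(field)

def classify_vpn_target(text):
    """Return the name of the form a VPN target uses, or raise ValueError."""
    admin, sep, number = text.rpartition(":")
    if not sep:
        raise ValueError(f"{text!r}: expected administrator:number")
    parts = admin.split(".")
    if len(parts) == 1:
        asn = _uint(admin, 4294967295, text)
        if asn <= 65535:   # 2-byte AS number:4-byte user-defined number
            form, values = "2-byte AS", [asn, _uint(number, 4294967295, text)]
        else:              # integral 4-byte AS number:2-byte user-defined number
            form, values = "4-byte AS", [asn, _uint(number, 65535, text)]
    elif len(parts) == 2:  # x.y:2-byte user-defined number
        form = "4-byte AS (dotted)"
        values = [_uint(p, 65535, text) for p in parts]
        values.append(_uint(number, 65535, text))
    elif len(parts) == 4:  # IPv4 address:2-byte user-defined number
        for p in parts:
            _uint(p, 255, text)
        _uint(number, 65535, text)
        return "IPv4 address"  # the table states no all-zero rule for this form
    else:
        raise ValueError(f"{text!r}: unrecognized administrator field")
    if not any(values):
        raise ValueError(f"{text!r}: AS number and user-defined number cannot both be 0")
    return form
```
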

Views

VPN instance view, VPN instance IPv4 address family view, VPN instance IPv6 address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a VPN instance is configured on a PE, the vpn-target command must be used to configure a VPN target for the IPv4 or IPv6 address family of the VPN instance.

The VPN target controls route learning between VPN sites. A VPN target may be either an import VPN target or an export VPN target. An export VPN target is contained in a VPNv4 or IPv6 route to be advertised to a remote MP-BGP peer. After receiving a VPNv4 or IPv6 route, an MP-BGP peer compares the received export VPN target with the local import VPN target to determine whether the VPNv4 or IPv6 route can be added to the routing table of the local VPN instance enabled with the IPv4 or IPv6 address family.

Prerequisites

The route-distinguisher command has been executed to set the RD of the VPN instance.

Precautions

A VPN target configured using the vpn-target command will not overwrite any previously configured VPN target. If the number of configured VPN targets has reached the maximum limit, no VPN target can be added by using the vpn-target command.

After a VPN target is configured for the IPv4 or IPv6 address family of a VPN instance, only the routes that match the VPN target will be accepted by the IPv4 or IPv6 address family of the VPN instance.

If all the VPN targets of the IPv4 or IPv6 address family of a VPN instance are deleted using the undo vpn-target command, all routes learned by the IPv4 or IPv6 address family of the VPN instance from other VPN instances will be deleted.

Multiple VPN targets can be configured for the IPv4 or IPv6 address family of a VPN instance. One vpn-target command can configure a maximum of eight VPN targets at a time. If you want to configure more VPN targets in the VPN instance IPv4 or IPv6 address family view, run the vpn-target command multiple times. When VPN routes are advertised between VPN instances, if one of the VPN targets carried in the VPNv4 or IPv6 routes matches the import VPN target of the IPv4 or IPv6 address family of a local VPN instance, the routes will be added to the routing table of the local VPN instance.

Example

# Add 3:3 to the export VPN target extended community list and 4:4 to the import VPN target extended community list of the VPN instance named vrf1.

<HUAWEI> system-view
[HUAWEI] ip vpn-instance vrf1
[HUAWEI-vpn-instance-vrf1] ipv4-family
[HUAWEI-vpn-instance-vrf1-af-ipv4] route-distinguisher 100:1
[HUAWEI-vpn-instance-vrf1-af-ipv4] vpn-target 3:3 export-extcommunity
[HUAWEI-vpn-instance-vrf1-af-ipv4] vpn-target 4:4 import-extcommunity
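
Because one matching target is enough for a route to be imported, reviewing the export and import lists across all VPN instances shows which instances can exchange routes. The following audit is an added example, not Huawei code: the saved-configuration layout, the instances vrf2 and mgmt, and the function names are assumptions, and the sample text is constructed (vrf1 reuses the values from the example above).

```python
from collections import defaultdict

# Constructed sample in an assumed saved-configuration layout; names are illustrative.
SAMPLE_CONFIG = """\
ip vpn-instance vrf1
 ipv4-family
  route-distinguisher 100:1
  vpn-target 3:3 export-extcommunity
  vpn-target 4:4 import-extcommunity
ip vpn-instance vrf2
 ipv4-family
  route-distinguisher 100:2
  vpn-target 4:4 5:5
ip vpn-instance mgmt
 ipv4-family
  route-distinguisher 100:3
  vpn-target 3:3 import-extcommunity
"""

KEYWORDS = {"both", "export-extcommunity", "import-extcommunity"}

def parse_targets(config):
    """Return {(vrf, family): {"import": set, "export": set}} from vpn-target lines."""
    lists = defaultdict(lambda: {"import": set(), "export": set()})
    vrf, family = None, ""
    for line in config.splitlines():
        words = line.split()
        if len(words) == 3 and words[:2] == ["ip", "vpn-instance"]:
            vrf, family = words[2], ""
        elif words in (["ipv4-family"], ["ipv6-family"]):
            family = words[0]
        elif vrf and len(words) > 1 and words[0] == "vpn-target":
            mode = words[-1] if words[-1] in KEYWORDS else "both"  # no keyword means both
            targets = [w for w in words[1:] if w not in KEYWORDS]
            if mode != "import-extcommunity":
                lists[(vrf, family)]["export"].update(targets)
            if mode != "export-extcommunity":
                lists[(vrf, family)]["import"].update(targets)
    return dict(lists)

def import_paths(lists):
    """List (exporter, importer, family, shared targets); one shared target is enough."""
    paths = []
    for (src, fam), s in lists.items():
        for (dst, dfam), d in lists.items():
            shared = s["export"] & d["import"]
            if src != dst and fam == dfam and shared:
                paths.append((src, dst, fam, sorted(shared)))
    return sorted(paths)
```

Any path in the result that is not part of the intended VPN topology (here, mgmt importing routes exported by vrf1) is worth reviewing before the configuration is deployed.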

vpn frr

Function

Using the vpn frr command, you can enable VPN FRR.

Using the undo vpn frr command, you can disable VPN FRR.

By default, VPN FRR is disabled.

Format

vpn frr route-policy route-policy-name

undo vpn frr

Parameters

Parameter Description Value
route-policy route-policy-name Specifies the name of the route-policy. The name is a string of 1 to 40 case-sensitive characters, with spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

Views

VPN instance view, VPN instance IPv4 address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

VPN FRR is applied on a VPN where a CE is dual-homed to two PEs. VPN FRR uses a secondary tunnel to back up the primary tunnel and detects the connectivity of the primary tunnel in combination with rapid detection technologies such as BFD. When a fault occurs on the primary tunnel, a PE configured with VPN FRR can switch VPN traffic to the secondary tunnel before the VPN routes are converged. This improves reliability of data forwarding on the public network.

VPN FRR has two modes: VPN static FRR and VPN auto FRR. The vpn frr command configures manual VPN FRR, and the auto-frr command configures VPN Auto FRR.

Compared with VPN Auto FRR, manual VPN FRR specifies the backup next hop more precisely. If manual VPN FRR and VPN Auto FRR are configured simultaneously, manual VPN FRR takes precedence over VPN Auto FRR. If manual VPN FRR fails, VPN Auto FRR takes effect.

Prerequisites

The manual VPN FRR function takes effect after the backup next hop is manually specified. It is recommended that you run the route-policy command to specify the backup next hop for VPN routes before configuring the manual VPN FRR function.

Follow-up Procedure

After configuring the manual VPN FRR function, run the display ip routing-table vpn-instance vpn-instance-name ip-address verbose command to check whether the route has a secondary tunnel and a backup label.

Precautions

NOTE:

The undo vpn frr command cancels the VPN FRR function of only the specified VPN instance. In the system view, run the undo vpn frr all command to simultaneously cancel the VPN FRR function of IPv4 and IPv6 address families in all VPN instances.

Example

# Specify the IP address of the backup next hop in the route-policy named vpn_frr_rp, and enable VPN FRR in the VPN instance view.
<HUAWEI> system-view
[HUAWEI] route-policy vpn_frr_rp permit node 10
[HUAWEI-route-policy] apply backup-nexthop 10.2.2.9
[HUAWEI-route-policy] quit
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] ipv4-family
[HUAWEI-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[HUAWEI-vpn-instance-vpn1-af-ipv4] vpn frr route-policy vpn_frr_rp
[HUAWEI-vpn-instance-vpn1-af-ipv4] quit
Updated: 2019-10-21

Document ID: EDOC1000178165
