CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.

Example for Configuring the BGP SoO Attribute

Networking Requirements

When multiple CEs in a VPN site connect to different PEs, VPN routes advertised from the CEs to the PEs may be sent back to the VPN site after the routes traverse the backbone network. This may cause routing loops in the VPN site.

As shown in Figure 7-55, CE1 and CE2 belong to site 1; CE2 and CE3 connect to PE2. Site 1 and site 2 have the same AS number. The PEs and CEs run EBGP. PE1 uses MP-IBGP to advertise the routes learned from CE1 to PE2. Then PE2 advertises these routes to CE2 and CE3. However, CE2 has learned the routes through IGP in site 1. As a result, a routing loop may occur in site 1.

To prevent routing loops in site 1, configure the BGP Site of Origin (SoO) attribute on the PEs. When PE2 advertises routes to CE2, PE2 checks whether the SoO attribute of the routes is the same as the locally configured SoO attribute. If so, PE2 does not advertise these routes to CE2. PE2 can advertise the routes to CE3.

Figure 7-55  Networking diagram for configuring the BGP SoO attribute

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an IP address for each interface and an IGP on the backbone network so that PEs can communicate.

  2. Enable MPLS and MPLS LDP on the backbone network so that LDP LSPs can be established between the PEs.

  3. Set up an MP-IBGP peer relationship between the PEs.

  4. Configure VPN instances on PEs and bind the instances to the interfaces connected to CEs.

  5. Set up EBGP peer relationships between the PEs and CEs and enable AS number substitution on the PEs.

  6. Configure the BGP SoO attribute for the connected CEs on the PEs.

Procedure

  1. Configure an IP address for each interface and an IGP on the backbone network so that PEs can learn routes to loopback interfaces of each other.

    In this example, OSPF is configured.

    # Configure PE1.

    <Huawei> system-view
    [Huawei] sysname PE1
    [PE1] interface loopback 1
    [PE1-LoopBack1] ip address 1.1.1.1 32
    [PE1-LoopBack1] quit
    [PE1] interface gigabitethernet 2/0/0
    [PE1-GigabitEthernet2/0/0] ip address 10.1.1.1 30
    [PE1-GigabitEthernet2/0/0] quit
    [PE1] ospf 1
    [PE1-ospf-1] area 0
    [PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.3
    [PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
    [PE1-ospf-1-area-0.0.0.0] quit
    [PE1-ospf-1] quit
    

    The configuration on PE2 and CEs is similar to the configuration on PE1 and is not mentioned here.

    After the configuration is complete, run the display ip routing-table command on the PEs. The command output shows that the PEs have learned the routes to each other's loopback interfaces.

    The information displayed on PE1 is used as an example.

    [PE1] display ip routing-table
    Route Flags:
    R - relay, D - download to fib                                     
    ------------------------------------------------------------------------------  
    Routing Tables: Public                                                          
             Destinations : 9        Routes : 9                                     
                                                                                    
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface      
                                                                                    
            1.1.1.1/32  Direct  0    0           D   127.0.0.1       LoopBack1      
            2.2.2.2/32  OSPF    10   1           D   10.1.1.2        GigabitEthernet2/0/0  
           10.1.1.0/30  Direct  0    0           D   10.1.1.1        GigabitEthernet2/0/0  
           10.1.1.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet2/0/0  
           10.1.1.3/32  Direct  0    0           D   127.0.0.1       GigabitEthernet2/0/0  
          127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0    
          127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0    
    127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0    
    255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0   

  2. Enable MPLS and MPLS LDP on the backbone network to set up LDP LSPs.

    Enable MPLS and MPLS LDP globally and on interfaces of the PE.

    # Configure PE1.

    [PE1] mpls lsr-id 1.1.1.1
    [PE1] mpls
    [PE1-mpls] quit
    [PE1] mpls ldp
    [PE1-mpls-ldp] quit
    [PE1] interface gigabitethernet 2/0/0
    [PE1-GigabitEthernet2/0/0] mpls
    [PE1-GigabitEthernet2/0/0] mpls ldp
    [PE1-GigabitEthernet2/0/0] quit
    

    The configuration on PE2 is the same as the configuration on PE1.

    After the configuration is complete, run the display mpls ldp lsp command on the PEs. The command output shows the labels assigned to the routes to loopback interfaces on the peer PEs. The information displayed on PE1 is used as an example.

    [PE1] display mpls ldp lsp
    
     LDP LSP Information
     -------------------------------------------------------------------------------
     DestAddress/Mask   In/OutLabel    UpstreamPeer    NextHop         OutInterface
     -------------------------------------------------------------------------------
     1.1.1.1/32         3/NULL         2.2.2.2         127.0.0.1       InLoop0
    *1.1.1.1/32         Liberal/1024                   DS/2.2.2.2 
     2.2.2.2/32         NULL/3         -               10.1.1.2        GE2/0/0
     2.2.2.2/32         1024/3         2.2.2.2         10.1.1.2        GE2/0/0
     -------------------------------------------------------------------------------
     TOTAL: 3 Normal LSP(s) Found.
     TOTAL: 1 Liberal LSP(s) Found.
     TOTAL: 0 Frr LSP(s) Found.
     A '*' before an LSP means the LSP is not established                           
     A '*' before a Label means the USCB or DSCB is stale                           
     A '*' before a UpstreamPeer means the session is stale                         
     A '*' before a DS means the session is stale                                   
     A '*' before a NextHop means the LSP is FRR LSP
    

  3. Set up an MP-IBGP peer relationship between the PEs.

    # Configure PE1.

    [PE1] bgp 100
    [PE1-bgp] peer 2.2.2.2 as-number 100
    [PE1-bgp] peer 2.2.2.2 connect-interface loopback1
    [PE1-bgp] ipv4-family vpnv4
    [PE1-bgp-af-vpnv4] peer 2.2.2.2 enable
    [PE1-bgp-af-vpnv4] quit
    [PE1-bgp] quit

    The configuration on PE2 is similar to the configuration on PE1 and is not mentioned here. For configuration details, refer to "Configuration Files".

    After the configuration is complete, run the display bgp peer or display bgp vpnv4 all peer command on the PEs. The command output shows that BGP peer relationships have been established between the PEs. The information displayed on PE1 is used as an example.

    [PE1] display bgp peer
    
     BGP local router ID : 10.1.1.1
     Local AS number : 100
     Total number of peers : 1                 Peers in established state : 1
    
      Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down State       PrefRcv
    
      2.2.2.2         4         100      187      186     0 02:44:06 Established       1

  4. On each PE, configure a VPN instance, enable the IPv4 address family in the instance, and bind the instance to the interfaces connected to the CEs.

    # Configure PE1.

    [PE1] ip vpn-instance vpna
    [PE1-vpn-instance-vpna] ipv4-family
    [PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
    [PE1-vpn-instance-vpna-af-ipv4] vpn-target 100:100
    [PE1-vpn-instance-vpna-af-ipv4] quit
    [PE1-vpn-instance-vpna] quit
    [PE1] interface gigabitethernet 1/0/0
    [PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
    [PE1-GigabitEthernet1/0/0] ip address 192.168.1.1 30
    [PE1-GigabitEthernet1/0/0] quit
    

    # Configure PE2.

    [PE2] ip vpn-instance vpna
    [PE2-vpn-instance-vpna] ipv4-family
    [PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 100:2
    [PE2-vpn-instance-vpna-af-ipv4] vpn-target 100:100
    [PE2-vpn-instance-vpna-af-ipv4] quit
    [PE2-vpn-instance-vpna] quit
    [PE2] interface gigabitethernet 1/0/0
    [PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpna
    [PE2-GigabitEthernet1/0/0] ip address 192.168.2.1 30
    [PE2-GigabitEthernet1/0/0] quit
    [PE2] interface gigabitethernet 2/0/0
    [PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpna
    [PE2-GigabitEthernet2/0/0] ip address 192.168.3.1 30
    [PE2-GigabitEthernet2/0/0] quit
    

    After the configuration is complete, run the display ip vpn-instance verbose command on the PEs to check the configuration of VPN instances.

  5. Set up EBGP peer relationships between PEs and CEs, enable AS number substitution on the PEs, and configure PEs to import routes from CEs.

    In this configuration example, the two VPN sites have the same AS number. Therefore, AS number substitution needs to be enabled on PE1 and PE2.

    # Configure PE1.

    [PE1] bgp 100
    [PE1-bgp] ipv4-family vpn-instance vpna
    [PE1-bgp-vpna] peer 192.168.1.2 as-number 65410
    [PE1-bgp-vpna] peer 192.168.1.2 substitute-as
    [PE1-bgp-vpna] import-route direct
    [PE1-bgp-vpna] quit
    [PE1-bgp] quit

    # Configure CE1.

    [CE1] bgp 65410
    [CE1-bgp] peer 192.168.1.1 as-number 100
    [CE1-bgp] network 11.11.11.11 32
    [CE1-bgp] network 192.168.4.0 30
    [CE1-bgp] quit

    # Configure PE2.

    [PE2] bgp 100
    [PE2-bgp] ipv4-family vpn-instance vpna
    [PE2-bgp-vpna] peer 192.168.2.2 as-number 65410
    [PE2-bgp-vpna] peer 192.168.3.2 as-number 65410
    [PE2-bgp-vpna] peer 192.168.2.2 substitute-as
    [PE2-bgp-vpna] peer 192.168.3.2 substitute-as
    [PE2-bgp-vpna] import-route direct
    [PE2-bgp-vpna] quit
    [PE2-bgp] quit

    # Configure CE2.

    [CE2] bgp 65410
    [CE2-bgp] peer 192.168.2.1 as-number 100
    [CE2-bgp] network 22.22.22.22 32
    [CE2-bgp] network 192.168.4.0 30
    [CE2-bgp] quit

    # Configure CE3.

    [CE3] bgp 65410
    [CE3-bgp] peer 192.168.3.1 as-number 100
    [CE3-bgp] network 33.33.33.33 32
    [CE3-bgp] quit
    

    After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command on the PEs. The command output shows that the status of EBGP peer relationships between PEs and CEs is Established. This indicates that EBGP peer relationships have been established between PEs and CEs. The information displayed on PE1 is used as an example.

    [PE1] display bgp vpnv4 vpn-instance vpna peer
    
     BGP local router ID : 10.1.1.1
     Local AS number : 100
    
     VPN-Instance vpna, router ID 10.1.1.1:
     Total number of peers : 1                 Peers in established state : 1
    
      Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down    State       PrefRcv
    
      192.168.1.2        4       65410      224      231     0 03:02:12 Established     1

    Run the display bgp vpnv4 routing-table command on the PEs. The command output shows the routes sent from the PEs to the CEs. The following shows the routes sent from PE2 to CE2.

    [PE2] display bgp vpnv4 vpn-instance vpna routing-table peer 192.168.2.2 advertised-routes
                                                                                    
     BGP Local router ID is 2.2.2.2                                                 
     Status codes: * - valid, > - best, d - damped,                                 
                   h - history,  i - internal, s - suppressed, S - Stale            
                   Origin : i - IGP, e - EGP, ? - incomplete                        
                                                                                    
                                                                                    
     VPN-Instance vpna, Router ID 2.2.2.2:                                          
                                                                                    
     Total Number of Routes: 6                                                      
          Network            NextHop        MED        LocPrf    PrefVal Path/Ogn   
                                                                                    
     *>i  11.11.11.11/32     192.168.2.1                           0      100 100i  
     *>   22.22.22.22/32     192.168.2.1                           0      100 100i  
     *>   33.33.33.33/32     192.168.2.1                           0      100 100i  
     *>i  192.168.1.0/30     192.168.2.1                           0      100?      
     *>   192.168.2.0/30     192.168.2.1     0                     0      100?      
     *>   192.168.3.0/30     192.168.2.1     0                     0      100?      

  6. Configure the BGP SoO attribute on the PEs.

    CE1 and CE2 belong to the same site, so you need to set the same BGP SoO attribute value for the two CEs on PE1 and PE2. PE2 connects to two VPN sites, so you need to set different SoO attribute values for the CEs of the two sites.

    # Configure PE1.

    [PE1] bgp 100
    [PE1-bgp] ipv4-family vpn-instance vpna
    [PE1-bgp-vpna] peer 192.168.1.2 soo 100:101
    [PE1-bgp-vpna] quit
    [PE1-bgp] quit

    # Configure PE2.

    [PE2] bgp 100
    [PE2-bgp] ipv4-family vpn-instance vpna
    [PE2-bgp-vpna] peer 192.168.2.2 soo 100:101
    [PE2-bgp-vpna] peer 192.168.3.2 soo 100:102
    [PE2-bgp-vpna] quit
    [PE2-bgp] quit

  7. Verify the configuration.

    # After the configuration is complete, run the display bgp vpnv4 routing-table command on PE2 again. The command output shows that the routes sent from PE2 to CE2 have changed and the routes sent from PE2 to CE3 remain unchanged.

    [PE2] display bgp vpnv4 vpn-instance vpna routing-table peer 192.168.2.2 advertised-routes
                                                                                    
     BGP Local router ID is 2.2.2.2                                                 
     Status codes: * - valid, > - best, d - damped,                                 
                   h - history,  i - internal, s - suppressed, S - Stale            
                   Origin : i - IGP, e - EGP, ? - incomplete                        
                                                                                    
                                                                                    
     VPN-Instance vpna, Router ID 2.2.2.2:                                          
                                                                                    
     Total Number of Routes: 4                                                      
          Network            NextHop        MED        LocPrf    PrefVal Path/Ogn   
                                                                                    
     *>   33.33.33.33/32     192.168.2.1                           0      100 100i  
     *>i  192.168.1.0/30     192.168.2.1                           0      100?      
     *>   192.168.2.0/30     192.168.2.1     0                     0      100?      
     *>   192.168.3.0/30     192.168.2.1     0                     0      100?      
    [PE2] display bgp vpnv4 vpn-instance vpna routing-table peer 192.168.3.2 advertised-routes
                                                                                    
     BGP Local router ID is 2.2.2.2                                                 
     Status codes: * - valid, > - best, d - damped,                                 
                   h - history,  i - internal, s - suppressed, S - Stale            
                   Origin : i - IGP, e - EGP, ? - incomplete                        
                                                                                    
                                                                                    
     VPN-Instance vpna, Router ID 2.2.2.2:                                          
                                                                                    
     Total Number of Routes: 6                                                      
          Network            NextHop        MED        LocPrf    PrefVal Path/Ogn   
                                                                                    
     *>i  11.11.11.11/32     192.168.3.1                           0      100 100i  
     *>   22.22.22.22/32     192.168.3.1                           0      100 100i  
     *>i  192.168.1.0/30     192.168.3.1                           0      100?      
     *>   192.168.2.0/30     192.168.3.1     0                     0      100?      
     *>   192.168.3.0/30     192.168.3.1     0                     0      100?      
     *>   192.168.4.0/30     192.168.3.1                           0      100 100i  

    # Run the display bgp vpnv4 routing-table command on PE2. The command output shows the SoO attribute carried in the routes sent from PE2 to CE3.

    [PE2] display bgp vpnv4 vpn-instance vpna routing-table 11.11.11.11 32
                                                                                    
     BGP local router ID : 2.2.2.2                                                  
     Local AS number : 100                                                          
                                                                                    
     VPN-Instance vpna, Router ID 2.2.2.2:                                          
     Paths:   1 available, 1 best, 1 select                                         
     BGP routing table entry information of 11.11.11.11/32:                         
     Label information (Received/Applied): 1029/NULL                                
     From: 1.1.1.1 (1.1.1.1)                                                        
     Route Duration: 00h11m51s                                                      
     Relay Tunnel Out-Interface: GigabitEthernet3/0/0                               
     Relay token: 0x3d                                                              
     Original nexthop: 1.1.1.1                                                      
     Qos information : 0x0                                                          
     Ext-Community:RT <100 : 100>, SoO <100 : 101>                                  
     AS-path 65410, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, b
    est, select, active, pre 255, IGP cost 1                                        
     Advertised to such 1 peers:                                                    
        192.168.3.2                                                                 

    # The preceding command output shows that after the BGP SoO attribute is configured, the VPN routes received from CEs carry the SoO attribute, and PE2 no longer sends CE2 the routes whose SoO attribute matches the one configured for CE2. This indicates that the configuration of the BGP SoO attribute has taken effect.
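
The SoO rule described under Networking Requirements and checked in step 7 can be modelled in a few lines. The following Python sketch is an added example, not part of the Huawei documentation or device software; the prefixes and SoO values come from this page, while the function names and the simplified route table (one copy of each prefix) are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# "peer <ce> soo <value>" settings from the page's PE1 and PE2 configuration.
PE1_SOO = {"192.168.1.2": "100:101"}                            # CE1, site 1
PE2_SOO = {"192.168.2.2": "100:101", "192.168.3.2": "100:102"}  # CE2 site 1, CE3 site 2


@dataclass(frozen=True)
class VpnRoute:
    prefix: str
    soo: Optional[str]  # None: route originated by a PE (import-route direct)


def learned_from(peer, prefixes, peer_soo):
    """Ingress rule: a route received from a CE gets the SoO configured for that peer."""
    return [VpnRoute(p, peer_soo.get(peer)) for p in prefixes]


def build_vpna_table(pe1_soo, pe2_soo):
    """Routes of VPN instance vpna as PE2 holds them (prefixes from the page)."""
    table = learned_from("192.168.1.2", ["11.11.11.11/32", "192.168.4.0/30"], pe1_soo)
    table += learned_from("192.168.2.2", ["22.22.22.22/32"], pe2_soo)
    table += learned_from("192.168.3.2", ["33.33.33.33/32"], pe2_soo)
    # Interface routes imported on the PEs themselves never pass a CE peer: no SoO.
    table += [VpnRoute(p, None) for p in ("192.168.1.0/30", "192.168.2.0/30", "192.168.3.0/30")]
    return table


def advertised_to(peer, table, peer_soo):
    """Egress rule: withhold a route whose SoO equals the SoO configured for the peer."""
    local = peer_soo.get(peer)
    kept = [r.prefix for r in table if local is None or r.soo != local]
    return sorted(kept, key=ipaddress.ip_network)


def returned_to_site(peer, table, peer_soo, site_soo):
    """Prefixes tagged with the site's SoO that would still be sent back to its CE."""
    sent = set(advertised_to(peer, table, peer_soo))
    hits = [r.prefix for r in table if r.soo == site_soo and r.prefix in sent]
    return sorted(hits, key=ipaddress.ip_network)


if __name__ == "__main__":
    table = build_vpna_table(PE1_SOO, PE2_SOO)
    print("to CE2:", advertised_to("192.168.2.2", table, PE2_SOO))
    print("to CE3:", advertised_to("192.168.3.2", table, PE2_SOO))
    # Constructed fault: PE2 has no soo line for CE2, so nothing is withheld.
    faulty = {"192.168.3.2": "100:102"}
    table = build_vpna_table(PE1_SOO, faulty)
    print("returned to site 1:", returned_to_site("192.168.2.2", table, faulty, "100:101"))
```

With the page's values the model reproduces the four routes advertised to CE2 and the six advertised to CE3 in step 7; with the constructed fault, site 1's own prefixes are sent back to CE2.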

Configuration Files

  • CE1 configuration file

    #
     sysname CE1
    #
    interface GigabitEthernet1/0/0
     ip address 192.168.1.2 255.255.255.252
    #
    interface GigabitEthernet2/0/0
     ip address 192.168.4.1 255.255.255.252
    #
    interface LoopBack1
     ip address 11.11.11.11 255.255.255.255
    #
    bgp 65410
     peer 192.168.1.1 as-number 100
     #
     ipv4-family unicast
      undo synchronization
      network 11.11.11.11 255.255.255.255
      network 192.168.4.0 255.255.255.252
      peer 192.168.1.1 enable
    #
    return 
  • CE2 configuration file

    #
     sysname CE2
    #
    interface GigabitEthernet1/0/0
     ip address 192.168.2.2 255.255.255.252
    #
    interface GigabitEthernet2/0/0
     ip address 192.168.4.2 255.255.255.252
    #
    interface LoopBack1
     ip address 22.22.22.22 255.255.255.255
    #
    bgp 65410
     peer 192.168.2.1 as-number 100
     #
     ipv4-family unicast
      undo synchronization
      network 22.22.22.22 255.255.255.255
      network 192.168.4.0 255.255.255.252
      peer 192.168.2.1 enable
    #
    return
  • PE1 configuration file

    #
     sysname PE1
    #
    ip vpn-instance vpna
     ipv4-family
      route-distinguisher 100:1
      vpn-target 100:100 export-extcommunity
      vpn-target 100:100 import-extcommunity
    #
    mpls lsr-id 1.1.1.1
    mpls
    #
    mpls ldp
    #
    interface GigabitEthernet1/0/0
     ip binding vpn-instance vpna
     ip address 192.168.1.1 255.255.255.252
    # 
    interface GigabitEthernet2/0/0
     ip address 10.1.1.1 255.255.255.252
     mpls
     mpls ldp
    # 
    interface LoopBack1
     ip address 1.1.1.1 255.255.255.255
    #
    bgp 100
     peer 2.2.2.2 as-number 100
     peer 2.2.2.2 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 2.2.2.2 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 2.2.2.2 enable
     #
     ipv4-family vpn-instance vpna
      import-route direct
      peer 192.168.1.2 as-number 65410
      peer 192.168.1.2 substitute-as
      peer 192.168.1.2 soo 100:101
    #
    ospf 1
     area 0.0.0.0
      network 1.1.1.1 0.0.0.0
      network 10.1.1.0 0.0.0.3
    #
    return
  • PE2 configuration file

    #
     sysname PE2
    #
    ip vpn-instance vpna
     ipv4-family
      route-distinguisher 100:2
      vpn-target 100:100 export-extcommunity
      vpn-target 100:100 import-extcommunity
    #
    mpls lsr-id 2.2.2.2
    mpls
    #
    mpls ldp
    #
    interface GigabitEthernet1/0/0
     ip binding vpn-instance vpna
     ip address 192.168.2.1 255.255.255.252
    # 
    interface GigabitEthernet2/0/0
     ip binding vpn-instance vpna
     ip address 192.168.3.1 255.255.255.252
    # 
    interface GigabitEthernet3/0/0
     ip address 10.1.1.2 255.255.255.252
     mpls
     mpls ldp
    # 
    interface LoopBack1
     ip address 2.2.2.2 255.255.255.255
    #
    bgp 100
     peer 1.1.1.1 as-number 100
     peer 1.1.1.1 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 1.1.1.1 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 1.1.1.1 enable
     #
     ipv4-family vpn-instance vpna
      import-route direct
      peer 192.168.2.2 as-number 65410
      peer 192.168.2.2 substitute-as
      peer 192.168.2.2 soo 100:101
      peer 192.168.3.2 as-number 65410
      peer 192.168.3.2 substitute-as
      peer 192.168.3.2 soo 100:102
    #
    ospf 1
     area 0.0.0.0
      network 2.2.2.2 0.0.0.0
      network 10.1.1.0 0.0.0.3
    #
    return  
  • CE3 configuration file

    #
     sysname CE3
    #
    interface GigabitEthernet1/0/0
     ip address 192.168.3.2 255.255.255.252
    #
    interface LoopBack1
     ip address 33.33.33.33 255.255.255.255
    #
    bgp 65410
     peer 192.168.3.1 as-number 100
     #
     ipv4-family unicast
      undo synchronization
      network 33.33.33.33 255.255.255.255
      peer 192.168.3.1 enable
    #
    return
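
Because AS number substitution replaces the site's AS number in the AS_PATH, the SoO lines in the PE configuration files above are what keeps site 1's routes from being sent back to it, so they are worth checking automatically. The following Python audit is an added example, not a Huawei tool: the BGP sections are copied from the PE1 and PE2 files above, while the site names, the faulty variant and all function names are assumptions.

```python
import re
from collections import defaultdict

# BGP VPN-instance sections copied from the page's PE1 and PE2 configuration files.
PE1_BGP = """\
bgp 100
 ipv4-family vpn-instance vpna
  import-route direct
  peer 192.168.1.2 as-number 65410
  peer 192.168.1.2 substitute-as
  peer 192.168.1.2 soo 100:101
#
"""
PE2_BGP = """\
bgp 100
 ipv4-family vpn-instance vpna
  import-route direct
  peer 192.168.2.2 as-number 65410
  peer 192.168.2.2 substitute-as
  peer 192.168.2.2 soo 100:101
  peer 192.168.3.2 as-number 65410
  peer 192.168.3.2 substitute-as
  peer 192.168.3.2 soo 100:102
#
"""
# Constructed faulty variant: CE2 loses its soo line and CE3 reuses site 1's value.
PE2_FAULTY = PE2_BGP.replace("  peer 192.168.2.2 soo 100:101\n", "").replace("100:102", "100:101")

# Peer-to-site mapping taken from the page's topology (the site names are assumptions).
SITE_OF = {"192.168.1.2": "site1", "192.168.2.2": "site1", "192.168.3.2": "site2"}

PEER_RE = re.compile(r"peer (\S+) (substitute-as|soo)(?: (\S+))?$")


def parse_vpn_peers(config):
    """Return {peer: {"substitute_as": bool, "soo": str or None}} for VPN-instance peers."""
    peers = defaultdict(lambda: {"substitute_as": False, "soo": None})
    in_vpn = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ipv4-family"):
            in_vpn = line.startswith("ipv4-family vpn-instance")
        elif line == "#":                     # '#' closes the current view
            in_vpn = False
        elif in_vpn:
            m = PEER_RE.match(line)
            if m and m.group(2) == "substitute-as":
                peers[m.group(1)]["substitute_as"] = True
            elif m:
                peers[m.group(1)]["soo"] = m.group(3)
    return dict(peers)


def audit(configs, site_of):
    """Check: substitute-as implies soo; one soo per site; no soo shared across sites."""
    findings, soo_by_site, owners = [], defaultdict(set), defaultdict(set)
    for pe, text in sorted(configs.items()):
        for peer, cfg in sorted(parse_vpn_peers(text).items()):
            if cfg["substitute_as"] and cfg["soo"] is None:
                findings.append(f"{pe}: peer {peer} has substitute-as but no soo")
            if cfg["soo"]:
                soo_by_site[site_of.get(peer, peer)].add(cfg["soo"])
    for site, values in sorted(soo_by_site.items()):
        if len(values) > 1:
            findings.append(f"{site}: PEs disagree on soo {sorted(values)}")
        for value in values:
            owners[value].add(site)
    for value, sites in sorted(owners.items()):
        if len(sites) > 1:
            findings.append(f"soo {value} is shared by {sorted(sites)}")
    return findings


if __name__ == "__main__":
    print(audit({"PE1": PE1_BGP, "PE2": PE2_BGP}, SITE_OF))      # page's configuration
    print(audit({"PE1": PE1_BGP, "PE2": PE2_FAULTY}, SITE_OF))   # constructed fault
```
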
Updated: 2019-08-07

Document ID: EDOC1100033725
