CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Configuring Inter-AS VPN Option B

If virtual private network (VPN) routes need to be established over a Multiprotocol Label Switching (MPLS) backbone network spanning multiple autonomous systems (ASs), inter-AS VPN is required. If the provider edge (PE) devices connect to many VPNs but the autonomous system boundary routers (ASBRs) do not have enough interfaces to reserve an interface for each inter-AS VPN, the inter-AS VPN Option B solution can be used on the network.

Pre-configuration Tasks

Before configuring inter-AS VPN Option B, complete the following tasks:

  • Configuring an Interior Gateway Protocol (IGP) for the MPLS backbone network of each AS to ensure IP connectivity on the backbone network within each AS
  • Configuring the basic MPLS functions and MPLS Label Distribution Protocol (LDP) or Resource Reservation Protocol-Traffic Engineering (RSVP-TE) for the MPLS backbone network of each AS
  • In each AS, configuring VPN instances on the PE devices connected to CE devices and associating the VPN instances with PE interfaces connected to CE devices
  • Configuring route exchange between the PE and CE devices in each AS

For details about the configurations, see Configuring Basic BGP/MPLS IP VPN Functions.

Configuration Procedure

The tasks (Optional) Configuring Routing Policies to Control VPN Route Advertisement and Acceptance and (Optional) Enabling Next-Hop-based Label Allocation on the ASBR are optional; all other tasks are mandatory. Perform the tasks in this sequence to complete the inter-AS VPN Option B configuration.

When VPN services need to be transmitted over TE tunnels or when multiple tunnels need to perform load balancing to fully use network resources, you also need to complete the task of Configuring Tunnel Policies.

NOTE:

In inter-AS VPN Option B, the ASBRs maintain and advertise VPNv4 routes of inter-AS VPNs, and they can also work as PE devices. When the ASBRs work as PE devices, configure VPN instances on the ASBRs to enable them to exchange routing information with CE devices. The configuration is the same as that on common PE devices.

Configuring MP-IBGP Between PE and ASBR in the Same AS

Context

Perform the following steps on the PE and ASBR in the same AS.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bgp { as-number-plain | as-number-dot }

    The BGP view is displayed.

  3. Run peer ipv4-address as-number as-number

    The peer ASBR is specified as the IBGP peer.

  4. Run peer ipv4-address connect-interface loopback interface-number

    The loopback interface is specified as the outgoing interface of the BGP session.

    NOTE:

    Loopback interface IP addresses with 32-bit masks must be used to establish the MP-IBGP peer relationship between PEs. This ensures that routes can recurse to the tunnel. The route destined for the loopback interface is advertised to the remote PE by the IGP on the MPLS backbone network.

  5. Run ipv4-family vpnv4 [ unicast ]

    The BGP-VPNv4 address family view is displayed.

  6. Run peer ipv4-address enable

    The exchange of VPNv4 routes between the PE and ASBR in the same AS is enabled.

    NOTE:

    When the ASBR sends a VPNv4 route to a PE, the ASBR can automatically change the next hop in the VPNv4 route to its own IP address.

Configuring MP-EBGP Between ASBRs in Different ASs

Context

In inter-AS VPN Option B, you need not create VPN instances on ASBRs. The ASBR does not filter the VPNv4 routes received from the PE in the same AS based on VPN targets. Instead, it advertises the received VPNv4 routes to the peer ASBR through MP-EBGP.

In the AR, an ASBR can only change the next-hop address of a VPNv4 route to the ASBR's address before advertising the route to a PE.

Perform the following steps on the ASBR.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The view of the interface connected to the peer ASBR is displayed.

  3. Run ip address ip-address { mask | mask-length }

    The interface IP address is configured.

  4. Run mpls

    The MPLS capability is enabled.

  5. Run quit

    Return to the system view.

  6. Run bgp { as-number-plain | as-number-dot }

    The BGP view is displayed.

  7. Run peer ipv4-address as-number as-number

    The peer ASBR is specified as the EBGP peer.

  8. (Optional) Run peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]

    The maximum number of hops is configured for the EBGP connection.

    Generally, one or multiple directly connected physical links exist between EBGP peers. If the directly connected physical link(s) are not available, run this command to ensure that the TCP connection can be set up between the EBGP peers through multiple hops.

  9. Run ipv4-family vpnv4 [ unicast ]

    The BGP-VPNv4 address family view is displayed.

  10. Run peer ipv4-address enable

    The exchange of IPv4 VPN routes with the peer ASBR is enabled.

Disabling an ASBR from Filtering VPNv4 Routes by VPN Targets

Context

By default, the PE performs VPN target filtering on received VPN IPv4 routes. Routes that pass the filter are added to the routing table, and the others are discarded. If no VPN instance is configured on the PE, or the VPN instance has no VPN target configured, the PE discards all received VPN IPv4 routes.

In inter-AS VPN Option B, you do not need to configure VPN instances on the ASBRs. An ASBR must save all the VPNv4 routes and advertise them to the remote ASBR. The ASBR must therefore accept all VPNv4 routing information without VPN target filtering.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bgp { as-number-plain | as-number-dot }

    The BGP view is displayed.

  3. Run ipv4-family vpnv4 [ unicast ]

    The BGP-VPNv4 address family view is displayed.

  4. Run undo policy vpn-target

    The VPN IPv4 routes are not filtered by the VPN target.

(Optional) Configuring Routing Policies to Control VPN Route Advertisement and Acceptance

Context

After the ASBRs are configured not to filter VPNv4 routes by VPN targets, they accept all VPNv4 routes. When there are many VPN routes on the network, the ASBRs are overburdened.

If only some VPNs or sites need to communicate across ASs, you can configure a routing policy on the ASBRs to restrict the VPNv4 routes that the ASBRs accept. This reduces the load on the ASBRs.

This section describes how to configure the following filtering policies to control VPNv4 route advertisement and acceptance:
  • Filtering policy based on VPN targets
  • Filtering policy based on RDs

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run either of the following commands to configure a route filter:
    1. To configure an extended community filter, run ip extcommunity-filter extcomm-filter-number { permit | deny } { rt { as-number:nn | ipv4-address:nn } } &<1-16>.
    2. To configure an RD filter, run ip rd-filter rd-filter-number { deny | permit } route-distinguisher &<1-10>.
  3. Run route-policy route-policy-name permit node node

    A routing policy is configured.

  4. Run either of the following commands to configure an if-match clause in the routing policy:
    1. If you configured an extended community filter in step 2, run the if-match extcommunity-filter { { basic-extcomm-filter-num | advanced-extcomm-filter-num } &<1-16> | advanced-extcomm-filter-name | basic-extcomm-filter-name } command to configure an if-match clause based on the extended community filter.
    2. If you configured an RD filter in step 2, run the if-match rd-filter rd-filter-number command to configure an if-match clause based on the RD filter.
  5. Run quit

    Return to the system view.

  6. Run bgp { as-number-plain | as-number-dot }

    The BGP view is displayed.

  7. Run ipv4-family vpnv4 [ unicast ]

    The BGP-VPNv4 address family view is displayed.

  8. Run peer ipv4-address route-policy route-policy-name { export | import }

    The routing policy is applied to control the VPN IPv4 routing information advertised to (export) or accepted from (import) the peer.
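
The check below is an added example, not part of the original guide or of any Huawei tool: it reads an ASBR configuration and reports EBGP VPNv4 peers that are accepted with VPN target filtering disabled and no import routing policy matching on an extended community filter or RD filter. The sample configuration, its addresses, AS numbers and the policy name vpn-in are constructed, and AS numbers are compared as plain strings.

```python
import re
# Constructed ASBR configuration; every address, AS number and name is made up.
SAMPLE_CONFIG = """\
ip extcommunity-filter 1 permit rt 100:1
route-policy vpn-in permit node 10
 if-match extcommunity-filter 1
bgp 100
 peer 10.1.1.1 as-number 100
 peer 192.0.2.2 as-number 200
 peer 198.51.100.2 as-number 300
 ipv4-family vpnv4
  undo policy vpn-target
  peer 10.1.1.1 enable
  peer 192.0.2.2 enable
  peer 192.0.2.2 route-policy vpn-in import
  peer 198.51.100.2 enable
"""

def audit_asbr(config):
    """List EBGP VPNv4 peers whose routes are accepted without an RT/RD import policy."""
    local_as, policy, in_vpnv4, unfiltered = None, None, False, False
    peer_as, enabled, imports, filtered_policies = {}, [], {}, set()
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"route-policy (\S+) permit node \d+$", line):
            policy = m.group(1)
        elif policy and re.match(r"if-match (extcommunity-filter|rd-filter) ", line):
            filtered_policies.add(policy)
        elif m := re.match(r"bgp (\S+)$", line):
            local_as, policy = m.group(1), None
        elif m := re.match(r"peer (\S+) as-number (\S+)$", line):
            peer_as[m.group(1)] = m.group(2)
        elif line.startswith("ipv4-family "):
            in_vpnv4 = line.split()[1] == "vpnv4"
        elif in_vpnv4 and line == "undo policy vpn-target":
            unfiltered = True
        elif in_vpnv4 and (m := re.match(r"peer (\S+) enable$", line)):
            enabled.append(m.group(1))
        elif in_vpnv4 and (m := re.match(r"peer (\S+) route-policy (\S+) import$", line)):
            imports[m.group(1)] = m.group(2)
    findings = []
    for peer in enabled if unfiltered else []:
        if peer_as.get(peer) == local_as:
            continue  # IBGP peer in the same AS, outside this check
        name = imports.get(peer)
        if name is None:
            findings.append((peer, "no import route-policy"))
        elif name not in filtered_policies:
            findings.append((peer, f"route-policy {name} has no RT/RD if-match"))
    return findings
```

For the constructed sample, `audit_asbr(SAMPLE_CONFIG)` reports only peer 198.51.100.2, the EBGP peer enabled in the VPNv4 address family without an import policy.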

(Optional) Enabling Next-Hop-based Label Allocation on the ASBR

Context

In an inter-AS VPN Option B scenario, ASBRs can be enabled to allocate labels to VPN routes based on next hops. This saves labels on the ASBRs.

Next-hop-based label allocation means allocating the same label to routes with the same forwarding behavior. In other words, VPN routes with the same forwarding path and outbound label are assigned the same label. Unlike the prefix-based label allocation mode that is used by default, next-hop-based label allocation enriches the label allocation modes and allows for flexible label allocation. In addition, when an ASBR functions as a PE device, next-hop-based label allocation can be used together with the one label per instance mode to save labels on the ASBR.

As shown in Figure 7-38, an inter-AS VPN Option B network is established. Two VPN instances, VPN1 and VPN2, are configured on PE1, and the label allocation mode is one label per VPN instance. 1 thousand VPN routes are imported from each of CE1 in VPN1 and CE2 in VPN2. When next-hop-based label allocation is not enabled for VPN routes on the ASBRs, the 2 thousand routes of PE1 advertised by ASBR1 to ASBR2 use 2 thousand labels. After next-hop-based label allocation is enabled for VPN routes on ASBR1, ASBR1 assigns only one label to VPN routes with the same next hop and outgoing label. As a result, ASBR1 needs to allocate only two labels for the 2 thousand routes.
Figure 7-38  Next-hop-based label allocation for VPN routes on ASBR

After next-hop-based label allocation is enabled or disabled, the label allocated by the ASBR for a route changes, which leads to packet loss.
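
The following simplified model is an added example, not device code or part of the original guide: it allocates ASBR labels in both modes for the scenario above and counts how many routes would carry a different label after the mode is switched. The route prefixes, the next-hop address 1.1.1.9, the outgoing labels 2001 and 2002 and the starting label 1024 are constructed assumptions.

```python
from itertools import count

class AsbrLabelAllocator:
    """Simplified model of label allocation on an ASBR (not device code)."""
    def __init__(self, per_nexthop, first_label=1024):  # first_label is arbitrary
        self.per_nexthop = per_nexthop
        self._labels = count(first_label)
        self.table = {}  # allocation key -> locally assigned label

    def label_for(self, rd, prefix, next_hop, out_label):
        # Per next hop: routes sharing next hop and outgoing label share one label.
        # Per prefix (the default mode): every VPNv4 route gets its own label.
        key = (next_hop, out_label) if self.per_nexthop else (rd, prefix)
        if key not in self.table:
            self.table[key] = next(self._labels)
        return self.table[key]

def pe1_routes(per_vpn=1000):
    """Constructed routes from PE1: per_vpn prefixes in each of VPN1 and VPN2."""
    routes = []
    for rd, out_label in (("100:1", 2001), ("100:2", 2002)):  # one label per instance
        for i in range(per_vpn):
            routes.append((rd, f"10.{i // 256}.{i % 256}.0/24", "1.1.1.9", out_label))
    return routes

def allocate(per_nexthop):
    """Return ({route: label}, number of labels the ASBR consumed)."""
    alloc = AsbrLabelAllocator(per_nexthop)
    labels = {(rd, pfx): alloc.label_for(rd, pfx, nh, out)
              for rd, pfx, nh, out in pe1_routes()}
    return labels, len(alloc.table)

def relabelled_on_switch():
    """Count routes whose label differs between the two modes."""
    before, _ = allocate(per_nexthop=False)
    after, _ = allocate(per_nexthop=True)
    return sum(before[route] != after[route] for route in before)
```

In this model the ASBR consumes 2000 labels per prefix and 2 labels per next hop, and 1999 of the 2000 routes end up with a different label after the switch, which illustrates why changing the mode interrupts forwarding.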

Perform the following steps on the ASBR.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bgp { as-number-plain | as-number-dot }

    The BGP view is displayed.

  3. Run ipv4-family vpnv4

    The BGP-VPNv4 view is displayed.

  4. Run apply-label per-nexthop

    The next-hop-based label allocation for IPv4 VPN routes is enabled on the ASBR.

Verifying the Inter-AS VPN Option B Configuration

Prerequisites

The configuration of inter-AS VPN Option B is complete.

Procedure

  • Run the display bgp vpnv4 all peer command on the PE or ASBR. If the status of the IBGP peer between the PE and ASBR in the same AS is "Established", and the status of the EBGP peer between ASBRs in different ASs is "Established", the configuration is successful.
  • Run the display bgp vpnv4 all routing-table command on the ASBR. If the VPN IPv4 routes are displayed, the configuration is successful.
  • Run the display ip routing-table vpn-instance vpn-instance-name command on the PE device. If the VPN routes are displayed, the configuration is successful.
  • Run the display mpls lsp command on the ASBR. If information about the LSP and label is displayed, the configuration is successful. If next-hop-based label allocation is enabled on the ASBR, only one label is allocated for the VPN routes with the same next hop and outgoing label.
  • Run the display ip extcommunity-filter command on an ASBR to check the configured extended community filters.
  • Run the display ip rd-filter command on an ASBR to check the configured RD filters.
Updated: 2019-08-07

Document ID: EDOC1100033725
