Configuration Guide - VPN 01

NE05E and NE08E V300R003C10SPC500

This is NE05E and NE08E V300R003C10SPC500 Configuration Guide - VPN

Configuring a Basic BGP/MPLS IPv6 VPN

A basic BGP/MPLS IPv6 VPN includes PEs, Ps, and CEs with the Ps residing in a single MPLS domain on the backbone network of one carrier. Each device plays only one role, either PE, CE, or P. After a basic BGP/MPLS IPv6 VPN is configured, the network can provide IPv6 VPN services for customers.

Usage Scenario

This section describes how to configure a basic BGP/MPLS IPv6 VPN. After the configurations are complete, the network can provide VPN services for users so that multiple private networks can communicate across the backbone network of the carrier. VPN routes are isolated from the public network routes on the backbone network, and the routes of VPN instances are isolated from each other.

The following functions need to be implemented on the network shown in Figure 6-2:
  • Site1 can communicate with only Site3.

  • Site2 can communicate with only Site4.

  • The MPLS backbone network is unaware of the VPN routes in each site.

To meet the preceding requirements, configure a basic BGP/MPLS IPv6 VPN by adding Site1 and Site3 to a VPN (VPN1) and Site2 and Site4 to another VPN (VPN2). CEs and other devices deployed at sites only advertise and receive VPN routes. They are unaware of the public network. Ps residing on the public network do not receive VPN routes. PEs manage VPN routes and public network routes separately. VPN data packets are transmitted transparently over tunnels between the sites within the same VPN. The devices on the public network do not know the contents of VPN data packets, ensuring VPN data security.
Figure 6-2 BGP/MPLS IPv6 VPN

Pre-configuration Tasks

Before configuring a basic BGP/MPLS IPv6 VPN, complete the following tasks:

  • Configure the import or export routing policy to control the route receiving or sending of the VPN instance IPv6 address family if needed.

  • Enable IPv6 on PEs and related interfaces.

  • Configure an IGP on the PEs and Ps to ensure IP connectivity on the backbone network.

  • Establish non-LDP LSP tunnels based on tunnel policies or LDP LSPs on the MPLS backbone network composed of PEs and Ps.

  • Configure IPv6 addresses on interfaces that connect CEs to PEs.

Configuration Procedures

Figure 6-3 Flowchart for configuring a basic BGP/MPLS IPv6 VPN

Configuring a VPN Instance

An IPv6 VPN instance can be configured to manage IPv6 VPN routes.

Context

A VPN instance, also called a VPN routing and forwarding (VRF) table, is created to hold the VPN forwarding information for each VPN. In relevant standards, a VPN instance is also called a per-site forwarding table. VPN instances must be created in all BGP/MPLS IPv6 VPN solutions.

VPN instances isolate VPN routes from public network routes and isolate the routes of VPN instances from each other. Perform the following steps on each PE.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ip vpn-instance vpn-instance-name

    A VPN instance is created, and its view is displayed.

    NOTE:

    A VPN instance name is case sensitive. For example, "vpn1" and "VPN1" are different VPN instances.

    Multiple VPN instances can be created on a PE. By default, no VPN instance exists on a PE.

  3. (Optional) Run description description-information

    A description is configured for the VPN instance.

    Similar to a host name or an interface description, the VPN instance description helps users identify the VPN instance.

  4. (Optional) Run vpn-id vpn-id

    A VPN ID is configured for the VPN instance.

    The vpn-id command creates a globally unique identifier for a VPN instance. In CU separation scenarios, to ensure that the same VPN instances on the control plane and forwarding plane have the same ID, run the vpn-id command to manually set the VPN instance ID.

  5. Run ipv6-family

    The IPv6 address family is enabled for the VPN instance, and the VPN instance IPv6 address family view is displayed.

    VPN instances support both the IPv4 and IPv6 address families. Configurations in a VPN instance can be performed only after an address family is enabled for the VPN instance based on the advertised route and forwarding data type.

  6. Run route-distinguisher route-distinguisher

    An RD is configured for the VPN instance IPv6 address family.

    A VPN instance IPv6 address family takes effect only after being configured with an RD. The RDs of different VPN instances that are enabled with the IPv6 address family on a PE must be different.

    NOTE:

    RDs cannot be modified but can be deleted after being configured. After an RD is deleted, all configurations in the VPN instance IPv6 address family of the corresponding VPN instance will be deleted.

  7. Run vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]

    A VPN target is configured for the VPN instance IPv6 address family.

    A VPN target is a BGP extended community attribute. It is used to control the receiving and advertisement of VPN-IPv6 routing information. A maximum of eight VPN targets can be configured using the vpn-target command. If you want to configure more VPN targets in the VPN instance IPv6 address family view, run the vpn-target command multiple times.

  8. (Optional) Run prefix limit number { alert-percent [ route-unchanged ] | simply-alert }

    The allowed maximum number of route prefixes is set for the VPN instance IPv6 address family.

    The configuration restricts the number of route prefixes imported from the CEs and other PEs into a VPN instance IPv6 address family on a PE, preventing the PE from receiving too many route prefixes.
    NOTE:

    After the number of route prefixes exceeds the maximum limit, direct and static routes can still be added to the IPv6 address family routing table of VPN instances.

  9. (Optional) Run import route-policy policy-name

    An import routing policy is configured for the VPN instance IPv6 address family.

    In addition to using a VPN target to control VPN route sending and receiving, an import routing policy can be configured to better control VPN route receiving. An import routing policy filters routes before they are imported into the VPN instance IPv6 address family.

  10. (Optional) Run export route-policy policy-name [ add-ert-first ]

    An export routing policy is configured for the VPN instance IPv6 address family.

    In addition to using a VPN target to control VPN route sending and receiving, an export routing policy can be configured to better control VPN route sending. An export routing policy filters routes before they are advertised to other PEs.

    By default, ERTs are added to VPN routes before these routes are matched against an export routing policy. If the export routing policy contains RT-related filtering rules, these rules cannot apply to these routes. If you want to apply the RT-related filtering rules defined in an export routing policy to VPN routes, run the add-ert-first command to configure the system to add ERTs to VPN routes before matching these routes against the export routing policy.

  11. (Optional) Run import route-filter policy-name

    An import route-filter is configured for the VPN instance IPv6 address family.

    In addition to using a VPN target to control VPN route sending and receiving, an import route-filter can be configured to better control VPN route receiving. An import route-filter filters routes before they are imported into the VPN instance IPv6 address family.

  12. (Optional) Run export route-filter policy-name [ add-ert-first ]

    An export route-filter is configured for the VPN instance IPv6 address family.

    In addition to using a VPN target to control VPN route sending and receiving, an export route-filter can be configured to better control VPN route sending. An export route-filter filters routes before they are advertised to other PEs.

    By default, ERTs are added to VPN routes before these routes are matched against an export route-filter. If the export route-filter contains RT-related filtering rules, these rules cannot apply to these routes. If you want to apply the RT-related filtering rules defined in an export route-filter to VPN routes, run the add-ert-first command to configure the system to add ERTs to VPN routes before matching these routes against the export route-filter.

  13. (Optional) Run tnl-policy policy-name

    A tunnel policy is applied to the VPN instance IPv6 address family.

    A tunnel can be specified for IPv6 VPN data forwarding when a tunnel policy is applied to the VPN instance IPv6 address family.

  14. (Optional) Run apply-label per-route pop-go

    The device is configured to assign a unique label to each VPNv6 route sent to its BGP VPNv6 peer and forward the data packets received from its BGP VPNv6 peer through outbound interfaces found in the local ILM.

    By default, the local device assigns a unique label to each VPNv6 route sent to its BGP VPNv6 peer. After the local device receives a labeled data packet from its BGP VPNv6 peer, the local device removes the label, searches the IP forwarding table for a forwarding entry according to the longest-match principle, and sends the packet based on the found forwarding entry.

    After the apply-label per-route pop-go command is configured, the local device records in the ILM the mapping between the label assigned to each VPNv6 route and the outbound interface of the route. Then, after the local device receives a labeled data packet from its BGP VPNv6 peer, the local device directly searches the ILM for an outbound interface based on label information carried in the packet and forwards the packet through the found outbound interface after removing its label. This implementation significantly accelerates packet forwarding.

    The apply-label per-route pop-go command is mutually exclusive with the apply-label per-instance command. If the two commands are both configured, the later configured one prevails.

  15. (Optional) Run apply-label per-instance

    MPLS label distribution based on the VPN instance IPv6 address family (known as one label per instance) is configured. One label is assigned to all the routes of the VPN instance IPv6 address family.

    Generally, one label is assigned per route. If the number of routes is rather large, label resources will be greatly consumed.

    The NE supports one label per instance. All the routes of a VPN instance IPv6 address family are assigned the same label.

  16. Run commit

    The configuration is committed.
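
The RD and VPN target settings from steps 6 and 7 decide which VPN instances can exchange routes, so they can be audited offline. The following is an added example, not part of the original guide or Huawei's own tooling: it parses VPN instance stanzas from several PEs, reports RDs reused on one PE, and reports every case where one VPN's export targets are imported by a different VPN. Assumptions: the configuration text is a constructed sample, instances with the same name on different PEs are treated as the same VPN, and a vpn-target line without a keyword is treated as both.

```python
# Constructed sample (not from the original page): VPN instance stanzas of two PEs.
# PE1's vpn2 also imports RT 1:1, which breaks the intended VPN1/VPN2 separation.
PE_CONFIGS = {
    "PE1": """
ip vpn-instance vpn1
 ipv6-family
  route-distinguisher 100:1
  vpn-target 1:1 both
#
ip vpn-instance vpn2
 ipv6-family
  route-distinguisher 100:2
  vpn-target 2:2 export-extcommunity
  vpn-target 2:2 1:1 import-extcommunity
#
""",
    "PE2": """
ip vpn-instance vpn1
 ipv6-family
  route-distinguisher 200:1
  vpn-target 1:1
#
ip vpn-instance vpn2
 ipv6-family
  route-distinguisher 200:2
  vpn-target 2:2 both
#
""",
}

DIRECTIONS = {"both", "export-extcommunity", "import-extcommunity"}


def parse_instances(config):
    """Map instance name -> RD and import/export RT sets of its IPv6 address family."""
    instances, name, in_v6 = {}, None, False
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "#":                       # stanza separator
            name, in_v6 = None, False
        elif words[:2] == ["ip", "vpn-instance"] and len(words) == 3:
            name, in_v6 = words[2], False         # instance names are case sensitive
            instances[name] = {"rd": None, "import": set(), "export": set()}
        elif name and words[0] in ("ipv4-family", "ipv6-family"):
            in_v6 = words[0] == "ipv6-family"     # ignore IPv4 family settings
        elif name and in_v6 and words[0] == "route-distinguisher" and len(words) == 2:
            instances[name]["rd"] = words[1]
        elif name and in_v6 and words[0] == "vpn-target":
            # Assumption: a vpn-target line without a keyword behaves like "both".
            direction = words.pop() if words[-1] in DIRECTIONS else "both"
            targets = set(words[1:])
            if direction != "import-extcommunity":
                instances[name]["export"] |= targets
            if direction != "export-extcommunity":
                instances[name]["import"] |= targets
    return instances


def find_duplicate_rds(parsed):
    """RDs shared by more than one IPv6-enabled instance on the same PE."""
    findings = []
    for pe, instances in sorted(parsed.items()):
        by_rd = {}
        for name, inst in sorted(instances.items()):
            if inst["rd"]:
                by_rd.setdefault(inst["rd"], []).append(name)
        findings += [(pe, rd, names) for rd, names in sorted(by_rd.items())
                     if len(names) > 1]
    return findings


def find_route_leaks(parsed):
    """Pairs where one VPN's export RTs are imported by a differently named VPN."""
    # The IPv6 address family takes effect only with an RD, so skip instances without one.
    active = [(pe, name, inst) for pe, insts in sorted(parsed.items())
              for name, inst in sorted(insts.items()) if inst["rd"]]
    leaks = []
    for src_pe, src_name, src in active:
        for dst_pe, dst_name, dst in active:
            shared = src["export"] & dst["import"]
            if src_name != dst_name and shared:
                leaks.append((f"{src_pe}/{src_name}", f"{dst_pe}/{dst_name}",
                              sorted(shared)))
    return leaks


def audit(pe_configs):
    """Run both checks over {pe_name: configuration_text}."""
    parsed = {pe: parse_instances(text) for pe, text in pe_configs.items()}
    return {"duplicate_rds": find_duplicate_rds(parsed),
            "route_leaks": find_route_leaks(parsed)}


if __name__ == "__main__":
    report = audit(PE_CONFIGS)
    for src, dst, rts in report["route_leaks"]:
        print(f"LEAK   {src} -> {dst} via RT {', '.join(rts)}")
    for pe, rd, names in report["duplicate_rds"]:
        print(f"DUP-RD {pe}: {rd} used by {', '.join(names)}")
```

On the sample, both vpn1 instances are reported as leaking into PE1's vpn2, because that instance imports 1:1 in addition to 2:2.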

Binding Interfaces to a VPN Instance

After an interface is bound to a VPN instance, the interface becomes a part of the VPN. Packets entering the interface will be forwarded based on the VRF table of the VPN.

Context

After a VPN instance is configured on a PE, an interface that belongs to the VPN must be bound to the VPN instance. Otherwise, the interface functions as a public network interface and cannot forward VPN data.

Perform the following steps on the PEs that are connected to CEs:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run ip binding vpn-instance vpn-instance-name

    The interface is bound to the VPN instance.

    NOTE:

    Using the ip binding vpn-instance command will delete Layer 3 (including IPv4 and IPv6) configurations, such as the IP address and routing protocol, on the interface. Reconfigure them after using the ip binding vpn-instance command if needed.

  4. Run ipv6 enable

    IPv6 is enabled on the interface.

  5. Run ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

    An IPv6 address is configured for the interface.

    Some Layer 3 features, such as route exchange between the PE and CE, can be configured only after an IPv6 address is configured for the VPN interface on the PE.

  6. Run commit

    The configuration is committed.

(Optional) Configuring a Router ID for a BGP VPN Instance IPv6 Address Family

You can configure different router IDs for BGP VPN instance IPv6 address families on the same device.

Context

By default, no router ID is configured for a BGP VPN instance IPv6 address family, and the BGP router ID is used. This makes different BGP VPN instance IPv6 address families on the same device have the same router ID. In some cases, different router IDs need to be configured for different BGP VPN instance IPv6 address families. For example, BGP peer relationships need to be established between different BGP VPN instance IPv6 address families on the same PE.

There are two methods of configuring a router ID for a BGP VPN instance IPv6 address family. You can choose either of the two methods as required.
  • Configuring router IDs for all BGP VPN instance IPv6 address families.

  • Configuring a router ID for a specified BGP VPN instance IPv6 address family.

The router ID configured in the BGP VPN instance IPv6 address family view takes precedence over the router ID configured in the BGP view.

If a BGP session has been established in a BGP-VPN instance IPv6 address family, changing or deleting the configured router ID resets the BGP session.

Procedure

  • Configuring router IDs for all BGP VPN instance IPv6 address families
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run router-id { ipv4-address | vpn-instance auto-select }

      Automatic router ID selection is configured for all BGP VPN instance IPv6 address families.

      In the BGP view, the router-id vpn-instance auto-select command takes precedence over the router-id ipv4-address command.

      NOTE:

      Rules for automatically selecting a router ID for a BGP VPN instance IPv6 address family are as follows:

      • If the loopback interfaces configured with IP addresses are bound to the VPN instance enabled with the IPv6 address family, the largest IP address among the IP addresses of the loopback interfaces is selected as the router ID.

      • If no loopback interfaces configured with IP addresses are bound to the VPN instance enabled with the IPv6 address family, the largest IP address among the IP addresses of other interfaces bound to the VPN instance is selected as the router ID, regardless of whether the interface is Up or Down.

    4. Run commit

      The configuration is committed.

  • Configuring a router ID for a specified BGP VPN instance IPv6 address family
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-family vpn-instance vpn-instance-name

      The BGP-VPN instance IPv6 address family view is displayed.

    4. Run router-id { ipv4-address | auto-select }

      A router ID or automatic router ID selection is configured for the current BGP VPN instance IPv6 address family.

    5. Run commit

      The configuration is committed.

Establishing MP-IBGP Peer Relationships Between PEs

MP-IBGP uses extended community attributes to advertise VPNv6 routes between PEs.

Context

If VPN sites in a basic BGP/MPLS IPv6 VPN need to communicate, PEs must use MP-IBGP to advertise VPNv6 routes with the RD information to each other. Since all the PEs reside in the same AS, MP-IBGP peer relationships can be set up between them. In the current implementation, IPv4 BGP peer relationships are set up between PEs.

Perform the following steps on each PE.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bgp as-number

    The BGP view is displayed.

  3. Run peer ipv4-address as-number as-number

    The peer PE is configured as a BGP peer.

  4. Run peer ipv4-address connect-interface loopback interface-number

    An interface is used to set up a TCP connection with the BGP peer.

    NOTE:

    A PE must use a loopback interface address with a 32-bit mask to set up an MP-IBGP peer relationship with the peer PE so that VPN routes can be iterated to tunnels. The route to the local loopback interface is advertised to the peer PE using an IGP on the MPLS backbone network.

  5. Run ipv6-family vpnv6

    The BGP-VPNv6 address family view is displayed.

  6. Run peer ipv4-address enable

    The function to exchange VPN-IPv6 routes with the BGP peer is enabled.

  7. Run commit

    The configuration is committed.

Configuring Route Exchange Between PEs and CEs

To enable CEs to communicate, the PEs and CEs must be capable of exchanging routes.

Context

In BGP/MPLS IPv6 VPN, a routing protocol or IPv6 static route must be configured between a PE and a CE to allow them to communicate and allow the CE to obtain routes to other CEs. The routing protocol can be BGP4+, RIPng, OSPFv3, or IS-ISv6. Choose one of the following configurations as needed:

The routing protocol configurations on the CE and PE are different:
  • The CE is located at the client side and unaware of the VPN. Therefore, you do not need to configure VPN parameters when configuring a routing protocol on the CE.
  • The PE is located at the edge of the carrier's network. It connects to a CE and exchanges VPN routing information with other PEs. If the CEs that access a PE belong to different VPNs, the PE must maintain different VRF tables. When configuring a routing protocol on the PE, specify the name of the VPN instance to which the routing protocol applies and configure the routing protocol and MP-BGP to import routes from each other.

Procedure

  • Configure BGP4+ between a PE and a CE.

    Perform the following steps on the PE:

    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-family vpn-instance vpn-instance-name

      The BGP-VPN instance IPv6 address family view is displayed.

    4. (Optional) Run as-number { as-number-plain | as-number-dot }

      An AS number is configured for the VPN instance IPv6 address family.

      A VPN instance uses the AS number of BGP by default.

      To smoothly re-assign a device to another AS or transmit different services in different instances, run the as-number command to configure a different AS number for each VPN instance IPv6 address family.

      NOTE:

      The AS number configured in the VPN instance IPv6 address family view must be different from the AS number configured in the BGP view.

    5. Run peer ipv6-address as-number as-number

      The CE is configured as an IPv6 VPN peer.

    6. (Optional) Run peer { ipv6-address | group-name } ebgp-max-hop [ hop-count ]

      The maximum number of hops between the PE and its EBGP peer (the CE) is specified. This step is mandatory if the PE and CE are not directly connected.

      Generally, EBGP peers are connected by a direct physical link. If no direct physical link is available, the peer ebgp-max-hop command must be used to allow EBGP peers to establish a multi-hop TCP connection.

      The default value of hop-count is 255. If the maximum number of hops is set to 1, the PE cannot establish an EBGP connection with a peer if they are not directly connected.

    7. (Optional) Run peer { group-name | ipv6-address } soo site-of-origin

      The SoO attribute is configured for the CE that has been specified as an IPv6 VPN peer of the PE.

      Several CEs at a VPN site may establish BGP connections with different PEs. The VPN routes advertised from the CEs to the PEs may be re-advertised to the same VPN site after the routes traverse the backbone network. This may cause route loops at the VPN site.

      If the SoO attribute is configured for a specified CE, the PE adds the attribute to a route sent from the CE and advertises the route to the remote PE. The remote PE checks the SoO attribute of the route before sending it to its attached CE. If the SoO attribute is the same as the local SoO attribute on the remote PE, the remote PE does not send the route to its attached CE.

    8. (Optional) Run peer { group-name | ipv6-address } allow-as-loop [ number ]

      Route loops are allowed.

      This step is used in hub & spoke networking.

      The default value of number is 1. Generally, BGP uses the AS number to detect route loops. On a hub & spoke network, if EBGP runs between a Hub-PE and a Hub-CE at a hub site, the route sent from the Hub-PE to the Hub-CE carries the AS number of the Hub-PE. If the Hub-CE sends a route update message to the Hub-PE, the Hub-PE will deny it because the route update message contains the AS number of the Hub-PE. To ensure proper route transmission on a hub & spoke network, configure all the BGP peers along the path (along which the Hub-CE advertises VPN routes to the Spoke-CE) to accept the routes which have the AS number repeated once.

    9. (Optional) Run peer { group-name | ipv6-address } substitute-as

      BGP AS number substitution is enabled.

      Perform this step on the PE in a scenario in which CEs at different sites use the same AS number.

      Enabling BGP AS number substitution may cause routing loops on a CE multi-homing network.

    10. (Optional) To configure the device to advertise specific routes in a BGP VPN routing table to a BGP VPNv6 routing table, run either of the following commands:

      • To configure the device to send only optimal routes in a BGP VPN routing table to a BGP VPNv6 routing table, run the advertise best-route command.

        By default, when a local device receives a route (route A) having the same prefix as that of a route (route B) in the local VPN routing table from the remote end but route A and route B have different RDs, route B is also sent to a BGP VPNv6 routing table even if the route selection priority of route B is lower than that of route A. If route B meets BGP VPNv6 route sending conditions, it is also sent to other BGP VPNv6 peers. In this scenario, if you want only optimal BGP VPN routes to be transmitted between BGP VPNv6 peers on the network, run the advertise best-route command on the local device to send only optimal routes in the BGP VPN routing table to the BGP VPNv6 routing table.

      • To configure the device to send only valid routes in a BGP VPN routing table to a BGP VPNv6 routing table, run the advertise valid-routes command.

        By default, a device running a version earlier than V300R003C10 advertises valid routes in a BGP VPN routing table to a BGP VPNv6 routing table. However, after the device is upgraded to V300R003C10 or later, the device advertises all routes in the BGP VPN routing table to the BGP VPNv6 routing table, which may change the transmission path of service traffic on the network. To ensure that the traffic transmission paths before and after the upgrade are consistent, run the advertise valid-routes command.

    11. Run commit

      The configuration is committed.

    Perform the following steps on the CE:

    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. (Optional) Run router-id ipv4-address

      A router ID is configured for the CE.

      If a CE does not have an IPv4 interface, it needs to be configured with a router ID.

    4. Run peer ipv6-address as-number as-number

      The PE is configured as an IPv6 VPN peer.

    5. (Optional) Run peer { ipv6-address | group-name } ebgp-max-hop [ hop-count ]

      The maximum number of hops between the CE and its EBGP peer (the PE) is set. This step is mandatory if the PE and CE are not directly connected.

      Generally, EBGP peers are connected by a direct physical link. If no direct physical link is available, the peer ebgp-max-hop command must be used to allow EBGP peers to establish a multi-hop TCP connection.

      The default value of hop-count is 255. If the maximum number of hops is set to 1, the CE cannot establish an EBGP connection with a peer if they are not directly connected.

    6. Run ipv6-family unicast

      The BGP-IPv6 unicast address family view is displayed.

    7. Run peer ipv6-address enable

      The function to exchange BGP routing information with the specified BGP IPv6 peer is enabled.

    8. Run import-route { direct | static | ripng process-id | ospfv3 process-id | isis process-id } [ med med | route-policy route-policy-name ]*

      Routes of the local site are imported.

      The CE advertises the routes of its own VPN network segment to the connected PE. The PE forwards the routes to the remote CE. The type of route imported at this step may vary according to the networking mode.

    9. Run commit

      The configuration is committed.

  • Configure an IPv6 static route between a PE and a CE.

    Perform the following steps on the PE:

    NOTE:

    Configuring an IPv6 static route on the CE is not described here. For details about how to configure an IPv6 static route, see "IPv6 Static Route Configuration" in the Configuration Guide - IP Routing.

    1. Run system-view

      The system view is displayed.

    2. Run ipv6 route-static vpn-instance vpn-instance-name dest-ipv6-address prefix-length { interface-type interface-number [ nexthop-ipv6-address ] | vpn-instance vpn-destination-name nexthop-ipv6-address | nexthop-ipv6-address [ public ] } [ preference preference | tag tag ] * [ description text ]

      A static route is configured for a specified VPN instance IPv6 address family.

    3. Run bgp as-number

      The BGP view is displayed.

    4. Run ipv6-family vpn-instance vpn-instance-name

      The BGP-VPN instance IPv6 address family view is displayed.

    5. Run import-route static [ med med | route-policy route-policy-name ] *

      The configured static route is added to the VRF table of the BGP-VPN instance IPv6 address family.

    6. (Optional) To configure the device to advertise specific routes in a BGP VPN routing table to a BGP VPNv6 routing table, run either of the following commands:

      • To configure the device to send only optimal routes in a BGP VPN routing table to a BGP VPNv6 routing table, run the advertise best-route command.

        By default, when a local device receives a route (route A) having the same prefix as that of a route (route B) in the local VPN routing table from the remote end but route A and route B have different RDs, route B is also sent to a BGP VPNv6 routing table even if the route selection priority of route B is lower than that of route A. If route B meets BGP VPNv6 route sending conditions, it is also sent to other BGP VPNv6 peers. In this scenario, if you want only optimal BGP VPN routes to be transmitted between BGP VPNv6 peers on the network, run the advertise best-route command on the local device to send only optimal routes in the BGP VPN routing table to the BGP VPNv6 routing table.

      • To configure the device to send only valid routes in a BGP VPN routing table to a BGP VPNv6 routing table, run the advertise valid-routes command.

        By default, a device running a version earlier than V300R003C10 advertises valid routes in a BGP VPN routing table to a BGP VPNv6 routing table. However, after the device is upgraded to V300R003C10 or later, the device advertises all routes in the BGP VPN routing table to the BGP VPNv6 routing table, which may change the transmission path of service traffic on the network. To ensure that the traffic transmission paths before and after the upgrade are consistent, run the advertise valid-routes command.

    7. Run commit

      The configuration is committed.

    NOTE:

    A VPN that receives routes outside it from a device other than the PE and advertises the routes to the PE is called a transit VPN. A VPN that receives only routes in it and routes advertised by the PE is called a stub VPN. Generally, a static route is used for route exchange between the CE and PE in a stub VPN only.

  • Configure RIPng between a PE and a CE.

    Perform the following steps on the PE:

    NOTE:

    Configuring RIPng on the CE is not described here. For details about how to configure RIPng, see "RIPng Configuration" in the Configuration Guide - IP Routing.

    1. Run system-view

      The system view is displayed.

    2. Run ripng [ process-id ] vpn-instance vpn-instance-name

      A RIPng process is created on the PE.

      A RIPng multi-instance process can be bound to only one VPN instance. If a RIPng process is not bound to any VPN instance before it is started, this process becomes a public network process.

      If only one RIPng process, either a public network RIPng process or a RIPng multi-instance process, runs on the NE, you do not need to specify process-id in the command. The value of process-id is 1 by default.

    3. Run import-route bgp [ permit-ibgp ] [ cost cost | inherit-cost | route-policy route-policy-name ] *

      BGP routes are imported.

      After the import-route bgp command is run in the RIPng view, the PE can import the VPNv6 routes learned from the remote PE into the RIPng routing table and advertise them to the attached CE.

    4. Run quit

      Return to the system view.

    5. Run interface interface-type interface-number

      The interface view is displayed.

    6. Run ripng process-id enable

      RIPng is enabled on the interface.

      NOTE:

      If IPv6 is not enabled, this command cannot be run in the interface view.

    7. Run quit

      Return to the system view.

    8. Run bgp as-number

      The BGP view is displayed.

    9. Run ipv6-family vpn-instance vpn-instance-name

      The BGP-VPN instance IPv6 address family view is displayed.

    10. Run import-route ripng process-id [ med med | route-policy route-policy-name ] *

      The configured RIPng route is added to the VRF table of the BGP-VPN instance IPv6 address family.

      After the import-route ripng command is run in the BGP-VPN instance IPv6 address family view, the PE imports the IPv6 routes learned from the attached CE into the BGP routing table and advertises VPN-IPv6 routes to the remote PE.

      NOTE:

      If a RIPng multi-instance process is deleted, RIPng will be disabled on all the interfaces in the process.

      Deleting a VPN instance or disabling a VPN instance IPv6 address family will delete all the RIPng processes bound to the VPN instance or the VPN instance IPv6 address family on the PE.

    11. (Optional) To configure the device to advertise specific routes in a BGP VPN routing table to a BGP VPNv6 routing table, run either of the following commands:

      • To configure the device to send only optimal routes in a BGP VPN routing table to a BGP VPNv6 routing table, run the advertise best-route command.

        By default, when a local device receives a route (route A) having the same prefix as that of a route (route B) in the local VPN routing table from the remote end but route A and route B have different RDs, route B is also sent to a BGP VPNv6 routing table even if the route selection priority of route B is lower than that of route A. If route B meets BGP VPNv6 route sending conditions, it is also sent to other BGP VPNv6 peers. In this scenario, if you want only optimal BGP VPN routes to be transmitted between BGP VPNv6 peers on the network, run the advertise best-route command on the local device to send only optimal routes in the BGP VPN routing table to the BGP VPNv6 routing table.

      • To configure the device to send only valid routes in a BGP VPN routing table to a BGP VPNv6 routing table, run the advertise valid-routes command.

        By default, a device running a version earlier than V300R003C10 advertises valid routes in a BGP VPN routing table to a BGP VPNv6 routing table. However, after the device is upgraded to V300R003C10 or later, the device advertises all routes in the BGP VPN routing table to the BGP VPNv6 routing table, which may change the transmission path of service traffic on the network. To ensure that the traffic transmission paths before and after the upgrade are consistent, run the advertise valid-routes command.

    12. Run commit

      The configuration is committed.

  • Configure OSPFv3 between a PE and a CE.

    Perform the following steps on the PE:

    NOTE:

    Configuring OSPFv3 on the CE is not described here. For details about how to configure OSPFv3, see "OSPFv3 Configuration" in the NE device Mid-End Router Configuration Guide - IP Routing.

    1. Run system-view

      The system view is displayed.

    2. Run ospfv3 [ process-id ] [ vpn-instance vpn-instance-name ]

      An OSPFv3 multi-instance process is started, and its view is displayed.

      An OSPFv3 process can be bound to only one VPN instance. If an OSPFv3 process is not bound to any VPN instance before it is started, this process becomes a public network process and cannot be bound to a VPN instance later.

      NOTE:
      Deleting a VPN instance or disabling a VPN instance IPv6 address family will delete all the OSPFv3 processes bound to the VPN instance or the VPN instance IPv6 address family on the PE.

    3. Run router-id router-id

      A router ID is configured.

      The router ID of each OSPFv3 process is unique in an AS. If no router ID is set, no OSPFv3 process can be run.

    4. (Optional) Run domain-id { domain-id-int | domain-id-ipaddr }

      The domain ID is configured.

      The domain ID can be an integer or in dotted decimal notation.

      Generally, the routes that are imported from a PE are advertised as External-LSAs. The routes that belong to different nodes of the same OSPFv3 domain are advertised as Type-3 LSAs (intra-domain routes). This requires that different nodes in the same OSPFv3 domain have the same domain ID.

    5. (Optional) Run route-tag tag-value

      The VPN route tag is configured.

      By default, the first two bytes of the tag value are 0xD000, and the last two bytes are the local BGP AS number. For example, if the local BGP AS number is 100, the default tag value in decimal notation is 3489661028.

    6. Run import-route bgp [ cost cost | route-policy route-policy-name | tag tag | type type ] *

      BGP routes are imported into the OSPFv3 routing table so that the PE can advertise the routes to the CE using OSPFv3.

    7. Run quit

      Return to the system view.

    8. Run interface interface-type interface-number

      The interface view is displayed.

    9. Run ospfv3 process-id area area-id [ instance instance-id ]

      OSPFv3 is enabled on the interface.

    10. Run quit

      Return to the system view.

    11. Run bgp as-number

      The BGP view is displayed.

    12. Run ipv6-family vpn-instance vpn-instance-name

      The BGP-VPN instance IPv6 address family view is displayed.

    13. Run import-route ospfv3 process-id [ med med | route-policy route-policy-name ]*

      OSPFv3 routes are imported into the VRF table of the BGP-VPN instance IPv6 address family.

    14. (Optional) To configure the device to advertise specific routes in a BGP VPN routing table to a BGP VPNv6 routing table, run either of the following commands:

      • To configure the device to send only optimal routes in a BGP VPN routing table to a BGP VPNv6 routing table, run the advertise best-route command.

        By default, when the local device receives from the remote end a route (route A) that has the same prefix as a route (route B) in the local VPN routing table but a different RD, route B is still sent to the BGP VPNv6 routing table even if its route selection priority is lower than that of route A. If route B meets the BGP VPNv6 route sending conditions, it is also sent to other BGP VPNv6 peers. To have only optimal BGP VPN routes transmitted between BGP VPNv6 peers on the network, run the advertise best-route command on the local device so that only optimal routes in the BGP VPN routing table are sent to the BGP VPNv6 routing table.

      • To configure the device to send only valid routes in a BGP VPN routing table to a BGP VPNv6 routing table, run the advertise valid-routes command.

        By default, a device running a version earlier than V300R003C10 advertises valid routes in a BGP VPN routing table to a BGP VPNv6 routing table. However, after the device is upgraded to V300R003C10 or later, the device advertises all routes in the BGP VPN routing table to the BGP VPNv6 routing table, which may change the transmission path of service traffic on the network. To ensure that the traffic transmission paths before and after the upgrade are consistent, run the advertise valid-routes command.

    15. Run commit

      The configuration is committed.

  • Configure IS-ISv6 between a PE and a CE.

    Perform the following steps on the PE:

    NOTE:

    Configuring IS-ISv6 on the CE is not described here. For details about how to configure IS-ISv6, see "IS-IS Configuration" in the NE device Mid-End Router Configuration Guide - IP Routing.

    1. Run system-view

      The system view is displayed.

    2. Run isis process-id vpn-instance vpn-instance-name

      An IS-IS process is created on the PE, and the IS-IS view is displayed.

      An IS-IS multi-instance process can be bound to only one VPN instance. If an IS-IS process is not bound to any VPN instance before it is started, this process becomes a public network process.

      If only one IS-IS process, either a public network IS-IS process or a multi-instance IS-IS process, runs on the NE, you do not need to specify process-id in the command. The value of process-id defaults to 1.

      NOTE:

      If an IS-IS multi-instance process is deleted, IS-IS will be disabled on all the interfaces in the process.

      Deleting a VPN instance or disabling a VPN instance IPv6 address family will delete all the IS-IS processes bound to the VPN instance or the VPN instance IPv6 address family on the PE.

    3. Run network-entity net

      The NET is configured.

      A NET specifies the current IS-IS area address and the system ID of the NE.

    4. (Optional) Run is-level { level-1 | level-1-2 | level-2 }

      The IS-IS level of the NE is specified.

      By default, the IS-IS level of the NE is Level-1-2.

    5. Run isis ipv6 enable

      IPv6 is enabled for the IS-IS process.

      IPv6 can be enabled for an IS-IS process only after being enabled in the system view.

    6. Run ipv6 import-route bgp inherit-cost [ tag tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ]*

      BGP routes are imported.

    7. Run quit

      Return to the system view.

    8. Run interface interface-type interface-number

      The interface view is displayed.

    9. Run isis ipv6 enable [ process-id ]

      IS-ISv6 is enabled on the interface.

    10. Run quit

      Return to the system view.

    11. Run bgp as-number

      The BGP view is displayed.

    12. Run ipv6-family vpn-instance vpn-instance-name

      The BGP-VPN instance IPv6 address family view is displayed.

    13. Run import-route isis process-id [ med med | route-policy route-policy-name ]*

      IS-IS routes are imported into the VRF table of the BGP-VPN instance IPv6 address family.

    14. (Optional) To configure the device to advertise specific routes in a BGP VPN routing table to a BGP VPNv6 routing table, run either of the following commands:

      • To configure the device to send only optimal routes in a BGP VPN routing table to a BGP VPNv6 routing table, run the advertise best-route command.

        By default, when the local device receives from the remote end a route (route A) that has the same prefix as a route (route B) in the local VPN routing table but a different RD, route B is still sent to the BGP VPNv6 routing table even if its route selection priority is lower than that of route A. If route B meets the BGP VPNv6 route sending conditions, it is also sent to other BGP VPNv6 peers. To have only optimal BGP VPN routes transmitted between BGP VPNv6 peers on the network, run the advertise best-route command on the local device so that only optimal routes in the BGP VPN routing table are sent to the BGP VPNv6 routing table.

      • To configure the device to send only valid routes in a BGP VPN routing table to a BGP VPNv6 routing table, run the advertise valid-routes command.

        By default, a device running a version earlier than V300R003C10 advertises valid routes in a BGP VPN routing table to a BGP VPNv6 routing table. However, after the device is upgraded to V300R003C10 or later, the device advertises all routes in the BGP VPN routing table to the BGP VPNv6 routing table, which may change the transmission path of service traffic on the network. To ensure that the traffic transmission paths before and after the upgrade are consistent, run the advertise valid-routes command.

    15. Run commit

      The configuration is committed.

  • Configure a direct route between a PE and a CE.

    A direct route can be configured between a PE and a CE only if the CE is a host and connected to the PE using a VLANIF interface. Note that the direct route only needs to be configured on the PE.

    Perform the following steps on the PE:

    1. Run system-view

      The system view is displayed.

    2. Run ip vpn-instance vpn-instance-name

      The VPN instance view is displayed.

    3. Run ipv6-family

      The VPN instance IPv6 address family view is displayed.

    4. Run nd vlink-direct-route advertise [ route-policy route-policy-name ]

      NDP Vlink direct routes are advertised.

      After the parameter route-policy route-policy-name is specified in the nd vlink-direct-route advertise command, only filtered NDP Vlink direct routes are advertised.

    5. Run quit

      Return to the VPN instance view.

    6. Run quit

      Return to the system view.

    7. Run bgp { as-number-plain | as-number-dot }

      The BGP view is displayed.

    8. Run ipv6-family vpn-instance vpn-instance-name

      The BGP-VPN instance IPv6 address family view is displayed.

    9. Run import-route direct [ med med | route-policy route-policy-name ]*

      The direct route to the local CE is imported.

      After the direct route to the local CE is imported to the VPN routing table, the local PE uses MP-BGP to advertise the direct route to the remote PE. This allows the remote CE to access the local CE.

    10. (Optional) To configure the device to advertise specific routes in a BGP VPN routing table to a BGP VPNv6 routing table, run either of the following commands:

      • To configure the device to send only optimal routes in a BGP VPN routing table to a BGP VPNv6 routing table, run the advertise best-route command.

        By default, when the local device receives from the remote end a route (route A) that has the same prefix as a route (route B) in the local VPN routing table but a different RD, route B is still sent to the BGP VPNv6 routing table even if its route selection priority is lower than that of route A. If route B meets the BGP VPNv6 route sending conditions, it is also sent to other BGP VPNv6 peers. To have only optimal BGP VPN routes transmitted between BGP VPNv6 peers on the network, run the advertise best-route command on the local device so that only optimal routes in the BGP VPN routing table are sent to the BGP VPNv6 routing table.

      • To configure the device to send only valid routes in a BGP VPN routing table to a BGP VPNv6 routing table, run the advertise valid-routes command.

        By default, a device running a version earlier than V300R003C10 advertises valid routes in a BGP VPN routing table to a BGP VPNv6 routing table. However, after the device is upgraded to V300R003C10 or later, the device advertises all routes in the BGP VPN routing table to the BGP VPNv6 routing table, which may change the transmission path of service traffic on the network. To ensure that the traffic transmission paths before and after the upgrade are consistent, run the advertise valid-routes command.

    11. Run commit

      The configuration is committed.

(Optional) Configuring One-Label-per-Next-Hop Label Distribution

To save label resources on a PE, configure one-label-per-next-hop label distribution on the PE. Only one label is allocated to the VPNv6 routes that have the same next-hop address and outgoing label.

Context

In a scenario where multiple CEs access a PE, if the PE needs to send large numbers of VPNv6 routes to its peer but MPLS labels are insufficient, configure one-label-per-next-hop label distribution on the PE. The PE then allocates only one label to the VPNv6 routes that have the same next-hop address and outgoing label, which greatly saves label resources.

Perform the following steps on a PE.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ip vpn-instance vpn-instance-name

    The VPN instance view is displayed.

  3. Run ipv6-family

    The BGP-IPv6 unicast address family view is displayed.

  4. Run apply-label per-nexthop

    One-label-per-next-hop label distribution for VPNv6 routes is enabled on the PE.

    NOTE:
    After one-label-per-next-hop label distribution is enabled or disabled, the label allocated by the PE to a route changes, which leads to a transient loss of VPN packets.

  5. (Optional) Run apply-label per-nexthop pop-go

    The device is configured to assign a unique label to the VPNv6 routes with the same next-hop address sent to its VPNv6 peer and forward the data packets received from its VPNv6 peer through outbound interfaces found in the local ILM.

    NOTE:

    In the VPN instance IPv6 address family view, the apply-label per-nexthop pop-go and apply-label per-nexthop commands overwrite each other. The latest configuration overrides the previous one.

  6. Run commit

    The configuration is committed.

Checking the Configurations

After completing the configuration, you can run the display ip vpn-instance verbose command to view details on VPN instances.

[~HUAWEI] display ip vpn-instance verbose
 Total VPN-Instances configured      : 1
 Total IPv4 VPN-Instances configured : 0
 Total IPv6 VPN-Instances configured : 1

 VPN-Instance Name and ID : wz, 4
 Address family ipv6
  Create date : 2017-07-03 11:49:51+00:00
  Up time : 0 days, 14 hours, 46 minutes and 52 seconds       
  Route Distinguisher : 2:1
  Label Policy : label per nexthop pop-go
  The diffserv-mode Information is : uniform
  The ttl-mode Information is : pipe

Verifying the Configuration of Basic BGP/MPLS IPv6 VPN

After configuring a basic BGP/MPLS IPv6 VPN, check information about the VPN instance IPv6 address family created on the PE, including the RD and other attributes. Also check information about the IPv6 VPN routes to the local and remote sites on the PE and CE.

Prerequisites

A basic BGP/MPLS IPv6 VPN has been configured.

Procedure

  • Run the following commands on the PE to check information about the created VPN instance IPv6 address family, including the RD and other attributes.

    • Run the display ip vpn-instance vpn-instance-name command to check brief information about a specified VPN instance.

    • Run the display ip vpn-instance verbose vpn-instance-name command to check detailed information about a specified VPN instance, including information in the IPv4 and IPv6 address families enabled for the VPN instance.

    • Run the display ip vpn-instance import-vt ivt-value command to check information about the VPN instances with the specified import VPN target.

    • Run the display ip vpn-instance [ vpn-instance-name ] interface command to view information about the interface bound to a specified VPN instance.

  • Run the following commands on the PE and CE to check information about the IPv6 VPN routes to the local and remote sites:

    • Run the display ipv6 routing-table vpn-instance vpn-instance-name command on the PE to check the routing information of a specified VPN instance IPv6 address family.
    • Run the display ipv6 routing-table command on the CE to check routing information.

Example

After completing the configurations, run the display ip vpn-instance command on a PE. The command output shows brief information about the VPN instances created on the PE.

# Display brief information about VPN instances.

<HUAWEI> display ip vpn-instance
 Total VPN-Instances configured : 2
 Total IPv4 VPN-Instances configured : 2
 Total IPv6 VPN-Instances configured : 1

  VPN-Instance Name               RD                                  Address-family
  vpn1                            1:1                                 ipv4          
  vpn1                            2:2                                 ipv6          
  vpn2                            1:2                                 ipv4

Run the display ip vpn-instance verbose vpn-instance-name command on a device. The command output shows detailed information about the VPN instances created on the PE.

# Display detailed information about the VPN instance named vpna.

<HUAWEI> display ip vpn-instance verbose vpna
 VPN-Instance Name and ID : vpna, 1
  Description : vpna
  Interfaces : LoopBack1 
Address family ipv6
  Create date : 2010/03/05 16:26:31
  Up time : 0 days, 00 hours, 09 minutes and 08 seconds 
  Vrf Status : UP
  Route Distinguisher : 100:1
  Export VPN Targets :  1:1
  Import VPN Targets :  1:1
  Label Policy : label per instance
  Per-Instance Label : 123
  Import Route Policy : p1
  Export Route Policy : p2
  Tunnel Policy : tnlpolicy1
  Maximum Routes Limit : 300
  Threshold Routes Limit : 80%
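
The isolation between VPNs depends on the export and import VPN targets shown in this output. The following added example (not part of the original guide) parses output in this format and lists every pair of different VPN instances where one instance imports a target that the other exports. The sample output is constructed, the function names are hypothetical, and multiple targets are assumed to appear whitespace-separated on one line.

```python
from itertools import permutations

# Constructed sample modelled on the `display ip vpn-instance verbose` format
# shown on this page. Instance names, RDs and targets are made up. vpn2 carries
# a stray import target (111:1) that belongs to vpn1.
SAMPLE_VERBOSE = """\
 VPN-Instance Name and ID : vpn1, 1
  Interfaces : GigabitEthernet0/1/1
 Address family ipv6
  Route Distinguisher : 100:1
  Export VPN Targets :  111:1
  Import VPN Targets :  111:1
  Label Policy : label per instance

 VPN-Instance Name and ID : vpn2, 2
  Interfaces : GigabitEthernet0/1/2
 Address family ipv6
  Route Distinguisher : 100:2
  Export VPN Targets :  222:1
  Import VPN Targets :  222:1 111:1
  Label Policy : label per instance
"""

FIELDS = {
    "Route Distinguisher": "rd",
    "Export VPN Targets": "export",
    "Import VPN Targets": "import",
}


def parse_instances(text):
    """Return {(instance, family): {"rd": str, "export": set, "import": set}}."""
    result, name, family = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Address family"):
            family = line.split()[-1]          # "ipv4" or "ipv6"
            continue
        key, sep, value = line.partition(" : ")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "VPN-Instance Name and ID":
            name, family = value.split(",")[0].strip(), None
        elif key in FIELDS and name and family:
            entry = result.setdefault(
                (name, family), {"rd": "", "export": set(), "import": set()})
            if key == "Route Distinguisher":
                entry["rd"] = value
            else:
                # Assumption: several targets are whitespace-separated.
                entry[FIELDS[key]] = set(value.split())
    return result


def find_route_leaks(instances, allowed_pairs=frozenset()):
    """List (exporter, importer, family, targets) for unintended RT overlap.

    A route exported by one instance is installed in every instance of the
    same address family whose import targets include one of its export
    targets, so an overlap between different instances crosses the VPN
    boundary unless the pair is explicitly allowed.
    """
    leaks = []
    for exporter, importer in permutations(sorted(instances), 2):
        (exp_name, exp_family), (imp_name, imp_family) = exporter, importer
        if exp_family != imp_family or exp_name == imp_name:
            continue
        shared = instances[exporter]["export"] & instances[importer]["import"]
        if shared and (exp_name, imp_name) not in allowed_pairs:
            leaks.append((exp_name, imp_name, exp_family, sorted(shared)))
    return leaks


if __name__ == "__main__":
    for leak in find_route_leaks(parse_instances(SAMPLE_VERBOSE)):
        print("unexpected import: %s -> %s (%s) via %s" % leak)
```
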

Run the display ip vpn-instance import-vt ivt-value command on a PE. The command output shows information about the VPN instances with the specified import VPN target.

# Display information about the VPN instances with the import VPN target of 1:1.

<HUAWEI> display ip vpn-instance import-vt 1:1
The number of ipv4-family matched the import-vt : 3
 VPN-Instance Name and ID : vrf1, 1
 VPN-Instance Name and ID : vrf4, 5
 VPN-Instance Name and ID : vrf5, 4

The number of ipv6-family matched the import-vt : 2
 VPN-Instance Name and ID : vrf1, 1
 VPN-Instance Name and ID : vrf5, 4

Run the display ip vpn-instance [ vpn-instance-name ] interface command on the PE. The command output shows that an interface is bound to the specified VPN instance.

# Display the interface bound to the VPN instance named vpna.

<HUAWEI> display ip vpn-instance vpna interface
 VPN-Instance Name and ID : vpna, 1
  Interface Number : 1
  Interface list : GigabitEthernet0/1/3

Run the display ipv6 routing-table vpn-instance vpn-instance-name command on a PE. The command output shows the routing information of a specified VPN instance, including the VPN routes to CEs.

# Display the routing information of the VPN instance named vpna.

<HUAWEI> display ipv6 routing-table vpn-instance vpna
Routing Table : vpna
         Destinations : 7        Routes : 7

Destination  : ::                                      PrefixLength : 0
NextHop      : ::                                      Preference   : 60
Cost         : 0                                       Protocol     : Static
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : NULL0                                   Flags        : D

Destination  : 50:30:1::                               PrefixLength : 64
NextHop      : 50:30:1::1                              Preference   : 0
Cost         : 0                                       Protocol     : Direct
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : Eth-Trunk1.1                            Flags        : D

Destination  : 50:30:1::1                              PrefixLength : 128
NextHop      : ::1                                     Preference   : 0
Cost         : 0                                       Protocol     : Direct
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : Eth-Trunk1.1                            Flags        : D

Destination  : 200::                                   PrefixLength : 10
NextHop      : ::FFFF:11.11.11.11                      Preference   : 255
Cost         : 0                                       Protocol     : BGP
RelayNextHop : ::                                      TunnelID     : 0x0000000001004c4f41
Interface    : LDP LSP                                 Flags        : RD

Destination  : 200::                                   PrefixLength : 11
NextHop      : ::FFFF:11.11.11.11                      Preference   : 255
Cost         : 0                                       Protocol     : BGP
RelayNextHop : ::                                      TunnelID     : 0x0000000001004c4f41
Interface    : LDP LSP                                 Flags        : RD

Destination  : 200::                                   PrefixLength : 15
NextHop      : ::FFFF:11.11.11.11                      Preference   : 255
Cost         : 0                                       Protocol     : BGP
RelayNextHop : ::                                      TunnelID     : 0x0000000001004c4f41
Interface    : LDP LSP                                 Flags        : RD

Destination  : FE80::                                  PrefixLength : 10
NextHop      : ::                                      Preference   : 0
Cost         : 0                                       Protocol     : Direct
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : NULL0                                   Flags        : D
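
The routing table of a VPN instance can also be checked against the prefixes the remote sites are expected to advertise. The following added example (not part of the original guide) parses an excerpt of the output above and reports BGP routes that fall outside an allowlist. The allowlist value 200::/11 and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Each route line carries two "Key : value" columns, as in the output above.
PAIR_LINE = re.compile(r"^\s*(\w+)\s+:\s(.*?)\s+(\w+)\s+:\s(.*?)\s*$")

# Excerpt (4 of the 7 entries) of the `display ipv6 routing-table
# vpn-instance vpna` output shown on this page.
SAMPLE_OUTPUT = """\
Routing Table : vpna
         Destinations : 7        Routes : 7

Destination  : ::                                      PrefixLength : 0
NextHop      : ::                                      Preference   : 60
Cost         : 0                                       Protocol     : Static
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : NULL0                                   Flags        : D

Destination  : 200::                                   PrefixLength : 10
NextHop      : ::FFFF:11.11.11.11                      Preference   : 255
Cost         : 0                                       Protocol     : BGP
RelayNextHop : ::                                      TunnelID     : 0x0000000001004c4f41
Interface    : LDP LSP                                 Flags        : RD

Destination  : 200::                                   PrefixLength : 11
NextHop      : ::FFFF:11.11.11.11                      Preference   : 255
Cost         : 0                                       Protocol     : BGP
RelayNextHop : ::                                      TunnelID     : 0x0000000001004c4f41
Interface    : LDP LSP                                 Flags        : RD

Destination  : 200::                                   PrefixLength : 15
NextHop      : ::FFFF:11.11.11.11                      Preference   : 255
Cost         : 0                                       Protocol     : BGP
RelayNextHop : ::                                      TunnelID     : 0x0000000001004c4f41
Interface    : LDP LSP                                 Flags        : RD
"""


def parse_routes(text):
    """Return one dict per route entry, keyed by the field names in the output."""
    routes, current = [], None
    for line in text.splitlines():
        match = PAIR_LINE.match(line)
        if not match:
            continue
        key1, value1, key2, value2 = match.groups()
        if key1 == "Destination":      # first line of a new route entry
            current = {}
            routes.append(current)
        if current is None:            # summary line before the first entry
            continue
        current[key1] = value1
        current[key2] = value2
    return routes


def audit_vpn_routes(routes, expected_remote, protocols=("BGP",)):
    """Return (prefix, next hop, interface) for routes outside the allowlist.

    Only routes learned through the given protocols are checked. A route
    passes when its prefix is equal to or more specific than an expected
    prefix, so a broader prefix than expected is reported.
    """
    allowed = [ipaddress.ip_network(p) for p in expected_remote]
    findings = []
    for route in routes:
        if route["Protocol"] not in protocols:
            continue
        prefix = ipaddress.ip_network(
            "%s/%s" % (route["Destination"], route["PrefixLength"]), strict=False)
        if not any(prefix.subnet_of(net) for net in allowed):
            findings.append((str(prefix), route["NextHop"], route["Interface"]))
    return findings


if __name__ == "__main__":
    # Assumption: the remote site is expected to advertise only 200::/11.
    for finding in audit_vpn_routes(parse_routes(SAMPLE_OUTPUT), ["200::/11"]):
        print("unexpected VPN route: %s via %s (%s)" % finding)
```
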

Run the display ipv6 routing-table command on a CE. The command output shows the routes to other CEs.

# Display the IPv6 routing information on the CE.

<HUAWEI> display ipv6 routing-table
Routing Table : Public
         Destinations : 8        Routes : 8

 Destination  : ::1                             PrefixLength : 128
 NextHop      : ::1                             Preference   : 0
 Cost         : 0                               Protocol     : Direct
 RelayNextHop : ::                              TunnelID     : 0x0
 Interface    : InLoopBack0                     Flags        : D

 Destination  : 1998::                          PrefixLength : 64
 NextHop      : 1998::1                         Preference   : 0
 Cost         : 0                               Protocol     : Direct
 RelayNextHop : ::                              TunnelID     : 0x0
 Interface    : LoopBack1                       Flags        : D

 Destination  : 1998::1                         PrefixLength : 128
 NextHop      : ::1                             Preference   : 0
 Cost         : 0                               Protocol     : Direct
 RelayNextHop : ::                              TunnelID     : 0x0
 Interface    : LoopBack1                       Flags        : D

 Destination  : 1999::                          PrefixLength : 64
 NextHop      : 2001::2                         Preference   : 255
 Cost         : 0                               Protocol     : EBGP
 RelayNextHop : ::                              TunnelID     : 0x0
 Interface    : GigabitEthernet0/1/1            Flags        : D

 Destination  : 2001::                          PrefixLength : 64
 NextHop      : 2001::1                         Preference   : 0
 Cost         : 0                               Protocol     : Direct
 RelayNextHop : ::                              TunnelID     : 0x0
 Interface    : GigabitEthernet0/1/1            Flags        : D

 Destination  : 2001::1                         PrefixLength : 128
 NextHop      : ::1                             Preference   : 0
 Cost         : 0                               Protocol     : Direct
 RelayNextHop : ::                              TunnelID     : 0x0
 Interface    : GigabitEthernet0/1/1            Flags        : D

 Destination  : 2004::                          PrefixLength : 64
 NextHop      : 2001::2                         Preference   : 255
 Cost         : 0                               Protocol     : EBGP
 RelayNextHop : ::                              TunnelID     : 0x0
 Interface    : GigabitEthernet0/1/1            Flags        : D

 Destination  : FE80::                          PrefixLength : 10
 NextHop      : ::                              Preference   : 0
 Cost         : 0                               Protocol     : Direct
 RelayNextHop : ::                              TunnelID     : 0x0
 Interface    : NULL0                           Flags        : D

Updated: 2019-01-14

Document ID: EDOC1100058925
