Configuration Guide - VPN

CloudEngine 12800 and 12800E V200R005C10

This document describes the configurations of VPN, including GRE, BGP/MPLS IP VPN, BGP/MPLS IPv6 VPN, VLL, PWE3, and VPLS.

Configuring Route Exchange Between PE and CE Devices

Context

In BGP/MPLS IP VPN, a routing protocol or static routes must be configured between PE and CE devices to allow them to communicate and allow the CE device to obtain routes to other CE devices. The routing protocol can be External/Exterior BGP (EBGP), Internal/Interior BGP (IBGP), Routing Information Protocol (RIP), Open Shortest Path First (OSPF), or Intermediate System to Intermediate System (IS-IS). Choose one of the configurations described in the following sections as needed.
The routing protocol configurations on the CE device and PE device are different:
  • The CE device is located at the client side. It is unaware of whether a VPN exists. Therefore, you do not need to configure VPN parameters when configuring a routing protocol on the CE device.
  • The PE device is located at the edge of the carrier network. It connects to a CE device and exchanges VPN routing information with other PE devices. If the CE devices that access a PE device belong to different VPNs, the PE device must maintain different VRF tables. When configuring a routing protocol on the PE devices, specify the name of the VPN instance to which the routing protocol applies, and configure the routing protocol and MP-BGP to import routes from each other.

Configuring EBGP Between PE and CE Devices

Perform the following configuration on the PE device.
Table 2-7 PE configuration

Action

Command

Description

Enter the system view.

system-view

-

Enter the BGP view.

bgp { as-number-plain | as-number-dot }

-

Enter the BGP-VPN instance IPv4 address family view.

ipv4-family vpn-instance vpn-instance-name

-

Configure a router ID or automatically select a router ID.

router-id { ipv4-address | auto-select }

By default, no router ID is configured for a BGP VPN instance IPv4 address family, and the BGP router ID is used. This means that different VPN instance IPv4 address families on the same device have the same router ID. In certain scenarios, you need to configure different router IDs for VPN instance IPv4 address families on the same device.

NOTE:
  • Run the router-id { ipv4-address | vpn-instance auto-select } command in the BGP view to configure router IDs for all the BGP VPN instance IPv4 address families on the device.

  • In the BGP view, the router-id vpn-instance auto-select command takes precedence over the router-id ipv4-address command.

  • Rules for automatically selecting a router ID for a BGP VPN instance IPv4 address family are as follows:
    • If the loopback interfaces configured with IP addresses are bound to the VPN instance enabled with the IPv4 address family, the highest IP address among the IP addresses of the loopback interfaces is selected as the router ID.

    • If no loopback interfaces configured with IP addresses are bound to the VPN instance enabled with the IPv4 address family, the highest IP address among the IP addresses of other interfaces bound to the VPN instance is selected as the router ID, regardless of whether the interface is Up or Down.

(Optional) Configure an AS number for the VPN instance IPv4 address family.

as-number { as-number-plain | as-number-dot }

A VPN instance uses the AS number of BGP by default.

To re-assign a device to another AS or transmit different services in different instances, run this command to configure a different AS number for each VPN instance IPv4 address family.
NOTE:

The AS number configured in the VPN instance IPv4 address family view must be different from that configured in the BGP view.

Configure a CE device as a VPN peer.

peer ipv4-address as-number { as-number-plain | as-number-dot }

-

Set the maximum number of hops of an EBGP connection.

peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]

Generally, EBGP peers are directly connected by a physical link. If such a link is not available, this command must be used to allow EBGP peers to establish a multi-hop TCP connection.

The default value of hop-count is 255. If the maximum number of hops is set to 1, the PE device cannot establish an EBGP connection with a peer if they are not directly connected.

(Optional) Import direct routes destined for the local CE device into the routing table of the IPv4 VPN instance.

Use either of the following commands:
  • import-route direct [ med med | route-policy route-policy-name ] *
  • network ipv4-address [ mask | mask-length ] [ route-policy route-policy-name ]

The PE device needs to import the routes destined for the local CE device into its VPN routing table so that it can advertise the routes to the remote PE device.

NOTE:

The PE device can automatically learn the direct routes destined for the local CE device. The learned routes take precedence over the direct routes advertised from the local CE device using EBGP. If this step is not performed, the PE device does not use MP-BGP to advertise the direct routes destined for the local CE device to the remote PE device.

(Optional) Configure the Site-of-Origin (SoO) attribute for a CE device.

peer { group-name | ipv4-address } soo site-of-origin

Several CE devices at a VPN site may establish BGP connections with different PE devices. The VPN routes advertised from the CE devices to the PE devices may be re-advertised to the same VPN site after the routes traverse the backbone network. This may cause route loops at the VPN site.

If the SoO attribute is configured for a specified CE device, the PE device adds the attribute to a route sent from the CE device and advertises the route to the remote PE device. The remote PE device checks the SoO attribute of the route before sending it to its attached CE device. If the SoO attribute is the same as the local SoO attribute on the remote PE device, the remote PE device does not send the route to its attached CE device.

(Optional) Enable BGP AS number substitution.

peer ipv4-address substitute-as

BGP uses AS numbers to detect routing loops. Sites located at different geographical locations must be assigned different AS numbers to ensure correct transmission of routing information. If CE devices scattered at different geographical locations use the same AS number, configure BGP AS number substitution on the PE devices.

NOTICE:

Enabling BGP AS number substitution may cause route loops in a CE multi-homing network.

(Optional) Configure a device to send only valid routes in a BGP VPN routing table to a BGP VPNv4 routing table.

advertise valid-routes

By default, a device running a version earlier than V200R005C00 advertises valid routes in a BGP VPN routing table to a BGP VPNv4 routing table. However, after the device is upgraded to V200R005C00 or later, the device advertises all routes in the BGP VPN routing table to the BGP VPNv4 routing table, which may change the transmission path of service traffic on the network. To ensure that the traffic transmission paths before and after the upgrade are consistent, run the advertise valid-routes command.

Commit the configuration.

commit

-
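
The interaction between AS number substitution and the SoO attribute described in Table 2-7, as an added Python sketch that is not part of the Huawei guide. It models one VPN site whose two CE devices share an AS number and attach to different PE devices; the AS numbers, prefix, SoO value and all function names are constructed, and substitution is modelled as the PE replacing the CE's AS number in the AS_PATH with its own.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]       # leftmost AS is the most recent hop
    soo: Optional[str] = None      # Site-of-Origin attribute, if any


@dataclass(frozen=True)
class CeSession:
    """Peer-level settings a PE holds for one attached CE (hypothetical model)."""
    ce_as: int
    soo: Optional[str] = None      # peer ... soo site-of-origin
    substitute_as: bool = False    # peer ... substitute-as


def pe_receive_from_ce(route: Route, session: CeSession) -> Route:
    """Ingress PE: add the SoO configured for this CE to the route."""
    return Route(route.prefix, route.as_path, session.soo or route.soo)


def pe_advertise_to_ce(route: Route, session: CeSession, pe_as: int) -> Optional[Route]:
    """Egress PE: return the route as sent to the CE, or None if it is withheld."""
    if session.soo is not None and route.soo == session.soo:
        return None                # same site as the origin: do not send it back
    path = route.as_path
    if session.substitute_as:
        # Replace the CE's AS number with the PE's own AS number.
        path = tuple(pe_as if asn == session.ce_as else asn for asn in path)
    return Route(route.prefix, (pe_as,) + path, route.soo)


def ce_accepts(route: Optional[Route], ce_as: int) -> bool:
    """CE: BGP loop detection rejects a path that already contains the local AS."""
    return route is not None and ce_as not in route.as_path


def site_gets_own_route_back(soo: Optional[str], substitute_as: bool,
                             provider_as: int = 100, site_as: int = 65410) -> bool:
    """CE1 -> PE1 -> backbone -> PE2 -> CE2, with CE1 and CE2 in the same site."""
    original = Route("192.168.1.0/24", (site_as,))           # constructed prefix
    pe1_session = CeSession(site_as, soo, substitute_as)
    pe2_session = CeSession(site_as, soo, substitute_as)
    # PE1 and PE2 are in the same AS, so the AS_PATH is unchanged across the backbone.
    over_backbone = pe_receive_from_ce(original, pe1_session)
    sent_to_ce2 = pe_advertise_to_ce(over_backbone, pe2_session, provider_as)
    return ce_accepts(sent_to_ce2, site_as)


if __name__ == "__main__":
    for soo, sub in [(None, False), (None, True), ("100:1", True)]:
        print(f"soo={soo!s:6} substitute-as={sub!s:5} "
              f"route returns to site: {site_gets_own_route_back(soo, sub)}")
```

Only the combination of substitution enabled and no SoO lets the multi-homed site re-learn its own prefix, which is the loop the NOTICE refers to.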

Perform the following configurations on the CE device.
Table 2-8 CE configuration

Action

Command

Description

Enter the system view.

system-view

-

Enter the BGP view.

bgp { as-number-plain | as-number-dot }

-

Configure the PE device as a VPN peer.

peer ipv4-address as-number { as-number-plain | as-number-dot }

-

Set the maximum number of hops of an EBGP connection.

peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]

Generally, EBGP peers are directly connected by a physical link. If such a link is not available, this command must be used to allow EBGP peers to establish a multi-hop TCP connection.

The default value of hop-count is 255. If the maximum number of hops is set to 1, the PE device cannot establish an EBGP connection with a peer if they are not directly connected.

Import routes of the local site.

import-route protocol [ process-id ] [ med med | route-policy route-policy-name ] *

The CE device advertises the routes of its own VPN network segment to the connected PE device. The PE device forwards the routes to the remote CE device. The type of routes imported during this step may vary according to the networking mode.

Commit the configuration.

commit

-

Configuring IBGP Between PE and CE Devices

Perform the following configuration on the PE device.
Table 2-9 PE configuration

Action

Command

Description

Enter the system view.

system-view

-

Enter the BGP view.

bgp { as-number-plain | as-number-dot }

-

Enter the BGP-VPN instance IPv4 address family view.

ipv4-family vpn-instance vpn-instance-name

-

Configure a router ID or automatically select a router ID.

router-id { ipv4-address | auto-select }

By default, no router ID is configured for a BGP VPN instance IPv4 address family, and the BGP router ID is used. This means that different VPN instance IPv4 address families on the same device have the same router ID. In certain scenarios, you need to configure different router IDs for VPN instance IPv4 address families on the same device.

NOTE:
  • Run the router-id { ipv4-address | vpn-instance auto-select } command in the BGP view to configure router IDs for all the BGP VPN instance IPv4 address families on the device.

  • In the BGP view, the router-id vpn-instance auto-select command takes precedence over the router-id ipv4-address command.

  • Rules for automatically selecting a router ID for a BGP VPN instance IPv4 address family are as follows:
    • If the loopback interfaces configured with IP addresses are bound to the VPN instance enabled with the IPv4 address family, the highest IP address among the IP addresses of the loopback interfaces is selected as the router ID.

    • If no loopback interfaces configured with IP addresses are bound to the VPN instance enabled with the IPv4 address family, the highest IP address among the IP addresses of other interfaces bound to the VPN instance is selected as the router ID, regardless of whether the interface is Up or Down.

(Optional) Configure an AS number for the VPN instance IPv4 address family.

as-number { as-number-plain | as-number-dot }

A VPN instance uses the AS number of BGP by default.

To re-assign a device to another AS or transmit different services in different instances, run this command to configure a different AS number for each VPN instance IPv4 address family.
NOTE:

The AS number configured in the VPN instance IPv4 address family view must be different from that configured in the BGP view.

Configure a CE device as a VPN peer.

peer ipv4-address as-number { as-number-plain | as-number-dot }

-

(Optional) Import direct routes destined for the local CE device into the routing table of the IPv4 VPN instance.

Use either of the following commands:
  • import-route direct [ med med | route-policy route-policy-name ] *
  • network ipv4-address [ mask | mask-length ] [ route-policy route-policy-name ]

The PE device needs to import the routes destined for the local CE device into its VPN routing table so that it can advertise the routes to the remote PE device.

NOTE:

The PE device can automatically learn the direct routes destined for the local CE device. The learned routes take precedence over the direct routes advertised from the local CE device using IBGP. If this step is not performed, the PE does not use MP-BGP to advertise the direct routes destined for the local CE device to the remote PE device.

(Optional) Configure a device to send only valid routes in a BGP VPN routing table to a BGP VPNv4 routing table.

advertise valid-routes

By default, a device running a version earlier than V200R005C00 advertises valid routes in a BGP VPN routing table to a BGP VPNv4 routing table. However, after the device is upgraded to V200R005C00 or later, the device advertises all routes in the BGP VPN routing table to the BGP VPNv4 routing table, which may change the transmission path of service traffic on the network. To ensure that the traffic transmission paths before and after the upgrade are consistent, run the advertise valid-routes command.

Commit the configuration.

commit

-
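
The router ID rules from the NOTE in Tables 2-7 and 2-9, as an added Python sketch (not device code and not part of the Huawei guide). Interface names, addresses, the record layout and the function names are constructed, and "highest" is assumed to mean numeric comparison of the IPv4 addresses.

```python
import ipaddress

# Constructed interface inventory for one PE device.
INTERFACES = [
    {"name": "LoopBack1", "vpn": "vpna", "ip": "10.0.0.9",     "up": True},
    {"name": "LoopBack2", "vpn": "vpna", "ip": "10.0.0.10",    "up": True},
    {"name": "Vlanif10",  "vpn": "vpna", "ip": "172.16.1.1",   "up": True},
    {"name": "Vlanif20",  "vpn": "vpnb", "ip": "172.16.2.1",   "up": True},
    {"name": "Vlanif30",  "vpn": "vpnb", "ip": "192.168.30.1", "up": False},
    {"name": "Vlanif40",  "vpn": "vpnc", "ip": None,           "up": True},
]


def auto_select_router_id(interfaces, vpn_instance):
    """Apply the two auto-select rules; return None if no interface qualifies."""
    bound = [i for i in interfaces if i["vpn"] == vpn_instance and i["ip"]]
    loopbacks = [i for i in bound if i["name"].lower().startswith("loopback")]
    # Rule 1: loopback interfaces with addresses win if any are bound.
    # Rule 2: otherwise any other bound interface counts, Up or Down
    # (the "up" field is deliberately ignored).
    candidates = loopbacks or bound
    if not candidates:
        return None
    return str(max(ipaddress.IPv4Address(i["ip"]) for i in candidates))


def resolve_router_id(bgp_router_id, instance_setting, interfaces, vpn_instance):
    """instance_setting is None (not configured), "auto-select", or an IPv4 address."""
    if instance_setting is None:
        return bgp_router_id          # default: the BGP router ID is used
    if instance_setting == "auto-select":
        return auto_select_router_id(interfaces, vpn_instance)
    return str(ipaddress.IPv4Address(instance_setting))


if __name__ == "__main__":
    for vpn in ("vpna", "vpnb", "vpnc"):
        print(vpn, resolve_router_id("1.1.1.1", "auto-select", INTERFACES, vpn))
```

For vpnb the selected address belongs to an interface that is Down, so a router ID chosen this way says nothing about whether that address is reachable.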

Perform the following configurations on the CE device.
Table 2-10 CE configuration

Action

Command

Description

Enter the system view.

system-view

-

Enter the BGP view.

bgp { as-number-plain | as-number-dot }

-

Configure the PE device as a VPN peer.

peer ipv4-address as-number { as-number-plain | as-number-dot }

-

Import routes of the local site.

import-route protocol [ process-id ] [ med med | route-policy route-policy-name ] *

The CE device advertises the routes of its own VPN network segment to the connected PE device. The PE device forwards the routes to the remote CE device. The type of routes imported during this step may vary according to the networking mode.

Commit the configuration.

commit

-

If many CE devices connect to a PE device, the PE device can function as an RR and the CE devices function as clients. This reduces the number of IBGP connections between CE devices and facilitates route maintenance and management.

Configuring Static Routes Between PE and CE Devices

Perform the following configuration on the PE device. The procedure for configuring static routes on the CE device is not provided here. For details about how to configure a static route, see Static Route Configuration in the CloudEngine 12800 and 12800E Series Switches Configuration Guide - IP Routing.

Table 2-11 PE configuration

Action

Command

Description

Enter the system view.

system-view

-

Configure a static route for a VPN instance.

ip route-static vpn-instance vpn-source-name destination-address { mask | mask-length } interface-type interface-number [ nexthop-address ] [ preference preference | tag tag ] *

-

(Optional) Disable the device from iterating a static route to a remote private cross route.

ip route recursive-lookup bgp-vpnv4-route disable

The switch cannot iterate a static route to a remote private cross route before an upgrade, but supports the iteration after an upgrade. As a result, traffic is forwarded along different paths before and after an upgrade. To enable the AGG to forward traffic along the same path before and after an upgrade, run the ip route recursive-lookup bgp-vpnv4-route disable command.

Enter the BGP view.

bgp { as-number-plain | as-number-dot }

-

Enter the BGP-VPN instance IPv4 address family view.

ipv4-family vpn-instance vpn-instance-name

-

Import the configured static route to the routing table of the BGP-VPN instance IPv4 address family.

import-route static [ med med | route-policy route-policy-name ] *

After this command is run in the BGP-VPN instance IPv4 address family view, the PE device will import the VPN routes learned from the attached CE device into the BGP routing table and advertise VPNv4 routes to the remote PE device.

(Optional) Configure a device to send only valid routes in a BGP VPN routing table to a BGP VPNv4 routing table.

advertise valid-routes

By default, a device running a version earlier than V200R005C00 advertises valid routes in a BGP VPN routing table to a BGP VPNv4 routing table. However, after the device is upgraded to V200R005C00 or later, the device advertises all routes in the BGP VPN routing table to the BGP VPNv4 routing table, which may change the transmission path of service traffic on the network. To ensure that the traffic transmission paths before and after the upgrade are consistent, run the advertise valid-routes command.

Commit the configuration.

commit

-

Configuring RIP Between PE and CE Devices

Perform the following configuration on the PE device. Configure RIPv1 or RIPv2 on the CE device. The CE configuration details are not provided here. For details about how to configure RIP, see RIP Configuration in the CloudEngine 12800 and 12800E Series Switches Configuration Guide - IP Routing.

Deleting a VPN instance or disabling a VPN instance IPv4 address family will delete all the RIP processes bound to the VPN instance or the VPN instance IPv4 address family on the PE device.

Table 2-12 PE configuration

Action

Command

Description

Enter the system view.

system-view

-

Create a RIP process running between the PE and CE devices and enter the RIP view.

rip process-id vpn-instance vpn-instance-name

A RIP process can be bound to only one VPN instance. If a RIP process is not bound to any VPN instance before it is started, this process becomes a public network process and can no longer be bound to a VPN instance.

Enable RIP on the network segment of the interface to which the VPN instance is bound.

network network-address

-

Import BGP routes to the RIP routing table.

import-route bgp [ cost { cost | transparent } | route-policy route-policy-name ] *

After this command is executed in the RIP view, the PE device can import the VPNv4 routes learned from the remote PE device into the RIP routing table and advertise them to the attached CE device.

Return to the system view.

quit

-

Enter the BGP view.

bgp { as-number-plain | as-number-dot }

-

Enter the BGP-VPN instance IPv4 address family view.

ipv4-family vpn-instance vpn-instance-name

-

Import RIP routes into the routing table of the BGP-VPN instance IPv4 address family.

import-route rip process-id [ med med | route-policy route-policy-name ] *

After this command is run in the BGP-VPN instance IPv4 address family view, the PE device will import the VPN routes learned from the attached CE device into the BGP routing table and advertise VPNv4 routes to the remote PE device.

(Optional) Configure a device to send only valid routes in a BGP VPN routing table to a BGP VPNv4 routing table.

advertise valid-routes

By default, a device running a version earlier than V200R005C00 advertises valid routes in a BGP VPN routing table to a BGP VPNv4 routing table. However, after the device is upgraded to V200R005C00 or later, the device advertises all routes in the BGP VPN routing table to the BGP VPNv4 routing table, which may change the transmission path of service traffic on the network. To ensure that the traffic transmission paths before and after the upgrade are consistent, run the advertise valid-routes command.

Commit the configuration.

commit

-

Configuring OSPF Between PE and CE Devices

Perform the following configuration on the PE device. Configure OSPF on the CE device. The CE configuration details are not provided here. For details about how to configure OSPF, see OSPF Configuration in the CloudEngine 12800 and 12800E Series Switches Configuration Guide - IP Routing.

Deleting a VPN instance or disabling a VPN instance IPv4 address family will delete all the OSPF processes bound to the VPN instance or the VPN instance IPv4 address family on the PE device.

Table 2-13 PE configuration

Action

Command

Description

Enter the system view.

system-view

-

Create an OSPF process running between the PE and CE devices and enter the OSPF view.

ospf process-id [ router-id router-id ] vpn-instance vpn-instance-name

An OSPF process can be bound to only one VPN instance. If an OSPF process is not bound to any VPN instance before it is started, this process becomes a public network process and can no longer be bound to a VPN instance.

A router ID needs to be specified when an OSPF process is started after it is bound to a VPN instance. The router ID must be different from the public network router ID configured in the system view. If the router ID is not specified, OSPF selects the IP address of one of the interfaces bound to the VPN instance as the router ID based on certain rules.

(Optional) Configure a domain ID for the OSPF process.

domain-id domain-id [ secondary ]

The domain ID of an OSPF process is contained in the routes generated by the process. When OSPF routes are imported into BGP, the domain ID is added to the BGP VPN routes and forwarded as the BGP extended community attribute.

There are no restrictions on the domain IDs of the OSPF processes of different VPNs on a PE device. The OSPF processes of the same VPN must be configured with the same domain ID to ensure proper route advertisement.

The default domain ID is 0.

(Optional) Configure a VPN route tag.

route-tag tag

The VPN route tag prevents loops of Type-5 LSAs in CE dual-homing networking.

By default, the VPN route tag is calculated using the BGP AS number. If BGP is not configured, the VPN route tag is 0.

Import BGP routes to the OSPF routing table.

import-route bgp [ permit-ibgp ] [ cost cost | route-policy route-policy-name | tag tag | type type ] *

After this command is executed in the OSPF view, the PE device can import the VPNv4 routes learned from the remote PE device into the OSPF routing table and advertise them to the attached CE device.

Enter the OSPF area view.

area area-id

-

Enable OSPF on the network segment of the interface to which the VPN instance is bound.

network ip-address wildcard-mask

-

Return to the OSPF view.

quit

-

Return to the system view.

quit

-

Enter the BGP view.

bgp { as-number-plain | as-number-dot }

-

Enter the BGP-VPN instance IPv4 address family view.

ipv4-family vpn-instance vpn-instance-name

-

Import OSPF routes into the routing table of the BGP-VPN instance IPv4 address family.

import-route ospf process-id [ med med | route-policy route-policy-name ] *

After this command is run in the BGP-VPN instance IPv4 address family view, the PE device will import the VPN routes learned from the attached CE device into the BGP routing table and advertise VPNv4 routes to the remote PE device.

(Optional) Configure a device to send only valid routes in a BGP VPN routing table to a BGP VPNv4 routing table.

advertise valid-routes

By default, a device running a version earlier than V200R005C00 advertises valid routes in a BGP VPN routing table to a BGP VPNv4 routing table. However, after the device is upgraded to V200R005C00 or later, the device advertises all routes in the BGP VPN routing table to the BGP VPNv4 routing table, which may change the transmission path of service traffic on the network. To ensure that the traffic transmission paths before and after the upgrade are consistent, run the advertise valid-routes command.

Commit the configuration.

commit

-

Configuring IS-IS Between PE and CE Devices

Perform the following configuration on the PE device. Configure IS-IS on the CE device. The CE configuration details are not provided here. For details about how to configure IS-IS, see "IPv4 IS-IS Configuration" in the CloudEngine 12800 and 12800E Series Switches Configuration Guide - IP Routing.

Deleting a VPN instance or disabling a VPN instance IPv4 address family will delete all the IS-IS processes bound to the VPN instance or the VPN instance IPv4 address family on the PE device.

Table 2-14 PE configuration

Action

Command

Description

Enter the system view.

system-view

-

Create an IS-IS process running between the PE and CE devices and enter the IS-IS view.

isis process-id vpn-instance vpn-instance-name

An IS-IS process can be bound to only one VPN instance. If an IS-IS process is not bound to any VPN instance before it is started, this process becomes a public network process and can no longer be bound to a VPN instance.

Set a network entity title (NET) for the IS-IS process.

network-entity net

A NET specifies the current IS-IS area address and the system ID of the switch. An IS-IS process on one switch can be configured with a maximum of three NETs.

(Optional) Set the level of the PE device.

is-level { level-1 | level-1-2 | level-2 }

By default, the IS-IS level of the switch is Level-1-2.

Import BGP routes to the IS-IS routing table.

Use either of the following commands:

  • import-route bgp [ cost-type { external | internal } | cost cost | tag tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ] *

  • import-route bgp inherit-cost [ { level-1 | level-2 | level-1-2 } | tag tag | route-policy route-policy-name ] *

If the IS-IS level is not specified in the command, BGP routes will be imported into the Level-2 IS-IS routing table.

After this command is executed in the IS-IS view, the PE device can import the VPNv4 routes learned from the remote PE device into the IS-IS routing table and advertise them to the attached CE device.

Return to the system view.

quit

-

Enter the view of the interface to which the VPN instance is bound.

interface interface-type interface-number

-

Enable IS-IS on the interface.

isis enable [ process-id ]

-

Return to the system view.

quit

-

Enter the BGP view.

bgp { as-number-plain | as-number-dot }

-

Enter the BGP-VPN instance IPv4 address family view.

ipv4-family vpn-instance vpn-instance-name

-

Import IS-IS routes into the routing table of the BGP-VPN instance IPv4 address family.

import-route isis process-id [ med med | route-policy route-policy-name ] *

After this command is run in the BGP-VPN instance IPv4 address family view, the PE device will import the VPN routes learned from the attached CE device into the BGP routing table and advertise VPNv4 routes to the remote PE device.

(Optional) Configure a device to send only valid routes in a BGP VPN routing table to a BGP VPNv4 routing table.

advertise valid-routes

By default, a device running a version earlier than V200R005C00 advertises valid routes in a BGP VPN routing table to a BGP VPNv4 routing table. However, after the device is upgraded to V200R005C00 or later, the device advertises all routes in the BGP VPN routing table to the BGP VPNv4 routing table, which may change the transmission path of service traffic on the network. To ensure that the traffic transmission paths before and after the upgrade are consistent, run the advertise valid-routes command.

Commit the configuration.

commit

-

Updated: 2019-04-03

Document ID: EDOC1100075353
