Configuration Guide - VPN

CloudEngine 12800 and 12800E V200R005C10

This document describes the configurations of VPN, including GRE, BGP/MPLS IP VPN, BGP/MPLS IPv6 VPN, VLL, PWE3, and VPLS.

Configuring Route Exchange Between PE and CE Devices

Context

In a BGP/MPLS IPv6 VPN, a routing protocol must be configured between a PE and a CE to allow them to communicate and allow the CE to obtain routes to other CEs. The routing protocol can be EBGP, IBGP, static routes, RIPng, OSPFv3, or IS-ISv6. Choose one of the following configurations as required:
The routing protocol configurations on the CE and PE are different:
  • The CE is located at the client side. It is unaware of whether a VPN exists. Therefore, you do not need to configure VPN parameters when configuring a routing protocol on the CE.
  • The PE is located at the edge of the carrier's network. It connects to a CE and exchanges VPN routing information with other PEs. If the CEs that access a PE belong to different VPNs, the PE must maintain different VRF tables. When configuring a routing protocol on the PE, specify the name of the VPN instance to which the routing protocol applies, and configure the routing protocol and MP-BGP to import routes from each other.

Configuring EBGP Between PE and CE Devices

Perform the following steps on the PEs:
Table 3-5 PE configuration

Operation: Enter the system view.
Command: system-view
Description: -

Operation: Enter the BGP view.
Command: bgp { as-number-plain | as-number-dot }
Description: -

Operation: Enter the BGP-VPN instance IPv6 address family view.
Command: ipv6-family vpn-instance vpn-instance-name
Description: -

Operation: Configure a router ID or automatically select a router ID.
Command: router-id { ipv4-address | auto-select }
Description: By default, no router ID is configured for a BGP VPN instance IPv6 address family, and the BGP router ID is used. This means that different VPN instance IPv6 address families on the same device have the same router ID. In certain scenarios, you need to configure different router IDs for VPN instance IPv6 address families on the same device.
NOTE:
  • Run the router-id { ipv4-address | vpn-instance auto-select } command in the BGP view to configure router IDs for all the BGP VPN instance IPv6 address families on the device.
  • In the BGP view, the router-id vpn-instance auto-select command takes precedence over the router-id ipv4-address command.
  • Rules for automatically selecting a router ID for a BGP VPN instance IPv6 address family are as follows:
    • If the loopback interfaces configured with IP addresses are bound to the VPN instance enabled with the IPv6 address family, the highest IP address among the IP addresses of the loopback interfaces is selected as the router ID.
    • If no loopback interfaces configured with IP addresses are bound to the VPN instance enabled with the IPv6 address family, the highest IP address among the IP addresses of other interfaces bound to the VPN instance is selected as the router ID, regardless of whether the interface is Up or Down.

Operation: (Optional) Configure a unique AS number for the VPN instance IPv6 address family.
Command: as-number as-number
Description: A VPN instance uses the AS number of BGP by default. To re-assign a device to another AS or transmit different services in different instances, run this command to configure a different AS number for each VPN instance IPv6 address family.
NOTE: The AS number configured in the VPN instance IPv6 address family view must be different from the AS number configured in the BGP view.

Operation: Configure a CE as a VPN peer.
Command: peer ipv6-address as-number as-number
Description: -

Operation: (Optional) Set the maximum number of hops of an EBGP connection.
Command: peer { ipv6-address | group-name } ebgp-max-hop [ hop-count ]
Description: Generally, EBGP peers are directly connected by a physical link. If such a link is not available, this command must be used to allow EBGP peers to establish a multi-hop TCP connection. The default value of hop-count is 255. If the maximum number of hops is set to 1, the PE cannot establish an EBGP connection with a peer if they are not directly connected.

Operation: (Optional) Import direct routes destined for the local CE into the routing table of the VPN instance.
Command: Use either of the following commands:
  • import-route direct [ med med | route-policy route-policy-name ] *
  • network ipv6-address prefix-length [ route-policy route-policy-name ]
Description: The PE needs to import the routes destined for the local CE into its VPN routing table so that it can advertise the routes to the remote PE.
NOTE: The PE can automatically learn the direct routes destined for the local CE. The learned routes take precedence over the direct routes advertised from the local CE using EBGP. If this step is not performed, the PE does not use MP-BGP to advertise the direct routes destined for the local CE to the remote PE.

Operation: (Optional) Configure the Site-of-Origin (SoO) attribute for a CE.
Command: peer { group-name | ipv6-address } soo site-of-origin
Description: Several CEs at a VPN site may establish BGP connections with different PEs. The VPN routes advertised from the CEs to the PEs may be re-advertised to the same VPN site after the routes traverse the backbone network. This may cause route loops at the VPN site. If the SoO attribute is configured for a specified CE, the PE adds the attribute to a route sent from the CE and advertises the route to the remote PE. The remote PE checks the SoO attribute of the route before sending it to its connected CE. If the SoO attribute is the same as the local SoO attribute on the remote PE, the remote PE does not send the route to its connected CE.

Operation: (Optional) Enable BGP AS number substitution.
Command: peer { group-name | ipv6-address } substitute-as
Description: BGP uses AS numbers to detect routing loops. Sites located at different geographical locations must be assigned different AS numbers to ensure correct transmission of routing information. If CEs scattered at different geographical locations use the same AS number, configure BGP AS number substitution on PEs.
NOTICE: Enabling BGP AS number substitution may cause route loops in a CE multi-homing network.

Operation: (Optional) Configure a device to send only valid routes in a BGP VPN routing table to a BGP VPNv6 routing table.
Command: advertise valid-routes
Description: By default, a device running a version earlier than V200R005C00 advertises valid routes in a BGP VPN routing table to a BGP VPNv6 routing table. However, after the device is upgraded to V200R005C00 or later, the device advertises all routes in the BGP VPN routing table to the BGP VPNv6 routing table, which may change the transmission path of service traffic on the network. To ensure that the traffic transmission paths before and after the upgrade are consistent, run the advertise valid-routes command.

Operation: Commit the configuration.
Command: commit
Description: -
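
The SoO check and BGP AS number substitution from the PE table above interact when one site is attached to two PEs. The following Python model is an added example, not Huawei code and not output captured from a device; the AS numbers (65001 for the site, 100 for the backbone), the SoO value, the prefix and all class and function names are constructed for illustration.

```python
"""Model of the PE-to-CE advertisement decision with SoO and AS substitution.

Added example with constructed values; names are hypothetical.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]          # leftmost AS is the most recent hop
    soo: Optional[str] = None         # Site-of-Origin attribute, if any


@dataclass(frozen=True)
class CePeer:
    """PE-side settings for one CE peer (mirrors the peer ... commands)."""
    ce_as: int
    soo: Optional[str] = None         # peer ... soo site-of-origin
    substitute_as: bool = False       # peer ... substitute-as


def pe_receive_from_ce(route: Route, peer: CePeer) -> Route:
    """Ingress PE: add the SoO configured for that CE to the CE's route."""
    return replace(route, soo=peer.soo) if peer.soo else route


def pe_advertise_to_ce(route: Route, pe_as: int,
                       peer: CePeer) -> Optional[Route]:
    """Egress PE: return the route as sent to the CE, or None if withheld."""
    # SoO check: a route is not sent back to the site it came from.
    if peer.soo is not None and route.soo == peer.soo:
        return None
    path = route.as_path
    if peer.substitute_as:
        # Replace the CE's AS number in AS_PATH with the PE's own AS number.
        path = tuple(pe_as if asn == peer.ce_as else asn for asn in path)
    # EBGP: the PE prepends its own AS number when advertising to the CE.
    return replace(route, as_path=(pe_as,) + path)


def ce_accepts(route: Optional[Route], ce_as: int) -> bool:
    """CE-side BGP loop detection: reject a path containing the local AS."""
    return route is not None and ce_as not in route.as_path


def site_reimports_own_route(substitute_as: bool, soo: Optional[str]) -> bool:
    """One multi-homed site: CE1 and CE2 share an AS and attach to PE1, PE2.

    Returns True if a prefix that CE1 announced to PE1 is accepted by CE2
    after crossing the backbone, which is the loop condition.
    """
    site_as, backbone_as = 65001, 100             # constructed AS numbers
    to_ce1 = CePeer(ce_as=site_as, soo=soo, substitute_as=substitute_as)
    to_ce2 = CePeer(ce_as=site_as, soo=soo, substitute_as=substitute_as)
    announced = Route("2001:db8:1::/64", as_path=(site_as,))
    at_pe1 = pe_receive_from_ce(announced, to_ce1)
    # PE1 to PE2 is MP-BGP inside the backbone: AS_PATH and SoO unchanged.
    sent = pe_advertise_to_ce(at_pe1, backbone_as, to_ce2)
    return ce_accepts(sent, site_as)


if __name__ == "__main__":
    for sub, soo in [(False, None), (True, None), (True, "65001:1")]:
        print(f"substitute-as={sub!s:5} soo={soo!s:8} "
              f"re-imported={site_reimports_own_route(sub, soo)}")
```

With substitution enabled and no SoO, the site's own AS number is no longer in the path, so the CE's loop detection cannot reject the route; configuring the same SoO on both PE-CE peers makes the egress PE withhold it.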

Perform the following steps on the CE:
Table 3-6 CE configuration

Operation: Enter the system view.
Command: system-view
Description: -

Operation: Enter the BGP view.
Command: bgp { as-number-plain | as-number-dot }
Description: -

Operation: (Optional) Set the ID of the local CE.
Command: router-id ipv4-address
Description: If no interface on the local CE is configured with an IPv4 address, you need to set the router ID for the local CE.

Operation: Configure a PE as a VPN peer.
Command: peer ipv6-address as-number as-number
Description: -

Operation: (Optional) Set the maximum number of hops of an EBGP connection.
Command: peer { ipv6-address | group-name } ebgp-max-hop [ hop-count ]
Description: Generally, EBGP peers are directly connected by a physical link. If such a link is not available, this command must be used to allow EBGP peers to establish a multi-hop TCP connection. The default value of hop-count is 255. If the maximum number of hops is set to 1, the PE cannot establish an EBGP connection with a peer if they are not directly connected.

Operation: Enter the BGP-IPv6 unicast address family view.
Command: ipv6-family unicast
Description: -

Operation: Enable BGP IPv6 peers to exchange BGP routing information.
Command: peer ipv6-address enable
Description: -

Operation: Import routes of the local sites.
Command: import-route { direct | static | ripng process-id | ospfv3 process-id | isis process-id } [ med med | route-policy route-policy-name ] *
Description: The CE advertises the routes of its own VPN network segment to the connected PE. The PE forwards the routes to the remote CE. The type of route imported during this step may vary according to the networking mode.

Operation: Commit the configuration.
Command: commit
Description: -

Configuring IBGP Between PE and CE Devices

Perform the following steps on the PEs:
Table 3-7 PE configuration

Operation: Enter the system view.
Command: system-view
Description: -

Operation: Enter the BGP view.
Command: bgp { as-number-plain | as-number-dot }
Description: -

Operation: Enter the BGP-VPN instance IPv6 address family view.
Command: ipv6-family vpn-instance vpn-instance-name
Description: -

Operation: Configure a router ID or automatically select a router ID.
Command: router-id { ipv4-address | auto-select }
Description: By default, no router ID is configured for a BGP VPN instance IPv6 address family, and the BGP router ID is used. This means that different VPN instance IPv6 address families on the same device have the same router ID. In certain scenarios, you need to configure different router IDs for VPN instance IPv6 address families on the same device.
NOTE:
  • Run the router-id { ipv4-address | vpn-instance auto-select } command in the BGP view to configure router IDs for all the BGP VPN instance IPv6 address families on the device.
  • In the BGP view, the router-id vpn-instance auto-select command takes precedence over the router-id ipv4-address command.
  • Rules for automatically selecting a router ID for a BGP VPN instance IPv6 address family are as follows:
    • If the loopback interfaces configured with IP addresses are bound to the VPN instance enabled with the IPv6 address family, the highest IP address among the IP addresses of the loopback interfaces is selected as the router ID.
    • If no loopback interfaces configured with IP addresses are bound to the VPN instance enabled with the IPv6 address family, the highest IP address among the IP addresses of other interfaces bound to the VPN instance is selected as the router ID, regardless of whether the interface is Up or Down.

Operation: (Optional) Configure a unique AS number for the VPN instance IPv6 address family.
Command: as-number as-number
Description: A VPN instance uses the AS number of BGP by default. To re-assign a device to another AS or transmit different services in different instances, run this command to configure a different AS number for each VPN instance IPv6 address family.
NOTE: The AS number configured in the VPN instance IPv6 address family view must be different from the AS number configured in the BGP view.

Operation: Configure a CE as a VPN peer.
Command: peer ipv6-address as-number as-number
Description: -

Operation: (Optional) Import direct routes destined for the local CE into the routing table of the VPN instance.
Command: Use either of the following commands:
  • import-route direct [ med med | route-policy route-policy-name ] *
  • network ipv6-address prefix-length [ route-policy route-policy-name ]
Description: The PE needs to import the routes destined for the local CE into its VPN routing table so that it can advertise the routes to the remote PE.
NOTE: The PE can automatically learn the direct routes destined for the local CE. The learned routes take precedence over the direct routes advertised from the local CE using EBGP. If this step is not performed, the PE does not use MP-BGP to advertise the direct routes destined for the local CE to the remote PE.

Operation: (Optional) Configure a device to send only valid routes in a BGP VPN routing table to a BGP VPNv6 routing table.
Command: advertise valid-routes
Description: By default, a device running a version earlier than V200R005C00 advertises valid routes in a BGP VPN routing table to a BGP VPNv6 routing table. However, after the device is upgraded to V200R005C00 or later, the device advertises all routes in the BGP VPN routing table to the BGP VPNv6 routing table, which may change the transmission path of service traffic on the network. To ensure that the traffic transmission paths before and after the upgrade are consistent, run the advertise valid-routes command.

Operation: Commit the configuration.
Command: commit
Description: -

Perform the following steps on the CE:
Table 3-8 CE configuration

Operation: Enter the system view.
Command: system-view
Description: -

Operation: Enter the BGP view.
Command: bgp { as-number-plain | as-number-dot }
Description: -

Operation: Configure a PE as a VPN peer.
Command: peer ipv6-address as-number as-number
Description: -

Operation: Enter the BGP-IPv6 unicast address family view.
Command: ipv6-family unicast
Description: -

Operation: Enable BGP IPv6 peers to exchange BGP routing information.
Command: peer ipv6-address enable
Description: -

Operation: Import routes of the local sites.
Command: import-route { direct | static | ripng process-id | ospfv3 process-id | isis process-id } [ med med | route-policy route-policy-name ] *
Description: The CE advertises the routes of its own VPN network segment to the connected PE. The PE forwards the routes to the remote CE. The type of route imported during this step may vary according to the networking mode.

Operation: Commit the configuration.
Command: commit
Description: -

Configuring Static Routes Between PE and CE Devices

Perform the following steps on the PE device. The procedure for configuring static routes on the CE device is not provided here. For details about how to configure a static route, see Static Route Configuration in the CloudEngine 12800 and 12800E Series Switches Configuration Guide - IP Routing.

Table 3-9 PE configuration

Operation: Enter the system view.
Command: system-view
Description: -

Operation: Configure a static route for a specified VPN instance IPv6 address family.
Command: ipv6 route-static vpn-instance vpn-instance-name dest-ipv6-address prefix-length { interface-type interface-number | vpn-instance vpn-destination-name nexthop-ipv6-address | nexthop-ipv6-address [ public ] } [ preference preference | tag tag ]* [ description text ]
Description: -

Operation: Enter the BGP view.
Command: bgp { as-number-plain | as-number-dot }
Description: -

Operation: Enter the BGP-VPN instance IPv6 address family view.
Command: ipv6-family vpn-instance vpn-instance-name
Description: -

Operation: Import the configured static route to the routing table of the BGP-VPN instance IPv6 address family.
Command: import-route static [ med med | route-policy route-policy-name ] *
Description: After this command is run in the BGP-VPN instance IPv6 address family view, the PE will import the VPN routes learned from the connected CE into the BGP routing table and advertise VPNv6 routes to the remote PE.

Operation: (Optional) Configure a device to send only valid routes in a BGP VPN routing table to a BGP VPNv6 routing table.
Command: advertise valid-routes
Description: By default, a device running a version earlier than V200R005C00 advertises valid routes in a BGP VPN routing table to a BGP VPNv6 routing table. However, after the device is upgraded to V200R005C00 or later, the device advertises all routes in the BGP VPN routing table to the BGP VPNv6 routing table, which may change the transmission path of service traffic on the network. To ensure that the traffic transmission paths before and after the upgrade are consistent, run the advertise valid-routes command.

Operation: Commit the configuration.
Command: commit
Description: -

Configuring RIPng Between PE and CE Devices

Perform the following configuration on the PE device. Configure RIPng on the CE device. The CE configuration details are not provided here. For details about how to configure RIPng, see RIPng Configuration in the CloudEngine 12800 and 12800E Series Switches Configuration Guide - IP Routing.

Table 3-10 PE configuration

Operation: Enter the system view.
Command: system-view
Description: -

Operation: Create a RIPng process running between the PE and CE and enter the RIPng view.
Command: ripng process-id vpn-instance vpn-instance-name
Description: A RIPng process can be bound to only one VPN instance. If a RIPng process is not bound to any VPN instance before it is started, this process becomes a public network process and cannot be bound to a VPN instance later.

Operation: Import BGP routes.
Command: import-route bgp [ cost cost | route-policy route-policy-name ] *
Description: After this command is run in the RIPng view, the PE can import the VPNv6 routes learned from the remote PE into the RIPng routing table and advertise them to the connected CE.

Operation: Return to the system view.
Command: quit
Description: -

Operation: Enter the view of the interface connected to the CE.
Command: interface interface-type interface-number
Description: -

Operation: (For an Ethernet interface) Switch the interface to Layer 3 mode.
Command: undo portswitch
Description: If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.
NOTE: If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

Operation: Enable RIPng on the interface.
Command: ripng process-id enable
Description: Before running this command, ensure that IPv6 has been enabled in the interface view.

Operation: Return to the system view.
Command: quit
Description: -

Operation: Enter the BGP view.
Command: bgp { as-number-plain | as-number-dot }
Description: -

Operation: Enter the BGP-VPN instance IPv6 address family view.
Command: ipv6-family vpn-instance vpn-instance-name
Description: -

Operation: Import RIPng routes into the routing table of the BGP-VPN instance IPv6 address family.
Command: import-route ripng process-id [ med med | route-policy route-policy-name ] *
Description: After this command is run in the BGP-VPN instance IPv6 address family view, the PE will import the VPN routes learned from the connected CE into the BGP routing table and advertise VPNv6 routes to the remote PE.

Operation: (Optional) Configure a device to send only valid routes in a BGP VPN routing table to a BGP VPNv6 routing table.
Command: advertise valid-routes
Description: By default, a device running a version earlier than V200R005C00 advertises valid routes in a BGP VPN routing table to a BGP VPNv6 routing table. However, after the device is upgraded to V200R005C00 or later, the device advertises all routes in the BGP VPN routing table to the BGP VPNv6 routing table, which may change the transmission path of service traffic on the network. To ensure that the traffic transmission paths before and after the upgrade are consistent, run the advertise valid-routes command.

Operation: Commit the configuration.
Command: commit
Description: -

  • If a RIPng multi-instance process is deleted, RIPng will be disabled on all the interfaces in the process.
  • Deleting a VPN instance or disabling a VPN instance IPv6 address family will delete all the RIPng processes bound to the VPN instance or the VPN instance IPv6 address family on the PE.

Configuring OSPFv3 Between PE and CE Devices

Perform the following steps on the PE device. Configure OSPFv3 on the CE device. The CE configuration details are not provided here. For details about how to configure OSPFv3, see OSPFv3 Configuration in the CloudEngine 12800 and 12800E Series Switches Configuration Guide - IP Routing.

Table 3-11 PE configuration

Operation: Enter the system view.
Command: system-view
Description: -

Operation: Create an OSPFv3 process running between the PE and CE and enter the OSPFv3 view.
Command: ospfv3 process-id vpn-instance vpn-instance-name
Description: An OSPFv3 process can be bound to only one VPN instance. If an OSPFv3 process is not bound to any VPN instance before it is started, this process becomes a public network process and can no longer be bound to a VPN instance.

Operation: (Optional) Configure a domain ID for the OSPFv3 process.
Command: domain-id domain-id [ secondary ]
Description: The domain ID of an OSPFv3 process is contained in the routes generated by the process. When OSPFv3 routes are imported into BGP, the domain ID is added to the BGP VPN routes and forwarded as the BGP extended community attribute. There are no restrictions on the domain IDs of the OSPFv3 processes of different VPNs on a PE. The OSPFv3 processes of the same VPN must be configured with the same domain ID to ensure proper route advertisement. The default domain ID is 0.

Operation: (Optional) Configure a VPN route tag.
Command: route-tag tag
Description: The VPN route tag prevents loops of Type-5 LSAs in CE dual-homing networking. By default, the VPN route tag is calculated using the BGP AS number. If BGP is not configured, the VPN route tag is 0.

Operation: Configure a router ID.
Command: router-id router-id
Description: The router ID of each OSPFv3 process is unique in an AS. If no router ID is set, no OSPFv3 process can be run.

Operation: Import BGP routes.
Command: import-route bgp [ cost cost | route-policy route-policy-name | tag tag | type type ] *
Description: After this command is run in the OSPFv3 view, the PE imports the VPNv6 routes learned from the peer into OSPFv3 and advertises them to the attached CE.

Operation: Return to the system view.
Command: quit
Description: -

Operation: Enter the view of the interface that is bound to the VPN instance.
Command: interface interface-type interface-number
Description: -

Operation: (For an Ethernet interface) Switch the interface to Layer 3 mode.
Command: undo portswitch
Description: If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.
NOTE: If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

Operation: Enable OSPFv3 on the interface.
Command: ospfv3 process-id area area-id [ instance instance-id ]
Description: -

Operation: Return to the system view.
Command: quit
Description: -

Operation: Enter the BGP view.
Command: bgp { as-number-plain | as-number-dot }
Description: -

Operation: Enter the BGP-VPN instance IPv6 address family view.
Command: ipv6-family vpn-instance vpn-instance-name
Description: -

Operation: Import OSPFv3 routes into the routing table of the BGP-VPN instance IPv6 address family.
Command: import-route ospfv3 process-id [ med med | route-policy route-policy-name ] *
Description: After this command is run in the BGP-VPN instance IPv6 address family view, the PE will import the VPN routes learned from the connected CE into the BGP routing table and advertise VPNv6 routes to the remote PE.

Operation: (Optional) Configure a device to send only valid routes in a BGP VPN routing table to a BGP VPNv6 routing table.
Command: advertise valid-routes
Description: By default, a device running a version earlier than V200R005C00 advertises valid routes in a BGP VPN routing table to a BGP VPNv6 routing table. However, after the device is upgraded to V200R005C00 or later, the device advertises all routes in the BGP VPN routing table to the BGP VPNv6 routing table, which may change the transmission path of service traffic on the network. To ensure that the traffic transmission paths before and after the upgrade are consistent, run the advertise valid-routes command.

Operation: Commit the configuration.
Command: commit
Description: -

Deleting a VPN instance or disabling a VPN instance IPv6 address family will delete all the OSPFv3 processes bound to the VPN instance or the VPN instance IPv6 address family on the PE.

Configuring IS-ISv6 Between PE and CE Devices

Perform the following steps on the PE device. Configure IS-ISv6 on the CE device. The CE configuration details are not provided here. For details about how to configure IS-ISv6, see IS-IS (IPv6) Configuration in the CloudEngine 12800 and 12800E Series Switches Configuration Guide - IP Routing.

Table 3-12 PE configuration

Operation: Enter the system view.
Command: system-view
Description: -

Operation: Create an IS-IS process running between the PE and CE and enter the IS-IS view.
Command: isis process-id vpn-instance vpn-instance-name
Description: An IS-IS process can be bound to only one VPN instance. If an IS-IS process is not bound to any VPN instance before it is started, this process becomes a public network process and cannot be bound to a VPN instance later.

Operation: Set a network entity title (NET) for the IS-IS process.
Command: network-entity net
Description: A NET specifies the current IS-IS area address and the system ID of the switch. An IS-IS process on one switch can be configured with a maximum of three NETs.

Operation: (Optional) Set the IS-IS level.
Command: is-level { level-1 | level-1-2 | level-2 }
Description: By default, the IS-IS level of the switch is Level-1-2.

Operation: Enable IPv6 for the IS-IS process.
Command: ipv6 enable
Description: Before enabling IPv6 for the IS-IS process, enable IPv6 in the system view.

Operation: Import BGP routes.
Command: ipv6 import-route bgp inherit-cost [ tag tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ]*
Description: If the IS-IS level is not specified in the command, BGP routes are imported into the Level-2 IS-IS routing table. After this command is run in the IS-IS view, the PE imports the VPNv6 routes learned from the remote PE to IS-IS and advertises them to the attached CE.

Operation: Return to the system view.
Command: quit
Description: -

Operation: Enter the view of the interface that is bound to the VPN instance.
Command: interface interface-type interface-number
Description: -

Operation: (For an Ethernet interface) Switch the interface to Layer 3 mode.
Command: undo portswitch
Description: If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.
NOTE: If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

Operation: Enable IS-ISv6 on the interface.
Command: isis ipv6 enable [ process-id ]
Description: -

Operation: Return to the system view.
Command: quit
Description: -

Operation: Enter the BGP view.
Command: bgp { as-number-plain | as-number-dot }
Description: -

Operation: Enter the BGP-VPN instance IPv6 address family view.
Command: ipv6-family vpn-instance vpn-instance-name
Description: -

Operation: Import IS-IS routes into the routing table of the BGP-VPN instance IPv6 address family.
Command: import-route isis process-id [ med med | route-policy route-policy-name ] *
Description: After this command is run in the BGP-VPN instance IPv6 address family view, the PE will import the VPN routes learned from the connected CE into the BGP routing table and advertise VPNv6 routes to the remote PE.

Operation: (Optional) Configure a device to send only valid routes in a BGP VPN routing table to a BGP VPNv6 routing table.
Command: advertise valid-routes
Description: By default, a device running a version earlier than V200R005C00 advertises valid routes in a BGP VPN routing table to a BGP VPNv6 routing table. However, after the device is upgraded to V200R005C00 or later, the device advertises all routes in the BGP VPN routing table to the BGP VPNv6 routing table, which may change the transmission path of service traffic on the network. To ensure that the traffic transmission paths before and after the upgrade are consistent, run the advertise valid-routes command.

Operation: Commit the configuration.
Command: commit
Description: -

Deleting a VPN instance or disabling a VPN instance IPv6 address family will delete all the IS-IS processes bound to the VPN instance or the VPN instance IPv6 address family on the PE.

Updated: 2019-04-03

Document ID: EDOC1100075353
