Configuration Guide - VPN

CloudEngine 12800 and 12800E V200R005C10

This document describes the configurations of VPN, including GRE, BGP/MPLS IP VPN, BGP/MPLS IPv6 VPN, VLL, PWE3, and VPLS.

Example for Configuring the BGP SoO Attribute

Networking Requirements

When multiple CE devices in a VPN site connect to different PE devices, VPN routes advertised from the CE devices to the PE devices may be sent back to the VPN site after the routes traverse the backbone network. This may cause routing loops in the VPN site.

As shown in Figure 2-50, CE1 and CE2 belong to site 1; CE2 and CE3 connect to PE2. Site 1 and site 2 have the same AS number. The PE and CE devices run EBGP. PE1 uses MP-IBGP to advertise the routes learned from CE1 to PE2. PE2 then advertises these routes to CE2 and CE3. However, CE2 has already learned the routes through the IGP in site 1. As a result, a routing loop may occur in site 1.

To prevent routing loops in site 1, configure the BGP Site of Origin (SoO) attribute on the PE devices. When PE2 advertises routes to CE2, PE2 checks whether the SoO attribute of the routes is the same as the locally configured SoO attribute. If so, PE2 does not advertise these routes to CE2. PE2 can then advertise the routes to CE3.

Figure 2-50 BGP SoO networking

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an IP address for each interface and an IGP on the backbone network so that PE devices can communicate.

  2. Enable MPLS and MPLS LDP on the backbone network so that LDP LSPs can be established between the PE devices.

  3. Establish an MP-IBGP peer relationship between the PE devices.

  4. Configure VPN instances on PE devices and bind the instances to the PE interfaces connected to CE devices.

  5. Set up EBGP peer relationships between the PE and CE devices and enable AS number substitution on the PE devices.

  6. On the PE devices, configure the BGP SoO attribute for the connected CE devices.

Procedure

  1. Configure an IP address for each interface and an IGP on the backbone network so that PE devices can learn the route to the loopback interface of each other.

    In this example, OSPF is configured.

    # Configure PE1.

    <HUAWEI> system-view
    [~HUAWEI] sysname PE1
    [*HUAWEI] commit
    [~PE1] interface loopback 1
    [*PE1-LoopBack1] ip address 1.1.1.1 32
    [*PE1-LoopBack1] quit
    [*PE1] vlan batch 20 40
    [*PE1] interface 10ge 1/0/1
    [*PE1-10GE1/0/1] port link-type trunk
    [*PE1-10GE1/0/1] port trunk allow-pass vlan 20
    [*PE1-10GE1/0/1] quit
    [*PE1] interface 10ge 2/0/2
    [*PE1-10GE2/0/2] port link-type trunk
    [*PE1-10GE2/0/2] port trunk allow-pass vlan 40
    [*PE1-10GE2/0/2] quit
    [*PE1] interface vlanif 40
    [*PE1-Vlanif40] ip address 10.1.1.1 30
    [*PE1-Vlanif40] quit
    [*PE1] ospf 1
    [*PE1-ospf-1] area 0
    [*PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.3
    [*PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
    [*PE1-ospf-1-area-0.0.0.0] quit
    [*PE1-ospf-1] quit
    [*PE1] commit

    PE2 and the CE devices are configured in the same way as PE1.

    After the configuration is complete, run the display ip routing-table command on the PE devices. You can see that the PE devices have learned the route to loopback interfaces of each other.

  2. Enable MPLS and MPLS LDP on the backbone network so that LDP LSPs can be established between the PE devices.

    Enable MPLS and MPLS LDP globally and on interfaces of the PE devices.

    # Configure PE1.

    [~PE1] mpls lsr-id 1.1.1.1
    [*PE1] mpls
    [*PE1-mpls] quit
    [*PE1] mpls ldp
    [*PE1-mpls-ldp] quit
    [*PE1] interface vlanif 40
    [*PE1-Vlanif40] mpls
    [*PE1-Vlanif40] mpls ldp
    [*PE1-Vlanif40] quit
    [*PE1] commit

    The configuration of PE2 is the same as that of PE1.

    After the configuration is complete, run the display mpls ldp lsp command on the PE devices. You can see the labels assigned to the routes to loopback interfaces on the remote PE devices. Take the display on PE1 as an example:

    [~PE1] display mpls ldp lsp
     LDP LSP Information
     An asterisk (*) before an LSP means the LSP is not established
     An asterisk (*) before a Label means the USCB or DSCB is stale
     An asterisk (*) before a UpstreamPeer means the session is in GR state
     An asterisk (*) before a DS means the session is in GR state
     An asterisk (*) before a NextHop means the LSP is FRR LSP
     -------------------------------------------------------------------------------
     DestAddress/Mask   In/OutLabel    UpstreamPeer    NextHop          OutInterface
     -------------------------------------------------------------------------------
            1.1.1.1/32   3/NULL         2.2.2.2         127.0.0.1        Loop1
            2.2.2.2/32   NULL/3         -               10.1.1.2         Vlanif40
     -------------------------------------------------------------------------------
     TOTAL: 2 Normal LSP(s) Found, 0 Liberal LSP(s) Found
            0 FRR LSP(s) Found.

  3. Set up an MP-IBGP peer relationship between the PE devices.

    # Configure PE1.

    [~PE1] bgp 100
    [*PE1-bgp] peer 2.2.2.2 as-number 100
    [*PE1-bgp] peer 2.2.2.2 connect-interface loopback1
    [*PE1-bgp] ipv4-family vpnv4
    [*PE1-bgp-af-vpnv4] peer 2.2.2.2 enable
    [*PE1-bgp-af-vpnv4] quit
    [*PE1-bgp] quit
    [*PE1] commit

    The configuration of PE2 is the same as that of PE1. For configuration details, see "Configuration Files."

    After the configuration is complete, run the display bgp peer or display bgp vpnv4 all peer command on the PE devices. You can see that the BGP peer relationships have been established between the PE devices. Take the display on PE1 as an example:

    [~PE1] display bgp peer
    
     BGP local router ID : 10.1.1.1
     Local AS number : 100
     Total number of peers : 1                 Peers in established state : 1
    
      Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
      2.2.2.2         4         100      187      186     0 02:44:06 Established        1

  4. On each PE device, configure a VPN instance, enable the IPv4 address family in the instance, and bind the instance to the interfaces connected to the CE devices.

    # Configure PE1.

    [~PE1] ip vpn-instance vpna
    [*PE1-vpn-instance-vpna] ipv4-family
    [*PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
    [*PE1-vpn-instance-vpna-af-ipv4] vpn-target 100:100
    [*PE1-vpn-instance-vpna-af-ipv4] quit
    [*PE1-vpn-instance-vpna] quit
    [*PE1] interface vlanif 20
    [*PE1-Vlanif20] ip binding vpn-instance vpna
    [*PE1-Vlanif20] ip address 192.168.1.1 30
    [*PE1-Vlanif20] quit
    [*PE1] commit

    # Configure PE2.

    [~PE2] ip vpn-instance vpna
    [*PE2-vpn-instance-vpna] ipv4-family
    [*PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 100:2
    [*PE2-vpn-instance-vpna-af-ipv4] vpn-target 100:100
    [*PE2-vpn-instance-vpna-af-ipv4] quit
    [*PE2-vpn-instance-vpna] quit
    [*PE2] interface vlanif 10
    [*PE2-Vlanif10] ip binding vpn-instance vpna
    [*PE2-Vlanif10] ip address 192.168.2.1 30
    [*PE2-Vlanif10] quit
    [*PE2] interface vlanif 50
    [*PE2-Vlanif50] ip binding vpn-instance vpna
    [*PE2-Vlanif50] ip address 192.168.3.1 30
    [*PE2-Vlanif50] quit
    [*PE2] commit

    After the configuration is complete, run the display ip vpn-instance verbose command on the PE devices to view the configuration of VPN instances.

  5. Establish EBGP peer relationships between PE and CE devices, enable AS number substitution on the PE devices, and configure PE devices to import routes from CE devices.

    In this configuration example, the two VPN sites have the same AS number. Therefore, AS number substitution needs to be enabled on PE1 and PE2.

    # Configure PE1.

    [~PE1] bgp 100
    [~PE1-bgp] ipv4-family vpn-instance vpna
    [*PE1-bgp-vpna] peer 192.168.1.2 as-number 65410
    [*PE1-bgp-vpna] peer 192.168.1.2 substitute-as
    [*PE1-bgp-vpna] import-route direct
    [*PE1-bgp-vpna] quit
    [*PE1-bgp] quit
    [*PE1] commit

    # Configure CE1 connected to Site 1.

    [~CE1] bgp 65410
    [*CE1-bgp] peer 192.168.1.1 as-number 100
    [*CE1-bgp] network 11.11.11.11 32
    [*CE1-bgp] network 192.168.4.0 30
    [*CE1-bgp] quit
    [*CE1] commit

    # Configure PE2.

    [~PE2] bgp 100
    [~PE2-bgp] ipv4-family vpn-instance vpna
    [*PE2-bgp-vpna] peer 192.168.2.2 as-number 65410
    [*PE2-bgp-vpna] peer 192.168.3.2 as-number 65410
    [*PE2-bgp-vpna] peer 192.168.2.2 substitute-as
    [*PE2-bgp-vpna] peer 192.168.3.2 substitute-as
    [*PE2-bgp-vpna] import-route direct
    [*PE2-bgp-vpna] quit
    [*PE2-bgp] quit
    [*PE2] commit

    # Configure CE2 connected to Site 1.

    [~CE2] bgp 65410
    [*CE2-bgp] peer 192.168.2.1 as-number 100
    [*CE2-bgp] network 22.22.22.22 32
    [*CE2-bgp] network 192.168.4.0 30
    [*CE2-bgp] quit
    [*CE2] commit

    # Configure CE3 connected to Site 2.

    [~CE3] bgp 65410
    [*CE3-bgp] peer 192.168.3.1 as-number 100
    [*CE3-bgp] network 33.33.33.33 32
    [*CE3-bgp] quit
    [*CE3] commit

    After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command on the PE devices. You can see that the status of EBGP peer relationships between PE and CE devices is Established. This indicates that EBGP peer relationships have been established between PE and CE devices. Take the display on PE1 as an example:

    [~PE1] display bgp vpnv4 vpn-instance vpna peer
    
     BGP local router ID : 10.1.1.1
     Local AS number : 100
    
     VPN-Instance vpna, Router ID 10.1.1.1:
     Total number of peers : 1                 Peers in established state : 1
    
      Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
      192.168.1.2     4       65410      224      231     0 03:02:12 Established        1

    Run the display bgp vpnv4 routing-table command on the PE devices. You can see the routes sent from the PE devices to the CE devices. The following shows the routes sent from PE2 to CE2.

    [~PE2] display bgp vpnv4 vpn-instance vpna routing-table peer 192.168.2.2 advertised-routes
    
     BGP Local router ID is 2.2.2.2
     Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
                   h - history,  i - internal, s - suppressed, S - Stale
                   Origin : i - IGP, e - EGP, ? - incomplete
     RPKI validation codes: V - valid, I - invalid, N - not-found
    
    
     VPN-Instance vpna, Router ID 8.1.1.1:
    
     Total Number of Routes: 7
           Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
    
     *>i   11.11.11.11/32     1.1.1.1                               0      100 100i
     *>    22.22.22.22/32     192.168.2.2                           0      100 100i
     *>    33.33.33.33/32     192.168.3.2                           0      100 100i
     *>i   192.168.1.0/30     1.1.1.1                               0      100?
     *>    192.168.2.0/30     0.0.0.0         0                     0      100?
     *>    192.168.3.0/30     0.0.0.0         0                     0      100?
     *>    192.168.4.0/30     192.168.2.2                           0      100 100i

  6. Configure the BGP SoO attribute on the PE devices.

    CE1 and CE2 belong to the same site, so you need to set the same BGP SoO attribute value for the two CE devices on PE1 and PE2. PE2 connects to two VPN sites, so you need to set different SoO attribute values for the CE devices.

    # Configure PE1.

    [~PE1] bgp 100
    [~PE1-bgp] ipv4-family vpn-instance vpna
    [~PE1-bgp-vpna] peer 192.168.1.2 soo 100:101
    [*PE1-bgp-vpna] quit
    [*PE1-bgp] quit
    [*PE1] commit

    # Configure PE2.

    [~PE2] bgp 100
    [~PE2-bgp] ipv4-family vpn-instance vpna
    [~PE2-bgp-vpna] peer 192.168.2.2 soo 100:101
    [*PE2-bgp-vpna] peer 192.168.3.2 soo 100:102
    [*PE2-bgp-vpna] quit
    [*PE2-bgp] quit
    [*PE2] commit

  7. Verify the configuration.

    After the configuration is complete, run the display bgp vpnv4 routing-table command on PE2 again. You can see that PE2 does not send any VPN route to CE2 and the routes sent from PE2 to CE3 remain unchanged.

    [~PE2] display bgp vpnv4 vpn-instance vpna routing-table peer 192.168.3.2 advertised-routes
    
     BGP Local router ID is 2.2.2.2
     Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
                   h - history,  i - internal, s - suppressed, S - Stale
                   Origin : i - IGP, e - EGP, ? - incomplete
     RPKI validation codes: V - valid, I - invalid, N - not-found
    
    
     VPN-Instance vpna, Router ID 2.2.2.2:
    
     Total Number of Routes: 6
           Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
    
     *>i   11.11.11.11/32     1.1.1.1                               0      100 100i
     *>    22.22.22.22/32     192.168.2.2                           0      100 100i
     *>i   192.168.1.0/30     1.1.1.1                               0      100?
     *>    192.168.2.0/30     0.0.0.0         0                     0      100?
     *>    192.168.3.0/30     0.0.0.0         0                     0      100?
     *>    192.168.4.0/30     192.168.2.2                           0      100 100i

    Run the display bgp vpnv4 routing-table command on PE2. You can see the SoO attribute carried in the routes sent from PE2 to CE3.

    [~PE2] display bgp vpnv4 vpn-instance vpna routing-table 11.11.11.11 32
    
     BGP local router ID : 2.2.2.2
     Local AS number : 100
    
     VPN-Instance vpna, Router ID 2.2.2.2:
     Paths:   1 available, 1 best, 1 select, 0 best-external
     BGP routing table entry information of 11.11.11.11/32:
     Remote-Cross route
     Label information (Received/Applied): 16/NULL
     From: 1.1.1.1 (10.1.1.1)
     Route Duration: 0d00h07m49s
     Relay Tunnel Name: LDP LSP
     Original nexthop: 1.1.1.1
     Qos information : 0x0
     Ext-Community: RT <100 : 100>, SoO <100 : 101>
     AS-path 65410, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, select, pre 255
     Advertised to such 1 peers:
        192.168.3.2

    The preceding command output shows that after the BGP SoO attribute is configured, the VPN routes received from CE devices carry the SoO attribute, and PE2 does not send any route to CE2. This indicates that the configured BGP SoO attribute has taken effect.

Configuration Files

  • CE1 configuration file (connected to Site 1)

    #
    sysname CE1
    #
    vlan batch 20 30
    #
    interface Vlanif20
     ip address 192.168.1.2 255.255.255.252
    #
    interface Vlanif30
     ip address 192.168.4.1 255.255.255.252
    #
    interface 10GE1/0/1
     port link-type trunk
     port trunk allow-pass vlan 20
    #
    interface 10GE2/0/2
     port link-type trunk
     port trunk allow-pass vlan 30
    #
    interface LoopBack1
     ip address 11.11.11.11 255.255.255.255
    #
    bgp 65410
     peer 192.168.1.1 as-number 100
     #
     ipv4-family unicast
      network 11.11.11.11 255.255.255.255
      network 192.168.4.0 255.255.255.252
      peer 192.168.1.1 enable
    #
    return

  • CE2 configuration file (connected to Site 1)

    #
    sysname CE2
    #
    vlan batch 10 30
    #
    interface Vlanif10
     ip address 192.168.2.2 255.255.255.252
    #
    interface Vlanif30
     ip address 192.168.4.2 255.255.255.252
    #
    interface 10GE1/0/1
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    interface 10GE2/0/2
     port link-type trunk
     port trunk allow-pass vlan 30
    #
    interface LoopBack1
     ip address 22.22.22.22 255.255.255.255
    #
    bgp 65410
     peer 192.168.2.1 as-number 100
     #
     ipv4-family unicast
      network 22.22.22.22 255.255.255.255
      network 192.168.4.0 255.255.255.252
      peer 192.168.2.1 enable
    #
    return

  • PE1 configuration file

    #
    sysname PE1
    #
    vlan batch 20 40
    #
    ip vpn-instance vpna
     ipv4-family
      route-distinguisher 100:1
      vpn-target 100:100 export-extcommunity
      vpn-target 100:100 import-extcommunity
    #
    mpls lsr-id 1.1.1.1
    #
    mpls
    #
    mpls ldp
     #
     ipv4-family
    #
    interface Vlanif20
     ip binding vpn-instance vpna
     ip address 192.168.1.1 255.255.255.252
    #
    interface Vlanif40
     ip address 10.1.1.1 255.255.255.252
     mpls
     mpls ldp
    #
    interface 10GE1/0/1
     port link-type trunk
     port trunk allow-pass vlan 20
    # 
    interface 10GE2/0/2
     port link-type trunk
     port trunk allow-pass vlan 40
    # 
    interface LoopBack1
     ip address 1.1.1.1 255.255.255.255
    #
    bgp 100
     peer 2.2.2.2 as-number 100
     peer 2.2.2.2 connect-interface LoopBack1
     #
     ipv4-family unicast
      peer 2.2.2.2 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 2.2.2.2 enable
     #
     ipv4-family vpn-instance vpna
      import-route direct
      peer 192.168.1.2 as-number 65410
      peer 192.168.1.2 substitute-as
      peer 192.168.1.2 soo 100:101
    #
    ospf 1
     area 0.0.0.0
      network 1.1.1.1 0.0.0.0
      network 10.1.1.0 0.0.0.3
    #
    return

  • PE2 configuration file

    #
    sysname PE2
    #
    vlan batch 10 40 50
    #
    ip vpn-instance vpna
     ipv4-family
      route-distinguisher 100:2
      vpn-target 100:100 export-extcommunity
      vpn-target 100:100 import-extcommunity
    #
    mpls lsr-id 2.2.2.2
    #
    mpls
    #
    mpls ldp
     #
     ipv4-family
    #
    interface Vlanif10
     ip binding vpn-instance vpna
     ip address 192.168.2.1 255.255.255.252
    #
    interface Vlanif40
     ip address 10.1.1.2 255.255.255.252
     mpls
     mpls ldp
    #
    interface Vlanif50
     ip binding vpn-instance vpna
     ip address 192.168.3.1 255.255.255.252
    #
    interface 10GE1/0/1
     port link-type trunk
     port trunk allow-pass vlan 10
    # 
    interface 10GE2/0/2
     port link-type trunk
     port trunk allow-pass vlan 50
    # 
    interface 10GE3/0/3
     port link-type trunk
     port trunk allow-pass vlan 40
    # 
    interface LoopBack1
     ip address 2.2.2.2 255.255.255.255
    #
    bgp 100
     peer 1.1.1.1 as-number 100
     peer 1.1.1.1 connect-interface LoopBack1
     #
     ipv4-family unicast
      peer 1.1.1.1 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 1.1.1.1 enable
     #
     ipv4-family vpn-instance vpna
      import-route direct
      peer 192.168.2.2 as-number 65410
      peer 192.168.2.2 substitute-as
      peer 192.168.2.2 soo 100:101
      peer 192.168.3.2 as-number 65410
      peer 192.168.3.2 substitute-as
      peer 192.168.3.2 soo 100:102
    #
    ospf 1
     area 0.0.0.0
      network 2.2.2.2 0.0.0.0
      network 10.1.1.0 0.0.0.3
    #
    return

  • CE3 configuration file (connected to Site 2)

    #
    sysname CE3
    #
    vlan 50
    #
    interface Vlanif50
     ip address 192.168.3.2 255.255.255.252
    #
    interface 10GE1/0/1
     port link-type trunk
     port trunk allow-pass vlan 50
    #
    interface LoopBack1
     ip address 33.33.33.33 255.255.255.255
    #
    bgp 65410
     peer 192.168.3.1 as-number 100
     #
     ipv4-family unicast
      network 33.33.33.33 255.255.255.255
      peer 192.168.3.1 enable
    #
    return
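
The following audit is an added example, not part of the Huawei guide. Because `substitute-as` removes the AS-path loop check on the CE side, it flags PE-CE peers that have AS substitution enabled but no `soo`, and it applies the SoO comparison described in the networking requirements to the `Ext-Community` line shown in the verification step. The function names are hypothetical, the configuration text is trimmed from the PE2 file above and is assumed to start at column 0, and the variant without CE3's SoO is constructed.

```python
import re

# Trimmed from the PE2 configuration file on this page (assumed to start at column 0).
PE2_CONFIG = """\
bgp 100
 #
 ipv4-family vpnv4
  peer 1.1.1.1 enable
 #
 ipv4-family vpn-instance vpna
  peer 192.168.2.2 as-number 65410
  peer 192.168.2.2 substitute-as
  peer 192.168.2.2 soo 100:101
  peer 192.168.3.2 as-number 65410
  peer 192.168.3.2 substitute-as
  peer 192.168.3.2 soo 100:102
#
"""
# Constructed variant: the SoO line for CE3 has been left out.
PE2_NO_SOO_CE3 = PE2_CONFIG.replace("  peer 192.168.3.2 soo 100:102\n", "")
# Ext-Community line as shown in the route detail output on this page.
ROUTE_DETAIL = " Ext-Community: RT <100 : 100>, SoO <100 : 101>"
PEER_RE = re.compile(r"peer (\S+) (as-number \S+|substitute-as|soo (\S+))")


def parse_vpn_peers(config):
    """Return {vpn: {peer_ip: {"substitute_as": bool, "soo": str or None}}}."""
    peers, vpn = {}, None
    for line in config.splitlines():
        text = line.strip()
        if m := re.fullmatch(r"ipv4-family vpn-instance (\S+)", text):
            vpn = m.group(1)
            peers.setdefault(vpn, {})
        elif text.startswith("ipv4-family") or line[:1] not in (" ", ""):
            vpn = None  # another address family or a top-level line: left the view
        elif vpn and (m := PEER_RE.fullmatch(text)):
            entry = peers[vpn].setdefault(m.group(1), {"substitute_as": False, "soo": None})
            if m.group(2) == "substitute-as":
                entry["substitute_as"] = True
            elif m.group(3):
                entry["soo"] = m.group(3)
    return peers


def missing_soo(peers):
    """(vpn, peer) pairs that have substitute-as but no SoO to prevent loops."""
    return sorted((vpn, ip) for vpn, ps in peers.items()
                  for ip, p in ps.items() if p["substitute_as"] and not p["soo"])


def route_soo(detail):
    """Extract the SoO value from an 'Ext-Community:' display line, or None."""
    m = re.search(r"SoO <(\d+) : (\d+)>", detail)
    return f"{m.group(1)}:{m.group(2)}" if m else None


def eligible_peers(peers, vpn, soo):
    """Peers whose configured SoO differs from the route's SoO, so it may be sent."""
    return sorted(ip for ip, p in peers[vpn].items() if soo is None or p["soo"] != soo)
```
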
Updated: 2019-04-03

Document ID: EDOC1100075353