Version information: SPE NE08E VRP3.3 05xx
UPE AR28 VRP3.4 01xx
Note: NE40 acts as central PE and connects many NE08E as star-type. NE08E attaches AR28 and forms hierarchical PE. Each PE deploys many VPN. One VPN has many export RT and import RT. Central NE40 binds vpn-instance through many logical interfaces and connects with Firewall. Firewall finishes VPN insulation and NAT conversion out of public network. On SPE flood VPN default route for UPE and guides upstream traffic.
Phenomenon: UPE attaches CE users cannot access external network.
1. Check VPN route on UPE and disp ip route vpn-instance ...Default route can be learnt and two default routes can be learnt in one vpn-instance.
2. Check configuration of UPE IP Vpn-instance. It is found that UPE configures many export RT and import RT.
3. Check SPE configuration. SPE has RT mutual import of many VPN. It floods default route learnt from two VPN to UPE through export RT. Default route matches many import RT of IP Vpn-instance of UPE. UPE learns many default routes in one VPN. UPE attaches CE traffic and uplinks to SPE. And then there are many different BGP next-hops. State table cannot be set up on firewall and user cannot access public network.
4. Configure one import RT in each vpn-instance on UPE and one default route can be learnt. UPE users can access public network.
1. UPE does not learn default route.
2. The firewall does not set up state table.
Compared with common PE or SPE, UPE in hierarchical PE only needs default route to guide upstream traffic. When configuring RT, it can configure many export RT but only one import RT.