
Quidway S7700 Smart Routing Switch

V100R006C00

Configuration Guide - VPN

Issue 01
Date 2011-07-15

HUAWEI TECHNOLOGIES CO., LTD.


Copyright Huawei Technologies Co., Ltd. 2011. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://www.huawei.com
Email: support@huawei.com

Issue 01 (2011-07-15) Huawei Proprietary and Confidential i



About This Document

Intended Audience
This document provides the basic concepts, configuration procedures, and configuration
examples in different application scenarios of the VPN feature supported by the S7700 device.
This document describes how to configure the VPN feature.

NOTE

The S7700 is controlled by the license. By default, the MPLS function is disabled on the S7700. To use the
MPLS function of the S7700, buy the license from the local Huawei office.

This document is intended for:

- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol Description

DANGER Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.

WARNING Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.

CAUTION Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.

TIP Indicates a tip that may help you solve a problem or save time.

NOTE Provides additional information to emphasize or supplement important points of the main text.


Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention Description

Boldface The keywords of a command line are in boldface.

Italic Command arguments are in italics.

[] Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... } Optional items are grouped in braces and separated by vertical bars. One item is selected.

[ x | y | ... ] Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.

{ x | y | ... }* Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.

[ x | y | ... ]* Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.

&<1-n> The parameter before the & sign can be repeated 1 to n times.

# A line starting with the # sign is a comment.

Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.

Changes in Issue 01 (2011-07-15)


Initial commercial release.


Contents

About This Document

1 VPN Tunnel Management Configuration
1.1 Introduction to VPN Tunnels
1.2 VPN Tunnel Features Supported by the S7700
1.3 Configuring a Tunnel Interface
1.3.1 Establishing the Configuration Task
1.3.2 Creating Tunnel Interfaces
1.3.3 Configuring a Tunnel
1.3.4 Checking the Configuration
1.4 Configuring Tunnel Policies Applied to L3VPN
1.4.1 Establishing the Configuration Task
1.4.2 Configuring a Tunnel Policy
1.4.3 Applying the Tunnel Policy to L3VPN
1.4.4 Checking the Configuration
1.5 Configuring Tunnel Policies Applied to L2VPN
1.5.1 Establishing the Configuration Task
1.5.2 Configuring a Tunnel Policy
1.5.3 Applying the Tunnel Policy to L2VPN
1.5.4 Checking the Configuration
1.6 Configuring L3VPN Tunnel Binding
1.6.1 Establishing the Configuration Task
1.6.2 Enabling the VPN Binding for a Tunnel
1.6.3 Configuring the VPN Binding of the Tunnel Policy
1.6.4 Applying the Tunnel Policy to the L3VPN
1.6.5 Checking the Configuration
1.7 Configuring L2VPN Tunnel Binding
1.7.1 Establishing the Configuration Task
1.7.2 Enabling the VPN Binding for a Tunnel
1.7.3 Configuring the VPN Binding of the Tunnel Policy
1.7.4 Applying the Tunnel Policy to the Martini L2VPN
1.7.5 Checking the Configuration
1.8 Maintaining a VPN Tunnel
1.8.1 Monitoring the Running Status of a Tunnel
1.8.2 Debugging a Tunnel
1.9 Configuration Examples
1.9.1 Example for Configuring Tunnel Policies for the L3VPN
1.9.2 Example for Binding a Tunnel to the Martini L2VPN

2 GRE Configuration
2.1 Introduction to GRE
2.2 GRE Features Supported by the S7700
2.3 Configuring GRE
2.3.1 Establishing the Configuration Task
2.3.2 Configuring a Tunnel Interface
2.3.3 Configuring Routes for the Tunnel
2.3.4 Checking the Configuration
2.4 Configuring a GRE Tunnel Between CE and PE
2.4.1 Establishing the Configuration Task
2.4.2 Configuring the GRE Tunnel Interface on CE
2.4.3 Configuring the GRE Tunnel Interface on PE
2.4.4 Binding the GRE Tunnel with the VPN to Which CE belongs on PE
2.4.5 Checking the Configuration
2.5 Configuring the Keepalive Function
2.5.1 Establishing the Configuration Task
2.5.2 Enabling the Keepalive Function
2.5.3 Checking the Configuration
2.6 Maintaining GRE
2.6.1 Resetting the Statistics of a Tunnel Interface
2.6.2 Monitoring the Running Status of GRE
2.6.3 Debugging GRE
2.7 Configuration Examples
2.7.1 Example for Configuring Static Routes on the GRE Tunnel
2.7.2 Example for Configuring the Dynamic Routing Protocol on the GRE Tunnel
2.7.3 Example for Configuring the CE to Access a VPN Through a GRE Tunnel of the Public Network
2.7.4 Example for Configuring the Keepalive Function for GRE

3 BGP MPLS IP VPN Configuration
3.1 Introduction to BGP/MPLS IP VPN
3.2 BGP/MPLS IP VPN Features Supported by the S7700
3.3 Configuring a VPN Instance
3.3.1 Establishing the Configuration Task
3.3.2 Creating a VPN Instance
3.3.3 Configuring Attributes for the VPN Instance
3.3.4 (Optional) Applying a Tunnel Policy to the VPN Instance
3.3.5 (Optional) Configuring MPLS Label Allocation Based on the VPN Instance
3.3.6 Checking the Configuration
3.4 Configuring Basic BGP/MPLS IP VPN
3.4.1 Establishing the Configuration Task
3.4.2 Configuring a VPN Instance
3.4.3 Binding an Interface with a VPN Instance
3.4.4 Configuring MP-IBGP Between PEs
3.4.5 Configuring a Routing Protocol Between a PE and a CE
3.4.6 Checking the Configuration
3.5 Configuring Hub and Spoke
3.5.1 Establishing the Configuration Task
3.5.2 Creating a VPN Instance
3.5.3 Configuring Route Attributes of the VPN Instance
3.5.4 Binding an Interface with the VPN Instance
3.5.5 Configuring MP-IBGP Between Hub-PE and Spoke-PE
3.5.6 Configuring Route Exchange Between PE and CE
3.5.7 Checking the Configuration
3.6 Configuring Inter-AS VPN Option A
3.6.1 Establishing the Configuration Task
3.6.2 Configuring Inter-AS VPN Option A
3.6.3 Checking the Configuration
3.7 Configuring Inter-AS VPN Option B
3.7.1 Establishing the Configuration Task
3.7.2 Configuring MP-IBGP Between PEs and ASBRs in the Same AS
3.7.3 Configuring MP-EBGP Between ASBRs in Different ASs
3.7.4 Controlling the Receiving and Sending of VPN Routes by Using Routing Policies
3.7.5 (Optional) Storing Information About the VPN Instance on the ASBR
3.7.6 (Optional) Enabling Next-Hop-based Label Allocation on the ASBR
3.7.7 Configuring the Routing Protocol Between CE and PE
3.7.8 Checking the Configuration
3.8 Configuring HoVPN
3.8.1 Establishing the Configuration Task
3.8.2 Specifying UPE
3.8.3 Advertising Default Routes of a VPN Instance
3.8.4 Checking the Configuration
3.9 Configuring OSPF Sham Link
3.9.1 Establishing the Configuration Task
3.9.2 Configuring the Loopback Address of the Sham Link
3.9.3 Advertising Routes of End Address of the Sham Link
3.9.4 Creating a Sham Link
3.9.5 Checking the Configuration
3.10 Configuring a Multi-VPN-Instance CE
3.10.1 Establishing the Configuration Task
3.10.2 Configuring the OSPF Multi-Instance on the PE
3.10.3 Configuring the OSPF Multi-Instance on the Multi-Instance CE
3.10.4 Canceling the Loop Detection on the Multi-Instance CE
3.10.5 Checking the Configuration
3.11 Connecting VPN and the Internet
3.11.1 Establishing the Configuration Task
3.11.2 Configuring the Static Route on the CE
3.11.3 Configuring the Private Network Static Route on the PE
3.11.4 Configuring the Static Route to VPN on the Device of the Public Network
3.11.5 Checking the Configuration
3.12 Configuring VPN FRR
3.12.1 Establishing the Configuration Task
3.12.2 Configuring Manual VPN FRR
3.12.3 Configuring VPN Auto FRR
3.12.4 Checking the Configuration
3.13 Configuring VPN GR
3.13.1 Establishing the Configuration Task
3.13.2 Configuring IGP GR on the Backbone Network
3.13.3 Configuring MPLS GR on the Backbone Network
3.13.4 Configuring GR of the Routing Protocol Between PEs and CEs
3.13.5 Configuring BGP GR for MP-BGP
3.13.6 Checking the Configuration
3.14 Configuring Route Reflection to Optimize the VPN Backbone Layer
3.14.1 Establishing the Configuration Task
3.14.2 Configuring the Client PEs to Establish MP IBGP Connections with the RR
3.14.3 Configuring the RR to Establish MP IBGP Connections with the Client PEs
3.14.4 Configuring Route Reflection for BGP IPv4 VPN routes
3.14.5 Checking the Configuration
3.15 Configuring Route Reflection to Optimize the VPN Access Layer
3.15.1 Establishing the Configuration Task
3.15.2 Configuring All Client CEs to Establish IBGP Connections with the RR
3.15.3 Configuring the RR to Establish MP IBGP Connections with All Client CEs
3.15.4 Configuring Route Reflection for the Routes of the BGP VPN Instance
3.15.5 Checking the Configuration
3.16 Maintaining BGP/MPLS IP VPN
3.16.1 Viewing the Integrated Route Statistics of All IPv4 VPN Instances
3.16.2 Displaying BGP/MPLS IP VPN Information
3.16.3 Checking the Network Connectivity and Reachability
3.16.4 Resetting BGP Statistics of a VPN Instance
3.16.5 Resetting BGP Connections
3.16.6 Debugging BGP/MPLS IP VPN
3.17 Configuration Examples
3.17.1 Example for Configuring the BGP/MPLS IP VPN
3.17.2 Example for Configuring Overlapping Addresses in Two BGP/MPLS IP VPNs..............................186


3.17.3 Example for Configuring Mutual Access Between VPNs on S7700..................................................196
3.17.4 Example for Configuring Mutual Access for Local VPNs on SPU Board.........................................201
3.17.5 Example for Configuring BGP ASN Substitution...............................................................................204
3.17.6 Example for Configuring Hub&Spoke................................................................................................211
3.17.7 Example for Configuring Inter-AS VPN Option A.............................................................................220
3.17.8 Example for Configuring Inter-AS VPN Option B.............................................................................230
3.17.9 Example for Configuring the HoVPN.................................................................................................237
3.17.10 Example for Configuring the OSPF Sham Link................................................................................245
3.17.11 Example for Configuring the Multi-VPN-Instance CE.....................................................................257
3.17.12 Example for Connecting a VPN to the Internet.................................................................................269
3.17.13 Example for Configuring CE Dual-Homing.....................................................................................276
3.17.14 Example for Configuring VPN FRR.................................................................................................291
3.17.15 Example for Configuring VPN GR...................................................................................................299
3.17.16 Example for Configuring Double RRs to Optimize VPN Backbone Layer......................................310

4 BGP MPLS IPv6 VPN Configuration....................................................................................321


4.1 Introduction to BGP/MPLS IPv6 VPN..........................................................................................................323
4.2 BGP/MPLS IPv6 VPN Features Supported by the S7700.............................................................................324
4.3 Configuring an IPv6 VPN Instances..............................................................................................................324
4.3.1 Establishing the Configuration Task.....................................................................................................324
4.3.2 Creating an IPv6 VPN Instance.............................................................................................................325
4.3.3 Configuring Attributes for the IPv6 VPN Instance...............................................................................326
4.3.4 (Optional) Configuring MPLS Label Allocation Based on the IPv6 VPN Instance.............................327
4.3.5 Checking the Configuration...................................................................................................................328
4.4 Configuring Basic BGP/MPLS IPv6 VPN.....................................................................................................329
4.4.1 Establishing the Configuration Task.....................................................................................................329
4.4.2 Configuring an IPv6 VPN Instance.......................................................................................................330
4.4.3 Binding an Interface to an IPv6 VPN Instance......................................................................................330
4.4.4 Configuring MP-IBGP Between PEs....................................................................................................331
4.4.5 Configuring Route Exchange Between PE and CE...............................................................................332
4.4.6 Checking the Configuration...................................................................................................................339
4.5 Configuring Hub and Spoke...........................................................................................................................340
4.5.1 Establishing the Configuration Task.....................................................................................................340
4.5.2 Configuring an IPv6 VPN Instance.......................................................................................................341
4.5.3 Configuring Route Related Attributes of an IPv6 VPN Instance..........................................................342
4.5.4 Binding an Interface to an IPv6 VPN Instance......................................................................................344
4.5.5 Configuring MP-IBGP Between Hub-PE and Spoke-PE......................................................................345
4.5.6 Configuring Route Exchange Between PE and CE...............................................................................346
4.5.7 Checking the Configuration...................................................................................................................347
4.6 Configuring a Tunnel Policy applied to BGP/MPLS IPv6 VPN....................................................................348
4.6.1 Establishing the Configuration Task.....................................................................................................348
4.6.2 Configuring a Tunnel Policy.................................................................................................................349
4.6.3 Applying the Tunnel Policy to the IPv6 VPN.......................................................................................350
4.6.4 Checking the Configuration...................................................................................................................350
4.7 Configuring Inter-AS IPv6 VPN-Option A....................................................................................................351
4.7.1 Establishing the Configuration Task.....................................................................................................351
4.7.2 Configuring Inter-AS IPv6 VPN Option A...........................................................................................352
4.7.3 Checking the Configuration...................................................................................................................353
4.8 Configuring Inter-AS IPv6 VPN-Option B....................................................................................................353
4.8.1 Establishing the Configuration Task.....................................................................................................354
4.8.2 Configuring MP-IBGP Between PEs and ASBRs in the Same AS......................................................355
4.8.3 Configuring MP-EBGP Between ASBRs in Different ASs..................................................................355
4.8.4 Controlling the Receiving and Sending of VPN Routes.......................................................................356
4.8.5 (Optional) Storing Information About the IPv6 VPN instance on the ASBRs.....................................357
4.8.6 (Optional) Enabling Next-Hop-based Label Allocation on the ASBR.................................................358
4.8.7 Configuring Route Exchange Between PE and CE...............................................................................359
4.8.8 Checking the Configuration...................................................................................................................359
4.9 Configuring Route Reflection for BGP VPNv6 Routes.................................................................................360
4.9.1 Establishing the Configuration Task.....................................................................................................360
4.9.2 Configuring the Client PEs to Establish MP IBGP Connections with the RR......................................361
4.9.3 Configuring the RR to Establish MP IBGP Connections with All Client PEs......................................362
4.9.4 Configuring Route Reflection for BGP VPNv6 Routes........................................................................363
4.9.5 Checking the Configuration...................................................................................................................364
4.10 Maintaining BGP/MPLS IPv6 VPN.............................................................................................................365
4.10.1 Displaying BGP/MPLS IPv6 VPN Information..................................................................................365
4.10.2 Checking the Network Connectivity and Reachability.......................................................................366
4.10.3 Viewing the Integrated Route Statistics of all IPv6 VPN Instances....................................................367
4.10.4 Resetting BGP Statistics of IPv6 VPN instance..................................................................................367
4.10.5 Resetting BGP Connections................................................................................................................367
4.10.6 Debugging BGP/MPLS IPv6 VPN......................................................................................................368
4.11 Configuration Examples...............................................................................................................................369
4.11.1 Example for Configuring Basic BGP/MPLS IPv6 VPN........................................................................369
4.11.2 Example for Configuring Hub&Spoke (Using BGP4+ Between PE and CE)....................................383
4.11.3 Example for Configuring Hub&Spoke (Using the Default Route Between Hub-PE and Hub-CE)........395
4.11.4 Example for Configuring Inter-AS IPv6 VPN Option A....................................................................408
4.11.5 Example for Configuring Dual-Homed CEs.......................................................................................419
4.11.6 Example for Configuring a VPNv6 RR...............................................................................................438

5 VLL Configuration....................................................................................................................446
5.1 Introduction to VLL........................................................................................................................................448
5.2 VLL Features Supported by the S7700..........................................................................................................449
5.3 Configuring CCC VLL...................................................................................................................................454
5.3.1 Establishing the Configuration Task.....................................................................................................454
5.3.2 Enabling the MPLS L2VPN..................................................................................................................455
5.3.3 Creating a Local CCC Connection........................................................................................................455
5.3.4 Creating a Remote CCC Connection.....................................................................................................456
5.3.5 Checking the Configuration...................................................................................................................457
5.4 Configuring the SVC VLL.............................................................................................................................458
5.4.1 Establishing the Configuration Task.....................................................................................................458
5.4.2 Enabling MPLS L2VPN........................................................................................................................459
5.4.3 Creating an SVC VLL Connection........................................................................................................459
5.4.4 Checking the Configuration...................................................................................................................460
5.5 Configuring Martini VLL...............................................................................................................................461
5.5.1 Establishing the Configuration Task.....................................................................................................461
5.5.2 Enabling MPLS L2VPN........................................................................................................................462
5.5.3 Creating a Martini VLL Connection.....................................................................................................462
5.5.4 Checking the Configuration...................................................................................................................463
5.6 Configuring Kompella VLL...........................................................................................................................464
5.6.1 Establishing the Configuration Task.....................................................................................................464
5.6.2 Enabling MPLS L2VPN........................................................................................................................465
5.6.3 Configuring BGP/MPLS L2VPN..........................................................................................................466
5.6.4 Configuring a VPN................................................................................................................................466
5.6.5 Creating a CE Connection.....................................................................................................................468
5.6.6 (Optional) Configuring BGP L2VPN Features.....................................................................................469
5.6.7 Checking the Configuration...................................................................................................................471
5.7 Configuring Inter-AS Martini VLL................................................................................................................472
5.7.1 Establishing the Configuration Task.....................................................................................................472
5.7.2 Configuring Inter-AS Option A.............................................................................................................473
5.7.3 Checking the Configuration...................................................................................................................473
5.8 Configuring the Inter-AS Kompella VLL......................................................................................................474
5.8.1 Establishing the Configuration Task.....................................................................................................474
5.8.2 Configuring the Inter-AS Kompella VLL Option A.............................................................................475
5.8.3 Checking the Configuration...................................................................................................................476
5.9 Configuring VLL FRR...................................................................................................................................477
5.9.1 Establishing the Configuration Task.....................................................................................................477
5.9.2 Configuring Master and Backup PWs...................................................................................................478
5.9.3 (Optional) Configuring Fast Fault Notification - Physical Layer Fault Notification............................480
5.9.4 (Optional) Configuring BFD for PW.....................................................................................................481
5.9.5 (Optional) Configuring the Revertive Switchover................................................................................481
5.9.6 Checking the Configuration...................................................................................................................482
5.10 Maintaining VLL..........................................................................................................................................485
5.10.1 Enabling Traffic Statistics on the VLL................................................................................................485
5.10.2 Viewing Traffic Statistics on the VLL................................................................................................486
5.10.3 Resetting Traffic Statistics on the VLL...............................................................................................486
5.10.4 Resetting BGP TCP Connections of VLL...........................................................................................486
5.10.5 Monitoring the Running Status of VLL..............................................................................................487
5.10.6 Debugging VLL...................................................................................................................................487
5.10.7 Checking Connectivity of the VLL Network......................................................................................488
5.11 Configuration Examples...............................................................................................................................489
5.11.1 Example for Configuring a Local CCC Connection...........................................................................489
5.11.2 Example for Configuring a Remote CCC Connection........................................................................493
5.11.3 Example for Configuring an SVC VLL..............................................................................................499
5.11.4 Example for Configuring a Martini VLL............................................................................................505
5.11.5 Example for Configuring a Local Kompella VLL..............................................................................511
5.11.6 Example for Configuring a Remote Kompella Connection................................................................514
5.11.7 Example for Configuring the Inter-AS Martini VLL Option A..........................................................521
5.11.8 Example for Configuring the Inter-AS Kompella VLL Option A......................................................528

6 PWE3 Configuration.................................................................................................................539
6.1 Introduction to PWE3.....................................................................................................................................541
6.2 PWE3 Features Supported by the S7700........................................................................................................542
6.3 Configuring the Attributes of a PW Template................................................................................................551
6.3.1 Establishing the Configuration Task.....................................................................................................551
6.3.2 Creating a PW Template........................................................................................................................552
6.3.3 Setting the Attributes for a PW Template.............................................................................................553
6.3.4 Checking the Configuration...................................................................................................................554
6.4 Configuring a Static PW.................................................................................................................................554
6.4.1 Establishing the Configuration Task.....................................................................................................555
6.4.2 Enabling MPLS L2VPN........................................................................................................................555
6.4.3 Creating a Static PW..............................................................................................................................556
6.4.4 Checking the Configuration...................................................................................................................556
6.5 Configuring a Dynamic PW...........................................................................................................................557
6.5.1 Establishing the Configuration Task.....................................................................................................557
6.5.2 Enabling MPLS L2VPN........................................................................................................................558
6.5.3 Creating a Dynamic PW........................................................................................................................558
6.5.4 Checking the Configuration...................................................................................................................559
6.6 Configuring PW Switching............................................................................................................................560
6.6.1 Establishing the Configuration Task.....................................................................................................560
6.6.2 Configuring PW Switching...................................................................................................................561
6.6.3 Checking the Configuration...................................................................................................................563
6.7 Configuring a Backup PW..............................................................................................................................564
6.7.1 Establishing the Configuration Task.....................................................................................................564
6.7.2 Configuring a Backup PW.....................................................................................................................565
6.7.3 Checking the Configuration...................................................................................................................566
6.8 Configuring Static BFD for PW.....................................................................................................................568
6.8.1 Establishing the Configuration Task.....................................................................................................568
6.8.2 Enabling BFD Globally.........................................................................................................................569
6.8.3 Enabling the Sending of BFD for PW Packets to the Protocol Stack...................................................569
6.8.4 Configuring BFD for PW......................................................................................................................569
6.8.5 Checking the Configuration...................................................................................................................570
6.9 Configuring Dynamic BFD for PW................................................................................................................571
6.9.1 Establishing the Configuration Task.....................................................................................................572
6.9.2 Enabling BFD Globally.........................................................................................................................572
6.9.3 Enabling the Sending of BFD for PW Packets to the Protocol Stack...................................................573
6.9.4 Configuring the Attributes of a PW Template.......................................................................................573
6.9.5 (Optional) Adjusting BFD Parameters..................................................................................................574
6.9.6 Configuring PWs...................................................................................................................................574
6.9.7 Triggering Dynamic BFD for PW.........................................................................................................574
6.9.8 Checking the Configuration...................................................................................................................575
6.10 Configuring PWE3 FRR...............................................................................................................................576
6.10.1 Establishing the Configuration Task...................................................................................................576
6.10.2 Configuring Primary and Backup PWs...............................................................................................577
6.10.3 (Optional) Configuring BFD for PW...................................................................................................579
6.10.4 (Optional) Configuring the Revertive Switchover..............................................................................579
6.10.5 Checking the Configuration.................................................................................................................580
6.11 Configuring Inter-AS PWE3........................................................................................................................583
6.11.1 Establishing the Configuration Task...................................................................................................583
6.11.2 Configuring Inter-AS PWE3-Option A...............................................................................................584
6.11.3 Checking the Configuration.................................................................................................................584
6.12 Maintaining PWE3.......................................................................................................................................586
6.12.1 Verifying the Connectivity of a PW....................................................................................................586
6.12.2 Locating a Fault of a PW.....................................................................................................................587
6.12.3 Debugging a PWE3.............................................................................................................................588
6.13 Configuration Examples...............................................................................................................................588
6.13.1 Example for Configuring a Dynamic SH-PW.....................................................................................589
6.13.2 Example for Configuring a Static MH-PW.........................................................................................595
6.13.3 Example for Configuring a Dynamic MH-PW....................................................................................602
6.13.4 Example for Configuring a Mixed MH-PW........................................................................................613
6.13.5 Example for Configuring Static BFD for PW.....................................................................................620
6.13.6 Example for Configuring Dynamic BFD for SH-PW.........................................................................635
6.13.7 Example for Configuring Dynamic BFD for MH-PW........................................................................645
6.13.8 Example for Configuring Inter-AS PWE3-Option A..........................................................................659

7 VPLS Configuration..................................................................................................................667
7.1 Introduction to VPLS......................................................................................................................................669
7.2 VPLS Features Supported by the S7700........................................................................................................670
7.3 Configuring Kompella VPLS.........................................................................................................................681
7.3.1 Establishing the Configuration Task.....................................................................................................681
7.3.2 Enabling the BGP Peer to Exchange VPLS Information......................................................................682
7.3.3 Creating a VSI and Configuring BGP Signaling...................................................................................683
7.3.4 (Optional) Configuring Huawei Devices to Communicate with Non-Huawei Devices........................685
7.3.5 Binding the VSI to an AC Interface......................................................................................................686
7.3.6 (Optional) Configuring the Features of Kompella VPLS......................................................................688
7.3.7 Checking the Configuration...................................................................................................................689
7.4 Configuring Martini VPLS.............................................................................................................................691
7.4.1 Establishing the Configuration Task.....................................................................................................691
7.4.2 Creating a VSI and Configuring LDP Signaling...................................................................................692
7.4.3 Binding the VSI to an AC Interface......................................................................................................693
7.4.4 Checking the Configuration...................................................................................................................695
7.5 Configuring LDP HVPLS..............................................................................................................................697
7.5.1 Establishing the Configuration Task.....................................................................................................697
7.5.2 Configuring SPE....................................................................................................................................698
7.5.3 Configuring UPE...................................................................................................................................699
7.5.4 Checking the Configuration...................................................................................................................699
7.6 Configuring the Static VLL to Access the VPLS Network............................................................................700
7.6.1 Establishing the Configuration Task.....................................................................................................700
7.6.2 Configuring a UPE to Access an SPE Through a Static VLL...............................................................701
7.6.3 Configuring the UPE to Access the SPE Through the Static VLL.......................................................701
7.6.4 Binding the VSI of the SPE with the VLL............................................................................................702
7.6.5 Checking the Configuration...................................................................................................................703
7.7 Configuring Inter-AS Kompella VPLS..........................................................................................................705
7.7.1 Establishing the Configuration Task.....................................................................................................705
7.7.2 Configuring Inter-AS Kompella VPLS Option A.................................................................................706
7.7.3 Checking the Configuration...................................................................................................................707
7.8 Configuring Inter-AS Martini VPLS..............................................................................................................709
7.8.1 Establishing the Configuration Task
7.8.2 Configuring Inter-AS Martini VPLS Option A
7.8.3 Checking the Configuration
7.9 Configuring Dual-homed Kompella VPLS
7.9.1 Establishing the Configuration Task
7.9.2 Creating VSIs and Configuring BGP Signaling
7.9.3 Configuring the Multi-homed Preference for a VSI
7.9.4 Binding a VSI to an AC Interface
7.9.5 Checking the Configuration
7.10 Configuring Related Parameters of a VSI
7.10.1 Establishing the Configuration Task
7.10.2 Configuring General Parameters of the VSI
7.10.3 Configuring MAC Address Learning
7.10.4 Configuring a VSI to Ignore the AC Status
7.11 Configuring Suppression on VPLS Traffic
7.11.1 Establishing the Configuration Task
7.11.2 Configuring VSI-based Traffic Suppression
7.11.3 Checking the Configuration
7.12 Maintaining VPLS


7.12.1 Collecting the Statistics of the Traffic on a VPLS PW
7.12.2 Checking the Traffic on a VPLS PW
7.12.3 Clearing the Traffic Statistics
7.12.4 Checking the Consistency of VPN Configurations (Service Ping)
7.12.5 Debugging VPLS
7.12.6 Enabling or Disabling VSI
7.12.7 Clearing MAC Address Entries
7.12.8 Checking the MAC Address Learning Capability
7.12.9 Checking Connectivity of the VPLS Network
7.13 Configuration Examples
7.13.1 Example for Configuring Martini VPLS
7.13.2 Example for Configuring Kompella VPLS
7.13.3 Example for Configuring VPLS over TE in Martini Mode
7.13.4 Example for Configuring LDP HVPLS
7.13.5 Example for Configuring Static VLLs to Access a VPLS Network
7.13.6 Example for Configuring Dynamic VLLs to Access a VPLS Network
7.13.7 Example for Configuring Inter-AS Martini VPLS Option A
7.13.8 Example for Configuring Inter-AS Kompella VPLS Option A

8 VPLS Convergence Configuration

8.1 VPLS Convergence Overview
8.2 VPLS Convergence Supported by the S7700
8.3 Configuring VPLS Convergence (UPE Directly Connected to the NPE)
8.3.1 Establishing the Configuration Task
8.3.2 Configuring the mVSI
8.3.3 Configuring the Binding Relations for the mVSI
8.3.4 Checking the Configuration
8.4 Configuring BFD for VSI PW
8.4.1 Establishing the Configuration Task
8.4.2 Enabling BFD Globally
8.4.3 Enabling the Sending of BFD for VSI-PW Packets to the Protocol Stack
8.4.4 Establishing BFD Sessions
8.4.5 Checking the Configuration
8.5 Maintaining VPLS Convergence
8.5.1 Debugging VPLS Convergence
8.6 Configuration Examples
8.6.1 Example for Configuring the mVSI


1 VPN Tunnel Management Configuration

About This Chapter

VPN tunnel management involves the creation, management, and maintenance of VPN tunnels.

1.1 Introduction to VPN Tunnels


This part briefly introduces VPN tunnels, including such commonly-used VPN tunnels as LSPs,
TE tunnels, and GRE tunnels, and the configuration and management of these VPN tunnels.
1.2 VPN Tunnel Features Supported by the S7700
The S7700 supports such VPN tunnel features as the select-sequence tunnel policy and tunnel
binding policy.
1.3 Configuring a Tunnel Interface
Tunnel interfaces are point-to-point virtual interfaces that are used for encapsulating packets.
Similar to loopback interfaces, tunnel interfaces are logical interfaces.
1.4 Configuring Tunnel Policies Applied to L3VPN
By default, the system selects an LSP and performs no load balancing. If load balancing or other
types of tunnels are required, you need to configure a select-sequence tunnel policy and apply
the tunnel policy.
1.5 Configuring Tunnel Policies Applied to L2VPN
By default, the system selects LSPs for a VPN and no load balancing is carried out. If load
balancing or other types of tunnels are required, you need to configure a tunnel policy and bind
the tunnel policy to the tunnels.
1.6 Configuring L3VPN Tunnel Binding
VPN tunnel binding refers to the binding between a TE tunnel and a VPN. After the binding,
the TE tunnel is exclusively used by the VPN.
1.7 Configuring L2VPN Tunnel Binding
L2VPN tunnel binding refers to the binding between a TE tunnel and a VPN. After the binding,
the TE tunnel is exclusively used by the VPN.
1.8 Maintaining a VPN Tunnel
Monitor the running status of the VPN tunnel.
1.9 Configuration Examples

This section provides examples for applying a tunnel policy to the L3VPN or L2VPN.


1.1 Introduction to VPN Tunnels


This part briefly introduces VPN tunnels, including such commonly-used VPN tunnels as LSPs,
TE tunnels, and GRE tunnels, and the configuration and management of these VPN tunnels.

In Virtual Private Networks (VPNs), based on the tunnel technology, dedicated transmission
channels, namely, tunnels, can be set up in backbone networks. Packets can then be transparently
transmitted through the tunnels.

Common VPN Tunnels


Common VPN tunnels are described as follows:

- LSP
  When LSPs are adopted as tunnels on the public network of a Multi-Protocol Label Switching
  (MPLS) VPN, IP packet headers are analyzed only on Provider Edges (PEs), rather than
  on each device along which VPN packets are transmitted. In this manner, the time to process
  VPN packets is shortened and the delay of packet transmission decreases. In addition, MPLS
  labels are supported by all link layer protocols. A Label Switched Path (LSP) is similar to
  an Asynchronous Transfer Mode (ATM) Virtual Circuit (VC) or a Frame Relay (FR) VC
  in function and security.
- MPLS TE
  Generally, carriers are required to provide VPN users with Quality of Service (QoS)
  guarantees for various end-to-end services, such as the voice service, video service, key data
  service, and Internet access service. To meet users' requirements, carriers offer MPLS
  Traffic Engineering (MPLS TE) tunnels, which can optimize network resources and offer
  users QoS-guaranteed services.
- GRE
  In an MPLS Layer 3 VPN (MPLS L3VPN), a CE and a PE must have a direct connection.
  If they are not directly connected, a GRE tunnel is generally set up between the CE and the
  PE to ensure that the CE can access the MPLS VPN.

Tunnel Configuration Management


The setup and management of tunnels vary with the tunnel type. For example, GRE tunnels and
MPLS TE tunnels, both of which are Constraint-based Routed LSP (CR-LSP) tunnels, are
managed by using tunnel interfaces, whereas MPLS LSP tunnels are managed without using
tunnel interfaces.

This chapter describes the configurations of tunnel interfaces and general tunnel management.

- Tunnel management: informs the current application about the tunnel status and checks the
  tunnel and tunnel policy based on the destination IP address reported by the application.
- Tunnel policy: selects a tunnel based on the destination IP address.

An application selects tunnels according to the tunnel policy. If no tunnel policy is configured,
the default tunnel policy is selected. By default, no load balancing can be performed among
tunnels, and only one LSP tunnel can be selected.


1.2 VPN Tunnel Features Supported by the S7700


The S7700 supports such VPN tunnel features as the select-sequence tunnel policy and tunnel
binding policy.

An application (such as VPN) selects tunnels according to the tunnel policy. If no tunnel policy
is configured, the tunnel management module selects the tunnel according to the default tunnel
policy.

The tunnel policy can be in either of two modes:


- Select-sequence
- Tunnel binding

These two modes are mutually exclusive.

Select-sequence Mode
With a tunnel policy in select-sequence mode, you can specify the sequence in which tunnel
types are selected and the number of tunnels participating in load balancing.

In the tunnel policy, tunnels are selected in sequence. If a tunnel listed earlier is Up and not
bound, it is selected irrespective of whether another service has selected it. A tunnel listed
later is generally not selected, unless load balancing is carried out or the preceding tunnels
are in the Down state.

For example, in a tunnel policy, both LSPs and CR-LSPs to the same destination can be selected,
and LSPs take priority over CR-LSPs. If LSPs do not exist, a VPN chooses CR-LSPs. After an LSP
is set up, the VPN selects the LSP and does not use CR-LSPs anymore.

If there are multiple eligible tunnels of the same type, one or more tunnels are chosen randomly
in the tunnel policy.

In select-sequence mode, if both CR-LSPs and LSPs can be selected, CR-LSPs take priority over
LSPs, and the number of tunnels in load balancing is 3, tunnels are selected as follows:

- A CR-LSP in the Up state is preferred. If the number of CR-LSPs that are Up is smaller
  than 3 (there are not enough CR-LSPs, or there are enough but some are Down),
  LSPs in the Up state are also selected.
- Suppose three tunnels have been selected, one of which is an LSP. If a CR-LSP tunnel is
  added or a CR-LSP in the Down state goes Up, the CR-LSP is selected and the LSP quits
  the load balancing.
- If the number of tunnels in load balancing at the moment is smaller than the configured
  number, a newly added CR-LSP or LSP in the Up state participates in load balancing.
- The number of tunnels in load balancing is decided by the number of eligible tunnels.
  For example, if only one CR-LSP and one LSP are in the Up state, load balancing is performed
  between them. Tunnels of other types are not selected even if they are Up.
- Load balancing for tunnels differs from load balancing for routes. For example,
  when three CR-LSPs are used for load balancing, they may be on the same path, whereas
  when three routes are used for load balancing, three different paths are actually used.


NOTE

In IPv4 VPN networking, you can configure a maximum of six tunnels for load balancing. In IPv6
VPN networking, the S7700 does not support load balancing by tunnels, that is, the number of
tunnels for load balancing is 1.
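The selection rules above can be checked against a planned policy with a small model. This is an added example, not Huawei code: it generalizes the page's CR-LSP/LSP scenario to any select sequence, and the tunnel names and inventory are constructed.

```python
import random
from typing import NamedTuple

# Upper bounds on load-balance-number, taken from the NOTE above.
MAX_LOAD_BALANCE = {"ipv4": 6, "ipv6": 1}


class Tunnel(NamedTuple):
    name: str            # hypothetical label, for readability only
    kind: str            # "cr-lsp", "lsp" or "gre"
    up: bool = True
    bound: bool = False  # reserved by tunnel binding; never eligible here


def select_tunnels(tunnels, select_seq=("lsp",), load_balance_number=1,
                   family="ipv4", rng=None):
    """Return the tunnels a select-sequence policy would use.

    The defaults model the default policy: one LSP, no load balancing.
    """
    if not 1 <= load_balance_number <= MAX_LOAD_BALANCE[family]:
        raise ValueError("load-balance-number out of range for " + family)
    rng = rng or random.Random()
    chosen = []
    for kind in select_seq:              # types listed earlier win
        free = load_balance_number - len(chosen)
        if free == 0:
            break                        # later types are not consulted
        eligible = [t for t in tunnels
                    if t.kind == kind and t.up and not t.bound]
        rng.shuffle(eligible)            # same-type candidates: random pick
        chosen.extend(eligible[:free])
    return chosen


def names(selection):
    return sorted(t.name for t in selection)


# Constructed inventory of tunnels towards one peer PE.
INVENTORY = [
    Tunnel("te1", "cr-lsp"),
    Tunnel("te2", "cr-lsp"),
    Tunnel("te3", "cr-lsp", up=False),
    Tunnel("te-bound", "cr-lsp", bound=True),
    Tunnel("lsp1", "lsp"),
    Tunnel("gre1", "gre"),
]


def scenario_results():
    """CR-LSP before LSP, three tunnels in load balancing."""
    policy = dict(select_seq=("cr-lsp", "lsp"), load_balance_number=3)
    # Only two CR-LSPs are usable, so one LSP fills the third slot.
    before = select_tunnels(INVENTORY, **policy)
    # te3 goes Up: the CR-LSP takes the slot and the LSP quits the group.
    recovered = [t._replace(up=True) if t.name == "te3" else t
                 for t in INVENTORY]
    after = select_tunnels(recovered, **policy)
    # No policy configured: a single LSP, GRE and CR-LSPs are ignored.
    default = select_tunnels(INVENTORY)
    return names(before), names(after), names(default)


if __name__ == "__main__":
    for label, result in zip(("before", "after", "default"), scenario_results()):
        print(label, result)
```

The bound tunnel never appears in a result, which is the property that keeps a tunnel reserved for one VPN out of every other service's load-balancing group.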

Tunnel Binding Mode


Tunnel binding indicates that a certain TE tunnel can be used only by a specific VPN service.
As shown in Figure 1-1, two MPLS TE tunnels, namely, Tunnel1 and Tunnel2, are set up between
PE1 and PE3.

Figure 1-1 Networking example using VPN primary tunnel binding

[Figure: Site1 (CE1) and Site3 (CE3) belong to VPNA; Site2 (CE2) and Site4 (CE4) belong to VPNB.
TE Tunnel1 for VPNA and TE Tunnel2 for VPNB run between PE1 and PE3 across the VPN backbone.]

The QoS of both VPN A and VPN B is guaranteed if you configure the VPN primary tunnel
binding, that is, binding VPN A with Tunnel 1 and binding VPN B with Tunnel 2. After the
configuration, both VPN A and VPN B use separate TE tunnels. In this manner, services of VPN
A and VPN B are not affected by each other or other services.

The VPN primary tunnel binding has the following features:

- The VPN data to a specific peer PE is always transmitted through the bound TE tunnel.
- The bound TE tunnel cannot be used in select-sequence mode or in load balancing.
- VPN primary tunnel binding can only use the bound primary tunnel for the specific peer
  PE. Other peer PEs, however, adopt the default tunnel policy.

You can arrange network resources by creating MPLS TE tunnels of different QoS features.
Then you can manually configure each TE tunnel to carry the corresponding VPN service.
Therefore, network resources can be optimally used.

1.3 Configuring a Tunnel Interface


Tunnel interfaces are point-to-point virtual interfaces that are used for encapsulating packets.
Similar to loopback interfaces, tunnel interfaces are logical interfaces.


1.3.1 Establishing the Configuration Task


Before configuring a tunnel interface, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This can help you complete
the configuration task quickly and accurately.

Applicable Environments
Tunnels such as GRE and MPLS TE tunnels use a kind of virtual logical interface, that is, tunnel
interface, to forward packets. You must create the tunnel interfaces before using these tunnels.
The source address and destination address of a GRE tunnel uniquely identify the GRE tunnel.
The destination address of a GRE tunnel is the IP address of the real interface that receives
packets. In a GRE tunnel, the source address of the local end is the destination address of the
remote end; the destination address of the local end is the source address of the remote end.
For different purposes, a tunnel interface can be encapsulated differently.

Pre-configuration Tasks
Before configuring a tunnel interface, complete the following tasks:
- Connecting the interfaces, and configuring physical parameters for the interfaces to ensure
  that the physical status of the interfaces is Up
- Configuring parameters of the link layer protocol and IP addresses for the interfaces to
  ensure that the status of the link layer protocol on the interfaces is Up
- If you configure a TE tunnel, enabling MPLS and MPLS TE globally first

Data Preparation
To configure a tunnel interface, you need the following data.

No.  Data
1    Number of the tunnel interface
2    Encapsulation type of the tunnel, source address, source interface, and destination
     address of the tunnel interface

1.3.2 Creating Tunnel Interfaces


You can manage such tunnels as GRE tunnels and TE tunnels by creating tunnel interfaces.

Context
Do as follows on the switches at both ends of a tunnel.

Procedure
Step 1 Run:
system-view


The system view is displayed.


Step 2 Run:
interface tunnel interface-number

A tunnel interface is created.


TIP

When creating a tunnel interface, it is recommended that you set the slot number of the tunnel
interface to the slot number of the interface sending the packets, that is, the interface at the
source end. In this manner, the packet forwarding efficiency can be improved.

----End

1.3.3 Configuring a Tunnel


Tunnel interfaces of different types have different configurations. The command for a specific
feature can be configured on tunnel interfaces only after these tunnel interfaces are configured
with encapsulation modes.

Context
Do as follows on switches with tunnel interfaces.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface tunnel interface-number

The tunnel interface view is displayed.


Step 3 Run:
tunnel-protocol { gre | mpls te | ipv6-ipv4 [ 6to4 | auto-tunnel | isatap ] | ipv4-ipv6 | none }

The encapsulation type of the tunnel is configured.


By default, the encapsulation protocol of a tunnel interface is none.
The related commands of an encapsulation protocol can be run only after the protocol is
encapsulated on the tunnel interface. For example, you can run MPLS TE commands in a tunnel
interface view after the tunnel-protocol mpls te command is configured on the tunnel interface.
Before using the tunnel-protocol mpls te command, enable global MPLS and MPLS TE first.
Step 4 Run:
destination [ vpn-instance vpn-instance-name ] dest-ip-address

The destination address is configured for the tunnel.


The parameter vpn-instance vpn-instance-name is valid only for GRE.
Step 5 (Optional) Run:
source { source-ip-address | loopback interface-number }


The source address or source interface of the tunnel is configured.


Different tunnel interfaces encapsulated with one protocol cannot be configured with the same
source address and destination address.
Whether a source address or a destination address is necessary for a tunnel interface depends on
the tunnel type. For example, an MPLS TE tunnel interface requires only a destination address.
If you use interface-type interface-number to specify the source address of a tunnel, the specified
interface cannot be the local tunnel interface.
Step 6 (Optional) Run:
mtu mtu

The MTU of the interface is configured.


The newly configured MTU is validated only after you run the shutdown command and the
undo shutdown command on the interface in sequence.
Step 7 Choose one of the following methods to configure the IP address of a tunnel interface.
- Run the ip address ip-address { mask | mask-length } [ sub ] command to configure the IP
  address of a tunnel interface.
- Run the ip address unnumbered interface interface-type interface-number command to
  configure IP unnumbered on the tunnel interface.
NOTE

For details, refer to the chapter "IP Addresses Configuration" in the Quidway S7700 Smart Routing Switch
Configuration Guide - IP Services.

----End
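The constraints stated in Steps 3 to 7 can be checked before a change is pushed to a device. The following is an added example, not part of the Huawei guide: it validates a planned set of tunnel interfaces against those constraints, renders the command sequence in the order the procedure gives, and checks that the two ends of a GRE tunnel mirror each other as described in 1.3.1. The addresses and MTU are constructed sample values, and quit (the VRP command that leaves a view) does not appear in the procedure above.

```python
import ipaddress
from typing import NamedTuple, Optional


class TunnelIf(NamedTuple):
    number: str                         # interface-number, e.g. "1/0/0"
    protocol: str                       # "gre" or "mpls te"
    destination: str                    # dest-ip-address
    source: Optional[str] = None        # IP address or "loopback N"
    vpn_instance: Optional[str] = None  # destination vpn-instance (GRE only)
    mtu: Optional[int] = None
    ip_address: Optional[str] = None    # text that follows "ip address"


def validate(interfaces, mpls_te_enabled=False):
    """Return the rule violations from section 1.3.3 (empty list = OK)."""
    errors, seen = [], {}
    for t in interfaces:
        name = "Tunnel" + t.number
        if t.protocol == "mpls te" and not mpls_te_enabled:
            errors.append(name + ": enable MPLS and MPLS TE globally first")
        if t.vpn_instance and t.protocol != "gre":
            errors.append(name + ": vpn-instance is valid only for GRE")
        if t.source is not None:
            # One protocol, one source/destination pair, one tunnel interface.
            key = (t.protocol, t.source, t.destination)
            if key in seen:
                errors.append(name + ": same protocol, source and "
                              "destination as " + seen[key])
            seen.setdefault(key, name)
    return errors


def render(interfaces, mpls_te_enabled=False):
    """Render the command sequence, refusing plans that break a rule."""
    errors = validate(interfaces, mpls_te_enabled)
    if errors:
        raise ValueError("; ".join(errors))
    lines = ["system-view"]
    for t in interfaces:
        lines.append("interface tunnel " + t.number)
        # The encapsulation must be set before protocol-specific commands.
        lines.append("tunnel-protocol " + t.protocol)
        vpn = "vpn-instance %s " % t.vpn_instance if t.vpn_instance else ""
        lines.append("destination " + vpn + t.destination)
        if t.source:
            lines.append("source " + t.source)
        if t.mtu:
            # A new MTU takes effect only after shutdown / undo shutdown.
            lines += ["mtu %d" % t.mtu, "shutdown", "undo shutdown"]
        if t.ip_address:
            lines.append("ip address " + t.ip_address)
        lines.append("quit")
    return lines


def gre_ends_mirrored(local, remote):
    """True if each end's source is the other end's destination.

    Returns None when a source is not an IP address (for example
    "loopback 0"), because the interface address must be resolved first.
    """
    try:
        ls, ld, rs, rd = (ipaddress.ip_address(a) for a in (
            local.source, local.destination,
            remote.source, remote.destination))
    except ValueError:
        return None
    return ls == rd and ld == rs


# Constructed plan for the two ends of one GRE tunnel.
END_A = TunnelIf("1/0/0", "gre", destination="192.0.2.2",
                 source="192.0.2.1", mtu=1400, ip_address="198.51.100.1 30")
END_B = TunnelIf("1/0/0", "gre", destination="192.0.2.1",
                 source="192.0.2.2", ip_address="198.51.100.2 30")

if __name__ == "__main__":
    print("\n".join(render([END_A])))
    print("ends mirrored:", gre_ends_mirrored(END_A, END_B))
```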

1.3.4 Checking the Configuration


After a tunnel interface is configured, you can view detailed information about the tunnel
interface and the specified tunnel.

Prerequisite
The configuration of the tunnel interface is complete.

Procedure
- Run the display interface tunnel interface-number command to check information about
  a tunnel interface.
- Run the display tunnel-info all command to check information about all tunnels.
- Run the display tunnel-info tunnel-id tunnel-id command to check detailed information
  about a specific tunnel.
----End

Example
Run the display interface tunnel command to see that "Line protocol current state" of the tunnel
interface is "UP". For example:
[Quidway] display interface tunnel 1/0/0
Tunnel1/0/0 current state : UP
Line protocol current state : UP


Last line protocol up time : 2008-02-09 17:05:25 UTC-05:00


Description:HUAWEI, Quidway Series, Tunnel1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is unnumbered, using address of LoopBack0(9.9.9.9/32)
Encapsulation is TUNNEL, loopback not set
Tunnel destination 6.6.6.6
Tunnel up/down statistics 1
Tunnel protocol/transport MPLS/MPLS, ILM is available,
primary tunnel id is 0x10001, secondary tunnel id is 0x0

QoS max-bandwidth : 64 Kbps


Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
300 seconds output rate 0 bits/sec, 0 packets/sec
276 seconds output rate 0 bits/sec, 0 packets/sec
0 packets output, 0 bytes
0 output error
0 output drop

Input bandwidth utilization : --


Output bandwidth utilization : --

Run the display tunnel-info command to check the information about the tunnel, such as the
tunnel ID. For example:
[Quidway] display tunnel-info all
* -> Allocated VC Token
Tunnel ID Type Destination Token
----------------------------------------------------------------------
0x10000 lsp 7.7.7.7 0
0x10001 lsp 6.6.6.6 1
0x10002 lsp 6.6.6.6 2
0x10003 gre 10.1.1.1 3

Run the display tunnel-info tunnel-id tunnel-id command to further check the information
about the tunnel. For example:
[Quidway] display tunnel-info tunnel-id 10003
Tunnel ID: 0x10003
Tunnel Token: 3
Type: gre
Destination: 10.1.1.1
Out Slot: 0
Instance ID: 0
Interface: Tunnel1/0/0

1.4 Configuring Tunnel Policies Applied to L3VPN


By default, the system selects an LSP and performs no load balancing. If load balancing or other
types of tunnels are required, you need to configure a select-sequence tunnel policy and apply
the tunnel policy.

1.4.1 Establishing the Configuration Task


Before configuring a select-sequence tunnel policy for an L3VPN, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the required data. This
can help you complete the configuration task quickly and accurately.


Applicable Environment
By default, the system selects LSPs for a VPN and no load balancing is performed. If load
balancing or other types of tunnels are required, you need to configure a tunnel policy and apply
the tunnel policy.

In L3VPN, a tunnel policy is applied for VPN instances. In L2VPN, a tunnel policy is applied
for VCs.

The policy includes tunnel selection and the number of tunnels for load balancing.

Pre-configuration Tasks
Before configuring a tunnel policy, complete the following tasks:

- Connecting the interfaces, and configuring physical parameters for the interfaces to ensure
  that the physical status of the interfaces is Up
- Configuring parameters of the link layer protocol and IP addresses for the interfaces to
  ensure that the status of the link layer protocol on the interfaces is Up
- Creating the tunnel (LSP or MPLS TE) for the VPN instance
- Configuring the VPN instance on the PE (refer to the chapter "Configuring a VPN
  Instance" in this manual)

Data Preparation
To configure the tunnel policy, you need the following data.

No.  Data
1    Name of the tunnel policy
2    Priority of the tunnels
3    Number of tunnels for load balancing
4    Name of the VPN instance configured with a tunnel policy

1.4.2 Configuring a Tunnel Policy


For a select-sequence tunnel policy, you can specify the sequence in selecting tunnels and the
number of tunnels carrying out load balancing.

Context
Do as follows on a PE configured with a VPN instance.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
tunnel-policy policy-name

A tunnel policy is created and the tunnel policy view is displayed.


A tunnel policy indicates only one tunnel selection mode. If more tunnel selection modes are
required, you need to create multiple tunnel policies.
A VPN instance can use only one tunnel policy; multiple VPN instances can use the same
tunnel policy.
Step 3 Run:
tunnel select-seq { cr-lsp | gre | lsp }* load-balance-number load-balance-number

The priority of the tunnels and the number of tunnels for load balancing are configured.
If no tunnel policy is configured for the L3VPN, an LSP is used as the VPN tunnel, and the
number of tunnels for load balancing is 1.

----End

1.4.3 Applying the Tunnel Policy to L3VPN


After a tunnel policy is configured, you also need to apply the tunnel policy to the VPN instance.

Context
For L3VPN, the tunnel policy is applied to the VPN instance. Do as follows on a PE configured
with a VPN instance.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.


Step 3 Run:
tnl-policy policy-name

A tunnel policy is applied to the VPN instance.

----End

1.4.4 Checking the Configuration


If a select-sequence tunnel policy is configured for an L3VPN, you can view configurations of
the tunnel policy, and information about the tunnels and tunnel policy that is applied to the routes
of the VPN instance.

Prerequisite
The configuration of the select-sequence tunnel policy applied to the L3VPN is complete.


Procedure
- Run the display tunnel-policy tunnel-policy-name command to check the configuration of the
  tunnel policy.
- Run the display ip vpn-instance verbose [ vpn-instance-name ] command to check the tunnel
  policy of the VPN instance.
- Run the display ip routing-table vpn-instance vpn-instance-name [ ip-address ]
  verbose command to check the tunnel that transmits the routes of the VPN instance.
- Run the display tunnel-info tunnel-id tunnel-id command to check information about a
  specified tunnel.

----End

Example
Run the display tunnel-policy command. If the configuration of the tunnel policy is displayed,
it means the configuration succeeds. For example:
[Quidway] display tunnel-policy policy1
Tunnel Policy Name Select-Seq Load balance No
---------------------------------------------------------------------
policy1 LSP 1

Run the display ip vpn-instance verbose command. If the tunnel policy of the VPN instance is
displayed, it means the configuration succeeds. In the following example, the tunnel policy
of the VPN instance named vpna is policy1.
[Quidway] display ip vpn-instance verbose
Total VPN-Instances configured : 1

VPN-Instance Name and ID : vpna, 1


Create date : 2007/09/20 12:03:31 UTC-08:00
Up time : 0 days, 05 hours, 23 minutes and 09 seconds
Route Distinguisher : 1:1
Export VPN Targets : 1:1
Import VPN Targets : 1:1
Label Policy : label per route
Tunnel Policy : policy1
Log Interval : 5
Interfaces : Vlanif10

Run the display ip routing-table vpn-instance vpn-instance-name verbose command, and you
can view the information about the tunnel that transmits the VPN routes. For example:
[Quidway] display ip routing-table vpn-instance vpna 11.11.12.0 verbose
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : vpna
Summary Count : 1

Destination: 11.11.12.0/24
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 6.6.6.6 Neighbour: 6.6.6.6
State: Active Adv Relied Age: 00h01m04s
Tag: 0 Priority: low
Label: 11264 QoSInfo: 0x0
IndirectID: 0x3
RelayNextHop: 0.0.0.0 Interface: Tunnel1/0/1
TunnelID: 0x10002 Flags: RD
RelayNextHop: 10.1.1.1 Interface: Vlanif15
TunnelID: 0x10000 Flags: RD


Run the display tunnel-info tunnel-id tunnel-id command, and you can view detailed
information about a specified tunnel. For example:
[Quidway] display tunnel-info tunnel-id 10005
Tunnel ID: 0x10005
Tunnel Token: 5
Type: cr lsp
Destination: 10.1.1.1
Out Slot: 0
Instance ID: 0
Interface: Tunnel1/0/1
Sub Tunnel ID: 0x0
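
The checks in this section can be combined: take the TunnelID values from the verbose route output, look up each tunnel's type, and compare the result with the select sequence and load-balance number you intended. This is an added example, not part of the Huawei guide; the two captured outputs are constructed in the layout shown above, and it assumes that the TunnelID in the route output is the same identifier that display tunnel-info reports.

```python
import re

# Constructed sample of "display tunnel-info all" output.
TUNNEL_INFO_ALL = """\
* -> Allocated VC Token
Tunnel ID           Type                 Destination           Token
----------------------------------------------------------------------
0x10000             lsp                  6.6.6.6               0
0x10002             cr lsp               6.6.6.6               2
0x10003             gre                  10.1.1.1              3
"""

# Constructed sample of "display ip routing-table vpn-instance ... verbose".
ROUTE_VERBOSE = """\
 Destination: 11.11.12.0/24
    Protocol: BGP            Process ID: 0
     NextHop: 6.6.6.6        Neighbour: 6.6.6.6
RelayNextHop: 0.0.0.0        Interface: Tunnel1/0/1
    TunnelID: 0x10002            Flags: RD
RelayNextHop: 10.1.1.1       Interface: Vlanif15
    TunnelID: 0x10000            Flags: RD
"""

# The type column may contain a space ("cr lsp"), so match it lazily
# up to the dotted-quad destination instead of splitting on whitespace.
ROW = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(.+?)\s+(\d+(?:\.\d+){3})\s+(\d+)\s*$")


def parse_tunnel_info(text):
    """Map tunnel ID -> (type, destination); "cr lsp" becomes "cr-lsp"."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            kind = m.group(2).replace(" ", "-")
            table[int(m.group(1), 16)] = (kind, m.group(3))
    return table


def route_tunnel_ids(text):
    """Tunnel IDs that carry the route, in the order they are listed."""
    return [int(x, 16)
            for x in re.findall(r"TunnelID:\s*(0x[0-9a-fA-F]+)", text)]


def audit_route(route_text, tunnel_info_text, select_seq, load_balance_number):
    """Compare the tunnels carrying a VPN route with the intended policy.

    Returns (used, findings): the (tunnel ID, type) pairs in use and a
    list of human-readable mismatches (empty when the route conforms).
    """
    table = parse_tunnel_info(tunnel_info_text)
    used, findings = [], []
    for tid in route_tunnel_ids(route_text):
        if tid not in table:
            findings.append(
                "tunnel 0x%x not listed by display tunnel-info all" % tid)
            continue
        kind = table[tid][0]
        used.append((tid, kind))
        if kind not in select_seq:
            findings.append(
                "tunnel 0x%x is %s, not in select-seq" % (tid, kind))
    if len(used) > load_balance_number:
        findings.append("%d tunnels in use, policy allows %d"
                        % (len(used), load_balance_number))
    return used, findings


if __name__ == "__main__":
    used, findings = audit_route(ROUTE_VERBOSE, TUNNEL_INFO_ALL,
                                 ("cr-lsp", "lsp"), 2)
    print(used, findings or "conforms to policy")
```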

1.5 Configuring Tunnel Policies Applied to L2VPN


By default, the system selects LSPs for a VPN and no load balancing is carried out. If load
balancing or other types of tunnels are required, you need to configure a tunnel policy and bind
the tunnel policy to the tunnels.

1.5.1 Establishing the Configuration Task


Before configuring a select-sequence tunnel policy for an L2VPN, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the required data. This
can help you complete the configuration task quickly and accurately.

Applicable Environment
By default, LSPs are selected for a VPN, and no load balancing is carried out. To perform load
balancing or select tunnels of other types, configure and apply the corresponding tunnel policies.

For an L2VPN tunnel, the tunnel policy is applied to VC.

At present, a tunnel policy in select-sequence mode consists of the following parts:

- Tunnel selection
- Number of tunnels participating in load balancing

Pre-configuration Tasks
Before configuring a tunnel policy, complete the following tasks:

• Connecting the interfaces, and configuring physical parameters for the interfaces to ensure
that the physical status of the interfaces is Up
• Configuring parameters of the link layer protocol and IP addresses for the interfaces to
ensure that the status of the link layer protocol on the interfaces is Up
• Creating the tunnel (LSP or MPLS TE) for a VC
• Enabling MPLS L2VPN and performing basic L2VPN configurations on PEs
• Creating the VC of the corresponding type on the PE (refer to the chapter "VLL
Configuration" in this manual)

Data Preparation
Before configuring a tunnel policy, you need the following data.


No.  Data
1    Name of the tunnel policy
2    Priority of tunnels
3    Number of tunnels participating in load balancing
4    Type and serial number of the VC interface on which the tunnel policy needs to be applied

1.5.2 Configuring a Tunnel Policy


By using the select-sequence tunnel policy, you can specify the sequence in which the tunnel
types are used and the number of tunnels carrying out load balancing.

Context
Do as follows on a PE configured with VC.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
tunnel-policy policy-name

The tunnel policy is created, and the tunnel policy view is displayed.
A tunnel policy indicates only one tunnel selection mode. If more tunnel selection modes are
required, you need to create multiple tunnel policies.
A VC can apply only one tunnel policy. Multiple VCs can share the same tunnel policy.
Step 3 Run:
tunnel select-seq { cr-lsp | gre | lsp } * load-balance-number load-balance-number

The priority of tunnels and number of tunnels participating in load balancing are configured.

NOTE
The VPLS network and VLL network do not support GRE tunnels. Therefore, do not configure gre when
configuring a tunnel policy on the VPLS network or VLL network.

----End

Follow-up Procedure
For L2VPN, if no tunnel policy is configured, LSP is selected as the VPN tunnel, and no load
balancing is carried out.
In a tunnel policy, tunnels are selected in sequential order. If the preceding tunnel is Up, it will
be selected irrespective of whether or not another service has selected it. The subsequent tunnel
is not selected in most cases, except when load balancing is performed or the preceding tunnels
are in the Down state.

For example, if the tunnel select-seq cr-lsp lsp load-balance-number 1 command is
configured, a VPN selects the LSP tunnel if no CR-LSP exists. After a CR-LSP is set up, the
VPN selects the CR-LSP and does not use the LSP tunnel anymore.
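
The selection rule described above, as an added Python example that is not code from this guide or from the device. The names select_tunnels, Tunnel and DEFAULT_POLICY and the tunnel labels are assumptions made for illustration; the model follows only what this guide states (sequential order, Up state, load-balance-number, no GRE on VLL or VPLS, and exclusion of tunnels enabled with mpls te reserved-for-binding).

```python
from dataclasses import dataclass

VALID_TYPES = {"cr-lsp", "gre", "lsp"}
L2VPN_UNSUPPORTED = {"gre"}      # NOTE in 1.5.2: VPLS and VLL do not support GRE tunnels
DEFAULT_POLICY = (("lsp",), 1)   # no policy configured: LSP only, no load balancing


@dataclass(frozen=True)
class Tunnel:
    name: str                           # constructed label, e.g. "Tunnel1/0/1"
    kind: str                           # "cr-lsp", "gre" or "lsp"
    up: bool                            # True when the tunnel is in the Up state
    reserved_for_binding: bool = False  # mpls te reserved-for-binding is set


def select_tunnels(select_seq, load_balance_number, tunnels, l2vpn=False):
    """Return the tunnels a select-seq policy would use, most preferred first."""
    if not select_seq or len(set(select_seq)) != len(select_seq):
        raise ValueError("select-seq needs one or more distinct tunnel types")
    for kind in select_seq:
        if kind not in VALID_TYPES:
            raise ValueError(f"unknown tunnel type: {kind}")
        if l2vpn and kind in L2VPN_UNSUPPORTED:
            raise ValueError(f"{kind} tunnels cannot carry VLL or VPLS traffic")
    if load_balance_number < 1:
        raise ValueError("load-balance-number must be at least 1")

    chosen = []
    for kind in select_seq:             # earlier types always win
        for tunnel in tunnels:
            if len(chosen) == load_balance_number:
                return chosen           # later types are never consulted
            usable = tunnel.up and not tunnel.reserved_for_binding
            if tunnel.kind == kind and usable:
                chosen.append(tunnel)
    return chosen


def names(tunnels):
    return [t.name for t in tunnels]


if __name__ == "__main__":
    # Constructed state: the only free CR-LSP is Down, the other is reserved for binding.
    before = [
        Tunnel("lsp-a", "lsp", True),
        Tunnel("Tunnel1/0/1", "cr-lsp", False),
        Tunnel("Tunnel1/0/2", "cr-lsp", True, reserved_for_binding=True),
    ]
    # Same PE after the CR-LSP on Tunnel1/0/1 comes Up.
    after = [Tunnel("lsp-a", "lsp", True), Tunnel("Tunnel1/0/1", "cr-lsp", True), before[2]]
    print(names(select_tunnels(["cr-lsp", "lsp"], 1, before, l2vpn=True)))
    print(names(select_tunnels(["cr-lsp", "lsp"], 1, after, l2vpn=True)))
    print(names(select_tunnels(["cr-lsp", "lsp"], 2, after, l2vpn=True)))
```

With load-balance-number 2 the LSP is used again alongside the CR-LSP, which is the load-balancing exception the paragraph mentions.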

1.5.3 Applying the Tunnel Policy to L2VPN


This part describes how to apply a tunnel policy for the VLL, VPLS and PWE3.

Context
Select one of the following configurations according to the L2VPN type.

• Applying a tunnel policy to VLL in SVC mode
• Applying a tunnel policy to VLL in Martini mode
• Applying a tunnel policy to VLL in Kompella mode
• Applying a tunnel policy to VPLS in Martini mode
• Applying a tunnel policy to VPLS in Kompella mode
• Applying a tunnel policy to PWE3

When using XGE, GE, Ethernet, or Eth-Trunk interfaces as AC interfaces, you need to configure
the undo portswitch command in the interface view before configuring the L2VPN.

When using XGE, GE, Ethernet, or Eth-Trunk sub-interfaces as AC interfaces, you need to
configure the sub-interface type before configuring the L2VPN. For details on how to configure
sub-interfaces, see Connecting Sub-interfaces to a VLL Network.

Procedure
• Applying a tunnel policy to VLL in SVC mode
Do as follows on PEs configured with VCs:
1. Run:
system-view

The system view is displayed.


2. Run:
interface interface-type interface-number

The view of the interface connected with the CE is displayed.


3. Run:
mpls static-l2vc destination ip-address transmit-vpn-label transmit-label-value receive-vpn-label receive-label-value tunnel-policy tnl-policy-name

A tunnel policy is applied to the VC of the VLL in SVC mode.


• Applying a tunnel policy to VLL in Martini mode
Do as follows on PEs configured with VCs:
1. Run:
system-view

The system view is displayed.


2. Run:
interface interface-type interface-number

The view of the interface connected with the CE is displayed.


3. Run:
mpls l2vc ip-address vc-id tunnel-policy policy-name

A tunnel policy is applied to the VC of the VLL in Martini mode.


• Applying a tunnel policy to VLL in Kompella mode
Do as follows on PEs configured with VCs:
1. Run:
system-view

The system view is displayed.


2. Run:
mpls l2vpn vpn-name

The MPLS L2VPN instance view is displayed.


3. Run:
ce ce-name

The MPLS L2VPN CE view is displayed.


4. Run:
connection [ ce-offset id ] interface interface-type interface-number tunnel-policy policy-name

A tunnel policy is applied to the VC of the VLL in Kompella mode.

NOTE
Before configuring Kompella VLL on a PE, create a connection with a CE by running the ce
ce-name id ce-id [ range ce-range ] [ default-offset ce-offset ] command.
• Applying a tunnel policy to VPLS in Martini mode
Do as follows on the PEs at both ends of a PW:
1. Run:
system-view

The system view is displayed.


2. Run:
vsi vsi-name [ auto | static ]

A VSI is created.
3. Run:
pwsignal ldp

LDP is configured as the PW signaling protocol and the VSI-LDP view is displayed.
4. Run:
vsi-id vsi-id

The VSI ID is set.


5. Run:
peer peer-address [ negotiation-vc-id vc-id ] [ tnl-policy policy-name ]

The VSI peer relationship is configured and a tunnel policy is applied to the peer.


• Applying a tunnel policy to VPLS in Kompella mode
Do as follows on the PEs at both ends of a PW:
1. Run:
system-view

The system view is displayed.


2. Run:
vsi vsi-name [ auto | static ]

A VSI is created.
3. Run:
pwsignal bgp

BGP is configured as the PW signaling protocol and the VSI BGP view is displayed.
4. Run:
route-distinguisher route-distinguisher

The RD is configured for the VSI.


5. Run:
tnl-policy policy-name

A tunnel policy is applied to the VSI.


• Applying a tunnel policy to PWE3
Do as follows on PEs configured with VCs.
1. Run:
system-view

The system view is displayed.


2. Run:
interface interface-type interface-number

The view of the interface connected with the CE device is displayed.


3. Choose one of the following options to apply a tunnel policy to the PW.
For dynamic PW, run: mpls l2vc { pw-template pw-template-name | ip-address } * vc-id tunnel-policy policy-name
For static PW, run: mpls static-l2vc { { destination ip-address | pw-template pw-template-name vc-id } * | destination ip-address [ vc-id ] } transmit-vpn-label transmit-label-value receive-vpn-label receive-label-value [ tunnel-policy tnl-policy-name | [ control-word | no-control-word ] | [ raw | tagged ] ] *

----End

1.5.4 Checking the Configuration


After a select-sequence tunnel policy is configured for an L2VPN, you can view configurations
of the tunnel policy, tunnels that are used by VCs, and information about these tunnels.

Context
The configurations of the tunnel policies (Select-sequence Mode) applied to L2VPN function
are complete.


Procedure
• Run the display tunnel-policy tunnel-policy-name command to check the configuration
of a tunnel policy.
• Run the display mpls l2vc [ interface interface-type interface-number ] command to check
the information about the tunnel used by the VC in L2VPN in SVC, PWE3, or Martini
mode.
• Run the display mpls l2vpn connection [ interface interface-type interface-number ]
command to check the information about the tunnel used by the VC in Kompella L2VPN.
• Run the display tunnel-info tunnel-id tunnel-id command to check information about a
specified tunnel.
----End

Example
Run the display tunnel-policy command. If the bound tunnel interface is displayed, it means
the configuration succeeds. For example:
<Quidway> display tunnel-policy policy1
Tunnel Policy Name    Select-Seq    Load balance No
---------------------------------------------------------------------
policy1               LSP           1

For the VC of the L2VPN in SVC or Martini mode, run the display mpls l2vc interface
interface-type interface-number command. If the tunnel policy configuration of the VC is
displayed, it means the configuration succeeds. In the following example, you can see that the
tunnel policy of the VC on VLANIF 10 is policy1.
<Quidway> display mpls l2vc interface vlanif 10
*client interface : Vlanif10 is up
Administrator PW : no
session state : up
AC state : up
VC state : up
VC ID : 116119
VC type : VLAN
destination : 6.6.6.6
local group ID : 0 remote group ID : 0
local VC label : 23552 remote VC label : 23552
local AC OAM State : up
local PSN State : up
local forwarding state : forwarding
local status code : 0x0
remote AC OAM state : up
remote PSN state : up
remote forwarding state: forwarding
remote status code : 0x0
BFD for PW : unavailable
manual fault : not set
active state : active
forwarding entry : exist
link state : up
local VC MTU : 1500 remote VC MTU : 1500
local VCCV : alert lsp-ping bfd
remote VCCV : Disable
local control word : disable remote control word : disable
tunnel policy name : policy1
traffic behavior name : --
PW template name : --
primary or secondary : primary
VC tunnel/token info : 1 tunnels/tokens
NO.0 TNL type : lsp , TNL ID : 0x10000

create time : 0 days, 2 hours, 0 minutes, 12 seconds
up time : 0 days, 2 hours, 0 minutes, 12 seconds
last change time : 0 days, 2 hours, 0 minutes, 12 seconds
VC last up time : 2009/09/20 20:33:37
VC total up time : 0 days, 2 hours, 0 minutes, 12 seconds
CKey : 5
NKey : 4
PW redundancy mode : --
AdminPw interface : --
AdminPw link state : --

For the VC of the L2VPN in Kompella mode, run the display mpls l2vpn connection
interface interface-type interface-number command. If the tunnel policy of the VC is displayed,
it means the configuration succeeds.
[Quidway] display mpls l2vpn connection interface vlanif 10
conn-type: remote
local vc state: up
remote vc state: up
local ce-id: 2
local ce name: ce2
remote ce-id: 1
intf(state,encap): Vlanif10(up,vlan)
peer id: 6.6.6.6
route-distinguisher: 100:1
local vc label: 31750
remote vc label: 35847
tunnel policy: Policy2
CKey: 7
NKey: 6
primary or secondary: primary
forward entry exist or not: true
forward entry active or not:true
manual fault set or not: not set
AC OAM state: up
BFD for PW session index: --
BFD for PW state: invalid
BFD for LSP state: true
Local C bit is not set
Remote C bit is not set
tunnel type: lsp
tunnel id: 0x10000

1.6 Configuring L3VPN Tunnel Binding


VPN tunnel binding refers to the binding between a TE tunnel and a VPN. After the binding,
the TE tunnel is exclusively used by the VPN.

1.6.1 Establishing the Configuration Task


Before configuring L3VPN tunnel binding, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.

Applicable Environment
When deploying the VPN service, you can bind a VPN primary tunnel to an MPLS TE tunnel.
In this manner, the MPLS TE tunnel can transmit VPN services exclusively. The congestion
caused by unbalanced load can be avoided, and no interference occurs among different VPN
services. Therefore, the QoS of the VPN service is guaranteed.


Pre-configuration Tasks
Before configuring VPN primary tunnel binding, complete the following tasks:
• Connecting the interfaces, configuring physical parameters for the interfaces to ensure that
the physical status of the interfaces is Up
• Configuring parameters of the link layer protocol and IP addresses for the interfaces to
ensure the status of the link layer protocol on the interfaces is Up
• Configuring the static route or the Interior Gateway Protocol (IGP) to ensure routes are
reachable to all nodes
• Configuring basic MPLS functions and enabling MPLS TE
• Configuring the MPLS TE tunnels between PEs (refer to the Quidway S7700 Smart Routing
Switch Configuration Guide - MPLS).
• Configuring the VPN instance on the PE (refer to the chapter "3 BGP MPLS IP VPN
Configuration" in this manual)

Data Preparation
To configure VPN primary tunnel binding, you need the following data.

No.  Data
1    Name of the tunnel policy
2    QoS parameters for the MPLS TE tunnel such as bandwidth
3    Name of the VPN instance

1.6.2 Enabling the VPN Binding for a Tunnel


A tunnel can be bound to a VPN only after VPN tunnel binding is enabled.

Context
Only the tunnel enabled with the VPN binding can be bound with the VPN.
Do as follows on PEs at both ends of the TE tunnel.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface tunnel interface-number

The tunnel interface view of the MPLS TE is displayed.


Step 3 Run:
mpls te reserved-for-binding


The VPN binding for the tunnel is enabled.

The tunnel policy in select-sequence mode cannot use the tunnel enabled with the VPN binding.

Step 4 Run:
mpls te commit

The current configuration is validated.

----End

1.6.3 Configuring the VPN Binding of the Tunnel Policy


After enabling VPN tunnel binding, you must also configure a tunnel policy to ensure that the
VPN data is transmitted along the bound tunnel.

Context
Do as follows on PEs at both ends of the TE tunnel.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
tunnel-policy policy-name

A tunnel policy is created.

Step 3 Run:
tunnel binding destination dest-ip-address te tunnel interface-number [ down-switch ]

The peer address is bound with the tunnel policy. The VPN data from the local end are transmitted
to the destination address through the bound tunnel.

Note the following:

• Tunnel policy can be either in select-sequence mode or tunnel binding mode. Therefore, the
tunnel policy configured with the tunnel binding command cannot be then configured with
the tunnel select-seq command.
• A maximum of six tunnels can be bound to the same destination address for a PE.
• If the PE has multiple peers, a tunnel policy can be configured with multiple tunnel
binding commands with different destination addresses.

----End

1.6.4 Applying the Tunnel Policy to the L3VPN


After a tunnel binding policy is applied to an L3VPN, the VPN data is transmitted along the
bound tunnel.


Context
Different VPN services to the same destination on a PE must apply different tunnel policies, and
be bound with different TE tunnels.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.


Step 3 Run:
tnl-policy policy-name

The tunnel policy is applied to the VPN instance.

----End

1.6.5 Checking the Configuration


After configuring L3VPN main tunnel binding, you can view information about the bound tunnel
policy, and interfaces of the bound tunnel.

Prerequisite
The configurations of the L3VPN tunnel binding function are complete.

Procedure
• Run the display tunnel-policy tunnel-policy-name command to check information about
the tunnel policy in tunnel binding mode.
• Run the display interface tunnel interface-number command to check the information
about the interface of the bound tunnel.
• Run the display ip vpn-instance verbose [ vpn-instance-name ] command to check the
tunnel policy of the VPN instance.
• Run the display ip routing-table vpn-instance vpn-instance-name [ ip-address ]
verbose command to view information about the tunnel for IP routing.
• Run the display tunnel-info tunnel-id tunnel-id command to check information about a
specified tunnel.
----End

Example
Run the display tunnel-policy command. If the bound tunnel interface is displayed, and the
destination address is configured the same as that in real situation, it means the configuration
succeeds. For example:
<Quidway> display tunnel-policy policy1
Tunnel Policy Name    Destination    Tunnel Intf    Down Switch
---------------------------------------------------------------------
policy1               2.2.2.9        Tunnel1/0/0    Disable
                      3.3.3.9        Tunnel2/0/0    Disable

Run the display interface tunnel command to check that the bound tunnel is Up. For example:
<Quidway> display interface tunnel 1/0/0
Tunnel1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2009-02-23 10:54:40
Description : HUAWEI, Quidway Series, Tunnel1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is unnumbered, using address of LoopBack1(1.1.1.9/32)
Encapsulation is TUNNEL, loopback not set
Tunnel destination 2.2.2.9
Tunnel up/down statistics 1
Tunnel protocol/transport MPLS/MPLS, ILM is available,
QoS max-bandwidth : 64 Kbps
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
300 seconds output rate 0 bits/sec, 0 packets/sec
68 seconds output rate 0 bits/sec, 0 packets/sec
22894187 packets output, 2958834536 bytes
0 packets output error

Input bandwidth utilization : --
Output bandwidth utilization : --

Run the display ip vpn-instance verbose command. If the tunnel policy name of the VPN
instance is displayed, it means the configuration succeeds. In the following example, you can
see that the tunnel policy of the VPN instance named vpna is policy1.
<Quidway> display ip vpn-instance verbose
Total VPN-Instances configured : 1
VPN-Instance Name and ID : vpna, 1
Create date : 2004/10/11 16:12:02
Up time : 0 days, 00 hours, 03 minutes and 07 seconds
Route Distinguisher : 100:1
Export VPN Targets : 100:1
Import VPN Targets : 100:1
Label Policy : label per route
Tunnel Policy : policy1
Log Interval : 5
Interfaces : Vlanif10

Run the display ip routing-table vpn-instance verbose command and you can view the tunnels
used by the VPN routes. For example:
<Quidway> display ip routing-table vpn-instance vpna 10.3.1.0 verbose
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------
Routing Table : vpna
Summary Count : 1
Destination: 10.3.1.0/30
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 2.2.2.2 Neighbour: 2.2.2.2
State: Active Adv GotQ Age: 00h00m08s
Tag: 0 Priority: low
Label: 109568 QoSInfo: 0x0
IndirectID: 0x12
RelayNextHop: 0.0.0.0 Interface: Tunnel1/0/2
Tunnel ID: 0x10002 Flags: RD


1.7 Configuring L2VPN Tunnel Binding


L2VPN tunnel binding refers to the binding between a TE tunnel and a VPN. After the binding,
the TE tunnel is exclusively used by the VPN.

1.7.1 Establishing the Configuration Task


Before configuring L2VPN main tunnel binding, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.

Applicable Environment
When deploying the MPLS L2VPN service, you need to consider not only the transparent
transmission of user data, but also the following points:
• MPLS TE tunnels are used to transmit data, which can optimize the usage of network
resources and avoid the congestion caused by unbalanced load.
• The L2VPN service should be separated from other services. Therefore, the QoS of the
L2VPN service is guaranteed.
The MPLS TE tunnel and the MPLS L2VPN primary tunnel binding need to be configured on
the PEs of the backbone network.

Pre-configuration Tasks
Before configuring MPLS L2VPN primary tunnel binding, complete the following tasks:
• Connecting the interfaces, and configuring physical parameters for the interfaces to ensure
that the physical status of the interfaces is Up
• Configuring parameters of the link layer protocol and IP addresses for the interfaces to
ensure that the status of the link layer protocol on the interfaces is Up
• Configuring the static route or IGP to ensure that routes are reachable to all nodes
• Configuring basic MPLS functions and enabling MPLS TE
• Configuring the MPLS TE tunnels between PEs (refer to the Quidway S7700 Smart Routing
Switch Configuration Guide - MPLS)
• Creating the VC on the PE (refer to the chapter "MPLS L2VPN Configuration" in this
manual)

Data Preparation
To configure L2VPN primary tunnel binding, you need the following data.

No.  Data
1    Name of the tunnel policy
2    QoS parameters for the MPLS TE tunnel such as bandwidth
3    Type and serial number of the VC interface, destination address, and VC ID


1.7.2 Enabling the VPN Binding for a Tunnel


A tunnel can be bound to a VPN only after VPN tunnel binding is enabled.

Context
Only the tunnel enabled with the VPN binding can be bound with the VPN.
Do as follows on PEs at both ends of the TE tunnel.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface tunnel interface-number

The tunnel interface view of the MPLS TE is displayed.


Step 3 Run:
mpls te reserved-for-binding

The VPN binding for the tunnel is enabled.


The tunnel policy in select-sequence mode cannot use the tunnel enabled with the VPN binding.
Step 4 Run:
mpls te commit

The current configuration is validated.

----End

1.7.3 Configuring the VPN Binding of the Tunnel Policy


After enabling VPN tunnel binding, you must also configure a tunnel policy to ensure that the
VPN data is transmitted along the bound tunnel.

Context
Do as follows on PEs at both ends of the TE tunnel.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
tunnel-policy policy-name


A tunnel policy is created.

Step 3 Run:
tunnel binding destination dest-ip-address te tunnel interface-number [ down-switch ]

The peer address is bound with the tunnel policy. The VPN data from the local end are transmitted
through the bound tunnel to the destination address.

If a TE tunnel is bound with the destination address, the VPN data is only transmitted to the
destination address through the bound tunnel. Note the following:

• Tunnel policy can be either in select-sequence mode or tunnel binding mode. Therefore, the
tunnel policy configured with the tunnel binding command cannot be then configured with
the tunnel select-seq command.
• One dest-ip-address of a PE device can only be bound with one tunnel. If multiple tunnels
are bound, the last binding overwrites the previous one.
• If the PE has multiple peers, a tunnel policy can be configured with multiple tunnel
binding commands with different dest-ip-address.

----End

1.7.4 Applying the Tunnel Policy to the Martini L2VPN


After a tunnel binding policy is applied to an L2VPN, the VPN data is transmitted along the
bound tunnel.

Context
Different VPN services to the same destination on a PE must apply different tunnel policies, and
be bound with different TE tunnels.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The AC interface view is displayed.

Step 3 Run:
mpls l2vc ip-address vc-id tunnel-policy policy-name

The tunnel policy is applied to the VC.

----End
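
The binding rules in 1.6.2 to 1.6.4 and 1.7.2 to 1.7.4 can be checked against a planned command list before it is applied to a PE. The following Python is an added example, not part of this guide or of any Huawei tool; the function names, the constructed command list, and the assumption that commands appear one per line in the syntax these procedures show are all assumptions. It covers the L3VPN instance and Martini l2vc forms only.

```python
from collections import defaultdict

# Constructed command list for one PE, typed as the procedures on this page give them.
SAMPLE_CONFIG = """\
interface tunnel 1/0/0
mpls te reserved-for-binding
mpls te commit
interface tunnel 2/0/0
mpls te commit
tunnel-policy policy1
tunnel binding destination 2.2.2.9 te tunnel 1/0/0
tunnel-policy policy2
tunnel binding destination 2.2.2.9 te tunnel 1/0/0
tunnel binding destination 3.3.3.9 te tunnel 2/0/0 down-switch
tunnel select-seq cr-lsp lsp load-balance-number 1
ip vpn-instance vpna
tnl-policy policy1
ip vpn-instance vpnb
tnl-policy policy1
interface vlanif 10
mpls l2vc 2.2.2.9 100 tunnel-policy policy2
"""


def parse(text):
    """Track the current view and collect the tunnel-policy facts in it."""
    reserved = set()              # tunnel numbers with mpls te reserved-for-binding
    bindings = defaultdict(list)  # policy -> [(destination, tunnel number)]
    select_seq = set()            # policies that contain tunnel select-seq
    users = defaultdict(list)     # policy -> services that apply it
    view = (None, None)
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[:2] == ["interface", "tunnel"] and len(w) == 3:
            view = ("tunnel", w[2])
        elif w[0] == "interface":
            view = ("ac", " ".join(w[1:]))
        elif w[0] == "tunnel-policy" and len(w) == 2:
            view = ("policy", w[1])
        elif w[:2] == ["ip", "vpn-instance"] and len(w) == 3:
            view = ("vpn", w[2])
        elif view[0] == "tunnel" and w == ["mpls", "te", "reserved-for-binding"]:
            reserved.add(view[1])
        elif (view[0] == "policy" and w[:3] == ["tunnel", "binding", "destination"]
              and w[4:6] == ["te", "tunnel"] and len(w) >= 7):
            bindings[view[1]].append((w[3], w[6]))
        elif view[0] == "policy" and w[:2] == ["tunnel", "select-seq"]:
            select_seq.add(view[1])
        elif view[0] == "vpn" and w[0] == "tnl-policy" and len(w) == 2:
            users[w[1]].append("vpn-instance " + view[1])
        elif view[0] == "ac" and w[:2] == ["mpls", "l2vc"] and "tunnel-policy" in w[:-1]:
            users[w[w.index("tunnel-policy") + 1]].append("l2vc on " + view[1])
    return reserved, bindings, select_seq, users


def audit(text):
    """Return one finding per violated binding rule from sections 1.6 and 1.7."""
    reserved, bindings, select_seq, users = parse(text)
    findings = []
    # A policy is either in select-sequence mode or in tunnel binding mode.
    for policy in sorted(set(bindings) & select_seq):
        findings.append(f"{policy}: mixes tunnel select-seq and tunnel binding")
    bound_in = defaultdict(set)
    for policy, pairs in bindings.items():
        for _dest, tunnel in pairs:
            bound_in[tunnel].add(policy)
            # Only a tunnel enabled with the VPN binding can be bound.
            if tunnel not in reserved:
                findings.append(
                    f"{policy}: Tunnel{tunnel} is bound but lacks mpls te reserved-for-binding")
    # Different VPN services must be bound with different TE tunnels ...
    for tunnel, policies in sorted(bound_in.items()):
        if len(policies) > 1:
            findings.append(
                f"Tunnel{tunnel}: bound in more than one policy ({', '.join(sorted(policies))})")
    # ... and must apply different tunnel policies.
    for policy in sorted(bindings):
        if len(users[policy]) > 1:
            findings.append(
                f"{policy}: binding policy shared by {', '.join(users[policy])}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```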

1.7.5 Checking the Configuration


After configuring L2VPN main tunnel binding, you can view information about the bound tunnel
policy, and interfaces of the bound tunnel.


Context
The configurations of the L2VPN tunnel binding function are complete.

Procedure
• Run the display tunnel-policy tunnel-policy-name command to check information about
the tunnel policy in tunnel binding mode.
• Run the display interface tunnel interface-number command to check the information
about the interface of the bound tunnel.
• Run the display mpls l2vc [ interface interface-type interface-number ] command to check
the information about the tunnel used by the VC in L2VPN in SVC, PWE3, or Martini
mode.
----End

Example
Run the display tunnel-policy command. If the bound tunnel interface is displayed, and the
destination address is configured the same as that in real situation, it means the configuration
succeeds. For example:
<Quidway> display tunnel-policy policy1
Tunnel Policy Name    Destination    Tunnel Intf    Down Switch
---------------------------------------------------------------------
policy1               2.2.2.9        Tunnel1/0/0    Disable
                      3.3.3.9        Tunnel2/0/0    Disable

Run the display interface tunnel command. If the bound tunnel is Up, it means the configuration
succeeds. For example:
<Quidway> display interface tunnel 1/0/0
Tunnel1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2009-02-23 10:54:40
Description : HUAWEI, Quidway Series, Tunnel1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is unnumbered, using address of LoopBack1(1.1.1.9/32)
Encapsulation is TUNNEL, loopback not set
Tunnel destination 2.2.2.9
Tunnel protocol/transport MPLS/MPLS, ILM is available,
primary tunnel id is 0x10006, secondary tunnel id is 0x0
QoS max-bandwidth : 64 Kbps
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
300 seconds output rate 0 bits/sec, 0 packets/sec
68 seconds output rate 0 bits/sec, 0 packets/sec
22894187 packets output, 2958834536 bytes
0 packets output error
Input bandwidth utilization : --
Output bandwidth utilization : --

Run the display mpls l2vc command. If the tunnel policy name of the VC is displayed, it means
the configuration succeeds. In the following example, you can see that the tunnel policy of the VC
is policy1.
<Quidway> display mpls l2vc
total LDP VC : 1 1 up 0 down

*client interface : GigabitEthernet1/0/0.1
Administrator PW : no
session state : up
AC status : up
VC state : up
VC ID : 116119
VC type : VLAN
destination : 6.6.6.6
local VC label : 23552 remote VC label : 23552
control word : disable
forwarding entry : exist
local group ID : 0
manual fault : not set
active state : active
link state : up
local VC MTU : 1500 remote VC MTU : 1500
tunnel policy name : policy1
traffic behavior name: --
PW template name : --
primary or secondary : primary
create time : 0 days, 0 hours, 3 minutes, 45 seconds
up time : 0 days, 0 hours, 3 minutes, 45 seconds
last change time : 0 days, 0 hours, 3 minutes, 45 seconds
VC last up time : 2007/09/20 20:33:37
VC total up time : 0 days, 0 hours, 3 minutes, 45 seconds
CKey : 5
NKey : 4
AdminPw interface : --
AdminPw link state : --

1.8 Maintaining a VPN Tunnel


Monitor the running status of the VPN tunnel.

1.8.1 Monitoring the Running Status of a Tunnel


To check whether a VPN tunnel has been created and to view the configuration of a created
tunnel, you can monitor the running status of the VPN tunnel.

Context
In routine maintenance, you can run the following commands to view the running status of a
VPN tunnel.

Procedure
• Run the display interface tunnel interface-number command to view information about
the tunnel interface.
• Run the display tunnel-info tunnel-id command to view information about a specified
tunnel.
• Run the display tunnel-info all command to view information about all tunnels.
• Run the display tunnel-policy tunnel-policy-name command to view information about a
specified tunnel policy.
• Run the display ip vpn-instance verbose [ vpn-instance-name ] command to view
information about the tunnel policy used by a specified VPN instance.
• Run the display ip routing-table vpn-instance [ ip-address ] verbose command to view
information about the tunnel for IP routing.
• Run the display mpls l2vc [ interface interface-type interface-number ] command to view
information about the tunnel used by the VC in the SVC, PWE3 VC, or Martini L2VPN.
• Run the display mpls l2vpn connection interface interface-type interface-number
command to view information about the tunnel used by the VC in the Kompella L2VPN.

----End

1.8.2 Debugging a Tunnel


If a VPN tunnel runs abnormally, you need to debug the VPN tunnel to locate the fault and
analyze the cause. Note that debugging affects the performance of the system.

Context

CAUTION
Debugging affects the performance of the system. Therefore, after debugging, run the undo
debugging all command to disable the debugging immediately.

When a fault occurs in a tunnel, run the following debugging commands in the user view to
debug the tunnel and locate the fault.

For the procedure of outputting the debugging information, refer to Information Center
Configuration.

For the description about the debugging commands, refer to the Quidway S7700 Smart Routing
Switch Debugging Reference.

Procedure
• Run the debugging tunnel all [ interface tunnel interface-number ] command in the user
view to enable tunnel debugging.
• Run the debugging tnlm { all | error | event } command in the user view to enable the
debugging related to tunnel management.

----End

1.9 Configuration Examples


This section provides examples for applying a tunnel policy to the L3VPN or L2VPN.

1.9.1 Example for Configuring Tunnel Policies for the L3VPN

Networking Requirements
Figure 1-2 shows the networking diagram of the MPLS L3VPN. CE1 and CE3 belong to VPNA,
and CE2 and CE4 belong to VPNB. Two MPLS TE tunnels and an LSP are set up between PE1
and PE2. VPNA is bound to one of the TE tunnels. VPNB prefers the TE tunnels.

Figure 1-2 Networking diagram for configuring the tunnel policy for the L3VPN

[Diagram not reproduced: PE1 (Loopback1 1.1.1.1/32) and PE2 (Loopback1 2.2.2.2/32) are
connected through GE1/0/1. MPLS TE tunnel 1/0/1, MPLS TE tunnel 1/0/2 (binding), and an
LSP run between the two PEs. CE1 and CE3 (VPNA) connect to the PEs through GE1/0/3; CE2
and CE4 (VPNB) connect to the PEs through GE1/0/2.]

Device  Interface             VLANIF interface  IP address
PE1     GigabitEthernet1/0/1  VLANIF 10         100.1.1.1/30
        GigabitEthernet1/0/2  VLANIF 20         10.2.1.2/30
        GigabitEthernet1/0/3  VLANIF 30         10.1.1.2/30
        Loopback1             -                 1.1.1.1/32
PE2     GigabitEthernet1/0/1  VLANIF 10         100.1.1.2/30
        GigabitEthernet1/0/2  VLANIF 40         10.4.1.2/30
        GigabitEthernet1/0/3  VLANIF 50         10.3.1.2/30
        Loopback1             -                 2.2.2.2/32
CE1     GigabitEthernet1/0/3  VLANIF 30         10.1.1.1/30
CE2     GigabitEthernet1/0/2  VLANIF 20         10.2.1.1/30
CE3     GigabitEthernet1/0/3  VLANIF 50         10.3.1.1/30
CE4     GigabitEthernet1/0/2  VLANIF 40         10.4.1.1/30

Configuration Roadmap
The configuration roadmap is as follows:

1. Enable the routing protocol to ensure communication between the PEs.


2. Configure the basic MPLS capability on the PEs on the backbone network and set up an
LSP and two MPLS TE tunnels between the PEs.
3. Configure VPN instances on the PEs and connect the CEs to the PEs.
4. Configure tunnel policies and apply the tunnel policies to the VPN instances.
5. Configure MP-IBGP for exchanging routing information between the VPNs.

Data Preparation
To complete the configuration, you need the following data:
- MPLS LSR IDs of the PEs
- Names, RDs, and VPN targets of the two VPN instances
- Names of the two tunnel policies

Procedure
Step 1 Enable the IGP protocol on the MPLS backbone network to ensure IP interworking between the
PEs.
# Configure PE1.
<Quidway> system-view
[Quidway] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] vlan 10
[PE1-vlan10] quit
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[PE1-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[PE1-GigabitEthernet1/0/1] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip address 100.1.1.1 30
[PE1-Vlanif10] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.3
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure PE2.
<Quidway> system-view
[Quidway] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.2 32
[PE2-LoopBack1] quit
[PE2] vlan 10
[PE2-vlan10] quit
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[PE2-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[PE2-GigabitEthernet1/0/1] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] ip address 100.1.1.2 30
[PE2-Vlanif10] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.3
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

# By running the display ip routing-table command on the PEs, you can see that the PEs can
learn the routes of each other's Loopback1 interface.
# Take the display on PE1 as an example:


[PE1] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 10 Routes : 10
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
2.2.2.2/32 OSPF 10 2 D 100.1.1.2 Vlanif10
100.1.1.0/30 Direct 0 0 D 100.1.1.1 Vlanif10
100.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
100.1.1.2/32 Direct 0 0 D 172.1.1.2 Vlanif10
100.1.1.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Step 2 Enable the basic MPLS capability on the MPLS backbone and establish an LDP LSP.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] label advertise non-null
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] mpls
[PE1-Vlanif10] mpls ldp
[PE1-Vlanif10] quit

# Configure PE2.
[PE2] mpls lsr-id 2.2.2.2
[PE2] mpls
[PE2-mpls] label advertise non-null
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] mpls
[PE2-Vlanif10] mpls ldp
[PE2-Vlanif10] quit

# After the configuration, an LDP LSP can be set up between PE1 and PE2. By running the
display tunnel-info all command, you can see the LSP destined for the address 2.2.2.2. By
running the display mpls ldp lsp command, you can view the LSP information.
# Take the display on PE1 as an example:
[PE1] display tunnel-info all
* -> Allocated VC Token
Tunnel ID Type Destination Token
----------------------------------------------------------------------
0x1001c lsp 2.2.2.2 0
0x1001d lsp 2.2.2.2 1

[PE1]display mpls ldp lsp

LDP LSP Information


-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
1.1.1.1/32 1124/NULL 2.2.2.2 127.0.0.1 InLoop0
1.1.1.1/32 Liberal/1024 2.2.2.2
2.2.2.2/32 NULL/1025 - 100.1.1.2 Vlanif10
-------------------------------------------------------------------------------
TOTAL: 3 Normal LSP(s) Found.
TOTAL: 0 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is in GR state
A '*' before a NextHop means the LSP is FRR LSP

Step 3 Set up an MPLS TE tunnel between the PEs.

# Configure the maximum link bandwidth and maximum reservable bandwidth for the MPLS
TE tunnel.

# Configure PE1.
[PE1] mpls
[PE1-mpls] mpls te
[PE1-mpls] mpls rsvp-te
[PE1-mpls] mpls te cspf
[PE1-mpls] quit
[PE1] interface tunnel 1/0/1
[PE1-Tunnel1/0/1] ip address unnumbered interface loopback1
[PE1-Tunnel1/0/1] tunnel-protocol mpls te
[PE1-Tunnel1/0/1] destination 2.2.2.2
[PE1-Tunnel1/0/1] mpls te tunnel-id 11
[PE1-Tunnel1/0/1] mpls te commit
[PE1-Tunnel1/0/1] quit
[PE1] interface tunnel 1/0/2
[PE1-Tunnel1/0/2] ip address unnumbered interface loopback1
[PE1-Tunnel1/0/2] tunnel-protocol mpls te
[PE1-Tunnel1/0/2] destination 2.2.2.2
[PE1-Tunnel1/0/2] mpls te tunnel-id 22
[PE1-Tunnel1/0/2] mpls te reserved-for-binding
[PE1-Tunnel1/0/2] mpls te commit
[PE1-Tunnel1/0/2] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] mpls te
[PE1-Vlanif10] mpls rsvp-te
[PE1-Vlanif10] quit

# Configure PE2.
[PE2] mpls
[PE2-mpls] mpls te
[PE2-mpls] mpls rsvp-te
[PE2-mpls] mpls te cspf
[PE2-mpls] quit
[PE2] interface tunnel 1/0/1
[PE2-Tunnel1/0/1] ip address unnumbered interface loopback1
[PE2-Tunnel1/0/1] tunnel-protocol mpls te
[PE2-Tunnel1/0/1] destination 1.1.1.1
[PE2-Tunnel1/0/1] mpls te tunnel-id 11
[PE2-Tunnel1/0/1] mpls te commit
[PE2-Tunnel1/0/1] quit
[PE2] interface tunnel 1/0/2
[PE2-Tunnel1/0/2] ip address unnumbered interface loopback1
[PE2-Tunnel1/0/2] tunnel-protocol mpls te
[PE2-Tunnel1/0/2] destination 1.1.1.1
[PE2-Tunnel1/0/2] mpls te tunnel-id 22
[PE2-Tunnel1/0/2] mpls te reserved-for-binding
[PE2-Tunnel1/0/2] mpls te commit
[PE2-Tunnel1/0/2] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] mpls
[PE2-Vlanif10] mpls te
[PE2-Vlanif10] mpls rsvp-te
[PE2-Vlanif10] quit

# Enable OSPF on the devices along the TE tunnel so that the devices can transmit TE attributes.
# Configure PE1.
[PE1] ospf 1
[PE1-ospf-1] opaque-capability enable
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] mpls-te enable
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure PE2.
[PE2] ospf 1
[PE2-ospf-1] opaque-capability enable
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] mpls-te enable
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

# By running the display interface tunnel interface-number command on the PEs, you can see
that Tunnel1/0/1 and Tunnel1/0/2 are both Up. Take Tunnel1/0/2 on PE1 for example.
[PE1] display interface Tunnel 1/0/2
Tunnel1/0/2 current state : UP
Line protocol current state : UP
Last line protocol up time : 2007-09-10 13:54:57-08:00
Description:HUAWEI, Quidway Series, Tunnel1/0/0 Interface
Route Port,
Internet Address is unnumbered, using address of LoopBack0(1.1.1.1/32)
Encapsulation is TUNNEL, loopback not set
Tunnel destination 2.2.2.2
Tunnel up/down statistics 1
Tunnel protocol/transport MPLS/MPLS, ILM is available,
primary tunnel id is 0x1003d, secondary tunnel id is 0x0

QoS max-bandwidth : 64 Kbps


Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
300 seconds output rate 0 bits/sec, 0 packets/sec
196 seconds output rate 0 bits/sec, 0 packets/sec
0 packets output, 0 bytes
0 output error
0 output drop

Input bandwidth utilization : --


Output bandwidth utilization : --

Step 4 Configure VPN instances on each PE and connect the CEs to the PEs.
# Configure PE1.
[PE1] ip vpn-instance VPNA
[PE1-vpn-instance-VPNA] route-distinguisher 100:1
[PE1-vpn-instance-VPNA] vpn-target 111:1 both
[PE1-vpn-instance-VPNA] quit
[PE1] ip vpn-instance VPNB
[PE1-vpn-instance-VPNB] route-distinguisher 100:2
[PE1-vpn-instance-VPNB] vpn-target 222:2 both
[PE1-vpn-instance-VPNB] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] ip binding vpn-instance VPNA
[PE1-Vlanif30] ip address 10.1.1.2 30
[PE1-Vlanif30] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip binding vpn-instance VPNB
[PE1-Vlanif20] ip address 10.2.1.2 30
[PE1-Vlanif20] quit

# Configure PE2.
[PE2] ip vpn-instance VPNA
[PE2-vpn-instance-VPNA] route-distinguisher 100:3
[PE2-vpn-instance-VPNA] vpn-target 111:1 both
[PE2-vpn-instance-VPNA] quit
[PE2] ip vpn-instance VPNB
[PE2-vpn-instance-VPNB] route-distinguisher 100:4
[PE2-vpn-instance-VPNB] vpn-target 222:2 both
[PE2-vpn-instance-VPNB] quit
[PE2] interface vlanif 50
[PE2-Vlanif50] ip binding vpn-instance VPNA
[PE2-Vlanif50] ip address 10.3.1.2 30
[PE2-Vlanif50] quit
[PE2] interface vlanif 40
[PE2-Vlanif40] ip binding vpn-instance VPNB
[PE2-Vlanif40] ip address 10.4.1.2 30
[PE2-Vlanif40] quit

# Configure the interface addresses of the VLAN where the CE interface resides and configure
the IP addresses of the VLANIF interfaces according to Figure 1-2. The configuration procedure
is not given.
# By running the display ip vpn-instance verbose command on the PEs, you can see the
configuration of the VPN instances. The PEs can ping the connected CEs successfully.
NOTE

If multiple interfaces on a PE are bound to the same VPN, you must specify the source address when you
run the ping command to ping the connected CE. That is, specify -a source-ip-address in the ping -a
source-ip-address -vpn-instance vpn-instance-name destination-address command; otherwise, the ping
operation may fail.

Step 5 Configure and apply a tunnel policy on the PE.


# Configure the tunnel policy that binds the primary tunnel, and apply the tunnel policy to VPNA.
# Configure PE1.
[PE1]tunnel-policy policy1
[PE1-tunnel-policy-policy1]tunnel binding destination 2.2.2.2 te tunnel1/0/2
[PE1-tunnel-policy-policy1] quit
[PE1] ip vpn-instance VPNA
[PE1-vpn-instance-VPNA] tnl-policy policy1
[PE1-vpn-instance-VPNA] quit

# Configure PE2.
[PE2] tunnel-policy policy1
[PE2-tunnel-policy-policy1] tunnel binding destination 1.1.1.1 te tunnel1/0/2
[PE2-tunnel-policy-policy1] quit
[PE2] ip vpn-instance VPNA
[PE2-vpn-instance-VPNA] tnl-policy policy1
[PE2-vpn-instance-VPNA] quit

# Configure the tunnel policy that specifies the tunnel selection sequence and apply the tunnel
policy to VPNB.
# Configure PE1.
[PE1] tunnel-policy policy2
[PE1-tunnel-policy-policy2] tunnel select-seq cr-lsp lsp load-balance-number 1
[PE1-tunnel-policy-policy2] quit
[PE1] ip vpn-instance VPNB
[PE1-vpn-instance-VPNB] tnl-policy policy2
[PE1-vpn-instance-VPNB] quit

# Configure PE2.
[PE2] tunnel-policy policy2
[PE2-tunnel-policy-policy2] tunnel select-seq cr-lsp lsp load-balance-number 1
[PE2-tunnel-policy-policy2] quit
[PE2] ip vpn-instance VPNB
[PE2-vpn-instance-VPNB] tnl-policy policy2
[PE2-vpn-instance-VPNB] quit

Step 6 Set up MP-IBGP adjacency between the PEs.


# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.2 as-number 100
[PE1-bgp] peer 2.2.2.2 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.2 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.1 as-number 100
[PE2-bgp] peer 1.1.1.1 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.1 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit

# After the configuration, run the display bgp peer or display bgp vpnv4 all peer command.
You can see that the BGP peers between the PEs are established.
Step 7 Set up EBGP adjacency between PEs and CEs.
# Configure PE1
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance VPNA
[PE1-bgp-af-VPNA] peer 10.1.1.1 as-number 65410
[PE1-bgp-af-VPNA] quit
[PE1-bgp] ipv4-family vpn-instance VPNB
[PE1-bgp-af-VPNB] peer 10.2.1.1 as-number 65410
[PE1-bgp-af-VPNB] quit
[PE1-bgp] quit

# Configure CE1
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] quit

# Configure CE2
[CE2] bgp 65410
[CE2-bgp] peer 10.2.1.2 as-number 100
[CE2-bgp] quit

# Configure PE2
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance VPNA
[PE2-bgp-af-VPNA] peer 10.3.1.1 as-number 65420
[PE2-bgp-af-VPNA] quit
[PE2-bgp] ipv4-family vpn-instance VPNB
[PE2-bgp-af-VPNB] peer 10.4.1.1 as-number 65420
[PE2-bgp-af-VPNB] quit
[PE2-bgp] quit

# Configure CE3
[CE3] bgp 65420
[CE3-bgp] peer 10.3.1.2 as-number 100
[CE3-bgp] quit

# Configure CE4
[CE4] bgp 65420
[CE4-bgp] peer 10.4.1.2 as-number 100
[CE4-bgp] quit

Step 8 Verify the configuration.

# Run the display ip routing-table vpn-instance command on the PE. You can view the routes
to the remote CE.

# Take the display on PE1 as an example:


[PE1] display ip routing-table vpn-instance VPNA
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: VPNA
Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/30 Direct 0 0 D 10.1.1.2 Vlanif30
10.1.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.1.1.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.3.1.0/30 BGP 255 0 RD 2.2.2.2 Tunnel1/0/2
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
[PE1] display ip routing-table vpn-instance VPNB
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: VPNB
Destinations : 5 Routes : 6
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.2.1.0/30 Direct 0 0 D 10.2.1.2 Vlanif20
10.2.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.2.1.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.4.1.0/30 BGP 255 0 RD 2.2.2.2 Tunnel1/0/1
BGP 255 0 RD 2.2.2.2 Vlanif10
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

# Run the display ip routing-table vpn-instance verbose command on the PEs, and you can
see the tunnels used by the VPN routes.

# Take the display on PE1 as an example:


[PE1] display ip routing-table vpn-instance VPNA 10.3.1.0 verbose
Routing Table : VPNA
Summary Count : 1
Destination: 10.3.1.0/30
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 2.2.2.2 Neighbour: 2.2.2.2
State: Active Adv GotQ Age: 00h00m08s
Tag: 0 Priority: 0
Label: 109568 QoSInfo: 0x0
RelayNextHop: 0.0.0.0 Interface: Tunnel1/0/2
Tunnel ID: 0x1003d
[PE1] display ip routing-table vpn-instance VPNB 10.4.1.0 verbose
Routing Table : VPNB
Summary Count : 1
Destination: 10.4.1.0/30
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 2.2.2.2 Neighbour: 2.2.2.2
State: Active Adv GotQ Age: 01h02m27s
Tag: 0 Priority: 0
Label: 107520 QoSInfo:0x0
RelayNextHop: 0.0.0.0 Interface: Tunnel1/0/1
Tunnel ID: 0x1001c

# The CEs in the same VPN can ping each other, and the CEs in different VPNs cannot ping
each other.

----End

Configuration Files
- Configuration file of PE1
#
sysname PE1
#
vlan batch 10 20 30
#
ip vpn-instance VPNA
route-distinguisher 100:1
tnl-policy policy1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance VPNB
route-distinguisher 100:2
tnl-policy policy2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls te cspf
#
mpls ldp
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.252
mpls
mpls te
mpls rsvp-te
mpls ldp
#
interface Vlanif20
ip binding vpn-instance VPNB
ip address 10.2.1.2 255.255.255.252
#
interface Vlanif30
ip binding vpn-instance VPNA
ip address 10.1.1.2 255.255.255.252
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet1/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface GigabitEthernet1/0/3
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
interface Tunnel1/0/1
ip address unnumbered interface loopback1
tunnel-protocol mpls te
destination 2.2.2.2
mpls te tunnel-id 11
mpls te commit
#
interface Tunnel1/0/2
ip address unnumbered interface loopback1
tunnel-protocol mpls te
destination 2.2.2.2
mpls te tunnel-id 22
mpls te reserved-for-binding
mpls te commit
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance VPNA
peer 10.1.1.1 as-number 65410
#
ipv4-family vpn-instance VPNB
peer 10.2.1.1 as-number 65410
#
ospf 1
opaque-capability enable
area 0.0.0.0
network 100.1.1.0 0.0.0.3
network 1.1.1.1 0.0.0.0
mpls-te enable
#
tunnel-policy policy1
tunnel binding destination 2.2.2.2 te Tunnel1/0/2
#
tunnel-policy policy2
tunnel select-seq cr-lsp lsp load-balance-number 1
#
return
- Configuration file of PE2
#
sysname PE2
#
vlan batch 10 40 50
#
ip vpn-instance VPNA
route-distinguisher 100:3
tnl-policy policy1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance VPNB
route-distinguisher 100:4
tnl-policy policy2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 2.2.2.2
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls te cspf
#
mpls ldp
#
interface Vlanif10
ip address 100.1.1.2 255.255.255.252
mpls
mpls te
mpls rsvp-te
mpls ldp
#
interface Vlanif40
ip binding vpn-instance VPNB
ip address 10.4.1.2 255.255.255.252
#
interface Vlanif50
ip binding vpn-instance VPNA
ip address 10.3.1.2 255.255.255.252
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet1/0/2
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
interface GigabitEthernet1/0/3
port hybrid pvid vlan 50
port hybrid untagged vlan 50
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
interface Tunnel1/0/1
ip address unnumbered interface loopback1
tunnel-protocol mpls te
destination 1.1.1.1
mpls te tunnel-id 11
mpls te commit
#
interface Tunnel1/0/2
ip address unnumbered interface loopback1
tunnel-protocol mpls te
destination 1.1.1.1
mpls te tunnel-id 22
mpls te reserved-for-binding
mpls te commit
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance VPNA
peer 10.3.1.1 as-number 65420
#
ipv4-family vpn-instance VPNB
peer 10.4.1.1 as-number 65420
#
ospf 1
opaque-capability enable
area 0.0.0.0
network 100.1.1.0 0.0.0.3
network 2.2.2.2 0.0.0.0
mpls-te enable
#
tunnel-policy policy1
tunnel binding destination 1.1.1.1 te Tunnel1/0/2
#
tunnel-policy policy2
tunnel select-seq cr-lsp lsp load-balance-number 1
#
return
- Configuration file of CE1
#
sysname CE1
#
vlan batch 30
#
interface Vlanif30
ip address 10.1.1.1 255.255.255.252
#
interface GigabitEthernet1/0/3
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
#
return
- Configuration file of CE2

#
sysname CE2
#
vlan batch 20
#
interface vlanif 20
ip address 10.2.1.1 255.255.255.252
#
interface GigabitEthernet1/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
bgp 65410
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
peer 10.2.1.2 enable
#
return
- Configuration file of CE3
#
sysname CE3
#
vlan batch 50
#
interface Vlanif50
ip address 10.3.1.1 255.255.255.252
#
interface GigabitEthernet1/0/3
port hybrid pvid vlan 50
port hybrid untagged vlan 50
#
bgp 65420
peer 10.3.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
peer 10.3.1.2 enable
#
return

- Configuration file of CE4


#
sysname CE4
#
vlan batch 40
#
interface Vlanif 40
ip address 10.4.1.1 255.255.255.252
#
interface GigabitEthernet1/0/2
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
bgp 65420
peer 10.4.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
peer 10.4.1.2 enable
#
return
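
The PE configuration files above decide, through the vpn-target values, the tnl-policy reference and the tunnel binding, whether VPNA and VPNB stay separate and which tunnel each one uses. The Python sketch below is an added example, not part of the Huawei guide: it parses a configuration file in the format shown and reports an undefined tnl-policy, a VPN instance that imports a vpn-target exported by another instance, and a binding whose TE tunnel is missing, lacks mpls te reserved-for-binding, or has a different destination. The function names and finding strings are assumptions of the example, and the reserved-for-binding rule is taken from how Tunnel1/0/2 is configured here.

```python
import re

# Constructed sample: tunnel-related stanzas abridged from the PE1 configuration file.
PE1_CONFIG = """\
#
ip vpn-instance VPNA
 route-distinguisher 100:1
 tnl-policy policy1
 vpn-target 111:1 export-extcommunity
 vpn-target 111:1 import-extcommunity
#
ip vpn-instance VPNB
 route-distinguisher 100:2
 tnl-policy policy2
 vpn-target 222:2 export-extcommunity
 vpn-target 222:2 import-extcommunity
#
interface Tunnel1/0/1
 destination 2.2.2.2
#
interface Tunnel1/0/2
 destination 2.2.2.2
 mpls te reserved-for-binding
#
tunnel-policy policy1
 tunnel binding destination 2.2.2.2 te Tunnel1/0/2
#
tunnel-policy policy2
 tunnel select-seq cr-lsp lsp load-balance-number 1
#
return
"""

RT = re.compile(r"^\d+:\d+$")  # route-target token such as 111:1


def parse_stanzas(config):
    """Split the file into (header, body) stanzas; a '#' line ends a stanza."""
    blocks = re.split(r"(?m)^[ \t]*#[ \t]*$", config)
    stanzas = [[ln.strip() for ln in b.splitlines() if ln.strip()] for b in blocks]
    return [(s[0], s[1:]) for s in stanzas if s]


def load(config):
    """Collect VPN instances, TE tunnel interfaces and tunnel-policy bindings."""
    vpns, tunnels, policies = {}, {}, {}
    for header, body in parse_stanzas(config):
        kind, _, name = header.rpartition(" ")
        rows = [line.split() for line in body]
        if kind == "ip vpn-instance":
            vpn = vpns[name] = {"policy": None, "import": set(), "export": set()}
            for w in rows:
                if w[0] == "tnl-policy":
                    vpn["policy"] = w[1]
                elif w[0] == "vpn-target":
                    targets = {t for t in w[1:] if RT.match(t)}
                    # 'both' (as in the CLI steps) or no keyword: both directions
                    if not w[-1].startswith("export"):
                        vpn["import"] |= targets
                    if not w[-1].startswith("import"):
                        vpn["export"] |= targets
        elif kind == "interface" and name.lower().startswith("tunnel"):
            dest = [w[1] for w in rows if w[0] == "destination"]
            # value: (destination, carries 'mpls te reserved-for-binding')
            tunnels[name.lower()] = (dest[0] if dest else None,
                                     "mpls te reserved-for-binding" in body)
        elif kind == "tunnel-policy":
            # tunnel binding destination <ip> te <tunnel> [<tunnel> ...]
            policies[name] = [
                (w[3], [t.lower() for t in w[5:] if t.lower().startswith("tunnel")])
                for w in rows
                if w[:3] == ["tunnel", "binding", "destination"] and len(w) > 5]
    return vpns, tunnels, policies


def audit(config):
    """Return findings as strings; an empty list means every check passed."""
    vpns, tunnels, policies = load(config)
    findings, names = [], sorted(vpns)
    for i, a in enumerate(names):
        if vpns[a]["policy"] and vpns[a]["policy"] not in policies:
            findings.append(f"{a}: tnl-policy {vpns[a]['policy']} is not defined")
        for b in names[i + 1:]:
            for src, dst in ((a, b), (b, a)):
                leaked = sorted(vpns[src]["export"] & vpns[dst]["import"])
                if leaked:
                    findings.append(f"{dst} imports {leaked} exported by {src}")
    for policy, bindings in sorted(policies.items()):
        for dest, bound in bindings:
            for t in bound:
                if t not in tunnels:
                    findings.append(f"{policy}: {t} is not configured")
                elif not tunnels[t][1]:
                    findings.append(f"{policy}: {t} lacks mpls te reserved-for-binding")
                elif tunnels[t][0] != dest:
                    findings.append(f"{policy}: {t} ends at {tunnels[t][0]}, not {dest}")
    return findings
```

A shared vpn-target between two instances can be intentional (an extranet); in this example VPNA and VPNB are meant to be isolated, so any such finding needs review.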

1.9.2 Example for Binding a Tunnel to the Martini L2VPN


Networking Requirements
As shown in Figure 1-3, Site 1, Site 2, and Site 3 belong to VPNA. The networking requirements
are as follows:
- Configure a Martini L2VPN.
- The communication between Site 1 and Site 2 is independent of that between Site 1 and
  Site 3.

Figure 1-3 Networking diagram for configuring the L2VPN tunnel binding
[Diagram not reproduced: CE1 (Site 1), CE2 (Site 2), and CE3 (Site 3) belong to VPNA and
connect to PE1, PE2, and PE3 respectively. PE1, PE2, and PE3 each connect to the P.
Loopback1 addresses: PE1 1.1.1.9/32, PE2 2.2.2.9/32, PE3 3.3.3.9/32, P 4.4.4.9/32.]

Device  Interface             VLANIF interface  IP address
PE1     GigabitEthernet1/0/1  VLANIF 7          100.1.1.2/24
        GigabitEthernet1/0/2  VLANIF 10         -
        GigabitEthernet1/0/3  VLANIF 4          -
        Loopback1             -                 1.1.1.9/32
PE2     GigabitEthernet1/0/1  VLANIF 2          -
        GigabitEthernet1/0/2  VLANIF 5          100.2.1.2/24
        Loopback1             -                 2.2.2.9/32
PE3     GigabitEthernet1/0/1  VLANIF 3          -
        GigabitEthernet1/0/3  VLANIF 6          100.3.1.2/24
        Loopback1             -                 3.3.3.9/32
P       GigabitEthernet1/0/1  VLANIF 7          100.1.1.1/24
        GigabitEthernet1/0/2  VLANIF 5          100.2.1.1/24
        GigabitEthernet1/0/3  VLANIF 6          100.3.1.1/24
CE1     GigabitEthernet1/0/2  VLANIF 10         10.1.1.1/24
        GigabitEthernet1/0/3  VLANIF 4          20.1.1.1/24
CE2     GigabitEthernet1/0/1  VLANIF 2          10.1.1.2/24
CE3     GigabitEthernet1/0/1  VLANIF 3          20.1.1.2/24

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a TE tunnel.
2. Configure a tunnel policy to bind the IP address of the remote end to the tunnel.
3. Apply the tunnel policy to the L2VC.
4. Connect the CEs to the backbone network.

Data Preparation
To complete the configuration, you need the following data:

- Tunnel policy
- VC ID
- Parameters for the MPLS TE tunnel
NOTE

For different L2VPN services from a PE to the same destination, different tunnel policies and TE tunnels
are required.

Procedure
Step 1 Enable PEs to communicate with each other.

# Configure an Interior Gateway Protocol (IGP) on the MPLS backbone network to implement
interworking between the PEs. IS-IS is used in this example, and the IS-IS process ID is 1.

# Configure PE1.
<Quidway> system-view
[Quidway] sysname PE1
[PE1] vlan 7
[PE1-vlan7] quit
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port hybrid pvid vlan 7
[PE1-GigabitEthernet1/0/1] port hybrid tagged vlan 7
[PE1-GigabitEthernet1/0/1] quit
[PE1] interface vlanif 7
[PE1-Vlanif7] ip address 100.1.1.2 24
[PE1-Vlanif7] quit
[PE1]isis 1
[PE1-isis-1] network-entity 10.0000.0000.0000.0001.00
[PE1-isis-1] is-level level-2
[PE1-isis-1] quit
[PE1] interface vlanif 7
[PE1-Vlanif7] isis enable 1
[PE1-Vlanif7] quit
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] isis enable 1
[PE1-LoopBack1] quit

# The configuration procedures of PE2 and PE3 are similar to the configuration procedure of
PE1.

# Configure the P.
<Quidway> system-view
[Quidway] sysname P
[P] vlan batch 5 6 7
[P]interface gigabitethernet 1/0/1
[P-GigabitEthernet1/0/1] port hybrid pvid vlan 7
[P-GigabitEthernet1/0/1] port hybrid tagged vlan 7
[P-GigabitEthernet1/0/1] quit
[P]interface gigabitethernet 1/0/2
[P-GigabitEthernet1/0/2] port hybrid pvid vlan 5
[P-GigabitEthernet1/0/2] port hybrid tagged vlan 5
[P-GigabitEthernet1/0/2] quit
[P]interface gigabitethernet 1/0/3
[P-GigabitEthernet1/0/3] port hybrid pvid vlan 6
[P-GigabitEthernet1/0/3] port hybrid tagged vlan 6
[P-GigabitEthernet1/0/3] quit
[P] interface vlanif 7
[P-Vlanif7] ip address 100.1.1.1 24
[P-Vlanif7] quit
[P] interface vlanif 5
[P-Vlanif5] ip address 100.2.1.1 24
[P-Vlanif5] quit
[P] interface vlanif 6
[P-Vlanif6] ip address 100.3.1.1 24
[P-Vlanif6] quit
[P]isis 1
[P-isis-1] network-entity 10.0000.0000.0000.0002.00
[P-isis-1] is-level level-2
[P-isis-1] quit
[P] interface vlanif 5
[P-Vlanif5] isis enable 1
[P-Vlanif5] quit
[P] interface vlanif 6
[P-Vlanif6] isis enable 1
[P-Vlanif6] quit
[P] interface vlanif 7
[P-Vlanif7] isis enable 1
[P-Vlanif7] quit
[P] interface loopback 1
[P-LoopBack1] ip address 4.4.4.9 32
[P-LoopBack1] isis enable 1
[P-LoopBack1] quit

# Run the display ip routing-table command in any view of the PEs, and you can see that the
PEs can learn the loopback address of each other.
# Take the display on PE1 as an example:
[PE1] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 14 Routes : 14
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.9/32 Direct 0 0 D 127.0.0.1 InLoopBack0
2.2.2.9/32 ISIS 15 20 D 100.1.1.2 Vlanif7
3.3.3.9/32 ISIS 15 20 D 100.1.1.2 Vlanif7
4.4.4.9/32 ISIS 15 10 D 100.1.1.2 Vlanif7
100.1.1.0/24 Direct 0 0 D 100.1.1.1 Vlanif7
100.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
100.1.1.2/32 Direct 0 0 D 100.1.1.2 Vlanif7
100.1.1.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
100.2.1.0/24 ISIS 15 20 D 100.1.1.2 Vlanif7
100.3.1.0/24 ISIS 15 20 D 100.1.1.2 Vlanif7
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Step 2 Configure the basic MPLS capability, set up the LDP peers, and enable MPLS TE, Resource
Reservation Protocol-TE (RSVP-TE), and Constraint Shortest Path First (CSPF).

# In this example, RSVP-TE is used as the signaling protocol. Enable global MPLS TE and
RSVP-TE on the PEs and P along the TE tunnel. Configure CSPF on the tunnel ingress. Enable
MPLS TE and RSVP-TE on the interfaces along the tunnel. Configure the LDP remote peers
on PEs to transmit the private network routes.

# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] mpls te
[PE1-mpls] mpls rsvp-te
[PE1-mpls] mpls te cspf
[PE1-mpls] quit
[PE1] interface vlanif 7
[PE1-Vlanif7] mpls
[PE1-Vlanif7] mpls te
[PE1-Vlanif7] mpls rsvp-te
[PE1-Vlanif7] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] mpls ldp remote-peer 2.2.2.9
[PE1-mpls-ldp-remote-2.2.2.9] remote-ip 2.2.2.9
[PE1-mpls-ldp-remote-2.2.2.9] quit
[PE1] mpls ldp remote-peer 3.3.3.9
[PE1-mpls-ldp-remote-3.3.3.9] remote-ip 3.3.3.9
[PE1-mpls-ldp-remote-3.3.3.9] quit

# The configuration procedures of PE2 and PE3 are similar to the configuration procedure of
PE1.

# Configure the P.
[P] mpls lsr-id 4.4.4.9
[P] mpls
[P-mpls] mpls te
[P-mpls] mpls rsvp-te
[P-mpls] quit
[P] interface vlanif 7
[P-Vlanif7] mpls
[P-Vlanif7] mpls te
[P-Vlanif7] mpls rsvp-te
[P-Vlanif7] quit
[P] interface vlanif 5
[P-Vlanif5] mpls
[P-Vlanif5] mpls te
[P-Vlanif5] mpls rsvp-te
[P-Vlanif5] quit
[P] interface vlanif 6
[P-Vlanif6] mpls
[P-Vlanif6] mpls te
[P-Vlanif6] mpls rsvp-te
[P-Vlanif6] quit

# Run the display mpls ldp session command on the PEs, and you can see that LDP peers are
set up between PE1 and PE2 and between PE1 and PE3.

# Take the display on PE1 as an example:


[PE1] display mpls ldp session

LDP Session(s) in Public Network


Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------

PeerID Status LAM SsnRole SsnAge KASent/Rcv


------------------------------------------------------------------------------
2.2.2.9:0 Operational DU Passive 0000:00:33 4/4
3.3.3.9:0 Operational DU Passive 0000:00:42 4/4
------------------------------------------------------------------------------
TOTAL: 2 session(s) Found.

Step 3 Configure IS-IS TE.


# Configure PE1.
[PE1] isis 1
[PE1-isis-1] cost-style wide
[PE1-isis-1] traffic-eng level-2
[PE1-isis-1] quit

# The configuration procedures of P, PE2, and PE3 are similar to the configuration procedure
of PE1.

NOTE

When IS-IS TE is configured on only the local end, the session set up on the local end turns Down. When
IS-IS TE is configured on the remote end, the LDP session becomes Up again.

Step 4 Configure the explicit path of MPLS TE.


# You can manually specify the path that an MPLS TE tunnel takes by configuring an explicit path.
The following uses the explicit paths on PE1 as an example.
# Configure PE1.
[PE1] explicit-path PE1toPE2
[PE1-explicit-path-PE1toPE2] next hop 100.1.1.1
[PE1-explicit-path-PE1toPE2] next hop 100.2.1.2
[PE1-explicit-path-PE1toPE2] next hop 2.2.2.9
[PE1-explicit-path-PE1toPE2] quit
[PE1] explicit-path PE1toPE3
[PE1-explicit-path-PE1toPE3] next hop 100.1.1.1
[PE1-explicit-path-PE1toPE3] next hop 100.3.1.2
[PE1-explicit-path-PE1toPE3] next hop 3.3.3.9
[PE1-explicit-path-PE1toPE3] quit

Step 5 Configure the MPLS TE tunnel.


NOTE

An MPLS TE tunnel is unidirectional. To guarantee bidirectional QoS on the TE tunnel, you must configure
an MPLS TE tunnel in each direction, that is, on the PEs at both ends.

# Create two tunnel interfaces on PE1; create a tunnel interface on each of PE2 and PE3.
# Configure PE1.
[PE1] interface tunnel 1/0/0
[PE1-Tunnel1/0/0] ip address unnumbered interface loopback 1
[PE1-Tunnel1/0/0] tunnel-protocol mpls te
[PE1-Tunnel1/0/0] destination 2.2.2.9
[PE1-Tunnel1/0/0] mpls te tunnel-id 100
[PE1-Tunnel1/0/0] mpls te signal-protocol rsvp-te
[PE1-Tunnel1/0/0] mpls te path explicit-path PE1toPE2
[PE1-Tunnel1/0/0] mpls te commit
[PE1-Tunnel1/0/0] quit
[PE1] interface tunnel 2/0/0
[PE1-Tunnel2/0/0] ip address unnumbered interface loopback 1
[PE1-Tunnel2/0/0] tunnel-protocol mpls te
[PE1-Tunnel2/0/0] destination 3.3.3.9
[PE1-Tunnel2/0/0] mpls te tunnel-id 200
[PE1-Tunnel2/0/0] mpls te signal-protocol rsvp-te
[PE1-Tunnel2/0/0] mpls te path explicit-path PE1toPE3

[PE1-Tunnel2/0/0] mpls te commit


[PE1-Tunnel2/0/0] quit

# Configure PE2.
[PE2] interface tunnel 1/0/0
[PE2-Tunnel1/0/0] ip address unnumbered interface loopback 1
[PE2-Tunnel1/0/0] tunnel-protocol mpls te
[PE2-Tunnel1/0/0] destination 1.1.1.9
[PE2-Tunnel1/0/0] mpls te tunnel-id 100
[PE2-Tunnel1/0/0] mpls te signal-protocol rsvp-te
[PE2-Tunnel1/0/0] mpls te commit
[PE2-Tunnel1/0/0] quit

# Configure PE3.
[PE3] interface tunnel 1/0/0
[PE3-Tunnel1/0/0] ip address unnumbered interface loopback 1
[PE3-Tunnel1/0/0] tunnel-protocol mpls te
[PE3-Tunnel1/0/0] destination 1.1.1.9
[PE3-Tunnel1/0/0] mpls te tunnel-id 100
[PE3-Tunnel1/0/0] mpls te signal-protocol rsvp-te
[PE3-Tunnel1/0/0] mpls te commit
[PE3-Tunnel1/0/0] quit

# Run the display this interface command in the tunnel interface view of the PEs, and you can
see that the TE tunnel is Up. Take Tunnel1/0/0 of PE1 for example.
[PE1-Tunnel1/0/0] display this interface
Tunnel1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2007-09-10 13:54:57-08:00
Description:HUAWEI, Quidway Series, Tunnel1/0/0 Interface
Route Port,
Internet Address is unnumbered, using address of LoopBack1(1.1.1.9/32)
Encapsulation is TUNNEL, loopback not set
Tunnel destination 2.2.2.9
Tunnel up/down statistics 1
Tunnel protocol/transport MPLS/MPLS, ILM is available,
primary tunnel id is 0x1003c, secondary tunnel id is 0x0

QoS max-bandwidth : 64 Kbps


Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
300 seconds output rate 0 bits/sec, 0 packets/sec
196 seconds output rate 0 bits/sec, 0 packets/sec
0 packets output, 0 bytes
0 output error
0 output drop

Input bandwidth utilization : --


Output bandwidth utilization : --

Step 6 Configure the VPN tunnel binding.

# Configure PE1. Bind PE1 to Tunnel1.


[PE1] mpls l2vpn
[PE1-l2vpn] mpls l2vpn default martini
[PE1-l2vpn] quit
[PE1] interface tunnel 1/0/0
[PE1-Tunnel1/0/0] mpls te reserved-for-binding
[PE1-Tunnel1/0/0] mpls te commit
[PE1-Tunnel1/0/0] quit
[PE1] tunnel-policy policy1
[PE1-tunnel-policy-policy1] tunnel binding destination 2.2.2.9 te tunnel 1/0/0
[PE1-tunnel-policy-policy1] quit
[PE1] interface VLANIF 10

[PE1-Vlanif10] mpls l2vc 2.2.2.9 100 tunnel-policy policy1


[PE1-Vlanif10] quit

# Configure PE1. Bind PE1 to Tunnel2.


[PE1] interface tunnel 2/0/0
[PE1-Tunnel2/0/0] mpls te reserved-for-binding
[PE1-Tunnel2/0/0] mpls te commit
[PE1-Tunnel2/0/0] quit
[PE1] tunnel-policy policy2
[PE1-tunnel-policy-policy2] tunnel binding destination 3.3.3.9 te tunnel 2/0/0
[PE1-tunnel-policy-policy2] quit
[PE1] interface vlanif 4
[PE1-Vlanif4] mpls l2vc 3.3.3.9 200 tunnel-policy policy2
[PE1-Vlanif4] quit

# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] mpls l2vpn default martini
[PE2-l2vpn] quit
[PE2] interface tunnel 1/0/0
[PE2-Tunnel1/0/0] mpls te reserved-for-binding
[PE2-Tunnel1/0/0] mpls te commit
[PE2-Tunnel1/0/0] quit
[PE2] tunnel-policy policy1
[PE2-tunnel-policy-policy1] tunnel binding destination 1.1.1.9 te tunnel 1/0/0
[PE2-tunnel-policy-policy1] quit
[PE2] interface vlanif 2
[PE2-Vlanif2] mpls l2vc 1.1.1.9 100 tunnel-policy policy1
[PE2-Vlanif2] quit

# Configure PE3.
[PE3] mpls l2vpn
[PE3-l2vpn] mpls l2vpn default martini
[PE3-l2vpn] quit
[PE3] interface tunnel 1/0/0
[PE3-Tunnel1/0/0] mpls te reserved-for-binding
[PE3-Tunnel1/0/0] mpls te commit
[PE3-Tunnel1/0/0] quit
[PE3] tunnel-policy policy1
[PE3-tunnel-policy-policy1] tunnel binding destination 1.1.1.9 te tunnel 1/0/0
[PE3-tunnel-policy-policy1] quit
[PE3] interface vlanif 3
[PE3-Vlanif3] mpls l2vc 1.1.1.9 200 tunnel-policy policy1
[PE3-Vlanif3] quit

Step 7 Connect the CEs to the backbone network.


# The following takes the configuration of CE1 as an example. The configuration procedures of
CE2 and CE3 are the same as the configuration procedure of CE1, and are not mentioned here.

[CE1] vlan 10
[CE1-vlan10] quit
[CE1] vlan 4
[CE1-vlan4] quit
[CE1] interface gigabitethernet 1/0/2
[CE1-GigabitEthernet1/0/2] port link-type trunk
[CE1-GigabitEthernet1/0/2] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/2] quit
[CE1] interface gigabitethernet 1/0/3
[CE1-GigabitEthernet1/0/3] port link-type trunk
[CE1-GigabitEthernet1/0/3] port trunk allow-pass vlan 4
[CE1-GigabitEthernet1/0/3] quit
[CE1] interface VLANIF 10
[CE1-Vlanif10] ip address 10.1.1.1 24
[CE1-Vlanif10] quit
[CE1] interface vlanif 4

[CE1-Vlanif4] ip address 20.1.1.1 24


[CE1-Vlanif4] quit

Step 8 Verify the configuration.

# Check the VC status on PE1. All the VCs on PE1 are Up.
[PE1] display mpls l2vc
total LDP VC : 2 1 up 0 down

*client interface : Vlanif4


Administrator PW : no
session state : up
AC status : up
VC state : up
VC ID : 200
VC type : VLAN
destination : 3.3.3.9
local VC label : 23552 remote VC label : 23552
control word : disable
forwarding entry : exist
local group ID : 0
manual fault : not set
active state : active
link state : up
local VC MTU : 1500 remote VC MTU : 1500
tunnel policy name : policy2
traffic behavior name: --
PW template name : --
primary or secondary : primary
create time : 0 days, 0 hours, 3 minutes, 45 seconds
up time : 0 days, 0 hours, 3 minutes, 45 seconds
last change time : 0 days, 0 hours, 3 minutes, 45 seconds
VC last up time : 2009/09/20 20:33:37
VC total up time : 0 days, 0 hours, 3 minutes, 45 seconds
CKey : 5
NKey : 4
AdminPw interface : --
AdminPw link state : --

*client interface : Vlanif10


Administrator PW : no
session state : up
AC status : up
VC state : up
VC ID : 100
VC type : VLAN
destination : 2.2.2.9
local VC label : 23553 remote VC label : 23553
control word : disable
forwarding entry : exist
local group ID : 0
manual fault : not set
active state : active
link state : up
local VC MTU : 1500 remote VC MTU : 1500
tunnel policy name : policy1
traffic behavior name: --
PW template name : --
primary or secondary : primary
create time : 0 days, 0 hours, 5 minutes, 45 seconds
up time : 0 days, 0 hours, 5 minutes, 45 seconds
last change time : 0 days, 0 hours, 5 minutes, 45 seconds
VC last up time : 2009/09/20 20:35:37
VC total up time : 0 days, 0 hours, 5 minutes, 45 seconds
CKey : 5
NKey : 4
AdminPw interface : --
AdminPw link state : --

# Check information about the interfaces on the bound tunnel.

# Take Tunnel 1/0/0 of PE1 as an example.


[PE1-Tunnel1/0/0] display this interface
Tunnel1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2007-09-10 13:54:57-08:00
Description:HUAWEI, Quidway Series, Tunnel1/0/0 Interface
Route Port,
Internet Address is unnumbered, using address of LoopBack1(1.1.1.9/32)
Encapsulation is TUNNEL, loopback not set
Tunnel destination 2.2.2.9
Tunnel up/down statistics 1
Tunnel protocol/transport MPLS/MPLS, ILM is available,
primary tunnel id is 0x1003c, secondary tunnel id is 0x0

QoS max-bandwidth : 64 Kbps


Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
300 seconds output rate 0 bits/sec, 0 packets/sec
190 seconds output rate 0 bits/sec, 0 packets/sec
0 packets output, 0 bytes
0 output error
0 output drop

Input bandwidth utilization : --


Output bandwidth utilization : --

# CE1 can ping CE2 and CE3.

# Display information about Tunnel1/0/0 on PE1.


[PE1] display interface Tunnel 1/0/0
Tunnel1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2007-09-10 13:54:57-08:00
Description:HUAWEI, Quidway Series, Tunnel1/0/0 Interface
Route Port,
Internet Address is unnumbered, using address of LoopBack1(1.1.1.9/32)
Encapsulation is TUNNEL, loopback not set
Tunnel destination 2.2.2.9
Tunnel up/down statistics 1
Tunnel protocol/transport MPLS/MPLS, ILM is available,
primary tunnel id is 0x1003c, secondary tunnel id is 0x0

QoS max-bandwidth : 64 Kbps


Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
300 seconds output rate 2952 bits/sec, 2 packets/sec
196 seconds output rate 72 bits/sec, 0 packets/sec
48739720 packets output, 361150 bytes
0 output error
0 output drop

Input bandwidth utilization : --


Output bandwidth utilization : --

# You can see that the number of datagrams passing through Tunnel 1/0/0 increases.

# Run the ping 20.1.1.2 command on CE1, and then check information about Tunnel 1/0/0 of PE1
again. You can see that the packet statistics of Tunnel 1/0/0 remain unchanged because Tunnel 1/0/0
on PE1 transmits only the data between PE1 and PE2.

----End

Configuration Files
- Configuration file of PE1
#
sysname PE1
#
vlan batch 4 7 10
#
mpls lsr-id 1.1.1.9
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
mpls l2vpn
mpls l2vpn default martini
#
explicit-path pe1tope2
next hop 100.1.1.1
next hop 100.2.1.2
next hop 2.2.2.9
#
explicit-path pe1tope3
next hop 100.1.1.1
next hop 100.3.1.2
next hop 3.3.3.9
#
mpls ldp
#
mpls ldp remote-peer 2.2.2.9
remote-ip 2.2.2.9
#
mpls ldp remote-peer 3.3.3.9
remote-ip 3.3.3.9
#
isis 1
is-level level-2
cost-style wide
network-entity 10.0000.0000.0000.0001.00
traffic-eng level-2
#
interface Vlanif4
mpls l2vc 3.3.3.9 200 tunnel-policy policy2
#
interface Vlanif7
ip address 100.1.1.2 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface Vlanif10
mpls l2vc 2.2.2.9 100 tunnel-policy policy1
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 7
port hybrid tagged vlan 7
#
interface GigabitEthernet1/0/2
port hybrid pvid vlan 10
port hybrid tagged vlan 10
#
interface GigabitEthernet1/0/3
port hybrid pvid vlan 4
port hybrid tagged vlan 4
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
isis enable 1

#
interface Tunnel1/0/0
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 2.2.2.9
mpls te tunnel-id 100
mpls te path explicit-path pe1tope2
mpls te reserved-for-binding
mpls te commit
#
interface Tunnel2/0/0
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 3.3.3.9
mpls te tunnel-id 200
mpls te path explicit-path pe1tope3
mpls te reserved-for-binding
mpls te commit
#
tunnel-policy policy1
tunnel binding destination 2.2.2.9 te tunnel1/0/0
#
tunnel-policy policy2
tunnel binding destination 3.3.3.9 te tunnel2/0/0
#
return

- Configuration file of P
#
sysname P
#
vlan batch 5 6 7
#
mpls lsr-id 4.4.4.9
mpls
mpls te
mpls rsvp-te
#
isis 1
is-level level-2
cost-style wide
network-entity 10.0000.0000.0000.0002.00
traffic-eng level-2
#
interface Vlanif5
ip address 100.2.1.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface Vlanif6
ip address 100.3.1.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface Vlanif7
ip address 100.1.1.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 7
port hybrid tagged vlan 7
#
interface GigabitEthernet1/0/2

port hybrid pvid vlan 5


port hybrid tagged vlan 5
#
interface GigabitEthernet1/0/3
port hybrid pvid vlan 6
port hybrid tagged vlan 6
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
isis enable 1
#
return

- Configuration file of PE2


#
sysname PE2
#
vlan batch 2 5
#
mpls lsr-id 2.2.2.9
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
mpls l2vpn
mpls l2vpn default martini
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.9
remote-ip 1.1.1.9
#
isis 1
is-level level-2
cost-style wide
network-entity 10.0000.0000.0000.0003.00
traffic-eng level-2
#
interface Vlanif2
mpls l2vc 1.1.1.9 100 tunnel-policy policy1
#
interface Vlanif5
ip address 100.2.1.2 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 2
port hybrid tagged vlan 2
#
interface GigabitEthernet1/0/2
port hybrid pvid vlan 5
port hybrid tagged vlan 5
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
isis enable 1
#
interface Tunnel1/0/0
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 1.1.1.9
mpls te tunnel-id 100
mpls te reserved-for-binding
mpls te commit
#
tunnel-policy policy1

tunnel binding destination 1.1.1.9 te tunnel1/0/0


#
return

- Configuration file of PE3


#
sysname PE3
#
vlan batch 3 6
#
mpls lsr-id 3.3.3.9
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
mpls l2vpn
mpls l2vpn default martini
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.9
remote-ip 1.1.1.9
#
isis 1
is-level level-2
cost-style wide
network-entity 10.0000.0000.0000.0004.00
traffic-eng level-2
#
interface Vlanif3
mpls l2vc 1.1.1.9 200 tunnel-policy policy1
#
interface Vlanif6
ip address 100.3.1.2 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 3
port hybrid tagged vlan 3
#
interface GigabitEthernet1/0/3
port hybrid pvid vlan 6
port hybrid tagged vlan 6
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
isis enable 1
#
interface Tunnel1/0/0
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 1.1.1.9
mpls te tunnel-id 100
mpls te reserved-for-binding
mpls te commit
#
tunnel-policy policy1
tunnel binding destination 1.1.1.9 te tunnel1/0/0
#
return

- Configuration file of CE1


#
sysname CE1
#
vlan batch 4 10

#
interface Vlanif4
ip address 20.1.1.1 255.255.255.0
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 4
#
return

- Configuration file of CE2


#
sysname CE2
#
vlan batch 2
#
interface Vlanif2
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
return

- Configuration file of CE3


#
sysname CE3
#
vlan batch 3
#
interface Vlanif3
ip address 20.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 3
#
return
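
The tunnel binding configured in Step 6 only works when the L2VC, the tunnel policy, and the TE tunnel interface agree with each other. The following Python audit is an added example, not part of the Huawei guide: it parses '#'-delimited configuration text and reports bindings that point at a missing tunnel, at a tunnel with a different destination, or at a tunnel without mpls te reserved-for-binding. The function names are hypothetical, the sample is a constructed excerpt of PE1's configuration file above, and the parser assumes one tunnel per binding line.

```python
import re

# Constructed sample: the binding-related sections of PE1's configuration file
# shown above, re-indented for readability.
PE1_CONFIG = """\
#
interface Vlanif4
 mpls l2vc 3.3.3.9 200 tunnel-policy policy2
#
interface Vlanif10
 mpls l2vc 2.2.2.9 100 tunnel-policy policy1
#
interface Tunnel1/0/0
 tunnel-protocol mpls te
 destination 2.2.2.9
 mpls te tunnel-id 100
 mpls te reserved-for-binding
 mpls te commit
#
interface Tunnel2/0/0
 tunnel-protocol mpls te
 destination 3.3.3.9
 mpls te tunnel-id 200
 mpls te reserved-for-binding
 mpls te commit
#
tunnel-policy policy1
 tunnel binding destination 2.2.2.9 te tunnel1/0/0
#
tunnel-policy policy2
 tunnel binding destination 3.3.3.9 te tunnel2/0/0
#
return
"""


def parse_sections(config):
    """Split '#'-delimited configuration text into (header, [sub-commands]) pairs."""
    sections, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return"):
            current = None
        elif current is None:
            current = (line, [])
            sections.append(current)
        else:
            current[1].append(line)
    return sections


def _tunnel_key(name):
    """Normalize 'Tunnel1/0/0', 'tunnel 1/0/0' and 'tunnel1/0/0' to one key."""
    return name.replace(" ", "").lower()


def audit_bindings(config):
    """Return inconsistencies between L2VCs, tunnel policies and TE tunnels."""
    tunnels, policies, l2vcs = {}, {}, []
    for header, body in parse_sections(config):
        m = re.fullmatch(r"interface\s+(tunnel\s*[\d/]+)", header, re.I)
        if m:
            dest = next((l.split()[1] for l in body if l.startswith("destination ")), None)
            tunnels[_tunnel_key(m.group(1))] = (dest, "mpls te reserved-for-binding" in body)
        m = re.fullmatch(r"tunnel-policy\s+(\S+)", header)
        if m:
            bindings = policies.setdefault(m.group(1), {})
            for l in body:
                b = re.fullmatch(r"tunnel binding destination (\S+) te (tunnel\s*[\d/]+)", l, re.I)
                if b:
                    bindings[b.group(1)] = _tunnel_key(b.group(2))
        for l in body:
            v = re.fullmatch(r"mpls l2vc (\S+) (\d+) tunnel-policy (\S+)", l)
            if v:
                l2vcs.append((header, v.group(1), v.group(2), v.group(3)))

    findings = []
    for policy, bindings in policies.items():
        for dest, tunnel in bindings.items():
            if tunnel not in tunnels:
                findings.append(f"{policy}: {tunnel} is not configured")
                continue
            tunnel_dest, reserved = tunnels[tunnel]
            if tunnel_dest != dest:
                findings.append(
                    f"{policy}: binding destination {dest} != {tunnel} destination {tunnel_dest}")
            if not reserved:
                findings.append(f"{policy}: {tunnel} lacks 'mpls te reserved-for-binding'")
    for where, peer, vc_id, policy in l2vcs:
        if policy not in policies:
            findings.append(f"{where}: VC {vc_id} uses undefined tunnel policy {policy}")
        elif peer not in policies[policy]:
            findings.append(f"{where}: {policy} has no binding for VC {vc_id} peer {peer}")
    return findings


if __name__ == "__main__":
    for finding in audit_bindings(PE1_CONFIG) or ["no inconsistencies found"]:
        print(finding)
```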

2 GRE Configuration

About This Chapter

Generic Routing Encapsulation (GRE) encapsulates the packets of certain network layer
protocols such as Internetwork Packet Exchange (IPX), Asynchronous Transfer Mode (ATM),
IPv6, and AppleTalk so that the encapsulated packets can be transmitted over the IPv4
network. The latest GRE standards specify that GRE can encapsulate Layer 2 frames such as
Point-to-Point Protocol (PPP) frames and Multi-Protocol Label Switching (MPLS) frames.

2.1 Introduction to GRE


The transmission of packets in a GRE tunnel involves two processes: encapsulation and
decapsulation. After receiving a packet of a certain network layer protocol such as IPX that needs
to be encapsulated and routed, the system adds a GRE header to the packet, and then encapsulates
the packet into a packet of another protocol such as IP.
2.2 GRE Features Supported by the S7700
GRE features supported by the S7700 include the following: multi-protocol local network
transmission through a single-protocol backbone network, enlargement of the operation scope
of a network running a hop-limited protocol (like IPX), connection of discontinuous
subnets to establish a VPN, and working in conjunction with IPSec to compensate for the
limitation of IPSec in protecting multicast data.
2.3 Configuring GRE
You can configure GRE only after a GRE tunnel is configured.
2.4 Configuring a GRE Tunnel Between CE and PE
Configuring a GRE tunnel between a CE and a PE enables the CE to access the public network
through the GRE tunnel.
2.5 Configuring the Keepalive Function
Before configuring a tunnel policy and a GRE tunnel for the VPN, enable the Keepalive function
of the GRE tunnel. In this manner, the VPN does not select the GRE tunnel that cannot reach
the remote end, and data loss can be avoided.
2.6 Maintaining GRE
This section describes how to reset the statistics of a tunnel interface and monitor the running
status of GRE.
2.7 Configuration Examples
Familiarize yourself with the configuration procedures against the networking diagrams. This
chapter provides networking requirements, configuration notes, and the configuration roadmap in
the configuration examples.

2.1 Introduction to GRE


The transmission of packets in a GRE tunnel involves two processes: encapsulation and
decapsulation. After receiving a packet of a certain network layer protocol such as IPX that needs
to be encapsulated and routed, the system adds a GRE header to the packet, and then encapsulates
the packet into a packet of another protocol such as IP.

GRE encapsulates the packets of certain network layer protocols such as IP and IPX. After
encapsulation, these packets can be transmitted over the network by another network layer
protocol, such as IP.

GRE can serve as a Layer 3 tunneling protocol for VPNs. A tunnel is a virtual point-to-point
connection and can be regarded as a virtual interface that supports only point-to-point
connections. This interface provides a path to transmit encapsulated datagrams. GRE
encapsulates and decapsulates datagrams at both ends of the tunnel.
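
The encapsulation and decapsulation steps described above, as an added Python example that is not taken from the Huawei guide: it builds and parses the GRE header of RFC 2784 with the RFC 2890 key and sequence fields, including the optional checksum. The function names and the sample inner payload are constructed for illustration, and the decapsulator's rule that the key must equal the locally expected one is this example's assumption.

```python
import struct

FLAG_CHECKSUM = 0x8000   # C bit: Checksum and Reserved1 fields follow
FLAG_KEY = 0x2000        # K bit: 32-bit Key field follows (RFC 2890)
FLAG_SEQUENCE = 0x1000   # S bit: 32-bit Sequence Number follows (RFC 2890)
VERSION_MASK = 0x0007    # version must be 0 for RFC 2784 GRE
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPX = 0x8137

# Constructed stand-in for an inner IPX packet (not a real capture).
SAMPLE_INNER = bytes.fromhex("ffff001e0011") + b"constructed-ipx-payload"


def internet_checksum(data):
    """16-bit one's-complement checksum, as used by IP and by the GRE C field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def gre_encapsulate(payload, proto, key=None, checksum=False):
    """Prepend a GRE header; the caller then wraps the result in the delivery IP packet."""
    flags, optional = 0, b""
    if checksum:
        flags |= FLAG_CHECKSUM
        optional += b"\x00\x00\x00\x00"          # checksum placeholder + Reserved1
    if key is not None:
        flags |= FLAG_KEY
        optional += struct.pack("!I", key)
    packet = struct.pack("!HH", flags, proto) + optional + payload
    if checksum:
        # The checksum covers the GRE header and payload with the field set to zero.
        packet = packet[:4] + struct.pack("!H", internet_checksum(packet)) + packet[6:]
    return packet


def gre_decapsulate(packet, expected_key=None):
    """Validate and strip the GRE header; return (protocol type, inner packet)."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & VERSION_MASK:
        raise ValueError("unsupported GRE version")
    offset, key = 4, None
    if flags & FLAG_CHECKSUM:
        # A valid packet sums to zero when the checksum field is included.
        if len(packet) < offset + 4 or internet_checksum(packet) != 0:
            raise ValueError("GRE checksum mismatch")
        offset += 4
    if flags & FLAG_KEY:
        if len(packet) < offset + 4:
            raise ValueError("truncated GRE key field")
        (key,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    if flags & FLAG_SEQUENCE:
        if len(packet) < offset + 4:
            raise ValueError("truncated GRE sequence field")
        offset += 4
    if key != expected_key:
        raise ValueError("GRE key mismatch")
    return proto, packet[offset:]


def roundtrip_demo():
    """Encapsulate the sample with key and checksum, then decapsulate it again."""
    packet = gre_encapsulate(SAMPLE_INNER, ETHERTYPE_IPX, key=0x1234, checksum=True)
    return gre_decapsulate(packet, expected_key=0x1234)


if __name__ == "__main__":
    proto, inner = roundtrip_demo()
    print(hex(proto), inner == SAMPLE_INNER)
```

The key is carried in cleartext and the checksum is unkeyed, so neither field authenticates the sending peer.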

2.2 GRE Features Supported by the S7700


GRE features supported by the S7700 include the following: multi-protocol local network
transmission through a single-protocol backbone network, enlargement of the operation scope
of a network running a hop-limited protocol (like IPX), connection of discontinuous
subnets to establish a VPN, and working in conjunction with IPSec to compensate for the
limitation of IPSec in protecting multicast data.

Multi-Protocol Local Network Transmission Through Single-Protocol Backbone Network
In Figure 2-1, Group 1 and Group 2 are the local networks running the Novell IPX protocol.
Team 1 and Team 2 are the local networks running the IP protocol.

Figure 2-1 Networking diagram of multi-protocol local network transmission through the
single-protocol backbone network

[Figure 2-1 labels: Novell IPX Group 1, Novell IPX Group 2, IP Team 1, IP Team 2, SwitchA, SwitchB, GRE Tunnel, Internet]

The tunnel between Switch A and Switch B adopts the GRE protocol, so that Group 1
communicates with Group 2 without affecting the communication between Team 1 and Team
2.

Enlarging Operation Scope of the Network Running a Hop-Limited Protocol (Like IPX)
If the hop count between two terminals in Figure 2-2 is more than 15, the two terminals cannot
communicate with each other.

Figure 2-2 Networking diagram of enlarged network operation scope

[Figure 2-2 labels: PC, IP network, IP network, IP network, Tunnel, PC]

When the tunnel is used in the network, a few hops are hidden. This enlarges the scope of the
network operation.

Connecting Some Discontinuous Sub-Networks to Establish a VPN


GRE tunnels can be used to connect discontinuous sub-networks. As shown in Figure 2-3, the two
sub-networks Group 1 and Group 2, which run the Novell IPX protocol, are in different cities. A
VPN across the Wide Area Network (WAN) can be established by using the tunnel technology.

Figure 2-3 Networking diagram of discontinuous sub-networks connected through a tunnel

[Figure 2-3 labels: Novell Group1, Novell Group2, Tunnel, IP network]

GRE can be applied to both Layer 2 Virtual Private Network (L2VPN) and Layer 3 Virtual
Private Network (L3VPN). Usually, the MPLS VPN backbone network uses label switched
paths (LSPs) as the public network tunnel. However, if the core switch (P) in the backbone
network provides only the IP function and not the MPLS function, while the PE at the network
edge has the MPLS function, the LSP cannot be used as the public network tunnel. In that case,
you can use a GRE tunnel in place of the LSP to provide Layer 3 or Layer 2 VPN solutions on the
core network.
GRE tunnels can also be used as the non-MPLS VPN backbone tunnel. In this case, the private
network packet cannot contain the MPLS label when transmitted in the VPN backbone network.

2.3 Configuring GRE


You can configure GRE only after a GRE tunnel is configured.

2.3.1 Establishing the Configuration Task


Before configuring a GRE tunnel, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.

Applicable Environment
To set up a GRE tunnel, you need to create a tunnel interface first, and then configure GRE
functions on the tunnel interface. If the tunnel interface is deleted, all configurations on the
interface are deleted accordingly.

Pre-configuration Tasks
Before configuring an ordinary GRE tunnel, complete the following tasks:
- Ensure IP connectivity between the source interface and the destination interface

Data Preparation
To configure an ordinary GRE tunnel, you need the following data.

No.  Data
1    Number of the tunnel interface
2    Source address and destination address of the tunnel
3    IP address of the tunnel interface
4    Key of the tunnel interface

2.3.2 Configuring a Tunnel Interface


After creating a tunnel interface, you need to specify GRE as the encapsulation type, set the
source address or source interface of the tunnel, and set the destination address of the tunnel.
You also need to set the network address of the tunnel interface so that the tunnel can support
dynamic routing protocols. The network addresses of both ends of a tunnel must belong to the
same network segment.

Context
Do as follows on the switches at both ends of a tunnel:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface tunnel interface-number

A tunnel interface is created and the tunnel interface view is displayed.

Step 3 Run:
tunnel-protocol gre

The tunnel is encapsulated with GRE.

Step 4 Run:
source { source-ip-address | interface-type interface-number }

The source address or source interface of the tunnel is configured.

NOTE

The source interface of a GRE tunnel cannot be configured as the management network port, and the source
address of the tunnel cannot be configured as the IP address of the management network port.

Step 5 Run:
destination [ vpn-instance vpn-instance-name ] ip-address

The destination address of the tunnel is configured.

After a tunnel interface is created, you need to specify the source address or source interface and
destination address of the tunnel. The source address is the IP address of the loopback interface
that sends GRE packets, whereas the destination address is the IP address of the loopback
interface that receives the GRE packets.

Step 6 (Optional) Run:
mtu mtu

The Maximum Transmission Unit (MTU) of the tunnel interface is modified.

The new MTU takes effect only after you run the shutdown command and then the undo
shutdown command on the interface.

Step 7 Choose one of the following commands to configure the IP address of the tunnel interface.
- Run the ip address ip-address { mask | mask-length } [ sub ] command to configure the IP
  address of the tunnel interface.
- Run the ip address unnumbered interface interface-type interface-number command to
  configure IP unnumbered for the tunnel interface.

To support dynamic routing protocols on a tunnel, you must configure a network address for the
tunnel interface. The network address of the tunnel interface need not be a public address, but
should be in the same network segment on both ends of the tunnel.

By default, the network address of a tunnel interface is not set.

----End

2.3.3 Configuring Routes for the Tunnel


Routes for a tunnel must be available on both the source and destination devices so that packets
encapsulated with GRE can be forwarded properly. A route passing through tunnel interfaces
can be a static route or a dynamic route.

Context
Do as follows on devices on two ends of a tunnel:

NOTE

The packets encapsulated with GRE are forwarded correctly only if the routes for the tunnel are available
on both the source and destination switches.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Choose one of the following methods to configure routes passing through the tunnel interface.
- Run the ip route-static ip-address { mask | mask-length } tunnel interface-number
  [ description text ] command to configure a static route.
  The static route must be configured on both ends of the tunnel. In this command, the
  destination address is neither the destination address of the tunnel nor the address of the
  opposite tunnel interface; it is the destination address of the packet before the packet is
  encapsulated with GRE. The outbound interface must be the local tunnel interface.
- Configure dynamic routes using IGP or BGP. Details for the procedure are not provided here.
  For the configuration of dynamic routes, see the S7700 Configuration Guide - IP Routing.
  When configuring a dynamic routing protocol, enable the dynamic routing protocol on both
  the tunnel interface and the interface connected to the private network. To ensure proper
  routing, do not choose the tunnel interface as the next hop when configuring the route to the
  physical or logical interface of the destination tunnel.
  Use Switch A in Figure 2-4 as an example. The source interface of Tunnel 1/0/1 is VLANIF
  10 on Switch A, and its destination interface is VLANIF 20 on Switch C. If a dynamic routing
  protocol is used, the protocol must be configured on the tunnel interface and the GE interface
  connected to the PC. Moreover, in the routing table of Switch A, the outbound interface of the
  route to the network segment where VLANIF 20 on Switch C resides cannot be Tunnel 1/0/1.
  In practical configurations, tunnel interfaces and physical interfaces connected to the public
  network should use different routing protocols or different processes of the same routing
  protocol. In this manner, you can avoid selecting a tunnel interface as an outbound interface
  for packets destined for the destination of the tunnel. In addition, a physical interface is
  prevented from forwarding user packets that should be forwarded through the tunnel.

Figure 2-4 Diagram of configuring the GRE dynamic routing protocol

[Figure 2-4 labels: Backbone; SwitchA: GE1/0/0 (VLANIF10), GE2/0/0, Tunnel1/0/1; SwitchC: GE2/0/0 (VLANIF20), GE1/0/0, Tunnel2/0/1; Tunnel; PC1; PC2]

----End
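
The routing rule above (the route to the tunnel destination must not leave through the tunnel interface, and user prefixes must not leave through a physical interface) can be checked mechanically against display ip routing-table output. The following Python sketch is an added example, not part of the Huawei guide; the function names, finding labels and the sample table (this guide's example addressing plus one deliberately wrong host route) are constructed for illustration.

```python
import ipaddress
import re
from typing import NamedTuple


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    proto: str
    pre: int
    cost: int
    nexthop: str
    interface: str


# One row of "display ip routing-table":
# Destination/Mask Proto Pre Cost Flags NextHop Interface
ROW = re.compile(
    r"^\s*(\d+(?:\.\d+){3}/\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+\S+\s+"
    r"(\d+(?:\.\d+){3})\s+(\S+)\s*$"
)

# Constructed sample: the host route to the tunnel destination 30.1.1.2 was
# (wrongly) learned through the tunnel itself.
SAMPLE_TABLE = """\
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif30
10.2.1.0/24 Static 60 0 D 40.1.1.1 Tunnel1/0/1
20.1.1.0/24 Direct 0 0 D 20.1.1.1 Vlanif10
30.1.1.0/24 OSPF 10 2 D 20.1.1.2 Vlanif10
30.1.1.2/32 OSPF 10 1563 D 40.1.1.2 Tunnel1/0/1
40.1.1.0/24 Direct 0 0 D 40.1.1.1 Tunnel1/0/1
"""


def parse_routes(text):
    """Parse routing-table rows; header and separator lines do not match ROW."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            net, proto, pre, cost, nexthop, ifname = m.groups()
            routes.append(Route(ipaddress.ip_network(net, strict=False),
                                proto, int(pre), int(cost), nexthop, ifname))
    return routes


def best_route(routes, target):
    """Longest-prefix match; ties go to the lower preference, then the lower cost."""
    target = ipaddress.ip_network(target, strict=False)
    covering = [r for r in routes if target.subnet_of(r.network)]
    if not covering:
        return None
    return min(covering, key=lambda r: (-r.network.prefixlen, r.pre, r.cost))


def same_if(a, b):
    """'Tunnel 1/0/1' (CLI form) and 'Tunnel1/0/1' (table form) are the same interface."""
    return a.replace(" ", "").lower() == b.replace(" ", "").lower()


def check_tunnel_routing(routes, tunnel_if, tunnel_dest, user_prefixes):
    """Return (label, detail) findings for one GRE tunnel."""
    findings = []
    route = best_route(routes, tunnel_dest)
    if route is None:
        findings.append(("NO_ROUTE_TO_TUNNEL_DEST", tunnel_dest))
    elif same_if(route.interface, tunnel_if):
        # The encapsulated packet would be sent back into the tunnel.
        findings.append(("RECURSIVE_ROUTE", str(route.network)))
    for prefix in user_prefixes:
        route = best_route(routes, prefix)
        if route is None:
            findings.append(("NO_ROUTE_TO_USER_PREFIX", prefix))
        elif not same_if(route.interface, tunnel_if):
            # User traffic would leave unencapsulated through another interface.
            findings.append(("BYPASSES_TUNNEL", f"{prefix} via {route.interface}"))
    return findings


if __name__ == "__main__":
    table = parse_routes(SAMPLE_TABLE)
    for finding in check_tunnel_routing(table, "Tunnel 1/0/1", "30.1.1.2", ["10.2.1.0/24"]):
        print(finding)
```
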

2.3.4 Checking the Configuration


After a GRE tunnel is set up, you can view the running status and routing information about the
tunnel interface.

Context
The configurations of the GRE function are complete.

Procedure
• Run the display interface tunnel [ interface-number ] command to check the operating
status of the tunnel interface.
• Run the display ip routing-table command to check the routing table.
• Run the ping -a source-ip-address host command to check whether the two ends of the
tunnel can successfully ping each other.
----End

Example
Run the display interface tunnel command. If the tunnel interface is Up, the configuration
succeeds. For example:
<Quidway> display interface Tunnel 1/0/0
Tunnel1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2009-03-19 18:38:07
Description : HUAWEI, Quidway Series, Tunnel1/0/0 Interface
Route Port, The Maximum Transmit Unit is 1500 bytes
Internet Address is 40.1.1.1/24
Encapsulation is TUNNEL, loopback not set
Tunnel source 20.1.1.1 (Loopback1), destination 30.1.1.2
Tunnel protocol/transport GRE/IP, key disabled
keepalive disabled
Checksumming of packets disabled
QoS max-bandwidth : 64 Kbps
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
300 seconds input rate 31776024 bytes/sec, 31776152 packets/sec
300 seconds output rate 31776024 bytes/sec, 31776152 packets/sec
511 packets input, 46339 bytes
0 input error
508 packets output, 46015 bytes
0 output error
300 seconds input rate 0 bits/sec, 0 packets/sec
300 seconds output rate 0 bits/sec, 0 packets/sec
4 seconds input rate 176 bits/sec, 0 packets/sec
4 seconds output rate 0 bits/sec, 0 packets/sec
157 packets input, 14716 bytes
0 input error
45 packets output, 4860 bytes
0 output error
Input:
Unicast: 0 packets, Multicast: 0 packets
Output:
Unicast: 45 packets, Multicast: 0 packets
Input bandwidth utilization : --
Output bandwidth utilization : --

Run the display ip routing-table command. If the route passing through the tunnel interface
exists in the routing table, the configuration succeeds. For example:
<Quidway> display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 12 Routes : 12

Destination/Mask Proto Pre Cost Flags NextHop Interface

6.6.6.6/32 OSPF 10 2 D 10.1.1.1 Vlanif15
9.9.9.9/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif15
10.1.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.1.1.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.2.1.0/24 Static 60 0 D 40.1.1.1 Tunnel1/0/1
40.1.1.0/24 Direct 0 0 D 40.1.1.1 Tunnel1/0/1
40.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Run the ping -a source-ip-address dest-ip-address command, and you can find that the ping
from the local tunnel interface to the destination tunnel succeeds.

2.4 Configuring a GRE Tunnel Between CE and PE


Configuring a GRE tunnel between a CE and a PE enables the CE to access the public network
through the GRE tunnel.

2.4.1 Establishing the Configuration Task


Before configuring a GRE tunnel between a CE and a PE, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.


Applicable Environment
To allow users of a CE that is not directly connected to a PE to access the Multi-Protocol
Label Switching (MPLS) VPN, configure a GRE tunnel between the CE and the PE, create routes
between them, and configure MPLS VPN on the PE.

Pre-configuration Tasks
Before configuring a GRE tunnel between a CE and a PE, complete the following tasks:

• Assigning IP addresses for interfaces on the CE and PE
• Configuring the routes between the CE and PE

Data Preparation
To configure a GRE tunnel between a CE and a PE, you need the following data.

No. Data

1 Number of the GRE tunnel interface specified on the CE

2 Source address or source interface and destination address of the GRE tunnel interface
specified on the CE

3 Number of the GRE tunnel interface specified on the PE

4 Source address or source interface and destination address of the GRE tunnel interface
specified on the PE

2.4.2 Configuring the GRE Tunnel Interface on CE


After creating a tunnel interface on a CE, you need to specify GRE as the encapsulation type,
set the source address or source interface of the tunnel interface, and set the destination address
of the tunnel interface. The source address of the tunnel specified on the CE is the destination
address of the tunnel specified on the PE. The destination address of the tunnel specified on the
CE is the source address of the tunnel specified on the PE.

Context
Do as follows on the CE.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface tunnel interface-number

The tunnel interface is created and the tunnel interface view is displayed.


Step 3 Run:
tunnel-protocol gre

The tunnel is encapsulated as a GRE tunnel.


Step 4 Run:
source { source-ip-address | interface-type interface-number }

The source address or source interface of the tunnel interface is configured.

NOTE

The virtual IP address of the VRRP backup group can be configured as the source address of the GRE
tunnel.

Step 5 Run:
destination ip-address

The destination address of the tunnel interface is configured.


Step 6 (Optional) Run:
mtu mtu

The MTU of the interface can be modified. The new MTU takes effect only after you run the
shutdown and the undo shutdown commands in succession on the interface.
Step 7 Choose one of the following commands to configure the IP address of the tunnel interface.
• Run the ip address ip-address { mask | mask-length } [ sub ] command to configure the IP
address of the tunnel interface.
• Run the ip address unnumbered interface interface-type interface-number command to
configure IP unnumbered for the tunnel interface.

----End

2.4.3 Configuring the GRE Tunnel Interface on PE


After creating a tunnel interface on a PE, you need to specify GRE as the encapsulation type,
set the source address or source interface of the tunnel interface, and set the destination address
of the tunnel interface. The source address of the tunnel specified on the PE is the destination
address of the tunnel specified on the CE. The destination address of the tunnel specified on the
PE is the source address of the tunnel specified on the CE.

Context
Do as follows on the PE:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface tunnel interface-number

A tunnel interface is created and the tunnel interface view is displayed.


Step 3 Run:
tunnel-protocol gre

The tunnel is encapsulated as a GRE tunnel.


Step 4 Run:
source { source-ip-address | interface-type interface-number }

The source address or source interface of the tunnel interface is configured.

NOTE

The virtual IP address of the VRRP backup group can be configured as the source address of the GRE
tunnel.

The source interface of the tunnel cannot be the tunnel interface itself, but it can be the
interface of another tunnel.
The source address of the tunnel specified on the PE is identical to the destination address of
the tunnel specified on the CE. The destination address of the tunnel specified on the PE is
identical to the source address of the tunnel specified on the CE.
Step 5 Run:
destination [ vpn-instance vpn-instance-name ] ip-address

The destination address of the tunnel interface is configured.


If the tunnel passes through another VPN, the parameter vpn-instance vpn-instance-name needs
to be specified. If the tunnel passes through the public network, the parameter is not required.
Step 6 (Optional) Run:
mtu mtu

The MTU of the interface is modified. The new MTU takes effect only after you run the
shutdown and the undo shutdown commands in succession on the interface.
Step 7 Choose one of the following commands to configure the IP address of the tunnel interface.
• Run the ip address ip-address { mask | mask-length } [ sub ] command to configure the IP
address of the tunnel interface.
• Run the ip address unnumbered interface interface-type interface-number command to
configure IP unnumbered for the tunnel interface.

----End

2.4.4 Binding the GRE Tunnel with the VPN to Which CE Belongs on PE

Bind the tunnel interface on the PE that connects the CE to a VPN instance. Then, the tunnel
interface becomes a VPN interface. The packets sent from the VPN interface are forwarded
based on forwarding information in the VPN instance.

Context
Do as follows on the PE.

Procedure
Step 1 Run:
system-view


The system view is displayed.


Step 2 Run:
interface tunnel interface-number

The tunnel interface is created and the tunnel interface view is displayed.
Step 3 Run:
ip binding vpn-instance vpn-instance-name

The GRE tunnel is bound to the VPN instance.

NOTE

Running the ip binding vpn-instance command on a tunnel interface can delete its Layer 3 attributes,
such as the IP address and routing protocol. If these Layer 3 attributes are still required, you need to
configure them again.

Step 4 Choose one of the following commands to configure the IP address of the tunnel interface.
• Run the ip address ip-address { mask | mask-length } [ sub ] command to assign an IP address
to the tunnel interface.
• Run the ip address unnumbered interface interface-type interface-number command to
configure IP unnumbered for the tunnel interface.

----End
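
The mirror rule from sections 2.4.2 and 2.4.3 (each end's source is the other end's destination) and the NOTE in 2.4.4 (binding a VPN instance can clear the IP address) can be verified offline from the saved configurations of both ends. The following Python check is an added example, not Huawei code; the function names, the VPN instance name vpna and both sample configurations are constructed, and the parser assumes '#'-separated sections as in this guide's configuration files.

```python
import ipaddress
import re

def norm(name):
    """'Tunnel 1/0/1' and 'tunnel1/0/1' name the same interface."""
    return re.sub(r"\s+", "", name).lower()

def parse_interfaces(config_text):
    """Map normalized interface name -> command lines of its section."""
    sections, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line in ("#", "return"):          # '#' closes a section
            current = None
        elif line.lower().startswith("interface "):
            current = sections.setdefault(norm(line.split(None, 1)[1]), [])
        elif line and current is not None:
            current.append(line)
    return sections

def interface_ip(sections, name):
    """Address from 'ip address A.B.C.D mask' on the named interface, else None."""
    for cmd in sections.get(norm(name), []):
        w = cmd.split()
        if w[:2] == ["ip", "address"] and len(w) > 2 and w[2] != "unnumbered":
            return w[2]
    return None

def tunnel_endpoints(config_text, tunnel):
    """Collect the GRE-relevant settings of one tunnel interface."""
    sections = parse_interfaces(config_text)
    t = {"protocol": None, "source": None, "destination": None,
         "vpn": None, "has_ip": False}
    for cmd in sections.get(norm(tunnel), []):
        w = cmd.split()
        if w[0] == "tunnel-protocol" and len(w) > 1:
            t["protocol"] = w[1]
        elif w[0] == "source" and len(w) > 1:
            src = "".join(w[1:])
            try:
                t["source"] = str(ipaddress.ip_address(src))
            except ValueError:               # source given as an interface name
                t["source"] = interface_ip(sections, src)
        elif w[0] == "destination" and len(w) > 1:
            t["destination"] = w[-1]         # last word, after any 'vpn-instance name'
        elif w[:3] == ["ip", "binding", "vpn-instance"] and len(w) > 3:
            t["vpn"] = w[3]
        elif w[:2] == ["ip", "address"]:
            t["has_ip"] = True
    return t

def check_pair(ce_cfg, ce_tunnel, pe_cfg, pe_tunnel):
    """Return a list of findings; an empty list means both ends are consistent."""
    ce, pe = tunnel_endpoints(ce_cfg, ce_tunnel), tunnel_endpoints(pe_cfg, pe_tunnel)
    findings = []
    for side, t in (("CE", ce), ("PE", pe)):
        if t["protocol"] != "gre":
            findings.append(f"{side}: tunnel-protocol gre is not set")
        if t["source"] is None or t["destination"] is None:
            findings.append(f"{side}: source or destination is missing or unresolved")
        if t["vpn"] and not t["has_ip"]:
            findings.append(f"{side}: bound to vpn-instance {t['vpn']} but no IP address is configured")
    pairs = ((ce["source"], "CE source", pe["destination"], "PE destination"),
             (ce["destination"], "CE destination", pe["source"], "PE source"))
    for a, a_name, b, b_name in pairs:
        if a and b and a != b:
            findings.append(f"{a_name} {a} != {b_name} {b}")
    return findings

# Constructed sample configurations (addresses follow this guide's examples).
CE_CFG = """\
interface Vlanif10
 ip address 20.1.1.1 255.255.255.0
#
interface Tunnel1/0/1
 ip address 40.1.1.1 255.255.255.0
 tunnel-protocol gre
 source Vlanif10
 destination 30.1.1.2
#
"""
PE_CFG_GOOD = """\
interface Vlanif20
 ip address 30.1.1.2 255.255.255.0
#
interface Tunnel1/0/1
 ip binding vpn-instance vpna
 ip address 40.1.1.2 255.255.255.0
 tunnel-protocol gre
 source 30.1.1.2
 destination 20.1.1.1
#
"""
# Broken variant: address not reconfigured after the binding, destination mistyped.
PE_CFG_BAD = (PE_CFG_GOOD.replace(" ip address 40.1.1.2 255.255.255.0\n", "")
              .replace("destination 20.1.1.1", "destination 20.1.1.2"))
```
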

2.4.5 Checking the Configuration


After a GRE tunnel is set up between a CE and a PE, you can view routes to a specified VPN.

Prerequisite
The GRE tunnel between the CE and the PE is fully configured.

Procedure
• Run the display interface tunnel [ interface-number ] command to check the working
mode of the tunnel interface.
• Run the display ip routing-table vpn-instance vpn-instance-name command to check the
VPN routing table on the PE.
• Run the display ip routing-table command to check the routing table on the CE.
• Run the ping -a source-ip-address host command to check whether two ends of the tunnel
can ping each other successfully.
----End

Example
Run the display interface tunnel command on both ends of the tunnel. If the tunnel interface is
Up, the configuration succeeds. The display on the PE is used as an example:
<Quidway> display interface Tunnel 1/0/0
Tunnel1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2009-04-19 18:38:07
Description : HUAWEI, Quidway Series, Tunnel1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 40.1.1.1/24
Encapsulation is TUNNEL, loopback not set
Tunnel source 20.1.1.1 (loopback1), destination 30.1.1.2
Tunnel protocol/transport GRE/IP, key disabled
keepalive disabled
Checksumming of packets disabled
QoS max-bandwidth : 64 Kbps
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
300 seconds input rate 31776024 bytes/sec, 31776152 packets/sec
300 seconds output rate 31776024 bytes/sec, 31776152 packets/sec
511 packets input, 46339 bytes
0 input error
508 packets output, 46015 bytes
0 output error
300 seconds input rate 0 bits/sec, 0 packets/sec
300 seconds output rate 0 bits/sec, 0 packets/sec
0 seconds input rate 0 bits/sec, 0 packets/sec
0 seconds output rate 0 bits/sec, 0 packets/sec
260 packets input, 24180 bytes
0 input error
65 packets output, 7020 bytes
0 output error
Input:
Unicast: 0 packets, Multicast: 0 packets
Output:
Unicast: 65 packets, Multicast: 0 packets
Input bandwidth utilization : --
Output bandwidth utilization : --

2.5 Configuring the Keepalive Function


Before configuring a tunnel policy and a GRE tunnel for the VPN, enable the Keepalive function
of the GRE tunnel. In this manner, the VPN does not select the GRE tunnel that cannot reach
the remote end, and data loss can be avoided.

2.5.1 Establishing the Configuration Task


Before configuring the Keepalive function of a GRE tunnel, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the required data. This
can help you complete the configuration task quickly and accurately.

Application Environment
The Keepalive function can be configured on one end of a GRE tunnel to test the status of the
GRE tunnel. If the remote end is found unreachable, the tunnel is disconnected promptly to avoid
a data black hole.

Figure 2-5 GRE tunnel supporting Keepalive

[Figure: Switch A (source) and Switch B (destination) are connected across the Internet by a GRE tunnel.]


Pre-configuration Tasks
Before configuring the Keepalive function, complete the following tasks:
• Configuring the link layer attributes of the interfaces
• Assigning IP addresses to the interfaces
• Establishing the GRE tunnel and keeping the tunnel Up

Data Preparation
To configure the Keepalive function, you need the following data.

No. Data

1 Interval for sending Keepalive messages

2 Retry times of the unreachable timer

2.5.2 Enabling the Keepalive Function


The Keepalive function of a GRE tunnel is unidirectional. To implement the Keepalive function
on both ends, you must enable the Keepalive function on both ends of a GRE tunnel.

Context
Do as follows on the switch that requires the Keepalive function.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface tunnel interface-number

The tunnel interface view is displayed.


Step 3 Run:
tunnel-protocol gre

The tunnel is encapsulated with GRE.


Step 4 Run:
keepalive [ period period [ retry-times retry-times ] ]

The Keepalive function is enabled.


The Keepalive function of a GRE tunnel is unidirectional. Therefore, to realize the Keepalive
function on both ends, you must enable the Keepalive function on both ends of a GRE tunnel.
One end can be configured with the Keepalive function regardless of whether the remote end is
enabled with the Keepalive function or not. But it is still recommended to enable the Keepalive
function on both ends of the GRE tunnel.


TIP

Before configuring the tunnel policy and the GRE tunnel for the VPN, enable the Keepalive function for
the GRE tunnel. In this manner, the VPN does not select the GRE tunnel that cannot reach the remote end,
and data loss can be avoided. The reasons for enabling the Keepalive function are as follows:
• If the Keepalive function is not enabled, the local tunnel interface may always be Up regardless of
whether data reaches the remote end.
• If the Keepalive function is enabled on the local end, the local tunnel interface is set Down when the
remote end is unreachable. As a result, the VPN does not select the unreachable GRE tunnel and the
data is not lost.

----End

2.5.3 Checking the Configuration


After a GRE tunnel is enabled with the Keepalive function, you can view the Keepalive packets
and Keepalive Response packets sent and received by the GRE tunnel interfaces.

Prerequisite
The Keepalive function is enabled on the GRE tunnel.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface tunnel interface-number

The tunnel interface view is displayed.

Step 3 Run:
display keepalive packets count

Check the Keepalive packets and Keepalive Response packets sent and received by the GRE
tunnel interface.

----End

Example
On the tunnel interface that is enabled with the Keepalive function, run the display keepalive
packets count command, and you can ascertain the number of sent Keepalive packets and
received Keepalive Response packets on both the local end and the remote end. If the Keepalive
function is successfully configured on the local tunnel interface, the number of sent Keepalive
packets or received Keepalive Response packets on the local end is not 0.
[Quidway] interface tunnel 1/0/0
[Quidway-Tunnel1/0/0] tunnel-protocol gre
[Quidway-Tunnel1/0/0] keepalive
[Quidway-Tunnel1/0/0] display keepalive packets count
Send 34 keepalive packets to peers, Receive 34 keepalive response packets from peers
Receive 0 keepalive packets from peers, Send 0 keepalive response packets to peers
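
Because the Keepalive function is unidirectional, the two counter lines answer different questions: the first shows whether the local probes are answered, the second whether the remote end is probing at all. The following Python sketch is an added example, not part of the Huawei guide; it compares two successive readings of display keepalive packets count. The function names, finding labels and the later samples are constructed, and treating retry_times unanswered probes as "peer not answering" is an assumption of this example.

```python
import re

LOCAL_RE = re.compile(r"Send (\d+) keepalive packets to peers,\s*"
                      r"Receive (\d+) keepalive response packets from peers")
PEER_RE = re.compile(r"Receive (\d+) keepalive packets from peers,\s*"
                     r"Send (\d+) keepalive response packets to peers")

# The first reading is the output shown in this section; the later ones are constructed.
SAMPLE_T0 = """\
Send 34 keepalive packets to peers, Receive 34 keepalive response packets from peers
Receive 0 keepalive packets from peers, Send 0 keepalive response packets to peers
"""
# 12 more probes sent, none answered, remote end still not probing.
SAMPLE_T1_LOSS = SAMPLE_T0.replace("Send 34", "Send 46")
# Probes answered and the remote end has Keepalive enabled as well.
SAMPLE_T1_BOTH = """\
Send 46 keepalive packets to peers, Receive 46 keepalive response packets from peers
Receive 12 keepalive packets from peers, Send 12 keepalive response packets to peers
"""


def parse_counters(output):
    """Extract the four counters from 'display keepalive packets count' output."""
    local, peer = LOCAL_RE.search(output), PEER_RE.search(output)
    if not (local and peer):
        raise ValueError("not 'display keepalive packets count' output")
    return {"sent": int(local.group(1)), "responses": int(local.group(2)),
            "peer_keepalives": int(peer.group(1)), "responses_sent": int(peer.group(2))}


def assess(prev, curr, retry_times):
    """Compare two readings taken some Keepalive periods apart."""
    if curr["sent"] < prev["sent"] or curr["responses"] < prev["responses"]:
        # For example, reset keepalive packets count was run between the readings.
        return ["COUNTERS_RESET"]
    findings = []
    d_sent = curr["sent"] - prev["sent"]
    d_resp = curr["responses"] - prev["responses"]
    if d_sent == 0:
        findings.append("LOCAL_KEEPALIVE_NOT_SENDING")
    elif d_sent - d_resp >= retry_times:
        findings.append("PEER_NOT_ANSWERING")
    if curr["peer_keepalives"] == prev["peer_keepalives"]:
        # The remote end is not probing, so it cannot detect a failure itself.
        findings.append("PEER_KEEPALIVE_NOT_SEEN")
    return findings


if __name__ == "__main__":
    t0 = parse_counters(SAMPLE_T0)
    print(assess(t0, parse_counters(SAMPLE_T1_LOSS), retry_times=3))
    print(assess(t0, parse_counters(SAMPLE_T1_BOTH), retry_times=3))
```
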


2.6 Maintaining GRE


This section describes how to reset the statistics of a tunnel interface and monitor the running status
of GRE.

2.6.1 Resetting the Statistics of a Tunnel Interface


When you need to reset the statistics of a tunnel interface, you can run the reset commands to
clear the Keepalive packets and Keepalive Response packets sent and received by a GRE tunnel
interface.

Procedure
• Run the reset counters interface tunnel [ interface-number ] command in the user view
to reset the statistics on the tunnel interface.
• Reset the statistics on Keepalive packets on the tunnel interface.
1. Run:
system-view

The system view is displayed.


2. Run:
interface tunnel interface-number

The tunnel interface view is displayed.


3. Run:
reset keepalive packets count

Reset the statistics on Keepalive packets on the tunnel interface.

NOTE

You can run the reset keepalive packets count command only in the tunnel interface view,
and the tunnel protocol of the interface must be GRE.

----End

2.6.2 Monitoring the Running Status of GRE


In routine maintenance, you can run the GRE related display commands to view the running
status of GRE.

Context
In routine maintenance, you can run the following commands to view the running status of GRE:

Procedure
• Run the display interface tunnel [ interface-number ] command to check the running status
of the tunnel interface.
• Run the display ip routing-table vpn-instance vpn-instance-name command to check the
VPN routing table on the PE.
• Run the display ip routing-table command to check the routing table on the CE.
• Run the ping [ -a source-ip-address | -vpn-instance vpn-instance-name ] * host command
to check whether two ends of the tunnel can communicate with each other.

----End

2.6.3 Debugging GRE


When a GRE fault occurs, you can run the L2TP related debugging commands to debug GRE
and locate the fault.

Context
NOTE

The debugging process affects the system performance. Therefore, after finishing the debugging process,
you need to run the undo debugging all command immediately to disable the debugging.

When GRE goes abnormal, run the debugging commands in the user view to view debugging
information, locate the fault, and analyze the cause.

For details of the debugging operation, refer to the chapter Information Center Configuration in
Quidway S7700 Smart Routing Switch Configuration Guide-System Management. For details
of debugging commands, refer to Quidway S7700 Smart Routing Switch Debugging
Reference.

Procedure
• Run the debugging tunnel keepalive command in the user view to debug the Keepalive
function of the GRE tunnel.

----End

2.7 Configuration Examples


Familiarize yourself with the configuration procedures by following the networking diagrams. This
chapter provides networking requirements, configuration notes, and a configuration roadmap in
each configuration example.

2.7.1 Example for Configuring Static Routes on the GRE Tunnel

Networking Requirements
As shown in Figure 2-6, Switch A, Switch B, and Switch C are on the VPN backbone network.
OSPF runs among the Switches.

GRE is used between Switch A and Switch C to implement the interworking between PC1 and
PC2.

PC1 and PC2 use Switch A and Switch C as their default gateways.


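Figure 2-6 Networking diagram for configuring static routes

[Figure: Switch A and Switch C each connect through GE1/0/0 to Switch B (GE1/0/0 and GE2/0/0). A GRE tunnel runs between Tunnel1/0/1 on Switch A (40.1.1.1/24) and Tunnel1/0/1 on Switch C (40.1.1.2/24). PC1 (10.1.1.1/24) connects to GE2/0/0 on Switch A, and PC2 (10.2.1.1/24) connects to GE2/0/0 on Switch C.]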

Device    Interface             VLANIF interface  IP address
Switch A  GigabitEthernet1/0/0  VLANIF 10         20.1.1.1/24
          GigabitEthernet2/0/0  VLANIF 30         10.1.1.2/24
Switch B  GigabitEthernet1/0/0  VLANIF 10         20.1.1.2/24
          GigabitEthernet2/0/0  VLANIF 20         30.1.1.1/24
Switch C  GigabitEthernet1/0/0  VLANIF 20         30.1.1.2/24
          GigabitEthernet2/0/0  VLANIF 40         10.2.1.2/24

Configuration Roadmap
The configuration roadmap is as follows:

1. Run the dynamic routing protocol on the Switches to implement interconnection.


2. Create tunnel interfaces on Switch A and Switch C and specify the source and destination
addresses of the tunnel. The source address is the IP address of the interface sending packets,
and the destination address is the IP address of the interface receiving packets.
3. Configure the IP address of the tunnel so that the tunnel supports the dynamic routing
protocol.
4. Configure the static route between Switch A and its connected PCs, and between Switch
C and its connected PCs, so that the traffic between PC1 and PC2 is transmitted through the
GRE tunnel.
5. Configure the egress of the static route as the local tunnel interface.

Data Preparation
To complete the configuration, you need the following data:

• IDs of the VLANs that the interfaces belong to, as shown in Figure 2-6
• IP address of VLANIF interfaces, as shown in Figure 2-6
• Process ID and area ID of OSPF
• Source address and destination address of the GRE tunnel, and IP addresses of tunnel
interfaces

Procedure
Step 1 Assign the IP address to each interface.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] vlan 30
[SwitchA-vlan30] quit
[SwitchA] interface gigabitethernet 1/0/0
[SwitchA-GigabitEthernet1/0/0] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet1/0/0] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet1/0/0] quit
[SwitchA] interface gigabitethernet 2/0/0
[SwitchA-GigabitEthernet2/0/0] port hybrid pvid vlan 30
[SwitchA-GigabitEthernet2/0/0] port hybrid untagged vlan 30
[SwitchA-GigabitEthernet2/0/0] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 20.1.1.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 30
[SwitchA-Vlanif30] ip address 10.1.1.2 24
[SwitchA-Vlanif30] quit

The configurations of Switch B and Switch C are similar to the configuration of Switch A, and
are not mentioned here.
Step 2 Configure IGP on the VPN backbone network.
# Configure Switch A.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit

The configurations of Switch B and Switch C are similar to the configuration of Switch A, and
are not mentioned here.
# Run the display ip routing-table command on Switch A and Switch C. You can find that they
learn the OSPF routes destined for the network segment of the peer.
# Take Switch A for example. The information is displayed as follows:
[SwitchA] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 12 Routes : 12
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif30
10.1.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.1.1.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
20.1.1.0/24 Direct 0 0 D 20.1.1.1 Vlanif10
20.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
20.1.1.2/32 Direct 0 0 D 20.1.1.2 Vlanif10
20.1.1.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
30.1.1.0/24 OSPF 10 2 D 20.1.1.2 Vlanif10
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Step 3 Configure the tunnel interface.


# Configure Switch A.
[SwitchA] interface tunnel 1/0/1
[SwitchA-Tunnel1/0/1] tunnel-protocol gre
[SwitchA-Tunnel1/0/1] ip address 40.1.1.1 255.255.255.0
[SwitchA-Tunnel1/0/1] source 20.1.1.1
[SwitchA-Tunnel1/0/1] destination 30.1.1.2
[SwitchA-Tunnel1/0/1] quit

# Configure Switch C.
[SwitchC] interface tunnel 1/0/1
[SwitchC-Tunnel1/0/1] tunnel-protocol gre
[SwitchC-Tunnel1/0/1] ip address 40.1.1.2 255.255.255.0
[SwitchC-Tunnel1/0/1] source 30.1.1.2
[SwitchC-Tunnel1/0/1] destination 20.1.1.1
[SwitchC-Tunnel1/0/1] quit

# After the configuration, the status of tunnel interfaces is Up, and the tunnel interfaces can ping
each other.
# Take Switch A for example. The information is displayed as follows:
[SwitchA] ping -a 40.1.1.1 40.1.1.2
PING 40.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 40.1.1.2: bytes=56 Sequence=1 ttl=255 time=24 ms
Reply from 40.1.1.2: bytes=56 Sequence=2 ttl=255 time=33 ms
Reply from 40.1.1.2: bytes=56 Sequence=3 ttl=255 time=48 ms
Reply from 40.1.1.2: bytes=56 Sequence=4 ttl=255 time=33 ms
Reply from 40.1.1.2: bytes=56 Sequence=5 ttl=255 time=36 ms
--- 40.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 24/34/48 ms

Step 4 Configure static routes.


# Configure Switch A.
[SwitchA] ip route-static 10.2.1.0 255.255.255.0 tunnel 1/0/1

# Configure Switch C.
[SwitchC] ip route-static 10.1.1.0 255.255.255.0 tunnel 1/0/1

# Run the display ip routing-table command on Switch A and Switch C. You can see the static
route from the tunnel interface to the user-side network segment of the peer.
# Take Switch A for example. The information is displayed as follows:
[SwitchA] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 16 Routes : 16
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif30
10.1.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.1.1.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.2.1.0/24 Static 60 0 D 40.1.1.1 Tunnel1/0/1
20.1.1.0/24 Direct 0 0 D 20.1.1.1 Vlanif10
20.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
20.1.1.2/32 Direct 0 0 D 20.1.1.2 Vlanif10
20.1.1.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
30.1.1.0/24 OSPF 10 2 D 20.1.1.2 Vlanif10
40.1.1.0/24 Direct 0 0 D 40.1.1.1 Tunnel1/0/1
40.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
40.1.1.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

PC1 and PC2 can ping each other.

----End

Configuration Files
• Configuration file of Switch A
#
sysname SwitchA
#
vlan batch 10 30
#
interface Vlanif10
ip address 20.1.1.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface Tunnel1/0/1
ip address 40.1.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
#
ip route-static 10.2.1.0 255.255.255.0 Tunnel1/0/1
#
return

• Configuration file of Switch B
#
sysname SwitchB
#
vlan batch 10 20
#
interface Vlanif10
ip address 20.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 30.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return

• Configuration file of Switch C
#
sysname SwitchC
#
vlan batch 20 40
#
interface Vlanif20
ip address 30.1.1.2 255.255.255.0
#
interface Vlanif40
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
interface Tunnel1/0/1
ip address 40.1.1.2 255.255.255.0
tunnel-protocol gre
source 30.1.1.2
destination 20.1.1.1
#
ospf 1
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
ip route-static 10.1.1.0 255.255.255.0 Tunnel1/0/1
#
return

2.7.2 Example for Configuring the Dynamic Routing Protocol on the GRE Tunnel

Networking Requirements
As shown in Figure 2-7, OSPF runs between Switch A, Switch B, and Switch C.
GRE is used between Switch A and Switch C to implement the interworking between PC1 and
PC2. OSPF is enabled on the tunnel interfaces.
PC1 and PC2 use Switch A and Switch C as their default gateways.
OSPF process 1 is enabled between Switch A, Switch B, and Switch C; OSPF process 2 is
enabled between Switch A and PC1 and between Switch C and PC2.


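Figure 2-7 Networking diagram for configuring dynamic routing protocol

[Figure: OSPF 1 runs on the backbone: Switch A GE2/0/0 (VLANIF 20, 20.1.1.1/24) connects to Switch B GE1/0/0 (VLANIF 20, 20.1.1.2/24), and Switch B GE2/0/0 (VLANIF 30, 30.1.1.1/24) connects to Switch C GE1/0/0 (VLANIF 30, 30.1.1.2/24). A GRE tunnel runs between Tunnel1/0/1 on Switch A (40.1.1.1/24) and Tunnel1/0/1 on Switch C (40.1.1.2/24). OSPF 2 runs on the user side: PC1 (10.1.1.1/24) connects to Switch A GE1/0/0 (VLANIF 10, 10.1.1.2/24), and PC2 (10.2.1.1/24) connects to Switch C GE2/0/0 (VLANIF 40, 10.2.1.2/24).]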

Device    Interface             VLANIF interface  IP address
Switch A  GigabitEthernet1/0/0  VLANIF 10         10.1.1.2/24
Switch A  GigabitEthernet2/0/0  VLANIF 20         20.1.1.1/24
Switch B  GigabitEthernet1/0/0  VLANIF 20         20.1.1.2/24
Switch B  GigabitEthernet2/0/0  VLANIF 30         30.1.1.1/24
Switch C  GigabitEthernet1/0/0  VLANIF 30         30.1.1.2/24
Switch C  GigabitEthernet2/0/0  VLANIF 40         10.2.1.2/24

Configuration Roadmap
The configuration roadmap is as follows:

1. Run IGP on the Switches (OSPF process 1 is used here).


2. Create GRE tunnels between the Switches connected to PCs so that data between any two
PCs is transmitted through GRE tunnels.

Data Preparation
To complete the configuration, you need the following data:

• IDs of the VLANs that the interfaces belong to, as shown in Figure 2-7
• IP addresses of the VLANIF interfaces, as shown in Figure 2-7
• Source addresses and destination addresses on the two ends of the GRE tunnel
• IP addresses of the interfaces on the two ends of the GRE tunnel

Procedure
Step 1 Assign the IP address to each interface.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 1/0/0
[SwitchA-GigabitEthernet1/0/0] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet1/0/0] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet1/0/0] quit
[SwitchA] interface gigabitethernet 2/0/0
[SwitchA-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[SwitchA-GigabitEthernet2/0/0] port hybrid untagged vlan 20
[SwitchA-GigabitEthernet2/0/0] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.2 24
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] ip address 20.1.1.1 24
[SwitchA-Vlanif20] quit

The configurations of Switch B and Switch C are similar to the configuration of Switch A, and
are not mentioned here.
Step 2 Configure OSPF process 1 between SwitchA, SwitchB, and SwitchC.
# Configure SwitchA.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit

# Configure SwitchB.
[SwitchB] ospf 1
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit

# Configure SwitchC.
[SwitchC] ospf 1
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit

# Run the display ip routing-table command on Switch A and Switch C. You can find that they
learn the OSPF routes destined for the network segment of the peer.
Step 3 Configure the tunnel interface.
The configuration procedure is the same as that in 2.7.1 Example for Configuring Static Routes
on the GRE Tunnel.
Step 4 Configure the OSPF protocol on the tunnel interfaces.
# Configure Switch A.
[SwitchA] ospf 2
[SwitchA-ospf-2] area 0
[SwitchA-ospf-2-area-0.0.0.0] network 40.1.1.0 0.0.0.255
[SwitchA-ospf-2-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchA-ospf-2-area-0.0.0.0] quit
[SwitchA-ospf-2] quit

# Configure Switch C.
[SwitchC] ospf 2
[SwitchC-ospf-2] area 0
[SwitchC-ospf-2-area-0.0.0.0] network 40.1.1.0 0.0.0.255
[SwitchC-ospf-2-area-0.0.0.0] network 10.2.1.0 0.0.0.255
[SwitchC-ospf-2-area-0.0.0.0] quit
[SwitchC-ospf-2] quit

Step 5 Verify the configuration.


# Run the display ip routing-table command on Switch A and Switch C. You can see the OSPF
route from the tunnel interface to the user-side network segment of the peer. In addition, the next
hop on the route to the destination physical address (30.1.1.0/24) of the tunnel is not a tunnel
interface.
# Take Switch A for example. The information is displayed as follows:
[SwitchA] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 15 Routes : 15
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif30
10.1.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.1.1.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.2.1.0/24 OSPF 10 2 D 40.1.1.2 Tunnel1/0/1
20.1.1.0/24 Direct 0 0 D 20.1.1.1 Vlanif10
20.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
20.1.1.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
30.1.1.0/24 OSPF 10 2 D 20.1.1.2 Vlanif10
40.1.1.0/24 Direct 0 0 D 40.1.1.1 Tunnel1/0/1
40.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
40.1.1.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

# PC1 and PC2 can ping each other.

----End
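
The check in Step 5 can be automated. The following Python sketch is an added example, not part of the Huawei guide: it parses rows copied from the Switch A output above and confirms that the tunnel destination (30.1.1.2) is reached through a non-tunnel interface while the peer's user-side segment is reached through Tunnel1/0/1. The function names and the failure-case table are constructed for illustration.

```python
import ipaddress
import re

# Rows copied from the Switch A output above (host and loopback routes left out).
SWITCH_A_TABLE = """\
Destination/Mask    Proto   Pre  Cost  Flags NextHop      Interface
10.1.1.0/24         Direct  0    0     D     10.1.1.2     Vlanif30
10.2.1.0/24         OSPF    10   2     D     40.1.1.2     Tunnel1/0/1
20.1.1.0/24         Direct  0    0     D     20.1.1.1     Vlanif10
30.1.1.0/24         OSPF    10   2     D     20.1.1.2     Vlanif10
40.1.1.0/24         Direct  0    0     D     40.1.1.1     Tunnel1/0/1
"""

# Constructed failure case: the tunnel destination segment is learned over the
# tunnel itself, so encapsulated packets would be routed back into the tunnel.
RECURSIVE_TABLE = "\n".join(
    "30.1.1.0/24 OSPF 10 2 D 40.1.1.2 Tunnel1/0/1"
    if line.startswith("30.1.1.0/24") else line
    for line in SWITCH_A_TABLE.splitlines()
)

ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+/\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_routes(text):
    """Turn 'display ip routing-table' rows into dictionaries; skip other lines."""
    routes = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            dest, proto, pre, cost, _flags, nexthop, iface = match.groups()
            routes.append({
                "net": ipaddress.ip_network(dest),
                "proto": proto,
                "pre": int(pre),
                "cost": int(cost),
                "nexthop": nexthop,
                "iface": iface,
            })
    return routes


def lookup(routes, address):
    """Longest-prefix match, as the forwarding plane would select a route."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r["net"]]
    return max(matches, key=lambda r: r["net"].prefixlen) if matches else None


def check_gre_routing(routes, tunnel_if, tunnel_dst, remote_lan):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    underlay = lookup(routes, tunnel_dst)
    if underlay is None:
        findings.append(f"no route to tunnel destination {tunnel_dst}")
    elif underlay["iface"].lower().startswith("tunnel"):
        findings.append(
            f"tunnel destination {tunnel_dst} resolves through "
            f"{underlay['iface']} (recursive routing)"
        )
    wanted = ipaddress.ip_network(remote_lan)
    overlay = [r for r in routes if r["net"] == wanted]
    if not overlay:
        findings.append(f"no route to remote segment {remote_lan}")
    elif overlay[0]["iface"] != tunnel_if:
        findings.append(
            f"remote segment {remote_lan} uses {overlay[0]['iface']}, not {tunnel_if}"
        )
    return findings


if __name__ == "__main__":
    for name, table in (("page output", SWITCH_A_TABLE), ("constructed", RECURSIVE_TABLE)):
        result = check_gre_routing(parse_routes(table), "Tunnel1/0/1", "30.1.1.2", "10.2.1.0/24")
        print(name, "->", result or "OK")
```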

Configuration Files
• Configuration file of Switch A
#
sysname SwitchA
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface Tunnel1/0/1
ip address 40.1.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
#
ospf 2
area 0.0.0.0
network 40.1.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
return
• Configuration file of Switch B
#
sysname SwitchB
#
vlan batch 20 30
#
interface Vlanif20
ip address 20.1.1.2 255.255.255.0
#
interface Vlanif30
ip address 30.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
• Configuration file of Switch C
#
sysname SwitchC
#
vlan batch 30 40
#
interface Vlanif30
ip address 30.1.1.2 255.255.255.0
#
interface Vlanif40
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
interface Tunnel1/0/1
ip address 40.1.1.2 255.255.255.0
tunnel-protocol gre
source 30.1.1.2
destination 20.1.1.1
#
ospf 1
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
ospf 2
area 0.0.0.0
network 40.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
return

2.7.3 Example for Configuring the CE to Access a VPN Through a GRE Tunnel of the Public Network

Networking Requirements
As shown in Figure 2-8:

• PE1 and PE2 are located in the MPLS backbone network.
• CE1 is connected to PE1 through Switch A.
• CE2 is connected to PE2 directly.
• CE1 and CE2 belong to the same VPN.

CE1 and CE2 are required to interwork with each other.

Figure 2-8 Networking diagram in which CEs access a VPN through the GRE tunnel of the public network

Device    Interface             VLANIF interface  IP address
CE1       GigabitEthernet1/0/0  VLANIF 10         21.1.1.2/24
CE1       GigabitEthernet2/0/0  VLANIF 20         30.1.1.1/24
CE1       Tunnel2/0/0           -                 2.2.2.1/24
Switch A  GigabitEthernet1/0/0  VLANIF 20         30.1.1.2/24
Switch A  GigabitEthernet2/0/0  VLANIF 30         50.1.1.1/24
PE1       Loopback1             -                 1.1.1.9/32
PE1       GigabitEthernet1/0/0  VLANIF 30         50.1.1.2/24
PE1       GigabitEthernet2/0/0  VLANIF 40         110.1.1.1/24
PE1       Tunnel1/0/0           -                 2.2.2.2/24
PE2       Loopback1             -                 3.3.3.9/32
PE2       GigabitEthernet1/0/0  VLANIF 40         110.1.1.2/24
PE2       GigabitEthernet2/0/0  VLANIF 50         11.1.1.2/24
CE2       GigabitEthernet1/0/0  VLANIF 50         11.1.1.1/24
CE2       GigabitEthernet2/0/0  VLANIF 60         41.1.1.2/24

Configuration Roadmap
PE1 and CE1 are indirectly connected, so the VPN instance on PE1 cannot be bound to the
physical interface on PE1. In this situation, a GRE tunnel is required between CE1 and PE1.
The VPN instance vpn1 on PE1 can then be bound to the GRE tunnel interface, and CE1 can
access the VPN through the GRE tunnel.

The configuration roadmap is as follows:

1. Configure OSPF 10 on PE1 and PE2 to implement the interworking between the two
devices, and then enable MPLS.
2. Configure OSPF 20 on CE1, Switch A, and PE1 to implement the interworking between
the three devices.
3. Establish a GRE tunnel between CE1 and PE1.
4. Create VPN instances vpn1 on PE1 and PE2. Then bind the VPN instance on PE1 to the
GRE tunnel interface, and bind the VPN instance on PE2 to the connected physical interface
of CE2.
5. Configure IS-IS routes between CE1 and PE1, and between CE2 and PE2 to implement
the interworking between the CEs and PEs.
6. Configure BGP on PEs to implement the interworking between CE1 and CE2.

Data Preparation
To complete the configuration, you need the following data:

• IP addresses of the interfaces, process ID of the routing protocol, and AS number
• Source address and destination address of the GRE tunnel
• VPN instance names, RDs, and VPN targets on PEs

Procedure
Step 1 Configure the IP address for each VLANIF interface and the routing protocol for the MPLS
backbone network.
Configure OSPF 10 on PE1 and PE2, and then configure MPLS and LDP. The detailed
configurations are not mentioned here.
Step 2 Configure a routing protocol between CE1, Switch A, and PE1.
Configure OSPF 20 on CE1, Switch A, and PE1. The detailed configurations are not mentioned
here.
Step 3 Establish a GRE tunnel between CE1 and PE1.
# Configure CE1.
[CE1] interface tunnel 2/0/0
[CE1-Tunnel2/0/0] ip address 2.2.2.1 255.255.255.0
[CE1-Tunnel2/0/0] tunnel-protocol gre
[CE1-Tunnel2/0/0] source 30.1.1.1
[CE1-Tunnel2/0/0] destination 50.1.1.2
[CE1-Tunnel2/0/0] quit

# Configure PE1.
[PE1] interface tunnel 1/0/0
[PE1-Tunnel1/0/0] ip address 2.2.2.2 255.255.255.0
[PE1-Tunnel1/0/0] tunnel-protocol gre
[PE1-Tunnel1/0/0] source 50.1.1.2
[PE1-Tunnel1/0/0] destination 30.1.1.1
[PE1-Tunnel1/0/0] quit

# After the configuration, a GRE tunnel is established between CE1 and PE1.
Step 4 Create a VPN instance named vpn1 on PE1 and bind the VPN instance to the GRE tunnel.
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] route-distinguisher 100:1
[PE1-vpn-instance-vpn1] vpn-target 111:1 export-extcommunity
[PE1-vpn-instance-vpn1] vpn-target 111:1 import-extcommunity
[PE1-vpn-instance-vpn1] quit
[PE1] interface tunnel 1/0/0
[PE1-Tunnel1/0/0] ip binding vpn-instance vpn1
[PE1-Tunnel1/0/0] ip address 2.2.2.2 255.255.255.0
[PE1-Tunnel1/0/0] quit

Step 5 Create a VPN instance named vpn1 on PE2 and bind the VPN instance to the VLANIF interface.
[PE2] ip vpn-instance vpn1
[PE2-vpn-instance-vpn1] route-distinguisher 200:1
[PE2-vpn-instance-vpn1] vpn-target 111:1 export-extcommunity
[PE2-vpn-instance-vpn1] vpn-target 111:1 import-extcommunity
[PE2-vpn-instance-vpn1] quit
[PE2] interface vlanif 50
[PE2-Vlanif50] ip binding vpn-instance vpn1
[PE2-Vlanif50] ip address 11.1.1.2 255.255.255.0
[PE2-Vlanif50] quit

Step 6 Configure the IS-IS route between CE1 and PE1.


# Configure CE1.
[CE1] isis 50
[CE1-isis-50] network-entity 50.0000.0000.0001.00
[CE1-isis-50] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] isis enable 50
[CE1-Vlanif10] quit
[CE1] interface tunnel 2/0/0
[CE1-Tunnel2/0/0] isis enable 50
[CE1-Tunnel2/0/0] quit

# Configure PE1.
[PE1] isis 50 vpn-instance vpn1
[PE1-isis-50] network-entity 50.0000.0000.0002.00
[PE1-isis-50] quit
[PE1] interface tunnel 1/0/0
[PE1-Tunnel1/0/0] isis enable 50
[PE1-Tunnel1/0/0] quit

Step 7 Configure the IS-IS route between CE2 and PE2.


# Configure CE2.
[CE2] isis 50
[CE2-isis-50] network-entity 50.0000.0000.0004.00
[CE2-isis-50] quit
[CE2] interface vlanif 50
[CE2-Vlanif50] isis enable 50
[CE2-Vlanif50] quit
[CE2] interface vlanif 60
[CE2-Vlanif60] isis enable 50
[CE2-Vlanif60] quit

# Configure PE2.
[PE2] isis 50 vpn-instance vpn1
[PE2-isis-50] network-entity 50.0000.0000.0003.00
[PE2-isis-50] quit
[PE2] interface vlanif 50
[PE2-Vlanif50] isis enable 50
[PE2-Vlanif50] quit

Step 8 Set up the MP-BGP peer relationship between PE1 and PE2.
# On PE1, specify PE2 as an IBGP peer, set up the IBGP connection by using the loopback
interface, and enable the capability of exchanging VPN IPv4 routing information between PE1
and PE2.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit

# Enter the view of the BGP VPN instance vpn1 and import the direct routes and IS-IS routes.
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] import-route isis 50

# On PE2, specify PE1 as an IBGP peer, set up the IBGP connection by using the loopback
interface, and enable the capability of exchanging VPN IPv4 routing information between PE2
and PE1.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit

# Enter the view of the BGP VPN instance vpn1 and import the direct routes and IS-IS routes.
[PE2-bgp] ipv4-family vpn-instance vpn1
[PE2-bgp-vpn1] import-route direct
[PE2-bgp-vpn1] import-route isis 50

Step 9 Import BGP routes into IS-IS.


# Configure PE1.
[PE1] isis 50
[PE1-isis-50] import-route bgp

# Configure PE2.
[PE2] isis 50
[PE2-isis-50] import-route bgp

Step 10 Verify the configuration.


# After the configuration, CE1 and CE2 can successfully ping each other.
<CE1> ping 41.1.1.2
PING 41.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 41.1.1.2: bytes=56 Sequence=1 ttl=253 time=190 ms
Reply from 41.1.1.2: bytes=56 Sequence=2 ttl=253 time=110 ms
Reply from 41.1.1.2: bytes=56 Sequence=3 ttl=253 time=110 ms
Reply from 41.1.1.2: bytes=56 Sequence=4 ttl=253 time=110 ms
Reply from 41.1.1.2: bytes=56 Sequence=5 ttl=253 time=100 ms

--- 41.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 100/124/190 ms

<CE2> ping 21.1.1.2
PING 21.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 21.1.1.2: bytes=56 Sequence=1 ttl=253 time=120 ms
Reply from 21.1.1.2: bytes=56 Sequence=2 ttl=253 time=110 ms
Reply from 21.1.1.2: bytes=56 Sequence=3 ttl=253 time=120 ms
Reply from 21.1.1.2: bytes=56 Sequence=4 ttl=253 time=90 ms
Reply from 21.1.1.2: bytes=56 Sequence=5 ttl=253 time=60 ms

--- 21.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/100/120 ms

----End

Configuration Files
• Configuration file of CE1
#
sysname CE1
#
vlan batch 10 20
#
isis 50
network-entity 50.0000.0000.0001.00
#
interface Vlanif10
ip address 21.1.1.2 255.255.255.0
isis enable 50
#
interface Vlanif20
ip address 30.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface Tunnel2/0/0
ip address 2.2.2.1 255.255.255.0
tunnel-protocol gre
source 30.1.1.1
destination 50.1.1.2
isis enable 50
#
ospf 20
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
return
• Configuration file of Switch A
#
sysname SwitchA
#
vlan batch 20 30
#
interface Vlanif20
ip address 30.1.1.2 255.255.255.0
#
interface Vlanif30
ip address 50.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
ospf 20
area 0.0.0.0
network 30.1.1.0 0.0.0.255
network 50.1.1.0 0.0.0.255
#
return
• Configuration file of PE1
#
sysname PE1
#
vlan batch 30 40
#
ip vpn-instance vpn1
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
lsp-trigger all
#
mpls ldp
#
isis 50 vpn-instance vpn1
network-entity 50.0000.0000.0002.00
import-route bgp
#
interface Vlanif30
ip binding vpn-instance vpn1
ip address 50.1.1.2 255.255.255.0
#
interface Vlanif40
ip address 110.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
interface Tunnel1/0/0
ip binding vpn-instance vpn1
ip address 2.2.2.2 255.255.255.0
tunnel-protocol gre
source 50.1.1.2
destination 30.1.1.1
isis enable 50
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
import-route isis 50
#
ospf 10
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 110.1.1.0 0.0.0.255
#
ospf 20
area 0.0.0.0
network 50.1.1.0 0.0.0.255
#
return
• Configuration file of PE2
#
sysname PE2
#
vlan batch 40 50
#
ip vpn-instance vpn1
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
lsp-trigger all
#
mpls ldp
#
isis 50 vpn-instance vpn1
network-entity 50.0000.0000.0003.00
import-route bgp
#
interface Vlanif40
ip address 110.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif50
ip binding vpn-instance vpn1
ip address 11.1.1.2 255.255.255.0
isis enable 50
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 50
port hybrid untagged vlan 50
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
import-route isis 50
#
ospf 10
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 110.1.1.0 0.0.0.255
#
return
• Configuration file of CE2
#
sysname CE2
#
vlan batch 50 60
#
isis 50
network-entity 50.0000.0000.0004.00
#
interface Vlanif50
ip address 11.1.1.1 255.255.255.0
isis enable 50
#
interface Vlanif60
ip address 41.1.1.2 255.255.255.0
isis enable 50
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 50
port hybrid untagged vlan 50
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 60
port hybrid untagged vlan 60
#
return
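
Route exchange between the VPN instances on PE1 and PE2 depends on their vpn-target values matching: a mismatch either breaks the VPN or lets routes cross into another VPN instance. The following Python audit is an added example, not Huawei's code: it parses the ip vpn-instance blocks excerpted from the PE1 and PE2 configuration files above and reports export/import combinations that differ from the intended membership. PE3, its vpn2 instance, and the function names are constructed for illustration.

```python
from itertools import permutations

# Excerpts of the PE1 and PE2 configuration files above.
PE1 = """\
ip vpn-instance vpn1
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
interface Tunnel1/0/0
ip binding vpn-instance vpn1
ip address 2.2.2.2 255.255.255.0
tunnel-protocol gre
#
"""
PE2 = """\
ip vpn-instance vpn1
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
interface Vlanif50
ip binding vpn-instance vpn1
ip address 11.1.1.2 255.255.255.0
#
"""
# Constructed device (not on the page): vpn2 also imports target 111:1.
PE3 = """\
ip vpn-instance vpn2
route-distinguisher 300:1
vpn-target 222:1 export-extcommunity
vpn-target 222:1 111:1 import-extcommunity
#
interface Vlanif70
ip binding vpn-instance vpn2
#
"""

DIRECTIONS = ("both", "export-extcommunity", "import-extcommunity")


def new_instance():
    return {"rd": None, "export": set(), "import": set(), "interfaces": []}


def parse_vpn_instances(device, config):
    """Return {(device, instance): settings} from '#'-delimited VRP config text."""
    found, inst, iface = {}, None, None
    for line in (raw.strip() for raw in config.splitlines()):
        words = line.split()
        if not words:
            continue
        if line == "#":                       # '#' closes the current block
            inst = iface = None
        elif words[:2] == ["ip", "vpn-instance"] and len(words) == 3:
            inst, iface = found.setdefault((device, words[2]), new_instance()), None
        elif words[0] == "interface" and len(words) == 2:
            inst, iface = None, words[1]
        elif inst is not None and words[0] == "route-distinguisher" and len(words) == 2:
            inst["rd"] = words[1]
        elif inst is not None and words[0] == "vpn-target":
            targets = words[1:]
            # With no keyword, the target applies in both directions.
            direction = targets.pop() if targets and targets[-1] in DIRECTIONS else "both"
            if direction != "import-extcommunity":
                inst["export"].update(targets)
            if direction != "export-extcommunity":
                inst["import"].update(targets)
        elif iface is not None and words[:3] == ["ip", "binding", "vpn-instance"] and len(words) == 4:
            found.setdefault((device, words[3]), new_instance())["interfaces"].append(iface)
    return found


def route_flows(instances):
    """(src, dst) pairs where dst imports at least one target that src exports."""
    return {(a, b) for a, b in permutations(instances, 2)
            if instances[a]["export"] & instances[b]["import"]}


def audit(instances, groups):
    """groups: list of sets of (device, instance) keys that should form one VPN."""
    group_of = {key: n for n, group in enumerate(groups) for key in group}
    flows = route_flows(instances)
    findings = []
    for src, dst in sorted(flows):
        if src not in group_of or group_of[src] != group_of.get(dst):
            findings.append(f"LEAK {src[0]}/{src[1]} -> {dst[0]}/{dst[1]}")
    for group in groups:
        for src, dst in permutations(sorted(group), 2):
            if (src, dst) not in flows:
                findings.append(f"MISSING {src[0]}/{src[1]} -> {dst[0]}/{dst[1]}")
    for (device, name), inst in sorted(instances.items()):
        if not inst["interfaces"]:
            findings.append(f"UNBOUND {device}/{name}")
    return findings


if __name__ == "__main__":
    parsed = {}
    for device, text in (("PE1", PE1), ("PE2", PE2), ("PE3", PE3)):
        parsed.update(parse_vpn_instances(device, text))
    print(audit(parsed, [{("PE1", "vpn1"), ("PE2", "vpn1")}, {("PE3", "vpn2")}]))
```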

2.7.4 Example for Configuring the Keepalive Function for GRE

Networking Requirements
As shown in Figure 2-9, Switch A and Switch B are configured with the GRE protocol. The
two ends of the GRE tunnel need to be configured with the Keepalive function.

Figure 2-9 Networking diagram of configuring the Keepalive function on two ends of a GRE tunnel

Device    Interface             VLANIF Interface  IP Address
Switch A  GigabitEthernet1/0/0  VLANIF 10         20.1.1.1/24
Switch A  Tunnel1/0/0           -                 40.1.1.1/24
Switch B  GigabitEthernet1/0/0  VLANIF 20         30.1.1.2/24
Switch B  Tunnel1/0/0           -                 40.1.1.2/24

Configuration Roadmap
To enable the Keepalive function on one end of the GRE tunnel, run the keepalive command in
the tunnel interface view on the end.
TIP

If the Keepalive function is enabled on the source end, the forwarding function is obligatory, and the
Keepalive function is optional for the destination end.

Data Preparation
To complete the configuration, you need the following data:

• Data for configuring the routing protocol for the backbone network
• Source address and destination address of the GRE tunnel
• Interval for sending Keepalive messages
• Parameters of unreachable timer

Procedure
Step 1 Configure Switch A and Switch B to implement the interworking between the two devices.
The detailed procedures are not mentioned here.
Step 2 Configure a tunnel on Switch A and enable the Keepalive function.
<SwitchA> system-view
[SwitchA] interface tunnel 1/0/0
[SwitchA-Tunnel1/0/0] ip address 40.1.1.1 255.255.255.0
[SwitchA-Tunnel1/0/0] tunnel-protocol gre
[SwitchA-Tunnel1/0/0] source 20.1.1.1
[SwitchA-Tunnel1/0/0] destination 30.1.1.2
[SwitchA-Tunnel1/0/0] keepalive period 20 retry-times 3
[SwitchA-Tunnel1/0/0] quit

Step 3 Configure a tunnel on Switch B and enable the Keepalive function.


<SwitchB> system-view
[SwitchB] interface tunnel 1/0/0
[SwitchB-Tunnel1/0/0] ip address 40.1.1.2 255.255.255.0
[SwitchB-Tunnel1/0/0] tunnel-protocol gre
[SwitchB-Tunnel1/0/0] source 30.1.1.2
[SwitchB-Tunnel1/0/0] destination 20.1.1.1
[SwitchB-Tunnel1/0/0] keepalive period 20 retry-times 3
[SwitchB-Tunnel1/0/0] quit

Step 4 Verify the configuration.


# The tunnel interface on Switch A can successfully ping the tunnel interface on Switch B.
<SwitchA> ping -a 40.1.1.1 40.1.1.2
PING 40.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 40.1.1.2: bytes=56 Sequence=1 ttl=255 time=9 ms
Reply from 40.1.1.2: bytes=56 Sequence=2 ttl=255 time=7 ms
Reply from 40.1.1.2: bytes=56 Sequence=3 ttl=255 time=7 ms
Reply from 40.1.1.2: bytes=56 Sequence=4 ttl=255 time=7 ms
Reply from 40.1.1.2: bytes=56 Sequence=5 ttl=255 time=7 ms

--- 40.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 7/7/9 ms

# Enable the debugging of the Keepalive messages on Switch A and view information about the
Keepalive messages.
<SwitchA> terminal monitor
<SwitchA> terminal debugging
<SwitchA> debugging tunnel keepalive
Oct 26 2008 20:18:54.860.1 SwitchA TUNNEL/7/debug:GRE_KEEP:Judge keepalive fin
ished. Received keepalive response packet from peer router.
Oct 26 2008 20:18:54.860.2 SwitchA TUNNEL/7/debug:GRE_FWD: Receive the respons
e keepalive packet on mainboard successfully, keepalive finished.
Oct 26 2008 20:19:15.340.1 SwitchA TUNNEL/7/debug:GRE_KEEP:Judge keepalive fin
ished. Received keepalive response packet from peer router.
Oct 26 2008 20:19:15.340.2 SwitchA TUNNEL/7/debug:GRE_FWD: Receive the respons
e keepalive packet on mainboard successfully, keepalive finished.

----End
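
To review Keepalive debugging output offline, the following Python sketch (an added example, not part of the Huawei guide) rejoins the 80-column-wrapped records, extracts the GRE_KEEP response timestamps, and estimates how many Keepalive messages went unanswered between responses. It assumes the tunnel is declared unreachable after retry-times consecutive unanswered messages sent every period seconds; the last log record and the function names are constructed.

```python
import re
from datetime import datetime

PERIOD, RETRY_TIMES = 20, 3   # from "keepalive period 20 retry-times 3" above

# The first four records are the debug output shown above, including the
# terminal's line wrap. The last record is constructed to show a long gap.
DEBUG_LOG = """\
Oct 26 2008 20:18:54.860.1 SwitchA TUNNEL/7/debug:GRE_KEEP:Judge keepalive fin
ished. Received keepalive response packet from peer router.
Oct 26 2008 20:18:54.860.2 SwitchA TUNNEL/7/debug:GRE_FWD: Receive the respons
e keepalive packet on mainboard successfully, keepalive finished.
Oct 26 2008 20:19:15.340.1 SwitchA TUNNEL/7/debug:GRE_KEEP:Judge keepalive fin
ished. Received keepalive response packet from peer router.
Oct 26 2008 20:19:15.340.2 SwitchA TUNNEL/7/debug:GRE_FWD: Receive the respons
e keepalive packet on mainboard successfully, keepalive finished.
Oct 26 2008 20:20:35.840.1 SwitchA TUNNEL/7/debug:GRE_KEEP:Judge keepalive fin
ished. Received keepalive response packet from peer router.
"""

# timestamp (without the trailing sequence number), host, module, message
HEAD = re.compile(
    r"^([A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d{3})\.\d+ (\S+) ([^:\s]+):(.*)$"
)


def unwrap(text):
    """Rejoin records that the terminal split across lines."""
    records = []
    for line in text.splitlines():
        if HEAD.match(line):
            records.append(line)
        elif records and line.strip():
            # The wrap falls mid-word ("fin" + "ished"), so join without a space.
            records[-1] += line
    return records


def keepalive_responses(text):
    """Timestamps of GRE_KEEP records that report a response from the peer."""
    times = []
    for record in unwrap(text):
        stamp, _host, _module, message = HEAD.match(record).groups()
        if message.startswith("GRE_KEEP:") and "Received keepalive response" in message:
            times.append(datetime.strptime(stamp, "%b %d %Y %H:%M:%S.%f"))
    return times


def assess_gaps(times, period=PERIOD, retry_times=RETRY_TIMES):
    """Estimate unanswered Keepalive messages between consecutive responses."""
    report = []
    for earlier, later in zip(times, times[1:]):
        gap = (later - earlier).total_seconds()
        # One response is expected per period; anything beyond that was missed.
        missed = max(0, round(gap / period) - 1)
        report.append({
            "from": earlier,
            "to": later,
            "gap_s": gap,
            "missed": missed,
            # Assumption: the peer is considered unreachable once 'retry_times'
            # consecutive Keepalive messages go unanswered.
            "unreachable": missed >= retry_times,
        })
    return report


if __name__ == "__main__":
    for entry in assess_gaps(keepalive_responses(DEBUG_LOG)):
        state = "UNREACHABLE" if entry["unreachable"] else "ok"
        print(f"{entry['from']:%H:%M:%S} -> {entry['to']:%H:%M:%S} "
              f"gap={entry['gap_s']:.2f}s missed={entry['missed']} {state}")
```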

Configuration Files
• Configuration file of Switch A
#
sysname SwitchA
#
vlan batch 10
#
interface Vlanif10
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface Tunnel1/0/0
ip address 40.1.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
keepalive period 20
#
return

• Configuration file of Switch B
#
sysname SwitchB
#
vlan batch 20
#
interface Vlanif20
ip address 30.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface Tunnel1/0/0
ip address 40.1.1.2 255.255.255.0
tunnel-protocol gre
source 30.1.1.2
destination 20.1.1.1
keepalive period 20
#
return

3 BGP MPLS IP VPN Configuration

About This Chapter

This chapter describes the BGP/MPLS IP VPN configuration, including the introduction to the
BGP/MPLS IP VPN, common networking of the BGP/MPLS IP VPN, and configurations to
ensure the reliability of the BGP/MPLS IP VPN.

3.1 Introduction to BGP/MPLS IP VPN
This section describes the concepts and roles of the PE, P, and CE.
3.2 BGP/MPLS IP VPN Features Supported by the S7700
The S7700 supports basic and typical networking of the BGP/MPLS IP VPN, and such features
as reliability and QoS of the BGP/MPLS IP VPN.
3.3 Configuring a VPN Instance
A VPN instance isolates VPN routes from public network routes.
3.4 Configuring Basic BGP/MPLS IP VPN
The basic BGP/MPLS IP VPN refers to a VPN that is established on one SP's MPLS backbone
network that does not span multiple ASs. The role of each PE, P, or CE of the basic BGP/MPLS
IP VPN is unique. For example, a router cannot function as both a PE and a CE.
3.5 Configuring Hub and Spoke
In the networking of Hub and Spoke, an access control device is specified in the VPN, and users
communicate with each other through the access control device.
3.6 Configuring Inter-AS VPN Option A
In inter-AS VPN OptionA, an ASBR takes the peer ASBR as its CE and advertises VPNv4 routes
to the peer ASBR through EBGP.
3.7 Configuring Inter-AS VPN Option B
In inter-AS VPN OptionB, through MP-EBGP, two ASBRs receive VPNv4 routes from PEs in
their respective ASs and then exchange the VPNv4 routes with each other.
3.8 Configuring HoVPN
HoVPN indicates a hierarchical VPN, in which multiple PEs play different roles and form a
hierarchical structure. In this manner, these PEs function as one PE, and the performance
requirements for PEs are lowered.
3.9 Configuring OSPF Sham Link

Issue 01 (2011-07-15) Huawei Proprietary and Confidential 95


Copyright Huawei Technologies Co., Ltd.
Quidway S7700 Smart Routing Switch
Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration

This section describes how to configure the routes that traverse the MPLS VPN backbone
network to be the routes of the OSPF area. After the configuration, traffic between sites of the
same VPN in the same OSPF area need not be forwarded through routes of the OSPF area.
3.10 Configuring a Multi-VPN-Instance CE
By using OSPF multi-instance on CEs, you can implement service isolation on the LAN.
3.11 Connecting VPN and the Internet
Generally, users within a VPN can communicate only with each other instead of with Internet
users, and the VPN users cannot access the Internet. If each site of the VPN needs to access the
Internet, you need to configure the interconnection between the VPN and the Internet.
3.12 Configuring VPN FRR
In the networking of CE dual-homing, you can configure VPN FRR to ensure the end-to-end
VPN service fast switchover if the PE fails.
3.13 Configuring VPN GR
In the process of master/slave control board switchover or the system upgrade, you can configure
VPN GR to ensure that VPN traffic is not interrupted on the PE, CE, or P.
3.14 Configuring Route Reflection to Optimize the VPN Backbone Layer
Using an RR can reduce the number of MP IBGP connections between PEs. This not only reduces
the burden of PEs but also facilitates network maintenance and management.
3.15 Configuring Route Reflection to Optimize the VPN Access Layer
If a PE and the connected CEs are in the same AS, you can deploy a BGP route RR to reduce
the number of IBGP connections between CEs and facilitate maintenance and management.
3.16 Maintaining BGP/MPLS IP VPN
This section describes how to maintain the BGP/MPLS IP VPN, which involves L3VPN traffic
checking, network connectivity monitoring, and BGP connection resetting.
3.17 Configuration Examples
This section provides several configuration examples of VPN networking. In each configuration
example, the networking requirements, configuration roadmap, configuration notes,
configuration procedures, and configuration files are described.

3.1 Introduction to BGP/MPLS IP VPN


This section describes the concepts and roles of the PE, P, and CE.
BGP/MPLS IP VPN is a PE-based L3VPN technology used in the Provider Provisioned VPN
(PPVPN) solution. BGP/MPLS IP VPN uses BGP to advertise VPN routes and MPLS to forward
VPN packets on the provider's backbone network.
Characterized by flexible networking modes, excellent extensibility, and convenient support for
MPLS QoS and MPLS TE, BGP/MPLS IP VPN is widely used.
Figure 3-1 shows the networking diagram of BGP/MPLS IP VPN.

Figure 3-1 BGP/MPLS IP VPN model

The BGP/MPLS IP VPN model consists of the following parts:

• A Customer Edge (CE) is an edge device on the customer network, which has one or more
  interfaces directly connected to the service provider network. A CE can be a switch, a
  router or a host. Mostly, CEs cannot "sense" the existence of the VPN, and do not need to
  support MPLS.
• A Provider Edge (PE) is an edge device on the provider network, which is directly connected
  to the CE. In the MPLS network, PEs perform all the VPN-related processing.
• A Provider (P) is a backbone device on the provider network, which is not directly
  connected to the CE. Ps only need to possess basic MPLS forwarding capabilities and do
  not need to maintain information about VPNs.
• A site is a group of IP systems that have IP connectivity among themselves without being
  connected to the service provider network. A site is connected to the provider network
  through the CE. A site may contain many CEs, but a CE belongs only to a single site.

3.2 BGP/MPLS IP VPN Features Supported by the S7700


The S7700 supports basic and typical networking of the BGP/MPLS IP VPN, and such features
as reliability and QoS of the BGP/MPLS IP VPN.

Basic Networking
The S7700 uses the Multi-protocol Extensions for Border Gateway Protocol (MP-BGP) to
achieve the VPN route exchange between PEs. The static route, Routing Information Protocol
(RIP) multi-instance, Open Shortest Path First (OSPF) multi-instance, Intermediate System-to-
Intermediate System (IS-IS) multi-instance, or external BGP (EBGP) can be used to exchange
routes between a PE and a CE. In addition, by using VPN targets to control the transmission of
VPN routes, the S7700 can implement multiple VPN networking topologies including Intranet,
Extranet, and Hub&Spoke.
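
The effect of VPN targets on route exchange, as an added Python example that is not part of this guide: each instance tags exported routes with its export targets, and another instance installs a route only when one of those tags is among its import targets. Instance names, target values and prefixes are constructed, and re-advertisement of routes by a hub site is not modelled.

```python
"""VPN-target matching between VPN instances (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnInstance:
    """One VPN instance on some PE, with the targets set by vpn-target."""
    name: str
    export_targets: frozenset
    import_targets: frozenset
    local_prefixes: frozenset  # routes learnt from the attached CE


def make(name, export, import_, prefix):
    """Build an instance that owns a single site prefix."""
    return VpnInstance(name, frozenset(export), frozenset(import_),
                       frozenset([prefix]))


def distribute(instances):
    """Return {instance name: {(prefix, origin instance), ...}}.

    A route is installed in a remote instance only when the exporting
    instance's export targets and the importing instance's import targets
    share at least one value.
    """
    tables = {vi.name: {(p, vi.name) for p in vi.local_prefixes}
              for vi in instances}
    for src in instances:
        for dst in instances:
            if src is not dst and src.export_targets & dst.import_targets:
                tables[dst.name] |= {(p, src.name) for p in src.local_prefixes}
    return tables


def reachable_pairs(instances):
    """Ordered pairs (a, b): instance a holds a route to instance b's site."""
    return {(name, origin)
            for name, routes in distribute(instances).items()
            for _, origin in routes if origin != name}


def intranet():
    # Every site exports and imports the same target: full mesh.
    return [make(f"site{i}", ["1:1"], ["1:1"], f"10.{i}.0.0/16")
            for i in (1, 2, 3)]


def extranet():
    # Two VPNs stay separate but both exchange routes with a shared site.
    return [make("vpn1-site", ["1:1"], ["1:1", "3:3"], "10.1.0.0/16"),
            make("vpn2-site", ["2:2"], ["2:2", "3:3"], "10.2.0.0/16"),
            make("shared", ["3:3"], ["1:1", "2:2"], "10.3.0.0/16")]


def hub_and_spoke():
    # Spokes import only what the hub exports, never each other's routes.
    return [make("hub", ["100:2"], ["100:1"], "10.0.0.0/16"),
            make("spoke1", ["100:1"], ["100:2"], "10.1.0.0/16"),
            make("spoke2", ["100:1"], ["100:2"], "10.2.0.0/16")]


if __name__ == "__main__":
    for label, topo in (("Intranet", intranet()), ("Extranet", extranet()),
                        ("Hub&Spoke", hub_and_spoke())):
        print(label, sorted(reachable_pairs(topo)))
```
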

Typical Networking
The S7700 supports the following typical VPN networking:

l Inter-AS VPN
If a VPN backbone network spans multiple ASs, the inter-AS VPN must be configured.
Currently, the S7700 supports inter-AS VPN Option A and Option B.
l HoVPN
To relieve the stress on a PE, the Hierarchy of VPN (HoVPN) can be configured. A device
on the convergence layer or the access layer is selected as the Underlayer Provider Edge
(UPE), which works jointly with the PE, that is, the Superstratum Provider Edge (SPE) on
the backbone layer, to implement the functions of the PE.
l OSPF sham link
If OSPF runs between the PE and CE, an OSPF sham link can be configured to solve the
following problem: OSPF does not select the private route passing through the MPLS
backbone network, because the intra-area route passing through the backdoor link takes
precedence over the private route, as shown in Figure 3-2.

Figure 3-2 Schematic diagram of sham link

[Figure: PE1 and PE2 on the MPLS VPN backbone connected by a sham link; CE12 and CE22 in VPN1 (site1 and site3), both in OSPF 200 Area 1, connected by a backdoor link.]

l Multi-VPN-Instance CE
The Multi-VPN-Instance CE can be configured to improve the routing capability of the
LAN, solve the security problem of the LAN at a low cost, and ensure that the LAN services
are safely differentiated. Currently, LAN services can be differentiated by utilizing VLAN
switches, but they have a weak routing capability.
l VPN and Internet interworking
The S7700 implements interworking between VPNs and the Internet by configuring static
routes on PEs.

Reliability
To improve the reliability of a VPN, generally, the following networking modes are adopted.

l The backbone network is an MPLS network, on which the devices adopt hierarchical
backup and are fully connected through high-speed interfaces. If there are many PEs on
the network, the BGP route reflector is deployed to reflect IPv4 VPN routes in order to
decrease the number of Multi-Protocol internal BGP (MP IBGP) connections.
l Either a mesh topology or a ring topology is used at the convergence layer based on the
requirements.
l The dual-homed CE or multi-homed CE is deployed on the access layer.

The S7700 supports VPN FRR in a VPN network where dual-homed CEs reside. After a PE
fails, VPN FRR ensures that the VPN service from CE to CE is quickly switched to the remaining
PEs.

The IP FRR feature can be configured to ensure that VPN traffic can rapidly switch to another
link between the PE and the other CE, when two CEs at a site access a PE, and a link between
one CE and the PE fails.

VPN Graceful Restart (GR), a feature that can improve the reliability of a VPN, can also be
deployed. After the deployment of VPN GR, the VPN traffic is not interrupted in the master/
slave switchover process on the switch (PE, P, or CE). This reduces the impact of a single point
failure on VPN services.

Interfaces Bound to VPN Instances


A VPN instance needs to be bound to the interface on the PE that is connected to the CE. After
being bound, the interface functions as the private network interface. The packets entering the
VPN instance through this interface are forwarded according to forwarding information in the
VPN instance. By default, an interface is a public network interface and is not bound to any VPN
instance.

The S7700 can bind VLANIF interfaces, XGE sub-interfaces, GE sub-interfaces, Ethernet sub-
interfaces, Eth-Trunk sub-interfaces, the Ethernet port (Ethernet 0/0/0), and GRE tunnel interfaces
to VPN instances. On the S7700, IP addresses cannot be assigned to GE interfaces, Eth-Trunk
interfaces, and Ethernet interfaces (excluding management network ports), and these interfaces
cannot be bound to VPN instances.

For details on how to bind sub-interfaces to VPN instances, see Configuring a Sub-interface to
Access an L3VPN in the Quidway S7700 Smart Routing Switch Configuration Guide -
Ethernet.

3.3 Configuring a VPN Instance


A VPN instance isolates VPN routes from public network routes.


3.3.1 Establishing the Configuration Task


Before configuring a VPN instance, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.

Applicable Environment
In BGP/MPLS IP VPN, each VPN is instantiated, and the instances of private forwarding
information of each VPN are established, that is, a VPN instance is established. A VPN instance
is also called the VPN Routing and Forwarding (VRF) table. In RFC 4364 (BGP/MPLS IP
VPNs), a VPN instance is called the per-site forwarding table.

The VPN instance is used to separate the VPN routes from public routes. In all the BGP/MPLS
IP VPN networking scenarios, you should configure VPN instances.

The VPN instance can realize the separation of address spaces based on the Route Distinguisher
(RD), and can control VPN membership and routing rules based on the VPN target attribute.

In addition, to achieve enhanced routing control, you can also enforce inbound and outbound
routing policies. The inbound routing policy is used to filter the routes imported into the VPN
instance, and the outbound routing policy is used to filter the routes advertised to other PEs.

Pre-configuration Tasks
Before configuring a VPN instance, complete the following tasks:

l Configuring routing policies if import or export routing policies need to be applied to the
VPN instance

Data Preparation
To configure a VPN instance, you need the following data.

No. Data

1 Name of the VPN instance

2 (Optional) Description of the VPN instance

3 RD, VPN target attribute of the VPN instance

4 (Optional) Maximum number of routes allowed by the VPN instance

5 (Optional) Routing policy that controls the receiving and sending of VPN routes

6 (Optional) Tunnel policy

3.3.2 Creating a VPN Instance


Configuring a VPN instance is the preliminary step for configuring other VPN attributes. After
a VPN instance is configured, a VPN routing and forwarding table is created.


Context
Do as follows on the PE that is connected to the CE:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip vpn-instance vpn-instance-name

A VPN instance is created, and the VPN instance view is displayed.

NOTE

The name of the VPN instance is case sensitive. For example, vpn1 and VPN1 are considered as different
VPN instances.

No default VPN instance exists on a PE, and multiple VPN instances can be created on the PE.

Step 3 Run:
route-distinguisher route-distinguisher

The RD of the VPN instance is configured.

A VPN instance takes effect only after the RD is configured. The RDs of the VPN instances on
the same PE must be different from each other.

Before the RD is configured, no other parameters can be configured except for the VPN instance
description.

NOTE

An RD cannot be changed or deleted once it is configured. To change an RD, first, delete the VPN instance,
and then re-configure a VPN instance and an RD. To delete the RD, you only need to delete the VPN
instance.

Step 4 (Optional) Run:


description description-information

The description of the VPN instance is configured.

The description of a VPN instance functions the same as the description of a host name or an
interface. It is recommended that the proper description be configured.

----End

3.3.3 Configuring Attributes for the VPN Instance


To facilitate management of the routes of the VPN instance, you also need to configure other VPN
attributes, such as the VPN target, route limit, and routing policy.

Context
Do as follows on the PE that is configured with VPN instances.


NOTE

It is recommended to perform either Step 4 or Step 5.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.


Step 3 Run:
vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]

The VPN target extended community attribute for the VPN instance is created.
VPN target is the extended community attribute of the Border Gateway Protocol (BGP). It
controls the import and export of VPN routes. You can configure a maximum of 8 VPN targets
with a command.
Step 4 (Optional) Run:
routing-table limit number { alert-percent | simply-alert }

The maximum number of routes of the VPN instance is configured.


You can define the maximum number of routes for a VPN instance to prevent the PE from
importing too many routes from the CE.

NOTE

If the routing-table limit command is run, the system gives a prompt when the number of routes injected
into the routing table of the VPN instance exceeds the maximum. If the routing-table limit command is
run to increase the maximum number of routes supported in a VPN instance or the undo routing-table
limit command is run to remove the limit on the routing table, for excess routes, the following operations
are required:
l For the excessive static routes, you need to reconfigure them manually.
l For the excessive routes learnt from CEs through the IGP multi-instance routing protocol, you need to
re-initiate the multi-instance process of the routing protocol on the PE.
For the remote cross routes learnt through the MP-IBGP and the BGP routes learnt from CEs, the system
automatically refreshes them.

Step 5 (Optional) Run:


prefix limit number { alert-percent [ route-unchanged ] | simply-alert }

The maximum number of prefixes of the VPN instance is configured.


You can define the maximum number of prefixes for a VPN instance to avoid importing too
many prefixes from the CE.
Step 6 (Optional) Run:
limit-log-interval interval

The frequency of displaying logs when the number of routes exceeds the threshold is configured.
Step 7 (Optional) Run:
import route-policy policy-name


The inbound routing policy of the VPN instance is configured.

Step 8 (Optional) Run:


export route-policy policy-name

The outbound routing policy of the VPN instance is configured.

----End
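
A pre-deployment check of a planned VPN instance command list against the rules stated in 3.3.2 and 3.3.3, as an added Python example that is not part of this guide: an RD must exist and be unique on the PE, only the description may precede the RD, names are case sensitive, a route or prefix limit bounds what the PE imports from the CE, and one vpn-target command takes at most 8 targets. The sample plan, the finding codes and the assumption that the input holds only `ip vpn-instance` blocks are constructed for the example.

```python
"""Pre-deployment audit of planned VPN-instance commands (added example)."""
from collections import defaultdict

DIRECTIONS = {"both", "export-extcommunity", "import-extcommunity"}

# Constructed sample: a planned command list for one PE, not device output.
SAMPLE_PLAN = """\
ip vpn-instance vpn1
 description This is a VPN for company1
 route-distinguisher 100:1
 vpn-target 1:1 both
 routing-table limit 100 90
ip vpn-instance VPN1
 route-distinguisher 100:1
 vpn-target 1:1 import-extcommunity
 vpn-target 2:2 export-extcommunity
 prefix limit 50 simply-alert
ip vpn-instance vpn3
 description RD not planned yet
ip vpn-instance vpn4
 vpn-target 4:4 both
 route-distinguisher 100:4
"""


def parse_plan(text):
    """Return {instance name: record}; re-entering a view extends its record."""
    instances, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "#":
            continue
        if words[:2] == ["ip", "vpn-instance"] and len(words) == 3:
            current = instances.setdefault(words[2], {
                "rd": None, "limited": False,
                "before_rd": [], "target_counts": []})
        elif current is None or words[0] == "description":
            continue  # the description is allowed before the RD
        elif words[0] == "route-distinguisher" and len(words) == 2:
            current["rd"] = words[1]
        else:
            if current["rd"] is None:
                current["before_rd"].append(" ".join(words))
            if words[0] == "vpn-target":
                targets = [w for w in words[1:] if w not in DIRECTIONS]
                current["target_counts"].append(len(targets))
            elif words[0] in ("routing-table", "prefix") and words[1:2] == ["limit"]:
                current["limited"] = True
    return instances


def audit(text):
    """Return a sorted list of (instance name, finding code) tuples."""
    findings = set()
    by_rd, by_folded_name = defaultdict(list), defaultdict(list)
    for name, inst in parse_plan(text).items():
        by_folded_name[name.lower()].append(name)
        if inst["rd"] is None:
            findings.add((name, "missing-rd"))  # instance does not take effect
            continue
        by_rd[inst["rd"]].append(name)
        if inst["before_rd"]:
            findings.add((name, "configured-before-rd"))
        if not inst["limited"]:
            findings.add((name, "no-route-limit"))
        if any(count > 8 for count in inst["target_counts"]):
            findings.add((name, "too-many-targets"))
    for names in by_rd.values():
        if len(names) > 1:  # RDs on the same PE must differ
            findings.update((n, "duplicate-rd") for n in names)
    for names in by_folded_name.values():
        if len(names) > 1:  # vpn1 and VPN1 are different instances
            findings.update((n, "name-differs-only-by-case") for n in names)
    return sorted(findings)


if __name__ == "__main__":
    for name, code in audit(SAMPLE_PLAN):
        print(f"{name}: {code}")
```
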

3.3.4 (Optional) Applying a Tunnel Policy to the VPN Instance


By applying a tunnel policy to a VPN instance, you can specify the tunnel for VPN traffic
forwarding.

Context
By default, the VPN instance uses an MPLS LSP as the tunnel and no load balancing is carried
out.

Do as follows on the PE configured with VPN instances.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.

Step 3 Run:
tnl-policy policy-name

A tunnel policy is applied to the VPN instance.

----End

3.3.5 (Optional) Configuring MPLS Label Allocation Based on the VPN Instance

This section describes how the MPLS label is allocated in a VPN instance, specifically, how
the local PE allocates the same MPLS label for all routes of the VPN instance. If there are a
large number of VPN routes, this reduces the number of MPLS labels maintained by PEs.

Context
Do as follows on the PE configured with VPN instances.

Procedure
Step 1 Run:
system-view


The system view is displayed.


Step 2 Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.


Step 3 Run:
apply-label per-instance

The MPLS label is allocated based on the VPN instance, which ensures that all the routes in a
VPN instance use the same MPLS label.
Generally, MPLS label allocation is in one label per route mode. When the number of routes
becomes larger, more labels are required.
Therefore, MPLS label allocation based on the VPN instance is introduced and provided by the
S7700. In this manner, all the routes of a VPN instance share the same MPLS label.

----End

3.3.6 Checking the Configuration


After configuring a VPN instance, you can view information about it on the local device,
including RD attributes and other attributes.

Prerequisite
The functions of the VPN instance are fully configured.

Procedure
l Run the display ip vpn-instance verbose vpn-instance-name command to check detailed
information about the VPN instance.
l Run the display ip vpn-instance vpn-instance-name command to check brief information
about the VPN instance.
----End

Example
Run the display ip vpn-instance command. If brief information including the RD and creating
time about the VPN instance is displayed, it means that the configuration succeeded. For
example:
<Quidway> display ip vpn-instance vpna
  VPN-Instance Name    RD       Creation Time
  vpn1                 100:1    2010/06/19 02:08:54 UTC-03:00 DST

Run the display ip vpn-instance verbose command. If detailed information about the VPN
instance is displayed, it means the configuration succeeded. For example:
<Quidway> display ip vpn-instance verbose vpn1
VPN-Instance Name and ID : vpn1, 1
Create date : 2008/09/29 14:05:31
Up time : 0 days, 05 hours, 36 minutes and 49 seconds
Route Distinguisher : 100:1
Export VPN Targets : 1:1
Import VPN Targets : 1:1
Label Policy : label per route
Import Route Policy : p1
The VPN QoS configuration information : based on VPN
CIR: 100 PIR: 100
Export Route Policy : p2
Tunnel Policy : po1
Description : This is a VPN for company1
Maximum Routes Limit : 100
Threshold Routes Limit : 90%
Log Interval : 5

3.4 Configuring Basic BGP/MPLS IP VPN


The basic BGP/MPLS IP VPN refers to a VPN that is established on one SP's MPLS backbone
network that does not span multiple ASs. The role of each PE, P, or CE of the basic BGP/MPLS
IP VPN is unique. For example, a router cannot function as both a PE and a CE.

3.4.1 Establishing the Configuration Task


Before configuring the basic BGP/MPLS IP VPN, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.

Applicable Environment
This section describes the basic BGP/MPLS IP VPN networking. To be specific, the networking
features only one carrier and one intra-AS MPLS backbone network. In addition, the roles of
the P, PE, and CE are unique. For example, no device serves both as the PE and CE.
For special BGP/MPLS IP VPN networkings such as HoVPN, multi-role host, and inter-AS
VPN, additional configurations are needed. You can refer to the related sections in this chapter
for details.
The key to configuring the BGP/MPLS IP VPN is managing the advertisement of VPN routes
on the MPLS backbone network, including route advertisement between the PE and CE, and
between PEs.
You can configure MP-IBGP to exchange routes between PEs. To exchange routes between the
PE and CE, you can configure static routes, RIP multi-instance, OSPF multi-instance, IS-IS
multi-instance, or BGP according to the specific networking situations.

NOTE

If a VPN is used to receive the external routes and the routes advertised by non-PE devices, and then
advertise these routes to PEs, the VPN is called a transit VPN.
If a VPN is used to accept the internal routes and the routes advertised by PEs, the VPN is called a stub
VPN. In most cases, the static route is only used to exchange routes between the PE and CE in the stub
VPN.

Pre-configuration Tasks
Before configuring basic BGP/MPLS IP VPN, complete the following tasks:

l Configuring IGP for the MPLS backbone network (PE, P) to implement IP connectivity
l Configuring basic MPLS functions and MPLS LDP for the MPLS backbone network (PE,
P)


l Configuring tunnels between PEs based on the tunnel policy


l Configuring the IP address for the CE interface that is connected to the PE

Data Preparation
To configure basic BGP/MPLS IP VPN, you need the following data.

No. Data

1 To configure a VPN instance, you need the following data:


l Name of the VPN instance
l (Optional) Description of the VPN instance
l RD, VPN target attribute of the VPN instance
l (Optional) Routing policy used to control the sending and receiving of VPN routes
l (Optional) Tunnel policy
l (Optional) Maximum number of routes permitted in a VPN instance

2 IP address of the PE interface that is connected to the CE

3 Route-exchanging mode between the PE and CE, which can be the static route, RIP,
OSPF, IS-IS, or BGP

4 AS number of the PE

5 IP address and interface of the PE used to establish the BGP peer relationship

3.4.2 Configuring a VPN Instance


This part describes how to configure a VPN instance to manage VPN routes.

Context
For the details, see Configuring VPN Instances.

3.4.3 Binding an Interface with a VPN Instance


After associating an interface with a VPN instance, you can change the interface to a VPN
interface. As a result, packets that pass through the interface are forwarded according to the
forwarding information of the VPN instance, and Layer 3 attributes such as the IP address and
routing protocol that are configured for the interface, are deleted. These Layer 3 attributes need
to be re-configured if required.

Context
Do as follows on the PE that is connected to the CE.

Procedure
Step 1 Run:
system-view


The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The view of the interface that is to be bound with the VPN instance is displayed.

The XGE, GE, Eth-Trunk, and Ethernet interfaces (excluding Ethernet 0/0/0) cannot be bound
to VPN instances.

Step 3 Run:
ip binding vpn-instance vpn-instance-name

The interface is bound to the VPN instance.

NOTE

The running of the ip binding vpn-instance command on an interface can delete the Layer 3 attributes,
such as the IP address and routing protocol. If these Layer 3 attributes are still required, you need to
configure them again.

Step 4 Run:
ip address ip-address { mask | mask-length }

The IP address is configured.

----End

3.4.4 Configuring MP-IBGP Between PEs


By importing extended community attributes to BGP, MP-IBGP can advertise VPNv4 routes
between PEs.

Context
Do as follows on the PE that is connected to the CE:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bgp as-number

The BGP view is displayed.

Step 3 Run:
peer ipv4-address as-number as-number

The remote PE is specified as the peer.

Step 4 Run:
peer ipv4-address connect-interface loopback interface-number

The interface used to set up the TCP connection is specified.


NOTE

The 32-bit mask IP addresses of the loopback interfaces must be used to establish the MP-IBGP peer
relationship between PEs. This can ensure the tunnel can be iterated. The route destined to the loopback
interface is advertised to the remote PE based on IGP on the MPLS backbone network.

Step 5 Run:
ipv4-family vpnv4

The BGP VPNv4 sub-address family view is displayed.


Step 6 Run:
peer ipv4-address enable

The VPN IPv4 routing information can be exchanged between the peers.

----End

3.4.5 Configuring a Routing Protocol Between a PE and a CE


The routing protocol between a PE and a CE can be EBGP, IBGP, static route, RIP, OSPF, or
IS-IS. You can choose any of them as required in the configuration process.

Context
Select one of the following configurations as required:
l Configuring EBGP between a PE and a CE
l Configuring IBGP between a PE and a CE
l Configuring the static route between a PE and a CE
l Configuring RIP between a PE and a CE
l Configuring OSPF between a PE and a CE
l Configuring IS-IS between a PE and a CE

Procedure
l Configure EBGP between a PE and a CE.
Do as follows on the PE:
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP VPN instance view is displayed.


4. (Optional) Run:
as-number as-number

An AS number for the VPN instance is specified.


During network transfer or service identification, a device needs to be simulated as
multiple BGP devices logically. In this case, you can run the as-number command
to configure an AS number for each VPN instance.

NOTE

The AS number configured in the BGP-VPN instance view cannot be the same as the AS
number configured in the BGP view.
5. Run:
peer ipv4-address as-number as-number

The CE is specified as the peer of the VPN.


6. (Optional) Run:
peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]

The maximum number of hops is configured for the EBGP connection.

Generally, one or multiple directly-connected physical links exist between EBGP
peers. If the directly-connected physical link(s) are not available, you must run the
peer ebgp-max-hop command to ensure that the TCP connection can be set up
between the EBGP peers through multiple hops.
7. (Optional) When the direct route of the local CE needs to be imported to the VPN
routing table (for being advertised to the remote PE), you can choose either of the
following configurations:
Run the import-route direct [ med med | route-policy route-policy-name ]*
command to import the direct routes of the local CE into the VPN routing table.
Run the network ipv4-address [ mask | mask-length ] [ route-policy route-policy-
name ] command to import a specific direct route of the local CE into the VPN
routing table.
NOTE

The PE can automatically learn the direct route destined for the local CE, and the learnt
direct route has a higher priority than the direct route that is advertised by the local CE
based on EBGP. Therefore, if this step is not configured, the PE cannot advertise the direct
route to the remote PE based on MP-BGP.
8. (Optional) Run:
peer ip-address allow-as-loop [ number ]

The loop is allowed.

This step is optional and used in the Hub and Spoke networking.

Generally, BGP uses the AS number to detect a loop. In the Hub and Spoke
networking, however, if EBGP runs between the PE and the CE at the Hub site, the
Hub-PE carries the local AS number when advertising routes to the Hub-CE.
Therefore, the PE denies the subsequent routing update from the Hub-CE. To ensure
the proper transmission of routes in the Hub and Spoke networking, you need to
configure all the BGP peers along the path that the Hub-CE uses to advertise private
network routes to the Spoke-CE to accept routes in which the AS number is repeated
once.
9. (Optional) Run:
peer ip-address substitute-as

The AS number substitution is enabled for BGP.


This step is used for the networking scenario where physically-dispersed CEs use the
same AS number. The configuration is performed on the PE.

CAUTION
In the case of multi-homed CE, the BGP AS substitution function may lead to route
loops.

NOTE

Compared with the BGP view, the BGP-VPN instance view does not support the following
commands:
l BGP confederation: confederation
l BGP graceful restart: graceful-restart
l Router ID of BGP: router-id
l Synchronization between BGP and IGP: synchronization
l BGP timer: timer
Do as follows on the CE:
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
peer ipv4-address as-number as-number

The PE is specified as the peer of the VPN.


4. (Optional) Run:
peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]

The maximum number of hops is configured for the EBGP connection.


Generally, one or multiple directly-connected physical link(s) exist between a pair of
EBGP peers. If not, you must use the peer ebgp-max-hop command to ensure that
the TCP connection can be set up between the EBGP peers through multiple hops.
5. Run:
import-route { direct | static | rip process-id | ospf process-id | isis
process-id } [ med med | route-policy route-policy-name ]*

Routes of the local site are imported.


The CE must advertise the reachable VPN segment addresses to the attached PE.
Through the PE, the addresses are advertised to the remote CEs. In applications, the
types of routes to be imported may be different.
l Configure IBGP between a PE and a CE.
Do as follows on the PE:
1. Run:


system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance view is displayed.


4. (Optional) Run:
as-number as-number

An AS number for the VPN instance is specified.

During network transfer or service identification, a device needs to be simulated as
multiple BGP devices logically. In this case, you can run the as-number command
to configure an AS number for each VPN instance.

NOTE

The AS number configured in the BGP-VPN instance view cannot be the same as the AS
number configured in the BGP view.
5. Run:
peer ipv4-address as-number as-number

The CE is specified as the peer of the VPN.


6. (Optional) When the direct route of the local CE needs to be imported to the VPN routing
table (for being advertised to the remote PE), select either of the following
configurations:
Run the import-route direct [ med med | route-policy route-policy-name ]*
command to import the direct routes of the local CE to the VPN routing table.
Run the network ipv4-address [ mask | mask-length ] [ route-policy route-policy-
name ] command to import a specific direct route of the local CE to the VPN routing
table.
NOTE
The PE can automatically learn the direct route to the local CE. The route has a higher priority
than the direct route that is advertised by IBGP. Therefore, if this step is not performed, the PE
does not advertise the direct route to the remote PE by using MP-BGP.

Do as follows on the CE:

1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
peer ipv4-address as-number as-number

The PE is specified as the IBGP peer.


4. Run:
import-route { direct | static | rip process-id | ospf process-id | isis
process-id } [ med med | route-policy route-policy-name ]*

The route is imported to the local CE.

The CE advertises its VPN network segment to the connected PE, and the PE then
advertises the address to the remote CE. Note that the type of the imported route may
vary with different networking modes.
l Configure the static route between a PE and a CE.
Do as follows on the PE. The CE is configured with the static route; this is a common
configuration and is therefore not described here.
NOTE

For details, see Quidway S7700 Smart Routing Switch Configuration Guide - IP Routing.
1. Run:
system-view

The system view is displayed.


2. Run:
ip route-static vpn-instance vpn-source-name destination-address { mask
| mask-length } interface-type interface-number [ nexthop-address ]
[ preference preference | tag tag ] *

The static route is configured for the specified VPN instance.


3. Run:
bgp as-number

The BGP view is displayed.


4. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP VPN instance view is displayed.


5. Run:
import-route static [ med med | route-policy route-policy-name ]*

The configured static route is imported into the routing table of the BGP VPN instance.
l Configure RIP between a PE and a CE.
Do as follows on the PE. The CE is configured with RIPv1 or RIPv2; this is a common
configuration and is therefore not described here.
NOTE

For details, see Quidway S7700 Smart Routing Switch Configuration Guide - IP Routing.
1. Run:
system-view

The system view is displayed.


2. Run:
rip process-id vpn-instance vpn-instance-name

The RIP instance is created between the PE and the CE and the RIP view is displayed.


A RIP process belongs to only one VPN instance. If you run a RIP process without
binding it to a VPN instance, this process is considered as a public network process.
A RIP process that belongs to a public network cannot be bound with a VPN instance.
3. Run:
network network-address

The RIP is configured on the network segment of the interface bound with the VPN
instance.
4. Run:
import-route bgp [ cost { cost | transparent } | route-policy route-policy-
name ]*

The BGP route is imported.


After the import-route bgp command is run in the RIP view, the PE imports
the VPN-IPv4 routes learnt from the remote PE into the RIP, and then advertises them
to its CE.
5. Run:
quit

Return to the system view.


6. Run:
bgp as-number

The BGP view is displayed.


7. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP VPN instance view is displayed.


8. Run:
import-route rip process-id [ med med | route-policy route-policy-name ]*

The RIP route is imported into the routing table of the BGP VPN instance.
After the import-route rip command is configured in the BGP VPN view, the
PE imports the VPN routes learnt from its CE into BGP, forms them into VPN-IPv4
routes, and advertises them to the remote PE.
NOTE

After a VPN instance is deleted, all the associated RIP processes are deleted.
l Configure OSPF between a PE and a CE.
Do as follows on the PE. The CE is configured with OSPF; this is a common
configuration and is therefore not described here.
NOTE

For details, see Quidway S7700 Smart Routing Switch Configuration Guide - IP Routing.
1. Run:
system-view

The system view is displayed.


2. Run:
ospf process-id [ router-id router-id ] vpn-instance vpn-instance-name

The OSPF instance is created between the PE and the CE, and the OSPF view is
displayed.


An OSPF process belongs to only one VPN instance. If you run an OSPF process
without binding it to a VPN instance, this process is considered as a public network
process. An OSPF process that belongs to a public network cannot be bound with a
VPN instance.

The OSPF processes that are bound to the VPN instance do not use the public network
router ID configured in the system view. You need to specify the router ID when
starting an OSPF process. Otherwise, according to the router ID selection rule, the IP
address of an interface that is bound to the VPN instance is selected as the router ID
in the OSPF process.
3. (Optional) Run:
domain-id domain-id [ secondary ]

The domain ID is configured.

The domain ID can be expressed by an integer or in dotted decimal notation.

You can configure two domain IDs for each OSPF process. The domain IDs of
different processes are independent of each other.

The domain IDs of the OSPF processes in different VPNs on the PE can be configured
without restriction. However, all the OSPF processes in one VPN should be configured with
the same domain ID to ensure correct route advertisement.

The domain ID of an OSPF process is contained in the routes generated by this process.
When the OSPF routes are imported into BGP, the domain ID is added into the BGP
VPN route and is transmitted as the BGP extended community attribute.

By default, the domain ID is 0.


4. (Optional) Run:
route-tag tag

The VPN route tag is configured.

By default, OSPF automatically allocates the VPN route tag according to the
following algorithm:

• If the BGP process is not started on the local device, the tag value is 0 by default.
• If the BGP process is started on the local device, the first two bytes of the tag value
are fixed as 0xD000, and the last two bytes are the local AS number by default.
That is, the tag value equals 3489660928 plus the local AS number.
5. Run:
import-route bgp [ cost cost | route-policy route-policy-name | tag tag | type type ] *

The BGP route is imported.


6. Run:
area area-id

The OSPF area view is displayed.


7. Run:
network ip-address wildcard-mask

OSPF is run on the network segment where the interface bound to the VPN instance
resides.


A network segment can belong to only one area. That is, you must specify to which
area each OSPF interface belongs.

OSPF can run on an interface if the following conditions are true:

• The mask length of the IP address on the interface must be equal to or longer than
the wildcard-mask specified in the network command.
• The primary IP address of the interface must be located in the network segment
specified in the network command.

For a loopback interface, OSPF advertises the IP address of the loopback interface as
a 32-bit host route by default, which bears no relation to the mask length configured
on the interface.
8. Run:
quit

Return to the OSPF view.


9. Run:
quit

Return to the system view.


10. Run:
bgp as-number

The BGP view is displayed.


11. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP VPN instance view is displayed.


12. Run:
import-route ospf process-id [ med med | route-policy route-policy-name ]*

The OSPF route is imported into the routing table of the BGP VPN instance.

NOTE
After a VPN instance is deleted, all related OSPF processes are deleted.
• Configuring IS-IS between PE and CE
Do as follows on the PE. The CE is configured with IS-IS in the usual way, so that
configuration is not described here.
NOTE

For details, see Quidway S7700 Smart Routing Switch Configuration Guide - IP Routing.
1. Run:
system-view

The system view is displayed.


2. Run:
isis process-id vpn-instance vpn-instance-name

The IS-IS instance between the CE and the PE is created and the IS-IS view is
displayed.

An IS-IS process belongs to only one VPN instance. If you run an IS-IS process
without binding it to a VPN instance, this process is considered as a public network
process. An IS-IS process that belongs to a public network cannot be bound with a
VPN instance.
3. Run:
network-entity net

The Network Entity Title (NET) is configured.

An NET defines the address of the current IS-IS area and the system ID of the
switch. A maximum of three NETs can be configured for one process on a switch.
4. (Optional) Run:
is-level { level-1 | level-1-2 | level-2 }

The level of the switch is configured.

By default, the level of a switch is Level-1-2.


5. Run:
import-route bgp [ cost-type { external | internal } | cost cost | tag tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ] *

The BGP route is imported.


6. Run:
quit

Return to the system view.


7. Run:
interface interface-type interface-number

The view of the interface bound to the VPN instance is displayed.


8. Run:
isis enable [ process-id ]

IS-IS is enabled on the interface.


9. Run:
quit

The system view is displayed.


10. Run:
bgp as-number

The BGP view is displayed.


11. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP VPN instance view is displayed.


12. Run:
import-route isis process-id [ med med | route-policy route-policy-name ]*

The IS-IS route is imported into the routing table of the BGP VPN instance.

NOTE
After the VPN instance is deleted, all IS-IS processes are deleted.

----End


3.4.6 Checking the Configuration


After configuring the basic BGP/MPLS IP VPN function, you can view IPv4 VPN information
about the local and remote sites on the PE or the CE.

Prerequisite
The configurations of the basic BGP/MPLS IP VPN function are complete.

Procedure
• Run the display ip routing-table vpn-instance vpn-instance-name command to check
routing information about the specified VPN instance on the PE.
• Run the display ip routing-table command to check routing information on the CE.

----End

Example
Run the display ip routing-table vpn-instance vpn-instance-name command. If the VPN routes
related to the CE are displayed, it means the configuration succeeded.

Run the display ip routing-table command. If the routes to the peer CE are displayed on the
CE, it means the configuration succeeded.

3.5 Configuring Hub and Spoke


In the networking of Hub and Spoke, an access control device is specified in the VPN, and users
communicate with each other through the access control device.

3.5.1 Establishing the Configuration Task


Before configuring the networking of Hub and Spoke, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.

Applicable Environment
If all the users must access a central access control device, the Hub and
Spoke networking is adopted. In the Hub and Spoke network, all the Spoke stations communicate
through the Hub station.

Pre-configuration Task
Before configuring Hub and Spoke, complete the following tasks:

• Configuring IGP on PE devices and P devices in the MPLS backbone network
• Configuring basic MPLS capability on PE devices and P devices in the MPLS backbone
network
• Configuring the IP addresses, through which the CE devices access the PE devices, on the
CE devices


Data Preparation
Before configuring Hub and Spoke, you need the following data.

No.  Data

1    To configure a VPN instance, you need the following data:
     • Name of the VPN instance
     • (Optional) Description of the VPN instance
     • RD, VPN target attribute of the VPN instance
     • (Optional) Routing policy
     • (Optional) Maximum number of routes permitted in a VPN instance

2    IP addresses through which the CE devices access the PE devices

3    Data for route configuration (static route, RIP, OSPF, IS-IS, or EBGP) between
     Hub-PE and Hub-CE, and Spoke-PE and Spoke-CE

3.5.2 Creating a VPN Instance


This part describes how to configure a VPN instance to manage VPN routes.

Context
Configure the VPN instance on each Spoke-PE and Hub-PE.

Every Spoke-PE is configured with a VPN instance, while each Hub-PE is configured with the
following two VPN instances:

• VPN-in: It receives and maintains all the VPNv4 routes advertised by all the Spoke-PEs.
• VPN-out: It maintains the routes of all the Hub stations and Spoke stations and advertises
those routes to all the Spoke-PEs.
NOTE

• Different VPN instances on a device have different names, RDs, and descriptions.
• It is recommended to perform either Step 6 or Step 7.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip vpn-instance vpn-instance-name

The VPN instance is created and the VPN instance view is displayed.

The name of the VPN instance is case sensitive. For example, vpn1 and VPN1 are considered
as different VPN instances.


Step 3 (Optional) Run:


description description-information

The description about the VPN instance is configured.


The description can be used to record the relationship between a VPN instance and a certain
VPN.
Step 4 Run:
route-distinguisher route-distinguisher

The RD of the VPN instance is configured.


A VPN instance takes effect only after the RD is configured. Before configuring the RD, you
can configure only the description about the VPN instance.
Step 5 (Optional) Run:
apply-label per-instance

Labels are allocated based on the VPN instance. That is, all the routes in a VPN instance use the
same label.
MPLS labels are generally allocated on a one-label-per-route basis. The S7700 also supports
MPLS label allocation based on the VPN instance, in which all the routes of a VPN instance
share the same label.
Step 6 (Optional) Run:
routing-table limit number { alert-percent | simply-alert }

The maximum number of routes of the VPN instance is configured.


You can define the maximum number of routes for a VPN instance to avoid importing too many
routes.
NOTE

If the routing-table limit command is run, the system gives a prompt when the number of routes injected
into the routing table of the VPN instance exceeds the upper limit. If the routing-table limit command is
run to increase the maximum number of routes supported in a VPN instance or the undo routing-table
limit command is run to remove the limit on the routing table, the following operations are required for
the excess routes:
• For the excess static routes, you need to reconfigure them manually.
• For the excess routes learnt from CEs through the IGP multi-instance routing protocol, you need to
re-initiate the multi-instance process of the routing protocol on the PE.
• For the remote cross routes learnt through MP-IBGP and the BGP routes learnt from CEs, the
system automatically refreshes them.

Step 7 (Optional) Run:


prefix limit number { alert-percent [ route-unchanged ] | simply-alert }

The maximum number of prefixes of the VPN instance is configured.


You can define the maximum number of prefixes for a VPN instance to avoid importing too
many prefixes.
Step 8 (Optional) Run:
limit-log-interval interval

The frequency of displaying logs when the number of routes exceeds the threshold is configured.

----End


3.5.3 Configuring Route Attributes of the VPN Instance


This part describes how to configure the VPN target to control route advertisement and
acceptance.

Procedure
• Configuring Hub-PE
1. Run:
system-view

The system view is displayed.


2. Run:
ip vpn-instance vpn-instance-name1

The VPN instance view of the VPN-in is displayed.


3. Run:
vpn-target vpn-target1 &<1-8> import-extcommunity

The VPN target extended community for the VPN instance is created to import the
IPv4 routes advertised by all the Spoke-PEs.
vpn-target1 lists the Export VPN targets advertised by all the Spoke-PEs.
4. (Optional) Run:
import route-policy policy-name

The import routing policy of the VPN instance is configured.


5. (Optional) Run:
export route-policy policy-name

The export routing policy of the VPN instance is configured.


6. Run:
quit

Return to the system view.


7. Run:
ip vpn-instance vpn-instance-name2

The VPN instance view of the VPN-out is displayed.


8. Run:
vpn-target vpn-target2 &<1-8> export-extcommunity

The VPN target extended community for the VPN instance is created to advertise the
routes of all the Hubs and the Spokes.
vpn-target2 lists the Import VPN targets advertised by all the Spoke-PEs.
9. (Optional) Run:
import route-policy policy-name

The import routing policy of the VPN instance is configured.


10. (Optional) Run:
export route-policy policy-name

The export routing policy of the VPN instance is configured.


• Configuring Spoke-PE
1. Run:
system-view

The system view is displayed.


2. Run:
ip vpn-instance vpn-instance-name1

The VPN instance view of the VPN-in is displayed.


3. Run:
vpn-target vpn-target2 &<1-8> import-extcommunity

The VPN target extended community for the VPN instance is created to import the
IPv4 routes advertised by all the Hub-PEs.

vpn-target2 should be included in the export VPN target list of the Hub-PE.
4. Run:
vpn-target vpn-target1 &<1-8> export-extcommunity

The VPN target extended community for the VPN instance is created to advertise the
IPv4 routes of stations the Spoke-PE accesses.

vpn-target1 should be included in the import VPN target list of the Hub-PE.
5. (Optional) Run:
import route-policy policy-name

The import routing policy of the VPN instance is configured.


6. (Optional) Run:
export route-policy policy-name

The export routing policy of the VPN instance is configured.

----End
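
The VPN-target relationships configured in this section can be checked offline before they are deployed. The following Python audit is an added example, not part of the Huawei guide: it models each VPN instance by its import and export VPN targets and reports designs in which a Spoke would accept another Spoke's routes directly, or in which a Spoke is not connected to the VPN-in or VPN-out. The PE names, instance names and VPN-target values (100:1, 200:1, 100:2) are constructed sample data, and the script assumes that an exported VPNv4 route can reach every PE, so that separation between Spokes depends only on the VPN targets.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnInstance:
    """One 'ip vpn-instance' with its vpn-target lists (constructed model)."""
    pe: str
    name: str
    role: str                             # "hub-in", "hub-out" or "spoke"
    import_rts: frozenset = frozenset()   # vpn-target ... import-extcommunity
    export_rts: frozenset = frozenset()   # vpn-target ... export-extcommunity


def imports_from(importer, exporter):
    """True if a route exported by `exporter` carries a VPN target that
    `importer` imports."""
    return importer is not exporter and bool(importer.import_rts & exporter.export_rts)


def audit(instances):
    """Return a list of (finding, pe, detail) tuples. An empty list means the
    VPN targets implement Hub and Spoke as section 3.5.3 describes."""
    spokes = [i for i in instances if i.role == "spoke"]
    vpn_in = [i for i in instances if i.role == "hub-in"]
    vpn_out = [i for i in instances if i.role == "hub-out"]
    findings = []
    for spoke in spokes:
        # A Spoke must not import another Spoke's export VPN target: that
        # would let Spoke-to-Spoke traffic bypass the Hub station.
        for other in spokes:
            if imports_from(spoke, other):
                findings.append(("spoke-imports-spoke", spoke.pe, other.pe))
        # vpn-target1: the Spoke's export target must be imported by the VPN-in.
        if not any(imports_from(hub, spoke) for hub in vpn_in):
            findings.append(("spoke-export-not-imported-by-vpn-in", spoke.pe, spoke.name))
        # vpn-target2: the Spoke must import a target that the VPN-out exports.
        if not any(imports_from(spoke, hub) for hub in vpn_out):
            findings.append(("spoke-does-not-import-vpn-out", spoke.pe, spoke.name))
    return findings


def rts(*values):
    """Build a VPN-target set from strings such as '100:1'."""
    return frozenset(values)


# Constructed sample designs. vpn-target1 = 100:1, vpn-target2 = 200:1.
HUB = [
    VpnInstance("Hub-PE", "vpn_in", "hub-in", import_rts=rts("100:1")),
    VpnInstance("Hub-PE", "vpn_out", "hub-out", export_rts=rts("200:1")),
]
GOOD = HUB + [
    VpnInstance("Spoke-PE1", "vpna", "spoke", rts("200:1"), rts("100:1")),
    VpnInstance("Spoke-PE2", "vpna", "spoke", rts("200:1"), rts("100:1")),
]
BAD = HUB + [
    VpnInstance("Spoke-PE1", "vpna", "spoke", rts("200:1"), rts("100:1")),
    # Also imports 100:1, so it accepts Spoke-PE1's routes directly.
    VpnInstance("Spoke-PE2", "vpna", "spoke", rts("200:1", "100:1"), rts("100:1")),
    # Exports 100:2, which the VPN-in does not import: the Hub never sees it.
    VpnInstance("Spoke-PE3", "vpna", "spoke", rts("200:1"), rts("100:2")),
]

if __name__ == "__main__":
    for label, design in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit(design) or "no findings")
```
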

3.5.4 Binding an Interface with the VPN Instance


After associating an interface with a VPN instance, you can change the interface to a VPN
interface. As a result, packets that pass through the interface are forwarded according to the
forwarding information of the VPN instance, and such Layer 3 attributes as IP address and
routing protocol that are configured for the interface are deleted. These Layer 3 attributes need
to be re-configured if required.

Context
The configuration on the Hub-PE involves two interfaces or sub-interfaces: one is bound with
the VPN-in and receives the routes advertised by the Spoke-PE; the other is bound with the
VPN-out and advertises the routes of the Hub and all the Spokes.

Do as follows on the Hub-PE and all the Spoke-PEs.

Procedure
Step 1 Run:
system-view


The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The view of the interface that is to be bound with the VPN instance is displayed.

Step 3 Run:
ip binding vpn-instance vpn-instance-name

The interface is bound with the VPN instance.

NOTE

Running the ip binding vpn-instance command on an interface can delete the Layer 3 attributes,
such as the IP address and routing protocol. If these Layer 3 attributes are still required, you need to
configure them again.

Step 4 Run:
ip address ip-address { mask | mask-length }

The IP address is configured.

----End

3.5.5 Configuring MP-IBGP Between Hub-PE and Spoke-PE


By importing extended community attributes to BGP, MP-IBGP can advertise VPNv4 routes
between PEs.

Context
The Hub-PE must set up the MP-IBGP peer with all the Spoke-PEs. Spoke-PEs need not set up
the MP-IBGP peer between each other.

Do as follows on the Hub-PE and the Spoke-PE.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bgp as-number

The BGP view is displayed.

Step 3 Run:
peer ipv4-address as-number as-number

The remote PE is specified as the peer.

Step 4 Run:
peer ipv4-address connect-interface loopback interface-number

The interface to set up the TCP connection is specified.


NOTE

The 32-bit mask IP addresses of the loopback interfaces must be used to establish the MP-IBGP peer
relationship between PEs. This can ensure the tunnel can be iterated. The route destined to the loopback
interface is advertised to the remote PE based on IGP on the MPLS backbone network.

Step 5 Run:
ipv4-family vpnv4 [ unicast ]

The BGP VPNv4 address family view is displayed.

Step 6 Run:
peer ipv4-address enable

The VPN IPv4 routing information is exchanged between the peers.

----End

3.5.6 Configuring Route Exchange Between PE and CE


The routing protocol between a PE and a CE can be BGP, static route, or IGP. You can choose
any of them as required in the configuration process.

Context
The Hub-PE and the Hub-CE can exchange routes in the following ways.

Procedure
• Configuring EBGP between the Hub-PE and the Hub-CE

In this way, EBGP, IGP, or static routes can be adopted between the Spoke-PE and the
Spoke-CE.

To set up the EBGP peer between the Hub-PE and the Hub-CE and between the Spoke-PE
and the Spoke-CE, do as follows on the Hub-PE:

1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP VPN instance view is displayed.


4. Run:
peer ip-address allow-as-loop [ number ]

Allow the routing loop. Here the value of number is set as 1, which means the route
with the AS repeated once can be sent.
• Configuring IGP between the Hub-PE and the Hub-CE


In this way, instead of BGP, IGP or static routes are adopted between the Spoke-PE and
the Spoke-CE. For details, refer to the chapter "BGP/MPLS IP VPN" in the Quidway
S7700 Smart Routing Switch Feature Description - VPN.
• Configuring static routes between the Hub-PE and the Hub-CE
In this way, EBGP, IGP, or static routes can be adopted between the Spoke-PE and the
Spoke-CE.
If the Hub-CE uses the default route to access the Hub-PE, to advertise the default route to
all the Spoke-PEs, do as follows on the Hub-PE:
1. Run:
system-view

The system view is displayed.


2. Run:
ip route-static vpn-instance vpn-source-name 0.0.0.0 0.0.0.0 nexthop-address [ preference preference | tag tag ]* [ description text ]

Here, vpn-source-name refers to the VPN-out. nexthop-address is the IP address of
the Hub-CE interface that is connected with the PE interface bound with the VPN-out.
3. Run:
bgp as-number

The BGP view is displayed.


4. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP VPN instance view is displayed. vpn-instance-name refers to the VPN-out.
5. Run:
network 0.0.0.0 0

Advertise the default route to all the Spoke-PEs through MP-BGP.


----End

Follow-up Procedure
Choose one of the preceding methods as required. For detailed configurations, see Configuring
a Routing Protocol Between PE and CE.

3.5.7 Checking the Configuration


After the networking of Hub and Spoke is configured, you can view VPN routing information
on the PE or CE.

Prerequisite
The configurations of the Hub and Spoke function are complete.

Procedure
• Run the display ip routing-table vpn-instance vpn-instance-name command to check
routing information about the VPN-in and VPN-out on the Hub-PE.


• Run the display ip routing-table command to check routing information on the Hub-CE
and all the Spoke-CEs.

----End

Example
Run the preceding commands. If the routing table of the VPN-in has routes to all the Spoke
stations, and the routing table of the VPN-out has routes to the Hub and all the Spoke stations,
it means the configuration succeeds.

Additionally, Hub-CE and all the Spoke-CEs have routes to the Hub and all the Spoke stations.

3.6 Configuring Inter-AS VPN Option A


In inter-AS VPN Option A, an ASBR takes the peer ASBR as its CE and advertises VPNv4 routes
to the peer ASBR through EBGP.

3.6.1 Establishing the Configuration Task


Before configuring inter-AS VPN Option A, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.

Applicable Environment
If the MPLS backbone network bearing the VPN routes is across multiple ASs, you must
configure the Inter-AS VPNs.

The Inter-AS VPN Option A is convenient to implement and is suitable when the number of
VPNs and VPN routes on the PE is small.

In VPN-Option A, the Autonomous System Boundary Routers (ASBRs) must support the VPN
instances and can manage VPN routes. Option A, therefore, requires high performance of the
ASBRs. No inter-AS configuration is needed on the ASBRs.

Pre-configuration Tasks
Before configuring inter-AS VPN Option A, complete the following tasks:

• Configuring IGP for MPLS backbone networks in each AS to keep IP connectivity of the
backbones in one AS
• Enabling MPLS and MPLS LDP on the PE and the ASBR
• Setting up the tunnel (LSP or MPLS TE) between the PE and the ASBR in the same AS
• Configuring the IP address of the CE interface through which the CE accesses the PE

Data Preparation
To configure inter-AS VPN Option A, you need the following data:


No.  Data

1    To configure the VPN instance on the PE and the ASBR, you need the following
     data:
     • Name of the VPN instance
     • (Optional) Description of the VPN instance
     • RD, VPN target attribute of the VPN instance
     • (Optional) Routing policy
     • (Optional) Tunnel policy
     • (Optional) Maximum number of routes permitted in a VPN instance

2    IP address of the PE interface connected with the PE

3    AS number of the PE

4    IP addresses of the interfaces connecting the ASBRs

5    Routing protocol configured between the PE and the CE: static routes, RIP, OSPF,
     IS-IS and BGP

6    IP addresses and interfaces setting up the IBGP peer between the PE and the ASBR

3.6.2 Configuring Inter-AS VPN Option A


The VPN instance configured on a PE is used to access a CE, and the VPN instance configured
on an ASBR is used to access the peer ASBR.

Context
Inter-AS VPN Option A is easy to deploy. This solution can be adopted when the number of
VPNs and VPN routes on the PE is small.

The configurations of the inter-AS VPN Option A are as follows:

Procedure
Step 1 3.4 Configuring Basic BGP/MPLS IP VPN on each AS

Step 2 Configuring ASBR by considering the peer ASBR as its CE

Step 3 Configuring VPN instances for the PE and the ASBR separately

The VPN instance for PE is used to access CE; that for ASBR is used to access its peer ASBR.

NOTE
In inter-AS VPN Option A mode, for the same VPN, the VPN targets of ASBR and the PE VPN instance
must be matched in an AS. This is not required for the PEs in different ASs.

----End


3.6.3 Checking the Configuration


After configuring inter-AS VPN Option A, you can view information about all BGP peer
relationships and IPv4 VPN routes on PEs or ASBRs.

Prerequisite
The configurations of the Inter-AS VPN Option A function are complete.

Procedure
• Run the display bgp vpnv4 all peer command to check information about the BGP peers
on the PE or the ASBR.
• Run the display bgp vpnv4 all routing-table command to check the IPv4 VPN routes on
the PE or the ASBR.
• Run the display ip routing-table vpn-instance vpn-instance-name command to check the
VPN routing table on the PE or the ASBR.
----End

Example
After the successful configuration, run the display bgp vpnv4 all peer command on the PE or
the ASBR, and you can view that the BGP VPNv4 peer relationship between the ASBR and the
PE in the same AS is "Established".
Run the display bgp vpnv4 all routing-table command on the PE or the ASBR, and you can
view the VPNv4 routes on the ASBR.
Run the display ip routing-table vpn-instance command on the PE or the ASBR, and you can
view all the relevant routes in the VPN routing table.

3.7 Configuring Inter-AS VPN Option B


In inter-AS VPN Option B, through MP-EBGP, two ASBRs receive VPNv4 routes from PEs in
their respective ASs and then exchange the VPNv4 routes with each other.

3.7.1 Establishing the Configuration Task


Before configuring inter-AS VPN Option B, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.

Applicable Environment
If the MPLS backbone network bearing VPN routes crosses multiple ASs, the inter-AS VPN is
needed. If the ASBR can manage VPN routes but does not have enough interfaces for each
inter-AS VPN, the inter-AS VPN Option B is adopted. In this option, the ASBR is involved in
maintaining and advertising VPN IPv4 routes.

Pre-configuration Tasks
Before configuring inter-AS VPN Option B, complete the following tasks:


• Configuring IGP for MPLS backbone networks in each AS to realize IP connectivity of the
backbones in one AS
• Configuring basic MPLS capability and MPLS LDP for the MPLS backbone network
• Configuring VPN Instances on the PE devices connected with the CE devices and
Binding an Interface with a VPN Instance
• Configuring the IP addresses of the CE interfaces through which the CE accesses the PE

Data Preparation
To configure inter-AS VPN Option B, you need the following data.

No.  Data

1    To configure the VPN instance on the PE, you need the following data:
     • Name of the VPN instance
     • (Optional) Description of the VPN instance
     • RD, VPN target attribute of the VPN instance
     • (Optional) Routing policy for controlling the import and export of VPN routes
     • (Optional) Maximum number of routes permitted in a VPN instance

2    IP address of the PE interface connected with the PE

3    AS number of the PE

4    IP addresses of the interfaces connecting the ASBRs

5    Routing policy configured between the PE and the CE: static routes, RIP, OSPF,
     IS-IS and BGP

6    IP addresses and interfaces setting up the IBGP peer between the PE and the ASBR

3.7.2 Configuring MP-IBGP Between PEs and ASBRs in the Same AS

By importing extended community attributes to BGP, MP-IBGP can advertise VPNv4 routes
between the PE and the ASBR.

Context
Do as follows on the PE and the ASBR in the same AS.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number


The BGP view is displayed.


Step 3 Run:
peer ipv4-address as-number as-number

The peer ASBR is specified as the IBGP peer.


Step 4 Run:
peer ipv4-address connect-interface loopback interface-number

The loopback interface is specified as the outgoing interface of the BGP session.

NOTE

The 32-bit mask IP addresses of the loopback interfaces must be used to establish the MP-IBGP peer
relationship between PEs. This can ensure the tunnel can be iterated. The route destined to the loopback
interface is advertised to the remote PE based on IGP on the MPLS backbone network.

Step 5 Run:
ipv4-family vpnv4 [ unicast ]

The BGP-VPNv4 address family is displayed.


Step 6 Run:
peer ipv4-address enable

The exchange of IPv4 VPN routes between PE and ASBR in the same AS is enabled.

----End

3.7.3 Configuring MP-EBGP Between ASBRs in Different ASs


After the MP-EBGP peer relationship is established between ASBRs, either ASBR can advertise
the VPNv4 routes of its AS to the other ASBR.

Context
Do as follows on the ASBR.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the interface connected with the ASBR interface is displayed.
Step 3 Run:
ip address ip-address { mask | mask-length }

The IP address of the interface is configured.


Step 4 Run:
mpls

The MPLS capability is enabled.


Step 5 Run:
quit

Return to the system view.


Step 6 Run:
bgp as-number

The BGP view is displayed.


Step 7 Run:
peer ipv4-address as-number as-number

The peer ASBR is specified as the EBGP peer.


Step 8 (Optional) Run:
peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]

The maximum number of hops is configured for the EBGP connection.


Generally, one or multiple directly-connected physical links exist between EBGP peers. If the
directly-connected physical link(s) are not available, you must run the peer ebgp-max-hop
command to ensure that the TCP connection can be set up between the EBGP peers through
multiple hops.
Step 9 Run:
ipv4-family vpnv4 [ unicast ]

The BGP-VPNv4 address family is displayed.


Step 10 Run:
peer ipv4-address enable

The exchange of IPv4 VPN routes with the peer ASBR is enabled.

----End

3.7.4 Controlling the Receiving and Sending of VPN Routes by Using Routing Policies

An ASBR can either save all VPNv4 routes or partial VPNv4 routes (by filtering VPN targets
through a routing policy).

Context
The following describes two methods for controlling the receiving and sending of VPN routes:
• Without VPN Target Filtering
In this way, the ASBR stores all the VPN IPv4 routes.
• VPN Target Filtering
In this way, the ASBR stores partial VPN IPv4 routes through routing policies.
In practical applications, only one of the preceding methods is selected.

Procedure
• Without VPN Target Filtering


Do as follows on the ASBR.

1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
ipv4-family vpnv4 [ unicast ]

The BGP-VPNv4 address family is displayed.


4. Run:
undo policy vpn-target

The VPN IPv4 routes are not filtered by the VPN target.

By default, the PE performs VPN target filtering on the received IPv4 VPN routes.
The routes that pass the filter are added to the routing table, and the others are discarded.
If the PE is not configured with a VPN instance, or the VPN instance is not configured
with a VPN target, the PE discards all the received VPN IPv4 routes.

In the Inter-AS VPN Option B mode, if the ASBR does not store information about
the VPN instance, the ASBR must save all the VPNv4 routing information and
advertise it to the peer ASBR. In this case, the ASBR should receive all the VPNv4
routing information without VPN target filtering.
• VPN Target Filtering

Do as follows on the ASBR.

1. Run:
system-view

The system view is displayed.


2. Run:
ip extcommunity-filter extcomm-filter-number { permit | deny } { rt { as-number:nn | ipv4-address:nn } } &<1-16>

The extended community filter is configured.


3. Run:
route-policy route-policy-name permit node node

The routing policy is configured.


4. Run:
if-match extcommunity-filter extcomm-filter-number &<1-16>

A matching rule based on the extended community filter is configured.


5. Run:
quit

Return to the system view.


6. Run:
bgp as-number

The BGP view is displayed.


7. Run:
ipv4-family vpnv4 [ unicast ]

The BGP-VPNv4 address family is displayed.


8. Run:
peer ipv4-address route-policy route-policy-name { export | import }

The routing policy is applied to control the VPN IPv4 routing information.
----End
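
The two methods above differ in which VPNv4 routes the ASBR keeps and can pass on to the peer AS, which is worth checking before the ASBR goes into service. The following Python model is an added example, not Huawei code: it evaluates constructed routes against each method, assuming one RT per filter entry, first-match evaluation, and that a route matching no entry or node is denied; how a device combines the default VPN target check with a peer routing policy is not modeled.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str          # route distinguisher
    prefix: str
    rts: frozenset   # route targets carried as extended communities


@dataclass
class ExtcommunityFilter:
    """Entries of one 'ip extcommunity-filter' (one RT per entry in this model)."""
    entries: list = field(default_factory=list)

    def add(self, action, rt):
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        self.entries.append((action, rt))
        return self

    def permits(self, route):
        # The first entry whose RT the route carries decides.
        # Assumption: a route matching no entry is denied.
        for action, rt in self.entries:
            if rt in route.rts:
                return action == "permit"
        return False


@dataclass
class RoutePolicy:
    """Nodes of one route-policy, each with one 'if-match extcommunity-filter'."""
    nodes: dict = field(default_factory=dict)   # node number -> (action, filter)

    def add_node(self, number, action, ext_filter):
        self.nodes[number] = (action, ext_filter)
        return self

    def permits(self, route):
        # Assumption: nodes are tried in ascending order, and a route that
        # matches no node is denied.
        for number in sorted(self.nodes):
            action, ext_filter = self.nodes[number]
            if ext_filter.permits(route):
                return action == "permit"
        return False


def asbr_stores(routes, method, import_rts=frozenset(), policy=None):
    """Return the prefixes the ASBR keeps under the given method."""
    if method == "policy vpn-target":
        # Default: keep a route only if it carries an RT that a local VPN
        # instance imports. With no VPN instance, nothing is kept.
        kept = [r for r in routes if r.rts & frozenset(import_rts)]
    elif method == "undo policy vpn-target":
        # "Without VPN Target Filtering": every VPNv4 route is kept.
        kept = list(routes)
    elif method == "route-policy":
        # "VPN Target Filtering": the peer routing policy decides.
        if policy is None:
            raise ValueError("a RoutePolicy is required for this method")
        kept = [r for r in routes if policy.permits(r)]
    else:
        raise ValueError(f"unknown method {method!r}")
    return [r.prefix for r in kept]


# Constructed sample routes: two customer VPNs and one route that carries
# both a customer RT and an RT that must stay inside the local AS.
ROUTES = [
    Vpnv4Route("100:1", "10.1.0.0/16", frozenset({"100:1"})),
    Vpnv4Route("100:2", "10.2.0.0/16", frozenset({"100:2"})),
    Vpnv4Route("100:99", "10.99.0.0/24", frozenset({"100:1", "100:99"})),
]


def build_policy():
    """Deny RT 100:99 first, then permit RT 100:1; everything else is denied."""
    ext_filter = ExtcommunityFilter().add("deny", "100:99").add("permit", "100:1")
    return RoutePolicy().add_node(10, "permit", ext_filter)


if __name__ == "__main__":
    for method in ("policy vpn-target", "undo policy vpn-target", "route-policy"):
        print(method, "->", asbr_stores(ROUTES, method, policy=build_policy()))
```

Comparing the output of the last two methods shows which prefixes would reach the peer ASBR only because filtering was turned off.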

3.7.5 (Optional) Storing Information About the VPN Instance on the ASBR

If VPNv4 routes need to be sent and received on an ASBR, you can configure the relevant VPN
instance on the ASBR.

Context
If the VPN receives and sends the VPNv4 routing information through the ASBR, configure the
corresponding instance on the ASBR. Otherwise, the instance is not needed.
Do as follows on the ASBR.

NOTE

It is recommended to perform either Step 5 or Step 6.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip vpn-instance vpn-instance-name

A VPN instance is created and the VPN instance view is displayed.


Step 3 Run:
route-distinguisher route-distinguisher

The RD of the VPN instance is configured.


Step 4 Run:
vpn-target vpn-target &<1-8> import-extcommunity

The VPN target extended community for the VPN instance is created.
For the same VPN in the inter-AS VPN Option B mode, the VPN targets of the ASBR and the
PE in an AS should match each other.
The VPN targets of the PEs in different ASs must also match each other.
Step 5 (Optional) Run:
apply-label per-instance

The MPLS label is allocated based on the VPN instance, which ensures that all the routes in a
VPN instance use the same MPLS label.

Step 6 (Optional) Run:
routing-table limit number { alert-percent | simply-alert }

The maximum number of routes of the VPN instance is configured.

Step 7 (Optional) Run:
prefix limit number { alert-percent [ route-unchanged ] | simply-alert }

The maximum number of prefixes of the VPN instance is configured.

Step 8 (Optional) Run:
limit-log-interval interval

The frequency of displaying logs when the number of routes exceeds the threshold is configured.

Step 9 (Optional) Run:
import route-policy policy-name

The import routing policy of the VPN instance is configured.

Step 10 (Optional) Run:
export route-policy policy-name

The export routing policy of the VPN instance is configured.

----End

3.7.6 (Optional) Enabling Next-Hop-based Label Allocation on the ASBR

To save label resources on an ASBR, you can enable next-hop-based label allocation on the
ASBR. Note that next-hop-based label allocation and one label per instance need to be used
together on the ASBR.

Context
In a VPN Option B scenario, after next-hop-based label allocation is enabled on the ASBR, the
ASBR allocates only one label for the IPv4 VPN routes with the same next hop and outgoing
label. Compared with allocating a label for each IPv4 VPN route, next-hop-based label allocation
greatly saves the label resources.

Do as follows on the ASBR:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bgp as-number

The BGP view is displayed.

Step 3 Run:
ipv4-family vpnv4

The BGP VPNv4 view is displayed.


Step 4 Run:
apply-label per-nexthop

The next-hop-based label allocation for IPv4 VPN routes is enabled on the ASBR.

CAUTION
After next-hop-based label allocation is enabled or disabled, the label allocated by the ASBR
for a route changes, which leads to packet loss.

----End

3.7.7 Configuring the Routing Protocol Between CE and PE


The routing protocol between a PE and a CE can be BGP, static route, or IGP. You can choose
any of them as required in the configuration process.

Context
Choose one of the preceding methods as required. For detailed configurations, see 3.4.5
Configuring a Routing Protocol Between a PE and a CE.

3.7.8 Checking the Configuration


After configuring inter-AS VPN Option B, you can view information about all BGP peer
relationships and VPNv4 routes on PEs or ASBRs.

Prerequisite
The configurations of the Inter-AS VPN Option B function are complete.

Procedure
• Run the display bgp vpnv4 all peer command to check information about all the BGP
  peers on the PE or the ASBR.
• Run the display bgp vpnv4 all routing-table command to check the VPN IPv4 routing
  table on the PE or the ASBR.
• Run the display ip routing-table vpn-instance vpn-instance-name command to check the
  VPN routing table on the PE.
• Run the display mpls lsp command to check information about the LSP and label on the
  ASBR.
----End

Example
Run the display bgp vpnv4 all routing-table command on the ASBR. If the IPv4 routes of the
VPN are displayed, it means that the configuration succeeds.

Run the display bgp vpnv4 all peer command on the PE or the ASBR. If the status of the IBGP
peer between the PE and the ASBR in the same AS is "Established", and the status of the EBGP peer
between the ASBRs in different ASs is "Established", it means that the configuration succeeds.
Run the display ip routing-table vpn-instance command on the PE. If the VPN routes are
displayed, it means that the configuration succeeds.
Run the display mpls lsp command on the ASBR. If information about the LSP and label is
displayed, it means that the configuration succeeds. If the ASBR is enabled with the next-hop-
based label allocation, only one label is allocated for the VPN routes with the same next hop
and outgoing label.

3.8 Configuring HoVPN


HoVPN indicates a hierarchical VPN, in which multiple PEs play different roles and form a
hierarchical structure. In this manner, these PEs function as one PE, and the performance
requirements for PEs are lowered.

3.8.1 Establishing the Configuration Task


Before configuring HoVPN, familiarize yourself with the applicable environment, complete the
pre-configuration tasks, and obtain the required data. This can help you complete the
configuration task quickly and accurately.

Applicable Environment
For hierarchical VPN networks, adopt the HoVPN to reduce the requirements for PE devices.

Pre-configuration Tasks
Before configuring HoVPN, complete the task of Configuring Basic BGP/MPLS IP VPN.

Data Preparation
To configure HoVPN, you need the following data.

No.   Data
1     Relationship between UPE and SPE
2     Name of the VPN instance sending default routes to UPE

3.8.2 Specifying UPE


Before configuring a UPE, you must establish the VPNv4 peer relationship between the UPE
and SPE.

Context
Do as follows on the SPE.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
peer { ipv4-address | group-name } as-number as-number

The UPE is specified as the BGP peer of the SPE.


Step 4 Run:
ipv4-family vpnv4 [ unicast ]

The BGP VPNv4 sub-address family is displayed.


Step 5 Run:
peer { ipv4-address | group-name } enable

The capability of exchanging BGP VPNv4 routing information with the peer is enabled.
Step 6 Run:
peer { ipv4-address | group-name } upe

The peer is specified as the UPE of the SPE.

----End

3.8.3 Advertising Default Routes of a VPN Instance


The SPE advertises to the UPE a default route whose next hop address is the local address. In
this manner, the SPE directs VPN packet forwarding on the UPE.

Context
Do as follows on the SPE.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family vpnv4

The BGP-VPNv4 sub-address family view is displayed.

Step 4 Run:
peer { ipv4-address | group-name } default-originate vpn-instance vpn-instance-name

The default routes of a specified VPN instance are advertised to the UPE.

After running the command, the SPE advertises a default route to the UPE with its local address
as the next hop, regardless of whether there is a default route in the local routing table or not.

----End

3.8.4 Checking the Configuration


After configuring HoVPN, you can find that the local CE has no route that is destined for the
network segment of the interface on the remote CE, but has a default route with the next hop as the
UPE.

Prerequisite
The configurations of the HoVPN function are complete.

Procedure
• Run the display ip routing-table command to check the routing table on the CE.

----End

Example
Run the display ip routing-table command on the CE connected with the UPE. You can find that
there is a default route whose next hop is the UPE, and that there is no route to the network
segment where the peer CE resides.

3.9 Configuring OSPF Sham Link


This section describes how to configure the routes that traverse the MPLS VPN backbone
network to be the routes of the OSPF area. After the configuration, traffic between sites of the
same VPN in the same OSPF area need not be forwarded through routes of the OSPF area.

3.9.1 Establishing the Configuration Task


Before configuring an OSPF sham link, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This can help you complete
the configuration task quickly and accurately.

Applicable Environment
After a sham link is configured between VPN PEs, the sham link is considered as an OSPF intra-
area route. It is used to ensure that the traffic is transmitted over the backbone instead of the
backdoor link between the two CEs.

The source and destination addresses of the sham link should use loopback interface addresses
with 32-bit masks. In addition, the loopback interface must be bound to the VPN instance and be
advertised through BGP.

Pre-configuration Tasks
Before configuring the OSPF sham link, you need to complete the following tasks:

• 3.4 Configuring Basic BGP/MPLS IP VPN (OSPF between the PE and the CE)
• Configuring OSPF in the LAN where the CEs reside

Data Preparation
To configure the OSPF sham link, you need the following data.

No.   Data
1     Number and address of the loopback interfaces that serve as the ends of sham link
2     Name of the VPN instance
3     Process number of OSPF instance on PE for CEs
4     Local AS number
5     Metric used in sham link and other link parameters

3.9.2 Configuring the Loopback Address of the Sham Link


The end address of a sham link is the IP address (with the 32-bit mask) of a loopback interface.
The loopback interface must be bound to the VPN instance. The end addresses of sham links of
the same OSPF process can be the same. The end addresses of sham links of different OSPF
processes must be different.

Context
Do as follows on the PEs of the two ends of the sham link:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface loopback interface-number

A loopback interface is created and the loopback interface view is displayed.

A sham link of each VPN instance must have an end interface address that is an address of the
loopback interface. The address has a 32-bit mask. Multiple sham links of an OSPF process can
share the same address. The end addresses of two sham links of different OSPF processes must
be different.

Step 3 Run:
ip binding vpn-instance vpn-instance-name

The loopback interface is bound to the VPN instance.

Step 4 Run:
ip address ip-address { mask | mask-length }

The address of the loopback interface is configured.

NOTE

The IP address of the loopback interface should have a 32-bit mask, that is, 255.255.255.255.

----End

3.9.3 Advertising Routes of End Address of the Sham Link


The route destined for the end address of the sham link cannot be advertised to the remote PE
through the OSPF process of the VPN. The end address of the sham link is advertised to the
remote PE by BGP as a VPNv4 address.

Context
Do as follows on the PEs of the two ends of the sham link.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bgp as-number

The BGP view is displayed.

Step 3 Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance view is displayed.

Step 4 Run:
import-route direct

The direct route is imported. That is, the route of the end address is imported into BGP.

BGP advertises the end address of the sham link as the VPN-IPv4 address.

NOTE

The route of one end address of the sham link cannot be advertised to the remote PE through the OSPF
process of the private network.
If the routes are nevertheless advertised to the remote PE through the OSPF process of the private network,
the remote PE has two routes destined for the end address of the sham link. One route is learnt through the
OSPF process of the private network, and the other route is learnt through MP-BGP. In this case, the remote
PE incorrectly selects the OSPF route, because the OSPF route has a higher priority than the BGP route.
As a result, the sham link cannot be successfully established.

----End

3.9.4 Creating a Sham Link


Creating a sham link establishes a virtual link that connects the two end addresses of the sham
link.

Context
Do as follows on the PEs of the two ends of the sham link.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ospf process-id [ router-id router-id ] vpn-instance vpn-instance-name

The OSPF view is displayed.


Step 3 Run:
area area-id

The OSPF area view is displayed.


Step 4 Run:
sham-link source-ip-address destination-ip-address [ cost cost | hello hello-interval | retransmit retransmit-interval | trans-delay trans-delay-interval | dead dead-interval | { [ simple [ [ plain ] plain-text | cipher cipher-text ] | { md5 | hmac-md5 } [ key-id { plain plain-text | [ cipher ] cipher-text } ] | authentication-null } | smart-discover ] *

The sham link is configured.


By default:
• The interface cost of the sham link, namely, cost, is 1.
• The invalid interval of the sham link, namely, dead-interval, is 40 seconds.
• The interval for sending Hello packets, namely, hello-interval, is 10 seconds.
• The interval for retransmitting LSA packets, namely, retransmit-interval, is 5 seconds.
• The delay for sending LSA packets, namely, trans-delay-interval, is 1 second.
The authentication mode on the two ends of the sham link must be the same.
If the packet authentication is supported, only the OSPF packets that pass the authentication can
be received. If the authentication fails, the neighbor relationship cannot be set up.
If plain text authentication (simple) is used, the authenticator type is plain by default. If the MD5
algorithm or HMAC-MD5 algorithm (md5 | hmac-md5) is used, the authenticator type
is cipher by default.

NOTE
To forward the VPN traffic through the MPLS backbone network, configure the cost of the sham link to be less
than that of the OSPF route through the private network. The common method is to increase the cost of the
forwarding interface of the private network.

----End
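
The authentication rules above can be checked offline against saved PE configurations. The following Python check is an added example, not part of the Huawei guide: it parses sham-link lines written in the syntax of Step 4 and reports links with no authentication, simple authentication, keys held in plain form, or modes that differ between the two ends. The PE names, addresses, keys and finding labels are constructed for the example.

```python
from dataclasses import dataclass

VALUE_OPTIONS = {"cost", "hello", "retransmit", "trans-delay", "dead"}
AUTH_WORDS = {"simple", "md5", "hmac-md5", "authentication-null"}
OPTION_WORDS = VALUE_OPTIONS | AUTH_WORDS | {"smart-discover"}


@dataclass(frozen=True)
class ShamLink:
    src: str
    dst: str
    mode: str       # "none", "authentication-null", "simple", "md5" or "hmac-md5"
    key_form: str   # "plain", "cipher", or "" when no key is configured


def _read_key(tokens, i, default_form):
    """Consume '[plain|cipher] <text>' at tokens[i]; return (key_form, next index)."""
    if i < len(tokens) and tokens[i] in ("plain", "cipher"):
        return tokens[i], i + 2
    if i < len(tokens) and tokens[i] not in OPTION_WORDS:
        return default_form, i + 1   # bare key text takes the default form
    return "", i


def parse_sham_link(line):
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "sham-link":
        raise ValueError(f"not a sham-link line: {line!r}")
    src, dst = tokens[1], tokens[2]
    mode, key_form, i = "none", "", 3
    while i < len(tokens):
        word = tokens[i]
        if word in VALUE_OPTIONS:
            i += 2                               # keyword plus its value
        elif word == "smart-discover":
            i += 1
        elif word == "authentication-null":
            mode, i = word, i + 1
        elif word == "simple":
            mode = word
            key_form, i = _read_key(tokens, i + 1, "plain")
        elif word in ("md5", "hmac-md5"):
            mode, i = word, i + 1
            if i < len(tokens) and tokens[i].isdigit():
                i += 1                           # key-id
            key_form, i = _read_key(tokens, i, "cipher")
        else:
            raise ValueError(f"unexpected token {word!r}")
    return ShamLink(src, dst, mode, key_form)


def audit(configs):
    """configs maps a PE name to its configuration text; returns sorted findings."""
    links, findings = [], set()
    for pe, text in configs.items():
        for raw in text.splitlines():
            line = raw.strip()
            if not line.startswith("sham-link "):
                continue
            link = parse_sham_link(line)
            links.append((pe, link))
            where = f"{pe} {link.src}->{link.dst}"
            if link.mode in ("none", "authentication-null"):
                findings.add((where, "no-authentication"))
            elif link.mode == "simple":
                # The password travels unencrypted in each OSPF packet
                # (RFC 2328, AuType 1).
                findings.add((where, "simple-password"))
            if link.key_form == "plain":
                findings.add((where, "key-stored-as-plain-text"))
    # The two ends of a sham link must use the same authentication mode.
    for pe_a, a in links:
        for pe_b, b in links:
            if pe_a < pe_b and (a.src, a.dst) == (b.dst, b.src) and a.mode != b.mode:
                findings.add((f"{pe_a}/{pe_b} {a.src}<->{a.dst}", "auth-mode-mismatch"))
    return sorted(findings)


# Constructed sample configurations (not taken from any real device).
SAMPLE = {
    "PE1": """ospf 100 vpn-instance vpn1
 area 0.0.0.0
  sham-link 192.0.2.1 192.0.2.2 cost 10 hmac-md5 1 cipher CONSTRUCTED-CIPHERTEXT
  sham-link 192.0.2.1 192.0.2.3 simple plain ExampleKey
  sham-link 192.0.2.1 192.0.2.4 cost 5 smart-discover
""",
    "PE2": """ospf 100 vpn-instance vpn1
 area 0.0.0.0
  sham-link 192.0.2.2 192.0.2.1 cost 10 simple cipher CONSTRUCTED-CIPHERTEXT
""",
}

if __name__ == "__main__":
    for where, finding in audit(SAMPLE):
        print(f"{finding:26} {where}")
```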

3.9.5 Checking the Configuration


After configuring an OSPF sham link, you can view information about the routing table on the
CE, the nodes through which packets are sent, and established and non-established sham links.

Prerequisite
The configurations of the OSPF sham link function are complete.

Procedure
• Run the display ip routing-table vpn-instance vpn-instance-name command to check the
  routing table of the specified VPN instance on the PE.
• Run the display ip routing-table command to check the routing table on the CE.
• Run the tracert host command to check the path of the data transmitted to the peer CE on
  the CE.
• Run the display ospf process-id sham-link [ area area-id ] command to check the setup
  state of the sham-link on the PE.
• Run the display ospf routing command to check the routes discovered by OSPF on the
  CE.
----End

Example
Run the display ip routing-table vpn-instance command. You can find that the routes from the PE
to the peer CE are the OSPF routes that pass through the private network rather than the BGP
routes that pass through the backbone network.
Run the display ip routing-table and the tracert commands on the CE. You can find that the VPN
traffic from the CE to the peer is forwarded through the backbone network.
Run the display ospf process-id sham-link command on the PE. You can find that the OSPF
neighbor status between the PE and the peer CE is Full.
Run the display ospf routing command on the CE. You can find that the routes from the CE to the
peer CE are learned as intra-area routes.

3.10 Configuring a Multi-VPN-Instance CE


By using OSPF multi-instance on CEs, you can implement service isolation on the LAN.

3.10.1 Establishing the Configuration Task


Before configuring a multi-VPN-instance CE, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
The multi-VPN-instance CE is used in the LAN. You can implement service isolation through
the multiple OSPF instances on the CE devices.

One OSPF process can belong to only one VPN instance but one VPN instance can run several
OSPF processes.

The Multi-VPN-Instance CE can be considered as a networking solution that isolates services
by isolating routes. Before configuring a multi-VPN-instance CE, you need to disable routing
loop detection.

Pre-configuration Tasks
Before configuring a multi-VPN-instance CE, complete the following tasks:

• 3.3 Configuring a VPN Instance on the multi-instance CE, and the PE that is accessed by
  it (each service with a VPN instance)
• Configuring the link layer protocol and network layer protocol for LAN interfaces and
  connecting the LAN to the multi-instance CE (each service using an interface to access the
  multi-instance CE)
• Binding related VPN instances to the interfaces of the multi-instance CE and the PE interfaces
  through which the PE accesses the multi-instance CE, and configuring IP addresses for those
  interfaces

Data Preparation
To configure a multi-VPN-instance CE, you need the following data.

No.   Data
1     Names of the VPN instances corresponding with the OSPF processes used by each service
2     OSPF process number and Router ID used by each service
3     Routes advertised by each OSPF process

3.10.2 Configuring the OSPF Multi-Instance on the PE


Different services use different OSPF process IDs.

Context
Do as follows on the PE that is accessed by the multi-instance CE:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ospf process-id [ router-id router-id ] vpn-instance vpn-instance-name

The OSPF multi-instance is configured.

Different services have different OSPF process IDs. However, router IDs of different services
do not necessarily differ.
Step 3 Run:
area area-id

The OSPF area view is displayed.


Step 4 Run:
network ip-address wildcard-mask

The IP address of the interface connected to the multi-instance CE is advertised.


Step 5 Run:
quit

The OSPF view is displayed.


Step 6 Run:
import-route bgp

The BGP route is imported.


Step 7 Run:
quit

Return to the system view.


Step 8 Run:
bgp as-number

The BGP view is displayed.


Step 9 Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance view is displayed.


Step 10 Run:
import-route ospf process-id

The OSPF multi-instance route is imported.

----End

3.10.3 Configuring the OSPF Multi-Instance on the Multi-Instance CE

The process ID of the OSPF multi-instance configured on the multi-VPN-instance CE must be
the same as that configured on the PE.

Context
Do as follows on the multi-instance CE:

Procedure
Step 1 Run:

system-view

The system view is displayed.


Step 2 Run:
ospf process-id [ router-id router-id ] vpn-instance vpn-instance-name

The OSPF multi-instance is configured.


The OSPF process ID corresponds to that of the PE.
Step 3 Run:
area area-id

The OSPF area view is displayed.


Step 4 Run:
network ip-address wildcard-mask

The IP address of the interface connected to the PE is advertised.

NOTE
If the multi-instance CE does not learn the routes of a LAN through the OSPF multi-instance of the process,
the routes of the LAN need to be imported to the OSPF instances of the process.

----End

3.10.4 Canceling the Loop Detection on the Multi-Instance CE


If the route loop check is performed, the CE discards routes from the PE whose DN bit is
1.

Context
Do as follows on the PE:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ospf process-id [ router-id router-id ] vpn-instance vpn-instance-name

The OSPF view is displayed.


Step 3 Run:
vpn-instance-capability simple

Loop detection is not performed.

----End

3.10.5 Checking the Configuration


After the multi-VPN-instance CE is configured, you can find that the VPN routing table of the
CE contains the routes destined for the LAN and remote sites for each service.

Prerequisite
The configurations of the Multi-VPN-Instance CE function are complete.

Procedure
• Run the display ip routing-table vpn-instance vpn-instance-name [ verbose ] command
  to check the VPN routing table on the multi-instance CE.

----End

Example
Run the display ip routing-table vpn-instance command on the multi-instance CE to check
the VPN routing table. If there are routes to the LAN and the remote nodes for each service, it
means the configuration succeeded.

3.11 Connecting VPN and the Internet


Generally, users within a VPN can communicate only with each other instead of with Internet
users, and the VPN users cannot access the Internet. If each site of the VPN needs to access the
Internet, you need to configure the interconnection between the VPN and the Internet.

3.11.1 Establishing the Configuration Task


Before configuring the interconnection between a VPN and the Internet, familiarize yourself
with the applicable environment, complete the pre-configuration tasks, and obtain the required
data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
You can enable VPN users to access the Internet, by supplementing certain software
configurations in the established VPN network.

Pre-configuration Tasks
Before configuring VPN users to access the Internet, complete the following tasks:

• Setting up the VPN network

Data Preparation
To configure interconnection between a VPN and the Internet, you need the following data.

No.   Data
1     Names of the VPN instances
2     Destination IP address of static routes

3.11.2 Configuring the Static Route on the CE


This part describes how to configure static routes on CEs to forward packets from the VPN to
the Internet.

Context
Do as follows on the CE.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip route-static ip-address { mask | mask-length } { interface-type interface-number [ nexthop-address ] | nexthop-address } [ preference preference | tag tag ] * [ description text ]

The static route to the public network destination address is configured.

ip-address can be the destination address of the public network or 0.0.0.0. If ip-address
is 0.0.0.0, the static route is also called a default route, and its mask must be 0.0.0.0
or its mask-length must be 0. Note that the outbound interface must be the interface
connected directly with the PE, and the next hop is the IP address of the peer PE interface
connected directly with the CE.

NOTE

If the CE and the PE are connected through an Ethernet network, the next-hop must be specified.

----End

3.11.3 Configuring the Private Network Static Route on the PE


This part describes how to configure static routes on PEs to forward packets from the VPN to
the Internet.

Context
Do as follows on the PE.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip route-static vpn-instance vpn-source-name destination-address { mask | mask-length } nexthop-address public [ preference preference | tag tag ] * [ description text ]

The static route from the VPN to Internet is configured and the next-hop address is a public
network address.

----End

3.11.4 Configuring the Static Route to VPN on the Device of the Public Network

This part describes how to configure static routes to VPN users to forward packets from the
Internet to the VPN.

Context
Do as follows on the PE.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip route-static ip-address { mask | mask-length } { interface-type interface-number nexthop-address | vpn-instance vpn-instance-name nexthop-address | nexthop-address } [ preference preference | tag tag ] * [ description text ]

The static route from the public network to the VPN is configured and the next-hop address is
a private network address.

NOTE

If the CE and the PE are connected through an Ethernet network, the next-hop must be specified.

----End

3.11.5 Checking the Configuration


After configuring the interconnection between a VPN and the Internet, you can find that the
VPN routing table contains the routes destined for the CE and the router in the public network,
and the routing table in the destined device of the public network contains the route to the CE.

Prerequisite
The configurations of the VPN and the Internet function are complete.

Procedure
• Run the display ip routing-table vpn-instance vpn-instance-name command to check the
  VPN routing table on the PE.
• Run the display ip routing-table command to check the routing table on the CE and the
  destination switch in the public network.

----End

Example
Run the display ip routing-table vpn-instance command on the PE, and you can find that the
route to the CE and the route to the destination switch in the public network exist in the VPN
routing table.

Run the display ip routing-table command on the CE, and you can find that the CE has the
route to the destination switch in the public network and the destination switch in the public
network has the route to the CE.

The CE and the destination switch in the public network can successfully ping each other.

3.12 Configuring VPN FRR


In CE dual-homing networking, you can configure VPN FRR to ensure fast end-to-end
switchover of VPN services if the PE fails.

3.12.1 Establishing the Configuration Task


Before configuring VPN FRR, familiarize yourself with the applicable environment, complete
the pre-configuration tasks, and obtain the required data. This can help you complete the
configuration task quickly and accurately.

Applicable Environment
VPN FRR applies to services in the private network that are sensitive to packet loss or delay.

You can configure VPN FRR in either of the following modes:

• Manual VPN FRR: Information such as the backup next hop is specified.
• Auto VPN FRR: The backup next hop is unspecified, but a proper next hop is selected for
  the VPN route.

You can select either mode as required. If both of them are configured, manual VPN FRR has
a higher priority. When manual VPN FRR fails, auto VPN FRR takes effect.

Pre-configuration Tasks
Before configuring VPN FRR, complete the following tasks:

• Configuring the routing protocol on the switches to achieve internetworking
• Generating two unequal-cost routes by configuring different metrics
• Setting up the VPN network

CAUTION
Configuring the lsp-trigger command on the P is not recommended when an LSP is created
on the VPN backbone network. Use the default configuration on the P. Otherwise, VPN
FRR switchback may fail.


Data Preparation
To configure the VPN FRR, you need the following data.

No.  Data
1    (Optional) Name of the routing policy
2    Name of the VPN instance
3    (Optional) Backup next hop

3.12.2 Configuring Manual VPN FRR


After a backup next hop (a PE) is specified according to the routing policy, the VPN traffic can
be forwarded to the backup next hop if traffic forwarding between PEs fails.

Context
Do as follows on the switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
route-policy route-policy-name { permit | deny } node node

The routing policy node is created and the routing policy view is displayed.

Step 3 Run:
apply backup-nexthop { ip-address | auto }

The backup next hop is configured.

Step 4 Run:
quit

Return to the system view.

Step 5 Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.

Step 6 Run:
vpn frr route-policy route-policy-name

The VPN FRR is enabled.

----End


3.12.3 Configuring VPN Auto FRR


If the primary link between PEs fails, VPN traffic is forwarded through the next hop (a PE) that
is automatically selected by the system.

Context
Do as follows on the switch.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance view is displayed.


Step 4 Run:
auto-frr

VPN Auto FRR is enabled.

----End

3.12.4 Checking the Configuration


After configuring VPN FRR, you can view information about the backup next hop (a PE), backup
tunnel, and backup label in the VPN routing table.

Prerequisite
The configurations of the VPN FRR function are complete.

Procedure
• Run the display ip routing-table vpn-instance vpn-instance-name [ ip-address ]
verbose command to check information about the backup next hop, backup tunnel, and
backup label.
----End

Example
Run the display ip routing-table vpn-instance vpn-instance-name ip-address verbose
command on the PE configured with VPN FRR. If information about the backup next-hop PE,
backup tunnel, and label value of the routes is displayed, it means the configuration succeeds.
<Quidway> display ip routing-table vpn-instance vpn1 18.0.0.0 verbose
Route Flags: R - relay, D - download to fib

------------------------------------------------------------------------------
Routing Table : zy
Summary Count : 1

Destination: 18.0.0.0/24
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 171.0.0.16 Neighbour: 171.0.0.16
State: Active Adv Relied Age: 00h00m18s
Tag: 0 Priority: low
Label: 11264 QoSInfo: 0x0
IndirectID: 0x2f
RelayNextHop: 171.16.19.16 Interface: Vlanif69
TunnelID: 0x10050 Flags: RD
BkNextHop: 171.0.0.17 BkInterface: Unknown
BkLabel: 11264 SecTunnelID: 0x1005e
BkPETunnelID: 0x1005c BkPESecTunnelID: 0x0
BkIndirectID: 0x2c
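
The check described above can be automated. The following is an added example, not part of the guide: it parses the verbose route output and reports routes that lack a backup next hop, backup label, or backup tunnel. The second sample entry, the "unset" renderings, and the choice of BkPETunnelID as the backup tunnel field are assumptions.

```python
import re

# One "Key: value" pair; a value ends where the next "Key:" begins or at end of line.
FIELD = re.compile(r"(\w+)\s*:\s*(.*?)(?=\s+\w+\s*:(?:\s|$)|\s*$)")

# Renderings treated as "nothing installed" (assumed, not taken from the guide).
UNSET = {"", "0.0.0.0", "null", "0x0"}

# First entry: the output shown in the guide. Second entry: constructed for this
# example to represent a route that has no VPN FRR backup.
SAMPLE = """\
Route Flags: R - relay, D - download to fib
Destination: 18.0.0.0/24
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 171.0.0.16 Neighbour: 171.0.0.16
State: Active Adv Relied Age: 00h00m18s
Tag: 0 Priority: low
Label: 11264 QoSInfo: 0x0
IndirectID: 0x2f
RelayNextHop: 171.16.19.16 Interface: Vlanif69
TunnelID: 0x10050 Flags: RD
BkNextHop: 171.0.0.17 BkInterface: Unknown
BkLabel: 11264 SecTunnelID: 0x1005e
BkPETunnelID: 0x1005c BkPESecTunnelID: 0x0
BkIndirectID: 0x2c

Destination: 19.0.0.0/24
NextHop: 171.0.0.16 Neighbour: 171.0.0.16
Label: 11265 QoSInfo: 0x0
TunnelID: 0x10050 Flags: RD
BkNextHop: 0.0.0.0 BkInterface: Unknown
BkLabel: NULL SecTunnelID: 0x0
BkPETunnelID: 0x0 BkPESecTunnelID: 0x0
BkIndirectID: 0x0
"""


def parse_routes(text):
    """Return one dict of fields per 'Destination:' entry in the output."""
    routes, current = [], None
    for line in text.splitlines():
        for key, value in FIELD.findall(line.strip()):
            if key == "Destination":
                current = {}
                routes.append(current)
            if current is not None:  # ignore header lines before the first route
                current[key] = value
    return routes


def _unset(value):
    return value is None or value.strip().lower() in UNSET


def frr_findings(route):
    """List the reasons why a route has no usable VPN FRR backup."""
    findings = []
    backup = route.get("BkNextHop")
    if _unset(backup):
        findings.append("no backup next hop")
    if _unset(route.get("BkLabel")):
        findings.append("no backup label")
    # Assumption: BkPETunnelID identifies the tunnel towards the backup PE.
    if _unset(route.get("BkPETunnelID")):
        findings.append("no backup tunnel")
    # A backup that points at the primary PE gives no protection if that PE fails.
    if not _unset(backup) and backup == route.get("NextHop"):
        findings.append("backup next hop equals primary next hop")
    return findings


def audit(text):
    """Map each destination to its findings; an empty list means protected."""
    return {r["Destination"]: frr_findings(r) for r in parse_routes(text)}


if __name__ == "__main__":
    for destination, findings in audit(SAMPLE).items():
        print(destination, "OK" if not findings else "; ".join(findings))
```
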

3.13 Configuring VPN GR


In the process of master/slave control board switchover or the system upgrade, you can configure
VPN GR to ensure that VPN traffic is not interrupted on the PE, CE, or P.

3.13.1 Establishing the Configuration Task


Before configuring VPN GR, familiarize yourself with the applicable environment, complete
the pre-configuration tasks, and obtain the data required for the configuration. This will help
you complete the configuration task quickly and accurately.

Applicable Environment
VPN GR is enabled for a BGP/MPLS IP VPN that requires the GR capability. Configuring
VPN GR on a switch that carries VPN services ensures that the switch keeps forwarding
during an AMB/SMB switchover, so that VPN traffic is not interrupted.
NOTE

The GR capability cannot ensure that the traffic is not broken if the neighboring switch performs the AMB/
SMB switchover at the same time.

When configuring VPN GR, you must configure the IGP GR, BGP GR and MPLS LDP GR on
the PE, configure the IGP GR and the MPLS LDP GR on the P, and configure the IGP GR or
the BGP GR on the CE. If more than one domain is traversed, you must configure the IGP GR,
BGP GR and MPLS LDP GR on the ASBR.

Pre-configuration Tasks
Before configuring VPN GR, complete the following tasks:
• Establishing the VPN environment and configuring the VPN
• Configuring the common IGP GR (such as the IS-IS GR and the OSPF GR), BGP GR and
MPLS LDP GR on PEs and Ps in all related backbone networks to ensure that the backbone
network has the GR capability

Data Preparation
To configure VPN GR, you need the following data.


No.  Data
1    (Optional) Interval for re-establishing the GR session (by default, it is 300 seconds) if the IS-IS GR is enabled
2    (Optional) Interval for the GR time if the OSPF GR is enabled
3    Reconnection time of the MPLS LDP session (by default, it is 300 seconds)
4    Validity period of the MPLS LDP neighbors (by default, it is 600 seconds)
5    Maximum time of BGP session reestablishment (by default, it is 150 seconds)
6    Time of waiting for the End-of-RIB messages (by default, it is 600 seconds)

3.13.2 Configuring IGP GR on the Backbone Network


You can configure IGP GR based on the specific IGP running on the backbone network. IGP
GR can be IS-IS GR or OSPF GR.

Context
NOTE
When configuring GR on the backbone network, configure the corresponding IGP GR (IS-IS GR or OSPF
GR) based on the specific IGP protocol running on the backbone network.

Procedure
• Configure IS-IS GR on the backbone network.
If IS-IS is running on the public network, do as follows on the related PEs and Ps on the
backbone network:
1. Run:
system-view

The system view is displayed.


2. Run:
isis process-id

The IS-IS view is displayed.


3. Run:
graceful-restart

The IS-IS GR capability is enabled.


By default, the IS-IS GR capability is disabled.
4. (Optional) Run:
graceful-restart interval interval-value

The interval for reestablishing the IS-IS GR session is configured.


The interval for reestablishing the IS-IS GR session is set to the Hold time in the IS-
IS Hello PDU. In this manner, the neighbor does not terminate the adjacency
relationship with the switch when the switch performs the AMB/SMB switchover.


By default, the interval for reestablishing the IS-IS GR session is 300 seconds.
5. (Optional) Run:
graceful-restart suppress-sa

The GR Restarter is configured to suppress the advertisement of the adjacency relationship
when it is restarting.
The suppress advertisement (SA) bit is used in the Hello PDUs by a restarting
switch to request its neighbors to suppress advertising the adjacency to the restarting
switch. The SA bit is removed once its database synchronization is over. Enabling this
feature avoids the black hole effect caused by sending and receiving LSP during the
restart process.
If the administrator does not want the restarting switch to set the SA bit in its Hello
PDUs, the administrator can use the undo graceful-restart suppress-sa command to
disable it.
By default, the SA bit does not take effect.
• Configure OSPF GR on the backbone network.
If OSPF is running on the public network, do as follows on the related PEs and Ps on the
backbone network:
1. Run:
system-view

The system view is displayed.


2. Run:
ospf process-id

The OSPF view is displayed.


3. Run:
opaque-capability enable

The opaque-lsa capability is enabled.


4. Perform the following as needed:
To enable the GR capability of OSPF, run:
graceful-restart

To enable the GR Help capability of OSPF, which is used while the Restarter performs
the GR, run:
graceful-restart helper-role { { { ip-prefix ip-prefix-name | acl-number acl-number | acl-name acl-name } | ignore-external-lsa | planned-only } * | never }

It is suggested to enable the GR capability of OSPF on all the related PEs and Ps on
the backbone network.
By default, the GR capability of OSPF and the GR Help capability of OSPF are
disabled.
----End

3.13.3 Configuring MPLS GR on the Backbone Network


In the process of master/slave control board switchover or the system upgrade, you can configure
MPLS GR to ensure normal MPLS traffic forwarding. If LDP LSPs are configured on the
backbone network, you can configure MPLS LDP GR; if RSVP-TE tunnels are configured on
the backbone network, you can configure MPLS RSVP GR; if other types of tunnels are
configured on the backbone network, you do not need to perform the operation.

Context
If you use an LDP LSP tunnel, you need to configure MPLS LDP GR. If you use an RSVP-TE
tunnel, you need to configure MPLS RSVP GR. If you use another type of tunnel, you need not
perform this step.

Procedure
• Configure MPLS LDP GR.
1. Run:
system-view

The system view is displayed.


2. Run:
mpls

MPLS is enabled globally, and the MPLS view is displayed.


3. Run:
quit

Return to the system view.


4. Run:
mpls ldp

The MPLS LDP view is displayed.


5. Run:
graceful-restart

The GR capability of MPLS LDP is enabled.


6. (Optional) Run:
graceful-restart timer reconnect time

The reconnection period of the MPLS LDP session is configured.


By default, the reconnection period is 300 seconds.
7. (Optional) Run:
graceful-restart timer neighbor-liveness time

The validity period of MPLS LDP neighbors is configured.


By default, the validity period of MPLS LDP neighbors is 600 seconds.
8. (Optional) Run:
graceful-restart timer recovery time

The MPLS LDP recovery period is configured.


By default, the MPLS LDP recovery period is 300 seconds.
NOTE

When the GR capability of MPLS LDP is enabled or the GR parameters are modified, the LDP session
is reestablished.


• Configure RSVP GR.


1. Run:
system-view

The system view is displayed.


2. Run:
mpls

The MPLS view is displayed.


3. Run:
mpls te

MPLS TE is enabled.
4. Run:
mpls rsvp-te

RSVP TE is enabled.
5. Run:
mpls rsvp-te hello

The RSVP Hello extension of the local node is enabled.


6. Run:
mpls rsvp-te hello full-gr

The GR capability of RSVP TE is enabled. In addition, the GR capability of the peer
is also supported.

By default, the GR capability of RSVP TE is disabled.


7. (Optional) Run:
mpls rsvp-te hello nodeid-session ip-address

The Hello session is established between nodes of RSVP TE enabled with GR capability.
8. Run:
quit

Return to the system view.


9. Run:
interface interface-type interface-number

The RSVP interface view is displayed.


10. Run:
mpls

The MPLS view is displayed.


11. Run:
mpls te

MPLS TE is enabled.
12. Run:
mpls rsvp-te

RSVP TE is enabled.


13. Run:
mpls rsvp-te hello

The RSVP Hello extension function is enabled on the interface.


Although the RSVP Hello extension function is enabled globally, it is disabled on the
RSVP-enabled interfaces by default.
----End

3.13.4 Configuring GR of the Routing Protocol Between PEs and CEs

You can configure GR of a routing protocol according to the specific routing protocol running
between the CE and the PE. GR of a routing protocol can be IS-IS GR, OSPF GR, or BGP GR.

Context
NOTE
When configuring GR of the routing protocol running between PEs and CEs, configure the corresponding
GR (IS-IS GR, OSPF GR, or BGP GR) according to the routing protocol running between the PEs and
CEs.

Procedure
• Configure GR of the IS-IS multi-instance between PEs and CEs.
Do as follows if IS-IS is run between the PE and the CE:
1. Run:
system-view

The system view is displayed.


2. Run:
isis process-id vpn-instance vpn-instance-name

The IS-IS multi-instance view is displayed.


3. Run:
graceful-restart

The IS-IS GR capability is enabled.


By default, the IS-IS GR capability is disabled.
4. (Optional) Run:
graceful-restart interval interval-value

The interval for reestablishing the IS-IS GR session is configured.


The interval for reestablishing the IS-IS GR session is set to the Hold time in the IS-
IS Hello PDU. In this manner, the neighbor does not terminate the adjacency
relationship with the switch when the switch performs the AMB/SMB switchover.
By default, the interval for reestablishing the IS-IS GR session is 300 seconds.
5. (Optional) Run:
graceful-restart suppress-sa

The GR Restarter is configured to suppress the advertisement of the adjacency relationship
when it is restarting.

The suppress advertisement (SA) bit is used in the Hello PDUs by a restarting
switch to request its neighbors to suppress advertising the adjacency to the restarting
switch. The SA bit is removed once its database synchronization is over. Enabling this
feature avoids the black hole effect caused by sending and receiving LSP during the
restart process.
If the administrator does not want the restarting switch to set the SA bit in its Hello
PDUs, the administrator can use the undo graceful-restart suppress-sa command to
disable it.
By default, the SA bit does not take effect.
• Configure GR of the OSPF multi-instance between PEs and CEs.
Do as follows if OSPF is run between the PE and the CE:
1. Run:
system-view

The system view is displayed.


2. Run:
ospf process-id vpn-instance vpn-instance-name

The OSPF multi-instance view is displayed.


3. Run:
opaque-capability enable

The opaque-lsa capability is enabled.


4. Perform the following as needed:
To enable the GR capability of OSPF, run:
graceful-restart

To enable the GR Help capability of OSPF, which is used while the Restarter performs
the GR, run:
graceful-restart helper-role { { { ip-prefix ip-prefix-name | acl-number acl-number | acl-name acl-name } | ignore-external-lsa | planned-only } * | never }

It is suggested to enable the GR capability of OSPF on all the related PEs and Ps on
the backbone network.
By default, the local link signaling capability, the out-of-band capability, the GR Help
capability and the GR capability of OSPF are all disabled.
• Configure BGP GR between PEs and CEs.
Do as follows on the PE and CE if EBGP is run between them:
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
graceful-restart

The GR capability of BGP is enabled.


4. (Optional) Run:
graceful-restart timer restart time

The maximum time for restarting the GR Restarter is configured.

The restart period is the maximum waiting period, from the time when the receiving
speaker detects that the GR Restarter restarts, to the time when the BGP session is
reestablished. If no BGP session is reestablished within the restart period, the receiving
speaker deletes the BGP route in the stale state. By default, the restart period is 150
seconds.

CAUTION
Modifying the restart period leads to the reestablishment of the BGP peer relationship.

5. (Optional) Run:
graceful-restart timer wait-for-rib time

The time of waiting for the End-of-RIB message is configured.

By default, the time of waiting for the End-of-RIB message is 600 seconds.

----End

3.13.5 Configuring BGP GR for MP-BGP


When MP-BGP restarts, the peer relationship is re-established and traffic forwarding is
interrupted. If BGP GR is enabled, traffic interruption can be prevented.

Context
Configure BGP GR for MP-BGP on all the PEs (including the PE that serves as the ASBR) and
the RRs that reflect the VPNv4 route, unless BGP GR has been configured for MP-BGP when
BGP GR is configured between PEs and CEs.

The process of configuring BGP GR for MP-BGP is the same as that of configuring GR in the
common BGP. For the detailed configuration, see 3.13.4 Configuring GR of the Routing
Protocol Between PEs and CEs.
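
Section 3.13.1 states which GR features each role needs (PE and ASBR: IGP GR, BGP GR and MPLS LDP GR; P: IGP GR and MPLS LDP GR; CE: IGP GR or BGP GR). The following is an added example, not part of the guide, that audits saved configurations against those rules using only the commands from the procedures above; the configurations are constructed, and a backbone that uses LDP LSPs is assumed.

```python
# Constructed configurations in the sectioned layout of a saved configuration:
# a view header at column 0, its commands indented, "#" between views.
PE_CONFIG = """\
#
isis 1
 graceful-restart
#
isis 2 vpn-instance vpn1
#
bgp 100
 graceful-restart
 #
 ipv4-family vpnv4
#
mpls ldp
 graceful-restart
 graceful-restart timer reconnect 300
#
"""

# OSPF GR is entered without opaque-capability enable, and LDP GR is missing.
P_CONFIG = """\
#
ospf 1
 graceful-restart
#
mpls ldp
#
"""

CE_CONFIG = """\
#
bgp 65410
 graceful-restart
#
"""

NAMES = {"igp": "IGP GR", "bgp": "BGP GR", "ldp": "MPLS LDP GR"}
ALL_OF = {"PE": ["igp", "bgp", "ldp"], "ASBR": ["igp", "bgp", "ldp"], "P": ["igp", "ldp"]}


def views(config):
    """Group a configuration into {view header: [commands entered in that view]}."""
    result, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("#"):          # separator at column 0 closes the view
            current = None
        elif not line or line == "#":    # blank line or separator inside a view
            continue
        elif raw[0] in " \t":
            if current is not None:
                current.append(line)
        else:
            current = result.setdefault(line, [])
    return result


def gr_enabled(config):
    """Return the set of GR features (igp, bgp, ldp) enabled outside VPN instances."""
    found = set()
    for header, cmds in views(config).items():
        # Only the bare command enables GR; timer or helper-role lines do not.
        if "graceful-restart" not in cmds or "vpn-instance" in header.split():
            continue
        if header.startswith("isis "):
            found.add("igp")
        # The OSPF procedure enables the opaque-lsa capability before GR,
        # so both commands are required here.
        elif header.startswith("ospf ") and "opaque-capability enable" in cmds:
            found.add("igp")
        elif header.startswith("bgp "):
            found.add("bgp")
        elif header == "mpls ldp":
            found.add("ldp")
    return found


def missing_gr(role, config):
    """List the GR features that the given role still lacks."""
    found = gr_enabled(config)
    if role == "CE":
        return [] if found & {"igp", "bgp"} else ["IGP GR or BGP GR"]
    return [NAMES[f] for f in ALL_OF[role] if f not in found]


if __name__ == "__main__":
    for role, cfg in (("PE", PE_CONFIG), ("P", P_CONFIG), ("CE", CE_CONFIG)):
        print(role, missing_gr(role, cfg) or "complete")
```
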

3.13.6 Checking the Configuration


After configuring VPN GR, you can view status information about IGP GR and BGP GR.

Prerequisite
The configurations of the VPN GR function are complete.

Procedure
• Run the display ospf brief command to check the status of the OSPF GR.
• Run the display isis graceful-restart status [ level-1 | level-2 ] [ process-id | vpn-instance
vpn-instance-name ] command to check the status of the IS-IS GR.

• Run the display bgp vpnv4 all peer verbose command to check the status of the BGP GR.
----End

Example
Run the display isis graceful-restart status command on the PE, and you can view the status
of the IS-IS GR. For example:
<Quidway> display isis graceful-restart status
Restart information for ISIS(1)
-------------------------------
IS-IS(1) Level-1 Restart Status
Restart Interval: 300
SA Bit Supported
Total Number of Interfaces = 2
Restart Status: RESTART COMPLETE
IS-IS(1) Level-2 Restart Status
Restart Interval: 300
SA Bit Supported
Total Number of Interfaces = 2
Restart Status: RESTART COMPLETE

Run the display bgp peer verbose command on the PE, and you can find that IBGP GR between
PEs and EBGP GR between the PE and CE are configured successfully. For example:
<Quidway> display bgp vpnv4 all peer verbose
Peer: 3.3.3.9 remote AS 100
Type: IBGP link
BGP version 4, remote router ID 3.3.3.9
Update-group ID : 1
BGP current state: Established, Up for 00h23m47s
BGP current event: RecvKeepalive
BGP last state: OpenConfirm
BGP Peer Up count: 2
Received total routes: 2
Received active routes total: 2
Advertised total routes: 2
Port: Local - 49941 Remote - 179
Port: Local - 52845 Remote - 179
Configured: Active Hold Time: 180 sec Keepalive Time:60 sec
Received : Active Hold Time: 180 sec
Negotiated: Active Hold Time: 180 sec Keepalive Time:60 sec
Peer optional capabilities:
Peer supports bgp multi-protocol extension
Peer supports bgp route refresh capability
Peer supports bgp 4-byte-as capability
Graceful Restart Capability: advertised and received
Restart Timer Value received from Peer: 150 seconds
Address families preserved for peer in GR:
IPv4 Unicast (was preserved)
VPNv4 (was preserved)
Address family IPv4 Unicast: advertised and received
Address family VPNv4: advertised and received
Received: Total 29 messages
Update messages 9
Open messages 1
KeepAlive messages 19
Notification messages 0
Refresh messages 0
Authentication type configured: None
Sent: Total 25 messages
Update messages 5
Open messages 1
KeepAlive messages 19
Notification messages 0
Refresh messages 0
Last keepalive received: 2009-12-31 19:49:49

Minimum route advertisement interval is 0 seconds
Optional capabilities:
Route refresh capability has been enabled
4-byte-as capability has been enabled
Connect-interface has been configured
Peer Preferred Value: 0
Routing policy configured:
No routing policy is configured
VPN instance: vpn1
Peer: 10.1.1.1 remote AS 65410
Type: EBGP link
BGP version 4, remote router ID 10.1.1.1
Update-group ID : 1
BGP current state: Established, Up for 00h43m05s
BGP current event: KATimerExpired
BGP last state: OpenConfirm
BGP Peer Up count: 2
Received total routes: 2
Received active routes total: 2
Advertised total routes: 2
Port: Local - 49941 Remote - 179
Port: Local - 50390 Remote - 179
Configured: Active Hold Time: 180 sec Keepalive Time:60 sec
Received : Active Hold Time: 180 sec
Negotiated: Active Hold Time: 180 sec Keepalive Time:60 sec
Peer optional capabilities:
Peer supports bgp multi-protocol extension
Peer supports bgp route refresh capability
Peer supports bgp 4-byte-as capability
Graceful Restart Capability: advertised and received
Restart Timer Value received from Peer: 150 seconds
Address families preserved for peer in GR:
IPv4 Unicast (was preserved)
Address family IPv4 Unicast: advertised and received
Received: Total 25 messages
Update messages 4
Open messages 1
KeepAlive messages 20
Notification messages 0
Refresh messages 0
Authentication type configured: None
Sent: Total 28 messages
Update messages 9
Open messages 1
KeepAlive messages 18
Notification messages 0
Refresh messages 0
Last keepalive received: 2009-12-31 19:49:50
Minimum route advertisement interval is 30 seconds
Optional capabilities:
Route refresh capability has been enabled
4-byte-as capability has been enabled
Peer Preferred Value: 0
Routing policy configured:
No routing policy is configured
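
The peer output above can be checked mechanically. The following is an added example, not part of the guide: it splits the output per peer and reports sessions where GR was not negotiated, where the received restart timer differs from the planned value, or where the Authentication type field shows None. The third peer entry (192.0.2.9) is constructed.

```python
import re

# Excerpt of the two peer entries shown in the guide, followed by one entry
# constructed for this example (192.0.2.9) in which no GR lines appear.
SAMPLE = """\
Peer: 3.3.3.9 remote AS 100
Type: IBGP link
BGP current state: Established, Up for 00h23m47s
Graceful Restart Capability: advertised and received
Restart Timer Value received from Peer: 150 seconds
Address families preserved for peer in GR:
IPv4 Unicast (was preserved)
VPNv4 (was preserved)
Authentication type configured: None
VPN instance: vpn1
Peer: 10.1.1.1 remote AS 65410
Type: EBGP link
BGP current state: Established, Up for 00h43m05s
Graceful Restart Capability: advertised and received
Restart Timer Value received from Peer: 150 seconds
Address families preserved for peer in GR:
IPv4 Unicast (was preserved)
Authentication type configured: None
Peer: 192.0.2.9 remote AS 65411
Type: EBGP link
BGP current state: Established, Up for 00h01m10s
Authentication type configured: None
"""

PATTERNS = {
    "type": re.compile(r"Type:\s*(\S+) link"),
    "state": re.compile(r"BGP current state:\s*(\w+)"),
    "gr": re.compile(r"Graceful Restart Capability:\s*(.+)"),
    "restart_timer": re.compile(r"Restart Timer Value received from Peer:\s*(\d+)"),
    "auth": re.compile(r"Authentication type configured:\s*(\S+)"),
}
PRESERVED = re.compile(r"(.+?)\s*\(was preserved\)")


def parse_peers(text):
    """Return one dict per 'Peer:' entry, tagged with its VPN instance (or None)."""
    peers, current, vpn = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"VPN instance:\s*(\S+)", line)
        if m:
            vpn, current = m.group(1), None
            continue
        # Anchored at line start, so "... received from Peer: 150" is not a new peer.
        m = re.match(r"Peer:\s*(\S+)\s+remote AS\s+(\S+)", line)
        if m:
            current = {"peer": m.group(1), "remote_as": m.group(2),
                       "vpn": vpn, "preserved": []}
            peers.append(current)
            continue
        if current is None:
            continue
        m = PRESERVED.match(line)
        if m:
            current["preserved"].append(m.group(1))
            continue
        for name, pattern in PATTERNS.items():
            m = pattern.match(line)
            if m:
                current[name] = m.group(1).strip()
    return peers


def gr_findings(peer, expected_restart=150):
    """List deviations for one peer; 150 s is the default restart period."""
    findings = []
    if peer.get("state") != "Established":
        findings.append("session not Established")
    if peer.get("gr") != "advertised and received":
        findings.append("GR capability not advertised and received")
    elif int(peer.get("restart_timer", -1)) != expected_restart:
        findings.append("restart timer differs from expected value")
    if peer.get("auth", "None") == "None":
        findings.append("no authentication type configured")
    return findings


def audit(text, expected_restart=150):
    """Map each peer address to its list of findings."""
    return {p["peer"]: gr_findings(p, expected_restart) for p in parse_peers(text)}


if __name__ == "__main__":
    for peer, findings in audit(SAMPLE).items():
        print(peer, "; ".join(findings) or "OK")
```
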

3.14 Configuring Route Reflection to Optimize the VPN Backbone Layer

Using an RR can reduce the number of MP IBGP connections between PEs. This not only reduces
the burden of PEs but also facilitates network maintenance and management.


3.14.1 Establishing the Configuration Task


Before configuring an RR to optimize the VPN backbone layer, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the required data. This
can help you complete the configuration task quickly and accurately.

Applicable Environment
The BGP speaker does not advertise the routes learned from IBGP devices to its IBGP peers.
To make a PE advertise the routes of the VPN that the PE accesses to the BGP VPNv4 peers in
the same AS, the PE must establish IBGP connections with all peers to directly exchange VPN
routing information. That is, MP IBGP peers must establish full connections between each other.
If there are n PEs (including ASBRs) in an AS, n(n-1)/2 MP IBGP connections need to
be established. A large number of IBGP peers consume a great amount of network resources.
The Route Reflector (RR) can solve this problem. In an AS, one switch can be configured as the
RR to reflect VPNv4 routes and the other PEs and ASBRs serve as the clients, which are called
Client PEs. An RR can be a P, PE, ASBR, or a switch of other types.
The introduction of the RR reduces the number of MP IBGP connections. This lightens the
burden of PEs and facilitates network maintenance and management.

Pre-configuration Tasks
Before configuring route reflection to optimize the VPN backbone layer, complete the following
tasks:
• Configuring the routing protocol for the MPLS backbone network to implement IP
interworking between switches in the backbone network
• Establishing tunnels (LSPs or MPLS TE tunnels) between the RR and all Client PEs

Data Preparation
To configure the BGP VPNv4 route reflection, you need the following data.

No.  Data
1    Local AS number and peer AS number
2    Type and number of the interfaces used to set up the TCP connection
3    BGP peer group name and IP addresses of peers

3.14.2 Configuring the Client PEs to Establish MP IBGP Connections with the RR

An MP-IBGP connection is configured between the PE and the RR to facilitate VPNv4 route
reflection.

Context
Do as follows on all Client PEs:


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bgp as-number

The BGP view is displayed.

Step 3 Run:
peer ipv4-address as-number as-number

The RR is specified as the BGP peer.

Step 4 Run:
peer ipv4-address connect-interface interface-type interface-number

The interface is specified as an interface to establish the TCP connection.

The IP address of the interface must be the same as the MPLS LSR ID. It is recommended to
specify a loopback interface to establish the TCP connection.

Step 5 Run:
ipv4-family vpnv4

The BGP VPNv4 address family view is displayed.

Step 6 Run:
peer ipv4-address enable

The capability of exchanging VPNv4 routes between the PE and the RR is enabled.

----End

3.14.3 Configuring the RR to Establish MP IBGP Connections with the Client PEs

MP-IBGP connections are configured between the RR and all its clients (PEs) to facilitate
VPNv4 route reflection.

Context
Choose one of the following schemes to configure the RR.

Procedure
• Configuring the RR to Establish MP IBGP Connections with the Peer Group
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
group group-name [ internal ]

An IBGP peer group is created.


4. Run:
peer group-name connect-interface interface-type interface-number

The interface is specified as an interface to establish the TCP connection. The IP
address of the interface must be the same as the MPLS LSR ID. It is recommended to
specify a loopback interface to establish the TCP connection.
5. Run:
ipv4-family vpnv4

The BGP VPNv4 address family view is displayed.


6. Run:
peer group-name enable

The capability of exchanging IPv4 VPN routes between the RR and the peer group is
enabled.
7. Run:
peer ip-address group group-name

The peer is added to the peer group.


• Configuring the RR to establish an MP IBGP connection with each client PE
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
peer ipv4-address as-number as-number

The client PE is specified as the BGP peer.


4. Run:
peer ipv4-address connect-interface interface-type interface-number

The interface is specified as an interface to establish the TCP connection.


The IP address of the interface must be the same as the MPLS LSR ID. It is
recommended to specify a loopback interface to establish the TCP connection.
5. Run:
ipv4-family vpnv4

The BGP VPNv4 address family view is displayed.


6. Run:
peer ipv4-address enable

The capability of exchanging VPNv4 routes between the RR and the client PE is
enabled.
----End


3.14.4 Configuring Route Reflection for BGP IPv4 VPN routes


The premise of enabling BGP VPNv4 route reflection is that the RR has established the MP-
IBGP connections with all its clients (PEs).

Context
Do as follows on the RR:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bgp as-number

The BGP view is displayed.

Step 3 Run:
ipv4-family vpnv4

The BGP VPNv4 address family view is displayed.

Step 4 Enable route reflection for BGP VPNv4 routes on the RR.
• Run the peer group-name reflect-client command to enable route reflection if the RR
establishes the MP IBGP connection with the peer group consisting of client PEs.
• Run the peer ipv4-address reflect-client command repeatedly to enable route reflection if
the RR establishes the MP IBGP connection with each PE rather than peer group.

Step 5 Run:
undo policy vpn-target

The filtering of VPNv4 routes based on the VPN target is disabled.

Step 6 (Optional) Run:
rr-filter extcomm-filter-number

The reflection policy is configured for the RR.

----End

3.14.5 Checking the Configuration


After configuring an RR to optimize the VPN backbone layer, you can view BGP VPNv4 peer
information and VPNv4 routing information on the RR or its clients (PEs).

Prerequisite
The configurations of route reflection to optimize the VPN backbone layer are complete.


Procedure
• Run the display bgp vpnv4 all peer [ [ ipv4-address ] verbose ] command to check
information about the BGP VPNv4 peer on the RR or the Client PEs.
• Run the display bgp vpnv4 all routing-table peer ipv4-address { advertised-routes |
received-routes } command or display bgp vpnv4 all routing-table statistics command
to check information about the routes received from the peer or the routes advertised to the
peer on the RR or the Client PEs.
• Run the display bgp vpnv4 all group [ group-name ] command to check information about
the VPNv4 peer group on the RR.

----End

Example
If the configurations succeed,

• You can find that the status of the MP IBGP connections between the RR and all Client
PEs is "Established" after running the display bgp vpnv4 all peer command on the RR or
Client PEs.
• You can find that the RR and each Client PE can receive and send VPNv4 routing
information between each other after running the display bgp vpnv4 all routing-table
peer command on the RR or the Client PEs.
• If the peer group is configured, you can view information about the group members and
find that the status of the BGP connections between the RR and the group members is
"Established" after running the display bgp vpnv4 all group command on the RR.

3.15 Configuring Route Reflection to Optimize the VPN Access Layer

If a PE and the connected CEs are in the same AS, you can deploy a BGP route RR to reduce
the number of IBGP connections between CEs and facilitate maintenance and management.

3.15.1 Establishing the Configuration Task


Before configuring an RR to optimize the VPN access layer, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the required data. This
can help you complete the configuration task quickly and accurately.

Applicable Environment
If a PE and multiple CEs accessing the PE are located in the same AS, to reduce the IBGP
connections between the CEs, the PE can be configured as an RR to reflect the routes of the
VPN instance, and the CEs can be configured as clients, which are called Client CEs. This
simplifies and facilitates network maintenance and management.

Pre-configuration Tasks
Before configuring route reflection to optimize the VPN access layer, complete the following
tasks:

• Configure a routing protocol for the MPLS backbone network to implement IP interworking
between the switches in the backbone network.

Data Preparation
Before configuring route reflection to optimize the VPN access layer, you need the following
data.

No.  Data
1    Local AS number and peer AS number
2    Type and number of the interfaces used to set up the TCP connection
3    BGP peer group name and IP addresses of peers

3.15.2 Configuring All Client CEs to Establish IBGP Connections with the RR
This part describes how to configure an IBGP connection between the client (a CE) and the RR
to reflect VPNv4 routes.

Context
Do as follows on all Client CEs:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bgp as-number

The BGP view is displayed.

Step 3 Run:
peer ipv4-address as-number as-number

The RR is specified as the BGP peer.

Step 4 Run:
peer ipv4-address connect-interface interface-type interface-number

The interface is specified as an interface to establish the TCP connection.

The IP address of the interface must be the same as the MPLS LSR ID. It is recommended to
specify a loopback interface to establish the TCP connection.

----End

3.15.3 Configuring the RR to Establish MP IBGP Connections with All Client CEs
This part describes how to configure MP-IBGP connections between the RR and all its clients
(CEs) to reflect VPNv4 routes to all clients (CEs).

Context
Do as follows on the RR:

Procedure
• Establishing the MP-IBGP Connection with the Peer Group
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP VPN instance view is displayed.


4. Run:
group group-name [ internal ]

An IBGP peer group is created.


5. Run:
peer group-name connect-interface interface-type interface-number

The interface is specified as an interface to establish the TCP connection.


6. Run:
peer ip-address group group-name

The peer is added to the peer group.


• Establishing the MP-IBGP Connection with Each Peer
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP VPN instance view is displayed.


4. Run:
peer ipv4-address as-number as-number

The peer of the BGP IPv4 VPN instance is configured.


5. Run:
peer ipv4-address connect-interface interface-type interface-number

The interface is specified as an interface to establish the TCP connection.


Perform Step 1 to Step 5 repeatedly on the RR to establish MP-IBGP connections with all
client CEs.
----End

3.15.4 Configuring Route Reflection for the Routes of the BGP VPN Instance
Before enabling BGP VPNv4 route reflection, the RR must have established MP-IBGP connections
with all its clients (CEs).

Context
Do as follows on the RR:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family vpn-instance vpn-instance-name

The BGP VPN instance view is displayed.


Step 4 Enable route reflection for the routes of the BGP VPN instance on the RR.
• Run the peer group-name reflect-client command to enable route reflection if the RR
establishes the IBGP connection with the peer group consisting of all Client CEs.
• Run the peer ipv4-address reflect-client command repeatedly to enable route reflection if
the RR establishes the IBGP connection with each PE rather than the peer group.
Step 5 (Optional) Run:
reflect between-clients

Route reflection between the Client CEs is enabled.


By default, route reflection between the Client CEs is enabled.
If the Client CEs are fully connected, you can use the undo reflect between-clients command
to disable route reflection between the clients to reduce the cost.
Step 6 (Optional) Run:
reflector cluster-id cluster-id

The cluster ID of the RR is set.


If a cluster has multiple RRs, you can use this command to set the same cluster ID for these RRs
to prevent routing loops. By default, the cluster ID is the router ID.

----End
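
How the reflect-client, reflect between-clients, and reflector cluster-id settings in this procedure interact can be seen in a small model. The following Python is an added illustration, not Huawei code: it applies the standard route-reflection rules of RFC 4456, treats every received route as the best path, and uses constructed names (PE-RR, RR-A, RR-B, CE1 to CE3) in place of router IDs.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    originator_id: Optional[str] = None   # ORIGINATOR_ID, set by the first RR
    cluster_list: Tuple[str, ...] = ()    # CLUSTER_LIST, one entry per RR crossed


@dataclass
class Reflector:
    router_id: str
    clients: Set[str]                     # peers marked "peer ... reflect-client"
    non_clients: Set[str] = field(default_factory=set)  # other IBGP peers
    cluster_id: Optional[str] = None      # "reflector cluster-id"; default is the router ID
    between_clients: bool = True          # "reflect between-clients" (on by default)

    def __post_init__(self) -> None:
        if self.cluster_id is None:
            self.cluster_id = self.router_id

    def accepts(self, route: Route) -> bool:
        """Inbound loop checks: own ORIGINATOR_ID or own cluster ID means drop."""
        return (route.originator_id != self.router_id
                and self.cluster_id not in route.cluster_list)

    def reflect(self, route: Route, from_peer: str) -> Dict[str, Route]:
        """Return {peer: advertised route} for a route learned from an IBGP peer."""
        if from_peer not in self.clients | self.non_clients:
            raise ValueError(f"{from_peer} is not a configured IBGP peer")
        if not self.accepts(route):
            return {}
        out = replace(
            route,
            originator_id=route.originator_id or from_peer,
            cluster_list=(self.cluster_id,) + route.cluster_list,
        )
        if from_peer in self.clients:
            # Client routes always go to non-clients; to other clients only
            # while "reflect between-clients" is enabled.
            targets = set(self.non_clients)
            if self.between_clients:
                targets |= self.clients - {from_peer}
        else:
            # Routes from a non-client IBGP peer go to the clients only.
            targets = set(self.clients)
        return {peer: out for peer in sorted(targets)}


# Constructed prefix, originated by CE1 in both scenarios below.
PREFIX = Route("192.0.2.0/24")


def reflect_from_ce1(between_clients: bool) -> List[str]:
    """One RR (the PE) with three Client CEs: who receives CE1's route?"""
    rr = Reflector("PE-RR", clients={"CE1", "CE2", "CE3"},
                   between_clients=between_clients)
    return sorted(rr.reflect(PREFIX, "CE1"))


def second_rr_result(shared_cluster_id: Optional[str]) -> Dict[str, Route]:
    """Two RRs serve the same clients. RR-A reflects CE1's route to RR-B;
    return what RR-B advertises after its own inbound checks."""
    rr_a = Reflector("RR-A", clients={"CE1", "CE2"}, non_clients={"RR-B"},
                     cluster_id=shared_cluster_id)
    rr_b = Reflector("RR-B", clients={"CE1", "CE2"}, non_clients={"RR-A"},
                     cluster_id=shared_cluster_id)
    from_a = rr_a.reflect(PREFIX, "CE1")["RR-B"]
    return rr_b.reflect(from_a, "RR-A")


if __name__ == "__main__":
    print("between-clients on :", reflect_from_ce1(True))
    print("between-clients off:", reflect_from_ce1(False))
    # Same cluster ID on both RRs: RR-B finds its own ID in CLUSTER_LIST and drops.
    print("shared cluster ID  :", second_rr_result("0.0.0.100"))
    # Default cluster IDs (router IDs): RR-B accepts and reflects again; CE1
    # discards its copy because ORIGINATOR_ID is its own router ID.
    for peer, route in second_rr_result(None).items():
        print("default cluster ID :", peer, route)
```

With undo reflect between-clients the RR still forwards client routes to non-client IBGP peers; only client-to-client reflection stops, which is why the guide ties that setting to fully connected Client CEs.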

3.15.5 Checking the Configuration


After configuring an RR to optimize the VPN access layer, you can view information on the RR
about peers of the BGP VPN instance, routes received from the peers, and the VPNv4 routes
advertised to the peers.

Prerequisite
The configuration of route reflection to optimize the VPN access layer is complete.

Procedure
• Run the display bgp [ vpnv4 vpn-instance vpn-instance-name ] peer [ ipv4-address ]
verbose command to check information about the peer group of the BGP VPN instance on
the RR.
• Run the display bgp peer [ ipv4-address ] verbose command to check information about
the BGP peer on the Client CE.
• Run the display bgp vpnv4 all routing-table peer ipv4-address { advertised-routes |
received-routes } command or display bgp vpnv4 all routing-table statistics command
to check information about the routes received from the peer or the routes advertised to the
peer on the RR.
• Run the display bgp routing-table peer ipv4-address { advertised-routes |
received-routes } command or display bgp routing-table statistics command to check
information about the routes received from the peer or the routes advertised to the peer on
the Client CE.
• Run the display bgp vpnv4 vpn-instance vpn-instance-name group [ group-name ]
command to check information about the VPNv4 peer group on the RR.
• Run the display bgp group [ group-name ] command to check information about the
VPNv4 peer group on the CE.
----End

Example
If the configuration succeeds, you can verify the following:
• You can find that the status of the MP IBGP connections between the RR and all Client
CEs is "Established" after running the display bgp vpnv4 all peer command on the RR.
• You can find that the status of the IBGP connections between the RR and all Client CEs is
"Established" after running the display bgp peer command on the Client CE.
• You can view the routing information advertised by the RR to the Client CE or the routing
information advertised by the Client CE to the RR after running the display bgp vpnv4
all routing-table peer command on the RR.
• You can view the routing information advertised by the Client CE to the RR and the routing
information advertised by the RR to the Client CE after running the display bgp
routing-table peer ipv4-address { advertised-routes | received-routes } command or display bgp
vpnv4 all routing-table statistics command on the Client CE.
• If the peer group is configured, you can view information about the group members and
find that the status of the BGP connections between the RR and the group members is
"Established" after running the display bgp vpnv4 all group command on the RR.

3.16 Maintaining BGP/MPLS IP VPN


This section describes how to maintain the BGP/MPLS IP VPN, which involves L3VPN traffic
checking, network connectivity monitoring, and BGP connection resetting.

3.16.1 Viewing the Integrated Route Statistics of All IPv4 VPN Instances
Integrated route statistics of all VPN instances refer to the sum of statistics of all VPN instances.

Procedure
• Run the display ip routing-table all-vpn-instance statistics command to check the
integrated route statistics of all VPN instances.

----End

3.16.2 Displaying BGP/MPLS IP VPN Information


This section describes how to monitor the running status of the BGP/MPLS IP VPN, which
involves VPN instance information checking, VPNv4 peer information checking, and BGP peer
log information checking.

Context
In routine maintenance, you can run the following commands in any view to check the status of
BGP/MPLS IP VPN.

Procedure
• Run the display ip routing-table vpn-instance vpn-instance-name command to check the
IP routing table of a VPN instance.
• Run the display ip vpn-instance [ verbose ] [ vpn-instance-name ] command to check
information about the VPN instance.
• Run the display bgp [ vpnv4 { all | vpn-instance vpn-instance-name } ] routing-table
label command to check information about labeled routes in the BGP routing table.
• Run the display bgp vpnv4 { all | route-distinguisher route-distinguisher |
vpn-instance vpn-instance-name } routing-table ipv4-address [ mask | mask-length ] command
to check information about the BGP VPNv4 routing table.
• Run the display bgp vpnv4 { all | route-distinguisher route-distinguisher |
vpn-instance vpn-instance-name } routing-table statistics [ match-options ] command to
check statistics about the BGP VPNv4 routing table.

• Run the display bgp vpnv4 { all | route-distinguisher route-distinguisher |
vpn-instance vpn-instance-name } routing-table [ match-options ] command to check
information about the BGP VPNv4 routing table.
• Run the display bgp vpnv4 { all | vpn-instance vpn-instance-name } group
[ group-name ] command to check information about the BGP VPNv4 peer group.
• Run the display bgp vpnv4 { all | vpn-instance vpn-instance-name } peer
[ [ ipv4-address ] verbose ] command to check BGP VPNv4 peer information.
• Run the display bgp vpnv4 { all | vpn-instance vpn-instance-name } network command
to check the routing information advertised by BGP VPNv4.
• Run the display bgp vpnv4 { all | vpn-instance vpn-instance-name } paths
[ as-regular-expression ] command to check the AS path information of BGP VPNv4.
• Run the display bgp vpnv4 vpn-instance vpn-instance-name peer { group-name |
ipv4-address } log-info command to check the BGP peer's log information of a specified VPN
instance.

----End

3.16.3 Checking the Network Connectivity and Reachability


This section describes how to use the ping command to detect the network connectivity between
the source and the destination, and how to use the tracert command to check the devices through
which data packets are sent from the source to the destination.

Procedure
• Run the ping [ ip ] [ -a source-ip-address | -c count | -d | -f | -h ttl-value |
-i interface-type interface-number | -m time | -n | -p pattern | -q | -r | -s packetsize |
-t timeout | -tos tos-value | -v | -vpn-instance vpn-instance-name ] * host command to
check the network connectivity.
• Run the tracert [ -a source-ip-address | -f first-ttl | -m max-ttl | -p port | -q nqueries |
-vpn-instance vpn-instance-name | -w timeout ] * host command to trace the gateways that
the packet passes by from the source to the destination.
• Run the ping lsp [ -a source-ip | -c count | -exp exp-value | -h ttl-value | -m interval |
-r reply-mode | -s packet-size | -t time-out | -v ] * vpn-instance vpn-name remote
remote-address mask-length command to check the connectivity of the L3VPN LSP.

----End

Example
After the VPN configuration, using the ping command with vpn-instance vpn-instance-name
on the PE, you can check whether the PE and the CEs that belong to the same VPN can
communicate with each other. If the ping fails, you can use the tracert command with vpn-
instance vpn-instance-name to locate the fault.

If multiple interfaces bound to the same VPN exist on the PE, specify the source IP address
(that is, -a source-ip-address) when you ping or tracert the remote CE that accesses the peer PE.
Otherwise, the ping or tracert may fail.

If you do not specify a source IP address, the PE chooses the smallest IP address of the interface
bound to the VPN on the PE as the source address of the ICMP packet randomly. If no route to
the selected address exists on the CE, the ICMP packet sent back from the peer PE is discarded.

3.16.4 Resetting BGP Statistics of a VPN Instance


BGP statistics of the VPN instance cannot be restored after being cleared. Exercise caution when
performing the action.

Procedure
• Run the reset bgp vpn-instance vpn-instance-name [ ipv4-address ] flap-info command
in the user view to clear statistics of the BGP peer flap for a specified VPN instance.
• Run the reset bgp vpn-instance vpn-instance-name dampening [ ipv4-address [ mask |
mask-length ] ] command in the user view to clear dampening information of the VPN
instance.

----End

3.16.5 Resetting BGP Connections


After BGP configurations are changed, you can validate the new configurations through soft
reset or reset of the BGP connection. Note that resetting the BGP connection leads to the
interruption of VPN services.

Context

CAUTION
VPN services are interrupted after the BGP connection is reset. Exercise caution when running
the commands.

When the BGP configuration changes, you can soft-reset or reset the BGP connections to
let the new configurations take effect. Soft reset requires that the BGP peers have the
route-refresh capability (that is, they support Route-Refresh messages).

Procedure
• Run the refresh bgp vpn-instance vpn-instance-name { all | ipv4-address | group
group-name | internal | external } import command in the user view to trigger the inbound
soft reset of the VPN instance's BGP connection.
• Run the refresh bgp vpn-instance vpn-instance-name { all | ipv4-address | group
group-name | internal | external } export command in the user view to trigger the outbound
soft reset of the VPN instance's BGP connection.
• Run the refresh bgp vpnv4 { all | ipv4-address | group group-name | internal | external }
import command in the user view to trigger the inbound soft reset of the BGP VPNv4
connection.
• Run the refresh bgp vpnv4 { all | ipv4-address | group group-name | internal | external }
export command in the user view to trigger the outbound soft reset of the BGP VPNv4
connection.
• Run the reset bgp vpn-instance vpn-instance-name { as-number | ipv4-address | group
group-name | all | internal | external } command in the user view to reset BGP connections
of the VPN instance.

• Run the reset bgp vpnv4 { as-number | ipv4-address | group group-name | all | internal |
external } command in the user view to reset BGP VPNv4 connections.
----End

3.16.6 Debugging BGP/MPLS IP VPN


Run the relevant debugging command to view the debugging information and locate the fault.
Note that debugging affects the performance of the system.

Context

CAUTION
Debugging affects system performance. After debugging is complete, run the undo debugging
all command to disable debugging immediately.

Run the following debugging commands in the user view to debug BGP/MPLS IP VPN and
locate the fault.
For more information, see the chapter "Information Center Configuration" in the S7700 Smart
Routing Switch Configuration Guide - System Management. For the description about the
debugging commands, see the Quidway S7700 Smart Routing Switch Debugging Reference.

Procedure
• Run the debugging bgp vpn-instance vpn-instance-name peer-address { all | event |
graceful-restart | timer } command in the user view to enable the debugging of the
specified BGP peers in a VPN instance.
• Run the debugging bgp vpn-instance vpn-instance-name peer-address { keepalive |
open | packet | raw-packet | route-refresh } [ receive | send ] [ verbose ] command in
the user view to enable the packet debugging of the specified BGP peers in a VPN instance.
• Run the debugging bgp update vpn-instance vpn-instance-name [ peer ip-address | acl
acl-number | ip-prefix ip-prefix-name ] [ receive | send ] [ verbose ] command in the user
view to enable the BGP Update packets debugging of VPN instances.
• Run the debugging bgp update vpnv4 [ peer ip-address | acl acl-number | ip-prefix
ip-prefix-name ] [ receive | send ] [ verbose ] command in the user view to enable the BGP
Update packets debugging of BGP VPNv4 routes.
• Run the debugging bgp update label-route [ peer ip-address ] [ acl acl-number |
ip-prefix ip-prefix-name ] [ receive | send ] [ verbose ] command in the user view to enable
the BGP Update packets debugging of labeled routes.
----End

3.17 Configuration Examples


This section provides several configuration examples of VPN networking. In each configuration
example, the networking requirements, configuration roadmap, configuration notes,
configuration procedures, and configuration files are described.

3.17.1 Example for Configuring the BGP/MPLS IP VPN

Networking Requirements
As shown in Figure 3-3, CE1 and CE3 belong to vpna, and CE2 and CE4 belong to vpnb. The
VPN target of vpna is 111:1, and the VPN target of vpnb is 222:2. Users in different VPNs
cannot access each other.

Figure 3-3 Networking diagram for configuring BGP/MPLS IP VPN

[Diagram: MPLS backbone (AS 100) with PE1 (Loopback1 1.1.1.9/32), P (Loopback1
2.2.2.9/32), and PE2 (Loopback1 3.3.3.9/32). VPN-A sites: CE1 (AS 65410) and CE3
(AS 65430). VPN-B sites: CE2 (AS 65420) and CE4 (AS 65440). CE1 and CE2 connect to
PE1; CE3 and CE4 connect to PE2. Interfaces and addresses are listed in the table below.]

Device  Interface             VLANIF interface  IP address
PE1     GigabitEthernet1/0/0  VLANIF 10         10.1.1.2/24
        GigabitEthernet2/0/0  VLANIF 20         10.2.1.2/24
        GigabitEthernet3/0/0  VLANIF 30         172.1.1.1/24
PE2     GigabitEthernet1/0/0  VLANIF 40         10.3.1.2/24
        GigabitEthernet2/0/0  VLANIF 50         10.4.1.2/24
        GigabitEthernet3/0/0  VLANIF 60         172.2.1.2/24
P       GigabitEthernet1/0/0  VLANIF 30         172.1.1.2/24
        GigabitEthernet2/0/0  VLANIF 60         172.2.1.1/24
CE1     GigabitEthernet1/0/0  VLANIF 10         10.1.1.1/24
CE2     GigabitEthernet1/0/0  VLANIF 20         10.2.1.1/24
CE3     GigabitEthernet1/0/0  VLANIF 40         10.3.1.1/24
CE4     GigabitEthernet1/0/0  VLANIF 50         10.4.1.1/24
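
The isolation requirement above (vpna uses VPN target 111:1, vpnb uses 222:2, and users in different VPNs must not reach each other) can be audited from the PEs' display ip vpn-instance verbose output by checking that no instance imports a VPN target exported by a differently named instance. The following Python is an added example, not part of the Huawei guide; the sample text is constructed in that output's layout, and listing several VPN targets on one line separated by spaces is an assumption.

```python
from typing import Dict, List, Tuple

# Constructed sample text in the layout of "display ip vpn-instance verbose".
# Assumption: several VPN targets on one line are separated by spaces.
TEMPLATE = """\
Total VPN-Instances configured : 2

VPN-Instance Name and ID : vpna, 1
  Route Distinguisher : {rd_a}
  Export VPN Targets : 111:1
  Import VPN Targets : 111:1

VPN-Instance Name and ID : vpnb, 2
  Route Distinguisher : {rd_b}
  Export VPN Targets : 222:2
  Import VPN Targets : {vpnb_import}
"""
PE1_OUTPUT = TEMPLATE.format(rd_a="100:1", rd_b="100:2", vpnb_import="222:2")
PE2_OUTPUT = TEMPLATE.format(rd_a="200:1", rd_b="200:2", vpnb_import="222:2")
# Constructed misconfiguration: vpnb on PE2 also imports vpna's target.
PE2_BAD_OUTPUT = TEMPLATE.format(rd_a="200:1", rd_b="200:2",
                                 vpnb_import="222:2 111:1")

Leak = Tuple[str, str, List[str]]  # (exporter, importer, shared VPN targets)


def parse_vpn_instances(device: str, text: str) -> List[dict]:
    """Extract name, RD and import/export VPN targets for each instance."""
    instances: List[dict] = []
    current = None
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split at the first colon only
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "VPN-Instance Name and ID":
            current = {"device": device, "name": value.split(",")[0].strip(),
                       "rd": "", "export": set(), "import": set()}
            instances.append(current)
        elif current is None:
            continue                            # header lines before any instance
        elif key == "Route Distinguisher":
            current["rd"] = value
        elif key == "Export VPN Targets":
            current["export"].update(value.split())
        elif key == "Import VPN Targets":
            current["import"].update(value.split())
    return instances


def find_leaks(instances: List[dict]) -> List[Leak]:
    """A leak exists when an instance imports a target that a differently
    named instance exports, on the same PE or on any other PE."""
    leaks: List[Leak] = []
    for src in instances:
        for dst in instances:
            if src["name"] == dst["name"]:
                continue                        # same VPN: matching is intended
            shared = src["export"] & dst["import"]
            if shared:
                leaks.append((f'{src["device"]}/{src["name"]}',
                              f'{dst["device"]}/{dst["name"]}',
                              sorted(shared)))
    return sorted(leaks)


def audit(outputs: Dict[str, str]) -> List[Leak]:
    """outputs maps a device name to its captured command output."""
    instances: List[dict] = []
    for device, text in outputs.items():
        instances.extend(parse_vpn_instances(device, text))
    return find_leaks(instances)


if __name__ == "__main__":
    print("as configured :", audit({"PE1": PE1_OUTPUT, "PE2": PE2_OUTPUT}))
    for leak in audit({"PE1": PE1_OUTPUT, "PE2": PE2_BAD_OUTPUT}):
        print("misconfigured :", leak)
```

A leak reported in only one direction still matters: the importing VPN learns the other VPN's routes even though return traffic has no route back.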

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure VPN instances on the PEs connected to CEs on the backbone network and bind
related VPNs to the interfaces connected to the CEs.
2. Configure OSPF on the PEs and P to implement interconnection between PEs.
3. Configure the basic MPLS capabilities and LDP and create an MPLS LSP.
4. Configure MP-IBGP for exchanging routing information between the VPNs.
5. Configure EBGP for exchanging VPN routing information between the CE and PE.

Data Preparation
To complete the configuration, you need the following data:
• IDs of the VLANs that the interfaces belong to, as shown in Figure 3-3
• IP address of each VLAN interface, as shown in Figure 3-3
• MPLS LSR-IDs of PE and P
• RDs of vpna and vpnb
• VPN targets of received and sent routes of vpna and vpnb

Procedure
Step 1 Configure IGP on the MPLS backbone network so that PEs and P can interwork.
# Configure PE1.
<Quidway> system-view
[Quidway] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] vlan batch 10 20 30
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port hybrid pvid vlan 10
[PE1-GigabitEthernet1/0/0] port hybrid untagged vlan 10
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[PE1-GigabitEthernet2/0/0] port hybrid untagged vlan 20
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] port hybrid pvid vlan 30
[PE1-GigabitEthernet3/0/0] port hybrid untagged vlan 30
[PE1-GigabitEthernet3/0/0] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] ip address 172.1.1.1 24
[PE1-Vlanif30] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure the P.
<Quidway> system-view
[Quidway] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.9 32
[P-LoopBack1] quit
[P] vlan batch 30 60
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[P-GigabitEthernet1/0/0] port hybrid untagged vlan 30
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port hybrid pvid vlan 60
[P-GigabitEthernet2/0/0] port hybrid untagged vlan 60
[P-GigabitEthernet2/0/0] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 172.1.1.2 24
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] ip address 172.2.1.1 24
[P-Vlanif60] quit
[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit

# Configure PE2.
<Quidway> system-view
[Quidway] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.9 32
[PE2-LoopBack1] quit
[PE2] vlan batch 40 50 60
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port hybrid pvid vlan 40
[PE2-GigabitEthernet1/0/0] port hybrid untagged vlan 40
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port hybrid pvid vlan 50
[PE2-GigabitEthernet2/0/0] port hybrid untagged vlan 50
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface gigabitethernet 3/0/0
[PE2-GigabitEthernet3/0/0] port hybrid pvid vlan 60
[PE2-GigabitEthernet3/0/0] port hybrid untagged vlan 60
[PE2-GigabitEthernet3/0/0] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] ip address 172.2.1.2 24
[PE2-Vlanif60] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

After the configuration, OSPF adjacencies are established between PE1, P, and PE2. By running
the display ospf peer command, you can see that the status of the OSPF adjacency is Full. By
running the display ip routing-table command, you can see that the PEs can learn the routes
of each other's Loopback1 interface.
Take PE1 for example.

[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 12       Routes : 12

Destination/Mask    Proto   Pre  Cost  Flags  NextHop    Interface

1.1.1.9/32          Direct  0    0     D      127.0.0.1  InLoopBack0
2.2.2.9/32          OSPF    10   1     D      172.1.1.2  Vlanif30
3.3.3.9/32          OSPF    10   2     D      172.1.1.2  Vlanif30
127.0.0.0/8         Direct  0    0     D      127.0.0.1  InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1  InLoopBack0
127.255.255.255/32  Direct  0    0     D      127.0.0.1  InLoopBack0
172.1.1.0/24        Direct  0    0     D      172.1.1.1  Vlanif30
172.1.1.1/32        Direct  0    0     D      127.0.0.1  InLoopBack0
172.1.1.2/32        Direct  0    0     D      172.1.1.2  Vlanif30
172.1.1.255/32      Direct  0    0     D      127.0.0.1  InLoopBack0
172.2.1.0/24        OSPF    10   2     D      172.1.1.2  Vlanif30
255.255.255.255/32  Direct  0    0     D      127.0.0.1  InLoopBack0

[PE1] display ospf peer

          OSPF Process 1 with Router ID 1.1.1.9
                  Neighbors

 Area 0.0.0.0 interface 172.1.1.1(Vlanif30)'s neighbors
 Router ID: 172.1.1.2        Address: 172.1.1.2
   State: Full  Mode:Nbr is Master  Priority: 1
   DR: None   BDR: None   MTU: 1500
   Dead timer due in 37 sec
   Neighbor is up for 00:16:21
   Authentication Sequence: [ 0 ]

Step 2 Configure basic MPLS functions and MPLS LDP on the MPLS backbone network and set up
LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] mpls
[PE1-Vlanif30] mpls ldp
[PE1-Vlanif30] quit

# Configure the P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] mpls
[P-Vlanif60] mpls ldp
[P-Vlanif60] quit

# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit

[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] mpls
[PE2-Vlanif60] mpls ldp
[PE2-Vlanif60] quit

After the configuration, LDP sessions are established between PE1 and P, and between P and
PE2. By running the display mpls ldp session command, you can see that the status of the LDP
sessions is Operational. By running the display mpls ldp lsp command, you can see the
establishment status of the LDP LSP.

Take PE1 for example.


[PE1] display mpls ldp session

 LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
 A '*' before a session means the session is being deleted.
 ------------------------------------------------------------------------------
 Peer-ID      Status       LAM  SsnRole  SsnAge      KA-Sent/Rcv
 ------------------------------------------------------------------------------
 2.2.2.9:0    Operational  DU   Active   0000:00:01  6/6
 ------------------------------------------------------------------------------
 TOTAL: 1 session(s) Found.

[PE1] display mpls ldp lsp

 LDP LSP Information
 -------------------------------------------------------------------------------
 DestAddress/Mask  In/OutLabel  UpstreamPeer  NextHop    OutInterface
 -------------------------------------------------------------------------------
 1.1.1.9/32        3/NULL       2.2.2.9       127.0.0.1  InLoop0
*1.1.1.9/32        Liberal
 2.2.2.9/32        NULL/3       -             172.1.1.2  Vlanfi30
 2.2.2.9/32        1024/3       2.2.2.9       172.1.1.2  Vlanfi30
 3.3.3.9/32        NULL/1025    -             172.1.1.2  Vlanfi30
 3.3.3.9/32        1025/1025    2.2.2.9       172.1.1.2  Vlanfi30
 -------------------------------------------------------------------------------
 TOTAL: 5 Normal LSP(s) Found.
 TOTAL: 1 Liberal LSP(s) Found.
 TOTAL: 0 Frr LSP(s) Found.
 A '*' before an LSP means the LSP is not established
 A '*' before a Label means the USCB or DSCB is stale
 A '*' before a UpstreamPeer means the session is in GR state
 A '*' before a NextHop means the LSP is FRR LSP

Step 3 Configure VPN instances on each PE and connect the CEs to the PEs.

# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna] vpn-target 111:1 both
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] route-distinguisher 100:2
[PE1-vpn-instance-vpnb] vpn-target 222:2 both
[PE1-vpn-instance-vpnb] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip binding vpn-instance vpna
[PE1-Vlanif10] ip address 10.1.1.2 24
[PE1-Vlanif10] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip binding vpn-instance vpnb
[PE1-Vlanif20] ip address 10.2.1.2 24
[PE1-Vlanif20] quit

# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna] vpn-target 111:1 both
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] route-distinguisher 200:2
[PE2-vpn-instance-vpnb] vpn-target 222:2 both
[PE2-vpn-instance-vpnb] quit
[PE2] interface vlanif 40
[PE2-Vlanif40] ip binding vpn-instance vpna
[PE2-Vlanif40] ip address 10.3.1.2 24
[PE2-Vlanif40] quit
[PE2] interface vlanif 50
[PE2-Vlanif50] ip binding vpn-instance vpnb
[PE2-Vlanif50] ip address 10.4.1.2 24
[PE2-Vlanif50] quit

# Configure IP addresses of the interfaces on the CEs according to Figure 3-3. The configuration
procedure is not given here.

After the configuration, run the display ip vpn-instance verbose command on the PEs, and you
can see the configuration of the VPN instances. The PEs can ping the connected CEs
successfully.

NOTE

If multiple interfaces on a PE are bound to the same VPN, you must specify the source address when you
run the ping -vpn-instance command to ping the CE connected to the peer PE. That is, specify -a source-
ip-address in the ping -vpn-instance vpn-instance-name -a source-ip-address destination-address
command. Otherwise, the ping operation may fail.

Take PE1 and CE1 for example.


[PE1] display ip vpn-instance verbose
 Total VPN-Instances configured : 2

 VPN-Instance Name and ID : vpna, 1
  Create date : 2008/11/24 16:28:27 UTC-08:00
  Up time : 0 days, 00 hours, 11 minutes and 25 seconds
  Route Distinguisher : 100:1
  Export VPN Targets : 111:1
  Import VPN Targets : 111:1
  Label policy : label per route
  Log Interval : 5
  Interfaces : Vlanif10

 VPN-Instance Name and ID : vpnb, 2
  Create date : 2008/11/24 16:30:37 UTC-08:00
  Up time : 0 days, 00 hours, 09 minutes and 15 seconds
  Route Distinguisher : 100:2
  Export VPN Targets : 222:2
  Import VPN Targets : 222:2
  Label policy : label per route
  Log Interval : 5
  Interfaces : Vlanif20

[PE1] ping -vpn-instance vpna 10.1.1.1
  PING 10.1.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=5 ms
    Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=3 ms
    Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=3 ms
    Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=3 ms
    Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=16 ms

  --- 10.1.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/6/16 ms

Step 4 Set up EBGP peer relation between the PE and the CE and import VPN routes.
# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct

NOTE

The configuration procedures of CE2, CE3 and CE4 are similar to the configuration procedure of CE1 and
are not mentioned here.

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit

NOTE

The configuration procedure of PE2 is similar to the configuration procedure of PE1 and is not mentioned
here.

After the configuration, run the display bgp vpnv4 vpn-instance peer command on a PE, and
you can find that the BGP peer relation between the PE and CE is in Established state.
Take the peer relation between PE1 and CE1 for example:
[PE1] display bgp vpnv4 vpn-instance vpna peer

 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1

  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv

  118.118.118.2   4 65410       11        9     0 00:07:25 Established       1

Step 5 Set up MP-IBGP adjacency between the PEs.


# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit

After the configuration, run the display bgp peer or display bgp vpnv4 all peer command, and
you can see that the BGP peer relation between the PEs is in Established state.
[PE1] display bgp peer

BGP local router ID : 1.1.1.9


Local AS number : 100
Total number of peers : 1 Peers in established state : 1

Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv

3.3.3.9         4   100       12        6     0 00:02:21 Established       0

[PE1] display bgp vpnv4 all peer


BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 3 Peers in established state : 3

Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv

3.3.3.9         4   100       12       18     0 00:09:38 Established       0

Peer of vpn instance:

vpn instance vpna :
10.1.1.1        4 65410       25       25     0 00:17:57 Established       1
vpn instance vpnb :
10.2.1.1        4 65420       21       22     0 00:17:10 Established       1

Step 6 Verify the configuration.


Run the display ip routing-table vpn-instance command on the PE, and you can view the routes
to the remote CE.
Take PE1 for example.
[PE1] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 5 Routes : 5

Destination/Mask Proto Pre Cost Flags NextHop Interface


10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif10
10.1.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.1.1.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.3.1.0/24 BGP 255 0 RD 3.3.3.9 Vlanif30
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
[PE1] display ip routing-table vpn-instance vpnb
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpnb
Destinations : 5 Routes : 5

Destination/Mask Proto Pre Cost Flags NextHop Interface


10.2.1.0/24 Direct 0 0 D 10.2.1.2 Vlanif20
10.2.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.2.1.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.4.1.0/24 BGP 255 0 RD 3.3.3.9 Vlanif30
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

The CEs in the same VPN can ping each other, but the CEs in different VPNs cannot ping each
other.
For example, CE1 can ping CE3 (10.3.1.1) but cannot ping CE4 (10.4.1.1).
[CE1] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms
--- 10.3.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms
[CE1] ping 10.4.1.1
PING 10.4.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.4.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

----End

Configuration Files
• Configuration file of PE1
#
sysname PE1
#
vlan batch 10 20 30
#
ip vpn-instance vpna
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
ip vpn-instance vpnb
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
interface Vlanif30
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface GigabitEthernet3/0/0
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
import-route direct
#
ipv4-family vpn-instance vpnb
peer 10.2.1.1 as-number 65420
import-route direct
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
• Configuration file of P
#
sysname P
#
vlan batch 30 60
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif30
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 60
port hybrid untagged vlan 60
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
• Configuration file of PE2
#
sysname PE2
#
vlan batch 40 50 60
#
ip vpn-instance vpna
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif40
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface Vlanif50
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
#
interface Vlanif60
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 50
port hybrid untagged vlan 50
#
interface GigabitEthernet3/0/0
port hybrid pvid vlan 60
port hybrid untagged vlan 60
#

interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
peer 10.3.1.1 as-number 65430
import-route direct
#
ipv4-family vpn-instance vpnb
peer 10.4.1.1 as-number 65440
import-route direct
#
ospf 1
area 0.0.0.0
network 172.2.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return
• Configuration file of CE1
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
• Configuration file of CE2
#
sysname CE2
#
vlan batch 20
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
• Configuration file of CE3
#
sysname CE3
#
vlan batch 40
#
interface Vlanif40
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
bgp 65430
peer 10.3.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.3.1.2 enable
#
return

• Configuration file of CE4
#
sysname CE4
#
vlan batch 50
#
interface Vlanif50
ip address 10.4.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 50
port hybrid untagged vlan 50
#
bgp 65440
peer 10.4.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.4.1.2 enable
#
return

3.17.2 Example for Configuring Overlapping Addresses in Two BGP/MPLS IP VPNs
Networking Requirements
As shown in Figure 3-4, CE1 and CE2 belong to vpna and CE3 and CE4 belong to vpnb. The
VPN target of vpna is 100:100, and the VPN target of vpnb is 200:200. The users on different
VPNs cannot access each other.

Figure 3-4 Networking diagram of BGP/MPLS IP VPN
(Figure not reproduced. Loopback0 addresses shown in the figure: PE1 1.1.1.9/32, P 2.2.2.9/32, PE2 3.3.3.9/32.)

Device  Interface             VLANIF Interface  IP Address
PE1     GigabitEthernet1/0/1  VLANIF 10         12.1.1.1/24
        GigabitEthernet3/0/1  VLANIF 100        14.1.1.1/24
        GigabitEthernet3/0/2  VLANIF 101        14.1.1.1/24
PE2     GigabitEthernet2/0/1  VLANIF 20         23.1.1.2/24
        GigabitEthernet3/0/1  VLANIF 100        34.1.1.1/24
        GigabitEthernet3/0/2  VLANIF 101        34.1.1.1/24
P       GigabitEthernet1/0/1  VLANIF 10         12.1.1.2/24
        GigabitEthernet2/0/1  VLANIF 20         23.1.1.1/24
CE1     GigabitEthernet3/0/1  VLANIF 100        14.1.1.2/24
CE2     GigabitEthernet3/0/1  VLANIF 100        34.1.1.2/24
CE3     GigabitEthernet3/0/1  VLANIF 101        14.1.1.2/24
CE4     GigabitEthernet3/0/1  VLANIF 101        34.1.1.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure VPN instances on the PEs on the backbone network. Bind the interfaces
connected to CEs to the corresponding VPN instances so that CE1 and CE2 belong to a
VPN instance, and CE3 and CE4 belong to another VPN instance. Then assign IP addresses
to the PE interfaces connected to CEs.
2. Configure OSPF on the PEs to implement interconnection between PEs.
3. Enable MPLS and MPLS LDP on the PEs and P and set up an MPLS LSP.
4. Configure MP-IBGP between the PEs to exchange VPN routing information.
5. Configure static routes between the CEs and PEs.

Data Preparation
To complete the configuration, you need the following data:
• IDs of the VLANs that the interfaces belong to, as shown in Figure 3-4
• IP address of each VLANIF interface, as shown in Figure 3-4
• MPLS LSR-IDs of PEs and P
• RDs of vpna and vpnb
• VPN targets of vpna and vpnb

Procedure
Step 1 Configure VLANs that the interfaces belong to and assign IP addresses to the VLANIF interfaces
and loopback interfaces according to Figure 3-4.
The configuration procedure is not mentioned.
Step 2 Configure an IGP protocol on the MPLS backbone network so that PE and P routers can
communicate with each other.
# Configure PE1.
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 12.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure P.
[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 12.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 23.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit

# Configure PE2.
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 23.1.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

After the configuration, OSPF neighbor relationships are established between PE1, P, and PE2.
Run the display ospf peer command, and you can see that the neighbor status is Full. Run the
display ip routing-table command, and you can see that the PEs have learned the routes to
each other's Loopback0 interfaces.
Take the display on PE1 as an example.
[PE1] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 12 Routes : 12

Destination/Mask Proto Pre Cost Flags NextHop Interface

1.1.1.9/32 Direct 0 0 D 127.0.0.1 InLoopBack0
2.2.2.9/32 OSPF 10 1 D 12.1.1.2 Vlanif10
3.3.3.9/32 OSPF 10 2 D 12.1.1.2 Vlanif10
12.1.1.0/24 Direct 0 0 D 12.1.1.1 Vlanif10
12.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
12.1.1.2/32 Direct 0 0 D 12.1.1.2 Vlanif10
12.1.1.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
23.1.1.0/24 OSPF 10 2 D 12.1.1.2 Vlanif10
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Step 3 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS
backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] mpls
[PE1-Vlanif10] mpls ldp

# Configure P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 10
[P-Vlanif10] mpls
[P-Vlanif10] mpls ldp
[P-Vlanif10] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit

# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 20
[PE2-Vlanif20] mpls
[PE2-Vlanif20] mpls ldp
[PE2-Vlanif20] quit

After the configuration, LDP sessions should be set up between PE1 and P, and between PE2
and P. Run the display mpls ldp session command, and you can see that Status is
Operational. Run the display mpls ldp lsp command, and you can see whether the LDP LSPs
are established.
Take the display on PE1 as an example.
[PE1] display mpls ldp session

LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
Peer-ID Status LAM SsnRole SsnAge KA-Sent/Rcv
------------------------------------------------------------------------------
2.2.2.9:0 Operational DU Active 0000:00:01 6/6
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.

[PE1] display mpls ldp lsp

LDP LSP Information


-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
1.1.1.9/32 3/NULL 2.2.2.9 127.0.0.1 InLoop0
*1.1.1.9/32 Liberal
2.2.2.9/32 NULL/3 - 12.1.1.2 Vlanif10
2.2.2.9/32 1024/3 2.2.2.9 12.1.1.2 Vlanif10
3.3.3.9/32 NULL/1025 - 12.1.1.2 Vlanif10
3.3.3.9/32 1025/1025 2.2.2.9 12.1.1.2 Vlanif10
-------------------------------------------------------------------------------
TOTAL: 5 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is in GR state
A '*' before a NextHop means the LSP is FRR LSP

Step 4 Configure VPN instances on each PE and connect the CEs to the PEs.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:100
[PE1-vpn-instance-vpna] vpn-target 100:100 export-extcommunity
[PE1-vpn-instance-vpna] vpn-target 100:100 import-extcommunity
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] route-distinguisher 300:300
[PE1-vpn-instance-vpnb] vpn-target 200:200 export-extcommunity
[PE1-vpn-instance-vpnb] vpn-target 200:200 import-extcommunity
[PE1-vpn-instance-vpnb] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] ip binding vpn-instance vpna
[PE1-Vlanif100] ip address 14.1.1.1 255.255.255.0
[PE1-Vlanif100] quit
[PE1] interface vlanif 101
[PE1-Vlanif101] ip binding vpn-instance vpnb
[PE1-Vlanif101] ip address 14.1.1.1 255.255.255.0
[PE1-Vlanif101] quit

# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:200
[PE2-vpn-instance-vpna] vpn-target 100:100 export-extcommunity
[PE2-vpn-instance-vpna] vpn-target 100:100 import-extcommunity
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] route-distinguisher 400:400
[PE2-vpn-instance-vpnb] vpn-target 200:200 export-extcommunity
[PE2-vpn-instance-vpnb] vpn-target 200:200 import-extcommunity
[PE2-vpn-instance-vpnb] quit
[PE2] interface vlanif 100
[PE2-Vlanif100] ip binding vpn-instance vpna
[PE2-Vlanif100] ip address 34.1.1.1 255.255.255.0
[PE2-Vlanif100] quit
[PE2] interface vlanif 101
[PE2-Vlanif101] ip binding vpn-instance vpnb
[PE2-Vlanif101] ip address 34.1.1.1 255.255.255.0
[PE2-Vlanif101] quit

# Assign IP addresses to the interfaces on the CEs according to Figure 3-4. The configuration
procedure is not mentioned here.
After the configuration, run the display ip vpn-instance verbose command on the PEs, and you
can see the configuration of the VPN instances. The PEs can ping the connected CEs
successfully.
Take the display on PE1 and CE1 as an example.
[PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 2

VPN-Instance Name and ID : vpna, 1


Create date : 2008/11/24 16:28:27 UTC-08:00
Up time : 0 days, 00 hours, 11 minutes and 25 seconds
Route Distinguisher : 100:100
Export VPN Targets : 100:100
Import VPN Targets : 100:100
Label policy : label per route
Log Interval : 5
Interfaces : Vlanif100

VPN-Instance Name and ID : vpnb, 2


Create date : 2008/11/24 16:30:37 UTC-08:00
Up time : 0 days, 00 hours, 09 minutes and 15 seconds
Route Distinguisher : 300:300
Export VPN Targets : 200:200
Import VPN Targets : 200:200
Label policy : label per route
Log Interval : 5
Interfaces : Vlanif101

[PE1] ping -vpn-instance vpna 14.1.1.2


PING 14.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 14.1.1.2: bytes=56 Sequence=1 ttl=255 time=5 ms
Reply from 14.1.1.2: bytes=56 Sequence=2 ttl=255 time=3 ms
Reply from 14.1.1.2: bytes=56 Sequence=3 ttl=255 time=3 ms
Reply from 14.1.1.2: bytes=56 Sequence=4 ttl=255 time=3 ms
Reply from 14.1.1.2: bytes=56 Sequence=5 ttl=255 time=16 ms

--- 14.1.1.2 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/6/16 ms

Step 5 On CE1, CE2, CE3, and CE4, configure static routes to their connected PEs.
# Configure CE1.
[CE1] ip route-static 0.0.0.0 0.0.0.0 vlanif 100 14.1.1.1

NOTE

Configurations of CE2, CE3 and CE4 are similar to the configuration of CE1, and are not mentioned here.

Step 6 Set up MP-IBGP peer relations between PEs.


# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback0
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback0
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] ipv4-family vpn-instance vpna
[PE2-bgp-vpna] import-route direct
[PE2-bgp-vpna] quit
[PE2-bgp] ipv4-family vpn-instance vpnb
[PE2-bgp-vpnb] import-route direct
[PE2-bgp-vpnb] quit

After the configuration, run the display bgp peer command on a PE, and you can see that the
BGP peer relation between the PE and CE is in Established state.
[PE1]display bgp peer
BGP local router ID : 1.1.1.9
Local ASN : 100
Total number of peers : 1 Peers in established state : 1

Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv

3.3.3.9         4   100        3        3     0 00:01:08 Established       0

Step 7 Verify the configuration.


Run the display ip routing-table vpn-instance command on a PE, and you can view the routes
to the remote CE.
Take the display on PE1 as an example.
[PE1] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 5 Routes : 5

Destination/Mask Proto Pre Cost Flags NextHop Interface

14.1.1.0/24 Direct 0 0 D 14.1.1.1 Vlanif100


14.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
14.1.1.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
34.1.1.0/24 BGP 255 0 RD 3.3.3.9 Vlanif10
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

[PE1] display ip routing-table vpn-instance vpnb


Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpnb
Destinations : 5 Routes : 5

Destination/Mask Proto Pre Cost Flags NextHop Interface

14.1.1.0/24 Direct 0 0 D 14.1.1.1 Vlanif101


14.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
14.1.1.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
34.1.1.0/24 BGP 255 0 RD 3.3.3.9 Vlanif10
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Run the ping 34.1.1.1 command on CE1, and the ping is successful. Run the display
interface command to view the packet statistics on GE3/0/1 and GE3/0/2 of PE2, and
you can see that packets pass through GE3/0/1 but no packets pass through GE3/0/2.
This indicates that although the two VPN instances contain the same addresses, users
in the two VPNs cannot communicate with each other.

----End

Configuration Files
• Configuration file of PE1
#
sysname PE1
#
vlan batch 10 100 101
#
ip vpn-instance vpna
route-distinguisher 100:100
vpn-target 100:100 export-extcommunity
vpn-target 100:100 import-extcommunity
ip vpn-instance vpnb
route-distinguisher 300:300
vpn-target 200:200 export-extcommunity
vpn-target 200:200 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 12.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif100
ip binding vpn-instance vpna
ip address 14.1.1.1 255.255.255.0
#
interface Vlanif101
ip binding vpn-instance vpnb
ip address 14.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet3/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet3/0/2
port hybrid pvid vlan 101
port hybrid untagged vlan 101
#
interface LoopBack0
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
#
ipv4-family vpn-instance vpnb
import-route direct
#
ospf 1
area 0.0.0.0
network 12.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
• Configuration file of P
#
sysname P
#
vlan batch 10 20
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 12.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif20
ip address 23.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet2/0/1
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface LoopBack0
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 12.1.1.0 0.0.0.255
network 23.1.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
• Configuration file of PE2
#
sysname PE2
#
vlan batch 20 100 101
#
ip vpn-instance vpna
route-distinguisher 200:200
vpn-target 100:100 export-extcommunity
vpn-target 100:100 import-extcommunity
#
ip vpn-instance vpnb
route-distinguisher 400:400
vpn-target 200:200 export-extcommunity
vpn-target 200:200 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address 23.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif100
ip binding vpn-instance vpna
ip address 34.1.1.1 255.255.255.0
#
interface Vlanif101
ip binding vpn-instance vpnb
ip address 34.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/1
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface GigabitEthernet3/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet3/0/2
port hybrid pvid vlan 101
port hybrid untagged vlan 101
#
interface LoopBack0
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
#
ipv4-family vpn-instance vpnb
import-route direct
#
ospf 1
area 0.0.0.0
network 23.1.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return
• Configuration file of CE1
#
sysname CE1
#
vlan batch 100
#
interface Vlanif100
ip address 14.1.1.2 255.255.255.0
#
interface GigabitEthernet3/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 Vlanif 100 14.1.1.1
#
return

• Configuration file of CE2
#
sysname CE2
#
vlan batch 100
#
interface Vlanif100
ip address 34.1.1.2 255.255.255.0
#
interface GigabitEthernet3/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 Vlanif 100 34.1.1.1
#
return

• Configuration file of CE3
#
sysname CE3
#
vlan batch 101
#
interface Vlanif101
ip address 14.1.1.2 255.255.255.0
#
interface GigabitEthernet3/0/1
port hybrid pvid vlan 101
port hybrid untagged vlan 101
#
ip route-static 0.0.0.0 0.0.0.0 Vlanif 101 14.1.1.1
#
return

• Configuration file of CE4
#
sysname CE4
#
vlan batch 101
#
interface Vlanif101
ip address 34.1.1.2 255.255.255.0
#
interface GigabitEthernet3/0/1
port hybrid pvid vlan 101
port hybrid untagged vlan 101
#
ip route-static 0.0.0.0 0.0.0.0 Vlanif 101 34.1.1.1
#
return

3.17.3 Example for Configuring Mutual Access Between VPNs on S7700

Networking Requirements
As shown in Figure 3-5, the S7700 functions as the PE on the MPLS backbone. CE1 belongs
to vpna; CE2 belongs to vpnb.

It is required that CE1 and CE2 can communicate with each other.

NOTE

This example describes only how to configure mutual access between local VPNs on the S7700.
For details about configuring mutual access between local VPNs on an SPU board, see
3.17.4 Example for Configuring Mutual Access for Local VPNs on SPU Board.

Figure 3-5 Networking diagram for configuring mutual access between VPNs

Device  Interface  VLANIF interface  IP address
CE1     GE1/0/0    VLANIF 10         10.1.1.1/24
CE2     GE1/0/0    VLANIF 20         10.2.1.1/24
PE1     GE1/0/0    VLANIF 10         10.1.1.2/24
PE1     GE2/0/0    VLANIF 20         10.2.1.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. On the PE, configure VPN instances and set different VPN targets for the VPN instances.
2. On the PE, bind the interface connected to the CE to the VPN instance.
3. Enable the routing protocol on the CEs.

Data Preparation
To complete the configuration, you need the following data:
• VLAN IDs allowed by each interface and IP address of each VLANIF interface
• RD of the VPN
• VPN targets of the received and sent routes

Configuration Procedure

Procedure
Step 1 Create VLANs and specify the VLAN IDs that are allowed by the interfaces, as shown in Figure
3-5.
# Configure PE1.
<Quidway> system-view
[Quidway] sysname PE1
[PE1] vlan batch 10 20
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 20
[PE1-GigabitEthernet2/0/0] quit

# Configure CE1.
<Quidway> system-view
[Quidway] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit

# Configure CE2.
<Quidway> system-view
[Quidway] sysname CE2
[CE2] vlan batch 20
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port link-type trunk
[CE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 20
[CE2-GigabitEthernet1/0/0] quit

Step 2 Configure a VPN instance on each PE and connect the CEs to the PEs.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna] vpn-target 111:1 export-extcommunity
[PE1-vpn-instance-vpna] vpn-target 111:1 222:2 import-extcommunity
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] route-distinguisher 100:2
[PE1-vpn-instance-vpnb] vpn-target 222:2 export-extcommunity
[PE1-vpn-instance-vpnb] vpn-target 222:2 111:1 import-extcommunity
[PE1-vpn-instance-vpnb] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip binding vpn-instance vpna
[PE1-Vlanif10] ip address 10.1.1.2 24
[PE1-Vlanif10] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip binding vpn-instance vpnb
[PE1-Vlanif20] ip address 10.2.1.2 24
[PE1-Vlanif20] quit

# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna] vpn-target 111:1 both
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] route-distinguisher 200:2
[PE2-vpn-instance-vpnb] vpn-target 222:2 both
[PE2-vpn-instance-vpnb] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip binding vpn-instance vpna
[PE2-Vlanif30] ip address 10.3.1.2 24
[PE2-Vlanif30] quit
[PE2] interface vlanif 40
[PE2-Vlanif40] ip binding vpn-instance vpnb
[PE2-Vlanif40] ip address 10.4.1.2 24
[PE2-Vlanif40] quit

# Assign IP addresses to the interfaces on the CEs according to Figure 3-5. The configuration
procedure is not mentioned here.
After the configuration, the PE can ping the connected CE successfully.


Take the display on PE1 and CE1 as an example:

[PE1] ping -vpn-instance vpna 10.1.1.1


PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=5 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=16 ms

--- 10.1.1.1 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/6/16 ms

Step 3 Configure BGP to import the direct route to the VPN instance routing table.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit

Step 4 Enable the routing protocol on the CEs.


# Configure CE1.
[CE1] ip route-static 10.2.1.0 24 10.1.1.2

# Configure CE2.
[CE2] ip route-static 10.1.1.0 24 10.2.1.2

Step 5 Verify the configuration.


After the configuration, CE1 and CE2, which are connected to PE1 but belong to different VPNs,
can communicate with each other.
[PE1] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpna
         Destinations : 6        Routes : 6

Destination/Mask    Proto   Pre  Cost  Flags  NextHop    Interface

10.1.1.0/24         Direct  0    0     D      10.1.1.1   Vlanif10
10.1.1.2/32         Direct  0    0     D      127.0.0.1  InLoopBack0
10.1.1.255/32       Direct  0    0     D      127.0.0.1  InLoopBack0
10.2.1.0/24         BGP     255  0     D      10.2.1.1   Vlanif20
10.2.1.2/32         BGP     255  0     D      127.0.0.1  InLoopBack0
255.255.255.255/32  Direct  0    0     D      127.0.0.1  InLoopBack0

[CE1] ping 10.2.1.1
PING 10.2.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms
--- 10.2.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms

----End


Configuration Files
- Configuration file of PE1

#
sysname PE1
#
vlan batch 10 20
#
ip vpn-instance vpna
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 222:2 import-extcommunity
ip vpn-instance vpnb
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 111:1 import-extcommunity
#
interface Vlanif10
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
bgp 100
#
ipv4-family unicast
undo synchronization
#
ipv4-family vpn-instance vpna
import-route direct
#
ipv4-family vpn-instance vpnb
import-route direct
#
return

- Configuration file of CE1


#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
ip route-static 10.2.1.0 24 10.1.1.2
#
return

- Configuration file of CE2


#
sysname CE2
#
vlan batch 20


#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
ip route-static 10.1.1.0 24 10.2.1.2
#
return

3.17.4 Example for Configuring Mutual Access for Local VPNs on SPU Board

Networking Requirements
As shown in Figure 3-6, the S7700 functions as the PE. PC1 belongs to vpn-a and PC2 belongs
to vpn-b.

PC1 and PC2 need to communicate with each other.

NOTE

This example describes only how to configure mutual access for local VPNs on the SPU board. For details
about configuring mutual access for local VPNs on the S7700, see 3.17.3 Example for Configuring Mutual
Access Between VPNs on S7700.

Figure 3-6 Networking diagram for configuring mutual access between local VPNs

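[Figure 3-6: PC1 (10.10.10.1/24) connects to GE1/0/4 and PC2 (20.20.20.1/24) to GE1/0/6 of the Switch.
XGE2/0/0 and XGE2/0/1 of the Switch (Eth-Trunk0) connect to XGE0/0/1 and XGE0/0/2 of the SPU (Eth-Trunk0).
The SPU sub-interfaces are Eth-Trunk0.10 (10.10.10.2/24) and Eth-Trunk0.20 (20.20.20.2/24).]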

Configuration Roadmap
The configuration roadmap is as follows:

1. Import flows from the switch to the SPU.


2. Configure the VPN instance and bind the VPN instance to interfaces.
3. Configure the static route for the mutual access between local VPNs.


Procedure
Step 1 Import flows from the switch to the SPU.

# Configure the switch.


[Switch] sysname Switch
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] interface gigabitethernet 1/0/4
[Switch-GigabitEthernet1/0/4] port link-type access
[Switch-GigabitEthernet1/0/4] port default vlan 10
[Switch-GigabitEthernet1/0/4] quit
[Switch] vlan 20
[Switch-vlan20] quit
[Switch] interface gigabitethernet 1/0/6
[Switch-GigabitEthernet1/0/6] port link-type access
[Switch-GigabitEthernet1/0/6] port default vlan 20
[Switch-GigabitEthernet1/0/6] quit
[Switch] interface eth-trunk 0
[Switch-Eth-Trunk0] port link-type trunk
[Switch-Eth-Trunk0] undo port trunk allow-pass vlan 1
[Switch-Eth-Trunk0] port trunk allow-pass vlan 10 20
[Switch-Eth-Trunk0] quit
[Switch] interface xgigabitethernet 2/0/0
[Switch-XGigabitEthernet2/0/0] eth-trunk 0
[Switch-XGigabitEthernet2/0/0] quit
[Switch] interface xgigabitethernet 2/0/1
[Switch-XGigabitEthernet2/0/1] eth-trunk 0
[Switch-XGigabitEthernet2/0/1] quit

# Configure the SPU on the switch.


[Quidway] sysname SPU
[SPU] interface eth-trunk 0
[SPU-Eth-Trunk0] quit
[SPU] interface xgigabitethernet 0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 0
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface xgigabitethernet 0/0/2
[SPU-XGigabitEthernet0/0/2] eth-trunk 0
[SPU-XGigabitEthernet0/0/2] quit

Step 2 Configure a VPN instance on the SPU.


[SPU] ip vpn-instance vpn-a
[SPU-vpn-instance-vpn-a] route-distinguisher 1:1
[SPU-vpn-instance-vpn-a] vpn-target 1:1
[SPU-vpn-instance-vpn-a] quit
[SPU] ip vpn-instance vpn-b
[SPU-vpn-instance-vpn-b] route-distinguisher 2:2
[SPU-vpn-instance-vpn-b] vpn-target 2:2
[SPU-vpn-instance-vpn-b] quit

Step 3 Create sub-interfaces on the SPU and bind the VPN instance to the sub-interfaces.
[SPU] interface eth-trunk 0.10
[SPU-Eth-Trunk0.10] control-vid 10 dot1q-termination
[SPU-Eth-Trunk0.10] dot1q termination vid 10
[SPU-Eth-Trunk0.10] ip binding vpn-instance vpn-a
[SPU-Eth-Trunk0.10] ip address 10.10.10.2 24
[SPU-Eth-Trunk0.10] arp broadcast enable
[SPU-Eth-Trunk0.10] quit
[SPU] interface eth-trunk 0.20
[SPU-Eth-Trunk0.20] control-vid 20 dot1q-termination
[SPU-Eth-Trunk0.20] dot1q termination vid 20
[SPU-Eth-Trunk0.20] ip binding vpn-instance vpn-b
[SPU-Eth-Trunk0.20] ip address 20.20.20.2 24
[SPU-Eth-Trunk0.20] arp broadcast enable
[SPU-Eth-Trunk0.20] quit

Step 4 Configure the static route on the SPU to allow the VPNs to communicate with each other.


[SPU] ip route-static vpn-instance vpn-a 20.20.20.1 32 Eth-Trunk 0.20 20.20.20.1


[SPU] ip route-static vpn-instance vpn-b 10.10.10.1 32 Eth-Trunk 0.10 10.10.10.1

Step 5 Verify the configuration.

Ping PC2 from PC1. The ping is successful.

----End

Configuration Files
- Configuration file of switch
#
sysname Switch
#
vlan batch 10 20
#
interface Eth-Trunk0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet1/0/4
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/6
port link-type access
port default vlan 20
#
interface XGigabitEthernet2/0/0
eth-trunk 0
#
interface XGigabitEthernet2/0/1
eth-trunk 0
#
return

- Configuration file of the SPU on the switch


#
sysname SPU
#
interface Eth-Trunk0
#
interface Eth-Trunk 0.10
control-vid 10 dot1q-termination
dot1q termination vid 10
ip binding vpn-instance vpn-a
ip address 10.10.10.2 24
arp broadcast enable
#
interface Eth-Trunk 0.20
control-vid 20 dot1q-termination
dot1q termination vid 20
ip binding vpn-instance vpn-b
ip address 20.20.20.2 24
arp broadcast enable
#
interface XGigabitEthernet0/0/1
eth-trunk 0
#
interface XGigabitEthernet0/0/2
eth-trunk 0
#
ip route-static vpn-instance vpn-a 20.20.20.1 32 Eth-Trunk 0.20 20.20.20.1


ip route-static vpn-instance vpn-b 10.10.10.1 32 Eth-Trunk 0.10 10.10.10.1


#

3.17.5 Example for Configuring BGP ASN Substitution

Networking Requirements
As shown in Figure 3-7, CE1 and CE2 belong to the same VPN instance and access PE1 and
PE2 respectively.

CE1 and CE2 use the same ASN, namely, 600.

Figure 3-7 Networking diagram for configuring BGP ASN substitution

[Figure 3-7: PE1 (Loopback1 1.1.1.9/32), P (Loopback1 2.2.2.9/32) and PE2 (Loopback1 3.3.3.9/32) form the
backbone in AS 100. CE1 attaches to PE1 and CE2 attaches to PE2; both CEs belong to vpn1 and use AS 600.]

Device  Interface             VLANIF interface  IP address
PE1     GigabitEthernet1/0/0  VLANIF 10         10.1.1.2/24
PE1     GigabitEthernet2/0/0  VLANIF 20         20.1.1.1/24
PE2     GigabitEthernet1/0/0  VLANIF 40         10.2.1.2/24
PE2     GigabitEthernet2/0/0  VLANIF 30         30.1.1.2/24
P       GigabitEthernet1/0/0  VLANIF 20         20.1.1.2/24
P       GigabitEthernet2/0/0  VLANIF 30         30.1.1.1/24
CE1     GigabitEthernet1/0/0  VLANIF 10         10.1.1.1/24
CE1     GigabitEthernet2/0/0  VLANIF 50         100.1.1.1/24
CE2     GigabitEthernet1/0/0  VLANIF 40         10.2.1.1/24
CE2     GigabitEthernet2/0/0  VLANIF 60         200.1.1.1/24


Configuration Roadmap
The configuration roadmap is as follows:
1. Enable an IGP on the backbone network so that the PEs and the P can communicate with each other
and learn each other's loopback addresses.
2. Create an MPLS LDP LSP between the PEs, create VPN instances on the PEs, and connect the
PEs to the CEs.
3. Establish EBGP adjacencies between the PEs and CEs to import routes of the CEs to the
PEs.
4. Configure BGP ASN substitution on the PEs.

Data Preparation
To complete the configuration, you need the following data:
- MPLS LSR-IDs of PE and P
- VPN instances on PE1 and PE2
- ASN used by CE1 and CE2, which is different from the ASN of the backbone network

Procedure
Step 1 Configure basic BGP/MPLS IP VPN.
The configurations are as follows:
- Configure OSPF on the MPLS backbone so that the PEs and the P can learn the routes to each
other's loopback interfaces.
- Enable the MPLS capability and MPLS LDP on the MPLS backbone and establish an LDP LSP.
- Establish an MP-IBGP adjacency between the PEs and advertise VPNv4 routes.
- Configure the VPN instance of VPN1 on PE2 and connect PE2 to CE2.
- Configure the VPN instance of VPN1 on PE1 and connect PE1 to CE1.
- Configure BGP between PE1 and CE1, and between PE2 and CE2. Import routes of the CEs
to the PEs.
After the configuration, run the display ip routing-table command on CE2. You can see that
CE2 can learn the route of the network segment (10.1.1.0/24) of the interface connecting PE1
to CE1, but there is no route to the VPN (100.1.1.0/24) of CE1. When you run the display ip
routing-table command on CE1, you can see similar information.
[CE2] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 10       Routes : 10
Destination/Mask    Proto   Pre  Cost  Flags  NextHop    Interface
10.1.1.0/24         BGP     255  0     D      10.2.1.2   Vlanif40
10.2.1.0/24         Direct  0    0     D      10.2.1.1   Vlanif40
10.2.1.1/32         Direct  0    0     D      127.0.0.1  InLoopBack0
10.2.1.255/32       Direct  0    0     D      127.0.0.1  InLoopBack0
127.0.0.0/8         Direct  0    0     D      127.0.0.1  InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1  InLoopBack0
127.255.255.255/32  Direct  0    0     D      127.0.0.1  InLoopBack0
200.1.1.0/24        Direct  0    0     D      200.1.1.1  Vlanif60
200.1.1.1/32        Direct  0    0     D      127.0.0.1  InLoopBack0
255.255.255.255/32  Direct  0    0     D      127.0.0.1  InLoopBack0


Run the display ip routing-table vpn-instance command on PEs, and you can see the routes
to the VPNs of the peer CEs.
Take PE2 for example.
[PE2] display ip routing-table vpn-instance vpn1
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpn1
         Destinations : 7        Routes : 7
Destination/Mask    Proto   Pre  Cost  Flags  NextHop    Interface
10.1.1.0/24         BGP     255  0     RD     1.1.1.9    Vlanif30
10.2.1.0/24         Direct  0    0     D      10.2.1.2   Vlanif40
10.2.1.2/32         Direct  0    0     D      127.0.0.1  InLoopBack0
10.2.1.255/32       Direct  0    0     D      127.0.0.1  InLoopBack0
100.1.1.0/24        BGP     255  0     RD     1.1.1.9    Vlanif30
200.1.1.0/24        BGP     255  0     D      10.2.1.1   Vlanif40
255.255.255.255/32  Direct  0    0     D      127.0.0.1  InLoopBack0

Enable debugging of the BGP Update packets on PE2. The debugging information shows that
PE2 advertises the route to 100.1.1.0/24 and the AS path information is "100 600".
<PE2> terminal monitor
<PE2> terminal debugging
<PE2> debugging bgp update vpn-instance vpn1 peer 10.2.1.1 verbose
<PE2> refresh bgp vpn-instance vpn1 all export
*0.4402392 PE2 RM/7/RMDEBUG:
BGP.vpn1: Send UPDATE to 10.2.1.1 for following destinations :
Origin : Incomplete
AS Path : 100 600
Next Hop : 10.2.1.2
100.1.1.0/24,

Run the display bgp routing-table peer received-routes command on CE2, and you can see
that CE2 does not accept the route to 100.1.1.0/24.
[CE2] display bgp routing-table peer 10.2.1.2 received-routes
Total Number of Routes: 3
BGP Local router ID is 10.2.1.1
Status codes: * - valid, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
     Network        NextHop    MED  LocPrf  PrefVal  Path/Ogn
*>   10.1.1.0/24    10.2.1.2                0        100?
*    10.2.1.0/24    10.2.1.2   0            0        100?
*    10.2.1.1/32    10.2.1.2   0            0        100?

Step 2 Configure BGP ASN substitution.


Configure BGP ASN substitution on PEs.
# Take PE2 for example.
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpn1
[PE2-bgp-vpn1] peer 10.2.1.1 substitute-as

In the route advertised to CE2 by PE2, you can see that the AS path information of 100.1.1.0/24
changes from "100 600" to "100 100".
*0.13498737 PE2 RM/7/RMDEBUG:
BGP.vpn1: Send UPDATE to 10.2.1.1 for following destinations :
Origin : Incomplete
AS Path : 100 100
Next Hop : 10.2.1.2
100.1.1.0/24

Display the routing information and routing table received by CE2.


[CE2] display bgp routing-table peer 10.2.1.2 received-routes
Total Number of Routes: 5
BGP Local router ID is 10.2.1.1
Status codes: * - valid, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
     Network        NextHop    MED  LocPrf  PrefVal  Path/Ogn
*>   10.1.1.0/24    10.2.1.2                0        100?
*    10.2.1.0/24    10.2.1.2   0            0        100?
*    10.2.1.1/32    10.2.1.2   0            0        100?
*>   100.1.1.0/24   10.2.1.2                0        100 100!

[CE2] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 11       Routes : 11
Destination/Mask    Proto   Pre  Cost  Flags  NextHop    Interface
10.1.1.0/24         BGP     255  0     D      10.2.1.2   Vlanif40
10.2.1.0/24         Direct  0    0     D      10.2.1.1   Vlanif40
10.2.1.1/32         Direct  0    0     D      127.0.0.1  InLoopBack0
10.2.1.255/32       Direct  0    0     D      127.0.0.1  InLoopBack0
100.1.1.1/24        BGP     255  0     D      10.2.1.2   Vlanif40
127.0.0.0/8         Direct  0    0     D      127.0.0.1  InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1  InLoopBack0
127.255.255.255/32  Direct  0    0     D      127.0.0.1  InLoopBack0
200.1.1.0/24        Direct  0    0     D      127.0.0.1  Vlanif60
200.1.1.1/32        Direct  0    0     D      127.0.0.1  InLoopBack0
255.255.255.255/32  Direct  0    0     D      127.0.0.1  InLoopBack0

After BGP ASN substitution is configured on PE1, the GE interfaces of CE1 and CE2 can ping
each other.
[CE1] ping -a 100.1.1.1 200.1.1.1
PING 200.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 200.1.1.1: bytes=56 Sequence=1 ttl=253 time=109 ms
Reply from 200.1.1.1: bytes=56 Sequence=2 ttl=253 time=67 ms
Reply from 200.1.1.1: bytes=56 Sequence=3 ttl=253 time=66 ms
Reply from 200.1.1.1: bytes=56 Sequence=4 ttl=253 time=85 ms
Reply from 200.1.1.1: bytes=56 Sequence=5 ttl=253 time=70 ms
--- 200.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 66/79/109 ms

----End

Configuration Files
- Configuration file of CE1
#
sysname CE1
#
vlan batch 10 50
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif50
ip address 100.1.1.1 255.255.255.0
#

interface GigabitEthernet1/0/0
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet2/0/0


port hybrid pvid vlan 50


port hybrid untagged vlan 50
#
bgp 600
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
- Configuration file of PE1
#
sysname PE1
#
vlan batch 10 20
#
ip vpn-instance vpn1
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 20.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 600
peer 10.1.1.1 substitute-as
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 20.1.1.0 0.0.0.255


#
return
- Configuration file of P
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address 20.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 30.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
- Configuration file of PE2
#
sysname PE2
#
vlan batch 30 40
#
ip vpn-instance vpn1
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif30
ip address 30.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 40


port hybrid untagged vlan 40


#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 600
peer 10.2.1.1 substitute-as
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 30.1.1.0 0.0.0.255
#
return

- Configuration file of CE2


#
sysname CE2
#
vlan batch 40 60
#
interface Vlanif40
ip address 10.2.1.1 255.255.255.0
#
interface Vlanif60
ip address 200.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 60
port hybrid untagged vlan 60
#
bgp 600
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return


3.17.6 Example for Configuring Hub&Spoke

Networking Requirements
As shown in Figure 3-8, the communication between Spoke-CEs is controlled by the Hub-CE
in the central site. That is, the traffic between Spoke-CEs is forwarded by the Hub-CE, and not
only by the Hub-PE.

Figure 3-8 Networking diagram for configuring Hub&Spoke

[Figure 3-8: The Hub-CE (AS 65430) connects through GE1/0/0 and GE2/0/0 to GE3/0/0 and GE3/0/1 of the
Hub-PE. The Hub-PE (Loopback1 2.2.2.9/32), Spoke-PE1 (Loopback1 1.1.1.9/32) and Spoke-PE2 (Loopback1
3.3.3.9/32) form the backbone in AS 100. Spoke-CE1 (AS 65410) attaches to Spoke-PE1 and Spoke-CE2
(AS 65420) attaches to Spoke-PE2.]

Device     Interface             VLANIF interface  IP address
Hub-PE     GigabitEthernet1/0/0  VLANIF 10         10.1.1.2/24
Hub-PE     GigabitEthernet2/0/0  VLANIF 20         11.1.1.2/24
Hub-PE     GigabitEthernet3/0/0  VLANIF 30         110.1.1.2/24
Hub-PE     GigabitEthernet3/0/1  VLANIF 40         110.2.1.2/24
Hub-PE     Loopback1             -                 2.2.2.9/32
Spoke-PE1  GigabitEthernet1/0/0  VLANIF 50         100.1.1.2/24
Spoke-PE1  GigabitEthernet2/0/0  VLANIF 10         10.1.1.1/24
Spoke-PE1  Loopback1             -                 1.1.1.9/32
Spoke-PE2  GigabitEthernet1/0/0  VLANIF 60         120.1.1.2/24
Spoke-PE2  GigabitEthernet2/0/0  VLANIF 20         11.1.1.1/24
Spoke-PE2  Loopback1             -                 3.3.3.9/32
Hub-CE     GigabitEthernet1/0/0  VLANIF 30         110.1.1.1/24
Hub-CE     GigabitEthernet2/0/0  VLANIF 40         110.2.1.1/24
Spoke-CE1  GigabitEthernet1/0/0  VLANIF 50         100.1.1.1/24
Spoke-CE2  GigabitEthernet1/0/0  VLANIF 60         120.1.1.1/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Set up MP-IBGP peer relationships between the Hub-PE and the Spoke-PEs. Do not set up an
MP-IBGP peer relationship between the Spoke-PEs.
2. Create two VPN instances on the Hub-PE. The import targets are the export targets of the
two Spoke-PEs. The export targets are different from the import targets.
3. Create a VPN instance on each Spoke-PE. The import target is the export target of the Hub-PE.
4. Run EBGP between the CEs and the PEs.
5. Configure the Hub-PE to accept the routes with two repeated ASNs.

Data Preparation
To complete the configuration, you need the following data:
- IDs of the VLANs that the interfaces belong to, as shown in Figure 3-8
- IP address of each VLANIF interface, as shown in Figure 3-8
- MPLS LSR IDs of the PEs
- VPN instance names, RDs, and VPN targets of the Hub-PE and Spoke-PE

Procedure
Step 1 Configure IGP on the backbone network to make the Hub-PE and the Spoke-PE communicate
with each other.
In this example, OSPF is used as IGP and the configuration procedure is not mentioned.
After the configuration, an OSPF adjacency can be established between the Hub-PE and the
Spoke-PEs. Run the display ospf peer command, and you can see that the status of the adjacency
is Full. Run the display ip routing-table command, and you can see that the Hub-PE and the
Spoke-PEs can learn the loopback routes of each other.
Step 2 Configure the basic MPLS capability on the backbone network and set up an LDP LSP.
# Configure the Hub-PE.
[Hub-PE] mpls lsr-id 2.2.2.9
[Hub-PE] mpls


[Hub-PE-mpls] label advertise non-null


[Hub-PE-mpls] quit
[Hub-PE] mpls ldp
[Hub-PE-mpls-ldp] quit
[Hub-PE] interface vlanif 10
[Hub-PE-Vlanif10] mpls
[Hub-PE-Vlanif10] mpls ldp
[Hub-PE-Vlanif10] quit
[Hub-PE] interface vlanif 20
[Hub-PE-Vlanif20] mpls
[Hub-PE-Vlanif20] mpls ldp
[Hub-PE-Vlanif20] quit

After the configuration, LDP peer relation can be set up between the Hub-PE and the Spoke-
PEs. Run the display mpls ldp session command on each Switch, and you can see that the
session status is Operational.
The configuration procedure of the Spoke-PE is similar to the configuration procedure of the
Hub-PE and is not mentioned here.
Step 3 Configure VPN instances on each PE and connect the CEs to the PEs.
NOTE

The two VPN instances on the Hub-PE import the VPN target that the two Spoke-PEs export, and export
a VPN target that is different from the imported one. The import VPN target on the Spoke-PE is the
export VPN target on the Hub-PE.

# Configure Spoke-PE1.
<Spoke-PE1> system-view
[Spoke-PE1] ip vpn-instance vpna
[Spoke-PE1-vpn-instance-vpna] route-distinguisher 100:1
[Spoke-PE1-vpn-instance-vpna] vpn-target 100:1 export-extcommunity
[Spoke-PE1-vpn-instance-vpna] vpn-target 200:1 import-extcommunity
[Spoke-PE1-vpn-instance-vpna] quit
[Spoke-PE1] interface vlanif 50
[Spoke-PE1-Vlanif50] ip binding vpn-instance vpna
[Spoke-PE1-Vlanif50] ip address 100.1.1.2 24
[Spoke-PE1-Vlanif50] quit

# Configure Spoke-PE2.
<Spoke-PE2> system-view
[Spoke-PE2] ip vpn-instance vpna
[Spoke-PE2-vpn-instance-vpna] route-distinguisher 100:3
[Spoke-PE2-vpn-instance-vpna] vpn-target 100:1 export-extcommunity
[Spoke-PE2-vpn-instance-vpna] vpn-target 200:1 import-extcommunity
[Spoke-PE2-vpn-instance-vpna] quit
[Spoke-PE2] interface vlanif 60
[Spoke-PE2-Vlanif60] ip binding vpn-instance vpna
[Spoke-PE2-Vlanif60] ip address 120.1.1.2 24
[Spoke-PE2-Vlanif60] quit

# Configure the Hub-PE.


<Hub-PE> system-view
[Hub-PE] ip vpn-instance vpn_in
[Hub-PE-vpn-instance-vpn_in] route-distinguisher 100:21
[Hub-PE-vpn-instance-vpn_in] vpn-target 100:1 import-extcommunity
[Hub-PE-vpn-instance-vpn_in] quit
[Hub-PE] ip vpn-instance vpn_out
[Hub-PE-vpn-instance-vpn_out] route-distinguisher 100:22
[Hub-PE-vpn-instance-vpn_out] vpn-target 200:1 export-extcommunity
[Hub-PE-vpn-instance-vpn_out] quit
[Hub-PE] interface vlanif 30
[Hub-PE-Vlanif30] ip binding vpn-instance vpn_in
[Hub-PE-Vlanif30] ip address 110.1.1.2 24
[Hub-PE-Vlanif30] quit


[Hub-PE] interface vlanif 40


[Hub-PE-Vlanif40] ip binding vpn-instance vpn_out
[Hub-PE-Vlanif40] ip address 110.2.1.2 24
[Hub-PE-Vlanif40] quit

# Configure the IP addresses of the interfaces on the CEs. The configuration procedure is not
given here.
After the configuration, run the display ip vpn-instance verbose command on the PEs, and you
can see the configuration of the VPN instances. Each PE can ping the connected CEs by using
the ping -vpn-instance vpn-name ip-address command.
NOTE

If multiple interfaces on a PE are bound to the same VPN, you must specify the source address when you
run the ping -vpn-instance command to ping the CE connected to the peer PE. That is, specify
-a source-ip-address in the ping -vpn-instance vpn-instance-name -a source-ip-address destination-address
command. Otherwise, the ping operation may fail.
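
The vpn-target design of Step 3 above, and the cross-import that 3.17.3 uses to let vpna and vpnb reach each other, can be checked mechanically before deployment. The following Python code is an added example, not part of the original guide: it parses the vpn-target lines shown on this page and lists which VPN instances would import each other's routes. The "device" marker lines, the function names and the drifted configuration are constructed for this example, and PE1 and PE2 of 3.17.3 are assumed to exchange VPNv4 routes.

```python
import re

# Constructed input: the vpn-target lines shown on this page. The "device"
# marker lines are this example's own convention, not VRP syntax.
MUTUAL_ACCESS = """
device PE1
ip vpn-instance vpna
 vpn-target 111:1 export-extcommunity
 vpn-target 111:1 222:2 import-extcommunity
ip vpn-instance vpnb
 vpn-target 222:2 export-extcommunity
 vpn-target 222:2 111:1 import-extcommunity
device PE2
ip vpn-instance vpna
 vpn-target 111:1 both
ip vpn-instance vpnb
 vpn-target 222:2 both
"""
HUB_SPOKE = """
device Spoke-PE1
ip vpn-instance vpna
 vpn-target 100:1 export-extcommunity
 vpn-target 200:1 import-extcommunity
device Spoke-PE2
ip vpn-instance vpna
 vpn-target 100:1 export-extcommunity
 vpn-target 200:1 import-extcommunity
device Hub-PE
ip vpn-instance vpn_in
 vpn-target 100:1 import-extcommunity
ip vpn-instance vpn_out
 vpn-target 200:1 export-extcommunity
"""
# Constructed drift: 100:1 is later added as an import target on Spoke-PE2.
DRIFTED = HUB_SPOKE + """
device Spoke-PE2
ip vpn-instance vpna
 vpn-target 100:1 import-extcommunity
"""

DIRECTIONS = {"export-extcommunity": ("export",), "import-extcommunity": ("import",),
              "both": ("export", "import")}
RT = re.compile(r"^\d+:\d+$")  # only the ASN:number form used on this page


def parse_instances(text):
    """Return {(device, instance): {"export": set(), "import": set()}}."""
    instances, device, current = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        words = line.split()
        if line.startswith("device "):
            device, current = words[1], None
        elif line.startswith("ip vpn-instance "):
            current = (device, words[2])
            # Re-entering an instance view adds to it, as on the device.
            instances.setdefault(current, {"export": set(), "import": set()})
        elif current and words[:1] == ["vpn-target"]:
            # With no keyword the command applies to both directions.
            sides = DIRECTIONS.get(words[-1], DIRECTIONS["both"])
            targets = {w for w in words[1:] if RT.match(w)}
            for side in sides:
                instances[current][side] |= targets
    return instances


def import_edges(instances):
    """(exporter, importer) pairs: importer accepts a target the exporter attaches."""
    return {(src, dst)
            for src, s in instances.items() for dst, d in instances.items()
            if src != dst and s["export"] & d["import"]}


def cross_vpn_edges(instances):
    """Edges whose two ends are differently named instances (route leaking)."""
    return sorted(e for e in import_edges(instances) if e[0][1] != e[1][1])


def hub_bypass_edges(instances, hub):
    """Edges that neither start nor end on the hub device."""
    return sorted(e for e in import_edges(instances) if hub not in (e[0][0], e[1][0]))


if __name__ == "__main__":
    for src, dst in cross_vpn_edges(parse_instances(MUTUAL_ACCESS)):
        print("leak  ", "/".join(src), "->", "/".join(dst))
    for name, cfg in (("as documented", HUB_SPOKE), ("drifted", DRIFTED)):
        found = hub_bypass_edges(parse_instances(cfg), "Hub-PE")
        print(name, "bypass edges:", found or "none")
```

For 3.17.3 the result shows that the extra import targets on PE1 also admit PE2's routes of the other VPN, in one direction only. The check covers vpn-target policy alone; the missing MP-IBGP session between the Spoke-PEs is a separate control that it does not model.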

Step 4 Set up EBGP peer relation between the PE and the CE and import VPN routes.
NOTE

To receive the routes advertised by the Hub-CE, configure the Hub-PE to allow the ASN to be repeated
once.

# Configure Spoke-CE1.
[Spoke-CE1] bgp 65410
[Spoke-CE1-bgp] peer 100.1.1.2 as-number 100
[Spoke-CE1-bgp] import-route direct
[Spoke-CE1-bgp] quit

# Configure Spoke-PE1.
[Spoke-PE1] bgp 100
[Spoke-PE1-bgp] ipv4-family vpn-instance vpna
[Spoke-PE1-bgp-vpna] peer 100.1.1.1 as-number 65410
[Spoke-PE1-bgp-vpna] import-route direct
[Spoke-PE1-bgp-vpna] quit
[Spoke-PE1-bgp] quit

# Configure Spoke-CE2.
[Spoke-CE2] bgp 65420
[Spoke-CE2-bgp] peer 120.1.1.2 as-number 100
[Spoke-CE2-bgp] import-route direct
[Spoke-CE2-bgp] quit

# Configure Spoke-PE2.
[Spoke-PE2] bgp 100
[Spoke-PE2-bgp] ipv4-family vpn-instance vpna
[Spoke-PE2-bgp-vpna] peer 120.1.1.1 as-number 65420
[Spoke-PE2-bgp-vpna] import-route direct
[Spoke-PE2-bgp-vpna] quit
[Spoke-PE2-bgp] quit

# Configure the Hub-CE.


[Hub-CE] bgp 65430
[Hub-CE-bgp] peer 110.1.1.2 as-number 100
[Hub-CE-bgp] peer 110.2.1.2 as-number 100
[Hub-CE-bgp] import-route direct
[Hub-CE-bgp] quit

# Configure the Hub-PE.


[Hub-PE] bgp 100
[Hub-PE-bgp] ipv4-family vpn-instance vpn_in


[Hub-PE-bgp-vpn_in] peer 110.1.1.1 as-number 65430


[Hub-PE-bgp-vpn_in] import-route direct
[Hub-PE-bgp-vpn_in] quit
[Hub-PE-bgp] ipv4-family vpn-instance vpn_out
[Hub-PE-bgp-vpn_out] peer 110.2.1.1 as-number 65430
[Hub-PE-bgp-vpn_out] peer 110.2.1.1 allow-as-loop 1
[Hub-PE-bgp-vpn_out] import-route direct
[Hub-PE-bgp-vpn_out] quit
[Hub-PE-bgp] quit

After the configuration, run the display bgp vpnv4 all peer command on a PE, and you can
find that the BGP peer relation between the PE and CE is in Established state.
Step 5 Set up MP-IBGP adjacency between the PEs.
NOTE

The Spoke-PE need not allow the repeated ASN, because the Switch does not check the AS path attribute
in the routing information advertised by the IBGP peers.

# Configure Spoke-PE1.
[Spoke-PE1] bgp 100
[Spoke-PE1-bgp] peer 2.2.2.9 as-number 100
[Spoke-PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[Spoke-PE1-bgp] ipv4-family vpnv4
[Spoke-PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[Spoke-PE1-bgp-af-vpnv4] quit

# Configure Spoke-PE2.
[Spoke-PE2] bgp 100
[Spoke-PE2-bgp] peer 2.2.2.9 as-number 100
[Spoke-PE2-bgp] peer 2.2.2.9 connect-interface loopback 1
[Spoke-PE2-bgp] ipv4-family vpnv4
[Spoke-PE2-bgp-af-vpnv4] peer 2.2.2.9 enable
[Spoke-PE2-bgp-af-vpnv4] quit

# Configure the Hub-PE.


[Hub-PE] bgp 100
[Hub-PE-bgp] peer 1.1.1.9 as-number 100
[Hub-PE-bgp] peer 1.1.1.9 connect-interface loopback 1
[Hub-PE-bgp] peer 3.3.3.9 as-number 100
[Hub-PE-bgp] peer 3.3.3.9 connect-interface loopback 1
[Hub-PE-bgp] ipv4-family vpnv4
[Hub-PE-bgp-af-vpnv4] peer 1.1.1.9 enable
[Hub-PE-bgp-af-vpnv4] peer 3.3.3.9 enable
[Hub-PE-bgp-af-vpnv4] quit

After the configuration, run the display bgp peer or display bgp vpnv4 all peer command, and
you can see that the BGP peer relation between the PEs is in Established state.
Step 6 Verify the configuration.
After the configuration, the Spoke-CEs can ping each other. Run the tracert command, and you
can see that the traffic between the Spoke-CEs is forwarded through the Hub-CE. You can also
deduce the number of forwarding devices between the Spoke-CEs based on the TTL in the ping
result.
Take Spoke-CE1 for example.
[Spoke-CE1] ping 120.1.1.1
PING 120.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 120.1.1.1: bytes=56 Sequence=1 ttl=250 time=80 ms
Reply from 120.1.1.1: bytes=56 Sequence=2 ttl=250 time=129 ms
Reply from 120.1.1.1: bytes=56 Sequence=3 ttl=250 time=132 ms
Reply from 120.1.1.1: bytes=56 Sequence=4 ttl=250 time=92 ms
Reply from 120.1.1.1: bytes=56 Sequence=5 ttl=250 time=126 ms


--- 120.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 80/111/132 ms
[Spoke-CE1] tracert 120.1.1.1
traceroute to 120.1.1.1(120.1.1.1) 30 hops max,40 bytes packet
1 100.1.1.2 24 ms 19 ms 11 ms
2 110.2.1.2 87 ms 60 ms 58 ms
3 110.2.1.1 59 ms 27 ms 53 ms
4 110.1.1.2 41 ms 34 ms 56 ms
5 120.1.1.2 90 ms 66 ms 75 ms
6 120.1.1.1 143 ms 96 ms 90 ms

Run the display bgp routing-table command on the Spoke-CE, and you can see the repeated
ASNs in AS paths of the BGP routes to the remote Spoke-CE.
Take Spoke-CE1 for example.
[Spoke-CE1] display bgp routing-table
 Total Number of Routes: 6
 BGP Local router ID is 100.1.1.1
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete

      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn

 *>   100.1.1.0/24       0.0.0.0         0                     0      ?
 *                       100.1.1.2       0                     0      100?
 *>   100.1.1.1/32       0.0.0.0         0                     0      ?
 *>   110.1.1.0/24       100.1.1.2                             0      100 65430?
 *>   110.2.1.0/24       100.1.1.2                             0      100?
 *>   120.1.1.0/24       100.1.1.2                             0      100 65430 100?

----End

Configuration Files
• Configuration file of Spoke-CE1
#
sysname Spoke-CE1
#
vlan batch 50
#
interface Vlanif50
ip address 100.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 50
port hybrid untagged vlan 50
#
bgp 65410
peer 100.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 100.1.1.2 enable
#
return

• Configuration file of Spoke-PE1


#
sysname Spoke-PE1
#
vlan batch 10 50
#
ip vpn-instance vpna
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
label advertise non-null
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif50
ip binding vpn-instance vpna
ip address 100.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 50
port hybrid untagged vlan 50
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 100.1.1.1 as-number 65410
import-route direct
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
• Configuration file of Spoke-PE2
#
sysname Spoke-PE2
#
vlan batch 20 60
#
ip vpn-instance vpna
route-distinguisher 100:3
vpn-target 100:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
label advertise non-null
#
mpls ldp
#
interface Vlanif20
ip address 11.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
ip binding vpn-instance vpna
ip address 120.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 60
port hybrid untagged vlan 60
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 120.1.1.1 as-number 65420
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 11.1.1.0 0.0.0.255
#
return
• Configuration file of Spoke-CE2
#
sysname Spoke-CE2
#
vlan batch 60
#
interface Vlanif60
ip address 120.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 60
port hybrid untagged vlan 60
#
bgp 65420
peer 120.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 120.1.1.2 enable
#
return
• Configuration file of Hub-CE
#
sysname Hub-CE
#
vlan batch 30 40
#
interface Vlanif30
ip address 110.1.1.1 255.255.255.0
#
interface Vlanif40
ip address 110.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
bgp 65430
peer 110.1.1.2 as-number 100
peer 110.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 110.2.1.2 enable
peer 110.1.1.2 enable
#
return
• Configuration file of Hub-PE
#
sysname Hub-PE
#
vlan batch 10 20 30 40
#
ip vpn-instance vpn_in
route-distinguisher 100:21
vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn_out
route-distinguisher 100:22
vpn-target 200:1 export-extcommunity
#
mpls lsr-id 2.2.2.9
mpls
label advertise non-null
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif20
ip address 11.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip binding vpn-instance vpn_in
ip address 110.1.1.2 255.255.255.0
#
interface Vlanif40
ip binding vpn-instance vpn_out
ip address 110.2.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface GigabitEthernet3/0/0
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface GigabitEthernet3/0/1
port hybrid pvid vlan 40
port hybrid untagged vlan 40
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn_in
peer 110.1.1.1 as-number 65430
import-route direct
#
ipv4-family vpn-instance vpn_out
peer 110.2.1.1 as-number 65430
peer 110.2.1.1 allow-as-loop
import-route direct
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 11.1.1.0 0.0.0.255
#
return
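
The hub-and-spoke behaviour verified in Step 6 depends on the vpn-target values in the configuration files above: the spokes export 100:1 and import 200:1, and only the Hub-PE imports 100:1 and exports 200:1. The following Python script is an added example, not part of the Huawei guide; it parses those vpn-instance stanzas and reports any route-target pairing that would let routes pass between spoke sites without going through the hub. The function names and the misconfigured variant are constructed for illustration, and a vpn-target line without a keyword is assumed to mean both directions.

```python
import re

# vpn-instance stanzas copied from the configuration files on this page
CONFIGS = {
    "Spoke-PE1": """ip vpn-instance vpna
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#""",
    "Spoke-PE2": """ip vpn-instance vpna
route-distinguisher 100:3
vpn-target 100:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#""",
    "Hub-PE": """ip vpn-instance vpn_in
route-distinguisher 100:21
vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn_out
route-distinguisher 100:22
vpn-target 200:1 export-extcommunity
#""",
}
RT = re.compile(r"^\d+:\d+$")  # AS:number form, the only form used here

def parse_vpn_instances(text):
    """Return {instance: {"import": set, "export": set}} for one device."""
    instances, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if words[:2] == ["ip", "vpn-instance"] and len(words) == 3:
            current = instances.setdefault(
                words[2], {"import": set(), "export": set()})
        elif words == ["#"]:
            current = None  # '#' closes the stanza
        elif current is not None and words[:1] == ["vpn-target"]:
            rts = {w for w in words[1:] if RT.match(w)}
            mode = words[-1]  # keyword, or an RT when no keyword is given
            if mode != "export-extcommunity":  # import, both, or no keyword
                current["import"] |= rts
            if mode != "import-extcommunity":  # export, both, or no keyword
                current["export"] |= rts
    return instances

def route_flows(configs):
    """All (exporting VRF, importing VRF) pairs that share a route target."""
    vrfs = [((dev, name), rts) for dev, text in configs.items()
            for name, rts in parse_vpn_instances(text).items()]
    return {(src, dst) for src, s in vrfs for dst, d in vrfs
            if src != dst and s["export"] & d["import"]}

def spoke_leaks(configs, hub):
    """Flows in which neither VRF is on the hub PE (spoke-to-spoke)."""
    return sorted(f for f in route_flows(configs)
                  if hub not in (f[0][0], f[1][0]))

if __name__ == "__main__":
    print("page config:", spoke_leaks(CONFIGS, "Hub-PE"))
    # Constructed misconfiguration: Spoke-PE2 also imports the spokes' RT.
    bad = dict(CONFIGS)
    bad["Spoke-PE2"] = CONFIGS["Spoke-PE2"].replace(
        "vpn-target 200:1 import", "vpn-target 200:1 100:1 import")
    print("misconfigured:", spoke_leaks(bad, "Hub-PE"))
```

With the page's configuration the leak list is empty; adding 100:1 to a spoke's import list makes Spoke-PE1's routes reach Spoke-PE2 directly, which bypasses the Hub-CE path that the tracert in Step 6 confirms.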

3.17.7 Example for Configuring Inter-AS VPN Option A

Networking Requirements
As shown in Figure 3-9, CE1 and CE2 belong to the same VPN. CE1 accesses the backbone in AS
100 through PE1, and CE2 accesses the backbone in AS 200 through PE2.
Inter-AS BGP/MPLS IP VPN is implemented through Option A, that is, the VRF-to-VRF
method is used to manage VPN routes.


Figure 3-9 Networking diagram for configuring inter-AS VPN Option A


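[Networking diagram: two BGP/MPLS backbones, AS 100 (PE1 and ASBR-PE1) and AS 200 (ASBR-PE2 and PE2).
CE1 (AS 65001) connects to PE1, CE2 (AS 65002) connects to PE2, and ASBR-PE1 connects to ASBR-PE2.
Interface addressing shown in the figure:]

Device     Interface   VLANIF      IP address
CE1        GE1/0/0     VLANIF 10   10.1.1.1/24
PE1        GE2/0/0     VLANIF 10   10.1.1.2/24
PE1        GE1/0/0     VLANIF 11   172.1.1.2/24
PE1        Loopback1   -           1.1.1.9/32
ASBR-PE1   GE1/0/0     VLANIF 11   172.1.1.1/24
ASBR-PE1   GE2/0/0     VLANIF 12   192.1.1.1/24
ASBR-PE1   Loopback1   -           2.2.2.9/32
ASBR-PE2   GE2/0/0     VLANIF 12   192.1.1.2/24
ASBR-PE2   GE1/0/0     VLANIF 22   162.1.1.1/24
ASBR-PE2   Loopback1   -           3.3.3.9/32
PE2        GE1/0/0     VLANIF 22   162.1.1.2/24
PE2        GE2/0/0     VLANIF 10   10.2.1.2/24
PE2        Loopback1   -           4.4.4.9/32
CE2        GE1/0/0     VLANIF 10   10.2.1.1/24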

Configuration Roadmap
The configuration roadmap is as follows:
1. Set up the EBGP peer relation between the PE and the CE and set up MP-IBGP peer relation
between the PE and the ASBR.
2. Create a VPN instance on the two ASBR-PEs and bind the VPN instance to the interface
connected to the other ASBR-PE (regarding the ASBR-PE as its CE) and set up the EBGP
peer relation between the ASBR-PEs.

Data Preparation
To complete the configuration, you need the following data:
• MPLS LSR IDs of PEs and ASBR-PEs
• VPN instance names, RDs, and VPN targets for the PEs and ASBR-PEs

Procedure
Step 1 Create VLANs and specify the VLAN IDs that are allowed by the interfaces, as shown in Figure
3-9.
The configuration procedure is not mentioned here.
Step 2 On the MPLS backbone networks in AS 100 and AS 200, configure an IGP protocol so that the
PEs and the ASBRs on the network can communicate with each other.
The OSPF protocol is used in this example and the configuration procedure is not mentioned
here.


NOTE

The 32-bit loopback interface address used as the LSR ID must be advertised by OSPF.

After the configuration, the OSPF neighbor relation can be established between the ASBR and
the PE in the same AS. Run the display ospf peer command, and you can find that the neighbor
status is Full.
The ASBR-PE and PE in the same AS can ping each other and learn the loopback interface
address of each other.
Step 3 Configure the basic MPLS function and MPLS LDP on the MPLS backbone networks of AS
100 and AS 200 and set up the MPLS LDP LSP.
# Configure the basic MPLS function on PE1 and enable LDP on the interface connected to
ASBR-PE1.
<PE1> system-view
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] label advertise non-null
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 11
[PE1-Vlanif11] mpls
[PE1-Vlanif11] mpls ldp
[PE1-Vlanif11] quit

# Configure the basic MPLS function on ASBR-PE1 and enable LDP on the interface connected
to PE1.
<ASBR-PE1> system-view
[ASBR-PE1] mpls lsr-id 2.2.2.9
[ASBR-PE1] mpls
[ASBR-PE1-mpls] label advertise non-null
[ASBR-PE1-mpls] quit
[ASBR-PE1] mpls ldp
[ASBR-PE1-mpls-ldp] quit
[ASBR-PE1] interface vlanif 11
[ASBR-PE1-Vlanif11] mpls
[ASBR-PE1-Vlanif11] mpls ldp
[ASBR-PE1-Vlanif11] quit

# Configure the basic MPLS function on ASBR-PE2 and enable LDP on the interface connected
to PE2.
<ASBR-PE2> system-view
[ASBR-PE2] mpls lsr-id 3.3.3.9
[ASBR-PE2] mpls
[ASBR-PE2-mpls] label advertise non-null
[ASBR-PE2-mpls] quit
[ASBR-PE2] mpls ldp
[ASBR-PE2-mpls-ldp] quit
[ASBR-PE2] interface vlanif 22
[ASBR-PE2-Vlanif22] mpls
[ASBR-PE2-Vlanif22] mpls ldp
[ASBR-PE2-Vlanif22] quit

# Configure the basic MPLS function on PE2 and enable LDP on the interface connected to
ASBR-PE2.
<PE2> system-view
[PE2] mpls lsr-id 4.4.4.9
[PE2] mpls
[PE2-mpls] label advertise non-null
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 22
[PE2-Vlanif22] mpls
[PE2-Vlanif22] mpls ldp
[PE2-Vlanif22] quit

After the configuration, the LDP peer relation can be set up between the PE and ASBR in the
same AS. Run the display mpls ldp session command on each Switch, and you can see that the
session status is Operational.

Take the display on PE1 as an example:


[PE1] display mpls ldp session

 LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
 A '*' before a session means the session is being deleted.
 ------------------------------------------------------------------------------
 PeerID             Status       LAM  SsnRole  SsnAge      KASent/Rcv
 ------------------------------------------------------------------------------
 2.2.2.9:0          Operational  DU   Active   0002:23:46  17225/17224
 ------------------------------------------------------------------------------
 TOTAL: 1 session(s) Found.

Step 4 Configure the basic BGP/MPLS IP VPNs in AS 100 and AS 200.


NOTE

The VPN targets of the VPN instances on the ASBR-PE and the PE in the same AS should match each other.
The VPN targets of VPN instances in different ASs do not need to match each other.

# Configure CE1.
<CE1> system-view
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.1.1.1 24
[CE1-Vlanif10] quit
[CE1] bgp 65001
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

# On PE1, set up an EBGP peer relation between PE1 and CE1.


[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] route-distinguisher 100:1
[PE1-vpn-instance-vpn1] vpn-target 1:1 both
[PE1-vpn-instance-vpn1] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip binding vpn-instance vpn1
[PE1-Vlanif10] ip address 10.1.1.2 24
[PE1-Vlanif10] quit
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65001
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] quit
[PE1-bgp] quit

# On PE1, set up an MP-IBGP peer relation between PE1 and ASBR-PE1.


[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv4] quit


# On ASBR-PE1, set up an MP-IBGP peer relation between ASBR-PE1 and PE1.


[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] peer 1.1.1.9 as-number 100
[ASBR-PE1-bgp] peer 1.1.1.9 connect-interface loopback 1
[ASBR-PE1-bgp] ipv4-family vpnv4
[ASBR-PE1-bgp-af-vpnv4] peer 1.1.1.9 enable
[ASBR-PE1-bgp-af-vpnv4] quit
[ASBR-PE1-bgp] quit

NOTE

The configurations on CE2, PE2, and ASBR-PE2 are similar to the configurations on CE1, PE1 and ASBR-
PE1 and are not mentioned here.

After the configuration, run the display bgp vpnv4 vpn-instance vpn-instance-name peer
command on a PE, and you can find that the BGP peer relation between the PE and CE is in
Established state. Run the display bgp vpnv4 all peer command, and you can see that BGP peer
relations are set up between the PE and CE and between the PE and ASBR, and that they are in
Established state.
Take the display on PE1 as an example:
[PE1] display bgp vpnv4 vpn-instance vpn1 peer

 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1

  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv

  10.1.1.1        4 65001       10       10     0 00:07:10 Established       0
[PE1] display bgp vpnv4 all peer

 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 2                 Peers in established state : 2

  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv

  2.2.2.9         4   100        3        7     0 00:01:36 Established       0

  Peer of vpn instance:
  vpn instance vpn1 :
  10.1.1.1        4 65001       13       13     0 00:04:00 Established       2

Step 5 Configure the inter-AS VPN in VRF-to-VRF mode.


# On ASBR-PE1, create a VPN instance and bind the VPN instance to the interface connected
to ASBR-PE2 (ASBR-PE1 regards ASBR-PE2 as its own CE).
[ASBR-PE1] ip vpn-instance vpn1
[ASBR-PE1-vpn-instance-vpn1] route-distinguisher 100:2
[ASBR-PE1-vpn-instance-vpn1] vpn-target 1:1 both
[ASBR-PE1-vpn-instance-vpn1] quit
[ASBR-PE1] interface vlanif 12
[ASBR-PE1-Vlanif12] ip binding vpn-instance vpn1
[ASBR-PE1-Vlanif12] ip address 192.1.1.1 24
[ASBR-PE1-Vlanif12] quit

# On ASBR-PE2, create a VPN instance and bind the VPN instance to the interface connected
to ASBR-PE1 (ASBR-PE2 regards ASBR-PE1 as its own CE).
[ASBR-PE2] ip vpn-instance vpn1
[ASBR-PE2-vpn-instance-vpn1] route-distinguisher 200:2
[ASBR-PE2-vpn-instance-vpn1] vpn-target 2:2 both
[ASBR-PE2-vpn-instance-vpn1] quit
[ASBR-PE2] interface vlanif 12
[ASBR-PE2-Vlanif12] ip binding vpn-instance vpn1
[ASBR-PE2-Vlanif12] ip address 192.1.1.2 24
[ASBR-PE2-Vlanif12] quit


# On ASBR-PE1, set up an EBGP peer relation between ASBR-PE1 and ASBR-PE2.


[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] ipv4-family vpn-instance vpn1
[ASBR-PE1-bgp-vpn1] peer 192.1.1.2 as-number 200
[ASBR-PE1-bgp-vpn1] import-route direct
[ASBR-PE1-bgp-vpn1] quit
[ASBR-PE1-bgp] quit

# On ASBR-PE2, set up an EBGP peer relation between ASBR-PE2 and ASBR-PE1.


[ASBR-PE2] bgp 200
[ASBR-PE2-bgp] ipv4-family vpn-instance vpn1
[ASBR-PE2-bgp-vpn1] peer 192.1.1.1 as-number 100
[ASBR-PE2-bgp-vpn1] import-route direct
[ASBR-PE2-bgp-vpn1] quit
[ASBR-PE2-bgp] quit

Run the display bgp vpnv4 vpn-instance vpn-instance-name peer command on an ASBR-PE, and you
can see that the BGP peer relation is established between the ASBR-PEs.
Step 6 Verify the configuration.
After the preceding configuration, CEs can learn the routes from the interfaces of each other,
and CE1 and CE2 can ping each other successfully.
Take the display on CE1 as an example:
[CE1] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 10       Routes : 10

Destination/Mask    Proto   Pre  Cost  Flags  NextHop     Interface

10.1.1.0/24         Direct  0    0     D      10.1.1.1    Vlanif10
10.1.1.1/32         Direct  0    0     D      127.0.0.1   InLoopBack0
10.1.1.255/32       Direct  0    0     D      127.0.0.1   InLoopBack0
10.2.1.0/24         BGP     255  0     D      10.1.1.2    Vlanif10
127.0.0.0/8         Direct  0    0     D      127.0.0.1   InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1   InLoopBack0
127.255.255.255/32  Direct  0    0     D      127.0.0.1   InLoopBack0
192.1.1.0/24        BGP     255  0     D      10.1.1.2    Vlanif10
192.1.1.2/32        BGP     255  0     D      10.1.1.2    Vlanif10
255.255.255.255/32  Direct  0    0     D      127.0.0.1   InLoopBack0
[CE1] ping 10.2.1.1
PING 10.2.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.2.1.1: bytes=56 Sequence=