
HUAWEI NetEngine5000E Core Router

V800R002C01

Configuration Guide - VPN

Issue 01
Date 2011-10-15

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://www.huawei.com
Email: support@huawei.com

Issue 01 (2011-10-15) Huawei Proprietary and Confidential i


Copyright © Huawei Technologies Co., Ltd.
HUAWEI NetEngine5000E Core Router
Configuration Guide - VPN About This Document

About This Document

Intended Audience
This document provides the basic concepts, configuration procedures, and configuration
examples in different application scenarios of the VPN feature supported by the NE5000E
device.
This document describes how to configure the Basic Configurations feature.
This document is intended for:
- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers

Related Versions (Optional)


The following table lists the product versions related to this document.

Product Name                         Version
HUAWEI NetEngine5000E Core Router    V800R002C01

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol Description

Indicates a hazard with a high level of risk, which if not avoided, will result in death or
serious injury.

Indicates a hazard with a medium or low level of risk, which if not avoided, could result in
minor or moderate injury.


Indicates a potentially hazardous situation, which if not avoided, could result in equipment
damage, data loss, performance degradation, or unexpected results.

Indicates a tip that may help you solve a problem or save time.

Provides additional information to emphasize or supplement important points of the main text.

Command Conventions (Optional)


The command conventions that may be found in this document are defined as follows.

Convention          Description

Boldface            The keywords of a command line are in boldface.

Italic              Command arguments are in italics.

[ ]                 Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars.
                    One item is selected.

[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars.
                    One item is selected or no item is selected.

{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars.
                    A minimum of one item or a maximum of all items can be selected.

[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars.
                    Several items or no item can be selected.

&<1-n>              The parameter before the & sign can be repeated 1 to n times.

#                   A line starting with the # sign is a comment.

Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.

Changes in Issue 01 (2011-10-15)


The initial commercial release.


Contents

About This Document

1 VPN Tunnel Management Configuration
1.1 VPN Tunnel Management Overview
1.2 VPN Tunnel Management Features Supported by the NE5000E
1.3 Configuring Tunnel Interfaces
1.3.1 Creating a Tunnel Interface
1.3.2 Configuring a Tunnel Interface
1.3.3 Checking the Configuration
1.4 Configuring a Tunnel Type Prioritizing Policy for an L3VPN
1.4.1 Configuring a Tunnel Type Prioritizing Policy
1.4.2 Applying a Tunnel Policy to an L3VPN
1.4.3 Checking the Configuration
1.5 Configuring a Tunnel Binding Policy for an L3VPN
1.5.1 Configuring a Tunnel Binding Policy
1.5.2 Applying a Tunnel Policy to an L3VPN
1.5.3 Checking the Configuration
1.6 Maintaining a VPN Tunnel
1.6.1 Monitoring the Running Status of a Tunnel
1.7 Configuration Examples
1.7.1 Example for Configuring a Tunnel Policy for an L3VPN

2 BGP/MPLS IP VPN Configuration
2.1 BGP/MPLS IP VPN Overview
2.2 BGP/MPLS IP VPN Features Supported by the NE5000E
2.3 Configuring a VPN Instance Enabled with the IPv4 Address Family
2.3.1 Creating a VPN Instance
2.3.2 Configuring Attributes for the VPN Instance IPv4 Address Family
2.3.3 (Optional) Limiting the Route Number of the VPN Instance IPv4 Address Family
2.3.4 (Optional) Applying a Tunnel Policy to the VPN instance IPv4 Address Family
2.3.5 (Optional) Configuring MPLS Label Allocation Based on the VPN Instance IPv4 Address Family
2.3.6 Checking the Configuration
2.4 Configuring Basic BGP/MPLS IP VPN
2.4.1 Configuring a VPN Instance


2.4.2 Binding an Interface to a VPN Instance
2.4.3 (Optional) Configuring a Router ID for a BGP VPN Instance IPv4 Address Family
2.4.4 Configuring Route Exchange Between PEs
2.4.5 Configuring Route Exchange Between a PE and a CE
2.4.6 Checking the Configuration
2.5 Configuring Route Reflection to Optimize the VPN Backbone Layer
2.5.1 Configuring a Client PE to Establish an MP-IBGP Peer Relationship with an RR
2.5.2 Configuring an RR to Establish MP-IBGP Peer Relationships with All Client PEs
2.5.3 Configuring Route Reflection for BGP VPNv4 Routes
2.5.4 Checking the Configuration
2.6 Configuring Hub and Spoke
2.6.1 Configuring a VPN Instance
2.6.2 Configuring Routing Attributes for a VPN Instance
2.6.3 Binding an Interface to a VPN Instance
2.6.4 Configuring Route Exchange Between a Hub-PE and a Spoke-PE
2.6.5 Configuring Route Exchange Between a PE and a CE
2.6.6 Checking the Configuration
2.7 Configuring a Tunnel Policy for the Backbone Network of a BGP/MPLS IP VPN
2.7.1 Configuring a Tunnel Policy
2.7.2 Applying a Tunnel Policy to a VPN
2.7.3 Checking the Configuration
2.8 Configuring Inter-AS VPN Option A
2.9 Configuring Inter-AS VPN Option B (Basic Networking)
2.9.1 Configuring MP-IBGP Between a PE and an ASBR in the Same AS
2.9.2 Configuring MP-EBGP Between ASBRs in Different ASs
2.9.3 Controlling the Learning and Advertising of VPN Routes on ASBR
2.9.4 Configuring Route Exchange Between a CE and a PE
2.9.5 Checking the Configuration
2.10 Configuring Inter-AS VPN Option B (ASBR Also Functioning as a PE)
2.10.1 Configuring MP-IBGP Between a PE and an ASBR in the Same AS
2.10.2 Configuring MP-EBGP Between ASBRs in Different ASs
2.10.3 Controlling the Learning and Advertising of VPN Routes on ASBR
2.10.4 Configuring a VPN Instance on an ASBR
2.10.5 Configuring Route Exchange Between a CE and an ASBR
2.10.6 Configuring Route Exchange Between a CE and a PE
2.10.7 Checking the Configuration
2.11 Configuring Inter-AS VPN Option B (ASBR Also Functioning as an RR)
2.11.1 Configuring MP-IBGP Between a PE and an ASBR in the Same AS
2.11.2 Configuring MP-EBGP Between ASBRs in Different ASs
2.11.3 Controlling the Learning and Advertising of VPN Routes on ASBR
2.11.4 Configuring BGP IPv4 VPN Route Reflection on an ASBR
2.11.5 Checking the Configuration


2.12 Configuring Inter-AS VPN Option B (Spanning More Than Two ASs)
2.12.1 Configuring MP-IBGP Between a PE and an ASBR in the Same AS
2.12.2 Configuring MP-EBGP Between ASBRs in Different ASs
2.12.3 Configuring MP-IBGP Between ASBRs in the Same AS
2.12.4 Controlling the Learning and Advertising of VPN Routes on ASBR
2.12.5 Checking the Configuration
2.13 Configuring the Multi-VPN-Instance CE
2.13.1 Configuring OSPF Multi-Instance on the PE
2.13.2 Configuring the OSPF Multi-Instance on the Multi-Instance CE
2.13.3 Disabling Route Loop Detection on the Multi-VPN-Instance CE
2.13.4 Checking the Configuration
2.14 Configuring VPN FRR
2.15 Configuring FRR for IP Routes on a Private Network
2.16 Configuring Hybrid FRR for IP and VPNv4 Routes
2.17 Maintaining BGP/MPLS IP VPN
2.17.1 Monitoring the Running Status of BGP/MPLS IP VPN
2.17.2 Checking the Network Connectivity and Reachability
2.17.3 Clearing BGP Statistics of the VPN Instance IPv4 Address Family
2.17.4 Resetting BGP Connections
2.18 Configuration Examples
2.18.1 Example for Configuring BGP/MPLS IP VPN
2.18.2 Example for Configuring BGP AS Number Substitution
2.18.3 Example for Configuring the BGP SoO
2.18.4 Example for Configuring CE Dual-Homing with EBGP Running Between a PE and a CE
2.18.5 Example for Configuring Double RRs for the Optimization of the VPN Backbone Layer
2.18.6 Example for Configuring an RR for the Optimization of the VPN Access Layer
2.18.7 Example for Configuring Hub and Spoke
2.18.8 Example for Configuring Extranet VPN
2.18.9 Example for Configuring Load Balancing Among Tunnels to Which Remote Cross Routes Are Iterated on a VPN
2.18.10 Example for Configuring Inter-AS VPN Option A
2.18.11 Example for Configuring Inter-AS VPN Option B with Basic Networking
2.18.12 Example for Configuring Inter-AS VPN Option B with an RR in an AS
2.18.13 Example for Configuring Inter-AS VPN Option B with an ASBR Filtering VPN Routes
2.18.14 Example for Configuring Inter-AS VPN Option B with a P Between ASBRs
2.18.15 Example for Configuring Inter-AS VPN Option B with ASBRs Functioning as PEs
2.18.16 Example for Configuring Inter-AS VPN Option B with an ASBR Functioning as an RR
2.18.17 Example for Configuring Inter-AS VPN Option B with the VPN Spanning Multiple ASs
2.18.18 Example for Configuring a Multi-VPN-Instance CE
2.18.19 Example for Configuring VPN FRR with FRR Switchover Being Implemented on a PE
2.18.20 Example for Configuring FRR for IP Routes on a Private Network
2.18.21 Example for Configuring Hybrid FRR for IP and VPNv4 Routes
2.18.22 Example for Configuring BFD for Static VPN Routes


3 BGP/MPLS IPv6 VPN Configuration
3.1 BGP/MPLS IPv6 VPN Overview
3.2 BGP/MPLS IPv6 VPN Functions Supported by the NE5000E
3.3 Configuring an IPv6 Address Family-supporting VPN Instance
3.3.1 Creating a VPN Instance
3.3.2 Configuring Attributes for the VPN Instance IPv6 Address Family
3.3.3 (Optional) Applying a Tunnel Policy to the VPN Instance IPv6 Address Family
3.3.4 (Optional) Configuring MPLS Label Allocation Based on the VPN Instance IPv6 Address Family
3.3.5 Checking the Configuration
3.4 Configuring Basic BGP/MPLS IPv6 VPN
3.4.1 Configuring an IPv6 Address Family-supporting VPN Instance
3.4.2 Binding an Interface to a VPN Instance
3.4.3 Configuring MP-IBGP to Run Between PEs
3.4.4 Configuring Route Exchange Between a PE and a CE
3.4.5 Checking the Configuration
3.5 Configuring Route Reflection for BGP VPNv6 Routes
3.5.1 Configuring a Client PE to Establish an MP-IBGP Connection with the RR
3.5.2 Configuring the RR to Establish MP-IBGP Connections with All Client PEs
3.5.3 Configuring Route Reflection for BGP VPNv6 Routes
3.5.4 Checking the Configuration
3.6 Configuring a Tunnel Policy for the Backbone Network of a BGP/MPLS IPv6 VPN
3.6.1 Configuring a Tunnel Policy
3.6.2 Applying a Tunnel Policy to the IPv6 VPN
3.6.3 Checking the Configuration
3.7 Configuring Inter-AS IPv6 VPN Option A
3.8 Configuring Inter-AS IPv6 VPN Option B
3.8.1 Configuring MP-IBGP Between a PE and an ASBR in the Same AS
3.8.2 Configuring MP-EBGP Between ASBRs in Different ASs
3.8.3 Controlling the Learning and Advertising of VPN Routes on ASBR
3.8.4 Configuring Route Exchange Between a CE and a PE
3.8.5 Checking the Configuration
3.9 Configuring Load Balancing Among IPv6 VPN Routes on the Backbone Network
3.10 Configuring VPNv6 FRR
3.11 Configuring FRR for IPv6 Routes on a Private Network
3.12 Configuring Hybrid FRR for IPv6 and VPNv6 Routes
3.13 Maintaining BGP/MPLS IPv6 VPN
3.13.1 Displaying BGP/MPLS IPv6 VPN Information
3.13.2 Checking the Network Connectivity and Reachability
3.13.3 Checking Route Statistics for a VPN Instance IPv6 Address Family
3.13.4 Clearing BGP Statistics for a VPN Instance IPv6 Address Family
3.13.5 Resetting BGP Connections
3.14 Configuration Examples


3.14.1 Example for Configuring Basic BGP/MPLS IPv6 VPN
3.14.2 Example for Configuring BGP4+ AS Number Substitution
3.14.3 Example for Configuring Load Balancing Among IPv6 VPN Routes
3.14.4 Example for Configuring Load Balancing Among Tunnels to Which Remote Cross Routes Are Iterated on an IPv6 VPN
3.14.5 Example for Configuring Inter-AS IPv6 VPN Option A
3.14.6 Example for Configuring Inter-AS IPv6 VPN Option B
3.14.7 Example for Configuring VPNv6 FRR
3.14.8 Example for Configuring FRR for IPv6 Routes on a Private Network
3.14.9 Example for Configuring Hybrid FRR for IPv6 and VPNv6 Routes
3.14.10 Example for Configuring an RR in an IPv6 VPN


1 VPN Tunnel Management Configuration

About This Chapter

VPN tunnel management involves the creation, management, and maintenance of VPN tunnels.

1.1 VPN Tunnel Management Overview


VPN tunnel management overview covers the introduction to common VPN tunnels, including
LSPs and TE tunnels, and tunnel configuration management.
1.2 VPN Tunnel Management Features Supported by the NE5000E
The main feature involved in VPN tunnel management is the tunnel policy, including the tunnel
type prioritizing policy and tunnel binding policy.
1.3 Configuring Tunnel Interfaces
Tunnel interfaces are point-to-point virtual interfaces that are used for encapsulating packets.
Similar to loopback interfaces, tunnel interfaces are logical interfaces.
1.4 Configuring a Tunnel Type Prioritizing Policy for an L3VPN
If load balancing or other types of tunnels are required, you need to configure a tunnel type
prioritizing policy and apply this tunnel policy.
1.5 Configuring a Tunnel Binding Policy for an L3VPN
L3VPN tunnel binding refers to the binding between a TE tunnel and a specified L3VPN.
Through the binding, VPN services can be exclusively transmitted over the bound tunnel.
1.6 Maintaining a VPN Tunnel
Maintaining a VPN tunnel involves monitoring the running status of the VPN tunnel and
debugging the VPN tunnel.
1.7 Configuration Examples
This section provides examples for applying a tunnel policy to an L3VPN.


1.1 VPN Tunnel Management Overview


VPN tunnel management overview covers the introduction to common VPN tunnels, including
LSPs and TE tunnels, and tunnel configuration management.
In Virtual Private Networks (VPNs), tunneling technology is used to set up dedicated
transmission channels, called tunnels, on the backbone network. Packets are then
transmitted transparently through these tunnels.

Common VPN Tunnels


The common VPN tunnels are as follows:
- LSP
  Label Switched Paths (LSPs) are used as tunnels for VPN data forwarding over the
  Multiprotocol Label Switching (MPLS) VPN public network. In this mode, only the PE,
  rather than every device that a VPN packet passes through, needs to analyze IP packet
  headers. This shortens the time needed to process VPN packets and reduces the packet
  transmission delay. In addition, MPLS labels are supported by any link-layer protocol.
  An LSP is similar to an Asynchronous Transfer Mode (ATM) virtual circuit (VC) or a
  Frame Relay (FR) VC in function and security.
- MPLS TE
  Generally, carriers are required to provide VPN users with end-to-end Quality of Service
  (QoS) for various services, such as the voice service, video service, mission-critical
  service, and common online service. MPLS Traffic Engineering (TE) tunnels can optimize
  network resources and offer users QoS-guaranteed services.

Tunnel Configuration Management


The setup and management of tunnels vary with the tunnel type. For example, MPLS TE tunnels
(CR-LSP tunnels) are set up and managed through tunnel interfaces, whereas Label Distribution
Protocol (LDP) LSP tunnels are set up automatically as long as the corresponding protocols
are configured.
This section describes the configurations of tunnel interfaces and general tunnel management.
- Tunnel interface configuration: You can specify different tunnel types on different tunnel
  interfaces. Configurations of tunnels vary with the tunnel type.
- Tunnel management: This function notifies applications that use a tunnel of the tunnel
  status and provides tunnel query policies for tunnel selection. The most commonly used
  function is setting tunnel policies.

1.2 VPN Tunnel Management Features Supported by the NE5000E

The main feature involved in VPN tunnel management is the tunnel policy, including the tunnel
type prioritizing policy and tunnel binding policy.
An application such as a VPN selects tunnels according to tunnel policies. If no tunnel policy is
created, the tunnel management module searches for the tunnel according to a default policy.


Tunnel Type Prioritizing Policy


When creating a tunnel type prioritizing policy, you can specify the sequence in which each type
of tunnel is selected and the number of tunnels participating in load balancing.
The tunnel type prioritizing policy selects tunnels according to the following rules: The
tunnel type specified first is selected as long as a tunnel of this type is Up, regardless of
whether that tunnel is already selected by other services. A tunnel type specified later is
normally not selected unless load balancing is required or the preceding tunnels are all Down.
For example, a tunnel policy defines that both LSPs and CR-LSPs can be used for the same
destination and that LSPs take precedence over CR-LSPs. If the LSP does not exist, the VPN
chooses the CR-LSP. After an LSP is set up, the VPN selects the LSP and no longer uses the
CR-LSP.
If there are multiple eligible tunnels of the same type, the tunnel policy randomly chooses
one or more of them.
If the tunnel policy defines that both CR-LSPs and LSPs can be used, that CR-LSPs take
precedence over LSPs, and that the number of tunnels participating in load balancing is three,
tunnels are selected based on the following rules:
• CR-LSPs are preferred as long as they are Up. If the number of CR-LSPs that are Up is
  smaller than three (there are not enough CR-LSPs, or there are enough CR-LSPs but some of
  them are Down), the CR-LSPs are selected first and LSPs in the Up state are also selected.
• If there is one LSP among the three selected tunnels and a new CR-LSP is set up or a
  CR-LSP in the Down state becomes Up, the CR-LSP is selected and the LSP is no longer used.
• If the number of tunnels currently used for load balancing is smaller than the configured
  number and a CR-LSP or an LSP in the Up state is added, the newly added tunnel participates
  in load balancing.
• The number of tunnels currently used for load balancing depends on the number of eligible
  tunnels. For example, if only one CR-LSP and one LSP are Up, load balancing is performed
  between these two tunnels. Tunnels of other types are not selected even if they are Up.

Tunnel Binding Policy


In tunnel binding, you can bind one or multiple TE tunnels for one destination address. In
addition, you can configure the down-switch attribute. In this manner, other types of tunnels are
selected when the specified tunnels are unavailable, thereby ensuring non-stop VPN services.
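
The two policies described above can be modelled in a few lines to predict which tunnels will carry a VPN's traffic before a policy is committed. This is an added example, not Huawei code: the Tunnel class and function names are hypothetical, tunnels of one type are taken in list order (the device picks among them randomly), reserved tunnels are excluded from select-seq as section 1.5.1 of this guide notes, and the down-switch fallback order (LSP first, one tunnel) is an assumption borrowed from the default policy order given in section 1.4.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    name: str
    kind: str               # "cr-lsp" (MPLS TE tunnel) or "lsp" (LDP LSP)
    up: bool = True
    reserved: bool = False  # "mpls te reserved-for-binding" set on the tunnel interface


def select_by_priority(tunnels, select_seq, load_balance_number):
    """Tunnel type prioritizing policy.

    Walk the tunnel types in select_seq order, take only Up tunnels that are
    not reserved for binding, and stop at load_balance_number tunnels. A later
    type is reached only when the earlier types cannot fill the number.
    """
    chosen = []
    for kind in select_seq:
        for t in tunnels:
            if len(chosen) == load_balance_number:
                return chosen
            if t.kind == kind and t.up and not t.reserved:
                chosen.append(t)
    return chosen


def select_by_binding(tunnels, bound_names, down_switch):
    """Tunnel binding policy for one destination.

    Traffic uses only the bound TE tunnels that are Up. If none is Up, traffic
    is dropped unless down-switch is set, in which case other tunnels are used
    (assumed here: default order LSP, then CR-LSP, no load balancing).
    """
    bound = [t for t in tunnels if t.name in bound_names and t.up]
    if bound:
        return bound
    if not down_switch:
        return []
    return select_by_priority(tunnels, ("lsp", "cr-lsp"), 1)


def names(selection):
    """Tunnel names of a selection, for display and comparison."""
    return [t.name for t in selection]


if __name__ == "__main__":
    # Constructed inventory: two TE tunnels and one LDP LSP to the same PE.
    te1 = Tunnel("Tunnel1", "cr-lsp")
    te2 = Tunnel("Tunnel2", "cr-lsp", reserved=True)
    ldp = Tunnel("LDP LSP", "lsp")
    inventory = [te1, te2, ldp]

    # Shared VPN: CR-LSP first, LSP second, up to three tunnels.
    print(names(select_by_priority(inventory, ("cr-lsp", "lsp"), 3)))
    # Bound VPN: only Tunnel2, no fallback.
    print(names(select_by_binding(inventory, {"Tunnel2"}, down_switch=False)))
```

With down-switch disabled, a bound VPN whose tunnel goes Down has no tunnel at all, which keeps its traffic off shared tunnels at the cost of availability.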

1.3 Configuring Tunnel Interfaces


Tunnel interfaces are point-to-point virtual interfaces that are used for encapsulating packets.
Similar to loopback interfaces, tunnel interfaces are logical interfaces.

Applicable Environment
Tunnels such as MPLS TE tunnels and IPv6 over IPv4 tunnels all use virtual interfaces, namely,
tunnel interfaces, to forward packets. Before setting up these types of tunnels, you need to
create tunnel interfaces.
Tunnel interfaces can be configured with different encapsulation modes as required, for
example, mpls te and ipv6-ipv4.


Pre-configuration Tasks
Before configuring a tunnel interface, complete the following tasks:
• Connecting interfaces correctly and configuring physical parameters for the interfaces to
  ensure that the physical layer statuses of these interfaces are Up
• Configuring parameters of the link layer protocol and IP addresses for the interfaces to
  ensure that the link layer protocol on the interfaces is Up

Configuration Procedures

Figure 1-1 Flowchart for configuring a tunnel interface
[Flowchart: Create a tunnel interface, then Configure a tunnel interface.]

1.3.1 Creating a Tunnel Interface


The TE tunnels are set up and managed through tunnel interfaces.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface tunnel interface-number

A tunnel interface is created.


Step 3 (Optional) Run:
description text

The tunnel description information is configured.

----End

1.3.2 Configuring a Tunnel Interface


Configurations about tunnel interfaces vary with the tunnel type. You can only run related
commands after a tunnel interface is configured with a tunnel encapsulation type.

Procedure
• For detailed TE tunnel interface configuration, refer to Configuring the MPLS TE Tunnel
  Interface in the NE5000E Configuration Guide - MPLS.
• For detailed IPv6 over IPv4 tunnel interface configuration, refer to IPv6 over IPv4 Tunnel
  Configuration in the NE5000E Configuration Guide - IP Service.
----End

1.3.3 Checking the Configuration


After a tunnel interface is configured, you can view details about the tunnel interface and the
specified tunnel.

Prerequisite
All configurations of the functions of the tunnel interface are completed.

Procedure
• Run the display tunnel-info all command to check information about all tunnels.
• Run the display tunnel-info tunnel-id command to check details about the specified tunnel.
----End

Example
Run the display tunnel-info command, and you can view the tunnel ID of the specified tunnel
and other configurations.
<HUAWEI> display tunnel-info all
Tunnel ID Type Destination Status
-----------------------------------------------------------------------------
0x0000000001004c4b81 ldp 2.2.2.2 UP
0x000000000300000001 te 2.2.2.2 UP

Run the display tunnel-info tunnel-id command, and you can view details about the tunnel.
<HUAWEI> display tunnel-info 000000000300000001
Tunnel ID: 0x000000000300000001
Type: te
Name: Tunnel2
Destination: 2.2.2.2
Instance ID: 0
Cost: 4294967295
Status: UP

1.4 Configuring a Tunnel Type Prioritizing Policy for an L3VPN

If load balancing or other types of tunnels are required, you need to configure a tunnel type
prioritizing policy and apply this tunnel policy.

Applicable Environment
By default, the system selects a tunnel for a VPN based on the default policy, that is, in the
order of LSPs, CR-LSPs, and Local_IfNet, and load balancing is not performed. If load
balancing or other types of tunnels are required, you need to configure a tunnel policy and
apply the tunnel policy.
For L3VPNs, a tunnel policy needs to be bound to a VPN instance.


Pre-configuration Tasks
Before configuring a tunnel policy, complete the following tasks:
• Connecting interfaces correctly and configuring physical parameters for the interfaces to
  ensure that the physical layer statuses of these interfaces are Up
• Configuring parameters of the link layer protocol and IP addresses for the interfaces to
  ensure that the link layer protocol on the interfaces is Up
• Setting up a tunnel (LSP or TE tunnel) to be used by the VPN instance
• Configuring VPN instances on PEs

Configuration Procedures

Figure 1-2 Flowchart for configuring a tunnel type prioritizing policy for an L3VPN
[Flowchart: Configure a tunnel type prioritizing policy, then Apply a tunnel policy to an L3VPN.]

1.4.1 Configuring a Tunnel Type Prioritizing Policy


When creating a tunnel type prioritizing policy, you can specify the sequence in which each type
of tunnel is selected and the number of tunnels participating in load balancing.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
tunnel-policy policy-name

A tunnel policy is created and the tunnel policy view is displayed.


A tunnel policy can specify only one tunnel selection method. If multiple tunnel selection
methods are required, you need to create multiple tunnel policies.
A VPN instance can be associated with only one tunnel policy and multiple VPN instances can
share one tunnel policy.
Step 3 Run:
tunnel select-seq { cr-lsp | lsp }* load-balance-number load-balance-number

The sequence in which each type of tunnel is selected and the number of tunnels participating
in load balancing are set.


For L3VPNs, if no tunnel policies are configured, LSP is used as the VPN tunnel, and no load
balancing is carried out.

Step 4 Run:
commit

The configuration is committed.

----End

1.4.2 Applying a Tunnel Policy to an L3VPN


A tunnel policy needs to be applied to the VPN instance IPv4 address family or IPv6 address
family for specifying the sequence in which each type of tunnel is selected and the number of
tunnels participating in load balancing.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.

Step 3 Run:
ipv4-family or ipv6-family

The VPN instance IPv4 address family view or IPv6 address family view is displayed.

Step 4 Run:
tnl-policy policy-name

A tunnel policy is applied to the VPN instance IPv4 address family or IPv6 address family.

Step 5 Run:
commit

The configuration is committed.

----End

1.4.3 Checking the Configuration


After a tunnel type prioritizing policy is configured for an L3VPN, you can view the
configuration of the tunnel policy and information about the tunnels and tunnel policy that are
used by VPN routing.

Prerequisite
All configurations about a tunnel type prioritizing policy are complete and the tunnel policy is
applied to an L3VPN instance.


Procedure
• Run the display tunnel-info { all | statistics | tunnel-id } command to check information
  about existing tunnels of the system.
• Run the display tunnel-policy [ policy-name ] command to check the configuration about
  the specified tunnel policy.
• Run the display ip vpn-instance verbose [ vpn-instance-name ] command to check the
  tunnel policy applied to the specified VPN instance.
• Run the display ip routing-table vpn-instance vpn-instance-name [ ip-address ] verbose
  or the display ipv6 routing-table vpn-instance vpn-instance-name [ ipv6-address ] verbose
  command to check the tunnel used by VPN routing.
----End

Example
Run the display tunnel-info all command, and you can view information and status of existing
tunnels of the system.
<HUAWEI> display tunnel-info all
Tunnel ID Type Destination Status
-----------------------------------------------------------------------------
0x0000000001004c4b81 ldp 2.2.2.9 UP
0x000000000300000001 te 2.2.2.9 UP
0x000000000300000002 te 2.2.2.9 UP

Run the display tunnel-policy command, and you can view the configuration about the tunnel
policy. For example:
<HUAWEI> display tunnel-policy policy2

Tunnel Policy Name Select-Seq Load balance No
---------------------------------------------------------------------
policy2 CR-LSP LSP 3

Run the display ip vpn-instance verbose command, and you can view the tunnel policy applied
to the specified VPN instance. For example, from the following output, you can view that the
tunnel policy applied to the VPN instance vpnb is policy2.
<HUAWEI> display ip vpn-instance verbose vpnb

VPN-Instance Name and ID : vpnb, 1
Interfaces : GigaEthernet1/0/0
Address family ipv4
Create date : 2009/11/04 17:47:21
Up time : 0 days, 01 hours, 58 minutes and 12 seconds
Route Distinguisher : 11:11
Export VPN Targets : 22:22
Import VPN Targets : 22:22
Label Policy : label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe
Tunnel Policy : policy2

Run the display ip routing-table vpn-instance vpn-instance-name [ ip-address ] verbose
command, and you can view the tunnel used by VPN routing. For example:
<HUAWEI> display ip routing-table vpn-instance vpnb 6.6.6.6 verbose
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpnb
Summary Count : 1

Destination: 6.6.6.6/32
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 2.2.2.2 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h59m36s
Tag: 0 Priority: low
Label: 0x15 QoSInfo: 0x0
IndirectID: 0xb8
RelayNextHop: 0.0.0.0 Interface: Tunnel1
TunnelID: 0x000000000300000001 Flags: RD
RelayNextHop: 0.0.0.0 Interface: LDP LSP
TunnelID: 0x0000000001004c4b81 Flags: RD

1.5 Configuring a Tunnel Binding Policy for an L3VPN


L3VPN tunnel binding refers to the binding between a TE tunnel and a specified L3VPN.
Through the binding, VPN services can be exclusively transmitted over the bound tunnel.

Applicable Environment
For VPN service deployment, VPN tunnel binding is required in the following conditions:
• VPN services need to be transmitted over a specified TE tunnel.
• VPN services require guaranteed bandwidth.

Pre-configuration Tasks
Before configuring VPN tunnel binding, complete the following tasks:
• Configuring parameters of the link layer protocol and IP addresses for the interfaces to
  ensure that the link layer protocol on the interfaces is Up
• Configuring static routes or enabling an IGP to ensure that the routes between nodes are
  reachable
• Configuring basic MPLS functions and enabling MPLS TE
• Setting up an MPLS TE tunnel between PEs
• Configuring VPN instances on PEs

Configuration Procedures

Figure 1-3 Flowchart for configuring a tunnel binding policy for an L3VPN
[Flowchart: Configure a tunnel binding policy, then Apply a tunnel policy to an L3VPN.]

Related Tasks
1.7.1 Example for Configuring a Tunnel Policy for an L3VPN


1.5.1 Configuring a Tunnel Binding Policy


You can create a tunnel binding policy and bind a destination address to a TE tunnel in the policy.

Procedure
• Enable tunnel binding.
1. Run:
system-view

The system view is displayed.


2. Run:
interface tunnel interface-number

The tunnel interface view of the MPLS TE is displayed.


3. Run:
mpls te reserved-for-binding

The VPN binding for the tunnel is enabled.


The tunnel policy in select-sequence mode cannot use the tunnel enabled with the
VPN binding.
4. Run:
commit

The configuration is committed.


• Configure a tunnel policy.
1. Run:
system-view

The system view is displayed.


2. Run:
tunnel-policy policy-name

A tunnel policy is created.


3. Run:
tunnel binding destination dest-ip-address te tunnel interface-number
[ down-switch ]

The destination is bound to the tunnel policy. Then, VPN data from the local device
to the destination address is transmitted over the bound tunnel.

NOTE

• If the tunnel select-seq command is configured in the tunnel policy, you cannot configure
  the tunnel binding command for this policy.
• The same destination IP address on a PE can be bound to up to many tunnels to implement
  load balancing.
• When the PE has multiple peers, you can configure different tunnel binding commands
  for the multiple destination addresses in one tunnel policy.
4. Run:
commit

The configuration is committed.


----End


1.5.2 Applying a Tunnel Policy to an L3VPN


After a tunnel binding policy is applied to an L3VPN, VPN data bound for an IP address is
transmitted along the bound tunnel.

Context
Do as follows on the PE devices at both ends of a tunnel. For different VPN services on one PE
for the same destination, the same tunnel policy can be used.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.

Step 3 Run:
ipv4-family or ipv6-family

The VPN instance IPv4 address family or IPv6 address family view is displayed.

Step 4 Run:
tnl-policy policy-name

A tunnel policy is applied to the VPN instance IPv4 address family or IPv6 address family.

Step 5 Run:
commit

The configuration is committed.

----End

1.5.3 Checking the Configuration


After L3VPN tunnel binding is configured, you can view information about the tunnel binding
policy and the interface of the bound tunnel.

Prerequisite
All configurations about a tunnel binding policy are complete and the tunnel policy is applied
to an L3VPN instance.

Procedure
• Run the display tunnel-info { all | statistics | tunnel-id } command to check information
  about existing tunnels of the system.
• Run the display tunnel-policy policy-name command to check the configuration about the
  specified tunnel binding policy.
• Run the display ip vpn-instance verbose [ vpn-instance-name ] command to check the
  tunnel policy applied to the specified VPN instance.
• Run the display ip routing-table vpn-instance vpn-instance-name [ ip-address ] verbose
  or the display ipv6 routing-table vpn-instance vpn-instance-name [ ipv6-address ] verbose
  command to check the tunnel used by VPN routing.
----End

Example
Run the display tunnel-info all command, and you can view information and status of existing
tunnels of the system.
<HUAWEI> display tunnel-info all
Tunnel ID Type Destination Status
-----------------------------------------------------------------------------
0x0000000001004c4b81 ldp 2.2.2.9 UP
0x000000000300000001 te 2.2.2.9 UP
0x000000000300000002 te 2.2.2.9 UP

Run the display tunnel-policy command, and you can view the destination address and tunnel
interface defined in the tunnel binding policy.
<HUAWEI> display tunnel-policy policy2

Tunnel Policy Name Select-Seq Load balance No
---------------------------------------------------------------------
The number of binding:1
Tunnel Policy Name Destination Tunnel Intf Down Switch
-----------------------------------------------------------------------------
policy2 1.1.1.1 Tunnel2 Disable

Run the display ip vpn-instance verbose command, and you can view the tunnel policy applied
to the VPN instance. For example, from the following output, you can view that the tunnel policy
applied to the VPN instance vpna is policy1.
<HUAWEI> display ip vpn-instance verbose
Total VPN-Instances configured : 1

VPN-Instance Name and ID : vpna, 1
Interfaces : GigaEthernet3/0/2
Address family ipv4
Create date : 2009/11/04 17:47:21
Up time : 0 days, 01 hours, 58 minutes and 12 seconds
Route Distinguisher : 11:11
Export VPN Targets : 22:22
Import VPN Targets : 22:22
Label Policy : label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe
Tunnel Policy : policy2
Maximum Routes Limit : 100

Run the display ip routing-table vpn-instance vpn-instance-name [ ip-address ] verbose
command, and you can view the tunnel used by VPN routing. For example:
<HUAWEI> display ip routing-table vpn-instance vpna 5.5.5.5 verbose
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpna
Summary Count : 1

Destination: 5.5.5.5/32
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 2.2.2.2 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 01h09m09s
Tag: 0 Priority: low
Label: 0x13 QoSInfo: 0x0
IndirectID: 0xb9
RelayNextHop: 0.0.0.0 Interface: Tunnel2
TunnelID: 0x000000000300000002 Flags: RD
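
The check described in this section can be automated: parse the route's tunnel entries and confirm that a VPN meant to be bound to one TE tunnel is not also forwarded over a shared tunnel. This is an added example, not part of the guide or a Huawei tool; the function names are hypothetical, and the sample text is the example output printed in sections 1.4.3 and 1.5.3 of this guide, with whitespace as extracted.

```python
import re

# Example output from this guide (display tunnel-info all).
TUNNEL_INFO = """\
Tunnel ID Type Destination Status
-----------------------------------------------------------------------------
0x0000000001004c4b81 ldp 2.2.2.9 UP
0x000000000300000001 te 2.2.2.9 UP
0x000000000300000002 te 2.2.2.9 UP
"""

# Example output from this guide: vpna, bound to Tunnel2 (section 1.5.3).
ROUTE_VPNA = """\
Destination: 5.5.5.5/32
Protocol: BGP Process ID: 0
NextHop: 2.2.2.2 Neighbour: 0.0.0.0
RelayNextHop: 0.0.0.0 Interface: Tunnel2
TunnelID: 0x000000000300000002 Flags: RD
"""

# Example output from this guide: vpnb, load balanced by select-seq (section 1.4.3).
ROUTE_VPNB = """\
Destination: 6.6.6.6/32
Protocol: BGP Process ID: 0
NextHop: 2.2.2.2 Neighbour: 0.0.0.0
RelayNextHop: 0.0.0.0 Interface: Tunnel1
TunnelID: 0x000000000300000001 Flags: RD
RelayNextHop: 0.0.0.0 Interface: LDP LSP
TunnelID: 0x0000000001004c4b81 Flags: RD
"""


def parse_tunnel_info(text):
    """Map tunnel ID -> type, destination and status from 'display tunnel-info all'."""
    tunnels = {}
    for line in text.splitlines():
        m = re.match(r"\s*(0x[0-9a-fA-F]+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$", line)
        if m:
            tid, kind, dest, status = m.groups()
            tunnels[tid.lower()] = {"type": kind, "destination": dest, "status": status}
    return tunnels


def parse_route_tunnels(text):
    """Return (interface, tunnel ID) pairs from a verbose VPN routing-table entry."""
    pairs, iface = [], None
    for line in text.splitlines():
        m = re.search(r"Interface:\s*(.+?)\s*$", line)
        if m:
            iface = m.group(1)  # may contain a space, e.g. "LDP LSP"
            continue
        m = re.search(r"TunnelID:\s*(0x[0-9a-fA-F]+)", line)
        if m:
            pairs.append((iface, m.group(1).lower()))
            iface = None
    return pairs


def check_exclusive_binding(route_text, tunnel_info_text, bound_interface):
    """List every way the route deviates from 'only the bound TE tunnel, and it is Up'."""
    tunnels = parse_tunnel_info(tunnel_info_text)
    used = parse_route_tunnels(route_text)
    findings = []
    if not used:
        findings.append("route has no tunnel entry")
    for iface, tid in used:
        if iface != bound_interface:
            findings.append(f"{iface} ({tid}) carries the route but is not {bound_interface}")
        info = tunnels.get(tid)
        if info is None:
            findings.append(f"{tid} is not listed by display tunnel-info all")
        elif info["type"] != "te" or info["status"] != "UP":
            findings.append(f"{tid} is {info['type']}/{info['status']}, expected te/UP")
    return findings


if __name__ == "__main__":
    for name, route in (("vpna", ROUTE_VPNA), ("vpnb", ROUTE_VPNB)):
        print(name, check_exclusive_binding(route, TUNNEL_INFO, "Tunnel2") or "OK")
```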

1.6 Maintaining a VPN Tunnel


Maintaining a VPN tunnel involves monitoring the running status of the VPN tunnel and
debugging the VPN tunnel.

1.6.1 Monitoring the Running Status of a Tunnel


To find out whether a VPN tunnel is set up and how the tunnel is configured, you can monitor
the running status of the VPN tunnel.

Context
In routine maintenance, you can run the following commands in any view to check the running
status of tunnels.

Procedure
• Run the display interface tunnel interface-number command to check information about
  a tunnel interface.
• Run the display tunnel-info all command to view tunnel information.
• Run the display tunnel-info tunnel-id command to check details about a tunnel.
• Run the display tunnel-policy policy-name command to view the configuration about the
  specified tunnel policy.
• Run the display ip vpn-instance verbose [ vpn-instance-name ] command to view the
  tunnel policy applied to the specified VPN instance.
• Run the display ip routing-table vpn-instance vpn-instance-name [ ip-address ] verbose
  command or the display ipv6 routing-table vpn-instance vpn-instance-name [ ipv6-address ]
  verbose command to view the tunnel used by VPN routing.

----End

1.7 Configuration Examples


This section provides examples for applying a tunnel policy to an L3VPN.

1.7.1 Example for Configuring a Tunnel Policy for an L3VPN


To fully use tunnel resources, you can apply different tunnel policies to load balance the traffic
of different VPNs among different tunnels.


Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. In a cluster, an interface is numbered in the format of chassis ID/slot number/
card number/interface number. This requires the chassis ID to be specified along with the slot
number.

Figure 1-4 shows an MPLS L3VPN. CE1 and CE3 belong to vpna; CE2 and CE4 belong to
vpnb. Two MPLS TE tunnels and one LSP are set up between PE1 and PE2. One of the TE
tunnels is 5 Mbit/s, and the other is 10 Mbit/s. CEs in vpna require 10 Mbit/s bandwidth for
communication. Therefore, you need to bind the eligible tunnel to vpna to ensure bandwidth of
vpna. To make full use of tunnel resources, vpnb uses load balancing for tunnels and prefers the
TE tunnel.

Figure 1-4 Networking diagram for configuring a tunnel policy for an L3VPN
[Networking diagram. Devices, interfaces, and addresses shown in the figure:]
Device  VPN   Loopback1    Interface  IP address
CE1     vpna  3.3.3.3/32   POS1/0/0   10.1.1.1/30
CE2     vpnb  4.4.4.4/32   POS1/0/0   10.2.1.1/30
PE1     -     1.1.1.1/32   POS1/0/0   100.1.1.1/30
                           POS2/0/0   10.1.1.2/30
                           POS2/0/1   10.2.1.2/30
PE2     -     2.2.2.2/32   POS1/0/0   100.1.1.2/30
                           POS2/0/0   10.3.1.2/30
                           POS2/0/1   10.4.1.2/30
CE3     vpna  5.5.5.5/32   POS1/0/0   10.3.1.1/30
CE4     vpnb  6.6.6.6/32   POS1/0/0   10.4.1.1/30
Between PE1 and PE2: MPLS TE tunnel 1, MPLS TE tunnel 2 (binding), and an LSP.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a routing protocol to ensure that PEs can communicate.
2. Configure basic MPLS functions on the router in the backbone network and set up an LSP
and two MPLS TE tunnels between PEs.
3. Configure VPN instances on PEs and connect CEs to PEs.


4. Configure tunnel policies and apply the policies to different VPN instances.
5. Configure the Multi-protocol Extensions for Interior Border Gateway Protocol (MP-IBGP)
on PEs to exchange VPN routing information.

Data Preparation
To complete the configuration, you need the following data.
• MPLS LSR IDs of PEs
• Names of VPN instances, RDs, and VPN targets
• Names of two tunnel policies

Procedure
Step 1 Configure an IGP on the MPLS backbone network so that PEs can communicate.
# Configure PE1.
<HUAWEI> system-view
[~HUAWEI] sysname PE1
[~HUAWEI] commit
[~PE1] interface loopback 1
[~PE1-LoopBack1] ip address 1.1.1.1 32
[~PE1-LoopBack1] quit
[~PE1] interface pos1/0/0
[~PE1-Pos1/0/0] ip address 100.1.1.1 30
[~PE1-Pos1/0/0] undo shutdown
[~PE1-Pos1/0/0] quit
[~PE1] ospf 1
[~PE1-ospf-1] area 0
[~PE1-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.3
[~PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[~PE1-ospf-1-area-0.0.0.0] quit
[~PE1-ospf-1] quit
[~PE1] commit

# Configure PE2.
<HUAWEI> system-view
[~HUAWEI] sysname PE2
[~HUAWEI] commit
[~PE2] interface loopback 1
[~PE2-LoopBack1] ip address 2.2.2.2 32
[~PE2-LoopBack1] quit
[~PE2] interface pos 1/0/0
[~PE2-Pos1/0/0] ip address 100.1.1.2 30
[~PE2-Pos1/0/0] undo shutdown
[~PE2-Pos1/0/0] quit
[~PE2] ospf 1
[~PE2-ospf-1] area 0
[~PE2-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.3
[~PE2-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[~PE2-ospf-1-area-0.0.0.0] commit
[~PE2-ospf-1-area-0.0.0.0] quit
[~PE2-ospf-1] quit

# After the configuration, run the display ip routing-table command on PEs, and you can view
that PEs learn the routes to the Loopback1 interfaces from each other.
# Take the display on PE1 as an example.
[~PE1] display ip routing-table
Route Flags: R - relay, D - download to forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 6 Routes : 6
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.1/32 Direct 0 0 D 127.0.0.1 LoopBack1
2.2.2.2/32 OSPF 10 1 D 100.1.1.2 Pos1/0/0
100.1.1.0/30 Direct 0 0 D 172.1.1.1 Pos1/0/0
100.1.1.2/32 Direct 0 0 D 172.1.1.2 Pos1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Step 2 Configure basic MPLS capability on the MPLS backbone network and set up the Label
Distribution Protocol (LDP) LSP between PEs.

# Configure PE1.
[~PE1] mpls lsr-id 1.1.1.1
[~PE1] mpls
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] quit
[~PE1] interface pos 1/0/0
[~PE1-Pos1/0/0] mpls
[~PE1-Pos1/0/0] mpls ldp
[~PE1-Pos1/0/0] commit
[~PE1-Pos1/0/0] quit

# Configure PE2.
[~PE2] mpls lsr-id 2.2.2.2
[~PE2] mpls
[~PE2-mpls] quit
[~PE2] mpls ldp
[~PE2-mpls-ldp] quit
[~PE2] interface pos 1/0/0
[~PE2-Pos1/0/0] mpls
[~PE2-Pos1/0/0] mpls ldp
[~PE2-Pos1/0/0] commit
[~PE2-Pos1/0/0] quit

After the configuration, run the display tunnel-info all command, and you can find that the
LSPs between PE1 and PE2 are set up. Run the display mpls ldp lsp command, and you can view
information about the LSPs.

# Take PE1 as an example.
[~PE1] display tunnel-info all
Tunnel ID Type Destination Status
-----------------------------------------------------------------------------
0x0000000001004c4b81 ldp 2.2.2.2 UP
<PE1> display mpls ldp lsp
LDP LSP Information
-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
*1.1.1.1/32 Liberal/16 DS/2.2.2.2
1.1.1.1/32 3/NULL 2.2.2.2 127.0.0.1 Loop1
2.2.2.2/32 NULL/3 - 100.1.1.2 Pos1/0/0
2.2.2.2/32 16/3 2.2.2.2 100.1.1.2 Pos1/0/0
-------------------------------------------------------------------------------
TOTAL: 3 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is in GR state
A '*' before a NextHop means the LSP is FRR LSP

Step 3 Set up MPLS TE tunnels between PEs.


# Configure the maximum link bandwidth and reservable bandwidth for the TE tunnels.
# Configure PE1.
[~PE1] mpls
[~PE1-mpls] mpls te
[~PE1-mpls] mpls rsvp-te
[~PE1-mpls] mpls te cspf
[~PE1-mpls] quit
[~PE1] interface pos1/0/0
[~PE1-Pos1/0/0] mpls te
[~PE1-Pos1/0/0] mpls rsvp-te
[~PE1-Pos1/0/0] mpls te bandwidth max-reservable-bandwidth 20000
[~PE1-Pos1/0/0] mpls te bandwidth bc0 15000
[~PE1-Pos1/0/0] commit
[~PE1-Pos1/0/0] quit

# Configure PE2.
[~PE2] mpls
[~PE2-mpls] mpls te
[~PE2-mpls] mpls rsvp-te
[~PE2-mpls] mpls te cspf
[~PE2-mpls] quit
[~PE2] interface pos1/0/0
[~PE2-Pos1/0/0] mpls te
[~PE2-Pos1/0/0] mpls rsvp-te
[~PE2-Pos1/0/0] mpls te bandwidth max-reservable-bandwidth 20000
[~PE2-Pos1/0/0] mpls te bandwidth bc0 15000
[~PE2-Pos1/0/0] commit
[~PE2-Pos1/0/0] quit

# Enable OSPF on the devices along the TE tunnels to transmit the TE attributes.
# Configure PE1.
[~PE1] ospf 1
[~PE1-ospf-1] opaque-capability enable
[~PE1-ospf-1] area 0
[~PE1-ospf-1-area-0.0.0.0] mpls-te enable
[~PE1-ospf-1-area-0.0.0.0] commit
[~PE1-ospf-1-area-0.0.0.0] quit
[~PE1-ospf-1] quit

# Configure PE2.
[~PE2] ospf 1
[~PE2-ospf-1] opaque-capability enable
[~PE2-ospf-1] area 0
[~PE2-ospf-1-area-0.0.0.0] mpls-te enable
[~PE2-ospf-1-area-0.0.0.0] commit
[~PE2-ospf-1-area-0.0.0.0] quit
[~PE2-ospf-1] quit

# Set up a 5 Mbit/s MPLS TE tunnel.
# Configure PE1.
[~PE1] interface tunnel 1
[~PE1-Tunnel1] ip address unnumbered interface loopback1
[~PE1-Tunnel1] tunnel-protocol mpls te
[~PE1-Tunnel1] destination 2.2.2.2
[~PE1-Tunnel1] mpls te bandwidth ct0 5000
[~PE1-Tunnel1] commit
[~PE1-Tunnel1] quit

# Configure PE2.
[~PE2] interface tunnel 1
[~PE2-Tunnel1] ip address unnumbered interface loopback1
[~PE2-Tunnel1] tunnel-protocol mpls te
[~PE2-Tunnel1] destination 1.1.1.1
[~PE2-Tunnel1] mpls te bandwidth ct0 5000
[~PE2-Tunnel1] commit
[~PE2-Tunnel1] quit

# Set up a 10 Mbit/s MPLS TE tunnel and bind the tunnel to a VPN instance.
# Configure PE1.
[~PE1] interface tunnel 2
[~PE1-Tunnel2] ip address unnumbered interface loopback1
[~PE1-Tunnel2] tunnel-protocol mpls te
[~PE1-Tunnel2] destination 2.2.2.2
[~PE1-Tunnel2] mpls te bandwidth ct0 10000
[~PE1-Tunnel2] mpls te reserved-for-binding
[~PE1-Tunnel2] commit
[~PE1-Tunnel2] quit

# Configure PE2.
[~PE2] interface tunnel 2
[~PE2-Tunnel2] ip address unnumbered interface loopback1
[~PE2-Tunnel2] tunnel-protocol mpls te
[~PE2-Tunnel2] destination 1.1.1.1
[~PE2-Tunnel2] mpls te bandwidth ct0 10000
[~PE2-Tunnel2] mpls te reserved-for-binding
[~PE2-Tunnel2] commit
[~PE2-Tunnel2] quit

# After the configuration, run the display tunnel-info all command on the PEs to verify that
the Tunnel1 and Tunnel2 interfaces are both Up. The following uses the display on PE1 as an example.
<PE1> display tunnel-info all
Tunnel ID              Type   Destination   Status
-----------------------------------------------------------------------------
0x0000000001004c4b81   ldp    2.2.2.2       UP
0x000000000300000001   te     2.2.2.2       UP
0x000000000300000002   te     2.2.2.2       UP

Step 4 Configure VPN instances on PEs and configure CEs to access PEs.
# Configure PE1.
[~PE1] ip vpn-instance vpna
[~PE1-vpn-instance-vpna] ipv4-family
[~PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[~PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] ip vpn-instance vpnb
[~PE1-vpn-instance-vpnb] ipv4-family
[~PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[~PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[~PE1-vpn-instance-vpnb-af-ipv4] quit
[~PE1-vpn-instance-vpnb] quit
[~PE1] interface pos2/0/0
[~PE1-Pos2/0/0] ip binding vpn-instance vpna
[~PE1-Pos2/0/0] ip address 10.1.1.2 30
[~PE1-Pos2/0/0] undo shutdown
[~PE1-Pos2/0/0] quit
[~PE1] interface pos 2/0/1
[~PE1-Pos2/0/1] ip binding vpn-instance vpnb
[~PE1-Pos2/0/1] ip address 10.2.1.2 30
[~PE1-Pos2/0/1] undo shutdown
[~PE1-Pos2/0/1] commit
[~PE1-Pos2/0/1] quit

# Configure PE2.
[~PE2] ip vpn-instance vpna
[~PE2-vpn-instance-vpna] ipv4-family
[~PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 100:3
[~PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE2-vpn-instance-vpna-af-ipv4] quit
[~PE2-vpn-instance-vpna] quit
[~PE2] ip vpn-instance vpnb
[~PE2-vpn-instance-vpnb] ipv4-family
[~PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:4
[~PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[~PE2-vpn-instance-vpnb-af-ipv4] quit
[~PE2-vpn-instance-vpnb] quit
[~PE2] interface pos 2/0/0
[~PE2-Pos2/0/0] ip binding vpn-instance vpna
[~PE2-Pos2/0/0] ip address 10.3.1.2 30
[~PE2-Pos2/0/0] undo shutdown
[~PE2-Pos2/0/0] quit
[~PE2] interface pos 2/0/1
[~PE2-Pos2/0/1] ip binding vpn-instance vpnb
[~PE2-Pos2/0/1] ip address 10.4.1.2 30
[~PE2-Pos2/0/1] undo shutdown
[~PE2-Pos2/0/1] commit
[~PE2-Pos2/0/1] quit

# Assign an IP address to each interface on CEs according to Figure 1-4. The detailed
configuration procedure is not mentioned here.
# After the configuration, run the display ip vpn-instance verbose command on PEs to view
the configurations of VPN instances.

NOTE

If a PE has multiple interfaces bound to the same VPN, you must specify the source IP address when you
ping the CE that is attached to the peer PE; that is, specify -a source-ip-address in the
ping -a source-ip-address -vpn-instance vpn-instance-name destination-address command.
Otherwise, the ping fails.

Step 5 Create tunnel policies on PEs and apply the tunnel policies.
# Configure a tunnel binding policy and apply the policy to vpna.
# Configure PE1.
[~PE1] tunnel-policy policy1
[~PE1-tunnel-policy-policy1] tunnel binding destination 2.2.2.2 te tunnel 2
[~PE1-tunnel-policy-policy1] quit
[~PE1] ip vpn-instance vpna
[~PE1-vpn-instance-vpna] ipv4-family
[~PE1-vpn-instance-vpna-af-ipv4] tnl-policy policy1
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] commit

# Configure PE2.
[~PE2] tunnel-policy policy1
[~PE2-tunnel-policy-policy1] tunnel binding destination 1.1.1.1 te tunnel 2
[~PE2-tunnel-policy-policy1] quit
[~PE2] ip vpn-instance vpna
[~PE2-vpn-instance-vpna] ipv4-family
[~PE2-vpn-instance-vpna-af-ipv4] tnl-policy policy1
[~PE2-vpn-instance-vpna-af-ipv4] quit
[~PE2-vpn-instance-vpna] quit
[~PE2] commit

# Configure a tunnel type prioritizing policy and apply the policy to vpnb.
# Configure PE1.
[~PE1] tunnel-policy policy2
[~PE1-tunnel-policy-policy2] tunnel select-seq cr-lsp lsp load-balance-number 2
[~PE1-tunnel-policy-policy2] quit
[~PE1] ip vpn-instance vpnb
[~PE1-vpn-instance-vpnb] ipv4-family
[~PE1-vpn-instance-vpnb-af-ipv4] tnl-policy policy2
[~PE1-vpn-instance-vpnb-af-ipv4] quit
[~PE1-vpn-instance-vpnb] quit
[~PE1] commit

# Configure PE2.
[~PE2] tunnel-policy policy2
[~PE2-tunnel-policy-policy2] tunnel select-seq cr-lsp lsp load-balance-number 2
[~PE2-tunnel-policy-policy2] quit
[~PE2] ip vpn-instance vpnb
[~PE2-vpn-instance-vpnb] ipv4-family
[~PE2-vpn-instance-vpnb-af-ipv4] tnl-policy policy2
[~PE2-vpn-instance-vpnb-af-ipv4] quit
[~PE2-vpn-instance-vpnb] quit
[~PE2] commit

Step 6 Set up an MP-IBGP peer relationship between PEs.


# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] peer 2.2.2.2 as-number 100
[~PE1-bgp] peer 2.2.2.2 connect-interface loopback 1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 2.2.2.2 enable
[~PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit

# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] peer 1.1.1.1 as-number 100
[~PE2-bgp] peer 1.1.1.1 connect-interface loopback 1
[~PE2-bgp] ipv4-family vpnv4
[~PE2-bgp-af-vpnv4] peer 1.1.1.1 enable
[~PE2-bgp-af-vpnv4] commit
[~PE2-bgp-af-vpnv4] quit

# After the configuration, run the display bgp peer or display bgp vpnv4 all peer command
on the PEs to verify that the BGP peer relationship between the PEs has been set up and is in
the Established state.
Step 7 Set up EBGP peer relationships between PEs and CEs.
# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpna
[~PE1-bgp-af-vpna] peer 10.1.1.1 as-number 65410
[~PE1-bgp-af-vpna] quit
[~PE1-bgp] ipv4-family vpn-instance vpnb
[~PE1-bgp-af-vpnb] peer 10.2.1.1 as-number 65410
[~PE1-bgp-af-vpnb] commit
[~PE1-bgp-af-vpnb] quit
[~PE1-bgp] quit

# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] commit
[CE1-bgp] quit

# Configure CE2.
[CE2] bgp 65410
[CE2-bgp] peer 10.2.1.2 as-number 100
[CE2-bgp] import-route direct
[CE2-bgp] commit
[CE2-bgp] quit

# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] ipv4-family vpn-instance vpna
[~PE2-bgp-af-vpna] peer 10.3.1.1 as-number 65420
[~PE2-bgp-af-vpna] quit
[~PE2-bgp] ipv4-family vpn-instance vpnb
[~PE2-bgp-af-vpnb] peer 10.4.1.1 as-number 65420
[~PE2-bgp-af-vpnb] commit
[~PE2-bgp-af-vpnb] quit
[~PE2-bgp] quit

# Configure CE3.
[CE3] bgp 65420
[CE3-bgp] peer 10.3.1.2 as-number 100
[CE3-bgp] import-route direct
[CE3-bgp] commit
[CE3-bgp] quit

# Configure CE4.
[CE4] bgp 65420
[CE4-bgp] peer 10.4.1.2 as-number 100
[CE4-bgp] import-route direct
[CE4-bgp] commit
[CE4-bgp] quit

Step 8 Verify the configuration.


# Run the display bgp routing-table command on CEs, and you can view the routes to remote
CEs.
# Take the display on CE1 as an example.
<CE1> display bgp routing-table

 BGP Local router ID is 3.3.3.3
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete

 Total Number of Routes: 5
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn

 *>   3.3.3.3/32         0.0.0.0         0                     0      ?
 *>   5.5.5.5/32         10.1.1.2                              0      100 65420?
 *>   10.1.1.0/30        0.0.0.0         0                     0      ?
 *>   10.1.1.2/32        0.0.0.0         0                     0      ?
 *>   10.3.1.0/30        10.1.1.2                              0      100 65420?

# Run the display ip routing-table vpn-instance verbose command on PEs, and you can view
the tunnel used by VPN routing.
# Take the display on PE1 as an example.
[~PE1] display ip routing-table vpn-instance vpna 5.5.5.5 verbose
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpna
Summary Count : 1

Destination: 5.5.5.5/32
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 2.2.2.2 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h00m08s
Tag: 0 Priority: low
Label: 0x13 QoSInfo: 0x0
IndirectID: 0xb9
RelayNextHop: 0.0.0.0 Interface: Tunnel2
TunnelID: 0x000000000300000002 Flags: RD
[~PE1] display ip routing-table vpn-instance vpnb 6.6.6.6 verbose
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpnb
Summary Count : 1

Destination: 6.6.6.6/32
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 2.2.2.2 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h04m37s
Tag: 0 Priority: low
Label: 0x15 QoSInfo: 0x0
IndirectID: 0xb8
RelayNextHop: 0.0.0.0 Interface: Tunnel1
TunnelID: 0x000000000300000001 Flags: RD
RelayNextHop: 0.0.0.0 Interface: LDP LSP
TunnelID: 0x0000000001004c4b81 Flags: RD

# CEs in the same VPN can ping each other, whereas CEs in different VPNs cannot.

----End
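
The check below is an added example, not part of the Huawei guide: it reads the tunnel policies from the PE1 configuration file of this example and confirms that the routes in the Step 8 output resolve only over the tunnels those policies allow. The function names are hypothetical, and treating a reserved-for-binding tunnel as unavailable to a select-seq policy is an assumption taken from the vpnb result shown above.

```python
import re

# Abridged from the PE1 configuration file of this example: only the lines
# that decide tunnel selection are kept.
TUNNEL_CFG = """
ip vpn-instance vpna
 ipv4-family
  tnl-policy policy1
#
ip vpn-instance vpnb
 ipv4-family
  tnl-policy policy2
#
interface Tunnel1
#
interface Tunnel2
 mpls te reserved-for-binding
#
tunnel-policy policy1
 tunnel binding destination 2.2.2.2 te Tunnel2
#
tunnel-policy policy2
 tunnel select-seq cr-lsp lsp load-balance-number 2
#
"""

# Abridged from the two "display ip routing-table vpn-instance ... verbose"
# outputs shown for PE1 in Step 8.
PE1_OUTPUT = """
Routing Table : vpna
Destination: 5.5.5.5/32
RelayNextHop: 0.0.0.0 Interface: Tunnel2
TunnelID: 0x000000000300000002 Flags: RD
Routing Table : vpnb
Destination: 6.6.6.6/32
RelayNextHop: 0.0.0.0 Interface: Tunnel1
TunnelID: 0x000000000300000001 Flags: RD
RelayNextHop: 0.0.0.0 Interface: LDP LSP
TunnelID: 0x0000000001004c4b81 Flags: RD
"""


def parse_config(cfg):
    """Return (vpn -> policy name, policy name -> rule, reserved interfaces)."""
    vpn_policy, policies, reserved, kind, name = {}, {}, set(), None, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        words = line.split()
        if not words or line == "#":
            kind = None  # '#' ends the current stanza
        elif words[:2] == ["ip", "vpn-instance"]:
            kind, name = "vpn", words[2]
        elif words[0] in ("interface", "tunnel-policy"):
            kind, name = words[0], words[1]
        elif kind == "vpn" and words[0] == "tnl-policy":
            vpn_policy[name] = words[1]
        elif kind == "interface" and line == "mpls te reserved-for-binding":
            reserved.add(name)
        elif kind == "tunnel-policy" and words[:2] == ["tunnel", "binding"]:
            policies[name] = {"bound": set(words[words.index("te") + 1:])}
        elif kind == "tunnel-policy" and words[:2] == ["tunnel", "select-seq"]:
            limit = words[words.index("load-balance-number") + 1]
            policies[name] = {"max": int(limit)}
    return vpn_policy, policies, reserved


def parse_routes(output):
    """Return one record per Destination with the interfaces it resolves over."""
    routes, vpn = [], None
    for line in output.splitlines():
        if match := re.match(r"\s*Routing Table\s*:\s*(\S+)", line):
            vpn = match.group(1)
        elif match := re.match(r"\s*Destination:\s*(\S+)", line):
            routes.append({"vpn": vpn, "dest": match.group(1), "interfaces": set()})
        elif routes and (match := re.search(r"\bInterface:\s*(.+?)\s*$", line)):
            routes[-1]["interfaces"].add(match.group(1))
    return routes


def check(cfg, output):
    """Compare the tunnels each VPN route uses with what its policy allows."""
    vpn_policy, policies, reserved = parse_config(cfg)
    findings = []
    for route in parse_routes(output):
        rule = policies.get(vpn_policy.get(route["vpn"]), {})
        used, where = route["interfaces"], (route["vpn"], route["dest"])
        if "bound" in rule:
            if used != rule["bound"]:
                findings.append((*where, "not on its bound tunnel"))
            continue
        # Assumption: a tunnel marked reserved-for-binding serves binding
        # policies only, which matches the vpnb result shown in Step 8.
        if used & reserved:
            findings.append((*where, "uses a tunnel reserved for binding"))
        if "max" in rule and len(used) > rule["max"]:
            findings.append((*where, "exceeds load-balance-number"))
    return findings


if __name__ == "__main__":
    print(check(TUNNEL_CFG, PE1_OUTPUT) or "tunnel usage matches the policies")
```

An empty result means vpna rides only its bound Tunnel2 and vpnb stays off it; any tuple returned names the VPN, the destination and the rule that was broken.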

Configuration Files
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
tnl-policy policy1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
tnl-policy policy2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.1
#
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.1.1.1 255.255.255.252
mpls
mpls te
mpls te bandwidth max-reservable-bandwidth 20000
mpls te bandwidth bc0 15000
mpls rsvp-te
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.252
#
interface Pos2/0/1
undo shutdown
link-protocol ppp
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.252
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
interface Tunnel1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 2.2.2.2
mpls te bandwidth ct0 5000
#
interface Tunnel2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 2.2.2.2
mpls te bandwidth ct0 10000
mpls te reserved-for-binding
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
#
ipv4-family vpn-instance vpnb
peer 10.2.1.1 as-number 65410
#
ospf 1
opaque-capability enable
area 0.0.0.0
mpls-te enable
network 100.1.1.0 0.0.0.3
network 1.1.1.1 0.0.0.0
#
tunnel-policy policy1
tunnel binding destination 2.2.2.2 te Tunnel2
#
tunnel-policy policy2
tunnel select-seq cr-lsp lsp load-balance-number 2
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:3
tnl-policy policy1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:4
tnl-policy policy2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 2.2.2.2
#
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.1.1.2 255.255.255.252
mpls
mpls te
mpls te bandwidth max-reservable-bandwidth 20000
mpls te bandwidth bc0 15000
mpls rsvp-te
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.252
#
interface Pos2/0/1
undo shutdown
link-protocol ppp
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.252
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
interface Tunnel1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 1.1.1.1
mpls te bandwidth ct0 5000
#
interface Tunnel2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 1.1.1.1
mpls te bandwidth ct0 10000
mpls te reserved-for-binding
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpna
peer 10.3.1.1 as-number 65420
#
ipv4-family vpn-instance vpnb
peer 10.4.1.1 as-number 65420
#
ospf 1
opaque-capability enable
area 0.0.0.0
mpls-te enable
network 100.1.1.0 0.0.0.3
network 2.2.2.2 0.0.0.0
#
tunnel-policy policy1
tunnel binding destination 1.1.1.1 te Tunnel2
#
tunnel-policy policy2
tunnel select-seq cr-lsp lsp load-balance-number 2
#
return

• Configuration file of CE1
#
sysname CE1
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.1 255.255.255.252
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return

• Configuration file of CE2
#
sysname CE2
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.2.1.1 255.255.255.252
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
#
bgp 65410
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return

• Configuration file of CE3
#
sysname CE3
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.3.1.1 255.255.255.252
#
interface LoopBack1
ip address 5.5.5.5 255.255.255.255
#
bgp 65420
peer 10.3.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.3.1.2 enable
#
return

• Configuration file of CE4
#
sysname CE4
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.4.1.1 255.255.255.252
#
interface LoopBack1
ip address 6.6.6.6 255.255.255.255
#
bgp 65420
peer 10.4.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.4.1.2 enable
#
return

Related Tasks
1.5 Configuring a Tunnel Binding Policy for an L3VPN

2 BGP/MPLS IP VPN Configuration

About This Chapter

This chapter first introduces VPN concepts, common VPN networking modes, and VPN reliability
features, and then describes the BGP/MPLS IP VPN configurations.

2.1 BGP/MPLS IP VPN Overview
This section describes the protocols and networking involved in BGP/MPLS IP VPN, and the
concepts and functions of the PE, P, and CE devices.
2.2 BGP/MPLS IP VPN Features Supported by the NE5000E
This section mainly describes the typical networking and application of BGP/MPLS IP VPN
and the reliability mechanisms used by BGP/MPLS IP VPN.
2.3 Configuring a VPN Instance Enabled with the IPv4 Address Family
Configuring VPN instances is required in all BGP/MPLS IP VPN solutions.
2.4 Configuring Basic BGP/MPLS IP VPN
The basic BGP/MPLS IP VPN contains only one SP network, and the MPLS backbone network does
not span multiple ASs. In addition, the role of each PE, P, or CE is unique; that is, a router cannot
function as both a PE and a CE.
2.5 Configuring Route Reflection to Optimize the VPN Backbone Layer
Using a Route Reflector (RR) can reduce the number of MP-IBGP connections between PEs.
This not only reduces the burden on PEs but also facilitates network maintenance and
management.
2.6 Configuring Hub and Spoke
In the Hub and Spoke networking, an access control device is specified in the VPN, and users
communicate with each other through the access control device.
2.7 Configuring a Tunnel Policy for the Backbone Network of a BGP/MPLS IP VPN
A tunnel policy applied to a VPN can specify the type of tunnel selected for the VPN and enable
load balancing among tunnels.
2.8 Configuring Inter-AS VPN Option A
If the number of VPNs that a PE accesses and the number of VPN routes are small, inter-AS
VPN Option A can be adopted.
2.9 Configuring Inter-AS VPN Option B (Basic Networking)
In the scenario where the backbone network spans two ASs, ASBRs need to advertise VPNv4
routes through MP-EBGP.
2.10 Configuring Inter-AS VPN Option B (ASBR Also Functioning as a PE)
In the scenario where the backbone network spans two ASs, ASBRs need to advertise VPNv4
routes through MP-EBGP and ASBRs also need to function as PEs.
2.11 Configuring Inter-AS VPN Option B (ASBR Also Functioning as an RR)
In the scenario where the backbone network spans two ASs, ASBRs need to advertise VPNv4
routes through MP-EBGP. When multiple PEs exist in the ASs, you can configure an ASBR as
an RR to lower configuration complexities.
2.12 Configuring Inter-AS VPN Option B (Spanning More Than Two ASs)
In the scenario where the backbone network spans more than two ASs, ASBRs need to advertise
VPNv4 routes through MP-EBGP.
2.13 Configuring the Multi-VPN-Instance CE
By using OSPF multi-instance on CEs, you can implement service isolation on the LAN.
2.14 Configuring VPN FRR
In the networking of CE dual-homing, you can configure VPN FRR to ensure VPN service
switchover to a secondary link when the primary link between PEs fails.
2.15 Configuring FRR for IP Routes on a Private Network
This section describes how to configure FRR for IP routes on a private network in the networking
where multiple CEs at a VPN site access the same PE. This feature can quickly switch traffic to
a link connected to another CE if the primary route from a PE to a CE becomes unreachable.
2.16 Configuring Hybrid FRR for IP and VPNv4 Routes
This section describes how to configure hybrid FRR in the networking where a CE is dual-homed
to two PEs. If the next hop from a PE to a CE is unreachable, hybrid FRR can send traffic to
another PE over a tunnel, and the traffic will be routed to the CE by using IP forwarding on the
private network. This improves network reliability.
2.17 Maintaining BGP/MPLS IP VPN
Maintaining BGP/MPLS IP VPN involves checking L3VPN traffic, monitoring network
connectivity, resetting BGP connections, and debugging BGP/MPLS IP VPN information.
2.18 Configuration Examples
This section provides several configuration examples of VPN networking. In each configuration
example, the networking requirements, configuration notes, configuration roadmap,
configuration procedures, and configuration files are provided.

2.1 BGP/MPLS IP VPN Overview


This section describes the protocols and networking involved in BGP/MPLS IP VPN, and the
concepts and functions of the PE, P, and CE devices.

BGP/MPLS IP VPN is a Provider Edge (PE)-based L3VPN technology in the Provider
Provisioned VPN (PPVPN) solutions. It uses the Border Gateway Protocol (BGP) to advertise
VPN routes and Multi-Protocol Label Switching (MPLS) to forward VPN packets on a
provider's backbone network. "IP" here refers to the IP packets borne by VPNs.

Figure 2-1 Networking diagram of BGP/MPLS IP VPN
[Figure: sites of VPN 1 and VPN 2 connect through CEs to PEs at the edge of the service
provider's backbone, whose core consists of P devices.]

BGP/MPLS IP VPN features flexible networking modes, excellent extensibility and convenient
support for Quality of Service (QoS) and MPLS Traffic Engineering (MPLS TE) features. It is
now widely used.

In BGP/MPLS IP VPN, three types of devices are involved:

• Customer Edge (CE): It is an edge device on the user network. A CE is directly connected
to a Service Provider (SP) network. CEs can be routers, switches, or hosts. Usually, CEs
cannot sense the existence of VPNs and need not support MPLS.
• Provider Edge (PE): It is an edge device on an SP network. A PE is directly connected to
a CE. On the MPLS network, PEs are responsible for processing all VPN services.
• Provider (P): It is a backbone device on the SP network. A P is not directly connected to a
CE. Ps only need to possess basic MPLS forwarding capabilities and do not need to maintain
information about VPNs.

2.2 BGP/MPLS IP VPN Features Supported by the NE5000E


This section mainly describes the typical networking and application of BGP/MPLS IP VPN
and the reliability mechanisms used by BGP/MPLS IP VPN.

Typical Networking and Application


The NE5000E supports the following typical BGP/MPLS IP VPN networkings:
• Intranet
All users in a VPN form a Closed User Group (CUG) and the users can forward data to
each other. Users in a VPN cannot communicate with users outside the VPN. As shown in
Figure 2-2, Site 1 in VPN1 can communicate with only Site4 and cannot communicate
with Sites 2 and 3.

Figure 2-2 Schematic diagram of an intranet
[Figure: Site1 and Site4 belong to VPN1 (Import: 100:1, Export: 100:1); Site2 and Site3
belong to VPN2 (Import: 200:1, Export: 200:1). Each site's CE attaches to a PE, and the
two PEs are connected across the backbone through a P device.]

• Extranet
A user in a VPN can communicate with sites in another VPN. As shown in Figure 2-3,
Sites 1 and 2 can both communicate with Site3, and Site3 can communicate with both
Sites 1 and 2. Site1 and Site2, however, cannot communicate with each other.

Figure 2-3 Schematic diagram of an extranet
[Figure: Site1 (VPN1; Import: 100:1, Export: 100:1) attaches to PE1; Site2 (VPN2;
Import: 200:1, Export: 200:1) attaches to PE2; Site3 (VPN1; Import: 100:1, 200:1,
Export: 100:1, 200:1) attaches to PE3.]

• Hub and Spoke
In the networking of Hub and Spoke, an access control device is specified in a VPN, and
users communicate with each other through this access control device. That is, the
communication flows between Spoke sites all travel through a Hub site. As shown in Figure
2-4, Site1 and Site2 cannot communicate directly but need to communicate through Site3.

Figure 2-4 Schematic diagram of Hub and Spoke
[Figure: Site1 and Site2 (VPN1) each connect through a Spoke-CE to a Spoke-PE; Site3 (VPN1)
connects through the Hub-CE to the Hub-PE.]

• Inter-AS VPN
If a VPN backbone network spans multiple ASs, inter-AS VPN must be deployed. There
are two modes for implementing inter-AS VPN: Option A and Option B.
• Multi-VPN-Instance CE
Currently, different services on a Local Area Network (LAN) are isolated through the
Virtual LAN (VLAN) function of switches. However, the routing capability of a switch is
weaker than that of a router. To ensure that the services of the LAN are safely isolated and
to improve the routing capability of the LAN, you can configure Multi-VPN-Instance CE to
solve the security problem of the LAN at a low cost.
• VPN and Internet interworking
The NE5000E supports the interworking between the VPN and the Internet. In this way,
users in a VPN can not only communicate with each other but also access the Internet.

Reliability
To improve the reliability of a VPN, generally, the following networking models are adopted:

• The backbone network is an MPLS network, in which the devices on the backbone layer
are fully connected and backed up. The devices on the backbone layer are generally
connected through high-speed interfaces. If the number of PEs is large, use a BGP route
reflector to reflect VPNv4 routes to decrease the number of MP-IBGP connections.
• The convergence layer is of either a mesh topology or a ring topology.
• The CE can either be single-homed or multi-homed on the access layer.

The NE5000E supports the following reliability mechanisms:

• VPN Fast ReRoute (VPN FRR): ensures that VPN traffic can be switched to another
PE-PE link when traffic forwarding between PEs fails. In this way, end-to-end fast
convergence of VPN services is implemented.
• VPN Graceful Restart (VPN GR): ensures that VPN traffic is not interrupted when
the router (PE, P, or CE) bearing the VPN traffic performs master-slave switchover. This
reduces the impact of a single point failure on VPN services. Currently, the NE5000E
supports only the GR helper.
• VPN NSR
Non-Stop Routing (NSR) is a technique that prevents a peer from sensing the fault on the
control plane of a router that provides a slave control plane. With NSR, when the control
plane of the router becomes faulty, the peer relationships set up through specific routing
protocols, MPLS, and other protocols that carry services are not interrupted.
During the master/slave switchover, VPN NSR ensures continuous forwarding on the
forwarding plane and continuous advertisement of VPN routes. In this process, the peer
relationships are not affected, and peers are not aware of the switchover on the local router.
This ensures uninterrupted transmission of VPN services.

2.3 Configuring a VPN Instance Enabled with the IPv4 Address Family
Configuring VPN instances is required in all BGP/MPLS IP VPN solutions.

Applicable Environment
A VPN instance is an important part in the VPN technology. VPN instances are used to isolate
private network routes and public network routes.
VPN instances exist only on PEs for creating private network routing tables and saving VPN
routes sent by local CEs and remote PEs.

Pre-configuration Tasks
Before configuring a VPN instance enabled with the IPv4 address family, complete the following
tasks:
• Configuring routing policies to control the import or export of VPN routes
• Configuring tunnel policies to implement tunnel load balancing for VPN instance IPv4
address family, change the default sequence in which Label Switched Paths (LSPs) or
MPLS TE tunnels are selected, or bind VPN instances to TE tunnels

Configuration Procedures

Figure 2-5 Flowchart for configuring a VPN instance enabled with the IPv4 address family
[Flowchart: (1) Create a VPN instance; (2) Configure attributes for the VPN instance IPv4
address family; (3) Limit the route number of the VPN instance IPv4 address family;
(4) Apply a tunnel policy to the VPN instance IPv4 address family; (5) Configure MPLS label
allocation based on the VPN instance IPv4 address family. The legend marks each step as a
mandatory procedure or an optional procedure.]

2.3.1 Creating a VPN Instance


A VPN instance takes effect only after a Route Distinguisher (RD) is configured.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip vpn-instance vpn-instance-name

A VPN instance is created and the VPN instance view is displayed.

NOTE
The name of a VPN instance is case sensitive. For example, vpn1 and VPN1 are two different VPN
instances.

Step 3 (Optional) Run:
description description-information

The description about the VPN instance is configured. The description is used to record the
purpose of creating the VPN instance and the CEs with which the VPN instance sets up
connections.
Step 4 Run:
commit

The configuration is committed.

----End

2.3.2 Configuring Attributes for the VPN Instance IPv4 Address Family
To implement the control over the import and export of VPN routes, you need to configure a
VPN target for a VPN instance and routing policies for importing and exporting VPN routes.

Context
In addition to the VPN target attribute used to control the import and export of VPN routes, you
can configure a routing policy to control VPN routes more precisely.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.


Step 3 Run:
ipv4-family

The IPv4 address family is enabled for the VPN instance and the VPN instance IPv4 address
family view is displayed.
A VPN instance supports the IPv4 address family and IPv6 address family. You can configure
the VPN only after the IPv4 or IPv6 address family is configured on the basis of the type of the
protocol stack used to advertise routes and forward data.
Step 4 Run:
route-distinguisher route-distinguisher

An RD is configured for the VPN instance IPv4 address family.


The VPN instance IPv4 address family takes effect only after an RD is configured for it. The
RDs configured in different VPN instance IPv4 address family views of the same PE must be
different.

NOTE

A configured RD cannot be changed or deleted. You need to delete a VPN instance or disable the VPN
instance IPv4 address family before changing or deleting the RD of the VPN instance IPv4 address
family.

Step 5 Run:
vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]

A VPN target is configured for the VPN instance IPv4 address family.
A VPN target is an extended community attribute of BGP. It controls the import and export of
VPN routes. When a PE exports VPN routes to other PEs, it appends export VPN targets to the
exported routes. When a PE imports VPN routes from other PEs, it decides whether to add the
imported routes to the IPv4 address family of a local VPN instance by comparing the import
VPN targets of that VPN instance with the export VPN targets appended to the imported routes.

You can configure a maximum of eight VPN targets each time you run the vpn-target command.

Step 6 (Optional) Run:
import route-policy policy-name

A routing policy for importing VPN routes is configured.

The routing policy for importing VPN routes can filter the routes imported by VPN instances
IPv4 address family and set attributes for the routes that pass the filtering.

Step 7 (Optional) Run:
export route-policy policy-name

A routing policy for exporting VPN routes is configured.

A routing policy for exporting VPN routes can filter the routes advertised by VPN instances
IPv4 address family and set attributes for the routes that pass the filtering.

Step 8 Run:
quit

Return to the system view.

Step 9 Run:
bgp as-number

The BGP view is displayed.

Step 10 Run:
ipv4-family vpn-instance vpn-instance-name

A BGP private routing table is created for the VPN instance and the BGP-VPN instance view
is displayed.

VPN targets configured for the VPN instance IPv4 address family can be synchronized into a BGP
private routing table only after the ipv4-family vpn-instance command is run. In this way, VPN
targets can be used to filter the routes to be injected into the BGP private routing table. If the
ipv4-family vpn-instance command is not run, no route can be injected into the BGP private
routing table.

Step 11 Run:
commit

The configuration is committed.

----End

2.3.3 (Optional) Limiting the Route Number of the VPN Instance IPv4 Address Family
To prevent a PE from importing excessive VPN routes, you can set the maximum number of
routes of each VPN instance IPv4 address family.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.

Step 3 Run:
ipv4-family

The VPN instance IPv4 address family view is displayed.

Step 4 (Optional) Run:


prefix limit number { alert-percent | simply-alert }

The maximum number of prefixes of the VPN instance IPv4 address family is set.

To prevent a PE from importing excessive prefixes from CEs, you can set the maximum number
of prefixes supported by a VPN instance IPv4 address family.

If simply-alert is specified, when the number of VPN prefixes exceeds the specified number,
the system generates an alarm but still injects VPN prefixes into the routing table of the
VPN instance IPv4 address family. After the total number of VPN prefixes and public
network routes reaches the unicast route limit specified in the license file, subsequent VPN
prefixes are dropped.

Step 5 Run:
commit

The configuration is committed.

----End

2.3.4 (Optional) Applying a Tunnel Policy to the VPN instance IPv4 Address Family
By applying a tunnel policy to the VPN instance IPv4 address family, you can specify a dedicated
tunnel for VPN traffic forwarding.

Context
By default, the system selects a tunnel for the VPN instance IPv4 address family in the sequence
of LSPs, CR-LSPs, GRE tunnels, and Local_IfNet, and load balancing is not performed. In the
following cases, you need to configure a tunnel policy on the PE and apply the tunnel policy to
the VPN instance IPv4 address family:
• To specify tunnels of different priorities to be used by different VPN services
• To specify tunnel load balancing for VPN services
• To designate specific TE tunnels for VPN services

Currently, the NE5000E supports two types of tunnel policy:

• Tunnel type prioritizing policy: is used to change the sequence in which tunnel types
are selected or to set the number of tunnels participating in load balancing.

• Tunnel binding policy: is used to bind a TE tunnel to a destination address so that VPN
services for this destination can be transmitted over this dedicated TE tunnel.

For configurations about tunnel policies, see the chapter "VPN Tunnel Management
Configuration" in this manual.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.

Step 3 Run:
ipv4-family

The IPv4 address family is enabled for the VPN instance and the VPN instance IPv4 address
family view is displayed.

Step 4 Run:
tnl-policy policy-name

A tunnel policy is applied to the VPN instance IPv4 address family.

Step 5 Run:
commit

The configuration is committed.

----End

2.3.5 (Optional) Configuring MPLS Label Allocation Based on the VPN Instance IPv4 Address Family
If there are a large number of VPN routes, you can reduce the number of MPLS labels maintained by
PEs by configuring MPLS label allocation based on the VPN instance IPv4 address family.

Context
By default, the system allocates one label to each route of the VPN instance IPv4 address
family. When a large number of VPN routes exist, the Incoming Label Map (ILM) on a PE needs
to maintain a great deal of information. This poses a requirement for a larger capacity of the PE.
To reduce the entries in the ILM, you can configure the system to allocate a label for each VPN
instance IPv4 address family. Then, all the routes of the VPN instance IPv4 address family use
one label.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.

Step 3 Run:
ipv4-family

The IPv4 address family is enabled for the VPN instance and the VPN instance IPv4 address
family view is displayed.

Step 4 Run:
apply-label per-instance

MPLS label allocation based on VPN instance IPv4 address family is configured. Then, all the
routes of the VPN instance IPv4 address family use one label.

NOTE

Changing the label allocation mode causes VPN routes to be re-advertised. Therefore, use the
apply-label per-instance command with caution.

Step 5 Run:
commit

The configuration is committed.

----End

2.3.6 Checking the Configuration


After configuring a VPN instance, you can view information about the VPN instance IPv4
address family on the local device, including the RD value and other attributes.

Prerequisite
All configurations about the VPN instance are complete.

Procedure
• Run the display ip vpn-instance [ verbose ] vpn-instance-name command to check brief
information or detailed information about a specified VPN instance.

----End

Example
After a VPN instance is configured, run the display ip vpn-instance command, and you can
view brief information about the configured VPN instance on the local device. For example:
<HUAWEI> display ip vpn-instance
Total VPN-Instances configured : 5
VPN-Instance Name Address-family
vrf1 ipv4 ipv6
vrf2
vrf3 ipv4 ipv6
vrf4 ipv4
vrf5 ipv6

Run the display ip vpn-instance verbose command, and you can view detailed information
about the VPN instance configured on the local device. For example:
<HUAWEI> display ip vpn-instance verbose vpn1

VPN-Instance Name and ID : vpn1, 1


Interfaces : GigabitEthernet1/0/0
Address family ipv4
Create date : 2009/11/19 11:48:13
Up time : 0 days, 00 hours, 41 minutes and 51 seconds
Route Distinguisher : 1:1
Export VPN Targets : 1:2
Import VPN Targets : 1:2
Label policy : label per instance
Import Route Policy : p1
Export Route Policy : p2
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe
Tunnel Policy : tnlpolicy1
Description : This is a VPN for company1.
Maximum Routes Limit : 100
Threshold Routes Limit : 80%
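
The import decision described for the vpn-target command (a route is added to an instance when one of the export VPN targets it carries matches an import VPN target of that instance) can be checked against this output. The Python script below is an added example, not part of the Huawei guide: it parses text in the layout shown above and reports instances that import routes exported by another instance and instances without a route limit. The sample text is constructed, and the script assumes that multiple targets are space-separated and that the Maximum Routes Limit line is absent when no limit is configured.

```python
from itertools import permutations

# Constructed sample in the "Key : value" layout of the verbose output above.
# Instance names, RDs, and VPN targets are made up for illustration.
SAMPLE = """\
VPN-Instance Name and ID : vpna, 1
Address family ipv4
Route Distinguisher : 100:1
Export VPN Targets : 100:10
Import VPN Targets : 100:10
Maximum Routes Limit : 100
VPN-Instance Name and ID : vpnb, 2
Address family ipv4
Route Distinguisher : 100:2
Export VPN Targets : 100:20
Import VPN Targets : 100:20 100:10
VPN-Instance Name and ID : vpnc, 3
Address family ipv4
Route Distinguisher : 100:3
Export VPN Targets : 100:30
Import VPN Targets : 100:30
Maximum Routes Limit : 500
"""


def parse_instances(text):
    """Return {name: {"rd", "export", "import", "limit"}} from verbose output."""
    instances, current = {}, None
    for line in text.splitlines():
        # Split on the first colon only, so values such as "100:1" stay intact.
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not sep:
            continue  # e.g. "Address family ipv4" or a blank line
        if key == "VPN-Instance Name and ID":
            name = value.split(",")[0].strip()
            current = instances[name] = {
                "rd": None, "export": set(), "import": set(), "limit": None}
        elif current is None:
            continue  # text before the first instance header
        elif key == "Route Distinguisher":
            current["rd"] = value
        elif key == "Export VPN Targets":
            current["export"] = set(value.split())
        elif key == "Import VPN Targets":
            current["import"] = set(value.split())
        elif key == "Maximum Routes Limit":
            current["limit"] = int(value)
    return instances


def importing_instances(instances, route_targets):
    """Names of the instances that import a route carrying these export targets."""
    carried = set(route_targets)
    return sorted(n for n, inst in instances.items() if inst["import"] & carried)


def audit(instances):
    """List cross-VPN imports (extranet relationships, which should be
    intentional) and instances that have no route limit configured."""
    findings = []
    for src, dst in permutations(sorted(instances), 2):
        shared = instances[src]["export"] & instances[dst]["import"]
        if shared:
            findings.append(("cross-vpn-import", src, dst, tuple(sorted(shared))))
    for name in sorted(instances):
        if instances[name]["limit"] is None:
            findings.append(("no-route-limit", name))
    return findings


if __name__ == "__main__":
    parsed = parse_instances(SAMPLE)
    print("route with target 100:10 is imported by:",
          importing_instances(parsed, ["100:10"]))
    for finding in audit(parsed):
        print(finding)
```

A cross-vpn-import finding is expected for an extranet and unexpected for an intranet VPN, so compare the findings with the intended design.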

2.4 Configuring Basic BGP/MPLS IP VPN


The basic BGP/MPLS IP VPN contains only one SP network, and the MPLS backbone network does
not span multiple ASs. In addition, the role of each PE, P, or CE is unique; that is, a router cannot
function as both a PE and a CE.

Applicable Environment
The basic BGP/MPLS IP VPN supports intranet VPN, extranet VPN, and Hub and Spoke
solutions.
• Intranet: All users in a VPN form a closed user group (CUG), and users in a VPN cannot
communicate with users outside the VPN.
• Extranet: Users in a VPN want to access the sites in another VPN.
• Hub and Spoke: An access control device is specified in a VPN, and users communicate
with each other through this access control device. For configurations about Hub and Spoke,
see Configuring Hub and Spoke.

Pre-configuration Tasks
Before configuring basic BGP/MPLS IP VPN, complete the following tasks:
• Configuring an IGP on the MPLS backbone network (PE and P) to implement IP
intercommunication
• Configuring basic MPLS functions and MPLS LDP on the MPLS backbone network (PE
and P)
• Configuring a tunnel between PEs based on a tunnel policy
• Configuring IP addresses for the interfaces connecting CEs to PEs

Configuration Procedures

Figure 2-6 Flowchart for configuring basic BGP/MPLS IP VPN
[Flowchart: Configure a VPN instance -> Bind an interface to a VPN instance -> Configure a
router ID for a BGP VPN instance IPv4 address family -> Configure route exchange between PEs ->
Configure route exchange between a PE and a CE. The legend distinguishes mandatory and
optional procedures.]

Related Tasks
2.18.1 Example for Configuring BGP/MPLS IP VPN

2.4.1 Configuring a VPN Instance


You can configure a VPN instance for managing VPN routes.

Procedure
Step 1 For the detailed procedure for configuring a VPN instance, see 2.3 Configuring a VPN Instance
Enabled with the IPv4 Address Family.

----End

2.4.2 Binding an Interface to a VPN Instance


By binding an interface to a VPN instance, you can change the interface to a VPN interface.
Then, packets entering this interface are forwarded according to the forwarding information of
the VPN instance.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the interface to be bound to a VPN instance is displayed.

Step 3 Run:
ip binding vpn-instance vpn-instance-name

The interface is bound to a VPN instance.

NOTE

After the ip binding vpn-instance command is run on an interface, the Layer 3 features such as the IP
address and routing protocol configured on the interface are deleted.

Step 4 Run:
ip address ip-address { mask | mask-length }

An IP address is configured for the interface.


Step 5 Run:
commit

The configuration is committed.

----End

2.4.3 (Optional) Configuring a Router ID for a BGP VPN Instance IPv4 Address Family
You can configure different router IDs for BGP VPN instance IPv4 address families on the same
device.

Context
By default, no router ID is configured for a BGP VPN instance IPv4 address family, and the
BGP router ID is used. This makes different BGP VPN instance IPv4 address families on the
same device have the same router ID. In some cases, different router IDs need to be configured
for different BGP VPN instance IPv4 address families. For example, BGP peer relationships
need to be established between different BGP VPN instance IPv4 address families on the same
PE.
There are two methods of configuring a router ID for a BGP VPN instance IPv4 address family.
You can choose either of the two methods as required.

CAUTION
If a BGP session has been established in a BGP-VPN instance IPv4 address family, changing
or deleting the configured router ID resets the BGP session.

Procedure
• Configuring router IDs for all BGP VPN instance IPv4 address families
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
router-id vpn-instance auto-select

Automatic router ID selection is configured for all BGP VPN instance IPv4 address
families.

NOTE

Rules for automatically selecting a router ID for a BGP VPN instance IPv4 address family are
as follows:
• If the loopback interfaces configured with IP addresses are bound to the VPN instance
enabled with the IPv4 address family, the largest IP address among the IP addresses of the
loopback interfaces is selected as the router ID.
• If no loopback interfaces configured with IP addresses are bound to the VPN instance
enabled with the IPv4 address family, the largest IP address among the IP addresses of
other interfaces bound to the VPN instance is selected as the router ID, regardless of whether
the interface is Up or Down.

• Configuring a router ID for a specified BGP VPN instance IPv4 address family
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv4 address family view is displayed.


4. Run:
router-id { ipv4-address | auto-select }

A router ID or automatic router ID selection is configured for the current BGP VPN
instance IPv4 address family.

----End

2.4.4 Configuring Route Exchange Between PEs


PEs exchange routes through MP-IBGP. By importing extended community attributes to BGP,
MP-IBGP can advertise VPNv4 routes between PEs.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bgp as-number

The BGP view is displayed.

Step 3 Run:
peer peer-address as-number as-number

The remote PE is configured as a BGP peer.

Step 4 Run:
peer peer-address connect-interface loopback interface-number

The interface used to establish a TCP connection is specified.

NOTE

PEs must use the loopback interface addresses with 32-bit masks to establish an MP-IBGP peer relationship
so that routes can be iterated to the tunnel.

Step 5 Run:
ipv4-family vpnv4

The BGP VPNv4 sub-address family view is displayed.

Step 6 Run:
peer peer-address enable

The capability of exchanging VPNv4 routing information of the peer is enabled.

Step 7 Run:
commit

The configuration is committed.

----End

2.4.5 Configuring Route Exchange Between a PE and a CE


Through route exchange, a PE can learn routes from attached CEs and advertise the routes to
the remote PE, and the CEs can also learn the routes advertised by the remote PE.

Context
PEs and CEs can exchange routes through static routes (including default routes), RIP
multi-instance, OSPF multi-instance, IS-IS multi-instance, or BGP.

NOTE

A VPN that can receive routes of another VPN that are not advertised by the PE and advertise those
routes to the PE is called a transit VPN.
A VPN that receives only the routes of the local VPN and the routes advertised by the PE is called a
stub VPN. Commonly, static routes are used for route exchange between the CE and the PE in a stub VPN.

Choose one of the following configurations as required:

• Configuring IS-IS between a PE and a CE
• Configuring OSPF between a PE and a CE
• Configuring EBGP between a PE and a CE
• Configuring a static route between a PE and a CE (including the default route)
• Configuring RIP between a PE and a CE
• Configuring IBGP between a PE and a CE

NOTE

For detailed configurations about the IS-IS, OSPF, BGP, static route, and RIP, see the HUAWEI
NetEngine5000E Core Router Configuration Guide - IP Routing.

Procedure
• Configuring IS-IS between a PE and a CE
The following section covers only configurations on the PE. For the CE, you only need to
configure IS-IS and the detailed configuration procedures are not mentioned here.
1. Run:
system-view

The system view is displayed.


2. Run:
isis process-id vpn-instance vpn-instance-name

An IS-IS instance is created on the PE for communications between the PE and the
CE and the IS-IS view is displayed.
An IS-IS process can be bound to only one VPN instance. If you run an IS-IS process
without binding it to a VPN instance, the IS-IS process is considered as a public
network process. The IS-IS process on the public network cannot be bound to a VPN
instance.
3. Run:
network-entity net

The Network Entity Title (NET) is configured.


A NET specifies the current IS-IS area address and the system ID of the router. A
maximum of three NETs can be configured for one process on the router.
4. (Optional) Run:
is-level { level-1 | level-1-2 | level-2 }

The level of the router is set.


By default, the level of the router is level-1-2.
5. Run:
import-route bgp [ cost value ] [ cost-type { external | internal } ] [ level-1 | level-1-2 | level-2 ] [ route-policy policy-name ] [ tag tag-value ]

The BGP route is imported.


If no IS-IS level is specified before you run this command, the BGP route is imported
to the Level-2 routing table.
6. Run:
commit

The configuration is committed.


7. Run:
quit

Return to the system view.


8. Run:
interface interface-type interface-number

The view of the interface to be bound to the VPN instance is displayed.


9. Run:
isis enable [ process-id ]

IS-IS is enabled on the interface.


10. Run:
quit

Return to the system view.


11. Run:
bgp as-number

The BGP view is displayed.


12. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv4 address family view is displayed.


13. Run:
import-route isis process-id [ med med ] [ route-policy policy-name ]

The IS-IS route is imported into the routing table of the BGP VPN instance IPv4
address family.
14. Run:
commit

The configuration is committed.

NOTE

After the VPN instance is deleted or the IPv4 address family of the VPN instance is disabled, all
the IS-IS processes bound to the VPN instance are deleted.

• Configuring OSPF between a PE and a CE
The following section covers only configurations on the PE. For the CE, you only need to
configure OSPF and the detailed configuration procedures are not mentioned here.
1. Run:
system-view

The system view is displayed.


2. Run:
ospf process-id [ router-id router-id ] vpn-instance vpn-instance-name

An OSPF instance is created on the PE for communications between the PE and the
CE and the OSPF view is displayed.

An OSPF process can be bound to only one VPN instance. If you run an OSPF process
without binding it to a VPN instance, the OSPF process is considered as a public
network process. The OSPF process on the public network cannot be bound to a VPN
instance.

The OSPF process that is bound to the VPN instance does not use the public network
router ID configured in the system view. You must specify the router ID when starting
the OSPF process. If no router ID is specified, OSPF selects an IP address from the
IP addresses of the interfaces bound to this VPN instance based on router ID selection
rules and takes the selected IP address as the router ID.

3. (Optional) Run:
domain-id domain-id [ secondary ]

The domain ID is set.


The domain ID can be expressed by an integer or in dotted decimal notation. By
default, the domain ID is 0.
The domain ID is used to identify whether the routes imported into the VPN instances
belong to the same OSPF area. A domain ID can be advertised to remote PEs as a
BGP extension community attribute. When importing the BGP private routes, the
remote PEs convert the imported routes to Type5, Type7, or Type3 LSAs based on
the domain IDs. If the domain ID of a received route is the same as the local domain
ID:

– Type1, Type2, and Type3 LSAs are generated as Type3 LSAs.


– For Type5 and Type7 LSAs, Type5 LSAs are generated if the local area is not a
Not So Stubby Area (NSSA); Type7 LSAs are generated if the local area is an
NSSA.
If the domain ID of a received route and the local domain ID are different, regardless
of the types of the LSAs, Type5 LSAs are generated if the local area is a non-NSSA;
Type7 LSAs are generated if the local area is an NSSA.
4. (Optional) Run:
route-tag tag-value

The VPN route tag is configured.


By default, OSPF allocates a VPN route tag automatically according to the algorithm.

– If the BGP process is not started on the local device, by default, the tag value is 0.
– If the BGP process is started on the local device, by default, the first two bytes of
the tag value are fixed to be 0xD000, and the last two bytes are the local AS number.
That is, the tag value equals 3489660928 plus the local AS number of BGP.
The route tag can be used in the scenario of CE dual-homing to avoid loops of Type5
LSAs. If the route tags of the VPN routes of Type5 or Type7 LSAs received by the
PE from the CE are the same as the route tag configured on the PE, the LSAs are
discarded rather than being used in the SPF calculation.
5. Run:
import-route bgp [ cost value ] [ type { 1 | 2 } ] [ tag value ] [ route-policy policy-name ]

The BGP route is imported.


6. Run:
area area-id

The OSPF area view is displayed.


7. Run:
network ip-address wildcard-mask

OSPF is run on the network segment where the interface bound to the VPN instance
resides.
A network segment belongs to only one area. That is, you need to specify an area for
each interface that runs OSPF.

OSPF can properly run on an interface only when the following conditions are met:

– The mask length of the IP address of the interface is equal to or longer than the
mask length specified in the network command.
– The primary IP address of the interface is within the network segment specified in
the network command.

For a loopback interface, by default, OSPF advertises its IP address in 32-bit host
route, which is irrelevant to the mask length of the IP address on the interface.
8. Run:
commit

The configuration is committed.


9. Run:
quit

Return to the OSPF view.


10. Run:
quit

Return to the system view.


11. Run:
bgp as-number

The BGP view is displayed.


12. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv4 address family view is displayed.


13. Run:
import-route ospf process-id [ med med ] [ route-policy policy-name ]

The OSPF route is imported into the routing table of the BGP VPN instance IPv4
address family.
14. Run:
commit

The configuration is committed.

NOTE
After the VPN instance is deleted or the IPv4 address family of the VPN instance is disabled, all
the OSPF processes bound to the VPN instance are deleted.

• Configuring EBGP between a PE and a CE

Do as follows on the PE:

1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.

3. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv4 address family view is displayed.


4. Run:
peer peer-address as-number number

The CE is configured as an EBGP peer in the VPN.


5. (Optional) Run:
peer { ipv4-address } ebgp-max-hop [ number ]

The maximum number of hops is configured for the EBGP connection.


By default, a direct physical link must be available between EBGP peers. If the
requirement is not met, you must run the peer ebgp-max-hop command to allow
EBGP peers to establish a TCP connection through multiple hops.
6. (Optional) Select either step to import the direct routes destined for the local CE to
the VPN routing table and advertise the routes to the remote PE.
– Run the import-route direct [ med med | route-policy policy-name ]* command
to import the direct routes destined for the local CE.
– Run the network ip-address mask command to advertise the direct routes destined
for the local CE.
7. (Optional) Run:
peer { group-name | ipv4-address | ipv6-address } soo site-of-origin

The Site of Origin (SoO) attribute is configured for the specified CE.
When multiple CEs in a VPN site access different PEs, VPN routes sent from CEs to
PEs may return to this VPN site after traveling through the backbone network. This
may cause routing loops in the VPN site.
After the SoO attribute is configured on a PE, the PE adds the SoO attribute to the
route sent from a CE and then advertises the route to other PE peers. Before advertising
the VPN route to the connected CE, the PE peers check the SoO attribute carried in
the VPN route. If the PE peers find that this SoO attribute is the same as the locally
configured SoO attribute, the PE peers do not advertise this VPN route to the connected
CE.
8. (Optional) Run:
peer ip-address allow-as-loop [ number ]

The route loop is allowed.


This step is required for the Hub and Spoke networking.
Generally, BGP detects route loops based on AS numbers. In the Hub and Spoke
networking where EBGP is run between the PE and the CE at the Hub site, the Hub-PE
advertises routing information carrying the local AS number to the Hub-CE.
Therefore, when the Hub-PE receives a route Update message from the Hub-CE, the
Hub-PE cannot accept the route Update message if the AS number carried in the route
Update message is identical to the AS number of the Hub-PE. To ensure normal
route advertisement in the Hub and Spoke networking, you need to configure the BGP
peers to allow the routes with the AS numbers in the AS-path repeated once to pass
when the Hub-CE advertises the VPN routes to the Spoke-CEs.
9. (Optional) Run:

peer ip-address substitute-as

BGP AS number substitution is enabled.

This step is required for the scenario where physically dispersed CEs need to use the
same AS number. The configuration is executed on the PE.

NOTE
In the case of CE multi-homing, the BGP AS number substitution function may lead to route
loops.
10. Run:
commit

The configuration is committed.

Do as follows on the CE:

1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
peer peer-address as-number as-number

The PE is configured as an EBGP peer.


4. (Optional) Run:
peer { ipv4-address | group-name } ebgp-max-hop [ number ]

The maximum number of hops is configured for the EBGP connection.

By default, a directly-connected physical link must be available between EBGP peers.
If the requirement is not met, you must run the peer ebgp-max-hop command to allow
EBGP peers to establish a TCP connection through multiple hops.
5. Run:
import-route { direct | static | rip [ process-id ] | ospf process-id |
isis process-id } [ med med | route-policy policy-name ]*

The routes of the local site are imported.

The CE must advertise its own VPN routes to the attached PE and the PE then
advertises the routes to the remote CE. In actual applications, the types of routes to
be imported may be different.
6. Run:
commit

The configuration is committed.


• Configuring a static route between a PE and a CE (including the default route)
Do as follows on the PE. No special configurations are required on the CE and therefore
the CE configurations are not mentioned here.
1. Run:
system-view

The system view is displayed.


2. Run:
ip route-static vpn-instance vpn-instance-name dest-ip-address { mask | mask-length } { interface-type interface-number | vpn-instance vpn-destination-name nexthop-address | nexthop-address [ public ] } [ preference preference ] [ tag tag ] [ description text ]

The static route is configured for the specified VPN instance IPv4 address family.
3. Run:
bgp as-number

The BGP view is displayed.


4. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv4 address family view is displayed.


5. Run:
import-route static [ med med ] [ route-policy policy-name ]

The static route is imported into the routing table of the BGP VPN instance IPv4
address family.
6. Run:
commit

The configuration is committed.


• Configuring RIP between a PE and a CE
Do as follows on the PE. You only need to configure RIPv1 or RIPv2 on the CE and the
detailed configuration procedures are not mentioned here.
1. Run:
system-view

The system view is displayed.


2. Run:
rip process-id vpn-instance vpn-instance-name

A RIP instance is created on the PE for communications between the PE and the CE and
the RIP view is displayed.
A RIP process can be bound to only one VPN instance. If you run a RIP process
without binding it to a VPN instance, the RIP process is considered as a public network
process. The RIP process on the public network cannot be bound to a VPN instance.
3. Run:
network network-address

RIP is run on the network segment where the interface bound to the VPN instance
resides.
4. Run:
import-route bgp [ cost value ] [ route-policy policy-name ]

The BGP route is imported.


After the import-route bgp command is run in the RIP view, the PE can import the
BGP routes of the VPN instance IPv4 address family into the RIP routing table and
further advertise them to the attached CE.

5. Run:
commit

The configuration is committed.


6. Run:
quit

Return to the system view.


7. Run:
bgp as-number

The BGP view is displayed.


8. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv4 address family view is displayed.


9. Run:
import-route rip process-id [ med med ] [ route-policy policy-name ]

The RIP route is imported into the routing table of the BGP VPN instance IPv4 address
family.
After the import-route rip command is run in the BGP-VPN instance IPv4 address
family view, the PE imports the VPN routes learnt from the attached CE into BGP,
forms them into VPN-IPv4 routes, and advertises them to the remote PE.
10. Run:
commit

The configuration is committed.

NOTE

After the VPN instance is deleted or the IPv4 address family of the VPN instance is disabled, all
the RIP processes bound to the VPN instance are deleted.

• Configuring IBGP between a PE and a CE
Do as follows on the PE:
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv4 address family view is displayed.


4. Run:
peer peer-address as-number number

The CE is configured as an IBGP peer in the VPN.


5. (Optional) Select either step to import the direct route destined for the local CE to the
VPN routing table and advertise the route to the remote PE.

– Run the import-route direct [ med med | route-policy policy-name ]* command
to import the direct route destined for the local CE.
– Run the network ip-address mask command to advertise the direct route destined
for the local CE.
NOTE

If Step 5 is not performed, the PE does not advertise the direct route to the remote PE through
MP-BGP.
6. Run:
commit

The configuration is committed.

Do as follows on the CE:

1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
peer peer-address as-number as-number

The PE is configured as an IBGP peer.


4. Run:
import-route { direct | static | rip [ process-id ] | ospf process-id |
isis process-id } [ med med | route-policy policy-name ]*

The routes of the local site are imported.

The CE must advertise its own VPN routes to the attached PE. In actual applications,
the types of routes to be imported may be different.
5. Run:
commit

The configuration is committed.

----End

2.4.6 Checking the Configuration


After configuring the basic BGP/MPLS IP VPN, you can view IPv4 VPN routes on the PE or
CE.

Prerequisite
All configurations about basic BGP/MPLS IP VPN are complete.

Procedure
• Run the display ip routing-table vpn-instance vpn-instance-name command to check
routing information about the specified VPN instance IPv4 address family on the PE.
• Run the ping command on the local CE to ping the remote CE.

----End

Example
Run the display ip routing-table vpn-instance vpn-instance-name command on the PE, and
you can find that the PE has VPN routes to its interconnected CEs.
<HUAWEI> display ip routing-table vpn-instance vpna
Route Flags: R - relied, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 3 Routes : 3
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.2 GigabitEthernet1/0/0
10.1.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.3.1.0/24 BGP 255 0 RD 3.3.3.9 Pos3/0/0

Run the ping command on the CE, and you can view that the local CE can ping the remote CE
successfully.
<HUAWEI> ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms
--- 10.3.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms

2.5 Configuring Route Reflection to Optimize the VPN Backbone Layer

Using a Route Reflector (RR) can reduce the number of MP-IBGP connections between PEs.
This not only reduces the burden on PEs but also facilitates network maintenance and
management.

Applicable Environment
If too many PEs reside on the VPN backbone network and these PEs need to establish MP-IBGP
peer relationships to exchange VPN routes, you can configure route reflection to optimize the
VPN backbone network.

A BGP speaker does not advertise the routes learnt from an IBGP peer to other IBGP peers. To
enable a PE to advertise the routes of the VPN that the PE accesses to the BGP VPNv4 peers in
the same AS, the PE must establish IBGP peer relationships with all peers to directly exchange
VPN routing information. That is, MP-IBGP peers must be fully meshed. If there are n
PEs (including ASBRs) in an AS, n(n-1)/2 pairs of MP-IBGP peers need to be created. A large
number of IBGP peers consume a great number of network resources. After an RR is configured,
each PE needs to set up an MP-IBGP peer relationship with only the RR, that is, n pairs of
MP-IBGP peers are required.


Pre-configuration Tasks
Before configuring route reflection to optimize the VPN backbone layer, complete the following
tasks:

• Configuring the routing protocol for the MPLS backbone network to implement IP
interworking between routers on the backbone network
• Establishing tunnels (LSPs or MPLS TE tunnels) between all the PEs

Configuration Procedures

Figure 2-7 Flowchart for configuring route reflection to optimize the VPN backbone layer

[Flowchart steps: configure a client PE to establish an MP-IBGP peer relationship with an RR;
configure an RR to establish MP-IBGP peer relationships with all client PEs; configure route
reflection for BGP VPNv4 routes. Legend: mandatory procedure, optional procedure.]

Related Tasks
2.18.5 Example for Configuring Double RRs for the Optimization of the VPN Backbone Layer
2.18.6 Example for Configuring an RR for the Optimization of the VPN Access Layer

2.5.1 Configuring a Client PE to Establish an MP-IBGP Peer Relationship with an RR

You can configure a PE to establish an MP-IBGP peer relationship with an RR to reflect VPNv4
routes.

Context
A PE or P can function as an RR on the backbone network.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bgp as-number

The BGP view is displayed.

Step 3 Run:
peer peer-ipv4-address as-number as-number

The RR is specified as a BGP peer.

Step 4 Run:
peer peer-ipv4-address connect-interface loopback interface-number

The interface used to establish a TCP connection is specified.

NOTE

A client PE must use the loopback interface address with a 32-bit mask to establish an MP-IBGP peer
relationship with the RR so that routes can be iterated to the tunnel.

Step 5 Run:
ipv4-family vpnv4

The BGP-VPNv4 address family view is displayed.

Step 6 Run:
peer peer-ipv4-address enable

The capability of exchanging VPNv4 routes between the PE and the RR is enabled.

Step 7 Run:
commit

The configuration is committed.

----End

2.5.2 Configuring an RR to Establish MP-IBGP Peer Relationships with All Client PEs

You can configure an RR to establish MP-IBGP peer relationships with all its clients (PEs) to
reflect VPNv4 routes.

Procedure
• Configuring the RR to establish an MP-IBGP peer relationship with each of its clients
Perform Steps 3 to 6 repeatedly on the RR to establish MP-IBGP peer relationships with
all client PEs.
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
peer peer-ipv4-address as-number as-number

The client PE is specified as a BGP peer.

4. Run:
peer peer-ipv4-address connect-interface interface-type interface-number

The interface used to establish a TCP connection is specified. The IP address of the
interface must be the same as the MPLS LSR ID. You are advised to specify a
loopback interface to establish the TCP connection.
5. Run:
ipv4-family vpnv4

The BGP-VPNv4 address family view is displayed.


6. Run:
peer peer-ipv4-address enable

The capability of exchanging VPNv4 routes between the RR and the client PE is
enabled.
7. Run:
commit

The configuration is committed.

----End

2.5.3 Configuring Route Reflection for BGP VPNv4 Routes


Before enabling BGP VPNv4 route reflection, ensure that the RR has established MP-IBGP
peer relationships with all client PEs.

Context
For detailed configurations about an RR, please refer to the chapter BGP Configuration in the
Configuration Guide - IP Routing.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bgp as-number

The BGP view is displayed.

Step 3 Run:
ipv4-family vpnv4

The BGP VPNv4 sub-address family view is displayed.

Step 4 Run:
peer peer-ipv4-address reflect-client

The local device is configured as an RR and its peer is considered as the client of the RR.

Step 5 (Optional) Run:
undo reflect between-clients

Route reflection between clients is disabled. Use this command if the clients are fully
connected.

Step 6 Run:
undo policy vpn-target

Filtering VPNv4 routes based on VPN targets is disabled.

Step 7 (Optional) Run:
rr-filter extended-list-number

The reflection policy is configured for the RR.

Step 8 Run:
commit

The configuration is committed.

----End

2.5.4 Checking the Configuration


After configuring route reflection to optimize the VPN backbone layer, you can view BGP
VPNv4 peer information and VPNv4 routing information on the RR or its client PEs.

Prerequisite
All the configurations about route reflection are complete.

Procedure
• Run the display bgp vpnv4 all peer [ [ ipv4-address ] verbose ] command on the RR or
client PE to view information about the BGP VPNv4 peer.
• Run the display bgp vpnv4 all routing-table peer peer-ipv4-address { advertised-routes |
received-routes } [ statistics ] command on the RR or client PE to view
information about the routes received from the peer or the routes advertised to the peer.

----End

Example
• Run the display bgp vpnv4 all peer command on the RR or client PE, and you can find
that the status of the MP-IBGP peer relationships between the RR and all client PEs is
"Established".
<HUAWEI> display bgp vpnv4 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 3 Peers in established state : 3
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2.2.2.9 4 100 2 4 0 00:00:31 Established 0
3.3.3.9 4 100 3 5 0 00:01:23 Established 0
Peer of vpn instance :
VPN-Instance vpna, router ID 1.1.1.9:
10.1.1.1 4 65410 79 82 0 01:13:29 Established 0

• Run the display bgp vpnv4 all routing-table peer { advertised-routes | received-routes }
command on the RR or client PE, and you can find that the RR and client PE can
exchange VPNv4 routing information.
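
A check that can be scripted around the display bgp vpnv4 all peer output shown above, added here as an example and not part of the Huawei guide: it parses the peer table, reports peers that are not Established, and compares the backbone peers with an expected list. The expected-peer list and the second output sample are assumptions constructed for illustration.

```python
"""Audit `display bgp vpnv4 all peer` output captured from an RR or client PE."""
import re

# One peer row: Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
PEER_ROW = re.compile(
    r"^\s*(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+(?P<asn>\S+)"
    r"\s+\d+\s+\d+\s+\d+\s+\S+\s+(?P<state>\S+)\s+\d+\s*$"
)
# Rows that follow this line belong to a VPN instance (PE-CE peers), not the backbone.
INSTANCE = re.compile(r"^\s*VPN-Instance\s+(?P<name>[^,\s]+),")

# Output reproduced from the example in this section.
PAGE_OUTPUT = """\
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 3 Peers in established state : 3
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2.2.2.9 4 100 2 4 0 00:00:31 Established 0
3.3.3.9 4 100 3 5 0 00:01:23 Established 0
Peer of vpn instance :
VPN-Instance vpna, router ID 1.1.1.9:
10.1.1.1 4 65410 79 82 0 01:13:29 Established 0
"""

# Constructed sample: one session stuck in Active and one peer nobody planned for.
DEGRADED_OUTPUT = """\
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2.2.2.9 4 100 2 4 0 00:00:31 Established 0
3.3.3.9 4 100 0 0 0 00:01:23 Active 0
4.4.4.9 4 100 3 5 0 00:02:10 Established 0
"""


def parse_peers(text):
    """Return one dict per peer row, tagged with the scope it was listed under."""
    peers, scope = [], "vpnv4"
    for line in text.splitlines():
        inst = INSTANCE.match(line)
        if inst:
            scope = "vpn-instance " + inst.group("name")
            continue
        row = PEER_ROW.match(line)
        if row:
            peers.append({
                "peer": row.group("peer"),
                "as": row.group("asn"),
                "state": row.group("state"),
                "scope": scope,
            })
    return peers


def audit(text, expected_vpnv4_peers):
    """Compare parsed peers with the planned MP-IBGP peers (an assumed input)."""
    peers = parse_peers(text)
    expected = set(expected_vpnv4_peers)
    backbone = {p["peer"] for p in peers if p["scope"] == "vpnv4"}
    return {
        # Any session, backbone or PE-CE, that is not up.
        "not_established": sorted(p["peer"] for p in peers if p["state"] != "Established"),
        # VPNv4 peers present on the device but absent from the plan.
        "unexpected": sorted(backbone - expected),
        # Planned VPNv4 peers that the device does not list at all.
        "missing": sorted(expected - backbone),
    }


if __name__ == "__main__":
    planned = {"2.2.2.9", "3.3.3.9"}  # constructed plan: the RR's client PEs
    print(audit(PAGE_OUTPUT, planned))
    print(audit(DEGRADED_OUTPUT, planned))
```

An unexpected VPNv4 peer deserves the same attention as a session that is down, because every VPNv4 peer of an RR receives the reflected routes.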


2.6 Configuring Hub and Spoke


In the Hub and Spoke networking, an access control device is specified in the VPN, and users
communicate with each other through the access control device.

Applicable Environment
If an access control device must be specified in the VPN and all the users access the
VPN through this access control device, you can deploy the Hub and Spoke networking so that
all the data exchanged between Spoke sites flows through the Hub site.
As shown in Figure 2-8, Site1 and Site2 in VPN1 communicate with each other through Site3.
In such a scenario, you can deploy a monitoring device at Site 3 to monitor the communication
between Site1 and Site2.

Figure 2-8 Diagram of the Hub-Spoke networking

[Figure: Site1 and Site2 of VPN1 each connect through a Spoke-CE and a Spoke-PE; Site3 of
VPN1 connects through the Hub-CE and the Hub-PE.]

Pre-configuration Tasks
Before configuring Hub and Spoke, complete the following tasks:
• Configuring an IGP on the MPLS backbone network to implement IP interworking
• Configuring the basic MPLS capability and establishing an LDP LSP between PEs
• Configuring an IP address for the interface connecting the CE to the PE

Configuration Procedures

Figure 2-9 Flowchart for configuring Hub and Spoke

[Flowchart steps: configure a VPN instance; configure routing attributes for a VPN instance;
bind an interface to a VPN instance; configure route exchange between a Hub-PE and a
Spoke-PE; configure route exchange between a PE and a CE. Legend: mandatory procedure,
optional procedure.]

Related Tasks
2.18.7 Example for Configuring Hub and Spoke

2.6.1 Configuring a VPN Instance


You can configure a VPN instance for managing VPN routes.

Context
In the Hub and Spoke networking, the PE connected to a central site (Hub site) is called a Hub-
PE and the PE connected to a non-central site (Spoke site) is called a Spoke-PE.
You need to configure a VPN instance on each Spoke-PE and two VPN instances (VPN-in and
VPN-out) on each Hub-PE.
• VPN-in is used to receive and maintain the VPNv4 routes advertised by all the Spoke-PEs.
• VPN-out is used to maintain the routes of the Hub site and all the Spoke sites and advertise
the routes to all Spoke-PEs.

NOTE

Steps 1 to 7 are performed to configure one VPN instance. Configurations of different VPN instances are
similar. Note that the different VPN instances on the same device must have different names, RDs, and
descriptions.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip vpn-instance vpn-instance-name

A VPN instance is created and the VPN instance view is displayed.


The name of a VPN instance is case sensitive. For example, "vpn1" and "VPN1" are two different
VPN instances.
Step 3 (Optional) Run:
description description-information

The description of the VPN instance is configured.


The description is used to record the purpose of creating the VPN instance and the CEs with
which the VPN instance sets up connections.
Step 4 Run:
ipv4-family

The IPv4 address family is enabled for the VPN instance and the VPN instance IPv4 address
family view is displayed.
Step 5 Run:
route-distinguisher route-distinguisher

An RD is configured for the VPN instance IPv4 address family.


The VPN instance IPv4 address family takes effect only after an RD is configured. Before
configuring an RD, you can configure only the description about the VPN instance. No other
parameters can be configured.
Step 6 (Optional) Run:
apply-label per-instance

MPLS label allocation based on the VPN instance IPv4 address family is configured. Then, all the
routes of the VPN instance IPv4 address family use one label.
In general, each route is assigned one label (one label per route).
Step 7 (Optional) Run:
prefix limit number { alert-percent | simply-alert }

The maximum number of prefixes of the VPN instance IPv4 address family is set.
To prevent a PE from importing excessive prefixes, you can set the maximum number of prefixes
supported by the VPN instance IPv4 address family.
Step 8 Run:
commit

The configuration is committed.

----End

2.6.2 Configuring Routing Attributes for a VPN Instance


In the networking of Hub and Spoke, you can configure VPN targets on the Hub-PE and
Spoke-PEs to control the advertisement of VPN routes. The import VPN target configured on the
Hub-PE must contain the export VPN targets configured on all the Spoke-PEs. The export VPN target
configured on the Hub-PE must contain the import VPN targets configured on all the Spoke-PEs.

Context
Controlling the advertisement of VPN routes by configuring VPN targets is also a key part of
the Hub and Spoke solution.

Procedure
• Configuring the Hub-PE
1. Run:
system-view

The system view is displayed.


2. Run:
ip vpn-instance vpn-instance-name1

The VPN instance view of VPN-in is displayed.


3. Run:
ipv4-family

The VPN instance IPv4 address family view is displayed.


4. Run:
vpn-target vpn-target1 &<1-8> import-extcommunity

The VPN target extended community is configured for the VPN instance IPv4 address
family to receive the VPNv4 routes advertised by all the Spoke-PEs.

The vpn-target1 list here must contain the export VPN targets configured on all the
Spoke-PEs.
5. (Optional) Run:
import route-policy policy-name

A routing policy for importing VPN routes is configured.


6. (Optional) Run:
export route-policy policy-name

A routing policy for exporting VPN routes is configured.


7. Run:
commit

The configuration is committed.


8. Run:
quit

Return to the system view.


9. Run:
ip vpn-instance vpn-instance-name2

The VPN instance view of VPN-out is displayed.


10. Run:
ipv4-family

The VPN instance IPv4 address family view is displayed.


11. Run:
vpn-target vpn-target2 &<1-8> export-extcommunity

The VPN target extended community is configured for the VPN instance IPv4 address
family to advertise the routes of all the Hub sites and Spoke sites.
The vpn-target2 list here must contain the import VPN targets configured on all the
Spoke-PEs.
12. (Optional) Run:
import route-policy policy-name

A routing policy for importing VPN routes is configured.


13. (Optional) Run:
export route-policy policy-name

A routing policy for exporting VPN routes is configured.


14. (Optional) Run:
commit

The configuration is committed.


• Configuring the Spoke-PE
1. Run:
system-view

The system view is displayed.


2. Run:
ip vpn-instance vpn-instance-name1

The VPN instance view of VPN-in is displayed.


3. Run:
ipv4-family

The VPN instance IPv4 address family view is displayed.


4. Run:
vpn-target vpn-target2 &<1-8> import-extcommunity

The VPN target extended community is configured for the VPN instance IPv4 address
family to receive the VPNv4 routes advertised by the Hub-PE.
vpn-target2 must be in the export VPN target list configured on the Hub-PE.
5. Run:
vpn-target vpn-target1 &<1-8> export-extcommunity

The VPN target extended community is configured for the VPN instance IPv4 address
family to advertise the routes of the sites the Spoke-PEs access.
vpn-target1 must be in the import VPN target list configured on the Hub-PE.
6. (Optional) Run:
import route-policy policy-name

A routing policy for importing VPN routes is configured.


7. (Optional) Run:
export route-policy policy-name

A routing policy for exporting VPN routes is configured.


8. Run:
commit

The configuration is committed.

----End
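
The VPN-target rules of this section expressed as a plan check, added here as an example and not part of the Huawei guide: it verifies that the Hub-PE import and export lists contain the Spoke-PE lists, and flags any Spoke-PE that would import another Spoke-PE's routes directly instead of through the Hub site. The device names and VPN-target values are constructed.

```python
"""Check a Hub and Spoke VPN-target plan against the containment rules of 2.6.2."""
from collections import namedtuple

# import_rts / export_rts: values given to vpn-target ... import-extcommunity
# and vpn-target ... export-extcommunity on a Spoke-PE.
Spoke = namedtuple("Spoke", "name import_rts export_rts")
# vpn_in_import: import list of VPN-in; vpn_out_export: export list of VPN-out.
Hub = namedtuple("Hub", "name vpn_in_import vpn_out_export")
Finding = namedtuple("Finding", "rule device detail")


def would_import(route_rts, import_rts):
    """A VPN instance accepts a VPNv4 route that carries at least one of its import targets."""
    return bool(set(route_rts) & set(import_rts))


def check_plan(hub, spokes):
    """Return a list of Finding tuples; an empty list means the plan follows the rules."""
    findings = []
    for s in spokes:
        # Rule: the Hub-PE import list must contain every Spoke-PE export target.
        missing = set(s.export_rts) - set(hub.vpn_in_import)
        if missing:
            findings.append(Finding("hub-import-missing", s.name, sorted(missing)))
        # Rule: the Hub-PE export list must contain every Spoke-PE import target.
        missing = set(s.import_rts) - set(hub.vpn_out_export)
        if missing:
            findings.append(Finding("hub-export-missing", s.name, sorted(missing)))
    # Isolation check: a Spoke-PE whose import list matches another Spoke-PE's
    # export list would accept that site's routes without passing the Hub site.
    for a in spokes:
        for b in spokes:
            if a.name != b.name and would_import(b.export_rts, a.import_rts):
                shared = sorted(set(a.import_rts) & set(b.export_rts))
                findings.append(Finding("spoke-to-spoke", a.name + "<-" + b.name, shared))
    return findings


# Constructed plan: Spoke-PEs export 100:1 and import 200:1, the Hub-PE mirrors them.
HUB = Hub("Hub-PE", {"100:1"}, {"200:1"})
GOOD_SPOKES = [
    Spoke("Spoke-PE1", {"200:1"}, {"100:1"}),
    Spoke("Spoke-PE2", {"200:1"}, {"100:1"}),
]
# Constructed faulty plan: Spoke-PE2 also imports 100:1 and exports an extra 300:1.
BAD_SPOKES = [
    Spoke("Spoke-PE1", {"200:1"}, {"100:1"}),
    Spoke("Spoke-PE2", {"200:1", "100:1"}, {"100:1", "300:1"}),
]

if __name__ == "__main__":
    print("good plan:", check_plan(HUB, GOOD_SPOKES))
    for finding in check_plan(HUB, BAD_SPOKES):
        print(finding)
```

The spoke-to-spoke finding is the one that matters for monitoring at the Hub site: a route imported that way is forwarded between Spoke-PEs without crossing the access control device.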

2.6.3 Binding an Interface to a VPN Instance


By binding an interface to a VPN instance, you can change the interface to a VPN interface.
Then, packets entering this interface are forwarded according to the forwarding information of
the VPN instance.

Context
The configuration on the Hub-PE involves two interfaces or sub-interfaces:

• One is bound to VPN-in for receiving the routes advertised by Spoke-PEs.
• One is bound to VPN-out for advertising the routes of all the Hub sites and Spoke sites.

Do as follows on the Hub-PE and all the Spoke-PEs:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The view of the interface to be bound to the VPN instance is displayed.

Step 3 Run:
ip binding vpn-instance vpn-instance-name

The interface is bound to a VPN instance.

NOTE

After the ip binding vpn-instance command is run on an interface, the Layer 3 features such as the IP
address and routing protocol configured on the interface are deleted.

Step 4 Run:
ip address ip-address { mask | mask-length }

An IP address is configured for the interface.

Step 5 Run:
commit

The configuration is committed.

----End

2.6.4 Configuring Route Exchange Between a Hub-PE and a Spoke-PE

By importing extended community attributes to BGP, MP-IBGP can advertise VPNv4 routes
between PEs.

Context
MP-IBGP peer relationships need to be established between the Hub-PE and each Spoke-PE.
Spoke-PEs need not exchange routes directly and therefore they need not establish MP-IBGP
peer relationships.

Do as follows on the Hub-PE and all the Spoke-PEs:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bgp as-number

The BGP view is displayed.

Step 3 Run:
peer peer-address as-number as-number

The remote PE is configured as a BGP peer.

Step 4 Run:
peer peer-address connect-interface loopback interface-number

The interface used to establish a TCP connection is specified.

NOTE
PEs must use the loopback interface addresses with 32-bit masks to establish an MP-IBGP peer relationship
so that routes can be iterated to the tunnel. The route to the loopback interface is advertised to the peer PE
through IGP on the MPLS backbone network.

Step 5 Run:
ipv4-family vpnv4 [unicast]

The BGP VPNv4 sub-address family view is displayed.

Step 6 Run:
peer peer-address enable

The capability of exchanging BGP VPNv4 routing information with the peer is enabled.

Step 7 Run:
commit

The configuration is committed.

----End

2.6.5 Configuring Route Exchange Between a PE and a CE


The routing protocol run between a PE and a CE can be BGP or IGP. A static route (including
the default route) can also be used between them. You can choose any of them as required.

Context
The routing protocol run between a Spoke-PE and a Spoke-CE is related to the routing protocol
run between a Hub-PE and a Hub-CE. EBGP, IGP, and the static route (including the default
route) can run between a Hub-PE and a Hub-CE. You can choose any of them as required.

Procedure
• Configuring EBGP between a Hub-PE and a Hub-CE
For detailed configuration procedures, see 2.4.5 Configuring Route Exchange Between
a PE and a CE.
In this mode, EBGP, IGP, or a static route (including the default route) can be run between
a Spoke-PE and a Spoke-CE.
If EBGP is run both between the Spoke-PE and the Spoke-CE and between the Hub-PE
and the Hub-CE, you need to run the peer ip-address allow-as-loop [ number ] command
in the BGP-VPN instance IPv4 address family view of the Hub-PE to allow route loops. If
number is set to 1, a route in which the AS number is repeated once in the AS-path list
is allowed.
• Configuring IGP between a Hub-PE and a Hub-CE
For detailed configuration procedures, see 2.4.5 Configuring Route Exchange Between
a PE and a CE.
In this mode, only IGP or a static route (including the default route) can be run between a
Spoke-PE and a Spoke-CE. For details, see the chapter "BGP/MPLS IP VPN" in the Feature
Description - VPN.
• Configuring a static route (including the default route) between a Hub-PE and a Hub-CE
For detailed configuration procedures, see 2.4.5 Configuring Route Exchange Between
a PE and a CE.
In this mode, EBGP, IGP, or a static route (including the default route) can be run between
a Spoke-PE and a Spoke-CE.
If a Hub-CE adopts the default route to access the Hub-PE, to enable the Hub-PE to advertise
the default route to all the Spoke-PEs, you need to run the following commands on the
Hub-PE:
– Run the ip route-static vpn-instance vpn-instance-name 0.0.0.0 0.0.0.0 nexthop-address
[ tag tag ] [ description text ] command in the system view.
In this example, vpn-instance-name specifies VPN-out and nexthop-address specifies
the IP address of the Hub-CE interface that is connected with the PE interface bound to
VPN-out.
– Run the network 0.0.0.0 0 command in the BGP-VPN instance IPv4 address family
view to advertise the default route to all the Spoke-PEs through MP-BGP.
vpn-instance-name here is also VPN-out.
----End

2.6.6 Checking the Configuration


After Hub and Spoke is configured, you can view VPN routing information on the PE or CE.

Prerequisite
All configurations of Hub and Spoke are complete.

Procedure
• Run the display ip routing-table vpn-instance vpn-instance-name command to check
routing information about VPN-in and VPN-out on the Hub-PE.
• Run the display ip routing-table command on the Hub-CE and all the Spoke-CEs to check
routing information.
----End

Example
After the configuration, run the display ip routing-table vpn-instance vpn-instance-name
command, and you can find that the routing table of VPN-in has routes to all the Spoke sites and
the routing table of VPN-out has routes to the Hub site and all the Spoke sites.
Additionally, the Hub-CE and all the Spoke-CEs have routes to the Hub site and all the Spoke
sites.

2.7 Configuring a Tunnel Policy for the Backbone Network of a BGP/MPLS IP VPN

A tunnel policy applied to a VPN can specify the type of tunnel selected for the VPN and enable
load balancing among tunnels.

Applicable Environment
By default, the system selects a tunnel in the order of LSPs, CR-LSPs, and Local_IfNet for VPN
services, and does not perform load balancing. To configure load balancing or select tunnels of
other types, configure a tunnel policy and apply it to the VPN.
At present, the NE5000E supports the following modes of tunnel policies:
• Select-sequence: A sequence of tunnel types to be selected or the number of tunnels
participating in load balancing can be specified.
• Tunnel binding: A TE tunnel is bound to a specified destination IP address. This allows the
VPN traffic destined for that destination address to be transmitted over the TE tunnel.
For details on tunnel policy configurations, see VPN Tunnel Management Configuration.

Pre-configuration Tasks
Before configuring a tunnel policy for the backbone network of a BGP/MPLS IP VPN, complete
the following tasks:
• Configuring a basic BGP/MPLS IP VPN
• Setting up a tunnel of the type specified in the tunnel policy

Configuration Procedures

Figure 2-10 Flowchart for configuring a tunnel policy for the backbone network of a BGP/
MPLS IP VPN

[Flowchart steps: configure a tunnel policy; apply a tunnel policy to a VPN. Legend:
mandatory procedure, optional procedure.]

Related Tasks
2.18.9 Example for Configuring Load Balancing Among Tunnels to Which Remote Cross
Routes Are Iterated on a VPN

2.7.1 Configuring a Tunnel Policy


A tunnel policy can determine the sequence in which tunnels are selected or bind a TE tunnel
to a specified destination IP address.

Context
In the tunnel policy view, the select-sequence mode and tunnel binding mode are mutually
exclusive. Choose one of the following configurations as needed:

Procedure
• Configure a tunnel policy in select-sequence mode.
1. Run:
system-view

The system view is displayed.


2. Run:
tunnel-policy policy-name

A tunnel policy is created, and the tunnel policy view is displayed.


3. Run:
tunnel select-seq { lsp | cr-lsp }* load-balance-number load-balance-number

The priority sequence of tunnel types and number of tunnels participating in load
balancing are configured.

A tunnel policy in select-sequence mode defines that tunnels to the same destination
are selected in sequence. If a tunnel listed earlier is Up, it is selected regardless of
whether other services have selected it. The tunnels listed later are not selected except
in case of even load balancing or when the preceding tunnels are Down.
4. Run:
commit

The configuration is committed.


• Configure a tunnel policy in tunnel binding mode.
1. Run:
system-view

The system view is displayed.


2. Run:
tunnel-policy policy-name

A tunnel policy is created, and the tunnel policy view is displayed.


3. Run:
tunnel binding destination dest-ip-address te { tunnel interface-number } &<1-6> [ down-switch ]

A tunnel policy is configured to bind a TE tunnel to the specified destination address.


4. Run:
commit

The configuration is committed.


----End

2.7.2 Applying a Tunnel Policy to a VPN


This section describes how to apply a tunnel policy to a VPN to change the tunnel type or the
sequence in which tunnels are selected for VPN services.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.


Step 3 Run:
ipv4-family

The VPN instance IPv4 address family view is displayed.


Step 4 Run:
tnl-policy policy-name

A tunnel policy is applied to the VPN instance IPv4 address family.


Step 5 Run:
commit

The configuration is committed.

----End

2.7.3 Checking the Configuration


This section describes how to check the name of a tunnel policy applied to a VPN and the
configurations of the tunnel policy.

Prerequisite
The configurations of a tunnel policy for the backbone network of a BGP/MPLS IP VPN are
complete.

Procedure
• Run the display tunnel-policy policy-name command to check the configurations of a
specified tunnel policy.
• Run the display ip vpn-instance verbose [ vpn-instance-name ] command to check the
tunnel policy used by a VPN instance.

----End

Example
Run the display tunnel-policy command. If the configuration of a tunnel policy is displayed, it
means that the configuration succeeds. For example:
<HUAWEI> display tunnel-policy policy1
Tunnel Policy Name Select-Seq Load balance No
------------------------------------------------------
policy1 CR-LSP LSP 2

Run the display ip vpn-instance verbose command, and you can view the tunnel policy used
by a VPN instance. In the following command output, the tunnel policy used by the IPv4 address
family of a VPN instance named vpna is policy1.
<HUAWEI> display ip vpn-instance verbose
Total VPN-Instances configured : 1
VPN-Instance Name and ID : vpn1, 1
Interfaces : GigabitEthernet1/0/0
Address family ipv4
Create date : 2006/09/27 15:25:29
Up time : 0 days, 00 hours, 02 minutes and 11 seconds
Route Distinguisher : 100:1
Export VPN Targets : 2:2
Import VPN Targets : 1:1
Label policy : label per route
Tunnel Policy : policy1

2.8 Configuring Inter-AS VPN Option A


If the number of VPNs that a PE accesses and the number of VPN routes are small, inter-AS
VPN Option A can be adopted.

Applicable Environment
Inter-AS VPN Option A is a typical application of BGP/MPLS IP VPN in an inter-AS scenario.
You need not perform special configurations. In inter-AS VPN Option A, either of the ASBRs
takes the peer ASBR as its CE and advertises IPv4 routes to the peer ASBR through EBGP.

As shown in Figure 2-11, for ASBR1 in AS 100, ASBR2 in AS 200 is a CE. Similarly, for
ASBR2, ASBR1 is a CE.

Figure 2-11 Networking diagram of Inter-AS VPN Option A

[Figure labels: VPN1 (CE1, CE3), VPN2 (CE2, CE4), BGP/MPLS backbone AS 100, BGP/MPLS
backbone AS 200, PE1, PE2, PE3, PE4, ASBR1, ASBR2, CE, MP-IBGP, EBGP, VPN LSP1, LSP1,
IP forwarding.]

Inter-AS VPN Option A is applicable in the scenario where the number of VPNs that a PE
accesses and the number of VPN routes are small. In Inter-AS VPN Option A, ASBRs must
support VPN instances and must be capable of managing VPN routes. In addition, ASBRs must
reserve dedicated interfaces, for example, sub-interfaces, physical interfaces, and bound logical
interfaces, for each inter-AS VPN network. Inter-AS VPN Option A requires high performance
of ASBRs and you need not perform any special configurations on the ASBRs.

Pre-configuration Tasks
Before configuring inter-AS VPN Option A, complete the following tasks:

• Configuring an IGP for the MPLS backbone network of each AS to ensure IP connectivity
of the backbone network within an AS
• Configuring the basic MPLS functions and MPLS LDP on the PE and ASBR
• Establishing a tunnel (LSP or MPLS TE tunnel) between the PE and ASBR in the same
AS
• Configuring an IP address for the interface connecting the CE to the PE

Procedure
Step 1 Take the ASBR as a PE and perform 2.4 Configuring Basic BGP/MPLS IP VPN for each AS.


NOTE

In inter-AS VPN Option A mode, ensure that the VPN targets of the VPN instances on the ASBR match
those of the VPN instances on the PE in the same AS. The VPN targets of the VPN instances on the PEs
in different ASs do not need to match each other.

Step 2 On the ASBR, bind the interface connected with the remote ASBR to a VPN instance. For
detailed configuration procedures, see 2.4.2 Binding an Interface to a VPN Instance.
Step 3 Configure the routing protocol run between ASBRs. For detailed configuration procedures, see
2.4.5 Configuring Route Exchange Between a PE and a CE.

----End

Checking the Configuration


After inter-AS VPN Option A is configured, run the following commands to check previous
configurations.
• Run the display bgp vpnv4 all peer command on the PE or ASBR, and you can view that
the status of the BGP VPNv4 peer relationship between the PE and ASBR in the same AS
is "Established".
• Run the display bgp vpnv4 all routing-table command on the PE or ASBR, and you can
view the VPNv4 routes.
• Run the display ip routing-table vpn-instance command on the PE or ASBR, and you
can view that the VPN routing table of the PE or ASBR has related VPN routes.
Run the display bgp vpnv4 all routing-table command on the ASBR, and you can view the
VPNv4 routes on the ASBR.
<HUAWEI> display bgp vpnv4 all routing-table
BGP Local router ID is 2.2.2.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 2
Route Distinguisher: 100:1
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.1.1.0/24 1.1.1.9 0 100 0 ?
*>i 10.1.1.1/32 1.1.1.9 0 100 0 ?
VPN-Instance vpn1, router ID 2.2.2.9:

Total Number of Routes: 9


Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.1.1.0/24 1.1.1.9 0 100 0 ?
*>i 10.1.1.1/32 1.1.1.9 0 100 0 ?
*> 10.2.1.0/24 192.1.1.2 0 200?
*> 10.2.1.1/32 192.1.1.2 0 200?
*> 192.1.1.0 0.0.0.0 0 0 ?
* 192.1.1.2 0 0 200?
*> 192.1.1.1/32 0.0.0.0 0 0 ?
* 192.1.1.2 0 0 200?
*> 192.1.1.2/32 0.0.0.0 0 0 ?

Related Tasks
2.18.10 Example for Configuring Inter-AS VPN Option A


2.9 Configuring Inter-AS VPN Option B (Basic Networking)


In the scenario where the backbone network spans two ASs, ASBRs need to advertise VPNv4
routes through MP-EBGP.

Applicable Environment
If an ASBR can manage VPN routes but there are not enough interfaces for all inter-AS VPNs,
inter-AS VPN Option B can be used. Inter-AS VPN Option B requires ASBRs to help to maintain
and advertise VPNv4 routes and you need not create VPN instances on the ASBRs. In the basic
networking of inter-AS VPN Option B, an ASBR cannot play other roles, such as the PE or RR,
and an RR is not required in each AS.

On the network shown in Figure 2-12, the interfaces connected between ASBRs do not need to
be bound to the VPN. A single-hop MP-EBGP peer relationship is set up between the ASBRs
to transmit all inter-AS VPN routing information.

Figure 2-12 Schematic diagram for Inter-AS VPN Option B (basic networking)

[Schematic diagram. Labels: VPN1 (CE1, CE3); VPN2 (CE2, CE4); IP/MPLS Backbone AS 100 and
IP/MPLS Backbone AS 200; PE1, PE2, PE3, PE4; ASBR1; ASBR2; MP-IBGP; MP-EBGP.]

Pre-configuration Tasks
Before configuring inter-AS VPN Option B, complete the following tasks:

• Configuring an IGP for the MPLS backbone network of each AS to ensure IP connectivity
of the backbone network within an AS
• Configuring the basic MPLS functions for the MPLS backbone network of each AS and
establishing an LDP LSP or TE tunnel between MP-IBGP peers
• 2.3 Configuring a VPN Instance Enabled with the IPv4 Address Family on the PE
connected to the CE and 2.4.2 Binding an Interface to a VPN Instance
• Configuring an IP address for the interface connecting the CE to the PE


Configuration Procedures

Figure 2-13 Flowchart for configuring inter-AS VPN Option B (basic networking)

[Flowchart, in order: Configuring MP-IBGP Between a PE and an ASBR in the Same AS;
Configuring MP-EBGP Between ASBRs in Different ASs; Controlling the Learning and
Advertising of VPN Routes on ASBR; Configuring Route Exchange Between a CE and a PE.
The legend marks each step as a mandatory procedure or an optional procedure.]

Related Tasks
2.18.11 Example for Configuring Inter-AS VPN Option B with Basic Networking

2.9.1 Configuring MP-IBGP Between a PE and an ASBR in the Same AS

By importing extended community attributes to BGP, MP-IBGP can advertise VPNv4 routes
between the PE and the ASBR.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bgp as-number

The BGP view is displayed.

Step 3 Run:
peer peer-address as-number as-number

The IBGP peer relationship is set up between the PE and ASBR in the same AS.

Step 4 Run:
peer peer-address connect-interface loopback interface-number

The loopback interface is specified as the outbound interface of the BGP session.


Step 5 Run:
ipv4-family vpnv4 [ unicast ]

The BGP VPNv4 sub-address family view is displayed.


Step 6 Run:
peer peer-address enable

The capability of VPNv4 route exchange between the PE and the ASBR is enabled.
Step 7 Run:
commit

The configuration is committed.

----End

2.9.2 Configuring MP-EBGP Between ASBRs in Different ASs


After the MP-EBGP peer relationship is established between ASBRs, an ASBR can advertise
the VPNv4 routes of its AS to the other ASBR.

Context
In inter-AS VPN Option B (basic networking), you need not create VPN instances on ASBRs.
The ASBR does not filter the VPNv4 routes received from the PE in the same AS based on VPN
targets. Instead, it advertises the received routes to the peer ASBR through MP-EBGP.

Procedure
Step 1 Run:
system-view

The system view of the ASBR is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the interface that connects to the peer ASBR is displayed.
Step 3 Run:
ip address ip-address { mask | mask-length }

An IP address is configured for the interface.


Step 4 Run:
mpls

The MPLS capability is enabled.


Step 5 Run:
commit

The configuration is committed.


Step 6 Run:
quit

Return to the system view.


Step 7 Run:
bgp as-number

The BGP view is displayed.


Step 8 Run:
peer peer-address as-number as-number

The peer ASBR is specified as an EBGP peer.


Step 9 Run:
ipv4-family vpnv4 [ unicast ]

The BGP VPNv4 sub-address family view is displayed.


Step 10 Run:
peer peer-address enable

The capability of exchanging VPNv4 routes with the peer ASBR is enabled.
Step 11 Run:
commit

The configuration is committed.

----End

2.9.3 Controlling the Learning and Advertising of VPN Routes on ASBR

An ASBR can either save partial VPNv4 routes by filtering VPN targets through a routing policy
or save all VPNv4 routes.

Context
By default, an ASBR filters the VPN targets of only the received VPNv4 routes. The routes are
imported into the routing table if they pass the filtration; otherwise, they are discarded. Therefore,
if no VPN instance is configured on the ASBR or no VPN target is configured for the VPN
instance, the ASBR discards all the received VPNv4 routes.
You can configure an ASBR to control the importing and exporting of VPN routes through
multiple methods. The two methods are described as follows:
• Not to filter VPN targets, that is, the ASBR stores all the VPNv4 routes
• To filter VPN targets, that is, the ASBR stores partial VPNv4 routes through routing policies
Configure either of the following methods on each ASBR based on the actual situation:

Procedure
• Not to filter VPN targets
1. Run:
system-view

The system view of the ASBR is displayed.


2. Run:
bgp as-number


The BGP view is displayed.


3. Run:
ipv4-family vpnv4 [ unicast ]

The BGP VPNv4 sub-address family view is displayed.


4. Run:
undo policy vpn-target

Filtering VPN targets of VPNv4 routes is disabled.

In inter-AS VPN Option B mode, the ASBR does not need to store VPN instance
information but must store all the VPNv4 routing information and
advertise the routing information to the peer ASBR. In this case, the ASBR needs to
import all the received VPNv4 routing information without filtering it based on
VPN targets.
5. Run:
commit

The configuration is committed.


• Filtering VPN targets
1. Run:
system-view

The system view of the ASBR is displayed.


2. Run:
ip extcommunity-filter extcom-filter-number { deny | permit } rt vpn-target &<1-16>

The extended community filter is configured.


3. Run:
route-policy route-policy-name permit node node

A routing policy is configured.


4. Run:
if-match extcommunity-filter extcomm-filter-number &<1-16>

A matching rule based on the extended community filter is configured.


5. Run:
commit

The configuration is committed.


6. Run:
quit

Return to the system view.


7. Run:
bgp as-number

The BGP view is displayed.


8. Run:
ipv4-family vpnv4 [ unicast ]

The BGP VPNv4 sub-address family view is displayed.


9. Run:
peer peer-address route-policy policy-name { export | import }

The routing policy is applied to control the importing and exporting of VPNv4
routes.
10. Run:
commit

The configuration is committed.


----End
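
An added example, not part of the Huawei guide: a Python audit that reads an ASBR configuration built from the command forms in 2.9.2 and 2.9.3 and reports, for each MP-EBGP VPNv4 peer, whether routes received from the neighbouring AS are limited by VPN target. The sample configuration, its addresses and policy names, the indentation layout, and the rule that a permit node without an if-match clause matches every route are assumptions.

```python
import re

# Constructed sample: an ASBR configuration assembled from the command forms in 2.9.2 and 2.9.3.
# AS numbers, addresses, names and layout are assumptions, not output from a real device.
SAMPLE_ASBR_CONFIG = """\
ip extcommunity-filter 1 permit rt 1:1
#
route-policy rt-in permit node 10
 if-match extcommunity-filter 1
#
route-policy open-in permit node 10
#
bgp 100
 peer 1.1.1.9 as-number 100
 peer 192.1.1.2 as-number 200
 peer 192.2.1.2 as-number 300
 peer 192.3.1.2 as-number 400
 #
 ipv4-family vpnv4
  undo policy vpn-target
  peer 1.1.1.9 enable
  peer 192.1.1.2 enable
  peer 192.1.1.2 route-policy rt-in import
  peer 192.2.1.2 enable
  peer 192.3.1.2 enable
  peer 192.3.1.2 route-policy open-in import
"""

def parse_config(text):
    """Collect the BGP, route-policy and extcommunity-filter facts the audit needs."""
    cfg = {"local_as": None, "peer_as": {}, "vpnv4_peers": [], "import_policy": {},
           "rt_check_disabled": False, "filters": {}, "policies": {}}
    section, node = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            if raw.startswith("#"):
                section = None  # an unindented "#" closes the current stanza
            continue
        if not raw[0].isspace():  # unindented line starts a new top-level stanza
            section = None
            if (m := re.match(r"bgp (\d+)$", line)):
                cfg["local_as"], section = m.group(1), "bgp"
            elif (m := re.match(r"route-policy (\S+) (permit|deny) node \d+$", line)):
                node = {"action": m.group(2), "filters": []}
                cfg["policies"].setdefault(m.group(1), []).append(node)
                section = "route-policy"
            elif (m := re.match(r"ip extcommunity-filter (\d+) (permit|deny) rt (.+)$", line)):
                cfg["filters"].setdefault(m.group(1), []).append((m.group(2), m.group(3).split()))
        elif section == "route-policy":
            if (m := re.match(r"if-match extcommunity-filter (.+)$", line)):
                node["filters"].extend(m.group(1).split())
        elif section in ("bgp", "vpnv4", "other-family"):
            if re.match(r"ipv[46]-family\b", line):
                section = "vpnv4" if line.startswith("ipv4-family vpnv4") else "other-family"
            elif (m := re.match(r"peer (\S+) as-number (\d+)$", line)):
                cfg["peer_as"][m.group(1)] = m.group(2)
            elif section == "vpnv4" and line == "undo policy vpn-target":
                cfg["rt_check_disabled"] = True
            elif section == "vpnv4" and (m := re.match(r"peer (\S+) enable$", line)):
                cfg["vpnv4_peers"].append(m.group(1))
            elif section == "vpnv4" and (m := re.match(r"peer (\S+) route-policy (\S+) import$", line)):
                cfg["import_policy"][m.group(1)] = m.group(2)
    return cfg

def classify_policy(cfg, name):
    """Say whether an import route-policy actually restricts routes by VPN target."""
    nodes = cfg["policies"].get(name)
    if not nodes:
        return "policy-undefined"
    for node in (n for n in nodes if n["action"] == "permit"):
        if not node["filters"]:
            # Assumption: a permit node with no if-match clause matches every route.
            return "policy-permits-any-rt"
        if any(number not in cfg["filters"] for number in node["filters"]):
            return "filter-undefined"
    return "rt-filtered"

def audit_asbr(text):
    """Map each EBGP VPNv4 peer to how routes received from it are limited."""
    cfg = parse_config(text)
    report = {}
    for peer in cfg["vpnv4_peers"]:
        if cfg["peer_as"].get(peer) == cfg["local_as"]:
            continue  # IBGP peer inside the local AS, not the inter-AS boundary
        policy = cfg["import_policy"].get(peer)
        if policy:
            report[peer] = classify_policy(cfg, policy)
        elif cfg["rt_check_disabled"]:
            report[peer] = "unfiltered"  # every VPNv4 route from this AS is stored
        else:
            report[peer] = "default-vpn-target-check"
    return report

if __name__ == "__main__":
    for peer, status in audit_asbr(SAMPLE_ASBR_CONFIG).items():
        print(f"{peer:<12} {status}")
```

Peers reported as unfiltered or policy-permits-any-rt are the ones where the ASBR stores every VPNv4 route the other AS sends, so they are the first candidates for the "Filtering VPN targets" procedure above.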

2.9.4 Configuring Route Exchange Between a CE and a PE


BGP, static routes (including the default route), or an IGP can run between a CE and a PE. You
can choose any of them as required.

Procedure
Step 1 You can configure a routing protocol between a CE and a PE based on the actual situation. For
detailed configuration procedures, see 2.4.5 Configuring Route Exchange Between a PE and
a CE.

----End

2.9.5 Checking the Configuration


After configuring inter-AS VPN Option B (basic networking), you can view the status of all
BGP peer relationships and VPNv4 routing information on PEs or ASBRs.

Prerequisite
All the configurations about inter-AS VPN Option B are complete.

Procedure
• Run the display bgp vpnv4 all peer command on the PE or ASBR to check the status of
all BGP peer relationships.
• Run the display bgp vpnv4 all routing-table command on the PE or ASBR to check
information about VPNv4 routes.
• Run the display ip routing-table vpn-instance vpn-instance-name command on the PE
to check information about the VPN routing table.
----End

Example
Run the display bgp vpnv4 all peer command on the PE or ASBR, and you can view that the
status of the BGP VPNv4 peer relationship between the PE and ASBR in the same AS is
"Established". In addition, the status of the EBGP peer relationship between the directly
connected ASBRs in different ASs is also "Established".
Run the display bgp vpnv4 all routing-table command on the ASBR, and you can view the
VPNv4 routes on the ASBR.
<HUAWEI> display bgp vpnv4 all routing-table

BGP Local router ID is 2.2.2.9


Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 3
Route Distinguisher: 100:1
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 10.1.1.0/24 1.1.1.9 0 100 0 ?
*>i 10.1.1.1/32 1.1.1.9 0 100 0 ?
Route Distinguisher: 200:1
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.2.1.0/24 192.1.1.2 0 200?

Run the display ip routing-table vpn-instance command on the PE, and you can view that the
VPN routing table contains related VPN routes.
<HUAWEI> display ip routing-table vpn-instance vpna
Route Flags: R - relied, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 3 Routes : 3
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.2 GigabitEthernet1/0/0
10.1.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.3.1.0/24 BGP 255 0 RD 3.3.3.9 Pos3/0/0

2.10 Configuring Inter-AS VPN Option B (ASBR Also Functioning as a PE)

In the scenario where the backbone network spans two ASs, ASBRs need to advertise VPNv4
routes through MP-EBGP and ASBRs also need to function as PEs.

Applicable Environment
If an ASBR can manage VPN routes but there are not enough interfaces for all inter-AS VPNs,
and the ASBR also functions as a PE for CE access, you can configure inter-AS VPN Option B
(ASBR also functioning as a PE). This mode requires ASBRs to help to maintain and advertise
not only the VPNv4 routes of its own VPN instances but also the VPNv4 routes of other VPN
instances.

Pre-configuration Tasks
Before configuring inter-AS VPN Option B (ASBR also functioning as a PE), complete the
following tasks:
• Configuring an IGP for the MPLS backbone network of each AS to ensure IP connectivity
of the backbone network within an AS
• Configuring basic MPLS capabilities for the MPLS backbone network of each AS and
establishing an LDP LSP or TE tunnel between MP-IBGP peers
• 2.3 Configuring a VPN Instance Enabled with the IPv4 Address Family on the PE
connected to the CE and 2.4.2 Binding an Interface to a VPN Instance
• Configuring an IP address for the interface connecting the CE to the PE


Configuration Procedures

Figure 2-14 Flowchart for configuring inter-AS VPN Option B (ASBR functioning as a PE)

[Flowchart, in order: Configure MP-IBGP between a PE and an ASBR in the same AS;
Configure MP-EBGP between ASBRs in different ASs; Controlling the Learning and
Advertising of VPN Routes on ASBR; Configure a VPN instance on an ASBR; Configure route
exchange between a CE and an ASBR; Configure route exchange between a CE and a PE.
The legend marks each step as a mandatory procedure or an optional procedure.]

Related Tasks
2.18.15 Example for Configuring Inter-AS VPN Option B with ASBRs Functioning as PEs

2.10.1 Configuring MP-IBGP Between a PE and an ASBR in the Same AS

By importing extended community attributes to BGP, MP-IBGP can advertise VPNv4 routes
between the PE and the ASBR.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bgp as-number

The BGP view is displayed.

Step 3 Run:
peer peer-address as-number as-number


The IBGP peer relationship is set up between the PE and ASBR in the same AS.
Step 4 Run:
peer peer-address connect-interface loopback interface-number

The loopback interface is specified as the outbound interface of the BGP session.
Step 5 Run:
ipv4-family vpnv4 [ unicast ]

The BGP VPNv4 sub-address family view is displayed.


Step 6 Run:
peer peer-address enable

The capability of VPNv4 route exchange between the PE and the ASBR is enabled.
Step 7 Run:
commit

The configuration is committed.

----End

2.10.2 Configuring MP-EBGP Between ASBRs in Different ASs


After the MP-EBGP peer relationship is established between ASBRs, ASBRs can exchange
VPNv4 routes.

Context
In inter-AS VPN Option B (basic networking), you need not create VPN instances on ASBRs.
The ASBR does not filter the VPNv4 routes received from the PE in the same AS based on VPN
targets. Instead, it advertises the received routes to the peer ASBR through MP-EBGP.

Procedure
Step 1 Run:
system-view

The system view of the ASBR is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the interface that connects to the peer ASBR is displayed.
Step 3 Run:
ip address ip-address { mask | mask-length }

An IP address is configured for the interface.


Step 4 Run:
mpls

The MPLS capability is enabled.


Step 5 Run:
commit


The configuration is committed.


Step 6 Run:
quit

Return to the system view.


Step 7 Run:
bgp as-number

The BGP view is displayed.


Step 8 Run:
peer peer-address as-number as-number

The peer ASBR is specified as an EBGP peer.


Step 9 Run:
ipv4-family vpnv4 [ unicast ]

The BGP VPNv4 sub-address family view is displayed.


Step 10 Run:
peer peer-address enable

The capability of exchanging VPNv4 routes with the peer ASBR is enabled.
Step 11 Run:
commit

The configuration is committed.

----End

2.10.3 Controlling the Learning and Advertising of VPN Routes on ASBR

An ASBR can either save partial VPNv4 routes by filtering VPN targets through a routing policy
or save all VPNv4 routes.

Context
For configuration details, see 2.9.3 Controlling the Learning and Advertising of VPN Routes
on ASBR.

2.10.4 Configuring a VPN Instance on an ASBR


If an ASBR also functions as a PE, you need to configure a VPN instance enabled with the IPv4
address family on the ASBR to manage VPN routes.

Procedure
Step 1 Run:
system-view

The system view of the ASBR is displayed.


Step 2 Run:

ip vpn-instance vpn-instance-name

A VPN instance is created and the VPN instance view is displayed.


Step 3 Run:
ipv4-family

The IPv4 address family is enabled for the VPN instance and the VPN instance IPv4 address
family view is displayed.
Step 4 Run:
route-distinguisher route-distinguisher

An RD is configured for the VPN instance IPv4 address family.


Step 5 Run:
vpn-target vpn-target &<1-8> import-extcommunity

A VPN target is configured for the VPN instance IPv4 address family.
Step 6 (Optional) Run:
prefix limit number { alert-percent | simply-alert }

The maximum number of prefixes of the VPN instance IPv4 address family is set.
Step 7 (Optional) Run:
import route-policy policy-name

A routing policy for importing VPN routes is configured.


Step 8 (Optional) Run:
export route-policy policy-name

A routing policy for exporting VPN routes is configured.


Step 9 Run:
commit

The configuration is committed.

----End

2.10.5 Configuring Route Exchange Between a CE and an ASBR


The configuration of route exchange between a CE and an ASBR is similar to that of route
exchange between a CE and a PE in basic BGP/MPLS IP VPN.

Procedure
Step 1 Configure a routing protocol between a CE and an ASBR based on the actual situation. For
detailed configuration procedures, see 2.4.5 Configuring Route Exchange Between a PE and
a CE.

----End

2.10.6 Configuring Route Exchange Between a CE and a PE


The routing protocol run between a CE and a PE can be BGP, static route (including the default
route), or IGP. You can choose any of them as required.


Procedure
Step 1 Configure a routing protocol between a CE and a PE based on the actual situation. For detailed
configuration procedures, see 2.4.5 Configuring Route Exchange Between a PE and a CE.

----End

2.10.7 Checking the Configuration


After configuring inter-AS VPN Option B (ASBR also functioning as a PE), you can view the
status of all BGP peer relationships and VPNv4 routing information on PEs or ASBRs.

Prerequisite
All the configurations about inter-AS VPN Option B (ASBR also functioning as a PE) are
complete.

Procedure
• Run the display bgp vpnv4 all peer command on the PE or ASBR to check the status of
all BGP peer relationships.
• Run the display bgp vpnv4 all routing-table command on the PE or ASBR to check
information about VPNv4 routes.
• Run the display ip routing-table vpn-instance vpn-instance-name command on the PE
or the ASBR to check information about the VPN routing table.
• Run the display mpls lsp command to view the LSP and label information on the ASBR.

----End

Example
Run the display bgp vpnv4 all routing-table command on the ASBR, and you can view the
VPNv4 routes on the ASBR.

Run the display bgp vpnv4 all peer command on the PE or ASBR, and you can view that the
status of the BGP VPNv4 peer relationship between the PE and ASBR in the same AS is
"Established". In addition, the status of the EBGP peer relationship between the directly
connected ASBRs in different ASs is also "Established".

Run the display ip routing-table vpn-instance command on the PE or ASBR, and you can view
that the VPN routing table has related VPN routes.

Run the display mpls lsp command, and you can view the LSP and label information on the
ASBR.

2.11 Configuring Inter-AS VPN Option B (ASBR Also Functioning as an RR)

In the scenario where the backbone network spans two ASs, ASBRs need to advertise VPNv4
routes through MP-EBGP. When multiple PEs exist in the ASs, you can configure an ASBR as
an RR to reduce configuration complexity.


Applicable Environment
In inter-AS VPN Option B, if multiple PEs exist in an AS, you can configure an ASBR as an
RR to reduce the number of MP-IBGP connections needed between PEs. Configuring an ASBR
as an RR will burden the ASBR. Therefore, it is required that a high-performance device be used
as the ASBR. As shown in Figure 2-15, ASBR1 is configured as an RR so that PE1 and PE2
need not set up an MP-IBGP peer relationship.

Figure 2-15 Networking diagram of inter-AS VPN Option B (ASBR also functioning as an RR)
[Networking diagram. Labels: AS100; AS200; CE1, CE2, CE3; PE1, PE2, PE3; ASBR1 (RR); ASBR2.]

Pre-configuration Tasks
Before configuring inter-AS VPN Option B (ASBR also functioning as an RR), complete the
following tasks:
• Configuring an IGP for the MPLS backbone network of each AS to ensure IP connectivity
of the backbone network within an AS
• Configuring the basic MPLS functions for the MPLS backbone network of each AS and
establishing an LDP LSP or TE tunnel between MP-IBGP peers
• 2.3 Configuring a VPN Instance Enabled with the IPv4 Address Family on the PE
connected to the CE and 2.4.2 Binding an Interface to a VPN Instance
• Configuring an IP address for the interface connecting the CE to the PE


Configuration Procedures

Figure 2-16 Flowchart for configuring inter-AS VPN Option B (ASBR also functioning as an
RR)

[Flowchart, in order: Configure MP-IBGP between a PE and an ASBR in the same AS;
Configure MP-EBGP between ASBRs in different ASs; Controlling the Learning and
Advertising of VPN Routes on ASBR; Configure BGP IPv4 VPN route reflection on an ASBR.
The legend marks each step as a mandatory procedure or an optional procedure.]

Related Tasks
2.18.16 Example for Configuring Inter-AS VPN Option B with an ASBR Functioning as an RR

2.11.1 Configuring MP-IBGP Between a PE and an ASBR in the Same AS

By importing extended community attributes to BGP, MP-IBGP can advertise VPNv4 routes
between the PE and the ASBR.

Procedure
• Configuring the ASBR (RR) to establish an MP-IBGP peer relationship with each of its
client PEs
Perform Steps 1 to 6 repeatedly on the ASBR and the PEs to establish MP-IBGP peer
relationships with all client PEs.
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
peer peer-ipv4-address as-number as-number

The client PE is specified as a BGP peer.


4. Run:
peer peer-ipv4-address connect-interface interface-type interface-number

The interface used to establish a TCP connection is specified. The IP address of the
interface must be the same as the MPLS LSR ID. It is recommended to specify a
loopback interface to establish the TCP connection.
5. Run:
ipv4-family vpnv4

The BGP-VPNv4 address family view is displayed.


6. Run:
peer peer-ipv4-address enable

The capability of exchanging VPNv4 routes between the ASBR and the client PE is
enabled.
7. Run:
commit

The configuration is committed.


----End

2.11.2 Configuring MP-EBGP Between ASBRs in Different ASs


After the MP-EBGP peer relationship is established between ASBRs, an ASBR can advertise
the VPNv4 routes of its AS to the other ASBR.

Procedure
Step 1 Run:
system-view

The system view of the ASBR is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the interface that connects to the peer ASBR is displayed.
Step 3 Run:
ip address ip-address { mask | mask-length }

An IP address is configured for the interface.


Step 4 Run:
mpls

The MPLS capability is enabled.


Step 5 Run:
commit

The configuration is committed.


Step 6 Run:
quit

Return to the system view.


Step 7 Run:
bgp as-number

The BGP view is displayed.


Step 8 Run:
peer peer-address as-number as-number

The peer ASBR is specified as an EBGP peer.


Step 9 Run:
ipv4-family vpnv4 [ unicast ]

The BGP VPNv4 sub-address family view is displayed.


Step 10 Run:
peer peer-address enable

The capability of exchanging VPNv4 routes with the peer ASBR is enabled.
Step 11 Run:
commit

The configuration is committed.

----End

2.11.3 Controlling the Learning and Advertising of VPN Routes on ASBR

An ASBR can either save partial VPNv4 routes by filtering VPN targets through a routing policy
or save all VPNv4 routes.

Context
For configuration details, see 2.9.3 Controlling the Learning and Advertising of VPN Routes
on ASBR.

2.11.4 Configuring BGP IPv4 VPN Route Reflection on an ASBR


Route reflection on an ASBR is used to reflect the VPNv4 routes advertised by the PE in the
same AS to other PEs. In this way, PEs need not set up BGP peer relationships, which simplifies
configurations.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family vpnv4


The BGP VPNv4 sub-address family view is displayed.


Step 4 Run:
peer peer-ipv4-address reflect-client

The ASBR is configured as an RR or the PE is configured as a client. If you need to configure
multiple PEs as clients, repeatedly run this command.
Step 5 (Optional) Run:
undo reflect between-clients

Route reflection between clients is disabled. You need to run this command if the clients are
fully connected.
Step 6 Run:
undo policy vpn-target

The filtering of VPNv4 routes based on the VPN target is disabled.


Step 7 (Optional) Run:
rr-filter extended-list-number

The reflection policy is configured for the RR.


Step 8 Run:
commit

The configuration is committed.

----End

2.11.5 Checking the Configuration


After configuring inter-AS VPN Option B (ASBR also functioning as an RR), you can view the
status of all BGP peer relationships and VPNv4 routing information on PEs or ASBRs.

Prerequisite
All the configurations about inter-AS VPN Option B (ASBR also functioning as an RR) are
complete.

Procedure
• Run the display bgp vpnv4 all peer command on the PE or ASBR to check the status of
all BGP peer relationships.
• Run the display bgp vpnv4 all routing-table command on the PE or ASBR to check
information about VPNv4 routes.
• Run the display ip routing-table vpn-instance vpn-instance-name command on the PE
to check information about the VPN routing table.
• Run the display mpls lsp command to view the LSP and label information on the ASBR.
----End

Example
Run the display bgp vpnv4 all routing-table command on the ASBR, and you can view the
VPNv4 routes on the ASBR.


Run the display bgp vpnv4 all peer command on the PE or ASBR, and you can view that the
status of the BGP VPNv4 peer relationship between the PE and ASBR in the same AS is
"Established". In addition, the status of the EBGP peer relationship between the directly
connected ASBRs in different ASs is also "Established".

Run the display ip routing-table vpn-instance command on the PE, and you can view the
VPN routes in the VPN routing table.

Run the display mpls lsp command, and you can view the LSP and label information on the
ASBR.

2.12 Configuring Inter-AS VPN Option B (Spanning More Than Two ASs)

In the scenario where the backbone network spans more than two ASs, ASBRs need to advertise
VPNv4 routes through MP-EBGP.

Applicable Environment
If the L3VPN needs to span more than two ASs, you can configure inter-AS VPN Option B
(spanning more than two ASs). As shown in Figure 2-17, the L3VPN needs to span three ASs
to transmit VPN routes.

Figure 2-17 Networking diagram of inter-AS VPN Option B (spanning more than two ASs)
[Diagram not reproduced. Labels in the figure: AS100, AS200, AS300; PE1, PE2; ASBR1, ASBR2, ASBR3, ASBR4; CE1, CE2.]

Pre-configuration Tasks
Before configuring inter-AS VPN Option B (spanning more than two ASs), complete the
following tasks:

l Configuring an IGP for the MPLS backbone network of each AS to ensure IP connectivity
of the backbone network within an AS
l Configuring the basic MPLS functions for the MPLS backbone network of each AS and
establishing an LDP LSP or TE tunnel between MP-IBGP peers

l 2.3 Configuring a VPN Instance Enabled with the IPv4 Address Family on the PE
connected to the CE and 2.4.2 Binding an Interface to a VPN Instance
l Configuring an IP address for the interface connecting the CE to the PE

Configuration Procedures

Figure 2-18 Flowchart for configuring inter-AS VPN Option B (spanning more than two ASs)
[Flowchart not reproduced. Steps shown: Configure MP-IBGP between a PE and an ASBR in the same AS; Configure MP-EBGP between ASBRs in different ASs; Configure MP-IBGP between ASBRs in the same AS; Controlling the Learning and Advertising of VPN Routes on ASBR. The legend marks each step as a mandatory procedure or an optional procedure.]

Related Tasks
2.18.17 Example for Configuring Inter-AS VPN Option B with the VPN Spanning Multiple ASs

2.12.1 Configuring MP-IBGP Between a PE and an ASBR in the Same AS

By importing extended community attributes to BGP, MP-IBGP can advertise VPNv4 routes
between the PE and the ASBR.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
peer peer-address as-number as-number

The IBGP peer relationship is established between the PE and ASBR in the same AS.

Step 4 Run:
peer peer-address connect-interface loopback interface-number

The loopback interface is specified as the outbound interface of the BGP session.
Step 5 Run:
ipv4-family vpnv4 [ unicast ]

The BGP VPNv4 sub-address family view is displayed.


Step 6 Run:
peer peer-address enable

The capability of VPNv4 route exchange between the PE and the ASBR is enabled.
Step 7 Run:
commit

The configuration is committed.

----End

2.12.2 Configuring MP-EBGP Between ASBRs in Different ASs


After the MP-EBGP peer relationship is established between ASBRs, an ASBR can advertise
the VPNv4 routes of its AS to the other ASBR.

Procedure
Step 1 Run:
system-view

The system view of the ASBR is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the interface that connects to the peer ASBR is displayed.
Step 3 Run:
ip address ip-address { mask | mask-length }

An IP address is configured for the interface.


Step 4 Run:
mpls

The MPLS capability is enabled.


Step 5 Run:
commit

The configuration is committed.


Step 6 Run:
quit

Return to the system view.


Step 7 Run:
bgp as-number

The BGP view is displayed.


Step 8 Run:
peer peer-address as-number as-number

The peer ASBR is specified as an EBGP peer.


Step 9 Run:
ipv4-family vpnv4 [ unicast ]

The BGP VPNv4 sub-address family view is displayed.


Step 10 Run:
peer peer-address enable

The capability of exchanging VPNv4 routes with the peer ASBR is enabled.
Step 11 Run:
commit

The configuration is committed.

----End

2.12.3 Configuring MP-IBGP Between ASBRs in the Same AS


After the MP-IBGP peer relationship is established between the ASBRs in the same AS, ASBRs
can exchange VPNv4 routes.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
peer peer-address as-number as-number

The IBGP peer relationship is set up between the ASBRs in the same AS.
Step 4 Run:
peer peer-address connect-interface loopback interface-number

The loopback interface is specified as the outbound interface of the BGP session.
Step 5 Run:
ipv4-family vpnv4 [ unicast ]

The BGP VPNv4 sub-address family view is displayed.


Step 6 Run:
peer peer-address enable

The capability of VPNv4 route exchange between the ASBRs in the same AS is enabled.

Step 7 Run:
commit

The configuration is committed.

----End
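
The three procedures in 2.12.1 to 2.12.3 can be checked offline before the commands reach a device. The following script is an added example, not part of the Huawei guide: it reads the commands as typed and reports peers that were declared but never enabled in the VPNv4 address family, IBGP peers without a loopback source interface, and changes left uncommitted. The addresses, AS numbers and finding names are constructed for the example, and it assumes every peer in the snippet is meant to exchange VPNv4 routes.

```python
import re

# CONSTRUCTED input: commands typed on an ASBR in AS 200, following the steps
# of 2.12.1-2.12.3. All addresses and AS numbers are made up for this example.
ASBR_COMMANDS = """\
system-view
bgp 200
peer 10.0.12.1 as-number 100
peer 4.4.4.4 as-number 200
peer 4.4.4.4 connect-interface loopback 1
peer 5.5.5.5 as-number 200
ipv4-family vpnv4
peer 10.0.12.1 enable
peer 5.5.5.5 enable
peer 6.6.6.6 enable
commit
"""


def parse_bgp(commands):
    """Collect what the typed commands say about each BGP peer."""
    cfg = {"local_as": None, "peer_as": {}, "loopback": set(),
           "vpnv4": set(), "dirty": False}
    in_vpnv4 = False
    for raw in commands.splitlines():
        line = raw.strip()
        if line == "commit":
            cfg["dirty"] = False
            continue
        if line == "quit":
            in_vpnv4 = False
            continue
        if m := re.fullmatch(r"bgp (\S+)", line):
            cfg["local_as"], in_vpnv4 = m.group(1), False
        elif re.fullmatch(r"ipv4-family vpnv4( unicast)?", line):
            in_vpnv4 = True
        elif m := re.fullmatch(r"peer (\S+) as-number (\S+)", line):
            cfg["peer_as"][m.group(1)] = m.group(2)
        elif m := re.fullmatch(r"peer (\S+) connect-interface loopback ?\d+",
                               line, re.I):
            cfg["loopback"].add(m.group(1))
        elif in_vpnv4 and (m := re.fullmatch(r"peer (\S+) enable", line)):
            cfg["vpnv4"].add(m.group(1))
        else:
            continue          # not a command this check looks at
        cfg["dirty"] = True   # a relevant command that is not yet committed
    return cfg


def session_type(cfg, peer):
    """IBGP when the peer's AS equals the local AS, otherwise EBGP."""
    return "IBGP" if cfg["peer_as"][peer] == cfg["local_as"] else "EBGP"


def lint_vpnv4_peers(commands):
    """Return sorted (peer, finding) pairs; finding names are this example's own."""
    cfg = parse_bgp(commands)
    findings = []
    for peer in cfg["peer_as"]:
        if peer not in cfg["vpnv4"]:
            # 'peer ... enable' in the VPNv4 view is missing: no VPNv4 exchange.
            findings.append((peer, "not-enabled-in-vpnv4"))
        if session_type(cfg, peer) == "IBGP" and peer not in cfg["loopback"]:
            # 2.12.1 and 2.12.3 source IBGP sessions from a loopback interface.
            findings.append((peer, "ibgp-without-loopback-source"))
    for peer in cfg["vpnv4"] - set(cfg["peer_as"]):
        findings.append((peer, "enabled-but-no-as-number"))
    if cfg["dirty"]:
        findings.append(("*", "changes-not-committed"))
    return sorted(findings)


if __name__ == "__main__":
    for peer, finding in lint_vpnv4_peers(ASBR_COMMANDS):
        print(f"{peer}: {finding}")
```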

2.12.4 Controlling the Learning and Advertising of VPN Routes on ASBR

An ASBR can either save partial VPNv4 routes by filtering VPN targets through a routing policy
or save all VPNv4 routes.

Context
For configuration details, see 2.9.3 Controlling the Learning and Advertising of VPN Routes
on ASBR.

2.12.5 Checking the Configuration


After configuring inter-AS VPN Option B (spanning more than two ASs), you can view the
status of all BGP peer relationships and VPNv4 routing information on PEs or ASBRs.

Prerequisite
All the configurations of inter-AS VPN Option B are complete.

Procedure
l Run the display bgp vpnv4 all peer command on the PE or ASBR to check the status of
all BGP peer relationships.
l Run the display bgp vpnv4 all routing-table command on the PE or ASBR to check
information about VPNv4 routes.
l Run the display ip routing-table vpn-instance vpn-instance-name command on the PE
to check information about the VPN routing table.
l Run the display mpls lsp command to view the LSP and label information on the ASBR.

----End

Example
Run the display bgp vpnv4 all routing-table command on the ASBR, and you can view the
VPNv4 routes on the ASBR.

Run the display bgp vpnv4 all peer command on the PE or ASBR, and you can view that the
status of the BGP VPNv4 peer relationship between the PE and ASBR in the same AS is
"Established". In addition, the status of the EBGP peer relationship between the directly
connected ASBRs in different ASs is also "Established".

Run the display ip routing-table vpn-instance command on the PE, and you can view the VPN
routes in the VPN routing table.

Run the display mpls lsp command, and you can view the LSP and label information on the
ASBR.

2.13 Configuring the Multi-VPN-Instance CE


By using OSPF multi-instance on CEs, you can implement service isolation on the LAN.

Applicable Environment
In a LAN, if you want to use the CE rather than the VLAN function on the switch to isolate VPN
services, you can configure the multi-VPN-instance CE.

As shown in Figure 2-19, the R&D department and sales department of company X in city A
are in the same LAN and access the VPN backbone network through the same CE. To enable
the R&D department and sales department in city A to communicate with each other, and enable
the R&D department in city A and the R&D department in city C to communicate with each
other but completely isolate the R&D departments from sales departments, you can configure
OSPF multi-instance on both the CE in city A and the PE connecting the CE to the backbone
network. Similar to the OSPF multi-instance on a PE, each OSPF instance on a CE serves as a
virtual CE for each type of service. Multi-VPN-instance implements service isolation with a low
cost and ensures the security of each type of service.

Figure 2-19 Schematic diagram of multi-VPN-instance CE
[Diagram not reproduced. Labels in the figure: X company's LAN in city A (R&D department, Sales department); X company's R&D department in city C; X company's sales department in city B; CE; PE; OSPF1 VPN1; OSPF2 VPN2; VPN backbone network.]

Pre-configuration Tasks
Before configuring the multi-VPN-instance CE, complete the following tasks:

l 2.3 Configuring a VPN Instance Enabled with the IPv4 Address Family on the multi-
instance CE and the PE that the CE accesses (a VPN instance for each service)

l Configuring the link layer protocol and network layer protocol for LAN interfaces and
connecting the LAN with the multi-instance CE (each service using an interface to access
the multi-instance CE)
l Binding related VPN instances to the interfaces of the multi-instance CE and PE interfaces
through which the PE accesses the multi-instance and configuring IP addresses for those
interfaces

Configuration Procedures

Figure 2-20 Flowchart for configuring multi-VPN-instance CE
[Flowchart not reproduced. Steps shown: Configure OSPF Multi-Instance on the PE; Configure the OSPF Multi-Instance on the Multi-Instance CE; Disable route loop detection on the Multi-VPN-Instance CE. The legend marks each step as a mandatory procedure or an optional procedure.]

Related Tasks
2.18.18 Example for Configuring a Multi-VPN-Instance CE

2.13.1 Configuring OSPF Multi-Instance on the PE


Different services use different OSPF process IDs.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ospf process-id [ router-id router-id ] vpn-instance vpn-instance-name

OSPF multi-instance is configured.

Different services use different OSPF process IDs. The router-id values can be either the same or different.

Step 3 Run:
area area-id

The OSPF area view is displayed.

Step 4 Run:
network ip-address wildcard-mask

The IP address of the interface connected to the multi-instance CE is advertised.


Step 5 Run:
commit

The configuration is committed.


Step 6 Run:
quit

Return to the OSPF view.


Step 7 Run:
import-route bgp

A BGP route is imported.


Step 8 Run:
commit

The configuration is committed.


Step 9 Run:
quit

Return to the system view.


Step 10 Run:
bgp as-number

The BGP view is displayed.


Step 11 Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv4 address family view is displayed.


Step 12 Run:
import-route ospf process-id

The OSPF multi-instance route is imported.


Step 13 Run:
commit

The configuration is committed.

----End

2.13.2 Configuring the OSPF Multi-Instance on the Multi-Instance CE

The process ID of the OSPF multi-instance configured on the multi-instance CE must be the
same as that configured on the PE.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ospf process-id [ router-id router-id ] vpn-instance vpn-instance-name

OSPF multi-instance is configured.

NOTE

The OSPF process ID must be the same as that configured on the PE.

Step 3 Run:
area area-id

The OSPF area view is displayed.

Step 4 Run:
network ip-address wildcard-mask

The IP address of the interface connecting the PE is advertised.

NOTE
If the multi-instance CE does not learn the routes of the LAN through the OSPF multi-instance of the local
process, you also need to run related commands to import the routes of the LAN into the OSPF multi-
instance of the local process.

Step 5 Run:
commit

The configuration is committed.

----End

2.13.3 Disabling Route Loop Detection on the Multi-VPN-Instance CE

If route loop detection is performed, the CE discards the route with the DN bit being 1 received
from the PE.

Context
The multi-VPN-instance CE is a scheme for implementing service isolation by isolating routes.
Special configurations are not required but you need to disable route loop detection.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ospf process-id [ router-id router-id ] vpn-instance vpn-instance-name

The OSPF view is displayed.

Step 3 Run:
vpn-instance-capability simple

Route loop detection is disabled.


Step 4 Run:
commit

The configuration is committed.


----End
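
The requirements spread across 2.13.1 to 2.13.3 (same OSPF process ID on the PE and the CE, mutual route import on the PE, loop detection disabled on the CE) lend themselves to a cross-device check. The following script is an added example, not part of the Huawei guide; the command sequences, addresses and finding names are constructed, and it assumes the same VPN instance name is used for a service on both devices.

```python
import re

# CONSTRUCTED inputs: commands typed on the PE and on the multi-instance CE.
# Assumption: a service uses the same VPN instance name on both devices.
PE_COMMANDS = """\
system-view
ospf 1 vpn-instance vpn1
area 0
network 10.1.1.0 0.0.0.255
commit
quit
import-route bgp
commit
quit
ospf 2 vpn-instance vpn2
area 0
network 10.2.1.0 0.0.0.255
commit
quit
import-route bgp
commit
quit
bgp 100
ipv4-family vpn-instance vpn1
import-route ospf 1
commit
"""

CE_COMMANDS = """\
system-view
ospf 1 vpn-instance vpn1
vpn-instance-capability simple
area 0
network 10.1.1.0 0.0.0.255
commit
quit
quit
ospf 3 vpn-instance vpn2
area 0
network 10.2.1.0 0.0.0.255
commit
"""


def parse_device(commands):
    """Return (OSPF processes per VPN instance, OSPF IDs imported into BGP per VPN)."""
    ospf, bgp_imports = {}, {}
    view, proc, bgp_vpn = [], None, None   # 'view' tracks the CLI view stack
    for raw in commands.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ospf (\d+)(?: router-id \S+)? vpn-instance (\S+)", line):
            proc = ospf.setdefault(m.group(2), {"simple": False, "import_bgp": False})
            proc["pid"] = m.group(1)
            view = ["ospf"]
        elif re.fullmatch(r"area \S+", line) and view == ["ospf"]:
            view.append("area")
        elif re.fullmatch(r"bgp \S+", line):
            view = ["bgp"]
        elif m := re.fullmatch(r"ipv4-family vpn-instance (\S+)", line):
            view, bgp_vpn = ["bgp", "vpn"], m.group(1)
        elif line == "quit" and view:
            view.pop()
        elif view == ["ospf"] and line == "vpn-instance-capability simple":
            proc["simple"] = True
        elif view == ["ospf"] and line == "import-route bgp":
            proc["import_bgp"] = True
        elif view == ["bgp", "vpn"] and (m := re.fullmatch(r"import-route ospf (\d+)", line)):
            bgp_imports.setdefault(bgp_vpn, set()).add(m.group(1))
    return ospf, bgp_imports


def check_multi_instance_ce(pe_commands, ce_commands):
    """Return (vpn-instance, finding) pairs; finding names are this example's own."""
    pe_ospf, pe_bgp = parse_device(pe_commands)
    ce_ospf, _ = parse_device(ce_commands)
    findings = []
    for vpn, ce in sorted(ce_ospf.items()):
        pe = pe_ospf.get(vpn)
        if pe is None:
            findings.append((vpn, "no-ospf-instance-on-pe"))
        else:
            if pe["pid"] != ce["pid"]:            # 2.13.2: IDs must match
                findings.append((vpn, "process-id-mismatch"))
            if not pe["import_bgp"]:              # 2.13.1 step 7
                findings.append((vpn, "pe-ospf-lacks-import-route-bgp"))
            if pe["pid"] not in pe_bgp.get(vpn, set()):   # 2.13.1 step 12
                findings.append((vpn, "pe-bgp-lacks-import-route-ospf"))
        if not ce["simple"]:                      # 2.13.3: DN-bit routes dropped
            findings.append((vpn, "ce-loop-detection-not-disabled"))
    return findings


if __name__ == "__main__":
    for vpn, finding in check_multi_instance_ce(PE_COMMANDS, CE_COMMANDS):
        print(f"{vpn}: {finding}")
```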

2.13.4 Checking the Configuration


After the multi-VPN-instance CE is configured, you can find that the VPN routing table of the
multi-instance CE contains the routes to the LAN and remote sites for each service.

Prerequisite
All configurations about the multi-VPN-instance CE are complete.

Procedure
l Run the display ip routing-table vpn-instance vpn-instance-name [ verbose ] command
on the multi-instance CE to check information about the VPN routing table.
----End

Example
After the configuration, run the display ip routing-table vpn-instance command on the multi-
instance CE, and you can find that the VPN routing table of the CE contains the routes to the
LAN and remote sites for each service.

2.14 Configuring VPN FRR


In the networking of CE dual-homing, you can configure VPN FRR to ensure VPN service
switchover to a secondary link when the primary link between PEs fails.

Applicable Environment
VPN FRR is applicable to services that are very sensitive to packet loss and delay on VPNs. As
shown in Figure 2-21, CE1 is dual-homed to PE2 and PE3. When the link between PE1 and
PE2 fails, VPN traffic needs to be quickly switched to the link between PE1 and PE3.

Figure 2-21 Schematic diagram of VPN FRR
[Diagram not reproduced. Labels in the figure: PE1, PE2, PE3, CE1, MPLS Backbone, AS100, VPN site, AS65400.]

Pre-configuration Tasks
Before configuring VPN FRR, complete the following tasks:
l Configuring a routing protocol on the router to implement IP internetworking
l Generating two unequal-cost routes on the PE by setting different costs or metrics
l Setting up the VPN

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv4 address family view is displayed.


Step 4 Run:
auto-frr

VPN Auto FRR is enabled.


Step 5 Run:
commit

The configuration is committed.

----End

Example
After all VPN FRR configurations are complete, run the display ip routing-table vpn-instance vpn-
instance-name [ ip-address ] verbose command to check information about the backup next-
hop PE, backup tunnel, and backup label.
<HUAWEI> display ip routing-table vpn-instance vpn1 10.1.1.0 verbose
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpn1
Summary Count : 1
Destination: 10.3.1.0/24
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 2.2.2.2 Neighbour: 2.2.2.2
State: Active Adv GotQ Age: 00h15m06s
Tag: 0 Priority: low
Label: 15361 QoSInfo: 0x0
IndirectID: 0x13
RelayNextHop: 0.0.0.0 Interface: Pos2/0/0
TunnelID: 0x000000000100000001 Flags: RD
BkNextHop: 3.3.3.3 BkInterface: Unknown
BkLabel: 15362 SecTunnelID: 0x0
BkPETunnelID: 0x000000000100000002 BkPESecTunnelID: 0x0
BkIndirectID: 0x15

Related Tasks
2.18.19 Example for Configuring VPN FRR with FRR Switchover Being Implemented on a PE

2.15 Configuring FRR for IP Routes on a Private Network


This section describes how to configure FRR for IP routes on a private network in the networking
where multiple CEs at a VPN site access the same PE. This feature can quickly switch traffic to
a link connected to another CE if the primary route from a PE to a CE becomes unreachable.

Applicable Environment
This feature is suitable for IP services that are sensitive to the packet loss and delay on a private
network. With IP FRR configured on the private network, if the route from a PE to a CE is
unavailable, traffic from the PE can be quickly switched to a link connected to another CE. This
reduces the time of IP service interruption.
On the network shown in Figure 2-22, in normal situations, the PE selects Link_A to forward
traffic to vpn1 site and uses Link_B as the backup link. If the PE detects that the route to CE1
is unreachable, it will immediately switch traffic to Link_B and private network routes will be
converged. This can minimize the impact on VPN services.

Figure 2-22 FRR for IP routes on a private network
[Diagram not reproduced. Labels in the figure: IP/MPLS Backbone, RouterA, PE, Link_A, Link_B, CE1, CE2, vpn1 site.]

At present, the NE5000E supports two modes of FRR for IP routes on a private network. The
two modes are different in networking and configuration procedures.
l IP FRR: applicable to the networking where different PE-CE pairs use different routing
protocols.
l BGP Auto FRR for the private network: applicable to the networking where BGP runs
between the PE and CEs.

Pre-configuration Tasks
Before configuring FRR for IP routes on a private network, complete the following tasks:
l Configuring a BGP/MPLS IP VPN
l Configuring the PE to learn private network routes with the same prefix from different CEs
attached to it

Procedure
l Configure IP FRR.
1. Run:
system-view

The system view is displayed.


2. Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.


3. Run:
ipv4-family

The VPN instance IPv4 address family view is displayed.


4. Run:
ip frr

IP FRR is enabled.
5. Run:
commit

The configuration is committed.


l Configure BGP Auto FRR for the private network.
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv4 address family view is displayed.


4. Run:
auto-frr

BGP Auto FRR is enabled.


5. Run:
commit

The configuration is committed.


----End

Example
Run the display ip routing-table vpn-instance vpn-instance-name [ ipv4-address ] verbose
command to check the backup outbound interface and backup next hop of the IP route in the
routing table.
Run the display ip routing-table vpn-instance vpn-instance-name verbose command on the
PE. You can see that the route has a backup outbound interface and a backup next hop.

<HUAWEI> display ip routing-table vpn-instance vpna 4.4.4.9 verbose


Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpna
Summary Count : 1

Destination: 4.4.4.9/32
Protocol: BGP Process ID: 0
Preference: 255 Cost: 1
NextHop: 10.1.1.2 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h00m04s
Tag: 0 Priority: low
Label: NULL QoSInfo: 0x0
IndirectID: 0xc7
RelayNextHop: 10.1.1.2 Interface: Pos1/0/0
TunnelID: 0x0 Flags: RD
BkNextHop: 20.1.1.2 BkInterface: Gigabitethernet2/0/0
BkLabel: NULL SecTunnelID: 0x0
BkPETunnelID: 0x0 BkPESecTunnelID: 0x0
BkIndirectID: 0xc8

Related Tasks
2.18.20 Example for Configuring FRR for IP Routes on a Private Network

2.16 Configuring Hybrid FRR for IP and VPNv4 Routes


This section describes how to configure hybrid FRR in the networking where a CE is dual-homed
to two PEs. If the next hop from a PE to a CE is unreachable, hybrid FRR can send traffic to
another PE over a tunnel, and the traffic will be routed to the CE by using IP forwarding on the
private network. This improves network reliability.

Applicable Environment
Hybrid FRR for IP and VPNv4 routes can quickly switch traffic from a PE to another PE that
serves as the backup next hop if the primary route to a CE is unreachable.
A PE learns VPN routes with the same prefix from a CE and other PEs. In this situation, hybrid
FRR for IP and VPNv4 routes can be configured on the PE. Enabled with hybrid FRR, the PE
generates a primary route and a backup route to the VPN prefix. If the link between the PE and
CE fails, the link traffic can be quickly switched to the backup next hop (a PE).
On the network shown in Figure 2-23, in normal situations, PE1 selects Link_A to forward
traffic to the CE and uses Link_B as the backup link. If PE2 detects that the route to the CE is
unreachable, it will immediately switch traffic to Link_B and private network routes will be
converged. This can minimize the impact on VPN services.

Figure 2-23 Hybrid FRR for IP and VPNv4 routes
[Diagram not reproduced. Labels in the figure: IP/MPLS Backbone, PE1, PE2, PE3, Link_A, Link_B, CE, vpn1 site.]

At present, the NE5000E supports two modes of hybrid FRR for IP and VPNv4 routes, which
differ in terms of networking and configuration procedures.
l IP FRR: It is applicable to the networking where a non-BGP routing protocol runs between
the PEs and CE.
l BGP Auto FRR for the private network: It is applicable to the networking where BGP runs
between the PEs and CE.

Pre-configuration Tasks
Before configuring hybrid FRR for IP and VPNv4 routes, complete the following tasks:
l Configuring BGP/MPLS IP VPN
l Configuring a PE to learn IP routes with the same prefix from a CE and other VPNv4 peers

Procedure
l Configure IP FRR.
1. Run:
system-view

The system view is displayed.


2. Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.


3. Run:
ipv4-family

The VPN instance IPv4 address family view is displayed.


4. Run:
ip frr

IP FRR is enabled.
5. Run:
commit

The configuration is committed.


l Configure BGP Auto FRR for the private network.

1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv4 address family view is displayed.


4. Run:
auto-frr

BGP Auto FRR is enabled.


5. Run:
commit

The configuration is committed.

----End

Example
Run the display ip routing-table vpn-instance vpn-instance-name [ ipv4-address ] verbose
command to check the backup outbound interface and backup next hop of the IP route in the
routing table.

Run the display ip routing-table vpn-instance vpn-instance-name verbose command on the
PE. You can find that the route has a backup outbound interface and a backup next hop, and the
hop is on a tunnel such as an LDP LSP.
<HUAWEI> display ip routing-table vpn-instance vpna 22.22.22.22 verbose
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpna
Summary Count : 1

Destination: 22.22.22.22/32
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 192.168.2.2 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h00m31s
Tag: 0 Priority: low
Label: NULL QoSInfo: 0x0
IndirectID: 0xa9
RelayNextHop: 192.168.2.2 Interface: GigabitEthernet2/0/0
TunnelID: 0x0 Flags: RD
BkNextHop: 0.0.0.0 BkInterface: LDP LSP
BkLabel: 0x27 SecTunnelID: 0x5000098
BkPETunnelID: 0x0 BkPESecTunnelID: 0x0
BkIndirectID: 0xaa
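
The verbose outputs in the Example parts of 2.14, 2.15 and 2.16 differ only in their Bk* fields, so one parser can confirm that a route really has a backup path and of which kind. The following script is an added example, not part of the Huawei guide. The records are abridged from the three outputs on this page plus one constructed route without a backup, and the classification rule (a non-zero backup tunnel ID means a tunnel backup, otherwise a non-zero BkNextHop means a plain IP backup) is an assumption inferred from those three samples.

```python
import re

# Records 1-3 are abridged from the outputs shown in 2.14, 2.15 and 2.16.
# Record 4 (10.9.9.0/24) is CONSTRUCTED to show a route with no backup path;
# how the device prints such a route is an assumption of this example.
SAMPLE = """\
Destination: 10.3.1.0/24
NextHop: 2.2.2.2 Neighbour: 2.2.2.2
Label: 15361 QoSInfo: 0x0
RelayNextHop: 0.0.0.0 Interface: Pos2/0/0
TunnelID: 0x000000000100000001 Flags: RD
BkNextHop: 3.3.3.3 BkInterface: Unknown
BkLabel: 15362 SecTunnelID: 0x0
BkPETunnelID: 0x000000000100000002 BkPESecTunnelID: 0x0
Destination: 4.4.4.9/32
NextHop: 10.1.1.2 Neighbour: 0.0.0.0
Label: NULL QoSInfo: 0x0
RelayNextHop: 10.1.1.2 Interface: Pos1/0/0
TunnelID: 0x0 Flags: RD
BkNextHop: 20.1.1.2 BkInterface: Gigabitethernet2/0/0
BkLabel: NULL SecTunnelID: 0x0
BkPETunnelID: 0x0 BkPESecTunnelID: 0x0
Destination: 22.22.22.22/32
NextHop: 192.168.2.2 Neighbour: 0.0.0.0
Label: NULL QoSInfo: 0x0
RelayNextHop: 192.168.2.2 Interface: GigabitEthernet2/0/0
TunnelID: 0x0 Flags: RD
BkNextHop: 0.0.0.0 BkInterface: LDP LSP
BkLabel: 0x27 SecTunnelID: 0x5000098
BkPETunnelID: 0x0 BkPESecTunnelID: 0x0
Destination: 10.9.9.0/24
NextHop: 10.1.1.2 Neighbour: 0.0.0.0
BkNextHop: 0.0.0.0 BkInterface: Unknown
BkLabel: NULL SecTunnelID: 0x0
BkPETunnelID: 0x0 BkPESecTunnelID: 0x0
"""

# Two "Key: value" pairs share a line; a value ends where the next key starts.
FIELD = re.compile(r"\b(\w+):\s*(\S.*?)(?=\s+\w+:\s|\s*$)")
WANTED = {"Destination", "NextHop", "Interface", "BkNextHop", "BkInterface",
          "BkLabel", "SecTunnelID", "BkPETunnelID"}


def parse_routes(text):
    """Split the output into one dict per 'Destination:' record."""
    routes = []
    for line in text.splitlines():
        for key, value in FIELD.findall(line):
            if key == "Destination":
                routes.append({})
            if routes and key in WANTED:
                routes[-1][key] = value
    return routes


def _nonzero_hex(value):
    try:
        return int(value, 16) != 0
    except (TypeError, ValueError):   # field missing or not a hex number
        return False


def backup_kind(route):
    """'tunnel', 'ip' or 'none' (rule inferred from the page's three samples)."""
    if _nonzero_hex(route.get("BkPETunnelID")) or _nonzero_hex(route.get("SecTunnelID")):
        return "tunnel"               # backup reaches another PE over a tunnel
    if route.get("BkNextHop", "0.0.0.0") != "0.0.0.0":
        return "ip"                   # backup is a directly attached next hop
    return "none"


def frr_report(text):
    return {r["Destination"]: backup_kind(r) for r in parse_routes(text)}


def unprotected(text):
    """Destinations that would have no fast-reroute path if the primary fails."""
    return sorted(d for d, kind in frr_report(text).items() if kind == "none")


if __name__ == "__main__":
    for route in parse_routes(SAMPLE):
        print(f"{route['Destination']}: primary {route['NextHop']}, "
              f"backup={backup_kind(route)}")
```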

Related Tasks
2.18.21 Example for Configuring Hybrid FRR for IP and VPNv4 Routes

2.17 Maintaining BGP/MPLS IP VPN


Maintaining BGP/MPLS IP VPN involves checking L3VPN traffic, monitoring network
connectivity, resetting BGP connections, and debugging BGP/MPLS IP VPN information.

2.17.1 Monitoring the Running Status of BGP/MPLS IP VPN


Monitoring the running status of BGP/MPLS IP VPN involves checking VPN instance
information, VPNv4 peer information, and BGP peer log information.

Context
In routine maintenance, you can run any of the following commands in any view to check the
running status of BGP/MPLS IP VPN.

Procedure
l Run the display ip routing-table vpn-instance vpn-instance-name [ [ filter-option ]
[ verbose ] | statistics ] command to check information about the IP routing table of a VPN
instance.
l Run the display ip vpn-instance [ verbose ] [ vpn-instance-name ] command to check
information about a VPN instance.
l Run the display mpls lsp command to check information about LSPs.
l Run the display bgp vpnv4 { all | route-distinguisher route-distinguisher | vpn-
instance vpn-instance-name } routing-table destination-address [ mask | mask-length ]
command to check information about a specific BGP VPNv4 routing entry.
l Run the display bgp vpnv4 { all | route-distinguisher route-distinguisher | vpn-
instance vpn-instance-name } routing-table statistics [ match-options ] command to
check statistics of the BGP VPNv4 routing table.
l Run the display bgp vpnv4 { all | route-distinguisher route-distinguisher | vpn-
instance vpn-instance-name } routing-table [ match-options ] command to check
information about the BGP VPNv4 routing table.
l Run the display bgp vpnv4 { all | vpn-instance vpn-instance-name } group [ group-
name ] command to check information about the BGP VPNv4 peer groups.
l Run the display bgp { all | vpn-instance vpn-instance-name } peer [ [ peer-address ]
verbose ] command to check information about the BGP VPNv4 peer.
l Run the display bgp { all | vpn-instance vpn-instance-name } network command to check
information about the VPNv4 routes imported into the BGP routing table through the
network command.
l Run the display bgp { all | vpn-instance vpn-instance-name } paths [ as-regular-
expression ] command to check information about the AS path of the BGP VPNv4 route.
l Run the display bgp vpn-instance vpn-instance-name peer { group-name | peer-
address } log-info command to check the logs about the BGP peer of the VPN instance
IPv4 address family.

----End

2.17.2 Checking the Network Connectivity and Reachability


This section describes how to use the ping command to detect the network connectivity between
the source and the destination, and how to use the tracert command to check the devices through
which data packets are sent from the source to the destination.

Procedure
l Run the ping [ ip ] [ -a source-ip-address | -c count | -d | -f | -h ttl-value | -i interface-
type interface-number | -m time | -n | -p pattern | -q | -r | -s packetsize | -t timeout | -tos tos-
value | -v | -vpn-instance vpn-instance-name ] * dest-address command to detect the
reachability of the destination.
l Run the tracert [ -a source-ip-address | -f first-TTL | -m max-TTL | -p port | -q nqueries |
-vpn-instance vpn-instance-name | -w timeout ]* dest-address command to check the
gateway that a packet passes from the source to the destination.
l Run the ping lsp [ -a source-ip | -c count | -exp exp-value | -h ttl-value | -m interval | -r
reply-mode | -s packet-size | -t time-out | -v ] * vpn-instance vpn-name remote remote-
address mask-length command, and you can check connectivity of the Layer 3 VPN LSP.

----End

Example
After the VPN is configured:
l You can run the ping command on the local CE to check whether the local CE and the
remote CE in the same VPN can communicate with each other. If the ping fails, you can
run the tracert command to locate the faulty node.
l You can also run the ping command with the -vpn-instance vpn-instance-name parameter
on the PE to check whether the PE and the CE in the same VPN as the PE can communicate
with each other. If the ping fails, you can run the tracert command with the -vpn-
instance vpn-instance-name parameter to locate the faulty node.

If multiple interfaces on the PE are bound to the same VPN, you need to specify the source IP
address, that is, the -a source-ip-address when you ping or tracert the remote CE that accesses
the peer PE. If no source IP address is specified, the PE selects the lowest IP address from the
IP addresses of the interfaces on the PE bound to this VPN as the source address of the ICMP
messages. If the CE has no route to the selected IPv4 address, the CE discards the returned ICMP
message.

NOTE

By default, as for the MPLS TTL timeout packet with a single label, the router returns the ICMP message
according to the local IP route (that is, the public network route). However, no VPN route exists in the
public network routing table of the ASBR and therefore, the ICMP message is discarded when being sent
to or returned by the ASBR.

2.17.3 Clearing BGP Statistics of the VPN Instance IPv4 Address Family

BGP statistics of the VPN instance IPv4 address family cannot be restored after being cleared.
Therefore, perform the action with caution.

Context

CAUTION
BGP statistics of the VPN instance IPv4 address family cannot be restored after being cleared.
Therefore, perform the action with caution.

Procedure
l After confirming that you need to clear the statistics about BGP peer flap in the specified
VPN instance IPv4 address family, run the reset bgp vpn-instance vpn-instance-name
ipv4-family [ peer-address ] flap-info command in the user view.
l After confirming that you need to clear the statistics about route dampening information
of the specified VPN instance IPv4 address family, run the reset bgp vpn-instance vpn-
instance-name ipv4-family dampening [ ip-address [ mask | mask-length ] ] command in
the user view.
----End

2.17.4 Resetting BGP Connections


After BGP configurations are changed, you can make the new configurations take effect through
soft reset or reset of the BGP connection. Note that resetting the BGP connection leads to the
interruption of VPN services.

Context

CAUTION
VPN services are interrupted after the BGP connection is reset. So, confirm the action before
you use the command.

After BGP configurations are changed, you can validate the new configurations through soft
reset or reset of the BGP connection. Soft reset requires BGP peers to have the route refresh
capability. This means that BGP peers should support Route-Refresh messages.

Procedure
l Run the refresh bgp vpn-instance vpn-instance-name ipv4-family { all | peer-address |
group group-name | internal | external } { import | export } command in the user view
to trigger the soft reset of the VPN instance IPv4 address family's BGP connection in the
inbound or outbound direction so as to validate the configuration.
l Run the refresh bgp vpnv4 { all | peer-address | group group-name | internal |
external } { import | export } command in the user view to trigger the soft reset of the
BGP VPNv4 connection in the inbound or outbound direction so as to validate the
configuration.
l Run the reset bgp vpn-instance vpn-instance-name ipv4-family { as-number | peer-
address | group group-name | all | internal | external } command in the user view to reset
BGP connections of the VPN instance IPv4 address family so as to validate the
configuration.
l Run the reset bgp vpnv4 { as-number | peer-address | group group-name | all | internal
| external } command in the user view to reset the BGP VPNv4 connection so as to validate
the configuration.
----End

2.18 Configuration Examples


This section provides several configuration examples of VPN networking. In each configuration
example, the networking requirements, configuration notes, configuration roadmap,
configuration procedures, and configuration files are provided.

2.18.1 Example for Configuring BGP/MPLS IP VPN


After BGP/MPLS IP VPN is configured, users in the same VPN can communicate with each
other whereas users in different VPNs cannot communicate with each other.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, an interface is numbered in the format of chassis ID/
slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

As shown in Figure 2-24:


• CE1 and CE3 belong to vpna.
• CE2 and CE4 belong to vpnb.
• The VPN target of vpna is 111:1; the VPN target of vpnb is 222:2.
It is required that users in the same VPN be able to communicate with each other whereas users
in different VPNs be unable to communicate with each other.

Figure 2-24 Networking diagram of BGP/MPLS IP VPN

[Figure: PE1, P, and PE2 form the MPLS backbone in AS 100. CE1 and CE2 connect to PE1; CE3 and CE4 connect to PE2.]
PE1 (AS 100): Loopback1 1.1.1.9/32; GE1/0/0 10.1.1.2/24 (to CE1); GE2/0/0 10.2.1.2/24 (to CE2); POS3/0/0 172.1.1.1/24 (to P)
P (AS 100): Loopback1 2.2.2.9/32; POS1/0/0 172.1.1.2/24 (to PE1); POS2/0/0 172.2.1.1/24 (to PE2)
PE2 (AS 100): Loopback1 3.3.3.9/32; GE1/0/0 10.3.1.2/24 (to CE3); GE2/0/0 10.4.1.2/24 (to CE4); POS3/0/0 172.2.1.2/24 (to P)
CE1 (vpna, AS 65410): GE1/0/0 10.1.1.1/24; Loopback1 11.11.11.11/32
CE2 (vpnb, AS 65420): GE1/0/0 10.2.1.1/24; Loopback1 22.22.22.22/32
CE3 (vpna, AS 65430): GE1/0/0 10.3.1.1/24; Loopback1 33.33.33.33/32
CE4 (vpnb, AS 65440): GE1/0/0 10.4.1.1/24; Loopback1 44.44.44.44/32

Configuration Notes
When configuring BGP/MPLS IP VPN, note the following:

• On the same VPN, the export VPN target list of a site shares VPN targets with the import
VPN target lists of the other sites; the import VPN target list of a site shares VPN targets
with the export VPN target lists of the other sites.
• After a PE interface connected to a CE is bound to a VPN instance, Layer 3 features on
this interface such as the IP address and routing protocol are automatically deleted and can
be reconfigured if required.
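The first note above is what keeps vpna and vpnb isolated, so it is worth checking mechanically before a change is committed. The following Python sketch is an added example, not part of the Huawei guide: it parses the vpn-instance stanzas of the PE1 and PE2 configuration files of this example and reports which instance would receive routes from which. PE2_BAD is a constructed misconfiguration, and treating instances with the same name as one VPN is an assumption of the example.

```python
import re

# vpn-target <rt> [<rt> ...] export-extcommunity | import-extcommunity | both
VT_RE = re.compile(
    r"^vpn-target\s+(.+?)\s+(export-extcommunity|import-extcommunity|both)$")

# Constructed sample input: vpn-instance stanzas as they appear in the
# PE1 and PE2 configuration files of this example.
PE1_CFG = """#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 100:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
"""
PE2_CFG = PE1_CFG.replace("100:1", "200:1").replace("100:2", "200:2")
# Constructed misconfiguration: vpnb on PE2 also imports the vpna target.
PE2_BAD = PE2_CFG.replace("vpn-target 222:2 import-extcommunity",
                          "vpn-target 222:2 111:1 import-extcommunity")


def parse_vpn_instances(pe, cfg):
    """Return {(pe, vrf): {"rd": str or None, "import": set, "export": set}}."""
    out, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("ip vpn-instance "):
            cur = out.setdefault(
                (pe, line.split()[2]),
                {"rd": None, "import": set(), "export": set()})
        elif line == "#":                      # '#' closes the current stanza
            cur = None
        elif cur is not None and line.startswith("route-distinguisher "):
            cur["rd"] = line.split()[1]
        elif cur is not None:
            m = VT_RE.match(line)
            if m:
                targets = set(m.group(1).split())
                if m.group(2) in ("export-extcommunity", "both"):
                    cur["export"] |= targets
                if m.group(2) in ("import-extcommunity", "both"):
                    cur["import"] |= targets
    return out


def route_flows(instances):
    """(src, dst, shared targets) wherever dst imports a target src exports."""
    flows = []
    for src, s in instances.items():
        for dst, d in instances.items():
            shared = s["export"] & d["import"]
            if src != dst and shared:
                flows.append((src, dst, sorted(shared)))
    return flows


def audit(instances):
    """Return (leaks, missing) under the assumption: same name = same VPN."""
    flows = route_flows(instances)
    leaks = [f for f in flows if f[0][1] != f[1][1]]
    connected = {(f[0], f[1]) for f in flows}
    missing = [(a, b) for a in instances for b in instances
               if a != b and a[1] == b[1] and (a, b) not in connected]
    return leaks, missing


if __name__ == "__main__":
    for label, pe2 in (("as documented", PE2_CFG), ("misconfigured", PE2_BAD)):
        inst = {**parse_vpn_instances("PE1", PE1_CFG),
                **parse_vpn_instances("PE2", pe2)}
        leaks, missing = audit(inst)
        print(label, "- cross-VPN flows:", leaks, "- missing flows:", missing)
```

With the documented configuration the audit reports no cross-VPN flow; with PE2_BAD it reports that vpnb on PE2 would receive the vpna routes exported by both PEs.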

Configuration Roadmap
The configuration roadmap is as follows:

1. Enable OSPF on the backbone network to ensure that PEs interwork with each other.
2. Configure basic MPLS functions and MPLS LDP, and set up MPLS LSPs on the backbone
network.
3. Configure VPN instances enabled with the IPv4 address family on the PEs and bind each
interface that connects a PE to a CE to a VPN instance.
4. Enable Multi-protocol Extensions for Interior Border Gateway Protocol (MP-IBGP) on PEs
to exchange VPN routing information.
5. Configure EBGP on CEs and PEs to exchange VPN routing information.

Data Preparation
To complete the configuration, you need the following data:
• MPLS LSR IDs of the PEs and P
• Route Distinguishers (RDs) of vpna and vpnb
• VPN targets of vpna and vpnb

Procedure
Step 1 Configure an IGP on the MPLS backbone network to achieve connectivity between the PEs and
P. OSPF is adopted as an IGP in this example.
# Configure PE1.
<HUAWEI> system-view
[~HUAWEI] sysname PE1
[~PE1] interface loopback 1
[~PE1-LoopBack1] ip address 1.1.1.9 32
[~PE1-LoopBack1] commit
[~PE1-LoopBack1] quit
[~PE1] interface pos3/0/0
[~PE1-Pos3/0/0] ip address 172.1.1.1 24
[~PE1-Pos3/0/0] commit
[~PE1-Pos3/0/0] quit
[~PE1] ospf
[~PE1-ospf-1] area 0
[~PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[~PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[~PE1-ospf-1-area-0.0.0.0] commit
[~PE1-ospf-1-area-0.0.0.0] quit
[~PE1-ospf-1] quit

# Configure the P.
<HUAWEI> system-view
[~HUAWEI] sysname P
[~P] interface loopback 1
[~P-LoopBack1] ip address 2.2.2.9 32
[~P-LoopBack1] commit
[~P-LoopBack1] quit
[~P] interface pos 1/0/0
[~P-Pos1/0/0] ip address 172.1.1.2 24
[~P-Pos1/0/0] commit
[~P-Pos1/0/0] quit
[~P] interface pos 2/0/0
[~P-Pos2/0/0] ip address 172.2.1.1 24
[~P-Pos2/0/0] commit
[~P-Pos2/0/0] quit
[~P] ospf
[~P-ospf-1] area 0
[~P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[~P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[~P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[~P-ospf-1-area-0.0.0.0] commit
[~P-ospf-1-area-0.0.0.0] quit
[~P-ospf-1] quit

# Configure PE2.
<HUAWEI> system-view
[~HUAWEI] sysname PE2
[~PE2] interface loopback 1
[~PE2-LoopBack1] ip address 3.3.3.9 32
[~PE2-LoopBack1] commit
[~PE2-LoopBack1] quit
[~PE2] interface pos 3/0/0
[~PE2-Pos3/0/0] ip address 172.2.1.2 24
[~PE2-Pos3/0/0] commit
[~PE2-Pos3/0/0] quit
[~PE2] ospf
[~PE2-ospf-1] area 0
[~PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[~PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[~PE2-ospf-1-area-0.0.0.0] commit
[~PE2-ospf-1-area-0.0.0.0] quit
[~PE2-ospf-1] quit

After the configuration, OSPF neighbor relationships can be set up between PE1, P, and PE2.
Run the display ospf peer command, and you can view that the neighbor status is Full. Run the
display ip routing-table command, and you can view that the PEs have learnt the routes to
Loopback1 of each other.

Take the display on PE1 as an example.


<PE1> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.9/32 Direct 0 0 D 127.0.0.1 InLoopBack0
2.2.2.9/32 OSPF 10 2 D 172.1.1.2 Pos3/0/0
3.3.3.9/32 OSPF 10 3 D 172.1.1.2 Pos3/0/0
172.1.1.0/24 Direct 0 0 D 172.1.1.1 Pos3/0/0
172.1.1.1/32 Direct 0 0 D 127.0.0.1 Pos3/0/0
172.1.1.255/32 Direct 0 0 D 127.0.0.1 Pos3/0/0
172.2.1.0/24 OSPF 10 2 D 172.1.1.2 Pos3/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
<PE1> display ospf peer
OSPF Process 1 with Router ID 1.1.1.9
Neighbors
Area 0.0.0.0 interface 172.1.1.1(Pos3/0/0)'s neighbors
Router ID: 172.1.1.2 Address: 172.1.1.2
State: Full Mode:Nbr is Master Priority: 1
DR: None BDR: None MTU: 1500
Dead timer due in 38 sec
Retrans timer interval: 0
Neighbor is up for 00:02:44
Authentication Sequence: [ 0 ]

Step 2 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS
backbone network.

# Configure PE1.
[~PE1] mpls lsr-id 1.1.1.9
[~PE1] mpls
[~PE1-mpls] commit
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] commit
[~PE1-mpls-ldp] quit
[~PE1] interface pos 3/0/0
[~PE1-Pos3/0/0] mpls
[~PE1-Pos3/0/0] mpls ldp
[~PE1-Pos3/0/0] commit
[~PE1-Pos3/0/0] quit

# Configure the P.
[~P] mpls lsr-id 2.2.2.9
[~P] mpls
[~P-mpls] commit
[~P-mpls] quit
[~P] mpls ldp
[~P-mpls-ldp] quit
[~P] interface pos 1/0/0
[~P-Pos1/0/0] mpls
[~P-Pos1/0/0] mpls ldp
[~P-Pos1/0/0] commit
[~P-Pos1/0/0] quit
[~P] interface pos 2/0/0
[~P-Pos2/0/0] mpls
[~P-Pos2/0/0] mpls ldp
[~P-Pos2/0/0] commit
[~P-Pos2/0/0] quit

# Configure PE2.
[~PE2] mpls lsr-id 3.3.3.9
[~PE2] mpls
[~PE2-mpls] commit
[~PE2-mpls] quit
[~PE2] mpls ldp
[~PE2-mpls-ldp] commit
[~PE2-mpls-ldp] quit
[~PE2] interface pos 3/0/0
[~PE2-Pos3/0/0] mpls
[~PE2-Pos3/0/0] mpls ldp
[~PE2-Pos3/0/0] commit
[~PE2-Pos3/0/0] quit

After the configuration, LDP sessions can be set up between PE1 and the P and between the P
and PE2. Run the display mpls ldp session command, and you can view that the Status field
is Operational. Run the display mpls ldp lsp command, and you can check whether LDP LSPs
are set up.
Take the display on PE1 as an example.
<PE1> display mpls ldp session
LDP Session(s) in Public Network
-------------------------------------------------------------------------
Peer-ID Status LAM SsnRole SsnAge KA-Sent/Rcv
-------------------------------------------------------------------------
2.2.2.9:0 Operational DU Passive 006:20:55 39551/39552
-------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
LAM : Label Advertisement Mode SsnAge Unit : DDD:HH:MM
<PE1> display mpls ldp lsp
LDP LSP Information
------------------------------------------------------------------
SN DestAddress/Mask In/OutLabel Next-Hop In/Out-Interface
------------------------------------------------------------------
1 1.1.1.9/32 3/NULL 127.0.0.1 Pos3/0/0/InLoop0
2 2.2.2.9/32 NULL/3 172.1.1.2 -------/Pos3/0/0
3 3.3.3.9/32 NULL/1024 172.1.1.2 -------/Pos3/0/0
------------------------------------------------------------------
TOTAL: 3 Normal LSP(s) Found.
TOTAL: 0 Liberal LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale

Step 3 Configure VPN instances enabled with the IPv4 address family on the PEs and connect the CEs
to the PEs through the VPN instances.
# Configure PE1.
[~PE1] ip vpn-instance vpna
[~PE1-vpn-instance-vpna] ipv4-family
[~PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[~PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] ip vpn-instance vpnb
[~PE1-vpn-instance-vpnb] ipv4-family
[~PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[~PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[~PE1-vpn-instance-vpnb-af-ipv4] quit
[~PE1-vpn-instance-vpnb] quit
[~PE1] interface gigabitethernet 1/0/0
[~PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[~PE1-GigabitEthernet1/0/0] ip address 10.1.1.2 24
[~PE1-GigabitEthernet1/0/0] commit
[~PE1-GigabitEthernet1/0/0] quit
[~PE1] interface gigabitethernet 2/0/0
[~PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpnb
[~PE1-GigabitEthernet2/0/0] ip address 10.2.1.2 24
[~PE1-GigabitEthernet2/0/0] commit
[~PE1-GigabitEthernet2/0/0] quit

# Configure PE2.
[~PE2] ip vpn-instance vpna
[~PE2-vpn-instance-vpna] ipv4-family
[~PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[~PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE2-vpn-instance-vpna-af-ipv4] quit
[~PE2-vpn-instance-vpna] quit
[~PE2] ip vpn-instance vpnb
[~PE2-vpn-instance-vpnb] ipv4-family
[~PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2
[~PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[~PE2-vpn-instance-vpnb-af-ipv4] quit
[~PE2-vpn-instance-vpnb] quit
[~PE2] interface gigabitethernet 1/0/0
[~PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[~PE2-GigabitEthernet1/0/0] ip address 10.3.1.2 24
[~PE2-GigabitEthernet1/0/0] commit
[~PE2-GigabitEthernet1/0/0] quit
[~PE2] interface gigabitethernet 2/0/0
[~PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpnb
[~PE2-GigabitEthernet2/0/0] ip address 10.4.1.2 24
[~PE2-GigabitEthernet2/0/0] commit
[~PE2-GigabitEthernet2/0/0] quit

# Assign an IP address to each interface on CEs as shown in Figure 2-24. The detailed
configuration procedure is not mentioned here. For details, see "Configuration Files."
After the configuration, run the display ip vpn-instance verbose command on the PEs to view
the configurations of VPN instances. Each PE can successfully ping its connected CE.

NOTE

If a PE has multiple interfaces bound to the same VPN instance, you need to specify a source IP address
by specifying -a source-ip-address in the ping -vpn-instance vpn-instance-name -a source-ip-address
dest-ip-address command to ping the CE connected to the remote PE. Otherwise, the ping operation fails.

Take the display on PE1 and CE1 as an example:


<PE1> display ip vpn-instance verbose
Total VPN-Instances configured : 2
VPN-Instance Name and ID : vpna, 1
Interfaces : GigabitEthernet1/0/0
Address family ipv4
Create date : 2009/01/21 11:30:35
Up time : 0 days, 00 hours, 05 minutes and 19 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label policy: label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe
VPN-Instance Name and ID : vpnb, 2
Interfaces : GigabitEthernet2/0/0
Address family ipv4
Create date : 2009/01/21 11:31:18
Up time : 0 days, 00 hours, 04 minutes and 36 seconds
Route Distinguisher : 100:2
Export VPN Targets : 222:2
Import VPN Targets : 222:2
Label policy: label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe
[~PE1] ping -vpn-instance vpna 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=56 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=4 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=4 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=52 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=3 ms
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/23/56 ms

Step 4 Set up EBGP peer relationships between the PEs and CEs.
# Configure CE1.
[~CE1] interface loopback 1
[~CE1-LoopBack1] ip address 11.11.11.11 32
[~CE1-LoopBack1] quit
[~CE1] bgp 65410
[~CE1-bgp] peer 10.1.1.2 as-number 100
[~CE1-bgp] network 11.11.11.11 32
[~CE1-bgp] quit
[~CE1] commit

NOTE

The configurations of CE2, CE3, and CE4 are similar to the configuration of CE1, and are not mentioned
here. For details, see "Configuration Files."

# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpna
[~PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[~PE1-bgp-vpna] commit
[~PE1-bgp-vpna] quit
[~PE1-bgp] ipv4-family vpn-instance vpnb
[~PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[~PE1-bgp-vpnb] commit
[~PE1-bgp-vpnb] quit

NOTE

The procedure for configuring PE2 is similar to the procedure for configuring PE1, and the detailed
configuration is not mentioned here. For details, see "Configuration Files."

After the configuration, run the display bgp vpnv4 vpn-instance peer command on the PEs,
and you can view that BGP peer relationships have been established between the PEs and CEs.
Take the peer relationship between PE1 and CE1 as an example.
<PE1> display bgp vpnv4 vpn-instance vpna peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 65410 11 9 0 00:06:37 Established 1

Step 5 Set up an MP-IBGP peer relationship between the PEs.


# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] peer 3.3.3.9 as-number 100
[~PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[~PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit

# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] peer 1.1.1.9 as-number 100
[~PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[~PE2-bgp] ipv4-family vpnv4
[~PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[~PE2-bgp-af-vpnv4] commit
[~PE2-bgp-af-vpnv4] quit
[~PE2-bgp] quit

# After the configuration, run the display bgp peer or display bgp vpnv4 all peer command
on the PEs, and you can view that a BGP peer relationship has been set up between the PEs.
<PE1> display bgp peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
3.3.3.9 4 100 2 6 0 00:00:12 Established 0
<PE1> display bgp vpnv4 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 3 Peers in established state : 3
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
3.3.3.9 4 100 12 18 0 00:09:38 Established 0
Peer of vpn instance:
VPN-Instance vpna, router ID 1.1.1.9:
10.1.1.1 4 65410 25 25 0 00:17:57 Established 1
VPN-Instance vpnb, router ID 1.1.1.9:
10.2.1.1 4 65420 21 22 0 00:17:10 Established 1

Step 6 Verify the configuration.


# Run the display ip routing-table vpn-instance command on the PEs, and you can view the
routes to the loopback interfaces of the CEs.
Take the display on PE1 as an example.
<PE1> display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 3 Routes : 3
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.2 GigabitEthernet1/0/0
10.1.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
11.11.11.11/32 BGP 255 0 RD 10.1.1.1 GigabitEthernet1/0/0
33.33.33.33/32 BGP 255 0 RD 3.3.3.9 LDP LSP
<PE1> display ip routing-table vpn-instance vpnb
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: vpnb
Destinations : 3 Routes : 3
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.2.1.0/24 Direct 0 0 D 10.2.1.2 GigabitEthernet2/0/0
10.2.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
10.2.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
22.22.22.22/32 BGP 255 0 RD 10.2.1.1 GigabitEthernet2/0/0
44.44.44.44/32 BGP 255 0 RD 3.3.3.9 LDP LSP

CEs in the same VPN can successfully ping each other whereas CEs in different VPNs cannot.
For example, CE1 can successfully ping CE3 at 10.3.1.1 but cannot successfully ping CE4 at
10.4.1.1.
[~CE1] ping -a 11.11.11.11 33.33.33.33
PING 33.33.33.33: 56 data bytes, press CTRL_C to break
Reply from 33.33.33.33: bytes=56 Sequence=1 ttl=251 time=72 ms
Reply from 33.33.33.33: bytes=56 Sequence=2 ttl=251 time=34 ms
Reply from 33.33.33.33: bytes=56 Sequence=3 ttl=251 time=50 ms
Reply from 33.33.33.33: bytes=56 Sequence=4 ttl=251 time=50 ms
Reply from 33.33.33.33: bytes=56 Sequence=5 ttl=251 time=34 ms
--- 33.33.33.33 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms
[~CE1] ping -a 11.11.11.11 44.44.44.44
PING 44.44.44.44: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 44.44.44.44 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

----End

Configuration Files
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
#
ipv4-family vpn-instance vpnb
peer 10.2.1.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
• Configuration file of the P
#
sysname P
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
peer 10.3.1.1 as-number 65430
#
ipv4-family vpn-instance vpnb
peer 10.4.1.1 as-number 65440
#
ospf 1
area 0.0.0.0
network 172.2.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return

• Configuration file of CE1


#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 11.11.11.11 255.255.255.255
#
bgp 65410
peer 10.1.1.2 as-number 100
network 11.11.11.11 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
#
return

• Configuration file of CE2


#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface LoopBack1
ip address 22.22.22.22 255.255.255.255
#
bgp 65420
peer 10.2.1.2 as-number 100
network 22.22.22.22 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.2.1.2 enable
#
return

• Configuration file of CE3


#
sysname CE3
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.3.1.1 255.255.255.0
#
interface LoopBack1
ip address 33.33.33.33 255.255.255.255
#
bgp 65430
peer 10.3.1.2 as-number 100
network 33.33.33.33 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.3.1.2 enable
#
return

• Configuration file of CE4


#
sysname CE4
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.4.1.1 255.255.255.0
#
interface LoopBack1
ip address 44.44.44.44 255.255.255.255
#
bgp 65440
peer 10.4.1.2 as-number 100
network 44.44.44.44 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.4.1.2 enable
#
return

Related Tasks
2.4 Configuring Basic BGP/MPLS IP VPN

2.18.2 Example for Configuring BGP AS Number Substitution


When sites in the same VPN have the same AS number and an EBGP neighbor relationship is
established between a PE and a CE, you need to enable AS number substitution on the PE.
Otherwise, the local CE discards the VPN routes that carry the local AS number. As a result,
users of the same VPN cannot communicate with each other.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

As shown in Figure 2-25, CE1 and CE2 belong to the same VPN. CE1 is connected to PE1;
CE2 is connected to PE2. Both CE1 and CE2 use AS 600. When EBGP runs between a PE and
a CE, the BGP routes sent from the CE to the PE carry the AS_Path attribute. The local PE sends
the BGP routes to the remote PE through MP-IBGP. When the remote PE sends the BGP routes
to its connected CE through EBGP, the CE discards the BGP routes whose AS_Path attribute
carries AS 600.

To address the preceding problem, it is required that AS number substitution be configured on
the PEs. In this manner, when a PE sends VPN routes to a CE through BGP, it substitutes its
own AS number (AS 100 in this example) for the AS numbers in the VPN routes. Then, the CE
can receive the remote VPN routes.
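The discard and the effect of substitution described above can be modelled in a few lines. The following Python sketch is an added example, not part of the Huawei guide: the route set is constructed from the display output on CE2 later in this example (AS_Path values as carried over MP-IBGP are inferred from that output), and the function names are hypothetical.

```python
PE_AS = 100   # backbone AS in this example
CE_AS = 600   # AS shared by CE1 and CE2

# Constructed input: VPN routes PE2 holds for vpn1 that originate at the
# PE1 site, with the AS_Path each route carries when it reaches PE2.
# An empty path is a route PE1 originated itself; [600] came from CE1.
PE2_VPN1_ROUTES = {
    "10.1.1.0/24": [],
    "10.1.1.1/32": [],
    "10.1.1.2/32": [600],
    "100.1.1.0/24": [600],
}


def pe_advertise(pe_as, ce_as, as_path, substitute_as=False):
    """AS_Path the PE sends to the CE over EBGP.

    With substitute_as, each occurrence of the CE's AS number is replaced
    by the PE's AS number; the PE then prepends its own AS number as it
    does for any EBGP update.
    """
    if substitute_as:
        as_path = [pe_as if asn == ce_as else asn for asn in as_path]
    return [pe_as] + list(as_path)


def ce_accepts(local_as, as_path):
    """EBGP loop check on the CE: discard routes whose AS_Path has our AS."""
    return local_as not in as_path


def routes_received_by_ce(vpn_routes, pe_as, ce_as, substitute_as):
    """Routes (prefix -> AS_Path) that survive the CE's loop check."""
    received = {}
    for prefix, path in vpn_routes.items():
        sent = pe_advertise(pe_as, ce_as, path, substitute_as)
        if ce_accepts(ce_as, sent):
            received[prefix] = sent
    return received


if __name__ == "__main__":
    for flag in (False, True):
        got = routes_received_by_ce(PE2_VPN1_ROUTES, PE_AS, CE_AS, flag)
        print("substitute-as" if flag else "no substitution")
        for prefix, path in sorted(got.items()):
            print("  %-14s %s" % (prefix, " ".join(map(str, path))))
```

Because substitution rewrites AS 600 in the path, the CE's AS_Path check can no longer recognise a route that originated in its own AS.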

Figure 2-25 Networking of BGP AS number substitution

[Figure: CE1 (VPN1, AS 600) connects to PE1 and CE2 (VPN1, AS 600) connects to PE2; PE1, P, and PE2 form the backbone in AS 100.]
Loopback1: PE1 1.1.1.9/32; P 2.2.2.9/32; PE2 3.3.3.9/32
PE1 to CE1: PE1 POS1/0/0 10.1.1.2/24; CE1 POS1/0/0 10.1.1.1/24
PE2 to CE2: PE2 POS1/0/0 10.2.1.2/24; CE2 POS1/0/0 10.2.1.1/24
PE-to-P links: POS interfaces in 20.1.1.0/24 (PE1 side) and 30.1.1.0/24 (PE2 side)
CE1: GE2/0/0 100.1.1.1/24
CE2: GE2/0/0 200.1.1.1/24

Configuration Notes
When configuring BGP AS number substitution, note the following:

• Configure EBGP on the PEs and CEs.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure basic BGP/MPLS IP VPN functions.


2. Configure BGP AS number substitution on the PEs.

Data Preparation
To complete the configuration, you need the following data:

• MPLS LSR IDs of the PEs and P
• VPN instances on PE1 and PE2
• AS numbers of the CEs (CE1 and CE2 having the same AS number that is different from
the AS number of the backbone network)

Procedure
Step 1 Configure basic BGP/MPLS IP VPN functions.

The configurations include the following:

• Configure OSPF on the MPLS backbone network so that the PEs and P can learn the routes
to the loopback interfaces of each other.
• Configure basic MPLS functions and MPLS LDP, and set up LDP LSPs on the MPLS
backbone network.
• Set up MP-IBGP peer relationships between the PEs and advertise VPNv4 routes.
• Configure the VPN instance enabled with the IPv4 address family of VPN1 on PE2 and
connect CE2 to PE2.
• Configure the VPN instance enabled with the IPv4 address family of VPN1 on PE1 and
connect CE1 to PE1.
• Configure EBGP on PE1 and CE1, and PE2 and CE2; import routes of each CE to its
connected PE.
After the configuration, run the display ip routing-table command on CE2, and you can view
that CE2 has learnt the route to the network segment (10.1.1.0/24) where the interface that
connects CE1 to PE1 resides, but there is no route to the VPN (100.1.1.0/24) of CE1. This is the
same on CE1.
<CE2> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 9 Routes : 9
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 BGP 255 0 D 10.2.1.2 Pos1/0/0
10.1.1.1/32 BGP 255 0 D 10.2.1.2 Pos1/0/0
10.2.1.0/24 Direct 0 0 D 10.2.1.1 Pos1/0/0
10.2.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.2.1.2/32 Direct 0 0 D 10.2.1.2 Pos1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
200.1.1.0/24 Direct 0 0 D 200.1.1.1 GigabitEthernet2/0/0
200.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Run the display ip routing-table vpn-instance command on the PEs, and you can view that
the VPN routing table has routes to the VPN of the CEs.
Take the display on PE2 as an example.
<PE2> display ip routing-table vpn-instance vpn1
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: vpn1
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 BGP 255 0 RD 1.1.1.9 Pos2/0/0
10.1.1.1/32 BGP 255 0 RD 1.1.1.9 Pos2/0/0
10.1.1.2/32 BGP 255 0 RD 1.1.1.9 Pos2/0/0
10.2.1.0/24 Direct 0 0 D 10.2.1.2 Pos1/0/0
10.2.1.1/32 Direct 0 0 D 10.2.1.1 Pos1/0/0
10.2.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
100.1.1.0/24 BGP 255 0 RD 1.1.1.9 Pos2/0/0
200.1.1.0/24 BGP 255 0 D 10.2.1.1 Pos1/0/0

Run the display bgp routing-table peer received-routes command on CE2, and you can view
that CE2 receives no route to 100.1.1.0/24.
<CE2> display bgp routing-table peer 10.2.1.2 received-routes
BGP Local router ID is 10.2.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 4
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.1.1.0/24 10.2.1.2 0 100?
*> 10.1.1.1/32 10.2.1.2 0 100?
* 10.2.1.0/24 10.2.1.2 0 0 100?
*> 10.2.1.1/32 10.2.1.2 0 0 100?

Step 2 Configure BGP AS number substitution.


Configure BGP AS number substitution on the PEs.
# Take PE2 as an example:
[~PE2] bgp 100
[~PE2-bgp] ipv4-family vpn-instance vpn1
[~PE2-bgp-vpn1] peer 10.2.1.1 substitute-as
[~PE2-bgp-vpn1] commit

Display the routing information and routing table received by CE2.


<CE2> display bgp routing-table peer 10.2.1.2 received-routes
BGP Local router ID is 10.2.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 6
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.1.1.0/24 10.2.1.2 0 100?
*> 10.1.1.1/32 10.2.1.2 0 100?
*> 10.1.1.2/32 10.2.1.2 0 100 100?
* 10.2.1.0/24 10.2.1.2 0 0 100?
* 10.2.1.1/32 10.2.1.2 0 0 100?
*> 100.1.1.0/24 10.2.1.2 0 100 100?
<CE2> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 10 Routes : 10
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 BGP 255 0 D 10.2.1.2 Pos1/0/0
10.1.1.1/32 BGP 255 0 D 10.2.1.2 Pos1/0/0
10.2.1.0/24 Direct 0 0 D 10.2.1.1 Pos1/0/0
10.2.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.2.1.2/32 Direct 0 0 D 10.2.1.2 Pos1/0/0
100.1.1.1/24 BGP 255 0 D 10.2.1.2 Pos1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
200.1.1.0/24 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
200.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

After BGP AS number substitution is configured on PE1, CE1 and CE2 can successfully ping
each other through their GE interfaces.
[~CE1] ping -a 100.1.1.1 200.1.1.1
PING 200.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 200.1.1.1: bytes=56 Sequence=1 ttl=253 time=109 ms
Reply from 200.1.1.1: bytes=56 Sequence=2 ttl=253 time=67 ms
Reply from 200.1.1.1: bytes=56 Sequence=3 ttl=253 time=66 ms
Reply from 200.1.1.1: bytes=56 Sequence=4 ttl=253 time=85 ms
Reply from 200.1.1.1: bytes=56 Sequence=5 ttl=253 time=70 ms
--- 200.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 66/79/109 ms

----End

Configuration Files
• Configuration file of CE1
#
sysname CE1
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 100.1.1.1 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.1 255.255.255.0
#
bgp 600
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return

• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 20.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 600
peer 10.1.1.1 substitute-as
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 20.1.1.0 0.0.0.255
#
return
• Configuration file of the P
#
sysname P
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 20.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 30.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 30.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 600
peer 10.2.1.1 substitute-as
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 30.1.1.0 0.0.0.255
#
return

• Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 200.1.1.1 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.2.1.1 255.255.255.0
#
bgp 600
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return

2.18.3 Example for Configuring the BGP SoO


By configuring the BGP SoO attribute, you can prevent routes sent from a VPN site from
returning to the same site after these routes travel through the backbone network. This avoids
routing loops in the VPN site.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

When multiple CEs in a VPN site access different PEs, VPN routes sent from CEs to PEs may
return to this VPN site after traveling through the backbone network. This may cause routing
loops in the VPN site.

As shown in Figure 2-26, CE1 and CE2 belong to Site 1; CE2 and CE3 access PE2; Site 1 and
Site 2 have the same AS number. EBGP runs between PEs and CEs. PE1 sends the routes
received from CE1 to PE2 through MP-IBGP, and then PE2 sends the received routes to CE2
and CE3. CE2, however, has learned these routes through an IGP in the VPN site. This may
cause routing loops in the VPN site.

The BGP SoO attribute must be configured so that PE2 checks the SoO attribute carried in the
routes to be sent to CE2. If PE2 finds that this SoO attribute is the same as the locally
configured SoO attribute, PE2 does not send these routes to CE2. This prevents routing loops in
Site 1. PE2 can still send these routes to CE3.

Figure 2-26 Networking diagram of configuring the BGP SoO

[Networking diagram: CE1 and CE2 in site1 (AS 65410), CE3 in site2 (AS 65410), and PE1 and PE2
in the backbone (AS 100). Interfaces and IP addresses are listed in the following table.]

Device  Interface   IP Address
CE1     Loopback1   11.11.11.11/32
        GE 1/0/0    192.168.1.2/30
        GE 2/0/0    192.168.4.1/30
PE1     Loopback1   1.1.1.1/32
        POS 1/0/1   10.1.1.1/30
        GE 1/0/0    192.168.1.1/30
PE2     Loopback1   2.2.2.2/32
        POS 1/0/1   10.1.1.2/30
        GE 1/0/0    192.168.2.1/30
        GE 2/0/0    192.168.3.1/30
CE2     Loopback1   22.22.22.22/32
        GE 1/0/0    192.168.2.2/30
        GE 2/0/0    192.168.4.2/30
CE3     Loopback1   33.33.33.33/32
        GE 1/0/0    192.168.3.2/30

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure an IP address for each interface and an IGP on the backbone network so that PEs
can communicate.
2. Enable MPLS and MPLS LDP on the backbone network so that LDP LSPs can be
established between PEs.
3. Establish MP-IBGP peer relationships between PEs.
4. Configure VPN instances on PEs and bind the interfaces connecting PEs to CEs to the VPN
instances.
5. Establish EBGP peer relationships between PEs and CEs, and enable AS number substitution
on PEs.
6. Configure the BGP SoO attribute on PEs for CEs.

Data Preparation
To complete the configuration, you need the following data:

• MPLS LSR IDs of PEs
• Names of the VPN instances created on PE1 and PE2, and the RDs and VPN targets of the
VPN instance IPv4 address family
• Numbers of the ASs where PEs and CEs reside
• Value of the BGP SoO attribute on PEs

Procedure
Step 1 Configure an IP address for each interface and an IGP on the backbone network so that PEs can
learn routes to loopback interfaces of each other.

In this example, OSPF is configured as an IGP. For configuration details, see "Configuration
Files."
After the configuration is complete, run the display ip routing-table command on PEs. The
command output shows that the PEs have learned the routes to loopback interfaces of each other.
Take the display on PE1 as an example.
<PE1> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 7 Routes : 7

Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
2.2.2.2/32 OSPF 10 1562 D 10.1.1.2 Pos1/0/1
10.1.1.0/30 Direct 0 0 D 10.1.1.1 Pos1/0/1
10.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.1.1.2/32 Direct 0 0 D 10.1.1.2 Pos1/0/1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Step 2 Enable MPLS and MPLS LDP on the backbone network so that LDP LSPs can be established
between PEs.
You need to enable MPLS and MPLS LDP on the PEs in the system view and interface view.
# Configure PE1.
[~PE1] mpls lsr-id 1.1.1.1
[~PE1] mpls
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] quit
[~PE1] interface pos1/0/1
[~PE1-Pos1/0/1] mpls
[~PE1-Pos1/0/1] mpls ldp
[~PE1-Pos1/0/1] quit
[~PE1] commit

The configuration of PE2 is similar to the configuration of PE1, and is not mentioned here. For
configuration details, see "Configuration Files."
After the configuration is complete, run the display mpls ldp lsp command on PEs. The
command output shows information about the labels assigned to the routes to loopback interfaces
on the other PEs. Take the display on PE1 as an example.
<PE1> display mpls ldp lsp

LDP LSP Information
-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
1.1.1.1/32 3/NULL 2.2.2.2 127.0.0.1 InLoop0
*1.1.1.1/32 Liberal
2.2.2.2/32 NULL/3 - 10.1.1.2 Pos1/0/1
2.2.2.2/32 1024/3 2.2.2.2 10.1.1.2 Pos1/0/1
-------------------------------------------------------------------------------
TOTAL: 3 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is in GR state
A '*' before a NextHop means the LSP is FRR LSP

Step 3 Establish MP-IBGP peer relationships between PEs.

# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] peer 2.2.2.2 as-number 100
[~PE1-bgp] peer 2.2.2.2 connect-interface loopback1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 2.2.2.2 enable
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit
[~PE1] commit

The configuration of PE2 is similar to the configuration of PE1, and is not mentioned here. For
configuration details, see "Configuration Files."

After the configuration is complete, run the display bgp peer or display bgp vpnv4 all peer
command on PEs. The command output shows that BGP peer relationships have been established
between the PEs. Take the display on PE1 as an example.
<PE1> display bgp peer

BGP local router ID : 10.1.1.1
Local AS number : 100
Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

2.2.2.2 4 100 187 186 0 02:44:06 Established 1

Step 4 On PEs, create VPN instances, enable IPv4 address families on the VPN instances, and bind the
interfaces connecting the PEs to CEs to the VPN instances.

# Configure PE1.
[~PE1] ip vpn-instance vpna
[~PE1-vpn-instance-vpna] ipv4-family
[~PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[~PE1-vpn-instance-vpna-af-ipv4] vpn-target 100:100
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] interface gigabitethernet1/0/0
[~PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[~PE1-GigabitEthernet1/0/0] ip address 192.168.1.1 30
[~PE1-GigabitEthernet1/0/0] quit
[~PE1] commit

# Configure PE2.
[~PE2] ip vpn-instance vpna
[~PE2-vpn-instance-vpna] ipv4-family
[~PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 100:2
[~PE2-vpn-instance-vpna-af-ipv4] vpn-target 100:100
[~PE2-vpn-instance-vpna-af-ipv4] quit
[~PE2-vpn-instance-vpna] quit
[~PE2] interface gigabitethernet1/0/0
[~PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[~PE2-GigabitEthernet1/0/0] ip address 192.168.2.1 30
[~PE2-GigabitEthernet1/0/0] quit
[~PE2] interface gigabitethernet2/0/0
[~PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[~PE2-GigabitEthernet2/0/0] ip address 192.168.3.1 30
[~PE2-GigabitEthernet2/0/0] quit
[~PE2] commit

After the configuration is complete, run the display ip vpn-instance command on PEs to view
the configurations of VPN instances.
Step 5 Establish EBGP peer relationships between PEs and CEs, enable AS number substitution on
PEs, and configure PEs to import routes from CEs.
In this configuration example, the two VPN sites have the same AS number. Therefore, AS
number substitution needs to be enabled on PE1 and PE2.
# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpna
[~PE1-bgp-vpna] peer 192.168.1.2 as-number 65410
[~PE1-bgp-vpna] peer 192.168.1.2 substitute-as
[~PE1-bgp-vpna] import-route direct
[~PE1-bgp-vpna] quit
[~PE1-bgp] quit
[~PE1] commit

# Configure CE1.
[~CE1] bgp 65410
[~CE1-bgp] peer 192.168.1.1 as-number 100
[~CE1-bgp] network 11.11.11.11 32
[~CE1-bgp] network 192.168.4.0 30
[~CE1-bgp] quit
[~CE1] commit

# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] ipv4-family vpn-instance vpna
[~PE2-bgp-vpna] peer 192.168.2.2 as-number 65410
[~PE2-bgp-vpna] peer 192.168.3.2 as-number 65410
[~PE2-bgp-vpna] peer 192.168.2.2 substitute-as
[~PE2-bgp-vpna] peer 192.168.3.2 substitute-as
[~PE2-bgp-vpna] import-route direct
[~PE2-bgp-vpna] quit
[~PE2-bgp] quit
[~PE2] commit

# Configure CE2.
[~CE2] bgp 65410
[~CE2-bgp] peer 192.168.2.1 as-number 100
[~CE2-bgp] network 22.22.22.22 32
[~CE2-bgp] network 192.168.4.0 30
[~CE2-bgp] quit
[~CE2] commit

# Configure CE3.
[~CE3] bgp 65410
[~CE3-bgp] peer 192.168.3.1 as-number 100
[~CE3-bgp] network 33.33.33.33 32
[~CE3-bgp] quit
[~CE3] commit

After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command
on PEs. The command output shows that the status of EBGP peer relationships between PEs
and CEs is Established. This indicates that EBGP peer relationships have been established
between PEs and CEs. Take the display on PE1 as an example.
<PE1> display bgp vpnv4 vpn-instance vpna peer

BGP local router ID : 10.1.1.1
Local AS number : 100

VPN-Instance vpna, router ID 10.1.1.1:
Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

192.168.1.2 4 65410 224 231 0 03:02:12 Established 1

Run the display bgp vpnv4 routing-table command on PEs. The command output shows
information about the routes sent from the PEs to CEs. The following takes the routes sent from
PE2 to CE2 as an example.
<PE2> display bgp vpnv4 vpn-instance vpna routing-table peer 192.168.2.2 advertised-routes

VPN-Instance vpna, router ID 2.2.2.2:

BGP Local router ID is 2.2.2.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 7
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 11.11.11.11/32 1.1.1.1 0 100 0 65410i
*> 22.22.22.22/32 192.168.2.2 0 0 65410i
*> 33.33.33.33/32 192.168.3.2 0 0 65410i
*>i 192.168.1.0/30 1.1.1.1 0 100 0 ?
*> 192.168.2.0/30 0.0.0.0 0 0 ?
*> 192.168.3.0/30 0.0.0.0 0 0 ?
*> 192.168.4.0/30 192.168.2.2 0 0 65410i

Step 6 Configure the BGP SoO attribute on PEs.


Because CE1 and CE2 reside in the same site, the same BGP SoO attribute needs to be configured
on PE1 and PE2 for CE1 and CE2 respectively. Because PE2 accesses two VPN sites, different
SoO attributes need to be configured on PE2 for different CEs.
# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpna
[~PE1-bgp-vpna] peer 192.168.1.2 soo 100:101
[~PE1-bgp-vpna] quit
[~PE1-bgp] quit
[~PE1] commit

# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] ipv4-family vpn-instance vpna
[~PE2-bgp-vpna] peer 192.168.2.2 soo 100:101
[~PE2-bgp-vpna] peer 192.168.3.2 soo 100:102
[~PE2-bgp-vpna] quit
[~PE2-bgp] quit
[~PE2] commit

Step 7 Verify the configuration.


After the configuration is complete, run the display bgp vpnv4 routing-table command on PE2
again. The command output shows that PE2 does not send any VPN route to CE2 and the routes
sent from PE2 to CE3 remain unchanged.
<PE2> display bgp vpnv4 vpn-instance vpna routing-table peer 192.168.3.2 advertised-routes

VPN-Instance vpna, router ID 2.2.2.2:

BGP Local router ID is 2.2.2.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 7
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 11.11.11.11/32 1.1.1.1 0 100 0 65410i
*> 22.22.22.22/32 192.168.2.2 0 0 65410i
*> 33.33.33.33/32 192.168.3.2 0 0 65410i
*>i 192.168.1.0/30 1.1.1.1 0 100 0 ?
*> 192.168.2.0/30 0.0.0.0 0 0 ?
*> 192.168.3.0/30 0.0.0.0 0 0 ?
*> 192.168.4.0/30 192.168.2.2 0 0 65410i

Run the display bgp vpnv4 routing-table command on PE2. The command output shows
information about the SoO attribute carried in the routes sent from PE2 to CE3.
<PE2> display bgp vpnv4 vpn-instance vpna routing-table 11.11.11.11 32

BGP local router ID : 2.2.2.2
Local AS number : 100

VPN-Instance vpna, router ID 2.2.2.2:
Paths: 1 available, 1 best, 1 select
BGP routing table entry information of 11.11.11.11/32:
Label information (Received/Applied): 1028/NULL
From: 1.1.1.1 (10.1.1.1)
Route Duration: 00h11m12s
Relay Tunnel Out-Interface: Pos1/0/1
Relay token: 0x800001
Original nexthop: 1.1.1.1
Qos information : 0x0
Ext-Community:RT <100 : 100>, SoO <100 : 101>
AS-path 65410, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, b
est, select, active, pre 255
Advertised to such 2 peers:
Update-Group 0 :
192.168.2.2
192.168.3.2

The preceding command output shows that after the BGP SoO attribute is configured, the VPN
routes received from CEs carry the SoO attribute, and PE2 does not send any route to CE2. This
indicates that the configuration of the BGP SoO attribute has taken effect.

----End
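
The following Python model is an added example, not code from this guide or from Huawei. It follows the routes that CE1 advertises through PE2's egress processing to show why AS number substitution (the preceding example) makes the SoO check necessary. The class and function names are illustrative, and the model assumes the standard BGP rule that a receiver discards an AS_PATH containing its own AS number.

```python
"""Model of AS-path loop detection, substitute-as and the SoO egress check.

Addresses, AS numbers and SoO values come from the SoO example on this page;
the class and function names are illustrative, not Huawei APIs.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

BACKBONE_AS = 100   # AS of PE1 and PE2
SITE_AS = 65410     # AS number shared by Site 1 and Site 2


@dataclass(frozen=True)
class CePeer:
    """A CE as configured under 'ipv4-family vpn-instance' on a PE."""
    name: str
    address: str
    remote_as: int
    substitute_as: bool = False
    soo: Optional[str] = None


@dataclass(frozen=True)
class VpnRoute:
    prefix: str
    as_path: Tuple[int, ...]   # AS_PATH as learned from the originating CE
    soo: Optional[str]         # SoO extended community, None if untagged


def pe_import(prefix, as_path, peer):
    """PE ingress: tag a route learned from a CE with that peer's SoO value."""
    return VpnRoute(prefix, tuple(as_path), peer.soo)


def pe_export(route, peer, local_as=BACKBONE_AS):
    """PE egress toward a CE: return the AS_PATH sent, or None if withheld."""
    # SoO check: a route carrying the peer's own SoO originated in that site.
    if peer.soo is not None and route.soo == peer.soo:
        return None
    path = route.as_path
    if peer.substitute_as:
        # AS substitution: the peer's AS number is replaced by the PE's own.
        path = tuple(local_as if asn == peer.remote_as else asn for asn in path)
    return (local_as,) + path   # EBGP prepends the local AS number


def ce_accepts(as_path, ce_as):
    """CE ingress: BGP loop detection drops a path that contains the CE's AS."""
    return ce_as not in as_path


def installed(routes, peer):
    """Routes that end up on the CE, mapped to the AS_PATH the CE sees."""
    result = {}
    for route in routes:
        path = pe_export(route, peer)
        if path is not None and ce_accepts(path, peer.remote_as):
            result[route.prefix] = path
    return result


def scenario(substitute_as, with_soo):
    """What CE2 and CE3 learn from PE2 about the routes CE1 advertises."""
    def soo(value):
        return value if with_soo else None
    ce1 = CePeer("CE1", "192.168.1.2", SITE_AS, substitute_as, soo("100:101"))
    ce2 = CePeer("CE2", "192.168.2.2", SITE_AS, substitute_as, soo("100:101"))
    ce3 = CePeer("CE3", "192.168.3.2", SITE_AS, substitute_as, soo("100:102"))
    # Routes CE1 injects with its 'network' commands; PE1 tags them on import
    # and they reach PE2 over MP-IBGP with AS_PATH and SoO unchanged.
    site1_routes = [
        pe_import("11.11.11.11/32", [SITE_AS], ce1),
        pe_import("192.168.4.0/30", [SITE_AS], ce1),
    ]
    return {peer.name: installed(site1_routes, peer) for peer in (ce2, ce3)}


if __name__ == "__main__":
    for sub, soo_on in ((False, False), (True, False), (True, True)):
        print(f"substitute-as={sub} soo={soo_on}: {scenario(sub, soo_on)}")
```

With substitution alone, CE2 accepts Site 1's own prefixes back from the backbone; with SoO configured, PE2 withholds them from CE2 while CE3 still receives them.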

Configuration Files
• Configuration file of CE1
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.2 255.255.255.252
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 192.168.4.1 255.255.255.252
#
interface LoopBack1
ip address 11.11.11.11 255.255.255.255
#
bgp 65410
peer 192.168.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
network 11.11.11.11 255.255.255.255
network 192.168.4.0 255.255.255.252
peer 192.168.1.1 enable
#
return

• Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.2.2 255.255.255.252
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 192.168.4.2 255.255.255.252
#
interface LoopBack1
ip address 22.22.22.22 255.255.255.255
#
bgp 65410
peer 192.168.2.1 as-number 100
#
ipv4-family unicast
undo synchronization
network 22.22.22.22 255.255.255.255
network 192.168.4.0 255.255.255.252
peer 192.168.2.1 enable
#
return

• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 100:100 export-extcommunity
vpn-target 100:100 import-extcommunity
#
mpls lsr-id 1.1.1.1
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 192.168.1.1 255.255.255.252
#
interface Pos1/0/1
undo shutdown
link-protocol ppp
ip address 10.1.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 192.168.1.2 as-number 65410
peer 192.168.1.2 substitute-as
peer 192.168.1.2 soo 100:101
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.3
#
return

• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:2
vpn-target 100:100 export-extcommunity
vpn-target 100:100 import-extcommunity
#
mpls lsr-id 2.2.2.2
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 192.168.2.1 255.255.255.252
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 192.168.3.1 255.255.255.252
#
interface Pos1/0/1
undo shutdown
link-protocol ppp
ip address 10.1.1.2 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 192.168.2.2 as-number 65410
peer 192.168.2.2 substitute-as
peer 192.168.2.2 soo 100:101
peer 192.168.3.2 as-number 65410
peer 192.168.3.2 substitute-as
peer 192.168.3.2 soo 100:102
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.3
#
return

• Configuration file of CE3
#
sysname CE3
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.3.2 255.255.255.252
#
interface LoopBack1
ip address 33.33.33.33 255.255.255.255
#
bgp 65410
peer 192.168.3.1 as-number 100
#
ipv4-family unicast
undo synchronization
network 33.33.33.33 255.255.255.255
peer 192.168.3.1 enable
#
return
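
As an added example (not part of this guide or of any Huawei tool), the script below parses PE configuration text in the format listed above, flags CE peers that have substitute-as but no soo value, and groups peers by SoO value so that CEs of the same site can be checked for a shared value. The rule that every substitute-as peer should carry an SoO value is a review policy assumed here, and the function names are hypothetical.

```python
"""Audit PE configuration text for substitute-as peers that lack an SoO value."""
from collections import defaultdict

# Abridged excerpts of the PE configuration files listed on this page.
PE1_SOO_EXAMPLE = """\
sysname PE1
#
bgp 100
peer 2.2.2.2 as-number 100
#
ipv4-family vpn-instance vpna
import-route direct
peer 192.168.1.2 as-number 65410
peer 192.168.1.2 substitute-as
peer 192.168.1.2 soo 100:101
#
return
"""
PE2_SOO_EXAMPLE = """\
sysname PE2
#
bgp 100
peer 1.1.1.1 as-number 100
#
ipv4-family vpn-instance vpna
import-route direct
peer 192.168.2.2 as-number 65410
peer 192.168.2.2 substitute-as
peer 192.168.2.2 soo 100:101
peer 192.168.3.2 as-number 65410
peer 192.168.3.2 substitute-as
peer 192.168.3.2 soo 100:102
#
return
"""
PE2_AS_SUBSTITUTION_EXAMPLE = """\
sysname PE2
#
bgp 100
peer 1.1.1.9 as-number 100
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 600
peer 10.2.1.1 substitute-as
import-route direct
#
return
"""


def parse_pe_config(text):
    """Return (sysname, {vpn_instance: {peer_ip: settings}}) for BGP CE peers."""
    device, instances, current = None, {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "sysname" and len(tokens) == 2:
            device = tokens[1]
        elif tokens[0] == "#":
            current = None   # '#' closes the current configuration view
        elif tokens[:2] == ["ipv4-family", "vpn-instance"] and len(tokens) == 3:
            current = instances.setdefault(tokens[2], {})
        elif current is not None and tokens[0] == "peer" and len(tokens) >= 3:
            peer = current.setdefault(
                tokens[1], {"as": None, "substitute_as": False, "soo": None})
            if tokens[2] == "substitute-as":
                peer["substitute_as"] = True
            elif tokens[2] in ("as-number", "soo") and len(tokens) == 4:
                peer["as" if tokens[2] == "as-number" else "soo"] = tokens[3]
    return device, instances


def missing_soo(text):
    """List (device, vpn_instance, peer) with substitute-as but no soo."""
    device, instances = parse_pe_config(text)
    return sorted((device, vpn, ip)
                  for vpn, peers in instances.items()
                  for ip, cfg in peers.items()
                  if cfg["substitute_as"] and cfg["soo"] is None)


def soo_groups(texts):
    """Map each SoO value to the (device, vpn_instance, peer) entries using it."""
    groups = defaultdict(list)
    for text in texts:
        device, instances = parse_pe_config(text)
        for vpn, peers in instances.items():
            for ip, cfg in peers.items():
                if cfg["soo"] is not None:
                    groups[cfg["soo"]].append((device, vpn, ip))
    return {value: sorted(entries) for value, entries in groups.items()}


if __name__ == "__main__":
    print(missing_soo(PE2_AS_SUBSTITUTION_EXAMPLE))
    print(soo_groups([PE1_SOO_EXAMPLE, PE2_SOO_EXAMPLE]))
```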

2.18.4 Example for Configuring CE Dual-Homing with EBGP Running Between a PE and a CE
CE dual-homing indicates that a CE is connected to the backbone network by two links that
work in either load balancing or master/backup mode.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

With the development of telecommunications services, all telecommunications services will be
carried on a unified IP network. Important services such as 3G/NGN, IPTV streaming media,
and VIP customer VPN require high network reliability. To improve network reliability, you must
consider, in addition to the reliability of network devices, link and network reliability,
including fast route convergence, fault detection, fast reroute, and path backup.

At the access layer, CE dual-homing is a common way to improve network reliability. The
networking where a CE is connected to two PEs that belong to the same VPN is called CE
dual-homing. In this case, the CE accesses the backbone network through two links. The two
links can work in either load balancing or master/backup mode.

As shown in Figure 2-27, CE1 resides at site1 of vpn1; CE2 resides at site2 of vpn1. CE1 is
dual-homed to PE1 and PE2; CE2 is dual-homed to PE3 and PE4.

If the data traffic from CE1 to CE2 is heavy whereas the traffic from CE2 to CE1 is light, the
data traffic from CE1 to CE2 can be transmitted in load balancing mode; the data traffic from
CE2 to CE1 can be forwarded by PE4 with PE3 as a backup.

Figure 2-27 Networking diagram of CE dual-homing

[Networking diagram: CE1 (vpn1 site1, AS 65410) is dual-homed to PE1 and PE2; CE2 (vpn1 site2,
AS 65420) is dual-homed to PE3 and PE4. In the VPN backbone (AS 100), PE1 connects to PE3
through P1 and PE2 connects to PE4 through P2. Interfaces and IP addresses are listed in the
following table.]

Device  Interface   IP Address
CE1     Loopback1   11.11.11.11/32
        GE 1/0/0    10.1.1.1/30
        GE 2/0/0    10.2.1.1/30
PE1     Loopback1   1.1.1.1/32
        GE 1/0/0    10.1.1.2/30
        POS 2/0/0   100.1.1.1/30
PE2     Loopback1   2.2.2.2/32
        GE 1/0/0    10.2.1.2/30
        POS 2/0/0   100.2.1.1/30
P1      Loopback1   5.5.5.5/32
        POS 1/0/0   100.1.1.2/30
        POS 2/0/0   100.3.1.1/30
P2      Loopback1   6.6.6.6/32
        POS 1/0/0   100.2.1.2/30
        POS 2/0/0   100.4.1.1/30
PE3     Loopback1   3.3.3.3/32
        POS 1/0/0   100.3.1.2/30
        GE 2/0/0    10.3.1.1/30
PE4     Loopback1   4.4.4.4/32
        POS 1/0/0   100.4.1.2/30
        GE 2/0/0    10.4.1.1/30
CE2     Loopback1   22.22.22.22/32
        GE 1/0/0    10.3.1.2/30
        GE 2/0/0    10.4.1.2/30

Configuration Notes
When configuring CE dual-homing with EBGP running between a PE and a CE, note the
following:
• The CE is dual-homed to two PEs configured with VPN instances of different RDs.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic BGP/MPLS IP VPN functions.
2. Configure load balancing for the data traffic from CE1 to CE2 in the BGP view of CE1.
3. Increase the MED value of the BGP-VPN route on PE3 to ensure that the next hop of the
route selected by CE2 to the users that access CE1 is PE4.

Data Preparation
To complete the configuration, you need the following data:
• MPLS LSR IDs of the PEs and P
• Names of the VPN instances, RDs, and VPN targets of the PEs
• AS numbers of the CEs

Procedure
Step 1 Configure an IGP on the MPLS backbone network to interconnect devices on the MPLS
backbone network.
# Assign an IP address to each interface on PE1. Note that the IP address of a loopback interface
uses a 32-bit mask.
<HUAWEI> system-view
[~HUAWEI] sysname PE1
[~PE1] interface loopback 1
[~PE1-LoopBack1] ip address 1.1.1.1 32
[~PE1-LoopBack1] commit
[~PE1-LoopBack1] quit
[~PE1] interface pos2/0/0
[~PE1-Pos2/0/0] ip address 100.1.1.1 30
[~PE1-Pos2/0/0] commit
[~PE1-Pos2/0/0] quit

# Configure IS-IS to advertise routes of each interface.
[~PE1] isis 1
[~PE1-isis-1] network-entity 10.0000.0000.0001.00
[~PE1-isis-1] commit
[~PE1-isis-1] quit
[~PE1] interface loopback 1
[~PE1-LoopBack1] isis enable 1
[~PE1-LoopBack1] commit
[~PE1-LoopBack1] quit
[~PE1] interface pos2/0/0
[~PE1-Pos2/0/0] isis enable 1
[~PE1-Pos2/0/0] commit
[~PE1-Pos2/0/0] quit

# The configurations of other devices on the backbone network are the same as the configuration
of PE1, and are not mentioned here. For details, see "Configuration Files."
After the configuration, run the display ip routing-table command. The command output shows
that PE1 and PE3, and PE2 and PE4, have learned the routes to each other's Loopback1 interfaces.
Take the display on PE1 as an example.
<PE1> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 9 Routes : 9
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
3.3.3.3/32 ISIS 15 20 D 100.1.1.2 Pos2/0/0
5.5.5.5/32 ISIS 15 10 D 100.1.1.2 Pos2/0/0
100.1.1.0/30 Direct 0 0 D 100.1.1.1 Pos2/0/0
100.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
100.1.1.2/32 Direct 0 0 D 100.1.1.2 Pos2/0/0
100.3.1.0/30 ISIS 15 20 D 100.1.1.2 Pos2/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Step 2 Configure basic MPLS functions and MPLS LDP, and set up LDP LSPs on the MPLS backbone
network.
# Configure PE1.
[~PE1] mpls lsr-id 1.1.1.1
[~PE1] mpls
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] quit
[~PE1] interface pos 2/0/0
[~PE1-Pos2/0/0] mpls
[~PE1-Pos2/0/0] mpls ldp
[~PE1-Pos2/0/0] commit
[~PE1-Pos2/0/0] quit

# The configurations of other devices on the backbone network are the same as the configuration
of PE1, and are not mentioned here. For details, see "Configuration Files."
After the configuration, LDP sessions can be set up between PE1 and the P and between the P
and PE2. Run the display mpls ldp session command. The command output shows that the Status
field is displayed as Operational. Run the display mpls ldp lsp command to check whether
LDP LSPs are set up.
Take the display on PE1 as an example.
<PE1> display mpls ldp session
LDP Session(s) in Public Network
------------------------------------------------------------------------------
Peer-ID Status LAM SsnRole SsnAge KA-Sent/Rcv
------------------------------------------------------------------------------
5.5.5.5:0 Operational DU Passive 000:07:02 1688/1688
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
LAM : Label Advertisement Mode SsnAge Unit : DDD:HH:MM
<PE1> display mpls ldp lsp
LDP LSP Information
------------------------------------------------------------------------------
SN DestAddress/Mask In/OutLabel Next-Hop In/Out-Interface
------------------------------------------------------------------------------
1 1.1.1.1/32 3/NULL 127.0.0.1 Pos2/0/0/InLoop0
2 3.3.3.3/32 NULL/1025 100.1.1.2 -------/Pos2/0/0
3 5.5.5.5/32 NULL/3 100.1.1.2 -------/Pos2/0/0
*4 100.1.1.0/30 Liberal
5 100.3.1.0/30 NULL/3 100.1.1.2 -------/Pos2/0/0
------------------------------------------------------------------------------
TOTAL: 4 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale

Step 3 Configure VPN instances enabled with the IPv4 address family on the PEs and connect the CEs
to the PEs through the VPN instances.

# Configure PE1. Configure vpn1 and specify its RD and VPN target. The VPN target configured
on the local PE must be the same as the VPN target of the MP-BGP peer PE so that sites in the
same VPN can communicate with each other.
[~PE1] ip vpn-instance vpn1
[~PE1-vpn-instance-vpn1] ipv4-family
[~PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[~PE1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 both
[~PE1-vpn-instance-vpn1-af-ipv4] commit
[~PE1-vpn-instance-vpn1-af-ipv4] quit
[~PE1-vpn-instance-vpn1] quit

# Bind the interface that connects PE1 to a CE to a VPN instance, and assign an IP address to
the interface.
[~PE1] interface gigabitethernet 1/0/0
[~PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpn1
[~PE1-GigabitEthernet1/0/0] ip address 10.1.1.2 30
[~PE1-GigabitEthernet1/0/0] commit
[~PE1-GigabitEthernet1/0/0] quit

# The configurations of PE2, PE3, and PE4 are similar to the configuration of PE1, and are not
mentioned here. For details, see "Configuration Files."

After the configuration, run the display ip vpn-instance verbose command on the PEs to view
the configurations of VPN instances.

Take the display on PE1 as an example.


<PE1> display ip vpn-instance verbose
Total VPN-Instances configured : 1
VPN-Instance Name and ID : vpn1, 1
Interfaces : GigabitEthernet1/0/0
Address family ipv4
Create date : 2008/09/18 14:17:15
Up time : 0 days, 07 hours, 23 minutes and 53 seconds
Route Distinguisher : 100:1
Export VPN Targets : 1:1
Import VPN Targets : 1:1
Label policy : label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe

Step 4 Configure EBGP on the PEs and CEs, and import VPN routes.


# Assign an IP address to each interface on the CEs as shown in Figure 2-27. The detailed
configuration is not mentioned here. For details, see "Configuration Files."
# On CE1, specify PE1 and PE2 as EBGP peers.
[~CE1] interface loopback 1
[~CE1-LoopBack1] ip address 11.11.11.11 32
[~CE1-LoopBack1] quit
[~CE1] bgp 65410
[~CE1-bgp] peer 10.1.1.2 as-number 100
[~CE1-bgp] peer 10.2.1.2 as-number 100
[~CE1-bgp] network 11.11.11.11 32
[~CE1-bgp] commit
[~CE1-bgp] quit

# On PE1, specify CE1 as an EBGP peer.


[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpn1
[~PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410
[~PE1-bgp-vpn1] commit
[~PE1-bgp-vpn1] quit

# On PE2, specify CE1 as an EBGP peer.


[~PE2] bgp 100
[~PE2-bgp] ipv4-family vpn-instance vpn1
[~PE2-bgp-vpn1] peer 10.2.1.1 as-number 65410
[~PE2-bgp-vpn1] commit
[~PE2-bgp-vpn1] quit

# On CE2, specify PE3 and PE4 as EBGP peers.


[~CE2] interface loopback 1
[~CE2-LoopBack1] ip address 22.22.22.22 32
[~CE2-LoopBack1] quit
[~CE2] bgp 65420
[~CE2-bgp] peer 10.3.1.1 as-number 100
[~CE2-bgp] peer 10.4.1.1 as-number 100
[~CE2-bgp] network 22.22.22.22 32
[~CE2-bgp] commit
[~CE2-bgp] quit

# On PE3, specify CE2 as an EBGP peer.


[~PE3] bgp 100
[~PE3-bgp] ipv4-family vpn-instance vpn1
[~PE3-bgp-vpn1] peer 10.3.1.2 as-number 65420
[~PE3-bgp-vpn1] commit
[~PE3-bgp-vpn1] quit

# On PE4, specify CE2 as an EBGP peer.


[~PE4] bgp 100
[~PE4-bgp] ipv4-family vpn-instance vpn1
[~PE4-bgp-vpn1] peer 10.4.1.2 as-number 65420
[~PE4-bgp-vpn1] commit
[~PE4-bgp-vpn1] quit

After the configuration, run the display bgp vpnv4 vpn-instance peer command on the PEs,
and you can view that BGP peer relationships have been established between the PEs and CEs.
Take the peer relationship between PE1 and CE1 as an example.
<PE1> display bgp vpnv4 vpn-instance vpn1 peer
BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 65410 408 435 0 06:16:09 Established 5

Each PE can successfully ping its connected CE. Take the display on PE1 as an example.
<PE1> ping -vpn-instance vpn1 11.11.11.11
PING 11.11.11.11: 56 data bytes, press CTRL_C to break
Reply from 11.11.11.11: bytes=56 Sequence=1 ttl=254 time=80 ms
Reply from 11.11.11.11: bytes=56 Sequence=2 ttl=254 time=20 ms
Reply from 11.11.11.11: bytes=56 Sequence=3 ttl=254 time=30 ms
Reply from 11.11.11.11: bytes=56 Sequence=4 ttl=254 time=50 ms
Reply from 11.11.11.11: bytes=56 Sequence=5 ttl=254 time=30 ms
--- 11.11.11.11 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/42/80 ms

Step 5 Set up an MP-IBGP peer relationship between the PEs.


# On PE1, specify PE3 as the IBGP peer and establish an IBGP peer relationship between PE1
and PE3 through loopback interfaces.
[~PE1] bgp 100
[~PE1-bgp] peer 3.3.3.3 as-number 100
[~PE1-bgp] peer 3.3.3.3 connect-interface loopback 1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 3.3.3.3 enable
[~PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit

# On PE3, specify PE1 as the IBGP peer and establish an IBGP peer relationship between PE3
and PE1 through loopback interfaces.
[~PE3] bgp 100
[~PE3-bgp] peer 1.1.1.1 as-number 100
[~PE3-bgp] peer 1.1.1.1 connect-interface loopback 1
[~PE3-bgp] ipv4-family vpnv4
[~PE3-bgp-af-vpnv4] peer 1.1.1.1 enable
[~PE3-bgp-af-vpnv4] commit
[~PE3-bgp-af-vpnv4] quit

# On PE2, specify PE4 as the IBGP peer and establish an IBGP peer relationship between PE2
and PE4 through loopback interfaces.
[~PE2] bgp 100
[~PE2-bgp] peer 4.4.4.4 as-number 100
[~PE2-bgp] peer 4.4.4.4 connect-interface loopback 1
[~PE2-bgp] ipv4-family vpnv4
[~PE2-bgp-af-vpnv4] peer 4.4.4.4 enable
[~PE2-bgp-af-vpnv4] commit
[~PE2-bgp-af-vpnv4] quit

# On PE4, specify PE2 as the IBGP peer and establish an IBGP peer relationship between PE4
and PE2 through loopback interfaces.
[~PE4] bgp 100
[~PE4-bgp] peer 2.2.2.2 as-number 100
[~PE4-bgp] peer 2.2.2.2 connect-interface loopback 1
[~PE4-bgp] ipv4-family vpnv4
[~PE4-bgp-af-vpnv4] peer 2.2.2.2 enable
[~PE4-bgp-af-vpnv4] commit
[~PE4-bgp-af-vpnv4] quit

After the configuration, run the display bgp peer or display bgp vpnv4 all peer command on
the PEs, and you can view that the BGP peer relationships have been established between the
PEs.
<PE1> display bgp peer
BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
3.3.3.3 4 100 2 6 0 00:00:12 Established 0
<PE1> display bgp vpnv4 all peer
BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
3.3.3.3 4 100 12 18 0 00:09:38 Established 0
Peer of vpn instance:
VPN-Instance vpn1, router ID 1.1.1.1:
10.1.1.1 4 65410 25 25 0 00:17:57 Established 1

Step 6 On CE1, enable load balancing for the traffic from CE1 to CE2.
[~CE1] bgp 65410
[~CE1-bgp] ipv4-family unicast
[~CE1-bgp-af-ipv4] maximum load-balancing 2
[~CE1-bgp-af-ipv4] commit

Step 7 Configure a routing policy. Increase the MED value of the BGP route advertised by PE3 to CE2
and ensure that the traffic from CE2 to CE1 passes through PE4. PE3 functions as a backup.
[~PE3] route-policy policy1 permit node 10
[~PE3-route-policy] apply cost 120
[~PE3-route-policy] commit
[~PE3-route-policy] quit
[~PE3] bgp 100
[~PE3-bgp] ipv4-family vpn-instance vpn1
[~PE3-bgp-vpn1] peer 10.3.1.2 route-policy policy1 export
[~PE3-bgp-vpn1] commit

Display the BGP routing table of CE2. You can view that, for the route to 11.11.11.11/32, the
MED value advertised by PE3 is 120. This value is greater than the MED value advertised by
PE4. Therefore, the route advertised by PE4 is preferred. By default, the MED value is 0.
<CE2> display bgp routing-table
BGP Local router ID is 11.11.11.11
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 11.11.11.11/32 10.4.1.1 0 100 65410?
* 10.3.1.1 120 0 100 65410?
*> 22.22.22.22/32 0.0.0.0 0 0 ?

Step 8 Verify the configuration.


Run the display ip routing-table command on CE1, and you can view the routes to the users
connected to CE2 and that traffic is transmitted in load balancing mode.
<CE1> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 8 Routes : 9

Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/30 Direct 0 0 D 10.1.1.1 Gigabitethernet1/0/0
10.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.2.1.0/30 Direct 0 0 D 10.2.1.1 Gigabitethernet2/0/0
10.2.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
11.11.11.11/32 Direct 0 0 D 127.0.0.1 LoopBack1
22.22.22.22/32 BGP 255 0 D 10.1.1.2 Gigabitethernet1/0/0
BGP 255 0 D 10.2.1.2 Gigabitethernet2/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Run the display ip routing-table command on CE2, and you can view the routes to the users
connected to CE1. The next hop of the routes is 10.4.1.1, which is the IP address of
the interface that connects PE4 to CE2.
<CE2> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 8 Routes : 8

Destination/Mask Proto Pre Cost Flags NextHop Interface
11.11.11.11/32 BGP 255 0 D 10.4.1.1 Gigabitethernet2/0/0
22.22.22.22/32 Direct 0 0 D 127.0.0.1 LoopBack1
10.3.1.0/30 Direct 0 0 D 10.3.1.2 GigabitEthernet1/0/0
10.3.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.4.1.0/30 Direct 0 0 D 10.4.1.2 Gigabitethernet2/0/0
10.4.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

----End

Configuration Files
• Configuration file of CE1
#
sysname CE1
#
interface Gigabitethernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.252
#
interface Gigabitethernet2/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.252
#
interface Loopback1
undo shutdown
ip address 11.11.11.11 255.255.255.255
#
bgp 65410
peer 10.1.1.2 as-number 100
peer 10.2.1.2 as-number 100
network 11.11.11.11 255.255.255.255
#
ipv4-family unicast
undo synchronization
maximum load-balancing 2
peer 10.1.1.2 enable
peer 10.2.1.2 enable
#
return


• Configuration file of PE1


#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0001.00
#
interface Gigabitethernet1/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.252
#
interface Pos2/0/0
link-protocol ppp
undo shutdown
ip address 100.1.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
isis enable 1
#
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 65410
#
return

• Configuration file of PE2


#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.2
#
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0002.00
#
interface Gigabitethernet1/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.252
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 100.2.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
isis enable 1
#
bgp 100
peer 4.4.4.4 as-number 100
peer 4.4.4.4 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 4.4.4.4 enable
#
ipv4-family vpnv4
policy vpn-target
peer 4.4.4.4 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 65410
#
return

• Configuration file of P1
#
sysname P1
#
mpls lsr-id 5.5.5.5
#
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0005.00
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.1.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 100.3.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface LoopBack1
ip address 5.5.5.5 255.255.255.255
isis enable 1
#


return
• Configuration file of P2
#
sysname P2
#
mpls lsr-id 6.6.6.6
#
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0006.00
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.2.1.2 255.255.255.252
mpls
mpls ldp
isis enable 1
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 100.4.1.1 255.255.255.252
mpls
mpls ldp
isis enable 1
#
interface LoopBack1
ip address 6.6.6.6 255.255.255.255
isis enable 1
#
return
• Configuration file of PE3
#
sysname PE3
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:3
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 3.3.3.3
#
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0003.00
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.3.1.2 255.255.255.252
mpls
mpls ldp
isis enable 1
#
interface Gigabitethernet2/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 10.3.1.1 255.255.255.252
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
isis enable 1
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
peer 10.3.1.2 as-number 65420
peer 10.3.1.2 route-policy policy1 export
#
route-policy policy1 permit node 10
apply cost 120
#
return
• Configuration file of PE4
#
sysname PE4
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:4
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 4.4.4.4
#
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0004.00
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.4.1.2 255.255.255.252
mpls
mpls ldp
isis enable 1
#
interface Gigabitethernet2/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 10.4.1.1 255.255.255.252
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
isis enable 1
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpn1
peer 10.4.1.2 as-number 65420
#
return

• Configuration file of CE2


#
sysname CE2
#
interface Gigabitethernet1/0/0
undo shutdown
ip address 10.3.1.2 255.255.255.252
#
interface Gigabitethernet2/0/0
undo shutdown
ip address 10.4.1.2 255.255.255.252
#
interface Loopback1
undo shutdown
ip address 22.22.22.22 255.255.255.255
#
bgp 65420
peer 10.3.1.1 as-number 100
peer 10.4.1.1 as-number 100
network 22.22.22.22 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.3.1.1 enable
peer 10.4.1.1 enable
#
return

2.18.5 Example for Configuring Double RRs for the Optimization of the VPN Backbone Layer
If a great number of MP-IBGP connections exist between PEs, you can configure RRs to reduce
the number of MP-IBGP connections and the workload of PEs, thus optimizing the VPN
backbone layer.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

When deploying a VPN, you can configure double route reflectors (RRs) on the VPN to improve
reliability. To achieve this, you need to select two RRs from the Ps in the same AS on the
backbone network and ensure that the two RRs back up each other and reflect routes of the public
network and VPNv4.


Figure 2-28 Networking of configuring double RRs for the optimization of the VPN backbone layer

As shown in Figure 2-28, PE1, PE2, RR1, and RR2 are within AS100 of the backbone network.
CE1 and CE2 belong to vpna. It is required that RR1 and RR2 be configured as RRs.

Configuration Notes
When configuring double RRs for the optimization of the VPN backbone layer, note the
following:

• The RRs do not filter the received VPNv4 routes based on VPN targets.
• The RRs that back up each other are configured with the same cluster ID.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure an IGP, enable MPLS and MPLS LDP, and set up LDP LSPs on the MPLS
backbone network.
2. Set up MP-IBGP connections between the PEs and RRs. There is no need to set up an
MP-IBGP connection between PEs.
3. Set up an EBGP connection between each PE and CE.
4. Configure RR1 and RR2 to back up each other and configure them with the same cluster
ID.
5. Configure RR1 and RR2 to receive all VPNv4 routing information without filtering the
information based on VPN targets because RR1 and RR2 must save all VPNv4 routing
information and advertise it to PEs.


NOTE

On the VPN with double RRs, there must be at least two paths not sharing the same network segment or
node between each RR and PE. Otherwise, the double RRs are inapplicable.

Data Preparation
To complete the configuration, you need the following data:
• MPLS LSR IDs of the PEs and RRs
• Names, RDs, and VPN targets of the VPN instances on PE1 and PE2
• AS numbers of the PEs and CEs
• BGP peer group name

Configuration Procedures
1. Configure an IGP on the MPLS backbone network to implement interworking of devices
along the LSP.
In this example, OSPF is used as the IGP. For details, see "Configuration Files."
NOTE

The IP addresses of loopback interfaces that are used as LSR IDs need to be advertised.
After the configuration, the devices along the LSP can learn the address of the loopback
interface from each other.
Take the display on PE1 as an example.
<PE1> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 15 Routes : 17
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.9/32 Direct 0 0 D 127.0.0.1 InLoopBack0
2.2.2.9/32 OSPF 10 2 D 100.1.2.2 Pos1/0/0
3.3.3.9/32 OSPF 10 2 D 100.1.3.2 Pos3/0/0
4.4.4.9/32 OSPF 10 3 D 100.1.3.2 Pos3/0/0
OSPF 10 3 D 100.1.2.2 Pos1/0/0
100.1.2.0/24 Direct 0 0 D 100.1.2.1 Pos1/0/0
100.1.2.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
100.1.2.2/32 Direct 0 0 D 100.1.2.2 Pos1/0/0
100.1.3.0/24 Direct 0 0 D 100.1.3.1 Pos3/0/0
100.1.3.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
100.1.3.2/32 Direct 0 0 D 100.1.3.2 Pos3/0/0
100.2.3.0/24 OSPF 10 2 D 100.1.3.2 Pos3/0/0
OSPF 10 2 D 100.1.2.2 Pos1/0/0
100.2.4.0/24 OSPF 10 2 D 100.1.2.2 Pos1/0/0
100.3.4.0/24 OSPF 10 2 D 100.1.3.2 Pos3/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

2. Set up LSPs on the MPLS backbone network.


Enable MPLS and MPLS LDP on the devices and interfaces along the LSP. For details,
see "Configuration Files."
After the configuration, run the display mpls ldp session command on the PEs and RRs,
and you can view that the Status field is displayed as Operational.
Take the display on PE1 and RR1 as an example:
<PE1> display mpls ldp session
LDP Session(s) in Public Network
----------------------------------------------------------------------
Peer-ID Status LAM SsnRole SsnAge KA-Sent/Rcv
----------------------------------------------------------------------
2.2.2.9:0 Operational DU Passive 000:00:01 8/8
3.3.3.9:0 Operational DU Passive 000:00:00 4/4
----------------------------------------------------------------------
TOTAL: 2 session(s) Found.
LAM : Label Advertisement Mode SsnAge Unit : DDD:HH:MM
<RR1> display mpls ldp session
LDP Session(s) in Public Network
----------------------------------------------------------------------
Peer-ID Status LAM SsnRole SsnAge KA-Sent/Rcv
----------------------------------------------------------------------
1.1.1.9:0 Operational DU Active 000:00:02 11/11
3.3.3.9:0 Operational DU Passive 000:00:01 8/8
4.4.4.9:0 Operational DU Passive 000:00:00 4/4
----------------------------------------------------------------------
TOTAL: 3 session(s) Found.
LAM : Label Advertisement Mode SsnAge Unit : DDD:HH:MM
3. Set up the MP-IBGP peer relationship between each PE and RR.
# Configure PE1.
<PE1> system-view
[~PE1] bgp 100
[~PE1-bgp] peer 2.2.2.9 as-number 100
[~PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[~PE1-bgp] peer 3.3.3.9 as-number 100
[~PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[~PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[~PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit
# Configure RR1.
<RR1> system-view
[~RR1] bgp 100
[~RR1-bgp] peer 1.1.1.9 as-number 100
[~RR1-bgp] peer 1.1.1.9 connect-interface loopback 1
[~RR1-bgp] peer 3.3.3.9 as-number 100
[~RR1-bgp] peer 3.3.3.9 connect-interface loopback 1
[~RR1-bgp] peer 4.4.4.9 as-number 100
[~RR1-bgp] peer 4.4.4.9 connect-interface loopback 1
[~RR1-bgp] ipv4-family vpnv4
[~RR1-bgp-af-vpnv4] peer 1.1.1.9 enable
[~RR1-bgp-af-vpnv4] peer 3.3.3.9 enable
[~RR1-bgp-af-vpnv4] peer 4.4.4.9 enable
[~RR1-bgp-af-vpnv4] commit
[~RR1-bgp-af-vpnv4] quit
[~RR1-bgp] quit
# Configure RR2.
<RR2> system-view
[~RR2] bgp 100
[~RR2-bgp] peer 1.1.1.9 as-number 100
[~RR2-bgp] peer 1.1.1.9 connect-interface loopback 1
[~RR2-bgp] peer 2.2.2.9 as-number 100
[~RR2-bgp] peer 2.2.2.9 connect-interface loopback 1
[~RR2-bgp] peer 4.4.4.9 as-number 100
[~RR2-bgp] peer 4.4.4.9 connect-interface loopback 1
[~RR2-bgp] ipv4-family vpnv4
[~RR2-bgp-af-vpnv4] peer 1.1.1.9 enable
[~RR2-bgp-af-vpnv4] peer 2.2.2.9 enable
[~RR2-bgp-af-vpnv4] peer 4.4.4.9 enable
[~RR2-bgp-af-vpnv4] commit
[~RR2-bgp-af-vpnv4] quit
[~RR2-bgp] quit
# Configure PE2.
The configuration of PE2 is similar to the configuration of PE1, and is not mentioned here.


After the configuration, run the display bgp vpnv4 all peer command on the PEs, and you
can view that the IBGP peer relationship is established between each PE and RR, and the
EBGP peer relationship is established between each PE and CE.
Take the display on PE1 and RR1 as an example.
<PE1> display bgp vpnv4 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 3 Peers in established state : 3
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2.2.2.9 4 100 2 4 0 00:00:31 Established 0
3.3.3.9 4 100 3 5 0 00:01:23 Established 0

4. Set up the EBGP peer relationships between the PEs and CEs and import VPN routes.
For details, see 2.18.1 Example for Configuring BGP/MPLS IP VPN.
5. Configure a VPN instance enabled with the IPv4 address family on each PE.
For details, see 2.18.1 Example for Configuring BGP/MPLS IP VPN.
6. Configure route reflection on RR1 and RR2.
# Configure RR1.
[~RR1] bgp 100
[~RR1-bgp] ipv4-family vpnv4
[~RR1-bgp-af-vpnv4] reflector cluster-id 100
[~RR1-bgp-af-vpnv4] peer 1.1.1.9 reflect-client
[~RR1-bgp-af-vpnv4] peer 3.3.3.9 reflect-client
[~RR1-bgp-af-vpnv4] peer 4.4.4.9 reflect-client
[~RR1-bgp-af-vpnv4] undo policy vpn-target
[~RR1-bgp-af-vpnv4] commit
[~RR1-bgp-af-vpnv4] quit

# Configure RR2.
[~RR2] bgp 100
[~RR2-bgp] ipv4-family vpnv4
[~RR2-bgp-af-vpnv4] reflector cluster-id 100
[~RR2-bgp-af-vpnv4] peer 1.1.1.9 reflect-client
[~RR2-bgp-af-vpnv4] peer 2.2.2.9 reflect-client
[~RR2-bgp-af-vpnv4] peer 4.4.4.9 reflect-client
[~RR2-bgp-af-vpnv4] undo policy vpn-target
[~RR2-bgp-af-vpnv4] commit
[~RR2-bgp-af-vpnv4] quit

7. Verify the configuration.


Check the VPN routing table on the PEs, and you can view routes to the loopback interfaces
of the remote CEs.
Take the display on PE1 as an example.
<PE1> display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost Flags NextHop Interface
11.11.11.11/32 BGP 255 0 RD 10.1.1.1 Pos2/0/0
22.22.22.22/32 BGP 255 0 RD 4.4.4.9 Pos3/0/0

CE1 and CE2 can successfully ping each other. This indicates that the configuration
succeeds.
After the shutdown command is run in the view of POS 3/0/0 on PE1 or POS 3/0/0 on
PE2, CE1 and CE2 can still successfully ping each other. This indicates that the two RRs
are successfully configured.


Configuration Files
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.1.2.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 100.1.3.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 100.1.2.0 0.0.0.255
network 100.1.3.0 0.0.0.255
#
return

• Configuration file of RR1


#
sysname RR1
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.1.2.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 100.2.3.1 255.255.255.0
mpls
mpls ldp
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 100.2.4.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface loopback 1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface loopback 1
peer 4.4.4.9 as-number 100
peer 4.4.4.9 connect-interface loopback 1
#
ipv4-family unicast
undo synchronization
peer 4.4.4.9 enable
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
reflector cluster-id 100
undo policy vpn-target
peer 1.1.1.9 enable
peer 1.1.1.9 reflect-client
peer 3.3.3.9 enable
peer 3.3.3.9 reflect-client
peer 4.4.4.9 enable
peer 4.4.4.9 reflect-client
#
ospf 1
area 0.0.0.0
network 100.1.2.0 0.0.0.255
network 100.2.3.0 0.0.0.255
network 100.2.4.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
• Configuration file of RR2
#
sysname RR2
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.2.3.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 100.3.4.1 255.255.255.0
mpls
mpls ldp
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 100.1.3.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
peer 4.4.4.9 as-number 100
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 2.2.2.9 enable
peer 4.4.4.9 enable
#
ipv4-family vpnv4
reflector cluster-id 100
undo policy vpn-target
peer 1.1.1.9 enable
peer 1.1.1.9 reflect-client
peer 2.2.2.9 enable
peer 2.2.2.9 reflect-client
peer 4.4.4.9 enable
peer 4.4.4.9 reflect-client
#
ospf 1
area 0.0.0.0
network 100.2.3.0 0.0.0.255
network 100.3.4.0 0.0.0.255
network 100.1.3.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 4.4.4.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.3.4.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpna
ip address 10.2.1.2 255.255.255.0
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 100.2.4.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 10.2.1.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 100.3.4.0 0.0.0.255
network 100.2.4.0 0.0.0.255
#
return
• Configuration file of CE1
#
sysname CE1
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 11.11.11.11 255.255.255.255
#
bgp 65410
peer 10.1.1.2 as-number 100
network 11.11.11.11 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
#
return

• Configuration file of CE2
#
sysname CE2
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.2.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 22.22.22.22 255.255.255.255
#
bgp 65420
peer 10.2.1.2 as-number 100
network 22.22.22.22 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.2.1.2 enable
#
return

Related Tasks
2.5 Configuring Route Reflection to Optimize the VPN Backbone Layer

2.18.6 Example for Configuring an RR for the Optimization of the VPN Access Layer
If a PE and its connected CEs are in the same AS, you can deploy a BGP RR to reduce the
number of IBGP connections between the CEs and facilitate maintenance and management.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, an interface is numbered in the format of chassis ID/
slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

Figure 2-29 shows the networking of a BGP/MPLS IP VPN. CE1, CE2, CE3, and CE4 belong
to vpna; CE1, CE2, CE3 and PE1 are in the same AS and all these three CEs are connected to
PE1. It is required that PE1 be configured as an RR to reduce the number of IBGP connections
between CE1, CE2, and CE3 and reflect private routes.

Figure 2-29 Networking for configuring an RR for the optimization of the VPN access layer
[Figure: network diagram. Addressing recoverable from the figure:
 CE1: GE1/0/0 10.1.1.2/24, Loopback1 11.11.11.11/32
 CE2: GE1/0/0 10.2.1.2/24, Loopback1 22.22.22.22/32
 CE3: GE1/0/0 10.3.1.2/24, Loopback1 33.33.33.33/32
 PE1: GE1/0/0 10.1.1.1/24, GE2/0/0 10.2.1.1/24, GE3/0/0 10.3.1.1/24,
      POS1/0/0 100.3.1.1/24, Loopback1 1.1.1.1/32
 PE2: POS1/0/0 100.3.1.2/24, GE1/0/0 10.4.1.1/24, Loopback1 2.2.2.2/32
 CE4: GE1/0/0 10.4.1.2/24, Loopback1 44.44.44.44/32
 PE1 and PE2 are on the MPLS backbone, AS 100.]

Configuration Notes
When configuring an RR for the optimization of the VPN access layer, note the following:

• The interfaces that connect PE1 to CE1, CE2, and CE3 are bound to the same VPN instance.
• PE1, CE1, CE2, and CE3 are in the same AS.
• An IBGP connection is set up between PE1 and each of CE1, CE2, and CE3, and the direct
routes of PE1 are imported into the BGP VPN instance IPv4 address family so that the next
hop of a route from a CE can be iterated when the route is reflected to the other CEs.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure basic BGP/MPLS IP VPN functions.
2. Set up an IBGP connection between PE1 and each of CE1, CE2, and CE3.
3. Configure PE1 as an RR to reflect routes from each CE.

Data Preparation
To complete the configuration, you need the following data:

• MPLS LSR IDs of PEs
• Names, RDs, and VPN targets of the VPN instances on PE1 and PE2
• AS numbers of the PEs and CEs

Configuration Procedures
1. Configure an IGP on the MPLS backbone network so that the PEs can learn the routes to
the loopback interfaces of each other. The detailed configuration is not mentioned here.
For details, see "Configuration Files."
2. Set up an LSP on the MPLS backbone network.
Enable MPLS and MPLS LDP on the devices and interfaces along the LSP. For details,
see "Configuration Files."
After the configuration, run the display mpls ldp session command on the PEs, and you
can view that the Status field is displayed as Operational.
Take the display on PE1 as an example.
<PE1> display mpls ldp session
LDP Session(s) in Public Network
--------------------------------------------------------------------------
Peer-ID Status LAM SsnRole SsnAge KA-Sent/Rcv
--------------------------------------------------------------------------
2.2.2.2:0 Operational DU Passive 011:19:20 67949/67949
--------------------------------------------------------------------------
TOTAL: 1 Session(s) Found.
LAM : Label Advertisement Mode SsnAge Unit : DDD:HH:MM

3. Set up MP-IBGP peer relationships between the PEs.


# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] peer 2.2.2.2 as-number 100
[~PE1-bgp] peer 2.2.2.2 connect-interface loopback 1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 2.2.2.2 enable
[~PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit

# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] peer 1.1.1.1 as-number 100
[~PE2-bgp] peer 1.1.1.1 connect-interface loopback 1
[~PE2-bgp] ipv4-family vpnv4
[~PE2-bgp-af-vpnv4] peer 1.1.1.1 enable
[~PE2-bgp-af-vpnv4] commit
[~PE2-bgp-af-vpnv4] quit
[~PE2-bgp] quit

After the configuration, run the display bgp vpnv4 all peer command on the PEs, and you
can view that the MP-IBGP peer relationship has been established between the PEs.
<PE1> display bgp vpnv4 all peer

BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 1 Peers in established state : 1

Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
2.2.2.2         4   100     1633     1641     0 27:09:46 Established       0

4. Configure a VPN instance enabled with the IPv4 address family on each PE and bind the
PE interfaces that connect to the CEs to the VPN instance.
# Configure PE1, and bind the PE1 interfaces that connect to the CEs to the same VPN
instance.
[~PE1] ip vpn-instance vpna
[~PE1-vpn-instance-vpna] ipv4-family
[~PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[~PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] interface gigabitethernet 1/0/0
[~PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[~PE1-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[~PE1-GigabitEthernet1/0/0] quit
[~PE1] interface gigabitethernet 2/0/0
[~PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[~PE1-GigabitEthernet2/0/0] ip address 10.2.1.1 24
[~PE1-GigabitEthernet2/0/0] quit
[~PE1] interface gigabitethernet 3/0/0
[~PE1-GigabitEthernet3/0/0] ip binding vpn-instance vpna
[~PE1-GigabitEthernet3/0/0] ip address 10.3.1.1 24
[~PE1-GigabitEthernet3/0/0] quit
[~PE1] commit

# Configure PE2.
[~PE2] ip vpn-instance vpna
[~PE2-vpn-instance-vpna] ipv4-family
[~PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[~PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE2-vpn-instance-vpna-af-ipv4] quit
[~PE2-vpn-instance-vpna] quit
[~PE2] interface gigabitethernet 1/0/0
[~PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[~PE2-GigabitEthernet1/0/0] ip address 10.4.1.1 24
[~PE2-GigabitEthernet1/0/0] quit
[~PE2] commit

# After the configuration, run the display ip vpn-instance verbose command on PEs to
view the configurations of VPN instances.
Take the display on PE1 as an example.
<PE1> display ip vpn-instance verbose
Total VPN-Instances configured : 1

VPN-Instance Name and ID : vpna, 1


Interfaces : GigabitEthernet1/0/0,
GigabitEthernet2/0/0,
GigabitEthernet3/0/0
Address family ipv4
Create date : 2009/12/06 15:39:50
Up time : 0 days, 00 hours, 02 minutes and 22 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label policy : label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe

5. Set up an IBGP peer relationship between PE1 and each of CE1, CE2, and CE3.
# Configure PE1 as an IBGP peer for each of CE1, CE2, and CE3, and import direct routes
to the BGP VPN instance IPv4 address family routing table of PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpna
[~PE1-bgp-vpna] peer 10.1.1.2 as-number 100
[~PE1-bgp-vpna] peer 10.2.1.2 as-number 100
[~PE1-bgp-vpna] peer 10.3.1.2 as-number 100
[~PE1-bgp-vpna] import-route direct
[~PE1-bgp-vpna] commit
[~PE1-bgp-vpna] quit

# Configure CE1.
[~CE1] interface loopback 1
[~CE1-Loopback1] ip address 11.11.11.11 32
[~CE1-Loopback1] quit
[~CE1] bgp 100
[~CE1-bgp] peer 10.1.1.1 as-number 100
[~CE1-bgp] network 11.11.11.11 32
[~CE1-bgp] commit

# Configure CE2.
[~CE2] interface loopback 1
[~CE2-Loopback1] ip address 22.22.22.22 32
[~CE2-Loopback1] quit
[~CE2] bgp 100
[~CE2-bgp] peer 10.2.1.1 as-number 100
[~CE2-bgp] network 22.22.22.22 32
[~CE2-bgp] commit

# Configure CE3.
[~CE3] interface loopback 1
[~CE3-Loopback1] ip address 33.33.33.33 32
[~CE3-Loopback1] quit
[~CE3] bgp 100
[~CE3-bgp] peer 10.3.1.1 as-number 100
[~CE3-bgp] network 33.33.33.33 32
[~CE3-bgp] commit

After the configuration, run the display bgp vpnv4 vpn-instance vpna peer command on PE1,
and you can view that the IBGP peer relationship is set up between PE1 and each of CE1,
CE2, and CE3.
<PE1> display bgp vpnv4 vpn-instance vpna peer

BGP local router ID : 10.1.1.1
Local AS number : 100
Total number of peers : 3 Peers in established state : 3

Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
10.1.1.2        4   100     1058     1058     0 17:37:22 Established       0
10.2.1.2        4   100        3        3     0 00:01:56 Established       0
10.3.1.2        4   100        2        2     0 00:00:32 Established       0

6. Configure route reflection on PE1.


# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpna
[~PE1-bgp-vpna] peer 10.1.1.2 reflect-client
[~PE1-bgp-vpna] peer 10.2.1.2 reflect-client
[~PE1-bgp-vpna] peer 10.3.1.2 reflect-client
[~PE1-bgp-vpna] commit

7. Verify the configuration.


Run the display ip routing-table command on each CE, and you can view that there are
routes to the loopback interfaces of the other CEs. Take the display on CE2 as an example.
<CE2> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : _public_
Destinations : 14 Routes : 14

Destination/Mask    Proto   Pre  Cost  Flags  NextHop      Interface

10.1.1.0/24         BGP     255  0     RD     10.2.1.1     GigabitEthernet1/0/0
10.1.1.1/32         BGP     255  0     RD     10.1.1.2     GigabitEthernet1/0/0
10.1.1.2/32         BGP     255  0     RD     10.2.1.1     GigabitEthernet1/0/0
10.2.1.0/24         Direct  0    0     D      10.2.1.2     GigabitEthernet1/0/0
10.2.1.1/32         Direct  0    0     D      10.2.1.1     GigabitEthernet1/0/0
10.2.1.2/32         Direct  0    0     D      127.0.0.1    GigabitEthernet1/0/0
10.3.1.0/24         BGP     255  0     RD     10.2.1.1     GigabitEthernet1/0/0
11.11.11.11/32      BGP     255  0     RD     10.1.1.2     GigabitEthernet1/0/0
22.22.22.22/32      Direct  0    0     D      127.0.0.1    GigabitEthernet1/0/0
33.33.33.33/32      BGP     255  0     RD     10.3.1.2     GigabitEthernet1/0/0
44.44.44.44/32      BGP     255  0     RD     10.2.1.1     GigabitEthernet1/0/0
127.0.0.0/8         Direct  0    0     D      127.0.0.1    InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1    InLoopBack0
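
The reasoning in Configuration Notes (PE1 reflects routes between the CEs, and import-route direct lets the reflected next hops be iterated), as an added Python model that is not part of the original guide and is not Huawei code. It covers only PE1 and CE1 to CE3, leaves out host routes and the PE2/CE4 side, and the function names are this example's own.

```python
"""Added example: model of IBGP route reflection and next-hop iteration
for the access-layer RR example (PE1 with CE1, CE2, CE3). Not Huawei code."""
import ipaddress

# Constructed from the example's addressing: each CE's IBGP session address
# and the loopback it advertises with the `network` command.
CES = {
    "CE1": {"addr": "10.1.1.2", "prefix": "11.11.11.11/32"},
    "CE2": {"addr": "10.2.1.2", "prefix": "22.22.22.22/32"},
    "CE3": {"addr": "10.3.1.2", "prefix": "33.33.33.33/32"},
}
# PE1's address on each CE-facing link; the /24 of each link is a direct
# route in vpna that `import-route direct` injects into BGP.
PE1_ADDR = {"CE1": "10.1.1.1", "CE2": "10.2.1.1", "CE3": "10.3.1.1"}


def link_net(addr):
    """The /24 network that contains a link address, as a string."""
    return str(ipaddress.ip_interface(addr + "/24").network)


def pe1_advertises(to_ce, reflect_clients, import_direct):
    """Routes PE1 sends to one CE as (prefix, next_hop) pairs."""
    routes = []
    for ce, info in CES.items():
        if ce == to_ce:
            continue
        # RFC 4456: an IBGP-learned route goes to another IBGP peer only
        # if the sender or the receiver is a reflector client.
        if ce in reflect_clients or to_ce in reflect_clients:
            # Reflection does not rewrite NEXT_HOP: it stays the origin CE.
            routes.append((info["prefix"], info["addr"]))
    if import_direct:
        # Locally originated routes carry PE1's own address as next hop.
        for addr in PE1_ADDR.values():
            routes.append((link_net(addr), PE1_ADDR[to_ce]))
    return routes


def ce_routes(ce, reflect_clients, import_direct):
    """Routes a CE can install: {prefix: (protocol, next_hop)}."""
    own = CES[ce]
    table = {link_net(own["addr"]): ("Direct", own["addr"]),
             own["prefix"]: ("Direct", "127.0.0.1")}
    learned = pe1_advertises(ce, reflect_clients, import_direct)
    # A BGP route is usable only when its next hop is covered by a route
    # already in the table, so repeat until nothing more can be installed.
    progress = True
    while progress:
        progress = False
        for prefix, next_hop in learned:
            if prefix in table:
                continue
            hop = ipaddress.ip_address(next_hop)
            if any(hop in ipaddress.ip_network(p) for p in table):
                table[prefix] = ("BGP", next_hop)
                progress = True
    return table


if __name__ == "__main__":
    clients = {"CE1", "CE2", "CE3"}
    for label, args in [("reflect-client + import-route direct", (clients, True)),
                        ("no reflect-client", (set(), True)),
                        ("no import-route direct", (clients, False))]:
        bgp = {p: v for p, v in ce_routes("CE2", *args).items() if v[0] == "BGP"}
        print(f"{label}: {bgp}")
```

With both settings in place the model yields the same BGP entries as the CE2 routing table above for 10.1.1.0/24, 10.3.1.0/24, 11.11.11.11/32, and 33.33.33.33/32; dropping either setting removes the other CEs' loopback routes.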

Configuration Files
• Configuration file of CE1
#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 11.11.11.11 255.255.255.255
#
bgp 100
peer 10.1.1.1 as-number 100
network 11.11.11.11 255.255.255.255
#
ipv4-family unicast
peer 10.1.1.1 enable
#
return

• Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 22.22.22.22 255.255.255.255
#
bgp 100
peer 10.2.1.1 as-number 100
network 22.22.22.22 255.255.255.255
#
ipv4-family unicast
peer 10.2.1.1 enable
#
return

• Configuration file of CE3
#
sysname CE3
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.3.1.2 255.255.255.0
#
interface LoopBack1
ip address 33.33.33.33 255.255.255.255
#
bgp 100
peer 10.3.1.1 as-number 100
network 33.33.33.33 255.255.255.255
#
ipv4-family unicast
peer 10.3.1.1 enable
#
return
• Configuration file of PE1
#
sysname PE1
#
mpls lsr-id 1.1.1.1
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.3.1.1 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
mpls
mpls ldp
ip address 100.3.1.1 255.255.255.0
#
interface LoopBack1
undo shutdown
ip address 1.1.1.1 255.255.255.255
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 100.3.1.0 0.0.0.255
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
#
ipv4-family unicast
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.2 as-number 100
peer 10.2.1.2 as-number 100
peer 10.3.1.2 as-number 100
peer 10.1.1.2 reflect-client
peer 10.2.1.2 reflect-client
peer 10.3.1.2 reflect-client
import-route direct
#
return
• Configuration file of PE2
#
sysname PE2
#
mpls lsr-id 2.2.2.2
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.4.1.1 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
mpls
mpls ldp
ip address 100.3.1.2 255.255.255.0
#
interface LoopBack1
undo shutdown
ip address 2.2.2.2 255.255.255.255
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpna
peer 10.4.1.2 as-number 65410
#
return
• Configuration file of CE4
#
sysname CE4
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.4.1.2 255.255.255.0
#
interface LoopBack1
ip address 44.44.44.44 255.255.255.255
#
bgp 65410
peer 10.4.1.1 as-number 100
network 44.44.44.44 255.255.255.255
#
ipv4-family unicast
peer 10.4.1.1 enable
#
return

Related Tasks
2.5 Configuring Route Reflection to Optimize the VPN Backbone Layer

2.18.7 Example for Configuring Hub and Spoke

In Hub and Spoke networking, an access control device is specified in the VPN, and users
communicate with each other through the access control device.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, an interface is numbered in the format of chassis ID/
slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

As shown in Figure 2-30, communication between the Spoke-CEs is controlled by the Hub-CE
at a central site. That is, the traffic between Spoke-CEs is forwarded through the Hub-CE,
not only through the Hub-PE.

Figure 2-30 Diagram of the Hub and Spoke networking
[Figure: network diagram. Addressing recoverable from the figure:
 Hub-CE (AS 65430): GE1/0/0 110.1.1.1/24, GE2/0/0 110.2.1.1/24, Loopback1 33.33.33.33/32
 Hub-PE: GE3/0/0 110.1.1.2/24, GE4/0/0 110.2.1.2/24, POS1/0/0 10.1.1.2/24,
         POS2/0/0 11.1.1.2/24, Loopback1 2.2.2.9/32
 Spoke-PE1: POS2/0/0 10.1.1.1/24, GE1/0/0 100.1.1.2/24, Loopback1 1.1.1.9/32
 Spoke-PE2: POS2/0/0 11.1.1.1/24, GE1/0/0 120.1.1.2/24, Loopback1 3.3.3.9/32
 Spoke-CE1 (AS 65410): GE1/0/0 100.1.1.1/24, Loopback1 11.11.11.11/32
 Spoke-CE2 (AS 65420): GE1/0/0 120.1.1.1/24, Loopback1 22.22.22.22/32
 The Hub-PE and Spoke-PEs are on the backbone, AS 100.]

Configuration Notes
When configuring Hub and Spoke, note the following:

• The import target and export target configured on a Spoke-PE are different.
• Two VPN instances (vpn_in and vpn_out) are created on the Hub-PE. The VPN targets
received by vpn_in are the VPN targets advertised by the two Spoke-PEs; the VPN targets
advertised by vpn_out are the VPN targets received by the two Spoke-PEs and are different
from the VPN targets received by vpn_in.
• The Hub-PE is configured to accept the routes whose AS number is repeated once in the
AS_Path attribute.

Configuration Roadmap
The configuration roadmap is as follows:

1. Establish MP-IBGP peer relationships between the Hub-PE and Spoke-PEs. There is no
need to establish the MP-IBGP peer relationship or exchange VPN route information
between the two Spoke-PEs.
2. Create VPN instances and VPN targets on PEs.
3. Configure EBGP connections between CEs and PEs.

Data Preparation
To complete the configuration, you need the following data:
• MPLS LSR ID of each PE
• Names, RDs, and VPN targets of the VPN instances of the Hub-PE and Spoke-PEs

Procedure
Step 1 Configure an IGP on the MPLS backbone network for the interworking between the Hub-PE
and Spoke-PEs.
In this example, OSPF is used as the IGP protocol. For details, see "Configuration Files."
After the configuration, the OSPF neighbor relationships have been set up between the Hub-PE
and Spoke-PEs. Run the display ospf peer command, and you can view that the neighbor status
is Full. Run the display ip routing-table command, and you can view that the Hub-PE and
Spoke-PEs have learnt the routes to the loopback interface of each other.
Step 2 Configure basic MPLS functions and MPLS LDP, and set up LDP LSPs on the MPLS backbone
network.
For details, see "Configuration Files."
After the configuration, LDP neighbor relationships have been set up between the Hub-PE and
Spoke-PEs. Run the display mpls ldp session command on routers, and you can view that the
Session Status field is displayed as Operational.
Step 3 Configure VPN instances enabled with the IPv4 address family on the PEs and connect the CEs
to PEs.
NOTE

The import target of a VPN on the Hub-PE must contain the export target attributes of all Spoke-PEs.
The export target of another VPN on the Hub-PE must contain the import target attributes of all Spoke-
PEs.

# Configure Spoke-PE1.
<Spoke-PE1> system-view
[~Spoke-PE1] ip vpn-instance vpna
[~Spoke-PE1-vpn-instance-vpna] ipv4-family
[~Spoke-PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[~Spoke-PE1-vpn-instance-vpna-af-ipv4] vpn-target 100:1 export-extcommunity
[~Spoke-PE1-vpn-instance-vpna-af-ipv4] vpn-target 200:1 import-extcommunity
[~Spoke-PE1-vpn-instance-vpna-af-ipv4] commit
[~Spoke-PE1-vpn-instance-vpna-af-ipv4] quit
[~Spoke-PE1] interface gigabitethernet 1/0/0
[~Spoke-PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[~Spoke-PE1-GigabitEthernet1/0/0] ip address 100.1.1.2 24
[~Spoke-PE1-GigabitEthernet1/0/0] commit
[~Spoke-PE1-GigabitEthernet1/0/0] quit

# Configure Spoke-PE2.
<Spoke-PE2> system-view
[~Spoke-PE2] ip vpn-instance vpna
[~Spoke-PE2-vpn-instance-vpna] ipv4-family
[~Spoke-PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 100:3
[~Spoke-PE2-vpn-instance-vpna-af-ipv4] vpn-target 100:1 export-extcommunity
[~Spoke-PE2-vpn-instance-vpna-af-ipv4] vpn-target 200:1 import-extcommunity
[~Spoke-PE2-vpn-instance-vpna-af-ipv4] commit
[~Spoke-PE2-vpn-instance-vpna-af-ipv4] quit
[~Spoke-PE2] interface gigabitethernet 1/0/0
[~Spoke-PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[~Spoke-PE2-GigabitEthernet1/0/0] ip address 120.1.1.2 24
[~Spoke-PE2-GigabitEthernet1/0/0] commit
[~Spoke-PE2-GigabitEthernet1/0/0] quit

# Configure the Hub-PE.


[~Hub-PE] ip vpn-instance vpn_in
[~Hub-PE-vpn-instance-vpn_in] ipv4-family
[~Hub-PE-vpn-instance-vpn_in-af-ipv4] route-distinguisher 100:21
[~Hub-PE-vpn-instance-vpn_in-af-ipv4] vpn-target 100:1 import-extcommunity
[~Hub-PE-vpn-instance-vpn_in-af-ipv4] commit
[~Hub-PE-vpn-instance-vpn_in-af-ipv4] quit
[~Hub-PE-vpn-instance-vpn_in] quit
[~Hub-PE] ip vpn-instance vpn_out
[~Hub-PE-vpn-instance-vpn_out] ipv4-family
[~Hub-PE-vpn-instance-vpn_out-af-ipv4] route-distinguisher 100:22
[~Hub-PE-vpn-instance-vpn_out-af-ipv4] vpn-target 200:1 export-extcommunity
[~Hub-PE-vpn-instance-vpn_out-af-ipv4] commit
[~Hub-PE-vpn-instance-vpn_out-af-ipv4] quit
[~Hub-PE-vpn-instance-vpn_out] quit
[~Hub-PE] interface gigabitethernet 3/0/0
[~Hub-PE-GigabitEthernet3/0/0] ip binding vpn-instance vpn_in
[~Hub-PE-GigabitEthernet3/0/0] ip address 110.1.1.2 24
[~Hub-PE-GigabitEthernet3/0/0] commit
[~Hub-PE-GigabitEthernet3/0/0] quit
[~Hub-PE] interface gigabitethernet 4/0/0
[~Hub-PE-GigabitEthernet4/0/0] ip binding vpn-instance vpn_out
[~Hub-PE-GigabitEthernet4/0/0] ip address 110.2.1.2 24
[~Hub-PE-GigabitEthernet4/0/0] commit
[~Hub-PE-GigabitEthernet4/0/0] quit

# Assign an IP address to each interface on CEs as shown in Figure 2-30. The detailed
configuration procedure is not mentioned here. For details, see "Configuration Files."
After the configuration, run the display ip vpn-instance verbose command on PEs to view the
configurations of VPN instances. Each PE can successfully ping its connected CEs by using the
ping -vpn-instance vpn-name ip-address command.

NOTE

If a PE has multiple interfaces bound to the same VPN instance, you need to specify a source IP address
by specifying -a source-ip-address in the ping -vpn-instance vpn-instance-name -a source-ip-address
dest-ip-address command to ping the CE connected to the remote PE. Otherwise, the ping operation fails.

Step 4 Set up the EBGP peer relationships between the PEs and CEs and import VPN routes.
NOTE

Configure the Hub-PE to allow the AS number to be repeated once in the AS_Path attribute so
that it can receive the routes advertised by the Hub-CE.
You do not need to configure the Spoke-PEs to allow the AS number to be repeated once because a
router does not check the AS_Path attribute of routes received from an IBGP peer.

# Configure Spoke-CE1.
[~Spoke-CE1] interface loopback 1
[~Spoke-CE1-Loopback1] ip address 11.11.11.11 32
[~Spoke-CE1-Loopback1] quit
[~Spoke-CE1] bgp 65410
[~Spoke-CE1-bgp] peer 100.1.1.2 as-number 100
[~Spoke-CE1-bgp] network 11.11.11.11 32
[~Spoke-CE1-bgp] quit
[~Spoke-CE1] commit

# Configure Spoke-PE1.
[~Spoke-PE1] bgp 100
[~Spoke-PE1-bgp] ipv4-family vpn-instance vpna
[~Spoke-PE1-bgp-vpna] peer 100.1.1.1 as-number 65410
[~Spoke-PE1-bgp-vpna] commit
[~Spoke-PE1-bgp-vpna] quit
[~Spoke-PE1-bgp] quit

# Configure Spoke-CE2.
[~Spoke-CE2] interface loopback 1
[~Spoke-CE2-Loopback1] ip address 22.22.22.22 32
[~Spoke-CE2-Loopback1] quit
[~Spoke-CE2] bgp 65420
[~Spoke-CE2-bgp] peer 120.1.1.2 as-number 100
[~Spoke-CE2-bgp] network 22.22.22.22 32
[~Spoke-CE2-bgp] commit
[~Spoke-CE2-bgp] quit

# Configure Spoke-PE2.
[~Spoke-PE2] bgp 100
[~Spoke-PE2-bgp] ipv4-family vpn-instance vpna
[~Spoke-PE2-bgp-vpna] peer 120.1.1.1 as-number 65420
[~Spoke-PE2-bgp-vpna] commit
[~Spoke-PE2-bgp-vpna] quit
[~Spoke-PE2-bgp] quit

# Configure the Hub-CE.


[~Hub-CE] interface loopback 1
[~Hub-CE-Loopback1] ip address 33.33.33.33 32
[~Hub-CE-Loopback1] quit
[~Hub-CE] bgp 65430
[~Hub-CE-bgp] peer 110.1.1.2 as-number 100
[~Hub-CE-bgp] peer 110.2.1.2 as-number 100
[~Hub-CE-bgp] network 33.33.33.33 32
[~Hub-CE-bgp] quit
[~Hub-CE] commit

# Configure the Hub-PE.


[~Hub-PE] bgp 100
[~Hub-PE-bgp] ipv4-family vpn-instance vpn_in
[~Hub-PE-bgp-vpn_in] peer 110.1.1.1 as-number 65430
[~Hub-PE-bgp-vpn_in] commit
[~Hub-PE-bgp-vpn_in] quit
[~Hub-PE-bgp] ipv4-family vpn-instance vpn_out
[~Hub-PE-bgp-vpn_out] peer 110.2.1.1 as-number 65430
[~Hub-PE-bgp-vpn_out] peer 110.2.1.1 allow-as-loop 1
[~Hub-PE-bgp-vpn_out] commit
[~Hub-PE-bgp-vpn_out] quit
[~Hub-PE-bgp] quit

After the configuration, run the display bgp vpnv4 all peer command on the PEs. You can find
that BGP peer relationships have been established between PEs and CEs.
Step 5 Set up MP-IBGP peer relationships between the PEs.
# Configure Spoke-PE1.
[~Spoke-PE1] bgp 100
[~Spoke-PE1-bgp] peer 2.2.2.9 as-number 100
[~Spoke-PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[~Spoke-PE1-bgp] ipv4-family vpnv4
[~Spoke-PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[~Spoke-PE1-bgp-af-vpnv4] commit
[~Spoke-PE1-bgp-af-vpnv4] quit

# Configure Spoke-PE2.
[~Spoke-PE2] bgp 100
[~Spoke-PE2-bgp] peer 2.2.2.9 as-number 100
[~Spoke-PE2-bgp] peer 2.2.2.9 connect-interface loopback 1
[~Spoke-PE2-bgp] ipv4-family vpnv4
[~Spoke-PE2-bgp-af-vpnv4] peer 2.2.2.9 enable
[~Spoke-PE2-bgp-af-vpnv4] commit
[~Spoke-PE2-bgp-af-vpnv4] quit

# Configure the Hub-PE.


[~Hub-PE] bgp 100
[~Hub-PE-bgp] peer 1.1.1.9 as-number 100
[~Hub-PE-bgp] peer 1.1.1.9 connect-interface loopback 1
[~Hub-PE-bgp] peer 3.3.3.9 as-number 100
[~Hub-PE-bgp] peer 3.3.3.9 connect-interface loopback 1
[~Hub-PE-bgp] ipv4-family vpnv4
[~Hub-PE-bgp-af-vpnv4] peer 1.1.1.9 enable
[~Hub-PE-bgp-af-vpnv4] peer 3.3.3.9 enable
[~Hub-PE-bgp-af-vpnv4] commit
[~Hub-PE-bgp-af-vpnv4] quit

After the configuration, run the display bgp peer or display bgp vpnv4 all peer command on
the PEs, and you can view that the BGP peer relationships have been established between the
PEs.
Step 6 Verify the configuration.
After the configuration, the Spoke-CEs can successfully ping each other. Run the tracert
command, and you can view that the traffic between the Spoke-CEs is forwarded through the
Hub-CE. You can also deduce the number of forwarding devices between the Spoke-CEs based
on the TTL displayed in the ping command output.
Take the display on Spoke-CE1 as an example.
<Spoke-CE1> ping -a 11.11.11.11 22.22.22.22
PING 22.22.22.22: 56 data bytes, press CTRL_C to break
Reply from 22.22.22.22: bytes=56 Sequence=1 ttl=250 time=80 ms
Reply from 22.22.22.22: bytes=56 Sequence=2 ttl=250 time=129 ms
Reply from 22.22.22.22: bytes=56 Sequence=3 ttl=250 time=132 ms
Reply from 22.22.22.22: bytes=56 Sequence=4 ttl=250 time=92 ms
Reply from 22.22.22.22: bytes=56 Sequence=5 ttl=250 time=126 ms
--- 22.22.22.22 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 80/111/132 ms
<Spoke-CE1> tracert -a 11.11.11.11 22.22.22.22
traceroute to 22.22.22.22(22.22.22.22), max hops: 30 ,packet length: 40
1 100.1.1.2 8 ms 2 ms 2 ms
2 110.1.1.2 < AS=100 > 3 ms 2 ms 2 ms
3 110.1.1.1 < AS=100 > 3 ms 2 ms 2 ms
4 110.2.1.2 < AS=65430 > 3 ms 2 ms 2 ms
5 120.1.1.2 < AS=100 > 6 ms 6 ms 6 ms
6 22.22.22.22 < AS=65420 > 6 ms 6 ms 6 ms

Run the display bgp routing-table command on each Spoke-CE, and you can find that there
are repetitive AS numbers in the AS-Path attributes of the BGP routes to the peer Spoke-CE.
Take the display on Spoke-CE1 as an example.
<Spoke-CE1> display bgp routing-table
BGP Local router ID is 11.11.11.11
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 5
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 100.1.1.0/24 0.0.0.0 0 0 ?
* 100.1.1.2 0 0 100?
*> 100.1.1.1/32 0.0.0.0 0 0 ?
*> 33.33.33.33/32 100.1.1.2 0 100 65430?
*> 22.22.22.22/32 100.1.1.2 0 100 65430 100?

----End
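
The VPN-target rules from Configuration Notes and the NOTEs in Steps 3 and 4, as an added Python check that is not part of the original guide and is not Huawei code. It parses the VPN-instance and BGP commands of this example, embedded below in saved-configuration form as constructed input, and reports any setting that would let Spoke-PEs learn each other's routes without passing the Hub-CE; the names parse and audit are this example's own.

```python
"""Added example (not Huawei code): audit the VPN-target design of the Hub
and Spoke example so that no Spoke-PE learns another spoke's routes directly."""
import re

KINDS = ("both", "export-extcommunity", "import-extcommunity")
# Constructed input: the commands entered in Steps 3 and 4, written in
# saved-configuration form (an assumption of this example).
SPOKE = """ip vpn-instance vpna
 ipv4-family
  route-distinguisher {rd}
  vpn-target 100:1 export-extcommunity
  vpn-target 200:1 import-extcommunity
#
"""
HUB = """ip vpn-instance vpn_in
 ipv4-family
  route-distinguisher 100:21
  vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn_out
 ipv4-family
  route-distinguisher 100:22
  vpn-target 200:1 export-extcommunity
#
bgp 100
 #
 ipv4-family vpn-instance vpn_in
  peer 110.1.1.1 as-number 65430
 #
 ipv4-family vpn-instance vpn_out
  peer 110.2.1.1 as-number 65430
  peer 110.2.1.1 allow-as-loop 1
#
"""
CONFIGS = {"Hub-PE": HUB,
           "Spoke-PE1": SPOKE.format(rd="100:1"),
           "Spoke-PE2": SPOKE.format(rd="100:3")}


def parse(text):
    """Return ({instance: {"import": set, "export": set}},
    set of BGP VPN instances that have a peer with allow-as-loop)."""
    targets, loop_instances, vrf, bgp_vrf = {}, set(), None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "#":
            vrf = bgp_vrf = None
        elif m := re.fullmatch(r"ip vpn-instance (\S+)", line):
            vrf = targets.setdefault(m[1], {"import": set(), "export": set()})
        elif m := re.fullmatch(r"ipv4-family vpn-instance (\S+)", line):
            bgp_vrf = m[1]
        elif vrf is not None and line.startswith("vpn-target "):
            words = line.split()[1:]
            kind = words.pop() if words[-1] in KINDS else "both"
            for side in ("import", "export"):
                if kind in ("both", side + "-extcommunity"):
                    vrf[side].update(words)
        elif bgp_vrf and re.fullmatch(r"peer \S+ allow-as-loop( \d+)?", line):
            loop_instances.add(bgp_vrf)
    return targets, loop_instances


def audit(configs, hub, spokes):
    """Return a list of findings; an empty list means the design holds."""
    findings = []
    hub_targets, hub_loops = parse(configs[hub])
    spoke_rt = {}
    for name in spokes:
        targets, _ = parse(configs[name])
        spoke_rt[name] = {side: set().union(*(t[side] for t in targets.values()))
                          for side in ("import", "export")}
    all_exp = set().union(*(rt["export"] for rt in spoke_rt.values()))
    all_imp = set().union(*(rt["import"] for rt in spoke_rt.values()))
    # A spoke must not import any target that a spoke exports.
    for name, rt in spoke_rt.items():
        leak = rt["import"] & all_exp
        if leak:
            findings.append(f"{name} imports spoke export target(s) {sorted(leak)}: "
                            "spoke routes are learned without passing the Hub-CE")
    # One hub instance imports every spoke export target (vpn_in) ...
    inbound = [v for v, t in hub_targets.items() if all_exp and all_exp <= t["import"]]
    if not inbound:
        findings.append(f"{hub}: no VPN instance imports all of {sorted(all_exp)}")
    # ... and a different one exports every spoke import target (vpn_out).
    outbound = [v for v, t in hub_targets.items()
                if v not in inbound and all_imp and all_imp <= t["export"]]
    if not outbound:
        findings.append(f"{hub}: no second VPN instance exports all of {sorted(all_imp)}")
    elif not hub_loops & set(outbound):
        findings.append(f"{hub}: no peer in {outbound} has allow-as-loop, so routes "
                        "returned by the Hub-CE (AS_Path holds the backbone AS) are dropped")
    return findings


if __name__ == "__main__":
    result = audit(CONFIGS, "Hub-PE", ["Spoke-PE1", "Spoke-PE2"])
    print("\n".join(result) if result else "Hub and Spoke VPN-target design holds")
```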

Configuration Files
• Configuration file of Spoke-CE1
#
sysname Spoke-CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 100.1.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 11.11.11.11 255.255.255.255
#
bgp 65410
peer 100.1.1.2 as-number 100
network 11.11.11.11 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 100.1.1.2 enable
#
return

• Configuration file of Spoke-PE1
#
sysname Spoke-PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 100.1.1.2 255.255.255.0
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 100.1.1.1 as-number 65410
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
• Configuration file of Spoke-PE2
#
sysname Spoke-PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:3
vpn-target 100:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 120.1.1.2 255.255.255.0
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 11.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 120.1.1.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 11.1.1.0 0.0.0.255
#
return
• Configuration file of Spoke-CE2
#
sysname Spoke-CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 120.1.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 22.22.22.22 255.255.255.255
#
bgp 65420
peer 120.1.1.2 as-number 100
network 22.22.22.22 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 120.1.1.2 enable
#
return
• Configuration file of the Hub-CE
#
sysname Hub-CE
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 110.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 110.2.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 33.33.33.33 255.255.255.255
#
bgp 65430
peer 110.1.1.2 as-number 100
peer 110.2.1.2 as-number 100
network 33.33.33.33 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 110.2.1.2 enable
peer 110.1.1.2 enable
#
return
• Configuration file of the Hub-PE
#
sysname Hub-PE
#
ip vpn-instance vpn_in
ipv4-family
route-distinguisher 100:21
vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn_out
ipv4-family
route-distinguisher 100:22
vpn-target 200:1 export-extcommunity
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet3/0/0
undo shutdown
ip binding vpn-instance vpn_in
ip address 110.1.1.2 255.255.255.0
#
interface GigabitEthernet4/0/0
undo shutdown
ip binding vpn-instance vpn_out
ip address 110.2.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 11.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn_in
peer 110.1.1.1 as-number 65430
#
ipv4-family vpn-instance vpn_out
peer 110.2.1.1 as-number 65430
peer 110.2.1.1 allow-as-loop
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 11.1.1.0 0.0.0.255
#
return

Related Tasks
2.6 Configuring Hub and Spoke

2.18.8 Example for Configuring Extranet VPN


Configuring extranet VPN enables users in a VPN to access sites in other VPNs.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, an interface is numbered in the format of chassis ID/
slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

As shown in Figure 2-31, CE1 and CE3 belong to vpna; CE2 belongs to vpnb. By default,
devices in different VPNs cannot communicate with each other. In some scenarios, however,
devices in different VPNs need to communicate with each other. In this case, you can configure
VPN targets for the communication between CE2 and CE3.

Figure 2-31 Networking diagram of extranet VPN
(Diagram not reproduced: CE1 in AS 65410 (vpna) connects to PE1, CE2 in AS 65420 (vpnb)
connects to PE2, and CE3 in AS 65430 (vpna) connects to PE3 over the AS 100 backbone.
Interface addresses are listed in "Configuration Files".)

Configuration Notes
When configuring extranet VPN, note the following:

• The import VPN target list of PE3 contains the export VPN targets of PE1 and PE2; the
export VPN target list of PE3 contains the import VPN targets of PE1 and PE2.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IGP on the MPLS backbone network to enable PEs to communicate.
2. Configure MPLS and MPLS LSPs on the MPLS backbone network so that PEs can
communicate through the LSPs.
3. Establish MP-IBGP peer relationships between PE1 and PE3, and between PE2 and PE3.
4. Create VPN instances on the PEs, ensuring that the import VPN target list of PE3 contains
the export VPN targets of the other PEs and the export VPN target list of PE3 contains the
import VPN targets of the other PEs.

Data Preparation
To complete the configuration, you need the following data:
• MPLS LSR IDs on PEs
• Names, RDs, and VPN targets of the VPN instances created on PE1 and PE2
• AS numbers of PEs and CEs

Configuration Procedures
1. Configure an IGP on the MPLS backbone network so that PEs can learn the routes to the
loopback interface of each other. In this example, OSPF is used as the IGP protocol. For
details, see "Configuration Files."
After the configuration, OSPF neighbor relationships are established between the
PEs. Run the display ospf peer command to check that the neighbor relationship
is in the Full state. Run the display ip routing-table command to check that the PEs
have learned the routes to each other's loopback interfaces.
2. Set up LDP LSPs on the MPLS backbone network.
# Configure PE1.
[~PE1] mpls lsr-id 1.1.1.9
[~PE1] mpls
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] quit
[~PE1] interface pos 2/0/0
[~PE1-Pos2/0/0] mpls
[~PE1-Pos2/0/0] mpls ldp
[~PE1-Pos2/0/0] commit
[~PE1-Pos2/0/0] quit

# Configure PE2.
[~PE2] mpls lsr-id 3.3.3.9
[~PE2] mpls
[~PE2-mpls] quit
[~PE2] mpls ldp
[~PE2-mpls-ldp] quit
[~PE2] interface pos 2/0/0
[~PE2-Pos2/0/0] mpls
[~PE2-Pos2/0/0] mpls ldp
[~PE2-Pos2/0/0] commit
[~PE2-Pos2/0/0] quit

# Configure PE3.
[~PE3] mpls lsr-id 2.2.2.9
[~PE3] mpls
[~PE3-mpls] quit
[~PE3] mpls ldp
[~PE3-mpls-ldp] quit
[~PE3] interface pos 1/0/0
[~PE3-Pos1/0/0] mpls
[~PE3-Pos1/0/0] mpls ldp
[~PE3-Pos1/0/0] commit
[~PE3-Pos1/0/0] quit
[~PE3] interface pos 2/0/0
[~PE3-Pos2/0/0] mpls
[~PE3-Pos2/0/0] mpls ldp
[~PE3-Pos2/0/0] commit
[~PE3-Pos2/0/0] quit

After the configuration, LDP sessions are established between the PEs. Run the
display mpls ldp session command on each device to check that the Status field
is displayed as Operational. Take the display on PE1 as an example.
<PE1> display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
-------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
-------------------------------------------------------------------------
2.2.2.9:0 Operational DU Passive 0000:00:01 5/5
3.3.3.9:0 Operational DU Passive 0000:00:01 5/5
-------------------------------------------------------------------------
TOTAL: 2 session(s) Found.

3. Establish MP-IBGP peer relationships between PE1 and PE3, and between PE2 and PE3.
# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] peer 2.2.2.9 as-number 100
[~PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[~PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit

# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] peer 2.2.2.9 as-number 100
[~PE2-bgp] peer 2.2.2.9 connect-interface loopback 1
[~PE2-bgp] ipv4-family vpnv4
[~PE2-bgp-af-vpnv4] peer 2.2.2.9 enable
[~PE2-bgp-af-vpnv4] commit
[~PE2-bgp-af-vpnv4] quit
[~PE2-bgp] quit

# Configure PE3.
[~PE3] bgp 100
[~PE3-bgp] peer 1.1.1.9 as-number 100
[~PE3-bgp] peer 1.1.1.9 connect-interface loopback 1
[~PE3-bgp] peer 3.3.3.9 as-number 100
[~PE3-bgp] peer 3.3.3.9 connect-interface loopback 1
[~PE3-bgp] ipv4-family vpnv4
[~PE3-bgp-af-vpnv4] peer 1.1.1.9 enable
[~PE3-bgp-af-vpnv4] peer 3.3.3.9 enable
[~PE3-bgp-af-vpnv4] commit
[~PE3-bgp-af-vpnv4] quit
[~PE3-bgp] quit

After the configuration, run the display bgp vpnv4 all peer command on the PEs, and you
can view that MP-IBGP peer relationships have been established between PEs and CEs.
Take the display on PE1 as an example.

<PE1> display bgp vpnv4 all peer


BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 3
Peer V AS MsgRcvd MsgSent OutQ Up/Down State
PrefRcv
2.2.2.9 4 100 12 18 0 00:09:38 Established
0

4. Create VPN instances on the PEs, ensuring that the import VPN target list of PE3 contains
the export VPN targets of the other PEs and the export VPN target list of PE3 contains the
import VPN targets of the other PEs.
# Configure PE1.
[~PE1] ip vpn-instance vpna
[~PE1-vpn-instance-vpna] ipv4-family
[~PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[~PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE1-vpn-instance-vpna-af-ipv4] commit
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] interface gigabitethernet 1/0/0
[~PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[~PE1-GigabitEthernet1/0/0] ip address 100.1.1.2 24
[~PE1-GigabitEthernet1/0/0] commit
[~PE1-GigabitEthernet1/0/0] quit

# Configure PE2.
[~PE2] ip vpn-instance vpnb
[~PE2-vpn-instance-vpnb] ipv4-family
[~PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[~PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[~PE2-vpn-instance-vpnb-af-ipv4] commit
[~PE2-vpn-instance-vpnb-af-ipv4] quit
[~PE2-vpn-instance-vpnb] quit
[~PE2] interface gigabitethernet 1/0/0
[~PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpnb
[~PE2-GigabitEthernet1/0/0] ip address 120.1.1.2 24
[~PE2-GigabitEthernet1/0/0] commit
[~PE2-GigabitEthernet1/0/0] quit

# Configure PE3.
[~PE3] ip vpn-instance vpna
[~PE3-vpn-instance-vpna] ipv4-family
[~PE3-vpn-instance-vpna-af-ipv4] route-distinguisher 100:3
[~PE3-vpn-instance-vpna-af-ipv4] vpn-target 111:1 222:2 both
[~PE3-vpn-instance-vpna-af-ipv4] commit
[~PE3-vpn-instance-vpna-af-ipv4] quit
[~PE3-vpn-instance-vpna] quit
[~PE3] interface gigabitethernet 3/0/0
[~PE3-GigabitEthernet3/0/0] ip binding vpn-instance vpna
[~PE3-GigabitEthernet3/0/0] ip address 110.1.1.2 24
[~PE3-GigabitEthernet3/0/0] commit
[~PE3-GigabitEthernet3/0/0] quit

5. Set up the EBGP peer relationships between the PEs and CEs and import VPN routes.
# Configure CE1.
[~CE1] interface loopback 1
[~CE1-Loopback1] ip address 11.11.11.11 32
[~CE1-Loopback1] quit
[~CE1] bgp 65410
[~CE1-bgp] peer 100.1.1.2 as-number 100
[~CE1-bgp] network 11.11.11.11 32
[~CE1-bgp] commit

The configurations of CE2 and CE3 are similar to the configuration of CE1, and are not
mentioned here. For details, see "Configuration Files."
# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpna
[~PE1-bgp-vpna] peer 100.1.1.1 as-number 65410
[~PE1-bgp-vpna] commit
[~PE1-bgp-vpna] quit

The configurations of PE2 and PE3 are similar to the configuration of PE1, and are not
mentioned here. For details, see "Configuration Files."
After the configuration, run the display bgp vpnv4 vpn-instance peer command on the
PEs to check that BGP peer relationships have been established between PEs and
CEs.
Take the peer relationship between PE1 and CE1 as an example.
<PE1> display bgp vpnv4 vpn-instance vpna peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State
PrefRcv
100.1.1.1 4 65410 11 9 0 00:06:37 Established 1

6. Verify the configuration.


Run the display ip routing-table command on CE1, and you can view routes to CE3 rather
than CE2.
<CE1> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 4 Routes : 4
Destination/Mask Proto Pre Cost Flags NextHop Interface
11.11.11.11/32 Direct 0 0 D 127.0.0.1 Loopback1
100.1.1.0/24 Direct 0 0 D 10.1.1.1 GigabitEthernet1/0/0
100.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
33.33.33.33/32 BGP 255 0 RD 2.2.2.9 Pos2/0/0

CE2 can successfully ping CE3 at 33.33.33.33 but cannot successfully ping CE1 at
22.22.22.22.
[~CE1] ping -a 11.11.11.11 33.33.33.33
PING 33.33.33.33: 56 data bytes, press CTRL_C to break
Reply from 33.33.33.33: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 33.33.33.33: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 33.33.33.33: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 33.33.33.33: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 33.33.33.33: bytes=56 Sequence=5 ttl=253 time=34 ms
--- 33.33.33.33 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms
[~CE1] ping -a 11.11.11.11 22.22.22.22
PING 22.22.22.22: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 22.22.22.22 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
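
The VPN-target rule in the Configuration Notes decides which VPN instances exchange routes, so it can be checked offline before the configuration is committed. The following Python script is an added example, not part of the Huawei guide: it parses the vpn-instance stanzas of this example, derives the route flows from direct route-target matches, and flags any flow outside the intended pairs. The function names, the ALLOWED set and the LEAKY variant are assumptions made for illustration, and import or export route-policies are not modelled.

```python
import re
from itertools import permutations

VPN_TARGET = re.compile(
    r"^vpn-target\s+(?P<rts>.+?)\s+"
    r"(?P<kind>export-extcommunity|import-extcommunity|both)$"
)


def parse_vrfs(device, config):
    """Return {(device, vrf): {"export": set, "import": set}} from VRP-style text."""
    vrfs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ip vpn-instance "):
            key = (device, line.split()[2])
            current = vrfs.setdefault(key, {"export": set(), "import": set()})
        elif line == "#":
            current = None  # '#' closes the current configuration view
        elif current is not None:
            m = VPN_TARGET.match(line)
            if m:
                rts = set(m["rts"].split())
                if m["kind"] != "import-extcommunity":  # export or both
                    current["export"] |= rts
                if m["kind"] != "export-extcommunity":  # import or both
                    current["import"] |= rts
    return vrfs


def route_flows(vrfs):
    """Map (exporter, importer) to the route targets that let routes flow that way."""
    flows = {}
    for src, dst in permutations(vrfs, 2):
        shared = vrfs[src]["export"] & vrfs[dst]["import"]
        if shared:
            flows[(src, dst)] = shared
    return flows


def audit(configs, allowed):
    """Compare RT-driven route exchange with the intended VRF pairs.

    Returns (leaks, broken): one-way flows between VRFs that are not an allowed
    pair, and allowed pairs that lack a route flow in at least one direction.
    """
    vrfs = {}
    for device, text in configs.items():
        vrfs.update(parse_vrfs(device, text))
    flows = route_flows(vrfs)
    leaks = sorted(f for f in flows if frozenset(f) not in allowed)
    broken = sorted(
        tuple(sorted(pair)) for pair in allowed
        if any(f not in flows for f in permutations(pair, 2))
    )
    return leaks, broken


# Constructed input: the vpn-instance stanzas of this example (PE2's instance
# is named vpnb, as in step 4 of the procedure).
EXTRANET = {
    "PE1": """
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
""",
    "PE2": """
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 100:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
""",
    "PE3": """
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:3
  vpn-target 111:1 222:2 import-extcommunity
  vpn-target 111:1 222:2 export-extcommunity
#
""",
}

# Intended policy: CE3's VRF exchanges routes with CE1's and with CE2's VRF;
# vpna on PE1 and vpnb on PE2 stay isolated from each other.
ALLOWED = {
    frozenset({("PE1", "vpna"), ("PE3", "vpna")}),
    frozenset({("PE2", "vpnb"), ("PE3", "vpna")}),
}

# Hypothetical misconfiguration: PE1 also imports vpnb's route target.
LEAKY = dict(EXTRANET, PE1=EXTRANET["PE1"].replace(
    "vpn-target 111:1 import-extcommunity",
    "vpn-target 111:1 222:2 import-extcommunity"))

if __name__ == "__main__":
    print("as documented:", audit(EXTRANET, ALLOWED))
    print("with extra import on PE1:", audit(LEAKY, ALLOWED))
```

A one-way flow is reported as a leak even though return traffic would fail, because the routes of the other VPN still appear in the importing VPN instance.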

Configuration Files
• Configuration file of CE1
#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 100.1.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 11.11.11.11 255.255.255.255
#
bgp 65410
peer 100.1.1.2 as-number 100
network 11.11.11.11 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 100.1.1.2 enable
#
return
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 100.1.1.2 255.255.255.0
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 100.1.1.1 as-number 65410
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpnb
ip address 120.1.1.2 255.255.255.0
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 11.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpnb
peer 120.1.1.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 11.1.1.0 0.0.0.255
#
return
• Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 120.1.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 22.22.22.22 255.255.255.255
#
bgp 65420
peer 120.1.1.2 as-number 100
network 22.22.22.22 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 120.1.1.2 enable
#
return
• Configuration file of PE3
#
sysname PE3
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:3
vpn-target 111:1 222:2 import-extcommunity
vpn-target 111:1 222:2 export-extcommunity
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet3/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 110.1.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 11.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
peer 110.1.1.1 as-number 65430
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 11.1.1.0 0.0.0.255
#
return

• Configuration file of CE3
#
sysname CE3
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 110.1.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 33.33.33.33 255.255.255.255
#
bgp 65430
peer 110.1.1.2 as-number 100
network 33.33.33.33 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 110.1.1.2 enable
#
return

2.18.9 Example for Configuring Load Balancing Among Tunnels to Which Remote Cross Routes Are Iterated on a VPN
Load balancing can be configured if there are multiple tunnels between PE peers on the backbone
network. It can fully utilize network resources and enhance the reliability of VPN services on
the backbone network.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

If multiple tunnels such as LDP LSPs and TE tunnels exist between PE peers on the MPLS
backbone network of a BGP/MPLS IP VPN, load balancing among tunnels can be configured
to distribute IPv6 VPN traffic to the tunnels and prevent network congestion.
As shown in Figure 2-32, two links exist between PE1 and PE2 in the basic BGP/MPLS IP VPN
networking: an LDP LSP (PE1-P1-PE2) and a TE tunnel (PE1-P2-PE2). All VPN traffic is
forwarded over the LSP according to the default tunnel policy, which may cause the link of PE1-
P1-PE2 to be busy and the link of PE1-P2-PE2 to be idle.
To address this problem, load balancing among tunnels can be configured on the MPLS backbone
network to distribute VPN traffic evenly to the two tunnels.

Figure 2-32 Networking diagram for configuring load balancing among tunnels to which remote
cross routes are iterated on a VPN
(Diagram not reproduced: PE1 reaches PE2 through P1 and through P2 in the AS 100 backbone,
and CE2 connects to PE2. Interface addresses are listed in "Configuration Files".)

Configuration Notes
When configuring load balancing among tunnels to which remote cross routes are iterated on a
VPN, note the following item:
• The tunnels existing in the system meet the requirements of the configured tunnel policy.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF on the MPLS backbone network for IP connectivity between devices on
the backbone network.
2. On the MPLS backbone network, enable MPLS and MPLS LDP to set up an LDP LSP;
enable MPLS TE to set up an MPLS TE tunnel.
3. Create a VPN instance on each PE and connect the CE to PE2.
4. Create a tunnel policy on PE1 to distribute traffic to the LDP LSP and TE tunnel between
PE1 and PE2.
5. Apply the tunnel policy to the VPN instance IPv4 address family on PE1.

Procedure
Step 1 Configure a basic BGP/MPLS IP VPN.
For details on the configuration procedure, see Example for Configuring Basic BGP/MPLS
IP VPN. The main configurations are listed below:
• Configure OSPF on the MPLS backbone network to allow the PEs to learn the route to each
other's loopback interface.
• Configure basic MPLS functions and enable MPLS LDP on PE1, P1, and PE2 to set up an
LDP LSP along the PEs.

• Enable MPLS TE on PE1, P2, and PE2 to set up an MPLS TE tunnel along the PEs.
• Establish a VPNv4 peer relationship between the PEs.
• Create a VPN instance that supports the IPv4 address family on each PE and bind the PE
interface connecting to the CE to the VPN instance.
• Enable BGP between the PEs and CE, and import the route of the loopback interface into
BGP on the CE.

After the configuration is complete, run the display ip routing-table vpn-instance command
on PE1. You can find that PE1 has learned the route to the loopback interface on the CE.
<PE1> display ip routing-table vpn-instance vpn1
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpn1
Destinations : 4 Routes : 4

Destination/Mask Proto Pre Cost Flags NextHop Interface

11.11.11.11/32 Direct 0 0 D 127.0.0.1 LoopBack2


22.22.22.22/32 BGP 255 0 RD 3.3.3.9 LDP LSP
192.168.1.0/30 BGP 255 0 RD 3.3.3.9 LDP LSP
192.168.1.2/32 BGP 255 0 RD 3.3.3.9 LDP LSP
<PE1> display ip routing-table vpn-instance vpn1 22.22.22.22 verbose
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpn1
Summary Count : 1

Destination: 22.22.22.22/32
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 3.3.3.9 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h02m28s
Tag: 0 Priority: low
Label: 0x1f QoSInfo: 0x0
IndirectID: 0xb7
RelayNextHop: 0.0.0.0 Interface: LDP LSP
TunnelID: 0x0000000001004c4b43 Flags: RD

The command output shows that the route to 22.22.22.22/32 is iterated to only one LSP on PE1
because no tunnel policy is applied to the VPN.

Step 2 Apply a tunnel policy to the VPN on PE1.

Configure a tunnel policy in select-sequence mode so that TE tunnels are selected first and
LSPs second, and set the number of tunnels participating in load balancing to 2.

# Configure PE1.
[~PE1] tunnel-policy te-lsp-l2
[~PE1-tunnel-policy-te-lsp-l2] tunnel select-seq cr-lsp lsp load-balance-number 2
[~PE1-tunnel-policy-te-lsp-l2] quit

# Apply a tunnel policy to the VPN instance IPv4 address family.


[~PE1] ip vpn-instance vpn1
[~PE1-vpn-instance-vpn1] ipv4-family
[~PE1-vpn-instance-vpn1-af-ipv4] tnl-policy te-lsp-l2
[~PE1-vpn-instance-vpn1-af-ipv4] quit
[~PE1-vpn-instance-vpn1] quit
[~PE1] commit

Step 3 Verify the configuration.

After the configuration is complete, run the display ip routing-table vpn-instance verbose
command on PE1. You can find that the route to the loopback interface on the CE is iterated to
two tunnels.
<PE1> display ip routing-table vpn-instance vpn1 22.22.22.22 verbose
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpn1
Summary Count : 1

Destination: 22.22.22.22/32
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 3.3.3.9 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h00m06s
Tag: 0 Priority: low
Label: 0x1f QoSInfo: 0x0
IndirectID: 0xbc
RelayNextHop: 0.0.0.0 Interface: Tunnel1
TunnelID: 0x000000000300000001 Flags: RD
RelayNextHop: 0.0.0.0 Interface: LDP LSP
TunnelID: 0x0000000001004c4b43 Flags: RD

Load balancing between tunnels to which remote cross routes are iterated is successfully
deployed on the VPN.

----End
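
The check in Step 3 can be automated. The following Python script is an added example, not part of the Huawei guide: it parses the verbose routing-table output shown above, derives the tunnels that a select-seq policy should pick, and reports routes whose tunnels differ. The function names, the AVAILABLE list, the DEFAULT_POLICY string and the fill-by-priority selection model are assumptions made for illustration.

```python
import re

RELAY = re.compile(r"^RelayNextHop:\s*\S+\s+Interface:\s*(.+?)\s*$")
POLICY = re.compile(r"^tunnel select-seq ((?:\S+ )+?)load-balance-number (\d+)$")

# Default behaviour described in this example (a single LSP), written in policy
# syntax so it can be compared; the constant is an assumption of this script.
DEFAULT_POLICY = "tunnel select-seq lsp load-balance-number 1"
TE_LSP_L2 = "tunnel select-seq cr-lsp lsp load-balance-number 2"

# Tunnels from PE1 to 3.3.3.9 in this example (names as printed by the device).
AVAILABLE = ["LDP LSP", "Tunnel1"]

# Excerpts of the two outputs shown in this example, before and after Step 2.
BEFORE = """\
Destination: 22.22.22.22/32
Protocol: BGP Process ID: 0
NextHop: 3.3.3.9 Neighbour: 0.0.0.0
RelayNextHop: 0.0.0.0 Interface: LDP LSP
TunnelID: 0x0000000001004c4b43 Flags: RD
"""
AFTER = """\
Destination: 22.22.22.22/32
Protocol: BGP Process ID: 0
NextHop: 3.3.3.9 Neighbour: 0.0.0.0
RelayNextHop: 0.0.0.0 Interface: Tunnel1
TunnelID: 0x000000000300000001 Flags: RD
RelayNextHop: 0.0.0.0 Interface: LDP LSP
TunnelID: 0x0000000001004c4b43 Flags: RD
"""


def tunnels_per_route(output):
    """Parse verbose routing-table output into {destination: [interface, ...]}."""
    routes, dest = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Destination:"):
            dest = line.split(":", 1)[1].strip()
            routes[dest] = []
        elif dest is not None:
            m = RELAY.match(line)
            if m:
                routes[dest].append(m.group(1))
    return routes


def tunnel_type(interface):
    """Map an Interface value from the output to a select-seq keyword."""
    if re.fullmatch(r"Tunnel\d+", interface):
        return "cr-lsp"  # MPLS TE tunnel interface such as Tunnel1
    if interface == "LDP LSP":
        return "lsp"
    return "unknown"


def expected_tunnels(policy_line, available):
    """Tunnels the policy should pick: by type priority, up to the configured number.

    Assumed semantics: tunnels of an earlier type in the sequence are used up
    before tunnels of a later type are added.
    """
    m = POLICY.match(policy_line.strip())
    if not m:
        raise ValueError("unsupported tunnel policy: %r" % policy_line)
    seq, limit = m.group(1).split(), int(m.group(2))
    usable = [t for t in available if tunnel_type(t) in seq]
    usable.sort(key=lambda t: seq.index(tunnel_type(t)))  # stable sort
    return usable[:limit]


def mismatches(output, policy_line, available):
    """Return {destination: (seen, expected)} for routes whose tunnels differ."""
    want = expected_tunnels(policy_line, available)
    return {dest: (seen, want)
            for dest, seen in tunnels_per_route(output).items()
            if sorted(seen) != sorted(want)}


if __name__ == "__main__":
    print("after Step 2:", mismatches(AFTER, TE_LSP_L2, AVAILABLE))
    print("policy not applied:", mismatches(BEFORE, TE_LSP_L2, AVAILABLE))
```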

Configuration Files
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
tnl-policy te-lsp-l2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
mpls te
mpls te cspf
mpls rsvp-te
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 20.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
interface LoopBack2
ip binding vpn-instance vpn1
ip address 11.11.11.11 255.255.255.255
#
interface Tunnel1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 3.3.3.9
mpls te tunnel-id 100
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ospf 1
opaque-capability enable
area 0.0.0.0
mpls-te enable
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 20.1.1.0 0.0.0.255
#
tunnel-policy te-lsp-l2
tunnel select-seq cr-lsp lsp load-balance-number 2
#
return
• Configuration file of P1
#
sysname P1
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 20.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 30.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
opaque-capability enable
area 0.0.0.0
mpls-te enable
network 2.2.2.9 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
• Configuration file of P2
#
sysname P2
#
mpls lsr-id 4.4.4.9
#
mpls
mpls te
mpls te cspf
mpls rsvp-te
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 40.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
ospf 1
opaque-capability enable
area 0.0.0.0
mpls-te enable
network 4.4.4.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 40.1.1.0 0.0.0.255
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
mpls te
mpls te cspf
mpls rsvp-te
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 40.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 30.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet3/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 192.168.1.1 255.255.255.252
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
peer 192.168.1.2 as-number 65410
#
ospf 1
opaque-capability enable
area 0.0.0.0
mpls-te enable
network 3.3.3.9 0.0.0.0
network 30.1.1.0 0.0.0.255
network 40.1.1.0 0.0.0.255
#
return

• Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.2 255.255.255.252
#
interface LoopBack1
ip address 22.22.22.22 255.255.255.255
#
bgp 65410
peer 192.168.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
network 22.22.22.22 32
peer 192.168.1.1 enable
#
return

Related Tasks
2.7 Configuring a Tunnel Policy for the Backbone Network of a BGP/MPLS IP VPN

2.18.10 Example for Configuring Inter-AS VPN Option A


After VPN instances are configured on ASBRs, you can adopt the Option A solution to manage
VPN routes in VRF-to-VRF mode.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, an interface is numbered in the format of chassis ID/
slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

As shown in Figure 2-33, CE1 and CE2 belong to the same VPN. CE1 is connected to PE1 in
AS 100, and CE2 is connected to PE2 in AS 200.

It is required that inter-AS BGP/MPLS IP VPN be implemented through Option A. That is,
VRF-to-VRF is required to manage VPN routes.

Figure 2-33 Networking diagram of inter-AS VPN Option A
(Diagram not reproduced: CE1 in AS 65001 connects to PE1, which connects to ASBR1 in AS 100;
CE2 in AS 65002 connects to PE2, which connects to ASBR2 in AS 200; ASBR1 and ASBR2 are
directly connected.)

Configuration Roadmap
The configuration roadmap is as follows:


1. Set up EBGP peer relationships between the PEs and CEs and set up MP-IBGP peer
relationships between the PEs and ASBRs.
2. Create a VPN instance on each ASBR and bind the VPN instance to the interface that
connects one ASBR to the other, and then set up an EBGP peer relationship between the
ASBRs.

Data Preparation
To complete the configuration, you need the following data:
• MPLS LSR IDs of the PEs and the ASBRs
• Names, RDs, and VPN targets of the VPN instances of the PEs and ASBRs

Procedure
Step 1 On the MPLS backbone networks in AS 100 and AS 200, configure an IGP to interconnect the
PE and ASBR on each network.
In this example, OSPF is used as the IGP protocol. For details, see "Configuration Files."

NOTE

The 32-bit IP address of the loopback interface that functions as the LSR ID needs to be advertised by
using OSPF.

After the configuration, the OSPF neighbor relationship can be established between the ASBR
and PE in the same AS. Run the display ospf peer command, and you can view that the neighbor
relationship is in the Full state.
The ASBR and PE in the same AS can learn and successfully ping the IP address of the loopback
interface of each other.
Step 2 Configure basic MPLS functions and MPLS LDP, and set up MPLS LDP LSPs on the MPLS
backbone network in AS 100 and AS 200.
# Configure basic MPLS functions on PE1 and enable LDP on the interface that connects PE1
to ASBR1.
<PE1> system-view
[~PE1] mpls lsr-id 1.1.1.9
[~PE1] mpls
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] quit
[~PE1] interface pos1/0/0
[~PE1-Pos1/0/0] mpls
[~PE1-Pos1/0/0] mpls ldp
[~PE1-Pos1/0/0] commit
[~PE1-Pos1/0/0] quit

# Configure basic MPLS functions on ASBR1 and enable LDP on the interface that connects
ASBR1 to PE1.
<ASBR1> system-view
[~ASBR1] mpls lsr-id 2.2.2.9
[~ASBR1] mpls
[~ASBR1-mpls] quit
[~ASBR1] mpls ldp
[~ASBR1-mpls-ldp] quit
[~ASBR1] interface pos1/0/0
[~ASBR1-Pos1/0/0] mpls
[~ASBR1-Pos1/0/0] mpls ldp
[~ASBR1-Pos1/0/0] commit
[~ASBR1-Pos1/0/0] quit

# Configure basic MPLS functions on ASBR2 and enable LDP on the interface that connects
ASBR2 to PE2.
<ASBR2> system-view
[~ASBR2] mpls lsr-id 3.3.3.9
[~ASBR2] mpls
[~ASBR2-mpls] quit
[~ASBR2] mpls ldp
[~ASBR2-mpls-ldp] quit
[~ASBR2] interface pos1/0/0
[~ASBR2-Pos1/0/0] mpls
[~ASBR2-Pos1/0/0] mpls ldp
[~ASBR2-Pos1/0/0] commit
[~ASBR2-Pos1/0/0] quit

# Configure basic MPLS functions on PE2 and enable LDP on the interface that connects PE2
to ASBR2.
<PE2> system-view
[~PE2] mpls lsr-id 4.4.4.9
[~PE2] mpls
[~PE2-mpls] quit
[~PE2] mpls ldp
[~PE2-mpls-ldp] quit
[~PE2] interface pos1/0/0
[~PE2-Pos1/0/0] mpls
[~PE2-Pos1/0/0] mpls ldp
[~PE2-Pos1/0/0] commit
[~PE2-Pos1/0/0] quit

After the configuration, the LDP session is established between the PE and ASBR in the same
AS. Run the display mpls ldp session command on the PEs and ASBRs, and you can view that
the Status field is displayed as Operational.
Take the display on PE1 as an example.
<PE1> display mpls ldp session
LDP Session(s) in Public Network
--------------------------------------------------------------------------
Peer-ID Status LAM SsnRole SsnAge KA-Sent/Rcv
--------------------------------------------------------------------------
2.2.2.9:0 Operational DU Passive 000:00:02 9/9
--------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
LAM : Label Advertisement Mode SsnAge Unit : DDD:HH:MM

Step 3 Configure basic BGP/MPLS IP VPN functions in AS 100 and AS 200.


NOTE

The VPN targets of the VPN instances of the ASBR and PE in an AS must be the same. The VPN targets
of the VPN instances of the ASBR and PE in different ASs can be different.

# Configure CE1.
<CE1> system-view
[~CE1] interface gigabitethernet 1/0/0
[~CE1-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[~CE1-GigabitEthernet1/0/0] quit
[~CE1] interface loopback 1
[~CE1-Loopback1] ip address 11.11.11.11 32
[~CE1-Loopback1] quit
[~CE1] bgp 65001
[~CE1-bgp] peer 10.1.1.2 as-number 100
[~CE1-bgp] network 11.11.11.11 32
[~CE1-bgp] quit
[~CE1] commit

# On PE1, set up an EBGP peer relationship between PE1 and CE1.


[~PE1] ip vpn-instance vpn1
[~PE1-vpn-instance-vpn1] ipv4-family
[~PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[~PE1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 both
[~PE1-vpn-instance-vpn1-af-ipv4] quit
[~PE1-vpn-instance-vpn1] quit
[~PE1] interface gigabitethernet 2/0/0
[~PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[~PE1-GigabitEthernet2/0/0] ip address 10.1.1.2 24
[~PE1-GigabitEthernet2/0/0] commit
[~PE1-GigabitEthernet2/0/0] quit
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpn1
[~PE1-bgp-vpn1] peer 10.1.1.1 as-number 65001
[~PE1-bgp-vpn1] commit
[~PE1-bgp-vpn1] quit
[~PE1-bgp] quit

# On PE1, set up an MP-IBGP peer relationship between PE1 and ASBR1.


[~PE1] bgp 100
[~PE1-bgp] peer 2.2.2.9 as-number 100
[~PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[~PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit

# On ASBR1, set up an MP-IBGP peer relationship between ASBR1 and PE1.


[~ASBR1] bgp 100
[~ASBR1-bgp] peer 1.1.1.9 as-number 100
[~ASBR1-bgp] peer 1.1.1.9 connect-interface loopback 1
[~ASBR1-bgp] ipv4-family vpnv4
[~ASBR1-bgp-af-vpnv4] peer 1.1.1.9 enable
[~ASBR1-bgp-af-vpnv4] commit
[~ASBR1-bgp-af-vpnv4] quit
[~ASBR1-bgp] quit

NOTE

The configurations of CE2, PE2, and ASBR2 are similar to the configurations of CE1, PE1, and ASBR1
respectively, and are not mentioned here.

After the configuration, run the display bgp vpnv4 vpn-instance vpn-instance-name peer
command on the PEs, and you can view that BGP peer relationships have been established
between PEs and CEs. Run the display bgp vpnv4 all peer command, and you can view that
the BGP peer relationships have been established between each PE and CE, and between each
PE and ASBR.
Take the display on PE1 as an example.
<PE1> display bgp vpnv4 vpn-instance vpn1 peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 65001 10 10 0 00:07:10 Established 0
<PE1> display bgp vpnv4 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2.2.2.9 4 100 3 7 0 00:01:36 Established 0
Peer of vpn instance:
VPN-Instance vpn1, router ID 1.1.1.9:
10.1.1.1 4 65001 13 13 0 00:04:00 Established 2

Step 4 Configure inter-AS VPN in VRF-to-VRF mode.


# On ASBR1, create a VPN instance and bind it to the interface that connects ASBR1 to ASBR2
(ASBR1 regards ASBR2 as its CE).
[~ASBR1] ip vpn-instance vpn1
[~ASBR1-vpn-instance-vpn1] ipv4-family
[~ASBR1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:2
[~ASBR1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 both
[~ASBR1-vpn-instance-vpn1-af-ipv4] quit
[~ASBR1-vpn-instance-vpn1] quit
[~ASBR1] interface pos 2/0/0
[~ASBR1-Pos2/0/0] ip binding vpn-instance vpn1
[~ASBR1-Pos2/0/0] ip address 192.1.1.1 24
[~ASBR1-Pos2/0/0] quit
[~ASBR1] commit

# On ASBR2, create a VPN instance and bind it to the interface that connects ASBR2 to ASBR1
(ASBR2 regards ASBR1 as its CE).
[~ASBR2] ip vpn-instance vpn1
[~ASBR2-vpn-instance-vpn1] ipv4-family
[~ASBR2-vpn-instance-vpn1-af-ipv4] route-distinguisher 200:2
[~ASBR2-vpn-instance-vpn1-af-ipv4] vpn-target 2:2 both
[~ASBR2-vpn-instance-vpn1-af-ipv4] commit
[~ASBR2-vpn-instance-vpn1-af-ipv4] quit
[~ASBR2-vpn-instance-vpn1] quit
[~ASBR2] interface pos 2/0/0
[~ASBR2-Pos2/0/0] ip binding vpn-instance vpn1
[~ASBR2-Pos2/0/0] ip address 192.1.1.2 24
[~ASBR2-Pos2/0/0] commit
[~ASBR2-Pos2/0/0] quit

# On ASBR1, set up an EBGP peer relationship between ASBR1 and ASBR2.


[~ASBR1] bgp 100
[~ASBR1-bgp] ipv4-family vpn-instance vpn1
[~ASBR1-bgp-vpn1] peer 192.1.1.2 as-number 200
[~ASBR1-bgp-vpn1] commit
[~ASBR1-bgp-vpn1] quit
[~ASBR1-bgp] quit

# On ASBR2, set up an EBGP peer relationship between ASBR2 and ASBR1.


[~ASBR2] bgp 200
[~ASBR2-bgp] ipv4-family vpn-instance vpn1
[~ASBR2-bgp-vpn1] peer 192.1.1.1 as-number 100
[~ASBR2-bgp-vpn1] commit
[~ASBR2-bgp-vpn1] quit
[~ASBR2-bgp] quit

After the configuration, run the display bgp vpnv4 vpn-instance peer command on the ASBRs,
and you can view that BGP peer relationships have been established between the ASBRs.
Step 5 Verify the configuration.
After the configuration, CEs can learn routes from each other, and CE1 and CE2 can ping each
other successfully.
Take the display on CE1 as an example.
<CE1> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 7 Routes : 7
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.1 GigabitEthernet1/0/0
10.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
22.22.22.22/32 BGP 255 0 D 10.1.1.2 GigabitEthernet1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.1.1.0/24 BGP 255 0 D 10.1.1.2 GigabitEthernet1/0/0
192.1.1.2/32 BGP 255 0 D 10.1.1.2 GigabitEthernet1/0/0
[~CE1] ping -a 11.11.11.11 22.22.22.22
PING 22.22.22.22: 56 data bytes, press CTRL_C to break
Reply from 22.22.22.22: bytes=56 Sequence=1 ttl=251 time=119 ms
Reply from 22.22.22.22: bytes=56 Sequence=2 ttl=251 time=141 ms
Reply from 22.22.22.22: bytes=56 Sequence=3 ttl=251 time=136 ms
Reply from 22.22.22.22: bytes=56 Sequence=4 ttl=251 time=113 ms
Reply from 22.22.22.22: bytes=56 Sequence=5 ttl=251 time=78 ms
--- 22.22.22.22 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 78/117/141 ms

Run the display ip routing-table vpn-instance command on an ASBR, and you can view the
VPN routing table on the ASBR.
<ASBR1> display ip routing-table vpn-instance vpn1
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: vpn1
Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost Flags NextHop Interface
11.11.11.11/32 BGP 255 0 RD 1.1.1.9 Pos1/0/0
22.22.22.22/32 BGP 255 0 D 192.1.1.2 Pos2/0/0
192.1.1.0/24 Direct 0 0 D 192.1.1.1 Pos2/0/0
192.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.1.1.2/32 Direct 0 0 D 192.1.1.2 Pos2/0/0

Run the display bgp vpnv4 all routing-table command on an ASBR, and you can view the
VPNv4 routes on the ASBR.
<ASBR1> display bgp vpnv4 all routing-table
Local AS number : 100
BGP Local router ID is 2.2.2.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 1
Route Distinguisher: 100:1
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 11.11.11.11/32 1.1.1.9 0 100 0 ?
VPN-Instance vpn1, router ID 2.2.2.9:

Total Number of Routes: 7


Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 11.11.11.11/32 1.1.1.9 0 100 0 65001?
*> 22.22.22.22/32 192.1.1.2 0 ?
*> 192.1.1.0 0.0.0.0 0 0 ?
* 192.1.1.2 0 0 200?
*> 192.1.1.1/32 0.0.0.0 0 0 ?
* 192.1.1.2 0 0 200?
*> 192.1.1.2/32 0.0.0.0 0 0 ?

----End

Configuration Files
• Configuration file of CE1
#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 11.11.11.11 255.255.255.255
#
bgp 65001
peer 10.1.1.2 as-number 100
network 11.11.11.11 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
#
return
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 65001
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
• Configuration file of ASBR1
#
sysname ASBR1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpn1
ip address 192.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
peer 192.1.1.2 as-number 200
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
• Configuration file of ASBR2
#
sysname ASBR2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:2
vpn-target 2:2 export-extcommunity
vpn-target 2:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpn1
ip address 192.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 200
peer 4.4.4.9 as-number 200
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 4.4.4.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 4.4.4.9 enable
#
ipv4-family vpn-instance vpn1
peer 192.1.1.1 as-number 100
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
vpn-target 2:2 export-extcommunity
vpn-target 2:2 import-extcommunity
#
mpls lsr-id 4.4.4.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 200
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 65002
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return

• Configuration file of CE2


#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 22.22.22.22 255.255.255.255
#
bgp 65002
peer 10.2.1.2 as-number 200
network 22.22.22.22 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.2.1.2 enable
#
return

Related Tasks
2.8 Configuring Inter-AS VPN Option A

2.18.11 Example for Configuring Inter-AS VPN Option B with Basic Networking
An MP-EBGP peer relationship can be established between the ASBRs with only one hop to
exchange VPNv4 routes.


Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

As shown in Figure 2-34, CE1 and CE2 belong to the same VPN. CE1 is connected to PE1 in
AS 100, and CE2 is connected to PE2 in AS 200. It is required that an MP-EBGP peer relationship
be established between the ASBRs to transmit VPNv4 routes, thus implementing inter-AS VPN
Option B.

Figure 2-34 Networking diagram of inter-AS VPN Option B with basic networking

[Figure not reproduced. CE1 (AS 65001) connects to PE1, and PE1 connects to ASBR1 over the BGP/MPLS backbone in AS 100. ASBR1 connects to ASBR2. ASBR2 connects to PE2 over the BGP/MPLS backbone in AS 200, and PE2 connects to CE2 (AS 65002). The figure shows the following addresses.]

Device   Interface   IP Address
CE1      Loopback1   11.11.11.11/32
         GE1/0/0     10.1.1.1/24
PE1      Loopback1   1.1.1.9/32
         GE2/0/0     10.1.1.2/24
         POS1/0/0    172.1.1.2/24
ASBR1    Loopback1   2.2.2.9/32
         POS1/0/0    172.1.1.1/24
         POS2/0/0    192.1.1.1/24
ASBR2    Loopback1   3.3.3.9/32
         POS1/0/0    162.1.1.1/24
         POS2/0/0    192.1.1.2/24
PE2      Loopback1   4.4.4.9/32
         GE2/0/0     10.2.1.2/24
         POS1/0/0    162.1.1.2/24
CE2      Loopback1   22.22.22.22/32
         GE1/0/0     10.2.1.1/24

Configuration Notes
When configuring inter-AS VPN Option B with basic networking, note the following:

• An MP-EBGP peer relationship is established between ASBR1 and ASBR2, and the
ASBRs do not filter received VPNv4 routes based on VPN targets.

Configuration Roadmap
The configuration roadmap is as follows:


1. Configure an IGP on the MPLS backbone network to implement interworking of the ASBR
and PE in the same AS, and set up an MPLS LDP LSP between the ASBR and PE in the
same AS.
2. Set up EBGP peer relationships between the PEs and CEs and set up MP-IBGP peer
relationships between the PEs and ASBRs.
3. Configure VPN instances on the PEs rather than ASBRs.
4. Enable MPLS on the interface that connects one ASBR to the other ASBR, set up an MP-
EBGP peer relationship between the ASBRs, and configure the ASBRs not to filter received
VPNv4 routes based on VPN targets.

Data Preparation
To complete the configuration, you need the following data:
• MPLS LSR IDs of the PEs and ASBRs
• Names, RDs, and VPN targets of the VPN instances of the PEs

Procedure
Step 1 On the MPLS backbone networks in AS 100 and AS 200, configure an IGP to interconnect the
PE and ASBR on each network.
In this example, OSPF is used as the IGP protocol. For details, see "Configuration Files."

NOTE

The 32-bit IP address of the loopback interface that functions as the LSR ID needs to be advertised by
using OSPF.

After the configuration, the OSPF neighbor relationship can be established between the ASBR
and PE in the same AS. Run the display ospf peer command, and you can view that the neighbor
relationship is in the Full state.
The ASBR and PE in the same AS can learn and successfully ping the IP address of the loopback
interface of each other.
Step 2 Configure basic MPLS functions and MPLS LDP, and set up MPLS LDP LSPs on the MPLS
backbone networks in AS 100 and AS 200.
The detailed configuration is not mentioned here. For details, see 2.18.10 Example for
Configuring Inter-AS VPN Option A.
Step 3 Configure the basic BGP/MPLS IP VPN functions on PE1 and PE2.
NOTE

The VPN targets of the VPN instances of PE1 and PE2 must be the same.

The detailed configuration is not mentioned here. For details, see "Configuration Files."
Step 4 Configure inter-AS VPN Option B.
# On ASBR1, set up an MP-EBGP peer relationship between ASBR1 and ASBR2, and configure
ASBR1 not to filter received VPNv4 routes based on VPN targets.
[~ASBR1] bgp 100
[~ASBR1-bgp] peer 192.1.1.2 as-number 200
[~ASBR1-bgp] ipv4-family vpnv4
[~ASBR1-bgp-af-vpnv4] peer 192.1.1.2 enable
[~ASBR1-bgp-af-vpnv4] undo policy vpn-target
[~ASBR1-bgp-af-vpnv4] commit
[~ASBR1-bgp-af-vpnv4] quit
[~ASBR1-bgp] quit

The configuration of ASBR2 is similar to the configuration of ASBR1, and is not mentioned
here.
Step 5 Verify the configuration.
After the configuration, CEs can learn routes to the loopback interface of each other, and CE1
and CE2 can ping each other successfully.
Take the display on CE1 as an example.
<CE1> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.1 GigabitEthernet1/0/0
10.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
22.22.22.22/32 BGP 255 0 D 10.1.1.2 GigabitEthernet1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
<CE1> ping -a 11.11.11.11 22.22.22.22
PING 22.22.22.22: 56 data bytes, press CTRL_C to break
Reply from 22.22.22.22: bytes=56 Sequence=1 ttl=252 time=120 ms
Reply from 22.22.22.22: bytes=56 Sequence=2 ttl=252 time=73 ms
Reply from 22.22.22.22: bytes=56 Sequence=3 ttl=252 time=111 ms
Reply from 22.22.22.22: bytes=56 Sequence=4 ttl=252 time=86 ms
Reply from 22.22.22.22: bytes=56 Sequence=5 ttl=252 time=110 ms
--- 22.22.22.22 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 73/100/120 ms

Run the display bgp vpnv4 all routing-table command on an ASBR, and you can view the
VPNv4 routes on the ASBR.
Take the display on ASBR1 as an example.
<ASBR1> display bgp vpnv4 all routing-table
Local AS number : 100
BGP Local router ID is 2.2.2.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 2
Route Distinguisher: 100:1
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 11.11.11.11/32 1.1.1.9 0 100 0 ?
Route Distinguisher: 200:1
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 22.22.22.22/32 192.1.1.2 0 200?

----End

Configuration Files
• Configuration file of CE1
#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 11.11.11.11 255.255.255.255
#
bgp 65001
peer 10.1.1.2 as-number 100
network 11.11.11.11 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
return
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 65001
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
• Configuration file of ASBR1
#
sysname ASBR1
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 192.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 192.1.1.2 as-number 200
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 192.1.1.2 enable
peer 1.1.1.9 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 1.1.1.9 enable
peer 192.1.1.2 enable
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
• Configuration file of ASBR2
#
sysname ASBR2
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 192.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 200
peer 192.1.1.1 as-number 100
peer 4.4.4.9 as-number 200
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 192.1.1.1 enable
peer 4.4.4.9 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 4.4.4.9 enable
peer 192.1.1.1 enable
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 4.4.4.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 200
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 65002
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return

• Configuration file of CE2


#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 22.22.22.22 255.255.255.255
#
bgp 65002
peer 10.2.1.2 as-number 200
network 22.22.22.22 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.2.1.2 enable
#
return

Related Tasks
2.9 Configuring Inter-AS VPN Option B (Basic Networking)
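
The NOTE in Step 3 of 2.18.10 (the VPN targets of the ASBR and PE in one AS must be the same) and the configuration note of 2.18.11 (the ASBRs do not filter received VPNv4 routes based on VPN targets) can both be checked offline against saved configuration files. The following Python script is an added example, not part of this guide or of Huawei software; it reads the configuration-file form printed above, its embedded samples are trimmed excerpts of those files, and matching VPN instances by name is an assumption of the example.

```python
import re

def parse_config(text):
    """Parse one '#'-delimited configuration file in the form printed in this guide."""
    dev = {"name": None, "asn": None, "peer_as": {}, "vrfs": {},
           "vpnv4_peers": [], "rt_filter": True}
    stanzas, cur = [], []
    for raw in text.splitlines() + ["#"]:
        line = raw.strip()
        if line in ("#", "return"):          # stanza separators
            if cur:
                stanzas.append(cur)
            cur = []
        elif line:
            cur.append(line)
    for st in stanzas:
        head = st[0].split()
        if head[0] == "sysname":
            dev["name"] = head[1]
        elif head[:2] == ["ip", "vpn-instance"]:
            vrf = dev["vrfs"].setdefault(head[2], {"import": set(), "export": set()})
            for line in st:
                m = re.match(r"vpn-target (.+) (import|export)-extcommunity$", line)
                if m:
                    vrf[m.group(2)].update(m.group(1).split())
        elif head[0] == "bgp":
            dev["asn"] = int(head[1])
        elif head == ["ipv4-family", "vpnv4"]:
            # "undo policy vpn-target": received VPNv4 routes are not filtered by VPN target
            dev["rt_filter"] = "undo policy vpn-target" not in st
            dev["vpnv4_peers"] = [l.split()[1] for l in st
                                  if re.match(r"peer \S+ enable$", l)]
        for line in st:  # AS numbers appear in the bgp stanza and in vpn-instance families
            m = re.match(r"peer (\S+) as-number (\d+)$", line)
            if m:
                dev["peer_as"][m.group(1)] = int(m.group(2))
    return dev

def unfiltered_ebgp_vpnv4(devs):
    """VPNv4 sessions to another AS on devices where VPN-target filtering is off."""
    out = []
    for d in devs:
        if d["rt_filter"]:
            continue
        for peer in d["vpnv4_peers"]:
            peer_as = d["peer_as"].get(peer)
            if peer_as is not None and peer_as != d["asn"]:
                out.append((d["name"], peer, peer_as))
    return sorted(out)

def rt_mismatches(devs):
    """Devices in one AS whose same-named VPN instance has different VPN targets."""
    out = []
    for i, a in enumerate(devs):
        for b in devs[i + 1:]:
            if a["asn"] != b["asn"]:
                continue  # per the NOTE, VPN targets may differ between ASs in Option A
            for name in sorted(a["vrfs"].keys() & b["vrfs"].keys()):
                if a["vrfs"][name] != b["vrfs"][name]:
                    out.append((a["asn"], name, a["name"], b["name"]))
    return out

# Trimmed excerpts of the configuration files printed in 2.18.10 and 2.18.11.
PE1_OPTION_A = """sysname PE1
#
ip vpn-instance vpn1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
bgp 100
"""
ASBR1_OPTION_A = """sysname ASBR1
#
ip vpn-instance vpn1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
bgp 100
"""
ASBR1_OPTION_B = """sysname ASBR1
#
bgp 100
peer 192.1.1.2 as-number 200
peer 1.1.1.9 as-number 100
#
ipv4-family vpnv4
undo policy vpn-target
peer 1.1.1.9 enable
peer 192.1.1.2 enable
"""

if __name__ == "__main__":
    option_a = [parse_config(PE1_OPTION_A), parse_config(ASBR1_OPTION_A)]
    option_b = [parse_config(ASBR1_OPTION_B)]
    print("Option A, VPN-target mismatches inside one AS:", rt_mismatches(option_a))
    print("Option B, EBGP VPNv4 sessions without VPN-target filtering:",
          unfiltered_ebgp_vpnv4(option_b))
```

Each tuple returned by unfiltered_ebgp_vpnv4 names an inter-AS session on which the ASBR accepts VPNv4 routes regardless of VPN target, which makes that list the set of sessions to review.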

2.18.12 Example for Configuring Inter-AS VPN Option B with an RR in an AS
An MP-EBGP peer relationship can be established between the ASBRs with only one hop to
implement inter-AS VPN Option B, and an RR is configured in an AS to reflect VPNv4 routes.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

As shown in Figure 2-35, CE1, CE2, and CE3 belong to the same VPN; PE1 and PE3 are in the
same AS. It is required that inter-AS VPN Option B be configured and an RR be configured in
AS 100 to reflect VPNv4 routes between PEs and between a PE and an ASBR so as to reduce
MP-IBGP connections in AS 100.


Figure 2-35 Networking of inter-AS VPN Option B with an RR in an AS

[Figure not reproduced. PE1, PE3, the RR, and ASBR1 are in the BGP/MPLS backbone of AS 100; ASBR2 and PE2 are in the BGP/MPLS backbone of AS 200. CE1 (AS 65001), CE2 (AS 65002), and CE3 (AS 65003) attach to PE1, PE2, and PE3 respectively. Interface addresses are listed in the following table.]

Device   Interface   IP Address
CE1      Loopback1   11.11.11.11/32
         GE1/0/0     10.1.1.1/24
PE1      Loopback1   1.1.1.1/32
         GE 2/0/0    10.1.1.2/24
         POS 1/0/0   172.1.1.2/24
RR       Loopback1   4.4.4.4/32
         POS 1/0/0   172.1.1.1/24
         POS 2/0/0   172.2.1.1/24
         POS 3/0/0   172.3.1.1/24
CE3      Loopback1   33.33.33.33/32
         GE 1/0/0    10.3.1.1/24
PE3      Loopback1   3.3.3.3/32
         GE 2/0/0    10.3.1.2/24
         POS 1/0/0   172.3.1.2/24
ASBR1    Loopback1   5.5.5.5/32
         POS 1/0/0   172.2.1.2/24
         POS 2/0/0   192.1.1.1/24
ASBR2    Loopback1   6.6.6.6/32
         POS 1/0/0   162.1.1.1/24
         POS 2/0/0   192.1.1.2/24
CE2      Loopback1   22.22.22.22/32
         GE 1/0/0    10.2.1.1/24
PE2      Loopback1   2.2.2.2/32
         GE 2/0/0    10.2.1.2/24
         POS 1/0/0   162.1.1.2/24

Configuration Notes
When configuring inter-AS VPN Option B with an RR in an AS, note the following:

• There is no need to create VPN instances on ASBRs or configure ASBRs to filter VPNv4
routes based on VPN targets.
• PE1, PE3, and ASBR1 need to be configured as clients for the RR.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure an IGP on the MPLS backbone network to implement interworking of the ASBR
and PE in the same AS, and set up an MPLS LDP LSP between the ASBR and PE in the
same AS.
2. Set up EBGP peer relationships between the PEs and CEs and set up MP-IBGP peer
relationships between the PEs and ASBRs in the same AS.
3. Enable the route reflection for VPNv4 routes on the RR.
4. Configure VPN instances on the PEs rather than ASBRs or the RR.
5. Enable MPLS on the interface that connects one ASBR to the other ASBR, set up an MP-
EBGP peer relationship between the ASBRs, and configure the ASBRs not to filter received
VPNv4 routes based on VPN targets.


Data Preparation
To complete the configuration, you need the following data:
• AS numbers of PEs and CEs
• MPLS LSR IDs of the PEs and the ASBR-PEs
• Names, RDs, and VPN targets of the VPN instances created on PE1 and PE2

Configuration Procedures
1. On the MPLS backbone networks in AS 100 and AS 200, configure an IGP to interconnect
the devices in the same AS. In this example, OSPF is used as the IGP protocol. For details,
see "Configuration Files."
After the configuration, the OSPF neighbor relationship can be established between the
devices in the same AS. Run the display ospf peer command, and you can view that the
neighbor relationship is in the Full state. Run the display ip routing-table command, and
you can view that PEs have learnt the routes to the loopback interface of each other.
2. Configure basic MPLS functions and MPLS LDP, and set up MPLS LDP LSPs on the
MPLS backbone networks in AS 100 and AS 200.
# Configure PE1.
[~PE1] mpls lsr-id 1.1.1.1
[~PE1] mpls
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] quit
[~PE1] interface pos 1/0/0
[~PE1-Pos1/0/0] mpls
[~PE1-Pos1/0/0] mpls ldp
[~PE1-Pos1/0/0] commit
[~PE1-Pos1/0/0] quit

The configurations of PE2 and PE3 are similar to the configuration of PE1, and are not
mentioned here. For details, see "Configuration Files."
# Configure the RR.
[~RR] mpls lsr-id 4.4.4.4
[~RR] mpls
[~RR-mpls] quit
[~RR] mpls ldp
[~RR-mpls-ldp] quit
[~RR] interface pos 1/0/0
[~RR-Pos1/0/0] mpls
[~RR-Pos1/0/0] mpls ldp
[~RR-Pos1/0/0] quit
[~RR] interface pos 2/0/0
[~RR-Pos2/0/0] mpls
[~RR-Pos2/0/0] mpls ldp
[~RR-Pos2/0/0] quit
[~RR] interface pos 3/0/0
[~RR-Pos3/0/0] mpls
[~RR-Pos3/0/0] mpls ldp
[~RR-Pos3/0/0] quit
[~RR] commit

# Configure ASBR1.
[~ASBR1] mpls lsr-id 5.5.5.5
[~ASBR1] mpls
[~ASBR1-mpls] quit
[~ASBR1] mpls ldp
[~ASBR1-mpls-ldp] quit
[~ASBR1] interface pos 1/0/0
[~ASBR1-Pos1/0/0] mpls
[~ASBR1-Pos1/0/0] mpls ldp
[~ASBR1-Pos1/0/0] quit
[~ASBR1] commit
The configuration of ASBR2 is similar to the configuration of ASBR1, and is not mentioned
here. For details, see "Configuration Files."
After the configuration, LDP sessions can be set up between PEs and the RR and between
ASBRs and the RR. Run the display mpls ldp session command on each device, and you
can view that the Status field is displayed as Operational. Take the display on PE1 as an
example.
<PE1> display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
-------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
-------------------------------------------------------------------------
4.4.4.4:0 Operational DU Passive 0000:00:01 5/5
-------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
3. Set up MP-IBGP peer relationships between the PEs, ASBRs, and RR in AS 100; set up
an MP-IBGP peer relationship between the PE and ASBR in AS 200.
# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] peer 4.4.4.4 as-number 100
[~PE1-bgp] peer 4.4.4.4 connect-interface loopback 1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 4.4.4.4 enable
[~PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit
The configurations of PE2 and PE3 are similar to the configuration of PE1, and are not
mentioned here. For details, see "Configuration Files."
# Configure ASBR1.
[~ASBR1] bgp 100
[~ASBR1-bgp] peer 4.4.4.4 as-number 100
[~ASBR1-bgp] peer 4.4.4.4 connect-interface loopback 1
[~ASBR1-bgp] ipv4-family vpnv4
[~ASBR1-bgp-af-vpnv4] peer 4.4.4.4 enable
[~ASBR1-bgp-af-vpnv4] commit
[~ASBR1-bgp-af-vpnv4] quit
[~ASBR1-bgp] quit
The configuration of ASBR2 is similar to the configuration of ASBR1, and is not mentioned
here. For details, see "Configuration Files."
Set up MP-IBGP peer relationships between the RR and PE1, PE3, and ASBR1.
[~RR] bgp 100
[~RR-bgp] peer 1.1.1.1 as-number 100
[~RR-bgp] peer 1.1.1.1 connect-interface loopback 1
[~RR-bgp] peer 3.3.3.3 as-number 100
[~RR-bgp] peer 3.3.3.3 connect-interface loopback 1
[~RR-bgp] peer 5.5.5.5 as-number 100
[~RR-bgp] peer 5.5.5.5 connect-interface loopback 1
[~RR-bgp] ipv4-family vpnv4
[~RR-bgp-af-vpnv4] peer 1.1.1.1 enable
[~RR-bgp-af-vpnv4] peer 3.3.3.3 enable
[~RR-bgp-af-vpnv4] peer 5.5.5.5 enable
[~RR-bgp-af-vpnv4] commit
[~RR-bgp-af-vpnv4] quit
[~RR-bgp] quit
After the configuration, run the display bgp peer or display bgp vpnv4 all peer command
on the PEs, RR, or ASBRs, and you can view that the BGP peer relationships have been
established between the PEs or ASBRs and the RR in AS 100. Take the display on the RR
as an example:
<RR> display bgp vpnv4 all peer
BGP local router ID : 4.4.4.4
Local AS number : 100
Total number of peers : 3 Peers in established state : 3
Peer      V  AS   MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
1.1.1.1   4  100  12       18       0     00:09:38  Established  0
3.3.3.3   4  100  12       18       0     00:09:38  Established  0
5.5.5.5   4  100  12       18       0     00:09:38  Established  0

4. Enable the route reflection for VPNv4 routes on the RR.


# Configure the RR.
[~RR] bgp 100
[~RR-bgp] ipv4-family vpnv4
[~RR-bgp-af-vpnv4] undo policy vpn-target
[~RR-bgp-af-vpnv4] peer 1.1.1.1 reflect-client
[~RR-bgp-af-vpnv4] peer 3.3.3.3 reflect-client
[~RR-bgp-af-vpnv4] peer 5.5.5.5 reflect-client
[~RR-bgp-af-vpnv4] commit
[~RR-bgp-af-vpnv4] quit
[~RR-bgp] quit

5. Configure VPN instances on the PEs and connect the CEs to the PEs through the VPN
instances.
# Configure PE1.
[~PE1] ip vpn-instance vpna
[~PE1-vpn-instance-vpna] ipv4-family
[~PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[~PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] interface gigabitethernet 2/0/0
[~PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[~PE1-GigabitEthernet2/0/0] ip address 10.1.1.2 24
[~PE1-GigabitEthernet2/0/0] quit
[~PE1] commit

The configurations of PE2 and PE3 are similar to the configuration of PE1, and are not
mentioned here. For details, see "Configuration Files."
# After the configuration, run the display ip vpn-instance verbose command on PEs to
view the configurations of VPN instances.
<PE1> display ip vpn-instance verbose
Total VPN-Instances configured : 1
VPN-Instance Name and ID : vpna, 1
Interfaces : GigabitEthernet2/0/0
Address family ipv4
Create date : 2009/09/18 11:30:35
Up time : 0 days, 00 hours, 05 minutes and 19 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label policy: label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe

6. Set up EBGP peer relationships between the PEs and CEs, and import VPN routes to the
loopback interfaces of the CEs.
# Configure CE1.
[~CE1] interface loopback 1
[~CE1-Loopback1] ip address 11.11.11.11 32
[~CE1-Loopback1] quit
[~CE1] bgp 65001
[~CE1-bgp] peer 10.1.1.2 as-number 100
[~CE1-bgp] network 11.11.11.11 32
[~CE1-bgp] quit
[~CE1] commit

The configurations of CE2 and CE3 are similar to the configuration of CE1, and are not
mentioned here. For details, see "Configuration Files."
# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpna
[~PE1-bgp-vpna] peer 10.1.1.1 as-number 65001
[~PE1-bgp-vpna] commit
[~PE1-bgp-vpna] quit

The configurations of PE2 and PE3 are similar to the configuration of PE1, and are not
mentioned here. For details, see "Configuration Files."
After the configuration, run the display bgp vpnv4 vpn-instance peer command on the
PEs, and you can view that BGP peer relationships have been established between the PEs
and CEs.
Take the peer relationship between PE1 and CE1 as an example.
<PE1> display bgp vpnv4 vpn-instance vpna peer
BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer      V  AS     MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
10.1.1.1  4  65001  11       9        0     00:06:37  Established  1

7. Set up an MP-EBGP peer relationship between the ASBRs, and configure the ASBRs not
to filter received VPNv4 routes based on VPN targets.
# On ASBR1, set up an MP-EBGP peer relationship between ASBR1 and ASBR2, and
configure ASBR1 not to filter received VPNv4 routes based on VPN targets.
[~ASBR1] bgp 100
[~ASBR1-bgp] peer 192.1.1.2 as-number 200
[~ASBR1-bgp] ipv4-family vpnv4
[~ASBR1-bgp-af-vpnv4] peer 192.1.1.2 enable
[~ASBR1-bgp-af-vpnv4] undo policy vpn-target
[~ASBR1-bgp-af-vpnv4] commit
[~ASBR1-bgp-af-vpnv4] quit
[~ASBR1-bgp] quit

The configuration of ASBR2 is similar to the configuration of ASBR1, and is not mentioned
here. For details, see "Configuration Files."
8. Verify the configuration.
After the configuration, CEs can learn routes to the loopback interface of each other, and
CE1 and CE2 can ping each other successfully.
Take the display on CE1 as an example.
<CE1> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 7 Routes : 7
Destination/Mask  Proto   Pre  Cost  Flags  NextHop    Interface
10.1.1.0/24       Direct  0    0     D      10.1.1.1   GigabitEthernet1/0/0
10.1.1.1/32       Direct  0    0     D      127.0.0.1  InLoopBack0
11.11.11.11/32    Direct  0    0     D      127.0.0.1  LoopBack1
22.22.22.22/32    BGP     255  0     D      10.1.1.2   GigabitEthernet1/0/0
33.33.33.33/32    BGP     255  0     D      10.1.1.2   GigabitEthernet1/0/0
127.0.0.0/8       Direct  0    0     D      127.0.0.1  InLoopBack0
127.0.0.1/32      Direct  0    0     D      127.0.0.1  InLoopBack0
<CE1> ping -a 11.11.11.11 22.22.22.22
PING 22.22.22.22: 56 data bytes, press CTRL_C to break
Reply from 22.22.22.22: bytes=56 Sequence=1 ttl=252 time=120 ms
Reply from 22.22.22.22: bytes=56 Sequence=2 ttl=252 time=73 ms
Reply from 22.22.22.22: bytes=56 Sequence=3 ttl=252 time=111 ms
Reply from 22.22.22.22: bytes=56 Sequence=4 ttl=252 time=86 ms
Reply from 22.22.22.22: bytes=56 Sequence=5 ttl=252 time=110 ms
--- 22.22.22.22 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 73/100/120 ms

Run the display bgp vpnv4 all routing-table command on the RR or ASBRs, and you can
view the VPNv4 routes on the RR or ASBRs.
<RR> display bgp vpnv4 all routing-table
Local AS number : 100
BGP Local router ID is 4.4.4.4
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total number of routes from all PE: 3

Route Distinguisher: 100:1
    Network         NextHop  MED  LocPrf  PrefVal  Path/Ogn
*>i 11.11.11.11/32  1.1.1.1  0    100     0        ?

Route Distinguisher: 200:2
    Network         NextHop  MED  LocPrf  PrefVal  Path/Ogn
*>i 22.22.22.22/32  5.5.5.5  0    100     0        ?

Route Distinguisher: 100:3
    Network         NextHop  MED  LocPrf  PrefVal  Path/Ogn
*>i 33.33.33.33/32  3.3.3.3  0    100     0        ?

Configuration Files
• Configuration file of CE1
#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 11.11.11.11 255.255.255.255
#
bgp 65001
peer 10.1.1.2 as-number 100
network 11.11.11.11 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
#
return
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 4.4.4.4 as-number 100
peer 4.4.4.4 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 4.4.4.4 enable
#
ipv4-family vpnv4
policy vpn-target
peer 4.4.4.4 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65001
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 1.1.1.1 0.0.0.0
#
return
• Configuration file of PE3
#
sysname PE3
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:3
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.3
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.3.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
peer 4.4.4.4 as-number 100
peer 4.4.4.4 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 4.4.4.4 enable
#
ipv4-family vpnv4
policy vpn-target
peer 4.4.4.4 enable
#
ipv4-family vpn-instance vpna
peer 10.3.1.1 as-number 65003
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 172.3.1.0 0.0.0.255
#
return
• Configuration file of CE3
#
sysname CE3
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.3.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 33.33.33.33 255.255.255.255
#
bgp 65003
peer 10.3.1.2 as-number 100
network 33.33.33.33 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.3.1.2 enable
#
return
• Configuration file of the RR
#
sysname RR
#
mpls lsr-id 4.4.4.4
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 172.3.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
peer 5.5.5.5 as-number 100
peer 5.5.5.5 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
peer 3.3.3.3 enable
peer 5.5.5.5 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 1.1.1.1 enable
peer 1.1.1.1 reflect-client
peer 3.3.3.3 enable
peer 3.3.3.3 reflect-client
peer 5.5.5.5 enable
peer 5.5.5.5 reflect-client
#
ospf 1
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
network 172.3.1.0 0.0.0.255
#
return
• Configuration file of ASBR1
#
sysname ASBR1
#
mpls lsr-id 5.5.5.5
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 192.1.1.1 255.255.255.0
mpls
#
interface LoopBack1
ip address 5.5.5.5 255.255.255.255
#
bgp 100
peer 4.4.4.4 as-number 100
peer 4.4.4.4 connect-interface LoopBack1
peer 192.1.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
peer 4.4.4.4 enable
peer 192.1.1.2 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 4.4.4.4 enable
peer 192.1.1.2 enable
#
ospf 1
area 0.0.0.0
network 5.5.5.5 0.0.0.0
network 172.2.1.0 0.0.0.255
#
return
• Configuration file of ASBR2
#
sysname ASBR2
#
mpls lsr-id 6.6.6.6
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 192.1.1.2 255.255.255.0
mpls
#
interface LoopBack1
ip address 6.6.6.6 255.255.255.255
#
bgp 200
peer 2.2.2.2 as-number 200
peer 2.2.2.2 connect-interface LoopBack1
peer 192.1.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
peer 192.1.1.1 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 2.2.2.2 enable
peer 192.1.1.1 enable
#
ospf 1
area 0.0.0.0
network 6.6.6.6 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:2
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 2.2.2.2
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.2.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 200
peer 6.6.6.6 as-number 200
peer 6.6.6.6 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 6.6.6.6 enable
#
ipv4-family vpnv4
policy vpn-target
peer 6.6.6.6 enable
#
ipv4-family vpn-instance vpna
peer 10.2.1.1 as-number 65002
#
ospf 1
area 0.0.0.0
network 162.1.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
return
• Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 22.22.22.22 255.255.255.255
#
bgp 65002
peer 10.2.1.2 as-number 200
network 22.22.22.22 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.2.1.2 enable
#
return
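
The Configuration Notes and configuration files above keep VPN-target filtering on at the PEs and turn it off (undo policy vpn-target) at the RR and ASBRs. The audit script below is an added example, not part of the Huawei guide: it parses VRP-style configuration text and reports devices that break that pattern, RR peers that are not reflect-clients, and devices that exchange VPNv4 routes with another AS without a per-peer export route-policy. The sample configurations are constructed excerpts, and treating a `peer ... route-policy ... export` statement as the ASBR filter is an assumption.

```python
import re

# Constructed excerpts modelled on the configuration files above (interfaces,
# MPLS and OSPF trimmed). "RR-missing-client" is a hypothetical broken variant.
SAMPLES = {
    "ASBR1": """sysname ASBR1
#
bgp 100
peer 4.4.4.4 as-number 100
peer 192.1.1.2 as-number 200
#
ipv4-family vpnv4
undo policy vpn-target
peer 4.4.4.4 enable
peer 192.1.1.2 enable
""",
    "RR-missing-client": """sysname RR
#
bgp 100
peer 1.1.1.1 as-number 100
peer 3.3.3.3 as-number 100
#
ipv4-family vpnv4
undo policy vpn-target
peer 1.1.1.1 enable
peer 1.1.1.1 reflect-client
peer 3.3.3.3 enable
""",
}
PEER_RE = re.compile(r"peer (\S+) (enable|reflect-client|route-policy)(?: \S+ export)?")
BUCKET = {"enable": "vpnv4_peers", "reflect-client": "reflect_clients",
          "route-policy": "export_policy"}

def parse_device(text):
    """Collect the BGP/VPNv4 facts audit() needs from one VRP-style config."""
    dev = {"name": None, "as": None, "vpn_instances": [], "peer_as": {},
           "vpnv4_peers": set(), "reflect_clients": set(),
           "export_policy": set(), "vt_filter": True}
    in_bgp, family = False, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"sysname (\S+)", line):
            dev["name"] = m.group(1)
        elif m := re.fullmatch(r"ip vpn-instance (\S+)", line):
            dev["vpn_instances"].append(m.group(1))
        elif m := re.fullmatch(r"bgp (\d+)", line):
            dev["as"], in_bgp, family = int(m.group(1)), True, None
        elif re.match(r"(interface|ospf|return)\b", line):
            in_bgp = False          # left the BGP view
        elif not in_bgp:
            continue
        elif m := re.fullmatch(r"ipv4-family (.+)", line):
            family = m.group(1)     # "unicast", "vpnv4", "vpn-instance <name>"
        elif family is None and (m := re.fullmatch(r"peer (\S+) as-number (\d+)", line)):
            dev["peer_as"][m.group(1)] = int(m.group(2))
        elif family == "vpnv4" and line == "undo policy vpn-target":
            dev["vt_filter"] = False
        elif family == "vpnv4" and (m := PEER_RE.fullmatch(line)):
            dev[BUCKET[m.group(2)]].add(m.group(1))
    return dev

def audit(dev):
    """Return findings for one device; the policy is the pattern used on this page."""
    out = []
    if not dev["vt_filter"] and dev["vpn_instances"]:
        out.append("VPN-target filtering disabled on a device with VPN instances")
    if dev["reflect_clients"]:      # device acts as a route reflector
        for peer in sorted(dev["vpnv4_peers"] - dev["reflect_clients"]):
            if dev["peer_as"].get(peer) == dev["as"]:
                out.append(f"IBGP VPNv4 peer {peer} is not a reflect-client")
    if not dev["vt_filter"]:        # all received VPNv4 routes are accepted
        for peer in sorted(dev["vpnv4_peers"] - dev["export_policy"]):
            peer_as = dev["peer_as"].get(peer)
            if peer_as not in (None, dev["as"]):
                out.append(f"no export filter toward AS {peer_as} peer {peer}")
    return out

def run(samples=SAMPLES):
    """Audit every sample and return {label: [findings]}."""
    return {label: audit(parse_device(cfg)) for label, cfg in samples.items()}

if __name__ == "__main__":
    for label, findings in run().items():
        print(label, findings or ["no findings"])
```

The ASBR1 finding is expected for this example, which deliberately applies no filter at the AS boundary; it marks the point where the RD-based filter of the next example applies.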

2.18.13 Example for Configuring Inter-AS VPN Option B with an ASBR Filtering VPN Routes
A routing policy is configured on an ASBR to filter VPNv4 routes based on VPN targets and
only some VPNv4 routes are saved.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

As shown in Figure 2-36, CE1, CE2, and CE3 belong to the same VPN; PE2 is in a different AS
from PE1 and PE3. CE2 and CE3 do not need to communicate. It is required that ASBR1 be
configured to filter VPN routes based on RDs so that the routes of CE3 are not transmitted
to PE2 by ASBR2. This implements inter-AS VPN Option B.

Figure 2-36 Networking of inter-AS VPN Option B with an ASBR filtering VPN routes
[Figure: CE1 (AS 65001) and CE3 (AS 65003) attach to PE1 and PE3 in BGP/MPLS backbone AS 100; CE2 (AS 65002) attaches to PE2 in BGP/MPLS backbone AS 200; ASBR1 and ASBR2 connect the two backbones. Interfaces and IP addresses are listed in the following table.]

Device   Interface   IP Address
CE1      Loopback1   11.11.11.11/32
CE1      GE 1/0/0    10.1.1.1/24
PE1      Loopback1   1.1.1.1/32
PE1      GE 2/0/0    10.1.1.2/24
PE1      POS 1/0/0   172.1.1.2/24
CE3      Loopback1   33.33.33.33/32
CE3      GE 1/0/0    10.3.1.1/24
PE3      Loopback1   3.3.3.3/32
PE3      GE 2/0/0    10.3.1.2/24
PE3      POS 1/0/0   172.3.1.2/24
ASBR1    Loopback1   5.5.5.5/32
ASBR1    POS 1/0/0   172.1.1.1/24
ASBR1    POS 2/0/0   192.1.1.1/24
ASBR1    POS 3/0/0   172.3.1.1/24
ASBR2    Loopback1   6.6.6.6/32
ASBR2    POS 1/0/0   162.1.1.1/24
ASBR2    POS 2/0/0   192.1.1.2/24
CE2      Loopback1   22.22.22.22/32
CE2      GE 1/0/0    10.2.1.1/24
PE2      Loopback1   2.2.2.2/32
PE2      GE 2/0/0    10.2.1.2/24
PE2      POS 1/0/0   162.1.1.2/24

Configuration Notes
When configuring inter-AS VPN Option B with an ASBR filtering VPN routes, note the
following:

• An MP-IBGP peer relationship needs to be established between PE1 and PE3.
• There is no need to create VPN instances on the ASBRs. One ASBR needs to filter the
VPNv4 routes advertised to the other ASBR based on RDs.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure an IGP on the MPLS backbone network to implement interworking of the ASBR
and PE in the same AS, and set up an MPLS LDP LSP between the ASBR and PE in the
same AS.
2. Set up EBGP peer relationships between the PEs and CEs and set up MP-IBGP peer
relationships between the PEs and ASBR-PEs.
3. Configure VPN instances on the PEs rather than ASBRs.
4. Enable MPLS on the interface that connects one ASBR to the other ASBR and set up an
MP-EBGP peer relationship between the ASBRs. One ASBR needs to filter the VPNv4
routes advertised to the other ASBR based on RDs.

Data Preparation
To complete the configuration, you need the following data:

• MPLS LSR IDs of the PEs and ASBRs
• Names, RDs, and VPN targets of the VPN instances of the PEs
• Routing policy used by an ASBR to filter VPN routes based on VPN targets

Procedure
Step 1 On the MPLS backbone networks in AS 100 and AS 200, configure an IGP to interconnect the
devices in the same AS.
In this example, OSPF is used as the IGP protocol. For details, see "Configuration Files."
After the configuration, the OSPF neighbor relationships can be established between the devices
in the same AS. Run the display ospf peer command, and you can view that the neighbor
relationship is in the Full state. Run the display ip routing-table command, and you can view
that PEs or ASBRs have learnt the routes to the loopback interface of each other.
Step 2 Configure basic MPLS functions and MPLS LDP, and set up LDP LSPs on the MPLS backbone
network of each AS.
# Configure PE1.
[~PE1] mpls lsr-id 1.1.1.1
[~PE1] mpls
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] quit
[~PE1] interface pos 1/0/0
[~PE1-Pos1/0/0] mpls
[~PE1-Pos1/0/0] mpls ldp
[~PE1-Pos1/0/0] commit
[~PE1-Pos1/0/0] quit

The configurations of PE2 and PE3 are similar to the configuration of PE1, and are not mentioned
here. For details, see "Configuration Files."
# Configure ASBR1.
[~ASBR1] mpls lsr-id 5.5.5.5
[~ASBR1] mpls
[~ASBR1-mpls] quit
[~ASBR1] mpls ldp
[~ASBR1-mpls-ldp] quit
[~ASBR1] interface pos 1/0/0
[~ASBR1-Pos1/0/0] mpls
[~ASBR1-Pos1/0/0] mpls ldp
[~ASBR1-Pos1/0/0] commit
[~ASBR1-Pos1/0/0] quit

The configuration of ASBR2 is similar to the configuration of ASBR1, and is not mentioned
here. For details, see "Configuration Files."
After the configuration, the LDP sessions can be established between the PEs. Run the display
mpls ldp session command on each device, and you can view that the Status field is displayed
as Operational. Take the display on PE1 as an example.
<PE1> display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
-------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
-------------------------------------------------------------------------
4.4.4.4:0 Operational DU Passive 0000:00:01 5/5
-------------------------------------------------------------------------
TOTAL: 1 session(s) Found.

Step 3 Set up MP-IBGP peer relationships between the PEs and ASBR in each AS; set up an MP-IBGP
peer relationship between PE1 and PE3 in AS 100.
# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] peer 3.3.3.3 as-number 100
[~PE1-bgp] peer 3.3.3.3 connect-interface loopback 1
[~PE1-bgp] peer 5.5.5.5 as-number 100
[~PE1-bgp] peer 5.5.5.5 connect-interface loopback 1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 3.3.3.3 enable
[~PE1-bgp-af-vpnv4] peer 5.5.5.5 enable
[~PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit

The configurations of PE2 and PE3 are similar to the configuration of PE1, and are not mentioned
here. For details, see "Configuration Files."
# Configure ASBR1.
[~ASBR1] bgp 100
[~ASBR1-bgp] peer 1.1.1.1 as-number 100
[~ASBR1-bgp] peer 1.1.1.1 connect-interface loopback 1
[~ASBR1-bgp] peer 3.3.3.3 as-number 100
[~ASBR1-bgp] peer 3.3.3.3 connect-interface loopback 1
[~ASBR1-bgp] ipv4-family v