
HUAWEI NetEngine5000E Core Router

V800R002C01

Configuration Guide - VPN

Issue 01
Date 2011-10-15

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://www.huawei.com
Email: support@huawei.com


About This Document

Intended Audience
This document provides the basic concepts, configuration procedures, and configuration
examples in different application scenarios of the VPN feature supported by the NE5000E
device.
This document describes how to configure the Basic Configurations feature.
This document is intended for:
• Data configuration engineers
• Commissioning engineers
• Network monitoring engineers
• System maintenance engineers

Related Versions (Optional)


The following table lists the product versions related to this document.

Product Name                         Version
HUAWEI NetEngine5000E Core Router    V800R002C01

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol Description

Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.

Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.


Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.

Indicates a tip that may help you solve a problem or save time.

Provides additional information to emphasize or supplement important points of the main text.

Command Conventions (Optional)


The command conventions that may be found in this document are defined as follows.

Convention          Description
Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[ ]                 Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>              The parameter before the & sign can be repeated 1 to n times.
#                   A line starting with the # sign is a comment.

Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.

Changes in Issue 01 (2011-10-15)


The initial commercial release.


Contents

About This Document

1 VPN Tunnel Management Configuration
1.1 VPN Tunnel Management Overview
1.2 VPN Tunnel Management Features Supported by the NE5000E
1.3 Configuring Tunnel Interfaces
1.3.1 Creating a Tunnel Interface
1.3.2 Configuring a Tunnel Interface
1.3.3 Checking the Configuration
1.4 Configuring a Tunnel Type Prioritizing Policy for an L3VPN
1.4.1 Configuring a Tunnel Type Prioritizing Policy
1.4.2 Applying a Tunnel Policy to an L3VPN
1.4.3 Checking the Configuration
1.5 Configuring a Tunnel Binding Policy for an L3VPN
1.5.1 Configuring a Tunnel Binding Policy
1.5.2 Applying a Tunnel Policy to an L3VPN
1.5.3 Checking the Configuration
1.6 Maintaining a VPN Tunnel
1.6.1 Monitoring the Running Status of a Tunnel
1.7 Configuration Examples
1.7.1 Example for Configuring a Tunnel Policy for an L3VPN

2 BGP/MPLS IP VPN Configuration
2.1 BGP/MPLS IP VPN Overview
2.2 BGP/MPLS IP VPN Features Supported by the NE5000E
2.3 Configuring a VPN Instance Enabled with the IPv4 Address Family
2.3.1 Creating a VPN Instance
2.3.2 Configuring Attributes for the VPN Instance IPv4 Address Family
2.3.3 (Optional) Limiting the Route Number of the VPN Instance IPv4 Address Family
2.3.4 (Optional) Applying a Tunnel Policy to the VPN instance IPv4 Address Family
2.3.5 (Optional) Configuring MPLS Label Allocation Based on the VPN Instance IPv4 Address Family
2.3.6 Checking the Configuration
2.4 Configuring Basic BGP/MPLS IP VPN
2.4.1 Configuring a VPN Instance


2.4.2 Binding an Interface to a VPN Instance
2.4.3 (Optional) Configuring a Router ID for a BGP VPN Instance IPv4 Address Family
2.4.4 Configuring Route Exchange Between PEs
2.4.5 Configuring Route Exchange Between a PE and a CE
2.4.6 Checking the Configuration
2.5 Configuring Route Reflection to Optimize the VPN Backbone Layer
2.5.1 Configuring a Client PE to Establish an MP-IBGP Peer Relationship with an RR
2.5.2 Configuring an RR to Establish MP-IBGP Peer Relationships with All Client PEs
2.5.3 Configuring Route Reflection for BGP VPNv4 Routes
2.5.4 Checking the Configuration
2.6 Configuring Hub and Spoke
2.6.1 Configuring a VPN Instance
2.6.2 Configuring Routing Attributes for a VPN Instance
2.6.3 Binding an Interface to a VPN Instance
2.6.4 Configuring Route Exchange Between a Hub-PE and a Spoke-PE
2.6.5 Configuring Route Exchange Between a PE and a CE
2.6.6 Checking the Configuration
2.7 Configuring a Tunnel Policy for the Backbone Network of a BGP/MPLS IP VPN
2.7.1 Configuring a Tunnel Policy
2.7.2 Applying a Tunnel Policy to a VPN
2.7.3 Checking the Configuration
2.8 Configuring Inter-AS VPN Option A
2.9 Configuring Inter-AS VPN Option B (Basic Networking)
2.9.1 Configuring MP-IBGP Between a PE and an ASBR in the Same AS
2.9.2 Configuring MP-EBGP Between ASBRs in Different ASs
2.9.3 Controlling the Learning and Advertising of VPN Routes on ASBR
2.9.4 Configuring Route Exchange Between a CE and a PE
2.9.5 Checking the Configuration
2.10 Configuring Inter-AS VPN Option B (ASBR Also Functioning as a PE)
2.10.1 Configuring MP-IBGP Between a PE and an ASBR in the Same AS
2.10.2 Configuring MP-EBGP Between ASBRs in Different ASs
2.10.3 Controlling the Learning and Advertising of VPN Routes on ASBR
2.10.4 Configuring a VPN Instance on an ASBR
2.10.5 Configuring Route Exchange Between a CE and an ASBR
2.10.6 Configuring Route Exchange Between a CE and a PE
2.10.7 Checking the Configuration
2.11 Configuring Inter-AS VPN Option B (ASBR Also Functioning as an RR)
2.11.1 Configuring MP-IBGP Between a PE and an ASBR in the Same AS
2.11.2 Configuring MP-EBGP Between ASBRs in Different ASs
2.11.3 Controlling the Learning and Advertising of VPN Routes on ASBR
2.11.4 Configuring BGP IPv4 VPN Route Reflection on an ASBR
2.11.5 Checking the Configuration


2.12 Configuring Inter-AS VPN Option B (Spanning More Than Two ASs)
2.12.1 Configuring MP-IBGP Between a PE and an ASBR in the Same AS
2.12.2 Configuring MP-EBGP Between ASBRs in Different ASs
2.12.3 Configuring MP-IBGP Between ASBRs in the Same AS
2.12.4 Controlling the Learning and Advertising of VPN Routes on ASBR
2.12.5 Checking the Configuration
2.13 Configuring the Multi-VPN-Instance CE
2.13.1 Configuring OSPF Multi-Instance on the PE
2.13.2 Configuring the OSPF Multi-Instance on the Multi-Instance CE
2.13.3 Disabling Route Loop Detection on the Multi-VPN-Instance CE
2.13.4 Checking the Configuration
2.14 Configuring VPN FRR
2.15 Configuring FRR for IP Routes on a Private Network
2.16 Configuring Hybrid FRR for IP and VPNv4 Routes
2.17 Maintaining BGP/MPLS IP VPN
2.17.1 Monitoring the Running Status of BGP/MPLS IP VPN
2.17.2 Checking the Network Connectivity and Reachability
2.17.3 Clearing BGP Statistics of the VPN Instance IPv4 Address Family
2.17.4 Resetting BGP Connections
2.18 Configuration Examples
2.18.1 Example for Configuring BGP/MPLS IP VPN
2.18.2 Example for Configuring BGP AS Number Substitution
2.18.3 Example for Configuring the BGP SoO
2.18.4 Example for Configuring CE Dual-Homing with EBGP Running Between a PE and a CE
2.18.5 Example for Configuring Double RRs for the Optimization of the VPN Backbone Layer
2.18.6 Example for Configuring an RR for the Optimization of the VPN Access Layer
2.18.7 Example for Configuring Hub and Spoke
2.18.8 Example for Configuring Extranet VPN
2.18.9 Example for Configuring Load Balancing Among Tunnels to Which Remote Cross Routes Are Iterated on a VPN
2.18.10 Example for Configuring Inter-AS VPN Option A
2.18.11 Example for Configuring Inter-AS VPN Option B with Basic Networking
2.18.12 Example for Configuring Inter-AS VPN Option B with an RR in an AS
2.18.13 Example for Configuring Inter-AS VPN Option B with an ASBR Filtering VPN Routes
2.18.14 Example for Configuring Inter-AS VPN Option B with a P Between ASBRs
2.18.15 Example for Configuring Inter-AS VPN Option B with ASBRs Functioning as PEs
2.18.16 Example for Configuring Inter-AS VPN Option B with an ASBR Functioning as an RR
2.18.17 Example for Configuring Inter-AS VPN Option B with the VPN Spanning Multiple ASs
2.18.18 Example for Configuring a Multi-VPN-Instance CE
2.18.19 Example for Configuring VPN FRR with FRR Switchover Being Implemented on a PE
2.18.20 Example for Configuring FRR for IP Routes on a Private Network
2.18.21 Example for Configuring Hybrid FRR for IP and VPNv4 Routes
2.18.22 Example for Configuring BFD for Static VPN Routes


3 BGP/MPLS IPv6 VPN Configuration
3.1 BGP/MPLS IPv6 VPN Overview
3.2 BGP/MPLS IPv6 VPN Functions Supported by the NE5000E
3.3 Configuring an IPv6 Address Family-supporting VPN Instance
3.3.1 Creating a VPN Instance
3.3.2 Configuring Attributes for the VPN Instance IPv6 Address Family
3.3.3 (Optional) Applying a Tunnel Policy to the VPN Instance IPv6 Address Family
3.3.4 (Optional) Configuring MPLS Label Allocation Based on the VPN Instance IPv6 Address Family
3.3.5 Checking the Configuration
3.4 Configuring Basic BGP/MPLS IPv6 VPN
3.4.1 Configuring an IPv6 Address Family-supporting VPN Instance
3.4.2 Binding an Interface to a VPN Instance
3.4.3 Configuring MP-IBGP to Run Between PEs
3.4.4 Configuring Route Exchange Between a PE and a CE
3.4.5 Checking the Configuration
3.5 Configuring Route Reflection for BGP VPNv6 Routes
3.5.1 Configuring a Client PE to Establish an MP-IBGP Connection with the RR
3.5.2 Configuring the RR to Establish MP-IBGP Connections with All Client PEs
3.5.3 Configuring Route Reflection for BGP VPNv6 Routes
3.5.4 Checking the Configuration
3.6 Configuring a Tunnel Policy for the Backbone Network of a BGP/MPLS IPv6 VPN
3.6.1 Configuring a Tunnel Policy
3.6.2 Applying a Tunnel Policy to the IPv6 VPN
3.6.3 Checking the Configuration
3.7 Configuring Inter-AS IPv6 VPN Option A
3.8 Configuring Inter-AS IPv6 VPN Option B
3.8.1 Configuring MP-IBGP Between a PE and an ASBR in the Same AS
3.8.2 Configuring MP-EBGP Between ASBRs in Different ASs
3.8.3 Controlling the Learning and Advertising of VPN Routes on ASBR
3.8.4 Configuring Route Exchange Between a CE and a PE
3.8.5 Checking the Configuration
3.9 Configuring Load Balancing Among IPv6 VPN Routes on the Backbone Network
3.10 Configuring VPNv6 FRR
3.11 Configuring FRR for IPv6 Routes on a Private Network
3.12 Configuring Hybrid FRR for IPv6 and VPNv6 Routes
3.13 Maintaining BGP/MPLS IPv6 VPN
3.13.1 Displaying BGP/MPLS IPv6 VPN Information
3.13.2 Checking the Network Connectivity and Reachability
3.13.3 Checking Route Statistics for a VPN Instance IPv6 Address Family
3.13.4 Clearing BGP Statistics for a VPN Instance IPv6 Address Family
3.13.5 Resetting BGP Connections
3.14 Configuration Examples


3.14.1 Example for Configuring Basic BGP/MPLS IPv6 VPN
3.14.2 Example for Configuring BGP4+ AS Number Substitution
3.14.3 Example for Configuring Load Balancing Among IPv6 VPN Routes
3.14.4 Example for Configuring Load Balancing Among Tunnels to Which Remote Cross Routes Are Iterated on an IPv6 VPN
3.14.5 Example for Configuring Inter-AS IPv6 VPN Option A
3.14.6 Example for Configuring Inter-AS IPv6 VPN Option B
3.14.7 Example for Configuring VPNv6 FRR
3.14.8 Example for Configuring FRR for IPv6 Routes on a Private Network
3.14.9 Example for Configuring Hybrid FRR for IPv6 and VPNv6 Routes
3.14.10 Example for Configuring an RR in an IPv6 VPN


1 VPN Tunnel Management Configuration

About This Chapter

VPN tunnel management involves the creation, management, and maintenance of VPN tunnels.

1.1 VPN Tunnel Management Overview


VPN tunnel management overview covers the introduction to common VPN tunnels, including
LSPs and TE tunnels, and tunnel configuration management.
1.2 VPN Tunnel Management Features Supported by the NE5000E
The main feature involved in VPN tunnel management is the tunnel policy, including the tunnel
type prioritizing policy and tunnel binding policy.
1.3 Configuring Tunnel Interfaces
Tunnel interfaces are point-to-point virtual interfaces that are used for encapsulating packets.
Similar to loopback interfaces, tunnel interfaces are logical interfaces.
1.4 Configuring a Tunnel Type Prioritizing Policy for an L3VPN
If load balancing or other types of tunnels are required, you need to configure a tunnel type
prioritizing policy and apply this tunnel policy.
1.5 Configuring a Tunnel Binding Policy for an L3VPN
L3VPN tunnel binding refers to the binding between a TE tunnel and a specified L3VPN.
Through the binding, VPN services can be exclusively transmitted over the bound tunnel.
1.6 Maintaining a VPN Tunnel
Maintaining a VPN tunnel involves monitoring the running status of the VPN tunnel and
debugging the VPN tunnel.
1.7 Configuration Examples
This section provides examples for applying a tunnel policy to an L3VPN.


1.1 VPN Tunnel Management Overview


VPN tunnel management overview covers the introduction to common VPN tunnels, including
LSPs and TE tunnels, and tunnel configuration management.
In Virtual Private Networks (VPNs), tunnel technology is used to set up dedicated transmission
channels, namely tunnels, on the backbone network. Packets can then be transmitted
transparently through the tunnels.

Common VPN Tunnels


The common VPN tunnels are as follows:
• LSP
  Label Switched Paths (LSPs) are used as tunnels for VPN data forwarding over the
  Multiprotocol Label Switching (MPLS) VPN public network. In this mode, only the PE, rather
  than each device that a VPN packet passes through, needs to analyze IP packet headers. This
  shortens the time needed to process VPN packets and reduces the packet transmission delay.
  In addition, MPLS labels are supported by any link-layer protocol. An LSP is similar to an
  Asynchronous Transfer Mode (ATM) virtual circuit (VC) or a Frame Relay (FR) VC in
  function and security.
• MPLS TE
  Generally, carriers are required to provide VPN users with end-to-end Quality of Service
  (QoS) for various services, such as the voice service, video service, mission-critical service,
  and common online service. MPLS Traffic Engineering (TE) tunnels can optimize network
  resources and offer users QoS-guaranteed services.

Tunnel Configuration Management


The setup and management of tunnels vary with the tunnel type. For example, MPLS TE tunnels
(CR-LSP tunnels) are set up and managed through tunnel interfaces, whereas Label Distribution
Protocol (LDP) LSP tunnels are set up automatically as long as the corresponding protocols are
configured.
This section describes the configurations of tunnel interfaces and general tunnel management.
• Tunnel interface configuration: You can specify different tunnel types on different tunnel
  interfaces. Configurations of tunnels vary with the tunnel type.
• Tunnel management: This function notifies applications that use a tunnel of the tunnel
  status and provides tunnel query policies for tunnel selection. The most commonly used
  function is setting tunnel policies.

1.2 VPN Tunnel Management Features Supported by the NE5000E

The main feature involved in VPN tunnel management is the tunnel policy, including the tunnel
type prioritizing policy and tunnel binding policy.
An application such as a VPN selects tunnels according to tunnel policies. If no tunnel policy is
created, the tunnel management module searches for the tunnel according to a default policy.


Tunnel Type Prioritizing Policy


When creating a tunnel type prioritizing policy, you can specify the sequence in which each type
of tunnel is selected and the number of tunnels participating in load balancing.
The rules for tunnel selection based on the tunnel type prioritizing policy are as follows: The
tunnel type specified first is selected as long as a tunnel of this type is Up, regardless of
whether it is already used by other services. A tunnel type specified later is generally not
selected unless load balancing is required or all tunnels of the preceding types are Down. For
example, a tunnel policy defines that both LSPs and CR-LSPs can be used for the same
destination and that LSPs take priority over CR-LSPs. If no LSP exists, the VPN chooses the
CR-LSP. After an LSP is set up, the VPN selects the LSP and no longer uses the CR-LSP.
If there are multiple eligible tunnels of the same type, the tunnel policy randomly chooses one
or more of them.
If the tunnel policy defines that both CR-LSPs and LSPs can be used, that CR-LSPs take priority
over LSPs, and that the number of tunnels participating in load balancing is three, tunnels are
selected based on the following rules:
• CR-LSPs are preferred as long as they are Up. If fewer than three CR-LSPs are Up (either
because there are not enough CR-LSPs or because some of them are Down), the CR-LSPs that
are Up are selected first and LSPs in the Up state are also selected.
• If one of the three selected tunnels is an LSP, and a new CR-LSP is set up or a CR-LSP in
the Down state becomes Up, the CR-LSP is selected and the LSP is no longer used.
• If the number of tunnels currently used for load balancing is smaller than the configured
number and a CR-LSP or an LSP in the Up state is added, the newly added tunnel participates
in load balancing.
• The number of tunnels actually used for load balancing depends on the number of eligible
tunnels. For example, if only one CR-LSP and one LSP are Up, load balancing is performed
between these two tunnels. Tunnels of other types are not selected even if they are Up.
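
The selection rules above, modelled as an added example (not Huawei's implementation and not code from this guide). The names `Tunnel`, `select_tunnels` and `walk_through` are hypothetical; tunnels flagged reserved-for-binding are skipped because section 1.5.1 states that a select-sequence policy cannot use them.

```python
import random
from typing import NamedTuple

# Default policy as described in section 1.4: LSPs first, then CR-LSPs, and no
# load balancing. Local_IfNet, the last default type, is left out of this model.
DEFAULT_SELECT_SEQ = ("lsp", "cr-lsp")
DEFAULT_LOAD_BALANCE_NUMBER = 1


class Tunnel(NamedTuple):
    name: str
    kind: str                           # "cr-lsp" or "lsp", as in tunnel select-seq
    up: bool = True
    reserved_for_binding: bool = False  # mpls te reserved-for-binding is configured


def select_tunnels(tunnels, select_seq=DEFAULT_SELECT_SEQ,
                   load_balance_number=DEFAULT_LOAD_BALANCE_NUMBER, rng=None):
    """Return the tunnels a tunnel type prioritizing policy would use."""
    rng = rng or random.Random()
    chosen = []
    for kind in select_seq:             # earlier types always win
        room = load_balance_number - len(chosen)
        if room <= 0:
            break
        eligible = [t for t in tunnels
                    if t.kind == kind and t.up and not t.reserved_for_binding]
        # Several eligible tunnels of one type: the choice among them is random.
        chosen.extend(rng.sample(eligible, min(room, len(eligible))))
    return chosen


def kinds(selection):
    """Sorted tunnel types of a selection, so results compare deterministically."""
    return sorted(t.kind for t in selection)


def walk_through():
    """Replay the cases from the rules above: CR-LSP before LSP, three tunnels."""
    seq, number = ("cr-lsp", "lsp"), 3
    te1 = Tunnel("Tunnel1", "cr-lsp")
    te2 = Tunnel("Tunnel2", "cr-lsp")
    te2_bound = Tunnel("Tunnel2", "cr-lsp", reserved_for_binding=True)
    te3_down = Tunnel("Tunnel3", "cr-lsp", up=False)
    te3_up = Tunnel("Tunnel3", "cr-lsp")
    ldp = Tunnel("LDP LSP", "lsp")
    return {
        # Only two CR-LSPs are Up, so an LSP fills the third slot.
        "two_te_up": kinds(select_tunnels([te1, te2, te3_down, ldp], seq, number)),
        # The third CR-LSP comes Up and the LSP is no longer used.
        "third_te_recovers": kinds(select_tunnels([te1, te2, te3_up, ldp], seq, number)),
        # Fewer eligible tunnels than the configured number.
        "only_two_eligible": kinds(select_tunnels([te1, ldp], seq, number)),
        # A tunnel reserved for binding is invisible to select-seq policies.
        "reserved_excluded": kinds(select_tunnels([te1, te2_bound, ldp], seq, number)),
        # No policy configured: one LSP, no load balancing.
        "default_policy": kinds(select_tunnels([te1, ldp])),
    }


if __name__ == "__main__":
    for case, result in walk_through().items():
        print(f"{case:18} -> {result}")
```
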

Tunnel Binding Policy


In tunnel binding, you can bind one or multiple TE tunnels for one destination address. In
addition, you can configure the down-switch attribute. In this manner, other types of tunnels are
selected when the specified tunnels are unavailable, thereby ensuring non-stop VPN services.

1.3 Configuring Tunnel Interfaces


Tunnel interfaces are point-to-point virtual interfaces that are used for encapsulating packets.
Similar to loopback interfaces, tunnel interfaces are logical interfaces.

Applicable Environment
Tunnels such as MPLS TE tunnels and IPv6 over IPv4 tunnels all use virtual interfaces, namely
tunnel interfaces, to forward packets. Before setting up these types of tunnels, you need to
create tunnel interfaces.
Tunnel interfaces can be configured with different encapsulation modes as required, for example,
mpls te and ipv6-ipv4.


Pre-configuration Tasks
Before configuring a tunnel interface, complete the following tasks:
• Connecting interfaces correctly and configuring physical parameters for the interfaces to
ensure that the physical layer statuses of these interfaces are Up
• Configuring parameters of the link layer protocol and IP addresses for the interfaces to
ensure that the link layer protocol on the interfaces is Up

Configuration Procedures

Figure 1-1 Flowchart for configuring a tunnel interface
[Flowchart steps: Create a tunnel interface; Configure a tunnel interface]

1.3.1 Creating a Tunnel Interface


The TE tunnels are set up and managed through tunnel interfaces.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface tunnel interface-number

A tunnel interface is created.


Step 3 (Optional) Run:
description text

The tunnel description information is configured.

----End

1.3.2 Configuring a Tunnel Interface


Configurations about tunnel interfaces vary with the tunnel type. You can only run related
commands after a tunnel interface is configured with a tunnel encapsulation type.

Procedure
• For detailed TE tunnel interface configuration, refer to Configuring the MPLS TE Tunnel
Interface in the NE5000E Configuration Guide - MPLS.
• For detailed IPv6 over IPv4 tunnel interface configuration, refer to IPv6 over IPv4 Tunnel
Configuration in the NE5000E Configuration Guide - IP Service.
----End

1.3.3 Checking the Configuration


After a tunnel interface is configured, you can view details about the tunnel interface and the
specified tunnel.

Prerequisite
All configurations of the functions of the tunnel interface are completed.

Procedure
• Run the display tunnel-info all command to check information about all tunnels.
• Run the display tunnel-info tunnel-id command to check details about the specified tunnel.
----End

Example
Run the display tunnel-info command, and you can view the tunnel ID of the specified tunnel
and other configurations.
<HUAWEI> display tunnel-info all
Tunnel ID Type Destination Status
-----------------------------------------------------------------------------
0x0000000001004c4b81 ldp 2.2.2.2 UP
0x000000000300000001 te 2.2.2.2 UP

Run the display tunnel-info tunnel-id command, and you can view details about the tunnel.
<HUAWEI> display tunnel-info 000000000300000001
Tunnel ID: 0x000000000300000001
Type: te
Name: Tunnel2
Destination: 2.2.2.2
Instance ID: 0
Cost: 4294967295
Status: UP

1.4 Configuring a Tunnel Type Prioritizing Policy for an L3VPN

If load balancing or other types of tunnels are required, you need to configure a tunnel type
prioritizing policy and apply this tunnel policy.

Applicable Environment
By default, the system selects a tunnel for a VPN based on the default policy: tunnels are
selected in the order of LSPs, CR-LSPs, and Local_IfNet, and load balancing is not performed.
If load balancing or other types of tunnels are required, you need to configure a tunnel policy
and apply the tunnel policy.
For L3VPNs, a tunnel policy needs to be bound to a VPN instance.


Pre-configuration Tasks
Before configuring a tunnel policy, complete the following tasks:
• Connecting interfaces correctly and configuring physical parameters for the interfaces to
ensure that the physical layer statuses of these interfaces are Up
• Configuring parameters of the link layer protocol and IP addresses for the interfaces to
ensure that the link layer protocol on the interfaces is Up
• Setting up a tunnel (LSP or TE tunnel) to be used by the VPN instance
• Configuring VPN instances on PEs

Configuration Procedures

Figure 1-2 Flowchart for configuring a tunnel type prioritizing policy for an L3VPN
[Flowchart steps: Configure a tunnel type prioritizing policy; Apply a tunnel policy to an L3VPN]

1.4.1 Configuring a Tunnel Type Prioritizing Policy


When creating a tunnel type prioritizing policy, you can specify the sequence in which each type
of tunnel is selected and the number of tunnels participating in load balancing.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
tunnel-policy policy-name

A tunnel policy is created and the tunnel policy view is displayed.


A tunnel policy can specify only one tunnel selection method. If multiple tunnel selection
methods are required, you need to create multiple tunnel policies.
A VPN instance can be associated with only one tunnel policy and multiple VPN instances can
share one tunnel policy.
Step 3 Run:
tunnel select-seq { cr-lsp | lsp }* load-balance-number load-balance-number

The sequence in which each type of tunnel is selected and the number of tunnels participating
in load balancing are set.


For L3VPNs, if no tunnel policies are configured, LSP is used as the VPN tunnel, and no load
balancing is carried out.

Step 4 Run:
commit

The configuration is committed.

----End

1.4.2 Applying a Tunnel Policy to an L3VPN


A tunnel policy needs to be applied to the VPN instance IPv4 address family or IPv6 address
family for specifying the sequence in which each type of tunnel is selected and the number of
tunnels participating in load balancing.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.

Step 3 Run:
ipv4-family or ipv6-family

The VPN instance IPv4 address family view or IPv6 address family view is displayed.

Step 4 Run:
tnl-policy policy-name

A tunnel policy is applied to the VPN instance IPv4 address family or IPv6 address family.

Step 5 Run:
commit

The configuration is committed.

----End

1.4.3 Checking the Configuration


After a tunnel type prioritizing policy is configured for an L3VPN, you can view the
configuration of the tunnel policy and information about the tunnels and tunnel policy that are
used by VPN routing.

Prerequisite
All configurations about a tunnel type prioritizing policy are complete and the tunnel policy is
applied to an L3VPN instance.


Procedure
• Run the display tunnel-info { all | statistics | tunnel-id } command to check information
about existing tunnels of the system.
• Run the display tunnel-policy [ policy-name ] command to check the configuration about
the specified tunnel policy.
• Run the display ip vpn-instance verbose [ vpn-instance-name ] command to check the
tunnel policy applied to the specified VPN instance.
• Run the display ip routing-table vpn-instance vpn-instance-name [ ip-address ]
verbose or the display ipv6 routing-table vpn-instance vpn-instance-name
[ ipv6-address ] verbose command to check the tunnel used by VPN routing.
----End

Example
Run the display tunnel-info all command, and you can view information and status of existing
tunnels of the system.
<HUAWEI> display tunnel-info all
Tunnel ID Type Destination Status
-----------------------------------------------------------------------------
0x0000000001004c4b81 ldp 2.2.2.9 UP
0x000000000300000001 te 2.2.2.9 UP
0x000000000300000002 te 2.2.2.9 UP

Run the display tunnel-policy command, and you can view the configuration about the tunnel
policy. For example:
<HUAWEI> display tunnel-policy policy2
Tunnel Policy Name       Select-Seq       Load balance No
---------------------------------------------------------------------
policy2                  CR-LSP LSP       3

Run the display ip vpn-instance verbose command, and you can view the tunnel policy applied
to the specified VPN instance. For example, from the following output, you can view that the
tunnel policy applied to the VPN instance vpnb is policy2.
<HUAWEI> display ip vpn-instance verbose vpnb

VPN-Instance Name and ID : vpnb, 1


Interfaces : GigaEthernet1/0/0
Address family ipv4
Create date : 2009/11/04 17:47:21
Up time : 0 days, 01 hours, 58 minutes and 12 seconds
Route Distinguisher : 11:11
Export VPN Targets : 22:22
Import VPN Targets : 22:22
Label Policy : label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe
Tunnel Policy : policy2

Run the display ip routing-table vpn-instance vpn-instance-name [ ip-address ] verbose
command, and you can view the tunnel used by VPN routing. For example:
<HUAWEI> display ip routing-table vpn-instance vpnb 6.6.6.6 verbose
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpnb
Summary Count : 1

Destination: 6.6.6.6/32
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 2.2.2.2 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h59m36s
Tag: 0 Priority: low
Label: 0x15 QoSInfo: 0x0
IndirectID: 0xb8
RelayNextHop: 0.0.0.0 Interface: Tunnel1
TunnelID: 0x000000000300000001 Flags: RD
RelayNextHop: 0.0.0.0 Interface: LDP LSP
TunnelID: 0x0000000001004c4b81 Flags: RD

1.5 Configuring a Tunnel Binding Policy for an L3VPN


L3VPN tunnel binding refers to the binding between a TE tunnel and a specified L3VPN.
Through the binding, VPN services can be exclusively transmitted over the bound tunnel.

Applicable Environment
For VPN service deployment, VPN tunnel binding is required in the following conditions:
• VPN services need to be transmitted over a specified TE tunnel.
• VPN services require guaranteed bandwidth.

Pre-configuration Tasks
Before configuring VPN tunnel binding, complete the following tasks:
• Configuring parameters of the link layer protocol and IP addresses for the interfaces to
ensure that the link layer protocol on the interfaces is Up
• Configuring static routes or enabling an IGP to ensure that the routes between nodes are
reachable
• Configuring basic MPLS functions and enabling MPLS TE
• Setting up an MPLS TE tunnel between PEs
• Configuring VPN instances on PEs

Configuration Procedures

Figure 1-3 Flowchart for configuring a tunnel binding policy for an L3VPN
[Flowchart steps: Configure a tunnel binding policy; Apply a tunnel policy to an L3VPN]

Related Tasks
1.7.1 Example for Configuring a Tunnel Policy for an L3VPN


1.5.1 Configuring a Tunnel Binding Policy


You can create a tunnel binding policy and bind a destination address to a TE tunnel in the policy.

Procedure
• Enable tunnel binding.
1. Run:
system-view

The system view is displayed.


2. Run:
interface tunnel interface-number

The tunnel interface view of the MPLS TE is displayed.


3. Run:
mpls te reserved-for-binding

The VPN binding for the tunnel is enabled.


The tunnel policy in select-sequence mode cannot use the tunnel enabled with the
VPN binding.
4. Run:
commit

The configuration is committed.


• Configure a tunnel policy.
1. Run:
system-view

The system view is displayed.


2. Run:
tunnel-policy policy-name

A tunnel policy is created.


3. Run:
tunnel binding destination dest-ip-address te tunnel interface-number
[ down-switch ]

The destination is bound to the tunnel policy. Then, VPN data from the local device
to the destination address is transmitted over the bound tunnel.

NOTE

• If the tunnel select-seq command is configured in the tunnel policy, you cannot configure
the tunnel binding command for this policy.
• The same destination IP address on a PE can be bound to multiple tunnels to implement
load balancing.
• When the PE has multiple peers, you can configure different tunnel binding commands
for the multiple destination addresses in one tunnel policy.
4. Run:
commit

The configuration is committed.


----End


1.5.2 Applying a Tunnel Policy to an L3VPN


After a tunnel binding policy is applied to an L3VPN, VPN data bound for an IP address is
transmitted along the bound tunnel.

Context
Do as follows on the PE devices at both ends of a tunnel. For different VPN services on one PE
for the same destination, the same tunnel policy can be used.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.

Step 3 Run:
ipv4-family or ipv6-family

The VPN instance IPv4 address family or IPv6 address family view is displayed.

Step 4 Run:
tnl-policy policy-name

A tunnel policy is applied to the VPN instance IPv4 address family or IPv6 address family.

Step 5 Run:
commit

The configuration is committed.

----End

1.5.3 Checking the Configuration


After L3VPN tunnel binding is configured, you can view information about the tunnel binding
policy and the interface of the bound tunnel.

Prerequisite
All configurations about a tunnel binding policy are complete and the tunnel policy is applied
to an L3VPN instance.

Procedure
• Run the display tunnel-info { all | statistics | tunnel-id } command to check information
about existing tunnels of the system.
• Run the display tunnel-policy policy-name command to check the configuration about the
specified tunnel binding policy.
• Run the display ip vpn-instance verbose [ vpn-instance-name ] command to check the
tunnel policy applied to the specified VPN instance.
• Run the display ip routing-table vpn-instance vpn-instance-name [ ip-address ]
verbose or the display ipv6 routing-table vpn-instance vpn-instance-name
[ ipv6-address ] verbose command to check the tunnel used by VPN routing.
----End

Example
Run the display tunnel-info all command, and you can view information and status of existing
tunnels of the system.
<HUAWEI> display tunnel-info all
Tunnel ID Type Destination Status
-----------------------------------------------------------------------------
0x0000000001004c4b81 ldp 2.2.2.9 UP
0x000000000300000001 te 2.2.2.9 UP
0x000000000300000002 te 2.2.2.9 UP

Run the display tunnel-policy command, and you can view the destination address and tunnel
interface defined in the tunnel binding policy.
<HUAWEI> display tunnel-policy policy2
Tunnel Policy Name       Select-Seq       Load balance No
---------------------------------------------------------------------
The number of binding:1
Tunnel Policy Name       Destination      Tunnel Intf      Down Switch
-----------------------------------------------------------------------------
policy2                  1.1.1.1          Tunnel2          Disable

Run the display ip vpn-instance verbose command, and you can view the tunnel policy applied
to the VPN instance. For example, from the following output, you can view that the tunnel policy
applied to the VPN instance vpna is policy1.
<HUAWEI> display ip vpn-instance verbose
Total VPN-Instances configured : 1

VPN-Instance Name and ID : vpna, 1


Interfaces : GigaEthernet3/0/2
Address family ipv4
Create date : 2009/11/04 17:47:21
Up time : 0 days, 01 hours, 58 minutes and 12 seconds
Route Distinguisher : 11:11
Export VPN Targets : 22:22
Import VPN Targets : 22:22
Label Policy : label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe
Tunnel Policy : policy2
Maximum Routes Limit : 100

Run the display ip routing-table vpn-instance vpn-instance-name [ ip-address ] verbose
command, and you can view the tunnel used by VPN routing. For example:
<HUAWEI> display ip routing-table vpn-instance vpna 5.5.5.5 verbose
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpna
Summary Count : 1

Destination: 5.5.5.5/32
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 2.2.2.2 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 01h09m09s
Tag: 0 Priority: low
Label: 0x13 QoSInfo: 0x0
IndirectID: 0xb9
RelayNextHop: 0.0.0.0 Interface: Tunnel2
TunnelID: 0x000000000300000002 Flags: RD
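
The check above can be automated when a binding must be verified on many PEs. The following added example (not part of the original guide, and not a Huawei tool) parses the two command outputs shown in this section and reports any VPN route that resolves over a tunnel other than the bound one; the function names are hypothetical, and the sample text is abridged from the example outputs in sections 1.4.3 and 1.5.3.

```python
import re

# Sample outputs abridged from this guide's "Checking the Configuration" examples.
TUNNEL_INFO = """\
Tunnel ID Type Destination Status
-----------------------------------------------------------------------------
0x0000000001004c4b81 ldp 2.2.2.9 UP
0x000000000300000001 te 2.2.2.9 UP
0x000000000300000002 te 2.2.2.9 UP
"""

VPNA_ROUTE = """\
Destination: 5.5.5.5/32
NextHop: 2.2.2.2 Neighbour: 0.0.0.0
RelayNextHop: 0.0.0.0 Interface: Tunnel2
TunnelID: 0x000000000300000002 Flags: RD
"""

# vpnb load-balances over Tunnel1 and the LDP LSP; reused here as the shape a
# route takes when it is NOT confined to one bound tunnel.
VPNB_ROUTE = """\
Destination: 6.6.6.6/32
NextHop: 2.2.2.2 Neighbour: 0.0.0.0
RelayNextHop: 0.0.0.0 Interface: Tunnel1
TunnelID: 0x000000000300000001 Flags: RD
RelayNextHop: 0.0.0.0 Interface: LDP LSP
TunnelID: 0x0000000001004c4b81 Flags: RD
"""

TUNNEL_ROW = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_tunnel_info(text):
    """Map tunnel ID -> (type, destination, status) from 'display tunnel-info all'."""
    table = {}
    for line in text.splitlines():
        m = TUNNEL_ROW.match(line)
        if m:
            table[m.group(1).lower()] = (m.group(2), m.group(3), m.group(4).upper())
    return table


def parse_route_tunnels(text):
    """Map destination -> [(interface, tunnel ID), ...] from the verbose route output."""
    routes, dest, iface = {}, None, None
    for line in text.splitlines():
        m = re.search(r"Destination:\s*(\S+)", line)
        if m:
            dest, iface = m.group(1), None
            routes[dest] = []
            continue
        m = re.search(r"Interface:\s*(.+?)\s*$", line)  # names may contain spaces
        if m:
            iface = m.group(1)
            continue
        m = re.search(r"TunnelID:\s*(0x[0-9a-fA-F]+)", line)
        if m and dest is not None:
            routes[dest].append((iface, m.group(1).lower()))
            iface = None
    return routes


def binding_violations(route_text, tunnel_info_text, bound_interface):
    """List every way a VPN route deviates from 'only the bound TE tunnel, and Up'."""
    tunnels = parse_tunnel_info(tunnel_info_text)
    problems = []
    for dest, hops in parse_route_tunnels(route_text).items():
        if not hops:
            problems.append(f"{dest}: no tunnel resolved")
        for iface, tid in hops:
            kind, _, status = tunnels.get(tid, ("unknown", None, "UNKNOWN"))
            if iface != bound_interface:
                problems.append(f"{dest}: uses {iface} ({kind}, {tid}), not {bound_interface}")
            elif kind != "te" or status != "UP":
                problems.append(f"{dest}: {iface} is {kind}/{status}, expected te/UP")
    return problems


if __name__ == "__main__":
    print(binding_violations(VPNA_ROUTE, TUNNEL_INFO, "Tunnel2"))
    print(binding_violations(VPNB_ROUTE, TUNNEL_INFO, "Tunnel2"))
```
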

1.6 Maintaining a VPN Tunnel


Maintaining a VPN tunnel involves monitoring the running status of the VPN tunnel and
debugging the VPN tunnel.

1.6.1 Monitoring the Running Status of a Tunnel


To check whether a VPN tunnel is set up and to view the configuration of an established tunnel,
you can monitor the running status of the VPN tunnel.

Context
In routine maintenance, you can run the following commands in any view to check the running
status of tunnels.

Procedure
• Run the display interface tunnel interface-number command to check information about
a tunnel interface.
• Run the display tunnel-info all command to view tunnel information.
• Run the display tunnel-info tunnel-id command to check details about a tunnel.
• Run the display tunnel-policy policy-name command to view the configuration about the
specified tunnel policy.
• Run the display ip vpn-instance verbose [ vpn-instance-name ] command to view the
tunnel policy applied to the specified VPN instance.
• Run the display ip routing-table vpn-instance vpn-instance-name [ ip-address ] verbose
command or the display ipv6 routing-table vpn-instance vpn-instance-name
[ ipv6-address ] verbose command to view the tunnel used by VPN routing.

----End

1.7 Configuration Examples


This section provides examples for applying a tunnel policy to an L3VPN.

1.7.1 Example for Configuring a Tunnel Policy for an L3VPN


To fully use tunnel resources, you can apply different tunnel policies to load balance the traffic
of different VPNs among different tunnels.


Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. In a cluster, an interface is numbered in the format of chassis ID/slot number/
card number/interface number. This requires the chassis ID to be specified along with the slot
number.

Figure 1-4 shows an MPLS L3VPN. CE1 and CE3 belong to vpna; CE2 and CE4 belong to
vpnb. Two MPLS TE tunnels and one LSP are set up between PE1 and PE2. One of the TE
tunnels is 5 Mbit/s, and the other is 10 Mbit/s. CEs in vpna require 10 Mbit/s bandwidth for
communication. Therefore, you need to bind the eligible tunnel to vpna to ensure bandwidth of
vpna. To make full use of tunnel resources, vpnb uses load balancing for tunnels and prefers the
TE tunnel.

Figure 1-4 Networking diagram for configuring a tunnel policy for an L3VPN
[Diagram: CE1 and CE2 attach to PE1, and CE3 and CE4 attach to PE2. PE1 and PE2 are
connected by MPLS TE tunnel 1, MPLS TE tunnel 2 (binding), and an LSP.]

Device   Interface   IP address      VPN
CE1      Loopback1   3.3.3.3/32      vpna
CE1      POS1/0/0    10.1.1.1/30     vpna
CE2      Loopback1   4.4.4.4/32      vpnb
CE2      POS1/0/0    10.2.1.1/30     vpnb
PE1      Loopback1   1.1.1.1/32      -
PE1      POS1/0/0    100.1.1.1/30    -
PE1      POS2/0/0    10.1.1.2/30     vpna
PE1      POS2/0/1    10.2.1.2/30     vpnb
PE2      Loopback1   2.2.2.2/32      -
PE2      POS1/0/0    100.1.1.2/30    -
PE2      POS2/0/0    10.3.1.2/30     vpna
PE2      POS2/0/1    10.4.1.2/30     vpnb
CE3      Loopback1   5.5.5.5/32      vpna
CE3      POS1/0/0    10.3.1.1/30     vpna
CE4      Loopback1   6.6.6.6/32      vpnb
CE4      POS1/0/0    10.4.1.1/30     vpnb

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a routing protocol to ensure that PEs can communicate.
2. Configure basic MPLS functions on the router in the backbone network and set up an LSP
and two MPLS TE tunnels between PEs.
3. Configure VPN instances on PEs and connect CEs to PEs.
4. Configure tunnel policies and apply the policies to different VPN instances.
5. Configure the Multi-protocol Extensions for Interior Border Gateway Protocol (MP-IBGP)
on PEs to exchange VPN routing information.

Data Preparation
To complete the configuration, you need the following data.
• MPLS LSR IDs of PEs
• Names of VPN instances, RDs, and VPN targets
• Names of two tunnel policies

Procedure
Step 1 Configure an IGP on the MPLS backbone network so that PEs can communicate.
# Configure PE1.
<HUAWEI> system-view
[~HUAWEI] sysname PE1
[~HUAWEI] commit
[~PE1] interface loopback 1
[~PE1-LoopBack1] ip address 1.1.1.1 32
[~PE1-LoopBack1] quit
[~PE1] interface pos1/0/0
[~PE1-Pos1/0/0] ip address 100.1.1.1 30
[~PE1-Pos1/0/0] undo shutdown
[~PE1-Pos1/0/0] quit
[~PE1] ospf 1
[~PE1-ospf-1] area 0
[~PE1-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.3
[~PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[~PE1-ospf-1-area-0.0.0.0] quit
[~PE1-ospf-1] quit
[~PE1] commit

# Configure PE2.
<HUAWEI> system-view
[~HUAWEI] sysname PE2
[~HUAWEI] commit
[~PE2] interface loopback 1
[~PE2-LoopBack1] ip address 2.2.2.2 32
[~PE2-LoopBack1] quit
[~PE2] interface pos 1/0/0
[~PE2-Pos1/0/0] ip address 100.1.1.2 30
[~PE2-Pos1/0/0] undo shutdown
[~PE2-Pos1/0/0] quit
[~PE2] ospf 1
[~PE2-ospf-1] area 0
[~PE2-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.3
[~PE2-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[~PE2-ospf-1-area-0.0.0.0] commit
[~PE2-ospf-1-area-0.0.0.0] quit
[~PE2-ospf-1] quit

# After the configuration, run the display ip routing-table command on PEs, and you can view
that PEs learn the routes to the Loopback1 interfaces from each other.
# Take the display on PE1 as an example.
[~PE1] display ip routing-table
Route Flags: R - relay, D - download to forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 6 Routes : 6
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.1/32 Direct 0 0 D 127.0.0.1 LoopBack1
2.2.2.2/32 OSPF 10 1 D 100.1.1.2 Pos1/0/0
100.1.1.0/30 Direct 0 0 D 172.1.1.1 Pos1/0/0
100.1.1.2/32 Direct 0 0 D 172.1.1.2 Pos1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Step 2 Configure basic MPLS capabilities on the MPLS backbone network and set up the Label
Distribution Protocol (LDP) LSP between PEs.

# Configure PE1.
[~PE1] mpls lsr-id 1.1.1.1
[~PE1] mpls
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] quit
[~PE1] interface pos 1/0/0
[~PE1-Pos1/0/0] mpls
[~PE1-Pos1/0/0] mpls ldp
[~PE1-Pos1/0/0] commit
[~PE1-Pos1/0/0] quit

# Configure PE2.
[~PE2] mpls lsr-id 2.2.2.2
[~PE2] mpls
[~PE2-mpls] quit
[~PE2] mpls ldp
[~PE2-mpls-ldp] quit
[~PE2] interface pos 1/0/0
[~PE2-Pos1/0/0] mpls
[~PE2-Pos1/0/0] mpls ldp
[~PE2-Pos1/0/0] commit
[~PE2-Pos1/0/0] quit

After the configuration, run the display tunnel-info all command, and you can find that the
LSPs between PE1 and PE2 are set up. Run the display mpls ldp lsp command, and you can view
information about the LSPs.

# Take PE1 as an example.


[~PE1] display tunnel-info all
Tunnel ID Type Destination Status
-----------------------------------------------------------------------------
0x0000000001004c4b81 ldp 2.2.2.2 UP
<PE1> display mpls ldp lsp
LDP LSP Information
-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
*1.1.1.1/32 Liberal/16 DS/2.2.2.2
1.1.1.1/32 3/NULL 2.2.2.2 127.0.0.1 Loop1
2.2.2.2/32 NULL/3 - 100.1.1.2 Pos1/0/0
2.2.2.2/32 16/3 2.2.2.2 100.1.1.2 Pos1/0/0
-------------------------------------------------------------------------------
TOTAL: 3 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is in GR state
A '*' before a NextHop means the LSP is FRR LSP

Step 3 Set up MPLS TE tunnels between PEs.


# Configure the maximum link bandwidth and reservable bandwidth for the TE tunnels.
# Configure PE1.
[~PE1] mpls
[~PE1-mpls] mpls te
[~PE1-mpls] mpls rsvp-te
[~PE1-mpls] mpls te cspf
[~PE1-mpls] quit
[~PE1] interface pos1/0/0
[~PE1-Pos1/0/0] mpls te
[~PE1-Pos1/0/0] mpls rsvp-te
[~PE1-Pos1/0/0] mpls te bandwidth max-reservable-bandwidth 20000
[~PE1-Pos1/0/0] mpls te bandwidth bc0 15000
[~PE1-Pos1/0/0] commit
[~PE1-Pos1/0/0] quit

# Configure PE2.
[~PE2] mpls
[~PE2-mpls] mpls te
[~PE2-mpls] mpls rsvp-te
[~PE2-mpls] mpls te cspf
[~PE2-mpls] quit
[~PE2] interface pos1/0/0
[~PE2-Pos1/0/0] mpls te
[~PE2-Pos1/0/0] mpls rsvp-te
[~PE2-Pos1/0/0] mpls te bandwidth max-reservable-bandwidth 20000
[~PE2-Pos1/0/0] mpls te bandwidth bc0 15000
[~PE2-Pos1/0/0] commit
[~PE2-Pos1/0/0] quit

# Enable OSPF on the devices along the TE tunnels to transmit the TE attributes.
# Configure PE1.
[~PE1] ospf 1
[~PE1-ospf-1] opaque-capability enable
[~PE1-ospf-1] area 0
[~PE1-ospf-1-area-0.0.0.0] mpls-te enable
[~PE1-ospf-1-area-0.0.0.0] commit
[~PE1-ospf-1-area-0.0.0.0] quit
[~PE1-ospf-1] quit

# Configure PE2.
[~PE2] ospf 1
[~PE2-ospf-1] opaque-capability enable
[~PE2-ospf-1] area 0
[~PE2-ospf-1-area-0.0.0.0] mpls-te enable
[~PE2-ospf-1-area-0.0.0.0] commit
[~PE2-ospf-1-area-0.0.0.0] quit
[~PE2-ospf-1] quit

# Set up a 5 Mbit/s MPLS TE tunnel.


# Configure PE1.
[~PE1] interface tunnel 1
[~PE1-Tunnel1] ip address unnumbered interface loopback1
[~PE1-Tunnel1] tunnel-protocol mpls te
[~PE1-Tunnel1] destination 2.2.2.2
[~PE1-Tunnel1] mpls te bandwidth ct0 5000
[~PE1-Tunnel1] commit
[~PE1-Tunnel1] quit

# Configure PE2.
[~PE2] interface tunnel 1
[~PE2-Tunnel1] ip address unnumbered interface loopback1
[~PE2-Tunnel1] tunnel-protocol mpls te
[~PE2-Tunnel1] destination 1.1.1.1
[~PE2-Tunnel1] mpls te bandwidth ct0 5000
[~PE2-Tunnel1] commit
[~PE2-Tunnel1] quit

# Set up a 10 Mbit/s MPLS TE tunnel and bind the tunnel to a VPN instance.
# Configure PE1.
[~PE1] interface tunnel 2
[~PE1-Tunnel2] ip address unnumbered interface loopback1
[~PE1-Tunnel2] tunnel-protocol mpls te
[~PE1-Tunnel2] destination 2.2.2.2
[~PE1-Tunnel2] mpls te bandwidth ct0 10000
[~PE1-Tunnel2] mpls te reserved-for-binding
[~PE1-Tunnel2] commit
[~PE1-Tunnel2] quit

# Configure PE2.
[~PE2] interface tunnel 2
[~PE2-Tunnel2] ip address unnumbered interface loopback1
[~PE2-Tunnel2] tunnel-protocol mpls te
[~PE2-Tunnel2] destination 1.1.1.1
[~PE2-Tunnel2] mpls te bandwidth ct0 10000
[~PE2-Tunnel2] mpls te reserved-for-binding
[~PE2-Tunnel2] commit
[~PE2-Tunnel2] quit

# After the configuration is complete, run the display tunnel-info all command on the PEs to verify
that the Tunnel1 and Tunnel2 interfaces are both Up. The display on PE1 is used as an example.
<PE1> display tunnel-info all
Tunnel ID              Type    Destination    Status
-----------------------------------------------------------------------------
0x0000000001004c4b81   ldp     2.2.2.2        UP
0x000000000300000001   te      2.2.2.2        UP
0x000000000300000002   te      2.2.2.2        UP

Step 4 Configure VPN instances on PEs and configure CEs to access PEs.
# Configure PE1.
[~PE1] ip vpn-instance vpna
[~PE1-vpn-instance-vpna] ipv4-family
[~PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[~PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] ip vpn-instance vpnb
[~PE1-vpn-instance-vpnb] ipv4-family
[~PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[~PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[~PE1-vpn-instance-vpnb-af-ipv4] quit
[~PE1-vpn-instance-vpnb] quit
[~PE1] interface pos2/0/0
[~PE1-Pos2/0/0] ip binding vpn-instance vpna
[~PE1-Pos2/0/0] ip address 10.1.1.2 30
[~PE1-Pos2/0/0] undo shutdown
[~PE1-Pos2/0/0] quit
[~PE1] interface pos 2/0/1
[~PE1-Pos2/0/1] ip binding vpn-instance vpnb
[~PE1-Pos2/0/1] ip address 10.2.1.2 30
[~PE1-Pos2/0/1] undo shutdown
[~PE1-Pos2/0/1] commit
[~PE1-Pos2/0/1] quit

# Configure PE2.
[~PE2] ip vpn-instance vpna
[~PE2-vpn-instance-vpna] ipv4-family
[~PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 100:3
[~PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE2-vpn-instance-vpna-af-ipv4] quit
[~PE2-vpn-instance-vpna] quit
[~PE2] ip vpn-instance vpnb
[~PE2-vpn-instance-vpnb] ipv4-family
[~PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:4
[~PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[~PE2-vpn-instance-vpnb-af-ipv4] quit
[~PE2-vpn-instance-vpnb] quit
[~PE2] interface pos 2/0/0
[~PE2-Pos2/0/0] ip binding vpn-instance vpna
[~PE2-Pos2/0/0] ip address 10.3.1.2 30
[~PE2-Pos2/0/0] undo shutdown
[~PE2-Pos2/0/0] quit
[~PE2] interface pos 2/0/1
[~PE2-Pos2/0/1] ip binding vpn-instance vpnb
[~PE2-Pos2/0/1] ip address 10.4.1.2 30
[~PE2-Pos2/0/1] undo shutdown
[~PE2-Pos2/0/1] commit
[~PE2-Pos2/0/1] quit

# Assign an IP address to each interface on the CEs according to Figure 1-4. The detailed
configuration procedure is not provided here.
# After the configuration is complete, run the display ip vpn-instance verbose command on the PEs
to view the configurations of the VPN instances.

NOTE

If a PE has multiple interfaces bound to the same VPN, you must specify the source IP address when
you ping the CE that is attached to the peer PE; that is, specify -a source-ip-address in the
ping -a source-ip-address -vpn-instance vpn-instance-name destination-address command. Otherwise,
the ping fails.

Step 5 Create tunnel policies on PEs and apply the tunnel policies.
# Configure a tunnel binding policy and apply the policy to vpna.
# Configure PE1.
[~PE1] tunnel-policy policy1
[~PE1-tunnel-policy-policy1] tunnel binding destination 2.2.2.2 te tunnel 2
[~PE1-tunnel-policy-policy1] quit
[~PE1] ip vpn-instance vpna
[~PE1-vpn-instance-vpna] ipv4-family
[~PE1-vpn-instance-vpna-af-ipv4] tnl-policy policy1
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] commit

# Configure PE2.
[~PE2] tunnel-policy policy1
[~PE2-tunnel-policy-policy1] tunnel binding destination 1.1.1.1 te tunnel 2
[~PE2-tunnel-policy-policy1] quit
[~PE2] ip vpn-instance vpna
[~PE2-vpn-instance-vpna] ipv4-family
[~PE2-vpn-instance-vpna-af-ipv4] tnl-policy policy1
[~PE2-vpn-instance-vpna-af-ipv4] quit
[~PE2-vpn-instance-vpna] quit
[~PE2] commit

# Configure a tunnel type prioritizing policy and apply the policy to vpnb.
# Configure PE1.
[~PE1] tunnel-policy policy2
[~PE1-tunnel-policy-policy2] tunnel select-seq cr-lsp lsp load-balance-number 2
[~PE1-tunnel-policy-policy2] quit
[~PE1] ip vpn-instance vpnb
[~PE1-vpn-instance-vpnb] ipv4-family
[~PE1-vpn-instance-vpnb-af-ipv4] tnl-policy policy2
[~PE1-vpn-instance-vpnb-af-ipv4] quit
[~PE1-vpn-instance-vpnb] quit
[~PE1] commit

# Configure PE2.
[~PE2] tunnel-policy policy2
[~PE2-tunnel-policy-policy2] tunnel select-seq cr-lsp lsp load-balance-number 2
[~PE2-tunnel-policy-policy2] quit
[~PE2] ip vpn-instance vpnb
[~PE2-vpn-instance-vpnb] ipv4-family
[~PE2-vpn-instance-vpnb-af-ipv4] tnl-policy policy2
[~PE2-vpn-instance-vpnb-af-ipv4] quit
[~PE2-vpn-instance-vpnb] quit
[~PE2] commit

Step 6 Set up an MP-IBGP peer relationship between PEs.
# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] peer 2.2.2.2 as-number 100
[~PE1-bgp] peer 2.2.2.2 connect-interface loopback 1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 2.2.2.2 enable
[~PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit

# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] peer 1.1.1.1 as-number 100
[~PE2-bgp] peer 1.1.1.1 connect-interface loopback 1
[~PE2-bgp] ipv4-family vpnv4
[~PE2-bgp-af-vpnv4] peer 1.1.1.1 enable
[~PE2-bgp-af-vpnv4] commit
[~PE2-bgp-af-vpnv4] quit

# After the configuration is complete, run the display bgp peer or display bgp vpnv4 all peer
command on the PEs to verify that a BGP peer relationship has been set up between the PEs and is
in the Established state.

Step 7 Set up EBGP peer relationships between PEs and CEs.
# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpna
[~PE1-bgp-af-vpna] peer 10.1.1.1 as-number 65410
[~PE1-bgp-af-vpna] quit
[~PE1-bgp] ipv4-family vpn-instance vpnb
[~PE1-bgp-af-vpnb] peer 10.2.1.1 as-number 65410
[~PE1-bgp-af-vpnb] commit
[~PE1-bgp-af-vpnb] quit
[~PE1-bgp] quit

# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] commit
[CE1-bgp] quit

# Configure CE2.
[CE2] bgp 65410
[CE2-bgp] peer 10.2.1.2 as-number 100
[CE2-bgp] import-route direct
[CE2-bgp] commit
[CE2-bgp] quit

# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] ipv4-family vpn-instance vpna
[~PE2-bgp-af-vpna] peer 10.3.1.1 as-number 65420
[~PE2-bgp-af-vpna] quit
[~PE2-bgp] ipv4-family vpn-instance vpnb
[~PE2-bgp-af-vpnb] peer 10.4.1.1 as-number 65420
[~PE2-bgp-af-vpnb] commit
[~PE2-bgp-af-vpnb] quit
[~PE2-bgp] quit

# Configure CE3.
[CE3] bgp 65420
[CE3-bgp] peer 10.3.1.2 as-number 100
[CE3-bgp] import-route direct
[CE3-bgp] commit
[CE3-bgp] quit

# Configure CE4.
[CE4] bgp 65420
[CE4-bgp] peer 10.4.1.2 as-number 100
[CE4-bgp] import-route direct
[CE4-bgp] commit
[CE4-bgp] quit

Step 8 Verify the configuration.
# Run the display bgp routing-table command on the CEs to view the routes to the remote CEs.
# The display on CE1 is used as an example.
<CE1> display bgp routing-table

 BGP Local router ID is 3.3.3.3
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete

 Total Number of Routes: 5
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn

 *>   3.3.3.3/32         0.0.0.0         0                     0      ?
 *>   5.5.5.5/32         10.1.1.2                              0      100 65420?
 *>   10.1.1.0/30        0.0.0.0         0                     0      ?
 *>   10.1.1.2/32        0.0.0.0         0                     0      ?
 *>   10.3.1.0/30        10.1.1.2                              0      100 65420?

# Run the display ip routing-table vpn-instance verbose command on the PEs to view the tunnels
used by the VPN routes.
# The display on PE1 is used as an example.
[~PE1] display ip routing-table vpn-instance vpna 5.5.5.5 verbose
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpna
Summary Count : 1

Destination: 5.5.5.5/32
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 2.2.2.2 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h00m08s
Tag: 0 Priority: low
Label: 0x13 QoSInfo: 0x0
IndirectID: 0xb9
RelayNextHop: 0.0.0.0 Interface: Tunnel2
TunnelID: 0x000000000300000002 Flags: RD
[~PE1] display ip routing-table vpn-instance vpnb 6.6.6.6 verbose
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpnb
Summary Count : 1

Destination: 6.6.6.6/32
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 2.2.2.2 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h04m37s
Tag: 0 Priority: low
Label: 0x15 QoSInfo: 0x0
IndirectID: 0xb8
RelayNextHop: 0.0.0.0 Interface: Tunnel1
TunnelID: 0x000000000300000001 Flags: RD
RelayNextHop: 0.0.0.0 Interface: LDP LSP
TunnelID: 0x0000000001004c4b81 Flags: RD

# CEs in the same VPN can ping each other, whereas CEs in different VPNs cannot.

----End
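
The verification in Step 8 can be scripted. The following Python sketch is an added example, not part of the Huawei guide: it parses the PE1 output shown above and checks that the vpna route uses only the bound tunnel Tunnel2, while the vpnb route uses at most two tunnels and stays off Tunnel2. The function names, the constructed fallback case, and the rule that a tunnel reserved for binding must not carry vpnb are assumptions of this example.

```python
import re

# Abridged from the PE1 output on this page.
TUNNEL_INFO = """\
0x0000000001004c4b81   ldp     2.2.2.2        UP
0x000000000300000001   te      2.2.2.2        UP
0x000000000300000002   te      2.2.2.2        UP
"""
ROUTE_VPNA = """\
Routing Table : vpna
Destination: 5.5.5.5/32
NextHop: 2.2.2.2 Neighbour: 0.0.0.0
RelayNextHop: 0.0.0.0 Interface: Tunnel2
TunnelID: 0x000000000300000002 Flags: RD
"""
ROUTE_VPNB = """\
Routing Table : vpnb
Destination: 6.6.6.6/32
NextHop: 2.2.2.2 Neighbour: 0.0.0.0
RelayNextHop: 0.0.0.0 Interface: Tunnel1
TunnelID: 0x000000000300000001 Flags: RD
RelayNextHop: 0.0.0.0 Interface: LDP LSP
TunnelID: 0x0000000001004c4b81 Flags: RD
"""
# Constructed failure case: the vpna route resolved over the LDP LSP instead.
ROUTE_VPNA_FALLBACK = ROUTE_VPNA.replace("Tunnel2", "LDP LSP").replace(
    "0x000000000300000002", "0x0000000001004c4b81")


def parse_tunnel_info(text):
    """Map tunnel ID -> type, destination and status from 'display tunnel-info all'."""
    tunnels = {}
    for line in text.splitlines():
        m = re.match(r"\s*(0x[0-9a-fA-F]+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$", line)
        if m:
            tid, kind, dest, status = m.groups()
            tunnels[tid.lower()] = {"type": kind, "destination": dest, "status": status.upper()}
    return tunnels


def parse_route(text):
    """Extract table, destination, next hop and (interface, tunnel ID) pairs of one route."""
    route = {"table": None, "destination": None, "nexthop": None, "paths": []}
    interface = None
    for line in text.splitlines():
        if m := re.search(r"Routing Table\s*:\s*(\S+)", line):
            route["table"] = m.group(1)
        elif m := re.match(r"\s*Destination:\s*(\S+)", line):
            route["destination"] = m.group(1)
        elif m := re.match(r"\s*NextHop:\s*(\S+)", line):
            route["nexthop"] = m.group(1)
        elif m := re.search(r"\bInterface:\s*(.+?)\s*$", line):
            interface = m.group(1)          # e.g. "Tunnel2" or "LDP LSP"
        elif m := re.match(r"\s*TunnelID:\s*(0x[0-9a-fA-F]+)", line):
            route["paths"].append((interface, m.group(1).lower()))
            interface = None
    return route


def _path_findings(route, tunnels):
    """Checks shared by both policies: tunnel known, Up, and ending at the BGP next hop."""
    out = []
    if not route["paths"]:
        out.append(f"{route['table']} {route['destination']}: no tunnel selected")
    for ifname, tid in route["paths"]:
        info = tunnels.get(tid)
        if info is None:
            out.append(f"{route['table']}: {ifname} ({tid}) missing from tunnel table")
        elif info["status"] != "UP" or info["destination"] != route["nexthop"]:
            out.append(f"{route['table']}: {ifname} is {info['status']} "
                       f"towards {info['destination']}")
    return out


def check_bound(route, tunnels, bound_if):
    """Tunnel binding policy (policy1): only the bound TE tunnel may carry the route."""
    out = _path_findings(route, tunnels)
    for ifname, tid in route["paths"]:
        if ifname != bound_if or tunnels.get(tid, {}).get("type") != "te":
            out.append(f"{route['table']}: {ifname} is not the bound tunnel {bound_if}")
    return out


def check_select_seq(route, tunnels, reserved_ifs, max_paths):
    """Select-seq policy (policy2): at most max_paths tunnels, none reserved for binding."""
    out = _path_findings(route, tunnels)
    if len(route["paths"]) > max_paths:
        out.append(f"{route['table']}: more than {max_paths} tunnels in use")
    for ifname, _ in route["paths"]:
        if ifname in reserved_ifs:   # assumption: reserved tunnels serve bound VPNs only
            out.append(f"{route['table']}: {ifname} is reserved for binding")
    return out


if __name__ == "__main__":
    t = parse_tunnel_info(TUNNEL_INFO)
    print(check_bound(parse_route(ROUTE_VPNA), t, "Tunnel2"))
    print(check_bound(parse_route(ROUTE_VPNA_FALLBACK), t, "Tunnel2"))
    print(check_select_seq(parse_route(ROUTE_VPNB), t, {"Tunnel2"}, 2))
```

An empty list means the route follows its tunnel policy; the constructed fallback case returns one finding for vpna.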

Configuration Files
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
tnl-policy policy1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
tnl-policy policy2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.1
#
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.1.1.1 255.255.255.252
mpls
mpls te
mpls te bandwidth max-reservable-bandwidth 20000
mpls te bandwidth bc0 15000
mpls rsvp-te
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.252
#
interface Pos2/0/1
undo shutdown
link-protocol ppp
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.252
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
interface Tunnel1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 2.2.2.2
mpls te bandwidth ct0 5000
#
interface Tunnel2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 2.2.2.2
mpls te bandwidth ct0 10000
mpls te reserved-for-binding
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
#
ipv4-family vpn-instance vpnb
peer 10.2.1.1 as-number 65410
#
ospf 1
opaque-capability enable
area 0.0.0.0
mpls-te enable
network 100.1.1.0 0.0.0.3
network 1.1.1.1 0.0.0.0
#
tunnel-policy policy1
tunnel binding destination 2.2.2.2 te Tunnel2
#
tunnel-policy policy2
tunnel select-seq cr-lsp lsp load-balance-number 2
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:3
tnl-policy policy1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:4
tnl-policy policy2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 2.2.2.2
#
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.1.1.2 255.255.255.252
mpls
mpls te
mpls te bandwidth max-reservable-bandwidth 20000
mpls te bandwidth bc0 15000
mpls rsvp-te
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.252
#
interface Pos2/0/1
undo shutdown
link-protocol ppp
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.252
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
interface Tunnel1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 1.1.1.1
mpls te bandwidth ct0 5000
#
interface Tunnel2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 1.1.1.1
mpls te bandwidth ct0 10000
mpls te reserved-for-binding
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpna
peer 10.3.1.1 as-number 65420
#
ipv4-family vpn-instance vpnb
peer 10.4.1.1 as-number 65420
#
ospf 1
opaque-capability enable
area 0.0.0.0
mpls-te enable
network 100.1.1.0 0.0.0.3
network 2.2.2.2 0.0.0.0
#
tunnel-policy policy1
tunnel binding destination 1.1.1.1 te Tunnel2
#
tunnel-policy policy2
tunnel select-seq cr-lsp lsp load-balance-number 2
#
return

• Configuration file of CE1
#
sysname CE1
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.1 255.255.255.252
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return

• Configuration file of CE2
#
sysname CE2
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.2.1.1 255.255.255.252
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
#
bgp 65410
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return

• Configuration file of CE3
#
sysname CE3
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.3.1.1 255.255.255.252
#
interface LoopBack1
ip address 5.5.5.5 255.255.255.255
#
bgp 65420
peer 10.3.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.3.1.2 enable
#
return

• Configuration file of CE4
#
sysname CE4
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.4.1.1 255.255.255.252
#
interface LoopBack1
ip address 6.6.6.6 255.255.255.255
#
bgp 65420
peer 10.4.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.4.1.2 enable
#
return

Related Tasks
1.5 Configuring a Tunnel Binding Policy for an L3VPN

2 BGP/MPLS IP VPN Configuration

About This Chapter

This chapter introduces VPN concepts, common VPN networkings, and VPN reliability features
before describing BGP/MPLS IP VPN configurations.

2.1 BGP/MPLS IP VPN Overview
This section describes the protocols and networkings involved in BGP/MPLS IP VPN, and the
concepts and functions of the PE, P, and CE devices.
2.2 BGP/MPLS IP VPN Features Supported by the NE5000E
This section mainly describes the typical networking and application of BGP/MPLS IP VPN
and the reliability mechanisms used by BGP/MPLS IP VPN.
2.3 Configuring a VPN Instance Enabled with the IPv4 Address Family
Configuring VPN instances is required in all BGP/MPLS IP VPN solutions.
2.4 Configuring Basic BGP/MPLS IP VPN
The basic BGP/MPLS IP VPN contains only one SP network, and the MPLS backbone network does
not span multiple ASs. In addition, the role of each PE, P, or CE is unique, that is, a router cannot
function as both a PE and a CE.
2.5 Configuring Route Reflection to Optimize the VPN Backbone Layer
Using a Route Reflector (RR) can reduce the number of MP-IBGP connections between PEs.
This not only reduces the burden on PEs but also facilitates network maintenance and
management.
2.6 Configuring Hub and Spoke
In the Hub and Spoke networking, an access control device is specified in the VPN, and users
communicate with each other through the access control device.
2.7 Configuring a Tunnel Policy for the Backbone Network of a BGP/MPLS IP VPN
A tunnel policy applied to a VPN can specify the type of tunnel selected for the VPN and enable
load balancing among tunnels.
2.8 Configuring Inter-AS VPN Option A
If the number of VPNs that a PE accesses and the number of VPN routes are small, inter-AS
VPN Option A can be adopted.
2.9 Configuring Inter-AS VPN Option B (Basic Networking)
In the scenario where the backbone network spans two ASs, ASBRs need to advertise VPNv4
routes through MP-EBGP.
2.10 Configuring Inter-AS VPN Option B (ASBR Also Functioning as a PE)
In the scenario where the backbone network spans two ASs, ASBRs need to advertise VPNv4
routes through MP-EBGP and ASBRs also need to function as PEs.
2.11 Configuring Inter-AS VPN Option B (ASBR Also Functioning as an RR)
In the scenario where the backbone network spans two ASs, ASBRs need to advertise VPNv4
routes through MP-EBGP. When multiple PEs exist in the ASs, you can configure an ASBR as
an RR to lower configuration complexities.
2.12 Configuring Inter-AS VPN Option B (Spanning More Than Two ASs)
In the scenario where the backbone network spans more than two ASs, ASBRs need to advertise
VPNv4 routes through MP-EBGP.
2.13 Configuring the Multi-VPN-Instance CE
By using OSPF multi-instance on CEs, you can implement service isolation on the LAN.
2.14 Configuring VPN FRR
In the networking of CE dual-homing, you can configure VPN FRR to ensure VPN service
switchover to a secondary link when the primary link between PEs fails.
2.15 Configuring FRR for IP Routes on a Private Network
This section describes how to configure FRR for IP routes on a private network in the networking
where multiple CEs at a VPN site access the same PE. This feature can quickly switch traffic to
a link connected to another CE if the primary route from a PE to a CE becomes unreachable.
2.16 Configuring Hybrid FRR for IP and VPNv4 Routes
This section describes how to configure hybrid FRR in the networking where a CE is dual-homed
to two PEs. If the next hop from a PE to a CE is unreachable, hybrid FRR can send traffic to
another PE over a tunnel, and the traffic will be routed to the CE by using IP forwarding on the
private network. This improves network reliability.
2.17 Maintaining BGP/MPLS IP VPN
Maintaining BGP/MPLS IP VPN involves checking L3VPN traffic, monitoring network
connectivity, resetting BGP connections, and debugging BGP/MPLS IP VPN information.
2.18 Configuration Examples
This section provides several configuration examples of VPN networking. In each configuration
example, the networking requirements, configuration notes, configuration roadmap,
configuration procedures, and configuration files are provided.

2.1 BGP/MPLS IP VPN Overview
This section describes the protocols and networkings involved in BGP/MPLS IP VPN, and the
concepts and functions of the PE, P, and CE devices.

BGP/MPLS IP VPN is a Provider Edge (PE)-based L3VPN technology in the Provider Provisioned VPN
(PPVPN) solutions. It uses the Border Gateway Protocol (BGP) to advertise VPN routes and
Multi-Protocol Label Switching (MPLS) to forward VPN packets on a provider's backbone network.
"IP" here refers to the IP packets borne by VPNs.

Figure 2-1 Networking diagram of BGP/MPLS IP VPN
[Figure: sites of VPN 1 and VPN 2, each with a CE, attached to PEs on the service provider's
backbone, which also contains P devices.]

BGP/MPLS IP VPN features flexible networking modes, excellent extensibility and convenient
support for Quality of Service (QoS) and MPLS Traffic Engineering (MPLS TE) features. It is
now widely used.

In BGP/MPLS IP VPN, three types of devices are involved:

• Customer Edge (CE): It is an edge device on the user network. A CE is directly connected
  to a Service Provider (SP) network. CEs can be routers, switches, or hosts. Usually, CEs
  cannot sense the existence of VPNs and need not support MPLS.
• Provider Edge (PE): It is an edge device on an SP network. A PE is directly connected to
  a CE. On the MPLS network, PEs are responsible for processing all VPN services.
• Provider (P): It is a backbone device on the SP network. A P is not directly connected to a
  CE. Ps only need to possess basic MPLS forwarding capabilities and do not need to maintain
  information about VPNs.

2.2 BGP/MPLS IP VPN Features Supported by the NE5000E
This section mainly describes the typical networking and application of BGP/MPLS IP VPN
and the reliability mechanisms used by BGP/MPLS IP VPN.

Typical Networking and Application
The NE5000E supports the following typical BGP/MPLS IP VPN networkings:
• Intranet
  All users in a VPN form a Closed User Group (CUG) and the users can forward data to
  each other. Users in a VPN cannot communicate with users outside the VPN. As shown in
  Figure 2-2, Site1 in VPN1 can communicate only with Site4 and cannot communicate
  with Site2 or Site3.

Figure 2-2 Schematic diagram of an intranet
[Figure: Site1 and Site4 belong to VPN1 (Import: 100:1, Export: 100:1); Site2 and Site3 belong to
VPN2 (Import: 200:1, Export: 200:1). The CEs of the sites connect through PEs and a P on the
backbone.]

• Extranet
  A user in a VPN can communicate with sites in another VPN. As shown in Figure 2-3,
  Site1 and Site2 can both communicate with Site3, and Site3 can communicate with both Site1
  and Site2. Site1 and Site2, however, cannot communicate with each other.

Figure 2-3 Schematic diagram of an extranet
[Figure: Site1 is in VPN1 (Import: 100:1, Export: 100:1), Site2 is in VPN2 (Import: 200:1,
Export: 200:1), and Site3 is in VPN1 (Import: 100:1, 200:1; Export: 100:1, 200:1). The CEs of
the sites attach to PE1, PE2, and PE3.]

• Hub and Spoke
  In the networking of Hub and Spoke, an access control device is specified in a VPN, and
  users communicate with each other through this access control device. That is, the
  communication flows between Spoke sites all travel through a Hub site. As shown in
  Figure 2-4, Site1 and Site2 cannot communicate directly but need to communicate through Site3.

Figure 2-4 Schematic diagram of Hub and Spoke
[Figure: the Spoke-CEs at Site1 and Site2 attach to Spoke-PEs, and the Hub-CE at Site3 attaches to
the Hub-PE; all sites are in VPN1.]

• Inter-AS VPN
  If a VPN backbone network spans multiple ASs, inter-AS VPN must be deployed. There
  are two modes for implementing inter-AS VPN: Option A and Option B.
• Multi-VPN-Instance CE
  Currently, different services on a Local Area Network (LAN) are isolated through the
  Virtual LAN (VLAN) function of switches. However, the routing capability of a switch is
  weaker than that of a router. To ensure that the services of the LAN are safely isolated and
  improve the routing capability of the LAN, you can configure Multi-VPN-Instance CE to
  solve the security problem of the LAN at a low cost.
• VPN and Internet interworking
  The NE5000E supports the interworking between the VPN and the Internet. In this way,
  users in a VPN can not only communicate with each other but also access the Internet.

Reliability
To improve the reliability of a VPN, generally, the following networking models are adopted:

• The backbone network is an MPLS network, in which the devices on the backbone layer
  are fully connected and backed up. The devices on the backbone layer are generally
  connected through high-speed interfaces. If the number of PEs is large, use a BGP route
  reflector to reflect VPNv4 routes to decrease the number of MP-IBGP connections.
• The convergence layer is of either a mesh topology or a ring topology.
• The CE can either be single-homed or multi-homed on the access layer.

The NE5000E supports the following reliability mechanisms:

• VPN Fast ReRoute (VPN FRR): ensures that VPN traffic can be switched to another PE-PE
  link when traffic forwarding between PEs fails. In this way, end-to-end fast convergence
  of VPN services is implemented.
• VPN Graceful Restart (VPN GR): ensures that VPN traffic is not interrupted when
  the router (PE, P, or CE) bearing the VPN traffic performs master-slave switchover. This
  reduces the impact of a single point failure on VPN services. Currently, the NE5000E
  supports only the GR helper.
• VPN NSR
  Non-Stop Routing (NSR) is a technique that prevents a peer from sensing the fault on the
  control plane of a router that provides a slave control plane. With NSR, when the control
  plane of the router becomes faulty, the peer relationships set up through specific routing
  protocols, MPLS, and other protocols that carry services are not interrupted.
  During the master/slave switchover, VPN NSR ensures the continuous forwarding at the
  forwarding plane and continuous advertisement of VPN routes. In this process, the peer
  relationships are not affected, with peers not knowing the switchover on the local router.
  This ensures uninterrupted transmission of VPN services.

2.3 Configuring a VPN Instance Enabled with the IPv4 Address Family
Configuring VPN instances is required in all BGP/MPLS IP VPN solutions.

Applicable Environment
A VPN instance is an important part in the VPN technology. VPN instances are used to isolate
private network routes and public network routes.
VPN instances exist only on PEs for creating private network routing tables and saving VPN
routes sent by local CEs and remote PEs.

Pre-configuration Tasks
Before configuring a VPN instance enabled with the IPv4 address family, complete the following
tasks:
• Configuring routing policies to control the import or export of VPN routes
• Configuring tunnel policies to implement tunnel load balancing for VPN instance IPv4
  address family, change the default sequence in which Label Switched Paths (LSPs) or
  MPLS TE tunnels are selected, or bind VPN instances to TE tunnels

Configuration Procedures

Figure 2-5 Flowchart for configuring a VPN instance enabled with the IPv4 address family
[Flowchart, in order: Create a VPN instance; Configure attributes for the VPN instance IPv4
address family; Limit the route number of the VPN instance IPv4 address family; Apply a tunnel
policy to the VPN instance IPv4 address family; Configure MPLS label allocation based on the
VPN instance IPv4 address family. The legend distinguishes mandatory and optional procedures.]

2.3.1 Creating a VPN Instance
A VPN instance takes effect only after a Route Distinguisher (RD) is configured.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip vpn-instance vpn-instance-name

A VPN instance is created and the VPN instance view is displayed.

NOTE
The name of a VPN instance is case sensitive. For example, vpn1 and VPN1 are two different VPN
instances.

Step 3 (Optional) Run:
description description-information

The description about the VPN instance is configured. The description is used to record the
purpose of creating the VPN instance and the CEs with which the VPN instance sets up
connections.

Step 4 Run:
commit

The configuration is committed.

----End

2.3.2 Configuring Attributes for the VPN Instance IPv4 Address Family
To control the import and export of VPN routes, you need to configure a VPN target for a VPN
instance and routing policies for importing and exporting VPN routes.

Context
In addition to the VPN target attribute used to control the import and export of VPN routes, you
can configure a routing policy to control VPN routes more precisely.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.


Step 3 Run:
ipv4-family

The IPv4 address family is enabled for the VPN instance and the VPN instance IPv4 address
family view is displayed.
A VPN instance supports the IPv4 address family and IPv6 address family. You can configure
the VPN only after the IPv4 or IPv6 address family is configured on the basis of the type of the
protocol stack used to advertise routes and forward data.
Step 4 Run:
route-distinguisher route-distinguisher

An RD is configured for the VPN instance IPv4 address family.


The VPN instance IPv4 address family takes effect only after an RD is configured for it. The
RDs configured in different VPN instance IPv4 address family views of the same PE must be
different.

NOTE

A configured RD cannot be changed or deleted. You need to delete a VPN instance or disable the VPN
instance IPv4 address family before changing or deleting the RD of the VPN instance IPv4 address
family.

Step 5 Run:
vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]

A VPN target is configured for the VPN instance IPv4 address family.
A VPN target is an extended community attribute of BGP. It controls the import and export of
VPN routes. When a PE exports VPN routes to other PEs, it appends export VPN targets to the
exported routes. When a PE imports VPN routes from other PEs, it decides whether to add the
imported routes to the corresponding VPN instances IPv4 address family according to the import
VPN targets of the local VPN instances and export VPN targets appended to the imported routes.

You can configure a maximum of eight VPN targets each time you run the vpn-target command.

Step 6 (Optional) Run:
import route-policy policy-name

A routing policy for importing VPN routes is configured.

The routing policy for importing VPN routes can filter the routes imported by the VPN instance
IPv4 address family and set attributes for the routes that pass the filtering.

Step 7 (Optional) Run:
export route-policy policy-name

A routing policy for exporting VPN routes is configured.

A routing policy for exporting VPN routes can filter the routes advertised by the VPN instance
IPv4 address family and set attributes for the routes that pass the filtering.

Step 8 Run:
quit

Return to the system view.

Step 9 Run:
bgp as-number

The BGP view is displayed.

Step 10 Run:
ipv4-family vpn-instance vpn-instance-name

A BGP private routing table is created for the VPN instance and the BGP-VPN instance view
is displayed.

VPN targets configured for VPN instance IPv4 address family can be synchronized into a BGP
private routing table only after the ipv4-family vpn-instance command is run. In this way, VPN
targets can be used to filter the routes to be injected to the BGP private routing table. If the ipv4-
family vpn-instance command is not run, no route can be injected to the BGP private routing
table.

Step 11 Run:
commit

The configuration is committed.

----End
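The RD and VPN target rules in this procedure can be checked offline before a configuration is committed. The following Python sketch is an added example, not Huawei code: the PE names, VPN names, RD values and VPN target values are constructed, and all helper names are hypothetical. It assumes a route is added to an instance when at least one export VPN target on the route equals one of that instance's import VPN targets.

```python
from dataclasses import dataclass
from itertools import product

MAX_TARGETS_PER_COMMAND = 8  # from the page: at most eight VPN targets per vpn-target command


@dataclass(frozen=True)
class VpnInstance:
    pe: str                # PE the instance is configured on
    name: str              # vpn-instance-name
    rd: str                # route distinguisher
    import_rts: frozenset  # import VPN targets
    export_rts: frozenset  # export VPN targets


def inst(pe, name, rd, imports, exports):
    return VpnInstance(pe, name, rd, frozenset(imports), frozenset(exports))


def duplicate_rds(instances):
    """RDs reused by different instances on the same PE, which the page forbids."""
    by_key = {}
    for i in instances:
        by_key.setdefault((i.pe, i.rd), []).append(i.name)
    return sorted((pe, rd, sorted(names)) for (pe, rd), names in by_key.items()
                  if len(names) > 1)


def imports_from(receiver, sender):
    """True when a route exported by `sender` is added to `receiver`
    (assumption: one matching export/import VPN target is enough)."""
    return bool(sender.export_rts & receiver.import_rts)


def cross_vpn_flows(instances):
    """(sender PE, sender VPN, receiver PE, receiver VPN) for every route flow
    between instances that carry different VPN names."""
    return sorted((s.pe, s.name, r.pe, r.name)
                  for s, r in product(instances, repeat=2)
                  if s.name != r.name and imports_from(r, s))


def unexpected_flows(instances, allowed):
    """Cross-VPN flows whose (sender VPN, receiver VPN) pair is not in `allowed`."""
    return [f for f in cross_vpn_flows(instances) if (f[1], f[3]) not in allowed]


def isolated_sites(instances):
    """Same-named instances on different PEs that do not receive each other's routes."""
    return sorted((s.pe, r.pe, s.name) for s, r in product(instances, repeat=2)
                  if s.name == r.name and s.pe != r.pe and not imports_from(r, s))


def vpn_target_commands(targets, keyword="both"):
    """Render vpn-target lines so that no single command carries more than eight targets."""
    if keyword not in ("both", "export-extcommunity", "import-extcommunity"):
        raise ValueError("unknown keyword: " + keyword)
    targets = sorted(targets)
    return ["vpn-target " + " ".join(targets[i:i + MAX_TARGETS_PER_COMMAND]) + " " + keyword
            for i in range(0, len(targets), MAX_TARGETS_PER_COMMAND)]


# Constructed sample: two PEs, two customers. vpnb on PE2 also imports 111:1,
# so vpna routes are added to vpnb there although only intranet access is intended.
SAMPLE = [
    inst("PE1", "vpna", "100:1", {"111:1"}, {"111:1"}),
    inst("PE1", "vpnb", "100:2", {"222:2"}, {"222:2"}),
    inst("PE2", "vpna", "200:1", {"111:1"}, {"111:1"}),
    inst("PE2", "vpnb", "200:2", {"222:2", "111:1"}, {"222:2"}),
]

if __name__ == "__main__":
    print("duplicate RDs:", duplicate_rds(SAMPLE))
    print("unexpected cross-VPN flows:", unexpected_flows(SAMPLE, allowed=set()))
    print("isolated sites:", isolated_sites(SAMPLE))
```

Passing the intended extranet pairs in `allowed` turns the output into a list of route flows that nobody asked for.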

2.3.3 (Optional) Limiting the Route Number of the VPN Instance IPv4 Address Family
To prevent a PE from importing excessive VPN routes, you can set the maximum number of
routes of each VPN instance IPv4 address family.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.

Step 3 Run:
ipv4-family

The VPN instance IPv4 address family view is displayed.

Step 4 (Optional) Run:


prefix limit number { alert-percent | simply-alert }

The maximum number of prefixes of the VPN instance IPv4 address family is set.

To prevent a PE from importing excessive prefixes from CEs, you can set the maximum number
of prefixes supported by a VPN instance IPv4 address family.

If simply-alert is specified, when the number of VPN prefixes exceeds number, the system
generates an alarm but still injects VPN prefixes into the routing table of the
VPN instance IPv4 address family. After the total number of VPN prefixes and public
network routes reaches the unicast route limit specified in the license file, subsequent VPN
prefixes are dropped.

Step 5 Run:
commit

The configuration is committed.

----End

2.3.4 (Optional) Applying a Tunnel Policy to the VPN instance IPv4 Address Family
By applying a tunnel policy to the VPN instance IPv4 address family, you can specify a dedicated
tunnel for VPN traffic forwarding.

Context
By default, the system selects a tunnel for the VPN instance IPv4 address family in the sequence
of LSPs, CR-LSPs, GRE tunnels, and Local_IfNet, and load balancing is not performed. In the
following cases, you need to configure a tunnel policy on the PE and apply the tunnel policy to
the VPN instance IPv4 address family:
• To specify tunnels of different priorities to be used by different VPN services
• To specify tunnel load balancing for VPN services
• To designate specific TE tunnels for VPN services

Currently, the NE5000E supports two types of tunnel policy:

• Tunnel type prioritizing policy: is used to change the sequence in which each type of tunnels
are selected or set the number of tunnels participating in load balancing.

• Tunnel binding policy: is used to bind a TE tunnel to a destination address so that VPN
services for this destination can be transmitted over this dedicated TE tunnel.

For configurations about tunnel policies, see the chapter "VPN Tunnel Management
Configuration" in this manual.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.

Step 3 Run:
ipv4-family

The IPv4 address family is enabled for the VPN instance and the VPN instance IPv4 address
family view is displayed.

Step 4 Run:
tnl-policy policy-name

A tunnel policy is applied to the VPN instance IPv4 address family.

Step 5 Run:
commit

The configuration is committed.

----End

2.3.5 (Optional) Configuring MPLS Label Allocation Based on the VPN Instance IPv4 Address Family
If there are a large number of VPN routes, you can reduce the number of MPLS labels maintained by
PEs by configuring MPLS label allocation based on the VPN instance IPv4 address family.

Context
By default, the system allocates one label to each route of the VPN instance IPv4 address
family. When a large number of VPN routes exist, the Incoming Label Map (ILM) on a PE needs
to maintain a great deal of information. This poses a requirement for a larger capacity of the PE.
To reduce the entries in the ILM, you can configure the system to allocate a label for each VPN
instance IPv4 address family. Then, all the routes of the VPN instance IPv4 address family use
one label.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.

Step 3 Run:
ipv4-family

The IPv4 address family is enabled for the VPN instance and the VPN instance IPv4 address
family view is displayed.

Step 4 Run:
apply-label per-instance

MPLS label allocation based on VPN instance IPv4 address family is configured. Then, all the
routes of the VPN instance IPv4 address family use one label.

NOTE

Changing the label allocation mode causes VPN routes to be re-advertised, so use the apply-label
per-instance command with caution.

Step 5 Run:
commit

The configuration is committed.

----End

2.3.6 Checking the Configuration


After configuring a VPN instance, you can view information about the VPN instance IPv4
address family on the local device, including the RD value and other attributes.

Prerequisite
All configurations about the VPN instance are complete.

Procedure
• Run the display ip vpn-instance [ verbose ] vpn-instance-name command to check brief
information or detailed information about a specified VPN instance.

----End

Example
After a VPN instance is configured, run the display ip vpn-instance command, and you can
view brief information about the configured VPN instance on the local device. For example:
<HUAWEI> display ip vpn-instance
Total VPN-Instances configured : 5
VPN-Instance Name Address-family
vrf1 ipv4 ipv6
vrf2
vrf3 ipv4 ipv6
vrf4 ipv4
vrf5 ipv6

Run the display ip vpn-instance verbose command, and you can view detailed information
about the VPN instance configured on the local device. For example:
<HUAWEI> display ip vpn-instance verbose vpn1

VPN-Instance Name and ID : vpn1, 1


Interfaces : GigabitEthernet1/0/0
Address family ipv4
Create date : 2009/11/19 11:48:13
Up time : 0 days, 00 hours, 41 minutes and 51 seconds
Route Distinguisher : 1:1
Export VPN Targets : 1:2
Import VPN Targets : 1:2
Label policy : label per instance
Import Route Policy : p1
Export Route Policy : p2
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe
Tunnel Policy : tnlpolicy1
Description : This is a VPN for company1.
Maximum Routes Limit : 100
Threshold Routes Limit : 80%

2.4 Configuring Basic BGP/MPLS IP VPN


The basic BGP/MPLS IP VPN contains only one SP network, and the MPLS backbone network does
not span multiple ASs. In addition, the role of each PE, P, or CE is unique, that is, a router cannot
function as both a PE and a CE.

Applicable Environment
The basic BGP/MPLS IP VPN supports intranet VPN, extranet VPN, and Hub and Spoke
solutions.
• Intranet: All users in a VPN form a CUG and users in a VPN cannot communicate with
users outside the VPN.
• Extranet: Users in a VPN want to access the sites in another VPN.
• Hub and Spoke: An access control device is specified in a VPN, and users communicate
with each other through this access control device. For configurations about Hub and Spoke,
see Configuring Hub and Spoke.

Pre-configuration Tasks
Before configuring basic BGP/MPLS IP VPN, complete the following tasks:
• Configuring an IGP on the MPLS backbone network (PE and P) to implement IP
intercommunication
• Configuring basic MPLS functions and MPLS LDP on the MPLS backbone network (PE
and P)
• Configuring a tunnel between PEs based on a tunnel policy
• Configuring IP addresses for the interfaces connecting CEs to PEs

Configuration Procedures

Figure 2-6 Flowchart for configuring basic BGP/MPLS IP VPN

[Flowchart boxes, in order: Configure a VPN instance; Bind an interface to a VPN instance;
Configure a router ID for a BGP VPN instance IPv4 address family; Configure route exchange
between PEs; Configure route exchange between a PE and a CE. Legend: mandatory procedure,
optional procedure.]

Related Tasks
2.18.1 Example for Configuring BGP/MPLS IP VPN

2.4.1 Configuring a VPN Instance


You can configure a VPN instance for managing VPN routes.

Procedure
Step 1 For the detailed procedure for configuring a VPN instance, see 2.3 Configuring a VPN Instance
Enabled with the IPv4 Address Family.

----End

2.4.2 Binding an Interface to a VPN Instance


By binding an interface to a VPN instance, you can change the interface to a VPN interface.
Then, packets entering this interface are forwarded according to the forwarding information of
the VPN instance.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the interface to be bound to a VPN instance is displayed.

Step 3 Run:
ip binding vpn-instance vpn-instance-name

The interface is bound to a VPN instance.

NOTE

After the ip binding vpn-instance command is run on an interface, the Layer 3 features such as the IP
address and routing protocol configured on the interface are deleted.

Step 4 Run:
ip address ip-address { mask | mask-length }

An IP address is configured for the interface.


Step 5 Run:
commit

The configuration is committed.

----End

2.4.3 (Optional) Configuring a Router ID for a BGP VPN Instance IPv4 Address Family
You can configure different router IDs for BGP VPN instance IPv4 address families on the same
device.

Context
By default, no router ID is configured for a BGP VPN instance IPv4 address family, and the
BGP router ID is used. This makes different BGP VPN instance IPv4 address families on the
same device have the same router ID. In some cases, different router IDs need to be configured
for different BGP VPN instance IPv4 address families. For example, BGP peer relationships
need to be established between different BGP VPN instance IPv4 address families on the same
PE.
There are two methods of configuring a router ID for a BGP VPN instance IPv4 address family.
You can choose either of the two methods as required.

CAUTION
If a BGP session has been established in a BGP-VPN instance IPv4 address family, changing
or deleting the configured router ID resets the BGP session.

Procedure
• Configuring router IDs for all BGP VPN instance IPv4 address families
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
router-id vpn-instance auto-select

Automatic router ID selection is configured for all BGP VPN instance IPv4 address
families.

NOTE

Rules for automatically selecting a router ID for a BGP VPN instance IPv4 address family are
as follows:
• If the loopback interfaces configured with IP addresses are bound to the VPN instance
enabled with the IPv4 address family, the largest IP address among the IP addresses of the
loopback interfaces is selected as the router ID.
• If no loopback interfaces configured with IP addresses are bound to the VPN instance
enabled with the IPv4 address family, the largest IP address among the IP addresses of
other interfaces bound to the VPN instance is selected as the router ID, regardless of whether
the interface is Up or Down.
• Configuring a router ID for a specified BGP VPN instance IPv4 address family
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv4 address family view is displayed.


4. Run:
router-id { ipv4-address | auto-select }

A router ID or automatic router ID selection is configured for the current BGP VPN
instance IPv4 address family.

----End

2.4.4 Configuring Route Exchange Between PEs


PEs exchange routes through MP-IBGP. By importing extended community attributes to BGP,
MP-IBGP can advertise VPNv4 routes between PEs.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bgp as-number

The BGP view is displayed.

Step 3 Run:
peer peer-address as-number as-number

The remote PE is configured as a BGP peer.

Step 4 Run:
peer peer-address connect-interface loopback interface-number

The interface used to establish a TCP connection is specified.

NOTE

PEs must use the loopback interface addresses with 32-bit masks to establish an MP-IBGP peer relationship
so that routes can be iterated to the tunnel.

Step 5 Run:
ipv4-family vpnv4

The BGP VPNv4 sub-address family view is displayed.

Step 6 Run:
peer peer-address enable

The capability of exchanging VPNv4 routing information with the peer is enabled.

Step 7 Run:
commit

The configuration is committed.

----End

2.4.5 Configuring Route Exchange Between a PE and a CE


Through route exchange, a PE can learn routes from attached CEs and advertise the routes to
the remote PE and the CEs can also learn the routes advertised by the remote PE.

Context
PEs and CEs can exchange routes through static routes (including default routes), RIP multi-
instance, OSPF multi-instance, IS-IS multi-instance, or BGP.

NOTE

The VPN that can receive the routes of another VPN that are not advertised by the PE and advertise the
routes to the PE is called a transit VPN.
The VPN that receives only the routes of the local VPN and advertised by the PE is called a stub VPN.
Commonly, static routes are used for route exchange between the CE and the PE in a stub VPN.

Choose one of the following configurations as required:

• Configuring IS-IS between a PE and a CE
• Configuring OSPF between a PE and a CE
• Configuring EBGP between a PE and a CE
• Configuring a static route between a PE and a CE (including the default route)
• Configuring RIP between a PE and a CE
• Configuring IBGP between a PE and a CE

NOTE

For detailed configurations about the IS-IS, OSPF, BGP, static route, and RIP, see the HUAWEI
NetEngine5000E Core Router Configuration Guide - IP Routing.

Procedure
• Configuring IS-IS between a PE and a CE
The following section covers only configurations on the PE. For the CE, you only need to
configure IS-IS and the detailed configuration procedures are not mentioned here.
1. Run:
system-view

The system view is displayed.


2. Run:
isis process-id vpn-instance vpn-instance-name

An IS-IS instance is created on the PE for communications between the PE and the
CE and the IS-IS view is displayed.
An IS-IS process can be bound to only one VPN instance. If you run an IS-IS process
without binding it to a VPN instance, the IS-IS process is considered as a public
network process. The IS-IS process on the public network cannot be bound to a VPN
instance.
3. Run:
network-entity net

The Network Entity Title (NET) is configured.


A NET specifies the current IS-IS area address and the system ID of the router. A
maximum of three NETs can be configured for one process on the router.
4. (Optional) Run:
is-level { level-1 | level-1-2 | level-2 }

The level of the router is set.


By default, the level of the router is level-1-2.
5. Run:
import-route bgp [ cost value ] [ cost-type { external | internal } ] [ level-1 | level-1-2 | level-2 ] [ route-policy policy-name ] [ tag tag-value ]

The BGP route is imported.


If no IS-IS level is specified before you run this command, the BGP route is imported
to the Level-2 routing table.
6. Run:
commit

The configuration is committed.


7. Run:
quit

Return to the system view.


8. Run:
interface interface-type interface-number

The view of the interface to be bound to the VPN instance is displayed.


9. Run:
isis enable [ process-id ]

IS-IS is enabled on the interface.


10. Run:
quit

Return to the system view.


11. Run:
bgp as-number

The BGP view is displayed.


12. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv4 address family view is displayed.


13. Run:
import-route isis process-id [ med med ] [ route-policy policy-name ]

The IS-IS route is imported into the routing table of the BGP VPN instance IPv4
address family.
14. Run:
commit

The configuration is committed.

NOTE

After the VPN instance is deleted or the IPv4 address family of the VPN instance is disabled, all
the IS-IS processes bound to the VPN instance are deleted.
• Configuring OSPF between a PE and a CE
The following section covers only configurations on the PE. For the CE, you only need to
configure OSPF and the detailed configuration procedures are not mentioned here.
1. Run:
system-view

The system view is displayed.


2. Run:
ospf process-id [ router-id router-id ] vpn-instance vpn-instance-name

An OSPF instance is created on the PE for communications between the PE and the
CE and the OSPF view is displayed.

An OSPF process can be bound to only one VPN instance. If you run an OSPF process
without binding it to a VPN instance, the OSPF process is considered as a public
network process. The OSPF process on the public network cannot be bound to a VPN
instance.

The OSPF process that is bound to the VPN instance does not use the public network
router ID configured in the system view. You must specify the router ID when starting
the OSPF process. If no router ID is specified, OSPF selects an IP address from the
IP addresses of the interfaces bound to this VPN instance based on router ID selection
rules and takes the selected IP address as the router ID.

3. (Optional) Run:
domain-id domain-id [ secondary ]

The domain ID is set.


The domain ID can be expressed by an integer or in dotted decimal notation. By
default, the domain ID is 0.
The domain ID is used to identify whether the routes imported into the VPN instances
belong to the same OSPF area. A domain ID can be advertised to remote PEs as a
BGP extension community attribute. When importing the BGP private routes, the
remote PEs convert the imported routes to Type5, Type7, or Type3 LSAs based on
the domain IDs. If the domain ID of a received route is the same as the local domain ID:

– Type1, Type2, and Type3 LSAs are generated as Type3 LSAs.


– For Type5 and Type7 LSAs, Type5 LSAs are generated if the local area is not a
Not So Stubby Area (NSSA); Type7 LSAs are generated if the local area is an
NSSA.
If the domain ID of a received route and the local domain ID are different, regardless
of the types of the LSAs, Type5 LSAs are generated if the local area is a non-NSSA;
Type7 LSAs are generated if the local area is an NSSA.
4. (Optional) Run:
route-tag tag-value

The VPN route tag is configured.


By default, OSPF allocates a VPN route tag automatically according to the algorithm.

– If the BGP process is not started on the local device, by default, the tag value is 0.
– If the BGP process is started on the local device, by default, the first two bytes of
the tag value are fixed to be 0xD000, and the last two bytes are the local AS number.
That is, the tag value equals 3489660928 plus the local AS number of BGP.
The route tag can be used in the scenario of CE dual-homing to avoid loops of Type5
LSAs. If the route tags of the VPN routes of Type5 or Type7 LSAs received by the
PE from the CE are the same as the route tag configured on the PE, the LSAs are
discarded rather than being used in the SPF calculation.
5. Run:
import-route bgp [ cost value ] [ type { 1 | 2 } ] [ tag value ] [ route-policy policy-name ]

The BGP route is imported.


6. Run:
area area-id

The OSPF area view is displayed.


7. Run:
network ip-address wildcard-mask

OSPF is run on the network segment where the interface bound to the VPN instance
resides.
A network segment belongs to only one area. That is, you need to specify an area for
each interface that runs OSPF.

OSPF can properly run on an interface only when the following conditions are met:

– The mask length of the IP address of the interface is equal to or longer than the
mask length specified in the network command.
– The primary IP address of the interface is within the network segment specified in
the network command.

For a loopback interface, by default, OSPF advertises its IP address in 32-bit host
route, which is irrelevant to the mask length of the IP address on the interface.
8. Run:
commit

The configuration is committed.


9. Run:
quit

Return to the OSPF view.


10. Run:
quit

Return to the system view.


11. Run:
bgp as-number

The BGP view is displayed.


12. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv4 address family view is displayed.


13. Run:
import-route ospf process-id [ med med ] [ route-policy policy-name ]

The OSPF route is imported into the routing table of the BGP VPN instance IPv4
address family.
14. Run:
commit

The configuration is committed.

NOTE
After the VPN instance is deleted or the IPv4 address family of the VPN instance is disabled, all
the OSPF processes bound to the VPN instance are deleted.

• Configuring EBGP between a PE and a CE

Do as follows on the PE:

1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.

3. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv4 address family view is displayed.


4. Run:
peer peer-address as-number number

The CE is configured as an EBGP peer in the VPN.


5. (Optional) Run:
peer { ipv4-address } ebgp-max-hop [ number ]

The maximum number of hops is configured for the EBGP connection.


By default, a direct physical link must be available between EBGP peers. If the
requirement is not met, you must run the peer ebgp-max-hop command to allow
EBGP peers to establish a TCP connection through multiple hops.
6. (Optional) Select either step to import the direct routes destined for the local CE to
the VPN routing table and advertise the routes to the remote PE.
– Run the import-route direct [ med med | route-policy policy-name ]* command
to import the direct routes destined for the local CE.
– Run the network ip-address mask command to advertise the direct routes destined
for the local CE.
7. (Optional) Run:
peer { group-name | ipv4-address | ipv6-address } soo site-of-origin

The Site of Origin (SoO) attribute is configured for the specified CE.
When multiple CEs in a VPN site access different PEs, VPN routes sent from CEs to
PEs may return to this VPN site after traveling through the backbone network. This
may cause routing loops in the VPN site.
After the SoO attribute is configured on a PE, the PE adds the SoO attribute to the
route sent from a CE and then advertises the route to other PE peers. Before advertising
the VPN route to the connected CE, the PE peers check the SoO attribute carried in
the VPN route. If the PE peers find that this SoO attribute is the same as the locally
configured SoO attribute, the PE peers do not advertise this VPN route to the connected
CE.
8. (Optional) Run:
peer ip-address allow-as-loop [ number ]

The route loop is allowed.


This step is required for the Hub and Spoke networking.
Generally, BGP detects route loops based on AS numbers. In the Hub and Spoke
networking where EBGP is run between the PE and the CE at the Hub site, the Hub-
PE advertises routing information carrying the local AS number to the Hub-CE.
Therefore, when the Hub-PE receives a route Update message from the Hub-CE, the
Hub-PE cannot accept the route Update message if the AS number carried in the route
Update message is identical with the AS number of the Hub-PE. To ensure normal
route advertisement in the Hub and Spoke networking, you need to configure the BGP
peers to allow the routes with the AS numbers in the AS-path repeated once to pass
when the Hub-CE advertises the VPN routes to the Spoke-CEs.
9. (Optional) Run:
peer ip-address substitute-as

BGP AS number substitution is enabled.

This step is required for the scenario where physically dispersed CEs need to use the
same AS number. The configuration is executed on the PE.

NOTE
In the case of CE multi-homing, the BGP AS number substitution function may lead to route
loops.
10. Run:
commit

The configuration is committed.

Do as follows on the CE:

1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
peer peer-address as-number as-number

The PE is configured as an EBGP peer.


4. (Optional) Run:
peer { ipv4-address | group-name } ebgp-max-hop [ number ]

The maximum number of hops is configured for the EBGP connection.

By default, a directly-connected physical link must be available between EBGP peers.


If the requirement is not met, you must run the peer ebgp-max-hop command to allow
EBGP peers to establish a TCP connection through multiple hops.
5. Run:
import-route { direct | static | rip [ process-id ] | ospf process-id |
isis process-id } [ med med | route-policy policy-name ]*

The routes of the local site are imported.

The CE must advertise its own VPN routes to the attached PE and the PE then
advertises the routes to the remote CE. In actual applications, the types of routes to
be imported may be different.
6. Run:
commit

The configuration is committed.


• Configuring a static route between a PE and a CE (including the default route)
Do as follows on the PE. No special configurations are required on the CE and therefore
the CE configurations are not mentioned here.
1. Run:
system-view

The system view is displayed.


2. Run:
ip route-static vpn-instance vpn-instance-name dest-ip-address { mask | mask-length } { interface-type interface-number | vpn-instance vpn-destination-name nexthop-address | nexthop-address [ public ] } [ preference preference ] [ tag tag ] [ description text ]

The static route is configured for the specified VPN instance IPv4 address family.
3. Run:
bgp as-number

The BGP view is displayed.


4. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv4 address family view is displayed.


5. Run:
import-route static [ med med ] [ route-policy policy-name ]

The static route is imported into the routing table of the BGP VPN instance IPv4
address family.
6. Run:
commit

The configuration is committed.


• Configuring RIP between a PE and a CE
Do as follows on the PE. You only need to configure RIPv1 or RIPv2 on the CE and the
detailed configuration procedures are not mentioned here.
1. Run:
system-view

The system view is displayed.


2. Run:
rip process-id vpn-instance vpn-instance-name

A RIP instance is created on the PE for communication between the PE and the CE and
the RIP view is displayed.
A RIP process can be bound to only one VPN instance. If you run a RIP process
without binding it to a VPN instance, the RIP process is considered as a public network
process. The RIP process on the public network cannot be bound to a VPN instance.
3. Run:
network network-address

RIP is run on the network segment where the interface bound to the VPN instance
resides.
4. Run:
import-route bgp [ cost value ] [ route-policy policy-name ]

The BGP route is imported.


After the import-route bgp command is run in the RIP view, the PE can import the
BGP routes of the VPN instance IPv4 address family into the RIP routing table and
further advertises them to the attached CE.

5. Run:
commit

The configuration is committed.


6. Run:
quit

Return to the system view.


7. Run:
bgp as-number

The BGP view is displayed.


8. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv4 address family view is displayed.


9. Run:
import-route rip process-id [ med med ] [ route-policy policy-name ]

The RIP route is imported into the routing table of the BGP VPN instance IPv4 address
family.
After the import-route rip command is run in the BGP-VPN instance IPv4 address
family view, the PE imports the VPN routes learnt from the attached CE into BGP,
forms them into VPN-IPv4 routes, and advertises them to the remote PE.
10. Run:
commit

The configuration is committed.

NOTE

After the VPN instance is deleted or the IPv4 address family of the VPN instance is disabled, all
the RIP processes bound to the VPN instance are deleted.
• Configuring IBGP between a PE and a CE
Do as follows on the PE:
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv4 address family view is displayed.


4. Run:
peer peer-address as-number number

The CE is configured as an IBGP peer in the VPN.


5. (Optional) Select either step to import the direct route destined for the local CE to the
VPN routing table and advertise the route to the remote PE.

– Run the import-route direct [ med med | route-policy policy-name ]* command
to import the direct route destined for the local CE.
– Run the network ip-address mask command to advertise the direct route destined
for the local CE.
NOTE

If Step 5 is not performed, the PE does not advertise the direct route to the remote PE through
MP-BGP.
6. Run:
commit

The configuration is committed.

Do as follows on the CE:

1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
peer peer-address as-number as-number

The PE is configured as an IBGP peer.


4. Run:
import-route { direct | static | rip [ process-id ] | ospf process-id |
isis process-id } [ med med | route-policy policy-name ]*

The routes of the local site are imported.

The CE must advertise its own VPN routes to the attached PE. In actual applications,
the types of routes to be imported may be different.
5. Run:
commit

The configuration is committed.

----End

2.4.6 Checking the Configuration


After configuring the basic BGP/MPLS IP VPN, you can view IPv4 VPN routes on the PE or
CE.

Prerequisite
All configurations about basic BGP/MPLS IP VPN are complete.

Procedure
• Run the display ip routing-table vpn-instance vpn-instance-name command to check
routing information about the specified VPN instance IPv4 address family on the PE.
• Run the ping command on the local CE to ping the remote CE.

----End

Example
Run the display ip routing-table vpn-instance vpn-instance-name command on the PE, and
you can find that the PE has VPN routes to its interconnected CEs.
<HUAWEI> display ip routing-table vpn-instance vpna
Route Flags: R - relied, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 3 Routes : 3
Destination/Mask  Proto   Pre  Cost  Flags  NextHop     Interface
10.1.1.0/24       Direct  0    0     D      10.1.1.2    GigabitEthernet1/0/0
10.1.1.2/32       Direct  0    0     D      127.0.0.1   InLoopBack0
10.3.1.0/24       BGP     255  0     RD     3.3.3.9     Pos3/0/0

Run the ping command on the CE, and you can view that the local CE can ping the remote CE
successfully.
<HUAWEI> ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms
--- 10.3.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms

2.5 Configuring Route Reflection to Optimize the VPN Backbone Layer

Using a Route Reflector (RR) can reduce the number of MP-IBGP connections between PEs.
This not only reduces the burden on PEs but also facilitates network maintenance and
management.

Applicable Environment
If too many PEs reside on the VPN backbone network and these PEs need to establish MP-IBGP
peer relationships to exchange VPN routes, you can configure route reflection to optimize the
VPN backbone network.

A BGP speaker does not advertise the routes learnt from an IBGP peer to other IBGP peers. To
enable a PE to advertise the routes of the VPN that the PE accesses to the BGP VPNv4 peers in
the same AS, the PE must establish IBGP peer relationships with all peers to directly exchange
VPN routing information. That is, MP-IBGP peers must be fully meshed. If there are n
PEs (including ASBRs) in an AS, n(n-1)/2 pairs of MP-IBGP peers need to be created. A large
number of IBGP peers consume a great number of network resources. After an RR is configured,
each PE needs to set up an MP-IBGP peer relationship with only the RR, that is, n pairs of
MP-IBGP peers are required.


Pre-configuration Tasks
Before configuring route reflection to optimize the VPN backbone layer, complete the following
tasks:

• Configuring the routing protocol for the MPLS backbone network to implement IP
interworking between routers on the backbone network
• Establishing tunnels (LSPs or MPLS TE tunnels) between all the PEs

Configuration Procedures

Figure 2-7 Flowchart for configuring route reflection to optimize the VPN backbone layer
[Flowchart steps: Configure a client PE to establish an MP-IBGP peer relationship with an RR;
Configure an RR to establish MP-IBGP peer relationships with all client PEs; Configure route
reflection for BGP VPNv4 routes. Legend: mandatory procedure, optional procedure.]

Related Tasks
2.18.5 Example for Configuring Double RRs for the Optimization of the VPN Backbone Layer
2.18.6 Example for Configuring an RR for the Optimization of the VPN Access Layer

2.5.1 Configuring a Client PE to Establish an MP-IBGP Peer Relationship with an RR

You can configure a PE to establish an MP-IBGP peer relationship with an RR to reflect VPNv4
routes.

Context
A PE or P can function as an RR on the backbone network.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bgp as-number


The BGP view is displayed.

Step 3 Run:
peer peer-ipv4-address as-number as-number

The RR is specified as a BGP peer.

Step 4 Run:
peer peer-ipv4-address connect-interface loopback interface-number

The interface used to establish a TCP connection is specified.

NOTE

A client PE must use the loopback interface address with a 32-bit mask to establish an MP-IBGP peer
relationship with the RR so that routes can be iterated to the tunnel.

Step 5 Run:
ipv4-family vpnv4

The BGP-VPNv4 address family view is displayed.

Step 6 Run:
peer peer-ipv4-address enable

The capability of exchanging VPNv4 routes between the PE and the RR is enabled.

Step 7 Run:
commit

The configuration is committed.

----End

2.5.2 Configuring an RR to Establish MP-IBGP Peer Relationships with All Client PEs

You can configure an RR to establish MP-IBGP peer relationships with all its clients (PEs) to
reflect VPNv4 routes.

Procedure
• Configuring the RR to establish an MP-IBGP peer relationship with each of its clients
Perform Steps 3 to 6 repeatedly on the RR to establish MP-IBGP peer relationships with
all client PEs.
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
peer peer-ipv4-address as-number as-number

The client PE is specified as a BGP peer.


4. Run:
peer peer-ipv4-address connect-interface interface-type interface-number

The interface used to establish a TCP connection is specified. The IP address of the
interface must be the same as the MPLS LSR ID. You are advised to specify a
loopback interface to establish the TCP connection.
5. Run:
ipv4-family vpnv4

The BGP-VPNv4 address family view is displayed.


6. Run:
peer peer-ipv4-address enable

The capability of exchanging VPNv4 routes between the RR and the client PE is
enabled.
7. Run:
commit

The configuration is committed.

----End

2.5.3 Configuring Route Reflection for BGP VPNv4 Routes


The premise of enabling BGP VPNv4 route reflection is that the RR has established MP-IBGP
peer relationships with all client PEs.

Context
For detailed configurations about an RR, please refer to the chapter BGP Configuration in the
Configuration Guide - IP Routing.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bgp as-number

The BGP view is displayed.

Step 3 Run:
ipv4-family vpnv4

The BGP VPNv4 sub-address family view is displayed.

Step 4 Run:
peer peer-ipv4-address reflect-client

The local device is configured as an RR and its peer is considered as the client of the RR.

Step 5 (Optional) Run:
undo reflect between-clients


Route reflection between clients is disabled if the clients are fully connected.

Step 6 Run:
undo policy vpn-target

Filtering VPNv4 routes based on VPN targets is disabled.

Step 7 (Optional) Run:
rr-filter extended-list-number

The reflection policy is configured for the RR.

Step 8 Run:
commit

The configuration is committed.

----End

2.5.4 Checking the Configuration


After configuring route reflection to optimize the VPN backbone layer, you can view BGP
VPNv4 peer information and VPNv4 routing information on the RR or its client PEs.

Prerequisite
All the configurations about route reflection are complete.

Procedure
• Run the display bgp vpnv4 all peer [ [ ipv4-address ] verbose ] command on the RR or
client PE to view information about the BGP VPNv4 peer.
• Run the display bgp vpnv4 all routing-table peer peer-ipv4-address { advertised-routes |
received-routes } [ statistics ] command on the RR or client PE to view
information about the routes received from the peer or the routes advertised to the peer.

----End

Example
• Run the display bgp vpnv4 all peer command on the RR or client PE, and you can find
that the status of the MP-IBGP peer relationships between the RR and all client PEs is
"Established."
<HUAWEI> display bgp vpnv4 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 3 Peers in established state : 3
Peer            V  AS     MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
2.2.2.9         4  100    2        4        0     00:00:31  Established  0
3.3.3.9         4  100    3        5        0     00:01:23  Established  0
Peer of vpn instance :
VPN-Instance vpna, router ID 1.1.1.9:
10.1.1.1        4  65410  79       82       0     01:13:29  Established  0

• Run the display bgp vpnv4 all routing-table peer { advertised-routes |
received-routes } command on the RR or client PE, and you can find that the RR and client PE can
exchange VPNv4 routing information.
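
The check on the display bgp vpnv4 all peer output can be automated when an RR has many clients. The following Python parser is an added example, not part of the Huawei guide or of any Huawei tool; it assumes the column layout shown in the sample output above, and the second sample, including peer 4.4.4.9, is constructed.

```python
import re

# One peer row: Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
PEER_ROW = re.compile(
    r"^\s*(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<ver>\d+)\s+(?P<asn>\d+)\s+"
    r"(?P<rcvd>\d+)\s+(?P<sent>\d+)\s+(?P<outq>\d+)\s+(?P<updown>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<prefrcv>\d+)\s*$"
)
# Rows after this header belong to a VPN instance (PE-CE peers), not to the backbone.
VPN_HEADER = re.compile(r"^\s*VPN-Instance\s+(?P<name>[^,\s]+),")

# Output as shown in this section.
PAGE_OUTPUT = """
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 3 Peers in established state : 3
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2.2.2.9 4 100 2 4 0 00:00:31 Established 0
3.3.3.9 4 100 3 5 0 00:01:23 Established 0
Peer of vpn instance :
VPN-Instance vpna, router ID 1.1.1.9:
10.1.1.1 4 65410 79 82 0 01:13:29 Established 0
"""

# Constructed variant: one client session has dropped back to Idle.
DEGRADED_OUTPUT = PAGE_OUTPUT.replace(
    "3.3.3.9 4 100 3 5 0 00:01:23 Established 0",
    "3.3.3.9 4 100 3 5 0 00:00:05 Idle 0",
)


def parse_peers(output):
    """Return one dict per peer row; vpn_instance is None for backbone VPNv4 peers."""
    peers, vpn = [], None
    for line in output.splitlines():
        header = VPN_HEADER.match(line)
        if header:
            vpn = header.group("name")
            continue
        row = PEER_ROW.match(line)
        if row:
            peers.append({
                "peer": row.group("peer"),
                "as": int(row.group("asn")),
                "state": row.group("state"),
                "vpn_instance": vpn,
            })
    return peers


def client_gaps(output, expected_clients):
    """Map each expected RR client that is absent or not Established to its state."""
    backbone = {p["peer"]: p["state"] for p in parse_peers(output)
                if p["vpn_instance"] is None}
    return {c: backbone.get(c, "missing") for c in sorted(expected_clients)
            if backbone.get(c) != "Established"}


if __name__ == "__main__":
    expected = {"2.2.2.9", "3.3.3.9", "4.4.4.9"}  # constructed client list
    for client, state in client_gaps(DEGRADED_OUTPUT, expected).items():
        print(f"client {client}: {state}")
```

A peer listed under a VPN instance is a PE-CE session, so it is reported as missing if it appears in the expected client list.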


2.6 Configuring Hub and Spoke


In the Hub and Spoke networking, an access control device is specified in the VPN, and users
communicate with each other through the access control device.

Applicable Environment
If it is required that an access control device be specified in the VPN and all the users access the
VPN through this access control device, you can deploy the Hub and Spoke networking so that
all the data exchanged between Spoke sites flows through the Hub site.
As shown in Figure 2-8, Site1 and Site2 in VPN1 communicate with each other through Site3.
In such a scenario, you can deploy a monitoring device at Site3 to monitor the communication
between Site1 and Site2.

Figure 2-8 Diagram of the Hub-Spoke networking
[Diagram labels: VPN1; Site1 and Site2, each with a Spoke-CE and a Spoke-PE; Site3 with the
Hub-CE and the Hub-PE.]

Pre-configuration Tasks
Before configuring Hub and Spoke, complete the following tasks:
• Configuring an IGP on the MPLS backbone network to implement IP interworking
• Configuring the basic MPLS capability and establishing an LDP LSP between PEs
• Configuring an IP address for the interface connecting the CE to the PE


Configuration Procedures

Figure 2-9 Flowchart for configuring Hub and Spoke
[Flowchart steps: Configure a VPN instance; Configure routing attributes for a VPN instance;
Bind an interface to a VPN instance; Configure route exchange between a Hub-PE and a Spoke-PE;
Configure route exchange between a PE and a CE. Legend: mandatory procedure, optional procedure.]

Related Tasks
2.18.7 Example for Configuring Hub and Spoke

2.6.1 Configuring a VPN Instance


You can configure a VPN instance for managing VPN routes.

Context
In the Hub and Spoke networking, the PE connected to a central site (Hub site) is called a
Hub-PE and the PE connected to a non-central site (Spoke site) is called a Spoke-PE.
You need to configure a VPN instance on each Spoke-PE and two VPN instances (VPN-in and
VPN-out) on each Hub-PE.
• VPN-in is used to receive and maintain the VPNv4 routes advertised by all the Spoke-PEs.
• VPN-out is used to maintain the routes of the Hub site and all the Spoke sites and advertise
the routes to all Spoke-PEs.

NOTE

Steps 1 to 7 are performed to configure one VPN instance. Configurations of different VPN instances are
similar. Note that the different VPN instances on the same device must have different names, RDs, and
descriptions.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip vpn-instance vpn-instance-name

A VPN instance is created and the VPN instance view is displayed.


The name of a VPN instance is case sensitive. For example, "vpn1" and "VPN1" are two different
VPN instances.
Step 3 (Optional) Run:
description description-information

The description of the VPN instance is configured.


The description is used to record the purpose of creating the VPN instance and the CEs with
which the VPN instance sets up connections.
Step 4 Run:
ipv4-family

The IPv4 address family is enabled for the VPN instance and the VPN instance IPv4 address
family view is displayed.
Step 5 Run:
route-distinguisher route-distinguisher

An RD is configured for the VPN instance IPv4 address family.


The VPN instance IPv4 address family takes effect only after an RD is configured. Before
configuring an RD, you can configure only the description about the VPN instance. No other
parameters can be configured.
Step 6 (Optional) Run:
apply-label per-instance

MPLS label allocation based on the VPN instance IPv4 address family is configured. Then, all the
routes of the VPN instance IPv4 address family use one label.
In general, each route is assigned one label (one label per route).
Step 7 (Optional) Run:
prefix limit number { alert-percent | simply-alert }

The maximum number of prefixes of the VPN instance IPv4 address family is set.
To prevent a PE from importing excessive prefixes, you can set the maximum number of prefixes
supported by the VPN instance IPv4 address family.
Step 8 Run:
commit

The configuration is committed.

----End

2.6.2 Configuring Routing Attributes for a VPN Instance


In the networking of Hub and Spoke, you can configure VPN targets on the Hub-PE and
Spoke-PEs to control the advertisement of VPN routes. The import VPN target configured on the
Hub-PE must contain the export VPN targets configured on all the Spoke-PEs. The export VPN target
configured on the Hub-PE must contain the import VPN targets configured on all the Spoke-PEs.

Context
Controlling the advertisement of VPN routes by configuring VPN targets is also a key part of
the Hub and Spoke solution.

Procedure
• Configuring the Hub-PE
1. Run:
system-view

The system view is displayed.


2. Run:
ip vpn-instance vpn-instance-name1

The VPN instance view of VPN-in is displayed.


3. Run:
ipv4-family

The VPN instance IPv4 address family view is displayed.


4. Run:
vpn-target vpn-target1 &<1-8> import-extcommunity

The VPN target extended community is configured for the VPN instance IPv4 address
family to receive the VPNv4 routes advertised by all the Spoke-PEs.

The vpn-target1 list here must contain the export VPN targets configured on all the
Spoke-PEs.
5. (Optional) Run:
import route-policy policy-name

A routing policy for importing VPN routes is configured.


6. (Optional) Run:
export route-policy policy-name

A routing policy for exporting VPN routes is configured.


7. Run:
commit

The configuration is committed.


8. Run:
quit

Return to the system view.


9. Run:
ip vpn-instance vpn-instance-name2

The VPN instance view of VPN-out is displayed.


10. Run:
ipv4-family


The VPN instance IPv4 address family view is displayed.


11. Run:
vpn-target vpn-target2 &<1-8> export-extcommunity

The VPN target extended community is configured for the VPN instance IPv4 address
family to advertise the routes of all the Hub sites and Spoke sites.
The vpn-target2 list here must contain the import VPN targets configured on all the
Spoke-PEs.
12. (Optional) Run:
import route-policy policy-name

A routing policy for importing VPN routes is configured.


13. (Optional) Run:
export route-policy policy-name

A routing policy for exporting VPN routes is configured.


14. (Optional) Run:
commit

The configuration is committed.


• Configuring the Spoke-PE
1. Run:
system-view

The system view is displayed.


2. Run:
ip vpn-instance vpn-instance-name1

The VPN instance view of VPN-in is displayed.


3. Run:
ipv4-family

The VPN instance IPv4 address family view is displayed.


4. Run:
vpn-target vpn-target2 &<1-8> import-extcommunity

The VPN target extended community is configured for the VPN instance IPv4 address
family to receive the VPNv4 routes advertised by the Hub-PE.
vpn-target2 must be in the export VPN target list configured on the Hub-PE.
5. Run:
vpn-target vpn-target1 &<1-8> export-extcommunity

The VPN target extended community is configured for the VPN instance IPv4 address
family to advertise the routes of the sites the Spoke-PEs access.
vpn-target1 must be in the import VPN target list configured on the Hub-PE.
6. (Optional) Run:
import route-policy policy-name

A routing policy for importing VPN routes is configured.


7. (Optional) Run:
export route-policy policy-name

A routing policy for exporting VPN routes is configured.


8. Run:
commit

The configuration is committed.

----End
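
The VPN-target containment rules in this section can be checked against a planned or collected configuration before it is committed. The following Python check is an added example, not part of the Huawei guide or of any Huawei tool; the device names, instance names, and VPN target values are constructed, and the spoke-to-spoke check is derived from the requirement that all data exchanged between Spoke sites flows through the Hub site.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnInstance:
    pe: str                 # device name (constructed)
    name: str               # vpn-instance-name (constructed)
    role: str               # "hub-in", "hub-out" or "spoke"
    import_rts: frozenset   # vpn-target ... import-extcommunity
    export_rts: frozenset   # vpn-target ... export-extcommunity

    @property
    def label(self):
        return f"{self.pe}/{self.name}"


def accepts(receiver, sender):
    """A VPNv4 route is imported when an export target matches an import target."""
    return bool(receiver.import_rts & sender.export_rts)


def audit_hub_spoke(instances):
    """Return findings as (code, instance, other instance, targets); [] means clean."""
    findings = []
    hub_in = [i for i in instances if i.role == "hub-in"]
    hub_out = [i for i in instances if i.role == "hub-out"]
    spokes = [i for i in instances if i.role == "spoke"]
    for spoke in spokes:
        # Rule from this section: the Hub-PE import list (VPN-in) must contain
        # the export VPN targets configured on all the Spoke-PEs.
        for hub in hub_in:
            missing = spoke.export_rts - hub.import_rts
            if missing:
                findings.append(("HUB_IMPORT_MISSING", hub.label, spoke.label,
                                 tuple(sorted(missing))))
        # Rule from this section: the Hub-PE export list (VPN-out) must contain
        # the import VPN targets configured on all the Spoke-PEs.
        for hub in hub_out:
            missing = spoke.import_rts - hub.export_rts
            if missing:
                findings.append(("HUB_EXPORT_MISSING", hub.label, spoke.label,
                                 tuple(sorted(missing))))
        # Derived check (assumption of this example): a Spoke-PE that imports a
        # target another Spoke-PE exports learns that site's routes directly,
        # so traffic between the two sites no longer passes through the Hub site.
        for other in spokes:
            if other is not spoke and accepts(spoke, other):
                shared = spoke.import_rts & other.export_rts
                findings.append(("SPOKE_TO_SPOKE", spoke.label, other.label,
                                 tuple(sorted(shared))))
    return findings


def rts(*values):
    return frozenset(values)


# Constructed design: Spoke-PEs export 100:1 and import 200:1.
GOOD = [
    VpnInstance("Hub-PE", "vpn_in", "hub-in", rts("100:1"), rts()),
    VpnInstance("Hub-PE", "vpn_out", "hub-out", rts(), rts("200:1")),
    VpnInstance("Spoke-PE1", "vpna", "spoke", rts("200:1"), rts("100:1")),
    VpnInstance("Spoke-PE2", "vpna", "spoke", rts("200:1"), rts("100:1")),
]

# Constructed misconfiguration on Spoke-PE2: it also imports 100:1 and exports 100:2.
BAD = GOOD[:3] + [
    VpnInstance("Spoke-PE2", "vpna", "spoke",
                rts("200:1", "100:1"), rts("100:1", "100:2")),
]

if __name__ == "__main__":
    for finding in audit_hub_spoke(BAD):
        print(finding)
```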

2.6.3 Binding an Interface to a VPN Instance


By binding an interface to a VPN instance, you can change the interface to a VPN interface.
Then, packets entering this interface are forwarded according to the forwarding information of
the VPN instance.

Context
The configuration on the Hub-PE involves two interfaces or sub-interfaces:

• One is bound to VPN-in for receiving the routes advertised by Spoke-PEs.
• One is bound to VPN-out for advertising the routes of all the Hub sites and Spoke sites.

Do as follows on the Hub-PE and all the Spoke-PEs:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The view of the interface to be bound to the VPN instance is displayed.

Step 3 Run:
ip binding vpn-instance vpn-instance-name

The interface is bound to a VPN instance.

NOTE

After the ip binding vpn-instance command is run on an interface, the Layer 3 features such as the IP
address and routing protocol configured on the interface are deleted.

Step 4 Run:
ip address ip-address { mask | mask-length }

An IP address is configured for the interface.

Step 5 Run:
commit

The configuration is committed.

----End


2.6.4 Configuring Route Exchange Between a Hub-PE and a Spoke-PE

By importing extended community attributes to BGP, MP-IBGP can advertise VPNv4 routes
between PEs.

Context
MP-IBGP peer relationships need to be established between the Hub-PE and each Spoke-PE.
Spoke-PEs need not exchange routes directly and therefore they need not establish MP-IBGP
peer relationships.

Do as follows on the Hub-PE and all the Spoke-PEs:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bgp as-number

The BGP view is displayed.

Step 3 Run:
peer peer-address as-number as-number

The remote PE is configured as a BGP peer.

Step 4 Run:
peer peer-address connect-interface loopback interface-number

The interface used to establish a TCP connection is specified.

NOTE
PEs must use the loopback interface addresses with 32-bit masks to establish an MP-IBGP peer relationship
so that routes can be iterated to the tunnel. The route to the loopback interface is advertised to the peer PE
through IGP on the MPLS backbone network.

Step 5 Run:
ipv4-family vpnv4 [ unicast ]

The BGP VPNv4 sub-address family view is displayed.

Step 6 Run:
peer peer-address enable

The capability of exchanging BGP VPNv4 routing information with the peer is enabled.

Step 7 Run:
commit

The configuration is committed.

----End


2.6.5 Configuring Route Exchange Between a PE and a CE


The routing protocol run between a PE and a CE can be BGP or IGP. A static route (including
the default route) can also run between them. You can choose any of them as required.

Context
The routing protocol run between a Spoke-PE and a Spoke-CE is related to the routing protocol
run between a Hub-PE and a Hub-CE. EBGP, IGP, and the static route (including the default
route) can run between a Hub-PE and a Hub-CE. You can choose any of them as required.

Procedure
• Configuring EBGP between a Hub-PE and a Hub-CE
For detailed configuration procedures, see 2.4.5 Configuring Route Exchange Between
a PE and a CE.
In this mode, EBGP, IGP, or static route (including the default route) can be run between
a Spoke-PE and a Spoke-CE.
If EBGP is run both between the Spoke-PE and the Spoke-CE and between the Hub-PE
and the Hub-CE, you need to run the peer ip-address allow-as-loop [ number ] command
in the BGP-VPN instance IPv4 address family view of the Hub-PE to allow route loops. If
number is set to 1, a route whose AS-path list contains the AS number repeated once is
allowed.
• Configuring IGP between a Hub-PE and a Hub-CE
For detailed configuration procedures, see 2.4.5 Configuring Route Exchange Between
a PE and a CE.
In this mode, only IGP or static route (including the default route) can be run between a
Spoke-PE and a Spoke-CE. For details, see the chapter "BGP/MPLS IP VPN" in the Feature
Description - VPN.
• Configuring a static route (including the default route) between a Hub-PE and a Hub-CE
For detailed configuration procedures, see 2.4.5 Configuring Route Exchange Between
a PE and a CE.
In this mode, EBGP, IGP, or static route (including the default route) can be run between
a Spoke-PE and a Spoke-CE.
If a Hub-CE adopts the default route to access the Hub-PE, to enable the Hub-PE to advertise
the default route to all the Spoke-PEs, you need to run the following commands on the
Hub-PE:
– Run the ip route-static vpn-instance vpn-instance-name 0.0.0.0 0.0.0.0 nexthop-
address [ tag tag ] [ description text ] command in the system view.
In this example, vpn-instance-name specifies VPN-out and nexthop-address specifies
the IP address of the Hub-CE interface that is connected with the PE interface bound to
VPN-out.
– Run the network 0.0.0.0 0 command in the BGP-VPN instance IPv4 address family
view to advertise the default route to all the Spoke-PEs through MP-BGP.
vpn-instance-name here is also VPN-out.
----End


2.6.6 Checking the Configuration


After Hub and Spoke is configured, you can view VPN routing information on the PE or CE.

Prerequisite
All configurations of Hub and Spoke are complete.

Procedure
• Run the display ip routing-table vpn-instance vpn-instance-name command to check
routing information about VPN-in and VPN-out on the Hub-PE.
• Run the display ip routing-table command on the Hub-CE and all the Spoke-CEs to check
routing information.
----End

Example
After the configuration, run the display ip routing-table vpn-instance vpn-instance-name
command, and you can find that the routing table of VPN-in has routes to all the Spoke sites and
the routing table of VPN-out has routes to the Hub site and all the Spoke sites.
Additionally, the Hub-CE and all the Spoke-CEs have routes to the Hub site and all the Spoke
sites.

2.7 Configuring a Tunnel Policy for the Backbone Network of a BGP/MPLS IP VPN

A tunnel policy applied to a VPN can specify the type of tunnel selected for the VPN and enable
load balancing among tunnels.

Applicable Environment
By default, the system selects a tunnel in the order of LSPs, CR-LSPs, and Local_IfNet for VPN
services, and does not perform load balancing. To configure load balancing or select tunnels of
other types, configure a tunnel policy and apply it to the VPN.
At present, the NE5000E supports the following modes of tunnel policies:
• Select-sequence: A sequence of tunnel types to be selected or the number of tunnels
participating in load balancing can be specified.
• Tunnel binding: A TE tunnel is bound to a specified destination IP address. This allows the
VPN traffic destined for that destination address to be transmitted over the TE tunnel.
For details on tunnel policy configurations, see VPN Tunnel Management Configuration.

Pre-configuration Tasks
Before configuring a tunnel policy for the backbone network of a BGP/MPLS IP VPN, complete
the following tasks:
• Configuring a basic BGP/MPLS IP VPN
• Setting up a tunnel of the type specified in the tunnel policy

Configuration Procedures

Figure 2-10 Flowchart for configuring a tunnel policy for the backbone network of a BGP/MPLS IP VPN
[Flowchart steps: Configure a tunnel policy; Apply a tunnel policy to a VPN. Legend: mandatory
procedure, optional procedure.]

Related Tasks
2.18.9 Example for Configuring Load Balancing Among Tunnels to Which Remote Cross
Routes Are Iterated on a VPN

2.7.1 Configuring a Tunnel Policy


A tunnel policy can determine the sequence in which tunnels are selected or bind a TE tunnel
to a specified destination IP address.

Context
In the tunnel policy view, the select-sequence mode and tunnel binding mode are mutually
exclusive. Choose one of the following configurations as needed:

Procedure
• Configure a tunnel policy in select-sequence mode.
1. Run:
system-view

The system view is displayed.


2. Run:
tunnel-policy policy-name

A tunnel policy is created, and the tunnel policy view is displayed.


3. Run:
tunnel select-seq { lsp | cr-lsp }* load-balance-number load-balance-number

The priority sequence of tunnel types and number of tunnels participating in load
balancing are configured.

A tunnel policy in select-sequence mode defines that tunnels to the same destination
are selected in sequence. If a tunnel listed earlier is Up, it is selected regardless of
whether other services have selected it. The tunnels listed later are not selected except
in case of even load balancing or when the preceding tunnels are Down.
4. Run:
commit

The configuration is committed.


• Configure a tunnel policy in tunnel binding mode.
1. Run:
system-view

The system view is displayed.


2. Run:
tunnel-policy policy-name

A tunnel policy is created, and the tunnel policy view is displayed.


3. Run:
tunnel binding destination dest-ip-address te { tunnel interface-number }
&<1-6> [ down-switch ]

A tunnel policy is configured to bind a TE tunnel to the specified destination address.


4. Run:
commit

The configuration is committed.


----End
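
The select-sequence behaviour described in this section can be modelled to see which tunnels a VPN would use and where it has fallen back from the preferred tunnel type. The following Python model is an added example, not Huawei code; it is one reading of the paragraph on select-sequence mode, it leaves out Local_IfNet and the tunnel binding mode, and the tunnel names, destinations, and states are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    name: str   # constructed label
    kind: str   # "lsp" or "cr-lsp"
    dest: str   # tunnel destination (remote PE address)
    up: bool    # True when the tunnel is Up


# Default order stated in section 2.7 (Local_IfNet omitted), no load balancing.
DEFAULT_SEQ = ("lsp", "cr-lsp")


def select_tunnels(tunnels, dest, select_seq=DEFAULT_SEQ, load_balance_number=1):
    """Walk the tunnel types in order and take Up tunnels until the number is reached.

    Types listed later are used only to fill the remaining load-balancing
    slots or when all tunnels of the preceding types are Down.
    """
    if load_balance_number < 1:
        raise ValueError("load-balance-number must be at least 1")
    chosen = []
    for kind in select_seq:
        for tunnel in tunnels:
            if tunnel.dest == dest and tunnel.kind == kind and tunnel.up:
                chosen.append(tunnel)
                if len(chosen) == load_balance_number:
                    return chosen
    return chosen


def off_preference(tunnels, dests, select_seq, load_balance_number):
    """Map destinations not served purely by the first tunnel type to the types in use."""
    report = {}
    for dest in dests:
        chosen = select_tunnels(tunnels, dest, select_seq, load_balance_number)
        kinds = sorted({t.kind for t in chosen})
        if kinds != [select_seq[0]]:
            report[dest] = kinds   # an empty list means no usable tunnel
    return report


# Constructed tunnel table on one PE.
TUNNELS = [
    Tunnel("lsp-a", "lsp", "3.3.3.9", True),
    Tunnel("te-1", "cr-lsp", "3.3.3.9", True),
    Tunnel("te-2", "cr-lsp", "3.3.3.9", False),
    Tunnel("lsp-b", "lsp", "2.2.2.9", True),
]

if __name__ == "__main__":
    picked = select_tunnels(TUNNELS, "3.3.3.9", ("cr-lsp", "lsp"), 2)
    print([t.name for t in picked])
    print(off_preference(TUNNELS, ["3.3.3.9", "2.2.2.9", "1.1.1.9"], ("cr-lsp", "lsp"), 1))
```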

2.7.2 Applying a Tunnel Policy to a VPN


This section describes how to apply a tunnel policy to a VPN to change the tunnel type or the
sequence in which tunnels are selected for VPN services.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.


Step 3 Run:
ipv4-family

The VPN instance IPv4 address family view is displayed.


Step 4 Run:
tnl-policy policy-name

A tunnel policy is applied to the VPN instance IPv4 address family.


Step 5 Run:
commit


The configuration is committed.

----End

2.7.3 Checking the Configuration


This section describes how to check the name of a tunnel policy applied to a VPN and the
configurations of the tunnel policy.

Prerequisite
The configurations of a tunnel policy for the backbone network of a BGP/MPLS IP VPN are
complete.

Procedure
• Run the display tunnel-policy policy-name command to check the configurations of a
specified tunnel policy.
• Run the display ip vpn-instance verbose [ vpn-instance-name ] command to check the
tunnel policy used by a VPN instance.

----End

Example
Run the display tunnel-policy command. If the configuration of a tunnel policy is displayed, it
means that the configuration succeeds. For example:
<HUAWEI> display tunnel-policy policy1
Tunnel Policy Name       Select-Seq      Load balance No
------------------------------------------------------
policy1                  CR-LSP LSP      2

Run the display ip vpn-instance verbose command, and you can view the tunnel policy used
by a VPN instance. In the following command output, the tunnel policy used by the IPv4 address
family of a VPN instance named vpna is policy1.
<HUAWEI> display ip vpn-instance verbose
Total VPN-Instances configured : 1
VPN-Instance Name and ID : vpn1, 1
Interfaces : GigabitEthernet1/0/0
Address family ipv4
Create date : 2006/09/27 15:25:29
Up time : 0 days, 00 hours, 02 minutes and 11 seconds
Route Distinguisher : 100:1
Export VPN Targets : 2:2
Import VPN Targets : 1:1
Label policy : label per route
Tunnel Policy : policy1

2.8 Configuring Inter-AS VPN Option A


If the number of VPNs that a PE accesses and the number of VPN routes are small, inter-AS
VPN Option A can be adopted.


Applicable Environment
Inter-AS VPN Option A is a typical application of BGP/MPLS IP VPN in an inter-AS scenario.
You need not perform special configurations. In inter-AS VPN Option A, either of the ASBRs
takes the peer ASBR as its CE and advertises IPv4 routes to the peer ASBR through EBGP.

As shown in Figure 2-11, for ASBR 1 in AS 100, ASBR 2 in AS 200 is a CE. Similarly, for
ASBR 2, ASBR 1 is a CE.

Figure 2-11 Networking diagram of Inter-AS VPN Option A
[Diagram labels: BGP/MPLS backbone AS 100 and BGP/MPLS backbone AS 200; PE1, PE2, PE3, PE4;
ASBR1 and ASBR2, each shown as a CE of the other; CE1 and CE3 in VPN1; CE2 and CE4 in VPN2;
MP-IBGP within each AS; EBGP between the ASBRs; VPN LSP1, LSP1, IP forwarding.]

Inter-AS VPN Option A is applicable in the scenario where the number of VPNs that a PE
accesses and the number of VPN routes are small. In Inter-AS VPN Option A, ASBRs must
support VPN instances and must be capable of managing VPN routes. In addition, ASBRs must
reserve dedicated interfaces, for example, sub-interfaces, physical interfaces, and bound logical
interfaces, for each inter-AS VPN network. Inter-AS VPN Option A requires high performance
of ASBRs and you need not perform any special configurations on the ASBRs.

Pre-configuration Tasks
Before configuring inter-AS VPN Option A, complete the following tasks:

• Configuring an IGP for the MPLS backbone network of each AS to ensure IP connectivity
  of the backbone network within an AS
• Configuring the basic MPLS functions and MPLS LDP on the PE and ASBR
• Establishing a tunnel (LSP or MPLS TE tunnel) between the PE and ASBR in the same
  AS
• Configuring an IP address for the interface connecting the CE to the PE

Procedure
Step 1 Take the ASBR as a PE and perform 2.4 Configuring Basic BGP/MPLS IP VPN for each AS.

NOTE

In inter-AS VPN Option A mode, ensure that the VPN targets of the VPN instances on the ASBR match
those of the VPN instances on the PE in the same AS. The VPN targets of the VPN instances on the PEs
in different ASs do not need to match each other.

Step 2 On the ASBR, bind the interface connected with the remote ASBR to a VPN instance. For
detailed configuration procedures, see 2.4.2 Binding an Interface to a VPN Instance.
Step 3 Configure the routing protocol run between ASBRs. For detailed configuration procedures, see
2.4.5 Configuring Route Exchange Between a PE and a CE.

----End

Checking the Configuration


After inter-AS VPN Option A is configured, run the following commands to check previous
configurations.
• Run the display bgp vpnv4 all peer command on the PE or ASBR, and you can view that
  the status of the BGP VPNv4 peer relationship between the PE and ASBR in the same AS
  is "Established".
• Run the display bgp vpnv4 all routing-table command on the PE or ASBR, and you can
  view the VPNv4 routes.
• Run the display ip routing-table vpn-instance command on the PE or ASBR, and you
  can view that the VPN routing table of the PE or ASBR has related VPN routes.
Run the display bgp vpnv4 all routing-table command on the ASBR, and you can view the
VPNv4 routes on the ASBR.
<HUAWEI> display bgp vpnv4 all routing-table
BGP Local router ID is 2.2.2.9
Status codes: * - valid, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 2
Route Distinguisher: 100:1
     Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
*>i  10.1.1.0/24        1.1.1.9        0          100       0       ?
*>i  10.1.1.1/32        1.1.1.9        0          100       0       ?
VPN-Instance vpn1, router ID 2.2.2.9:

Total Number of Routes: 9

     Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
*>i  10.1.1.0/24        1.1.1.9        0          100       0       ?
*>i  10.1.1.1/32        1.1.1.9        0          100       0       ?
*>   10.2.1.0/24        192.1.1.2                           0       200?
*>   10.2.1.1/32        192.1.1.2                           0       200?
*>   192.1.1.0          0.0.0.0        0                    0       ?
*                       192.1.1.2      0                    0       200?
*>   192.1.1.1/32       0.0.0.0        0                    0       ?
*                       192.1.1.2      0                    0       200?
*>   192.1.1.2/32       0.0.0.0        0                    0       ?

Related Tasks
2.18.10 Example for Configuring Inter-AS VPN Option A

2.9 Configuring Inter-AS VPN Option B (Basic Networking)


In the scenario where the backbone network spans two ASs, ASBRs need to advertise VPNv4
routes through MP-EBGP.

Applicable Environment
If an ASBR can manage VPN routes but there are not enough interfaces for all inter-AS VPNs,
inter-AS VPN Option B can be used. Inter-AS VPN Option B requires ASBRs to help to maintain
and advertise VPNv4 routes and you need not create VPN instances on the ASBRs. In the basic
networking of inter-AS VPN Option B, an ASBR cannot play other roles, such as the PE or RR,
and an RR is not required in each AS.

On the network shown in Figure 2-12, the interfaces connected between ASBRs do not need to
be bound to the VPN. A single-hop MP-EBGP peer relationship is set up between the ASBRs
to transmit all inter-AS VPN routing information.

Figure 2-12 Schematic diagram for Inter-AS VPN Option B (basic networking)

[Figure: two IP/MPLS backbones, AS 100 and AS 200. Devices: PE1, PE2, PE3, PE4, ASBR1, ASBR2; CE1 and CE3 in VPN1, CE2 and CE4 in VPN2. Sessions: MP-IBGP inside each AS, MP-EBGP between ASBR1 and ASBR2.]

Pre-configuration Tasks
Before configuring inter-AS VPN Option B, complete the following tasks:

• Configuring an IGP for the MPLS backbone network of each AS to ensure IP connectivity
  of the backbone network within an AS
• Configuring the basic MPLS functions for the MPLS backbone network of each AS and
  establishing an LDP LSP or TE tunnel between MP-IBGP peers
• 2.3 Configuring a VPN Instance Enabled with the IPv4 Address Family on the PE
  connected to the CE and 2.4.2 Binding an Interface to a VPN Instance
• Configuring an IP address for the interface connecting the CE to the PE

Configuration Procedures

Figure 2-13 Flowchart for configuring inter-AS VPN Option B (basic networking)

1. Configuring MP-IBGP Between a PE and an ASBR in the Same AS
2. Configuring MP-EBGP Between ASBRs in Different ASs
3. Controlling the Learning and Advertising of VPN Routes on ASBR
4. Configuring Route Exchange Between a CE and a PE

Legend: Mandatory procedure / Optional procedure

Related Tasks
2.18.11 Example for Configuring Inter-AS VPN Option B with Basic Networking

2.9.1 Configuring MP-IBGP Between a PE and an ASBR in the Same AS

By importing extended community attributes to BGP, MP-IBGP can advertise VPNv4 routes
between the PE and the ASBR.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bgp as-number

The BGP view is displayed.

Step 3 Run:
peer peer-address as-number as-number

The IBGP peer relationship is set up between the PE and ASBR in the same AS.

Step 4 Run:
peer peer-address connect-interface loopback interface-number

The loopback interface is specified as the outbound interface of the BGP session.

Step 5 Run:
ipv4-family vpnv4 [ unicast ]

The BGP VPNv4 sub-address family view is displayed.


Step 6 Run:
peer peer-address enable

The capability of VPNv4 route exchange between the PE and the ASBR is enabled.
Step 7 Run:
commit

The configuration is committed.

----End

2.9.2 Configuring MP-EBGP Between ASBRs in Different ASs


After the MP-EBGP peer relationship is established between ASBRs, an ASBR can advertise
the VPNv4 routes of its AS to the other ASBR.

Context
In inter-AS VPN Option B (basic networking), you need not create VPN instances on ASBRs.
The ASBR does not filter the VPNv4 routes received from the PE in the same AS based on VPN
targets. Instead, it advertises the received routes to the peer ASBR through MP-EBGP.

Procedure
Step 1 Run:
system-view

The system view of the ASBR is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the interface that connects to the peer ASBR is displayed.
Step 3 Run:
ip address ip-address { mask | mask-length }

An IP address is configured for the interface.


Step 4 Run:
mpls

The MPLS capability is enabled.


Step 5 Run:
commit

The configuration is committed.


Step 6 Run:
quit

Return to the system view.

Step 7 Run:
bgp as-number

The BGP view is displayed.


Step 8 Run:
peer peer-address as-number as-number

The peer ASBR is specified as an EBGP peer.


Step 9 Run:
ipv4-family vpnv4 [ unicast ]

The BGP VPNv4 sub-address family view is displayed.


Step 10 Run:
peer peer-address enable

The capability of exchanging VPNv4 routes with the peer ASBR is enabled.
Step 11 Run:
commit

The configuration is committed.

----End

2.9.3 Controlling the Learning and Advertising of VPN Routes on ASBR

An ASBR can either save partial VPNv4 routes by filtering VPN targets through a routing policy
or save all VPNv4 routes.

Context
By default, an ASBR filters the VPN targets of only the received VPNv4 routes. The routes are
imported into the routing table if they pass the filtration; otherwise, they are discarded. Therefore,
if no VPN instance is configured on the ASBR or no VPN target is configured for the VPN
instance, the ASBR discards all the received VPNv4 routes.
You can configure an ASBR to control the importing and exporting of VPN routes in either of
the following ways:
• Do not filter VPN targets: the ASBR stores all the VPNv4 routes.
• Filter VPN targets: the ASBR stores only part of the VPNv4 routes, selected through routing policies.
Configure either of these methods on each ASBR based on the actual situation:

Procedure
• Not filtering VPN targets
1. Run:
system-view

The system view of the ASBR is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
ipv4-family vpnv4 [ unicast ]

The BGP VPNv4 sub-address family view is displayed.


4. Run:
undo policy vpn-target

Filtering VPN targets of VPNv4 routes is disabled.

In inter-AS VPN Option B mode, the ASBR does not need to store VPN instance
information but must store all the VPNv4 routing information and advertise it
to the peer ASBR. In this case, the ASBR needs to import all the received VPNv4
routing information without filtering it based on VPN targets.
5. Run:
commit

The configuration is committed.


• Filtering VPN targets
1. Run:
system-view

The system view of the ASBR is displayed.


2. Run:
ip extcommunity-filter extcom-filter-number { deny | permit } rt vpn-target &<1-16>

The extended community filter is configured.


3. Run:
route-policy route-policy-name permit node node

A routing policy is configured.


4. Run:
if-match extcommunity-filter extcomm-filter-number &<1-16>

A matching rule based on the extended community filter is configured.


5. Run:
commit

The configuration is committed.


6. Run:
quit

Return to the system view.


7. Run:
bgp as-number

The BGP view is displayed.


8. Run:
ipv4-family vpnv4 [ unicast ]

The BGP VPNv4 sub-address family view is displayed.

9. Run:
peer peer-address route-policy policy-name { export | import }

The routing policy is applied to controlling the importing and exporting of VPNv4
routes.
10. Run:
commit

The configuration is committed.


----End
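
The following Python sketch is an added example, not part of the Huawei guide or of the NE5000E software. It models the default behavior and the two methods in 2.9.3 so that you can see which received VPNv4 routes an ASBR stores under each, and which routes cross the AS boundary only because filtering is off. The sample routes, the Mode and RtRule names, first-match evaluation of filter rules, and the denial of routes that match no permit rule are assumptions of this model.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    DEFAULT = "policy vpn-target"         # default: compare RTs with local VPN instances
    STORE_ALL = "undo policy vpn-target"  # method 1: VPN-target filtering disabled
    RT_POLICY = "route-policy import"     # method 2: extcommunity-filter via route-policy


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str            # route distinguisher
    prefix: str
    rts: frozenset     # VPN targets (extended communities) carried by the route


@dataclass(frozen=True)
class RtRule:
    action: str        # "permit" or "deny", as in ip extcommunity-filter
    rt: str            # one VPN target per rule (model simplification)


def rule_verdict(rules, route):
    """First rule whose RT is carried by the route decides (assumed semantics).

    A route that matches no rule is rejected, so the permit rules act as an
    allow-list.
    """
    for rule in rules:
        if rule.rt in route.rts:
            return rule.action == "permit"
    return False


def asbr_stores(route, mode, local_import_rts=frozenset(), rules=()):
    """Return True if the ASBR keeps the received VPNv4 route."""
    if mode is Mode.STORE_ALL:
        return True
    if mode is Mode.RT_POLICY:
        return rule_verdict(rules, route)
    # Default: the route must carry an import VPN target of a local VPN
    # instance. With no VPN instance configured, the set is empty and every
    # received route is discarded.
    return bool(route.rts & frozenset(local_import_rts))


def stored_prefixes(routes, mode, **kwargs):
    return [r.prefix for r in routes if asbr_stores(r, mode, **kwargs)]


def unfiltered_exposure(routes, rules):
    """Routes that are stored under STORE_ALL but would fail the allow-list."""
    return [r for r in routes if not rule_verdict(rules, r)]


# Constructed sample: VPNv4 routes received from the peer ASBR.
RECEIVED = [
    Vpnv4Route("200:1", "10.2.1.0/24", frozenset({"1:1"})),
    Vpnv4Route("200:2", "10.9.0.0/16", frozenset({"9:9"})),
    Vpnv4Route("200:3", "10.3.1.0/24", frozenset({"1:1", "3:3"})),
]
ALLOW_VPN1 = (RtRule("permit", "1:1"),)
DENY_FIRST = (RtRule("deny", "3:3"), RtRule("permit", "1:1"))


if __name__ == "__main__":
    print("default, no VPN instance :", stored_prefixes(RECEIVED, Mode.DEFAULT))
    print("undo policy vpn-target   :", stored_prefixes(RECEIVED, Mode.STORE_ALL))
    print("permit rt 1:1            :",
          stored_prefixes(RECEIVED, Mode.RT_POLICY, rules=ALLOW_VPN1))
    print("deny 3:3, permit 1:1     :",
          stored_prefixes(RECEIVED, Mode.RT_POLICY, rules=DENY_FIRST))
    for r in unfiltered_exposure(RECEIVED, ALLOW_VPN1):
        print("stored only without filtering:", r.rd, r.prefix, sorted(r.rts))
```
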

2.9.4 Configuring Route Exchange Between a CE and a PE


BGP, the static route (including the default route), or IGP can run between a CE and a PE. You
can choose any of them as required.

Procedure
Step 1 You can configure a routing protocol between a CE and a PE based on the actual situation. For
detailed configuration procedures, see 2.4.5 Configuring Route Exchange Between a PE and
a CE.

----End

2.9.5 Checking the Configuration


After configuring inter-AS VPN Option B (basic networking), you can view the status of all
BGP peer relationships and VPNv4 routing information on PEs or ASBRs.

Prerequisite
All the configurations about inter-AS VPN Option B are complete.

Procedure
• Run the display bgp vpnv4 all peer command on the PE or ASBR to check the status of
  all BGP peer relationships.
• Run the display bgp vpnv4 all routing-table command on the PE or ASBR to check
  information about VPNv4 routes.
• Run the display ip routing-table vpn-instance vpn-instance-name command on the PE
  to check information about the VPN routing table.
----End

Example
Run the display bgp vpnv4 all peer command on the PE or ASBR, and you can view that the
status of the BGP VPNv4 peer relationship between the PE and ASBR in the same AS is
"Established". In addition, the status of the EBGP peer relationship between the directly
connected ASBRs in different ASs is also "Established".
Run the display bgp vpnv4 all routing-table command on the ASBR, and you can view the
VPNv4 routes on the ASBR.
<HUAWEI> display bgp vpnv4 all routing-table
BGP Local router ID is 2.2.2.9
Status codes: * - valid, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 3
Route Distinguisher: 100:1
     Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
*>i  10.1.1.0/24        1.1.1.9        0          100       0       ?
*>i  10.1.1.1/32        1.1.1.9        0          100       0       ?
Route Distinguisher: 200:1
     Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
*>   10.2.1.0/24        192.1.1.2                           0       200?

Run the display ip routing-table vpn-instance command on the PE, and you can view that the
VPN routing table contains related VPN routes.
<HUAWEI> display ip routing-table vpn-instance vpna
Route Flags: R - relied, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: vpna
         Destinations : 3        Routes : 3
Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface
10.1.1.0/24         Direct  0    0     D      10.1.1.2        GigabitEthernet1/0/0
10.1.1.2/32         Direct  0    0     D      127.0.0.1       InLoopBack0
10.3.1.0/24         BGP     255  0     RD     3.3.3.9         Pos3/0/0
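
The following Python script is an added example, not part of the Huawei guide. It parses saved display bgp vpnv4 all routing-table output from an ASBR and reports routes whose Route Distinguisher is not on an expected list, or whose next hop is not the peer ASBR. The sample text is constructed from the output above plus one extra route (RD 200:9); the RD allow-lists, the peer address, and whitespace-based column splitting are assumptions. The table shows RDs rather than VPN targets, so the allow-list is keyed on RD.

```python
import ipaddress
import re

# Status flags listed in the command output legend: * > d h i s S
ROUTE_LINE = re.compile(r"^\s*(?P<status>[*>dhisS]+)\s+(?P<rest>\S.*)$")


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def _is_network(token):
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def parse_vpnv4_table(text):
    """Return one dict per route listed under a 'Route Distinguisher:' heading."""
    routes, rd, last_network = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Route Distinguisher:"):
            rd, last_network = stripped.split(":", 1)[1].strip(), None
            continue
        if stripped.startswith("VPN-Instance"):
            rd = None  # per-instance tables are outside the VPNv4 RD sections
            continue
        match = ROUTE_LINE.match(line)
        if rd is None or not match:
            continue  # legend, headers and blank lines
        tokens = match.group("rest").split()
        if len(tokens) >= 2 and _is_network(tokens[0]) and _is_ip(tokens[1]):
            last_network, nexthop = tokens[0], tokens[1]
        elif _is_ip(tokens[0]) and last_network:
            nexthop = tokens[0]  # continuation line: extra path, same network
        else:
            continue
        status = match.group("status")
        routes.append({"rd": rd, "network": last_network, "nexthop": nexthop,
                       "status": status, "internal": "i" in status})
    return routes


def audit(routes, internal_rds, external_rds, peer_asbr):
    """Flag routes that the intended VPN-target filtering should have kept out."""
    findings = []
    for r in routes:
        if r["internal"]:
            if r["rd"] not in internal_rds:
                findings.append((r["rd"], r["network"], "unexpected RD learned over MP-IBGP"))
        elif r["rd"] not in external_rds:
            findings.append((r["rd"], r["network"], "RD not on the inter-AS allow-list"))
        elif r["nexthop"] != peer_asbr:
            findings.append((r["rd"], r["network"], "next hop is not the expected peer ASBR"))
    return findings


# Constructed sample, based on the output shown in this section.
SAMPLE_OUTPUT = """\
BGP Local router ID is 2.2.2.9
Status codes: * - valid, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 4
Route Distinguisher: 100:1
     Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
*>i  10.1.1.0/24        1.1.1.9        0          100       0       ?
*>i  10.1.1.1/32        1.1.1.9        0          100       0       ?
Route Distinguisher: 200:1
     Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
*>   10.2.1.0/24        192.1.1.2                           0       200?
Route Distinguisher: 200:9
     Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
*>   10.9.0.0/16        192.1.1.2                           0       200?
"""

if __name__ == "__main__":
    parsed = parse_vpnv4_table(SAMPLE_OUTPUT)
    for rd, network, reason in audit(parsed, {"100:1"}, {"200:1"}, "192.1.1.2"):
        print(f"{rd} {network}: {reason}")
```
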

2.10 Configuring Inter-AS VPN Option B (ASBR Also Functioning as a PE)

In the scenario where the backbone network spans two ASs, ASBRs need to advertise VPNv4
routes through MP-EBGP and ASBRs also need to function as PEs.

Applicable Environment
If an ASBR can manage VPN routes but there are not enough interfaces for all inter-AS VPNs,
and the ASBR also functions as a PE for CE access, you can configure inter-AS VPN Option B
(ASBR also functioning as a PE). This mode requires ASBRs to help to maintain and advertise
not only the VPNv4 routes of its own VPN instances but also the VPNv4 routes of other VPN
instances.

Pre-configuration Tasks
Before configuring inter-AS VPN Option B (ASBR also functioning as a PE), complete the
following tasks:
• Configuring an IGP for the MPLS backbone network of each AS to ensure IP connectivity
  of the backbone network within an AS
• Configuring basic MPLS capabilities for the MPLS backbone network of each AS and
  establishing an LDP LSP or TE tunnel between MP-IBGP peers
• 2.3 Configuring a VPN Instance Enabled with the IPv4 Address Family on the PE
  connected to the CE and 2.4.2 Binding an Interface to a VPN Instance
• Configuring an IP address for the interface connecting the CE to the PE

Configuration Procedures

Figure 2-14 Flowchart for configuring inter-AS VPN Option B (ASBR functioning as a PE)

1. Configure MP-IBGP between a PE and an ASBR in the same AS
2. Configure MP-EBGP between ASBRs in different ASs
3. Controlling the Learning and Advertising of VPN Routes on ASBR
4. Configure a VPN instance on an ASBR
5. Configure route exchange between a CE and an ASBR
6. Configure route exchange between a CE and a PE

Legend: Mandatory procedure / Optional procedure

Related Tasks
2.18.15 Example for Configuring Inter-AS VPN Option B with ASBRs Functioning as PEs

2.10.1 Configuring MP-IBGP Between a PE and an ASBR in the Same AS

By importing extended community attributes to BGP, MP-IBGP can advertise VPNv4 routes
between the PE and the ASBR.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bgp as-number

The BGP view is displayed.

Step 3 Run:
peer peer-address as-number as-number

The IBGP peer relationship is set up between the PE and ASBR in the same AS.
Step 4 Run:
peer peer-address connect-interface loopback interface-number

The loopback interface is specified as the outbound interface of the BGP session.
Step 5 Run:
ipv4-family vpnv4 [ unicast ]

The BGP VPNv4 sub-address family view is displayed.


Step 6 Run:
peer peer-address enable

The capability of VPNv4 route exchange between the PE and the ASBR is enabled.
Step 7 Run:
commit

The configuration is committed.

----End

2.10.2 Configuring MP-EBGP Between ASBRs in Different ASs


After the MP-EBGP peer relationship is established between ASBRs, ASBRs can exchange
VPNv4 routes.

Context
In inter-AS VPN Option B (basic networking), you need not create VPN instances on ASBRs.
The ASBR does not filter the VPNv4 routes received from the PE in the same AS based on VPN
targets. Instead, it advertises the received routes to the peer ASBR through MP-EBGP.

Procedure
Step 1 Run:
system-view

The system view of the ASBR is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the interface that connects to the peer ASBR is displayed.
Step 3 Run:
ip address ip-address { mask | mask-length }

An IP address is configured for the interface.


Step 4 Run:
mpls

The MPLS capability is enabled.


Step 5 Run:
commit

The configuration is committed.


Step 6 Run:
quit

Return to the system view.


Step 7 Run:
bgp as-number

The BGP view is displayed.


Step 8 Run:
peer peer-address as-number as-number

The peer ASBR is specified as an EBGP peer.


Step 9 Run:
ipv4-family vpnv4 [ unicast ]

The BGP VPNv4 sub-address family view is displayed.


Step 10 Run:
peer peer-address enable

The capability of exchanging VPNv4 routes with the peer ASBR is enabled.
Step 11 Run:
commit

The configuration is committed.

----End

2.10.3 Controlling the Learning and Advertising of VPN Routes on ASBR

An ASBR can either save partial VPNv4 routes by filtering VPN targets through a routing policy
or save all VPNv4 routes.

Context
For configuration details, see 2.9.3 Controlling the Learning and Advertising of VPN Routes
on ASBR.

2.10.4 Configuring a VPN Instance on an ASBR


If an ASBR also functions as a PE, you need to configure a VPN instance enabled with the IPv4
address family on the ASBR to manage VPN routes.

Procedure
Step 1 Run:
system-view

The system view of the ASBR is displayed.


Step 2 Run:

ip vpn-instance vpn-instance-name

A VPN instance is created and the VPN instance view is displayed.


Step 3 Run:
ipv4-family

The IPv4 address family is enabled for the VPN instance and the VPN instance IPv4 address
family view is displayed.
Step 4 Run:
route-distinguisher route-distinguisher

An RD is configured for the VPN instance IPv4 address family.


Step 5 Run:
vpn-target vpn-target &<1-8> import-extcommunity

A VPN target is configured for the VPN instance IPv4 address family.
Step 6 (Optional) Run:
prefix limit number { alert-percent | simply-alert }

The maximum number of prefixes of the VPN instance IPv4 address family is set.
Step 7 (Optional) Run:
import route-policy policy-name

A routing policy for importing VPN routes is configured.


Step 8 (Optional) Run:
export route-policy policy-name

A routing policy for exporting VPN routes is configured.


Step 9 Run:
commit

The configuration is committed.

----End

2.10.5 Configuring Route Exchange Between a CE and an ASBR


The configuration of route exchange between a CE and an ASBR is similar to that about route
exchange between a CE and a PE in basic BGP/MPLS IP VPN.

Procedure
Step 1 Configure a routing protocol between a CE and an ASBR based on the actual situation. For
detailed configuration procedures, see 2.4.5 Configuring Route Exchange Between a PE and
a CE.

----End

2.10.6 Configuring Route Exchange Between a CE and a PE


The routing protocol run between a CE and a PE can be BGP, static route (including the default
route), or IGP. You can choose any of them as required.

Procedure
Step 1 Configure a routing protocol between a CE and a PE based on the actual situation. For detailed
configuration procedures, see 2.4.5 Configuring Route Exchange Between a PE and a CE.

----End

2.10.7 Checking the Configuration


After configuring inter-AS VPN Option B (ASBR also functioning as a PE), you can view the
status of all BGP peer relationships and VPNv4 routing information on PEs or ASBRs.

Prerequisite
All the configurations about inter-AS VPN Option B (ASBR also functioning as a PE) are
complete.

Procedure
• Run the display bgp vpnv4 all peer command on the PE or ASBR to check the status of
  all BGP peer relationships.
• Run the display bgp vpnv4 all routing-table command on the PE or ASBR to check
  information about VPNv4 routes.
• Run the display ip routing-table vpn-instance vpn-instance-name command on the PE
  or the ASBR to check information about the VPN routing table.
• Run the display mpls lsp command to view the LSP and label information on the ASBR.

----End

Example
Run the display bgp vpnv4 all routing-table command on the ASBR, and you can view the
VPNv4 routes on the ASBR.

Run the display bgp vpnv4 all peer command on the PE or ASBR, and you can view that the
status of the BGP VPNv4 peer relationship between the PE and ASBR in the same AS is
"Established". In addition, the status of the EBGP peer relationship between the directly
connected ASBRs in different ASs is also "Established".

Run the display ip routing-table vpn-instance command on the PE or ASBR, and you can view
that the VPN routing table has related VPN routes.

Run the display mpls lsp command, and you can view the LSP and label information on the
ASBR.

2.11 Configuring Inter-AS VPN Option B (ASBR Also Functioning as an RR)

In the scenario where the backbone network spans two ASs, ASBRs need to advertise VPNv4
routes through MP-EBGP. When multiple PEs exist in the ASs, you can configure an ASBR as
an RR to lower configuration complexities.

Applicable Environment
In inter-AS VPN Option B, if multiple PEs exist in an AS, you can configure an ASBR as an
RR to reduce the number of MP-IBGP connections needed between PEs. Configuring an ASBR
as an RR will burden the ASBR. Therefore, it is required that a high-performance device be used
as the ASBR. As shown in Figure 2-15, ASBR1 is configured as an RR so that PE1 and PE2
need not set up an MP-IBGP peer relationship.

Figure 2-15 Networking diagram of inter-AS VPN Option B (ASBR also functioning as an RR)

[Figure: AS100 and AS200. Devices: CE1, CE2, CE3, PE1, PE2, PE3, ASBR1 (RR), ASBR2.]

Pre-configuration Tasks
Before configuring inter-AS VPN Option B (ASBR also functioning as an RR), complete the
following tasks:
• Configuring an IGP for the MPLS backbone network of each AS to ensure IP connectivity
  of the backbone network within an AS
• Configuring the basic MPLS functions for the MPLS backbone network of each AS and
  establishing an LDP LSP or TE tunnel between MP-IBGP peers
• 2.3 Configuring a VPN Instance Enabled with the IPv4 Address Family on the PE
  connected to the CE and 2.4.2 Binding an Interface to a VPN Instance
• Configuring an IP address for the interface connecting the CE to the PE

Configuration Procedures

Figure 2-16 Flowchart for configuring inter-AS VPN Option B (ASBR also functioning as an RR)

1. Configure MP-IBGP between a PE and an ASBR in the same AS
2. Configure MP-EBGP between ASBRs in different ASs
3. Controlling the Learning and Advertising of VPN Routes on ASBR
4. Configure BGP IPv4 VPN route reflection on an ASBR

Legend: Mandatory procedure / Optional procedure

Related Tasks
2.18.16 Example for Configuring Inter-AS VPN Option B with an ASBR Functioning as an RR

2.11.1 Configuring MP-IBGP Between a PE and an ASBR in the Same AS

By importing extended community attributes to BGP, MP-IBGP can advertise VPNv4 routes
between the PE and the ASBR.

Procedure
• Configuring the ASBR (RR) to establish an MP-IBGP peer relationship with each of its
  client PEs
Perform Steps 1 to 6 repeatedly on the ASBR and the PEs to establish MP-IBGP peer
relationships with all client PEs.
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
peer peer-ipv4-address as-number as-number

The client PE is specified as a BGP peer.

4. Run:
peer peer-ipv4-address connect-interface interface-type interface-number

The interface used to establish a TCP connection is specified. The IP address of the
interface must be the same as the MPLS LSR ID. It is recommended to specify a
loopback interface to establish the TCP connection.
5. Run:
ipv4-family vpnv4

The BGP-VPNv4 address family view is displayed.


6. Run:
peer peer-ipv4-address enable

The capability of exchanging VPNv4 routes between the ASBR and the client PE is
enabled.
7. Run:
commit

The configuration is committed.


----End

2.11.2 Configuring MP-EBGP Between ASBRs in Different ASs


After the MP-EBGP peer relationship is established between ASBRs, an ASBR can advertise
the VPNv4 routes of its AS to the other ASBR.

Procedure
Step 1 Run:
system-view

The system view of the ASBR is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the interface that connects to the peer ASBR is displayed.
Step 3 Run:
ip address ip-address { mask | mask-length }

An IP address is configured for the interface.


Step 4 Run:
mpls

The MPLS capability is enabled.


Step 5 Run:
commit

The configuration is committed.


Step 6 Run:
quit

Return to the system view.

Step 7 Run:
bgp as-number

The BGP view is displayed.


Step 8 Run:
peer peer-address as-number as-number

The peer ASBR is specified as an EBGP peer.


Step 9 Run:
ipv4-family vpnv4 [ unicast ]

The BGP VPNv4 sub-address family view is displayed.


Step 10 Run:
peer peer-address enable

The capability of exchanging VPNv4 routes with the peer ASBR is enabled.
Step 11 Run:
commit

The configuration is committed.

----End

2.11.3 Controlling the Learning and Advertising of VPN Routes on ASBR

An ASBR can either save partial VPNv4 routes by filtering VPN targets through a routing policy
or save all VPNv4 routes.

Context
For configuration details, see 2.9.3 Controlling the Learning and Advertising of VPN Routes
on ASBR.

2.11.4 Configuring BGP IPv4 VPN Route Reflection on an ASBR


Route reflection on an ASBR is used to reflect the VPNv4 routes advertised by the PE in the
same AS to other PEs. In this way, PEs need not set up BGP peer relationships, which simplifies
configurations.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family vpnv4

The BGP VPNv4 sub-address family view is displayed.


Step 4 Run:
peer peer-ipv4-address reflect-client

The ASBR is configured as an RR and the PE is configured as its client. If you need to configure
multiple PEs as clients, run this command repeatedly.
Step 5 (Optional) Run:
undo reflect between-clients

Route reflection between clients is disabled. You need to run this command if the clients are
fully connected.
Step 6 Run:
undo policy vpn-target

The filtering of VPNv4 routes based on the VPN target is disabled.


Step 7 (Optional) Run:
rr-filter extended-list-number

The reflection policy is configured for the RR.


Step 8 Run:
commit

The configuration is committed.

----End

2.11.5 Checking the Configuration


After configuring inter-AS VPN Option B (ASBR also functioning as an RR), you can view the
status of all BGP peer relationships and VPNv4 routing information on PEs or ASBRs.

Prerequisite
All the configurations about inter-AS VPN Option B (ASBR also functioning as an RR) are
complete.

Procedure
• Run the display bgp vpnv4 all peer command on the PE or ASBR to check the status of
  all BGP peer relationships.
• Run the display bgp vpnv4 all routing-table command on the PE or ASBR to check
  information about VPNv4 routes.
• Run the display ip routing-table vpn-instance vpn-instance-name command on the PE
  to check information about the VPN routing table.
• Run the display mpls lsp command to view the LSP and label information on the ASBR.
----End

Example
Run the display bgp vpnv4 all routing-table command on the ASBR, and you can view the
VPNv4 routes on the ASBR.

Run the display bgp vpnv4 all peer command on the PE or ASBR, and you can view that the
status of the BGP VPNv4 peer relationship between the PE and ASBR in the same AS is
"Established". In addition, the status of the EBGP peer relationship between the directly
connected ASBRs in different ASs is also "Established".

Run the display ip routing-table vpn-instance command on the PE, and you can view the
VPN routes in the VPN routing table.

Run the display mpls lsp command, and you can view the LSP and label information on the
ASBR.

2.12 Configuring Inter-AS VPN Option B (Spanning More Than Two ASs)

In the scenario where the backbone network spans more than two ASs, ASBRs need to advertise
VPNv4 routes through MP-EBGP.

Applicable Environment
If the L3VPN needs to span more than two ASs, you can configure inter-AS VPN Option B
(spanning more than two ASs). As shown in Figure 2-17, the L3VPN needs to span three ASs
to transmit VPN routes.

Figure 2-17 Networking diagram of inter-AS VPN Option B (spanning more than two ASs)

[Figure: AS100, AS200 and AS300. Devices: CE1, PE1, ASBR1, ASBR2, ASBR3, ASBR4, PE2, CE2.]

Pre-configuration Tasks
Before configuring inter-AS VPN Option B (spanning more than two ASs), complete the
following tasks:

• Configuring an IGP for the MPLS backbone network of each AS to ensure IP connectivity
of the backbone network within an AS
• Configuring the basic MPLS functions for the MPLS backbone network of each AS and
establishing an LDP LSP or TE tunnel between MP-IBGP peers

• 2.3 Configuring a VPN Instance Enabled with the IPv4 Address Family on the PE
connected to the CE and 2.4.2 Binding an Interface to a VPN Instance
• Configuring an IP address for the interface connecting the CE to the PE

Configuration Procedures

Figure 2-18 Flowchart for configuring inter-AS VPN Option B (spanning more than two ASs)

[Flowchart not reproduced. Procedures shown, in order: Configure MP-IBGP between a PE and
an ASBR in the same AS; Configure MP-EBGP between ASBRs in different ASs; Configure MP-IBGP
between ASBRs in the same AS; Controlling the Learning and Advertising of VPN Routes on
ASBR. The legend distinguishes mandatory and optional procedures.]

Related Tasks
2.18.17 Example for Configuring Inter-AS VPN Option B with the VPN Spanning Multiple ASs

2.12.1 Configuring MP-IBGP Between a PE and an ASBR in the Same AS
By importing extended community attributes to BGP, MP-IBGP can advertise VPNv4 routes
between the PE and the ASBR.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
peer peer-address as-number as-number

The IBGP peer relationship is established between the PE and ASBR in the same AS.

Step 4 Run:
peer peer-address connect-interface loopback interface-number

The loopback interface is specified as the outbound interface of the BGP session.
Step 5 Run:
ipv4-family vpnv4 [ unicast ]

The BGP VPNv4 sub-address family view is displayed.


Step 6 Run:
peer peer-address enable

The capability of VPNv4 route exchange between the PE and the ASBR is enabled.
Step 7 Run:
commit

The configuration is committed.

----End

2.12.2 Configuring MP-EBGP Between ASBRs in Different ASs


After the MP-EBGP peer relationship is established between ASBRs, an ASBR can advertise
the VPNv4 routes of its AS to the other ASBR.

Procedure
Step 1 Run:
system-view

The system view of the ASBR is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the interface that connects to the peer ASBR is displayed.
Step 3 Run:
ip address ip-address { mask | mask-length }

An IP address is configured for the interface.


Step 4 Run:
mpls

The MPLS capability is enabled.


Step 5 Run:
commit

The configuration is committed.


Step 6 Run:
quit

Return to the system view.


Step 7 Run:

bgp as-number

The BGP view is displayed.


Step 8 Run:
peer peer-address as-number as-number

The peer ASBR is specified as an EBGP peer.


Step 9 Run:
ipv4-family vpnv4 [ unicast ]

The BGP VPNv4 sub-address family view is displayed.


Step 10 Run:
peer peer-address enable

The capability of exchanging VPNv4 routes with the peer ASBR is enabled.
Step 11 Run:
commit

The configuration is committed.

----End

2.12.3 Configuring MP-IBGP Between ASBRs in the Same AS


After the MP-IBGP peer relationship is established between the ASBRs in the same AS, ASBRs
can exchange VPNv4 routes.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
peer peer-address as-number as-number

The IBGP peer relationship is set up between the ASBRs in the same AS.
Step 4 Run:
peer peer-address connect-interface loopback interface-number

The loopback interface is specified as the outbound interface of the BGP session.
Step 5 Run:
ipv4-family vpnv4 [ unicast ]

The BGP VPNv4 sub-address family view is displayed.


Step 6 Run:
peer peer-address enable

The capability of VPNv4 route exchange between the ASBRs in the same AS is enabled.

Step 7 Run:
commit

The configuration is committed.

----End

2.12.4 Controlling the Learning and Advertising of VPN Routes on ASBR
An ASBR can either save partial VPNv4 routes by filtering VPN targets through a routing policy
or save all VPNv4 routes.

Context
For configuration details, see 2.9.3 Controlling the Learning and Advertising of VPN Routes
on ASBR.

2.12.5 Checking the Configuration


After configuring inter-AS VPN Option B (spanning more than two ASs), you can view the
status of all BGP peer relationships and VPNv4 routing information on PEs or ASBRs.

Prerequisite
All the configurations of inter-AS VPN Option B are complete.

Procedure
• Run the display bgp vpnv4 all peer command on the PE or ASBR to check the status of
all BGP peer relationships.
• Run the display bgp vpnv4 all routing-table command on the PE or ASBR to check
information about VPNv4 routes.
• Run the display ip routing-table vpn-instance vpn-instance-name command on the PE
to check information about the VPN routing table.
• Run the display mpls lsp command to view the LSP and label information on the ASBR.

----End

Example
Run the display bgp vpnv4 all routing-table command on the ASBR, and you can view the
VPNv4 routes on the ASBR.

Run the display bgp vpnv4 all peer command on the PE or ASBR, and you can view that the
status of the BGP VPNv4 peer relationship between the PE and ASBR in the same AS is
"Established". In addition, the status of the EBGP peer relationship between the directly
connected ASBRs in different ASs is also "Established".

Run the display ip routing-table vpn-instance command on the PE, and you can view the VPN
routes in the VPN routing table.

Run the display mpls lsp command, and you can view the LSP and label information on the
ASBR.

2.13 Configuring the Multi-VPN-Instance CE


By using OSPF multi-instance on CEs, you can implement service isolation on the LAN.

Applicable Environment
In a LAN, if you want to use the CE rather than the VLAN function on the switch to isolate VPN
services, you can configure the multi-VPN-instance CE.

As shown in Figure 2-19, the R&D department and sales department of company X in city A
are in the same LAN and access the VPN backbone network through the same CE. To enable
the R&D department and sales department in city A to communicate with each other, and enable
the R&D department in city A and the R&D department in city C to communicate with each
other but completely isolate the R&D departments from sales departments, you can configure
OSPF multi-instance on both the CE in city A and the PE connecting the CE to the backbone
network. Similar to the OSPF multi-instance on a PE, each OSPF instance on a CE serves as a
virtual CE for each type of service. Multi-VPN-instance implements service isolation with a low
cost and ensures the security of each type of service.

Figure 2-19 Schematic diagram of multi-VPN-instance CE

[Diagram not reproduced. Labeled elements: X company's LAN in city A (R&D department, sales
department, CE); OSPF1/VPN1 and OSPF2/VPN2; PEs on the VPN backbone network; X company's
R&D department in city C (CE); X company's sales department in city B (CE).]

Pre-configuration Tasks
Before configuring the multi-VPN-instance CE, complete the following tasks:

• 2.3 Configuring a VPN Instance Enabled with the IPv4 Address Family on the
multi-instance CE and the PE that the CE accesses (a VPN instance for each service)

• Configuring the link layer protocol and network layer protocol for LAN interfaces and
connecting the LAN with the multi-instance CE (each service using an interface to access
the multi-instance CE)
• Binding related VPN instances to the interfaces of the multi-instance CE and PE interfaces
through which the PE accesses the multi-instance CE and configuring IP addresses for those
interfaces

Configuration Procedures

Figure 2-20 Flowchart for configuring multi-VPN-instance CE

[Flowchart not reproduced. Procedures shown, in order: Configure OSPF Multi-Instance on the
PE; Configure the OSPF Multi-Instance on the Multi-Instance CE; Disable route loop detection
on the Multi-VPN-Instance CE. The legend distinguishes mandatory and optional procedures.]

Related Tasks
2.18.18 Example for Configuring a Multi-VPN-Instance CE

2.13.1 Configuring OSPF Multi-Instance on the PE


Different services use different OSPF process IDs.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ospf process-id [ router-id router-id ] vpn-instance vpn-instance-name

OSPF multi-instance is configured.

Different services use different OSPF process IDs. The router-id values can be either the same or different.

Step 3 Run:
area area-id

The OSPF area view is displayed.

Step 4 Run:
network ip-address wildcard-mask

The IP address of the interface connected to the multi-instance CE is advertised.


Step 5 Run:
commit

The configuration is committed.


Step 6 Run:
quit

Return to the OSPF view.


Step 7 Run:
import-route bgp

A BGP route is imported.


Step 8 Run:
commit

The configuration is committed.


Step 9 Run:
quit

Return to the system view.


Step 10 Run:
bgp as-number

The BGP view is displayed.


Step 11 Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv4 address family view is displayed.


Step 12 Run:
import-route ospf process-id

The OSPF multi-instance route is imported.


Step 13 Run:
commit

The configuration is committed.

----End

2.13.2 Configuring the OSPF Multi-Instance on the Multi-Instance CE
The process ID of the OSPF multi-instance configured on the multi-instance CE must be the
same as that configured on the PE.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ospf process-id [ router-id router-id ] vpn-instance vpn-instance-name

OSPF multi-instance is configured.

NOTE

The OSPF process ID must be the same as that configured on the PE.

Step 3 Run:
area area-id

The OSPF area view is displayed.

Step 4 Run:
network ip-address wildcard-mask

The IP address of the interface connecting the PE is advertised.

NOTE
If the multi-instance CE does not learn the routes of the LAN through the OSPF multi-instance of the local
process, you also need to run related commands to import the routes of the LAN into the OSPF multi-
instance of the local process.

Step 5 Run:
commit

The configuration is committed.

----End

2.13.3 Disabling Route Loop Detection on the Multi-VPN-Instance CE
If route loop detection is performed, the CE discards the route with the DN bit being 1 received
from the PE.

Context
The multi-VPN-instance CE is a scheme for implementing service isolation by isolating routes.
Special configurations are not required but you need to disable route loop detection.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ospf process-id [ router-id router-id ] vpn-instance vpn-instance-name

The OSPF view is displayed.

Step 3 Run:
vpn-instance-capability simple

Route loop detection is disabled.


Step 4 Run:
commit

The configuration is committed.


----End

2.13.4 Checking the Configuration


After the multi-VPN-instance CE is configured, you can find that the VPN routing table of the
multi-instance CE contains the routes to the LAN and remote sites for each service.

Prerequisite
All configurations about the multi-VPN-instance CE are complete.

Procedure
• Run the display ip routing-table vpn-instance vpn-instance-name [ verbose ] command
on the multi-instance CE to check information about the VPN routing table.
----End

Example
After the configuration, run the display ip routing-table vpn-instance command on the multi-
instance CE, and you can find that the VPN routing table of the CE contains the routes to the
LAN and remote sites for each service.

2.14 Configuring VPN FRR


In the networking of CE dual-homing, you can configure VPN FRR to ensure VPN service
switchover to a secondary link when the primary link between PEs fails.

Applicable Environment
VPN FRR is applicable to services that are very sensitive to packet loss and delay on VPNs. As
shown in Figure 2-21, CE1 is dual-homed to PE2 and PE3. When the link between PE1 and
PE2 fails, VPN traffic needs to be quickly switched to the link between PE1 and PE3.

Figure 2-21 Schematic diagram of VPN FRR

[Diagram not reproduced. Labeled elements: PE1, PE2, PE3; MPLS Backbone; VPN site; CE1;
AS100; AS65400.]

Pre-configuration Tasks
Before configuring VPN FRR, complete the following tasks:
• Configuring a routing protocol on the router to implement IP internetworking
• Generating two unequal-cost routes on the PE by setting different costs or metrics
• Setting up the VPN

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv4 address family view is displayed.


Step 4 Run:
auto-frr

VPN Auto FRR is enabled.


Step 5 Run:
commit

The configuration is committed.

----End

Example
After all VPN FRR configurations are complete, run the display ip routing-table vpn-instance
vpn-instance-name [ ip-address ] verbose command to check information about the backup
next-hop PE, backup tunnel, and backup label.
<HUAWEI> display ip routing-table vpn-instance vpn1 10.1.1.0 verbose
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpn1
Summary Count : 1
Destination: 10.3.1.0/24
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 2.2.2.2 Neighbour: 2.2.2.2
State: Active Adv GotQ Age: 00h15m06s
Tag: 0 Priority: low
Label: 15361 QoSInfo: 0x0
IndirectID: 0x13
RelayNextHop: 0.0.0.0 Interface: Pos2/0/0
TunnelID: 0x000000000100000001 Flags: RD
BkNextHop: 3.3.3.3 BkInterface: Unknown
BkLabel: 15362 SecTunnelID: 0x0
BkPETunnelID: 0x000000000100000002 BkPESecTunnelID: 0x0

BkIndirectID: 0x15

Related Tasks
2.18.19 Example for Configuring VPN FRR with FRR Switchover Being Implemented on a PE

2.15 Configuring FRR for IP Routes on a Private Network


This section describes how to configure FRR for IP routes on a private network in the networking
where multiple CEs at a VPN site access the same PE. This feature can quickly switch traffic to
a link connected to another CE if the primary route from a PE to a CE becomes unreachable.

Applicable Environment
This feature is suitable for IP services that are sensitive to the packet loss and delay on a private
network. With IP FRR configured on the private network, if the route from a PE to a CE is
unavailable, traffic from the PE can be quickly switched to a link connected to another CE. This
reduces the time of IP service interruption.
On the network shown in Figure 2-22, in normal situations, the PE selects Link_A to forward
traffic to vpn1 site and uses Link_B as the backup link. If the PE detects that the route to CE1
is unreachable, it will immediately switch traffic to Link_B and private network routes will be
converged. This can minimize the impact on VPN services.

Figure 2-22 FRR for IP routes on a private network

[Diagram not reproduced. Labeled elements: RouterA, PE, IP/MPLS Backbone; Link_A, Link_B;
CE1, CE2; vpn1 site.]

At present, the NE5000E supports two modes of FRR for IP routes on a private network. The
two modes are different in networking and configuration procedures.
• IP FRR: applicable to the networking where different PE-CE pairs use different routing
protocols.
• BGP Auto FRR for the private network: applicable to the networking where BGP runs
between the PE and CEs.

Pre-configuration Tasks
Before configuring FRR for IP routes on a private network, complete the following tasks:
• Configuring a BGP/MPLS IP VPN
• Configuring the PE to learn private network routes with the same prefix from different CEs
attached to it

Procedure
• Configure IP FRR.
1. Run:
system-view

The system view is displayed.


2. Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.


3. Run:
ipv4-family

The VPN instance IPv4 address family view is displayed.


4. Run:
ip frr

IP FRR is enabled.
5. Run:
commit

The configuration is committed.


• Configure BGP Auto FRR for the private network.
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv4 address family view is displayed.


4. Run:
auto-frr

BGP Auto FRR is enabled.


5. Run:
commit

The configuration is committed.


----End

Example
Run the display ip routing-table vpn-instance vpn-instance-name [ ipv4-address ] verbose
command to check the backup outbound interface and backup next hop of the IP route in the
routing table.
Run the display ip routing-table vpn-instance vpn-instance-name verbose command on the
PE. You can see that the route has a backup outbound interface and a backup next hop.

<HUAWEI> display ip routing-table vpn-instance vpna 4.4.4.9 verbose


Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpna
Summary Count : 1

Destination: 4.4.4.9/32
Protocol: BGP Process ID: 0
Preference: 255 Cost: 1
NextHop: 10.1.1.2 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h00m04s
Tag: 0 Priority: low
Label: NULL QoSInfo: 0x0
IndirectID: 0xc7
RelayNextHop: 10.1.1.2 Interface: Pos1/0/0
TunnelID: 0x0 Flags: RD
BkNextHop: 20.1.1.2 BkInterface: Gigabitethernet2/0/0
BkLabel: NULL SecTunnelID: 0x0
BkPETunnelID: 0x0 BkPESecTunnelID: 0x0
BkIndirectID: 0xc8

Related Tasks
2.18.20 Example for Configuring FRR for IP Routes on a Private Network

2.16 Configuring Hybrid FRR for IP and VPNv4 Routes


This section describes how to configure hybrid FRR in the networking where a CE is dual-homed
to two PEs. If the next hop from a PE to a CE is unreachable, hybrid FRR can send traffic to
another PE over a tunnel, and the traffic will be routed to the CE by using IP forwarding on the
private network. This improves network reliability.

Applicable Environment
Hybrid FRR for IP and VPNv4 routes can quickly switch traffic from a PE to another PE that
serves as the backup next hop if the primary route to a CE is unreachable.
A PE learns VPN routes with the same prefix from a CE and other PEs. In this situation, hybrid
FRR for IP and VPNv4 routes can be configured on the PE. Enabled with hybrid FRR, the PE
generates a primary route and a backup route to the VPN prefix. If the link between the PE and
CE fails, the link traffic can be quickly switched to the backup next hop (a PE).
On the network shown in Figure 2-23, in normal situations, PE1 selects Link_A to forward
traffic to the CE and uses Link_B as the backup link. If PE2 detects that the route to the CE is
unreachable, it will immediately switch traffic to Link_B and private network routes will be
converged. This can minimize the impact on VPN services.

Figure 2-23 Hybrid FRR for IP and VPNv4 routes

[Diagram not reproduced. Labeled elements: PE1, PE2, PE3; IP/MPLS Backbone; Link_A, Link_B;
CE; vpn1 site.]

At present, the NE5000E supports two modes of hybrid FRR for IP and VPNv4 routes, which
differ in terms of networking and configuration procedures.
• IP FRR: It is applicable to the networking where a non-BGP routing protocol runs between
the PEs and CE.
• BGP Auto FRR for the private network: It is applicable to the networking where BGP runs
between the PEs and CE.

Pre-configuration Tasks
Before configuring hybrid FRR for IP and VPNv4 routes, complete the following tasks:
• Configuring BGP/MPLS IP VPN
• Configuring a PE to learn IP routes with the same prefix from a CE and other VPNv4 peers

Procedure
• Configure IP FRR.
1. Run:
system-view

The system view is displayed.


2. Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.


3. Run:
ipv4-family

The VPN instance IPv4 address family view is displayed.


4. Run:
ip frr

IP FRR is enabled.
5. Run:
commit

The configuration is committed.


• Configure BGP Auto FRR for the private network.

1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv4 address family view is displayed.


4. Run:
auto-frr

BGP Auto FRR is enabled.


5. Run:
commit

The configuration is committed.

----End

Example
Run the display ip routing-table vpn-instance vpn-instance-name [ ipv4-address ] verbose
command to check the backup outbound interface and backup next hop of the IP route in the
routing table.

Run the display ip routing-table vpn-instance vpn-instance-name verbose command on the
PE. You can find that the route has a backup outbound interface and a backup next hop, and the
hop is on a tunnel such as an LDP LSP.
<HUAWEI> display ip routing-table vpn-instance vpna 22.22.22.22 verbose
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpna
Summary Count : 1

Destination: 22.22.22.22/32
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 192.168.2.2 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h00m31s
Tag: 0 Priority: low
Label: NULL QoSInfo: 0x0
IndirectID: 0xa9
RelayNextHop: 192.168.2.2 Interface: GigabitEthernet2/0/0
TunnelID: 0x0 Flags: RD
BkNextHop: 0.0.0.0 BkInterface: LDP LSP
BkLabel: 0x27 SecTunnelID: 0x5000098
BkPETunnelID: 0x0 BkPESecTunnelID: 0x0
BkIndirectID: 0xaa
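
The Example steps in 2.14, 2.15 and 2.16 all confirm protection by reading the Bk* fields of the verbose routing-table output. The following Python script is an added example, not part of the Huawei guide: it parses that output and lists destinations that have no backup path. The function names, the constructed 10.9.9.0/24 entry, and the rule that BkNextHop 0.0.0.0 together with an empty or Unknown BkInterface means "no backup" are assumptions made for illustration.

```python
import re

# Field names as they appear in the verbose output on this page. "Process ID"
# contains a space, so keys come from a fixed list, and the look-behind stops
# "NextHop" from matching inside "BkNextHop" or "RelayNextHop".
FIELDS = ("Destination", "Protocol", "Process ID", "Preference", "Cost",
          "NextHop", "Neighbour", "State", "Age", "Tag", "Priority",
          "Label", "QoSInfo", "IndirectID", "RelayNextHop", "Interface",
          "TunnelID", "Flags", "BkNextHop", "BkInterface", "BkLabel",
          "SecTunnelID", "BkPETunnelID", "BkPESecTunnelID", "BkIndirectID")
KEY_RE = re.compile(r"(?<![A-Za-z])(%s):" % "|".join(map(re.escape, FIELDS)))


def parse_routes(text):
    """Return one dict per 'Destination:' entry in the verbose output."""
    routes, current = [], None
    for line in text.splitlines():
        if line.lstrip().startswith("Route Flags:"):
            continue  # legend line, not a route field
        hits = list(KEY_RE.finditer(line))
        for i, hit in enumerate(hits):
            # A value runs to the next key on the same line or to end of line,
            # so multi-word values such as "Active Adv Relied" stay intact.
            end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
            key, value = hit.group(1), line[hit.end():end].strip()
            if key == "Destination":
                current = {}
                routes.append(current)
            if current is not None:
                current[key] = value
    return routes


def backup_path(route):
    """Describe the FRR backup of a parsed route, or None if it has none."""
    next_hop = route.get("BkNextHop", "0.0.0.0")
    interface = route.get("BkInterface", "")
    # Assumption: both fields at their empty values means no backup installed.
    if next_hop in ("", "0.0.0.0") and interface in ("", "Unknown"):
        return None
    return {"next_hop": next_hop, "interface": interface,
            "label": route.get("BkLabel", "NULL")}


def unprotected(text):
    """Destinations in the output that have no backup path installed."""
    return [r["Destination"] for r in parse_routes(text)
            if backup_path(r) is None]


# Constructed listing: the first entry is the hybrid FRR output shown on this
# page; the second entry (10.9.9.0/24) is made up to show a route without a
# backup path.
SAMPLE = """\
<HUAWEI> display ip routing-table vpn-instance vpna verbose
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpna
Summary Count : 2

Destination: 22.22.22.22/32
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 192.168.2.2 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h00m31s
Tag: 0 Priority: low
Label: NULL QoSInfo: 0x0
IndirectID: 0xa9
RelayNextHop: 192.168.2.2 Interface: GigabitEthernet2/0/0
TunnelID: 0x0 Flags: RD
BkNextHop: 0.0.0.0 BkInterface: LDP LSP
BkLabel: 0x27 SecTunnelID: 0x5000098
BkPETunnelID: 0x0 BkPESecTunnelID: 0x0
BkIndirectID: 0xaa

Destination: 10.9.9.0/24
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 192.168.2.2 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h02m10s
Tag: 0 Priority: low
Label: NULL QoSInfo: 0x0
IndirectID: 0xab
RelayNextHop: 192.168.2.2 Interface: GigabitEthernet2/0/0
TunnelID: 0x0 Flags: RD
BkNextHop: 0.0.0.0 BkInterface:
BkLabel: NULL SecTunnelID: 0x0
BkPETunnelID: 0x0 BkPESecTunnelID: 0x0
BkIndirectID: 0x0
"""

if __name__ == "__main__":
    for dest in unprotected(SAMPLE):
        print("no FRR backup:", dest)
```

The hybrid entry is the reason the check looks at BkInterface as well as BkNextHop: its backup next hop is 0.0.0.0, yet the route is protected through an LDP LSP.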

Related Tasks
2.18.21 Example for Configuring Hybrid FRR for IP and VPNv4 Routes

2.17 Maintaining BGP/MPLS IP VPN


Maintaining BGP/MPLS IP VPN involves checking L3VPN traffic, monitoring network
connectivity, resetting BGP connections, and debugging BGP/MPLS IP VPN information.

2.17.1 Monitoring the Running Status of BGP/MPLS IP VPN


Monitoring the running status of BGP/MPLS IP VPN involves checking VPN instance
information, VPNv4 peer information, and BGP peer log information.

Context
In routine maintenance, you can run any of the following commands in any view to check the
running status of BGP/MPLS IP VPN.

Procedure
• Run the display ip routing-table vpn-instance vpn-instance-name [ [ filter-option ]
[ verbose ] | statistics ] command to check information about the IP routing table of a VPN
instance.
• Run the display ip vpn-instance [ verbose ] [ vpn-instance-name ] command to check
information about a VPN instance.
• Run the display mpls lsp command to check information about LSPs.
• Run the display bgp vpnv4 { all | route-distinguisher route-distinguisher |
vpn-instance vpn-instance-name } routing-table destination-address [ mask | mask-length ]
command to check information about a specific BGP VPNv4 routing entry.
• Run the display bgp vpnv4 { all | route-distinguisher route-distinguisher |
vpn-instance vpn-instance-name } routing-table statistics [ match-options ] command to
check statistics of the BGP VPNv4 routing table.
• Run the display bgp vpnv4 { all | route-distinguisher route-distinguisher |
vpn-instance vpn-instance-name } routing-table [ match-options ] command to check
information about the BGP VPNv4 routing table.
• Run the display bgp vpnv4 { all | vpn-instance vpn-instance-name } group
[ group-name ] command to check information about the BGP VPNv4 peer groups.
• Run the display bgp { all | vpn-instance vpn-instance-name } peer [ [ peer-address ]
verbose ] command to check information about the BGP VPNv4 peer.
• Run the display bgp { all | vpn-instance vpn-instance-name } network command to check
information about the VPNv4 routes imported into the BGP routing table through the
network command.
• Run the display bgp { all | vpn-instance vpn-instance-name } paths
[ as-regular-expression ] command to check information about the AS path of the BGP VPNv4 route.
• Run the display bgp vpn-instance vpn-instance-name peer { group-name |
peer-address } log-info command to check the logs about the BGP peer of the VPN instance
IPv4 address family.

----End

2.17.2 Checking the Network Connectivity and Reachability


This section describes how to use the ping command to detect the network connectivity between
the source and the destination, and how to use the tracert command to check the devices through
which data packets are sent from the source to the destination.

Procedure
• Run the ping [ ip ] [ -a source-ip-address | -c count | -d | -f | -h ttl-value |
-i interface-type interface-number | -m time | -n | -p pattern | -q | -r | -s packetsize |
-t timeout | -tos tos-value | -v | -vpn-instance vpn-instance-name ] * dest-address command
to detect the reachability of the destination.
• Run the tracert [ -a source-ip-address | -f first-TTL | -m max-TTL | -p port | -q nqueries |
-vpn-instance vpn-instance-name | -w timeout ] * dest-address command to check the
gateway that a packet passes from the source to the destination.
• Run the ping lsp [ -a source-ip | -c count | -exp exp-value | -h ttl-value | -m interval |
-r reply-mode | -s packet-size | -t time-out | -v ] * vpn-instance vpn-name remote
remote-address mask-length command, and you can check connectivity of the Layer 3 VPN LSP.

----End

Example
After the VPN is configured:
• You can run the ping command on the local CE to check whether the local CE and the
remote CE in the same VPN can communicate with each other. If the ping fails, you can
run the tracert command to locate the faulty node.
• You can also run the ping command with the -vpn-instance vpn-instance-name parameter
on the PE to check whether the PE and the CE in the same VPN as the PE can communicate
with each other. If the ping fails, you can run the tracert command with the
-vpn-instance vpn-instance-name parameter to locate the faulty node.

If multiple interfaces on the PE are bound to the same VPN, you need to specify the source IP
address, that is, -a source-ip-address, when you ping or tracert the remote CE that accesses
the peer PE. If no source IP address is specified, the PE selects the lowest IP address from the
IP addresses of the interfaces on the PE bound to this VPN as the source address of the ICMP
messages. If the CE has no route to the selected IP address, the CE discards the returned ICMP
message.

NOTE

By default, as for the MPLS TTL timeout packet with a single label, the router returns the ICMP message
according to the local IP route (that is, the public network route). However, no VPN route exists in the
public network routing table of the ASBR and therefore, the ICMP message is discarded when being sent
to or returned by the ASBR.

2.17.3 Clearing BGP Statistics of the VPN Instance IPv4 Address Family
BGP statistics of the VPN instance IPv4 address family cannot be restored after being cleared.
Therefore, perform the action with caution.

Context

CAUTION
BGP statistics of the VPN instance IPv4 address family cannot be restored after being cleared.
Therefore, perform the action with caution.

Procedure
• After confirming that you need to clear the statistics about BGP peer flap in the specified
VPN instance IPv4 address family, run the reset bgp vpn-instance vpn-instance-name
ipv4-family [ peer-address ] flap-info command in the user view.
• After confirming that you need to clear the statistics about route dampening information
of the specified VPN instance IPv4 address family, run the reset bgp vpn-instance
vpn-instance-name ipv4-family dampening [ ip-address [ mask | mask-length ] ] command in
the user view.
----End

2.17.4 Resetting BGP Connections


After BGP configurations are changed, you can make the new configurations take effect through
soft reset or reset of the BGP connection. Note that resetting the BGP connection leads to the
interruption of VPN services.

Context

CAUTION
VPN services are interrupted after the BGP connection is reset. So, confirm the action before
you use the command.

After BGP configurations are changed, you can validate the new configurations through soft
reset or reset of the BGP connection. Soft reset requires BGP peers to have the route refresh
capability. This means that BGP peers should support Route-Refresh messages.

Procedure
• Run the refresh bgp vpn-instance vpn-instance-name ipv4-family { all | peer-address |
group group-name | internal | external } { import | export } command in the user view
to trigger the soft reset of the VPN instance IPv4 address family's BGP connection in the
inbound or outbound direction so as to validate the configuration.
• Run the refresh bgp vpnv4 { all | peer-address | group group-name | internal |
external } { import | export } command in the user view to trigger the soft reset of the
BGP VPNv4 connection in the inbound or outbound direction so as to validate the
configuration.
• Run the reset bgp vpn-instance vpn-instance-name ipv4-family { as-number |
peer-address | group group-name | all | internal | external } command in the user view to
reset BGP connections of the VPN instance IPv4 address family so as to validate the
configuration.
• Run the reset bgp vpnv4 { as-number | peer-address | group group-name | all | internal
| external } command in the user view to reset the BGP VPNv4 connection so as to validate
the configuration.
----End

2.18 Configuration Examples


This section provides several configuration examples of VPN networking. In each configuration
example, the networking requirements, configuration notes, configuration roadmap,
configuration procedures, and configuration files are provided.

2.18.1 Example for Configuring BGP/MPLS IP VPN


After BGP/MPLS IP VPN is configured, users in the same VPN can communicate with each
other whereas users in different VPNs cannot communicate with each other.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, an interface is numbered in the format of chassis ID/
slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

As shown in Figure 2-24:


l CE1 and CE3 belong to vpna.
l CE2 and CE4 belong to vpnb.
l The VPN target of vpna is 111:1; the VPN target of vpnb is 222:2.
It is required that users in the same VPN be able to communicate with each other whereas users
in different VPNs be unable to communicate with each other.

Figure 2-24 Networking diagram of BGP/MPLS IP VPN
(Diagram not reproduced. CE1 (vpna, AS 65410) and CE2 (vpnb, AS 65420) connect to PE1; CE3
(vpna, AS 65430) and CE4 (vpnb, AS 65440) connect to PE2; PE1, P, and PE2 form the MPLS
backbone in AS 100. Interface addresses are listed in "Configuration Files.")

Configuration Notes
When configuring BGP/MPLS IP VPN, note the following:

l On the same VPN, the export VPN target list of a site shares VPN targets with the import
VPN target lists of the other sites; the import VPN target list of a site shares VPN targets
with the export VPN target lists of the other sites.
l After a PE interface connected to a CE is bound to a VPN instance, Layer 3 features on
this interface such as the IP address and routing protocol are automatically deleted and can
be reconfigured if required.
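The VPN-target rule in the first note is what keeps vpna and vpnb apart, so it is worth checking mechanically. The following Python audit is an added example, not part of the Huawei guide: it parses the ip vpn-instance stanzas of this example and lists every route flow between differently named instances. It assumes that instances with the same name belong to the same VPN and that a vpn-target line without a direction keyword means both; the function names and the misconfigured PE2 variant are constructed for illustration.

```python
"""Audit which VPN instances can exchange routes, based on their VPN-target lists."""
from dataclasses import dataclass, field

DIRECTIONS = ("both", "export-extcommunity", "import-extcommunity")

# vpn-instance stanzas of PE1, as listed in this example's configuration file.
PE1_CFG = """\
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 100:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
interface GigabitEthernet1/0/0
 ip binding vpn-instance vpna
#
"""
# PE2 uses the same VPN targets with RDs 200:1 and 200:2.
PE2_CFG = PE1_CFG.replace("route-distinguisher 100:", "route-distinguisher 200:")
# Constructed misconfiguration (not from the page): vpnb on PE2 also imports 111:1.
PE2_BAD_CFG = PE2_CFG.replace("vpn-target 222:2 import-extcommunity",
                              "vpn-target 222:2 111:1 import-extcommunity")


@dataclass
class VpnInstance:
    device: str
    name: str
    rd: str = ""
    imports: set = field(default_factory=set)
    exports: set = field(default_factory=set)


def parse_vpn_instances(device, config_text):
    """Extract every `ip vpn-instance` stanza from one configuration file."""
    instances, current = [], None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0] == "#":       # '#' closes the current stanza
            current = None
        elif words[:2] == ["ip", "vpn-instance"] and len(words) == 3:
            current = VpnInstance(device, words[2])
            instances.append(current)
        elif current and words[0] == "route-distinguisher" and len(words) == 2:
            current.rd = words[1]
        elif current and words[0] == "vpn-target" and len(words) >= 2:
            # Assumption: a line without a direction keyword applies to both lists.
            direction = words[-1] if words[-1] in DIRECTIONS else "both"
            targets = [w for w in words[1:] if w not in DIRECTIONS]
            if direction in ("both", "export-extcommunity"):
                current.exports.update(targets)
            if direction in ("both", "import-extcommunity"):
                current.imports.update(targets)
    return instances


def route_flows(instances):
    """(exporter, importer, shared targets) for each pair whose lists intersect."""
    flows = []
    for src in instances:
        for dst in instances:
            shared = src.exports & dst.imports
            if src is not dst and shared:
                flows.append((src, dst, shared))
    return flows


def cross_vpn_leaks(instances):
    """Flows between instances with different names, i.e. routes crossing VPNs."""
    return sorted(
        (f"{s.device}/{s.name}", f"{d.device}/{d.name}", ",".join(sorted(t)))
        for s, d, t in route_flows(instances) if s.name != d.name
    )


def audit(configs):
    """configs maps a device name to its configuration text."""
    instances = [inst for dev, text in configs.items()
                 for inst in parse_vpn_instances(dev, text)]
    return cross_vpn_leaks(instances)


if __name__ == "__main__":
    print("as configured:", audit({"PE1": PE1_CFG, "PE2": PE2_CFG}))
    print("misconfigured:", audit({"PE1": PE1_CFG, "PE2": PE2_BAD_CFG}))
```

An empty result means no instance imports a VPN target exported by a differently named instance; each tuple in a non-empty result names the exporting instance, the importing instance, and the shared VPN targets.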

Configuration Roadmap
The configuration roadmap is as follows:

1. Enable OSPF on the backbone network to ensure that PEs interwork with each other.
2. Configure basic MPLS functions and MPLS LDP, and set up MPLS LSPs on the backbone
network.
3. Configure VPN instances enabled with the IPv4 address family on the PEs and bind each
interface that connects a PE to a CE to a VPN instance.
4. Enable Multi-protocol Extensions for Interior Border Gateway Protocol (MP-IBGP) on PEs
to exchange VPN routing information.
5. Configure EBGP on CEs and PEs to exchange VPN routing information.

Data Preparation
To complete the configuration, you need the following data:
l MPLS LSR IDs of the PEs and P
l Route Distinguishers (RDs) of vpna and vpnb
l VPN targets of vpna and vpnb

Procedure
Step 1 Configure an IGP on the MPLS backbone network to achieve connectivity between the PEs and
P. OSPF is adopted as an IGP in this example.
# Configure PE1.
<HUAWEI> system-view
[~HUAWEI] sysname PE1
[~PE1] interface loopback 1
[~PE1-LoopBack1] ip address 1.1.1.9 32
[~PE1-LoopBack1] commit
[~PE1-LoopBack1] quit
[~PE1] interface pos3/0/0
[~PE1-Pos3/0/0] ip address 172.1.1.1 24
[~PE1-Pos3/0/0] commit
[~PE1-Pos3/0/0] quit
[~PE1] ospf
[~PE1-ospf-1] area 0
[~PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[~PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[~PE1-ospf-1-area-0.0.0.0] commit
[~PE1-ospf-1-area-0.0.0.0] quit
[~PE1-ospf-1] quit

# Configure the P.
<HUAWEI> system-view
[~HUAWEI] sysname P
[~P] interface loopback 1
[~P-LoopBack1] ip address 2.2.2.9 32
[~P-LoopBack1] commit
[~P-LoopBack1] quit
[~P] interface pos 1/0/0
[~P-Pos1/0/0] ip address 172.1.1.2 24
[~P-Pos1/0/0] commit
[~P-Pos1/0/0] quit
[~P] interface pos 2/0/0
[~P-Pos2/0/0] ip address 172.2.1.1 24
[~P-Pos2/0/0] commit
[~P-Pos2/0/0] quit
[~P] ospf
[~P-ospf-1] area 0
[~P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[~P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[~P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[~P-ospf-1-area-0.0.0.0] commit
[~P-ospf-1-area-0.0.0.0] quit
[~P-ospf-1] quit

# Configure PE2.
<HUAWEI> system-view
[~HUAWEI] sysname PE2
[~PE2] interface loopback 1
[~PE2-LoopBack1] ip address 3.3.3.9 32
[~PE2-LoopBack1] commit
[~PE2-LoopBack1] quit
[~PE2] interface pos 3/0/0
[~PE2-Pos3/0/0] ip address 172.2.1.2 24
[~PE2-Pos3/0/0] commit
[~PE2-Pos3/0/0] quit
[~PE2] ospf
[~PE2-ospf-1] area 0
[~PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[~PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[~PE2-ospf-1-area-0.0.0.0] commit
[~PE2-ospf-1-area-0.0.0.0] quit
[~PE2-ospf-1] quit

After the configuration, OSPF neighbor relationships can be set up between PE1, P, and PE2.
Run the display ospf peer command, and you can view that the neighbor status is Full. Run the
display ip routing-table command, and you can view that the PEs have learnt the routes to
Loopback1 of each other.

Take the display on PE1 as an example.


<PE1> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.9/32 Direct 0 0 D 127.0.0.1 InLoopBack0
2.2.2.9/32 OSPF 10 2 D 172.1.1.2 Pos3/0/0
3.3.3.9/32 OSPF 10 3 D 172.1.1.2 Pos3/0/0
172.1.1.0/24 Direct 0 0 D 172.1.1.1 Pos3/0/0
172.1.1.1/32 Direct 0 0 D 127.0.0.1 Pos3/0/0
172.1.1.255/32 Direct 0 0 D 127.0.0.1 Pos3/0/0
172.2.1.0/24 OSPF 10 2 D 172.1.1.2 Pos3/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
<PE1> display ospf peer
OSPF Process 1 with Router ID 1.1.1.9
Neighbors
Area 0.0.0.0 interface 172.1.1.1(Pos3/0/0)'s neighbors
Router ID: 172.1.1.2 Address: 172.1.1.2
State: Full Mode:Nbr is Master Priority: 1
DR: None BDR: None MTU: 1500
Dead timer due in 38 sec
Retrans timer interval: 0
Neighbor is up for 00:02:44
Authentication Sequence: [ 0 ]

Step 2 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS
backbone network.

# Configure PE1.
[~PE1] mpls lsr-id 1.1.1.9
[~PE1] mpls
[~PE1-mpls] commit
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] commit
[~PE1-mpls-ldp] quit
[~PE1] interface pos 3/0/0
[~PE1-Pos3/0/0] mpls
[~PE1-Pos3/0/0] mpls ldp
[~PE1-Pos3/0/0] commit
[~PE1-Pos3/0/0] quit

# Configure the P.
[~P] mpls lsr-id 2.2.2.9
[~P] mpls
[~P-mpls] commit
[~P-mpls] quit
[~P] mpls ldp
[~P-mpls-ldp] quit
[~P] interface pos 1/0/0
[~P-Pos1/0/0] mpls
[~P-Pos1/0/0] mpls ldp
[~P-Pos1/0/0] commit
[~P-Pos1/0/0] quit
[~P] interface pos 2/0/0
[~P-Pos2/0/0] mpls
[~P-Pos2/0/0] mpls ldp
[~P-Pos2/0/0] commit
[~P-Pos2/0/0] quit

# Configure PE2.
[~PE2] mpls lsr-id 3.3.3.9
[~PE2] mpls
[~PE2-mpls] commit
[~PE2-mpls] quit
[~PE2] mpls ldp
[~PE2-mpls-ldp] commit
[~PE2-mpls-ldp] quit
[~PE2] interface pos 3/0/0
[~PE2-Pos3/0/0] mpls
[~PE2-Pos3/0/0] mpls ldp
[~PE2-Pos3/0/0] commit
[~PE2-Pos3/0/0] quit

After the configuration, LDP sessions can be set up between PE1 and the P and between the P
and PE2. Run the display mpls ldp session command, and you can view that the Status field
is Operational. Run the display mpls ldp lsp command, and you can check whether LDP LSPs
are set up.
Take the display on PE1 as an example.
<PE1> display mpls ldp session
LDP Session(s) in Public Network
-------------------------------------------------------------------------
Peer-ID Status LAM SsnRole SsnAge KA-Sent/Rcv
-------------------------------------------------------------------------
2.2.2.9:0 Operational DU Passive 006:20:55 39551/39552
-------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
LAM : Label Advertisement Mode SsnAge Unit : DDD:HH:MM
<PE1> display mpls ldp lsp
LDP LSP Information
------------------------------------------------------------------
SN DestAddress/Mask In/OutLabel Next-Hop In/Out-Interface
------------------------------------------------------------------
1 1.1.1.9/32 3/NULL 127.0.0.1 Pos3/0/0/InLoop0
2 2.2.2.9/32 NULL/3 172.1.1.2 -------/Pos3/0/0
3 3.3.3.9/32 NULL/1024 172.1.1.2 -------/Pos3/0/0
------------------------------------------------------------------
TOTAL: 3 Normal LSP(s) Found.
TOTAL: 0 Liberal LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale

Step 3 Configure VPN instances enabled with the IPv4 address family on the PEs and connect the CEs
to the PEs through the VPN instances.
# Configure PE1.
[~PE1] ip vpn-instance vpna
[~PE1-vpn-instance-vpna] ipv4-family
[~PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[~PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] ip vpn-instance vpnb
[~PE1-vpn-instance-vpnb] ipv4-family
[~PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[~PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[~PE1-vpn-instance-vpnb-af-ipv4] quit
[~PE1-vpn-instance-vpnb] quit
[~PE1] interface gigabitethernet 1/0/0
[~PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[~PE1-GigabitEthernet1/0/0] ip address 10.1.1.2 24
[~PE1-GigabitEthernet1/0/0] commit
[~PE1-GigabitEthernet1/0/0] quit
[~PE1] interface gigabitethernet 2/0/0
[~PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpnb
[~PE1-GigabitEthernet2/0/0] ip address 10.2.1.2 24
[~PE1-GigabitEthernet2/0/0] commit
[~PE1-GigabitEthernet2/0/0] quit

# Configure PE2.
[~PE2] ip vpn-instance vpna
[~PE2-vpn-instance-vpna] ipv4-family
[~PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[~PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE2-vpn-instance-vpna-af-ipv4] quit
[~PE2-vpn-instance-vpna] quit
[~PE2] ip vpn-instance vpnb
[~PE2-vpn-instance-vpnb] ipv4-family
[~PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2
[~PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[~PE2-vpn-instance-vpnb-af-ipv4] quit
[~PE2-vpn-instance-vpnb] quit
[~PE2] interface gigabitethernet 1/0/0
[~PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[~PE2-GigabitEthernet1/0/0] ip address 10.3.1.2 24
[~PE2-GigabitEthernet1/0/0] commit
[~PE2-GigabitEthernet1/0/0] quit
[~PE2] interface gigabitethernet 2/0/0
[~PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpnb
[~PE2-GigabitEthernet2/0/0] ip address 10.4.1.2 24
[~PE2-GigabitEthernet2/0/0] commit
[~PE2-GigabitEthernet2/0/0] quit

# Assign an IP address to each interface on CEs as shown in Figure 2-24. The detailed
configuration procedure is not mentioned here. For details, see "Configuration Files."
After the configuration, run the display ip vpn-instance verbose command on the PEs to view
the configurations of VPN instances. Each PE can successfully ping its connected CE.

NOTE

If a PE has multiple interfaces bound to the same VPN instance, you need to specify a source IP address
by specifying -a source-ip-address in the ping -vpn-instance vpn-instance-name -a source-ip-address
dest-ip-address command to ping the CE connected to the remote PE. Otherwise, the ping operation fails.

Take the display on PE1 and CE1 as an example:


<PE1> display ip vpn-instance verbose
Total VPN-Instances configured : 2
VPN-Instance Name and ID : vpna, 1
Interfaces : GigabitEthernet1/0/0
Address family ipv4
Create date : 2009/01/21 11:30:35
Up time : 0 days, 00 hours, 05 minutes and 19 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label policy: label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe
VPN-Instance Name and ID : vpnb, 2
Interfaces : GigabitEthernet2/0/0
Address family ipv4
Create date : 2009/01/21 11:31:18
Up time : 0 days, 00 hours, 04 minutes and 36 seconds
Route Distinguisher : 100:2
Export VPN Targets : 222:2
Import VPN Targets : 222:2
Label policy: label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe
[~PE1] ping -vpn-instance vpna 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=56 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=4 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=4 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=52 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=3 ms
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/23/56 ms

Step 4 Set up EBGP peer relationships between the PEs and CEs.
# Configure CE1.
[~CE1] interface loopback 1
[~CE1-LoopBack1] ip address 11.11.11.11 32
[~CE1-LoopBack1] quit
[~CE1] bgp 65410
[~CE1-bgp] peer 10.1.1.2 as-number 100
[~CE1-bgp] network 11.11.11.11 32
[~CE1-bgp] quit
[~CE1] commit

NOTE

The configurations of CE2, CE3, and CE4 are similar to the configuration of CE1, and are not mentioned
here. For details, see "Configuration Files."

# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpna
[~PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[~PE1-bgp-vpna] commit
[~PE1-bgp-vpna] quit
[~PE1-bgp] ipv4-family vpn-instance vpnb
[~PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[~PE1-bgp-vpnb] commit
[~PE1-bgp-vpnb] quit

NOTE

The procedure for configuring PE2 is similar to the procedure for configuring PE1, and the detailed
configuration is not mentioned here. For details, see "Configuration Files."

After the configuration, run the display bgp vpnv4 vpn-instance peer command on the PEs,
and you can view that BGP peer relationships have been established between the PEs and CEs.
Take the peer relationship between PE1 and CE1 as an example.
<PE1> display bgp vpnv4 vpn-instance vpna peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 65410 11 9 0 00:06:37 Established 1

Step 5 Set up an MP-IBGP peer relationship between the PEs.


# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] peer 3.3.3.9 as-number 100
[~PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[~PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit

# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] peer 1.1.1.9 as-number 100
[~PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[~PE2-bgp] ipv4-family vpnv4
[~PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[~PE2-bgp-af-vpnv4] commit
[~PE2-bgp-af-vpnv4] quit
[~PE2-bgp] quit

# After the configuration, run the display bgp peer or display bgp vpnv4 all peer command
on the PEs, and you can view that a BGP peer relationship has been set up between the PEs.
<PE1> display bgp peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
3.3.3.9 4 100 2 6 0 00:00:12 Established 0
<PE1> display bgp vpnv4 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 3 Peers in established state : 3
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
3.3.3.9 4 100 12 18 0 00:09:38 Established 0
Peer of vpn instance:
VPN-Instance vpna, router ID 1.1.1.9:
10.1.1.1 4 65410 25 25 0 00:17:57 Established 1
VPN-Instance vpnb, router ID 1.1.1.9:
10.2.1.1 4 65420 21 22 0 00:17:10 Established 1

Step 6 Verify the configuration.


# Run the display ip routing-table vpn-instance command on the PEs, and you can view the
routes to the loopback interfaces of the CEs.
Take the display on PE1 as an example.
<PE1> display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 3 Routes : 3
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.2 GigabitEthernet1/0/0
10.1.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
11.11.11.11/32 BGP 255 0 RD 10.1.1.1 GigabitEthernet1/0/0
33.33.33.33/32 BGP 255 0 RD 3.3.3.9 LDP LSP
<PE1> display ip routing-table vpn-instance vpnb
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: vpnb
Destinations : 3 Routes : 3
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.2.1.0/24 Direct 0 0 D 10.2.1.2 GigabitEthernet2/0/0
10.2.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
10.2.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
22.22.22.22/32 BGP 255 0 RD 10.2.1.1 GigabitEthernet2/0/0
44.44.44.44/32 BGP 255 0 RD 3.3.3.9 LDP LSP

CEs in the same VPN can successfully ping each other whereas CEs in different VPNs cannot.
For example, CE1 can successfully ping CE3 at 10.3.1.1 but cannot successfully ping CE4 at
10.4.1.1.
[~CE1] ping -a 11.11.11.11 33.33.33.33
PING 33.33.33.33: 56 data bytes, press CTRL_C to break
Reply from 33.33.33.33: bytes=56 Sequence=1 ttl=251 time=72 ms
Reply from 33.33.33.33: bytes=56 Sequence=2 ttl=251 time=34 ms
Reply from 33.33.33.33: bytes=56 Sequence=3 ttl=251 time=50 ms
Reply from 33.33.33.33: bytes=56 Sequence=4 ttl=251 time=50 ms
Reply from 33.33.33.33: bytes=56 Sequence=5 ttl=251 time=34 ms
--- 33.33.33.33 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms
[~CE1] ping -a 11.11.11.11 44.44.44.44
PING 44.44.44.44: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 44.44.44.44 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

----End

Configuration Files
l Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
#
ipv4-family vpn-instance vpnb
peer 10.2.1.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
l Configuration file of the P
#
sysname P
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
l Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
peer 10.3.1.1 as-number 65430
#
ipv4-family vpn-instance vpnb
peer 10.4.1.1 as-number 65440
#
ospf 1
area 0.0.0.0
network 172.2.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return

l Configuration file of CE1


#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 11.11.11.11 255.255.255.255
#
bgp 65410
peer 10.1.1.2 as-number 100
network 11.11.11.11 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
#
return

l Configuration file of CE2


#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface LoopBack1
ip address 22.22.22.22 255.255.255.255
#
bgp 65420
peer 10.2.1.2 as-number 100
network 22.22.22.22 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.2.1.2 enable
#
return

l Configuration file of CE3


#
sysname CE3
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.3.1.1 255.255.255.0
#
interface LoopBack1
ip address 33.33.33.33 255.255.255.255
#
bgp 65430
peer 10.3.1.2 as-number 100
network 33.33.33.33 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.3.1.2 enable
#
return

l Configuration file of CE4


#
sysname CE4
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.4.1.1 255.255.255.0
#
interface LoopBack1
ip address 44.44.44.44 255.255.255.255
#
bgp 65440
peer 10.4.1.2 as-number 100
network 44.44.44.44 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.4.1.2 enable
#
return

Related Tasks
2.4 Configuring Basic BGP/MPLS IP VPN

2.18.2 Example for Configuring BGP AS Number Substitution


When sites in the same VPN use the same AS number and an EBGP neighbor relationship is
established between a PE and a CE, you need to enable AS number substitution on the PE.
Otherwise, the local CE discards VPN routes whose AS_Path carries the local AS number. As a
result, users of the same VPN cannot communicate with each other.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

As shown in Figure 2-25, CE1 and CE2 belong to the same VPN. CE1 is connected to PE1;
CE2 is connected to PE2. Both CE1 and CE2 use AS 600. When EBGP runs between a PE and
a CE, the BGP routes sent from the CE to the PE carry the AS_Path attribute. The local PE sends
the BGP routes to the remote PE through MP-IBGP. When the remote PE sends the BGP routes
to its connected CE through EBGP, the CE discards the BGP routes whose AS_Path attribute
carries AS 600.

To address the preceding problem, it is required that AS number substitution be configured on
the PEs. In this manner, when a PE sends VPN routes to a CE through BGP, it substitutes its
own AS number (AS 100 in this example) for the AS numbers in the VPN routes. Then, the CE
can receive the remote VPN routes.
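The AS_Path behaviour described above can be traced in a few lines. The following Python model is an added example, not part of the Huawei guide: it computes the AS_Path that PE2 sends to CE2 with and without substitution and applies the CE's loop check. The function names are hypothetical, and the origin paths in ROUTES_AT_PE2 are constructed to be consistent with the Path column shown later in this example (10.1.1.0/24 assumed to be originated on PE1, 100.1.1.0/24 originated by CE1).

```python
"""AS_Path handling on the PE-to-CE EBGP session, with and without substitute-as."""

BACKBONE_AS = 100  # AS of PE1 and PE2 in this example
SITE_AS = 600      # AS shared by CE1 and CE2 in this example

# Constructed input: AS_Path of each VPN route as it arrives at PE2 over
# MP-IBGP (IBGP leaves the AS_Path unchanged).
ROUTES_AT_PE2 = {
    "10.1.1.0/24": [],          # assumed to be originated on PE1
    "100.1.1.0/24": [SITE_AS],  # originated by CE1 in AS 600
}


def pe_advertise_to_ce(as_path, pe_as, ce_as, substitute_as):
    """AS_Path a PE sends to its CE over EBGP.

    With substitute_as, every occurrence of the CE's AS is replaced by the
    PE's AS before the PE prepends its own AS.
    """
    path = list(as_path)
    if substitute_as:
        path = [pe_as if asn == ce_as else asn for asn in path]
    return [pe_as] + path


def ce_accepts(as_path, local_as):
    """EBGP loop detection: a route whose AS_Path holds the local AS is discarded."""
    return local_as not in as_path


def received_routes(routes, substitute_as, ce_as=SITE_AS, pe_as=BACKBONE_AS):
    """Routes the CE keeps, as prefix -> AS_Path string (compare the Path column)."""
    kept = {}
    for prefix, path in routes.items():
        sent = pe_advertise_to_ce(path, pe_as, ce_as, substitute_as)
        if ce_accepts(sent, ce_as):
            kept[prefix] = " ".join(str(asn) for asn in sent)
    return kept


if __name__ == "__main__":
    print("without substitution:", received_routes(ROUTES_AT_PE2, False))
    print("with substitution:   ", received_routes(ROUTES_AT_PE2, True))
    # Constructed edge case: CE2's own prefix advertised back to its site.
    own = {"200.1.1.0/24": [SITE_AS]}
    print("own prefix, without: ", received_routes(own, False))
    print("own prefix, with:    ", received_routes(own, True))
```

The last case shows the cost of the feature: with substitution enabled, the AS_Path check no longer rejects a site's own prefix when it is advertised back to that site, so multi-homed sites need another loop-prevention mechanism such as Site of Origin (SoO).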

Figure 2-25 Networking of BGP AS number substitution
(Diagram not reproduced. CE1 and CE2, both in VPN1 and AS 600, connect to PE1 and PE2
respectively; PE1, P, and PE2 form the backbone in AS 100.)

Configuration Notes
When configuring BGP AS number substitution, note the following:

l Configure EBGP on the PEs and CEs.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure basic BGP/MPLS IP VPN functions.
2. Configure BGP AS number substitution on the PEs.

Data Preparation
To complete the configuration, you need the following data:

l MPLS LSR IDs of the PEs and P
l VPN instances on PE1 and PE2
l AS numbers of the CEs (CE1 and CE2 having the same AS number that is different from
the AS number of the backbone network)

Procedure
Step 1 Configure basic BGP/MPLS IP VPN functions.

The configurations include the following:

l Configure OSPF on the MPLS backbone network so that the PEs and P can learn the routes
to the loopback interfaces of each other.
l Configure basic MPLS functions and MPLS LDP, and set up LDP LSPs on the MPLS
backbone network.
l Set up MP-IBGP peer relationships between the PEs and advertise VPNv4 routes.
l Configure the VPN instance enabled with the IPv4 address family of VPN1 on PE2 and
connect CE2 to PE2.
l Configure the VPN instance enabled with the IPv4 address family of VPN1 on PE1 and
connect CE1 to PE1.
l Configure EBGP on PE1 and CE1, and PE2 and CE2; import routes of each CE to its
connected PE.
After the configuration, run the display ip routing-table command on CE2, and you can view
that CE2 has learnt the route to the network segment (10.1.1.0/24) where the interface that
connects CE1 to PE1 resides, but there is no route to the VPN (100.1.1.0/24) of CE1. This is the
same on CE1.
<CE2> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 9 Routes : 9
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 BGP 255 0 D 10.2.1.2 Pos1/0/0
10.1.1.1/32 BGP 255 0 D 10.2.1.2 Pos1/0/0
10.2.1.0/24 Direct 0 0 D 10.2.1.1 Pos1/0/0
10.2.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.2.1.2/32 Direct 0 0 D 10.2.1.2 Pos1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
200.1.1.0/24 Direct 0 0 D 200.1.1.1 GigabitEthernet2/0/0
200.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Run the display ip routing-table vpn-instance command on the PEs, and you can view that
the VPN routing table has routes to the VPN of the CEs.
Take the display on PE2 as an example.
<PE2> display ip routing-table vpn-instance vpn1
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: vpn1
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 BGP 255 0 RD 1.1.1.9 Pos2/0/0
10.1.1.1/32 BGP 255 0 RD 1.1.1.9 Pos2/0/0
10.1.1.2/32 BGP 255 0 RD 1.1.1.9 Pos2/0/0
10.2.1.0/24 Direct 0 0 D 10.2.1.2 Pos1/0/0
10.2.1.1/32 Direct 0 0 D 10.2.1.1 Pos1/0/0
10.2.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
100.1.1.0/24 BGP 255 0 RD 1.1.1.9 Pos2/0/0
200.1.1.0/24 BGP 255 0 D 10.2.1.1 Pos1/0/0

Run the display bgp routing-table peer received-routes command on CE2, and you can view
that CE2 receives no route to 100.1.1.0/24.
<CE2> display bgp routing-table peer 10.2.1.2 received-routes
BGP Local router ID is 10.2.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 4
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.1.1.0/24 10.2.1.2 0 100?
*> 10.1.1.1/32 10.2.1.2 0 100?
* 10.2.1.0/24 10.2.1.2 0 0 100?
*> 10.2.1.1/32 10.2.1.2 0 0 100?

Step 2 Configure BGP AS number substitution.


Configure BGP AS number substitution on the PEs.
# Take PE2 as an example:
[~PE2] bgp 100
[~PE2-bgp] ipv4-family vpn-instance vpn1
[~PE2-bgp-vpn1] peer 10.2.1.1 substitute-as
[~PE2-bgp-vpn1] commit

Display the routing information and routing table received by CE2.


<CE2> display bgp routing-table peer 10.2.1.2 received-routes
BGP Local router ID is 10.2.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 6
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.1.1.0/24 10.2.1.2 0 100?
*> 10.1.1.1/32 10.2.1.2 0 100?
*> 10.1.1.2/32 10.2.1.2 0 100 100?
* 10.2.1.0/24 10.2.1.2 0 0 100?
* 10.2.1.1/32 10.2.1.2 0 0 100?
*> 100.1.1.0/24 10.2.1.2 0 100 100?
<CE2> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 10 Routes : 10
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 BGP 255 0 D 10.2.1.2 Pos1/0/0
10.1.1.1/32 BGP 255 0 D 10.2.1.2 Pos1/0/0
10.2.1.0/24 Direct 0 0 D 10.2.1.1 Pos1/0/0
10.2.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.2.1.2/32 Direct 0 0 D 10.2.1.2 Pos1/0/0
100.1.1.1/24 BGP 255 0 D 10.2.1.2 Pos1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
200.1.1.0/24 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
200.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

After BGP AS number substitution is also configured on PE1, CE1 and CE2 can
successfully ping each other through their GE interfaces.
[~CE1] ping -a 100.1.1.1 200.1.1.1
PING 200.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 200.1.1.1: bytes=56 Sequence=1 ttl=253 time=109 ms
Reply from 200.1.1.1: bytes=56 Sequence=2 ttl=253 time=67 ms
Reply from 200.1.1.1: bytes=56 Sequence=3 ttl=253 time=66 ms
Reply from 200.1.1.1: bytes=56 Sequence=4 ttl=253 time=85 ms
Reply from 200.1.1.1: bytes=56 Sequence=5 ttl=253 time=70 ms
--- 200.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 66/79/109 ms

----End


Configuration Files
• Configuration file of CE1
#
sysname CE1
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 100.1.1.1 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.1 255.255.255.0
#
bgp 600
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return

• Configuration file of PE1


#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 20.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#


ipv4-family vpn-instance vpn1


peer 10.1.1.1 as-number 600
peer 10.1.1.1 substitute-as
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 20.1.1.0 0.0.0.255
#
return
• Configuration file of the P
#
sysname P
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 20.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 30.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface Pos2/0/0


undo shutdown
link-protocol ppp
ip address 30.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 600
peer 10.2.1.1 substitute-as
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 30.1.1.0 0.0.0.255
#
return

• Configuration file of CE2


#
sysname CE2
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 200.1.1.1 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.2.1.1 255.255.255.0
#
bgp 600
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return

2.18.3 Example for Configuring the BGP SoO


By configuring the BGP SoO attribute, you can prevent routes sent from a VPN site from
returning to the same site after these routes travel through the backbone network. This avoids
routing loops in the VPN site.


Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

When multiple CEs in a VPN site access different PEs, VPN routes sent from CEs to PEs may
return to this VPN site after traveling through the backbone network. This may cause routing
loops in the VPN site.

As shown in Figure 2-26, CE1 and CE2 belong to Site 1; CE2 and CE3 access PE2; Site 1 and
Site 2 have the same AS number. EBGP runs between PEs and CEs. PE1 sends the routes
received from CE1 to PE2 through MP-IBGP, and then PE2 sends the received routes to CE2
and CE3. CE2, however, has learned these routes through an IGP in the VPN site. This may
cause routing loops in the VPN site.

The BGP SoO attribute must be configured so that PE2 checks the SoO attribute carried
in the routes to be sent to CE2. If PE2 finds that this SoO attribute is the same as the locally
configured SoO attribute, PE2 refuses to send these routes to CE2. This avoids routing loops in
VPN Site 1. PE2 can still send these routes to CE3.

Figure 2-26 Networking diagram of configuring the BGP SoO
[Figure: PE1 and PE2 (AS 100) linked through POS1/0/1; CE1 and CE2 in site1 (AS 65410), CE3 in site2 (AS 65410); interfaces as listed in the table below.]

Device  Interface   IP Address
CE1     Loopback1   11.11.11.11/32
        GE 1/0/0    192.168.1.2/30
        GE 2/0/0    192.168.4.1/30
PE1     Loopback1   1.1.1.1/32
        POS 1/0/1   10.1.1.1/30
        GE 1/0/0    192.168.1.1/30
PE2     Loopback1   2.2.2.2/32
        POS 1/0/1   10.1.1.2/30
        GE 1/0/0    192.168.2.1/30
        GE 2/0/0    192.168.3.1/30
CE2     Loopback1   22.22.22.22/32
        GE 1/0/0    192.168.2.2/30
        GE 2/0/0    192.168.4.2/30
CE3     Loopback1   33.33.33.33/32
        GE 1/0/0    192.168.3.2/30

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure an IP address for each interface and an IGP on the backbone network so that PEs
can communicate.
2. Enable MPLS and MPLS LDP on the backbone network so that LDP LSPs can be
established between PEs.
3. Establish MP-IBGP peer relationships between PEs.
4. Configure VPN instances on PEs and bind the interfaces connecting PEs to CEs to the VPN
instances.
5. Establish EBGP peer relationships between PEs and CEs, and enable AS number substitution
on PEs.
6. Configure the BGP SoO attribute on PEs for CEs.

Data Preparation
To complete the configuration, you need the following data:

• MPLS LSR IDs of PEs
• Names of the VPN instances created on PE1 and PE2, and RDs, and VPN-targets of the
VPN instance IPv4 address family
• Numbers of the ASs where PEs and CEs reside
• Value of the BGP SoO attribute on PEs

Procedure
Step 1 Configure an IP address for each interface and an IGP on the backbone network so that PEs can
learn routes to loopback interfaces of each other.


In this example, OSPF is configured as an IGP. For configuration details, see "Configuration
Files."
After the configuration is complete, run the display ip routing-table command on PEs. The
command output shows that the PEs have learned the routes to loopback interfaces of each other.
Take the display on PE1 as an example.
<PE1> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 7 Routes : 7

Destination/Mask Proto Pre Cost Flags NextHop Interface

1.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0


2.2.2.2/32 OSPF 10 1562 D 10.1.1.2 Pos1/0/1
10.1.1.0/30 Direct 0 0 D 10.1.1.1 Pos1/0/1
10.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.1.1.2/32 Direct 0 0 D 10.1.1.2 Pos1/0/1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Step 2 Enable MPLS and MPLS LDP on the backbone network so that LDP LSPs can be established
between PEs.
You need to enable MPLS and MPLS LDP on the PEs in the system view and interface view.
# Configure PE1.
[~PE1] mpls lsr-id 1.1.1.1
[~PE1] mpls
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] quit
[~PE1] interface pos1/0/1
[~PE1-Pos1/0/1] mpls
[~PE1-Pos1/0/1] mpls ldp
[~PE1-Pos1/0/1] quit
[~PE1] commit

The configuration of PE2 is similar to the configuration of PE1, and is not mentioned here. For
configuration details, see "Configuration Files."
After the configuration is complete, run the display mpls ldp lsp command on PEs. The
command output shows information about the labels assigned to the routes to loopback interfaces
on the other PEs. Take the display on PE1 as an example.
<PE1> display mpls ldp lsp

LDP LSP Information


-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
1.1.1.1/32 3/NULL 2.2.2.2 127.0.0.1 InLoop0
*1.1.1.1/32 Liberal
2.2.2.2/32 NULL/3 - 10.1.1.2 Pos1/0/1
2.2.2.2/32 1024/3 2.2.2.2 10.1.1.2 Pos1/0/1
-------------------------------------------------------------------------------
TOTAL: 3 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is in GR state
A '*' before a NextHop means the LSP is FRR LSP


Step 3 Establish MP-IBGP peer relationships between PEs.

# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] peer 2.2.2.2 as-number 100
[~PE1-bgp] peer 2.2.2.2 connect-interface loopback1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 2.2.2.2 enable
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit
[~PE1] commit

The configuration of PE2 is similar to the configuration of PE1, and is not mentioned here. For
configuration details, see "Configuration Files."

After the configuration is complete, run the display bgp peer or display bgp vpnv4 all peer
command on PEs. The command output shows that BGP peer relationships have been established
between the PEs. Take the display on PE1 as an example.
<PE1> display bgp peer

BGP local router ID : 10.1.1.1


Local AS number : 100
Total number of peers : 1 Peers in established state : 1

Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
2.2.2.2         4   100      187      186     0 02:44:06 Established       1

Step 4 On PEs, create VPN instances, enable IPv4 address families on the VPN instances, and bind the
interfaces connecting the PEs to CEs to the VPN instances.

# Configure PE1.
[~PE1] ip vpn-instance vpna
[~PE1-vpn-instance-vpna] ipv4-family
[~PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[~PE1-vpn-instance-vpna-af-ipv4] vpn-target 100:100
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] interface gigabitethernet1/0/0
[~PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[~PE1-GigabitEthernet1/0/0] ip address 192.168.1.1 30
[~PE1-GigabitEthernet1/0/0] quit
[~PE1] commit

# Configure PE2.
[~PE2] ip vpn-instance vpna
[~PE2-vpn-instance-vpna] ipv4-family
[~PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 100:2
[~PE2-vpn-instance-vpna-af-ipv4] vpn-target 100:100
[~PE2-vpn-instance-vpna-af-ipv4] quit
[~PE2-vpn-instance-vpna] quit
[~PE2] interface gigabitethernet1/0/0
[~PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[~PE2-GigabitEthernet1/0/0] ip address 192.168.2.1 30
[~PE2-GigabitEthernet1/0/0] quit
[~PE2] interface gigabitethernet2/0/0
[~PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[~PE2-GigabitEthernet2/0/0] ip address 192.168.3.1 30
[~PE2-GigabitEthernet2/0/0] quit
[~PE2] commit


After the configuration is complete, run the display ip vpn-instance command on PEs to view
the configurations of VPN instances.
Step 5 Establish EBGP peer relationships between PEs and CEs, enable AS number substitution on
PEs, and configure PEs to import routes from CEs.
In this configuration example, the two VPN sites have the same AS number. Therefore, AS
number substitution needs to be enabled on PE1 and PE2.
# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpna
[~PE1-bgp-vpna] peer 192.168.1.2 as-number 65410
[~PE1-bgp-vpna] peer 192.168.1.2 substitute-as
[~PE1-bgp-vpna] import-route direct
[~PE1-bgp-vpna] quit
[~PE1-bgp] quit
[~PE1] commit

# Configure CE1.
[~CE1] bgp 65410
[~CE1-bgp] peer 192.168.1.1 as-number 100
[~CE1-bgp] network 11.11.11.11 32
[~CE1-bgp] network 192.168.4.0 30
[~CE1-bgp] quit
[~CE1] commit

# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] ipv4-family vpn-instance vpna
[~PE2-bgp-vpna] peer 192.168.2.2 as-number 65410
[~PE2-bgp-vpna] peer 192.168.3.2 as-number 65410
[~PE2-bgp-vpna] peer 192.168.2.2 substitute-as
[~PE2-bgp-vpna] peer 192.168.3.2 substitute-as
[~PE2-bgp-vpna] import-route direct
[~PE2-bgp-vpna] quit
[~PE2-bgp] quit
[~PE2] commit

# Configure CE2.
[~CE2] bgp 65410
[~CE2-bgp] peer 192.168.2.1 as-number 100
[~CE2-bgp] network 22.22.22.22 32
[~CE2-bgp] network 192.168.4.0 30
[~CE2-bgp] quit
[~CE2] commit

# Configure CE3.
[~CE3] bgp 65410
[~CE3-bgp] peer 192.168.3.1 as-number 100
[~CE3-bgp] network 33.33.33.33 32
[~CE3-bgp] quit
[~CE3] commit

After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command
on PEs. The command output shows that the status of EBGP peer relationships between PEs
and CEs is Established. This indicates that EBGP peer relationships have been established
between PEs and CEs. Take the display on PE1 as an example.
<PE1> display bgp vpnv4 vpn-instance vpna peer

BGP local router ID : 10.1.1.1


Local AS number : 100


VPN-Instance vpna, router ID 10.1.1.1:


Total number of peers : 1 Peers in established state : 1

Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
192.168.1.2     4 65410      224      231     0 03:02:12 Established       1

Run the display bgp vpnv4 routing-table command on PEs. The command output shows
information about the routes sent from the PEs to CEs. The following takes the routes sent from
PE2 to CE2 as an example.
<PE2> display bgp vpnv4 vpn-instance vpna routing-table peer 192.168.2.2 advertised-routes

VPN-Instance vpna, router ID 2.2.2.2:

BGP Local router ID is 2.2.2.2


Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 7


Network NextHop MED LocPrf PrefVal Path/Ogn

*>i 11.11.11.11/32 1.1.1.1 0 100 0 65410i


*> 22.22.22.22/32 192.168.2.2 0 0 65410i
*> 33.33.33.33/32 192.168.3.2 0 0 65410i
*>i 192.168.1.0/30 1.1.1.1 0 100 0 ?
*> 192.168.2.0/30 0.0.0.0 0 0 ?
*> 192.168.3.0/30 0.0.0.0 0 0 ?
*> 192.168.4.0/30 192.168.2.2 0 0 65410i

Step 6 Configure the BGP SoO attribute on PEs.


Because CE1 and CE2 reside in the same site, the same BGP SoO attribute needs to be configured
on PE1 and PE2 for CE1 and CE2 respectively. Because PE2 accesses two VPN sites, different
SoO attributes need to be configured on PE2 for different CEs.
# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpna
[~PE1-bgp-vpna] peer 192.168.1.2 soo 100:101
[~PE1-bgp-vpna] quit
[~PE1-bgp] quit
[~PE1] commit

# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] ipv4-family vpn-instance vpna
[~PE2-bgp-vpna] peer 192.168.2.2 soo 100:101
[~PE2-bgp-vpna] peer 192.168.3.2 soo 100:102
[~PE2-bgp-vpna] quit
[~PE2-bgp] quit
[~PE2] commit

Step 7 Verify the configuration.


After the configuration is complete, run the display bgp vpnv4 routing-table command on PE2
again. The command output shows that PE2 does not send any VPN route to CE2 and the routes
sent from PE2 to CE3 remain unchanged.
<PE2> display bgp vpnv4 vpn-instance vpna routing-table peer 192.168.3.2 advertised-routes


VPN-Instance vpna, router ID 2.2.2.2:

BGP Local router ID is 2.2.2.2


Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 7


Network NextHop MED LocPrf PrefVal Path/Ogn

*>i 11.11.11.11/32 1.1.1.1 0 100 0 65410i


*> 22.22.22.22/32 192.168.2.2 0 0 65410i
*> 33.33.33.33/32 192.168.3.2 0 0 65410i
*>i 192.168.1.0/30 1.1.1.1 0 100 0 ?
*> 192.168.2.0/30 0.0.0.0 0 0 ?
*> 192.168.3.0/30 0.0.0.0 0 0 ?
*> 192.168.4.0/30 192.168.2.2 0 0 65410i

Run the display bgp vpnv4 routing-table command on PE2. The command output shows
information about the SoO attribute carried in the routes sent from PE2 to CE3.
<PE2> display bgp vpnv4 vpn-instance vpna routing-table 11.11.11.11 32

BGP local router ID : 2.2.2.2


Local AS number : 100

VPN-Instance vpna, router ID 2.2.2.2:


Paths: 1 available, 1 best, 1 select
BGP routing table entry information of 11.11.11.11/32:
Label information (Received/Applied): 1028/NULL
From: 1.1.1.1 (10.1.1.1)
Route Duration: 00h11m12s
Relay Tunnel Out-Interface: Pos1/0/1
Relay token: 0x800001
Original nexthop: 1.1.1.1
Qos information : 0x0
Ext-Community:RT <100 : 100>, SoO <100 : 101>
AS-path 65410, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, b
est, select, active, pre 255
Advertised to such 2 peers:
Update-Group 0 :
192.168.2.2
192.168.3.2

The preceding command output shows that after the BGP SoO attribute is configured, the VPN
routes received from CEs carry the SoO attribute, and PE2 does not send any route to CE2. This
indicates that the configuration of the BGP SoO attribute has taken effect.

----End
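
The following Python model is an added example, not part of this guide or of the device software. It replays the AS number substitution example (CEs in AS 600) and the SoO example above (CEs in AS 65410) with the page's peer addresses and SoO values, and shows why a site that is reachable through two PEs needs SoO once substitute-as is enabled. The class and function names are hypothetical, and the CE-side check is the standard BGP rule of discarding a path that contains the local AS number.

```python
"""Added example: model of the PE-CE BGP handling described in this guide."""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

PROVIDER_AS = 100  # backbone AS number used in both examples


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]
    soo: Optional[str] = None  # Site-of-Origin extended community, if any


@dataclass(frozen=True)
class CePeer:
    """Settings a PE holds for one CE (mirrors the 'peer ...' lines)."""
    address: str
    remote_as: int
    substitute_as: bool = False
    soo: Optional[str] = None


def pe_receive_from_ce(peer: CePeer, route: Route) -> Route:
    """Ingress PE: routes learned from a CE carry that peer's SoO value."""
    return replace(route, soo=peer.soo) if peer.soo else route


def pe_advertise_to_ce(peer: CePeer, route: Route) -> Optional[Route]:
    """Egress PE: return the update sent to the CE, or None if withheld."""
    # SoO check: a route is not handed back to the site it came from.
    if peer.soo is not None and route.soo == peer.soo:
        return None
    path = route.as_path
    if peer.substitute_as:
        # Replace the CE's AS number in the path with the provider AS number.
        path = tuple(PROVIDER_AS if asn == peer.remote_as else asn for asn in path)
    # Prepend the provider AS number, as on any EBGP session.
    return replace(route, as_path=(PROVIDER_AS,) + path)


def ce_accepts(local_as: int, update: Optional[Route]) -> bool:
    """CE: BGP loop detection drops a path containing the CE's own AS."""
    return update is not None and local_as not in update.as_path


def as_substitution_case() -> dict:
    """CE1 and CE2 both in AS 600; CE1 originates 100.1.1.0/24."""
    route = Route("100.1.1.0/24", (600,))  # unchanged across MP-IBGP
    before = pe_advertise_to_ce(CePeer("10.2.1.1", 600), route)
    after = pe_advertise_to_ce(CePeer("10.2.1.1", 600, substitute_as=True), route)
    return {
        "before_path": before.as_path, "before_accepted": ce_accepts(600, before),
        "after_path": after.as_path, "after_accepted": ce_accepts(600, after),
    }


def soo_case(soo_on_ce2: Optional[str] = "100:101") -> dict:
    """CE1 and CE2 in site 1, CE3 in site 2, all in AS 65410."""
    pe1_ce1 = CePeer("192.168.1.2", 65410, True, "100:101")
    pe2_ce2 = CePeer("192.168.2.2", 65410, True, soo_on_ce2)
    pe2_ce3 = CePeer("192.168.3.2", 65410, True, "100:102")
    # CE1 -> PE1 (SoO attached) -> MP-IBGP -> PE2
    at_pe2 = pe_receive_from_ce(pe1_ce1, Route("11.11.11.11/32", (65410,)))
    return {
        "soo_at_pe2": at_pe2.soo,
        "ce2_installs": ce_accepts(65410, pe_advertise_to_ce(pe2_ce2, at_pe2)),
        "ce3_installs": ce_accepts(65410, pe_advertise_to_ce(pe2_ce3, at_pe2)),
    }


if __name__ == "__main__":
    print("AS substitution:", as_substitution_case())
    print("SoO configured on PE2 for CE2:", soo_case())
    # Without SoO, substitute-as hides AS 65410 and the route re-enters site 1.
    print("SoO missing on PE2 for CE2:", soo_case(soo_on_ce2=None))
```

The substituted path (100, 100) matches the "100 100?" entries in the received-routes output of the AS number substitution example.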

Configuration Files
• Configuration file of CE1
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.2 255.255.255.252
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 192.168.4.1 255.255.255.252
#
interface LoopBack1
ip address 11.11.11.11 255.255.255.255
#


bgp 65410
peer 192.168.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
network 11.11.11.11 255.255.255.255
network 192.168.4.0 255.255.255.252
peer 192.168.1.1 enable
#
return

• Configuration file of CE2


#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.2.2 255.255.255.252
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 192.168.4.2 255.255.255.252
#
interface LoopBack1
ip address 22.22.22.22 255.255.255.255
#
bgp 65410
peer 192.168.2.1 as-number 100
#
ipv4-family unicast
undo synchronization
network 22.22.22.22 255.255.255.255
network 192.168.4.0 255.255.255.252
peer 192.168.2.1 enable
#
return

• Configuration file of PE1


#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 100:100 export-extcommunity
vpn-target 100:100 import-extcommunity
#
mpls lsr-id 1.1.1.1
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 192.168.1.1 255.255.255.252
#
interface Pos1/0/1
undo shutdown
link-protocol ppp
ip address 10.1.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#


bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 192.168.1.2 as-number 65410
peer 192.168.1.2 substitute-as
peer 192.168.1.2 soo 100:101
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.3
#
return

• Configuration file of PE2


#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:2
vpn-target 100:100 export-extcommunity
vpn-target 100:100 import-extcommunity
#
mpls lsr-id 2.2.2.2
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 192.168.2.1 255.255.255.252
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 192.168.3.1 255.255.255.252
#
interface Pos1/0/1
undo shutdown
link-protocol ppp
ip address 10.1.1.2 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#


ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 192.168.2.2 as-number 65410
peer 192.168.2.2 substitute-as
peer 192.168.2.2 soo 100:101
peer 192.168.3.2 as-number 65410
peer 192.168.3.2 substitute-as
peer 192.168.3.2 soo 100:102
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.3
#
return

• Configuration file of CE3


#
sysname CE3
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.3.2 255.255.255.252
#
interface LoopBack1
ip address 33.33.33.33 255.255.255.255
#
bgp 65410
peer 192.168.3.1 as-number 100
#
ipv4-family unicast
undo synchronization
network 33.33.33.33 255.255.255.255
peer 192.168.3.1 enable
#
return

2.18.4 Example for Configuring CE Dual-Homing with EBGP Running Between a PE and a CE
CE dual-homing indicates that a CE is connected to the backbone network by two links that
work in either load balancing or master/backup mode.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

With the development of telecommunications services, all telecommunications services will be
carried on a unified IP network. Important services such as 3G/NGN, IPTV streaming media,
and VIP customer VPN require high reliability of the network. To improve network reliability,
in addition to reliability of the network devices, you must consider the link and network reliability
such as fast route convergence, fault detection, fast reroute, and path backup.

At the access layer, CE dual-homing is a common solution to improving network reliability. The
networking where a CE is connected to two PEs that belong to the same VPN is called CE dual-
homing. In this case, the CE accesses the backbone network through two links. The two links
can work in either load balancing or master/backup mode.

As shown in Figure 2-27, CE1 resides at site1 of vpn1; CE2 resides at site2 of vpn1. CE1 is
dual-homed to PE1 and PE2; CE2 is dual-homed to PE3 and PE4.

If the data traffic from CE1 to CE2 is heavy whereas the traffic from CE2 to CE1 is light, the
data traffic from CE1 to CE2 can be transmitted in load balancing mode; the data traffic from
CE2 to CE1 can be forwarded by PE4 with PE3 as a backup.

Figure 2-27 Networking diagram of CE dual-homing
[Figure: VPN backbone (AS 100) with PE1, P1, and PE3 on one path and PE2, P2, and PE4 on the other; CE1 in vpn1 site1 (AS 65410) is dual-homed to PE1 and PE2, and CE2 in vpn1 site2 (AS 65420) is dual-homed to PE3 and PE4; interfaces as listed in the table below.]

Device  Interface   IP Address
CE1     Loopback1   11.11.11.11/32
        GE 1/0/0    10.1.1.1/30
        GE 2/0/0    10.2.1.1/30
PE1     Loopback1   1.1.1.1/32
        GE 1/0/0    10.1.1.2/30
        POS 2/0/0   100.1.1.1/30
PE2     Loopback1   2.2.2.2/32
        GE 1/0/0    10.2.1.2/30
        POS 2/0/0   100.2.1.1/30
P1      Loopback1   5.5.5.5/32
        POS 1/0/0   100.1.1.2/30
        POS 2/0/0   100.3.1.1/30
P2      Loopback1   6.6.6.6/32
        POS 1/0/0   100.2.1.2/30
        POS 2/0/0   100.4.1.1/30
PE3     Loopback1   3.3.3.3/32
        POS 1/0/0   100.3.1.2/30
        GE 2/0/0    10.3.1.1/30
PE4     Loopback1   4.4.4.4/32
        POS 1/0/0   100.4.1.2/30
        GE 2/0/0    10.4.1.1/30
CE2     Loopback1   22.22.22.22/32
        GE 1/0/0    10.3.1.2/30
        GE 2/0/0    10.4.1.2/30

Configuration Notes
When configuring CE dual-homing with EBGP running between a PE and a CE, note the
following:
• The CE is dual-homed to two PEs configured with VPN instances of different RDs.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic BGP/MPLS IP VPN functions.
2. Configure load balancing for the data traffic from CE1 to CE2 in the BGP view of CE1.
3. Increase the MED value of the BGP-VPN route on PE3 to ensure that the next hop of the
route selected by CE2 to the users that access CE1 is PE4.

Data Preparation
To complete the configuration, you need the following data:
• MPLS LSR IDs of the PEs and P
• Names of the VPN instances, RDs, and VPN targets of the PEs
• AS numbers of the CEs

Procedure
Step 1 Configure an IGP on the MPLS backbone network to interconnect devices on the MPLS
backbone network.
# Assign an IP address to each interface on PE1. Note that the IP address of a loopback interface
must use a 32-bit mask.
<HUAWEI> system-view
[~HUAWEI] sysname PE1
[~PE1] interface loopback 1
[~PE1-LoopBack1] ip address 1.1.1.1 32
[~PE1-LoopBack1] commit
[~PE1-LoopBack1] quit
[~PE1] interface pos2/0/0
[~PE1-Pos2/0/0] ip address 100.1.1.1 30
[~PE1-Pos2/0/0] commit
[~PE1-Pos2/0/0] quit

# Configure IS-IS to advertise routes of each interface.


[~PE1] isis 1


[~PE1-isis-1] network-entity 10.0000.0000.0001.00


[~PE1-isis-1] commit
[~PE1-isis-1] quit
[~PE1] interface loopback 1
[~PE1-LoopBack1] isis enable 1
[~PE1-LoopBack1] commit
[~PE1-LoopBack1] quit
[~PE1] interface pos2/0/0
[~PE1-Pos2/0/0] isis enable 1
[~PE1-Pos2/0/0] commit
[~PE1-Pos2/0/0] quit

# The configurations of other devices on the backbone network are the same as the configuration
of PE1, and are not mentioned here. For details, see "Configuration Files."
After the configuration, run the display ip routing-table command, and you can view that PE1
and PE3, and PE2 and PE4 have learnt the routes to Loopback1 of each other.
Take the display on PE1 as an example.
<PE1> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 9 Routes : 9
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
3.3.3.3/32 ISIS 15 20 D 100.1.1.2 Pos2/0/0
5.5.5.5/32 ISIS 15 10 D 100.1.1.2 Pos2/0/0
100.1.1.0/30 Direct 0 0 D 100.1.1.1 Pos2/0/0
100.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
100.1.1.2/32 Direct 0 0 D 100.1.1.2 Pos2/0/0
100.3.1.0/30 ISIS 15 20 D 100.1.1.2 Pos2/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Step 2 Configure basic MPLS functions and MPLS LDP, and set up LDP LSPs on the MPLS backbone
network.
# Configure PE1.
[~PE1] mpls lsr-id 1.1.1.1
[~PE1] mpls
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] quit
[~PE1] interface pos 2/0/0
[~PE1-Pos2/0/0] mpls
[~PE1-Pos2/0/0] mpls ldp
[~PE1-Pos2/0/0] commit
[~PE1-Pos2/0/0] quit

# The configurations of other devices on the backbone network are the same as the configuration
of PE1, and are not mentioned here. For details, see "Configuration Files."
After the configuration, LDP sessions can be set up between PE1 and the P and between the P
and PE2. Run the display mpls ldp session command, and you can view that the Status field
is displayed as Operational. Run the display mpls ldp lsp command, and you can check whether
LDP LSPs are set up.
Take the display on PE1 as an example.
<PE1> display mpls ldp session
LDP Session(s) in Public Network
------------------------------------------------------------------------------
Peer-ID Status LAM SsnRole SsnAge KA-Sent/Rcv
------------------------------------------------------------------------------


5.5.5.5:0 Operational DU Passive 000:07:02 1688/1688


------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
LAM : Label Advertisement Mode SsnAge Unit : DDD:HH:MM
<PE1> display mpls ldp lsp
LDP LSP Information
------------------------------------------------------------------------------
SN DestAddress/Mask In/OutLabel Next-Hop In/Out-Interface
------------------------------------------------------------------------------
1 1.1.1.1/32 3/NULL 127.0.0.1 Pos2/0/0/InLoop0
2 3.3.3.3/32 NULL/1025 100.1.1.2 -------/Pos2/0/0
3 5.5.5.5/32 NULL/3 100.1.1.2 -------/Pos2/0/0
*4 100.1.1.0/30 Liberal
5 100.3.1.0/30 NULL/3 100.1.1.2 -------/Pos2/0/0
------------------------------------------------------------------------------
TOTAL: 4 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale

Step 3 Configure VPN instances enabled with the IPv4 address family on the PEs and connect the CEs
to the PEs through the VPN instances.

# Configure PE1. Configure vpn1 and specify its RD and VPN target. The VPN target configured
on the local PE must be the same as the VPN target of the MP-BGP peer PE so that sites in the
same VPN can communicate with each other.
[~PE1] ip vpn-instance vpn1
[~PE1-vpn-instance-vpn1] ipv4-family
[~PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[~PE1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 both
[~PE1-vpn-instance-vpn1-af-ipv4] commit
[~PE1-vpn-instance-vpn1-af-ipv4] quit
[~PE1-vpn-instance-vpn1] quit

# Bind the interface that connects PE1 to a CE to a VPN instance, and assign an IP address to
the interface.
[~PE1] interface gigabitethernet 1/0/0
[~PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpn1
[~PE1-GigabitEthernet1/0/0] ip address 10.1.1.2 30
[~PE1-GigabitEthernet1/0/0] commit
[~PE1-GigabitEthernet1/0/0] quit

# The configurations of PE2, PE3, and PE4 are similar to the configuration of PE1, and are not
mentioned here. For details, see "Configuration Files."

After the configuration, run the display ip vpn-instance verbose command on the PEs to view
the configurations of VPN instances.

Take the display on PE1 as an example.


<PE1> display ip vpn-instance verbose
Total VPN-Instances configured : 1
VPN-Instance Name and ID : vpn1, 1
Interfaces : GigabitEthernet1/0/0
Address family ipv4
Create date : 2008/09/18 14:17:15
Up time : 0 days, 07 hours, 23 minutes and 53 seconds
Route Distinguisher : 100:1
Export VPN Targets : 1:1
Import VPN Targets : 1:1
Label policy : label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe

Step 4 Configure EBGP on the PEs and CEs, and import VPN routes.


# Assign an IP address to each interface on the CEs as shown in Figure 2-27. The detailed
configuration is not mentioned here. For details, see "Configuration Files."
# On CE1, specify PE1 and PE2 as EBGP peers.
[~CE1] interface loopback 1
[~CE1-LoopBack1] ip address 11.11.11.11 32
[~CE1-LoopBack1] quit
[~CE1] bgp 65410
[~CE1-bgp] peer 10.1.1.2 as-number 100
[~CE1-bgp] peer 10.2.1.2 as-number 100
[~CE1-bgp] network 11.11.11.11 32
[~CE1-bgp] commit
[~CE1-bgp] quit

# On PE1, specify CE1 as an EBGP peer.


[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpn1
[~PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410
[~PE1-bgp-vpn1] commit
[~PE1-bgp-vpn1] quit

# On PE2, specify CE1 as an EBGP peer.


[~PE2] bgp 100
[~PE2-bgp] ipv4-family vpn-instance vpn1
[~PE2-bgp-vpn1] peer 10.2.1.1 as-number 65410
[~PE2-bgp-vpn1] commit
[~PE2-bgp-vpn1] quit

# On CE2, specify PE3 and PE4 as EBGP peers.


[~CE2] interface loopback 1
[~CE2-LoopBack1] ip address 22.22.22.22 32
[~CE2-LoopBack1] quit
[~CE2] bgp 65420
[~CE2-bgp] peer 10.3.1.1 as-number 100
[~CE2-bgp] peer 10.4.1.1 as-number 100
[~CE2-bgp] network 22.22.22.22 32
[~CE2-bgp] commit
[~CE2-bgp] quit

# On PE3, specify CE2 as an EBGP peer.


[~PE3] bgp 100
[~PE3-bgp] ipv4-family vpn-instance vpn1
[~PE3-bgp-vpn1] peer 10.3.1.2 as-number 65420
[~PE3-bgp-vpn1] commit
[~PE3-bgp-vpn1] quit

# On PE4, specify CE2 as an EBGP peer.


[~PE4] bgp 100
[~PE4-bgp] ipv4-family vpn-instance vpn1
[~PE4-bgp-vpn1] peer 10.4.1.2 as-number 65420
[~PE4-bgp-vpn1] commit
[~PE4-bgp-vpn1] quit

After the configuration, run the display bgp vpnv4 vpn-instance peer command on the PEs,
and you can view that BGP peer relationships have been established between the PEs and CEs.
Take the peer relationship between PE1 and CE1 as an example.
<PE1> display bgp vpnv4 vpn-instance vpn1 peer
BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 65410 408 435 0 06:16:09 Established 5

Each PE can successfully ping its connected CE. Take the display on PE1 as an example.
<PE1> ping -vpn-instance vpn1 11.11.11.11
PING 11.11.11.11: 56 data bytes, press CTRL_C to break
Reply from 11.11.11.11: bytes=56 Sequence=1 ttl=254 time=80 ms
Reply from 11.11.11.11: bytes=56 Sequence=2 ttl=254 time=20 ms
Reply from 11.11.11.11: bytes=56 Sequence=3 ttl=254 time=30 ms
Reply from 11.11.11.11: bytes=56 Sequence=4 ttl=254 time=50 ms
Reply from 11.11.11.11: bytes=56 Sequence=5 ttl=254 time=30 ms
--- 11.11.11.11 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/42/80 ms

Step 5 Set up an MP-IBGP peer relationship between the PEs.


# On PE1, specify PE3 as the IBGP peer and establish an IBGP peer relationship between PE1
and PE3 through loopback interfaces.
[~PE1] bgp 100
[~PE1-bgp] peer 3.3.3.3 as-number 100
[~PE1-bgp] peer 3.3.3.3 connect-interface loopback 1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 3.3.3.3 enable
[~PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit

# On PE3, specify PE1 as the IBGP peer and establish an IBGP peer relationship between PE3
and PE1 through loopback interfaces.
[~PE3] bgp 100
[~PE3-bgp] peer 1.1.1.1 as-number 100
[~PE3-bgp] peer 1.1.1.1 connect-interface loopback 1
[~PE3-bgp] ipv4-family vpnv4
[~PE3-bgp-af-vpnv4] peer 1.1.1.1 enable
[~PE3-bgp-af-vpnv4] commit
[~PE3-bgp-af-vpnv4] quit

# On PE2, specify PE4 as the IBGP peer and establish an IBGP peer relationship between PE2
and PE4 through loopback interfaces.
[~PE2] bgp 100
[~PE2-bgp] peer 4.4.4.4 as-number 100
[~PE2-bgp] peer 4.4.4.4 connect-interface loopback 1
[~PE2-bgp] ipv4-family vpnv4
[~PE2-bgp-af-vpnv4] peer 4.4.4.4 enable
[~PE2-bgp-af-vpnv4] commit
[~PE2-bgp-af-vpnv4] quit

# On PE4, specify PE2 as the IBGP peer and establish an IBGP peer relationship between PE4
and PE2 through loopback interfaces.
[~PE4] bgp 100
[~PE4-bgp] peer 2.2.2.2 as-number 100
[~PE4-bgp] peer 2.2.2.2 connect-interface loopback 1
[~PE4-bgp] ipv4-family vpnv4
[~PE4-bgp-af-vpnv4] peer 2.2.2.2 enable
[~PE4-bgp-af-vpnv4] commit
[~PE4-bgp-af-vpnv4] quit

After the configuration, run the display bgp peer or display bgp vpnv4 all peer command on
the PEs, and you can view that the BGP peer relationships have been established between the
PEs.
<PE1> display bgp peer

BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
3.3.3.3 4 100 2 6 0 00:00:12 Established 0
<PE1> display bgp vpnv4 all peer
BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
3.3.3.3 4 100 12 18 0 00:09:38 Established 0
Peer of vpn instance:
VPN-Instance vpn1, router ID 1.1.1.1:
10.1.1.1 4 65410 25 25 0 00:17:57 Established 1

Step 6 On CE1, enable load balancing for the traffic from CE1 to CE2.
[~CE1] bgp 65410
[~CE1-bgp] ipv4-family unicast
[~CE1-bgp-af-ipv4] maximum load-balancing 2
[~CE1-bgp-af-ipv4] commit

Step 7 Configure a routing policy. Increase the MED value of the BGP route advertised by PE3 to CE2
and ensure that the traffic from CE2 to CE1 passes through PE4. PE3 functions as a backup.
[~PE3] route-policy policy1 permit node 10
[~PE3-route-policy] apply cost 120
[~PE3-route-policy] commit
[~PE3-route-policy] quit
[~PE3] bgp 100
[~PE3-bgp] ipv4-family vpn-instance vpn1
[~PE3-bgp-vpn1] peer 10.3.1.2 route-policy policy1 export
[~PE3-bgp-vpn1] commit

Display the BGP routing table of CE2. For the route to 11.11.11.11/32, the MED value advertised
by PE3 is 120, which is greater than the MED value advertised by PE4. Therefore, the route
advertised by PE4 is chosen. By default, the MED value is 0.
<CE2> display bgp routing-table
BGP Local router ID is 11.11.11.11
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 11.11.11.11/32 10.4.1.1 0 100 65410?
* 10.3.1.1 120 0 100 65410?
*> 22.22.22.22/32 0.0.0.0 0 0 ?

Step 8 Verify the configuration.


Run the display ip routing-table command on CE1, and you can view the routes to the users
connected to CE2 and that traffic is transmitted in load balancing mode.
<CE1> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 8 Routes : 9

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/30 Direct 0 0 D 10.1.1.1 Gigabitethernet1/0/0
10.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.2.1.0/30 Direct 0 0 D 10.2.1.1 Gigabitethernet2/0/0
10.2.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
11.11.11.11/32 Direct 0 0 D 127.0.0.1 LoopBack1
22.22.22.22/32 BGP 255 0 D 10.1.1.2 Gigabitethernet1/0/0
BGP 255 0 D 10.2.1.2 Gigabitethernet2/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Run the display ip routing-table command on CE2, and you can view the routes to the users
connected to CE1. The next hop of the routes is 10.4.1.1, which is the IP address of
the interface that connects PE4 to CE2.
<CE2> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 8 Routes : 8

Destination/Mask Proto Pre Cost Flags NextHop Interface

11.11.11.11/32 BGP 255 0 D 10.4.1.1 Gigabitethernet2/0/0
22.22.22.22/32 Direct 0 0 D 127.0.0.1 LoopBack1
10.3.1.0/30 Direct 0 0 D 10.3.1.2 GigabitEthernet1/0/0
10.3.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.4.1.0/30 Direct 0 0 D 10.4.1.2 Gigabitethernet2/0/0
10.4.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

----End
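
The route selection behind Steps 6 and 7, as an added example that is not part of the Huawei guide: a simplified model of BGP path comparison showing why the MED of 120 leaves PE3 as a backup for CE2 and why CE1 installs two next hops with maximum load-balancing 2. The Path class, select() and the lowest-next-hop tie-breaker are assumptions made for illustration; CE1's paths are constructed as a mirror of CE2's view.

```python
import ipaddress
from dataclasses import dataclass

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}  # IGP preferred over EGP over incomplete


@dataclass(frozen=True)
class Path:
    next_hop: str
    as_path: tuple        # neighbouring AS first, e.g. (100, 65410)
    med: int = 0          # the page states that the default MED is 0
    pref_val: int = 0
    local_pref: int = 100
    origin: str = "?"


def pre_med_key(p):
    """Attributes compared before MED; a smaller tuple is a better path."""
    return (-p.pref_val, -p.local_pref, len(p.as_path), ORIGIN_RANK[p.origin])


def select(paths, max_load_balancing=1):
    """Return (best path, next hops installed in the IP routing table)."""
    top = min(pre_med_key(p) for p in paths)
    tied = [p for p in paths if pre_med_key(p) == top]
    # MED is compared only between paths learned from the same neighbouring AS.
    survivors = [
        p for p in tied
        if p.med == min(q.med for q in tied if q.as_path[:1] == p.as_path[:1])
    ]
    # Assumption: the lowest next-hop address stands in for the final
    # tie-breakers (router ID, peer address) of a real implementation.
    survivors.sort(key=lambda p: ipaddress.ip_address(p.next_hop))
    best = survivors[0]
    # Only paths that are still equal to the best one can share the load.
    equal = [p for p in survivors if p.as_path == best.as_path]
    return best, [p.next_hop for p in equal[:max_load_balancing]]


# CE2's two paths to 11.11.11.11/32, as shown in its BGP routing table above.
CE2_PATHS = [
    Path("10.4.1.1", (100, 65410)),           # from PE4, MED left at the default
    Path("10.3.1.1", (100, 65410), med=120),  # from PE3, policy1 applies cost 120
]

# CE1's two paths to 22.22.22.22/32 (constructed: no MED policy on PE1 or PE2).
CE1_PATHS = [
    Path("10.1.1.2", (100, 65420)),
    Path("10.2.1.2", (100, 65420)),
]

if __name__ == "__main__":
    cases = (
        ("CE2, default", CE2_PATHS, 1),
        ("CE2, load balancing 2", CE2_PATHS, 2),
        ("CE1, load balancing 2", CE1_PATHS, 2),
        ("CE1, default", CE1_PATHS, 1),
    )
    for label, paths, limit in cases:
        best, installed = select(paths, limit)
        print(f"{label}: best via {best.next_hop}, installed {installed}")
```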

Configuration Files
• Configuration file of CE1
#
sysname CE1
#
interface Gigabitethernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.252
#
interface Gigabitethernet2/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.252
#
interface Loopback1
undo shutdown
ip address 11.11.11.11 255.255.255.255
#
bgp 65410
peer 10.1.1.2 as-number 100
peer 10.2.1.2 as-number 100
network 11.11.11.11 255.255.255.255
#
ipv4-family unicast
undo synchronization
maximum load-balancing 2
peer 10.1.1.2 enable
peer 10.2.1.2 enable
#
return

• Configuration file of PE1


#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0001.00
#
interface Gigabitethernet1/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.252
#
interface Pos2/0/0
link-protocol ppp
undo shutdown
ip address 100.1.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
isis enable 1
#
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 65410
#
return

• Configuration file of PE2


#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.2
#
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0002.00
#
interface Gigabitethernet1/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.252
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 100.2.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
isis enable 1
#
bgp 100
peer 4.4.4.4 as-number 100
peer 4.4.4.4 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 4.4.4.4 enable
#
ipv4-family vpnv4
policy vpn-target
peer 4.4.4.4 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 65410
#
return

• Configuration file of P1
#
sysname P1
#
mpls lsr-id 5.5.5.5
#
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0005.00
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.1.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 100.3.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface LoopBack1
ip address 5.5.5.5 255.255.255.255
isis enable 1
#
return
• Configuration file of P2
#
sysname P2
#
mpls lsr-id 6.6.6.6
#
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0006.00
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.2.1.2 255.255.255.252
mpls
mpls ldp
isis enable 1
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 100.4.1.1 255.255.255.252
mpls
mpls ldp
isis enable 1
#
interface LoopBack1
ip address 6.6.6.6 255.255.255.255
isis enable 1
#
return
• Configuration file of PE3
#
sysname PE3
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:3
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 3.3.3.3
#
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0003.00
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.3.1.2 255.255.255.252
mpls
mpls ldp
isis enable 1
#
interface Gigabitethernet2/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 10.3.1.1 255.255.255.252
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
isis enable 1
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
peer 10.3.1.2 as-number 65420
peer 10.3.1.2 route-policy policy1 export
#
route-policy policy1 permit node 10
apply cost 120
#
return
• Configuration file of PE4
#
sysname PE4
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:4
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 4.4.4.4
#
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0004.00
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.4.1.2 255.255.255.252
mpls
mpls ldp
isis enable 1
#
interface Gigabitethernet2/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 10.4.1.1 255.255.255.252
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
isis enable 1
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpn1
peer 10.4.1.2 as-number 65420
#
return

• Configuration file of CE2


#
sysname CE2
#
interface Gigabitethernet1/0/0
undo shutdown
ip address 10.3.1.2 255.255.255.252
#
interface Gigabitethernet2/0/0
undo shutdown
ip address 10.4.1.2 255.255.255.252
#
interface Loopback1
undo shutdown
ip address 22.22.22.22 255.255.255.255
#
bgp 65420
peer 10.3.1.1 as-number 100
peer 10.4.1.1 as-number 100
network 22.22.22.22 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.3.1.1 enable
peer 10.4.1.1 enable
#
return

2.18.5 Example for Configuring Double RRs for the Optimization of the VPN Backbone Layer
If a great number of MP-IBGP connections exist between PEs, you can configure RRs to reduce
the number of MP-IBGP connections and the workload of PEs, thus optimizing the VPN
backbone layer.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

When deploying a VPN, you can configure double route reflectors (RRs) on the VPN to improve
reliability. To achieve this, you need to select two RRs from the Ps in the same AS on the
backbone network and ensure that the two RRs back up each other and reflect routes of the public
network and VPNv4.


Figure 2-28 Networking of configuring double RRs for the optimization of the VPN backbone
layer
[Topology figure: in AS100, RR1 (Loopback1 2.2.2.9/32), RR2 (Loopback1 3.3.3.9/32), PE1
(Loopback1 1.1.1.9/32), and PE2 (Loopback1 4.4.4.9/32) are interconnected over POS links.
CE1 (AS65410, Loopback1 11.11.11.11/32) attaches to PE1 and CE2 (AS65420, Loopback1
22.22.22.22/32) attaches to PE2.]

As shown in Figure 2-28, PE1, PE2, RR1, and RR2 are within AS100 of the backbone network.
CE1 and CE2 belong to vpna. It is required that RR1 and RR2 be configured as RRs.

Configuration Notes
When configuring double RRs for the optimization of the VPN backbone layer, note the
following:

• The RRs do not filter the received VPNv4 routes based on VPN targets.
• The RRs that back up each other are configured with the same cluster ID.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure an IGP, enable MPLS and MPLS LDP, and set up LDP LSPs on the MPLS
backbone network.
2. Set up MP-IBGP connections between the PEs and RRs. There is no need to set up an
MP-IBGP connection between PEs.
3. Set up an EBGP connection between each PE and CE.
4. Configure RR1 and RR2 to back up each other and configure them with the same cluster
ID.
5. Configure RR1 and RR2 to receive all VPNv4 routing information without filtering the
information based on VPN targets because RR1 and RR2 must save all VPNv4 routing
information and advertise it to PEs.


NOTE

On the VPN with double RRs, there must be at least two paths not sharing the same network segment or
node between each RR and PE. Otherwise, the double RRs are inapplicable.

Data Preparation
To complete the configuration, you need the following data:
• MPLS LSR IDs of the PEs and RRs
• Names, RDs, and VPN targets of the VPN instances on PE1 and PE2
• AS numbers of the PEs and CEs
• BGP peer group name

Configuration Procedures
1. Configure an IGP on the MPLS backbone network to implement interworking of devices
along the LSP.
In this example, OSPF is used as the IGP protocol. For details, see "Configuration Files."
NOTE

The IP addresses of loopback interfaces that are used as LSR IDs need to be advertised.
After the configuration, the devices along the LSP can learn the address of the loopback
interface from each other.
Take the display on PE1 as an example.
<PE1> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 15 Routes : 17
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.9/32 Direct 0 0 D 127.0.0.1 InLoopBack0
2.2.2.9/32 OSPF 10 2 D 100.1.2.2 Pos1/0/0
3.3.3.9/32 OSPF 10 2 D 100.1.3.2 Pos3/0/0
4.4.4.9/32 OSPF 10 3 D 100.1.3.2 Pos3/0/0
OSPF 10 3 D 100.1.2.2 Pos1/0/0
100.1.2.0/24 Direct 0 0 D 100.1.2.1 Pos1/0/0
100.1.2.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
100.1.2.2/32 Direct 0 0 D 100.1.2.2 Pos1/0/0
100.1.3.0/24 Direct 0 0 D 100.1.3.1 Pos3/0/0
100.1.3.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
100.1.3.2/32 Direct 0 0 D 100.1.3.2 Pos3/0/0
100.2.3.0/24 OSPF 10 2 D 100.1.3.2 Pos3/0/0
OSPF 10 2 D 100.1.2.2 Pos1/0/0
100.2.4.0/24 OSPF 10 2 D 100.1.2.2 Pos1/0/0
100.3.4.0/24 OSPF 10 2 D 100.1.3.2 Pos3/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

2. Set up LSPs on the MPLS backbone network.


Enable MPLS and MPLS LDP on the devices and interfaces along the LSP. For details,
see "Configuration Files."
After the configuration, run the display mpls ldp session command on the PEs and RRs,
and you can view that the Status field is displayed as Operational.
Take the display on PE1 and RR1 as an example:
<PE1> display mpls ldp session
LDP Session(s) in Public Network
----------------------------------------------------------------------
Peer-ID Status LAM SsnRole SsnAge KA-Sent/Rcv
----------------------------------------------------------------------
2.2.2.9:0 Operational DU Passive 000:00:01 8/8
3.3.3.9:0 Operational DU Passive 000:00:00 4/4
----------------------------------------------------------------------
TOTAL: 2 session(s) Found.
LAM : Label Advertisement Mode SsnAge Unit : DDD:HH:MM
<RR1> display mpls ldp session
LDP Session(s) in Public Network
----------------------------------------------------------------------
Peer-ID Status LAM SsnRole SsnAge KA-Sent/Rcv
----------------------------------------------------------------------
1.1.1.9:0 Operational DU Active 000:00:02 11/11
3.3.3.9:0 Operational DU Passive 000:00:01 8/8
4.4.4.9:0 Operational DU Passive 000:00:00 4/4
----------------------------------------------------------------------
TOTAL: 3 session(s) Found.
LAM : Label Advertisement Mode SsnAge Unit : DDD:HH:MM
3. Set up the MP-IBGP peer relationship between each PE and RR.
# Configure PE1.
<PE1> system-view
[~PE1] bgp 100
[~PE1-bgp] peer 2.2.2.9 as-number 100
[~PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[~PE1-bgp] peer 3.3.3.9 as-number 100
[~PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[~PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[~PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit
# Configure RR1.
<RR1> system-view
[~RR1] bgp 100
[~RR1-bgp] peer 1.1.1.9 as-number 100
[~RR1-bgp] peer 1.1.1.9 connect-interface loopback 1
[~RR1-bgp] peer 3.3.3.9 as-number 100
[~RR1-bgp] peer 3.3.3.9 connect-interface loopback 1
[~RR1-bgp] peer 4.4.4.9 as-number 100
[~RR1-bgp] peer 4.4.4.9 connect-interface loopback 1
[~RR1-bgp] ipv4-family vpnv4
[~RR1-bgp-af-vpnv4] peer 1.1.1.9 enable
[~RR1-bgp-af-vpnv4] peer 3.3.3.9 enable
[~RR1-bgp-af-vpnv4] peer 4.4.4.9 enable
[~RR1-bgp-af-vpnv4] commit
[~RR1-bgp-af-vpnv4] quit
[~RR1-bgp] quit
# Configure RR2.
<RR2> system-view
[~RR2] bgp 100
[~RR2-bgp] peer 1.1.1.9 as-number 100
[~RR2-bgp] peer 1.1.1.9 connect-interface loopback 1
[~RR2-bgp] peer 2.2.2.9 as-number 100
[~RR2-bgp] peer 2.2.2.9 connect-interface loopback 1
[~RR2-bgp] peer 4.4.4.9 as-number 100
[~RR2-bgp] peer 4.4.4.9 connect-interface loopback 1
[~RR2-bgp] ipv4-family vpnv4
[~RR2-bgp-af-vpnv4] peer 1.1.1.9 enable
[~RR2-bgp-af-vpnv4] peer 2.2.2.9 enable
[~RR2-bgp-af-vpnv4] peer 4.4.4.9 enable
[~RR2-bgp-af-vpnv4] commit
[~RR2-bgp-af-vpnv4] quit
[~RR2-bgp] quit
# Configure PE2.
The configuration of PE2 is similar to the configuration of PE1, and is not mentioned here.


After the configuration, run the display bgp vpnv4 all peer command on the PEs, and you
can view that the IBGP peer relationship is established between each PE and RR, and the
EBGP peer relationship is established between each PE and CE.
Take the display on PE1 and RR1 as an example.
<PE1> display bgp vpnv4 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 3 Peers in established state : 3
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2.2.2.9 4 100 2 4 0 00:00:31 Established 0
3.3.3.9 4 100 3 5 0 00:01:23 Established 0

4. Set up the EBGP peer relationships between the PEs and CEs and import VPN routes.
For details, see 2.18.1 Example for Configuring BGP/MPLS IP VPN.
5. Configure a VPN instance enabled with the IPv4 address family on each PE.
For details, see 2.18.1 Example for Configuring BGP/MPLS IP VPN.
6. Configure route reflection on RR1 and RR2.
# Configure RR1.
[~RR1] bgp 100
[~RR1-bgp] ipv4-family vpnv4
[~RR1-bgp-af-vpnv4] reflector cluster-id 100
[~RR1-bgp-af-vpnv4] peer 1.1.1.9 reflect-client
[~RR1-bgp-af-vpnv4] peer 3.3.3.9 reflect-client
[~RR1-bgp-af-vpnv4] peer 4.4.4.9 reflect-client
[~RR1-bgp-af-vpnv4] undo policy vpn-target
[~RR1-bgp-af-vpnv4] commit
[~RR1-bgp-af-vpnv4] quit

# Configure RR2.
[~RR2] bgp 100
[~RR2-bgp] ipv4-family vpnv4
[~RR2-bgp-af-vpnv4] reflector cluster-id 100
[~RR2-bgp-af-vpnv4] peer 1.1.1.9 reflect-client
[~RR2-bgp-af-vpnv4] peer 2.2.2.9 reflect-client
[~RR2-bgp-af-vpnv4] peer 4.4.4.9 reflect-client
[~RR2-bgp-af-vpnv4] undo policy vpn-target
[~RR2-bgp-af-vpnv4] commit
[~RR2-bgp-af-vpnv4] quit

7. Verify the configuration.


Check the VPN routing table on the PEs, and you can view routes to the loopback interfaces
of the remote CEs.
Take the display on PE1 as an example.
<PE1> display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost Flags NextHop Interface
11.11.11.11/32 BGP 255 0 RD 10.1.1.1 Pos2/0/0
22.22.22.22/32 BGP 255 0 RD 4.4.4.9 Pos3/0/0

CE1 and CE2 can successfully ping each other. This indicates that the configuration
succeeds.
After the shutdown command is run in the view of POS 3/0/0 on PE1 or POS 3/0/0 on
PE2, CE1 and CE2 can still successfully ping each other. This indicates that the two RRs
are successfully configured.
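
One way to check saved configurations against the Configuration Notes and roadmap above before relying on the ping test, as an added example that is not part of the Huawei guide: the script verifies that the RRs share one cluster ID, that each RR has undo policy vpn-target, and that every PE has a VPNv4 session to both RRs and is their reflect client. The parse() and audit() helpers are hypothetical, the sample configurations are excerpts of this example's configuration files plus a constructed broken RR2, and the MPLS LSR ID is assumed to be the peering address, as it is in those files.

```python
import re


def parse(cfg):
    """Extract the LSR ID and the 'ipv4-family vpnv4' settings of one device."""
    info = {"lsr_id": None, "cluster_id": None, "no_rt_filter": False,
            "enabled": set(), "clients": set()}
    in_vpnv4 = False
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "#":                      # '#' closes every config section
            in_vpnv4 = False
        elif line.startswith("mpls lsr-id "):
            info["lsr_id"] = line.split()[2]
        elif line == "ipv4-family vpnv4":
            in_vpnv4 = True
        elif in_vpnv4:
            if line.startswith("reflector cluster-id "):
                info["cluster_id"] = line.split()[2]
            elif line == "undo policy vpn-target":
                info["no_rt_filter"] = True
            else:
                m = re.fullmatch(r"peer (\S+) (enable|reflect-client)", line)
                if m:
                    key = "enabled" if m.group(2) == "enable" else "clients"
                    info[key].add(m.group(1))
    return info


def audit(configs, rrs):
    """Return a list of findings; an empty list means the design rules hold."""
    parsed = {name: parse(cfg) for name, cfg in configs.items()}
    findings = []
    ids = {parsed[r]["cluster_id"] for r in rrs}
    if len(ids) != 1 or None in ids:
        findings.append("RR cluster IDs differ or are missing: "
                        + ", ".join(sorted(str(i) for i in ids)))
    for r in rrs:
        if not parsed[r]["no_rt_filter"]:
            findings.append(f"{r}: 'undo policy vpn-target' missing, so VPNv4 "
                            "routes without a local import target are dropped")
    for pe in (n for n in configs if n not in rrs):
        for r in rrs:
            if parsed[r]["lsr_id"] not in parsed[pe]["enabled"]:
                findings.append(f"{pe}: no VPNv4 peer enabled toward {r}")
            if parsed[pe]["lsr_id"] not in parsed[r]["clients"]:
                findings.append(f"{r}: {pe} is not configured as reflect-client")
    return findings


def pe_cfg(lsr_id):
    # Excerpt of the PE configuration files in this example.
    return (f"mpls lsr-id {lsr_id}\n#\nbgp 100\n#\nipv4-family vpnv4\n"
            "policy vpn-target\npeer 2.2.2.9 enable\npeer 3.3.3.9 enable\n#\n")


def rr_cfg(lsr_id, peers):
    # Excerpt of the RR configuration files in this example.
    lines = [f"mpls lsr-id {lsr_id}", "#", "bgp 100", "#", "ipv4-family vpnv4",
             "reflector cluster-id 100", "undo policy vpn-target"]
    for p in peers:
        lines += [f"peer {p} enable", f"peer {p} reflect-client"]
    return "\n".join(lines + ["#"]) + "\n"


GOOD = {
    "PE1": pe_cfg("1.1.1.9"),
    "RR1": rr_cfg("2.2.2.9", ["1.1.1.9", "3.3.3.9", "4.4.4.9"]),
    "RR2": rr_cfg("3.3.3.9", ["1.1.1.9", "2.2.2.9", "4.4.4.9"]),
    "PE2": pe_cfg("4.4.4.9"),
}

# Constructed faulty variant: RR2 has another cluster ID, still filters on
# VPN targets, and has lost PE2 as a reflect client.
BAD = dict(GOOD, RR2=GOOD["RR2"]
           .replace("reflector cluster-id 100", "reflector cluster-id 200")
           .replace("undo policy vpn-target\n", "")
           .replace("peer 4.4.4.9 reflect-client\n", ""))

if __name__ == "__main__":
    for label, cfgs in (("as documented", GOOD), ("faulty RR2", BAD)):
        print(label, "->", audit(cfgs, ["RR1", "RR2"]) or "no findings")
```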


Configuration Files
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.1.2.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 100.1.3.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 100.1.2.0 0.0.0.255
network 100.1.3.0 0.0.0.255
#
return

• Configuration file of RR1
#
sysname RR1
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.1.2.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 100.2.3.1 255.255.255.0
mpls
mpls ldp
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 100.2.4.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface loopback 1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface loopback 1
peer 4.4.4.9 as-number 100
peer 4.4.4.9 connect-interface loopback 1
#
ipv4-family unicast
undo synchronization
peer 4.4.4.9 enable
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
reflector cluster-id 100
undo policy vpn-target
peer 1.1.1.9 enable
peer 1.1.1.9 reflect-client
peer 3.3.3.9 enable
peer 3.3.3.9 reflect-client
peer 4.4.4.9 enable
peer 4.4.4.9 reflect-client
#
ospf 1
area 0.0.0.0
network 100.1.2.0 0.0.0.255
network 100.2.3.0 0.0.0.255
network 100.2.4.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
• Configuration file of RR2
#
sysname RR2
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.2.3.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 100.3.4.1 255.255.255.0
mpls
mpls ldp
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 100.1.3.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
peer 4.4.4.9 as-number 100
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 2.2.2.9 enable
peer 4.4.4.9 enable
#
ipv4-family vpnv4
reflector cluster-id 100
undo policy vpn-target
peer 1.1.1.9 enable
peer 1.1.1.9 reflect-client
peer 2.2.2.9 enable
peer 2.2.2.9 reflect-client
peer 4.4.4.9 enable
peer 4.4.4.9 reflect-client
#
ospf 1
area 0.0.0.0
network 100.2.3.0 0.0.0.255
network 100.3.4.0 0.0.0.255
network 100.1.3.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 4.4.4.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.3.4.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpna
ip address 10.2.1.2 255.255.255.0
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 100.2.4.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 10.2.1.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 100.3.4.0 0.0.0.255
network 100.2.4.0 0.0.0.255
#
return
• Configuration file of CE1
#
sysname CE1
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 11.11.11.11 255.255.255.255
#
bgp 65410
peer 10.1.1.2 as-number 100
network 11.11.11.11 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
#
return

• Configuration file of CE2
#
sysname CE2
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.2.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 22.22.22.22 255.255.255.255
#
bgp 65420
peer 10.2.1.2 as-number 100
network 22.22.22.22 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.2.1.2 enable
#
return

Related Tasks
2.5 Configuring Route Reflection to Optimize the VPN Backbone Layer

2.18.6 Example for Configuring an RR for the Optimization of the VPN Access Layer
If a PE and its connected CEs are in the same AS, you can deploy a BGP RR to reduce the
number of IBGP connections between the CEs and facilitate maintenance and management.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, an interface is numbered in the format of chassis ID/
slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

Figure 2-29 shows the networking of a BGP/MPLS IP VPN. CE1, CE2, CE3, and CE4 belong
to vpna. CE1, CE2, CE3, and PE1 are in the same AS, and all three CEs are connected to
PE1. PE1 must be configured as an RR to reflect private routes among CE1, CE2, and CE3,
which reduces the number of IBGP connections between them.


Figure 2-29 Networking for configuring an RR for the optimization of the VPN access layer
[Figure: CE1 (Loopback1 11.11.11.11/32), CE2 (Loopback1 22.22.22.22/32), and CE3 (Loopback1
33.33.33.33/32) each connect over a GE link to PE1 (Loopback1 1.1.1.1/32). PE1 POS1/0/0
connects across the MPLS backbone (AS 100) to PE2 POS1/0/0 (Loopback1 2.2.2.2/32), and CE4
(Loopback1 44.44.44.44/32) connects to PE2 over GE1/0/0. Interface addresses are listed in
the configuration files.]

Configuration Notes
When configuring an RR for the optimization of the VPN access layer, note the following:

• The interfaces that connect PE1 to CE1, CE2, and CE3 are bound to the same VPN instance.
• PE1, CE1, CE2, and CE3 are in the same AS.
• An IBGP connection is set up between PE1 and each of CE1, CE2, and CE3, and the direct
  routes of PE1 are imported into the BGP VPN instance IPv4 address family so that a route
  from one CE can be iterated to its next hop when it is reflected to the other CEs.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure basic BGP/MPLS IP VPN functions.
2. Set up an IBGP connection between PE1 and each of CE1, CE2, and CE3.
3. Configure PE1 as an RR to reflect routes from each CE.

Data Preparation
To complete the configuration, you need the following data:

• MPLS LSR IDs of PEs
• Names, RDs, and VPN targets of the VPN instances on PE1 and PE2
• AS numbers of the PEs and CEs


Configuration Procedures
1. Configure an IGP on the MPLS backbone network so that the PEs can learn the routes to
the loopback interfaces of each other. The detailed configuration is not mentioned here.
For details, see "Configuration Files."
2. Set up an LSP on the MPLS backbone network.
Enable MPLS and MPLS LDP on the devices and interfaces along the LSP. For details,
see "Configuration Files."
After the configuration, run the display mpls ldp session command on the PEs, and you
can view that the Status field is displayed as Operational.
Take the display on PE1 as an example.
<PE1> display mpls ldp session
LDP Session(s) in Public Network
--------------------------------------------------------------------------
Peer-ID Status LAM SsnRole SsnAge KA-Sent/Rcv
--------------------------------------------------------------------------
2.2.2.2:0 Operational DU Passive 011:19:20 67949/67949
--------------------------------------------------------------------------
TOTAL: 1 Session(s) Found.
LAM : Label Advertisement Mode SsnAge Unit : DDD:HH:MM

3. Set up MP-IBGP peer relationships between the PEs.


# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] peer 2.2.2.2 as-number 100
[~PE1-bgp] peer 2.2.2.2 connect-interface loopback 1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 2.2.2.2 enable
[~PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit

# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] peer 1.1.1.1 as-number 100
[~PE2-bgp] peer 1.1.1.1 connect-interface loopback 1
[~PE2-bgp] ipv4-family vpnv4
[~PE2-bgp-af-vpnv4] peer 1.1.1.1 enable
[~PE2-bgp-af-vpnv4] commit
[~PE2-bgp-af-vpnv4] quit
[~PE2-bgp] quit

After the configuration, run the display bgp vpnv4 all peer command on the PEs, and you
can view that MP-IBGP peer relationships have been established between the PEs and CEs.
<PE1> display bgp vpnv4 all peer

 BGP local router ID : 1.1.1.1
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1

  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
  2.2.2.2         4   100     1633     1641     0 27:09:46 Established       0

4. Configure a VPN instance enabled with the IPv4 address family on each PE and bind the
PE interfaces that connect to the CEs to the VPN instance.
# Configure PE1, and bind the PE1 interfaces that connect to the CEs to the same VPN
instance.
[~PE1] ip vpn-instance vpna
[~PE1-vpn-instance-vpna] ipv4-family
[~PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[~PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] interface gigabitethernet 1/0/0
[~PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[~PE1-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[~PE1-GigabitEthernet1/0/0] quit
[~PE1] interface gigabitethernet 2/0/0
[~PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[~PE1-GigabitEthernet2/0/0] ip address 10.2.1.1 24
[~PE1-GigabitEthernet2/0/0] quit
[~PE1] interface gigabitethernet 3/0/0
[~PE1-GigabitEthernet3/0/0] ip binding vpn-instance vpna
[~PE1-GigabitEthernet3/0/0] ip address 10.3.1.1 24
[~PE1-GigabitEthernet3/0/0] quit
[~PE1] commit

# Configure PE2.
[~PE2] ip vpn-instance vpna
[~PE2-vpn-instance-vpna] ipv4-family
[~PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[~PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE2-vpn-instance-vpna-af-ipv4] quit
[~PE2-vpn-instance-vpna] quit
[~PE2] interface gigabitethernet 1/0/0
[~PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[~PE2-GigabitEthernet1/0/0] ip address 10.4.1.1 24
[~PE2-GigabitEthernet1/0/0] quit
[~PE2] commit

# After the configuration, run the display ip vpn-instance verbose command on PEs to
view the configurations of VPN instances.
Take the display on PE1 as an example.
<PE1> display ip vpn-instance verbose
Total VPN-Instances configured : 1

VPN-Instance Name and ID : vpna, 1
Interfaces : GigabitEthernet1/0/0,
             GigabitEthernet2/0/0,
             GigabitEthernet3/0/0
Address family ipv4
Create date : 2009/12/06 15:39:50
Up time : 0 days, 00 hours, 02 minutes and 22 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label policy : label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe

5. Set up an IBGP peer relationship between PE1 and each of CE1, CE2, and CE3.
# Configure PE1 as an IBGP peer for each of CE1, CE2, and CE3, and import direct routes
to the BGP VPN instance IPv4 address family routing table of PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpna
[~PE1-bgp-vpna] peer 10.1.1.2 as-number 100
[~PE1-bgp-vpna] peer 10.2.1.2 as-number 100
[~PE1-bgp-vpna] peer 10.3.1.2 as-number 100
[~PE1-bgp-vpna] import-route direct
[~PE1-bgp-vpna] commit
[~PE1-bgp-vpna] quit

# Configure CE1.
[~CE1] interface loopback 1
[~CE1-Loopback1] ip address 11.11.11.11 32
[~CE1-Loopback1] quit
[~CE1] bgp 100
[~CE1-bgp] peer 10.1.1.1 as-number 100
[~CE1-bgp] network 11.11.11.11 32
[~CE1-bgp] commit

# Configure CE2.
[~CE2] interface loopback 1
[~CE2-Loopback1] ip address 22.22.22.22 32
[~CE2-Loopback1] quit
[~CE2] bgp 100
[~CE2-bgp] peer 10.2.1.1 as-number 100
[~CE2-bgp] network 22.22.22.22 32
[~CE2-bgp] commit

# Configure CE3.
[~CE3] interface loopback 1
[~CE3-Loopback1] ip address 33.33.33.33 32
[~CE3-Loopback1] quit
[~CE3] bgp 100
[~CE3-bgp] peer 10.3.1.1 as-number 100
[~CE3-bgp] network 33.33.33.33 32
[~CE3-bgp] commit

After the configuration, run the display bgp vpnv4 vpn-instance peer command on PE1,
and you can view that the IBGP peer relationship is set up between PE1 and each of CE1,
CE2, and CE3.
<PE1> display bgp vpnv4 vpn-instance vpna peer

 BGP local router ID : 10.1.1.1
 Local AS number : 100
 Total number of peers : 3                 Peers in established state : 3

  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
  10.1.1.2        4   100     1058     1058     0 17:37:22 Established       0
  10.2.1.2        4   100        3        3     0 00:01:56 Established       0
  10.3.1.2        4   100        2        2     0 00:00:32 Established       0

6. Configure route reflection on PE1.


# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpna
[~PE1-bgp-vpna] peer 10.1.1.2 reflect-client
[~PE1-bgp-vpna] peer 10.2.1.2 reflect-client
[~PE1-bgp-vpna] peer 10.3.1.2 reflect-client
[~PE1-bgp-vpna] commit

7. Verify the configuration.


Run the display ip routing-table command on each CE, and you can view that there are
routes to the loopback interfaces of the other CEs. Take the display on CE2 as an example.
<CE2> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : _public_
Destinations : 14 Routes : 14

Destination/Mask    Proto   Pre  Cost  Flags  NextHop     Interface

10.1.1.0/24         BGP     255  0     RD     10.2.1.1    GigabitEthernet1/0/0
10.1.1.1/32         BGP     255  0     RD     10.1.1.2    GigabitEthernet1/0/0
10.1.1.2/32         BGP     255  0     RD     10.2.1.1    GigabitEthernet1/0/0
10.2.1.0/24         Direct  0    0     D      10.2.1.2    GigabitEthernet1/0/0
10.2.1.1/32         Direct  0    0     D      10.2.1.1    GigabitEthernet1/0/0
10.2.1.2/32         Direct  0    0     D      127.0.0.1   GigabitEthernet1/0/0
10.3.1.0/24         BGP     255  0     RD     10.2.1.1    GigabitEthernet1/0/0
11.11.11.11/32      BGP     255  0     RD     10.1.1.2    GigabitEthernet1/0/0
22.22.22.22/32      Direct  0    0     D      127.0.0.1   GigabitEthernet1/0/0
33.33.33.33/32      BGP     255  0     RD     10.3.1.2    GigabitEthernet1/0/0
44.44.44.44/32      BGP     255  0     RD     10.2.1.1    GigabitEthernet1/0/0
127.0.0.0/8         Direct  0    0     D      127.0.0.1   InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1   InLoopBack0
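
The CE2 routing table above shows reflected routes keeping the originating CE as next hop (11.11.11.11/32 via 10.1.1.2), which is why the Configuration Notes require `import-route direct` on PE1. The following Python model is an added example, not part of the Huawei guide; it uses this example's addresses, assumes /24 link masks, and its function names are hypothetical.

```python
import ipaddress

# Constructed model of this example's access layer: each CE's advertised
# loopback and its address on the link to PE1 (values from the configuration files).
CES = {
    "CE1": ("11.11.11.11/32", "10.1.1.2"),
    "CE2": ("22.22.22.22/32", "10.2.1.2"),
    "CE3": ("33.33.33.33/32", "10.3.1.2"),
}
# PE1's VPN-side subnets and PE1's own address in each of them.
PE1_DIRECT = {
    "10.1.1.0/24": "10.1.1.1",
    "10.2.1.0/24": "10.2.1.1",
    "10.3.1.0/24": "10.3.1.1",
}
ALL_CLIENTS = {"CE1", "CE2", "CE3"}


def _contains(prefix, address):
    """True if the address falls inside the prefix."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(prefix)


def routes_sent_to(ce, reflect_clients, import_direct):
    """(prefix, next_hop) pairs that PE1 advertises to one CE over IBGP."""
    routes = []
    for source, (loopback, source_addr) in CES.items():
        # An IBGP-learned route reaches another IBGP peer only by reflection,
        # that is, when the source or the receiver is a reflect-client.
        if source != ce and (source in reflect_clients or ce in reflect_clients):
            routes.append((loopback, source_addr))  # next hop is left unchanged
    if import_direct:
        ce_addr = CES[ce][1]
        pe1_addr = next(a for p, a in PE1_DIRECT.items() if _contains(p, ce_addr))
        # Routes that PE1 originates itself carry PE1's address as next hop.
        routes += [(p, pe1_addr) for p in PE1_DIRECT if not _contains(p, ce_addr)]
    return routes


def installed_routes(ce, reflect_clients, import_direct):
    """BGP routes the CE can use: the next hop must lie on the CE's connected
    subnet or be covered by a route that is already installed (iteration)."""
    connected = str(ipaddress.ip_interface(CES[ce][1] + "/24").network)
    pending = routes_sent_to(ce, reflect_clients, import_direct)
    table = {}
    progress = True
    while progress:  # repeat until no further next hop can be resolved
        progress = False
        for prefix, next_hop in pending:
            if prefix in table:
                continue
            if _contains(connected, next_hop) or any(_contains(p, next_hop) for p in table):
                table[prefix] = next_hop
                progress = True
    return table


if __name__ == "__main__":
    cases = [
        ("reflection + import-route direct", ALL_CLIENTS, True),
        ("reflection only", ALL_CLIENTS, False),
        ("import-route direct only", set(), True),
    ]
    for label, clients, direct in cases:
        print(f"{label}: {installed_routes('CE2', clients, direct)}")
```

With reflection but without the imported direct routes, CE2 receives the other CEs' loopbacks but cannot resolve their next hops, so none of them is installed.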

Configuration Files
• Configuration file of CE1

#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 11.11.11.11 255.255.255.255
#
bgp 100
peer 10.1.1.1 as-number 100
network 11.11.11.11 255.255.255.255
#
ipv4-family unicast
peer 10.1.1.1 enable
#
return

• Configuration file of CE2

#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 22.22.22.22 255.255.255.255
#
bgp 100
peer 10.2.1.1 as-number 100
network 22.22.22.22 255.255.255.255
#
ipv4-family unicast
peer 10.2.1.1 enable
#
return

• Configuration file of CE3
#
sysname CE3
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.3.1.2 255.255.255.0
#
interface LoopBack1
ip address 33.33.33.33 255.255.255.255
#
bgp 100
peer 10.3.1.1 as-number 100
network 33.33.33.33 255.255.255.255
#
ipv4-family unicast
peer 10.3.1.1 enable
#
return
• Configuration file of PE1
#
sysname PE1
#
mpls lsr-id 1.1.1.1
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.3.1.1 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
mpls
mpls ldp
ip address 100.3.1.1 255.255.255.0
#
interface LoopBack1
undo shutdown
ip address 1.1.1.1 255.255.255.255
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 100.3.1.0 0.0.0.255
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
#
ipv4-family unicast
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.2 as-number 100
peer 10.2.1.2 as-number 100
peer 10.3.1.2 as-number 100
peer 10.1.1.2 reflect-client
peer 10.2.1.2 reflect-client
peer 10.3.1.2 reflect-client
import-route direct
#
return
• Configuration file of PE2
#
sysname PE2
#
mpls lsr-id 2.2.2.2
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.4.1.1 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
mpls
mpls ldp
ip address 100.3.1.2 255.255.255.0
#
interface LoopBack1
undo shutdown
ip address 2.2.2.2 255.255.255.255
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpna
peer 10.4.1.2 as-number 65410
#
return
• Configuration file of CE4
#
sysname CE4
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.4.1.2 255.255.255.0
#
interface LoopBack1
ip address 44.44.44.44 255.255.255.255
#
bgp 65410
peer 10.4.1.1 as-number 100
network 44.44.44.44 255.255.255.255
#
ipv4-family unicast
peer 10.4.1.1 enable
#
return

Related Tasks
2.5 Configuring Route Reflection to Optimize the VPN Backbone Layer

2.18.7 Example for Configuring Hub and Spoke


In Hub and Spoke networking, an access control device is specified in the VPN, and users
communicate with each other through this device.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, an interface is numbered in the format of chassis ID/
slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

As shown in Figure 2-30, communication between the Spoke-CEs is controlled by the Hub-CE
at the central site. That is, traffic between Spoke-CEs is forwarded through the Hub-CE,
not only through the Hub-PE.


Figure 2-30 Diagram of the Hub and Spoke networking
[Figure: Hub-CE (AS 65430, Loopback1 33.33.33.33/32) connects through GE1/0/0 110.1.1.1/24
and GE2/0/0 110.2.1.1/24 to Hub-PE GE3/0/0 110.1.1.2/24 and GE4/0/0 110.2.1.2/24. Hub-PE
(Loopback1 2.2.2.9/32) connects across the backbone (AS 100) over POS1/0/0 10.1.1.2/24 to
Spoke-PE1 POS2/0/0 10.1.1.1/24 and over POS2/0/0 11.1.1.2/24 to Spoke-PE2 POS2/0/0
11.1.1.1/24. Spoke-PE1 (Loopback1 1.1.1.9/32, GE1/0/0 100.1.1.2/24) connects to Spoke-CE1
(AS 65410, GE1/0/0 100.1.1.1/24, Loopback1 11.11.11.11/32). Spoke-PE2 (Loopback1 3.3.3.9/32,
GE1/0/0 120.1.1.2/24) connects to Spoke-CE2 (AS 65420, GE1/0/0 120.1.1.1/24, Loopback1
22.22.22.22/32).]

Configuration Notes
When configuring Hub and Spoke, note the following:

• The import target and export target configured on a Spoke-PE are different.
• Two VPN instances (vpn_in and vpn_out) are created on the Hub-PE. The VPN targets
  received by vpn_in are the VPN targets advertised by the two Spoke-PEs; the VPN targets
  advertised by vpn_out are the VPN targets received by the two Spoke-PEs and are different
  from the VPN targets received by vpn_in.
• The Hub-PE is configured to accept the routes whose AS number is repeated once in the
  AS_Path attribute.

Configuration Roadmap
The configuration roadmap is as follows:

1. Establish MP-IBGP peer relationships between the Hub-PE and Spoke-PEs. There is no
need to establish the MP-IBGP peer relationship or exchange VPN route information
between the two Spoke-PEs.
2. Create VPN instances and VPN targets on PEs.
3. Configure EBGP connections between CEs and PEs.

Data Preparation
To complete the configuration, you need the following data:
• MPLS LSR ID of each PE
• Names, RDs, and VPN targets of the VPN instances of the Hub-PE and Spoke-PEs

Procedure
Step 1 Configure an IGP on the MPLS backbone network for the interworking between the Hub-PE
and Spoke-PEs.
In this example, OSPF is used as the IGP protocol. For details, see "Configuration Files."
After the configuration, the OSPF neighbor relationships have been set up between the Hub-PE
and Spoke-PEs. Run the display ospf peer command, and you can view that the neighbor status
is Full. Run the display ip routing-table command, and you can view that the Hub-PE and
Spoke-PEs have learnt the routes to the loopback interface of each other.
Step 2 Configure basic MPLS functions and MPLS LDP, and set up LDP LSPs on the MPLS backbone
network.
For details, see "Configuration Files."
After the configuration, LDP neighbor relationships have been set up between the Hub-PE and
Spoke-PEs. Run the display mpls ldp session command on routers, and you can view that the
Session Status field is displayed as Operational.
Step 3 Configure VPN instances enabled with the IPv4 address family on the PEs and connect the CEs
to PEs.
NOTE

The import target of a VPN on the Hub-PE must contain the export target attributes of all Spoke-PEs.
The export target of another VPN on the Hub-PE must contain the import target attributes of all Spoke-
PEs.

# Configure Spoke-PE1.
<Spoke-PE1> system-view
[~Spoke-PE1] ip vpn-instance vpna
[~Spoke-PE1-vpn-instance-vpna] ipv4-family
[~Spoke-PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[~Spoke-PE1-vpn-instance-vpna-af-ipv4] vpn-target 100:1 export-extcommunity
[~Spoke-PE1-vpn-instance-vpna-af-ipv4] vpn-target 200:1 import-extcommunity
[~Spoke-PE1-vpn-instance-vpna-af-ipv4] commit
[~Spoke-PE1-vpn-instance-vpna-af-ipv4] quit
[~Spoke-PE1] interface gigabitethernet 1/0/0
[~Spoke-PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[~Spoke-PE1-GigabitEthernet1/0/0] ip address 100.1.1.2 24
[~Spoke-PE1-GigabitEthernet1/0/0] commit
[~Spoke-PE1-GigabitEthernet1/0/0] quit

# Configure Spoke-PE2.
<Spoke-PE2> system-view
[~Spoke-PE2] ip vpn-instance vpna
[~Spoke-PE2-vpn-instance-vpna] ipv4-family
[~Spoke-PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 100:3
[~Spoke-PE2-vpn-instance-vpna-af-ipv4] vpn-target 100:1 export-extcommunity
[~Spoke-PE2-vpn-instance-vpna-af-ipv4] vpn-target 200:1 import-extcommunity
[~Spoke-PE2-vpn-instance-vpna-af-ipv4] commit
[~Spoke-PE2-vpn-instance-vpna-af-ipv4] quit
[~Spoke-PE2] interface gigabitethernet 1/0/0
[~Spoke-PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[~Spoke-PE2-GigabitEthernet1/0/0] ip address 120.1.1.2 24
[~Spoke-PE2-GigabitEthernet1/0/0] commit
[~Spoke-PE2-GigabitEthernet1/0/0] quit

# Configure the Hub-PE.


[~Hub-PE] ip vpn-instance vpn_in
[~Hub-PE-vpn-instance-vpn_in] ipv4-family
[~Hub-PE-vpn-instance-vpn_in-af-ipv4] route-distinguisher 100:21
[~Hub-PE-vpn-instance-vpn_in-af-ipv4] vpn-target 100:1 import-extcommunity
[~Hub-PE-vpn-instance-vpn_in-af-ipv4] commit
[~Hub-PE-vpn-instance-vpn_in-af-ipv4] quit
[~Hub-PE-vpn-instance-vpn_in] quit
[~Hub-PE] ip vpn-instance vpn_out
[~Hub-PE-vpn-instance-vpn_out] ipv4-family
[~Hub-PE-vpn-instance-vpn_out-af-ipv4] route-distinguisher 100:22
[~Hub-PE-vpn-instance-vpn_out-af-ipv4] vpn-target 200:1 export-extcommunity
[~Hub-PE-vpn-instance-vpn_out-af-ipv4] commit
[~Hub-PE-vpn-instance-vpn_out-af-ipv4] quit
[~Hub-PE-vpn-instance-vpn_out] quit
[~Hub-PE] interface gigabitethernet 3/0/0
[~Hub-PE-GigabitEthernet3/0/0] ip binding vpn-instance vpn_in
[~Hub-PE-GigabitEthernet3/0/0] ip address 110.1.1.2 24
[~Hub-PE-GigabitEthernet3/0/0] commit
[~Hub-PE-GigabitEthernet3/0/0] quit
[~Hub-PE] interface gigabitethernet 4/0/0
[~Hub-PE-GigabitEthernet4/0/0] ip binding vpn-instance vpn_out
[~Hub-PE-GigabitEthernet4/0/0] ip address 110.2.1.2 24
[~Hub-PE-GigabitEthernet4/0/0] commit
[~Hub-PE-GigabitEthernet4/0/0] quit

# Assign an IP address to each interface on CEs as shown in Figure 2-30. The detailed
configuration procedure is not mentioned here. For details, see "Configuration Files."
After the configuration, run the display ip vpn-instance verbose command on PEs to view the
configurations of VPN instances. Each PE can successfully ping its connected CEs by using the
ping -vpn-instance vpn-name ip-address command.

NOTE

If a PE has multiple interfaces bound to the same VPN instance, you need to specify a source IP address
by specifying -a source-ip-address in the ping -vpn-instance vpn-instance-name -a source-ip-address
dest-ip-address command to ping the CE connected to the remote PE. Otherwise, the ping operation fails.

Step 4 Set up the EBGP peer relationships between the PEs and CEs and import VPN routes.
NOTE

Configure the Hub-PE to allow the AS number to be repeated once in the AS_Path attribute to receive the
routes advertised by the Hub-CE.
You do not need to configure the Spoke-PEs to allow the AS number to be repeated once because the
router does not check the AS-Path attributes in its received routes advertised by the IBGP peer.

# Configure Spoke-CE1.
[~Spoke-CE1] interface loopback 1
[~Spoke-CE1-Loopback1] ip address 11.11.11.11 32
[~Spoke-CE1-Loopback1] quit
[~Spoke-CE1] bgp 65410
[~Spoke-CE1-bgp] peer 100.1.1.2 as-number 100
[~Spoke-CE1-bgp] network 11.11.11.11 32
[~Spoke-CE1-bgp] quit
[~Spoke-CE1] commit

# Configure Spoke-PE1.
[~Spoke-PE1] bgp 100
[~Spoke-PE1-bgp] ipv4-family vpn-instance vpna
[~Spoke-PE1-bgp-vpna] peer 100.1.1.1 as-number 65410
[~Spoke-PE1-bgp-vpna] commit
[~Spoke-PE1-bgp-vpna] quit
[~Spoke-PE1-bgp] quit

# Configure Spoke-CE2.
[~Spoke-CE2] interface loopback 1
[~Spoke-CE2-Loopback1] ip address 22.22.22.22 32
[~Spoke-CE2-Loopback1] quit
[~Spoke-CE2] bgp 65420
[~Spoke-CE2-bgp] peer 120.1.1.2 as-number 100
[~Spoke-CE2-bgp] network 22.22.22.22 32
[~Spoke-CE2-bgp] commit
[~Spoke-CE2-bgp] quit

# Configure Spoke-PE2.
[~Spoke-PE2] bgp 100
[~Spoke-PE2-bgp] ipv4-family vpn-instance vpna
[~Spoke-PE2-bgp-vpna] peer 120.1.1.1 as-number 65420
[~Spoke-PE2-bgp-vpna] commit
[~Spoke-PE2-bgp-vpna] quit
[~Spoke-PE2-bgp] quit

# Configure the Hub-CE.


[~Hub-CE] interface loopback 1
[~Hub-CE-Loopback1] ip address 33.33.33.33 32
[~Hub-CE-Loopback1] quit
[~Hub-CE] bgp 65430
[~Hub-CE-bgp] peer 110.1.1.2 as-number 100
[~Hub-CE-bgp] peer 110.2.1.2 as-number 100
[~Hub-CE-bgp] network 33.33.33.33 32
[~Hub-CE-bgp] quit
[~Hub-CE] commit

# Configure the Hub-PE.


[~Hub-PE] bgp 100
[~Hub-PE-bgp] ipv4-family vpn-instance vpn_in
[~Hub-PE-bgp-vpn_in] peer 110.1.1.1 as-number 65430
[~Hub-PE-bgp-vpn_in] commit
[~Hub-PE-bgp-vpn_in] quit
[~Hub-PE-bgp] ipv4-family vpn-instance vpn_out
[~Hub-PE-bgp-vpn_out] peer 110.2.1.1 as-number 65430
[~Hub-PE-bgp-vpn_out] peer 110.2.1.1 allow-as-loop 1
[~Hub-PE-bgp-vpn_out] commit
[~Hub-PE-bgp-vpn_out] quit
[~Hub-PE-bgp] quit

After the configuration, run the display bgp vpnv4 all peer command on the PEs. You can find
that BGP peer relationships have been established between PEs and CEs.
Step 5 Set up MP-IBGP peer relationships between the PEs.
# Configure Spoke-PE1.
[~Spoke-PE1] bgp 100
[~Spoke-PE1-bgp] peer 2.2.2.9 as-number 100
[~Spoke-PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[~Spoke-PE1-bgp] ipv4-family vpnv4
[~Spoke-PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[~Spoke-PE1-bgp-af-vpnv4] commit
[~Spoke-PE1-bgp-af-vpnv4] quit

# Configure Spoke-PE2.
[~Spoke-PE2] bgp 100
[~Spoke-PE2-bgp] peer 2.2.2.9 as-number 100
[~Spoke-PE2-bgp] peer 2.2.2.9 connect-interface loopback 1
[~Spoke-PE2-bgp] ipv4-family vpnv4
[~Spoke-PE2-bgp-af-vpnv4] peer 2.2.2.9 enable
[~Spoke-PE2-bgp-af-vpnv4] commit
[~Spoke-PE2-bgp-af-vpnv4] quit

# Configure the Hub-PE.


[~Hub-PE] bgp 100
[~Hub-PE-bgp] peer 1.1.1.9 as-number 100
[~Hub-PE-bgp] peer 1.1.1.9 connect-interface loopback 1
[~Hub-PE-bgp] peer 3.3.3.9 as-number 100
[~Hub-PE-bgp] peer 3.3.3.9 connect-interface loopback 1
[~Hub-PE-bgp] ipv4-family vpnv4
[~Hub-PE-bgp-af-vpnv4] peer 1.1.1.9 enable
[~Hub-PE-bgp-af-vpnv4] peer 3.3.3.9 enable
[~Hub-PE-bgp-af-vpnv4] commit
[~Hub-PE-bgp-af-vpnv4] quit

After the configuration, run the display bgp peer or display bgp vpnv4 all peer command on
the PEs, and you can view that the BGP peer relationships have been established between the
PEs.
Step 6 Verify the configuration.
After the configuration, the Spoke-CEs can successfully ping each other. Run the tracert
command, and you can view that the traffic between the Spoke-CEs is forwarded through the
Hub-CE. You can also deduce the number of forwarding devices between the Spoke-CEs based
on the TTL displayed in the ping command output.
Take the display on Spoke-CE1 as an example.
<Spoke-CE1> ping -a 11.11.11.11 22.22.22.22
PING 22.22.22.22: 56 data bytes, press CTRL_C to break
Reply from 22.22.22.22: bytes=56 Sequence=1 ttl=250 time=80 ms
Reply from 22.22.22.22: bytes=56 Sequence=2 ttl=250 time=129 ms
Reply from 22.22.22.22: bytes=56 Sequence=3 ttl=250 time=132 ms
Reply from 22.22.22.22: bytes=56 Sequence=4 ttl=250 time=92 ms
Reply from 22.22.22.22: bytes=56 Sequence=5 ttl=250 time=126 ms
--- 22.22.22.22 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 80/111/132 ms
<Spoke-CE1> tracert -a 11.11.11.11 22.22.22.22
traceroute to 22.22.22.22(22.22.22.22), max hops: 30 ,packet length: 40
1 100.1.1.2 8 ms 2 ms 2 ms
2 110.1.1.2 < AS=100 > 3 ms 2 ms 2 ms
3 110.1.1.1 < AS=100 > 3 ms 2 ms 2 ms
4 110.2.1.2 < AS=65430 > 3 ms 2 ms 2 ms
5 120.1.1.2 < AS=100 > 6 ms 6 ms 6 ms
6 22.22.22.22 < AS=65420 > 6 ms 6 ms 6 ms

Run the display bgp routing-table command on each Spoke-CE, and you can find that there
are repetitive AS numbers in the AS-Path attributes of the BGP routes to the peer Spoke-CE.
Take the display on Spoke-CE1 as an example.
<Spoke-CE1> display bgp routing-table
BGP Local router ID is 11.11.11.11
Status codes: * - valid, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
              Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 5
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   100.1.1.0/24       0.0.0.0         0                     0      ?
 *                       100.1.1.2       0                     0      100?
 *>   100.1.1.1/32       0.0.0.0         0                     0      ?
 *>   33.33.33.33/32     100.1.1.2                             0      100 65430?
 *>   22.22.22.22/32     100.1.1.2                             0      100 65430 100?

----End
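
The route-target rules in the Configuration Notes and in the Step 3 NOTE decide whether Spoke traffic is forced through the Hub-CE, so they are worth checking mechanically. The following Python script is an added example, not part of the Huawei guide: it parses the vpn-instance stanzas from this example's configuration files and reports any import/export combination that breaks those rules. Function names are hypothetical, and only the AS:number target form and the keywords used in this guide are handled.

```python
import re

# vpn-instance stanzas from this example's configuration files, keyed by device.
CONFIGS = {
    "Spoke-PE1": """
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 100:1 export-extcommunity
  vpn-target 200:1 import-extcommunity
""",
    "Spoke-PE2": """
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:3
  vpn-target 100:1 export-extcommunity
  vpn-target 200:1 import-extcommunity
""",
    "Hub-PE": """
ip vpn-instance vpn_in
 ipv4-family
  route-distinguisher 100:21
  vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn_out
 ipv4-family
  route-distinguisher 100:22
  vpn-target 200:1 export-extcommunity
""",
}

RT = re.compile(r"^\d+:\d+$")  # AS:number form only (assumption of this example)


def parse_vrfs(configs):
    """Return {"device/vrf": {"import": set, "export": set}} from config text."""
    vrfs = {}
    for device, text in configs.items():
        current = None
        for line in text.splitlines():
            words = line.split()
            if words[:2] == ["ip", "vpn-instance"] and len(words) == 3:
                current = vrfs.setdefault(f"{device}/{words[2]}",
                                          {"import": set(), "export": set()})
            elif words[:1] == ["vpn-target"] and current is not None:
                targets = {w for w in words[1:] if RT.match(w)}
                direction = words[-1]
                if direction in ("import-extcommunity", "both"):
                    current["import"] |= targets
                if direction in ("export-extcommunity", "both"):
                    current["export"] |= targets
    return vrfs


def import_edges(vrfs):
    """(exporter, importer) pairs: routes exported by one VRF are imported by the other."""
    return {(a, b) for a, va in vrfs.items() for b, vb in vrfs.items()
            if a != b and va["export"] & vb["import"]}


def audit_hub_and_spoke(vrfs, hub_device):
    """Return a list of violations of the Hub and Spoke route-target rules."""
    def on_hub(name):
        return name.split("/")[0] == hub_device

    hub_import = set().union(*(v["import"] for n, v in vrfs.items() if on_hub(n)))
    hub_export = set().union(*(v["export"] for n, v in vrfs.items() if on_hub(n)))
    findings = []
    if hub_import & hub_export:
        findings.append(f"{hub_device}: hub imports and exports the same targets")
    for name, v in sorted(vrfs.items()):
        if on_hub(name):
            continue
        if v["import"] & v["export"]:
            findings.append(f"{name}: import and export targets overlap")
        if not v["export"] <= hub_import:
            findings.append(f"{name}: exported targets are not imported by the hub")
        if not v["import"] <= hub_export:
            findings.append(f"{name}: imported targets are not exported by the hub")
    for exporter, importer in sorted(import_edges(vrfs)):
        if not on_hub(exporter) and not on_hub(importer):
            findings.append(f"{exporter} -> {importer}: spoke routes imported without passing the hub")
    return findings


if __name__ == "__main__":
    print(audit_hub_and_spoke(parse_vrfs(CONFIGS), "Hub-PE") or "no findings")
```

Changing one Spoke-PE to `vpn-target 100:1 both` makes the audit report a direct Spoke-to-Spoke import, the condition that would let traffic skip the Hub-CE.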

Configuration Files
• Configuration file of Spoke-CE1
#
sysname Spoke-CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 100.1.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 11.11.11.11 255.255.255.255
#
bgp 65410
peer 100.1.1.2 as-number 100
network 11.11.11.11 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 100.1.1.2 enable
#
return

• Configuration file of Spoke-PE1
#
sysname Spoke-PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 100.1.1.2 255.255.255.0
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 100.1.1.1 as-number 65410
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
• Configuration file of Spoke-PE2
#
sysname Spoke-PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:3
vpn-target 100:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 120.1.1.2 255.255.255.0
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 11.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 120.1.1.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 11.1.1.0 0.0.0.255

#
return
• Configuration file of Spoke-CE2
#
sysname Spoke-CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 120.1.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 22.22.22.22 255.255.255.255
#
bgp 65420
peer 120.1.1.2 as-number 100
network 22.22.22.22 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 120.1.1.2 enable
#
return
• Configuration file of the Hub-CE
#
sysname Hub-CE
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 110.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 110.2.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 33.33.33.33 255.255.255.255
#
bgp 65430
peer 110.1.1.2 as-number 100
peer 110.2.1.2 as-number 100
network 33.33.33.33 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 110.2.1.2 enable
peer 110.1.1.2 enable
#
return
• Configuration file of the Hub-PE
#
sysname Hub-PE
#
ip vpn-instance vpn_in
ipv4-family
route-distinguisher 100:21
vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn_out
ipv4-family
route-distinguisher 100:22
vpn-target 200:1 export-extcommunity
#
mpls lsr-id 2.2.2.9
#
mpls

#
mpls ldp
#
interface GigabitEthernet3/0/0
undo shutdown
ip binding vpn-instance vpn_in
ip address 110.1.1.2 255.255.255.0
#
interface GigabitEthernet4/0/0
undo shutdown
ip binding vpn-instance vpn_out
ip address 110.2.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 11.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn_in
peer 110.1.1.1 as-number 65430
#
ipv4-family vpn-instance vpn_out
peer 110.2.1.1 as-number 65430
peer 110.2.1.1 allow-as-loop
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 11.1.1.0 0.0.0.255
#
return

Related Tasks
2.6 Configuring Hub and Spoke

2.18.8 Example for Configuring Extranet VPN


Configuring extranet VPN enables users in a VPN to access sites in other VPNs.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, an interface is numbered in the format of chassis ID/
slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

As shown in Figure 2-31, CE1 and CE3 belong to vpna; CE2 belongs to vpnb. By default,
devices in different VPNs cannot communicate with each other. In some scenarios, however,
devices in different VPNs need to communicate with each other. In this case, you can configure
VPN targets for the communication between CE2 and CE3.

Figure 2-31 Networking diagram of extranet VPN
(Topology: PE1, PE2 and PE3 form the backbone in AS 100; PE3 connects to PE1 over POS1/0/0 and to PE2 over POS2/0/0. CE1 attaches to PE1 in vpna, CE2 attaches to PE2 in vpnb, and CE3 attaches to PE3 in vpna.)

Device  AS     Interface  IP address
CE1     65410  GE1/0/0    100.1.1.1/24
               Loopback1  11.11.11.11/32
CE2     65420  GE1/0/0    120.1.1.1/24
               Loopback1  22.22.22.22/32
CE3     65430  GE1/0/0    110.1.1.1/24
               Loopback1  33.33.33.33/32
PE1     100    GE1/0/0    100.1.1.2/24
               POS2/0/0   10.1.1.1/24
               Loopback1  1.1.1.9/32
PE2     100    GE1/0/0    120.1.1.2/24
               POS2/0/0   11.1.1.1/24
               Loopback1  3.3.3.9/32
PE3     100    GE3/0/0    110.1.1.2/24
               POS1/0/0   10.1.1.2/24
               POS2/0/0   11.1.1.2/24
               Loopback1  2.2.2.9/32

Configuration Notes
When configuring extranet VPN, note the following:

• The import VPN target list of PE3 contains the export VPN targets of PE1 and PE2; the
export VPN target list of PE3 contains the import VPN targets of PE1 and PE2.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IGP on the MPLS backbone network to enable PEs to communicate.
2. Configure MPLS and MPLS LSPs on the MPLS backbone network so that PEs can
communicate through the LSPs.
3. Establish MP-IBGP peer relationships between PE1 and PE3, and between PE2 and PE3.
4. Create VPN instances on the PEs, ensuring that the import VPN target list of PE3 contains
the export VPN targets of the other PEs and the export VPN target list of PE3 contains the
import VPN targets of the other PEs.

Data Preparation
To complete the configuration, you need the following data:
• MPLS LSR IDs on PEs
• Names, RDs, and VPN targets of the VPN instances created on PE1 and PE2
• AS numbers of PEs and CEs

Configuration Procedures
1. Configure an IGP on the MPLS backbone network so that the PEs can learn the routes to
each other's loopback interfaces. In this example, OSPF is used as the IGP. For
details, see "Configuration Files."
After the configuration, OSPF neighbor relationships are established between the
PEs. Run the display ospf peer command to check that the neighbor relationship
is in the Full state. Run the display ip routing-table command to check that the PEs
have learned the routes to each other's loopback interfaces.
2. Set up LDP LSPs on the MPLS backbone network.
# Configure PE1.
[~PE1] mpls lsr-id 1.1.1.9
[~PE1] mpls
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] quit
[~PE1] interface pos 2/0/0
[~PE1-Pos2/0/0] mpls
[~PE1-Pos2/0/0] mpls ldp
[~PE1-Pos2/0/0] commit
[~PE1-Pos2/0/0] quit

# Configure PE2.
[~PE2] mpls lsr-id 3.3.3.9
[~PE2] mpls
[~PE2-mpls] quit
[~PE2] mpls ldp
[~PE2-mpls-ldp] quit
[~PE2] interface pos 2/0/0
[~PE2-Pos2/0/0] mpls
[~PE2-Pos2/0/0] mpls ldp
[~PE2-Pos2/0/0] commit
[~PE2-Pos2/0/0] quit

# Configure PE3.
[~PE3] mpls lsr-id 2.2.2.9
[~PE3] mpls
[~PE3-mpls] quit
[~PE3] mpls ldp
[~PE3-mpls-ldp] quit
[~PE3] interface pos 1/0/0
[~PE3-Pos1/0/0] mpls
[~PE3-Pos1/0/0] mpls ldp
[~PE3-Pos1/0/0] commit
[~PE3-Pos1/0/0] quit
[~PE3] interface pos 2/0/0
[~PE3-Pos2/0/0] mpls
[~PE3-Pos2/0/0] mpls ldp
[~PE3-Pos2/0/0] commit
[~PE3-Pos2/0/0] quit

After the configuration, LDP sessions are established between the PEs. Run the
display mpls ldp session command on each device and check that the Status field
is Operational. The output on PE1 is used as an example.
<PE1> display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
-------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
-------------------------------------------------------------------------
2.2.2.9:0 Operational DU Passive 0000:00:01 5/5
3.3.3.9:0 Operational DU Passive 0000:00:01 5/5
-------------------------------------------------------------------------
TOTAL: 2 session(s) Found.

3. Establish MP-IBGP peer relationships between PE1 and PE3, and between PE2 and PE3.
# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] peer 2.2.2.9 as-number 100
[~PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[~PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit

# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] peer 2.2.2.9 as-number 100
[~PE2-bgp] peer 2.2.2.9 connect-interface loopback 1
[~PE2-bgp] ipv4-family vpnv4
[~PE2-bgp-af-vpnv4] peer 2.2.2.9 enable
[~PE2-bgp-af-vpnv4] commit
[~PE2-bgp-af-vpnv4] quit
[~PE2-bgp] quit

# Configure PE3.
[~PE3] bgp 100
[~PE3-bgp] peer 1.1.1.9 as-number 100
[~PE3-bgp] peer 1.1.1.9 connect-interface loopback 1
[~PE3-bgp] peer 3.3.3.9 as-number 100
[~PE3-bgp] peer 3.3.3.9 connect-interface loopback 1
[~PE3-bgp] ipv4-family vpnv4
[~PE3-bgp-af-vpnv4] peer 1.1.1.9 enable
[~PE3-bgp-af-vpnv4] peer 3.3.3.9 enable
[~PE3-bgp-af-vpnv4] commit
[~PE3-bgp-af-vpnv4] quit
[~PE3-bgp] quit

After the configuration, run the display bgp vpnv4 all peer command on the PEs to
check that the MP-IBGP peer relationships have been established between the PEs.
The output on PE1 is used as an example.

<PE1> display bgp vpnv4 all peer


BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 3
Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
2.2.2.9         4   100       12       18     0 00:09:38 Established       0

4. Create VPN instances on the PEs, ensuring that the import VPN target list of PE3 contains
the export VPN targets of the other PEs and the export VPN target list of PE3 contains the
import VPN targets of the other PEs.
# Configure PE1.
[~PE1] ip vpn-instance vpna
[~PE1-vpn-instance-vpna] ipv4-family
[~PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[~PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE1-vpn-instance-vpna-af-ipv4] commit
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] interface gigabitethernet 1/0/0
[~PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[~PE1-GigabitEthernet1/0/0] ip address 100.1.1.2 24
[~PE1-GigabitEthernet1/0/0] commit
[~PE1-GigabitEthernet1/0/0] quit

# Configure PE2.
[~PE2] ip vpn-instance vpnb
[~PE2-vpn-instance-vpnb] ipv4-family
[~PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[~PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[~PE2-vpn-instance-vpnb-af-ipv4] commit
[~PE2-vpn-instance-vpnb-af-ipv4] quit
[~PE2-vpn-instance-vpnb] quit
[~PE2] interface gigabitethernet 1/0/0
[~PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpnb
[~PE2-GigabitEthernet1/0/0] ip address 120.1.1.2 24
[~PE2-GigabitEthernet1/0/0] commit
[~PE2-GigabitEthernet1/0/0] quit

# Configure PE3.
[~PE3] ip vpn-instance vpna
[~PE3-vpn-instance-vpna] ipv4-family
[~PE3-vpn-instance-vpna-af-ipv4] route-distinguisher 100:3
[~PE3-vpn-instance-vpna-af-ipv4] vpn-target 111:1 222:2 both
[~PE3-vpn-instance-vpna-af-ipv4] commit
[~PE3-vpn-instance-vpna-af-ipv4] quit
[~PE3-vpn-instance-vpna] quit
[~PE3] interface gigabitethernet 3/0/0
[~PE3-GigabitEthernet3/0/0] ip binding vpn-instance vpna
[~PE3-GigabitEthernet3/0/0] ip address 110.1.1.2 24
[~PE3-GigabitEthernet3/0/0] commit
[~PE3-GigabitEthernet3/0/0] quit

5. Set up the EBGP peer relationships between the PEs and CEs and import VPN routes.
# Configure CE1.
[~CE1] interface loopback 1
[~CE1-Loopback1] ip address 11.11.11.11 32
[~CE1-Loopback1] quit
[~CE1] bgp 65410
[~CE1-bgp] peer 100.1.1.2 as-number 100
[~CE1-bgp] network 11.11.11.11 32
[~CE1-bgp] commit

The configurations of CE2 and CE3 are similar to the configuration of CE1, and are not
mentioned here. For details, see "Configuration Files."
# Configure PE1.

[~PE1] bgp 100


[~PE1-bgp] ipv4-family vpn-instance vpna
[~PE1-bgp-vpna] peer 100.1.1.1 as-number 65410
[~PE1-bgp-vpna] commit
[~PE1-bgp-vpna] quit

The configurations of PE2 and PE3 are similar to the configuration of PE1, and are not
mentioned here. For details, see "Configuration Files."
After the configuration, run the display bgp vpnv4 vpn-instance peer command on the
PEs to check that BGP peer relationships have been established between the PEs and
CEs.
The peer relationship between PE1 and CE1 is used as an example.
<PE1> display bgp vpnv4 vpn-instance vpna peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
100.1.1.1       4 65410       11        9     0 00:06:37 Established       1

6. Verify the configuration.


Run the display ip routing-table command on CE1. The routing table contains a route
to CE3 but no route to CE2.
<CE1> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 4 Routes : 4
Destination/Mask Proto Pre Cost Flags NextHop Interface
11.11.11.11/32 Direct 0 0 D 127.0.0.1 Loopback1
100.1.1.0/24 Direct 0 0 D 10.1.1.1 GigabitEthernet1/0/0
100.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
33.33.33.33/32 BGP 255 0 RD 2.2.2.9 Pos2/0/0

CE1 can successfully ping CE3 at 33.33.33.33 but cannot ping CE2 at
22.22.22.22.
[~CE1] ping -a 11.11.11.11 33.33.33.33
PING 33.33.33.33: 56 data bytes, press CTRL_C to break
Reply from 33.33.33.33: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 33.33.33.33: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 33.33.33.33: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 33.33.33.33: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 33.33.33.33: bytes=56 Sequence=5 ttl=253 time=34 ms
--- 33.33.33.33 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms
[~CE1] ping -a 11.11.11.11 22.22.22.22
PING 22.22.22.22: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 22.22.22.22 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
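The reachability verified above follows directly from the VPN targets: an instance receives another instance's routes only if its import list shares a target with the other's export list. The following added example (not part of the original guide) parses vpn-instance stanzas and lists every such route flow, so unintended route leaking between VPNs can be checked before deployment. The function names and the allow-list are assumptions of this example; the sample stanzas are constructed from step 4 and the configuration files.

```python
import re
from itertools import permutations

VRF_RE = re.compile(r"^\s*ip vpn-instance (\S+)\s*$")
RT_RE = re.compile(r"^\s*vpn-target\s+(.+?)\s*$")
DIRECTIONS = {"export-extcommunity", "import-extcommunity", "both"}

# Constructed input: the vpn-instance stanzas of PE1, PE2 and PE3 from this
# example (indentation added for readability).
EXTRANET = {
    "PE1": """
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
interface GigabitEthernet1/0/0
 ip binding vpn-instance vpna
#
""",
    "PE2": """
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 100:2
  vpn-target 222:2 both
#
""",
    "PE3": """
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:3
  vpn-target 111:1 222:2 import-extcommunity
  vpn-target 111:1 222:2 export-extcommunity
#
""",
}


def parse_vpn_instances(device, config):
    """Return {(device, vrf): {"import": set, "export": set}} for one config.

    A stanza starts at "ip vpn-instance NAME" and ends at the next "#" line,
    so parsing works whether or not the indentation survived.
    """
    instances, current = {}, None
    for line in config.splitlines():
        if line.strip() == "#":
            current = None
            continue
        m = VRF_RE.match(line)
        if m:
            current = instances.setdefault(
                (device, m.group(1)), {"import": set(), "export": set()})
            continue
        m = RT_RE.match(line)
        if m and current is not None:
            tokens = m.group(1).split()
            # Without a direction keyword the targets apply in both directions.
            direction = tokens.pop() if tokens[-1] in DIRECTIONS else "both"
            if direction in ("export-extcommunity", "both"):
                current["export"].update(tokens)
            if direction in ("import-extcommunity", "both"):
                current["import"].update(tokens)
    return instances


def load(configs):
    """Parse several device configurations into one instance table."""
    instances = {}
    for device, text in configs.items():
        instances.update(parse_vpn_instances(device, text))
    return instances


def route_flows(instances):
    """Return {(src, dst): shared targets} where dst imports what src exports."""
    flows = {}
    for src, dst in permutations(instances, 2):
        shared = instances[src]["export"] & instances[dst]["import"]
        if shared:
            flows[(src, dst)] = shared
    return flows


def two_way_pairs(flows):
    """Instance pairs that import each other's routes and can exchange traffic."""
    return {frozenset(pair) for pair in flows if (pair[1], pair[0]) in flows}


def unexpected_flows(flows, allowed):
    """Route flows that are not in the intended-connectivity allow-list."""
    return sorted(pair for pair in flows if pair not in allowed)


if __name__ == "__main__":
    flows = route_flows(load(EXTRANET))
    for (src, dst), targets in sorted(flows.items()):
        print(f"{src[0]}/{src[1]} -> {dst[0]}/{dst[1]} via {sorted(targets)}")
```

For this example the script reports flows only between PE1 and PE3 and between PE2 and PE3, which matches the ping results: CE1 reaches CE3 but not CE2.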

Configuration Files
• Configuration file of CE1
#

sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 100.1.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 11.11.11.11 255.255.255.255
#
bgp 65410
peer 100.1.1.2 as-number 100
network 11.11.11.11 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 100.1.1.2 enable
#
return
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 100.1.1.2 255.255.255.0
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 100.1.1.1 as-number 65410
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0

#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpnb
ip address 120.1.1.2 255.255.255.0
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 11.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpnb
peer 120.1.1.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 11.1.1.0 0.0.0.255
#
return
• Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 120.1.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 22.22.22.22 255.255.255.255
#
bgp 65420
peer 120.1.1.2 as-number 100

network 22.22.22.22 255.255.255.255


#
ipv4-family unicast
undo synchronization
peer 120.1.1.2 enable
#
return
• Configuration file of PE3
#
sysname PE3
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:3
vpn-target 111:1 222:2 import-extcommunity
vpn-target 111:1 222:2 export-extcommunity
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet3/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 110.1.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 11.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
peer 110.1.1.1 as-number 65430
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 11.1.1.0 0.0.0.255

#
return

• Configuration file of CE3


#
sysname CE3
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 110.1.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 33.33.33.33 255.255.255.255
#
bgp 65430
peer 110.1.1.2 as-number 100
network 33.33.33.33 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 110.1.1.2 enable
#
return

2.18.9 Example for Configuring Load Balancing Among Tunnels to Which Remote Cross Routes Are Iterated on a VPN
Load balancing can be configured if there are multiple tunnels between PE peers on the backbone
network. It can fully utilize network resources and enhance the reliability of VPN services on
the backbone network.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

If multiple tunnels such as LDP LSPs and TE tunnels exist between PE peers on the MPLS
backbone network of a BGP/MPLS IP VPN, load balancing among tunnels can be configured
to distribute VPN traffic to the tunnels and prevent network congestion.
As shown in Figure 2-32, two links exist between PE1 and PE2 in the basic BGP/MPLS IP VPN
networking: an LDP LSP (PE1-P1-PE2) and a TE tunnel (PE1-P2-PE2). All VPN traffic is
forwarded over the LSP according to the default tunnel policy, which may cause the link of PE1-
P1-PE2 to be busy and the link of PE1-P2-PE2 to be idle.
To address this problem, load balancing among tunnels can be configured on the MPLS backbone
network to distribute VPN traffic evenly to the two tunnels.

Figure 2-32 Networking diagram for configuring load balancing among tunnels to which remote cross routes are iterated on a VPN
(Topology: in the backbone, AS 100, PE1 and PE2 are connected over two paths, PE1-P1-PE2 and PE1-P2-PE2; CE2 attaches to PE2. Loopback1 addresses: PE1 1.1.1.9/32, P1 2.2.2.9/32, PE2 3.3.3.9/32, P2 4.4.4.9/32, CE2 22.22.22.22/32. PE1 Loopback2 is 11.11.11.11/32. PE2 GE3/0/0 192.168.1.1/30 connects to CE2 GE1/0/0 192.168.1.2/30. The POS interface addresses are listed in "Configuration Files.")

Configuration Notes
When configuring load balancing among tunnels to which remote cross routes are iterated on a
VPN, note the following item:
• The tunnels existing in the system meet the requirements of the configured tunnel policy.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF on the MPLS backbone network for IP connectivity between devices on
the backbone network.
2. On the MPLS backbone network, enable MPLS and MPLS LDP to set up an LDP LSP;
enable MPLS TE to set up an MPLS TE tunnel.
3. Create a VPN instance on each PE and connect the CE to PE2.
4. Create a tunnel policy on PE1 to distribute traffic to the LDP LSP and TE tunnel between
PE1 and PE2.
5. Apply the tunnel policy to the VPN instance IPv4 address family on PE1.

Procedure
Step 1 Configure a basic BGP/MPLS IP VPN.
For details on the configuration procedure, see Example for Configuring Basic BGP/MPLS
IP VPN. The main configurations are listed below:
• Configure OSPF on the MPLS backbone network to allow the PEs to learn the route to each
other's loopback interface.
• Configure basic MPLS functions and enable MPLS LDP on PE1, P1, and PE2 to set up an
LDP LSP along the PEs.

• Enable MPLS TE on PE1, P2, and PE2 to set up an MPLS TE tunnel along the PEs.
• Establish a VPNv4 peer relationship between the PEs.
• Create a VPN instance that supports the IPv4 address family on each PE and bind the PE
interface connecting to the CE to the VPN instance.
• Enable BGP between the PEs and CE, and import the route of the loopback interface into
BGP on the CE.

After the configuration is complete, run the display ip routing-table vpn-instance command
on PE1. You can find that PE1 has learned the route to the loopback interface on the CE.
<PE1> display ip routing-table vpn-instance vpn1
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpn1
Destinations : 4 Routes : 4

Destination/Mask Proto Pre Cost Flags NextHop Interface

11.11.11.11/32 Direct 0 0 D 127.0.0.1 LoopBack2


22.22.22.22/32 BGP 255 0 RD 3.3.3.9 LDP LSP
192.168.1.0/30 BGP 255 0 RD 3.3.3.9 LDP LSP
192.168.1.2/32 BGP 255 0 RD 3.3.3.9 LDP LSP
<PE1> display ip routing-table vpn-instance vpn1 22.22.22.22 verbose
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpn1
Summary Count : 1

Destination: 22.22.22.22/32
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 3.3.3.9 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h02m28s
Tag: 0 Priority: low
Label: 0x1f QoSInfo: 0x0
IndirectID: 0xb7
RelayNextHop: 0.0.0.0 Interface: LDP LSP
TunnelID: 0x0000000001004c4b43 Flags: RD

The command output shows that the route to 22.22.22.22/32 is iterated to only one LSP on PE1
because no tunnel policy is applied to the VPN.

Step 2 Apply a tunnel policy to the VPN on PE1.

Configure a tunnel policy in select-sequence mode so that tunnels are selected in the order
TE tunnel, then LSP, and set the number of tunnels participating in load balancing to 2.

# Configure PE1.
[~PE1] tunnel-policy te-lsp-l2
[~PE1-tunnel-policy-te-lsp-l2] tunnel select-seq cr-lsp lsp load-balance-number 2
[~PE1-tunnel-policy-te-lsp-l2] quit

# Apply a tunnel policy to the VPN instance IPv4 address family.


[~PE1] ip vpn-instance vpn1
[~PE1-vpn-instance-vpn1] ipv4-family
[~PE1-vpn-instance-vpn1-af-ipv4] tnl-policy te-lsp-l2
[~PE1-vpn-instance-vpn1-af-ipv4] quit
[~PE1-vpn-instance-vpn1] quit
[~PE1] commit

Step 3 Verify the configuration.

After the configuration is complete, run the display ip routing-table vpn-instance verbose
command on PE1. You can find that the route to the loopback interface on the CE is iterated to
two tunnels.
<PE1> display ip routing-table vpn-instance vpn1 22.22.22.22 verbose
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpn1
Summary Count : 1

Destination: 22.22.22.22/32
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 3.3.3.9 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h00m06s
Tag: 0 Priority: low
Label: 0x1f QoSInfo: 0x0
IndirectID: 0xbc
RelayNextHop: 0.0.0.0 Interface: Tunnel1
TunnelID: 0x000000000300000001 Flags: RD
RelayNextHop: 0.0.0.0 Interface: LDP LSP
TunnelID: 0x0000000001004c4b43 Flags: RD

Load balancing between tunnels to which remote cross routes are iterated is successfully
deployed on the VPN.

----End
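The check performed in steps 1 and 3 can be automated. The following added example (not part of the original guide) parses the tunnel policy and the verbose routing-table output, predicts which tunnels the select-sequence policy should pick, and compares the prediction with the tunnels the route is actually iterated to. The function names, the mapping of the Interface field to tunnel types, and the modelling of the default policy are assumptions of this example; the sample input is constructed from the outputs shown above.

```python
import re

# Constructed input: the tunnel policy from PE1's configuration file and the
# verbose outputs of steps 1 and 3, reduced to the fields the parser reads.
POLICY_CONFIG = """
tunnel-policy te-lsp-l2
 tunnel select-seq cr-lsp lsp load-balance-number 2
#
"""
BEFORE = """
Destination: 22.22.22.22/32
RelayNextHop: 0.0.0.0 Interface: LDP LSP
TunnelID: 0x0000000001004c4b43 Flags: RD
"""
AFTER = """
Destination: 22.22.22.22/32
RelayNextHop: 0.0.0.0 Interface: Tunnel1
TunnelID: 0x000000000300000001 Flags: RD
RelayNextHop: 0.0.0.0 Interface: LDP LSP
TunnelID: 0x0000000001004c4b43 Flags: RD
"""
# The guide states that without a policy all VPN traffic uses the LSP; this is
# modelled here as a one-tunnel, LSP-only sequence (assumption of this example).
DEFAULT_POLICY = {"seq": ["lsp"], "count": 1}


def parse_policies(config):
    """Return {name: {"seq": [types], "count": n}} from tunnel-policy stanzas."""
    policies, name = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"tunnel-policy (\S+)$", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"tunnel select-seq (.+?) load-balance-number (\d+)$", line)
        if m and name:
            policies[name] = {"seq": m.group(1).split(), "count": int(m.group(2))}
    return policies


def tunnel_type(interface):
    """Map an Interface value from the output to a policy tunnel type (assumed)."""
    if interface == "LDP LSP":
        return "lsp"
    if interface.startswith("Tunnel"):
        return "cr-lsp"
    return "unknown"


def parse_relays(output):
    """Return {destination: [(interface, tunnel_id), ...]} in output order."""
    routes, dest, iface = {}, None, None
    for line in output.splitlines():
        m = re.search(r"Destination:\s*(\S+)", line)
        if m:
            dest = m.group(1)
            routes[dest] = []
        m = re.search(r"RelayNextHop:\s*\S+\s+Interface:\s*(.+?)\s*$", line)
        if m:
            iface = m.group(1)
        m = re.search(r"TunnelID:\s*(0x[0-9a-fA-F]+)", line)
        if m and dest and iface:
            routes[dest].append((iface, m.group(1)))
            iface = None
    return routes


def select_tunnels(available, policy):
    """Pick tunnels in select-seq order until load-balance-number is reached."""
    chosen = []
    for wanted in policy["seq"]:
        for iface in available:
            if tunnel_type(iface) == wanted and len(chosen) < policy["count"]:
                chosen.append(iface)
    return chosen


def check_route(output, dest, available, policy):
    """Compare the tunnels a route is iterated to with the policy's prediction."""
    observed = [iface for iface, _ in parse_relays(output).get(dest, [])]
    expected = select_tunnels(available, policy)
    return {"observed": observed, "expected": expected,
            "matches": sorted(observed) == sorted(expected),
            "load_balanced": len(observed) > 1}


if __name__ == "__main__":
    policy = parse_policies(POLICY_CONFIG)["te-lsp-l2"]
    tunnels = ["LDP LSP", "Tunnel1"]  # tunnels from PE1 to PE2 in Figure 2-32
    print(check_route(BEFORE, "22.22.22.22/32", tunnels, DEFAULT_POLICY))
    print(check_route(AFTER, "22.22.22.22/32", tunnels, policy))
```

A result with "matches" set to False after the policy has been applied means that a tunnel the policy expects is missing, which is the condition the Configuration Notes warn about.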

Configuration Files
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
tnl-policy te-lsp-l2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
mpls te
mpls te cspf
mpls rsvp-te
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 20.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255

#
interface LoopBack2
ip binding vpn-instance vpn1
ip address 11.11.11.11 255.255.255.255
#
interface Tunnel1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 3.3.3.9
mpls te tunnel-id 100
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ospf 1
opaque-capability enable
area 0.0.0.0
mpls-te enable
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 20.1.1.0 0.0.0.255
#
tunnel-policy te-lsp-l2
tunnel select-seq cr-lsp lsp load-balance-number 2
#
return
• Configuration file of P1
#
sysname P1
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 20.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 30.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
opaque-capability enable
area 0.0.0.0
mpls-te enable
network 2.2.2.9 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255

#
return
• Configuration file of P2
#
sysname P2
#
mpls lsr-id 4.4.4.9
#
mpls
mpls te
mpls te cspf
mpls rsvp-te
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 40.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
ospf 1
opaque-capability enable
area 0.0.0.0
mpls-te enable
network 4.4.4.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 40.1.1.0 0.0.0.255
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
mpls te
mpls te cspf
mpls rsvp-te
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 40.1.1.2 255.255.255.0
mpls
mpls te

mpls rsvp-te
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 30.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet3/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 192.168.1.1 255.255.255.252
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
peer 192.168.1.2 as-number 65410
#
ospf 1
opaque-capability enable
area 0.0.0.0
mpls-te enable
network 3.3.3.9 0.0.0.0
network 30.1.1.0 0.0.0.255
network 40.1.1.0 0.0.0.255
#
return

• Configuration file of CE2


#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.2 255.255.255.252
#
interface LoopBack1
ip address 22.22.22.22 255.255.255.255
#
bgp 65410
peer 192.168.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
network 22.22.22.22 32
peer 192.168.1.1 enable
#
return

Related Tasks
2.7 Configuring a Tunnel Policy for the Backbone Network of a BGP/MPLS IP VPN

2.18.10 Example for Configuring Inter-AS VPN Option A


After VPN instances are configured on ASBRs, you can adopt the Option A solution to manage
VPN routes in VRF-to-VRF mode.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, an interface is numbered in the format of chassis ID/
slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

As shown in Figure 2-33, CE1 and CE2 belong to the same VPN. CE1 is connected to PE1 in
AS 100, and CE2 is connected to PE2 in AS 200.

It is required that inter-AS BGP/MPLS IP VPN be implemented through Option A. That is,
VRF-to-VRF is required to manage VPN routes.

Figure 2-33 Networking diagram of inter-AS VPN Option A
(Topology: two BGP/MPLS backbones, AS 100 with PE1 and ASBR1 and AS 200 with ASBR2 and PE2; ASBR1 and ASBR2 are directly connected. CE1 attaches to PE1 and CE2 attaches to PE2.)

Device  AS     Interface  IP address
CE1     65001  GE1/0/0    10.1.1.1/24
               Loopback1  11.11.11.11/32
PE1     100    GE2/0/0    10.1.1.2/24
               POS1/0/0   172.1.1.2/24
               Loopback1  1.1.1.9/32
ASBR1   100    POS1/0/0   172.1.1.1/24
               POS2/0/0   192.1.1.1/24
               Loopback1  2.2.2.9/32
ASBR2   200    POS2/0/0   192.1.1.2/24
               POS1/0/0   162.1.1.1/24
               Loopback1  3.3.3.9/32
PE2     200    POS1/0/0   162.1.1.2/24
               GE2/0/0    10.2.1.2/24
               Loopback1  4.4.4.9/32
CE2     65002  GE1/0/0    10.2.1.1/24
               Loopback1  22.22.22.22/32

Configuration Roadmap
The configuration roadmap is as follows:


1. Set up EBGP peer relationships between the PEs and CEs and set up MP-IBGP peer
relationships between the PEs and ASBRs.
2. Create a VPN instance on each ASBR and bind the VPN instance to the interface that
connects one ASBR to the other, and then set up an EBGP peer relationship between the
ASBRs.

Data Preparation
To complete the configuration, you need the following data:
• MPLS LSR IDs of the PEs and the ASBRs
• Names, RDs, and VPN targets of the VPN instances of the PEs and ASBRs

Procedure
Step 1 On the MPLS backbone networks in AS 100 and AS 200, configure an IGP to interconnect the
PE and ASBR on each network.
In this example, OSPF is used as the IGP protocol. For details, see "Configuration Files."

NOTE

The 32-bit IP address of the loopback interface that functions as the LSR ID needs to be advertised by
using OSPF.

After the configuration, the OSPF neighbor relationship can be established between the ASBR
and PE in the same AS. Run the display ospf peer command, and you can view that the neighbor
relationship is in the Full state.
The ASBR and PE in the same AS can learn and successfully ping the IP address of the loopback
interface of each other.
Step 2 Configure basic MPLS functions and MPLS LDP, and set up MPLS LDP LSPs on the MPLS
backbone network in AS 100 and AS 200.
# Configure basic MPLS functions on PE1 and enable LDP on the interface that connects PE1
to ASBR1.
<PE1> system-view
[~PE1] mpls lsr-id 1.1.1.9
[~PE1] mpls
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] quit
[~PE1] interface pos1/0/0
[~PE1-Pos1/0/0] mpls
[~PE1-Pos1/0/0] mpls ldp
[~PE1-Pos1/0/0] commit
[~PE1-Pos1/0/0] quit

# Configure basic MPLS functions on ASBR1 and enable LDP on the interface that connects
ASBR1 to PE1.
<ASBR1> system-view
[~ASBR1] mpls lsr-id 2.2.2.9
[~ASBR1] mpls
[~ASBR1-mpls] quit
[~ASBR1] mpls ldp
[~ASBR1-mpls-ldp] quit
[~ASBR1] interface pos1/0/0
[~ASBR1-Pos1/0/0] mpls
[~ASBR1-Pos1/0/0] mpls ldp
[~ASBR1-Pos1/0/0] commit
[~ASBR1-Pos1/0/0] quit

# Configure basic MPLS functions on ASBR2 and enable LDP on the interface that connects
ASBR2 to PE2.
<ASBR2> system-view
[~ASBR2] mpls lsr-id 3.3.3.9
[~ASBR2] mpls
[~ASBR2-mpls] quit
[~ASBR2] mpls ldp
[~ASBR2-mpls-ldp] quit
[~ASBR2] interface pos1/0/0
[~ASBR2-Pos1/0/0] mpls
[~ASBR2-Pos1/0/0] mpls ldp
[~ASBR2-Pos1/0/0] commit
[~ASBR2-Pos1/0/0] quit

# Configure basic MPLS functions on PE2 and enable LDP on the interface that connects PE2
to ASBR2.
<PE2> system-view
[~PE2] mpls lsr-id 4.4.4.9
[~PE2] mpls
[~PE2-mpls] quit
[~PE2] mpls ldp
[~PE2-mpls-ldp] quit
[~PE2] interface pos1/0/0
[~PE2-Pos1/0/0] mpls
[~PE2-Pos1/0/0] mpls ldp
[~PE2-Pos1/0/0] commit
[~PE2-Pos1/0/0] quit

After the configuration, the LDP session is established between the PE and ASBR in the same
AS. Run the display mpls ldp session command on the PEs and ASBRs, and you can view that
the Status field is displayed as Operational.
Take the display on PE1 as an example.
<PE1> display mpls ldp session
LDP Session(s) in Public Network
--------------------------------------------------------------------------
Peer-ID Status LAM SsnRole SsnAge KA-Sent/Rcv
--------------------------------------------------------------------------
2.2.2.9:0 Operational DU Passive 000:00:02 9/9
--------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
LAM : Label Advertisement Mode SsnAge Unit : DDD:HH:MM

Step 3 Configure basic BGP/MPLS IP VPN functions in AS 100 and AS 200.


NOTE

The VPN targets of the VPN instances of the ASBR and PE in an AS must be the same. The VPN targets
of the VPN instances of the ASBR and PE in different ASs can be different.

# Configure CE1.
<CE1> system-view
[~CE1] interface gigabitethernet 1/0/0
[~CE1-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[~CE1-GigabitEthernet1/0/0] quit
[~CE1] interface loopback 1
[~CE1-Loopback1] ip address 11.11.11.11 32
[~CE1-Loopback1] quit
[~CE1] bgp 65001
[~CE1-bgp] peer 10.1.1.2 as-number 100
[~CE1-bgp] network 11.11.11.11 32
[~CE1-bgp] quit
[~CE1] commit

# On PE1, set up an EBGP peer relationship between PE1 and CE1.


[~PE1] ip vpn-instance vpn1
[~PE1-vpn-instance-vpn1] ipv4-family
[~PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[~PE1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 both
[~PE1-vpn-instance-vpn1-af-ipv4] quit
[~PE1-vpn-instance-vpn1] quit
[~PE1] interface gigabitethernet 2/0/0
[~PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[~PE1-GigabitEthernet2/0/0] ip address 10.1.1.2 24
[~PE1-GigabitEthernet2/0/0] commit
[~PE1-GigabitEthernet2/0/0] quit
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpn1
[~PE1-bgp-vpn1] peer 10.1.1.1 as-number 65001
[~PE1-bgp-vpn1] commit
[~PE1-bgp-vpn1] quit
[~PE1-bgp] quit

# On PE1, set up an MP-IBGP peer relationship between PE1 and ASBR1.


[~PE1] bgp 100
[~PE1-bgp] peer 2.2.2.9 as-number 100
[~PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[~PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit

# On ASBR1, set up an MP-IBGP peer relationship between ASBR1 and PE1.


[~ASBR1] bgp 100
[~ASBR1-bgp] peer 1.1.1.9 as-number 100
[~ASBR1-bgp] peer 1.1.1.9 connect-interface loopback 1
[~ASBR1-bgp] ipv4-family vpnv4
[~ASBR1-bgp-af-vpnv4] peer 1.1.1.9 enable
[~ASBR1-bgp-af-vpnv4] commit
[~ASBR1-bgp-af-vpnv4] quit
[~ASBR1-bgp] quit

NOTE

The configurations of CE2, PE2, and ASBR2 are similar to the configurations of CE1, PE1, and ASBR1
respectively, and are not mentioned here.

After the configuration, run the display bgp vpnv4 vpn-instance vpn-instance-name peer
command on the PEs, and you can view that BGP peer relationships have been established
between PEs and CEs. Run the display bgp vpnv4 all peer command, and you can view that
the BGP peer relationships have been established between each PE and CE, and between each
PE and ASBR.
Take the display on PE1 as an example.
<PE1> display bgp vpnv4 vpn-instance vpn1 peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 65001 10 10 0 00:07:10 Established 0
<PE1> display bgp vpnv4 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2.2.2.9 4 100 3 7 0 00:01:36 Established 0
Peer of vpn instance:
VPN-Instance vpn1, router ID 1.1.1.9:
10.1.1.1 4 65001 13 13 0 00:04:00 Established 2

Step 4 Configure inter-AS VPN in VRF-to-VRF mode.


# On ASBR1, create a VPN instance and bind it to the interface that connects ASBR1 to ASBR2
(ASBR1 regards ASBR2 as its CE).
[~ASBR1] ip vpn-instance vpn1
[~ASBR1-vpn-instance-vpn1] ipv4-family
[~ASBR1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:2
[~ASBR1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 both
[~ASBR1-vpn-instance-vpn1-af-ipv4] quit
[~ASBR1-vpn-instance-vpn1] quit
[~ASBR1] interface pos 2/0/0
[~ASBR1-Pos2/0/0] ip binding vpn-instance vpn1
[~ASBR1-Pos2/0/0] ip address 192.1.1.1 24
[~ASBR1-Pos2/0/0] quit
[~ASBR1] commit

# On ASBR2, create a VPN instance and bind it to the interface that connects ASBR2 to ASBR1
(ASBR2 regards ASBR1 as its CE).
[~ASBR2] ip vpn-instance vpn1
[~ASBR2-vpn-instance-vpn1] ipv4-family
[~ASBR2-vpn-instance-vpn1-af-ipv4] route-distinguisher 200:2
[~ASBR2-vpn-instance-vpn1-af-ipv4] vpn-target 2:2 both
[~ASBR2-vpn-instance-vpn1-af-ipv4] commit
[~ASBR2-vpn-instance-vpn1-af-ipv4] quit
[~ASBR2-vpn-instance-vpn1] quit
[~ASBR2] interface pos 2/0/0
[~ASBR2-Pos2/0/0] ip binding vpn-instance vpn1
[~ASBR2-Pos2/0/0] ip address 192.1.1.2 24
[~ASBR2-Pos2/0/0] commit
[~ASBR2-Pos2/0/0] quit

# On ASBR1, set up an EBGP peer relationship between ASBR1 and ASBR2.


[~ASBR1] bgp 100
[~ASBR1-bgp] ipv4-family vpn-instance vpn1
[~ASBR1-bgp-vpn1] peer 192.1.1.2 as-number 200
[~ASBR1-bgp-vpn1] commit
[~ASBR1-bgp-vpn1] quit
[~ASBR1-bgp] quit

# On ASBR2, set up an EBGP peer relationship between ASBR2 and ASBR1.


[~ASBR2] bgp 200
[~ASBR2-bgp] ipv4-family vpn-instance vpn1
[~ASBR2-bgp-vpn1] peer 192.1.1.1 as-number 100
[~ASBR2-bgp-vpn1] commit
[~ASBR2-bgp-vpn1] quit
[~ASBR2-bgp] quit

After the configuration, run the display bgp vpnv4 vpn-instance peer command on the ASBRs,
and you can view that BGP peer relationships have been established between the ASBRs.
Step 5 Verify the configuration.
After the configuration, CEs can learn routes from each other, and CE1 and CE2 can ping each
other successfully.
Take the display on CE1 as an example.
<CE1> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 7 Routes : 7
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.1 GigabitEthernet1/0/0
10.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
22.22.22.22/32 BGP 255 0 D 10.1.1.2 GigabitEthernet1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.1.1.0/24 BGP 255 0 D 10.1.1.2 GigabitEthernet1/0/0
192.1.1.2/32 BGP 255 0 D 10.1.1.2 GigabitEthernet1/0/0
[~CE1] ping -a 11.11.11.11 22.22.22.22
PING 22.22.22.22: 56 data bytes, press CTRL_C to break
Reply from 22.22.22.22: bytes=56 Sequence=1 ttl=251 time=119 ms
Reply from 22.22.22.22: bytes=56 Sequence=2 ttl=251 time=141 ms
Reply from 22.22.22.22: bytes=56 Sequence=3 ttl=251 time=136 ms
Reply from 22.22.22.22: bytes=56 Sequence=4 ttl=251 time=113 ms
Reply from 22.22.22.22: bytes=56 Sequence=5 ttl=251 time=78 ms
--- 22.22.22.22 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 78/117/141 ms

Run the display ip routing-table vpn-instance command on an ASBR, and you can view the
VPN routing table on the ASBR.
<ASBR1> display ip routing-table vpn-instance vpn1
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: vpn1
Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost Flags NextHop Interface
11.11.11.11/32 BGP 255 0 RD 1.1.1.9 Pos1/0/0
22.22.22.22/32 BGP 255 0 D 192.1.1.2 Pos2/0/0
192.1.1.0/24 Direct 0 0 D 192.1.1.1 Pos2/0/0
192.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.1.1.2/32 Direct 0 0 D 192.1.1.2 Pos2/0/0

Run the display bgp vpnv4 all routing-table command on an ASBR, and you can view the
VPNv4 routes on the ASBR.
<ASBR1> display bgp vpnv4 all routing-table
Local AS number : 100
BGP Local router ID is 2.2.2.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 1
Route Distinguisher: 100:1
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 11.11.11.11/32 1.1.1.9 0 100 0 ?
VPN-Instance vpn1, router ID 2.2.2.9:

Total Number of Routes: 7


Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 11.11.11.11/32 1.1.1.9 0 100 0 65001?
*> 22.22.22.22/32 192.1.1.2 0 ?
*> 192.1.1.0 0.0.0.0 0 0 ?
* 192.1.1.2 0 0 200?
*> 192.1.1.1/32 0.0.0.0 0 0 ?
* 192.1.1.2 0 0 200?
*> 192.1.1.2/32 0.0.0.0 0 0 ?

----End

Configuration Files
• Configuration file of CE1

#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 11.11.11.11 255.255.255.255
#
bgp 65001
peer 10.1.1.2 as-number 100
network 11.11.11.11 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
#
return
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 65001
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
• Configuration file of ASBR1
#
sysname ASBR1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpn1
ip address 192.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
peer 192.1.1.2 as-number 200
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
• Configuration file of ASBR2
#
sysname ASBR2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:2
vpn-target 2:2 export-extcommunity
vpn-target 2:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpn1
ip address 192.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 200
peer 4.4.4.9 as-number 200
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 4.4.4.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 4.4.4.9 enable
#
ipv4-family vpn-instance vpn1
peer 192.1.1.1 as-number 100
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
vpn-target 2:2 export-extcommunity
vpn-target 2:2 import-extcommunity
#
mpls lsr-id 4.4.4.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 200
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 65002
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return

• Configuration file of CE2


#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 22.22.22.22 255.255.255.255
#
bgp 65002
peer 10.2.1.2 as-number 200
network 22.22.22.22 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.2.1.2 enable
#
return

Related Tasks
2.8 Configuring Inter-AS VPN Option A
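
The following Python script is an added example, not part of the Huawei guide: it parses the vpn-instance, interface and BGP stanzas of the configuration files above and checks the Option A conditions (each ASBR has a VPN instance bound to an interface with an EBGP peer inside it, and each PE's VPN targets match an instance on an ASBR in its own AS). The function names, the reading of "must be the same" as an export/import overlap in both directions, and the embedded configuration text (constructed from the values in the files above) are assumptions of this example.

```python
import re

# Constructed input: only the stanzas that matter for Option A, filled with the
# values from this example's configuration files (everything else is omitted).
TEMPLATE = """\
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher {rd}
  vpn-target {rt} export-extcommunity
  vpn-target {rt} import-extcommunity
#
interface {intf}
 undo shutdown
 ip binding vpn-instance vpn1
#
bgp {asn}
 #
 ipv4-family vpnv4
  policy vpn-target
 #
 ipv4-family vpn-instance vpn1
  peer {peer} as-number {peer_as}
#
return
"""
CONFIGS = {
    "PE1": TEMPLATE.format(rd="100:1", rt="1:1", intf="GigabitEthernet2/0/0",
                           asn=100, peer="10.1.1.1", peer_as=65001),
    "ASBR1": TEMPLATE.format(rd="100:2", rt="1:1", intf="Pos2/0/0",
                             asn=100, peer="192.1.1.2", peer_as=200),
    "ASBR2": TEMPLATE.format(rd="200:2", rt="2:2", intf="Pos2/0/0",
                             asn=200, peer="192.1.1.1", peer_as=100),
    "PE2": TEMPLATE.format(rd="200:1", rt="2:2", intf="GigabitEthernet2/0/0",
                           asn=200, peer="10.2.1.1", peer_as=65002),
}

def parse(text):
    """Parse VRP configuration text into {'asn': int, 'vrfs': {name: {...}}}."""
    dev = {"asn": None, "vrfs": {}}

    def vrf(name):
        return dev["vrfs"].setdefault(name, {
            "rd": None, "import": set(), "export": set(), "interfaces": [], "peers": {}})

    cur = intf = bgp_vrf = None  # open vpn-instance / interface / BGP VPN family
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"ip vpn-instance (\S+)", line):
            cur, intf, bgp_vrf = vrf(m[1]), None, None
        elif m := re.fullmatch(r"interface (.+)", line):
            cur, intf, bgp_vrf = None, m[1], None
        elif m := re.fullmatch(r"bgp (\d+)", line):
            dev["asn"], cur, intf, bgp_vrf = int(m[1]), None, None, None
        elif m := re.fullmatch(r"ipv4-family vpn-instance (\S+)", line):
            bgp_vrf = vrf(m[1])
        elif line.startswith("ipv4-family "):
            bgp_vrf = None  # unicast or vpnv4 family: peers there are not VRF peers
        elif cur is not None and (m := re.fullmatch(r"route-distinguisher (\S+)", line)):
            cur["rd"] = m[1]
        elif cur is not None and (
                m := re.fullmatch(r"vpn-target (.+) (import|export)-extcommunity", line)):
            cur[m[2]].update(m[1].split())
        elif intf and (m := re.fullmatch(r"ip binding vpn-instance (\S+)", line)):
            vrf(m[1])["interfaces"].append(intf)
        elif bgp_vrf is not None and (m := re.fullmatch(r"peer (\S+) as-number (\d+)", line)):
            bgp_vrf["peers"][m[1]] = int(m[2])
    return dev

def audit_option_a(devices, asbrs):
    """Return findings for the VRF-to-VRF conditions; an empty list means all hold."""
    findings = []
    for name in asbrs:
        asbr = devices[name]
        if not asbr["vrfs"]:
            findings.append(f"{name}: no VPN instance configured")
        for vname, v in asbr["vrfs"].items():
            if not v["interfaces"]:
                findings.append(f"{name}/{vname}: no interface bound to the instance")
            if not any(asn != asbr["asn"] for asn in v["peers"].values()):
                findings.append(f"{name}/{vname}: no EBGP peer inside the instance")
    for pe_name, pe in devices.items():
        if pe_name in asbrs:
            continue
        local = [devices[n] for n in asbrs if devices[n]["asn"] == pe["asn"]]
        for vname, pv in pe["vrfs"].items():
            # Routes must flow both ways between the PE and an ASBR in the same AS.
            ok = any(pv["export"] & av["import"] and av["export"] & pv["import"]
                     for a in local for av in a["vrfs"].values())
            if not ok:
                findings.append(f"{pe_name}/{vname}: VPN targets match no instance on "
                                f"an ASBR in AS {pe['asn']}")
    return findings

DEVICES = {name: parse(text) for name, text in CONFIGS.items()}

if __name__ == "__main__":
    for line in audit_option_a(DEVICES, ["ASBR1", "ASBR2"]) or ["Option A checks passed"]:
        print(line)
```

The VPN targets 1:1 (AS 100) and 2:2 (AS 200) never have to agree with each other because the route crosses the ASBR1-ASBR2 link as a plain IPv4 route inside the VPN instance.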

2.18.11 Example for Configuring Inter-AS VPN Option B with Basic Networking
An MP-EBGP peer relationship can be established between the ASBRs with only one hop to
exchange VPNv4 routes.


Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

As shown in Figure 2-34, CE1 and CE2 belong to the same VPN. CE1 is connected to PE1 in
AS 100, and CE2 is connected to PE2 in AS 200. It is required that an MP-EBGP peer relationship
be established between the ASBRs to transmit VPNv4 routes, thus implementing inter-AS VPN
Option B.

Figure 2-34 Networking diagram of inter-AS VPN Option B with basic networking

Device   AS      Interface   IP Address
CE1      65001   Loopback1   11.11.11.11/32
                 GE1/0/0     10.1.1.1/24
PE1      100     Loopback1   1.1.1.9/32
                 GE2/0/0     10.1.1.2/24
                 POS1/0/0    172.1.1.2/24
ASBR1    100     Loopback1   2.2.2.9/32
                 POS1/0/0    172.1.1.1/24
                 POS2/0/0    192.1.1.1/24
ASBR2    200     Loopback1   3.3.3.9/32
                 POS1/0/0    162.1.1.1/24
                 POS2/0/0    192.1.1.2/24
PE2      200     Loopback1   4.4.4.9/32
                 GE2/0/0     10.2.1.2/24
                 POS1/0/0    162.1.1.2/24
CE2      65002   Loopback1   22.22.22.22/32
                 GE1/0/0     10.2.1.1/24

Configuration Notes
When configuring inter-AS VPN Option B with basic networking, note the following:

• An MP-EBGP peer relationship is established between ASBR1 and ASBR2, and the
ASBRs do not filter received VPNv4 routes based on VPN targets.

Configuration Roadmap
The configuration roadmap is as follows:


1. Configure an IGP on the MPLS backbone network to implement interworking of the ASBR
and PE in the same AS, and set up an MPLS LDP LSP between the ASBR and PE in the
same AS.
2. Set up EBGP peer relationships between the PEs and CEs and set up MP-IBGP peer
relationships between the PEs and ASBRs.
3. Configure VPN instances on the PEs rather than ASBRs.
4. Enable MPLS on the interface that connects one ASBR to the other ASBR, set up an MP-
EBGP peer relationship between the ASBRs, and configure the ASBRs not to filter received
VPNv4 routes based on VPN targets.

Data Preparation
To complete the configuration, you need the following data:
• MPLS LSR IDs of the PEs and ASBRs
• Names, RDs, and VPN targets of the VPN instances of the PEs

Procedure
Step 1 On the MPLS backbone networks in AS 100 and AS 200, configure an IGP to interconnect the
PE and ASBR on each network.
In this example, OSPF is used as the IGP protocol. For details, see "Configuration Files."

NOTE

The 32-bit IP address of the loopback interface that functions as the LSR ID needs to be advertised by
using OSPF.

After the configuration, the OSPF neighbor relationship can be established between the ASBR
and PE in the same AS. Run the display ospf peer command, and you can view that the neighbor
relationship is in the Full state.
The ASBR and PE in the same AS can learn and successfully ping the IP address of the loopback
interface of each other.
Step 2 Configure basic MPLS functions and MPLS LDP, and set up MPLS LDP LSPs on the MPLS
backbone networks in AS 100 and AS 200.
The detailed configuration is not mentioned here. For details, see 2.18.10 Example for
Configuring Inter-AS VPN Option A.
Step 3 Configure the basic BGP/MPLS IP VPN functions on PE1 and PE2.
NOTE

The VPN targets of the VPN instances of PE1 and PE2 must be the same.

The detailed configuration is not mentioned here. For details, see "Configuration Files."
Step 4 Configure inter-AS VPN Option B.
# On ASBR1, set up an MP-EBGP peer relationship between ASBR1 and ASBR2, and configure
ASBR1 not to filter received VPNv4 routes based on VPN targets.
[~ASBR1] bgp 100
[~ASBR1-bgp] peer 192.1.1.2 as-number 200
[~ASBR1-bgp] ipv4-family vpnv4
[~ASBR1-bgp-af-vpnv4] peer 192.1.1.2 enable
[~ASBR1-bgp-af-vpnv4] undo policy vpn-target
[~ASBR1-bgp-af-vpnv4] commit
[~ASBR1-bgp-af-vpnv4] quit
[~ASBR1-bgp] quit

The configuration of ASBR2 is similar to the configuration of ASBR1, and is not mentioned
here.
Step 5 Verify the configuration.
After the configuration, CEs can learn routes to the loopback interface of each other, and CE1
and CE2 can ping each other successfully.
Take the display on CE1 as an example.
<CE1> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.1 GigabitEthernet1/0/0
10.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
22.22.22.22/32 BGP 255 0 D 10.1.1.2 GigabitEthernet1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
<CE1> ping -a 11.11.11.11 22.22.22.22
PING 22.22.22.22: 56 data bytes, press CTRL_C to break
Reply from 22.22.22.22: bytes=56 Sequence=1 ttl=252 time=120 ms
Reply from 22.22.22.22: bytes=56 Sequence=2 ttl=252 time=73 ms
Reply from 22.22.22.22: bytes=56 Sequence=3 ttl=252 time=111 ms
Reply from 22.22.22.22: bytes=56 Sequence=4 ttl=252 time=86 ms
Reply from 22.22.22.22: bytes=56 Sequence=5 ttl=252 time=110 ms
--- 22.22.22.22 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 73/100/120 ms

Run the display bgp vpnv4 all routing-table command on an ASBR, and you can view the
VPNv4 routes on the ASBR.
Take the display on ASBR1 as an example.
<ASBR1> display bgp vpnv4 all routing-table
Local AS number : 100
BGP Local router ID is 2.2.2.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 2
Route Distinguisher: 100:1
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 11.11.11.11/32 1.1.1.9 0 100 0 ?
Route Distinguisher: 200:1
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 22.22.22.22/32 192.1.1.2 0 200?

----End

Configuration Files
• Configuration file of CE1
#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 11.11.11.11 255.255.255.255
#
bgp 65001
peer 10.1.1.2 as-number 100
network 11.11.11.11 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
return
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 65001
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
• Configuration file of ASBR1

#
sysname ASBR1
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 192.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 192.1.1.2 as-number 200
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 192.1.1.2 enable
peer 1.1.1.9 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 1.1.1.9 enable
peer 192.1.1.2 enable
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
• Configuration file of ASBR2
#
sysname ASBR2
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 192.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 200
peer 192.1.1.1 as-number 100
peer 4.4.4.9 as-number 200
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 192.1.1.1 enable
peer 4.4.4.9 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 4.4.4.9 enable
peer 192.1.1.1 enable
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 4.4.4.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 200
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 65002
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return

• Configuration file of CE2


#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 22.22.22.22 255.255.255.255
#
bgp 65002
peer 10.2.1.2 as-number 200
network 22.22.22.22 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.2.1.2 enable
#
return

Related Tasks
2.9 Configuring Inter-AS VPN Option B (Basic Networking)
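
The following Python model is an added example, not part of the Huawei guide: it walks a VPNv4 route from AS 200 to PE1 and applies VPN-target filtering at each hop, showing why the ASBRs, which have no VPN instance, need undo policy vpn-target, and where VPN-target filtering still takes place. The class and function names and the second sample route (RD 200:9, VPN target 9:9) are constructed for this example; the first route uses the values from the configuration files above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    rts: frozenset  # export VPN targets attached by the originating PE

@dataclass(frozen=True)
class Router:
    name: str
    import_rts: frozenset = frozenset()  # import VPN targets of all local VPN instances
    policy_vpn_target: bool = True       # False models "undo policy vpn-target"

    def accepts(self, route):
        """Apply VPN-target filtering to a received VPNv4 route."""
        if not self.policy_vpn_target:
            return True  # filtering disabled: keep every VPNv4 route
        return bool(self.import_rts & route.rts)

def walk(route, path):
    """Advertise the route hop by hop.

    Returns (names of routers that hold the route, name of the router that
    dropped it or None if every router on the path accepted it).
    """
    holders = []
    for router in path:
        if not router.accepts(route):
            return holders, router.name
        holders.append(router.name)
    return holders, None

def from_as200(route, asbr_filtering):
    """Path of a route originated by PE2: ASBR2 -> ASBR1 -> PE1 (Figure 2-34)."""
    asbr2 = Router("ASBR2", policy_vpn_target=asbr_filtering)  # no VPN instance
    asbr1 = Router("ASBR1", policy_vpn_target=asbr_filtering)  # no VPN instance
    pe1 = Router("PE1", import_rts=frozenset({"1:1"}))         # vpn1 imports 1:1
    return walk(route, [asbr2, asbr1, pe1])

# CE2's loopback as exported by PE2 (RD 200:1, VPN target 1:1 in the files above).
CE2_ROUTE = Vpnv4Route("200:1", "22.22.22.22/32", frozenset({"1:1"}))
# Constructed: a route of some other VPN in AS 200 for which PE1 has no instance.
OTHER_VPN_ROUTE = Vpnv4Route("200:9", "172.16.9.0/24", frozenset({"9:9"}))

if __name__ == "__main__":
    print(from_as200(CE2_ROUTE, asbr_filtering=False))        # this example's setup
    print(from_as200(CE2_ROUTE, asbr_filtering=True))         # ASBRs left at default
    print(from_as200(OTHER_VPN_ROUTE, asbr_filtering=False))  # unrelated VPN
```

In the third case both ASBRs hold the route and only PE1's import VPN target discards it: with filtering disabled, the ASBRs carry whatever VPNv4 routes the neighbouring AS advertises.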

2.18.12 Example for Configuring Inter-AS VPN Option B with an RR in an AS
An MP-EBGP peer relationship can be established between the ASBRs with only one hop to
implement inter-AS VPN Option B, and an RR is configured in an AS to reflect VPNv4 routes.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

As shown in Figure 2-35, CE1, CE2, and CE3 belong to the same VPN; PE1 and PE3 are in the
same AS. It is required that inter-AS VPN Option B be configured and an RR be configured in
AS 100 to reflect VPNv4 routes between PEs and between a PE and an ASBR so as to reduce
MP-IBGP connections in AS 100.


Figure 2-35 Networking of inter-AS VPN Option B with an RR in an AS

Device   Interface   IP Address
CE1      Loopback1   11.11.11.11/32
         GE1/0/0     10.1.1.1/24
PE1      Loopback1   1.1.1.1/32
         GE2/0/0     10.1.1.2/24
         POS1/0/0    172.1.1.2/24
RR       Loopback1   4.4.4.4/32
         POS1/0/0    172.1.1.1/24
         POS2/0/0    172.2.1.1/24
         POS3/0/0    172.3.1.1/24
CE3      Loopback1   33.33.33.33/32
         GE1/0/0     10.3.1.1/24
PE3      Loopback1   3.3.3.3/32
         GE2/0/0     10.3.1.2/24
         POS1/0/0    172.3.1.2/24
ASBR1    Loopback1   5.5.5.5/32
         POS1/0/0    172.2.1.2/24
         POS2/0/0    192.1.1.1/24
ASBR2    Loopback1   6.6.6.6/32
         POS1/0/0    162.1.1.1/24
         POS2/0/0    192.1.1.2/24
CE2      Loopback1   22.22.22.22/32
         GE1/0/0     10.2.1.1/24
PE2      Loopback1   2.2.2.2/32
         GE2/0/0     10.2.1.2/24
         POS1/0/0    162.1.1.2/24

Configuration Notes
When configuring inter-AS VPN Option B with an RR in an AS, note the following:

• There is no need to create VPN instances on ASBRs or configure ASBRs to filter VPNv4
routes based on VPN targets.
• PE1, PE3, and ASBR1 need to be configured as clients for the RR.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure an IGP on the MPLS backbone network to implement interworking of the ASBR
and PE in the same AS, and set up an MPLS LDP LSP between the ASBR and PE in the
same AS.
2. Set up EBGP peer relationships between the PEs and CEs and set up MP-IBGP peer
relationships between the PEs and ASBRs in the same AS.
3. Enable the route reflection for VPNv4 routes on the RR.
4. Configure VPN instances on the PEs rather than ASBRs or the RR.
5. Enable MPLS on the interface that connects one ASBR to the other ASBR, set up an MP-
EBGP peer relationship between the ASBRs, and configure the ASBRs not to filter received
VPNv4 routes based on VPN targets.


Data Preparation
To complete the configuration, you need the following data:
• AS numbers of PEs and CEs
• MPLS LSR IDs of the PEs and the ASBR-PEs
• Names, RDs, and VPN targets of the VPN instances created on PE1 and PE2

Configuration Procedures
1. On the MPLS backbone networks in AS 100 and AS 200, configure an IGP to interconnect
the devices in the same AS. In this example, OSPF is used as the IGP protocol. For details,
see "Configuration Files."
After the configuration, the OSPF neighbor relationship can be established between the
devices in the same AS. Run the display ospf peer command, and you can view that the
neighbor relationship is in the Full state. Run the display ip routing-table command, and
you can view that PEs have learnt the routes to the loopback interface of each other.
2. Configure basic MPLS functions and MPLS LDP, and set up MPLS LDP LSPs on the
MPLS backbone networks in AS 100 and AS 200.
# Configure PE1.
[~PE1] mpls lsr-id 1.1.1.1
[~PE1] mpls
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] quit
[~PE1] interface pos 1/0/0
[~PE1-Pos1/0/0] mpls
[~PE1-Pos1/0/0] mpls ldp
[~PE1-Pos1/0/0] commit
[~PE1-Pos1/0/0] quit

The configurations of PE2 and PE3 are similar to the configuration of PE1, and are not
mentioned here. For details, see "Configuration Files."
# Configure the RR.
[~RR] mpls lsr-id 4.4.4.4
[~RR] mpls
[~RR-mpls] quit
[~RR] mpls ldp
[~RR-mpls-ldp] quit
[~RR] interface pos 1/0/0
[~RR-Pos1/0/0] mpls
[~RR-Pos1/0/0] mpls ldp
[~RR-Pos1/0/0] quit
[~RR] interface pos 2/0/0
[~RR-Pos2/0/0] mpls
[~RR-Pos2/0/0] mpls ldp
[~RR-Pos2/0/0] quit
[~RR] interface pos 3/0/0
[~RR-Pos3/0/0] mpls
[~RR-Pos3/0/0] mpls ldp
[~RR-Pos3/0/0] quit
[~RR] commit

# Configure ASBR1.
[~ASBR1] mpls lsr-id 5.5.5.5
[~ASBR1] mpls
[~ASBR1-mpls] quit
[~ASBR1] mpls ldp
[~ASBR1-mpls-ldp] quit
[~ASBR1] interface pos 1/0/0
[~ASBR1-Pos1/0/0] mpls
[~ASBR1-Pos1/0/0] mpls ldp
[~ASBR1-Pos1/0/0] quit
[~ASBR1] commit
The configuration of ASBR2 is similar to the configuration of ASBR1, and is not mentioned
here. For details, see "Configuration Files."
After the configuration, LDP sessions can be set up between PEs and the RR and between
ASBRs and the RR. Run the display mpls ldp session command on each device, and you
can view that the Status field is displayed as Operational. Take the display on PE1 as an
example.
<PE1> display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
-------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
-------------------------------------------------------------------------
4.4.4.4:0 Operational DU Passive 0000:00:01 5/5
-------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
3. Set up MP-IBGP peer relationships between the PEs, ASBRs, and RR in AS 100; set up
an MP-IBGP peer relationship between the PE and ASBR in AS 200.
# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] peer 4.4.4.4 as-number 100
[~PE1-bgp] peer 4.4.4.4 connect-interface loopback 1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 4.4.4.4 enable
[~PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit
The configurations of PE2 and PE3 are similar to the configuration of PE1, and are not
mentioned here. For details, see "Configuration Files."
# Configure ASBR1.
[~ASBR1] bgp 100
[~ASBR1-bgp] peer 4.4.4.4 as-number 100
[~ASBR1-bgp] peer 4.4.4.4 connect-interface loopback 1
[~ASBR1-bgp] ipv4-family vpnv4
[~ASBR1-bgp-af-vpnv4] peer 4.4.4.4 enable
[~ASBR1-bgp-af-vpnv4] commit
[~ASBR1-bgp-af-vpnv4] quit
[~ASBR1-bgp] quit
The configuration of ASBR2 is similar to the configuration of ASBR1, and is not mentioned
here. For details, see "Configuration Files."
Set up MP-IBGP peer relationships between the RR and PE1, PE3, and ASBR1.
[~RR] bgp 100
[~RR-bgp] peer 1.1.1.1 as-number 100
[~RR-bgp] peer 1.1.1.1 connect-interface loopback 1
[~RR-bgp] peer 3.3.3.3 as-number 100
[~RR-bgp] peer 3.3.3.3 connect-interface loopback 1
[~RR-bgp] peer 5.5.5.5 as-number 100
[~RR-bgp] peer 5.5.5.5 connect-interface loopback 1
[~RR-bgp] ipv4-family vpnv4
[~RR-bgp-af-vpnv4] peer 1.1.1.1 enable
[~RR-bgp-af-vpnv4] peer 3.3.3.3 enable
[~RR-bgp-af-vpnv4] peer 5.5.5.5 enable
[~RR-bgp-af-vpnv4] commit
[~RR-bgp-af-vpnv4] quit
[~RR-bgp] quit
After the configuration, run the display bgp peer or display bgp vpnv4 all peer command
on the PEs, RR, or ASBRs, and you can view that the BGP peer relationships have been
established between the PEs or ASBRs and the RR in AS 100. Take the display on the RR
as an example:
<RR> display bgp vpnv4 all peer
BGP local router ID : 4.4.4.4
Local AS number : 100
Total number of peers : 3 Peers in established state : 3
Peer      V  AS   MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
1.1.1.1   4  100  12       18       0     00:09:38  Established  0
3.3.3.3   4  100  12       18       0     00:09:38  Established  0
5.5.5.5   4  100  12       18       0     00:09:38  Established  0

4. Enable the route reflection for VPNv4 routes on the RR.


# Configure the RR.
[~RR] bgp 100
[~RR-bgp] ipv4-family vpnv4
[~RR-bgp-af-vpnv4] undo policy vpn-target
[~RR-bgp-af-vpnv4] peer 1.1.1.1 reflect-client
[~RR-bgp-af-vpnv4] peer 3.3.3.3 reflect-client
[~RR-bgp-af-vpnv4] peer 5.5.5.5 reflect-client
[~RR-bgp-af-vpnv4] commit
[~RR-bgp-af-vpnv4] quit
[~RR-bgp] quit

5. Configure VPN instances on the PEs and connect the CEs to the PEs through the VPN
instances.
# Configure PE1.
[~PE1] ip vpn-instance vpna
[~PE1-vpn-instance-vpna] ipv4-family
[~PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[~PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] interface gigabitethernet 2/0/0
[~PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[~PE1-GigabitEthernet2/0/0] ip address 10.1.1.2 24
[~PE1-GigabitEthernet2/0/0] quit
[~PE1] commit

The configurations of PE2 and PE3 are similar to the configuration of PE1, and are not
mentioned here. For details, see "Configuration Files."
# After the configuration, run the display ip vpn-instance verbose command on PEs to
view the configurations of VPN instances.
<PE1> display ip vpn-instance verbose
Total VPN-Instances configured : 1
VPN-Instance Name and ID : vpna, 1
Interfaces : GigabitEthernet2/0/0
Address family ipv4
Create date : 2009/09/18 11:30:35
Up time : 0 days, 00 hours, 05 minutes and 19 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label policy: label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe

6. Set up EBGP peer relationships between the PEs and CEs, and import VPN routes to the
loopback interfaces of the CEs.
# Configure CE1.
[~CE1] interface loopback 1
[~CE1-Loopback1] ip address 11.11.11.11 32
[~CE1-Loopback1] quit
[~CE1] bgp 65001
[~CE1-bgp] peer 10.1.1.2 as-number 100
[~CE1-bgp] network 11.11.11.11 32
[~CE1-bgp] quit
[~CE1] commit

The configurations of CE2 and CE3 are similar to the configuration of CE1, and are not
mentioned here. For details, see "Configuration Files."
# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpna
[~PE1-bgp-vpna] peer 10.1.1.1 as-number 65001
[~PE1-bgp-vpna] commit
[~PE1-bgp-vpna] quit

The configurations of PE2 and PE3 are similar to the configuration of PE1, and are not
mentioned here. For details, see "Configuration Files."
After the configuration, run the display bgp vpnv4 vpn-instance peer command on the
PEs, and you can view that BGP peer relationships have been established between the PEs
and CEs.
Take the peer relationship between PE1 and CE1 as an example.
<PE1> display bgp vpnv4 vpn-instance vpna peer
BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer      V  AS     MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
10.1.1.1  4  65001  11       9        0     00:06:37  Established  1

7. Set up an MP-EBGP peer relationship between the ASBRs, and configure the ASBRs not
to filter received VPNv4 routes based on VPN targets.
# On ASBR1, set up an MP-EBGP peer relationship between ASBR1 and ASBR2, and
configure ASBR1 not to filter received VPNv4 routes based on VPN targets.
[~ASBR1] bgp 100
[~ASBR1-bgp] peer 192.1.1.2 as-number 200
[~ASBR1-bgp] ipv4-family vpnv4
[~ASBR1-bgp-af-vpnv4] peer 192.1.1.2 enable
[~ASBR1-bgp-af-vpnv4] undo policy vpn-target
[~ASBR1-bgp-af-vpnv4] commit
[~ASBR1-bgp-af-vpnv4] quit
[~ASBR1-bgp] quit

The configuration of ASBR2 is similar to the configuration of ASBR1, and is not mentioned
here. For details, see "Configuration Files."
8. Verify the configuration.
After the configuration, CEs can learn routes to the loopback interface of each other, and
CE1 and CE2 can ping each other successfully.
Take the display on CE1 as an example.
<CE1> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 7 Routes : 7
Destination/Mask    Proto   Pre  Cost  Flags  NextHop    Interface
10.1.1.0/24         Direct  0    0     D      10.1.1.1   GigabitEthernet1/0/0
10.1.1.1/32         Direct  0    0     D      127.0.0.1  InLoopBack0
11.11.11.11/32      Direct  0    0     D      127.0.0.1  LoopBack1
22.22.22.22/32      BGP     255  0     D      10.1.1.2   GigabitEthernet1/0/0
33.33.33.33/32      BGP     255  0     D      10.1.1.2   GigabitEthernet1/0/0
127.0.0.0/8         Direct  0    0     D      127.0.0.1  InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1  InLoopBack0
<CE1> ping -a 11.11.11.11 22.22.22.22
PING 22.22.22.22: 56 data bytes, press CTRL_C to break
Reply from 22.22.22.22: bytes=56 Sequence=1 ttl=252 time=120 ms
Reply from 22.22.22.22: bytes=56 Sequence=2 ttl=252 time=73 ms
Reply from 22.22.22.22: bytes=56 Sequence=3 ttl=252 time=111 ms
Reply from 22.22.22.22: bytes=56 Sequence=4 ttl=252 time=86 ms
Reply from 22.22.22.22: bytes=56 Sequence=5 ttl=252 time=110 ms
--- 22.22.22.22 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 73/100/120 ms

Run the display bgp vpnv4 all routing-table command on the RR or ASBRs, and you can
view the VPNv4 routes on the RR or ASBRs.
<RR> display bgp vpnv4 all routing-table
Local AS number : 100

BGP Local router ID is 4.4.4.4


Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total number of routes from all PE: 3


Route Distinguisher: 100:1

Network NextHop MED LocPrf PrefVal Path/Ogn

*>i 11.11.11.11/32 1.1.1.1 0 100 0 ?


Route Distinguisher: 200:2

Network NextHop MED LocPrf PrefVal Path/Ogn

*>i 22.22.22.22/32 5.5.5.5 0 100 0 ?


Route Distinguisher: 100:3

Network NextHop MED LocPrf PrefVal Path/Ogn

*>i 33.33.33.33/32 3.3.3.3 0 100 0 ?

Configuration Files
• Configuration file of CE1
#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 11.11.11.11 255.255.255.255
#
bgp 65001
peer 10.1.1.2 as-number 100
network 11.11.11.11 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
#
return
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 4.4.4.4 as-number 100
peer 4.4.4.4 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 4.4.4.4 enable
#
ipv4-family vpnv4
policy vpn-target
peer 4.4.4.4 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65001
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 1.1.1.1 0.0.0.0
#
return
• Configuration file of PE3
#
sysname PE3
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:3
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.3
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.3.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
peer 4.4.4.4 as-number 100
peer 4.4.4.4 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 4.4.4.4 enable
#
ipv4-family vpnv4
policy vpn-target
peer 4.4.4.4 enable
#
ipv4-family vpn-instance vpna
peer 10.3.1.1 as-number 65003
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 172.3.1.0 0.0.0.255
#
return
• Configuration file of CE3
#
sysname CE3
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.3.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 33.33.33.33 255.255.255.255
#
bgp 65003
peer 10.3.1.2 as-number 100
network 33.33.33.33 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.3.1.2 enable
#
return
• Configuration file of the RR
#
sysname RR
#
mpls lsr-id 4.4.4.4
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 172.3.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
peer 5.5.5.5 as-number 100
peer 5.5.5.5 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
peer 3.3.3.3 enable
peer 5.5.5.5 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 1.1.1.1 enable
peer 1.1.1.1 reflect-client
peer 3.3.3.3 enable
peer 3.3.3.3 reflect-client
peer 5.5.5.5 enable
peer 5.5.5.5 reflect-client
#
ospf 1
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
network 172.3.1.0 0.0.0.255
#
return
• Configuration file of ASBR1
#
sysname ASBR1
#
mpls lsr-id 5.5.5.5
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 192.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 5.5.5.5 255.255.255.255
#
bgp 100
peer 4.4.4.4 as-number 100
peer 4.4.4.4 connect-interface LoopBack1
peer 192.1.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
peer 4.4.4.4 enable
peer 192.1.1.2 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 4.4.4.4 enable
peer 192.1.1.2 enable
#
ospf 1
area 0.0.0.0
network 5.5.5.5 0.0.0.0
network 172.2.1.0 0.0.0.255
#
return
• Configuration file of ASBR2
#
sysname ASBR2
#
mpls lsr-id 6.6.6.6
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 192.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 6.6.6.6 255.255.255.255
#
bgp 200
peer 2.2.2.2 as-number 200
peer 2.2.2.2 connect-interface LoopBack1
peer 192.1.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
peer 192.1.1.1 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 2.2.2.2 enable
peer 192.1.1.1 enable
#
ospf 1
area 0.0.0.0
network 6.6.6.6 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:2
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 2.2.2.2
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.2.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 200
peer 6.6.6.6 as-number 200
peer 6.6.6.6 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 6.6.6.6 enable
#
ipv4-family vpnv4
policy vpn-target
peer 6.6.6.6 enable
#
ipv4-family vpn-instance vpna
peer 10.2.1.1 as-number 65002
#
ospf 1
area 0.0.0.0
network 162.1.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
return
• Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 22.22.22.22 255.255.255.255
#
bgp 65002
peer 10.2.1.2 as-number 200
network 22.22.22.22 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.2.1.2 enable
#
return
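
In this example both ASBRs run undo policy vpn-target and apply no export policy toward each other, so every VPNv4 route an ASBR holds is offered across the AS boundary. The audit script below is an added example, not part of the Huawei guide: it reads a configuration file in the format shown above and reports MP-EBGP VPNv4 peers that have no export route-policy. Both sample configurations are constructed from commands in this guide (the filtered one uses the rd-filter and route-policy lines of section 2.18.13); the function name and finding labels are this example's own.

```python
import re

# Constructed sample: ASBR1 as set up by the procedure in this example
# (VPN-target filtering disabled, no export policy toward the MP-EBGP peer).
ASBR_UNFILTERED = """\
sysname ASBR1
#
bgp 100
peer 4.4.4.4 as-number 100
peer 4.4.4.4 connect-interface LoopBack1
peer 192.1.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
peer 4.4.4.4 enable
peer 192.1.1.2 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 4.4.4.4 enable
peer 192.1.1.2 enable
#
ospf 1
area 0.0.0.0
network 5.5.5.5 0.0.0.0
#
return
"""

# Constructed sample: the same device with an RD-based export policy added.
ASBR_FILTERED = (
    "ip rd-filter 10 deny 100:3\n#\n"
    "route-policy test permit node 10\nif-match rd-filter 10\n#\n"
    + ASBR_UNFILTERED.replace(
        "undo policy vpn-target\n",
        "undo policy vpn-target\npeer 192.1.1.2 route-policy test export\n"))


def audit_vpnv4_export(config):
    """Return (peer, peer_as, finding) for each MP-EBGP VPNv4 peer at risk."""
    local_as, peer_as = None, {}
    in_bgp, af, after_sep = False, None, False
    vt_filter_off = False
    enabled, export_policy, defined = [], {}, set()

    for raw in config.splitlines():
        line = raw.strip()  # indentation is optional; views are tracked by '#'
        if not line:
            continue
        if line == "#":
            af, after_sep = None, True
            continue
        if (m := re.fullmatch(r"bgp (\d+)", line)):
            in_bgp, local_as = True, int(m[1])
        elif in_bgp and line.startswith("ipv4-family "):
            af = line.split(None, 1)[1]
        elif in_bgp and after_sep:
            in_bgp = False  # '#' followed by a non-address-family line ends the BGP view
        after_sep = False

        if (m := re.fullmatch(r"route-policy (\S+) (?:permit|deny) node \d+", line)):
            defined.add(m[1])
        if not in_bgp:
            continue
        if af is None and (m := re.fullmatch(r"peer (\S+) as-number (\d+)", line)):
            peer_as[m[1]] = int(m[2])
        elif af == "vpnv4":
            if line == "undo policy vpn-target":
                vt_filter_off = True
            elif (m := re.fullmatch(r"peer (\S+) enable", line)):
                enabled.append(m[1])
            elif (m := re.fullmatch(r"peer (\S+) route-policy (\S+) export", line)):
                export_policy[m[1]] = m[2]

    findings = []
    for peer in enabled:
        remote = peer_as.get(peer)
        if remote is None or remote == local_as:
            continue  # IBGP (or undeclared) peer: not an AS boundary
        policy = export_policy.get(peer)
        if policy is None:
            if vt_filter_off:
                findings.append((peer, remote, "no-export-policy"))
        elif policy not in defined:
            findings.append((peer, remote, "undefined-policy:" + policy))
    return findings


if __name__ == "__main__":
    for name, cfg in (("unfiltered", ASBR_UNFILTERED), ("filtered", ASBR_FILTERED)):
        print(name, audit_vpnv4_export(cfg))
```

A finding does not mean the configuration is wrong for this topology, where all three CEs are meant to communicate; it marks the peers for which an export policy is the only control on what leaves the AS.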

2.18.13 Example for Configuring Inter-AS VPN Option B with an ASBR Filtering VPN Routes
A routing policy is configured on an ASBR to filter VPNv4 routes based on VPN targets and
only some VPNv4 routes are saved.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

As shown in Figure 2-36, CE1, CE2, and CE3 belong to the same VPN; PE2 is in a different
AS from PE1 and PE3. CE2 and CE3 do not need to communicate. ASBR1 must be configured
to filter VPN routes based on RDs so that the routes of CE3 are not transmitted to PE2
by ASBR2. This implements inter-AS VPN Option B.

Figure 2-36 Networking of inter-AS VPN Option B with an ASBR filtering VPN routes
[Figure: CE1 (AS 65001) attaches to PE1 and CE3 (AS 65003) attaches to PE3 in the BGP/MPLS backbone AS 100; ASBR1 in AS 100 connects to ASBR2 in the BGP/MPLS backbone AS 200; CE2 (AS 65002) attaches to PE2 in AS 200.]

Device   Interface   IP Address
CE1      Loopback1   11.11.11.11/32
CE1      GE 1/0/0    10.1.1.1/24
PE1      Loopback1   1.1.1.1/32
PE1      GE 2/0/0    10.1.1.2/24
PE1      POS 1/0/0   172.1.1.2/24
CE3      Loopback1   33.33.33.33/32
CE3      GE 1/0/0    10.3.1.1/24
PE3      Loopback1   3.3.3.3/32
PE3      GE 2/0/0    10.3.1.2/24
PE3      POS 1/0/0   172.3.1.2/24
ASBR1    Loopback1   5.5.5.5/32
ASBR1    POS 1/0/0   172.1.1.1/24
ASBR1    POS 2/0/0   192.1.1.1/24
ASBR1    POS 3/0/0   172.3.1.1/24
ASBR2    Loopback1   6.6.6.6/32
ASBR2    POS 1/0/0   162.1.1.1/24
ASBR2    POS 2/0/0   192.1.1.2/24
CE2      Loopback1   22.22.22.22/32
CE2      GE 1/0/0    10.2.1.1/24
PE2      Loopback1   2.2.2.2/32
PE2      GE 2/0/0    10.2.1.2/24
PE2      POS 1/0/0   162.1.1.2/24

Configuration Notes
When configuring inter-AS VPN Option B with an ASBR filtering VPN routes, note the
following:

• An MP-IBGP peer relationship needs to be established between PE1 and PE3.
• There is no need to create VPN instances on the ASBRs. One ASBR needs to filter the
VPNv4 routes advertised to the other ASBR based on RDs.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure an IGP on the MPLS backbone network to implement interworking of the ASBR
and PE in the same AS, and set up an MPLS LDP LSP between the ASBR and PE in the
same AS.
2. Set up EBGP peer relationships between the PEs and CEs and set up MP-IBGP peer
relationships between the PEs and ASBR-PEs.
3. Configure VPN instances on the PEs rather than ASBRs.
4. Enable MPLS on the interface that connects one ASBR to the other ASBR and set up an
MP-EBGP peer relationship between the ASBRs. One ASBR needs to filter the VPNv4
routes advertised to the other ASBR based on RDs.

Data Preparation
To complete the configuration, you need the following data:

• MPLS LSR IDs of the PEs and ASBRs
• Names, RDs, and VPN targets of the VPN instances of the PEs
• Routing policy used by an ASBR to filter VPN routes based on VPN targets

Procedure
Step 1 On the MPLS backbone networks in AS 100 and AS 200, configure an IGP to interconnect the
devices in the same AS.
In this example, OSPF is used as the IGP protocol. For details, see "Configuration Files."
After the configuration, the OSPF neighbor relationships can be established between the devices
in the same AS. Run the display ospf peer command, and you can view that the neighbor
relationship is in the Full state. Run the display ip routing-table command, and you can view
that PEs or ASBRs have learnt the routes to the loopback interface of each other.
Step 2 Configure basic MPLS functions and MPLS LDP, and set up LDP LSPs on the MPLS backbone
network of each AS.
# Configure PE1.
[~PE1] mpls lsr-id 1.1.1.1
[~PE1] mpls
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] quit
[~PE1] interface pos 1/0/0
[~PE1-Pos1/0/0] mpls
[~PE1-Pos1/0/0] mpls ldp
[~PE1-Pos1/0/0] commit
[~PE1-Pos1/0/0] quit

The configurations of PE2 and PE3 are similar to the configuration of PE1, and are not mentioned
here. For details, see "Configuration Files."
# Configure ASBR1.
[~ASBR1] mpls lsr-id 5.5.5.5
[~ASBR1] mpls
[~ASBR1-mpls] quit
[~ASBR1] mpls ldp
[~ASBR1-mpls-ldp] quit
[~ASBR1] interface pos 1/0/0
[~ASBR1-Pos1/0/0] mpls
[~ASBR1-Pos1/0/0] mpls ldp
[~ASBR1-Pos1/0/0] commit
[~ASBR1-Pos1/0/0] quit

The configuration of ASBR2 is similar to the configuration of ASBR1, and is not mentioned
here. For details, see "Configuration Files."
After the configuration, the LDP sessions can be established between the PEs. Run the display
mpls ldp session command on each device, and you can view that the Status field is displayed
as Operational. Take the display on PE1 as an example.
<PE1> display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
-------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
-------------------------------------------------------------------------
4.4.4.4:0 Operational DU Passive 0000:00:01 5/5
-------------------------------------------------------------------------
TOTAL: 1 session(s) Found.

Step 3 Set up MP-IBGP peer relationships between the PEs and ASBR in each AS; set up an MP-IBGP
peer relationship between PE1 and PE3 in AS 100.
# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] peer 3.3.3.3 as-number 100
[~PE1-bgp] peer 3.3.3.3 connect-interface loopback 1
[~PE1-bgp] peer 5.5.5.5 as-number 100
[~PE1-bgp] peer 5.5.5.5 connect-interface loopback 1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 3.3.3.3 enable
[~PE1-bgp-af-vpnv4] peer 5.5.5.5 enable
[~PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit

The configurations of PE2 and PE3 are similar to the configuration of PE1, and are not mentioned
here. For details, see "Configuration Files."
# Configure ASBR1.
[~ASBR1] bgp 100
[~ASBR1-bgp] peer 1.1.1.1 as-number 100
[~ASBR1-bgp] peer 1.1.1.1 connect-interface loopback 1
[~ASBR1-bgp] peer 3.3.3.3 as-number 100
[~ASBR1-bgp] peer 3.3.3.3 connect-interface loopback 1
[~ASBR1-bgp] ipv4-family vpnv4
[~ASBR1-bgp-af-vpnv4] peer 1.1.1.1 enable
[~ASBR1-bgp-af-vpnv4] peer 3.3.3.3 enable
[~ASBR1-bgp-af-vpnv4] commit
[~ASBR1-bgp-af-vpnv4] quit
[~ASBR1-bgp] quit

The configuration of ASBR2 is similar to the configuration of ASBR1, and is not mentioned
here. For details, see "Configuration Files."
After the configuration, run the display bgp vpnv4 all peer command on the PEs or ASBRs,
and you can view that MP-IBGP peer relationships have been established between the PEs and
ASBRs. Take the display on PE1 as an example.
<PE1> display bgp vpnv4 all peer
BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
3.3.3.3 4 100 12 18 0 00:09:38 Established 0
5.5.5.5 4 100 12 18 0 00:09:38 Established 0

Step 4 Configure VPN instances on the PEs and connect the CEs to the PEs through the VPN instances.
# Configure PE1.
[~PE1] ip vpn-instance vpna
[~PE1-vpn-instance-vpna] ipv4-family
[~PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[~PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] interface gigabitethernet 2/0/0
[~PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[~PE1-GigabitEthernet2/0/0] ip address 10.1.1.2 24
[~PE1-GigabitEthernet2/0/0] commit
[~PE1-GigabitEthernet2/0/0] quit

# Configure PE2.
[~PE2] ip vpn-instance vpna
[~PE2-vpn-instance-vpna] ipv4-family
[~PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:2
[~PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE2-vpn-instance-vpna-af-ipv4] quit
[~PE2-vpn-instance-vpna] quit
[~PE2] interface gigabitethernet 2/0/0
[~PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[~PE2-GigabitEthernet2/0/0] ip address 10.2.1.2 24
[~PE2-GigabitEthernet2/0/0] commit
[~PE2-GigabitEthernet2/0/0] quit

# Configure PE3.
[~PE3] ip vpn-instance vpna
[~PE3-vpn-instance-vpna] ipv4-family
[~PE3-vpn-instance-vpna-af-ipv4] route-distinguisher 100:3
[~PE3-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE3-vpn-instance-vpna-af-ipv4] quit
[~PE3-vpn-instance-vpna] quit
[~PE3] interface gigabitethernet 2/0/0
[~PE3-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[~PE3-GigabitEthernet2/0/0] ip address 10.3.1.2 24
[~PE3-GigabitEthernet2/0/0] commit
[~PE3-GigabitEthernet2/0/0] quit

# After the configuration, run the display ip vpn-instance verbose command on PEs to view
the configurations of VPN instances.
<PE1> display ip vpn-instance verbose
Total VPN-Instances configured : 1
VPN-Instance Name and ID : vpna, 1
Interfaces : GigabitEthernet2/0/0
Address family ipv4
Create date : 2009/09/18 11:30:35
Up time : 0 days, 00 hours, 05 minutes and 19 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label policy: label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe

Step 5 Set up EBGP peer relationships between the PEs and CEs, and import VPN routes to the loopback
interfaces of the CEs.

# Configure CE1.
[~CE1] interface loopback 1
[~CE1-Loopback1] ip address 11.11.11.11 32
[~CE1-Loopback1] quit
[~CE1] bgp 65001
[~CE1-bgp] peer 10.1.1.2 as-number 100
[~CE1-bgp] network 11.11.11.11 32
[~CE1-bgp] quit
[~CE1] commit

The configurations of CE2 and CE3 are similar to the configuration of CE1, and are not
mentioned here. For details, see "Configuration Files."

# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpna
[~PE1-bgp-vpna] peer 10.1.1.1 as-number 65001
[~PE1-bgp-vpna] commit
[~PE1-bgp-vpna] quit

The configurations of PE2 and PE3 are similar to the configuration of PE1, and are not mentioned
here. For details, see "Configuration Files."

After the configuration, run the display bgp vpnv4 vpn-instance peer command on the PEs,
and you can view that BGP peer relationships have been established between the PEs and CEs.
Take the peer relationship between PE1 and CE1 as an example.
<PE1> display bgp vpnv4 vpn-instance vpna peer
BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 65001 11 9 0 00:06:37 Established 1

Step 6 Set up an MP-EBGP peer relationship between the ASBRs, and configure the ASBRs to filter
received VPNv4 routes.
# On ASBR1, set up an MP-EBGP peer relationship between ASBR1 and ASBR2, and configure
ASBR1 to filter received VPNv4 routes.
[~ASBR1] ip rd-filter 10 deny 100:3
[~ASBR1] route-policy test permit node 10
[~ASBR1-route-policy] if-match rd-filter 10
[~ASBR1-route-policy] commit
[~ASBR1-route-policy] quit
[~ASBR1] bgp 100
[~ASBR1-bgp] peer 192.1.1.2 as-number 200
[~ASBR1-bgp] ipv4-family vpnv4
[~ASBR1-bgp-af-vpnv4] peer 192.1.1.2 enable
[~ASBR1-bgp-af-vpnv4] peer 192.1.1.2 route-policy test export
[~ASBR1-bgp-af-vpnv4] commit
[~ASBR1-bgp-af-vpnv4] quit
[~ASBR1-bgp] quit

# On ASBR2, set up an MP-EBGP peer relationship between ASBR2 and ASBR1, and configure
ASBR2 not to filter received VPNv4 routes.
[~ASBR2] bgp 200
[~ASBR2-bgp] peer 192.1.1.1 as-number 100
[~ASBR2-bgp] ipv4-family vpnv4
[~ASBR2-bgp-af-vpnv4] peer 192.1.1.1 enable
[~ASBR2-bgp-af-vpnv4] undo policy vpn-target
[~ASBR2-bgp-af-vpnv4] commit
[~ASBR2-bgp-af-vpnv4] quit
[~ASBR2-bgp] quit

Step 7 Verify the configuration.


After the configuration, run the display bgp vpnv4 all routing-table command on ASBR1, and
you can view routes sent by PE3.
<ASBR1> display bgp vpnv4 all routing-table
Local AS number : 100

BGP Local router ID is 5.5.5.5


Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total number of routes from all PE: 3


Route Distinguisher: 100:1

Network NextHop MED LocPrf PrefVal Path/Ogn

*>i 11.11.11.11/32 1.1.1.1 0 100 0 ?


Route Distinguisher: 200:2

Network NextHop MED LocPrf PrefVal Path/Ogn

*>i 22.22.22.22/32 6.6.6.6 0 100 0 ?

Route Distinguisher: 100:3

Network NextHop MED LocPrf PrefVal Path/Ogn

*>i 33.33.33.33/32 3.3.3.3 0 100 0 ?

Run the display bgp vpnv4 all routing-table command on ASBR2, and you can view that there
are no routes sent from PE3.
<ASBR2> display bgp vpnv4 all routing-table
Local AS number : 200

BGP Local router ID is 6.6.6.6


Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total number of routes from all PE: 2


Route Distinguisher: 100:1

Network NextHop MED LocPrf PrefVal Path/Ogn

*>i 11.11.11.11/32 5.5.5.5 0 100 0 ?


Route Distinguisher: 200:2

Network NextHop MED LocPrf PrefVal Path/Ogn


*>i 22.22.22.22/24 2.2.2.2 0 100 0 ?

CE1 and CE3, and CE1 and CE2 can successfully ping each other whereas CE2 and CE3 cannot
successfully ping each other.
<CE1> ping -a 11.11.11.11 33.33.33.33
PING 33.33.33.33: 56 data bytes, press CTRL_C to break
Reply from 33.33.33.33: bytes=56 Sequence=1 ttl=252 time=120 ms
Reply from 33.33.33.33: bytes=56 Sequence=2 ttl=252 time=73 ms
Reply from 33.33.33.33: bytes=56 Sequence=3 ttl=252 time=111 ms
Reply from 33.33.33.33: bytes=56 Sequence=4 ttl=252 time=86 ms
Reply from 33.33.33.33: bytes=56 Sequence=5 ttl=252 time=110 ms
--- 33.33.33.33 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 73/100/120 ms
<CE2> ping -a 22.22.22.22 33.33.33.33
PING 33.33.33.33: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out

--- 33.33.33.33 ping statistics ---


5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

----End

Configuration Files
- Configuration file of CE1
#
sysname CE1
#

interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface Loopback1
undo shutdown
ip address 11.11.11.11 255.255.255.255
#
bgp 65001
peer 10.1.1.2 as-number 100
network 11.11.11.11 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
#
return
- Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
peer 5.5.5.5 as-number 100
peer 5.5.5.5 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
peer 5.5.5.5 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
peer 5.5.5.5 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65001
#
ospf 1
area 0.0.0.0

network 172.1.1.0 0.0.0.255


network 1.1.1.1 0.0.0.0
#
return
- Configuration file of PE3
#
sysname PE3
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:3
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.3
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.3.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
peer 5.5.5.5 as-number 100
peer 5.5.5.5 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
peer 5.5.5.5 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
peer 5.5.5.5 enable
#
ipv4-family vpn-instance vpna
peer 10.3.1.1 as-number 65003
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 172.3.1.0 0.0.0.255
#
return
- Configuration file of CE3
#
sysname CE3
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.3.1.1 255.255.255.0
#

interface Loopback1
undo shutdown
ip address 33.33.33.33 255.255.255.255
#
bgp 65003
peer 10.3.1.2 as-number 100
network 33.33.33.33 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.3.1.2 enable
#
return
- Configuration file of ASBR1
#
sysname ASBR1
#
mpls lsr-id 5.5.5.5
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 192.1.1.1 255.255.255.0
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 172.3.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 5.5.5.5 255.255.255.255
#
route-policy test permit node 10
if-match rd-filter 10
#
ip rd-filter 10 deny 100:3
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
peer 6.6.6.6 as-number 200
peer 6.6.6.6 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
peer 3.3.3.3 enable
peer 6.6.6.6 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 1.1.1.1 enable
peer 3.3.3.3 enable
peer 6.6.6.6 enable

peer 6.6.6.6 route-policy test export


#
ospf 1
area 0.0.0.0
network 5.5.5.5 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.3.1.0 0.0.0.255
#
return
- Configuration file of ASBR2
#
sysname ASBR2
#
mpls lsr-id 6.6.6.6
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 192.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 6.6.6.6 255.255.255.255
#
bgp 200
peer 2.2.2.2 as-number 200
peer 2.2.2.2 connect-interface LoopBack1
peer 5.5.5.5 as-number 100
peer 5.5.5.5 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
peer 5.5.5.5 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 2.2.2.2 enable
peer 5.5.5.5 enable
#
ospf 1
area 0.0.0.0
network 6.6.6.6 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
- Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:2
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 2.2.2.2
#

mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.2.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 200
peer 6.6.6.6 as-number 200
peer 6.6.6.6 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 6.6.6.6 enable
#
ipv4-family vpnv4
policy vpn-target
peer 6.6.6.6 enable
#
ipv4-family vpn-instance vpna
peer 10.2.1.1 as-number 65002
#
ospf 1
area 0.0.0.0
network 162.1.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
return

- Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface Loopback1
undo shutdown
ip address 22.22.22.22 255.255.255.255
#
bgp 65002
peer 10.2.1.2 as-number 200
network 22.22.22.22 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.2.1.2 enable
#
return
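
The check below is an added example, not part of the Huawei guide: a Python lint over saved configurations in the format of the files above. It reports BGP peers whose declared AS number disagrees with the peer device's own AS, VPNv4 peers enabled without an as-number, and EBGP VPNv4 peers that (as ASBR2 does in Step 6) have VPN-target filtering disabled and no route-policy applied. The sample configurations are constructed and condensed from this example; the finding names, and the assumption that VPN-target filtering is on unless undo policy vpn-target is present, are this example's own.

```python
"""Lint saved VRP-style configurations for inter-AS VPNv4 peering mistakes."""

# Constructed sample input, condensed from this example's configuration files.
# PE2 deliberately declares the wrong AS number for its peer 6.6.6.6.
SAMPLE_CONFIGS = {
    "ASBR1": """
interface LoopBack1
 ip address 5.5.5.5 255.255.255.255
#
bgp 100
 peer 6.6.6.6 as-number 200
 #
 ipv4-family vpnv4
  undo policy vpn-target
  peer 6.6.6.6 enable
  peer 6.6.6.6 route-policy test export
""",
    "ASBR2": """
interface LoopBack1
 ip address 6.6.6.6 255.255.255.255
#
bgp 200
 peer 2.2.2.2 as-number 200
 peer 5.5.5.5 as-number 100
 #
 ipv4-family vpnv4
  undo policy vpn-target
  peer 2.2.2.2 enable
  peer 5.5.5.5 enable
""",
    "PE2": """
interface LoopBack1
 ip address 2.2.2.2 255.255.255.255
#
bgp 200
 peer 6.6.6.6 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  peer 6.6.6.6 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 6.6.6.6 enable
""",
}


def parse_device(text):
    """Extract local AS, interface addresses and VPNv4 peer settings."""
    dev = {"local_as": None, "addresses": set(), "peer_as": {},
           "vpnv4_peers": set(), "policies": {},
           "vpn_target_filter": True}  # assumed default: filtering enabled
    in_bgp, family = False, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "#":
            continue
        if words[0] == "bgp" and len(words) == 2:
            in_bgp, family, dev["local_as"] = True, None, words[1]
        elif in_bgp and words[0] == "ipv4-family":
            family = " ".join(words[1:])
        elif in_bgp and words[0] == "peer" and len(words) >= 3:
            peer, attr = words[1], words[2]
            if attr == "as-number" and len(words) >= 4:
                dev["peer_as"][peer] = words[3]
            elif family == "vpnv4" and attr == "enable":
                dev["vpnv4_peers"].add(peer)
            elif family == "vpnv4" and attr == "route-policy" and len(words) >= 5:
                dev["policies"].setdefault(peer, []).append((words[3], words[4]))
        elif in_bgp and family == "vpnv4" and words[-2:] == ["policy", "vpn-target"]:
            dev["vpn_target_filter"] = words[0] != "undo"
        elif in_bgp and words[0] in ("undo", "policy", "network"):
            pass  # other BGP body lines, e.g. "undo synchronization"
        else:
            in_bgp = False  # any other keyword starts a new top-level section
            if words[:2] == ["ip", "address"] and len(words) >= 3:
                dev["addresses"].add(words[2])
    return dev


def audit(configs):
    """Return sorted (device, peer, finding) tuples for a set of configs."""
    devices = {name: parse_device(text) for name, text in configs.items()}
    owner = {a: name for name, d in devices.items() for a in d["addresses"]}
    findings = []
    for name, d in sorted(devices.items()):
        for peer, declared in sorted(d["peer_as"].items()):
            remote = owner.get(peer)
            if remote and devices[remote]["local_as"] != declared:
                findings.append((name, peer, "as-mismatch"))
        for peer in sorted(d["vpnv4_peers"]):
            declared = d["peer_as"].get(peer)
            if declared is None:
                findings.append((name, peer, "undeclared-peer"))
            elif (declared != d["local_as"] and not d["vpn_target_filter"]
                  and not d["policies"].get(peer)):
                findings.append((name, peer, "unfiltered-ebgp-vpnv4"))
    return findings
```

Calling audit(SAMPLE_CONFIGS) returns one unfiltered-ebgp-vpnv4 finding for ASBR2's peer 5.5.5.5 and one as-mismatch finding for PE2's peer 6.6.6.6; ASBR1 is not reported because its EBGP peer carries the route-policy test.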

2.18.14 Example for Configuring Inter-AS VPN Option B with a P Between ASBRs
An LSP is set up between the ASBRs through LDP and IGP to traverse the MPLS networks that
do not support VPN. There is a P being deployed between the ASBRs.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

As shown in Figure 2-37, CE1 and CE2 belong to the same VPN. CE1 is connected to PE1 in
AS 100, and CE2 is connected to PE2 in AS 200. The MPLS network between the ASBRs does
not support VPN. That is, there must be a P between the ASBRs. It is required that an LSP be
set up between the ASBRs in different ASs to implement inter-AS VPN Option B.

Figure 2-37 Networking diagram of inter-AS VPN Option B with a P between ASBRs

[Figure: topology diagram. CE1 (AS 65001) connects to PE1 and ASBR1 in AS 100; ASBR1 connects through the P to ASBR2 in AS 200, which connects to PE2 and CE2 (AS 65002). The interface addresses of each device are listed in "Configuration Files."]

Configuration Notes
When configuring inter-AS VPN Option B with a P between ASBRs, note the following:

- There is no need to create VPN instances on ASBRs or configure ASBRs to filter VPNv4
routes based on VPN targets.
- LDP and IGP are required between ASBRs.
- An MP-EBGP peer relationship needs to be set up between ASBRs with multiple hops.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure an IGP on the MPLS backbone network to implement interworking of the ASBR
and PE in the same AS, and set up an MPLS LDP LSP between the ASBR and PE in the
same AS.
2. Set up EBGP peer relationships between the PEs and CEs and set up MP-IBGP peer
relationships between the PEs and ASBR-PEs.
3. Configure VPN instances on the PEs rather than ASBRs.
4. Set up an EBGP peer relationship between ASBRs and set up an MPLS LDP LSP.

Data Preparation
To complete the configuration, you need the following data:

- MPLS LSR IDs of the PEs and ASBRs
- Names, RDs, and VPN targets of the VPN instances of the PEs

Procedure
Step 1 On the MPLS backbone networks in AS 100 and AS 200, configure an IGP to interconnect the
PE and ASBR on each network.

In this example, OSPF is used as the IGP protocol. For details, see "Configuration Files."

NOTE

The 32-bit IP address of the loopback interface that functions as the LSR ID needs to be advertised by
using OSPF.

After the configuration, the OSPF neighbor relationship can be established between the ASBR
and PE in the same AS. Run the display ospf peer command, and you can view that the neighbor
relationship is in the Full state.

The ASBR and PE in the same AS can learn and successfully ping the IP address of the loopback
interface of each other.

Step 2 Configure basic MPLS functions and MPLS LDP and set up LDP LSPs on the MPLS backbone
networks of AS 100 and AS 200.

The detailed configuration is not mentioned here. For details, see 2.18.10 Example for
Configuring Inter-AS VPN Option A.

Step 3 Configure the basic BGP/MPLS IP VPN functions on PE1 and PE2, as described in 2.18.1
Example for Configuring BGP/MPLS IP VPN.
NOTE

The VPN targets of the VPN instances of PE1 and PE2 must be the same.

The detailed configuration is not mentioned here. For details, see "Configuration Files."
Step 4 Set up an MPLS LDP LSP and establish an MP-EBGP neighbor relationship between the
ASBRs.
Configure an IGP between the ASBRs. In this example, OSPF is used as the IGP protocol.
# Configure ASBR1.
<ASBR1> system-view
[~ASBR1] interface pos 2/0/0
[~ASBR1-Pos2/0/0] ip address 192.1.1.1 24
[~ASBR1-Pos2/0/0] commit
[~ASBR1-Pos2/0/0] quit
[~ASBR1] ospf 2
[~ASBR1-ospf-2] area 0
[~ASBR1-ospf-2-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[~ASBR1-ospf-2-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[~ASBR1-ospf-2-area-0.0.0.0] quit
[~ASBR1-ospf-2] commit
[~ASBR1-ospf-2] quit
[~ASBR1] quit

NOTE

The process ID of the OSPF process running between the ASBRs must be different from that of the OSPF process running in each AS.

The configurations of ASBR2 and the P are similar to the configuration of ASBR1, and are not
mentioned here. For details, see "Configuration Files."
Set up an MPLS LDP LSP between the ASBRs.
<ASBR1> system-view
[~ASBR1] mpls lsr-id 2.2.2.9
[~ASBR1] mpls
[~ASBR1-mpls] quit
[~ASBR1] mpls ldp
[~ASBR1-mpls-ldp] quit
[~ASBR1] interface pos2/0/0
[~ASBR1-Pos2/0/0] mpls
[~ASBR1-Pos2/0/0] mpls ldp
[~ASBR1-Pos2/0/0] commit
[~ASBR1-Pos2/0/0] quit

The configurations of ASBR2 and the P are similar to the configuration of ASBR1, and are not
mentioned here. For details, see "Configuration Files."
After the configuration, run the display mpls ldp lsp command on the ASBRs, and you can
view that there is an MPLS LDP LSP between the ASBRs.
<ASBR1>display mpls ldp lsp
LDP LSP Information
--------------------------------------------------------------------------
SN DestAddress/Mask In/OutLabel Next-Hop In/Out-Interface
--------------------------------------------------------------------------
*1 2.2.2.9/32 Liberal
2 3.3.3.9/32 NULL/19 192.1.1.1 -------/Pos2/0/0
3 3.3.3.9/32 16/19 192.1.1.1 Pos2/0/0/Pos2/0/0
4 5.5.5.9/32 NULL/3 192.1.1.1 -------/Pos2/0/0
5 5.5.5.9/32 17/3 192.1.1.1 Pos2/0/0/Pos2/0/0
--------------------------------------------------------------------------
TOTAL: 4 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale

# Set up an MP-EBGP peer relationship between ASBR1 and ASBR2, and configure the ASBRs
not to filter received VPNv4 routes based on VPN targets.

[~ASBR1] bgp 100
[~ASBR1-bgp] peer 3.3.3.9 as-number 200
[~ASBR1-bgp] peer 3.3.3.9 connect-interface loopback1
[~ASBR1-bgp] peer 3.3.3.9 ebgp-max-hop 3
[~ASBR1-bgp] ipv4-family vpnv4
[~ASBR1-bgp-af-vpnv4] peer 3.3.3.9 enable
[~ASBR1-bgp-af-vpnv4] undo policy vpn-target
[~ASBR1-bgp-af-vpnv4] commit
[~ASBR1-bgp-af-vpnv4] quit
[~ASBR1-bgp] quit

Step 5 Verify the configuration.


After the configuration, CEs can learn routes of interfaces of each other, and CE1 and CE2 can
ping each other successfully.
Take the display on CE1 as an example.
<CE1> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.1 GigabitEthernet1/0/0
10.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
22.22.22.22/32 BGP 255 0 D 10.1.1.2 GigabitEthernet1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
<CE1> ping -a 11.11.11.11 22.22.22.22
PING 22.22.22.22: 56 data bytes, press CTRL_C to break
Reply from 22.22.22.22: bytes=56 Sequence=1 ttl=252 time=120 ms
Reply from 22.22.22.22: bytes=56 Sequence=2 ttl=252 time=73 ms
Reply from 22.22.22.22: bytes=56 Sequence=3 ttl=252 time=111 ms
Reply from 22.22.22.22: bytes=56 Sequence=4 ttl=252 time=86 ms
Reply from 22.22.22.22: bytes=56 Sequence=5 ttl=252 time=110 ms
--- 22.22.22.22 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 73/100/120 ms

Run the display bgp vpnv4 all routing-table command on the ASBRs, and you can view the
VPNv4 routes on the ASBRs.
Take the display on ASBR1 as an example.
<ASBR1> display bgp vpnv4 all routing-table
Local AS number : 100
BGP Local router ID is 2.2.2.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 2
Route Distinguisher: 100:1
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 11.11.11.11/32 1.1.1.9 0 100 0 ?
Route Distinguisher: 200:1
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 22.22.22.22/24 192.1.1.2 0 200?

----End

Configuration Files
- Configuration file of CE1
#

sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 11.11.11.11 255.255.255.255
#
bgp 65001
peer 10.1.1.2 as-number 100
network 11.11.11.11 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
return
- Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 65001
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#

return
- Configuration file of ASBR1
#
sysname ASBR1
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 192.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
peer 3.3.3.9 ebgp-max-hop 3
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
peer 1.1.1.9 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
ospf 2
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 192.1.1.0 0.0.0.255
#
return
- Configuration file of the P
#
sysname P
#
mpls lsr-id 5.5.5.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown

link-protocol ppp
ip address 192.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 192.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 5.5.5.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 5.5.5.9 0.0.0.0
network 192.1.1.0 0.0.0.255
network 192.2.1.0 0.0.0.255
#
return
- Configuration file of ASBR2
#
sysname ASBR2
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 192.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 200
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
peer 4.4.4.9 as-number 200
peer 4.4.4.9 connect-interface LoopBack1
peer 2.2.2.9 ebgp-max-hop 3
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
peer 4.4.4.9 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 4.4.4.9 enable
peer 2.2.2.9 enable
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0

network 162.1.1.0 0.0.0.255


#
ospf 2
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 192.2.1.0 0.0.0.255
#
return
- Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 4.4.4.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 200
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 65002
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
- Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#

interface Loopback 1
undo shutdown
ip address 22.22.22.22 255.255.255.255
#
bgp 65002
peer 10.2.1.2 as-number 200
network 22.22.22.22 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.2.1.2 enable
#
return

2.18.15 Example for Configuring Inter-AS VPN Option B with ASBRs Functioning as PEs
In the scenario where the backbone network spans two ASs, ASBRs need to advertise VPNv4
routes through MP-EBGP and ASBRs also function as PEs.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

In inter-AS VPN Option B, the ASBRs function as inter-AS devices to transmit VPNv4 routes
and also function as PEs to manage VPN routes. In this case, inter-AS VPN Option B with
ASBRs functioning as PEs can be deployed. This decreases the number of PEs being deployed
but puts higher requirement on the ASBR performance.
In the networking shown in Figure 2-38, it is required that inter-AS VPN Option B be configured
and ASBRs be configured to function as PEs to interconnect the CEs.

Figure 2-38 Networking diagram of inter-AS VPN Option B with ASBRs functioning as PEs

[Figure: topology diagram. CE1 (AS 65001) connects to PE1 and ASBR1 in AS 100; ASBR1 connects to ASBR2 in AS 200, which connects to PE2 and CE2 (AS 65002). CE3 (AS 65003) and CE4 (AS 65004) attach directly to the ASBRs. The interface addresses of each device are listed in "Configuration Files."]

Configuration Notes
When configuring inter-AS VPN Option B with ASBRs functioning as PEs, note the following:
- VPN instances need to be created on the ASBRs, and the ASBRs and CEs need to communicate.
- ASBRs do not filter the received VPNv4 routes based on VPN targets.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IGP on the MPLS backbone network to implement interworking of the ASBR
and PE in the same AS, and set up an MPLS LDP LSP between the ASBR and PE in the
same AS.
2. Set up MP-IBGP peer relationships between PEs and ASBRs.
3. Create VPN instances on PEs and ASBRs, and set up EBGP peer relationships between
the PEs, ASBRs, and CEs.
4. Enable MPLS on the interface that connects one ASBR to the other ASBR and set up an
MP-EBGP peer relationship between the ASBRs.

Data Preparation
To complete the configuration, you need the following data:
- MPLS LSR IDs of the PEs and ASBRs
- Names, RDs, and VPN targets of the VPN instances of the PEs and ASBRs

Procedure
Step 1 On the MPLS backbone networks in AS 100 and AS 200, configure an IGP to interconnect the
PE and ASBR on each network.
In this example, OSPF is used as the IGP protocol. For details, see "Configuration Files."
After the configuration, the OSPF neighbor relationship can be established between the ASBR
and PE in the same AS. Run the display ospf peer command, and you can view that the neighbor
relationship is in the Full state. The ASBR and PE in the same AS can learn and successfully
ping the IP address of the loopback interface of each other.
Step 2 Configure basic MPLS functions and MPLS LDP, and set up MPLS LDP LSPs on the MPLS
backbone networks in AS 100 and AS 200.
# Configure PE1.
[~PE1] mpls lsr-id 1.1.1.9
[~PE1] mpls
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] quit
[~PE1] interface pos 1/0/0
[~PE1-Pos1/0/0] mpls
[~PE1-Pos1/0/0] mpls ldp
[~PE1-Pos1/0/0] commit
[~PE1-Pos1/0/0] quit

The configuration of PE2 is similar to the configuration of PE1, and is not mentioned here. For
details, see "Configuration Files."
# Configure ASBR1.
[~ASBR1] mpls lsr-id 2.2.2.9
[~ASBR1] mpls
[~ASBR1-mpls] quit
[~ASBR1] mpls ldp
[~ASBR1-mpls-ldp] quit
[~ASBR1] interface pos 1/0/0
[~ASBR1-Pos1/0/0] mpls
[~ASBR1-Pos1/0/0] mpls ldp
[~ASBR1-Pos1/0/0] commit
[~ASBR1-Pos1/0/0] quit

The configuration of ASBR2 is similar to the configuration of ASBR1, and is not mentioned
here. For details, see "Configuration Files."
After the configuration, the LDP session can be established between the PE and ASBR. Run the
display mpls ldp session command on each device, and you can view that the Status field is
displayed as Operational. Take the display on PE1 as an example.
<PE1> display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
-------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
-------------------------------------------------------------------------
2.2.2.9:0 Operational DU Passive 0000:00:01 5/5
-------------------------------------------------------------------------
TOTAL: 1 session(s) Found.

Step 3 Set up an MP-IBGP peer relationship between the PE and ASBR in the same AS.
# Configure PE1.

[~PE1] bgp 100
[~PE1-bgp] peer 2.2.2.9 as-number 100
[~PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[~PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit

The configuration of PE2 is similar to the configuration of PE1, and is not mentioned here. For
details, see "Configuration Files."

# Configure ASBR1.
[~ASBR1] bgp 100
[~ASBR1-bgp] peer 1.1.1.9 as-number 100
[~ASBR1-bgp] peer 1.1.1.9 connect-interface loopback 1
[~ASBR1-bgp] ipv4-family vpnv4
[~ASBR1-bgp-af-vpnv4] peer 1.1.1.9 enable
[~ASBR1-bgp-af-vpnv4] commit
[~ASBR1-bgp-af-vpnv4] quit
[~ASBR1-bgp] quit

The configuration of ASBR2 is similar to the configuration of ASBR1, and is not mentioned
here. For details, see "Configuration Files."

After the configuration, run the display bgp vpnv4 all peer command on the PE or ASBR, and
you can view that an MP-IBGP peer relationship has been established between the PE and ASBR
in the same AS. Take the display on PE1 as an example.
<PE1> display bgp vpnv4 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2.2.2.2 4 100 54 59 0 00:45:03 Established 2

Step 4 Configure VPN instances on the PEs and ASBRs and connect the CEs to the PEs through the
VPN instances.

# Configure PE1.
[~PE1] ip vpn-instance vpna
[~PE1-vpn-instance-vpna] ipv4-family
[~PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[~PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] interface gigabitethernet 2/0/0
[~PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[~PE1-GigabitEthernet2/0/0] ip address 10.1.1.2 24
[~PE1-GigabitEthernet2/0/0] commit
[~PE1-GigabitEthernet2/0/0] quit

The configurations of PE2, ASBR1, and ASBR2 are similar to the configuration of PE1, and
are not mentioned here. For details, see "Configuration Files."

After the configuration, run the display ip vpn-instance verbose command on the PE or ASBR
to view the configurations of VPN instances. Take the display on PE1 as an example.

<PE1> display ip vpn-instance verbose
Total VPN-Instances configured : 1
VPN-Instance Name and ID : vpna, 1
Interfaces : GigabitEthernet2/0/0
Address family ipv4
Create date : 2009/09/18 11:30:35
Up time : 0 days, 00 hours, 05 minutes and 19 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label policy: label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe

Step 5 Set up EBGP peer relationships between the PEs, ASBRs, and CEs, and import VPN routes to
the loopback interfaces of the CEs.

# Configure CE1.
[~CE1] interface loopback 1
[~CE1-Loopback1] ip address 11.11.11.11 32
[~CE1-Loopback1] quit
[~CE1] bgp 65001
[~CE1-bgp] peer 10.1.1.2 as-number 100
[~CE1-bgp] network 11.11.11.11 32
[~CE1-bgp] quit
[~CE1] commit

The configurations of CE2, CE3, and CE4 are similar to the configuration of CE1, and are not
mentioned here. For details, see "Configuration Files."

# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpna
[~PE1-bgp-vpna] peer 10.1.1.1 as-number 65001
[~PE1-bgp-vpna] commit
[~PE1-bgp-vpna] quit

The configurations of PE2, ASBR1, and ASBR2 are similar to the configuration of PE1, and
are not mentioned here. For details, see "Configuration Files."

After the configuration, run the display bgp vpnv4 vpn-instance peer command on the PEs or
ASBRs, and you can view that BGP peer relationships have been established between the PEs
and CEs. Take the peer relationship between PE1 and CE1 as an example.
<PE1> display bgp vpnv4 vpn-instance vpna peer
BGP local router ID : 10.1.1.2
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 65001 11 9 0 00:06:37 Established 1

Step 6 Set up an MP-EBGP peer relationship between the ASBRs, and configure the ASBRs not to
filter received VPNv4 routes based on VPN targets.
[~ASBR1] bgp 100
[~ASBR1-bgp] peer 192.1.1.2 as-number 200
[~ASBR1-bgp] ipv4-family vpnv4
[~ASBR1-bgp-af-vpnv4] peer 192.1.1.2 enable
[~ASBR1-bgp-af-vpnv4] undo policy vpn-target
[~ASBR1-bgp-af-vpnv4] commit
[~ASBR1-bgp-af-vpnv4] quit
[~ASBR1-bgp] quit

The configuration of ASBR2 is similar to the configuration of ASBR1, and is not mentioned
here. For details, see "Configuration Files."

NOTE

The ASBR does not filter the received VPNv4 routes based on VPN targets. Instead, it advertises the
received routes to the peer ASBR or the PE in the same AS. The VPN routing table on the ASBR is used
to match the VPN targets. Routes that have matching VPN targets in the VPN routing table on the ASBR
are received.

Step 7 Verify the configuration.


After the configuration, run the display ip routing-table command on the CEs to view the
routes that the local CE has learned from other CEs. Take the display on CE3 as an example:
<CE3> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.3.1.0/24 Direct 0 0 D 10.3.1.1 GigabitEthernet1/0/0
10.3.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
11.11.11.11/32 BGP 255 0 RD 10.3.1.2 GigabitEthernet1/0/0
22.22.22.22/32 BGP 255 0 RD 10.3.1.2 GigabitEthernet1/0/0
33.33.33.33/32 Direct 0 0 D 127.0.0.1 LoopBack1
44.44.44.44/32 BGP 255 0 RD 10.3.1.2 GigabitEthernet1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Run the display bgp vpnv4 all routing-table command on the ASBRs, and you can view the
VPNv4 routes on the ASBRs. Take the display on ASBR1 as an example.
<ASBR1> display bgp vpnv4 all routing-table
Local AS number : 100
BGP Local router ID is 2.2.2.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 4
Route Distinguisher: 100:1
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 11.11.11.11/32 1.1.1.9 100 0 ?
Route Distinguisher: 200:1
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 22.22.22.22/32 3.3.3.9 0 200?
Route Distinguisher: 100:3
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 33.33.33.33/32 0.0.0.0 0 0 ?
Route Distinguisher: 200:4
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 44.44.44.44/32 3.3.3.9 0 100 0 200?

----End

Configuration Files
• Configuration file of CE1
#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface Loopback1
undo shutdown
ip address 11.11.11.11 255.255.255.255
#
bgp 65001
peer 10.1.1.2 as-number 100
network 11.11.11.11 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
return
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65001
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
• Configuration file of ASBR1
#
sysname ASBR1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:3
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 192.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 192.1.1.2 as-number 200
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 192.1.1.2 enable
peer 1.1.1.9 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 1.1.1.9 enable
peer 192.1.1.2 enable
#
ipv4-family vpn-instance vpna
peer 10.3.1.1 as-number 65003
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
• Configuration file of CE3
#
sysname CE3
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.3.1.1 255.255.255.0
#
interface Loopback1
undo shutdown
ip address 33.33.33.33 255.255.255.255
#
bgp 65003
peer 10.3.1.2 as-number 100
network 33.33.33.33 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.3.1.2 enable
return
• Configuration file of ASBR2
#
sysname ASBR2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:4
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.4.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 192.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 200
peer 192.1.1.1 as-number 100
peer 4.4.4.9 as-number 200
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 192.1.1.1 enable
peer 4.4.4.9 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 4.4.4.9 enable
peer 192.1.1.1 enable
#
ipv4-family vpn-instance vpna
peer 10.4.1.1 as-number 65004
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
• Configuration file of CE4
#
sysname CE4
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.4.1.1 255.255.255.0
#
interface Loopback1
undo shutdown
ip address 44.44.44.44 255.255.255.255
#
bgp 65004
peer 10.4.1.2 as-number 200
network 44.44.44.44 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.4.1.2 enable
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 4.4.4.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.2.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 200
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
peer 10.2.1.1 as-number 65002
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
• Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface Loopback1
undo shutdown
ip address 22.22.22.22 255.255.255.255
#
bgp 65002
peer 10.2.1.2 as-number 200
network 22.22.22.22 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.2.1.2 enable
#
return

Related Tasks
2.10 Configuring Inter-AS VPN Option B (ASBR Also Functioning as a PE)

2.18.16 Example for Configuring Inter-AS VPN Option B with an ASBR Functioning as an RR
In the scenario where the backbone network spans two ASs, the ASBRs need to advertise VPNv4
routes through MP-EBGP. When multiple PEs exist in the ASs, you can configure an ASBR as
an RR to simplify configurations.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

As shown in Figure 2-39, CE1, CE2, and CE3 belong to the same VPN; PE2 is in a different AS
from PE1 and PE3. Inter-AS VPN Option B is required to interconnect CE1, CE2, and CE3. To
reduce configuration complexity, configure ASBR1 as an RR instead of setting up an MP-IBGP
peer relationship between PE1 and PE3. ASBR1 then reflects the routes sent from PE1 to PE3
and the routes sent from PE3 to PE1, and sends the optimal route to ASBR2 after route
selection.

Figure 2-39 Networking diagram of inter-AS VPN Option B with an ASBR functioning as an RR

[Figure: CE1 (AS 65001) and CE3 (AS 65003) connect to PE1 and PE3 in AS 100; CE2 (AS 65002)
connects to PE2 in AS 200. ASBR1 (RR) in AS 100 connects to ASBR2 in AS 200.]

Device   Interface   IP Address
CE1      Loopback1   11.11.11.11/32
CE1      GE 1/0/0    10.1.1.1/24
PE1      Loopback1   1.1.1.1/32
PE1      GE 2/0/0    10.1.1.2/24
PE1      POS 1/0/0   172.1.1.2/24
CE3      Loopback1   33.33.33.33/32
CE3      GE 1/0/0    10.3.1.1/24
PE3      Loopback1   3.3.3.3/32
PE3      GE 2/0/0    10.3.1.2/24
PE3      POS 1/0/0   172.3.1.2/24
ASBR1    Loopback1   5.5.5.5/32
ASBR1    POS 1/0/0   172.1.1.1/24
ASBR1    POS 2/0/0   192.1.1.1/24
ASBR1    POS 3/0/0   172.3.1.1/24
ASBR2    Loopback1   6.6.6.6/32
ASBR2    POS 1/0/0   162.1.1.1/24
ASBR2    POS 2/0/0   192.1.1.2/24
CE2      Loopback1   22.22.22.22/32
CE2      GE 1/0/0    10.2.1.1/24
PE2      Loopback1   2.2.2.2/32
PE2      GE 2/0/0    10.2.1.2/24
PE2      POS 1/0/0   162.1.1.2/24

Configuration Notes
When configuring inter-AS VPN Option B with an ASBR functioning as an RR, note the
following:

• ASBR1 needs to be configured as an RR, with PE1 and PE3 as its clients.
• ASBR1 does not filter the received VPNv4 routes based on VPN targets.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure an IGP on the MPLS backbone network to interwork the ASBR and PE in the
same AS, and set up an MPLS LDP LSP between the ASBR and PE in the same AS.
2. Set up EBGP peer relationships between the PEs and CEs and set up MP-IBGP peer
relationships between the PEs and ASBR-PEs.
3. Configure VPN instances on the PEs rather than ASBRs.
4. Set up an MP-EBGP peer relationship between the ASBRs.
5. Configure ASBR1 as an RR.

Data Preparation
To complete the configuration, you need the following data:

• MPLS LSR IDs of the PEs and ASBRs
• Names, RDs, and VPN targets of the VPN instances of the PEs

Procedure
Step 1 On the MPLS backbone networks in AS 100 and AS 200, configure an IGP to interconnect the
PE and ASBR on each network.

In this example, OSPF is used as the IGP protocol. For details, see "Configuration Files."

After the configuration, the OSPF neighbor relationships can be established between the PEs
and ASBRs. Run the display ospf peer command, and you can view that the neighbor
relationship is in the Full state. Run the display ip routing-table command, and you can view
that PEs or ASBRs have learnt the routes to the loopback interface of each other.

Step 2 Configure basic MPLS functions and MPLS LDP, and set up LDP LSPs on the MPLS backbone
network of each AS.

# Configure PE1.
[~PE1] mpls lsr-id 1.1.1.1
[~PE1] mpls
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] quit
[~PE1] interface pos 1/0/0
[~PE1-Pos1/0/0] mpls
[~PE1-Pos1/0/0] mpls ldp
[~PE1-Pos1/0/0] commit
[~PE1-Pos1/0/0] quit

The configurations of PE2 and PE3 are similar to the configuration of PE1, and are not mentioned
here. For details, see "Configuration Files."

# Configure ASBR1.
[~ASBR1] mpls lsr-id 5.5.5.5
[~ASBR1] mpls
[~ASBR1-mpls] quit
[~ASBR1] mpls ldp
[~ASBR1-mpls-ldp] quit
[~ASBR1] interface pos 1/0/0
[~ASBR1-Pos1/0/0] mpls
[~ASBR1-Pos1/0/0] mpls ldp
[~ASBR1-Pos1/0/0] commit
[~ASBR1-Pos1/0/0] quit
[~ASBR1] interface pos 3/0/0
[~ASBR1-Pos3/0/0] mpls
[~ASBR1-Pos3/0/0] mpls ldp
[~ASBR1-Pos3/0/0] commit
[~ASBR1-Pos3/0/0] quit

The configuration of ASBR2 is similar to the configuration of ASBR1, and is not mentioned
here. For details, see "Configuration Files."

After the configuration, the LDP sessions can be established between the PE and ASBR. Run
the display mpls ldp session command on each device, and you can view that the Status field
is displayed as Operational. Take the display on PE1 as an example.
<PE1> display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
-------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
-------------------------------------------------------------------------
5.5.5.5:0 Operational DU Passive 0000:00:01 5/5
-------------------------------------------------------------------------

TOTAL: 1 session(s) Found.

Step 3 Set up an MP-IBGP peer relationship between the PE and ASBR in the same AS.
# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] peer 5.5.5.5 as-number 100
[~PE1-bgp] peer 5.5.5.5 connect-interface loopback 1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 5.5.5.5 enable
[~PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit

The configurations of PE2 and PE3 are similar to the configuration of PE1, and are not mentioned
here. For details, see "Configuration Files."
# Configure ASBR1.
[~ASBR1] bgp 100
[~ASBR1-bgp] peer 1.1.1.1 as-number 100
[~ASBR1-bgp] peer 1.1.1.1 connect-interface loopback 1
[~ASBR1-bgp] peer 3.3.3.3 as-number 100
[~ASBR1-bgp] peer 3.3.3.3 connect-interface loopback 1
[~ASBR1-bgp] ipv4-family vpnv4
[~ASBR1-bgp-af-vpnv4] peer 1.1.1.1 enable
[~ASBR1-bgp-af-vpnv4] peer 3.3.3.3 enable
[~ASBR1-bgp-af-vpnv4] commit
[~ASBR1-bgp-af-vpnv4] quit
[~ASBR1-bgp] quit

The configuration of ASBR2 is similar to the configuration of ASBR1, and is not mentioned
here. For details, see "Configuration Files."
After the configuration, run the display bgp vpnv4 all peer command on the PEs or ASBRs,
and you can view that MP-IBGP peer relationships have been established between the PEs and
ASBRs. Take the display on PE1 as an example.
<PE1> display bgp vpnv4 all peer
BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 2 Peers in established state : 3
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
5.5.5.5 4 100 12 18 0 00:09:38 Established 0

Step 4 Configure VPN instances on the PEs and connect the CEs to the PEs.
# Configure PE1.
[~PE1] ip vpn-instance vpna
[~PE1-vpn-instance-vpna] ipv4-family
[~PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[~PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] interface gigabitethernet 2/0/0
[~PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[~PE1-GigabitEthernet2/0/0] ip address 10.1.1.2 24
[~PE1-GigabitEthernet2/0/0] commit
[~PE1-GigabitEthernet2/0/0] quit

The configurations of PE2 and PE3 are similar to the configuration of PE1, and are not mentioned
here. For details, see "Configuration Files."
After the configuration, run the display ip vpn-instance verbose command on PEs to view the
configurations of VPN instances.

<PE1> display ip vpn-instance verbose


Total VPN-Instances configured : 1
VPN-Instance Name and ID : vpna, 1
Interfaces : GigabitEthernet2/0/0
Address family ipv4
Create date : 2009/09/18 11:30:35
Up time : 0 days, 00 hours, 05 minutes and 19 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label policy: label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe

Step 5 Set up EBGP peer relationships between the PEs and CEs, and import VPN routes to the loopback
interfaces of the CEs.
# Configure CE1.
[~CE1] interface loopback 1
[~CE1-Loopback1] ip address 11.11.11.11 32
[~CE1-Loopback1] quit
[~CE1] bgp 65001
[~CE1-bgp] peer 10.1.1.2 as-number 100
[~CE1-bgp] network 11.11.11.11 32
[~CE1-bgp] quit
[~CE1] commit

The configurations of CE2 and CE3 are similar to the configuration of CE1, and are not
mentioned here. For details, see "Configuration Files."
# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpna
[~PE1-bgp-vpna] peer 10.1.1.1 as-number 65001
[~PE1-bgp-vpna] commit
[~PE1-bgp-vpna] quit

The configurations of PE2 and PE3 are similar to the configuration of PE1, and are not mentioned
here. For details, see "Configuration Files."
After the configuration, run the display bgp vpnv4 vpn-instance peer command on the PEs,
and you can view that BGP peer relationships have been established between the PEs and CEs.
Take the peer relationship between PE1 and CE1 as an example.
<PE1> display bgp vpnv4 vpn-instance vpna peer
BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 65001 11 9 0 00:06:37 Established 1

Step 6 Set up an MP-EBGP peer relationship between the ASBRs, and configure the ASBRs not to
filter received VPNv4 routes based on VPN targets.
# On ASBR1, set up an MP-EBGP peer relationship between ASBR1 and ASBR2, and configure
ASBR1 not to filter received VPNv4 routes based on VPN targets.
[~ASBR1] bgp 100
[~ASBR1-bgp] peer 192.1.1.2 as-number 200
[~ASBR1-bgp] ipv4-family vpnv4
[~ASBR1-bgp-af-vpnv4] peer 192.1.1.2 enable
[~ASBR1-bgp-af-vpnv4] undo policy vpn-target
[~ASBR1-bgp-af-vpnv4] commit
[~ASBR1-bgp-af-vpnv4] quit
[~ASBR1-bgp] quit

The configuration of ASBR2 is similar to the configuration of ASBR1, and is not mentioned
here.
Step 7 Configure ASBR1 as an RR to reflect the VPNv4 routes from PE1 to PE3, and reflect the VPNv4
routes from PE3 to PE1.
# Configure ASBR1.
[~ASBR1] bgp 100
[~ASBR1-bgp] ipv4-family vpnv4
[~ASBR1-bgp-af-vpnv4] peer 1.1.1.1 reflect-client
[~ASBR1-bgp-af-vpnv4] peer 3.3.3.3 reflect-client
[~ASBR1-bgp-af-vpnv4] commit
[~ASBR1-bgp-af-vpnv4] quit
[~ASBR1-bgp] quit

Step 8 Verify the configuration.


After the configuration, run the display bgp vpnv4 all routing-table command on the ASBRs,
and you can view routes sent from PEs. Take the display on ASBR2 as an example.
<ASBR2> display bgp vpnv4 all routing-table
Local AS number : 200
BGP Local router ID is 6.6.6.6
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 3
Route Distinguisher: 100:1
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 11.11.11.11/32 5.5.5.5 0 100 0 ?
Route Distinguisher: 200:2
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 22.22.22.22/32 2.2.2.2 0 100 0 ?
Route Distinguisher: 100:3
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 33.33.33.33/32 5.5.5.5 0 100 0 ?

CE1, CE2, and CE3 can successfully ping each other.


<CE1> ping -a 11.11.11.11 33.33.33.33
PING 33.33.33.33: 56 data bytes, press CTRL_C to break
Reply from 33.33.33.33: bytes=56 Sequence=1 ttl=252 time=120 ms
Reply from 33.33.33.33: bytes=56 Sequence=2 ttl=252 time=73 ms
Reply from 33.33.33.33: bytes=56 Sequence=3 ttl=252 time=111 ms
Reply from 33.33.33.33: bytes=56 Sequence=4 ttl=252 time=86 ms
Reply from 33.33.33.33: bytes=56 Sequence=5 ttl=252 time=110 ms
--- 33.33.33.33 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 73/100/120 ms

----End
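
Step 6 and Step 7 leave ASBR1 relaying every VPNv4 route it receives, so in this example the PEs' policy vpn-target setting and their import VPN targets decide which routes enter a VPN instance. The Python script below is an added example, not part of the Huawei guide, that audits configuration text for the settings the procedure depends on. The sample configurations are constructed, the finding codes are this example's own, and treating VPN-target filtering as enabled unless undo policy vpn-target appears is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    name: str = ""
    local_as: int = 0
    rt_filter: bool = True   # assumption: on unless "undo policy vpn-target" is present
    peer_as: dict = field(default_factory=dict)    # BGP peer IP -> AS number
    vpnv4: set = field(default_factory=set)        # peers enabled under ipv4-family vpnv4
    clients: set = field(default_factory=set)      # peers marked reflect-client
    vrfs: dict = field(default_factory=dict)       # instance -> {"import": set, "export": set}
    bindings: dict = field(default_factory=dict)   # interface -> bound instance name

RT_KINDS = {"export-extcommunity": ("export",), "import-extcommunity": ("import",),
            "both": ("import", "export")}

def parse(text):
    """Parse one device config; keys on keywords, so indented or flattened text both work."""
    d, ctx, cur = Device(), "", ""
    for line in (raw.strip() for raw in text.splitlines()):
        w = line.split()
        if not w or line in ("#", "return"):
            continue
        if w[0] == "sysname":
            d.name = w[1]
        elif line.startswith("ip vpn-instance "):
            ctx, cur = "vrf", w[2]
            d.vrfs[cur] = {"import": set(), "export": set()}
        elif w[0] == "interface":
            ctx, cur = "if", w[1]
        elif w[0] == "bgp":
            ctx, d.local_as = "bgp", int(w[1])
        elif w[0] == "ipv4-family" and ctx.startswith("bgp") and len(w) > 1:
            ctx = "bgp-" + w[1]              # bgp-unicast, bgp-vpnv4 or bgp-vpn-instance
        elif ctx == "vrf" and w[0] == "vpn-target":
            for kind in RT_KINDS.get(w[-1], ()):
                d.vrfs[cur][kind].update(w[1:-1])
        elif ctx == "if" and line.startswith("ip binding vpn-instance "):
            d.bindings[cur] = w[3]
        elif ctx == "bgp" and w[0] == "peer" and w[2:3] == ["as-number"]:
            d.peer_as[w[1]] = int(w[3])
        elif ctx == "bgp-vpnv4" and line.endswith("policy vpn-target"):
            d.rt_filter = w[0] != "undo"
        elif ctx == "bgp-vpnv4" and w[0] == "peer" and w[-1] in ("enable", "reflect-client"):
            (d.vpnv4 if w[-1] == "enable" else d.clients).add(w[1])
    return d

def audit(devices):
    """Return sorted (device, code, detail) findings across all parsed devices."""
    out = []
    for d in devices:
        ebgp = sorted(p for p in d.vpnv4 if d.peer_as.get(p, d.local_as) != d.local_as)
        if not d.rt_filter and (ebgp or d.clients):
            out.append((d.name, "RT-FILTER-OFF", "inter-AS VPNv4 peers: " + ", ".join(ebgp)))
        elif not d.rt_filter:
            out.append((d.name, "RT-FILTER-OFF-UNNEEDED", "no inter-AS peer, no RR client"))
        out += [(d.name, "RR-CLIENT-NOT-ENABLED", p) for p in d.clients - d.vpnv4]
        out += [(d.name, "UNDEFINED-INSTANCE", f"{i} -> {v}")
                for i, v in d.bindings.items() if v not in d.vrfs]
        others = set().union(*(v["export"] for o in devices if o is not d
                               for v in o.vrfs.values()))
        out += [(d.name, "RT-IMPORT-UNMATCHED", f"{n} imports {rt}")
                for n, v in d.vrfs.items() for rt in v["import"] - others]
    return sorted(out)

# Constructed samples (not the guide's files), trimmed to audited lines, with seeded defects.
ASBR1 = """sysname ASBR1
bgp 100
 peer 1.1.1.1 as-number 100
 peer 3.3.3.3 as-number 100
 peer 192.1.1.2 as-number 200
 ipv4-family vpnv4
  undo policy vpn-target
  peer 1.1.1.1 enable
  peer 1.1.1.1 reflect-client
  peer 3.3.3.3 reflect-client
  peer 192.1.1.2 enable"""

def sample_pe(name, vrf, bound, rt, policy):
    return f"""sysname {name}
ip vpn-instance {vrf}
 vpn-target {rt} export-extcommunity
 vpn-target {rt} import-extcommunity
interface GigabitEthernet2/0/0
 ip binding vpn-instance {bound}
bgp 100
 peer 5.5.5.5 as-number 100
 ipv4-family vpnv4
  {policy}
  peer 5.5.5.5 enable"""

def run_samples():
    texts = [ASBR1, sample_pe("PE1", "vpna", "vpna", "111:1", "policy vpn-target"),
             sample_pe("PE3", "vpn1", "vpna", "1:1", "undo policy vpn-target")]
    return audit([parse(t) for t in texts])

if __name__ == "__main__":
    for finding in run_samples():
        print(*finding, sep=" | ")
```

An RT-FILTER-OFF finding on an ASBR is expected in Option B and marks the device whose inter-AS peers form the trust boundary; the other codes mark configuration that departs from the procedure.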

Configuration Files
• Configuration file of CE1
#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface Loopback1
undo shutdown
ip address 11.11.11.11 255.255.255.255
#
bgp 65001
peer 10.1.1.2 as-number 100
network 11.11.11.11 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
#
return

• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 5.5.5.5 as-number 100
peer 5.5.5.5 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 5.5.5.5 enable
#
ipv4-family vpnv4
policy vpn-target
peer 5.5.5.5 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65001
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 1.1.1.1 0.0.0.0
#
return
• Configuration file of PE3
#
sysname PE3
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:3
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.3
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.3.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
peer 5.5.5.5 as-number 100
peer 5.5.5.5 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 5.5.5.5 enable
#
ipv4-family vpnv4
policy vpn-target
peer 5.5.5.5 enable
#
ipv4-family vpn-instance vpna
peer 10.3.1.1 as-number 65003
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 172.3.1.0 0.0.0.255
#
return
• Configuration file of CE3
#
sysname CE3
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.3.1.1 255.255.255.0
#
interface Loopback1
undo shutdown
ip address 33.33.33.33 255.255.255.255
#
bgp 65003
peer 10.3.1.2 as-number 100
network 33.33.33.33 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.3.1.2 enable
#
return
• Configuration file of ASBR1
#
sysname ASBR1
#
mpls lsr-id 5.5.5.5
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 192.1.1.1 255.255.255.0
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 172.3.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 5.5.5.5 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
peer 6.6.6.6 as-number 200
peer 6.6.6.6 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
peer 3.3.3.3 enable
peer 6.6.6.6 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 1.1.1.1 enable
peer 1.1.1.1 reflect-client
peer 3.3.3.3 enable
peer 3.3.3.3 reflect-client
peer 6.6.6.6 enable
#
ospf 1
area 0.0.0.0
network 5.5.5.5 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.3.1.0 0.0.0.255
#
return
• Configuration file of ASBR2
#
sysname ASBR2
#
mpls lsr-id 6.6.6.6
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 192.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 6.6.6.6 255.255.255.255
#
bgp 200
peer 2.2.2.2 as-number 200
peer 2.2.2.2 connect-interface LoopBack1
peer 5.5.5.5 as-number 100
peer 5.5.5.5 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
peer 5.5.5.5 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 2.2.2.2 enable
peer 5.5.5.5 enable
#
ospf 1
area 0.0.0.0
network 6.6.6.6 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:2
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 2.2.2.2
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.2.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 200
peer 6.6.6.6 as-number 200
peer 6.6.6.6 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 6.6.6.6 enable
#
ipv4-family vpnv4
policy vpn-target
peer 6.6.6.6 enable
#
ipv4-family vpn-instance vpna
peer 10.2.1.1 as-number 65002
#
ospf 1
area 0.0.0.0
network 162.1.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
return

• Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface Loopback1
undo shutdown
ip address 22.22.22.22 255.255.255.255
#
bgp 65002
peer 10.2.1.2 as-number 200
network 22.22.22.22 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.2.1.2 enable
#
return

Related Tasks
2.11 Configuring Inter-AS VPN Option B (ASBR Also Functioning as an RR)

2.18.17 Example for Configuring Inter-AS VPN Option B with the VPN Spanning Multiple ASs
In the scenario where the backbone network spans multiple ASs, ASBRs need to advertise
VPNv4 routes through MP-EBGP.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

As shown in Figure 2-40, CE1 and CE2 belong to vpna; the VPN spans AS 100, AS 200, and
AS 300. This networking is similar to the inter-AS VPN Option B with basic networking in that
no VPN instances are required on the ASBRs. One ASBR transmits the received VPNv4 routes
to the peer ASBR. Different from the inter-AS VPN Option B with basic networking, this
networking requires that an MP-IBGP peer relationship be set up between the ASBRs in AS
200.

Figure 2-40 Networking diagram of inter-AS VPN Option B with the VPN spanning multiple ASs

[Figure: CE1 (AS 65001) connects to PE1 in AS 100 and CE2 (AS 65002) connects to PE2 in
AS 300. The backbone path runs from PE1 through ASBR1 (AS 100), ASBR2 and ASBR3 (AS 200),
and ASBR4 (AS 300) to PE2.]

Device   Interface   IP Address
CE1      Loopback1   11.11.11.11/32
CE1      GE 1/0/0    10.1.1.1/24
PE1      Loopback1   1.1.1.9/32
PE1      GE 2/0/0    10.1.1.2/24
PE1      POS 1/0/0   172.1.1.2/24
ASBR1    Loopback1   2.2.2.9/32
ASBR1    POS 1/0/0   172.1.1.1/24
ASBR1    POS 2/0/0   192.1.1.1/24
ASBR2    Loopback1   3.3.3.9/32
ASBR2    POS 1/0/0   162.1.1.1/24
ASBR2    POS 2/0/0   192.1.1.2/24
ASBR3    Loopback1   4.4.4.9/32
ASBR3    POS 1/0/0   162.1.1.2/24
ASBR3    POS 2/0/0   192.2.1.1/24
ASBR4    Loopback1   5.5.5.9/32
ASBR4    POS 1/0/0   152.1.1.1/24
ASBR4    POS 2/0/0   192.2.1.2/24
PE2      Loopback1   6.6.6.9/32
PE2      GE 2/0/0    10.2.1.2/24
PE2      POS 1/0/0   152.1.1.2/24
CE2      Loopback1   22.22.22.22/32
CE2      GE 1/0/0    10.2.1.1/24

Configuration Notes
When configuring inter-AS VPN Option B with the VPN spanning multiple ASs, note the
following:
• An MP-EBGP peer relationship needs to be set up between the ASBRs in different ASs;
  an MP-IBGP peer relationship needs to be set up between the ASBRs or between the PE
  and ASBR in the same AS.
• ASBRs do not filter the received VPNv4 routes based on VPN targets.


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IGP in each AS to interconnect devices in the same AS; set up an MPLS
LDP LSP between the ASBR and PE or between ASBRs in the same AS.
2. Set up an MP-EBGP peer relationship between the ASBRs in different ASs; set up an MP-
IBGP peer relationship between the ASBRs or between the PE and ASBR in the same AS.
3. Configure VPN instances on the PEs and connect the CEs to the PEs.
4. Enable MPLS on the interface that connects one ASBR to another ASBR and configure
the ASBRs not to filter VPNv4 routes based on VPN targets.

Data Preparation
To complete the configuration, you need the following data:
• MPLS LSR IDs of the PEs and ASBRs
• Names, RDs, and VPN targets of the VPN instances of the PEs

Procedure
Step 1 On the MPLS backbone networks in each AS, configure an IGP to interconnect the devices in
the same AS.
In this example, OSPF is used as the IGP protocol. For details, see "Configuration Files."
After the configuration, the OSPF neighbor relationship can be established between the devices
in the same AS. Run the display ospf peer command, and you can view that the neighbor
relationship is in the Full state. The devices in the same AS can learn the IP addresses of
each other's loopback interfaces and ping them successfully.
Step 2 Configure basic MPLS functions and MPLS LDP, and set up LDP LSPs on the MPLS backbone
network of each AS.
# Configure PE1.
[~PE1] mpls lsr-id 1.1.1.9
[~PE1] mpls
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] quit
[~PE1] interface pos 1/0/0
[~PE1-Pos1/0/0] mpls
[~PE1-Pos1/0/0] mpls ldp
[~PE1-Pos1/0/0] commit
[~PE1-Pos1/0/0] quit

The configuration of PE2 is similar to the configuration of PE1, and is not mentioned here. For
details, see "Configuration Files."
# Configure ASBR1.
[~ASBR1] mpls lsr-id 2.2.2.9
[~ASBR1] mpls
[~ASBR1-mpls] quit
[~ASBR1] mpls ldp
[~ASBR1-mpls-ldp] quit
[~ASBR1] interface pos 1/0/0
[~ASBR1-Pos1/0/0] mpls
[~ASBR1-Pos1/0/0] mpls ldp

[~ASBR1-Pos1/0/0] commit
[~ASBR1-Pos1/0/0] quit

The configurations of ASBR2, ASBR3, and ASBR4 are similar to the configuration of ASBR1,
and are not mentioned here. For details, see "Configuration Files."
After the configuration, the LDP sessions can be established between the PE and ASBR and
between the ASBRs. Run the display mpls ldp session command on each device, and you can
view that the Status field is displayed as Operational. Take the display on PE1 as an example.
<PE1> display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
-------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
-------------------------------------------------------------------------
2.2.2.9:0 Operational DU Passive 0000:00:01 5/5
-------------------------------------------------------------------------
TOTAL: 1 session(s) Found.

Step 3 Set up an MP-IBGP peer relationship between the PE and ASBR and between the ASBRs in the
same AS.
# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] peer 2.2.2.9 as-number 100
[~PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[~PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit

# Configure ASBR1.
[~ASBR1] bgp 100
[~ASBR1-bgp] peer 1.1.1.9 as-number 100
[~ASBR1-bgp] peer 1.1.1.9 connect-interface loopback 1
[~ASBR1-bgp] ipv4-family vpnv4
[~ASBR1-bgp-af-vpnv4] peer 1.1.1.9 enable
[~ASBR1-bgp-af-vpnv4] commit
[~ASBR1-bgp-af-vpnv4] quit
[~ASBR1-bgp] quit

The configurations of devices in AS 200 and AS 300 are similar to the configurations of devices
in AS 100, and are not mentioned here.
After the configuration, run the display bgp vpnv4 all peer command on the PE or ASBR, and
you can view that an MP-IBGP peer relationship has been established between the PE and ASBR
and between the ASBRs in the same AS. Take the display on PE1 as an example.
<PE1> display bgp vpnv4 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2.2.2.9 4 100 18970 19008 0 91:51:24 Established 0

Step 4 Configure VPN instances on the PEs and connect the CEs to the PEs.
# Configure PE1.

[~PE1] ip vpn-instance vpna
[~PE1-vpn-instance-vpna] ipv4-family
[~PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[~PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] interface gigabitethernet 2/0/0
[~PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[~PE1-GigabitEthernet2/0/0] ip address 10.1.1.2 24
[~PE1-GigabitEthernet2/0/0] commit
[~PE1-GigabitEthernet2/0/0] quit

# Configure PE2.
[~PE2] ip vpn-instance vpna
[~PE2-vpn-instance-vpna] ipv4-family
[~PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[~PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE2-vpn-instance-vpna-af-ipv4] quit
[~PE2-vpn-instance-vpna] quit
[~PE2] interface gigabitethernet 2/0/0
[~PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[~PE2-GigabitEthernet2/0/0] ip address 10.2.1.2 24
[~PE2-GigabitEthernet2/0/0] commit
[~PE2-GigabitEthernet2/0/0] quit

After the configuration, run the display ip vpn-instance verbose command on PEs to view the
configurations of VPN instances.
<PE1> display ip vpn-instance verbose
Total VPN-Instances configured : 1
VPN-Instance Name and ID : vpna, 1
Interfaces : GigabitEthernet2/0/0
Address family ipv4
Create date : 2009/09/18 11:30:35
Up time : 0 days, 00 hours, 05 minutes and 19 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label policy: label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe

Step 5 Set up EBGP peer relationships between the PEs and CEs, and import the routes to the
loopback interfaces of the CEs into BGP.
# Configure CE1.
[~CE1] interface loopback 1
[~CE1-Loopback1] ip address 11.11.11.11 32
[~CE1-Loopback1] quit
[~CE1] bgp 65001
[~CE1-bgp] peer 10.1.1.2 as-number 100
[~CE1-bgp] network 11.11.11.11 255.255.255.255
[~CE1-bgp] quit
[~CE1] commit

The configuration of CE2 is similar to the configuration of CE1, and is not mentioned here. For
details, see "Configuration Files."
# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpna
[~PE1-bgp-vpna] peer 10.1.1.1 as-number 65001
[~PE1-bgp-vpna] commit
[~PE1-bgp-vpna] quit

The configuration of PE2 is similar to the configuration of PE1, and is not mentioned here. For
details, see "Configuration Files."


After the configuration, run the display bgp vpnv4 vpn-instance peer command on the PEs,
and you can view that BGP peer relationships have been established between the PEs and CEs.

Take the peer relationship between PE1 and CE1 as an example.


<PE1> display bgp vpnv4 vpn-instance vpna peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 65001 11 9 0 00:06:37 Established 1

Step 6 Set up an MP-EBGP peer relationship between the ASBRs in different ASs, and configure the
ASBRs not to filter received VPNv4 routes based on VPN targets.

# On ASBR2, enable MPLS on POS 2/0/0 that connects ASBR2 to ASBR1.


<ASBR2> system-view
[~ASBR2] interface pos 2/0/0
[~ASBR2-Pos2/0/0] ip address 192.1.1.2 24
[~ASBR2-Pos2/0/0] mpls
[~ASBR2-Pos2/0/0] commit
[~ASBR2-Pos2/0/0] quit

# On ASBR1, set up an MP-EBGP peer relationship between ASBR1 and ASBR2, and configure
ASBR1 not to filter received VPNv4 routes based on VPN targets.
[~ASBR1] bgp 100
[~ASBR1-bgp] peer 192.1.1.2 as-number 200
[~ASBR1-bgp] ipv4-family vpnv4
[~ASBR1-bgp-af-vpnv4] peer 192.1.1.2 enable
[~ASBR1-bgp-af-vpnv4] undo policy vpn-target
[~ASBR1-bgp-af-vpnv4] commit
[~ASBR1-bgp-af-vpnv4] quit
[~ASBR1-bgp] quit

# On ASBR2, set up an MP-EBGP peer relationship between ASBR2 and ASBR1, and configure
ASBR2 not to filter received VPNv4 routes based on VPN targets.
[~ASBR2] bgp 200
[~ASBR2-bgp] peer 192.1.1.1 as-number 100
[~ASBR2-bgp] ipv4-family vpnv4
[~ASBR2-bgp-af-vpnv4] peer 192.1.1.1 enable
[~ASBR2-bgp-af-vpnv4] undo policy vpn-target
[~ASBR2-bgp-af-vpnv4] commit
[~ASBR2-bgp-af-vpnv4] quit
[~ASBR2-bgp] quit

The configuration of the peer relationship between ASBR3 and ASBR4 is similar to the
configuration of the peer relationship between ASBR1 and ASBR2, and is not mentioned here.

After the configuration, run the display bgp vpnv4 all peer command, and you can view that
the MP-EBGP peer relationships between the ASBRs have been established. Take the display
on ASBR1 as an example.
<ASBR1> display bgp vpnv4 all peer
BGP local router ID : 2.2.2.9
Local AS number : 100
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
1.1.1.9 4 100 17533 17554 0 127:24:5 Established 1
3.3.3.9 4 200 12343 34554 0 127:24:5 Established 1


Step 7 Verify the configuration.


After the configuration, the CEs can learn routes to the loopback interface of each other, and
can ping each other successfully.
Take the display on CE1 as an example.
<CE1> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 6 Routes : 6
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.1 GigabitEthernet1/0/0
10.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
11.11.11.11/32 Direct 0 0 D 127.0.0.1 LoopBack1
22.22.22.22/32 BGP 255 0 D 10.1.1.2 GigabitEthernet1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
<CE1> ping -a 11.11.11.11 22.22.22.22
PING 22.22.22.22: 56 data bytes, press CTRL_C to break
Reply from 22.22.22.22: bytes=56 Sequence=1 ttl=252 time=120 ms
Reply from 22.22.22.22: bytes=56 Sequence=2 ttl=252 time=73 ms
Reply from 22.22.22.22: bytes=56 Sequence=3 ttl=252 time=111 ms
Reply from 22.22.22.22: bytes=56 Sequence=4 ttl=252 time=86 ms
Reply from 22.22.22.22: bytes=56 Sequence=5 ttl=252 time=110 ms
--- 22.22.22.22 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 73/100/120 ms

Run the display bgp vpnv4 all routing-table command on the ASBRs, and you can view the
VPNv4 routes on the ASBRs.
Take the display on ASBR1 as an example.
<ASBR1> display bgp vpnv4 all routing-table
Local AS number : 100
BGP Local router ID is 2.2.2.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 2
Route Distinguisher: 100:1
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 11.11.11.11/32 1.1.1.9 0 100 0 ?
Route Distinguisher: 200:1
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 22.22.22.22/32 192.1.1.2 0 200?

----End

Configuration Files
• Configuration file of CE1
#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 11.11.11.11 255.255.255.255
#

bgp 65001
peer 10.1.1.2 as-number 100
network 11.11.11.11 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
return
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65001
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
• Configuration file of ASBR1
#
sysname ASBR1
#
mpls lsr-id 2.2.2.9
#
mpls
#

mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 192.1.1.1 255.255.255.0
mpls
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 192.1.1.2 as-number 200
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 192.1.1.2 enable
peer 1.1.1.9 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 1.1.1.9 enable
peer 192.1.1.2 enable
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
• Configuration file of ASBR2
#
sysname ASBR2
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 192.1.1.2 255.255.255.0
mpls
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 200
peer 192.1.1.1 as-number 100
peer 4.4.4.9 as-number 200
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast

undo synchronization
peer 192.1.1.1 enable
peer 4.4.4.9 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 4.4.4.9 enable
peer 192.1.1.1 enable
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
• Configuration file of ASBR3
#
sysname ASBR3
#
mpls lsr-id 4.4.4.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
link-protocol ppp
undo shutdown
ip address 192.2.1.1 255.255.255.0
mpls
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 200
peer 192.2.1.2 as-number 300
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 192.2.1.2 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 3.3.3.9 enable
peer 192.2.1.2 enable
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
• Configuration file of ASBR4
#
sysname ASBR4
#
mpls lsr-id 5.5.5.9
#
mpls

#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 152.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 192.2.1.2 255.255.255.0
mpls
#
interface LoopBack1
ip address 5.5.5.9 255.255.255.255
#
bgp 300
peer 192.2.1.1 as-number 200
peer 6.6.6.9 as-number 300
peer 6.6.6.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 192.2.1.1 enable
peer 6.6.6.9 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 6.6.6.9 enable
peer 192.2.1.1 enable
#
ospf 1
area 0.0.0.0
network 5.5.5.9 0.0.0.0
network 152.1.1.0 0.0.0.255
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 6.6.6.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.2.1.2 255.255.255.0
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 152.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 6.6.6.9 255.255.255.255

#
bgp 300
peer 5.5.5.9 as-number 300
peer 5.5.5.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 5.5.5.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 5.5.5.9 enable
#
ipv4-family vpn-instance vpna
peer 10.2.1.1 as-number 65002
#
ospf 1
area 0.0.0.0
network 6.6.6.9 0.0.0.0
network 152.1.1.0 0.0.0.255
#
return

• Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 22.22.22.22 255.255.255.255
#
bgp 65002
peer 10.2.1.2 as-number 300
network 22.22.22.22 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.2.1.2 enable
#
return
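
One way to audit configuration files like those above for the setting called out in Configuration Notes (ASBRs do not filter VPNv4 routes by VPN target), as an added Python example that is not part of the Huawei guide. It assumes plain-text configuration files in the format shown above; the function names and the two faulty variants are constructed for illustration.

```python
# Added example; function and variable names are illustrative.
# Words that keep the parser inside the BGP view. The page's configuration
# files have lost their indentation, so the first other word closes the view.
BGP_VIEW_WORDS = {"peer", "ipv4-family", "undo", "policy", "network",
                  "import-route", "#"}

# Trimmed from the page's configuration file of ASBR1.
ASBR1_CFG = """\
sysname ASBR1
#
bgp 100
peer 192.1.1.2 as-number 200
peer 1.1.1.9 as-number 100
#
ipv4-family unicast
peer 192.1.1.2 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 1.1.1.9 enable
peer 192.1.1.2 enable
#
return
"""

# Trimmed from the page's configuration file of PE1.
PE1_CFG = """\
sysname PE1
#
ip vpn-instance vpna
ipv4-family
#
bgp 100
peer 2.2.2.9 as-number 100
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65001
#
return
"""

# Constructed variants (not from the page) that the audit should flag.
ASBR_FILTERING = ASBR1_CFG.replace("undo policy vpn-target", "policy vpn-target")
PE_NO_FILTER = PE1_CFG.replace("policy vpn-target", "undo policy vpn-target")


def parse_device(config_text):
    """Extract sysname, VPN instances, BGP peers and the VPNv4 filter state."""
    dev = {"sysname": "?", "local_as": None, "vpn_instances": [],
           "rt_filter": True, "peer_as": {}, "vpnv4_peers": []}
    in_bgp, family = False, None
    for raw in config_text.splitlines():
        w = raw.split() or ["#"]
        if in_bgp and w[0] not in BGP_VIEW_WORDS:
            in_bgp, family = False, None
        if w[0] == "sysname" and len(w) == 2:
            dev["sysname"] = w[1]
        elif w[:2] == ["ip", "vpn-instance"] and len(w) == 3:
            dev["vpn_instances"].append(w[2])
        elif w[0] == "bgp" and len(w) == 2:
            dev["local_as"], in_bgp, family = w[1], True, None
        elif not in_bgp:
            continue
        elif w[0] == "ipv4-family" and len(w) > 1:
            family = w[1]
        elif family is None and len(w) == 4 and (w[0], w[2]) == ("peer", "as-number"):
            dev["peer_as"][w[1]] = w[3]
        elif family == "vpnv4" and w == ["undo", "policy", "vpn-target"]:
            dev["rt_filter"] = False
        elif family == "vpnv4" and w[0] == "peer" and w[-1] == "enable":
            dev["vpnv4_peers"].append(w[1])
    return dev


def audit(config_text):
    """Return (device, findings) for one configuration file."""
    dev = parse_device(config_text)
    name, local = dev["sysname"], dev["local_as"]
    ebgp = [(p, dev["peer_as"][p]) for p in dev["vpnv4_peers"]
            if dev["peer_as"].get(p, local) != local]
    findings = []
    if not dev["rt_filter"] and dev["vpn_instances"]:
        findings.append(f"{name}: VPN-target filtering is disabled on a device "
                        f"with VPN instances {dev['vpn_instances']}")
    if not dev["rt_filter"]:
        findings += [f"{name}: VPNv4 routes from EBGP peer {p} (AS {a}) are "
                     "accepted without VPN-target filtering" for p, a in ebgp]
    elif ebgp and not dev["vpn_instances"]:
        findings.append(f"{name}: policy vpn-target is active and no VPN instance "
                        "exists, so VPNv4 routes from EBGP peers are discarded")
    return dev, findings


if __name__ == "__main__":
    for cfg in (ASBR1_CFG, PE1_CFG, ASBR_FILTERING, PE_NO_FILTER):
        print(audit(cfg)[1])
```

The ASBR1 finding is expected in this networking; it lists the external peers whose VPNv4 routes the ASBR accepts regardless of VPN target, so they can be reviewed.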

Related Tasks
2.12 Configuring Inter-AS VPN Option B (Spanning More Than Two ASs)

2.18.18 Example for Configuring a Multi-VPN-Instance CE


By using OSPF multi-instance on CEs, you can isolate different services on a LAN.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.


The multi-VPN-instance CE (MCE) isolates different VPN services on a LAN through CEs and
ensures the security of the VPN services.

As shown in Figure 2-41:

• CE1 and CE2 belong to the same LAN; the MCE, CE3, and CE4 belong to the same VPN.
• The MCE is a CE that can be connected to multiple VPNs whose services are isolated
  completely.
• CE1 and CE3 belong to vpna; CE2 and CE4 belong to vpnb.
• Different VPN targets are used in vpna and vpnb.

It is required that devices in the same VPN be able to communicate whereas devices in different
VPNs be unable to communicate.

Figure 2-41 Networking of a multi-VPN-instance CE
[Figure: CE1 (vpna, Loopback1 11.11.11.11/32) and CE2 (vpnb, Loopback1 22.22.22.22/32) connect to PE1 (Loopback1 1.1.1.9/32); PE1 connects to PE2 (Loopback1 2.2.2.9/32) over 172.1.1.0/24; PE2 connects to the MCE over one link per VPN (192.1.1.0/24 for vpna, 192.2.1.0/24 for vpnb); CE3 (vpna, Loopback1 33.33.33.33/32) and CE4 (vpnb, Loopback1 44.44.44.44/32) connect to the MCE.]

Configuration Notes
When configuring a multi-VPN-instance CE, note the following:

• The MCE needs to be configured with different VPN instances and different interfaces are
  bound to the VPN instances.
• The OSPF multi-instance processes need to be configured on the PEs and MCE to exchange
  routes; the MCE needs to be configured not to check routing loops.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure OSPF on the PEs to implement interworking between the PEs, and configure
MP-IBGP to exchange VPN routing information.


2. Set up an EBGP peer relationship between each PE and its connected CE, and import the
VPN routes to the VPN routing table of each PE.
3. Configure OSPF multi-instance on the MCE and PE2 to exchange VPN routing
information, and run RIP-2 between the MCE and CE3 and between the MCE and CE4 to
exchange VPN routing information.
NOTE
When configuring OSPF multi-instance between the MCE and PE2, you need to do as follows:
• In the OSPF view of PE2, import the BGP route and advertise the private route of PE1 to the MCE.
• In the BGP view of PE2, import the OSPF route and advertise the private route of the MCE to PE1.

Data Preparation
To complete the configuration, you need the following data:
• Names, RDs, and VPN targets of the VPN instances on PE1, PE2, and the MCE (different
  VPN instances have different VPN targets)
• OSPF process IDs used for OSPF multi-instances (different services have different OSPF
  process IDs)
• IDs of RIP processes used to import VPN routes of CE3 and CE4 to the MCE (RIP process
  IDs must be different for the VPN routes of CE3 and CE4)

Procedure
Step 1 Configure OSPF on the PEs on the backbone network to interconnect the PEs.
The configuration is not mentioned here. For details, see "Configuration Files."
After the configuration, PEs can learn the routes to loopback1 of each other.
Take the display on PE2 as an example.
<PE2> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 7 Routes : 7
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.9/32 OSPF 10 2 D 172.1.1.1 Pos1/0/0
2.2.2.9/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.1.1.0/24 Direct 0 0 D 172.1.1.2 Pos1/0/0
172.1.1.1/32 Direct 0 0 D 172.1.1.1 Pos1/0/0
172.1.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Step 2 Configure basic MPLS functions and MPLS LDP on the PEs, and set up LDP LSPs between the
PEs on the MPLS backbone network.
The configuration is not mentioned here. For details, see "Configuration Files."
After the configuration, run the display mpls ldp session command on the PEs, and you can
view that the MPLS LDP session between the PEs is Operational.
Take the display on PE2 as an example.
<PE2> display mpls ldp session
LDP Session(s) in Public Network
--------------------------------------------------------------------------
Peer-ID Status LAM SsnRole SsnAge KA-Sent/Rcv

--------------------------------------------------------------------------
1.1.1.9:0 Operational DU Active 000:00:04 17/17
--------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
LAM : Label Advertisement Mode SsnAge Unit : DDD:HH:MM

Step 3 Configure VPN instances on the PEs; connect CE1 and CE2 to PE1 and connect the MCE to
PE2.
# Configure PE1.
<PE1> system-view
[~PE1] ip vpn-instance vpna
[~PE1-vpn-instance-vpna] ipv4-family
[~PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[~PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] ip vpn-instance vpnb
[~PE1-vpn-instance-vpnb] ipv4-family
[~PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[~PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[~PE1-vpn-instance-vpnb-af-ipv4] quit
[~PE1-vpn-instance-vpnb] quit
[~PE1] interface pos1/0/0
[~PE1-Pos1/0/0] ip binding vpn-instance vpna
[~PE1-Pos1/0/0] ip address 10.1.1.2 24
[~PE1-Pos1/0/0] commit
[~PE1-Pos1/0/0] quit
[~PE1] interface pos2/0/0
[~PE1-Pos2/0/0] ip binding vpn-instance vpnb
[~PE1-Pos2/0/0] ip address 10.2.1.2 24
[~PE1-Pos2/0/0] commit
[~PE1-Pos2/0/0] quit

# Configure PE2.
<PE2> system-view
[~PE2] ip vpn-instance vpna
[~PE2-vpn-instance-vpna] ipv4-family
[~PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[~PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE2-vpn-instance-vpna-af-ipv4] quit
[~PE2-vpn-instance-vpna] quit
[~PE2] ip vpn-instance vpnb
[~PE2-vpn-instance-vpnb] ipv4-family
[~PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2
[~PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[~PE2-vpn-instance-vpnb-af-ipv4] quit
[~PE2-vpn-instance-vpnb] quit
[~PE2] interface pos2/0/0
[~PE2-Pos2/0/0] ip binding vpn-instance vpna
[~PE2-Pos2/0/0] ip address 192.1.1.1 24
[~PE2-Pos2/0/0] commit
[~PE2-Pos2/0/0] quit
[~PE2] interface pos3/0/0
[~PE2-Pos3/0/0] ip binding vpn-instance vpnb
[~PE2-Pos3/0/0] ip address 192.2.1.1 24
[~PE2-Pos3/0/0] commit
[~PE2-Pos3/0/0] quit

Step 4 Configure VPN instances on the MCE, and connect CE3, CE4, and PE2 to the MCE.
<HUAWEI> system-view
[~HUAWEI] sysname MCE
[~MCE] ip vpn-instance vpna
[~MCE-vpn-instance-vpna] ipv4-family
[~MCE-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[~MCE-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~MCE-vpn-instance-vpna-af-ipv4] commit
[~MCE-vpn-instance-vpna-af-ipv4] quit
[~MCE-vpn-instance-vpna] quit

[~MCE] ip vpn-instance vpnb
[~MCE-vpn-instance-vpnb] ipv4-family
[~MCE-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[~MCE-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[~MCE-vpn-instance-vpnb-af-ipv4] commit
[~MCE-vpn-instance-vpnb-af-ipv4] quit
[~MCE-vpn-instance-vpnb] quit
[~MCE] interface pos3/0/0
[~MCE-Pos3/0/0] ip binding vpn-instance vpna
[~MCE-Pos3/0/0] ip address 10.3.1.2 24
[~MCE-Pos3/0/0] commit
[~MCE-Pos3/0/0] quit
[~MCE] interface pos4/0/0
[~MCE-Pos4/0/0] ip binding vpn-instance vpnb
[~MCE-Pos4/0/0] ip address 10.4.1.2 24
[~MCE-Pos4/0/0] commit
[~MCE-Pos4/0/0] quit
[~MCE] interface pos1/0/0
[~MCE-Pos1/0/0] ip binding vpn-instance vpna
[~MCE-Pos1/0/0] ip address 192.1.1.2 24
[~MCE-Pos1/0/0] commit
[~MCE-Pos1/0/0] quit
[~MCE] interface pos2/0/0
[~MCE-Pos2/0/0] ip binding vpn-instance vpnb
[~MCE-Pos2/0/0] ip address 192.2.1.2 24
[~MCE-Pos2/0/0] commit
[~MCE-Pos2/0/0] quit
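
The requirement that vpna and vpnb stay isolated depends on two things configured in Step 3 and Step 4: the VPN targets on the PEs and the interface bindings at both ends of each PE2-MCE link. The following added Python example, which is not part of the Huawei guide, checks both from a captured command session; the function names and the faulty variant are constructed, and device names are assumed to contain no hyphen.

```python
# Added example; function and variable names are illustrative.
import ipaddress
import re
from collections import defaultdict

PROMPT = re.compile(r"^\[~?(\w+)[^\]]*\]\s*(.+)$")  # device name, command
RT_SIDES = {"both": ("imp", "exp"), "export-extcommunity": ("exp",),
            "import-extcommunity": ("imp",)}

# Commands copied from Step 3 and Step 4 above (quit/commit lines omitted).
SESSION = """\
[~PE1] ip vpn-instance vpna
[~PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE1] ip vpn-instance vpnb
[~PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[~PE2] ip vpn-instance vpna
[~PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[~PE2] ip vpn-instance vpnb
[~PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[~PE2] interface pos2/0/0
[~PE2-Pos2/0/0] ip binding vpn-instance vpna
[~PE2-Pos2/0/0] ip address 192.1.1.1 24
[~PE2] interface pos3/0/0
[~PE2-Pos3/0/0] ip binding vpn-instance vpnb
[~PE2-Pos3/0/0] ip address 192.2.1.1 24
[~MCE] interface pos1/0/0
[~MCE-Pos1/0/0] ip binding vpn-instance vpna
[~MCE-Pos1/0/0] ip address 192.1.1.2 24
[~MCE] interface pos2/0/0
[~MCE-Pos2/0/0] ip binding vpn-instance vpnb
[~MCE-Pos2/0/0] ip address 192.2.1.2 24
"""

# Constructed faults, not from the page: the MCE end of the 192.2.1.0/24 link
# is bound to vpna instead of vpnb, and PE2 vpnb also imports vpna's target.
FAULTY = SESSION.replace(
    "[~MCE-Pos2/0/0] ip binding vpn-instance vpnb",
    "[~MCE-Pos2/0/0] ip binding vpn-instance vpna",
) + ("[~PE2] ip vpn-instance vpnb\n"
     "[~PE2-vpn-instance-vpnb-af-ipv4] vpn-target 111:1 import-extcommunity\n")


def parse_session(text):
    """Return VPN targets per (device, instance) and the bound, addressed links."""
    rts = defaultdict(lambda: {"imp": set(), "exp": set()})
    links, inst, iface, bound = [], {}, {}, {}
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        dev, w = m.group(1), m.group(2).split()
        if w[:2] == ["ip", "vpn-instance"] and len(w) == 3:
            inst[dev] = w[2]
        elif w[0] == "vpn-target" and w[-1] in RT_SIDES and dev in inst:
            for side in RT_SIDES[w[-1]]:
                rts[(dev, inst[dev])][side].update(w[1:-1])
        elif w[0] == "interface" and len(w) > 1:
            iface[dev], bound[dev] = "".join(w[1:]).lower(), None
        elif w[:3] == ["ip", "binding", "vpn-instance"] and len(w) == 4:
            bound[dev] = w[3]
        elif w[:2] == ["ip", "address"] and len(w) == 4 and dev in iface:
            net = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
            links.append((dev, iface[dev], bound[dev], net))
    return dict(rts), links


def rt_leaks(rts):
    """Pairs of differently named instances where one imports the other's export."""
    return sorted((src, dst) for src, s in rts.items() for dst, d in rts.items()
                  if src[1] != dst[1] and s["exp"] & d["imp"])


def link_mismatches(links):
    """Subnets whose attached interfaces are bound to different VPN instances."""
    by_net = defaultdict(list)
    for dev, ifname, vpn, net in links:
        by_net[net].append((dev, ifname, vpn))
    return {str(net): ends for net, ends in by_net.items()
            if len({vpn for _, _, vpn in ends}) > 1}


if __name__ == "__main__":
    for label, text in (("page", SESSION), ("faulty", FAULTY)):
        rts, links = parse_session(text)
        print(label, rt_leaks(rts), link_mismatches(links))
```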

Step 5 Create an MP-IBGP peer relationship between the PEs, and create an EBGP peer relationship
between PE1 and CE1, and between PE1 and CE2.
The configuration is not mentioned here. For details, see "Configuration Files."
After the configuration, run the display bgp vpnv4 all peer command on PE1, and you can view
that an IBGP peer relationship has been established between PE1 and PE2, and an EBGP peer
relationship has been established between PE1 and CE1 and between PE1 and CE2.
<PE1> display bgp vpnv4 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 3 Peers in established state : 3
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2.2.2.9 4 100 13 10 0 00:03:45 Established 6
Peer of vpn instance :
VPN-Instance vpna, router ID 1.1.1.9:
10.1.1.1 4 65410 9 11 0 00:04:14 Established 2
VPN-Instance vpnb, router ID 1.1.1.9:
10.2.1.1 4 65420 9 12 0 00:04:09 Established 2

Step 6 Configure OSPF multi-instances on PE2 and the MCE.


# Configure PE2.
<PE2> system-view
[~PE2] ospf 100 vpn-instance vpna
[~PE2-ospf-100] area 0
[~PE2-ospf-100-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[~PE2-ospf-100-area-0.0.0.0] commit
[~PE2-ospf-100-area-0.0.0.0] quit
[~PE2-ospf-100] import-route bgp
[~PE2-ospf-100] commit
[~PE2-ospf-100] quit
[~PE2] ospf 200 vpn-instance vpnb
[~PE2-ospf-200] area 0
[~PE2-ospf-200-area-0.0.0.0] network 192.2.1.0 0.0.0.255
[~PE2-ospf-200-area-0.0.0.0] commit
[~PE2-ospf-200-area-0.0.0.0] quit
[~PE2-ospf-200] import-route bgp
[~PE2-ospf-200] commit

[~PE2-ospf-200] quit
[~PE2] bgp 100
[~PE2-bgp] ipv4-family vpn-instance vpna
[~PE2-bgp-vpna] import-route ospf 100
[~PE2-bgp-vpna] commit
[~PE2-bgp-vpna] quit
[~PE2-bgp] ipv4-family vpn-instance vpnb
[~PE2-bgp-vpnb] import-route ospf 200
[~PE2-bgp-vpnb] commit
[~PE2-bgp-vpnb] quit

# Configure the MCE.


<MCE> system-view
[~MCE] ospf 100 vpn-instance vpna
[~MCE-ospf-100] area 0
[~MCE-ospf-100-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[~MCE-ospf-100-area-0.0.0.0] commit
[~MCE-ospf-100-area-0.0.0.0] quit
[~MCE-ospf-100] quit
[~MCE] ospf 200 vpn-instance vpnb
[~MCE-ospf-200] area 0
[~MCE-ospf-200-area-0.0.0.0] network 192.2.1.0 0.0.0.255
[~MCE-ospf-200-area-0.0.0.0] commit
[~MCE-ospf-200-area-0.0.0.0] quit
[~MCE-ospf-200] quit

Step 7 Configure RIP-2 on the MCE, CE3, and CE4.

# Configure the MCE.


[~MCE] rip 100 vpn-instance vpna
[~MCE-rip-100] version 2
[~MCE-rip-100] network 10.0.0.0
[~MCE-rip-100] import-route ospf 100
[~MCE-rip-100] commit
[~MCE-rip-100] quit
[~MCE] rip 200 vpn-instance vpnb
[~MCE-rip-200] version 2
[~MCE-rip-200] network 10.0.0.0
[~MCE-rip-200] import-route ospf 200
[~MCE-rip-200] commit

# Configure CE3.
<HUAWEI> system-view
[~HUAWEI] sysname CE3
[~CE3] rip 100
[~CE3-rip-100] version 2
[~CE3-rip-100] network 10.0.0.0
[~CE3-rip-100] network 33.33.33.33
[~CE3-rip-100] commit

# Configure CE4.
<HUAWEI> system-view
[~HUAWEI] sysname CE4
[~CE4] rip 200
[~CE4-rip-200] version 2
[~CE4-rip-200] network 10.0.0.0
[~CE4-rip-200] network 44.44.44.44
[~CE4-rip-200] commit

Step 8 Configure the MCE not to check routing loops, and import RIP routes into the OSPF processes.
<MCE> system-view
[~MCE] ospf 100 vpn-instance vpna
[~MCE-ospf-100] vpn-instance-capability simple
[~MCE-ospf-100] import-route rip 100
[~MCE-ospf-100] commit

[~MCE-ospf-100] quit
[~MCE] ospf 200 vpn-instance vpnb
[~MCE-ospf-200] vpn-instance-capability simple
[~MCE-ospf-200] import-route rip 200
[~MCE-ospf-200] commit

Step 9 Verify the configuration.


After the configuration, run the display ip routing-table vpn-instance command on the MCE,
and you can view that MCE has a route to each peer CE.
Take vpna as an example.
<MCE> display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 7 Routes : 7
Destination/Mask Proto Pre Cost Flags NextHop Interface
11.11.11.11/32 O_ASE 150 1 D 192.1.1.1 Pos1/0/0
10.3.1.0/24 Direct 0 0 D 10.3.1.2 Pos3/0/0
10.3.1.1/32 Direct 0 0 D 10.3.1.1 Pos3/0/0
10.3.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.1.1.0/24 Direct 0 0 D 192.1.1.2 Pos1/0/0
192.1.1.1/32 Direct 0 0 D 192.1.1.1 Pos1/0/0
192.1.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Run the display ip routing-table vpn-instance command on the PEs, and you can view that
the PEs have routes to their peer CEs.
Take vpna on PE1 as an example.
<PE1> display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.2 Pos1/0/0
10.1.1.1/32 Direct 0 0 D 10.1.1.1 Pos1/0/0
10.1.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
33.33.33.33/32 BGP 255 2 RD 2.2.2.9 Pos3/0/0

CE1 and CE3 can successfully ping each other; CE2 and CE4 can successfully ping each other.
Take CE1 as an example.
[~CE1] ping -a 11.11.11.11 33.33.33.33
PING 33.33.33.33: 56 data bytes, press CTRL_C to break
Reply from 33.33.33.33: bytes=56 Sequence=1 ttl=252 time=125 ms
Reply from 33.33.33.33: bytes=56 Sequence=2 ttl=252 time=125 ms
Reply from 33.33.33.33: bytes=56 Sequence=3 ttl=252 time=125 ms
Reply from 33.33.33.33: bytes=56 Sequence=4 ttl=252 time=125 ms
Reply from 33.33.33.33: bytes=56 Sequence=5 ttl=252 time=125 ms
--- 33.33.33.33 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 125/125/125 ms

CE1 cannot successfully ping CE2 or CE4; CE3 cannot successfully ping CE2 or CE4.
For example, if you ping CE4 from CE1, the display is as follows:
[~CE1] ping -a 11.11.11.11 44.44.44.44
PING 44.44.44.44: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out

Request time out
Request time out
--- 44.44.44.44 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

----End

Configuration Files
• Configuration file of CE1
#
sysname CE1
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 11.11.11.11 255.255.255.255
#
bgp 65410
peer 10.1.1.2 as-number 100
network 11.11.11.11 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
#
return

• Configuration file of CE2
#
sysname CE2
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.2.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 22.22.22.22 255.255.255.255
#
bgp 65420
peer 10.2.1.2 as-number 100
network 22.22.22.22 255.255.255.255
#
ipv4-family unicast
undo synchronization
peer 10.2.1.2 enable
#
return

• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb

ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
#
ipv4-family vpn-instance vpnb
peer 10.2.1.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family

route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpna
ip address 192.1.1.1 255.255.255.0
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpnb
ip address 192.2.1.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
import-route ospf 100
#
ipv4-family vpn-instance vpnb
import-route ospf 200
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
ospf 100 vpn-instance vpna
import-route bgp
area 0.0.0.0
network 192.1.1.0 0.0.0.255
#
ospf 200 vpn-instance vpnb
import-route bgp
area 0.0.0.0
network 192.2.1.0 0.0.0.255
#
return
• Configuration file of the MCE
#
sysname MCE

#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpna
ip address 192.1.1.2 255.255.255.0
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpnb
ip address 192.2.1.2 255.255.255.0
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface Pos4/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
#
ospf 100 vpn-instance vpna
import-route rip 100
vpn-instance-capability simple
area 0.0.0.0
network 192.1.1.0 0.0.0.255
#
ospf 200 vpn-instance vpnb
import-route rip 200
vpn-instance-capability simple
area 0.0.0.0
network 192.2.1.0 0.0.0.255
#
rip 100 vpn-instance vpna
version 2
network 10.0.0.0
import-route ospf 100
#
rip 200 vpn-instance vpnb
version 2
network 10.0.0.0
import-route ospf 200
#
return
• Configuration file of CE3
#
sysname CE3
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.3.1.1 255.255.255.0
#

interface Loopback 1
undo shutdown
ip address 33.33.33.33 255.255.255.255
#
rip 100
version 2
network 10.0.0.0
network 33.33.33.33
#
return

• Configuration file of CE4
#
sysname CE4
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.4.1.1 255.255.255.0
#
interface Loopback 1
undo shutdown
ip address 44.44.44.44 255.255.255.255
#
rip 200
version 2
network 10.0.0.0
network 44.44.44.44
#
return
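
The isolation verified in Step 9 (CE1 reaches CE3 but not CE2 or CE4) depends on vpna and vpnb importing and exporting disjoint vpn-target values on every device. The following Python audit is an added example, not part of the Huawei guide; its function names are its own, it assumes that instances with the same name on different devices belong to the same VPN, and PE2_BAD is a constructed misconfiguration.

```python
"""Audit route-target (vpn-target) isolation across VRP configuration files."""

EXPORT, IMPORT = "export-extcommunity", "import-extcommunity"

# VPN-instance stanzas of PE1, as listed in its configuration file above.
PE1 = """\
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
return
"""
# In these stanzas PE2 differs from PE1 only in sysname and RDs (200:1, 200:2).
PE2 = (PE1.replace("sysname PE1", "sysname PE2")
          .replace("100:1", "200:1").replace("100:2", "200:2"))
# Constructed misconfiguration (not on the page): vpnb on PE2 also imports 111:1.
PE2_BAD = PE2.replace("vpn-target 222:2 import-extcommunity",
                      "vpn-target 222:2 111:1 import-extcommunity")


def stanzas(config):
    """Yield each stanza as a list of stripped lines; '#' separates stanzas."""
    block = []
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("#", "return"):
            if block:
                yield block
            block = []
        elif line:
            block.append(line)
    if block:
        yield block


def vpn_instances(config):
    """Return (sysname, {instance: {"rd", "import", "export"}}) for one device."""
    sysname, found = "unknown", {}
    for block in stanzas(config):
        words = block[0].split()
        if words[0] == "sysname" and len(words) == 2:
            sysname = words[1]
        if words[:2] != ["ip", "vpn-instance"] or len(words) != 3:
            continue
        inst = found.setdefault(words[2], {"rd": None, "import": set(), "export": set()})
        for line in block[1:]:
            tok = line.split()
            if tok[0] == "route-distinguisher" and len(tok) == 2:
                inst["rd"] = tok[1]
            elif tok[0] == "vpn-target" and len(tok) >= 2:
                # No keyword, or "both", applies the targets in both directions.
                direction = tok[-1] if tok[-1] in (EXPORT, IMPORT, "both") else None
                targets = set(tok[1:-1] if direction else tok[1:])
                if direction in (EXPORT, "both", None):
                    inst["export"] |= targets
                if direction in (IMPORT, "both", None):
                    inst["import"] |= targets
    return sysname, found


def cross_vpn_imports(configs):
    """Return sorted (exporter, importer, targets) tuples for every instance that
    imports a target exported by a differently named instance on any device."""
    table = []
    for cfg in configs:
        device, instances = vpn_instances(cfg)
        table.extend((device, name, inst) for name, inst in instances.items())
    findings = []
    for e_dev, e_name, exp in table:
        for i_dev, i_name, imp in table:
            shared = exp["export"] & imp["import"]
            if e_name != i_name and shared:
                findings.append((f"{e_dev}/{e_name}", f"{i_dev}/{i_name}", sorted(shared)))
    return sorted(findings)


if __name__ == "__main__":
    for label, cfgs in (("as documented", [PE1, PE2]),
                        ("constructed misconfiguration", [PE1, PE2_BAD])):
        print(label, "->", cross_vpn_imports(cfgs) or "no cross-VPN imports")
```

An empty result for the documented files matches the failed ping from CE1 to CE4; the constructed variant reports vpna routes from both PEs being imported into vpnb on PE2.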

Related Tasks
2.13 Configuring the Multi-VPN-Instance CE

2.18.19 Example for Configuring VPN FRR with FRR Switchover Being Implemented on a PE
In the networking of CE dual-homing, you can configure VPN FRR to ensure fast switchover
of the VPN service if a PE fails.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

The networking is shown in Figure 2-42. It is required that a backup next hop be configured on
PE1 with PE3 serving as a backup to PE2. In this manner, when PE2 fails, the traffic can be
quickly switched to PE3.

Figure 2-42 Networking diagram of VPN FRR with FRR switchover being implemented on a PE
[Diagram: PE1 connects to PE2 and PE3 on the VPN backbone (AS 100); the CE (AS 65410, Loopback1 11.11.11.11/32) at the vpn1 site is dual-homed to PE2 and PE3.]

Configuration Notes
When configuring VPN FRR with FRR switchover being implemented on a PE, note the
following:
• The CE is dual-homed to two PEs configured with VPN instances of different RDs.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF on the MPLS backbone network on which PE1, PE2, and PE3 reside to
implement interworking of PEs on the backbone network.
2. Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the
MPLS backbone network.
3. Configure VPN instances on PE1, PE2, and PE3 and connect the CE to both PE2 and PE3.
4. Establish MP-EBGP peer relationships between each PE and the CE and import VPN
routes; set up MP-IBGP peer relationships between the PEs.
5. Configure BGP Auto FRR on PE1.

Data Preparation
To complete the configuration, you need the following data:
• AS 100 where the PEs reside and AS 65410 where the CE resides
• Names of the VPN instances configured on PEs

Procedure
Step 1 Assign an IP address to each interface of devices on the VPN backbone network and VPN sites.
The configuration is not mentioned here.

Step 2 Configure OSPF on the MPLS backbone network to implement interworking of PEs on the
backbone network. The configuration is not mentioned here.

Step 3 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS
backbone network.

# Configure PE1.
<PE1> system-view
[~PE1] mpls lsr-id 1.1.1.1
[~PE1] mpls
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] quit
[~PE1] interface pos2/0/0
[~PE1-Pos2/0/0] mpls
[~PE1-Pos2/0/0] mpls ldp
[~PE1-Pos2/0/0] commit
[~PE1-Pos2/0/0] quit
[~PE1] interface pos3/0/0
[~PE1-Pos3/0/0] mpls
[~PE1-Pos3/0/0] mpls ldp
[~PE1-Pos3/0/0] commit
[~PE1-Pos3/0/0] quit

# Configure PE2.
<PE2> system-view
[~PE2] mpls lsr-id 2.2.2.2
[~PE2] mpls
[~PE2-mpls] quit
[~PE2] mpls ldp
[~PE2-mpls-ldp] quit
[~PE2] interface pos1/0/0
[~PE2-Pos1/0/0] mpls
[~PE2-Pos1/0/0] mpls ldp
[~PE2-Pos1/0/0] commit
[~PE2-Pos1/0/0] quit

# Configure PE3.
<PE3> system-view
[~PE3] mpls lsr-id 3.3.3.3
[~PE3] mpls
[~PE3-mpls] quit
[~PE3] mpls ldp
[~PE3-mpls-ldp] quit
[~PE3] interface pos1/0/0
[~PE3-Pos1/0/0] mpls
[~PE3-Pos1/0/0] mpls ldp
[~PE3-Pos1/0/0] commit
[~PE3-Pos1/0/0] quit

Run the display mpls lsp command on the PEs, and you can view that an LSP is established
between PE1 and PE2 and between PE1 and PE3. Take the display on PE1 as an example.
<PE1> display mpls lsp
----------------------------------------------------------------------
LSP Information: LDP LSP
----------------------------------------------------------------------
FEC In/Out Label In/Out IF Vrf Name
3.3.3.3/32 NULL/3 -/Pos3/0/0
1.1.1.1/32 3/NULL -/-
100.1.1.0/30 3/NULL -/-
3.3.3.3/32 1024/3 -/Pos3/0/0
100.2.1.0/30 3/NULL -/-
2.2.2.2/32 NULL/3 -/Pos2/0/0
2.2.2.2/32 1025/3 -/Pos2/0/0

Step 4 Configure VPN instances on the PEs and connect the CE to both PE2 and PE3.
# Configure PE1.
[~PE1] ip vpn-instance vpn1
[~PE1-vpn-instance-vpn1] ipv4-family
[~PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[~PE1-vpn-instance-vpn1-af-ipv4] vpn-target 111:1
[~PE1-vpn-instance-vpn1-af-ipv4] quit
[~PE1-vpn-instance-vpn1] quit
[~PE1] commit

# Configure PE2.
[~PE2] ip vpn-instance vpn1
[~PE2-vpn-instance-vpn1] ipv4-family
[~PE2-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:2
[~PE2-vpn-instance-vpn1-af-ipv4] vpn-target 111:1
[~PE2-vpn-instance-vpn1-af-ipv4] quit
[~PE2-vpn-instance-vpn1] quit
[~PE2] interface gigabitethernet2/0/0
[~PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[~PE2-GigabitEthernet2/0/0] ip address 10.1.1.2 30
[~PE2-GigabitEthernet2/0/0] commit
[~PE2-GigabitEthernet2/0/0] quit

# Configure PE3.
[~PE3] ip vpn-instance vpn1
[~PE3-vpn-instance-vpn1] ipv4-family
[~PE3-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:3
[~PE3-vpn-instance-vpn1-af-ipv4] vpn-target 111:1
[~PE3-vpn-instance-vpn1-af-ipv4] quit
[~PE3-vpn-instance-vpn1] quit
[~PE3] interface gigabitethernet2/0/0
[~PE3-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[~PE3-GigabitEthernet2/0/0] ip address 10.2.1.2 30
[~PE3-GigabitEthernet2/0/0] commit
[~PE3-GigabitEthernet2/0/0] quit

Step 5 Set up MP-EBGP peer relationships between PE2 and the CE and between PE3 and the CE, and
import VPN routes destined to the loopback interface of the CE.
# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] ipv4-family vpn-instance vpn1
[~PE2-bgp-vpn1] peer 10.1.1.1 as-number 65410
[~PE2-bgp-vpn1] commit
[~PE2-bgp-vpn1] quit

# Configure PE3.
[~PE3] bgp 100
[~PE3-bgp] ipv4-family vpn-instance vpn1
[~PE3-bgp-vpn1] peer 10.2.1.1 as-number 65410
[~PE3-bgp-vpn1] commit
[~PE3-bgp-vpn1] quit

# Configure the CE.


[~CE] interface loopback 1
[~CE-Loopback1] ip address 11.11.11.11 32
[~CE-Loopback1] quit
[~CE] bgp 65410
[~CE-bgp] peer 10.1.1.2 as-number 100
[~CE-bgp] peer 10.2.1.2 as-number 100
[~CE-bgp] network 11.11.11.11 32
[~CE-bgp] quit

[~CE] commit

# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpn1
[~PE1-bgp-vpn1] commit
[~PE1-bgp-vpn1] quit

After the configuration, run the display bgp vpnv4 vpn-instance peer command on PE2 and
PE3, and you can view that an EBGP peer relationship has been established between PE2 and
the CE and between PE3 and the CE.
Take the display on PE2 as an example.
<PE2> display bgp vpnv4 vpn-instance vpn1 peer
BGP local router ID : 2.2.2.2
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 65410 46 46 0 00:37:41 Established 5

Step 6 Set up MP-IBGP peer relationships between the PEs.


# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] peer 2.2.2.2 as-number 100
[~PE1-bgp] peer 2.2.2.2 connect-interface loopback 1
[~PE1-bgp] peer 3.3.3.3 as-number 100
[~PE1-bgp] peer 3.3.3.3 connect-interface loopback 1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 2.2.2.2 enable
[~PE1-bgp-af-vpnv4] peer 3.3.3.3 enable
[~PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit

# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] peer 1.1.1.1 as-number 100
[~PE2-bgp] peer 1.1.1.1 connect-interface loopback 1
[~PE2-bgp] ipv4-family vpnv4
[~PE2-bgp-af-vpnv4] peer 1.1.1.1 enable
[~PE2-bgp-af-vpnv4] commit
[~PE2-bgp-af-vpnv4] quit

# Configure PE3.
[~PE3] bgp 100
[~PE3-bgp] peer 1.1.1.1 as-number 100
[~PE3-bgp] peer 1.1.1.1 connect-interface loopback 1
[~PE3-bgp] ipv4-family vpnv4
[~PE3-bgp-af-vpnv4] peer 1.1.1.1 enable
[~PE3-bgp-af-vpnv4] commit
[~PE3-bgp-af-vpnv4] quit

After the configuration, run the display bgp vpnv4 all peer command on the PEs, and you can
view that the MP-IBGP peer relationships have been established.
Take the display on PE1 as an example.
<PE1> display bgp vpnv4 all peer
BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2.2.2.2 4 100 20 17 0 00:13:26 Established 5
3.3.3.3 4 100 24 19 0 00:17:18 Established 5

Step 7 Enable BGP Auto FRR.


[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpn1
[~PE1-bgp-vpn1] auto-frr
[~PE1-bgp-vpn1] quit
[~PE1-bgp] quit
[~PE1] commit

# Display the backup next hop, backup tag, and backup tunnel ID.
<PE1> display ip routing-table vpn-instance vpn1 11.11.11.11 verbose
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpn1
Summary Count : 1
Destination: 11.11.11.11/32
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 2.2.2.2 Neighbour: 2.2.2.2
State: Active Adv Relied Age: 00h15m06s
Tag: 0 Priority: low
Label: 15361 QoSInfo: 0x0
IndirectID: 0x13
RelayNextHop: 0.0.0.0 Interface: Pos2/0/0
TunnelID: 0x6002002 Flags: RD
BkNextHop: 3.3.3.3 BkInterface:Unknown
BkLabel: 15362 SecTunnelID: 0x0
BkPETunnelID: 0x6002000 BkPESecTunnelID: 0x0
BkIndirectID: 0x15

----End

Configuration Files
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
#
mpls
#
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 100.1.1.1 255.255.255.252
mpls
mpls ldp
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 100.2.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255

#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
peer 3.3.3.3 enable
#
ipv4-family vpn-instance vpn1
auto-frr
#
ospf 1
area 0.0.0.0
network 100.1.1.0 0.0.0.3
network 100.2.1.0 0.0.0.3
network 1.1.1.1 0.0.0.0
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:2
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
bfd
#
mpls lsr-id 2.2.2.2
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.1.1.2 255.255.255.252
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.252
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4

policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 65410
#
ospf 1
area 0.0.0.0
network 100.1.1.0 0.0.0.3
network 2.2.2.2 0.0.0.0
#
bfd for_ip_frr bind peer-ip 1.1.1.1
discriminator local 20
discriminator remote 10
#
return

• Configuration file of PE3
#
sysname PE3
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:3
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.3
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.2.1.2 255.255.255.252
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.252
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 65410
#
ospf 1
area 0.0.0.0
network 100.2.1.0 0.0.0.3
network 3.3.3.3 0.0.0.0
#
return

• Configuration file of the CE
#
sysname CE
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.252
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 10.2.1.1 255.255.255.252
#
interface Loopback 1
undo shutdown
ip address 11.11.11.11 255.255.255.255
#
bgp 65410
peer 10.1.1.2 as-number 100
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
network 11.11.11.11 255.255.255.255
peer 10.1.1.2 enable
peer 10.2.1.2 enable
#
return

Related Tasks
2.14 Configuring VPN FRR

2.18.20 Example for Configuring FRR for IP Routes on a Private Network
FRR for IP routes can be deployed on a private network where multiple CEs at an IPv6 VPN
site access the same PE. If a route from the PE to a CE is unavailable, this feature quickly switches
traffic to a link from the PE to another CE.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

At a VPN site, different CEs use BGP to access the same PE. The PE has learned multiple IP
VPN routes with the same VPN prefix from the CEs. To enable the system to select a primary
route and a backup route, you can deploy FRR for IP routes on the private network. If this feature
is configured, the PE generates a primary route and a backup route to the same destination on
the private network. After that, IP traffic can be quickly switched to the link of the backup route
when the link of the primary route fails.
As shown in Figure 2-43, an EBGP peer relationship is set up between the PE and each CE.
There are two BGP routes from the PE to Loopback 1 on Router A. The optimal route resides
on Link_A; the sub-optimal route resides on Link_B. FRR for IP routes must be deployed on
the PE to allow IPv6 traffic to be quickly switched to Link_B when Link_A fails.

Figure 2-43 Networking diagram for configuring FRR for IP routes on a private network
[Diagram: the PE on the VPN backbone connects to CE1 over Link_A and to CE2 over Link_B; CE1 and CE2 connect to RouterA (Loopback 1, 11.11.11.11/32) at the vpn1 site.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IGP at the VPN site to advertise the route of Loopback 1 on Router A to CE1
and CE2.
2. Create a VPN instance named vpna on the PE, and bind GE 1/0/0 and GE 2/0/0 to vpna.
3. Establish an EBGP peer relationship between the PE and CE1, and between the PE and
CE2. On CE1 and CE2, configure an IGP and BGP to import routes from each other.
4. Enable IPv6 Auto FRR for the private network on the PE.

Data Preparation
To complete the configuration, you need the following data:
• VPN instance name (vpna) and attributes of the VPN instance IPv4 address family, for
  example, the RD (100:1) and VPN target (100:100), on the PE
• MEDs configured for the IGP routes imported into BGP on CE1 and CE2

Procedure
Step 1 Configure IP addresses for the interfaces on the routers at the VPN site.
For details on the configuration procedure, see the following configuration files.
Step 2 Configure an IGP at the VPN site to advertise the route of Loopback 1 on Router A to CE1 and
CE2. In this example, OSPF is configured as an IGP.
# Configure CE1.
[~CE1] ospf 1
[~CE1-ospf-1] area 0
[~CE1-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[~CE1-ospf-1-area-0.0.0.0] quit
[~CE1-ospf-1] quit
[~CE1] commit

The configurations of CE2 and Router A are similar to the configuration of CE1. For details on
the configuration procedure, see the following configuration files.
After the configuration is complete, run the display ip routing-table command on the CEs, and
you can find that CE1 and CE2 have learned the route to Loopback 1 on Router A. The following
takes the display on CE1 as an example:
<CE1> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : _public_
Destinations : 10 Routes : 10

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 Direct 0 0 D 10.1.1.2 GigabitEthernet1/0/0
10.1.1.1/32 Direct 0 0 D 10.1.1.1 GigabitEthernet1/0/0
10.1.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
11.11.11.11/32 OSPF 10 1 D 30.1.1.2 GigabitEthernet2/0/0
30.1.1.0/24 Direct 0 0 D 30.1.1.1 GigabitEthernet2/0/0
30.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
30.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
40.1.1.0/24 OSPF 10 2 D 30.1.1.2 GigabitEthernet2/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Step 3 Configure a VPN instance on the PE and bind the interfaces connecting the PE to the CEs to the
VPN instance.
# Configure a VPN instance named vpna on the PE, and bind GE 1/0/0 and GE 2/0/0 to the
instance.
<PE> system-view
[~PE] ip vpn-instance vpna
[~PE-vpn-instance-vpna] ipv4-family
[~PE-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[~PE-vpn-instance-vpna-af-ipv4] vpn-target 100:100
[~PE-vpn-instance-vpna-af-ipv4] quit
[~PE-vpn-instance-vpna] quit
[~PE] interface gigabitethernet 1/0/0
[~PE-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[~PE-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[~PE-GigabitEthernet1/0/0] quit
[~PE] interface gigabitethernet 2/0/0
[~PE-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[~PE-GigabitEthernet2/0/0] ip address 20.1.1.1 24
[~PE-GigabitEthernet2/0/0] commit
[~PE-GigabitEthernet2/0/0] quit

Step 4 Establish EBGP peer relationships between the PE and CEs.


# Configure the PE.
[~PE] bgp 100
[~PE-bgp] ipv4-family vpn-instance vpna
[~PE-bgp-vpna] peer 10.1.1.2 as-number 65410
[~PE-bgp-vpna] peer 20.1.1.2 as-number 65410
[~PE-bgp-vpna] quit
[~PE-bgp] commit
[~PE-bgp] quit

# Configure CE1.
[~CE1] bgp 65410
[~CE1-bgp] peer 10.1.1.1 as-number 100
[~CE1-bgp] commit
[~CE1-bgp] quit

# Configure CE2.
[~CE2] bgp 65410
[~CE2-bgp] peer 20.1.1.1 as-number 100
[~CE2-bgp] commit
[~CE2-bgp] quit

After the configuration is complete, run the display bgp vpnv4 vpn-instance vpna peer
command on the PE, and you can find that the status of the EBGP peer relationship between the
PE and CEs is Established. It indicates that the EBGP peer relationships have been set up
between the PE and CEs.
<PE> display bgp vpnv4 vpn-instance vpna peer

BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 2 Peers in established state : 2

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.2 4 65410 21 23 0 00:17:47 Established 1
20.1.1.2 4 65410 51 64 0 00:15:03 Established 1

Step 5 Configure route exchange between OSPF and BGP on the CEs.
# Configure CE1.
[~CE1] bgp 65410
[~CE1-bgp] network 11.11.11.11 32
[~CE1-bgp] quit
[~CE1] ospf 1
[~CE1-ospf-1] import-route bgp
[~CE1-ospf-1] quit
[~CE1] commit

# Configure CE2.
[~CE2] bgp 65410
[~CE2-bgp] network 11.11.11.11 32
[~CE2-bgp] quit
[~CE2] ospf 1
[~CE2-ospf-1] import-route bgp
[~CE2-ospf-1] quit
[~CE2] commit

After the configuration is complete, run the display ip routing-table vpn-instance command
on the PE, and you can find the route to Loopback 1 on Router A in the command output.
<PE> display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpna
Destinations : 7 Routes : 7

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 Direct 0 0 D 10.1.1.1 GigabitEthernet1/0/0
10.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.1.1.2/32 Direct 0 0 D 10.1.1.2 GigabitEthernet1/0/0
11.11.11.11/32 BGP 255 1 RD 10.1.1.2 GigabitEthernet1/0/0
20.1.1.0/24 Direct 0 0 D 20.1.1.1 GigabitEthernet2/0/0
20.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
20.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0

Step 6 Enable BGP Auto FRR for the private network on the PE.
# Configure the PE.
[~PE] bgp 100
[~PE-bgp] ipv4-family vpn-instance vpna
[~PE-bgp-vpna] auto-frr
[~PE-bgp-vpna] quit
[~PE-bgp] quit
[~PE] commit

NOTE

The auto-frr command configured in the BGP-VPN instance IPv4 address family view is valid only in
networking where BGP runs between the PE and CEs.

Step 7 Verify the configuration.


Run the display ip routing-table vpn-instance command on the PE. You can find that the next
hop to 11.11.11.11/32 is 10.1.1.2, and the PE has a backup next hop and a backup outbound
interface.
<PE> display ip routing-table vpn-instance vpna 11.11.11.11 verbose
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpna
Summary Count : 1

Destination: 11.11.11.11/32
Protocol: BGP Process ID: 0
Preference: 255 Cost: 1
NextHop: 10.1.1.2 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h35m31s
Tag: 0 Priority: low
Label: NULL QoSInfo: 0x0
IndirectID: 0xc7
RelayNextHop: 10.1.1.2 Interface: GigabitEthernet1/0/0
TunnelID: 0x0 Flags: RD
BkNextHop: 20.1.1.2 BkInterface: GigabitEthernet2/0/0
BkLabel: NULL SecTunnelID: 0x0
BkPETunnelID: 0x0 BkPESecTunnelID: 0x0
BkIndirectID: 0xc8

Run the shutdown command on GE 2/0/0 of CE1 to simulate a link fault.


[~CE1] interface Gigabitethernet2/0/0
[~CE1-GigabitEthernet2/0/0] shutdown
[~CE1-GigabitEthernet2/0/0] commit
[~CE1-GigabitEthernet2/0/0] quit

Run the display ip routing-table vpn-instance command on the PE. You can find that the next
hop to 11.11.11.11/32 is 20.1.1.2, and the PE does not have a backup next hop or a backup
outbound interface.

<PE> display ip routing-table vpn-instance vpna 11.11.11.11 verbose


Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpna
Summary Count : 1

Destination: 11.11.11.11/32
Protocol: BGP Process ID: 0
Preference: 255 Cost: 1
NextHop: 20.1.1.2 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h00m04s
Tag: 0 Priority: low
Label: NULL QoSInfo: 0x0
IndirectID: 0xc8
RelayNextHop: 20.1.1.2 Interface: GigabitEthernet2/0/0
TunnelID: 0x0 Flags: RD

FRR configured for IP routes on the private network has taken effect.

----End

Configuration Files
• Configuration file of the PE
#
sysname PE
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 100:100 export-extcommunity
vpn-target 100:100 import-extcommunity
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 20.1.1.1 255.255.255.0
#
bgp 100
#
ipv4-family unicast
undo synchronization
#
ipv4-family vpn-instance vpna
auto-frr
peer 10.1.1.2 as-number 65410
peer 20.1.1.2 as-number 65410
#
return

• Configuration file of CE1


#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 30.1.1.1 255.255.255.0
#
bgp 65410
peer 10.1.1.1 as-number 100

#
ipv4-family unicast
undo synchronization
network 11.11.11.11 255.255.255.255
peer 10.1.1.1 enable
#
ospf 1
import-route bgp
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
return

• Configuration file of CE2


#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 20.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 40.1.1.1 255.255.255.0
#
bgp 65410
peer 20.1.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
network 11.11.11.11 255.255.255.255
peer 20.1.1.1 enable
#
ospf 1
import-route bgp
area 0.0.0.0
network 40.1.1.0 0.0.0.255
#
return

• Configuration file of Router A


#
sysname RouterA
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 30.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 40.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 11.11.11.11 255.255.255.255
#
ospf 1
area 0.0.0.0
network 11.11.11.11 0.0.0.0
network 30.1.1.0 0.0.0.255
network 40.1.1.0 0.0.0.255
#
return

Related Tasks
2.15 Configuring FRR for IP Routes on a Private Network

2.18.21 Example for Configuring Hybrid FRR for IP and VPNv4 Routes

In a network where a CE is dual-homed to two PEs, hybrid FRR can be configured on PEs to
protect the link between either PE and the CE. If the link between one of the PEs and the CE
fails, traffic destined for the CE can be switched to the other PE to reach the CE.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

A CE at a VPN site is dual-homed to two PEs, and a VPNv4 peer relationship is set up between
the two PEs. To protect one of the PE-CE links, hybrid FRR for IP and VPNv4 routes can be
configured.
If the link fails, hybrid FRR can quickly switch traffic destined for the CE to the backup next
hop (a PE).
As shown in Figure 2-44, a CE is connected to PE2 and PE3; an MPLS public network tunnel
and a VPNv4 peer relationship are set up between PE2 and PE3. OSPF is configured between
PE2 and the CE and EBGP is configured between PE3 and the CE to exchange routing
information. PE3 learns from the CE a route to Loopback 1 on the CE and sends the route to its
VPNv4 peer. PE2 then has two routes to Loopback 1 on the CE: one learned by using
OSPF, and the other a VPNv4 route sent from PE3 by using MP-IBGP. PE2 prefers the OSPF
route sent from the CE because OSPF takes precedence over BGP. PE3 selects a route
to Loopback 1 on the CE from the routes sent from the CE and PE2 in a similar manner.
The requirements are as follows:
• PE2 must be configured to make the VPNv4 route sent from PE3 serve as a backup for the
  OSPF route sent from the CE.
• PE3 must be configured to prefer the EBGP route sent from the CE and use the
  IBGP route sent from PE2 as a backup route.
If the link between a PE and the CE fails, downstream traffic can be switched to the other PE to
reach the CE.
To meet the requirements, enable FRR for IP routes on the private network on PE2 and enable
BGP Auto FRR on PE3 to implement hybrid FRR for IP and VPNv4 routes.

Figure 2-44 Networking diagram for configuring hybrid FRR for IP and VPNv4 routes
[Figure not reproduced: PE1, PE2, and PE3 (AS 100) form the VPN backbone; the CE (AS 65410, vpn1 site) is connected to PE2 and PE3.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF on the MPLS backbone network for IP connectivity between PE1, PE2,
and PE3.
2. Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the
MPLS backbone network.
3. Establish an MP-IBGP peer relationship between PE1, PE2, and PE3.
4. Configure a VPN instance on each PE, and connect the CE to PE2 and PE3.
5. Configure routing protocols between the PEs and the CE.
6. Enable IP FRR for the VPN instance on PE2, and enable BGP Auto FRR on PE3.

Procedure
Step 1 Configure IP addresses for interfaces on the backbone network of the VPN and interfaces at the
VPN site. Details for configuration procedures are not provided here.
Step 2 Configure OSPF on the MPLS backbone network for IP connectivity between the PEs on the
backbone network. Details for configuration procedures are not provided here.
Step 3 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS
backbone network.
# Configure PE1.
<PE1> system-view
[~PE1] mpls lsr-id 1.1.1.1
[~PE1] mpls
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] quit
[~PE1] interface pos2/0/0
[~PE1-Pos2/0/0] mpls
[~PE1-Pos2/0/0] mpls ldp
[~PE1-Pos2/0/0] quit
[~PE1] interface pos3/0/0
[~PE1-Pos3/0/0] mpls
[~PE1-Pos3/0/0] mpls ldp

[~PE1-Pos3/0/0] quit
[~PE1] commit

# Configure PE2.
<PE2> system-view
[~PE2] mpls lsr-id 2.2.2.2
[~PE2] mpls
[~PE2-mpls] quit
[~PE2] mpls ldp
[~PE2-mpls-ldp] quit
[~PE2] interface pos1/0/0
[~PE2-Pos1/0/0] mpls
[~PE2-Pos1/0/0] mpls ldp
[~PE2-Pos1/0/0] quit
[~PE2] interface pos3/0/0
[~PE2-Pos3/0/0] mpls
[~PE2-Pos3/0/0] mpls ldp
[~PE2-Pos3/0/0] quit
[~PE2] commit

# Configure PE3.
<PE3> system-view
[~PE3] mpls lsr-id 3.3.3.3
[~PE3] mpls
[~PE3-mpls] quit
[~PE3] mpls ldp
[~PE3-mpls-ldp] quit
[~PE3] interface pos1/0/0
[~PE3-Pos1/0/0] mpls
[~PE3-Pos1/0/0] mpls ldp
[~PE3-Pos1/0/0] quit
[~PE3] interface pos3/0/0
[~PE3-Pos3/0/0] mpls
[~PE3-Pos3/0/0] mpls ldp
[~PE3-Pos3/0/0] quit
[~PE3] commit

Run the display mpls lsp command on the PEs. You can see that LSPs have been set up between
PE1 and PE2, and between PE1 and PE3. The following uses the display on PE1 as an example:
[~PE1] display mpls lsp
----------------------------------------------------------------------
LSP Information: LDP LSP
----------------------------------------------------------------------
FEC In/Out Label In/Out IF Vrf Name
2.2.2.2/32 NULL/3 -/Pos2/0/0
2.2.2.2/32 1024/3 -/Pos2/0/0
3.3.3.3/32 NULL/3 -/Pos3/0/0
3.3.3.3/32 1025/3 -/Pos3/0/0

Step 4 Establish an MP-IBGP peer relationship between the PEs.

# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] peer 2.2.2.2 as-number 100
[~PE1-bgp] peer 2.2.2.2 connect-interface loopback 1
[~PE1-bgp] peer 3.3.3.3 as-number 100
[~PE1-bgp] peer 3.3.3.3 connect-interface loopback 1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 2.2.2.2 enable
[~PE1-bgp-af-vpnv4] peer 3.3.3.3 enable
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit
[~PE1] commit

# Configure PE2.

[~PE2] bgp 100


[~PE2-bgp] peer 1.1.1.1 as-number 100
[~PE2-bgp] peer 1.1.1.1 connect-interface loopback 1
[~PE2-bgp] peer 3.3.3.3 as-number 100
[~PE2-bgp] peer 3.3.3.3 connect-interface loopback 1
[~PE2-bgp] ipv4-family vpnv4
[~PE2-bgp-af-vpnv4] peer 1.1.1.1 enable
[~PE2-bgp-af-vpnv4] peer 3.3.3.3 enable
[~PE2-bgp-af-vpnv4] quit
[~PE2-bgp] quit
[~PE2] commit

# Configure PE3.
[~PE3] bgp 100
[~PE3-bgp] peer 1.1.1.1 as-number 100
[~PE3-bgp] peer 1.1.1.1 connect-interface loopback 1
[~PE3-bgp] peer 2.2.2.2 as-number 100
[~PE3-bgp] peer 2.2.2.2 connect-interface loopback 1
[~PE3-bgp] ipv4-family vpnv4
[~PE3-bgp-af-vpnv4] peer 1.1.1.1 enable
[~PE3-bgp-af-vpnv4] peer 2.2.2.2 enable
[~PE3-bgp-af-vpnv4] quit
[~PE3-bgp] quit
[~PE3] commit

After the configuration is complete, run the display bgp vpnv4 all peer command on the PEs.
You can find that the status of the MP-IBGP peer relationship between the PEs is
Established. This means that the MP-IBGP peer relationships have been successfully set up.
The following uses the display on PE1 as an example:
[~PE1] display bgp vpnv4 all peer
BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2.2.2.2 4 100 20 17 0 00:13:26 Established 0
3.3.3.3 4 100 24 19 0 00:17:18 Established 1

Step 5 Configure a VPN instance on each PE, and connect the CE to PE2 and PE3.
# Configure PE1.
[~PE1] ip vpn-instance vpn1
[~PE1-vpn-instance-vpn1] ipv4-family
[~PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[~PE1-vpn-instance-vpn1-af-ipv4] vpn-target 111:1
[~PE1-vpn-instance-vpn1-af-ipv4] quit
[~PE1-vpn-instance-vpn1] quit
[~PE1] commit

# Configure PE2.
[~PE2] ip vpn-instance vpn1
[~PE2-vpn-instance-vpn1] ipv4-family
[~PE2-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:2
[~PE2-vpn-instance-vpn1-af-ipv4] vpn-target 111:1
[~PE2-vpn-instance-vpn1-af-ipv4] quit
[~PE2-vpn-instance-vpn1] quit
[~PE2] interface gigabitethernet2/0/0
[~PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[~PE2-GigabitEthernet2/0/0] ip address 192.168.1.1 30
[~PE2-GigabitEthernet2/0/0] quit
[~PE2] commit

# Configure PE3.
[~PE3] ip vpn-instance vpn1

[~PE3-vpn-instance-vpn1] ipv4-family
[~PE3-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:3
[~PE3-vpn-instance-vpn1-af-ipv4] vpn-target 111:1
[~PE3-vpn-instance-vpn1-af-ipv4] quit
[~PE3-vpn-instance-vpn1] quit
[~PE3] interface gigabitethernet2/0/0
[~PE3-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[~PE3-GigabitEthernet2/0/0] ip address 192.168.2.1 30
[~PE3-GigabitEthernet2/0/0] quit
[~PE3] commit

Step 6 Configure an OSPF instance on PE2 and the CE and set up an EBGP peer relationship between
PE3 and the CE.
# Configure PE2.
[~PE2] ospf 2 vpn-instance vpn1
[~PE2-ospf-2] import-route bgp
[~PE2-ospf-2] area 1
[~PE2-ospf-2-area-0.0.0.1] network 192.168.1.0 0.0.0.3
[~PE2-ospf-2-area-0.0.0.1] quit
[~PE2-ospf-2] quit
[~PE2] bgp 100
[~PE2-bgp] ipv4-family vpn-instance vpn1
[~PE2-bgp-vpn1] import-route ospf 2
[~PE2-bgp-vpn1] quit
[~PE2-bgp] quit
[~PE2] commit

# Configure PE3.
[~PE3] bgp 100
[~PE3-bgp] ipv4-family vpn-instance vpn1
[~PE3-bgp-vpn1] peer 192.168.2.2 as-number 65410
[~PE3-bgp-vpn1] bestroute as-path-ignore
[~PE3-bgp-vpn1] quit
[~PE3-bgp] quit
[~PE3] commit

# Configure the CE.


[~CE] bgp 65410
[~CE-bgp] peer 192.168.2.1 as-number 100
[~CE-bgp] network 22.22.22.22 32
[~CE-bgp] quit
[~CE] ospf 1
[~CE-ospf-1] area 1
[~CE-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.3
[~CE-ospf-1-area-0.0.0.1] network 22.22.22.22 0.0.0.0
[~CE-ospf-1-area-0.0.0.1] quit
[~CE-ospf-1] quit
[~CE] ip frr
[~CE] commit

After the configuration is complete, run the display ip routing-table vpn-instance vpn1
22.22.22.22 verbose command on PE2, and you can find the route to Loopback 1 on the CE in
the command output.
<PE2> display ip routing-table vpn-instance vpn1 22.22.22.22 verbose

Route Flags: R - relay, D - download for forwarding


------------------------------------------------------------------------------
Routing Table : vpn1
Summary Count : 2

Destination: 22.22.22.22/32
Protocol: OSPF Process ID: 2
Preference: 10 Cost: 1
NextHop: 192.168.1.2 Neighbour: 0.0.0.0
State: Active Adv Age: 00h11m08s

Tag: 0 Priority: medium


Label: NULL QoSInfo: 0x0
IndirectID: 0x76
RelayNextHop: 0.0.0.0 Interface: GigabitEthernet2/0/0
TunnelID: 0x0 Flags: D

Destination: 22.22.22.22/32
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 3.3.3.3 Neighbour: 0.0.0.0
State: Inactive Adv Age: 00h13m25s
Tag: 0 Priority: low
Label: 0x23 QoSInfo: 0x0
IndirectID: 0xb7
RelayNextHop: 0.0.0.0 Interface: LDP LSP
TunnelID: 0x0000000001004c4c62 Flags: R

The command output shows that PE2 has learned the routes to Loopback 1 on the CE from the
CE by using OSPF and from PE3 by using BGP. Because OSPF takes precedence over BGP,
PE2 prefers the OSPF route advertised by the CE.
Step 7 Enable IP Auto FRR for the VPN instance IPv4 address family on PE2.
# Configure PE2.
[~PE2] ip vpn-instance vpn1
[~PE2-vpn-instance-vpn1] ipv4-family
[~PE2-vpn-instance-vpn1-af-ipv4] ip frr
[~PE2-vpn-instance-vpn1-af-ipv4] quit
[~PE2-vpn-instance-vpn1] quit
[~PE2] commit

Step 8 Enable BGP Auto FRR for the BGP-VPN instance IPv4 address family on PE3.
# Configure PE3.
[~PE3] bgp 100
[~PE3-bgp] ipv4-family vpn-instance vpn1
[~PE3-bgp-vpn1] auto-frr
[~PE3-bgp-vpn1] quit
[~PE3-bgp] quit
[~PE3] commit

Step 9 Verify the configuration.


After the configuration is complete, run the display ip routing-table vpn-instance verbose
command on PE2 and PE3 to check the routing table of the VPN instance on each PE.
<PE2> display ip routing-table vpn-instance vpn1 22.22.22.22 verbose
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpn1
Summary Count : 2

Destination: 22.22.22.22/32
Protocol: OSPF Process ID: 2
Preference: 10 Cost: 1
NextHop: 192.168.1.2 Neighbour: 0.0.0.0
State: Active Adv Age: 00h26m40s
Tag: 0 Priority: medium
Label: NULL QoSInfo: 0x0
IndirectID: 0x76
RelayNextHop: 0.0.0.0 Interface: GigabitEthernet2/0/0
TunnelID: 0x0 Flags: D
BkNextHop: 0.0.0.0 BkInterface: LDP LSP
BkLabel: 0x23 SecTunnelID: 0x0
BkPETunnelID: 0x0000000001004c4c62 BkPESecTunnelID: 0x0
BkIndirectID: 0xb7

Destination: 22.22.22.22/32
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 3.3.3.3 Neighbour: 0.0.0.0
State: Inactive Adv Age: 00h28m57s
Tag: 0 Priority: low
Label: 0x23 QoSInfo: 0x0
IndirectID: 0xb7
RelayNextHop: 0.0.0.0 Interface: LDP LSP
TunnelID: 0x0000000001004c4c62 Flags: R
<PE3> display ip routing-table vpn-instance vpn1 22.22.22.22 verbose
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpn1
Summary Count : 1

Destination: 22.22.22.22/32
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 192.168.2.2 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h00m31s
Tag: 0 Priority: low
Label: NULL QoSInfo: 0x0
IndirectID: 0xa9
RelayNextHop: 192.168.2.2 Interface: GigabitEthernet2/0/0
TunnelID: 0x0 Flags: RD
BkNextHop: 0.0.0.0 BkInterface: LDP LSP
BkLabel: 0x27 SecTunnelID: 0x5000098
BkPETunnelID: 0x0 BkPESecTunnelID: 0x0
BkIndirectID: 0xaa

The command output shows that after IP FRR is enabled, both PE2 and PE3 have the primary
and backup routes to Loopback 1 on the CE, and the backup route is iterated to an LDP LSP.
Run the shutdown command on GE 2/0/0 of PE2, and then run the display ip routing-table
vpn-instance verbose command. You can find that the next hop to the loopback interface on the
CE is changed to PE3.
<PE2> display ip routing-table vpn-instance vpn1 22.22.22.22 verbose
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpn1
Summary Count : 1

Destination: 22.22.22.22/32
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 3.3.3.3 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h33m16s
Tag: 0 Priority: low
Label: 0x23 QoSInfo: 0x0
IndirectID: 0xb7
RelayNextHop: 0.0.0.0 Interface:LDP LSP
TunnelID: 0x0000000001004c4c62 Flags: RD

Perform the same operation on PE3, and you can view similar information.
Hybrid FRR for IP and VPNv4 routes has taken effect on PE2 and PE3.
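
A check for the verification step, as an added example that is not part of the Huawei guide: the Python below parses the verbose routing-table output shown above, lists active routes that have no FRR backup, and confirms that the path in use after the fault is the one that was installed as the backup. The sample text is the PE2 output from this page, abridged; the function names and the interface-plus-label comparison are assumptions of this example. It also handles the single-PE output of the previous example, where the backup is a plain next hop rather than an LDP LSP.

```python
import re

# Field names seen in the verbose routing-table output on this page.
FIELDS = ["Destination", "Protocol", "Process ID", "Preference", "Cost",
          "NextHop", "Neighbour", "State", "Age", "Tag", "Priority", "Label",
          "QoSInfo", "IndirectID", "RelayNextHop", "Interface", "TunnelID",
          "Flags", "BkNextHop", "BkInterface", "BkLabel", "SecTunnelID",
          "BkPETunnelID", "BkPESecTunnelID", "BkIndirectID"]
# No letter may precede a name, so "NextHop" never matches inside "BkNextHop".
FIELD_RE = re.compile(r"(?<![A-Za-z])(" + "|".join(
    sorted((re.escape(f) for f in FIELDS), key=len, reverse=True)) + r")\s*:\s*")

def parse_routes(output):
    """Split one 'display ip routing-table ... verbose' output into route dicts."""
    routes = []
    for line in output.splitlines():
        if line.lstrip().startswith("Route Flags"):
            continue  # legend line, not a field of a route
        hits = list(FIELD_RE.finditer(line))
        for i, hit in enumerate(hits):
            end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
            if hit.group(1) == "Destination":
                routes.append({})  # every route entry starts with Destination
            if routes:
                routes[-1][hit.group(1)] = line[hit.end():end].strip()
    return routes

def frr_status(routes):
    """Return (destination, primary, backup or None) for each active route."""
    report = []
    for r in routes:
        if not r.get("State", "").startswith("Active"):
            continue  # inactive routes are candidates, not the forwarding path
        primary = (r.get("NextHop"), r.get("Interface"), r.get("Label"))
        backup = None
        if "BkInterface" in r:
            backup = (r.get("BkNextHop"), r["BkInterface"], r.get("BkLabel"))
        report.append((r["Destination"], primary, backup))
    return report

def unprotected(routes):
    """Destinations whose active route has no FRR backup installed."""
    return [dest for dest, _, backup in frr_status(routes) if backup is None]

def switched_to_backup(before, after):
    """True if every active route after the fault uses the interface and label
    that were installed as its backup before the fault (assumed comparison)."""
    backups = {dest: backup for dest, _, backup in frr_status(before)}
    now = frr_status(after)
    for dest, primary, _ in now:
        backup = backups.get(dest)
        if backup is None or primary[1:] != backup[1:]:
            return False
    return bool(now)

# PE2 output from this page, abridged (Preference/Cost and Tag/Priority lines
# omitted): first with ip frr enabled, then after GE 2/0/0 is shut down.
PE2_BEFORE = """\
Route Flags: R - relay, D - download for forwarding
Destination: 22.22.22.22/32
Protocol: OSPF Process ID: 2
NextHop: 192.168.1.2 Neighbour: 0.0.0.0
State: Active Adv Age: 00h26m40s
Label: NULL QoSInfo: 0x0
IndirectID: 0x76
RelayNextHop: 0.0.0.0 Interface: GigabitEthernet2/0/0
TunnelID: 0x0 Flags: D
BkNextHop: 0.0.0.0 BkInterface: LDP LSP
BkLabel: 0x23 SecTunnelID: 0x0
BkPETunnelID: 0x0000000001004c4c62 BkPESecTunnelID: 0x0
BkIndirectID: 0xb7

Destination: 22.22.22.22/32
Protocol: BGP Process ID: 0
NextHop: 3.3.3.3 Neighbour: 0.0.0.0
State: Inactive Adv Age: 00h28m57s
Label: 0x23 QoSInfo: 0x0
IndirectID: 0xb7
RelayNextHop: 0.0.0.0 Interface: LDP LSP
TunnelID: 0x0000000001004c4c62 Flags: R
"""
PE2_AFTER = """\
Destination: 22.22.22.22/32
Protocol: BGP Process ID: 0
NextHop: 3.3.3.3 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h33m16s
Label: 0x23 QoSInfo: 0x0
IndirectID: 0xb7
RelayNextHop: 0.0.0.0 Interface:LDP LSP
TunnelID: 0x0000000001004c4c62 Flags: RD
"""

if __name__ == "__main__":
    before, after = parse_routes(PE2_BEFORE), parse_routes(PE2_AFTER)
    print("backup before fault:", frr_status(before)[0][2])
    print("switched to backup:", switched_to_backup(before, after))
    print("unprotected after fault:", unprotected(after))
```

After the switchover the route is reported as unprotected, which matches the output above: once the backup path becomes the active path, no backup remains until the failed link recovers.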

----End

Configuration Files
• Configuration file of PE1
#
sysname PE1
#

ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
#
mpls
#
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 100.1.1.1 255.255.255.252
mpls
mpls ldp
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 100.2.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
interface LoopBack2
ip binding vpn-instance vpn1
ip address 11.11.11.11 255.255.255.255
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
peer 3.3.3.3 enable
#
ipv4-family vpn-instance vpn1
import-route direct
#
ospf 1
area 0.0.0.0
network 100.1.1.0 0.0.0.3
network 100.2.1.0 0.0.0.3
network 1.1.1.1 0.0.0.0
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:2
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
ip frr

#
mpls lsr-id 2.2.2.2
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.1.1.2 255.255.255.252
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 192.168.1.1 255.255.255.252
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 110.1.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
peer 3.3.3.3 enable
#
ipv4-family vpn-instance vpn1
import-route ospf 2
#
ospf 1
area 0.0.0.0
network 100.1.1.0 0.0.0.3
network 110.1.1.0 0.0.0.3
network 2.2.2.2 0.0.0.0
#
ospf 2 vpn-instance vpn1
import-route bgp
area 0.0.0.1
network 192.168.1.0 0.0.0.3
#
return
• Configuration file of PE3
#
sysname PE3
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:3
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity

#
mpls lsr-id 3.3.3.3
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.2.1.2 255.255.255.252
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpn1
ip address 192.168.2.1 255.255.255.252
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 110.1.1.2 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpn1
bestroute as-path-ignore
auto-frr
peer 192.168.2.2 as-number 65410
#
ospf 1
area 0.0.0.0
network 100.2.1.0 0.0.0.3
network 110.1.1.0 0.0.0.3
network 3.3.3.3 0.0.0.0
#
return
• Configuration file of the CE
#
sysname CE
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.2 255.255.255.252
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 192.168.2.2 255.255.255.252
#

interface LoopBack1
ip address 22.22.22.22 255.255.255.255
#
bgp 65410
peer 192.168.2.1 as-number 100
#
ipv4-family unicast
undo synchronization
network 22.22.22.22 255.255.255.255
peer 192.168.2.1 enable
#
ospf 1
area 0.0.0.1
network 22.22.22.22 0.0.0.0
network 192.168.1.0 0.0.0.3
#
return

Related Tasks
2.16 Configuring Hybrid FRR for IP and VPNv4 Routes

2.18.22 Example for Configuring BFD for Static VPN Routes


In CE dual-homing networking, a link fault can be detected, and a static route on a CE
that is bound to a BFD session can be refreshed according to the BFD session status. This helps
VPN traffic converge quickly.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, an interface is numbered in the format of chassis ID/
slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

As shown in Figure 2-45, CE1 and CE2 belong to VPN A. Two default routes with the next
hops as PE1 and PE2 respectively are configured on CE1. The two routes carry out load
balancing. The static routes bound to VPN A are configured on PE1 and PE2 separately and are
imported to BGP.
BFD sessions are established between PE1 and CE1, and between PE2 and CE1. It is required
that BFD be configured on PE1 and PE2 to detect static VPN routes. In normal situations, the
traffic from CE1 to the public network can be forwarded through PE1 and PE2 in load balancing
mode. If the link between CE1 and PE1 or PE2 fails, the static route senses the link fault by
tracking BFD session status and CE1 updates the route. Then the traffic is forwarded through
the other link.

Figure 2-45 Networking of configuring BFD for static VPN routes
[Figure not reproduced: CE1 in VPN A is dual-homed to PE1 and PE2; PE1, PE2, and PE3 are on the MPLS backbone; CE2 in VPN A is connected to PE3.]

Configuration Notes
When configuring BFD for static VPN routes, note the following:
• The CE is dual-homed to two PEs configured with VPN instances of different RDs.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF between the PEs to implement interworking between the PEs.
2. Establish MPLS LSPs between the PEs.
3. Configure VPN instances on the PEs and bind each interface that connects a PE to a CE to
a VPN instance.
4. Configure MP-IBGP on the PEs to exchange VPN routing information.
5. Configure two default routes with the next hops as PE1 and PE2 respectively on CE1 to
implement load balancing between PE1 and PE2.
6. Configure the static route bound to VPN A on PE1 and PE2 and import the static route into
BGP.
7. Configure an MP-EBGP peer relationship between PE3 and CE2.
8. Configure static BFD sessions with automatically negotiated discriminators between PE1
and CE1, and between PE2 and CE1.
9. Configure BFD for VPN static routes on PE1 and PE2.

Data Preparation
To complete the configuration, you need the following data:

• MPLS LSR IDs of the PEs
• Names, RDs, and VPN targets of the VPN instances on the PEs
• Local IP address and peer IP address of BFD

Procedure
Step 1 Configure an IGP on the MPLS backbone network to interconnect the devices on the backbone
network.
# Configure PE1.
<HUAWEI> system-view
[~HUAWEI] sysname PE1
[~PE1] interface loopback 1
[~PE1-LoopBack1] ip address 2.2.2.2 32
[~PE1-LoopBack1] commit
[~PE1-LoopBack1] quit
[~PE1] interface pos 1/0/0
[~PE1-Pos1/0/0] ip address 100.1.1.1 24
[~PE1-Pos1/0/0] commit
[~PE1-Pos1/0/0] quit
[~PE1] interface pos 2/0/0
[~PE1-Pos2/0/0] ip address 100.3.1.1 24
[~PE1-Pos2/0/0] commit
[~PE1-Pos2/0/0] quit
[~PE1] ospf
[~PE1-ospf-1] area 0
[~PE1-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[~PE1-ospf-1-area-0.0.0.0] network 100.3.1.0 0.0.0.255
[~PE1-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[~PE1-ospf-1-area-0.0.0.0] commit
[~PE1-ospf-1-area-0.0.0.0] quit
[~PE1-ospf-1] quit

# Configure PE2.
<HUAWEI> system-view
[~HUAWEI] sysname PE2
[~PE2] interface loopback 1
[~PE2-LoopBack1] ip address 3.3.3.3 32
[~PE2-LoopBack1] commit
[~PE2-LoopBack1] quit
[~PE2] interface pos 1/0/0
[~PE2-Pos1/0/0] ip address 100.2.1.1 24
[~PE2-Pos1/0/0] commit
[~PE2-Pos1/0/0] quit
[~PE2] interface pos 2/0/0
[~PE2-Pos2/0/0] ip address 100.3.1.2 24
[~PE2-Pos2/0/0] commit
[~PE2-Pos2/0/0] quit
[~PE2] ospf
[~PE2-ospf-1] area 0
[~PE2-ospf-1-area-0.0.0.0] network 100.2.1.0 0.0.0.255
[~PE2-ospf-1-area-0.0.0.0] network 100.3.1.0 0.0.0.255
[~PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[~PE2-ospf-1-area-0.0.0.0] commit
[~PE2-ospf-1-area-0.0.0.0] quit
[~PE2-ospf-1] quit

# Configure PE3.
<HUAWEI> system-view
[~HUAWEI] sysname PE3
[~PE3] interface loopback 1
[~PE3-LoopBack1] ip address 4.4.4.4 32
[~PE3-LoopBack1] commit
[~PE3-LoopBack1] quit
[~PE3] interface pos 1/0/0
[~PE3-Pos1/0/0] ip address 100.1.1.2 24
[~PE3-Pos1/0/0] commit
[~PE3-Pos1/0/0] quit
[~PE3] interface pos 2/0/0
[~PE3-Pos2/0/0] ip address 100.2.1.2 24
[~PE3-Pos2/0/0] commit
[~PE3-Pos2/0/0] quit
[~PE3] ospf
[~PE3-ospf-1] area 0
[~PE3-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[~PE3-ospf-1-area-0.0.0.0] network 100.2.1.0 0.0.0.255
[~PE3-ospf-1-area-0.0.0.0] network 4.4.4.4 0.0.0.0
[~PE3-ospf-1-area-0.0.0.0] commit
[~PE3-ospf-1-area-0.0.0.0] quit
[~PE3-ospf-1] quit

After the configuration, OSPF neighbor relationships can be set up between PE1, PE2, and PE3.
Run the display ip routing-table command, and you can view that the PEs have learnt the routes
to Loopback1 of each other.

Take the display on PE1 as an example.


<PE1> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 12 Routes : 13

Destination/Mask Proto Pre Cost Flags NextHop Interface

2.2.2.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0


3.3.3.3/32 OSPF 10 2 D 100.3.1.2 Pos2/0/0
4.4.4.4/32 OSPF 10 2 D 100.1.1.2 Pos1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
100.3.1.0/24 Direct 0 0 D 100.3.1.1 Pos2/0/0
100.3.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
100.3.1.2/32 Direct 0 0 D 100.3.1.2 Pos2/0/0
100.1.1.0/24 Direct 0 0 D 100.1.1.1 Pos1/0/0
100.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
100.1.1.2/32 Direct 0 0 D 100.1.1.2 Pos1/0/0
100.2.1.0/24 OSPF 10 2 D 100.1.1.2 Pos1/0/0
OSPF 10 2 D 100.3.1.2 Pos2/0/0

Step 2 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS
backbone network.

# Configure PE1.
[~PE1] mpls lsr-id 2.2.2.2
[~PE1] mpls
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] quit
[~PE1] interface pos 1/0/0
[~PE1-Pos1/0/0] mpls
[~PE1-Pos1/0/0] mpls ldp
[~PE1-Pos1/0/0] commit
[~PE1-Pos1/0/0] quit
[~PE1] interface pos 2/0/0
[~PE1-Pos2/0/0] mpls
[~PE1-Pos2/0/0] mpls ldp
[~PE1-Pos2/0/0] commit
[~PE1-Pos2/0/0] quit

# Configure PE2.

[~PE2] mpls lsr-id 3.3.3.3


[~PE2] mpls
[~PE2-mpls] quit
[~PE2] mpls ldp
[~PE2-mpls-ldp] quit
[~PE2] interface pos 1/0/0
[~PE2-Pos1/0/0] mpls
[~PE2-Pos1/0/0] mpls ldp
[~PE2-Pos1/0/0] commit
[~PE2-Pos1/0/0] quit
[~PE2] interface pos 2/0/0
[~PE2-Pos2/0/0] mpls
[~PE2-Pos2/0/0] mpls ldp
[~PE2-Pos2/0/0] commit
[~PE2-Pos2/0/0] quit

# Configure PE3.
[~PE3] mpls lsr-id 4.4.4.4
[~PE3] mpls
[~PE3-mpls] quit
[~PE3] mpls ldp
[~PE3-mpls-ldp] quit
[~PE3] interface pos 1/0/0
[~PE3-Pos1/0/0] mpls
[~PE3-Pos1/0/0] mpls ldp
[~PE3-Pos1/0/0] commit
[~PE3-Pos1/0/0] quit
[~PE3] interface pos 2/0/0
[~PE3-Pos2/0/0] mpls
[~PE3-Pos2/0/0] mpls ldp
[~PE3-Pos2/0/0] commit
[~PE3-Pos2/0/0] quit

After the preceding configuration, LDP sessions can be set up between the PEs. Run the display
mpls ldp session command, and you can view that the Status field is displayed as
Operational.
Take the display on PE1 as an example.
<PE1> display mpls ldp session

LDP Session(s) in Public Network


------------------------------------------------------------------------------
Peer-ID Status LAM SsnRole SsnAge KA-Sent/Rcv
------------------------------------------------------------------------------
3.3.3.3:0 Operational DU Passive 000:02:22 572/572
4.4.4.4:0 Operational DU Passive 000:02:21 566/566
------------------------------------------------------------------------------
TOTAL: 2 session(s) Found.
LAM : Label Advertisement Mode SsnAge Unit : DDD:HH:MM

Step 3 Configure VPN instances on the PEs and connect the CEs to the PEs.
# Configure PE1.
[~PE1] ip vpn-instance VPNA
[~PE1-vpn-instance-VPNA] ipv4-family
[~PE1-vpn-instance-VPNA-af-ipv4] route-distinguisher 100:1
[~PE1-vpn-instance-VPNA-af-ipv4] vpn-target 111:1 both
[~PE1-vpn-instance-VPNA-af-ipv4] quit
[~PE1-vpn-instance-VPNA] quit
[~PE1] interface gigabitethernet 3/0/0
[~PE1-GigabitEthernet3/0/0] ip binding vpn-instance VPNA
[~PE1-GigabitEthernet3/0/0] ip address 10.1.1.2 24
[~PE1-GigabitEthernet3/0/0] commit
[~PE1-GigabitEthernet3/0/0] quit

# Configure PE2.
[~PE2] ip vpn-instance VPNA
[~PE2-vpn-instance-VPNA] ipv4-family
[~PE2-vpn-instance-VPNA-af-ipv4] route-distinguisher 100:2
[~PE2-vpn-instance-VPNA-af-ipv4] vpn-target 111:1 both
[~PE2-vpn-instance-VPNA-af-ipv4] quit
[~PE2-vpn-instance-VPNA] quit
[~PE2] interface gigabitethernet 3/0/0
[~PE2-GigabitEthernet3/0/0] ip binding vpn-instance VPNA
[~PE2-GigabitEthernet3/0/0] ip address 10.2.1.2 24
[~PE2-GigabitEthernet3/0/0] commit
[~PE2-GigabitEthernet3/0/0] quit

# Configure PE3.
[~PE3] ip vpn-instance VPNA
[~PE3-vpn-instance-VPNA] ipv4-family
[~PE3-vpn-instance-VPNA-af-ipv4] route-distinguisher 100:3
[~PE3-vpn-instance-VPNA-af-ipv4] vpn-target 111:1 both
[~PE3-vpn-instance-VPNA-af-ipv4] quit
[~PE3-vpn-instance-VPNA] quit
[~PE3] interface gigabitethernet 3/0/0
[~PE3-GigabitEthernet3/0/0] ip binding vpn-instance VPNA
[~PE3-GigabitEthernet3/0/0] ip address 10.3.1.1 24
[~PE3-GigabitEthernet3/0/0] commit
[~PE3-GigabitEthernet3/0/0] quit

# Configure CE1.
[~CE1] interface gigabitethernet 1/0/0
[~CE1-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[~CE1-GigabitEthernet1/0/0] commit
[~CE1-GigabitEthernet1/0/0] quit
[~CE1] interface gigabitethernet 2/0/0
[~CE1-GigabitEthernet2/0/0] ip address 10.2.1.1 24
[~CE1-GigabitEthernet2/0/0] commit
[~CE1-GigabitEthernet2/0/0] quit

# Configure CE2.
[~CE2] interface gigabitethernet 1/0/0
[~CE2-GigabitEthernet1/0/0] ip address 10.3.1.2 24
[~CE2-GigabitEthernet1/0/0] commit
[~CE2-GigabitEthernet1/0/0] quit

After the configuration, run the display ip vpn-instance verbose command on PEs to view the
configurations of VPN instances. Each PE can successfully ping its connected CE.
Take PE1 and CE1 as an example:
<PE1> display ip vpn-instance verbose
Total VPN-Instances configured : 1

VPN-Instance Name and ID : VPNA, 1
Interfaces : GigabitEthernet3/0/0
Address family ipv4
Create date : 2008/09/21 12:18:46
Up time : 0 days, 02 hours, 35 minutes and 58 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label policy : label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe
[~PE1] ping -vpn-instance VPNA 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=130 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=60 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=40 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=30 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=30 ms

--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/58/130 ms

Step 4 Import the VPN routes between PE1, PE2, and CE1.
Configure two default routes with the next hops being PE1 and PE2 respectively on CE1 to
implement load balancing between PE1 and PE2. Configure the static routes to be bound to the
VPN instance on PE1 and PE2 and import the static routes into BGP.
# Configure CE1.
[~CE1] load-balance packet all
[~CE1] ip route-static 0.0.0.0 0 10.1.1.2
[~CE1] ip route-static 0.0.0.0 0 10.2.1.2

# Configure PE1.
[~PE1] ip route-static vpn-instance VPNA 1.1.1.1 32 10.1.1.1
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance VPNA
[~PE1-bgp-VPNA] import-route direct
[~PE1-bgp-VPNA] import-route static
[~PE1-bgp-VPNA] commit
[~PE1-bgp-VPNA] quit

# Configure PE2.
[~PE2] ip route-static vpn-instance VPNA 1.1.1.1 32 10.2.1.1
[~PE2] bgp 100
[~PE2-bgp] ipv4-family vpn-instance VPNA
[~PE2-bgp-VPNA] import-route direct
[~PE2-bgp-VPNA] import-route static
[~PE2-bgp-VPNA] commit
[~PE2-bgp-VPNA] quit

Step 5 Set up an EBGP peer relationship between PE3 and CE2, and import VPN routes to EBGP.
# Configure CE2.
[~CE2] bgp 65410
[~CE2-bgp] peer 10.3.1.1 as-number 100
[~CE2-bgp] import-route direct
[~CE2-bgp] commit
[~CE2-bgp] quit

# Configure PE3. Set the number of routes that carry out load balancing to 2 on PE3.
[~PE3] bgp 100
[~PE3-bgp] ipv4-family vpn-instance VPNA
[~PE3-bgp-VPNA] peer 10.3.1.2 as-number 65410
[~PE3-bgp-VPNA] import-route direct
[~PE3-bgp-VPNA] maximum load-balancing 2
[~PE3-bgp-VPNA] commit
[~PE3-bgp-VPNA] quit

Step 6 Set up MP-IBGP peer relationships between PEs.


# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] peer 3.3.3.3 as-number 100
[~PE1-bgp] peer 3.3.3.3 connect-interface loopback 1
[~PE1-bgp] peer 4.4.4.4 as-number 100
[~PE1-bgp] peer 4.4.4.4 connect-interface loopback 1
[~PE1-bgp] ipv4-family vpnv4
[~PE1-bgp-af-vpnv4] peer 3.3.3.3 enable
[~PE1-bgp-af-vpnv4] peer 4.4.4.4 enable
[~PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit

# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] peer 2.2.2.2 as-number 100
[~PE2-bgp] peer 2.2.2.2 connect-interface loopback 1
[~PE2-bgp] peer 4.4.4.4 as-number 100
[~PE2-bgp] peer 4.4.4.4 connect-interface loopback 1
[~PE2-bgp] ipv4-family vpnv4
[~PE2-bgp-af-vpnv4] peer 2.2.2.2 enable
[~PE2-bgp-af-vpnv4] peer 4.4.4.4 enable
[~PE2-bgp-af-vpnv4] commit
[~PE2-bgp-af-vpnv4] quit
[~PE2-bgp] quit

# Configure PE3.
[~PE3] bgp 100
[~PE3-bgp] peer 2.2.2.2 as-number 100
[~PE3-bgp] peer 2.2.2.2 connect-interface loopback 1
[~PE3-bgp] peer 3.3.3.3 as-number 100
[~PE3-bgp] peer 3.3.3.3 connect-interface loopback 1
[~PE3-bgp] ipv4-family vpnv4
[~PE3-bgp-af-vpnv4] peer 2.2.2.2 enable
[~PE3-bgp-af-vpnv4] peer 3.3.3.3 enable
[~PE3-bgp-af-vpnv4] commit
[~PE3-bgp-af-vpnv4] quit
[~PE3-bgp] quit

After the configuration, run the display bgp peer command on the PEs, and you can view that
the BGP peer relationships have been established between the PEs.
<PE1> display bgp peer

 BGP local router ID : 2.2.2.2
 Local AS number : 100
 Total number of peers : 2                 Peers in established state : 2

  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv

  4.4.4.4         4   100      205      202     0 03:05:25 Established       0
  3.3.3.3         4   100      197      254     0 03:06:54 Established       0

Step 7 Configure BFD sessions with automatically negotiated discriminators.


Set up BFD sessions between CE1 and PE1, and between CE1 and PE2.
# Configure PE1.
[~PE1] bfd
[~PE1-bfd] quit
[~PE1] bfd pe1_to_ce1 bind peer-ip 10.1.1.1 vpn-instance VPNA interface gigabitethernet 3/0/0 source-ip 10.1.1.2 auto
[~PE1-bfd-session-pe1_to_ce1] commit
[~PE1-bfd-session-pe1_to_ce1] quit

# Configure PE2.
[~PE2] bfd
[~PE2-bfd] quit
[~PE2] bfd pe2_to_ce1 bind peer-ip 10.2.1.1 vpn-instance VPNA interface gigabitethernet 3/0/0 source-ip 10.2.1.2 auto
[~PE2-bfd-session-pe2_to_ce1] commit
[~PE2-bfd-session-pe2_to_ce1] quit

# Configure CE1.
[~CE1] bfd
[~CE1-bfd] quit
[~CE1] bfd ce1_to_pe1 bind peer-ip 10.1.1.2 interface gigabitethernet 1/0/0 source-ip 10.1.1.1 auto
[~CE1-bfd-session-ce1_to_pe1] commit
[~CE1-bfd-session-ce1_to_pe1] quit
[~CE1] bfd ce1_to_pe2 bind peer-ip 10.2.1.2 interface gigabitethernet 2/0/0 source-ip 10.2.1.1 auto
[~CE1-bfd-session-ce1_to_pe2] commit
[~CE1-bfd-session-ce1_to_pe2] quit

After the configuration, run the display bfd session all verbose command on the PEs and CEs,
and you can view that a one-hop static auto-negotiation BFD session is set up, and the session
status is Up. The local and remote IDs of the BFD session are obtained through auto-negotiation.
Take PE1 and CE1 as an example:
# The display on PE1 is as follows:
<PE1> display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 16384 (One Hop) State : Up Name : pe1_to_ce1
--------------------------------------------------------------------------------
Local Discriminator : 8192 Remote Discriminator : 8192
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(GigabitEthernet3/0/0)
Bind Session Type : Static_Auto
Bind Peer IP Address : 10.1.1.1
NextHop Ip Address : 10.1.1.1
Bind Interface : GigabitEthernet3/0/0
Bind Source IP Address : 10.1.1.2
Vpn Instance Name : VPNA
FSM Board Id : 3 TOS-EXP : 6
Min Tx Interval (ms) : 10 Min Rx Interval (ms) : 10
Actual Tx Interval (ms): - Actual Rx Interval (ms): -
Local Detect Multi : 3 Detect Interval (ms) : -
Echo Passive : Disable Acl Number : -
Destination Port : 3784 TTL : 254
Proc Interface Status : Disable Process PST : Disable
WTR Interval (ms) : - Local Demand Mode : Disable
Active Multi : 3
Last Local Diagnostic : No Diagnostic
Bind Application : AUTO
Session TX TmrID : - Session Detect TmrID : -
Session Init TmrID : - Session WTR TmrID : -
Session Echo Tx TmrID : -
PDT Index : FSM-5020000 | RCV-0 | IF-5020000 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 1/0

# The display on CE1 is as follows:


<CE1> display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 16384 (One Hop) State : Up Name : ce1_to_pe1
--------------------------------------------------------------------------------
Local Discriminator : 8192 Remote Discriminator : 8192
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(GigabitEthernet1/0/0)
Bind Session Type : Static_Auto
Bind Peer IP Address : 10.1.1.2
NextHop Ip Address : 10.1.1.2
Bind Interface : GigabitEthernet1/0/0
Bind Source IP Address : 10.1.1.1
FSM Board Id : 3 TOS-EXP : 6
Min Tx Interval (ms) : 10 Min Rx Interval (ms) : 10
Actual Tx Interval (ms): - Actual Rx Interval (ms): -
Local Detect Multi : 3 Detect Interval (ms) : -
Echo Passive : Disable Acl Number : -
Destination Port : 3784 TTL : 255
Proc Interface Status : Disable Process PST : Disable
WTR Interval (ms) : - Local Demand Mode : Disable
Active Multi : 3
Last Local Diagnostic : No Diagnostic
Bind Application : AUTO
Session TX TmrID : - Session Detect TmrID : -
Session Init TmrID : - Session WTR TmrID : -
Session Echo Tx TmrID : -
PDT Index : FSM-5020000 | RCV-0 | IF-5020000 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Session MIndex : 16384 (One Hop) State : Up Name : ce1_to_pe2
--------------------------------------------------------------------------------
Local Discriminator : 8193 Remote Discriminator : 8193
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(GigabitEthernet2/0/0)
Bind Session Type : Static_Auto
Bind Peer IP Address : 10.2.1.2
NextHop Ip Address : 10.2.1.2
Bind Interface : GigabitEthernet2/0/0
Bind Source IP Address : 10.2.1.1
FSM Board Id : 3 TOS-EXP : 6
Min Tx Interval (ms) : 10 Min Rx Interval (ms) : 10
Actual Tx Interval (ms): - Actual Rx Interval (ms): -
Local Detect Multi : 3 Detect Interval (ms) : -
Echo Passive : Disable Acl Number : -
Destination Port : 3784 TTL : 255
Proc Interface Status : Disable Process PST : Disable
WTR Interval (ms) : - Local Demand Mode : Disable
Active Multi : 3
Last Local Diagnostic : No Diagnostic
Bind Application : AUTO
Session TX TmrID : - Session Detect TmrID : -
Session Init TmrID : - Session WTR TmrID : -
Session Echo Tx TmrID : -
PDT Index : FSM-5020000 | RCV-0 | IF-5020000 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------

Total UP/DOWN Session Number : 2/0

Step 8 Configure BFD for VPN static routes on the PEs.

# Configure PE1.
[~PE1] ip route-static vpn-instance VPNA 1.1.1.1 255.255.255.255 10.1.1.1 track bfd-session pe1_to_ce1

# Configure PE2.
[~PE2] ip route-static vpn-instance VPNA 1.1.1.1 255.255.255.255 10.2.1.1 track bfd-session pe2_to_ce1

Step 9 Verify the configuration.

# Check the VPN routing tables on the PEs and you can view that the static route exists in the
routing table of each PE.
<PE1> display ip routing-table vpn-instance VPNA
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: VPNA
Destinations : 5 Routes : 5

Destination/Mask Proto Pre Cost Flags NextHop Interface

1.1.1.1/32 Static 60 0 RD 10.1.1.1
GigabitEthernet3/0/0
10.1.1.0/24 Direct 0 0 D 10.1.1.2
GigabitEthernet3/0/0
10.1.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.2.1.0/24 BGP 255 0 RD 3.3.3.3 Pos2/0/0
10.3.1.0/24 BGP 255 0 RD 4.4.4.4 Pos1/0/0

# On CE1, check the gateway through which the packets destined for CE2 pass. You can view
that load balancing is carried out between PE1 and PE2 at the first hop.
<CE1> tracert 10.3.1.2
traceroute to 10.3.1.2(10.3.1.2), max hops: 30 ,packet length: 40
1 10.1.1.2 20 ms 10.2.1.2 1 ms 10.1.1.2 40 ms
2 10.3.1.1 40 ms 30 ms 50 ms
3 10.3.1.2 80 ms 80 ms 60 ms

# Check the routing table on PE3. You can find that there are two routes to CE1 (1.1.1.1), with
the next hops being 3.3.3.3 and 2.2.2.2 respectively. The two routes carry out load balancing.
<PE3> display ip routing-table vpn-instance VPNA
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: VPNA
Destinations : 5 Routes : 6

Destination/Mask Proto Pre Cost Flags NextHop Interface

1.1.1.1/32 BGP 255 0 RD 3.3.3.3 Pos2/0/0
           BGP 255 0 RD 2.2.2.2 Pos1/0/0
10.1.1.0/24 BGP 255 0 RD 2.2.2.2 Pos1/0/0
10.2.1.0/24 BGP 255 0 RD 3.3.3.3 Pos2/0/0
10.3.1.0/24 Direct 0 0 D 10.3.1.1
GigabitEthernet3/0/0
10.3.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

# On CE2, check the traffic destined for CE1, and you can find that load balancing is performed
when the traffic leaves PE3.
[~CE2] tracert 1.1.1.1
traceroute to 1.1.1.1(1.1.1.1), max hops: 30 ,packet length: 40
1 10.3.1.1 9 ms 2 ms 2 ms
2 10.2.1.2 < AS=100 > 6 ms 5 ms 2 ms
3 10.2.1.1 < AS=100 > 6 ms 6 ms 5 ms

# Run the shutdown command on GE 1/0/0 of CE1 to simulate a link fault.


[~CE1-GigabitEthernet1/0/0] shutdown

# Run the display bfd session all verbose command on PE1, and you can view that the status
of the BFD session is Down.
<PE1> display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 16384 (One Hop) State : Down Name : pe1_to_ce1
--------------------------------------------------------------------------------
Local Discriminator : 8192 Remote Discriminator : 8192
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(GigabitEthernet3/0/0)
Bind Session Type : Static_Auto
Bind Peer IP Address : 10.1.1.1
NextHop Ip Address : 10.1.1.1
Bind Interface : GigabitEthernet3/0/0
Bind Source IP Address : 10.1.1.2
FSM Board Id : 3 TOS-EXP : 6
Min Tx Interval (ms) : 10 Min Rx Interval (ms) : 10
Actual Tx Interval (ms): - Actual Rx Interval (ms): -
Local Detect Multi : 3 Detect Interval (ms) : -
Echo Passive : Disable Acl Number : -
Destination Port : 3784 TTL : 255
Proc Interface Status : Disable Process PST : Disable
WTR Interval (ms) : - Local Demand Mode : Disable
Active Multi : 3
Last Local Diagnostic : No Diagnostic
Bind Application : AUTO
Session TX TmrID : - Session Detect TmrID : -
Session Init TmrID : - Session WTR TmrID : -
Session Echo Tx TmrID : -
PDT Index : FSM-5020000 | RCV-0 | IF-5020000 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 0/1

# Run the display ip routing-table vpn-instance command on PE1 to check the VPN routing
table, and you can view that the next hop of the route destined for CE1 is only PE2.
<PE1> display ip routing-table vpn-instance VPNA
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: VPNA
Destinations : 3 Routes : 3

Destination/Mask Proto Pre Cost Flags NextHop Interface

1.1.1.1/32 BGP 255 0 RD 3.3.3.3 Pos2/0/0
10.2.1.0/24 BGP 255 0 RD 3.3.3.3 Pos2/0/0
10.3.1.0/24 BGP 255 0 RD 4.4.4.4 Pos1/0/0

# On CE1, check the gateway through which the packets destined for CE2 pass, and you can
view that load balancing is not carried out between PE1 and PE2 at the first hop, and the traffic
flows only through PE2.
<CE1> tracert 10.3.1.2
traceroute to 10.3.1.2(10.3.1.2), max hops: 30 ,packet length: 40
1 10.2.1.2 50 ms 30 ms 10 ms
2 10.3.1.1 110 ms 70 ms 90 ms
3 10.3.1.2 60 ms 70 ms 80 ms

# Run the display ip routing-table vpn-instance command on PE3 to check the routing table.
You can view that there is only one route to CE1 (1.1.1.1) with the next hop being PE2 (3.3.3.3).
<PE3> display ip routing-table vpn-instance VPNA
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: VPNA
Destinations : 4 Routes : 4

Destination/Mask Proto Pre Cost Flags NextHop Interface

1.1.1.1/32 BGP 255 0 RD 3.3.3.3 Pos2/0/0
10.2.1.0/24 BGP 255 0 RD 3.3.3.3 Pos2/0/0
10.3.1.0/24 Direct 0 0 D 10.3.1.1
GigabitEthernet3/0/0
10.3.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

# On CE2, check the traffic destined for CE1, and you can view that the traffic is forwarded
through POS 2/0/0 (10.2.1.2) after the traffic leaves PE3.
[~CE2] tracert 1.1.1.1
traceroute to 1.1.1.1(1.1.1.1), max hops: 30 ,packet length: 40
1 10.3.1.1 9 ms 2 ms 2 ms
2 10.2.1.2 < AS=100 > 6 ms 5 ms 5 ms
3 10.2.1.1 < AS=100 > 6 ms 5 ms 5 ms

Use a tester to generate traffic, and the traffic is forwarded through load balancing. After a link
between CE1 and PE1 or a link between CE1 and PE2 fails, you can find that the traffic is
switched in less than 50 ms.

----End

Configuration Files
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance VPNA
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
bfd
#
mpls lsr-id 2.2.2.2
#
mpls
#
mpls ldp
#
interface GigabitEthernet3/0/0
 undo shutdown
 ip binding vpn-instance VPNA
 ip address 10.1.1.2 255.255.255.0
#
interface Pos1/0/0
 undo shutdown
 link-protocol ppp
 ip address 100.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface Pos2/0/0
 undo shutdown
 link-protocol ppp
 ip address 100.3.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 2.2.2.2 255.255.255.255
#
bgp 100
 peer 3.3.3.3 as-number 100
 peer 3.3.3.3 connect-interface LoopBack1
 peer 4.4.4.4 as-number 100
 peer 4.4.4.4 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 3.3.3.3 enable
  peer 4.4.4.4 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 3.3.3.3 enable
  peer 4.4.4.4 enable
 #
 ipv4-family vpn-instance VPNA
  import-route direct
  import-route static
#
ospf 1
 area 0.0.0.0
  network 100.1.1.0 0.0.0.255
  network 100.3.1.0 0.0.0.255
  network 2.2.2.2 0.0.0.0
#
ip route-static vpn-instance VPNA 1.1.1.1 255.255.255.255 10.1.1.1 track bfd-session pe1_to_ce1
#
bfd pe1_to_ce1 bind peer-ip 10.1.1.1 vpn-instance VPNA interface GigabitEthernet3/0/0 source-ip 10.1.1.2 auto
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance VPNA
 ipv4-family
  route-distinguisher 100:2
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
bfd
#
mpls lsr-id 3.3.3.3
#
mpls
#
mpls ldp
#
interface GigabitEthernet3/0/0
 undo shutdown
 ip binding vpn-instance VPNA
 ip address 10.2.1.2 255.255.255.0
#
interface Pos1/0/0
 undo shutdown
 link-protocol ppp
 ip address 100.2.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface Pos2/0/0
 undo shutdown
 link-protocol ppp
 ip address 100.3.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 3.3.3.3 255.255.255.255
#
bgp 100
 peer 2.2.2.2 as-number 100
 peer 2.2.2.2 connect-interface LoopBack1
 peer 4.4.4.4 as-number 100
 peer 4.4.4.4 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 2.2.2.2 enable
  peer 4.4.4.4 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 2.2.2.2 enable
  peer 4.4.4.4 enable
 #
 ipv4-family vpn-instance VPNA
  import-route direct
  import-route static
#
ospf 1
 area 0.0.0.0
  network 100.3.1.0 0.0.0.255
  network 100.2.1.0 0.0.0.255
  network 3.3.3.3 0.0.0.0
#
ip route-static vpn-instance VPNA 1.1.1.1 255.255.255.255 10.2.1.1 track bfd-session pe2_to_ce1
#
bfd pe2_to_ce1 bind peer-ip 10.2.1.1 vpn-instance VPNA interface GigabitEthernet3/0/0 source-ip 10.2.1.2 auto
#
return
• Configuration file of PE3
#
sysname PE3
#
ip vpn-instance VPNA
 ipv4-family
  route-distinguisher 100:3
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
mpls lsr-id 4.4.4.4
#
mpls
#
mpls ldp
#
interface GigabitEthernet3/0/0
 undo shutdown
 ip binding vpn-instance VPNA
 ip address 10.3.1.1 255.255.255.0
#
interface Pos1/0/0
 undo shutdown
 link-protocol ppp
 ip address 100.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface Pos2/0/0
 undo shutdown
 link-protocol ppp
 ip address 100.2.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 4.4.4.4 255.255.255.255
#
bgp 100
 peer 2.2.2.2 as-number 100
 peer 2.2.2.2 connect-interface LoopBack1
 peer 3.3.3.3 as-number 100
 peer 3.3.3.3 connect-interface LoopBack1
 #
 ipv4-family unicast
  peer 2.2.2.2 enable
  peer 3.3.3.3 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 2.2.2.2 enable
  peer 3.3.3.3 enable
 #
 ipv4-family vpn-instance VPNA
  peer 10.3.1.2 as-number 65410
  import-route direct
  maximum load-balancing 2
#
ospf 1
 area 0.0.0.0
  network 100.1.1.0 0.0.0.255
  network 100.2.1.0 0.0.0.255
  network 4.4.4.4 0.0.0.0
#
return

• Configuration file of CE1
#
sysname CE1
#
bfd
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 undo shutdown
 ip address 10.2.1.1 255.255.255.0
#
interface LoopBack1
 ip address 1.1.1.1 255.255.255.255
#
load-balance packet all
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
ip route-static 0.0.0.0 0.0.0.0 10.2.1.2
#
bfd ce1_to_pe1 bind peer-ip 10.1.1.2 interface GigabitEthernet1/0/0 source-ip 10.1.1.1 auto
#
bfd ce1_to_pe2 bind peer-ip 10.2.1.2 interface GigabitEthernet2/0/0 source-ip 10.2.1.1 auto
#
return

• Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.3.1.2 255.255.255.0
#
bgp 65410
 peer 10.3.1.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.3.1.1 enable
#
return
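
The following Python script is an added example, not part of the Huawei guide. It audits a PE configuration file for the binding set up in Steps 7 and 8: every VPN static route must track a BFD session that exists, monitors the route's next hop, and is bound to an interface in the same VPN instance. The function names `parse` and `audit` and the finding messages are assumptions of this example, the parser handles only the command forms shown in this example, and the sample input is an excerpt of the PE1 configuration file above with wrapped lines joined.

```python
import re

# Excerpt of the PE1 configuration file from this example, with the lines
# that the guide wraps (bfd ... auto, ... track bfd-session ...) joined.
PE1_CONFIG = """\
#
ip vpn-instance VPNA
 ipv4-family
  route-distinguisher 100:1
#
bfd
#
interface GigabitEthernet3/0/0
 undo shutdown
 ip binding vpn-instance VPNA
 ip address 10.1.1.2 255.255.255.0
#
ip route-static vpn-instance VPNA 1.1.1.1 255.255.255.255 10.1.1.1 track bfd-session pe1_to_ce1
#
bfd pe1_to_ce1 bind peer-ip 10.1.1.1 vpn-instance VPNA interface GigabitEthernet3/0/0 source-ip 10.1.1.2 auto
#
return
"""

# "bfd <name> bind peer-ip <ip> [vpn-instance <vpn>] [interface <if>] [source-ip <ip>] [auto]"
BFD_RE = re.compile(
    r"^bfd (?P<name>\S+) bind peer-ip (?P<peer>\S+)"
    r"(?: vpn-instance (?P<vpn>\S+))?"
    r"(?: interface (?P<ifname>\S+))?"
    r"(?: source-ip (?P<src>\S+))?"
    r"(?P<auto> auto)?$")

# "ip route-static [vpn-instance <vpn>] <dest> <mask> <next hop> [track bfd-session <name>]"
ROUTE_RE = re.compile(
    r"^ip route-static(?: vpn-instance (?P<vpn>\S+))? (?P<dest>\S+) (?P<mask>\S+)"
    r" (?P<nexthop>\d+\.\d+\.\d+\.\d+)(?: track bfd-session (?P<bfd>\S+))?$")


def parse(config):
    """Collect BFD sessions, static routes and interface-to-VPN bindings."""
    state = {"bfd_global": False, "sessions": {}, "routes": [], "if_vpn": {}}
    current_if = None
    for raw in config.splitlines():
        line = raw.strip()          # indentation is not significant here
        if not line or line == "#":
            current_if = None       # "#" closes the current view
            continue
        if line == "bfd":
            state["bfd_global"] = True
        elif line.startswith("interface "):
            current_if = line.split(None, 1)[1]
            state["if_vpn"][current_if] = None
        elif current_if and line.startswith("ip binding vpn-instance "):
            state["if_vpn"][current_if] = line.split()[-1]
        elif (m := BFD_RE.match(line)):
            state["sessions"][m["name"]] = m.groupdict()
        elif (m := ROUTE_RE.match(line)):
            state["routes"].append(m.groupdict())
    return state


def audit(config):
    """Return a list of findings; an empty list means the binding is consistent."""
    s = parse(config)
    findings = []
    if s["sessions"] and not s["bfd_global"]:
        findings.append("BFD sessions are configured but BFD is not enabled globally")
    for r in s["routes"]:
        label = f"static route {r['dest']} via {r['nexthop']}"
        if r["bfd"] is None:
            if r["vpn"]:            # only VPN static routes are expected to be tracked
                findings.append(f"{label}: no BFD session tracked")
            continue
        sess = s["sessions"].get(r["bfd"])
        if sess is None:
            findings.append(f"{label}: tracks undefined BFD session {r['bfd']}")
            continue
        if sess["peer"] != r["nexthop"]:
            findings.append(
                f"{label}: BFD session {r['bfd']} monitors {sess['peer']}, not the next hop")
        if sess["vpn"] != r["vpn"]:
            findings.append(
                f"{label}: BFD session {r['bfd']} is in VPN instance {sess['vpn']}, "
                f"route is in {r['vpn']}")
        ifname = sess["ifname"]
        if ifname and s["if_vpn"].get(ifname) != sess["vpn"]:
            findings.append(
                f"BFD session {r['bfd']}: interface {ifname} is not bound to "
                f"VPN instance {sess['vpn']}")
    return findings


if __name__ == "__main__":
    for finding in audit(PE1_CONFIG) or ["no findings"]:
        print(finding)
```
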

3 BGP/MPLS IPv6 VPN Configuration

About This Chapter

This chapter describes principles, applications, and configurations of BGP/MPLS IPv6 VPN.

3.1 BGP/MPLS IPv6 VPN Overview
This section describes the similarities and differences between BGP/MPLS IPv6 VPN and
BGP/MPLS IPv4 VPN.
3.2 BGP/MPLS IPv6 VPN Functions Supported by the NE5000E
This section describes the basic networking of BGP/MPLS IPv6 VPN and networking models
that are used to enhance VPN reliability.
3.3 Configuring an IPv6 Address Family-supporting VPN Instance
This section describes how to configure an IPv6 address family-supporting VPN instance, which
is required in BGP/MPLS IPv6 VPN configuration.
3.4 Configuring Basic BGP/MPLS IPv6 VPN
This section describes how to configure basic BGP/MPLS IPv6 VPN.
3.5 Configuring Route Reflection for BGP VPNv6 Routes
Deploying a BGP VPNv6 Route Reflector (RR) reduces the number of MP-IBGP connections.
This lightens the burden on PEs and facilitates network maintenance and management.
3.6 Configuring a Tunnel Policy for the Backbone Network of a BGP/MPLS IPv6 VPN
A tunnel policy applied to an IPv6 VPN can specify the type of tunnel selected for the VPN and
enable load balancing between tunnels.
3.7 Configuring Inter-AS IPv6 VPN Option A
In inter-AS IPv6 VPN Option A, an ASBR takes the peer ASBR as a CE and uses EBGP+ to
advertise IPv6 routes to the peer ASBR.
3.8 Configuring Inter-AS IPv6 VPN Option B
In the scenario where the backbone network spans two ASs, ASBRs need to advertise VPNv6
routes through MP-EBGP.
3.9 Configuring Load Balancing Among IPv6 VPN Routes on the Backbone Network
This section describes how to configure load balancing of VPN traffic among multiple links on
the backbone network of an IPv6 VPN.
3.10 Configuring VPNv6 FRR
This section describes how to configure FRR to protect PEs.
3.11 Configuring FRR for IPv6 Routes on a Private Network
This section describes how to configure IPv6 FRR for a private network in the networking where
multiple CEs at an IPv6 VPN site access the same PE. This feature can quickly switch traffic to
a link connected to another CE if the primary route from a PE to a CE becomes unreachable.
3.12 Configuring Hybrid FRR for IPv6 and VPNv6 Routes
This section describes how to configure hybrid FRR in the CE dual-homing networking. If the
next hop from a PE to a CE is unreachable, hybrid FRR can send traffic to another PE over a
tunnel, and the traffic will be routed to the CE through IP forwarding on the private network.
This improves network reliability.
3.13 Maintaining BGP/MPLS IPv6 VPN
This section describes how to maintain BGP/MPLS IPv6 VPN.
3.14 Configuration Examples
This section provides several configuration examples of BGP/MPLS IPv6 VPN.

3.1 BGP/MPLS IPv6 VPN Overview
This section describes the similarities and differences between BGP/MPLS IPv6 VPN and
BGP/MPLS IPv4 VPN.
As an enhanced version of IPv4, IPv6 is the next-generation Internet protocol. IPv6 provides
enhanced address space, configuration, maintenance, and security functions, and supports
more access users and devices on the Internet than IPv4.
A VPN is a virtual private communication network built over shared links or public networks
such as the Internet. Users located in different areas can exchange data through shared links or
public networks.
IPv6 VPN and IPv4 VPN are different in the packet format. On an IPv6 VPN, CEs forward IPv6
packets to PEs, whereas on an IPv4 VPN, CEs forward IPv4 packets to PEs.
At present, IPv6 VPN services are transmitted across the IPv4 backbone network of a service
provider. In this situation, PEs must support IPv4/IPv6 dual-stack because the backbone network
runs IPv4 and customer sites use IPv6 address families, as shown in Figure 3-1. Any network
protocol that supports IPv6 services can be used to set up connections between CEs and PEs.
PEs use IPv6 on customer-facing interfaces and IPv4 on core-facing interfaces.

Figure 3-1 Networking diagram of an IPv6 VPN over an IPv4 public network
[Figure: an IPv4 VPN backbone of PE and P devices connecting the CEs of three IPv6 VPN sites.]

IPv6 VPN uses Multiprotocol Extensions for BGP-4 (MP-BGP) to advertise VPNv6 routes on
the backbone network, triggers MPLS to allocate labels for IPv6 packet identification, and uses
LSPs and MPLS TE tunnels to transmit VPN services on the backbone network. The working
principle is similar to that of BGP/MPLS IP VPN.

3.2 BGP/MPLS IPv6 VPN Functions Supported by the NE5000E
This section describes the basic networking of BGP/MPLS IPv6 VPN and networking models
that are used to enhance VPN reliability.

Basic Networking
NE5000Es use MP-BGP for VPNv6 route exchange between PEs, and the static route, IS-IS
multi-instance, or BGP4+ for route exchange between PEs and CEs. VPN targets are set on
NE5000Es to control the sending and receiving of VPN routes to achieve multiple VPN
networking topologies.

On an MPLS backbone network, LSPs or MPLS TE tunnels can be used to transmit VPN
services. If VPN services need to be load balanced among different tunnels on a backbone
network, a tunnel policy can be configured.

Inter-AS VPN
Inter-AS VPN is needed when VPN services are transmitted over an MPLS backbone network
that spans multiple ASs. At present, the NE5000E supports inter-AS IPv6 VPN Option A.

Inter-AS IPv6 VPN Option A applies when only a few VPNs and VPN routes are configured on
PEs. In inter-AS VPN Option A, Autonomous System Border Routers (ASBRs) must support VPN
instances so that they can manage VPN routes. In addition, ASBRs must provide dedicated
interfaces for inter-AS VPNs. The dedicated interfaces can be sub-interfaces, physical
interfaces, or logical interfaces. The performance requirements for ASBRs are therefore
rather high, but no inter-AS configurations need to be performed on ASBRs.

Reliability
The following networking model is usually used to improve VPN reliability:

• A full-mesh MPLS network deployed with hierarchical backup is used as the backbone
  network, and devices on the network are connected to each other by using high-speed
  interfaces. If there are a great number of PEs, BGP route reflectors (RRs) are configured
  to reflect VPNv6 routes, which can reduce MP-IBGP connections.
• A ring or full-mesh network is used as the convergence network.
• CEs are dual- or multi-homed at the access layer.

NE5000Es support load balancing between IPv6 VPN routes or tunnels. This allows VPN
services to be load balanced among different links on the backbone network.

To protect links between PEs, NE5000Es support VPNv6 Fast Reroute (FRR), an end-to-end
fast switching technology, to switch VPN services from a faulty PE to another PE to which a
CE is dual-homed on an IPv6 VPN network.

Different FRR features are provided to protect links between PEs and CEs on different types of
networks.

• If two CEs at the same site are connected to one PE, VPN IPv6 FRR can be deployed to
quickly switch VPN traffic to the link between the other CE and the PE when a link between
one CE and the PE fails.
• If a PE connected to a CE learns routes to the CE from another PE, hybrid FRR can be
deployed to quickly switch VPN traffic to another PE once the link between the PE and
CE fails.

3.3 Configuring an IPv6 Address Family-supporting VPN Instance
This section describes how to configure an IPv6 address family-supporting VPN instance, which
is required in BGP/MPLS IPv6 VPN configuration.

Applicable Environment
IPv6 address family-supporting VPN instances isolate IPv6 VPN routes from public network
routes on PEs, and the routes in an IPv6 address family of different VPN instances from each
other. In an IPv6 address family-supporting VPN instance, routes in an IPv6 address family are
also isolated from routes in an IPv4 address family. In all BGP/MPLS IPv6 VPN networking
solutions, IPv6 address family-supporting VPN instances need to be configured.
Similar to the VPN instance IPv4 address family, the VPN instance IPv6 address family achieves
independence of address space by means of Route Distinguishers (RDs) and controls routes and
IPv6 VPN memberships at the directly-connected site by means of VPN targets.
If VPN targets have been used to control the sending and receiving of IPv6 VPN routes, you can
also apply an import or export routing policy to achieve accurate control. An import routing
policy can filter the routes to be imported into the VPN instance IPv6 address family based on
VPN targets; an export routing policy can filter the IPv6 VPN routes to be advertised to other
PEs.

Pre-configuration Tasks
Before configuring an IPv6 address family-supporting VPN instance, complete the following
tasks:
• Configuring an import or export routing policy if it needs to be applied to the VPN instance
IPv6 address family
• Configuring a tunnel policy if it needs to be applied to the VPN instance IPv6 address
family

Configuration Procedures

Figure 3-2 Flowchart for configuring an IPv6 address family-supporting VPN instance
[Flowchart boxes: Create a VPN instance; Configure attributes for the VPN instance IPv6
address family; Apply a tunnel policy to the VPN instance IPv6 address family; Configure
MPLS label allocation based on the VPN instance IPv6 address family. Legend: mandatory
procedure, optional procedure.]

3.3.1 Creating a VPN Instance


A VPN instance must be created for a VPN. This allows a VPN Routing and Forwarding (VRF)
table to be created on the PE to isolate VPN routes from public network routes.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip vpn-instance vpn-instance-name

A VPN instance is created, and the VPN instance view is displayed.

NOTE

The name of a VPN instance is case-sensitive. For example, vpn1 and VPN1 represent two different VPN
instances.

Step 3 (Optional) Run:
description description-information

The description of the VPN instance is configured.

The description of a VPN instance can help you remember information about the instance.

----End

3.3.2 Configuring Attributes for the VPN Instance IPv6 Address Family
Some route attributes such as the RD, VPN target, route limit, and routing policy need to be
configured to facilitate the management of routes in the VPN instance IPv6 address family.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.

Step 3 Run:
ipv6-family

The IPv6 address family is enabled for the VPN instance, and the VPN instance IPv6 address
family view is displayed.

Step 4 Run:
route-distinguisher route-distinguisher

An RD is configured for the VPN instance IPv6 address family.

The VPN instance IPv6 address family takes effect only after an RD is configured for it. The
RDs configured in different VPN instance IPv6 address family views of the same PE must be
different.

NOTE

A configured RD cannot be changed or deleted. You need to delete a VPN instance or disable the VPN
instance IPv6 address family before changing or deleting the RD of the VPN instance IPv6 address
family.

Step 5 Run:
vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]

An IPv6 VPN target extended community is configured for the VPN instance IPv6 address
family.

A VPN target is a BGP extended community attribute. It is used to control the receiving and
advertisement of IPv6 VPN routing information. You can configure a maximum of eight IPv6
VPN targets by using the vpn-target command.

Step 6 (Optional) Run:
prefix limit number { alert-percent | simply-alert }

The maximum number of prefixes of the VPN instance IPv6 address family is configured.

The maximum number of prefixes can be defined for the VPN instance IPv6 address family to
prevent too many prefixes from being imported into the PE.

NOTE

If the prefix limit command is run, the system gives a prompt when the number of route prefixes injected
into the routing table of the VPN instance exceeds the limit.

Step 7 (Optional) Run:
import route-policy policy-name

An import routing policy is configured for the VPN instance IPv6 address family.
Step 8 (Optional) Run:
export route-policy policy-name

An export routing policy is configured for the VPN instance IPv6 address family.
Step 9 Run:
commit

The configuration is committed.

----End
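
The following Python audit is an added example, not part of the Huawei guide. It checks a saved configuration against the rules stated in this procedure (an RD must be present and must differ between instances on the same PE, and a prefix limit bounds imported prefixes) and reports which VPN instances import a VPN target that another local instance exports. The sample configuration, the "#" section separators, and the treatment of a vpn-target line without a keyword as both are assumptions.

```python
from collections import defaultdict
from itertools import permutations

# Constructed sample configuration (not taken from the guide). It uses only
# the commands from section 3.3.2; the "#" separators are an assumption
# about how the device prints its configuration.
SAMPLE_CONFIG = """\
ip vpn-instance vpna
 ipv6-family
  route-distinguisher 100:1
  vpn-target 22:22 export-extcommunity
  vpn-target 33:33 import-extcommunity
  prefix limit 1000 80
#
ip vpn-instance vpnb
 ipv6-family
  route-distinguisher 100:1
  vpn-target 33:33 44:44 both
#
ip vpn-instance vpnc
 ipv6-family
  vpn-target 55:55
#
"""

DIRECTIONS = ("both", "export-extcommunity", "import-extcommunity")


def parse_ipv6_families(text):
    """Collect RD, VPN targets and prefix limit per VPN instance IPv6 family."""
    instances, current, in_ipv6 = {}, None, False
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():                 # top-level line: new section
            current, in_ipv6 = None, False
            if words[:2] == ["ip", "vpn-instance"] and len(words) == 3:
                current = instances.setdefault(words[2], {
                    "ipv6": False, "rd": None, "prefix_limit": None,
                    "import": set(), "export": set()})
        elif current is None:
            continue
        elif words[0].endswith("-family"):       # ipv4-family / ipv6-family
            in_ipv6 = words[0] == "ipv6-family"
            current["ipv6"] = current["ipv6"] or in_ipv6
        elif not in_ipv6:
            continue
        elif words[0] == "route-distinguisher" and len(words) == 2:
            current["rd"] = words[1]
        elif words[0] == "vpn-target" and len(words) >= 2:
            # Assumption: a vpn-target line without a keyword means "both".
            direction = words[-1] if words[-1] in DIRECTIONS else "both"
            targets = [w for w in words[1:] if w not in DIRECTIONS]
            if direction != "export-extcommunity":
                current["import"].update(targets)
            if direction != "import-extcommunity":
                current["export"].update(targets)
        elif words[:2] == ["prefix", "limit"] and len(words) >= 3:
            current["prefix_limit"] = " ".join(words[2:])
    return {name: inst for name, inst in instances.items() if inst["ipv6"]}


def audit(instances):
    """Return sorted (instance, code, detail) findings."""
    findings = []
    by_rd = defaultdict(list)
    for name, inst in instances.items():
        if inst["rd"] is None:
            findings.append((name, "NO_RD",
                             "IPv6 address family does not take effect"))
        else:
            by_rd[inst["rd"]].append(name)
        if inst["prefix_limit"] is None:
            findings.append((name, "NO_PREFIX_LIMIT",
                             "number of imported prefixes is not bounded"))
    for rd, names in by_rd.items():
        if len(names) > 1:                       # RDs on one PE must differ
            for name in names:
                findings.append((name, "DUPLICATE_RD",
                                 f"{rd} shared by {', '.join(names)}"))
    # A local instance importing a target that another local instance exports
    # receives that instance's routes: an intended extranet or a route leak.
    for src, dst in permutations(instances, 2):
        shared = instances[src]["export"] & instances[dst]["import"]
        if shared:
            findings.append((dst, "IMPORTS_FROM",
                             f"{src} via {', '.join(sorted(shared))}"))
    return sorted(findings)


if __name__ == "__main__":
    for name, code, detail in audit(parse_ipv6_families(SAMPLE_CONFIG)):
        print(f"{name:6} {code:16} {detail}")
```

Each IMPORTS_FROM finding should be matched against the intended VPN membership, because a shared VPN target is also how a deliberate extranet is built.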

3.3.3 (Optional) Applying a Tunnel Policy to the VPN Instance IPv6 Address Family
By applying a tunnel policy to the VPN instance IPv6 address family, you can specify the tunnel
for forwarding IPv6 VPN traffic.

Context
By default, the system selects a tunnel in the order of LSPs, CR-LSPs, and Local_IfNet, and
does not perform load balancing.
Do as follows on the PE configured with the VPN instance IPv6 address family:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.


Step 3 Run:
ipv6-family

The VPN instance IPv6 address family view is displayed.


Step 4 Run:
tnl-policy policy-name

A tunnel policy is applied to the VPN instance IPv6 address family.


Step 5 Run:
commit

The configuration is committed.

----End

3.3.4 (Optional) Configuring MPLS Label Allocation Based on the VPN Instance IPv6 Address Family
This section describes how to configure MPLS label allocation based on the VPN instance IPv6
address family. A PE allocates the same MPLS label to all routes in the VPN instance IPv6
address family. If there are many IPv6 VPN routes, this configuration can reduce the number of
MPLS labels maintained by PEs.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip vpn-instance vpn-instance-name

A VPN instance is created, and the VPN instance view is displayed.


Step 3 Run:
ipv6-family

The VPN instance IPv6 address family view is displayed.


Step 4 (Optional) Run:
apply-label per-instance

MPLS label allocation based on the VPN instance IPv6 address family is configured. All routes
in the VPN instance IPv6 address family are advertised with the same label.
By default, MPLS labels are allocated to routes in the "one label per route" manner. If the number
of routes increases, the number of in-segment entries maintained by the Incoming Label Map
(ILM) increases accordingly, which raises a higher requirement for device capacity.
The NE5000E supports VPN-based MPLS label allocation. One label is allocated to each VPN
instance IPv6 address family. All routes in a VPN instance IPv6 address family are advertised
with the same MPLS label.
Step 5 Run:
commit

The configuration is committed.

----End

3.3.5 Checking the Configuration


This section describes how to check the configurations of VPN instances in the system and the
address families supported by the VPN instances.

Prerequisite
The configurations of the VPN instance IPv6 address family are complete.

Procedure
• Run the display ip vpn-instance verbose vpn-instance-name command to check detailed
information about the IPv6 address family-enabled VPN instance.
• Run the display ip vpn-instance command to check VPN instances in the system and
information about the address families supported by the VPN instances.
----End

Example
Run the display ip vpn-instance command. If the preceding configurations are successful, you
can view the name of the created VPN instance and the address family supported by it.
<HUAWEI> display ip vpn-instance
VPN-Instance Name Address-family
vpna ipv4 ipv6
vpnb ipv6

Run the display ip vpn-instance verbose vpn-instance-name command, and you can view
detailed information about the created VPN instance that supports the IPv6 address family,
including the creation time, time during which the instance keeps Up, RD, VPN target, and label
allocation policy.
<HUAWEI> display ip vpn-instance verbose vpna
Total VPN-Instances configured : 1

VPN-Instance Name and ID : vpna, 1
Interfaces : GigabitEthernet1/0/0
Address family ipv6
Create date : 2010/07/20 12:31:47 UTC-08:00
Up time : 0 days, 04 hours, 37 minutes and 05 seconds
Route Distinguisher : 100:1
Export VPN Targets : 22:22
Import VPN Targets : 33:33
Label Policy : label per route
Log Interval : 5

3.4 Configuring Basic BGP/MPLS IPv6 VPN


This section describes how to configure basic BGP/MPLS IPv6 VPN.

Applicable Environment
On ordinary IPv4 VPNs, IPv4 routing protocols run between PEs, and between PEs and CEs.
In an IPv6 VPN application, however, an IPv6 routing protocol needs to run between PEs and
CEs to provide IPv6 VPN services for users. Static routes, IS-ISv6 multi-instance, or BGP4+
can run between PEs and CEs for route exchange.
In the IPv6 VPN application, an IPv4 routing protocol can still run between PEs. This means
that any PE pair can establish a VPNv6 neighbor relationship by using IPv4 addresses, and
VPNv6 route information can be transmitted over IPv4 tunnels on the backbone network.
Both IPv4 and IPv6 routing protocols can run between a PE-CE pair to provide dual-stack VPN
access services.

Pre-configuration Tasks
Before configuring basic BGP/MPLS IPv6 VPN, complete the following tasks:

• Enabling IPv6 on interfaces to be configured with IPv6 addresses
• Configuring an IGP on PEs and Ps on the MPLS backbone network for IP connectivity
• Configuring basic MPLS functions on PEs and Ps on the MPLS backbone network
• Establishing LSPs or MPLS TE tunnels between PEs

Configuration Procedures

Figure 3-3 Networking for a basic BGP/MPLS IPv6 VPN
[Flowchart boxes: Configure an IPv6 address family-supporting VPN instance; Bind an
interface to a VPN instance; Configure MP-IBGP to run between PEs; Configure route
exchange between a PE and a CE. Legend: mandatory procedure, optional procedure.]

3.4.1 Configuring an IPv6 Address Family-supporting VPN Instance
This section describes how to configure an IPv6 address family-supporting VPN instance to
allow the creation of the routing table of the IPv6 VPN instance.

Procedure
Step 1 For details on the configuration procedure, see Configuring an IPv6 Address
Family-supporting VPN Instance.

----End

3.4.2 Binding an Interface to a VPN Instance


After a PE interface is bound to a VPN instance, the interface belongs to the VPN. Packets
entering the interface are forwarded based on the forwarding information of the VPN instance.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the interface to be bound to the VPN instance is displayed.


Step 3 Run:
ip binding vpn-instance vpn-instance-name

The interface is bound to the VPN instance.

NOTE

Running the ip binding vpn-instance command on an interface deletes the configured Layer 3 attributes
such as the IPv4 address, IPv6 address, and routing protocol. If these Layer 3 attributes are still required,
you need to configure them again.
An interface cannot be bound to a VPN instance that is not enabled with an address family.
Disabling an address family of a VPN instance will delete the relevant configurations on the interfaces
bound to the VPN instance. Disabling all address families of a VPN instance will unbind the instance from
its bound interfaces.

Step 4 Run:
ipv6 enable

IPv6 is enabled on the interface.


Step 5 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

An IPv6 address is configured for the interface.


Step 6 Run:
commit

The configuration is committed.

----End

Follow-up Procedure
If an IPv6 address family-enabled VPN instance is bound to a PE interface connecting to a CE,
the interface belongs to the VPN. Packets entering the interface will be forwarded based on the
forwarding information of the VPN instance IPv6 address family.

3.4.3 Configuring MP-IBGP to Run Between PEs


By adding extended community attributes to BGP, MP-IBGP can advertise VPNv6 routes
between PEs.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
peer peer-ipv4-address as-number as-number

The remote PE is configured as a BGP peer.


Step 4 Run:
peer peer-address connect-interface loopback interface-number

The interface used to set up a TCP connection is specified.

NOTE

The IP addresses, each with a 32-bit mask, of the loopback interfaces on PEs must be used to establish the
MP-IBGP peer relationship between the PEs. This ensures that the route to the loopback interface can be
iterated to a tunnel. The route to the local loopback interface is advertised to the peer PE by using the IGP
on the MPLS backbone network.

Step 5 Run:
ipv6-family vpnv6

The BGP-VPNv6 address family view is displayed.


Step 6 Run:
peer peer-ipv4-address enable

The function that exchanges VPNv6 routing information with the peer is enabled.
Step 7 Run:
commit

The configuration is committed.

----End

3.4.4 Configuring Route Exchange Between a PE and a CE


The routing protocol running between a PE and a CE can be EBGP, IPv6 static route, IS-IS,
RIPng, OSPFv3, or IBGP.

Context
Choose one of the following configurations to set a routing protocol between a PE and a CE:
• Configure EBGP between a PE and a CE.
• Configure an IPv6 static route between a PE and a CE.
• Configure IS-IS between a PE and a CE.
• Configure RIPng between a PE and a CE.
• Configure OSPFv3 between a PE and a CE.
• Configure IBGP between a PE and a CE.

Procedure
• Configure EBGP between a PE and a CE.
Do as follows on the PE:
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
ipv6-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv6 address family view is displayed.


4. Run:
peer peer-ipv6-address as-number number

The CE is specified as an IPv6 VPN peer.


5. (Optional) Run:
peer { ipv6-address | group-name } ebgp-max-hop [ number ]

The maximum number of hops for the establishment of an EBGP connection is configured.

A directly connected physical link must be available between EBGP peers. If such a
link does not exist, the peer ebgp-max-hop command must be used to allow EBGP
peers to establish a TCP connection over multiple hops.
6. (Optional) Run:
peer { group-name | ipv4-address | ipv6-address } soo site-of-origin

The Site-of-Origin (SoO) attribute is configured for the specified CE.

If multiple CEs at a VPN site access different PEs by using BGP, VPN routes sent
from the CEs to the PEs may return to the VPN site after traveling across the backbone
network. This will cause routing loops at the VPN site.

If the SoO attribute is configured on a PE, the PE adds the SoO attribute to the route
sent from a CE and then advertises the route to peer PEs. After receiving the route,
the peer PEs check the SoO attribute carried in the VPN route before advertising the
route to their attached CEs. If the peer PEs find that this SoO attribute is the same as
the locally configured SoO attribute, they do not advertise the VPN route to CEs.
7. (Optional) Run:
peer peer-ipv6-address allow-as-loop [ number ]

Routing loops are allowed.

This step applies to the Hub and Spoke networking solution.

BGP uses the AS number to detect a routing loop. In the Hub and Spoke networking,
if EBGP runs between the Hub-PE and Hub-CE, the route sent from the Hub-PE to
the Hub-CE carries the AS number of the Hub-PE. If the Hub-CE sends a route update
message to the Hub-PE, the Hub-PE denies it because that update message contains
the AS number of the Hub-PE. To ensure proper route transmission in the Hub and
Spoke networking, you need to configure all the BGP peers along the path over which
the Hub-CE advertises private network routes to the Spoke-CE to accept routes in
which the AS number is repeated once.
8. (Optional) Run:
peer peer-ipv6-address substitute-as

The substitution of the AS number is enabled.


This step is used in the situation where physically-dispersed CEs use the same AS
number.
9. Run:
commit

The configuration is committed.


Do as follows on the CE:
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. (Optional) Run:
router-id ipv4-address

The router ID is configured.

If the CE does not have an interface configured with an IPv4 address, configure a router
ID for it.
4. Run:
peer peer-ipv6-address as-number as-number

The PE is specified as the peer.


5. (Optional) Run:
peer { ipv6-address | group-name } ebgp-max-hop [ number ]

The maximum number of hops for the establishment of an EBGP connection is configured.
A directly connected physical link must be available between EBGP peers. If such a
link does not exist, the peer ebgp-max-hop command must be used to allow EBGP
peers to establish a TCP connection through multiple hops.
6. Run:
ipv6-family unicast

The BGP-IPv6 unicast address family view is displayed.


7. Run:
peer peer-ipv6-address enable

The function that exchanges BGP routing information with the BGP IPv6 peer is
enabled.
8. (Optional) Choose either one of the following configurations if the direct routes or
specific network segment routes of the CE need to be imported into BGP and sent to
the peer PE.
– Run:
import-route { direct | static | ripng process-id | ospfv3 process-id
| isis process-id } [ med value | route-policy policy-name ]*

Routes of the local site are imported.

The address of the VPN network segment is advertised from the CE to the
connected PE, and is then advertised by the PE to its peer PE. In real world
situations, the type of imported route may be different from that used in this
document.
– Run:
network ipv6-address prefix-length

The IPv6 routes of a specified network segment are imported into BGP.
9. Run:
commit

The configuration is committed.


• Configure an IPv6 static route between a PE and a CE.
Do as follows on the PE:

NOTE

For details on the configuration of IPv6 static route, see "Static Route Configuration" in the HUAWEI
NetEngine5000E Core Router Configuration Guide - IP Routing.
1. Run:
system-view

The system view is displayed.


2. Run:
ipv6 route-static vpn-instance vpn-instance-name dest-ipv6-address mask-length
{ interface-type interface-number [ nexthop-ipv6-address ] | vpn-instance
vpn-destination-name nexthop-ipv6-address | nexthop-ipv6-address [ public ] }
[ preference value ] [ tag tag ] [ description text ]

A static route is configured for the VPN instance IPv6 address family.
3. Run:
bgp as-number

The BGP view is displayed.


4. Run:
ipv6-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv6 address family view is displayed.


5. Run:
import-route static [ med value ] [ route-policy policy-name ]

The configured static route is imported into the routing table of the BGP-VPN instance
IPv6 address family.
The configurations of an ordinary IPv6 static route are performed on the CE, and details
for the configuration procedure are not provided here.
• Run:
commit

The configuration is committed.


• Configure IS-IS between a PE and a CE.
Do as follows on the PE. Configure common IS-IS on the CE. For details on IS-IS
configurations, see "IS-IS Configuration" in the HUAWEI NetEngine5000E Core Router
Configuration Guide - IP Routing.

1. Run:
system-view

The system view is displayed.


2. Run:
isis process-id vpn-instance vpn-instance-name

An IS-IS instance is created on the PE and CE, and the IS-IS view is displayed.

An IS-IS multi-instance process belongs to only one VPN instance IPv6 address
family. If an IS-IS process is not bound to a VPN instance when the process is enabled,
it is classified as a public network process.

If only one IS-IS process (which can be a public network process or a multi-instance
process) runs on the router, you do not need to specify process-id in the command.
The default process ID 1 will be used.

NOTE

Deleting an IS-IS multi-instance process will disable IS-IS on all the interfaces that run this
process.
Deleting a VPN instance or disabling the VPN instance IPv6 address family will delete all
associated IS-IS processes.
3. Run:
network-entity net

The Network Entity Title (NET) is configured.

A NET specifies the current IS-IS area address and the system ID of the device. A
maximum of three NETs can be configured for one process on the router.
4. (Optional) Run:
is-level { level-1 | level-1-2 | level-2 }

The level of the router is configured.

By default, the level of the router is Level-1-2.


5. Run:
ipv6 enable

IPv6 is enabled for the IS-IS process.


6. Run:
import-route bgp [ cost value ] [ cost-type { external | internal } ]
[ level-1 | level-1-2 | level-2 ] [ route-policy policy-name ] [ tag tag-value ]

BGP routes are imported.


7. Run:
quit

Return to the system view.


8. Run:
interface interface-type interface-number

The interface view is displayed.


9. Run:
isis ipv6 enable [ process-id ]

IS-IS is enabled on the interface.


10. Run:
quit

Return to the system view.


11. Run:
bgp as-number

The BGP view is displayed.


12. Run:
ipv6-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv6 address family view is displayed.


13. Run:
import-route isis process-id [ med med ] [ route-policy policy-name ]

IS-IS routes are imported into the routing table of the BGP-VPN instance IPv6 address
family.
14. Run:
commit

The configuration is committed.


• Configure RIPng between a PE and a CE.
NOTE

Do as follows on the PE. Configure common RIPng on the CE. For details on RIPng configurations,
see "RIPng Configuration" in the HUAWEI NetEngine5000E Core Router Configuration Guide -
IP Routing.
1. Run:
system-view

The system view is displayed.


2. Run:
ripng [ process-id ] vpn-instance vpn-instance-name

A RIPng instance is created on the PE and CE, and the RIPng view is displayed.
A RIPng multi-instance process belongs to only one VPN instance. If a RIPng process
is not bound to a VPN instance when the process is enabled, it is classified as a public
network process.
If only one RIPng process (which can be a public network process or a multi-instance
process) runs on the router, you do not need to specify process-id in the command.
The default process ID 1 will be used.
3. Run:
import-route bgp [ cost cost | route-policy route-policy-name ]*

BGP routes are imported.


After the execution of the import-route bgp command in the RIPng view, the PE
imports IPv6 VPN routes learned from the remote PE into RIPng and then advertises
them to its attached CEs.
4. Run:
quit

Return to the system view.


5. Run:
interface interface-type interface-number

The view of an interface connecting to the CE is displayed.


6. Run:
ripng process-id enable

RIPng is enabled on the interface.

NOTE

The command cannot be used in the interface view if IPv6 is not enabled on the interface.
7. Run:
quit

Return to the system view.


8. Run:
bgp as-number

The BGP view is displayed.


9. Run:
ipv6-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv6 address family view is displayed.


10. Run:
import-route ripng process-id [ med med | route-policy route-policy-name ]*

RIPng routes are imported into the routing table of the BGP-VPN instance IPv6
address family.
After the import-route ripng command is run in the BGP-VPN instance IPv6 address
family view, the PE imports the IPv6 routes learned from the local CE into BGP, forms
them into VPN IPv6 routes, and advertises the VPN IPv6 routes to the remote PE.

NOTE

Deleting a RIPng multi-instance process will disable RIPng on all the interfaces that run this
process.
Deleting a VPN instance or disabling the VPN instance IPv6 address family will delete all
associated RIPng processes.
11. Run:
commit

The configuration is committed.


• Configure OSPFv3 between a PE and a CE.
Configure common OSPFv3 on the CE. For details on OSPFv3 configurations, see the
HUAWEI NetEngine5000E Core Router Configuration Guide - IP Routing.
Do as follows on the PE:
1. Run:
system-view

The system view is displayed.

2. Run:
ospfv3 [ process-id ] [ vpn-instance vpn-instance-name ]

An OSPFv3 multi-instance is created, and the OSPFv3 multi-instance view is displayed.
An OSPFv3 process belongs to only one VPN instance. If an OSPFv3 process is not
bound to a VPN instance when the process is enabled, it is classified as a public
network process and cannot be bound to a VPN instance.

NOTE
Deleting a VPN instance or disabling the VPN instance IPv6 address family will delete all
associated OSPFv3 processes.
3. Run:
router-id router-id

The router ID is configured.


If no router ID is specified, OSPFv3 selects the IP address of one interface bound to
the VPN instance as the router ID based on a selection rule.
4. Run:
import-route bgp [ cost cost | route-policy route-policy-name | tag tag |
type type ] *

BGP routes are imported into OSPFv3 and then advertised from the PE to the CE.
5. Run:
quit

Return to the system view.


6. Run:
interface interface-type interface-number

The view of the interface bound to the VPN instance is displayed.


7. Run:
ospfv3 process-id area area-id [ instance instance-id ]

OSPFv3 is enabled on the interface.


8. Run:
quit

Return to the system view.


9. Run:
bgp as-number

The BGP view is displayed.


10. Run:
ipv6-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv6 address family view is displayed.


11. Run:
import-route ospfv3 process-id [ med med | route-policy route-policy-name ]*

OSPFv3 routes are imported into the routing table of the BGP-VPN instance IPv6
address family.

12. Run:
commit

The configuration is committed.


• Configure IBGP between a PE and a CE.
Do as follows on the PE:
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
ipv6-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv6 address family view is displayed.


4. Run:
peer peer-ipv6-address as-number number

The CE is specified as an IPv6 VPN peer.


5. (Optional) Choose either one of the following configurations if the direct routes of the
CE need to be imported into the VPN routing table and advertised to the remote PE.
– Run:
import-route direct [ med med | route-policy route-policy-name ]*

The direct routes of the CE are imported into the VPN routing table.
– Run:
network ipv6-address prefix-length

The IPv6 routes of the directly connected network segment are imported into the
IPv6 routing table of the BGP-VPN instance.
NOTE

A PE automatically learns the direct route to its attached CE, and this route takes precedence
over any direct route sent from the CE using IBGP. If this step is not performed, the PE does
not use MP-BGP to send the direct route automatically learned to the remote PE.
6. Run:
commit

The configuration is committed.


Do as follows on the CE:
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
peer ipv6-address as-number as-number

The PE is specified as the IBGP peer.


4. (Optional) Choose either one of the following configurations if the direct routes or
specific network segment routes of the CE need to be imported into BGP and sent to
the peer PE.
– Run:
import-route { direct | static | ripng process-id | ospfv3 process-id
| isis process-id } [ med value | route-policy policy-name ]

Routes of the local site are imported.


The address of the VPN network segment is advertised from the CE to the
connected PE, and is then advertised by the PE to its peer PE. In real world
situations, the type of imported route may be different from that used in this
document.
– Run:
network ipv6-address prefix-length

The IPv6 routes of a specified network segment are imported into BGP.
5. Run:
commit

The configuration is committed.


----End

3.4.5 Checking the Configuration


This section describes how to check the routes to the local and remote VPN sites on the PE and
CE after basic BGP/MPLS IPv6 VPN is configured.

Prerequisite
The basic BGP/MPLS IPv6 VPN configurations are complete.

Procedure
• Run the display ipv6 routing-table vpn-instance [ vpn-instance-name ] command on the
PE to check the routing information of the VPN instance IPv6 address family.
• Run the display ipv6 routing-table command on the CE to check routing information.
----End

Example
Run the display ipv6 routing-table vpn-instance [ vpn-instance-name ] command on the PE
to check the routing information of a specified VPN instance IPv6 address family. If a VPN
route from the PE to a relevant CE is displayed, it means that the configuration succeeds.
<HUAWEI> display ipv6 routing-table vpn-instance vpna
Routing Table : vpna
         Destinations : 4        Routes : 4

 Destination  : 1::                             PrefixLength : 64
 NextHop      : 1::2                            Preference   : 0
 Cost         : 0                               Protocol     : Direct
 RelayNextHop : ::                              TunnelID     : 0x0
 Interface    : GigabitEthernet1/0/0            Flags        : D


 Destination  : 1::2                            PrefixLength : 128
 NextHop      : ::1                             Preference   : 0
 Cost         : 0                               Protocol     : Direct
 RelayNextHop : ::                              TunnelID     : 0x0
 Interface    : GigabitEthernet1/0/0            Flags        : D

 Destination  : 5::5                            PrefixLength : 128
 NextHop      : 1::1                            Preference   : 255
 Cost         : 0                               Protocol     : BGP
 RelayNextHop : 1::1                            TunnelID     : 0x0
 Interface    : GigabitEthernet1/0/0            Flags        : RD

 Destination  : 6::6                            PrefixLength : 128
 NextHop      : ::FFFF:22.22.22.22              Preference   : 255
 Cost         : 0                               Protocol     : BGP
 RelayNextHop : ::                              TunnelID     : 0x0000000001004c4b42
 Interface    : 0x0000000001004c4b42            Flags        : RD

 Destination  : FE80::                          PrefixLength : 10
 NextHop      : ::                              Preference   : 0
 Cost         : 0                               Protocol     : Direct
 RelayNextHop : ::                              TunnelID     : 0x0
 Interface    : NULL0                           Flags        : D

Run the display ipv6 routing-table command on the CE. If all routes from the CE to other CEs
are displayed, it means that the configuration succeeds.
<HUAWEI> display ipv6 routing-table 6::6 128
Routing Table : _public_
Summary Count : 1

Destination : 6::6 PrefixLength : 128


NextHop : 1::2 Preference : 255
Cost : 0 Protocol : BGP
RelayNextHop : 1::2 TunnelID : 0x0
Interface : GigabitEthernet1/0/0 Flags : RD

3.5 Configuring Route Reflection for BGP VPNv6 Routes


Deploying a BGP VPNv6 Route Reflector (RR) reduces the number of MP-IBGP connections.
This lightens the burden on PEs and facilitates network maintenance and management.

Applicable Environment
A BGP speaker does not advertise routes learned from an IBGP peer to other IBGP peers. To
advertise the routes of an accessed VPN to BGP VPNv6 peers in the same AS, a PE must establish
IBGP connections with all peers for direct exchange of IPv6 VPN routing information. This
means that MP-IBGP peers must establish connections with each other. Assume that there
are n PEs (including ASBRs) in an AS. In this situation, n(n - 1)/2 MP-IBGP peer relationships
need to be established. A large number of IBGP peers consumes a great amount of network
resources.
Using an RR can solve this problem. In an AS, one device serves as an RR to reflect VPNv6
routes; the other PEs and ASBR PEs serve as clients and are called client PEs. A P, PE, ASBR,
or other type of device can be configured as an RR.

Pre-configuration Tasks
Before configuring route reflection to optimize the VPN backbone layer, complete the following
tasks:


• Configuring a routing protocol on the MPLS backbone network for IP connectivity
• Establishing LSPs or MPLS TE tunnels between the RR and all PEs serving as clients
• Configuring the extended community attribute if a reflection policy needs to be applied to
VPNv6 routes

Configuration Procedures

Figure 3-4 Flowchart for configuring route reflection for BGP VPNv6 routes
[Flowchart steps: Configure a client PE to establish an MP-IBGP connection with the RR;
Configure the RR to establish MP-IBGP connections with all client PEs; Configure route
reflection for BGP VPNv6 routes. Legend: mandatory procedure, optional procedure.]

3.5.1 Configuring a Client PE to Establish an MP-IBGP Connection with the RR

This section describes how to configure a PE to establish an MP-IBGP connection with the RR
so that the RR will reflect VPNv6 routes for the PE.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bgp as-number

The BGP view is displayed.

Step 3 Run:
peer peer-ipv4-address as-number as-number

The RR is specified as the BGP peer.

Step 4 Run:
peer peer-ipv4-address connect-interface interface-type interface-number

The interface used to establish a TCP connection is specified.


The IP address of the interface must be the same as the MPLS LSR ID of the system. Specifying
a loopback interface to establish the TCP connection is recommended.
Step 5 Run:
ipv6-family vpnv6

The BGP-VPNv6 address family view is displayed.


Step 6 Run:
peer peer-ipv4-address enable

The function that exchanges VPNv6 routes with the RR is enabled on the PE.
Step 7 Run:
commit

The configuration is committed.

----End

3.5.2 Configuring the RR to Establish MP-IBGP Connections with All Client PEs

This section describes how to configure the RR to establish MP-IBGP connections with all its
client PEs so that the RR will reflect VPNv6 routes for all these PEs.

Context
Choose one of the following schemes to configure the RR to establish MP-IBGP connections
with the client PEs:

Procedure
• Configure the RR to establish an MP-IBGP connection with a peer group.
Add all the client PEs to a peer group and establish an MP-IBGP connection with the peer
group.
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
group group-name [ internal ]

An IBGP peer group is created.


4. Run:
peer group-name connect-interface interface-type interface-number

The interface used to establish a TCP connection is specified. The IP address of the
interface must be the same as the MPLS LSR ID of the system. Specifying a loopback
interface to establish the TCP connection is recommended.


5. Run:
ipv6-family vpnv6

The BGP-VPNv6 address family view is displayed.


6. Run:
peer group-name enable

The function that exchanges BGP IPv6 VPN routes between the RR and the peer group
is enabled.
7. Run:
peer ip-address group group-name

The peer is added to the peer group.


8. Run:
commit

The configuration is committed.


• Configure the RR to establish an MP-IBGP connection with each client PE.
Perform Step 1 to Step 6 repeatedly on the RR to establish an MP-IBGP connection between
the RR and each client PE.
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
peer peer-ipv4-address as-number as-number

The client PE is specified as the BGP peer.


4. Run:
peer peer-ipv4-address connect-interface interface-type interface-number

The interface used to establish a TCP connection is specified.


The IP address of the interface must be the same as the MPLS LSR ID. Specifying a
loopback interface to establish the TCP connection is recommended.
5. Run:
ipv6-family vpnv6

The BGP-VPNv6 address family view is displayed.


6. Run:
peer peer-ipv4-address enable

The function that exchanges BGP IPv6 VPN routes between the RR and the client PE
is enabled.
7. Run:
commit

The configuration is committed.


----End


3.5.3 Configuring Route Reflection for BGP VPNv6 Routes


This section describes how to enable route reflection for BGP VPNv6 routes so that the RR can
reflect the VPNv6 routes received from a client PE to other client PEs.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bgp as-number

The BGP view is displayed.

Step 3 Run:
ipv6-family vpnv6

The BGP-VPNv6 address family view is displayed.

Step 4 Enable route reflection for BGP IPv6 VPN routes on the RR.
• To enable route reflection if the RR has established an MP-IBGP connection with a peer
group consisting of all the client PEs, run:
peer { group-name | peer-ipv4-address } reflect-client

• To enable route reflection if the RR has established an MP-IBGP connection with each client
PE rather than a peer group, run the following command repeatedly:
peer peer-ipv4-address reflect-client

Step 5 Run:
undo policy vpn-target

Filtering received VPNv6 routes based on the VPN target is disabled.

Step 6 (Optional) Run:
rr-filter extcomm-filter-number

A reflection policy is configured for the RR.

Step 7 Run:
commit

The configuration is committed.

----End

3.5.4 Checking the Configuration


This section describes how to check information about VPNv6 peers and VPNv6 routes on the
PE or RR after route reflection for BGP VPNv6 routes is configured.

Prerequisite
The configurations of route reflection for BGP VPNv6 routes are complete.


Procedure
• Run the display bgp vpnv6 all peer [ [ ipv4-address ] verbose ] command on the RR or
a client PE to check information about BGP VPNv6 peers.
• Run the display bgp vpnv6 all routing-table peer peer-ipv4-address { advertised-routes |
received-routes } [ statistics ] command on the RR or a client PE to check VPNv6
routes received from the peer or advertised to the peer.
• Run the display bgp vpnv6 all group [ group-name ] command on the RR to check
information about the VPNv6 peer group.

----End

Example
If the preceding configurations succeed, you can find that the status of the MP-IBGP
connections between the RR and all client PEs is "Established" after running the
display bgp vpnv6 all peer command on the RR or client PEs.
<HUAWEI> display bgp vpnv6 all peer

 BGP local router ID : 2.2.2.9
 Local AS number : 100
 Total number of peers : 2                 Peers in established state : 2

  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv

  1.1.1.9         4   100     1263     1530     0 19:46:01 Established       1
  3.3.3.9         4   100     1170     1109     0 17:50:26 Established       1

You can find that the RR and each client PE can send and receive VPNv6 routing information
between each other after running the display bgp vpnv6 all routing-table peer command on
the RR or client PEs.

If a peer group is configured, you can view information about the group members and find that
the status of the BGP connections between the RR and group members is "Established" after
running the display bgp vpnv6 all group command on the RR.
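
The peer check above can be automated. The following Python is an added example, not part of the Huawei guide: it parses display bgp vpnv6 all peer output and compares it with an inventory of the peers the design calls for, flagging sessions that are not Established and peers that are not in the inventory. The inventory, the function names, and the second (failing) output are constructed for illustration, and the parser assumes every State value is a single token.

```python
import re
from dataclasses import dataclass

# Output printed in this section's Example (RR with two client PEs).
SAMPLE_OK = """\
BGP local router ID : 2.2.2.9
Local AS number : 100
Total number of peers : 2          Peers in established state : 2

 Peer        V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv

 1.1.1.9     4   100     1263     1530     0 19:46:01 Established       1
 3.3.3.9     4   100     1170     1109     0 17:50:26 Established       1
"""

# Constructed failure case: one client stuck in Active, one peer that is not in
# the inventory, and PrefRcv wrapped onto its own line by a narrow terminal.
SAMPLE_BAD = """\
BGP local router ID : 2.2.2.9
Local AS number : 100
Total number of peers : 3          Peers in established state : 2

 Peer        V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State
 PrefRcv
 1.1.1.9     4   100     1263     1530     0 19:46:01 Established
 1
 3.3.3.9     4   100        0        0     0 00:03:10      Active
 0
 10.9.9.9    4   100       12       15     0 00:01:02 Established
 4
"""

COLUMNS = 9  # Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv


@dataclass(frozen=True)
class Peer:
    address: str
    asn: int
    state: str
    pref_rcv: int


def _header_int(label, text):
    match = re.search(re.escape(label) + r"\s*:\s*(\d+)", text)
    if match is None:
        raise ValueError(f"missing header field: {label}")
    return int(match.group(1))


def parse_peers(text):
    """Return (total, established, peers) parsed from the command output."""
    total = _header_int("Total number of peers", text)
    established = _header_int("Peers in established state", text)
    tokens = text.split()
    if "PrefRcv" not in tokens:
        raise ValueError("peer table header not found")
    # Tokenising instead of splitting on lines tolerates a wrapped PrefRcv column.
    cells = tokens[tokens.index("PrefRcv") + 1:]
    if len(cells) % COLUMNS:
        raise ValueError("peer table is truncated or has an unexpected layout")
    peers = []
    for i in range(0, len(cells), COLUMNS):
        row = cells[i:i + COLUMNS]
        peers.append(Peer(row[0], int(row[2]), row[7], int(row[8])))
    return total, established, peers


def audit_peers(text, expected):
    """Compare the output with `expected` (peer address -> AS number)."""
    total, established, peers = parse_peers(text)
    findings = []
    if total != len(peers):
        findings.append(f"header reports {total} peers, table lists {len(peers)}")
    up = sum(p.state == "Established" for p in peers)
    if established != up:
        findings.append(f"header reports {established} established, table shows {up}")
    seen = {p.address: p for p in peers}
    for address, asn in expected.items():
        peer = seen.get(address)
        if peer is None:
            findings.append(f"{address}: expected peer is missing")
        elif peer.asn != asn:
            findings.append(f"{address}: AS {peer.asn}, expected {asn}")
        elif peer.state != "Established":
            findings.append(f"{address}: state {peer.state}, expected Established")
        elif peer.pref_rcv == 0:
            findings.append(f"{address}: Established but no VPNv6 prefixes received")
    for address, peer in seen.items():
        if address not in expected:
            findings.append(
                f"{address}: peer not in inventory (AS {peer.asn}, {peer.state})")
    return findings
```

An empty list from audit_peers means every inventoried peer is Established in the expected AS and no other VPNv6 session exists on the device.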

3.6 Configuring a Tunnel Policy for the Backbone Network of a BGP/MPLS IPv6 VPN

A tunnel policy applied to an IPv6 VPN can specify the type of tunnel selected for the VPN and
enable load balancing between tunnels.

Applicable Environment
By default, the system selects a tunnel in the order of LSPs, CR-LSPs, and Local_IfNet, and
does not perform load balancing. To configure load balancing or select tunnels of other types,
you need to configure a tunnel policy and apply it to the IPv6 VPN.

At present, the NE5000E supports the following modes of tunnel policies:

• Select-sequence: A sequence of tunnel types to be selected or the number of tunnels
participating in load balancing can be specified.


• Tunnel binding: A TE tunnel is bound to a specified destination IP address so that the VPN
traffic to that destination address can only be transmitted over the TE tunnel.
For details on tunnel policy configurations, see VPN Tunnel Management Configuration.

Pre-configuration Tasks
Before configuring a tunnel policy for the backbone network of a BGP/MPLS IPv6 VPN,
complete the following tasks:
• Configuring basic BGP/MPLS IPv6 VPN
• Setting up a tunnel of the type specified in the tunnel policy

Configuration Procedures

Figure 3-5 Flowchart for configuring a tunnel policy for the backbone network of a BGP/MPLS
IPv6 VPN
[Flowchart steps: Configure a tunnel policy; Apply a tunnel policy to the IPv6 VPN.
Legend: mandatory procedure, optional procedure.]

3.6.1 Configuring a Tunnel Policy


A tunnel policy can determine the tunnel-selecting sequence and number of tunnels participating
in load balancing.

Context
In the tunnel policy view, the select-sequence mode and tunnel binding mode are mutually
exclusive. Choose one of the following configurations as required:

Procedure
• Configure a tunnel policy in select-sequence mode.
1. Run:
system-view

The system view is displayed.


2. Run:
tunnel-policy policy-name

A tunnel policy is created, and the tunnel policy view is displayed.


3. Run:
tunnel select-seq { lsp | cr-lsp }* load-balance-number load-balance-number

The priority sequence of tunnel types and number of tunnels participating in load
balancing are configured.


According to a tunnel policy in select-sequence mode, tunnels to the same destination
are selected in sequence. If a tunnel listed earlier is Up, it is selected regardless of
whether other services have selected it. The tunnels listed later are not selected except
in case of even load balancing or when the preceding tunnels are Down.
4. Run:
commit

The configuration is committed.


• Configure a tunnel policy in tunnel binding mode.
1. Run:
system-view

The system view is displayed.


2. Run:
tunnel-policy policy-name

A tunnel policy is created, and the tunnel policy view is displayed.


3. Run:
tunnel binding destination dest-ip-address te { tunnel interface-number }
&<1-6> [ down-switch ]

A tunnel policy is configured to bind a TE tunnel to the specified destination address.


4. Run:
commit

The configuration is committed.


----End

3.6.2 Applying a Tunnel Policy to the IPv6 VPN


This section describes how to apply a tunnel policy to an IPv6 VPN to change the tunnel type
or the tunnel-selecting sequence for VPN services.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.


Step 3 Run:
ipv6-family

The VPN instance IPv6 address family view is displayed.


A VPN instance supports both the IPv4 address family and IPv6 address family. VPN
configurations can be performed only if an IPv4 or IPv6 address family (which is determined
by the forwarding route type) has been enabled for the VPN instance.
Step 4 Run:


tnl-policy policy-name

The tunnel policy is applied to the VPN instance IPv6 address family.

Step 5 Run:
commit

The configuration is committed.

----End

3.6.3 Checking the Configuration


This section describes how to check the name of a tunnel policy applied to a VPN and the
configurations of the tunnel policy.

Prerequisite
The configurations of a tunnel policy for the backbone network of a BGP/MPLS IPv6 VPN are
complete.

Procedure
• Run the display tunnel-policy policy-name command to check the configurations of a
specified tunnel policy.
• Run the display ip vpn-instance verbose [ vpn-instance-name ] command to check the
tunnel policy used by a VPN instance.

----End

Example
Run the display tunnel-policy command. If the configuration of a tunnel policy is displayed, it
means that the configuration succeeds. For example:
<HUAWEI> display tunnel-policy policy1
Tunnel Policy Name      Select-Seq      Load balance No
------------------------------------------------------
policy1                 LSP             1

Run the display ip vpn-instance verbose command, and you can view the tunnel policy used
by a VPN instance. In the following command output, the tunnel policy used by the IPv6 address
family of a VPN instance named vpna is policy1.
<HUAWEI> display ip vpn-instance verbose
Total VPN-Instances configured : 1
VPN-Instance Name and ID : vpn1, 1
Interfaces : GigabitEthernet1/0/0
Address family ipv6
Create date : 2006/09/27 15:25:29
Up time : 0 days, 00 hours, 02 minutes and 11 seconds
Route Distinguisher : 100:1
Export VPN Targets : 2:2
Import VPN Targets : 1:1
Label policy : label per route
Tunnel Policy : policy1


3.7 Configuring Inter-AS IPv6 VPN Option A


In inter-AS IPv6 VPN Option A, an ASBR takes the peer ASBR as a CE and uses EBGP+ to
advertise IPv6 routes to the peer ASBR.

Applicable Environment
If the MPLS backbone network bearing IPv6 VPN routes spans across multiple ASs, the
inter-AS VPN solution is required.
If the number of VPNs that access PEs and the number of IPv6 VPN routes are small, inter-AS
VPN Option A is recommended. In inter-AS VPN Option A, ASBRs are required to support
VPN instances so that they will be capable of managing IPv6 VPN routes. In addition, ASBRs
must provide dedicated interfaces for inter-AS VPNs, which can be sub-interfaces or physical
interfaces. Therefore, the requirement for ASBRs' performance is rather high, but no inter-AS
configurations need to be performed on ASBRs.

Pre-configuration Tasks
Before configuring inter-AS VPN Option A, complete the following tasks:
• Configuring an IGP for the MPLS backbone network of each AS for IP connectivity of the
backbone network within each AS
• Enabling MPLS on the PEs and ASBRs
• Establishing an LSP or MPLS TE tunnel between the PE and the ASBR within each AS
• Enabling IPv6 on interfaces to be configured with IPv6 addresses

Procedure
Step 1 Configure basic BGP/MPLS IPv6 VPN for each AS. For details, see Configuring Basic BGP/
MPLS IPv6 VPN.
Step 2 Configure ASBRs in different ASs to consider each other as a CE.
Step 3 Enable the IPv6 address family-enabled VPN instance on the PEs and ASBRs. For details on
the configuration procedures, see Configuring the IPv6 Address Family-supporting VPN
Instance.
After the configuration, the PEs can access their attached CEs, and ASBRs in different ASs can
access each other.
NOTE
In inter-AS VPN Option A, on the same IPv6 VPN, the VPN targets of the IPv6 address family-enabled
VPN instances of the ASBR and PE that are in the same AS must be matched. This is not required for the
PEs in different ASs.

----End

Example
Run the following commands to check the previous configuration.
Run the display bgp vpnv6 all peer command on the PE or ASBR to check information about
BGP peer relationships.


Run the display bgp vpnv6 all routing-table command on the PE or ASBR to check VPNv6
routing information.

Run the display ipv6 routing-table vpn-instance [ vpn-instance-name ] command on the PE
or ASBR to check the routing table of the VPN instance IPv6 address family.

3.8 Configuring Inter-AS IPv6 VPN Option B


In the scenario where the backbone network spans two ASs, ASBRs need to advertise VPNv6
routes through MP-EBGP.

Applicable Environment
If an ASBR can manage VPN routes but there are not enough interfaces for all inter-AS VPNs,
inter-AS VPN Option B can be used. Inter-AS VPN Option B requires ASBRs to help to maintain
and advertise VPNv6 routes and you need not create VPN instances on the ASBRs.

On the network shown in Figure 3-6, the interfaces connected between ASBRs do not need to
be bound to the VPN. A single-hop MP-EBGP peer relationship is set up between the ASBRs
to transmit all inter-AS VPN routing information.

Figure 3-6 Schematic diagram for Inter-AS IPv6 VPN Option B
[Network diagram. Labels: IP/MPLS Backbone AS 100 and IP/MPLS Backbone AS 200; PE1, PE2,
PE3, PE4; ASBR1, ASBR2; CE1 and CE3 (VPN1); CE2 and CE4 (VPN2); MP-IBGP, MP-IBGP, MP-EBGP.]

Pre-configuration Tasks
Before configuring inter-AS VPN Option B, complete the following tasks:

• Configuring an IGP for the MPLS backbone network of each AS to ensure IP connectivity
of the backbone network within an AS
• Configuring the basic MPLS functions for the MPLS backbone network of each AS and
establishing an LDP LSP or TE tunnel between MP-IBGP peers
• 3.3 Configuring an IPv6 Address Family-supporting VPN Instance on the PE
connected to the CE and 3.4.2 Binding an Interface to a VPN Instance


• Configuring an IPv6 address for the interface connecting the CE to the PE

Configuration Procedures

Figure 3-7 Flowchart for configuring inter-AS IPv6 VPN Option B
[Flowchart steps: Configuring MP-IBGP Between a PE and an ASBR in the Same AS; Configuring
MP-EBGP Between ASBRs in Different ASs; Controlling the Learning and Advertising of VPN
Routes on ASBR; Configuring Route Exchange Between a CE and a PE. Legend: mandatory
procedure, optional procedure.]

3.8.1 Configuring MP-IBGP Between a PE and an ASBR in the Same AS

By importing extended community attributes to BGP, MP-IBGP can advertise VPNv6 routes
between the PE and the ASBR.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
peer peer-address as-number as-number

The IBGP peer relationship is set up between the PE and ASBR in the same AS.
Step 4 Run:
peer peer-address connect-interface loopback interface-number

The loopback interface is specified as the outbound interface of the BGP session.
Step 5 Run:
ipv6-family vpnv6 [ unicast ]


The BGP-VPNv6 sub-address family view is displayed.


Step 6 Run:
peer peer-address enable

The capability of VPNv6 route exchange between the PE and the ASBR is enabled.
Step 7 Run:
commit

The configuration is committed.

----End

3.8.2 Configuring MP-EBGP Between ASBRs in Different ASs


After the MP-EBGP peer relationship is established between ASBRs, an ASBR can advertise
the VPNv6 routes of its AS to the other ASBR.

Context
In inter-AS IPv6 VPN Option B, you need not create VPN instances on ASBRs. The ASBR does
not filter the VPNv6 routes received from the PE in the same AS based on VPN targets. Instead,
it advertises the received routes to the peer ASBR through MP-EBGP.

Procedure
Step 1 Run:
system-view

The system view of the ASBR is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the interface that connects to the peer ASBR is displayed.
Step 3 Run:
ip address ip-address { mask | mask-length }

An IP address is configured for the interface.


Step 4 Run:
mpls

The MPLS capability is enabled.


Step 5 Run:
commit

The configuration is committed.


Step 6 Run:
quit

Return to the system view.


Step 7 Run:
bgp as-number


The BGP view is displayed.

Step 8 Run:
peer peer-address as-number as-number

The peer ASBR is specified as an EBGP peer.

Step 9 Run:
ipv6-family vpnv6 [ unicast ]

The BGP VPNv6 sub-address family view is displayed.

Step 10 Run:
peer peer-address enable

The capability of exchanging VPNv6 routes with the peer ASBR is enabled.

Step 11 Run:
commit

The configuration is committed.

----End

3.8.3 Controlling the Learning and Advertising of VPN Routes on ASBR

An ASBR can either save partial VPNv6 routes by filtering VPN targets through a routing policy
or save all VPNv6 routes.

Context
By default, an ASBR filters the VPN targets of only the received VPNv6 routes. The routes are
imported into the routing table if they pass the filtration; otherwise, they are discarded. Therefore,
if no VPN instance is configured on the ASBR or no VPN target is configured for the VPN
instance, the ASBR discards all the received VPNv6 routes.

You can configure an ASBR to control the importing and exporting of VPN routes in either of
the following two ways:

• Not filtering VPN targets: the ASBR stores all the VPNv6 routes.
• Filtering VPN targets: the ASBR stores only part of the VPNv6 routes, selected through
routing policies.

Configure either of the following methods on each ASBR based on the actual situation:

Procedure
• Not filtering VPN targets
1. Run:
system-view

The system view of the ASBR is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
ipv6-family vpnv6 [ unicast ]

The BGP VPNv6 sub-address family view is displayed.


4. Run:
undo policy vpn-target

Filtering VPN targets of VPNv6 routes is disabled.


In inter-AS VPN Option B mode, the ASBR does not need to store VPN instance
information but must store all the VPNv6 routing information and advertise it to the
peer ASBR. In this case, the ASBR needs to import all the received VPNv6 routes
without filtering them based on VPN targets.
5. Run:
commit

The configuration is committed.


• Filtering VPN targets
1. Run:
system-view

The system view of the ASBR is displayed.


2. Run:
ip extcommunity-filter extcom-filter-number { deny | permit } rt vpn-target &<1-16>

The extended community filter is configured.


3. Run:
route-policy route-policy-name permit node node

A routing policy is configured.


4. Run:
if-match extcommunity-filter extcomm-filter-number &<1-16>

A matching rule based on the extended community filter is configured.


5. Run:
commit

The configuration is committed.


6. Run:
quit

Return to the system view.


7. Run:
bgp as-number

The BGP view is displayed.


8. Run:
ipv6-family vpnv6 [ unicast ]

The BGP VPNv6 sub-address family view is displayed.


9. Run:
peer peer-address route-policy policy-name { export | import }


The routing policy is applied to control the importing and exporting of VPNv6
routes.
10. Run:
commit

The configuration is committed.


----End
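
The choice between the two methods decides which VPNs' routes an ASBR holds and can pass to the other AS. The following Python model is an added example, not Huawei code and not output captured from an NE5000E: it applies the behaviours described in this section to a constructed set of received VPNv6 routes and lists the VPN targets the ASBR would hold outside an agreed list. The entry-ordering rule in filter_permits, the route set, the agreed list, and all function names are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vpnv6Route:
    rd: str          # route distinguisher
    prefix: str
    rts: frozenset   # VPN targets carried as extended communities


@dataclass(frozen=True)
class FilterEntry:
    """One 'ip extcommunity-filter <n> { deny | permit } rt <vpn-target>' line."""
    action: str
    rt: str


def filter_permits(entries, route):
    # Modelling assumption: entries are checked in configured order, the first
    # entry whose VPN target the route carries decides, and no match means deny.
    for entry in entries:
        if entry.rt in route.rts:
            return entry.action == "permit"
    return False


def stored_routes(routes, method, instance_import_rts=frozenset(), entries=()):
    """Routes an ASBR keeps under each behaviour this section describes.

    "default"      - VPN-target check against import targets of local VPN instances
    "no-filter"    - 'undo policy vpn-target': every received VPNv6 route is kept
    "route-policy" - permit node with 'if-match extcommunity-filter', applied with
                     'peer ... route-policy ... import'
    """
    if method == "default":
        return [r for r in routes if r.rts & frozenset(instance_import_rts)]
    if method == "no-filter":
        return list(routes)
    if method == "route-policy":
        return [r for r in routes if filter_permits(entries, r)]
    raise ValueError(f"unknown method: {method}")


def unexpected_rts(kept, agreed_rts):
    """VPN targets held by the ASBR that the inter-AS agreement does not list."""
    return sorted({rt for r in kept for rt in r.rts} - set(agreed_rts))


# Constructed routes received from the PE in the local AS. Only the first RD and
# prefix appear in this section's sample output; the rest are illustrative.
RECEIVED = [
    Vpnv6Route("100:1", "2001::/64", frozenset({"1:1"})),
    Vpnv6Route("100:2", "2001:db8:2::/64", frozenset({"2:2"})),
    Vpnv6Route("100:9", "2001:db8:9::/64", frozenset({"9:9"})),
    Vpnv6Route("100:3", "2001:db8:3::/64", frozenset({"1:1", "9:9"})),
]
AGREED = {"1:1"}  # constructed: the only VPN meant to span both ASs

# Deny listed first, so a route carrying both 9:9 and 1:1 is rejected.
DENY_FIRST = (FilterEntry("deny", "9:9"), FilterEntry("permit", "1:1"))
# Same entries in the opposite order: the route carrying both targets is kept.
PERMIT_FIRST = (FilterEntry("permit", "1:1"), FilterEntry("deny", "9:9"))


def summary():
    """Return {case: (number of routes kept, unexpected VPN targets)}."""
    cases = {
        "default, no VPN instance": stored_routes(RECEIVED, "default"),
        "undo policy vpn-target": stored_routes(RECEIVED, "no-filter"),
        "route-policy, deny first": stored_routes(
            RECEIVED, "route-policy", entries=DENY_FIRST),
        "route-policy, permit first": stored_routes(
            RECEIVED, "route-policy", entries=PERMIT_FIRST),
    }
    return {name: (len(kept), unexpected_rts(kept, AGREED))
            for name, kept in cases.items()}


if __name__ == "__main__":
    for name, (count, extra) in summary().items():
        print(f"{name}: {count} routes kept, unexpected VPN targets: {extra}")
```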

3.8.4 Configuring Route Exchange Between a CE and a PE


BGP, static routes (including default routes), or an IGP can run between a CE and a PE. You
can choose any of them as required.

Procedure
Step 1 You can configure a routing protocol between a CE and a PE based on the actual situation. For
detailed configuration procedures, see 3.4.4 Configuring Route Exchange Between a PE and
a CE.

----End

3.8.5 Checking the Configuration


After configuring inter-AS IPv6 VPN Option B, you can view the status of all BGP peer
relationships and VPNv6 routing information on PEs or ASBRs.

Prerequisite
All the configurations about inter-AS VPN Option B are complete.

Procedure
• Run the display bgp vpnv6 all peer command on the PE or ASBR to check the status of
all BGP peer relationships.
• Run the display bgp vpnv6 all routing-table command on the PE or ASBR to check
information about VPNv6 routes.
• Run the display ipv6 routing-table vpn-instance vpn-instance-name command on the PE
to check information about the VPN routing table.
----End

Example
Run the display bgp vpnv6 all peer command on the PE or ASBR, and you can view that the
status of the BGP VPNv6 peer relationship between the PE and ASBR in the same AS is
"Established". In addition, the status of the EBGP peer relationship between the directly
connected ASBRs in different ASs is also "Established".
<HUAWEI> display bgp vpnv6 all peer
 BGP local router ID : 192.1.1.1
 Local AS number : 100
 Total number of peers : 2                 Peers in established state : 2

  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv


  1.1.1.9         4   100       39       30     0 00:22:42 Established       1
  192.1.1.2       4   200       31       24     0 00:18:15 Established       1

Run the display bgp vpnv6 all routing-table command on the ASBR, and you can view the
VPNv6 routes on the ASBR.
<HUAWEI> display bgp vpnv6 all routing-table

 BGP Local router ID is 192.1.1.1
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
 Origin      : i - IGP, e - EGP, ? - incomplete

 Total number of routes from all PE: 2

 Route Distinguisher: 100:1

 *>i Network  : 2001::                          PrefixLen : 64
     NextHop  : ::FFFF:1.1.1.9                  LocPrf    : 100
     MED      : 0                               PrefVal   : 0
     Label    : 17/18
     Path/Ogn : ?

 Route Distinguisher: 200:2

 *>  Network  : 2002::                          PrefixLen : 64
     NextHop  : ::FFFF:192.1.1.2                LocPrf    :
     MED      :                                 PrefVal   : 0
     Label    : 17/17
     Path/Ogn : 200?

Run the display ipv6 routing-table vpn-instance vpn-instance-name command on the PE, and
you can view that the VPN routing table contains related VPN routes.
<HUAWEI> display ipv6 routing-table vpn-instance vpna
Routing Table : vpna
         Destinations : 4        Routes : 4

 Destination  : 2001::                          PrefixLength : 64
 NextHop      : 2001::2                         Preference   : 0
 Cost         : 0                               Protocol     : Direct
 RelayNextHop : ::                              TunnelID     : 0x0
 Interface    : Pos3/1/1                        Flags        : D

 Destination  : 2001::2                         PrefixLength : 128
 NextHop      : ::1                             Preference   : 0
 Cost         : 0                               Protocol     : Direct
 RelayNextHop : ::                              TunnelID     : 0x0
 Interface    : Pos3/1/1                        Flags        : D

 Destination  : 2002::                          PrefixLength : 64
 NextHop      : ::FFFF:2.2.2.9                  Preference   : 255
 Cost         : 0                               Protocol     : BGP
 RelayNextHop : ::                              TunnelID     : 0x0000000001004c4b42
 Interface    : LDP LSP                         Flags        : RD

 Destination  : FE80::                          PrefixLength : 10
 NextHop      : ::                              Preference   : 0
 Cost         : 0                               Protocol     : Direct
 RelayNextHop : ::                              TunnelID     : 0x0
 Interface    : NULL0                           Flags        : D


3.9 Configuring Load Balancing Among IPv6 VPN Routes on the Backbone Network

This section describes how to configure load balancing of VPN traffic among multiple links on
the backbone network of an IPv6 VPN.

Applicable Environment
Deploying load balancing among IPv6 VPN routes allows even distribution of VPN traffic to
different links on the backbone network, which improves the link usage.

A PE may receive multiple IPv6 VPN routes with the same prefix from different VPNv6 peers.
Usually, the PE selects an optimal route and delivers it to the Forwarding Information Base (FIB)
to guide data forwarding. If load balancing is configured on the PE, it delivers multiple routes
to the FIB. VPN data then can be distributed to different links on the backbone network in a
packet-by-packet or session-by-session manner.

Pre-configuration Tasks
Before configuring load balancing among IPv6 VPN routes, complete the following tasks:
l Configuring BGP/MPLS IPv6 VPN
l Ensuring that the PE receives IPv6 VPN routes with the same prefix from different VPNv6
peers

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bgp as-number

The BGP view is displayed.

Step 3 Run:
ipv6-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv6 address family view is displayed.

Step 4 Run:
maximum load-balancing number

Load balancing among BGP routes is configured for the BGP VPN instance IPv6 address family.

Step 5 Run:
commit

The configuration is committed.

----End


Example
Run the display ipv6 routing-table vpn-instance vpn-instance-name ipv6-address
[ prefix-length ] [ longer-match ] [ verbose ] command on the PE to check detailed
information about IPv6 VPN routes with a specified prefix. If the IPv6 VPN route with the
specified prefix has more than one next hop, load balancing among IPv6 VPN routes on the
backbone network has been configured successfully.
<HUAWEI> display ipv6 routing-table vpn-instance vpna 200:0:1:2::1
Routing Table : vpna
Summary Count : 2

Destination : 200:0:1:2::1 PrefixLength : 128


NextHop : ::FFFF:2.2.2.2 Preference : 255
Cost : 0 Protocol : BGP
RelayNextHop : ::FFFF:100.1.1.2 TunnelID : 0x800003
Interface : Pos2/0/0 Flags : RD

Destination : 200:0:1:2::1 PrefixLength : 128


NextHop : ::FFFF:3.3.3.3 Preference : 255
Cost : 0 Protocol : BGP
RelayNextHop : ::FFFF:100.2.1.2 TunnelID : 0x800001
Interface : Pos3/0/0 Flags : RD

3.10 Configuring VPNv6 FRR


This section describes how to configure FRR to protect PEs.

Applicable Environment
VPNv6 FRR is applicable to IPv6 services that are sensitive to packet loss and delay. Such
services place higher requirements on the VPN that transmits them. If VPNv6 FRR is
enabled, IPv6 VPN services can be quickly switched to another link when a fault occurs on the
VPN, so the services are not interrupted.
At present, the NE5000E supports VPNv6 Auto FRR. This function automatically selects the
next hop (a PE) for VPN routes, and there are no fixed backup next hops.

Pre-configuration Tasks
Before configuring VPNv6 FRR, complete the following tasks:
l Configuring BGP/MPLS IPv6 VPN
l Ensuring that the PE receives IPv6 VPN routes with the same prefix from different VPNv6
peers

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bgp as-number

The BGP view is displayed.


Step 3 Run:
ipv6-family vpn-instance vpn-instance-name

The BGP-VPNv6 instance view is displayed.


Step 4 Run:
auto-frr

VPNv6 Auto FRR is enabled.


Step 5 Run:
commit

The configuration is committed.

----End

Result
Run the display ipv6 routing-table vpn-instance vpn-instance-name [ ipv6-address ]
verbose command to check the backup next hop, backup tunnel, and backup label in the routing
table.

Example
Run the display ipv6 routing-table vpn-instance verbose command on the PE where VPNv6
FRR is enabled, and you can view the backup next hop (a PE), backup tunnel, and backup label
of routes. For example, set the primary next hop and backup next hop for the route to 200:0:1:2::1
to 2.2.2.2 and 3.3.3.3 respectively on the PE. The information about the backup next hop, backup
tunnel, and backup label is as follows:
<HUAWEI> display ipv6 routing-table vpn-instance vpna 200:0:1:2::1 128 verbose

Routing Table : vpna
Summary Count : 1

Destination : 200:0:1:2::1 PrefixLength : 128


NextHop : ::FFFF:2.2.2.2 Preference : 255
Neighbour : ::2.2.2.2 ProcessID : 0
Label : 1030 Protocol : BGP
State : Active Adv Relied Cost : 0
Entry ID : 12 EntryFlags : 0x80024904
Reference Cnt: 2 Tag : 0
IndirectID : 0x4 Age : 31sec
RelayNextHop : ::FFFF:100.1.1.2 TunnelID : 0x0000000001004c4ba2
Interface : LDP LSP Flags : RD
BkNextHop : ::FFFF:3.3.3.3 BkInterface :
BkLabel : 1026 BkTunnelID : 0x0
BkPETunnelID : 0x800001 BkIndirectID : 0x6

3.11 Configuring FRR for IPv6 Routes on a Private Network


This section describes how to configure IPv6 FRR for a private network in the networking where
multiple CEs at an IPv6 VPN site access the same PE. This feature can quickly switch traffic to
a link connected to another CE if the primary route from a PE to a CE becomes unreachable.


Applicable Environment
This feature is suitable for IP services that are sensitive to packet loss and delay on a VPN.
With IPv6 FRR configured on the private network, if the route from a PE to a CE is unreachable,
traffic from the PE can be quickly switched to a link connected to another CE. This ensures non-
stop forwarding of IP services.
At present, the NE5000E supports two modes of IPv6 FRR for the private network, which differ
in terms of networking and configuration procedures.

l IPv6 FRR: It is applicable to the networking where different PE-CE pairs use different
routing protocols.
l BGP Auto FRR: It is applicable to the networking where BGP runs between the PE and
CEs.

Pre-configuration Tasks
Before configuring FRR for IPv6 routes in a private network, complete the following tasks:

l Configuring BGP/MPLS IPv6 VPN


l Ensuring that the PE learns IPv6 VPN routes with the same prefix from different CEs
attached to it

Procedure
l Configure IPv6 FRR.
1. Run:
system-view

The system view is displayed.


2. Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.


3. Run:
ipv6-family

The VPN instance IPv6 address family view is displayed.


4. Run:
ipv6 frr

IPv6 FRR is enabled.


5. Run:
commit

The configuration is committed.


l Configure BGP Auto FRR for the private network.
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number


The BGP view is displayed.


3. Run:
ipv6-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv6 address family view is displayed.


4. Run:
auto-frr

BGP Auto FRR is enabled.


5. Run:
commit

The configuration is committed.


----End

Example
Run the display ipv6 routing-table vpn-instance vpn-instance-name [ ipv6-address ]
verbose command to check the backup outbound interface and backup next hop of the IPv6
route in the routing table.
Run the display ipv6 routing-table vpn-instance vpn-instance-name verbose command on the
PE, and you can view that the IPv6 route has a backup outbound interface and a backup next
hop.
<HUAWEI> display ipv6 routing-table vpn-instance vpna 2004::1 verbose
Routing Table : vpna
Summary Count : 1

Destination : 2004::1 PrefixLength : 128


NextHop : 2000::2 Preference : 255
Neighbour : 2000::2 ProcessID : 0
Label : NULL Protocol : BGP
State : Active Adv Cost : 100
Entry ID : 27 EntryFlags : 0x80004100
Reference Cnt: 2 Tag : 0
IndirectID : 0x6 Age : 3sec
RelayNextHop : :: TunnelID : 0x0
Interface : GigabitEthernet1/0/0 Flags : D
BkNextHop : 2001::2 BkInterface : GigabitEthernet2/0/0
BkLabel : NULL BkTunnelID : 0x0
BkPETunnelID : 0x0 BkIndirectID : 0x5

3.12 Configuring Hybrid FRR for IPv6 and VPNv6 Routes


This section describes how to configure hybrid FRR in the CE dual-homing networking. If the
next hop from a PE to a CE is unreachable, hybrid FRR can send traffic to another PE over a
tunnel, and the traffic will be routed to the CE through IP forwarding on the private network.
This improves network reliability.

Applicable Environment
Hybrid FRR for IPv6 and VPNv6 routes can quickly switch traffic from a PE to another PE that
serves as the backup next hop if the primary route to a CE is unreachable.
A PE learns IPv6 VPN routes with the same prefix from a CE and other PEs. In this situation,
hybrid FRR for IPv6 and VPNv6 routes can be configured on the PE. With hybrid FRR enabled,
the PE generates a primary route and a backup route to the VPN prefix. If the link between the
PE and CE fails, the link traffic can be quickly switched to the backup next hop (a PE).
At present, the NE5000E supports two modes of hybrid FRR for IPv6 and VPNv6 routes, which
differ in terms of networking and configuration procedures.

l IPv6 FRR: It is applicable to the networking where a non-BGP routing protocol runs
between the PEs and CE.
l BGP Auto FRR for the private network: It is applicable to the networking where BGP runs
between the PEs and CE.

Pre-configuration Tasks
Before configuring hybrid FRR for IPv6 and VPNv6 routes, complete the following tasks:

l Configuring BGP/MPLS IPv6 VPN


l Ensuring that a PE learns IPv6 routes with the same prefix from a CE and other VPNv6
peers

Procedure
l Configure IPv6 FRR.
1. Run:
system-view

The system view is displayed.


2. Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.


3. Run:
ipv6-family

The VPN instance IPv6 address family view is displayed.


4. Run:
ipv6 frr

IPv6 FRR is enabled.


5. Run:
commit

The configuration is committed.


l Configure BGP Auto FRR for the private network.
1. Run:
system-view

The system view is displayed.


2. Run:
bgp as-number

The BGP view is displayed.


3. Run:
ipv6-family vpn-instance vpn-instance-name


The BGP-VPN instance IPv6 address family view is displayed.


4. Run:
auto-frr

BGP Auto FRR is enabled.


5. Run:
commit

The configuration is committed.

----End

Example
Run the display ipv6 routing-table vpn-instance vpn-instance-name [ ipv6-address ]
verbose command to check the backup outbound interface and backup next hop of the IPv6
route in the routing table.

Run the display ipv6 routing-table vpn-instance vpn-instance-name verbose command on the
PE, and you can view that the IPv6 route has a backup outbound interface and a backup next
hop.
<HUAWEI> display ipv6 routing-table vpn-instance vpn1 200:0:1:2::1 verbose
Routing Table : vpn1
Summary Count : 1

Destination : 200:0:1:2::1 PrefixLength : 128


NextHop : 2001::1 Preference : 60
Neighbour : 2001::1 ProcessID : 0
Label : NULL Protocol : Static
State : Active Adv Relied Cost : 0
Entry ID : 14 EntryFlags : 0x00000000
Reference Cnt: 0 Tag : 0
IndirectID : 0x8a9 Age : 3sec
RelayNextHop : 2001::1 TunnelID : 0x0
Interface : GigabitEthernet2/0/0 Flags : RD
BkNextHop : ::FFFF:3.3.3.3 BkInterface :
0x0000000001004c4b42
BkLabel : 17 BkTunnelID : 0x0000000001004c4
BkPETunnelID : 0x1002 BkIndirectID : 0x1000396
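
The verification steps in sections 3.9 through 3.12 all read the same routing-table fields: more than one NextHop for a prefix indicates load balancing, and a BkNextHop indicates an FRR backup. The following Python script is an added example, not Huawei code; it parses captured display ipv6 routing-table vpn-instance output (the sample text is constructed from the field layout shown in this guide) and lists prefixes that have neither. Treating an empty, "::" or "NULL" BkNextHop as "no backup" is an assumption.

```python
import re
from collections import defaultdict

# Field names as they appear in the outputs shown in this guide.
FIELDS = [
    "Destination", "PrefixLength", "NextHop", "Preference", "Neighbour",
    "ProcessID", "Label", "Protocol", "State", "Cost", "Entry ID",
    "EntryFlags", "Reference Cnt", "Tag", "IndirectID", "Age",
    "RelayNextHop", "TunnelID", "Interface", "Flags", "BkNextHop",
    "BkInterface", "BkLabel", "BkTunnelID", "BkPETunnelID", "BkIndirectID",
]
# A key must not be the tail of a longer name (NextHop inside BkNextHop) and
# its colon must be followed by whitespace, so colons in IPv6 values are safe.
KEY_RE = re.compile(
    r"(?<![A-Za-z])(" + "|".join(re.escape(f) for f in FIELDS) + r")\s*:(?=\s|$)"
)
NO_BACKUP = {"", "::", "NULL"}  # assumption: values meaning "no backup next hop"

# Constructed sample input (not captured from a device).
SAMPLE = """\
<HUAWEI> display ipv6 routing-table vpn-instance vpna verbose
Routing Table : vpna
Summary Count : 4

Destination  : 200:0:1:2::1                    PrefixLength : 128
NextHop      : ::FFFF:2.2.2.2                  Preference   : 255
RelayNextHop : ::FFFF:100.1.1.2                TunnelID     : 0x800003
Interface    : Pos2/0/0                        Flags        : RD

Destination  : 200:0:1:2::1                    PrefixLength : 128
NextHop      : ::FFFF:3.3.3.3                  Preference   : 255
RelayNextHop : ::FFFF:100.2.1.2                TunnelID     : 0x800001
Interface    : Pos3/0/0                        Flags        : RD

Destination  : 2004::1                         PrefixLength : 128
NextHop      : 2000::2                         Preference   : 255
State        : Active Adv                      Cost         : 100
Interface    : GigabitEthernet1/0/0            Flags        : D
BkNextHop    : 2001::2                         BkInterface  :
GigabitEthernet2/0/0
BkLabel      : NULL                            BkTunnelID   : 0x0

Destination  : 2002::                          PrefixLength : 64
NextHop      : ::FFFF:2.2.2.9                  Preference   : 255
RelayNextHop : ::                              TunnelID     : 0x00000000
01004c4b42
Interface    : LDP LSP                         Flags        : RD
"""


def parse_routes(text):
    """Return one dict per route entry; a Destination field starts a new entry."""
    routes, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "<[":       # blank line or CLI prompt
            continue
        matches = list(KEY_RE.finditer(line))
        if not matches:
            # A line with no "key :" pattern is the wrapped tail of the
            # previous value (long TunnelID or interface name).
            if current is not None and last_key and " :" not in line and ": " not in line:
                current[last_key] += line
            continue
        for i, m in enumerate(matches):
            end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
            key, value = m.group(1), line[m.end():end].strip()
            if key == "Destination":
                current = {}
                routes.append(current)
            if current is not None:
                current[key] = value
                last_key = key
    return routes


def summarize(routes):
    """Group entries by prefix and flag load balancing and FRR backup."""
    grouped = defaultdict(lambda: {"next_hops": [], "backups": []})
    for r in routes:
        entry = grouped[f"{r['Destination']}/{r.get('PrefixLength', '?')}"]
        nh, bk = r.get("NextHop", ""), r.get("BkNextHop", "")
        if nh and nh not in entry["next_hops"]:
            entry["next_hops"].append(nh)
        if bk not in NO_BACKUP and bk != nh:
            entry["backups"].append(bk)
    return {
        prefix: dict(e, load_balanced=len(e["next_hops"]) > 1,
                     frr_protected=bool(e["backups"]))
        for prefix, e in grouped.items()
    }


def single_path_prefixes(report):
    """Prefixes with one next hop and no backup: a single failure drops them."""
    return sorted(p for p, e in report.items()
                  if not e["load_balanced"] and not e["frr_protected"])


if __name__ == "__main__":
    rep = summarize(parse_routes(SAMPLE))
    for prefix, info in rep.items():
        print(prefix, info)
    print("single path:", single_path_prefixes(rep))
```
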

3.13 Maintaining BGP/MPLS IPv6 VPN


This section describes how to maintain BGP/MPLS IPv6 VPN.

3.13.1 Displaying BGP/MPLS IPv6 VPN Information


Monitoring the running status of BGP/MPLS IPv6 VPN involves checking VPN instance
information, VPNv6 peer information, and BGP peer log information.

Context
In routine maintenance, the following commands can be run in any view to display BGP/MPLS
IPv6 VPN information.


Procedure
l Run the display ipv6 routing-table vpn-instance vpn-instance-name [ [ filter-option ]
[ verbose ] | statistics ] command on the PE to check the routing table of the VPN instance
IPv6 address family.
l Run the display ip vpn-instance [ verbose | brief ] [ vpn-instance-name ] command to
check information about the VPN instance IPv6 address family.
l Run the display mpls lsp command to check information about LSPs.
l Run the display bgp vpnv6 { all | route-distinguisher route-distinguisher | vpn-
instance vpn-instance-name } routing-table destination-address [ mask-length ]
command to check entries in the routing table of the BGP-VPN instance IPv6 address
family.
l Run the display bgp vpnv6 { all | route-distinguisher route-distinguisher | vpn-
instance vpn-instance-name } routing-table statistics [ match-options ] command to
check statistics about the routing table of the BGP-VPN instance IPv6 address family.
l Run the display bgp vpnv6 { all | route-distinguisher route-distinguisher | vpn-
instance vpn-instance-name } routing-table [ match-options ] command to check
information about the routing table of the BGP-VPN instance IPv6 address family.
l Run the display bgp vpnv6 { all | vpn-instance vpn-instance-name } group [ group-
name ] command to check VPNv6 BGP peer group information.
l Run the display bgp vpnv6 { all | vpn-instance vpn-instance-name } peer [ [ peer-
address ] verbose ] command to check VPNv6 BGP peer information.
l Run the display bgp vpnv6 { all | vpn-instance vpn-instance-name } network command
to check VPNv6 route information advertised by BGP.
l Run the display bgp vpnv6 { all | vpn-instance vpn-instance-name } paths [ as-regular-
expression ] command to check the AS_Path of the routes in the BGP-VPN instance IPv6
address family.
l Run the display bgp vpnv6 vpn-instance vpn-instance-name peer { group-name | ipv6-
address } log-info command to check log information about the BGP peers in the BGP-
VPN instance IPv6 address family.
----End

3.13.2 Checking the Network Connectivity and Reachability


This section describes how to use the ping command to detect the network connectivity between
the sending end and the destination, and how to use the tracert command to check the devices
through which data packets are sent from the sending end to the destination.

Procedure
l Run the ping ipv6 [ -a source-ipv6-address | -c echo-number | -m wait-time | -s byte-
number | -t time-out | -tc traffic-class | vpn-instance vpn-instance-name ]* dest-ipv6-
address [ -i interface-type interface-number ] command to check whether an IPv6 network
is correctly set up to send packets from the transmitting end to the destination address.
l Run the tracert ipv6 [ -f first-hop-limit | -m max-hop-limit | -p port-number | -q probes | -
w wait-time | vpn-instance vpn-instance-name ]* { ipv6-address | host-name } command
to check the gateways through which the IPv6 packets are sent from the transmitting end
to the destination address.
l Run the ping [ ip ] [ -a source-ip-address | -c count | -d | -f | -h ttl-value | -i interface-type
interface-number | -m time | -n | -p pattern | -q | -r | -s packetsize | -t timeout | -tos tos-value |
-v | -vpn-instance vpn-instance-name ]* dest-address command to check whether
the IPv4 backbone network is correctly set up to send packets from the transmitting end to
the destination address.
l Run the tracert [ -a source-ip-address | -f first-TTL | -m max-TTL | -p port | -q nqueries |
-vpn-instance vpn-instance-name | -w timeout ]* dest-address command to check the
gateways through which the IPv4 packets are sent from the transmitting end on the IPv4
backbone network to the destination address on the IPv4 backbone network.
----End

Example
After IPv6 VPN configurations are complete, run the ping command with ipv6 vpn-instance
vpn-instance-name on the PE to check whether the PE can communicate with the CE in the same
IPv6 VPN. If the ping fails, run the tracert command with vpn-instance vpn-instance-name to
locate the fault.
If multiple interfaces on a PE are bound to the same VPN instance enabled with an IPv6 address
family, specify the source IP address when you ping the remote CE that accesses the peer PE.
This means that the parameter -a source-ipv6-address needs to be specified in the ping
command. If you do not specify a source IP address, the PE selects the address of its interface
bound to the VPN instance as the source address of the ICMPv6 packet. If the CE does not have
a route to the selected IPv6 address, the ICMPv6 packet sent back from the peer PE will be
discarded.

NOTE

By default, for an MPLS TTL timeout packet that carries a single MPLS label, the router returns the
ICMPv6 packet based on the local IP route, which is a public network route. No VPN route, however,
exists in the public-network routing table of the ASBR. As a result, the ICMPv6 packet is discarded
when it is sent from the ASBR or returned to the ASBR.

3.13.3 Checking Route Statistics for a VPN Instance IPv6 Address Family

This section describes how to check statistics about the routes learned by using various protocols
in the VPN instance IPv6 address family.

Procedure
l Run the display ipv6 routing-table vpn-instance vpn-instance-name statistics command
to check route statistics for a specified VPN instance IPv6 address family.
----End

3.13.4 Clearing BGP Statistics for a VPN Instance IPv6 Address Family

BGP statistics for the VPN instance IPv6 address family cannot be restored after being cleared.
Exercise caution when clearing the statistics.


Context

CAUTION
BGP statistics for the VPN instance IPv6 address family cannot be restored after being cleared.
Exercise caution when clearing the statistics.

Procedure
l Run the reset bgp vpn-instance vpn-instance-name ipv6-family [ ipv6-address ] flap-
info command in the user view to clear statistics about BGP peer flapping for a specified
VPN instance IPv6 address family.
l Run the reset bgp vpn-instance vpn-instance-name ipv6-family dampening [ ipv6-
address mask-length ] command in the user view to clear dampening information of a
specified VPN instance IPv6 address family.

----End

3.13.5 Resetting BGP Connections


If a faulty BGP connection needs to be restarted or a new BGP configuration needs to take effect,
you can use soft reset or reset the BGP connection to address the need. Note that resetting a BGP
connection will interrupt VPN services.

Context

CAUTION
Resetting BGP connections will interrupt VPN services. Exercise caution when performing the
resetting action.

When the BGP configuration changes, you can use soft reset or reset BGP connections to validate
the new BGP configuration. Soft reset requires BGP peers to be able to refresh routes. This
means that BGP peers should support Route-Refresh messages.

Procedure
l Run the refresh bgp vpn-instance vpn-instance-name ipv6-family { all | ipv6-address |
group group-name | internal | external } { import | export } command to trigger the soft
reset of the VPN instance IPv6 address family's BGP connections in the inbound or
outbound direction.
l Run the refresh bgp vpnv6 { all | ipv4-address | group group-name | internal |
external } { import | export } command to trigger the soft reset of BGP VPNv6
connections in the inbound or outbound direction.
l Run the reset bgp vpn-instance vpn-instance-name ipv6-family { all | as-number | ipv6-
address | group group-name | external } command to reset the BGP connections of a
specified VPN instance IPv6 address family.


l Run the reset bgp vpnv6 { as-number | ipv4-address | group group-name | all | internal |
external } command to reset BGP VPNv6 connections.
----End

3.14 Configuration Examples


This section provides several configuration examples of BGP/MPLS IPv6 VPN.

3.14.1 Example for Configuring Basic BGP/MPLS IPv6 VPN


This section provides an example to illustrate how to configure basic BGP/MPLS IPv6 VPN to
allow intra-VPN access and prohibit inter-VPN access.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, an interface is numbered in the format of chassis ID/
slot number/card number/interface number. If the slot number is specified, the chassis ID of the
slot must also be specified.

If users at different sites need IPv6 data communication with each other across the public
network without exposing their internal route information to the public network, BGP/MPLS
IPv6 VPN can be deployed. BGP/MPLS IPv6 VPN also isolates VPNs from each other: it allows
intra-VPN access and prohibits inter-VPN access.
As shown in Figure 3-8, CE1 and CE3 belong to vpna; CE2 and CE4 belong to vpnb. It is
required that BGP/MPLS IPv6 VPN be configured to allow site access within each VPN across
the MPLS backbone network and prohibit site access between vpna and vpnb. In addition, PEs
and CEs are required to use different routing protocols for route exchange. The requirements
are as follows:
l BGP4+ between PE1 and CE1, and between PE2 and CE4
l IPv6 static route between PE1 and CE2
l IS-IS between PE2 and CE3


Figure 3-8 Networking diagram for configuring basic BGP/MPLS IPv6 VPN
[Diagram not reproduced: CE1 (vpna) and CE2 (vpnb) attach to PE1, and CE3 (vpna) and CE4 (vpnb)
attach to PE2. PE1, the P, and PE2 form the MPLS backbone in AS 100.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure an IGP on the IPv4 backbone network for IP connectivity between the PEs on
the backbone network.
2. Configure MPLS and MPLS LDP on each PE and the P, and establish an LDP LSP between
the PEs.
3. Configure MP-IBGP between PE1 and PE2 to exchange IPv6 VPN routing information.
4. Configure VPN instances that support the IPv6 address family on PE1 and PE2, and bind
the interfaces connecting the PEs to CEs to the VPN instances.
5. Configure IPv6 routing protocols between PEs and CEs to exchange IPv6 routing
information.

Data Preparation
To complete the configuration, you need the following data:

l Numbers of the ASs where the PEs and CEs reside


l Names of VPN instances
l Attributes of the VPN instance IPv6 address family, such as the RD and VPN target


Procedure
Step 1 Configure IPv4 or IPv6 addresses for interfaces on each device.
# Configure an IPv6 address for the interface on CE1.
<CE1> system-view
[~CE1] interface gigabitethernet 1/0/0
[~CE1-GigabitEthernet1/0/0] ipv6 enable
[~CE1-GigabitEthernet1/0/0] ipv6 address 2001::1 64
[~CE1-GigabitEthernet1/0/0] quit
[~CE1] commit

The configurations of CE2, CE3, CE4, PE1, PE2, and the P are similar to the configuration of
CE1. For details on the configuration procedure, see the following configuration files.
Step 2 Configure an IGP on the IPv4 backbone network for IP connectivity between the PEs. In this
example, IS-IS is configured as an IGP.
# Configure PE1.
[~PE1] isis 1
[~PE1-isis-1] network-entity 10.1111.1111.1111.00
[~PE1-isis-1] quit
[~PE1] interface pos 3/0/0
[~PE1-Pos3/0/0] isis enable 1
[~PE1-Pos3/0/0] quit
[~PE1] interface loopback 1
[~PE1-LoopBack1] isis enable 1
[~PE1-LoopBack1] quit
[~PE1] commit

The configurations of the P and PE2 are similar to the configuration of PE1. For details on the
configuration procedure for the P and PE2, see the following configuration files.
After the configuration is complete, PE1, the P, and PE2 can learn the routes, including routes
to the loopback interfaces, from one another. You can run the display ip routing-table command
to view the routes. The following uses the display on PE1 as an example:
[~PE1] display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 9 Routes : 9

Destination/Mask    Proto    Pre  Cost  Flags  NextHop       Interface

1.1.1.9/32          Direct   0    0     D      127.0.0.1     InLoopBack0
2.2.2.9/32          ISIS-L2  15   10    D      192.168.1.2   Pos3/0/0
3.3.3.9/32          ISIS-L2  15   20    D      192.168.1.2   Pos3/0/0
127.0.0.0/8         Direct   0    0     D      127.0.0.1     InLoopBack0
127.0.0.1/32        Direct   0    0     D      127.0.0.1     InLoopBack0
192.168.1.0/24      Direct   0    0     D      192.168.1.1   Pos3/0/0
192.168.1.1/32      Direct   0    0     D      127.0.0.1     InLoopBack0
192.168.1.2/32      Direct   0    0     D      192.168.1.2   Pos3/0/0
192.168.2.0/24      ISIS-L2  15   20    D      192.168.1.2   Pos3/0/0

Step 3 Enable MPLS and MPLS LDP on the devices in the IPv4 backbone network and interfaces on
the devices, and set up an LDP LSP between PE1 and PE2.
# Enable MPLS and MPLS LDP on PE1.
[~PE1] mpls lsr-id 1.1.1.9
[~PE1] mpls
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] quit
[~PE1] interface pos 3/0/0
[~PE1-Pos3/0/0] mpls
[~PE1-Pos3/0/0] mpls ldp
[~PE1-Pos3/0/0] quit
[~PE1] commit

The configurations of the P and PE2 are similar to the configuration of PE1. For details on the
configuration procedure for the P and PE2, see the following configuration files.
After the configuration is complete, PE1 and PE2 can set up LDP LSPs. You can run the display
mpls ldp lsp command to check whether LDP LSPs are set up. The following uses the display
on PE1 as an example:
[~PE1] display mpls ldp lsp
LDP LSP Information
-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
1.1.1.9/32 3/NULL 2.2.2.9 127.0.0.1 InLoop0
*1.1.1.9/32 Liberal/1024 DS/2.2.2.9
2.2.2.9/32 NULL/3 - 192.168.1.2 Pos3/0/0
2.2.2.9/32 1024/3 2.2.2.9 192.168.1.2 Pos3/0/0
3.3.3.9/32 NULL/1025 - 192.168.1.2 Pos3/0/0
3.3.3.9/32 1025/1025 2.2.2.9 192.168.1.2 Pos3/0/0
-------------------------------------------------------------------------------
TOTAL: 5 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is in GR state
A '*' before a DS means the session is in GR state
A '*' before a NextHop means the LSP is FRR LSP

Step 4 On PEs, create VPN instances that support the IPv6 address family and bind the interfaces
connecting the PEs to CEs to the VPN instances.
# Create an IPv6 address family-supporting VPN instance named vpna on PE1.
[~PE1] ip vpn-instance vpna
[~PE1-vpn-instance-vpna] ipv6-family
[~PE1-vpn-instance-vpna-af-ipv6] route-distinguisher 100:1
[~PE1-vpn-instance-vpna-af-ipv6] vpn-target 22:22 export-extcommunity
[~PE1-vpn-instance-vpna-af-ipv6] vpn-target 33:33 import-extcommunity
[~PE1-vpn-instance-vpna-af-ipv6] quit
[~PE1-vpn-instance-vpna] quit
[~PE1] commit

# Bind the interface connecting PE1 to CE1 to vpna.


[~PE1] interface gigabitethernet 1/0/0
[~PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[~PE1-GigabitEthernet1/0/0] ipv6 enable
[~PE1-GigabitEthernet1/0/0] ipv6 address 2001::2 64
[~PE1-GigabitEthernet1/0/0] quit
[~PE1] commit

# Create an IPv6 address family-supporting VPN instance named vpnb on PE1.


[~PE1] ip vpn-instance vpnb
[~PE1-vpn-instance-vpnb] ipv6-family
[~PE1-vpn-instance-vpnb-af-ipv6] route-distinguisher 100:3
[~PE1-vpn-instance-vpnb-af-ipv6] vpn-target 44:44 export-extcommunity
[~PE1-vpn-instance-vpnb-af-ipv6] vpn-target 55:55 import-extcommunity
[~PE1-vpn-instance-vpnb-af-ipv6] quit
[~PE1-vpn-instance-vpnb] quit
[~PE1] commit

# Bind the interface connecting PE1 to CE2 to vpnb.
[~PE1] interface gigabitethernet 2/0/0
[~PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpnb
[~PE1-GigabitEthernet2/0/0] ipv6 enable
[~PE1-GigabitEthernet2/0/0] ipv6 address 2003::2 64
[~PE1-GigabitEthernet2/0/0] quit
[~PE1] commit

The configuration of PE2 is similar to the configuration of PE1. For details on the configuration
procedure for PE2, see the following configuration files.

After the configuration is complete, you can run the display ip vpn-instance verbose command
on each PE to check the configuration of its VPN instance. You can also find that each PE can
successfully ping its connected CE. The following uses the display on PE1 as an example:
[~PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 2

VPN-Instance Name and ID : vpna, 1


Interfaces : GigabitEthernet1/0/0
Address family ipv6
Create date : 2010/07/20 12:31:47 UTC-08:00
Up time : 0 days, 04 hours, 37 minutes and 05 seconds
Route Distinguisher : 100:1
Export VPN Targets : 22:22
Import VPN Targets : 33:33
Label Policy : label per route
Log Interval : 5

VPN-Instance Name and ID : vpnb, 2


Interfaces : GigabitEthernet2/0/0
Address family ipv6
Create date : 2010/07/20 14:41:46 UTC-08:00
Up time : 0 days, 02 hours, 27 minutes and 06 seconds
Route Distinguisher : 100:3
Export VPN Targets : 44:44
Import VPN Targets : 55:55
Label Policy : label per route
Log Interval : 5
[~PE1] ping ipv6 vpn-instance vpna 2001::1
PING 2001::1 : 56 data bytes, press CTRL_C to break
Reply from 2001::1
bytes=56 Sequence=1 hop limit=64 time = 20 ms
Reply from 2001::1
bytes=56 Sequence=2 hop limit=64 time = 30 ms
Reply from 2001::1
bytes=56 Sequence=3 hop limit=64 time = 30 ms
Reply from 2001::1
bytes=56 Sequence=4 hop limit=64 time = 1 ms
Reply from 2001::1
bytes=56 Sequence=5 hop limit=64 time = 1 ms

--- 2001::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/16/30 ms

Step 5 Establish a VPNv6 peer relationship between the PEs.

# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] peer 3.3.3.9 as-number 100
[~PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[~PE1-bgp] ipv6-family vpnv6
[~PE1-bgp-af-vpnv6] peer 3.3.3.9 enable
[~PE1-bgp-af-vpnv6] quit
[~PE1] commit

# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] peer 1.1.1.9 as-number 100
[~PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[~PE2-bgp] ipv6-family vpnv6
[~PE2-bgp-af-vpnv6] peer 1.1.1.9 enable
[~PE2-bgp-af-vpnv6] quit
[~PE2] commit

After the configuration is complete, you can run the display bgp vpnv6 all peer command on
the PEs to check whether the VPNv6 peer relationship is set up. The following uses the display
on PE1 as an example:
[~PE1] display bgp vpnv6 all peer

BGP local router ID : 3.3.3.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1

Peer            V     AS  MsgRcvd  MsgSent  OutQ   Up/Down        State  PrefRcv
1.1.1.9         4    100        4        3     0  00:01:50  Established        0

The command output shows that the status of the VPNv6 peer relationship is Established. This
means that the VPNv6 peer relationship between PE1 and PE2 is successfully set up.
Step 6 Configure BGP4+ on PE1 and CE1.
# Configure EBGP on PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv6-family vpn-instance vpna
[~PE1-bgp6-vpna] peer 2001::1 as-number 65410
[~PE1-bgp6-vpna] quit
[~PE1-bgp] quit
[~PE1] commit

# Configure EBGP on CE1.


[~CE1] bgp 65410
[~CE1-bgp] router-id 10.10.10.10
[~CE1-bgp] peer 2001::2 as-number 100
[~CE1-bgp] ipv6-family unicast
[~CE1-bgp-af-ipv6] peer 2001::2 enable
[~CE1-bgp-af-ipv6] import-route direct
[~CE1-bgp-af-ipv6] quit
[~CE1-bgp] quit
[~CE1] commit

The configurations of PE2 and CE4 are similar to the configurations of PE1 and CE1. For details
on the configuration procedure for PE2 and CE4, see the following configuration files.
After the configuration is complete, you can run the display bgp vpnv6 vpn-instance
vpn-instance-name peer command on the PEs to check whether the EBGP peer relationship is
set up. The following uses the display on PE1 as an example:
[~PE1] display bgp vpnv6 vpn-instance vpna peer

BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1

Peer            V     AS  MsgRcvd  MsgSent  OutQ   Up/Down        State  PrefRcv
2001::1         4  65410        3        3     0  00:00:37  Established        1

Step 7 Configure static routes between PE1 and CE2.


# Configure an IPv6 static route for the VPN instance vpnb on PE1, and import the route into
the routing table of the BGP-VPN instance IPv6 address family.
[~PE1] ipv6 route-static vpn-instance vpnb 1998:: 64 2003::1
[~PE1] bgp 100
[~PE1-bgp] ipv6-family vpn-instance vpnb
[~PE1-bgp6-vpnb] import-route static
[~PE1-bgp6-vpnb] quit
[~PE1-bgp] quit
[~PE1] commit

# Configure a default IPv6 route on CE2.


[~CE2] ipv6 route-static :: 0 2003::2

Step 8 Configure IS-IS between PE2 and CE3.


# Configure IS-IS on PE2.
[~PE2] isis 10 vpn-instance vpna
[~PE2-isis-10] network-entity 30.0000.0000.0001.00
[~PE2-isis-10] ipv6 enable
[~PE2-isis-10] ipv6 import-route bgp
[~PE2-isis-10] quit
[~PE2] interface gigabitethernet 2/0/0
[~PE2-GigabitEthernet2/0/0] isis ipv6 enable 10
[~PE2-GigabitEthernet2/0/0] quit
[~PE2] commit

# Import IS-IS routes into BGP on PE2.


[~PE2] bgp 100
[~PE2-bgp] ipv6-family vpn-instance vpna
[~PE2-bgp6-vpna] import-route isis 10
[~PE2-bgp6-vpna] quit
[~PE2-bgp] quit
[~PE2] commit

# Configure IS-IS on CE3.


[~CE3] isis 10
[~CE3-isis-10] network-entity 30.0000.0000.0002.00
[~CE3-isis-10] ipv6 enable
[~CE3-isis-10] quit
[~CE3] interface gigabitethernet 1/0/0
[~CE3-GigabitEthernet1/0/0] isis ipv6 enable 10
[~CE3-GigabitEthernet1/0/0] quit
[~CE3] interface gigabitethernet 2/0/0
[~CE3-GigabitEthernet2/0/0] isis ipv6 enable 10
[~CE3-GigabitEthernet2/0/0] quit
[~CE3] commit

Step 9 Verify the configuration.


After the configuration is complete, the ping (with the source address specified in the ping
command) between CE1 and CE3, and between CE2 and CE4 can succeed. The following uses
the display on CE1 as an example:
[~CE1] ping ipv6 -a 1998::1 1999::1
PING 1999::1 : 56 data bytes, press CTRL_C to break
Reply from 1999::1
bytes=56 Sequence=1 hop limit=62 time = 170 ms
Reply from 1999::1
bytes=56 Sequence=2 hop limit=62 time = 140 ms
Reply from 1999::1
bytes=56 Sequence=3 hop limit=62 time = 150 ms
Reply from 1999::1
bytes=56 Sequence=4 hop limit=62 time = 140 ms
Reply from 1999::1
bytes=56 Sequence=5 hop limit=62 time = 170 ms

--- 1999::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 140/154/170 ms

The address 1999::1/64 also exists on CE4. To determine whether the forwarding path is the
expected one, run the display ipv6 statistics interface command on PE2 and check whether the
number of ICMPv6 packets sent and received on each interface changes.
Run the ping ipv6 -a 1998::1 -c 100 1999::1 command on CE1 to send 100 IPv6 data packets
with the specified source address to PE2. On PE2, run the display ipv6 statistics interface
gigabitethernet1/0/0 and display ipv6 statistics interface gigabitethernet2/0/0 commands
repeatedly to check the number of ICMPv6 packets sent and received on GE 1/0/0 and GE 2/0/0.
The command outputs show that the number of ICMPv6 packets sent and received on GE 2/0/0
keeps changing. This indicates that IPv6 data is forwarded to CE3, which is in the same VPN
as CE1. It also proves that vpna and vpnb are isolated from each other.
----End

Configuration Files
● Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpna
ipv6-family
route-distinguisher 100:1
vpn-target 22:22 export-extcommunity
vpn-target 33:33 import-extcommunity
#
ip vpn-instance vpnb
ipv6-family
route-distinguisher 100:3
vpn-target 44:44 export-extcommunity
vpn-target 55:55 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
isis 1
network-entity 10.1111.1111.1111.00
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpnb
ipv6 enable
ipv6 address 2003::2/64
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 192.168.1.1 255.255.255.0
isis enable 1
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ipv6 enable
ipv6 address 2001::2/64
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
isis enable 1
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv6-family unicast
undo synchronization
#
ipv6-family vpnv6
policy vpn-target
peer 3.3.3.9 enable
#
ipv6-family vpn-instance vpna
peer 2001::1 as-number 65410
#
ipv6-family vpn-instance vpnb
import-route static
#
ipv6 route-static vpn-instance vpnb 1998:: 64 2003::1
#
return
● Configuration file of the P

#
sysname P
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
isis 1
network-entity 20.2222.2222.2222.00
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 192.168.1.2 255.255.255.0
isis enable 1
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 192.168.2.1 255.255.255.0
isis enable 1
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
isis enable 1
#
return
● Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpna
ipv6-family
route-distinguisher 100:2
vpn-target 33:33 export-extcommunity
vpn-target 22:22 import-extcommunity
#
ip vpn-instance vpnb
ipv6-family
route-distinguisher 100:4
vpn-target 55:55 export-extcommunity
vpn-target 44:44 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
isis 1
network-entity 30.3333.3333.3333.00
#
isis 10 vpn-instance vpna
network-entity 30.0000.0000.0001.00
#
ipv6 enable topology standard
ipv6 import-route bgp
#
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpnb
ipv6 enable
ipv6 address 2005::2/64
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 192.168.2.2 255.255.255.0
isis enable 1
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna
ipv6 enable
ipv6 address 2004::2/64
isis ipv6 enable 10
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
isis enable 1
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 1.1.1.9 enable
#
ipv6-family vpn-instance vpna
import-route isis 10
#
ipv6-family vpn-instance vpnb
peer 2005::1 as-number 65420
#
return
● Configuration file of CE1

#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 2001::1/64
#
interface LoopBack1
ipv6 enable
ipv6 address 1998::1/64
#
bgp 65410
router-id 10.10.10.10
peer 2001::2 as-number 100
#
ipv4-family unicast
undo synchronization
#
ipv6-family unicast
undo synchronization
network 1998:: 64
import-route direct
peer 2001::2 enable
#
return
● Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 2003::1/64
#
interface LoopBack1
ipv6 enable
ipv6 address 1998::1/64
#
ipv6 route-static :: 0 2003::2
#
return
● Configuration file of CE3
#
sysname CE3
#
isis 10
network-entity 30.0000.0000.0002.00
#
ipv6 enable topology standard
#
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 2004::1/64
isis ipv6 enable 10
#
interface LoopBack1
ipv6 enable
ipv6 address 1999::1/64
isis ipv6 enable 10
#
return

● Configuration file of CE4


#
sysname CE4
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 2005::1/64
#
interface LoopBack1
ipv6 enable
ipv6 address 1999::1/64
#
bgp 65420
router-id 20.20.20.20
peer 2005::2 as-number 100
#
ipv4-family unicast
undo synchronization
#
ipv6-family unicast
undo synchronization
import-route direct
peer 2005::2 enable
#
return
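
The isolation checked in Step 9 follows from the vpn-target values in the PE1 and PE2 configuration files above: a VPN instance accepts a route only when one of its import targets matches an export target carried by the route. The following Python code is an added example, not part of the Huawei guide; it parses the vpn-instance sections copied from those files and lists which instances exchange routes. The function names, and the assumption that an instance name identifies the VPN, are this example's own.

```python
from itertools import product

# Sample input: the vpn-instance sections of the PE1 and PE2 configuration
# files above, as they appear on this page (indentation was lost in extraction).
PE_CONFIGS = {
    "PE1": """\
ip vpn-instance vpna
ipv6-family
route-distinguisher 100:1
vpn-target 22:22 export-extcommunity
vpn-target 33:33 import-extcommunity
#
ip vpn-instance vpnb
ipv6-family
route-distinguisher 100:3
vpn-target 44:44 export-extcommunity
vpn-target 55:55 import-extcommunity
#
""",
    "PE2": """\
ip vpn-instance vpna
ipv6-family
route-distinguisher 100:2
vpn-target 33:33 export-extcommunity
vpn-target 22:22 import-extcommunity
#
ip vpn-instance vpnb
ipv6-family
route-distinguisher 100:4
vpn-target 55:55 export-extcommunity
vpn-target 44:44 import-extcommunity
#
""",
}

DIRECTIONS = {"export-extcommunity", "import-extcommunity", "both"}


def parse_vpn_instances(config):
    """Return {name: {"rd": str or None, "import": set, "export": set}}."""
    instances, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[:2] == ["ip", "vpn-instance"] and len(words) == 3:
            current = instances.setdefault(
                words[2], {"rd": None, "import": set(), "export": set()})
        elif words[0] == "#":
            current = None  # "#" closes a section in a configuration file
        elif current is None:
            continue
        elif words[0] == "route-distinguisher" and len(words) == 2:
            current["rd"] = words[1]
        elif words[0] == "vpn-target" and len(words) >= 2:
            # Without a keyword (as for vpn1 in section 3.14.3) the target
            # applies in both directions.
            if words[-1] in DIRECTIONS:
                direction, targets = words[-1], words[1:-1]
            else:
                direction, targets = "both", words[1:]
            if direction != "import-extcommunity":
                current["export"].update(targets)
            if direction != "export-extcommunity":
                current["import"].update(targets)
    return instances


def route_flows(configs):
    """List (exporting PE, instance, importing PE, instance, shared targets)."""
    vrfs = [(pe, name, data)
            for pe, text in sorted(configs.items())
            for name, data in sorted(parse_vpn_instances(text).items())]
    flows = []
    for (e_pe, e_vrf, e), (i_pe, i_vrf, i) in product(vrfs, repeat=2):
        shared = e["export"] & i["import"]
        if (e_pe, e_vrf) != (i_pe, i_vrf) and shared:
            flows.append((e_pe, e_vrf, i_pe, i_vrf, tuple(sorted(shared))))
    return flows


def cross_vpn_leaks(configs):
    """Flows whose two ends are differently named instances (assumed to be different VPNs)."""
    return [flow for flow in route_flows(configs) if flow[1] != flow[3]]


if __name__ == "__main__":
    for e_pe, e_vrf, i_pe, i_vrf, targets in route_flows(PE_CONFIGS):
        print("%s/%s -> %s/%s via %s" % (e_pe, e_vrf, i_pe, i_vrf, ",".join(targets)))
    print("cross-VPN flows:", cross_vpn_leaks(PE_CONFIGS))
```

With the configuration on this page the only flows are vpna to vpna and vpnb to vpnb. A single extra import target, such as 22:22 added to vpnb on PE2, makes cross_vpn_leaks() report PE1/vpna -> PE2/vpnb, which is why route-target changes deserve the same review as ACL changes.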

3.14.2 Example for Configuring BGP4+ AS Number Substitution


If the AS numbers of different sites in a VPN are the same and EBGP peer relationships are set
up between PEs and CEs, AS number replacement needs to be enabled on PEs. Otherwise, CEs
will discard the VPN routes that carry the same AS information as their local AS information,
and this will make VPN users unable to communicate.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

If different IPv6 VPN sites have the same AS number, and EBGP connections are established
between PEs and CEs, you need to enable BGP4+ AS number substitution on the PEs that the
VPN sites access.

As shown in Figure 3-9, the AS numbers of CE1 and CE2 are both 65410; EBGP is used to
exchange routes between PE1 and CE1, and between PE2 and CE2.

The AS number 65410 is contained in the AS_Path attribute of the BGP routes learned by PE1
from CE1. PE2 learns BGP routes from PE1 and checks the AS_Path attribute of the routes
before using EBGP to send them to CE2. Finding that the AS number 65410 in the AS_Path
attribute of the routes is the same as the AS number of CE2, PE2 does not send the routes to
CE2. As a result, CE1 and CE2 cannot communicate with each other.

If BGP4+ AS number substitution is configured, PE2 will replace the AS number (65410) in the
AS_Path attribute of VPN routes with its own AS number (100). In this manner, the routes can
pass the AS number check provided by BGP and reach CE2, and then the two VPN sites can
access each other.
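
The AS_Path handling described in the two paragraphs above can be modelled in a few lines. The following Python code is an added example, not part of the Huawei guide or of the router's implementation; the function names and the route table are constructed here from the AS numbers and prefixes used in this section.

```python
BACKBONE_AS = 100    # AS of PE1 and PE2 in Figure 3-9
SITE_AS = 65410      # AS shared by CE1 and CE2

# Routes in PE2's vpna table before advertisement to CE2, with the AS_Path each
# carries at that point (constructed from this section): 1998::/64 was learned
# by PE1 from CE1 over EBGP; the other two are direct routes imported on a PE
# and therefore start with an empty AS_Path.
PE2_VPNA_ROUTES = {
    "1998::/64": [SITE_AS],
    "2001::/64": [],
    "2002::/64": [],
}


def pe_advertise(as_path, local_as, peer_as, substitute_as):
    """Return the AS_Path a PE sends to an EBGP CE peer, or None if it sends nothing."""
    path = list(as_path)
    if substitute_as:
        # peer ... substitute-as: each occurrence of the CE's AS number is
        # replaced with the PE's own AS number.
        path = [local_as if asn == peer_as else asn for asn in path]
    elif peer_as in path:
        # Behaviour described in this section: the PE finds the peer's AS
        # number in the AS_Path and does not send the route.
        return None
    # Normal EBGP behaviour: the sender prepends its own AS number.
    return [local_as] + path


def ce_accepts(as_path, own_as):
    """Receiver-side AS_Path loop check: reject a path that contains the local AS."""
    return as_path is not None and own_as not in as_path


def received_by_ce2(substitute_as):
    """AS_Path per prefix as CE2 would list it under received-routes."""
    received = {}
    for prefix, path in PE2_VPNA_ROUTES.items():
        sent = pe_advertise(path, BACKBONE_AS, SITE_AS, substitute_as)
        if ce_accepts(sent, SITE_AS):
            received[prefix] = sent
    return received


if __name__ == "__main__":
    for enabled in (False, True):
        print("substitute-as =", enabled)
        for prefix, path in sorted(received_by_ce2(enabled).items()):
            print("  %-10s %s" % (prefix, " ".join(map(str, path))))
```

After substitution the path for 1998::/64 no longer contains 65410, so CE2's own AS_Path check cannot tell that the route originated at a site using its AS number. On a site with more than one PE attachment this removes the AS_Path loop safeguard, so loop prevention has to come from another mechanism.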

Figure 3-9 Networking diagram for configuring BGP4+ AS number substitution

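(Diagram not reproduced. Interfaces and addresses shown in the figure:)

Device  Interface  IP address    Notes
PE1     Loopback1  1.1.1.9/32    Backbone, AS 100
PE1     POS1/0/0   2001::2/64    Connects to CE1
PE1     POS2/0/0   20.1.1.1/24   Connects to P
P       Loopback1  2.2.2.9/32    Backbone, AS 100
P       POS1/0/0   20.1.1.2/24   Connects to PE1
P       POS2/0/0   30.1.1.1/24   Connects to PE2
PE2     Loopback1  3.3.3.9/32    Backbone, AS 100
PE2     POS1/0/0   2002::2/64    Connects to CE2
PE2     POS2/0/0   30.1.1.2/24   Connects to P
CE1     POS1/0/0   2001::1/64    vpna, AS 65410
CE1     Loopback1  1998::1/64    vpna, AS 65410
CE2     POS1/0/0   2002::1/64    vpna, AS 65410
CE2     Loopback1  1999::1/64    vpna, AS 65410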

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure basic BGP/MPLS IPv6 VPN.


2. Configure EBGP on PEs and CEs to exchange routing information.
3. Configure BGP4+ AS number substitution on PEs.

Data Preparation
To complete the configuration, you need the following data:

● MPLS LSR IDs of PEs and the P
● VPN instances configured on PE1 and PE2
● Same AS number of CE1 and CE2 (which differs from the AS number of the backbone
  network)

Procedure
Step 1 Configure basic BGP/MPLS IPv6 VPN.
For details on the configuration procedure, see Example for Configuring Basic BGP/MPLS
IPv6 VPN. The main configurations are listed below:
● Configure OSPF on the MPLS backbone network so that the PEs can learn the route to each
  other's loopback interface.
● Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS
  backbone network.
● Establish a VPNv6 peer relationship between the PEs.
● Create a VPN instance that supports the IPv6 address family on each PE and bind the interface
  connecting the PE to a CE to the VPN instance.
● Configure BGP on PEs and CEs to exchange routing information.
After the configuration is complete, run the display ipv6 routing-table command on CE2. You
can find that CE2 has learned a route to the network segment 2001::1/64 where the interface that
connects CE1 to PE1 resides, but CE2 does not have a route to 1998::1/64, the loopback interface
of CE1. CE1 is in a similar situation.
<CE2> display ipv6 routing-table
Routing Table : _public_
Destinations : 7 Routes : 7

Destination : ::1 PrefixLength : 128
NextHop : ::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : InLoopBack0 Flags : D

Destination : 1999:: PrefixLength : 64
NextHop : 1999::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : LoopBack1 Flags : D

Destination : 1999::1 PrefixLength : 128
NextHop : ::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : InLoopBack0 Flags : D

Destination : 2001:: PrefixLength : 64
NextHop : 2002::2 Preference : 255
Cost : 0 Protocol : BGP
RelayNextHop : :: TunnelID : 0x0
Interface : Pos1/0/0 Flags : D

Destination : 2002:: PrefixLength : 64
NextHop : 2002::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : Pos1/0/0 Flags : D

Destination : 2002::1 PrefixLength : 128
NextHop : ::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : InLoopBack0 Flags : D

Destination : FE80:: PrefixLength : 10
NextHop : :: Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : NULL0 Flags : D

Run the display ipv6 routing-table vpn-instance command on PE2. You can find that there is
a route to 1998::1/64, the loopback address of the remote CE, in the routing table of the VPN
instance IPv6 address family.
<PE2> display ipv6 routing-table vpn-instance vpna
Routing Table : vpna
Destinations : 6 Routes : 6

Destination : 1998:: PrefixLength : 64
NextHop : ::FFFF:1.1.1.9 Preference : 255
Cost : 0 Protocol : BGP
RelayNextHop : ::FFFF:192.168.2.1 TunnelID : 0x800007
Interface : Pos2/0/0 Flags : RD

Destination : 1999:: PrefixLength : 64
NextHop : 2002::1 Preference : 255
Cost : 0 Protocol : BGP
RelayNextHop : :: TunnelID : 0x0
Interface : Pos1/0/0 Flags : D

Destination : 2001:: PrefixLength : 64
NextHop : ::FFFF:1.1.1.9 Preference : 255
Cost : 0 Protocol : BGP
RelayNextHop : ::FFFF:192.168.2.1 TunnelID : 0x800007
Interface : Pos2/0/0 Flags : RD

Destination : 2002:: PrefixLength : 64
NextHop : 2002::2 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : Pos1/0/0 Flags : D

Destination : 2002::2 PrefixLength : 128
NextHop : ::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : InLoopBack0 Flags : D

Destination : FE80:: PrefixLength : 10
NextHop : :: Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : NULL0 Flags : D

Run the display bgp ipv6 routing-table peer received-routes command on CE2. You can find
that CE2 has not received a route with the prefix 1998::1/64.
[~CE2] display bgp ipv6 routing-table peer 2002::2 received-routes

BGP Local router ID is 30.30.30.30
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 2

*> Network : 2001:: PrefixLen : 64
NextHop : 2002::2 LocPrf :
MED : PrefVal : 0
Label :
Path/Ogn : 100 ?
Network : 2002:: PrefixLen : 64
NextHop : 2002::2 LocPrf :
MED : 0 PrefVal : 0
Label :
Path/Ogn : 100 ?

Step 2 Configure BGP4+ AS number substitution on PEs.


# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] ipv6-family vpn-instance vpna
[~PE2-bgp6-vpna] peer 2002::1 substitute-as
[~PE2-bgp6-vpna] quit
[~PE2-bgp] quit
[~PE2] commit

Run the display bgp ipv6 routing-table peer received-routes command on CE2 to check the
routing information received from the EBGP peer. You can find that CE2 has received a route
to 1998::1/64 from PE2, and the value in the Path/Ogn field is 100 100. This indicates that the
AS number has been replaced.
[~CE2] display bgp ipv6 routing-table peer 2002::2 received-routes

BGP Local router ID is 30.30.30.30
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 3

*> Network : 1998:: PrefixLen : 64
NextHop : 2002::2 LocPrf :
MED : PrefVal : 0
Label :
Path/Ogn : 100 100 i
*> Network : 2001:: PrefixLen : 64
NextHop : 2002::2 LocPrf :
MED : PrefVal : 0
Label :
Path/Ogn : 100 ?
Network : 2002:: PrefixLen : 64
NextHop : 2002::2 LocPrf :
MED : 0 PrefVal : 0
Label :
Path/Ogn : 100 ?

After BGP4+ AS number substitution is configured on PE1, the ping (with the source address
specified in the ping command) between CE1 and CE2 succeeds.
[~CE2] ping ipv6 -a 1999::1 1998::1
PING 1998::1 : 56 data bytes, press CTRL_C to break
Reply from 1998::1
bytes=56 Sequence=1 hop limit=62 time = 140 ms
Reply from 1998::1
bytes=56 Sequence=2 hop limit=62 time = 140 ms
Reply from 1998::1
bytes=56 Sequence=3 hop limit=62 time = 150 ms
Reply from 1998::1
bytes=56 Sequence=4 hop limit=62 time = 170 ms
Reply from 1998::1
bytes=56 Sequence=5 hop limit=62 time = 140 ms

--- 1998::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 140/148/170 ms

----End

Configuration Files
● Configuration file of CE1
#
sysname CE1
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ipv6 enable
ipv6 address 2001::1 64
#
interface LoopBack1
ipv6 enable
ipv6 address 1998::1/64
#
bgp 65410
peer 2001::2 as-number 100
#
ipv6-family unicast
undo synchronization
import-route direct
peer 2001::2 enable
#
return

● Configuration file of PE1


#
sysname PE1
#
ip vpn-instance vpna
ipv6-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ipv6 enable
ip binding vpn-instance vpna
ipv6 address 2001::2 64
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 20.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 3.3.3.9 enable
#
ipv6-family vpn-instance vpna
peer 2001::1 as-number 65410
peer 2001::1 substitute-as
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 20.1.1.0 0.0.0.255
#
return
● Configuration file of the P
#
sysname P
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 20.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 30.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
● Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpna
ipv6-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ipv6 enable
ip binding vpn-instance vpna
ipv6 address 2002::2 64
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 30.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 1.1.1.9 enable
#
ipv6-family vpn-instance vpna
peer 2002::1 as-number 65410
peer 2002::1 substitute-as
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 30.1.1.0 0.0.0.255
#
return

● Configuration file of CE2


#
sysname CE2
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ipv6 enable
ipv6 address 2002::1 64
#
interface LoopBack1
ipv6 enable
ipv6 address 1999::1/64
#
bgp 65410
peer 2002::2 as-number 100
#
ipv6-family unicast
undo synchronization
import-route direct
peer 2002::2 enable
#
return

3.14.3 Example for Configuring Load Balancing Among IPv6 VPN Routes

If there are multiple routes from a PE to a remote or local site, configuring load balancing among
IPv6 VPN routes can fully utilize network resources and improve network reliability.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

Load balancing among IPv6 VPN routes can be applied in the following situations:
● A PE receives multiple VPNv6 routes with the same prefix from different peer PEs.
● Different CEs at a site use BGP to access the same PE, and the PE learns multiple IPv6
  VPN routes with the same VPN prefix from the CEs.
As shown in Figure 3-10, PE1 sets up a VPNv6 peer relationship with PE2 and PE3 and learns
two routes to the CE from PE2 and PE3. It is required that load balancing among IPv6 VPN
routes be configured on PE1 to load balance the IPv6 VPN traffic destined for CE1 between
PE2 and PE3.

Figure 3-10 Networking diagram for configuring load balancing among IPv6 VPN routes
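(Diagram not reproduced. The VPN backbone is AS100, and two of the links in the figure are
labelled Link_A and Link_B. Interfaces and addresses shown in the figure:)

Device  Interface  IP address
PE1     Loopback1  1.1.1.1/32
PE1     Loopback2  1999::1/128
PE1     POS2/0/0   100.1.1.1/30
PE1     POS3/0/0   100.2.1.1/30
PE2     Loopback1  2.2.2.2/32
PE2     POS1/0/0   100.1.1.2/30
PE2     GE2/0/0    2001::2/64
PE3     Loopback1  3.3.3.3/32
PE3     POS1/0/0   100.2.1.2/30
PE3     GE2/0/0    2003::2/64
CE      Loopback1  200:0:1:2::1/128
CE      GE1/0/0    2001::1/64
CE      GE2/0/0    2003::1/64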

Configuration Notes
When configuring load balancing between IPv6 routes, note the following:

● The RDs configured for the IPv6 VPN instance on PE2 and PE3 must be different.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure BGP/MPLS IPv6 VPN, and connect the CE to PE2 and PE3.
2. Configure load balancing among IPv6 VPN routes for the BGP-VPN instance IPv6 address
family on PE1.

Procedure
Step 1 Configure IPv4 addresses for interfaces on the backbone network of the VPN and IPv6 addresses
for interfaces at the VPN site. Details for configuration procedures are not provided here.
Step 2 Configure OSPF on the MPLS backbone network for IP connectivity between the PEs on the
backbone network. Details for configuration procedures are not provided here.
Step 3 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS
backbone network.
# Configure PE1.
<PE1> system-view
[~PE1] mpls lsr-id 1.1.1.1
[~PE1] mpls
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] quit
[~PE1] interface pos2/0/0
[~PE1-Pos2/0/0] mpls
[~PE1-Pos2/0/0] mpls ldp
[~PE1-Pos2/0/0] quit
[~PE1] interface pos3/0/0
[~PE1-Pos3/0/0] mpls
[~PE1-Pos3/0/0] mpls ldp
[~PE1-Pos3/0/0] quit
[~PE1] commit

# Configure PE2.
<PE2> system-view
[~PE2] mpls lsr-id 2.2.2.2
[~PE2] mpls
[~PE2-mpls] quit
[~PE2] mpls ldp
[~PE2-mpls-ldp] quit
[~PE2] interface pos1/0/0
[~PE2-Pos1/0/0] mpls
[~PE2-Pos1/0/0] mpls ldp
[~PE2-Pos1/0/0] quit
[~PE2] commit

# Configure PE3.
<PE3> system-view
[~PE3] mpls lsr-id 3.3.3.3
[~PE3] mpls
[~PE3-mpls] quit
[~PE3] mpls ldp
[~PE3-mpls-ldp] quit
[~PE3] interface pos1/0/0
[~PE3-Pos1/0/0] mpls
[~PE3-Pos1/0/0] mpls ldp
[~PE3-Pos1/0/0] quit
[~PE3] commit

Run the display mpls lsp command on the PEs. You can see that LSPs are set up between PE1
and PE2, and between PE1 and PE3. The following uses the display on PE1 as an example:
[~PE1] display mpls lsp
-------------------------------------------------------------------------------
LSP Information: LDP LSP
-------------------------------------------------------------------------------
FEC                In/Out Label  In/Out IF                      Vrf Name
1.1.1.1/32         3/NULL        -/-
2.2.2.2/32         NULL/3        -/Pos2/0/0
2.2.2.2/32         1025/3        -/Pos2/0/0
3.3.3.3/32         NULL/3        -/Pos3/0/0
3.3.3.3/32         1024/3        -/Pos3/0/0

Step 4 Configure a VPN instance that supports the IPv6 address family on each PE, and connect the
CE to PE2 and PE3.
# Configure PE1.
[~PE1] ip vpn-instance vpn1
[~PE1-vpn-instance-vpn1] ipv6-family
[~PE1-vpn-instance-vpn1-af-ipv6] route-distinguisher 100:1
[~PE1-vpn-instance-vpn1-af-ipv6] vpn-target 111:1
[~PE1-vpn-instance-vpn1-af-ipv6] quit
[~PE1-vpn-instance-vpn1] quit
[~PE1] interface loopback2
[~PE1-Loopback2] ip binding vpn-instance vpn1
[~PE1-Loopback2] ipv6 enable
[~PE1-Loopback2] ipv6 address 1999::1 128
[~PE1-Loopback2] quit
[~PE1] commit

# Configure PE2.
[~PE2] ip vpn-instance vpn1
[~PE2-vpn-instance-vpn1] ipv6-family
[~PE2-vpn-instance-vpn1-af-ipv6] route-distinguisher 100:2
[~PE2-vpn-instance-vpn1-af-ipv6] vpn-target 111:1
[~PE2-vpn-instance-vpn1-af-ipv6] quit
[~PE2-vpn-instance-vpn1] quit
[~PE2] interface gigabitethernet2/0/0
[~PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[~PE2-GigabitEthernet2/0/0] ipv6 enable
[~PE2-GigabitEthernet2/0/0] ipv6 address 2001::2 64
[~PE2-GigabitEthernet2/0/0] quit
[~PE2] commit

# Configure PE3.
[~PE3] ip vpn-instance vpn1
[~PE3-vpn-instance-vpn1] ipv6-family
[~PE3-vpn-instance-vpn1-af-ipv6] route-distinguisher 100:3
[~PE3-vpn-instance-vpn1-af-ipv6] vpn-target 111:1
[~PE3-vpn-instance-vpn1-af-ipv6] quit
[~PE3-vpn-instance-vpn1] quit
[~PE3] interface gigabitethernet2/0/0
[~PE3-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[~PE3-GigabitEthernet2/0/0] ipv6 enable
[~PE3-GigabitEthernet2/0/0] ipv6 address 2003::2 64
[~PE3-GigabitEthernet2/0/0] quit
[~PE3] commit

Step 5 Establish an EBGP peer relationship between PE2 and the CE, and between PE3 and the CE.
# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] ipv6-family vpn-instance vpn1
[~PE2-bgp6-vpn1] peer 2001::1 as-number 65410
[~PE2-bgp6-vpn1] quit
[~PE2-bgp] quit
[~PE2] commit

# Configure PE3.
[~PE3] bgp 100
[~PE3-bgp] ipv6-family vpn-instance vpn1
[~PE3-bgp6-vpn1] peer 2003::1 as-number 65410
[~PE3-bgp6-vpn1] quit
[~PE3-bgp] quit
[~PE3] commit

# Configure the CE to import the routes of Loopback 1 into BGP.


<CE> system-view
[~CE] bgp 65410
[~CE-bgp] router-id 10.10.10.10
[~CE-bgp] peer 2001::2 as-number 100
[~CE-bgp] peer 2003::2 as-number 100
[~CE-bgp] ipv6-family unicast
[~CE-bgp-af-ipv6] peer 2001::2 enable
[~CE-bgp-af-ipv6] peer 2003::2 enable
[~CE-bgp-af-ipv6] network 200:0:1:2::1 128
[~CE-bgp-af-ipv6] quit
[~CE-bgp] quit
[~CE] commit

After the configuration is complete, run the display bgp vpnv6 all peer command on PE2 and
PE3. You can find that the status of the EBGP peer relationship between the PEs and CE is
Established. This means that the EBGP peer relationships are successfully set up.
The following uses the display on PE2 as an example:
[~PE2] display bgp vpnv6 all peer

 BGP local router ID : 2.2.2.2
 Local AS number : 100
 Total number of peers : 2                 Peers in established state : 2

  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down        State  PrefRcv

  1.1.1.1         4   100       27       24     0  00:19:33  Established        0

  Peer of vpn instance :

 VPN-Instance vpn1, router ID 2.2.2.2:
  2001::1         4 65410       12       10     0  00:08:30  Established        1

Step 6 Establish MP-IBGP peer relationships between PEs.


# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] peer 2.2.2.2 as-number 100
[~PE1-bgp] peer 2.2.2.2 connect-interface loopback 1
[~PE1-bgp] peer 3.3.3.3 as-number 100
[~PE1-bgp] peer 3.3.3.3 connect-interface loopback 1
[~PE1-bgp] ipv6-family vpnv6
[~PE1-bgp-af-vpnv6] peer 2.2.2.2 enable
[~PE1-bgp-af-vpnv6] peer 3.3.3.3 enable
[~PE1-bgp-af-vpnv6] quit
[~PE1-bgp] quit
[~PE1] commit

# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] peer 1.1.1.1 as-number 100
[~PE2-bgp] peer 1.1.1.1 connect-interface loopback 1
[~PE2-bgp] ipv6-family vpnv6
[~PE2-bgp-af-vpnv6] peer 1.1.1.1 enable
[~PE2-bgp-af-vpnv6] quit
[~PE2-bgp] quit
[~PE2] commit

# Configure PE3.
[~PE3] bgp 100

[~PE3-bgp] peer 1.1.1.1 as-number 100


[~PE3-bgp] peer 1.1.1.1 connect-interface loopback 1
[~PE3-bgp] ipv6-family vpnv6
[~PE3-bgp-af-vpnv6] peer 1.1.1.1 enable
[~PE3-bgp-af-vpnv6] quit
[~PE3-bgp] quit
[~PE3] commit

After the configuration is complete, run the display bgp vpnv6 all peer command on the PEs.
You can find that the status of the MP-IBGP peer relationships between PEs is Established.
This means that the MP-IBGP peer relationships are successfully set up.
The following uses the display on PE1 as an example:
<PE1> display bgp vpnv6 all peer
BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2.2.2.2 4 100 20 17 0 00:13:26 Established 5
3.3.3.3 4 100 24 19 0 00:17:18 Established 5

Step 7 Configure load balancing among IPv6 VPN routes.


# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv6-family vpn-instance vpn1
[~PE1-bgp6-vpn1] maximum load-balancing 2
[~PE1-bgp6-vpn1] quit
[~PE1-bgp] quit
[~PE1] commit

Step 8 Verify the configuration.


After the configuration is complete, run the display ipv6 routing-table vpn-instance
verbose command on PE1. The output shows that both PE2 and PE3 serve as next hops of the
IPv6 VPN routes to the loopback interface on the CE.
<PE1> display ipv6 routing-table vpn-instance vpn1 200:0:1:2::1
Routing Table : vpn1
Summary Count : 2

Destination : 200:0:1:2::1 PrefixLength : 128


NextHop : ::FFFF:2.2.2.2 Preference : 255
Cost : 0 Protocol : BGP
RelayNextHop : ::FFFF:100.1.1.2 TunnelID : 0x800003
Interface : Pos2/0/0 Flags : RD

Destination : 200:0:1:2::1 PrefixLength : 128


NextHop : ::FFFF:3.3.3.3 Preference : 255
Cost : 0 Protocol : BGP
RelayNextHop : ::FFFF:100.2.1.2 TunnelID : 0x800001
Interface : Pos3/0/0 Flags : RD

----End

Configuration Files
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpn1
ipv6-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity

vpn-target 111:1 import-extcommunity


#
mpls lsr-id 1.1.1.1
#
mpls
#
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 100.1.1.1 255.255.255.252
mpls
mpls ldp
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 100.2.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
interface LoopBack2
ip binding vpn-instance vpn1
ipv6 enable
ipv6 address 1999::1/128
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
peer 3.3.3.3 enable
#
ipv6-family vpnv6
policy vpn-target
peer 2.2.2.2 enable
peer 3.3.3.3 enable
#
ipv6-family vpn-instance vpn1
maximum load-balancing 2
#
ospf 1
area 0.0.0.0
network 100.1.1.0 0.0.0.3
network 100.2.1.0 0.0.0.3
network 1.1.1.1 0.0.0.0
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv6-family
route-distinguisher 100:2
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 2.2.2.2
#
mpls

#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.1.1.2 255.255.255.252
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ipv6 enable
ip binding vpn-instance vpn1
ipv6 address 2001::2/64
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv6-family vpnv6
policy vpn-target
peer 1.1.1.1 enable
#
ipv6-family vpn-instance vpn1
peer 2001::1 as-number 65410
import-route direct
#
ospf 1
area 0.0.0.0
network 100.1.1.0 0.0.0.3
network 2.2.2.2 0.0.0.0
#
return
• Configuration file of PE3
#
sysname PE3
#
ip vpn-instance vpn1
ipv6-family
route-distinguisher 100:3
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.3
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.2.1.2 255.255.255.252
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ipv6 enable
ip binding vpn-instance vpn1
ipv6 address 2003::2/64

#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv6-family vpnv6
policy vpn-target
peer 1.1.1.1 enable
#
ipv6-family vpn-instance vpn1
peer 2003::1 as-number 65410
#
ospf 1
area 0.0.0.0
network 100.2.1.0 0.0.0.3
network 3.3.3.3 0.0.0.0
#
return

• Configuration file of the CE


#
sysname CE
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 2001::1/64
#
interface GigabitEthernet2/0/0
undo shutdown
ipv6 enable
ipv6 address 2003::1/64
#
interface LoopBack1
ipv6 enable
ipv6 address 200:0:1:2::1/128
#
bgp 65410
router-id 10.10.10.10
peer 2001::2 as-number 100
peer 2003::2 as-number 100
#
ipv4-family unicast
undo synchronization
#
ipv6-family unicast
undo synchronization
network 200:0:1:2::1 128
peer 2001::2 enable
peer 2003::2 enable
#
return

3.14.4 Example for Configuring Load Balancing Among Tunnels to Which Remote Cross Routes Are Iterated on an IPv6 VPN
If there are multiple tunnels between PEs on the backbone network, configuring load balancing
among tunnels can fully utilize network resources and enhance the reliability of VPN services
on the backbone network.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

If multiple tunnels such as LDP LSPs and TE tunnels exist between peer PEs on the MPLS
backbone network of a BGP/MPLS IPv6 VPN, load balancing among tunnels can be configured
to distribute IPv6 VPN traffic to the tunnels and prevent network congestion.

As shown in Figure 3-11, two links exist between PE1 and PE2 in the basic BGP/MPLS IPv6
VPN networking: an LDP LSP (PE1-P1-PE2) and a TE tunnel (PE1-P2-PE2). All IPv6 VPN
traffic is forwarded over the LSP according to the default tunnel policy, which may cause the
link of PE1-P1-PE2 to be busy and the link of PE1-P2-PE2 to be idle.

To address this problem, load balancing among tunnels can be configured on the MPLS backbone
network to distribute IPv6 VPN traffic evenly to the two tunnels.

Figure 3-11 Networking diagram for configuring load balancing among tunnels to which remote
cross routes are iterated on an IPv6 VPN

[Figure: backbone AS 100 with PE1 (Loopback1 1.1.1.9/32, Loopback2 1999::1/128), P1 (Loopback1
2.2.2.9/32), P2 (Loopback1 4.4.4.9/32), and PE2 (Loopback1 3.3.3.9/32). PE1 reaches PE2 through
P1 and through P2. CE2 (Loopback1 200:0:1:2::1/128, GE1/0/0 2002::2/64) connects to GE3/0/0
(2002::1/64) on PE2. The POS interface addresses are listed in the configuration files of this
example.]

Configuration Notes
When configuring load balancing among tunnels to which remote cross routes are iterated on
an IPv6 VPN, note the following:

• Ensure that the tunnels existing in the system can meet the requirements of the configured
  tunnel policy.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF on the MPLS backbone network for IP connectivity between devices on
the backbone network.
2. On the MPLS backbone network, enable MPLS and MPLS LDP to set up an LDP LSP;
enable MPLS TE to set up an MPLS TE tunnel.
3. Configure an IPv6 address family-enabled VPN instance on the PEs and connect the CE
to PE2.
4. Create a tunnel policy on PE1 to distribute traffic to the LDP LSP and TE tunnel between
PE1 and PE2.
5. Apply the tunnel policy to the VPN instance IPv6 address family on PE1.

Procedure
Step 1 Configure basic BGP/MPLS IPv6 VPN.
For details on the configuration procedure, see Example for Configuring Basic BGP/MPLS
IPv6 VPN. The main configurations are listed below:
• Configure OSPF on the MPLS backbone network so that the PEs can learn the route to each
  other's loopback interface.
• Configure basic MPLS functions and enable MPLS LDP on PE1, P1, and PE2 to set up an
  LDP LSP between the PEs.
• Enable MPLS TE on PE1, P2, and PE2 to set up an MPLS TE tunnel between the PEs.
• Establish a VPNv6 peer relationship between the PEs.
• Create a VPN instance that supports the IPv6 address family on each PE and bind the interface
  connecting the PE to the CE to the VPN instance.
• Enable BGP between the PEs and CE, and import the routes to the loopback interface into
  BGP on the CE.
After the configuration is complete, run the display ipv6 routing-table vpn-instance command
on PE1. You can find that PE1 has learned the route to the loopback interface on the CE.
<PE1> display ipv6 routing-table vpn-instance vpn1
Routing Table : vpn1
Destinations : 4 Routes : 4

Destination : 200:0:1:2::1 PrefixLength : 128


NextHop : ::FFFF:3.3.3.9 Preference : 255
Cost : 0 Protocol : BGP
RelayNextHop : :: TunnelID : 0x800011
Interface : LDP LSP Flags : RD

Destination : 1999:: PrefixLength : 28


NextHop : 1999::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : LoopBack2 Flags : D

Destination : 1999::1 PrefixLength : 128


NextHop : ::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : InLoopBack0 Flags : D

Destination : FE80:: PrefixLength : 10

NextHop : :: Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : NULL0 Flags : D
<PE1> display ipv6 routing-table vpn-instance vpn1 200:0:1:2::1 verbose
Routing Table : vpn1
Summary Count : 1

Destination : 200:0:1:2::1 PrefixLength : 128


NextHop : ::FFFF:3.3.3.9 Preference : 255
Neighbour : ::3.3.3.9 ProcessID : 0
Label : 1027 Protocol : BGP
State : Active Adv Relied Cost : 0
Entry ID : 21 EntryFlags : 0x80024904
Reference Cnt: 2 Tag : 0
IndirectID : 0x24 Age : 895sec
RelayNextHop : :: TunnelID : 0x0000000001004c4ba2
Interface : LDP LSP Flags : RD

The command output shows that PE1 iterates the route to 200:0:1:2::1/128 to only one LSP since
no tunnel policy is applied to the VPN instance IPv6 address family, and the outbound interface
is POS 2/0/0.
Step 2 Apply a tunnel policy to the VPN instance IPv6 address family on PE1.
Configure a tunnel policy in select-sequence mode so that TE tunnels are selected first and
LSPs second, and set the number of tunnels participating in load balancing to 2.
# Configure PE1.
[~PE1] tunnel-policy te-lsp-l2
[~PE1-tunnel-policy-te-lsp-l2] tunnel select-seq cr-lsp lsp load-balance-number 2
[~PE1-tunnel-policy-te-lsp-l2] quit

# Apply the tunnel policy to the VPN instance IPv6 address family.
[~PE1] ip vpn-instance vpn1
[~PE1-vpn-instance-vpn1] ipv6-family
[~PE1-vpn-instance-vpn1-af-ipv6] tnl-policy te-lsp-l2
[~PE1-vpn-instance-vpn1-af-ipv6] quit
[~PE1-vpn-instance-vpn1] quit
[~PE1] commit

Step 3 Verify the configuration.


After the configuration is complete, run the display ipv6 routing-table vpn-instance
verbose command on PE1. You can find that the route to the loopback interface on the CE is
iterated to two tunnels.
<PE1> display ipv6 routing-table vpn-instance vpn1 200:0:1:2::1 verbose
Routing Table : vpn1
Summary Count : 1

Destination : 200:0:1:2::1 PrefixLength : 128


NextHop : ::FFFF:3.3.3.9 Preference : 255
Neighbour : :: ProcessID : 0
Label : 1027 Protocol : BGP
State : Active Adv Relied Cost : 0
Entry ID : 21 EntryFlags : 0x80024904
Reference Cnt: 2 Tag : 0
IndirectID : 0x24 Age : 895sec
RelayNextHop : :: TunnelID : 0x000000000300000001
Interface : Tunnel1 Flags : RD
RelayNextHop : :: TunnelID : 0x0000000001004c4ba2
Interface : LDP LSP Flags : RD

Load balancing between tunnels to which remote cross routes are iterated is successfully
deployed on the IPv6 VPN.
----End
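The verification in Step 3, and the one in Step 8 of the preceding example, both come down to counting the paths a VPN route is iterated to. The following Python check is an added example, not part of the Huawei guide: it parses captured display ipv6 routing-table output in both forms and reports whether a prefix uses the expected number of tunnels. The function names and the sample captures are assumptions constructed from the outputs shown on this page.

```python
import re
from collections import defaultdict

# Samples constructed from the "display ipv6 routing-table vpn-instance vpn1 ..."
# outputs on this page (fields not needed here are omitted). The long TunnelID
# values are wrapped onto their own line to exercise that case.
BEFORE_POLICY = """\
Destination  : 200:0:1:2::1      PrefixLength : 128
NextHop      : ::FFFF:3.3.3.9    Preference   : 255
RelayNextHop : ::                TunnelID     :
0x0000000001004c4ba2
Interface    : LDP LSP           Flags        : RD
"""

AFTER_POLICY = """\
Destination  : 200:0:1:2::1      PrefixLength : 128
NextHop      : ::FFFF:3.3.3.9    Preference   : 255
RelayNextHop : ::                TunnelID     :
0x000000000300000001
Interface    : Tunnel1           Flags        : RD
RelayNextHop : ::                TunnelID     :
0x0000000001004c4ba2
Interface    : LDP LSP           Flags        : RD
"""

# Non-verbose form: one block per next hop, as in the route load-balancing example.
TWO_NEXT_HOPS = """\
Destination  : 200:0:1:2::1      PrefixLength : 128
NextHop      : ::FFFF:2.2.2.2    Preference   : 255
RelayNextHop : ::FFFF:100.1.1.2  TunnelID     : 0x800003
Interface    : Pos2/0/0          Flags        : RD

Destination  : 200:0:1:2::1      PrefixLength : 128
NextHop      : ::FFFF:3.3.3.3    Preference   : 255
RelayNextHop : ::FFFF:100.2.1.2  TunnelID     : 0x800001
Interface    : Pos3/0/0          Flags        : RD
"""

DEST_RE = re.compile(r"^Destination\s*:\s*(\S+)\s+PrefixLength\s*:\s*(\d+)")
RELAY_RE = re.compile(r"^RelayNextHop\s*:\s*(\S+)\s+TunnelID\s*:\s*(\S*)")
IFACE_RE = re.compile(r"^Interface\s*:\s*(.+?)\s+Flags\s*:\s*(\S+)")
HEX_RE = re.compile(r"^0x[0-9A-Fa-f]+$")


def forwarding_paths(output):
    """Map 'prefix/length' to the list of (interface, tunnel_id) pairs it is iterated to."""
    paths = defaultdict(list)
    prefix = None
    tunnel_id = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = DEST_RE.match(line)
        if match:
            prefix = f"{match.group(1)}/{match.group(2)}"
            tunnel_id = None
            continue
        match = RELAY_RE.match(line)
        if match:
            tunnel_id = match.group(2)  # empty string when the value wrapped
            continue
        if tunnel_id == "" and HEX_RE.match(line):
            tunnel_id = line  # wrapped TunnelID value found on its own line
            continue
        match = IFACE_RE.match(line)
        if match and prefix is not None:
            # Blocks that repeat the same destination accumulate under one key.
            paths[prefix].append((match.group(1), tunnel_id))
            tunnel_id = None
    return dict(paths)


def check_load_balancing(output, prefix, expected_paths):
    """Return (ok, paths); ok is True when at least expected_paths distinct tunnels are used."""
    paths = forwarding_paths(output).get(prefix, [])
    distinct = {tid for _, tid in paths if tid}
    return len(distinct) >= expected_paths, paths


if __name__ == "__main__":
    for label, capture in (("before policy", BEFORE_POLICY),
                           ("after policy", AFTER_POLICY),
                           ("two next hops", TWO_NEXT_HOPS)):
        ok, paths = check_load_balancing(capture, "200:0:1:2::1/128", 2)
        print(f"{label}: {'OK' if ok else 'NOT balanced'} {paths}")
```
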

Configuration Files
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpn1
ipv6-family
route-distinguisher 100:1
tnl-policy te-lsp-l2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
mpls te
mpls te cspf
mpls rsvp-te
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 20.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
interface LoopBack2
ip binding vpn-instance vpn1
ipv6 enable
ipv6 address 1999::1 128
#
interface Tunnel1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 3.3.3.9
mpls te tunnel-id 100
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 3.3.3.9 enable
#

ospf 1
opaque-capability enable
area 0.0.0.0
mpls-te enable
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 20.1.1.0 0.0.0.255
#
tunnel-policy te-lsp-l2
tunnel select-seq cr-lsp lsp load-balance-number 2
#
return
• Configuration file of P1
#
sysname P1
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 20.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 30.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
opaque-capability enable
area 0.0.0.0
mpls-te enable
network 2.2.2.9 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
• Configuration file of P2
#
sysname P2
#
mpls lsr-id 4.4.4.9
#
mpls
mpls te
mpls te cspf
mpls rsvp-te
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te

#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 40.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
ospf 1
opaque-capability enable
area 0.0.0.0
mpls-te enable
network 4.4.4.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 40.1.1.0 0.0.0.255
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv6-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
mpls te
mpls te cspf
mpls rsvp-te
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 40.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 30.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet3/0/0
undo shutdown
ipv6 enable
ip binding vpn-instance vpn1
ipv6 address 2002::1 64
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast

undo synchronization
peer 1.1.1.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 1.1.1.9 enable
#
ipv6-family vpn-instance vpn1
peer 2002::2 as-number 65410
#
ospf 1
opaque-capability enable
area 0.0.0.0
mpls-te enable
network 3.3.3.9 0.0.0.0
network 30.1.1.0 0.0.0.255
network 40.1.1.0 0.0.0.255
#
return

• Configuration file of CE2


#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 2002::2 64
#
interface LoopBack1
ipv6 enable
ipv6 address 200:0:1:2::1/128
#
bgp 65410
router-id 10.10.10.10
peer 2002::1 as-number 100
#
ipv6-family unicast
undo synchronization
network 200:0:1:2::1 128
peer 2002::1 enable
#
return

3.14.5 Example for Configuring Inter-AS IPv6 VPN Option A


This section provides an example to describe how to deploy an IPv6 VPN instance on ASBRs
to implement inter-AS IPv6 VPN Option A, namely, VRF-to-VRF.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

Inter-AS IPv6 VPN Option A can be deployed if IPv6 VPN services need to be provided to
customers across ASs on a carrier's backbone network.

It is easy to configure inter-AS IPv6 VPN Option A. You only need to create an IPv6 address
family-supporting VPN instance on ASBRs and configure the ASBRs to consider each other as
a CE. If services of many VPNs need to be transmitted across ASs, the requirements on ASBR
performance will be high.

As shown in Figure 3-12, CE1 and CE2 belong to the same VPN. CE1 accesses PE1 in AS 100;
CE2 accesses PE2 in AS 200.

It is required that Option A be configured to implement inter-AS IPv6 VPN so that CE1 and
CE2 can access each other.

Figure 3-12 Networking diagram for configuring inter-AS VPN Option A

[Figure: two BGP/MPLS backbones, AS 100 and AS 200.
AS 100: PE1 (Loopback1 1.1.1.9/32, POS1/0/0 172.1.1.2/24, GE2/0/0 2001::2/64) and ASBR1
(Loopback1 2.2.2.9/32, POS1/0/0 172.1.1.1/24, POS2/0/0 2003::1/64).
AS 200: ASBR2 (Loopback1 3.3.3.9/32, POS1/0/0 162.1.1.1/24, POS2/0/0 2003::2/64) and PE2
(Loopback1 4.4.4.9/32, POS1/0/0 162.1.1.2/24, GE2/0/0 2002::2/64).
CE1 (AS 65001, GE1/0/0 2001::1/64) connects to PE1; CE2 (AS 65002, GE1/0/0 2002::1/64)
connects to PE2; ASBR1 and ASBR2 are connected through their POS2/0/0 interfaces.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Establish EBGP peer relationships between the PEs and CEs and establish MP-IBGP peer
relationships between the PEs and ASBRs.
2. Create an IPv6 address family-enabled VPN instance and bind the instance to the interface
connecting to the peer ASBR on each ASBR; establish an EBGP peer relationship between
the ASBRs.

Data Preparation
To complete the configuration, you need the following data:

• MPLS LSR IDs of the PEs and ASBRs
• Name of the IPv6 address family-enabled VPN instance configured on each PE and ASBR,
  and the RD and VPN target of the instance

Procedure
Step 1 Configure an IGP on the MPLS backbone networks of AS 100 and AS 200 for IP connectivity
between the ASBR and the PE within each MPLS backbone network.
In this example, OSPF is configured as an IGP. Details for the configuration procedures are not
provided here.

NOTE

The 32-bit IP address of the loopback interface that functions as the LSR ID needs to be advertised by
using OSPF.

After the configuration is complete, the OSPF neighbor relationship can be established between
the ASBR and the PE in the same AS. Run the display ospf peer command, and you can view
that the neighbor relationship is in the Full state.
The ASBR and PE in the same AS can learn the LSR ID (IP address of Loopback 1) of each
other and ping each other successfully.
Step 2 Configure basic MPLS functions, enable MPLS LDP, and set up MPLS LDP LSPs on the MPLS
backbone networks of AS 100 and AS 200.
# Configure basic MPLS functions on PE1 and enable LDP on the interface connecting PE1 to
ASBR1.
<PE1> system-view
[~PE1] mpls lsr-id 1.1.1.9
[~PE1] mpls
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] quit
[~PE1] interface pos1/0/0
[~PE1-Pos1/0/0] mpls
[~PE1-Pos1/0/0] mpls ldp
[~PE1-Pos1/0/0] quit
[~PE1] commit

# Configure basic MPLS functions on ASBR1 and enable LDP on the interface connecting
ASBR1 to PE1.
<ASBR1> system-view
[~ASBR1] mpls lsr-id 2.2.2.9
[~ASBR1] mpls
[~ASBR1-mpls] quit
[~ASBR1] mpls ldp
[~ASBR1-mpls-ldp] quit
[~ASBR1] interface pos1/0/0
[~ASBR1-Pos1/0/0] mpls
[~ASBR1-Pos1/0/0] mpls ldp
[~ASBR1-Pos1/0/0] quit
[~ASBR1] commit

# Configure basic MPLS functions on ASBR2 and enable LDP on the interface connecting
ASBR2 to PE2.
<ASBR2> system-view
[~ASBR2] mpls lsr-id 3.3.3.9
[~ASBR2] mpls
[~ASBR2-mpls] quit
[~ASBR2] mpls ldp
[~ASBR2-mpls-ldp] quit
[~ASBR2] interface pos1/0/0
[~ASBR2-Pos1/0/0] mpls
[~ASBR2-Pos1/0/0] mpls ldp
[~ASBR2-Pos1/0/0] quit

[~ASBR2] commit

# Configure basic MPLS functions on PE2 and enable LDP on the interface connecting PE2 to
ASBR2.
<PE2> system-view
[~PE2] mpls lsr-id 4.4.4.9
[~PE2] mpls
[~PE2-mpls] quit
[~PE2] mpls ldp
[~PE2-mpls-ldp] quit
[~PE2] interface pos1/0/0
[~PE2-Pos1/0/0] mpls
[~PE2-Pos1/0/0] mpls ldp
[~PE2-Pos1/0/0] quit
[~PE2] commit

After the configuration is complete, an LDP peer relationship can be set up between the PE and
the ASBR in the same AS. Run the display mpls ldp session command on each device, and you
can view that the session state is displayed as Operational.
The following uses the display on PE1 as an example:
[~PE1] display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
--------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
--------------------------------------------------------------------------
2.2.2.9:0 Operational DU Passive 0000:00:02 9/9
--------------------------------------------------------------------------
TOTAL: 1 session(s) Found.

Step 3 Configure basic BGP/MPLS IPv6 VPN on AS 100 and AS 200.


NOTE

The VPN targets of the IPv6 address family-enabled VPN instance configured on the ASBR and the PE in
the same AS must be matched. This is not required for the PEs in different ASs.

# Configure CE1.
<CE1> system-view
[~CE1] interface gigabitethernet 1/0/0
[~CE1-GigabitEthernet1/0/0] ipv6 enable
[~CE1-GigabitEthernet1/0/0] ipv6 address 2001::1 64
[~CE1-GigabitEthernet1/0/0] quit
[~CE1] bgp 65001
[~CE1-bgp] router-id 10.10.10.10
[~CE1-bgp] peer 2001::2 as-number 100
[~CE1-bgp] ipv6-family unicast
[~CE1-bgp-af-ipv6] peer 2001::2 enable
[~CE1-bgp-af-ipv6] import-route direct
[~CE1-bgp-af-ipv6] quit
[~CE1-bgp] quit
[~CE1] commit

# Configure PE1 to set up an EBGP peer relationship with CE1.


[~PE1] ip vpn-instance vpn1
[~PE1-vpn-instance-vpn1] ipv6-family
[~PE1-vpn-instance-vpn1-af-ipv6] route-distinguisher 100:1
[~PE1-vpn-instance-vpn1-af-ipv6] vpn-target 1:1 both
[~PE1-vpn-instance-vpn1-af-ipv6] quit
[~PE1-vpn-instance-vpn1] quit
[~PE1] interface gigabitethernet 2/0/0
[~PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[~PE1-GigabitEthernet2/0/0] ipv6 enable

[~PE1-GigabitEthernet2/0/0] ipv6 address 2001::2 64


[~PE1-GigabitEthernet2/0/0] quit
[~PE1] bgp 100
[~PE1-bgp] ipv6-family vpn-instance vpn1
[~PE1-bgp6-vpn1] peer 2001::1 as-number 65001
[~PE1-bgp6-vpn1] import-route direct
[~PE1-bgp6-vpn1] quit
[~PE1-bgp] quit
[~PE1] commit

# Configure PE1 to set up an MP-IBGP peer relationship with ASBR1.


[~PE1] bgp 100
[~PE1-bgp] peer 2.2.2.9 as-number 100
[~PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[~PE1-bgp] ipv6-family vpnv6
[~PE1-bgp-af-vpnv6] peer 2.2.2.9 enable
[~PE1-bgp-af-vpnv6] quit
[~PE1-bgp] quit
[~PE1] commit

# Configure ASBR1 to set up an MP-IBGP peer relationship with PE1.


[~ASBR1] bgp 100
[~ASBR1-bgp] peer 1.1.1.9 as-number 100
[~ASBR1-bgp] peer 1.1.1.9 connect-interface loopback 1
[~ASBR1-bgp] ipv6-family vpnv6
[~ASBR1-bgp-af-vpnv6] peer 1.1.1.9 enable
[~ASBR1-bgp-af-vpnv6] quit
[~ASBR1-bgp] quit
[~ASBR1] commit

NOTE

The configurations of CE2, PE2, and ASBR2 are similar to the configurations of CE1, PE1, and ASBR1
respectively, and details are not provided here.

After the configuration is complete, run the display bgp vpnv6 vpn-instance peer command
on the PEs, and you can view that the BGP peer relationships between the PEs and the CEs are
in the Established state. Run the display bgp vpnv6 all peer command on the PE or ASBR,
and you can view that the BGP peer relationship is established between the PEs and the CEs,
and between the PEs and ASBRs.
The following uses the display on PE1 as an example:
[~PE1] display bgp vpnv6 vpn-instance vpn1 peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2001::1 4 65001 14 12 0 00:08:36 Established 1
[~PE1] display bgp vpnv6 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2.2.2.9 4 100 13 12 0 00:09:10 Established 0
Peer of vpn instance :

VPN-Instance vpn1, router ID 1.1.1.9:


2001::1 4 65001 17 14 0 00:11:09 Established 1

Step 4 Configure inter-AS VPN in VRF-to-VRF mode.


# Create an IPv6 address family-enabled VPN instance on ASBR1 and bind the interface that
connects ASBR1 to ASBR2 (it is considered as a CE by ASBR1) to the VPN instance.
[~ASBR1] ip vpn-instance vpn1
[~ASBR1-vpn-instance-vpn1] ipv6-family

[~ASBR1-vpn-instance-vpn1-af-ipv6] route-distinguisher 100:2


[~ASBR1-vpn-instance-vpn1-af-ipv6] vpn-target 1:1 both
[~ASBR1-vpn-instance-vpn1-af-ipv6] quit
[~ASBR1-vpn-instance-vpn1] quit
[~ASBR1] interface pos 2/0/0
[~ASBR1-Pos2/0/0] ip binding vpn-instance vpn1
[~ASBR1-Pos2/0/0] ipv6 enable
[~ASBR1-Pos2/0/0] ipv6 address 2003::1 64
[~ASBR1-Pos2/0/0] quit
[~ASBR1] commit

# Create an IPv6 address family-enabled VPN instance on ASBR2 and bind the interface that
connects ASBR2 to ASBR1 (it is considered as a CE by ASBR2) to the VPN instance.
[~ASBR2] ip vpn-instance vpn1
[~ASBR2-vpn-instance-vpn1] ipv6-family
[~ASBR2-vpn-instance-vpn1-af-ipv6] route-distinguisher 200:2
[~ASBR2-vpn-instance-vpn1-af-ipv6] vpn-target 2:2 both
[~ASBR2-vpn-instance-vpn1-af-ipv6] quit
[~ASBR2-vpn-instance-vpn1] quit
[~ASBR2] interface pos 2/0/0
[~ASBR2-Pos2/0/0] ip binding vpn-instance vpn1
[~ASBR2-Pos2/0/0] ipv6 enable
[~ASBR2-Pos2/0/0] ipv6 address 2003::2 64
[~ASBR2-Pos2/0/0] quit
[~ASBR2] commit

# Configure ASBR1 to set up an EBGP peer relationship with ASBR2.


[~ASBR1] bgp 100
[~ASBR1-bgp] ipv6-family vpn-instance vpn1
[~ASBR1-bgp6-vpn1] peer 2003::2 as-number 200
[~ASBR1-bgp6-vpn1] import-route direct
[~ASBR1-bgp6-vpn1] quit
[~ASBR1-bgp] quit
[~ASBR1] commit

# Configure ASBR2 to set up an EBGP peer relationship with ASBR1.


[~ASBR2] bgp 200
[~ASBR2-bgp] ipv6-family vpn-instance vpn1
[~ASBR2-bgp6-vpn1] peer 2003::1 as-number 100
[~ASBR2-bgp6-vpn1] import-route direct
[~ASBR2-bgp6-vpn1] quit
[~ASBR2-bgp] quit
[~ASBR2] commit

After the configuration is complete, run the display bgp vpnv6 vpn-instance peer command,
and you can view that the BGP peer relationship between the ASBRs is in the Established state.
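The NOTE in Step 3 requires the VPN targets of the PE and the ASBR in the same AS to match, while Step 4 deliberately uses different targets in AS 100 (1:1) and AS 200 (2:2). The following Python audit is an added example, not part of the Huawei guide: it parses VPN instance definitions and reports every same-AS pair in which one device exports no target that the other imports. The function names are hypothetical, and PE2's RD and VPN target are assumptions because the page omits PE2's configuration.

```python
import re
from itertools import permutations

# Constructed inputs in the "Configuration Files" format of this guide.
# PE1, ASBR1 and ASBR2 use the RD and VPN-target values from the steps above;
# PE2's values are an assumption, because the page omits PE2's configuration.
# ASBR2 is written in the typed form ("both") to exercise that keyword.
DEVICES = {
    "PE1": ("100", """\
ip vpn-instance vpn1
 ipv6-family
  route-distinguisher 100:1
  vpn-target 1:1 export-extcommunity
  vpn-target 1:1 import-extcommunity
#
"""),
    "ASBR1": ("100", """\
ip vpn-instance vpn1
 ipv6-family
  route-distinguisher 100:2
  vpn-target 1:1 export-extcommunity
  vpn-target 1:1 import-extcommunity
#
"""),
    "ASBR2": ("200", """\
ip vpn-instance vpn1
 ipv6-family
  route-distinguisher 200:2
  vpn-target 2:2 both
#
"""),
    "PE2": ("200", """\
ip vpn-instance vpn1
 ipv6-family
  route-distinguisher 200:1
  vpn-target 2:2 export-extcommunity
  vpn-target 2:2 import-extcommunity
#
"""),
}

# Same topology with a constructed typo: PE2 imports 2:3 instead of 2:2.
DEVICES_WITH_TYPO = dict(DEVICES, PE2=("200", DEVICES["PE2"][1].replace(
    "vpn-target 2:2 import-extcommunity", "vpn-target 2:3 import-extcommunity")))

TARGET_RE = re.compile(
    r"^vpn-target\s+(?P<rts>.+?)"
    r"(?:\s+(?P<dir>both|export-extcommunity|import-extcommunity))?$")


def parse_vpn_instances(config):
    """Return {instance: {"rd", "import", "export"}} for the IPv6 address family."""
    instances, name, in_v6 = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ip vpn-instance "):
            name = line.split()[2]
            instances[name] = {"rd": None, "import": set(), "export": set()}
            in_v6 = False
        elif line == "#":
            name, in_v6 = None, False          # "#" closes the current section
        elif name and line in ("ipv6-family", "ipv4-family"):
            in_v6 = line == "ipv6-family"
        elif name and in_v6 and line.startswith("route-distinguisher "):
            instances[name]["rd"] = line.split()[1]
        elif name and in_v6:
            match = TARGET_RE.match(line)
            if match:
                rts = set(match.group("rts").split())
                # A vpn-target line without a keyword applies in both directions,
                # as PE3's step and saved configuration on this page show.
                direction = match.group("dir") or "both"
                if direction in ("both", "export-extcommunity"):
                    instances[name]["export"] |= rts
                if direction in ("both", "import-extcommunity"):
                    instances[name]["import"] |= rts
    return instances


def intra_as_mismatches(devices, instance):
    """devices: {name: (as_number, config)}. Return the (exporter, importer) pairs
    in the same AS for which the importer accepts none of the exporter's targets."""
    parsed = {name: (asn, parse_vpn_instances(cfg).get(instance))
              for name, (asn, cfg) in devices.items()}
    problems = []
    for exporter, importer in permutations(sorted(parsed), 2):
        (as_a, inst_a), (as_b, inst_b) = parsed[exporter], parsed[importer]
        if as_a != as_b or inst_a is None or inst_b is None:
            continue  # cross-AS pairs are not required to match in Option A
        if not (inst_a["export"] & inst_b["import"]):
            problems.append((exporter, importer))
    return problems


if __name__ == "__main__":
    print("as configured:", intra_as_mismatches(DEVICES, "vpn1"))
    print("with typo    :", intra_as_mismatches(DEVICES_WITH_TYPO, "vpn1"))
```
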
Step 5 Verify the configuration.
After the configuration is complete, the CEs can learn routes of interfaces of each other and
successfully ping each other. The following uses the display on CE1 as an example:
[~CE1] display ipv6 routing-table
Routing Table : _public_
Destinations : 6 Routes : 6

Destination : ::1 PrefixLength : 128


NextHop : ::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : InLoopBack0 Flags : D

Destination : 2001:: PrefixLength : 64


NextHop : 2001::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0

Interface : GigabitEthernet1/0/0 Flags : D

Destination : 2001::1 PrefixLength : 128


NextHop : ::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : InLoopBack0 Flags : D

Destination : 2002:: PrefixLength : 64


NextHop : 2001::2 Preference : 255
Cost : 0 Protocol : BGP
RelayNextHop : :: TunnelID : 0x0
Interface : GigabitEthernet1/0/0 Flags : D

Destination : 2003:: PrefixLength : 64


NextHop : 2001::2 Preference : 255
Cost : 0 Protocol : BGP
RelayNextHop : :: TunnelID : 0x0
Interface : GigabitEthernet1/0/0 Flags : D

Destination : FE80:: PrefixLength : 10


NextHop : :: Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : NULL0 Flags : D
[~CE1] ping ipv6 2002::1
PING 2002::1 : 56 data bytes, press CTRL_C to break
Reply from 2002::1
bytes=56 Sequence=1 hop limit=60 time = 94 ms
Reply from 2002::1
bytes=56 Sequence=2 hop limit=60 time = 109 ms
Reply from 2002::1
bytes=56 Sequence=3 hop limit=60 time = 110 ms
Reply from 2002::1
bytes=56 Sequence=4 hop limit=60 time = 94 ms
Reply from 2002::1
bytes=56 Sequence=5 hop limit=60 time = 110 ms
--- 2002::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 94/103/110 ms

Run the display ipv6 routing-table vpn-instance command on either ASBR to view the IPv6
routing table of the VPN instance maintained on that ASBR. The following uses the display
on ASBR1 as an example:
<ASBR1> display ipv6 routing-table vpn-instance vpn1
Routing Table : vpn1
Destinations : 5 Routes : 5

Destination : 2001:: PrefixLength : 64


NextHop : ::FFFF:1.1.1.9 Preference : 255
Cost : 0 Protocol : BGP
RelayNextHop : :: TunnelID : 0xa0010082
Interface : NULL0 Flags : RD

Destination : 2002:: PrefixLength : 64


NextHop : 2003::2 Preference : 255
Cost : 0 Protocol : BGP
RelayNextHop : :: TunnelID : 0x0
Interface : Pos2/0/0 Flags : D

Destination : 2003:: PrefixLength : 64


NextHop : 2003::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : Pos2/0/0 Flags : D

Destination : 2003::1 PrefixLength : 128


NextHop : ::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : InLoopBack0 Flags : D

Destination : FE80:: PrefixLength : 10


NextHop : :: Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : NULL0 Flags : D

Run the display bgp vpnv6 all routing-table command on either ASBR to view the IPv6 VPN
routes on that ASBR. The following uses the display on ASBR1 as an example:
<ASBR1> display bgp vpnv6 all routing-table
BGP Local router ID is 2.2.2.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total number of routes from all PE: 4


Route Distinguisher: 100:1

*>i Network : 2001:: PrefixLen : 64


NextHop : ::FFFF:1.1.1.9 LocPrf : 100
MED : 0 PrefVal : 0
Label : 105472
Path/Ogn : ?

Route Distinguisher: 100:2

*> Network : 2002:: PrefixLen : 64


NextHop : 2003::2 LocPrf :
MED : PrefVal : 0
Label : NULL
Path/Ogn : 200 ?
*> Network : 2003:: PrefixLen : 64
NextHop : :: LocPrf :
MED : 0 PrefVal : 0
Label : NULL
Path/Ogn : ?
*
NextHop : 2003::2 LocPrf :
MED : 0 PrefVal : 0
Label : NULL
Path/Ogn : 200 ?

VPN-Instance vpn1 :

Total Number of Routes: 4


*>i Network : 2001:: PrefixLen : 64
NextHop : ::FFFF:1.1.1.9 LocPrf : 100
MED : 0 PrefVal : 0
Label : 105472
Path/Ogn : ?
*> Network : 2002:: PrefixLen : 64
NextHop : 2003::2 LocPrf :
MED : PrefVal : 0
Label : NULL
Path/Ogn : 200 ?
*> Network : 2003:: PrefixLen : 64
NextHop : :: LocPrf :
MED : 0 PrefVal : 0
Label : NULL
Path/Ogn : ?
*
NextHop : 2003::2 LocPrf :
MED : 0 PrefVal : 0
Label : NULL
Path/Ogn : 200 ?

----End

Configuration Files
• Configuration file of CE1
#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 2001::1/64
#
bgp 65001
router-id 10.10.10.10
peer 2001::2 as-number 100
#
ipv6-family unicast
undo synchronization
import-route direct
peer 2001::2 enable
#
return

• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpn1
ipv6-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpn1
ipv6 enable
ipv6 address 2001::2/64
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 2.2.2.9 enable
#
ipv6-family vpn-instance vpn1
peer 2001::1 as-number 65001
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
• Configuration file of ASBR1
#
sysname ASBR1
#
ip vpn-instance vpn1
ipv6-family
route-distinguisher 100:2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpn1
ipv6 enable
ipv6 address 2003::1/64
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
import-route direct
peer 1.1.1.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 1.1.1.9 enable
#
ipv6-family vpn-instance vpn1
peer 2003::2 as-number 200
import-route direct
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
• Configuration file of ASBR2
#
sysname ASBR2
#
ip vpn-instance vpn1
ipv6-family
route-distinguisher 200:2
vpn-target 2:2 export-extcommunity
vpn-target 2:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip binding vpn-instance vpn1
ipv6 enable
ipv6 address 2003::2/64
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 200
peer 4.4.4.9 as-number 200
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 4.4.4.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 4.4.4.9 enable
#
ipv6-family vpn-instance vpn1
peer 2003::1 as-number 100
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv6-family
route-distinguisher 200:1
vpn-target 2:2 export-extcommunity
vpn-target 2:2 import-extcommunity
#
mpls lsr-id 4.4.4.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpn1
ipv6 enable
ipv6 address 2002::2/64
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 200
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 3.3.3.9 enable
#
ipv6-family vpn-instance vpn1
peer 2002::1 as-number 65002
import-route direct
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return

• Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 2002::1/64
#
bgp 65002
router-id 20.20.20.20
peer 2002::2 as-number 200
#
ipv6-family unicast
undo synchronization
import-route direct
peer 2002::2 enable
#
return

3.14.6 Example for Configuring Inter-AS IPv6 VPN Option B


In inter-AS VPN Option B, the ASBRs establish a single-hop MP-EBGP peer relationship with
each other to exchange VPNv6 routes.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

As shown in Figure 3-13, CE1 and CE2 belong to the same VPN. CE1 is connected to PE1 in
AS 100, and CE2 is connected to PE2 in AS 200. It is required that an MP-EBGP peer relationship
be established between the ASBRs to transmit VPNv6 routes, thus implementing inter-AS VPN
Option B.

Figure 3-13 Networking diagram of inter-AS IPv6 VPN Option B

Device  AS        Interface   Address
CE1     AS 65001  GE1/0/0     2001::1/64
PE1     AS 100    GE2/0/0     2001::2/64
                  POS1/0/0    172.1.1.2/24
                  Loopback1   1.1.1.9/32
ASBR1   AS 100    POS1/0/0    172.1.1.1/24
                  POS2/0/0    192.1.1.1/24
                  Loopback1   2.2.2.9/32
ASBR2   AS 200    POS1/0/0    162.1.1.1/24
                  POS2/0/0    192.1.1.2/24
                  Loopback1   3.3.3.9/32
PE2     AS 200    POS1/0/0    162.1.1.2/24
                  GE2/0/0     2002::2/64
                  Loopback1   4.4.4.9/32
CE2     AS 65002  GE1/0/0     2002::1/64

AS 100 and AS 200 are each a BGP/MPLS backbone.

Configuration Notes
When configuring inter-AS IPv6 VPN Option B, note the following:

• An MP-EBGP peer relationship is established between ASBR1 and ASBR2, and the
ASBRs do not filter received VPNv6 routes based on VPN targets.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IGP on the MPLS backbone network to implement interworking of the ASBR
and PE in the same AS, and set up an MPLS LDP LSP between the ASBR and PE in the
same AS.
2. Set up EBGP peer relationships between the PEs and CEs and set up MP-IBGP peer
relationships between the PEs and ASBRs.
3. Configure VPN instances on the PEs rather than ASBRs.
4. Enable MPLS on the interface that connects one ASBR to the other ASBR, set up an MP-
EBGP peer relationship between the ASBRs, and configure the ASBRs not to filter received
VPNv6 routes based on VPN targets.

Data Preparation
To complete the configuration, you need the following data:
• MPLS LSR IDs of the PEs and ASBRs
• Names, RDs, and VPN targets of the VPN instances of the PEs

Procedure
Step 1 On the MPLS backbone networks in AS 100 and AS 200, configure an IGP to interconnect the
PE and ASBR on each network.
In this example, OSPF is used as the IGP protocol. For details, see "Configuration Files."

NOTE

The 32-bit IP address of the loopback interface that functions as the LSR ID needs to be advertised by
using OSPF.

After the configuration, the OSPF neighbor relationship can be established between the ASBR
and PE in the same AS. Run the display ospf peer command, and you can view that the neighbor
relationship is in the Full state.
The ASBR and PE in the same AS can learn and successfully ping the IP address of the loopback
interface of each other.
Step 2 Configure basic MPLS functions and MPLS LDP, and set up MPLS LDP LSPs on the MPLS
backbone networks in AS 100 and AS 200.
The detailed configuration is not mentioned here. For details, see 3.14.5 Example for
Configuring Inter-AS IPv6 VPN Option A.
Step 3 Configure the basic BGP/MPLS IPv6 VPN functions on PE1 and PE2.
NOTE

The VPN targets of the VPN instances of PE1 and PE2 must be the same.

The detailed configuration is not mentioned here. For details, see "Configuration Files."
Step 4 Configure inter-AS VPN-Option B mode.
# On ASBR1, enable MPLS on POS2/0/0, which is connected to ASBR2.
<ASBR1> system-view
[~ASBR1] interface pos 2/0/0
[~ASBR1-Pos2/0/0] ip address 192.1.1.1 24
[~ASBR1-Pos2/0/0] mpls
[~ASBR1-Pos2/0/0] quit
[~ASBR1] commit

# On ASBR1, establish an MP-EBGP peer relationship with ASBR2, disable VPN-target
filtering of received VPN-IPv6 routes, and then enable ASBR1 to allocate labels based on
the next hop.
[~ASBR1] bgp 100
[~ASBR1-bgp] peer 192.1.1.2 as-number 200
[~ASBR1-bgp] ipv6-family vpnv6
[~ASBR1-bgp-af-vpnv6] peer 192.1.1.2 enable
[~ASBR1-bgp-af-vpnv6] undo policy vpn-target
[~ASBR1-bgp-af-vpnv6] quit
[~ASBR1-bgp] quit
[~ASBR1] commit

NOTE

The configuration of ASBR2 is similar to that of ASBR1 and is not mentioned here.

Step 5 Verify the configuration.


After the configuration is complete, the CEs can learn the routes to each other's interfaces,
and CE1 and CE2 can ping each other successfully.
The following uses the display on CE1 as an example:
<CE1> display ipv6 routing-table
Routing Table : _public_
Destinations : 7 Routes : 7

Destination : ::1 PrefixLength : 128


NextHop : ::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : InLoopBack0 Flags : D

Destination : ::FFFF:127.0.0.0 PrefixLength : 104


NextHop : ::FFFF:127.0.0.1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : InLoopBack0 Flags : D

Destination : ::FFFF:127.0.0.1 PrefixLength : 128


NextHop : ::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : InLoopBack0 Flags : D

Destination : 2001:: PrefixLength : 64


NextHop : 2001::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : Gigabitethernet3/1/1 Flags : D

Destination : 2001::1 PrefixLength : 128


NextHop : ::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : Gigabitethernet3/1/1 Flags : D

Destination : 2002:: PrefixLength : 64


NextHop : 2001::2 Preference : 255
Cost : 0 Protocol : BGP
RelayNextHop : 2001::2 TunnelID : 0x0
Interface : Gigabitethernet3/1/1 Flags : RD

Destination : FE80:: PrefixLength : 10


NextHop : :: Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : NULL0 Flags : D
<CE1> ping ipv6 2002::1
PING 2002::1 : 56 data bytes, press CTRL_C to break
Reply from 2002::1
bytes=56 Sequence=1 hop limit=62 time = 125 ms
Reply from 2002::1
bytes=56 Sequence=2 hop limit=62 time = 109 ms
Reply from 2002::1
bytes=56 Sequence=3 hop limit=62 time = 109 ms
Reply from 2002::1
bytes=56 Sequence=4 hop limit=62 time = 109 ms
Reply from 2002::1
bytes=56 Sequence=5 hop limit=62 time = 110 ms
--- 2002::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 109/112/125 ms

Run the display bgp vpnv6 all routing-table command on an ASBR, and you can view the
VPNv6 routes on the ASBR.
Take the display on ASBR1 as an example.
<ASBR1> display bgp vpnv6 all routing-table

BGP Local router ID is 192.1.1.1


Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total number of routes from all PE: 2


Route Distinguisher: 100:1

*>i Network : 2001:: PrefixLen : 64


NextHop : ::FFFF:1.1.1.9 LocPrf : 100
MED : 0 PrefVal : 0
Label : 21/23
Path/Ogn : 65410?
Route Distinguisher: 200:2

*> Network : 2002:: PrefixLen : 64


NextHop : ::FFFF:192.1.1.2 LocPrf :
MED : PrefVal : 0
Label : 25/25
Path/Ogn : 200 65411?

----End

Configuration Files
• Configuration file of CE1
#
sysname CE1
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 2001::1/64
#
bgp 65001
router-id 10.10.10.10
peer 2001::2 as-number 100
#
ipv6-family unicast
undo synchronization
import-route direct
peer 2001::2 enable
#
return
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpn1
ipv6-family
route-distinguisher 100:1
apply-label per-instance
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpn1
ipv6 enable
ipv6 address 2001::2/64
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 2.2.2.9 enable
#
ipv6-family vpn-instance vpn1
peer 2001::1 as-number 65001
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
• Configuration file of ASBR1
#
sysname ASBR1
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 192.1.1.1 255.255.255.0
mpls
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 192.1.1.2 as-number 200
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 192.1.1.2 enable
peer 1.1.1.9 enable
#
ipv6-family vpnv6
undo policy vpn-target
peer 1.1.1.9 enable
peer 192.1.1.2 enable
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
• Configuration file of ASBR2
#
sysname ASBR2
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 192.1.1.2 255.255.255.0
mpls
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 200
peer 192.1.1.1 as-number 100
peer 4.4.4.9 as-number 200
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 192.1.1.1 enable
peer 4.4.4.9 enable
#
ipv6-family vpnv6
undo policy vpn-target
peer 4.4.4.9 enable
peer 192.1.1.1 enable
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv6-family
route-distinguisher 200:1
apply-label per-instance
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 4.4.4.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpn1
ipv6 enable
ipv6 address 2002::2/64
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 200
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 3.3.3.9 enable
#
ipv6-family vpn-instance vpn1
peer 2002::1 as-number 65002
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return

• Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 2002::1/64
#
bgp 65002
router-id 20.20.20.20
peer 2002::2 as-number 200
#
ipv6-family unicast
undo synchronization
import-route direct
peer 2002::2 enable
#
return
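
The Configuration Notes and roadmap of this example require that an ASBR with an MP-EBGP VPNv6 peer runs undo policy vpn-target, that MPLS is enabled on the inter-ASBR interface, and that the VPN targets of the PEs match. The Python audit below is an added example, not Huawei code; it checks these points over excerpts of the configuration files above. Its function names, and the check that flags VPN-target filtering being off on a router without an MP-EBGP VPNv6 peer, are assumptions of the example.

```python
import ipaddress
import re

def parse_vrp(text):
    """Split a VRP configuration into '#'-separated stanzas: {first line: [other lines]}."""
    stanzas, head = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line in ("", "return"):
            continue
        if line == "#":
            head = None
        elif head is None:
            head = line
            stanzas.setdefault(head, [])
        else:
            stanzas[head].append(line)
    return stanzas

def summarize(text):
    """Collect the facts the Option B checks need from one device configuration."""
    st = parse_vrp(text)
    name = next((h.split()[1] for h in st if h.startswith("sysname ")), "?")
    bgp = next((h for h in st if re.fullmatch(r"bgp \d+", h)), "")
    local_as = bgp.split()[-1] if bgp else None
    peer_as = dict(re.findall(r"^peer (\S+) as-number (\d+)$", "\n".join(st.get(bgp, [])), re.M))
    vpnv6 = st.get("ipv6-family vpnv6", [])
    enabled = [l.split()[1] for l in vpnv6 if re.fullmatch(r"peer \S+ enable", l)]
    mpls_nets, rts = [], {"export": set(), "import": set()}
    for head, lines in st.items():
        body = "\n".join(lines)
        addr = re.search(r"^ip address ([\d.]+) ([\d.]+)$", body, re.M)
        if head.startswith("interface ") and addr and "mpls" in lines:
            mpls_nets.append(ipaddress.ip_interface("/".join(addr.groups())).network)
        if head.startswith("ip vpn-instance "):
            for targets, kind in re.findall(r"^vpn-target (.+) (export|import)-extcommunity$", body, re.M):
                rts[kind].update(targets.split())
    return {"name": name, "rts": rts, "mpls_nets": mpls_nets,
            "rt_filter_off": "undo policy vpn-target" in vpnv6,
            # A VPNv6 peer whose AS differs from the local AS is an MP-EBGP peer.
            "ebgp_vpnv6": [p for p in enabled if peer_as.get(p, local_as) != local_as]}

def audit_option_b(configs):
    """Return findings for the device configurations of one inter-AS Option B VPN."""
    devs, findings = [summarize(c) for c in configs], []
    for d in devs:
        if d["ebgp_vpnv6"] and not d["rt_filter_off"]:
            findings.append(f"{d['name']}: MP-EBGP VPNv6 peer but VPN-target filtering is still on")
        for peer in d["ebgp_vpnv6"]:
            if not any(ipaddress.ip_address(peer) in net for net in d["mpls_nets"]):
                findings.append(f"{d['name']}: MPLS is not enabled on the interface facing {peer}")
        # Assumption of this example: filtering should be off only where Option B needs it.
        if d["rt_filter_off"] and not d["ebgp_vpnv6"]:
            findings.append(f"{d['name']}: VPN-target filtering is off without an MP-EBGP VPNv6 peer")
    pes = [d for d in devs if d["rts"]["export"] or d["rts"]["import"]]
    for a in pes:
        for b in pes:
            if a is not b and not a["rts"]["export"] & b["rts"]["import"]:
                findings.append(f"{b['name']}: imports none of the VPN targets exported by {a['name']}")
    return findings

# Excerpts of the ASBR1 and PE1 configuration files on this page (unrelated lines omitted).
ASBR1_CFG = """
sysname ASBR1
#
interface Pos2/0/0
ip address 192.1.1.1 255.255.255.0
mpls
#
bgp 100
peer 192.1.1.2 as-number 200
peer 1.1.1.9 as-number 100
#
ipv6-family vpnv6
undo policy vpn-target
peer 1.1.1.9 enable
peer 192.1.1.2 enable
"""
PE1_CFG = """
sysname PE1
#
ip vpn-instance vpn1
ipv6-family
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
ipv6-family vpnv6
policy vpn-target
"""
# PE2 carries the same VPN targets on the page; only the lines kept here matter to the checks.
PE2_CFG = PE1_CFG.replace("sysname PE1", "sysname PE2")

if __name__ == "__main__":
    for finding in audit_option_b([ASBR1_CFG, PE1_CFG, PE2_CFG]) or ["no findings"]:
        print(finding)
```

The parser strips leading whitespace, so it accepts both the flattened listings on this page and indented configuration text saved from a device.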

3.14.7 Example for Configuring VPNv6 FRR


This section describes how to configure VPNv6 FRR in the CE dual-homing networking. If a
PE fails, VPNv6 FRR can quickly switch IPv6 VPN traffic.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, an interface is numbered in the format of chassis ID/
slot number/card number/interface number. If the slot number is specified, the chassis ID of the
slot must also be specified.

VPNv6 FRR can be deployed in the CE dual-homing networking. If the primary link between
PEs fails, VPNv6 FRR can quickly switch IPv6 VPN traffic to the backup link.
As shown in Figure 3-14, PE1 learns two routes with the same prefix to the CE from PE2 and
PE3. It is required that PE3 be configured as a backup next hop for the IPv6 route on PE1. In
this manner, VPN traffic can be quickly switched to PE3 if PE2 becomes faulty.

Figure 3-14 Networking diagram for configuring VPNv6 FRR

Device  Interface   Address
PE1     Loopback1   1.1.1.1/32
        Loopback2   1999::1/64
        POS2/0/0    100.1.1.1/30
        POS3/0/0    100.2.1.1/30
PE2     Loopback1   2.2.2.2/32
        POS1/0/0    100.1.1.2/30
        GE2/0/0     2001::2/64
PE3     Loopback1   3.3.3.3/32
        POS1/0/0    100.2.1.2/30
        GE2/0/0     2003::2/64
CE      GE1/0/0     2001::1/64
        GE2/0/0     2003::1/64
        Loopback1   200:0:1:2::1/128

PE1, PE2, and PE3 are on the VPN backbone in AS 100. The figure also labels two links,
Link_A and Link_B.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF on the MPLS backbone network for IP connectivity between PE1, PE2,
and PE3.
2. Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the
MPLS backbone network.
3. Configure a VPN instance that supports the IPv6 address family on PE1, PE2, and PE3,
and connect the CE to PE2 and PE3.
4. Establish an EBGP peer relationship between the CE and PE2, and between the CE and
PE3, import IPv6 VPN routes, and establish MP-IBGP peer relationships between PEs.
5. Enable VPNv6 Auto FRR on PE1.

Data Preparation
To complete the configuration, you need the following data:
• AS numbers of the PEs and CE
• Name of the VPN instance configured on each PE and the other attributes of the VPN
instance IPv6 address family such as the RD and VPN target
• Names of the routing policy and ip-prefix configured on PE1

Procedure
Step 1 Configure IPv4 addresses for interfaces on the backbone network of the VPN and IPv6 addresses
for interfaces at the VPN site. Details for configuration procedures are not provided here.
Step 2 Configure OSPF on the MPLS backbone network for IP connectivity between the PEs on the
backbone network. Details for configuration procedures are not provided here.
Step 3 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS
backbone network.

# Configure PE1.
<PE1> system-view
[~PE1] mpls lsr-id 1.1.1.1
[~PE1] mpls
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] quit
[~PE1] interface pos2/0/0
[~PE1-Pos2/0/0] mpls
[~PE1-Pos2/0/0] mpls ldp
[~PE1-Pos2/0/0] quit
[~PE1] interface pos3/0/0
[~PE1-Pos3/0/0] mpls
[~PE1-Pos3/0/0] mpls ldp
[~PE1-Pos3/0/0] quit
[~PE1] commit

# Configure PE2.
<PE2> system-view
[~PE2] mpls lsr-id 2.2.2.2
[~PE2] mpls
[~PE2-mpls] quit
[~PE2] mpls ldp
[~PE2-mpls-ldp] quit
[~PE2] interface pos1/0/0
[~PE2-Pos1/0/0] mpls
[~PE2-Pos1/0/0] mpls ldp
[~PE2-Pos1/0/0] quit
[~PE2] commit

# Configure PE3.
<PE3> system-view
[~PE3] mpls lsr-id 3.3.3.3
[~PE3] mpls
[~PE3-mpls] quit
[~PE3] mpls ldp
[~PE3-mpls-ldp] quit
[~PE3] interface pos1/0/0
[~PE3-Pos1/0/0] mpls
[~PE3-Pos1/0/0] mpls ldp
[~PE3-Pos1/0/0] quit
[~PE3] commit

Run the display mpls lsp command on the PEs. You can view that LSPs are set up between PE1
and PE2, and between PE1 and PE3. The following uses the display on PE1 as an example:
[~PE1] display mpls lsp
-------------------------------------------------------------------------------
LSP Information: LDP LSP
-------------------------------------------------------------------------------
FEC In/Out Label In/Out IF Vrf Name
1.1.1.1/32 3/NULL -/-
3.3.3.3/32 NULL/3 -/Pos3/0/0
3.3.3.3/32 1024/3 -/Pos3/0/0
2.2.2.2/32 NULL/3 -/Pos2/0/0
2.2.2.2/32 1025/3 -/Pos2/0/0

Step 4 Configure a VPN instance that supports the IPv6 address family on each PE, and connect the
CE to PE2 and PE3.
# Configure PE1.
[~PE1] ip vpn-instance vpn1
[~PE1-vpn-instance-vpn1] ipv6-family
[~PE1-vpn-instance-vpn1-af-ipv6] route-distinguisher 100:1
[~PE1-vpn-instance-vpn1-af-ipv6] vpn-target 111:1
[~PE1-vpn-instance-vpn1-af-ipv6] quit
[~PE1-vpn-instance-vpn1] quit
[~PE1] interface loopback2
[~PE1-Loopback2] ip binding vpn-instance vpn1
[~PE1-Loopback2] ipv6 enable
[~PE1-Loopback2] ipv6 address 1999::1 128
[~PE1-Loopback2] quit
[~PE1] commit

# Configure PE2.
[~PE2] ip vpn-instance vpn1
[~PE2-vpn-instance-vpn1] ipv6-family
[~PE2-vpn-instance-vpn1-af-ipv6] route-distinguisher 100:2
[~PE2-vpn-instance-vpn1-af-ipv6] vpn-target 111:1
[~PE2-vpn-instance-vpn1-af-ipv6] quit
[~PE2-vpn-instance-vpn1] quit
[~PE2] interface gigabitethernet2/0/0
[~PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[~PE2-GigabitEthernet2/0/0] ipv6 enable
[~PE2-GigabitEthernet2/0/0] ipv6 address 2001::2 64
[~PE2-GigabitEthernet2/0/0] quit
[~PE2] commit

# Configure PE3.
[~PE3] ip vpn-instance vpn1
[~PE3-vpn-instance-vpn1] ipv6-family
[~PE3-vpn-instance-vpn1-af-ipv6] route-distinguisher 100:3
[~PE3-vpn-instance-vpn1-af-ipv6] vpn-target 111:1
[~PE3-vpn-instance-vpn1-af-ipv6] quit
[~PE3-vpn-instance-vpn1] quit
[~PE3] interface gigabitethernet2/0/0
[~PE3-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[~PE3-GigabitEthernet2/0/0] ipv6 enable
[~PE3-GigabitEthernet2/0/0] ipv6 address 2003::2 64
[~PE3-GigabitEthernet2/0/0] quit
[~PE3] commit

Step 5 Establish an EBGP peer relationship between PE2 and the CE, and between PE3 and the CE.
# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] ipv6-family vpn-instance vpn1
[~PE2-bgp6-vpn1] peer 2001::1 as-number 65410
[~PE2-bgp6-vpn1] quit
[~PE2-bgp] quit
[~PE2] commit

# Configure PE3.
[~PE3] bgp 100
[~PE3-bgp] ipv6-family vpn-instance vpn1
[~PE3-bgp6-vpn1] peer 2003::1 as-number 65410
[~PE3-bgp6-vpn1] quit
[~PE3-bgp] quit
[~PE3] commit

# Configure the CE.


<CE> system-view
[~CE] bgp 65410
[~CE-bgp] router-id 10.10.10.10
[~CE-bgp] peer 2001::2 as-number 100
[~CE-bgp] peer 2003::2 as-number 100
[~CE-bgp] ipv6-family unicast
[~CE-bgp-af-ipv6] peer 2001::2 enable
[~CE-bgp-af-ipv6] peer 2003::2 enable
[~CE-bgp-af-ipv6] network 200:0:1:2::1 128
[~CE-bgp-af-ipv6] quit
[~CE-bgp] quit
[~CE] commit

After this step is complete, run the display bgp vpnv6 all peer command on PE2 and PE3. The
EBGP peer relationships between the PEs and the CE are in the Established state, which means
that they have been set up successfully.
The following uses the display on PE2 as an example:
[~PE2] display bgp vpnv6 all peer

BGP local router ID : 2.2.2.2


Local AS number : 100
Total number of peers : 2 Peers in established state : 2

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

1.1.1.1 4 100 27 24 0 00:19:33 Established 0

Peer of vpn instance :

VPN-Instance vpn1, router ID 2.2.2.2:


2001::1 4 65410 12 10 0 00:08:30 Established 1

Step 6 Establish an MP-IBGP peer relationship between the PEs.


# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] peer 2.2.2.2 as-number 100
[~PE1-bgp] peer 2.2.2.2 connect-interface loopback 1
[~PE1-bgp] peer 3.3.3.3 as-number 100
[~PE1-bgp] peer 3.3.3.3 connect-interface loopback 1
[~PE1-bgp] ipv6-family vpnv6
[~PE1-bgp-af-vpnv6] peer 2.2.2.2 enable
[~PE1-bgp-af-vpnv6] peer 3.3.3.3 enable
[~PE1-bgp-af-vpnv6] quit
[~PE1-bgp] quit
[~PE1] commit

# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] peer 1.1.1.1 as-number 100
[~PE2-bgp] peer 1.1.1.1 connect-interface loopback 1
[~PE2-bgp] ipv6-family vpnv6
[~PE2-bgp-af-vpnv6] peer 1.1.1.1 enable
[~PE2-bgp-af-vpnv6] quit
[~PE2-bgp] quit
[~PE2] commit

# Configure PE3.
[~PE3] bgp 100
[~PE3-bgp] peer 1.1.1.1 as-number 100
[~PE3-bgp] peer 1.1.1.1 connect-interface loopback 1
[~PE3-bgp] ipv6-family vpnv6
[~PE3-bgp-af-vpnv6] peer 1.1.1.1 enable
[~PE3-bgp-af-vpnv6] quit
[~PE3-bgp] quit
[~PE3] commit

After this step is complete, run the display bgp vpnv6 all peer command on the PEs. The
MP-IBGP peer relationships between the PEs are in the Established state, which means that
they have been set up successfully.
The following uses the display on PE1 as an example:
<PE1> display bgp vpnv6 all peer
BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2.2.2.2 4 100 20 17 0 00:13:26 Established 5
3.3.3.3 4 100 24 19 0 00:17:18 Established 5

Step 7 Enable VPNv6 Auto FRR.


# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv6-family vpn-instance vpn1
[~PE1-bgp6-vpn1] auto-frr
[~PE1-bgp6-vpn1] quit
[~PE1-bgp] quit
[~PE1] commit

Step 8 Verify the configuration.


After the configuration is complete, run the display ipv6 routing-table vpn-instance
verbose command on PE1. You can view the backup next hop, backup label, and backup tunnel
ID of the IPv6 VPN route.
<PE1> display ipv6 routing-table vpn-instance vpn1 200:0:1:2::1 128 verbose

Routing Table :vpn1


Summary Count : 1

Destination : 200:0:1:2::1 PrefixLength : 128


NextHop : ::FFFF:2.2.2.2 Preference : 255
Neighbour : ::2.2.2.2 ProcessID : 0
Label : 1030 Protocol : BGP
State : Active Adv Relied Cost : 0
Entry ID : 12 EntryFlags : 0x80024904
Reference Cnt: 2 Tag : 0
IndirectID : 0x4 Age : 31sec
RelayNextHop : ::FFFF:100.1.1.2 TunnelID :
0x0000000001004c4ba2
Interface : LDP LSP Flags : RD
BkNextHop : ::FFFF:3.3.3.3 BkInterface :
BkLabel : 1026 BkTunnelID : 0x0
BkPETunnelID : 0x800001 BkIndirectID : 0x6

----End
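
The check in Step 8 can be automated. This added Python example (not part of the Huawei guide) parses the verbose route display shown above, including the TunnelID value that wraps onto its own line, and reports routes that have no usable backup next hop. The field list is taken from this page's output, the function names are assumptions of the example, and the second route is constructed sample input.

```python
import re

# Field names that appear in the verbose route display shown on this page.
FIELDS = ["Destination", "PrefixLength", "NextHop", "Preference", "Neighbour", "ProcessID",
          "Label", "Protocol", "State", "Cost", "Entry ID", "EntryFlags", "Reference Cnt",
          "Tag", "IndirectID", "Age", "RelayNextHop", "TunnelID", "Interface", "Flags",
          "BkNextHop", "BkInterface", "BkLabel", "BkTunnelID", "BkPETunnelID", "BkIndirectID"]
# A field is a known name followed by a colon; IPv6 values never end a word before " :".
KEY_RE = re.compile(r"\b(" + "|".join(map(re.escape, FIELDS)) + r")\s*:(?=\s|$)")

def parse_routes(output):
    """Parse verbose route display text into one {field: value} dict per route."""
    flat = " ".join(output.split())   # undo line wrapping, e.g. the TunnelID value
    matches = list(KEY_RE.finditer(flat))
    routes = []
    for m, nxt in zip(matches, matches[1:] + [None]):
        if m.group(1) == "Destination":
            routes.append({})
        if routes:
            end = nxt.start() if nxt else len(flat)
            routes[-1][m.group(1)] = flat[m.end():end].strip()
    return routes

def frr_status(route):
    """Return 'protected' or the reason the route has no usable backup path."""
    primary, backup = route.get("NextHop", ""), route.get("BkNextHop", "")
    if not backup:
        return "no backup next hop"
    if backup == primary:
        return "backup next hop equals primary"
    if not route.get("BkLabel", "").isdigit():
        return "backup next hop has no label"
    return "protected"

def unprotected(output):
    """List (prefix, reason) for every route in the display that lacks FRR protection."""
    result = []
    for r in parse_routes(output):
        status = frr_status(r)
        if status != "protected":
            result.append((f"{r['Destination']}/{r.get('PrefixLength', '?')}", status))
    return result

# Output of Step 8 as shown on this page.
PAGE_OUTPUT = """
Routing Table :vpn1
Summary Count : 1
Destination : 200:0:1:2::1 PrefixLength : 128
NextHop : ::FFFF:2.2.2.2 Preference : 255
Neighbour : ::2.2.2.2 ProcessID : 0
Label : 1030 Protocol : BGP
State : Active Adv Relied Cost : 0
Entry ID : 12 EntryFlags : 0x80024904
Reference Cnt: 2 Tag : 0
IndirectID : 0x4 Age : 31sec
RelayNextHop : ::FFFF:100.1.1.2 TunnelID :
0x0000000001004c4ba2
Interface : LDP LSP Flags : RD
BkNextHop : ::FFFF:3.3.3.3 BkInterface :
BkLabel : 1026 BkTunnelID : 0x0
BkPETunnelID : 0x800001 BkIndirectID : 0x6
"""
# Constructed sample: a route learned from one PE only, so no Bk* fields are present.
CONSTRUCTED_OUTPUT = """
Destination : 2001:db8:1::1 PrefixLength : 128
NextHop : ::FFFF:2.2.2.2 Preference : 255
Label : 1031 Protocol : BGP
RelayNextHop : ::FFFF:100.1.1.2 TunnelID : 0x0
Interface : LDP LSP Flags : RD
"""

if __name__ == "__main__":
    for prefix, reason in unprotected(PAGE_OUTPUT + CONSTRUCTED_OUTPUT):
        print(f"{prefix}: {reason}")
```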

Configuration Files
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpn1
ipv6-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
#
mpls
#
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 100.1.1.1 255.255.255.252
mpls
mpls ldp
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 100.2.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
interface LoopBack2
ip binding vpn-instance vpn1
ipv6 enable
ipv6 address 1999::1/128
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
peer 3.3.3.3 enable
#
ipv6-family vpnv6
policy vpn-target
peer 2.2.2.2 enable
peer 3.3.3.3 enable
#
ipv6-family vpn-instance vpn1
auto-frr
#
ospf 1
area 0.0.0.0
network 100.1.1.0 0.0.0.3
network 100.2.1.0 0.0.0.3
network 1.1.1.1 0.0.0.0
#
return
- Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv6-family
route-distinguisher 100:2
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 2.2.2.2
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.1.1.2 255.255.255.252
mpls
mpls ldp
#
interface GigabitEthernet2/0/0

undo shutdown
ipv6 enable
ip binding vpn-instance vpn1
ipv6 address 2001::2/64
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv6-family vpnv6
policy vpn-target
peer 1.1.1.1 enable
#
ipv6-family vpn-instance vpn1
peer 2001::1 as-number 65410
import-route direct
#
ospf 1
area 0.0.0.0
network 100.1.1.0 0.0.0.3
network 2.2.2.2 0.0.0.0
#
return
- Configuration file of PE3
#
sysname PE3
#
ip vpn-instance vpn1
ipv6-family
route-distinguisher 100:3
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.3
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.2.1.2 255.255.255.252
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ipv6 enable
ip binding vpn-instance vpn1
ipv6 address 2003::2/64
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable

#
ipv6-family vpnv6
policy vpn-target
peer 1.1.1.1 enable
#
ipv6-family vpn-instance vpn1
peer 2003::1 as-number 65410
#
ospf 1
area 0.0.0.0
network 100.2.1.0 0.0.0.3
network 3.3.3.3 0.0.0.0
#
return

- Configuration file of the CE


#
sysname CE
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 2001::1/64
#
interface GigabitEthernet2/0/0
undo shutdown
ipv6 enable
ipv6 address 2003::1/64
#
interface LoopBack1
ipv6 enable
ipv6 address 200:0:1:2::1/128
#
bgp 65410
router-id 10.10.10.10
peer 2001::2 as-number 100
peer 2003::2 as-number 100
#
ipv4-family unicast
undo synchronization
#
ipv6-family unicast
undo synchronization
network 200:0:1:2::1 128
peer 2001::2 enable
peer 2003::2 enable
#
return

3.14.8 Example for Configuring FRR for IPv6 Routes on a Private Network
FRR for IPv6 routes can be deployed on a private network where multiple CEs at an IPv6 VPN
site access the same PE. If a route from the PE to a CE is unreachable, this feature quickly
switches traffic to a link from the PE to another CE.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

At a VPN site, different CEs use BGP to access the same PE. The PE learns multiple IPv6 VPN
routes with the same VPN prefix from the CEs. To enable the system to select a primary route
and a backup route, you can deploy FRR for IPv6 routes on the private network. If this feature
is configured, the PE generates a primary route and a backup route to the same destination on
the private network. After that, IPv6 traffic can be quickly switched to the link where the backup
route resides in case the link where the primary route resides is faulty.

As shown in Figure 3-15, an EBGP peer relationship is set up between the PE and each CE.
There are two BGP routes from the PE to Loopback 1 on Router A. The optimal route resides
on Link_A; the sub-optimal route resides on Link_B. It is required that IPv6 Auto FRR be
deployed on the PE so that if Link_A fails, IPv6 traffic can be quickly switched to Link_B.

Figure 3-15 Configuring IPv6 Auto FRR for the private network

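[Figure 3-15 topology: the PE (GE1/0/0 2000::1/64, GE2/0/0 2001::1/64) faces the VPN backbone
and connects to CE1 (GE1/0/0 2000::2/64) and CE2 (GE1/0/0 2001::2/64). CE1 GE2/0/0 2002::1/64
connects to Router A GE1/0/0 2002::2/64, and CE2 GE2/0/0 2003::1/64 connects to Router A
GE2/0/0 2003::2/64. Loopback 1 on Router A is 2004::1/128. Link_A is the path through CE1 and
Link_B is the path through CE2. CE1, CE2, and Router A form the vpn1 site.]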

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure an IGP at the VPN site to advertise the routes of Loopback 1 on Router A to
CE1 and CE2.
2. Create a VPN instance named vpna that supports the IPv6 address family on the PE, and
bind GE 1/0/0 and GE 2/0/0 to vpna.
3. Establish an EBGP peer relationship between the PE and CE1, and between the PE and
CE2. On CE1 and CE2, configure an IGP and BGP to import routes from each other.

4. Enable IPv6 Auto FRR for the private network on the PE.

Data Preparation
To complete the configuration, you need the following data:
- VPN instance name (vpna) and attributes of the VPN instance IPv6 address family, for
  example, the RD (100:1) and VPN target (100:100), on the PE
- MEDs configured for the IGP routes imported into BGP on CE1 and CE2

Procedure
Step 1 Configure IPv6 addresses for the interfaces on the routers at the VPN site.
For details on the configuration procedure, see the following configuration files.
Step 2 Configure an IGP at the VPN site to advertise the route of Loopback 1 on Router A to CE1 and
CE2. In this example, OSPFv3 is configured as an IGP.
# Configure CE1.
[~CE1] ospfv3 1
[~CE1-ospfv3-1] router-id 2.2.2.2
[~CE1-ospfv3-1] quit
[~CE1] interface gigabitethernet 2/0/0
[~CE1-GigabitEthernet2/0/0] ospfv3 1 area 0.0.0.0
[~CE1-GigabitEthernet2/0/0] quit
[~CE1] commit

The configurations of CE2 and Router A are similar to the configuration of CE1. For details on
the configuration procedure, see the following configuration files.
After the configuration is complete, run the display ipv6 routing-table command on the CEs,
and you can find that CE1 and CE2 have learned the route of Loopback 1 on Router A. The
following takes the display on CE1 as an example:
<CE1> display ipv6 routing-table
Routing Table : _public_
Destinations : 8 Routes : 8

Destination : ::1 PrefixLength : 128


NextHop : ::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : InLoopBack0 Flags : D

Destination : 2000:: PrefixLength : 64


NextHop : 2000::2 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : GigabitEthernet1/0/0 Flags : D

Destination : 2000::2 PrefixLength : 128


NextHop : ::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : InLoopBack0 Flags : D

Destination : 2002:: PrefixLength : 64


NextHop : 2002::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : GigabitEthernet2/0/0 Flags : D

Destination : 2002::1 PrefixLength : 128


NextHop : ::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : InLoopBack0 Flags : D

Destination : 2003:: PrefixLength : 64


NextHop : FE80::5451:0:FAC1:1 Preference : 10
Cost : 3124 Protocol : OSPFv3
RelayNextHop : :: TunnelID : 0x0
Interface : GigabitEthernet2/0/0 Flags : D

Destination : 2004::1 PrefixLength : 128


NextHop : FE80::5451:0:FAC1:1 Preference : 10
Cost : 1562 Protocol : OSPFv3
RelayNextHop : :: TunnelID : 0x0
Interface : GigabitEthernet2/0/0 Flags : D

Destination : FE80:: PrefixLength : 10


NextHop : :: Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : NULL0 Flags : D

Step 3 Configure a VPN instance that supports the IPv6 address family on the PE and bind the interfaces
connecting the PE to the CEs to the VPN instance.
# Configure a VPN instance named vpna on the PE, and bind GE 1/0/0 and GE 2/0/0 to the
instance.
<PE> system-view
[~PE] ip vpn-instance vpna
[~PE-vpn-instance-vpna] ipv6-family
[~PE-vpn-instance-vpna-af-ipv6] route-distinguisher 100:1
[~PE-vpn-instance-vpna-af-ipv6] vpn-target 100:100
[~PE-vpn-instance-vpna-af-ipv6] quit
[~PE-vpn-instance-vpna] quit
[~PE] interface gigabitethernet 1/0/0
[~PE-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[~PE-GigabitEthernet1/0/0] ipv6 enable
[~PE-GigabitEthernet1/0/0] ipv6 address 2000::1 64
[~PE-GigabitEthernet1/0/0] quit
[~PE] interface gigabitethernet 2/0/0
[~PE-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[~PE-GigabitEthernet2/0/0] ipv6 enable
[~PE-GigabitEthernet2/0/0] ipv6 address 2001::1 64
[~PE-GigabitEthernet2/0/0] quit
[~PE] commit

Step 4 Establish EBGP peer relationships between the PE and CEs.


# Configure the PE.
[~PE] bgp 100
[~PE-bgp] ipv6-family vpn-instance vpna
[~PE-bgp6-vpna] peer 2000::2 as-number 65410
[~PE-bgp6-vpna] peer 2001::2 as-number 65410
[~PE-bgp6-vpna] quit
[~PE-bgp] quit
[~PE] commit

# Configure CE1.
[~CE1] bgp 65410
[~CE1-bgp] peer 2000::1 as-number 100
[~CE1-bgp] ipv6-family unicast
[~CE1-bgp-af-ipv6] peer 2000::1 enable
[~CE1-bgp-af-ipv6] quit
[~CE1-bgp] quit

[~CE1] commit

The configuration of CE2 is similar to the configuration of CE1. For details on the configuration
of CE2, see the following configuration files.
After the configuration is complete, run the display bgp vpnv6 vpn-instance vpna peer
command on the PE, and you can find that the status of the EBGP peer relationship between the
PE and CEs is Established. It indicates that the EBGP peer relationships have been set up
between the PE and CEs.
<PE> display bgp vpnv6 vpn-instance vpna peer

BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 2 Peers in established state : 2

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2000::2 4 65410 35 37 0 00:24:31 Established 3
2001::2 4 65410 41 43 0 00:24:03 Established 3

Step 5 Configure route exchange between OSPFv3 and BGP on the CEs.
Configure OSPFv3 routes on the CEs and import them into BGP. To make the PE select the
route along Link_A as the optimal route, ensure that the MED configured for the OSPFv3 routes
imported into BGP on CE1 is smaller than that configured on CE2.
# Configure CE1.
[~CE1] bgp 65410
[~CE1-bgp] ipv6-family unicast
[~CE1-bgp-af-ipv6] import-route ospfv3 1 med 100
[~CE1-bgp-af-ipv6] quit
[~CE1-bgp] quit
[~CE1] commit

# Configure CE2.
[~CE2] bgp 65410
[~CE2-bgp] ipv6-family unicast
[~CE2-bgp-af-ipv6] import-route ospfv3 1 med 500
[~CE2-bgp-af-ipv6] quit
[~CE2-bgp] quit
[~CE2] commit

# Import BGP routes into OSPFv3 on CE1.


[~CE1] ospfv3 1
[~CE1-ospfv3-1] import-route bgp
[~CE1-ospfv3-1] quit
[~CE1] commit

# Import BGP routes into OSPFv3 on CE2.


[~CE2] ospfv3 1
[~CE2-ospfv3-1] import-route bgp
[~CE2-ospfv3-1] quit
[~CE2] commit

After the configuration is complete, run the display ipv6 routing-table vpn-instance command
on the PE, and you can find the route to Loopback 1 on Router A in the command output.
<PE> display ipv6 routing-table vpn-instance vpna
Routing Table : vpna
Destinations : 8 Routes : 8

Destination : 2000:: PrefixLength : 64


NextHop : 2000::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : GigabitEthernet1/0/0 Flags : D

Destination : 2000::1 PrefixLength : 128


NextHop : ::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : InLoopBack0 Flags : D

Destination : 2001:: PrefixLength : 64


NextHop : 2001::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : GigabitEthernet2/0/0 Flags : D

Destination : 2001::1 PrefixLength : 128


NextHop : ::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : InLoopBack0 Flags : D

Destination : 2002:: PrefixLength : 64


NextHop : 2000::2 Preference : 255
Cost : 100 Protocol : BGP
RelayNextHop : :: TunnelID : 0x0
Interface : GigabitEthernet1/0/0 Flags : D

Destination : 2003:: PrefixLength : 64


NextHop : 2001::2 Preference : 255
Cost : 0 Protocol : BGP
RelayNextHop : :: TunnelID : 0x0
Interface : GigabitEthernet2/0/0 Flags : D

Destination : 2004::1 PrefixLength : 128


NextHop : 2000::2 Preference : 255
Cost : 100 Protocol : BGP
RelayNextHop : :: TunnelID : 0x0
Interface : GigabitEthernet1/0/0 Flags : D

Destination : FE80:: PrefixLength : 10


NextHop : :: Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : NULL0 Flags : D

Step 6 Enable IPv6 Auto FRR for the private network on the PE.
# Configure the PE.
[~PE] bgp 100
[~PE-bgp] ipv6-family vpn-instance vpna
[~PE-bgp6-vpna] auto-frr
[~PE-bgp6-vpna] quit
[~PE-bgp] quit
[~PE] commit

NOTE

The auto-frr command run in the BGP-VPN instance IPv6 address family view is valid only for BGP routes.

Step 7 Verify the configuration.


Run the display ipv6 routing-table vpn-instance command on the PE. You can find that the
next hop to 2004::1/128 is 2000::2, and the PE has a backup next hop and a backup outbound
interface.
<PE> display ipv6 routing-table vpn-instance vpna 2004::1 verbose
Routing Table : vpna

Summary Count : 1

Destination : 2004::1 PrefixLength : 128


NextHop : 2000::2 Preference : 255
Neighbour : 2000::2 ProcessID : 0
Label : NULL Protocol : BGP
State : Active Adv Cost : 100
Entry ID : 27 EntryFlags : 0x80004100
Reference Cnt: 2 Tag : 0
IndirectID : 0x6 Age : 3sec
RelayNextHop : :: TunnelID : 0x0
Interface : GigabitEthernet1/0/0 Flags : D
BkNextHop : 2001::2 BkInterface : GigabitEthernet2/0/0
BkLabel : NULL BkTunnelID : 0x0
BkPETunnelID : 0x0 BkIndirectID : 0x5

Disable IPv6 on GE 2/0/0 on CE1 so that IPv6 routes cannot be transmitted over Link_A.
[~CE1] interface Gigabitethernet2/0/0
[~CE1-GigabitEthernet2/0/0] undo ipv6 enable
[~CE1-GigabitEthernet2/0/0] quit
[~CE1] commit

Run the display ipv6 routing-table vpn-instance command again on the PE. You can find that
the next hop to 2004::1/128 is 2001::2, and the PE does not have a backup next hop or a backup
outbound interface.
<PE> display ipv6 routing-table vpn-instance vpna 2004::1 verbose
Routing Table : vpna
Summary Count : 1

Destination : 2004::1 PrefixLength : 128


NextHop : 2001::2 Preference : 255
Neighbour : 2001::2 ProcessID : 0
Label : NULL Protocol : BGP
State : Active Adv Cost : 500
Entry ID : 27 EntryFlags : 0x80004100
Reference Cnt: 2 Tag : 0
IndirectID : 0x6 Age : 3sec
RelayNextHop : :: TunnelID : 0x0
Interface : GigabitEthernet2/0/0 Flags : D

IPv6 Auto FRR configured for routes on the private network has taken effect.

----End

Configuration Files
- Configuration file of the PE
#
sysname PE
#
ip vpn-instance vpna
ipv6-family
route-distinguisher 100:1
vpn-target 100:100 export-extcommunity
vpn-target 100:100 import-extcommunity
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ipv6 enable
ipv6 address 2000::1/64
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpna

ipv6 enable
ipv6 address 2001::1/64
#
bgp 100
#
ipv4-family unicast
undo synchronization
#
ipv6-family vpnv6
policy vpn-target
#
ipv6-family vpn-instance vpna
auto-frr
peer 2000::2 as-number 65410
peer 2001::2 as-number 65410
#
return

- Configuration file of CE1


#
sysname CE1
#
ospfv3 1
router-id 2.2.2.2
import-route bgp
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 2000::2/64
#
interface GigabitEthernet2/0/0
undo shutdown
ipv6 enable
ipv6 address 2002::1/64
ospfv3 1 area 0.0.0.0
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 65410
peer 2000::1 as-number 100
#
ipv4-family unicast
undo synchronization
#
ipv6-family unicast
undo synchronization
import-route ospfv3 1 med 100
peer 2000::1 enable
#
return

- Configuration file of CE2


#
sysname CE2
#
ospfv3 1
router-id 3.3.3.3
import-route bgp
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 2001::2/64
#
interface GigabitEthernet2/0/0
undo shutdown
ipv6 enable
ipv6 address 2003::1/64

ospfv3 1 area 0.0.0.0


#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 65410
peer 2001::1 as-number 100
#
ipv4-family unicast
undo synchronization
#
ipv6-family unicast
undo synchronization
import-route ospfv3 1 med 500
peer 2001::1 enable
#
return

- Configuration file of Router A


#
sysname RouterA
#
ospfv3 1
router-id 4.4.4.4
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 2002::2/64
ospfv3 1 area 0.0.0.0
#
interface GigabitEthernet2/0/0
undo shutdown
ipv6 enable
ipv6 address 2003::2/64
ospfv3 1 area 0.0.0.0
#
interface LoopBack1
ipv6 enable
ipv6 address 2004::1/128
ospfv3 1 area 0.0.0.0
#
return

3.14.9 Example for Configuring Hybrid FRR for IPv6 and VPNv6 Routes
In a network where a CE is dual-homed to two PEs, hybrid FRR can be configured on PEs to
protect the link between either PE and the CE. If the link between one of the PEs and the CE
fails, traffic destined for the CE can be switched to the other PE to reach the CE.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

A CE at an IPv6 VPN site is dual-homed to two PEs, and a VPNv6 peer relationship is set up
between the two PEs. To protect a link between the CE and one of the PEs, hybrid FRR for IPv6
and VPNv6 routes can be configured.

If the link fails, hybrid FRR can quickly switch traffic destined for the CE to the backup next
hop (a PE).

NOTE

Hybrid FRR for IPv6 and VPNv6 routes applies only to networking in which CEs establish BGP
peer relationships with PEs.

As shown in Figure 3-16, a CE is connected to PE2 and PE3; an MPLS public network tunnel
and a VPNv6 peer relationship are set up between PE2 and PE3. PE2 and PE3 use EBGP to
exchange routing information with the CE. PE3 learns from the CE a route to the interface
Loopback 1 on the CE and sends the route to its VPNv6 peer. As a result, PE2 has two BGP
routes to Loopback 1 on the CE: One is sent from the CE by using EBGP, and the other is sent
from PE3 by using MP-IBGP.

It is required that PE2 be configured to preferably select the EBGP route sent from the CE for
data forwarding and use the VPNv6 route sent from PE3 as a backup route. If the link between
PE2 and the CE fails, the link traffic can be switched to PE3 that serves as the backup next hop.

Figure 3-16 Networking diagram for configuring hybrid FRR for IPv6 and VPNv6 routes
[Figure 3-16 topology: PE1 (Loopback1 1.1.1.1/32), PE2 (Loopback1 2.2.2.2/32), and PE3
(Loopback1 3.3.3.3/32) form the VPN backbone in AS 100. PE1 POS2/0/0 100.1.1.1/30 connects to
PE2 POS1/0/0 100.1.1.2/30; PE1 POS3/0/0 100.2.1.1/30 connects to PE3 POS1/0/0 100.2.1.2/30;
PE2 POS3/0/0 110.1.1.1/30 connects to PE3 POS3/0/0 110.1.1.2/30. The CE (AS 65410, vpn1 site,
Loopback1 200:0:1:2::1/128) connects GE1/0/0 2001::1/64 to PE2 GE2/0/0 2001::2/64 and
GE2/0/0 2003::1/64 to PE3 GE2/0/0 2003::2/64.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure OSPF on the MPLS backbone network for IP connectivity between PE1, PE2,
and PE3.
2. Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the
MPLS backbone network.
3. Establish an MP-IBGP peer relationship between PE1, PE2, and PE3.
4. Configure a VPN instance that supports the IPv6 address family on each PE, and connect
the CE to PE2 and PE3.
5. Establish an EBGP peer relationship between PE2 and the CE, and between PE3 and the
CE, and import the route of the loopback interface into BGP on the CE.

6. Configure Auto FRR for the BGP VPN instance IPv6 address family on PE2 so that the
VPNv6 route sent from PE3 can serve as a backup route.

Procedure
Step 1 Configure IPv4 addresses for interfaces on the backbone network of the VPN and IPv6 addresses
for interfaces at the VPN site. Details for configuration procedures are not provided here.
Step 2 Configure OSPF on the MPLS backbone network for IP connectivity between the PEs on the
backbone network. Details for configuration procedures are not provided here.
Step 3 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS
backbone network.
# Configure PE1.
<PE1> system-view
[~PE1] mpls lsr-id 1.1.1.1
[~PE1] mpls
[~PE1-mpls] quit
[~PE1] mpls ldp
[~PE1-mpls-ldp] quit
[~PE1] interface pos2/0/0
[~PE1-Pos2/0/0] mpls
[~PE1-Pos2/0/0] mpls ldp
[~PE1-Pos2/0/0] quit
[~PE1] interface pos3/0/0
[~PE1-Pos3/0/0] mpls
[~PE1-Pos3/0/0] mpls ldp
[~PE1-Pos3/0/0] quit
[~PE1] commit

# Configure PE2.
<PE2> system-view
[~PE2] mpls lsr-id 2.2.2.2
[~PE2] mpls
[~PE2-mpls] quit
[~PE2] mpls ldp
[~PE2-mpls-ldp] quit
[~PE2] interface pos1/0/0
[~PE2-Pos1/0/0] mpls
[~PE2-Pos1/0/0] mpls ldp
[~PE2-Pos1/0/0] quit
[~PE2] interface pos3/0/0
[~PE2-Pos3/0/0] mpls
[~PE2-Pos3/0/0] mpls ldp
[~PE2-Pos3/0/0] quit
[~PE2] commit

# Configure PE3.
<PE3> system-view
[~PE3] mpls lsr-id 3.3.3.3
[~PE3] mpls
[~PE3-mpls] quit
[~PE3] mpls ldp
[~PE3-mpls-ldp] quit
[~PE3] interface pos1/0/0
[~PE3-Pos1/0/0] mpls
[~PE3-Pos1/0/0] mpls ldp
[~PE3-Pos1/0/0] quit
[~PE3] interface pos3/0/0
[~PE3-Pos3/0/0] mpls
[~PE3-Pos3/0/0] mpls ldp
[~PE3-Pos3/0/0] quit
[~PE3] commit

Run the display mpls lsp command on the PEs. You can see that LSPs are set up between PE1
and PE2, and between PE1 and PE3. The following uses the display on PE1 as an example:
[~PE1] display mpls lsp
----------------------------------------------------------------------
LSP Information: LDP LSP
----------------------------------------------------------------------
FEC In/Out Label In/Out IF Vrf Name
2.2.2.2/32 NULL/3 -/Pos2/0/0
2.2.2.2/32 1024/3 -/Pos2/0/0
3.3.3.3/32 NULL/3 -/Pos3/0/0
3.3.3.3/32 1025/3 -/Pos3/0/0

Step 4 Establish an MP-IBGP peer relationship between the PEs.


# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] peer 2.2.2.2 as-number 100
[~PE1-bgp] peer 2.2.2.2 connect-interface loopback 1
[~PE1-bgp] peer 3.3.3.3 as-number 100
[~PE1-bgp] peer 3.3.3.3 connect-interface loopback 1
[~PE1-bgp] ipv6-family vpnv6
[~PE1-bgp-af-vpnv6] peer 2.2.2.2 enable
[~PE1-bgp-af-vpnv6] peer 3.3.3.3 enable
[~PE1-bgp-af-vpnv6] quit
[~PE1-bgp] quit
[~PE1] commit

# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] peer 1.1.1.1 as-number 100
[~PE2-bgp] peer 1.1.1.1 connect-interface loopback 1
[~PE2-bgp] peer 3.3.3.3 as-number 100
[~PE2-bgp] peer 3.3.3.3 connect-interface loopback 1
[~PE2-bgp] ipv6-family vpnv6
[~PE2-bgp-af-vpnv6] peer 1.1.1.1 enable
[~PE2-bgp-af-vpnv6] peer 3.3.3.3 enable
[~PE2-bgp-af-vpnv6] quit
[~PE2-bgp] quit
[~PE2] commit

# Configure PE3.
[~PE3] bgp 100
[~PE3-bgp] peer 1.1.1.1 as-number 100
[~PE3-bgp] peer 1.1.1.1 connect-interface loopback 1
[~PE3-bgp] peer 2.2.2.2 as-number 100
[~PE3-bgp] peer 2.2.2.2 connect-interface loopback 1
[~PE3-bgp] ipv6-family vpnv6
[~PE3-bgp-af-vpnv6] peer 1.1.1.1 enable
[~PE3-bgp-af-vpnv6] peer 2.2.2.2 enable
[~PE3-bgp-af-vpnv6] quit
[~PE3-bgp] quit
[~PE3] commit

After this step is complete, run the display bgp vpnv6 all peer command on the PEs. You can
find that the status of the MP-IBGP peer relationship between the PEs is Established. This means
that the MP-IBGP peer relationships are successfully set up.
The following uses the display on PE1 as an example:
[~PE1] display bgp vpnv6 all peer
BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2.2.2.2 4 100 20 17 0 00:13:26 Established 5

3.3.3.3 4 100 24 19 0 00:17:18 Established 5

Step 5 Configure a VPN instance that supports the IPv6 address family on each PE, and connect the
CE to PE2 and PE3.
# Configure PE1.
[~PE1] ip vpn-instance vpn1
[~PE1-vpn-instance-vpn1] ipv6-family
[~PE1-vpn-instance-vpn1-af-ipv6] route-distinguisher 100:1
[~PE1-vpn-instance-vpn1-af-ipv6] vpn-target 111:1
[~PE1-vpn-instance-vpn1-af-ipv6] quit
[~PE1-vpn-instance-vpn1] quit
[~PE1] commit

# Configure PE2.
[~PE2] ip vpn-instance vpn1
[~PE2-vpn-instance-vpn1] ipv6-family
[~PE2-vpn-instance-vpn1-af-ipv6] route-distinguisher 100:2
[~PE2-vpn-instance-vpn1-af-ipv6] vpn-target 111:1
[~PE2-vpn-instance-vpn1-af-ipv6] quit
[~PE2-vpn-instance-vpn1] quit
[~PE2] interface gigabitethernet2/0/0
[~PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[~PE2-GigabitEthernet2/0/0] ipv6 enable
[~PE2-GigabitEthernet2/0/0] ipv6 address 2001::2 64
[~PE2-GigabitEthernet2/0/0] quit
[~PE2] commit

# Configure PE3.
[~PE3] ip vpn-instance vpn1
[~PE3-vpn-instance-vpn1] ipv6-family
[~PE3-vpn-instance-vpn1-af-ipv6] route-distinguisher 100:3
[~PE3-vpn-instance-vpn1-af-ipv6] vpn-target 111:1
[~PE3-vpn-instance-vpn1-af-ipv6] quit
[~PE3-vpn-instance-vpn1] quit
[~PE3] interface gigabitethernet2/0/0
[~PE3-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[~PE3-GigabitEthernet2/0/0] ipv6 enable
[~PE3-GigabitEthernet2/0/0] ipv6 address 2003::2 64
[~PE3-GigabitEthernet2/0/0] quit
[~PE3] commit

Step 6 Establish an EBGP peer relationship between PE2 and the CE, and between PE3 and the CE,
and import the route of the loopback interface into BGP on the CE.
# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] ipv6-family vpn-instance vpn1
[~PE2-bgp6-vpn1] peer 2001::1 as-number 65410
[~PE2-bgp6-vpn1] quit
[~PE2-bgp] quit
[~PE2] commit

# Configure PE3.
[~PE3] bgp 100
[~PE3-bgp] ipv6-family vpn-instance vpn1
[~PE3-bgp6-vpn1] peer 2003::1 as-number 65410
[~PE3-bgp6-vpn1] quit
[~PE3-bgp] quit
[~PE3] commit

# Configure the CE.


[~CE] bgp 65410

[~CE-bgp] router-id 10.10.10.10


[~CE-bgp] peer 2001::2 as-number 100
[~CE-bgp] peer 2003::2 as-number 100
[~CE-bgp] ipv6-family unicast
[~CE-bgp-af-ipv6] peer 2001::2 enable
[~CE-bgp-af-ipv6] peer 2003::2 enable
[~CE-bgp-af-ipv6] network 200:0:1:2::1 128
[~CE-bgp-af-ipv6] quit
[~CE-bgp] quit
[~CE] commit

After the configuration is complete, run the display ipv6 routing-table vpn-instance command
on PE2, and you can find the route to Loopback 1 on the CE in the command output.
<PE2> display ipv6 routing-table vpn-instance vpn1 200:0:1:2::1 128
Routing Table : vpn1
Summary Count : 1

Destination : 200:0:1:2::1 PrefixLength : 128


NextHop : 2001::1 Preference : 255
Cost : 0 Protocol : BGP
RelayNextHop : 2001::1 TunnelID : 0x0
Interface : GigabitEthernet2/0/0 Flags : RD

Step 7 Configure VPNv6 Auto FRR on PE2, and adjust the precedence of EBGP routes to make PE2
select an EBGP route preferably.
# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] ipv6-family vpn-instance vpn1
[~PE2-bgp6-vpn1] preference 100 255 255
[~PE2-bgp6-vpn1] auto-frr
[~PE2-bgp6-vpn1] quit
[~PE2-bgp] quit
[~PE2] commit

Step 8 Verify the configuration.


After the configuration is complete, run the display ipv6 routing-table vpn-instance
verbose command on PE2. You can view information about the primary and backup routes to
the loopback interface on the CE in the routing table of the VPN instance IPv6 address family.
Because the EBGP route takes precedence over the IBGP route, PE2 selects the EBGP route
sent from the CE to forward data and uses the IBGP route sent from PE3 as the backup route. The
Bk-prefixed fields in the output below carry information about the backup next hop, backup label,
and backup tunnel ID. The information shows that a hybrid FRR entry is generated.
<PE2> display ipv6 routing-table vpn-instance vpn1 200:0:1:2::1 verbose
Routing Table : vpn1
Summary Count : 1

Destination : 200:0:1:2::1 PrefixLength : 128


NextHop : 2001::1 Preference : 100
Neighbour : :: ProcessID : 0
Label : NULL Protocol : BGP
State : Active Adv Relied Cost : 0
Entry ID : 14 EntryFlags : 0x00000000
Reference Cnt: 0 Tag : 0
IndirectID : 0x8a9 Age : 3sec
RelayNextHop : 2001::1 TunnelID : 0x0
Interface : GigabitEthernet2/0/0 Flags : RD
BkNextHop : :: BkInterface : LDP LSP
BkLabel : 17 BkTunnelID : 0x0
BkPETunnelID : 0x0000000001004c4b44 BkIndirectID : 0xae

Run the shutdown command on GE 2/0/0 on PE2, and then run the display ipv6 routing-table
vpn-instance verbose command on PE2. You can find that the next hop to the loopback interface
on the CE is changed to PE3.

<PE2> display ipv6 routing-table vpn-instance vpn1 200:0:1:2::1 verbose


Routing Table : vpn1
Summary Count : 1

Destination : 200:0:1:2::1 PrefixLength : 128


NextHop : ::FFFF:3.3.3.3 Preference : 255
Neighbour : :: ProcessID : 0
Label : 17 Protocol : BGP
State : Active Adv Relied Cost : 0
Entry ID : 0 EntryFlags : 0x00000000
Reference Cnt: 0 Tag : 0
IndirectID : 0xa5 Age : 9sec
RelayNextHop : :: TunnelID : 0x0000000001004c4b42
Interface : LDP LSP Flags : RD

Hybrid FRR for IPv6 and VPNv6 routes has taken effect.

----End
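The verification steps of 3.14.8 and 3.14.9 check by eye whether a route has a backup path. The following Python parser does the same check on the verbose route entry; it is an added example, not part of the Huawei guide. The function names, the three category labels, and the rule that separates them are assumptions derived from the sample outputs on this page.

```python
import re

# Field names seen in the verbose route entries on this page.
KEYS = ["Destination", "PrefixLength", "NextHop", "Preference", "Neighbour",
        "ProcessID", "Label", "Protocol", "State", "Cost", "Entry ID",
        "EntryFlags", "Reference Cnt", "Tag", "IndirectID", "Age",
        "RelayNextHop", "TunnelID", "Interface", "Flags", "BkNextHop",
        "BkInterface", "BkLabel", "BkTunnelID", "BkPETunnelID", "BkIndirectID"]

# Longest names first; the look-behind keeps "NextHop" from matching inside
# "BkNextHop", and ":" must be followed by whitespace so IPv6 values survive.
_KEY_RE = re.compile(
    r"(?<![A-Za-z])("
    + "|".join(re.escape(k) for k in sorted(KEYS, key=len, reverse=True))
    + r")\s*:(?=\s|$)")


def parse_entry(text):
    """Return {field: value} for one entry; wrapped values are rejoined."""
    flat = " ".join(text.split())
    hits = list(_KEY_RE.finditer(flat))
    fields = {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(flat)
        fields[hit.group(1)] = flat[hit.end():end].strip()
    return fields


def _is_set(value):
    """False for the placeholders the router prints: '', '::', NULL, 0x0."""
    if value in ("", "::", "NULL"):
        return False
    if value.lower().startswith("0x"):
        return int(value, 16) != 0
    return True


def frr_status(text):
    """Classify the entry (labels and rule are this example's assumptions)."""
    f = parse_entry(text)
    backup = {k: f.get(k, "") for k in
              ("BkNextHop", "BkInterface", "BkLabel", "BkPETunnelID")}
    if not any(_is_set(v) for v in backup.values()):
        kind = "unprotected"      # no backup installed for this route
    elif _is_set(backup["BkLabel"]):
        kind = "labelled-backup"  # backup reached through a remote PE (hybrid FRR)
    else:
        kind = "ip-backup"        # backup is another directly attached CE
    return {"destination": f.get("Destination"), "next_hop": f.get("NextHop"),
            "kind": kind, "backup": backup}


# Samples excerpted from the outputs on this page (whitespace as extracted,
# some lines omitted from the second and third).
PRIVATE_BEFORE = """\
Destination : 2004::1 PrefixLength : 128
NextHop : 2000::2 Preference : 255
Neighbour : 2000::2 ProcessID : 0
Label : NULL Protocol : BGP
State : Active Adv Cost : 100
Entry ID : 27 EntryFlags : 0x80004100
Reference Cnt: 2 Tag : 0
IndirectID : 0x6 Age : 3sec
RelayNextHop : :: TunnelID : 0x0
Interface : GigabitEthernet1/0/0 Flags : D
BkNextHop : 2001::2 BkInterface :
GigabitEthernet2/0/0
BkLabel : NULL BkTunnelID : 0x0
BkPETunnelID : 0x0 BkIndirectID : 0x5
"""

PRIVATE_AFTER = """\
Destination : 2004::1 PrefixLength : 128
NextHop : 2001::2 Preference : 255
Neighbour : 2001::2 ProcessID : 0
Label : NULL Protocol : BGP
State : Active Adv Cost : 500
RelayNextHop : :: TunnelID : 0x0
Interface : GigabitEthernet2/0/0 Flags : D
"""

HYBRID = """\
Destination : 200:0:1:2::1 PrefixLength : 128
NextHop : 2001::1 Preference : 100
Neighbour : :: ProcessID : 0
Label : NULL Protocol : BGP
State : Active Adv Relied Cost : 0
RelayNextHop : 2001::1 TunnelID : 0x0
Interface : GigabitEthernet2/0/0 Flags : RD
BkNextHop : :: BkInterface : LDP LSP
BkLabel : 17 BkTunnelID : 0x0
BkPETunnelID : 0x0000000001004c4b44 BkIndirectID : 0xae
"""

if __name__ == "__main__":
    for name in ("PRIVATE_BEFORE", "PRIVATE_AFTER", "HYBRID"):
        print(name, frr_status(globals()[name])["kind"])
```

A route that reports "unprotected" after a failover, as in the second sample, has no remaining backup, so a further failure on that path is not covered by FRR.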

Configuration Files
- Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpn1
ipv6-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
#
mpls
#
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 100.1.1.1 255.255.255.252
mpls
mpls ldp
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 100.2.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
interface LoopBack2
ip binding vpn-instance vpn1
ip address 2.3.4.5 255.255.255.255
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
peer 3.3.3.3 enable
#
ipv6-family vpnv6
policy vpn-target
peer 2.2.2.2 enable
peer 3.3.3.3 enable
#
ipv6-family vpn-instance vpn1
import-route direct
#
ospf 1
area 0.0.0.0
network 100.1.1.0 0.0.0.3
network 100.2.1.0 0.0.0.3
network 1.1.1.1 0.0.0.0
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv6-family
route-distinguisher 100:2
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 2.2.2.2
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.1.1.2 255.255.255.252
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ipv6 enable
ip binding vpn-instance vpn1
ipv6 address 2001::2/64
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 110.1.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
peer 3.3.3.3 enable
#
ipv6-family vpnv6
policy vpn-target
peer 1.1.1.1 enable
peer 3.3.3.3 enable
#
ipv6-family vpn-instance vpn1
preference 100 255 255
auto-frr
peer 2001::1 as-number 65410
#
ospf 1
area 0.0.0.0
network 100.1.1.0 0.0.0.3
network 110.1.1.0 0.0.0.3
network 2.2.2.2 0.0.0.0
#
return
• Configuration file of PE3
#
sysname PE3
#
ip vpn-instance vpn1
ipv6-family
route-distinguisher 100:3
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.3
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.2.1.2 255.255.255.252
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
undo shutdown
ipv6 enable
ip binding vpn-instance vpn1
ipv6 address 2003::2/64
#
interface Pos3/0/0
undo shutdown
link-protocol ppp
ip address 110.1.1.2 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv6-family vpnv6
policy vpn-target
peer 1.1.1.1 enable
peer 2.2.2.2 enable
#
ipv6-family vpn-instance vpn1
preference 100 255 255
auto-frr
peer 2003::1 as-number 65410
#
ospf 1
area 0.0.0.0
network 100.2.1.0 0.0.0.3
network 110.1.1.0 0.0.0.3
network 3.3.3.3 0.0.0.0
#
return

• Configuration file of the CE
#
sysname CE
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 2001::1/64
#
interface GigabitEthernet2/0/0
undo shutdown
ipv6 enable
ipv6 address 2003::1/64
#
interface LoopBack1
ipv6 enable
ipv6 address 200:0:1:2::1/128
#
bgp 65410
router-id 10.10.10.10
peer 2001::2 as-number 100
peer 2003::2 as-number 100
#
ipv4-family unicast
undo synchronization
#
ipv6-family unicast
undo synchronization
network 200:0:1:2::1 128
peer 2001::2 enable
peer 2003::2 enable
#
return

3.14.10 Example for Configuring an RR in an IPv6 VPN


If many MP-IBGP peer relationships need to be set up between PEs on the backbone network,
configuring a route reflector (RR) reduces the number of MP-IBGP peer relationships to
configure and the stress on PEs.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.

On the backbone network of an IPv6 VPN where a lot of VPNv6 peer relationships need to be
set up, a P or PE can be configured as the RR, and therefore other PEs only need to set up a
VPNv6 peer relationship with the RR. This reduces configurations of VPNv6 peer relationships
between PEs as well as the stress on PEs.

NOTE

To enhance the reliability of an RR-deployed network, two RRs can be configured for mutual backup.

As shown in Figure 3-17, PE1, PE2, and RR1 reside in AS 100, the backbone network; CE1
and CE2 belong to vpna. It is required that RR1 be configured as an RR for the IPv6 VPN.

Figure 3-17 Networking diagram for configuring an RR in an IPv6 VPN

[Figure: PE1, RR1, and PE2 are connected in series in AS 100. CE1 (AS 65410) is attached to
PE1, and CE2 (AS 65420) is attached to PE2.]

Device   Interface   IP address
PE1      Loopback1   1.1.1.9/32
         POS1/0/0    100.1.2.1/24
         POS2/0/0    2001::2/64
RR1      Loopback1   2.2.2.9/32
         POS1/0/0    100.1.2.2/24
         POS2/0/0    100.2.3.1/24
PE2      Loopback1   3.3.3.9/32
         POS1/0/0    100.2.3.2/24
         POS2/0/0    2002::2/64
CE1      POS1/0/0    2001::1/64
CE2      POS1/0/0    2002::1/64

Configuration Roadmap
The configuration roadmap is as follows:

1. Set up an MP-IBGP connection between each PE and the RR. There is no need to set up
an MP-IBGP peer relationship between the PEs.
2. Set up EBGP peer relationships between the PEs and CEs.
3. Establish LDP LSPs between the PEs and RR on the backbone network.
4. Configure the RR to receive all VPNv6 routing information without filtering the
information by VPN targets.

Data Preparation
To complete the configuration, you need the following data:

• MPLS LSR IDs of the PEs and RR1
• Name of the VPN instance created on PE1 and PE2, and the RD and VPN target of the
VPN instance IPv6 address family
• Routing protocol running between the PEs and CE for route exchange (EBGP in this
configuration example)

Procedure
Step 1 Configure an IP address for each interface. For details on the configuration procedures, see the
following configuration files.
Step 2 Configure an IGP on the MPLS backbone network so that devices on the backbone network can
learn the route to one another's loopback interface.
OSPF is used as the IGP in this example. Details for the configuration procedures are not
provided here.
After the configuration is complete, run the display ip routing-table command on each device
on the backbone network. You can find that the devices have learned the route to one another's
loopback interface.
The following uses the display on PE1 as an example:
<PE1> display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 9 Routes : 9
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.9/32 Direct 0 0 D 127.0.0.1 InLoopBack0
2.2.2.9/32 OSPF 10 1 D 100.1.2.2 Pos1/0/0
3.3.3.9/32 OSPF 10 3 D 100.1.2.2 Pos1/0/0
100.1.2.0/24 Direct 0 0 D 100.1.2.1 Pos1/0/0
100.1.2.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
100.1.2.2/32 Direct 0 0 D 100.1.2.2 Pos1/0/0
100.2.3.0/24 OSPF 10 2 D 100.1.2.2 Pos1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Step 3 Enable MPLS and MPLS LDP globally and on the interfaces of the PEs and RR1, and set up
LDP LSPs between the PEs and RR1.
Enable MPLS and MPLS LDP globally and on the interfaces of PE1, RR1, and PE2. For details
on the configuration procedures, see the following configuration files.
After the configuration is complete, run the display mpls ldp session command on each PE and
RR1. The session status is displayed as "Operational", which means that the LDP peer
relationship is successfully set up.
The following uses the display on RR1 as an example:
<RR1> display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
----------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
----------------------------------------------------------------------
1.1.1.9:0 Operational DU Active 0000:00:02 11/11
3.3.3.9:0 Operational DU Passive 0000:00:01 8/8
----------------------------------------------------------------------
TOTAL: 2 session(s) Found.

Step 4 Configure a VPN instance that supports the IPv6 address family on each PE.
For details on the configuration procedures, see Example for Configuring Basic BGP/MPLS
IPv6 VPN.
Step 5 Establish EBGP peer relationships between the PEs and the CEs to import VPN routes.
For details on the configuration procedures, see Example for Configuring Basic BGP/MPLS
IPv6 VPN.
After the configuration is complete, run the display bgp vpnv6 vpn-instance peer command
on each PE. You can find that the status of EBGP peer relationships between the PEs and the
CEs is Established.
The following uses the display on PE1 as an example:
<PE1> display bgp vpnv6 vpn-instance vpna peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1

Peer       V     AS  MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
2001::1    4  65410     1385     1392     0  17:39:46  Established  1

Step 6 Establish a VPNv6 peer relationship between each PE and RR1.


# Configure PE1.
<PE1> system-view
[~PE1] bgp 100
[~PE1-bgp] peer 2.2.2.9 as-number 100
[~PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[~PE1-bgp] ipv6-family vpnv6
[~PE1-bgp-af-vpnv6] peer 2.2.2.9 enable
[~PE1-bgp-af-vpnv6] quit
[~PE1-bgp] quit
[~PE1] commit

# Configure RR1.
<RR1> system-view
[~RR1] bgp 100
[~RR1-bgp] peer 1.1.1.9 as-number 100
[~RR1-bgp] peer 1.1.1.9 connect-interface loopback 1
[~RR1-bgp] peer 3.3.3.9 as-number 100
[~RR1-bgp] peer 3.3.3.9 connect-interface loopback 1
[~RR1-bgp] ipv6-family vpnv6
[~RR1-bgp-af-vpnv6] peer 1.1.1.9 enable
[~RR1-bgp-af-vpnv6] peer 3.3.3.9 enable
[~RR1-bgp-af-vpnv6] quit
[~RR1-bgp] quit
[~RR1] commit

The configuration of PE2 is similar to the configuration of PE1. For details on the configuration
procedure for PE2, see the following configuration files.
After the configuration is complete, run the display bgp vpnv6 all peer command on PEs or
RR1. You can find that the status of the MP-IBGP peer relationships between the PEs and RR1 is
Established.
The following uses the display on RR1 as an example:
<RR1> display bgp vpnv6 all peer

BGP local router ID : 2.2.2.9
Local AS number : 100
Total number of peers : 2 Peers in established state : 2

Peer       V     AS  MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
1.1.1.9    4    100     1263     1530     0  19:46:01  Established  1
3.3.3.9    4    100     1170     1109     0  17:50:26  Established  1

Step 7 Configure VPNv6 route reflection on RR1.


# Configure RR1.
[~RR1] bgp 100
[~RR1-bgp] ipv6-family vpnv6
[~RR1-bgp-af-vpnv6] reflector cluster-id 100
[~RR1-bgp-af-vpnv6] peer 1.1.1.9 reflect-client
[~RR1-bgp-af-vpnv6] peer 3.3.3.9 reflect-client
[~RR1-bgp-af-vpnv6] peer 1.1.1.9 next-hop-local
[~RR1-bgp-af-vpnv6] peer 3.3.3.9 next-hop-local
[~RR1-bgp-af-vpnv6] undo policy vpn-target
[~RR1-bgp-af-vpnv6] quit
[~RR1-bgp] quit
[~RR1] commit

Step 8 Verify the configuration.


Run the display ipv6 routing-table vpn-instance command on each PE. You can find that the
PEs have learned the routes to remote VPN sites and that the iterated outbound interfaces
point to RR1.
The following uses the display on PE1 as an example:
<PE1> display ipv6 routing-table vpn-instance vpna
Routing Table : vpna
Destinations : 4 Routes : 4

Destination : 2001:: PrefixLength : 64


NextHop : 2001::2 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : Pos2/0/0 Flags : D

Destination : 2001::2 PrefixLength : 128


NextHop : ::1 Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : InLoopBack0 Flags : D

Destination : 2002:: PrefixLength : 64


NextHop : ::FFFF:2.2.2.9 Preference : 255
Cost : 0 Protocol : BGP
RelayNextHop : ::FFFF:100.1.2.2 TunnelID : 0xa0010080
Interface : Pos1/0/0 Flags : RD

Destination : FE80:: PrefixLength : 10


NextHop : :: Preference : 0
Cost : 0 Protocol : Direct
RelayNextHop : :: TunnelID : 0x0
Interface : NULL0 Flags : D

CE1 and CE2 can successfully ping each other even though no VPNv6 peer relationship is
configured between PE1 and PE2. This indicates that the RR is successfully configured.

----End
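
The following check is an added example, not part of the Huawei guide: a Python audit of the VPN-target filtering setting that roadmap item 4 and Step 7 change on the RR. The sample configurations are excerpts constructed from the configuration files of this example, the function names are hypothetical, and the check assumes that filtering stays enabled when undo policy vpn-target is absent.

```python
import re

# Constructed samples: excerpts of the RR and PE1 configuration files in this
# example, in the same flattened, '#'-separated layout.
RR_CFG = """#
sysname RR
#
bgp 100
#
ipv6-family vpnv6
reflector cluster-id 100
undo policy vpn-target
peer 1.1.1.9 enable
peer 1.1.1.9 reflect-client
peer 3.3.3.9 enable
peer 3.3.3.9 reflect-client
#
"""
PE1_CFG = """#
sysname PE1
#
ip vpn-instance vpna
ipv6-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
bgp 100
#
ipv6-family vpnv6
policy vpn-target
peer 2.2.2.9 enable
#
"""

def stanzas(cfg):
    """Split a flattened config on '#' lines into {first line: remaining lines}."""
    out = {}
    for block in re.split(r"(?m)^#[ \t]*$", cfg):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines:
            out[lines[0]] = lines[1:]
    return out

def audit(cfg):
    """Return findings about VPN-target filtering in the BGP VPNv6 address family."""
    st = stanzas(cfg)
    vpnv6 = st.get("ipv6-family vpnv6", [])
    has_vpn_instance = any(h.startswith("ip vpn-instance ") for h in st)
    # Assumption: filtering is on unless 'undo policy vpn-target' is present.
    filtering_off = "undo policy vpn-target" in vpnv6
    clients = {ln.split()[1] for ln in vpnv6 if ln.endswith(" reflect-client")}
    enabled = {ln.split()[1] for ln in vpnv6 if ln.endswith(" enable")}
    findings = []
    if clients and not has_vpn_instance and not filtering_off:
        findings.append("RR has no VPN instance but still filters by VPN target")
    if has_vpn_instance and filtering_off:
        findings.append("PE with VPN instances accepts VPNv6 routes of every VPN target")
    findings += [f"reflect-client {p} is not enabled for VPNv6"
                 for p in sorted(clients - enabled)]
    return findings
```

An empty list means the device matches the pattern of this example: filtering is disabled only on the RR, and every reflect-client is also enabled in the VPNv6 address family.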

Configuration Files
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpna
ipv6-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.1.2.1 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ipv6 enable
ip binding vpn-instance vpna
ipv6 address 2001::2/64
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 2.2.2.9 enable
#
ipv6-family vpn-instance vpna
peer 2001::1 as-number 65410
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 100.1.2.0 0.0.0.255
#
return
• Configuration file of the RR
#
sysname RR
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.1.2.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 100.2.3.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv6-family vpnv6
reflector cluster-id 100
undo policy vpn-target
peer 1.1.1.9 enable
peer 1.1.1.9 reflect-client
peer 1.1.1.9 next-hop-local
peer 3.3.3.9 enable
peer 3.3.3.9 reflect-client
peer 3.3.3.9 next-hop-local
#
ospf 1
area 0.0.0.0
network 100.1.2.0 0.0.0.255
network 100.2.3.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpna
ipv6-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 100.2.3.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ipv6 enable
ip binding vpn-instance vpna
ipv6 address 2002::2/64
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 2.2.2.9 enable
#
ipv6-family vpn-instance vpna
peer 2002::1 as-number 65420
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 100.2.3.0 0.0.0.255
#
return

• Configuration file of CE1
#
sysname CE1
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ipv6 enable
ipv6 address 2001::1/64
#
bgp 65410
peer 2001::2 as-number 100
#
ipv6-family unicast
undo synchronization
peer 2001::2 enable
import-route direct
#
return

• Configuration file of CE2
#
sysname CE2
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ipv6 enable
ipv6 address 2002::1/64
#
bgp 65420
peer 2002::2 as-number 100
#
ipv6-family unicast
undo synchronization
peer 2002::2 enable
import-route direct
#
return
