Huawei AR Series Access Routers

CLI-based Configuration Guide - VPN 7 BGP/MPLS IP VPN Configuration

7 BGP/MPLS IP VPN Configuration

About This Chapter

An enterprise can build its own BGP/MPLS IP VPN network to implement secure
interconnection between its headquarters and branches. The BGP/MPLS IP VPN
network ensures high-quality communication within the enterprise network.
7.1 Overview of BGP/MPLS IP VPN
This section describes the definition, background, and functions of BGP/MPLS IP
VPN.
7.2 Understanding BGP/MPLS IP VPN
This section describes the implementation of BGP/MPLS IP VPN.
7.3 Application Scenarios for BGP/MPLS IP VPN
This section describes the application scenarios for BGP/MPLS IP VPN.
7.4 Summary of BGP/MPLS IP VPN Configuration Tasks
After basic BGP/MPLS IP VPN configurations are complete, a simple VPN network
can be established using MPLS technology. To deploy special BGP/MPLS IP VPN
networking, perform other configuration tasks according to the reference sections
provided in the following table.
7.5 Licensing Requirements and Limitations for BGP/MPLS IP VPN
7.6 Default Settings for BGP/MPLS IP VPN
This section describes the default settings for BGP/MPLS IP VPN.
7.7 Configuring BGP/MPLS IP VPN
This section describes the procedures for configuring BGP/MPLS IP VPN functions.
7.8 Maintaining BGP/MPLS IP VPN
You can check route summary information in a VPN instance, monitor network
connectivity, and reset BGP connections when maintaining a BGP/MPLS IP VPN
network.
7.9 Configuration Examples for BGP/MPLS IP VPN
This section provides several configuration examples of BGP/MPLS IP VPN
networking. In each configuration example, the networking requirements,
configuration roadmap, configuration procedures, and configuration files are
provided.

Issue 09 (2023-08-01) Copyright © Huawei Technologies Co., Ltd. 680


7.10 FAQ About BGP/MPLS IP VPN


This section describes the FAQ about BGP/MPLS IP VPN.

7.1 Overview of BGP/MPLS IP VPN


This section describes the definition, background, and functions of BGP/MPLS IP
VPN.

Definition
A BGP/MPLS IP VPN is a Layer 3 virtual private network (L3VPN). A BGP/MPLS IP
VPN uses the Border Gateway Protocol (BGP) to advertise VPN routes and uses
Multiprotocol Label Switching (MPLS) to forward VPN packets on backbone
networks. Here, IP indicates that Internet Protocol (IP) packets are carried by the VPN.
Figure 7-1 shows the BGP/MPLS IP VPN model.

Figure 7-1 BGP/MPLS IP VPN model

(Figure: CE devices at the VPN 1 and VPN 2 sites attach to PE devices at the edge of the IP/MPLS backbone; P devices sit inside the backbone.)

The BGP/MPLS IP VPN model consists of the following entities:


● Customer Edge (CE): a device that is deployed at the edge of a customer
network and has interfaces directly connected to the service provider (SP)
network. A CE device can be a router, a switch, or a host. Generally, CE devices
do not detect VPNs and do not need to support MPLS.
● Provider Edge (PE): a device that is deployed at the edge of an SP network
and directly connected to a CE device. On an MPLS network, PE devices
process all VPN services and must have high performance.
● Provider (P): a backbone device that is deployed on an SP network and is not
directly connected to CE devices. P devices only need to provide basic MPLS
forwarding capabilities and do not maintain VPN information.
PE and P devices are managed by SPs. CE devices are managed by customers
unless customers authorize SPs to manage their CE devices.
A PE device can connect to multiple CE devices. A CE device can connect to
multiple PE devices of the same SP or different SPs.

Purpose
A traditional VPN sets up full-mesh tunnels or permanent virtual circuits (PVCs)
between all sites to forward VPN data. This method makes networks difficult to
maintain and expand. When a new site is added to an established VPN, a network
administrator must modify the configuration of all edge nodes connected to this
site.
A BGP/MPLS IP VPN uses a peer model that enables SPs and customers to
exchange routing information. The SPs are responsible for forwarding data of
customers, without participation of the customers. A BGP/MPLS IP VPN is more
scalable and easier to manage than a traditional VPN. When a new site is
added, a network administrator only needs to modify the configuration of the
edge nodes serving the new site.
BGP/MPLS IP VPN allows overlapping address spaces and overlapping VPNs so
that VPNs can be flexibly deployed and expanded. In addition, BGP/MPLS IP VPN
supports MPLS Traffic Engineering (TE). Because of these merits, BGP/MPLS IP
VPN has become an important approach for IP network carriers to provide
value-added services and is now widely used.

7.2 Understanding BGP/MPLS IP VPN


This section describes the implementation of BGP/MPLS IP VPN.

7.2.1 Concepts
Site
The term "site" is used frequently in VPN technology. The following describes a site
from different aspects:
● A site is a group of IP systems with IP connectivity, which can be achieved
independent of SP networks.
Figure 7-2 shows an example of sites. On the networks on the left side in
Figure 7-2, the headquarters of company X in city A is a site, and the branch
of company X in city B is another site. IP devices can communicate within
each site without using the carrier network.

Figure 7-2 Sites


(Figure: two panels. "Two sites": Site A, the headquarters of X company in City A, and Site B, the branch of X company in City B, each attach through their own CE to the carrier's network. "One site": Site X, in which the headquarters in City A and the branch in City B sit behind one CE attached to the carrier's network.)

● Sites are configured based on topologies between devices but not their
geographic locations, although devices in a site are geographically adjacent to
each other in most cases. Two geographically separated IP systems can also
compose a site if they are connected through leased lines and can
communicate without the use of the carrier network.
On the right of Figure 7-2, the branch network in city B connects to the
headquarters network in city A through leased lines but not a carrier network.
The branch network and the headquarters network compose a site.
● The devices in a site may belong to multiple VPNs. That is, a site may belong
to multiple VPNs.
As shown in Figure 7-3, the decision-making department of company X in city
A (Site A) is allowed to communicate with the R&D department in city B (Site
B) and the financial department in city C (Site C). Site B and Site C are not
allowed to communicate with each other. In this case, two VPNs, VPN1 and
VPN2, can be established. Site A and Site B belong to VPN1; Site A and Site C
belong to VPN2. Site A belongs to two VPNs.

Figure 7-3 One site belonging to multiple VPNs

(Figure: the carrier's network connects three CE devices. Site A is the decision-making department of X company, Site B the R&D department, and Site C the financial department; VPN 1 and VPN 2 are drawn across the sites.)

● A site connects to a carrier network through CE devices. A site may have more
than one CE device, but a CE device belongs to only one site.
CE devices are selected according to sites:
– If a site is a host, the host is the CE device of the site.
– If a site is a subnet, switches are used as CE devices.
– If a site has multiple subnets, routers are used as CE devices.
Sites connected to the same carrier network can be grouped into different
sets using policies. Only sites that belong to the same set can communicate
with each other through the carrier network. Such a set is a VPN.

Address Space Overlapping


As a private network, each VPN manages an address space. Address spaces of
different VPNs may overlap. For example, if both VPN1 and VPN2 use addresses
on the network segment 10.110.10.0/24, their address spaces overlap.

VPNs can use overlapping address spaces in the following situations:

● Two VPNs do not cover the same site.


● Two VPNs cover the same site, but devices in the site do not need to
communicate with devices using overlapping address spaces in the VPNs.

VPN Instance
In BGP/MPLS IP VPN implementation, routes of different VPNs are isolated by VPN
instances.

A PE device establishes and maintains a VPN instance for each directly connected
site. A VPN instance contains VPN member interfaces and routes of the
corresponding site. Specifically, information in a VPN instance includes the IP
routing table, label forwarding table, interface bound to the VPN instance, and
VPN instance management information. VPN instance management information
includes the route distinguisher (RD), route filtering policy, and member interface
list of the VPN instance.
The relationships between VPNs, sites, and VPN instances are as follows:
● A VPN consists of multiple sites. A site may belong to multiple VPNs.
● A site is associated with a VPN instance on a PE device. A VPN instance
integrates VPN members and routing policies of associated sites. Multiple
sites compose a VPN based on rules of the VPN instance.
● VPN instances are not mapped to VPNs on a one-to-one basis, whereas VPN
instances are mapped to sites on a one-to-one basis.
A VPN instance is also called a VPN routing and forwarding table (VRF). A PE
device has multiple routing and forwarding tables, including a public routing and
forwarding table and one or more VRFs. Figure 7-4 shows VPN instances.

Figure 7-4 VPN instances


(Figure: CE devices at Site1 (VPN1) and Site2 (VPN2) attach to one PE on the IP/MPLS backbone. The PE holds a VPN1 VPN-instance, a VPN2 VPN-instance, and the public forwarding table.)

A public routing and forwarding table and a VRF differ in the following aspects:
● A public routing table contains IPv4 routes of all the PE and P devices. The
routes are static routes or dynamic routes generated by routing protocols on
the backbone network.
● A VPN routing table contains routes of all sites that belong to a VPN instance.
The routes are obtained through the exchange of VPN routing information
between PE devices or between CE and PE devices.
● Information in a public forwarding table is extracted from the public routing
table according to route management policies, whereas information in a VPN
forwarding table is extracted from the corresponding VPN routing table.
VPN instances on a PE device are independent of each other and maintain a
VRF independent of the public routing and forwarding table.
Each VPN instance can be considered as a virtual device, which maintains an
independent address space and connects to VPNs through interfaces.

RD and VPN-IPv4 Address


Traditional BGP cannot process VPN routes with overlapping address spaces. For
example, VPN1 and VPN2 use addresses on the network segment 10.110.10.0/24,
and they each advertise a route to this network segment. The local PE device can
identify routes based on VPN instances. However, when the routes are advertised
to the remote PE device, BGP selects only one of the two routes because load
balancing is not performed between routes of different VPNs. The other route is
lost.
To address the preceding problem, PE devices use Multiprotocol Extensions for
BGP-4 (MP-BGP) to advertise VPN routes and use the VPN-IPv4 address.
A VPN-IPv4 address has 12 bytes. The first eight bytes represent the RD, and the
last four bytes represent the IPv4 address prefix, as shown in Figure 7-5.

Figure 7-5 VPN-IPv4 address

Route Distinguisher (8 bytes): Type field (2 bytes) | Administrator subfield | Assigned Number subfield
IPv4 address prefix (4 bytes)

RDs distinguish IPv4 prefixes with the same address space. IPv4 addresses with
RDs are VPN-IPv4 addresses (VPNv4 addresses). After receiving IPv4 routes from a
CE device, a PE device converts the routes into globally unique VPN-IPv4 routes
and advertises the routes on the public network.
SPs can allocate RDs independently because of the RD format. When CE devices
are dual-homed to PE devices, the RD must be globally unique to ensure correct
routing. As shown in Figure 7-6, a CE device is dual-homed to PE1 and PE2. PE1
also functions as a route reflector (RR).

Figure 7-6 Networking diagram of CE dual-homing


(Figure: the CE at the VPN site, 10.1.1.1/8, is dual-homed to PE1 and PE2. PE1 is also the RR; PE3 sits across the IP/MPLS backbone.)

PE1 is an edge device of the backbone network and advertises a VPN-IPv4 route
with the IPv4 prefix 10.1.1.1/8 to PE3. PE1 also functions as an RR and reflects a
VPN-IPv4 route with the IPv4 prefix 10.1.1.1/8 from PE2 to PE3.
● If the VPN has the same RD on PE1 and PE2, the two VPN-IPv4 routes to
10.1.1.1/8 have the same destination address. Therefore, PE3 receives only one
VPN-IPv4 route (CE -> PE1 -> PE3) to 10.1.1.1/8 from PE1. If the direct link
between PE1 and the CE is faulty, PE3 deletes the VPN-IPv4 route to
10.1.1.1/8. Then another route to 10.1.1.1/8 needs to be established to
forward VPN data to 10.1.1.1/8. The path for the route is PE3 -> PE1 -> PE2 ->
CE. During the route establishment, user services will be interrupted.
● If the VPN has different RDs on PE1 and PE2, the two VPN-IPv4 routes to
10.1.1.1/8 have different destination addresses. Therefore, PE3 receives two
VPN-IPv4 routes to 10.1.1.1/8 from PE1. When any link between PE1 and CE
becomes faulty, PE3 deletes the corresponding route and keeps the other
one. Data destined for 10.1.1.1/8 can still be correctly forwarded.
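
The VPN-IPv4 encoding of Figure 7-5 and the dual-homing case of Figure 7-6, as an added Python example that is not part of the Huawei guide. The RD type codes 0, 1 and 2 follow RFC 4364; the RD values 100:1, 200:1 and 100:2 and the one-path-per-destination table are assumptions made for the illustration.

```python
import ipaddress
import struct


def encode_rd(rd):
    """Encode 'administrator:number' (asplain AS or IPv4 address) as an 8-byte RD."""
    admin, number = rd.rsplit(":", 1)
    number = int(number)
    if "." in admin:      # type 1: 4-byte IPv4 administrator, 2-byte assigned number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, number)
    admin = int(admin)
    if admin <= 0xFFFF:   # type 0: 2-byte AS administrator, 4-byte assigned number
        return struct.pack("!HHI", 0, admin, number)
    return struct.pack("!HIH", 2, admin, number)  # type 2: 4-byte AS, 2-byte number


def vpn_ipv4(rd, prefix):
    """Return the 12-byte VPN-IPv4 address: 8-byte RD followed by the IPv4 prefix."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return encode_rd(rd) + net.network_address.packed


def decode_vpn_ipv4(raw):
    """Split a 12-byte VPN-IPv4 address back into (RD string, IPv4 prefix address)."""
    if len(raw) != 12:
        raise ValueError("a VPN-IPv4 address is exactly 12 bytes")
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == 0:
        admin, number = struct.unpack("!HI", raw[2:8])
    elif rd_type == 1:
        packed, number = struct.unpack("!4sH", raw[2:8])
        admin = ipaddress.IPv4Address(packed)
    elif rd_type == 2:
        admin, number = struct.unpack("!IH", raw[2:8])
    else:
        raise ValueError(f"unknown RD type {rd_type}")
    return f"{admin}:{number}", str(ipaddress.IPv4Address(raw[8:]))


def ipv4_key(prefix):
    net = ipaddress.IPv4Network(prefix, strict=False)
    return net.network_address.packed, net.prefixlen


def vpnv4_key(rd, prefix):
    net = ipaddress.IPv4Network(prefix, strict=False)
    return vpn_ipv4(rd, prefix), net.prefixlen


def best_per_destination(paths, key):
    """Keep one path per destination key (no load balancing); later paths are lost."""
    table = {}
    for path in paths:
        table.setdefault(key(path), path)
    return table


def overlap_demo():
    """VPN1 and VPN2 both advertise 10.110.10.0/24 (RDs are constructed values)."""
    paths = [
        {"rd": "100:1", "prefix": "10.110.10.0/24", "next_hop": "PE1"},
        {"rd": "200:1", "prefix": "10.110.10.0/24", "next_hop": "PE1"},
    ]
    plain = best_per_destination(paths, lambda p: ipv4_key(p["prefix"]))
    vpnv4 = best_per_destination(paths, lambda p: vpnv4_key(p["rd"], p["prefix"]))
    return len(plain), len(vpnv4)


def dual_homing_demo(rd_pe1, rd_pe2):
    """Routes PE3 holds for 10.1.1.1/8, before and right after the PE1-CE link fails."""
    paths = [
        {"rd": rd_pe1, "prefix": "10.1.1.1/8", "next_hop": "PE1"},
        {"rd": rd_pe2, "prefix": "10.1.1.1/8", "next_hop": "PE2"},
    ]
    at_pe3 = best_per_destination(paths, lambda p: vpnv4_key(p["rd"], p["prefix"]))
    surviving = {k: p for k, p in at_pe3.items() if p["next_hop"] != "PE1"}
    return len(at_pe3), len(surviving)


if __name__ == "__main__":
    print(vpn_ipv4("100:1", "10.110.10.0/24").hex())
    print("plain IPv4 vs VPN-IPv4 entries:", overlap_demo())
    print("same RD on PE1 and PE2:", dual_homing_demo("100:1", "100:1"))
    print("one RD per PE:", dual_homing_demo("100:1", "100:2"))
```

With a shared RD, PE3 is left with no route at the moment of failure; with one RD per PE it still holds the path through PE2.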

VPN Target
A VPN target, also called the route target (RT), is a BGP extended community
attribute. BGP/MPLS IP VPN uses VPN targets to control the advertisement of
VPN routes.
A VPN instance is associated with one or more VPN target attributes. VPN target
attributes are classified into the following types:
● Export target: After a PE device learns IPv4 routes from directly connected
sites, it converts the routes to VPN-IPv4 routes and sets the export target
attribute for those routes. The export target attribute is advertised with the
routes as a BGP extended community attribute.
● Import target: After a PE device receives VPN-IPv4 routes from other PE
devices, it checks the export target attribute of the routes. If the export target
is the same as the import target of a VPN instance on the local PE device, the
local PE device adds the route to the VPN routing table.
BGP/MPLS IP VPN uses VPN targets to control advertisement and receiving of VPN
routes between sites. VPN export targets are independent of import targets. An
export target and an import target can be configured with multiple values to
implement flexible VPN access control and VPN networking.
For example, if the import target of a VPN instance contains 100:1, 200:1, and
300:1, any route with the export target of 100:1, 200:1, or 300:1 is added to the
routing table of the VPN instance.

7.2.2 Implementation
This section describes BGP/MPLS IP VPN implementation:
● VPN Label Distribution
● VPN Route Cross
● Public Network Tunnel Iteration
● VPN Route Selection Rules
● Route Advertisement in BGP/MPLS IP VPN
● Packet Forwarding in BGP/MPLS IP VPN

VPN Label Distribution


Before advertising private routes to other PE devices on the backbone network
through MP-BGP, a PE device must assign MPLS labels (VPN labels) to the private
routes. Packets transmitted over the backbone network carry MPLS labels.

A PE device allocates MPLS labels in either of the following ways:


● One label per route
Each route in a VRF is assigned one label. When a large number of routes
exist on the network, the Incoming Label Map (ILM) maintains a large
number of entries, which requires high router capacity.
● One label per instance
Each VPN instance is assigned one label. All the routes of a VPN instance
share the same label, saving labels.

NOTE

MP-BGP can allocate labels to private routes only after MPLS is enabled on the PE device.

VPN Route Cross


The routes exchanged between two PE devices through MP-BGP are VPNv4 routes.
A PE device checks received VPNv4 routes and drops the following routes:
● VPNv4 routes with unreachable next hops
● VPNv4 routes received from an RR with the cluster_id of the PE device in the
cluster_list
● VPNv4 routes that are denied by the BGP routing policy
The PE device matches the remaining routes with the Import Targets of VPN
instances. The matching process is called VPN route cross.
Some routes sent from local CE devices belong to different VPNs. The PE device
also matches these routes with Import Targets of local VPN instances if these
routes have reachable next hops or can be iterated. The matching process is called
local VPN route cross. For example, CE1 resides in a site of VPN1, and CE2 resides
in a site of VPN2. Both CE1 and CE2 connect to PE1. When PE1 receives routes of
VPN1 from CE1, PE1 also matches the routes with the Import Target of the
instance of VPN2.

NOTE

To correctly forward a packet, a BGP-enabled device must find a directly reachable
address through which the packet can be forwarded to the next hop in the routing table.
The route to the directly reachable address is called a dependent route, because BGP guides
packet forwarding based on the route. The process of finding a dependent route based on
the next-hop address is called route iteration.

Public Network Tunnel Iteration


To transmit traffic of private networks across a public network, tunnels need to be
established on the public network. After VPN route cross is complete, PE devices
perform route iteration based on destination IPv4 prefixes to find the appropriate
tunnels (except for local cross routes). Then tunnel iteration is performed. The
routes are injected into the VPN routing table only after tunnel iteration succeeds.
The process of iterating routes to corresponding tunnels is called tunnel iteration.
After tunnel iteration succeeds, tunnel IDs are reserved for subsequent packet
forwarding. A tunnel ID identifies a tunnel. In VPN packet forwarding, the PE
devices search for tunnels based on tunnel IDs.

VPN Route Selection Rules


Not all the cross routes processed by tunnel iteration are installed to VPN routing
tables. Similarly, not all the routes received from the local CE devices and the local
cross routes are injected into VPN routing tables.
When multiple routes to the same destination are available, a PE device selects
one route based on the following rules if load balancing is not configured:
● If a route received from a local CE device and a cross route are destined to the
same destination, the PE device selects the route received from the local CE
device.
● If a local cross route and a cross route received from another PE device are
destined for the same destination, the PE device selects the local cross route.
If load balancing is configured, the PE device selects one route based on the
following rules:
● Preferentially selects the route from the local CE device. When one route from
the local CE device and multiple cross routes exist, the PE device selects the
route from the local CE device.
● Performs load balancing between the routes from the local CE device or
between the cross routes. The PE device does not perform load balancing
between the routes from the local CE device and the cross routes.
● The AS_Path attributes of the routes participating in load balancing must be
the same.

Route Advertisement in BGP/MPLS IP VPN


In basic BGP/MPLS IP VPN application, CE and PE devices are responsible for
advertising VPN routes, whereas P devices only need to maintain routes of the
backbone network without knowing VPN routes. Generally, PE devices maintain all
VPN routes.
VPN routes are advertised from the local CE device to the ingress PE device, from
the ingress PE device to the egress PE device, and from the egress PE device to the
remote CE device. After the whole route advertisement process is complete, the
local and remote CE devices have reachable routes to each other, and VPN routes
can be advertised on the backbone network.
The route advertisement process is as follows:
● Route advertisement from the local CE device to the ingress PE device
After a neighbor or peer relationship is set up between a CE device and the
directly connected PE device, the CE device advertises the local IPv4 routes to
the PE device. The CE and PE devices can use static routes, the Routing
Information Protocol (RIP), the Open Shortest Path First (OSPF) protocol, the
Intermediate System-to-Intermediate System (IS-IS) protocol, or BGP (Border
Gateway Protocol). No matter which routing protocol is used, the routes
advertised by the CE device to the PE device are standard IPv4 routes.
● Route advertisement from the ingress PE device to the egress PE device
– After learning VPN routes from a CE device, the ingress PE device adds
RDs to standard IPv4 routes. The routes are changed into VPN-IPv4
routes.
– The ingress PE device advertises the MP-BGP Update messages
containing VPN-IPv4 routes to the egress PE device. The Update
messages contain Export Targets and MPLS labels.
– When the egress PE device receives the VPN-IPv4 routes and if the next
hops are reachable, it performs VPN route cross, tunnel iteration, and
route selection to determine whether to inject the routes into the VRF.
For the routes added to the VPN routing table, the local PE stores the
tunnel IDs and MPLS labels carried in MP-BGP Update messages for
subsequent packet forwarding.
● Route advertisement from the egress PE device to the remote CE device
The remote CE device can learn VPN routes from the egress PE device through
static routes, RIP, OSPF, IS-IS, or BGP. Route advertisement from the egress PE
device to the remote CE device is the same as that from the local CE device to
the ingress PE device. The routes advertised by the egress PE device to the
remote CE device are standard IPv4 routes.

Figure 7-7 shows route advertisement from CE2 to CE1. In this example, BGP runs
between CE and PE devices, and LSPs are used.

Figure 7-7 Route advertisement from CE2 to CE1

(Figure: CE1, ingress PE, P, egress PE, and CE2 in a row across the IP/MPLS backbone. On each CE, IGP routes are imported into the BGP routing table and sent in a BGP Update; the egress PE sends a BGP Update message carrying the label, RD, and export RT; the ingress PE performs route cross and tunnel iteration before the route enters its VPN routing table.)

1. Interior Gateway Protocol (IGP) routes are imported into the BGP IPv4 unicast
address family of CE2.
2. CE2 advertises an EBGP Update message with routing information to the
egress PE device. After receiving the message, the egress PE device converts
the route to a VPN-IPv4 route, and then installs the route to the VPN routing
table.
3. The egress PE device allocates an MPLS label to the route. Then it adds the
label and VPN-IPv4 routing information to the NLRI field and the export
target to the extended community attribute field of the MP-IBGP Update
message. After that, the egress PE device sends the Update message to the
ingress PE device.
4. After receiving the message, the ingress PE device performs VPN route cross.
After the VPN route cross succeeds, the ingress PE device performs tunnel
iteration based on the destination IPv4 address to find the appropriate tunnel.
If tunnel iteration succeeds, the ingress PE device stores the tunnel ID and
label, and then adds the route to the VPN routing table of the VPN instance.
5. The ingress PE device advertises a BGP Update message with the route to
CE1. The advertised route is an IPv4 route.
6. After receiving the route, CE1 installs the route to the BGP routing table. CE1
can import the route to the IGP routing table by importing BGP routes to IGP.

To ensure that CE1 and CE2 can communicate, CE1 also needs to advertise routes
to CE2. The process is similar to the preceding one.

Packet Forwarding in Basic BGP/MPLS IP VPN


In basic BGP/MPLS IP VPN applications (excluding inter-AS VPN), VPN packets are
forwarded with double labels:
● Outer label (public network label): is swapped on the backbone network,
identifies an LSP from a PE device to a remote PE device, and enables VPN
packets to reach the remote PE device through the LSP.
● Inner label (VPN label): is used when VPN packets are sent from the remote
PE device to a CE device, and identifies the site (or specifically, the CE device)
to which VPN packets are sent. The remote PE device finds the outbound
interface for VPN packets according to the inner label.

If two sites of a VPN connect to the same PE device, the PE device only needs to
know how VPN packets can reach the remote CE device.

Figure 7-8 shows packet forwarding from CE1 to CE2. In Figure 7-8, I-L indicates
an inner label, and O-L indicates an outer label.

Figure 7-8 Forwarding of a VPN packet from CE1 to CE2

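(Figure: CE1, ingress PE, P, egress PE, and CE2 across the IP/MPLS backbone. The ingress PE pushes I-L and O-L1 onto the data, the P device switches the outer label from O-L1 to O-L2, and the egress PE pops the labels before sending the data to CE2.)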

1. CE1 sends a VPN packet.


2. After receiving the packet on the interface bound to a VPN instance, the
ingress PE device processes the packet as follows:
– Searches for the corresponding VPN forwarding table based on the RD of
the VPN instance.
– Matches the destination IPv4 prefix to find the corresponding tunnel ID.
– Adds I-L to the packet and finds the tunnel based on the tunnel ID.
– Sends the packet through the tunnel and adds O-L1 to the packet.
Then the packet travels across the backbone network with double MPLS
labels. Each P device on the backbone network swaps the outer label of the
packet.
3. After receiving the packet with double labels, the egress PE device delivers the
packet to MPLS for processing. MPLS pops the outer label. In this example,
the final outer label of the packet is O-L2. If the PHP function is configured,
the outer label is popped on the hop before the egress PE device, and the
egress PE device receives the packet with only the inner label.
4. At this time, the egress PE device can only identify the inner label. Finding that the
label is at the bottom of the label stack, the egress PE device pops the
inner label.
5. The egress PE device sends the packet to CE2. At this time, the packet is an IP
packet.
The packet is successfully transmitted from CE1 to CE2. CE2 transmits the
packet to the destination according to the IP forwarding process.
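
The double-label forwarding steps above, as an added Python example that is not part of the Huawei guide. The 32-bit label stack entry layout (20-bit label, 3-bit traffic class, bottom-of-stack bit, 8-bit TTL) is from RFC 3032; the label values and the `vpn_label_table` lookup are constructed, and TTL handling is left out.

```python
import struct

I_L, O_L1, O_L2 = 1026, 2001, 2002   # constructed label values


def encode_entry(label, bottom, ttl=64, tc=0):
    """Pack one label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    if not 0 <= label < 1 << 20:
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def decode_stack(packet):
    """Return (labels from top to bottom, payload); the S bit marks the last entry."""
    labels, offset = [], 0
    while True:
        if offset + 4 > len(packet):
            raise ValueError("truncated label stack: bottom-of-stack bit never set")
        (word,) = struct.unpack_from("!I", packet, offset)
        offset += 4
        labels.append(word >> 12)
        if (word >> 8) & 1:
            return labels, packet[offset:]


def ingress_pe(ip_packet, inner, outer):
    """Step 2: add the VPN label as bottom of stack, then the tunnel label on top."""
    return encode_entry(outer, False) + encode_entry(inner, True) + ip_packet


def p_swap(packet, new_outer):
    """A P device swaps only the outer label and leaves the VPN label untouched."""
    labels, _ = decode_stack(packet)
    if len(labels) < 2:
        raise ValueError("no outer label above the VPN label")
    return encode_entry(new_outer, False) + packet[4:]


def penultimate_pop(packet):
    """PHP: the hop before the egress PE removes the outer label."""
    labels, _ = decode_stack(packet)
    if len(labels) < 2:
        raise ValueError("no outer label above the VPN label")
    return packet[4:]


def egress_pe(packet, vpn_label_table):
    """Steps 3 to 5: pop the remaining labels and pick the interface from the VPN label."""
    labels, payload = decode_stack(packet)
    inner = labels[-1]                      # bottom-of-stack entry is the VPN label
    if inner not in vpn_label_table:
        raise LookupError(f"no VPN instance for label {inner}; packet dropped")
    return vpn_label_table[inner], payload


def walk(ip_packet, php=False):
    """Follow one packet CE1 -> ingress PE -> P -> egress PE -> CE2."""
    vpn_label_table = {I_L: "interface to CE2"}
    pkt = ingress_pe(ip_packet, I_L, O_L1)
    seen = [decode_stack(pkt)[0]]           # stack as it leaves the ingress PE
    pkt = penultimate_pop(pkt) if php else p_swap(pkt, O_L2)
    seen.append(decode_stack(pkt)[0])       # stack as it reaches the egress PE
    out_if, payload = egress_pe(pkt, vpn_label_table)
    return seen, out_if, payload


if __name__ == "__main__":
    print(walk(b"IPv4-payload"))
    print(walk(b"IPv4-payload", php=True))
```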

7.2.3 Basic Networking


Intranet VPN
In an intranet VPN, all the users in the VPN can transmit packets to each other,
but cannot communicate with users outside the VPN. The sites within an intranet
VPN usually belong to the same organization.
In intranet VPN networking, each VPN is allocated a VPN target as the export
target and import target. The VPN target of a VPN cannot be used by other VPNs.

Figure 7-9 Intranet VPN networking


(Figure: four sites, Site1 to Site4, each attached through a CE to one of two PE devices joined by a P device across the IP/MPLS backbone. VPN1 instances use Import: 100:1, Export: 100:1; VPN2 instances use Import: 200:1, Export: 200:1.)

As shown in Figure 7-9, PE devices allocate the VPN target 100:1 to VPN1 and the
target 200:1 to VPN2. The two sites in the same VPN can communicate with each
other, whereas sites in different VPNs cannot communicate.

Extranet VPN
If users in a VPN need to access some sites of another VPN, extranet networking
can be used.
In extranet networking, if a VPN needs to access a shared site, its export target
must be included in the import target of the VPN instance covering the shared
site, and its import target must be included in the export target of the VPN
instance covering the shared site.

Figure 7-10 Extranet VPN networking


(Figure: Site1 of VPN1 attaches to PE1 with Import: 100:1, Export: 100:1; Site2 of VPN2 attaches to PE2 with Import: 200:1, Export: 200:1; Site3 of VPN1 attaches to PE3 with Import: 100:1, 200:1 and Export: 100:1, 200:1. PE1, PE2, and PE3 are joined by the IP/MPLS backbone.)

As shown in Figure 7-10, VPN1 and VPN2 can access Site3 of VPN1.
● PE3 can receive VPN-IPv4 routes advertised by PE1 and PE2.
● PE1 and PE2 can receive VPN-IPv4 routes advertised by PE3.
Site1 and Site3 of VPN1 can communicate with each other. Site2 of VPN2 and
Site3 of VPN1 can communicate with each other.
PE3 does not advertise the VPN-IPv4 routes learned from PE1 to PE2 and does not
advertise the VPN-IPv4 routes learned from PE2 to PE1. Therefore, Site1 of VPN1
and Site2 of VPN2 cannot communicate with each other.

Hub and Spoke


If a central access control device needs to be deployed to control communication
between VPN users, the Hub and Spoke networking can be used. The site with the
access control device deployed is the Hub site, and other sites are Spoke sites. The
following devices are used in Hub and Spoke networking:
● Hub-CE: is deployed in the Hub site and connected to the VPN backbone
network.
● Spoke-CE: is deployed in a Spoke site and connected to the VPN backbone
network.
● Hub-PE: is deployed on the VPN backbone network and connected to the Hub
site.
● Spoke-PE: is deployed on the VPN backbone network and connected to a
Spoke site.
A Spoke site advertises routes to the Hub site, and then the Hub site advertises
the routes to other Spoke sites. Spoke sites do not advertise routes to each other.
The Hub site controls communication between all Spoke sites.
In Hub and Spoke networking, two VPN targets are configured to represent Hub
and Spoke respectively. Figure 7-11 shows the Hub and Spoke networking.

Figure 7-11 Hub and Spoke networking


(Figure: Spoke-CEs at Site1 and Site2 attach to Spoke-PEs whose VPN1 instances use Import: Hub, Export: Spoke. The Hub-CE at Site3 attaches to the Hub-PE, which has two instances: VPN1-in with Import: Spoke and VPN1-out with Export: Hub. Arrows numbered 1 to 6 trace a route across the IP/MPLS backbone.)


The VPN targets of a PE device must comply with the following rules:

● The export target and import target of a Spoke-PE device are Spoke and Hub
respectively. The import target of any Spoke-PE device must be different from
the export target of any other Spoke-PE device.
● A Hub-PE device requires two interfaces or sub-interfaces.
– One interface or sub-interface receives routes from Spoke-PE devices. The
import target of the VPN instance on the interface is Spoke.
– The other interface or sub-interface advertises routes to Spoke-PE
devices. The export target of the VPN instance on the interface is Hub.

As shown in Figure 7-11, the Hub site controls communication between Spoke
sites. The arrows show the process of advertising a route from Site2 to Site1:

● The Hub-PE device can receive VPN-IPv4 routes advertised by all the Spoke-PE
devices.
● All the Spoke-PE devices can receive VPN-IPv4 routes advertised by the Hub-
PE.
● The Hub-PE device advertises the routes learned from Spoke-PE devices to the
Hub-CE device, and advertises the routes learned from the Hub-CE device to
all the Spoke-PE devices. By doing this, the Spoke sites can access each other
through the Hub site.
● The import target of any Spoke-PE device is different from the export targets
of other Spoke-PE devices. Therefore, any two Spoke-PE devices do not
directly advertise VPN-IPv4 routes to each other. The Spoke sites cannot
directly communicate with each other.
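The VPN target matching behind both the extranet and the Hub and Spoke networking can be checked mechanically before a configuration is deployed. The following Python sketch is an added example, not part of the Huawei guide: it models each VPN instance by its import and export targets, derives which sites learn each other's routes, and flags a Spoke-PE whose import target also matches the Spoke export target. The `MISCONFIGURED` data set and all function names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnInstance:
    """One VPN instance on a PE device and the site it serves."""
    site: str
    name: str
    import_rts: frozenset
    export_rts: frozenset


def inst(site, name, imports=(), exports=()):
    return VpnInstance(site, name, frozenset(imports), frozenset(exports))


def learns_from(instances):
    """Return {(receiver_site, sender_site)}: the receiver installs the
    sender's VPN-IPv4 routes because an import target of the receiving
    instance matches an export target carried by the routes."""
    pairs = set()
    for rx in instances:
        for tx in instances:
            if rx.site != tx.site and rx.import_rts & tx.export_rts:
                pairs.add((rx.site, tx.site))
    return pairs


def direct_pairs(instances):
    """Site pairs that learn routes in both directions, so they can
    exchange traffic without passing through a third site."""
    learned = learns_from(instances)
    return {tuple(sorted(p)) for p in learned if (p[1], p[0]) in learned}


def leaks(instances, isolated):
    """Route exchanges, in either direction, between sites that the
    design requires to be isolated from each other."""
    return sorted(p for p in learns_from(instances) if frozenset(p) in isolated)


# Extranet networking of Figure 7-10.
EXTRANET = [
    inst("Site1", "VPN1", {"100:1"}, {"100:1"}),
    inst("Site2", "VPN2", {"200:1"}, {"200:1"}),
    inst("Site3", "VPN1", {"100:1", "200:1"}, {"100:1", "200:1"}),
]

# Hub and Spoke networking of Figure 7-11. The Hub-PE has two instances.
HUB_SPOKE = [
    inst("Site1", "VPN1", {"Hub"}, {"Spoke"}),
    inst("Site2", "VPN1", {"Hub"}, {"Spoke"}),
    inst("Site3", "VPN1-in", imports={"Spoke"}),
    inst("Site3", "VPN1-out", exports={"Hub"}),
]

# Constructed error case: the Spoke-PE of Site2 also imports "Spoke".
MISCONFIGURED = (
    HUB_SPOKE[:1]
    + [inst("Site2", "VPN1", {"Hub", "Spoke"}, {"Spoke"})]
    + HUB_SPOKE[2:]
)

SPOKES = {frozenset({"Site1", "Site2"})}

if __name__ == "__main__":
    print("extranet direct pairs:", sorted(direct_pairs(EXTRANET)))
    print("hub-spoke direct pairs:", sorted(direct_pairs(HUB_SPOKE)))
    print("leaks in misconfigured set:", leaks(MISCONFIGURED, SPOKES))
```

In the misconfigured set, Site2 installs Site1's routes directly from the Spoke-PE of Site1, so traffic from Site2 to Site1 no longer has to pass the access control device at the Hub site.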

7.2.4 Inter-AS VPN


The MPLS VPN solution is widely used, serving an increasing number of users in a
large number of applications. As more sites are developed in an enterprise, a site
at one geographical location often needs to connect to an ISP network at another
geographical location. Consider, for example, the inter-AS issue facing operators
who manage different metropolitan area networks (MANs) or backbone networks
that span different autonomous systems (AS).

Generally, MPLS VPN architecture runs within an AS. Routes of any VPN can be
flooded within the AS, and cannot be flooded to other ASs. To implement
exchange of VPN routes between different ASs, the inter-AS MPLS VPN model is
used. The inter-AS MPLS VPN model is an extension to MPLS VPN framework.
Through this model, route prefixes and labels can be advertised over links
between different carrier networks.

RFC defines the following inter-AS VPN solutions:

● Inter-Provider Backbones Option A: Autonomous system boundary routers
(ASBRs) manage VPN routes for inter-AS VPNs through dedicated interfaces.
This solution is also called VRF-to-VRF.
● Inter-Provider Backbones Option B: ASBRs advertise labeled VPN-IPv4 routes
to each other through MP-EBGP. This solution is also called EBGP
redistribution of labeled VPN-IPv4 routes.


● Inter-Provider Backbones Option C: PE devices advertise labeled VPN-IPv4
routes to each other through Multi-hop MP-EBGP. This solution is also called
Multi-hop EBGP redistribution of labeled VPN-IPv4 routes.

Inter-Provider Backbones Option A


● Introduction
Option A is a basic BGP/MPLS IP VPN application in an inter-AS scenario. In
this solution, ASBRs do not require extra configuration for inter-AS VPN and
do not need to run MPLS between them. ASBRs of the two ASs are directly
connected and function as the PE devices of the ASs. Each ASBR considers the
peer ASBR as its CE device and creates a VPN instance for each VPN. The ASBRs
use EBGP to advertise IPv4 routes.
As shown in Figure 7-12, ASBR2 in AS 200 is a CE of ASBR1 in AS 100, and
ASBR1 is a CE of ASBR2. VPN LSP indicates a private tunnel, and LSP
indicates a public tunnel.

Figure 7-12 Inter-Provider Backbones Option A


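[Figure 7-12 diagram: VPN1-CE1 and VPN2-CE1 attach to PE1 and PE2 in AS100; VPN1-CE2 and VPN2-CE2 attach to PE3 and PE4 in AS200; the PE devices run MP-IBGP with the ASBR of their AS; ASBR1 and ASBR2 create a VPN instance and logical interface for each VPN and use IP forwarding between them; VPN LSP1 and LSP1 are in AS100, VPN LSP2 and LSP2 are in AS200.]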

● Route advertisement
In Option A, PE and ASBR devices use MP-IBGP to exchange VPN-IPv4 routes.
Two ASBRs can run BGP, IGP multi-instance, or use static routes to exchange
VPN information. EBGP is recommended for inter-AS route exchange.
Figure 7-13 shows the process of advertising the route destined for
10.1.1.1/24 from CE1 to CE2. In Figure 7-13, D indicates the destination
address; NH indicates the next hop; L1 and L2 are private labels. Figure 7-13
does not show advertisement of public IGP routes and distribution of public
network labels.


Figure 7-13 Route advertisement of Option A


[Figure 7-13 diagram: CE1 advertises 10.1.1.1/24 (NH=CE1) to PE1 through BGP, OSPF, or RIP; PE1 sends ASBR1 a VPN-v4 update (RD: 1:27:10.1.1.1/24, NH=PE1, RT=100:1, Label=(L1)); ASBR1 in AS100 advertises D: 10.1.1.1/24, NH=ASBR1 to ASBR2 in AS200; ASBR2 sends PE3 a VPN-v4 update (RD: 1:27:10.1.1.1/24, NH=ASBR2, RT=100:1, Label=(L2)); PE3 advertises 10.1.1.1/24 (NH=PE3) to CE2 through BGP, OSPF, or RIP.]

● Packet forwarding
Figure 7-14 shows how packets are forwarded over the LSPs, which serve as
the tunnels on the public network. L1 and L2 are inner labels; Lx and Ly are
outer tunnel labels.

Figure 7-14 Packet forwarding of Option A


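[Figure 7-14 diagram: packets destined for 10.1.1.1/24 carry the labels Lx and L2 inside AS200 and the labels Ly and L1 inside AS100; they are forwarded as unlabeled IP packets between ASBR2 and ASBR1 and between the PE and CE devices.]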

● Characteristics
– Simplified configuration: MPLS does not need to run between ASBRs and
no extra configuration is required.
– Low scalability: ASBRs need to manage all VPN routes and create VPN
instances for each VPN. Because IP forwarding is performed between the
ASBRs, the ASBRs must reserve an interface for each inter-AS VPN.
Therefore, the PE devices must have high performance. If a VPN spans
multiple ASs, the intermediate ASs must support the VPN service. The
configuration is complex and intermediate ASs are affected. Option A is
applicable when the number of inter-AS VPNs is small.

Inter-Provider Backbones Option B


● Introduction
In Option B, two ASBRs use MP-EBGP to exchange labeled VPN-IPv4 routes
received from the PE devices in the ASs. In the figure, VPN LSPs are private
network tunnels, and LSPs are public network tunnels.


Figure 7-15 Inter-Provider Backbones Option B


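[Figure 7-15 diagram: VPN1-CE1 and VPN2-CE1 attach to PE1 and PE2 in AS100; VPN1-CE2 and VPN2-CE2 attach to PE3 and PE4 in AS200; the PE devices run MP-IBGP with the ASBR of their AS; ASBR1 and ASBR2 exchange VPN-v4 routes with each other; VPN LSPs run between the PE devices and the ASBRs and between the two ASBRs; LSP1 and LSP2 are the public tunnels.]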

In Option B, the ASBRs receive all inter-AS VPN-IPv4 routes within or outside
the local AS and advertise the routes. In basic MPLS VPN implementation, a
PE device stores only the VPN routes that match the VPN target of the local
VPN instance. The ASBRs are configured to store all the received VPN routes,
regardless of whether any local VPN instance matches the routes.
All the traffic is forwarded by the ASBRs. This facilitates traffic control but
increases the load on the ASBRs. BGP routing policies, such as VPN target
filtering policies, can be configured on the ASBRs so that the ASBRs save only
some of the VPN-IPv4 routes.
● Route advertisement
Figure 7-16 shows how the route destined for 10.1.1.1/24 is advertised from
CE1 to CE2. D indicates the destination address; NH indicates the next hop;
L1, L2, and L3 are inner labels. Figure 7-16 does not show advertisement of
public IGP routes and distribution of public network labels.

Figure 7-16 Route advertisement of Option B


[Figure 7-16 diagram: CE1 advertises 10.1.1.1/24 (NH=CE1) to PE1 through BGP, OSPF, or RIP; PE1 sends ASBR1 a VPN-v4 update (RD: 1:27:10.1.1.1/24, NH=PE1, RT=100:1, Label=(L1)); ASBR1 in AS100 sends ASBR2 in AS200 a VPN-v4 update (RD: 1:27:10.1.1.1/24, NH=ASBR1, RT=100:1, Label=(L2)); ASBR2 sends PE3 a VPN-v4 update (RD: 1:27:10.1.1.1/24, NH=ASBR2, RT=100:1, Label=(L3)); PE3 advertises 10.1.1.1/24 (NH=PE3) to CE2 through BGP, OSPF, or RIP.]

The route advertisement process is as follows:


a. CE1 uses BGP, OSPF, or RIP to advertise routes to PE1 in AS 100.
b. PE1 in AS 100 uses MP-IBGP to advertise labeled VPNv4 routes to ASBR1
in AS 100. If a route reflector (RR) is deployed on the network, PE1
advertises the VPNv4 routes to the RR, and then the RR reflects the
routes to ASBR1.
c. ASBR1 uses MP-EBGP to advertise the labeled VPNv4 routes to ASBR2.
Because MP-EBGP changes the next hop of the routes when advertising
the routes, ASBR1 allocates a new label to the VPNv4 routes.
d. ASBR2 uses MP-IBGP to advertise the labeled VPNv4 routes to PE3 in AS
200. If an RR is deployed on the network, ASBR2 advertises the VPNv4
routes to the RR, and then the RR reflects the routes to PE3. When ASBR2
advertises routes to an MP-IBGP peer in the local AS, it changes the next
hop of the routes to itself.
e. PE3 in AS 200 uses BGP, OSPF, or RIP to advertise the routes to CE2.
Both ASBR1 and ASBR2 swap inner labels of the VPNv4 routes. The inter-AS
labels are carried in BGP messages, so the ASBRs do not need to run signaling
protocols such as Label Distribution Protocol (LDP) or Resource Reservation
Protocol (RSVP).
● Packet forwarding
In Option B, both the ASBRs swap labels during packet forwarding. Figure
7-17 shows how packets are forwarded over the LSPs, which serve as the
tunnels on the public network. L1, L2, and L3 are inner labels; Lx and Ly are
outer tunnel labels.

Figure 7-17 Packet forwarding of Option B


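[Figure 7-17 diagram: label stacks on packets destined for 10.1.1.1/24. In AS200 the packet carries Lx and L3 from PE3 and only L3 after the P device; between ASBR2 and ASBR1 (MP-EBGP, VPN-v4) it carries L2; in AS100 it carries Ly and L1 from ASBR1 and only L1 after the P device; packets between the CE and PE devices are unlabeled IP packets.]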

● Characteristics
– Unlike Option A, Option B is not limited by the number of links between
ASBRs.
– Information about VPN routes is stored on and advertised by ASBRs.
When a large number of VPN routes exist, the overburdened ASBRs are
likely to encounter bottlenecks. Therefore, in the MP-EBGP solution, the
ASBRs that maintain VPN routes do not perform IP forwarding on the
public network.
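The Option B route advertisement steps a to e and the resulting inner-label swaps can be traced with a small model. The following Python sketch is an added example, not part of the Huawei guide: it follows the route for 10.1.1.1/24 with RD 1:27 and RT 100:1 from the figures, while the numeric label values (1001 for L1, 2001 for L2, 3001 for L3), the class names, and the omission of the outer tunnel labels Lx and Ly are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from itertools import count


@dataclass(frozen=True)
class VpnV4Update:
    rd: str
    prefix: str
    next_hop: str
    rts: tuple
    label: int          # inner (VPN) label carried in the BGP update


class Router:
    def __init__(self, name, label_base):
        self.name = name
        self._labels = count(label_base)   # constructed label space
        self.ilm = {}   # incoming inner label -> (outgoing label or None, next hop)
        self.vrf = {}   # prefix -> (inner label to push, BGP next hop)

    def originate(self, rd, prefix, rts, ce):
        """Egress PE: allocate an inner label for a route learned from a CE."""
        label = next(self._labels)
        self.ilm[label] = (None, ce)       # pop the label, forward IP to the CE
        return VpnV4Update(rd, prefix, self.name, rts, label)

    def readvertise(self, update):
        """ASBR: the next hop changes to this device, so a new label is
        allocated and a swap entry toward the previous next hop is installed."""
        label = next(self._labels)
        self.ilm[label] = (update.label, update.next_hop)
        return replace(update, next_hop=self.name, label=label)

    def install(self, update, import_rts):
        """Ingress PE: keep the route only if a VPN target matches."""
        if set(update.rts) & set(import_rts):
            self.vrf[update.prefix] = (update.label, update.next_hop)
            return True
        return False


def build_option_b():
    r = {name: Router(name, base) for name, base in
         (("PE1", 1001), ("ASBR1", 2001), ("ASBR2", 3001), ("PE3", 4001))}
    u1 = r["PE1"].originate("1:27", "10.1.1.1/24", ("100:1",), ce="CE1")  # step b
    u2 = r["ASBR1"].readvertise(u1)                                       # step c
    u3 = r["ASBR2"].readvertise(u2)                                       # step d
    r["PE3"].install(u3, import_rts=("100:1",))
    return r, [u1, u2, u3]


def forward(routers, ingress_pe, prefix):
    """Trace the inner label of a packet from the ingress PE to the CE.
    Returns (trace, final hop); the final hop is None if the packet is dropped."""
    if prefix not in routers[ingress_pe].vrf:
        return [(ingress_pe, "drop", None)], None
    label, hop = routers[ingress_pe].vrf[prefix]
    trace = [(ingress_pe, "push", label)]
    while hop in routers:
        entry = routers[hop].ilm.get(label)
        if entry is None:                  # label this device never allocated
            trace.append((hop, "drop", label))
            return trace, None
        out_label, next_hop = entry
        if out_label is None:
            trace.append((hop, "pop", label))
        else:
            trace.append((hop, "swap", out_label))
        label, hop = out_label, next_hop
    return trace, hop


if __name__ == "__main__":
    routers, updates = build_option_b()
    for u in updates:
        print(f"VPN-v4 update: NH={u.next_hop}, Label={u.label}")
    print(forward(routers, "PE3", "10.1.1.1/24"))
```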

Inter-Provider Backbones Option C


● Introduction
Option A and Option B can meet inter-AS VPN requirements. However, ASBRs
need to maintain and distribute VPN-IPv4 routes. When each AS needs to
exchange a large number of VPN routes, ASBRs may hinder network
extension.


To address this issue, PE devices can directly exchange VPN-IPv4 routes, and
ASBRs do not maintain or advertise VPN-IPv4 routes.
– The ASBRs use MP-IBGP to advertise labeled IPv4 routes to PE devices in
their respective ASs. The ASBRs also advertise labeled IPv4 routes
received from PE devices in the local AS to the ASBR peers in other ASs.
The ASBRs in the transit AS also advertise labeled IPv4 routes. A VPN LSP
can be established between the ingress PE and egress PE.
– The PE devices in different ASs establish a multi-hop EBGP connection to
exchange VPN-IPv4 routes.
– The ASBRs do not store or advertise VPN-IPv4 routes to each other.
Figure 7-18 shows the networking of inter-AS VPN Option C. In the figure,
VPN LSPs are private network tunnels, and LSPs are public network tunnels. A
BGP LSP enables two PE devices to exchange loopback interface information,
and it consists of two parts, for example, BGP LSP1 from PE1 to PE3 and BGP
LSP2 from PE3 to PE1.

Figure 7-18 Inter-Provider Backbones Option C


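[Figure 7-18 diagram: VPN1-CE1 and VPN2-CE1 attach to PE1 and PE2 in AS100; VPN1-CE2 and VPN2-CE2 attach to PE3 and PE4 in AS200; the PE devices run MP-IBGP with the ASBR of their AS; ASBR1 and ASBR2 run EBGP; Multi-Hop MP-BGP runs between the PE devices of the two ASs; a VPN LSP runs end to end over LSP1, LSP2, BGP LSP1, and BGP LSP2.]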

To improve network scalability, you can specify an RR in each AS. The RR
stores all VPN-IPv4 routes and exchanges VPN-IPv4 routes with the PE devices
in the local AS. The RRs in two ASs establish an MP-EBGP connection to
advertise VPN-IPv4 routes.


Figure 7-19 Inter-Provider Backbones Option C with an RR


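[Figure 7-19 diagram: PE1 and PE2 in AS100 run MP-IBGP with RR1, and PE3 and PE4 in AS200 run MP-IBGP with RR2; ASBR1 and ASBR2 run EBGP; RR1 and RR2 are connected through Multi-Hop MP-EBGP; a VPN LSP runs between the PE devices that serve VPN1-CE1, VPN2-CE1, VPN1-CE2, and VPN2-CE2.]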

● Route advertisement
The key to Option C is establishment of inter-AS tunnels on a public network.
Figure 7-20 shows how the route destined for 10.1.1.1/24 is advertised from
CE1 to CE2. D indicates the destination address; NH indicates the next hop; L3
indicates the inner label. L9 and L10 are BGP LSP labels. Figure 7-20 does not
show advertisement of public IGP routes and distribution of public network
labels.

Figure 7-20 Route advertisement of Option C


[Figure 7-20 diagram: CE1 advertises 10.1.1.1/24 (NH=CE1) to PE1 through BGP, OSPF, or RIP; PE1 sends a VPN-v4 update (RD: 1:27:10.1.1.1/24, NH=PE1, RT=100:1, Label=(L3)); the Loopback1 address of PE1, 1.1.1.1/32, is advertised by ASBR1 in AS100 as D: 1.1.1.1/32, NH=ASBR1, Label=(L9) and by ASBR2 in AS200 as D: 1.1.1.1/32, NH=ASBR2, Label=(L10); PE3 advertises 10.1.1.1/24 (NH=PE3) to CE2 through BGP, OSPF, or RIP.]

● Packet forwarding
Figure 7-21 shows how packets are forwarded over the LSPs, which serve as
the tunnels on the public network. L3 is the inner label; L9 and L10 are BGP
LSP labels; Lx and Ly are outer tunnel labels.


Figure 7-21 Packet forwarding of Option C


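[Figure 7-21 diagram: label stacks on packets destined for 10.1.1.1/24. In AS200 the packet carries Lx, L10, and L3 from PE3 and L10 and L3 after the P device; between ASBR2 and ASBR1 (EBGP) it carries L9 and L3; in AS100 it carries Ly and L3 from ASBR1 and only L3 after the P device; packets between the CE and PE devices are unlabeled IP packets.]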

Before forwarding a packet to PE1, PE2 adds three labels to the packet: VPN
route label, BGP LSP label, and public LSP label. When the packet reaches
ASBR2, two labels are left: VPN route label and BGP LSP label. When the
packet reaches ASBR1, the BGP LSP label is terminated. Then common MPLS
VPN forwarding is performed.
● Characteristics
– VPN routes are directly exchanged between the ingress PE and the egress
PE. The routes do not need to be stored and forwarded by intermediate
devices.
– Only PE devices need to exchange VPN routes. P devices and ASBRs are
only responsible for packet forwarding. The intermediate devices need to
support only MPLS forwarding, and do not need to support MPLS VPN
services. ASBRs are unlikely to encounter bottlenecks. Option C is suitable
for the VPNs that span multiple ASs.
– MPLS VPN load balancing is easy to carry out in Option C.
– Managing an end-to-end connection between PE devices has high costs.

7.2.5 MCE
Definition
A multi-VPN-instance CE (MCE) device can function as a CE device for multiple
VPN instances in BGP/MPLS IP VPN networking. The MCE function helps reduce
expenses of network devices.

Background
BGP/MPLS IP VPN uses tunnels to transmit data of private networks on a public
network. In the traditional BGP/MPLS IP VPN architecture, each VPN instance
must use a CE device to connect to a PE device, as shown in Figure 7-22.


Figure 7-22 Networking without an MCE device

[Figure 7-22 diagram: the VPN1, VPN2, and VPN3 sites each connect through their own CE device to the PE device on the IP/MPLS backbone.]

In many cases, a private network must be divided into multiple VPNs to
implement fine-grained service management and enhance security. Services of
users in different VPNs must be completely isolated. Deploying a CE device for
each VPN increases the cost of device procurement and maintenance. If multiple
VPNs share one CE device, data security cannot be ensured because all the VPNs
use the same routing and forwarding table.

MCE technology ensures data security between different VPNs while reducing
network construction and maintenance costs. Figure 7-23 shows MCE networking.

Figure 7-23 Networking with an MCE device

[Figure 7-23 diagram: the VPN1, VPN2, and VPN3 sites all connect through one MCE device to the PE device on the IP/MPLS backbone.]

An MCE device has some PE functions. By binding each VPN instance to a different
interface, an MCE device creates and maintains an independent VRF for each VPN.
This application is also called multi-VRF application. The MCE device isolates
forwarding paths of different VPNs on a private network and advertises routes of
each VPN to the peer PE device, ensuring that VPN packets are correctly
transmitted on the public network.


Implementation
An MCE device maintains a VRF for each VPN and binds each VPN instance to an
interface. When the MCE device receives a route, it checks the receiving interface
to determine the origin of the route and adds the route to the VRF of the VPN
instance bound to the interface.
The PE interfaces connected to the MCE device must also be bound to the VPN
instances. The bindings between interfaces and VPN instances on the PE device
must be the same as those on the MCE device. When the PE device receives a
packet, it checks the receiving interface to determine to which VPN the packet
belongs, and then transmits the packet in the corresponding tunnel.
In Figure 7-23:
● The MCE device saves routes learned from VPN1 in VRF1.
● The PE device saves routes of VPN1 learned from the MCE device in VRF1.
● Routes of VPN2 and VPN3 are isolated from routes of VPN1, and are not
saved in VRF1.
The MCE device exchanges routes with VPN sites and the PE device in the
following ways:
● Route exchange with VPN sites

Route Exchange Method | Implementation
Static routes | Static routes are bound to VPN instances on the MCE device. Static routes of different VPNs are isolated even if VPNs use overlapping address spaces.
Routing Information Protocol (RIP) | Each VPN instance is bound to a RIP process on the MCE device so that routes of different VPNs are exchanged between the MCE device and VPN sites using different RIP processes. This isolates routes of different VPNs and ensures security of VPN routes.
Open Shortest Path First (OSPF) | Each VPN instance is bound to an OSPF process on the MCE device to isolate routes of different VPNs.
Intermediate System to Intermediate System (IS-IS) | Each VPN instance is bound to an IS-IS process on the MCE device to isolate routes of different VPNs.
Border Gateway Protocol (BGP) | Each VPN instance is configured with a BGP peer on the MCE device. The MCE imports IGP routes of each VPN to the BGP routing table of the VPN.

● Route exchange with the PE device
Routes of different VPN instances are isolated on the MCE device. The MCE
and PE devices identify packets of different VPN instances according to
bindings between interfaces and VPN instances. An administrator only needs
to perform simple routing configuration on the MCE and PE devices, and to
import the VPN routes of the MCE device to the routing protocol running
between the MCE and PE devices.
The MCE and PE devices can use static routes, RIP, OSPF, IS-IS, or BGP to
exchange routes.
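The difference between one shared table and per-interface VRFs is easiest to see with overlapping address space. The following Python sketch is an added example, not part of the Huawei guide: the interface names, the gateway names, the prefix 192.168.1.0/24, and the link identifiers are constructed. It shows route placement by receiving interface, lookup restricted to the VRF of the incoming interface, and a check that the bindings on the MCE and PE ends of each link agree.

```python
import ipaddress


class RouteTable:
    """A routing table with longest-prefix-match lookup."""

    def __init__(self):
        self.routes = {}                    # ip_network -> next hop

    def add(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda net: net.prefixlen)]


class Mce:
    """One VRF per VPN instance, selected by the bound interface."""

    def __init__(self):
        self.bindings = {}                  # interface -> VPN instance
        self.vrfs = {}                      # VPN instance -> RouteTable

    def bind(self, interface, vpn):
        self.bindings[interface] = vpn
        self.vrfs.setdefault(vpn, RouteTable())

    def learn(self, interface, prefix, next_hop):
        """Add a received route to the VRF bound to the receiving interface."""
        vpn = self.bindings[interface]
        self.vrfs[vpn].add(prefix, next_hop)
        return vpn

    def forward(self, in_interface, dst):
        """Look up the destination only in the VRF of the incoming interface.
        Packets on an unbound interface are dropped (None)."""
        vpn = self.bindings.get(in_interface)
        if vpn is None:
            return None
        return self.vrfs[vpn].lookup(dst)


def binding_mismatches(mce_uplinks, pe_downlinks):
    """Links whose VPN instance differs between the MCE end and the PE end."""
    links = sorted(set(mce_uplinks) | set(pe_downlinks))
    return [(link, mce_uplinks.get(link), pe_downlinks.get(link))
            for link in links
            if mce_uplinks.get(link) != pe_downlinks.get(link)]


def build_mce():
    mce = Mce()
    for vpn in ("vpn1", "vpn2"):
        mce.bind(f"if-{vpn}-site", vpn)     # interface toward the VPN site
        mce.bind(f"if-{vpn}-pe", vpn)       # interface toward the PE device
    # Both sites use the same (constructed) address space.
    mce.learn("if-vpn1-site", "192.168.1.0/24", "vpn1-site-gw")
    mce.learn("if-vpn2-site", "192.168.1.0/24", "vpn2-site-gw")
    return mce


def build_shared():
    """A CE shared by both VPNs with a single table: the later route wins."""
    table = RouteTable()
    table.add("192.168.1.0/24", "vpn1-site-gw")
    table.add("192.168.1.0/24", "vpn2-site-gw")
    return table


if __name__ == "__main__":
    mce = build_mce()
    print("VPN1 packet ->", mce.forward("if-vpn1-pe", "192.168.1.10"))
    print("VPN2 packet ->", mce.forward("if-vpn2-pe", "192.168.1.10"))
    print("shared table ->", build_shared().lookup("192.168.1.10"))
```

With the single shared table, VPN1 traffic for 192.168.1.10 is delivered to the VPN2 site; with per-interface VRFs each packet stays in its own VPN.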

7.2.6 HoVPN

Definition
Hierarchy of VPN (HoVPN) is a multi-layer VPN architecture that deploys PE
functions on multiple PE devices. In this architecture, multiple PE devices play
different roles and fulfill the functions of one PE. HoVPN is also called hierarchy of
PE (HoPE).

Background
As key devices on a BGP/MPLS IP VPN network, PE devices must provide a
large number of interfaces for user access, and provide large-capacity memory
and high forwarding capabilities to manage and advertise VPN routes, and process
user packets.

Most networks use typical hierarchical architecture. For example, a MAN uses a
three-layer architecture consisting of the core, aggregation, and access layers.
From the core layer to the access layer, the requirements for device performance
decrease, but the network scale increases.

BGP/MPLS IP VPN uses a plane model, which has the same performance
requirement for all the PE devices. If some PE devices do not provide high
performance or scalability, the entire network is affected.

Because the plane model of BGP/MPLS IP VPN is different from the typical
hierarchical architecture, deployment of new PE devices at each layer is difficult
due to low scalability. This plane model hinders large-scale VPN deployment. The
HoVPN solution is developed to address this issue.

In the HoVPN model, devices at higher layers must have high routing and
forwarding capabilities, whereas devices at lower layers can have lower
capabilities.


Implementation
● HoVPN architecture

Figure 7-24 HoVPN architecture


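[Figure 7-24 diagram: CE devices of the VPN1 and VPN2 sites (Site1, Site2, and Site3) attach to UPE and PE devices; the UPE devices connect to an SPE device on the IP/MPLS backbone, and the UPE and SPE devices together form the HoPE.]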

As shown in Figure 7-24, the devices directly connected to user devices are
called underlayer PE or user-end PE (UPE) devices. The device that is deployed
within the backbone network and connected to UPE devices is called a
superstratum PE or service provider-end PE (SPE) device.
Multiple UPE devices and an SPE device form a hierarchy of PE and provide
functions of a traditional PE device.
● Relationship between the UPE and SPE
– The UPE device provides user access. It maintains routes of directly
connected VPN sites, but does not maintain routes of remote VPN sites or
only maintains summarized routes of remote VPN sites. Each UPE device
assigns an inner label to routes of directly connected sites and uses MP-
BGP to advertise the label with the VPN routes to the SPE device.
– The SPE device manages and advertises VPN routes. It maintains all the
routes of the VPN sites connected through the UPE devices, including
routes of local and remote sites. However, the SPE does not advertise
routes of remote sites to the UPE devices. Instead, it advertises only
default routes of VPN instances with labels.
– The UPE and SPE devices use label forwarding. The SPE device uses only
one interface to connect to each UPE device and does not need to
provide many interfaces for access users. A UPE device can connect to
the SPE device through a physical interface, a sub-interface, or a tunnel
interface. If a tunnel interface is used, the UPE and SPE devices can
communicate across an IP or MPLS network. Labeled packets are
transmitted between the UPE and SPE devices through a tunnel. If a GRE
tunnel is used, GRE must support encapsulation of MPLS packets.


As an SPE device and a UPE device play different roles, requirements for
them are different:
▪ An SPE device has a large routing table, high forwarding
performance, but few interfaces.
▪ A UPE device has a small routing table, low forwarding performance,
and high access capabilities.
A PE device is an SPE device for a lower-layer PE device and is a UPE
device for an upper-layer PE device.
An HoPE can coexist with common PE devices on an MPLS network.
● SPE-UPE
If a UPE device and an SPE device belong to the same AS, MP-BGP running
between them is MP-IBGP. If they belong to different ASs, MP-BGP running
between them is MP-EBGP.
When MP-IBGP is used, an SPE device can function as an RR of multiple UPE
devices to advertise routes between the IBGP peers. To reduce the number of
routes on the UPE devices, do not use the SPE as an RR for other PE devices.
A UPE device can connect to multiple SPE devices. This networking is called
UPE multi-homing. In this networking, the SPE devices advertise the VRF
default routes to the UPE device. The UPE device selects one route as the
optimal route or selects multiple routes to perform load balancing. The UPE
device advertises all the VPN routes to the SPE devices or advertises some of
the VPN routes to each SPE to implement load balancing.
● Label operation in HoVPN
Figure 7-25 shows an example of label operation in HoVPN. In this example,
an LSP tunnel is set up between the SPE and PE devices.

Figure 7-25 Label operation in HoVPN


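[Figure 7-25 diagram: between the UPE and SPE devices, packets carry the data and one inner label; between the SPE and PE devices, packets carry the data, an inner label, and an outer-layer label; the SPE device swaps the inner label (inner label-1 and inner label-2) in both directions; packets between CE1 and the UPE device and between the PE device and CE2 carry only data.]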

– CE1 → CE2 (marked by the black line)


▪ After receiving a packet from CE1, the UPE device adds an inner label
to the packet and forwards the packet to the SPE device.

▪ After receiving the labeled packet, the SPE device swaps the inner
label, adds an outer LSP label to the packet, and sends the packet to
the PE device.

▪ After the packet arrives at the previous hop of the PE device, this hop
pops the outer LSP label. The process is called penultimate hop
popping.

▪ After the PE device receives the packet, it pops the inner label.
– CE2 → CE1 (marked by the blue line)

▪ After receiving a packet from CE2, the PE device adds an inner label
and an outer LSP label to the packet, and then forwards the packet
to the SPE device.

▪ After the packet arrives at the previous hop of the SPE device, this
hop pops the outer LSP label.

▪ The SPE device swaps the inner label for a new one and forwards the
packet to the UPE device.

▪ After the UPE device receives the packet, it pops the inner label.
● HoVPN embedding and extension
HoVPN supports HoPE embedding.
– An HoPE can function as a UPE device and compose a new HoPE with an
SPE device.
– An HoPE can function as an SPE device and compose a new HoPE with
multiple UPE devices.
– HoPEs can be embedded multiple times in the preceding two modes.
HoPE embedding can infinitely extend a VPN.

Figure 7-26 HoPE embedding


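[Figure 7-26 diagram: a three-layer hierarchy with the SPE device at the top, MPE and UPE devices below it, and CE devices with their sites at the bottom.]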


Figure 7-26 shows a three-layer HoPE, and the PE device in the middle is
called the middle-level PE (MPE) device. MP-BGP runs between the SPE and
MPE devices, and between the MPE and UPE devices.
NOTE

Actually, the MPE device does not exist in an HoVPN model. The concept is used just
for the convenience of description.
MP-BGP advertises all the VPN routes of the UPE devices to the SPE device,
but advertises only the default VPN routes of the SPE device to the UPE
devices.
The SPE device maintains the routes of all VPN sites connected to the PE
devices, whereas the UPE devices maintain only the VPN routes of the directly
connected VPN sites. The quantities of routes maintained by the SPE, MPE,
and UPE devices are in descending order.

Advantages of HoVPN
The HoVPN model has the following advantages:
● A BGP/MPLS IP VPN network can be divided into different hierarchies. If the
performance of UPE devices does not satisfy service requirements, an SPE
device can be added above UPE devices. When access capabilities of an SPE
device are insufficient, UPE devices can be added below the SPE device.
● Label forwarding is performed between UPE and SPE devices. Therefore, a
UPE device and an SPE device are interconnected through only a pair of
interfaces or sub-interfaces. This saves interface resources.
● If a UPE device and an SPE device are separated by an IP or MPLS network,
they can set up a GRE or LSP tunnel. A layered MPLS VPN has enhanced
scalability.
● The UPE devices maintain only the local VPN routes, and all the remote
routes are represented by a default or summarized route. This reduces loads
on the UPE devices.
● SPE and UPE devices use MP-BGP to exchange routes and advertise labels.
Each UPE device sets up only one MP-BGP peer, reducing the protocol cost
and configuration workload.

7.2.7 VPN FRR


Definition
As networks develop rapidly, the time used for end-to-end service convergence if a
fault occurs on a carrier's network has been used as an indicator to measure
bearer network performance. MPLS TE Fast Reroute (FRR) is one of the commonly
used fast switching technologies. The solution is to create an end-to-end TE tunnel
between two PEs and a backup LSP that protects a primary LSP. When either of
the PE devices detects that the primary LSP is unavailable because of a node or
link failure, the PE switches the traffic to the backup LSP.
MPLS TE FRR protects services in the case of a link or node failure between two PE
devices at both ends of a TE tunnel; however, MPLS TE FRR cannot protect services
in the case of a PE device failure. If a fault occurs on the ingress or egress, services
can only be restored through end-to-end route convergence and LSP convergence.


The service convergence time is closely related to the number of routes inside an
MPLS VPN and the number of LSP hops on the bearer network. The more VPN
routes, the longer the service convergence time, and the more traffic is lost.
VPN FRR preconfigures, on a remote PE device, forwarding entries that point to
the active and standby PE devices respectively. In collaboration with fast PE
fault detection, VPN FRR can reduce end-to-end service convergence time if a
fault occurs on an MPLS VPN where a CE device is dual-homed to two PE devices.
In VPN FRR, service convergence time depends only on the time required to detect
remote PE device faults and change tunnel status. VPN FRR makes the service
convergence time independent of the number of VPN routes on the bearer
network.

Implementation

Figure 7-27 Typical VPN FRR networking


[Figure 7-27 diagram: CE1 in one VPN site connects to PE1; CE2 in the other VPN site connects to PE2 and PE3; Link A and Link B cross the IP/MPLS backbone from PE1.]

As shown in Figure 7-27, normally, CE1 accesses CE2 over Link A. If PE2 is Down,
CE1 accesses CE2 over Link B.
● Based on the traditional BGP/MPLS VPN technology, both PE2 and PE3
advertise routes destined for CE2 to PE1, and assign VPN labels to these
routes. PE1 then selects a preferred VPNv4 route based on the routing policy.
In this example, the preferred route is the one advertised by PE2, and only the
routing information advertised by PE2, including the forwarding prefix, inner
label, and selected LSP, is filled in the forwarding entry of the forwarding
engine to guide packet forwarding.
● When PE2 fails, PE1 detects the fault of PE2 (the BGP peer relationship
becomes Down or the outer LSP is unavailable). Then PE1 selects the route
advertised by PE3 and updates the forwarding entry to complete end-to-end
convergence. Before PE1 delivers the forwarding entry matching the route
advertised by PE3, CE1 cannot communicate with CE2 for a certain period
because the destination of the outer LSP, PE2, is Down. As a result, end-to-
end services are interrupted.
● VPN FRR is an improvement on the traditional reliability technology. VPN FRR
enables PE1 to add the optimal route advertised by PE2 and the secondary
optimal route advertised by PE3 to a forwarding entry. The optimal route is
used for traffic forwarding, and the secondary optimal route is used as a
backup route.
● If a fault occurs on PE2, the MPLS LSP between PE1 and PE2 becomes
unavailable. After detecting the fault, PE1 marks the corresponding entry in
the LSP status table as unavailable, and delivers the setting to the forwarding
table. After selecting a forwarding entry, the forwarding engine examines the
status of the LSP corresponding to the forwarding entry. If the LSP is
unavailable, the forwarding engine uses the second-best route carried in the
forwarding entry to forward packets. After being tagged with the inner labels
assigned by PE3, packets are transmitted to PE3 over the LSP between PE1
and PE3 and then forwarded to CE2. In this manner, fast end-to-end service
convergence is implemented and traffic from CE1 to CE2 is restored.

VPN FRR performs fast switching based on inner labels. Outer tunnels can be LDP
LSPs or RSVP TE tunnels. When the forwarding engine detects that the outer
tunnel is unavailable, it triggers fast switching based on inner labels.
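
The forwarding behaviour described above can be modelled in a few lines. This is an added example, not Huawei's implementation: the class names, label values and prefixes are constructed. It contrasts traditional convergence, where PE1 rewrites one forwarding entry per VPN route after PE2 fails, with VPN FRR, where a single LSP status change moves every entry to its pre-installed backup.

```python
"""Toy model of PE1's forwarding engine, with and without VPN FRR.

All class names, label values and prefixes are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class NextHop:
    pe: str           # remote PE that advertised the VPNv4 route
    inner_label: int  # VPN label assigned by that PE
    lsp: str          # outer tunnel from PE1 to that PE


@dataclass(frozen=True)
class ForwardingEntry:
    prefix: str
    primary: NextHop
    backup: Optional[NextHop] = None  # None models a traditional entry


class ForwardingEngine:
    def __init__(self) -> None:
        self.lsp_up: Dict[str, bool] = {}          # LSP status table
        self.fib: Dict[str, ForwardingEntry] = {}  # forwarding table
        self.fib_writes = 0                        # entries delivered so far

    def install(self, entry: ForwardingEntry) -> None:
        self.fib[entry.prefix] = entry
        self.fib_writes += 1

    def set_lsp_status(self, lsp: str, up: bool) -> None:
        self.lsp_up[lsp] = up

    def forward(self, prefix: str) -> Optional[NextHop]:
        """Return the next hop chosen for a packet, or None if it is dropped."""
        entry = self.fib.get(prefix)
        if entry is None:
            return None
        # Check the LSP of the optimal route first, then the LSP of the backup.
        for hop in (entry.primary, entry.backup):
            if hop is not None and self.lsp_up.get(hop.lsp, False):
                return hop
        return None


def prefix_for(i: int) -> str:
    return f"10.{i // 256}.{i % 256}.0/24"


def route_via(pe: str, i: int) -> NextHop:
    base = {"PE2": 2000, "PE3": 3000}[pe]  # constructed label ranges
    return NextHop(pe, base + i, f"lsp-to-{pe}")


def build_pe1(n_routes: int, frr: bool) -> ForwardingEngine:
    engine = ForwardingEngine()
    for lsp in ("lsp-to-PE2", "lsp-to-PE3"):
        engine.set_lsp_status(lsp, True)
    for i in range(n_routes):
        backup = route_via("PE3", i) if frr else None
        engine.install(ForwardingEntry(prefix_for(i), route_via("PE2", i), backup))
    return engine


def reconverge(engine: ForwardingEngine, failed_pe: str, n_routes: int) -> int:
    """Traditional convergence: reselect PE3's route and rewrite each entry."""
    before = engine.fib_writes
    for i in range(n_routes):
        entry = engine.fib[prefix_for(i)]
        if entry.primary.pe == failed_pe:
            engine.install(ForwardingEntry(entry.prefix, route_via("PE3", i)))
    return engine.fib_writes - before


def pe2_failure(n_routes: int, frr: bool) -> Dict[str, int]:
    engine = build_pe1(n_routes, frr)
    prefixes = [prefix_for(i) for i in range(n_routes)]
    engine.set_lsp_status("lsp-to-PE2", False)  # fault detected: one status write
    dropped = sum(engine.forward(p) is None for p in prefixes)
    rewrites = 0 if frr else reconverge(engine, "PE2", n_routes)
    restored = sum(engine.forward(p) is not None for p in prefixes)
    return {"dropped_until_rewrite": dropped, "fib_rewrites": rewrites,
            "forwarding_after": restored}


if __name__ == "__main__":
    for frr in (False, True):
        print("VPN FRR" if frr else "traditional", pe2_failure(1000, frr))
```

In the traditional case the number of rewrites grows with the number of VPN routes; with VPN FRR it stays at zero regardless of table size.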

7.2.8 VPN GR
NOTE

The AR3260 can function as both the GR restarter and GR helper, and other devices can
only function as the GR helper.

Definition
VPN GR is an application of GR technology on a VPN. VPN GR ensures
uninterrupted VPN traffic forwarding when an active/standby switchover is
performed on a device transmitting VPN services. The purposes of VPN GR are as
follows:

● Reduce the impact of route flapping on the entire network during the
switchover.
● Reduce the impact on important VPN services.
● Reduce single-point failures on PE or CE devices to improve VPN network
reliability.

Prerequisites for VPN GR


The device where an active/standby switchover occurs and its connected devices
must have GR capabilities. They must retain forwarding information of all VPN
routes for a period to ensure uninterrupted VPN traffic forwarding. That is, the
devices must support IGP GR, BGP GR, and LDP GR. If TE tunnels are deployed on
the backbone network, the devices must support RSVP GR.

Implementation
On a common BGP/MPLS VPN network, active/standby switchovers may occur on
any PE, CE, or P device.

● Active/standby switchover on a PE device


The GR process on a PE device is the same as that on the GR restarter in IGP
GR, BGP GR, or LDP GR.
When a CE device connected to the PE device detects the restart of the PE
device, the CE device acts the same as the GR helper in IGP GR or BGP GR and
retains all IPv4 routes for a period.

When the P device connected to the PE device detects the restart of the PE
device, the P device acts the same as the GR helper in IGP GR, BGP GR, or
LDP GR and retains all public IPv4 routes for a period.
When other PE devices (including those functioning as ASBRs) and the RR
reflecting VPNv4 routes detect the restart of the PE device, they act the same
as the GR helper in BGP GR, and retain all the public IPv4 routes and VPNv4
routes for a period.
● Active/standby switchover on a P device
The GR process on a P device is the same as that on the GR restarter in IGP
GR, BGP GR, or LDP GR.
When a P or PE device connected to this P device detects the restart, the P or
PE device acts the same as the GR helper in IGP GR, BGP GR, or LDP GR and
retains all the public IPv4 routes for a period.
● Active/standby switchover on a CE device
The GR process on a CE device is the same as that on the GR restarter in IGP
GR or BGP GR.
When the PE device connected to the CE device detects the restart of the CE
device, the PE device acts the same as the GR helper in IGP GR or BGP GR and
retains all the private IPv4 routes for a period.
For details about IGP GR and BGP GR, see "GR" in the Huawei AR Series Access
Routers Configuration Guide - IP Routing.
For details about LDP GR and RSVP GR, see "GR" in the Huawei AR Series Access
Routers Configuration Guide - MPLS.

7.2.9 VPN NSR


The BGP/MPLS IP VPN supports Non-stop Routing (NSR), which ensures
uninterrupted VPN operation during an active/standby switchover. For details
about NSR, see "NSR" in the Huawei AR Series Access Routers Configuration
Guide - Reliability.
NSR backs up the following data to ensure uninterrupted BGP/MPLS IP VPN
operation:
● VPN forwarding table
● Labels

7.2.10 VPN Tunnel Policy


Introduction to VPN Tunnels
VPN data is transmitted over tunnels, including LSP tunnels, GRE tunnels, and
Traffic Engineering (TE) tunnels. TE tunnels are constraint-based routed label
switched path (CR-LSP) tunnels.
● GRE tunnel
If PE devices support MPLS functions but P devices on the backbone network
provide only IP functions, LSPs cannot serve as tunnels. In this situation, GRE
tunnels can be used as the tunnels of the VPN backbone network.
For details about GRE, see 3 GRE Configuration in the Huawei AR Series
Access Routers Configuration Guide - VPN.

● LSP
An LSP forwards packets through label switching and is often used in BGP/
MPLS IP VPN. If LSPs are used as public network tunnels, only PE devices need
to analyze IP packet headers, and other devices that VPN packets pass do not
need to analyze IP packet headers. This reduces VPN packet processing time
and packet transmission delay. In addition, MPLS labels are supported by all
link layers. An LSP is similar to an ATM virtual circuit (VC) or FR VC in
functions and security. If all the devices on the backbone network support
MPLS, it is recommended that LSP tunnels or MPLS TE tunnels be used as
public network tunnels.
For details about LSPs, see MPLS LDP Configuration in the Huawei AR Series
Access Routers Configuration Guide - MPLS.
● MPLS TE tunnel
As a combination of MPLS and TE technologies, MPLS TE can balance
network traffic by setting up LSPs along specified nodes and steering traffic
away from congested nodes. LSPs in MPLS TE are called MPLS TE tunnels,
which are also widely used in BGP/MPLS IP VPN.
Besides the advantages of LSPs, MPLS TE tunnels can handle network
congestion. Using MPLS TE tunnels, SPs can fully utilize existing network
resources to provide diversified services. MPLS TE tunnels also allow SPs to
optimize and manage network resources.
Usually, carriers are required to provide VPN users with end-to-end QoS for
various services, such as voice, video, key-data services, and Internet access.
MPLS TE tunnels can offer users QoS guarantees.
Using MPLS TE tunnels, carriers can also provide the required QoS-guaranteed
services for different VPN users based on policies.
For details about MPLS TE, see MPLS TE Configuration in the Huawei AR
Series Access Routers Configuration Guide - MPLS.

Tunnel Policy
VPN services are transmitted over tunnels. By default, LSPs are preferred in VPN
service transmission, and only one LSP serves one VPN service.
When VPN services need to be transmitted over a specified TE tunnel or when
load balancing needs to be performed among multiple tunnels to fully use
network resources, tunnel policies need to be applied to VPNs. Tunnel policies are
classified into two types, which cannot be configured simultaneously:
● Tunnel type prioritization policy: specifies the sequence in which each type of
tunnel is selected and the number of tunnels participating in load balancing.
Tunnels defined in a tunnel type prioritization policy are selected in sequence:
The tunnels of the type specified first are selected as long as the tunnels are
in Up state, regardless of whether they are in use. The tunnels of the type
specified later are not selected unless load balancing is required or the
tunnels of the type specified first are all Down.
For example, a tunnel policy defines the following rules: Both CR-LSPs and
LSPs can be used, CR-LSPs take priority over LSPs, and the number of tunnels
participating in load balancing is 3. Tunnels are selected as follows:
– CR-LSPs in Up state are preferred. If three or more CR-LSPs are in Up
state, the first three CR-LSPs are selected.

– If there are fewer than three CR-LSPs in Up state, LSPs are selected. For
example, if only one CR-LSP is in Up state, two LSP tunnels can be
selected. If only one LSP or none is in Up state, the existing tunnels in Up
state are used. If more than two LSPs are in Up state, only the first two
LSPs are selected.
NOTE

If a TE tunnel is reserved for tunnel binding, the TE tunnel cannot be selected.


The tunnel type prioritization policy cannot specify the desired tunnels to use
when multiple tunnels of the same type are available.
● Tunnel binding policy: specifies TE tunnels for carrying services of a VPN. You
can specify multiple TE tunnels to the same destination for load balancing.
You can also determine whether to use other tunnels to prevent traffic
interruption when the specified tunnels are all unavailable. The rules for
tunnel selection are as follows:
– Specified TE tunnels in Up state are selected to perform load balancing.
– If all the specified TE tunnels are unavailable, no other tunnel is selected
by default. If you enable a PE device to select other tunnels in this
situation, the PE device selects an available tunnel in the order of LSP
and CR-LSP.
A tunnel binding policy can specify accurate TE tunnels over which VPN
services are transmitted. TE tunnels have high reliability and guaranteed
bandwidth, so tunnel binding policies can be used for VPN services requiring
QoS guarantee. As shown in Figure 7-28, two MPLS TE tunnels, Tunnel1 and
Tunnel2, are set up between PE1 and PE3.

Figure 7-28 Networking diagram of VPN tunnel binding
[Figure: PE1 and PE3 face each other across the IP/MPLS backbone. CE1 (Site1) and CE3 (Site3) belong to VPNA; CE2 (Site2) and CE4 (Site4) belong to VPNB. TE Tunnel1 carries VPNA and TE Tunnel2 carries VPNB.]

If you bind VPN A to Tunnel1 and VPN B to Tunnel2, VPN A and VPN B use
different TE tunnels. Tunnel1 serves only VPN A, and Tunnel2 serves only VPN
B. In this manner, services of VPN A and VPN B are isolated from each other
and also from other services. The bandwidth for VPN A and VPN B is ensured.
This facilitates subsequent QoS deployment.
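
The selection rules of both policy types can be written out as code. This is an added example, not the device's implementation: the tunnel names other than Tunnel1 and Tunnel2, their states, and the function names are constructed, and GRE tunnels are left out. The fallback branch assumes that TE tunnels reserved for another binding stay unavailable, which the text above states only for the tunnel type prioritization policy.

```python
"""Model of the two tunnel policy types described above.

Tunnel names and states are constructed; GRE tunnels are left out.
"""
from dataclasses import dataclass, replace
from typing import Iterable, List, Sequence


@dataclass(frozen=True)
class Tunnel:
    name: str
    kind: str                           # "cr-lsp" (TE tunnel) or "lsp"
    up: bool = True
    reserved_for_binding: bool = False  # TE tunnel set aside for tunnel binding


def select_by_type_priority(tunnels: Sequence[Tunnel], type_order: Sequence[str],
                            load_balance_number: int) -> List[str]:
    """Tunnel type prioritization: fill N slots type by type, in listed order."""
    chosen: List[str] = []
    for kind in type_order:
        for t in tunnels:
            if len(chosen) >= load_balance_number:
                return chosen
            if t.kind == kind and t.up and not t.reserved_for_binding:
                chosen.append(t.name)
    return chosen


def select_by_binding(tunnels: Sequence[Tunnel], bound: Sequence[str],
                      allow_fallback: bool = False) -> List[str]:
    """Tunnel binding: load-balance over the named TE tunnels that are Up."""
    usable = [t.name for t in tunnels
              if t.name in bound and t.kind == "cr-lsp" and t.up]
    if usable or not allow_fallback:
        return usable  # default: no other tunnel is selected
    # Fallback enabled: one available tunnel, LSP first, then CR-LSP.
    # Assumption: TE tunnels reserved for another binding stay off limits.
    for kind in ("lsp", "cr-lsp"):
        for t in tunnels:
            if (t.kind == kind and t.up and t.name not in bound
                    and not t.reserved_for_binding):
                return [t.name]
    return []


def with_down(tunnels: Sequence[Tunnel], down: Iterable[str]) -> List[Tunnel]:
    """Copy of the tunnel list with the named tunnels marked Down."""
    names = set(down)
    return [replace(t, up=t.name not in names) for t in tunnels]


# Constructed tunnels from PE1 to PE3 (Tunnel1 and Tunnel2 as in Figure 7-28).
PE1_TO_PE3 = [
    Tunnel("Tunnel1", "cr-lsp", reserved_for_binding=True),  # bound to VPN A
    Tunnel("Tunnel2", "cr-lsp", reserved_for_binding=True),  # bound to VPN B
    Tunnel("Tunnel3", "cr-lsp"),
    Tunnel("Tunnel4", "cr-lsp"),
    Tunnel("Tunnel5", "cr-lsp"),
    Tunnel("LSP-a", "lsp"),
    Tunnel("LSP-b", "lsp"),
    Tunnel("LSP-c", "lsp"),
]
ORDER = ("cr-lsp", "lsp")  # CR-LSPs take priority over LSPs

if __name__ == "__main__":
    print(select_by_type_priority(PE1_TO_PE3, ORDER, 3))
    print(select_by_type_priority(with_down(PE1_TO_PE3, {"Tunnel4", "Tunnel5"}), ORDER, 3))
    tunnel1_down = with_down(PE1_TO_PE3, {"Tunnel1"})
    print(select_by_binding(tunnel1_down, ["Tunnel1"]))
    print(select_by_binding(tunnel1_down, ["Tunnel1"], allow_fallback=True))
```

With the default binding behaviour, VPN A traffic is dropped when Tunnel1 is Down rather than moved onto a shared tunnel; enabling the fallback trades that isolation for continuity.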

Tunnel Selector
In HoVPN or inter-AS VPN Option B, SPE devices or ASBRs accept VPNv4 routes
from all the UPE or PE devices. Currently, PE devices iterate LSP tunnels for VPNv4
routes. Sometimes, TE tunnels need to be iterated for VPNv4 routes to provide
guaranteed bandwidth; the PE devices cannot provide this function by default.
In inter-AS VPN Option C, PE devices select LSP tunnels for BGP-IPv4 labeled
routes. To provide guaranteed bandwidth, TE tunnels need to be iterated for
VPNv4 routes, which cannot be implemented on the PE devices by default.
Tunnel selector addresses this issue.
The tunnel selector can filter VPNv4 routes or BGP-IPv4 labeled routes and apply a
tunnel policy to the routes that pass the filtering criteria. In this way, expected
tunnels can be selected based on the tunnel policy.

7.3 Application Scenarios for BGP/MPLS IP VPN


This section describes the application scenarios for BGP/MPLS IP VPN.

7.3.1 BGP/MPLS IP VPN Application


Service Overview
Figure 7-29 shows a typical networking diagram for a carrier. Site1 and Site2
represent two networks in different cities. The two networks may be networks for
two branches of a company, or networks for municipal governments of the two
cities. During communication between Site1 and Site2, data security must be
ensured. The two networks must be separated from other networks and packets
exchanged between the two networks must be transparently transmitted over the
carrier's backbone network. BGP/MPLS VPN technology can meet such service
requirements. VPN labels assigned using MP-BGP enable packets to enter the
correct VPN site and MPLS enables packets to be transparently transmitted over
tunnels on the carrier's backbone network.

Figure 7-29 BGP/MPLS IP VPN application
[Figure: CE1 (VPN 1, Site1) and CE2 (VPN 1, Site2) connect through the IP/MPLS backbone, which contains PE1, PE2, PE3, PE4, P1, P2, RR1 and RR2.]

Networking Description
For Site1 and Site2 to communicate, PE and P devices on the carrier's backbone
network must transmit routes and packets between the two networks. CE devices
can be dual-homed to PE devices to ensure high
network availability. Generally, a carrier deploys route reflectors (RRs) on the
backbone network to reflect VPNv4 and VPNv6 routes.

Feature Deployment
In BGP/MPLS IP VPN networking, the following configurations must be performed:
● Configure static routes between CE devices and PE devices or configure RIP,
OSPF, IS-IS, or BGP on CEs and PEs for them to exchange routing information.
● Configure MP-BGP peer relationships between all PE devices and RR1 and
between all PE devices and RR2. Configure all PE devices as the clients of RR1
and RR2 and configure RR1 and RR2 to back up each other. These
configurations ensure network reliability.
● Configure MPLS and an IGP on PE and P devices and establish MPLS tunnels
for traffic forwarding.
● Adjust IGP costs of links to:
– Ensure that the two links between CE1 and CE2 work in active/standby
mode. If one link fails, traffic is switched to the other link for
transmission.
– Adjust the costs of links between RRs and the backbone network. Ensure
that RRs are used only for route reflection, not for traffic forwarding.
● Configure VPN FRR for services that have high requirements on real-time
transmission to enhance network reliability.

7.3.2 Hub and Spoke Networking Application

Service Overview
Financial enterprises such as banks can use the Hub&Spoke networking mode to
ensure financial data security. Hub&Spoke networking allows branches to
exchange data only through the headquarters. In this manner, data transmission
between branches is under effective supervision.

In Hub&Spoke networking, the site where the access control device of the
headquarters is located is called a Hub site; other sites where branches are located
are called Spoke sites. At the Hub site, a device that connects to the VPN
backbone network is called a Hub-CE device. At a Spoke site, a device that
connects to the VPN backbone network is called a Spoke-CE device. On the VPN
backbone network, a device that connects to the Hub site is called a Hub-PE
device, and a device that connects to a Spoke site is called a Spoke-PE device.

A Spoke site advertises routes to the Hub site. The Hub site then advertises the
routes to other Spoke sites. Spoke sites do not advertise routes to each other. The
Hub site controls communication between all the Spoke sites.

Networking Description
In Hub and Spoke networking, the following solutions can be used:
● EBGP running between the Hub-CE and Hub-PE devices, and between Spoke-
PE and Spoke-CE devices
● IGP running between the Hub-CE and Hub-PE devices, and between Spoke-PE
and Spoke-CE devices
● EBGP running between the Hub-CE and Hub-PE devices, and IGP running
between Spoke-PE and Spoke-CE devices
The following describes these networking solutions in detail:
● EBGP running between the Hub-CE and Hub-PE devices, and between Spoke-
PE and Spoke-CE devices
As shown in Figure 7-30, a route advertised by a Spoke-CE device is
forwarded to the Hub-CE and Hub-PE device before being transmitted to
other Spoke-PE devices. If EBGP runs between the Hub-PE and the Hub-CE
device, the Hub-PE device performs an AS-Loop check on the route. When the
Hub-PE device detects its own AS number in the route, it discards the route.
To implement Hub and Spoke networking, the Hub-PE device must be
configured to allow repeated AS numbers.

Figure 7-30 EBGP running between the Hub-CE and Hub-PE devices, and
between Spoke-PE and Spoke-CE devices
[Figure: Spoke-CE1 (AS65401) and Spoke-CE2 (AS65402) peer with Spoke-PE1 and Spoke-PE2 over EBGP; the Spoke-PEs peer with the Hub-PE over IBGP across the IP/MPLS backbone (AS100); the Hub-PE (VPN_in, VPN_out) peers with the Hub-CE (AS65403) over EBGP.]

● IGP running between the Hub-CE and Hub-PE devices, and between Spoke-PE
and Spoke-CE devices
As shown in Figure 7-31, all PE and CE devices exchange routes using an IGP,
and IGP routes do not contain the AS_Path attribute. Therefore, the AS_Path
field of BGP VPNv4 routes is empty.

Figure 7-31 IGP running between the Hub-CE and Hub-PE devices, and
between Spoke-PE and Spoke-CE devices
[Figure: Spoke-CE1 (AS65401) and Spoke-CE2 (AS65402) run OSPF 100 (vpn1) with Spoke-PE1 and Spoke-PE2; the Spoke-PEs peer with the Hub-PE over IBGP across the IP/MPLS backbone (AS100); the Hub-PE (vpn_in, vpn_out) runs OSPF 100 and OSPF 200 with the Hub-CE (AS65403).]

● EBGP running between the Hub-CE and Hub-PE devices, and IGP running
between Spoke-PE and Spoke-CE devices
As shown in Figure 7-32, the network topology is similar to that shown in
Figure 7-30. The AS_Path attribute of the routes forwarded by the Hub-CE
device to the Hub-PE device contains the AS number of the Hub-PE device.
Therefore, the Hub-PE device must be configured to allow repeated AS
numbers.

Figure 7-32 EBGP running between the Hub-CE and Hub-PE devices, and IGP
running between Spoke-PE and Spoke-CE devices
[Figure: Spoke-CE1 (AS65401) and Spoke-CE2 (AS65402) run OSPF 100 (vpn1) with Spoke-PE1 and Spoke-PE2; the Spoke-PEs peer with the Hub-PE over IBGP across the IP/MPLS backbone (AS100); the Hub-PE (vpn_in, vpn_out) peers with the Hub-CE (AS65403) over EBGP.]
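
The AS-Loop check in the EBGP Hub and Spoke solution can be traced hop by hop. This is an added example, not device code: the function names are constructed, the AS numbers are those labelled in Figure 7-30, and the model applies the check only to routes received over EBGP, which is where the text above places it.

```python
"""Trace a Spoke-CE1 route through the EBGP Hub and Spoke design of Figure 7-30."""
from typing import List, Sequence, Tuple

BACKBONE_AS = 100      # Hub-PE, Spoke-PE1 and Spoke-PE2
SPOKE_CE1_AS = 65401
SPOKE_CE2_AS = 65402
HUB_CE_AS = 65403

Step = Tuple[str, List[int], bool]  # (receiver, AS_Path as received, accepted)


def ebgp_advertise(as_path: Sequence[int], sender_as: int) -> List[int]:
    """An EBGP speaker prepends its own AS number when advertising a route."""
    return [sender_as, *as_path]


def passes_as_loop_check(as_path: Sequence[int], local_as: int,
                         allowed_repeats: int = 0) -> bool:
    """Accept the route only if local_as occurs at most allowed_repeats times."""
    return list(as_path).count(local_as) <= allowed_repeats


def trace_spoke_route(hub_pe_allowed_repeats: int = 0) -> List[Step]:
    """Follow one route from Spoke-CE1 towards Spoke-CE2.

    IBGP hops (Spoke-PE1 to Hub-PE, Hub-PE to Spoke-PE2) leave the AS_Path
    unchanged, so only the EBGP hops are listed.
    """
    # (receiver, receiver AS, advertising AS, repetitions the receiver allows)
    ebgp_hops = [
        ("Spoke-PE1", BACKBONE_AS, SPOKE_CE1_AS, 0),
        ("Hub-CE", HUB_CE_AS, BACKBONE_AS, 0),       # advertised by the Hub-PE
        ("Hub-PE", BACKBONE_AS, HUB_CE_AS, hub_pe_allowed_repeats),
        ("Spoke-CE2", SPOKE_CE2_AS, BACKBONE_AS, 0), # advertised by Spoke-PE2
    ]
    steps: List[Step] = []
    path: List[int] = []  # the route originates at Spoke-CE1
    for receiver, local_as, sender_as, allowed in ebgp_hops:
        path = ebgp_advertise(path, sender_as)
        accepted = passes_as_loop_check(path, local_as, allowed)
        steps.append((receiver, list(path), accepted))
        if not accepted:
            break  # a discarded route is not advertised any further
    return steps


def reaches_spoke_ce2(hub_pe_allowed_repeats: int) -> bool:
    steps = trace_spoke_route(hub_pe_allowed_repeats)
    return steps[-1][0] == "Spoke-CE2" and steps[-1][2]


if __name__ == "__main__":
    for allowed in (0, 1):
        print(f"Hub-PE allows {allowed} repetition(s) of AS{BACKBONE_AS}:")
        for receiver, as_path, accepted in trace_spoke_route(allowed):
            print(f"  {receiver:<10} {as_path} {'accept' if accepted else 'discard'}")
```

Each additional allowed repetition also lets through a path in which the local AS number repeats because of a real routing loop, so the value should be no higher than the topology requires.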

7.3.3 Interconnection Between VPNs and the Internet


Generally, users within a VPN can only communicate with other users in the same
VPN. They cannot communicate with users on the Internet or connect to the
Internet. However, VPN sites may need to access the Internet. To implement
interconnection between a VPN and the Internet, the following conditions must be
met:

● The devices in the VPN that need to access the Internet have reachable routes
to the Internet.
● Routes are available from the Internet to the devices in the VPN.
● Similar to interconnection between non-VPN users and the Internet, security
mechanisms such as firewalls must be used.

Interconnection between a VPN and the Internet can be implemented in the
following ways:

● Interconnection implemented on a PE device: PE devices of the backbone
network identify data streams destined for the VPN and those destined for
the Internet, and then forward the data to the Internet and the VPN
respectively. PE devices provide the firewall function between the VPN and the
Internet.
● Interconnection implemented on an Internet gateway: Internet gateways
are carrier devices connected to the Internet. They must support VPN route
management. For example, a PE device that has no VPN user attached can
function as an Internet gateway.
● Interconnection implemented on a CE device: CE devices of the private
network identify data streams destined for the VPN and those destined for
the Internet, and then direct the data to two areas. One area connects to the
VPN through a PE device, and the other area connects to the Internet through
an ISP router that does not belong to the VPN. The CE devices provide the
firewall function.

Interconnection Implemented on a PE Device


Generally, default static routes are used.

● The PE device sends a default route destined for the Internet to the CE device.
● The PE device adds a default route destined for the Internet gateway to the
VPN routing table.
● To ensure that the Internet has a route to the VPN, the PE device must have a
static route to the CE in the public routing table and advertise this route to
the Internet. The static route is manually added to the public routing table of
the PE device. In the static route, the destination address is the address of the
VPN user, and the outbound interface is the PE interface that connects to the
CE device. The PE uses an IGP to advertise the route to the Internet.

Figure 7-33 Interconnection implemented on a PE Device
[Figure: the CE at the VPN site connects to the PE on the IP/MPLS backbone; an Internet gateway connects the backbone to the Internet.]

Interconnection Implemented on an Internet Gateway


An instance is configured for each VPN on the Internet gateway. Each VPN uses
one interface to access the Internet, and the interface is bound to the VPN
instance.

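Figure 7-34 Interconnection implemented on an Internet gateway
[Figure: the CE at the VPN site connects to the PE on the IP/MPLS backbone; an Internet gateway holding a VPN instance (VPN-instance) connects the backbone to the Internet.]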

Interconnection Implemented on a CE Device


Interconnection between a VPN and the Internet can be implemented on a CE
device in the following ways:
● The CE device directly connects to the Internet, as shown in Figure 7-35.
A direct connection with the Internet can be achieved in the following modes:
– One of the sites (for example, the central site) connects to the Internet.
The CE device in the central site has a default route to the Internet, which
is advertised to other sites through the backbone network. Firewalls are
deployed only in the central site. In this mode, all traffic to the
Internet passes through the VPN backbone network except the traffic of
the central site. A typical application of this mode is connections between
the Internet and Hub sites in Hub and Spoke networking.
– Each site connects to the Internet. Each CE device has a default route to
the Internet and is configured with firewall functions. No traffic to
the Internet passes through the VPN backbone network.

Figure 7-35 A CE device directly connects to the Internet
[Figure: the CE at the VPN site connects to the PE on the IP/MPLS backbone and also directly to the Internet.]

● A single CE interface or sub-interface connects to a PE device. The PE device
injects routes of the CE device into the public routing table and advertises the
routes to the Internet. Then the PE device advertises the default route or the
Internet routes to the CE device. The interface that connects to the PE device
does not belong to any VPN and is not associated with any VPN instance.
That is, the interface can act as a VPN user and a non-VPN user to connect to
the PE device, as shown in Figure 7-36.
It is recommended that a tunnel be set up between the VPN backbone device
connected to the Internet and the PE device connected to the CE device.
Internet routes are transmitted through the tunnel, and P devices do not
accept the Internet routes.

Figure 7-36 A single CE interface connects to a PE device
[Figure labels: Internet, IP/MPLS Backbone, PE, CE, VPN site, VPN-instance.]

Comparison Between the Three Solutions


Interconnection implemented on a PE device can save interface resources and
allow different VPNs to share one public IP address. However, the configuration on
the PE device is complex, and security cannot be guaranteed. Denial of Service
(DoS) attacks from the Internet may occur on the PE device. When this occurs, the
link between the PE and CE devices is occupied by a large amount of attack traffic,
and cannot transmit valid VPN packets.

Interconnection implemented on an Internet gateway provides higher security
than that on a PE device. An Internet gateway, however, must be configured with
multiple VPN instances, which may overburden the gateway. In addition, an
Internet gateway has multiple interfaces connected to the Internet, and each
interface has a public network IP address. Each VPN uses an interface on the
gateway and one public network IP address.
Interconnection implemented on a CE device is simple to deploy. This solution has
high security and reliability because public routes are separated from VPN routes.
However, this solution consumes interface resources and each VPN needs a public
network address.

Table 7-1 Comparison between three solutions

| Solution | Security | Used Interface | Used Public IP Address | Easiness of Deployment |
|---|---|---|---|---|
| Interconnection implemented on a PE device | Low | The PE device reserves only one interface for both VPN access and Internet access. This solution saves interface resources. | Multiple VPNs on the PE device share a public IP address. | Difficult |
| Interconnection implemented on an Internet gateway | High | The Internet gateway must reserve an interface for each VPN to access the Internet. This solution consumes interface resources of the gateway. | Each VPN uses a public IP address. | Difficult |
| Interconnection implemented on a CE | High | The CE device must reserve an interface for each VPN to access the Internet. This solution consumes interface resources of the CE. | Each VPN uses a public IP address. | Easy |

7.4 Summary of BGP/MPLS IP VPN Configuration Tasks


After basic BGP/MPLS IP VPN configurations are complete, a simple VPN network
can be established using MPLS technology. To deploy special BGP/MPLS IP VPN
networking, perform other configuration tasks according to the reference sections
provided in the following table.
Table 7-2 lists the BGP/MPLS IP VPN configuration tasks.

Table 7-2 BGP/MPLS IP VPN configuration tasks

| Scenario | Description | Task |
|---|---|---|
| Configure basic BGP/MPLS IP VPN functions | This configuration establishes a simple BGP/MPLS IP L3VPN network with basic functions. | 7.7.1 Configuring Basic BGP/MPLS IP VPN Functions |
| Configure BGP/MPLS IP VPN in various networking modes | You adjust the basic BGP/MPLS IP L3VPN configurations in different networking modes to implement flexible communication and isolation between VPNs: ● Intranet VPN and extranet VPN networking: The configurations are the same as the configurations in basic BGP/MPLS IP VPN networking except for the VPN target setting. ● Hub and Spoke networking: configure the Hub and Spoke. | 7.7.1 Configuring Basic BGP/MPLS IP VPN Functions; 7.7.2 Configuring Hub and Spoke |
| Configure inter-AS VPN | Configure inter-AS VPN if the backbone network spans multiple ASs. Three inter-AS VPN solutions are available, applicable to different scenarios: ● Inter-AS VPN Option A: Use this solution when only a few VPNs are configured on the PE devices. The ASBRs must support VPN instances. ● Inter-AS VPN Option B: Use this solution when many VPNs are configured on the PE devices, and the ASBRs do not have enough interfaces to reserve an interface for each inter-AS VPN. The ASBRs must be able to maintain and advertise VPN-IPv4 routes. ● Inter-AS VPN Option C: Use this solution when a large number of VPN routes need to be exchanged between ASs. This solution mitigates the loads on ASBRs so that they will not become the bottleneck on the network. | 7.7.3 Configuring Inter-AS VPN Option A; 7.7.4 Configuring Inter-AS VPN Option B; 7.7.5 Configuring Inter-AS VPN Option C (Solution 1); 7.7.6 Configuring Inter-AS VPN Option C (Solution 2) |
| Configure an MCE device | An MCE device can connect to multiple VPNs. The MCE solution isolates services of different VPNs while reducing cost of CE devices. | 7.7.7 Configuring an MCE Device |
| Configure HoVPN | HoVPN can reduce loads on PE devices. In HoVPN networking, aggregation and access devices function as user-end provider edge (UPE) devices and work with the superstratum provider edge (SPE) devices on the backbone to provide PE functions. | 7.7.8 Configuring HoVPN |
| Configure OSPF sham links | To ensure that VPN traffic is forwarded over the backbone network but not through backdoor routes, configure OSPF sham links between PE devices. Then routes on the MPLS VPN backbone network change into intra-area OSPF routes and can be preferred in VPN traffic forwarding. | 7.7.10 Configuring an OSPF Sham Link |
| Configure BGP/MPLS IP VPN reliability | To improve VPN network reliability, you can deploy a VPN networking with full-mesh connections on the backbone network, nested PE devices on the MPLS network, and CE dual-homing (or multi-homing) on the access layer. In this networking, a BGP route reflector (RR) can be configured to reduce the number of MP-IBGP connections. This configuration mitigates loads on the network devices and facilitates device maintenance and management. The following technologies can also be used to improve VPN network reliability: ● IP fast reroute (IP FRR) for VPN routes: enables traffic to be quickly switched to another PE-CE link when the primary route is unreachable. This technology reduces the IP service interruption time. ● VPN fast reroute (VPN FRR): enables traffic to be quickly switched to another PE-PE link when the primary link between them fails. This technology implements end-to-end fast convergence of VPN services. ● VPN graceful restart (VPN GR): ensures uninterrupted VPN traffic forwarding during an active/standby switchover on a PE, P, or CE device. This technology minimizes the impact of PE or CE failures on VPN services. The AR3260 can function as both the GR restarter and GR helper, and other devices can only function as the GR helper. | 7.7.11 Configuring Route Reflection to Optimize the VPN Backbone Layer; 7.7.12 Configuring IP FRR for VPN Routes; 7.7.13 Configuring VPN FRR; 7.7.14 Configuring VPN GR |
| Configure VPN tunnel policies | When VPN services need to be transmitted over a specified traffic engineering (TE) tunnel or when load balancing needs to be performed among multiple tunnels to fully use network resources, configure VPN tunnel policies. | 7.7.15 Configuring Tunnel Policies |
| Connect VPNs to the Internet | If users in a VPN need to connect to the Internet, configure interconnection between the VPN and the Internet. | 7.7.16 Connecting a VPN to the Internet |

7.5 Licensing Requirements and Limitations for BGP/MPLS IP VPN

Involved Network Elements
None

License Requirements
BGP/MPLS IP VPN is a basic feature of the device and is not under license control.

Feature Limitations
When configuring BGP/MPLS IP VPN on the router, pay attention to the following
points:
The AR100&AR120&AR150&AR160&AR200 series do not support BGP/MPLS IP
VPN and support only MCE.

7.6 Default Settings for BGP/MPLS IP VPN


This section describes the default settings for BGP/MPLS IP VPN.
Table 7-3 lists the default settings for BGP/MPLS IP VPN.

Table 7-3 Default settings for BGP/MPLS IP VPN

Parameter: BGP/MPLS IP VPN feature
Default Setting: Disabled

Parameter: Alarm function for BGP/MPLS IP VPN events
Default Setting: Disabled

Parameter: Number of local AS number repetitions allowed (applicable to Hub and Spoke networking)
Default Setting: 0

Parameter: Label allocation mode on PE devices
Default Setting: Label per route

Parameter: Label allocation mode on ASBRs (inter-AS VPN)
Default Setting: Label per route

7.7 Configuring BGP/MPLS IP VPN


This section describes the procedures for configuring BGP/MPLS IP VPN functions.

7.7.1 Configuring Basic BGP/MPLS IP VPN Functions


Basic BGP/MPLS VPN applies to the scenario in which there is only one carrier, the
MPLS backbone network belongs to the same AS, and PEs, Ps, and CEs are not
multi-role hosts. After basic BGP/MPLS VPN is configured, different sites in a VPN
can communicate with each other.

7.7.1.1 Configuration Tasks

Table 7-4 Basic BGP/MPLS IP VPN configuration tasks

Configuration Task: Configure the MPLS VPN backbone network.
Sub-task: Confirm requirements of VPN users.
Configuration:
1. Determine number of devices and interfaces based on the network scale, including:
● Number of users
● Number of VPNs for each user
● Number of VPN instances for each VPN
2. Routing protocol used on the backbone network
NOTE
When RIP-1 runs on the backbone network, you need to enable LDP to search for routes to establish LSPs based on the longest match rule. For details, see Configuring LDP Extensions for Inter-Area LSPs.

Configuration Task: Configure the MPLS VPN backbone network.
Sub-task: Configure routing between backbone devices.
Configuration: Configure an Interior Gateway Protocol (IGP) on the PE and P devices of the MPLS backbone network to achieve IP connectivity on the backbone network. For detailed configuration, see the Huawei AR Series Access Routers Configuration Guide - IP Routing.

Configuration Task: Configure the MPLS VPN backbone network.
Sub-task: Enable MPLS on backbone devices.
Configuration: Enable MPLS and configure a Label Distribution Protocol (LDP) to set up public network tunnels. The LDP can be MPLS LDP or Resource Reservation Protocol-Traffic Engineering (RSVP-TE).
● For detailed configuration, see the MPLS LDP Configuration in the Huawei AR Series Access Routers Configuration Guide - MPLS.
● For detailed configuration, see the RSVP-TE Configuration in the Huawei AR Series Access Routers Configuration Guide - MPLS.
You also need to configure VPN tunnel policies when VPN services need to be transmitted over TE tunnels or when multiple tunnels need to perform load balancing to fully use network resources. For detailed configuration, see 7.7.15 Configuring Tunnel Policies.

Configuration Task: Configure the MPLS VPN backbone network.
Sub-task: Configure MP-IBGP between PE devices.
Configuration: See 7.7.1.2 Establishing MP-IBGP Peer Relationships Between PE Devices.

Configuration Task: Connect MPLS VPN users.
Sub-task: Configure VPN instances on PE devices.
Configuration: See 7.7.1.3 Configuring a VPN Instance on a PE Device.

Configuration Task: Connect MPLS VPN users.
Sub-task: Bind VPN instances to interfaces.
Configuration: See 7.7.1.4 Binding a VPN Instance to an Interface.

Configuration Task: Connect MPLS VPN users.
Sub-task: Configure route exchange between PE and CE devices.
Configuration: See 7.7.1.5 Configuring Route Exchange Between PE and CE Devices.

7.7.1.2 Establishing MP-IBGP Peer Relationships Between PE Devices

Context
Perform the following steps on the PE devices.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run bgp { as-number-plain | as-number-dot }
The BGP view is displayed.
Step 3 Run peer ipv4-address as-number as-number
The peer PE is configured as a BGP peer.
Step 4 Run peer ipv4-address connect-interface loopback interface-number
An interface is used to set up a Transmission Control Protocol (TCP) connection
with the BGP peer.

NOTE

A PE must use a loopback interface address with a 32-bit mask to set up an MP-IBGP peer
relationship with the peer PE so that VPN routes can be iterated to tunnels. The route to
the local loopback interface is advertised to the peer PE using an IGP on the MPLS
backbone network.

Step 5 Run ipv4-family vpnv4 [ unicast ]
The BGP-VPNv4 address family view is displayed.
Step 6 Run peer ipv4-address enable
The ability to exchange VPN IPv4 routes with the BGP peer is enabled.

----End

Related Tasks
When a large number of PE devices on the backbone network need to establish
MP-IBGP peer relationships to exchange VPN routes, configure a route reflector
(RR) to reduce the number of MP-IBGP connections between PE devices. The PE
devices only need to establish MP-IBGP peer relationships with the RR. For
detailed configuration, see 7.7.11 Configuring Route Reflection to Optimize the
VPN Backbone Layer.

7.7.1.3 Configuring a VPN Instance on a PE Device

Context
In BGP/MPLS IP VPN application, each VPN has an instance to maintain
forwarding information of the local VPN. Such an instance is called a VPN instance
or VPN routing and forwarding table (VRF).
VPN instances isolate VPN routes from routes on the public network and isolate
the routes of different VPN instances. VPN instances must be configured in all
types of BGP/MPLS IP VPN networking.
Perform the following steps on each PE device.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ip vpn-instance vpn-instance-name
A VPN instance is created, and its view is displayed.

NOTE

A VPN instance name is case sensitive. For example, "vpn1" and "VPN1" are different VPN
instances.

Step 3 (Optional) Run description description-information
The description is configured for the VPN instance.
Step 4 (Optional) Run service-id service-id
A service ID is created for the VPN instance.
A service ID is unique on a device. It distinguishes a VPN service from other VPN
services on the network.
Step 5 Run ipv4-family
The IPv4 address family is enabled for the VPN instance, and the VPN instance
IPv4 address family view is displayed.
VPN instances support both the IPv4 and IPv6 address families. Configurations in a
VPN instance can be performed only after an address family is enabled for the
VPN instance based on the advertised route and forwarding data type.
Step 6 Run route-distinguisher route-distinguisher
An RD is configured for the VPN instance IPv4 address family.
A VPN instance IPv4 address family takes effect only after being configured with
an RD. The RDs of different VPN instances on a PE must be different.

NOTE

● An RD can be modified or deleted only after the VPN instance is deleted or the VPN
instance IPv4 address family is disabled.
● If you configure an RD for the VPN instance IPv4 address family in the created VPN
instance view, the VPN instance IPv4 address family is enabled and the VPN instance
IPv4 address family view is displayed.

Step 7 Run vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]
A VPN target is configured for the VPN instance IPv4 address family.
A VPN target is a BGP extended community attribute. It is used to control the
receiving and advertisement of VPN routing information. A maximum of eight
VPN targets can be configured using a vpn-target command.
Step 8 (Optional) Restrict the number of routes in a VRF.
The configuration restricts the number of routes or route prefixes imported from
the attached CE devices and peer PE devices into a VPN instance on a PE device. It
is recommended that you use only one of the following commands.
By default, the number of routes in a VRF is not limited as long as the total
number of routes does not exceed the maximum number of unicast routes
supported by the PE device.
● To set the maximum number of routes in the VPN instance IPv4 address
family, run routing-table limit number { alert-percent | simply-alert }.
NOTE

The routing-table limit command enables the system to display a message when the
number of routes added to the routing table of the VPN instance IPv4 address family
exceeds the limit. If you run the routing-table limit command to increase the
maximum number of routes in the VPN instance IPv4 address family or run the undo
routing-table limit command to cancel the limit, the system adds newly received
routes of various protocols to the private network IP routing table.
● To set the maximum number of route prefixes in the VPN instance IPv4
address family, run prefix limit number { alert-percent [ route-unchanged ] |
simply-alert }.
NOTE

If the prefix limit command is run, the system gives a prompt when the number of
route prefixes added to the routing table of the VPN instance IPv4 address family
exceeds the limit. After the prefix limit command is run to increase the allowed
maximum number of route prefixes in a VPN instance IPv4 address family or the undo
prefix limit command is run to cancel the limit, the system adds newly received route
prefixes of various protocols to the private network IP routing table.
After the number of route prefixes exceeds the maximum limit, direct and static routes
can still be added to the IPv4 address family routing table of VPN instances.

Step 9 (Optional) Run limit-log-interval interval

The interval for logging the event that the number of routes exceeds the threshold
is set for the VPN instance IPv4 address family.

If the routes or prefixes in the IPv4 address family of a VPN instance reach the
maximum, the system will generate logs at intervals (defaulting to 5 seconds). To
prevent logs from being displayed frequently, run this step to prolong the interval
of log generation.

Step 10 (Optional) Configure a routing policy for the VPN instance.

In addition to using VPN targets to control VPN route advertisement and
reception, you can configure a routing policy for the VPN instance to better
control VPN routes.
● An import routing policy filters routes before they are imported into the VPN
instance IPv4 address family.
● An export routing policy filters routes before they are advertised to other PE
devices.

NOTE

Before applying a routing policy to a VPN instance, create the routing policy. For details
about how to configure a routing policy, see Routing Policy Configuration in the Huawei AR
Series Access Routers Configuration Guide - IP Routing.

Run the following command as required:
● To configure an import routing policy for the VPN instance IPv4 address
family, run import route-policy policy-name.
● To configure an export routing policy for the VPN instance IPv4 address
family, run export route-policy policy-name.

Step 11 (Optional) Run one of the following commands to configure the label allocation
mode in the VPN instance IPv4 address family.
● Run apply-label per-instance
MPLS label allocation based on the VPN instance IPv4 address family (known
as label per instance) is configured. One label is assigned to all the routes of
the VPN instance IPv4 address family.
When a large number of VPN routes on the PE exhaust MPLS label resources,
the label per instance mode saves label resources on the PE and lowers the
requirement for the PE capacity.
● Run apply-label per-route
MPLS label allocation based on each route (known as label per route) is
configured. The VPN instance address family assigns a unique label to each
route to be sent to the peer PE.
When only a small number of VPN routes exist on the PE and MPLS label
resources are sufficient, the label per route mode improves system security. In
this way, downstream devices can load balance VPN traffic based on the inner
labels of packets.
By default, the VPN instance IPv4 address family assigns the same label to all
routes to be sent to the peer PE.

----End

7.7.1.4 Binding a VPN Instance to an Interface

Prerequisites
A VPN instance has been created and the IPv4 address family has been enabled
for the VPN instance.

Context
● After configuring a VPN instance on a PE device, bind the VPN instance to the
interface that belongs to the VPN. Otherwise, the interface functions as a
public network interface and cannot forward VPN data.
● An interface becomes a private network interface after a VPN instance is
bound to it. You must configure an IP address for the interface so that the PE
device can exchange routing information with its attached CE device.
● After a VPN instance is bound to an interface, configuration of the Layer 3
features (IPv4 and IPv6 features) including IP addresses and routing protocols
is deleted from the interface.
● When you disable an address family (IPv4 or IPv6 address family) in a VPN
instance, configuration of the address family is deleted from the interface. No
interface is bound to a VPN instance if no address family configuration exists
in the VPN instance.
Perform the following steps on the PE devices.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run ip binding vpn-instance vpn-instance-name
A VPN instance is bound to the interface.
By default, an interface is a public network interface and is not associated with
any VPN instance.

Step 4 Run ip address ip-address { mask | mask-length }

An IP address is configured for the interface.

----End
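
The rules stated in 7.7.1.3 and 7.7.1.4 (an RD is required and must be unique on a PE, instance names are case sensitive, binding an interface deletes its Layer 3 configuration, and VPN targets decide which instances exchange routes) can be checked before a change is applied. The following Python lint is an added example, not Huawei tooling; the sample script, instance names, RD and VPN target values are constructed, and it assumes that a vpn-target line without a keyword applies in both directions.

```python
import re

# Constructed sample: commands an operator plans to paste into a PE (not from the guide).
SAMPLE = """\
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 both
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 100:1
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 111:1 import-extcommunity
ip vpn-instance vpnc
 ipv4-family
  vpn-target 333:3 both
interface GigabitEthernet1/0/0
 ip address 10.1.1.2 24
 ip binding vpn-instance vpna
interface GigabitEthernet2/0/0
 ip binding vpn-instance VPNB
 ip address 10.2.1.2 24
"""

DIRECTIONS = {"both", "export-extcommunity", "import-extcommunity"}


def parse(config):
    """Split the script into VPN instance stanzas and interface stanzas."""
    instances, interfaces, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        words = line.split()
        if not raw[0].isspace():  # an unindented line opens a new stanza
            if words[:2] == ["ip", "vpn-instance"] and len(words) == 3:
                current = instances.setdefault(
                    words[2], {"rd": None, "import": set(), "export": set()})
            elif words[0] == "interface" and len(words) >= 2:
                current = interfaces.setdefault(" ".join(words[1:]), [])
            else:
                current = None
        elif isinstance(current, list):
            current.append(line)  # keep interface commands in their order
        elif isinstance(current, dict):
            if words[0] == "route-distinguisher" and len(words) == 2:
                current["rd"] = words[1]
            elif words[0] == "vpn-target":
                # Assumption: with no keyword the targets apply in both directions.
                direction = words[-1] if words[-1] in DIRECTIONS else "both"
                targets = {w for w in words[1:] if w not in DIRECTIONS}
                if direction in ("both", "import-extcommunity"):
                    current["import"] |= targets
                if direction in ("both", "export-extcommunity"):
                    current["export"] |= targets
    return instances, interfaces


def cross_imports(instances):
    """List (importer, exporter, shared targets) for pairs of different instances."""
    pairs = []
    for importer, a in instances.items():
        for exporter, b in instances.items():
            shared = sorted(a["import"] & b["export"])
            if importer != exporter and shared:
                pairs.append((importer, exporter, shared))
    return sorted(pairs)


def audit(config):
    """Return sorted (check, subject) findings for the rules in 7.7.1.3 and 7.7.1.4."""
    instances, interfaces = parse(config)
    findings, by_rd = set(), {}
    for name, inst in instances.items():
        if inst["rd"] is None:
            findings.add(("missing-rd", name))  # address family does not take effect
        else:
            by_rd.setdefault(inst["rd"], []).append(name)
    for rd, names in by_rd.items():
        if len(names) > 1:
            findings.add(("duplicate-rd", rd + " " + ",".join(sorted(names))))
    for ifname, commands in interfaces.items():
        bound_at = None
        for index, command in enumerate(commands):
            match = re.fullmatch(r"ip binding vpn-instance (\S+)", command)
            if match:
                bound_at = index
                if match.group(1) not in instances:  # names are case sensitive
                    findings.add(("undefined-instance", ifname + " " + match.group(1)))
        if bound_at is not None and any(
                c.startswith("ip address ") for c in commands[:bound_at]):
            findings.add(("address-before-binding", ifname))  # binding deletes it
    for importer, exporter, shared in cross_imports(instances):
        findings.add(("cross-vpn-import", f"{importer}<-{exporter} {','.join(shared)}"))
    return sorted(findings)


if __name__ == "__main__":
    for check, subject in audit(SAMPLE):
        print(f"{check}: {subject}")
```

A cross-vpn-import finding is not an error by itself; it lists every pair of instances whose VPN targets let routes cross, so each pair can be confirmed as intended.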

7.7.1.5 Configuring Route Exchange Between PE and CE Devices

Context
In BGP/MPLS IP VPN, a routing protocol or static routes must be configured
between a PE and a CE to allow them to communicate and allow the CE to obtain
routes to other CEs. The routing protocol can be EBGP (External/Exterior BGP),
IBGP (Internal/Interior BGP), RIP (Routing Information Protocol), OSPF (Open
Shortest Path First), or IS-IS (Intermediate System to Intermediate System).
Choose one of the following configurations as needed:
● Configure EBGP between a PE and a CE
● Configure IBGP between a PE and a CE
● Configure static routes between a PE and a CE
● Configure RIP between a PE and a CE
● Configure OSPF between a PE and a CE
● Configure IS-IS between a PE and a CE

The routing protocol configurations on the CE and PE are different:
● The CE is located at the client side. It is unaware that a VPN exists.
Therefore, you do not need to configure VPN parameters when configuring a
routing protocol on the CE device.
● The PE device is located at the edge of the carrier's network. It connects to a
CE device and exchanges VPN routing information with other PE devices. If
the CE devices that access a PE device belong to different VPNs, the PE must
maintain different VRF tables. When configuring a routing protocol on the PE
device, specify the name of the VPN instance to which the routing protocol
applies and configure the routing protocol and MP-BGP to import routes from
each other.

Configure EBGP Between a PE and a CE


Perform the following configuration on the PE device.

Table 7-5 PE configuration

Action: Enter the system view.
Command: system-view
Description: -

Action: Enter the BGP view.
Command: bgp { as-number-plain | as-number-dot }
Description: -

Action: Enter the BGP-VPN instance IPv4 address family view.
Command: ipv4-family vpn-instance vpn-instance-name
Description: -

Action: (Optional) Configure a unique AS number for the VPN instance IPv4 address family.
Command: as-number as-number
Description: A VPN instance uses the AS number of BGP by default. To smoothly re-assign a device to another AS or transmit different services in different instances, run this command to configure a different AS number for each VPN instance IPv4 address family.
NOTE
The AS number configured in the BGP-VPN instance IPv4 address family view must be different from the AS number configured in the BGP view.

Action: Configure a CE device as a VPN peer.
Command: peer ipv4-address as-number as-number
Description: -

Action: Set the maximum number of hops of an EBGP connection.
Command: peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]
Description: Generally, EBGP peers are connected by a direct physical link. If no direct physical link is available, this command must be used to allow EBGP peers to establish a multi-hop TCP connection.
The default value of hop-count is 255. If the maximum number of hops is set to 1, the PE cannot establish an EBGP connection with a peer if they are not directly connected.

Action: (Optional) Import direct routes destined for the local CE device into the routing table of the IPv4 VPN instance.
Command: Use either of the following commands:
● import-route direct [ med med | route-policy route-policy-name ] *
● network ipv4-address [ mask | mask-length ] [ route-policy route-policy-name ]
Description: The PE device needs to import the routes destined for the local CE device into its VPN routing table so that it can advertise the routes to the remote PE device.
NOTE
The PE device can automatically learn the direct routes destined for the local CE device. The learned routes take precedence over the direct routes advertised from the local CE device using EBGP. If this step is not performed, the PE does not use MP-BGP to advertise the direct routes destined for the local CE device to the remote PE device.

Action: (Optional) Configure the Site-of-Origin (SoO) attribute for a CE device.
Command: peer { group-name | ipv4-address } soo site-of-origin
Description: Several CE devices at a VPN site may establish BGP connections with different PE devices. The VPN routes advertised from the CE devices to the PE devices may be re-advertised to the same VPN site after the routes traverse the backbone network. This may cause route loops at the VPN site.
If the SoO attribute is configured for a specified CE device, the PE device adds the attribute to a route sent from the CE device and advertises the route to the remote PE. The remote PE device checks the SoO attribute of the route before sending it to its attached CE device. If the SoO attribute is the same as the local SoO attribute on the remote PE device, the remote PE device does not send the route to its attached CE device.

Action: (Optional) Enable BGP AS number substitution.
Command: peer ipv4-address substitute-as
Description: BGP uses AS numbers to detect routing loops. Sites located at different geographical locations must be assigned different AS numbers to ensure correct transmission of routing information. If CE devices scattered at different geographical locations use the same AS number, configure BGP AS number substitution on the PE devices.
NOTICE
Enabling BGP AS number substitution may cause route loops in a CE multi-homing network.

Action: (Optional) Prohibit BGP private routes from being delivered to the private IP routing table.
Command: routing-table rib-only [ route-policy route-policy-name ]
Description: If the BGP routing table has large numbers of VPN routes, these routes will consume large numbers of memory resources after being delivered to the IP VPN routing table. If these routes are not used in traffic forwarding, you can run the routing-table rib-only command to prevent these routes from being added to the IP VPN routing table. If some of these routes are not used in traffic forwarding, you can run the routing-table rib-only route-policy command to prevent this part of routes from being added to the IP VPN routing table.
NOTICE
If traffic is interrupted after the routing-table rib-only command is run, you can configure a static route or default route to guide traffic forwarding.
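
The interaction between the SoO attribute and BGP AS number substitution described in Table 7-5 is easier to see when one route is followed from a CE, across the backbone, to a second CE. The following Python model is an added example, not Huawei code; it reduces BGP to the AS_Path and SoO checks only, and the AS numbers, prefix and SoO values are constructed.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

PE_AS = 100        # constructed backbone AS
SITE_AS = 65001    # constructed AS number reused by every customer site


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]
    soo: Optional[str] = None   # Site-of-Origin attribute, if any


def pe_learn_from_ce(route, peer_soo):
    """Ingress PE: add the SoO configured for that CE peer to the route."""
    return replace(route, soo=peer_soo) if peer_soo else route


def pe_advertise_to_ce(route, ce_as, substitute_as, peer_soo):
    """Egress PE: return the route as sent to the CE, or None if it is withheld."""
    if peer_soo is not None and route.soo == peer_soo:
        return None                      # same site: do not send the route back
    path = route.as_path
    if substitute_as:                    # replace the CE's AS with the PE's AS
        path = tuple(PE_AS if asn == ce_as else asn for asn in path)
    return replace(route, as_path=(PE_AS,) + path)   # EBGP prepends the local AS


def ce_accepts(route, ce_as):
    """CE-side BGP loop detection: reject a path that already contains its own AS."""
    return ce_as not in route.as_path


def deliver(origin_soo, egress_soo, substitute_as):
    """Carry one CE route across the backbone and report what happens at the far CE."""
    route = Route("10.1.0.0/16", (SITE_AS,))
    route = pe_learn_from_ce(route, origin_soo)                  # ingress PE <- CE
    sent = pe_advertise_to_ce(route, SITE_AS, substitute_as, egress_soo)
    if sent is None:
        return "withheld-by-soo"
    return "accepted" if ce_accepts(sent, SITE_AS) else "rejected-as-loop"


# (description, SoO on ingress PE, SoO on egress PE, substitute-as enabled)
SCENARIOS = [
    ("dual-homed site, no substitution, no SoO", None, None, False),
    ("dual-homed site, substitution, no SoO", None, None, True),
    ("dual-homed site, substitution, same SoO", "65001:1", "65001:1", True),
    ("two sites, same AS, no substitution", "65001:1", "65001:2", False),
    ("two sites, same AS, substitution", "65001:1", "65001:2", True),
]


def run():
    """Return {description: outcome} for every scenario."""
    return {name: deliver(o, e, s) for name, o, e, s in SCENARIOS}


if __name__ == "__main__":
    for name, outcome in run().items():
        print(f"{name}: {outcome}")
```

The second scenario is the case the NOTICE warns about: with substitution enabled and no SoO, the CE accepts a route that originated in its own site. The third shows the same route withheld once both PE devices carry the same SoO for that site.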

Perform the following configurations on the CE device.

Table 7-6 CE configuration

Action: Enter the system view.
Command: system-view
Description: -

Action: Enter the BGP view.
Command: bgp { as-number-plain | as-number-dot }
Description: -

Action: Configure the PE device as a VPN peer.
Command: peer ipv4-address as-number as-number
Description: -

Action: Set the maximum number of hops of an EBGP connection.
Command: peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]
Description: Generally, EBGP peers are connected by a direct physical link. If no direct physical link is available, this command must be used to allow EBGP peers to establish a multi-hop TCP connection.
The default value of hop-count is 255. If the maximum number of hops is set to 1, the PE cannot establish an EBGP connection with a peer if they are not directly connected.

Action: Import routes of the local sites.
Command: import-route protocol [ process-id ] [ med med | route-policy route-policy-name ] *
Description: The CE device advertises the routes of its own VPN network segment to the connected PE device. The PE device forwards the routes to the remote CE device. The type of routes imported at this step may vary according to the networking mode.

Configure IBGP Between a PE and a CE


Perform the following configuration on the PE device.

Table 7-7 PE configuration

Action: Enter the system view.
Command: system-view
Description: -

Action: Enter the BGP view.
Command: bgp { as-number-plain | as-number-dot }
Description: -

Action: Enter the BGP-VPN instance IPv4 address family view.
Command: ipv4-family vpn-instance vpn-instance-name
Description: -

Action: (Optional) Configure a unique AS number for the VPN instance IPv4 address family.
Command: as-number as-number
Description: A VPN instance uses the AS number of BGP by default. To smoothly re-assign a device to another AS or transmit different services in different instances, run this command to configure a different AS number for each VPN instance IPv4 address family.
NOTE
The AS number configured in the BGP-VPN instance IPv4 address family view must be different from the AS number configured in the BGP view.

Action: Configure a CE device as a VPN peer.
Command: peer ipv4-address as-number as-number
Description: -

Action: (Optional) Import direct routes destined for the local CE device into the routing table of the IPv4 VPN instance.
Command: Use either of the following commands:
● import-route direct [ med med | route-policy route-policy-name ] *
● network ipv4-address [ mask | mask-length ] [ route-policy route-policy-name ]
Description: The PE device needs to import the routes destined for the local CE device into its VPN routing table so that it can advertise the routes to the remote PE device.
NOTE
The PE device can automatically learn the direct routes destined for the local CE device. The learned routes take precedence over the direct routes advertised from the local CE device using IBGP. If this step is not performed, the PE does not use MP-BGP to advertise the direct routes destined for the local CE device to the remote PE device.

Action: (Optional) Prohibit BGP private routes from being delivered to the private IP routing table.
Command: routing-table rib-only [ route-policy route-policy-name ]
Description: If the BGP routing table has large numbers of VPN routes, these routes will consume large numbers of memory resources after being delivered to the IP VPN routing table. If these routes are not used in traffic forwarding, you can run the routing-table rib-only command to prevent these routes from being added to the IP VPN routing table. If some of these routes are not used in traffic forwarding, you can run the routing-table rib-only route-policy command to prevent this part of routes from being added to the IP VPN routing table.
NOTICE
If traffic is interrupted after the routing-table rib-only command is run, you can configure a static route or default route to guide traffic forwarding.

Perform the following configurations on the CE device.

Table 7-8 CE configuration

Action: Enter the system view.
Command: system-view
Description: -

Action: Enter the BGP view.
Command: bgp { as-number-plain | as-number-dot }
Description: -

Action: Configure the PE device as a VPN peer.
Command: peer ipv4-address as-number as-number
Description: -

Action: Import routes of the local sites.
Command: import-route protocol [ process-id ] [ med med | route-policy route-policy-name ] *
Description: The CE device advertises the routes of its own VPN network segment to the connected PE device. The PE device forwards the routes to the remote CE device. The type of routes imported at this step may vary according to the networking mode.

When many CE devices connect to a PE device, the PE device can function as an
RR and the CE devices function as clients. This reduces the number of IBGP
connections between CE devices and facilitates route maintenance and
management.

Configure Static Routes Between a PE and a CE


Perform the following configuration on the PE device. The procedure for
configuring static routes on the CE device is not provided here. For details about
how to configure a static route, see Static Route Configuration in the Huawei AR
Series Access Routers Configuration Guide - IP Routing.

Table 7-9 PE configuration

Action: Enter the system view.
Command: system-view
Description: -

Action: Configure a static route for a VPN instance.
Command: ip route-static vpn-instance vpn-source-name destination-address { mask | mask-length } interface-type interface-number [ nexthop-address ] [ preference preference | tag tag ] *
Description: -

Action: Enter the BGP view.
Command: bgp { as-number-plain | as-number-dot }
Description: -

Action: Enter the BGP-VPN instance IPv4 address family view.
Command: ipv4-family vpn-instance vpn-instance-name
Description: -

Action: Import the configured static route to the routing table of the BGP-VPN instance IPv4 address family.
Command: import-route static [ med med | route-policy route-policy-name ] *
Description: After this command is run in the BGP-VPN instance IPv4 address family view, the PE will import the VPN routes learned from the attached CE into the BGP routing table and advertise VPNv4 routes to the remote PE.

Configure RIP Between a PE and a CE


Perform the following configuration on the PE device. Configure RIPv1 or RIPv2 on
the CE, and the CE configuration details are not provided here. For details on how
to configure RIP, see RIP Configuration in the Huawei AR Series Access Routers
Configuration Guide - IP Routing.

NOTICE

Deleting a VPN instance or disabling a VPN instance IPv4 address family will
delete all the RIP processes bound to the VPN instance or the VPN instance IPv4
address family on the PE device.

Table 7-10 PE configuration

Action: Enter the system view.
Command: system-view
Description: -

Action: Create a RIP process running between the PE and CE devices and enter the RIP view.
Command: rip process-id vpn-instance vpn-instance-name
Description: A RIP process can be bound to only one VPN instance. If a RIP process is not bound to any VPN instance before it is started, this process becomes a public network process and can no longer be bound to a VPN instance.

Action: Enable RIP on the network segment of the interface to which the VPN instance is bound.
Command: network network-address
Description: -

Action: Import BGP routes to the RIP routing table.
Command: import-route bgp [ cost { cost | transparent } | route-policy route-policy-name ] *
Description: After this command is executed in the RIP view, the PE device can import the VPNv4 routes learned from the remote PE device into the RIP routing table and advertise them to the attached CE device.

Action: Return to system view.
Command: quit
Description: -

Action: Enter the BGP view.
Command: bgp { as-number-plain | as-number-dot }
Description: -

Action: Enter the BGP-VPN instance IPv4 address family view.
Command: ipv4-family vpn-instance vpn-instance-name
Description: -

Action: Import RIP routes into the routing table of the BGP-VPN instance IPv4 address family.
Command: import-route rip process-id [ med med | route-policy route-policy-name ] *
Description: After this command is run in the BGP-VPN instance IPv4 address family view, the PE will import the VPN routes learned from the attached CE into the BGP routing table and advertise VPNv4 routes to the remote PE.

Configure OSPF Between a PE and a CE


Configure OSPF on the CE, and the CE configuration details are not provided here.
Perform the following configuration on the PE device. For details on how to
configure OSPF, see OSPF Configuration in the Huawei AR Series Access Routers
Configuration Guide - IP Routing.

NOTICE

Deleting a VPN instance or disabling a VPN instance IPv4 address family will
delete all the OSPF processes bound to the VPN instance or the VPN instance IPv4
address family on the PE device.

Table 7-11 PE configuration

Action: Enter the system view.
Command: system-view
Description: -

Action: Create an OSPF process running between the PE and CE device and enter the OSPF view.
Command: ospf process-id [ router-id router-id ] vpn-instance vpn-instance-name
Description: An OSPF process can be bound to only one VPN instance. If an OSPF process is not bound to any VPN instance before it is started, this process becomes a public network process and can no longer be bound to a VPN instance.
A router ID needs to be specified when an OSPF process is started after it is bound to a VPN instance. The router ID must be different from the public network router ID configured in the system view. If the router ID is not specified, OSPF selects the IP address of one of the interfaces bound to the VPN instance as the router ID based on a certain rule.

Action: (Optional) Configure a domain ID for the OSPF process.
Command: domain-id domain-id [ secondary ]
Description: The domain ID of an OSPF process is contained in the routes generated by the process. When OSPF routes are imported into BGP, the domain ID is added to the BGP VPN routes and forwarded as the BGP extended community attribute.
There are no restrictions on the domain IDs of the OSPF processes of different VPNs on a PE device. The OSPF processes of the same VPN must be configured with the same domain ID to ensure proper route advertisement.
The default domain ID is 0.

Action: (Optional) Configure a VPN route tag.
Command: route-tag tag
Description: The VPN route tag prevents loops of Type-5 LSAs in CE dual-homing networking.
By default, the VPN route tag is calculated using the BGP AS number. If BGP is not configured, the VPN route tag is 0.

Action: Import BGP routes to the OSPF routing table.
Command: import-route bgp [ permit-ibgp ] [ cost cost | route-policy route-policy-name | tag tag | type type ] *
Description: After this command is executed in the OSPF view, the PE can import the VPNv4 routes learned from the remote PE into the OSPF routing table and advertise them to the attached CE.

Action: Enter the OSPF area view.
Command: area area-id
Description: -

Action: Enable OSPF on the network segment of the interface to which the VPN instance is bound.
Command: network ip-address wildcard-mask
Description: -

Action: Return to the OSPF view.
Command: quit
Description: -

Action: Return to system view.
Command: quit
Description: -

Action: Enter the BGP view.
Command: bgp { as-number-plain | as-number-dot }
Description: -

Action: Enter the BGP-VPN instance IPv4 address family view.
Command: ipv4-family vpn-instance vpn-instance-name
Description: -

Action Command Description

Import import-route ospf process-id After this command is run in


OSPF [ med med | route-policy route- the BGP-VPN instance IPv4
routes policy-name ] * address family view, the PE
into the will import the VPN routes
routing learned from the attached CE
table of into the BGP routing table
the BGP- and advertise VPNv4 routes
VPN to the remote PE.
instance
IPv4
address
family.

Configure IS-IS Between a PE and a CE


Configure IS-IS on the CE, and the CE configuration details are not provided here.
Perform the following configuration on the PE device. For details on how to
configure IS-IS, see "IPv4 IS-IS Configuration" in the Huawei AR Series Access
Routers Configuration Guide - IP Routing.

NOTICE

Deleting a VPN instance or disabling a VPN instance IPv4 address family will
delete all the IS-IS processes bound to the VPN instance or the VPN instance IPv4
address family on the PE device.

Table 7-12 PE configuration


| Action | Command | Description |
|---|---|---|
| Enter the system view. | system-view | - |
| Create an IS-IS process running between the PE and CE devices and enter the IS-IS view. | isis process-id vpn-instance vpn-instance-name | An IS-IS process can be bound to only one VPN instance. If an IS-IS process is not bound to any VPN instance before it is started, this process becomes a public network process and can no longer be bound to a VPN instance. |
| Set a network entity title (NET) for the IS-IS process. | network-entity net | A NET specifies the current IS-IS area address and the system ID of the router. An IS-IS process on one router can be configured with a maximum of three NETs. |
| (Optional) Set the level of the PE device. | is-level { level-1 \| level-1-2 \| level-2 } | By default, the IS-IS level of the router is Level-1-2. |
| Import BGP routes to the IS-IS routing table. | ● import-route bgp [ cost-type { external \| internal } \| cost cost \| tag tag \| route-policy route-policy-name \| [ level-1 \| level-2 \| level-1-2 ] ] * ● import-route bgp inherit-cost [ { level-1 \| level-2 \| level-1-2 } \| tag tag \| route-policy route-policy-name ] * | If the IS-IS level is not specified in the command, BGP routes will be imported into the Level-2 IS-IS routing table. After this command is executed in the ISIS view, the PE can import the VPNv4 routes learned from the remote PE into the IS-IS routing table and advertise them to the attached CE. |
| Return to system view. | quit | - |
| Enter the view of the interface to which the VPN instance is bound. | interface interface-type interface-number | - |
| Enable IS-IS on the interface. | isis enable [ process-id ] | - |
| Return to system view. | quit | - |
| Enter the BGP view. | bgp { as-number-plain \| as-number-dot } | - |
| Enter the BGP-VPN instance IPv4 address family view. | ipv4-family vpn-instance vpn-instance-name | - |
| Import IS-IS routes into the routing table of the BGP-VPN instance IPv4 address family. | import-route isis process-id [ med med \| route-policy route-policy-name ] * | After this command is run in the BGP-VPN instance IPv4 address family view, the PE will import the VPN routes learned from the attached CE into the BGP routing table and advertise VPNv4 routes to the remote PE. |

7.7.1.6 Verifying the Configuration of Basic BGP/MPLS IP VPN Functions

Prerequisites
All configurations for a basic BGP/MPLS IP VPN are complete.

Procedure
● Run the following commands on the PE to check information about the
created VPN instance IPv4 address family, including the RD and other
attributes.
– Run the display ip vpn-instance vpn-instance-name command to check
brief information about a specified VPN instance.
– Run the display ip vpn-instance verbose vpn-instance-name command
to check detailed information about a specified VPN instance.
– Run the display ip vpn-instance import-vt ivt-value command to check
information about the VPN instances with the specified import VPN
target.
– Run the display ip vpn-instance [ vpn-instance-name ] interface
command to view information about the interface bound to a specified
VPN instance.
● Run the following commands on the PE and CE to check information about
the IPv4 VPN routes to the local and remote sites.
– Run the display ip routing-table vpn-instance vpn-instance-name
command on the PE to check the routing information of a specified VPN
instance IPv4 address family.

– Run the display ip routing-table command on the CE to check routing
information.
----End

7.7.2 Configuring Hub and Spoke


In Hub and Spoke networking, a central site is deployed and all the other sites
communicate through the central site. The central site controls communication
between sites.

Pre-configuration Tasks
Before configuring Hub and Spoke, complete the following tasks:
● Configuring IGP on PE devices and P devices in the MPLS backbone network
NOTE

When RIP-1 runs on the backbone network, you need to enable LDP to search for
routes to establish LSPs based on the longest match rule. For details, see Configuring
LDP Extensions for Inter-Area LSPs.
● Configuring basic MPLS capabilities and MPLS LDP (or RSVP-TE) on PE devices
and P devices in the MPLS backbone network
● Configuring the IP addresses, through which the CE devices access the PE
devices, on the CE devices
NOTE

You also need to configure VPN tunnel policies when VPN services need to be transmitted
over TE tunnels or when multiple tunnels need to perform load balancing to fully use
network resources. For detailed configuration, see 7.7.15.1 Configuring and Applying a
Tunnel Policy.

Configuration Procedure
All the following tasks are mandatory. Perform these tasks in this sequence to
complete the Hub and Spoke configuration.

7.7.2.1 Configuring MP-IBGP Between Hub-PE and Spoke-PE

Context
The Hub-PE must set up an MP-IBGP peer relationship with every Spoke-PE device.
Spoke-PE devices do not need to set up MP-IBGP peer relationships with each other.
Perform the following steps on the Hub-PE and Spoke-PE devices.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run bgp { as-number-plain | as-number-dot }

The BGP view is displayed.


Step 3 Run peer ipv4-address as-number as-number
The peer PE is configured as a BGP peer.
Step 4 Run peer ipv4-address connect-interface loopback interface-number
An interface is used to set up a Transmission Control Protocol (TCP) connection
with the BGP peer.

NOTE

A PE must use a loopback interface address with a 32-bit mask to set up an MP-IBGP peer
relationship with the peer PE so that VPN routes can be iterated to tunnels. The route to
the local loopback interface is advertised to the peer PE using an IGP on the MPLS
backbone network.

Step 5 Run ipv4-family vpnv4 [ unicast ]


The BGP-VPNv4 address family view is displayed.
Step 6 Run peer ipv4-address enable
The ability to exchange VPN IPv4 routes with the BGP peer is enabled.

----End

7.7.2.2 Configuring VPN Instances on PE Devices

Context
Configure VPN instances on each Spoke-PE device and the Hub-PE device. This
section provides only the mandatory configuration for a VPN instance. For the
optional configuration of a VPN instance, see 7.7.1.3 Configuring a VPN Instance
on a PE Device.

Procedure
● Configure VPN instances on the Hub-PE device.
Configure the following two VPN instances for the Hub-PE device:
– VPN-in: accepts and maintains all the VPNv4 routes advertised by all the
Spoke-PE devices.
– VPN-out: maintains the routes of the Hub site and all the Spoke sites and
advertises those routes to all the Spoke-PE devices.
a. Run system-view
The system view is displayed.
b. Run ip vpn-instance VPN-in
The VPN-in instance is created and the VPN-in instance view is displayed.
c. Run ipv4-family
The IPv4 address family is enabled for the VPN-in instance, and the VPN-
in instance IPv4 address family view is displayed.

d. Run route-distinguisher route-distinguisher


The RD of the VPN-in instance IPv4 address family is configured.
e. Run vpn-target vpn-target1 &<1-8> import-extcommunity
The VPN target extended community for the VPN-in instance IPv4
address family is created to import the VPNv4 routes advertised by all the
Spoke-PE devices.
vpn-target1 lists the Export VPN targets advertised by all the Spoke-PE
devices.
f. Run quit
The VPN instance view is displayed.
g. Run quit
Return to the system view.
h. Run ip vpn-instance VPN-out
The VPN-out instance is created and the VPN-out instance view is
displayed.
i. Run ipv4-family
The IPv4 address family is enabled for the VPN-out instance, and the
VPN-out instance IPv4 address family view is displayed.
j. Run route-distinguisher route-distinguisher
The RD of the VPN-out instance IPv4 address family is configured.
k. Run vpn-target vpn-target2 &<1-8> export-extcommunity
The VPN target extended community for the VPN-out instance IPv4
address family is created to advertise the routes of all the Hubs and
Spokes.
vpn-target2 lists the import VPN targets configured on all the Spoke-PE
devices.
● Configure a Spoke-PE device.
Every Spoke-PE device is configured with a VPN instance.
a. Run system-view
The system view is displayed.
b. Run ip vpn-instance vpn-instance-name
The VPN instance view is displayed.
c. Run ipv4-family
The VPN instance IPv4 address family view is displayed.
d. Run route-distinguisher route-distinguisher
The RD of the VPN instance IPv4 address family is configured.
e. Run vpn-target vpn-target2 &<1-8> import-extcommunity
The VPN target extended community is configured for the VPN instance
IPv4 address family to receive the VPNv4 routes advertised by the Hub-PE
device.

vpn-target2 must be in the export VPN target list configured on the Hub-
PE device.
f. Run vpn-target vpn-target1 &<1-8> export-extcommunity
The VPN target extended community is configured for the VPN instance
IPv4 address family to advertise the routes of Spoke sites.
vpn-target1 must be in the import VPN target list configured on the Hub-
PE device.
----End
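The VPN-target relationships configured in this procedure can be checked mechanically. The following Python script is an added example, not part of the Huawei guide: it parses constructed VRP-style configuration fragments and reports any Spoke-PE whose targets do not line up with VPN-in and VPN-out, or that imports another spoke's export target and so learns spoke routes without passing through the hub. The Spoke-PE instance name vpna, the RD values, and the VPN targets 100:1 (vpn-target1) and 200:1 (vpn-target2) are assumptions.

```python
import re

# Constructed configurations; RD and VPN-target values are invented for this example.
# vpn-target1 = 100:1 (exported by the spokes), vpn-target2 = 200:1 (exported by VPN-out).
HUB_PE = """\
ip vpn-instance VPN-in
 ipv4-family
  route-distinguisher 100:21
  vpn-target 100:1 import-extcommunity
#
ip vpn-instance VPN-out
 ipv4-family
  route-distinguisher 100:22
  vpn-target 200:1 export-extcommunity
#
"""
SPOKE = """\
ip vpn-instance vpna
 ipv4-family
  route-distinguisher {rd}
  vpn-target {imports} import-extcommunity
  vpn-target 100:1 export-extcommunity
#
"""
GOOD = {
    "Hub-PE": HUB_PE,
    "Spoke-PE1": SPOKE.format(rd="100:1", imports="200:1"),
    "Spoke-PE2": SPOKE.format(rd="100:2", imports="200:1"),
}
# Misconfiguration: Spoke-PE2 also imports vpn-target1, the spokes' export target.
BAD = {**GOOD, "Spoke-PE2": SPOKE.format(rd="100:2", imports="200:1 100:1")}

INSTANCE_RE = re.compile(r"^ip vpn-instance (\S+)$")
TARGET_RE = re.compile(r"^vpn-target (.+) (import|export)-extcommunity$")


def parse_instances(device, config):
    """Map 'device/instance' to its import and export VPN-target sets."""
    instances, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := INSTANCE_RE.match(line):
            current = instances.setdefault(
                f"{device}/{m[1]}", {"import": set(), "export": set()})
        elif raw.startswith("#"):          # top-level section separator
            current = None
        elif (m := TARGET_RE.match(line)) and current is not None:
            current[m[2]].update(m[1].split())
    return instances


def audit_hub_spoke(configs, hub="Hub-PE"):
    """Return a list of findings; an empty list means the targets are consistent."""
    inst = {}
    for device, config in configs.items():
        inst.update(parse_instances(device, config))
    empty = {"import": set(), "export": set()}
    vpn_in = inst.get(f"{hub}/VPN-in", empty)
    vpn_out = inst.get(f"{hub}/VPN-out", empty)
    spokes = {n: i for n, i in inst.items() if not n.startswith(hub + "/")}
    findings = []
    for name, spoke in sorted(spokes.items()):
        if not spoke["export"] & vpn_in["import"]:
            findings.append(f"{name}: export targets are not in the VPN-in import list")
        if not spoke["import"] & vpn_out["export"]:
            findings.append(f"{name}: imports none of the VPN-out export targets")
        for other, peer in sorted(spokes.items()):
            shared = sorted(peer["export"] & spoke["import"])
            if other != name and shared:
                findings.append(
                    f"{name}: imports {shared} exported by {other}; "
                    "routes are learned without passing through the hub")
    return findings


if __name__ == "__main__":
    for label, configs in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_hub_spoke(configs) or "consistent")
```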

7.7.2.3 Binding a VPN Instance to an Interface

Prerequisites
A VPN instance has been created and the IPv4 address family has been enabled
for the VPN instance.

Context
The configuration on the Hub-PE involves two interfaces or sub-interfaces: one is
bound with the VPN-in and receives the routes advertised by the Spoke-PE; the
other is bound with the VPN-out and advertises the routes of the Hub and all the
Spokes.
● After configuring a VPN instance on a PE device, bind the VPN instance to the
interface that belongs to the VPN. Otherwise, the interface functions as a
public network interface and cannot forward VPN data.
● An interface becomes a private network interface after a VPN instance is
bound to it. You must configure an IP address for the interface so that the PE
device can exchange routing information with its attached CE device.
● After a VPN instance is bound to an interface, configuration of the Layer 3
features (IPv4 and IPv6 features) including IP addresses and routing protocols
is deleted from the interface.
● When you disable an address family (IPv4 or IPv6 address family) in a VPN
instance, configuration of the address family is deleted from the interface. No
interface is bound to a VPN instance if no address family configuration exists
in the VPN instance.
Perform the following steps on the Hub-PE and all the Spoke-PE devices.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run ip binding vpn-instance vpn-instance-name
A VPN instance is bound to the interface.

By default, an interface is a public network interface and is not associated with
any VPN instance.

Step 4 Run ip address ip-address { mask | mask-length }

An IP address is configured for the interface.

----End

7.7.2.4 Configuring Route Exchange Between PE device and CE Devices

Context
The Hub-PE and Hub-CE devices can use IGP or EBGP to exchange routing
information. When they use EBGP, you must configure the Hub-PE device to allow
the local AS number to be repeated.

As shown in Figure 7-37, the routing information advertised by a Spoke-CE is
forwarded to the Hub-CE and Hub-PE device before being transmitted to other
Spoke-PE devices. If EBGP runs between the Hub-PE device and the Hub-CE, the
Hub-PE device performs the AS-Loop detection on the route. If the Hub-PE device
detects its own AS number in the route, it discards the route. In this case, to
implement the Hub and Spoke networking, the Hub-PE device must be configured
to permit the existence of repeated local AS numbers.

Figure 7-37 EBGP running between the Hub-CE and Hub-PE devices

[Figure: topology diagram. Labels: Spoke-CE1, Spoke-CE2, Spoke-PE1, Spoke-PE2, Hub-PE, Hub-CE, VPN backbone AS100, AS65401, AS65402, AS65403, IBGP, EBGP, VPN_in, VPN_out]

Procedure
● Configure EBGP between the Hub-PE and Hub-CE devices.

For detailed configuration procedures, see Configuring a Routing Protocol
Between PE device and CE.
The Spoke-PE and Spoke-CE devices can use EBGP, IGP, or static routes.
To set up an EBGP peer relationship between the Hub-PE and Hub-CE devices
and between a Spoke-PE device and a Spoke-CE device, perform the following
steps on the Hub-PE device:
a. Run system-view
The system view is displayed.
b. Run bgp { as-number-plain | as-number-dot }
The BGP view is displayed.
c. Run ipv4-family vpn-instance vpn-instance-name
The BGP-VPN instance IPv4 address family view is displayed.
d. Run peer ip-address allow-as-loop [ number ]
The Hub-PE device is configured to permit repeated local AS numbers. Here,
number is set to 1, which means that a route in which the local AS number is
repeated once is allowed.
● Configure an IGP between the Hub-PE and Hub-CE devices.
For detailed configuration procedures, see Configuring a Routing Protocol
Between PE and CE.
In this case, an IGP or static routes, instead of BGP, are used between the
Spoke-PE and Spoke-CE devices. If BGP is used, the AS number of the source BGP
route is lost when the route is transmitted through the IGP running between
the Hub-PE and Hub-CE devices. The Spoke-PE device then receives both the source
BGP route sent by the Spoke-CE device and the source BGP route, with no AS
number, forwarded by the Hub-PE device. The source BGP route sent by the
Spoke-CE device has an AS number and is therefore not preferred by the Spoke-PE
device. After the route is withdrawn, the Spoke-PE device again prefers the
source BGP route received from the Spoke-CE device and advertises it again. As
this process repeats, route flapping occurs.
● Configure static routes between the Hub-PE and the Hub-CE devices.
For detailed configuration procedures, see Configuring a Routing Protocol
Between PE device and CE.
EBGP, IGP, or static routes can be used between the Spoke-PE and the Spoke-
CE devices.
If the Hub-CE device uses the default route to access the Hub-PE device,
perform the following steps on the Hub-PE device to advertise the default
route to all the Spoke-PE devices:
a. Run system-view
The system view is displayed.
b. Run ip route-static vpn-instance vpn-source-name 0.0.0.0 0.0.0.0
nexthop-address [ preference preference | tag tag ]* [ description text ]
Here, vpn-source-name refers to the VPN-out instance. nexthop-address is the IP
address of the Hub-CE interface that is connected to the PE device
interface bound to the VPN-out instance.
c. Run bgp { as-number-plain | as-number-dot }
The BGP view is displayed.

d. Run ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv4 address family view is displayed.
vpn-instance-name refers to the VPN-out instance.
e. Run network 0.0.0.0 0

The default route is advertised to all the Spoke-PE devices through MP-
BGP.

----End

7.7.2.5 Verifying the Hub and Spoke Configuration

Prerequisites
The configurations of the Hub and Spoke function are complete.

Procedure
● Run the display ip routing-table vpn-instance vpn-instance-name command
to check routing information about the VPN-in and VPN-out on the Hub-PE.

If the VPN-in routing table has routes to all the Spoke sites, and the VPN-out
routing table has routes to the Hub and all the Spoke sites, the configuration
is successful.
● Run the display ip routing-table command to check routing information on
the Hub-CE and all the Spoke-CE devices.
The Hub-CE and all the Spoke-CE devices have routes to the Hub and all the
Spoke sites.

----End

7.7.3 Configuring Inter-AS VPN Option A


If the MPLS VPN backbone network spans multiple ASs, inter-AS VPN is required.
Inter-AS VPN Option A can be used when each PE device has a few VPNs and VPN
routes.

Procedure
To implement inter-AS VPN Option A, complete basic BGP/MPLS IP VPN
configuration in each AS and configure the ASBR-PE devices as the CE device of
each other. You need to configure VPN instances for a PE device and an ASBR-PE
device respectively. The PE device connects to CE devices, and the ASBR-PE device
connects to the remote ASBR-PE device. For details about basic BGP/MPLS IP VPN
configuration, see 7.7.1 Configuring Basic BGP/MPLS IP VPN Functions.

NOTE
In inter-AS VPN Option A, the VPN targets of VPN instances on the ASBR and PE devices in
the same AS must match for the same VPN. This is not required for the PE devices in
different ASs.

Verifying the Configuration


After inter-AS VPN Option A is configured, run the following commands to check
previous configurations.

● Run the display bgp vpnv4 all peer command on the PE or ASBR, and you
can view that the status of the BGP VPNv4 peer relationship between the PE
and ASBR in the same AS is "Established".
● Run the display bgp vpnv4 all routing-table command on the PE or ASBR,
and you can view the VPNv4 routes.
● Run the display ip routing-table vpn-instance vpn-instance-name command
on the PE or ASBR, and you can view that the VPN routing table of the PE or
ASBR has related VPN routes.

7.7.4 Configuring Inter-AS VPN Option B


If virtual private network (VPN) routes need to be established over a Multiprotocol
Label Switching (MPLS) backbone network spanning multiple autonomous systems
(ASs), inter-AS VPN is required. If the provider edge (PE) devices connect to many
VPNs but the autonomous system boundary routers (ASBRs) do not have enough
interfaces to reserve an interface for each inter-AS VPN, the inter-AS VPN Option
B solution can be used on the network.

Pre-configuration Tasks
Before configuring inter-AS VPN Option B, complete the following tasks:

● Configuring an Interior Gateway Protocol (IGP) for the MPLS backbone
network of each AS to ensure IP connectivity on the backbone network within
each AS
● Configuring the basic MPLS functions and MPLS Label Distribution Protocol
(LDP) or Resource Reservation Protocol-Traffic Engineering (RSVP-TE) for the
MPLS backbone network of each AS
● In each AS, configuring VPN instances on the PE devices connected to CE
devices and associating the VPN instances with PE interfaces connected to CE
devices
● Configuring route exchange between the PE and CE devices in each AS

For details about the configurations, see 7.7.1 Configuring Basic BGP/MPLS IP
VPN Functions.

Configuration Procedure
7.7.4.4 (Optional) Configuring Routing Policies to Control VPN Route
Advertisement and Acceptance and 7.7.4.5 (Optional) Enabling Next-Hop-
based Label Allocation on the ASBR are optional, and other tasks are
mandatory. Perform these tasks in this sequence to complete inter-AS VPN Option
B configuration.

When VPN services need to be transmitted over TE tunnels or when multiple
tunnels need to perform load balancing to fully use network resources, you also
need to complete the task of 7.7.15 Configuring Tunnel Policies.

NOTE

In inter-AS VPN Option B, the ASBRs maintain and advertise VPNv4 routes of inter-AS VPNs,
and they can also work as PE devices. When the ASBRs work as PE devices, configure VPN
instances on the ASBRs to enable them to exchange routing information with CE devices.
The configuration is the same as that on common PE devices.

7.7.4.1 Configuring MP-IBGP Between PE and ASBR in the Same AS

Context
Perform the following steps on the PE and ASBR in the same AS.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run bgp { as-number-plain | as-number-dot }

The BGP view is displayed.

Step 3 Run peer ipv4-address as-number as-number

The peer ASBR is specified as the IBGP peer.

Step 4 Run peer ipv4-address connect-interface loopback interface-number

The loopback interface is specified as the outgoing interface of the BGP session.

NOTE

The 32-bit mask IP addresses of the loopback interfaces must be used to establish the MP-
IBGP peer relationship between PEs. This can ensure that the tunnel can be iterated. The
route destined to the loopback interface is advertised to the remote PE based on IGP on the
MPLS backbone network.

Step 5 Run ipv4-family vpnv4 [ unicast ]

The BGP-VPNv4 address family view is displayed.

Step 6 Run peer ipv4-address enable

The exchange of VPNv4 routes between the PE and ASBR in the same AS is
enabled.

NOTE

When the ASBR sends a VPNv4 route to a PE, the ASBR can automatically change the next
hop in the VPNv4 route to the IP address of itself.

----End

7.7.4.2 Configuring MP-EBGP Between ASBRs in Different ASs

Context
In inter-AS VPN Option B, you need not create VPN instances on ASBRs. The ASBR
does not filter the VPNv4 routes received from the PE in the same AS based on
VPN targets. Instead, it advertises the received VPNv4 routes to the peer ASBR
through MP-EBGP.

In the AR, an ASBR can only change the next-hop address of a VPNv4 route to the
ASBR's address before advertising the route to a PE.

Perform the following steps on the ASBR.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The view of the interface connected to the peer ASBR is displayed.

Step 3 Run ip address ip-address { mask | mask-length }

The interface IP address is configured.

Step 4 Run mpls

The MPLS capability is enabled.

Step 5 Run quit

Return to the system view.

Step 6 Run bgp { as-number-plain | as-number-dot }

The BGP view is displayed.

Step 7 Run peer ipv4-address as-number as-number

The peer ASBR is specified as the EBGP peer.

Step 8 (Optional) Run peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]

The maximum number of hops is configured for the EBGP connection.

Generally, one or multiple directly connected physical links exist between EBGP
peers. If the directly connected physical link(s) is/are not available, run this
command to ensure that the TCP connection can be set up between the EBGP
peers through multiple hops.

Step 9 Run ipv4-family vpnv4 [ unicast ]

The BGP-VPNv4 address family view is displayed.

Step 10 Run peer ipv4-address enable

The exchange of IPv4 VPN routes with the peer ASBR is enabled.

----End

7.7.4.3 Disabling an ASBR from Filtering VPNv4 Routes by VPN Targets

Context
By default, the PE performs VPN target filtering on the received IPv4 VPN routes.
The routes passing the filter are added to the routing table, and the others are
discarded. If the PE is not configured with a VPN instance, or the VPN instance is
not configured with a VPN target, the PE discards all the received VPN IPv4 routes.

In inter-AS VPN Option B, you do not need to configure VPN instances on the
ASBRs. An ASBR must save all the VPNv4 routes and advertise them
to the remote ASBR. In this case, the ASBR must accept all the VPNv4 routing
information without VPN target filtering.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run bgp { as-number-plain | as-number-dot }

The BGP view is displayed.

Step 3 Run ipv4-family vpnv4 [ unicast ]

The BGP-VPNv4 address family view is displayed.

Step 4 Run undo policy vpn-target

The VPN IPv4 routes are not filtered by the VPN target.

----End

7.7.4.4 (Optional) Configuring Routing Policies to Control VPN Route Advertisement and Acceptance

Context
The ASBRs accept all VPNv4 routes after they are configured not to filter VPNv4
routes by VPN targets. When there are many VPN routes on the network, the
ASBRs are overburdened.

If only some VPNs or sites need to communicate across ASs, you can configure
a routing policy on the ASBRs to restrict the VPNv4 routes that can be accepted by
the ASBRs. This reduces loads on the ASBRs.

This section describes how to configure the following filtering policies to control
VPNv4 route advertisement and acceptance:
● Filtering policy based on VPN targets
● Filtering policy based on RDs

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run either of the following commands to configure a route filter.
1. To configure an extended community filter, run ip extcommunity-filter
extcomm-filter-number { permit | deny } { rt { as-number:nn | ipv4-
address:nn } } &<1-16>.
2. To configure an RD filter, run ip rd-filter rd-filter-number { deny | permit }
route-distinguisher &<1-10>.
Step 3 Run route-policy route-policy-name permit node node
A routing policy is configured.
Step 4 Run either of the following commands to configure an if-match clause based on
the configured route filter:
1. If you configured an extended community filter in Step 2, run the if-match
extcommunity-filter { { basic-extcomm-filter-num | advanced-extcomm-
filter-num } &<1-16> | advanced-extcomm-filter-name | basic-extcomm-filter-
name } command to configure an if-match clause based on the extended
community filter in the routing policy.
2. If you configured an RD filter in Step 2, run the if-match rd-filter rd-filter-
number command to configure an if-match clause based on the RD filter in
the routing policy.
Step 5 Run quit
Return to the system view.
Step 6 Run bgp { as-number-plain | as-number-dot }
The BGP view is displayed.
Step 7 Run ipv4-family vpnv4 [ unicast ]
The BGP-VPNv4 address family view is displayed.
Step 8 Run peer ipv4-address route-policy route-policy-name { export | import }
The routing policy is applied to control VPN IPv4 routing information.

----End
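Because undo policy vpn-target removes VPN-target filtering on the ASBR, the routing policy configured in this section is the only control on which VPNv4 routes the ASBR accepts. The following Python script is an added example, not part of the Huawei guide: it checks a VRP-style ASBR configuration for VPNv4 peers that have no import routing policy, or whose policy node has no extended community filter or RD filter match. The configuration fragments are constructed, and the peer addresses, AS numbers, policy names and filter values are assumptions.

```python
import re

# Constructed ASBR fragments (addresses, AS numbers, names and filter values invented).
WEAK = """\
route-policy from-asbr permit node 10
#
bgp 100
 peer 192.0.2.2 as-number 200
 peer 198.51.100.1 as-number 100
 #
 ipv4-family vpnv4
  undo policy vpn-target
  peer 192.0.2.2 enable
  peer 192.0.2.2 route-policy from-asbr import
  peer 198.51.100.1 enable
#
"""
HARDENED = """\
ip extcommunity-filter 1 permit rt 200:1
ip rd-filter 1 permit 100:1
#
route-policy from-asbr permit node 10
 if-match extcommunity-filter 1
#
route-policy from-pe permit node 10
 if-match rd-filter 1
#
bgp 100
 peer 192.0.2.2 as-number 200
 peer 198.51.100.1 as-number 100
 #
 ipv4-family vpnv4
  undo policy vpn-target
  peer 192.0.2.2 enable
  peer 192.0.2.2 route-policy from-asbr import
  peer 198.51.100.1 enable
  peer 198.51.100.1 route-policy from-pe import
#
"""

FILTER_RE = re.compile(r"^ip (extcommunity-filter|rd-filter) (\S+) (?:permit|deny) ")
NODE_RE = re.compile(r"^route-policy (\S+) (permit|deny) node (\d+)$")
MATCH_RE = re.compile(r"^if-match (extcommunity-filter|rd-filter) (.+)$")
ENABLE_RE = re.compile(r"^peer (\S+) enable$")
IMPORT_RE = re.compile(r"^peer (\S+) route-policy (\S+) import$")


def lint_asbr(config):
    """Return findings for VPNv4 peers whose routes are accepted unfiltered."""
    filters, nodes, enabled, imports = set(), {}, [], {}
    node, in_vpnv4, rt_filter_off = None, False, False
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("#"):                      # top-level section separator
            node, in_vpnv4 = None, False
        elif m := FILTER_RE.match(line):
            filters.add((m[1], m[2]))
        elif m := NODE_RE.match(line):
            node = (m[1], m[3])
            nodes[node] = {"mode": m[2], "refs": []}
        elif (m := MATCH_RE.match(line)) and node:
            nodes[node]["refs"] += [(m[1], ref) for ref in m[2].split()]
        elif line.startswith("ipv4-family"):
            in_vpnv4 = line.split()[1:2] == ["vpnv4"]
        elif in_vpnv4 and line == "undo policy vpn-target":
            rt_filter_off = True
        elif in_vpnv4 and (m := ENABLE_RE.match(line)):
            enabled.append(m[1])
        elif in_vpnv4 and (m := IMPORT_RE.match(line)):
            imports[m[1]] = m[2]

    findings = []
    if not rt_filter_off:        # VPN-target filtering is still in effect
        return findings
    for peer in enabled:
        name = imports.get(peer)
        policy_nodes = {k: v for k, v in nodes.items() if k[0] == name}
        if name is None:
            findings.append(f"{peer}: no import route-policy; "
                            "all VPNv4 routes from this peer are accepted")
        elif not policy_nodes:
            findings.append(f"{peer}: route-policy {name} is not defined")
        for (pname, num), n in policy_nodes.items():
            if n["mode"] == "permit" and not n["refs"]:
                findings.append(f"{peer}: route-policy {pname} node {num} permits "
                                "routes without an extcommunity-filter or rd-filter match")
            for kind, ref in n["refs"]:
                if (kind, ref) not in filters:
                    findings.append(f"{peer}: route-policy {pname} node {num} "
                                    f"references undefined {kind} {ref}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, lint_asbr(cfg) or "no findings")
```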

7.7.4.5 (Optional) Enabling Next-Hop-based Label Allocation on the ASBR

Context
In an inter-AS VPN Option B scenario, ASBRs can be enabled to allocate labels to
VPN routes based on next hops. This saves labels on the ASBRs.
Next-hop-based label allocation means allocating the same label to routes
with the same forwarding behavior. In other words, VPN routes with the same
forwarding path and outbound label are assigned the same label. Unlike
the prefix-based label allocation mode that is used by default, next-hop-based
label allocation enriches the label allocation modes and allows for flexible label
allocation. In addition, when an ASBR functions as a PE device, next-hop-based
label allocation can be used together with the one-label-per-instance mode to save
labels on the ASBR.
As shown in Figure 7-38, an inter-AS VPN Option B network is established;
two VPN instances, VPN1 and VPN2, are configured on PE1; the label allocation
mode is one label per VPN instance. A total of 1000 VPN routes are imported from
CE1 in VPN1, and another 1000 from CE2 in VPN2. When next-hop-based label
allocation is not enabled for VPN routes on the ASBRs, the 2000 routes of PE1
advertised by ASBR1 to ASBR2 use 2000 labels. After next-hop-based label
allocation is enabled for VPN routes on ASBR1, ASBR1 assigns only one label to
VPN routes with the same next hop and outgoing label. As a result, ASBR1 needs
to allocate only two labels for the 2000 routes.

Figure 7-38 Next-hop-based label allocation for VPN routes on ASBR

[Figure: topology diagram. Labels: CE1, CE2, CE3, CE4, VPN1, VPN2, PE1, PE3, PE4, ASBR1, ASBR2, BGP/MPLS backbone AS: 100, BGP/MPLS backbone AS: 200, MP-IBGP, MP-EBGP]

NOTICE

After next-hop-based label allocation is enabled or disabled, the label allocated by
the ASBR for a route changes, which leads to packet loss.

Perform the following steps on the ASBR.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run bgp { as-number-plain | as-number-dot }
The BGP view is displayed.

Step 3 Run ipv4-family vpnv4
The BGP-VPNv4 view is displayed.
Step 4 Run apply-label per-nexthop
The next-hop-based label allocation for IPv4 VPN routes is enabled on the ASBR.

----End
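
The label arithmetic from the Context of this section, as a small Python model added here (it is not part of the Huawei guide). The PE address, RDs, prefixes and label values are constructed; the second scenario, in which PE1 assigns one label per route, goes beyond the case in the text to show that the saving depends on routes sharing the same next hop and outgoing label.

```python
from dataclasses import dataclass
from itertools import count

FIRST_LABEL = 16  # MPLS labels 0-15 are reserved; the starting value is arbitrary


@dataclass(frozen=True)
class VpnRoute:
    rd: str         # route distinguisher of the VPN instance on the PE
    prefix: str     # customer IPv4 prefix
    next_hop: str   # BGP next hop, i.e. the advertising PE
    out_label: int  # VPN label the PE attached to the route


def allocate(routes, mode):
    """Return {route: label} that the ASBR would advertise to the peer ASBR."""
    if mode not in ("per-prefix", "per-nexthop"):
        raise ValueError(f"unknown mode: {mode}")
    free = count(FIRST_LABEL)
    assigned = {}  # allocation key -> local label
    result = {}
    for route in routes:
        if mode == "per-prefix":
            key = (route.rd, route.prefix)            # one label per VPNv4 route
        else:
            key = (route.next_hop, route.out_label)   # one label per forwarding behavior
        if key not in assigned:
            assigned[key] = next(free)
        result[route] = assigned[key]
    return result


def labels_used(routes, mode):
    """Number of distinct labels the ASBR consumes for these routes."""
    return len(set(allocate(routes, mode).values()))


def vpn_routes(pe, vpn_id, n, label_per_instance=True):
    """Constructed routes of one VPN instance on one PE."""
    routes = []
    for i in range(n):
        # One shared label per instance, or a unique label per route.
        label = 1000 + vpn_id if label_per_instance else 100000 + vpn_id * n + i
        routes.append(VpnRoute(rd=f"100:{vpn_id}",
                               prefix=f"10.{vpn_id}.{i // 256}.{i % 256}/32",
                               next_hop=pe, out_label=label))
    return routes


PE1 = "1.1.1.9"  # constructed loopback address

# Scenario from the Context: VPN1 and VPN2 on PE1, 1 thousand routes each,
# one label per VPN instance on PE1.
scenario = vpn_routes(PE1, 1, 1000) + vpn_routes(PE1, 2, 1000)

# Variant (assumption, not in the guide): PE1 assigns one label per route,
# so no two routes share an outgoing label.
per_route_pe = vpn_routes(PE1, 1, 1000, False) + vpn_routes(PE1, 2, 1000, False)

if __name__ == "__main__":
    for name, routes in (("one label per instance on PE1", scenario),
                         ("one label per route on PE1", per_route_pe)):
        print(name, labels_used(routes, "per-prefix"), labels_used(routes, "per-nexthop"))
```
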

7.7.4.6 Verifying the Inter-AS VPN Option B Configuration

Prerequisites
The configuration of inter-AS VPN Option B is complete.

Procedure
● Run the display bgp vpnv4 all peer command on the PE or ASBR. If the
status of the IBGP peer between the PE and ASBR in the same AS is
"Established", and the status of the EBGP peer between ASBRs in the different
AS is "Established", the configuration is successful.
● Run the display bgp vpnv4 all routing-table command on the ASBR. If the
VPN IPv4 routes are displayed, the configuration is successful.
● Run the display ip routing-table vpn-instance vpn-instance-name command
on the PE device. If the VPN routes are displayed, the configuration is
successful.
● Run the display mpls lsp command on the ASBR. If information about the
LSP and label is displayed, it means that the configuration succeeds. If the
ASBR is enabled with the next-hop-based label allocation, only one label is
allocated for the VPN routes with the same next hop and outgoing label.
● Run the display ip extcommunity-filter command on an ASBR to check the
configured extended community filters.
● Run the display ip rd-filter command on an ASBR to check the configured
RD filters.
----End

7.7.5 Configuring Inter-AS VPN Option C (Solution 1)


If virtual private network (VPN) routes need to be established over a Multiprotocol
Label Switching (MPLS) backbone network spanning multiple autonomous systems
(ASs), inter-AS VPN is required. If each AS needs to exchange a large number of
VPN routes, inter-AS VPN Option C is a good choice to prevent the autonomous
system boundary routers (ASBRs) from becoming bottlenecks that impede network
expansion.

Pre-configuration Tasks
Before configuring inter-AS VPN Option C, complete the following tasks:
● Configuring an Interior Gateway Protocol (IGP) for the MPLS backbone
network of each AS to ensure IP connectivity on the backbone network within
each AS

● Configuring the basic MPLS functions and MPLS Label Distribution Protocol
(LDP) or Resource Reservation Protocol-Traffic Engineering (RSVP-TE) for the
MPLS backbone network of each AS
● In each AS, configuring VPN instances on the PE devices connected to CE
devices and associating the VPN instances with PE interfaces connected to CE
devices
● Configuring route exchange between the PE and CE devices in each AS
For details about the configurations, see 7.7.1 Configuring Basic BGP/MPLS IP
VPN Functions.

Context
The following solutions can be used to implement inter-AS VPN Option C:
● Solution 1: After learning the labeled BGP routes of the public network in the
remote AS from the remote ASBR, the local ASBR allocates labels for these
routes, and advertises these routes to the IBGP peer that supports the label
switching capability. In this manner, a complete LSP is set up.
● Solution 2: The IBGP peer relationship between the PE and ASBR is not
needed. In this solution, an ASBR learns the labeled public BGP routes of the
remote AS from the peer ASBR. Then these labeled public BGP routes are
imported to an IGP to trigger the establishment of an LDP LSP. In this manner,
a complete LDP LSP can be established between the two PEs.
Solution 1 is described in this section, and solution 2 is described in 7.7.6
Configuring Inter-AS VPN Option C (Solution 2).

Configuration Procedure
All the following tasks are mandatory. Perform these tasks in this sequence to
complete inter-AS VPN Option C configuration.
When VPN services need to be transmitted over TE tunnels or when multiple
tunnels need to perform load balancing to fully use network resources, you also
need to complete the task of 7.7.15 Configuring Tunnel Policies.

NOTE

In inter-AS VPN Option C mode, do not enable LDP between ASBRs. If LDP is enabled on
the interfaces between ASBRs, LDP sessions are then established between the ASBRs. When
a lot of BGP routes exist, many LDP labels are occupied.

7.7.5.1 Enabling the Labeled IPv4 Route Exchange

Context
In inter-AS VPN Option C, an inter-AS VPN LSP must be established, and the
related PEs and ASBRs exchange public network routes that carry MPLS labels.
MP-BGP advertises the public network routes with MPLS labels. The label mapping
information of a route is carried in BGP Update messages. This feature is
implemented through BGP extension attributes, which requires BGP peers to be
able to process labeled IPv4 routes.

By default, BGP peers cannot process labeled IPv4 routes.

Procedure
● Configure a PE device.
a. Run system-view
The system view is displayed.
b. Run bgp { as-number-plain | as-number-dot }
The BGP view is displayed.
c. Run peer ipv4-address as-number as-number
An IBGP peer relationship is established between the local PE and ASBR
in the same AS.
d. Run peer ipv4-address connect-interface loopback interface-number
A loopback interface is specified as the outbound interface of the BGP
session.
e. Run peer ipv4-address label-route-capability
Exchange of the labeled IPv4 routes with the ASBR in the same AS is
enabled.
● Configure an ASBR.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The view of the interface connected with the peer ASBR is displayed.
c. Run ip address ip-address { mask | mask-length }
The interface IP address is configured.
d. Run mpls
The MPLS capability is enabled.
e. Run quit
Return to the system view.
f. Run bgp { as-number-plain | as-number-dot }
The BGP view is displayed.
g. Run peer ipv4-address as-number as-number
An IBGP peer relationship is established between the local PE and the
remote PE in the same AS.
h. Run peer ipv4-address connect-interface loopback interface-number
A loopback interface is specified as the outbound interface of the BGP
session.
i. Run peer ipv4-address label-route-capability
Exchange of the labeled IPv4 routes with the remote PE in the same AS is
enabled.

j. Run peer ipv4-address as-number as-number
The peer ASBR is specified as the EBGP peer.
k. (Optional) Run peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]
The maximum number of hops is configured for the EBGP connection.
Generally, one or multiple directly connected physical links exist between
EBGP peers. If the directly connected physical links are not available, run
the peer ebgp-max-hop command to ensure that the TCP connection
can be set up between the EBGP peers through multiple hops.
If BGP uses a loopback interface to establish an EBGP peer relationship, you
must run the peer ebgp-max-hop command and set the hop count to a
value larger than or equal to 2. Otherwise, the peer relationship cannot
be established. If hop-count is not specified, the default value 255 is used.
l. Run peer ipv4-address label-route-capability [ check-tunnel-reachable ]
The exchange of the labeled IPv4 routes with the peer ASBR is enabled.
▪ If tunnel reachability checking is enabled, BGP advertises IPv4 unicast
routes to peers when routed tunnels are unreachable or advertises
labeled routes to peers when routed tunnels are reachable. This
prevents an MP-EBGP peer relationship from being established between
PEs over a faulty LSP, which would cause data forwarding failures.
▪ If tunnel reachability checking is disabled, BGP advertises labeled
routes to peers whether or not the tunnels for imported routes are
reachable.
----End

7.7.5.2 Configuring a Routing Policy to Control Label Distribution

Context
You need to configure a routing policy to control label allocation for each inter-AS
BGP LSP. If labeled IPv4 routes are advertised to a PE of the local AS, you need to
re-allocate MPLS labels to these routes. If routes sent by a PE of the local AS are
advertised to the peer ASBR, you need to allocate MPLS labels to these routes.

Procedure
Step 1 Create a routing policy.
Perform the following steps on the ASBR.
1. Run system-view
The system view is displayed.
2. Run route-policy policy-name1 permit node node

The routing policy applied to the local PE is created.

For the labeled IPv4 routes received from peer ASBRs, and sent to the PEs in
the same AS, this policy ensures that a new MPLS label is allocated.
3. Run if-match mpls-label

The IPv4 routes with labels are matched.


4. Run apply mpls-label

The label is allocated to the IPv4 route.


5. Run quit

Return to the system view.


6. Run route-policy policy-name2 permit node node

The routing policy applied to the peer ASBR is created.

For the labeled IPv4 routes received from a PE in the local AS and sent to the
remote ASBR, this policy ensures that a new MPLS label is allocated.
7. Run apply mpls-label

The label is allocated to the IPv4 route.

Step 2 Apply the routing policy.

Perform the following steps on the ASBR.

1. Run system-view

The system view is displayed.


2. Run bgp { as-number-plain | as-number-dot }

The BGP view is displayed.


3. Run peer ipv4-address route-policy policy-name1 export

The routing policy to be used when routes are advertised to the local PE is
applied.
4. Run peer ipv4-address route-policy policy-name2 export

The routing policy to be used when routes are advertised to the peer ASBR is
applied.

Step 3 (Optional) Control the creation of ingress LSPs for labeled BGP routes based on
routing policies.
Perform the following steps on each PE.
1. Run system-view

The system view is displayed.


2. Run bgp { as-number-plain | as-number-dot }

The BGP view is displayed.


3. Run ingress-lsp trigger route-policy route-policy-name

The function to create ingress LSPs for labeled BGP routes based on routing
policies is configured.

On a MAN where the hybrid access mode is used, a large number of labeled
BGP routes are used to establish end-to-end LSPs. On certain intermediate
nodes where VPN services do not need to be supported, excessive ingress LSPs
are created, wasting network resources. In this case, you can run the
ingress-lsp trigger command to create ingress LSPs based on a routing policy
to save network resources.

----End

7.7.5.3 Establishing an MP-EBGP Peer Relationship Between PE Devices

Context
By introducing extended community attributes into BGP, MP-EBGP can advertise
VPNv4 routes between PEs.

Procedure
● Configure a PE device to advertise its loopback interface IP addresses used for
peer relationship establishment to the ASBRs of other ASs and peer PE
devices. You can also configure an ASBR to send the loopback interface IP
addresses of a PE device used for peer relationship establishment to the
ASBRs of other ASs and peer PE devices.
a. Run system-view
The system view is displayed.
b. Run bgp { as-number-plain | as-number-dot }
The BGP view is displayed.
c. Run network ip-address [ mask | mask-length ] [ route-policy route-policy-name ]
The loopback address of the PE in the local AS is advertised to the
remote ASBR.
● (Optional) Disable an ASBR from advertising BGP supernet labeled routes.
In an inter-AS VPN Option C scenario, a PE uses a routing policy to assign a
label to its loopback address route and advertises this route as a BGP labeled
route. When an ASBR receives the route, the route is a BGP supernet labeled
route in which the destination address and next hop address are the same or
the destination address is more detailed than the next hop address. In
V2R3C00 or earlier, the ASBR does not advertise the received BGP supernet
labeled route. After the ASBR is upgraded to a version later than V2R3C00,
the ASBR can advertise the received BGP supernet labeled route to other BGP
peers. This advertisement may change the traffic path on the network before
and after the upgrade. To ensure that the traffic path remains unchanged,
disable the ASBR from advertising BGP supernet labeled routes.
a. Run system-view
The system view is displayed.
b. Run bgp { as-number-plain | as-number-dot }
The BGP view is displayed.

c. Run supernet label-route advertise disable
The ASBR is disabled from advertising BGP supernet labeled routes.
After you disable the ASBR from advertising BGP supernet labeled routes,
to advertise the loopback address route of a PE in the local AS to a PE in
another AS, run the network command on the ASBR to advertise the
BGP route to the loopback address of the PE in the same AS.
● Perform the following steps on the PE device:
a. Run system-view
The system view is displayed.
b. Run bgp { as-number-plain | as-number-dot }
The BGP view is displayed.
c. Run peer ipv4-address as-number { as-number-plain | as-number-dot }
The peer PE is specified as the EBGP peer.
d. Run peer ipv4-address connect-interface loopback interface-number
The source interface that sends BGP packets is specified.
e. Run peer ipv4-address ebgp-max-hop [ hop-count ]
The maximum hop of the EBGP peer is configured.
PEs of different ASs are generally not directly connected. To set up the
EBGP peer between PEs of different ASs, configure the maximum hop
between PEs and ensure the PEs are reachable.
f. (Optional) Run peer { group-name | ipv4-address } mpls-local-ifnet
disable
The ability to establish an MPLS local IFNET tunnel between PEs is
disabled.
In the Option C scenario, PEs establish an MP-EBGP peer relationship.
Therefore, an MPLS local IFNET tunnel between PEs is established over
the MP-EBGP peer relationship. The MPLS local IFNET tunnel fails to
transmit traffic because PEs are indirectly connected.
If a fault occurs on the BGP LSP between PEs, traffic is iterated to the
MPLS local IFNET tunnel, not an FRR bypass tunnel. As the MPLS local
IFNET tunnel cannot forward traffic, traffic is interrupted. To prevent the
traffic interruption, run this command to disable the establishment of an
MPLS local IFNET tunnel between PEs.
g. Run ipv4-family vpnv4 [ unicast ]
The BGP VPNv4 address family view is displayed.
h. Run peer ipv4-address enable
The exchange of VPN IPv4 routes with the peer PE is enabled.
----End

Related Tasks
To improve scalability, specify an RR in each AS and establish MP-EBGP peer
relationships between the RRs in ASs to save all VPNv4 routes on the RRs. Then
configure PEs in each AS as the RR's clients to exchange VPNv4 routing
information with the RR. The configuration is as follows:
● Configure a PE device to advertise its loopback interface IP addresses used for
peer relationship establishment to the ASBRs of other ASs and peer PE
devices. You can also configure an ASBR to send the loopback interface IP
addresses of a PE device used for peer relationship establishment to the
ASBRs of other ASs and peer PE devices. The configuration procedure is the
same as the procedure described above.
● Establish an MP-EBGP peer relationship between the RRs. The configuration
procedure is similar to the procedure for establishing an MP-EBGP peer
relationship between two PE devices, except that you need to run the peer
ipv4-address next-hop-invariable command in the BGP-VPNv4 address family
view of the RRs to configure them not to change the next hop when
advertising routes to the EBGP peers.
● Configure PE devices as the clients of the RR in the local AS to exchange
VPNv4 routing information with the RR. For details about the configurations,
see 7.7.11 Configuring Route Reflection to Optimize the VPN Backbone
Layer.

7.7.5.4 Verifying the Inter-AS VPN Option C Configuration (Solution 1)

Prerequisites
The configuration of inter-AS VPN Option C (Solution 1) is complete.

Procedure
● Run the display bgp vpnv4 all peer command to check the BGP peers on the
PE device. You can find the status of the EBGP peer between PEs is
"Established".
● Run the display bgp vpnv4 all routing-table command to check the VPN
IPv4 routing table on the PE or ASBR. You can view that the PE has the VPN
IPv4 routes while the ASBR has no VPN IPv4 route.
● Run the display bgp routing-table label command to check information
about the label of the IPv4 route on the ASBR.
● Run the display ip routing-table vpn-instance vpn-instance-name command
to check the VPN routing table on the PE device. The command displays all
VPN routes to all the CE devices in the VPN routing table of the PE device.

----End
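
A configuration check for the ASBR side of Solution 1 (the steps in 7.7.5.1 and 7.7.5.2 and the NOTE under 7.7.5), written in Python as an added example that is not part of the Huawei guide. The sample configuration with its addresses, AS numbers, interface and policy names is constructed, and the mpls ldp interface line the check looks for is an assumption about how LDP appears in a saved configuration.

```python
import re

# Constructed ASBR configuration laid out like "display current-configuration".
# Addresses, AS numbers, interface and policy names are illustrative only.
SAMPLE_ASBR = """\
#
interface GigabitEthernet1/0/0
 ip address 192.1.1.1 255.255.255.0
 mpls
#
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack1
 peer 192.1.1.2 as-number 200
 #
 ipv4-family unicast
  network 1.1.1.9 255.255.255.255
  peer 1.1.1.9 enable
  peer 1.1.1.9 route-policy policy1 export
  peer 1.1.1.9 label-route-capability
  peer 192.1.1.2 enable
  peer 192.1.1.2 route-policy policy2 export
  peer 192.1.1.2 label-route-capability check-tunnel-reachable
#
route-policy policy1 permit node 1
 if-match mpls-label
 apply mpls-label
#
route-policy policy2 permit node 1
 apply mpls-label
#
"""


def parse_sections(text):
    """Map each unindented command to the list of commands indented below it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if raw[0] != " ":
            current = sections.setdefault(line, [])
        elif current is not None:
            current.append(line)
    return sections


def audit_asbr(text, inter_as_interface):
    """Return findings for an Option C (Solution 1) ASBR; an empty list means all checks pass."""
    sections = parse_sections(text)
    findings = []
    # NOTE under 7.7.5: MPLS is needed on the link to the peer ASBR, LDP must stay off.
    intf = sections.get(f"interface {inter_as_interface}", [])
    if "mpls" not in intf:
        findings.append(f"{inter_as_interface}: mpls is not enabled")
    if "mpls ldp" in intf:
        findings.append(f"{inter_as_interface}: LDP is enabled between ASBRs")
    # Route-policy name -> clauses of all its nodes.
    policies = {}
    for head, body in sections.items():
        m = re.match(r"route-policy (\S+) permit node \d+$", head)
        if m:
            policies.setdefault(m.group(1), []).extend(body)
    bgp_head = next((h for h in sections if re.match(r"bgp \S+$", h)), None)
    if bgp_head is None:
        return findings + ["no bgp section found"]
    local_as = bgp_head.split()[1]
    peers = {}
    for cmd in sections[bgp_head]:
        m = re.match(r"peer (\S+) (.+)$", cmd)
        if m:
            peers.setdefault(m.group(1), []).append(m.group(2))
    for addr, attrs in peers.items():
        remote_as = next((a.split()[1] for a in attrs if a.startswith("as-number ")), None)
        kind = "IBGP" if remote_as == local_as else "EBGP"
        # 7.7.5.1: labeled IPv4 route exchange must be enabled toward every peer.
        if not any(a.startswith("label-route-capability") for a in attrs):
            findings.append(f"{kind} peer {addr}: label-route-capability missing")
        # 7.7.5.2: the export policy must allocate a label; toward the local PE
        # it must also match routes that already carry a label.
        export = next((a.split()[1] for a in attrs
                       if re.match(r"route-policy \S+ export$", a)), None)
        clauses = policies.get(export, [])
        if "apply mpls-label" not in clauses:
            findings.append(f"{kind} peer {addr}: export policy does not apply mpls-label")
        elif kind == "IBGP" and "if-match mpls-label" not in clauses:
            findings.append(f"IBGP peer {addr}: export policy does not match labeled routes")
        # 7.7.5.1 step k: EBGP over a loopback needs ebgp-max-hop with a hop count >= 2
        # (no hop count means the default of 255).
        if kind == "EBGP" and any(a.lower().startswith("connect-interface loopback")
                                  for a in attrs):
            hops = next((a.split()[1:] for a in attrs if a.startswith("ebgp-max-hop")), None)
            if hops is None or (hops and int(hops[0]) < 2):
                findings.append(f"EBGP peer {addr}: loopback peering needs ebgp-max-hop >= 2")
    return findings


if __name__ == "__main__":
    print(audit_asbr(SAMPLE_ASBR, "GigabitEthernet1/0/0") or "all checks passed")
```
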

7.7.6 Configuring Inter-AS VPN Option C (Solution 2)


If virtual private network (VPN) routes need to be established over a Multiprotocol
Label Switching (MPLS) backbone network spanning multiple autonomous systems
(ASs), inter-AS VPN is required. If each AS needs to exchange a large number of
VPN routes, inter-AS VPN Option C is a good choice to prevent the autonomous
system boundary routers (ASBRs) from becoming bottlenecks that impede network
expansion.

Pre-configuration Tasks
Before configuring inter-AS VPN Option C, complete the following tasks:

● Configuring an Interior Gateway Protocol (IGP) for the MPLS backbone
network of each AS to ensure IP connectivity on the backbone network within
each AS
● Configuring the basic MPLS functions and MPLS Label Distribution Protocol
(LDP) or Resource Reservation Protocol-Traffic Engineering (RSVP-TE) for the
MPLS backbone network of each AS
● In each AS, configuring VPN instances on the PE devices connected to CE
devices and associating the VPN instances with PE interfaces connected to CE
devices
● Configuring route exchange between the PE and CE devices in each AS

For details about the configurations, see 7.7.1 Configuring Basic BGP/MPLS IP
VPN Functions.

Context
The following solutions can be used to implement inter-AS VPN Option C:

● Solution 1: After learning the labeled BGP routes of the public network in the
remote AS from the remote ASBR, the local ASBR allocates labels for these
routes, and advertises these routes to the IBGP peer that supports the label
switching capability. In this manner, a complete LSP is set up.
● Solution 2: The IBGP peer relationship between the PE and ASBR is not
needed. In this solution, an ASBR learns the labeled public BGP routes of the
remote AS from the peer ASBR. Then these labeled public BGP routes are
imported to an IGP to trigger the establishment of an LDP LSP. In this manner,
a complete LDP LSP can be established between the two PEs.

If an ASBR is to connect to a large number of PEs, Solution 2 is recommended
because it is easier to configure.

NOTE

In inter-AS VPN Option C mode, do not enable LDP between ASBRs. If LDP is enabled on
the interfaces between ASBRs, LDP sessions are then established between the ASBRs. When
a lot of BGP routes exist, many LDP labels are occupied.

Configuration Procedure
All the following tasks are mandatory. Perform these tasks in this sequence to
complete inter-AS VPN Option C configuration.

When VPN services need to be transmitted over TE tunnels or when multiple
tunnels need to perform load balancing to fully use network resources, you also
need to complete the task of 7.7.15 Configuring Tunnel Policies.

7.7.6.1 Establishing the EBGP Peer Relationship Between ASBRs

Context
An EBGP peer relationship is established between ASBRs to advertise routes
destined for the loopback interfaces on PEs.

Perform the following steps on ASBRs.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The view of the interface that connects to the remote ASBR is displayed.

Step 3 Run ip address ip-address { mask | mask-length }

The IP address is configured.

Step 4 Run quit

Return to the system view.

Step 5 Run bgp { as-number-plain | as-number-dot }

The BGP view is displayed.

Step 6 Run peer ipv4-address as-number as-number

The remote ASBR is configured as the EBGP peer.

Step 7 (Optional) Run peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]

The maximum number of hops is configured for the EBGP connection.

Generally, one or multiple directly connected physical links exist between EBGP
peers. If the directly connected physical link(s) is/are not available, run the peer
ebgp-max-hop command to ensure that the TCP connection can be set up
between the EBGP peers through multiple hops.

----End

7.7.6.2 Advertising the Routes of the PE in the Local AS to the Remote PE

Context
After the routes of the loopback interface on a PE in an AS are advertised to the
remote PE in another AS, the MP-EBGP peer relationship is established between
PEs.

Procedure
● The loopback address of the PE in the local AS is advertised to the remote
ASBR.
Perform the following steps on the local ASBR:

a. Run system-view
The system view is displayed.
b. Run bgp { as-number-plain | as-number-dot }
The BGP view is displayed.
c. Run network ip-address [ mask | mask-length ]
The loopback address of the PE in the local AS is advertised to the
remote ASBR.
● The BGP routes are imported to IGP.
Perform the following steps on the peer ASBR:
a. Run system-view
The system view is displayed.
b. Run ospf process-id
The OSPF view is displayed.
c. Run import-route bgp [ cost cost ] [ route-policy route-policy-name ]
The BGP routes are imported to IGP.
----End

7.7.6.3 Enabling the Capability of Exchanging Labeled IPv4 Routes

Context
To establish an inter-AS BGP LSP, you must enable ASBRs to exchange labeled IPv4
routes.
Perform the following steps on ASBRs.

Procedure
● Creating a routing policy.
a. Run system-view
The system view is displayed.
b. Run route-policy route-policy-name permit node node
The routing policy applied to advertise routes to the remote ASBR is
configured.
c. Run apply mpls-label
Labels for IPv4 routes are distributed.
d. Run quit
Return to the system view.
● Applying a routing policy.
a. Run system-view
The system view is displayed.

b. Run bgp { as-number-plain | as-number-dot }

The BGP view is displayed.


c. Run peer ipv4-address route-policy route-policy-name export

The routing policy applied to advertise routes to the remote ASBR is
configured.
d. Run quit

Return to the system view.


● Enabling the function of labeled IPv4 route exchange.
a. Run system-view

The system view is displayed.


b. Run interface interface-type interface-number

The view of the interface connecting the remote ASBR is displayed.


c. Run mpls

The MPLS function is enabled.


d. Run quit

Return to the system view.


e. Run bgp { as-number-plain | as-number-dot }

The BGP view is displayed.


f. Run peer ipv4-address label-route-capability

The labeled IPv4 route exchange capability with the remote ASBR is
configured.
g. Run quit

Return to the system view.

----End

7.7.6.4 Establishing an LDP LSP for the Labeled BGP Routes of the Public Network

Context
By enabling LDP on ASBRs to allocate labels for BGP routes, you can establish LDP
LSPs for the labeled BGP routes of the public network that are filtered by the IP
prefix list.

Perform the following steps on ASBRs.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run mpls
The MPLS view is displayed.
Step 3 Run lsp-trigger bgp-label-route [ ip-prefix ip-prefix-name ]
An LDP LSP is established for the labeled BGP routes of the public network that
are filtered by the IP prefix list.

----End

7.7.6.5 Establishing the MP-EBGP Peer Relationship Between PEs

Prerequisites
By introducing extended community attributes into BGP, MP-IBGP can advertise
VPNv4 routes between PEs. PEs of different ASs are generally not directly
connected. To set up an EBGP connection between the PEs of different ASs, you
must configure the permitted maximum number of hops between PEs.
Perform the following steps on PEs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run bgp { as-number-plain | as-number-dot }
The BGP view is displayed.
Step 3 Run peer ipv4-address as-number as-number
The remote PE is specified as the EBGP peer.
Step 4 Run peer ipv4-address connect-interface interface-type interface-number ipv4-source-address
The source interface that sends BGP packets is specified.
Step 5 Run peer ipv4-address ebgp-max-hop [ hop-count ]
The maximum number of hops permitted to establish the EBGP peer is specified.
Step 6 (Optional) Run peer { group-name | ipv4-address } mpls-local-ifnet disable
The ability to establish an MPLS local IFNET tunnel between PEs is disabled.
In the Option C scenario, PEs establish an MP-EBGP peer relationship. Therefore,
an MPLS local IFNET tunnel between PEs is established over the MP-EBGP peer
relationship. The MPLS local IFNET tunnel fails to transmit traffic because PEs are
indirectly connected.
If a fault occurs on the BGP LSP between PEs, traffic is iterated to the MPLS local
IFNET tunnel, not an FRR bypass tunnel. As the MPLS local IFNET tunnel cannot
forward traffic, traffic is interrupted. To prevent the traffic interruption, run this
command to disable the establishment of an MPLS local IFNET tunnel between
PEs.

Step 7 Run ipv4-family vpnv4

The BGP VPNv4 sub-address family view is displayed.

Step 8 Run peer ipv4-address enable

The VPNv4 route exchange capability with the remote PE is enabled.

----End

7.7.6.6 Verifying the Inter-AS VPN Option C Configuration (Solution 2)

Prerequisites
The configurations of the Inter-AS VPN Option C (Solution 2) function are
complete.

Procedure
● Run the display bgp vpnv4 all peer command to check information about
the specified VPNv4 peer on a PE. You can find that the EBGP peer
relationship between PEs is established.
● Run the display bgp vpnv4 all routing-table command to check information
about the VPN-IPv4 routing table on a PE or an ASBR. You can find that BGP
VPNv4 routes and BGP VPN instance routes are on the PE, rather than on the
ASBR.
● Run the display bgp routing-table label command to check information
about the labels of IPv4 routes on an ASBR.
● Run the display ip routing-table vpn-instance vpn-instance-name command
to check the VPN routing table on a PE device. You can find that the VPN
routing table of the PE has the VPN routes to the CE related to the specified
VPN instance.
● Run the display mpls route-state [ { exclude | include } { idle | ready |
settingup } * | destination-address mask-length ] [ verbose ] command to
check the matching relationship between routes and the LSP on an ASBR. You
can find the routes with the type as L, that is, the labeled BGP routes of the
public network.
● Run the display ip routing-table command to check information about the
routing table on an ASBR. You can find that the routes to the remote PE are
labeled BGP routes of the public network: The routing table is "Public", the
protocol type is "BGP", and the label has a non-zero value.
● Run the display mpls lsp [ vpn-instance vpn-instance-name ] [ protocol ldp ]
[ { exclude | include } ip-address mask-length ]
[ outgoing-interface interface-type interface-number ] [ in-label in-label-value ]
[ out-label out-label-value ] [ lsr-role { egress | ingress | transit } ] [ verbose ]
command to check whether an LDP LSP is established on an ASBR. You can find
that an LDP LSP is established between the ASBR and the remote PE. Besides, the
LDP ingress LSP to the remote PE can be found on the local PE.

----End

7.7.7 Configuring an MCE Device


A multi-VPN-instance CE (MCE) device can connect to multiple VPNs. The MCE
solution isolates services of different VPNs while reducing cost of network devices.

Pre-configuration Tasks
Before configuring an MCE device, complete the following tasks:

● Configuring a VPN instance on the multi-instance CE and on the PE that it
accesses (one VPN instance for each service)
● Configuring the link layer protocol and network layer protocol for LAN
interfaces and connecting the LAN to the multi-instance CE (each service
using an interface to access the multi-instance CE)
● Binding related VPN instances to the interfaces of the multi-instance CE and
to the PE interfaces through which the PE accesses the multi-instance CE, and
configuring IP addresses for those interfaces

Configuration Procedure
The following tasks are mandatory and can be performed in any order.

7.7.7.1 Configure Route Exchange Between an MCE Device and VPN Sites

Context
An MCE device and VPN sites can exchange routes using static routes, the
Routing Information Protocol (RIP), Open Shortest Path First (OSPF),
Intermediate System to Intermediate System (IS-IS), or Border Gateway
Protocol (BGP). Choose one of the following configurations as needed:
● Configure static routes between an MCE device and a site.
● Configure RIP between an MCE device and a site.
● Configure OSPF between an MCE device and a site.
● Configure IS-IS between an MCE device and a site.
● Configure BGP between an MCE device and a site.

The following configurations are performed on the MCE device. On the devices in
the site, you only need to configure the corresponding routing protocol.

Configure Static Routes Between an MCE Device and a Site


Perform the following configurations on the MCE device. You only need to
configure a static route to the MCE device in the site. The site configuration is not
provided here. For detailed configuration of static routes, see Static Route
Configuration in the Huawei AR Series Access Routers Configuration Guide - IP
Routing.

Table 7-13 MCE configuration


Action Command Description

Enter the system-view -


system view.

Configure a ip route-static vpn-instance vpn- You must specify the


static route to source-name destination-address next hop address on
the site. { mask | mask-length } { nexthop- the MCE device.
address [ public ] | interface-type
interface-number [ nexthop-
address ] } [ preference preference |
tag tag ] *

Configure RIP Between an MCE Device and a Site


Perform the following configurations on the MCE device. Configure RIPv1 or RIPv2
in the site. The site configuration is not provided here. For detailed RIP
configuration, see RIP Configuration in the Huawei AR Series Access Routers
Configuration Guide - IP Routing.

Table 7-14 MCE configuration

● Action: Enter the system view.
  Command: system-view
  Description: -
● Action: Create a RIP process running between the MCE device and the site and
  enter the RIP view.
  Command: rip process-id vpn-instance vpn-instance-name
  Description: A RIP process can be bound to only one VPN instance. If a RIP
  process is not bound to any VPN instance before it is started, this process
  becomes a public network process and can no longer be bound to a VPN
  instance.
● Action: Enable RIP on the network segment of the interface to which the VPN
  instance is bound.
  Command: network network-address
  Description: -
● Action: (Optional) Import the routes to the remote sites advertised by the
  PE device into the RIP routing table.
  Command:
  – import-route { { static | direct | unr } | { rip | ospf | isis }
    [ process-id ] } [ cost cost | route-policy route-policy-name ] *
  – import-route bgp [ cost { cost | transparent } | route-policy
    route-policy-name ] *
  Description: Perform this step if another routing protocol is running
  between the MCE and PE devices in the VPN instance.

Configure OSPF Between an MCE Device and a Site


Perform the following configurations on the MCE device. Configure OSPF in the
site. The site configuration is not provided here. For detailed OSPF configuration,
see OSPF Configuration in the Huawei AR Series Access Routers Configuration
Guide - IP Routing.

Table 7-15 MCE configuration

● Action: Enter the system view.
  Command: system-view
  Description: -
● Action: Create an OSPF process running between the MCE device and the site
  and enter the OSPF view.
  Command: ospf [ process-id | router-id router-id ] * vpn-instance
  vpn-instance-name
  Description: -
● Action: (Optional) Import the routes to the remote sites advertised by the
  PE device into the OSPF routing table.
  Command: import-route { bgp [ permit-ibgp ] | direct | unr | rip
  [ process-id-rip ] | static | isis [ process-id-isis ] | ospf
  [ process-id-ospf ] } [ cost cost | type type | tag tag | route-policy
  route-policy-name ] *
  Description: Perform this step if another routing protocol is running
  between the MCE and PE devices in the VPN instance.
● Action: Configure an OSPF area and enter the OSPF area view.
  Command: area { area-id | area-id-address }
  Description: -
● Action: Enable OSPF on the network segment of the interface to which the VPN
  instance is bound.
  Command: network ip-address wildcard-mask
  Description: -

Configure IS-IS Between an MCE Device and a Site


Perform the following configurations on the MCE device. You only need to
configure IS-IS in the site. The site configuration is not provided here. For detailed
IS-IS configuration, see IS-IS Configuration in the Huawei AR Series Access Routers
Configuration Guide - IP Routing.

Table 7-16 MCE configuration

● Action: Enter the system view.
  Command: system-view
  Description: -
● Action: Create an IS-IS process running between the MCE device and the site
  and enter the IS-IS view.
  Command: isis process-id vpn-instance vpn-instance-name
  Description: An IS-IS process can be bound to only one VPN instance. If an
  IS-IS process is not bound to any VPN instance before it is started, this
  process becomes a public network process and can no longer be bound to a VPN
  instance.
● Action: Set a network entity title (NET) for the IS-IS process.
  Command: network-entity net
  Description: A NET specifies the current IS-IS area address and the system
  ID of the router. A maximum of three NETs can be configured for one process
  on each router.
● Action: Import the routes to the remote sites advertised by the PE device
  into the IS-IS routing table.
  Command: Use either of the following commands:
  – import-route { direct | static | unr | { ospf | rip | isis }
    [ process-id ] | bgp } [ cost-type { external | internal } | cost cost |
    tag tag | route-policy route-policy-name | [ level-1 | level-2 |
    level-1-2 ] ] *
  – import-route { { ospf | rip | isis } [ process-id ] | bgp | direct | unr }
    inherit-cost [ { level-1 | level-2 | level-1-2 } | tag tag | route-policy
    route-policy-name ] *
  Description: Perform this step if another routing protocol is running
  between the MCE and PE devices in the VPN instance.
● Action: Return to system view.
  Command: quit
  Description: -
● Action: Enter the view of the interface to which the VPN instance is bound.
  Command: interface interface-type interface-number
  Description: -
● Action: Enable IS-IS on the interface.
  Command: isis enable [ process-id ]
  Description: -

Configure BGP Between an MCE Device and a Site


Perform the following configurations on the MCE device.

Table 7-17 MCE configuration

● Action: Enter the system view.
  Command: system-view
  Description: -
● Action: Enter the BGP view.
  Command: bgp { as-number-plain | as-number-dot }
  Description: -
● Action: Enter the BGP-VPN instance IPv4 address family view.
  Command: ipv4-family vpn-instance vpn-instance-name
  Description: -
● Action: Configure the device connected to the MCE device in the site as a
  VPN peer.
  Command: peer ipv4-address as-number as-number
  Description: -
● Action: Import the routes to the remote sites advertised by the PE device
  into the BGP routing table.
  Command: import-route protocol [ process-id ] [ med med | route-policy
  route-policy-name ] *
  Description: Perform this step if another routing protocol is running
  between the MCE and PE devices in the VPN instance.

Perform the following configurations on the device connected to the MCE device
in the site.

Table 7-18 Site configuration

● Action: Enter the system view.
  Command: system-view
  Description: -
● Action: Enter the BGP view.
  Command: bgp { as-number-plain | as-number-dot }
  Description: -
● Action: Configure the MCE device as a VPN peer.
  Command: peer ipv4-address as-number as-number
  Description: -
● Action: Import IGP routes of the VPN into the BGP routing table.
  Command: import-route protocol [ process-id ] [ med med | route-policy
  route-policy-name ] *
  Description: The site must advertise routes to its attached VPN network
  segments to the MCE device.

7.7.7.2 Configure Route Exchange Between an MCE Device and a PE Device

Context
Routing protocols that can be used between an MCE device and a PE device are
static routing, RIP, OSPF, IS-IS, and BGP. Choose one of the following
configurations as needed:
● Configure static routes between an MCE device and a PE device.
● Configure RIP between an MCE device and a PE device.
● Configure OSPF between an MCE device and a PE device.
● Configure IS-IS between an MCE device and a PE device.
● Configure BGP between an MCE device and a PE device.

The following configurations are performed on the MCE device. The configurations
on the PE device are similar to those on a PE device in the BGP/MPLS IP VPN
networking. For detailed configuration, see Configuring Route Exchange
Between PE and CE Devices.

Configure Static Routes Between an MCE Device and a PE Device


Perform the following configurations on the MCE device.

Table 7-19 MCE configuration

● Action: Enter the system view.
  Command: system-view
  Description: -
● Action: Configure a static route to the PE device.
  Command: ip route-static vpn-instance vpn-source-name destination-address
  { mask | mask-length } vpn-instance vpn-destination-name nexthop-address
  [ preference preference | tag tag ] *
  Description: You must specify the next hop address on the MCE device.

Configure RIP Between an MCE Device and a PE Device


Perform the following configurations on the MCE device.

Table 7-20 MCE configuration

● Action: Enter the system view.
  Command: system-view
  Description: -
● Action: Create a RIP process running between the MCE and PE devices and
  enter the RIP view.
  Command: rip process-id vpn-instance vpn-instance-name
  Description: A RIP process can be bound to only one VPN instance. If a RIP
  process is not bound to any VPN instance before it is started, this process
  becomes a public network process and can no longer be bound to a VPN
  instance.
● Action: Enable RIP on the network segment of the interface to which the VPN
  instance is bound.
  Command: network network-address
  Description: -
● Action: (Optional) Import VPN routes of the site into the RIP routing table.
  Command:
  – import-route { { static | direct | unr } | { rip | ospf | isis }
    [ process-id ] } [ cost cost | route-policy route-policy-name ] *
  – import-route bgp [ cost { cost | transparent } | route-policy
    route-policy-name ] *
  Description: Perform this step if another routing protocol is running
  between the MCE device and VPN sites in the VPN instance.

Configure OSPF Between an MCE Device and a PE Device


Perform the following configurations on the MCE device.

Table 7-21 MCE configuration

● Action: Enter the system view.
  Command: system-view
  Description: -
● Action: Create an OSPF process running between the MCE and PE devices and
  enter the OSPF view.
  Command: ospf [ process-id | router-id router-id ] * vpn-instance
  vpn-instance-name
  Description: -
● Action: (Optional) Import VPN routes of the site into the OSPF routing table.
  Command: import-route { bgp [ permit-ibgp ] | direct | unr | rip
  [ process-id-rip ] | static | isis [ process-id-isis ] | ospf
  [ process-id-ospf ] } [ cost cost | type type | tag tag | route-policy
  route-policy-name ] *
  Description: Perform this step if another routing protocol is running
  between the MCE device and VPN sites in the VPN instance.
● Action: Disable routing loop detection in the OSPF process.
  Command: vpn-instance-capability simple
  Description: By default, routing loop detection is disabled in an OSPF
  process. If routing loop detection is not disabled in the OSPF process on
  the MCE device, the MCE device rejects OSPF routes sent from the PE device.
● Action: Configure an OSPF area and enter the OSPF area view.
  Command: area { area-id | area-id-address }
  Description: -
● Action: Enable OSPF on the network segment of the interface to which the VPN
  instance is bound.
  Command: network ip-address wildcard-mask
  Description: -

Configure IS-IS Between an MCE Device and a PE Device


Perform the following configurations on the MCE device.

Table 7-22 MCE configuration

● Action: Enter the system view.
  Command: system-view
  Description: -
● Action: Create an IS-IS process running between the MCE and PE devices and
  enter the IS-IS view.
  Command: isis process-id vpn-instance vpn-instance-name
  Description: An IS-IS process can be bound to only one VPN instance. If an
  IS-IS process is not bound to any VPN instance before it is started, this
  process becomes a public network process and can no longer be bound to a VPN
  instance.
● Action: Set a network entity title (NET) for the IS-IS process.
  Command: network-entity net
  Description: A NET specifies the current IS-IS area address and the system
  ID of the router. A maximum of three NETs can be configured for one process
  on each router.
● Action: (Optional) Import VPN routes of the site into the IS-IS routing
  table.
  Command: Use either of the following commands:
  – import-route { direct | static | unr | { ospf | rip | isis }
    [ process-id ] | bgp } [ cost-type { external | internal } | cost cost |
    tag tag | route-policy route-policy-name | [ level-1 | level-2 |
    level-1-2 ] ] *
  – import-route { { ospf | rip | isis } [ process-id ] | bgp | direct | unr }
    inherit-cost [ { level-1 | level-2 | level-1-2 } | tag tag | route-policy
    route-policy-name ] *
  Description: Perform this step if another routing protocol is running
  between the MCE device and VPN sites in the VPN instance.
● Action: Return to system view.
  Command: quit
  Description: -
● Action: Enter the view of the interface to which the VPN instance is bound.
  Command: interface interface-type interface-number
  Description: -
● Action: Enable IS-IS on the interface.
  Command: isis enable [ process-id ]
  Description: -

Configure BGP Between an MCE Device and a PE Device


Perform the following configurations on the MCE device.

Table 7-23 MCE configuration

● Action: Enter the system view.
  Command: system-view
  Description: -
● Action: Enter the BGP view.
  Command: bgp { as-number-plain | as-number-dot }
  Description: -
● Action: Enter the BGP-VPN instance IPv4 address family view.
  Command: ipv4-family vpn-instance vpn-instance-name
  Description: -
● Action: Configure the PE device as the VPN peer of the MCE device.
  Command: peer ipv4-address as-number as-number
  Description: -
● Action: Import the routes to the remote sites advertised by the PE device
  into the BGP routing table.
  Command: import-route protocol [ process-id ] [ med med | route-policy
  route-policy-name ] *
  Description: Perform this step if another routing protocol is running
  between the MCE device and VPN sites in the VPN instance.

7.7.7.3 Verifying the MCE Configuration

Prerequisites
The configurations of the Multi-VPN-Instance CE function are complete.

Procedure
● Run the display ip routing-table vpn-instance vpn-instance-name
[ verbose ] command to check the VPN routing table on the multi-instance
CE. If there are routes to the LAN and the remote nodes for each service, the
configuration is successful.

----End

7.7.8 Configuring HoVPN


The HoVPN networking reduces the requirements for PE devices.

Pre-configuration Tasks
Before configuring HoVPN, complete the task of 7.7.1 Configuring Basic BGP/
MPLS IP VPN Functions.

Configuration Procedure
In addition to basic BGP/MPLS IP VPN configuration, you need to specify UPE
devices on the SPE device and advertise default routes of VPN instances to the
UPE devices.

When VPN services need to be transmitted over TE tunnels or when multiple
tunnels need to perform load balancing to fully use network resources, you also
need to complete the task of 7.7.15 Configuring Tunnel Policies.

NOTE

The VPN instance status obtained from a management information base (MIB) or schema
is Up only if at least one interface bound to the VPN instance is Up. On an HoVPN, VPN
instances on SPEs are not bound to interfaces. As a result, the VPN instance status obtained
from a MIB or schema is always Down. To solve this problem, run the transit-vpn
command in the VPN instance view or VPN instance IPv4 address family view of an SPE.
Then, the VPN instance status obtained from a MIB or schema is always Up, no matter
whether the VPN instance is bound to interfaces.

Perform the following steps on the SPE device.

Procedure
Step 1 Specify a UPE device.
1. Run system-view
The system view is displayed.
2. Run bgp { as-number-plain | as-number-dot }
The BGP view is displayed.
3. Run peer { ipv4-address | group-name } as-number as-number
A UPE device is specified as the BGP peer of the SPE.
4. Run ipv4-family vpnv4 [ unicast ]
The BGP-VPNv4 family view is displayed.
5. Run peer { ipv4-address | group-name } enable
The capability of exchanging BGP VPNv4 routing information with the peer is
enabled.
6. Run peer { ipv4-address | group-name } upe
The peer is specified as the UPE of the SPE.

Step 2 Advertise default routes of a VPN instance.
1. Run system-view
The system view is displayed.
2. Run bgp { as-number-plain | as-number-dot }
The BGP view is displayed.
3. Run ipv4-family vpnv4
The BGP-VPNv4 family view is displayed.
4. Run peer { ipv4-address | group-name } default-originate vpn-instance
vpn-instance-name
The default routes of a specified VPN instance are advertised to the UPE
device.
After running the command, the SPE advertises a default route to the UPE
with its local address as the next hop, regardless of whether there is a default
route in the local routing table.

----End

Verifying the Configuration


After completing the HoVPN configuration, run the display ip routing-table
command on the CE devices. You can see that the local CE device does not have
any route to the network segment of the remote CE interface but has a default
route with the next hop as the UPE device.

7.7.9 Configuring PBR to an LSP for VPN Packets


Policy-based routing (PBR) to an LSP enables the device to forward VPN packets
through LSPs on the MPLS backbone network through PBR, without the need to
search the forwarding table of the VPN instance.

Context
The AR supports PBR to an LSP for VPN packets, which can be used for VPN data
forwarding.
If VPN packets do not match the PBR rules, they are forwarded according to the
common VPN data forwarding process. If VPN packets match the PBR rules, they
are forwarded through the specified LSP.

NOTE

PBR to an LSP for VPN packets requires two or more LSPs. If PBR to an LSP for VPN packets
is used together with LDP FRR, the LSPs must work in active/standby mode. In other
situations, the LSPs can work in active/standby mode or load balancing mode.

Perform the following configuration on the ingress PE device.

Pre-configuration Tasks
Before configuring PBR to an LSP for VPN packets, complete the following tasks:
● Configuring an ACL to filter packets if you want to filter packets based on IP
addresses
● Configuring at least two LSPs from the ingress PE device to the egress PE
device
● Configuring LDP FRR if necessary

Procedure
Step 1 Configure PBR to an LSP for VPN packets.
1. Run system-view
The system view is displayed.
2. Run policy-based-route policy-name { deny | permit } node node-id
A routing policy or a policy node is created.
3. Run if-match acl acl-number
An if-match clause is configured to match the IP addresses of packets.
Or run if-match packet-length min-length max-length
An if-match clause is configured to match the lengths of IP packets.
4. Run apply lsp vpn vpn-instance-name ce-address [ pe-address [ p-address |
interface-type interface-number | secondary ] ]
PBR to an LSP is configured for VPN packets.
5. (Optional) Run ip policy-based-route refresh-time [ refreshtime-value ]
The interval at which local PBR updates LSPs is configured.
By default, the interval at which local PBR updates LSPs is 5000 ms.

Step 2 Apply PBR.

Enable PBR in the system (local PBR).
1. Run system-view
The system view is displayed.
2. Run ip local policy-based-route policy-name
Local PBR is enabled.
Local PBR takes effect only on locally originated packets, and only one local
PBR rule can be configured.

----End

Verifying the Configuration


After completing the configuration of PBR to an LSP, run the tracert lsp [ -a
source-ip | -exp exp-value | -h ttl-value | -r reply-mode | -t time-out ] * { ip
destination-address mask-length [ ip-address ] [ nexthop nexthop-address |
draft6 ] | te tunnel interface-number [ hot-standby | primary ] [ draft6 ]
[ compatible-mode ] } command to check the VPN packet transmission path. The
command output shows that VPN packets are transmitted through the specified
LSP.

NOTE

Before running the tracert lsp command on a CE device to check the packet forwarding
path, run the ttl propagate vpn command on the ingress and egress PE devices directly
connected to the CE device to enable MPLS IP TTL replication.

7.7.10 Configuring an OSPF Sham Link


A sham link between two PE devices on an MPLS VPN backbone network is treated
as an OSPF intra-area route, so VPN traffic is transmitted through this route
over the backbone network instead of through backdoor routes.

Pre-configuration Tasks
Before configuring an OSPF sham link, complete the following tasks:

● 7.7.1 Configuring Basic BGP/MPLS IP VPN Functions (use OSPF between PE
and CE)
● Configuring OSPF in the LANs where the CE devices are located

Context
OSPF sham links are IP unnumbered P2P links between two PE devices on an
MPLS VPN backbone network.

Generally, BGP peers use BGP extended community attributes to carry routing
information over the MPLS VPN backbone. OSPF running on a PE device can use
the routing information to generate inter-area routes from the PE to CE devices.

As shown in Figure 7-39, if an intra-area OSPF link exists between the network
segments of local and remote CE devices, this OSPF link is called a backdoor link.

Figure 7-39 OSPF sham link
(Diagram: PE1 and PE2 on the MPLS VPN backbone are connected by a sham link.
CE1 at VPN1 site1 and CE2 at VPN1 site2 run OSPF 200 in Area 0 and are
connected by a backdoor link.)

The routes that pass through a backdoor link are intra-area routes and have a
higher preference than the inter-area routes that pass through the MPLS VPN
backbone network. As a result, VPN traffic is always forwarded through the
backdoor routes instead of the backbone network. Generally, backdoor links are
only used as backup links.

To avoid such a problem, an OSPF sham link can be established between the PE
devices. In this way, the routes that pass through the MPLS VPN backbone
network become OSPF intra-area routes and are preferred over the backdoor
routes in VPN traffic forwarding.

Configure an OSPF sham link only when a backdoor link exists between two sites
in the same OSPF area. If no backdoor link exists between sites in the same area,
you do not need to configure any OSPF sham link.

Perform the following steps on the PE devices at both ends of a sham link.

Procedure
Step 1 Configure an endpoint address for the sham link.

Each VPN instance must have an endpoint address of the sham link. The endpoint
address is a loopback interface address with a 32-bit mask in the VPN address
space on a PE device. Multiple sham links of the same OSPF process share an
endpoint address, but sham links of different OSPF processes cannot have the
same endpoint address.
1. Run system-view
The system view is displayed.
2. Run interface loopback interface-number
A loopback interface is created and the loopback interface view is displayed.
3. Run ip binding vpn-instance vpn-instance-name
The loopback interface is bound to a VPN instance.
4. Run ip address ip-address { mask | mask-length }
An IP address is assigned to the loopback interface.

NOTE
The loopback interface address must have a 32-bit mask, 255.255.255.255.

Step 2 Advertise routes of the sham link endpoint address.


1. Run system-view
The system view is displayed.
2. Run bgp { as-number-plain | as-number-dot }
The BGP view is displayed.
3. Run ipv4-family vpn-instance vpn-instance-name
The BGP-VPN instance IPv4 address family view is displayed.
4. Run import-route direct
Direct routes are imported to BGP. (The route of the sham link endpoint
address is imported to BGP).
BGP advertises the sham link endpoint address as a VPN IPv4 address.

NOTE

The route of the sham link endpoint address cannot be advertised to the peer PE
through an OSPF process bound to a VPN instance.
If the route of the sham link endpoint address is advertised to the peer PE through an
OSPF process bound to a VPN instance, the peer PE has two routes to the sham link
endpoint address. One route is learned from the OSPF process, and the other is
learned from MP-BGP. The OSPF route takes precedence over the BGP route, so the
peer PE uses the OSPF route. As a result, the sham link fails to be established.

Step 3 Create a sham link.


1. Run system-view
The system view is displayed.
2. Run ospf process-id [ router-id router-id ] vpn-instance vpn-instance-name
The OSPF view is displayed.

3. Run area area-id


The OSPF area view is displayed.
4. Run sham-link source-ip-address destination-ip-address [ [ simple [ plain
plain-text | [ cipher ] cipher-text ] | { md5 | hmac-md5 | hmac-sha256 }
[ key-id { plain plain-text | [ cipher ] cipher-text } ] | authentication-null |
keychain keychain-name ] | smart-discover | cost cost | dead dead-interval |
hello hello-interval | retransmit retransmit-interval | trans-delay
trans-delay-interval ] *
A sham link is configured.
The default settings of the parameters in the command are as follows:
– cost (sham link interface cost): 1
– dead-interval (sham link timeout interval): 40 seconds
– hello-interval (interval for sending Hello packets on the sham link
interface): 10 seconds
– retransmit-interval (LSA packet retransmission interval on the sham link
interface): 5 seconds
– trans-delay-interval (delay in sending LSA packets on the sham link
interface): 1 second
Both ends of the sham link must use the same packet authentication method.
If packet authentication is configured, the PE devices accept only the OSPF
packets that pass the authentication. If packets fail the authentication, the
neighbor relationship cannot be established between the PE devices.
If simple-text authentication (simple) is used, the authentication key type is
plain by default. If the MD5 or HMAC-MD5 authentication (md5 | hmac-md5) is
used, the authentication key type is cipher by default.

NOTE

If plain is selected, the password is saved in the configuration file in plain text. This
brings security risks. It is recommended that you select cipher to save the password in
cipher text.
MD5 and HMAC-MD5 authentication cannot ensure security. Keychain authentication
is recommended.
To forward VPN traffic over the MPLS backbone network, ensure that the cost of the
sham link is smaller than the cost of the OSPF route used for forwarding VPN traffic
over the customer network. A commonly used method is to set the cost of the
forwarding interface on the customer network to be larger than the cost of the sham
link.

----End
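A configuration check for the sham-link rules in this procedure, added here as an example (it is not Huawei code). It flags weak or missing sham-link authentication, keys saved as plain, an endpoint address advertised through the VPN OSPF process, and an endpoint that is not a 32-bit loopback address in the VPN instance. The layout of the configuration text and all names, addresses and keys in it are constructed assumptions.

```python
import ipaddress
import re

# Constructed VRP-style PE configuration; names, addresses and keys are made up.
SAMPLE_CONFIG = """\
interface LoopBack10
 ip binding vpn-instance vpn1
 ip address 5.5.5.5 255.255.255.255
#
interface LoopBack20
 ip binding vpn-instance vpn2
 ip address 7.7.7.7 255.255.255.255
#
ospf 100 router-id 11.11.11.11 vpn-instance vpn1
 area 0.0.0.0
  network 100.1.1.0 0.0.0.255
  network 5.5.5.5 0.0.0.0
  sham-link 5.5.5.5 6.6.6.6 md5 1 plain Example-Key cost 10
#
ospf 200 vpn-instance vpn2
 area 0.0.0.1
  network 100.2.1.0 0.0.0.255
  sham-link 7.7.7.7 8.8.8.8 keychain kc-sham cost 1
#
"""

# Authentication keywords from the sham-link syntax that this check treats as weak.
WEAK_MODES = {
    "simple": "simple-text authentication carries the key unprotected in OSPF packets",
    "md5": "MD5 authentication cannot ensure security; keychain is recommended",
    "hmac-md5": "HMAC-MD5 authentication cannot ensure security; keychain is recommended",
    "authentication-null": "authentication is explicitly disabled",
}
AUTH_MODES = set(WEAK_MODES) | {"hmac-sha256", "keychain"}


def covered(addr, net, wildcard):
    """True if addr is matched by an OSPF 'network <net> <wildcard>' statement."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)          # wildcard bits set to 1 are ignored


def parse(config):
    """Collect loopback addresses per VPN instance and OSPF processes bound to one."""
    loopbacks, processes = {}, {}
    kind = cur = None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "#":
            continue
        if not raw[0].isspace():         # an unindented line opens a new section
            kind = cur = None
            ospf = re.match(r"ospf (\d+)\b.*\bvpn-instance (\S+)", raw)
            if re.match(r"interface LoopBack\d+$", raw.strip(), re.I):
                kind, cur = "loopback", {"vpn": None}
            elif ospf:
                kind = "ospf"
                cur = processes.setdefault(
                    ospf.group(1), {"vpn": ospf.group(2), "networks": [], "shams": []})
        elif kind == "loopback":
            if tok[:3] == ["ip", "binding", "vpn-instance"] and len(tok) == 4:
                cur["vpn"] = tok[3]
            elif tok[:2] == ["ip", "address"] and len(tok) >= 4:
                loopbacks[(cur["vpn"], tok[2])] = tok[3]
        elif kind == "ospf":
            if tok[0] == "network" and len(tok) >= 3:
                cur["networks"].append((tok[1], tok[2]))
            elif tok[0] == "sham-link" and len(tok) >= 3:
                cur["shams"].append(tok[1:])
    return loopbacks, processes


def audit_sham_links(config):
    """Return sorted (ospf_process, sham_link_source, finding) tuples."""
    loopbacks, processes = parse(config)
    findings = []
    for pid, proc in processes.items():
        for src, _dst, *opts in proc["shams"]:
            mode = next((t for t in opts if t in AUTH_MODES), None)
            if mode is None:
                findings.append((pid, src, "no authentication configured"))
            elif mode in WEAK_MODES:
                findings.append((pid, src, WEAK_MODES[mode]))
            # With simple authentication the key type defaults to plain.
            if "plain" in opts or (mode == "simple" and "cipher" not in opts):
                findings.append((pid, src, "key is saved in plain text; use cipher"))
            if any(covered(src, n, w) for n, w in proc["networks"]):
                findings.append((pid, src, "endpoint is advertised by the VPN OSPF process; "
                                 "the peer PE prefers it over the MP-BGP route"))
            if loopbacks.get((proc["vpn"], src)) not in ("32", "255.255.255.255"):
                findings.append((pid, src, "endpoint is not a loopback address with "
                                 "a 32-bit mask in the VPN instance"))
    return sorted(findings)


if __name__ == "__main__":
    for pid, src, finding in audit_sham_links(SAMPLE_CONFIG):
        print(f"ospf {pid} sham-link {src}: {finding}")
```

On the constructed sample, OSPF process 100 is reported three times (MD5, plain key, endpoint covered by a network statement) and process 200 is clean.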

Verifying the Configuration


After configuring an OSPF sham link, you can check the routing table on a CE,
trace the nodes that data packets pass through from local CE to the remote CE,
and check whether the sham link is successfully established on the PE.
● Run the display ip routing-table vpn-instance vpn-instance-name command
on the PE to check the VPN routing table. You can see from the VPN routing
table that the route from the PE to the remote CE is a BGP route that passes

through the backbone network but not an OSPF route that passes through
the customer network.
● Run the display ip routing-table and tracert host commands on a CE, and
you can find that the VPN traffic from the local CE to the remote CE is
forwarded through the backbone network.
● Run the display ospf process-id sham-link [ area area-id ] command on the
PE to check whether the sham link is established successfully. You can find
that the OSPF neighbor relationship between the PE and the remote CE is
Full.
● Run the display ospf routing command on the CE, and you can find that the
route to the remote CE is an intra-area route.

7.7.11 Configuring Route Reflection to Optimize the VPN Backbone Layer

Using an RR can reduce the number of MP IBGP connections between PEs. This
not only reduces the burden of PEs, but also facilitates network maintenance and
management.

Pre-configuration Tasks
Before configuring route reflection to optimize the VPN backbone layer, complete
the following tasks:

● Configuring the routing protocol for the MPLS backbone network to
implement IP interworking between devices on the backbone network
● Establishing tunnels (LSPs, GRE, or MPLS TE tunnels) between the RR and all
client PE devices

Configuration Procedure
All the following configuration tasks are mandatory. An RR can be any device,
such as a P, PE, or ASBR.

7.7.11.1 Configuring the Client PEs to Establish MP IBGP Connections with the RR

Context
Perform the following steps on all Client PEs.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run bgp { as-number-plain | as-number-dot }

The BGP view is displayed.

Step 3 Run peer ipv4-address as-number as-number


The RR is specified as the BGP peer.
Step 4 Run peer ipv4-address connect-interface interface-type interface-number
The interface is specified as an interface to establish the TCP connection.
Step 5 Run ipv4-family vpnv4
The BGP VPNv4 address family view is displayed.
Step 6 Run peer ipv4-address enable
The capability of exchanging VPNv4 routes between the PE and RR is enabled.

----End

7.7.11.2 Configuring the RR to Establish MP IBGP Connections with the Client PEs

Context
Choose one of the following schemes to configure the RR.

Procedure
● Configuring the RR to establish MP IBGP connections with the peer group
Add all the client PEs to the peer group and establish MP-IBGP connections
with the peer group.
a. Run system-view
The system view is displayed.
b. Run bgp { as-number-plain | as-number-dot }
The BGP view is displayed.
c. Run group group-name [ internal ]
An IBGP peer group is created.
d. Run peer group-name connect-interface interface-type interface-number
The interface is specified as an interface to establish the TCP connection.
e. Run ipv4-family vpnv4
The BGP VPNv4 address family view is displayed.
f. Run peer group-name enable
The capability of exchanging IPv4 VPN routes between the RR and the
peer group is enabled.
By default, only the peer in the BGP IPv4 unicast address family view is
automatically enabled.
g. Run peer ip-address group group-name
The peer is added to the peer group.

● Configuring the RR to establish an MP IBGP connection with each client PE
Repeat the following steps on the RR to establish an MP IBGP connection with
each client PE.
a. Run system-view
The system view is displayed.
b. Run bgp { as-number-plain | as-number-dot }
The BGP view is displayed.
c. Run peer ipv4-address as-number as-number
The client PE is specified as the BGP peer.
d. Run peer ipv4-address connect-interface interface-type interface-number
The interface is specified as an interface to establish the TCP connection.
e. Run ipv4-family vpnv4
The BGP VPNv4 address family view is displayed.
f. Run peer ipv4-address enable
The capability of exchanging VPNv4 routes between the RR and the client
PE is enabled.

----End

7.7.11.3 Configuring Route Reflection for BGP IPv4 VPN Routes

Context
Perform the following steps on the RR.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run bgp { as-number-plain | as-number-dot }

The BGP view is displayed.

Step 3 Run ipv4-family vpnv4

The BGP VPNv4 address family view is displayed.

Step 4 Enable route reflection for BGP VPNv4 routes on the RR.
● Run the peer group-name reflect-client command to enable route reflection
if the RR establishes the MP IBGP connection with the peer group consisting
of client PEs.
● Run the peer ipv4-address reflect-client command repeatedly to enable
route reflection if the RR establishes the MP IBGP connection with each PE
rather than with a peer group.

Step 5 Run undo policy vpn-target

The filtering of VPNv4 routes based on the VPN target is disabled.

Step 6 (Optional) Run rr-filter { extcomm-filter-number | extcomm-filter-name }

The reflection policy is configured for the RR. Only IBGP routes whose
route-target extended community attribute meets the matching rules can be
reflected. This allows load balancing among RRs.

In the command, the extended community filter specified by
extcomm-filter-number or extcomm-filter-name must have been configured using
the ip extcommunity-filter command.

Step 7 (Optional) Run undo reflect between-clients
Route reflection is disabled between clients.
If the clients of an RR have established full-mesh connections with each other, the
undo reflect between-clients command can be used to disable route reflection
between clients in order to reduce the link cost. By default, route reflection is
enabled between the clients of an RR.
This command can only be configured on the RR.
Step 8 (Optional) Run reflector cluster-id cluster-id
The RR cluster ID is set.
If a cluster has multiple RRs, you can use this command to set the same cluster ID
for these RRs to prevent routing loops. By default, the cluster ID is the router ID.

----End
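
The settings from 7.7.11.2 and 7.7.11.3 can also be checked offline against a saved RR configuration. The following Python script is an added example, not part of the Huawei guide; the configuration layout it parses, the sample addresses and group name, and the issue labels it returns are assumptions.

```python
import re

# Constructed sample of the BGP section of an RR configuration. The layout
# (one space of indentation per view, "#" between views) is an assumption
# about how the device displays its configuration; addresses are examples.
SAMPLE_RR_CONFIG = """\
bgp 100
 group clients internal
 peer clients connect-interface LoopBack0
 peer 10.0.0.1 group clients
 peer 10.0.0.2 group clients
 peer 10.0.0.3 as-number 100
 peer 10.0.0.3 connect-interface LoopBack0
 #
 ipv4-family vpnv4
  peer clients enable
  peer clients reflect-client
  peer 10.0.0.1 group clients
  peer 10.0.0.2 group clients
  peer 10.0.0.3 enable
#
"""


def vpnv4_view(config):
    """Return the commands found inside the 'ipv4-family vpnv4' view."""
    commands, inside, view_indent = [], False, 0
    for raw in config.splitlines():
        text = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        if inside:
            # The view ends at a separator or at an equal or shallower indent.
            if not text or text.startswith("#") or indent <= view_indent:
                break
            commands.append(text)
        elif text == "ipv4-family vpnv4":
            inside, view_indent = True, indent
    return commands


def audit_rr(config):
    """Check the VPNv4 view against sections 7.7.11.2 and 7.7.11.3.

    Returns a sorted list of (subject, issue) tuples; an empty list means
    every check passed.
    """
    commands = vpnv4_view(config)
    if not commands:
        return [("vpnv4", "view-missing")]

    enabled, clients, group_of = set(), set(), {}
    for cmd in commands:
        m = re.fullmatch(r"peer (\S+) (enable|reflect-client)", cmd)
        if m:
            (enabled if m.group(2) == "enable" else clients).add(m.group(1))
            continue
        m = re.fullmatch(r"peer (\S+) group (\S+)", cmd)
        if m:
            group_of[m.group(1)] = m.group(2)

    findings = []
    for peer in enabled | clients | set(group_of):
        group = group_of.get(peer)  # a group member takes the group's settings
        if peer not in enabled and group not in enabled:
            findings.append((peer, "vpnv4-not-enabled"))
        if peer not in clients and group not in clients:
            # Expected only for peers that are deliberately non-clients.
            findings.append((peer, "not-reflect-client"))
    if "undo policy vpn-target" not in commands:
        findings.append(("vpnv4", "policy-vpn-target-active"))  # Step 5 missing
    if not any(c.startswith("rr-filter ") for c in commands):
        # Step 6 is optional, so this is reported for information only.
        findings.append(("vpnv4", "info:no-rr-filter"))
    return sorted(findings)


if __name__ == "__main__":
    for subject, issue in audit_rr(SAMPLE_RR_CONFIG):
        print(f"{subject}: {issue}")
```
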

7.7.11.4 Verifying the Configuration of Route Reflection to Optimize the VPN Backbone Layer

Prerequisites
Route reflection for optimizing the VPN backbone layer has been configured.

Procedure
● Run the display bgp vpnv4 all peer [ [ ipv4-address ] verbose ] command to
check information about the BGP VPNv4 peer on the RR or the Client PEs. You
can find that the status of the MP IBGP connections between the RR and all
Client PEs is "Established".
● Run the display bgp vpnv4 all routing-table peer ipv4-address
{ advertised-routes | received-routes } command or display bgp vpnv4 all
routing-table statistics command to check information about the routes
received from the peer or the routes advertised to the peer on the RR or the
Client PEs. You can find that the RR and each Client PE can send VPNv4 routing
information to and receive it from each other.
● Run the display bgp vpnv4 all group [ group-name ] command to check
information about the VPNv4 peer group on the RR. You can view information
about the group members and find that the status of the BGP connections
between the RR and the group members is "Established".

----End

7.7.12 Configuring IP FRR for VPN Routes


When multiple CE devices in a VPN site connect to the same PE, you can configure
IP FRR for VPN routes. IP FRR enables VPN traffic to be fast switched to another
PE-CE link when the next hop of the primary route is unreachable.

Pre-configuration Tasks
Before configuring IP FRR for VPN routes, complete the following tasks:

● 7.7.1 Configuring Basic BGP/MPLS IP VPN Functions


● Ensuring that the PE has learned VPN routes with the same prefix from the
attached CE devices

Context
IP FRR for VPN routes is used in scenarios where multiple CE devices connect to
one PE device. As shown in Figure 7-40, the PE device forwards data to the site of
vpn1 through Link_A, and Link_B is a backup link. When the PE device detects that
the route to CE1 is unreachable, it immediately switches traffic to Link_B and then
performs other operations to trigger VPN route convergence. This minimizes
impact of the link failure on VPN services.

Figure 7-40 IP FRR for VPN routes (diagram not reproduced; labels: IP/MPLS Backbone, PE, SwitchA, Link_A, Link_B, CE1, CE2, VPN1 Site)

Configuration Procedure
The router supports IP FRR for VPN routes.

Perform the following steps on a PE device.

Procedure
● Configure IP FRR.
a. Run system-view
The system view is displayed.
b. Run route-policy route-policy-name { permit | deny } node node
A node is configured for a route-policy, and the route-policy view is
displayed.
c. Run apply backup-interface interface-type interface-number
A backup outbound interface is specified.
d. (Optional) Run apply backup-nexthop ip-address
A backup next hop is specified.
The backup next hop is optional for a P2P link and mandatory for a non-P2P
link.
e. Run quit
Return to the system view.
f. Run ip vpn-instance vpn-instance-name
The VPN instance view is displayed.
g. Run ipv4-family
The VPN instance IPv4 address family view is displayed.
h. Run ip frr route-policy route-policy-name
IP FRR is enabled for the VPN instance IPv4 address family.

----End

Verifying the Configuration


Run the display ip routing-table vpn-instance vpn-instance-name
[ ipv4-address ] verbose command to check the backup next hops and backup
outbound interfaces of VPN-IPv4 routes in the routing table.

7.7.13 Configuring VPN FRR


In the networking of CE dual-homing, you can configure VPN FRR to ensure VPN
service switchover to a secondary link when the primary link between PEs fails.

Pre-configuration Tasks
Before configuring VPN FRR, complete the following tasks:

● 7.7.1 Configuring Basic BGP/MPLS IP VPN Functions


● Generating two unequal-cost routes on the PE by setting different costs or
metrics

Context
VPN FRR is used in PE multi-homing scenarios to enhance network reliability. As
shown in Figure 7-41, if the primary link (Link A) between PE1 and ASBR1 fails,
VPN FRR quickly switches traffic to the backup link (Link B) between PE1 and
ASBR2 to minimize the impact of the link failure on VPN services.

Figure 7-41 VPN FRR networking (diagram not reproduced; labels: VPN Site with CE1 and CE2, PE1, Link A, ASBR1, Link B, ASBR2, AS100)

You can configure VPN FRR in either of the following modes:


● Manual VPN FRR: Information such as the backup next hop is specified.
● Auto VPN FRR: The backup next hop is unspecified, but a proper next hop is
selected for the VPN route.
You can select either mode as required. If both of them are configured, manual
VPN FRR has a higher priority. When manual VPN FRR fails, auto VPN FRR takes
effect.

NOTE

● Configuring the lsp-trigger command on the P is not recommended when an LSP is
created on the VPN backbone network. Use the default configuration on the P.
Otherwise, VPN FRR switchback may fail.
● To implement fast switching within milliseconds, configure BFD for LSPs. For details
about BFD, see Configuring Static BFD to Detect an LDP LSP, Configuring Dynamic BFD
for LDP LSPs and Configuring Static BFD for TE Tunnels in Huawei AR Series Access
Routers Configuration Guide - MPLS. Perform the BFD configuration based on the
tunnel used for forwarding VPN services.
● In the L3VPN over GRE scenario, the device does not support the VPN FRR function.

Perform the following steps on a PE device.

Procedure
● Configure manual VPN FRR.
a. Run system-view
The system view is displayed.
b. Run route-policy route-policy-name { permit | deny } node node
The routing policy node is created and the routing policy view is
displayed.
c. Run apply backup-nexthop ip-address
The backup next hop is configured.

d. Run quit
Return to the system view.
e. Run ip vpn-instance vpn-instance-name
The VPN instance view is displayed.
f. Run ipv4-family
The VPN instance IPv4 address family view is displayed.
g. Run vpn frr route-policy route-policy-name
VPN FRR is enabled.
● Enable VPN auto FRR using a routing policy.
a. Run system-view
The system view is displayed.
b. Run route-policy route-policy-name { permit | deny } node node
The routing policy node is created and the routing policy view is
displayed.
c. Run apply backup-nexthop auto
The auto mode is used.
d. Run quit
Return to the system view.
e. Run ip vpn-instance vpn-instance-name
The VPN instance view is displayed.
f. Run ipv4-family
The VPN instance IPv4 address family view is displayed.
g. Run vpn frr route-policy route-policy-name
VPN FRR is enabled.
● (Optional) Add multiple VPNv4 routes to the VPN instance with a different
RD from these routes' RDs.
By default, if the RD of the VPN instance on the local PE is different from the
RDs of the VPN instances on multiple remote PEs, and the RDs of the VPN
instances on remote PEs are the same, the local PE adds only the optimal
route to the VPN instance after receiving VPNv4 or VPNv6 routes with the
same destination address from the remote PEs. As a result, load balancing or
VPN FRR does not take effect. To resolve this problem, run the vpn-route
cross multipath command on the local PE.
a. Run system-view
The system view is displayed.
b. Run bgp { as-number-plain | as-number-dot }
The BGP view is displayed.
c. Run ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance IPv4 address family view is displayed.


d. Run vpn-route cross multipath
Multiple VPNv4 routes are added to the VPN instance with a different RD
from these routes' RDs.
● (Optional) Disable VPN FRR in all VPN instances.
To disable VPN FRR in a VPN instance, run the undo vpn frr command in the
VPN instance view. However, if multiple VPN instances are configured on a PE
and VPN FRR is enabled for each VPN instance, it is complex to disable VPN
FRR one by one in these VPN instances.
To address this problem, the device allows you to disable VPN FRR in all VPN
instances using one command.
a. Run system-view
The system view is displayed.
b. Run undo vpn frr all
VPN FRR is disabled in all VPN instances.
----End

Verifying the Configuration


After all VPN FRR configurations are complete, run the display ip routing-table
vpn-instance vpn-instance-name [ ip-address ] verbose command to check
information about the backup next-hop PE, backup tunnel, and backup label.

7.7.14 Configuring VPN GR


You can configure VPN GR to ensure that VPN traffic is not interrupted on the
PE, CE, or P device during an active/standby control board switchover or a
system upgrade.

Context
In the GR process, two roles are defined according to their functions: GR
restarter and GR helper.
● GR restarter: performs active/standby control board switchover or the system
upgrade.
● GR helper: helps the GR restarter to implement uninterrupted service
forwarding.

NOTE

The AR3260 can function as both the GR restarter and GR helper, and other devices can
only function as the GR helper.

VPN GR is the collection of GR capabilities of various protocols running on devices
on VPN networks. You need to configure IGP GR, BGP GR, MPLS LDP GR, or MPLS
TE GR based on the related protocol running on the GR restarter. You also need to
configure neighboring devices of the GR restarter as the GR helper to help the GR
restarter implement uninterrupted service forwarding.

Configure specified VPN GR on the PE, CE, and P as follows:


● Configure IGP GR, BGP GR and MPLS LDP (or MPLS TE) GR on the PE device.
● Configure IGP GR and the MPLS LDP (or MPLS TE) GR on the P device.
● Configure IGP GR or the BGP GR on the CE device.
● If a VPN spans multiple ASs, you must configure the IGP GR, BGP GR and
MPLS LDP GR on the ASBR.

NOTE

The GR capability cannot ensure uninterrupted traffic forwarding when the neighboring
device performs an active/standby switchover at the same time.

Pre-configuration Tasks
Before configuring VPN GR, complete the following tasks:
● 7.7.1 Configuring Basic BGP/MPLS IP VPN Functions
● Enabling GR Helper on all the devices on the network

Procedure
● Configure IS-IS GR or OSPF GR.
– For details about how to configure IS-IS GR, see section "Enabling IS-IS
GR" in Huawei AR Series Access Routers Configuration Guide - IP Routing.
– For details about how to configure OSPF GR, see section "Configuring
OSPF GR" in Huawei AR Series Access Routers Configuration Guide - IP
Routing.
● Configure BGP GR.
– For details about how to configure BGP GR, see section "Configuring the
BGP GR Function" in Huawei AR Series Access Routers Configuration
Guide - IP Routing.
● Configure MPLS LDP GR or MPLS TE GR.
– For details about how to configure MPLS LDP GR, see section
"Configuring LDP GR" in Huawei AR Series Access Routers Configuration
Guide - MPLS.
– For details about how to configure MPLS TE GR, see section "Configuring
RSVP GR" in Huawei AR Series Access Routers Configuration Guide -
MPLS.
----End

7.7.15 Configuring Tunnel Policies


This section describes how to configure a tunnel policy and tunnel selector. By
default, VPN services are transmitted through LSP tunnels. To use TE tunnels to
transmit VPN services or load balance VPN traffic on multiple tunnels, configure a
tunnel policy.

Pre-configuration Tasks
Before configuring a tunnel policy, complete the following tasks:

● Creating the GRE, LSP, or MPLS TE tunnels used to transmit VPN services


NOTE

For details on how to create a GRE tunnel, see GRE Configuration in the Huawei AR
Series Access Routers Configuration Guide - VPN.
For details on how to create an LSP tunnel, see MPLS LDP Configuration in the
Huawei AR Series Access Routers Configuration Guide - MPLS.
For details on how to create a TE tunnel, see MPLS TE Configuration in the Huawei AR
Series Access Routers Configuration Guide - MPLS.
● Establishing the basic VPN network (For details about BGP/MPLS IP VPN
configuration, see Configuring Basic BGP/MPLS IP VPN Functions)

Before configuring and applying a tunnel selector, complete the following tasks:

● Configuring a tunnel policy (see 7.7.15.1 Configuring and Applying a Tunnel
Policy)
● Configuring an RD filter if routes need to be filtered based on RDs
● Configuring an ACL or IPv4 prefix if routes need to be filtered based on the
next hop IPv4 address

Configuration Procedure
When VPN services need to be transmitted over TE or GRE tunnels, or when
multiple tunnels need to perform load balancing to fully use network resources,
complete the task of 7.7.15.1 Configuring and Applying a Tunnel Policy.

To select TE or GRE tunnels to transmit VPN services in HoVPN, inter-AS VPN
Option B, or inter-AS VPN Option C networking, complete the task of 7.7.15.2
Configuring and Applying a Tunnel Selector on the SPE, ASBR, and PE devices.

NOTE

By default, if you specify a nonexistent tunnel policy in a command, the command does not
take effect.
To allow a nonexistent tunnel policy to be specified in a command, run the
tunnel-policy nonexistent-config-check command.

7.7.15.1 Configuring and Applying a Tunnel Policy

Context
VPN data is transmitted over tunnels. By default, LSP tunnels are used to transmit
data, and each service is transmitted by only one LSP tunnel.

If the default tunnel configuration cannot meet VPN service requirements, apply
tunnel policies to VPNs. You can configure either of the following types of tunnel
policies according to service requirements:

● Tunnel type prioritization policy: This policy can change the type of tunnels
selected for VPN data transmission or select multiple tunnels for load
balancing.
● Tunnel binding policy: This policy can bind multiple TE tunnels to provide QoS
guarantee for a VPN.

Perform the following steps on the PE devices that need to use a tunnel policy.

Procedure
Step 1 Configure a tunnel policy.

Use either of the following methods to configure a tunnel policy.

Configure a tunnel type prioritization policy.

By default, no tunnel policy is configured. LSP tunnels are used to transmit VPN
data and each VPN service is transmitted over one LSP tunnel.

1. Run system-view

The system view is displayed.


2. Run tunnel-policy policy-name

A tunnel policy is created, and tunnel policy view is displayed.


3. (Optional) Run description description-information

The description of the tunnel policy is configured.


4. Run tunnel select-seq { gre | lsp | cr-lsp }* load-balance-number
load-balance-number
The sequence in which each type of tunnel is selected and the number of
tunnels participating in load balancing are set.
Configure a tunnel binding policy.
1. Run system-view

The system view is displayed.


2. Run interface tunnel interface-number

A tunnel interface is created and the tunnel interface view is displayed.


3. Run tunnel-protocol mpls te

MPLS TE is configured as a tunnel protocol.


4. Run mpls te reserved-for-binding

The binding capability of the TE tunnel is enabled.


5. Run mpls te commit

The MPLS TE configuration is committed for the configuration to take effect.


6. Run quit

Return to the system view.


7. Run tunnel-policy policy-name

A tunnel policy is created.


8. (Optional) Run description description-information

The description of the tunnel policy is configured.


9. Run tunnel binding destination dest-ip-address te
{ tunnel interface-number } &<1-16> [ ignore-destination-check ] [ down-switch ]

Bind specified TE tunnels in the policy.

NOTE

– If the PE device has multiple peers, you can run the tunnel binding command
multiple times to specify different destination IP addresses in a tunnel policy.
– If down-switch is specified in the command, the system selects available tunnels
in an order of LSP, CR-LSP, and GRE when the bound tunnels are unavailable.

Step 2 Apply the tunnel policy.


1. Run system-view

The system view is displayed.


2. Run ip vpn-instance vpn-instance-name

The VPN instance view is displayed.


3. Run ipv4-family

The VPN instance IPv4 address family view is displayed.


4. Run tnl-policy policy-name

A tunnel policy is applied to the VPN instance IPv4 address family.

----End

Verifying the Configuration


After configuring a tunnel policy and applying it to a VPN instance, you can check
information about the tunnel policy applied to the VPN instance and tunnels in
the system.

● Run the display tunnel-info { tunnel-id tunnel-id | all | statistics [ slots ] }
command to check information about tunnels in the system.
● Run the display interface tunnel interface-number command to check
detailed information about a specified tunnel interface.
● Run the display tunnel-policy [ tunnel-policy-name ] command to check
information about the specified tunnel policy.
● Run the display ip vpn-instance verbose [ vpn-instance-name ] command to
check the tunnel policy applied to the specified VPN instance.

7.7.15.2 Configuring and Applying a Tunnel Selector

Context
By configuring a tunnel selector, you can set route filtering conditions to iterate
expected routes to the specified tunnels. A tunnel selector consists of two parts:
● if-match clause: matches an attribute of routes, for example, RD and next
hop.
If no if-match clause is configured in a tunnel selector, all routes match the
tunnel selector.
● apply clause: applies a tunnel policy to the routes matching the filtering rules.

After a tunnel selector is applied to routes on a PE, ASBR, or SPE device, the device
filters routes using the specified filtering rules and iterates the matching routes to
specified tunnels.
A tunnel selector takes effect for the following routes:
● VPNv4 routes: When a tunnel selector is applied to a BGP-VPNv4 address
family on an SPE device in HoVPN networking or an ASBR in inter-AS VPN
Option B networking, the SPE device or ASBR applies the tunnel policy to
VPNv4 routes and iterates the matching routes to expected tunnels.
● Labeled BGP-IPv4 routes: When a tunnel selector is applied to the BGP-IPv4
unicast address family on a PE device or an ASBR in inter-AS VPN Option C
networking, the PE device or ASBR applies the tunnel policy to labeled BGP-
IPv4 routes.

Procedure
Step 1 Create a tunnel selector.
1. Run system-view
The system view is displayed.
2. Run tunnel-selector tunnel-selector-name { permit | deny } node node
A tunnel selector is created, and the tunnel selector view is displayed.
3. (Optional) Configure if-match clauses.
If no if-match clause is configured in a tunnel selector, all routes match the
tunnel selector.
– To configure an if-match clause that filters routes based on route
distinguishers (RDs), run if-match rd-filter rd-filter-number.
– To configure an if-match clause that filters routes based on next-hop
IPv4 addresses, run if-match ip next-hop { acl { acl-number | acl-name }
| ip-prefix ip-prefix-name }.
– To configure an if-match clause that filters routes based on next-hop
IPv6 addresses, run if-match ipv6 next-hop prefix-list ipv6-prefix-name.
4. Run apply tunnel-policy tunnel-policy-name
An apply clause is configured to specify a tunnel policy for the routes
matching the if-match clause.
Step 2 Apply the tunnel selector.
Apply the tunnel selector to VPNv4 routes.
Perform the following steps on an SPE device in HoVPN networking or an ASBR in
inter-AS VPN Option B networking:
1. Run system-view
The system view is displayed.
2. Run bgp { as-number-plain | as-number-dot }
The BGP view is displayed.
3. Run ipv4-family vpnv4
The BGP-VPNv4 address family view is displayed.
4. Run tunnel-selector tunnel-selector-name
The tunnel selector is applied to VPNv4 routes on the local device. The tunnel
policy specified in the apply clause is applied to the VPNv4 routes that
match the if-match clause. The VPNv4 routes that are filtered out by the
if-match clause are iterated to LSP tunnels.
Apply the tunnel selector to labeled BGP-IPv4 routes.
Perform the following steps on a PE device or an ASBR in inter-AS VPN Option C
networking:
1. Run system-view
The system view is displayed.
2. Run bgp { as-number-plain | as-number-dot }
The BGP view is displayed.
3. Run tunnel-selector tunnel-selector-name
The tunnel selector is applied to labeled BGP-IPv4 routes on the local device.
The tunnel policy specified in the apply clause is applied to the labeled
BGP-IPv4 routes that match the if-match clause. The labeled BGP-IPv4 routes
that are filtered out by the if-match clause are iterated to LSP tunnels.

----End

Verifying the Configuration


After configuring and applying a tunnel selector, run the following commands to
check information about the tunnel selector and tunnel policy specified in the
tunnel selector.
● Run the display tunnel-selector tunnel-selector-name command to check
detailed information about the tunnel selector.

● Run the display tunnel-policy tunnel-policy-name command to check
information about the tunnel policy specified by the apply clause in the
tunnel selector.
● Run the display bgp vpnv4 all routing-table ipv4-address
[ mask [ longer-prefixes ] | mask-length [ longer-prefixes ] ] command to
check tunnels selected for VPNv4 routes on the ASBR or SPE device.
● Run the display ip routing-table ip-address [ mask | mask-length ]
[ longer-match ] verbose command to check the tunnels selected for labeled
BGP-IPv4 routes on the PE device.
● Run the display tunnel-info { tunnel-id tunnel-id | all | statistics [ slots ] }
command to check information about tunnels in the system.
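
Two mistakes are easy to make in 7.7.15.1 and 7.7.15.2: a tnl-policy or apply tunnel-policy command that names a tunnel policy that is not defined, and a tunnel binding that points at a TE tunnel without mpls te reserved-for-binding. The following Python script is an added example, not part of the Huawei guide, that checks a saved configuration for both; the configuration layout it parses, the displayed form of interface names, and all names and addresses in the sample are assumptions.

```python
import re

# Constructed sample configuration. The layout (a header line at column 0,
# indented commands, "#" separators) and the displayed interface names are
# assumptions; policy names, VPN names and addresses are examples.
SAMPLE_CONFIG = """\
interface Tunnel0/0/1
 tunnel-protocol mpls te
 destination 2.2.2.9
 mpls te reserved-for-binding
 mpls te commit
#
interface Tunnel0/0/2
 tunnel-protocol mpls te
 destination 3.3.3.9
 mpls te commit
#
tunnel-policy te-first
 tunnel select-seq cr-lsp lsp load-balance-number 2
#
tunnel-policy bind-te
 tunnel binding destination 2.2.2.9 te Tunnel0/0/1
 tunnel binding destination 3.3.3.9 te Tunnel0/0/2 down-switch
#
ip vpn-instance vpna
 ipv4-family
  tnl-policy te-first
#
ip vpn-instance vpnb
 ipv4-family
  tnl-policy gre-only
#
tunnel-selector ts1 permit node 10
 if-match rd-filter 1
 apply tunnel-policy bind-te
#
"""

# Accepts both "Tunnel0/0/1" and "tunnel 0/0/1".
TUNNEL_RE = re.compile(r"tunnel\s?(\d+(?:/\d+)*)", re.IGNORECASE)


def sections(config):
    """Map each top-level header line to the stripped commands under it."""
    result, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("#"):
            current = None
        elif not raw[0].isspace():
            current = result.setdefault(raw.strip(), [])
        elif current is not None:
            current.append(raw.strip())
    return result


def audit_tunnel_policies(config):
    """Return sorted (where, issue) tuples; an empty list means no findings."""
    policies, bindable, references = {}, {}, []
    for header, cmds in sections(config).items():
        words = header.split()
        ref_prefix = None
        if words[0] == "tunnel-policy" and len(words) == 2:
            policies[words[1]] = cmds
        elif words[0] == "interface" and len(words) == 2:
            m = TUNNEL_RE.fullmatch(words[1])
            if m:  # remember whether the binding capability is enabled
                bindable["Tunnel" + m.group(1)] = (
                    "mpls te reserved-for-binding" in cmds)
        elif header.startswith("ip vpn-instance "):
            where, ref_prefix = "vpn-instance " + words[2], "tnl-policy "
        elif words[0] == "tunnel-selector" and len(words) > 1:
            where = "tunnel-selector " + words[1]
            ref_prefix = "apply tunnel-policy "
        if ref_prefix:
            references += [(where, c[len(ref_prefix):].strip())
                           for c in cmds if c.startswith(ref_prefix)]

    findings = [(where, "undefined tunnel-policy " + name)
                for where, name in references if name not in policies]
    for name, cmds in policies.items():
        for cmd in cmds:
            if not cmd.startswith("tunnel binding "):
                continue
            _, _, bound = cmd.partition(" te ")
            for number in TUNNEL_RE.findall(bound):
                tunnel = "Tunnel" + number
                if tunnel not in bindable:
                    issue = tunnel + " is not a configured tunnel interface"
                elif not bindable[tunnel]:
                    issue = tunnel + " lacks mpls te reserved-for-binding"
                else:
                    continue
                findings.append(("tunnel-policy " + name, issue))
    return sorted(findings)


if __name__ == "__main__":
    for where, issue in audit_tunnel_policies(SAMPLE_CONFIG):
        print(f"{where}: {issue}")
```
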

7.7.16 Connecting a VPN to the Internet


Generally, users within a VPN cannot communicate with Internet users because
VPN users cannot access the Internet. If each VPN site needs to access the
Internet, configure the interconnection between the VPN and the Internet.

Pre-configuration Tasks
● 7.7.1 Configuring Basic BGP/MPLS IP VPN Functions

Configuration Procedure
Step 1, step 2, and step 3 can be performed in any sequence.

Procedure
Step 1 Configure a static route on the CE device.
1. Run system-view
The system view is displayed.
2. Run ip route-static ip-address { mask | mask-length } { interface-type
interface-number [ nexthop-address ] | nexthop-address } [ preference
preference | tag tag ] * [ description text ]
The static route to a public network destination address is configured.
ip-address can be a public network address or 0.0.0.0. If ip-address is
0.0.0.0, the static route is also called the default route. The mask of a default
route must be 0.0.0.0, or the mask-length of the default route must be 0. The
outbound interface must be the interface directly connected to the PE device,
and the next hop is the IP address of the PE interface directly connected to
the CE device.

NOTE

If the CE and PE devices are connected through an Ethernet network, the next-hop
must be specified.

Step 2 Configure a static VPN route to the Internet on the PE device.


1. Run system-view
The system view is displayed.

2. Run ip route-static vpn-instance vpn-source-name destination-address
{ mask | mask-length } nexthop-address public [ preference preference | tag
tag ] * [ description text ]

A static route from the VPN to the Internet is configured and the next-hop
address is a public network address.

Step 3 Configure a static route to the VPN on the PE device.


1. Run system-view

The system view is displayed.


2. Run ip route-static ip-address { mask | mask-length } { interface-type
interface-number [ nexthop-address ] | vpn-instance vpn-instance-name
nexthop-address | nexthop-address } [ preference preference | tag tag ] *
[ description text ]

The static route from the public network to the VPN is configured and the
next-hop address is a private network address.

NOTE

If the CE and PE devices are connected through an Ethernet network, the next-hop
must be specified.
3. Advertise the static route to the Internet.
For detailed configuration, see the Huawei AR Series Access Routers
Configuration Guide - IP Routing. For example, if OSPF is running between
the PE device and the Internet, perform the following steps:
a. Run system-view
The system view is displayed.
b. Run ospf [ process-id ]
The OSPF view is displayed.
c. Run import-route static
Static routes are imported into OSPF.

----End

Verifying the Configuration


● Run the display ip routing-table vpn-instance vpn-instance-name command
to check the VPN routing table on the PE device. The command output shows
that the route to the CE and the route to the destination device in the public
network exist in the VPN routing table.
● Run the display ip routing-table command to check the routing table on the
CE and the destination device in the public network. The command output
shows that the CE has the route to the destination device in the public
network and the destination device in the public network has the route to the
CE.
● Run the ping command to check the connectivity between the CE and the
destination device on the public network. The CE device and the destination
device on the public network can ping each other.

7.8 Maintaining BGP/MPLS IP VPN


You can check route summary information in a VPN instance, monitor network
connectivity, and reset BGP connections when maintaining a BGP/MPLS IP VPN
network.

7.8.1 Collecting Statistics About L3VPN Traffic

Prerequisites
L3VPN traffic statistics collection is applicable to the interface traffic at the user
side of a VPN. Before collecting L3VPN traffic statistics, you need to enable the
L3VPN traffic statistics function.

NOTE

● Currently, L3VPN traffic statistics collection can count only unicast packets.
● In L3VPN over MPLS TE scenarios, if the device is enabled to collect L3VPN traffic
statistics and traffic statistics on an MPLS TE tunnel interface simultaneously, packets
received from the interface bound to a VPN instance are not counted as L3VPN traffic.
● Enabling the L3VPN traffic statistics function may affect the forwarding
performance. For example, when all interfaces provide line-speed forwarding,
some interfaces may be unable to forward packets at line speed. Exercise
caution when you enable traffic statistics on a VLANIF interface.
● L3VPN traffic statistics are unavailable for error packets.

Perform the following steps on the device:

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the ip vpn-instance vpn-instance-name command to enter the VPN instance
view.

Step 3 Run the traffic-statistics enable command to enable the function of collecting
statistics about L3VPN traffic.

----End

7.8.2 Checking L3VPN Traffic

Context
This function displays traffic statistics on the interface at the user side of the VPN.
Note that traffic statistics are collected only after the L3VPN traffic statistics
function is enabled.

Procedure
● Run the display traffic-statistics vpn-instance vpn-instance-name command
to check the statistics about L3VPN traffic of a specified VPN instance.
----End

7.8.3 Clearing L3VPN Traffic


Context
Run the following command in the user view to clear L3VPN traffic statistics.

NOTICE

Statistics cannot be restored after being cleared. Therefore, use this command
with caution.

Procedure
● Run the reset traffic-statistics vpn-instance { name vpn-instance-name |
all } command in the user view to clear statistics about L3VPN traffic of a
specified VPN instance or all VPN instances.
----End

7.8.4 Displaying BGP/MPLS IP VPN Information

Context
In routine maintenance, you can run the following commands in any view to
check the status of BGP/MPLS IP VPN.

Procedure
● Run the display ip vpn-instance [ verbose ] [ vpn-instance-name ] command
to check information about the VPN instance.
● Run the display default-parameter l3vpn command to check the default
configuration of L3VPN during initialization.
● Run the display ip routing-table vpn-instance vpn-instance-name command
to check the IP routing table of a VPN instance.
● Run the display bgp vpnv4 { all | vpn-instance vpn-instance-name }
routing-table [ statistics ] label command to check information about
labeled routes in the BGP routing table.
● Run the display bgp vpnv4 { all | route-distinguisher route-distinguisher |
vpn-instance vpn-instance-name } routing-table ipv4-address [ mask | mask-
length ] command to check information about the BGP VPNv4 routing table.
● Run the display bgp vpnv4 { all | route-distinguisher route-distinguisher |
vpn-instance vpn-instance-name } routing-table statistics command to
check statistics about the BGP VPNv4 routing table.

● Run the display bgp vpnv4 { all | route-distinguisher route-distinguisher |
vpn-instance vpn-instance-name } routing-table command to check
information about the BGP VPNv4 routing table.
● Run the display bgp vpnv4 { all | vpn-instance vpn-instance-name } group
[ group-name ] command to check information about the BGP VPNv4 peer
group.
● Run the display bgp vpnv4 { all | vpn-instance vpn-instance-name } peer
[ [ ipv4-address ] verbose ] command to check BGP VPNv4 peer information.
● Run the display bgp vpnv4 { all | vpn-instance vpn-instance-name }
network command to check the routing information advertised by BGP
VPNv4.
● Run the display bgp vpnv4 { all | vpn-instance vpn-instance-name } paths
[ as-regular-expression ] command to check the AS path information of BGP
VPNv4.
● Run the display bgp vpnv4 vpn-instance vpn-instance-name peer { group-
name | ipv4-address } log-info command to check the BGP peer's log
information of a specified VPN instance.
----End

7.8.5 Checking Network Connectivity and Reachability

Context
After completing VPN configuration, you can:
● Run the ping command on the local CE to check whether the local CE and the
remote CE in the same VPN can communicate with each other. If the ping
fails, you can run the tracert command to locate the faulty node.
● Run the ping command with the -vpn-instance vpn-instance-name
parameter on the PE to check whether the PE and the CE in the same VPN as
the PE can communicate with each other. If the ping fails, you can run the
tracert command with the -vpn-instance vpn-instance-name parameter to
locate the faulty node.
If multiple interfaces on the PE are bound to the same VPN, you need to specify
the source IP address with the -a source-ip-address parameter when you ping or
tracert the remote CE that accesses the peer PE. If no source IP address is specified,
the PE selects the smallest IP address from the IP addresses of the interfaces on the PE
bound to this VPN as the source address of the Internet Control Message Protocol
(ICMP) messages. If the CE has no route to the selected IPv4 address, the CE discards
the returned ICMP message.

NOTE

By default, for an MPLS time to live (MPLS TTL) timeout packet with a single label, the
router returns the ICMP message according to the local IP route (that is, the public network
route). However, no VPN route exists in the public network routing table of the ASBR.
Therefore, the ICMP message is discarded when it is sent to or returned by the ASBR.


Procedure
● Run the ping [ ip ] [ -a source-ip-address | -c count | -d | -f | -h ttl-value | [ -i
interface-type interface-number | -si source-interface-type source-interface-
number ] | -m time | -n | -name | -p pattern | -q | -r | -s packetsize | -system-
time | -t timeout | -tos tos-value | -v | -vpn-instance vpn-instance-name |
ignore-mtu ] * host [ ip-forwarding ] command to check network
connectivity from the local device to a specified destination IP address.
● Run the tracert [ -a source-ip-address | -f first-ttl | -m max-ttl | -name | -p
port | -q nqueries | -vpn-instance vpn-instance-name | -w timeout | -v ] * host
command to check the gateways that a data packet passes when it is sent
from the local device to the destination.
● Run the ping lsp [ -a source-ip | -c count | -exp exp-value | -h ttl-value | -m
interval | -r reply-mode | -s packet-size | -t time-out | -v ] * ip destination-
address mask-length [ ip-address ] [ nexthop nexthop-address | draft6 ]
command to check connectivity of a Label Switched Path (LSP).
● Run the tracert lsp [ -a source-ip | -exp exp-value | -h ttl-value | -r reply-
mode | -t time-out | -v ] * ip destination-address mask-length [ ip-address ]
[ nexthop nexthop-address | draft6 ] command to check the gateways that a
data packet passes when it is sent from the local device to the destination
along the LSP.

----End

7.8.6 Viewing the Integrated Route Statistics of IPv4 VPN Instances

Procedure
● Run the display ip routing-table vpn-instance vpn-instance-name statistics
command to check the integrated route statistics of an IPv4 VPN instance.
● Run the display ip routing-table all-vpn-instance statistics command to
check the integrated route statistics of all IPv4 VPN instances.

----End

7.8.7 Resetting BGP Statistics of a VPN Instance IPv4 Address Family

Procedure
● Run the reset bgp vpn-instance vpn-instance-name ipv4-family [ ipv4-
address ] flap-info command in the user view to clear statistics of the BGP
peer flap for a specified VPN instance IPv4 address family.
● Run the reset bgp vpn-instance vpn-instance-name ipv4-family dampening
[ ipv4-address [ mask | mask-length ] ] command in the user view to clear
dampening information of the VPN instance IPv4 address family.

----End


7.8.8 Resetting BGP Connections

Context

NOTICE

VPN services are interrupted after the BGP connection is reset. Exercise caution
when running the commands.

When the BGP configuration changes, you can perform a soft reset or reset the BGP
connections to make the new configuration take effect. A soft reset requires that the
BGP peers have the route refresh capability (that is, they support Route-Refresh
messages).

Procedure
● Run the refresh bgp vpn-instance vpn-instance-name ipv4-family { all |
ipv4-address | group group-name | internal | external } import command in
the user view to trigger the inbound soft reset of the VPN instance IPv4
address family's BGP connection.
● Run the refresh bgp vpn-instance vpn-instance-name ipv4-family { all |
ipv4-address | group group-name | internal | external } export command in
the user view to trigger the outbound soft reset of the VPN instance IPv4
address family's BGP connection.
● Run the refresh bgp vpnv4 { all | ipv4-address | group group-name | internal
| external } import command in the user view to trigger the inbound soft
reset of the BGP VPNv4 connection.
● Run the refresh bgp vpnv4 { all | ipv4-address | group group-name | internal
| external } export command in the user view to trigger the outbound soft
reset of the BGP VPNv4 connection.
● Run the reset bgp vpn-instance vpn-instance-name ipv4-family { as-number
| ipv4-address | group group-name | all | internal | external } command in
the user view to reset BGP connections of the VPN instance IPv4 address
family.
● Run the reset bgp vpnv4 { as-number | ipv4-address | group group-name |
all | internal | external } command in the user view to reset BGP VPNv4
connections.

----End

7.8.9 Monitoring the Running Status of VPN Tunnels

Context
In routine maintenance, run the following commands in any view to check the
tunnel status.


Procedure
● Run the display interface tunnel interface-number command to check
information about a specified tunnel interface.
● Run the display tunnel-info tunnel-id tunnel-id command to check detailed
information about a specified tunnel.
● Run the display tunnel-info all command to check information about all
tunnels.
● Run the display tunnel-policy [ tunnel-policy-name ] command to check the
configuration of a tunnel policy.
● Run the display ip vpn-instance verbose [ vpn-instance-name ] command to
check information about the tunnel policy applied to a VPN instance.
● Run the display ip routing-table vpn-instance vpn-instance-name [ ip-
address ] verbose command to check the tunnel to which VPN routes are
iterated.
----End

7.9 Configuration Examples for BGP/MPLS IP VPN


This section provides several configuration examples of BGP/MPLS IP VPN
networking. In each configuration example, the networking requirements,
configuration roadmap, configuration procedures, and configuration files are
provided.

7.9.1 Example for Configuring BGP/MPLS IP VPN


Networking Requirements
As shown in Figure 7-42:
● CE1 connects to the headquarters R&D area of a company, and CE3 connects
to the branch R&D area. CE1 and CE3 belong to vpna.
● CE2 connects to the headquarters non-R&D area, and CE4 connects to the
branch non-R&D area. CE2 and CE4 belong to vpnb.
BGP/MPLS IP VPN needs to be deployed for the company to ensure secure
communication between the headquarters and branches.


Figure 7-42 Networking diagram for configuring BGP/MPLS IP VPN

Device  Role                  AS      Interface   IP address     Connects to
PE1     PE (VPN backbone)     100     Loopback1   1.1.1.9/32     -
                                      GE1/0/0     10.1.1.2/24    CE1 (vpna)
                                      GE2/0/0     10.2.1.2/24    CE2 (vpnb)
                                      GE3/0/0     172.1.1.1/24   P
P       P (VPN backbone)      100     Loopback1   2.2.2.9/32     -
                                      GE1/0/0     172.1.1.2/24   PE1
                                      GE2/0/0     172.2.1.1/24   PE2
PE2     PE (VPN backbone)     100     Loopback1   3.3.3.9/32     -
                                      GE1/0/0     10.3.1.2/24    CE3 (vpna)
                                      GE2/0/0     10.4.1.2/24    CE4 (vpnb)
                                      GE3/0/0     172.2.1.2/24   P
CE1     CE in vpna            65410   GE1/0/0     10.1.1.1/24    PE1
CE2     CE in vpnb            65420   GE1/0/0     10.2.1.1/24    PE1
CE3     CE in vpna            65430   GE1/0/0     10.3.1.1/24    PE2
CE4     CE in vpnb            65440   GE1/0/0     10.4.1.1/24    PE2

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure OSPF between the P and PEs to ensure IP connectivity on the
backbone network.
2. Configure basic MPLS capabilities and MPLS LDP on the P and PEs to set up
MPLS LSP tunnels for VPN data transmission on the backbone network.
3. Configure VPN instances vpna and vpnb on PE1 and PE2. Set the VPN target
of vpna to 111:1 and the VPN target of vpnb to 222:2. This configuration
allows users in the same VPN to communicate with each other and isolates
users in different VPNs. Bind the VPN instance to the PE interfaces connected
to CEs to provide access for VPN users.
4. Configure MP-IBGP on PE1 and PE2 to enable them to exchange VPN routing
information.
5. Configure EBGP on the CEs and PEs to exchange VPN routing information.

Procedure
Step 1 Configure OSPF on the MPLS backbone network so that the PEs and Ps can
communicate with each other.


# Configure PE1.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] ip address 172.1.1.1 24
[PE1-GigabitEthernet3/0/0] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure P.
<Huawei> system-view
[Huawei] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.9 32
[P-LoopBack1] quit
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] ip address 172.1.1.2 24
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] ip address 172.2.1.1 24
[P-GigabitEthernet2/0/0] quit
[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit

# Configure PE2.
<Huawei> system-view
[Huawei] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.9 32
[PE2-LoopBack1] quit
[PE2] interface gigabitethernet 3/0/0
[PE2-GigabitEthernet3/0/0] ip address 172.2.1.2 24
[PE2-GigabitEthernet3/0/0] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

After the configuration is complete, OSPF neighbor relationships can be set up
between PE1, P, and PE2. Run the display ospf peer command. The command
output shows that the neighbor status is Full. Run the display ip routing-table
command. The command output shows that PEs have learned the routes to
Loopback1 of each other.
The information displayed on PE1 is used as an example.
[PE1] display ip routing-table
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 11 Routes : 11


Destination/Mask Proto Pre Cost Flags NextHop Interface

1.1.1.9/32 Direct 0 0 D 127.0.0.1 LoopBack1
2.2.2.9/32 OSPF 10 1 D 172.1.1.2 GigabitEthernet3/0/0
3.3.3.9/32 OSPF 10 2 D 172.1.1.2 GigabitEthernet3/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.1.1.0/24 Direct 0 0 D 172.1.1.1 GigabitEthernet3/0/0
172.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet3/0/0
172.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet3/0/0
172.2.1.0/24 OSPF 10 2 D 172.1.1.2 GigabitEthernet3/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
[PE1] display ospf peer

OSPF Process 1 with Router ID 1.1.1.9


Neighbors

Area 0.0.0.0 interface 172.1.1.1(GigabitEthernet3/0/0)'s neighbors


Router ID: 2.2.2.9 Address: 172.1.1.2
State: Full Mode:Nbr is Master Priority: 1
DR: 172.1.1.1 BDR: 172.1.1.2 MTU: 0
Dead timer due in 37 sec
Retrans timer interval: 5
Neighbor is up for 00:16:21
Authentication Sequence: [ 0 ]

Step 2 Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network
to set up LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] mpls
[PE1-GigabitEthernet3/0/0] mpls ldp
[PE1-GigabitEthernet3/0/0] quit

# Configure P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] mpls
[P-GigabitEthernet1/0/0] mpls ldp
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] mpls
[P-GigabitEthernet2/0/0] mpls ldp
[P-GigabitEthernet2/0/0] quit

# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitethernet 3/0/0
[PE2-GigabitEthernet3/0/0] mpls
[PE2-GigabitEthernet3/0/0] mpls ldp
[PE2-GigabitEthernet3/0/0] quit


After the configuration is complete, LDP sessions can be set up between PE1 and
the P and between the P and PE2. Run the display mpls ldp session command.
The command output shows that the Status field is Operational. Run the display
mpls ldp lsp command. Information about the established LDP LSPs is displayed.

The information displayed on PE1 is used as an example.


[PE1] display mpls ldp session

LDP Session(s) in Public Network


Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.9:0 Operational DU Active 0000:00:01 6/6
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
[PE1] display mpls ldp lsp

LDP LSP Information


-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
1.1.1.9/32 3/NULL 2.2.2.9 127.0.0.1 InLoop0
*1.1.1.9/32 Liberal/1024 DS/2.2.2.9
2.2.2.9/32 NULL/3 - 172.1.1.2 GE3/0/0
2.2.2.9/32 1024/3 2.2.2.9 172.1.1.2 GE3/0/0
3.3.3.9/32 NULL/1025 - 172.1.1.2 GE3/0/0
3.3.3.9/32 1025/1025 2.2.2.9 172.1.1.2 GE3/0/0
-------------------------------------------------------------------------------
TOTAL: 5 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is stale
A '*' before a DS means the session is stale
A '*' before a NextHop means the LSP is FRR LSP

Step 3 Configure VPN instances on PEs and bind the instances to the interfaces
connected to CEs.

# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[PE1-GigabitEthernet1/0/0] ip address 10.1.1.2 24
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpnb
[PE1-GigabitEthernet2/0/0] ip address 10.2.1.2 24
[PE1-GigabitEthernet2/0/0] quit

# Configure PE2.


[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] ipv4-family
[PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] ipv4-family
[PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[PE2-GigabitEthernet1/0/0] ip address 10.3.1.2 24
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpnb
[PE2-GigabitEthernet2/0/0] ip address 10.4.1.2 24
[PE2-GigabitEthernet2/0/0] quit

# Assign IP addresses to interfaces on CEs according to Figure 7-42.


# Configure CE1. The configurations of CE2, CE3, and CE4 are similar to the
configuration of CE1, and are not mentioned here.
<Huawei> system-view
[Huawei] sysname CE1
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[CE1-GigabitEthernet1/0/0] quit

After the configuration is complete, run the display ip vpn-instance verbose
command on the PEs to check the configuration of VPN instances. Each PE can
ping its connected CE.

NOTE

If a PE has multiple interfaces bound to the same VPN instance, specify a source IP
address by setting -a source-ip-address in the ping -vpn-instance vpn-instance-name -a
source-ip-address dest-ip-address command to ping the remote CE. If the source IP address
is not specified, the ping operation fails.

The information displayed on PE1 is used as an example.


[PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 2
Total IPv4 VPN-Instances configured : 2
Total IPv6 VPN-Instances configured : 0

VPN-Instance Name and ID : vpna, 1


Interfaces : GigabitEthernet1/0/0
Address family ipv4
Create date : 2012/07/25 00:58:17
Up time : 0 days, 22 hours, 24 minutes and 53 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label Policy : label per route
Log Interval : 5

VPN-Instance Name and ID : vpnb, 2


Interfaces : GigabitEthernet2/0/0
Address family ipv4
Create date : 2012/07/25 00:58:17
Up time : 0 days, 22 hours, 24 minutes and 53 seconds
Route Distinguisher : 100:2
Export VPN Targets : 222:2


Import VPN Targets : 222:2
Label Policy : label per route
Log Interval : 5
[PE1] ping -vpn-instance vpna 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=5 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=16 ms

--- 10.1.1.1 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/6/16 ms

Step 4 Set up an MP-IBGP peer relationship between the PEs.


# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit

After the configuration is complete, run the display bgp peer or display bgp
vpnv4 all peer command on the PEs. The command output shows that BGP peer
relationships have been established between the PEs.
[PE1] display bgp peer

BGP local router ID : 1.1.1.9


Local AS number : 100
Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

3.3.3.9 4 100 12 6 0 00:02:21 Established 0


[PE1] display bgp vpnv4 all peer

BGP local router ID : 1.1.1.9


Local AS number : 100
Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

3.3.3.9 4 100 12 18 0 00:09:38 Established 0

Step 5 Set up EBGP peer relationships between the PEs and CEs and import VPN routes
into BGP.
# Configure CE1. The configurations of CE2, CE3, and CE4 are similar to the
configuration of CE1, and are not mentioned here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100


[CE1-bgp] import-route direct
[CE1-bgp] quit

# Configure PE1. The configuration on PE2 is similar to the configuration on PE1
and is not mentioned here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit

After the configuration is complete, run the display bgp vpnv4 vpn-instance peer
command on the PEs. The command output shows that BGP peer relationships
have been established between the PEs and CEs.
The peer relationship between PE1 and CE1 is used as an example.
[PE1] display bgp vpnv4 vpn-instance vpna peer

BGP local router ID : 1.1.1.9


Local AS number : 100

VPN-Instance vpna, Router ID 1.1.1.9:


Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

10.1.1.1 4 65410 6 3 0 00:00:02 Established 4

Step 6 Verify the configuration.


# Run the display ip routing-table vpn-instance command on the PEs to view
the routes to the remote CEs.
# The information displayed on PE1 is used as an example.
[PE1] display ip routing-table vpn-instance vpna
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 5 Routes : 5

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 Direct 0 0 D 10.1.1.2 GigabitEthernet1/0/0
10.1.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.3.1.0/24 IBGP 255 0 RD 3.3.3.9 GigabitEthernet3/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
[PE1] display ip routing-table vpn-instance vpnb
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpnb
Destinations : 5 Routes : 5

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.2.1.0/24 Direct 0 0 D 10.2.1.2 GigabitEthernet2/0/0
10.2.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
10.2.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
10.4.1.0/24 IBGP 255 0 RD 3.3.3.9 GigabitEthernet3/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0


# CEs in the same VPN can ping each other, whereas CEs in different VPNs cannot.
# For example, CE1 can ping CE3 at 10.3.1.1 but cannot ping CE4 at 10.4.1.1.
[CE1] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms
--- 10.3.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms
[CE1] ping 10.4.1.1
PING 10.4.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.4.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

----End

Configuration Files
● PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet3/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255


#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.1.1.1 as-number 65410
#
ipv4-family vpn-instance vpnb
import-route direct
peer 10.2.1.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
● P configuration file
#
sysname P
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
#
return
● PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family


route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
#
interface GigabitEthernet3/0/0
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.3.1.1 as-number 65430
#
ipv4-family vpn-instance vpnb
import-route direct
peer 10.4.1.1 as-number 65440
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 172.2.1.0 0.0.0.255
#
return

● CE1 configuration file


#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return

● CE2 configuration file


#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return

● CE3 configuration file


#
sysname CE3
#
interface GigabitEthernet1/0/0
ip address 10.3.1.1 255.255.255.0
#
bgp 65430
peer 10.3.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.3.1.2 enable
#
return

● CE4 configuration file


#
sysname CE4
#
interface GigabitEthernet1/0/0
ip address 10.4.1.1 255.255.255.0
#
bgp 65440
peer 10.4.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.4.1.2 enable
#
return

7.9.2 Example for Configuring BGP/MPLS IP VPNs with Overlapping Address Spaces

Networking Requirements
As shown in Figure 7-43:
● CE1 connects to the headquarters R&D area of a company, and CE2 connects
to the branch R&D area. CE1 and CE2 belong to vpna.
● CE3 connects to the headquarters non-R&D area, and CE4 connects to the
branch non-R&D area. CE3 and CE4 belong to vpnb.
● The R&D areas and non-R&D areas use overlapping address spaces.

The company wants to ensure secure communication between the headquarters and
branches and isolate the R&D areas from non-R&D areas, without changing the
current network deployment.

Figure 7-43 Networking diagram for configuring BGP/MPLS IP VPNs with overlapping address spaces
Interfaces and addresses shown in the figure:
● CE1 (vpna): GE1/0/0 14.1.1.2/24
● CE2 (vpna): GE1/0/0 34.1.1.2/24
● CE3 (vpnb): GE1/0/0 14.1.1.2/24
● CE4 (vpnb): GE1/0/0 34.1.1.2/24
● PE1: Loopback0 1.1.1.9/32, GE1/0/0 12.1.1.1/24 (to P), GE2/0/0 14.1.1.1/24 (to CE1), GE3/0/0 14.1.1.1/24 (to CE3)
● P (VPN backbone): Loopback0 2.2.2.9/32, GE1/0/0 12.1.1.2/24 (to PE1), GE2/0/0 23.1.1.1/24 (to PE2)
● PE2: Loopback0 3.3.3.9/32, GE2/0/0 23.1.1.2/24 (to P), GE1/0/0 34.1.1.1/24 (to CE2), GE3/0/0 34.1.1.1/24 (to CE4)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF between the P and PEs to ensure IP connectivity on the
backbone network.
2. Configure basic MPLS capabilities and MPLS LDP on the P and PEs to set up
MPLS LSP tunnels for VPN data transmission on the backbone network.
3. Configure MP-IBGP on PE1 and PE2 to enable them to exchange VPN routing
information.
4. Configure VPN instances vpna and vpnb on PE1 and PE2. Set the VPN target
of vpna to 100:100 and the VPN target of vpnb to 200:200. This configuration
allows users in the same VPN to communicate with each other and isolates
users in different VPNs. Bind the VPN instance to the PE interfaces connected
to CEs to provide access for VPN users.
5. Configure static routes on the CEs and PEs to exchange VPN routing
information.


Procedure
Step 1 Assign IP addresses to interfaces according to Figure 7-43.
# Configure PE1. The configuration on PE2, P, and CE1 to CE4 is similar to the
configuration on PE1 and is not mentioned here.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] interface loopback 0
[PE1-LoopBack0] ip address 1.1.1.9 32
[PE1-LoopBack0] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] ip address 12.1.1.1 24
[PE1-GigabitEthernet1/0/0] quit

Step 2 Configure OSPF on the MPLS backbone network so that the PEs and Ps can
communicate with each other.
# Configure PE1.
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 12.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure P.
[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 12.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 23.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit

# Configure PE2.
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 23.1.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

After the configuration is complete, OSPF neighbor relationships can be set up
between PE1, P, and PE2. Run the display ospf peer command. The command
output shows that the neighbor status is Full. Run the display ip routing-table
command. The command output shows that PEs have learned the routes to
Loopback0 of each other.
The information displayed on PE1 is used as an example.
[PE1] display ip routing-table
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 11 Routes : 11

Destination/Mask Proto Pre Cost Flags NextHop Interface

1.1.1.9/32 Direct 0 0 D 127.0.0.1 LoopBack0
2.2.2.9/32 OSPF 10 1 D 12.1.1.2 GigabitEthernet1/0/0
3.3.3.9/32 OSPF 10 2 D 12.1.1.2 GigabitEthernet1/0/0
12.1.1.0/24 Direct 0 0 D 12.1.1.1 GigabitEthernet1/0/0
12.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
12.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
23.1.1.0/24 OSPF 10 2 D 12.1.1.2 GigabitEthernet1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Step 3 Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network
to set up LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] mpls
[PE1-GigabitEthernet1/0/0] mpls ldp
[PE1-GigabitEthernet1/0/0] quit

# Configure P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] mpls
[P-GigabitEthernet1/0/0] mpls ldp
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] mpls
[P-GigabitEthernet2/0/0] mpls ldp
[P-GigabitEthernet2/0/0] quit

# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] mpls
[PE2-GigabitEthernet2/0/0] mpls ldp
[PE2-GigabitEthernet2/0/0] quit

After the configuration is complete, LDP sessions can be set up between PE1 and
the P and between the P and PE2. Run the display mpls ldp session command.
The command output shows that the Status field is Operational. Run the display
mpls ldp lsp command. Information about the established LDP LSPs is displayed.
The information displayed on PE1 is used as an example.
[PE1] display mpls ldp session

LDP Session(s) in Public Network


Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.9:0 Operational DU Active 0000:00:01 6/6
------------------------------------------------------------------------------

TOTAL: 1 session(s) Found.

[PE1] display mpls ldp lsp

LDP LSP Information


-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
1.1.1.9/32 3/NULL 2.2.2.9 127.0.0.1 InLoop0
*1.1.1.9/32 Liberal/1024 DS/2.2.2.9
2.2.2.9/32 NULL/3 - 12.1.1.2 GE1/0/0
2.2.2.9/32 1024/3 2.2.2.9 12.1.1.2 GE1/0/0
3.3.3.9/32 NULL/1025 - 12.1.1.2 GE1/0/0
3.3.3.9/32 1025/1025 2.2.2.9 12.1.1.2 GE1/0/0
-------------------------------------------------------------------------------
TOTAL: 5 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is stale
A '*' before a DS means the session is stale
A '*' before a NextHop means the LSP is FRR LSP

Step 4 Configure VPN instances on PEs and bind the instances to the interfaces
connected to CEs.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:100
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 100:100 export-extcommunity
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 100:100 import-extcommunity
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 300:300
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 200:200 export-extcommunity
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 200:200 import-extcommunity
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[PE1-GigabitEthernet2/0/0] ip address 14.1.1.1 255.255.255.0
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] ip binding vpn-instance vpnb
[PE1-GigabitEthernet3/0/0] ip address 14.1.1.1 255.255.255.0
[PE1-GigabitEthernet3/0/0] quit

# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] ipv4-family
[PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:200
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 100:100 export-extcommunity
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 100:100 import-extcommunity
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] ipv4-family
[PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 400:400
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 200:200 export-extcommunity
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 200:200 import-extcommunity
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[PE2-GigabitEthernet1/0/0] ip address 34.1.1.1 255.255.255.0
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface gigabitethernet 3/0/0
[PE2-GigabitEthernet3/0/0] ip binding vpn-instance vpnb
[PE2-GigabitEthernet3/0/0] ip address 34.1.1.1 255.255.255.0
[PE2-GigabitEthernet3/0/0] quit

# Assign IP addresses to interfaces on CEs according to Figure 7-43.

# Configure CE1. The configurations of CE2, CE3, and CE4 are similar to the
configuration of CE1, and are not mentioned here.
<Huawei> system-view
[Huawei] sysname CE1
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] ip address 14.1.1.2 24
[CE1-GigabitEthernet1/0/0] quit

After the configuration is complete, run the display ip vpn-instance verbose
command on the PEs to check the configuration of VPN instances. Each PE can
ping its connected CE.

The information displayed on PE1 is used as an example.


[PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 2
Total IPv4 VPN-Instances configured : 2
Total IPv6 VPN-Instances configured : 0

VPN-Instance Name and ID : vpna, 1


Interfaces : GigabitEthernet2/0/0
Address family ipv4
Create date : 2012/07/25 00:58:17 UTC+08:00
Up time : 0 days, 22 hours, 24 minutes and 53 seconds
Route Distinguisher : 100:100
Export VPN Targets : 100:100
Import VPN Targets : 100:100
Label Policy : label per route
Log Interval : 5

VPN-Instance Name and ID : vpnb, 2


Interfaces : GigabitEthernet3/0/0
Address family ipv4
Create date : 2012/07/25 00:58:17 UTC+08:00
Up time : 0 days, 22 hours, 24 minutes and 53 seconds
Route Distinguisher : 300:300
Export VPN Targets : 200:200
Import VPN Targets : 200:200
Label Policy : label per route
Log Interval : 5
[PE1] ping -vpn-instance vpna 14.1.1.2
PING 14.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 14.1.1.2: bytes=56 Sequence=1 ttl=255 time=5 ms
Reply from 14.1.1.2: bytes=56 Sequence=2 ttl=255 time=3 ms
Reply from 14.1.1.2: bytes=56 Sequence=3 ttl=255 time=3 ms
Reply from 14.1.1.2: bytes=56 Sequence=4 ttl=255 time=3 ms
Reply from 14.1.1.2: bytes=56 Sequence=5 ttl=255 time=16 ms

--- 14.1.1.2 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/6/16 ms

Step 5 Set up an MP-IBGP peer relationship between the PEs.

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 0
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 0
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] ipv4-family vpn-instance vpna
[PE2-bgp-vpna] import-route direct
[PE2-bgp-vpna] quit
[PE2-bgp] ipv4-family vpn-instance vpnb
[PE2-bgp-vpnb] import-route direct
[PE2-bgp-vpnb] quit
[PE2-bgp] quit

After the configuration is complete, run the display bgp peer command on the
PEs. The command output shows that a BGP peer relationship has been set up
between the PEs.
[PE1] display bgp peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

3.3.3.9 4 100 3 3 0 00:01:08 Established 0

Step 6 On CE1, CE2, CE3, and CE4, configure static routes to their connected PEs.
# Configure CE1. The configurations of CE2, CE3, and CE4 are similar to the
configuration of CE1, and are not mentioned here.

[CE1] ip route-static 0.0.0.0 0.0.0.0 gigabitethernet 1/0/0 14.1.1.1

Step 7 Verify the configuration.


# Run the display ip routing-table vpn-instance command on the PEs to view
the routes to the remote CEs.
# The information displayed on PE1 is used as an example.
[PE1] display ip routing-table vpn-instance vpna
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 5 Routes : 5

Destination/Mask Proto Pre Cost Flags NextHop Interface

14.1.1.0/24 Direct 0 0 D 14.1.1.1 GigabitEthernet2/0/0
14.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
14.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
34.1.1.0/24 IBGP 255 0 RD 3.3.3.9 GigabitEthernet1/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
[PE1] display ip routing-table vpn-instance vpnb
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpnb
Destinations : 5 Routes : 5

Destination/Mask Proto Pre Cost Flags NextHop Interface

14.1.1.0/24 Direct 0 0 D 14.1.1.1 GigabitEthernet3/0/0


14.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet3/0/0
14.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet3/0/0
34.1.1.0/24 IBGP 255 0 RD 3.3.3.9 GigabitEthernet1/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

# Run the ping 34.1.1.2 command on CE1, and the ping is successful. Run the
display interface command on PE2 to view traffic statistics on GE1/0/0 and
GE3/0/0. The command output shows that there are packets passing through
GE1/0/0 but no packet passing through GE3/0/0. This indicates that the two VPN
instances have overlapping address spaces but they are isolated from each other.

----End

Configuration Files
● PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:100
vpn-target 100:100 export-extcommunity
vpn-target 100:100 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 300:300
vpn-target 200:200 export-extcommunity
vpn-target 200:200 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 12.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpna
ip address 14.1.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
ip binding vpn-instance vpnb
ip address 14.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
#
ipv4-family vpn-instance vpnb
import-route direct
#
ospf 1
area 0.0.0.0
network 12.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
● P configuration file
#
sysname P
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 12.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 23.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 12.1.1.0 0.0.0.255
network 23.1.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
● PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:200
vpn-target 100:100 export-extcommunity
vpn-target 100:100 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 400:400
vpn-target 200:200 export-extcommunity
vpn-target 200:200 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpna
ip address 34.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 23.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet3/0/0
ip binding vpn-instance vpnb
ip address 34.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
#
ipv4-family vpn-instance vpnb
import-route direct
#
ospf 1
area 0.0.0.0
network 23.1.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return

● CE1 configuration file


#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 14.1.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 14.1.1.1
#
return

● CE2 configuration file


#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 34.1.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 34.1.1.1
#
return

● CE3 configuration file

#
sysname CE3
#
interface GigabitEthernet1/0/0
ip address 14.1.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 14.1.1.1
#
return

● CE4 configuration file


#
sysname CE4
#
interface GigabitEthernet1/0/0
ip address 34.1.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 34.1.1.1
#
return

7.9.3 Example for Configuring Communication Between Local VPNs

Networking Requirements
As shown in Figure 7-44, company A and company B each use BGP/MPLS IP VPN for
communication between their respective headquarters and branches.
The network deployment is as follows:
● CE1 connects to the headquarters of company A, and CE3 connects to the
branches of company A. CE1 and CE3 belong to vpna.
● CE2 connects to the headquarters of company B, and CE4 connects to the
branches of company B. CE2 and CE4 belong to vpnb.
The headquarters of company A and the headquarters of company B need to
communicate with each other for business.

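Figure 7-44 Networking diagram for configuring communication between local VPNs
Interfaces and addresses shown in the figure:
● CE1 (company A, vpna, Site1): GE1/0/0 10.1.1.1/24
● CE2 (company B, vpnb, Site1): GE1/0/0 10.2.1.1/24
● CE3 (company A, vpna, Site2): GE1/0/0 10.3.1.1/24
● CE4 (company B, vpnb, Site2): GE1/0/0 10.4.1.1/24
● PE1: GE1/0/0 10.1.1.2/24 (to CE1), GE2/0/0 10.2.1.2/24 (to CE2)
● PE2: GE1/0/0 10.3.1.2/24 (to CE3), GE2/0/0 10.4.1.2/24 (to CE4)
● PE1 and PE2 are connected through the IP/MPLS backbone.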

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure VPN instances on PE1 and configure different VPN targets for the
instances to isolate VPNs.
2. On PE1, bind the VPN instances to the interfaces connected to CEs to provide
access for VPN users.
3. Import direct routes to the local CEs into the VPN routing table on PE1. On
each CE connected to PE1, configure a static route to the other local CE to
enable the CEs to communicate with each other.

Procedure
Step 1 Assign IP addresses to interfaces on CEs according to Figure 7-44.
# Configure CE1. The configuration on CE2 is similar to the configuration on CE1
and is not mentioned here.
<Huawei> system-view
[Huawei] sysname CE1
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[CE1-GigabitEthernet1/0/0] quit

Step 2 Configure VPN instances on PEs and bind the instances to the interfaces
connected to CEs.
# Configure PE1.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 export-extcommunity
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 222:2 import-extcommunity
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 export-extcommunity
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 111:1 import-extcommunity
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[PE1-GigabitEthernet1/0/0] ip address 10.1.1.2 24
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpnb
[PE1-GigabitEthernet2/0/0] ip address 10.2.1.2 24
[PE1-GigabitEthernet2/0/0] quit

Each PE can ping its connected CE. The information displayed on PE1 and CE1 is
used as an example.

[PE1] ping -vpn-instance vpna 10.1.1.1


PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=5 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=16 ms

--- 10.1.1.1 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/6/16 ms

Step 3 Configure BGP and import the direct routes to local CEs to the VPN routing table.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit

Step 4 Configure static routes on the CEs.


# Configure CE1.
[CE1] ip route-static 10.2.1.0 24 10.1.1.2

# Configure CE2.
[CE2] ip route-static 10.1.1.0 24 10.2.1.2

Step 5 Verify the configuration.


# After the configuration is complete, run the display ip routing-table
vpn-instance vpna command on PE1. The command output shows that the VPNs have
imported routes of each other. The VPN instance vpna is used as an example.

[PE1] display ip routing-table vpn-instance vpna
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 6 Routes : 6

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 Direct 0 0 D 10.1.1.2 GigabitEthernet1/0/0


10.1.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.2.1.0/24 BGP 255 0 D 10.2.1.2 GigabitEthernet2/0/0
10.2.1.2/32 BGP 255 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

# CE1 and CE2 can ping each other.


[CE1] ping 10.2.1.1
PING 10.2.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms
--- 10.2.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms

----End

Configuration Files
● PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 222:2 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 111:1 import-extcommunity
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
bgp 100
#
ipv4-family unicast
undo synchronization
#
ipv4-family vpn-instance vpna
import-route direct
#
ipv4-family vpn-instance vpnb
import-route direct
#
return

● PE2 configuration file


#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 222:2 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 111:1 import-extcommunity
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
#
bgp 100
#
ipv4-family unicast
undo synchronization
#
ipv4-family vpn-instance vpna
import-route direct
#
ipv4-family vpn-instance vpnb
import-route direct
#
return

● CE1 configuration file


#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
return

● CE2 configuration file


#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.2
#
return

● CE3 configuration file


#
sysname CE3
#
interface GigabitEthernet1/0/0
ip address 10.3.1.1 255.255.255.0
#
ip route-static 10.4.1.0 255.255.255.0 10.3.1.2
#
return

● CE4 configuration file


#
sysname CE4
#
interface GigabitEthernet1/0/0
ip address 10.4.1.1 255.255.255.0
#
ip route-static 10.3.1.0 255.255.255.0 10.4.1.2
#
return
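
Sections 7.9.2 and 7.9.3 both rest on the same control: which VPN targets an instance exports and imports decides whether two instances on a PE stay isolated or exchange routes. The following is an added example, not part of the Huawei guide, that parses PE configuration text in the format shown above and reports every route exchange between instances, plus any overlapping subnets between instances that exchange routes. The function names, finding labels and the misconfigured variant are this example's own, and treating a vpn-target line without a direction keyword as both directions is an assumption.

```python
import ipaddress
import re
from collections import defaultdict
from itertools import product

# PE1 stanzas copied from the configuration files in 7.9.2 (overlapping
# address spaces) and 7.9.3 (communication between local VPNs).
PE1_7_9_2 = """
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:100
  vpn-target 100:100 export-extcommunity
  vpn-target 100:100 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 300:300
  vpn-target 200:200 export-extcommunity
  vpn-target 200:200 import-extcommunity
#
interface GigabitEthernet2/0/0
 ip binding vpn-instance vpna
 ip address 14.1.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
 ip binding vpn-instance vpnb
 ip address 14.1.1.1 255.255.255.0
"""
PE1_7_9_3 = """
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 222:2 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 100:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 111:1 import-extcommunity
#
interface GigabitEthernet1/0/0
 ip binding vpn-instance vpna
 ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip binding vpn-instance vpnb
 ip address 10.2.1.2 255.255.255.0
"""
# Constructed misconfiguration: 7.9.2 with a 7.9.3-style cross import added.
PE1_MISCONFIGURED = PE1_7_9_2.replace(
    "vpn-target 200:200 import", "vpn-target 200:200 100:100 import")

DIRECTIONS = {"export-extcommunity": ["export"], "import-extcommunity": ["import"],
              "both": ["export", "import"]}

def parse_config(text):
    """Map VPN instance name -> RD, import/export VPN targets, bound subnets."""
    vpns = defaultdict(
        lambda: {"rd": None, "import": set(), "export": set(), "subnets": []})
    for stanza in re.split(r"(?m)^[ \t]*#[ \t]*$", text):
        lines = [ln.split() for ln in stanza.splitlines() if ln.strip()]
        head = lines[0] if lines else []
        if head[:2] == ["ip", "vpn-instance"] and len(head) > 2:
            inst = vpns[head[2]]
            for tok in lines[1:]:
                if tok[0] == "route-distinguisher" and len(tok) > 1:
                    inst["rd"] = tok[1]
                elif tok[0] == "vpn-target":
                    # Assumption: a missing direction keyword means "both".
                    has_kw = tok[-1] in DIRECTIONS
                    rts = tok[1:-1] if has_kw else tok[1:]
                    for direction in DIRECTIONS[tok[-1] if has_kw else "both"]:
                        inst[direction].update(rts)
        elif head[:1] == ["interface"]:
            bound = [t[-1] for t in lines if t[:3] == ["ip", "binding", "vpn-instance"]]
            addrs = [t for t in lines if t[:2] == ["ip", "address"] and len(t) > 3]
            if bound and addrs:
                iface = ipaddress.ip_interface(f"{addrs[0][2]}/{addrs[0][3]}")
                vpns[bound[0]]["subnets"].append(iface.network)
    return vpns

def route_exchange(vpns):
    """List (exporter, importer, shared targets) for pairs of distinct instances."""
    return [(a, b, sorted(vpns[a]["export"] & vpns[b]["import"]))
            for a, b in product(sorted(vpns), repeat=2)
            if a != b and vpns[a]["export"] & vpns[b]["import"]]

def audit(text):
    """Report route exchange between instances and the address overlaps it exposes."""
    vpns, findings = parse_config(text), []
    for a, b, rts in route_exchange(vpns):
        findings.append(f"EXCHANGE {a}->{b} via {','.join(rts)}")
        for na, nb in product(vpns[a]["subnets"], vpns[b]["subnets"]):
            if na.overlaps(nb):
                findings.append(f"OVERLAP {a}:{na} {b}:{nb}")
    return findings
```

An empty result for a PE means no instance imports a target that another instance exports; any EXCHANGE line should match a documented requirement such as the one in 7.9.3.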

7.9.4 Example for Configuring Hub and Spoke


Networking Requirements
A bank wants to implement secure communication between its headquarters and
branches through MPLS VPN. VPN traffic from branches passes through the
headquarters so that the headquarters can monitor the traffic. The Hub and Spoke
networking can meet the bank's needs. As shown in Figure 7-45, the Spoke-CEs
connect to branches, and the Hub-CE connects to the headquarters. All traffic
transmitted between Spoke-CEs is forwarded by the Hub-CE.

Figure 7-45 Networking diagram for configuring Hub and Spoke
Interfaces and addresses shown in the figure:
● Hub-CE (vpna, AS 65430): GE1/0/0 110.1.1.1/24, GE2/0/0 110.2.1.1/24
● Hub-PE: Loopback1 2.2.2.9/32, GE1/0/0 10.1.1.2/24, GE2/0/0 11.1.1.2/24, GE3/0/0 110.1.1.2/24, GE4/0/0 110.2.1.2/24
● Spoke-PE1: Loopback1 1.1.1.9/32, GE1/0/0 100.1.1.2/24, GE2/0/0 10.1.1.1/24
● Spoke-PE2: Loopback1 3.3.3.9/32, GE1/0/0 120.1.1.2/24, GE2/0/0 11.1.1.1/24
● Spoke-CE1 (vpna, AS 65410): GE1/0/0 100.1.1.1/24
● Spoke-CE2 (vpna, AS 65420): GE1/0/0 120.1.1.1/24
● The Hub-PE and Spoke-PEs form the VPN backbone in AS100.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IGP protocol on the backbone network to enable the Hub-PE
and Spoke-PEs to communicate with each other.
2. Configure basic MPLS capabilities and MPLS LDP on the backbone network to
set up LDP LSPs.
3. Set up MP-IBGP peer relationships between the Hub-PE and the Spoke-PEs.
The Spoke-PEs do not need to set up an MP-IBGP peer relationship or
exchange VPN routing information with each other.
4. Create two VPN instances on the Hub-PE. One is used to receive routes from
the Spoke-PEs, and the other is used to advertise routes to the Spoke-PEs. Set
the import target of the first VPN instance to 100:1 and the export target of
the other VPN instance to 200:1.
5. Create a VPN instance on the Spoke-PEs. Set the export target of the VPN
instance to 100:1 and the import target to 200:1.
6. Configure EBGP on the CEs and PEs to enable them to exchange VPN routing
information. Configure the Hub-PE to accept routes in which the AS number is
repeated once.

Procedure
Step 1 Configure OSPF on the backbone network to enable the Hub-PE and Spoke-PEs to
communicate with each other.

# Configure Spoke-PE1. The configuration on the Hub-PE and Spoke-PE2 is similar
to the configuration on Spoke-PE1 and is not mentioned here.
<Huawei> system-view
[Huawei] sysname Spoke-PE1
[Spoke-PE1] interface loopback 1
[Spoke-PE1-LoopBack1] ip address 1.1.1.9 32
[Spoke-PE1-LoopBack1] quit
[Spoke-PE1] interface gigabitethernet 2/0/0
[Spoke-PE1-GigabitEthernet2/0/0] ip address 10.1.1.1 24
[Spoke-PE1-GigabitEthernet2/0/0] quit
[Spoke-PE1] ospf 1
[Spoke-PE1-ospf-1] area 0
[Spoke-PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[Spoke-PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[Spoke-PE1-ospf-1-area-0.0.0.0] quit
[Spoke-PE1-ospf-1] quit

After the configuration is complete, the Hub-PE can establish OSPF neighbor
relationships with the Spoke-PEs. Run the display ospf peer command on the PEs.
The command output shows that the status of OSPF neighbor relationships is Full.
Run the display ip routing-table command. The command output shows that the
Hub-PE and the Spoke-PEs have learned the route to the loopback interface of
each other.

Step 2 Configure basic MPLS capabilities and MPLS LDP on the backbone network to set
up LDP LSPs.

# Configure the Hub-PE. The configuration on the Spoke-PEs is similar to the
configuration on the Hub-PE and is not mentioned here.
[Hub-PE] mpls lsr-id 2.2.2.9
[Hub-PE] mpls
[Hub-PE-mpls] label advertise non-null
[Hub-PE-mpls] quit
[Hub-PE] mpls ldp
[Hub-PE-mpls-ldp] quit
[Hub-PE] interface gigabitethernet 1/0/0
[Hub-PE-GigabitEthernet1/0/0] mpls
[Hub-PE-GigabitEthernet1/0/0] mpls ldp
[Hub-PE-GigabitEthernet1/0/0] quit
[Hub-PE] interface gigabitethernet 2/0/0
[Hub-PE-GigabitEthernet2/0/0] mpls
[Hub-PE-GigabitEthernet2/0/0] mpls ldp
[Hub-PE-GigabitEthernet2/0/0] quit

After the configuration is complete, the Hub-PE can set up LDP peer relationships
with the Spoke-PEs. Run the display mpls ldp session command on the PEs. In
the command output, the state is Operational. Run the display mpls ldp lsp
command. Information about the established LDP LSPs is displayed.

Step 3 Configure VPN instances on PEs and bind the instances to the interfaces
connected to CEs.

NOTE

The import target of the VPN instances on the Hub-PE is the export target of the VPN
instance on the Spoke-PEs. The import target and export target on the Hub-PE are
different. The import VPN target on the Spoke-PEs is the export VPN target on the Hub-PE.

# Configure Spoke-PE1.

[Spoke-PE1] ip vpn-instance vpna
[Spoke-PE1-vpn-instance-vpna] ipv4-family
[Spoke-PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[Spoke-PE1-vpn-instance-vpna-af-ipv4] vpn-target 100:1 export-extcommunity
[Spoke-PE1-vpn-instance-vpna-af-ipv4] vpn-target 200:1 import-extcommunity
[Spoke-PE1-vpn-instance-vpna-af-ipv4] quit
[Spoke-PE1-vpn-instance-vpna] quit
[Spoke-PE1] interface gigabitethernet 1/0/0
[Spoke-PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[Spoke-PE1-GigabitEthernet1/0/0] ip address 100.1.1.2 24
[Spoke-PE1-GigabitEthernet1/0/0] quit

# Configure Spoke-PE2.

[Spoke-PE2] ip vpn-instance vpna
[Spoke-PE2-vpn-instance-vpna] ipv4-family
[Spoke-PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 100:3
[Spoke-PE2-vpn-instance-vpna-af-ipv4] vpn-target 100:1 export-extcommunity
[Spoke-PE2-vpn-instance-vpna-af-ipv4] vpn-target 200:1 import-extcommunity
[Spoke-PE2-vpn-instance-vpna-af-ipv4] quit
[Spoke-PE2-vpn-instance-vpna] quit
[Spoke-PE2] interface gigabitethernet 1/0/0
[Spoke-PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[Spoke-PE2-GigabitEthernet1/0/0] ip address 120.1.1.2 24
[Spoke-PE2-GigabitEthernet1/0/0] quit

# Configure the Hub-PE.

[Hub-PE] ip vpn-instance vpn_in
[Hub-PE-vpn-instance-vpn_in] ipv4-family
[Hub-PE-vpn-instance-vpn_in-af-ipv4] route-distinguisher 100:21
[Hub-PE-vpn-instance-vpn_in-af-ipv4] vpn-target 100:1 import-extcommunity
[Hub-PE-vpn-instance-vpn_in-af-ipv4] quit
[Hub-PE-vpn-instance-vpn_in] quit
[Hub-PE] ip vpn-instance vpn_out
[Hub-PE-vpn-instance-vpn_out] ipv4-family
[Hub-PE-vpn-instance-vpn_out-af-ipv4] route-distinguisher 100:22
[Hub-PE-vpn-instance-vpn_out-af-ipv4] vpn-target 200:1 export-extcommunity
[Hub-PE-vpn-instance-vpn_out-af-ipv4] quit
[Hub-PE-vpn-instance-vpn_out] quit
[Hub-PE] interface gigabitethernet 3/0/0
[Hub-PE-GigabitEthernet3/0/0] ip binding vpn-instance vpn_in
[Hub-PE-GigabitEthernet3/0/0] ip address 110.1.1.2 24
[Hub-PE-GigabitEthernet3/0/0] quit
[Hub-PE] interface gigabitethernet 4/0/0
[Hub-PE-GigabitEthernet4/0/0] ip binding vpn-instance vpn_out
[Hub-PE-GigabitEthernet4/0/0] ip address 110.2.1.2 24
[Hub-PE-GigabitEthernet4/0/0] quit

# Assign IP addresses to interfaces on CEs according to Figure 7-45.

# Configure Spoke-CE1. The configuration on other CEs is similar to the
configuration on Spoke-CE1 and is not mentioned here.
<Huawei> system-view
[Huawei] sysname Spoke-CE1
[Spoke-CE1] interface gigabitethernet 1/0/0
[Spoke-CE1-GigabitEthernet1/0/0] ip address 100.1.1.1 24
[Spoke-CE1-GigabitEthernet1/0/0] quit

After the configuration is complete, run the display ip vpn-instance verbose
command on the PEs to check the configuration of VPN instances. Each PE can
ping its connected CE by using the ping -vpn-instance vpn-name ip-address
command.

NOTE

If a PE has multiple interfaces bound to the same VPN instance, you need to specify the
source IP address by setting -a source-ip-address in the ping -vpn-instance
vpn-instance-name -a source-ip-address dest-ip-address command to ping the remote CE. If
the source IP address is not specified, the ping operation fails.

Step 4 Set up EBGP peer relationships between the PEs and CEs and import VPN routes
into BGP.
NOTE

To accept the routes advertised by the Hub-CE, configure the Hub-PE to allow the AS
number to be repeated once.

# Configure Spoke-CE1.
[Spoke-CE1] bgp 65410
[Spoke-CE1-bgp] peer 100.1.1.2 as-number 100
[Spoke-CE1-bgp] import-route direct
[Spoke-CE1-bgp] quit

# Configure Spoke-PE1.
[Spoke-PE1] bgp 100
[Spoke-PE1-bgp] ipv4-family vpn-instance vpna
[Spoke-PE1-bgp-vpna] peer 100.1.1.1 as-number 65410
[Spoke-PE1-bgp-vpna] import-route direct
[Spoke-PE1-bgp-vpna] quit
[Spoke-PE1-bgp] quit

# Configure Spoke-CE2.
[Spoke-CE2] bgp 65420
[Spoke-CE2-bgp] peer 120.1.1.2 as-number 100
[Spoke-CE2-bgp] import-route direct
[Spoke-CE2-bgp] quit

# Configure Spoke-PE2.
[Spoke-PE2] bgp 100
[Spoke-PE2-bgp] ipv4-family vpn-instance vpna
[Spoke-PE2-bgp-vpna] peer 120.1.1.1 as-number 65420
[Spoke-PE2-bgp-vpna] import-route direct
[Spoke-PE2-bgp-vpna] quit
[Spoke-PE2-bgp] quit

# Configure the Hub-CE.
[Hub-CE] bgp 65430
[Hub-CE-bgp] peer 110.1.1.2 as-number 100
[Hub-CE-bgp] peer 110.2.1.2 as-number 100
[Hub-CE-bgp] import-route direct
[Hub-CE-bgp] quit

# Configure the Hub-PE.
[Hub-PE] bgp 100
[Hub-PE-bgp] ipv4-family vpn-instance vpn_in
[Hub-PE-bgp-vpn_in] peer 110.1.1.1 as-number 65430
[Hub-PE-bgp-vpn_in] import-route direct
[Hub-PE-bgp-vpn_in] quit
[Hub-PE-bgp] ipv4-family vpn-instance vpn_out
[Hub-PE-bgp-vpn_out] peer 110.2.1.1 as-number 65430
[Hub-PE-bgp-vpn_out] peer 110.2.1.1 allow-as-loop 1
[Hub-PE-bgp-vpn_out] import-route direct
[Hub-PE-bgp-vpn_out] quit
[Hub-PE-bgp] quit

After the configuration is complete, run the display bgp vpnv4 all peer command
on the PEs. The command output shows that the BGP peer relationships have
been set up between the PEs and CEs and are in Established state.

Step 5 Set up MP-IBGP peer relationships between the Spoke-PEs and Hub-PE.
NOTE

The Spoke-PEs do not need to allow the repeated AS number, because the router does not
check the AS_Path attribute in the routing information advertised by the IBGP peers.

# Configure Spoke-PE1.
[Spoke-PE1] bgp 100
[Spoke-PE1-bgp] peer 2.2.2.9 as-number 100
[Spoke-PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[Spoke-PE1-bgp] ipv4-family vpnv4
[Spoke-PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[Spoke-PE1-bgp-af-vpnv4] quit

# Configure Spoke-PE2.
[Spoke-PE2] bgp 100
[Spoke-PE2-bgp] peer 2.2.2.9 as-number 100
[Spoke-PE2-bgp] peer 2.2.2.9 connect-interface loopback 1
[Spoke-PE2-bgp] ipv4-family vpnv4
[Spoke-PE2-bgp-af-vpnv4] peer 2.2.2.9 enable
[Spoke-PE2-bgp-af-vpnv4] quit

# Configure the Hub-PE.
[Hub-PE] bgp 100
[Hub-PE-bgp] peer 1.1.1.9 as-number 100
[Hub-PE-bgp] peer 1.1.1.9 connect-interface loopback 1
[Hub-PE-bgp] peer 3.3.3.9 as-number 100
[Hub-PE-bgp] peer 3.3.3.9 connect-interface loopback 1
[Hub-PE-bgp] ipv4-family vpnv4
[Hub-PE-bgp-af-vpnv4] peer 1.1.1.9 enable
[Hub-PE-bgp-af-vpnv4] peer 3.3.3.9 enable
[Hub-PE-bgp-af-vpnv4] quit

After the configuration is complete, run the display bgp peer or display bgp
vpnv4 all peer command on the PEs. The command output shows that the BGP
peer relationships have been set up between the Spoke-PEs and the Hub-PE and
are in Established state.

Step 6 Verify the configuration.

# After the configuration is complete, the Spoke-CEs can ping each other. Run the
tracert command on the CEs. The command output shows that the traffic
between the Spoke-CEs is forwarded through the Hub-CE. You can also deduce the
number of forwarding devices between the Spoke-CEs based on the TTL in the
ping result.

# The information displayed on Spoke-CE1 is used as an example.

[Spoke-CE1] ping 120.1.1.1
PING 120.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 120.1.1.1: bytes=56 Sequence=1 ttl=250 time=80 ms
Reply from 120.1.1.1: bytes=56 Sequence=2 ttl=250 time=129 ms
Reply from 120.1.1.1: bytes=56 Sequence=3 ttl=250 time=132 ms
Reply from 120.1.1.1: bytes=56 Sequence=4 ttl=250 time=92 ms
Reply from 120.1.1.1: bytes=56 Sequence=5 ttl=250 time=126 ms
--- 120.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 80/111/132 ms
[Spoke-CE1] tracert 120.1.1.1
traceroute to 120.1.1.1(120.1.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 100.1.1.2 10 ms 2 ms 1 ms
2 110.1.1.2 < AS=100 > 10 ms 2 ms 2 ms
3 110.1.1.1 < AS=100 > 10 ms 2 ms 2 ms
4 110.2.1.2 < AS=65430 > 10 ms 2 ms 2 ms
5 120.1.1.2 < AS=100 > 10 ms 2 ms 2 ms
6 120.1.1.1 < AS=100 > 10 ms 2 ms 5 ms

# Run the display bgp routing-table command on the Spoke-CEs. The command
output shows the repeated AS number in AS paths of the BGP routes to the
remote Spoke-CE.
# The information displayed on Spoke-CE1 is used as an example.
[Spoke-CE1] display bgp routing-table

BGP Local router ID is 100.1.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 8
Network NextHop MED LocPrf PrefVal Path/Ogn

*> 100.1.1.0/24 0.0.0.0 0 0 ?
100.1.1.2 0 0 100?
*> 100.1.1.1/32 0.0.0.0 0 0 ?
*> 110.1.1.0/24 100.1.1.2 0 100 65430?
*> 110.2.1.0/24 100.1.1.2 0 100?
*> 120.1.1.0/24 100.1.1.2 0 100 65430 100?
*> 127.0.0.0 0.0.0.0 0 0 ?
*> 127.0.0.1/32 0.0.0.0 0 0 ?

----End
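
The route exchange that Steps 3 to 5 configure, as an added example (not Huawei's code): a simplified Python model of the VPN-target import/export rules and the AS_Path loop check, showing why a Spoke-CE sees the path 100 65430 100 and what is lost when allow-as-loop is missing on vpn_out. The names Vrf, build, converge and ce_view are illustrative, and the shortest AS_Path is assumed to be the only best-path rule.

```python
from dataclasses import dataclass, field

PROVIDER_AS = 100  # all PEs on this page are in AS 100
CE_AS = {"Spoke-CE1": 65410, "Spoke-CE2": 65420, "Hub-CE": 65430}
# Connected subnets each CE injects with "import-route direct".
CE_DIRECT = {"Spoke-CE1": ["100.1.1.0/24"], "Spoke-CE2": ["120.1.1.0/24"],
             "Hub-CE": ["110.1.1.0/24", "110.2.1.0/24"]}


@dataclass
class Vrf:
    pe: str
    name: str
    ce: str
    imports: frozenset
    exports: frozenset
    direct: str              # subnet of the interface bound to the instance
    allow_as_loop: int = 0   # 0 = strict AS_Path loop check on the CE session
    rib: dict = field(default_factory=dict)  # prefix -> (as_path, exportable)


def build(hub_allow_as_loop=1):
    """VPN instances and VPN targets exactly as configured in Step 3."""
    rt = frozenset
    return [
        Vrf("Spoke-PE1", "vpna", "Spoke-CE1", rt({"200:1"}), rt({"100:1"}), "100.1.1.0/24"),
        Vrf("Spoke-PE2", "vpna", "Spoke-CE2", rt({"200:1"}), rt({"100:1"}), "120.1.1.0/24"),
        Vrf("Hub-PE", "vpn_in", "Hub-CE", rt({"100:1"}), rt(), "110.1.1.0/24"),
        Vrf("Hub-PE", "vpn_out", "Hub-CE", rt(), rt({"200:1"}), "110.2.1.0/24",
            hub_allow_as_loop),
    ]


def install(rib, prefix, path, exportable):
    """Keep the shortest AS_Path per prefix (simplified best-path rule)."""
    old = rib.get(prefix)
    if old is None or len(path) < len(old[0]):
        rib[prefix] = (path, exportable)
        return True
    return False


def converge(vrfs):
    """Exchange routes until nothing changes; return each CE's table."""
    ce_rib = {ce: {p: ((), True) for p in CE_DIRECT[ce]} for ce in CE_AS}
    for v in vrfs:
        v.rib[v.direct] = ((), True)
    changed = True
    while changed:
        changed = False
        for v in vrfs:
            # CE -> PE (EBGP): the CE prepends its AS. The PE rejects the route
            # when its own AS appears more often than allow-as-loop permits.
            for prefix, (path, _) in list(ce_rib[v.ce].items()):
                adv = (CE_AS[v.ce],) + path
                if adv.count(PROVIDER_AS) <= v.allow_as_loop:
                    changed |= install(v.rib, prefix, adv, True)
            for prefix, (path, exportable) in list(v.rib.items()):
                # PE -> PE (MP-IBGP): only CE-learned or direct routes are
                # exported; an instance imports them when a VPN target matches.
                if exportable:
                    for w in vrfs:
                        if w is not v and v.exports & w.imports:
                            changed |= install(w.rib, prefix, path, False)
                # PE -> CE (EBGP): the PE prepends AS 100; the CE drops any
                # path that already contains its own AS.
                adv = (PROVIDER_AS,) + path
                if CE_AS[v.ce] not in adv:
                    changed |= install(ce_rib[v.ce], prefix, adv, True)
    return ce_rib


def ce_view(ce, hub_allow_as_loop=1):
    """AS paths that the given CE ends up with, keyed by prefix."""
    rib = converge(build(hub_allow_as_loop))[ce]
    return {prefix: path for prefix, (path, _) in sorted(rib.items())}


if __name__ == "__main__":
    for loops in (1, 0):
        print(f"Hub-PE vpn_out allow-as-loop = {loops}")
        for prefix, path in ce_view("Spoke-CE1", loops).items():
            print(f"  {prefix:<15} {' '.join(map(str, path)) or '(local)'}")
```

Because the Spoke-PEs import only 200:1 and export only 100:1, no spoke route reaches another spoke without passing through AS 65430, which is what makes the Hub-CE a usable inspection point.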

Configuration Files
● Spoke-CE1 configuration file
#
sysname Spoke-CE1
#
interface GigabitEthernet1/0/0
ip address 100.1.1.1 255.255.255.0
#
bgp 65410
peer 100.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 100.1.1.2 enable
#
return

● Spoke-PE1 configuration file
#
sysname Spoke-PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
label advertise non-null
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpna
ip address 100.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 100.1.1.1 as-number 65410
import-route direct
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return

● Spoke-PE2 configuration file
#
sysname Spoke-PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:3
vpn-target 100:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
label advertise non-null
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpna
ip address 120.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 11.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 120.1.1.1 as-number 65420
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 11.1.1.0 0.0.0.255
#
return

● Spoke-CE2 configuration file
#
sysname Spoke-CE2
#
interface GigabitEthernet1/0/0
ip address 120.1.1.1 255.255.255.0
#
bgp 65420
peer 120.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 120.1.1.2 enable
#
return

● Hub-CE configuration file
#
sysname Hub-CE
#
interface GigabitEthernet1/0/0
ip address 110.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 110.2.1.1 255.255.255.0
#
bgp 65430
peer 110.1.1.2 as-number 100
peer 110.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 110.2.1.2 enable
peer 110.1.1.2 enable
#
return
● Hub-PE configuration file
#
sysname Hub-PE
#
ip vpn-instance vpn_in
ipv4-family
route-distinguisher 100:21
vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn_out
ipv4-family
route-distinguisher 100:22
vpn-target 200:1 export-extcommunity
#
mpls lsr-id 2.2.2.9
mpls
label advertise non-null
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 11.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet3/0/0
ip binding vpn-instance vpn_in
ip address 110.1.1.2 255.255.255.0
#
interface GigabitEthernet4/0/0
ip binding vpn-instance vpn_out
ip address 110.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn_in
peer 110.1.1.1 as-number 65430
import-route direct
#
ipv4-family vpn-instance vpn_out
peer 110.2.1.1 as-number 65430
peer 110.2.1.1 allow-as-loop
import-route direct
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 11.1.1.0 0.0.0.255
#
return

7.9.5 Example for Configuring Inter-AS VPN Option A

Networking Requirements
The headquarters and branches of a company connect to networks of different
carriers. To enable the headquarters and branches to communicate, Inter-AS BGP/
MPLS IP VPN needs to be implemented. As shown in Figure 7-46, CE1 is located in
the headquarters and connects to PE1 in AS 100. CE2 is located at the branch and
connects to PE2 in AS 200. Both CE1 and CE2 belong to vpn1.

Figure 7-46 Networking diagram for configuring inter-AS VPN Option A

Device     AS        Interface   IP address
CE1        65001     GE1/0/0     10.1.1.1/24
PE1        100       Loopback1   1.1.1.9/32
                     GE1/0/0     172.1.1.2/24
                     GE2/0/0     10.1.1.2/24
ASBR-PE1   100       Loopback1   2.2.2.9/32
                     GE1/0/0     172.1.1.1/24
                     GE2/0/0     192.1.1.1/24
ASBR-PE2   200       Loopback1   3.3.3.9/32
                     GE1/0/0     162.1.1.1/24
                     GE2/0/0     192.1.1.2/24
PE2        200       Loopback1   4.4.4.9/32
                     GE1/0/0     162.1.1.2/24
                     GE2/0/0     10.2.1.2/24
CE2        65002     GE1/0/0     10.2.1.1/24

CE1 and CE2 belong to vpn1. AS 100 and AS 200 are the VPN backbones.

Configuration Roadmap
Inter-AS Option A can be deployed to meet the company's requirement. The
configuration roadmap is as follows:
1. On the MPLS backbone network in AS 100 and AS 200, configure an IGP
protocol to enable the PE and ASBR-PEs to communicate with each other.

2. Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone
network to set up LDP LSPs.
3. Set up an MP-IBGP peer relationship between the PE and ASBR-PEs in each
AS to exchange VPN routing information.
4. Create a VPN instance on the PE in each AS and bind the VPN instance to the
interface connected to the CE.
5. Set up an EBGP peer relationship between the PEs and CEs in each AS to
exchange VPN routing information.
6. Create a VPN instance on each ASBR-PE and bind the instance to the interface
connected to the other ASBR-PE (regarding the ASBR-PE as its CE). Set up an
EBGP peer relationship between the ASBR-PEs to exchange VPN routing
information.

Procedure
Step 1 Assign IP addresses to interfaces according to Figure 7-46.
# Configure PE1. The configuration on PE2, CE1, CE2, ASBR-PE1, and ASBR-PE2 is
similar to the configuration on PE1 and is not mentioned here.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] ip address 172.1.1.2 24
[PE1-GigabitEthernet1/0/0] quit

Step 2 On the MPLS backbone network in AS 100 and AS 200, configure OSPF to enable
the PEs and the ASBR-PEs to communicate with each other.
# Configure PE1. The configuration on PE2 and ASBR-PEs is similar to the
configuration on PE1 and is not mentioned here.
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

NOTE

The 32-bit loopback interface address used as LSR ID should be advertised by the PEs and
ASBR-PEs using OSPF.

After the configuration is complete, the ASBR-PEs and PEs in the same AS can set
up an OSPF neighbor relationship. Run the display ospf peer command to verify
that the status of the neighbor relationship is Full. Run the display ip routing-
table command. The command output shows that the ASBR and PEs in the same
AS have learned the routes to Loopback1 of each other.
Step 3 Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network
of AS 100 and AS 200 to set up LDP LSPs.
# Configure basic MPLS capabilities on PE1 and enable LDP on the interface
connected to ASBR-PE1.

[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] label advertise non-null
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] mpls
[PE1-GigabitEthernet1/0/0] mpls ldp
[PE1-GigabitEthernet1/0/0] quit

# Configure basic MPLS capabilities on ASBR-PE1 and enable LDP on the interface
connected to PE1.

[ASBR-PE1] mpls lsr-id 2.2.2.9
[ASBR-PE1] mpls
[ASBR-PE1-mpls] label advertise non-null
[ASBR-PE1-mpls] quit
[ASBR-PE1] mpls ldp
[ASBR-PE1-mpls-ldp] quit
[ASBR-PE1] interface gigabitethernet 1/0/0
[ASBR-PE1-GigabitEthernet1/0/0] mpls
[ASBR-PE1-GigabitEthernet1/0/0] mpls ldp
[ASBR-PE1-GigabitEthernet1/0/0] quit

# Configure basic MPLS capabilities on ASBR-PE2 and enable LDP on the interface
connected to PE2.

[ASBR-PE2] mpls lsr-id 3.3.3.9
[ASBR-PE2] mpls
[ASBR-PE2-mpls] label advertise non-null
[ASBR-PE2-mpls] quit
[ASBR-PE2] mpls ldp
[ASBR-PE2-mpls-ldp] quit
[ASBR-PE2] interface gigabitethernet 1/0/0
[ASBR-PE2-GigabitEthernet1/0/0] mpls
[ASBR-PE2-GigabitEthernet1/0/0] mpls ldp
[ASBR-PE2-GigabitEthernet1/0/0] quit

# Configure basic MPLS capabilities on PE2 and enable LDP on the interface
connected to ASBR-PE2.

[PE2] mpls lsr-id 4.4.4.9
[PE2] mpls
[PE2-mpls] label advertise non-null
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] mpls
[PE2-GigabitEthernet1/0/0] mpls ldp
[PE2-GigabitEthernet1/0/0] quit

After the configuration is complete, the PE and ASBR-PEs in the same AS can set
up an LDP peer relationship. Run the display mpls ldp session command on the
PE and ASBR-PEs to verify that the state is Operational.
The information displayed on PE1 is used as an example.
[PE1] display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.9:0 Operational DU Active 0002:23:46 17225/17224
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.

Step 4 Set up an MP-IBGP peer relationship between the PE and ASBR-PEs in each AS to
exchange VPN routing information.

# On PE1: set up an MP-IBGP peer relationship with ASBR-PE1. The configuration
on PE2 is similar to the configuration on PE1 and is not mentioned here.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# On ASBR-PE1: set up an MP-IBGP peer relationship with PE1. The configuration
on ASBR-PE2 is similar to the configuration on ASBR-PE1 and is not mentioned
here.
[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] peer 1.1.1.9 as-number 100
[ASBR-PE1-bgp] peer 1.1.1.9 connect-interface loopback 1
[ASBR-PE1-bgp] ipv4-family vpnv4
[ASBR-PE1-bgp-af-vpnv4] peer 1.1.1.9 enable
[ASBR-PE1-bgp-af-vpnv4] quit
[ASBR-PE1-bgp] quit

Step 5 On the PEs, create a VPN instance, enable the IPv4 address family in the instance,
and bind the instance to the interfaces connected to CEs.
NOTE

The VPN targets of the VPN instances on the ASBR-PE and PEs in an AS must match. In
different ASs, the VPN targets of the PEs do not need to match.

# Configure PE1. The configuration on PE2 is similar to the configuration on PE1
and is not mentioned here.
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] ipv4-family
[PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 both
[PE1-vpn-instance-vpn1-af-ipv4] quit
[PE1-vpn-instance-vpn1] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[PE1-GigabitEthernet2/0/0] ip address 10.1.1.2 24
[PE1-GigabitEthernet2/0/0] quit

Step 6 Set up EBGP peer relationships between the PEs and CEs to exchange VPN routing
information.

# Configure CE1. The configuration on CE2 is similar to the configuration on CE1
and is not mentioned here.
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[CE1-GigabitEthernet1/0/0] quit
[CE1] bgp 65001
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

# Configure PE1. The configuration on PE2 is similar to the configuration on PE1
and is not mentioned here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65001
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] quit
[PE1-bgp] quit

After the configuration is complete, run the display bgp vpnv4 vpn-instance
vpn-instance-name peer command on the PEs. The command output shows that the
BGP peer relationships have been set up between the PEs and CEs and are in
Established state. Run the display bgp vpnv4 all peer command on the PEs. The
command output shows that each PE has set up a BGP peer relationship with the
CE and ASBR-PEs in the same AS, and the BGP peer relationships are in
Established state.
The information displayed on PE1 is used as an example.
[PE1] display bgp vpnv4 vpn-instance vpn1 peer

BGP local router ID : 1.1.1.9
Local AS number : 100

VPN-Instance vpn1, Router ID 1.1.1.9:
Total number of peers : 1 Peers in established state : 1

  Peer            V     AS  MsgRcvd  MsgSent  OutQ   Up/Down        State  PrefRcv

  10.1.1.1        4  65001        5        4     0  00:00:01  Established        3

[PE1] display bgp vpnv4 all peer

BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 2 Peers in established state : 2

  Peer            V     AS  MsgRcvd  MsgSent  OutQ   Up/Down        State  PrefRcv

  2.2.2.9         4    100       11       11     0  00:07:09  Established        0

Peer of IPv4-family for vpn instance :

VPN-Instance vpn1, Router ID 1.1.1.9:
  10.1.1.1        4  65001        5        4     0  00:00:12  Established        3

Step 7 Configure Inter-AS VPN Option A.
# On ASBR-PE1, create a VPN instance and bind the VPN instance to the interface
connected to ASBR-PE2 (ASBR-PE1 considers ASBR-PE2 as its CE).
[ASBR-PE1] ip vpn-instance vpn1
[ASBR-PE1-vpn-instance-vpn1] ipv4-family
[ASBR-PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:2
[ASBR-PE1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 both
[ASBR-PE1-vpn-instance-vpn1-af-ipv4] quit
[ASBR-PE1-vpn-instance-vpn1] quit
[ASBR-PE1] interface gigabitethernet 2/0/0
[ASBR-PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[ASBR-PE1-GigabitEthernet2/0/0] ip address 192.1.1.1 24
[ASBR-PE1-GigabitEthernet2/0/0] quit

# On ASBR-PE2, create a VPN instance and bind the VPN instance to the interface
connected to ASBR-PE1 (ASBR-PE2 considers ASBR-PE1 as its CE).
[ASBR-PE2] ip vpn-instance vpn1
[ASBR-PE2-vpn-instance-vpn1] ipv4-family
[ASBR-PE2-vpn-instance-vpn1-af-ipv4] route-distinguisher 200:2
[ASBR-PE2-vpn-instance-vpn1-af-ipv4] vpn-target 2:2 both
[ASBR-PE2-vpn-instance-vpn1-af-ipv4] quit
[ASBR-PE2-vpn-instance-vpn1] quit
[ASBR-PE2] interface gigabitethernet 2/0/0
[ASBR-PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[ASBR-PE2-GigabitEthernet2/0/0] ip address 192.1.1.2 24
[ASBR-PE2-GigabitEthernet2/0/0] quit

# On ASBR-PE1, set up an EBGP peer relationship with ASBR-PE2.
[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] ipv4-family vpn-instance vpn1
[ASBR-PE1-bgp-vpn1] peer 192.1.1.2 as-number 200
[ASBR-PE1-bgp-vpn1] import-route direct
[ASBR-PE1-bgp-vpn1] quit
[ASBR-PE1-bgp] quit

# On ASBR-PE2, set up an EBGP peer relationship with ASBR-PE1.
[ASBR-PE2] bgp 200
[ASBR-PE2-bgp] ipv4-family vpn-instance vpn1
[ASBR-PE2-bgp-vpn1] peer 192.1.1.1 as-number 100
[ASBR-PE2-bgp-vpn1] import-route direct
[ASBR-PE2-bgp-vpn1] quit
[ASBR-PE2-bgp] quit

Run the display bgp vpnv4 vpn-instance vpn1 peer command on the ASBR-PEs.
The command output shows that a BGP peer relationship has been established
between the ASBR-PEs and is in Established state.
Step 8 Verify the configuration.
# After the configuration is complete, CE1 and CE2 learn routes to interfaces on
each other and can ping each other successfully.
# The information displayed on CE1 is used as an example.
[CE1] display ip routing-table
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 9 Routes : 9
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.1 GigabitEthernet1/0/0
10.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.2.1.0/24 EBGP 255 0 D 10.1.1.2 GigabitEthernet1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.1.1.0/24 EBGP 255 0 D 10.1.1.2 GigabitEthernet1/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
[CE1] ping 10.2.1.1
PING 10.2.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=251 time=119 ms
Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=251 time=141 ms
Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=251 time=136 ms
Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=251 time=113 ms
Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=251 time=78 ms
--- 10.2.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 78/117/141 ms

# Run the display ip routing-table vpn-instance command on an ASBR-PE to
check the VPN routing table.

[ASBR-PE1] display ip routing-table vpn-instance vpn1
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpn1
Destinations : 6 Routes : 6
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 IBGP 255 0 RD 1.1.1.9 GigabitEthernet1/0/0
10.2.1.0/24 EBGP 255 0 D 192.1.1.2 GigabitEthernet2/0/0
192.1.1.0/24 Direct 0 0 D 192.1.1.1 GigabitEthernet2/0/0
192.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
192.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

# Run the display bgp vpnv4 all routing-table command on an ASBR-PE to
check the VPNv4 routes.
[ASBR-PE1] display bgp vpnv4 all routing-table

BGP Local router ID is 2.2.2.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total number of routes from all PE: 5

Route Distinguisher: 100:1

Network NextHop MED LocPrf PrefVal Path/Ogn

*>i 10.1.1.0/24 1.1.1.9 0 100 0 ?

Route Distinguisher: 100:2

Network NextHop MED LocPrf PrefVal Path/Ogn

*> 10.2.1.0/24 192.1.1.2 0 200?
*> 192.1.1.0 0.0.0.0 0 0 ?
* 192.1.1.2 0 0 200?
*> 192.1.1.1/32 0.0.0.0 0 0 ?

VPN-Instance vpn1, Router ID 2.2.2.9:

Total Number of Routes: 5

Network NextHop MED LocPrf PrefVal Path/Ogn

*>i 10.1.1.0/24 1.1.1.9 0 100 0 ?
*> 10.2.1.0/24 192.1.1.2 0 200?
*> 192.1.1.0 0.0.0.0 0 0 ?
192.1.1.2 0 0 200?
*> 192.1.1.1/32 0.0.0.0 0 0 ?

----End
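
A pre-deployment check for Step 7, as an added example (not Huawei's code): in Option A each ASBR-PE treats the other as a CE, so every EBGP peer configured under a VPN instance must sit on the subnet of an interface bound to that same instance. The Python below parses configuration-file text in the format shown on this page; the function names are illustrative, the first sample uses the ASBR-PE1 settings from Step 7 and Figure 7-46, and the second is a constructed variant with a mistyped interface address.

```python
import ipaddress

# ASBR-PE1 stanzas (addresses as in Figure 7-46 and Step 7).
ASBR_PE1 = """
#
interface GigabitEthernet1/0/0
 ip address 172.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet2/0/0
 ip binding vpn-instance vpn1
 ip address 192.1.1.1 255.255.255.0
#
bgp 100
 peer 1.1.1.9 as-number 100
 #
 ipv4-family vpn-instance vpn1
  peer 192.1.1.2 as-number 200
  import-route direct
#
return
"""
# Constructed variant: the VPN-bound interface carries a mistyped address.
MISTYPED = ASBR_PE1.replace("192.1.1.1 255", "192.168.1.1 255")


def stanzas(cfg):
    """Yield stanzas as lists of stripped lines; '#' lines separate them."""
    block = []
    for line in cfg.splitlines():
        line = line.strip()
        if line in ("#", "return"):
            if block:
                yield block
            block = []
        elif line:
            block.append(line)
    if block:
        yield block


def vpn_interfaces(cfg):
    """Map VPN instance name -> [(interface name, IPv4Interface)]."""
    bound = {}
    for st in stanzas(cfg):
        if not st[0].startswith("interface "):
            continue
        vpn = addr = None
        for line in st[1:]:
            w = line.split()
            if w[:3] == ["ip", "binding", "vpn-instance"] and len(w) == 4:
                vpn = w[3]
            elif w[:2] == ["ip", "address"] and len(w) >= 4:
                addr = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        if vpn and addr:
            bound.setdefault(vpn, []).append((st[0].split()[1], addr))
    return bound


def vpn_peers(cfg):
    """Map VPN instance name -> [(peer address, remote AS)]."""
    peers = {}
    for st in stanzas(cfg):
        head = st[0].split()
        if head[:2] != ["ipv4-family", "vpn-instance"] or len(head) != 3:
            continue
        for line in st[1:]:
            w = line.split()
            if len(w) == 4 and w[0] == "peer" and w[2] == "as-number":
                peers.setdefault(head[2], []).append(
                    (ipaddress.ip_address(w[1]), int(w[3])))
    return peers


def audit(cfg):
    """Return (vpn, peer, remote_as) for peers no bound interface can reach."""
    bound = vpn_interfaces(cfg)
    findings = []
    for vpn, plist in vpn_peers(cfg).items():
        for peer, asn in plist:
            if not any(peer in addr.network for _, addr in bound.get(vpn, [])):
                findings.append((vpn, str(peer), asn))
    return findings


if __name__ == "__main__":
    for label, cfg in (("ASBR-PE1", ASBR_PE1), ("mistyped variant", MISTYPED)):
        print(label, audit(cfg) or "OK")
```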

Configuration Files
● CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65001
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
● PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
label advertise non-null
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 65001
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
● ASBR-PE1 configuration file
#
sysname ASBR-PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.9
mpls
label advertise non-null
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.16.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 192.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
import-route direct
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
peer 192.1.1.2 as-number 200
import-route direct
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
● ASBR-PE2 configuration file
#
sysname ASBR-PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:2
vpn-target 2:2 export-extcommunity
vpn-target 2:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
label advertise non-null
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 192.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 200
peer 4.4.4.9 as-number 200
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 4.4.4.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 4.4.4.9 enable
#
ipv4-family vpn-instance vpn1
peer 192.1.1.1 as-number 100
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
● PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
vpn-target 2:2 export-extcommunity
vpn-target 2:2 import-extcommunity
#
mpls lsr-id 4.4.4.9
mpls
label advertise non-null
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 200
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 65002
import-route direct
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return

● CE2 configuration file
#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65002
peer 10.2.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return

7.9.6 Example for Configuring Inter-AS VPN Option B

Networking Requirements
The headquarters and branches of a company connect to networks of different
carriers. To enable the headquarters and branches to communicate, Inter-AS BGP/
MPLS IP VPN needs to be implemented. As shown in Figure 7-47, CE1 is located in
the headquarters and connects to PE1 in AS 100. CE2 is located at the branch and
connects to PE2 in AS 200. Both CE1 and CE2 belong to vpn1.

Figure 7-47 Networking diagram for configuring inter-AS VPN Option B

VPN backbone AS 100: PE1, ASBR-PE1. VPN backbone AS 200: ASBR-PE2, PE2.
CE1 (AS 65001) and CE2 (AS 65002) belong to vpn1.

Device     Interface   IP address
CE1        GE1/0/0     10.1.1.1/24
PE1        GE2/0/0     10.1.1.2/24
PE1        GE1/0/0     172.1.1.2/24
PE1        Loopback1   1.1.1.9/32
ASBR-PE1   GE1/0/0     172.1.1.1/24
ASBR-PE1   GE2/0/0     192.1.1.1/24
ASBR-PE1   Loopback1   2.2.2.9/32
ASBR-PE2   GE2/0/0     192.1.1.2/24
ASBR-PE2   GE1/0/0     162.1.1.1/24
ASBR-PE2   Loopback1   3.3.3.9/32
PE2        GE1/0/0     162.1.1.2/24
PE2        GE2/0/0     10.2.1.2/24
PE2        Loopback1   4.4.4.9/32
CE2        GE1/0/0     10.2.1.1/24

Configuration Roadmap
Inter-AS Option B can be deployed to meet the company's requirement. The
configuration roadmap is as follows:
1. On the MPLS backbone network in AS 100 and AS 200, configure an IGP
protocol to enable the PE and ASBR-PEs to communicate with each other.
2. Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone
network to set up LDP LSPs.
3. Set up an MP-IBGP peer relationship between the PE and ASBR-PEs in each
AS to exchange VPN routing information.
4. Create a VPN instance on the PE in each AS and bind the VPN instance to the
interface connected to the CE.
5. Set up an EBGP peer relationship between the PEs and CEs in each AS
to exchange VPN routing information.
6. Enable MPLS on the interfaces connecting the ASBRs and set up an MP-EBGP
peer relationship between the ASBRs. Configure the ASBRs not to filter
received VPNv4 routes based on VPN targets.

Procedure
Step 1 Assign IP addresses to interfaces according to Figure 7-47.
# Configure PE1. The configuration on PE2, CE1, CE2, ASBR-PE1, and ASBR-PE2 is
similar to the configuration on PE1 and is not mentioned here.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] ip address 172.1.1.2 24
[PE1-GigabitEthernet1/0/0] quit

Step 2 On the MPLS backbone network in AS 100 and AS 200, configure OSPF to enable
the PEs and the ASBR-PEs to communicate with each other.
# Configure PE1. The configuration on PE2 and ASBR-PEs is similar to the
configuration on PE1 and is not mentioned here.
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

NOTE

The 32-bit loopback interface address used as LSR ID should be advertised by the PEs and
ASBR-PEs using OSPF.

After the configuration is complete, the ASBR and PEs in the same AS can set up
an OSPF neighbor relationship. Run the display ospf peer command to verify that
the status of the neighbor relationship is Full. Run the display ip routing-table
command. The command output shows that the ASBR and PEs in the same AS
have learned the routes to Loopback1 of each other.
Step 3 Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network
of AS 100 and AS 200 to set up LDP LSPs.
# Configure basic MPLS capabilities on PE1 and enable LDP on the interface
connected to ASBR-PE1.

[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] mpls
[PE1-GigabitEthernet1/0/0] mpls ldp
[PE1-GigabitEthernet1/0/0] quit

# Configure basic MPLS capabilities on ASBR-PE1 and enable LDP on the interface
connected to PE1.

[ASBR-PE1] mpls lsr-id 2.2.2.9
[ASBR-PE1] mpls
[ASBR-PE1-mpls] quit
[ASBR-PE1] mpls ldp
[ASBR-PE1-mpls-ldp] quit
[ASBR-PE1] interface gigabitethernet 1/0/0
[ASBR-PE1-GigabitEthernet1/0/0] mpls
[ASBR-PE1-GigabitEthernet1/0/0] mpls ldp
[ASBR-PE1-GigabitEthernet1/0/0] quit

# Configure basic MPLS capabilities on ASBR-PE2 and enable LDP on the interface
connected to PE2.

[ASBR-PE2] mpls lsr-id 3.3.3.9
[ASBR-PE2] mpls
[ASBR-PE2-mpls] quit
[ASBR-PE2] mpls ldp
[ASBR-PE2-mpls-ldp] quit
[ASBR-PE2] interface gigabitethernet 1/0/0
[ASBR-PE2-GigabitEthernet1/0/0] mpls
[ASBR-PE2-GigabitEthernet1/0/0] mpls ldp
[ASBR-PE2-GigabitEthernet1/0/0] quit

# Configure basic MPLS capabilities on PE2 and enable LDP on the interface
connected to ASBR-PE2.

[PE2] mpls lsr-id 4.4.4.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] mpls
[PE2-GigabitEthernet1/0/0] mpls ldp
[PE2-GigabitEthernet1/0/0] quit

After the configuration is complete, the PE and ASBR-PEs in the same AS can set
up an LDP peer relationship. Run the display mpls ldp session command on the
PE and ASBR-PEs to verify that the state is Operational.
The information displayed on PE1 is used as an example.
[PE1] display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.9:0 Operational DU Active 0002:23:46 17225/17224
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.

Step 4 Set up an MP-IBGP peer relationship between the PE and ASBR-PEs in each AS to
exchange VPN routing information.
# On PE1: set up an MP-IBGP peer relationship with ASBR-PE1. The configuration
on PE2 is similar to the configuration on PE1 and is not mentioned here.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# On ASBR-PE1: set up an MP-IBGP peer relationship with PE1. The configuration
on ASBR-PE2 is similar to the configuration on ASBR-PE1 and is not mentioned
here.
[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] peer 1.1.1.9 as-number 100
[ASBR-PE1-bgp] peer 1.1.1.9 connect-interface loopback 1
[ASBR-PE1-bgp] ipv4-family vpnv4
[ASBR-PE1-bgp-af-vpnv4] peer 1.1.1.9 enable
[ASBR-PE1-bgp-af-vpnv4] quit
[ASBR-PE1-bgp] quit

Step 5 On the PEs, create a VPN instance, enable the IPv4 address family in the instance,
and bind the instance to the interfaces connected to CEs.
NOTE

The VPN targets of the VPN instances on the ASBR-PE and PEs in an AS must match. In
different ASs, the VPN targets of the PEs do not need to match.

# Configure PE1. The configuration on PE2 is similar to the configuration on PE1
and is not mentioned here.
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] ipv4-family
[PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 both
[PE1-vpn-instance-vpn1-af-ipv4] quit
[PE1-vpn-instance-vpn1] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[PE1-GigabitEthernet2/0/0] ip address 10.1.1.2 24
[PE1-GigabitEthernet2/0/0] quit

Step 6 Set up EBGP peer relationships between the PEs and CEs to exchange VPN routing
information.
# Configure CE1. The configuration on CE2 is similar to the configuration on CE1
and is not mentioned here.

[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[CE1-GigabitEthernet1/0/0] quit
[CE1] bgp 65001
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

# Configure PE1. The configuration on PE2 is similar to the configuration on PE1
and is not mentioned here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65001
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] quit
[PE1-bgp] quit

After the configuration is complete, run the display bgp vpnv4 vpn-instance vpn-
instancename peer command on the PEs. The command output shows that the
BGP peer relationships have been set up between the PEs and CEs and are in
Established state. Run the display bgp vpnv4 all peer command on the PEs. The
command output shows that each PE has set up a BGP peer relationship with the
CE and ASBR-PEs in the same AS, and the BGP peer relationships are in
Established state.
The information displayed on PE1 is used as an example.
[PE1] display bgp vpnv4 vpn-instance vpn1 peer

BGP local router ID : 1.1.1.9


Local AS number : 100

VPN-Instance vpn1, Router ID 1.1.1.9:


Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

10.1.1.1 4 65001 965 967 0 16:00:58 Established 3


[PE1] display bgp vpnv4 all peer

BGP local router ID : 1.1.1.9


Local AS number : 100
Total number of peers : 2 Peers in established state : 2

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

2.2.2.9 4 100 979 974 0 16:08:16 Established 0

Peer of IPv4-family for vpn instance :

VPN-Instance vpn1, Router ID 1.1.1.9:


10.1.1.1 4 65001 966 968 0 16:01:19 Established 3

Step 7 Configure Inter-AS VPN Option B.


# On ASBR-PE1: Enable MPLS on the interface connected to ASBR-PE2.
[ASBR-PE1] interface gigabitethernet 2/0/0
[ASBR-PE1-GigabitEthernet2/0/0] ip address 192.1.1.1 24
[ASBR-PE1-GigabitEthernet2/0/0] mpls
[ASBR-PE1-GigabitEthernet2/0/0] quit

# On ASBR-PE1: set up the MP-EBGP peer relationship with ASBR-PE2, disable
ASBR-PE1 from filtering VPNv4 routes based on VPN targets, and enable next-
hop-based label allocation. The configuration on ASBR-PE2 is similar to the
configuration on ASBR-PE1 and is not mentioned here.
[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] peer 192.1.1.2 as-number 200
[ASBR-PE1-bgp] ipv4-family vpnv4
[ASBR-PE1-bgp-af-vpnv4] peer 192.1.1.2 enable
[ASBR-PE1-bgp-af-vpnv4] undo policy vpn-target
[ASBR-PE1-bgp-af-vpnv4] apply-label per-nexthop
[ASBR-PE1-bgp-af-vpnv4] quit
[ASBR-PE1-bgp] quit

Step 8 Verify the configuration.


# After the configuration is complete, CE1 and CE2 learn routes to interfaces on
each other and can ping each other successfully.
# The information displayed on CE1 is used as an example.
[CE1] display ip routing-table
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.1 GigabitEthernet1/0/0
10.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.2.1.0/24 EBGP 255 0 D 10.1.1.2 GigabitEthernet1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

[CE1] ping 10.2.1.1
PING 10.2.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=251 time=119 ms
Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=251 time=141 ms
Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=251 time=136 ms
Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=251 time=113 ms
Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=251 time=78 ms
--- 10.2.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 78/117/141 ms

# Run the display bgp vpnv4 all routing-table command on an ASBR-PE to
check the VPNv4 routes.
[ASBR-PE1] display bgp vpnv4 all routing-table

BGP Local router ID is 110.1.1.2


Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total number of routes from all PE: 2


Route Distinguisher: 100:1

Network NextHop MED LocPrf PrefVal Path/Ogn

*>i 10.1.1.0/24 1.1.1.9 0 100 0 ?

Route Distinguisher: 200:1

Network NextHop MED LocPrf PrefVal Path/Ogn

*> 10.2.1.0/24 192.1.1.2 0 200?

----End

Configuration Files
● CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65001
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return

● PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 65001
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
● ASBR-PE1 configuration file
#
sysname ASBR-PE1
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 192.1.1.1 255.255.255.0
mpls
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 192.1.1.2 as-number 200
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 192.1.1.2 enable
peer 1.1.1.9 enable
#
ipv4-family vpnv4
undo policy vpn-target
apply-label per-nexthop
peer 1.1.1.9 enable
peer 192.1.1.2 enable
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
● ASBR-PE2 configuration file
#
sysname ASBR-PE2
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 192.1.1.2 255.255.255.0
mpls
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 200
peer 192.1.1.1 as-number 100
peer 4.4.4.9 as-number 200
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 192.1.1.1 enable
peer 4.4.4.9 enable
#
ipv4-family vpnv4
undo policy vpn-target
apply-label per-nexthop
peer 4.4.4.9 enable
peer 192.1.1.1 enable
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
● PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 200
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 65002
import-route direct
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
● CE2 configuration file
#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65002
peer 10.2.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
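
The following Python auditor is an added example, not part of the Huawei guide. It reads a configuration file in the style shown above and reports two things the Option B procedure depends on: an LDP-enabled interface or LSR-ID loopback that no OSPF network statement covers, and an EBGP VPNv4 peer on an ASBR that runs undo policy vpn-target without an import route-policy. The sample configuration and the finding names IGP-GAP and RT-UNFILTERED-EBGP are constructed for this example, and treating a missing import policy as a review item is this example's assumption, not a requirement stated in the guide.

```python
import ipaddress
import re

# Constructed sample modelled on ASBR-PE2; the second OSPF network is deliberately wrong.
SAMPLE_ASBR = """\
mpls lsr-id 3.3.3.9
#
mpls ldp
#
interface GigabitEthernet1/0/0
 ip address 162.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet2/0/0
 ip address 192.1.1.2 255.255.255.0
 mpls
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
bgp 200
 peer 192.1.1.1 as-number 100
 peer 4.4.4.9 as-number 200
 #
 ipv4-family vpnv4
  undo policy vpn-target
  peer 4.4.4.9 enable
  peer 192.1.1.1 enable
#
ospf 1
 area 0.0.0.0
  network 3.3.3.9 0.0.0.0
  network 162.2.1.0 0.0.0.255
#
"""


def wildcard_net(addr, wildcard):
    """Convert an OSPF 'network <addr> <wildcard>' pair to an IPv4Network."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(text):
    cfg = {"lsr_id": None, "local_as": None, "ifaces": {}, "ospf": [], "peer_as": {},
           "vpnv4_peers": [], "import_policy": set(), "rt_filter": True}
    ctx = family = iface = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "#":
            # '#' closes an interface or OSPF view; inside BGP it only ends the family.
            ctx, family = (ctx if ctx == "bgp" else None), None
        elif m := re.fullmatch(r"interface (\S+)", line):
            ctx, iface = "if", m[1]
            cfg["ifaces"][iface] = {"ip": None, "ldp": False}
        elif m := re.fullmatch(r"bgp (\d+)", line):
            ctx, cfg["local_as"] = "bgp", int(m[1])
        elif re.fullmatch(r"ospf \d+", line):
            ctx = "ospf"
        elif m := re.fullmatch(r"mpls lsr-id (\S+)", line):
            cfg["lsr_id"] = ipaddress.ip_address(m[1])
        elif ctx == "if" and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            cfg["ifaces"][iface]["ip"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").ip
        elif ctx == "if" and line == "mpls ldp":
            cfg["ifaces"][iface]["ldp"] = True
        elif ctx == "ospf" and (m := re.fullmatch(r"network (\S+) (\S+)", line)):
            cfg["ospf"].append(wildcard_net(m[1], m[2]))
        elif ctx == "bgp" and (m := re.fullmatch(r"peer (\S+) as-number (\d+)", line)):
            cfg["peer_as"][m[1]] = int(m[2])
        elif ctx == "bgp" and line.startswith("ipv4-family"):
            family = "vpnv4" if line == "ipv4-family vpnv4" else "other"
        elif family == "vpnv4" and line == "undo policy vpn-target":
            cfg["rt_filter"] = False
        elif family == "vpnv4" and (m := re.fullmatch(r"peer (\S+) enable", line)):
            cfg["vpnv4_peers"].append(m[1])
        elif family == "vpnv4" and (
                m := re.fullmatch(r"peer (\S+) route-policy \S+ import", line)):
            cfg["import_policy"].add(m[1])
    return cfg


def audit(text):
    cfg = parse(text)
    findings = []
    for name, itf in cfg["ifaces"].items():
        # LDP interfaces and the LSR-ID loopback must be reachable through the IGP.
        needs_igp = itf["ldp"] or (itf["ip"] is not None and itf["ip"] == cfg["lsr_id"])
        if needs_igp and itf["ip"] and not any(itf["ip"] in n for n in cfg["ospf"]):
            findings.append(("IGP-GAP", name))
    if not cfg["rt_filter"]:
        for peer in cfg["vpnv4_peers"]:
            external = cfg["peer_as"].get(peer) != cfg["local_as"]
            if external and peer not in cfg["import_policy"]:
                findings.append(("RT-UNFILTERED-EBGP", peer))
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_ASBR))
```

The parser ignores indentation, so it also accepts configuration text that has been flattened the way the listings on this page are.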

7.9.7 Example for Configuring Inter-AS VPN Option C (Solution 1)

Networking Requirements
The headquarters and branches of a company connect to networks of different
carriers. To enable the headquarters and branches to communicate, Inter-AS BGP/
MPLS IP VPN needs to be implemented. As shown in Figure 7-48, CE1 is located in
the headquarters and connects to PE1 in AS 100. CE2 is located at the branch and
connects to PE2 in AS 200. Both CE1 and CE2 belong to vpn1.

Figure 7-48 Networking diagram for configuring inter-AS VPN Option C

VPN backbone AS 100: PE1, ASBR-PE1. VPN backbone AS 200: ASBR-PE2, PE2.
CE1 (AS 65001) and CE2 (AS 65002) belong to vpn1.

Device     Interface   IP address
CE1        GE1/0/0     10.1.1.1/24
PE1        GE2/0/0     10.1.1.2/24
PE1        GE1/0/0     172.1.1.2/24
PE1        Loopback1   1.1.1.9/32
ASBR-PE1   GE1/0/0     172.1.1.1/24
ASBR-PE1   GE2/0/0     192.1.1.1/24
ASBR-PE1   Loopback1   2.2.2.9/32
ASBR-PE2   GE2/0/0     192.1.1.2/24
ASBR-PE2   GE1/0/0     162.1.1.1/24
ASBR-PE2   Loopback1   3.3.3.9/32
PE2        GE1/0/0     162.1.1.2/24
PE2        GE2/0/0     10.2.1.2/24
PE2        Loopback1   4.4.4.9/32
CE2        GE1/0/0     10.2.1.1/24

Configuration Roadmap
Inter-AS Option C can be deployed to meet the company's requirement. The
configuration roadmap is as follows:
1. On the MPLS backbone network in AS 100 and AS 200, configure an IGP
protocol to enable the PE and ASBR-PEs to communicate with each other.
2. Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone
network to set up LDP LSPs.
3. Set up an MP-IBGP peer relationship between the PE and ASBR-PEs in each
AS to exchange the labeled IPv4 routes.
4. Create a VPN instance on the PE in each AS and bind the VPN instance to the
interface connected to the CE.
5. Set up an EBGP peer relationship between the PEs and CEs in each AS to
exchange VPN routing information.
6. Enable the capability of exchanging labeled IPv4 routes between the local
ASBR-PE and the remote ASBR-PE.
7. Set up an MP-EBGP relationship between PEs in different ASs and set the
maximum hops between the PEs.
8. Configure a routing policy on the ASBR-PE: Assign MPLS labels to the routes
advertised to the remote ASBR-PE; assign new MPLS labels to the labeled IPv4
routes advertised to the PE in the local AS.

Procedure
Step 1 Assign IP addresses to interfaces according to Figure 7-48.

# Configure PE1. The configuration on PE2, CE1, CE2, ASBR-PE1, and ASBR-PE2 is
similar to the configuration on PE1 and is not mentioned here.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] ip address 172.1.1.2 24
[PE1-GigabitEthernet1/0/0] quit

Step 2 On the MPLS backbone network in AS 100 and AS 200, configure OSPF to enable
the PEs and the ASBR-PEs to communicate with each other.

# Configure PE1. The configuration on PE2 and ASBR-PEs is similar to the
configuration on PE1 and is not mentioned here.
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

NOTE

The 32-bit loopback interface address used as LSR ID should be advertised by the PEs and
ASBR-PEs using OSPF.

After the configuration is complete, the ASBR and PEs in the same AS can set up
an OSPF neighbor relationship. Run the display ospf peer command to verify that
the status of the neighbor relationship is Full. Run the display ip routing-table
command. The command output shows that the ASBR and PEs in the same AS
have learned the routes to Loopback1 of each other.

Step 3 Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network
of AS 100 and AS 200 to set up LDP LSPs.

# Configure basic MPLS capabilities on PE1 and enable LDP on the interface
connected to ASBR-PE1.

[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] mpls
[PE1-GigabitEthernet1/0/0] mpls ldp
[PE1-GigabitEthernet1/0/0] quit

# Configure basic MPLS capabilities on ASBR-PE1 and enable LDP on the interface
connected to PE1.

[ASBR-PE1] mpls lsr-id 2.2.2.9
[ASBR-PE1] mpls
[ASBR-PE1-mpls] quit
[ASBR-PE1] mpls ldp
[ASBR-PE1-mpls-ldp] quit
[ASBR-PE1] interface gigabitethernet 1/0/0
[ASBR-PE1-GigabitEthernet1/0/0] mpls
[ASBR-PE1-GigabitEthernet1/0/0] mpls ldp
[ASBR-PE1-GigabitEthernet1/0/0] quit

# Configure basic MPLS capabilities on ASBR-PE2 and enable LDP on the interface
connected to PE2.

[ASBR-PE2] mpls lsr-id 3.3.3.9
[ASBR-PE2] mpls
[ASBR-PE2-mpls] quit
[ASBR-PE2] mpls ldp
[ASBR-PE2-mpls-ldp] quit
[ASBR-PE2] interface gigabitethernet 1/0/0
[ASBR-PE2-GigabitEthernet1/0/0] mpls
[ASBR-PE2-GigabitEthernet1/0/0] mpls ldp
[ASBR-PE2-GigabitEthernet1/0/0] quit

# Configure basic MPLS capabilities on PE2 and enable LDP on the interface
connected to ASBR-PE2.

[PE2] mpls lsr-id 4.4.4.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] mpls
[PE2-GigabitEthernet1/0/0] mpls ldp
[PE2-GigabitEthernet1/0/0] quit

After the configuration is complete, the PE and ASBR-PEs in the same AS can set
up an LDP peer relationship. Run the display mpls ldp session command on the
PE and ASBR-PEs to verify that the state is Operational.
The information displayed on PE1 is used as an example.
[PE1] display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.9:0 Operational DU Active 0002:23:46 17225/17224
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.

Step 4 Set up an MP-IBGP peer relationship between the PE and ASBR-PEs.


# On PE1: set up an MP-IBGP peer relationship with ASBR-PE1. The configuration
on PE2 is similar to the configuration on PE1 and is not mentioned here.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# On ASBR-PE1: set up an MP-IBGP peer relationship with PE1. The configuration
on ASBR-PE2 is similar to the configuration on ASBR-PE1 and is not mentioned
here.
[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] peer 1.1.1.9 as-number 100
[ASBR-PE1-bgp] peer 1.1.1.9 connect-interface loopback 1
[ASBR-PE1-bgp] ipv4-family vpnv4
[ASBR-PE1-bgp-af-vpnv4] peer 1.1.1.9 enable
[ASBR-PE1-bgp-af-vpnv4] quit
[ASBR-PE1-bgp] quit

Step 5 On the PEs, create a VPN instance, enable the IPv4 address family in the instance,
and bind the instance to the interfaces connected to CEs.
NOTE

The VPN targets of the VPN instances on the ASBR-PE and PEs in an AS must match. In
different ASs, the VPN targets of the PEs do not need to match.

# Configure PE1. The configuration on PE2 is similar to the configuration on PE1
and is not mentioned here.
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] ipv4-family
[PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 both
[PE1-vpn-instance-vpn1-af-ipv4] quit
[PE1-vpn-instance-vpn1] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[PE1-GigabitEthernet2/0/0] ip address 10.1.1.2 24
[PE1-GigabitEthernet2/0/0] quit

Step 6 Set up EBGP peer relationships between the PEs and CEs to exchange VPN routing
information.
# Configure CE1. The configuration on CE2 is similar to the configuration on CE1
and is not mentioned here.

[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[CE1-GigabitEthernet1/0/0] quit
[CE1] bgp 65001
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

# Configure PE1. The configuration on PE2 is similar to the configuration on PE1
and is not mentioned here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65001
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] quit
[PE1-bgp] quit

After the configuration is complete, run the display bgp vpnv4 vpn-instance vpn-
instancename peer command on the PEs. The command output shows that the
BGP peer relationships have been set up between the PEs and CEs and are in
Established state. Run the display bgp vpnv4 all peer command on the PEs. The
command output shows that each PE has set up a BGP peer relationship with the
CE and ASBR-PEs in the same AS, and the BGP peer relationships are in
Established state.
The information displayed on PE1 is used as an example.
[PE1] display bgp vpnv4 vpn-instance vpn1 peer

BGP local router ID : 1.1.1.9


Local AS number : 100

VPN-Instance vpn1, Router ID 1.1.1.9:


Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

10.1.1.1 4 65001 1043 1048 0 17:17:21 Established 2


[PE1] display bgp vpnv4 all peer

BGP local router ID : 1.1.1.9


Local AS number : 100
Total number of peers : 2 Peers in established state : 2

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

2.2.2.9 4 100 59 52 0 00:45:16 Established 0

Peer of IPv4-family for vpn instance :

VPN-Instance vpn1, Router ID 1.1.1.9:


10.1.1.1 4 65001 1045 1050 0 17:19:21 Established 2

Step 7 Enable the capability of exchanging labeled IPv4 routes.


# On PE1: Enable the capability of exchanging labeled IPv4 routes with ASBR-PE1.
The configuration on PE2 is similar to the configuration on PE1 and is not
mentioned here.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 label-route-capability
[PE1-bgp] quit

# On ASBR-PE1: Enable MPLS on the interface connected to ASBR-PE2. The
configuration on ASBR-PE2 is similar to the configuration on ASBR-PE1 and is not
mentioned here.
[ASBR-PE1] interface gigabitethernet 2/0/0
[ASBR-PE1-GigabitEthernet2/0/0] ip address 192.1.1.1 24
[ASBR-PE1-GigabitEthernet2/0/0] mpls
[ASBR-PE1-GigabitEthernet2/0/0] quit

# On ASBR-PE1: Create a routing policy. The configuration on ASBR-PE2 is similar
to the configuration on ASBR-PE1 and is not mentioned here.
[ASBR-PE1] route-policy policy1 permit node 1
[ASBR-PE1-route-policy] apply mpls-label
[ASBR-PE1-route-policy] quit
[ASBR-PE1] route-policy policy2 permit node 1
[ASBR-PE1-route-policy] if-match mpls-label
[ASBR-PE1-route-policy] apply mpls-label
[ASBR-PE1-route-policy] quit

# On ASBR-PE1: Apply a routing policy to the routes advertised to PE1, and enable
the capability of exchanging labeled IPv4 routes with PE1. The configuration on
ASBR-PE2 is similar to the configuration on ASBR-PE1 and is not mentioned here.

[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] peer 1.1.1.9 route-policy policy2 export
[ASBR-PE1-bgp] peer 1.1.1.9 label-route-capability

# On ASBR-PE1: Apply a routing policy to the routes advertised to ASBR-PE2, and
enable the capability of exchanging labeled IPv4 routes with ASBR-PE2.
[ASBR-PE1-bgp] peer 192.1.1.2 as-number 200
[ASBR-PE1-bgp] peer 192.1.1.2 route-policy policy1 export
[ASBR-PE1-bgp] peer 192.1.1.2 label-route-capability
[ASBR-PE1-bgp] quit

# On ASBR-PE1: Advertise routes to loopback interfaces to ASBR-PE2, and then to
PE2. The configuration on ASBR-PE2 is similar to the configuration on ASBR-PE1
and is not mentioned here.
[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] network 1.1.1.9 32
[ASBR-PE1-bgp] quit

Step 8 Set up an MP-EBGP peer relationship between PE1 and PE2.


# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 4.4.4.9 as-number 200
[PE1-bgp] peer 4.4.4.9 connect-interface LoopBack 1
[PE1-bgp] peer 4.4.4.9 ebgp-max-hop 10
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 4.4.4.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 200
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface LoopBack 1
[PE2-bgp] peer 1.1.1.9 ebgp-max-hop 10
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit

Step 9 Verify the configuration.


# After the configuration is complete, CE1 and CE2 learn routes to interfaces on
each other and can ping each other successfully.
# The information displayed on CE1 is used as an example.
[CE1] display ip routing-table
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.1 GigabitEthernet1/0/0
10.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.2.1.0/24 EBGP 255 0 D 10.1.1.2 GigabitEthernet1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

[CE1] ping 10.2.1.1
PING 10.2.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=251 time=119 ms
Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=251 time=141 ms
Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=251 time=136 ms
Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=251 time=113 ms
Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=251 time=78 ms
--- 10.2.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 78/117/141 ms

# No VPNv4 route exists on ASBR-PEs. Run the display bgp routing-table label
command on an ASBR-PE to check information about labels of routes.
# ASBR-PE1 is used as an example.
[ASBR-PE1] display bgp routing-table label

BGP Local router ID is 2.2.2.9


Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 2

Network NextHop In/Out Label

*> 1.1.1.9 172.1.1.2 1098/NULL


*> 4.4.4.9 192.1.1.2 1099/1067

----End

Configuration Files
● CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65001
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
● PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#

interface GigabitEthernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
peer 4.4.4.9 as-number 200
peer 4.4.4.9 ebgp-max-hop 10
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
peer 2.2.2.9 label-route-capability
peer 4.4.4.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
peer 4.4.4.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 65001
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
● ASBR-PE1 configuration file
#
sysname ASBR-PE1
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 192.1.1.1 255.255.255.0
mpls
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 192.1.1.2 as-number 200
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
network 1.1.1.9 255.255.255.255

peer 192.1.1.2 enable
peer 192.1.1.2 route-policy policy1 export
peer 192.1.1.2 label-route-capability
peer 1.1.1.9 enable
peer 1.1.1.9 route-policy policy2 export
peer 1.1.1.9 label-route-capability
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
route-policy policy1 permit node 1
apply mpls-label
route-policy policy2 permit node 1
if-match mpls-label
apply mpls-label
#
return
● ASBR-PE2 configuration file
#
sysname ASBR-PE2
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 192.1.1.2 255.255.255.0
mpls
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 200
peer 192.1.1.1 as-number 100
peer 4.4.4.9 as-number 200
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
network 4.4.4.9 255.255.255.255
peer 192.1.1.1 enable
peer 192.1.1.1 route-policy policy1 export
peer 192.1.1.1 label-route-capability
peer 4.4.4.9 enable
peer 4.4.4.9 route-policy policy2 export
peer 4.4.4.9 label-route-capability
#
ipv4-family vpnv4
policy vpn-target
peer 4.4.4.9 enable
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
route-policy policy1 permit node 1

apply mpls-label
route-policy policy2 permit node 1
if-match mpls-label
apply mpls-label
#
return
● PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 200
peer 1.1.1.9 as-number 100
peer 1.1.1.9 ebgp-max-hop 10
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
peer 3.3.3.9 label-route-capability
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 65002
import-route direct
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
● CE2 configuration file
#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.2.1.1 255.255.255.0
#

bgp 65002
peer 10.2.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return

7.9.8 Example for Configuring Inter-AS VPN Option C (Solution 2)

Networking Requirements
The headquarters and branches of a company connect to networks of different
carriers. To enable the headquarters and branches to communicate, Inter-AS BGP/
MPLS IP VPN needs to be implemented. As shown in Figure 7-49, CE1 is located in
the headquarters and connects to PE1 in AS 100. CE2 is located at the branch and
connects to PE2 in AS 200. Both CE1 and CE2 belong to vpn1.

Figure 7-49 Networking diagram for configuring Inter-AS VPN Option C

[Figure: two VPN backbones, AS 100 (PE1, ASBR-PE1) and AS 200 (ASBR-PE2, PE2).
CE1 (vpn1, AS 65001) connects to PE1, and CE2 (vpn1, AS 65002) connects to PE2.
Interface addresses shown in the figure:]

Device     Interface   IP address
CE1        GE1/0/0     10.1.1.1/24
PE1        Loopback1   1.1.1.9/32
PE1        GE1/0/0     172.1.1.2/24
PE1        GE2/0/0     10.1.1.2/24
ASBR-PE1   Loopback1   2.2.2.9/32
ASBR-PE1   GE1/0/0     172.1.1.1/24
ASBR-PE1   GE2/0/0     192.1.1.1/24
ASBR-PE2   Loopback1   3.3.3.9/32
ASBR-PE2   GE1/0/0     162.1.1.1/24
ASBR-PE2   GE2/0/0     192.1.1.2/24
PE2        Loopback1   4.4.4.9/32
PE2        GE1/0/0     162.1.1.2/24
PE2        GE2/0/0     10.2.1.2/24
CE2        GE1/0/0     10.2.1.1/24

No IBGP peer relationship is required between the PE and ASBR-PEs. The ASBR-PE
learns the labeled BGP routes of the public network at the remote AS from the
remote ASBR-PE. Then these BGP routes are imported to IGP. In this manner, LDP
can distribute labels for these routes and establish an inter-AS LDP LSP. The
inter-AS BGP/MPLS IP VPN Option C can then be implemented.

Configuration Roadmap
Inter-AS Option C can be deployed to meet the company's requirement. The
configuration roadmap is as follows:
1. On the MPLS backbone network in AS 100 and AS 200, configure an IGP
protocol to enable the PE and ASBR-PEs to communicate with each other.
2. Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone
network to set up LDP LSPs.
3. Create a VPN instance on the PE in each AS and bind the VPN instance to the
interface connected to the CE.
4. Set up an EBGP peer relationship between the PEs and CEs in each AS to
exchange VPN routing information.
5. Advertise routes of the PE in an AS to the remote PE: First on the local ASBR-
PE, advertise the routes of the PE in an AS to the remote ASBR-PE through
BGP; then on the remote ASBR-PE, import these BGP routes to IGP. Then the
remote PE learns routes of the PE in the local AS through IGP.
6. Configure a routing policy on the ASBR-PE: Assign MPLS labels to the routes
advertised to the remote ASBR-PE.
7. Enable the capability of exchanging labeled IPv4 routes between the local
ASBR-PE and the remote ASBR-PE.
8. Configure LDP LSPs for the labeled BGP routes of the public network on
ASBR-PEs.
9. Set up MP-EBGP peer relationships between PEs of different ASs. In most
cases, these PEs are not directly connected, and the maximum hops between
them must be specified.

Procedure
Step 1 Assign IP addresses to interfaces according to Figure 7-49.
# Configure PE1. The configuration on PE2, CE1, CE2, ASBR-PE1, and ASBR-PE2 is
similar to the configuration on PE1 and is not mentioned here.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] ip address 172.1.1.2 24
[PE1-GigabitEthernet1/0/0] quit

Step 2 On the MPLS backbone network in AS 100 and AS 200, configure OSPF to enable
the PEs and the ASBR-PEs to communicate with each other.
# Configure PE1. The configuration on PE2 and ASBR-PEs is similar to the
configuration on PE1 and is not mentioned here.
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

NOTE

The 32-bit loopback interface address used as LSR ID should be advertised by the PEs and
ASBR-PEs using OSPF.

After the configuration is complete, the ASBR and PEs in the same AS can set up
an OSPF neighbor relationship. Run the display ospf peer command to verify that
the status of the neighbor relationship is Full. Run the display ip routing-table
command. The command output shows that the ASBR and PEs in the same AS
have learned the routes to Loopback1 of each other.

The information displayed on PE1 is used as an example.


[PE1] display ospf peer

OSPF Process 1 with Router ID 1.1.1.9


Neighbors

Area 0.0.0.0 interface 172.1.1.2(GigabitEthernet1/0/0)'s neighbors


Router ID: 2.2.2.9 Address: 172.1.1.1
State: Full Mode:Nbr is Master Priority: 1
DR: 172.1.1.2 BDR: 172.1.1.1 MTU: 0
Dead timer due in 34 sec
Retrans timer interval: 5
Neighbor is up for 18:50:53
Authentication Sequence: [ 0 ]

The ASBR-PE and PEs in the same AS have obtained the IP address of each other's
Loopback1 interface and can ping each other's Loopback1 address.

Step 3 Set up the EBGP peer relationship between ASBR-PEs.

# Configure ASBR-PE1.
[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] peer 192.1.1.2 as-number 200
[ASBR-PE1-bgp] quit

# Configure ASBR-PE2.
[ASBR-PE2] bgp 200
[ASBR-PE2-bgp] peer 192.1.1.1 as-number 100
[ASBR-PE2-bgp] quit

After the configuration is complete, run the display bgp peer command on
ASBR-PEs. The command output shows that the status of the neighbors is Established.

ASBR-PE1 is used as an example.


[ASBR-PE1] display bgp peer

BGP local router ID : 2.2.2.9


Local AS number : 100
Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

192.1.1.2 4 200 129 134 0 01:39:21 Established 1

Step 4 Advertise the routes of a PE in an AS to the remote PE.

# On ASBR-PE1: Advertise routes to loopback interfaces to ASBR-PE2.

[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] network 1.1.1.9 32
[ASBR-PE1-bgp] quit

# On ASBR-PE2: Advertise routes to loopback interfaces to ASBR-PE1.


[ASBR-PE2] bgp 200
[ASBR-PE2-bgp] network 4.4.4.9 32
[ASBR-PE2-bgp] quit

# On ASBR-PE1: Import BGP routes to OSPF, and advertise the routes of PE2 to
PE1 through OSPF.
[ASBR-PE1] ospf 1
[ASBR-PE1-ospf-1] import-route bgp

# On ASBR-PE2: Import BGP routes to OSPF, and advertise the routes of PE1 to
PE2 through OSPF.
[ASBR-PE2] ospf 1
[ASBR-PE2-ospf-1] import-route bgp

After the configuration is complete, run the display ip routing-table command
on PEs to check the routing table. PE1 is used as an example.
[PE1] display ip routing-table
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 10 Routes : 10

Destination/Mask Proto Pre Cost Flags NextHop Interface

1.1.1.9/32 Direct 0 0 D 127.0.0.1 LoopBack1


2.2.2.9/32 OSPF 10 1 D 172.1.1.1 GigabitEthernet1/0/0
4.4.4.9/32 O_ASE 150 1 D 172.1.1.1 GigabitEthernet1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.1.1.0/24 Direct 0 0 D 172.1.1.2 GigabitEthernet1/0/0
172.1.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
172.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Step 5 Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network
of AS 100 and AS 200 to set up LDP LSPs.
# Configure basic MPLS capabilities on PE1 and enable LDP on the interface
connected to ASBR-PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] mpls
[PE1-GigabitEthernet1/0/0] mpls ldp
[PE1-GigabitEthernet1/0/0] quit

# Configure basic MPLS capabilities on ASBR-PE1 and enable LDP on the interface
connected to PE1.
[ASBR-PE1] mpls lsr-id 2.2.2.9
[ASBR-PE1] mpls
[ASBR-PE1-mpls] quit
[ASBR-PE1] mpls ldp

[ASBR-PE1-mpls-ldp] quit
[ASBR-PE1] interface gigabitethernet 1/0/0
[ASBR-PE1-GigabitEthernet1/0/0] mpls
[ASBR-PE1-GigabitEthernet1/0/0] mpls ldp
[ASBR-PE1-GigabitEthernet1/0/0] quit

# Configure basic MPLS capabilities on ASBR-PE2 and enable LDP on the interface
connected to PE2.
[ASBR-PE2] mpls lsr-id 3.3.3.9
[ASBR-PE2] mpls
[ASBR-PE2-mpls] quit
[ASBR-PE2] mpls ldp
[ASBR-PE2-mpls-ldp] quit
[ASBR-PE2] interface gigabitethernet 1/0/0
[ASBR-PE2-GigabitEthernet1/0/0] mpls
[ASBR-PE2-GigabitEthernet1/0/0] mpls ldp
[ASBR-PE2-GigabitEthernet1/0/0] quit

# Configure basic MPLS capabilities on PE2 and enable LDP on the interface
connected to ASBR-PE2.
[PE2] mpls lsr-id 4.4.4.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] mpls
[PE2-GigabitEthernet1/0/0] mpls ldp
[PE2-GigabitEthernet1/0/0] quit

After the configuration is complete, the LDP sessions between PE1 and ASBR-PE1,
and between PE2 and ASBR-PE2, are set up. Run the display mpls ldp session
command. The command output shows that the status is "Operational". Run the
display mpls ldp lsp command. Information about the established LDP LSPs is
displayed.
The information displayed on PE1 is used as an example.
[PE1] display mpls ldp session

LDP Session(s) in Public Network


Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.9:0 Operational DU Passive 0000:00:01 5/5
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.

[PE1] display mpls ldp lsp


LDP LSP Information
-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
1.1.1.9/32 3/NULL 2.2.2.9 127.0.0.1 InLoop0
*1.1.1.9/32 Liberal/1024 DS/2.2.2.9
2.2.2.9/32 NULL/3 - 172.1.1.1 GE1/0/0
2.2.2.9/32 1024/3 2.2.2.9 172.1.1.1 GE1/0/0
-------------------------------------------------------------------------------
TOTAL: 3 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is stale

A '*' before a DS means the session is stale
A '*' before a NextHop means the LSP is FRR LSP

Step 6 Enable the capability of exchanging labeled IPv4 routes on ASBR-PEs.


# On ASBR-PE1: Enable MPLS on the interface connected to ASBR-PE2. The
configuration on ASBR-PE2 is similar to the configuration on ASBR-PE1 and is not
mentioned here.
[ASBR-PE1] interface gigabitethernet 2/0/0
[ASBR-PE1-GigabitEthernet2/0/0] ip address 192.1.1.1 24
[ASBR-PE1-GigabitEthernet2/0/0] mpls
[ASBR-PE1-GigabitEthernet2/0/0] quit

# On ASBR-PE1: Create a routing policy. The configuration on ASBR-PE2 is similar
to the configuration on ASBR-PE1 and is not mentioned here.
[ASBR-PE1] route-policy policy1 permit node 1
[ASBR-PE1-route-policy] apply mpls-label
[ASBR-PE1-route-policy] quit

# On ASBR-PE1: Apply a routing policy to the routes advertised to ASBR-PE2, and
enable the capability of exchanging labeled IPv4 routes with ASBR-PE2. The
configuration on ASBR-PE2 is similar to the configuration on ASBR-PE1 and is not
mentioned here.
[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] peer 192.1.1.2 route-policy policy1 export
[ASBR-PE1-bgp] peer 192.1.1.2 label-route-capability
[ASBR-PE1-bgp] quit

Step 7 Configure LDP LSPs for the labeled BGP routes of the public network on ASBR
devices.
# Configure ASBR-PE1.
[ASBR-PE1] mpls
[ASBR-PE1-mpls] lsp-trigger bgp-label-route
[ASBR-PE1-mpls] quit

# Configure ASBR-PE2.
[ASBR-PE2] mpls
[ASBR-PE2-mpls] lsp-trigger bgp-label-route
[ASBR-PE2-mpls] quit

Step 8 Configure VPN instances to access CEs on PEs.


# Configure PE1.
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] ipv4-family
[PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 export-extcommunity
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 import-extcommunity
[PE1-vpn-instance-vpn1-af-ipv4] quit
[PE1-vpn-instance-vpn1] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[PE1-GigabitEthernet2/0/0] ip address 10.1.1.2 24
[PE1-GigabitEthernet2/0/0] quit

# Configure PE2.
[PE2] ip vpn-instance vpn1
[PE2-vpn-instance-vpn1] ipv4-family
[PE2-vpn-instance-vpn1-af-ipv4] route-distinguisher 200:1
[PE2-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 export-extcommunity

[PE2-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 import-extcommunity
[PE2-vpn-instance-vpn1-af-ipv4] quit
[PE2-vpn-instance-vpn1] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[PE2-GigabitEthernet2/0/0] ip address 10.2.1.2 24
[PE2-GigabitEthernet2/0/0] quit

After the configuration is complete, run the display ip vpn-instance verbose
command on the PEs to check the configuration of VPN instances. Each PE can
ping its connected CE.
The information displayed on PE1 and CE1 is used as an example.
[PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 1
Total IPv4 VPN-Instances configured : 1
Total IPv6 VPN-Instances configured : 0

VPN-Instance Name and ID : vpn1, 1


Interfaces : GigabitEthernet2/0/0
Address family ipv4
Create date : 2008/02/27 09:53:47
Up time : 0 days, 00 hours, 35 minutes and 43 seconds
Route Distinguisher : 100:1
Export VPN Targets : 1:1
Import VPN Targets : 1:1
Label Policy : label per route
Log Interval : 5
[PE1] ping -vpn-instance vpn1 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Request time out
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=50 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=40 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=30 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=10 ms

--- 10.1.1.1 ping statistics ---


5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 10/32/50 ms

Step 9 Set up an MP-EBGP peer relationship between PE1 and PE2.


# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 4.4.4.9 as-number 200
[PE1-bgp] peer 4.4.4.9 connect-interface LoopBack 1
[PE1-bgp] peer 4.4.4.9 ebgp-max-hop 10
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 4.4.4.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 200
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface LoopBack 1
[PE2-bgp] peer 1.1.1.9 ebgp-max-hop 10
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit

Step 10 Set up EBGP peer relationships between the PEs and CEs and import VPN routes
into BGP.

# Configure CE1.
[CE1] bgp 65001
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

# Configure CE2.
[CE2] bgp 65002
[CE2-bgp] peer 10.2.1.2 as-number 200
[CE2-bgp] import-route direct
[CE2-bgp] quit

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65001
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 200
[PE2-bgp] ipv4-family vpn-instance vpn1
[PE2-bgp-vpn1] peer 10.2.1.1 as-number 65002
[PE2-bgp-vpn1] import-route direct
[PE2-bgp-vpn1] quit
[PE2-bgp] quit

After the configuration is complete, run the display bgp vpnv4 vpn-instance peer
command on the PEs. The command output shows that BGP peer relationships
have been established between the PEs and CEs.
The peer relationship between PE1 and CE1 is used as an example.
[PE1] display bgp vpnv4 vpn-instance vpn1 peer

BGP local router ID : 1.1.1.9


Local AS number : 100

VPN-Instance vpn1, router ID 1.1.1.9:


Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv


10.1.1.1 4 65001 3 3 0 00:00:52 Established 1

Step 11 Verify the configuration.


# After the configuration is complete, CE1 and CE2 learn routes to interfaces on
each other and can ping each other successfully.
# The information displayed on CE1 is used as an example.
[CE1] display ip routing-table
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.1 GigabitEthernet1/0/0
10.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.2.1.0/24 EBGP 255 0 D 10.1.1.2 GigabitEthernet1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
[CE1] ping 10.2.1.1
PING 10.2.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=251 time=102 ms
Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=251 time=89 ms
Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=251 time=106 ms
Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=251 time=104 ms
Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=251 time=56 ms

--- 10.2.1.1 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 56/91/106 ms

# After the configuration is complete, run the display ip routing-table
dest-ip-address verbose command on ASBR-PE1. The command output shows that the
routes from ASBR-PE1 to PE2 are labeled BGP routes of the public network: the
routing table is "Public", the protocol type is "BGP", and the label has a
non-zero value.

# The information displayed on ASBR-PE1 is used as an example.


[ASBR-PE1] display ip routing-table 4.4.4.9 verbose
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1

Destination : 4.4.4.9/32
Protocol : BGP Process ID : 0
Preference : 255 Cost : 1
NextHop : 192.1.1.2 Neighbour : 192.1.1.2
State : Active Adv Age : 00h12m53s
Tag : 0 Priority : 0
Label : 15360 QoSInfo : 0x0
IndirectID : 0x0
RelayNextHop : 192.1.1.2 Interface : GigabitEthernet2/0/0
TunnelID : 0x6002006 Flags : D

# Run the display mpls lsp protocol ldp include dest-ip-address verbose command
on ASBR-PE1 and PE2 respectively. The command output shows that an LDP LSP is
established between ASBR-PE1 and PE2. In addition, an LDP ingress LSP to the
remote PE can be found on a PE.
[ASBR-PE1] display mpls lsp protocol ldp include 4.4.4.9 32 verbose
----------------------------------------------------------------------
LSP Information: LDP LSP
----------------------------------------------------------------------
No : 1
VrfIndex :
Fec : 4.4.4.9/32
Nexthop : 192.1.1.2
In-Label : 1024
Out-Label : NULL
In-Interface : ----------
Out-Interface : ----------
LspIndex : 13313
Token : 0x0
FrrToken : 0x0
LsrType : Egress
Outgoing token : 0x6002006
Label Operation : SWAPPUSH
Mpls-Mtu : ------
TimeStamp : 15829sec

Bfd-State : ---
BGPKey : 0x24

----End

Configuration Files
● CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65001
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return

● PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 4.4.4.9 as-number 200
peer 4.4.4.9 ebgp-max-hop 10
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 4.4.4.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 4.4.4.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
peer 10.1.1.1 as-number 65001
#

ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
● ASBR-PE1 configuration file
#
sysname ASBR-PE1
#
mpls lsr-id 2.2.2.9
mpls
lsp-trigger bgp-label-route
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 192.1.1.1 255.255.255.0
mpls
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 192.1.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
network 1.1.1.9 255.255.255.255
peer 192.1.1.2 enable
peer 192.1.1.2 route-policy policy1 export
peer 192.1.1.2 label-route-capability
#
ospf 1
import-route bgp
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
route-policy policy1 permit node 1
apply mpls-label
#
return
● ASBR-PE2 configuration file
#
sysname ASBR-PE2
#
mpls lsr-id 3.3.3.9
mpls
lsp-trigger bgp-label-route
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 192.1.1.2 255.255.255.0
mpls
#
interface LoopBack1

ip address 3.3.3.9 255.255.255.255
#
bgp 200
peer 192.1.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
network 4.4.4.9 255.255.255.255
peer 192.1.1.1 enable
peer 192.1.1.1 route-policy policy1 export
peer 192.1.1.1 label-route-capability
#
ospf 1
import-route bgp
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
route-policy policy1 permit node 1
apply mpls-label
#
return
● PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 200
peer 1.1.1.9 as-number 100
peer 1.1.1.9 ebgp-max-hop 10
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
peer 10.2.1.1 as-number 65002
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
● CE2 configuration file
#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65002
peer 10.2.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return

7.9.9 Example for Configuring MCE


Networking Requirements
The headquarters and branches of a company need to communicate through
MPLS VPN, and two services of the company must be isolated. To reduce
hardware costs, the company wants the branches to connect to the PE through
one CE.
As shown in Figure 7-50, the networking requirements are as follows:
● CE1 and CE2 connect to the headquarters. CE1 belongs to vpna, and CE2
belongs to vpnb.
● The multi-VPN-instance CE (MCE) device connects to vpna and vpnb of the
branches through CE3 and CE4.
Users in the same VPN need to communicate with each other, but users in
different VPNs must be isolated.

Figure 7-50 Networking diagram for configuring MCE
[Diagram: at the headquarters, CE1 (vpna, GE1/0/0 10.1.1.1/24) and CE2 (vpnb, GE1/0/0 10.2.1.1/24) connect to PE1 (Loopback1 1.1.1.9/32) on GE1/0/0 (10.1.1.2/24) and GE2/0/0 (10.2.1.2/24). PE1 GE3/0/0 (172.1.1.1/24) connects to PE2 GE1/0/0 (172.1.1.2/24); PE2 has Loopback1 2.2.2.9/32. PE2 subinterfaces GE2/0/0.1 (192.1.1.1/24) and GE2/0/0.2 (192.2.1.1/24) connect to MCE subinterfaces GE1/0/0.1 (192.1.1.2/24) and GE1/0/0.2 (192.2.1.2/24). At the branches, the MCE connects to CE3 (vpna, GE1/0/0 10.3.1.1/24) on GE3/0/0 (10.3.1.2/24) and to CE4 (vpnb, GE1/0/0 10.4.1.1/24) on GE4/0/0 (10.4.1.2/24).]


Configuration Roadmap
The configuration roadmap is as follows:

1. Configure OSPF between PEs to implement interworking between them and
configure MP-IBGP to exchange VPN routing information.
2. Configure basic MPLS capabilities and MPLS LDP on the PEs to set up LDP
LSPs.
3. Create VPN instances vpna and vpnb on the MCEs and PEs to isolate services.
4. Set up EBGP peer relationships between PE1 and its connected CEs, and
import BGP routes to the VPN routing table on PE1.
5. Configure routing between the MCE and VPN sites and between the MCE and
PE2.

Procedure
Step 1 Configure OSPF on PEs of the backbone network.

# Configure PE1. The configuration on PE2 is similar to the configuration on PE1
and is not mentioned here.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] ip address 172.1.1.1 24
[PE1-GigabitEthernet3/0/0] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

After the configuration is complete, the PEs can learn each other's Loopback1
addresses.

The information displayed on PE2 is used as an example.


[PE2] display ip routing-table
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 9 Routes : 9
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.9/32 OSPF 10 1 D 172.1.1.1 GigabitEthernet1/0/0
2.2.2.9/32 Direct 0 0 D 127.0.0.1 LoopBack1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.1.1.0/24 Direct 0 0 D 172.1.1.2 GigabitEthernet1/0/0
172.1.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
172.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Step 2 Configure basic MPLS capabilities and MPLS LDP on the PEs to set up LDP LSPs.


# Configure PE1. The configuration on PE2 is similar to the configuration on PE1
and is not mentioned here.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] mpls
[PE1-GigabitEthernet3/0/0] mpls ldp
[PE1-GigabitEthernet3/0/0] quit

After the configuration is complete, run the display mpls ldp session command
on the PEs. The command output shows that the MPLS LDP session between the
PEs is in Operational state.
The information displayed on PE2 is used as an example.
[PE2] display mpls ldp session

LDP Session(s) in Public Network


Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
1.1.1.9:0 Operational DU Active 0000:00:04 17/17
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.

Step 3 Configure VPN instances on the PEs. On PE1, bind the VPN instances to the
interfaces connected to CE1 and CE2 respectively. On PE2, bind the VPN instances
to the interfaces connected to the MCE.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[PE1-GigabitEthernet1/0/0] ip address 10.1.1.2 24
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpnb
[PE1-GigabitEthernet2/0/0] ip address 10.2.1.2 24
[PE1-GigabitEthernet2/0/0] quit

# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] ipv4-family
[PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] ipv4-family
[PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface gigabitethernet 2/0/0.1
[PE2-GigabitEthernet2/0/0.1] dot1q termination vid 10
[PE2-GigabitEthernet2/0/0.1] ip binding vpn-instance vpna
[PE2-GigabitEthernet2/0/0.1] ip address 192.1.1.1 24
[PE2-GigabitEthernet2/0/0.1] arp broadcast enable
[PE2-GigabitEthernet2/0/0.1] quit
[PE2] interface gigabitethernet 2/0/0.2
[PE2-GigabitEthernet2/0/0.2] dot1q termination vid 20
[PE2-GigabitEthernet2/0/0.2] ip binding vpn-instance vpnb
[PE2-GigabitEthernet2/0/0.2] ip address 192.2.1.1 24
[PE2-GigabitEthernet2/0/0.2] arp broadcast enable
[PE2-GigabitEthernet2/0/0.2] quit

Step 4 Configure VPN instances on the MCE, and bind the VPN instances to the interfaces
connected to CE3, CE4, and PE2.
<Huawei> system-view
[Huawei] sysname MCE
[MCE] ip vpn-instance vpna
[MCE-vpn-instance-vpna] ipv4-family
[MCE-vpn-instance-vpna-af-ipv4] route-distinguisher 300:1
[MCE-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[MCE-vpn-instance-vpna-af-ipv4] quit
[MCE-vpn-instance-vpna] quit
[MCE] ip vpn-instance vpnb
[MCE-vpn-instance-vpnb] ipv4-family
[MCE-vpn-instance-vpnb-af-ipv4] route-distinguisher 300:2
[MCE-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[MCE-vpn-instance-vpnb-af-ipv4] quit
[MCE-vpn-instance-vpnb] quit
[MCE] interface gigabitethernet 3/0/0
[MCE-GigabitEthernet3/0/0] ip binding vpn-instance vpna
[MCE-GigabitEthernet3/0/0] ip address 10.3.1.2 24
[MCE-GigabitEthernet3/0/0] quit
[MCE] interface gigabitethernet 4/0/0
[MCE-GigabitEthernet4/0/0] ip binding vpn-instance vpnb
[MCE-GigabitEthernet4/0/0] ip address 10.4.1.2 24
[MCE-GigabitEthernet4/0/0] quit
[MCE] interface gigabitethernet 1/0/0.1
[MCE-GigabitEthernet1/0/0.1] dot1q termination vid 10
[MCE-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[MCE-GigabitEthernet1/0/0.1] ip address 192.1.1.2 24
[MCE-GigabitEthernet1/0/0.1] arp broadcast enable
[MCE-GigabitEthernet1/0/0.1] quit
[MCE] interface gigabitethernet 1/0/0.2
[MCE-GigabitEthernet1/0/0.2] dot1q termination vid 20
[MCE-GigabitEthernet1/0/0.2] ip binding vpn-instance vpnb
[MCE-GigabitEthernet1/0/0.2] ip address 192.2.1.2 24
[MCE-GigabitEthernet1/0/0.2] arp broadcast enable
[MCE-GigabitEthernet1/0/0.2] quit

Step 5 Set up an MP-IBGP peer relationship between PEs. Set up EBGP peer relationships
between PE1 and CE1, and between PE1 and CE2.

# Configure CE1. The configuration on PE1 and PE2 is similar to the
configuration on CE1 and is not mentioned here.
<Huawei> system-view
[Huawei] sysname CE1
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] ipv4-family unicast
[CE1-bgp-af-ipv4] import-route direct
[CE1-bgp-af-ipv4] quit
[CE1-bgp] quit


After the configuration is complete, run the display bgp vpnv4 all peer command
on PE1. The command output shows that PE1 has set up an IBGP peer
relationship with PE2 and EBGP peer relationships with CE1 and CE2. The peer
relationships are in Established state.
[PE1] display bgp vpnv4 all peer

BGP local router ID : 1.1.1.9


Local AS number : 100
Total number of peers : 3 Peers in established state : 3

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

2.2.2.9 4 100 288 287 0 01:19:16 Established 4

Peer of IPv4-family for vpn instance :

VPN-Instance vpna, router ID 1.1.1.9:


10.1.1.1 4 65410 9 11 0 00:04:14 Established 4

VPN-Instance vpnb, router ID 1.1.1.9:


10.2.1.1 4 65420 9 12 0 00:04:09 Established 3

Step 6 Configure OSPF multi-instance between the MCE and PE2.


# Configure PE2.
[PE2] ospf 100 vpn-instance vpna
[PE2-ospf-100] area 0
[PE2-ospf-100-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[PE2-ospf-100-area-0.0.0.0] quit
[PE2-ospf-100] import-route bgp
[PE2-ospf-100] quit
[PE2] ospf 200 vpn-instance vpnb
[PE2-ospf-200] area 0
[PE2-ospf-200-area-0.0.0.0] network 192.2.1.0 0.0.0.255
[PE2-ospf-200-area-0.0.0.0] quit
[PE2-ospf-200] import-route bgp
[PE2-ospf-200] quit
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpna
[PE2-bgp-vpna] import-route ospf 100
[PE2-bgp-vpna] quit
[PE2-bgp] ipv4-family vpn-instance vpnb
[PE2-bgp-vpnb] import-route ospf 200
[PE2-bgp-vpnb] quit
[PE2-bgp] quit

# Configure the MCE.


[MCE] ospf 100 vpn-instance vpna
[MCE-ospf-100] area 0
[MCE-ospf-100-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[MCE-ospf-100-area-0.0.0.0] quit
[MCE-ospf-100] quit
[MCE] ospf 200 vpn-instance vpnb
[MCE-ospf-200] area 0
[MCE-ospf-200-area-0.0.0.0] network 192.2.1.0 0.0.0.255
[MCE-ospf-200-area-0.0.0.0] quit
[MCE-ospf-200] quit

Step 7 Configure RIPv2 between the MCE and CE3, and between the MCE and CE4.
# Configure the MCE.
[MCE] rip 100 vpn-instance vpna
[MCE-rip-100] version 2
[MCE-rip-100] network 10.0.0.0
[MCE-rip-100] import-route ospf 100
[MCE-rip-100] quit
[MCE] rip 200 vpn-instance vpnb
[MCE-rip-200] version 2
[MCE-rip-200] network 10.0.0.0
[MCE-rip-200] import-route ospf 200
[MCE-rip-200] quit

# Configure CE3.
<Huawei> system-view
[Huawei] sysname CE3
[CE3] rip 100
[CE3-rip-100] version 2
[CE3-rip-100] network 10.0.0.0
[CE3-rip-100] import-route direct

# Configure CE4.
<Huawei> system-view
[Huawei] sysname CE4
[CE4] rip 200
[CE4-rip-200] version 2
[CE4-rip-200] network 10.0.0.0
[CE4-rip-200] import-route direct

Step 8 Disable loop detection on the MCE device and import RIP routes.
[MCE] ospf 100 vpn-instance vpna
[MCE-ospf-100] vpn-instance-capability simple
[MCE-ospf-100] import-route rip 100
[MCE-ospf-100] quit
[MCE] ospf 200 vpn-instance vpnb
[MCE-ospf-200] vpn-instance-capability simple
[MCE-ospf-200] import-route rip 200
[MCE-ospf-200] quit

Step 9 Verify the configuration.


# After the configuration is complete, run the display ip routing-table vpn-instance
command on the MCE. The command output shows the route to the
remote CE.
# The VPN instance vpna is used as an example.
[MCE] display ip routing-table vpn-instance vpna
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 8 Routes : 8

Destination/Mask Proto Pre Cost Flags NextHop Interface


10.1.1.0/24 O_ASE 150 1 D 192.1.1.1 GigabitEthernet1/0/0.1
10.3.1.0/24 Direct 0 0 D 10.3.1.2 GigabitEthernet3/0/0
10.3.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet3/0/0
10.3.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet3/0/0
192.1.1.0/24 Direct 0 0 D 192.1.1.2 GigabitEthernet1/0/0.1
192.1.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0.1
192.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0.1
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

# Run the display ip routing-table vpn-instance command on the PE. The
command output shows the route to the remote CE.
# The VPN instance vpna on PE1 is used as an example.
[PE1] display ip routing-table vpn-instance vpna
Route Flags:
R - relay, D - download to fib


------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 6 Routes : 6

Destination/Mask Proto Pre Cost Flags NextHop Interface


10.1.1.0/24 Direct 0 0 D 10.1.1.2 GigabitEthernet1/0/0
10.1.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.3.1.0/24 IBGP 255 2 RD 2.2.2.9 GigabitEthernet3/0/0
192.1.1.0/24 IBGP 255 0 RD 2.2.2.9 GigabitEthernet3/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

# CE1 and CE3 can ping each other, and CE2 and CE4 can ping each other.
# The ping from CE1 to CE3 is used as an example.
[CE1] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=252 time=125 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=252 time=125 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=252 time=125 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=252 time=125 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=252 time=125 ms
--- 10.3.1.1 ping statistics ---

5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 125/125/125 ms

# CE1 cannot ping CE2 or CE4. CE3 cannot ping CE2 or CE4.
# For example, if you ping CE4 from CE1, the following information is displayed:
[CE1] ping 10.4.1.1
PING 10.4.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out

--- 10.4.1.1 ping statistics ---


5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

----End

Configuration Files
● CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return


● CE2 configuration file


#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return

● PE1 configuration file


#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet3/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
import-route direct
#
ipv4-family vpn-instance vpnb
peer 10.2.1.1 as-number 65420
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
● PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0.1
dot1q termination vid 10
ip binding vpn-instance vpna
ip address 192.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0.2
dot1q termination vid 20
ip binding vpn-instance vpnb
ip address 192.2.1.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
import-route ospf 100
#
ipv4-family vpn-instance vpnb
import-route ospf 200
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
ospf 100 vpn-instance vpna
import-route bgp
area 0.0.0.0
network 192.1.1.0 0.0.0.255
#
ospf 200 vpn-instance vpnb
import-route bgp
area 0.0.0.0
network 192.2.1.0 0.0.0.255
#
return
● MCE configuration file
#
sysname MCE
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 300:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 300:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 10
ip binding vpn-instance vpna
ip address 192.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0.2
dot1q termination vid 20
ip binding vpn-instance vpnb
ip address 192.2.1.2 255.255.255.0
#
interface GigabitEthernet3/0/0
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface GigabitEthernet4/0/0
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
#
ospf 100 vpn-instance vpna
import-route rip 100
vpn-instance-capability simple
area 0.0.0.0
network 192.1.1.0 0.0.0.255
#
ospf 200 vpn-instance vpnb
import-route rip 200
vpn-instance-capability simple
area 0.0.0.0
network 192.2.1.0 0.0.0.255
#
rip 100 vpn-instance vpna
version 2
network 10.0.0.0
import-route ospf 100
#
rip 200 vpn-instance vpnb
version 2
network 10.0.0.0
import-route ospf 200
#
return

● CE3 configuration file


#
sysname CE3
#
interface GigabitEthernet1/0/0
ip address 10.3.1.1 255.255.255.0
#
rip 100
version 2
network 10.0.0.0
import-route direct
#
return

● CE4 configuration file


#
sysname CE4
#
interface GigabitEthernet1/0/0
ip address 10.4.1.1 255.255.255.0
#
rip 200
version 2
network 10.0.0.0
import-route direct
#
return
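The isolation requirement of the MCE example (vpna and vpnb must not exchange routes) can be checked offline against the saved configuration files. The following Python audit is an added example, not part of the Huawei guide; the function names are hypothetical, and it assumes that VPN instances with the same name on different devices belong to the same VPN, as they do in this example.

```python
import re
from itertools import product

DIRECTIONS = {"import-extcommunity", "export-extcommunity", "both"}

def parse_vrp_config(text):
    """Return ({instance: {'rd', 'import', 'export'}}, {interface: instance})."""
    instances, bindings = {}, {}
    # Top-level sections are separated by lines that hold only '#'.
    for block in re.split(r"(?m)^[ \t]*#[ \t]*$", text):
        lines = [ln.split() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        head, body = lines[0], lines[1:]
        if head[:2] == ["ip", "vpn-instance"] and len(head) == 3:
            inst = instances.setdefault(
                head[2], {"rd": None, "import": set(), "export": set()})
            for tok in body:
                if tok[0] == "route-distinguisher" and len(tok) == 2:
                    inst["rd"] = tok[1]
                elif tok[0] == "vpn-target" and len(tok) >= 2:
                    targets, direction = tok[1:], "both"  # VRP default: both
                    if targets[-1] in DIRECTIONS:
                        direction = targets.pop()
                    if direction != "export-extcommunity":
                        inst["import"].update(targets)
                    if direction != "import-extcommunity":
                        inst["export"].update(targets)
        elif head[0] == "interface" and len(head) == 2:
            for tok in body:
                if tok[:3] == ["ip", "binding", "vpn-instance"] and len(tok) == 4:
                    bindings[head[1]] = tok[3]
    return instances, bindings

def audit_isolation(devices):
    """devices: {device name: config text}. Return a sorted list of findings."""
    parsed = {dev: parse_vrp_config(cfg) for dev, cfg in devices.items()}
    findings, flat = [], []
    for dev, (insts, bindings) in parsed.items():
        for ifname, vpn in bindings.items():
            if vpn not in insts:
                findings.append(f"{dev}: {ifname} bound to undefined vpn-instance {vpn}")
        rd_owner = {}
        for name, inst in insts.items():
            flat.append((dev, name, inst))
            if inst["rd"] is None:
                findings.append(f"{dev}: vpn-instance {name} has no route-distinguisher")
            elif inst["rd"] in rd_owner:
                findings.append(f"{dev}: RD {inst['rd']} shared by {rd_owner[inst['rd']]} and {name}")
            rd_owner.setdefault(inst["rd"], name)
    # A route target exported by one VPN and imported by a differently named
    # VPN, on any device, lets routes cross the isolation boundary.
    for (d1, n1, i1), (d2, n2, i2) in product(flat, repeat=2):
        shared = i1["export"] & i2["import"]
        if n1 != n2 and shared:
            findings.append(f"route-target leak: {d1}/{n1} exports "
                            f"{', '.join(sorted(shared))}, imported by {d2}/{n2}")
    return sorted(findings)

# vpn-instance and interface stanzas from the PE1 configuration file of this
# example (other stanzas and the interface addresses are omitted).
PE1 = """
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 100:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
interface GigabitEthernet1/0/0
 ip binding vpn-instance vpna
#
interface GigabitEthernet2/0/0
 ip binding vpn-instance vpnb
#
"""
# PE2 in this example uses the same route targets with RDs 200:1 and 200:2 and
# binds the instances to GigabitEthernet2/0/0.1 and GigabitEthernet2/0/0.2.
PE2 = (PE1.replace("distinguisher 100:", "distinguisher 200:")
          .replace("GigabitEthernet2/0/0", "GigabitEthernet2/0/0.2")
          .replace("GigabitEthernet1/0/0", "GigabitEthernet2/0/0.1"))
GOOD = {"PE1": PE1, "PE2": PE2}
# Constructed misconfiguration: vpnb on PE2 also imports vpna's route target.
BAD = {"PE1": PE1, "PE2": PE2.replace(
    "vpn-target 222:2 import", "vpn-target 222:2 111:1 import")}

if __name__ == "__main__":
    for finding in audit_isolation(BAD):
        print(finding)
```

An empty result for the real configuration files corresponds to the ping results in the verification step: CE1 reaches CE3, and neither reaches CE2 or CE4.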

7.9.10 Example for Configuring PBR to an LSP for VPN Packets


Networking Requirements
As shown in Figure 7-51, the BGP/MPLS IP VPN backbone network consists of
PE1, PE2, P1, and P2. CE1 and CE2 connect to the backbone network through PE1
and PE2 respectively. The path PE1->P2->PE2 is the primary LSP, and the path
PE1->P1->PE2 is the backup LSP.
If PBR is configured on PE1, packets 10 to 1000 bytes long that are sent from CE1 to
CE2 are forwarded through P2.


Figure 7-51 Networking diagram for configuring the PBR to an LSP for VPN
packets
[Diagram: MPLS backbone in AS 100. PE1 (Loopback1 1.1.1.9/32) reaches PE2 (Loopback1 3.3.3.9/32) over two paths. Through P1 (Loopback1 2.2.2.9/32): PE1 GE1/0/0 172.1.1.1/24 to P1 GE1/0/0 172.1.1.2/24, and P1 GE2/0/0 172.2.1.1/24 to PE2 GE1/0/0 172.2.1.2/24. Through P2 (Loopback1 4.4.4.9/32): PE1 GE2/0/0 172.3.1.1/24 to P2 GE1/0/0 172.3.1.2/24, and P2 GE2/0/0 172.4.1.1/24 to PE2 GE2/0/0 172.4.1.2/24. CE1 (vpna, AS 65410, GE1/0/0 10.1.1.1/24) connects to PE1 GE3/0/0 (10.1.1.2/24); CE2 (vpna, AS 65430, GE1/0/0 10.3.1.1/24) connects to PE2 GE3/0/0 (10.3.1.2/24).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure BGP/MPLS VPN according to 7.9.1 Example for Configuring BGP/
MPLS IP VPN.
2. Configure the PBR and policy node on the PE that requires the configuration
of the PBR to an LSP. Set a matching rule of IP packet length and specify an
LSP for forwarding VPN instance packets that meet the matching rule in the
policy-based route view.
3. Apply the PBR to the outbound interface bound to the VPN instance on the
PE.

Procedure
Step 1 Configure BGP/MPLS VPN.
For the configuration procedure, refer to 7.9.1 Example for Configuring BGP/
MPLS IP VPN.
After the configuration is complete, run the display mpls lsp command to check
LSPs on PE1.


[PE1] display mpls lsp


----------------------------------------------------------------------
LSP Information: BGP LSP
----------------------------------------------------------------------
FEC In/Out Label In/Out IF Vrf Name
10.1.1.0/24 15360/NULL -/- vpna
----------------------------------------------------------------------
LSP Information: LDP LSP
----------------------------------------------------------------------
FEC In/Out Label In/Out IF Vrf Name
2.2.2.9/32 NULL/3 -/GE1/0/0
2.2.2.9/32 1024/3 -/GE1/0/0
3.3.3.9/32 NULL/1024 -/GE1/0/0
3.3.3.9/32 NULL/1024 -/GE2/0/0
4.4.4.9/32 NULL/3 -/GE2/0/0
4.4.4.9/32 1025/3 -/GE2/0/0
1.1.1.9/32 3/NULL -/-

The LSPs to PE2 have two outbound interfaces: GE1/0/0 and GE2/0/0.
Step 2 Configure the PBR to an LSP on PE1.
[PE1] policy-based-route policy1 permit node 10
[PE1-policy-based-route-policy1-10] if-match packet-length 10 1000
[PE1-policy-based-route-policy1-10] apply lsp vpn vpna 10.3.1.1 3.3.3.9 172.3.1.2
[PE1-policy-based-route-policy1-10] quit

Step 3 Enable the PBR on PE1.


[PE1] ip local policy-based-route policy1

Step 4 Clear statistics on GE2/0/0 of PE1.


[PE1] quit
<PE1> reset counters interface GigabitEthernet 2/0/0

Step 5 Verify the configuration.


# Ping CE2 from CE1 to check the forwarding path of the packets.
[CE1] ping -c 1500 -s 950 10.3.1.1

# Check packet statistics on the interface of PE1.


<PE1> display interface gigabitethernet 2/0/0
GigabitEthernet2/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2012-09-14 18:13:40
Description:HUAWEI, AR Series, GigabitEthernet2/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 172.3.1.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 80fb-0635-45b6
Last physical up time : 2012-09-14 18:13:40
Last physical down time : 2012-09-14 18:13:23
Current system time: 2012-09-14 18:23:37
Port Mode: COMMON COPPER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO
Last 300 seconds input rate 456 bits/sec, 0 packets/sec
Last 300 seconds output rate 472 bits/sec, 0 packets/sec
Input peak rate 18088 bits/sec,Record time: 2012-09-14 18:22:50
Output peak rate 18016 bits/sec,Record time: 2012-09-14 18:22:50

Input: 30 packets, 25402 bytes


Unicast: 26, Multicast: 4
Broadcast: 0, Jumbo: 0
Discard: 0, Total Error: 0

CRC: 0, Giants: 0
Jabbers: 0, Throttles: 0


Runts: 0, Symbols: 0
Ignoreds: 0, Frames: 0

Output: 31 packets, 25970 bytes


Unicast: 27, Multicast: 4
Broadcast: 0, Jumbo: 0
Discard: 0, Total Error: 0

Collisions: 0, ExcessiveCollisions: 0
Late Collisions: 0, Deferreds: 0

Input bandwidth utilization threshold : 100.00%


Output bandwidth utilization threshold: 100.00%
Input bandwidth utilization : 0.01%
Output bandwidth utilization : 0.01%

# Run the display interface gigabitethernet 1/0/0 and display interface
gigabitethernet 2/0/0 commands repeatedly on PE1 to check the change of
packet statistics on interfaces of PE1. The command output shows that packets
are forwarded along the specified LSP.

----End
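The counter comparison in the verification step can be scripted instead of read by eye. The following Python sketch is an added example, not part of the Huawei guide: it parses the Input and Output totals in the display interface format shown above, takes one snapshot per candidate interface before and after the ping, and names the interface whose Output packet count grew by at least the number of echo requests sent. The function names and the snapshot values are constructed for illustration.

```python
import re

# Header line and packet totals as they appear in 'display interface' output.
NAME_RE = re.compile(r"^(\S+) current state\s*:", re.M)
TOTAL_RE = re.compile(r"^[ \t]*(Input|Output):\s*(\d+) packets,\s*(\d+) bytes", re.M)

def parse_totals(display_output):
    """Return (interface name, {'Input': (pkts, bytes), 'Output': (pkts, bytes)})."""
    name = NAME_RE.search(display_output)
    totals = {m.group(1): (int(m.group(2)), int(m.group(3)))
              for m in TOTAL_RE.finditer(display_output)}
    if name is None or set(totals) != {"Input", "Output"}:
        raise ValueError("incomplete 'display interface' output")
    return name.group(1), totals

def egress_for_flow(before, after, sent):
    """Identify the interface that carried a test flow of `sent` packets.

    before/after: lists of 'display interface' outputs, one per interface.
    Returns (interface or None, {interface: Output packet delta}). None means
    that no interface, or more than one, grew by at least `sent` packets, so
    the snapshots do not identify the path.
    """
    base = dict(parse_totals(out) for out in before)
    deltas = {}
    for out in after:
        name, totals = parse_totals(out)
        if name not in base:
            raise ValueError(f"no 'before' snapshot for {name}")
        delta = totals["Output"][0] - base[name]["Output"][0]
        if delta < 0:
            raise ValueError(f"{name}: counters were reset between snapshots")
        deltas[name] = delta
    carriers = [name for name, delta in deltas.items() if delta >= sent]
    return (carriers[0] if len(carriers) == 1 else None), deltas

def sample(name, out_pkts, out_bytes):
    """Constructed, trimmed 'display interface' output used as demo input."""
    return (f"{name} current state : UP\n"
            "Line protocol current state : UP\n"
            "Last 300 seconds output rate 472 bits/sec, 0 packets/sec\n"
            "Input: 30 packets, 25402 bytes\n"
            "  Unicast: 26, Multicast: 4\n"
            f"Output: {out_pkts} packets, {out_bytes} bytes\n")

# Constructed snapshots: GE2/0/0 was cleared with 'reset counters' (Step 4),
# GE1/0/0 was not, so only deltas are compared.
BEFORE = [sample("GigabitEthernet1/0/0", 210, 18900),
          sample("GigabitEthernet2/0/0", 0, 0)]
AFTER = [sample("GigabitEthernet1/0/0", 224, 20160),
         sample("GigabitEthernet2/0/0", 1531, 1524970)]

if __name__ == "__main__":
    # 1500 echo requests, matching 'ping -c 1500' in the verification step.
    print(egress_for_flow(BEFORE, AFTER, sent=1500))
```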

Configuration Files
● PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface GigabitEthernet3/0/0
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 172.3.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.3.1.0 0.0.0.255
network 172.1.1.0 0.0.0.255
#
policy-based-route policy1 permit node 10
if-match packet-length 10 1000
apply lsp vpn vpna 10.3.1.1 3.3.3.9 172.3.1.2
#
ip local policy-based-route policy1
#
return
● P1 configuration file
#
sysname P1
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.2.1.0 0.0.0.255
network 172.1.1.0 0.0.0.255
#
return
● PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:2
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface GigabitEthernet3/0/0
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 172.4.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
peer 10.3.1.1 as-number 65430
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 172.2.1.0 0.0.0.255
network 172.4.1.0 0.0.0.255
#
return
● P2 configuration file
#
sysname P2
#
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.3.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 172.4.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 172.3.1.0 0.0.0.255
network 172.4.1.0 0.0.0.255
#
return
● CE1 configuration file
#
sysname CE1
#


interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
import-route direct
undo synchronization
peer 10.1.1.2 enable
#
return

● CE2 configuration file


#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.3.1.1 255.255.255.0
#
bgp 65430
peer 10.3.1.2 as-number 100
#
ipv4-family unicast
import-route direct
undo synchronization
peer 10.3.1.2 enable
#
return

7.9.11 Example for Configuring HoVPN


Networking Requirements
Figure 7-52 shows a hierarchical VPN network consisting of a provincial backbone
network and a city MPLS VPN network.
● The SPE is located on the provincial backbone network and connects to the
city MPLS VPN network.
● The UPE is located on the city network and connects to VPN users.
The routing and forwarding capabilities of the UPE are lower than those of the
SPE and PEs. The HoVPN networking can enable users in vpna to communicate
with each other while reducing the loads on the UPE.


Figure 7-52 Networking diagram for configuring HoVPN
[Diagram: VPN backbone in AS 100 made up of the UPE (Loopback1 1.1.1.9/32), the SPE (Loopback1 2.2.2.9/32) and the PE (Loopback1 3.3.3.9/32). The UPE and SPE are linked over 172.1.1.0/24 (UPE GE2/0/0 172.1.1.1/24, SPE 172.1.1.2/24), and the SPE and PE over 172.2.1.0/24 (SPE 172.2.1.1/24, PE 172.2.1.2/24). CE1 (vpna, AS 65410, GE1/0/0 10.1.1.1/24) connects to the UPE (10.1.1.2/24); CE2 (vpna, AS 65420, GE1/0/0 10.2.1.1/24) connects to the PE (10.2.1.2/24).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IGP on the backbone network to implement IP interworking.
2. Configure basic MPLS capabilities and MPLS LDP on the backbone network to
set up MPLS LSPs.
3. Set up MP-IBGP peer relationships between the UPE and SPE and between
the PE and SPE to exchange VPN routing information.
4. On the UPE and PEs, create VPN instances and set up EBGP peer relationships
with CEs to exchange VPN routing information.
5. On the SPE, create a VPN instance and specify the UPE as its underlayer PE
(or user-end PE). Advertise the default route of the VPN instance to the UPE
to reduce the loads on the UPE.

Procedure
Step 1 Configure OSPF on the backbone network to implement IP interworking.
# Configure the UPE.
<Huawei> system-view
[Huawei] sysname UPE
[UPE] interface loopback 1
[UPE-LoopBack1] ip address 1.1.1.9 32
[UPE-LoopBack1] quit
[UPE] interface gigabitethernet 2/0/0
[UPE-GigabitEthernet2/0/0] ip address 172.1.1.1 24
[UPE-GigabitEthernet2/0/0] quit
[UPE] ospf
[UPE-ospf-1] area 0
[UPE-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[UPE-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[UPE-ospf-1-area-0.0.0.0] quit
[UPE-ospf-1] quit

The configuration on the SPE and PEs is similar to the configuration on the UPE
and is not mentioned here.
After the configuration is complete, OSPF neighbor relationships are set up
between the UPE, SPE, and PE. Run the display ospf peer command on these
devices. The command output shows that the neighbor relationships are in Full
state. Run the display ip routing-table command on these devices. The command
output shows that they have learned the route to the loopback interface of each
other.
Step 2 Configure basic MPLS capabilities and MPLS LDP on the backbone network to set
up LDP LSPs.
# Configure the UPE.

[UPE] mpls lsr-id 1.1.1.9
[UPE] mpls
[UPE-mpls] quit
[UPE] mpls ldp
[UPE-mpls-ldp] quit
[UPE] interface gigabitethernet 2/0/0
[UPE-GigabitEthernet2/0/0] mpls
[UPE-GigabitEthernet2/0/0] mpls ldp
[UPE-GigabitEthernet2/0/0] quit

The configuration on the SPE and PEs is similar to the configuration on the UPE
and is not mentioned here.
After the configuration is complete, LDP sessions are established between UPE
and SPE, and between SPE and PE. Run the display mpls ldp session command
on these devices. The command output shows that the status is Operational. Run
the display mpls ldp lsp command. Information about the established LDP LSPs is
displayed.
Step 3 Set up MP-IBGP peer relationships between the UPE and SPE and between the PE
and SPE.
# Configure the UPE.

[UPE] bgp 100
[UPE-bgp] peer 2.2.2.9 as-number 100
[UPE-bgp] peer 2.2.2.9 connect-interface loopback 1
[UPE-bgp] ipv4-family vpnv4
[UPE-bgp-af-vpnv4] peer 2.2.2.9 enable
[UPE-bgp-af-vpnv4] quit
[UPE-bgp] quit

# Configure the SPE.

[SPE] bgp 100
[SPE-bgp] peer 1.1.1.9 as-number 100
[SPE-bgp] peer 1.1.1.9 connect-interface loopback 1
[SPE-bgp] peer 3.3.3.9 as-number 100
[SPE-bgp] peer 3.3.3.9 connect-interface loopback 1
[SPE-bgp] ipv4-family vpnv4
[SPE-bgp-af-vpnv4] peer 1.1.1.9 enable
[SPE-bgp-af-vpnv4] peer 3.3.3.9 enable
[SPE-bgp-af-vpnv4] quit
[SPE-bgp] quit

# Configure the PE.

[PE] bgp 100
[PE-bgp] peer 2.2.2.9 as-number 100
[PE-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE-bgp] ipv4-family vpnv4
[PE-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE-bgp-af-vpnv4] quit
[PE-bgp] quit

Step 4 On the UPE and PEs, create a VPN instance and set up EBGP peer relationships
with the CEs.
# Configure the UPE.

[UPE] ip vpn-instance vpna
[UPE-vpn-instance-vpna] ipv4-family
[UPE-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[UPE-vpn-instance-vpna-af-ipv4] vpn-target 1:1
[UPE-vpn-instance-vpna-af-ipv4] quit
[UPE-vpn-instance-vpna] quit
[UPE] interface gigabitethernet 1/0/0
[UPE-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[UPE-GigabitEthernet1/0/0] ip address 10.1.1.2 24
[UPE-GigabitEthernet1/0/0] quit
[UPE] bgp 100
[UPE-bgp] ipv4-family vpn-instance vpna
[UPE-bgp-vpna] peer 10.1.1.1 as-number 65410
[UPE-bgp-vpna] import-route direct
[UPE-bgp-vpna] quit
[UPE-bgp] quit

# Configure CE1.
<Huawei> system-view
[Huawei] sysname CE1
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[CE1-GigabitEthernet1/0/0] quit
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

# Configure the PE.

[PE] ip vpn-instance vpna
[PE-vpn-instance-vpna] ipv4-family
[PE-vpn-instance-vpna-af-ipv4] route-distinguisher 100:2
[PE-vpn-instance-vpna-af-ipv4] vpn-target 1:1
[PE-vpn-instance-vpna-af-ipv4] quit
[PE-vpn-instance-vpna] quit
[PE] interface gigabitethernet 1/0/0
[PE-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[PE-GigabitEthernet1/0/0] ip address 10.2.1.2 24
[PE-GigabitEthernet1/0/0] quit
[PE] bgp 100
[PE-bgp] ipv4-family vpn-instance vpna
[PE-bgp-vpna] peer 10.2.1.1 as-number 65420
[PE-bgp-vpna] import-route direct
[PE-bgp-vpna] quit
[PE-bgp] quit

# Configure CE2.
<Huawei> system-view
[Huawei] sysname CE2
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] ip address 10.2.1.1 24
[CE2-GigabitEthernet1/0/0] quit
[CE2] bgp 65420
[CE2-bgp] peer 10.2.1.2 as-number 100
[CE2-bgp] import-route direct
[CE2-bgp] quit

After the configuration is complete, run the display ip vpn-instance verbose
command on the UPE and PEs to check the configuration of VPN instances. Run
the ping -vpn-instance command on the UPE and PEs to ping the connected CEs.
The ping operations succeed.

NOTE

If a PE has multiple interfaces bound to the same VPN instance, you need to specify the
source IP address by setting -a source-ip-address in the ping -vpn-instance
vpn-instance-name -a source-ip-address dest-ip-address command to ping the remote CE.
If the source IP address is not specified, the ping operation fails.

UPE is used as an example.
[UPE] display ip vpn-instance verbose
Total VPN-Instances configured : 1
Total IPv4 VPN-Instances configured : 1
Total IPv6 VPN-Instances configured : 0

VPN-Instance Name and ID : vpna, 1
Interfaces : GigabitEthernet1/0/0
Address family ipv4
Create date : 2012/09/14 14:34:10
Up time : 0 days, 00 hours, 16 minutes and 01 seconds
Route Distinguisher : 100:1
Export VPN Targets : 1:1
Import VPN Targets : 1:1
Label Policy : label per route
Log Interval : 5

Step 5 On the SPE, create a VPN instance, specify the UPE as its underlayer PE, and
advertise the default route of the VPN instance to the UPE.

# Configure the VPN instance.
[SPE] ip vpn-instance vpna
[SPE-vpn-instance-vpna] ipv4-family
[SPE-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[SPE-vpn-instance-vpna-af-ipv4] vpn-target 1:1
[SPE-vpn-instance-vpna-af-ipv4] quit
[SPE-vpn-instance-vpna] quit

# Specify the UPE for the SPE.
[SPE] bgp 100
[SPE-bgp] ipv4-family vpnv4
[SPE-bgp-af-vpnv4] peer 1.1.1.9 upe

# Advertise the default route of the VPN instance to the UPE.
[SPE-bgp-af-vpnv4] peer 1.1.1.9 default-originate vpn-instance vpna
[SPE-bgp-af-vpnv4] quit
[SPE-bgp] quit


Step 6 Verify the configuration.

# After the configuration is complete, CE1 has no route to the network segment
of the interface on CE2, but has a default route with the UPE as the next hop. CE2
has a BGP route to the network segment of the interface on CE1. CE1 and CE2 can
ping each other.
[CE1] display ip routing-table
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8

Destination/Mask Proto Pre Cost Flags NextHop Interface

0.0.0.0/0 EBGP 255 0 D 10.1.1.2 GigabitEthernet1/0/0
10.1.1.0/24 Direct 0 0 D 10.1.1.1 GigabitEthernet1/0/0
10.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

[CE1] ping 10.2.1.1
PING 10.2.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=252 time=2 ms
Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=252 time=1 ms
Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=252 time=1 ms
Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=252 time=1 ms
Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=252 time=1 ms

--- 10.2.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/2 ms

[CE2] display ip routing-table
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 EBGP 255 0 D 10.2.1.2 GigabitEthernet1/0/0
10.2.1.0/24 Direct 0 0 D 10.2.1.1 GigabitEthernet1/0/0
10.2.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.2.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

# Run the display bgp vpnv4 all routing-table command on the UPE. The
command output shows a default route of vpna with the next hop as SPE.
[UPE] display bgp vpnv4 all routing-table

BGP Local router ID is 1.1.1.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total number of routes from all PE: 4
Route Distinguisher: 100:1

Network NextHop MED LocPrf PrefVal Path/Ogn

*> 10.1.1.0/24 0.0.0.0 0 0 ?
* 10.1.1.1 0 0 65410?
*> 10.1.1.2/32 0.0.0.0 0 0 ?

Route Distinguisher: 200:1

Network NextHop MED LocPrf PrefVal Path/Ogn

*>i 0.0.0.0 2.2.2.9 0 100 0 i

VPN-Instance vpna, Router ID 1.1.1.9:

Total Number of Routes: 4
Network NextHop MED LocPrf PrefVal Path/Ogn

*>i 0.0.0.0 2.2.2.9 0 100 0 i
*> 10.1.1.0/24 0.0.0.0 0 0 ?
10.1.1.1 0 0 65410?
*> 10.1.1.2/32 0.0.0.0 0 0 ?

----End

Configuration Files
● CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return

● UPE configuration file
#
sysname UPE
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
● SPE configuration file
#
sysname SPE
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 3.3.3.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
peer 1.1.1.9 upe
peer 1.1.1.9 default-originate vpn-instance vpna
peer 3.3.3.9 enable
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
#
return
● PE configuration file
#
sysname PE
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpna
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 10.2.1.1 as-number 65420
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 172.2.1.0 0.0.0.255
#
return
● CE2 configuration file
#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
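
An added example, not part of Huawei's guide: a Python audit that reads the vpn-instance and BGP VPNv4 lines of the configuration files above and reports route-target mismatches and UPE peers that have no default-originate statement. It assumes that instances with the same name on different devices belong to one VPN; the function names and the misconfigured variant are constructed for illustration.

```python
import re

# Constructed input: the vpn-instance and BGP VPNv4 lines of the UPE, SPE and PE
# configuration files in this example, re-indented the way VRP prints them.
COMMON = """\
ip vpn-instance vpna
 ipv4-family
  route-distinguisher {rd}
  vpn-target 1:1 export-extcommunity
  vpn-target 1:1 import-extcommunity
#
bgp 100
 #
 ipv4-family vpnv4
  policy vpn-target
"""
CONFIGS = {
    "UPE": COMMON.format(rd="100:1") + "  peer 2.2.2.9 enable\n",
    "SPE": COMMON.format(rd="200:1") + (
        "  peer 1.1.1.9 enable\n"
        "  peer 1.1.1.9 upe\n"
        "  peer 1.1.1.9 default-originate vpn-instance vpna\n"
        "  peer 3.3.3.9 enable\n"),
    "PE": COMMON.format(rd="100:2") + "  peer 2.2.2.9 enable\n",
}


def parse(text):
    """Return (instances, upe_peers, default_originate) for one device."""
    instances, upe_peers, default_originate = {}, set(), {}
    vrf, in_vpnv4 = None, False
    for line in map(str.strip, text.splitlines()):
        if line == "#":                      # '#' ends the current section
            vrf, in_vpnv4 = None, False
        elif m := re.fullmatch(r"ip vpn-instance (\S+)", line):
            vrf = instances.setdefault(m[1], {"export": set(), "import": set()})
        elif vrf is not None and (m := re.fullmatch(
                r"vpn-target (.+) (export|import)-extcommunity", line)):
            vrf[m[2]].update(m[1].split())
        elif line == "ipv4-family vpnv4":
            in_vpnv4 = True
        elif in_vpnv4 and (m := re.fullmatch(r"peer (\S+) upe", line)):
            upe_peers.add(m[1])
        elif in_vpnv4 and (m := re.fullmatch(
                r"peer (\S+) default-originate vpn-instance (\S+)", line)):
            default_originate.setdefault(m[1], set()).add(m[2])
    return instances, upe_peers, default_originate


def audit(configs):
    """Return sorted findings for RT mismatches and incomplete HoVPN setup."""
    parsed = {dev: parse(text) for dev, text in configs.items()}
    vrfs = [(dev, name, rts) for dev, (inst, _, _) in parsed.items()
            for name, rts in inst.items()]
    findings = []
    for a_dev, a_name, a in vrfs:
        for b_dev, b_name, b in vrfs:
            if a_dev == b_dev:
                continue
            flows = bool(a["export"] & b["import"])
            if a_name == b_name and not flows:     # same VPN, routes dropped
                findings.append(f"{b_dev}/{b_name} imports no route target "
                                f"exported by {a_dev}/{a_name}")
            elif a_name != b_name and flows:       # different VPNs, routes cross
                findings.append(f"{a_dev}/{a_name} routes are imported by "
                                f"{b_dev}/{b_name}")
    for dev, (inst, upe_peers, default_originate) in parsed.items():
        for peer in sorted(upe_peers):
            names = default_originate.get(peer, set())
            if not names:
                findings.append(f"{dev}: UPE peer {peer} gets no "
                                "default-originate vpn-instance")
            for name in sorted(names - set(inst)):
                findings.append(f"{dev}: default-originate to {peer} names "
                                f"undefined instance {name}")
    return sorted(findings)


def broken_configs():
    """Constructed misconfiguration: the SPE omits default-originate and the
    PE imports route target 2:2 instead of 1:1."""
    bad = dict(CONFIGS)
    bad["SPE"] = CONFIGS["SPE"].replace(
        "  peer 1.1.1.9 default-originate vpn-instance vpna\n", "")
    bad["PE"] = CONFIGS["PE"].replace("1:1 import", "2:2 import")
    return bad


if __name__ == "__main__":
    print("as documented:", audit(CONFIGS))
    for finding in audit(broken_configs()):
        print("misconfigured:", finding)
```

The documented configuration produces no findings; the constructed variant is flagged both for the PE that would silently drop vpna routes and for the UPE that would be left without a default route.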

7.9.12 Example for Configuring an OSPF Sham Link


Networking Requirements
As shown in Figure 7-53, CE1 and CE2 belong to the same OSPF area of VPN1
and they connect to PE1 and PE2 respectively. A backdoor link exists between CE1
and CE2 and is used as a backup link.
The CEs and PEs need to run OSPF. When the backbone network is running
properly, VPN traffic of CE1 and CE2 should be forwarded over the MPLS
backbone network without passing through the backdoor link.

Figure 7-53 Networking diagram for configuring OSPF sham link

MPLS backbone:
● PE1: Loopback1 1.1.1.9/32, Loopback10 5.5.5.5/32, GE1/0/0 100.1.1.2/24, GE2/0/0 10.1.1.1/24
● P: Loopback1 2.2.2.9/32, GE1/0/0 10.1.1.2/24, GE2/0/0 40.1.1.1/24
● PE2: Loopback1 3.3.3.9/32, Loopback10 6.6.6.6/32, GE1/0/0 120.1.1.2/24, GE2/0/0 40.1.1.2/24
● Sham link: between Loopback10 of PE1 and Loopback10 of PE2
Customer network (VPN1):
● CE1: GE1/0/0 100.1.1.1/24, GE2/0/0 20.1.1.1/24
● RTA: GE1/0/0 20.1.1.2/24, GE2/0/0 30.1.1.1/24
● CE2: GE1/0/0 120.1.1.1/24, GE2/0/0 30.1.1.2/24
● Backdoor link: CE1 - RTA - CE2

Configuration Roadmap
The configuration roadmap is as follows:
1. Set up an MP-IBGP peer relationship between the PEs and configure OSPF
between the PEs and CEs.
2. Create a VPN instance on the PEs and bind it to the interfaces connected to
CEs.
3. Create an OSPF sham link on the PEs.
4. Set the cost of the backdoor link to be larger than the cost of the sham link
so that VPN traffic is transmitted over the MPLS backbone network.

Procedure
Step 1 Configure OSPF on the customer network.

Configure OSPF on CE1, RTA, and CE2 and advertise the network segment of each
interface.

# Configure CE1.
<Huawei> system-view
[Huawei] sysname CE1
[CE1] interface gigabitethernet2/0/0
[CE1-GigabitEthernet2/0/0] ip address 20.1.1.1 24
[CE1-GigabitEthernet2/0/0] quit
[CE1] interface gigabitethernet1/0/0
[CE1-GigabitEthernet1/0/0] ip address 100.1.1.1 24
[CE1-GigabitEthernet1/0/0] quit
[CE1] ospf
[CE1-ospf-1] area 0
[CE1-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[CE1-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[CE1-ospf-1-area-0.0.0.0] quit
[CE1-ospf-1] quit

# Configure RTA.
<Huawei> system-view
[Huawei] sysname RTA
[RTA] interface gigabitethernet 1/0/0
[RTA-GigabitEthernet1/0/0] ip address 20.1.1.2 24
[RTA-GigabitEthernet1/0/0] quit
[RTA] interface gigabitethernet 2/0/0
[RTA-GigabitEthernet2/0/0] ip address 30.1.1.1 24
[RTA-GigabitEthernet2/0/0] quit
[RTA] ospf
[RTA-ospf-1] area 0
[RTA-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[RTA-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[RTA-ospf-1-area-0.0.0.0] quit
[RTA-ospf-1] quit

# Configure CE2.
<Huawei> system-view
[Huawei] sysname CE2
[CE2] interface gigabitethernet 2/0/0
[CE2-GigabitEthernet2/0/0] ip address 30.1.1.2 24
[CE2-GigabitEthernet2/0/0] quit
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] ip address 120.1.1.2 24
[CE2-GigabitEthernet1/0/0] quit
[CE2] ospf
[CE2-ospf-1] area 0
[CE2-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[CE2-ospf-1-area-0.0.0.0] network 120.1.1.0 0.0.0.255
[CE2-ospf-1-area-0.0.0.0] quit
[CE2-ospf-1] quit

Step 2 Complete basic BGP/MPLS IP VPN configuration on the backbone network:
configure an IGP, enable MPLS and LDP, and set up an MP-IBGP peer relationship
between the PEs.

# Configure PE1.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip address 10.1.1.1 24
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] mpls
[PE1-GigabitEthernet2/0/0] mpls ldp
[PE1-GigabitEthernet2/0/0] quit
[PE1] ospf 1 router-id 1.1.1.9
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure P.
<Huawei> system-view
[Huawei] sysname P
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] ip address 10.1.1.2 24
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] ip address 40.1.1.1 24
[P-GigabitEthernet2/0/0] quit
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.9 32
[P-LoopBack1] quit
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] mpls
[P-GigabitEthernet1/0/0] mpls ldp
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] mpls
[P-GigabitEthernet2/0/0] mpls ldp
[P-GigabitEthernet2/0/0] quit
[P] ospf 1 router-id 2.2.2.9
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 40.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit

# Configure PE2.
<Huawei> system-view
[Huawei] sysname PE2
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] ip address 40.1.1.2 24
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.9 32
[PE2-LoopBack1] quit
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] mpls
[PE2-GigabitEthernet2/0/0] mpls ldp
[PE2-GigabitEthernet2/0/0] quit
[PE2] ospf 1 router-id 3.3.3.9
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 40.1.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit

After the configuration is complete, PE1 and PE2 can learn the route to the
loopback interface of each other and set up an MP-IBGP peer relationship.

Step 3 Configure OSPF between the PEs and CEs.

# Configure PE1.
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] ipv4-family
[PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1
[PE1-vpn-instance-vpn1-af-ipv4] quit
[PE1-vpn-instance-vpn1] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpn1
[PE1-GigabitEthernet1/0/0] ip address 100.1.1.2 24
[PE1-GigabitEthernet1/0/0] quit
[PE1] ospf 100 router-id 5.5.5.5 vpn-instance vpn1
[PE1-ospf-100] domain-id 10
[PE1-ospf-100] import-route bgp
[PE1-ospf-100] area 0
[PE1-ospf-100-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[PE1-ospf-100-area-0.0.0.0] quit
[PE1-ospf-100] quit
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] import-route ospf 100
[PE1-bgp-vpn1] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] ip vpn-instance vpn1
[PE2-vpn-instance-vpn1] ipv4-family
[PE2-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:2
[PE2-vpn-instance-vpn1-af-ipv4] vpn-target 1:1
[PE2-vpn-instance-vpn1-af-ipv4] quit
[PE2-vpn-instance-vpn1] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpn1
[PE2-GigabitEthernet1/0/0] ip address 120.1.1.1 24
[PE2-GigabitEthernet1/0/0] quit
[PE2] ospf 100 router-id 6.6.6.6 vpn-instance vpn1
[PE2-ospf-100] import-route bgp
[PE2-ospf-100] domain-id 10
[PE2-ospf-100] area 0
[PE2-ospf-100-area-0.0.0.0] network 120.1.1.0 0.0.0.255
[PE2-ospf-100-area-0.0.0.0] quit
[PE2-ospf-100] quit
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpn1
[PE2-bgp-vpn1] import-route direct
[PE2-bgp-vpn1] import-route ospf 100
[PE2-bgp-vpn1] quit
[PE2-bgp] quit

After the configuration is complete, run the display ip routing-table vpn-instance
command on the PEs. The command output shows that the routes to the
remote CEs are OSPF routes through the customer network, not the BGP routes
through the backbone network.
The information displayed on PE1 is used as an example.
[PE1] display ip routing-table vpn-instance vpn1
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpn1
Destinations : 7 Routes : 7
Destination/Mask Proto Pre Cost Flags NextHop Interface
20.1.1.0/24 OSPF 10 2 D 100.1.1.1 GigabitEthernet1/0/0
30.1.1.0/24 OSPF 10 3 D 100.1.1.1 GigabitEthernet1/0/0
100.1.1.0/24 Direct 0 0 D 100.1.1.2 GigabitEthernet1/0/0
100.1.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
100.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
120.1.1.0/24 OSPF 10 4 D 100.1.1.1 GigabitEthernet1/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Step 4 Configure an OSPF sham link.


NOTE

To forward VPN traffic through the MPLS backbone network, ensure that the cost of the
sham link is smaller than the cost of the OSPF route used for forwarding VPN traffic over
the customer network. A commonly used method is to set the cost of the forwarding
interface on the customer network to be larger than the cost of the sham link.

# Configure CE1.
[CE1] interface gigabitethernet 2/0/0
[CE1-GigabitEthernet2/0/0] ospf cost 10
[CE1-GigabitEthernet2/0/0] quit

# Configure CE2.
[CE2] interface gigabitethernet 2/0/0
[CE2-GigabitEthernet2/0/0] ospf cost 10
[CE2-GigabitEthernet2/0/0] quit

# Configure PE1.
[PE1] interface loopback 10
[PE1-LoopBack10] ip binding vpn-instance vpn1
[PE1-LoopBack10] ip address 5.5.5.5 32
[PE1-LoopBack10] quit
[PE1] ospf 100
[PE1-ospf-100] area 0
[PE1-ospf-100-area-0.0.0.0] sham-link 5.5.5.5 6.6.6.6 cost 1
[PE1-ospf-100-area-0.0.0.0] quit
[PE1-ospf-100] quit

# Configure PE2.
[PE2] interface loopback 10
[PE2-LoopBack10] ip binding vpn-instance vpn1
[PE2-LoopBack10] ip address 6.6.6.6 32
[PE2-LoopBack10] quit
[PE2] ospf 100
[PE2-ospf-100] area 0
[PE2-ospf-100-area-0.0.0.0] sham-link 6.6.6.6 5.5.5.5 cost 1
[PE2-ospf-100-area-0.0.0.0] quit
[PE2-ospf-100] quit

Step 5 Verify the configuration.


# After the configuration is complete, run the display ip routing-table vpn-instance
command on the PEs. The command output shows that the routes to the
remote CEs are BGP routes through the backbone network, and there are routes
to the destination of the sham link.
# The information displayed on PE1 is used as an example.
[PE1] display ip routing-table vpn-instance vpn1
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpn1
Destinations : 9 Routes : 9
Destination/Mask Proto Pre Cost Flags NextHop Interface
5.5.5.5/32 Direct 0 0 D 127.0.0.1 LoopBack10
6.6.6.6/32 IBGP 255 0 RD 3.3.3.9 GigabitEthernet2/0/0
20.1.1.0/24 OSPF 10 11 D 100.1.1.1 GigabitEthernet1/0/0
30.1.1.0/24 OSPF 10 12 D 100.1.1.1 GigabitEthernet1/0/0
100.1.1.0/24 Direct 0 0 D 100.1.1.2 GigabitEthernet1/0/0
100.1.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
100.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
120.1.1.0/24 IBGP 255 0 RD 3.3.3.9 GigabitEthernet2/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

# Run the display ip routing-table command on the CEs. The command output
shows that the cost of the OSPF route to the remote CE has changed to 3, and the
next hop has changed to the interface connected to PE. That is, VPN traffic to the
remote CE is forwarded through the backbone network.
# The information displayed on CE1 is used as an example.
[CE1] display ip routing-table
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 14 Routes : 14
Destination/Mask Proto Pre Cost Flags NextHop Interface
5.5.5.5/32 O_ASE 150 1 D 100.1.1.2 GigabitEthernet1/0/0
6.6.6.6/32 O_ASE 150 1 D 100.1.1.2 GigabitEthernet1/0/0
20.1.1.0/24 Direct 0 0 D 20.1.1.1 GigabitEthernet2/0/0
20.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
20.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
30.1.1.0/24 OSPF 10 11 D 20.1.1.2 GigabitEthernet2/0/0
100.1.1.0/24 Direct 0 0 D 100.1.1.1 GigabitEthernet1/0/0
100.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
100.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
120.1.1.0/24 OSPF 10 3 D 100.1.1.2 GigabitEthernet1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

NOTE

Cost of the OSPF route from CE1 to CE2 = Cost of the path from CE1 to PE1 + Cost of the
sham link + Cost of the path from PE2 to CE2 = 1 + 1 + 1 = 3

# Run the tracert command on CE1. The command output shows that the data
sent from CE1 to CE2 passes through the interface connected to PE1. That is, VPN
traffic is transmitted through the backbone network.
[CE1] tracert 120.1.1.1
traceroute to 120.1.1.1(120.1.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 100.1.1.2 10 ms 1 ms 1 ms
2 10.1.1.2 10 ms 1 ms 1 ms
3 120.1.1.1 10 ms 2 ms 1 ms
[CE1] tracert 30.1.1.2
traceroute to 30.1.1.2(30.1.1.2), max hops: 30 ,packet length: 40,press CTRL_C to break
1 20.1.1.2 10 ms 1 ms 1 ms
2 30.1.1.2 10 ms 2 ms 1 ms

# Run the display ospf 100 sham-link command on the PEs to check information
about the sham link.
# The information displayed on PE1 is used as an example.
[PE1] display ospf 100 sham-link

OSPF Process 100 with Router ID 5.5.5.5
Sham Link:
Area NeighborId Source-IP Destination-IP State Cost
0.0.0.0 6.6.6.6 5.5.5.5 6.6.6.6 P-2-P 1

# Run the display ospf sham-link area command. The command output shows
that the neighbor relationship is in Full state.
[PE1] display ospf sham-link area 0

OSPF Process 1 with Router ID 1.1.1.9

OSPF Process 100 with Router ID 5.5.5.5

Sham-Link: 5.5.5.5 --> 6.6.6.6
Neighbor ID: 6.6.6.6, State: Full, GR status: Normal
Area: 0.0.0.0
Cost: 1 State: P-2-P, Type: Sham
Timers: Hello 10 , Dead 40 , Retransmit 5 , Transmit Delay 1

# Run the display ospf routing command on the CEs. The command output
shows that the route to the remote CE is learned as an intra-area route.
[CE1] display ospf routing
OSPF Process 1 with Router ID 100.1.1.1
Routing Tables
Routing for Network
Destination Cost Type NextHop AdvRouter Area
120.1.1.0/24 3 Transit 100.1.1.2 6.6.6.6 0.0.0.0
20.1.1.0/24 10 Transit 20.1.1.1 100.1.1.1 0.0.0.0
30.1.1.0/24 11 Transit 20.1.1.2 30.1.1.1 0.0.0.0
100.1.1.0/24 1 Transit 100.1.1.1 100.1.1.1 0.0.0.0
Routing for ASEs
Destination Cost Type Tag NextHop AdvRouter
6.6.6.6/32 1 Type2 3489661028 100.1.1.2 5.5.5.5
5.5.5.5/32 1 Type2 3489661028 100.1.1.2 6.6.6.6

Total Nets: 6
Intra Area: 4 Inter Area: 0 ASE: 2 NSSA: 0

----End
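
An added example, not part of Huawei's guide: a simplified SPF model in Python of OSPF area 0 in this scenario, showing why the backdoor interface cost must be raised above the sham-link path cost. It assumes the default interface cost of 1 implied by the Step 3 output and treats the sham link as a point-to-point adjacency between PE1 and PE2; the function names are illustrative.

```python
import heapq


def build_topology(backdoor_cost=1, sham_link=True, sham_cost=1):
    """Area 0 of the customer OSPF domain as a directed graph.

    router -> network edges carry the outgoing interface cost,
    network -> router edges cost 0 (OSPF transit-network model).
    """
    links = [  # (router, attached network, interface cost)
        ("CE1", "100.1.1.0/24", 1), ("PE1", "100.1.1.0/24", 1),
        ("CE1", "20.1.1.0/24", backdoor_cost), ("RTA", "20.1.1.0/24", 1),
        ("RTA", "30.1.1.0/24", 1), ("CE2", "30.1.1.0/24", backdoor_cost),
        ("CE2", "120.1.1.0/24", 1), ("PE2", "120.1.1.0/24", 1),
    ]
    graph = {}
    for router, net, cost in links:
        graph.setdefault(router, []).append((net, cost))
        graph.setdefault(net, []).append((router, 0))
    if sham_link:  # point-to-point adjacency between the two PEs
        graph["PE1"].append(("PE2", sham_cost))
        graph["PE2"].append(("PE1", sham_cost))
    return graph


def spf(graph, root):
    """Dijkstra from root: {node: (cost, set of first-hop segments)}."""
    best = {root: (0, set())}
    heap = [(0, False, root)]
    while heap:
        cost, _, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale heap entry
        for nxt, weight in graph[node]:
            new = cost + weight
            hops = {nxt} if node == root else best[node][1]
            if nxt not in best or new < best[nxt][0]:
                best[nxt] = (new, set(hops))
                # networks sort before routers at equal cost, so a router's
                # equal-cost first hops are complete before it is expanded
                heapq.heappush(heap, (new, "/" not in nxt, nxt))
            elif new == best[nxt][0]:
                best[nxt][1].update(hops)  # equal-cost path: keep both
    return best


def best_route(root, dest, **topology):
    """(cost, sorted first-hop segments) of root's best path to dest."""
    cost, hops = spf(build_topology(**topology), root)[dest]
    return cost, sorted(hops)


if __name__ == "__main__":
    cases = [
        ("default costs, no sham link", dict(backdoor_cost=1, sham_link=False)),
        ("default costs, sham link", dict(backdoor_cost=1)),
        ("backdoor cost 10, sham link", dict(backdoor_cost=10)),
        ("backdoor cost 10, sham link down", dict(backdoor_cost=10, sham_link=False)),
    ]
    for label, topo in cases:
        route = best_route("CE1", "120.1.1.0/24", **topo)
        print(f"{label:34} CE1 -> 120.1.1.0/24: {route}")
```

With default costs the sham-link path and the backdoor tie at cost 3, so both segments appear as first hops; with ospf cost 10 on the backdoor interfaces the backbone path (cost 3) wins and the backdoor (cost 12) is used only when the sham link is down.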

Configuration Files
● PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1
ip address 100.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
interface LoopBack10
ip binding vpn-instance vpn1
ip address 5.5.5.5 255.255.255.255
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
import-route ospf 100
#
ospf 1 router-id 1.1.1.9
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
#
ospf 100 router-id 5.5.5.5 vpn-instance vpn1
import-route bgp
domain-id 0.0.0.10
area 0.0.0.0
network 100.1.1.0 0.0.0.255
sham-link 5.5.5.5 6.6.6.6
#
return


● P configuration file
#
sysname P
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 40.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1 router-id 2.2.2.9
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 40.1.1.0 0.0.0.255
#
return

● PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1
ip address 120.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 40.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
interface LoopBack10
ip binding vpn-instance vpn1
ip address 6.6.6.6 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
import-route ospf 100
#
ospf 1 router-id 3.3.3.9
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 40.1.1.0 0.0.0.255
#
ospf 100 router-id 6.6.6.6 vpn-instance vpn1
import-route bgp
domain-id 0.0.0.10
area 0.0.0.0
network 120.1.1.0 0.0.0.255
sham-link 6.6.6.6 5.5.5.5
#
return
● CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 100.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 20.1.1.1 255.255.255.0
ospf cost 10
#
ospf 1
area 0.0.0.0
network 100.1.1.0 0.0.0.255
network 20.1.1.0 0.0.0.255
#
return
● CE2 configuration file
#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 120.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 30.1.1.2 255.255.255.0
ospf cost 10
#
ospf 1
area 0.0.0.0
network 30.1.1.0 0.0.0.255
network 120.1.1.0 0.0.0.255
#
return
● RTA configuration file
#
sysname RTA
#
interface GigabitEthernet1/0/0
ip address 20.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 30.1.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return

7.9.13 Example for Configuring BGP AS Number Substitution


Networking Requirements
As shown in Figure 7-54, CE1 and CE2 belong to the same VPN. CE1 connects to
PE1, and CE2 connects to PE2. Both CE1 and CE2 use AS number 600.
The PEs and CEs need to set up EBGP peer relationships to allow communication
between VPN users.

Figure 7-54 Networking diagram for configuring BGP AS number substitution

[Figure: PE1 (Loopback1 1.1.1.9/32), P (Loopback1 2.2.2.9/32) and PE2 (Loopback1
3.3.3.9/32) form the VPN backbone in AS 100. CE1 connects to PE1 and CE2 connects
to PE2; both CEs belong to vpn1 and use AS 600. Interface addresses are given in
the configuration files of this example.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF between the P and PEs to ensure IP connectivity on the
backbone network.
2. Configure basic MPLS capabilities and MPLS LDP on the P and PEs to set up
MPLS LSP tunnels for VPN data transmission on the backbone network.
3. Set up an MP-IBGP peer relationship between PEs to exchange VPNv4 routes.
4. Configure a VPN instance and set the VPN target to 1:1 on PE1 and PE2 so
that users in the VPN can communicate with each other. Bind the VPN
instance to the PE interfaces connected to CEs to provide access for VPN
users.
5. Set up EBGP peer relationships between the PEs and CEs and import routes of
the CEs into routing tables of the PEs.
6. Configure BGP AS number substitution on the PEs to enable them to accept
routes with the local AS number.

Procedure
Step 1 Configure basic BGP/MPLS IP VPN functions.

The configurations include the following:

● Configure OSPF on the MPLS backbone network so that the PEs and P can
learn the routes to the loopback interface of each other.
● Configure basic MPLS capabilities and MPLS LDP on the backbone network to
set up MPLS LSPs.
● Set up an MP-IBGP peer relationship between PEs to exchange VPNv4 routes.
● Configure the VPN instance of VPN1 on PE2 and bind the VPN instance to the
interface connected to CE2.
● Configure the VPN instance of VPN1 on PE1 and bind the VPN instance to the
interface connected to CE1.
● Set up BGP peer relationships between PE1 and CE1 and between PE2 and
CE2 to import routes of CEs to PEs.

For detailed configuration, refer to 7.9.1 Example for Configuring BGP/MPLS IP
VPN.

After the configuration is complete, run the display ip routing-table command
on CE2 to check the routing table. The routing table on CE2 contains the route to
the network segment (10.1.1.0/24) of the interface that connects CE1 to PE1 but
contains no route to the VPN (10.3.1.0/24) of CE1. The same applies to CE1.
[CE2] display ip routing-table
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 11 Routes : 11
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 EBGP 255 0 D 10.2.1.2 GigabitEthernet1/0/0
10.2.1.0/24 Direct 0 0 D 10.2.1.1 GigabitEthernet1/0/0
10.2.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.2.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.4.1.0/24 Direct 0 0 D 10.4.1.1 GigabitEthernet2/0/0
10.4.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
10.4.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Run the display ip routing-table vpn-instance command on the PEs to check the
routing table of the VPN instance. The VPN routing table has routes to the VPN of
the CEs.

The information displayed on PE2 is used as an example.

[PE2] display ip routing-table vpn-instance vpn1
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpn1
Destinations : 7 Routes : 7
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 IBGP 255 0 RD 1.1.1.9 GigabitEthernet2/0/0
10.2.1.0/24 Direct 0 0 D 10.2.1.2 GigabitEthernet1/0/0
10.2.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.2.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.3.1.0/24 IBGP 255 0 RD 1.1.1.9 GigabitEthernet2/0/0
10.4.1.0/24 EBGP 255 0 D 10.2.1.1 GigabitEthernet1/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Run the display bgp routing-table peer received-routes command on CE2. The
command output shows that CE2 did not accept the route to 10.3.1.0/24.
[CE2] display bgp routing-table peer 10.2.1.2 received-routes

BGP Local router ID is 10.2.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 2
Network NextHop MED LocPrf PrefVal Path/Ogn

*> 10.1.1.0/24 10.2.1.2 0 100?
10.2.1.0/24 10.2.1.2 0 0 100?

Step 2 Configure BGP AS number substitution.

Configure BGP AS number substitution on the PEs.

# Configure PE2. PE2 is used as an example.


[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpn1
[PE2-bgp-vpn1] peer 10.2.1.1 substitute-as
[PE2-bgp-vpn1] quit
[PE2-bgp] quit

Check the routing information accepted by CE2 and the routing table on CE2.
[CE2] display bgp routing-table peer 10.2.1.2 received-routes

BGP Local router ID is 10.2.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 3
Network NextHop MED LocPrf PrefVal Path/Ogn

*> 10.1.1.0/24 10.2.1.2 0 100?
10.2.1.0/24 10.2.1.2 0 0 100?
*> 10.3.1.0/24 10.2.1.2 0 100 100?

[CE2] display ip routing-table
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 12 Routes : 12
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 EBGP 255 0 D 10.2.1.2 GigabitEthernet1/0/0
10.2.1.0/24 Direct 0 0 D 10.2.1.1 GigabitEthernet1/0/0
10.2.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.2.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.3.1.0/24 EBGP 255 0 D 10.2.1.2 GigabitEthernet1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.4.1.0/24 Direct 0 0 D 10.4.1.1 GigabitEthernet2/0/0
10.4.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
10.4.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

After you configure BGP AS number substitution on PE1, CE1 and CE2 can
successfully ping each other.
[CE1] ping -a 10.3.1.1 10.4.1.1
PING 10.4.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.4.1.1: bytes=56 Sequence=1 ttl=252 time=2 ms
Reply from 10.4.1.1: bytes=56 Sequence=2 ttl=252 time=1 ms
Reply from 10.4.1.1: bytes=56 Sequence=3 ttl=252 time=2 ms
Reply from 10.4.1.1: bytes=56 Sequence=4 ttl=252 time=2 ms
Reply from 10.4.1.1: bytes=56 Sequence=5 ttl=252 time=2 ms

--- 10.4.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/2 ms

----End

Configuration Files
● CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.3.1.1 255.255.255.0
#
bgp 600
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return

● PE1 configuration file


#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#

interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 20.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 600
peer 10.1.1.1 substitute-as
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 20.1.1.0 0.0.0.255
#
return
● P configuration file
#
sysname P
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 20.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 30.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
● PE2 configuration file
#
sysname PE2
#

ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 30.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 600
peer 10.2.1.1 substitute-as
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 30.1.1.0 0.0.0.255
#
return

● CE2 configuration file


#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.4.1.1 255.255.255.0
#
bgp 600
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return

7.9.14 Example for Configuring the BGP SoO Attribute

Networking Requirements
When multiple CEs in a VPN site connect to different PEs, VPN routes advertised
from the CEs to the PEs may be sent back to the VPN site after the routes traverse
the backbone network. This may cause routing loops in the VPN site.
As shown in Figure 7-55, CE1 and CE2 belong to site 1; CE2 and CE3 connect to
PE2. Site 1 and site 2 have the same AS number. The PEs and CEs run EBGP. PE1
uses MP-IBGP to advertise the routes learned from CE1 to PE2. Then PE2
advertises these routes to CE2 and CE3. However, CE2 has learned the routes
through IGP in site 1. As a result, a routing loop may occur in site 1.
To prevent routing loops in site 1, configure the BGP Site of Origin (SoO) attribute
on the PEs. When PE2 advertises routes to CE2, PE2 checks whether the SoO
attribute of the routes is the same as the locally configured SoO attribute. If so,
PE2 does not advertise these routes to CE2. PE2 can advertise the routes to CE3.

Figure 7-55 Networking diagram for configuring the BGP SoO attribute
[Figure: PE1 (Loopback 1 1.1.1.1/32) and PE2 (Loopback 1 2.2.2.2/32) are in the
backbone, AS 100. CE1 (Loopback 1 11.11.11.11/32) and CE2 (Loopback 1
22.22.22.22/32) are in site1; CE3 (Loopback 1 33.33.33.33/32) is in site2. Both
sites use AS 65410. CE1 connects to PE1; CE2 and CE3 connect to PE2. Interface
addresses are given in the configuration files of this example.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address for each interface and an IGP on the backbone
network so that PEs can communicate.
2. Enable MPLS and MPLS LDP on the backbone network so that LDP LSPs can
be established between the PEs.
3. Set up an MP-IBGP peer relationship between the PEs.
4. Configure VPN instances on PEs and bind the instances to the interfaces
connected to CEs.

5. Set up EBGP peer relationships between the PEs and CEs and enable AS
number substitution on the PEs.
6. Configure the BGP SoO attribute for the connected CEs on the PEs.

Procedure
Step 1 Configure an IP address for each interface and an IGP on the backbone network
so that PEs can learn routes to loopback interfaces of each other.
In this example, OSPF is configured.
# Configure PE1.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip address 10.1.1.1 30
[PE1-GigabitEthernet2/0/0] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.3
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

The configuration on PE2 and CEs is similar to the configuration on PE1 and is not
mentioned here.
After the configuration is complete, run the display ip routing-table command
on the PEs. The command output shows that the PEs have learned the route to
loopback interfaces of each other.
The information displayed on PE1 is used as an example.
[PE1] display ip routing-table
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 9 Routes : 9

Destination/Mask Proto Pre Cost Flags NextHop Interface

1.1.1.1/32 Direct 0 0 D 127.0.0.1 LoopBack1
2.2.2.2/32 OSPF 10 1 D 10.1.1.2 GigabitEthernet2/0/0
10.1.1.0/30 Direct 0 0 D 10.1.1.1 GigabitEthernet2/0/0
10.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
10.1.1.3/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Step 2 Enable MPLS and MPLS LDP on the backbone network to set up LDP LSPs.
Enable MPLS and MPLS LDP globally and on interfaces of the PE.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] mpls
[PE1-GigabitEthernet2/0/0] mpls ldp
[PE1-GigabitEthernet2/0/0] quit

The configuration on PE2 is the same as the configuration on PE1.

After the configuration is complete, run the display mpls ldp lsp command on
the PEs. The command output shows the labels assigned to the routes to loopback
interfaces on the peer PEs. The information displayed on PE1 is used as an
example.
[PE1] display mpls ldp lsp

LDP LSP Information
-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
1.1.1.1/32 3/NULL 2.2.2.2 127.0.0.1 InLoop0
*1.1.1.1/32 Liberal/1024 DS/2.2.2.2
2.2.2.2/32 NULL/3 - 10.1.1.2 GE2/0/0
2.2.2.2/32 1024/3 2.2.2.2 10.1.1.2 GE2/0/0
-------------------------------------------------------------------------------
TOTAL: 3 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is stale
A '*' before a DS means the session is stale
A '*' before a NextHop means the LSP is FRR LSP

Step 3 Set up an MP-IBGP peer relationship between the PEs.

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.2 as-number 100
[PE1-bgp] peer 2.2.2.2 connect-interface loopback1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.2 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

The configuration on PE2 is similar to the configuration on PE1 and is not
mentioned here. For configuration details, refer to "Configuration Files".

After the configuration is complete, run the display bgp peer or display bgp
vpnv4 all peer command on the PEs. The command output shows that BGP peer
relationships have been established between the PEs. The information displayed
on PE1 is used as an example.
[PE1] display bgp peer

BGP local router ID : 10.1.1.1
Local AS number : 100
Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

2.2.2.2 4 100 187 186 0 02:44:06 Established 1

Step 4 On each PE, configure a VPN instance, enable the IPv4 address family in the
instance, and bind the instance to the interfaces connected to the CEs.

# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 100:100
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[PE1-GigabitEthernet1/0/0] ip address 192.168.1.1 30
[PE1-GigabitEthernet1/0/0] quit

# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] ipv4-family
[PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 100:2
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 100:100
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[PE2-GigabitEthernet1/0/0] ip address 192.168.2.1 30
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[PE2-GigabitEthernet2/0/0] ip address 192.168.3.1 30
[PE2-GigabitEthernet2/0/0] quit

After the configuration is complete, run the display ip vpn-instance verbose
command on the PEs to check the configuration of VPN instances.

Step 5 Set up EBGP peer relationships between PEs and CEs, enable AS number
substitution on the PEs, and configure PEs to import routes from CEs.

In this configuration example, the two VPN sites have the same AS number.
Therefore, AS number substitution needs to be enabled on PE1 and PE2.

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 192.168.1.2 as-number 65410
[PE1-bgp-vpna] peer 192.168.1.2 substitute-as
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] quit

# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 192.168.1.1 as-number 100
[CE1-bgp] network 11.11.11.11 32
[CE1-bgp] network 192.168.4.0 30
[CE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpna
[PE2-bgp-vpna] peer 192.168.2.2 as-number 65410
[PE2-bgp-vpna] peer 192.168.3.2 as-number 65410
[PE2-bgp-vpna] peer 192.168.2.2 substitute-as
[PE2-bgp-vpna] peer 192.168.3.2 substitute-as
[PE2-bgp-vpna] import-route direct
[PE2-bgp-vpna] quit
[PE2-bgp] quit

# Configure CE2.
[CE2] bgp 65410
[CE2-bgp] peer 192.168.2.1 as-number 100
[CE2-bgp] network 22.22.22.22 32
[CE2-bgp] network 192.168.4.0 30
[CE2-bgp] quit

# Configure CE3.
[CE3] bgp 65410
[CE3-bgp] peer 192.168.3.1 as-number 100
[CE3-bgp] network 33.33.33.33 32
[CE3-bgp] quit

After the configuration is complete, run the display bgp vpnv4 vpn-instance peer
command on the PEs. The command output shows that the status of EBGP peer
relationships between PEs and CEs is Established. This indicates that EBGP peer
relationships have been established between PEs and CEs. The information
displayed on PE1 is used as an example.
[PE1] display bgp vpnv4 vpn-instance vpna peer

BGP local router ID : 10.1.1.1
Local AS number : 100

VPN-Instance vpna, router ID 10.1.1.1:
Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

192.168.1.2 4 65410 224 231 0 03:02:12 Established 1

Run the display bgp vpnv4 routing-table command on the PEs. The command
output shows the routes sent from the PEs to the CEs. The following shows the
routes sent from PE2 to CE2.
[PE2] display bgp vpnv4 vpn-instance vpna routing-table peer 192.168.2.2 advertised-routes

BGP Local router ID is 2.2.2.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

VPN-Instance vpna, Router ID 2.2.2.2:

Total Number of Routes: 6
Network NextHop MED LocPrf PrefVal Path/Ogn

*>i 11.11.11.11/32 192.168.2.1 0 100 100i
*> 22.22.22.22/32 192.168.2.1 0 100 100i
*> 33.33.33.33/32 192.168.2.1 0 100 100i
*>i 192.168.1.0/30 192.168.2.1 0 100?
*> 192.168.2.0/30 192.168.2.1 0 0 100?
*> 192.168.3.0/30 192.168.2.1 0 0 100?

Step 6 Configure the BGP SoO attribute on the PEs.


CE1 and CE2 belong to the same site, so you need to set the same BGP SoO
attribute value for the two CEs on PE1 and PE2. PE2 connects to two VPN sites, so
you need to set different SoO attribute values for the CEs.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 192.168.1.2 soo 100:101
[PE1-bgp-vpna] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpna
[PE2-bgp-vpna] peer 192.168.2.2 soo 100:101
[PE2-bgp-vpna] peer 192.168.3.2 soo 100:102
[PE2-bgp-vpna] quit
[PE2-bgp] quit

Step 7 Verify the configuration.


# After the configuration is complete, run the display bgp vpnv4 routing-table
command on PE2 again. The command output shows that the routes sent from
PE2 to CE2 have changed and the routes sent from PE2 to CE3 remain unchanged.
[PE2] display bgp vpnv4 vpn-instance vpna routing-table peer 192.168.2.2 advertised-routes

BGP Local router ID is 2.2.2.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

VPN-Instance vpna, Router ID 2.2.2.2:

Total Number of Routes: 4
Network NextHop MED LocPrf PrefVal Path/Ogn

*> 33.33.33.33/32 192.168.2.1 0 100 100i
*>i 192.168.1.0/30 192.168.2.1 0 100?
*> 192.168.2.0/30 192.168.2.1 0 0 100?
*> 192.168.3.0/30 192.168.2.1 0 0 100?
[PE2] display bgp vpnv4 vpn-instance vpna routing-table peer 192.168.3.2 advertised-routes

BGP Local router ID is 2.2.2.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

VPN-Instance vpna, Router ID 2.2.2.2:

Total Number of Routes: 6
Network NextHop MED LocPrf PrefVal Path/Ogn

*>i 11.11.11.11/32 192.168.3.1 0 100 100i
*> 22.22.22.22/32 192.168.3.1 0 100 100i
*>i 192.168.1.0/30 192.168.3.1 0 100?
*> 192.168.2.0/30 192.168.3.1 0 0 100?
*> 192.168.3.0/30 192.168.3.1 0 0 100?
*> 192.168.4.0/30 192.168.3.1 0 100 100i

# Run the display bgp vpnv4 routing-table command on PE2. The command
output shows the SoO attribute carried in the routes sent from PE2 to CE3.
[PE2] display bgp vpnv4 vpn-instance vpna routing-table 11.11.11.11 32

BGP local router ID : 2.2.2.2
Local AS number : 100

VPN-Instance vpna, Router ID 2.2.2.2:
Paths: 1 available, 1 best, 1 select
BGP routing table entry information of 11.11.11.11/32:
Label information (Received/Applied): 1029/NULL
From: 1.1.1.1 (1.1.1.1)
Route Duration: 00h11m51s
Relay Tunnel Out-Interface: GigabitEthernet3/0/0
Relay token: 0x3d
Original nexthop: 1.1.1.1
Qos information : 0x0
Ext-Community:RT <100 : 100>, SoO <100 : 101>
AS-path 65410, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, b
est, select, active, pre 255, IGP cost 1
Advertised to such 1 peers:
192.168.3.2

# The preceding command output shows that after the BGP SoO attribute is
configured, the VPN routes received from CEs carry the SoO attribute, and PE2
does not send any route to CE2. This indicates that the configuration of the BGP
SoO attribute has taken effect.
----End
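
The AS-path loop check, AS number substitution (7.9.13) and SoO filtering (7.9.14) can be followed step by step in a small Python model. This is an added example, not Huawei code: the class and function names are assumptions, and the model keeps one path per prefix instead of running BGP best-path selection.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...] = ()   # leftmost AS = most recently prepended
    soo: Optional[str] = None       # Site-of-Origin extended community


@dataclass(frozen=True)
class CePeer:
    """PE-side settings of one EBGP session to a CE in a VPN instance."""
    address: str
    remote_as: int
    substitute_as: bool = False
    soo: Optional[str] = None


def pe_receive(peer: CePeer, route: Route) -> Route:
    """Inbound: tag a route learned from the CE with the peer's SoO, if set."""
    if peer.soo is not None and route.soo is None:
        return replace(route, soo=peer.soo)
    return route


def pe_advertise(local_as: int, peer: CePeer, table: List[Route]) -> List[Route]:
    """Outbound: SoO filter, then AS substitution, then prepend the local AS."""
    sent = []
    for route in table:
        if peer.soo is not None and route.soo == peer.soo:
            continue                 # route originated in this peer's own site
        path = route.as_path
        if peer.substitute_as:       # replace the CE's AS with the PE's AS
            path = tuple(local_as if asn == peer.remote_as else asn for asn in path)
        sent.append(replace(route, as_path=(local_as,) + path))
    return sent


def ce_accepts(ce_as: int, route: Route) -> bool:
    """EBGP loop check on the CE: reject routes whose AS_PATH holds its own AS."""
    return ce_as not in route.as_path


def as_substitution_case(substitute: bool):
    """7.9.13: CE1 and CE2 both use AS 600, the backbone is AS 100."""
    ce1 = CePeer("10.1.1.1", 600, substitute_as=substitute)   # configured on PE1
    ce2 = CePeer("10.2.1.1", 600, substitute_as=substitute)   # configured on PE2
    # CE1's VPN route reaches PE2 over MP-IBGP with its AS_PATH unchanged.
    vpn_table = [pe_receive(ce1, Route("10.3.1.0/24", (600,)))]
    return [(r.prefix, r.as_path, ce_accepts(600, r))
            for r in pe_advertise(100, ce2, vpn_table)]


def soo_case(with_soo: bool):
    """7.9.14: what PE2 advertises to CE2 (site 1) and CE3 (site 2)."""
    soo1, soo2 = ("100:101", "100:102") if with_soo else (None, None)
    ce1 = CePeer("192.168.1.2", 65410, True, soo1)   # on PE1, site 1
    ce2 = CePeer("192.168.2.2", 65410, True, soo1)   # on PE2, site 1
    ce3 = CePeer("192.168.3.2", 65410, True, soo2)   # on PE2, site 2
    table = [
        pe_receive(ce1, Route("11.11.11.11/32", (65410,))),
        pe_receive(ce2, Route("22.22.22.22/32", (65410,))),
        pe_receive(ce3, Route("33.33.33.33/32", (65410,))),
        pe_receive(ce1, Route("192.168.4.0/30", (65410,))),  # site 1 internal link
        Route("192.168.1.0/30"),     # direct routes imported on the PEs, no SoO
        Route("192.168.2.0/30"),
        Route("192.168.3.0/30"),
    ]
    return {peer.address: {r.prefix for r in pe_advertise(100, peer, table)}
            for peer in (ce2, ce3)}


if __name__ == "__main__":
    print("without substitute-as:", as_substitution_case(False))
    print("with substitute-as:   ", as_substitution_case(True))
    for address, prefixes in soo_case(True).items():
        print("PE2 ->", address, sorted(prefixes))
```

With SoO enabled, the model produces the same advertised prefix sets as the two advertised-routes outputs in Step 7.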

Configuration Files
● CE1 configuration file
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 192.168.1.2 255.255.255.252
#
interface GigabitEthernet2/0/0
ip address 192.168.4.1 255.255.255.252
#
interface LoopBack1
ip address 11.11.11.11 255.255.255.255
#
bgp 65410
peer 192.168.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
network 11.11.11.11 255.255.255.255
network 192.168.4.0 255.255.255.252
peer 192.168.1.1 enable
#
return
● CE2 configuration file

#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 192.168.2.2 255.255.255.252
#
interface GigabitEthernet2/0/0
ip address 192.168.4.2 255.255.255.252
#
interface LoopBack1
ip address 22.22.22.22 255.255.255.255
#
bgp 65410
peer 192.168.2.1 as-number 100
#
ipv4-family unicast
undo synchronization
network 22.22.22.22 255.255.255.255
network 192.168.4.0 255.255.255.252
peer 192.168.2.1 enable
#
return

● PE1 configuration file

#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 100:100 export-extcommunity
vpn-target 100:100 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpna
ip address 192.168.1.1 255.255.255.252
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 192.168.1.2 as-number 65410
peer 192.168.1.2 substitute-as
peer 192.168.1.2 soo 100:101
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.3
#
return

● PE2 configuration file

#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:2
vpn-target 100:100 export-extcommunity
vpn-target 100:100 import-extcommunity
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#

interface GigabitEthernet1/0/0
ip binding vpn-instance vpna
ip address 192.168.2.1 255.255.255.252
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpna
ip address 192.168.3.1 255.255.255.252
#
interface GigabitEthernet3/0/0
ip address 10.1.1.2 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 192.168.2.2 as-number 65410
peer 192.168.2.2 substitute-as
peer 192.168.2.2 soo 100:101
peer 192.168.3.2 as-number 65410
peer 192.168.3.2 substitute-as
peer 192.168.3.2 soo 100:102
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.3
#
return

● CE3 configuration file

#
sysname CE3
#
interface GigabitEthernet1/0/0
ip address 192.168.3.2 255.255.255.252
#
interface LoopBack1
ip address 33.33.33.33 255.255.255.255
#
bgp 65410
peer 192.168.3.1 as-number 100
#
ipv4-family unicast
undo synchronization
network 33.33.33.33 255.255.255.255
peer 192.168.3.1 enable
#
return
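
Because substitute-as removes the AS-path loop check a CE would otherwise apply, a peer that has substitute-as but no soo value is worth reviewing whenever its site is multi-homed. The following added example (not Huawei tooling; the function names are assumptions) parses the BGP part of a PE configuration file and lists such peers, using the PE2 BGP stanzas from 7.9.13 and 7.9.14 as input.

```python
import re
from collections import defaultdict

INSTANCE_RE = re.compile(r"^ipv4-family vpn-instance (\S+)$")
PEER_RE = re.compile(r"^peer (\S+) (?:as-number (\d+)|(substitute-as)|soo (\S+))$")

# BGP stanzas copied from the PE2 configuration files of 7.9.13 and 7.9.14.
PE2_AS_SUBSTITUTION = """\
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 600
peer 10.2.1.1 substitute-as
import-route direct
#
"""

PE2_SOO = """\
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family vpn-instance vpna
import-route direct
peer 192.168.2.2 as-number 65410
peer 192.168.2.2 substitute-as
peer 192.168.2.2 soo 100:101
peer 192.168.3.2 as-number 65410
peer 192.168.3.2 substitute-as
peer 192.168.3.2 soo 100:102
#
"""


def parse_vpn_peers(config: str) -> dict:
    """Map VPN instance name -> {peer address -> settings} for BGP CE peers."""
    peers = defaultdict(dict)
    instance = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":                      # '#' ends the current view
            instance = None
            continue
        match = INSTANCE_RE.match(line)
        if match:
            instance = match.group(1)
            continue
        match = PEER_RE.match(line)
        if instance is None or match is None:
            continue                         # public-network peers are ignored
        address, remote_as, substitute, soo = match.groups()
        entry = peers[instance].setdefault(
            address, {"as": None, "substitute_as": False, "soo": None})
        if remote_as:
            entry["as"] = int(remote_as)
        if substitute:
            entry["substitute_as"] = True
        if soo:
            entry["soo"] = soo
    return dict(peers)


def peers_missing_soo(config: str) -> list:
    """Return sorted (instance, peer) pairs with substitute-as but no soo."""
    return sorted(
        (instance, address)
        for instance, table in parse_vpn_peers(config).items()
        for address, settings in table.items()
        if settings["substitute_as"] and settings["soo"] is None)


if __name__ == "__main__":
    print("7.9.13 PE2:", peers_missing_soo(PE2_AS_SUBSTITUTION))
    print("7.9.14 PE2:", peers_missing_soo(PE2_SOO))
```

The 7.9.13 peer is reported because its CE has substitute-as without an SoO value; in that example each site is single-homed, so the finding is a prompt to confirm the topology rather than a defect.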

7.9.15 Example for Configuring CE Dual-homing


Networking Requirements
It is a trend to transmit all telecommunication services on an IP network. Key
services such as 3G/NGN, IPTV streaming media, and VPN services require high
reliability on networks. In addition to improving the reliability of the network
devices, you can improve the link reliability by configuring fast route convergence,
fault detection, fast reroute, and route backup.
On the access layer, the CE dual-homing networking is a common method to
improve the network reliability. A dual-homed CE connects to two PEs that belong
to the same VPN as the CE. In this networking, the CE connects to the backbone
network through two links. The two links work in load balancing mode or active/
standby mode.
As shown in Figure 7-56, CE1 is located in site1 of vpn1, and CE2 is located in
site2 of vpn1. CE1 connects to PE1 and PE2, and CE2 connects to PE3 and PE4.
If the data traffic volume from CE1 to CE2 is large but traffic volume from CE2 to
CE1 is small, the data traffic from CE1 to CE2 can be transmitted in load balancing
mode. The data traffic from CE2 to CE1 is transmitted through PE4, and PE3 only
works as a backup.

Figure 7-56 Networking diagram for configuring CE dual-homing

[Figure 7-56 shows the VPN backbone in AS 100 with the devices PE1, P1, PE3,
PE2, P2, and PE4. CE1 (vpn1 site1, AS 65410) connects to PE1 and PE2, and CE2
(vpn1 site2, AS 65420) connects to PE3 and PE4.]

Device  Interface   IP Address
PE1     Loopback1   1.1.1.1/32
        GE1/0/0     10.1.1.2/30
        GE2/0/0     100.1.1.1/30
PE2     Loopback1   2.2.2.2/32
        GE1/0/0     10.2.1.2/30
        GE2/0/0     100.2.1.1/30
P1      Loopback1   5.5.5.5/32
        GE1/0/0     100.1.1.2/30
        GE2/0/0     100.3.1.1/30
P2      Loopback1   6.6.6.6/32
        GE1/0/0     100.2.1.2/30
        GE2/0/0     100.4.1.1/30
PE3     Loopback1   3.3.3.3/32
        GE1/0/0     100.3.1.2/30
        GE2/0/0     10.3.1.1/30
PE4     Loopback1   4.4.4.4/32
        GE1/0/0     100.4.1.2/30
        GE2/0/0     10.4.1.1/30
CE1     GE1/0/0     10.1.1.1/30
        GE2/0/0     10.2.1.1/30
        GE3/0/0     10.5.1.1/24
CE2     GE1/0/0     10.3.1.2/30
        GE2/0/0     10.4.1.2/30
        GE3/0/0     10.6.1.1/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic BGP/MPLS IP VPN functions.
2. In the BGP view of CE1, configure load balancing for traffic sent to CE2.
3. Increase the MED value of the BGP-VPN route on PE3 to ensure that the next
hop of the route selected by CE2 to the customer network connected to CE1 is
PE4.

Procedure
Step 1 Configure an IGP on the MPLS backbone network so that PEs and Ps can
communicate with each other.
# Configure PE1.
# Set IP addresses of interfaces. The IP addresses of the loopback interfaces must
use a 32-bit mask.

[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip address 100.1.1.1 255.255.255.252
[PE1-GigabitEthernet2/0/0] quit

# Configure IS-IS to advertise routes of the interfaces.

[PE1] isis 1
[PE1-isis-1] network-entity 10.0000.0000.0001.00
[PE1-isis-1] quit
[PE1] interface loopback 1
[PE1-LoopBack1] isis enable 1
[PE1-LoopBack1] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] isis enable 1
[PE1-GigabitEthernet2/0/0] quit

The configuration on PE2, PE3, PE4, P1, and P2 is similar to the configuration on
PE1 and is not mentioned here.
After the configuration is complete, run the display ip routing-table command.
The command output shows that PE1 and PE3 have learned the route to each
other's Loopback1 interface, and that PE2 and PE4 have learned the route to
each other's Loopback1 interface.
Step 2 Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network
to set up LDP LSPs.
# Configure PE1.
# Enable MPLS and LDP in the system view, set the LSR ID to the IP address of the
loopback interface, and trigger the LSP.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit

# Enable MPLS and LDP on the interface connected to the backbone network.
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] mpls
[PE1-GigabitEthernet2/0/0] mpls ldp
[PE1-GigabitEthernet2/0/0] quit

The configuration on PE2, PE3, PE4, P1, and P2 is similar to the configuration on
PE1 and is not mentioned here.
After the configuration is complete, LDP sessions can be set up between PE1 and
P1, and between PE3 and P1. Run the display mpls ldp session command. The
command output shows that the status of the sessions is Operational. Run the
display mpls ldp lsp command. Information about the established LDP LSPs is
displayed.
The information displayed on PE1 is used as an example.
[PE1] display mpls ldp session

LDP Session(s) in Public Network


Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
5.5.5.5:0 Operational DU Passive 0000:07:02 1688/1688
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.

[PE1] display mpls ldp lsp

LDP LSP Information


-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
1.1.1.1/32 3/NULL 5.5.5.5 127.0.0.1 InLoop0
*1.1.1.1/32 Liberal/1024 DS/5.5.5.5
3.3.3.3/32 NULL/1025 - 100.1.1.2 GE2/0/0
3.3.3.3/32 1025/1025 5.5.5.5 100.1.1.2 GE2/0/0
5.5.5.5/32 NULL/3 - 100.1.1.2 GE2/0/0
5.5.5.5/32 1024/3 5.5.5.5 100.1.1.2 GE2/0/0
-----------------------------------------------------------------------------
TOTAL: 5 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is stale
A '*' before a DS means the session is stale
A '*' before a NextHop means the LSP is FRR LSP

Step 3 Configure VPN instances on PEs and bind the instances to the interfaces
connected to CEs.
# Configure PE1.
# Create a VPN instance and set the RD and VPN target of the VPN instance. The
VPN target set on the local PE must match the VPN target of the MP-BGP peer PE
so that the sites of the same VPN can communicate with each other.

[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] ipv4-family
[PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 both
[PE1-vpn-instance-vpn1-af-ipv4] quit
[PE1-vpn-instance-vpn1] quit

# Bind the VPN instance to the interface connected to the CE and set the IP
address of the interface.
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpn1
[PE1-GigabitEthernet1/0/0] ip address 10.1.1.2 255.255.255.252
[PE1-GigabitEthernet1/0/0] quit

# Configure PE2.
# Create a VPN instance and set the RD and VPN target of the VPN instance. The
VPN target set on the local PE must match the VPN target of the MP-BGP peer PE
so that the sites of the same VPN can communicate with each other.
[PE2] ip vpn-instance vpn1
[PE2-vpn-instance-vpn1] ipv4-family
[PE2-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:2
[PE2-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 both
[PE2-vpn-instance-vpn1-af-ipv4] quit
[PE2-vpn-instance-vpn1] quit

# Bind the VPN instance to the interface connected to the CE and set the IP
address of the interface.

[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpn1
[PE2-GigabitEthernet1/0/0] ip address 10.2.1.2 255.255.255.252
[PE2-GigabitEthernet1/0/0] quit

# Configure PE3.
# Create a VPN instance and set the RD and VPN target of the VPN instance. The
VPN target set on the local PE must match the VPN target of the MP-BGP peer PE
so that the sites of the same VPN can communicate with each other.
[PE3] ip vpn-instance vpn1
[PE3-vpn-instance-vpn1] ipv4-family
[PE3-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:3
[PE3-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 both
[PE3-vpn-instance-vpn1-af-ipv4] quit
[PE3-vpn-instance-vpn1] quit

# Bind the VPN instance to the interface connected to the CE and set the IP
address of the interface.
[PE3] interface gigabitethernet 2/0/0
[PE3-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[PE3-GigabitEthernet2/0/0] ip address 10.3.1.1 255.255.255.252
[PE3-GigabitEthernet2/0/0] quit

# Configure PE4.
# Create a VPN instance and set the RD and VPN target of the VPN instance. The
VPN target set on the local PE must match the VPN target of the MP-BGP peer PE
so that the sites of the same VPN can communicate with each other.
[PE4] ip vpn-instance vpn1
[PE4-vpn-instance-vpn1] ipv4-family
[PE4-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:4
[PE4-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 both
[PE4-vpn-instance-vpn1-af-ipv4] quit
[PE4-vpn-instance-vpn1] quit

# Bind the VPN instance to the interface connected to the CE and set the IP
address of the interface.
[PE4] interface gigabitethernet 2/0/0
[PE4-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[PE4-GigabitEthernet2/0/0] ip address 10.4.1.1 255.255.255.252
[PE4-GigabitEthernet2/0/0] quit

# Assign IP addresses to interfaces on CEs according to Figure 7-56.


# Configure CE1.
<Huawei> system-view
[Huawei] sysname CE1
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] ip address 10.1.1.1 30
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface gigabitethernet 2/0/0
[CE1-GigabitEthernet2/0/0] ip address 10.2.1.1 30
[CE1-GigabitEthernet2/0/0] quit
[CE1] interface gigabitethernet 3/0/0
[CE1-GigabitEthernet3/0/0] ip address 10.5.1.1 24
[CE1-GigabitEthernet3/0/0] quit

The configuration on other CEs is similar to the configuration on CE1 and is
not mentioned here.
After the configuration is complete, run the display ip vpn-instance verbose
command on the PEs to check the configuration of VPN instances.
The information displayed on PE1 is used as an example.
[PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 1
Total IPv4 VPN-Instances configured : 1
Total IPv6 VPN-Instances configured : 0

VPN-Instance Name and ID : vpn1, 1


Interfaces : GigabitEthernet1/0/0
Address family ipv4
Create date : 2012/07/25 00:58:17
Up time : 0 days, 17 hours, 38 minutes and 53 seconds
Route Distinguisher : 100:1
Export VPN Targets : 1:1
Import VPN Targets : 1:1
Label Policy : label per route
Log Interval : 5

Step 4 Set up MP-IBGP peer relationships between the PEs.


# Configure PE1.
# Specify PE3 as the IBGP peer and use the IP address of the loopback interface to
set up an IBGP connection with the peer.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.3 as-number 100
[PE1-bgp] peer 3.3.3.3 connect-interface loopback 1

# Enter the VPNv4 address family view and enable the local PE to exchange VPN
routing information with the IBGP peer.
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.3 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE3.
# Specify PE1 as the IBGP peer and use the IP address of the loopback interface to
set up an IBGP connection with the peer.
[PE3] bgp 100
[PE3-bgp] peer 1.1.1.1 as-number 100
[PE3-bgp] peer 1.1.1.1 connect-interface loopback 1

# Enter the VPNv4 address family view and enable the local PE to exchange VPN
routing information with the IBGP peer.
[PE3-bgp] ipv4-family vpnv4
[PE3-bgp-af-vpnv4] peer 1.1.1.1 enable
[PE3-bgp-af-vpnv4] quit
[PE3-bgp] quit

# Configure PE2.
# Specify PE4 as the IBGP peer and use the IP address of the loopback interface to
set up an IBGP connection with the peer.
[PE2] bgp 100
[PE2-bgp] peer 4.4.4.4 as-number 100
[PE2-bgp] peer 4.4.4.4 connect-interface loopback 1

# Enter the VPNv4 address family view and enable the local PE to exchange VPN
routing information with the IBGP peer.
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 4.4.4.4 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit

# Configure PE4.
# Specify PE2 as the IBGP peer and use the IP address of the loopback interface to
set up an IBGP connection with the peer.
[PE4] bgp 100
[PE4-bgp] peer 2.2.2.2 as-number 100
[PE4-bgp] peer 2.2.2.2 connect-interface loopback 1

# Enter the VPNv4 address family view and enable the local PE to exchange VPN
routing information with the IBGP peer.
[PE4-bgp] ipv4-family vpnv4
[PE4-bgp-af-vpnv4] peer 2.2.2.2 enable
[PE4-bgp-af-vpnv4] quit
[PE4-bgp] quit

After the configuration is complete, run the display bgp vpnv4 all peer command
on the PEs. The command output shows that the BGP peer relationships have
been set up between the PEs and are in Established state.
The information displayed on PE1 is used as an example.
[PE1] display bgp vpnv4 all peer
BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

3.3.3.3 4 100 70 81 0 01:00:23 Established 3

Step 5 Configure EBGP between the PEs and the CEs to import the VPN routes.
# Configure CE1.
# Enable BGP, specify PE1 and PE2 as EBGP peers, and import direct routes.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] peer 10.2.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

# Configure PE1.
# Enable BGP, specify CE1 as the EBGP peer, and import direct routes.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] quit
[PE1-bgp] quit

# Configure PE2.
# Enable BGP, specify CE1 as the EBGP peer, and import direct routes.
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpn1
[PE2-bgp-vpn1] peer 10.2.1.1 as-number 65410
[PE2-bgp-vpn1] import-route direct
[PE2-bgp-vpn1] quit
[PE2-bgp] quit

# Configure CE2.
# Enable BGP, specify PE3 and PE4 as EBGP peers, and import direct routes.
[CE2] bgp 65420
[CE2-bgp] peer 10.3.1.1 as-number 100
[CE2-bgp] peer 10.4.1.1 as-number 100
[CE2-bgp] import-route direct
[CE2-bgp] quit

# Configure PE3.
# Enable BGP, specify CE2 as the EBGP peer, and import direct routes.
[PE3] bgp 100
[PE3-bgp] ipv4-family vpn-instance vpn1
[PE3-bgp-vpn1] peer 10.3.1.2 as-number 65420
[PE3-bgp-vpn1] import-route direct
[PE3-bgp-vpn1] quit
[PE3-bgp] quit

# Configure PE4.
# Enable BGP, specify CE2 as the EBGP peer, and import direct routes.
[PE4] bgp 100
[PE4-bgp] ipv4-family vpn-instance vpn1
[PE4-bgp-vpn1] peer 10.4.1.2 as-number 65420
[PE4-bgp-vpn1] import-route direct
[PE4-bgp-vpn1] quit
[PE4-bgp] quit

After the configuration is complete, run the display bgp vpnv4 vpn-instance
vpn-instance-name peer command on the PEs. The command output shows that the
BGP peer relationships have been set up between the PEs and CEs and are in
Established state. Each PE can ping its connected CE.
The information displayed on PE1 is used as an example.
[PE1] display bgp vpnv4 vpn-instance vpn1 peer

BGP local router ID : 1.1.1.1


Local AS number : 100

VPN-Instance vpn1, Router ID 1.1.1.1:


Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

10.1.1.1 4 65410 408 435 0 06:16:09 Established 5

[PE1] ping -vpn-instance vpn1 10.1.1.1


PING 10.1.1.1 : 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=80 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=20 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=30 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=50 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=30 ms

--- 10.1.1.1 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/42/80 ms

Step 6 On CE1, configure load balancing for the traffic sent from CE1 to CE2.
[CE1] bgp 65410
[CE1-bgp] ipv4-family unicast
[CE1-bgp-af-ipv4] maximum load-balancing 2
[CE1-bgp-af-ipv4] quit
[CE1-bgp] quit

Step 7 Configure a routing policy on PE3 to increase the MED value of the BGP routes
advertised to CE2. Then the traffic sent from CE2 to CE1 is forwarded by PE4, and
PE3 is a backup of PE4.
[PE3] route-policy policy1 permit node 10
[PE3-route-policy] apply cost 120
[PE3-route-policy] quit
[PE3] bgp 100
[PE3-bgp] ipv4-family vpn-instance vpn1
[PE3-bgp-vpn1] peer 10.3.1.2 route-policy policy1 export
[PE3-bgp-vpn1] quit
[PE3-bgp] quit

Check the BGP routing table on CE2. In the routing table, the route to 10.5.1.0/24
advertised by PE3 has a MED value of 120, which is larger than the MED value of
the route advertised by PE4 (the default MED value is 0). Therefore, CE2 selects
the route advertised by PE4.
[CE2] display bgp routing-table

Total Number of Routes: 11


BGP Local router ID is 10.2.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.5.1.0/24 10.4.1.1 0 100 65410?
* 10.3.1.1 120 0 100 65410?
*> 10.6.1.0/24 0.0.0.0 0 0 ?
*> 10.1.1.0/30 10.3.1.1 120 0 100?
* 10.4.1.1 0 100 65410?
*> 10.2.1.0/30 10.4.1.1 0 100?
* 10.3.1.1 120 0 100 65410?
*> 10.3.1.0/30 0.0.0.0 0 0 ?
* 10.3.1.1 120 0 100?
*> 10.4.1.0/30 0.0.0.0 0 0 ?
* 10.4.1.1 0 0 100?
*> 127.0.0.0 0.0.0.0 0 0 ?
*> 127.0.0.1/30 0.0.0.0 0 0 ?
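
Why the MED change steers only some prefixes on CE2, as an added example that is not part of the original guide: a simplified best-path comparison (in the spirit of RFC 4271, not the VRP implementation) run over two prefixes taken from the table above. The names `Path`, `compare`, `select`, `SITE_LAN` and `LINK_NET` are hypothetical, and the reduced attribute order and the final lowest-next-hop tie-break are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}  # IGP preferred over EGP over incomplete


@dataclass(frozen=True)
class Path:
    next_hop: str
    med: int
    as_path: tuple          # leftmost AS is the neighbouring AS
    origin: str = "?"
    pref_val: int = 0
    local_pref: int = 100   # assumption: the LocPrf column is blank for these routes


def compare(a, b):
    """Return (preferred path, name of the attribute that decided)."""
    if a.pref_val != b.pref_val:
        return (a if a.pref_val > b.pref_val else b), "PrefVal"
    if a.local_pref != b.local_pref:
        return (a if a.local_pref > b.local_pref else b), "LocPrf"
    if len(a.as_path) != len(b.as_path):
        return (a if len(a.as_path) < len(b.as_path) else b), "AS_PATH length"
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return (a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b), "Origin"
    # MED is only comparable between paths learned from the same neighbouring AS.
    if a.as_path[:1] == b.as_path[:1] and a.med != b.med:
        return (a if a.med < b.med else b), "MED"
    # Assumption: stand-in for the remaining tie-breakers (lowest next hop).
    lower = IPv4Address(a.next_hop) <= IPv4Address(b.next_hop)
    return (a if lower else b), "tie-break"


def select(paths):
    """Return (next hop of the best path, attribute that decided the last comparison)."""
    best, reason = paths[0], "only path"
    for candidate in paths[1:]:
        best, reason = compare(best, candidate)
    return best.next_hop, reason


# Constructed from the CE2 "display bgp routing-table" output above.
# 10.5.1.0/24: both PEs advertise the path "100 65410"; PE3 adds MED 120.
SITE_LAN = (Path("10.4.1.1", 0, (100, 65410)), Path("10.3.1.1", 120, (100, 65410)))
# 10.1.1.0/30: PE3 advertises the shorter path "100", PE4 advertises "100 65410".
LINK_NET = (Path("10.3.1.1", 120, (100,)), Path("10.4.1.1", 0, (100, 65410)))

if __name__ == "__main__":
    print("10.5.1.0/24 ->", select(SITE_LAN))
    print("10.1.1.0/30 ->", select(LINK_NET))
```

The second case matches the table: 10.1.1.0/30 stays on PE3 despite its MED of 120, because the AS_PATH length is compared before the MED.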

Step 8 Verify the configuration.

# If the configuration is successful:

# The display ip routing-table command on CE1 displays the routes to the
customer network connected to CE2. The routes work in load balancing mode.
[CE1] display ip routing-table
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 16 Routes : 17

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.5.1.0/24 Direct 0 0 D 10.5.1.1 GigabitEthernet3/0/0


10.5.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet3/0/0
10.5.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet3/0/0
10.6.1.0/24 EBGP 255 0 D 10.1.1.2 GigabitEthernet1/0/0
EBGP 255 0 D 10.2.1.2 GigabitEthernet2/0/0
10.1.1.0/30 Direct 0 0 D 10.1.1.1 GigabitEthernet1/0/0
10.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.1.1.3/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.2.1.0/30 Direct 0 0 D 10.2.1.1 GigabitEthernet2/0/0
10.2.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
10.2.1.3/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
10.3.1.0/30 EBGP 255 0 D 10.1.1.2 GigabitEthernet1/0/0
10.4.1.0/30 EBGP 255 0 D 10.2.1.2 GigabitEthernet2/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

# The display ip routing-table command on CE2 displays the routes to the
customer network connected to CE1. The next hop of the route is 10.4.1.1, the IP
address of the interface that connects PE4 to CE2.
[CE2] display ip routing-table
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 16 Routes : 16

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.5.1.0/24 EBGP 255 0 D 10.4.1.1 GigabitEthernet2/0/0


10.6.1.0/24 Direct 0 0 D 10.6.1.1 GigabitEthernet3/0/0
10.6.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet3/0/0
10.6.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet3/0/0
10.1.1.0/30 EBGP 255 120 D 10.3.1.1 GigabitEthernet1/0/0
10.2.1.0/30 EBGP 255 0 D 10.4.1.1 GigabitEthernet2/0/0
10.3.1.0/30 Direct 0 0 D 10.3.1.2 GigabitEthernet1/0/0
10.3.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.3.1.3/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.4.1.0/30 Direct 0 0 D 10.4.1.2 GigabitEthernet2/0/0
10.4.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
10.4.1.3/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

----End

Configuration Files
● CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.252
#
interface GigabitEthernet2/0/0
ip address 10.2.1.1 255.255.255.252
#
interface GigabitEthernet3/0/0
ip address 10.5.1.1 255.255.255.0
#
bgp 65410
peer 10.1.1.2 as-number 100
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
maximum load-balancing 2
peer 10.1.1.2 enable
peer 10.2.1.2 enable
#
return
● PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0001.00
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.252
#
interface GigabitEthernet2/0/0
ip address 100.1.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
isis enable 1
#
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 65410
import-route direct
#
return
● PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0002.00
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.252
#
interface GigabitEthernet2/0/0
ip address 100.2.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
isis enable 1
#
bgp 100
peer 4.4.4.4 as-number 100
peer 4.4.4.4 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 4.4.4.4 enable
#
ipv4-family vpnv4
policy vpn-target
peer 4.4.4.4 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 65410
import-route direct
#
return
● P1 configuration file
#
sysname P1
#
mpls lsr-id 5.5.5.5
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0005.00
#
interface GigabitEthernet1/0/0
ip address 100.1.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 100.3.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface LoopBack1
ip address 5.5.5.5 255.255.255.255
isis enable 1
#
return
● P2 configuration file
#
sysname P2
#
mpls lsr-id 6.6.6.6
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0006.00
#
interface GigabitEthernet1/0/0
ip address 100.2.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 100.4.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface LoopBack1
ip address 6.6.6.6 255.255.255.255
isis enable 1
#
return
● PE3 configuration file
#
sysname PE3
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:3
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0003.00
#
interface GigabitEthernet1/0/0
ip address 100.3.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.3.1.1 255.255.255.252
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
isis enable 1
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
peer 10.3.1.2 as-number 65420
peer 10.3.1.2 route-policy policy1 export
import-route direct
#
route-policy policy1 permit node 10
apply cost 120
#
return
● PE4 configuration file
#
sysname PE4
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:4
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 4.4.4.4
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0004.00
#
interface GigabitEthernet1/0/0
ip address 100.4.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.4.1.1 255.255.255.252
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
isis enable 1
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpn1
peer 10.4.1.2 as-number 65420
import-route direct
#
return
● CE2 configuration file
#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.3.1.2 255.255.255.252
#
interface GigabitEthernet2/0/0
ip address 10.4.1.2 255.255.255.252
#
interface GigabitEthernet3/0/0
ip address 10.6.1.1 255.255.255.0
#
bgp 65420
peer 10.3.1.1 as-number 100
peer 10.4.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.3.1.1 enable
peer 10.4.1.1 enable
#
return
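
Step 3 requires the VPN targets of MP-BGP peer PEs to match, and the configuration files above show where that and the binding of the CE-facing interface are expressed. The following audit of those two properties is an added example, not part of the original guide or of any Huawei tool; `TEMPLATE`, `parse`, `audit` and `PE3_BAD` are hypothetical names, and the input is constructed from the PE1 and PE3 configuration files.

```python
import ipaddress
import re

# Constructed input: the PE1 and PE3 configuration files above, trimmed to the
# sections this audit reads.
TEMPLATE = """#
sysname {name}
#
ip vpn-instance vpn1
 ipv4-family
  vpn-target 1:1 export-extcommunity
  vpn-target 1:1 import-extcommunity
#
interface {ce_if}
 ip binding vpn-instance vpn1
 ip address {ce_ip} 255.255.255.252
#
interface LoopBack1
 ip address {loop} 255.255.255.255
#
bgp 100
 peer {peer} as-number 100
 #
 ipv4-family vpnv4
  peer {peer} enable
 #
 ipv4-family vpn-instance vpn1
  peer {ce_peer} as-number {ce_as}
#
"""
PE1 = TEMPLATE.format(name="PE1", ce_if="GigabitEthernet1/0/0", ce_ip="10.1.1.2",
                      loop="1.1.1.1", peer="3.3.3.3", ce_peer="10.1.1.1", ce_as=65410)
PE3 = TEMPLATE.format(name="PE3", ce_if="GigabitEthernet2/0/0", ce_ip="10.3.1.1",
                      loop="3.3.3.3", peer="1.1.1.1", ce_peer="10.3.1.2", ce_as=65420)
# Constructed faulty variant: wrong import target, CE-facing interface unbound.
PE3_BAD = PE3.replace("1:1 import", "2:2 import").replace("ip binding vpn-instance vpn1", "")


def parse(cfg):
    """Parse one configuration file; sections are separated by lines holding only '#'."""
    dev = {"name": None, "vpns": {}, "ifaces": [], "loopbacks": set(),
           "vpnv4_peers": set(), "ce_peers": {}}
    for block in re.split(r"(?m)^[ \t]*#[ \t]*$", cfg):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        head, body = lines[0], lines[1:]
        if head.startswith("sysname "):
            dev["name"] = head.split()[1]
        elif head.startswith("ip vpn-instance "):
            rts = {"import": set(), "export": set()}
            for ln in body:
                m = re.match(r"vpn-target (.+) (import|export)-extcommunity$", ln)
                if m:
                    rts[m.group(2)].update(m.group(1).split())
            dev["vpns"][head.split()[2]] = rts
        elif head.startswith("interface "):
            iface = {"name": head.split()[1], "vpn": None, "net": None}
            for ln in body:
                if ln.startswith("ip binding vpn-instance "):
                    iface["vpn"] = ln.split()[3]
                elif ln.startswith("ip address "):
                    addr, mask = ln.split()[2:4]
                    iface["net"] = ipaddress.ip_interface(f"{addr}/{mask}")
            dev["ifaces"].append(iface)
            if iface["name"].lower().startswith("loopback") and iface["net"]:
                dev["loopbacks"].add(iface["net"].ip)
        elif head == "ipv4-family vpnv4":
            dev["vpnv4_peers"] = {ipaddress.ip_address(ln.split()[1])
                                  for ln in body if re.match(r"peer \S+ enable$", ln)}
        elif head.startswith("ipv4-family vpn-instance "):
            dev["ce_peers"][head.split()[2]] = [
                ipaddress.ip_address(ln.split()[1]) for ln in body
                if re.match(r"peer \S+ as-number \d+$", ln)]
    return dev


def audit(devices):
    """Return findings on interface binding, VPNv4 peering and VPN target matching."""
    findings = []
    by_loopback = {ip: d for d in devices for ip in d["loopbacks"]}
    for d in devices:
        for vpn, peers in d["ce_peers"].items():
            for peer in peers:
                bound = any(i["vpn"] == vpn and i["net"] and peer in i["net"].network
                            for i in d["ifaces"])
                if not bound:
                    findings.append(f"{d['name']}: CE peer {peer} in {vpn} is "
                                    f"not on an interface bound to {vpn}")
        for remote in (by_loopback[p] for p in d["vpnv4_peers"] if p in by_loopback):
            if not d["loopbacks"] & remote["vpnv4_peers"]:
                findings.append(f"{d['name']}: {remote['name']} does not enable "
                                f"this PE as a VPNv4 peer")
            for vpn, rts in d["vpns"].items():
                other = remote["vpns"].get(vpn)
                if other and not rts["import"] & other["export"]:
                    findings.append(f"{d['name']}: {vpn} imports no VPN target "
                                    f"exported by {remote['name']}")
    return findings
```

Calling `audit([parse(PE1), parse(PE3)])` returns no findings, while replacing PE3 with `PE3_BAD` reports the unbound CE-facing interface and the import target that PE1 never exports.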

7.9.16 Example for Configuring VPN FRR


Networking Requirements
As shown in Figure 7-57, CE1 dual-homing networking is deployed to improve
reliability of VPN data transmission. Link_A is the primary link, and Link_B is the
backup link. The customer wants to transmit VPN services through the primary
link and hopes that VPN traffic can be quickly switched to the backup link when
the primary link fails.

Figure 7-57 Networking diagram for configuring VPN FRR


[Figure 7-57 shows PE1, PE2, and PE3 on the VPN backbone in AS 100 and CE1 in
the vpn1 site in AS 65410. The links are labeled Link_A and Link_B.]

Device  Interface   IP Address
PE1     Loopback1   1.1.1.1/32
        GE2/0/0     100.1.1.1/30
        GE3/0/0     100.2.1.1/30
PE2     Loopback1   2.2.2.2/32
        GE1/0/0     100.1.1.2/30
        GE2/0/0     10.1.1.2/30
PE3     Loopback1   3.3.3.3/32
        GE1/0/0     100.2.1.2/30
        GE2/0/0     10.2.1.2/30
CE1     GE1/0/0     10.1.1.1/30
        GE2/0/0     10.2.1.1/30
        GE3/0/0     10.3.1.1/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF on PE1, PE2, and PE3 to implement interworking on the
backbone network.
2. Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone
network to set up LDP LSPs.
3. Configure a VPN instance on PE1, PE2, and PE3. On PE2 and PE3, bind the
VPN instance to the interfaces connected to CE1.
4. Set up EBGP peer relationships between PE2 and CE1 and between PE3 and
CE1. Set up MP-IBGP peer relationships between the PEs.
5. On PE1, configure a routing policy for VPN FRR, configure the backup next
hop, and enable VPN FRR. When VPN FRR is not required, run the undo vpn
frr command to disable this function.
6. Configure multi-hop BFD on PE1 and PE2.

Procedure
Step 1 Assign IP addresses to interfaces according to Figure 7-57.
# Configure PE1.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip address 100.1.1.1 30
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] ip address 100.2.1.1 30
[PE1-GigabitEthernet3/0/0] quit

The configuration on PE2, PE3, and CE1 is similar to the configuration on PE1 and
is not mentioned here.
Step 2 Configure OSPF on the MPLS backbone network for IP connectivity between the
PEs on the backbone network.
# Configure PE1.
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.3
[PE1-ospf-1-area-0.0.0.0] network 100.2.1.0 0.0.0.3
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

The configuration on PE2 and PE3 is similar to the configuration on PE1 and is not
mentioned here.
Step 3 Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network
to set up LDP LSPs.
# Configure PE1.

[PE1] mpls lsr-id 1.1.1.1


[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] mpls
[PE1-GigabitEthernet2/0/0] mpls ldp
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] mpls
[PE1-GigabitEthernet3/0/0] mpls ldp
[PE1-GigabitEthernet3/0/0] quit

# Configure PE2.

[PE2] mpls lsr-id 2.2.2.2
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] mpls
[PE2-GigabitEthernet1/0/0] mpls ldp
[PE2-GigabitEthernet1/0/0] quit

# Configure PE3.

[PE3] mpls lsr-id 3.3.3.3


[PE3] mpls
[PE3-mpls] quit
[PE3] mpls ldp
[PE3-mpls-ldp] quit
[PE3] interface gigabitethernet 1/0/0
[PE3-GigabitEthernet1/0/0] mpls
[PE3-GigabitEthernet1/0/0] mpls ldp
[PE3-GigabitEthernet1/0/0] quit

Run the display mpls lsp command on the PEs. The command output shows that
LSPs are established between PE1 and PE2 and between PE1 and PE3. The
information displayed on PE1 is used as an example.
[PE1] display mpls lsp
----------------------------------------------------------------------
LSP Information: LDP LSP
----------------------------------------------------------------------
FEC In/Out Label In/Out IF Vrf Name
1.1.1.1/32 3/NULL -/-
3.3.3.3/32 NULL/3 -/GE3/0/0
3.3.3.3/32 1025/3 -/GE3/0/0
2.2.2.2/32 NULL/3 -/GE2/0/0
2.2.2.2/32 1024/3 -/GE2/0/0

Step 4 Configure VPN instances on PEs and bind the instances to the interfaces
connected to CE1.
# Configure PE1.
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] ipv4-family
[PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 111:1
[PE1-vpn-instance-vpn1-af-ipv4] quit
[PE1-vpn-instance-vpn1] quit

# Configure PE2.
[PE2] ip vpn-instance vpn1
[PE2-vpn-instance-vpn1] ipv4-family
[PE2-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:2
[PE2-vpn-instance-vpn1-af-ipv4] vpn-target 111:1
[PE2-vpn-instance-vpn1-af-ipv4] quit
[PE2-vpn-instance-vpn1] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[PE2-GigabitEthernet2/0/0] ip address 10.1.1.2 30
[PE2-GigabitEthernet2/0/0] quit

# Configure PE3.
[PE3] ip vpn-instance vpn1
[PE3-vpn-instance-vpn1] ipv4-family
[PE3-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:3
[PE3-vpn-instance-vpn1-af-ipv4] vpn-target 111:1
[PE3-vpn-instance-vpn1-af-ipv4] quit
[PE3-vpn-instance-vpn1] quit
[PE3] interface gigabitethernet 2/0/0
[PE3-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[PE3-GigabitEthernet2/0/0] ip address 10.2.1.2 30
[PE3-GigabitEthernet2/0/0] quit

Step 5 Import direct VPN routes to PE1. Set up EBGP peer relationships between PE2 and
CE1 and between PE3 and CE1 to import VPN routes.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpn1
[PE2-bgp-vpn1] peer 10.1.1.1 as-number 65410
[PE2-bgp-vpn1] import-route direct
[PE2-bgp-vpn1] quit
[PE2-bgp] quit

# Configure PE3.
[PE3] bgp 100
[PE3-bgp] ipv4-family vpn-instance vpn1
[PE3-bgp-vpn1] peer 10.2.1.1 as-number 65410
[PE3-bgp-vpn1] import-route direct
[PE3-bgp-vpn1] quit
[PE3-bgp] quit

# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] peer 10.2.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] network 10.3.1.0 24
[CE1-bgp] quit

After the configuration is complete, run the display bgp vpnv4 all peer command
on PE2 and PE3. The command output shows that PE2 and PE3 have set up EBGP
peer relationships with CE1. The peer relationships are in Established state.
The information displayed on PE2 is used as an example.
[PE2] display bgp vpnv4 all peer

 BGP local router ID : 2.2.2.2
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1

  Peer            V    AS  MsgRcvd  MsgSent  OutQ   Up/Down        State  PrefRcv

  Peer of IPv4-family for vpn instance :

 VPN-Instance vpn1, Router ID 2.2.2.2:
  10.1.1.1        4 65410      966      968     0  16:01:19  Established        5

Step 6 Set up an MP-IBGP peer relationship between the PEs.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.2 as-number 100
[PE1-bgp] peer 2.2.2.2 connect-interface loopback 1
[PE1-bgp] peer 3.3.3.3 as-number 100
[PE1-bgp] peer 3.3.3.3 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.2 enable
[PE1-bgp-af-vpnv4] peer 3.3.3.3 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.1 as-number 100
[PE2-bgp] peer 1.1.1.1 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.1 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit

# Configure PE3.
[PE3] bgp 100
[PE3-bgp] peer 1.1.1.1 as-number 100
[PE3-bgp] peer 1.1.1.1 connect-interface loopback 1
[PE3-bgp] ipv4-family vpnv4
[PE3-bgp-af-vpnv4] peer 1.1.1.1 enable
[PE3-bgp-af-vpnv4] quit
[PE3-bgp] quit

Run the display bgp vpnv4 all peer command on the PEs. The command output
shows that an MP-IBGP peer relationship has been set up between the PEs and is
in Established state.
The information displayed on PE1 is used as an example.
[PE1] display bgp vpnv4 all peer

 BGP local router ID : 1.1.1.1
 Local AS number : 100
 Total number of peers : 2                 Peers in established state : 2

  Peer            V    AS  MsgRcvd  MsgSent  OutQ   Up/Down        State  PrefRcv

  2.2.2.2         4   100       20       17     0  00:13:26  Established        5
  3.3.3.3         4   100       24       19     0  00:17:18  Established        5

Step 7 Configure the VPN FRR routing policy.
[PE1] ip ip-prefix vpn_frr_list permit 2.2.2.2 32
[PE1] route-policy vpn_frr_rp permit node 10
[PE1-route-policy] if-match ip next-hop ip-prefix vpn_frr_list
[PE1-route-policy] apply backup-nexthop 3.3.3.3
[PE1-route-policy] quit

Step 8 Configure multi-hop BFD.
# Configure multi-hop BFD on PE1.
[PE1] bfd
[PE1-bfd] quit
[PE1] bfd for_vpn_frr bind peer-ip 2.2.2.2
[PE1-bfd-session-for_vpn_frr] discriminator local 10
[PE1-bfd-session-for_vpn_frr] discriminator remote 20
[PE1-bfd-session-for_vpn_frr] min-tx-interval 100
[PE1-bfd-session-for_vpn_frr] min-rx-interval 100
[PE1-bfd-session-for_vpn_frr] commit
[PE1-bfd-session-for_vpn_frr] quit

# Configure multi-hop BFD on PE2.
[PE2] bfd
[PE2-bfd] quit
[PE2] bfd for_vpn_frr bind peer-ip 1.1.1.1
[PE2-bfd-session-for_vpn_frr] discriminator local 20
[PE2-bfd-session-for_vpn_frr] discriminator remote 10
[PE2-bfd-session-for_vpn_frr] min-tx-interval 100
[PE2-bfd-session-for_vpn_frr] min-rx-interval 100
[PE2-bfd-session-for_vpn_frr] commit
[PE2-bfd-session-for_vpn_frr] quit

After the configuration is complete, run the display bfd session all verbose
command on PE1 and PE2. The command output shows that a multi-hop BFD
session is established and the status of the BFD session is Up.
Step 9 Enable VPN FRR.
# Enable VPN FRR on PE1.
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] ipv4-family
[PE1-vpn-instance-vpn1-af-ipv4] vpn frr route-policy vpn_frr_rp
[PE1-vpn-instance-vpn1-af-ipv4] quit
[PE1-vpn-instance-vpn1] quit

Step 10 Verify the configuration.
# Check the backup next hop, backup label, and backup tunnel ID on PE1.
[PE1] display ip routing-table vpn-instance vpn1 10.3.1.0 verbose
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : vpn1
Summary Count : 1

Destination: 10.3.1.0/24
Protocol: IBGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 2.2.2.2 Neighbour: 2.2.2.2
State: Active Adv Relied Age: 00h15m06s
Tag: 0 Priority: low
Label: 15361 QoSInfo: 0x0
IndirectID: 0x13
RelayNextHop: 100.1.1.2 Interface: GigabitEthernet2/0/0
TunnelID: 0x31 Flags: RD
BkNextHop: 3.3.3.3 BkInterface:GigabitEthernet3/0/0
BkLabel: 15362 SecTunnelID: 0x0
BkPETunnelID: 0x32 BkPESecTunnelID: 0x0
BkIndirectID: 0x15

# Run the shutdown command on GE1/0/0 of PE2 to simulate a link failure.
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] shutdown
[PE2-GigabitEthernet1/0/0] quit

# Run the display ip routing-table vpn-instance command on PE1 again. The
command output shows that the next hop of the route to 10.3.1.0/24 is 3.3.3.3.
[PE1] display ip routing-table vpn-instance vpn1 10.3.1.0 verbose
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : vpn1
Summary Count : 1

Destination: 10.3.1.0/24
Protocol: IBGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 3.3.3.3 Neighbour: 3.3.3.3
State: Active Adv Relied Age: 00h15m06s
Tag: 0 Priority: low
Label: 15362 QoSInfo: 0x0
IndirectID: 0x15
RelayNextHop: 100.2.1.2 Interface: GigabitEthernet3/0/0
TunnelID: 0x32 Flags: RD

----End

Configuration Files
● PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn frr route-policy vpn_frr_rp
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 100.1.1.1 255.255.255.252
mpls
mpls ldp
#
interface GigabitEthernet3/0/0
ip address 100.2.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bfd for_vpn_frr bind peer-ip 2.2.2.2
discriminator local 10
discriminator remote 20
min-tx-interval 100
min-rx-interval 100
commit
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
peer 3.3.3.3 enable
#
ipv4-family vpn-instance vpn1
import-route direct
#
ospf 1
area 0.0.0.0
network 100.1.1.0 0.0.0.3
network 100.2.1.0 0.0.0.3
network 1.1.1.1 0.0.0.0
#
ip ip-prefix vpn_frr_list index 10 permit 2.2.2.2 32
#
route-policy vpn_frr_rp permit node 10
if-match ip next-hop ip-prefix vpn_frr_list
apply backup-nexthop 3.3.3.3
#
return
● PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:2
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 100.1.1.2 255.255.255.252
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.252
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bfd for_vpn_frr bind peer-ip 1.1.1.1
discriminator local 20
discriminator remote 10
min-tx-interval 100
min-rx-interval 100
commit
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 65410
import-route direct
#
ospf 1
area 0.0.0.0
network 100.1.1.0 0.0.0.3
network 2.2.2.2 0.0.0.0
#
return

● PE3 configuration file
#
sysname PE3
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:3
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 100.2.1.2 255.255.255.252
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.252
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 65410
import-route direct
#
ospf 1
area 0.0.0.0
network 100.2.1.0 0.0.0.3
network 3.3.3.3 0.0.0.0
#
return

● CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.252
#
interface GigabitEthernet2/0/0
ip address 10.2.1.1 255.255.255.252
#
interface GigabitEthernet3/0/0
ip address 10.3.1.1 255.255.255.0
#
bgp 65410
peer 10.1.1.2 as-number 100
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
network 10.3.1.0 255.255.255.0
import-route direct
peer 10.1.1.2 enable
peer 10.2.1.2 enable
#
return

7.9.17 Example for Configuring IP FRR for VPN Routes

Networking Requirements
When multiple CEs in a site connect to the same PE, the PE learns multiple IP VPN
routes with the same VPN prefix. To use one of the IP VPN routes as the primary
route and the others as backup routes, configure IP FRR for VPN routes. The PE
then generates primary and backup routes to the VPN prefix. When the link of the
primary route fails, IP traffic on the VPN is quickly switched to the link of a
backup route.

As shown in Figure 7-58, the PE has two OSPF routes to RTA. The route on Link_A
is the optimal route, and the route on Link_B is the suboptimal route. IP FRR for
VPN routes needs to be configured on the PE to quickly switch IP traffic on the
VPN to Link_B when Link_A fails.

Figure 7-58 Networking diagram for configuring IP FRR for VPN routes

Link_A: PE GE1/0/0 (10.1.1.1/30) - CE1 GE1/0/0 (10.1.1.2/30); CE1 GE2/0/0 (10.3.1.1/30) - RTA GE1/0/0 (10.3.1.2/30)
Link_B: PE GE2/0/0 (10.2.1.1/30) - CE2 GE1/0/0 (10.2.1.2/30); CE2 GE2/0/0 (10.4.1.1/30) - RTA GE2/0/0 (10.4.1.2/30)
RTA GE3/0/0: 10.5.1.1/24
CE1 and CE2 are in the vpn1 site; the PE connects to the VPN backbone.

Configuration Roadmap
The configuration roadmap is as follows:

1. Enable basic OSPF functions on each router so that routes to RTA can be
advertised to CE1 and CE2.
2. On the PE, configure VPN instance vpn1, bind GE1/0/0 and GE2/0/0 to vpn1,
and configure OSPF multi-instance.
3. Set the cost on GE2/0/0 of the PE and RTA both to a large value so that OSPF
preferentially selects Link_A.
4. Configure IP FRR for VPN routes on the PE.
5. Configure BFD to detect the link status.


Procedure
Step 1 Assign IP addresses to interfaces.
# Assign IP addresses to the interfaces on RTA.
<Huawei> system-view
[Huawei] sysname RTA
[RTA] interface gigabitethernet 1/0/0
[RTA-GigabitEthernet1/0/0] ip address 10.3.1.2 30
[RTA-GigabitEthernet1/0/0] quit
[RTA] interface gigabitethernet 2/0/0
[RTA-GigabitEthernet2/0/0] ip address 10.4.1.2 30
[RTA-GigabitEthernet2/0/0] quit
[RTA] interface gigabitethernet 3/0/0
[RTA-GigabitEthernet3/0/0] ip address 10.5.1.1 24
[RTA-GigabitEthernet3/0/0] quit

The configuration on PE, CE1, and CE2 is similar to the configuration on RTA and
is not mentioned here.
Step 2 Configure OSPF on CE1, CE2, and RTA.
# Configure CE1.
[CE1] ospf 1
[CE1-ospf] area 0
[CE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.3
[CE1-ospf-1-area-0.0.0.0] network 10.3.1.0 0.0.0.3
[CE1-ospf-1-area-0.0.0.0] quit
[CE1-ospf-1] quit

The configuration on CE2 and RTA is similar to the configuration on CE1 and is
not mentioned here.
After the configuration is complete, CE1, CE2, and RTA can learn interface
addresses from each other. The information displayed on CE1 is used as an
example.
[CE1] display ip routing-table
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 13 Routes : 13

Destination/Mask    Proto   Pre  Cost  Flags NextHop         Interface

10.1.1.0/30         Direct  0    0     D     10.1.1.2        GigabitEthernet1/0/0
10.1.1.2/32         Direct  0    0     D     127.0.0.1       GigabitEthernet1/0/0
10.1.1.3/32         Direct  0    0     D     127.0.0.1       GigabitEthernet1/0/0
10.3.1.0/30         Direct  0    0     D     10.3.1.1        GigabitEthernet2/0/0
10.3.1.1/32         Direct  0    0     D     127.0.0.1       GigabitEthernet2/0/0
10.3.1.3/32         Direct  0    0     D     127.0.0.1       GigabitEthernet2/0/0
10.2.1.0/30         OSPF    10   3     D     10.3.1.2        GigabitEthernet2/0/0
10.4.1.0/30         OSPF    10   2     D     10.3.1.2        GigabitEthernet2/0/0
10.5.1.0/24         OSPF    10   2     D     10.3.1.2        GigabitEthernet2/0/0
127.0.0.0/8         Direct  0    0     D     127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D     127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0     D     127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0     D     127.0.0.1       InLoopBack0

Step 3 Configure a VPN instance and OSPF multi-instance on the PE.
# On the PE, configure VPN instance vpn1 and bind GE1/0/0 and GE2/0/0 to vpn1.
[PE] ip vpn-instance vpn1
[PE-vpn-instance-vpn1] ipv4-family
[PE-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[PE-vpn-instance-vpn1-af-ipv4] vpn-target 111:1
[PE-vpn-instance-vpn1-af-ipv4] quit
[PE-vpn-instance-vpn1] quit
[PE] interface gigabitethernet 1/0/0
[PE-GigabitEthernet1/0/0] ip binding vpn-instance vpn1
[PE-GigabitEthernet1/0/0] ip address 10.1.1.1 30
[PE-GigabitEthernet1/0/0] quit
[PE] interface gigabitethernet 2/0/0
[PE-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[PE-GigabitEthernet2/0/0] ip address 10.2.1.1 30
[PE-GigabitEthernet2/0/0] quit

# Configure OSPF multi-instance on the PE.
[PE] ospf vpn-instance vpn1
[PE-ospf-1] area 0
[PE-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.3
[PE-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.3
[PE-ospf-1-area-0.0.0.0] quit
[PE-ospf-1] quit

Step 4 Set the cost on the OSPF interface.
# Set the cost on GE2/0/0 of the PE to 100 so that OSPF preferentially selects
Link_A.
[PE] interface gigabitethernet 2/0/0
[PE-GigabitEthernet2/0/0] ospf cost 100
[PE-GigabitEthernet2/0/0] quit

# Set the cost on GE2/0/0 of RTA to 100 so that OSPF preferentially selects Link_A.
[RTA] interface gigabitethernet 2/0/0
[RTA-GigabitEthernet2/0/0] ospf cost 100
[RTA-GigabitEthernet2/0/0] quit

Step 5 Configure a routing policy.
# Configure a routing policy, a backup next hop, and a backup outbound interface
on the PE. Configure an if-match clause.
[PE] ip ip-prefix frr1 permit 10.5.1.0 24
[PE] route-policy ip_frr_rp permit node 10
[PE-route-policy] if-match ip-prefix frr1
[PE-route-policy] apply backup-nexthop 10.2.1.2
[PE-route-policy] apply backup-interface gigabitethernet 2/0/0
[PE-route-policy] quit

Step 6 Configure association between BFD and IP FRR.
# Configure the PE.
[PE] bfd
[PE-bfd] quit
[PE] bfd for_ip_frr bind peer-ip 10.1.1.2 vpn-instance vpn1 interface gigabitethernet 1/0/0
[PE-bfd-session-for_ip_frr] discriminator local 10
[PE-bfd-session-for_ip_frr] discriminator remote 20
[PE-bfd-session-for_ip_frr] min-tx-interval 100
[PE-bfd-session-for_ip_frr] min-rx-interval 100
[PE-bfd-session-for_ip_frr] commit
[PE-bfd-session-for_ip_frr] quit

# Configure CE1.
[CE1] bfd
[CE1-bfd] quit
[CE1] bfd for_ip_frr bind peer-ip 10.1.1.1 interface gigabitethernet 1/0/0
[CE1-bfd-session-for_ip_frr] discriminator local 20
[CE1-bfd-session-for_ip_frr] discriminator remote 10
[CE1-bfd-session-for_ip_frr] min-tx-interval 100
[CE1-bfd-session-for_ip_frr] min-rx-interval 100
[CE1-bfd-session-for_ip_frr] commit
[CE1-bfd-session-for_ip_frr] quit

# Run the display bfd session all verbose command on the PE and CE1. The
command output shows that the BFD session status is Up.
Step 7 Enable IP FRR for VPN routes.
[PE] ip vpn-instance vpn1
[PE-vpn-instance-vpn1] ipv4-family
[PE-vpn-instance-vpn1-af-ipv4] ip frr route-policy ip_frr_rp
[PE-vpn-instance-vpn1-af-ipv4] quit
[PE-vpn-instance-vpn1] quit

Step 8 Verify the configurations.
# Run the display ip routing-table vpn-instance command on the PE. The
command output shows that the next hop of the route to 10.5.1.0/24 is 10.1.1.2,
and the route has a backup next hop and a backup outbound interface.
[PE] display ip routing-table vpn-instance vpn1 10.5.1.0 verbose
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : vpn1
Summary Count : 1
Destination: 10.5.1.0/24
Protocol: OSPF Process ID: 1
Preference: 10 Cost: 3
NextHop: 10.1.1.2 Neighbour: 0.0.0.0
State: Active Adv Age: 00h00m03s
Tag: 0 Priority: low
Label: NULL QoSInfo: 0x0
IndirectID: 0x0
RelayNextHop: 0.0.0.0 Interface: GigabitEthernet1/0/0
TunnelID: 0x0 Flags: D
BkNextHop: 10.2.1.2 BkInterface: GigabitEthernet2/0/0
BkLabel: NULL SecTunnelID: 0x0
BkPETunnelID: 0x0 BkPESecTunnelID: 0x0
BkIndirectID: 0x0

# Run the shutdown command on GE1/0/0 of CE1 to simulate a link failure.
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] shutdown
[CE1-GigabitEthernet1/0/0] quit

# Run the display ip routing-table vpn-instance command on the PE again. The
command output shows that the next hop of the route to 10.5.1.0/24 is 10.2.1.2.
[PE] display ip routing-table vpn-instance vpn1 10.5.1.0 verbose
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : vpn1
Summary Count : 1
Destination: 10.5.1.0/24
Protocol: OSPF Process ID: 1
Preference: 10 Cost: 102
NextHop: 10.2.1.2 Neighbour: 0.0.0.0
State: Active Adv Age: 00h01m03s
Tag: 0 Priority: low
Label: NULL QoSInfo: 0x0
IndirectID: 0x0
RelayNextHop: 0.0.0.0 Interface: GigabitEthernet2/0/0
TunnelID: 0x0 Flags: D
BkNextHop: 10.2.1.2 BkInterface: GigabitEthernet2/0/0
BkLabel: NULL SecTunnelID: 0x0
BkPETunnelID: 0x0 BkPESecTunnelID: 0x0
BkIndirectID: 0x0

----End
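
The verification steps of this example and of the VPN FRR example before it both compare display ip routing-table vpn-instance ... verbose output by eye. The Python below is an added example, not part of the Huawei guide: it parses that output and classifies each route's FRR state. The sample text is abridged from the outputs on this page; the function names and the three state labels are this example's own.

```python
import re

# Field names end with ':' and several share a line, so values are cut at the
# next field name rather than at whitespace ("Process ID" contains a space).
FIELD = re.compile(r"(?<![A-Za-z])([A-Z][A-Za-z]*(?: ID)?):[ \t]*")

def parse_verbose(text):
    """Return one dict per route entry in 'display ip routing-table ... verbose'."""
    routes = []
    for line in text.splitlines():
        hits = list(FIELD.finditer(line))
        for i, hit in enumerate(hits):
            end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
            key, value = hit.group(1), line[hit.end():end].strip()
            if key == "Destination":
                routes.append({})          # a new route entry starts here
            if routes:                     # skip the legend above the first entry
                routes[-1][key] = value
    return routes

def protection(route):
    """Classify the FRR state of one parsed entry."""
    backup = route.get("BkNextHop")
    if not backup:
        return "unprotected"
    if (backup, route.get("BkInterface")) == (route.get("NextHop"), route.get("Interface")):
        return "backup-in-use"     # backup equals primary: no distinct alternate path
    return "protected"

def switched_to_backup(before, after):
    """True when the new primary next hop is the backup that was pre-installed."""
    return protection(before) == "protected" and after.get("NextHop") == before["BkNextHop"]

def report(text):
    """Return (destination, next hop, protection state) for every entry."""
    return [(r["Destination"], r.get("NextHop"), protection(r)) for r in parse_verbose(text)]

# Abridged from the outputs on this page.
VPN_FRR_BEFORE = """\
Route Flags:
R - relay, D - download to fib
Routing Table : vpn1
Destination: 10.3.1.0/24
Protocol: IBGP Process ID: 0
NextHop: 2.2.2.2 Neighbour: 2.2.2.2
State: Active Adv Relied Age: 00h15m06s
RelayNextHop: 100.1.1.2 Interface: GigabitEthernet2/0/0
TunnelID: 0x31 Flags: RD
BkNextHop: 3.3.3.3 BkInterface:GigabitEthernet3/0/0
BkLabel: 15362 SecTunnelID: 0x0
"""
VPN_FRR_AFTER = """\
Destination: 10.3.1.0/24
NextHop: 3.3.3.3 Neighbour: 3.3.3.3
RelayNextHop: 100.2.1.2 Interface: GigabitEthernet3/0/0
TunnelID: 0x32 Flags: RD
"""
IP_FRR_AFTER = """\
Destination: 10.5.1.0/24
Protocol: OSPF Process ID: 1
NextHop: 10.2.1.2 Neighbour: 0.0.0.0
RelayNextHop: 0.0.0.0 Interface: GigabitEthernet2/0/0
BkNextHop: 10.2.1.2 BkInterface: GigabitEthernet2/0/0
"""

if __name__ == "__main__":
    for sample in (VPN_FRR_BEFORE, VPN_FRR_AFTER, IP_FRR_AFTER):
        print(report(sample))
```

A route reported as unprotected or backup-in-use after a switchover has no distinct alternate path installed, so a second failure is not covered by FRR until the primary path returns.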

Configuration Files
● PE configuration file
#
sysname PE
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
ip frr route-policy ip_frr_rp
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
bfd
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.1 255.255.255.252
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.1 255.255.255.252
ospf cost 100
#
ospf 1 vpn-instance vpn1
area 0.0.0.0
network 10.1.1.0 0.0.0.3
network 10.2.1.0 0.0.0.3
#
ip ip-prefix frr1 index 10 permit 10.5.1.0 24
#
route-policy ip_frr_rp permit node 10
if-match ip-prefix frr1
apply backup-nexthop 10.2.1.2
apply backup-interface GigabitEthernet2/0/0
#
bfd for_ip_frr bind peer-ip 10.1.1.2 vpn-instance vpn1 interface GigabitEthernet 1/0/0
discriminator local 10
discriminator remote 20
min-tx-interval 100
min-rx-interval 100
commit
#
return

● CE1 configuration file
#
sysname CE1
#
bfd
#
interface GigabitEthernet1/0/0
ip address 10.1.1.2 255.255.255.252
#
interface GigabitEthernet2/0/0
ip address 10.3.1.1 255.255.255.252
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.3
network 10.3.1.0 0.0.0.3
#
bfd for_ip_frr bind peer-ip 10.1.1.1 interface GigabitEthernet 1/0/0
discriminator local 20
discriminator remote 10
min-tx-interval 100
min-rx-interval 100
commit
#
return

● CE2 configuration file
#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.2.1.2 255.255.255.252
#
interface GigabitEthernet2/0/0
ip address 10.4.1.1 255.255.255.252
#
ospf 1
area 0.0.0.0
network 10.2.1.0 0.0.0.3
network 10.4.1.0 0.0.0.3
#
return

● RTA configuration file
#
sysname RTA
#
interface GigabitEthernet1/0/0
ip address 10.3.1.2 255.255.255.252
#
interface GigabitEthernet2/0/0
ip address 10.4.1.2 255.255.255.252
ospf cost 100
#
interface GigabitEthernet3/0/0
ip address 10.5.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.3.1.0 0.0.0.3
network 10.4.1.0 0.0.0.3
area 0.0.0.2
network 10.5.1.0 0.0.0.255
#
return
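
A cross-check of the settings the IP FRR example depends on: the static BFD discriminators on the PE and CE1 mirror each other, the route policy named by ip frr exists, and the backup next hop lies on the backup interface's subnet. This Python is an added example, not Huawei tooling; the configuration text is abridged from the PE and CE1 files above, and the function names are this example's own.

```python
import ipaddress
import re

# Abridged from the PE and CE1 configuration files of this example.
PE_CFG = """\
#
ip vpn-instance vpn1
ipv4-family
ip frr route-policy ip_frr_rp
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.252
#
interface GigabitEthernet2/0/0
ip address 10.2.1.1 255.255.255.252
#
route-policy ip_frr_rp permit node 10
if-match ip-prefix frr1
apply backup-nexthop 10.2.1.2
apply backup-interface GigabitEthernet2/0/0
#
bfd for_ip_frr bind peer-ip 10.1.1.2 vpn-instance vpn1 interface GigabitEthernet 1/0/0
discriminator local 10
discriminator remote 20
commit
#
return
"""
CE1_CFG = """\
#
interface GigabitEthernet1/0/0
ip address 10.1.1.2 255.255.255.252
#
bfd for_ip_frr bind peer-ip 10.1.1.1 interface GigabitEthernet 1/0/0
discriminator local 20
discriminator remote 10
commit
#
return
"""

def stanzas(cfg):
    """Split a configuration file into the blocks delimited by '#' lines."""
    blocks, cur = [], []
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line in ("#", "return"):
            if cur:
                blocks.append(cur)
            cur = []
        elif line:
            cur.append(line)
    return blocks + [cur] if cur else blocks

def bfd_sessions(cfg):
    """Return {peer IP: (local, remote)} for the static BFD sessions."""
    out = {}
    for b in stanzas(cfg):
        m = re.match(r"bfd \S+ bind peer-ip (\S+)", b[0])
        if m:
            disc = dict(re.findall(r"discriminator (local|remote) (\d+)", "\n".join(b)))
            out[m.group(1)] = (disc.get("local"), disc.get("remote"))
    return out

def interfaces(cfg):
    """Return {interface name: IPv4Interface} for addressed interfaces."""
    out = {}
    for b in stanzas(cfg):
        m = re.search(r"^ip address (\S+) (\S+)$", "\n".join(b), re.M)
        if b[0].startswith("interface ") and m:
            out[b[0].split(None, 1)[1]] = ipaddress.ip_interface("/".join(m.groups()))
    return out

def check_ip_frr(pe_cfg, ce_cfg):
    """Return findings for one PE/CE pair; an empty list means consistent."""
    findings = []
    pe_if = interfaces(pe_cfg)
    pe_ips = {str(i.ip) for i in pe_if.values()}
    # A static BFD session only comes Up when each side's local discriminator
    # is the other side's remote discriminator.
    ce_back = [d for peer, d in bfd_sessions(ce_cfg).items() if peer in pe_ips]
    for peer, (local, remote) in bfd_sessions(pe_cfg).items():
        if (remote, local) not in ce_back:
            findings.append(f"BFD to {peer}: discriminators are not mirrored on the peer")
    policies = {b[0].split()[1]: "\n".join(b) for b in stanzas(pe_cfg)
                if b[0].startswith("route-policy ")}
    for name in re.findall(r"^[ \t]*ip frr route-policy (\S+)", pe_cfg, re.M):
        body = policies.get(name)
        if body is None:
            findings.append(f"ip frr references undefined route-policy {name}")
            continue
        hop = re.search(r"apply backup-nexthop (\S+)", body)
        out = re.search(r"apply backup-interface (\S+)", body)
        iface = pe_if.get(out.group(1)) if out else None
        if hop is None:
            findings.append(f"route-policy {name} sets no backup next hop")
        elif iface and ipaddress.ip_address(hop.group(1)) not in iface.network:
            findings.append(f"backup next hop {hop.group(1)} is not on {out.group(1)}")
    return findings
```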

7.9.18 Example for Configuring VPN GR


Networking Requirements
NOTE

Only the AR3260 can be used in this scenario.

As shown in Figure 7-59, CE1 and CE2 belong to the same VPN. PE1, P, and PE2 on
the backbone network belong to the same AS and use the IS-IS protocol to exchange
routing information. CE1 connects to PE1, and CE2 connects to PE2. BGP runs
between CE1 and PE1, and OSPF runs between CE2 and PE2.


Figure 7-59 VPN GR networking


Loopback1: PE1 1.1.1.9/32, P 2.2.2.9/32, PE2 3.3.3.9/32
PE1 GE2/0/0 (100.1.1.1/30) - P GE1/0/0 (100.1.1.2/30); P GE2/0/0 (100.2.1.1/30) - PE2 GE1/0/0 (100.2.1.2/30)
PE1 GE1/0/0 (10.1.1.2/30) - CE1 GE1/0/0 (10.1.1.1/30)
PE2 GE2/0/0 (10.2.1.2/30) - CE2 GE1/0/0 (10.2.1.1/30)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic BGP/MPLS IP VPN functions.
2. Configure IGP GR, BGP GR, and LDP GR on the backbone network. Configure
GR for the routing protocols running between the PE and CE devices to ensure
uninterrupted VPN traffic forwarding when an active/standby switchover
occurs on any of the CE, PE, and P devices.

Procedure
Step 1 Configure IP addresses for the interfaces on the backbone network.
# Configure PE1.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip address 100.1.1.1 30
[PE1-GigabitEthernet2/0/0] quit

The configurations of PE2 and P are similar to the configuration of PE1, and are
not mentioned here.
Step 2 Configure basic BGP/MPLS IP VPN functions on the backbone network.
Configure IS-IS as the IGP on the backbone network, enable LDP on PE1 and PE2,
and set up an MP-IBGP peer relationship between PE1 and PE2.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] isis 1
[PE1-isis-1] network-entity 10.0000.0000.0001.00
[PE1-isis-1] quit
[PE1] interface loopback 1
[PE1-LoopBack1] isis enable 1
[PE1-LoopBack1] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip address 100.1.1.1 30
[PE1-GigabitEthernet2/0/0] isis enable 1
[PE1-GigabitEthernet2/0/0] mpls
[PE1-GigabitEthernet2/0/0] mpls ldp
[PE1-GigabitEthernet2/0/0] quit
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] isis 1
[P-isis-1] network-entity 10.0000.0000.0002.00
[P-isis-1] quit
[P] interface loopback 1
[P-LoopBack1] isis enable 1
[P-LoopBack1] quit
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] isis enable 1
[P-GigabitEthernet1/0/0] mpls
[P-GigabitEthernet1/0/0] mpls ldp
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] isis enable 1
[P-GigabitEthernet2/0/0] mpls
[P-GigabitEthernet2/0/0] mpls ldp
[P-GigabitEthernet2/0/0] quit

# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] isis 1
[PE2-isis-1] network-entity 10.0000.0000.0003.00
[PE2-isis-1] quit
[PE2] interface loopback 1
[PE2-LoopBack1] isis enable 1
[PE2-LoopBack1] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] isis enable 1
[PE2-GigabitEthernet1/0/0] mpls
[PE2-GigabitEthernet1/0/0] mpls ldp
[PE2-GigabitEthernet1/0/0] quit
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit


After the configuration is complete, run the display isis peer command on PE1 or
PE2. You can see that the IS-IS neighbor relationship is in Up state. Run the
display bgp vpnv4 all peer command, and you can see that the BGP peer
relationship has been set up and is in Established state. Run the display mpls ldp
session command, and you can see that an LDP session has been set up and the
session status is Operational.

Step 3 Configure a VPN instance on the PE devices and bind the instance to the
interfaces connected to the CE devices.

Configure VPN instance vpn1 on PE1 and bind it to the interface connected to
CE1. Configure VPN instance vpn1 on PE2 and bind it to the interface connected
to CE2. Set up an EBGP peer relationship between CE1 and PE1. Set up an OSPF
neighbor relationship between CE2 and PE2.

# Configure CE1.
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] ip address 10.1.1.1 30
[CE1-GigabitEthernet1/0/0] quit
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

# Configure PE1.
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] ipv4-family
[PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 111:1
[PE1-vpn-instance-vpn1-af-ipv4] quit
[PE1-vpn-instance-vpn1] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpn1
[PE1-GigabitEthernet1/0/0] ip address 10.1.1.2 30
[PE1-GigabitEthernet1/0/0] quit
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpn1] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] ip vpn-instance vpn1
[PE2-vpn-instance-vpn1] ipv4-family
[PE2-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:2
[PE2-vpn-instance-vpn1-af-ipv4] vpn-target 111:1
[PE2-vpn-instance-vpn1-af-ipv4] quit
[PE2-vpn-instance-vpn1] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[PE2-GigabitEthernet2/0/0] ip address 10.2.1.2 30
[PE2-GigabitEthernet2/0/0] quit
[PE2] ospf 2 vpn-instance vpn1
[PE2-ospf-2] area 0
[PE2-ospf-2-area-0.0.0.0] network 10.2.1.0 0.0.0.3
[PE2-ospf-2-area-0.0.0.0] quit
[PE2-ospf-2] import-route bgp
[PE2-ospf-2] quit
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpn1
[PE2-bgp-vpn1] import-route ospf 2
[PE2-bgp-vpn1] quit
[PE2-bgp] quit


# Configure CE2.
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] ip address 10.2.1.1 30
[CE2-GigabitEthernet1/0/0] quit
[CE2] ospf 2
[CE2-ospf-2] area 0
[CE2-ospf-2-area-0.0.0.0] network 10.2.1.0 0.0.0.3
[CE2-ospf-2-area-0.0.0.0] quit
[CE2-ospf-2] import-route direct
[CE2-ospf-2] quit

The basic BGP/MPLS IP VPN configuration is complete, and CE1 and CE2 can
communicate with each other.
Step 4 Configure IGP GR on the backbone network.
Configure IGP GR on PE1, P, and PE2.
# Configure PE1.
[PE1] isis 1
[PE1-isis-1] graceful-restart
[PE1-isis-1] quit

# Configure P.
[P] isis 1
[P-isis-1] graceful-restart
[P-isis-1] quit

# Configure PE2.
[PE2] isis 1
[PE2-isis-1] graceful-restart
[PE2-isis-1] quit

Run the display isis graceful-restart status command on PE1, P, and PE2. The
command output shows that IS-IS GR has been configured successfully.
The display on PE1 is used as an example:
[PE1] display isis graceful-restart status

Restart information for ISIS(1)
-------------------------------

IS-IS(1) Level-1 Restart Status
Restart Interval: 300
SA Bit Supported
Total Number of Interfaces = 2
Restart Status: RESTART COMPLETE

IS-IS(1) Level-2 Restart Status
Restart Interval: 300
SA Bit Supported
Total Number of Interfaces = 2
Restart Status: RESTART COMPLETE

Step 5 Configure MPLS LDP GR on the backbone network.
Configure MPLS LDP GR on PE1, P, and PE2.
# Configure PE1.
[PE1] mpls ldp
[PE1-mpls-ldp] graceful-restart
[PE1-mpls-ldp] quit


# Configure P.
[P] mpls ldp
[P-mpls-ldp] graceful-restart
[P-mpls-ldp] quit

# Configure PE2.
[PE2] mpls ldp
[PE2-mpls-ldp] graceful-restart
[PE2-mpls-ldp] quit

Step 6 Configure GR for the routing protocols running between the PE and CE devices.
Configure BGP GR on PE1 and CE1. Configure OSPF GR on PE2 and CE2.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] graceful-restart
[PE1-bgp] quit

# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] graceful-restart
[CE1-bgp] quit

# Configure PE2.
[PE2] ospf 2 vpn-instance vpn1
[PE2-ospf-2] opaque-capability enable
[PE2-ospf-2] graceful-restart
[PE2-ospf-2] quit

# Configure CE2.
[CE2] ospf 2
[CE2-ospf-2] opaque-capability enable
[CE2-ospf-2] graceful-restart
[CE2-ospf-2] quit

Run the display ospf brief command on PE2 or CE2. The command output shows
that OSPF GR has been configured successfully.
The display on PE2 is used as an example:
[PE2] display ospf brief

OSPF Process 2 with Router ID 10.2.1.2
OSPF Protocol Information

RouterID: 10.2.1.2 Border Router: AREA AS
ECA-route-type: 0x0306
Route Tag: 3489661028
PE Router, Multi-VPN-Instance is enabled
Opaque Capable
Global DS-TE Mode: Non-Standard IETF Mode
Graceful-restart capability: planned and un-planned, totally
Helper support capability : enabled
filter capability : disabled
policy capability : strict lsa check, planned and un-planned
Applications Supported: MPLS Traffic-Engineering
Spf-schedule-interval: max 10000ms, start 500ms, hold 1000ms
Default ASE parameters: Metric: 1 Tag: 1 Type: 2
Route Preference: 10
ASE Route Preference: 150
SPF Computation Count: 17
RFC 1583 Compatible
Retransmission limitation is disabled
Area Count: 1 Nssa Area Count: 0
ExChange/Loading Neighbors: 0
Process total up interface count: 1
Process valid up interface count: 1

Area: 0.0.0.0 (MPLS TE not enabled)


Authtype: None Area flag: Normal
SPF scheduled Count: 17
ExChange/Loading Neighbors: 0
Router ID conflict state: Normal
Area interface up count: 1

Interface: 10.2.1.2 (GigabitEthernet2/0/0)


Cost: 1 State: DR Type: Broadcast MTU: 1500
Priority: 1
Designated Router: 10.2.1.2
Backup Designated Router: 10.2.1.1
Timers: Hello 10 , Dead 40 , Poll 120 , Retransmit 5 , Transmit Delay 1

Step 7 Configure BGP GR on the PE devices.


BGP GR has already been configured on PE1 in Step 6, so you only need to configure
BGP GR on PE2 in this step.
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] graceful-restart
[PE2-bgp] quit

Run the display bgp vpnv4 all peer verbose command on PE1. The command
output shows that IBGP GR has taken effect between PE1 and PE2, and EBGP GR
has taken effect between PE1 and CE1.
[PE1] display bgp vpnv4 all peer verbose

BGP Peer is 3.3.3.9, remote AS 100


Type: IBGP link
BGP version 4, Remote router ID 3.3.3.9
Update-group ID: 1
BGP current state: Established, Up for 00h01m04s
BGP current event: RecvKeepalive
BGP last state: OpenConfirm
BGP Peer Up count: 3
Received total routes: 3
Received active routes total: 3
Received mac routes: 0
Advertised total routes: 2
Port: Local - 179 Remote - 56400
Configured: Connect-retry Time: 32 sec
Configured: Min Hold Time: 0 sec
Configured: Active Hold Time: 180 sec Keepalive Time:60 sec
Received : Active Hold Time: 180 sec
Negotiated: Active Hold Time: 180 sec Keepalive Time:60 sec
Peer optional capabilities:
Peer supports bgp multi-protocol extension
Peer supports bgp route refresh capability
Peer supports bgp 4-byte-as capability
Graceful Restart Capability: advertised and received
Restart Timer Value received from Peer: 150 seconds
Address families preserved for peer in GR:
IPv4 Unicast (was preserved)
VPNv4 (was preserved)
Address family IPv4 Unicast: advertised and received
Address family VPNv4: advertised and received
Received: Total 7 messages
Update messages 4
Open messages 1
KeepAlive messages 2
Notification messages 0
Refresh messages 0
Sent: Total 8 messages
Update messages 3
Open messages 2
KeepAlive messages 3
Notification messages 0
Refresh messages 0
Authentication type configured: None
Last keepalive received: 2013/09/15 19:43:15
Last keepalive sent : 2013/09/15 19:43:15
Last update received: 2013/09/15 19:42:15
Last update sent : 2013/09/15 19:42:15
Minimum route advertisement interval is 0 seconds
Optional capabilities:
Route refresh capability has been enabled
4-byte-as capability has been enabled
Connect-interface has been configured
Peer Preferred Value: 0
Routing policy configured:
No routing policy is configured

IPv4-family for VPN instance: vpn1

BGP Peer is 10.1.1.1, remote AS 65410


Type: EBGP link
BGP version 4, Remote router ID 10.1.1.1
Update-group ID: 1
BGP current state: Established, Up for 00h05m43s
BGP current event: KATimerExpired
BGP last state: OpenConfirm
BGP Peer Up count: 2
Received total routes: 2
Received active routes total: 0
Received mac routes: 0
Advertised total routes: 3
Port: Local - 179 Remote - 49695
Configured: Connect-retry Time: 32 sec
Configured: Min Hold Time: 0 sec
Configured: Active Hold Time: 180 sec Keepalive Time:60 sec
Received : Active Hold Time: 180 sec
Negotiated: Active Hold Time: 180 sec Keepalive Time:60 sec
Peer optional capabilities:
Peer supports bgp multi-protocol extension
Peer supports bgp route refresh capability
Peer supports bgp 4-byte-as capability
Graceful Restart Capability: advertised and received
Restart Timer Value received from Peer: 150 seconds
Address families preserved for peer in GR:
IPv4 Unicast (was preserved)
Address family IPv4 Unicast: advertised and received
Received: Total 10 messages
Update messages 3
Open messages 1
KeepAlive messages 6
Notification messages 0
Refresh messages 0
Sent: Total 15 messages
Update messages 6
Open messages 2
KeepAlive messages 7
Notification messages 0
Refresh messages 0
Authentication type configured: None
Last keepalive received: 2013/09/15 19:42:37
Last keepalive sent : 2013/09/15 19:42:37
Last update received: 2013/09/15 19:37:37
Last update sent : 2013/09/15 19:42:15
Minimum route advertisement interval is 30 seconds
Optional capabilities:
Route refresh capability has been enabled
4-byte-as capability has been enabled
Peer Preferred Value: 0
Routing policy configured:
No routing policy is configured

Step 8 Verify the configuration.


# Run the display switchover state command on PE1 to check the status of the
slave SRU. The following information is displayed:
[PE1] display switchover state
Slot 15 HA FSM State(master): realtime or routine backup.
Slot 14 HA FSM State(slave): receiving realtime or routine data.

# Perform an active/standby switchover on PE1.
[PE1] slave switchover
Are you sure to switch over? (y/n)[n]:y

# Communication between the site connected to CE1 and the site connected to
CE2 is not interrupted.

NOTE

Communication between the sites may be interrupted when two or more neighboring
devices among CE1, PE1, PE2, and CE2 perform an active/standby switchover at the same
time.

----End
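
The Step 7 check of the display bgp vpnv4 all peer verbose output can be automated before the switchover in Step 8. The following Python example is added here and is not part of the Huawei guide; its sample text is constructed from the fields shown in Step 7, and the EBGP peer is written without the Graceful Restart lines, which is an assumed shape for a peer that did not negotiate GR.

```python
import re

# Constructed sample shaped like `display bgp vpnv4 all peer verbose` output,
# trimmed to the fields the check reads. The EBGP peer is constructed WITHOUT
# the Graceful Restart lines to show the failure case (assumed shape).
SAMPLE = """\
 BGP Peer is 3.3.3.9,  remote AS 100
 Type: IBGP link
 BGP current state: Established, Up for 00h01m04s
 Graceful Restart Capability: advertised and received
 Restart Timer Value received from Peer: 150 seconds
 Address families preserved for peer in GR:
 IPv4 Unicast (was preserved)
 VPNv4 (was preserved)
 Authentication type configured: None

 IPv4-family for VPN instance: vpn1

 BGP Peer is 10.1.1.1,  remote AS 65410
 Type: EBGP link
 BGP current state: Established, Up for 00h05m43s
 Authentication type configured: None
"""

# Address family that must be preserved for each link type in this example:
# VPNv4 between the PEs, IPv4 unicast between PE and CE.
REQUIRED = {"IBGP": "VPNv4", "EBGP": "IPv4 Unicast"}


def parse_peers(text):
    """Split the output into one record per 'BGP Peer is ...' block."""
    peers, cur, vpn = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"IPv4-family for VPN instance: (\S+)", line):
            vpn = m.group(1)  # peers listed after this line belong to the VPN instance
        elif m := re.match(r"BGP Peer is (\S+),\s*remote AS (\d+)", line):
            cur = {"peer": m.group(1), "remote_as": int(m.group(2)), "vpn": vpn,
                   "type": None, "state": None, "gr": False,
                   "restart_timer": None, "preserved": [], "auth": None}
            peers.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"Type: (\S+) link", line):
            cur["type"] = m.group(1)
        elif m := re.match(r"BGP current state: (\w+)", line):
            cur["state"] = m.group(1)
        elif line.startswith("Graceful Restart Capability:"):
            cur["gr"] = line.endswith("advertised and received")
        elif m := re.match(r"Restart Timer Value received from Peer: (\d+)", line):
            cur["restart_timer"] = int(m.group(1))
        elif m := re.match(r"(.+) \(was preserved\)", line):
            cur["preserved"].append(m.group(1))
        elif m := re.match(r"Authentication type configured: (\S+)", line):
            cur["auth"] = m.group(1)
    return peers


def gr_gaps(peers):
    """Return one finding per peer whose routes would not be kept across a restart."""
    gaps = []
    for p in peers:
        need = REQUIRED.get(p["type"])
        if p["state"] != "Established":
            gaps.append(f"{p['peer']}: session is {p['state']}, not Established")
        elif not p["gr"]:
            gaps.append(f"{p['peer']}: GR capability not advertised and received")
        elif need and need not in p["preserved"]:
            gaps.append(f"{p['peer']}: {need} not preserved during GR")
    return gaps


if __name__ == "__main__":
    for peer in parse_peers(SAMPLE):
        print(peer["peer"], peer["type"], "GR" if peer["gr"] else "no GR",
              peer["preserved"], "auth:", peer["auth"])
    for gap in gr_gaps(parse_peers(SAMPLE)):
        print("GAP:", gap)
```

The parsed record also carries the Authentication type configured field, so the same pass can list peers that report None.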

Configuration Files
● PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
graceful-restart
#
isis 1
graceful-restart
network-entity 10.0000.0000.0001.00
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.252
#
interface GigabitEthernet2/0/0
ip address 100.1.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
isis enable 1
#
bgp 100
graceful-restart
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 65410
#
return
● P configuration file
#
sysname P
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
graceful-restart
#
isis 1
graceful-restart
network-entity 10.0000.0000.0002.00
#
interface GigabitEthernet1/0/0
ip address 100.1.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 100.2.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
isis enable 1
#
return
● PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:2
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
graceful-restart
#
isis 1
graceful-restart
network-entity 10.0000.0000.0003.00
#
interface GigabitEthernet1/0/0
ip address 100.2.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.252
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
isis enable 1
#
bgp 100
graceful-restart
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
import-route ospf 2
#
ospf 2 vpn-instance vpn1
import-route bgp
opaque-capability enable
graceful-restart
area 0.0.0.0
network 10.2.1.0 0.0.0.3
#
return

● CE1 configuration file


#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.252
#
bgp 65410
graceful-restart
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return

● CE2 configuration file


#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.2.1.1 255.255.255.252
#
ospf 2
import-route direct
opaque-capability enable
graceful-restart
area 0.0.0.0
network 10.2.1.0 0.0.0.3
#
return

7.9.19 Example for Configuring Double RRs to Optimize the VPN Backbone Layer
Networking Requirements
When deploying a VPN, you can configure double route reflectors (RRs) on the
VPN. To achieve this, you need to select two RRs from the Ps in the same AS on
the backbone network and ensure that the two RRs back up each other and
reflect routes of the public network and VPNv4.
As shown in Figure 7-60, PE1, PE2, RR1, and RR2 are located in AS 100 on the
backbone network. CE1 and CE2 belong to vpna. Select RR1 and RR2 as the RRs of
the VPN.

Figure 7-60 Networking diagram for configuring double RRs on a VPN

[Figure: PE1, RR1, RR2, and PE2 form the VPN backbone in AS 100. Each PE is connected to both RRs, and the two RRs are connected to each other. CE1 (AS 65410, GE1/0/0 10.1.1.1/24) attaches to GE2/0/0 on PE1, and CE2 (AS 65420, GE1/0/0 10.2.1.1/24) attaches to GE2/0/0 on PE2. Both sites belong to vpna.]

Device  Interface and IP Address    Device  Interface and IP Address
PE1     Loopback1  1.1.1.9/32       PE2     Loopback1  4.4.4.9/32
        GE1/0/0    100.1.2.1/24             GE1/0/0    100.3.4.2/24
        GE2/0/0    10.1.1.2/24              GE2/0/0    10.2.1.2/24
        GE3/0/0    100.1.3.1/24             GE3/0/0    100.2.4.2/24
RR1     Loopback1  2.2.2.9/32       RR2     Loopback1  3.3.3.9/32
        GE1/0/0    100.1.2.2/24             GE1/0/0    100.2.3.2/24
        GE2/0/0    100.2.3.1/24             GE2/0/0    100.3.4.1/24
        GE3/0/0    100.2.4.1/24             GE3/0/0    100.1.3.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IGP protocol on the MPLS backbone network for IP connectivity.
2. Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone
network to set up MPLS LSPs.
3. Configure VPN instances on PE1 and PE2 and bind the instances to the
interfaces connected to the CEs. Configure the same VPN target for the VPN
instances to enable users in the same VPN to communicate with each other.
4. Set up EBGP peer relationships between the PEs and CEs and import VPN
routes into BGP.
5. Set up MP-IBGP peer relationships between PEs and RRs. The PEs do not need
to set up an MP-IBGP peer relationship with each other.
6. Configure the same reflector cluster ID for RR1 and RR2 so that they back up
each other.
7. Configure RR1 and RR2 to accept all VPNv4 routes without filtering the routes
based on VPN targets, because RR1 and RR2 must save all VPNv4 routes and
advertise them to PEs.
NOTE

On a VPN with double RRs, ensure that each RR has at least two paths to a PE and the
paths do not share the same network segment or node. If there is only one path between
the RRs and PEs or if the paths share the same network segment or node, double RRs
cannot improve network reliability.

Procedure
Step 1 Assign IP addresses to interfaces according to Figure 7-60.
# Configure PE1.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] ip address 100.1.2.1 24
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] ip address 100.1.3.1 24
[PE1-GigabitEthernet3/0/0] quit

The configuration on PE2, RRs, CE1, and CE2 is similar to the configuration on PE1
and is not mentioned here.

Step 2 Configure an IGP protocol on the MPLS backbone network for IP connectivity.

# Configure PE1.
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 100.1.2.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 100.1.3.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

The configuration on PE2 and RRs is similar to the configuration on PE1 and is not
mentioned here.

NOTE

The IP addresses of loopback interfaces that are used as LSR IDs need to be advertised.

After the configuration is complete, the devices on the backbone network can
learn the loopback interface addresses from each other.

The information displayed on PE1 is used as an example.


[PE1] display ip routing-table
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 17 Routes : 19

Destination/Mask Proto Pre Cost Flags NextHop Interface

1.1.1.9/32 Direct 0 0 D 127.0.0.1 LoopBack1


2.2.2.9/32 OSPF 10 1 D 100.1.2.2 GigabitEthernet1/0/0
3.3.3.9/32 OSPF 10 1 D 100.1.3.2 GigabitEthernet3/0/0
4.4.4.9/32 OSPF 10 2 D 100.1.3.2 GigabitEthernet1/0/0
OSPF 10 2 D 100.1.2.2 GigabitEthernet3/0/0
100.1.2.0/24 Direct 0 0 D 100.1.2.1 GigabitEthernet1/0/0
100.1.2.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
100.1.2.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
100.1.3.0/24 Direct 0 0 D 100.1.3.1 GigabitEthernet3/0/0
100.1.3.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet3/0/0
100.1.3.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet3/0/0
100.2.3.0/24 OSPF 10 2 D 100.1.3.2 GigabitEthernet3/0/0
OSPF 10 2 D 100.1.2.2 GigabitEthernet1/0/0
100.2.4.0/24 OSPF 10 2 D 100.1.2.2 GigabitEthernet1/0/0
100.3.4.0/24 OSPF 10 2 D 100.1.3.2 GigabitEthernet3/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Step 3 Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network
to set up LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] mpls
[PE1-GigabitEthernet1/0/0] mpls ldp
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] mpls
[PE1-GigabitEthernet3/0/0] mpls ldp
[PE1-GigabitEthernet3/0/0] quit

The configuration on PE2 and RRs is similar to the configuration on PE1 and is not
mentioned here.
After the configuration is complete, run the display mpls ldp session command
on the PEs and RRs. The State field in the command output displays as
Operational.
The information displayed on PE1 and RR1 is used as an example.
[PE1] display mpls ldp session

LDP Session(s) in Public Network


Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
----------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
----------------------------------------------------------------------
2.2.2.9:0 Operational DU Passive 0000:00:01 8/8
3.3.3.9:0 Operational DU Passive 0000:00:00 4/4
----------------------------------------------------------------------
TOTAL: 2 session(s) Found.
[RR1] display mpls ldp session

LDP Session(s) in Public Network


Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
----------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
----------------------------------------------------------------------
1.1.1.9:0 Operational DU Active 000:00:02 11/11
3.3.3.9:0 Operational DU Passive 000:00:01 8/8
4.4.4.9:0 Operational DU Passive 000:00:00 4/4
----------------------------------------------------------------------
TOTAL: 3 session(s) Found.

Step 4 Configure VPN instances on the PEs.


# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 1:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[PE1-GigabitEthernet2/0/0] ip address 10.1.1.2 24
[PE1-GigabitEthernet2/0/0] quit

The configuration on PE2 is similar to the configuration on PE1 and is not
mentioned here.
Step 5 Set up EBGP peer relationships between the PEs and CEs and import VPN routes
into BGP.
# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] quit

The configuration on CE2 is similar to the configuration on CE1 and is not
mentioned here.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] quit

The configuration on PE2 is similar to the configuration on PE1 and is not
mentioned here.
Step 6 Set up MP-IBGP peer relationships between PEs and RRs.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure RR1.
[RR1] bgp 100
[RR1-bgp] group rr1 internal
[RR1-bgp] peer rr1 connect-interface loopback 1
[RR1-bgp] peer 1.1.1.9 group rr1
[RR1-bgp] peer 3.3.3.9 group rr1
[RR1-bgp] peer 4.4.4.9 group rr1
[RR1-bgp] ipv4-family vpnv4
[RR1-bgp-af-vpnv4] peer rr1 enable
[RR1-bgp-af-vpnv4] peer 1.1.1.9 group rr1
[RR1-bgp-af-vpnv4] peer 3.3.3.9 group rr1
[RR1-bgp-af-vpnv4] peer 4.4.4.9 group rr1
[RR1-bgp-af-vpnv4] quit
[RR1-bgp] quit

# Configure RR2.
[RR2] bgp 100
[RR2-bgp] group rr2 internal
[RR2-bgp] peer rr2 connect-interface loopback 1
[RR2-bgp] peer 1.1.1.9 group rr2
[RR2-bgp] peer 2.2.2.9 group rr2
[RR2-bgp] peer 4.4.4.9 group rr2
[RR2-bgp] ipv4-family vpnv4
[RR2-bgp-af-vpnv4] peer rr2 enable
[RR2-bgp-af-vpnv4] peer 1.1.1.9 group rr2
[RR2-bgp-af-vpnv4] peer 2.2.2.9 group rr2
[RR2-bgp-af-vpnv4] peer 4.4.4.9 group rr2
[RR2-bgp-af-vpnv4] quit
[RR2-bgp] quit

The configuration on PE2 is similar to the configuration on PE1 and is not
mentioned here.
After the configuration is complete, run the display bgp vpnv4 all peer command
on the PEs. The command output shows that the PEs have set up IBGP peer
relationships with RRs, and the peer relationships are in Established state. The PEs
also set up EBGP peer relationships with the CEs.
The information displayed on PE1 is used as an example.
[PE1] display bgp vpnv4 all peer

BGP local router ID : 1.1.1.9


Local AS number : 100
Total number of peers : 3 Peers in established state : 3
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2.2.2.9 4 100 2 4 0 00:00:31 Established 0
3.3.3.9 4 100 3 5 0 00:01:23 Established 0

Peer of IPv4-family for vpn instance :

VPN-Instance vpna, Router ID 1.1.1.9:


10.1.1.1 4 65410 79 82 0 01:13:29 Established 0

Step 7 Configure route reflection on RR1 and RR2.


# Configure RR1.
[RR1] bgp 100
[RR1-bgp] ipv4-family vpnv4
[RR1-bgp-af-vpnv4] reflector cluster-id 100
[RR1-bgp-af-vpnv4] peer rr1 reflect-client
[RR1-bgp-af-vpnv4] undo policy vpn-target
[RR1-bgp-af-vpnv4] quit
[RR1-bgp] quit

# Configure RR2.
[RR2] bgp 100
[RR2-bgp] ipv4-family vpnv4
[RR2-bgp-af-vpnv4] reflector cluster-id 100
[RR2-bgp-af-vpnv4] peer rr2 reflect-client
[RR2-bgp-af-vpnv4] undo policy vpn-target
[RR2-bgp-af-vpnv4] quit
[RR2-bgp] quit

Step 8 Verify the configuration.


# Check the VPN routing table on a PE. The routing table contains a route to the
remote CE.
# The information displayed on PE1 is used as an example.
[PE1] display ip routing-table vpn-instance vpna
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 8 Routes : 8

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 Direct 0 0 D 10.1.1.2 GigabitEthernet2/0/0
10.1.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
10.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
10.2.1.0/24 IBGP 255 0 RD 4.4.4.9 GigabitEthernet3/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

# If CE1 and CE2 can ping each other, the route reflection function has been
configured successfully.
# Run the shutdown command in the view of GE3/0/0 on PE1 and GE3/0/0 on
PE2. CE1 and CE2 can still ping each other, indicating that the RRs are successfully
configured.

----End

Configuration Files
● PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 100.1.2.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet3/0/0
ip address 100.1.3.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 100.1.2.0 0.0.0.255
network 100.1.3.0 0.0.0.255
#
return
● RR1 configuration file
#
sysname RR1
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 100.1.2.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 100.2.3.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet3/0/0
ip address 100.2.4.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 3.3.3.9 as-number 100
peer 4.4.4.9 as-number 100
group rr1 internal
peer rr1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer rr1 enable
peer 1.1.1.9 enable
peer 1.1.1.9 group rr1
peer 3.3.3.9 enable
peer 3.3.3.9 group rr1
peer 4.4.4.9 enable
peer 4.4.4.9 group rr1
#
ipv4-family vpnv4
reflector cluster-id 100
undo policy vpn-target
peer rr1 enable
peer rr1 reflect-client
peer 1.1.1.9 enable
peer 1.1.1.9 group rr1
peer 3.3.3.9 enable
peer 3.3.3.9 group rr1
peer 4.4.4.9 enable
peer 4.4.4.9 group rr1
#
ospf 1
area 0.0.0.0
network 100.1.2.0 0.0.0.255
network 100.2.3.0 0.0.0.255
network 100.2.4.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
● RR2 configuration file
#
sysname RR2
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 100.2.3.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 100.3.4.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet3/0/0
ip address 100.1.3.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 2.2.2.9 as-number 100
peer 4.4.4.9 as-number 100
group rr2 internal
peer rr2 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer rr2 enable
peer 1.1.1.9 enable
peer 1.1.1.9 group rr2
peer 2.2.2.9 enable
peer 2.2.2.9 group rr2
peer 4.4.4.9 enable
peer 4.4.4.9 group rr2
#
ipv4-family vpnv4
reflector cluster-id 100
undo policy vpn-target
peer rr2 enable
peer rr2 reflect-client
peer 1.1.1.9 enable
peer 1.1.1.9 group rr2
peer 2.2.2.9 enable
peer 2.2.2.9 group rr2
peer 4.4.4.9 enable
peer 4.4.4.9 group rr2
#
ospf 1
area 0.0.0.0
network 100.2.3.0 0.0.0.255
network 100.3.4.0 0.0.0.255
network 100.1.3.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return
● PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 100.3.4.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpna
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet3/0/0
ip address 100.2.4.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 10.2.1.1 as-number 65420
import-route direct
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 100.3.4.0 0.0.0.255
network 100.2.4.0 0.0.0.255
#
return
● CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
peer 10.1.1.2 enable
#
return

● CE2 configuration file


#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
peer 10.2.1.2 enable
#
return
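
Roadmap items 5 to 7 of the double-RR example (every PE peers with both RRs, both RRs share one cluster ID, and both RRs accept all VPNv4 routes) can be checked against saved configuration files before the failover test in Step 8. The following Python example is added here and is not part of the Huawei guide; the configuration templates are constructed and trimmed from the files above, and it assumes that BGP peers are addressed by each device's MPLS LSR ID, as they are in this example.

```python
import re

# Constructed templates, trimmed from the RR and PE files above to the lines the audit reads.
RR_TMPL = """#
mpls lsr-id {lsr}
#
bgp 100
 group {grp} internal
 #
 ipv4-family vpnv4
  reflector cluster-id {cid}
  {policy}
  peer {grp} enable
  peer {grp} reflect-client
  peer {c1} group {grp}
  peer {c2} group {grp}
#
return
"""
PE_TMPL = """#
mpls lsr-id {lsr}
#
bgp 100
 peer {rr1} as-number 100
 peer {rr2} as-number 100
 #
 ipv4-family vpnv4
  policy vpn-target
  peer {rr1} enable
  peer {rr2} enable
 #
 ipv4-family vpn-instance vpna
  import-route direct
#
return
"""


def bgp_families(cfg):
    """Return {family: [lines]} for the bgp section; 'base' is the bgp view itself."""
    fams, cur, in_bgp, after_hash = {}, None, False, False
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "#":
            after_hash = True
            continue
        if re.fullmatch(r"bgp \d+", line):
            in_bgp, cur = True, "base"
        elif in_bgp and line.startswith("ipv4-family "):
            cur = line.split(" ", 1)[1]
        elif in_bgp and after_hash:
            in_bgp = False  # '#' followed by a non-family line closes the bgp section
        if in_bgp:
            fams.setdefault(cur, []).append(line)
        after_hash = False
    return fams


def audit(configs, rrs, pes):
    """Check roadmap items 5-7; assumes peers are addressed by their MPLS LSR ID."""
    ident = {n: re.search(r"mpls lsr-id (\S+)", c).group(1) for n, c in configs.items()}
    vpnv4 = {n: bgp_families(c).get("vpnv4", []) for n, c in configs.items()}
    findings, cluster = [], {}
    for rr in rrs:
        lines = vpnv4[rr]
        ids = [l.split()[-1] for l in lines if l.startswith("reflector cluster-id ")]
        cluster[rr] = ids[0] if ids else None
        if "undo policy vpn-target" not in lines:
            findings.append(f"{rr}: VPN-target filtering is on, VPNv4 routes are not all accepted")
        # Reflect-client targets are group names or peer addresses; add group members.
        clients = {l.split()[1] for l in lines if l.endswith(" reflect-client")}
        clients |= {l.split()[1] for l in lines
                    if re.fullmatch(r"peer \S+ group \S+", l) and l.split()[3] in clients}
        for pe in pes:
            if ident[pe] not in clients:
                findings.append(f"{rr}: {pe} ({ident[pe]}) is not a VPNv4 reflector client")
    if None in cluster.values() or len(set(cluster.values())) != 1:
        findings.append(f"RR cluster IDs missing or different: {cluster}")
    for pe in pes:
        for rr in rrs:
            if f"peer {ident[rr]} enable" not in vpnv4[pe]:
                findings.append(f"{pe}: VPNv4 peer {rr} ({ident[rr]}) is not enabled")
    return findings


def sample(rr2_cid="100", rr2_policy="undo policy vpn-target", rr2_client="4.4.4.9"):
    """Build the four constructed device configs; arguments inject faults on RR2."""
    return {
        "RR1": RR_TMPL.format(lsr="2.2.2.9", grp="rr1", cid="100",
                              policy="undo policy vpn-target", c1="1.1.1.9", c2="4.4.4.9"),
        "RR2": RR_TMPL.format(lsr="3.3.3.9", grp="rr2", cid=rr2_cid,
                              policy=rr2_policy, c1="1.1.1.9", c2=rr2_client),
        "PE1": PE_TMPL.format(lsr="1.1.1.9", rr1="2.2.2.9", rr2="3.3.3.9"),
        "PE2": PE_TMPL.format(lsr="4.4.4.9", rr1="2.2.2.9", rr2="3.3.3.9"),
    }


if __name__ == "__main__":
    print("\n".join(audit(sample(rr2_cid="200"), ["RR1", "RR2"], ["PE1", "PE2"])))
```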

7.9.20 Example for Connecting a VPN to the Internet


Networking Requirements
As shown in Figure 7-61, CE1 and CE2 need to communicate with each other, and
users connected to CE1 need to connect to the Internet.
To enable users connected to CE1 to access the Internet, connect an agent server
to CE1 and configure a public IP address for the agent server. Then users
connected to CE1 can access the Internet through the agent server. In this
example, P represents the Internet.

Figure 7-61 Networking diagram for connecting a VPN to the Internet

[Figure: CE1 (AS 65410), PE1, P, PE2, and CE2 (AS 65420) are connected in a chain. PE1, P, and PE2 are in AS 100, and P represents the Internet. An agent server is attached to CE1. CE1 and CE2 belong to vpn1.]

Device        Interface  IP Address
PE1           Loopback1  1.1.1.1/32
              GE1/0/0    10.1.1.2/24
              GE2/0/0    100.1.1.1/24
P             Loopback1  2.2.2.2/32
              GE1/0/0    100.1.1.2/24
              GE2/0/0    100.2.1.1/24
PE2           Loopback1  3.3.3.3/32
              GE1/0/0    100.2.1.2/24
              GE2/0/0    10.2.1.2/24
CE1           GE1/0/0    10.1.1.1/24
              GE2/0/0    10.3.1.2/24
CE2           GE1/0/0    10.2.1.1/24
Agent Server  -          10.3.1.1/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic BGP/MPLS IP VPN functions.
2. Configure three static routes:
– On CE1, create a default route and specify PE1 as the next hop.
– On PE1, configure a default route from the VPN to the Internet and
specify P as the next hop. This route enables traffic to be transmitted
from the agent server to the Internet.
– On PE1, configure a static route from the Internet to the agent server and
specify CE1 as the next hop. Configure IGP to advertise the static route to
the Internet. This route enables traffic to be transmitted from the Internet
to the agent server.

Procedure
Step 1 Assign IP addresses to interfaces according to Figure 7-61.
# Configure PE1.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip address 100.1.1.1 24
[PE1-GigabitEthernet2/0/0] quit

The configuration on PE2, P, CE1, and CE2 is similar to the configuration on PE1
and is not mentioned here.
Step 2 Configure an IGP protocol on the MPLS backbone network for IP connectivity.
# Configure PE1.
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

The configuration on PE2 and P is similar to the configuration on PE1 and is not
mentioned here.

NOTE

The IP addresses of loopback interfaces that are used as LSR IDs need to be advertised.

After the configuration is complete, the devices on the backbone network can
learn the loopback interface addresses from each other.
Step 3 Set up MPLS LDP LSPs and an MP-IBGP peer relationship between the devices on
the backbone network.
# Enable MPLS LDP on PE1 to set up MPLS LDP LSPs.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] mpls
[PE1-GigabitEthernet2/0/0] mpls ldp
[PE1-GigabitEthernet2/0/0] quit

The configuration on PE2 and P is similar to the configuration on PE1 and is not
mentioned here.

After the configuration is complete, run the display mpls ldp session command
on P. The command output shows that the LDP sessions between PE1 and P, and
between PE2 and P are in Operational state.

The information displayed on P is used as an example.


[P] display mpls ldp session

LDP Session(s) in Public Network


Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
1.1.1.1:0 Operational DU Active 0000:00:00 2/2
3.3.3.3:0 Operational DU Active 0000:23:08 5556/5555
------------------------------------------------------------------------------
TOTAL: 2 session(s) Found.

# Configure an MP-IBGP peer on PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.3 as-number 100
[PE1-bgp] peer 3.3.3.3 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.3 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

The configuration on PE2 is similar to the configuration on PE1 and is not
mentioned here.

Run the display bgp vpnv4 all peer command on PE1 and PE2. The command
output shows that an MP-IBGP peer relationship has been set up between the PEs
and is in Established state. The information displayed on PE1 is used as an
example.
[PE1] display bgp vpnv4 all peer

BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 1          Peers in established state : 1

Peer       V  AS     MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv

3.3.3.3    4  100    6        8        0     00:03:48  Established  2

Step 4 Create VPN instances and set up EBGP peer relationships.

# Create VPN instance vpn1 on the PEs and bind it to the interfaces connected to
CEs. The information displayed on PE1 is used as an example.

[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] ipv4-family
[PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 both
[PE1-vpn-instance-vpn1-af-ipv4] quit
[PE1-vpn-instance-vpn1] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpn1
[PE1-GigabitEthernet1/0/0] ip address 10.1.1.2 24
[PE1-GigabitEthernet1/0/0] quit

The configuration on PE2 is similar to the configuration on PE1 and is not
mentioned here.
Set up EBGP peer relationships between PE1 and CE1 and between PE2 and CE2
so that routes of the CEs can be advertised to the PEs. The configuration on CE1
and PE1 is used as an example.
# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

The configuration on CE2 is similar to the configuration on CE1 and is not
mentioned here.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] import-route static
[PE1-bgp-vpn1] quit
[PE1-bgp] quit

The configuration on PE2 is similar to the configuration on PE1 and is not
mentioned here.
After the configuration is complete, run the display ip vpn-instance command on
the PEs. In the command output, vpn1 is displayed in the VPN-Instance Name
field.
The information displayed on PE1 is used as an example.
[PE1] display ip vpn-instance
Total VPN-Instances configured      : 1
Total IPv4 VPN-Instances configured : 1
Total IPv6 VPN-Instances configured : 0

VPN-Instance Name    RD       Address-family
vpn1                 100:1    IPv4

Run the display bgp vpnv4 all peer command on the PEs. The command output
shows that the IBGP and EBGP peer relationships are all in Established state.
The information displayed on PE1 is used as an example.
[PE1] display bgp vpnv4 all peer

BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 2          Peers in established state : 2

Peer       V  AS     MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv

3.3.3.3    4  100    127      134      0     01:39:44  Established  2

Peer of IPv4-family for vpn instance :

VPN-Instance vpn1, Router ID 1.1.1.1:
10.1.1.1   4  65410  107      110      0     01:26:33  Established  3

Step 5 Configure static routes to enable VPN users to access the Internet.

# On CE1, create a default route and specify PE1 as the next hop.
[CE1] ip route-static 0.0.0.0 0 10.1.1.2

# Configure PE1.

# Configure a default route from the agent server to the Internet and specify P as
the next hop. Specify the public keyword in the command to use the public IP
address of P as the next hop address.

[PE1] ip route-static vpn-instance vpn1 0.0.0.0 0 100.1.1.2 public

NOTE

If the CEs and PEs are connected through an Ethernet network, you must specify the next
hop when configuring the static route.

# Configure a static route from the Internet to the agent server and specify CE1 as
the next hop.
[PE1] ip route-static 10.3.1.0 24 vpn-instance vpn1 10.1.1.1

# Advertise the preceding static route to the Internet using an IGP (OSPF in this
example).
[PE1] ospf 1
[PE1-ospf-1] import-route static
[PE1-ospf-1] quit

# Configure the agent server. Set the IP address of the agent server to 10.3.1.1/24
and the default gateway address of the agent server to 10.3.1.2/24 (address of
CE1). In addition, the agent server must run the agent software.

Step 6 Verify the configuration.

# Run the display ip routing-table vpn-instance vpn1 command on PE1 to check
the VPN routing table of vpn1. The VPN routing table has a default route with the
next hop address 100.1.1.2 and the outbound interface GE2/0/0.
[PE1] display ip routing-table vpn-instance vpn1
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpn1
Destinations : 7 Routes : 7
Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface
0.0.0.0/0           Static  60   0     RD     100.1.1.2       GigabitEthernet2/0/0
10.1.1.0/24         Direct  0    0     D      10.1.1.2        GigabitEthernet1/0/0
10.1.1.2/32         Direct  0    0     D      127.0.0.1       GigabitEthernet1/0/0
10.1.1.255/32       Direct  0    0     D      127.0.0.1       GigabitEthernet1/0/0
10.2.1.0/24         IBGP    255  0     RD     3.3.3.3         GigabitEthernet2/0/0
10.3.1.0/24         EBGP    255  0     D      10.1.1.1        GigabitEthernet1/0/0
255.255.255.255/32  Direct  0    0     D      127.0.0.1       InLoopBack0

# Run the display ip routing-table command on PE1 to check the IP routing
table on PE1. The routing table has a route to the agent server, in which the next
hop address is 10.1.1.1.
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 12 Routes : 12
Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface
1.1.1.1/32          Direct  0    0     D      127.0.0.1       LoopBack1
2.2.2.2/32          OSPF    10   1     D      100.1.1.2       GigabitEthernet2/0/0
3.3.3.3/32          OSPF    10   2     D      100.1.1.2       GigabitEthernet2/0/0
100.1.1.0/24        Direct  0    0     D      100.1.1.1       GigabitEthernet2/0/0
100.1.1.1/32        Direct  0    0     D      127.0.0.1       GigabitEthernet2/0/0
100.1.1.255/32      Direct  0    0     D      127.0.0.1       GigabitEthernet2/0/0
100.2.1.0/24        OSPF    10   2     D      100.1.1.2       GigabitEthernet2/0/0
10.3.1.0/24         Static  60   0     RD     10.1.1.1        GigabitEthernet1/0/0
127.0.0.0/8         Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0     D      127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0     D      127.0.0.1       InLoopBack0

# P can ping the agent server.
[P] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=1 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=1 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=1 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=1 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=1 ms

--- 10.3.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms

# The agent server can access P on the Internet.

----End

Configuration Files
● CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.3.1.2 255.255.255.0
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
#
return

● PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 100.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 65410
import-route static
import-route direct
#
ospf 1
import-route static
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 100.1.1.0 0.0.0.255
#
ip route-static 10.3.1.0 255.255.255.0 vpn-instance vpn1 10.1.1.1
ip route-static vpn-instance vpn1 0.0.0.0 0.0.0.0 100.1.1.2 public
#
return

● P configuration file
#
sysname P
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 100.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 100.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 100.1.1.0 0.0.0.255
network 100.2.1.0 0.0.0.255
#
return
● PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 100.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 65420
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 100.2.1.0 0.0.0.255
#
return
● CE2 configuration file
#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
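
Step 5 of the preceding example joins the vpn1 and public routing tables on PE1 with two static routes, and OSPF then advertises the public one. The following is an added example, not part of the Huawei guide: it lists every such cross-table static route in a saved configuration so that these intended exceptions to VPN isolation can be reviewed. The function names and finding fields are assumptions of this example, and the input is a constructed excerpt of the PE1 configuration file above.

```python
import ipaddress
import re

# Constructed excerpt of the PE1 configuration file above (OSPF section and
# static routes only), with VRP's one-space indentation restored.
PE1_CONFIG = """\
#
ospf 1
 import-route static
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 100.1.1.0 0.0.0.255
#
ip route-static 10.3.1.0 255.255.255.0 vpn-instance vpn1 10.1.1.1
ip route-static vpn-instance vpn1 0.0.0.0 0.0.0.0 100.1.1.2 public
#
return
"""

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_static(line):
    """Parse an 'ip route-static' line: (table, prefix, next-hop table, next hop)."""
    tok = line.split()[2:]
    table = "public"
    if tok[0] == "vpn-instance":            # route is installed in a VPN routing table
        table, tok = tok[1], tok[2:]
    prefix = ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False)
    rest = tok[2:]
    nh_table = table                        # default: next hop resolved in the same table
    if rest and rest[0] == "vpn-instance":  # next hop belongs to a VPN instance
        nh_table, rest = rest[1], rest[2:]
    elif "public" in rest:                  # VPN route resolved through the public table
        nh_table = "public"
    next_hop = next((t for t in rest if IPV4.fullmatch(t)), None)
    return table, prefix, nh_table, next_hop


def public_ospf_imports_static(config):
    """True if an OSPF process of the public table has 'import-route static'."""
    for chunk in re.split(r"(?m)^#[ \t]*$", config):   # '#' lines separate sections
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if (lines and lines[0].startswith("ospf ")
                and "vpn-instance" not in lines[0]
                and "import-route static" in lines):
            return True
    return False


def cross_table_routes(config):
    """List static routes whose next hop is resolved in a different routing table."""
    redistributed = public_ospf_imports_static(config)
    findings = []
    for line in config.splitlines():
        if not line.startswith("ip route-static "):
            continue
        table, prefix, nh_table, next_hop = parse_static(line)
        if table != nh_table:
            findings.append({
                "table": table,
                "prefix": str(prefix),
                "via": f"{next_hop} ({nh_table})",
                "default_route": prefix.prefixlen == 0,
                # a public-table static is advertised onward when OSPF imports statics
                "advertised_by_ospf": table == "public" and redistributed,
            })
    return findings


if __name__ == "__main__":
    for finding in cross_table_routes(PE1_CONFIG):
        print(finding)
```

A route between a CE and its PE inside one table, such as the default route on CE1, is not reported; only routes whose next hop sits in another table are.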

7.9.21 Example for Configuring BGP/MPLS IP VPN to Use a GRE Tunnel
Networking Requirements
NOTE

The AR100&AR120&AR150&AR160&AR200 cannot be used in this scenario.

In Figure 7-62:
● Branch 1 connects to the VPN backbone network through CE1 and PE1.
● Branch 2 connects to the VPN backbone network through CE2 and PE2.
On the backbone network, PEs provide MPLS functions, and the P does not
provide MPLS functions.
The enterprise wants to establish a GRE tunnel between the PEs and use IP to
forward VPN packets over the IP network.

Figure 7-62 Networking diagram for configuring BGP/MPLS IP VPN to use a GRE
tunnel
(Figure not reproduced; it shows the following devices and interface addresses.)
Backbone network (AS 100), with a GRE tunnel between PE1 and PE2:
● PE1: GE1/0/0 10.1.1.2/24, GE2/0/0 172.1.1.1/24, Loopback1 10.10.1.1/32,
Tunnel0/0/1 10.3.1.1/24
● P: GE1/0/0 172.1.1.2/24, GE2/0/0 172.2.1.1/24
● PE2: GE1/0/0 10.2.1.2/24, GE2/0/0 172.2.1.2/24, Loopback1 10.10.2.1/32,
Tunnel0/0/1 10.3.1.2/24
Sites in vpn1:
● CE1 (AS 65410): GE1/0/0 10.1.1.1/24
● CE2 (AS 65420): GE1/0/0 10.2.1.1/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF between the PEs and P to implement IP connectivity on the
backbone network.
2. Create a GRE tunnel between PEs so that VPN packets can be transmitted
over the GRE tunnel.
3. Configure VPN instances on PEs and bind each PE interface connected to a CE
to a VPN instance.
4. Because the P device does not support MPLS functions, an LSP cannot be used
to transmit VPN packets. Configure a tunnel policy on the PEs to specify that
VPN packets are transmitted over a GRE tunnel, and apply the tunnel policy.
5. Establish EBGP peer relationships between PEs and CEs to exchange routes so
that a CE can learn routes from the peer CE and CE1 can communicate with
CE2.

Procedure
Step 1 Configure an IP address for each interface.
# Configure CE1.
<Huawei> system-view
[Huawei] sysname CE1
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[CE1-GigabitEthernet1/0/0] quit

# Configure IP addresses for interfaces on PE1 except the interface to be bound to
a VPN instance. This is because all configurations on this interface are deleted
when the interface is bound to a VPN instance.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip address 172.1.1.1 24
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 10.10.1.1 32
[PE1-LoopBack1] quit

# Configure the P device.
<Huawei> system-view
[Huawei] sysname P
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] ip address 172.1.1.2 24
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] ip address 172.2.1.1 24
[P-GigabitEthernet2/0/0] quit

# Configure IP addresses for interfaces on PE2 except the interface to be bound to
a VPN instance. This is because all configurations on this interface are deleted
when the interface is bound to a VPN instance.
<Huawei> system-view
[Huawei] sysname PE2
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] ip address 172.2.1.2 24
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 10.10.2.1 32
[PE2-LoopBack1] quit

# Configure CE2.
<Huawei> system-view
[Huawei] sysname CE2
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] ip address 10.2.1.1 24
[CE2-GigabitEthernet1/0/0] quit

Step 2 Configure IGP on the MPLS backbone network to implement interworking
between PEs.
# Configure PE1.
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 10.10.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure the P device.
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit

# Configure PE2.
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 10.10.2.1 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

After the configurations are complete, OSPF neighbor relationships can be set up
between PE1, P, and PE2. Run the display ospf peer command. You can see that
the neighbor status is Full. Run the display ip routing-table command. You can
see that PEs have learnt the routes to Loopback1 of each other.
Step 3 Configure a GRE tunnel.
# Configure PE1.
[PE1] interface tunnel 0/0/1
[PE1-Tunnel0/0/1] tunnel-protocol gre
[PE1-Tunnel0/0/1] source loopback 1
[PE1-Tunnel0/0/1] destination 10.10.2.1
[PE1-Tunnel0/0/1] ip address 10.3.1.1 24
[PE1-Tunnel0/0/1] quit

# Configure PE2.
[PE2] interface tunnel 0/0/1
[PE2-Tunnel0/0/1] tunnel-protocol gre
[PE2-Tunnel0/0/1] source loopback 1
[PE2-Tunnel0/0/1] destination 10.10.1.1
[PE2-Tunnel0/0/1] ip address 10.3.1.2 24
[PE2-Tunnel0/0/1] quit

Step 4 Enable basic MPLS functions on the PEs.
# Configure PE1.
[PE1] mpls lsr-id 10.10.1.1
[PE1] mpls
[PE1-mpls] quit

# Configure PE2.
[PE2] mpls lsr-id 10.10.2.1
[PE2] mpls
[PE2-mpls] quit

Step 5 Configure VPN instances on PEs and bind each interface that connects a PE to a
CE to a VPN instance. Apply tunnel policies on the PEs to specify the GRE tunnel
used to forward VPN packets.
# Configure PE1.
[PE1] tunnel-policy gre1
[PE1-tunnel-policy-gre1] tunnel select-seq gre load-balance-number 1
[PE1-tunnel-policy-gre1] quit
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] ipv4-family
[PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 100:1 both
[PE1-vpn-instance-vpn1-af-ipv4] tnl-policy gre1
[PE1-vpn-instance-vpn1-af-ipv4] quit
[PE1-vpn-instance-vpn1] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpn1
[PE1-GigabitEthernet1/0/0] ip address 10.1.1.2 24
[PE1-GigabitEthernet1/0/0] quit

# Configure PE2.
[PE2] tunnel-policy gre1
[PE2-tunnel-policy-gre1] tunnel select-seq gre load-balance-number 1
[PE2-tunnel-policy-gre1] quit
[PE2] ip vpn-instance vpn1
[PE2-vpn-instance-vpn1] ipv4-family
[PE2-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:2
[PE2-vpn-instance-vpn1-af-ipv4] vpn-target 100:1 both
[PE2-vpn-instance-vpn1-af-ipv4] tnl-policy gre1
[PE2-vpn-instance-vpn1-af-ipv4] quit
[PE2-vpn-instance-vpn1] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpn1
[PE2-GigabitEthernet1/0/0] ip address 10.2.1.2 24
[PE2-GigabitEthernet1/0/0] quit

After the configurations are complete, run the display ip vpn-instance verbose
command on PEs to view the configurations of VPN instances. Each PE can ping its
local CE.

NOTE

If a PE has multiple interfaces bound to the same VPN instance, specify a source IP address
by setting -a source-ip-address in the ping -vpn-instance vpn-instance-name
-a source-ip-address dest-ip-address command to ping a remote CE. If the source IP
address is not specified, the ping operation fails.

Step 6 Set up EBGP peer relationships between the PEs and CEs and import VPN routes
to EBGP.
# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] quit
[PE1-bgp] quit

# Configure CE2.
[CE2] bgp 65420
[CE2-bgp] peer 10.2.1.2 as-number 100
[CE2-bgp] import-route direct
[CE2-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpn1
[PE2-bgp-vpn1] peer 10.2.1.1 as-number 65420
[PE2-bgp-vpn1] quit
[PE2-bgp] quit

After the configurations are complete, run the display bgp vpnv4 vpn-instance
peer command on PEs. You can see that BGP peer relationships have been
established between PEs and CEs and are in Established state.
The command output on PE1 is used as an example.

[PE1] display bgp vpnv4 vpn-instance vpn1 peer

BGP local router ID : 10.10.1.1
Local AS number : 100

VPN-Instance vpn1, Router ID 10.10.1.1:
Total number of peers : 1          Peers in established state : 1

Peer       V  AS     MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv

10.1.1.1   4  65410  6        3        0     00:01:14  Established  3

Step 7 Set up an MP-IBGP peer relationship between PEs.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 10.10.2.1 as-number 100
[PE1-bgp] peer 10.10.2.1 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 10.10.2.1 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 10.10.1.1 as-number 100
[PE2-bgp] peer 10.10.1.1 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 10.10.1.1 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit

After the configurations are complete, run the display bgp vpnv4 all peer
command on a PE. The command output shows that the BGP peer relationships
have been established between the PEs and are in the Established state.
[PE1] display bgp vpnv4 all peer

BGP local router ID : 10.10.1.1
Local AS number : 100
Total number of peers : 2          Peers in established state : 2

Peer       V  AS     MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv

10.10.2.1  4  100    4        7        0     00:02:54  Established  0

Peer of IPv4-family for vpn instance :

VPN-Instance vpn1, Router ID 10.10.1.1:
10.1.1.1   4  65410  122      119      0     01:57:43  Established  3

Step 8 Verify the configuration.
# After the configuration is complete, CEs can learn routes to each other. CEs can
successfully ping each other.
# The command output on CE1 is used as an example.
[CE1] display ip routing-table 10.2.1.0
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface

10.2.1.0/24         EBGP    255  0     D      10.1.1.2        GigabitEthernet1/0/0

[CE1] ping 10.2.1.1
PING 10.2.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=253 time=1 ms
Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=253 time=1 ms
Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=253 time=1 ms
Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=253 time=10 ms
Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=253 time=1 ms

--- 10.2.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/2/10 ms

----End

Configuration Files
● Configuration file of CE1
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return

● Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
tnl-policy gre1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
mpls lsr-id 10.10.1.1
mpls
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 172.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 10.10.1.1 255.255.255.255
#
interface Tunnel0/0/1
ip address 10.3.1.1 255.255.255.0
tunnel-protocol gre
source LoopBack1
destination 10.10.2.1
#
tunnel-policy gre1
tunnel select-seq gre load-balance-number 1
#
bgp 100
peer 10.10.2.1 as-number 100
peer 10.10.2.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 10.10.2.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 10.10.2.1 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 65410
import-route direct
#
ospf 1
area 0.0.0.0
network 10.10.1.1 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
● Configuration file of the P device
#
sysname P
#
interface GigabitEthernet1/0/0
ip address 172.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 172.2.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
#
return
● Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:2
tnl-policy gre1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
mpls lsr-id 10.10.2.1
mpls
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 172.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 10.10.2.1 255.255.255.255
#
interface Tunnel0/0/1
ip address 10.3.1.2 255.255.255.0
tunnel-protocol gre
source LoopBack1
destination 10.10.1.1
#
tunnel-policy gre1
tunnel select-seq gre load-balance-number 1
#
bgp 100
peer 10.10.1.1 as-number 100
peer 10.10.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 10.10.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 10.10.1.1 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 10.10.2.1 0.0.0.0
network 172.2.1.0 0.0.0.255
#
return

● Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
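
The roadmap for this example depends on three settings agreeing on both PEs: matching route targets, a tunnel policy that selects gre bound to the VPN instance, and GRE tunnel endpoints that mirror each other. The following is an added example, not part of the Huawei guide, that checks those three points over two saved configurations; the function names and finding texts are assumptions of this example, and the inputs are constructed excerpts of the PE1 and PE2 configuration files above.

```python
import re

# Constructed excerpts of the PE1 and PE2 configuration files above: only the
# sections the checks read, with VRP's one-space indentation restored.
PE1 = """\
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 100:1
  tnl-policy gre1
  vpn-target 100:1 export-extcommunity
  vpn-target 100:1 import-extcommunity
#
interface LoopBack1
 ip address 10.10.1.1 255.255.255.255
#
interface Tunnel0/0/1
 ip address 10.3.1.1 255.255.255.0
 tunnel-protocol gre
 source LoopBack1
 destination 10.10.2.1
#
tunnel-policy gre1
 tunnel select-seq gre load-balance-number 1
"""
PE2 = """\
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 100:2
  tnl-policy gre1
  vpn-target 100:1 export-extcommunity
  vpn-target 100:1 import-extcommunity
#
interface LoopBack1
 ip address 10.10.2.1 255.255.255.255
#
interface Tunnel0/0/1
 ip address 10.3.1.2 255.255.255.0
 tunnel-protocol gre
 source LoopBack1
 destination 10.10.1.1
#
tunnel-policy gre1
 tunnel select-seq gre load-balance-number 1
"""

def sections(cfg):
    """Map each section's first line to its sub-commands ('#' lines separate sections)."""
    out = {}
    for chunk in re.split(r"(?m)^#[ \t]*$", cfg):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            out[lines[0]] = lines[1:]
    return out

def vpn_instance(sec, name):
    """Return ({'export': RTs, 'import': RTs}, tunnel policy name or None)."""
    rts, policy = {"export": set(), "import": set()}, None
    for line in sec.get(f"ip vpn-instance {name}", []):
        tok = line.split()
        if tok[0] == "vpn-target":
            # last token: export-extcommunity, import-extcommunity or both
            dirs = [d for d in rts if tok[-1].startswith(d)] or list(rts)
            for d in dirs:
                rts[d].update(t for t in tok[1:] if ":" in t)
        elif tok[0] == "tnl-policy":
            policy = tok[1]
    return rts, policy

def gre_endpoints(sec):
    """Return (source address, destination address) of the GRE tunnel interface."""
    for header, body in sec.items():
        if header.startswith("interface Tunnel") and "tunnel-protocol gre" in body:
            kv = dict(ln.split(None, 1) for ln in body if " " in ln)
            src = kv.get("source")
            if f"interface {src}" in sec:  # source given as an interface name
                addrs = [ln.split()[2] for ln in sec[f"interface {src}"] if ln.startswith("ip address ")]
                src = addrs[0] if addrs else None
            return src, kv.get("destination")
    return None

def audit_pair(cfg_a, cfg_b, vpn="vpn1"):
    """Return findings for a PE pair; an empty list means the checks passed."""
    a, b, findings = sections(cfg_a), sections(cfg_b), []
    (rt_a, pol_a), (rt_b, pol_b) = vpn_instance(a, vpn), vpn_instance(b, vpn)
    if not rt_a["export"] & rt_b["import"]:
        findings.append("A exports no route target that B imports")
    if not rt_b["export"] & rt_a["import"]:
        findings.append("B exports no route target that A imports")
    for side, sec, pol in (("A", a, pol_a), ("B", b, pol_b)):
        seq = [ln for ln in sec.get(f"tunnel-policy {pol}", []) if ln.startswith("tunnel select-seq")]
        if not seq or "gre" not in seq[0].split():
            findings.append(f"{side}: {vpn} has no tunnel policy that selects gre")
    ep_a, ep_b = gre_endpoints(a), gre_endpoints(b)
    if not ep_a or not ep_b or ep_a != ep_b[::-1]:
        findings.append(f"GRE endpoints do not mirror each other: {ep_a} / {ep_b}")
    return findings
```

Calling audit_pair(PE1, PE2) on the excerpts returns an empty list; the same checks work on configurations without indentation because only the '#' separators are used to find sections.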

7.9.22 Example for Configuring L3VPN Using LDP Signaling over GRE
Networking Requirements
In Figure 7-63:
● Branch 1 connects to the VPN backbone network through CE1 and PE1.
● Branch 2 connects to the VPN backbone network through CE2 and PE2.
On the backbone network, PEs provide MPLS functions, and the P does not
provide MPLS functions.
The enterprise wants to deploy BGP/MPLS IP VPN between PE1 and PE2 and use
LDP LSPs to transmit VPN data so that CE1 can communicate with CE2.

Figure 7-63 Networking for configuring L3VPN using LDP signaling over
(Figure not reproduced; it shows the following devices and interface addresses.)
Backbone network (AS 100), with a GRE tunnel between PE1 and PE2:
● PE1: GE1/0/0 10.1.1.2/24, GE2/0/0 172.1.1.1/24, Loopback0 1.1.1.1/32,
Loopback1 1.1.1.9/32, Tunnel0/0/1 20.1.1.1/24
● P: GE1/0/0 172.1.1.2/24, GE2/0/0 172.2.1.1/24
● PE2: GE1/0/0 10.2.1.2/24, GE2/0/0 172.2.1.2/24, Loopback0 2.2.2.2/32,
Loopback1 2.2.2.9/32, Tunnel0/0/1 20.1.1.2/24
Sites in vpn1:
● CE1 (AS 65410): GE1/0/0 10.1.1.1/24
● CE2 (AS 65420): GE1/0/0 10.2.1.1/24

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure OSPF between the PEs and P to implement IP connectivity on the
backbone network.
2. Configure basic MPLS functions and MPLS LDP on PEs so that MPLS LSPs can
be established to transmit VPN data.
3. Because the P device does not support MPLS functions and an LSP is required
to transmit VPN data, use LDP over GRE so that a GRE tunnel is set up
between PEs to transmit services over LDP LSPs. Create GRE tunnel interfaces
on PEs, specify source and destination addresses of the tunnel, and establish a
GRE tunnel between PEs to implement interworking on the MPLS network.
4. Enable MPLS LDP on tunnel interfaces to implement LDP over GRE and
establish MPLS LSPs.
5. Configure VPN instances on PEs and bind each PE interface connected to a CE
to a VPN instance.
6. Establish an MP-IBGP peer relationship between PE1 and PE2, and establish
EBGP peer relationships between PEs and CEs and import VPN routes, so that
CE1 can communicate with CE2.

NOTE

The IP address of the Loopback1 interface is used as the LSR ID; that is, LDP uses this IP
address to establish a session. A GRE tunnel interface must have an IP address configured and
uses the addresses of the Loopback0 interfaces as its source and destination addresses. The
tunnel source and destination addresses and the physical interface addresses are advertised by
one IGP, and the Loopback1 address and the tunnel interface address are advertised by another
IGP or by a static route. If a static route is used, specify the tunnel interface as the
outbound interface.

Procedure
Step 1 Configure OSPF between the PEs and P to implement IP connectivity on the
backbone network.
# Configure PE1.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip address 172.1.1.1 24
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface loopback 0
[PE1-LoopBack0] ip address 1.1.1.1 32
[PE1-LoopBack0] quit
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

The configurations of PE2 and P are similar to the configuration of PE1, and are
not mentioned here.
After the configurations are complete, OSPF neighbor relationships can be set up
between PE1, P, and PE2. Run the display ospf peer command. You can see that
the neighbor status is Full. Run the display ip routing-table command. You can
see that PEs have learnt the routes to Loopback1 of each other.
Step 2 Enable basic MPLS functions and MPLS LDP on PEs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit

# Configure PE2.
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit

Step 3 Create GRE tunnel interfaces on PEs, and specify source and destination addresses
of the tunnel.
Create and configure GRE tunnel interfaces on PE1 and PE2, and establish a GRE
tunnel between PEs to implement interworking on the MPLS network.
# Configure PE1.
[PE1] interface tunnel 0/0/1
[PE1-Tunnel0/0/1] tunnel-protocol gre
[PE1-Tunnel0/0/1] ip address 20.1.1.1 24
[PE1-Tunnel0/0/1] source loopback 0
[PE1-Tunnel0/0/1] destination 2.2.2.2
[PE1-Tunnel0/0/1] quit
[PE1] ospf 11
[PE1-ospf-11] area 0
[PE1-ospf-11-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-11-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[PE1-ospf-11-area-0.0.0.0] quit
[PE1-ospf-11] quit

# Configure PE2.
[PE2] interface tunnel 0/0/1
[PE2-Tunnel0/0/1] tunnel-protocol gre
[PE2-Tunnel0/0/1] ip address 20.1.1.2 24
[PE2-Tunnel0/0/1] source loopback 0
[PE2-Tunnel0/0/1] destination 1.1.1.1
[PE2-Tunnel0/0/1] quit
[PE2] ospf 11
[PE2-ospf-11] area 0
[PE2-ospf-11-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-11-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[PE2-ospf-11-area-0.0.0.0] quit
[PE2-ospf-11] quit

After the configurations are complete, a GRE tunnel is set up between PE1 and
PE2. Run the display ip routing-table command. You can see that PEs have learnt
the routes to Loopback1 of each other.
Step 4 Enable MPLS LDP on tunnel interfaces of PEs.
Enable MPLS LDP on tunnel interfaces of PE1 and PE2 so that MPLS LSPs can be
established.
# Configure PE1.
[PE1] interface tunnel 0/0/1
[PE1-Tunnel0/0/1] mpls
[PE1-Tunnel0/0/1] mpls ldp
[PE1-Tunnel0/0/1] quit

# Configure PE2.
[PE2] interface tunnel 0/0/1
[PE2-Tunnel0/0/1] mpls
[PE2-Tunnel0/0/1] mpls ldp
[PE2-Tunnel0/0/1] quit

After the configurations are complete, an LDP session can be set up between PE1
and PE2. Run the display mpls ldp session command. You can see that the Status
field is Operational in the command output.
Step 5 Configure a VPN instance on each PE and connect CEs to PEs.
# Configure PE1.
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] ipv4-family
[PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 100:1 both
[PE1-vpn-instance-vpn1-af-ipv4] quit
[PE1-vpn-instance-vpn1] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpn1
[PE1-GigabitEthernet1/0/0] ip address 10.1.1.2 24
[PE1-GigabitEthernet1/0/0] quit

# Configure PE2.
[PE2] ip vpn-instance vpn1
[PE2-vpn-instance-vpn1] ipv4-family
[PE2-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:2
[PE2-vpn-instance-vpn1-af-ipv4] vpn-target 100:1 both


[PE2-vpn-instance-vpn1-af-ipv4] quit
[PE2-vpn-instance-vpn1] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpn1
[PE2-GigabitEthernet1/0/0] ip address 10.2.1.2 24
[PE2-GigabitEthernet1/0/0] quit

Configure IP addresses for CE interfaces according to Figure 7-63.


# Configure CE1.
<Huawei> system-view
[Huawei] sysname CE1
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[CE1-GigabitEthernet1/0/0] quit

The configuration of CE2 is similar to that of CE1, and is not mentioned here.
After the configurations are complete, run the display ip vpn-instance verbose
command on PEs to view the configurations of VPN instances. Each PE can
successfully ping the connected CE.

NOTE

If multiple interfaces on a PE are bound to the same VPN instance, specify a source IP
address by specifying -a source-ip-address in the ping -vpn-instance vpn-instance-name
-a source-ip-address dest-ip-address command to ping the remote CE. Otherwise, the ping
operation fails.

Step 6 Set up EBGP peer relationships between the PEs and CEs and import VPN routes
to EBGP.
# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] quit
[PE1-bgp] quit

# Configure CE2.
[CE2] bgp 65420
[CE2-bgp] peer 10.2.1.2 as-number 100
[CE2-bgp] import-route direct
[CE2-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpn1
[PE2-bgp-vpn1] peer 10.2.1.1 as-number 65420
[PE2-bgp-vpn1] quit
[PE2-bgp] quit

After the configurations are complete, run the display bgp vpnv4 vpn-instance
peer command on PEs. You can see that BGP peer relationships have been
established between PEs and CEs and are in Established state.

The display on PE1 is used as an example.


[PE1] display bgp vpnv4 vpn-instance vpn1 peer

BGP local router ID : 1.1.1.9
Local AS number : 100

VPN-Instance vpn1, Router ID 1.1.1.9:
Total number of peers : 1 Peers in established state : 1

Peer       V  AS     MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
10.1.1.1   4  65410  6        3        0     00:01:14  Established  3

Step 7 Set up an MP-IBGP peer relationship between PEs.


# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit

After the configurations are complete, run the display bgp vpnv4 all peer
command on a PE. You can see that the BGP peer relationship between PEs is in
Established state.
[PE1] display bgp vpnv4 all peer

BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 2 Peers in established state : 2

Peer       V  AS     MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
2.2.2.9    4  100    4        7        0     00:02:54  Established  0

Peer of IPv4-family for vpn instance :

VPN-Instance vpn1, Router ID 1.1.1.9:
10.1.1.1   4  65410  122      119      0     01:57:43  Established  3

Step 8 Verify the configuration.


# After the configurations are complete, CEs can learn routes to the interface of
each other, and can ping each other successfully.
# The display on CE1 is used as an example.
[CE1] display ip routing-table 10.2.1.0
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1

Destination/Mask  Proto  Pre  Cost  Flags  NextHop   Interface
10.2.1.0/24       EBGP   255  0     D      10.1.1.2  GigabitEthernet1/0/0

[CE1] ping 10.2.1.1
PING 10.2.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=253 time=1 ms
Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=253 time=1 ms
Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=253 time=1 ms
Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=253 time=10 ms
Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=253 time=1 ms

--- 10.2.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/2/10 ms

----End

Configuration Files
● CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return

● PE1 configuration file


#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 172.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
interface Tunnel0/0/1
ip address 20.1.1.1 255.255.255.0
tunnel-protocol gre
source LoopBack0
destination 2.2.2.2
mpls
mpls ldp
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 65410
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 172.1.1.0 0.0.0.255
#
ospf 11
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 20.1.1.0 0.0.0.255
#
return
● P configuration file
#
sysname P
#
interface GigabitEthernet1/0/0
ip address 172.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 172.2.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
#
return
● PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:2
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 172.2.1.2 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
interface Tunnel0/0/1
ip address 20.1.1.2 255.255.255.0
tunnel-protocol gre
source LoopBack0
destination 1.1.1.1
mpls
mpls ldp
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 172.2.1.0 0.0.0.255
#
ospf 11
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 20.1.1.0 0.0.0.255
#
return

● CE2 configuration file


#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return

7.9.23 Example for Configuring L3VPN with LDP Signals Carried by DSVPN
Networking Requirements
As shown in Figure 7-64, a large-scale enterprise has deployed a production
network vpn1 and an office network vpn2 in the headquarters and branches
respectively. The enterprise establishes an IP/MPLS backbone network in its
headquarters, and its branches located in different areas use Spoke-PE to connect
to the IP/MPLS backbone network through the Internet. In this example, the
backbone network has only a Hub-P and PE1 and the enterprise has only two
branches. Spoke-PE2 and Spoke-PE3 in branches dynamically obtain their public
addresses. (Configurations related to dynamic address allocation are omitted in
this example and public addresses are manually specified.) Because the Internet
cannot provide the MPLS function for the enterprise, the production networks and
office networks in branches cannot communicate with those in the headquarters.
The enterprise wants to expand the IP/MPLS backbone network, deploy BGP/MPLS
IP VPN in the headquarters and branches, and use LDP LSPs to transmit data from
vpn1 and vpn2 to implement secure interconnection between the headquarters
and branches and between branches. VPN data between branches needs to be
forwarded by the headquarters so that the headquarters can monitor traffic in
real time.

Figure 7-64 Networking diagram for configuring L3VPN with LDP signals carried
by DSVPN

[Figure: network diagram. Spoke-PE2 (enterprise branch 1, Loopback1 2.2.2.9/32,
Tunnel0/0/1 172.10.1.2/24) and Spoke-PE3 (enterprise branch 2, Loopback1
3.3.3.9/32, Tunnel0/0/1 172.10.1.3/24) each connect a vpn1 site and a vpn2 site
and reach Hub-P (Loopback1 4.4.4.9/32, Tunnel0/0/1 172.10.1.1/24) over GRE
tunnels across the Internet. Hub-P connects to PE1 (Loopback1 1.1.1.9/32) in the
enterprise headquarters, and PE1 connects the headquarters vpn1 and vpn2 sites.]

Device      Interface   IP Address
Spoke-PE2   GE1/0/0     202.2.1.2/24
            GE2/0/0     192.168.11.1/24
            GE3/0/0     192.168.12.1/24
Spoke-PE3   GE1/0/0     202.3.1.2/24
            GE2/0/0     192.168.21.1/24
            GE3/0/0     192.168.22.1/24
PE1         GE1/0/0     172.1.1.1/24
            GE2/0/0     192.168.1.1/24
            GE3/0/0     192.168.2.1/24
Hub-P       GE1/0/0     202.1.1.2/24
            GE2/0/0     172.1.1.2/24

Configuration Roadmap
To expand the IP/MPLS backbone network and deploy BGP/MPLS IP VPN for an
enterprise, you need to add the Spoke-PE devices in the branches to the IP/MPLS
backbone network in the headquarters. MPLS LDP packets between the
headquarters and branches need to be transmitted over GRE tunnels because the
Internet cannot provide the MPLS function. As there are a large number of
branches and devices in the branches dynamically obtain their public addresses,
DSVPN is used to establish GRE tunnels between the headquarters and branches.
As a result, L3VPN with LDP signals carried by DSVPN can meet the requirements
of the enterprise.
The configuration roadmap for L3VPN with LDP signals carried by DSVPN is as
follows:
1. Configure branch devices to save only summarized routes to the
headquarters, configure OSPF on Hub-P and Spoke-PEs to advertise routes,
and set the OSPF network type to point-to-multipoint (P2MP), so that all VPN
data between branches is forwarded by the headquarters.
2. Enable MPLS LDP on tunnel interfaces of Spoke-PE2, Spoke-PE3, and Hub-P
and set up MPLS LSP tunnels to implement LDP over mGRE.
3. Configure L3VPN on Spoke-PE2, Spoke-PE3, and PE1 to implement secure
interconnection between the headquarters and branches and between
branches. Because there are a large number of branches, a route reflector can
be used to reduce the number of MP-IBGP connections between PEs.

NOTE

Do not configure NHRP redirection on the Hub because LDP over mGRE does not need to
establish tunnels for direct communication between branches.

Procedure
Step 1 Configure interface IP addresses and OSPF on Hub-P and PE1 to implement
interconnection on the IP/MPLS backbone network.
# Configure PE1.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] ip address 172.1.1.1 24
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

The configuration of Hub-P is similar to that of PE1, and is not mentioned here.
After the configuration is complete, an OSPF neighbor relationship can be set up
between Hub-P and PE1. Run the display ospf peer command. You can see that
the neighbor status is Full. Run the display ip routing-table command. You can
see that Hub-P and PE1 have learnt the routes to Loopback1 of each other.

Step 2 Configure interface IP addresses and static routes on Hub-P, Spoke-PE2, and
Spoke-PE3 to ensure that public routes are reachable.
Because Hub-P, Spoke-PE2, and Spoke-PE3 are directly connected to the Internet,
IP addresses and default static routes are manually specified here.
# Configure Spoke-PE2.
<Huawei> system-view
[Huawei] sysname Spoke-PE2
[Spoke-PE2] interface gigabitethernet 1/0/0
[Spoke-PE2-GigabitEthernet1/0/0] ip address 202.2.1.2 24
[Spoke-PE2-GigabitEthernet1/0/0] quit
[Spoke-PE2] interface loopback 1
[Spoke-PE2-LoopBack1] ip address 2.2.2.9 32
[Spoke-PE2-LoopBack1] quit
[Spoke-PE2] ip route-static 0.0.0.0 0 202.2.1.1

The configurations of Spoke-PE3 and Hub-P are similar to that of Spoke-PE2, and
are not mentioned here.
After the configuration is complete, devices can ping each other and public routes
are reachable.
Step 3 Create tunnel interfaces and configure DSVPN on Hub-P, Spoke-PE2, and
Spoke-PE3.
1. Create an mGRE interface, configure an IP address, and specify a source
tunnel interface.
# Configure Spoke-PE2.
[Spoke-PE2] interface tunnel 0/0/1
[Spoke-PE2-Tunnel0/0/1] ip address 172.10.1.2 24
[Spoke-PE2-Tunnel0/0/1] tunnel-protocol gre p2mp
[Spoke-PE2-Tunnel0/0/1] source gigabitethernet 1/0/0
[Spoke-PE2-Tunnel0/0/1] quit
The configurations of Spoke-PE3 and Hub-P are similar to that of Spoke-PE2,
and are not mentioned here.
2. Configure OSPF to advertise the MPLS LSR ID as DSVPN subnet information
through the tunnel interface.
# Configure Spoke-PE2.
[Spoke-PE2] ospf 1
[Spoke-PE2-ospf-1] area 0
[Spoke-PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[Spoke-PE2-ospf-1-area-0.0.0.0] network 172.10.1.0 0.0.0.255
[Spoke-PE2-ospf-1-area-0.0.0.0] quit
[Spoke-PE2-ospf-1] quit
The configurations of Spoke-PE3 and Hub-P are similar to that of Spoke-PE2,
and are not mentioned here.
3. Configure NHRP and set the OSPF network type to P2MP. Do not configure
NHRP redirection on the Hub-P.
# Configure Hub-P.
[Hub-P] interface tunnel 0/0/1
[Hub-P-Tunnel0/0/1] nhrp entry multicast dynamic
[Hub-P-Tunnel0/0/1] ospf network-type p2mp
[Hub-P-Tunnel0/0/1] ospf dr-priority 100
[Hub-P-Tunnel0/0/1] quit
# Configure Spoke-PE2.
[Spoke-PE2] interface tunnel 0/0/1
[Spoke-PE2-Tunnel0/0/1] nhrp entry 172.10.1.1 202.1.1.2 register
[Spoke-PE2-Tunnel0/0/1] ospf network-type p2mp
[Spoke-PE2-Tunnel0/0/1] ospf dr-priority 0
[Spoke-PE2-Tunnel0/0/1] quit

# Configure Spoke-PE3.
[Spoke-PE3] interface tunnel 0/0/1
[Spoke-PE3-Tunnel0/0/1] nhrp entry 172.10.1.1 202.1.1.2 register
[Spoke-PE3-Tunnel0/0/1] ospf network-type p2mp
[Spoke-PE3-Tunnel0/0/1] ospf dr-priority 0
[Spoke-PE3-Tunnel0/0/1] quit

After the configuration is complete, run the display nhrp peer all command on
Hub-P to view registration information about Spoke-PE2 and Spoke-PE3.
[Hub-P] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.10.1.2 32 202.2.1.2 172.10.1.2 dynamic route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/1
Created time : 00:02:36
Expire time : 01:57:24
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.10.1.3 32 202.3.1.2 172.10.1.3 dynamic route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/1
Created time : 00:00:04
Expire time : 01:59:56

Number of nhrp peers: 2

Run the display ip routing-table command on all devices on the IP/MPLS
backbone network. You can see that all devices have learnt the routes to
Loopback1 of other devices.

Step 4 Enable basic MPLS functions and MPLS LDP on Spoke-PE2, Spoke-PE3, Hub-P, and
PE1.

# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit

The configurations of Spoke-PE2, Spoke-PE3 and Hub-P are similar to that of PE1,
and are not mentioned here.

Step 5 Enable MPLS LDP on the interfaces of Spoke-PE2, Spoke-PE3, Hub-P, and PE1.

Enable MPLS LDP on interfaces of Hub-P and PE1 that are directly connected to
each other and enable MPLS LDP on tunnel interfaces of Spoke-PE2, Spoke-PE3
and Hub-P to establish MPLS LSP tunnels.

# Configure PE1.
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] mpls
[PE1-GigabitEthernet1/0/0] mpls ldp
[PE1-GigabitEthernet1/0/0] quit

# Configure Hub-P.
[Hub-P] interface gigabitethernet 2/0/0
[Hub-P-GigabitEthernet2/0/0] mpls
[Hub-P-GigabitEthernet2/0/0] mpls ldp
[Hub-P-GigabitEthernet2/0/0] quit
[Hub-P] interface tunnel 0/0/1
[Hub-P-Tunnel0/0/1] mpls
[Hub-P-Tunnel0/0/1] mpls ldp
[Hub-P-Tunnel0/0/1] quit

# Configure Spoke-PE2.
[Spoke-PE2] interface tunnel 0/0/1
[Spoke-PE2-Tunnel0/0/1] mpls
[Spoke-PE2-Tunnel0/0/1] mpls ldp
[Spoke-PE2-Tunnel0/0/1] quit

# Configure Spoke-PE3.
[Spoke-PE3] interface tunnel 0/0/1
[Spoke-PE3-Tunnel0/0/1] mpls
[Spoke-PE3-Tunnel0/0/1] mpls ldp
[Spoke-PE3-Tunnel0/0/1] quit

After the configuration is complete, PE1, Spoke-PE2, and Spoke-PE3 can establish
LDP sessions with Hub-P. Run the display mpls ldp session command. You can
see that the MPLS LDP session status is Operational.
Step 6 Configure VPN instances on Spoke-PE2, Spoke-PE3, and PE1 and bind VPN
instances to interfaces.
# Configure PE1.
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] ipv4-family
[PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpn1-af-ipv4] quit
[PE1-vpn-instance-vpn1] quit
[PE1] ip vpn-instance vpn2
[PE1-vpn-instance-vpn2] ipv4-family
[PE1-vpn-instance-vpn2-af-ipv4] route-distinguisher 100:2
[PE1-vpn-instance-vpn2-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpn2-af-ipv4] quit
[PE1-vpn-instance-vpn2] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[PE1-GigabitEthernet2/0/0] ip address 192.168.1.1 24
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] ip binding vpn-instance vpn2
[PE1-GigabitEthernet3/0/0] ip address 192.168.2.1 24
[PE1-GigabitEthernet3/0/0] quit

# Configure Spoke-PE2.
[Spoke-PE2] ip vpn-instance vpn1
[Spoke-PE2-vpn-instance-vpn1] ipv4-family
[Spoke-PE2-vpn-instance-vpn1-af-ipv4] route-distinguisher 200:1
[Spoke-PE2-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 both
[Spoke-PE2-vpn-instance-vpn1-af-ipv4] quit
[Spoke-PE2-vpn-instance-vpn1] quit
[Spoke-PE2] ip vpn-instance vpn2
[Spoke-PE2-vpn-instance-vpn2] ipv4-family
[Spoke-PE2-vpn-instance-vpn2-af-ipv4] route-distinguisher 200:2
[Spoke-PE2-vpn-instance-vpn2-af-ipv4] vpn-target 222:2 both
[Spoke-PE2-vpn-instance-vpn2-af-ipv4] quit
[Spoke-PE2-vpn-instance-vpn2] quit
[Spoke-PE2] interface gigabitethernet 2/0/0
[Spoke-PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[Spoke-PE2-GigabitEthernet2/0/0] ip address 192.168.11.1 24
[Spoke-PE2-GigabitEthernet2/0/0] quit
[Spoke-PE2] interface gigabitethernet 3/0/0
[Spoke-PE2-GigabitEthernet3/0/0] ip binding vpn-instance vpn2
[Spoke-PE2-GigabitEthernet3/0/0] ip address 192.168.12.1 24
[Spoke-PE2-GigabitEthernet3/0/0] quit

# Configure Spoke-PE3.
[Spoke-PE3] ip vpn-instance vpn1
[Spoke-PE3-vpn-instance-vpn1] ipv4-family
[Spoke-PE3-vpn-instance-vpn1-af-ipv4] route-distinguisher 300:1
[Spoke-PE3-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 both
[Spoke-PE3-vpn-instance-vpn1-af-ipv4] quit
[Spoke-PE3-vpn-instance-vpn1] quit
[Spoke-PE3] ip vpn-instance vpn2
[Spoke-PE3-vpn-instance-vpn2] ipv4-family
[Spoke-PE3-vpn-instance-vpn2-af-ipv4] route-distinguisher 300:2
[Spoke-PE3-vpn-instance-vpn2-af-ipv4] vpn-target 222:2 both
[Spoke-PE3-vpn-instance-vpn2-af-ipv4] quit
[Spoke-PE3-vpn-instance-vpn2] quit
[Spoke-PE3] interface gigabitethernet 2/0/0
[Spoke-PE3-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[Spoke-PE3-GigabitEthernet2/0/0] ip address 192.168.21.1 24
[Spoke-PE3-GigabitEthernet2/0/0] quit
[Spoke-PE3] interface gigabitethernet 3/0/0
[Spoke-PE3-GigabitEthernet3/0/0] ip binding vpn-instance vpn2
[Spoke-PE3-GigabitEthernet3/0/0] ip address 192.168.22.1 24
[Spoke-PE3-GigabitEthernet3/0/0] quit

After the configuration is complete, run the display ip vpn-instance verbose
command on each device to view the configuration of VPN instances.
Step 7 Set up MP-IBGP peer relationships between Spoke-PE2, Spoke-PE3, and PE1.
Configure PE1 as a route reflector. Spoke-PE2 and Spoke-PE3 can set up MP-IBGP
peer relationships with PE1.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] group rr1 internal
[PE1-bgp] peer rr1 connect-interface loopback 1
[PE1-bgp] peer 2.2.2.9 group rr1
[PE1-bgp] peer 3.3.3.9 group rr1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer rr1 enable
[PE1-bgp-af-vpnv4] peer 2.2.2.9 group rr1
[PE1-bgp-af-vpnv4] peer 3.3.3.9 group rr1
[PE1-bgp-af-vpnv4] reflector cluster-id 100
[PE1-bgp-af-vpnv4] peer rr1 reflect-client
[PE1-bgp-af-vpnv4] undo policy vpn-target
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] quit
[PE1-bgp] ipv4-family vpn-instance vpn2
[PE1-bgp-vpn2] import-route direct
[PE1-bgp-vpn2] quit
[PE1-bgp] quit

# Configure Spoke-PE2.
[Spoke-PE2] bgp 100
[Spoke-PE2-bgp] peer 1.1.1.9 as-number 100
[Spoke-PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[Spoke-PE2-bgp] ipv4-family vpnv4
[Spoke-PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[Spoke-PE2-bgp-af-vpnv4] quit
[Spoke-PE2-bgp] ipv4-family vpn-instance vpn1
[Spoke-PE2-bgp-vpn1] import-route direct
[Spoke-PE2-bgp-vpn1] quit
[Spoke-PE2-bgp] ipv4-family vpn-instance vpn2
[Spoke-PE2-bgp-vpn2] import-route direct
[Spoke-PE2-bgp-vpn2] quit
[Spoke-PE2-bgp] quit

# Configure Spoke-PE3.
[Spoke-PE3] bgp 100
[Spoke-PE3-bgp] peer 1.1.1.9 as-number 100
[Spoke-PE3-bgp] peer 1.1.1.9 connect-interface loopback 1
[Spoke-PE3-bgp] ipv4-family vpnv4
[Spoke-PE3-bgp-af-vpnv4] peer 1.1.1.9 enable
[Spoke-PE3-bgp-af-vpnv4] quit
[Spoke-PE3-bgp] ipv4-family vpn-instance vpn1
[Spoke-PE3-bgp-vpn1] import-route direct
[Spoke-PE3-bgp-vpn1] quit
[Spoke-PE3-bgp] ipv4-family vpn-instance vpn2
[Spoke-PE3-bgp-vpn2] import-route direct
[Spoke-PE3-bgp-vpn2] quit
[Spoke-PE3-bgp] quit

After the configuration is complete, run the display bgp vpnv4 all peer command
on Spoke-PE2, Spoke-PE3, and PE1. You can see that Spoke-PE2 and Spoke-PE3 have
set up BGP peer relationships with PE1 and that the peers are in Established state.
The display on PE1 is used as an example:
[PE1] display bgp vpnv4 all peer

BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 2 Peers in established state : 2

Peer       V  AS     MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
2.2.2.9    4  100    5        12       0     00:02:00  Established  2
3.3.3.9    4  100    5        11       0     00:01:02  Established  2

Step 8 Verify the configuration.


# After the configuration is complete, Spoke-PE2, Spoke-PE3, and PE1 can learn
the routes to vpn1 and vpn2 of each other.
# The display on PE1 is used as an example:
[PE1] display ip routing-table vpn-instance vpn1
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpn1
Destinations : 6 Routes : 6

Destination/Mask    Proto   Pre  Cost  Flags  NextHop      Interface
192.168.1.0/24      Direct  0    0     D      192.168.1.1  GigabitEthernet2/0/0
192.168.1.1/32      Direct  0    0     D      127.0.0.1    GigabitEthernet2/0/0
192.168.1.255/32    Direct  0    0     D      127.0.0.1    GigabitEthernet2/0/0
192.168.11.0/24     IBGP    255  0     RD     2.2.2.9      GigabitEthernet1/0/0
192.168.21.0/24     IBGP    255  0     RD     3.3.3.9      GigabitEthernet1/0/0
255.255.255.255/32  Direct  0    0     D      127.0.0.1    InLoopBack0

[PE1] display ip routing-table vpn-instance vpn2
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpn2
Destinations : 6 Routes : 6

Destination/Mask    Proto   Pre  Cost  Flags  NextHop      Interface
192.168.2.0/24      Direct  0    0     D      192.168.2.1  GigabitEthernet3/0/0
192.168.2.1/32      Direct  0    0     D      127.0.0.1    GigabitEthernet3/0/0
192.168.2.255/32    Direct  0    0     D      127.0.0.1    GigabitEthernet3/0/0
192.168.12.0/24     IBGP    255  0     RD     2.2.2.9      GigabitEthernet1/0/0
192.168.22.0/24     IBGP    255  0     RD     3.3.3.9      GigabitEthernet1/0/0
255.255.255.255/32  Direct  0    0     D      127.0.0.1    InLoopBack0

# Devices in the same VPN can successfully ping each other, whereas devices in
different VPNs cannot.
# The display on Spoke-PE2 is used as an example:
[Spoke-PE2] ping -vpn-instance vpn1 -a 192.168.11.1 192.168.1.1
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=254 time=10 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=254 time=1 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=254 time=1 ms

--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/2/10 ms

[Spoke-PE2] ping -vpn-instance vpn2 -a 192.168.12.1 192.168.2.1
PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=1 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=254 time=10 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=254 time=1 ms

--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/2/10 ms

----End

Configuration Files
NOTE

This example does not provide configuration files of devices on the Internet.
● PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpn2
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
ip binding vpn-instance vpn2
ip address 192.168.2.1 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
group rr1 internal
peer rr1 connect-interface LoopBack1
peer 2.2.2.9 as-number 100
peer 2.2.2.9 group rr1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 group rr1
#
ipv4-family unicast
undo synchronization
peer rr1 enable
peer 2.2.2.9 enable
peer 2.2.2.9 group rr1
peer 3.3.3.9 enable
peer 3.3.3.9 group rr1
#
ipv4-family vpnv4
reflector cluster-id 100
undo policy vpn-target
peer rr1 enable
peer rr1 reflect-client
peer 2.2.2.9 enable
peer 2.2.2.9 group rr1
peer 3.3.3.9 enable
peer 3.3.3.9 group rr1
#
ipv4-family vpn-instance vpn1
import-route direct
#
ipv4-family vpn-instance vpn2
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
● Hub-P configuration file
#
sysname Hub-P
#
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 202.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
interface Tunnel0/0/1
ip address 172.10.1.1 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp
ospf dr-priority 100
mpls
mpls ldp
nhrp entry multicast dynamic
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.10.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.1
#
return
● Spoke-PE2 configuration file
#
sysname Spoke-PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpn2
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 202.2.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 192.168.11.1 255.255.255.0
#
interface GigabitEthernet3/0/0
ip binding vpn-instance vpn2
ip address 192.168.12.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
interface Tunnel0/0/1
ip address 172.10.1.2 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp
ospf dr-priority 0
mpls
mpls ldp
nhrp entry 172.10.1.1 202.1.1.2 register
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
#
ipv4-family vpn-instance vpn2
import-route direct
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.10.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.2.1.1
#
return
● Spoke-PE3 configuration file
#
sysname Spoke-PE3
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 300:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpn2
ipv4-family
route-distinguisher 300:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 202.3.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 192.168.21.1 255.255.255.0
#
interface GigabitEthernet3/0/0
ip binding vpn-instance vpn2
ip address 192.168.22.1 255.255.255.0
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
interface Tunnel0/0/1
ip address 172.10.1.3 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp
ospf dr-priority 0
mpls
mpls ldp
nhrp entry 172.10.1.1 202.1.1.2 register
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
#
ipv4-family vpn-instance vpn2
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 172.10.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.3.1.1
#
return

7.9.24 Example for Configuring L3VPN with LDP Signals Carried by DSVPN and Protected by IPSec

Networking Requirements
As shown in Figure 7-65, a large-scale enterprise has deployed a production
network (vpn1) and an office network (vpn2) in both its headquarters and its
branches. The enterprise has established an IP/MPLS backbone network in its
headquarters, and its branches in different areas use Spoke-PEs to connect
to the IP/MPLS backbone network through the Internet. In this example, the
backbone network has only a Hub-P and PE1, and the enterprise has only two
branches. Spoke-PE2 and Spoke-PE3 in the branches dynamically obtain their public
addresses. (Configurations related to dynamic address allocation are omitted in
this example, and public addresses are manually specified.) Because the Internet
cannot provide the MPLS function for the enterprise, the production networks and
office networks in the branches cannot communicate with those in the headquarters.
The enterprise wants to expand the IP/MPLS backbone network, deploy BGP/MPLS
IP VPN in the headquarters and branches, and use LDP LSPs to transmit data from
vpn1 and vpn2 to implement secure interconnection between the headquarters
and branches and between branches. VPN data between branches needs to be
forwarded by the headquarters and encrypted using IPSec so that the
headquarters can monitor and protect data.

Figure 7-65 Networking diagram for configuring L3VPN with LDP signals carried
by DSVPN and protected by IPSec
(Diagram not reproduced. Spoke-PE2 in enterprise branch1 (Loopback1 2.2.2.9/32,
Tunnel0/0/1 172.10.1.2/24) and Spoke-PE3 in enterprise branch2 (Loopback1
3.3.3.9/32, Tunnel0/0/1 172.10.1.3/24) each connect vpn1 and vpn2 sites and
reach Hub-P (Loopback1 4.4.4.9/32, Tunnel0/0/1 172.10.1.1/24) at the enterprise
headquarters across the Internet through GRE tunnels protected by IPSec. Hub-P
connects to PE1 (Loopback1 1.1.1.9/32), which also connects vpn1 and vpn2 sites.)

Device       Interface    IP Address
Spoke-PE2    GE1/0/0      202.2.1.2/24
             GE2/0/0      192.168.11.1/24
             GE3/0/0      192.168.12.1/24
Spoke-PE3    GE1/0/0      202.3.1.2/24
             GE2/0/0      192.168.21.1/24
             GE3/0/0      192.168.22.1/24
PE1          GE1/0/0      172.1.1.1/24
             GE2/0/0      192.168.1.1/24
             GE3/0/0      192.168.2.1/24
Hub-P        GE1/0/0      202.1.1.2/24
             GE2/0/0      172.1.1.2/24

Configuration Roadmap
To expand the IP/MPLS backbone network and deploy BGP/MPLS IP VPN for an
enterprise, you need to add the Spoke-PE devices in the branches to the IP/MPLS
backbone network in the headquarters. MPLS LDP packets between the
headquarters and branches need to be transmitted over GRE tunnels because the
Internet cannot provide the MPLS function. As there are a large number of
branches and devices in the branches dynamically obtain their public addresses,
DSVPN is used to establish GRE tunnels between the headquarters and branches.
In addition, IPSec is required to encrypt and protect VPN data transmitted over the
Internet. As a result, L3VPN with LDP signals carried by DSVPN and protected by
IPSec can meet the requirements of the enterprise.
The configuration roadmap for L3VPN with LDP signals carried by DSVPN and
protected by IPSec is as follows:
1. Configure branch devices to save only summarized routes to the
headquarters, configure OSPF on Hub-P and Spoke-PEs to advertise routes,
and set the OSPF network type to point-to-multipoint (P2MP), so that all VPN
data between branches is forwarded by the headquarters.
2. Configure IPSec on Spoke-PE2, Spoke-PE3, and Hub-P and apply IPSec profiles
to tunnel interfaces to encrypt and protect VPN data between branches.
3. Enable MPLS LDP on tunnel interfaces of Spoke-PE2, Spoke-PE3, and Hub-P
and set up MPLS LSP tunnels to implement LDP over mGRE.
4. Configure L3VPN on Spoke-PE2, Spoke-PE3, and PE1 to implement secure
interconnection between the headquarters and branches and between
branches. Because there are a large number of branches, a route reflector can
be used to reduce the number of MP-IBGP connections between PEs.
NOTE

Do not configure NHRP redirection on the Hub because LDP over mGRE does not need to
establish tunnels for direct communication between branches.

Procedure
Step 1 Configure interface IP addresses and OSPF on Hub-P and PE1 to implement
interconnection on the IP/MPLS backbone network.
# Configure PE1.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] ip address 172.1.1.1 24
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

The configuration of Hub-P is similar to that of PE1, and is not mentioned here.
After the configuration is complete, an OSPF neighbor relationship can be set up
between Hub-P and PE1. Run the display ospf peer command. You can see that
the neighbor status is Full. Run the display ip routing-table command. You can
see that Hub-P and PE1 have learnt the routes to Loopback1 of each other.
Step 2 Configure interface IP addresses and static routes on Hub-P, Spoke-PE2, and
Spoke-PE3 to ensure that public routes are reachable.
Because Hub-P, Spoke-PE2, and Spoke-PE3 are directly connected to the Internet,
IP addresses and default static routes are manually specified here.
# Configure Spoke-PE2.
<Huawei> system-view
[Huawei] sysname Spoke-PE2
[Spoke-PE2] interface gigabitethernet 1/0/0
[Spoke-PE2-GigabitEthernet1/0/0] ip address 202.2.1.2 24
[Spoke-PE2-GigabitEthernet1/0/0] quit
[Spoke-PE2] interface loopback 1
[Spoke-PE2-LoopBack1] ip address 2.2.2.9 32
[Spoke-PE2-LoopBack1] quit
[Spoke-PE2] ip route-static 0.0.0.0 0 202.2.1.1

The configurations of Spoke-PE3 and Hub-P are similar to that of Spoke-PE2, and
are not mentioned here.
After the configuration is complete, devices can ping each other and public routes
are reachable.
Step 3 Create tunnel interfaces and configure DSVPN on Hub-P, Spoke-PE2, and
Spoke-PE3.
1. Create an mGRE interface, configure an IP address, and specify a source
tunnel interface.
# Configure Spoke-PE2.
[Spoke-PE2] interface tunnel 0/0/1
[Spoke-PE2-Tunnel0/0/1] ip address 172.10.1.2 24
[Spoke-PE2-Tunnel0/0/1] tunnel-protocol gre p2mp
[Spoke-PE2-Tunnel0/0/1] source gigabitethernet 1/0/0
[Spoke-PE2-Tunnel0/0/1] quit

The configurations of Spoke-PE3 and Hub-P are similar to that of Spoke-PE2,
and are not mentioned here.
2. Configure OSPF to advertise the MPLS LSR ID as DSVPN subnet information
through the tunnel interface.
# Configure Spoke-PE2.
[Spoke-PE2] ospf 1
[Spoke-PE2-ospf-1] area 0
[Spoke-PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[Spoke-PE2-ospf-1-area-0.0.0.0] network 172.10.1.0 0.0.0.255
[Spoke-PE2-ospf-1-area-0.0.0.0] quit
[Spoke-PE2-ospf-1] quit

The configurations of Spoke-PE3 and Hub-P are similar to that of Spoke-PE2,
and are not mentioned here.
3. Configure NHRP and set the OSPF network type to P2MP. Do not configure
NHRP redirection on the Hub-P.
# Configure Hub-P.
[Hub-P] interface tunnel 0/0/1
[Hub-P-Tunnel0/0/1] nhrp entry multicast dynamic
[Hub-P-Tunnel0/0/1] ospf network-type p2mp
[Hub-P-Tunnel0/0/1] ospf dr-priority 100
[Hub-P-Tunnel0/0/1] quit

# Configure Spoke-PE2.
[Spoke-PE2] interface tunnel 0/0/1
[Spoke-PE2-Tunnel0/0/1] nhrp entry 172.10.1.1 202.1.1.2 register
[Spoke-PE2-Tunnel0/0/1] ospf network-type p2mp
[Spoke-PE2-Tunnel0/0/1] ospf dr-priority 0
[Spoke-PE2-Tunnel0/0/1] quit

# Configure Spoke-PE3.
[Spoke-PE3] interface tunnel 0/0/1
[Spoke-PE3-Tunnel0/0/1] nhrp entry 172.10.1.1 202.1.1.2 register
[Spoke-PE3-Tunnel0/0/1] ospf network-type p2mp
[Spoke-PE3-Tunnel0/0/1] ospf dr-priority 0
[Spoke-PE3-Tunnel0/0/1] quit

After the configuration is complete, run the display nhrp peer all command on
Hub-P to view registration information about Spoke-PE2 and Spoke-PE3.
[Hub-P] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.10.1.2 32 202.2.1.2 172.10.1.2 dynamic route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/1
Created time : 00:02:36
Expire time : 01:57:24
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.10.1.3 32 202.3.1.2 172.10.1.3 dynamic route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/1
Created time : 00:00:04
Expire time : 01:59:56

Number of nhrp peers: 2

Run the display ip routing-table command on all devices on the IP/MPLS
backbone network. You can see that all devices have learnt the routes to
Loopback1 of other devices.

Step 4 Configure IPSec on Spoke-PE2, Spoke-PE3, and Hub-P.

Configure IPSec on the devices and bind IPSec profiles to the tunnel interfaces.

# Configure Hub-P.
[Hub-P] ipsec proposal pro1
[Hub-P-ipsec-proposal-pro1] transform ah-esp
[Hub-P-ipsec-proposal-pro1] ah authentication-algorithm sha2-512
[Hub-P-ipsec-proposal-pro1] esp authentication-algorithm sha2-512
[Hub-P-ipsec-proposal-pro1] esp encryption-algorithm aes-256
[Hub-P-ipsec-proposal-pro1] quit
[Hub-P] ike proposal 1
[Hub-P-ike-proposal-1] dh group5
[Hub-P-ike-proposal-1] authentication-algorithm aes-xcbc-mac-96
[Hub-P-ike-proposal-1] prf aes-xcbc-128
[Hub-P-ike-proposal-1] quit
[Hub-P] ike peer Hub-P v2
[Hub-P-ike-peer-Hub-P] ike-proposal 1
[Hub-P-ike-peer-Hub-P] pre-shared-key cipher huawei
[Hub-P-ike-peer-Hub-P] quit
[Hub-P] ipsec profile profile1
[Hub-P-ipsec-profile-profile1] proposal pro1
[Hub-P-ipsec-profile-profile1] ike-peer Hub-P
[Hub-P-ipsec-profile-profile1] quit
[Hub-P] interface tunnel 0/0/1
[Hub-P-Tunnel0/0/1] ipsec profile profile1
[Hub-P-Tunnel0/0/1] quit

The configurations of Spoke-PE2 and Spoke-PE3 are similar to that of Hub-P, and
are not mentioned here.

After the configuration is complete, run the display ipsec sa command on
Spoke-PE2, Spoke-PE3, and Hub-P. You can see that security associations (SAs)
have been established.

Step 5 Enable basic MPLS functions and MPLS LDP on Spoke-PE2, Spoke-PE3, Hub-P, and
PE1.

# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit

The configurations of Spoke-PE2, Spoke-PE3 and Hub-P are similar to that of PE1,
and are not mentioned here.

Step 6 Enable MPLS LDP on the interfaces of Spoke-PE2, Spoke-PE3, Hub-P, and PE1.

Enable MPLS LDP on interfaces of Hub-P and PE1 that are directly connected to
each other and enable MPLS LDP on tunnel interfaces of Spoke-PE2, Spoke-PE3
and Hub-P to establish MPLS LSP tunnels.

# Configure PE1.
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] mpls
[PE1-GigabitEthernet1/0/0] mpls ldp
[PE1-GigabitEthernet1/0/0] quit

# Configure Hub-P.
[Hub-P] interface gigabitethernet 2/0/0
[Hub-P-GigabitEthernet2/0/0] mpls
[Hub-P-GigabitEthernet2/0/0] mpls ldp
[Hub-P-GigabitEthernet2/0/0] quit
[Hub-P] interface tunnel 0/0/1
[Hub-P-Tunnel0/0/1] mpls
[Hub-P-Tunnel0/0/1] mpls ldp
[Hub-P-Tunnel0/0/1] quit

# Configure Spoke-PE2.
[Spoke-PE2] interface tunnel 0/0/1
[Spoke-PE2-Tunnel0/0/1] mpls
[Spoke-PE2-Tunnel0/0/1] mpls ldp
[Spoke-PE2-Tunnel0/0/1] quit

# Configure Spoke-PE3.
[Spoke-PE3] interface tunnel 0/0/1
[Spoke-PE3-Tunnel0/0/1] mpls
[Spoke-PE3-Tunnel0/0/1] mpls ldp
[Spoke-PE3-Tunnel0/0/1] quit

After the configuration is complete, PE1, Spoke-PE2, and Spoke-PE3 can establish
LDP sessions with Hub-P. Run the display mpls ldp session command. You can
see that the MPLS LDP session status is Operational.

Step 7 Configure VPN instances on Spoke-PE2, Spoke-PE3, and PE1 and bind VPN
instances to interfaces.

# Configure PE1.
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] ipv4-family
[PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpn1-af-ipv4] quit
[PE1-vpn-instance-vpn1] quit
[PE1] ip vpn-instance vpn2
[PE1-vpn-instance-vpn2] ipv4-family
[PE1-vpn-instance-vpn2-af-ipv4] route-distinguisher 100:2
[PE1-vpn-instance-vpn2-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpn2-af-ipv4] quit
[PE1-vpn-instance-vpn2] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[PE1-GigabitEthernet2/0/0] ip address 192.168.1.1 24
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] ip binding vpn-instance vpn2
[PE1-GigabitEthernet3/0/0] ip address 192.168.2.1 24
[PE1-GigabitEthernet3/0/0] quit

# Configure Spoke-PE2.
[Spoke-PE2] ip vpn-instance vpn1
[Spoke-PE2-vpn-instance-vpn1] ipv4-family
[Spoke-PE2-vpn-instance-vpn1-af-ipv4] route-distinguisher 200:1
[Spoke-PE2-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 both
[Spoke-PE2-vpn-instance-vpn1-af-ipv4] quit
[Spoke-PE2-vpn-instance-vpn1] quit
[Spoke-PE2] ip vpn-instance vpn2
[Spoke-PE2-vpn-instance-vpn2] ipv4-family
[Spoke-PE2-vpn-instance-vpn2-af-ipv4] route-distinguisher 200:2
[Spoke-PE2-vpn-instance-vpn2-af-ipv4] vpn-target 222:2 both
[Spoke-PE2-vpn-instance-vpn2-af-ipv4] quit
[Spoke-PE2-vpn-instance-vpn2] quit
[Spoke-PE2] interface gigabitethernet 2/0/0
[Spoke-PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[Spoke-PE2-GigabitEthernet2/0/0] ip address 192.168.11.1 24
[Spoke-PE2-GigabitEthernet2/0/0] quit
[Spoke-PE2] interface gigabitethernet 3/0/0
[Spoke-PE2-GigabitEthernet3/0/0] ip binding vpn-instance vpn2
[Spoke-PE2-GigabitEthernet3/0/0] ip address 192.168.12.1 24
[Spoke-PE2-GigabitEthernet3/0/0] quit

# Configure Spoke-PE3.
[Spoke-PE3] ip vpn-instance vpn1
[Spoke-PE3-vpn-instance-vpn1] ipv4-family
[Spoke-PE3-vpn-instance-vpn1-af-ipv4] route-distinguisher 300:1
[Spoke-PE3-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 both
[Spoke-PE3-vpn-instance-vpn1-af-ipv4] quit
[Spoke-PE3-vpn-instance-vpn1] quit
[Spoke-PE3] ip vpn-instance vpn2
[Spoke-PE3-vpn-instance-vpn2] ipv4-family
[Spoke-PE3-vpn-instance-vpn2-af-ipv4] route-distinguisher 300:2
[Spoke-PE3-vpn-instance-vpn2-af-ipv4] vpn-target 222:2 both
[Spoke-PE3-vpn-instance-vpn2-af-ipv4] quit
[Spoke-PE3-vpn-instance-vpn2] quit
[Spoke-PE3] interface gigabitethernet 2/0/0
[Spoke-PE3-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[Spoke-PE3-GigabitEthernet2/0/0] ip address 192.168.21.1 24
[Spoke-PE3-GigabitEthernet2/0/0] quit
[Spoke-PE3] interface gigabitethernet 3/0/0
[Spoke-PE3-GigabitEthernet3/0/0] ip binding vpn-instance vpn2
[Spoke-PE3-GigabitEthernet3/0/0] ip address 192.168.22.1 24
[Spoke-PE3-GigabitEthernet3/0/0] quit

After the configuration is complete, run the display ip vpn-instance verbose
command on each device to view the configuration of VPN instances.
Step 8 Set up MP-IBGP peer relationships between Spoke-PE2, Spoke-PE3, and PE1.
Configure PE1 as a route reflector. Spoke-PE2 and Spoke-PE3 can set up MP-IBGP
peer relationships with PE1.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] group rr1 internal
[PE1-bgp] peer rr1 connect-interface loopback 1
[PE1-bgp] peer 2.2.2.9 group rr1
[PE1-bgp] peer 3.3.3.9 group rr1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer rr1 enable
[PE1-bgp-af-vpnv4] peer 2.2.2.9 group rr1
[PE1-bgp-af-vpnv4] peer 3.3.3.9 group rr1
[PE1-bgp-af-vpnv4] reflector cluster-id 100
[PE1-bgp-af-vpnv4] peer rr1 reflect-client
[PE1-bgp-af-vpnv4] undo policy vpn-target
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] quit
[PE1-bgp] ipv4-family vpn-instance vpn2
[PE1-bgp-vpn2] import-route direct
[PE1-bgp-vpn2] quit
[PE1-bgp] quit

# Configure Spoke-PE2.
[Spoke-PE2] bgp 100
[Spoke-PE2-bgp] peer 1.1.1.9 as-number 100
[Spoke-PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[Spoke-PE2-bgp] ipv4-family vpnv4
[Spoke-PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[Spoke-PE2-bgp-af-vpnv4] quit
[Spoke-PE2-bgp] ipv4-family vpn-instance vpn1
[Spoke-PE2-bgp-vpn1] import-route direct
[Spoke-PE2-bgp-vpn1] quit
[Spoke-PE2-bgp] ipv4-family vpn-instance vpn2
[Spoke-PE2-bgp-vpn2] import-route direct
[Spoke-PE2-bgp-vpn2] quit
[Spoke-PE2-bgp] quit

# Configure Spoke-PE3.
[Spoke-PE3] bgp 100
[Spoke-PE3-bgp] peer 1.1.1.9 as-number 100
[Spoke-PE3-bgp] peer 1.1.1.9 connect-interface loopback 1
[Spoke-PE3-bgp] ipv4-family vpnv4
[Spoke-PE3-bgp-af-vpnv4] peer 1.1.1.9 enable
[Spoke-PE3-bgp-af-vpnv4] quit
[Spoke-PE3-bgp] ipv4-family vpn-instance vpn1
[Spoke-PE3-bgp-vpn1] import-route direct
[Spoke-PE3-bgp-vpn1] quit
[Spoke-PE3-bgp] ipv4-family vpn-instance vpn2
[Spoke-PE3-bgp-vpn2] import-route direct
[Spoke-PE3-bgp-vpn2] quit
[Spoke-PE3-bgp] quit

After the configuration is complete, run the display bgp vpnv4 all peer command
on Spoke-PE2, Spoke-PE3, and PE1. You can see that Spoke-PE2 and Spoke-PE3 have
set up BGP peer relationships with PE1 and that the peer relationships are in
Established state.

The display on PE1 is used as an example:
[PE1] display bgp vpnv4 all peer

 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 2                 Peers in established state : 2

  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
  2.2.2.9         4   100        5       12     0  00:02:00  Established        2
  3.3.3.9         4   100        5       11     0  00:01:02  Established        2

Step 9 Verify the configuration.


# After the configuration is complete, Spoke-PE2, Spoke-PE3, and PE1 can learn
the routes to vpn1 and vpn2 of each other.
# The display on PE1 is used as an example:
[PE1] display ip routing-table vpn-instance vpn1
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpn1
         Destinations : 6        Routes : 6

Destination/Mask     Proto   Pre  Cost  Flags  NextHop       Interface
192.168.1.0/24       Direct  0    0     D      192.168.1.1   GigabitEthernet2/0/0
192.168.1.1/32       Direct  0    0     D      127.0.0.1     GigabitEthernet2/0/0
192.168.1.255/32     Direct  0    0     D      127.0.0.1     GigabitEthernet2/0/0
192.168.11.0/24      IBGP    255  0     RD     2.2.2.9       GigabitEthernet1/0/0
192.168.21.0/24      IBGP    255  0     RD     3.3.3.9       GigabitEthernet1/0/0
255.255.255.255/32   Direct  0    0     D      127.0.0.1     InLoopBack0

[PE1] display ip routing-table vpn-instance vpn2
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpn2
         Destinations : 6        Routes : 6

Destination/Mask     Proto   Pre  Cost  Flags  NextHop       Interface
192.168.2.0/24       Direct  0    0     D      192.168.2.1   GigabitEthernet3/0/0
192.168.2.1/32       Direct  0    0     D      127.0.0.1     GigabitEthernet3/0/0
192.168.2.255/32     Direct  0    0     D      127.0.0.1     GigabitEthernet3/0/0
192.168.12.0/24      IBGP    255  0     RD     2.2.2.9       GigabitEthernet1/0/0
192.168.22.0/24      IBGP    255  0     RD     3.3.3.9       GigabitEthernet1/0/0
255.255.255.255/32   Direct  0    0     D      127.0.0.1     InLoopBack0

# Devices in the same VPN can successfully ping each other, whereas devices in
different VPNs cannot.
# The display on Spoke-PE2 is used as an example:
[Spoke-PE2] ping -vpn-instance vpn1 -a 192.168.11.1 192.168.1.1
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=254 time=10 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=254 time=1 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=254 time=1 ms

--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/2/10 ms

[Spoke-PE2] ping -vpn-instance vpn2 -a 192.168.12.1 192.168.2.1
PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=1 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=254 time=10 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=254 time=1 ms

--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/2/10 ms

----End
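
The isolation verified with ping in Step 9 follows from the vpn-target values set in Step 7. The Python script below is an added example, not part of the Huawei guide: it computes from the vpn-target lines which VPN instances import each other's routes, and shows the effect of one extra import target. The LEAKY variant and the rule that differently named instances must not exchange routes are assumptions made for the example.

```python
import re

# Constructed input: the ip vpn-instance stanzas of the three PEs on this page.
# Spoke-PE3 is written with the CLI keyword "both" from Step 7; the saved
# configuration files store it as separate export and import lines.
CONFIGS = {
    "PE1": """
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpn2
 ipv4-family
  route-distinguisher 100:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
""",
    "Spoke-PE2": """
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 200:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpn2
 ipv4-family
  route-distinguisher 200:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
""",
    "Spoke-PE3": """
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 300:1
  vpn-target 111:1 both
#
ip vpn-instance vpn2
 ipv4-family
  route-distinguisher 300:2
  vpn-target 222:2 both
""",
}

# Hypothetical misconfiguration for comparison: vpn1 on Spoke-PE2 also imports 222:2.
LEAKY = dict(CONFIGS)
LEAKY["Spoke-PE2"] = CONFIGS["Spoke-PE2"].replace(
    "vpn-target 111:1 import-extcommunity", "vpn-target 111:1 222:2 import-extcommunity")

TARGET = re.compile(r"vpn-target (.+) (both|export-extcommunity|import-extcommunity)")


def parse_targets(cfg):
    """Return {instance: {"export": set, "import": set}} for one device."""
    out, inst = {}, None
    for line in map(str.strip, cfg.splitlines()):
        if line.startswith("ip vpn-instance "):
            inst = line.split()[2]
            out[inst] = {"export": set(), "import": set()}
        elif line == "#":
            inst = None
        elif inst and (m := TARGET.fullmatch(line)):
            rts, direction = set(m.group(1).split()), m.group(2)
            if direction != "import-extcommunity":
                out[inst]["export"] |= rts
            if direction != "export-extcommunity":
                out[inst]["import"] |= rts
    return out


def import_matrix(configs):
    """Map each (device, instance) to the (device, instance) pairs whose routes it imports.

    A VPNv4 route enters an instance when one of its export targets matches one of
    the instance's import targets. The route reflector (undo policy vpn-target on
    PE1) keeps all VPNv4 routes, so this match is what separates vpn1 from vpn2.
    """
    vrfs = {(dev, name): t for dev, cfg in configs.items()
            for name, t in parse_targets(cfg).items()}
    return {dst: sorted(src for src, s in vrfs.items()
                        if src != dst and s["export"] & d["import"])
            for dst, d in vrfs.items()}


def leaks(configs):
    """List (source, destination) pairs where routes cross between differently named VPNs."""
    return sorted((src, dst) for dst, srcs in import_matrix(configs).items()
                  for src in srcs if src[1] != dst[1])


if __name__ == "__main__":
    print("as configured:", leaks(CONFIGS))
    print("with extra import target:", leaks(LEAKY))
```
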

Configuration Files
NOTE

This example does not provide configuration files of devices on the Internet.
● PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpn2
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
ip binding vpn-instance vpn2
ip address 192.168.2.1 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
group rr1 internal
peer rr1 connect-interface LoopBack1
peer 2.2.2.9 as-number 100
peer 2.2.2.9 group rr1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 group rr1
#
ipv4-family unicast
undo synchronization
peer rr1 enable
peer 2.2.2.9 enable
peer 2.2.2.9 group rr1
peer 3.3.3.9 enable
peer 3.3.3.9 group rr1
#
ipv4-family vpnv4
reflector cluster-id 100
undo policy vpn-target
peer rr1 enable
peer rr1 reflect-client
peer 2.2.2.9 enable
peer 2.2.2.9 group rr1
peer 3.3.3.9 enable
peer 3.3.3.9 group rr1
#
ipv4-family vpn-instance vpn1
import-route direct
#
ipv4-family vpn-instance vpn2
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
● Hub-P configuration file
#
sysname Hub-P
#
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
ipsec proposal pro1
transform ah-esp
ah authentication-algorithm sha2-512
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
#
ike proposal 1
dh group5
authentication-algorithm aes-xcbc-mac-96
prf aes-xcbc-128
#
ike peer Hub-P v2
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
ike-proposal 1
#
ipsec profile profile1
ike-peer Hub-P
proposal pro1
#
interface GigabitEthernet1/0/0
ip address 202.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
interface Tunnel0/0/1
ip address 172.10.1.1 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp
ospf dr-priority 100
ipsec profile profile1
mpls
mpls ldp
nhrp entry multicast dynamic
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.10.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.1
#
return
● Spoke-PE2 configuration file
#
sysname Spoke-PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpn2
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
ipsec proposal pro1
transform ah-esp
ah authentication-algorithm sha2-512
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
#
ike proposal 1
dh group5
authentication-algorithm aes-xcbc-mac-96
prf aes-xcbc-128
#
ike peer Spoke-PE2 v2
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#
ike-proposal 1
#
ipsec profile profile1
ike-peer Spoke-PE2
proposal pro1
#
interface GigabitEthernet1/0/0
ip address 202.2.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 192.168.11.1 255.255.255.0
#
interface GigabitEthernet3/0/0
ip binding vpn-instance vpn2
ip address 192.168.12.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
interface Tunnel0/0/1
ip address 172.10.1.2 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp
ospf dr-priority 0
ipsec profile profile1
mpls
mpls ldp
nhrp entry 172.10.1.1 202.1.1.2 register
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
#
ipv4-family vpn-instance vpn2
import-route direct
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.10.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.2.1.1
#
return
● Spoke-PE3 configuration file
#
sysname Spoke-PE3
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 300:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpn2
ipv4-family
route-distinguisher 300:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
ipsec proposal pro1
transform ah-esp
ah authentication-algorithm sha2-512
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
#
ike proposal 1
dh group5
authentication-algorithm aes-xcbc-mac-96
prf aes-xcbc-128
#
ike peer Spoke-PE3 v2
pre-shared-key cipher %^%#IRFGEiFPJ1$&a'Qy,L*XQL_+*Grq-=yMb}ULZdS6%^%#
ike-proposal 1
#
ipsec profile profile1
ike-peer Spoke-PE3
proposal pro1
#
interface GigabitEthernet1/0/0
ip address 202.3.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 192.168.21.1 255.255.255.0
#
interface GigabitEthernet3/0/0
ip binding vpn-instance vpn2
ip address 192.168.22.1 255.255.255.0
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
interface Tunnel0/0/1
ip address 172.10.1.3 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp
ospf dr-priority 0
ipsec profile profile1
mpls
mpls ldp
nhrp entry 172.10.1.1 202.1.1.2 register
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
#
ipv4-family vpn-instance vpn2
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 172.10.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.3.1.1
#
return
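
An offline check of saved configuration files for the property this example adds over the previous one: every mGRE tunnel interface that runs MPLS LDP is bound to an IPSec profile. The Python script below is an added example, not part of the Huawei guide; it also reports IKE proposals that set a MODP Diffie-Hellman group below 2048 bits (group1, group2, group5). The sample texts are constructed from the Hub-P stanzas on this page, with the pre-shared key replaced by a placeholder.

```python
# Constructed samples modelled on the Hub-P stanzas on this page (abridged).
# NO_IPSEC: tunnel interface without an IPSec profile. WITH_IPSEC: the same
# interface with the IPSec/IKE stanzas; the pre-shared key is a placeholder.
NO_IPSEC = """\
#
interface Tunnel0/0/1
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 mpls
 mpls ldp
#
return
"""

WITH_IPSEC = """\
#
ipsec proposal pro1
 transform ah-esp
 esp encryption-algorithm aes-256
#
ike proposal 1
 dh group5
 prf aes-xcbc-128
#
ike peer Hub-P v2
 pre-shared-key cipher <ciphertext-placeholder>
 ike-proposal 1
#
ipsec profile profile1
 ike-peer Hub-P
 proposal pro1
#
interface Tunnel0/0/1
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 ipsec profile profile1
 mpls
 mpls ldp
#
return
"""

# MODP Diffie-Hellman groups below 2048 bits, with their modulus size in bits.
SMALL_DH = {"group1": 768, "group2": 1024, "group5": 1536}


def sections(cfg):
    """Split a configuration file into {stanza header: [body lines]} on '#' lines."""
    out, header = {}, None
    for line in map(str.strip, cfg.splitlines()):
        if line in ("", "#", "return"):
            header = None
        elif header is None:
            header = line
            out[header] = []
        else:
            out[header].append(line)
    return out


def value(body, keyword):
    """Return the argument of the first body line that starts with keyword, else None."""
    for line in body:
        if line.startswith(keyword + " "):
            return line[len(keyword) + 1:]
    return None


def audit(cfg):
    """Return findings for every mGRE tunnel interface that runs MPLS LDP."""
    sec, findings = sections(cfg), []
    for header, body in sec.items():
        if not (header.startswith("interface Tunnel")
                and "tunnel-protocol gre p2mp" in body and "mpls ldp" in body):
            continue
        profile = value(body, "ipsec profile")
        if profile is None:
            findings.append(f"{header}: LDP over mGRE is not bound to an IPSec profile")
            continue
        prof = sec.get(f"ipsec profile {profile}")
        if prof is None:
            findings.append(f"{header}: ipsec profile {profile} is not defined")
            continue
        # Follow profile -> ike peer -> ike proposal to reach the DH group.
        peer = next((b for h, b in sec.items()
                     if h.split()[:3] == ["ike", "peer", value(prof, "ike-peer")]), [])
        ike_id = value(peer, "ike-proposal")
        dh = value(sec.get(f"ike proposal {ike_id}", []), "dh")
        if dh in SMALL_DH:
            findings.append(f"ike proposal {ike_id}: dh {dh} is a {SMALL_DH[dh]}-bit MODP group")
    return findings


if __name__ == "__main__":
    for name, cfg in (("without IPSec", NO_IPSEC), ("with IPSec", WITH_IPSEC)):
        print(name, "->", audit(cfg) or "no findings")
```
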

7.9.25 Example for Configuring a Tunnel Policy for an L3VPN


Networking Requirements
As shown in Figure 7-66, CE1 and CE3 belong to vpna, and CE2 and CE4 belong to
vpnb. Two MPLS TE tunnels and one LSP are set up between PE1 and PE2. To use
the tunnels more efficiently, vpnb uses multiple tunnels to share the loads and
prefers the TE tunnels for load balancing.

Figure 7-66 Networking diagram for configuring a tunnel policy for an L3VPN
(Diagram not reproduced. PE1 and PE2 are connected through their GE1/0/0
interfaces, with MPLS TE tunnel 1, MPLS TE tunnel 2 (binding), and one LSP
between them. CE1 and CE3 belong to vpna; CE2 and CE4 belong to vpnb. Interface
labels recovered from the diagram:)

Device   Interface    IP Address
PE1      Loopback1    1.1.1.1/32
         GE1/0/0      100.1.1.1/30
         GE2/0/0      10.1.1.2/30
         GE3/0/0      10.2.1.2/30
PE2      Loopback1    2.2.2.2/32
         GE1/0/0      100.1.1.2/30
         GE2/0/0      10.3.1.2/30
         GE3/0/0      10.4.1.2/30
CE1      Loopback1    3.3.3.3/32
         GE1/0/0      10.1.1.1/30
CE2      Loopback1    4.4.4.4/32
         GE1/0/0      10.2.1.1/30
CE3      Loopback1    5.5.5.5/32
         GE1/0/0      10.3.1.1/30
CE4      Loopback1    6.6.6.6/32
         GE1/0/0      10.4.1.1/30

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a routing protocol so that PEs can communicate with each other.
2. Configure basic MPLS capabilities on the routers on the backbone network
and set up an LSP and two MPLS TE tunnels between the PEs.
3. Configure VPN instances on PEs and connect CEs to the PEs.
4. Configure tunnel policies and apply the policies to different VPN instances.
5. Configure MP-IBGP to exchange VPN routing information.

Procedure
Step 1 Configure an IGP on the MPLS backbone network so that PEs can communicate.
# Configure PE1.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] interface gigabitethernet1/0/0
[PE1-GigabitEthernet1/0/0] ip address 100.1.1.1 30
[PE1-GigabitEthernet1/0/0] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.3
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure PE2.
<Huawei> system-view
[Huawei] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.2 32
[PE2-LoopBack1] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] ip address 100.1.1.2 30
[PE2-GigabitEthernet1/0/0] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.3
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

# After the configuration is complete, run the display ip routing-table command
on the PEs. The output shows that the PEs have learned the routes to each
other's Loopback1 interfaces.
# The information displayed on PE1 is used as an example.
[PE1] display ip routing-table
Route Flags: R - relay, D - download to forwarding
------------------------------------------------------------------------------
Routing Tables: _public_
Destinations : 9 Routes : 9
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.1/32 Direct 0 0 D 127.0.0.1 LoopBack1
2.2.2.2/32 OSPF 10 1 D 100.1.1.2 GigabitEthernet1/0/0
100.1.1.0/30 Direct 0 0 D 100.1.1.1 GigabitEthernet1/0/0
100.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
100.1.1.3/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Step 2 Configure basic MPLS capabilities on the MPLS backbone to set up an LDP LSP
between PEs.

# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] mpls
[PE1-GigabitEthernet1/0/0] mpls ldp
[PE1-GigabitEthernet1/0/0] quit

# Configure PE2.
[PE2] mpls lsr-id 2.2.2.2
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] mpls
[PE2-GigabitEthernet1/0/0] mpls ldp
[PE2-GigabitEthernet1/0/0] quit

# After the configuration is complete, an LDP LSP is set up between PE1 and PE2.
Run the display tunnel-info all command, and you can find the LSP destined for
the address 2.2.2.2. Run the display mpls ldp lsp command, and you can view LSP
information.
# The information displayed on PE1 is used as an example.
[PE1] display tunnel-info all
* -> Allocated VC Token
Tunnel ID Type Destination Token
----------------------------------------------------------------------
0x15 lsp 2.2.2.2 21
0x16 lsp 2.2.2.2 22
[PE1] display mpls ldp lsp
LDP LSP Information
-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
1.1.1.1/32 3/NULL 2.2.2.2 127.0.0.1 InLoop0
*1.1.1.1/32 Liberal/16 DS/2.2.2.2
2.2.2.2/32 NULL/3 - 100.1.1.2 GE1/0/0
2.2.2.2/32 16/3 2.2.2.2 100.1.1.2 GE1/0/0
-------------------------------------------------------------------------------
TOTAL: 3 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is stale
A '*' before a DS means the session is stale
A '*' before a NextHop means the LSP is FRR LSP

Step 3 Set up MPLS TE tunnels between PEs.


# Configure PE1.
[PE1] mpls
[PE1-mpls] mpls te
[PE1-mpls] mpls rsvp-te
[PE1-mpls] mpls te cspf
[PE1-mpls] quit
[PE1] interface gigabitethernet1/0/0
[PE1-GigabitEthernet1/0/0] mpls te
[PE1-GigabitEthernet1/0/0] mpls rsvp-te
[PE1-GigabitEthernet1/0/0] quit

# Configure PE2.
[PE2] mpls
[PE2-mpls] mpls te
[PE2-mpls] mpls rsvp-te
[PE2-mpls] mpls te cspf
[PE2-mpls] quit
[PE2] interface gigabitethernet1/0/0
[PE2-GigabitEthernet1/0/0] mpls te
[PE2-GigabitEthernet1/0/0] mpls rsvp-te
[PE2-GigabitEthernet1/0/0] quit

# Enable OSPF on the devices along the TE tunnels to transmit TE attributes.


# Configure PE1.
[PE1] ospf 1
[PE1-ospf-1] opaque-capability enable
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] mpls-te enable
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure PE2.
[PE2] ospf 1
[PE2-ospf-1] opaque-capability enable
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] mpls-te enable
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

# Configure an MPLS TE tunnel.


# Configure PE1.
[PE1] interface tunnel 0/0/1
[PE1-Tunnel0/0/1] ip address unnumbered interface loopback 1
[PE1-Tunnel0/0/1] tunnel-protocol mpls te
[PE1-Tunnel0/0/1] destination 2.2.2.2
[PE1-Tunnel0/0/1] mpls te tunnel-id 11
[PE1-Tunnel0/0/1] mpls te commit
[PE1-Tunnel0/0/1] quit

# Configure PE2.
[PE2] interface tunnel 0/0/1
[PE2-Tunnel0/0/1] ip address unnumbered interface loopback 1
[PE2-Tunnel0/0/1] tunnel-protocol mpls te
[PE2-Tunnel0/0/1] destination 1.1.1.1
[PE2-Tunnel0/0/1] mpls te tunnel-id 11
[PE2-Tunnel0/0/1] mpls te commit
[PE2-Tunnel0/0/1] quit

# Configure a second MPLS TE tunnel and reserve it for binding, so that the
tunnel policy in Step 5 can bind it to the VPN.


# Configure PE1.
[PE1] interface tunnel 0/0/2
[PE1-Tunnel0/0/2] ip address unnumbered interface loopback 1
[PE1-Tunnel0/0/2] tunnel-protocol mpls te
[PE1-Tunnel0/0/2] destination 2.2.2.2
[PE1-Tunnel0/0/2] mpls te tunnel-id 22
[PE1-Tunnel0/0/2] mpls te reserved-for-binding
[PE1-Tunnel0/0/2] mpls te commit
[PE1-Tunnel0/0/2] quit

# Configure PE2.
[PE2] interface tunnel 0/0/2
[PE2-Tunnel0/0/2] ip address unnumbered interface loopback 1
[PE2-Tunnel0/0/2] tunnel-protocol mpls te
[PE2-Tunnel0/0/2] destination 1.1.1.1
[PE2-Tunnel0/0/2] mpls te tunnel-id 22
[PE2-Tunnel0/0/2] mpls te reserved-for-binding
[PE2-Tunnel0/0/2] mpls te commit
[PE2-Tunnel0/0/2] quit

# After the configuration is complete, run the display mpls te tunnel-interface
command on the PEs. The output shows that Tunnel0/0/1 and Tunnel0/0/2 are both
Up. The information displayed on PE1 is used as an example.
[PE1] display mpls te tunnel-interface
----------------------------------------------------------------
Tunnel0/0/1
----------------------------------------------------------------
Tunnel State Desc : UP
Active LSP : Primary LSP
Session ID : 11
Ingress LSR ID : 1.1.1.1 Egress LSR ID: 2.2.2.2
Admin State : UP Oper State : UP
Primary LSP State : UP
Main LSP State : READY LSP ID : 1

----------------------------------------------------------------
Tunnel0/0/2
----------------------------------------------------------------
Tunnel State Desc : UP
Active LSP : Primary LSP
Session ID : 22
Ingress LSR ID : 1.1.1.1 Egress LSR ID: 2.2.2.2
Admin State : UP Oper State : UP
Primary LSP State : UP
Main LSP State : READY LSP ID : 2

Step 4 Configure VPN instances on PEs and bind the instances to the interfaces
connected to CEs.

# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface gigabitethernet2/0/0
[PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[PE1-GigabitEthernet2/0/0] ip address 10.1.1.2 30
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] ip binding vpn-instance vpnb
[PE1-GigabitEthernet3/0/0] ip address 10.2.1.2 30
[PE1-GigabitEthernet3/0/0] quit

# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] ipv4-family
[PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 100:3
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] ipv4-family
[PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:4
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[PE2-GigabitEthernet2/0/0] ip address 10.3.1.2 30
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface gigabitethernet 3/0/0
[PE2-GigabitEthernet3/0/0] ip binding vpn-instance vpnb
[PE2-GigabitEthernet3/0/0] ip address 10.4.1.2 30
[PE2-GigabitEthernet3/0/0] quit


# Assign IP addresses to the interfaces on the CEs according to Figure 7-66. The
configuration procedure is not provided here.
# After the configuration is complete, run the display ip vpn-instance verbose
command on the PEs to view the configuration of the VPN instances.

NOTE

If a PE has multiple interfaces bound to the same VPN, when you run the ping command to
ping the CE connected to the remote PE, specify the source IP address; that is, specify -a
source-ip-address in the ping -a source-ip-address -vpn-instance vpn-instance-name
destination-address command. Otherwise, the ping fails.

Step 5 Configure and apply a tunnel policy on PEs.


# Configure a tunnel policy that binds the primary tunnel and apply the tunnel
policy to vpna.
# Configure PE1.
[PE1] tunnel-policy policy1
[PE1-tunnel-policy-policy1] tunnel binding destination 2.2.2.2 te tunnel 0/0/2
[PE1-tunnel-policy-policy1] quit
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] tnl-policy policy1
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit

# Configure PE2.
[PE2] tunnel-policy policy1
[PE2-tunnel-policy-policy1] tunnel binding destination 1.1.1.1 te tunnel 0/0/2
[PE2-tunnel-policy-policy1] quit
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] ipv4-family
[PE2-vpn-instance-vpna-af-ipv4] tnl-policy policy1
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit

# Configure a tunnel type prioritizing policy and apply the policy to vpnb.
# Configure PE1.
[PE1] tunnel-policy policy2
[PE1-tunnel-policy-policy2] tunnel select-seq cr-lsp lsp load-balance-number 2
[PE1-tunnel-policy-policy2] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] tnl-policy policy2
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit

# Configure PE2.
[PE2] tunnel-policy policy2
[PE2-tunnel-policy-policy2] tunnel select-seq cr-lsp lsp load-balance-number 2
[PE2-tunnel-policy-policy2] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] ipv4-family
[PE2-vpn-instance-vpnb-af-ipv4] tnl-policy policy2
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit

Step 6 Set up an MP-IBGP peer relationship between the PEs.


# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.2 as-number 100
[PE1-bgp] peer 2.2.2.2 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.2 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.1 as-number 100
[PE2-bgp] peer 1.1.1.1 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.1 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit

# After the configuration is complete, run the display bgp peer or display bgp
vpnv4 all peer command on the PEs. The command output shows that a BGP
peer relationship is set up between PEs and the BGP peer relationship is in
Established state.
Step 7 Set up EBGP peer relationships between PEs and CEs.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-af-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-af-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-af-vpnb] peer 10.2.1.1 as-number 65410
[PE1-bgp-af-vpnb] quit
[PE1-bgp] quit

# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

# Configure CE2.
[CE2] bgp 65410
[CE2-bgp] peer 10.2.1.2 as-number 100
[CE2-bgp] import-route direct
[CE2-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpna
[PE2-bgp-af-vpna] peer 10.3.1.1 as-number 65420
[PE2-bgp-af-vpna] quit
[PE2-bgp] ipv4-family vpn-instance vpnb
[PE2-bgp-af-vpnb] peer 10.4.1.1 as-number 65420
[PE2-bgp-af-vpnb] quit
[PE2-bgp] quit

# Configure CE3.
[CE3] bgp 65420
[CE3-bgp] peer 10.3.1.2 as-number 100
[CE3-bgp] import-route direct
[CE3-bgp] quit

# Configure CE4.
[CE4] bgp 65420
[CE4-bgp] peer 10.4.1.2 as-number 100
[CE4-bgp] import-route direct
[CE4-bgp] quit

Step 8 Verify the configuration.


# Run the display bgp routing-table command on CEs, and you can find the
routes to the remote CEs.
# The information displayed on CE1 is used as an example.
[CE1] display bgp routing-table

BGP Local router ID is 3.3.3.3
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 5
Network NextHop MED LocPrf PrefVal Path/Ogn

*> 3.3.3.3/32 0.0.0.0 0 0 ?
*> 5.5.5.5/32 10.1.1.2 0 100 65420?
*> 10.4.1.0/24 0.0.0.0 0 0 ?
10.4.1.1 0 0 100?
*> 10.1.1.2/32 0.0.0.0 0 0 ?
*> 10.3.1.0/30 10.1.1.2 0 100?
*> 127.0.0.0 0.0.0.0 0 0 ?
*> 127.0.0.1/32 0.0.0.0 0 0 ?

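# Run the display ip routing-table vpn-instance verbose command on the PEs to
view the tunnels used by the VPN routes.
# The information displayed on PE1 is used as an example. The vpna route is
carried over the bound tunnel Tunnel0/0/2, and the vpnb route is load-balanced
over Tunnel0/0/1 and the LDP LSP.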
[PE1] display ip routing-table vpn-instance vpna 5.5.5.5 verbose
Route Flags:
R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpna
Summary Count : 1

Destination: 5.5.5.5/32
Protocol: IBGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 2.2.2.2 Neighbour: 2.2.2.2
State: Active Adv Relied Age: 00h00m08s
Tag: 0 Priority: low
Label: 0x13 QoSInfo: 0x0
IndirectID: 0xb9
RelayNextHop: 0.0.0.0 Interface: Tunnel0/0/2
TunnelID: 0x3d Flags: RD
[PE1] display ip routing-table vpn-instance vpnb 6.6.6.6 verbose
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Table : vpnb
Summary Count : 1

Destination: 6.6.6.6/32
Protocol: IBGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 2.2.2.2 Neighbour: 2.2.2.2
State: Active Adv Relied Age: 00h04m37s
Tag: 0 Priority: low
Label: 0x15 QoSInfo: 0x0
IndirectID: 0xb8
RelayNextHop: 0.0.0.0 Interface: Tunnel0/0/1
TunnelID: 0x3b Flags: RD
RelayNextHop: 0.0.0.0 Interface: LDP LSP
TunnelID: 0x1c Flags: RD


# CEs in the same VPN can ping each other, whereas CEs in different VPNs cannot.

----End
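
The chain this procedure builds (VPN instance, tnl-policy, tunnel policy, TE tunnel) and the separation of vpna from vpnb can be checked offline against a saved configuration. The Python script below is an added example, not part of the Huawei guide; its function names, the trimmed sample configuration, and the rule that a bound tunnel must carry mpls te reserved-for-binding (as Tunnel0/0/2 does in this example) are assumptions of the example.

```python
import re

# Constructed sample: trimmed from the PE1 configuration file on this page.
PE1_CONFIG = """\
ip vpn-instance vpna
 ipv4-family
  tnl-policy policy1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  tnl-policy policy2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
interface Tunnel0/0/1
 destination 2.2.2.2
#
interface Tunnel0/0/2
 destination 2.2.2.2
 mpls te reserved-for-binding
#
tunnel-policy policy1
 tunnel binding destination 2.2.2.2 te Tunnel0/0/2
#
tunnel-policy policy2
 tunnel select-seq cr-lsp lsp load-balance-number 2
"""


def sections(config):
    """Split a configuration on '#' lines into {header: [stripped body lines]}."""
    out = {}
    for block in re.split(r"(?m)^[ \t]*#[ \t]*$", config):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines:
            out[lines[0]] = lines[1:]
    return out


def rts(body, kind):
    """Route targets on the vpn-target lines of one kind (import or export)."""
    return {rt for ln in body if ln.startswith("vpn-target ") and ln.endswith(kind)
            for rt in ln.split()[1:-1]}


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    sec, findings = sections(config), []
    pols = {h.split()[1]: b for h, b in sec.items() if h.startswith("tunnel-policy ")}
    tuns = {h.split()[1]: b for h, b in sec.items() if h.startswith("interface Tunnel")}
    vpns = {h.split()[2]: b for h, b in sec.items() if h.startswith("ip vpn-instance ")}
    # 1. Every tnl-policy that a VPN instance references must be defined.
    for vpn, body in vpns.items():
        for ln in body:
            if ln.startswith("tnl-policy ") and ln.split()[1] not in pols:
                findings.append(f"{vpn}: tnl-policy {ln.split()[1]} is not defined")
    # 2. Assumed rule: a bound tunnel is reserved for binding and ends at the bound destination.
    for name, body in pols.items():
        for ln in body:
            m = re.match(r"tunnel binding destination (\S+) te (\S+)", ln)
            if m:
                dest, tun = m.groups()
                for need in ("mpls te reserved-for-binding", f"destination {dest}"):
                    if need not in tuns.get(tun, []):
                        findings.append(f"{name}: {tun} lacks '{need}'")
    # 3. A route target exported by one VPN must not be imported by another VPN.
    for a in vpns:
        for b in vpns:
            shared = rts(vpns[a], "export-extcommunity") & rts(vpns[b], "import-extcommunity")
            if a != b and shared:
                findings.append(f"{a} exports {sorted(shared)} imported by {b}")
    return findings
```

An empty list from audit() means the policy references resolve and the two VPNs share no route target; a shared route target is reported because it lets routes cross between the VPNs.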

Configuration Files
● PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
tnl-policy policy1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
tnl-policy policy2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 100.1.1.1 255.255.255.252
mpls
mpls te
mpls rsvp-te
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.252
#
interface GigabitEthernet3/0/0
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.252
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
interface Tunnel0/0/1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 2.2.2.2
mpls te tunnel-id 11
mpls te commit
#
interface Tunnel0/0/2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 2.2.2.2
mpls te tunnel-id 22
mpls te reserved-for-binding
mpls te commit
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
#
ipv4-family vpn-instance vpnb
peer 10.2.1.1 as-number 65410
#
ospf 1
opaque-capability enable
area 0.0.0.0
mpls-te enable
network 100.1.1.0 0.0.0.3
network 1.1.1.1 0.0.0.0
#
tunnel-policy policy1
tunnel binding destination 2.2.2.2 te Tunnel0/0/2
#
tunnel-policy policy2
tunnel select-seq cr-lsp lsp load-balance-number 2
#
return
● PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:3
tnl-policy policy1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:4
tnl-policy policy2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 2.2.2.2
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 100.1.1.2 255.255.255.252
mpls
mpls te
mpls rsvp-te
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.252
#
interface GigabitEthernet3/0/0
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.252
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
interface Tunnel0/0/1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 1.1.1.1
mpls te tunnel-id 11
mpls te commit
#
interface Tunnel0/0/2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 1.1.1.1
mpls te tunnel-id 22
mpls te reserved-for-binding
mpls te commit
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpna
peer 10.3.1.1 as-number 65420
#
ipv4-family vpn-instance vpnb
peer 10.4.1.1 as-number 65420
#
ospf 1
opaque-capability enable
area 0.0.0.0
mpls-te enable
network 100.1.1.0 0.0.0.3
network 2.2.2.2 0.0.0.0
#
tunnel-policy policy1
tunnel binding destination 1.1.1.1 te Tunnel0/0/2
#
tunnel-policy policy2
tunnel select-seq cr-lsp lsp load-balance-number 2
#
return

● CE1 configuration file


#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.252
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return

● CE2 configuration file


#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.2.1.1 255.255.255.252
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
#
bgp 65410
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return

● CE3 configuration file


#
sysname CE3
#
interface GigabitEthernet1/0/0
ip address 10.3.1.1 255.255.255.252
#
interface LoopBack1
ip address 5.5.5.5 255.255.255.255
#
bgp 65420
peer 10.3.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.3.1.2 enable
#
return

● CE4 configuration file


#
sysname CE4
#
interface GigabitEthernet1/0/0
ip address 10.4.1.1 255.255.255.252
#
interface LoopBack1
ip address 6.6.6.6 255.255.255.255
#
bgp 65420
peer 10.4.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.4.1.2 enable
#
return

7.10 FAQ About BGP/MPLS IP VPN


This section describes the FAQ about BGP/MPLS IP VPN.


7.10.1 Why Routes Cannot Be Imported When AS Numbers on the BGP/MPLS IP VPN Are the Same?
When the AS number in an Update message received by an EBGP-enabled device is
the same as the AS number of the device, the device discards the Update message.
This prevents routing loops. In some scenarios, however, the device needs to
accept an Update message that carries its own AS number. In Hub and Spoke
networking, when the Hub-PE and Hub-CE use EBGP, the Update message received by
the Hub-CE contains the AS number of the Hub-PE. To prevent the Hub-PE from
discarding such Update messages, run the peer allow-as-loop command to set the
number of times the local AS number can be repeated.
