H3C S9500 Series Operating instructions

Operation Manual – MPLS L3VPN
H3C S9500 Series Routing Switches Table of Contents
Table of Contents
Chapter 1 MPLS L3VPN Configuration
1.1 MPLS L3VPN Overview
1.1.1 MPLS L3VPN Model
1.1.2 MPLS L3VPN Implementation
1.1.3 Nested MPLS L3VPN Implementation
1.1.4 Hierarchical MPLS L3VPN Implementation
1.1.5 Introduction to OSPF Multi-Instance
1.1.6 Introduction to Multi-Role Host
1.2 MPLS L3VPN Configuration
1.2.1 Configuring Various Kinds of Routers
1.2.2 Configuring CE Router
1.2.3 Configuring PE Router
1.2.4 Configuring P Router
1.3 Displaying and Debugging MPLS L3VPN
1.4 Typical MPLS L3VPN Configuration Examples
1.4.1 Integrated MPLS L3VPN Configuration Example
1.4.2 Extranet Configuration Example
1.4.3 Hub&Spoke Configuration Example
1.4.4 CE Dual-home Configuration Example
1.4.5 Cross-domain MPLS L3VPN Configuration Example
1.4.6 Cross-Domain MPLS L3VPN Configuration Example — Option C
1.4.7 Hierarchical MPLS L3VPN Configuration Example
1.4.8 OSPF Multi-instance Sham-link Configuration Example
1.4.9 Nested MPLS L3VPN Configuration Example
1.4.10 OSPF Multi-instance CE Configuration Example
1.4.11 Multi-Role Host Configuration Example
1.4.12 FIB Entry Application Configuration Example
1.5 Troubleshooting MPLS L3VPN Configuration
Chapter 1 MPLS L3VPN Configuration
When configuring MPLS L3VPN, go to these sections for information you are interested in:
• MPLS L3VPN Overview
• MPLS L3VPN Configuration
• Displaying and Debugging MPLS L3VPN
• Typical MPLS L3VPN Configuration Examples
• Troubleshooting MPLS L3VPN Configuration
1.1 MPLS L3VPN Overview
Traditional VPNs, which adopt Layer 2 tunneling protocols (L2TP, L2F, PPTP and so on) or Layer 3 tunnel technologies (IPSec, GRE and so on), have been a great success and are therefore widely used. However, as VPNs grow in size, the deficiencies of traditional VPNs in expansibility and manageability become more and more obvious. In addition, QoS (Quality of Service) and security are also difficult problems for traditional VPNs.
Using the MPLS technology, service providers can implement the IP-based VPN
services easily and enable their networks to meet the expansibility and manageability
requirement for VPN. The VPN constructed by using MPLS also provides the possibility
for the implementation of value-added service. Multiple VPNs can be formed from a
single access point, and each VPN represents a different service, making the network
able to transmit services of different types in a flexible way.
The H3C S9500 series routing switches provide full MPLS L3VPN networking
capabilities:
• Address isolation, allowing the overlap of addresses of different VPNs and public networks.
• Supporting MBGP advertising VPN routing information through public networks, establishing MPLS L3VPN.
• Forwarding VPN data stream over MPLS LSP.
• Providing MPLS VPN performance monitoring and fault detecting tools.
1.1.1 MPLS L3VPN Model
I. MPLS L3VPN model
Figure 1-1 MPLS L3VPN model
As shown in Figure 1-1, MPLS L3VPN model contains three parts: CE, PE and P.
• CE (Customer Edge) device: It is a composing part of the customer network, which is usually connected with the service provider directly through an interface. It may be a router or a switch which cannot sense the existence of VPN.
• PE (Provider Edge) device: It is an edge device of the provider network, connecting with CE devices directly. In MPLS network, a PE device processes all the operations for VPN. PE needs to possess MPLS basic forwarding capability.
• P (Provider) device: It is the backbone router in the provider network, which is not connected with CE directly. P router needs to possess MPLS basic forwarding capability.
The classification of CE and PE mainly depends on the range for the management of
the provider and the customer, and CE and PE are the edges of the management
ranges.
II. Nested MPLS L3VPN model
In a basic MPLS L3VPN model, the PEs are in the network of the service provider and
are managed by the service provider.
When a VPN user wants to subdivide the VPN into multiple VPNs, the traditional
solution is to configure these VPNs directly on the PEs of the service provider. This
solution is easy to implement, but has the following disadvantages: the number of the
VPNs carried on PEs may increase rapidly; the operator may have to perform more
operations when required by a user to adjust the relation between the user's internal
VPNs. These disadvantages not only increase the network operating cost, but also
bring relevant management and security issues.
The nested VPN is a better solution. Its main idea is to transfer VPNv4 routes between the PE and CE of a common MPLS L3VPN so that users themselves can manage their internal VPN division, and the service provider is saved from participating in users' internal VPN management.
The following figure shows the network model for nested VPN:
Figure 1-2 Network model for nested MPLS L3VPN
III. Basic concepts in MPLS L3VPN
1) VPN-instance
VPN-instance is an important concept in VPN routing in MPLS. In an MPLS VPN
implementation, each site corresponds to a specific VPN-instance on PE (their
association is implemented by binding VPN-instance to the VLAN interface). If
subscribers on one site belong to multiple VPNs, then the corresponding VPN-instance
includes information about all these VPNs.
Specifically, a VPN-instance should include the following information: the label forwarding table, the IP routing table, the interfaces bound with the VPN-instance, and the management information (RD, route filtering policy, member interface list, and so on). It includes the VPN membership and routing rules of this site.
PE is responsible for updating and maintaining the relationship between VPN-instance
and VPN. To avoid data leakage from the VPN and illegal data entering into the VPN,
each VPN-instance on the PE has an independent routing table and label forwarding table, in which the forwarding information of the message is saved.
2) MBGP
MBGP (multiprotocol extensions for BGP-4, see RFC2283) propagates VPN
membership information and routes between PE routers. It features backward
compatibility: It not only supports traditional IPv4 address family, but also supports
other address families, for example, VPN-IPv4 address family. MP-BGP ensures that
VPN private routes are only advertised within VPNs, as well as implementing
communication between MPLS VPN members.
3) VPN-IPv4 address
A VPN is just a private network, so the same IP address can be used to indicate different sites. But an IP address is assumed to be unique when MP-BGP advertises CE routes between PE routers, so routing errors may occur because the address has a different meaning in the two systems. The solution is to convert IPv4 addresses to VPN-IPv4 addresses to generate globally unique addresses before advertising them, so PE routers are required to support MP-BGP.
A VPN-IPv4 address consists of 12 bytes: the first eight bytes represent the RD (Route Distinguisher), which is followed by a 4-byte IPv4 address. Service providers can distribute RDs independently. However, their special AS (Autonomous System) number must be taken as a part of the RD. After being processed in this way, even if the 4-byte IPv4 addresses contained in VPN-IPv4 addresses overlap, the VPN-IPv4 addresses remain globally unique. The RD is only used within the carrier network to differentiate routes. When the RD is 0, a VPN-IPv4 address is just an IPv4 address in the general sense.
The route received by PE from CE is the IPv4 route that needs to be redistributed into
VPN-instance routing table, and in this case a RD needs to be added. It is
recommended that the same RD be configured for all routes from the same user site.
IV. VPN Target attribute
VPN Target attribute is one of the MBGP extended community attributes and is used to limit the advertisement of VPN routing information. It identifies the set of sites that can use a route, that is, which sites can receive the route and from which sites the PE router can receive routes. The PE routers connected with the sites specified in VPN Target can all receive the routes with this attribute.
For PE routers, there are two sets of VPN Target attributes: one of them, referred to as Export Targets, is added to the routes received from a directly connected site when local routes are advertised to remote PE routers. The other one, known as Import Targets, is used to decide which routes can be imported into the routing table of this site when routes are received from remote PE routers.
The PE router filters received routing information by matching the VPN Target attribute carried by each route: if the export VPN target set of the received route contains items identical to items in the import VPN target set of the local end, the route is imported into the VPN routing table and then advertised to the connected CE. Otherwise, the route is rejected.
Figure 1-3 Route filtering through matching VPN Target attribute
Note:
Because the PE router uses the VPN Target attribute to filter the routing information it receives, the routes for other VPNs do not appear in the VPN's routing table, so the CE-transmitted data is only forwarded within the VPN.
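The RD and VPN Target mechanics described in this section, as an added Python example that is not part of the H3C manual: it builds 12-byte VPN-IPv4 addresses and applies the export/import target match, then lists which instances exchange routes so the result can be compared with the intended VPN membership. The 2-byte RD type field follows RFC 4364 (the manual only states the 8-byte length); instance names, targets and routes are constructed.

```python
import ipaddress
import struct


def rd_asn(asn, number):
    # ASN form from the manual: 16-bit ASN : 32-bit user-defined number (e.g. 100:1).
    # The leading 2-byte type field (0) comes from RFC 4364, not from the manual.
    return struct.pack(">HHI", 0, asn, number)


def rd_ip(ip, number):
    # IP form from the manual: 32-bit IP address : 16-bit number (e.g. 172.1.1.1:1).
    return struct.pack(">H4sH", 1, ipaddress.IPv4Address(ip).packed, number)


def vpn_ipv4(rd, ipv4):
    # 12 bytes: the 8-byte RD followed by the 4-byte IPv4 address.
    return rd + ipaddress.IPv4Address(ipv4).packed


# Constructed sample: VPN-instances as PEs would hold them (names are hypothetical).
INSTANCES = {
    "red-site1":   {"rd": rd_asn(100, 1), "export": {"100:1"}, "import": {"100:1"}},
    "red-site2":   {"rd": rd_asn(100, 1), "export": {"100:1"}, "import": {"100:1"}},
    "green-site1": {"rd": rd_asn(100, 2), "export": {"100:2"}, "import": {"100:2"}},
}


def advertise(instances, origin, prefix):
    """Route as the origin PE sends it over MBGP: VPN-IPv4 NLRI plus Export Targets."""
    net = ipaddress.IPv4Network(prefix)
    inst = instances[origin]
    return {"origin": origin, "prefix": prefix,
            "nlri": vpn_ipv4(inst["rd"], str(net.network_address)),
            "targets": set(inst["export"])}


def imported_routes(instances, receiver, routes):
    """Prefixes the receiver imports: a route is accepted only if its export
    targets share at least one item with the receiver's import targets."""
    wanted = instances[receiver]["import"]
    return sorted(r["prefix"] for r in routes
                  if r["origin"] != receiver and r["targets"] & wanted)


def import_matrix(instances):
    """Audit view: every (exporter, importer) pair whose targets intersect."""
    return sorted((a, b) for a in instances for b in instances
                  if a != b and instances[a]["export"] & instances[b]["import"])


if __name__ == "__main__":
    # red-site1 and green-site1 use the same private prefix on purpose.
    routes = [advertise(INSTANCES, "red-site1", "10.1.1.0/24"),
              advertise(INSTANCES, "red-site2", "10.1.2.0/24"),
              advertise(INSTANCES, "green-site1", "10.1.1.0/24")]
    for r in routes:
        print(r["origin"], r["prefix"], r["nlri"].hex(), sorted(r["targets"]))
    for name in INSTANCES:
        print(name, "imports", imported_routes(INSTANCES, name, routes))
    print("route exchange pairs:", import_matrix(INSTANCES))
```

Any pair in `import_matrix` that crosses a VPN boundary is a place where routes, and therefore traffic, can pass between VPNs.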
V. Routing policy
If the advertisement of routing information needs to be controlled in a more accurate
manner than using egress extended community attributes only, you can use an
outgoing routing policy.
In the outgoing routing policy you can set specific extended community attributes for
specific routes to be advertised.
After creating a VPN instance, you can choose whether to configure an outgoing
routing policy for it.
1.1.2 MPLS L3VPN Implementation
MPLS L3VPN works on this principle: It uses BGP to propagate VPN private routing
information on carrier backbone network, and uses MPLS to forward VPN service
traffic.
The following are introductions to MPLS L3VPN implementation from two aspects:
advertising VPN routing information and forwarding VPN packets.
I. Advertising VPN routing information
Routing information exchange has the following four types:
1) Between CE and PE
A PE router can learn routing information about the CE connected to it through static
route, RIP (supporting multi-instance), OSPF (supporting multi-instance) or EBGP, and
imports it in a vpn-instance.
2) Between ingress PE and egress PE
The ingress PE router uses MP-BGP to send information across public network: It
advertises routing information learned from CE to the egress PE router (with MPLS
label) and learns the CE routing information learned at the egress PE router.
The internal connectivity among the VPN internal nodes is ensured through enabling
IGP (for example, RIP and OSPF) or configuring static routes on the PEs.
3) LSP setup between PEs
LSPs must be set up between PEs so that VPN data traffic can be forwarded over MPLS LSPs. The PE router that receives packets from the CE and creates the label stack is called the Ingress LSR, while the BGP next hop (egress PE router) is the Egress LSR. Use LDP to create fully connected LSPs among PEs.
4) Between PE and CE
A CE can learn remote VPN routes from the PE connected through static routes, RIP,
OSPF or EBGP.
With above-mentioned steps, reachable routes can be established between CEs, for
transmission of VPN private routing information over public network.
II. Forwarding VPN packets
On the ingress PE, a two-layer label stack is formed for each VPN packet:
Interior-layer label, also called MPLS label, is at the bottom of the label stack and is distributed by M-BGP when the egress PE advertises routing information (in VPN forwarding table) to the ingress PE. When VPN packets from public network reach the CE, they can be forwarded from the designated interface to the designated CE or site by searching for the target MPLS forwarding table according to the labels contained.
Exterior-layer label, known as LSP initialization label, distributed by MPLS LDP, is at
the top of the label stack and indicates an LSP from the ingress PE to egress PE. By the
switching of exterior-layer label, VPN packets can be forwarded along the LSP to the
peer PE.
Figure 1-4 illustrates the details:
Figure 1-4 Forwarding VPN packets
1) Site 1 sends an IPv4 packet with the destination address of 1.1.1.2 to CE1. CE1 looks up the IP routing table for a matched entry and sends the packet to PE1 according to the matched entry.
2) Depending on the interface the packet reaches and its destination, PE1 looks up the VPN-instance entry to obtain the interior-layer label, exterior-layer label, BGP next hop (PE2), and output interfaces. After the labels are added, PE1 forwards the MPLS packet to the first P of the LSP through the output interface.
3) Each P router on the LSP forwards the MPLS packet using the exterior-layer label to the penultimate-hop router, namely the P router before PE2. The penultimate-hop router removes the exterior-layer label and sends the MPLS packet to PE2.
4) PE2 looks up the MPLS forwarding table according to the interior-layer label and destination address to determine the labeling operation and the egress interface for the packet. It then removes the interior-layer label and forwards the IPv4 packet to CE2 through the egress interface.
5) CE2 looks up the routing table and sends the packet to Site 2 in normal IPv4 packet forwarding mode.
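The forwarding steps above, as an added Python simulation that is not part of the H3C manual: two VPNs send to the same destination 1.1.1.2 through the same PE and P routers and are kept apart only by the interior-layer label. Label values, interface names, VPN names and the CE4 device are constructed, and the sketch assumes the interior-layer label alone identifies the egress CE.

```python
import ipaddress

# Constructed sample path: CE - PE1 - P1 - P2 - PE2 - CE2/CE4.
# VPN is chosen on PE1 by the interface the packet arrives on.
PE1_BINDING = {"Vlan-interface10": "vpn-red", "Vlan-interface20": "vpn-green"}
# Per VPN-instance routes learned over MBGP: prefix -> (interior label, BGP next hop)
PE1_VPN_ROUTES = {
    "vpn-red":   {"1.1.1.2/32": (1025, "PE2")},
    "vpn-green": {"1.1.1.2/32": (1026, "PE2")},
}
# Exterior label distributed by LDP for the LSP towards each BGP next hop.
PE1_LSP = {"PE2": (3001, "P1")}
# P routers switch on the exterior label only; None means "remove it" (penultimate hop).
P_LFIB = {
    "P1": {3001: (3002, "P2")},
    "P2": {3002: (None, "PE2")},
}
# Egress PE: interior label -> (VPN-instance, attached CE)
PE2_INNER = {1025: ("vpn-red", "CE2"), 1026: ("vpn-green", "CE4")}


def ingress_pe(in_if, dst):
    """Step 2: pick the VPN by ingress interface, then push interior and exterior labels."""
    vpn = PE1_BINDING[in_if]
    dst_ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), v)
               for p, v in PE1_VPN_ROUTES[vpn].items()
               if dst_ip in ipaddress.ip_network(p)]
    if not matches:
        raise LookupError(f"{vpn}: no route to {dst}")
    _, (inner, next_hop) = max(matches, key=lambda m: m[0].prefixlen)
    outer, first_p = PE1_LSP[next_hop]
    return first_p, {"labels": [outer, inner], "dst": dst}  # top of stack first


def p_router(name, pkt):
    """Step 3: a P router reads only the top (exterior) label; it holds no VPN routes."""
    out_label, nxt = P_LFIB[name][pkt["labels"][0]]
    rest = pkt["labels"][1:]
    labels = rest if out_label is None else [out_label] + rest
    return nxt, {"labels": labels, "dst": pkt["dst"]}


def egress_pe(pkt):
    """Step 4: the interior label selects the VPN-instance and egress CE, then is removed."""
    vpn, ce = PE2_INNER[pkt["labels"][0]]
    return vpn, ce, {"labels": pkt["labels"][1:], "dst": pkt["dst"]}


def forward(in_if, dst):
    """Walk one packet from PE1 to the egress CE, recording the label stack after each hop."""
    trace = []
    node, pkt = ingress_pe(in_if, dst)
    trace.append(("PE1", list(pkt["labels"])))
    while node in P_LFIB:
        here = node
        node, pkt = p_router(here, pkt)
        trace.append((here, list(pkt["labels"])))
    vpn, ce, pkt = egress_pe(pkt)
    trace.append(("PE2", list(pkt["labels"])))
    return vpn, ce, trace


if __name__ == "__main__":
    for in_if in PE1_BINDING:
        print(in_if, "->", forward(in_if, "1.1.1.2"))
```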
1.1.3 Nested MPLS L3VPN Implementation
When implementing a nested MPLS L3VPN, pay attention to the following items:
• No address overlap is allowed between user's internal sub-VPNs.
• To ensure the VPN routing information is correctly advertised over the backbone network, the VPN-Targets of the user VPN and the internal sub-VPNs cannot be overlapped and must be specified by the service provider.
• The provider PE and the customer PE must be directly connected and cannot exchange VPNv4 route in Multihop-EBGP mode.
Before configuring a nested MPLS L3VPN, you must complete the following tasks:
• Configuring IGP on the MPLS backbone network (including provider PE and P routers) to implement the IP connectivity on the backbone network.
• Configuring basic MPLS capability on the MPLS backbone network.
• Configuring MPLS LDP and setting up LDP LSP on the MPLS backbone network.
• Configuring BGP on the MPLS backbone network (create IBGP peers between provider PEs).
• Configuring basic MPLS capability on user-end network (including customer PEs).
1.1.4 Hierarchical MPLS L3VPN Implementation
As PE is required to aggregate multiple VPN routes on a MPLS L3VPN, it is prone to
forming a bottleneck in a large-scale deployment or in the case that PE capacity is
small. To solve the problem, Hangzhou H3C Technologies Co., Ltd. introduced the
HoVPN (Hierarchy of VPN, Hierarchical MPLS L3VPN) solution.
Hierarchical MPLS L3VPN divides an MPLS VPN into several MPLS VPNs in a
hierarchical network structure. Each VPN takes on a role depending on its level. There
are high performance requirements in routing and forwarding on the PEs at the higher
level of MPLS VPN, because they are primarily used for connecting the backbone
networks and providing access service for huge VPN clients. However, such
requirements are relatively low for PEs at the lower level of the network as they
primarily function to access the VPN clients at the edges. Congruous with the IP
network model, HoVPN model improves the scalability of MPLS L3VPN, and hence
allows lower-layer MPLS VPNs comprising low-end equipment to provide MPLS VPN
accessing and interconnect through the high-end MPLS VPN backbone.
As shown in Figure 1-5, the PEs directly connected with user devices are called UPE (underlayer PE or user-end PE); the devices in the core network connected with the UPEs are called SPE (superstratum PE or service-provider-end PE).
Hierarchical PEs have the same appearance as that of the traditional PEs and can
coexist with other PEs in the same MPLS network.
UPEs are responsible for user access; they only maintain the routes of directly
connected VPN sites, but not that of the remote sites. SPEs, however, are responsible
for the maintenance and advertisement of VPN routes; they maintain all the routes of
the VPNs connected by their UPEs, including the routes in both local and remote sites.
UPE and SPE are relative concepts. In a multi-layer PE architecture, an upper layer PE
is an SPE for its lower layer PE, and a lower layer PE is an UPE for its upper layer PE.
The MBGP running between SPE and UPE can be either MP-IBGP or MP-EBGP, depending on whether the SPE and the UPE are in the same AS.
Figure 1-5 Hierarchical MPLS L3VPN
1.1.5 Introduction to OSPF Multi-Instance
As one of the most popular IGP routing protocols, OSPF is used as an internal routing protocol in many VPNs. Using OSPF on PE-CE links is convenient because in this case CE routers only need to support the OSPF protocol, without the need to support other protocols, and network administrators only have to know the OSPF protocol. If you want to transform a conventional OSPF backbone into MPLS L3VPN, using OSPF between PE and CE can simplify the transformation.
Therefore, the IETF put forward two new OSPF VPN extension drafts to provide a complete solution to OSPF problems in MPLS L3VPN applications when OSPF is used as the PE-CE routing protocol. In this case, the PE router must be able to run multiple OSPF instances, each of which corresponds to one VPN instance, owns an individual interface and routing table, and sends VPN routing information over the MPLS network using BGP/OSPF interaction.
If it supports OSPF multi-instance, one router can run multiple OSPF processes, which can be bound to different VPN instances. In practice, you can create one OSPF instance for each service type. OSPF multi-instance can fully isolate different services in transmission, which can solve security problems at low cost to meet the needs of customers. Generally, OSPF multi-instance is run on PEs; the CE running OSPF multi-instance in the LAN is called a multi-VPN-instance CE. At present, isolation of LAN services is implemented by the VLAN function of the switch. OSPF Multi-VPN-Instance CE provides schemes for service isolation implemented on routers.
Figure 1-6 OSPF multi-instance application in MPLS L3VPN PE
Figure 1-7 Multi-VPN-instance CE application in conventional LAN
1.1.6 Introduction to Multi-Role Host
The VPN attribute of the packets from a CE to its PE depends on the VPN bound with the ingress interface. This in fact means that all the CEs whose packets the PE forwards through the same ingress interface belong to the same VPN; but in actual network environments, a CE may need to access multiple VPNs through one physical interface. Though you can configure different logical interfaces to meet this need, this compromise brings an additional configuration burden and has limitations in actual use.
To resolve this problem, the idea of the multi-role host was introduced. Specifically, the idea is to differentiate access to different VPNs by configuring policy routing based on IP addresses, and to transmit the downstream data flow from PE to CE by configuring static routing. Static routing for a multi-role host is different from that for common hosts: a static route in one VPN specifies an interface of another VPN as the egress interface, thus allowing one logical interface to access multiple VPNs.
1.2 MPLS L3VPN Configuration
1.2.1 Configuring Various Kinds of Routers
Implementing MPLS L3VPN functions requires the following procedures in general:
Configure basic information on PE, CE and P; establish the logical or physical link with
IP capabilities from PE to PE; advertise and update VPN network information.
I. CE router
The configuration on CE is relatively simple. Only static route, RIP, OSPF or EBGP configuration is needed for VPN routing information exchange with the connected PE; MPLS configuration is not needed.
II. PE router
The configuration on PE is relatively complex. After the configuration, the PE implements MPLS L3VPN core functions.
The following sections describe the configuration tasks on a PE device:
• Configuring basic MPLS capability
• Defining MPLS L3VPN site
• Configuring PE-CE route exchanging
• Configuring PE-PE route exchanging
III. P router
The configuration on P device is relatively simple. The main task is to configure MPLS basic capacity on the P device to support LDP and MPLS forwarding.
The following are detailed configurations.
1.2.2 Configuring CE Router
As a customer-side device, only basic configuration is required on a CE router, for
routing information exchange with PE router. Currently route switching modes available
include static route, RIP, OSPF, EBGP, and so on.
I. Creating static route
If you select static route mode for CE-PE route switching, you should then configure a
private static route pointing to PE on CE.
Perform the following configuration in the system view to create/delete a static route in
VPN instance routing table:
To do... / Use the command...
Create a specified VPN-instance static route:
    ip route-static [ vpn-instance vpn-instance-name-list ] ip-address { mask | mask-length } { interface-type interface-number | vpn-instance vpn-instance-name nexthop-ip-address } [ public ] [ preference preference-value | tag tag-value | public ] * [ reject | blackhole ] [ description text ]
Delete a specified VPN-instance static route:
    undo ip route-static vpn-instance vpn-instance-name-list destination-ip-address { mask | mask-length } [ interface-name | vpn-instance vpn-nexthop-name ] nexthop-ip-address [ public ] [ preference preference-value ]
By default, the preference value for a static route is 60. You can also specify preference
for a static route.
II. Configuring RIP
If you select RIP mode for CE-PE route switching, you should then configure RIP on
CE.
III. Configuring OSPF
If you select OSPF mode for CE-PE route switching, you should then configure OSPF
on CE.
You must configure OSPF multi-instance to isolate services of different VPNs on CE
router, which is now called Multi-VPN-Instance CE.
You can bind OSPF processes with VPN with the following command in OSPF view.
Table 1-1 Configure the router as multi-VPN-instance CE
To do... / Use the command...
Configure the router as multi-VPN-instance CE:
    vpn-instance-capability simple
Remove the configuration:
    undo vpn-instance-capability
IV. Configuring EBGP
If you select BGP mode for CE-PE route switching, you should then configure EBGP
peer, import direct-connect route, static route and other IGP routes, for BGP to
advertise VPN routes to PE.
1.2.3 Configuring PE Router
I. Configuring basic MPLS capability
This includes configuring the MPLS LSR ID, enabling MPLS globally and enabling MPLS in the corresponding VLAN interface view.
Refer to MPLS Configuration.
II. Defining MPLS L3VPN site
1) Create VPN-instance and enter VPN-instance view
The VPN instance is associated with a site. The VPN membership and routing rules of a site are configured in the corresponding VPN instance.
This command is used to create a new VPN-instance and enter the VPN-instance view,
or directly enter the VPN-instance view if the VPN-instance already exists.
Perform the following configuration in the system view to create a VPN-instance and
enter VPN-instance view:
To do... / Use the command...
Create a VPN-instance and enter VPN-instance view:
    ip vpn-instance vpn-instance-name
Delete a VPN-instance:
    undo ip vpn-instance vpn-instance-name
By default, no VPN-instance is defined.
2) Configure RD for the vpn-instance
After the PE router is configured with an RD, when a VPN route learned from a CE is imported into BGP, BGP attaches the RD in front of the IPv4 address. The ordinary IPv4 address, which may overlap with IPv4 addresses in other VPNs, is thus turned into a globally unique VPN IPv4 address, which ensures correct routing in the VPN.
Perform the following configuration in VPN-instance view to configure RD for the
VPN-instance:
To do... / Use the command...
Configure RD for the VPN-instance:
    route-distinguisher route-distinguisher
The parameter in the above command has no default value. A VPN-instance works only
when a RD is configured for it. Other parameters for a VPN-instance cannot be
configured before configuring a RD for it.
To modify the RD, you must first delete the VPN-instance and reconfigure it.
3) Configure VPN-instance description
Perform the following configuration in VPN-instance view to configure VPN-instance
description:
To do... / Use the command...
Configure VPN-instance description:
    description vpn-instance-description
Delete VPN-instance description:
    undo description
4) Configure VPN-target attribute for the VPN-instance
VPN-target attribute, a BGP extension community attribute, controls advertisement of
VPN routing information.
The following is the advertisement controlling process of VPN routing information:
• When a VPN route learned from a CE is imported into BGP, BGP associates a VPN-target extension community attribute list with the route. Usually the list is the output routing attribute list of the VPN-instance associated with the CE.
• The VPN instance defines its input routing attribute list according to the import-extcommunity in VPN-target, which defines the range of acceptable routes to import.
• The VPN instance modifies the VPN-target attributes of the routes to be advertised according to the export-extcommunity in VPN-target.
Like an RD, an extension community includes an ASN plus an arbitrary number or an IP
address plus an arbitrary number. There are two types of formats:
The first one is related to autonomous system number (ASN), in the form of 16-bit ASN
(can be 0 here): 32-bit user-defined number, for example, 100:1.
The second one is related to IP address, in the form of 32-bit IP address (can be 0.0.0.0
here):16-bit user-defined number, for example, 172.1.1.1:1.
Perform the following configuration in the VPN-instance view to create VPN-target
extended community for the VPN-instance:
To do... / Use the command...
Configure VPN-target extended community for the VPN-instance:
    vpn-target vpn-target-extcommunity [ import-extcommunity | export-extcommunity | both ]
Delete the specified VPN-target attribute from the VPN-target attribute list associated with the VPN-instance:
    undo vpn-target vpn-target-extcommunity [ import-extcommunity | export-extcommunity | both ]
By default, the value is both. In general all Sites in a VPN can be interconnected, and
the import-extcommunity and export-extcommunity attributes are the same, so you
can execute the command only with the both option.
Up to 16 VPN-targets can be configured with a command, and up to 20 vpn-targets can
be configured for a VPN-instance.
5) Limit the maximum number of routes in a VPN-instance
This command is used to limit the maximum number of routes for a VPN-instance so as
to avoid too many routes imported from a Site.
Perform the following configuration in the VPN-instance view to set the maximum
number of routes in the VPN-instance:
To do... / Use the command...
Limit the maximum number of routes in the VPN-instance:
    routing-table limit integer { alarm-integer | syslog-alert }
Remove the maximum number limitation:
    undo routing-table limit
Integer is in the range of 1 to 65536 and alarm-integer is in the range of 1 to 100.
Note:
Changing the maximum route limit for VPN-instance will not affect the existing routing
table. To make the new configuration take effect immediately, you should rebuild the
corresponding routing protocol or perform shutdown/undo shutdown operation on
the corresponding interface.
6) Configure vlan-id larger than 1024 on the fast Ethernet port of Trunk type (Optional)
Configure a vlan-id larger than 1024; the range of MPLS/VPN VLANs allowed to
pass the port is then from vlan-id to vlan-id + 1023.
Perform the following configuration in Ethernet port view to configure the vlan-id range
of MPLS/VPN VLANs allowed:
To do: Configure the vlan-id range of MPLS/VPN VLANs allowed to pass Trunk fast Ethernet ports
Use the command: port trunk mpls vlan from vlan-id [ to ] vlanid

To do: Remove the configured vlan-id range of MPLS/VPN VLANs allowed to pass Trunk fast Ethernet ports
Use the command: undo port trunk mpls
By default, the vlan-id range of MPLS/VPN VLANs is from 0 to 1023, and the default
value of vlan-id is 0. The value range of vlan-id is from 1 to 3071.
Caution:
• This command is only applicable to fast Ethernet ports on the cards with suffix C.
• This command can only be executed on Trunk ports, and MPLS/VPN-enabled
VLANs and VLANs out of the configured range are excluded.
• Set the VPN range for the cards and set the range of MPLS/VPN VLAN vlan-id on
the interface of the card to 1 to 4094.
Perform the following configuration in system view to configure the MPLS/VPN VLAN
vlan-id range for the card:
To do: Enable the 4K VPN-range for the card
Use the command: vlan vpn-range slot slot-number enable

To do: Disable the 4K VPN-range for the card
Use the command: undo vlan vpn-range slot slot-number enable
Caution:
• This command is only applicable to fast Ethernet ports on the cards with suffix C.
• This command is actually effective for only the first 12 ports on the card. When you
configure MPLS/VPN VLAN vlan-id on subsequent ports, only the MPLS/VPN
VLAN range enabled for one VLAN will take effect. If you remove MPLS/VPN
configuration from an active port, no subsequent port will take effect automatically
either, and you have to reconfigure the ports to update their states.
• For F32GC card, 4 GE ports are initialized for 4k VLANs. Of 32 FE ports, only the
first 8 ports will take effect.
• Restart the card after issuing a command or its corresponding undo command to
ensure that the configuration takes effect.
• After you cancel card configuration, if the VLAN configured on a port exceeds 1K,
which is the default value, the configuration will be deleted automatically.
• In aggregation mode, VPN-range configuration will not be synchronized
automatically and you can manually make/remove the configuration on an individual
port.
• Set the VPN range for the ports and set the range of MPLS/VPN VLAN vlan-id on
the ports to 1 to 4094.
Perform the following configuration in Ethernet interface view.
Table 1-2 Configure the MPLS/VPN VLAN vlan-id range for the interface
To do: Enable the 4K vpn-range for the interface
Use the command: port vpn-range share-mode enable

To do: Disable the 4K vpn-range for the interface
Use the command: undo port vpn-range share-mode enable
Caution:
• This command is only applicable to the ports on the cards with suffix C.
• Ports supporting this function stop supporting the application of ACL rules.
7) Associate interface with VPN-instance
A VPN instance is associated with the directly connected Site through interface binding.
When packets from the Site reach the PE router through the bound interface, the PE
can look up routing information (including next hop, label, egress interface, and so
on) in the corresponding VPN-instance.
This command can associate a VPN-instance with an interface.
Perform the following configuration in VLAN interface view to associate interface with
VPN-instance:
To do: Associate interface with VPN-instance
Use the command: ip binding vpn-instance vpn-instance-name

To do: Remove the association of the interface with VPN-instance
Use the command: undo ip binding vpn-instance vpn-instance-name
Caution:
As executing the ip binding vpn-instance command on an interface will delete the IP
address of the interface, you must configure the IP address of the interface after
executing that command when you bind the interface with a VPN-instance.
8) Configure an outgoing routing policy for a VPN instance
By configuring an outgoing routing policy for a VPN instance, you can set specific
extended community attributes for specific routes.
Perform the following operation in VPN instance view to configure/remove outgoing
routing policy association:
To do: Configure an outgoing routing policy for the VPN instance
Use the command: export route-policy route-policy-name

To do: Remove the outgoing routing policy applied on the VPN instance
Use the command: undo export route-policy
III. Configuring PE-CE route exchanging
These route exchanging modes are available between PE and CE: static route, RIP,
OSPF, EBGP.
1) Configure static route on PE
You can configure a static route pointing to CE on PE for it to learn VPN routing
information from CE.
Perform the following configuration in the system view to create/delete static route in
VPN-instance routing table:
To do: Create the static route of a specific VPN-instance
Use the command: ip route-static [ vpn-instance vpn-instance-name-list ] ip-address { mask | mask-length } { interface-type interface-number | vpn-instance vpn-instance-name nexthop-ip-address } [ public ] [ preference preference-value | tag tag-value | public ] * [ reject | blackhole ] [ description text ]

To do: Delete a static route of a specific VPN-instance
Use the command: undo ip route-static vpn-instance vpn-instance-name-list destination-ip-address { mask | mask-length } [ interface-name | vpn-instance vpn-nexthop-name ] nexthop-ip-address [ public ] [ preference preference-value ]
By default, the preference value for a static route is 60. You can also specify another
preference for the static route you are configuring.
2) Configure RIP multi-instance
If you select RIP mode for CE-PE route switching, you should then specify running
environment for RIP instance on PE. With this command, you can enter RIP view and
import and advertise RIP instance in the view.
Perform the following configuration in the RIP view to configure PE-CE RIP instance:
To do: Create PE-CE RIP instance
Use the command: ipv4-family [ unicast ] vpn-instance vpn-instance-name

To do: Delete PE-CE RIP instance
Use the command: undo ipv4-family [ unicast ] vpn-instance vpn-instance-name
Then configure RIP multi-instance to import IBGP routes.
3) Configure OSPF multi-instance on PE
If you select OSPF mode for CE-PE route switching, you should then configure OSPF
multi-instance on PE. Other configurations, such as MPLS basic configuration and
VPN-instance configuration, do not change. Note that when OSPF routes and
direct-connect routes are imported in the VPN instance address family view, BGP
routes should also be imported into OSPF. Only the OSPF multi-instance
configuration is described in detail here.
Step 1: Configure OSPF process.
Perform the following configuration in the system view to configure OSPF process:
To do: Configure an OSPF process
Use the command: ospf process-id [ router-id router-id-number ] [ vpn-instance vpn-instance-name ]

To do: Delete an OSPF process
Use the command: undo ospf process-id
By default, the process index is 1.
Caution:
An OSPF process can only belong to one VPN instance, while one VPN instance may
contain multiple OSPF processes. By default, an OSPF process belongs to public
network.
Step 2: Configure Domain ID
The Domain ID is used to identify an OSPF autonomous system (AS), and the same
OSPF domain must have the same Domain ID. One process can be configured with
only one Domain ID; different processes can be configured with the same Domain ID or
different Domain IDs.