Example for Configuring BGP/MPLS IP VPN
Networking Requirements
CE1 connects to the headquarters R&D area of a company, and CE3 connects to the branch R&D area. CE1 and CE3 belong to vpna.
CE2 connects to the headquarters non-R&D area, and CE4 connects to the branch non-R&D area. CE2 and CE4 belong to vpnb.
BGP/MPLS IP VPN needs to be deployed for the company to ensure secure communication between the headquarters and branches.
Configuration Roadmap
The configuration roadmap is as follows:
Configure OSPF between the P and PEs to ensure IP connectivity on the backbone network.
Configure basic MPLS capabilities and MPLS LDP on the P and PEs to set up MPLS LSP tunnels for VPN data transmission on the backbone network.
Configure VPN instances vpna and vpnb on PE1 and PE2. Set the VPN target of vpna to 111:1 and the VPN target of vpnb to 222:2. This configuration allows users in the same VPN to communicate with each other and isolates users in different VPNs. Bind the VPN instance to the PE interfaces connected to CEs to provide access for VPN users.
Configure MP-IBGP on PE1 and PE2 to enable them to exchange VPN routing information.
Configure EBGP on the CEs and PEs to exchange VPN routing information.
Procedure
Configure OSPF on the MPLS backbone network so that the PEs and Ps can communicate with each other.
# Configure PE1.
<Huawei> system-view[Huawei] sysname PE1[PE1] interface loopback 1[PE1-LoopBack1] ip address 1.1.1.9 32[PE1-LoopBack1] quit[PE1] interface gigabitethernet 3/0/0[PE1-GigabitEthernet3/0/0] ip address 172.1.1.1 24[PE1-GigabitEthernet3/0/0] quit[PE1] ospf 1[PE1-ospf-1] area 0[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0[PE1-ospf-1-area-0.0.0.0] quit[PE1-ospf-1] quit
# Configure P.
<Huawei> system-view[Huawei] sysname P[P] interface loopback 1[P-LoopBack1] ip address 2.2.2.9 32[P-LoopBack1] quit[P] interface gigabitethernet 1/0/0 [P-GigabitEthernet1/0/0] ip address 172.1.1.2 24[P-GigabitEthernet1/0/0] quit[P] interface gigabitethernet 2/0/0[P-GigabitEthernet2/0/0] ip address 172.2.1.1 24[P-GigabitEthernet2/0/0] quit[P] ospf[P-ospf-1] area 0[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0[P-ospf-1-area-0.0.0.0] quit[P-ospf-1] quit
# Configure PE2.
<Huawei> system-view[Huawei] sysname PE2[PE2] interface loopback 1[PE2-LoopBack1] ip address 3.3.3.9 32[PE2-LoopBack1] quit[PE2] interface gigabitethernet 3/0/0 [PE2-GigabitEthernet3/0/0] ip address 172.2.1.2 24[PE2-GigabitEthernet3/0/0] quit[PE2] ospf[PE2-ospf-1] area 0[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0[PE2-ospf-1-area-0.0.0.0] quit[PE2-ospf-1] quit
After the configuration is complete, OSPF neighbor relationships can be set up between PE1, P, and PE2. Run the display ospf peer command. The command output shows that the neighbor status is Full. Run the display ip routing-table command. The command output shows that PEs have learned the routes to Loopback1 of each other.
The information displayed on PE1 is used as an example.
[PE1] display ip routing-tableRoute Flags: R - relay, D - download to fib------------------------------------------------------------------------------ Routing Tables: Public Destinations : 11 Routes : 11 Destination/Mask Proto Pre Cost Flags NextHop Interface 1.1.1.9/32 Direct 0 0 D 127.0.0.1 LoopBack1 2.2.2.9/32 OSPF 10 1 D 172.1.1.2 GigabitEthernet3/0/0 3.3.3.9/32 OSPF 10 2 D 172.1.1.2 GigabitEthernet3/0/0 127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0 127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0 127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0 172.1.1.0/24 Direct 0 0 D 172.1.1.1 GigabitEthernet3/0/0 172.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet3/0/0 172.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet3/0/0 172.2.1.0/24 OSPF 10 2 D 172.1.1.2 GigabitEthernet3/0/0 255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
[PE1] display ospf peer OSPF Process 1 with Router ID 1.1.1.9 Neighbors Area 0.0.0.0 interface 172.1.1.1(GigabitEthernet3/0/0)'s neighbors Router ID: 2.2.2.9 Address: 172.1.1.2 State: Full Mode:Nbr is Master Priority: 1 DR: 172.1.1.1 BDR: 172.1.1.2 MTU: 0 Dead timer due in 37 sec Retrans timer interval: 5 Neighbor is up for 00:16:21 Authentication Sequence: [ 0 ]
Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network to set up LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9[PE1] mpls[PE1-mpls] quit[PE1] mpls ldp[PE1-mpls-ldp] quit[PE1] interface gigabitethernet 3/0/0[PE1-GigabitEthernet3/0/0] mpls[PE1-GigabitEthernet3/0/0] mpls ldp[PE1-GigabitEthernet3/0/0] quit
# Configure P.
[P] mpls lsr-id 2.2.2.9[P] mpls[P-mpls] quit[P] mpls ldp[P-mpls-ldp] quit[P] interface gigabitethernet 1/0/0[P-GigabitEthernet1/0/0] mpls[P-GigabitEthernet1/0/0] mpls ldp[P-GigabitEthernet1/0/0] quit[P] interface gigabitethernet 2/0/0[P-GigabitEthernet2/0/0] mpls[P-GigabitEthernet2/0/0] mpls ldp[P-GigabitEthernet2/0/0] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9[PE2] mpls[PE2-mpls] quit[PE2] mpls ldp[PE2-mpls-ldp] quit[PE2] interface gigabitethernet 3/0/0[PE2-GigabitEthernet3/0/0] mpls[PE2-GigabitEthernet3/0/0] mpls ldp[PE2-GigabitEthernet3/0/0] quit
After the configuration is complete, LDP sessions can be set up between PE1 and the P and between the P and PE2. Run the display mpls ldp session command. The command output shows that the Status field is Operational. Run the display mpls ldp lsp command. Information about the established LDP LSPs is displayed.
The information displayed on PE1 is used as an example.
[PE1] display mpls ldp session LDP Session(s) in Public Network Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM) A '*' before a session means the session is being deleted. ------------------------------------------------------------------------------ PeerID Status LAM SsnRole SsnAge KASent/Rcv ------------------------------------------------------------------------------ 2.2.2.9:0 Operational DU Active 0000:00:01 6/6 ------------------------------------------------------------------------------ TOTAL: 1 session(s) Found.
[PE1] display mpls ldp lspLDP LSP Information ------------------------------------------------------------------------------- DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface ------------------------------------------------------------------------------- 1.1.1.9/32 3/NULL 2.2.2.9 127.0.0.1 InLoop0 *1.1.1.9/32 Liberal/1024 DS/2.2.2.9 2.2.2.9/32 NULL/3 - 172.1.1.2 GE3/0/0 2.2.2.9/32 1024/3 2.2.2.9 172.1.1.2 GE3/0/0 3.3.3.9/32 NULL/1025 - 172.1.1.2 GE3/0/0 3.3.3.9/32 1025/1025 2.2.2.9 172.1.1.2 GE3/0/0 ------------------------------------------------------------------------------- TOTAL: 5 Normal LSP(s) Found. TOTAL: 1 Liberal LSP(s) Found. TOTAL: 0 Frr LSP(s) Found. A '*' before an LSP means the LSP is not established A '*' before a Label means the USCB or DSCB is stale A '*' before a UpstreamPeer means the session is stale A '*' before a DS means the session is stale A '*' before a NextHop means the LSP is FRR LSP
Configure VPN instances on PEs and bind the instances to the interfaces connected to CEs.
# Configure PE1.
[PE1] ip vpn-instance vpna[PE1-vpn-instance-vpna] ipv4-family[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both[PE1-vpn-instance-vpna-af-ipv4] quit[PE1-vpn-instance-vpna] quit[PE1] ip vpn-instance vpnb[PE1-vpn-instance-vpnb] ipv4-family[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both[PE1-vpn-instance-vpna-af-ipv4] quit[PE1-vpn-instance-vpnb] quit[PE1] interface gigabitethernet 1/0/0[PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna[PE1-GigabitEthernet1/0/0] ip address 10.1.1.2 24[PE1-GigabitEthernet1/0/0] quit[PE1] interface gigabitethernet 2/0/0[PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpnb[PE1-GigabitEthernet2/0/0] ip address 10.2.1.2 24[PE1-GigabitEthernet2/0/0] quit
# Configure PE2.
[PE2] ip vpn-instance vpna[PE2-vpn-instance-vpna] ipv4-family[PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both[PE2-vpn-instance-vpna-af-ipv4] quit[PE2-vpn-instance-vpna] quit[PE2] ip vpn-instance vpnb[PE2-vpn-instance-vpnb] ipv4-family[PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both[PE2-vpn-instance-vpnb-af-ipv4] quit[PE2-vpn-instance-vpnb] quit[PE2] interface gigabitethernet 1/0/0[PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpna[PE2-GigabitEthernet1/0/0] ip address 10.3.1.2 24[PE2-GigabitEthernet1/0/0] quit[PE2] interface gigabitethernet 2/0/0[PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpnb[PE2-GigabitEthernet2/0/0] ip address 10.4.1.2 24[PE2-GigabitEthernet2/0/0] quit
# Assign IP addresses to interfaces on CEs according to Figure 7-42.
# Configure CE1. The configurations of CE2, CE3, and CE4 are similar to the configuration of CE1, and are not mentioned here.
<Huawei> system-view[Huawei] sysname CE1[CE1] interface gigabitethernet 1/0/0[CE1-GigabitEthernet1/0/0] ip address 10.1.1.1 24[CE1-GigabitEthernet1/0/0] quit
After the configuration is complete, run the display ip vpn-instance verbose command on the PEs to check the configuration of VPN instances. Each PE can ping its connected CE.
If a PE has multiple interfaces bound to the same VPN instance, specify a source IP addresses by setting -a source-ip-address in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command to ping the remote CE. If the source IP address is not specified, the ping operation fails.
The information displayed on PE1 is used as an example.
[PE1] display ip vpn-instance verbose Total VPN-Instances configured : 2 Total IPv4 VPN-Instances configured : 2 Total IPv6 VPN-Instances configured : 0 VPN-Instance Name and ID : vpna, 1 Interfaces : GigabitEthernet1/0/0 Address family ipv4 Create date : 2012/07/25 00:58:17 Up time : 0 days, 22 hours, 24 minutes and 53 seconds Route Distinguisher : 100:1 Export VPN Targets : 111:1 Import VPN Targets : 111:1 Label Policy : label per route Log Interval : 5 VPN-Instance Name and ID : vpnb, 2 Interfaces : GigabitEthernet2/0/0 Address family ipv4 Create date : 2012/07/25 00:58:17 Up time : 0 days, 22 hours, 24 minutes and 53 seconds Route Distinguisher : 100:2 Export VPN Targets : 222:2 Import VPN Targets : 222:2 Label Policy : label per route Log Interval : 5
[PE1] ping -vpn-instance vpna 10.1.1.1 PING 10.1.1.1: 56 data bytes, press CTRL_C to break Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=5 ms Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=3 ms Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=3 ms Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=3 ms Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=16 ms --- 10.1.1.1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 3/6/16 ms
Set up an MP-IBGP peer relationship between the PEs.
# Configure PE1.
[PE1] bgp 100[PE1-bgp] peer 3.3.3.9 as-number 100[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1[PE1-bgp] ipv4-family vpnv4[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable[PE1-bgp-af-vpnv4] quit[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100[PE2-bgp] peer 1.1.1.9 as-number 100[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1[PE2-bgp] ipv4-family vpnv4[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable[PE2-bgp-af-vpnv4] quit[PE2-bgp] quit
After the configuration is complete, run the display bgp peer or display bgp vpnv4 all peer command on the PEs. The command output shows that BGP peer relationships have been established between the PEs.
[PE1] display bgp peer BGP local router ID : 1.1.1.9 Local AS number : 100 Total number of peers : 1 Peers in established state : 1 Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv 3.3.3.9 4 100 12 6 0 00:02:21 Established 0
[PE1] display bgp vpnv4 all peerBGP local router ID : 1.1.1.9 Local AS number : 100 Total number of peers : 1 Peers in established state : 1 Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv 3.3.3.9 4 100 12 18 0 00:09:38 Established 0
Set up EBGP peer relationships between the PEs and CEs and import VPN routes into BGP.
# Configure CE1. The configurations of CE2, CE3, and CE4 are similar to the configuration of CE1, and are not mentioned here.
[CE1] bgp 65410[CE1-bgp] peer 10.1.1.2 as-number 100[CE1-bgp] import-route direct[CE1-bgp] quit
# Configure PE1. The configuration on PE2 is similar to the configuration on PE1 and is not mentioned here.
[PE1] bgp 100[PE1-bgp] ipv4-family vpn-instance vpna[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410[PE1-bgp-vpna] import-route direct[PE1-bgp-vpna] quit[PE1-bgp] ipv4-family vpn-instance vpnb[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420[PE1-bgp-vpnb] import-route direct[PE1-bgp-vpnb] quit[PE1-bgp] quit
After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command on the PEs. The command output shows that BGP peer relationships have been established between the PEs and CEs.
The peer relationship between PE1 and CE1 is used as an example.
[PE1] display bgp vpnv4 vpn-instance vpna peer BGP local router ID : 1.1.1.9 Local AS number : 100 VPN-Instance vpna, Router ID 1.1.1.9: Total number of peers : 1 Peers in established state : 1 Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv 10.1.1.1 4 65410 6 3 0 00:00:02 Established 4
Verify the configuration.
# Run the display ip routing-table vpn-instance command on the PEs to view the routes to the remote CEs.
# The information displayed on PE1 is used as an example.
[PE1] display ip routing-table vpn-instance vpnaRoute Flags: R - relay, D - download to fib------------------------------------------------------------------------------ Routing Tables: vpna Destinations : 5 Routes : 5 Destination/Mask Proto Pre Cost Flags NextHop Interface 10.1.1.0/24 Direct 0 0 D 10.1.1.2 GigabitEthernet1/0/0 10.1.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0 10.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0 10.3.1.0/24 IBGP 255 0 RD 3.3.3.9 GigabitEthernet3/0/0 255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
[PE1] display ip routing-table vpn-instance vpnbRoute Flags: R - relay, D - download to fib------------------------------------------------------------------------------ Routing Tables: vpnb Destinations : 5 Routes : 5 Destination/Mask Proto Pre Cost Flags NextHop Interface 10.2.1.0/24 Direct 0 0 D 10.2.1.2 GigabitEthernet2/0/0 10.2.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0 10.2.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0 10.4.1.0/24 IBGP 255 0 RD 3.3.3.9 GigabitEthernet3/0/0 255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
# CEs in the same VPN can ping each other, whereas CEs in different VPNs cannot.
# For example, CE1 can ping CE3 at 10.3.1.1 but cannot ping CE4 at 10.4.1.1.
[CE1] ping 10.3.1.1 PING 10.3.1.1: 56 data bytes, press CTRL_C to break Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms --- 10.3.1.1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 34/48/72 ms
[CE1] ping 10.4.1.1 PING 10.4.1.1: 56 data bytes, press CTRL_C to break Request time out Request time out Request time out Request time out Request time out --- 10.4.1.1 ping statistics --- 5 packet(s) transmitted 0 packet(s) received 100.00% packet loss
Configuration Files
PE1 configuration file
# sysname PE1 # ip vpn-instance vpna ipv4-family route-distinguisher 100:1 vpn-target 111:1 export-extcommunity vpn-target 111:1 import-extcommunity # ip vpn-instance vpnb ipv4-family route-distinguisher 100:2 vpn-target 222:2 export-extcommunity vpn-target 222:2 import-extcommunity # mpls lsr-id 1.1.1.9 mpls # mpls ldp # interface GigabitEthernet1/0/0 ip binding vpn-instance vpna ip address 10.1.1.2 255.255.255.0 # interface GigabitEthernet2/0/0 ip binding vpn-instance vpnb ip address 10.2.1.2 255.255.255.0 # interface GigabitEthernet3/0/0 ip address 172.1.1.1 255.255.255.0 mpls mpls ldp # interface LoopBack1 ip address 1.1.1.9 255.255.255.255 # bgp 100 peer 3.3.3.9 as-number 100 peer 3.3.3.9 connect-interface LoopBack1 # ipv4-family unicast undo synchronization peer 3.3.3.9 enable # ipv4-family vpnv4 policy vpn-target peer 3.3.3.9 enable # ipv4-family vpn-instance vpna import-route direct peer 10.1.1.1 as-number 65410 # ipv4-family vpn-instance vpnb import-route direct peer 10.2.1.1 as-number 65420 # ospf 1 area 0.0.0.0 network 1.1.1.9 0.0.0.0 network 172.1.1.0 0.0.0.255 # return
P configuration file
# sysname P # mpls lsr-id 2.2.2.9 mpls # mpls ldp # interface GigabitEthernet1/0/0 ip address 172.1.1.2 255.255.255.0 mpls mpls ldp # interface GigabitEthernet2/0/0 ip address 172.2.1.1 255.255.255.0 mpls mpls ldp # interface LoopBack1 ip address 2.2.2.9 255.255.255.255 # ospf 1 area 0.0.0.0 network 2.2.2.9 0.0.0.0 network 172.1.1.0 0.0.0.255 network 172.2.1.0 0.0.0.255 # return
PE2 configuration file
# sysname PE2 # ip vpn-instance vpna ipv4-family route-distinguisher 200:1 vpn-target 111:1 export-extcommunity vpn-target 111:1 import-extcommunity # ip vpn-instance vpnb ipv4-family route-distinguisher 200:2 vpn-target 222:2 export-extcommunity vpn-target 222:2 import-extcommunity # mpls lsr-id 3.3.3.9 mpls # mpls ldp # interface GigabitEthernet1/0/0 ip binding vpn-instance vpna ip address 10.3.1.2 255.255.255.0 # interface GigabitEthernet2/0/0 ip binding vpn-instance vpnb ip address 10.4.1.2 255.255.255.0 # interface GigabitEthernet3/0/0 ip address 172.2.1.2 255.255.255.0 mpls mpls ldp # interface LoopBack1 ip address 3.3.3.9 255.255.255.255 # bgp 100 peer 1.1.1.9 as-number 100 peer 1.1.1.9 connect-interface LoopBack1 # ipv4-family unicast undo synchronization peer 1.1.1.9 enable # ipv4-family vpnv4 policy vpn-target peer 1.1.1.9 enable # ipv4-family vpn-instance vpna import-route direct peer 10.3.1.1 as-number 65430 # ipv4-family vpn-instance vpnb import-route direct peer 10.4.1.1 as-number 65440 # ospf 1 area 0.0.0.0 network 3.3.3.9 0.0.0.0 network 172.2.1.0 0.0.0.255 # return
CE1 configuration file
# sysname CE1 # interface GigabitEthernet1/0/0 ip address 10.1.1.1 255.255.255.0 # bgp 65410 peer 10.1.1.2 as-number 100 # ipv4-family unicast undo synchronization import-route direct peer 10.1.1.2 enable # return
CE2 configuration file
# sysname CE2 # interface GigabitEthernet1/0/0 ip address 10.2.1.1 255.255.255.0 # bgp 65420 peer 10.2.1.2 as-number 100 # ipv4-family unicast undo synchronization import-route direct peer 10.2.1.2 enable # return
CE3 configuration file
# sysname CE3 # interface GigabitEthernet1/0/0 ip address 10.3.1.1 255.255.255.0 # bgp 65430 peer 10.3.1.2 as-number 100 # ipv4-family unicast undo synchronization import-route direct peer 10.3.1.2 enable # return
CE4 configuration file
# sysname CE4 # interface GigabitEthernet1/0/0 ip address 10.4.1.1 255.255.255.0 # bgp 65440 peer 10.4.1.2 as-number 100 # ipv4-family unicast undo synchronization import-route direct peer 10.4.1.2 enable # return
