Overview of MCE IPv6
A multi-VPN-instance CE (MCE) device uses routing multi-instance to isolate IPv6 services or users.
In many cases, a private network must be divided into multiple VPNs to realize fine-grained service management and enhance security. Services of users in different VPNs must be completely isolated. Deploying a CE device for each VPN increases the cost of device procurement and maintenance. If multiple VPNs share one CE device, data security cannot be ensured because all the VPNs use the same routing and forwarding table.
The MCE technology ensures data security between different VPNs while reducing network construction and maintenance costs. Figure 8-2 shows the MCE deployment.
An MCE device has some PE functions. By binding each VPN instance to a different interface, an MCE device creates and maintains an independent VRF for each VPN. This is also called a multi-VRF application. The MCE device isolates forwarding paths of different VPNs on a private network and advertises routes of each VPN to the peer PE device, ensuring that VPN packets are correctly transmitted on the public network.
Configuring a VPN Instance
Context
The following configurations are performed on the MCE device.
Similar configurations must be performed on the PE devices. The PE configuration procedure and commands vary with the vendor and product model. For detailed configuration, see the documentation of the PE devices.
Procedure
Enable IPv6 globally
Run system-view
The system view is displayed.
Run ipv6
IPv6 is enabled globally.
Create a VPN instance
An RD can be modified or deleted only after the VPN instance is deleted or the VPN instance IPv6 address family is disabled.
Run ip vpn-instance vpn-instance-name
A VPN instance is created, and its view is displayed.
A VPN instance name is case sensitive. For example, vpn1 and VPN1 are different VPN instances.
No default VPN instance is defined on an MCE device, and you can create multiple VPN instances on the MCE device.
(Optional) Run description description-information
The description is configured for the VPN instance.
Like the description of a host name or an interface, the description of a VPN instance can be used to record information about the relationship between the VPN instance and a VPN.
(Optional) Run service-id service-id
A service ID is created for the VPN instance.
A service ID is unique on a device. It distinguishes a VPN service from other VPN services on the network.
Run ipv6-family
The IPv6 address family is enabled for the VPN instance, and the VPN instance IPv6 address family view is displayed.
VPN instances support both the IPv4 and IPv6 address families. Configurations in a VPN instance can be performed only after an address family is enabled for the VPN instance based on the advertised route and forwarding data type.
Run route-distinguisher route-distinguisher
An RD is configured for the VPN instance IPv6 address family.
A VPN instance IPv6 address family takes effect only after being configured with an RD. The RDs of different VPN instances on a PE must be different.
Bind the VPN instance to an interface.
Run system-view
The system view is displayed.
Run interface interface-type interface-number
The interface view is displayed.
Run ip binding vpn-instance vpn-instance-name
The VPN instance is bound to the interface.
By default, no VPN instance is bound to an interface.
When you run the ip binding vpn-instance command on an interface, all configurations of Layer 3 features on the interface, such as the IP address and routing protocol, are deleted. To use these features, reconfigure them.
Run ipv6 enable
IPv6 is enabled on the interface.
Run ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
An IPv6 address is configured for the interface.
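The rules stated in this procedure (an IPv6 address family needs an RD, RDs must differ between VPN instances, instance names are case sensitive, and the binding deletes Layer 3 settings entered before it) can be checked before a change is applied. The following Python lint is an added example, not part of the original guide or any Huawei tool; the function name `audit_mce_script`, the sample script, and the assumption that the script is written in the indented style of a saved configuration are all hypothetical.

```python
import re
from collections import Counter

# Constructed sample script, not from the original page (2001:db8::/32 is documentation space).
SAMPLE = """\
ip vpn-instance vpn1
 ipv6-family
  route-distinguisher 100:1
ip vpn-instance vpn2
 ipv6-family
  route-distinguisher 100:1
ip vpn-instance vpn3
 ipv6-family
interface GigabitEthernet1/0/0
 ipv6 enable
 ipv6 address 2001:db8:1::1/64
 ip binding vpn-instance VPN1
"""

def audit_mce_script(text):
    """Lint a planned MCE IPv6 script; return findings in the order detected."""
    findings, rd6, bound, v6 = [], {}, {}, {}
    view = name = family = None
    for line in filter(str.strip, text.splitlines()):
        cmd = line.strip()
        if not line[0].isspace():  # unindented command opens a new top-level view
            m = re.fullmatch(r"(ip vpn-instance|interface) (\S+)", cmd)
            view, name, family = (*m.groups(), None) if m else (None, None, None)
        elif view == "ip vpn-instance" and cmd.endswith("-family"):
            family = cmd
            if family == "ipv6-family":
                rd6.setdefault(name, None)
        elif family == "ipv6-family" and cmd.startswith("route-distinguisher "):
            rd6[name] = cmd.split()[1]
        elif view == "interface" and cmd.startswith("ip binding vpn-instance "):
            bound[name] = cmd.split()[-1]
            if bound[name] not in rd6:  # instance names are case sensitive
                findings.append(f"{name}: VPN instance {bound[name]} has no IPv6 address family")
            if v6.pop(name, None):  # the binding deletes Layer 3 settings entered earlier
                findings.append(f"{name}: IPv6 settings entered before the binding are deleted")
        elif view == "interface" and cmd.startswith("ipv6 "):
            v6.setdefault(name, set()).add(cmd.split()[1])
    findings += [f"{v}: IPv6 address family has no RD" for v, rd in rd6.items() if rd is None]
    findings += [f"RD {rd} is shared by {n} VPN instances"
                 for rd, n in Counter(filter(None, rd6.values())).items() if n > 1]
    findings += [f"{i}: IPv6 is not enabled and addressed after the binding"
                 for i in bound if not {"enable", "address"} <= v6.get(i, set())]
    return findings
```

Calling `audit_mce_script(SAMPLE)` reports the shared RD, the instance without an RD, the `VPN1`/`vpn1` case mismatch, and the interface whose IPv6 settings were entered before the binding.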
Configure Route Exchange Between an MCE Device and VPN Sites
Context
The following configurations are performed on the MCE device. On the devices in the site, you only need to configure the corresponding routing protocol.
Configure IPv6 Static Routes Between an MCE Device and a Site
For detailed configuration of static routes, see Configuring IPv6 Static Routes in the Huawei AR Series Access Routers Configuration Guide – IP Routing.
Action | Command | Description |
|---|---|---|
Configure an IPv6 static route to the site. | ipv6 route-static vpn-instance vpn-instance-name dest-ipv6-address prefix-length { [ interface-type interface-number ] nexthop-ipv6-address | nexthop-ipv6-address [ public ] | vpn-instance vpn-destination-name nexthop-ipv6-address } [ preference preference | tag tag ] * [ description text ] | You must specify the next hop address on the MCE device. |
Configure RIPng Between an MCE Device and a Site
For detailed RIPng configuration, see RIPng Configuration in the Huawei AR Series Access Routers Configuration Guide - IP Routing.
Configure OSPFv3 Between an MCE Device and a Site
For detailed OSPFv3 configuration, see OSPFv3 Configuration in the Huawei AR Series Access Routers Configuration Guide - IP Routing.
Action | Command | Description |
|---|---|---|
Enter the system view. | system-view | - |
Create an OSPFv3 process running between the MCE device and the site and enter the OSPFv3 view. | ospfv3 [ process-id ] [ vpn-instance vpn-instance-name ] | - |
(Optional) Import the routes to the remote sites advertised by the PE device into the OSPFv3 routing table. | import-route { bgp [ permit-ibgp ] | unr | direct | ripng help-process-id | static | isis help-process-id | ospfv3 help-process-id } [ cost cost | type type | tag tag | route-policy route-policy-name ] * | Perform this step if another routing protocol is running between the MCE and PE devices in the VPN instance. |
Return to system view. | quit | - |
Enter the interface view. | interface interface-type interface-number | - |
Enable OSPFv3 on the interface. | ospfv3 process-id area area-id [ instance instance-id ] | - |
Configure IS-IS IPv6 Between an MCE Device and a Site
For detailed IS-IS configuration, see IS-IS IPv6 Configuration in the Huawei AR Series Access Routers Configuration Guide - IP Routing.
Action | Command | Description |
|---|---|---|
Enter the system view. | system-view | - |
Create an IS-IS process running between the MCE device and the site and enter the IS-IS IPv6 view. | isis process-id vpn-instance vpn-instance-name | An IS-IS process can be bound to only one VPN instance. If an IS-IS IPv6 process is not bound to any VPN instance before it is started, this process becomes a public network process and can no longer be bound to a VPN instance. |
Set a network entity title (NET) for the IS-IS process. | network-entity net | A NET specifies the current IS-IS area address and the system ID of the router. A maximum of three NETs can be configured for one process on each router. |
Enable IS-IS IPv6 on the process. | ipv6 enable [ topology { compatible [ enable-mt-spf ] | ipv6 | standard } ] | - |
(Optional) Import the routes to the remote sites advertised by the PE device into the IS-IS IPv6 routing table. | Use either of the following commands: | Perform this step if another routing protocol is running between the MCE and PE devices in the VPN instance. |
Return to system view. | quit | - |
Enter the view of the interface to which the VPN instance is bound. | interface interface-type interface-number | - |
Enable IS-IS IPv6 on the interface. | isis ipv6 enable [ process-id ] | - |
Configure BGP4+ Between an MCE Device and a Site
Action | Command | Description |
|---|---|---|
Enter the system view. | system-view | - |
Enter the BGP view. | - | |
Enter the BGP-VPN instance IPv6 address family view. | - | |
Configure the device connected to the MCE device in the site as a VPN peer. | - | |
Import the routes to the remote sites advertised by the PE device into the BGP routing table. | import-route protocol [ process-id ] [ med med | route-policy route-policy-name ] * | Perform this step if another routing protocol is running between the MCE and PE devices in the VPN instance. |
Action | Command | Description |
|---|---|---|
Enter the system view. | system-view | - |
Enter the BGP view. | bgp { as-number-plain | as-number-dot } | - |
Configure the MCE device as a VPN peer. | peer ipv6-address as-number as-number | - |
Enter the BGP-VPN instance IPv6 address family view. | ipv6-family unicast | - |
Configure the MCE device as a VPN peer. | peer { group-name | ipv6-address } enable | - |
Import IGP routes of the VPN into the BGP routing table. | import-route protocol [ process-id ] [ med med | route-policy route-policy-name ] * | The site must advertise routes to its attached VPN network segments to the MCE device. |
