Example for Configuring Inter-AS VPN Option A
Networking Requirements
The headquarters and branch of a company connect to networks of different carriers. To enable the headquarters and branch to communicate, Inter-AS BGP/MPLS IP VPN needs to be implemented. As shown in Figure 1, CE1 is located in the headquarters and connects to PE1 in AS 100. CE2 is located at the branch and connects to PE2 in AS 200. Both CE1 and CE2 belong to vpn1.
Configuration Roadmap
Inter-AS Option A can be deployed to meet the company's requirement. The configuration roadmap is as follows:
- On the MPLS backbone networks in AS 100 and AS 200, configure an IGP protocol to enable the PEs and ASBR-PEs to communicate with each other.
- Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network to establish LDP LSPs.
- Establish an MP-IBGP peer relationship between the PE and ASBR-PE in each AS to exchange VPN routing information.
- Configure a VPN instance on the PE in each AS and bind the interface connected to the CE to the VPN instance.
- Establish an EBGP peer relationship between the PE and CE in each AS to exchange VPN routing information.
- Create a VPN instance on each ASBR-PE and the instance to the interface connected to the other ASBR-PE (regarding the ASBR-PE as its CE). Establish an EBGP peer relationship between the ASBR-PEs to exchange VPN routing information.
Procedure
- Configure VLANs on interfaces and assign IP addresses to
the VLANIF interfaces and loopback interfaces according to Figure 1.
# Configure PE1.
<HUAWEI> system-view [HUAWEI] sysname PE1 [PE1] interface loopback 1 [PE1-LoopBack1] ip address 1.1.1.9 32 [PE1-LoopBack1] quit [PE1] vlan batch 10 11 [PE1] interface gigabitethernet 0/0/1 [PE1-GigabitEthernet0/0/1] port link-type trunk [PE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 11 [PE1-GigabitEthernet0/0/1] quit [PE1] interface gigabitethernet 0/0/2 [PE1-GigabitEthernet0/0/2] port link-type trunk [PE1-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 [PE1-GigabitEthernet0/0/2] quit [PE1] interface vlanif 11 [PE1-Vlanif11] ip address 172.1.1.2 24 [PE1-Vlanif11] quit
The configuration on PE2, CE1, and CE2 is similar to the configuration on PE1 and is not mentioned here.
- On the MPLS backbone networks in AS 100 and AS 200, configure
OSPF to enable the PEs and the ASBR-PEs to communicate with each other.
# Configure PE1.
[PE1] ospf [PE1-ospf-1] area 0 [PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0 [PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255 [PE1-ospf-1-area-0.0.0.0] quit [PE1-ospf-1] quit
The configuration on PE2 and ASBR-PEs is similar to the configuration on PE1 and is not mentioned here.
The PEs and ASBRs need to advertise their LSR IDs (32-bit IP addresses of loopback interfaces) using OSPF.
After the configuration is complete, the ASBR and PE in the same AS can establish an OSPF neighbor relationship. Run the display ospf peer command to verify that the status of the neighbor relationship is Full. Run the display ip routing-table command. The command output shows that the ASBR and PE in the same AS have learned the routes to Loopback1 of each other.
- Configure basic MPLS capabilities and MPLS LDP on the MPLS
backbone networks of AS100 and AS200 to establish LDP LSPs.
# Configure basic MPLS capabilities on PE1 and enable LDP on the interface connected to ASBR-PE1.
[PE1] mpls lsr-id 1.1.1.9 [PE1] mpls [PE1-mpls] label advertise non-null [PE1-mpls] quit [PE1] mpls ldp [PE1-mpls-ldp] quit [PE1] interface vlanif 11 [PE1-Vlanif11] mpls [PE1-Vlanif11] mpls ldp [PE1-Vlanif11] quit
# Configure basic MPLS capabilities on ASBR-PE1 and enable LDP on the interface connected to PE1.
[ASBR-PE1] mpls lsr-id 2.2.2.9 [ASBR-PE1] mpls [ASBR-PE1-mpls] label advertise non-null [ASBR-PE1-mpls] quit [ASBR-PE1] mpls ldp [ASBR-PE1-mpls-ldp] quit [ASBR-PE1] interface vlanif 11 [ASBR-PE1-Vlanif11] mpls [ASBR-PE1-Vlanif11] mpls ldp [ASBR-PE1-Vlanif11] quit
# Configure basic MPLS capabilities on ASBR-PE2 and enable LDP on the interface connected to PE2.
[ASBR-PE2] mpls lsr-id 3.3.3.9 [ASBR-PE2] mpls [ASBR-PE2-mpls] label advertise non-null [ASBR-PE2-mpls] quit [ASBR-PE2] mpls ldp [ASBR-PE2-mpls-ldp] quit [ASBR-PE2] interface vlanif 22 [ASBR-PE2-Vlanif22] mpls [ASBR-PE2-Vlanif22] mpls ldp [ASBR-PE2-Vlanif22] quit
# Configure basic MPLS capabilities on PE2 and enable LDP on the interface connected to ASBR-PE2.
[PE2] mpls lsr-id 4.4.4.9 [PE2] mpls [PE2-mpls] label advertise non-null [PE2-mpls] quit [PE2] mpls ldp [PE2-mpls-ldp] quit [PE2] interface vlanif 22 [PE2-Vlanif22] mpls [PE2-Vlanif22] mpls ldp [PE2-Vlanif22] quit
After the configuration is complete, the PE and ASBR-PE in the same AS can establish an LDP peer relationship. Run the display mpls ldp session command on the PE and ASBR-PE to verify that the status is Operational.
The information displayed on PE1 is used as an example.
[PE1] display mpls ldp session LDP Session(s) in Public Network Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM) A '*' before a session means the session is being deleted. ------------------------------------------------------------------------------ PeerID Status LAM SsnRole SsnAge KASent/Rcv ------------------------------------------------------------------------------ 2.2.2.9:0 Operational DU Active 0002:23:46 17225/17224 ------------------------------------------------------------------------------ TOTAL: 1 session(s) Found.
- Establish an MP-IBGP peer relationship between the PE and
ASBR-PE in each AS to exchange VPN routing information.
# On PE1: establish an MP-IBGP peer relationship with ASBR-PE1.
[PE1] bgp 100 [PE1-bgp] peer 2.2.2.9 as-number 100 [PE1-bgp] peer 2.2.2.9 connect-interface loopback 1 [PE1-bgp] ipv4-family vpnv4 [PE1-bgp-af-vpnv4] peer 2.2.2.9 enable [PE1-bgp-af-vpnv4] quit [PE1-bgp] quit
# On ASBR-PE1: establish an MP-IBGP peer relationship with PE1.
[ASBR-PE1] bgp 100 [ASBR-PE1-bgp] peer 1.1.1.9 as-number 100 [ASBR-PE1-bgp] peer 1.1.1.9 connect-interface loopback 1 [ASBR-PE1-bgp] ipv4-family vpnv4 [ASBR-PE1-bgp-af-vpnv4] peer 1.1.1.9 enable [ASBR-PE1-bgp-af-vpnv4] quit [ASBR-PE1-bgp] quit
The configuration on PE2 and ASBR-PE2 is respectively similar to the configuration on PE1 and ASBR-PE1 and is not mentioned here.
- On each PE, create a VPN instance, enable the IPv4 address
family in the instance, and bind the interface connected to the CE
to the VPN instance.
The VPN targets of the VPN instances on the ASBR-PE and PE in an AS must match. In different ASs, the VPN targets of the PEs do not need to match.
# Configure PE1.[PE1] ip vpn-instance vpn1 [PE1-vpn-instance-vpn1] ipv4-family [PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1 [PE1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 both [PE1-vpn-instance-vpn1-af-ipv4] quit [PE1-vpn-instance-vpn1] quit [PE1] interface vlanif 10 [PE1-Vlanif10] ip binding vpn-instance vpn1 [PE1-Vlanif10] ip address 10.1.1.2 24 [PE1-Vlanif10] quit
# Configure PE2.
The configuration on PE2 is similar to the configuration on PE1 and is not mentioned here.
- Establish EBGP peer relationships between the PEs and CEs
to exchange VPN routing information.
# Configure CE1.
[CE1] interface vlanif 10 [CE1-Vlanif10] ip address 10.1.1.1 24 [CE1-Vlanif10] quit [CE1] bgp 65001 [CE1-bgp] peer 10.1.1.2 as-number 100 [CE1-bgp] import-route direct [CE1-bgp] quit
# Configure PE1.
[PE1] bgp 100 [PE1-bgp] ipv4-family vpn-instance vpn1 [PE1-bgp-vpn1] peer 10.1.1.1 as-number 65001 [PE1-bgp-vpn1] import-route direct [PE1-bgp-vpn1] quit [PE1-bgp] quit
The configuration on CE2 and PE2 is respectively similar to the configuration on CE1 and PE1 and is not mentioned here.
After the configuration is complete, run the display bgp vpnv4 vpn-instance vpn-instancename peer command on the PEs. The command output shows that BGP peer relationships have been established between the PEs and CEs and are in Established state. Run the display bgp vpnv4 all peer command on the PEs. The command output shows that each PE has established a BGP peer relationship with the CE and ASBR-PE in the same AS, and the BGP peer relationships are in Established state.
The information displayed on PE1 is used as an example.
[PE1] display bgp vpnv4 vpn-instance vpn1 peer BGP local router ID : 1.1.1.9 Local AS number : 100 VPN-Instance vpn1, Router ID 1.1.1.9: Total number of peers : 1 Peers in established state : 1 Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv 10.1.1.1 4 65001 5 4 0 00:00:01 Established 3 [PE1] display bgp vpnv4 all peer BGP local router ID : 1.1.1.9 Local AS number : 100 Total number of peers : 2 Peers in established state : 2 Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv 2.2.2.9 4 100 11 11 0 00:07:09 Established 0 Peer of IPv4-family for vpn instance : VPN-Instance vpn1, Router ID 1.1.1.9: 10.1.1.1 4 65001 5 4 0 00:00:12 Established 3 - Configure inter-AS VPN Option A.
# On ASBR-PE1, create a VPN instance and bind the interface connected to ASBR-PE2 to the VPN instance (ASBR-PE1 considers ASBR-PE2 as its CE).
[ASBR-PE1] ip vpn-instance vpn1 [ASBR-PE1-vpn-instance-vpn1] ipv4-family [ASBR-PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:2 [ASBR-PE1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 both [ASBR-PE1-vpn-instance-vpn1-af-ipv4] quit [ASBR-PE1-vpn-instance-vpn1] quit [ASBR-PE1] interface vlanif 12 [ASBR-PE1-Vlanif12] ip binding vpn-instance vpn1 [ASBR-PE1-Vlanif12] ip address 192.1.1.1 24 [ASBR-PE1-Vlanif12] quit
# On ASBR-PE2, create a VPN instance and bind the interface connected to ASBR-PE1 to the VPN instance (ASBR-PE2 considers ASBR-PE1 as its CE).
[ASBR-PE2] ip vpn-instance vpn1 [ASBR-PE2-vpn-instance-vpn1] ipv4-family [ASBR-PE2-vpn-instance-vpn1-af-ipv4] route-distinguisher 200:2 [ASBR-PE2-vpn-instance-vpn1-af-ipv4] vpn-target 2:2 both [ASBR-PE2-vpn-instance-vpn1-af-ipv4] quit [ASBR-PE2-vpn-instance-vpn1] quit [ASBR-PE2] interface vlanif 12 [ASBR-PE2-Vlanif12] ip binding vpn-instance vpn1 [ASBR-PE2-Vlanif12] ip address 192.1.1.2 24 [ASBR-PE2-Vlanif12] quit
# On ASBR-PE1, establish an EBGP peer relationship with ASBR-PE2.
[ASBR-PE1] bgp 100 [ASBR-PE1-bgp] ipv4-family vpn-instance vpn1 [ASBR-PE1-bgp-vpn1] peer 192.1.1.2 as-number 200 [ASBR-PE1-bgp-vpn1] import-route direct [ASBR-PE1-bgp-vpn1] quit [ASBR-PE1-bgp] quit
# On ASBR-PE2, establish an EBGP peer relationship with ASBR-PE1.
[ASBR-PE2] bgp 200 [ASBR-PE2-bgp] ipv4-family vpn-instance vpn1 [ASBR-PE2-bgp-vpn1] peer 192.1.1.1 as-number 100 [ASBR-PE2-bgp-vpn1] import-route direct [ASBR-PE2-bgp-vpn1] quit [ASBR-PE2-bgp] quit
Run the display bgp vpnv4 vpn-instance peer command on the ASBR-PEs. The command output shows that a BGP peer relationship has been established between the ASBR-PEs and is in Established state.
- Verify the configurations.
After the configuration is complete, CE1 and CE2 learn routes to interfaces on each other and can ping each other successfully.
The information displayed on CE1 is used as an example.
[CE1] display ip routing-table Route Flags: R - relay, D - download to fib, T - to vpn-instance ------------------------------------------------------------------------------ Routing Tables: Public Destinations : 6 Routes : 6 Destination/Mask Proto Pre Cost Flags NextHop Interface 10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10 10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10 10.2.1.0/24 EBGP 255 0 D 10.1.1.2 Vlanif10 127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0 127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0 192.1.1.0/24 EBGP 255 0 D 10.1.1.2 Vlanif10[CE1] ping 10.2.1.1 PING 10.2.1.1: 56 data bytes, press CTRL_C to break Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=251 time=119 ms Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=251 time=141 ms Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=251 time=136 ms Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=251 time=113 ms Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=251 time=78 ms --- 10.2.1.1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 78/117/141 msRun the display ip routing-table vpn-instance command on an ASBR-PE to check the VPN routing table.
[ASBR-PE1] display ip routing-table vpn-instance vpn1 Route Flags: R - relay, D - download to fib, T - to vpn-instance ------------------------------------------------------------------------------ Routing Tables: vpn1 Destinations : 4 Routes : 4 Destination/Mask Proto Pre Cost Flags NextHop Interface 10.1.1.0/24 IBGP 255 0 RD 1.1.1.9 Vlanif11 10.2.1.0/24 EBGP 255 0 D 192.1.1.2 Vlanif12 192.1.1.0/24 Direct 0 0 D 192.1.1.1 Vlanif12 192.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif12Run the display bgp vpnv4 all routing-table command on an ASBR-PE to check the VPNv4 routes.
[ASBR-PE1] display bgp vpnv4 all routing-table BGP Local router ID is 2.2.2.9 Status codes: * - valid, > - best, d - damped, h - history, i - internal, s - suppressed, S - Stale Origin : i - IGP, e - EGP, ? - incomplete Total number of routes from all PE: 5 Route Distinguisher: 100:1 Network NextHop MED LocPrf PrefVal Path/Ogn *>i 10.1.1.0/24 1.1.1.9 0 100 0 ? Route Distinguisher: 100:2 Network NextHop MED LocPrf PrefVal Path/Ogn *> 10.2.1.0/24 192.1.1.2 0 200? *> 192.1.1.0 0.0.0.0 0 0 ? * 192.1.1.2 0 0 200? *> 192.1.1.1/32 0.0.0.0 0 0 ? VPN-Instance vpn1, Router ID 110.1.1.2: Total Number of Routes: 5 Network NextHop MED LocPrf PrefVal Path/Ogn *>i 10.1.1.0/24 1.1.1.9 0 100 0 ? *> 10.2.1.0/24 192.1.1.2 0 200? *> 192.1.1.0 0.0.0.0 0 0 ? 192.1.1.2 0 0 200? *> 192.1.1.1/32 0.0.0.0 0 0 ?
Configuration Files
CE1 configuration file
# sysname CE1 # vlan batch 10 # interface Vlanif10 ip address 10.1.1.1 255.255.255.0 # interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 10 # bgp 65001 peer 10.1.1.2 as-number 100 # ipv4-family unicast undo synchronization import-route direct peer 10.1.1.2 enable # return
PE1 configuration file
# sysname PE1 # vlan batch 10 to 11 # ip vpn-instance vpn1 ipv4-family route-distinguisher 100:1 vpn-target 1:1 export-extcommunity vpn-target 1:1 import-extcommunity # mpls lsr-id 1.1.1.9 mpls label advertise non-null # mpls ldp # interface Vlanif10 ip binding vpn-instance vpn1 ip address 10.1.1.2 255.255.255.0 # interface Vlanif11 ip address 172.1.1.2 255.255.255.0 mpls mpls ldp # interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 11 # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 10 # interface LoopBack1 ip address 1.1.1.9 255.255.255.255 # bgp 100 peer 2.2.2.9 as-number 100 peer 2.2.2.9 connect-interface LoopBack1 # ipv4-family unicast undo synchronization peer 2.2.2.9 enable # ipv4-family vpnv4 policy vpn-target peer 2.2.2.9 enable # ipv4-family vpn-instance vpn1 peer 10.1.1.1 as-number 65001 import-route direct # ospf 1 area 0.0.0.0 network 1.1.1.9 0.0.0.0 network 172.1.1.0 0.0.0.255 # return
ASBR-PE1 configuration file
# sysname ASBR-PE1 # vlan batch 11 to 12 # ip vpn-instance vpn1 ipv4-family route-distinguisher 100:2 vpn-target 1:1 export-extcommunity vpn-target 1:1 import-extcommunity # mpls lsr-id 2.2.2.9 mpls label advertise non-null # mpls ldp # interface Vlanif11 ip address 172.1.1.1 255.255.255.0 mpls mpls ldp # interface Vlanif12 ip binding vpn-instance vpn1 ip address 192.1.1.1 255.255.255.0 # interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 11 # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 12 # interface LoopBack1 ip address 2.2.2.9 255.255.255.255 # bgp 100 peer 1.1.1.9 as-number 100 peer 1.1.1.9 connect-interface LoopBack1 # ipv4-family unicast undo synchronization import-route direct peer 1.1.1.9 enable # ipv4-family vpnv4 policy vpn-target peer 1.1.1.9 enable # ipv4-family vpn-instance vpn1 peer 192.1.1.2 as-number 200 import-route direct # ospf 1 area 0.0.0.0 network 2.2.2.9 0.0.0.0 network 172.1.1.0 0.0.0.255 # return
ASBR-PE2 configuration file
# sysname ASBR-PE2 # vlan batch 12 22 # ip vpn-instance vpn1 ipv4-family route-distinguisher 200:2 vpn-target 2:2 export-extcommunity vpn-target 2:2 import-extcommunity # mpls lsr-id 3.3.3.9 mpls label advertise non-null # mpls ldp # interface Vlanif22 ip address 162.1.1.1 255.255.255.0 mpls mpls ldp # interface Vlanif12 ip binding vpn-instance vpn1 ip address 192.1.1.2 255.255.255.0 # interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 22 # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 12 # interface LoopBack1 ip address 3.3.3.9 255.255.255.255 # bgp 200 peer 4.4.4.9 as-number 200 peer 4.4.4.9 connect-interface LoopBack1 # ipv4-family unicast undo synchronization peer 4.4.4.9 enable # ipv4-family vpnv4 policy vpn-target peer 4.4.4.9 enable # ipv4-family vpn-instance vpn1 peer 192.1.1.1 as-number 100 import-route direct # ospf 1 area 0.0.0.0 network 3.3.3.9 0.0.0.0 network 162.1.1.0 0.0.0.255 # return
PE2 configuration file
# sysname PE2 # vlan batch 10 22 # ip vpn-instance vpn1 ipv4-family route-distinguisher 200:1 vpn-target 2:2 export-extcommunity vpn-target 2:2 import-extcommunity # mpls lsr-id 4.4.4.9 mpls label advertise non-null # mpls ldp # interface Vlanif10 ip binding vpn-instance vpn1 ip address 10.2.1.2 255.255.255.0 # interface Vlanif22 ip address 162.1.1.2 255.255.255.0 mpls mpls ldp # interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 22 # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 10 # interface LoopBack1 ip address 4.4.4.9 255.255.255.255 # bgp 200 peer 3.3.3.9 as-number 200 peer 3.3.3.9 connect-interface LoopBack1 # ipv4-family unicast undo synchronization peer 3.3.3.9 enable # ipv4-family vpnv4 policy vpn-target peer 3.3.3.9 enable # ipv4-family vpn-instance vpn1 peer 10.2.1.1 as-number 65002 import-route direct # ospf 1 area 0.0.0.0 network 4.4.4.9 0.0.0.0 network 162.1.1.0 0.0.0.255 # return
CE2 configuration file
# sysname CE2 # vlan batch 10 # interface Vlanif10 ip address 10.2.1.1 255.255.255.0 # interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 10 # bgp 65002 peer 10.2.1.2 as-number 200 # ipv4-family unicast undo synchronization import-route direct peer 10.2.1.2 enable # return