Example for Configuring Hub and Spoke (Using a Default Route Between Hub-PE and Hub-CE)
Networking Requirements
As shown in Figure 1, the communication between Spoke-CEs is controlled by the Hub-CE in the central site. That is, the traffic between Spoke-CEs is forwarded by the Hub-CE, and not only by the Hub-PE. You need to configure a default route between the Hub-PE and Hub-CE.
In this scenario, to avoid loops, ensure that all connected interfaces have STP disabled and connected interfaces are removed from VLAN 1. If STP is enabled and VLANIF interfaces of switches are used to construct a Layer 3 ring network, an interface on the network will be blocked. As a result, Layer 3 services on the network cannot run normally.
Configuration Roadmap
The configuration roadmap is as follows:
Establish tunnels and IBGP peer relationships between the Hub-PE and the Spoke-PEs. The Spoke-PEs do not establish an IBGP peer relationship or exchange VPN routing information.
Create two IPv6 VPN instances, namely, vpn_in and vpn_out, on the Hub-PE. The VPN target received by vpn_in is the same as the VPN target advertised by the Spoke-PEs. The VPN target advertised by vpn_out is different from the VPN target received by vpn_out, but is the same as the VPN target received by the Spoke-PEs.
Create an IPv6 VPN instance on each Spoke-PE. The VPN target received by the IPv6 VPN instance is the same as the VPN target advertised by vpn_out, and the VPN target advertised by the IPv6 VPN instance is the same as the VPN target received by vpn_in.
Configure the default route as follows:
Configure the IPv6 default route on the Hub-CE. Set the next hop of the route to the IPv6 address of the Hub-PE's interface bound to vpn_in.
Configure the default route for vpn_out on the Hub-PE. Set the next hop of the default route to the address of the Hub-CE.
In the BGP VPN instance address family view of vpn_out on the Hub-PE, run the network :: 0 command to advertise the default route to all Spoke sites.
Configure BGP4+ between the Spoke-PEs and Spoke-CEs.
Procedure
- Configure an IGP protocol on the backbone network to enable
the Hub-PE and Spoke-PEs to communicate with each other.
In this example, OSPF and Spoke-PE1 are used as examples.
# Configure Spoke-PE1.
<HUAWEI> system-view [HUAWEI] sysname Spoke-PE1 [Spoke-PE1] ospf 1 [Spoke-PE1-ospf-1] area 0 [Spoke-PE1-ospf-1-area-0.0.0.0] network 22.1.1.0 0.0.0.255 [Spoke-PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0 [Spoke-PE1-ospf-1-area-0.0.0.0] quit [Spoke-PE1-ospf-1] quit
The configuration on the Hub-PE and Spoke-PE2 is similar to the configuration on Spoke-PE1 and is not mentioned here.
After the configuration is complete, an OSPF neighbor relationship is established between the PEs. Run the display ospf peer command, and you can see that the neighbor status is Full. Run the display ip routing-table command on the PEs. The command output shows that the PEs have learned the route to the loopback interface of each other.
- Configure basic MPLS capabilities and MPLS LDP on the backbone
network to establish LDP LSPs.
# Configure the Hub-PE.
[Hub-PE] mpls lsr-id 2.2.2.9 [Hub-PE] mpls [Hub-PE-mpls] quit [Hub-PE] mpls ldp [Hub-PE-mpls-ldp] quit [Hub-PE] interface vlanif 10 [Hub-PE-Vlanif10] mpls [Hub-PE-Vlanif10] mpls ldp [Hub-PE-Vlanif10] quit [Hub-PE] interface vlanif 20 [Hub-PE-Vlanif20] mpls [Hub-PE-Vlanif20] mpls ldp [Hub-PE-Vlanif20] quit
# The configuration on Spoke-PEs is similar to the configuration on the Hub-PE and is not mentioned here.
After the configuration is complete, LDP peer relationships are established between the Hub-PE and Spoke-PEs. Run the display mpls ldp session command on each device, and you can see that the status is Operational.
- Configure IPv6 VPN instances on PEs and bind the interfaces
connected to CEs to the VPN instances.
The VPN targets of the two IPv6 VPN instances on the Hub-PE are the VPN targets advertised by the two Spoke-PEs, and the advertised VPN target is different from the received VPN target.
Configure IPv6 VPN instances on Spoke-PEs. The import VPN target on the Spoke-PEs is the VPN target advertised by the Hub-PE.
# Configure Spoke-PE1.
[Spoke-PE1] ip vpn-instance vpna [Spoke-PE1-vpn-instance-vpna] ipv6-family [Spoke-PE1-vpn-instance-vpna-af-ipv6] route-distinguisher 100:1 [Spoke-PE1-vpn-instance-vpna-af-ipv6] vpn-target 100:1 export-extcommunity [Spoke-PE1-vpn-instance-vpna-af-ipv6] vpn-target 200:1 import-extcommunity [Spoke-PE1-vpn-instance-vpna-af-ipv6] quit [Spoke-PE1-vpn-instance-vpna] quit [Spoke-PE1] interface vlanif 50 [Spoke-PE1-Vlanif50] ipv6 enable [Spoke-PE1-Vlanif50] ip binding vpn-instance vpna [Spoke-PE1-Vlanif50] ipv6 address 2001::2 64 [Spoke-PE1-Vlanif50] quit
#Configure Spoke-PE2.
[Spoke-PE2] ip vpn-instance vpna [Spoke-PE2-vpn-instance-vpna] ipv6-family [Spoke-PE2-vpn-instance-vpna-af-ipv6] route-distinguisher 100:3 [Spoke-PE2-vpn-instance-vpna-af-ipv6] vpn-target 100:1 export-extcommunity [Spoke-PE2-vpn-instance-vpna-af-ipv6] vpn-target 200:1 import-extcommunity [Spoke-PE2-vpn-instance-vpna-af-ipv6] quit [Spoke-PE2-vpn-instance-vpna] quit [Spoke-PE2] interface vlanif 60 [Spoke-PE2-Vlanif60] ipv6 enable [Spoke-PE2-Vlanif60] ip binding vpn-instance vpna [Spoke-PE2-Vlanif60] ipv6 address 2002::2 64 [Spoke-PE2-Vlanif60] quit
# Configure the Hub-PE.
[Hub-PE] ip vpn-instance vpn_in [Hub-PE-vpn-instance-vpn_in] ipv6-family [Hub-PE-vpn-instance-vpn_in-af-ipv6] route-distinguisher 100:21 [Hub-PE-vpn-instance-vpn_in-af-ipv6] vpn-target 100:1 import-extcommunity [Hub-PE-vpn-instance-vpn_in-af-ipv6] quit [Hub-PE-vpn-instance-vpn_in] quit [Hub-PE] ip vpn-instance vpn_out [Hub-PE-vpn-instance-vpn_out] ipv6-family [Hub-PE-vpn-instance-vpn_out-af-ipv6] route-distinguisher 100:22 [Hub-PE-vpn-instance-vpn_out-af-ipv6] vpn-target 200:1 export-extcommunity [Hub-PE-vpn-instance-vpn_out-af-ipv6] quit [Hub-PE-vpn-instance-vpn_out] quit [Hub-PE] interface vlanif 30 [Hub-PE-Vlanif30] ipv6 enable [Hub-PE-Vlanif30] ip binding vpn-instance vpn_in [Hub-PE-Vlanif30] ipv6 address 2003::2 64 [Hub-PE-Vlanif30] quit [Hub-PE] interface vlanif 40 [Hub-PE-Vlanif40] ipv6 enable [Hub-PE-Vlanif40] ip binding vpn-instance vpn_out [Hub-PE-Vlanif40] ipv6 address 2004::2 64 [Hub-PE-Vlanif40] quit
# Assign IPv6 addresses to the interfaces on the CEs according to Figure 1. The configuration procedure is not mentioned here.
After the configuration is complete, run the display ip vpn-instance verbose command on the PEs to check the configuration of IPv6 VPN instances.
- Establish EBGP peer relationships between the Spoke-PEs
and Spoke-CEs and import VPN routes.
# Configure Spoke-CE1.
<HUAWEI> system-view [HUAWEI] sysname Spoke-CE1 [Spoke-CE1] bgp 65410 [Spoke-CE1-bgp] router-id 10.10.10.10 [Spoke-CE1-bgp] peer 2001::2 as-number 100 [Spoke-CE1-bgp] ipv6-family unicast [Spoke-CE1-bgp-af-ipv6] peer 2001::2 enable [Spoke-CE1-bgp-af-ipv6] import-route direct [Spoke-CE1-bgp-af-ipv6] quit [Spoke-CE1-bgp] quit
# Configure Spoke-PE1.
[Spoke-PE1] bgp 100 [Spoke-PE1-bgp] ipv6-family vpn-instance vpna [Spoke-PE1-bgp6-vpna] peer 2001::1 as-number 65410 [Spoke-PE1-bgp6-vpna] import-route direct [Spoke-PE1-bgp6-vpna] quit [Spoke-PE1-bgp] quit
# Configure Spoke-CE2.
<HUAWEI> system-view [HUAWEI] sysname Spoke-CE2 [Spoke-CE2] bgp 65420 [Spoke-CE2-bgp] router-id 20.20.20.20 [Spoke-CE2-bgp] peer 2002::2 as-number 100 [Spoke-CE2-bgp] ipv6-family unicast [Spoke-CE2-bgp-af-ipv6] peer 2002::2 enable [Spoke-CE2-bgp-af-ipv6] import-route direct [Spoke-CE2-bgp-af-ipv6] quit [Spoke-CE2-bgp] quit
#Configure Spoke-PE2.
[Spoke-PE2] bgp 100 [Spoke-PE2-bgp] ipv6-family vpn-instance vpna [Spoke-PE2-bgp6-vpna] peer 2002::1 as-number 65420 [Spoke-PE2-bgp6-vpna] import-route direct [Spoke-PE2-bgp6-vpna] quit [Spoke-PE2-bgp] quit
After the configuration is complete, run the display bgp vpnv6 all peer command on the PEs. The command output shows that the BGP peer relationships have been established between the PEs and CEs and are in Established state. Each PE can ping its connected CE.
If multiple interfaces on a PE are bound to the same VPN, you must specify the source IPv6 address when you run the ping ipv6 vpn-instance command to ping the CE connected to the peer PE. That is, specify -a source-ipv6-address in the ping ipv6 vpn-instance vpn-instance-name -a source-ipv6-address dest-ipv6-address command. Otherwise, the ping operation may fail.
- Configure the default route on the Hub-PE and Hub-CE.
# Configure the Hub-CE.
<HUAWEI> system-view [HUAWEI] sysname Hub-CE [Hub-CE] ipv6 route-static :: 0 2003::2
# Configure the Hub-PE.
# Configure the default route for vpn_out. Set the next hop of the default route to the address of the Hub-CE.
[Hub-PE] ipv6 route-static vpn-instance vpn_out :: 0 2004::1
# Advertise the default route using MP-IBGP.
[Hub-PE] bgp 100 [Hub-PE-bgp] ipv6-family vpn-instance vpn_out [Hub-PE-bgp6-vpn_out] network :: 0
# Advertise the default route using MP-IBGP.
[Hub-PE-bgp6-vpn_out] import-route direct [Hub-PE-bgp6-vpn_out] quit [Hub-PE-bgp] quit
- Establish MP-IBGP peer relationships between PEs.
The Spoke-PEs do not need to allow the repeated AS number, because the switch does not check the AS_Path attribute in the routing information advertised by the IBGP peers.
# Configure Spoke-PE1.
[Spoke-PE1] bgp 100 [Spoke-PE1-bgp] peer 2.2.2.9 as-number 100 [Spoke-PE1-bgp] peer 2.2.2.9 connect-interface loopback 1 [Spoke-PE1-bgp] ipv6-family vpnv6 [Spoke-PE1-bgp-af-vpnv6] peer 2.2.2.9 enable [Spoke-PE1-bgp-af-vpnv6] quit
#Configure Spoke-PE2.
[Spoke-PE2] bgp 100 [Spoke-PE2-bgp] peer 2.2.2.9 as-number 100 [Spoke-PE2-bgp] peer 2.2.2.9 connect-interface loopback 1 [Spoke-PE2-bgp] ipv6-family vpnv6 [Spoke-PE2-bgp-af-vpnv6] peer 2.2.2.9 enable [Spoke-PE2-bgp-af-vpnv6] quit
# Configure the Hub-PE.
[Hub-PE] bgp 100 [Hub-PE-bgp] peer 1.1.1.9 as-number 100 [Hub-PE-bgp] peer 1.1.1.9 connect-interface loopback 1 [Hub-PE-bgp] peer 3.3.3.9 as-number 100 [Hub-PE-bgp] peer 3.3.3.9 connect-interface loopback 1 [Hub-PE-bgp] ipv6-family vpnv6 [Hub-PE-bgp-af-vpnv6] peer 1.1.1.9 enable [Hub-PE-bgp-af-vpnv6] peer 3.3.3.9 enable [Hub-PE-bgp-af-vpnv6] quit
After the configuration is complete, run the display bgp vpnv6 all peer command on the PEs. The command output shows that MP-IBGP peer relationships have been established and are in Established state.
- Verify the configuration.
After the configuration is complete, check the BGP IPv6 VPN routes on the Spoke-PEs. You can see that the default route of vpn_out on the Hub-PE is advertised to each Spoke-PE.
[Spoke-PE1] display bgp vpnv6 all routing-table BGP Local router ID is 1.1.1.9 Status codes: * - valid, > - best, d - damped, h - history, i - internal, s - suppressed, S - Stale Origin : i - IGP, e - EGP, ? - incomplete Total number of routes from all PE: 4 Route Distinguisher: 100:1 *> Network : 2001:: PrefixLen : 64 NextHop : :: LocPrf : MED : 0 PrefVal : 0 Label : NULL Path/Ogn : ? * NextHop : 2001::1 LocPrf : MED : 0 PrefVal : 0 Label : NULL Path/Ogn : 65410 ? Route Distinguisher: 100:22 *>i Network : :: PrefixLen : 0 NextHop : ::FFFF:2.2.2.9 LocPrf : 100 MED : 0 PrefVal : 0 Label : 105473 Path/Ogn : i *>i Network : 2004:: PrefixLen : 64 NextHop : ::FFFF:2.2.2.9 LocPrf : 100 MED : 0 PrefVal : 0 Label : 105472 Path/Ogn : ? VPN-Instance vpna : Total Number of Routes: 4 *>i Network : :: PrefixLen : 0 NextHop : ::FFFF:2.2.2.9 LocPrf : 100 MED : 0 PrefVal : 0 Label : 105473 Path/Ogn : i *> Network : 2001:: PrefixLen : 64 NextHop : :: LocPrf : MED : 0 PrefVal : 0 Label : NULL Path/Ogn : ? * NextHop : 2001::1 LocPrf : MED : 0 PrefVal : 0 Label : NULL Path/Ogn : 65410 ? *>i Network : 2004:: PrefixLen : 64 NextHop : ::FFFF:2.2.2.9 LocPrf : 100 MED : 0 PrefVal : 0 Label : 105472 Path/Ogn : ?The Spoke-CEs can ping each other. Run the tracert command on the Spoke-CEs, and you can see that the traffic between the Spoke-CEs is forwarded through the Hub-CE.
[Spoke-CE1] ping ipv6 2002::1 PING 2002::1 : 56 data bytes, press CTRL_C to break Reply from 2002::1 bytes=56 Sequence=1 hop limit=59 time = 187 ms Reply from 2002::1 bytes=56 Sequence=2 hop limit=59 time = 187 ms Reply from 2002::1 bytes=56 Sequence=3 hop limit=59 time = 187 ms Reply from 2002::1 bytes=56 Sequence=4 hop limit=59 time = 187 ms Reply from 2002::1 bytes=56 Sequence=5 hop limit=59 time = 187 ms --- 2002::1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 187/187/187 ms[Spoke-CE1] tracert ipv6 2002::1 traceroute to 2002::1 30 hops max,60 bytes packet 1 2001::2 16 ms 31 ms 16 ms 2 2004::2 78 ms 62 ms 63 ms 3 2004::1 62 ms 63 ms 62 ms 4 2003::2 63 ms 62 ms 63 ms 5 2002::2 109 ms 94 ms 109 ms 6 2002::1 125 ms 141 ms 125 ms
Run the display bgp ipv6 routing-table command on a Spoke-CE, and you can see the default route advertised by BGP on the peer Spoke-PE. Run the display ipv6 routing-table command, and you can see the default route whose next hop is the peer Spoke-PE.
[Spoke-CE1] display bgp ipv6 routing-table Total Number of Routes: 4 BGP Local router ID is 10.10.10.10 Status codes: * - valid, > - best, d - damped, h - history, i - internal, s - suppressed, S - Stale Origin : i - IGP, e - EGP, ? - incomplete *> Network : :: PrefixLen : 0 NextHop : 2001::2 LocPrf : MED : PrefVal : 0 Label : Path/Ogn : 100 i *> Network : 2001:: PrefixLen : 64 NextHop : :: LocPrf : MED : 0 PrefVal : 0 Label : Path/Ogn : ? * NextHop : 2001::2 LocPrf : MED : 0 PrefVal : 0 Label : Path/Ogn : 100 ? *> Network : 2004:: PrefixLen : 64 NextHop : 2001::2 LocPrf : MED : PrefVal : 0 Label : Path/Ogn : 100 ?[Spoke-CE1] display ipv6 routing-table Routing Table : Public Destinations : 5 Routes : 5 Destination : :: PrefixLength : 0 NextHop : 2001::2 Preference : 255 Cost : 0 Protocol : BGP RelayNextHop : :: TunnelID : 0x0 Interface : Vlanif50 Flags : D Destination : ::1 PrefixLength : 128 NextHop : ::1 Preference : 0 Cost : 0 Protocol : Direct RelayNextHop : :: TunnelID : 0x0 Interface : InLoopBack0 Flags : D Destination : 2001:: PrefixLength : 64 NextHop : 2001::1 Preference : 0 Cost : 0 Protocol : Direct RelayNextHop : :: TunnelID : 0x0 Interface : Vlanif50 Flags : D Destination : 2001::1 PrefixLength : 128 NextHop : ::1 Preference : 0 Cost : 0 Protocol : Direct RelayNextHop : :: TunnelID : 0x0 Interface : Vlanif50 Flags : D Destination : 2004:: PrefixLength : 64 NextHop : 2001::2 Preference : 255 Cost : 0 Protocol : BGP RelayNextHop : :: TunnelID : 0x0 Interface : Vlanif50 Flags : D
Configuration Files
Spoke-CE1 configuration file
# sysname Spoke-CE1 # ipv6 # vlan batch 50 # interface Vlanif50 ipv6 enable ipv6 address 2001::1/64 # interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 50 # bgp 65410 router-id 10.10.10.10 peer 2001::2 as-number 100 # ipv6-family unicast undo synchronization import-route direct peer 2001::2 enable # return
Spoke-PE1 configuration file
# sysname Spoke-PE1 # ipv6 # vlan batch 10 50 # ip vpn-instance vpna ipv6-family route-distinguisher 100:1 vpn-target 100:1 export-extcommunity vpn-target 200:1 import-extcommunity # mpls lsr-id 1.1.1.9 mpls # mpls ldp # interface vlanif10 ip address 22.1.1.1 255.255.255.0 mpls mpls ldp # interface Vlanif50 ipv6 enable ip binding vpn-instance vpna ipv6 address 2001::2/64 # interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 50 # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 10 # interface LoopBack1 ip address 1.1.1.9 255.255.255.255 # bgp 100 peer 2.2.2.9 as-number 100 peer 2.2.2.9 connect-interface LoopBack1 # ipv4-family unicast undo synchronization peer 2.2.2.9 enable # ipv6-family vpnv6 policy vpn-target peer 2.2.2.9 enable # ipv6-family vpn-instance vpna peer 2001::1 as-number 65410 import-route direct # ospf 1 area 0.0.0.0 network 22.1.1.0 0.0.0.255 network 1.1.1.9 0.0.0.0 # return
Spoke-PE2 configuration file
# sysname Spoke-PE2 # ipv6 # vlan batch 20 60 # ip vpn-instance vpna ipv6-family route-distinguisher 100:3 vpn-target 100:1 export-extcommunity vpn-target 200:1 import-extcommunity # mpls lsr-id 3.3.3.9 mpls # mpls ldp # interface Vlanif20 ip address 11.1.1.1 255.255.255.0 mpls mpls ldp # interface Vlanif60 ipv6 enable ip binding vpn-instance vpna ipv6 address 2002::2/64 # interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 60 # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 20 # interface LoopBack1 ip address 3.3.3.9 255.255.255.255 # bgp 100 peer 2.2.2.9 as-number 100 peer 2.2.2.9 connect-interface LoopBack1 # ipv4-family unicast undo synchronization peer 2.2.2.9 enable # ipv6-family vpnv6 policy vpn-target peer 2.2.2.9 enable # ipv6-family vpn-instance vpna peer 2002::1 as-number 65420 import-route direct # ospf 1 area 0.0.0.0 network 3.3.3.9 0.0.0.0 network 11.1.1.0 0.0.0.255 # return
Spoke-CE2 configuration file
# sysname Spoke-CE2 # ipv6 # vlan batch 60 # interface Vlanif60 ipv6 enable ipv6 address 2002::1/64 # interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 60 # bgp 65420 router-id 20.20.20.20 peer 2002::2 as-number 100 # ipv6-family unicast undo synchronization import-route direct peer 2002::2 enable # return
Hub-CE configuration file
# sysname Hub-CE # ipv6 # vlan batch 30 40 # interface Vlanif30 ipv6 enable ipv6 address 2003::1/64 # interface Vlanif40 ipv6 enable ipv6 address 2004::1/64 # interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 30 # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 40 # ipv6 route-static :: 0 2003::2 # return
Hub-PE configuration file
# sysname Hub-PE # ipv6 # vlan batch 10 20 30 40 # ip vpn-instance vpn_in ipv6-family route-distinguisher 100:21 vpn-target 100:1 import-extcommunity # ip vpn-instance vpn_out ipv6-family route-distinguisher 100:22 vpn-target 200:1 export-extcommunity # mpls lsr-id 2.2.2.9 mpls # mpls ldp # interface Vlanif10 ip address 22.1.1.2 255.255.255.0 mpls mpls ldp # interface Vlanif20 ip address 11.1.1.2 255.255.255.0 mpls mpls ldp # interface Vlanif30 ipv6 enable ip binding vpn-instance vpn_in ipv6 address 2003::2/64 # interface Vlanif40 ipv6 enable ip binding vpn-instance vpn_out ipv6 address 2004::2/64 # interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 10 # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 20 # interface GigabitEthernet0/0/3 port link-type trunk port trunk allow-pass vlan 30 # interface GigabitEthernet0/0/4 port link-type trunk port trunk allow-pass vlan 40 # interface LoopBack1 ip address 2.2.2.9 255.255.255.255 # bgp 100 peer 1.1.1.9 as-number 100 peer 1.1.1.9 connect-interface LoopBack1 peer 3.3.3.9 as-number 100 peer 3.3.3.9 connect-interface LoopBack1 # ipv4-family unicast undo synchronization peer 1.1.1.9 enable peer 3.3.3.9 enable # ipv6-family vpnv6 policy vpn-target peer 1.1.1.9 enable peer 3.3.3.9 enable # ipv6-family vpn-instance vpn_out network :: 0 import-route direct # ospf 1 area 0.0.0.0 network 2.2.2.9 0.0.0.0 network 22.1.1.0 0.0.0.255 network 11.1.1.0 0.0.0.255 # ipv6 route-static vpn-instance vpn_out :: 0 2004::1 # return