Configuring Route Exchange Between PEs and CEs

To enable CEs to communicate, the PEs and CEs must be capable of exchanging routes.

Context

In BGP/MPLS IP VPN, a routing protocol or static route must be configured between a PE and a CE to allow them to communicate and allow the CE to obtain routes to other CEs. The routing protocol can be External Border Gateway Protocol (EBGP), Internal Border Gateway Protocol (IBGP), Routing Information Protocol (RIP), Open Shortest Path First (OSPF), or Intermediate System to Intermediate System (IS-IS). Choose one of the following configurations as needed:
The routing protocol configurations on the CE and PE are different:
  • The CE is located at the client side and unaware of the VPN. Therefore, you do not need to configure VPN parameters when configuring a routing protocol on the CE.
  • A PE is located at the edge of the carrier's network. It connects to a CE and exchanges VPN routing information with other PEs. If the CEs that access a PE belong to different VPNs, the PE must maintain different VRF tables. When configuring a routing protocol on the PE, specify the name of the VPN instance to which the routing protocol applies and configure the routing protocol and MP-BGP to import routes from each other.

Procedure

  • Configure EBGP between a PE and a CE.

    Perform the following steps on the PE:

    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-family vpn-instance vpn-instance-name

      The BGP-VPN instance IPv4 address family view is displayed.

    4. (Optional) Run as-number vrf-as

      An AS number is configured for the VPN instance IPv4 address family.

      If a device needs to be simulated as multiple BGP devices logically during network transfer or service identification, you can run the as-number command to configure a different AS number for each VPN instance IPv4 address family.

      The AS number configured in the BGP-VPN instance IPv4 address family view must be different from the AS number configured in the BGP view.

    5. Run peer ipv4-address as-number as-number

      The CE is configured as a VPN peer.

    6. (Optional) Run peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]

      The maximum number of hops between the PE and its EBGP peer (the CE) is specified. This step is mandatory if the PE and CE are not directly connected.

      Generally, EBGP peers are connected by a direct physical link. If no direct physical link is available, the peer ebgp-max-hop command must be used to allow EBGP peers to establish a multi-hop TCP connection.

      If the maximum number of hops is set to 1, the PE cannot establish an EBGP connection with a peer if they are not directly connected.

    7. (Optional) Run either of the following commands:

      • import-route direct [ med med | route-policy route-policy-name ] *
      • network ipv4-address [ mask | mask-length ] [ route-policy route-policy-name ]

      The PE is enabled to import the direct routes destined for the local CE into the VRF table and advertise the routes to the remote PE.

      The PE can automatically learn the direct routes destined for the local CE. The learned routes take precedence over the direct routes advertised from the local CE using EBGP. If this step is not performed, the PE does not use MP-BGP to advertise the direct routes destined for the local CE to the remote PE.

    8. (Optional) Run peer { group-name | ipv4-address } soo site-of-origin

      The Site of Origin (SoO) attribute is configured for the CE that has been specified as a VPN peer of the PE.

      Several CEs at a VPN site may establish BGP connections with different PEs. The VPN routes advertised from the CEs to the PEs may be re-advertised to the same VPN site after the routes traverse the backbone network. This may cause route loops at the VPN site.

      If the SoO attribute is configured for a specified CE, the PE adds the attribute to a route sent from the CE and advertises the route to the remote PE. The remote PE checks the SoO attribute of the route before sending it to its attached CE. If the SoO attribute is the same as the local SoO attribute on the remote PE, the remote PE does not send the route to its attached CE.

    9. (Optional) Run peer ipv4-address allow-as-loop [ number ]

      Route loops are allowed.

      This step is used in hub & spoke networking.

      Generally, BGP uses the AS number to detect route loops. On a hub & spoke network, if EBGP runs between a Hub-PE and a Hub-CE at a hub site, the route sent from the Hub-PE to the Hub-CE carries the AS number of the Hub-PE. If the Hub-CE sends a route update message to the Hub-PE, the Hub-PE will deny it because the route update message contains the AS number of the Hub-PE. To ensure proper route transmission on a hub & spoke network, configure all the BGP peers along the path (along which the Hub-CE advertises VPN routes to the Spoke-CE) to accept the routes which have the AS number repeated once.

    10. (Optional) Run peer ipv4-address substitute-as

      BGP AS number substitution is enabled. Perform this step on the PE in a scenario in which CEs at different sites use the same AS number.

      Enabling BGP AS number substitution may cause routing loops on a CE multi-homing network.

    11. Run commit

      The configuration is committed.

    Perform the following steps on the CE:

    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run peer ipv4-address as-number as-number

      The PE is configured as a VPN peer.

    4. (Optional) Run peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]

      The maximum number of hops between the CE and its EBGP peer (the PE) is set. This step is mandatory if the PE and CE are not directly connected.

      Generally, EBGP peers are directly connected by a physical link. If no direct physical link is available, the peer ebgp-max-hop command must be used to allow EBGP peers to establish a multi-hop TCP connection.

      If the maximum number of hops is set to 1, the CE cannot establish an EBGP connection with a peer if they are not directly connected.

    5. Run import-route { direct | static | rip process-id | ospf process-id | isis process-id } [ med med | route-policy route-policy-name ] *

      Routes of the local site are imported.

      The CE advertises the routes of its own VPN network segment to the connected PE. The PE forwards the routes to the remote CE. The type of route imported at this step may vary according to the networking mode.

    6. Run commit

      The configuration is committed.
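
The interaction of PE steps 8 to 10 (soo, allow-as-loop, substitute-as), as an added Python model that is not Huawei code and not part of the original page. It models only the AS_PATH loop check and the SoO comparison described above; the AS numbers, prefixes and SoO values are constructed, and all function names are hypothetical.

```python
from dataclasses import dataclass, replace
from typing import Optional

BACKBONE_AS, SITE_AS = 100, 65001            # constructed AS numbers
SOO_SITE_A, SOO_SITE_B = "100:1", "100:2"    # constructed SoO values

@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple                # leftmost AS is the most recent hop
    soo: Optional[str] = None

def accepts(local_as, route, allow_as_loop=0):
    """AS_PATH loop check: accept only if the local AS appears in the path
    at most allow_as_loop times (0 models the default)."""
    return route.as_path.count(local_as) <= allow_as_loop

def pe_learn_from_ce(route, peer_soo=None):
    """Ingress PE: attach the SoO configured for this CE peer, if any."""
    return replace(route, soo=peer_soo) if peer_soo else route

def pe_advertise_to_ce(route, pe_as, ce_as, peer_soo=None, substitute_as=False):
    """Egress PE: SoO check, optional AS substitution, then prepend own AS.
    Returns None when the SoO check suppresses the advertisement."""
    if peer_soo is not None and route.soo == peer_soo:
        return None
    path = route.as_path
    if substitute_as:
        path = tuple(pe_as if asn == ce_as else asn for asn in path)
    return replace(route, as_path=(pe_as,) + path)

def deliver(to_same_site, substitute_as, soo_configured):
    """A route from CE1 (site A) crosses the backbone and is offered to a CE
    that uses the same AS number, either at site A again or at site B."""
    origin = Route("10.1.0.0/16", (SITE_AS,))          # constructed prefix
    in_vrf = pe_learn_from_ce(origin, SOO_SITE_A if soo_configured else None)
    egress_soo = None
    if soo_configured:
        egress_soo = SOO_SITE_A if to_same_site else SOO_SITE_B
    out = pe_advertise_to_ce(in_vrf, BACKBONE_AS, SITE_AS, egress_soo, substitute_as)
    if out is None:
        return "suppressed by SoO"
    return "accepted" if accepts(SITE_AS, out) else "rejected by AS_PATH check"

if __name__ == "__main__":
    for same_site in (False, True):
        for sub in (False, True):
            for soo in (False, True):
                print(f"same_site={same_site!s:5} substitute_as={sub!s:5} "
                      f"soo={soo!s:5} -> {deliver(same_site, sub, soo)}")
    # Hub & spoke: the Hub-PE (AS 100) sees its own AS in the Hub-CE's update.
    from_hub_ce = Route("10.2.0.0/16", (65002, BACKBONE_AS))
    print(accepts(BACKBONE_AS, from_hub_ce), accepts(BACKBONE_AS, from_hub_ce, 1))
```

The case to look for when reviewing a PE configuration is `deliver(True, True, False)`: with substitute-as enabled and no SoO on a multi-homed site, the site accepts its own route back from the backbone.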

  • Configure IBGP between a PE and a CE.

    Perform the following steps on the PE:

    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv4-family vpn-instance vpn-instance-name

      The BGP-VPN instance IPv4 address family view is displayed.

    4. Run peer ipv4-address as-number as-number

      The CE is configured as a VPN peer.

    5. (Optional) Run either of the following commands:

      • import-route direct [ med med | route-policy route-policy-name ] *
      • network ipv4-address [ mask | mask-length ] [ route-policy route-policy-name ]

      The PE is enabled to import the direct routes destined for the local CE into the VRF table and advertise the routes to the remote PE.

      The PE can automatically learn the direct routes destined for the local CE. The learned routes take precedence over the direct routes advertised from the local CE using IBGP. If this step is not performed, the PE does not use MP-BGP to advertise the direct routes destined for the local CE to the remote PE.

    6. Run commit

      The configuration is committed.

    Perform the following steps on the CE:

    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run peer ipv4-address as-number as-number

      The PE is configured as a VPN peer.

    4. Run import-route { direct | static | rip process-id | ospf process-id | isis process-id } [ med med | route-policy route-policy-name ] *

      Routes of the local site are imported.

      The CE advertises the routes of its own VPN network segment to the connected PE. The PE forwards the routes to the remote CE. The type of route imported at this step may vary according to the networking mode.

    5. Run commit

      The configuration is committed.

  • Configure a static route between a PE and a CE.

    Perform the following configurations on the PE device. The configurations on the CE are similar to those on the PE and are not provided here.

    Configuring a static route on the CE is not described here. For details about how to configure a static route, see "IPv4 Static Route Configuration" in the HUAWEI NetEngine 8000 F Series Router Configuration Guide - IP Routing.

    1. Run system-view

      The system view is displayed.

    2. Run ip route-static vpn-instance vpn-source-name destination-address { mask | mask-length } interface-type interface-number [ nexthop-address ] [ preference preference | tag tag ] *

      A static route is configured for a specified VPN instance IPv4 address family.

    3. Run bgp as-number

      The BGP view is displayed.

    4. Run ipv4-family vpn-instance vpn-instance-name

      The BGP-VPN instance IPv4 address family view is displayed.

    5. Run import-route static [ med med | route-policy route-policy-name ] *

      The configured static route is added to the VRF table of the BGP-VPN instance IPv4 address family.

      A VPN that receives routes outside it from a device other than the PE and advertises the routes to the PE is called a transit VPN. A VPN that receives only routes in it and routes advertised by the PE is called a stub VPN. Generally, a static route is used for route exchange between the CE and PE in a stub VPN only.

    6. Run commit

      The configuration is committed.

  • Configure RIP between a PE and a CE.

    Perform the following configurations on the PE device. The configurations on the CE are similar to those on the PE and are not provided here.

    Configuring RIPv1 or RIPv2 on the CE is not described here. For details about how to configure RIP, see "RIP Configuration" in the HUAWEI NetEngine 8000 F Series Router Configuration Guide - IP Routing.

    1. Run system-view

      The system view is displayed.

    2. Run rip process-id vpn-instance vpn-instance-name

      A RIP process is created on the PE.

      A RIP process can be bound only to one VPN instance. If a RIP process is not bound to any VPN instance before it is started, this process becomes a public network process and cannot be bound to a VPN instance later.

    3. Run network network-address

      RIP is enabled on the network segment where the interface bound to the VPN instance resides.

    4. Run import-route bgp [ cost { cost | transparent } | route-policy route-policy-name ] *

      BGP routes are imported into the RIP routing table.

      After the import-route bgp command is run in the RIP view, the PE can import the VPNv4 routes learned from the remote PE into the RIP routing table and advertise them to the attached CE.

    5. Run quit

      Return to the system view.

    6. Run bgp as-number

      The BGP view is displayed.

    7. Run ipv4-family vpn-instance vpn-instance-name

      The BGP-VPN instance IPv4 address family view is displayed.

    8. Run import-route rip process-id [ med med | route-policy route-policy-name ] *

      RIP routes are imported into the VRF table of the BGP-VPN instance IPv4 address family.

      After the import-route rip command is run in the BGP-VPN instance IPv4 address family view, the PE imports the VPN routes learned from the attached CE into the BGP routing table and advertises VPNv4 routes to the remote PE.

    9. Run commit

      The configuration is committed.

    Deleting a VPN instance or disabling a VPN instance IPv4 address family will delete all the RIP processes bound to the VPN instance or the VPN instance IPv4 address family on the PE.

  • Configure OSPF between a PE and a CE.

    Configure OSPF on the CE; the CE configuration details are not provided here. Perform the following steps on the PE:

    Configuring OSPF on the CE is not described here. For details about how to configure OSPF, see "OSPF Configuration" in the HUAWEI NetEngine 8000 F Series Router Configuration Guide - IP Routing.

    1. Run system-view

      The system view is displayed.

    2. Run ospf process-id [ router-id router-id ] vpn-instance vpn-instance-name

      An OSPF process is created on the PE, and the OSPF view is displayed.

      An OSPF process can be bound to only one VPN instance. If an OSPF process is not bound to any VPN instance before it is started, this process becomes a public network process and cannot be bound to a VPN instance later.

      A router ID needs to be specified when an OSPF process is started after it is bound to a VPN instance. The router ID must be different from the public network router ID configured in the system view. If the router ID is not specified, OSPF selects the IP address of one of the interfaces bound to the VPN instance as the router ID based on a certain rule.

    3. (Optional) Run domain-id domain-id [ secondary ]

      The domain ID is configured.

      The domain ID can be an integer or in dotted decimal notation.

      Each OSPF process can be configured with two domain IDs. Different processes can have the same domain ID. There is no restriction on the domain IDs of the OSPF processes of different VPNs on a PE. The OSPF processes of the same VPN must be configured with the same domain ID to ensure proper route advertisement.

      The domain ID of an OSPF process is contained in the routes generated by this OSPF process. When OSPF routes are imported into BGP, the domain ID is added to the BGP VPN routes and forwarded as the BGP extended community attribute.

    4. (Optional) Run route-tag tag

      The VPN route tag is configured.

      • If a BGP process is not started on the local device, the default VPN route tag is 0.
      • If a BGP process is started on the local device, the default VPN route tag is 3489660928 (0xD000 in the hexadecimal format) plus the local AS number of BGP.

    5. Run import-route bgp [ cost cost | route-policy route-policy-name | tag tag | type type ] *

      BGP routes are imported.

    6. Run area area-id

      The OSPF area view is displayed.

    7. Run network ip-address wildcard-mask

      OSPF is enabled on the network segment where the interface bound to the VPN instance resides.

      A network segment belongs to only one area. The area to which each OSPF interface belongs must be specified.

      OSPF can run on an interface properly only when the following conditions are met:

      • The mask length of the IP address of the interface is longer than or equal to that specified in the network command.

      • The primary IP address of the interface is on the network segment specified in the network command.

    8. Run quit

      The OSPF view is displayed.

    9. Run quit

      Return to the system view.

    10. Run bgp as-number

      The BGP view is displayed.

    11. Run ipv4-family vpn-instance vpn-instance-name

      The BGP-VPN instance IPv4 address family view is displayed.

    12. Run import-route ospf process-id [ med med | route-policy route-policy-name ] *

      OSPF routes are imported into the VRF table of the BGP-VPN instance IPv4 address family.

    13. Run commit

      The configuration is committed.

    Deleting a VPN instance or disabling a VPN instance IPv4 address family will delete all the OSPF processes bound to the VPN instance or the VPN instance IPv4 address family on the PE.
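
The two conditions listed under the network command in step 7, as an added Python check that is not Huawei code and not part of the original page. It reports which interfaces bound to a VPN instance are not matched by any network statement; the interface names and addresses are constructed, the function names are hypothetical, and only contiguous wildcard masks are handled (an assumption of this example).

```python
import ipaddress

def wildcard_to_prefixlen(wildcard):
    """Convert a contiguous wildcard mask such as 0.0.0.255 to a prefix length."""
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    ones = bin(netmask).count("1")
    # A contiguous netmask is a run of 1 bits followed only by 0 bits.
    if netmask != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ones

def ospf_runs_on(primary, net_ip, wildcard):
    """primary: the interface's primary address as 'a.b.c.d/len'.
    Returns (True, 'ok') or (False, reason) for one network statement."""
    iface = ipaddress.IPv4Interface(primary)
    plen = wildcard_to_prefixlen(wildcard)
    segment = ipaddress.IPv4Network(f"{net_ip}/{plen}", strict=False)
    if iface.ip not in segment:
        return False, "primary address is outside the network segment"
    if iface.network.prefixlen < plen:
        return False, "interface mask is shorter than the network command mask"
    return True, "ok"

def uncovered(interfaces, statements):
    """interfaces: {name: 'ip/len'}; statements: [(net_ip, wildcard), ...].
    Returns the sorted names of interfaces that no statement enables."""
    return sorted(name for name, addr in interfaces.items()
                  if not any(ospf_runs_on(addr, n, w)[0] for n, w in statements))

# Constructed sample: three interfaces bound to one VPN instance.
SAMPLE_INTERFACES = {
    "GE0/1/0": "10.1.1.1/24",   # matches the first statement
    "GE0/1/1": "10.1.2.1/16",   # address matches, but /16 is shorter than /24
    "GE0/1/2": "10.3.0.1/30",   # outside both segments
}
SAMPLE_STATEMENTS = [("10.1.1.0", "0.0.0.255"), ("10.1.2.0", "0.0.0.255")]

if __name__ == "__main__":
    for name, addr in SAMPLE_INTERFACES.items():
        results = [ospf_runs_on(addr, n, w) for n, w in SAMPLE_STATEMENTS]
        print(name, addr, results)
    print("not running OSPF:", uncovered(SAMPLE_INTERFACES, SAMPLE_STATEMENTS))
```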

  • Configure IS-IS between a PE and a CE.

    Perform the following steps on the PE:

    Configuring IS-IS on the CE is not described here. For details about how to configure IS-IS, see "IS-IS Configuration" in the HUAWEI NetEngine 8000 F Series Router Configuration Guide - IP Routing.

    1. Run system-view

      The system view is displayed.

    2. Run isis process-id vpn-instance vpn-instance-name

      An IS-IS process is created on the PE, and the IS-IS view is displayed.

      An IS-IS process can be bound to only one VPN instance. If an IS-IS process is not bound to any VPN instance before it is started, this process becomes a public network process and cannot be bound to a VPN instance later.

    3. Run network-entity net-addr

      The network entity title (NET) is configured.

      A NET specifies the current IS-IS area address and the system ID of the router.

    4. (Optional) Run is-level { level-1 | level-1-2 | level-2 }

      The IS-IS level of the router is specified.

      Configure the device level based on the network planning. If no device level is configured, IS-IS establishes separate neighbor relationships for Level-1 and Level-2 devices and maintains two identical LSDBs, consuming excessive system resources.

    5. Run import-route bgp [ cost-type { external | internal } | cost cost | tag tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ] *

      BGP routes are imported.

      If the IS-IS level is not specified in the command, BGP routes will be imported into the Level-2 IS-IS routing table.

    6. Run quit

      Return to the system view.

    7. Run interface interface-type interface-number

      The view of the interface bound to the VPN instance is displayed.

    8. Run isis enable [ process-id ]

      IS-IS is enabled on the interface.

    9. Run quit

      Return to the system view.

    10. Run bgp as-number

      The BGP view is displayed.

    11. Run ipv4-family vpn-instance vpn-instance-name

      The BGP-VPN instance IPv4 address family view is displayed.

    12. Run import-route isis process-id [ med med | route-policy route-policy-name ] *

      IS-IS routes are imported into the VRF table of the BGP-VPN instance IPv4 address family.

    13. Run commit

      The configuration is committed.

    Deleting a VPN instance or disabling a VPN instance IPv4 address family will delete all the IS-IS processes bound to the VPN instance or the VPN instance IPv4 address family on the PE.

  • Configure a direct route between a PE and a CE.

    A direct route can be configured between a PE and a CE only if the CE is a host and connected to the PE using a VLANIF interface. Note that the direct route only needs to be configured on the PE.

    Perform the following steps on the PE:

    1. Run system-view

      The system view is displayed.

    2. Run ip vpn-instance vpn-instance-name

      The VPN instance view is displayed.

    3. Run ipv4-family

      The VPN instance IPv4 address family view is displayed.

    4. Run arp vlink-direct-route advertise [ route-policy route-policy-name | route-filter route-filter-name ]

      ARP Vlink direct routes are advertised.

      After the parameter route-policy route-policy-name or route-filter route-filter-name is specified in the arp vlink-direct-route advertise command, only filtered ARP Vlink direct routes are advertised.

    5. Run quit

      Return to the VPN instance view.

    6. Run quit

      Return to the system view.

    7. Run bgp { as-number-plain | as-number-dot }

      The BGP view is displayed.

    8. Run ipv4-family vpn-instance vpn-instance-name

      The BGP-VPN instance IPv4 address family view is displayed.

    9. Run import-route direct [ med med | route-policy route-policy-name ] *

      The direct route to the local CE is imported.

      After the direct route to the local CE is imported into the VPN routing table, the local PE uses MP-BGP to advertise the direct route to the remote PE. This allows the remote CE to access the local CE.

    10. Run commit

      The configuration is committed.

Copyright © Huawei Technologies Co., Ltd.