Configuring Inter-Provider VPN Option A (on Routers)

I. Network requirements

• CE 1 and CE 2 belong to the same VPN. CE 1 accesses the network through PE 1 in AS 100 and CE 2 accesses the network through PE 2 in AS 200.
• Inter-provider MPLS L3VPN is implemented using option A. That is, the VRF-to-VRF method is used to manage VPN routes.
•  The MPLS backbone in each AS runs OSPF.

II. Network diagram

III. Configuration procedure

1) Configure IGP on the MPLS backbone, implementing the connectivity in the backbone

This example uses OSPF. The detailed configuration steps are omitted.

Note:

The 32-bit loopback interface address used as the LSR ID needs to be advertised by OSPF.

• After you complete the above configurations, each ASBR PE and the PE in the same AS should be able to establish OSPF adjacencies. Issuing the display ospf peer command, you can see that the adjacencies reach the state of Full, and that PEs can learn the loopback addresses of each other.

Each ASBR PE and the PE in the same AS should be able to ping each other.

2) Configure MPLS basic capability and MPLS LDP on the MPLS backbone to establish LDP LSPs

# Configure MPLS basic capability on PE 1 and enable MPLS LDP on the interface connected to ASBR PE 1.

<PE1> system-view

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls

[PE1-mpls] quit

[PE1] mpls ldp

[PE1-mpls-ldp] quit

[PE1] interface pos 5/0

[PE1-POS5/0] mpls

[PE1-POS5/0] mpls ldp

[PE1-POS5/0] quit

# Configure MPLS basic capability on ASBR PE 1 and enable MPLS LDP on the interface connected to PE 1.

<ASBR-PE1> system-view

[ASBR-PE1] mpls lsr-id 2.2.2.9

[ASBR-PE1] mpls

[ASBR-PE1-mpls] quit

[ASBR-PE1] mpls ldp

[ASBR-PE1-mpls-ldp] quit

[ASBR-PE1] interface pos 5/0

[ASBR-PE1-POS5/0] mpls

[ASBR-PE1-POS5/0] mpls ldp

[ASBR-PE1-POS5/0] quit

# Configure MPLS basic capability on ASBR PE 2 and enable MPLS LDP on the interface connected to PE 2.

<ASBR-PE2> system-view

[ASBR-PE2] mpls lsr-id 3.3.3.9

[ASBR-PE2] mpls

[ASBR-PE2-mpls] quit

[ASBR-PE2] mpls ldp

[ASBR-PE2-mpls-ldp] quit

[ASBR-PE2] interface pos 5/0

[ASBR-PE2-POS5/0] mpls

[ASBR-PE2-POS5/0] mpls ldp

[ASBR-PE2-POS5/0] quit

# Configure MPLS basic capability on PE 2 and enable MPLS LDP on the interface connected to ASBR PE 2.

<PE2> system-view

[PE2] mpls lsr-id 4.4.4.9

[PE2] mpls

[PE2-mpls] quit

[PE2] mpls ldp

[PE2-mpls-ldp] quit

[PE2] interface pos 5/0

[PE2-POS5/0] mpls

[PE2-POS5/0] mpls ldp

[PE2-POS5/0] quit

After you complete the above configurations, each PE and the ASBR PE in the same AS should be able to establish neighbor relationship. Issuing the display mpls ldp session command on the devices, you can see that the Session State field has a value of Operational in the output information.

3) Configure VPN instances on PEs to allow CEs to access the network

Note:

The VPN targets for the VPN instances of the PEs must match those for the VPN instances of the ASBR-PEs in the same AS. It is not required for PEs in different ASs.

# Configure CE 1.

<CE1> system-view

[CE1] interface ethernet 1/0

[CE1-Ethernet1/0] ip address 10.1.1.1 24

[CE1-Ethernet1/0] quit

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 100:1 both

[PE1-vpn-instance-vpn1] quit

[PE1] interface ethernet 1/1

[PE1-Ethernet1/1] ip binding vpn-instance vpn1

[PE1-Ethernet1/1] ip address 10.1.1.2 24

[PE1-Ethernet1/1] quit

# Configure CE 2.

<CE2> system-view

[CE2] interface ethernet 1/0

[CE2-Ethernet1/0] ip address 10.2.1.1 24

[CE2-Ethernet1/0] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 200:2

[PE2-vpn-instance-vpn1] vpn-target 100:1 both

[PE2-vpn-instance-vpn1] quit

[PE2] interface ethernet 1/1

[PE2-Ethernet1/1] ip binding vpn-instance vpn1

[PE2-Ethernet1/1] ip address 10.2.1.2 24

[PE2-Ethernet1/1] quit

# Configure ASBR PE 1, creating a VPN instance and binding the instance to the interface connected with ASBR PE 2. Note that ASBR PE 1 considers ASBR PE 2 its CE.

[ASBR-PE1] ip vpn-instance vpn1

[ASBR-PE1-vpn-vpn1] route-distinguisher 100:1

[ASBR-PE1-vpn-vpn1] vpn-target 100:1 both

[ASBR-PE1-vpn-vpn1] quit

[ASBR-PE1] interface pos 5/1

[ASBR-PE1-POS5/1] ip binding vpn-instance vpn1

[ASBR-PE1-POS5/1] ip address 192.1.1.1 24

[ASBR-PE1-POS5/1] quit

# Configure ASBR PE 2, creating a VPN instance and binding the instance to the interface connected with ASBR PE 1. Note that ASBR PE 2 considers ASBR PE 1 its CE.

[ASBR-PE2] ip vpn-instance vpn1

[ASBR-PE2-vpn-vpn1] route-distinguisher 200:1

[ASBR-PE2-vpn-vpn1] vpn-target 100:1 both

[ASBR-PE2-vpn-vpn1] quit

[ASBR-PE2] interface pos 5/1

[ASBR-PE2-POS5/1] ip binding vpn-instance vpn1

[ASBR-PE2-POS5/1] ip address 192.1.1.2 24

[ASBR-PE2-POS5/1] quit

After completing the above configurations, you should see the VPN instance configurations by issuing the display ip vpn-instance command.

The PEs should be able to ping their respective CEs and the ASBR PEs should be able to ping each other.

4) Establish EBGP peer relationship between PEs and CEs to allow VPN routes to be injected

# Configure CE 1.

[CE1] bgp 65001

[CE1-bgp] peer 10.1.1.2 as-number 100

[CE1-bgp] import-route direct

[CE1-bgp] quit

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] ipv4-family vpn-instance vpn1

[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65001

[PE1-bgp-vpn1] import-route direct

[PE1-bgp-vpn1] quit

[PE1-bgp] quit

# Configure CE 2.

[CE2] bgp 65002

[CE2-bgp] peer 10.2.1.2 as-number 200

[CE2-bgp] import-route direct

[CE2-bgp] quit

# Configure PE 2.

[PE2] bgp 200

[PE2-bgp] ipv4-family vpn-instance vpn1

[PE2-bgp-vpn1] peer 10.2.1.1 as-number 65002

[PE2-bgp-vpn1] import-route direct

[PE2-bgp-vpn1] quit

[PE2-bgp] quit

5) Establish IBGP peer relationship between each PE and the ASBR PE in the same AS and EBGP peer relationship between the ASBR PEs

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] peer 2.2.2.9 as-number 100

[PE1-bgp] peer 2.2.2.9 connect-interface loopback 0

[PE1-bgp] ipv4-family vpnv4

[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable

[PE1-bgp-af-vpnv4] peer 2.2.2.9 next-hop-local

[PE1-bgp-af-vpnv4] quit

[PE1-bgp] quit

# Configure ASBR PE 1.

[ASBR-PE1] bgp 100

[ASBR-PE1-bgp] ipv4-family vpn-instance vpn1

[ASBR-PE1-bgp-vpn1] peer 192.1.1.2 as-number 200

[ASBR-PE1-bgp-vpn1] quit

[ASBR-PE1-bgp] peer 1.1.1.9 as-number 100

[ASBR-PE1-bgp] peer 1.1.1.9 connect-interface loopback 0

[ASBR-PE1-bgp] ipv4-family vpnv4

[ASBR-PE1-bgp-af-vpnv4] peer 1.1.1.9 enable

[ASBR-PE1-bgp-af-vpnv4] peer 1.1.1.9 next-hop-local

[ASBR-PE1-bgp-af-vpnv4] quit

[ASBR-PE1-bgp] quit

# Configure ASBR PE 2.

[ASBR-PE2] bgp 200

[ASBR-PE2-bgp] ipv4-family vpn-instance vpn1

[ASBR-PE2-bgp-vpn1] peer 192.1.1.1 as-number 100

[ASBR-PE2-bgp-vpn1] quit

[ASBR-PE2-bgp] peer 4.4.4.9 as-number 200

[ASBR-PE2-bgp] peer 4.4.4.9 connect-interface loopback 0

[ASBR-PE2-bgp] ipv4-family vpnv4

[ASBR-PE2-bgp-af-vpnv4] peer 4.4.4.9 enable

[ASBR-PE2-bgp-af-vpnv4] peer 4.4.4.9 next-hop-local

[ASBR-PE2-bgp-af-vpnv4] quit

[ASBR-PE2-bgp] quit

# Configure PE 2.

[PE2] bgp 200

[PE2-bgp] peer 3.3.3.9 as-number 200

[PE2-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE2-bgp] ipv4-family vpnv4

[PE2-bgp-af-vpnv4] peer 3.3.3.9 enable

[PE2-bgp-af-vpnv4] peer 3.3.3.9 next-hop-local

[PE2-bgp-af-vpnv4] quit

[PE2-bgp] quit

6) Verify your configurations

After you complete the above configurations, the CEs should be able to learn the interface routes from each other and ping each other.

Configuring MPLS L3VPNs Using a GRE Tunnel (on Switches)

I. Network requirements

• CE 1 and CE 2 belong to VPN 1. On the service provider backbone, the PEs support MPLS, while the P device does not support MPLS and provides pure IP functions.
• On the backbone, a GRE tunnel is used to encapsulate and forward VPN packets to implement MPLS L3VPN.

This networking scheme requires that tunneling policies be configured on the PEs and the tunnel type for VPN traffic be specified as GRE.

II. Network diagram

III. Configuration procedure

1) Configure IGP on the MPLS backbone, enabling the PEs and the P device to communicate
This example uses OSPF. The detailed configuration steps are omitted.
After you complete the above configurations, OSPF adjacency should be established between PE 1, P, and PE 2. Issuing the display ospf peer command, you can see that the adjacency status is Full. Issuing the display ip routing-table command, you can see that the PEs have learned the loopback route of each other.

2) Enable MPLS basic capability on the PEs

# Configure PE 1.

<PE1> system-view
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit

# Configure PE 2.

<PE2> system-view
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
[PE2-mpls] quit

3) Configure VPN instances on PEs to allow CEs to access and apply tunneling policies to the PEs, specifying to use a GRE tunnel for VPN packet forwarding

# Configure PE 1.

[PE1] tunnel-policy gre1
[PE1-tunnel-policy-gre1] tunnel select-seq gre load-balance-number 1
[PE1-tunnel-policy-gre1] quit
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] route-distinguisher 100:1
[PE1-vpn-instance-vpn1] vpn-target 100:1 both
[PE1-vpn-instance-vpn1] tnl-policy gre1
[PE1-vpn-instance-vpn1] quit
[PE1] interface vlan-interface 1
[PE1-Vlan-interface1] ip binding vpn-instance vpn1
[PE1-Vlan-interface1] ip address 10.1.1.2 24
[PE1-Vlan-interface1] quit

# Configure PE 2.

[PE2] tunnel-policy gre1
[PE2-tunnel-policy-gre1] tunnel select-seq gre load-balance-number 1
[PE2-tunnel-policy-gre1] quit
[PE2] ip vpn-instance vpn1
[PE2-vpn-instance-vpn1] route-distinguisher 100:2
[PE2-vpn-instance-vpn1] vpn-target 100:1 both
[PE2-vpn-instance-vpn1] tnl-policy gre1
[PE2-vpn-instance-vpn1] quit
[PE2] interface vlan-interface 1
[PE2-Vlan-interface1] ip binding vpn-instance vpn1
[PE2-Vlan-interface1] ip address 10.2.1.2 24
[PE2-Vlan-interface1] quit

# Configure CE 1.

<CE1> system-view
[CE1] interface vlan-interface 1
[CE1-Vlan-interface1] ip address 10.1.1.1 24
[CE1-Vlan-interface1] quit

# Configure CE 2.

<CE2> system-view
[CE2] interface vlan-interface 1
[CE2-Vlan-interface1] ip address 10.2.1.1 24
[CE2-Vlan-interface1] quit

After completing the above configurations, you can issue the display ip vpn-instance command on the PEs to view the configuration of the VPN instance. The PEs should be capable of pinging their respective CEs. The following takes PE 1 as an example:

[PE1] display ip vpn-instance
VPN-Instance Name     RD        Create Time
vpn1                              100:1   2006/08/13 09:32:45

[PE1] ping -vpn-instance vpn1 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=27 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=33 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=7 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=29 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=9 ms
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 7/21/33 ms

4) Establish EBGP peer relationship between PEs and CEs to allow VPN routes to be injected

# Configure CE 1.

[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

# Configure PE 1.

[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpn1] peer 10.1.1.1 next-hop-local
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] quit
[PE1-bgp] quit

Note:

The configurations for CE 2 are similar to those for CE 1 and the configurations for PE 2 are similar to those for PE 1. The detailed configuration steps are omitted.

After completing the above configuration, if you issue the display bgp vpnv4 vpn-instance peer command on the PEs, you should see that BGP peer relationship has been established between PE and CE, and has reached the state of Established.
The following takes PE 1 as an example:

[PE1] display bgp vpnv4 vpn-instance vpn1 peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State
10.1.1.1 4 65410 5 5 0 1 00:02:03 Established

5) Configure MP-IBGP peers between PEs

# Configure PE 1.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 0
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

Note:

The configurations for PE 2 are similar to those for PE 1. The detailed configuration steps are omitted.

After completing the above configuration, if you issue the display bgp peer command or the display bgp vpnv4 all peer command on the PEs, you should see that BGP peer relationship has been established between the PEs, and has reached the state of Established.

[PE1] display bgp vpnv4 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State
2.2.2.9 4 100 3 3 0 1 00:00:34 Established

6) Configure a GRE tunnel

# Configure PE 1.
[PE1] interface tunnel 0
[PE1-Tunnel0] tunnel-protocol gre
[PE1-Tunnel0] source loopback 0
[PE1-Tunnel0] destination 2.2.2.9
[PE1-Tunnel0] ip address 20.1.1.1 24
[PE1-Tunnel0] mpls
[PE1-Tunnel0] quit

# Configure PE 2.
[PE2] interface tunnel 0
[PE2-Tunnel0] tunnel-protocol gre
[PE2-Tunnel0] source loopback 0
[PE2-Tunnel0] destination 1.1.1.9
[PE2-Tunnel0] ip address 20.1.1.2 24
[PE2-Tunnel0] mpls
[PE2-Tunnel0] quit

7) Verify your configurations

After you complete the above configurations, the CEs should be able to learn the interface routes from each other.
The following takes CE 1 as an example:

[CE1] display ip routing-table
Routing Tables: Public
Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost NextHop Interface
10.1.1.0/24 Direct 0 0 10.1.1.1 Vlan1
10.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0
10.2.1.0/24 BGP 255 0 10.1.1.2 Vlan1
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

The following takes PE 1 as an example:

[PE1] display ip routing-table
Routing Tables: Public
Destinations : 11 Routes : 11
Destination/Mask Proto Pre Cost NextHop Interface
1.1.1.9/32 Direct 0 0 127.0.0.1 InLoop0
2.2.2.9/32 OSPF 10 3125 172.1.1.2 Vlan2
10.2.1.0/24 Static 60 0 20.1.1.1 Tunnel0
20.1.1.0/24 Direct 0 0 20.1.1.1 Tunnel0
20.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
172.1.1.0/24 Direct 0 0 172.1.1.1 Vlan2
172.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0
172.1.1.2/32 Direct 0 0 172.1.1.2 Vlan2
172.2.1.0/24 OSPF 10 3124 172.1.1.2 Vlan2

[PE1] display ip routing-table vpn-instance vpn1
Routing Tables: vpn1
Destinations : 3 Routes : 3
Destination/Mask Proto Pre Cost NextHop Interface
10.1.1.0/24 Direct 0 0 10.1.1.2 Vlan1
10.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0
10.2.1.0/24 BGP 255 0 2.2.2.9 NULL0

The CEs should be able to ping each other.
[CE1] ping 10.2.1.1
PING 10.2.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=253 time=41 ms
Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=253 time=69 ms
Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=253 time=68 ms
Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=253 time=68 ms
Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=253 time=67 ms
--- 10.2.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 41/62/69 ms

Configuring MPLS L3VPNs Using a GRE Tunnel on Routers

I. Network requirements

•  CE 1 and CE 2 belong to VPN 1. On the service provider backbone, the PEs support MPLS, while the P device does not support MPLS and provides pure IP functions.
• On the backbone, a GRE tunnel is used to encapsulate and forward VPN packets to implement MPLS L3VPN.

This networking scheme requires that tunneling policies be configured on the PEs and the tunnel type for VPN traffic be specified as GRE.

II. Network diagram

III. Configuration procedure

1) Configure IGP on the MPLS backbone, enabling the PEs and the P device to communicate
This example uses OSPF. The detailed configuration steps are omitted.
After you complete the above configurations, OSPF adjacency should be established between PE 1, P, and PE 2. Issuing the display ospf peer command, you can see that the adjacency status is Full. Issuing the display ip routing-table command, you can see that the PEs have learned the loopback route of each other.

2) Enable MPLS basic capability on the PEs

# Configure PE 1.

<PE1> system-view
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit

# Configure PE 2.

<PE2> system-view
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
[PE2-mpls] quit

3) Configure VPN instances on PEs to allow CEs to access and apply tunneling policies to the PEs, specifying to use a GRE tunnel for VPN packet forwarding

# Configure PE 1.

[PE1] tunnel-policy gre1
[PE1-tunnel-policy-gre1] tunnel select-seq gre load-balance-number 1
[PE1-tunnel-policy-gre1] quit
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] route-distinguisher 100:1
[PE1-vpn-instance-vpn1] vpn-target 100:1 both
[PE1-vpn-instance-vpn1] tnl-policy gre1
[PE1-vpn-instance-vpn1] quit
[PE1] interface ethernet 1/0
[PE1-Ethernet1/0] ip binding vpn-instance vpn1
[PE1-Ethernet1/0] ip address 10.1.1.2 24
[PE1-Ethernet1/0] quit

# Configure PE 2.

[PE2] tunnel-policy gre1
[PE2-tunnel-policy-gre1] tunnel select-seq gre load-balance-number 1
[PE2-tunnel-policy-gre1] quit
[PE2] ip vpn-instance vpn1
[PE2-vpn-instance-vpn1] route-distinguisher 100:2
[PE2-vpn-instance-vpn1] vpn-target 100:1 both
[PE2-vpn-instance-vpn1] tnl-policy gre1
[PE2-vpn-instance-vpn1] quit
[PE2] interface ethernet 1/0
[PE2-Ethernet1/0] ip binding vpn-instance vpn1
[PE2-Ethernet1/0] ip address 10.2.1.2 24
[PE2-Ethernet1/0] quit

# Configure CE 1.

<CE1> system-view
[CE1] interface ethernet 1/0
[CE1-Ethernet1/0] ip address 10.1.1.1 24
[CE1-Ethernet1/0] quit

# Configure CE 2.

<CE2> system-view
[CE2] interface ethernet 1/0
[CE2-Ethernet1/0] ip address 10.2.1.1 24
[CE2-Ethernet1/0] quit

After completing the above configurations, you can issue the display ip vpn-instance command on the PEs to view the configuration of the VPN instance. The PEs should be capable of pinging their respective CEs. The following takes PE 1 as an example:

[PE1] display ip vpn-instance

Total VPN-Instances configured : 1
VPN-Instance Name   RD     Create Time
vpn1                           100:1   2006/08/13 09:32:45

[PE1] ping -vpn-instance vpn1 10.1.1.1

PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=27 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=33 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=7 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=29 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=9 ms
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 7/21/33 ms

4) Establish EBGP peer relationship between PEs and CEs to allow VPN routes to be injected

# Configure CE 1.

[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

# Configure PE 1.

[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpn1] peer 10.1.1.1 next-hop-local
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] quit
[PE1-bgp] quit

Note:

The configurations for CE 2 are similar to those for CE 1 and the configurations for PE 2 are similar to those for PE 1. The detailed configuration steps are omitted.

After completing the above configuration, if you issue the display bgp vpnv4 vpn-instance peer command on the PEs, you should see that BGP peer relationship has been established between PE and CE, and has reached the state of Established.

The following takes PE 1 as an example:

[PE1] display bgp vpnv4 vpn-instance vpn1 peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer         V  AS      MsgRcvd MsgSent OutQ PrefRcv Up/Down   State
10.1.1.1   4  65410        5               5          0          1        00:02:03   Established

5) Configure MP-IBGP peers between PEs

# Configure PE 1.

[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 0
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv4] quit

[PE1-bgp] quit

Note:

The configurations for PE 2 are similar to those for PE 1. The detailed configuration steps are omitted.

After completing the above configuration, if you issue the display bgp peer command or the display bgp vpnv4 all peer command on the PEs, you should see that BGP peer relationship has been established between the PEs, and has reached the state of Established.

[PE1] display bgp vpnv4 all peer

BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer     V   AS   MsgRcvd MsgSent OutQ PrefRcv Up/Down   State
2.2.2.9 4   100          3              3           0         1        00:00:34   Established

6) Configure a GRE tunnel

# Configure PE 1.

[PE1] interface tunnel 0

[PE1-Tunnel0] tunnel-protocol gre
[PE1-Tunnel0] source loopback 0
[PE1-Tunnel0] destination 2.2.2.9
[PE1-Tunnel0] ip address 20.1.1.1 24
[PE1-Tunnel0] mpls
[PE1-Tunnel0] quit

# Configure PE 2.

[PE2] interface tunnel 0
[PE2-Tunnel0] tunnel-protocol gre
[PE2-Tunnel0] source loopback 0
[PE2-Tunnel0] destination 1.1.1.9
[PE2-Tunnel0] ip address 20.1.1.2 24
[PE2-Tunnel0] mpls
[PE2-Tunnel0] quit

The CEs should be able to ping each other.

[CE1] ping 10.2.1.1
PING 10.2.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=253 time=41 ms
Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=253 time=69 ms
Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=253 time=68 ms
Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=253 time=68 ms
Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=253 time=67 ms
--- 10.2.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 41/62/69 ms

Configuring MPLS L3VPN on Switch

I. Network requirements

• CE 1 and CE 3 belong to VPN 1, while CE 2 and CE 4 belong to VPN 2.
•  VPN 1 uses VPN target attributes 111:1, while VPN 2 uses VPN target attributes 222:2. Users of different VPNs cannot access each other.
•  PEs and the P device support MPLS.

II. Network diagram

III. Configuration procedure

1) Configure IGP on the MPLS backbone, enabling the PEs and the P device to communicate

# Configure PE 1.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 1.1.1.9 32

[PE1-LoopBack0] quit

[PE1] interface vlan-interface 3

[PE1-Vlan-interface3] ip address 172.1.1.1 24

[PE1- Vlan-interface3] quit

[PE1] ospf

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

# Configure the P device.

<P> system-view

[P] interface loopback 0

[P-LoopBack0] ip address 2.2.2.9 32

[P-LoopBack0] quit

[P] interface vlan-interface 3

[P-Vlan-interface3] ip address 172.1.1.2 24

[P- Vlan-interface3] quit

[P] interface vlan-interface 1

[P-Vlan-interface1] ip address 172.2.1.1 24

[P-Vlan-interface1] quit

[P] ospf

[P-ospf-1] area 0

[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[P-ospf-1-area-0.0.0.0] quit

[P-ospf-1] quit

# Configure PE 2.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 3.3.3.9 32

[PE2-LoopBack0] quit

[PE2] interface vlan-interface 1

[PE2-Vlan-interface1] ip address 172.2.1.2 24

[PE2-Vlan-interface1] quit

[PE2] ospf

[PE2-ospf-1] area 0

[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

After you complete the above configurations, OSPF adjacency should be established between PE 1, P, and PE 2. Issuing the display ospf peer command, you can see that the adjacency status is Full. Issuing the display ip routing-table command, you can see that the PEs have learned the loopback route of each other. The following takes PE 1 as an example:

[PE1] display ip routing-table

Routing Tables: Public

Destinations : 9 Routes : 9

Destination/Mask    Proto      Pre   Cost   NextHop     Interface

1.1.1.9/32                 Direct      0       0      127.0.0.1    InLoop0

2.2.2.9/32                 OSPF     10       1      172.1.1.2    Vlan3

3.3.3.9/32                 OSPF     10       2      172.1.1.2    Vlan3

127.0.0.0/8               Direct      0        0      127.0.0.1    InLoop0

127.0.0.1/32             Direct      0        0      127.0.0.1    InLoop0

172.1.1.0/24             Direct      0        0      172.1.1.1    Vlan3

172.1.1.1/32             Direct      0        0      127.0.0.1    InLoop0

172.1.1.2/32             Direct      0        0      172.1.1.2    Vlan3

172.2.1.0/24             OSPF     10        1      172.1.1.2   Vlan3

[PE1] display ospf peer verbose

OSPF Process 1 with Router ID 1.1.1.9

Neighbors

Area 0.0.0.0 interface 172.1.1.1(Vlan-interface3)'s neighbors

Router ID: 172.1.1.2 Address: 172.1.1.2 GR State: Normal

State: Full Mode:Nbr is Master Priority: 1

DR: None  BDR: None  MTU: 1500

Dead timer due in 38 sec

Neighbor is up for 00:02:44

Authentication Sequence: [ 0 ]

2) Configure MPLS basic capability and MPLS LDP on the MPLS backbone to establish LDP LSPs

# Configure PE 1.

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls

[PE1-mpls] quit

[PE1] mpls ldp

[PE1-mpls-ldp] quit

[PE1] interface vlan-interface 3

[PE1-Vlan-interface3] mpls

[PE1-Vlan-interface3] mpls ldp

[PE1-Vlan-interface3] quit

# Configure the P device.

[P] mpls lsr-id 2.2.2.9

[P] mpls

[P-mpls] quit

[P] mpls ldp

[P-mpls-ldp] quit

[P] interface vlan-interface 3

[P-Vlan-interface3] mpls

[P-Vlan-interface3] mpls ldp

[P-Vlan-interface3] quit

[P] interface vlan-interface 1

[P-Vlan-interface1] mpls

[P-Vlan0interface1] mpls ldp

[P-Vlan-interface1] quit

# Configure PE 2.

[PE2] mpls lsr-id 3.3.3.9

[PE2] mpls

[PE2-mpls] quit

[PE2] mpls ldp

[PE2-mpls-ldp] quit

[PE2] interface vlan-interface 1

[PE2-Vlan-interface1] mpls

[PE2-Vlan-interface1] mpls ldp

[PE2-Vlan-interface1] quit

After you complete the above configurations, LDP sessions should be established between PE 1, P, and PE 2. Issuing the display mpls ldp session command, you can see that the Session State field has a value of Operational. Issuing the display mpls ldp lsp command, you can see that the LSPs established by LDP. The following takes PE 1 as an example:

[PE1] display mpls ldp session

LDP Session(s) in Public Network

----------------------------------------------------------------

Peer-ID Status LAM SsnRole FT MD5 KA-Sent/Rcv

---------------------------------------------------------------

2.2.2.9:0 Operational DU Passive Off Off 5/5

---------------------------------------------------------------

LAM : Label Advertisement Mode FT : Fault Tolerance

[PE1] display mpls ldp lsp

LDP LSP Information

------------------------------------------------------------------

SN DestAddress/Mask In/OutLabel Next-Hop In/Out-Interface

------------------------------------------------------------------

1 1.1.1.9/32 3/NULL 127.0.0.1 Vlan-interface3/InLoop0

2 2.2.2.9/32 NULL/3 172.1.1.2 -------/Vlan-interface3

3 3.3.3.9/32 NULL/1024 172.1.1.2 -------/Vlan-interface3

------------------------------------------------------------------

A '*' before an LSP means the LSP is not established

A '*' before a Label means the USCB or DSCB is stale

3) Configure VPN instances on PEs to allow CEs to access

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 111:1

[PE1-vpn-instance-vpn1] quit

[PE1] ip vpn-instance vpn2

[PE1-vpn-instance-vpn2] route-distinguisher 100:2

[PE1-vpn-instance-vpn2] vpn-target 222:2

[PE1-vpn-instance-vpn2] quit

[PE1] interface vlan-interface 1

[PE1-Vlan-interface1] ip binding vpn-instance vpn1

[PE1-Vlan-interface1] ip address 10.1.1.2 24

[PE1-Vlan-interface1] quit

[PE1] interface vlan-interface 2

[PE1-Vlan-interface2] ip binding vpn-instance vpn2

[PE1-Vlan-interface2] ip address 10.2.1.2 24

[PE1-Vlan-interface2] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 200:1

[PE2-vpn-instance-vpn1] vpn-target 111:1

[PE2-vpn-instance-vpn1] quit

[PE2] ip vpn-instance vpn2

[PE2-vpn-instance-vpn2] route-distinguisher 200:2

[PE2-vpn-instance-vpn2] vpn-target 222:2

[PE2-vpn-instance-vpn2] quit

[PE2] interface vlan-interface 2

[PE2-Vlan-interface2] ip binding vpn-instance vpn1

[PE2-Vlan-interface2] ip address 10.3.1.2 24

[PE2-Vlan-interface2] quit

[PE2] interface vlan-interface 3

[PE2-Vlan-interface3] ip binding vpn-instance vpn2

[PE2-Vlan-interface3] ip address 10.4.1.2 24

[PE2-Vlan-interface3] quit

# Configure IP addresses for the CEs as required in Figure. The detailed configuration steps are omitted.

After completing the above configurations, you can issue the display ip vpn-instance command on the PEs to view the configuration of the VPN instance. The PEs should be capable of pinging their respective CEs. The following takes PE 1 and CE 1 as an example:

[PE1] display ip vpn-instance

Total VPN-Instances configured : 2

VPN-Instance Name RD Create Time

vpn1 100:1 2006/08/13 09:32:45

vpn2 100:2 2006/08/13 09:42:59

[PE1] ping -vpn-instance vpn1 10.1.1.1

PING 10.1.1.1: 56 data bytes, press CTRL_C to break

Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=56 ms

Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=4 ms

Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=4 ms

Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=52 ms

Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=3 ms

--- 10.1.1.1 ping statistics ---

5 packet(s) transmitted

5 packet(s) received

0.00% packet loss

round-trip min/avg/max = 3/23/56 ms

4) Establish EBGP peer relationship between PEs and CEs to allow VPN routes to be injected

# Configure CE 1.

<CE1> system-view

[CE1] bgp 65410

[CE1-bgp] peer 10.1.1.2 as-number 100

[CE1-bgp] import-route direct

[CE1-bgp] quit

Note:

The configurations for the other three CEs are similar to the above. The detailed configuration steps are omitted.

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] ipv4-family vpn-instance vpn1

[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410

[PE1-bgp-vpn1] import-route direct

[PE1-bgp-vpn1] quit

[PE1-bgp] ipv4-family vpn-instance vpn2

[PE1-bgp-vpn2] peer 10.2.1.1 as-number 65420

[PE1-bgp-vpn2] import-route direct

[PE1-bgp-vpn2] quit

[PE1-bgp] quit

Note:

The configurations for PE 2 are similar to those for PE 1. The detailed configuration steps are omitted.

After completing the above configuration, if you issue the display bgp vpnv4 vpn-instance peer command on the PEs, you should see that BGP peer relationship has been established between PE and CE, and has reached the state of Established. The following takes PE 1 and CE 1 as an example:

[PE1] display bgp vpnv4 vpn-instance vpn1 peer

BGP local router ID : 1.1.1.9

Local AS number : 100

Total number of peers : 1 Peers in established state : 1

Peer        V   AS     MsgRcvd MsgSent  OutQ  PrefRcv Up/Down   State

10.1.1.1  4  65410      11               9          0             1       00:06:37   Established

5) Configure MP-IBGP peers between PEs

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] peer 3.3.3.9 as-number 100

[PE1-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE1-bgp] ipv4-family vpnv4

[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable

[PE1-bgp-af-vpnv4] quit

[PE1-bgp] quit

# Configure PE 2.

[PE2] bgp 100

[PE2-bgp] peer 1.1.1.9 as-number 100

[PE2-bgp] peer 1.1.1.9 connect-interface loopback 0

[PE2-bgp] ipv4-family vpnv4

[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable

[PE2-bgp-af-vpnv4] quit

[PE2-bgp] quit

After completing the above configuration, if you issue the display bgp peer command or the display bgp vpnv4 all peer command on the PEs, you should see that BGP peer relationship has been established between the PEs, and has reached the state of Established.

[PE1] display bgp peer

BGP local router ID : 1.1.1.9

Local AS number : 100

Total number of peers : 1 Peers in established state : 1

Peer      V  AS    MsgRcvd  MsgSent   OutQ  PrefRcv Up/Down     State

3.3.3.9  4  100          2              6               0           0      00:00:12    Established

6) Verify your configurations

Issuing the display ip routing-table vpn-instance command on the PEs, you should see the routes to the CEs. The following takes PE 1 as an example:

[PE1] display ip routing-table vpn-instance vpn1

Routing Tables: vpn1

Destinations : 3 Routes : 3

Destination/Mask Proto Pre Cost NextHop Interface

10.1.1.0/24 Direct 0 0 10.1.1.2 Vlan1

10.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0

10.3.1.0/24 BGP 255 0 3.3.3.9 NULL0

[PE1] display ip routing-table vpn-instance vpn2

Routing Tables: vpn2

Destinations : 3 Routes : 3

Destination/Mask Proto Pre Cost NextHop Interface

10.2.1.0/24 Direct 0 0 10.2.1.2 Vlan2

10.2.1.2/32 Direct 0 0 127.0.0.1 InLoop0

10.4.1.0/24 BGP 255 0 3.3.3.9 NULL0

CEs of the same VPN should be capable of pinging each other, whereas those of different VPNs should not. For example, CE 1 should be capable of pinging CE 3 (10.3.1.1), but should not be capable of pinging CE 4 (10.4.1.1):

[CE1] ping 10.3.1.1

PING 10.3.1.1: 56 data bytes, press CTRL_C to break

Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms

Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms

Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms

Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms

Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms

--- 10.3.1.1 ping statistics ---

5 packet(s) transmitted

5 packet(s) received

0.00% packet loss

round-trip min/avg/max = 34/48/72 ms

[CE1] ping 10.4.1.1

PING 10.4.1.1: 56 data bytes, press CTRL_C to break

Request time out

Request time out

Request time out

Request time out

Request time out

--- 10.4.1.1 ping statistics ---

5 packet(s) transmitted

0 packet(s) received

100.00% packet loss

Configuring MPLS L3VPN on Routers

Network requirements

• CE 1 and CE 3 belong to VPN 1, while CE 2 and CE 4 belong to VPN 2.
•  VPN 1 uses VPN target attributes 111:1, while VPN 2 uses VPN target attributes 222:2. Users of different VPNs cannot access each other.
• EBGP is used to exchange VPN routing information between CE and PE.
• PEs use OSPF to communicate with each other and use MP-IBGP to exchange VPN routing information.

II. Network diagram

 

Configuration procedure

1) Configure IGP on the MPLS backbone, enabling the PEs and the P device to communicate

# Configure PE 1.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 1.1.1.9 32

[PE1-LoopBack0] quit

[PE1] interface pos 5/0

[PE1-POS5/0] ip address 172.1.1.1 24

[PE1-POS5/0] quit

[PE1] ospf

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] quit 

[PE1-ospf-1] quit

# Configure the P device.

<P> system-view

[P] interface loopback 0

[P-LoopBack0] ip address 2.2.2.9 32

[P-LoopBack0] quit

[P] interface pos 5/0

[P-POS5/0] ip address 172.1.1.2 24

[P-POS5/0] quit

[P] interface pos 5/1

[P-POS5/1] ip address 172.2.1.1 24

[P-POS5/1] quit

[P] ospf

[P-ospf-1] area 0

[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[P-ospf-1-area-0.0.0.0] quit

[P-ospf-1] quit

# Configure PE 2.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 3.3.3.9 32

[PE2-LoopBack0] quit

[PE2] interface pos 5/0

[PE2-POS5/0] ip address 172.2.1.2 24

[PE2-POS5/0] quit

[PE2] ospf

[PE2-ospf-1] area 0

[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

After you complete the above configurations, OSPF adjacency should be established between PE 1, P, and PE 2. Issuing the display ospf peer command, you can see that the adjacency status is Full. Issuing the display ip routing-table command, you can see that the PEs have learned the loopback route of each other. The following takes PE 1 as an example:

[PE1] display ip routing-table

Routing Tables: Public

Destinations : 9 Routes : 9

Destination/Mask    Proto     Pre    Cost  NextHop    Interface

1.1.1.9/32                Direct     0         0    127.0.0.1    InLoop0

2.2.2.9/32               OSPF     10        1    172.1.1.2     POS5/0

3.3.3.9/32               OSPF     10        2    172.1.1.2     POS5/0

127.0.0.0/8             Direct     0          0    127.0.0.1     InLoop0

127.0.0.1/32           Direct     0          0    127.0.0.1     InLoop0

172.1.1.0/24           Direct     0          0    172.1.1.1     POS5/0

172.1.1.1/32           Direct     0          0    127.0.0.1     InLoop0

172.1.1.2/32           Direct     0          0    172.1.1.2     POS5/0

172.2.1.0/24           OSPF    10          1   172.1.1.2     POS5/0

[PE1] display ospf peer verbose

OSPF Process 1 with Router ID 1.1.1.9

Neighbors

Area 0.0.0.0 interface 172.1.1.1(POS5/0)'s neighbors

Router ID: 172.1.1.2 Address: 172.1.1.2 GR State: Normal

State: Full Mode:Nbr is Master Priority: 1

DR: None BDR: None MTU: 1500

Dead timer due in 38 sec

Neighbor is up for 00:02:44

Authentication Sequence: [ 0 ]

2) Configure MPLS basic capability and MPLS LDP on the MPLS backbone to establish LDP LSPs

# Configure PE 1.

[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls

[PE1-mpls] quit

[PE1] mpls ldp

[PE1-mpls-ldp] quit

[PE1] interface pos 5/0

[PE1-POS5/0] mpls

[PE1-POS5/0] mpls ldp

[PE1-POS5/0] quit

# Configure the P device.

[P] mpls lsr-id 2.2.2.9

[P] mpls

[P-mpls] quit

[P] mpls ldp

[P-mpls-ldp] quit

[P] interface pos 5/0

[P-POS5/0] mpls

[P-POS5/0] mpls ldp

[P-POS5/0] quit

[P] interface pos 5/1

[P-POS5/1] mpls

[P-POS5/1] mpls ldp

[P-POS5/1] quit

# Configure PE 2.

[PE2] mpls lsr-id 3.3.3.9

[PE2] mpls

[PE2-mpls] quit

[PE2] mpls ldp

[PE2-mpls-ldp] quit

[PE2] interface pos 5/0

[PE2-POS5/0] mpls

[PE2-POS5/0] mpls ldp

[PE2-POS5/0] quit

After you complete the above configurations, LDP sessions should be established between PE 1, P, and PE 2. Issuing the display mpls ldp session command, you can see that the Session State field has a value of Operational. Issuing the display mpls ldp lsp command, you can see that the LSPs established by LDP. The following takes PE 1 as an example:

[PE1] display mpls ldp session

LDP Session(s) in Public Network

----------------------------------------------------------------

Peer-ID Status LAM SsnRole FT MD5 KA-Sent/Rcv

---------------------------------------------------------------

2.2.2.9:0 Operational DU Passive Off Off 5/5

---------------------------------------------------------------

LAM : Label Advertisement Mode FT : Fault Tolerance

[PE1] display mpls ldp lsp

LDP LSP Information

------------------------------------------------------------------

SN DestAddress/Mask    In/OutLabel    Next-Hop         In/Out-Interface

------------------------------------------------------------------

1 1.1.1.9/32                      3/NULL         127.0.0.1 --------POS5/0/InLoop0

2 2.2.2.9/32                      NULL/3         172.1.1.2 -------/POS5/0

3 3.3.3.9/32                      NULL/1024    172.1.1.2 -------/POS5/0

------------------------------------------------------------------

A '*' before an LSP means the LSP is not established

A '*' before a Label means the USCB or DSCB is stale

3) Configure VPN instances on PEs to allow CEs to access

# Configure PE 1.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 111:1

[PE1-vpn-instance-vpn1] quit

[PE1] ip vpn-instance vpn2

[PE1-vpn-instance-vpn2] route-distinguisher 100:2

[PE1-vpn-instance-vpn2] vpn-target 222:2

[PE1-vpn-instance-vpn2] quit

[PE1] interface ethernet 1/0

[PE1-Ethernet1/0] ip binding vpn-instance vpn1

[PE1-Ethernet1/0] ip address 10.1.1.2 24

[PE1-Ethernet1/0] quit

[PE1] interface ethernet 1/1

[PE1-Ethernet1/1] ip binding vpn-instance vpn2

[PE1-Ethernet1/1] ip address 10.2.1.2 24

[PE1-Ethernet1/1] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 200:1

[PE2-vpn-instance-vpn1] vpn-target 111:1

[PE2-vpn-instance-vpn1] quit

[PE2] ip vpn-instance vpn2

[PE2-vpn-instance-vpn2] route-distinguisher 200:2

[PE2-vpn-instance-vpn2] vpn-target 222:2

[PE2-vpn-instance-vpn2] quit

[PE2] interface ethernet 1/0

[PE2-Ethernet1/0] ip binding vpn-instance vpn1

[PE2-Ethernet1/0] ip address 10.3.1.2 24

[PE2-Ethernet1/0] quit

[PE2] interface ethernet 1/1

[PE2-Ethernet1/1] ip binding vpn-instance vpn2

[PE2-Ethernet1/1] ip address 10.4.1.2 24

[PE2-Ethernet1/1] quit

# Configure IP addresses for the CEs as required in Figure 1-19. The detailed configuration steps are omitted.

After completing the above configurations, you can issue the display ip vpn-instance command on the PEs to view the configuration of the VPN instance. The PEs should be capable of pinging their respective CEs. The following takes PE 1 and CE 1 as an example:

[PE1] display ip vpn-instance

Total VPN-Instances configured : 2

VPN-Instance Name RD Create Time

vpn1 100:1 2006/08/13 09:32:45

vpn2 100:2 2006/08/13 09:42:59

[PE1] ping -vpn-instance vpn1 10.1.1.1

PING 10.1.1.1: 56 data bytes, press CTRL_C to break

Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=56 ms

Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=4 ms

Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=4 ms

Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=52 ms

Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=3 ms

--- 10.1.1.1 ping statistics ---

5 packet(s) transmitted

5 packet(s) received

0.00% packet loss

round-trip min/avg/max = 3/23/56 ms

4) Establish EBGP peer relationship between PEs and CEs to allow VPN routes to be injected

# Configure CE 1.

<CE1> system-view

[CE1] bgp 65410

[CE1-bgp] peer 10.1.1.2 as-number 100

[CE1-bgp] import-route direct

[CE1-bgp] quit

Note:

The configurations for the other three CEs (CE 2 through CE 4) are similar to the above. The detailed configuration steps are omitted.

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] ipv4-family vpn-instance vpn1

[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410

[PE1-bgp-vpn1] import-route direct

[PE1-bgp-vpn1] quit

[PE1-bgp] ipv4-family vpn-instance vpn2

[PE1-bgp-vpn2] peer 10.2.1.1 as-number 65420

[PE1-bgp-vpn2] import-route direct

[PE1-bgp-vpn2] quit

[PE1-bgp] quit

Note:

The configurations for PE 2 are similar to those for PE 1. The detailed configuration steps are omitted.

After completing the above configuration, if you issue the display bgp vpnv4 vpn-instance peer command on the PEs, you should see that BGP peer relationship has been established between PE and CE, and has reached the state of Established. The following takes PE 1 and CE 1 as an example:

[PE1] display bgp vpnv4 vpn-instance vpn1 peer

BGP local router ID : 1.1.1.9

Local AS number : 100

Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State

10.1.1.1 4 65410 11 9 0 1 00:06:37 Established

5) Configure MP-IBGP peer relationship between PEs

# Configure PE 1.

[PE1] bgp 100

[PE1-bgp] peer 3.3.3.9 as-number 100

[PE1-bgp] peer 3.3.3.9 connect-interface loopback 0

[PE1-bgp] ipv4-family vpnv4

[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable

[PE1-bgp-af-vpnv4] quit

[PE1-bgp] quit

# Configure PE 2.

[PE2] bgp 100

[PE2-bgp] peer 1.1.1.9 as-number 100

[PE2-bgp] peer 1.1.1.9 connect-interface loopback 0

[PE2-bgp] ipv4-family vpnv4

[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable

[PE2-bgp-af-vpnv4] quit

[PE2-bgp] quit

After completing the above configuration, if you issue the display bgp peer command or the display bgp vpnv4 all peer command on the PEs, you should see that BGP peer relationship has been established between the PEs, and has reached the state of Established.

[PE1] display bgp peer

BGP local router ID : 1.1.1.9

Local AS number : 100

Total number of peers : 1 Peers in established state : 1

Peer      V   AS    MsgRcvd MsgSent   OutQ  PrefRcv   Up/Down         State

3.3.3.9  4    100         2              6             0            0         00:00:12    Established

6) Verify your configurations

Issuing the display ip routing-table vpn-instance command on the PEs, you should see the routes to the CEs. The following takes PE 1 as an example:

[PE1] display ip routing-table vpn-instance vpn1

Routing Tables: vpn1

Destinations : 3 Routes : 3

Destination/Mask Proto     Pre   Cost   NextHop    Interface

10.1.1.0/24            Direct   0         0       10.1.1.2     Eth1/0

10.1.1.2/32            Direct   0         0       127.0.0.1   InLoop0

10.3.1.0/24            BGP    255      0       3.3.3.9       NULL0

[PE1] display ip routing-table vpn-instance vpn2

Routing Tables: vpn2

Destinations : 3 Routes : 3

Destination/Mask Proto     Pre   Cost   NextHop    Interface

10.1.1.0/24            Direct   0         0       10.2.1.2     Eth1/1

10.1.1.2/32            Direct   0         0       127.0.0.1   InLoop0

10.3.1.0/24            BGP    255      0       3.3.3.9       NULL0

CEs of the same VPN should be capable of pinging each other, whereas those of different VPNs should not. For example, CE 1 should be capable of pinging CE 3 (10.3.1.1), but should not be capable of pinging CE 4 (10.4.1.1):

[CE1] ping 10.3.1.1

PING 10.3.1.1: 56 data bytes, press CTRL_C to break

Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms

Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms

Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms

Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms

Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms

--- 10.3.1.1 ping statistics ---

5 packet(s) transmitted

5 packet(s) received

0.00% packet loss

round-trip min/avg/max = 34/48/72 ms

[CE1] ping 10.4.1.1

PING 10.4.1.1: 56 data bytes, press CTRL_C to break

Request time out

Request time out

Request time out

Request time out

Request time out

--- 10.4.1.1 ping statistics ---

5 packet(s) transmitted

0 packet(s) received

100.00% packet loss