01-09 Typical MPLS and VPN Configurations

S2700, S3700, S5700, S6700, S7700, and S9700 Series
Switches
Typical Configuration Examples 9 Typical MPLS and VPN Configurations
9 Typical MPLS and VPN Configurations
9.1 Typical BGP/MPLS IP VPN Configurations

9.2 Example for Connecting QinQ Termination Sub-interfaces to a VLL Network
9.3 Example for Deploying BGP/MPLS IP VPN and VPLS on One ISP Network
9.1 Typical BGP/MPLS IP VPN Configurations
9.1.1 Example for Configuring BGP/MPLS IP VPN

BGP/MPLS IP VPN Overview
BGP/MPLS IP VPN is an MPLS-based L3VPN that can be flexibly deployed and easily
extended, and is suitable for deployment on a large scale. To add a new site, the network
administrator only needs to modify the configuration of the edge nodes serving the new site.
BGP/MPLS IP VPN is suitable for communication between the headquarters and branches in
different locations. As communication data needs to traverse the backbone network of the
carrier, BGP is used to advertise VPN routes over the backbone network and MPLS is used to
forward VPN packets on the backbone network. As different departments of an enterprise
need to be isolated, BGP/MPLS IP VPN can isolate route, address space, and access between
different VPNs.
Configuration Notes
l The SA series cards do not support the BGP/MPLS IP VPN function. The X1E series
cards of V200R006C00 and later versions support the BGP/MPLS IP VPN function.
l Applicable products and versions lists applicable products and versions.
NOTE
For details about software mappings, visit Hardware Query Tool and search for the desired product
model.
Networking Requirements
As shown in Figure 9-1:
Issue 25 (2019-11-10) Copyright © Huawei Technologies Co., Ltd. 1118

Switches
l CE1 connects to the headquarters R&D area of a company, and CE3 connects to the
branch R&D area. CE1 and CE3 belong to vpna.
l CE2 connects to the headquarters non-R&D area, and CE4 connects to the branch non-
R&D area. CE2 and CE4 belong to vpnb.
BGP/MPLS IP VPN needs to be deployed for the company to ensure secure communication
between the headquarters and branch while isolating data between the R&D area and non-
R&D area.
Figure 9-1 Networking diagram for configuring BGP/MPLS IP VPN
AS: 65410 AS: 65430

vpna vpna
CE1 CE3
GE1/0/0 GE1/0/0
VLANIF10 VLANIF40
10.1.1.1/24 10.3.1.1/24
Loopback1
GE1/0/0 2.2.2.9/32 GE1/0/0
VLANIF10 GE1/0/0 GE2/0/0 VLANIF40
10.1.1.2/24 VLANIF30 VLANIF60 10.3.1.2/24
PE1 PE2
Loopback1 172.1.1.2/24 172.2.1.1/24 Loopback1
1.1.1.9/32 GE3/0/0 3.3.3.9/32
GE3/0/0
GE2/0/0 VLANIF30 P VLANIF60 GE2/0/0
VLANIF20 172.1.1.1/24 172.2.1.2/24 VLANIF50
AS: 100
10.2.1.2/24 10.4.1.2/24
VPN Backbone
GE1/0/0 GE1/0/0
VLANIF20 VLANIF50
10.2.1.1/24 10.4.1.1/24
CE2 CE4
vpnb vpnb
AS: 65420 AS: 65440
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF between the P and PEs to ensure IP connectivity on the backbone
network.
2. Configure basic MPLS capabilities and MPLS LDP on the P and PEs to establish MPLS
LSP tunnels for VPN data transmission on the backbone network.
3. Configure MP-IBGP on PE1 and PE2 to enable them to exchange VPN routing
information.
4. Configure VPN instances vpna and vpnb on PE1 and PE2. Set the VPN target of vpna
to 111:1 and the VPN target of vpnb to 222:2. This configuration allows users in the
same VPN to communicate with each other and isolates users on different VPNs. Bind
the PE interfaces connected to CEs to the corresponding VPN instances to provide
access for VPN users.

Switches
5. Configure EBGP on the CEs and PEs to exchange VPN routing information.
Procedure
Step 1 Configure an IGP on the MPLS backbone network so that PEs and P can communicate with
each other.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] vlan batch 10 20 30
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] ip address 172.1.1.1 24
[PE1-Vlanif30] quit
[PE1] ospf 1 router-id 1.1.1.9
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure P.
[HUAWEI] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.9 32
[P-LoopBack1] quit
[P] vlan batch 30 60
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type trunk
[P-GigabitEthernet1/0/0] port trunk allow-pass vlan 30
[P-GigabitEthernet1/0/0] quit
[P-GigabitEthernet2/0/0] port link-type trunk
[P-GigabitEthernet2/0/0] port trunk allow-pass vlan 60
[P] interface vlanif 30
[P-Vlanif30] ip address 172.1.1.2 24
[P-Vlanif30] quit
[P-Vlanif60] quit
[P] ospf 1 router-id 2.2.2.9
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.

Switches
[PE2] vlan batch 40 50 60
[PE2-Vlanif60] quit
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
After the configuration is complete, OSPF neighbor relationships are established between PE1
and P, and between PE2 and P. Run the display ospf peer command. The command output
shows that the neighbor status is Full. Run the display ip routing-table command. The
command output shows that PEs have learned the routes to Loopback1 of each other.
The information displayed on PE1 is used as an example.
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.9/32 Direct 0 0 D 127.0.0.1 LoopBack1

2.2.2.9/32 OSPF 10 1 D 172.1.1.2 Vlanif30
3.3.3.9/32 OSPF 10 2 D 172.1.1.2 Vlanif30
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
172.1.1.0/24 Direct 0 0 D 172.1.1.1 Vlanif30
172.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif30
172.2.1.0/24 OSPF 10 2 D 172.1.1.2 Vlanif30
[PE1] display ospf peer
OSPF Process 1 with Router ID 1.1.1.9

Neighbors
Area 0.0.0.0 interface 172.1.1.1(Vlanif30)'s neighbors

Router ID: 2.2.2.9 Address: 172.1.1.2
State: Full Mode:Nbr is Master Priority: 1
DR: 172.1.1.2 BDR: 172.1.1.1 MTU: 0
Dead timer due in 37 sec
Retrans timer interval: 5
Neighbor is up for 00:16:21
Authentication Sequence: [ 0 ]
Step 2 Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network to
establish LDP LSPs.
# Configure PE1.

Switches
[PE1] mpls lsr-id 1.1.1.9

[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif30] mpls
[PE1-Vlanif30] mpls ldp
[PE1-Vlanif30] quit
# Configure P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
[P-Vlanif60] mpls
[P-Vlanif60] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif60] mpls
[PE2-Vlanif60] quit
After the configuration is complete, LDP sessions are established between PE1 and the P and
between the P and PE2. Run the display mpls ldp session command. The command output
shows that the Status field is Operational. Run the display mpls ldp lsp command.
Information about the established LDP LSPs is displayed.
[PE1] display mpls ldp session
LDP Session(s) in Public Network

Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.9:0 Operational DU Passive 0000:00:01 6/6
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
[PE1] display mpls ldp lsp
LDP LSP Information

-------------------------------------------------------------------------------
Flag after Out IF: (I) - LSP Is Only Iterated by RLFA
-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
1.1.1.9/32 3/NULL 2.2.2.9 127.0.0.1 InLoop0
*1.1.1.9/32 Liberal/1024 DS/2.2.2.9
2.2.2.9/32 NULL/3 - 172.1.1.2 Vlanif30
2.2.2.9/32 1024/3 2.2.2.9 172.1.1.2 Vlanif30

Switches
3.3.3.9/32 NULL/1025 - 172.1.1.2 Vlanif30

3.3.3.9/32 1025/1025 2.2.2.9 172.1.1.2 Vlanif30
-------------------------------------------------------------------------------
TOTAL: 5 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is stale
A '*' before a DS means the session is stale
A '*' before a NextHop means the LSP is FRR LSP
Step 3 Configure VPN instances on PEs and bind the interfaces connected to CEs to the VPN
instances.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1-Vlanif10] ip binding vpn-instance vpna
[PE1-Vlanif10] quit
[PE1-Vlanif20] ip binding vpn-instance vpnb
[PE1-Vlanif20] quit
# Configure PE2.
[PE2-Vlanif40] quit
[PE2-Vlanif50] quit
# Assign IP addresses to the interfaces on the CE1 connecting to the headquarters R&D area
according to Figure 9-1. The configurations on CE2, CE3, and CE4 are similar to the
configuration on CE1 and are not mentioned here.
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit

Switches
[CE1] interface vlanif 10

[CE1-Vlanif10] ip address 10.1.1.1 24
[CE1-Vlanif10] quit
After the configuration is complete, run the display ip vpn-instance verbose command on
the PEs to check the configuration of VPN instances. Each PE can ping its connected CE.
NOTE
If a PE has multiple interfaces bound to the same VPN instance, specify a source IP address by setting -a
source-ip-address in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address
command to ping a remote CE. If the source IP address is not specified, the ping fails.
PE1 is used as an example.

[PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 2
Total IPv4 VPN-Instances configured : 2
VPN-Instance Name and ID : vpna, 1

Interfaces : Vlanif10
Address family ipv4
Create date : 2014-11-03 02:39:34+00:00
Up time : 0 days, 22 hours, 24 minutes and 53 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label Policy : label per instance
Per-Instance Label : 4098
Log Interval : 5
VPN-Instance Name and ID : vpnb, 2

Interfaces : Vlanif20
Address family ipv4
Create date : 2014-11-03 02:39:34+00:00
Log Interval : 5
[PE1] ping -vpn-instance vpna 10.1.1.1

PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=5 ms
--- 10.1.1.1 ping statistics ---

5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/6/16 ms
Step 4 Establish EBGP peer relationships between PEs and CEs and import VPN routes into BGP.
# Configure CE1 connecting to the headquarters R&D area. The configurations on CE2, CE3,
and CE4 are similar to the configuration on CE1 and are not mentioned here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

Switches
# Configure PE1. The configuration on PE2 is similar to the configuration on PE1 and is not
mentioned here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit
After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command
on the PEs. The command output shows that BGP peer relationships have been established
between the PEs and CEs.
The peer relationship between PE1 and CE1 is used as an example.
[PE1] display bgp vpnv4 vpn-instance vpna peer
BGP local router ID : 1.1.1.9

Local AS number : 100
VPN-Instance vpna, Router ID 1.1.1.9:
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State

PrefRcv
10.1.1.1 4 65410 11 9 0 00:07:25 Established

1
Step 5 Establish MP-IBGP peer relationships between PEs.

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] quit
After the configuration is complete, run the display bgp peer or display bgp vpnv4 all peer
command on the PEs. The command output shows that BGP peer relationships have been
established between the PEs.
[PE1] display bgp peer

Peer V AS MsgRcvd MsgSent OutQ Up/Down

State PrefRcv

Switches
3.3.3.9 4 100 12 6 0 00:02:21

Established 0
[PE1] display bgp vpnv4 all peer


PrefRcv
3.3.3.9 4 100 12 18 0 00:09:38 Established 0

Peer of IPv4-family for vpn instance :

10.1.1.1 4 65410 25 25 0 00:17:57 Established 1
VPN-Instance vpnb, Router ID 1.1.1.9:
10.2.1.1 4 65420 21 22 0 00:17:10 Established 1
Step 6 Verify the configuration.
Run the display ip routing-table vpn-instance command on the PEs to view the routes to the
remote CEs.

[PE1] display ip routing-table vpn-instance vpna
------------------------------------------------------------------------------
Routing Tables: vpna

10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif10
10.1.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.3.1.0/24 IBGP 255 0 RD 3.3.3.9 Vlanif30
[PE1] display ip routing-table vpn-instance vpnb
------------------------------------------------------------------------------
Routing Tables: vpnb

10.2.1.0/24 Direct 0 0 D 10.2.1.2 Vlanif20
10.2.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif20
10.4.1.0/24 IBGP 255 0 RD 3.3.3.9 Vlanif30
CEs in the same VPN can ping each other, whereas CEs in different VPNs cannot.
For example, CE1 connecting to the headquarters R&D area can ping CE3 connecting to the
branch R&D area at 10.3.1.1 but cannot ping CE4 connecting to the branch non-R&D area at
10.4.1.1.
[CE1] ping 10.3.1.1
0.00% packet loss
----End

Switches
Configuration Files
l Configuration file of PE1
#
sysname PE1
#
vlan batch 10 20 30
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
interface Vlanif30
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
#

Switches
ipv4-family vpn-instance vpnb

import-route direct
#
ospf 1 router-id 1.1.1.9
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
l Configuration file of P
#
sysname P
#
vlan batch 30 60
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif30
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
#
return
#
sysname PE2
#
vlan batch 40 50 60
#
ipv4-family
#
ipv4-family
#
mpls lsr-id 3.3.3.9

Switches
mpls
#
mpls ldp
#
interface Vlanif40
ip address 10.3.1.2 255.255.255.0
#
interface Vlanif50
ip address 10.4.1.2 255.255.255.0
#
interface Vlanif60
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
import-route direct
#
import-route direct
#
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 172.2.1.0 0.0.0.255
#
return
l Configuration file of CE1 connecting to the headquarters R&D area
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#

Switches

#
bgp 65410
#
ipv4-family unicast
import-route direct
peer 10.1.1.2 enable
#
return
l Configuration file of CE2 connecting to the headquarters non-R&D area
#
sysname CE2
#
vlan batch 20
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
#
bgp 65420
#
ipv4-family unicast
import-route direct
#
return
l Configuration file of CE3 connecting to the branch R&D area
#
sysname CE3
#
vlan batch 40
#
interface Vlanif40
ip address 10.3.1.1 255.255.255.0
#
#
bgp 65430
#
ipv4-family unicast
import-route direct
#
return
l Configuration file of CE4 connecting to the branch non-R&D area
#
sysname CE4
#
vlan batch 50
#
interface Vlanif50
ip address 10.4.1.1 255.255.255.0
#

Switches
#
bgp 65440
#
ipv4-family unicast
import-route direct
#
return
Applicable products and versions
Table 9-1 Applicable products and versions

Product Product Model Software Version
S5700 S5700-HI V200R002C00,

V200R003C00,
V200R005(C00SPC500&C
01&C02)
S5710-EI V200R002C00,
V200R003C00,
V200R005(C00&C02)
S5710-HI V200R003C00,
V200R005(C00&C02&C03
)
S5720-EI V200R009C00,
V200R010C00,
V200R011C00,
V200R011C10,
V200R012C00,
V200R013C00,
V200R019C00,
V200R019C10
S5720-HI V200R007C10,
V200R009C00,
V200R010C00,
V200R011C00,
V200R011C10,
V200R012C00,
V200R013C00,
V200R019C00
S5730-HI V200R012C00,
V200R013C00,
V200R019C00,
V200R019C10
S5731-H V200R013C02,
V200R019C00,
V200R019C10

Switches
S5731S-H V200R019C00,
V200R019C10
S5732-H V200R019C00,
V200R019C10
S6700 S6700-EI V200R005(C00&C01)
S6720-EI V200R008C00,
V200R009C00,
V200R010C00,
V200R011C00,
V200R011C10,
V200R012C00,
V200R013C00,
V200R019C00,
V200R019C10
S6720S-EI V200R009C00,
V200R010C00,
V200R011C00,
V200R011C10,
V200R012C00,
V200R013C00,
V200R019C00,
V200R019C10
S6720-HI V200R012C00,
V200R013C00,
V200R019C00,
V200R019C10
S6730-H V200R013C02,
V200R019C00,
V200R019C10
S7700 S7703, S7706, S7712 V200R001(C00&C01),

V200R002C00,
V200R003C00,
V200R005C00,
V200R006C00,
V200R007C00,
V200R008C00,
V200R009C00,
V200R010C00,
V200R011C10,
V200R012C00,
V200R013C00,
V200R013C02,
V200R019C00,
V200R019C10

Switches
S7703 PoE V200R013C00,

V200R019C00,
V200R019C10
S7706 PoE V200R013C00,

V200R019C00,
V200R019C10
S9700 S9703, S9706, S9712 V200R001(C00&C01),

V200R002C00,
V200R003C00,
V200R005C00,
V200R006C00,
V200R007(C00&C10),
V200R008C00,
V200R009C00,
V200R010C00,
V200R011C10,
V200R012C00,
V200R013C00
9.1.2 Example for Configuring an MCE

MCE Overview
A multi-VPN-instance customer edge (MCE) device can function as a CE device for multiple
VPN instances in BGP/MPLS IP VPN networking. This differs from the traditional BGP/
MPLS IP VPN architecture, which requires each VPN instance to use a CE device to connect
to a PE device.
MCE is suitable when users on a private network need to be divided into multiple VPNs or
when services of users in different VPNs must be completely isolated. Deploying a CE device
for each VPN increases the cost of device procurement and maintenance. On the other hand, if
multiple VPNs share one CE device, data security cannot be ensured because all the VPNs
use the same routing table.
An MCE device creates and maintains an independent VRF for each VPN to ensures data
security between different VPNs while reducing network construction and maintenance costs.
The Multi-VRF application isolates forwarding paths of different VPNs on a private network
and advertises routes of each VPN to the peer PE device, ensuring that VPN packets are
correctly transmitted on the public network.
Configuration Notes
l In V100R006C05, only the S3700-EI supports the MCE function.
In other versions, all the switch models except the S5700-SI, S5710-C-LI, S5710-X-LI,
S5700S-LI, S5700-LI, and S2750-EI support the MCE function.

Switches
NOTE
model.
The headquarters and branches of a company need to communicate through MPLS VPN, and
two services of the company must be isolated. To reduce hardware costs, the company wants
the branch to connect to the PE through just one CE.
As shown in Figure 9-2, the networking requirements are as follows:
l CE1 and CE2 connect to the headquarters. CE1 belongs to vpna, and CE2 belongs to
vpnb.
l The MCE connects to vpna and vpnb of the branch through SwitchA and SwitchB.
Users in the same VPN need to communicate with each other, whereas users in different
VPNs must be isolated.
Figure 9-2 Networking diagram for configuring an MCE

vpna
GE2/0/0
vpna VLANIF10
CE1 192.168.1.1/24
SwitchA
GE1/0/0 GE1/0/0
VLANIF10 VLANIF60
10.1.1.1/24 10.3.1.1/24
Loopback1
GE1/0/0 2.2.2.9./32 GE3/0/0
VLANIF10 VPN VLANIF60
10.1.1.2/24 Backbone 10.3.1.2/24
MCE
Loopback1 PE1 PE2
1.1.1.9./32 GE3/0/0 GE1/0/0
GE2/0/0 GE1/0/0
GE2/0/0 VLANIF30 VLANIF30 VLANIF100 GE4/0/0
VLANIF100
VLANIF20 172.1.1.1/24 172.1.1.2/24 10.5.1.2/24 VLANIF70
10.5.1.1/24
10.2.1.2/24 VLANIF200 VLANIF200 10.4.1.2/24
10.6.1.1/24 10.6.1.2/24
GE1/0/0 GE1/0/0
VLANIF20 VLANIF70
10.2.1.1/24 10.4.1.1/24
SwitchB
CE2
GE2/0/0
vpnb
VLANIF10
192.168.2.2/24
vpnb

Switches
1. Configure OSPF between PEs so that they can communicate and configure MP-IBGP to
exchange VPN routing information.
2. Configure basic MPLS capabilities and MPLS LDP on the PEs to establish LDP LSPs.
3. Create VPN instances vpna and vpnb on the MCE and PEs to isolate services.
4. Establish EBGP peer relationships between PE1 and its connected CEs, and import BGP
routes to the VPN routing table of PE1.
5. Configure routing between the MCE and VPN sites and between the MCE and PE2.
Procedure
Step 1 Configure VLANs on interfaces and assign IP addresses to the VLANIF interfaces and
loopback interfaces according to Figure 9-2.
# Configure PE1. The configurations on PE2, CE1, CE2, MCE, SwitchA and SwitchB are
similar to the configuration on PE1 and are not mentioned here.
[PE1] vlan batch 30
[PE1-Vlanif30] quit
Step 2 Configure OSPF on PEs of the backbone network.

# Configure PE1.
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure PE2.
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
After the configuration is complete, PEs can obtain Loopback1 address of each other.
------------------------------------------------------------------------------
1.1.1.9/32 OSPF 10 1 D 172.1.1.1 Vlanif30


Switches
10.3.1.0/24 Direct 0 0 D 10.3.1.3 Vlanif60

10.3.1.3/32 Direct 0 0 D 127.0.0.1 Vlanif60
10.4.1.0/24 Direct 0 0 D 10.4.1.3 Vlanif70
10.4.1.3/32 Direct 0 0 D 127.0.0.1 Vlanif70
172.1.1.0/24 Direct 0 0 D 172.1.1.2 Vlanif30
172.1.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif30
Step 3 Configure basic MPLS capabilities and MPLS LDP on the PEs to establish LDP LSPs.
mentioned here.

[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif30] mpls
[PE1-Vlanif30] quit
After the configuration is complete, run the display mpls ldp session command on the PEs.
The command output shows that the MPLS LDP session between the PEs is in Operational
state.

------------------------------------------------------------------------------
------------------------------------------------------------------------------
1.1.1.9:0 Operational DU Active 0000:00:04 17/17
------------------------------------------------------------------------------
Step 4 Configure VPN instances on the PEs. On PE1, bind the interfaces connected to CE1 and CE2
to the VPN instances. On PE2, bind the interface connected to the MCE to the VPN instances.
# Configure PE1.
[PE1] vlan batch 10 20
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1 //Set the RD to 100:1.
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both //Add the RT value
100:1 to routes exported from the VPN instance vpna to MP-BGP. Only the routes
with the RT value 100:1 can be imported to vpna.
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2

Switches

[PE1-Vlanif10] ip binding vpn-instance vpna //Bind the interface to vpna.
[PE1-Vlanif10] quit
[PE1-Vlanif20] quit
# Configure PE2.
[PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 60 70
[PE2-vpn-instance-vpna] ipv4-family
[PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[PE2-vpn-instance-vpnb] ipv4-family
[PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2
[PE2-Vlanif60] quit
[PE2-Vlanif70] quit
Step 5 Configure VPN instances on the MCE and bind the interfaces connected to SwitchA and
SwitchB to the VPN instances.
[HUAWEI] sysname MCE
[MCE] vlan batch 60 70
[MCE] interface gigabitethernet 1/0/0
[MCE-GigabitEthernet1/0/0] port link-type trunk
[MCE-GigabitEthernet1/0/0] port trunk allow-pass vlan 60 70
[MCE-GigabitEthernet1/0/0] quit
[MCE-GigabitEthernet3/0/0] port trunk allow-pass vlan 60
[MCE-GigabitEthernet4/0/0] port trunk allow-pass vlan 70
[MCE] ip vpn-instance vpna
[MCE-vpn-instance-vpna] ipv4-family
[MCE-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[MCE-vpn-instance-vpna-af-ipv4] quit
[MCE-vpn-instance-vpna] quit
[MCE] ip vpn-instance vpnb
[MCE-vpn-instance-vpnb] ipv4-family
[MCE-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[MCE-vpn-instance-vpnb-af-ipv4] quit
[MCE-vpn-instance-vpnb] quit
[MCE] interface vlanif 60
[MCE-Vlanif60] ip binding vpn-instance vpna

Switches
[MCE-Vlanif60] ip address 10.3.1.2 24

[MCE-Vlanif60] quit
[MCE] interface vlanif 70
[MCE-Vlanif70] ip binding vpn-instance vpnb
[MCE-Vlanif70] ip address 10.4.1.2 24
[MCE-Vlanif70] quit
Step 6 Establish an MP-IBGP peer relationship between PEs. Establish an EBGP peer relationship
between PE1 and CE1, and between PE1 and CE2.
# Configure CE1. The configuration on CE2 is similar to the configuration on CE1 and is not
mentioned here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100 //Establish an EBGP peer relationship
between PE1 and CE1 and import VPN routes.
[CE1-bgp] quit
mentioned here.
[PE1] bgp 100
[PE1-bgp-vpna] quit
[PE1-bgp-vpnb] quit
[PE1-bgp] quit
Set up an MP-IBGP peer relationship between the PE devices.

mentioned here.
[PE1] bgp 100
[PE1-bgp] quit
After the configuration is complete, run the display bgp vpnv4 all peer command on PE1.
The command output shows that PE1 has established an IBGP peer relationship with PE2 and
EBGP peer relationships with CE1 and CE2. The peer relationships are in Established state.
[PE1] display bgp vpnv4 all peer

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2.2.2.9 4 100 288 287 0 01:19:16 Established 6
Peer of IPv4-family for vpn instance :

10.1.1.1 4 65410 9 11 0 00:01:38 Established
2
VPN-Instance vpnb, Router ID 1.1.1.9:

10.2.1.1 4 65420 9 12 0 00:04:09 Established 2

Switches
Step 7 Configure routing between the MCE and VPN sites.

The MCE directly connects to vpna, which uses no routing protocol. Configure static routes
to implement communication between the MCE and vpna.
l # Configure SwitchA.
Assign IP address 192.168.1.1/24 to the interface connected to vpna. The configuration
details are not mentioned here.
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 60
[SwitchA] interface gigabitethernet 1/0/0
[SwitchA-GigabitEthernet1/0/0] port link-type trunk
[SwitchA-GigabitEthernet1/0/0] port trunk allow-pass vlan 60
[SwitchA-GigabitEthernet1/0/0] quit
[SwitchA] interface vlanif 60
[SwitchA-Vlanif60] ip address 10.3.1.1 24
[SwitchA-Vlanif60] quit
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.3.1.2 //Create a default route
destined to the MCE for SwitchA.
l # Configure the MCE.
[MCE] ip route-static vpn-instance vpna 192.168.1.0 24 10.3.1.1 //Create a

VPN route destined to SwitchA for the VPN instance vpna.
l # Check the routes of vpna on the MCE.
[MCE] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib, T - to vpn-
instance
------------------------------------------------------------------------------
Routing Tables:
vpna
Destinations : 3 Routes :
3
Destination/Mask Proto Pre Cost Flags NextHop

Interface
10.3.1.0/24 Direct 0 0 D 10.3.1.2

Vlanif60
10.3.1.2/32 Direct 0 0 D 127.0.0.1
Vlanif60
192.168.1.0/24 Static 60 0 RD 10.3.1.1
Vlanif60
The preceding information shows that the MCE has a static route to vpna.
The RIP protocol runs in vpnb. Configure RIP process 200 on the MCE and bind it to vpnb
so that routes learned by RIP are added to the routing table of vpnb.
l # Configure the MCE.
[MCE] rip 200 vpn-instance vpnb
[MCE-rip-200] version 2
[MCE-rip-200] network 10.0.0.0
[MCE-rip-200] import-route ospf 200 //Import OSPF routes so that SwitchB
can learn routes to the MCE.
[MCE-rip-200] quit
l # Configure SwitchB.
Assign IP address 192.168.2.1/24 to the interface connected to vpnb. The configuration
is not mentioned here.
[HUAWEI] sysname SwitchB

Switches
[SwitchB] vlan batch 70

[SwitchB] interface gigabitethernet 1/0/0
[SwitchB-GigabitEthernet1/0/0] port link-type trunk
[SwitchB-GigabitEthernet1/0/0] port trunk allow-pass vlan 70
[SwitchB-GigabitEthernet1/0/0] quit
[SwitchB] interface vlanif 70
[SwitchB-Vlanif70] ip address 10.4.1.1 24
[SwitchB-Vlanif70] quit
[SwitchB] rip 200
[SwitchB-rip-200] version 2
[SwitchB-rip-200] network 10.0.0.0
[SwitchB-rip-200] network 192.168.2.0
[SwitchB-rip-200] quit
l # Check the routes of vpnb on the MCE.

[MCE] display ip routing-table vpn-instance vpnb
instance
------------------------------------------------------------------------------
Routing Tables:
vpnb
Destinations : 3 Routes :
3
Destination/Mask Proto Pre Cost Flags NextHop

Interface
10.4.1.0/24 Direct 0 0 D 10.4.1.2

Vlanif70
10.4.1.2/32 Direct 0 0 D 127.0.0.1
Vlanif70
192.168.2.0/24 RIP 100 1 D 10.4.1.1
Vlanif70
The preceding information shows that the MCE has learned the route to vpnb using RIP.
The route to vpnb and the route to vpna (192.168.1.0) are maintained in different VPN
routing tables so that users in the two VPNs are isolated from each other.
Step 8 Configure OSPF multi-instance between the MCE and PE2.
# Configure PE2.
NOTE
To configure OSPF multi-instance between the MCE and PE2, complete the following tasks on PE2:
l In the OSPF view, import BGP routes and advertise VPN routes of PE1 to the MCE.
l In the BGP view, import routes of the OSPF processes and advertise the VPN routes of the MCE
to PE1.
[PE2] ospf 100 vpn-instance vpna
[PE2-ospf-100] import-route bgp //Import BGP routes to OSPF 100 in vpna between
the PE and MCE, so that the MCE learns routes to CE1.
[PE2-ospf-100] area 0
[PE2-ospf-100] quit
[PE2] ospf 200 vpn-instance vpnb
[PE2-ospf-200] import-route bgp //Import BGP routes to OSPF 200 in vpnb between
the PE and MCE, so that the MCE learns routes to CE2.
[PE2-ospf-200] area 0
[PE2-ospf-200] quit
[PE2] bgp 100
[PE2-bgp-vpna] import-route ospf 100 //Import OSPF 100 to BGP so that PE2 adds

Switches
the VPNv4 prefix to routes and uses MP-IBGP to advertise routes to PE1.
[PE2-bgp-vpna] quit
[PE2-bgp-vpnb] import-route ospf 200 //Import OSPF 200 to BGP so that PE2 adds
the VPNv4 prefix to routes and uses MP-IBGP to advertise routes to PE1.
[PE2-bgp-vpnb] quit
# Configure the MCE.

NOTE
Import VPN routes to the OSPF processes.
[MCE] ospf 100 vpn-instance vpna //Configure dynamic OSPF routes for
the VPN instance vpna.
[MCE-ospf-100] import-route static //Import static private routes of
SwitchA to the MCE.
[MCE-ospf-100] vpn-instance-capability simple //Disable loop detection for OSPF
VPN, so that the MCE can learn routes re-advertised from PE2.
[MCE-ospf-100] area 0
[MCE-ospf-100-area-0.0.0.0] network 10.3.1.0 0.0.0.255
[MCE-ospf-100-area-0.0.0.0] quit
[MCE-ospf-100] quit
[MCE] ospf 200 vpn-instance vpnb
[MCE-ospf-200] import-route rip 200
[MCE-ospf-200] vpn-instance-capability simple
[MCE-ospf-200] area 0
[MCE-ospf-200-area-0.0.0.0] network 10.4.1.0 0.0.0.255
[MCE-ospf-200-area-0.0.0.0] quit
[MCE-ospf-200] quit
After the configuration is complete, run the display ip routing-table vpn-instance command
on the MCE to view the routes to the remote CEs.
The VPN instance vpna is used as an example.

[MCE] display ip routing-table vpn-instance vpna
------------------------------------------------------------------------------
10.1.1.0/24 O_ASE 150 1 D 10.3.1.3 Vlanif60

10.3.1.0/24 Direct 0 0 D 10.3.1.2 Vlanif60
10.3.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif60
192.168.1.0/24 Static 60 0 RD 10.3.1.1 Vlanif60
Run the display ip routing-table vpn-instance command on the PEs to view the routes to the
remote CEs.
The VPN instance vpna on PE1 is used as an example.

------------------------------------------------------------------------------
10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif10

10.1.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.3.1.0/24 IBGP 255 0 RD 2.2.2.9 Vlanif30
192.168.1.0/24 IBGP 255 2 RD 2.2.2.9 Vlanif30

Switches
CE1 and SwitchA can communicate with each other. CE2 and SwitchB can communicate
with each other.
The information displayed on CE1 is used as an example.
[CE1] ping 10.3.1.1

0.00% packet loss
CE1 cannot ping CE2 or SwitchB. SwitchA cannot ping CE2 or SwitchB.
The ping from CE1 to SwitchB is used as an example.
[CE1] ping 10.4.1.1
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss
----End
Configuration Files
l Configuration file of CE1
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
bgp 65410
#
ipv4-family unicast
import-route direct
#
return

#
sysname CE2
#
vlan batch 20

Switches
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
#
bgp 65420
#
ipv4-family unicast
import-route direct
#
return
#
sysname PE1
#
vlan batch 10 20 30
#
ipv4-family
#
ipv4-family
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 10.2.1.2 255.255.255.0
#
interface Vlanif30
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100

Switches

#
ipv4-family unicast
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
import-route direct
#
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
#
sysname PE2
#
vlan batch 30 60 70
#
ipv4-family
#
ipv4-family
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif30
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
ip address 10.3.1.3 255.255.255.0
#
interface Vlanif70
ip address 10.4.1.3 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
#

Switches

port trunk allow-pass vlan 60 70
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
import-route ospf 100
#
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
ospf 100 vpn-instance vpna
import-route bgp
area 0.0.0.0
network 10.3.1.0 0.0.0.255
#
ospf 200 vpn-instance vpnb
import-route bgp
area 0.0.0.0
network 10.4.1.0 0.0.0.255
#
return
l Configuration file of the MCE
#
sysname MCE
#
vlan batch 60 70
#
ipv4-family
#
ipv4-family
#
interface Vlanif60
ip address 10.3.1.2 255.255.255.0
#
interface Vlanif70
ip address 10.4.1.2 255.255.255.0
#
#
#

Switches

#
ospf 100 vpn-instance vpna
import-route static
vpn-instance-capability simple
area 0.0.0.0
network 10.3.1.0 0.0.0.255
#
ospf 200 vpn-instance vpnb
import-route rip 200
area 0.0.0.0
network 10.4.1.0 0.0.0.255
#
rip 200 vpn-instance vpnb
version 2
network 10.0.0.0
#
ip route-static vpn-instance vpna 192.168.1.0 255.255.255.0 10.3.1.1
#
return
l Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 60
#
interface Vlanif60
ip address 10.3.1.1 255.255.255.0
#
#
ip route-static 0.0.0.0 0.0.0.0 10.3.1.2
#
return
l Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 70
#
interface Vlanif70
ip address 10.4.1.1 255.255.255.0
#
#
rip 200
version 2
network 10.0.0.0
network 192.168.2.0
#
return
9.1.3 Example for Configuring Multicast VPN Access Through

MCE Devices
Multicast VPN Overview
Multicast VPN technology allows multicast services to run on BGP/MPLS IP VPN networks.
This technology encapsulates multicast packets from a private network to enable the packets

Switches
to be forwarded along the multicast distribution tree (MDT) on a public network. When the
packets reach the destination network, they are decapsulated and forwarded to receivers as
multicast packets of the private network.
Multicast VPN is used to address the following problems occurring during the multicast
service deployment on BGP/MPLS IP VPN networks:
l VPN multicast packets cannot pass the reverse path forwarding (RPF) check on the
public network.
In multicast forwarding, multicast routers perform RPF checks on multicast packets
based on the multicast source address and inbound interface. Only multicast packets
from the RPF interface are forwarded. Each router needs to know the unicast route to the
multicast source. The provider (P) device on a BGP/MPLS IP VPN network does not
know the VPN routes; therefore, RPF checks fail on the P device.
l Overlapping multicast source addresses or group addresses on VPNs lead to inter-VPN
communication.
A BGP/MPLS IP VPN network allows overlapping addresses in sites on each VPN;
therefore, the multicast source addresses or group addresses of different VPNs may
overlap. A PE device must correctly forward multicast packets from a VPN to only the
users at the sites on the same VPN to prevent communication between different VPNs.
l VPN packets are forwarded in unicast mode on the public network. When the multicast
traffic volume is high, loads on the public network increase greatly.
Multicast technology ensures that each link transmits only one copy of multicast packets.
Each device replicates multicast data according to the number of outbound interfaces,
and the bandwidth consumed does not increase with the number of receivers. If the
public network supports multicast forwarding, multicast packets are replicated only at
bifurcation points on the public network. This on-demand replication mechanism reduces
loads on the public network and conserves bandwidth.
l All PE devices on a VPN can receive multicast packets from a multicast source on the
same VPN. When the multicast traffic volume is high, loads on the PE devices increase
greatly.
A VPN is composed of multiple sites, each of which connects to a different PE. Some
sites may not have receivers. If VPN multicast data is forwarded only to the PE devices
with receivers connected, burdens on PE devices are reduced.
Configuration Notes
l If multicast VPN in multicast domain (MD) mode is used on switches, the PIM-SM SSM
model cannot be used on the public network.
l Multicast VPN cannot be deployed on inter-AS BGP/MPLS IPv4 VPN networks.
l Multicast VPN cannot be deployed on BGP/MPLS IPv6 VPN networks.
l Interfaces on the following interface cards cannot be configured as member interfaces of
Eth-Trunk multicast loopback interfaces:
– V200R001 to V200R003: ES0D0G24SA00, ES0D0G24CA00, ES0D0X12SA00,
ES1D2G48SBC0, and ES1D2G48TBC0 interface cards for the S7700;
EH1D2G24SSA0, EH1D2S24CSA0, EH1D2X12SSA0, EH1D2G48SBC0, and
EH1D2G48TBC0 interface cards for the S9700
– V200R005 to V200R009: X1E series, ES0D0G24SA00, ES0D0G24CA00,
ES1D2G48SBC0, and ES1D2G48TBC0 interface cards for the S7700; X1E series,
EH1D2G48SBC0, and EH1D2G48TBC0 interface cards for the S9700

Switches

NOTE
For details about software mappings, visit Hardware Query Tool and search for the desired
product model.
As shown in Figure 9-3, a company deploys two services, data of which is transmitted in
multicast mode. The VPN site blue using service A and the VPN site white using service B
both connect to the backbone network through the MCE devices. Multicast VPN in MD mode
can be deployed to meet the multicast service requirements of the company. This
configuration can isolate data of different services and reduces multicast traffic loads on the
public network.

Switches
Figure 9-3 Multicast VPN access through MCE devices

Source1
VPN Blue
GE2/0/1
VLANIF101 CE1
192.168.11.1/24
GE1/0/1
VLANIF100
192.168.1.2/24
Source2 192.168.12.1/24
VLANIF201 192.168.1.1/24
GE2/0/1 VLANIF100
CE2 192.168.2.1/24 GE1/0/1
VLANIF200
VPN White GE1/0/2 GE1/0/2 MCE1
VLANIF200
192.168.2.2/24 GE1/0/0
VLANIF20 VLANIF10
10.1.2.2/24 10.1.1.2/24
BGP/MPLS VPN Backbone

10.1.2.1/24 10.1.1.1/24
VLANIF20 VLANIF10
PE2 10.1.4.2/24 10.1.4.1/24 P 10.1.3.2/24 GE1/0/0
VLANIF40 VLANIF40 VLANIF30
3.3.3.3/32 GE3/0/0 GE3/0/0 GE2/0/0 1.1.1.1/32
Loopback0 Loopback0
GE2/0/0
VLANIF30
GE1/0/0 10.1.3.1/24 PE1
VLANIF50 VLANIF60 Loopback0
10.1.5.1/24 10.1.6.1/24 2.2.2.2/32
10.1.5.2/24 10.1.6.2/24
VLANIF50 VLANIF60
GE1/0/0 192.168.4.2/24
GE1/0/2 VLANIF400
MCE2 VPN White
VLANIF400 GE1/0/2
GE1/0/1 192.168.4.1/24 CE4 GE2/0/1
VLANIF300 VLANIF401
192.168.3.1/24 192.168.14.1/24
192.168.3.2/24 HostB
VLANIF300
GE1/0/1
192.168.13.1/24
CE3 VLANIF301
GE2/0/1
VPN Blue
HostA
1. Configure BGP/MPLS IP VPN to ensure connectivity of the VPN network.

2. Configure multicast loopback interfaces, share-group addresses, and multicast tunnel
interfaces (MTIs) for VPN instances on the PE devices to implement multicast VPN in
MD mode.

Switches
3. Enable multicast routing and PIM on all the devices. Configure the multicast function in
the public network between the PE and P devices. Configure the multicast function in the
VPN instances between PE and MCE devices, and between the MCE and CE devices.
Procedure
Step 1 Configure BGP/MPLS IP VPN.
1. Configure the Open Shortest Path First (OSPF) protocol on the backbone network to
allow communication between the provider edge devices (PE1 and PE2) and
intermediate device P.
# Configure PE1.
<PE1> system-view
[PE1] interface loopback 0 //Create a loopback interface.
[PE1] router id 1.1.1.1 //Set the router ID of PE1 to 1.1.1.1 for route
management.
[PE1] vlan batch 30
[PE1-GigabitEthernet2/0/0] port link-type trunk //Set the link type of
the interface to trunk, which is not the default link type.
[PE1] interface vlanif 30 //Create a VLANIF interface.
[PE1-Vlanif30] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255 //Specify that the
interface running OSPF is the one connected to the 10.1.3.0 network segment
and that the interface belongs to Area 0.
[PE1-ospf-1] quit
The configurations on P and PE2 are similar to the configuration of PE1, and are not
mentioned here.
After the configuration is complete, OSPF neighbor relationships can be set up between
PE1 and P and between P and PE2. Run the display ospf peer command on PE1, P, and
PE2, and you can see that the neighbors are in Full state. Run the display ip routing-
table command, and you can see that PE devices have learned the routes to Loopback0
of each other.
2. Enable basic MPLS capabilities and MPLS LDP on the provider edge devices PE1 and
PE2 to set up LDP LSPs on the MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1 //Set the LSR ID of PE1 to 1.1.1.1.
[PE1] mpls //Enable MPLS globally.
[PE1-mpls] quit
[PE1] mpls ldp //Enable MPLS LDP globally.
[PE1-mpls-ldp] quit
[PE1-Vlanif30] mpls //Enable MPLS on the VLANIF interface.
[PE1-Vlanif30] mpls ldp //Enable MPLS LDP on the VLANIF interface.
[PE1-Vlanif30] quit
The configurations on P and PE2 are similar to the configuration of PE1, and are not
mentioned here.

Switches
After the configuration is complete, LDP sessions can be set up between PE1 and P and
between P and PE2. Run the display mpls ldp session command on the PE and P
devices, and you can see that LDP session is in Operational state.
3. Establish a Multiprotocol Interior Border Gateway Protocol (MP-IBGP) peer
relationship between the provider edge devices PE1 and PE2.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.3 as-number 100 //Create BGP peer 3.3.3.3 and set
its AS number to 100.
[PE1-bgp] peer 3.3.3.3 connect-interface loopback 0 //Specify LoopBack0
as the source interface to send BGP packets to BGP peer 3.3.3.3.
[PE1-bgp] ipv4-family vpnv4 //Enter the BGP-VPNv4 address family view.
[PE1-bgp-af-vpnv4] peer 3.3.3.3 enable //Enable the local switch to
exchange BGP-VPNv4 routes with BGP peer 3.3.3.3.
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.1 as-number 100 //Create BGP peer 1.1.1.1 and set
its AS number to 100.
[PE2-bgp] peer 1.1.1.1 connect-interface loopback 0 //Specify LoopBack0
as the source interface to send BGP packets to 1.1.1.1.
[PE2-bgp] ipv4-family vpnv4 //Enter the BGP-VPNv4 address family view.
[PE2-bgp-af-vpnv4] peer 1.1.1.1 enable ///Enable the local switch to
exchange BGP-VPNv4 routes with BGP peer 1.1.1.1.
[PE2-bgp] quit
After the configuration is complete, run the display bgp vpnv4 all peer command on the
PE devices. You can see that a BGP peer relationship has been set up between PE1 and
PE2 and is in Established state.
4. Create VPN instances blue and white on the provider edge devices PE1 and PE2, and
aggregate egress devices MCE1 and MCE2 for branches, to connect each service site's
egress CE to the PE devices through the MCE devices.
# Configure PE1.
[PE1] ip vpn-instance blue //Create VPN instance blue.
[PE1-vpn-instance-blue] route-distinguisher 100:1 //Set the RD of VPN
instance blue to 100:1.
[PE1-vpn-instance-blue-af-ipv4] vpn-target 111:1 both //Add 111:1 to the
export VPN target list and import VPN target list of VPN instance blue.
[PE1-vpn-instance-blue-af-ipv4] quit
[PE1-vpn-instance-blue] quit
[PE1] ip vpn-instance white //Create VPN instance white.
[PE1-vpn-instance-white] route-distinguisher 200:1 //Set the RD of VPN
instance white to 200:1.
[PE1-vpn-instance-white-af-ipv4] vpn-target 222:1 both //Add 222:1 to the
export VPN target list and import VPN target list of VPN instance white.
[PE1-vpn-instance-white-af-ipv4] quit
[PE1-vpn-instance-white] quit
[PE1-Vlanif10] ip binding vpn-instance blue //Bind VPN instance blue to
VLANIF10 so that VLANIF10 becomes a private network interface of VPN instance
blue.

Switches
[PE1-Vlanif10] quit
[PE1-Vlanif20] ip binding vpn-instance white //Bind VPN instance blue to
white.
[PE1-Vlanif20] quit
# Configure MCE1.
[MCE1] ip vpn-instance blue //Create VPN instance blue.
[MCE1-vpn-instance-blue] route-distinguisher 100:1 //Set the RD of VPN
[MCE1-vpn-instance-blue-af-ipv4] vpn-target 111:1 both //Add 111:1 to the
[MCE1-vpn-instance-blue-af-ipv4] quit
[MCE1-vpn-instance-blue] quit
[MCE1] ip vpn-instance white //Create VPN instance white.
[MCE1-vpn-instance-white] route-distinguisher 200:1 //Set the RD of VPN
[MCE1-vpn-instance-white-af-ipv4] vpn-target 222:1 both //Add 222:1 to
the export VPN target list and import VPN target list of VPN instance white.
[MCE1-vpn-instance-white-af-ipv4] quit
[MCE1-vpn-instance-white] quit
[MCE1] vlan batch 10 20 100 200
[MCE1] interface gigabitethernet 1/0/0
[MCE1-GigabitEthernet1/0/0] port link-type trunk //Set the link type of
[MCE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10 20
[MCE1-GigabitEthernet1/0/0] quit
[MCE1-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[MCE1] interface vlanif 10
[MCE1-Vlanif10] ip binding vpn-instance blue //Bind VPN instance blue to
blue.
[MCE1-Vlanif10] ip address 10.1.1.2 24
[MCE1-Vlanif10] quit
[MCE1-Vlanif20] ip binding vpn-instance white //Bind VPN instance white
to VLANIF20 so that VLANIF20 becomes a private network interface of VPN
instance white.
VLANIF100 so that VLANIF100 becomes a private network interface of VPN
instance blue.
instance white.
# Configure PE2.
[PE2] ip vpn-instance blue //Create VPN instance blue.
[PE2-vpn-instance-blue] route-distinguisher 100:1 //Set the RD of VPN

Switches
[PE2-vpn-instance-blue-af-ipv4] vpn-target 111:1 both //Add 111:1 to the

[PE2] ip vpn-instance white //Create VPN instance white.
[PE2-vpn-instance-white] route-distinguisher 200:1 //Set the RD of VPN
[PE2-vpn-instance-white-af-ipv4] vpn-target 222:1 both //Add 222:1 to the
export VPN target list and import VPN target list of VPN instance white.
[PE2-Vlanif50] ip binding vpn-instance blue //Bind VPN instance blue to
blue.
[PE2-Vlanif50] quit
[PE2-Vlanif60] ip binding vpn-instance white //Bind VPN instance white to
white.
[PE2-Vlanif60] quit
# Configure MCE2.
[MCE2] ip vpn-instance blue //Create VPN instance blue.
[MCE2-vpn-instance-blue] route-distinguisher 100:1 //Set the RD of VPN
[MCE2-vpn-instance-blue-af-ipv4] vpn-target 111:1 both //Add 111:1 to the
[MCE2-vpn-instance-blue-af-ipv4] quit
[MCE2] ip vpn-instance white //Create VPN instance white.
[MCE2-vpn-instance-white] route-distinguisher 200:1 //Set the RD of VPN
[MCE2-vpn-instance-white-af-ipv4] vpn-target 222:1 both //Add 222:1 to
the export VPN target list and import VPN target list of VPN instance white.
[MCE2-vpn-instance-white-af-ipv4] quit
[MCE2] vlan batch 50 60 300 400
[MCE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 50 60
blue.

Switches

instance white.
VLANIF300 so that VLANIF300 becomes a private network interface of VPN
instance blue.
instance white.
5. Configure OSPF on the provider edge devices PE1 and PE2, branches' aggregate egress
devices MCE1 and MCE2, and each service site's egress CE. Import VPN routes to the
OSPF routing table.
# Configure PE1.
[PE1] ospf 2 vpn-instance blue //Create an OSPF process to serve VPN
instance blue.
[PE1-ospf-2] import-route bgp //Import BGP routes.
[PE1-ospf-2] area 0
[PE1-ospf-2] quit
[PE1] ospf 3 vpn-instance white //Create an OSPF process to serve VPN
instance white.
[PE1-ospf-3] area 0
[PE1-ospf-3] quit
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance blue //Enter the IPv4 address family
view of BGP-VPN instance blue.
[PE1-bgp-blue] import-route ospf 2 //Import routes of OSPF process 2.
[PE1-bgp-blue] quit
[PE1-bgp] ipv4-family vpn-instance white //Enter the IPv4 address family
view of BGP-VPN instance white
[PE1-bgp-white] import-route ospf 3 //Import routes of OSPF process 3.
[PE1-bgp-white] quit
[PE1-bgp] quit
# Configure MCE1.
[MCE1] ospf 1 vpn-instance blue //Create an OSPF process to serve VPN
instance blue.
[MCE1-ospf-1] vpn-instance-capability simple //Disable OSPF routing loop
detection.
[MCE1-ospf-1] area 0
[MCE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 //Specify that the
interface is running OSPF is the one connected to the 10.1.1.0 network
segment and that the interface belongs to Area 0.
[MCE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255 //Specify that
the interface is running OSPF is the one connected to the 192.168.1.0 network
[MCE1-ospf-1-area-0.0.0.0] quit
[MCE1-ospf-1] quit
[MCE1] ospf 2 vpn-instance white //Create an OSPF process to serve VPN
instance white.

Switches
detection.
[MCE1-ospf-2] quit
# Configure PE2.
[PE2] ospf 2 vpn-instance blue //Create an OSPF process to serve VPN
instance blue.
[PE2-ospf-2] area 0
[PE2-ospf-2] quit
[PE2] ospf 3 vpn-instance white //Create an OSPF process to serve VPN
instance white.
[PE2-ospf-3] area 0
[PE2-ospf-3] quit
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance blue //Enter the IPv4 address family
view of BGP-VPN instance blue.
[PE2-bgp-blue] import-route ospf 2 //Import routes of OSPF process 2.
[PE2-bgp-blue] quit
[PE2-bgp] ipv4-family vpn-instance white //Enter the IPv4 address family
view of BGP-VPN instance white.
[PE2-bgp-white] import-route ospf 3 //Import routes of OSPF process 3.
[PE2-bgp-white] quit
[PE2-bgp] quit
# Configure MCE2.
[MCE2] ospf 1 vpn-instance blue //Create an OSPF process to serve VPN
instance blue.
detection.
[MCE2-ospf-1] quit
[MCE2] ospf 2 vpn-instance white //Create an OSPF process to serve VPN
instance white.
detection.
[MCE2-ospf-2] quit

Switches
# Configure CE1, egress for a site of service A.

[CE1] vlan batch 100 101
[CE1-GigabitEthernet1/0/1] port link-type trunk //Set the link type of
[CE1-Vlanif100] quit
[CE1] ospf
[CE1-ospf-1] area 0
[CE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255 //Specify that
the interface is running OSPF is the one connected to the 192.168.11.0
network segment and that the interface belongs to Area 0.
[CE1-ospf-1-area-0.0.0.0] quit
[CE1-ospf-1] quit
# Configure CE2, egress for a site of service B.

[CE2] ospf
[CE2-ospf-1] area 0
[CE2-ospf-1] quit


Switches

[CE3] ospf
[CE3-ospf-1] area 0
[CE3-ospf-1] quit

[CE4] ospf
[CE4-ospf-1] area 0
[CE4-ospf-1] quit
After the configuration is complete, run the display ip routing-table vpn-instance vpn-
instance-name command on the PE or MCE devices. You can see that the local PE or
MCE device has a VPN route to the remote PE. Run the display ip routing-table
protocol ospf command on the CE devices. You can see that CE1 and CE3 have learned
routes to each other, and CE2 and CE4 have learned routes to each other.
Step 2 Configure multicast loopback interfaces, share-group addresses, and MTIs for VPN instances
on the provider edge devices PE1 and PE2.
# Configure PE1.
[PE1] interface eth-trunk 10
[PE1-Eth-Trunk10] service type multicast-tunnel //Configure Eth-Trunk 10 as a
multicast loopback interface.
[PE1-Eth-Trunk10] trunkport gigabitethernet 3/0/5 //Bind member interface
GE3/0/5 to Eth-Trunk 10.
[PE1-Eth-Trunk10] quit
[PE1] ip vpn-instance blue

Switches
[PE1-vpn-instance-blue] multicast routing-enable //Enable multicast routing

in VPN instance blue.
[PE1-vpn-instance-blue] multicast-domain share-group 239.1.1.1 binding mtunnel
0 //Specify 239.1.1.1 as the Share-Group for VPN instance blue and bind it to
multicast tunnel interface MTI0.
[PE1-vpn-instance-blue] ipv4-family
[PE1-vpn-instance-blue-af-ipv4] multicast-domain source-interface loopback
0 //Configure the MTI to use the address of Loopback0 as the default address.
[PE1] ip vpn-instance white
[PE1-vpn-instance-white] multicast routing-enable //Enable multicast routing
in VPN instance white.
[PE1-vpn-instance-white] multicast-domain share-group 239.1.2.1 binding mtunnel
10 //Specify 239.1.2.1 as the Share-Group for VPN instance white and bind it
to multicast tunnel interface MTI0.
[PE1-vpn-instance-white] ipv4-family
[PE1-vpn-instance-white-af-ipv4] multicast-domain source-interface loopback
# Configure PE2.
[PE2] interface eth-trunk 10
[PE2-Eth-Trunk10] service type multicast-tunnel //Configure Eth-Trunk 10 as a
multicast loopback interface.
[PE2-Eth-Trunk10] trunkport gigabitethernet 3/0/5 //Bind member interface
GE3/0/5 to Eth-Trunk 10.
[PE2-Eth-Trunk10] quit
[PE2] ip vpn-instance blue
[PE2-vpn-instance-blue] multicast routing-enable //Enable multicast routing
in VPN instance blue.
[PE2-vpn-instance-blue] multicast-domain share-group 239.1.1.1 binding mtunnel
0 //Specify 239.1.1.1 as the Share-Group for VPN instance blue and bind it to
multicast tunnel interface MTI0.
[PE2-vpn-instance-blue] ipv4-family
[PE2-vpn-instance-blue-af-ipv4] multicast-domain source-interface loopback
[PE2] ip vpn-instance white
[PE2-vpn-instance-white] multicast routing-enable //Enable multicast routing
in VPN instance white.
[PE2-vpn-instance-white] multicast-domain share-group 239.1.2.1 binding mtunnel
10 //Specify 239.1.2.1 as the Share-Group for VPN instance white and bind it
to multicast tunnel interface MTI0.
[PE2-vpn-instance-white] ipv4-family
[PE2-vpn-instance-white-af-ipv4] multicast-domain source-interface loopback
Step 3 Configure the multicast function on the public and private networks.
1. Configure the multicast function on the public network.
Enable PIM-SM on the public network. Configure Loopback0 of the provider's
intermediate device P as a candidate bootstrap router (C-BSR) and candidate rendezvous
point (C-RP) on the public network.
# Configure PE1.
[PE1] multicast routing-enable //Enable multicast routing globally.
[PE1-Vlanif30] pim sm //Enable PIM-SM on VLANIF30.
[PE1-Vlanif30] quit
[PE1-LoopBack0] pim sm //Enable PIM-SM on Loopback0.

Switches
# Configure PE2.
[PE2] multicast routing-enable //Enable multicast routing globally.
[PE2-Vlanif40] quit
[PE2-LoopBack0] pim sm //Enable PIM-SM on Loopback0.
# Configure P.
[P] multicast routing-enable //Enable multicast routing globally.
[P-Vlanif30] pim sm //Enable PIM-SM on VLANIF30.
[P-Vlanif30] quit
[P-Vlanif40] pim sm //Enable PIM-SM on VLANIF40.
[P-Vlanif40] quit
[P-LoopBack0] pim sm //Enable PIM-SM on Loopback0.
[P-LoopBack0] quit
[P] pim
[P-pim] c-bsr loopback 0 //Configure Loopback0 as a C-BSR interface.
[P-pim] c-rp loopback 0 //Configure Loopback0 as a C-RP interface.
2. Configure the multicast function on the private network.

Enable PIM-SM on the private networks. Configure VLANIF 10 of provider edge PE1
as a C-BSR and C-RP of VPN instance blue, and configure VLANIF 20 of PE1 as a C-
BSR and C-RP of VPN instance white. Configure IGMP on VLANIF 301 of service site
egress CE3 and VLANIF 401 of service site egress CE4. (The two VLANIF interfaces
are connected to network segments of receivers.)
# Configure PE1.
[PE1-Vlanif10] quit
[PE1-Vlanif20] quit
[PE1] pim vpn-instance blue
[PE1-pim-blue] c-bsr vlanif 10 //Configure VLANIF10 as a C-BSR interface
for VPN instance blue.
[PE1-pim-blue] c-rp vlanif 10 //Configure VLANIF10 as a C-RP interface
for VPN instance blue.
[PE1-pim-blue] quit
[PE1] pim vpn-instance white
[PE1-pim-white] c-bsr vlanif 20 //Configure VLANIF20 as a C-BSR interface
for VPN instance white.
[PE1-pim-white] c-rp vlanif 20 //Configure VLANIF20 as a C-RP interface
for VPN instance white.
[PE1-pim-white] quit
# Configure MCE1.
[MCE1] multicast routing-enable //Enable multicast routing globally.
[MCE1] ip vpn-instance blue
[MCE1-vpn-instance-blue] multicast routing-enable //Enable multicast
routing in VPN instance blue.
[MCE1] ip vpn-instance white
[MCE1-vpn-instance-white] multicast routing-enable //Enable multicast
routing in VPN instance white.
[MCE1-Vlanif10] pim sm //Enable PIM-SM on VLANIF10.

Switches

# Configure PE2.
[PE2-Vlanif50] quit
[PE2-Vlanif60] quit
# Configure MCE2.
[MCE2] multicast routing-enable //Enable multicast routing globally.
[MCE2] ip vpn-instance blue
[MCE2-vpn-instance-blue] multicast routing-enable //Enable multicast
routing in VPN instance blue.
[MCE2] ip vpn-instance white
[MCE2-vpn-instance-white] multicast routing-enable //Enable multicast
routing in VPN instance white.
[MCE2] interface vlanif 50 //Enable PIM-SM on VLANIF50.
[MCE2-Vlanif50] pim sm

[CE1] multicast routing-enable //Enable multicast routing globally.
[CE1-Vlanif100] pim sm //Enable PIM-SM on VLANIF100.



Switches

[CE3-Vlanif301] igmp enable //Enable PIM-SM on VLANIF301.

[CE4-Vlanif401] igmp enable //Enable IGMP VLANIF401.

After the configuration is complete, receivers on the private networks can receive multicast
data from the multicast source.
----End
Configuration Files
l Configuration file of provider edge PE1
#
sysname PE1
#
router id 1.1.1.1
#
vlan batch 10 20 30
#
multicast routing-enable
#
ip vpn-instance blue
ipv4-family
multicast-domain source-interface LoopBack0
multicast-domain share-group 239.1.1.1 binding mtunnel 0
#
ip vpn-instance white
ipv4-family
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Vlanif10
ip binding vpn-instance blue
ip address 10.1.1.1 255.255.255.0
pim sm
#
interface Vlanif20
ip binding vpn-instance white
ip address 10.1.2.1 255.255.255.0
pim sm
#
interface Vlanif30

Switches
ip address 10.1.3.1 255.255.255.0

pim sm
mpls
mpls ldp
#
interface Eth-Trunk10
service type multicast-tunnel
#
#
#
eth-trunk 10
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
pim sm
#
interface MTunnel0
#
interface MTunnel10
#
bgp 100
#
ipv4-family unicast
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
ipv4-family vpn-instance blue
import-route ospf 2
#
ipv4-family vpn-instance white
import-route ospf 3
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.3.0 0.0.0.255
#
ospf 2 vpn-instance blue
import-route bgp
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
ospf 3 vpn-instance white
import-route bgp
area 0.0.0.0
network 10.1.2.0 0.0.0.255
#
pim vpn-instance blue
c-bsr Vlanif10
c-rp Vlanif10
#
pim vpn-instance white
c-bsr Vlanif20
c-rp Vlanif20

Switches
#
return
l Configuration file of provider edge PE2
#
sysname PE2
#
router id 3.3.3.3
#
vlan batch 40 50 60
#
#
ipv4-family
#
ipv4-family
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface Vlanif40
ip address 10.1.4.2 255.255.255.0
pim sm
mpls
mpls ldp
#
interface Vlanif50
ip address 10.1.5.1 255.255.255.0
pim sm
#
interface Vlanif60
ip address 10.1.6.1 255.255.255.0
pim sm
#
interface Eth-Trunk10
service type multicast-tunnel
#
#
#
eth-trunk 10
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
pim sm
#

Switches
interface MTunnel0
#
interface MTunnel10
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance blue
import-route ospf 2
#
ipv4-family vpn-instance white
import-route ospf 3
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.1.4.0 0.0.0.255
#
import-route bgp
area 0.0.0.0
network 10.1.5.0 0.0.0.255
#
import-route bgp
area 0.0.0.0
network 10.1.6.0 0.0.0.255
#
return
l Configuration file of provider intermediate device P
#
sysname P
#
router id 2.2.2.2
#
vlan batch 30 40
#
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif30
ip address 10.1.3.2 255.255.255.0
pim sm
mpls
mpls ldp
#
interface Vlanif40
ip address 10.1.4.1 255.255.255.0
pim sm
mpls
mpls ldp
#

Switches

#
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
#
pim
c-bsr LoopBack0
c-rp LoopBack0
#
return
l Configuration file of branches' aggregate egress MCE1
#
sysname MCE1
#
vlan batch 10 20 100 200
#
#
ipv4-family
#
ipv4-family
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
pim sm
#
interface Vlanif20
ip address 10.1.2.2 255.255.255.0
pim sm
#
interface Vlanif100
ip address 192.168.1.1 255.255.255.0
pim sm
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
pim sm
#
#

Switches

#
#
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
l Configuration file of branches' aggregate egress MCE2
#
sysname MCE2
#
vlan batch 50 60 300 400
#
#
ipv4-family
#
ipv4-family
#
interface Vlanif50
ip address 10.1.5.2 255.255.255.0
pim sm
#
interface Vlanif60
ip address 10.1.6.2 255.255.255.0
pim sm
#
interface Vlanif300
ip address 192.168.3.1 255.255.255.0
pim sm
#
interface Vlanif400
ip address 192.168.4.1 255.255.255.0
pim sm
#
#
#

Switches
#
area 0.0.0.0
network 10.1.5.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
area 0.0.0.0
network 10.1.6.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
return
l Configuration file of CE1, egress for a site of service A
#
sysname CE1
#
vlan batch 100 to 101
#
#
interface Vlanif100
ip address 192.168.1.2 255.255.255.0
pim sm
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.11.0 0.0.0.255
#
return
l Configuration file of CE2, egress for a site of service B
#
sysname CE2
#
#
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
pim sm
#
interface Vlanif201
ip address 192.168.12.1 255.255.255.0
pim sm
#
#

Switches

#
ospf 1
area 0.0.0.0
network 192.168.2.0 0.0.0.255
network 192.168.12.0 0.0.0.255
#
return
l Configuration file of CE3, egress for a site of service A.
#
sysname CE3
#
#
#
interface Vlanif300
ip address 192.168.3.2 255.255.255.0
pim sm
#
interface Vlanif301
ip address 192.168.13.1 255.255.255.0
pim sm
igmp enable
#
#
#
ospf 1
area 0.0.0.0
network 192.168.3.0 0.0.0.255
network 192.168.13.0 0.0.0.255
#
return
l Configuration file of CE4, egress for a site of service B
#
sysname CE4
#
#
#
interface Vlanif400
ip address 192.168.4.2 255.255.255.0
pim sm
#
interface Vlanif401
ip address 192.168.14.1 255.255.255.0
pim sm
igmp enable
#
#
#
ospf 1
area 0.0.0.0
network 192.168.4.0 0.0.0.255

Switches
network 192.168.14.0 0.0.0.255

#
return

Product Software Version
S7700 All versions
S9700 V200R001(C00&C01), V200R002C00,

V200R003C00, V200R005C00,
V200R006C00, V200R007(C00&C10),
V200R008C00, V200R009C00,
V200R010C00, V200R011C10,
V200R012C00, V200R013C00
S5700-HI Only V200R005C01 and V200R005C02
S5710-HI Only V200R005C02
S5720-HI V200R010C00, V200R011C00,

V200R011C10, V200R012C00,
V200R013C00, V200R019C00
S5720-EI, S6720-EI, S6720S-EI V200R010C00 and later versions
S6720-HI, S5730-HI V200R012C00 and later versions
S5731-H V200R013C02, V200R019C00,

V200R019C10
S5731-S, S5731S-S V200R019C00, V200R019C10
S5731S-H V200R019C00, V200R019C10
S5732-H V200R019C00, V200R019C10
S6730-H V200R013C02, V200R019C00,

V200R019C10
S6730-S, S6730S-S V200R019C00, V200R019C10
9.1.4 Example for Configuring L3VPN and VRRP

L3VPN and VRRP Overview
L3VPN is suitable for communication between the headquarters and branches in different
locations. As communication data needs to traverse the backbone network of the ISP, BGP is
used to advertise VPN routes and MPLS is used to forward VPN packets on the backbone
network. As different departments of an enterprise need to be isolated, BGP/MPLS IP VPN
can implement route isolation, address space isolation, and access isolation between different
VPNs.

Switches
Generally, all hosts on the same network segment have the same default route with the
gateway address as the next hop address. The hosts use the default route to send packets to the
gateway and the gateway forwards the packets to other network segments. When the gateway
fails, the hosts with the same default route cannot communicate with external networks.
Configuring multiple egress gateways is a common method to improve system reliability.
However, route selection between the gateways becomes an issue.
VRRP solves the problem. VRRP virtualizes multiple routing devices into a virtual router
without changing the networking, and uses the virtual router IP address as the default gateway
address to implement gateway backup. When the master in the virtual router fails, VRRP uses
a backup to transmit service traffic.
It is recommended that you set the preemption delay of the backup in a VRRP group to 0,
configure the master in preemption mode, and set the preemption delay to be longer than 15s.
These settings allow a period of time for status synchronization between the uplink and
downlink on an unstable network. If the preceding settings are not used, two masters may
coexist and user devices may learn incorrect address of the master. As a result, traffic is
interrupted.
l Preemption mode: A backup preempts to be the master when its priority is higher than
the master.
l Non-preemption mode: As long as the master is working properly, the backup with a
higher priority cannot become the master.
Configuration Notes
l Ensure that each device of the same VRRP group is configured with the same VRID.
l In V200R003 and earlier versions, VRRP can be configured only on the VLANIF
interface.
In V200R005 and later versions, VRRP can be configured on the VLANIF interface and
Layer 3 Ethernet interface.
For a modular switch in V200R006 and later versions, VRRP can be configured on the
VLANIF interface, Layer 3 Ethernet interface, Dot1q termination sub-interface, and
QinQ termination sub-interface.
For a fixed switch in V200R009 and later versions, VRRP can be configured on the
VLANIF interface, Layer 3 Ethernet interface, and sub-interface.
NOTE
model.
In Figure 9-4, CE1 and CE2 belong to vpna, and CE1 is dual-homed to PE1 and PE2 through
the switch. The requirements are as follows:
l Normally, CE1 uses PE1 as the default gateway to communicate with CE2. When PE1
becomes faulty, PE2 takes over PE1, implementing gateway redundancy.
l After PE1 recovers, it preempts to be the master to transmit data after a preemption delay
of 20s.

Switches
NOTE
In this scenario, to avoid loops, ensure that all connected interfaces have STP disabled and connected
interfaces are removed from VLAN 1. If STP is enabled and VLANIF interfaces of switches are used to
construct a Layer 3 ring network, an interface on the network will be blocked. As a result, Layer 3
services on the network cannot run normally.
Figure 9-4 Networking for configuring L3VPN and VRRP
VRRP VRID 1 Loopback1

Virtual IP Address: PE1
1.1.1.1/32
10.1.1.111 Master
GE1/0/2
GE1/0/1
GE1/0/5
GE1/0/3
GE1/0/1 GE1/0/1
Loopback1 GE1/0/3
CE1 Switch CE2
3.3.3.3/32 GE1/0/3
GE1/0/2 PE3 GE1/0/2
AS: 65410 AS: 65430
GE1/0/5
vpna vpna
GE1/0/1
GE1/0/2
Loopback1 PE2
2.2.2.2/32 Backup
Device Interface VLANIF Interface IP Address
PE1 GE1/0/1 VLANIF 300 192.168.1.1/24
GE1/0/2 VLANIF 100 10.1.1.1/24
GE1/0/5 VLANIF 100 10.1.1.1/24
PE2 GE1/0/1 VLANIF 200 192.168.2.1/24
GE1/0/2 VLANIF 100 10.1.1.2/24
GE1/0/5 VLANIF 100 10.1.1.2/24
PE3 GE1/0/1 VLANIF 300 192.168.1.2/24
GE1/0/2 VLANIF 200 192.168.2.2/24
GE1/0/3 VLANIF 400 172.16.1.100/24
CE1 GE1/0/3 VLANIF 100 10.1.1.100/24
CE2 GE1/0/3 VLANIF 400 172.16.1.200/24
VRRP is configured to implement gateway redundancy on the L3VPN. The configuration
roadmap is as follows:

Switches
1. Configure OSPF between PEs to implement IP connectivity on the backbone network.

2. Configure basic MPLS functions and MPLS LDP on PEs so that MPLS LSPs can be
established to transmit VPN data.
3. Configure VPN instances on PEs to implement connectivity between VPNs. Bind VPN
instances to PE interfaces connected to CEs so that VPN users can be connected.
4. Configure MP-IBGP between PE1 and PE3, and between PE2 and PE3 to exchange
VPN routing information.
5. Configure EBGP between CEs and PEs to exchange VPN routing information.
6. Configure a loop prevention protocol on PE1, PE1, and switch to prevent loops. Here,
MSTP is used.
7. Configure a VRRP group on PE1 and PE2. Set a higher priority for PE1 so that PE1
functions as the master to forward traffic, and set the preemption delay to 20s on PE1.
Set a lower priority for PE2 so that PE2 functions as the backup.
Procedure
Step 1 Configure an IGP protocol on the MPLS backbone network so that the PEs can communicate
with each other.
# Configure PE1.
[PE1] vlan 300
[PE1-vlan300] quit
[PE1-GigabitEthernet1/0/1] port link-type hybrid
[PE1-GigabitEthernet1/0/1] port hybrid pvid vlan 300
[PE1-GigabitEthernet1/0/1] port hybrid untagged vlan 300
[PE1-Vlanif300] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure PE2.
[PE2] vlan 200
[PE2-vlan200] quit
[PE2] ospf 1
[PE2-ospf-1] area 0

Switches

[PE2-ospf-1] quit
# Configure PE3.
[PE3] ospf 1
[PE3-ospf-1] area 0
[PE3-ospf-1] quit
Step 2 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS
backbone network.
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif300] mpls
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
# Configure PE3.
[PE3] mpls
[PE3-mpls] quit
[PE3] mpls ldp

Switches
[PE3-mpls-ldp] quit
Step 3 Configure a VPN instance on each PE and connect CEs to PEs.

# Configure the switch.
[HUAWEI] sysname Switch
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/1] quit
# Configure PE1.
[PE1] vlan 100
[PE1-vlan100] quit
# Configure PE2.
[PE2] vlan 100
[PE2-vlan100] quit

Switches

# Configure PE3.
[PE3] vlan 400
[PE3-vlan400] quit
# Configure CE1.
[CE1] vlan 100
[CE1-vlan100] quit
[CE1-GigabitEthernet1/0/3] port link-type hybrid
[CE1-GigabitEthernet1/0/3] port hybrid pvid vlan 100
[CE1-GigabitEthernet1/0/3] port hybrid untagged vlan 100
# Configure CE2.
[CE2] vlan 400
[CE2-vlan400] quit
[CE2-GigabitEthernet1/0/3] port hybrid pvid vlan 400
[CE2-GigabitEthernet1/0/3] port hybrid untagged vlan 400
Step 4 Set up EBGP peer relationships between PEs and CEs and import VPN routes.
# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] quit

Switches
# Configure CE2.
[CE2] bgp 65430
[CE2-bgp] quit
# Configure PE1.
[PE1] bgp 100
[PE1-bgp-vpna] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp-vpna] quit
[PE2-bgp] quit
# Configure PE3.
[PE3] bgp 100
[PE3-bgp-vpna] quit
[PE3-bgp] quit
Step 5 Set up MP-IBGP peer relationships between PEs.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] quit
# Configure PE3.
[PE3] bgp 100
[PE3-bgp] quit

Switches
Step 6 Configure MSTP to block the link between PE2 and the switch and prevent loops.
# Configure PE1 to work in MSTP mode.
[PE1] stp mode mstp
# Configure PE2 to work in MSTP mode.

[PE2] stp mode mstp
# Configure the switch to work in MSTP mode.

[Switch] stp mode mstp
# Configure PE1 as the root bridge.

[PE1] stp root primary
# Configure PE2 as the secondary root bridge.

[PE2] stp root secondary
# Set the path cost of the port connecting PE2 and the switch to 400000 to block the link
between PE2 and the switch.
[PE2-GigabitEthernet1/0/2] stp cost 400000
[Switch-GigabitEthernet1/0/2] stp cost 400000
# Disable STP on GigabitEthernet1/0/3 connecting SwitchA and CE1.

[Switch-GigabitEthernet1/0/3] stp disable
# Enable STP on PE1 globally.

[PE1] stp enable
# Enable STP on PE2 globally.

[PE2] stp enable
# Enable STP on the switch globally.

[Switch] stp enable
# After the configuration is complete, run the display stp brief command on the switch. You
can see that GE1/0/2 is the alternate port and in DISCARDING state.
[Switch] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 ROOT FORWARDING NONE
0 GigabitEthernet1/0/2 ALTE DISCARDING NONE
Step 7 Configure a VRRP group.

# Configure VRRP group 1 on PE1, and set the priority of PE1 to 120 and the preemption
delay to 20s.
[PE1-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111 //Create VRRP group 1.
[PE1-Vlanif100] vrrp vrid 1 priority 120 //Set the priority to 120.
[PE1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 20 //Set the preemption
delay to 20s.

Switches
# Configure VRRP group 1 on PE2. PE2 uses default value 100.

[PE2-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111 //Create VRRP group 1.

# After the configuration is complete, run the display vrrp command on PE1 and PE2. You
can see that PE1 is in Master state and PE2 is in Backup state.
[PE1] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
[PE2] display vrrp
State : Backup
Virtual IP : 10.1.1.111
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
# Run the shutdown command on GE1/0/2 and GE1/0/5 of PE1 to simulate a link fault.
[PE1-GigabitEthernet1/0/2] shutdown
[PE1-GigabitEthernet1/0/5] shutdown
# Run the display vrrp command on PE2 to check the VRRP status. The command output
shows that PE2 is in Master state.
[PE2] display vrrp
State : Master
Virtual IP : 10.1.1.111
PriorityRun : 100

Switches
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:18:40
# Run the undo shutdown command on GE1/0/2 and GE1/0/5 of PE1. After 20s, run the
display vrrp command on PE1 to check the VRRP status. PE1 restores to be in Master state.
[PE1-GigabitEthernet1/0/2] undo shutdown
[PE1-GigabitEthernet1/0/5] undo shutdown
[PE1] display vrrp
State : Master
Virtual IP : 10.1.1.111
PriorityRun : 120
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:20:56
----End
Configuration Files
#
sysname PE1
#
vlan batch 100 300
#
stp instance 0 root primary
#
ipv4-family
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#

Switches
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
mpls
mpls ldp
#
port link-type hybrid
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
import-route direct
peer 10.1.1.100 as-number 65410
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return
#
sysname PE2
#
vlan batch 100 200
#
stp instance 0 root secondary
#
ipv4-family
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
#

Switches
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
mpls
mpls ldp
#
#
stp instance 0 cost 400000
#
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
import-route direct
peer 10.1.1.100 as-number 65410
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 192.168.2.0 0.0.0.255
#
return
#
sysname PE3
#
vlan batch 200 300 400
#
ipv4-family
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif300

Switches
ip address 192.168.1.2 255.255.255.0

mpls
mpls ldp
#
interface Vlanif400
ip address 172.16.1.100 255.255.255.0
#
#
#
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.1 enable
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
peer 2.2.2.2 enable
#
import-route direct
peer 172.16.1.200 as-number 65430
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
l Configuration file of the switch
#
sysname Switch
#
vlan batch 100
#
#
stp instance 0 cost 400000

Switches
#
stp disable
#
return

#
sysname CE1
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.100 255.255.255.0
#
#
bgp 65410
#
ipv4-family unicast
import-route direct
#
return

#
sysname CE2
#
vlan batch 400
#
interface Vlanif400
ip address 172.16.1.200 255.255.255.0
#
#
bgp 65430
peer 172.16.1.100 as-number 100
#
ipv4-family unicast
import-route direct
#
return

Switches

S5700 S5700-HI V200R002C00,

V200R003C00,
V200R005(C00SPC500&C
01&C02)
S5710-EI V200R002C00,
V200R003C00,
V200R005(C00&C02)
S5710-HI V200R003C00,
V200R005(C00&C02&C03
)
S5720-EI V200R009C00,
V200R010C00,
V200R011C00,
V200R011C10,
V200R012C00,
V200R013C00,
V200R019C00,
V200R019C10
S5720-HI V200R007C10,
V200R009C00,
V200R010C00,
V200R011C00,
V200R011C10,
V200R012C00,
V200R013C00,
V200R019C00
S5730-HI V200R012C00,
V200R013C00,
V200R019C00,
V200R019C10
S5731-H V200R013C02,
V200R019C00,
V200R019C10
S5731S-H V200R019C00,
V200R019C10
S5732-H V200R019C00,
V200R019C10
S6700 S6700-EI V200R005(C00&C01)

Switches
S6720-EI V200R008C00,
V200R009C00,
V200R010C00,
V200R011C00,
V200R011C10,
V200R012C00,
V200R013C00,
V200R019C00,
V200R019C10
S6720S-EI V200R009C00,
V200R010C00,
V200R011C00,
V200R011C10,
V200R012C00,
V200R013C00,
V200R019C00,
V200R019C10
S6720-HI V200R012C00,
V200R013C00,
V200R019C00,
V200R019C10
S6730-H V200R013C02,
V200R019C00,
V200R019C10
S7700 S7703, S7706, S7712 V200R001(C00&C01),

V200R002C00,
V200R003C00,
V200R005C00,
V200R006C00,
V200R007C00,
V200R008C00,
V200R009C00,
V200R010C00,
V200R011C10,
V200R012C00,
V200R013C00,
V200R013C02,
V200R019C00,
V200R019C10
S7703 PoE V200R013C00,

V200R019C00,
V200R019C10
S7706 PoE V200R013C00,

V200R019C00,
V200R019C10

Switches
S9700 S9703, S9706, S9712 V200R001(C00&C01),

V200R002C00,
V200R003C00,
V200R005C00,
V200R006C00,
V200R007(C00&C10),
V200R008C00,
V200R009C00,
V200R010C00,
V200R011C10,
V200R012C00,
V200R013C00
9.1.5 Example for Configuring Routing Policies to Control Mutual

Access Between L3VPN Users
Overview
extended, and is suitable for deployment on a large scale. BGP/MPLS IP VPN technology can
be used to implement secure communication or isolation between branches in different
locations.
Routing policies are used to filter routes and set route attributes. You can change route
attributes to change a route over which network traffic is transmitted.
BGP/MPLS IP VPN can be combined with routing policies to control the receiving and
advertisement of VPN routes, implementing mutual access between specific branch users.
Configuration Notes
NOTE
model.
As shown in Figure 9-5, CE1 is connected to the branch Site 1, and CE2 is connected to the
branch Site 2. Site 1 and Site 2 communicate with each other over the ISP backbone network.
The enterprise requires that L3VPN users on some network segments can securely
communicate with each other to meet service requirements.

Switches
Figure 9-5 Configuring routing policies to control mutual access between L3VPN users
VPN Backbone
Loopback1 Loopback1
1.1.1.9/32 2.2.2.9/32
GE2/0/0 GE2/0/0
VLANIF100 VLANIF100
PE1 172.10.1.1/24 172.10.1.2/24 PE2
GE1/0/0 GE1/0/0
VLANIF10 VLANIF10
192.168.1.1/24 192.168.2.1/24
CE1 GE1/0/0 GE1/0/0 CE2

VLANIF10 VLANIF10
192.168.1.2/24 192.168.2.2/24
vpna vpna
Site1 Site2
1. Configure OSPF between the PE devices to ensure IP connectivity on the backbone
network.
2. Enable basic MPLS capabilities and MPLS LDP on the PE devices to set up MPLS LSP
tunnels for VPN data transmission on the backbone network.
3. Create VPN instances on the PE devices, bind CE interfaces to the VPN instances, and
assign different VPN targets to the VPN instances to isolate users from different
branches.
4. Configure routing policies on the PE devices and change the VPN targets of routes
filtered out based on specified routing policies to implement communication between
branch users on a specified network segment.
5. Set up EBGP peer relationships between the CE and PE devices so that they can
6. Configure MP-IBGP between the PE devices to enable them to exchange VPN routing
information.
Procedure
Step 1 Configure an IGP protocol on the MPLS backbone network so that the PE devices can
communicate with each other.
# Configure PE1.

Switches

[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure PE2.
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
After the configuration is complete, run the display ospf peer command. The command
output shows that OSPF neighbor relationship has been set up between PE1 and PE2, and the
neighbor status is Full. Run the display ip routing-table command on PE1 and PE2, and you
can view that PE1 and PE2 have learned the routes to each other's Loopback1 address.
Step 2 Enable basic MPLS capabilities and MPLS LDP on the PE devices to set up LDP LSPs on the
MPLS backbone network.
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
# Configure PE2.

Switches

[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
After the configuration is complete, PE1 and PE2 have established LDP sessions. Run the
display mpls ldp session command, and you can view that the LDP session status is
Operational.
Step 3 Configure a VPN instance on each PE device and connect the CE devices to the PE devices.
# Configure PE1.
[PE1-Vlanif10] quit
# Configure PE2.
[PE2-Vlanif10] quit
# Assign IP addresses to interfaces on CE1 and CE2 according to Figure 9-5.

[CE1] vlan batch 10
[CE1-Vlanif10] quit
[CE2] vlan batch 10
[CE2-Vlanif10] quit
PE1 and PE2 to view VPN instance configuration. The PE devices can ping CE devices
attached to them.

Switches
NOTE
If a PE device has multiple interfaces bound to the same VPN instance, you need to specify a source IP
address when pinging the CE device connected to the remote PE device. To specify the source IP
address, set the -a source-ip-address parameter in the ping -vpn-instance vpn-instance-name -a source-
ip-address dest-ip-address command. If no source IP address is specified, the ping operation fails.
Step 4 Configure routing policies.

# Configure PE1.
[PE1] ip ip-prefix ipPrefix1 index 10 permit 192.168.1.0 24 greater-equal 24 less-
equal 32
[PE1] route-policy vpnroute permit node 1
[PE1-route-policy] if-match ip-prefix ipPrefix1
[PE1-route-policy] apply extcommunity rt 222:1
[PE1-route-policy] quit
[PE1-vpn-instance-vpna] export route-policy vpnroute
# Configure PE2.
[PE2] ip ip-prefix ipPrefix1 index 10 permit 192.168.2.0 24 greater-equal 24 less-
equal 32
[PE2] route-policy vpnroute permit node 1
[PE2-route-policy] if-match ip-prefix ipPrefix1
[PE2-route-policy] apply extcommunity rt 111:1
[PE2-route-policy] quit
[PE2-vpn-instance-vpna] export route-policy vpnroute
Step 5 Set up EBGP peer relationships between the PE and CE devices and import VPN routes.
# Configure CE1. The configuration of CE2 is similar to that of CE1, and is not mentioned
here.
[CE1] bgp 65410
[CE1-bgp] quit
# Configure PE1. The configuration of PE2 is similar to that of PE1, and is not mentioned
here.
[PE1] bgp 100
[PE1-bgp-vpna] quit
[PE1-bgp] quit
After the configuration is complete, run the display bgp vpnv4 vpn-instance vpna peer
command on PE1 and PE2. You can view that BGP peer relationships between PE and CE
devices have been established and are in the Established state.
Step 6 Set up an MP-IBGP peer relationship between PE1 and PE2.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] quit

Switches
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] quit
After the configuration is complete, run the display bgp peer or display bgp vpnv4 all peer
command on PE1 and PE2. You can view that the BGP peer relationships have been
established between the PE devices and are in the Established state.
# Run the ping -vpn-instance command on PE1 and PE2. You can successfully ping the CE
site that is attached to the peer PE device.
The display on PE1 is used as an example:
[PE1] ping -vpn-instance vpna 192.168.2.2

0.00% packet loss
----End
Configuration Files
#
sysname PE1
#
vlan batch 10 100
#
ipv4-family
export route-policy vpnroute
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif100
ip address 172.10.1.1 255.255.255.0
mpls
mpls ldp
#

Switches
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
import-route direct
peer 192.168.1.2 as-number 65410
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.10.1.0 0.0.0.255
#
route-policy vpnroute permit node 1
if-match ip-prefix ipPrefix1
apply extcommunity rt 222:1
#
ip ip-prefix ipPrefix1 index 10 permit 192.168.1.0 24 greater-equal 24 less-
equal 32
#
return
#
sysname PE2
#
vlan batch 10 100
#
ipv4-family
export route-policy vpnroute
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif100
ip address 172.10.1.2 255.255.255.0
mpls
mpls ldp
#

Switches

#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
import-route direct
peer 192.168.2.2 as-number 65420
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.10.1.0 0.0.0.255
#
route-policy vpnroute permit node 1
if-match ip-prefix ipPrefix1
apply extcommunity rt 111:1
#
ip ip-prefix ipPrefix1 index 10 permit 192.168.2.0 24 greater-equal 24 less-
equal 32
#
return
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
#
bgp 65410
#
ipv4-family unicast
import-route direct
#
return
Configuration file of CE2
#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.2.2 255.255.255.0

Switches
#
#
bgp 65420
#
ipv4-family unicast
import-route direct
#
return

S5700 S5700-HI V200R002C00,

V200R003C00,
V200R005(C00SPC500&C
01&C02)
S5710-EI V200R002C00,
V200R003C00,
V200R005(C00&C02)
S5710-HI V200R003C00,
V200R005(C00&C02&C03
)
S5720-EI V200R009C00,
V200R010C00,
V200R011C00,
V200R011C10,
V200R012C00,
V200R013C00,
V200R019C00,
V200R019C10
S5720-HI V200R007C10,
V200R009C00,
V200R010C00,
V200R011C00,
V200R011C10,
V200R012C00,
V200R013C00,
V200R019C00
S5730-HI V200R012C00,
V200R013C00,
V200R019C00,
V200R019C10

Switches
S5731-H V200R013C02,
V200R019C00,
V200R019C10
S5731S-H V200R019C00,
V200R019C10
S5732-H V200R019C00,
V200R019C10
S6700 S6700-EI V200R005(C00&C01)
S6720-EI V200R008C00,
V200R009C00,
V200R010C00,
V200R011C00,
V200R011C10,
V200R012C00,
V200R013C00,
V200R019C00,
V200R019C10
S6720S-EI V200R009C00,
V200R010C00,
V200R011C00,
V200R011C10,
V200R012C00,
V200R013C00,
V200R019C00,
V200R019C10
S6720-HI V200R012C00,
V200R013C00,
V200R019C00,
V200R019C10
S6730-H V200R013C02,
V200R019C00,
V200R019C10

Switches
S7700 S7703, S7706, S7712 V200R001(C00&C01),

V200R002C00,
V200R003C00,
V200R005C00,
V200R006C00,
V200R007C00,
V200R008C00,
V200R009C00,
V200R010C00,
V200R011C10,
V200R012C00,
V200R013C00,
V200R013C02,
V200R019C00,
V200R019C10
S7703 PoE V200R013C00,

V200R019C00,
V200R019C10
S7706 PoE V200R013C00,

V200R019C00,
V200R019C10
S9700 S9703, S9706, S9712 V200R001(C00&C01),

V200R002C00,
V200R003C00,
V200R005C00,
V200R006C00,
V200R007(C00&C10),
V200R008C00,
V200R009C00,
V200R010C00,
V200R011C10,
V200R012C00,
V200R013C00
9.2 Example for Connecting QinQ Termination Sub-

interfaces to a VLL Network
Overview
As a point-to-point (P2P) Layer 2 tunneling technology based on MPLS, VLL transparently
transmits Layer 2 data packets over the MPLS backbone network, so that geographically
isolated sites that belong to the same VLAN can communicate with each other.
After QinQ termination sub-interfaces are connected to a VLL network, the sub-interfaces on
devices terminate double VLAN tags before sending the packets to the VLL network.

Switches
QinQ termination sub-interfaces apply to scenarios where all the VLANs (such as VLAN 100
to VLAN 200) of one site need to communicate with a remote site over the VLL network or
VLAN resources of the public network need to be saved. In these scenarios, the switching
device deployed between the CE and PE devices adds the same outer VLAN tag to packets
carrying different inner VLAN tags from different CE devices. The sub-interface on the PE
device then terminates double VLAN tags in QinQ packets and sends the packets to the VLL
tunnel.
QinQ is an extension to MAN Ethernet VPN on the core VLL network. It can form an end-to-
end VPN solution to implement Layer 2 communication between geographically isolated
users.
Configuration Notes
l The SA series cards do not support the VLL function. The X1E series cards of
V200R007 and later versions support the VLL function.
l For applicable product models and versions, see Applicable Product Models and
Versions.
NOTE
For details about software mappings, visit Hardware Query Tool and search for the desired
product model.
As shown in Figure 9-6, CE1 and CE2 are connected to PE1 and PE2 respectively through
VLANs.
A Martini VLL is set up between CE1 and CE2.
Switch1 is connected to CE1 and PE1.
Switch2 is connected to CE2 and PE2.
You are required to configure selective QinQ on the interfaces connected to CEs so that the
Switch adds the VLAN tags specified by the carrier to the packets sent from CEs.
When the Switch is connected to multiple CEs, the Switch can add the same VLAN tag to the
packets from different CEs, thereby saving VLAN IDs on the public network.

Switches
Figure 9-6 Networking diagram for connecting QinQ termination sub-interfaces to a VLL
network
Loopback1 Loopback1 Loopback1
1.1.1.1/32 2.2.2.2/32 3.3.3.3/32
GE2/0/0 GE1/0/0
PE1 PE2
GE2/0/0 GE1/0/0
GE1/0/0 P GE2/0/0
GE2/0/0 GE2/0/0
Switch1 Switch2
GE1/0/0 GE1/0/0
GE1/0/0 GE1/0/0
CE1 CE2
Switch Interface VLANIF Interface IP Address
PE1 GigabitEthernet1/0/0 GigabitEthernet1/0/0.1 -
- GigabitEthernet2/0/0 VLANIF20 10.1.1.1/24
- Loopback1 - 1.1.1.1/32
PE2 GigabitEthernet1/0/0 VLANIF30 10.2.2.1/24
- GigabitEthernet2/0/0 GigabitEthernet2/0/0.1 -
- Loopback1 - 3.3.3.3/32
P GigabitEthernet1/0/0 VLANIF30 10.2.2.2/24
- GigabitEthernet2/0/0 VLANIF20 10.1.1.2/24
- Loopback1 - 2.2.2.2/32
CE1 GigabitEthernet1/0/0 VLANIF10 10.10.10.1/24
CE2 GigabitEthernet1/0/0 VLANIF10 10.10.10.2/24
1. Configure a routing protocol on devices (PE and P) of the backbone network to
implement interworking, and enable MPLS.
2. Use the default tunnel policy to create an LSP and configure the LSP for data
transmission.
3. Enable MPLS L2VPN and create VC connections on PEs.
4. Configure QinQ termination sub-interfaces on PE interfaces connected to the switches to
implement VLL access.

Switches
5. Configure selective QinQ on the switch interfaces connected to CEs.
Procedure
Step 1 Configure the VLANs to which interfaces of CEs, PEs, and P belong and assign IP addresses
to VLANIF interfaces according to Figure 9-6.
# Configure CE1 to ensure that packets sent from CE1 to Switch1 carry single VLAN tag.
[CE1] vlan batch 10
[CE1-Vlanif10] quit
# Configure CE2 to ensure that packets sent from CE2 to Switch2 carry single VLAN tag.
[CE2] vlan batch 10
[CE2-Vlanif10] quit
# Configure PE1.
[PE1] vlan batch 20
[PE1-GigabitEthernet2/0/0] port hybrid tagged vlan 20
[PE1-Vlanif20] quit
# Configure the P.
[HUAWEI] sysname P
[P-GigabitEthernet1/0/0] port link-type hybrid
[P-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[P-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[P-GigabitEthernet2/0/0] port hybrid tagged vlan 20
[P-Vlanif20] quit
[P-Vlanif30] quit

Switches
# Configure PE2.
[PE2] vlan batch 30
[PE2-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[PE2-Vlanif30] quit
Step 2 Configure selective QinQ on interfaces of the Switch and specify the VLANs allowed by the
interfaces.
# Configure Switch1.
[HUAWEI] sysname Switch1
[Switch1] vlan 100
[Switch1-vlan100] quit
[Switch1] interface gigabitethernet2/0/0
[Switch1-GigabitEthernet2/0/0] port link-type hybrid
[Switch1-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch1-GigabitEthernet2/0/0] quit
[Switch1-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch1-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100 //On a
fixed switch, first run the qinq vlan-translation enable command to enable VLAN
translation.
[Switch2] vlan 100
[Switch2-vlan100] quit
[Switch2-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch2-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch2-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100 //On a
fixed switch, first run the qinq vlan-translation enable command to enable VLAN
translation.
Step 3 Configure an IGP on the MPLS backbone network. OSPF is used as an example.
Configure PE1, P, and PE2 to advertise 32-bit loopback interface addresses as the LSR IDs.
# Configure PE1.
[PE1] router id 1.1.1.1
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1] quit

Switches
# Configure the P.
[P] router id 2.2.2.2
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1] quit
# Configure PE2.
[PE2] router id 3.3.3.3
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
# After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor
relationships. Run the display ospf peer command. You can see that the OSPF neighbor
relationship status is Full. Run the display ip routing-table command. You can see that the
PEs learn the route to the Loopback1 interface of each other. The display on PE1 is used as an
example:

Neighbors

DR: 10.1.1.2 BDR: 10.1.1.1 MTU: 0
instance
------------------------------------------------------------------------------

2.2.2.2/32 OSPF 10 1 D 10.1.1.2 Vlanif20
3.3.3.3/32 OSPF 10 2 D 10.1.1.2 Vlanif20
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif20
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
10.2.2.0/24 OSPF 10 2 D 10.1.1.2 Vlanif20
Step 4 Enable basic MPLS functions and MPLS LDP on the MPLS backbone network.
# Configure PE1.
[PE1] mpls

Switches
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif20] mpls
[PE1-Vlanif20] quit
# Configure the P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif20] mpls
[P-Vlanif20] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif30] mpls
[PE2-Vlanif30] quit
Step 5 Set up a remote LDP session between PEs.

# Configure PE1.
[PE1] mpls ldp remote-peer 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] remote-ip 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit
After the configuration is complete, run the display mpls ldp session command on PE1 to
view the LDP session setup. You can see that an LDP session is set up between PE1 and PE2.

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 6 Enable MPLS L2VPN on PEs and set up VC connections.

Switches
# On PE1, create a VC connection on gigabitethernet1/0/0.1 connected to Switch1.

[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1] vcmp role silent
[PE1] interface gigabitethernet1/0/0
[PE1] interface gigabitethernet1/0/0.1
[PE1-GigabitEthernet1/0/0.1] qinq termination pe-vid 100 ce-vid 10
[PE1-GigabitEthernet1/0/0.1] mpls l2vc 3.3.3.3 101
[PE1-GigabitEthernet1/0/0.1] quit
# On PE2, create a VC connection on gigabitethernet2/0/0.1 connected to Switch2.

[PE2] mpls l2vpn
[PE2-l2vpn] quit
[PE2] interface gigabitethernet2/0/0
[PE2] interface gigabitethernet2/0/0.1
[PE2-GigabitEthernet2/0/0.1] mpls l2vc 1.1.1.1 101

Check the L2VPN connections on PEs. You can see that an L2VC connection has been set up
and is in Up state.
[PE1] display mpls l2vc interface gigabitethernet1/0/0.1
*client interface : GigabitEthernet1/0/0.1 is up
Administrator PW : no
session state : up
AC status : up
Ignore AC state : disable
VC state : up
Ignore AC state : disable
Label state : 0
Token state : 0
VC ID : 101
VC type : VLAN
destination : 3.3.3.3
local group ID : 0 remote group ID : 0
local VC label : 23552 remote VC label : 23552
local AC OAM State : up
local PSN OAM State : up
local forwarding state : forwarding
local status code : 0x0
remote AC OAM state : up
remote PSN OAM state : up
remote forwarding state: forwarding
remote status code : 0x0
ignore standby state : no
BFD for PW : unavailable
VCCV State : up
manual fault : not set
active state : active
forwarding entry : exist
link state : up
local VC MTU : 1500 remote VC MTU : 1500
local VCCV : alert ttl lsp-ping bfd
remote VCCV : alert ttl lsp-ping bfd
local control word : disable remote control word : disable
tunnel policy name : --
PW template name : --

Switches
primary or secondary : primary

load balance type : flow
Access-port : false
Switchover Flag : false
VC tunnel/token info : 1 tunnels/tokens
NO.0 TNL type : lsp , TNL ID : 0x10031
Backup TNL type : lsp , TNL ID : 0x0
create time : 1 days, 22 hours, 15 minutes, 9 seconds
up time : 0 days, 22 hours, 54 minutes, 57 seconds
last change time : 0 days, 22 hours, 54 minutes, 57 seconds
VC last up time : 2010/10/09 19:26:37
VC total up time : 1 days, 20 hours, 42 minutes, 30 seconds
CKey : 8
NKey : 3
PW redundancy mode : frr
AdminPw interface : --
AdminPw link state : --
Diffserv Mode : uniform
Service Class : be
Color : --
DomainId : --
Domain Name : --
CE1 and CE2 can ping each other.

The display on CE1 is used as an example:
[CE1] ping 10.10.10.2

0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
#
return
l Configuration file of Switch1

#
sysname Switch1
#
vlan batch 100
#

Switches

port vlan-stacking vlan 10 stack-vlan 100
#
port hybrid tagged vlan 100
#
return
#
sysname PE1
#
router id 1.1.1.1
#
vcmp role silent
#
vlan batch 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer 3.3.3.3
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0 port link-type hybrid
#
interface GigabitEthernet1/0/0.1
qinq termination pe-vid 100 ce-vid 10
mpls l2vc 3.3.3.3 101
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
l Configuration file of the P
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0

Switches
mpls
mpls ldp
#
interface Vlanif30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role silent
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.1
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
#
interface GigabitEthernet2/0/0 port link-type hybrid
#
mpls l2vc 1.1.1.1 101
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0

Switches
network 3.3.3.3 0.0.0.0

network 10.2.2.0 0.0.0.255
#
return

#
sysname Switch2
#
vlan batch 100
#
#
#
return

#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
#
return
Applicable Product Models and Versions
Table 9-5 Applicable product models and versions
S5700 S5700-HI V200R002C00, V200R003C00,

V200R005(C00SPC500&C01&C02)
S5710-EI V200R002C00, V200R003C00,

V200R005(C00&C02)
S5720-EI V200R009C00, V200R010C00,

V200R011C00, V200R011C10,
V200R012C00, V200R013C00,
V200R019C00, V200R019C10
S5710-HI V200R003C00,
V200R005(C00&C02&C03)
S5720-HI V200R007C10, V200R009C00,

V200R010C00, V200R011C00,
V200R011C10, V200R012C00,
V200R013C00, V200R019C00

Switches
S5730-HI V200R012C00, V200R013C00,

V200R019C00, V200R019C10
S5731-H V200R013C02, V200R019C00,

V200R019C10
S5731-S, S5731S-S V200R019C00, V200R019C10
S5731S-H V200R019C00, V200R019C10
S5732-H V200R019C00, V200R019C10
S6700 S6700-EI V200R005(C00&C01)
S6720-EI V200R008C00, V200R009C00,

V200R010C00, V200R011C00,
V200R011C10, V200R012C00,
V200R013C00, V200R019C00,
V200R019C10
S6720S-EI V200R009C00, V200R010C00,

V200R011C00, V200R011C10,
V200R012C00, V200R013C00,
V200R019C00, V200R019C10
S6720-HI V200R012C00, V200R013C00,

V200R019C00, V200R019C10
S6730-H V200R013C02, V200R019C00,

V200R019C10
S6730-S, S6730S-S V200R019C00, V200R019C10
S7700 S7703, S7706, S7712 V200R001(C00&C01), V200R002C00,

V200R003C00, V200R005C00,
V200R006C00, V200R007C00,
V200R008C00, V200R009C00,
V200R010C00, V200R011C10,
V200R012C00, V200R013C00,
V200R013C02, V200R019C00,
V200R019C10
S7703 PoE V200R013C00, V200R019C00,

V200R019C10
S7706 PoE V200R013C00, V200R019C00,

V200R019C10
S9700 S9703, S9706, S9712 V200R001(C00&C01), V200R002C00,

V200R003C00, V200R005C00,
V200R006C00, V200R007(C00&C10),
V200R008C00, V200R009C00,
V200R010C00, V200R011C10,
V200R012C00, V200R013C00

Switches
9.3 Example for Deploying BGP/MPLS IP VPN and VPLS

on One ISP Network
Overview
extended, and is suitable for deployment on a large scale. To add a new site, the network
administrator only needs to modify the configuration of the edge nodes serving the new site.
BGP/MPLS IP VPN is suitable for communication between the headquarters and branches in
different locations. As communication data needs to traverse the backbone network of the ISP,
BGP is used to advertise VPN routes over the backbone network and MPLS is used to
forward VPN packets on the backbone network. As different departments of an enterprise
need to be isolated, BGP/MPLS IP VPN can isolate route, address space, and access between
different VPNs.
VPLS integrates the advantages provided by Ethernet and MPLS. By emulating traditional
LAN functions, VPLS enables users who are far apart and on different Ethernet LANs to
communicate with each other over the IP/MPLS network provided by the ISP as if they were
on the same LAN.
As enterprises set up more and more branches in different regions and office flexibility
increases, applications such as instant messaging and teleconferencing are increasingly widely
used. This imposes high requirements for end-to-end (E2E) datacom technologies. Multiple
enterprise branches distributed in different regions need to communicate over the
metropolitan area network (MAN) provided by the ISP. Layer 2 service packets between
enterprise branches need to be transmitted over the MAN using the VPLS technology, so that
the enterprise branches in different regions can communicate with each other.
The ISP can use the same PE device to provide VPLS and L3VPN services for enterprises to
reduce the network construction costs.
Configuration Notes
l The SA series cards cannot be used in this example. The X1E series cards of V200R007
and later versions can be used in this example.
NOTE
model.
As shown in Figure 9-7:
l An ISP provides both VPLS and L3VPN services.
l CE1 connected to the headquarters of enterprise A and CE3 connected to a branch
belong to the same VPLS to provide Layer 2 services. CE1 and CE3 are bound to vpna
to implement secure transmission of Layer 3 data.

Switches
l CE2 connected to the headquarters of enterprise B and CE4 connected to a branch

belong to the same VPLS to provide Layer 2 services. CE2 and CE3 are bound to vpna
to implement secure transmission of Layer 3 data.
l Selective QinQ needs to be configured on CE-side interfaces on switches to add outer
VLAN tags specified by the ISP to the packets sent from CE devices. If a switch
connects to multiple CE devices, it can add the same VLAN tag to packets from different
CE devices. This saves VLAN IDs on the ISP network.
Figure 9-7 Networking for deploying BGP/MPLS IP VPN and VPLS on one ISP network
AS: 65410 VSI1 VSI1 AS: 65430

vpna vpna
GE1/0/0 GE1/0/0
VLANIF10 CE1 VLANIF10 CE3
10.1.1.1/24 10.3.1.1/24
Loopback1
2.2.2.9/32
GE1/0/0 GE1/0/0 GE2/0/0 GE1/0/0
PE1 VLANIF30 VLANIF60 PE2
Loopback1 172.1.1.2/24 172.2.1.1/24 Loopback1
1.1.1.9/32 GE3/0/0 3.3.3.9/32
GE3/0/0
VLANIF30 P VLANIF60
GE2/0/0 172.1.1.1/24 172.2.1.2/24 GE2/0/0
AS: 100
VPN backbone
GE2/0/0 GE2/0/0
Switch1 Switch2
GE1/0/0 GE1/0/0
GE1/0/0 GE1/0/0
CE2 VLANIF20 VLANIF20 CE4
10.2.1.1/24 10.4.1.1/24
vpnb vpnb
VSI2 VSI2
AS: 65420 AS: 65440
Data Plan
Device Interface Sub-interface IP Address
PE1 GigabitEthernet1/0/0 GigabitEthernet1/0/0.1 10.1.1.2/24

Switches
Device Interface Sub-interface IP Address
1. Configure OSPF between the P and PE devices to ensure IP connectivity on the
backbone network.
2. Enable basic MPLS capabilities and MPLS LDP on the P and PE devices to set up
MPLS LSP tunnels for VPN data transmission on the backbone network.
3. Configure MP-IBGP on PE1 and PE2 to enable them to exchange VPN routing
information.
4. Configure BGP/MPLS IP VPN. Configure L3VPN instances vpna and vpnb on PE1 and
PE2. Set the VPN target of vpna to 111:1 and the VPN target of vpnb to 222:2. This
configuration allows users in the same VPN to communicate with each other and isolates
users of different VPNs. Configure dot1q termination sub-interfaces for single-tagged
packets sent from CE1 and CE3. Configure QinQ termination sub-interfaces for double-
tagged packets sent from CE2 and CE4.
5. Configure the VPLS service. Create VPLS VSI instances on PE1 and PE2. In each VSI
instance, specify BGP as the signaling protocol, and set the RD, VPN target and site.
Bind sub-interfaces to VSI instances so that the sub-interfaces function as AC interfaces
to provide access for VPLS users. Configure dot1q termination sub-interfaces for single-
tagged packets sent from CE1 and CE3. Configure QinQ termination sub-interfaces for
double-tagged packets sent from CE2 and CE4.
6. Configure selective QinQ on CE-side interfaces of the switches and specify the VLANs
allowed by the interfaces.
7. Set up EBGP peer relationships between the CE and PE devices so that they can
Procedure
Step 1 Configure an IGP protocol on the MPLS backbone network so that the PE and P devices can
communicate with each other.
# Configure PE1.
[PE1] vlan batch 30

Switches
[PE1-Vlanif30] quit
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure the P.
[HUAWEI] sysname P
[P-LoopBack1] quit
[P-GigabitEthernet1/0/0] port hybrid untagged vlan 30
[P-GigabitEthernet2/0/0] port hybrid untagged vlan 60
[P-Vlanif30] quit
[P-Vlanif60] quit
[P] ospf 1 router-id 2.2.2.9
[P-ospf-1] area 0
[P-ospf-1] quit
# Configure PE2.
[PE2] vlan batch 60
[PE2-Vlanif60] quit
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
After the configuration is complete, OSPF neighbor relationships can be set up between PE1,
P, and PE2. Run the display ospf peer command on PE1, P, and PE2, and you can view that

Switches
the neighbor status is Full. Run the display ip routing-table command on PE1 and PE2, and
you can view that PE1 and PE2 have learned the routes to each other's Loopback1 address.
------------------------------------------------------------------------------

2.2.2.9/32 OSPF 10 1 D 172.1.1.2 Vlanif30
3.3.3.9/32 OSPF 10 2 D 172.1.1.2 Vlanif30
172.1.1.0/24 Direct 0 0 D 172.1.1.1 Vlanif30
172.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif30
172.2.1.0/24 OSPF 10 2 D 172.1.1.2 Vlanif30

Neighbors

DR: 172.1.1.2 BDR: 172.1.1.1 MTU: 0
Step 2 Enable basic MPLS capabilities and MPLS LDP on the PE devices to set up LDP LSPs on the
MPLS backbone network.
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif30] mpls
[PE1-Vlanif30] quit
# Configure the P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
[P-Vlanif60] mpls
[P-Vlanif60] quit
# Configure PE2.
[PE2] mpls

Switches
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif60] mpls
[PE2-Vlanif60] quit
After the configuration is complete, LDP sessions are established between PE1 and the P and
between the P and PE2. Run the display mpls ldp session command on PE1, P, and PE2, and
you can view that the LDP session status is Operational. Run the display mpls ldp lsp
command, and you can view information about the established LDP LSPs.

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
[PE1] display mpls ldp lsp
LDP LSP Information

-------------------------------------------------------------------------------
Flag after Out IF: (I) - LSP Is Only Iterated by RLFA
-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
1.1.1.9/32 3/NULL 2.2.2.9 127.0.0.1 InLoop0
*1.1.1.9/32 Liberal/1025 DS/2.2.2.9
2.2.2.9/32 NULL/3 - 172.1.1.2 Vlanif30
2.2.2.9/32 1024/3 2.2.2.9 172.1.1.2 Vlanif30
3.3.3.9/32 NULL/1025 - 172.1.1.2 Vlanif30
3.3.3.9/32 1025/1025 2.2.2.9 172.1.1.2 Vlanif30
-------------------------------------------------------------------------------
TOTAL: 5 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is stale
A '*' before a DS means the session is stale
A '*' before a NextHop means the LSP is FRR LSP
Step 3 Configure L3VPN instances on the PE devices. Configure dot1q termination sub-interfaces
for single-tagged packets from vpna. Configure QinQ termination sub-interfaces for double-
tagged packets from vpnb. (Layer 3 service users are identified by VLAN 10 and VLAN 20,
and the PE devices use VLAN 10 and VLAN 100 to identify Layer 3 services.)
# Configure PE1.

Switches

[PE1] interface gigabitethernet 1/0/0.1
[PE1-GigabitEthernet1/0/0.1] dot1q termination vid 10
[PE1-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[PE1-GigabitEthernet1/0/0.1] ip address 10.1.1.2 24
[PE1-GigabitEthernet1/0/0.1] arp broadcast enable
[PE1-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb
# Configure PE2.
[PE2-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[PE2-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb
# Configure CE1 connecting to the headquarters of enterprise A. Configure IP addresses for

interfaces of CE2, CE3, and CE4 according to Figure 9-7. The configurations of CE2, CE3,
and CE4 are similar to the configuration of CE1, and are not mentioned here.
[CE1] vlan batch 10 to 11
[CE1-GigabitEthernet1/0/0] port hybrid tagged vlan 10 to 11
[CE1-Vlanif10] quit
PE1 and PE2 to view VPN instance configuration. The PE devices can ping CE devices
attached to them.

Switches
NOTE
If a PE device has multiple interfaces bound to the same VPN instance, you need to specify a source IP
address when pinging the CE device connected to the remote PE device. To specify the source IP
address, set the -a source-ip-address parameter in the ping -vpn-instance vpn-instance-name -a source-
ip-address dest-ip-address command. If no source IP address is specified, the ping operation fails.
The ping test from PE1 to CE1 is used as an example:

[PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 2
VPN-Instance Name and ID : vpna, 1

Interfaces : GigabitEthernet1/0/0.1
Address family ipv4
Create date : 2012/07/25 00:58:17 UTC+08:00
Log Interval : 5
VPN-Instance Name and ID : vpnb, 2

Interfaces : GigabitEthernet2/0/0.1
Address family ipv4
Create date : 2012/07/25 00:58:17 UTC+08:00
Log Interval : 5
[PE1] ping -vpn-instance vpnb 10.2.1.1

0.00% packet loss
Step 4 Create VPLS VSI instances on PE1 and PE2. In each VSI instance, specify BGP as the
signaling protocol, and set the RD, VPN target and site. Bind sub-interfaces to VSI instances
so that the sub-interfaces function as AC interfaces to provide access for VPLS users.
Configure dot1q termination sub-interfaces for single-tagged packets sent from CE1 and CE3.
Configure QinQ termination sub-interfaces for double-tagged packets sent from CE2 and
CE4. (The CE devices use VLAN 11 and VLAN 21 to identify Layer 2 service users, and the
PE devices use VLAN 11 and VLAN 200 to identify Layer 2 services.)
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1] vsi vsi1 auto
[PE1-vsi-vsi1] pwsignal bgp
[PE1-vsi-vsi1-bgp] route-distinguisher 101:1
[PE1-vsi-vsi1-bgp] vpn-target 100:1 import-extcommunity

Switches
[PE1-vsi-vsi1-bgp] vpn-target 100:1 export-extcommunity

[PE1-vsi-vsi1-bgp] site 1 range 5 default-offset 0
[PE1-vsi-vsi1-bgp] quit
[PE1-vsi-vsi1] quit
[PE1] vsi vsi2 auto
[PE1-vsi-vsi2] quit
[PE1-GigabitEthernet1/0/0.2] l2 binding vsi vsi1
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
[PE2] vsi vsi1 auto
[PE2-vsi-vsi1] quit
[PE2] vsi vsi2 auto
[PE2-vsi-vsi2] quit
Step 5 Set up EBGP peer relationships between the PE and CE devices and import L3VPN routes to
BGP.
# Configure CE1 connecting to the headquarters of enterprise A. The configurations of CE2,
CE3, and CE4 are similar to that of CE1, and are not mentioned here.
[CE1] bgp 65410
[CE1-bgp] quit
# Configure PE1. The configuration of PE2 is similar to that of PE1, and is not mentioned
here.
[PE1] bgp 100
[PE1-bgp-vpna] quit

Switches

[PE1-bgp-vpnb] quit
[PE1-bgp]quit
After the configuration is complete, run the display bgp vpnv4 vpn-instance vpn-instance-
name peer command on the PE devices. You can view that BGP peer relationships between
PE and CE devices have been established and are in the Established state.
The BGP peer relationship between PE1 and CE1 is used as an example:
[PE1] display bgp vpnv4 vpn-instance vpna peer


PrefRcv
10.1.1.1 4 65410 11 9 0 00:07:25 Established

1
Step 6 Set up an MP-IBGP peer relationship between PE1 and PE2.

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] vpls-family
[PE1-bgp-af-vpls] peer 3.3.3.9 enable
[PE1-bgp-af-vpls] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] vpls-family
[PE2-bgp-af-vpls] peer 1.1.1.9 enable
[PE2-bgp-af-vpls] quit
[PE2-bgp] quit
Step 7 Configure selective QinQ on CE-side interfaces of the switches and specify the VLANs
allowed by the interfaces.
[Switch1] vlan batch 100 200
[Switch1] interface gigabitethernet 2/0/0
[Switch1-GigabitEthernet2/0/0] port hybrid tagged vlan 100 200
[Switch1-GigabitEthernet1/0/0] port hybrid untagged vlan 100 200
[Switch1-GigabitEthernet1/0/0] port vlan-stacking vlan 20 stack-vlan 100

Switches

[Switch2] vlan batch 100 200
[Switch2-GigabitEthernet2/0/0] port hybrid tagged vlan 100 200
[Switch2-GigabitEthernet1/0/0] port hybrid untagged vlan 100 200

Run the display ip routing-table vpn-instance command on PE1 and PE2 to view the
L3VPN routes to the remote CE devices.
------------------------------------------------------------------------------

10.1.1.0/24 Direct 0 0 D 10.1.1.2
GigabitEthernet1/0/0.1
10.1.1.2/32 Direct 0 0 D 127.0.0.1
10.3.1.0/24 IBGP 255 0 RD 3.3.3.9
[PE1] display ip routing-table vpn-instance vpnb
------------------------------------------------------------------------------
Routing Tables: vpnb

10.2.1.0/24 Direct 0 0 D 10.2.1.2
10.2.1.2/32 Direct 0 0 D 127.0.0.1
10.4.1.0/24 IBGP 255 0 RD 3.3.3.9
CE devices in the same VPN instance can successfully ping each other, whereas CE devices
in different VPN instances cannot.
For example, CE1 connecting to the headquarters of enterprise A can successfully ping CE3
connecting to a branch at 10.3.1.1 but cannot ping CE4 connecting to the headquarters of
enterprise B at 10.4.1.1.
[CE1] ping 10.3.1.1

Switches
0.00% packet loss
[CE1] ping 10.4.1.1
Request time out
Request time out
Request time out
Request time out
Request time out
100.00% packet loss
Run the display vsi name vsi2 verbose command on PE1, and you can view that vsi2 has a
PW to PE2 and is in Up state.
[PE1] display vsi name vsi2 verbose
***VSI Name : vsi2

Administrator VSI : no
Isolate Spoken : disable
VSI Index : 1
PW Signaling : bgp
Member Discovery Style : auto
PW MAC Learn Style : unqualify
Encapsulation Type : vlan
MTU : 1500
Diffserv Mode : uniform
Mpls Exp : --
DomainId : 255
Domain Name :
Ignore AcState : disable
P2P VSI : disable
Create Time : 0 days, 0 hours, 22 minutes, 6 seconds
VSI State : up
BGP RD : 101:2
SiteID/Range/Offset : 1/5/0
Import vpn target : 200:1
Export vpn target : 200:1
Remote Label Block : 35845/5/0
Local Label Block : 0/35845/5/0
Interface Name : GigabitEthernet2/0/0.2

State : up
Access Port : false
Last Up Time : 2012/12/24 21:19:48
Total Up Time : 0 days, 0 hours, 20 minutes, 42 seconds
**PW Information:
*Peer Ip Address : 3.3.3.9

PW State : up
Local VC Label : 35847
Remote VC Label : 35846
PW Type : label
Local VCCV : alert lsp-ping bfd
Remote VCCV : alert lsp-ping bfd
Tunnel ID : 0x5
Broadcast Tunnel ID : 0x5
Broad BackupTunnel ID : 0x0
Ckey : 0xc
Nkey : 0xb
Main PW Token : 0x5
Slave PW Token : 0x0
Tnl Type : LSP
OutInterface : Vlanif30

Switches
Backup OutInterface :
Stp Enable : 0
PW Last Up Time : 2012/12/24 21:38:43
PW Total Up Time : 0 days, 0 hours, 1 minutes, 47 seconds
----End
Configuration Files
#
sysname PE1
#
vcmp role silent
#
vlan batch 30
#
ipv4-family
#
ipv4-family
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi vsi1 auto
pwsignal bgp
site 1 range 5 default-offset 0
#
vsi vsi2 auto
pwsignal bgp
#
mpls ldp
#
interface Vlanif30
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
dot1q termination vid 10
ip address 10.1.1.2 255.255.255.0
arp broadcast enable
#
l2 binding vsi vsi1
#

Switches
#
ip address 10.2.1.2 255.255.255.0
#
l2 binding vsi vsi2
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 3.3.3.9 enable
#
vpls-family
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
import-route direct
#
import-route direct
#
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
l Configuration file of the P device
#
sysname P
#
vlan batch 30 60
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif30
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
ip address 172.2.1.1 255.255.255.0

Switches
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
#
sysname PE2
#
vcmp role silent
#
vlan batch 60
#
ipv4-family
#
ipv4-family
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi vsi1 auto
pwsignal bgp
#
vsi vsi2 auto
pwsignal bgp
#
mpls ldp
#
interface Vlanif60
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#

Switches
#
ip address 10.3.1.2 255.255.255.0
#
l2 binding vsi vsi1
#
#
ip address 10.4.1.2 255.255.255.0
#
l2 binding vsi vsi2
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.9 enable
#
vpls-family
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
import-route direct
#
import-route direct
#
area 0.0.0.0
network 172.2.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return
l Configuration file of CE1 connecting to the headquarters of enterprise A
#
sysname CE1
#
vlan batch 10 to 11

Switches
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
port hybrid tagged vlan 10 to 11
#
bgp 65410
#
ipv4-family unicast
import-route direct
#
return
l Configuration file of CE2 connecting to the headquarters of enterprise B
#
sysname CE2
#
vlan batch 20 to 21
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
#
bgp 65420
#
ipv4-family unicast
import-route direct
#
return
l Configuration file of CE3 connecting to a branch of enterprise A
#
sysname CE3
#
vlan batch 10 to 11
#
interface Vlanif10
ip address 10.3.1.1 255.255.255.0
#
#
bgp 65430
#
ipv4-family unicast
import-route direct
#
return
l Configuration file of CE4 connecting to a branch of enterprise B
#
sysname CE4
#
vlan batch 20 to 21
#

Switches
interface Vlanif20
ip address 10.4.1.1 255.255.255.0
#
#
bgp 65440
#
ipv4-family unicast
import-route direct
#
return

#
sysname Switch1
#
vlan batch 100 200
#
port hybrid untagged vlan 100 200
#
port hybrid tagged vlan 100 200
#
return

#
sysname Switch2
#
vlan batch 100 200
#
port hybrid untagged vlan 100 200
#
port hybrid tagged vlan 100 200
#
return

S5700 S5700-HI V200R002C00,

V200R003C00,
V200R005(C00SPC500&C
01&C02)

Switches
S5710-EI V200R002C00,
V200R003C00,
V200R005(C00&C02)
S5710-HI V200R003C00,
V200R005(C00&C02&C03
)
S5720-EI V200R009C00,
V200R010C00,
V200R011C00,
V200R011C10,
V200R012C00,
V200R013C00,
V200R019C00,
V200R019C10
S5720-HI V200R007C10,
V200R009C00,
V200R010C00,
V200R011C00,
V200R011C10,
V200R012C00,
V200R013C00,
V200R019C00
S5730-HI V200R012C00,
V200R013C00,
V200R019C00,
V200R019C10
S5731-H V200R013C02,
V200R019C00,
V200R019C10
S5731S-H V200R019C00,
V200R019C10
S5732-H V200R019C00,
V200R019C10
S6700 S6700-EI V200R005(C00&C01)
S6720-EI V200R008C00,
V200R009C00,
V200R010C00,
V200R011C00,
V200R011C10,
V200R012C00,
V200R013C00,
V200R019C00,
V200R019C10

Switches
S6720S-EI V200R009C00,
V200R010C00,
V200R011C00,
V200R011C10,
V200R012C00,
V200R013C00,
V200R019C00,
V200R019C10
S6720-HI V200R012C00,
V200R013C00,
V200R019C00,
V200R019C10
S6730-H V200R013C02,
V200R019C00,
V200R019C10
S7700 S7703, S7706, S7712 V200R001(C00&C01),

V200R002C00,
V200R003C00,
V200R005C00,
V200R006C00,
V200R007C00,
V200R008C00,
V200R009C00,
V200R010C00,
V200R011C10,
V200R012C00,
V200R013C00,
V200R013C02,
V200R019C00,
V200R019C10
S7703 PoE V200R013C00,

V200R019C00,
V200R019C10
S7706 PoE V200R013C00,

V200R019C00,
V200R019C10

Switches
S9700 S9703, S9706, S9712 V200R001(C00&C01),

V200R002C00,
V200R003C00,
V200R005C00,
V200R006C00,
V200R007(C00&C10),
V200R008C00,
V200R009C00,
V200R010C00,
V200R011C10,
V200R012C00,
V200R013C00

01-09 Typical MPLS and VPN Configurations

Uploaded by

Copyright:

Available Formats

01-09 Typical MPLS and VPN Configurations

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

01-09 Typical MPLS and VPN Configurations

Uploaded by

Copyright:

Available Formats

S2700, S3700, S5700, S6700, S7700, and S9700 Series

9 Typical MPLS and VPN Configurations

9.1 Typical BGP/MPLS IP VPN Configurations

9.1 Typical BGP/MPLS IP VPN Configurations

9.1.1 Example for Configuring BGP/MPLS IP VPN

Issue 25 (2019-11-10) Copyright © Huawei Technologies Co., Ltd. 1118

Figure 9-1 Networking diagram for configuring BGP/MPLS IP VPN

AS: 65410 AS: 65430

Issue 25 (2019-11-10) Copyright © Huawei Technologies Co., Ltd. 1119

Issue 25 (2019-11-10) Copyright © Huawei Technologies Co., Ltd. 1120

Destination/Mask Proto Pre Cost Flags NextHop Interface

1.1.1.9/32 Direct 0 0 D 127.0.0.1 LoopBack1

OSPF Process 1 with Router ID 1.1.1.9

Area 0.0.0.0 interface 172.1.1.1(Vlanif30)'s neighbors

Issue 25 (2019-11-10) Copyright © Huawei Technologies Co., Ltd. 1121

[PE1] mpls lsr-id 1.1.1.9

LDP Session(s) in Public Network

[PE1] display mpls ldp lsp

LDP LSP Information

Issue 25 (2019-11-10) Copyright © Huawei Technologies Co., Ltd. 1122

3.3.3.9/32 NULL/1025 - 172.1.1.2 Vlanif30

Issue 25 (2019-11-10) Copyright © Huawei Technologies Co., Ltd. 1123

[CE1] interface vlanif 10

PE1 is used as an example.

VPN-Instance Name and ID : vpna, 1

VPN-Instance Name and ID : vpnb, 2

[PE1] ping -vpn-instance vpna 10.1.1.1

--- 10.1.1.1 ping statistics ---

Issue 25 (2019-11-10) Copyright © Huawei Technologies Co., Ltd. 1124

BGP local router ID : 1.1.1.9

Peer V AS MsgRcvd MsgSent OutQ Up/Down State

10.1.1.1 4 65410 11 9 0 00:07:25 Established

Step 5 Establish MP-IBGP peer relationships between PEs.

BGP local router ID : 1.1.1.9

Peer V AS MsgRcvd MsgSent OutQ Up/Down

Issue 25 (2019-11-10) Copyright © Huawei Technologies Co., Ltd. 1125

3.3.3.9 4 100 12 6 0 00:02:21

BGP local router ID : 1.1.1.9

Peer V AS MsgRcvd MsgSent OutQ Up/Down State

3.3.3.9 4 100 12 18 0 00:09:38 Established 0

VPN-Instance vpna, Router ID 1.1.1.9:

Step 6 Verify the configuration.

The information displayed on PE1 is used as an example.

Destination/Mask Proto Pre Cost Flags NextHop Interface

Destination/Mask Proto Pre Cost Flags NextHop Interface

Issue 25 (2019-11-10) Copyright © Huawei Technologies Co., Ltd. 1126

Issue 25 (2019-11-10) Copyright © Huawei Technologies Co., Ltd. 1127

ipv4-family vpn-instance vpnb

Issue 25 (2019-11-10) Copyright © Huawei Technologies Co., Ltd. 1128

Issue 25 (2019-11-10) Copyright © Huawei Technologies Co., Ltd. 1129

port trunk allow-pass vlan 10

Issue 25 (2019-11-10) Copyright © Huawei Technologies Co., Ltd. 1130

Applicable products and versions

Table 9-1 Applicable products and versions

S5700 S5700-HI V200R002C00,

Issue 25 (2019-11-10) Copyright © Huawei Technologies Co., Ltd. 1131

Product Product Model Software Version

S6700 S6700-EI V200R005(C00&C01)

S7700 S7703, S7706, S7712 V200R001(C00&C01),