HP 10500 series User manual
HP 10500 Switch Series
MPLS
Configuration Guide
Part number: 5998-2212
Software version: Release 1201 and later
Document version: 6W102-20130530
Legal and notice information
© Copyright 2013 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without
prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained
herein or for incidental or consequential damages in connection with the furnishing, performance, or
use of this material.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained
herein.
i
Contents
Configuring MCE ························································································································································· 1
Overview············································································································································································1
MPLS L3VPN overview·············································································································································1
MPLS L3VPN concepts ·············································································································································2
Multi-VPN-instance CE ·············································································································································4
Using MCE in tunneling applications·····················································································································5
Configuring routing on an MCE······································································································································6
Route exchange between an MCE and a VPN site······························································································6
Route exchange between an MCE and a PE ········································································································8
Configuring VPN instances ··············································································································································8
Creating a VPN instance·········································································································································8
Associating a VPN instance with an interface ······································································································9
Configuring route-related attributes of a VPN instance························································································9
Configuring routing on an MCE··································································································································· 10
Configuring routing between MCE and VPN site······························································································ 10
Configuring routing between MCE and PE ········································································································ 15
Resetting BGP connections ············································································································································ 19
Displaying and maintaining MCE································································································································ 20
MCE configuration examples ······································································································································· 21
Using OSPF to advertise VPN routes to the PE··································································································· 21
Using BGP to advertise VPN routes to the PE····································································································· 26
Using tunnels to advertise VPN routes ················································································································ 29
Configuring IPv6 MCE···············································································································································36
Overview········································································································································································· 36
Configuring VPN instances ··········································································································································· 36
Creating a VPN instance······································································································································ 36
Associating a VPN instance with an interface ··································································································· 36
Configuring route attributes for a VPN instance ································································································ 37
Configuring routing on an IPv6 MCE ·························································································································· 38
Configuring routing between IPv6 MCE and VPN site ····················································································· 38
Configuring routing between IPv6 MCE and PE································································································ 42
Resetting IPv6 BGP connections···································································································································· 45
Displaying information about IPv6 MCE ····················································································································· 45
IPv6 MCE configuration example································································································································· 46
Configuring basic MPLS ············································································································································52
MPLS overview ······························································································································································· 52
Basic concepts ······················································································································································· 52
MPLS network structure ········································································································································· 54
LSP establishment and label distribution ············································································································· 54
MPLS forwarding ··················································································································································· 57
LDP ·········································································································································································· 58
Protocols ································································································································································· 60
MPLS configuration task list··········································································································································· 60
Enabling the MPLS function··········································································································································· 61
Configuring a static LSP ················································································································································ 62
Establishing dynamic LSPs through LDP······················································································································· 63
Configuring MPLS LDP capability ························································································································ 63
Configuring local LDP session parameters ········································································································· 63
ii
Configuring remote LDP session parameters ······································································································ 64
Configuring PHP ···················································································································································· 65
Configuring the policy for triggering LSP establishment ··················································································· 65
Configuring the label distribution control mode ································································································ 66
Configuring LDP loop detection ··························································································································· 67
Configuring LDP MD5 authentication·················································································································· 68
Configuring LDP label filtering ····························································································································· 68
Configuring a DSCP for outgoing LDP packets·································································································· 69
Maintaining LDP sessions ·············································································································································· 70
Configuring BFD for MPLS LDP ···························································································································· 70
Resetting LDP sessions··········································································································································· 70
Managing and optimizing MPLS forwarding ············································································································· 70
Configuring a TTL processing mode for an LSR ································································································· 71
Sending back ICMP TTL exceeded messages for MPLS TTL expired packets ················································· 72
Configuring LDP GR ·············································································································································· 73
Configuring LDP NSR············································································································································ 75
Configuring MPLS statistics collection·························································································································· 75
Inspecting LSPs ······························································································································································· 75
Configuring MPLS LSP ping·································································································································· 76
Configuring MPLS LSP tracert······························································································································· 76
Configuring BFD for LSPs······································································································································ 76
Configuring periodic LSP tracert·························································································································· 77
Enabling MPLS trap························································································································································ 78
Displaying and maintaining MPLS ······························································································································· 78
Displaying MPLS operation ·································································································································· 78
Displaying MPLS LDP operation··························································································································· 80
Clearing MPLS statistics ········································································································································ 81
MPLS configuration examples······································································································································· 81
Configuring static LSPs·········································································································································· 81
Configuring LDP to establish LSPs dynamically·································································································· 84
Configuring BFD for LSPs······································································································································ 88
Configuring MPLS TE ·················································································································································90
MPLS TE overview ·························································································································································· 90
Basic concepts ······················································································································································· 91
MPLS TE implementation······································································································································· 91
CR-LSP····································································································································································· 92
RSVP-TE··································································································································································· 93
Traffic forwarding·················································································································································· 97
CR-LSP backup ······················································································································································· 98
FRR ·········································································································································································· 98
PS for an MPLS TE tunnel····································································································································100
Protocols and standards ·····································································································································100
MPLS TE configuration task list ···································································································································101
Configuring basic MPLS TE·········································································································································101
Creating an MPLS TE tunnel over a static CR-LSP·····································································································102
Configuring an MPLS TE tunnel with a dynamic signaling protocol·······································································103
Configuration prerequisites ································································································································103
Configuration procedure ····································································································································104
Configuring RSVP-TE advanced features ···················································································································107
Configuring RSVP reservation style ···················································································································107
Configuring RSVP state timers····························································································································108
Configuring the RSVP refresh mechanism·········································································································108
Configuring the RSVP hello extension ···············································································································109
Configuring RSVP-TE resource reservation confirmation ·················································································109
iii
Configuring RSVP authentication·······················································································································110
Configuring DSCP for outgoing RSVP packets·································································································110
Configuring RSVP-TE GR·····································································································································110
Tuning CR-LSP setup·····················································································································································111
Configuring route pinning ··································································································································111
Configuring administrative group and affinity attribute··················································································111
Configuring CR-LSP reoptimization····················································································································112
Tuning MPLS TE tunnel setup·······································································································································113
Configuring loop detection ································································································································113
Configuring route and label recording ·············································································································113
Configuring tunnel setup retry····························································································································113
Assigning priorities to a tunnel ··························································································································114
Configuring traffic forwarding····································································································································114
Forwarding traffic along MPLS TE tunnels using static routes·········································································114
Forwarding traffic along MPLS TE tunnels through automatic route advertisement······································115
Configuring traffic forwarding tuning parameters····································································································116
Configuring the failed link timer ························································································································116
Specifying the link metric type for tunnel path calculation ·············································································117
Configuring the traffic flow type of a tunnel·····································································································117
Configuring CR-LSP backup ········································································································································117
Configuring FRR ···························································································································································118
Enabling FRR on the ingress node of a protected LSP·····················································································118
Configuring a bypass tunnel on its PLR·············································································································119
Configuring node protection ······························································································································120
Configuring the FRR polling timer······················································································································120
Inspecting an MPLS TE tunnel ·····································································································································121
Configuring MPLS LSP ping································································································································121
Configuring MPLS LSP tracert·····························································································································121
Configuring BFD for an MPLS TE tunnel············································································································121
Configuring periodic LSP tracert for an MPLS TE tunnel ·················································································123
Configuring protection switching ·······························································································································124
Displaying and maintaining MPLS TE ························································································································124
Configuring MPLS TE examples··································································································································127
MPLS TE using static CR-LSP configuration example························································································127
MPLS TE using RSVP-TE configuration example ·······························································································132
RSVP-TE GR configuration example···················································································································138
MPLS RSVP-TE and BFD cooperation configuration example·········································································140
CR-LSP backup configuration example ·············································································································142
FRR configuration example·································································································································145
MPLS TE in MPLS L3VPN configuration example·····························································································154
Troubleshooting MPLS TE ············································································································································162
No TE LSA generated ·········································································································································162
Configuring VPLS ···················································································································································· 163
VPLS overview ······························································································································································163
Basic VPLS concepts············································································································································163
MAC address learning and flooding ················································································································164
VPLS loop avoidance ··········································································································································165
VPLS packet encapsulation·································································································································166
H-VPLS implementation ·······································································································································166
VPLS configuration task list··········································································································································168
Enabling L2VPN and MPLS L2VPN····························································································································169
Configuring LDP VPLS ··················································································································································169
Configuring an LDP VPLS instance·····················································································································169
Configuring BGP VPLS·················································································································································170
iv
Configuring the BGP extension··························································································································171
Configuring a BGP VPLS instance ·····················································································································171
Resetting VPLS BGP connections························································································································171
Binding a service instance with a VPLS instance ······································································································172
Configuring MAC address learning···························································································································172
Configuring VPLS instance attributes··························································································································172
Displaying and maintaining VPLS ······························································································································173
VPLS configuration examples······································································································································174
Binding service instances with VPLS instances ·································································································175
Configuring PW redundancy for H-VPLS access······························································································179
Configuring BFD for the primary link in an H-VPLS network···········································································183
Troubleshooting VPLS···················································································································································188
Configuring MPLS L2VPN······································································································································· 190
MPLS L2VPN overview ················································································································································190
Basic concepts ·····················································································································································190
MPLS L2VPN network models ····························································································································191
Remote connection operation ····························································································································191
Implementation of MPLS L2VPN·························································································································193
VC encapsulations types·····································································································································198
MPLS L2VPN configuration task list····························································································································198
Configuring basic MPLS L2VPN ·································································································································199
Configuring a PE-CE interface ····································································································································199
Configuring Ethernet encapsulation ··················································································································199
Configuring VLAN encapsulation······················································································································200
Configuring CCC MPLS L2VPN··································································································································200
Configuring SVC MPLS L2VPN···································································································································201
Configuring Martini MPLS L2VPN ······························································································································201
Configuring the remote peer······························································································································202
Creating a Martini VC on a Layer 3 interface·································································································202
Creating a Martini VC for a service instance ··································································································202
Inspecting VCs through MPLS LSP ping·············································································································204
Configuring Kompella MPLS L2VPN ··························································································································204
Configuring BGP L2VPN capability ··················································································································204
Creating and configuring MPLS L2VPN············································································································205
Creating a CE connection ··································································································································205
Resetting L2VPN BGP sessions···························································································································207
Displaying and maintaining MPLS L2VPN ················································································································207
MPLS L2VPN configuration examples························································································································209
Configuring a remote CCC connection ············································································································209
Configuring SVC MPLS L2VPN ··························································································································212
Configuring Martini MPLS L2VPN ·····················································································································216
Configuring Kompella MPLS L2VPN ·················································································································220
Configuring a VC for a service instance ··········································································································222
Troubleshooting MPLS L2VPN·····································································································································227
Configuring MPLS L3VPN······································································································································· 228
MPLS L3VPN overview ················································································································································228
MPLS L3VPN concepts ········································································································································229
MPLS L3VPN packet forwarding························································································································231
MPLS L3VPN networking schemes·····················································································································232
MPLS L3VPN routing information advertisement······························································································235
Inter-AS VPN ························································································································································236
Carrier's carrier ···················································································································································239
Nested VPN ·························································································································································241
v
HoVPN··································································································································································243
OSPF VPN extension···········································································································································245
BGP AS number substitution and SoO··············································································································247
MPLS L3VPN configuration task list····························································································································248
Configuring basic MPLS L3VPN ·································································································································248
Configuring VPN instances ································································································································249
Configuring routing between PE and CE··········································································································253
Configuring routing between PEs ······················································································································259
Configuring routing features for BGP VPNv4 subaddress family ··································································259
Configuring inter-AS VPN ···········································································································································262
Configuring inter-AS option A····························································································································262
Configuring inter-AS option B ····························································································································263
Configuring inter-AS option C····························································································································264
Configuring nested VPN··············································································································································265
Configuration restrictions and guidelines ·········································································································266
Configuration procedure ····································································································································266
Configuring HoVPN·····················································································································································267
Configuring an OSPF sham link ·································································································································267
Configuring a loopback interface ·····················································································································268
Redistributing the loopback interface route and OSPF routes into BGP························································268
Creating a sham link···········································································································································268
Configuring BGP AS number substitution and SoO·································································································269
Resetting BGP connections ··········································································································································270
Displaying and maintaining MPLS L3VPN ················································································································270
MPLS L3VPN configuration examples························································································································273
Configuring MPLS L3VPNs using EBGP between PE and CE·········································································273
Configuring MPLS L3VPNs using IBGP between PE and CE ··········································································280
Configuring a hub-spoke network ·····················································································································287
Configuring inter-AS option A····························································································································295
Configuring inter-AS option B ····························································································································300
Configuring inter-AS option C····························································································································305
Configuring carrier's carrier ······························································································································311
Configuring nested VPN·····································································································································318
Configuring HoVPN ············································································································································328
Configuring OSPF sham links ····························································································································334
Configuring BGP AS number substitution ·········································································································339
Configuring BGP AS number substitution and SoO ························································································343
Configuring IPv6 MPLS L3VPN ······························································································································ 346
Overview·······································································································································································346
IPv6 MPLS L3VPN packet forwarding ···············································································································347
IPv6 MPLS L3VPN routing information advertisement ·····················································································347
IPv6 MPLS L3VPN network schemes and functions··························································································348
IPv6 MPLS L3VPN configuration task list ···················································································································348
Configuring basic IPv6 MPLS L3VPN·························································································································348
Configuring VPN instances ································································································································349
Configuring route related attributes for a VPN instance·················································································350
Configuring routing between PE and CE··········································································································352
Configuring routing between PEs ······················································································································355
Configuring routing features for the BGP-VPNv6 subaddress family·····························································356
Configuring inter-AS IPv6 VPN···································································································································357
Configuring inter-AS IPv6 VPN option A ··········································································································358
Configuring inter-AS IPv6 VPN option C ··········································································································358
Resetting IPv6 BGP connections··································································································································359
Displaying information about IPv6 MPLS L3VPN······································································································359
vi
IPv6 MPLS L3VPN configuration examples ···············································································································360
Configuring IPv6 MPLS L3VPNs·························································································································361
Configuring inter-AS IPv6 VPN option A ··········································································································368
Configuring inter-AS IPv6 VPN option C ··········································································································373
Configuring carrier's carrier ······························································································································380
Support and other resources ·································································································································· 388
Contacting HP ······························································································································································388
Subscription service ············································································································································388
Related information······················································································································································388
Documents····························································································································································388
Websites·······························································································································································388
Conventions ··································································································································································389
Index ········································································································································································ 391
1
Configuring MCE
The term "router" in this chapter refers to both routers and Layer 3 switches.
This chapter covers only MCE-related configuration. For information about routing protocols, see Layer
3—IP Services Configuration Guide.
The term "Layer 3 interface" in this chapter refers to route-mode (or Layer 3) Ethernet ports. You can set
an Ethernet port to operate in route mode by using the port link-mode route command (see Layer
2—LAN Switching Configuration Guide).
Overview
This section describes the basic MPLS L3VPN information that is important to understand the
Multi-VPN-Instance CE (MCE) feature, and the MCE specific information.
MPLS L3VPN overview
MPLS L3VPN is a type of PE-based L3VPN technology for service provider VPN solutions. It uses BGP to
advertise VPN routes and uses MPLS to forward VPN packets on service provider backbones.
MPLS L3VPN provides flexible networking modes, excellent scalability, and convenient support for MPLS
QoS and MPLS TE.
The MPLS L3VPN model consists of the following device types:
•Customer edge (CE) device—A CE resides on a customer network and has one or more interfaces
directly connected with service provider networks. It can be a router, a switch, or a host. It can
neither "sense" the existence of any VPN nor does it need to support MPLS.
•Provider edge (PE) device—A PE resides on a service provider network and connects one or more
CEs to the network. On an MPLS network, all VPN processing occurs on the PEs.
•Provider (P) device—A P device is a core device on a service provider network. It is not directly
connected with any CE. It only needs to be equipped with basic MPLS forwarding capability.
2
Figure 1 Network diagram for MPLS L3VPN model
CEs and PEs mark the boundary between the service providers and the customers.
After a CE establishes adjacency with a directly connected PE, it advertises its VPN routes to the PE and
learns remote VPN routes from the PE. A CE and a PE use BGP/IGP to exchange routing information. You
can also configure static routes between them.
After a PE learns the VPN routing information of a CE, it uses BGP to exchange VPN routing information
with other PEs. A PE maintains routing information about only VPNs that are directly connected, rather
than all VPN routing information on the provider network.
A P router maintains only routes to PEs and does not deal with VPN routing information.
When VPN traffic travels over the MPLS backbone, the ingress PE functions as the ingress LSR, the egress
PE functions as the egress LSR, and P routers function as the transit LSRs.
MPLS L3VPN concepts
This section describes concepts for MPLS L3VPN.
Site
Sites are often mentioned in the VPN. A site has the following features:
•A site is a group of IP systems with IP connectivity that does not rely on any service provider network
to implement.
•The classification of a site depends on the topology relationship of the devices, rather than the
geographical positions, though the devices at a site are, in most cases, adjacent to each other
geographically.
•The devices at a site can belong to multiple VPNs.
•A site is connected to a provider network through one or more CEs. A site can contain many CEs,
but a CE can belong to only one site.
Sites connected to the same provider network can be classified into different sets by policies. Only the
sites in the same set can access each other through the provider network. Such a set is called a VPN.
3
Address space overlapping
Each VPN independently manages the addresses it uses. The assembly of such addresses for a VPN is
called an address space.
The address spaces of VPNs may overlap. For example, if both VPN 1 and VPN 2 use the addresses on
network segment 10.110.10.0/24, address space overlapping occurs.
VPN instance
In MPLS VPN, routes of different VPNs are identified by VPN instance.
A PE creates and maintains a separate VPN instance for each VPN at a directly connected site. Each
VPN instance contains the VPN membership and routing rules of the corresponding site. If a user at a site
belongs to multiple VPNs at the same time, the VPN instance of the site contains information about all of
the VPNs.
For independence and security of VPN data, each VPN instance on a PE maintains a relatively
independent routing table and a separate LFIB. VPN instance information contains the following items:
the LFIB, IP routing table, interfaces bound to the VPN instance, and administration information of the
VPN instance. The administration information of the VPN instance includes the RD, route filtering policy,
and member interface list.
VPN-IPv4 address
Traditional BGP cannot process overlapping VPN routes. If, for example, both VPN 1 and VPN 2 use
addresses on the segment 10.110.10.0/24 and each advertise a route to the segment, BGP selects only
one of them, which results in the loss of the other route.
PEs use MP-BGP to advertise VPN routes and use VPN-IPv4 address family to solve the problem with
traditional BGP.
A VPN-IPv4 address consists of 12 bytes. The first eight bytes represent the RD, followed by a four-byte
IPv4 address prefix.
Figure 2 VPN-IPv4 address structure
When a PE receives an ordinary IPv4 route from a CE, it must advertise the VPN route to the peer PE. The
uniqueness of a VPN route is implemented by adding an RD to the route.
A service provider can independently assign RDs if the assigned RDs are unique. A PE can advertise
different routes to VPNs even if the VPNs are from different service providers and are using the same IPv4
address space.
Configure a distinct RD for each VPN instance on a PE, so that routes to the same CE use the same RD.
The VPN-IPv4 address with an RD of 0 is a globally unique IPv4 address.
By prefixing a distinct RD to a specific IPv4 address prefix, you get a globally unique VPN IPv4 address
prefix.
An RD can be related to an AS number, in which case it is the combination of the AS number and a
discretionary number. An RD can also be related to an IP address, in which case it is the combination of
the IP address and a discretionary number.
4
An RD can be in one of the following formats distinguished by the Type field:
•When the value of the Type field is 0, the Administrator subfield occupies two bytes, the Assigned
number subfield occupies four bytes, and the RD format is 16 - b i t A S n u m b e r :32-bit user-defined
number. For example, 100:1.
•When the value of the Type field is 1, the Administrator subfield occupies four bytes, the Assigned
number subfield occupies two bytes, and the RD format is 32-bit IPv4 address:16-bit user-defined
number. F o r ex a m p l e, 172.1.1.1:1.
•When the value of the Type field is 2, the Administrator subfield occupies four bytes, the Assigned
number subfield occupies two bytes, and the RD format is 32-bit AS number:16-bit user-defined
number, where the minimum value of the AS number is 65536. For example, 65536:1.
To guarantee global uniqueness for an RD, do not set the Administrator subfield to any private AS
number or private IP address.
VPN target attributes
MPLS L3VPN uses the BGP extended community attributes called VPN target attributes or route target
attributes, to control the advertisement of VPN routing information.
A VPN instance on a PE supports the following types of VPN target attributes:
•Export target attribute: A local PE sets this type of VPN target attribute for VPN-IPv4 routes learned
from directly connected sites before advertising them to other PEs.
•Import target attribute: A PE checks the export target attribute of VPN-IPv4 routes advertised by
other PEs. If the export target attribute matches the import target attribute of the VPN instance, the
PE adds the routes to the VPN routing table.
In other words, VPN target attributes define which sites can receive VPN-IPv4 routes, and from which
sites that a PE can receive routes.
Similar to RDs, VPN target attributes can be of the following formats:
•16 - b i t AS n u m b e r :32-bit user-defined number. For example, 100:1.
•32-bit IPv4 address:16-bit user-defined number. Fo r e xa m p l e , 172.1.1.1:1.
•32-bit AS number:16-bit user-defined number, where the minimum value of the AS number is 65536.
For example, 65536:1.
Multi-VPN-instance CE
Using tunnels, MPLS L3VPN implements private network data transmission over the public network.
However, the traditional MPLS L3VPN architecture requires each VPN instance exclusively use a CE to
connect with a PE, as shown in Figure 1.
For better services and higher security, a private network is usually divided into multiple VPNs to isolate
services. To meet these requirements, you can configure a CE for each VPN, which increases users'
device expenses and maintenance costs. Or, you can configure multiple VPNs to use the same CE and
the same routing table, which sacrifices data security.
Using the MCE function of the switch, you can remove the contradiction of low cost and high security in
multi-VPN networks. With MCE configured, a CE can bind each VPN in a network with a VLAN interface
on the CE, and create and maintain a separate routing table (multi-VRF) for each VPN. This separates the
forwarding paths of packets of different VPNs and, in conjunction with the PE, can correctly advertise the
routes of each VPN to the peer PE, ensuring the normal transmission of VPN packets over the public
network.
5
Figure 3 shows how an MCE maintains the routing entries of multiple VPNs and how an MCE exchanges
VPN routes with PEs.
Figure 3 Network diagram for the MCE function
On the left-side network, there are two VPN sites, both of which are connected to the MPLS backbone
through the MCE device. VPN 1 and VPN 2 on the left-side network must establish a tunnel with VPN 1
and VPN 2 on the right-side network, respectively.
With the MCE function, you can create a routing table for VPN 1 and VPN 2 on the MCE device, and
bind VLAN-interface 2 with VPN 1 and VLAN-interface 3 with VPN 2. When receiving a routing
message, the MCE device can determine the source of the routing information according to the inbound
interface, and then update the routing table of the corresponding VPN.
In addition, you must perform configurations on PE 1 to bind the interfaces connecting the MCE with the
VPNs in the same way as you do on the MCE device. The MCE device and PE 1 must be connected
through a trunk link to allow packets of VLAN 2 and VLAN 3. When receiving a packet, PE 1 can
determine which VPN the packet belongs to and then passes the packet to the right tunnel.
Using MCE in tunneling applications
In addition to MPLS L3VPN, you can also use tunneling technologies to implement other types of VPNs.
The MCE function provided by the switch can be applied in VPN applications based on tunneling.
Figure 4 Network diagram for using MCE in a tunneling application (1)
PE1
PE
PE2
P
P
VPN2
Site2
VPN1
Site1
MCE
VLAN-int2
VLAN-int3
CE
Site1
VPN2
CE
VPN1
Site2
VLAN-int7
VLAN-int8
6
By establishing multiple tunnels between two MCE devices and binding the tunnel interfaces with VPN
instances, you can make the routing information and data of the VPN instances delivered to the peer
devices through the bound tunnel interfaces. According to the tunnel interfaces receiving the routes, an
MCE device determines the VPN instances that the routes belong to and advertises the routes to the
corresponding sites. As shown in Figure 4, you can bind Tunnel 1 with VPN 1 to make the MCE devices
deliver the routing information and data of VPN 1 through the tunnel.
You can also use an MCE in a tunneling application as shown in Figure 5 to connect multiple remote CEs
through tunnels. In this scenario, the CE devices only need to receive and advertise routes as usual, while
the MCE advertises and receives VPN routing information based on the bindings between tunnel
interfaces and VPNs.
Figure 5 Network diagram for using MCE in a tunneling application (2)
MCE devices in a tunneling application can exchange VPN routing information with their peer MCE
devices or CE devices directly, just as MCE devices in an MPLS L3VPN application do with the
corresponding PEs. For more information, see "Route exchange between an MCE and a PE."
GRE tunnel, IPv4 over IPv4 tunnel, and IPv4 over IPv6 tunnel support MCE. For more information about
tunnel types, see Layer 3—IP Services Configuration Guide.
Configuring routing on an MCE
Interface-to-VPN-instance binding enables MCEs and PEs to determine the sources of received packets
and then forward the packets according to the routing information concerning the corresponding VPNs.
MCE routing configuration includes:
•MCE-VPN site routing configuration
•MCE-PE routing configuration
Route exchange between an MCE and a VPN site
An MCE can adopt the following routing protocols to exchange VPN routes with a site:
•Static route
•RIP
•OSPF
•IS-IS
•IBGP
IP network
VPN 1
Site1
VPN 1
Site2
VPN 2
Site1 VPN 2
Site2
MCE
CE
Tunnel2
CE
7
•EBGP
This section briefly introduces the cooperation of routing protocols and MCE. For information about the
routing protocols, see Layer 3—IP Routing Configuration Guide.
Static routes
An MCE can communicate with a site through static routes. As static routes configured for traditional CEs
take effect globally, address overlapping between multiple VPNs remains a problem until the emergence
of MCE. MCE allows static-route-to-VPN-instance binding, which isolates the static routes of different
VPNs.
RIP
The switch can bind RIP processes to VPN instances. With these bindings on the MCE, private network
routes of different VPNs can be exchanged between MCE and sites through different RIP processes,
isolating and securing VPN routes.
OSPF
The switch can bind OSPF processes to VPN instances and isolate the routes of different VPNs.
For an OSPF process bound to a VPN instance, the router ID of the public network configured in system
view is invalid. You must specify the router ID when creating an OSPF process.
An OSPF process can be bound to only one VPN instance. However, a VPN instance can use multiple
OSPF processes for private network route transmission. To make sure routes can be advertised properly,
configure the same domain ID for all OSPF processes bound to the same VPN instance.
Routes redistributed from OSPF to BGP on the MCE have their OSPF attributes removed. To enable BGP
to distinguish routes redistributed from different OSPF domains, you must enable the redistributed routes
to carry the OSPF domain ID by configuring the domain-id command in OSPF view. The domain ID is
added to BGP VPN routes as an extended community attribute.
In cases where a VPN has multiple MCE devices attached to it and when an MCE device advertises the
routes learned from BGP within the VPN, the routes may be learned by other MCE devices, generating
route loops. To prevent route loops, configure route tags for different VPN instances on each MCE. HP
recommends that you assign the same route tag to the same VPN on all MCEs.
IS-IS
Similar to those in OSPF, IS-IS processes can be bound to VPN instances for private network routes to be
exchanged between MCE and sites. An IS-IS process can be bound to only one VPN instance.
IBGP
To use IBGP to exchange private routes between an MCE and a site, configure IBGP peers for VPN
instances on the MCE and redistribute IGP routing information from corresponding VPNs. If the MCE is
connected with multiple sites in the same VPN, you can configure the MCE as a route reflector (RR) and
configure the egress routers of the sites as clients, making the MCE reflect routing information between
the sites. This eliminates the necessity for BGP connections between sites, reducing the number of BGP
connections and simplifying network configuration.
EBGP
To use EBGP for exchanging routing information between an MCE and VPN sites, you must configure a
BGP peer for each VPN instance on the MCE, and redistribute the IGP routes of each VPN instance on
the VPN sites. You also can configure filtering policies to filter the received routes and the routes to be
advertised.
8
Route exchange between an MCE and a PE
Routing information entries are bound to specific VPN instances on an MCE device, and packets of each
VPN instance are forwarded between MCE and PE according to interface. As a result, VPN routing
information can be transmitted by performing relatively simple configurations between MCE and PE,
such as importing the VPN routing entries on MCE devices to the routing table of the routing protocol
running between MCE and PEs.
The following routing protocols can be used between MCE and PE devices for routing formation
exchange:
•Static route
•RIP
•OSPF
•IS-IS
•IBGP
•EBGP
For information about routing protocol configuration and route import, see Layer 3—IP Routing
Configuration Guide.
Configuring VPN instances
Configuring VPN instances is required in all MCE networking schemes.
By configuring VPN instances on a PE, you isolate not only VPN routes from public network routes, but
also routes of a VPN from those of another VPN. This feature allows VPN instances to be used in
networking scenarios besides MCE.
Creating a VPN instance
A VPN instance is associated with a site. It is a collection of the VPN membership and routing rules of its
associated site. A VPN instance does not necessarily correspond to one VPN.
A VPN instance takes effect only after you configure an RD for it. Before configuring an RD for a VPN
instance, you can configure no other parameters for the instance but a description.
You can configure a description for a VPN instance to record its related information, such as its
relationship with a certain VPN.
To create and configure a VPN instance:
Ste
p
Command
Remarks
1. Enter system view. system-view N/A
2. Create a VPN instance and
enter VPN instance view. ip vpn-instance vpn-instance-name
N/A
3. Configure an RD for the VPN
instance.
route-distinguisher
route-distinguisher N/A
4. Configure a description for
the VPN instance. description text Optional.
9
NOTE:
For easy management, set the same RD for the same VPN instance on the MCE and the PE.
Associating a VPN instance with an interface
After creating and configuring a VPN instance, associate the VPN instance with the interfaces connected
to the VPN sites.
In an MPLS L3VPN application, you also need to associate the VPN instances with the interfaces
connecting the PE.
In a tunneling application, you must associate the VPN instances with the tunnel interfaces connecting
the peer MCE device or CE device.
You can add a management Ethernet interface on the switch to a VPN, so the IP address of the interface
only participates in the route calculation of the specified VPN.
To associate a VPN instance with an interface:
Ste
p
Command
Remarks
1. Enter system view. system-view N/A
2. Enter interface view. interface interface-type
interface-number N/A
3. Associate the current interface
with a VPN instance.
ip binding vpn-instance
vpn-instance-name
No VPN instance is associated
with an interface by default.
After you bind an interface with a
VPN instance by using this
command, the IP address of the
interface is cleared. Be sure to
reconfigure an IP address for the
interface.
Configuring route-related attributes of a VPN instance
The control process of VPN route advertisement is as follows:
•When a VPN route learned from a site gets redistributed into BGP, BGP associates it with a VPN
target extended community attribute list, which is usually the export target attribute of the VPN
instance associated with the site.
•The VPN instance determines which routes it can accept and redistribute according to the
import-extcommunity in the VPN target.
•The VPN instance determines how to change the VPN targets attributes for routes to be advertised
according to the export-extcommunity in the VPN target.
IMPORTANT:
•Only when BGP runs between the MCE and PE can the VPN target attribute be advertised to the PE
along with the routing information. In other cases, configuring this attribute makes no sense.
•Before associating a routing policy with a VPN instance, you must first create the routing policy.
Otherwise, the default routing policy is used.
10
To configure route related attributes of a VPN instance:
Ste
p
Command
Remarks
1. Enter system view. system-view N/A
2. Enter VPN instance view. ip vpn-instance vpn-instance-name
N/A
3. Enter IPv4 VPN view. ipv4-family Optional.
4. Associate the current VPN
instance with one or more
VPN targets.
vpn-target vpn-target&<1-8>
[ both | export-extcommunity |
import-extcommunity ]
A single vpn-target command can
configure up to eight VPN targets.
You can configure up to 64 VPN
targets for a VPN instance.
5. Configure the maximum
number of routes for the VPN
instance.
routing-table limit number
{ warn-threshold | simply-alert }
Optional.
Not configured by default.
Setting the maximum number of
routes for a VPN instance to
support is for preventing too many
routes from being redistributed into
the PE.
6. Apply an import routing
policy to the current VPN
instance.
import route-policy route-policy
Optional.
By default, all routes permitted by
the import target attribute can be
redistributed into the VPN instance.
7. Apply an export routing
policy to the current VPN
instance.
export route-policy route-policy
Optional.
By default, all VPN instance routes
permitted by the export target
attribute can be redistributed.
NOTE:
You can configure route related attributes for IPv4 VPNs in both VPN instance view and IPv4 VPN view.
Those configured in IPv4 VPN view take precedence.
Configuring routing on an MCE
MCE implements service isolation through route isolation. MCE routing configuration includes:
•MCE-VPN site routing configuration
•MCE-PE routing configuration
On the PE in an MCE network environment, disable routing loop detection to avoid route loss during
route calculation and disable route redistribution between routing protocols to save system resources.
Before you configure routing on an MCE, complete the following tasks:
•On the MCE, configure VPN instances, and bind the VPN instances with the interfaces connected
to the VPN sites and those connected to the PE.
•Configure the link layer and network layer protocols on related interfaces to ensure IP connectivity.
Configuring routing between MCE and VPN site
You can configure static routing, RIP, OSPF, IS-IS, EBGP, or IBGP between the MCE and a VPN site.
11
Configuring static routing between MCE and VPN site
An MCE can reach a VPN site through a static route. Static routing on a traditional CE is globally
effective and thus does not support address overlapping among VPNs. An MCE supports binding a static
route with a VPN instance, so that the static routes of different VPN instances can be isolated from each
other.
To configure static routing between MCE and VPN site:
Ste
p
Command
Remarks
1. Enter system view. system-view N/A
2. Configure a static route
for a VPN instance.
•ip route-static dest-address { mask | mask-length }
{ gateway-address | interface-type
interface-number [ gateway-address ] |
vpn-instance d-vpn-instance-name
gateway-address } [ preference preference-value ]
[ tag tag-value ] [ description description-text ]
•ip route-static vpn-instance
s-vpn-instance-name&<1-6> dest-address { mask |
mask-length } { gateway-address [ public ] |
interface-type interface-number
[ gateway-address ] | vpn-instance
d-vpn-instance-name gateway-address }
[ preference preference-value ] [ tag tag-value ]
[ description description-text ]
Use either command.
Perform this
configuration on the
MCE. On a VPN site,
configure a normal
static route.
3. Configure the default
precedence for static
routes.
ip route-static default-preference
default-preference-value
Optional.
60 by default.
Configuring RIP between MCE and VPN site
A RIP process belongs to the public network or a single VPN instance. If you create a RIP process without
binding it to a VPN instance, the process belongs to the public network. By configuring RIP
process-to-VPN instance bindings on a IPv6 MCE, you allow routes of different VPNs to be exchanged
between the MCE and the sites through different RIP processes, ensuring the separation and security of
VPN routes.
For more information about RIP, see Layer 3—IP Routing Configuration Guide.
To configure RIP between MCE and VPN site:
Ste
p
Command
Remarks
1. Enter system view. system-view N/A
2. Create a RIP process for a
VPN instance and enter RIP
view.
rip [ process-id ]vpn-instance
vpn-instance-name
Perform this configuration on the
MCE. On a VPN site, create a
normal RIP process.
3. Enable RIP on the interface
attached to the specified
network.
network network-address By default, RIP is disabled on an
interface.
4. Redistribute remote site routes
advertised by the PE.
import-route protocol [process-id ]
[allow-ibgp ] [ cost cost |
route-policy route-policy-name |
tag tag ] *
By default, no route is redistributed
into RIP.
12
Ste
p
Command
Remarks
5. Configure the default cost
value for the redistributed
routes.
default cost value Optional.
0 by default.
Configuring OSPF between MCE and VPN site
An OSPF process belongs to the public network or a single VPN instance. If you create an OSPF process
without binding it to a VPN instance, the process belongs to the public network.
By configuring OSPF process-to-VPN instance bindings on a MCE, you allow routes of different VPNs to
be exchanged between the MCE and the sites through different OSPF processes, ensuring the separation
and security of VPN routes.
For more information about OSPF, see Layer 3—IP Routing Configuration Guide.
To configure OSPF between MCE and VPN site:
Ste
p
Command
Remarks
1. Enter system view. system-view N/A
2. Create an OSPF process for a
VPN instance and enter OSPF
view.
ospf [ process-id | router-id
router-id | vpn-instance
vpn-instance-name ] *
Perform this configuration on the
MCE. On a VPN site, create a
normal OSPF process.
An OSPF process can belong to
only one VPN instance, but one
VPN instance can use multiple
OSPF processes to advertise the
VPN routes.
3. Configure the OSPF domain
ID. domain-id domain-id [ secondary ]
Optional.
0 by default.
Perform this configuration on the
MCE. On a VPN site, perform the
common OSPF configuration.
4. Redistribute remote site routes
advertised by the PE.
import-route protocol [ process-id
| allow-ibgp ] [ cost cost | type
type | tag tag | route-policy
route-policy-name ] *
By default, no route of any other
routing protocol is redistributed
into OSPF.
5. Create an OSPF area and
enter OSPF area view. area area-id By default, no OSPF area is
created.
6. Enable OSPF on the interface
attached to the specified
network in the area. network ip-address wildcard-mask
By default, an interface neither
belongs to any area nor runs
OSPF.
NOTE:
A
n OSPF process that is bound with a VPN instance does not use the public network router ID confi
g
ured
in system view. Therefore, you must configure a router ID when starting the OSPF process. All OSPF
processes for the same VPN must be configured with the same OSPF domain ID to ensure correct route
advertisement.
Other manuals for 10500 series
13
Table of contents
Other HP Network Router manuals
HP
HP ProCurve MSM317 User manual
HP
HP FlexNetwork HSR6802 User manual
HP
HP 6400/8400 User manual
HP
HP ProCurve 7102 User manual
HP
HP HP ProCurve Series 6600 Installation manual
HP
HP J4897A User manual
HP
HP 7000dl Series User instructions
HP
HP StorageWorks MPX200 User manual
HP
HP MSR900-W User manual
HP
HP PS110 User manual
