Configuration Guide - VPN (V100R006C00 - 01)

Quidway S7700 Smart Routing Switch
V100R006C00
Configuration Guide - VPN
Issue 01
Date 2011-07-15
HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2011. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com
Issue 01 (2011-07-15) Huawei Proprietary and Confidential i

Copyright Huawei Technologies Co., Ltd.
Configuration Guide - VPN About This Document
About This Document
Intended Audience
This document provides the basic concepts, configuration procedures, and configuration
examples in different application scenarios of the VPN feature supported by the S7700 device.
This document describes how to configure the VPN feature.
NOTE
S7700 is controlled by the license. By default, the MPLS function is disabled on the S7700. To use the
MPLS function of the S7700,buy the license from the Huawei local office.
This document is intended for:

l Data configuration engineers
l Commissioning engineers
l Network monitoring engineers
l System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Indicates a hazard with a high level of risk, which if not

avoided, will result in death or serious injury.
DANGER
Indicates a hazard with a medium or low level of risk, which

if not avoided, could result in minor or moderate injury.
WARNING
Indicates a potentially hazardous situation, which if not

avoided, could result in equipment damage, data loss,
CAUTION
performance degradation, or unexpected results.
TIP Indicates a tip that may help you solve a problem or save
time.
NOTE Provides additional information to emphasize or supplement

important points of the main text.
Issue 01 (2011-07-15) Huawei Proprietary and Confidential ii

Configuration Guide - VPN About This Document
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
Boldface The keywords of a command line are in boldface.
Italic Command arguments are in italics.
[] Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... } Optional items are grouped in braces and separated by

vertical bars. One item is selected.
[ x | y | ... ] Optional items are grouped in brackets and separated by

vertical bars. One item is selected or no item is selected.
{ x | y | ... }* Optional items are grouped in braces and separated by

vertical bars. A minimum of one item or a maximum of all
items can be selected.
[ x | y | ... ]* Optional items are grouped in brackets and separated by

vertical bars. Several items or no item can be selected.
&<1-n> The parameter before the & sign can be repeated 1 to n times.
# A line starting with the # sign is comments.
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Changes in Issue 01 (2011-07-15)

Initial commercial release.
Issue 01 (2011-07-15) Huawei Proprietary and Confidential iii

Configuration Guide - VPN Contents
Contents
About This Document.....................................................................................................................ii

1 VPN Tunnel Management Configuration................................................................................1
1.1 Introduction to VPN Tunnels.............................................................................................................................3
1.2 VPN Tunnel Features Supported by the S7700..................................................................................................4
1.3 Configuring a Tunnel Interface..........................................................................................................................5
1.3.1 Establishing the Configuration Task.........................................................................................................6
1.3.2 Creating Tunnel Interfaces........................................................................................................................6
1.3.3 Configuring a Tunnel.................................................................................................................................7
1.3.4 Checking the Configuration.......................................................................................................................8
1.4 Configuring Tunnel Policies Applied to L3VPN...............................................................................................9
1.4.1 Establishing the Configuration Task.........................................................................................................9
1.4.2 Configuring a Tunnel Policy...................................................................................................................10
1.4.3 Applying the Tunnel Policy to L3VPN...................................................................................................11
1.4.4 Checking the Configuration.....................................................................................................................11
1.5 Configuring Tunnel Policies Applied to L2VPN.............................................................................................13
1.5.1 Establishing the Configuration Task.......................................................................................................13
1.5.2 Configuring a Tunnel Policy...................................................................................................................14
1.5.3 Applying the Tunnel Policy to L2VPN...................................................................................................15
1.6 Configuring L3VPN Tunnel Binding...............................................................................................................19
1.6.2 Enabling the VPN Binding for a Tunnel.................................................................................................20
1.6.3 Configuring the VPN Binding of the Tunnel Policy...............................................................................21
1.6.4 Applying the Tunnel Policy to the L3VPN.............................................................................................21
1.7 Configuring L2VPN Tunnel Binding...............................................................................................................24
1.7.2 Enabling the VPN Binding for a Tunnel.................................................................................................25
1.7.3 Configuring the VPN Binding of the Tunnel Policy...............................................................................25
1.7.4 Applying the Tunnel Policy to the Martini L2VPN................................................................................26
1.8 Maintaining a VPN Tunnel...............................................................................................................................28
1.8.1 Monitoring the Running Status of a Tunnel............................................................................................28
Issue 01 (2011-07-15) Huawei Proprietary and Confidential iv

1.8.2 Debugging a Tunnel................................................................................................................................29

1.9 Configuration Examples...................................................................................................................................29
1.9.1 Example for Configuring Tunnel Policies for the L3VPN......................................................................29
1.9.2 Example for Binding a Tunnel to the Martini L2VPN............................................................................42
2 GRE Configuration.....................................................................................................................57
2.1 Introduction to GRE.........................................................................................................................................59
2.2 GRE Features Supported by the S7700............................................................................................................59
2.3 Configuring GRE..............................................................................................................................................61
2.3.2 Configuring a Tunnel Interface...............................................................................................................61
2.3.3 Configuring Routes for the Tunnel..........................................................................................................63
2.4 Configuring a GRE Tunnel Between CE and PE.............................................................................................65
2.4.2 Configuring the GRE Tunnel Interface on CE........................................................................................66
2.4.3 Configuring the GRE Tunnel Interface on PE.........................................................................................67
2.4.4 Binding the GRE Tunnel with the VPN to Which CE belongs on PE....................................................68
2.5 Configuring the Keepalive Function................................................................................................................70
2.5.2 Enabling the Keepalive Function............................................................................................................71
2.6 Maintaining GRE..............................................................................................................................................73
2.6.1 Resetting the Statistics of a Tunnel Interface..........................................................................................73
2.6.2 Monitoring the Running Status of GRE..................................................................................................73
2.6.3 Debugging GRE......................................................................................................................................74
2.7 Configuration Examples...................................................................................................................................74
2.7.1 Example for Configuring Static Routes on the GRE Tunnel..................................................................74
2.7.2 Example for Configuring the Dynamic Routing Protocol on the GRE Tunnel.......................................79
2.7.3 Example for Configuring the CE to Access a VPN Through a GRE Tunnel of the Public Network
..........................................................................................................................................................................84
2.7.4 Example for Configuring the Keepalive Function for GRE....................................................................92
3 BGP MPLS IP VPN Configuration..........................................................................................95

3.1 Introduction to BGP/MPLS IP VPN................................................................................................................97
3.2 BGP/MPLS IP VPN Features Supported by the S7700...................................................................................97
3.3 Configuring a VPN Instance.............................................................................................................................99
3.3.1 Establishing the Configuration Task.....................................................................................................100
3.3.2 Creating a VPN Instance.......................................................................................................................100
3.3.3 Configuring Attributes for the VPN Instance .......................................................................................101
3.3.4 (Optional) Applying a Tunnel Policy to the VPN Instance...................................................................103
3.3.5 (Optional) Configuring MPLS Label Allocation Based on the VPN Instance......................................103
3.3.6 Checking the Configuration...................................................................................................................104
Issue 01 (2011-07-15) Huawei Proprietary and Confidential v

3.4 Configuring Basic BGP/MPLS IP VPN.........................................................................................................105

3.4.2 Configuring a VPN Instance..................................................................................................................106
3.4.3 Binding an Interface with a VPN Instance............................................................................................106
3.4.4 Configuring MP-IBGP Between PEs....................................................................................................107
3.4.5 Configuring a Routing Protocol Between a PE and a CE.....................................................................108
3.5 Configuring Hub and Spoke...........................................................................................................................117
3.5.2 Creating a VPN Instance.......................................................................................................................118
3.5.3 Configuring Route Attributes of the VPN Instance...............................................................................120
3.5.4 Binding an Interface with the VPN Instance.........................................................................................121
3.5.5 Configuring MP-IBGP Between Hub-PE and Spoke-PE......................................................................122
3.5.6 Configuring Route Exchange Between PE and CE...............................................................................123
3.6 Configuring Inter-AS VPN Option A.............................................................................................................125
3.6.2 Configuring Inter-AS VPN Option A....................................................................................................126
3.7 Configuring Inter-AS VPN Option B.............................................................................................................127
3.7.2 Configuring MP-IBGP Between PEs and ASBRs in the Same AS......................................................128
3.7.3 Configuring MP-EBGP Between ASBRs in Different ASs..................................................................129
3.7.4 Controlling the Receiving and Sending of VPN Routes by Using Routing Policies............................130
3.7.5 (Optional) Storing Information About the VPN Instance on the ASBR...............................................132
3.7.6 (Optional) Enabling Next-Hop-based Label Allocation on the ASBR.................................................133
3.7.7 Configuring the Routing Protocol Between CE and PE........................................................................134
3.8 Configuring HoVPN.......................................................................................................................................135
3.8.2 Specifying UPE.....................................................................................................................................135
3.8.3 Advertising Default Routes of a VPN Instance.....................................................................................136
3.9 Configuring OSPF Sham Link.......................................................................................................................137
3.9.2 Configuring the Loopback Address of the Sham Link..........................................................................138
3.9.3 Advertising Routes of End Address of the Sham Link.........................................................................139
3.9.4 Creating a Sham Link............................................................................................................................140
3.10 Configuring a Multi-VPN-Instance CE........................................................................................................141
3.10.1 Establishing the Configuration Task...................................................................................................141
3.10.2 Configuring the OSPF Multi-Instance on the PE................................................................................142
Issue 01 (2011-07-15) Huawei Proprietary and Confidential vi

3.10.3 Configuring the OSPF Multi-Instance on the Multi-Instance CE.......................................................143

3.10.4 Canceling the Loop Detection on the Multi-Instance CE....................................................................144
3.10.5 Checking the Configuration.................................................................................................................144
3.11 Connecting VPN and the Internet.................................................................................................................145
3.11.2 Configuring the Static Route on the CE..............................................................................................146
3.11.3 Configuring the Private Network Static Route on the PE...................................................................146
3.11.4 Configuring the Static Route to VPN on the Device of the Public Network......................................147
3.12 Configuring VPN FRR.................................................................................................................................148
3.12.2 Configuring Manual VPN FRR...........................................................................................................149
3.12.3 Configuring VPN Auto FRR...............................................................................................................150
3.13 Configuring VPN GR...................................................................................................................................151
3.13.2 Configuring IGP GR on the Backbone Network.................................................................................152
3.13.3 Configuring MPLS GR on the Backbone Network.............................................................................153
3.13.4 Configuring GR of the Routing Protocol Between PEs and CEs........................................................156
3.13.5 Configuring BGP GR for MP-BGP.....................................................................................................158
3.14 Configuring Route Reflection to Optimize the VPN Backbone Layer........................................................160
3.14.2 Configuring the Client PEs to Establish MP IBGP Connections with the RR....................................161
3.14.3 Configuring the RR to Establish MP IBGP Connections with the Client PEs....................................162
3.14.4 Configuring Route Reflection for BGP IPv4 VPN routes...................................................................164
3.15 Configuring Route Reflection to Optimize the VPN Access Layer.............................................................165
3.15.2 Configuring All Client CEs to Establish IBGP Connections with the RR..........................................166
3.15.3 Configuring the RR to Establish MP IBGP Connections with All Client CEs...................................167
3.15.4 Configuring Route Reflection for the Routes of the BGP VPN Instance...........................................168
3.16 Maintaining BGP/MPLS IP VPN.................................................................................................................170
3.16.1 Viewing the Integrated Route Statistics of All IPv4 VPN Instances..................................................170
3.16.2 Displaying BGP/MPLS IP VPN Information......................................................................................170
3.16.3 Checking the Network Connectivity and Reachability.......................................................................171
3.16.4 Resetting BGP Statistics of a VPN Instance.......................................................................................172
3.16.5 Resetting BGP Connections................................................................................................................172
3.16.6 Debugging BGP/MPLS IP VPN..........................................................................................................173
3.17 Configuration Examples...............................................................................................................................173
3.17.1 Example for Configuring the BGP/MPLS IP VPN.............................................................................174
Issue 01 (2011-07-15) Huawei Proprietary and Confidential vii

3.17.2 Example for Configuring Overlapping Addresses in Two BGP/MPLS IP VPNs..............................186

3.17.3 Example for Configuring Mutual Access Between VPNs on S7700..................................................196
3.17.4 Example for Configuring Mutual Access for Local VPNs on SPU Board.........................................201
3.17.5 Example for Configuring BGP ASN Substitution...............................................................................204
3.17.6 Example for Configuring Hub&Spoke................................................................................................211
3.17.7 Example for Configuring Inter-AS VPN Option A.............................................................................220
3.17.8 Example for Configuring Inter-AS VPN Option B.............................................................................230
3.17.9 Example for Configuring the HoVPN.................................................................................................237
3.17.10 Example for Configuring the OSPF Sham Link................................................................................245
3.17.11 Example for Configuring the Multi-VPN-Instance CE.....................................................................257
3.17.12 Example for Connecting a VPN to the Internet.................................................................................269
3.17.13 Example for Configuring CE Dual-Homing.....................................................................................276
3.17.14 Example for Configuring VPN FRR.................................................................................................291
3.17.15 Example for Configuring VPN GR...................................................................................................299
3.17.16 Example for Configuring Double RRs to Optimize VPN Backbone Layer......................................310
4 BGP MPLS IPv6 VPN Configuration....................................................................................321

4.1 Introduction to BGP/MPLS IPv6 VPN..........................................................................................................323
4.2 BGP/MPLS IPv6 VPN Features Supported by the S7700.............................................................................324
4.3 Configuring an IPv6 VPN Instances..............................................................................................................324
4.3.2 Creating an IPv6 VPN Instance.............................................................................................................325
4.3.3 Configuring Attributes for the IPv6 VPN Instance...............................................................................326
4.3.4 (Optional) Configuring MPLS Label Allocation Based on the IPv6 VPN Instance.............................327
4.4 Configuring Basic BGP/MPLS IPv6 VPN.....................................................................................................329
4.4.2 Configuring an IPv6 VPN Instance.......................................................................................................330
4.4.3 Binding an Interface to an IPv6 VPN Instance......................................................................................330
4.4.4 Configuring MP-IBGP Between PEs....................................................................................................331
4.5 Configuring Hub and Spoke...........................................................................................................................340
4.5.2 Configuring an IPv6 VPN Instance.......................................................................................................341
4.5.3 Configuring Route Related Attributes of an IPv6 VPN Instance..........................................................342
4.5.4 Binding an Interface to an IPv6 VPN Instance......................................................................................344
4.5.5 Configuring MP-IBGP Between Hub-PE and Spoke-PE......................................................................345
4.6 Configuring a Tunnel Policy applied to BGP/MPLS IPv6 VPN....................................................................348
4.6.2 Configuring a Tunnel Policy.................................................................................................................349
Issue 01 (2011-07-15) Huawei Proprietary and Confidential viii

4.6.3 Applying the Tunnel Policy to the IPv6 VPN.......................................................................................350

4.7 Configuring Inter-AS IPv6 VPN-Option A....................................................................................................351
4.7.2 Configuring Inter-AS IPv6 VPN Option A...........................................................................................352
4.8 Configuring Inter-AS IPv6 VPN-Option B....................................................................................................353
4.8.2 Configuring MP-IBGP Between PEs and ASBRs in the Same AS......................................................355
4.8.3 Configuring MP-EBGP Between ASBRs in Different ASs..................................................................355
4.8.4 Controlling the Receiving and Sending of VPN Routes.......................................................................356
4.8.5 (Optional) Storing Information About the IPv6 VPN instance on the ASBRs.....................................357
4.8.6 (Optional) Enabling Next-Hop-based Label Allocation on the ASBR.................................................358
4.9 Configuring Route Reflection for BGP VPNv6 Routes.................................................................................360
4.9.2 Configuring the Client PEs to Establish MP IBGP Connections with the RR......................................361
4.9.3 Configuring the RR to Establish MP IBGP Connections with All Client PEs......................................362
4.9.4 Configuring Route Reflection for BGP VPNv6 Routes........................................................................363
4.10 Maintaining BGP/MPLS IPv6 VPN.............................................................................................................365
4.10.1 Displaying BGP/MPLS IPv6 VPN Information..................................................................................365
4.10.2 Checking the Network Connectivity and Reachability.......................................................................366
4.10.3 Viewing the Integrated Route Statistics of all IPv6 VPN Instances....................................................367
4.10.4 Resetting BGP Statistics of IPv6 VPN instance..................................................................................367
4.10.5 Resetting BGP Connections................................................................................................................367
4.10.6 Debugging BGP/MPLS IPv6 VPN......................................................................................................368
4.11.1 Example for Configure Basic BGP/MPLS IPv6 VPN........................................................................369
4.11.2 Example for Configuring Hub&Spoke (Using BGP4+ Between PE and CE)....................................383
4.11.3 Example for Configuring Hub&Spoke (Using the Default Route Between Hub-PE and Hub-CE)
........................................................................................................................................................................395
4.11.4 Example for Configuring Inter-AS IPv6 VPN Option A....................................................................408
4.11.5 Example for Configuring Dual-Homed CEs.......................................................................................419
4.11.6 Example for Configuring a VPNv6 RR...............................................................................................438
5 VLL Configuration....................................................................................................................446
5.1 Introduction to VLL........................................................................................................................................448
5.2 VLL Features Supported by the S7700..........................................................................................................449
5.3 Configuring CCC VLL...................................................................................................................................454
5.3.2 Enabling the MPLS L2VPN..................................................................................................................455
Issue 01 (2011-07-15) Huawei Proprietary and Confidential ix

5.3.3 Creating a Local CCC Connection........................................................................................................455

5.3.4 Creating a Remote CCC Connection.....................................................................................................456
5.4 Configuring the SVC VLL.............................................................................................................................458
5.4.2 Enabling MPLS L2VPN........................................................................................................................459
5.4.3 Creating an SVC VLL Connection........................................................................................................459
5.5 Configuring Martini VLL...............................................................................................................................461
5.5.3 Creating a Martini VLL Connection.....................................................................................................462
5.6 Configuring Kompella VLL...........................................................................................................................464
5.6.3 Configuring BGP/MPLS L2VPN..........................................................................................................466
5.6.4 Configuring a VPN................................................................................................................................466
5.6.5 Creating a CE Connection.....................................................................................................................468
5.6.6 (Optional) Configuring BGP L2VPN Features.....................................................................................469
5.7 Configuring Inter-AS Martini VLL................................................................................................................472
5.7.2 Configuring Inter-AS Option A.............................................................................................................473
5.8 Configuring the Inter-AS Kompella VLL......................................................................................................474
5.8.2 Configuring the Inter-AS Kompella VLL Option A.............................................................................475
5.9 Configuring VLL FRR...................................................................................................................................477
5.9.2 Configuring Master and Backup PWs...................................................................................................478
5.9.3 (Optional) Configuring Fast Fault Notification - Physical Layer Fault Notification............................480
5.9.4 (Optional) Configuring BFD for PW.....................................................................................................481
5.9.5 (Optional) Configuring the Revertive Switchover................................................................................481
5.10 Maintaining VLL..........................................................................................................................................485
5.10.1 Enabling Traffic Statistics on the VLL................................................................................................485
5.10.2 Viewing Traffic Statistics on the VLL................................................................................................486
5.10.3 Resetting Traffic Statistics on the VLL...............................................................................................486
5.10.4 Resetting BGP TCP Connections of VLL...........................................................................................486
5.10.5 Monitoring the Running Status of VLL..............................................................................................487
Issue 01 (2011-07-15) Huawei Proprietary and Confidential x

5.10.6 Debugging VLL...................................................................................................................................487

5.10.7 Checking Connectivity of the VLL Network......................................................................................488
5.11.1 Example for Configuring a Local CCC Connection...........................................................................489
5.11.2 Example for Configuring a Remote CCC Connection........................................................................493
5.11.3 Example for Configuring an SVC VLL..............................................................................................499
5.11.4 Example for Configuring a Martini VLL............................................................................................505
5.11.5 Example for Configuring a Local Kompella VLL..............................................................................511
5.11.6 Example for Configuring a Remote Kompella Connection................................................................514
5.11.7 Example for Configuring the Inter-AS Martini VLL Option A..........................................................521
5.11.8 Example for Configuring the Inter-AS Kompella VLL Option A......................................................528
6 PWE3 Configuration.................................................................................................................539
6.1 Introduction to PWE3.....................................................................................................................................541
6.2 PWE3 Features Supported by the S7700........................................................................................................542
6.3 Configuring the Attributes of a PW Template................................................................................................551
6.3.2 Creating a PW Template........................................................................................................................552
6.3.3 Setting the Attributes for a PW Template.............................................................................................553
6.4 Configuring a Static PW.................................................................................................................................554
6.4.3 Creating a Static PW..............................................................................................................................556
6.5 Configuring a Dynamic PW...........................................................................................................................557
6.5.3 Creating a Dynamic PW........................................................................................................................558
6.6 Configuring PW Switching............................................................................................................................560
6.6.2 Configuring PW Switching...................................................................................................................561
6.7 Configuring a Backup PW..............................................................................................................................564
6.7.2 Configuring a Backup PW.....................................................................................................................565
6.8 Configuring Static BFD for PW.....................................................................................................................568
6.8.2 Enabling BFD Globally.........................................................................................................................569
6.8.3 Enabling the Sending of BFD for PW Packets to the Protocol Stack...................................................569
6.8.4 Configuring BFD for PW......................................................................................................................569
Issue 01 (2011-07-15) Huawei Proprietary and Confidential xi


6.9 Configuring Dynamic BFD for PW................................................................................................................571
6.9.3 Enabling the Sending of BFD for PW Packets to the Protocol Stack...................................................573
6.9.4 Configuring the Attributes of a PW Template.......................................................................................573
6.9.5 (Optional) Adjusting BFD Parameters..................................................................................................574
6.9.6 Configuring PWs...................................................................................................................................574
6.9.7 Triggering Dynamic BFD for PW.........................................................................................................574
6.10 Configuring PWE3 FRR...............................................................................................................................576
6.10.2 Configuring Primary and Backup PWs...............................................................................................577
6.10.3 (Optional) Configuring BFD for PW...................................................................................................579
6.10.4 (Optional) Configuring the Revertive Switchover..............................................................................579
6.11 Configuring Inter-AS PWE3........................................................................................................................583
6.11.2 Configuring Inter-AS PWE3-Option A...............................................................................................584
6.12 Maintaining PWE3.......................................................................................................................................586
6.12.1 Verifying the Connectivity of a PW....................................................................................................586
6.12.2 Locating a Fault of a PW.....................................................................................................................587
6.12.3 Debugging a PWE3.............................................................................................................................588
6.13.1 Example for Configuring a Dynamic SH-PW.....................................................................................589
6.13.2 Example for Configuring a Static MH-PW.........................................................................................595
6.13.3 Example for Configuring a Dynamic MH-PW....................................................................................602
6.13.4 Example for Configuring a Mixed MH-PW........................................................................................613
6.13.5 Example for Configuring Static BFD for PW.....................................................................................620
6.13.6 Example for Configuring Dynamic BFD for SH-PW.........................................................................635
6.13.7 Example for Configuring Dynamic BFD for MH-PW........................................................................645
6.13.8 Example for Configuring Inter-AS PWE3-Option A..........................................................................659
7 VPLS Configuration..................................................................................................................667
7.1 Introduction to VPLS......................................................................................................................................669
7.2 VPLS Features Supported by the S7700........................................................................................................670
7.3 Configuring Kompella VPLS.........................................................................................................................681
7.3.2 Enabling the BGP Peer to Exchange VPLS Information......................................................................682
7.3.3 Creating a VSI and Configuring BGP Signaling...................................................................................683
7.3.4 (Optional) Configuring Huawei Devices to Communicate with Non-Huawei Devices........................685
7.3.5 Binding the VSI to an AC Interface......................................................................................................686
Issue 01 (2011-07-15) Huawei Proprietary and Confidential xii

7.3.6 (Optional) Configuring the Features of Kompella VPLS......................................................................688

7.4 Configuring Martini VPLS.............................................................................................................................691
7.4.2 Creating a VSI and Configuring LDP Signaling...................................................................................692
7.4.3 Binding the VSI to an AC Interface......................................................................................................693
7.5 Configuring LDP HVPLS..............................................................................................................................697
7.5.2 Configuring SPE....................................................................................................................................698
7.5.3 Configuring UPE...................................................................................................................................699
7.6 Configuring the Static VLL to Access the VPLS Network............................................................................700
7.6.2 Configuring a UPE to Access an SPE Through a Static VLL...............................................................701
7.6.3 Configuring the UPE to Access the SPE Through the Static VLL.......................................................701
7.6.4 Binding the VSI of the SPE with the VLL............................................................................................702
7.7 Configuring Inter-AS Kompella VPLS..........................................................................................................705
7.7.2 Configuring Inter-AS Kompella VPLS Option A.................................................................................706
7.8 Configuring Inter-AS Martini VPLS..............................................................................................................709
7.8.2 Configuring Inter-AS Martini VPLS Option A.....................................................................................709
7.9 Configuring Dual-homed Kompella VPLS....................................................................................................712
7.9.2 Creating VSIs and Configuring BGP Signaling....................................................................................713
7.9.3 Configuring the Multi-homed Preference for a VSI..............................................................................715
7.9.4 Binding a VSI to an AC Interface.........................................................................................................716
7.10 Configuring Related Parameters of a VSI....................................................................................................717
7.10.2 Configuring General Parameters of the VSI........................................................................................717
7.10.3 Configuring MAC Address Learning..................................................................................................718
7.10.4 Configuring a VSI to Ignore the AC Status.........................................................................................720
7.11 Configuring Suppression on VPLS Traffic..................................................................................................721
7.11.2 Configuring VSI-based Traffic Suppression.......................................................................................722
7.12 Maintaining VPLS........................................................................................................................................724
Issue 01 (2011-07-15) Huawei Proprietary and Confidential xiii

7.12.1 Collecting the Statistics of the Traffic on a VPLS PW.......................................................................724

7.12.2 Checking the Traffic on a VPLS PW..................................................................................................725
7.12.3 Clearing the Traffic Statistics..............................................................................................................725
7.12.4 Checking the Consistency of VPN Configurations(Service Ping)......................................................726
7.12.5 Debugging VPLS.................................................................................................................................726
7.12.6 Enabling or Disabling VSI..................................................................................................................727
7.12.7 Clearing MAC Address Entries...........................................................................................................727
7.12.8 Checking the MAC Address Learning Capability...............................................................................728
7.12.9 Checking Connectivity of the VPLS Network....................................................................................729
7.13.1 Example for Configuring Martini VPLS.............................................................................................730
7.13.2 Example for Configuring Kompella VPLS.........................................................................................737
7.13.3 Example for Configuring VPLS over TE in Martini Mode.................................................................744
7.13.4 Example for Configuring LDP HVPLS...............................................................................................754
7.13.5 Example for Configuring Static VLLs to Access a VPLS Network...................................................761
7.13.6 Example for Configuring Dynamic VLLs to Access a VPLS Network..............................................772
7.13.7 Example for Configuring Inter-AS Martini VPLS Option A..............................................................781
7.13.8 Example for Configuring Inter-AS Kompella VPLS Option A..........................................................788
8 VPLS Convergence Configuration.........................................................................................799

8.1 VPLS Convergence Overview........................................................................................................................800
8.2 VPLS Convergence Supported by the S7700.................................................................................................800
8.3 Configuring VPLS Convergence (UPE Directly Connected to the NPE)......................................................804
8.3.2 Configuring the mVSI...........................................................................................................................805
8.3.3 Configuring the Binding Relations for the mVSI..................................................................................806
8.4 Configuring BFD for VSI PW........................................................................................................................807
8.4.3 Enabling the Sending of BFD for VSI-PW Packets to the Protocol Stack............................................808
8.4.4 Establishing BFD Sessions....................................................................................................................809
8.5 Maintaining VPLS Convergence....................................................................................................................810
8.5.1 Debugging VPLS Convergence.............................................................................................................810
8.6 Configuration Examples.................................................................................................................................811
8.6.1 Example for Configuring the mVSI......................................................................................................811
Issue 01 (2011-07-15) Huawei Proprietary and Confidential xiv

Configuration Guide - VPN 1 VPN Tunnel Management Configuration
1 VPN Tunnel Management Configuration
About This Chapter
VPN tunnel management involves the creation, management, and maintenance of VPN tunnels.
1.1 Introduction to VPN Tunnels

This part briefly introduces VPN tunnels, including such commonly-used VPN tunnels as LSPs,
TE tunnels, and GRE tunnels, and the configuration and management of these VPN tunnels.
1.2 VPN Tunnel Features Supported by the S7700
The S7700 supports such VPN tunnel features as the select-sequence tunnel policy and tunnel
binding policy.
1.3 Configuring a Tunnel Interface
Tunnel interfaces are point-to-point virtual interfaces that are used for encapsulating packets.
Similar to loopback interfaces, tunnel interfaces are logical interfaces.
1.4 Configuring Tunnel Policies Applied to L3VPN
By default, the system selects an LSP and performs no load balancing. If load balancing or other
types of tunnels are required, you need to configure a select-sequence tunnel policy and apply
the tunnel policy.
By default, the system selects LSPs for a VPN and no load balancing is carried out. If load
balancing or other types of tunnels are required, you need to configure a tunnel policy and bind
the tunnel policy to the tunnels.
1.6 Configuring L3VPN Tunnel Binding
VPN tunnel binding refers to the binding between a TE tunnel and a VPN. After the binding,
the TE tunnel is exclusively used by the VPN.
L2VPN tunnel binding refers to the binding between a TE tunnel and a VPN. After the binding,
1.8 Maintaining a VPN Tunnel
Monitor the running status of the VPN tunnel.
1.9 Configuration Examples
Issue 01 (2011-07-15) Huawei Proprietary and Confidential 1

This section provides examples for applying a tunnel policy to the L3VPN or L2VPN.

1.1 Introduction to VPN Tunnels

This part briefly introduces VPN tunnels, including such commonly-used VPN tunnels as LSPs,
TE tunnels, and GRE tunnels, and the configuration and management of these VPN tunnels.
In Virtual Private Networks (VPNs), based on the tunnel technology, dedicated transmission
channels, namely, tunnels, can be set up in backbone networks. Packets can then be transparently
transmitted through the tunnels.
Common VPN Tunnels

Common VPN tunnels are described as follows:
l LSP
When LSPs are adopted as tunnels on the public network of Multi-Protocol Label Switching
(MPLS) VPN, IP packet headers are analyzed only on Provider Edges (PEs), rather than
on each device along which VPN packets are transmitted. In this manner, the time to process
VPN packets shortens and the delay of packet transmission decreases. In addition, MPLS
labels are supported by all link layer protocols. A Label Switched Path (LSP) is similar to
an Asynchronous Transfer Mode (ATM) Virtual Circuit (VC)or a Frame Relay (FR) VC
in function and security.
l MPLS TE
Generally, carriers are required to provide VPN users with Quality of Service (QoS)
guarantee for various end-to-end services, such as the voice service, video service, key data
service, and Internet access service. To meet users' requirements, carriers offer the MPLS
Traffic Engineering (MPLS TE) tunnels, which can optimize network resources and offer
users with QoS guaranteed services.
l GRE
In an MPLS Layer 3 VPN (MPLS L3VPN), a CE and a PEmust have a direct connection.
If they are not directly connected, a GRE tunnel is generally set up between the CE and the
PE to ensure the CE can access MPLS VPN.
Tunnel Configuration Management

The setup and management of tunnels vary with the tunnel type. For example, GRE tunnels and
MPLS TE tunnels, both of which are Constraint-based Routed LSP (CR-LSP) tunnels, are
managed by using tunnel interfaces, whereas MPLS LSP tunnels are managed without using
tunnel interfaces.
This chapter describes the configurations of tunnel interfaces and general tunnel management.
l Tunnel management: informs the current application about the tunnel status and checks the
tunnel and tunnel policy based on the destination IP address reported by the application.
l Tunnel policy: selects a tunnel based on the destination IP address.
An application selects tunnels according to the tunnel policy. If no tunnel policy is configured,
the default tunnel policy is selected. By default, no load balancing can be performed among
tunnels, and only one LSP tunnel can be selected.

1.2 VPN Tunnel Features Supported by the S7700

The S7700 supports such VPN tunnel features as the select-sequence tunnel policy and tunnel
binding policy.
An application (such as VPN) selects tunnels according to the tunnel policy. If no tunnel policy
is configured, the tunnel management module selects the tunnel according to the default tunnel
policy.
The tunnel policy can be in either of two modes:

l Select-sequence
l Tunnel binding
These two modes are mutually exclusive.
Select-sequence Mode
With the tunnel policy of the select-sequence mode, you can specify the sequence to select the
tunnel types, and the number of tunnels participating in load balancing.
In the tunnel policy, tunnels are selected in sequence. If a tunnel listed earlier is Up and not
bound, it is selected irrespective of whether another service has selected it. The subsequent tunnel
is not selected in most cases, except that load balancing is carried out, or the preceding tunnels
are in the Down state.
For example, in a tunnel policy, both LSPs and CR-LSPs to the same destination can be selected,
and LSPs are prior to CR-LSPs. If LSPs do not exist, a VPN chooses CR-LSPs. After an LSP
is set up, the VPN selects the LSP and does not use CR-LSPs anymore.
If there are multiple eligible tunnels of the same type, one or more tunnels are chosen randomly
in the tunnel policy.
In select-sequence mode, if both CR-LSPs and LSPs can be selected, CR-LSPs are prior to LSPs,
and the number of tunnels in load balancing is 3, the policies to select tunnels are shown as
below:
l The CR-LSP in the Up state is preferred. If the number of CR-LSPs that are Up is smaller
than 3 (CR-LSPs are not sufficient or CR-LSPs are sufficient whereas their status is Down),
LSPs in the Up state are also selected.
l Suppose three tunnels have been selected, one of which is a LSP. If a CR-LSP tunnel is
added or a CR-LSP in the Down state goes Up, the CR-LSP is selected and the LSP quits
the load balancing.
l If the number of tunnels in load balancing at the moment is smaller than the configured
number, the newly added CR-LSP or LSP in the Up state participates in load balancing.
l The number of tunnels in load balancing is decided by the number of the eligible tunnels.
For example, if only one CR-LSP and one LSP in the Up state, load balancing is performed
between them. The tunnels of other types are not selected even if they are Up.
l The load balancing for tunnels differs from the load balancing for routes. For example,
when three CR-LSPs are used for load balancing, they may be on the same path. While
three routes are used for load balancing, different three paths are used actually.

NOTE
In IPv4 VPN networking, you can configure a maximum of six tunnels for load balancing. And in IPv6
VPN networking,the S7700 does not support load balancing by tunnels, that is, the number of tunnels for
load balancing is 1.
Tunnel Binding Mode

Tunnel binding indicates that a certain TE tunnel can only be applied for a specific VPN service.
As shown in Figure 1-1, two MPLS TEs, namely, Tunnel1 and Tunnel2, are set up between
PE1 and PE3.
Figure 1-1 Networking example using VPN primary tunnel binding
VPNA VPNA
CE1 CE3 Site3

Site1
VPN Backbone
TE Tunnel1 for VPNA

PE1 PE3
TE Tunnel2 for VPNB
Site4
Site2
CE2 CE4
VPNB VPNB
The QoS of both VPN A and VPN B is guaranteed if you configure the VPN primary tunnel
binding, that is, binding VPN A with Tunnel 1 and binding VPN B with Tunnel 2. After the
configuration, both VPN A and VPN B use separate TE tunnels. In this manner, services of VPN
A and VPN B are not affected by each other or other services.
The VPN primary tunnel binding has the following features:
l The VPN data to a specific peer PE is always transmitted through the bound TE tunnel.
l The bound TE tunnel cannot be used in select-sequence mode or in load balancing.
l VPN primary tunnel binding can only use the bound primary tunnel for the specific peer
PE. Other peer PEs, however, adopt the default tunnel policy.
You can arrange network resources by creating MPLS TE tunnels of different QoS features.
Then you can manually configure each TE tunnel to carry the corresponding VPN service.
Therefore, network resources can be optimally used.
1.3 Configuring a Tunnel Interface

Tunnel interfaces are point-to-point virtual interfaces that are used for encapsulating packets.
Similar to loopback interfaces, tunnel interfaces are logical interfaces.

1.3.1 Establishing the Configuration Task

Before configuring a tunnel interface, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This can help you complete
the configuration task quickly and accurately.
Applicable Environments
Tunnels such as GRE and MPLS TE tunnels use a kind of virtual logical interface, that is, tunnel
interface, to forward packets. You must create the tunnel interfaces before using these tunnels.
The source address and destination address of a GRE tunnel uniquely identify the GRE tunnel.
The destination address of a GRE tunnel is the IP address of the real interface that receives
packets. In a GRE tunnel, the source address of the local end is the destination address of the
remote end; the destination address of the local end is the source address of the remote end.
For different purposes, a tunnel interface can be encapsulated differently.
Pre-configuration Tasks
Before configuring a tunnel interface, complete the following tasks:
l Connecting the interfaces, and configuring physical parameters for the interfaces to ensure
that the physical status of the interfaces is Up
l Configuring parameters of the link layer protocol and IP addresses for the interfaces to
ensure that the status of the link layer protocol on the interfaces is Up
l If configure TE tunnel, enable MPLS and MPLS TE globally firstly
Data Preparation
To configure a tunnel interface, you need the following data.
No. Data
1 Number of the tunnel interface
2 Encapsulation type of the tunnel, source address,source interface, and destination

address of the tunnel interface
1.3.2 Creating Tunnel Interfaces

You can manage such tunnels as GRE tunnels and TE tunnels by creating tunnel interfaces.
Context
Do as follows on switchs at two ends of a tunnel.
Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface tunnel interface-number
A tunnel interface is created.

TIP
When creating the tunnel interfaces, you are recommended to set the slot numbers of the tunnel interfaces
the same as the slot number of the interface sending the packets, that is, the interface at the source end. In
this manner, the packet forwarding efficiency can be improved.
----End
1.3.3 Configuring a Tunnel

Tunnel interfaces of different types have different configurations. The command for a specific
feature can be configured on tunnel interfaces only after these tunnel interfaces are configured
with encapsulation modes.
Context
Do as follows on switchs with tunnel interfaces.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The tunnel interface view is displayed.

Step 3 Run:
tunnel-protocol { gre | mpls te | ipv6-ipv4 [ 6to4 | auto-tunnel | isatap ] | ipv4-
ipv6 | none }
The encapsulation type of the tunnel is configured.

By default, the encapsulation protocol of a tunnel interface is none.
The related commands of an encapsulation protocol can be run only after the protocol is
encapsulated on the tunnel interface. For example, you can run MPLS TE commands in a tunnel
interface view after the tunnel-protocol mpls te command is configured on the tunnel interface.
Before using the tunnel-protocol mpls te command, enable global MPLS and MPLS TE first.
Step 4 Run:
destination [ vpn-instance vpn-instance-name ] dest-ip-address
The destination address is configured for the tunnel.

The parameter vpn-instance vpn-instance-name is valid only for GRE.
Step 5 (Optional) Run:
source { source-ip-address | loopback interface-number }

The source address or source interface of the tunnel is configured.

Different tunnel interfaces encapsulated with one protocol cannot be configured with the same
source address and destination address.
Whether a source address or a destination address is necessary for a tunnel interface depends on
the tunnel type. For example, an MPLS TE tunnel interface requires only a destination address.
If you use interface-type interface-number to specify the source address of a tunnel, the specified
interface cannot be the local tunnel interface.
mtu mtu
The MTU of the interface is configured.

The newly configured MTU is validated only after you run the shutdown command and the
undo shutdown command on the interface in sequence.
Step 7 Choose one of the following methods to configure the IP address of a tunnel interface.
l Run the ip address ip-address { mask | mask-length } [ sub ] command to configure the IP
address of a tunnel interface.
l Run the ip address unnumbered interface interface-type interface-number command to
configure IP unnumbered on the tunnel interface.
NOTE
For details, refer to the chapter "IP Addresses Configuration" in the Quidway S7700 Smart Routing Switch
Configuration Guide - IP Services.
----End
1.3.4 Checking the Configuration

After a tunnel interface is configured, you can view detailed information about the tunnel
interface and the specified tunnel.
Prerequisite
The configurations of the tunnel interface function are complete.
Procedure
l Run the display interface tunnel interface-number command to check information about
a tunnel interface.
l Run the display tunnel-info all command to check information about all tunnels.
l Run the display tunnel-info tunnel-id tunnel-id command to check detailed information
about a specific tunnel.
----End
Example
Run the display interface tunnel command to see that "Line protocol current state" of the tunnel
interface is "UP". For example:
[Quidway] display interface tunnel 1/0/0
Tunnel1/0/0 current state : UP
Line protocol current state : UP

Last line protocol up time : 2008-02-09 17:05:25 UTC-05:00

Description:HUAWEI, Quidway Series, Tunnel1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is unnumbered, using address of LoopBack0(9.9.9.9/32)
Encapsulation is TUNNEL, loopback not set
Tunnel destination 6.6.6.6
Tunnel up/down statistics 1
Tunnel protocol/transport MPLS/MPLS, ILM is available,
primary tunnel id is 0x10001, secondary tunnel id is 0x0
QoS max-bandwidth : 64 Kbps

Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
300 seconds output rate 0 bits/sec, 0 packets/sec
0 packets output, 0 bytes
0 output error
0 output drop
Input bandwidth utilization : --

Output bandwidth utilization : --
Run the display tunnel-info command to check the information about the tunnel, such as the
tunnel ID. For example:
[Quidway] display tunnel-info all
* -> Allocated VC Token
Tunnel ID Type Destination Token
----------------------------------------------------------------------
0x10000 lsp 7.7.7.7 0
0x10001 lsp 6.6.6.6 1
0x10002 lsp 6.6.6.6 2
0x10003 gre 10.1.1.1 3
Run the display tunnel-info tunnel-id tunnel-id command to further check the information
about the tunnel. For example:
[Quidway] display tunnel-info tunnel-id 10003
Tunnel ID: 0x10003
Tunnel Token: 3
Type: gre
Destination: 10.1.1.1
Out Slot: 0
Instance ID: 0
Interface: Tunnel1/0/0

By default, the system selects an LSP and performs no load balancing. If load balancing or other
types of tunnels are required, you need to configure a select-sequence tunnel policy and apply
the tunnel policy.

Before configuring a select-sequence tunnel policy for an L3VPN, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the required data. This
can help you complete the configuration task quickly and accurately.

Applicable Environment
By default, the system selects LSPs for a VPN and no load balancing is performed. If load
balancing or other types of tunnels are required, you need to configure a tunnel policy and apply
the tunnel policy.
In L3VPN, a tunnel policy is applied for VPN instances. In L2VPN, a tunnel policy is applied
for VCs.
The policy includes tunnel selection and the number of tunnels for load balancing.
Before configuring a tunnel policy, complete the following tasks:
l Creating the tunnel (LSP or MPLS TE) for the VPN instance
l Configuring the VPN instance on the PE (refer to the chapter "Configuring a VPN
Instance" in this manual)
Data Preparation
To configure the tunnel policy, you need the following data.
No. Data
1 Name of the tunnel policy
2 Priority of the tunnels
3 Number of tunnels for load balancing
4 Name of the VPN instance configured with a tunnel policy
1.4.2 Configuring a Tunnel Policy

For a select-sequence tunnel policy, you can specify the sequence in selecting tunnels and the
number of tunnels carrying out load balancing.
Context
Do as follows on a PE configured with a VPN instance.
Procedure
Step 1 Run:
system-view

Step 2 Run:
tunnel-policy policy-name
A tunnel policy is created and the tunnel policy view is displayed.

A tunnel policy indicates only one tunnel selection mode. If more tunnel selection modes are
required, you need to create multiple tunnel policies.
A VPN instance can only use one tunnel policy;multiple VPN instances can use the same VPN
tunnel policy.
Step 3 Run:
tunnel select-seq { cr-lsp | gre | lsp }* load-balance-number load-balance-number
The priority of the tunnels and the number of tunnels for load balancing are configured.
If no tunnel policy is configured for the L3VPN, an LSP is used as the VPN tunnel, and the
number of tunnels for load balancing is 1.
----End
1.4.3 Applying the Tunnel Policy to L3VPN

After a tunnel policy is configured, you also need to apply the tunnel policy to the VPN instance.
Context
For L3VPN, the tunnel policy is applied to the VPN instance. Do as follows on a PE configured
with a VPN instance.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ip vpn-instance vpn-instance-name
The VPN instance view is displayed.

Step 3 Run:
tnl-policy policy-name
A tunnel policy is applied to the VPN instance.
----End

If a select-sequence tunnel policy is configured for an L3VPN, you can view configurations of
the tunnel policy, and information about the tunnels and tunnel policy that is applied to the routes
of the VPN instance.
Prerequisite
The configurations of the tunnel policies (Select-sequence Mode) applied to L3VPN function
are complete.

Procedure
l Run the display tunnel-policy tunnel-policy-name command to check configuration of the
tunnel policy.
l Run the display ip vpn-instance verbose [ vpn-instance-name ] command to check tunnel
policy of the VPN instance.
l Run the display ip routing-table vpn-instance vpn-instance-name [ ip-address ]
verbose command to check the tunnel that transmits the routes of the VPN instance.
l Run the display tunnel-info tunnel-id tunnel-id command to check information about a
specified tunnel.
----End
Example
Run the display tunnel-policy command. If the configuration of the tunnel policy is displayed,
it means the configuration succeeds. For example:
[Quidway] display tunnel-policy policy1
Tunnel Policy Name Select-Seq Load balance No
---------------------------------------------------------------------
policy1 LSP 1
Run the display tunnel-policy command. If the tunnel policy of the VPN instance is displayed,
it means the configuration succeeds. In the following example, you can view the tunnel policy
of the VPN named vpna is policy1.
[Quidway] display ip vpn-instance verbose
Total VPN-Instances configured : 1
VPN-Instance Name and ID : vpna, 1

Create date : 2007/09/20 12:03:31 UTC-08:00
Up time : 0 days, 05 hours, 23 minutes and 09 seconds
Route Distinguisher : 1:1
Export VPN Targets : 1:1
Import VPN Targets : 1:1
Label Policy : label per route
Tunnel Policy : policy1
Log Interval : 5
Interfaces : Vlanif10
Run the display ip routing-table vpn-instance vpn-instance-name verbose command, and you
can view the information about the tunnel that transmits the VPN routes. For example:
[Quidway] display ip routing-table vpn-instance vpna 11.11.12.0 verbose
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : vpna
Summary Count : 1
Destination: 11.11.12.0/24
Protocol: BGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 6.6.6.6 Neighbour: 6.6.6.6
State: Active Adv Relied Age: 00h01m04s
Tag: 0 Priority: low
Label: 11264 QoSInfo: 0x0
IndirectID: 0x3
RelayNextHop: 0.0.0.0 Interface: Tunnel1/0/1
TunnelID: 0x10002 Flags: RD
RelayNextHop: 10.1.1.1 Interface: Vlanif15

Run the display tunnel-info tunnel-id tunnel-id command, and you can view detailed
information about a specified tunnel. For example:
[Quidway] display tunnel-info tunnel-id 10005
Tunnel ID: 0x10005
Tunnel Token: 5
Type: cr lsp
Destination: 10.1.1.1
Out Slot: 0
Instance ID: 0
Interface: Tunnel1/0/1
Sub Tunnel ID: 0x0

By default, the system selects LSPs for a VPN and no load balancing is carried out. If load
balancing or other types of tunnels are required, you need to configure a tunnel policy and bind
the tunnel policy to the tunnels.

Before configuring a select-sequence tunnel policy for an L2VPN, familiarize yourself with the
By default, LSPs are selected for a VPN, and no load balancing is carried out. To perform load
balancing or select tunnels of other types, configure and apply the corresponding tunnel policies.
For an L2VPN tunnel, the tunnel policy is applied to VC.
At present, a tunnel policy in select-sequence mode consists of the following parts:
l Tunnel selection
l Number of tunnels participating in load balancing
Before configuring a tunnel policy, complete the following tasks:
l Creating the tunnel (LSP or MPLS TE) for a VC
l Enabling MPLS L2VPN and performing basic L2VPN configurations on PEs
l Creating the VC of the corresponding type on the PE (refer to the chapter "VLL
Configuration" in this manual)
Data Preparation
Before configuring a tunnel policy, you need the following data.

No. Data
2 Priority of tunnels
3 Number of tunnels participating in load balancing
4 Type and serial number of the VC interface on which the

tunnel policy needs to be applied

By using the select-sequence tunnel policy, you can specify the sequence in which the tunnel
types are used and the number of tunnels carrying out load balancing.
Context
Do as follows on a PE configured with VC.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The tunnel policy is created, and the tunnel policy view is displayed.
A tunnel policy indicates only one tunnel selection mode. If more tunnel selection modes are
required, you need create multiple tunnel policies.
A VC can apply only one tunnel policy. Multiple VCs can share the same tunnel policy.
Step 3 Run:
tunnel select-seq { cr-lsp | gre | lsp } * load-balance-number load-balance-number
The priority of tunnels and number of tunnels participating in load balancing are configured.
NOTE
The VPLS network and VLL network do not support GRE tunnels. Therefore, do not configure gre when
configuring a tunnel policy on the VPLS network or VLL network.
----End
Follow-up Procedure
For L2VPN, if no tunnel policy is configured, LSP is selected as the VPN tunnel, and no load
balancing is carried out.
In a tunnel policy, tunnels are selected in sequential order. If the preceding tunnel is Up, it will
be selected irrespective of whether or not another service has selected it. The subsequent tunnel

is not selected in most cases, exceptthat load balancing is performed or the preceding tunnels
are in the Down state.
For example, if the tunnel select-seq cr-lsp lsp load-balance-number 1 command is

configured, a VPN selects the LSP tunnel if no CR-LSP exists. After an CR-LSP is set up, the
VPN selects the CR-LSP and does not use the LSP tunnel anymore.
1.5.3 Applying the Tunnel Policy to L2VPN

This part describes how to apply a tunnel policy for the VLL, VPLS and PWE3.
Context
Select one of the following configurations according to the L2VPN type.
l Applying a tunnel policy to VLL in SVC mode

l Applying a tunnel policy to VLL in Martini mode
l Applying a tunnel policy to VLL in Kompella mode
l Applying a tunnel policy to VPLS in Martini mode
l Applying a tunnel policy to VPLS in Kompella mode
l Applying a tunnel policy to PWE3
When using XGE, GE, Ethernet, or Eth-Trunk interfaces as AC interfaces, you need to configure
the undo portswitch command in the interface view before configuring the L2VPN.
When using XGE, GE, Ethernet, or Eth-Trunk sub-interfaces as AC interfaces, you need to
configure the sub-interface type before configuring the L2VPN. For details on how to configure
sub-interfaces, see Connecting Sub-interfaces to a VLL Network.
Procedure
l Applying a tunnel policy to VLL in SVC mode
Do as follows on PEs configured with VCs:
1. Run:
system-view

2. Run:
interface interface-type interface-number
The view of the interface connected with the CE is displayed.

3. Run:
mpls static-l2vc destination ip-address transmit-vpn-label transmit-label-
value receive-vpn-label receive-label-value tunnel-policy tnl-policy-name
A tunnel policy is applied to the VC of the VLL in SVC mode.

l Applying a tunnel policy to VLL in Martini mode
1. Run:
system-view

2. Run:
The view of the interface connected with the CE is displayed.

3. Run:
mpls l2vc ip-address vc-id tunnel-policy policy-name
A tunnel policy is applied to the VC of the VLL in Martini mode.

l Applying a tunnel policy to VLL in Kompella mode
1. Run:
system-view

2. Run:
mpls l2vpn vpn-name
The MPLS L2VPN instance view is displayed.

3. Run:
ce ce-name
The MPLS L2VPN CE view is displayed.

4. Run:
connection [ ce-offset id ] interface interface-type interface-number
A tunnel policy is applied to the VC of the VLL in Kompella mode.
NOTE
Before configuring Kompella VLL on a PE, create a connection with a CE by running the ce
ce-name id ce-id [ range ce-range ] [ default-offset ce-offset ] command.
l Applying a tunnel policy to VPLS in Martini mode
Do as follows on the PEs at both ends of a PW:
1. Run:
system-view

2. Run:
vsi vsi-name [ auto | static ]
A VSI is created.
3. Run:
pwsignal ldp
LDP is configured as the PW signaling protocol and the VSI-LDP view is displayed.
4. Run:
vsi-id vsi-id
The VSI ID is set.

5. Run:
peer peer-address [ negotiation-vc-id vc-id ] [ tnl-policy policy-name ]
The VSI peer relationship is configured and a tunnel policy is applied to the peer.

l Applying a tunnel policy to VPLS in Kompella mode

1. Run:
system-view

2. Run:
A VSI is created.
3. Run:
pwsignal bgp
BGP is configured as the PW signaling protocol and the VSI BGP view is displayed.
4. Run:
route-distinguisher route-distinguisher
The RD is configured for the VSI.

5. Run:
A tunnel policy is applied to the VSI.

l Applying a tunnel policy to PWE3
Do as follows on PEsconfigured with VCs.
1. Run:
system-view

2. Run:
The view of the interface connected with the CE device is displayed.

3. Choose one of the following options to apply tunnel policy to PW.
For dynamic PW, run: mpls l2vc { pw-template pw-template-name | ip-
address } * vc-id tunnel-policy policy-name
For static PW, run: mpls static-l2vc { { destination ip-address | pw-template
pw-template-name vc-id } * | destination ip-address [ vc-id ] } transmit-vpn-
label transmit-label-value receive-vpn-label receive-label-value [ tunnel-
policy tnl-policy-name | [ control-word | no-control-word ] | [ raw | tagged] ] *
----End

After a select-sequence tunnel policy is configured for an L2VPN, you can view configurations
of the tunnel policy, tunnels that are used by VCs, and information about these tunnels.
Context
The configurations of the tunnel policies (Select-sequence Mode) applied to L2VPN function
are complete.

Procedure
l Run the display tunnel-policy tunnel-policy-name. command to check the configuration
of a tunnel policy.
l Run the display mpls l2vc [ interface interface-type interface-number ]. command to check
the information about the tunnel used by the VC in L2VPN in SVC, PWE3, or Martini
mode.
l Run the display mpls l2vpn connection [ interface interface-type interface-number ]
command to check the information about the tunnel used by the VC in Kompella L2VPN.
specified tunnel.
----End
Example
Run the display tunnel-policy command. If the bound tunnel interface is displayed, it means
the configuration succeeds. For example:
<Quidway> display tunnel-policy policy1
---------------------------------------------------------------------
policy1 LSP 1
For the VC of the L2VPN in SVC or Martini mode, run the display mpls l2vc interface
interface-type interface-number command. If the tunnel policy configuration of the VC is
displayed, it means the configuration succeeds. In the following example, you can view the
tunnel policy on VLANIF 10 of the VC is policy1.
<Quidway> display mpls l2vc interface vlanif 10
*client interface : Vlanif10 is up
Administrator PW : no
session state : up
AC state : up
VC state : up
VC ID : 116119
VC type : VLAN
destination : 6.6.6.6
local group ID : 0 remote group ID : 0
local VC label : 23552 remote VC label : 23552
local AC OAM State : up
local PSN State : up
local forwarding state : forwarding
local status code : 0x0
remote AC OAM state : up
remote PSN state : up
remote forwarding state: forwarding
remote status code : 0x0
BFD for PW : unavailable
manual fault : not set
active state : active
forwarding entry : exist
link state : up
local VC MTU : 1500 remote VC MTU : 1500
local VCCV : alert lsp-ping bfd
remote VCCV : Disable
local control word : disable remote control word : disable
tunnel policy name : policy1
traffic behavior name : --
PW template name : --
primary or secondary : primary
VC tunnel/token info : 1 tunnels/tokens
NO.0 TNL type : lsp , TNL ID : 0x10000

create time : 0 days, 2 hours, 0 minutes, 12 seconds

up time : 0 days, 2 hours, 0 minutes, 12 seconds
last change time : 0 days, 2 hours, 0 minutes, 12 seconds
VC last up time : 2009/09/20 20:33:37
VC total up time : 0 days, 2 hours, 0 minutes, 12 seconds
CKey : 5
NKey : 4
PW redundancy mode : --
AdminPw interface : --
AdminPw link state : --
For the VC of the L2VPN in Kompella mode, run the display mpls l2vpn connection
interface interface-type interface-number command. If the tunnel policy of the VC is displayed,
it means the configuration succeeds.
[Quidway] display mpls l2vpn connection interface vlanif 10
conn-type: remote
local vc state: up
remote vc state: up
local ce-id: 2
local ce name: ce2
remote ce-id: 1
intf(state,encap): Vlanif10(up,vlan)
peer id: 6.6.6.6
route-distinguisher: 100:1
local vc label: 31750
remote vc label: 35847
tunnel policy: Policy2
CKey: 7
NKey: 6
primary or secondary: primary
forward entry exist or not: true
forward entry active or not:true
manual fault set or not: not set
AC OAM state: up
BFD for PW session index: --
BFD for PW state: invalid
BFD for LSP state: true
Local C bit is not set
Remote C bit is not set
tunnel type: lsp
tunnel id: 0x10000

VPN tunnel binding refers to the binding between a TE tunnel and a VPN. After the binding,

Before configuring L3VPN tunnel binding, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.
When deploying the VPN service, you can bind a VPN primary tunnel to an MPLS TE tunnel.
In this manner, the MPLS TE tunnel can transmit VPN services exclusively. The congestion
caused by unbalanced load can be avoided, and no interference occurs among different VPN
services. Therefore, the QoS of the VPN service is guaranteed.

Before configuring VPN primary tunnel binding, complete the following tasks:
l Connecting the interfaces, configuring physical parameters for the interfaces to ensure that
the physical status of the interfaces is Up
ensure the status of the link layer protocol on the interfaces is Up
l Configuring the static route or the Interior Gateway Protocol (IGP) to ensure routes are
reachable to all nodes
l Configuring basic MPLS functions and enabling MPLS TE
l Configuring the MPLS TE tunnels between PEs (refer to the Quidway S7700 Smart Routing
Switch Configuration Guide - MPLS).
l Configuring the VPN instance on the PE (refer to the chapter "3 BGP MPLS IP VPN
Configuration" in this manual)
Data Preparation
To configure VPN primary tunnel binding, you need the following data.
No. Data
2 QoS parameters for the MPLS TE tunnel such as bandwidth
3 Name of the VPN instance
1.6.2 Enabling the VPN Binding for a Tunnel

A tunnel can be bound to a VPN only after VPN tunnel binding is enabled.
Context
Only the tunnel enabled with the VPN binding can be bound with the VPN.
Do as follows on PEs at both ends of the TE tunnel.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The tunnel interface view of the MPLS TE is displayed.

Step 3 Run:
mpls te reserved-for-binding

The VPN binding for the tunnel is enabled.
The tunnel policy in select-sequence mode cannot use the tunnel enabled with the VPN binding.
Step 4 Run:
mpls te commit
The current configuration is validated.
----End
1.6.3 Configuring the VPN Binding of the Tunnel Policy

After enabling VPN tunnel binding, you must also configure a tunnel policy to ensure that the
VPN data is transmitted along the bound tunnel.
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
A tunnel policy is created.
Step 3 Run:
tunnel binding destination dest-ip-address te tunnel interface-number [ down-
switch ]
The peer address is bound with the tunnel policy. The VPN data from the local end are transmitted
to the destination address through the bound tunnel.
Note the following:
l Tunnel policy can be either in select-sequence mode or tunnel binding mode. Therefore, the
tunnel policy configured with the tunnel binding command cannot be then configured with
the tunnel select-seq command.
l A maximum of six tunnels can be bound to the same destination address for a PE.
l If the PE has multiple peers, a tunnel policy can be configured with multiple tunnel
binding commands with different destination address
----End
1.6.4 Applying the Tunnel Policy to the L3VPN

After a tunnel binding policy is applied to an L3VPN, the VPN data is transmitted along the
bound tunnel.

Context
Different VPN services to the same destination on a PE must apply different tunnel policies, and
be bound with different TE tunnels.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
The tunnel policy is applied to the VPN instance.
----End

After configuring L3VPN main tunnel binding, you can view information about the bound tunnel
policy, and interfaces of the bound tunnel.
Prerequisite
The configurations of the L3VPN tunnel binding function are complete.
Procedure
l Run the display tunnel-policy tunnel-policy-name command to check information about
the tunnel policy in tunnel binding mode.
l Run the display interface tunnel interface-number command to check the information
about the interface of the bound tunnel.
l Run the display ip vpn-instance verbose [ vpn-instance-name ] command to check the
tunnel policy of the VPN instance.
verbose command to view information about the tunnel for IP routing.
specified tunnel.
----End
Example
Run the display tunnel-policy command. If the bound tunnel interface is displayed, and the
destination address is configured the same as that in real situation, it means the configuration
succeeds. For example:
Tunnel Policy Name Destination Tunnel Intf Down Switch

---------------------------------------------------------------------
policy1 2.2.2.9 Tunnel1/0/0 Disable
3.3.3.9 Tunnel2/0/0 Disable
Run the display interface tunnel, and you can view the bound tunnel is Up. For example:
<Quidway> display interface tunnel 1/0/0
Last line protocol up time : 2009-02-23 10:54:40
Description : HUAWEI, Quidway Series, Tunnel1/0/0 Interface
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
0 packets output error

Run the display ip vpn-instance verbose command. If the tunnel policy name of the VPN
instance is displayed, it means the configuration succeeds. In the following example, you can
view the tunnel policy of the VPN instance named vpna is policy1.
<Quidway> display ip vpn-instance verbose
Create date : 2004/10/11 16:12:02
Log Interval : 5
Run the display ip routing-table vpn-instance verbose command and you can view the tunnels
used by the VPN routes. For example:
<Quidway> display ip routing-table vpn-instance vpna 10.3.1.0 verbose
-----------------------------------------------------------------------------
Routing Table : vpna
Summary Count : 1
State: Active Adv GotQ Age: 00h00m08s
IndirectID: 0x12
Tunnel ID: 0x10002 Flags: RD


L2VPN tunnel binding refers to the binding between a TE tunnel and a VPN. After the binding,

Before configuring L2VPN main tunnel binding, familiarize yourself with the applicable
When deploying the MPLS L2VPN service, you need consider not only the transparent
transmission of user data, but also the following points:
l MPLS TE tunnels are used to transmit data, which can optimize the usage of network
resource, and avoid the congestion caused by unbalanced load.
l The L2VPN service should be separated from other services. Therefore, the QoS of the
L2VPN service is guaranteed.
The MPLS TE tunnel and the MPLS L2VPN primary tunnel binding need to be configured on
the PEs of the backbone network.
Before configuring MPLS L2VPN primary tunnel binding, complete the following tasks:
l Configuring the static route or IGP to ensure that routes are reachable to all nodes
l Configuring basic MPLS functions and enabling MPLS TE
l Configuring the MPLS TE tunnels between PEs (refer to the Quidway S7700 Smart Routing
Switch Configuration Guide - MPLS
l Creating the VC on the PE (refer to the chapter "MPLS L2VPN Configuration" in this
manual)
Data Preparation
To configure L2VPN primary tunnel binding, you need the following data.
No. Data
2 QoS parameters for the MPLS TE tunnel such as bandwidth
3 Type and serial number of the VC interface , destination address, and VC ID

1.7.2 Enabling the VPN Binding for a Tunnel

A tunnel can be bound to a VPN only after VPN tunnel binding is enabled.
Context
Only the tunnel enabled with the VPN binding can be bound with the VPN.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The tunnel interface view of the MPLS TE is displayed.

Step 3 Run:
The VPN binding forthe tunnel is enabled.

The tunnel policy in select-sequence mode cannot use the tunnel enabled with the VPN binding.
Step 4 Run:
mpls te commit
The current configuration is validated.
----End
1.7.3 Configuring the VPN Binding of the Tunnel Policy

After enabling VPN tunnel binding, you must also configure a tunnel policy to ensure that the
VPN data is transmitted along the bound tunnel.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:

A tunnel policy is created.
Step 3 Run:
tunnel binding destination dest-ip-address te tunnel interface-number [ down-
switch ]
The peer address is bound with the tunnel policy. The VPN data from the local end are transmitted
through the bound tunnel to the destination address.
If a TE tunnel is bound with the destination address, the VPN data is only transmitted to the
destination address through the bound tunnel. Note the following:
l Tunnel policy can be either in select-sequence mode or tunnel binding mode. Therefore, the
tunnel policy configured with the tunnel binding command cannot be then configured with
the tunnel select-seq command.
l One dest-ip-address of a PE device can only be bound with one tunnel. If multiple tunnels
are bound, the last binding overwrites the previous one.
l If the PE has multiple peers, a tunnel policy can be configured with multiple tunnel
binding commands with different dest-ip-address.
----End
1.7.4 Applying the Tunnel Policy to the Martini L2VPN

After a tunnel binding policy is applied to an L2VPN, the VPN data is transmitted along the
bound tunnel.
Context
Different VPN services to the same destination on a PE must apply different tunnel policies, and
be bound with different TE tunnels.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The AC interface view is displayed.
Step 3 Run:
mpls l2vc ip-address vc-id tunnel-policy policy-name
The tunnel policy is applied to the VC.
----End

After configuring L2VPN main tunnel binding, you can view information about the bound tunnel
policy, and interfaces of the bound tunnel.

Context
The configurations of the L2VPN tnnel binding function are complete.
Procedure
l Run the display tunnel-policy tunnel-policy-name. command to check information about
the tunnel policy in tunnel binding mode.
l Run the display interface tunnel interface-number. command to check the information
about the interface of the bound tunnel.
l Run the display mpls l2vc [ interface interface-type interface-number ]. command to check
the information about the tunnel used by the VC in L2VPN in SVC, PWE3, or Martini
mode.
----End
Example
Run the display tunnel-policy command. If the bound tunnel interface is displayed, and the
destination address is configured the same as that in real situation, it means the configuration
Tunnel Policy Name Destination Tunnel Intf Down Switch
---------------------------------------------------------------------
policy1 2.2.2.9 Tunnel1/0/0 Disable
3.3.3.9 Tunnel2/0/0 Disable
Run the display interface tunnel command. If the bound tunnel is Up, it means the configuration
<Quidway> display interface tunnel 1/0/0
primary tunnel id is 0x10006, secondary tunnel id is 0x0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
0 packets output error
Run the display mpls l2vc command. If the tunnel policy name of the VC is displayed, it means
the configuration succeeds. In the following example, you can view the tunnel policy of the VC
is policy1.
<Quidway> display mpls l2vc
total LDP VC : 1 1 up 0 down
*client interface : GigabitEthernet1/0/0.1

session state : up

AC status : up
VC state : up
VC ID : 116119
VC type : VLAN
control word : disable
local group ID : 0
link state : up
traffic behavior name: --
VC last up time : 2007/09/20 20:33:37
CKey : 5
NKey : 4
1.8 Maintaining a VPN Tunnel

Monitor the running status of the VPN tunnel.
1.8.1 Monitoring the Running Status of a Tunnel

To know whether a VPN tunnel is created and configurations of a created tunnel, you can monitor
the running status of the VPN tunnel.
Context
In routine maintenance, you can run the following commands to view the running status of a
VPN tunnel.
Procedure
l Run the display interface tunnel interface-number command to view information about
the tunnel interface.
l Run the display tunnel-info tunnel-id command to view information about a specified
tunnel.
l Run the display tunnel-info all command to view information about all tunnels.
l Run the display tunnel-policy tunnel-policy-name command to view information about a
specified tunnel policy.
l Run the display ip vpn-instance verbose [ vpn-instance-name ] command to view
information about the tunnel policy oused by a specified VPN instance.
l Run the display ip routing-table vpn-instance [ ip-address ] verbose command to view
information about the tunnel for IP routing.
l Run the display mpls l2vc [ interface interface-type interface-number ] command to view
information about the tunnel used by the VC in the SVC, PWE3 VC, or Martini L2VPN.

l Run the display mpls l2vpn connection interface interface-type interface-number

command to view information about the tunnel used by the VC in the Kompella L2VPN.
----End
1.8.2 Debugging a Tunnel

If a VPN tunnel runs abnormally, you need to debug the VPN tunnel to locate the fault and
analyze the cause. Note that debugging affects the performance of the system.
Context
CAUTION
Debugging affects the performance of the system. Therefore, after debugging, run the undo
debugging all command to disable the debugging immediately.
When a fault occurs in a tunnel, run the following debugging commands in the user view to
debug the tunnel and locate the fault.
For the procedure of outputting the debugging information, refer to Information Center
Configuration.
For the description about the debugging commands, refer to the Quidway S7700 Smart Routing
Switch Debugging Reference.
Procedure
l Run the debugging tunnel all [ interface tunnel interface-number ] command in the user
view to enable tunnel debugging.
l Run the debugging tnlm { all | error | event } command in the user view to enable the
debugging related to tunnel management.
----End

This section provides examples for applying a tunnel policy to the L3VPN or L2VPN.
1.9.1 Example for Configuring Tunnel Policies for the L3VPN
Networking Requirements
Figure 1-2 shows the networking diagram of the MPLS L3VPN. CE1 and CE3 belong to VPNA,
and CE2 and CE4 belongs to VPNB. Two MPLS TE tunnels and an LSP are set up between PE1
and PE2. VPNA is binding one of TE tunnels. VPNB prefers the TE tunnels.

Figure 1-2 Networking diagram for configuring the tunnel policy for the L3VPN
VPNA VPNA
CE1 CE3
GE1/0/3
GE1/0/3 Loopback1
Loopback1 MPLS TE tunnel 1/0/1
1.1.1.1/32 2.2.2.2/32
GE1/0/3
MPLS TE tunnel 1/0/2 ( binding) GE1/0/3
GE1/0/1 GE1/0/1
GE1/0/2 GE1/0/2
PE1 PE2
GE1/0/2 LSP
GE1/0/2
VPNB VPNB
CE2 CE4
Device Interface VLANIF interface IP address
PE1 GigabitEthernet1/0/1 VLANIF 10 100.1.1.1/30
GigabitEthernet1/0/2 VLANIF 20 10.2.1.2/30
Loopback1 - 1.1.1.1/32
Loopback1 - 2.2.2.2/32
CE1 GigabitEthernet1/0/3 VLANIF 30 10.1.1.1/30
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the routing protocol to ensure communication between the PEs.

2. Configure the basic MPLS capability on the PEs on the backbone network and set up an
LSP and two MPLS TE tunnels between the PEs.
3. Configure VPN instances on the PEs and connect the CEs to the PEs.

4. Configure tunnel policies and apply the tunnel policies to the VPN instances.
5. Configure MP-IBGP for exchanging routing information between the VPNs.
Data Preparation
To complete the configuration, you need the following data:
l MPLS LSR IDs of the PEs
l Names, RDs, and VPN targets of the two VPN instances
l Names of the two tunnel policies
Procedure
Step 1 Enable the IGP protocol on the MPLS backbone network to ensure IP interworking between the
PEs.
# Configure PE1.
<Quidway> system-view
[Quidway] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] vlan 10
[PE1-vlan10] quit
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[PE1-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[PE1-GigabitEthernet1/0/1] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip address 100.1.1.1 30
[PE1-Vlanif10] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.3
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure PE2.
[PE2] vlan 10
[PE2-vlan10] quit
[PE2-Vlanif10] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
# By running the display ip routing-table command on the PEs, you can see that the PEs can
learn the routes of each other's Loopback1 interface.

# Take the display on PE1 as an example:

[PE1] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 10 Routes : 10
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
2.2.2.2/32 OSPF 10 2 D 100.1.1.2 Vlanif10
100.1.1.0/30 Direct 0 0 D 100.1.1.1 Vlanif10
100.1.1.2/32 Direct 0 0 D 172.1.1.2 Vlanif10
Step 2 Enable the basic MPLS capability on the MPLS backbone and establish an LDP LSP.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] label advertise non-null
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif10] mpls
[PE1-Vlanif10] mpls ldp
[PE1-Vlanif10] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif10] mpls
[PE2-Vlanif10] quit
# After the configuration, an LDP LSP can be set up between PE1 and PE2. By running the
display tunnel-info all command, you can see the LSP destined for the address 2.2.2.2. By
running the display mpls ldp lsp command, you can view the LSP information.
[PE1] display tunnel-info all
----------------------------------------------------------------------
0x1001c lsp 2.2.2.2 0
0x1001d lsp 2.2.2.2 1
[PE1]display mpls ldp lsp
LDP LSP Information

-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
1.1.1.1/32 1124/NULL 2.2.2.2 127.0.0.1 InLoop0
1.1.1.1/32 Liberal/1024 2.2.2.2
2.2.2.2/32 NULL/1025 - 100.1.1.2 Vlanif10

-------------------------------------------------------------------------------
TOTAL: 3 Normal LSP(s) Found.
TOTAL: 0 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is in GR state
A '*' before a NextHop means the LSP is FRR LSP
Step 3 Set up an MPLS TE tunnel between the PEs.
# Configure the maximum link bandwidth and maximum reservable bandwidth for the MPLS
TE tunnel.
# Configure PE1.
[PE1] mpls
[PE1-mpls] mpls te
[PE1-mpls] mpls rsvp-te
[PE1-mpls] mpls te cspf
[PE1-mpls] quit
[PE1] interface tunnel 1/0/1
[PE1-Tunnel1/0/1] ip address unnumbered interface loopback1
[PE1-Tunnel1/0/1] tunnel-protocol mpls te
[PE1-Tunnel1/0/1] destination 2.2.2.2
[PE1-Tunnel1/0/1] mpls te tunnel-id 11
[PE1-Tunnel1/0/1] mpls te commit
[PE1-Tunnel1/0/1] quit
[PE1-Tunnel1/0/2] mpls te reserved-for-binding
[PE1-Vlanif10] mpls te
[PE1-Vlanif10] mpls rsvp-te
[PE1-Vlanif10] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] mpls te
[PE2-mpls] quit
[PE2-Vlanif10] mpls
[PE2-Vlanif10] quit

# Enable OSPF on the devices along the TE tunnel so that the devices can transmit TE attributes.
# Configure PE1.
[PE1] ospf 1
[PE1-ospf-1] opaque-capability enable
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] mpls-te enable
[PE1-ospf-1] quit
# Configure PE1.
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
# By running the display interface tunnel interface-number command on the PEs, you can see
that Tunnel1/0/1 and Tunnel1/0/2 are both Up. Take Tunnel1/0/2 on PE1 for example.
[PE1] display interface Tunnel 1/0/2
Last line protocol up time : 2007-09-10 13:54:57-08:00
Route Port,
primary tunnel id is 0x1003d, secondary tunnel id is 0x0

0 output error
0 output drop

Step 4 Configure VPN instances on each PE and connect the CEs to the PEs.
# Configure PE1.
[PE1] ip vpn-instance VPNA
[PE1-vpn-instance-VPNA] route-distinguisher 100:1
[PE1-vpn-instance-VPNA] vpn-target 111:1 both
[PE1-vpn-instance-VPNA] quit
[PE1] ip vpn-instance VPNB
[PE1-vpn-instance-VPNB] route-distinguisher 100:2
[PE1-vpn-instance-VPNB] vpn-target 222:2 both
[PE1-vpn-instance-VPNB] quit
[PE1-Vlanif30] ip binding vpn-instance VPNA
[PE1-Vlanif30] quit
[PE1-Vlanif20] ip binding vpn-instance VPNB
[PE1-Vlanif20] quit

# Configure PE2.
[PE2-vpn-instance-VPNA] route-distinguisher 100:3
[PE2-vpn-instance-VPNA] vpn-target 111:1 both
[PE2-vpn-instance-VPNB] route-distinguisher 100:4
[PE2-vpn-instance-VPNB] vpn-target 222:2 both
[PE2-Vlanif50] ip binding vpn-instance VPNA
[PE2-Vlanif50] quit
[PE2-Vlanif40] ip binding vpn-instance VPNB
[PE2-Vlanif40] quit
# Configure the interface addresses of the VLAN where the CE interface resides and configure
the IP addresses of the VLANIF interfaces according to Figure 1-2. The configuration procedure
is not given.
# By running the display ip vpn-instance verbose command on the PEs, you can see the
configuration of the VPN instances. The PEs can ping the connected CEs successfully.
NOTE
If multiple interfaces on a PE are bound to the same VPN, you must specify the source address when you
run the ping command to ping the connected CE. That is, specify -a source-ip-address in the ping -a
source-ip-address -vpn-instance vpn-instance-name destination-address command; otherwise, the ping
operation may fail.
Step 5 Configure and apply a tunnel policy on the PE.

# Configure the tunnel policy for binding primary tunnel and apply the tunnel policy to VPNA.
# Configure PE1.
[PE1]tunnel-policy policy1
[PE1-tunnel-policy-policy1]tunnel binding destination 2.2.2.2 te tunnel1/0/2
[PE1-tunnel-policy-policy1] quit
[PE1-vpn-instance-VPNA] tnl-policy policy1
# Configure PE2.
[PE2] tunnel-policy policy1
[PE2-tunnel-policy-policy1] tunnel binding destination 1.1.1.1 te tunnel1/0/2
[PE2-vpn-instance-VPNA] tnl-policy policy1
# Configure the tunnel policy that specifies the tunnel selection sequence and apply the tunnel
policy to VPNB.
# Configure PE1.
[PE1-tunnel-policy-policy2] tunnel select-seq cr-lsp lsp load-balance-number 1
[PE1-vpn-instance-VPNB] tnl-policy policy2
# Configure PE2.


[PE2-tunnel-policy-policy2] tunnel select-seq cr-lsp lsp load-balance-number 1
[PE2-vpn-instance-VPNB] tnl-policy policy2
Step 6 Set up MP-IBGP adjacency between the PEs.

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.2 as-number 100
[PE1-bgp] peer 2.2.2.2 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.2 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] quit
# After the configuration, run the display bgp peer or display bgp vpnv4 all peer command.
You can see that the BGP peers between the PEs are established.
Step 7 Set up EBGP adjacency between PEs and CEs.
# Configure PE1
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance VPNA
[PE1-bgp-af-VPNA] peer 10.1.1.1 as-number 65410
[PE1-bgp-af-VPNA] quit
[PE1-bgp] ipv4-family vpn-instance VPNB
[PE1-bgp-af-VPNB] peer 10.2.1.1 as-number 65410
[PE1-bgp-af-VPNB] quit
[PE1-bgp] quit
# Configure CE1
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] quit
# Configure CE2
[CE2] bgp 65410
[CE2-bgp] quit
# Configure PE2
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance VPNA
[PE2-bgp-af-VPNA] peer 10.3.1.1 as-number 65420
[PE2-bgp-af-VPNA] quit
[PE2-bgp] ipv4-family vpn-instance VPNB
[PE2-bgp-af-VPNB] peer 10.4.1.1 as-number 65420
[PE2-bgp-af-VPNB] quit
[PE2-bgp] quit
# Configure CE3

[CE3] bgp 65420

[CE3-bgp] quit
# Configure CE4
[CE4] bgp 65420
[CE4-bgp] quit
Step 8 Verify the configuration.
# Run the display ip routing-table vpn-instance command on the PE. You can view the routes
to the remote CE.

[PE1] display ip routing-table vpn-instance VPNA
------------------------------------------------------------------------------
Routing Tables: VPNA
10.1.1.0/30 Direct 0 0 D 10.1.1.2 Vlanif30
10.3.1.0/30 BGP 255 0 RD 2.2.2.2 Tunnel1/0/2
[PE1] display ip routing-table vpn-instance VPNB
------------------------------------------------------------------------------
Routing Tables: VPNB
10.2.1.0/30 Direct 0 0 D 10.2.1.2 Vlanif20
10.4.1.0/30 BGP 255 0 RD 2.2.2.2 Tunnel1/0/1
BGP 255 0 RD 2.2.2.2 Vlanif10
# Run the display ip routing-table vpn-instance verbose command on the PEs, and you can
see the tunnels used by the VPN routes.

[PE1] display ip routing-table vpn-instance VPNA 10.3.1.0 verbose
Routing Table : VPNA
Summary Count : 1
Tag: 0 Priority: 0
Tunnel ID: 0x1003d
[PE1] display ip routing-table vpn-instance VPNB 10.4.1.0 verbose
Routing Table : VPNB
Summary Count : 1
Tag: 0 Priority: 0
Label: 107520 QoSInfo:0x0


Tunnel ID: 0x1001c
# The CEs in the same VPN can ping each other, and the CEs in different VPNs cannot ping
each other.
----End
Configuration Files
l Configuration file of PE1
#
sysname PE1
#
vlan batch 10 20 30
#
ip vpn-instance VPNA
route-distinguisher 100:1
tnl-policy policy1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance VPNB
tnl-policy policy2
#
mpls lsr-id 1.1.1.1
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls te cspf
#
mpls ldp
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.252
mpls
mpls te
mpls rsvp-te
mpls ldp
#
interface Vlanif20
ip binding vpn-instance VPNB
ip address 10.2.1.2 255.255.255.252
#
interface Vlanif30
ip binding vpn-instance VPNA
ip address 10.1.1.2 255.255.255.252
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
interface Tunnel1/0/1

ip address unnumbered interface loopback1

tunnel-protocol mpls te
destination 2.2.2.2
mpls te tunnel-id 11
mpls te commit
#
destination 2.2.2.2
mpls te commit
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance VPNA
#
ipv4-family vpn-instance VPNB
#
ospf 1
opaque-capability enable
area 0.0.0.0
network 100.1.1.0 0.0.0.3
network 1.1.1.1 0.0.0.0
mpls-te enable
#
tunnel-policy policy1
tunnel binding destination 2.2.2.2 te Tunnel1/0/2
#
tunnel select-seq cr-lsp lsp load-balance-number 1
#
return
#
sysname PE2
#
vlan batch 10 40 50
#
ip vpn-instance VPNA
tnl-policy policy1
#
ip vpn-instance VPNB
tnl-policy policy2
#
mpls lsr-id 2.2.2.2
mpls
mpls te
mpls rsvp-te

mpls te cspf
#
mpls ldp
#
interface Vlanif10
ip address 100.1.1.2 255.255.255.252
mpls
mpls te
mpls rsvp-te
mpls ldp
#
interface Vlanif40
ip binding vpn-instance VPNB
ip address 10.4.1.2 255.255.255.252
#
interface Vlanif50
ip binding vpn-instance VPNA
ip address 10.3.1.2 255.255.255.252
#
#
#
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
destination 1.1.1.1
mpls te commit
#
destination 1.1.1.1
mpls te commit
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance VPNA
#
ipv4-family vpn-instance VPNB
#
ospf 1

area 0.0.0.0
network 100.1.1.0 0.0.0.3
network 2.2.2.2 0.0.0.0
mpls-te enable
#
#
tunnel select-seq cr-lsp lsp load-balance-number 1
#
return
l Configuration file of CE1
#
sysname CE1
#
vlan batch 30
#
interface Vlanif30
ip address 10.1.1.1 255.255.255.252
#
#
bgp 65410
#
ipv4-family unicast
peer 10.1.1.2 enable
#
return
#
sysname CE2
#
vlan batch 20
#
interface vlanif 20
ip address 10.2.1.1 255.255.255.252
#
#
bgp 65410
#
ipv4-family unicast
#
return
#
sysname CE3
#
vlan batch 50
#
interface Vlanif50
ip address 10.3.1.1 255.255.255.252
#

#
bgp 65420
#
ipv4-family unicast
#
return

#
sysname CE4
#
vlan batch 40
#
interface Vlanif 40
ip address 10.4.1.1 255.255.255.252
#
#
bgp 65420
#
ipv4-family unicast
#
return
1.9.2 Example for Binding a Tunnel to the Martini L2VPN

As shown in Figure 1-3, Site 1, Site 2, and Site 3 belong to VPNA. The networking requirements
are as follows:
l Configuring a Martini L2VPN
l The communication between Site 1 and Site 2 is independent of that between Site 1 and
Site 3.

Figure 1-3 Networking diagram for configuring the L2VPN tunnel binding
Loopback1
2.2.2.9/32
VPNA
VLAN2
GE 1/0/1
GE 1/0/2 GE 1/0/1
Loopback1 Loopback1 PE2 CE2
Site2
1.1.1.9/32 4.4.4.9/32
GE 1/0/1 GE 1/0/2
PE1 GE 1/0/1 GE 1/0/3
GE 1/0/2 P
GE 1/0/3 PE3
GE 1/0/3 GE 1/0/1
VLAN1 VLAN4
GE 1/0/1
GE 1/0/2 GE 1/0/3 VLAN3 CE3
Loopback1 Site3
3.3.3.9/32
Site1 CE1
VPNA VPNA
GigabitEthernet1/0/2 VLANIF 10 -
Loopback1 - 1.1.1.9/32
PE2 GigabitEthernet1/0/1 VLANIF 2 -
Loopback1 - 2.2.2.9/32
Loopback1 - 3.3.3.9/32
P GigabitEthernet1/0/1 VLANIF 7 100.1.1.1/24

1. Configure a TE tunnel.
2. Configure a tunnel policy to bind the IP address of the remote end to the tunnel.
3. Apply the tunnel policy to the L2VC.
4. Connect the CEs to the backbone network.
Data Preparation
l Tunnel policy
l VC ID
l Parameters for the MPLS TE tunnel
NOTE
For different L2VPN services from a PE to the same destination, different tunnel policies and TE tunnels
are required.
Procedure
Step 1 Enable PEs to communicate with each other.
# Configure an Interior Gateway Protocol (IGP) on the MPLS backbone network to implement
interworking between the PEs. IS-IS is used in this example, and the IS-IS process ID is 1.
# Configure PE1.
[PE1] vlan 7
[PE1-vlan7] quit
[PE1-GigabitEthernet1/0/1] port hybrid tagged vlan 7
[PE1-Vlanif7] quit
[PE1]isis 1
[PE1-isis-1] network-entity 10.0000.0000.0000.0001.00
[PE1-isis-1] is-level level-2
[PE1-isis-1] quit
[PE1-Vlanif7] isis enable 1
[PE1-Vlanif7] quit
[PE1-LoopBack1] isis enable 1
# The configuration procedures of PE2 and PE3 are similar to the configuration procedure of
PE1.
# Configure the P.

[Quidway] sysname P
[P] vlan batch 5 6 7
[P]interface gigabitethernet 1/0/1
[P-GigabitEthernet1/0/1] port hybrid pvid vlan 7
[P-GigabitEthernet1/0/1] port hybrid tagged vlan 7
[P-GigabitEthernet1/0/1] quit
[P] interface vlanif 7
[P-Vlanif7] ip address 100.1.1.1 24
[P-Vlanif7] quit
[P-Vlanif5] quit
[P-Vlanif6] quit
[P]isis 1
[P-isis-1] network-entity 10.0000.0000.0000.0002.00
[P-isis-1] is-level level-2
[P-isis-1] quit
[P-Vlanif5] isis enable 1
[P-Vlanif5] quit
[P-Vlanif6] quit
[P-Vlanif7] quit
[P] interface loopback 1
[P-LoopBack1] ip address 1.1.1.9 32
[P-LoopBack1] isis enable 1
[P-LoopBack1] quit
# Run the display ip routing-table command in any view of the PEs, and you can see that the
PEs can learn the loopback address of each other.
------------------------------------------------------------------------------
2.2.2.9/32 ISIS 15 20 D 100.1.1.2 Vlanif7
3.3.3.9/32 ISIS 15 20 D 100.1.1.2 Vlanif7
4.4.4.9/32 ISIS 15 10 D 100.1.1.2 Vlanif7
100.1.1.0/24 Direct 0 0 D 100.1.1.1 Vlanif7
100.1.1.2/32 Direct 0 0 D 100.1.1.2 Vlanif7
100.2.1.0/24 ISIS 15 20 D 100.1.1.2 Vlanif7
100.3.1.0/24 ISIS 15 20 D 100.1.1.2 Vlanif7

Step 2 Configure the basic MPLS capability, set up the LDP peers, and enable MPLS TE, Resource
Reservation Protocol-TE (RSVP-TE), and Constraint Shortest Path First (CSPF).
# In this example, RSVP-TE is used as the signaling protocol. Enable global MPLS TE and
RSVP-TE on the PEs and P along the TE tunnel. Configure CSPF on the tunnel ingress. Enable
MPLS TE and RSVP-TE on the interfaces along the tunnel. Configure the LDP remote peers
on PEs to transmit the private network routes.
# Configure PE1.
[PE1] mpls
[PE1-mpls] mpls te
[PE1-mpls] quit
[PE1-Vlanif7] mpls
[PE1-Vlanif7] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] mpls ldp remote-peer 2.2.2.9
[PE1-mpls-ldp-remote-2.2.2.9] remote-ip 2.2.2.9
[PE1-mpls-ldp-remote-2.2.2.9] quit
# The configuration procedures of PE2 and PE3 are similar to the configuration procedure of
PE1.
# Configure the P.
[P] mpls lsr-id 4.4.4.9
[P] mpls
[P-mpls] mpls te
[P-mpls] mpls rsvp-te
[P-mpls] quit
[P-Vlanif7] mpls
[P-Vlanif7] mpls te
[P-Vlanif7] mpls rsvp-te
[P-Vlanif7] quit
[P-Vlanif5] mpls
[P-Vlanif5] mpls te
[P-Vlanif5] quit
[P-Vlanif6] mpls
[P-Vlanif6] mpls te
[P-Vlanif6] quit
# Run the display mpls ldp session command on the PEs, and you can see that LDP peers are
set up between PE1 and PE2 and between PE1 and PE3.

[PE1] display mpls ldp session
LDP Session(s) in Public Network

Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------

PeerID Status LAM SsnRole SsnAge KASent/Rcv

------------------------------------------------------------------------------
2.2.2.9:0 Operational DU Passive 0000:00:33 4/4
------------------------------------------------------------------------------
TOTAL: 2 session(s) Found.
Step 3 Configure IS-IS TE.

# Configure PE1.
[PE1] isis 1
[PE1-isis-1] cost-style wide
[PE1-isis-1] traffic-eng level-2
[PE1-isis-1] quit
# The configuration procedures of P, PE2, and PE3 are similar to the configuration procedure
of PE1.
NOTE
When IS-IS TE is configured on only the local end, the session set up on the local end turns Down. When
IS-IS TE is configured on the remote end, the LDP session becomes Up again.
Step 4 Configure the explicit path of MPLS TE.

# You can manually specify a path for MPLS TE, that is, configure an explicit path for MPLS
TE. Take the configuration of explicit path on PE1 for example.
# Configure PE1.
[PE1] explicit-path PE1toPE2
[PE1-explicit-path-PE1toPE2] next hop 100.1.1.2
[PE1-explicit-path-PE1toPE2] quit
[PE1] explicit-path PE1toPE3
[PE1-explicit-path-PE1toPE3] quit
Step 5 Configure the MPLS TE tunnel.

NOTE
An MPLS TE tunnel is unidirectional. To guarantee bidirectional QoS on the TE tunnel, you must configure
an MPLS TE tunnel on PEs.
# Create two tunnel interfaces on PE1; create a tunnel interface on each of PE2 and PE3.
# Configure PE1.
[PE1-Tunnel1/0/0] ip address unnumbered interface loopback 1
[PE1-Tunnel1/0/0] mpls te signal-protocol rsvp-te
[PE1-Tunnel1/0/0] mpls te path explicit-path PE1toPE2
[PE1-Tunnel2/0/0] mpls te path explicit-path PE1toPE3


# Configure PE2.
# Configure PE3.
# Run the display this interface command in the tunnel interface view of the PEs, and you can
see that the TE tunnel is Up. Take Tunnel1/0/0 of PE1 for example.
[PE1-Tunnel1/0/0] display this interface
Route Port,
primary tunnel id is 0x1003c, secondary tunnel id is 0x0

0 output error
0 output drop

Step 6 Configure the VPN tunnel binding.
# Configure PE1. Bind PE1 to Tunnel1.

[PE1] mpls l2vpn
[PE1-l2vpn] mpls l2vpn default martini
[PE1-l2vpn] quit
[PE1-tunnel-policy-policy1] tunnel binding destination 2.2.2.9 te tunnel 1/0/0
[PE1] interface VLANIF 10

[PE1-Vlanif10] mpls l2vc 2.2.2.9 100 tunnel-policy policy1

[PE1-Vlanif10] quit
# Configure PE1. Bind PE1 to Tunnel2.

[PE1-Vlanif4] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
[PE2-Vlanif2] quit
# Configure PE3.
[PE3] mpls l2vpn
[PE3-l2vpn] quit
[PE3-Vlanif3] quit
Step 7 Connect the CEs to the backbone network.

# The following takes the configuration of CE1 as an example. The configuration procedures of
CE2 and CE3 are the same as the configuration procedure of CE1, and are not mentioned here.
[CE1] vlan 10
[CE1] quit
[CE1] vlan 4
[CE1] quit
[CE1] interface gigabitethernet 1/0/2
[CE1-GigabitEthernet1/0/2] port link-type trunk
[CE1-GigabitEthernet1/0/2] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/2] quit
[CE1] interface VLANIF 10
[CE1-Vlanif10] ip address 10.1.1.1 24
[CE1-Vlanif10] quit
[CE1] interface vlanif 4


[CE1-Vlanif4] quit
# Check the VC status on PE1. All the VCs on PE1 are Up.
[PE1] display mpls l2vc
*client interface : Vlanif4

session state : up
AC status : up
VC state : up
VC ID : 200
VC type : VLAN
local group ID : 0
link state : up
VC last up time : 2009/09/20 20:33:37
CKey : 5
NKey : 4

session state : up
AC status : up
VC state : up
VC ID : 100
VC type : VLAN
local group ID : 0
link state : up
VC last up time : 2009/09/20 20:35:37
CKey : 5
NKey : 4

# Check information about the interfaces on the bound tunnel.
# Take Tunnel 1/0/0 of PE1 as an example.

Route Port,

0 output error
0 output drop

# CE1 can ping CE2 and CE3.
# Display information about Tunnel1/0/0 on PE1.

[PE1] display interface Tunnel 1/0/0
Route Port,

0 output error
0 output drop

# You can see that the number of datagrams passing through Tunnel 1/0/0 increases.
# Run the ping 20.1.1.2 command on CE1 to check information about Tunnel 1/0/0 of PE1. You
can see that the statistics of packets on Tunnel 1/0/0 remain unchanged because Tunnel 1/0/0
on PE1 transmits only the data between PE1 and PE2.
----End

Configuration Files
#
sysname PE1
#
vlan batch 4 7 10
#
mpls lsr-id 1.1.1.9
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
mpls l2vpn
mpls l2vpn default martini
#
explicit-path pe1tope2
next hop 100.1.1.1
next hop 100.2.1.2
next hop 2.2.2.9
#
explicit-path PE1toPE3
next hop 100.1.1.1
next hop 100.3.1.2
next hop 3.3.3.9
#
mpls ldp
#
mpls ldp remote-peer 2.2.2.9
remote-ip 2.2.2.9
#
remote-ip 3.3.3.9
#
isis 1
is-level level-2
cost-style wide
network-entity 10.0000.0000.0000.0001.00
traffic-eng level-2
#
interface Vlanif4
mpls l2vc 3.3.3.9 200 tunnel-policy policy2
#
interface Vlanif7
ip address 100.1.1.2 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface Vlanif10
#
port hybrid tagged vlan 7
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
isis enable 1

#
ip address unnumbered interface LoopBack1
destination 2.2.2.9
mpls te path explicit-path pe1tope2
mpls te commit
#
destination 3.3.3.9
mpls te path explicit-path pe1tope3
mpls te commit
#
tunnel binding destination 2.2.2.9 te tunnel1/0/0
#
#
return
l Configuration file of P
#
sysname P
#
vlan batch 5 6 7
#
mpls lsr-id 4.4.4.9
mpls
mpls te
mpls rsvp-te
#
isis 1
is-level level-2
cost-style wide
network-entity 10.0000.0000.0000.0002.00
traffic-eng level-2
#
interface Vlanif5
ip address 100.2.1.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface Vlanif6
ip address 100.3.1.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface Vlanif7
ip address 100.1.1.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
#


#
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
isis enable 1
#
return

#
sysname PE2
#
vlan batch 2 5
#
mpls lsr-id 2.2.2.9
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
mpls l2vpn
#
mpls ldp
#
remote-ip 1.1.1.9
#
isis 1
is-level level-2
cost-style wide
network-entity 10.0000.0000.0000.0003.00
traffic-eng level-2
#
interface Vlanif2
#
interface Vlanif5
ip address 100.2.1.2 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
isis enable 1
#
destination 1.1.1.9
mpls te commit
#


#
return

#
sysname PE3
#
vlan batch 3 6
#
mpls lsr-id 3.3.3.9
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
mpls l2vpn
#
mpls ldp
#
remote-ip 1.1.1.9
#
isis 1
is-level level-2
cost-style wide
network-entity 10.0000.0000.0000.0004.00
traffic-eng level-2
#
interface Vlanif3
#
interface Vlanif6
ip address 100.3.1.2 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
isis enable 1
#
destination 1.1.1.9
mpls te commit
#
#
return

#
sysname CE1
#
vlan batch 4 10

#
interface Vlanif4
ip address 20.1.1.1 255.255.255.0
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
port link-type trunk
port trunk allow-pass vlan 10
#
#
return

#
sysname CE2
#
vlan batch 2
#
interface Vlanif2
ip address 10.1.1.2 255.255.255.0
#
#
return

#
sysname CE3
#
vlan batch 3
#
interface Vlanif2
ip address 20.1.1.2 255.255.255.0
#
#
return

Configuration Guide - VPN 2 GRE Configuration
2 GRE Configuration
About This Chapter
Generic Routing Encapsulation (GRE) encapsulates the packets of certain network layer
protocols such as Internetwork Packet Exchange (IPX), Asynchronous Transfer Mode (ATM),
IPv6, and AppleTalk so that the encapsulated packets can be transmitted over the IPv4
network. The latest GRE standards specify that GRE can encapsulate Layer 2 frames such as
Point-to-Point Protocol (PPP) frames and Multi-Protocol Label Switching (MPLS) frames.
2.1 Introduction to GRE

The transmission of packets in a GRE tunnel involves two processes: encapsulation and
decapsulation. After receiving a packet of a certain network layer protocol such as IPX that needs
to be encapsulated and routed, the system adds a GRE header to the packet, and then encapsulates
the packet into a packet of another protocol such as IP.
2.2 GRE Features Supported by the S7700
GRE features supported the S7700 include the following: multi-protocol local network
transmission through the single-protocol backbone network, enlargement of the operation scope
of the network running a hop-limited protocol (like IPX), connection of some discontinuous
subnets to establish a VPN, and working in conjunction with IPSec to compensate the flaw of
IPSec in multicast data protection.
2.3 Configuring GRE
You can configure GRE only after a GRE tunnel is configured.
2.4 Configuring a GRE Tunnel Between CE and PE
Configuring a GRE tunnel between a CE and a PE enables the CE to access the public network
through the GRE tunnel.
2.5 Configuring the Keepalive Function
Before configuring a tunnel policy and a GRE tunnel for the VPN, enable the Keepalive function
of the GRE tunnel. In this manner, the VPN does not select the GRE tunnel that cannot reach
the remote end, and data loss can be avoided.
2.6 Maintaining GRE
This section describes how to reset the statistics of a tunnel interface, monitor the running status
of GRE.

Familiarize yourself with the configuration procedures against the networking diagrams. This
chapter provides networking requirements, configuration notes, and configuration roadmap in
configurations examples.

2.1 Introduction to GRE

The transmission of packets in a GRE tunnel involves two processes: encapsulation and
decapsulation. After receiving a packet of a certain network layer protocol such as IPX that needs
to be encapsulated and routed, the system adds a GRE header to the packet, and then encapsulates
the packet into a packet of another protocol such as IP.
GRE encapsulates the packets of certain network layer protocols such as IP and IPX. After
encapsulation, these packets can be transmitted over the network by another network layer
protocol, such as IP.
GRE can serve as a Layer 3 tunneling protocol for VPNs. A tunnel is a virtual point-to-point
connection and can be regarded as a virtual interface that supports only point-to-point
connections. This interface provides a path to transmit encapsulated datagrams. GRE
encapsulates and decapsulates datagrams at both ends of the tunnel.
2.2 GRE Features Supported by the S7700

GRE features supported the S7700 include the following: multi-protocol local network
transmission through the single-protocol backbone network, enlargement of the operation scope
of the network running a hop-limited protocol (like IPX), connection of some discontinuous
subnets to establish a VPN, and working in conjunction with IPSec to compensate the flaw of
IPSec in multicast data protection.
Multi-Protocol Local Network Transmission Through Single-Protocol Backbone

Network
In Figure 2-1, Group 1 and Group 2 are the local networks running the Novell IPX protocol.
Team 1 and Team 2 are the local networks running the IP protocol.
Figure 2-1 Networking diagram of multi-protocol local network transmission through the
single-protocol backbone network
Novell IPX Novell IPX

Group 1 Group 2
Internet
GRE Tunnel
SwitchA SwitchB
IP IP
Team 1 Team 2

The tunnel between Switch A and Switch B adopts the GRE protocol, so that Group 1
communicates with Group 2 without affecting the communication between Team 1 and Team
2.
Enlarging Operation Scope of the Network Running a Hop-Limited Protocol (Like

IPX)
If the hop count between two terminals in Figure 2-2 is more than 15, the two terminals cannot
communicate with each other.
Figure 2-2 Networking diagram of enlarged network operation scope
IP
network
IP IP
network network
Tunnel
PC PC
When the tunnel is used in the network, a few hops are hidden. This enlarges the scope of the
network operation.
Connecting Some Discontinuous Sub-Networks to Establish a VPN

GRE tunnels can be used to connect discontinuous sub-networks, as shown in Figure 2-3, Two
sub-networks Group 1 and Group 2 running the Novell IPX protocol are in different cities. A
VPN across the Wide Area Network (WAN) can be established after the tunnel technology is
adopted.
Figure 2-3 Networking diagram of discontinuous sub-networks connected through a tunnel
IP network
Novell Novell
Tunnel
Group2
Group1
GRE can be applied to both Layer 2 Virtual Private Network (L2VPN) and Layer 3 Virtual
Private Network (L3VPN). Usually, the MPLS VPN backbone network uses label switched

paths (LSPs) as the public network tunnel. If the core switch (P) in the backbone network,
however, provides only the IP function without the MPLS function when the PE at the network
edge has the MPLS function, the LSP cannot be used as the public network tunnel. Then, you
can use the GRE tunnel in place of the LSP to provide Layer 3 or Layer 2 VPN solutions at the
core network.
GRE tunnels can also be used as the non-MPLS VPN backbone tunnel. In this case, the private
network packet cannot contain the MPLS label when transmitted in the VPN backbone network.
2.3 Configuring GRE

You can configure GRE only after a GRE tunnel is configured.

Before configuring a GRE tunnel, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.
To set up a GRE tunnel, you need to create a tunnel interface first, and then configure GRE
functions on the tunnel interface. If the tunnel interface is deleted, all configurations on the
interface are deleted accordingly.
Before configuring an ordinary GRE tunnel, complete the following tasks:
l Ensuring the IP connectivity between the source interface and the destination interface
Data Preparation
To configure an ordinary GRE tunnel, you need the following data.
No. Data
1 Number of the tunnel interface
2 Source address and destination address of the tunnel
3 IP address of the tunnel interface
4 Key of the tunnel interface
2.3.2 Configuring a Tunnel Interface

After creating a tunnel interface, you need to specify GRE as the encapsulation type, set the
source address or source interface of the tunnel, and set the destination address of the tunnel.
You also need to set the network address of the tunnel interface so that the tunnel can support
dynamic routing protocols. The network addresses of both ends of a tunnel must belong to the
same network segment.

Context
Do as follows on switchs on the two ends of a tunnel:
Procedure
Step 1 Run:
system-view
Step 2 Run:
A tunnel interface is created and the tunnel interface view is displayed.
Step 3 Run:
tunnel-protocol gre
The tunnel is encapsulated with GRE.
Step 4 Run:
source { source-ip-address | interface-type interface-number }
The source address or source interface of the tunnel is configured.
NOTE
The source interface of a GRE tunnel cannot be configured as the management network port, and the source
address of the tunnel cannot be configured as the IP address of the management network port.
Step 5 Run:
destination [ vpn-instance vpn-instance-name ] ip-address
The destination address of the tunnel is configured.
After a tunnel interface is created, you need to specify the source address or source interface and
destination address of the tunnel. The source address is the IP address of the loopback interface
that sends GRE packets, whereas the destination address is the IP address of the loopback
interface that receives the GRE packets.

mtu mtu
The Maximum Transmission Unit (MTU) of the tunnel interface is modified.
The new MTU takes effect only after you run the shutdown command and then the undo
shutdown command on the interface.
Step 7 Choose one of the following commands to configure the IP address of the tunnel interface.
address of the tunnel interface.
configure IP unnumbered for the tunnel interface.
To support dynamic routing protocols on a tunnel, you must configure a network address for the
tunnel interface. The network address of the tunnel interface may not be a public address, but
should be in the same network segment on both ends of the tunnel.

By default, the network address of a tunnel interface is not set.
----End
2.3.3 Configuring Routes for the Tunnel

Routes for a tunnel must be available on both the source and destination devices so that packets
encapsulated with GRE can be forwarded properly. A route passing through tunnel interfaces
can be a static route or a dynamic route.
Context
Do as follows on devices on two ends of a tunnel:
NOTE
The packets encapsulated with GRE are forwarded correctly only if the routes for the tunnel are available
on both the source and destination switchs.
Procedure
Step 1 Run:
system-view
Step 2 Choose one of the following methods to configure routes passing through the tunnel interface.
l Run the ip route-static ip-address { mask | mask-length } tunnel interface-number
[ description text ] command to configure a static route.
The static route must be configured on both ends of the tunnel. In this command, the
destination address is neither the destination address of the tunnel nor the address of the
opposite tunnel interface, but the destination address of the packet that is not encapsulated
with GRE. The outbound interface must be the local tunnel interface.
l Configure dynamic routes using IGP or BGP. Details for the procedure are not provided here.
For the configuration of dynamic routes, see the S7700 Configuration Guide - IP Routing.
When configuring a dynamic routing protocol, enable the dynamic routing protocol on both
the tunnel interface and the interface connected to the private network. To ensure proper
routing, do not choose the tunnel interface as the next hop when configuring the route to the
physical or logical interface of the destination tunnel.
Use Switch A in Figure 2-4 as an example. The source interface of Tunnel 1/0/1 is VLANIF
10 on Switch A, and its destination interface is VLANIF 20 on Switch C. If a dynamic routing
protocol is used, the protocol must be configured on the tunnel interface and the GE interface
connected to the PC. Moreover, in the routing table of Switch A, the egress with the
destination as the network segment where VLANIF 20 on Switch C resides cannot be Tunnel
1/0/1.
In practical configurations, tunnel interfaces and physical interfaces connected to the public
network should use different routing protocols or different processes of the same routing
protocol. In this manner, you can avoid selecting a tunnel interface as an outbound interface
for packets destined for the destination of the tunnel. In addition, a physical interface is
prevented from forwarding user packets that should be forwarded through the tunnel.

Figure 2-4 Diagram of configuring the GRE dynamic routing protocol
Backbone
GE1/0/0 GE2/0/0
VLANIF10 VLANIF20
SwitchA Tunnel SwitchC
GE2/0/0 Tunnel1/0/1 Tunnel2/0/1 GE1/0/0
PC1 PC2
----End

After a GRE tunnel is set up, you can view the running status and routing information about the
tunnel interface.
Context
The configurations of the GRE function are complete.
Procedure
l Run the display interface tunnel [ interface-number ] command to check the operating
status of the tunnel interface.
l Run the display ip routing-table command to check the routing table.
l Run the ping -a source-ip-address host command to check whether the two ends of the
tunnel can successfully ping each other.
----End
Example
Run the display interface tunnel command. If the tunnel interface is Up, the configuration
<Quidway> display interface Tunnel 1/0/0
Route Port, The Maximum Transmit Unit is 1500 bytes
Internet Address is 40.1.1.1/24
Tunnel source 20.1.1.1 (Loopback1), destination 30.1.1.2
Tunnel protocol/transport GRE/IP, key disabled
keepalive disabled
Checksumming of packets disabled


300 seconds input rate 31776024 bytes/sec, 31776152 packets/sec
300 seconds output rate 31776024 bytes/sec, 31776152 packets/sec
511 packets input, 46339 bytes
0 input error
0 output error
300 seconds input rate 0 bits/sec, 0 packets/sec

0 input error
0 output error
Input:
Unicast: 0 packets, Multicast: 0 packets
Output:
Run the display ip routing-table command. If the route passing through the tunnel interface
exists in the routing table, the configuration succeeds. For example:
<Quidway> display ip routing-table
------------------------------------------------------------------------------
6.6.6.6/32 OSPF 10 2 D 10.1.1.1 Vlanif15

10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif15
10.2.1.0/24 Static 60 0 D 40.1.1.1 Tunnel1/0/1
40.1.1.0/24 Direct 0 0 D 40.1.1.1 Tunnel1/0/1
Run the ping -a source-ip-address dest-ip-address command, and you can find that the ping
from the local tunnel interface to the destination tunnel succeeds.
2.4 Configuring a GRE Tunnel Between CE and PE

Configuring a GRE tunnel between a CE and a PE enables the CE to access the public network
through the GRE tunnel.

Before configuring a GRE tunnel between a CE and a PE, familiarize yourself with the applicable

To allow users of the CE that is not directly connected with a PE to access the Multi-Protocol
Label Switching (MPLS) VPN, configure a GRE tunnel and create routes between them and
configure MPLS VPN on the PE.
Before configuring a GRE tunnel between a CE and a PE, complete the following tasks:
l Assigning IP addresses for interfaces on the CE and PE

l Configuring the routes between the CE and PE
Data Preparation
To configure a GRE tunnel between a CE and a PE, you need the following data.
No. Data
1 Number of the GRE tunnel interface specified on the CE
2 Source address or source interface and destination address of the GRE tunnel interface
specified on the CE
3 Number of the GRE tunnel interface specified on the PE
4 Source address or source interface and destination address of the GRE tunnel interface
specified on the PE
2.4.2 Configuring the GRE Tunnel Interface on CE

After creating a tunnel interface on a CE, you need to specify GRE as the encapsulation type,
set the source address or source interface of the tunnel interface, and set the destination address
of the tunnel interface. The source address of the tunnel specified on the CE is the destination
address of the tunnel specified on the PE. The destination address of the tunnel specified on the
CE is the source address of the tunnel specified on the PE.
Context
Do as follows on the CE.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The tunnel interface is created and the tunnel interface view is displayed.

Step 3 Run:
tunnel-protocol gre
The tunnel is encapsulated as a GRE tunnel.

Step 4 Run:
The source address or source interface of the tunnel interface is configured.
NOTE
The virtual IP address of the VRRP backup group can be configured as the source address of the GRE
tunnel.
Step 5 Run:
destination ip-address
The destination address of the tunnel interface is configured.

mtu mtu
The MTU of the interface can be modified. The new MTU takes effect only after you run the
shutdown and the undo shutdown commands in succession on the interface.
----End
2.4.3 Configuring the GRE Tunnel Interface on PE

After creating a tunnel interface on a PE, you need to specify GRE as the encapsulation type,
set the source address or source interface of the tunnel interface, and set the destination address
of the tunnel interface. The source address of the tunnel specified on the PE is the destination
address of the tunnel specified on the CE. The destination address of the tunnel specified on the
PE is the source address of the tunnel specified on the CE.
Context
Do as follows on the PE:
Procedure
Step 1 Run:
system-view

Step 2 Run:
A tunnel interface is created and the tunnel interface view is displayed.

Step 3 Run:

tunnel-protocol gre
The tunnel is encapsulated as a GRE tunnel.

Step 4 Run:
source { source-ip-address | interface-type interface-number }
The source address or source interface of the tunnel interface is configured.
NOTE
The virtual IP address of the VRRP backup group can be configured as the source address of the GRE
tunnel.
The source interface of the tunnel cannot be the interface of the tunnel, but can be specified as
the interface of another tunnel.
The source address of the tunnel specified on the PE is identical with the destination address of
the tunnel specified on the CE. The destination address of the tunnel specified on the PE is
identical with the source address of the tunnel specified on the CE.
Step 5 Run:
destination [ vpn-instance vpn-instance-name ] ip-address
The destination address of the tunnel interface is configured.

If the tunnel passes through another VPN, the parameter vpn-instance vpn-instance-name need
to be specified. If the tunnel passes through the public network, the parameter is not required.
mtu mtu
The MTU of the interface is modified. The new MTU takes effect only after you run the
shutdown and the undo shutdown commands in succession on the interface.
----End
2.4.4 Binding the GRE Tunnel with the VPN to Which CE belongs
on PE
Bind the tunnel interface on the PE that connects the CE to a VPN instance. Then, the tunnel
interface becomes a VPN interface. The packets sent from the VPN interface are forwarded
based on forwarding information in the VPN instance.
Context
Do as follows on the PE.
Procedure
Step 1 Run:
system-view


Step 2 Run:
The tunnel interface is created and the tunnel interface view is displayed.
Step 3 Run:
ip binding vpn-instance vpn-instance-name
Bind the GRE tunnel with the VPN instance.
NOTE
The running of the ip binding vpn-instance command on a tunnel interface can delete the Layer 3 attributes,
such as the IP address and routing protocol. If these Layer 3 attributes are still required, you need to
configure them again.
l Run the ip address ip-address { mask | mask-length } [ sub ] command to assign an IP address
to the tunnel interface.
----End

After a GRE tunnel is set up between a CE and a PE, you can view routes to a specified VPN.
Prerequisite
The GRE tunnel between the CE and the PE is fully configured.
Procedure
l Run the display interface tunnel [ interface-number ] command to check the working
mode of the tunnel interface.
l Run the display ip routing-table vpn-instance vpn-instance-name command to check the
VPN routing table on the PE.
l Run the display ip routing-table command to check the routing table on the CE.
l Run the ping -a source-ip-address host command to check whether two ends of the tunnel
can ping each other successfully.
----End
Example
Run the display interface tunnel command on two ends of the tunnel. If the tunnel interface is
Up, it means that the configuration succeeds. Take the display on the PE as an example:
<Quidway> display interface Tunnel 1/0/0
Internet Address is 40.1.1.1/24


Tunnel source 20.1.1.1 (loopback1), destination 30.1.1.2
Tunnel protocol/transport GRE/IP, key disabled
keepalive disabled
Checksumming of packets disabled
300 seconds input rate 31776024 bytes/sec, 31776152 packets/sec
300 seconds output rate 31776024 bytes/sec, 31776152 packets/sec
0 input error
0 output error

0 input error
0 output error
Input:
Output:
2.5 Configuring the Keepalive Function

Before configuring a tunnel policy and a GRE tunnel for the VPN, enable the Keepalive function
of the GRE tunnel. In this manner, the VPN does not select the GRE tunnel that cannot reach
the remote end, and data loss can be avoided.

Before configuring the Keepalive function of a GRE tunnel, familiarize yourself with the
Application Environment
The Keepalive function can be configured on one end of a GRE tunnel to test the status of the
GRE tunnel. If the remote end is found unreachable, the tunnel is disconnected on time to avoid
data black hole.
Figure 2-5 GRE tunnel supporting Keepalive
Source Internet Destination

GRE tunnel
SwitchA SwitchB

Before configuring the Keepalive function, complete the following tasks:
l Configuring the link layer attributes of the interfaces
l Assigning IP addresses to the interfaces
l Establishing the GRE tunnel and keeping the tunnel Up
Data Preparation
To configure the Keepalive function, you need the following data.
No. Data
1 Interval for sending Keepalive messages
2 Retry times of the unreachable timer
2.5.2 Enabling the Keepalive Function

The Keepalive function of a GRE tunnel is unidirectional. To implement the Keepalive function
on both ends, you must enable the Keepalive function on both ends of a GRE tunnel.
Context
Do as follows on the switch that requires the Keepalive function.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
tunnel-protocol gre
The tunnel is encapsulated with GRE.

Step 4 Run:
keepalive [ period period [ retry-times retry-times ] ]
The Keepalive function is enabled.

The Keepalive function of a GRE tunnel is unidirectional. Therefore, to realize the Keepalive
function on both ends, you must enable the Keepalive function on both ends of a GRE tunnel.
One end can be configured with the Keepalive function regardless of whether the remote end is
enabled with the Keepalive function or not. But it is still recommended to enable the Keepalive
function on both ends of the GRE tunnel.

TIP
Before configuring the tunnel policy and the GRE tunnel for the VPN, enable the Keepalive function for
the GRE tunnel. In this manner, the VPN does not select the GRE tunnel that cannot reach the remote end,
and the data loss can be avoided. The reasons for enabling the Keepalive function are as below:
l If the Keepalive function is not enabled, the local tunnel interface may always be Up regardless of
whether data reaches the remote end.
l If the Keepalive function is enabled on the local end, the local tunnel interface is set Down when the
remote end is unreachable. As a result, the VPN does not select the unreachable GRE tunnel and the
data is not lost.
----End

After a GRE tunnel is enabled with the Keepalive function, you can view the Keepalive packets
and Keepalive Response packets sent and received by the GRE tunnel interfaces.
Prerequisite
The Keepalive function is enabled on the GRE tunnel.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
display keepalive packets count
Check the Keepalive packets and Keepalive Response packets sent and received by the GRE
tunnel interface.
----End
Example
On the tunnel interface that is enabled with the Keepalive function, run the display keepalive
packets count command, and you can ascertain the number of sent Keepalive packets and
received Keepalive Response packets on both the local end and the remote end. If the Keepalive
function is successfully configured on the local tunnel interface, the number of sent Keepalive
packets or received Keepalive Response packets on the local end is not 0.
[Quidway] interface tunnel 1/0/0
[Quidway-Tunnel1/0/0] tunnel-protocol gre
[Quidway-Tunnel1/0/0] keepalive
[Quidway-Tunnel1/0/0] display keepalive packets count
Send 34 keepalive packets to peers, Receive 34 keepalive response packets from peers
Receive 0 keepalive packets from peers, Send 0 keepalive response packets to peers

2.6 Maintaining GRE

This section describes how to reset the statistics of a tunnel interface, monitor the running status
of GRE.
2.6.1 Resetting the Statistics of a Tunnel Interface

When you need to reset the statistics of a tunnel interface, you can run the reset commands to
clear the Keepalive packets and Keepalive Response packets sent and received by a GRE tunnel
interface.
Procedure
l Run the reset counters interface tunnel [ interface-number ] command in the user view
to reset the statistics on the tunnel interface.
l Reset the statistics on Keepalive packets on the tunnel interface.
1. Run:
system-view

2. Run:

3. Run:
reset keepalive packets count
Reset the statistics on Keepalive packets on the tunnel interface.
NOTE
You can run the reset keepalive packets count command only in the tunnel interface view,
and the tunnel protocol of the interface must be GRE.
----End
2.6.2 Monitoring the Running Status of GRE

In routine maintenance, you can run the GRE related display commands to view the running
status of GRE.
Context
In routine maintenance, you can run the following commands to view the running status of GRE:
Procedure
l Run the display interface tunnel [ interface-number ] command to check the running status
of the tunnel interface.

l Run the ping [ -a source-ip-address | -vpn-instance vpn-instance-name ] * host command
to check whether two ends of the tunnel can communicate with each other.
----End
2.6.3 Debugging GRE

When a GRE fault occurs, you can run the L2TP related debugging commands to debug GRE
and locate the fault.
Context
NOTE
The debugging process affects the system performance. Therefore, after finishing the debugging process,
you need run the undo debugging all command immediately to disable the debugging.
When GRE goes abnormal, run the debugging commands in the user view to view debugging
information, locate the fault, and analyze the cause.
For details of the debugging operation, refer to the chapter Information Center Configuration in
Quidway S7700 Smart Routing Switch Configuration Guide-System Management. For details
of debugging commands, refer to Quidway S7700 Smart Routing Switch Debugging
Reference.
Procedure
l Run the debugging tunnel keepalive command in the user view to debug the Keepalive
function of the GRE tunnel.
----End

Familiarize yourself with the configuration procedures against the networking diagrams. This
chapter provides networking requirements, configuration notes, and configuration roadmap in
configurations examples.
2.7.1 Example for Configuring Static Routes on the GRE Tunnel
As shown in Figure 2-6, Switch A, Switch B, and Switch C are on the VPN backbone network.
OSPF runs among the Switches.
GRE is used between Switch A and Switch C to implement the interworking between PC1 and
PC2.
PC1 and PC2 use Switch A and Switch C as their default gateways.

Figure 2-6 Networking diagram for configuring static routes

SwitchB
GE1/0/0 GE2/0/0
GE1/0/0 GE1/0/0
SwitchA SwitchC
GE2/0/0 Tunnel1/0/1 Tunnel1/0/1
GE2/0/0
40.1.1.1/24 40.1.1.2/24
PC1 PC2
10.1.1.1/24 10.2.1.1/24
Switch A GigabitEthernet1/0/0 VLANIF 10 20.1.1.1/24
Switch B GigabitEthernet1/0/0 VLANIF 10 20.1.1.2/24
Switch C GigabitEthernet1/0/0 VLANIF 20 30.1.1.2/24
1. Run the dynamic routing protocol on the Switches to implement interconnection.

2. Create tunnel interfaces on Switch A and Switch C and specify the source and destination
addresses of the tunnel. The source address is the IP address of the interface sending packets,
and the destination address is the IP address of the interface receiving packets.
3. Configure the IP address of the tunnel so that the tunnel supports the dynamic routing
protocol.
4. Configure the static route between Switch A and its connected PCs, and between Switch
C and its connected PCs to make the traffic between PC1 and PC2 transmitted through the
GRE tunnel.
5. Configure the egress of the static route as the local tunnel interface.
Data Preparation
l IDs of the VLANs that the interfaces belong to, as shown in Figure 2-6

l IP address of VLANIF interfaces, as shown in Figure 2-6

l Procrss id and area id of OSPF
l Source address and destination address of the GRE tunnel, and IP addresses of tunnel
interfaces
Procedure
Step 1 Assign the IP address to each interface.
[Quidway] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] vlan 30
[SwitchA-vlan30] quit
[SwitchA] interface gigabitethernet 1/0/0
[SwitchA-GigabitEthernet1/0/0] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet1/0/0] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet1/0/0] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 20.1.1.1 24
[SwitchA-Vlanif10] quit
The configurations of Switch B and Switch C are similar to the configuration of Switch A, and
are not mentioned here.
Step 2 Configure IGP on the VPN backbone network.
# Configure Switch A.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
# Run the display ip routing-table command on Switch A and Switch C. You can find that they
learn the OSPF routes destined for the network segment of the peer.
# Take Switch A for example. The information is displayed as follows:
[SwitchA] display ip routing-table
------------------------------------------------------------------------------
10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif30
20.1.1.0/24 Direct 0 0 D 20.1.1.1 Vlanif10
20.1.1.2/32 Direct 0 0 D 20.1.1.2 Vlanif10
30.1.1.0/24 OSPF 10 2 D 20.1.1.2 Vlanif10


Step 3 Configure the tunnel interface.

[SwitchA] interface tunnel 1/0/1
[SwitchA-Tunnel1/0/1] tunnel-protocol gre
[SwitchA-Tunnel1/0/1] ip address 40.1.1.1 255.255.255.0
[SwitchA-Tunnel1/0/1] source 20.1.1.1
[SwitchA-Tunnel1/0/1] destination 30.1.1.2
[SwitchA-Tunnel1/0/1] quit
# Configure Switch C.
[SwitchC] interface tunnel 1/0/1
[SwitchC-Tunnel1/0/1] tunnel-protocol gre
[SwitchC-Tunnel1/0/1] ip address 40.1.1.2 255.255.255.0
[SwitchC-Tunnel1/0/1] source 30.1.1.2
[SwitchC-Tunnel1/0/1] destination 20.1.1.1
[SwitchC-Tunnel1/0/1] quit
# After the configuration, the status of tunnel interfaces is Up, and the tunnel interfaces can ping
each other.
[SwitchA] ping -a 40.1.1.1 40.1.1.2
PING 40.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 40.1.1.2: bytes=56 Sequence=1 ttl=255 time=24 ms
--- 40.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 24/34/48 ms
Step 4 Configure static routes.

[SwitchA] ip route-static 10.2.1.0 255.255.255.0 tunnel 1/0/1
[SwitchC] ip route-static 10.1.1.0 255.255.255.0 tunnel 1/0/1
# Run the display ip routing-table command on Switch A and Switch C. You can see the static
route from the tunnel interface to the use-side network segment of the peer.
------------------------------------------------------------------------------
10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif30
10.2.1.0/24 Static 60 0 D 40.1.1.1 Tunnel1/0/1
20.1.1.0/24 Direct 0 0 D 20.1.1.1 Vlanif10

20.1.1.2/32 Direct 0 0 D 20.1.1.2 Vlanif10

30.1.1.0/24 OSPF 10 2 D 20.1.1.2 Vlanif10
40.1.1.0/24 Direct 0 0 D 40.1.1.1 Tunnel1/0/1
PC1 and PC2 can ping each other.
----End
Configuration Files
l Configuration file of Switch A
#
sysname SwitchA
#
vlan batch 10 30
#
interface Vlanif10
ip address 20.1.1.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.1.2 255.255.255.0
#
#
#
ip address 40.1.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
#
ip route-static 10.2.1.0 255.255.255.0 Tunnel1/0/1
#
return
l Configuration file of Switch B

#
sysname SwitchB
#
vlan batch 10 20
#
interface Vlanif10
ip address 20.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 30.1.1.1 255.255.255.0
#
#


#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
l Configuration file of Switch C

#
sysname Switch-C
#
vlan batch 20 40
#
interface Vlanif20
ip address 30.1.1.2 255.255.255.0
#
interface Vlanif40
ip address 10.2.1.2 255.255.255.0
#
#
#
ip address 40.1.1.2 255.255.255.0
tunnel-protocol gre
source 30.1.1.2
#
ospf 1
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
ip route-static 10.1.1.0 255.255.255.0 Tunnel1/0/1
#
return
2.7.2 Example for Configuring the Dynamic Routing Protocol on the

GRE Tunnel
As shown in Figure 2-7, OSPF runs between Switch A, Switch B, and Switch C.
GRE is used between Switch A and Switch C to implement the interworking between PC1 and
PC2. OSPF is enabled on the tunnel interfaces.
PC1 and PC2 use Switch A and Switch C as their default gateways.
OSPF process 1 is enabled between Switch A, Switch B, and Switch C; OSPF process 2 is
enabled between Switch A and PC1 and between Switch C and PC2.

Figure 2-7 Networking diagram for configuring dynamic routing protocol
GE1/0/0 SwitchB GE2/0/0

VLANIF 20 VLANIF 30
20.1.1.2/24 30.1.1.1/24
GE2/0/0 GE1/0/0
VLANIF 20 VLANIF 30
20.1.1.1/24 OSPF 1 30.1.1.2/24
SwitchA SwitchC
Tunnel
GE1/0/0 GE2/0/0
Tunnel1/0/1 Tunnel1/0/1 VLANIF 40
VLANIF 10
10.1.1.2/24 40.1.1.1/24 40.1.1.2/24 10.2.1.2/24
PC1 PC2
10.1.1.1/24
10.2.1.1/24
OSPF 2 OSPF 2
Switch C GigabitEthernet1/0/0 VLANIF 30 30.1.1.2/24
1. Run IGP on the Switches (OSPF process 1 is used here).

2. Create GRE tunnels between the Switches connected to PCs so that data between any two
PCs is transmitted through GRE tunnels.
Data Preparation
l IP address of the VLANIF interfaces, as shown in Figure 2-7
l Source addresses and destination addresses on the two ends of the GRE tunnel

l IP addresses of the interfaces on the two ends of the GRE tunnel
Procedure
Step 1 Assign the IP address to each interface.
[Quidway] sysname SwitchA
[SwitchA] vlan batch 10 20
Step 2 Configure OSPF process 1 between SwitchA, SwitchB, and SwitchC.
# Configure SwitchA.
[SwitchA] ospf 1
# Configure SwitchB.
[SwitchB] ospf 1
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit
# Configure SwitchC.
[SwitchC] ospf 1
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit
# Run the display ip routing-table command on Switch A and Switch C. You can find that they
learn the OSPF routes destined for the network segment of the peer.
Step 3 Configure the tunnel interface.
The configuration procedure is the same as that in 2.7.1 Example for Configuring Static Routes
on the GRE Tunnel.
Step 4 Configure the OSPF protocol on the tunnel interfaces.
[SwitchA] ospf 2


[SwitchC] ospf 2
[SwitchC-ospf-2] area 0
[SwitchC-ospf-2-area-0.0.0.0] quit
[SwitchC-ospf-2] quit

# Run the display ip routing-table command on Switch A and Switch C. You can see the OSPF
route from the tunnel interface to the user-side network segment of the peer. In addition, the next
hop on the route to the destination physical address (30.1.1.0/24) of the tunnel is not a tunnel
interface.
------------------------------------------------------------------------------
10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif30
10.2.1.0/24 OSPF 10 2 D 40.1.1.2 Tunnel1/0/1
20.1.1.0/24 Direct 0 0 D 20.1.1.1 Vlanif10
30.1.1.0/24 OSPF 10 2 D 20.1.1.2 Vlanif10
40.1.1.0/24 Direct 0 0 D 40.1.1.1 Tunnel1/0/1
# PC1 and PC2 can ping each other.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 20.1.1.1 255.255.255.0
#
#

#
ip address 40.1.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
#
ospf 2
area 0.0.0.0
network 40.1.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
return
#
sysname SwitchB
#
vlan batch 20 30
#
interface Vlanif20
ip address 20.1.1.2 255.255.255.0
#
interface Vlanif30
ip address 30.1.1.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
l Configuration file of Switch C
#
sysname SwitchC
#
vlan batch 30 40
#
interface Vlanif30
ip address 30.1.1.2 255.255.255.0
#
interface Vlanif40
ip address 10.2.1.2 255.255.255.0
#
#
#
ip address 40.1.1.2 255.255.255.0

tunnel-protocol gre
source 30.1.1.2
#
ospf 1
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
ospf 2
area 0.0.0.0
network 40.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
return
2.7.3 Example for Configuring the CE to Access a VPN Through a

GRE Tunnel of the Public Network
As shown in Figure 2-8,
l PE1 and PE2 are located in the MPLS backbone network.

l CE1 is connected to PE1 through Switch A.
l CE2 is connected to PE2 directly.
l CE1 and CE2 belong to the same VPN.
CE1 and CE2 are required to interwork with each other.
Figure 2-8 Networking diagram in which CEs access a VPN through the GRE tunnel of the
public network
Loopback1
Loopback1
PE1
SwitchA GE2/0/0 GE2/0/0 PE2
GE1/0/0 GE1/0/0
GE1/0/0 GE2/0/0
el Tunnel1/0/0
nn
GE2/0/0 Tu
GE1/0/0
CE1 Tunnel2/0/0 CE2
GE2/0/0
GE1/0/0
PC1 PC1

Tunnel2/0/0 - 2.2.2.1/24
PE1 Loopback1 - 1.1.1.9/32
Tunnel1/0/0 - 2.2.2.2/24
PE2 Loopback1 - 3.3.3.9/32
PE1 and CE1 are indirectly connected. So the VPN instance on PE1 cannot be bound to the
physical interface on PE1. In such a situation, a GRE tunnel is required between CE1 and PE1.
vpn1 on PE1 can then be bound to the GRE tunnel, and CE1 can access the VPN through the
GRE tunnel.
1. Configure OSPF 10 on PE1 and PE2 to implement the interworking between the two
devices, and then enable MPLS.
2. Configure OSPF 20 on CE1, Switch A, and PE1 to implement the interworking between
the three devices.
3. Establish a GRE tunnel between CE1 and PE1.
4. Create VPN instances vpn1 on PE1 and PE2. Then bind the VPN instance on PE1 to the
GRE tunnel interface, and bind the VPN instance on PE2 to the connected physical interface
of CE2.
5. Configure IS-IS routes between CE1 and PE1, and between CE2 and PE2 to implement
the interworking between the CEs and PEs.
6. Configure BGP on PEs to implement the interworking between CE1 and CE2.
Data Preparation
l IP addresses of the interfaces, process ID of the routing protocol, and AS number

l Source address and destination address of the GRE tunnel
l VPN instance names, RDs, and VPN targets on PEs

Procedure
Step 1 Configure the IP address for each VLANIF interface and the routing protocol for the MPLS
backbone network.
Configure OSPF10 on PE1 and PE2, and then configure MPLS and LDP. The detailed
configurations are not mentioned here.
Step 2 Configure a routing protocol between CE1, Switch A, and PE1.
Configure OSPF 20 on CE1, Switch A, and PE1. The detailed configurations are not mentioned
here.
Step 3 Establish a GRE tunnel between CE1 and PE1.
# Configure CE1.
[CE1] interface tunnel 2/0/0
[CE1-Tunnel2/0/0] ip address 2.2.2.1 255.255.255.0
[CE1-Tunnel2/0/0] tunnel-protocol gre
[CE1-Tunnel2/0/0] source 30.1.1.1
[CE1-Tunnel2/0/0] destination 50.1.1.2
[CE1-Tunnel2/0/0] quit
# Configure PE1.
[PE1-Tunnel1/0/0] ip address 2.2.2.2 255.255.255.0
[PE1-Tunnel1/0/0] tunnel-protocol gre
[PE1-Tunnel1/0/0] source 50.1.1.2
# After the configuration, a GRE tunnel is established between CE1 and PE1.
Step 4 Create a VPN instance named vpn1 on PE1 and bind the VPN instance to the GRE tunnel.
[PE1]ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] route-distinguisher 100:1
[PE1-vpn-instance-vpn1] vpn-target 111:1 export-extcommunity
[PE1-vpn-instance-vpn1] vpn-target 111:1 import-extcommunity
[PE1-vpn-instance-vpn1] quit
[PE1-Tunnel1/0/0] ip binding vpn-instance vpn1
[PE1-Tunnel1/0/0] ip address 2.2.2.2 255.255.255.0
Step 5 Create a VPN instance named vpn1 on PE2 and bind the VPN instance to the VLANIF interface.
[PE2]ip vpn-instance vpn1
[PE2-vpn-instance-vpn1] vpn-target 111:1 export-extcommunity
[PE2-vpn-instance-vpn1] vpn-target 111:1 import-extcommunity
[PE2-Vlanif50] ip binding vpn-instance vpn1
[PE2-Vlanif50] ip address 11.1.1.2 255.255.255.0
[PE2-Vlanif50] quit
Step 6 Configure the IS-IS route between CE1 and PE1.

# Configure CE1.
[CE1] isis 50
[CE1-isis-50] network-entity 50.0000.0000.0001.00
[CE1-isis-50] quit
[CE1-Vlanif10] isis enable 50

[CE1-Vlanif10] quit
[CE1] interface tunnel 2/0/0
[CE1-Tunnel2/0/0] isis enable 50
[CE1-Tunnel2/0/0] quit
# Configure PE1.
[PE1] isis 50 vpn-instance vpn1
[PE1-isis-50] network-entity 50.0000.0000.0002.00
[PE1-isis-50] quit
[PE1-Tunnel1/0/0] isis enable 50
Step 7 Configure the IS-IS route between CE2 and PE2.

# Configure CE2.
[CE2] isis 50
[CE2-isis-50] quit
[CE2-Vlanif50] quit
[CE2-Vlanif60] quit
# Configure PE2.
[PE2] isis 50 vpn-instance vpn1
[PE2-isis-50] quit
[PE2] interface vlanif50
[PE2-Vlanif50] quit
Step 8 Set up the MP-BGP peer relationship between PE1 and PE2.
# On PE1, specify PE2 as an IBGP peer, set up the IBGP connection by using the loopback
interface, and enable the capability of exchanging VPN IPv4 routing information between PE1
and PE2.
[PE1] bgp 100
# Enter the view of the BGP VPN instance vpn1 and import the direct routes and IS-IS routes.
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] import-route isis 50
# On PE2, specify PE1 as an IBGP peer, set up the IBGP connection by using the loopback
interface, and enable the capability of exchanging VPN IPv4 routing information between PE2
and PE1.
[PE2] bgp 100
# Enter the view of the BGP VPN instance vpn1 and import the direct routes and IS-IS routes.


[PE2-bgp-vpn1] import-route isis 50
Step 9 Import BGP routes into IS-IS.

# Configure PE1.
[PE1] isis 50
[PE1-isis-50] import-route bgp
# Configure PE2.
[PE2] isis 50
[PE2-isis-50] import-route bgp

# After the configuration, CE1 and CE2 can successfully ping each other.
<CE1> ping 41.1.1.2

0.00% packet loss
<CE2> ping 21.1.1.2


0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10 20
#
isis 50
network-entity 50.0000.0000.0001.00
#
interface Vlanif10
ip address 21.1.1.2 255.255.255.0
isis enable 50
#
interface Vlanif20
ip address 30.1.1.1 255.255.255.0
#

#
#
ip address 2.2.2.1 255.255.255.0
tunnel-protocol gre
source 30.1.1.1
isis enable 50
#
ospf 20
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
return
#
sysname SwitchA
#
vlan batch 20 30
#
interface Vlanif20
ip address 30.1.1.2 255.255.255.0
#
interface Vlanif30
ip address 50.1.1.1 255.255.255.0
#
#
#
ospf 20
area 0.0.0.0
network 30.1.1.0 0.0.0.255
network 50.1.1.0 0.0.0.255
#
return
#
sysname PE1
#
vlan batch 30 40
#
ip vpn-instance vpn1
#
mpls lsr-id 1.1.1.9
mpls
lsp-trigger all
#
mpls ldp
#
isis 50 vpn-instance vpn1
network-entity 50.0000.0000.0002.00
import-route bgp
#
interface Vlanif30

ip binding vpn-instance vpn1

ip address 50.1.1.2 255.255.255.0
#
interface Vlanif40
ip address 110.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ip address 2.2.2.2 255.255.255.0
tunnel-protocol gre
source 50.1.1.2
isis enable 50
#
bgp 100
#
ipv4-family unicast
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
import-route isis 50
#
ospf 10
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 110.1.1.0 0.0.0.255
#
ospf 20
area 0.0.0.0
network 50.1.1.0 0.0.0.255
#
return
#
sysname PE2
#
vlan batch 40 50
#
#
mpls lsr-id 3.3.3.9
mpls
lsp-trigger all
#
mpls ldp

#
isis 50 vpn-instance vpn1
network-entity 50.0000.0000.0003.00
import-route bgp
#
interface Vlanif40
ip address 110.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif50
ip address 11.1.1.2 255.255.255.0
isis enable 50
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
import-route direct
#
ospf 10
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 110.1.1.0 0.0.0.255
#
return
#
sysname CE2
#
vlan batch 50 60
#
isis 50
network-entity 50.0000.0000.0004.00
#
interface Vlanif50
ip address 11.1.1.1 255.255.255.0
isis enable 50
#
interface Vlanif60
ip address 41.1.1.2 255.255.255.0
isis enable 50
#
#

#
return
2.7.4 Example for Configuring the Keepalive Function for GRE
As shown in Figure 2-9, Switch A and Switch B are configured with the GRE protocol. The
two ends of the GRE tunnel need be configured with the Keepalive function.
Figure 2-9 Networking diagram of configuring the Keepalive function on two ends of a GRE
tunnel
GE1/0/0 Internet GE1/0/0

GRE tunnel
SwitchA SwitchB
Tunnel1/0/0 Tunnel1/0/0
40.1.1.1/24 40.1.1.2/24
Device Interface VLANIF Interface IP Address
Tunnel1/0/0 - 40.1.1.1/24
Tunnel1/0/0 - 40.1.1.2/24
To enable the Keepalive function on one end of the GRE tunnel, run the keepalive command in
the tunnel interface view on the end.
TIP
If the Keepalive function is enabled on the source end, the forwarding function is obligatory, and the
Keepalive function is optional for the destination end.
Data Preparation
l Data for configuring the routing protocol for the backbone network
l Source address and destination address of the GRE tunnel
l Interval for sending Keepalive messages
l Parameters of unreachable timer

Procedure
Step 1 Configure Switch A and Switch B to implement the interworking between the two devices.
The detailed procedures are not mentioned here.
Step 2 Configure a tunnel on Switch A and enable the Keepalive function.
<SwitchA> system-view
[SwitchA] interface tunnel 1/0/0
[SwitchA-Tunnel1/0/0] ip address 40.1.1.1 255.255.255.0
[SwitchA-Tunnel1/0/0] tunnel-protocol gre
[SwitchA-Tunnel1/0/0] source 20.1.1.1
[SwitchA-Tunnel1/0/0] destination 30.1.1.2
[SwitchA-Tunnel1/0/0] keepalive period 20 retry-times 3
[SwitchA-Tunnel1/0/0] quit
Step 3 Configure a tunnel on Switch B and enable the Keepalive function.

<SwitchB> system-view
[SwitchB] interface tunnel 1/0/0
[SwitchB-Tunnel1/0/0] ip address 40.1.1.2 255.255.255.0
[SwitchB-Tunnel1/0/0] tunnel-protocol gre
[SwitchB-Tunnel1/0/0] source 30.1.1.2
[SwitchB-Tunnel1/0/0] destination 20.1.1.1
[SwitchB-Tunnel1/0/0] keepalive period 20 retry-times 3
[SwitchB-Tunnel1/0/0] quit

# The tunnel interface on Switch A can successfully ping the tunnel interface on Switch B.
<SwitchA> ping -a 40.1.1.1 40.1.1.2

0.00% packet loss
# Enable the debugging of the Keepalive messages on Switch A and view information about the
Keepalive messages.
<SwitchA> terminal monitor
<SwitchA> terminal debugging
<SwitchA> debugging tunnel keepalive
Oct 26 2008 20:18:54.860.1 SwitchA TUNNEL/7/debug:GRE_KEEP:Judge keepalive fin
ished. Received keepalive response packet from peer router.
Oct 26 2008 20:18:54.860.2 SwitchA TUNNEL/7/debug:GRE_FWD: Receive the respons
e keepalive packet on mainboard successfully, keepalive finished.
Oct 26 2008 20:19:15.340.1 SwitchA TUNNEL/7/debug:GRE_KEEP:Judge keepalive fin
ished. Received keepalive response packet from peer router.
Oct 26 2008 20:19:15.340.2 SwitchA TUNNEL/7/debug:GRE_FWD: Receive the respons
e keepalive packet on mainboard successfully, keepalive finished.
----End
Configuration Files
#
sysname SwitchA

#
vlan batch 10
#
interface Vlanif10
ip address 20.1.1.1 255.255.255.0
#
#
ip address 40.1.1.1 255.255.255.0
source 20.1.1.1
keepalive period 20
#
return

#
sysname SwitchB
#
vlan batch 20
#
interface Vlanif20
ip address 30.1.1.2 255.255.255.0
#
#
ip address 40.1.1.2 255.255.255.0
source 30.1.1.2
keepalive period 20
#
return

Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration
3 BGP MPLS IP VPN Configuration
About This Chapter
This chapter describes the BGP/MPLS IP VPN configuration, including the introduction to the
BGP/MPLS IP VPN, common networking of the BGP/MPLS IP VPN, and configurations to
ensure the reliability of the BGP/MPLS IP VPN.
3.1 Introduction to BGP/MPLS IP VPN

This section describes the concepts and roles of the PE, P, and CE.
3.2 BGP/MPLS IP VPN Features Supported by the S7700
The S7700 supports basic and typical networking of the BGP/MPLS IP VPN, and such features
as reliability and QoS of the BGP/MPLS IP VPN.
3.3 Configuring a VPN Instance
A VPN instance isolates VPN routes from public network routes.
3.4 Configuring Basic BGP/MPLS IP VPN
The basic BGP/MPLS IP VPN refers to a VPN that is established on one SP's MPLS backbone
network that does not span multiple ASs. The role of each PE, P, or CE of the basic BGP/MPLS
IP VPN is unique. For example, a router cannot function as both a PE and a CE.
3.5 Configuring Hub and Spoke
In the networking of Hub and Spoke, an access control device is specified in the VPN, and users
communicate with each other through the access control device.
3.6 Configuring Inter-AS VPN Option A
In inter-AS VPN OptionA, an ASBR takes the peer ASBR as its CE and advertises VPNv4 routes
to the peer ASBR through EBGP.
3.7 Configuring Inter-AS VPN Option B
In inter-AS VPN OptionB, through MP-EBGP, two ASBRs receive VPNv4 routes from PEs in
their respective ASs and then exchange the VPNv4 routes with each other.
3.8 Configuring HoVPN
HoVPN indicates a hierarchical VPN, in which multiple PEs play different roles and form a
hierarchical structure. In this manner, these PEs function as one PE, and the performance
requirement for PEs are lowered.
3.9 Configuring OSPF Sham Link

This section describes how to configure the routes that traverse the MPLS VPN backbone
network to be the routes of the OSPF area. After the configuration, traffic between sites of the
same VPN in the same OSPF area need not be forwarded through routes of the OSPF area.
3.10 Configuring a Multi-VPN-Instance CE
By using OSPF multi-instance on CEs, you can implement service isolation on the LAN.
3.11 Connecting VPN and the Internet
Generally, users within a VPN can communicate only with each other instead of with Internet
users, and the VPN users cannot access the Internet. If each site of the VPN needs to access the
Internet, you need to configure the interconnection between the VPN and the Internet.
3.12 Configuring VPN FRR
In the networking of CE dual-homing, you can configure VPN FRR to ensure the end-to-end
VPN service fast switchover if the PE fails.
3.13 Configuring VPN GR
In the process of master/slave control board switchover or the system upgrade, you can configure
VPN GR to ensure that VPN traffic is not interrupted on the PE, CE, or P.
3.14 Configuring Route Reflection to Optimize the VPN Backbone Layer
Using an RR can reduce the number of MP IBGP connections between PEs. This not only reduces
the burden of PEs but also facilitates network maintenance and management.
3.15 Configuring Route Reflection to Optimize the VPN Access Layer
If a PE and the connected CEs are in the same AS, you can deploy a BGP route RR to reduce
the number of IBGP connections between CEs and facilitate maintenance and management.
3.16 Maintaining BGP/MPLS IP VPN
This section describes how to maintain the BGP/MPLS IP VPN, which involves L3VPN traffic
checking, network connectivity monitoring, BGP connection resetting.
This section provides several configuration examples of VPN networking. In each configuration
example, the networking requirements, configuration roadmap, configuration notes,
configuration procedures, and configuration files are described.

3.1 Introduction to BGP/MPLS IP VPN

This section describes the concepts and roles of the PE, P, and CE.
BGP/MPLS IP VPN is a PE-based L3VPN technology used in the Provider Provisioned VPN
(PPVPN) solution. BGP/MPLS IP VPN uses BGP to advertise VPN routes and MPLS to forward
VPN packets on the provider's backbone network.
Characterized by flexible networking modes, excellent extensibility, and convenient support for
MPLS QoS and MPLS TE, BGP/MPLS IP VPN is widely used.
Figure 3-1 shows the networking diagram of BGP/MPLS IP VPN.
Figure 3-1 BGP/MPLS IP VPN model
VPN 1 Service VPN 2

Site CE CE Site
provider's
P backbone P
PE
PE
PE
VPN 2 P VPN 1
CE P CE
Site Site
The BGP/MPLS IP VPN model consists of the following parts:

l A Customer Edge (CE) is an edge device on the customer network, which has one or more
interfaces directly connected to the service provider network. A CE can be a switch, a
router or a host. Mostly, CEs cannot "sense" the existence of the VPN, and do not need to
support MPLS.
l A Provider Edge (PE) is an edge device on the provider network, which is directly connected
to the CE. In the MPLS network, PEs perform all the VPN-related processing.
l A Provider (P) is a backbone device on the provider network, which is not directly
connected to the CE. Ps only need to possess basic MPLS forwarding capabilities and do
not need to maintain information about VPNs.
l A site is a group of IP systems that have IP connectivity among themselves without being
connected to the service provider network. A site is connected to the provider network
through the CE. A site may contain many CEs, but a CE belongs only to a single site.
3.2 BGP/MPLS IP VPN Features Supported by the S7700

The S7700 supports basic and typical networking of the BGP/MPLS IP VPN, and such features
as reliability and QoS of the BGP/MPLS IP VPN.

Basic Networking
The S7700 uses the Multi-protocol Extensions for Border Gateway Protocol (MP-BGP) to
achieve the VPN route exchange between PEs. The static route, Routing Information Protocol
(RIP) multi-instance, Open Shortest Path First (OSPF) multi-instance, Intermediate System-to-
Intermediate System (IS-IS) multi-instance, or external BGP (EBGP) can be used to exchange
routes between a PE and a CE. In addition, by using VPN targets to control the transmission of
VPN routes, the S7700 can implement multiple VPN networking topologies including Intranet,
Extranet, and Hub&Spoke.
Typical Networking
The S7700 supports the following typical VPN networking:
l Inter-AS VPN
If a VPN backbone network spans multiple ASs, the inter-AS VPN must be configured.
Currently, the S7700 supports inter-AS VPN Option A and Option B.
l HoVPN
To relieve the stress on a PE, the Hierarchy of VPN (HoVPN) can be configured. A device
on the convergence layer or the access layer is selected as the Underlayer Provider Edge
(UPE), which works jointly with the PE, that is, the Superstratum Provider Edge (SPE) on
the backbone layer, to implement the functions of the PE.
l OSPF sham link
If OSPF runs between the PE and CE, an OSPF sham link can be configured to solve the
following problem: OSPF does not select the private route passing through the MPLS
backbone network, because the intra-area route passing through the backdoor link takes
precedence over the private route, as shown in Figure 3-2.
Figure 3-2 Schematic diagram of sham link
MPLS VPN backbone
sham link PE2

PE1
Area 1
Area 1
OSPF 200
OSPF 200
CE22
CE12
VPN1
VPN1
site3
site1 backdoor
l Multi-VPN-Instance CE
The Multi-VPN-Instance CE can be configured to improve the routing capability of the
LAN, solve the security problem of the LAN at a low cast, and ensure that the LAN services

are safely differentiated. Currently, LAN services can be differentiated by utilizing VLAN
switches, but they have a weak routing capability.
l VPN and Internet interworking
The S7700 implements interworking between VPNs and the Internet by configuring static
routes on PEs.
Reliability
To improve the reliability of a VPN, generally, the following networking modes are adopted.
l The backbone network is an MPLS network, on which the devices adopt hierarchical
backup and are fully connected through high-speed interfaces. If there are many PEs on
the network, the BGP route reflector is deployed to reflect IPv4 VPN routes in order to
decrease the number of Multi-Protocol internal BGP (MP IBGP) connections.
l Either a mesh topology or a ring topology is used at the convergence layer based on the
requirements.
l The dual-homed CE or multi-homed CE is deployed on the access layer.
The S7700 supports VPN FRR in a VPN network where the dual-homed CE reside. After a PE
fails, VPN FRR ensures that the VPN service from CE to CE is quickly switched to the remaining
PEs.
The IP FRR feature can be configured to ensure that VPN traffic can rapidly switch to another
link between the PE and the other CE, when two CEs at a site access a PE, and a link between
one CE and the PE fails.
VPN Graceful Restart (GR), a feature that can improve the reliability of a VPN, can also be
deployed. After the deployment of VPN GR, the VPN traffic is not interrupted in the master/
slave switchover process on the switch (PE, P, or CE). This reduces the impact of a single point
failure on VPN services.
Interfaces Bound to VPN Instances

A VPN instance needs to be bound to the interface on the PE that is connected to the CE. After
being bound, the interface functions as the private network interface. The packets entering the
VPN instance through this interface are forwarded according to forwarding information in the
VPN instance. By default, an interface is a public network interface and is not bound to any VPN
instance.
The S7700 can bind VLANIF interfaces, XGE sub-interfaces, GE sub-interfaces, Ethernet sub-
interfaces, Eth-Trunk sub-interfaces, Ethernet port (Ethernet 0/0/0) , and GRE tunnel interfaces
to VPN instances. On the S7700, IP addresses cannot be assigned to GE interfaces, Eth-Trunk
interfaces, and Ethernet interfaces (excluding management network ports) and these interfaces
cannot be bound to VPN instances.
For details on how to bind sub-interfaces to VPN instances, see Configuring a Sub-interface to
Access an L3VPN in the Quidway S7700 Smart Routing Switch Configuration Guide -
Ethernet.
3.3 Configuring a VPN Instance

A VPN instance isolates VPN routes from public network routes.


Before configuring a VPN instance, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.
In BGP/MPLS IP VPN, each VPN is instantiated, and the instances of private forwarding
information of each VPN are established, that is, a VPN instance is established. A VPN instance
is also called the VPN Routing and Forwarding (VRF) table. In RFC 4364 (BGP/MPLS IP
VPNs), a VPN instance is called the per-site forwarding table.
The VPN instance is used to separate the VPN routes from public routes. In all the BGP/MPLS
IP VPN networking scenarios, you should configure VPN instances.
The VPN instance can realize the separation of address spaces based on the Router Distinguisher
(RD), and can control VPN membership and routing rules based on the VPN target attribute.
In addition, to achieve enhanced routing control, you can also enforce inbound and outbound
routing policies. The inbound routing policy is used to filter the routes imported into the VPN
instance, and the outbound routing policy is used to filter the routes advertised to other PEs.
Before configuring a VPN instance, complete the following tasks:
l Configuring routing policies if import or export routing policies need to be applied to the
VPN instance
Data Preparation
To configure a VPN instance, you need the following data.
No. Data
2 (Optional) Description of the VPN instance
3 RD, VPN target attribute of the VPN instance
4 (Optional) Maximum number of routes allowed by the VPN instance
5 (Optional) Routing policy that controls the receiving and sending of VPN routes
6 (Optional) Tunnel policy
3.3.2 Creating a VPN Instance

Configuring a VPN instanceis the preliminary step for configuring other VPN attributes. After
a VPN instance is configured, a VPN routing and forwarding table is created.

Context
Do as follows on the PE that is connected to the CE:
Procedure
Step 1 Run:
system-view
Step 2 Run:
A VPN instance is created, and the VPN instance view is displayed.
NOTE
The name of the VPN instance is case sensitive. For example, vpn1 and VPN1 are considered as different
VPN instances.
No default VPN instance exists on a PE, and multiple VPN instances can be created on the PE.
Step 3 Run:
The RD of the VPN instance is configured.
A VPN instance takes effect only after the RD is configured. The RDs of the VPN instances on
the same PE must be different from each other.
Before the RD is configured, no other parameters can be configured except for the VPN instance
description.
NOTE
An RD cannot be changed or deleted once it is configured. To change an RD, first, delete the VPN instance,
and then re-configure a VPN instance and an RD. To delete the RD, you only need to delete the VPN
instance.

description description-information
The description of the VPN instance is configured.
The description of a VPN instance functions the same as the description of a host name or an
interface. It is recommended that the proper description be configured.
----End
3.3.3 Configuring Attributes for the VPN Instance

To facilitate management of routes of the VPN instance , you also need to configure other VPN
attributes, such as the VPN target, route limit, and routing policy.
Context
Do as follows on the PE that is configured with VPN instances.

NOTE
It is recommended to perform either Step 4 or Step 5.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]
The VPN target extended community attribute for the VPN instance is created.
VPN target is the extended community attribute of the Border Gateway Protocol (BGP). It
controls the import and export of VPN routes. You can configure a maximum of 8 VPN targets
with a command.
routing-table limit number { alert-percent | simply-alert }
The maximum number of routes of the VPN instance is configured.

You can define the maximum number of routes for a VPN instance to prevent the PE from
importing too many routes from the CE.
NOTE
If the routing-table limit command is run, the system gives a prompt when the number of routes injected
into the routing table of the VPN instance exceeds the maximum. If the routing-table limit command is
run to increase the maximum number of routes supported in a VPN instance or the undo routing-table
limit command is run to remove the limit on the routing table, for excess routes, the following operations
are required:
l For the excessive static routes, you need to reconfigure them manually.
l For the excessive routes learnt from CEs through the IGP multi-instance routing protocol, you need to
re-initiate the multi-instance process of the routing protocol on the PE.
For the remote cross routes learnt through the MP-IBGP and the BGP routes learnt from CEs, the system
automatically refreshes them.

prefix limit number { alert-percent [ route-unchanged ] | simply-alert }
The maximum number of prefixes of the VPN instance is configured.

You can define the maximum number of prefixes for a VPN instance to avoid importing too
many prefixes from the CE.
limit-log-interval interval
The frequency of displaying logs when the number of routes exceeds the threshold is configured.
import route-policy policy-name

The inbound routing policy of the VPN instance is configured.

export route-policy policy-name
The outbound routing policy of the VPN instance is configured.
----End
3.3.4 (Optional) Applying a Tunnel Policy to the VPN Instance

By applying a tunnel policy to a VPN instance, you can specify the tunnel for VPN traffic
forwarding.
Context
By default, the VPN instance uses an MPLS LSP as the tunnel and no load balancing is carried
out.
Do as follows on the PE configured with VPN instances.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
A tunnel policy is applied to the VPN instance.
----End
3.3.5 (Optional) Configuring MPLS Label Allocation Based on the

VPN Instance
This section describes how the MPLS label is allocated in a VPN instance . To be specific, how
the local PE allocates the same MPLS label for all routes of the VPN instance. If there are a
large number of VPN routes, you can reduce the number of MPLS labels maintained by PEs.
Context
Do as follows on the PE configured with VPN instances.
Procedure
Step 1 Run:
system-view


Step 2 Run:

Step 3 Run:
apply-label per-instance
The MPLS label is allocated based on the VPN instance, which ensures that all the routes in a
VPN instance use the same MPLS label.
Generally, MPLS label allocation is in one label per route mode. When the number of routes
becomes larger, more labels are required.
Therefore, MPLS label allocation based on the VPN instance is introduced and provided by the
S7700. In this manner, all the routes of a VPN instance share the same MPLS label.
----End

After configuring a VPN instance, you can view information about it on the local device,
including RD attributes and other attributes.
Prerequisite
The functions of the VPN instance are fully configured.
Procedure
l Run the display ip vpn-instance verbose vpn-instance-name command to check detailed
information about the VPN instance.
l Run the display ip vpn-instance vpn-instance-name command to check brief information
about the VPN instance.
----End
Example
Run the display ip vpn-instance command. If brief information including the RD and creating
time about the VPN instance is displayed, it means that the configuration succeeded. For
example:
<Quidway> display ip vpn-instance vpna
VPN-Instance Name RD Creation Time
vpn1 100:1 2010/06/19 02:08:54 UTC-0
3:00 DST
Run the display ip vpn-instance verbose command. If detailed information about the VPN
instance is displayed, it means the configuration succeeded. For example:
<Quidway> display ip vpn-instance verbose vpn1
VPN-Instance Name and ID : vpn1, 1
Create date : 2008/09/29 14:05:31


Import Route Policy : p1
The VPN QoS configuration information : based on VPN
CIR: 100 PIR: 100
Export Route Policy : p2
Tunnel Policy : po1
Description : This is a VPN for company1
Maximum Routes Limit : 100
Threshold Routes Limit : 90%
Log Interval : 5
3.4 Configuring Basic BGP/MPLS IP VPN

The basic BGP/MPLS IP VPN refers to a VPN that is established on one SP's MPLS backbone
network that does not span multiple ASs. The role of each PE, P, or CE of the basic BGP/MPLS
IP VPN is unique. For example, a router cannot function as both a PE and a CE.

Before configuring the basic BGP/MPLS IP VPN, familiarize yourself with the applicable
The section describes the basic BGP/MPLS IP VPN networking. To be specific, the networking
features only one carrier and one intra-AS MPLS backbone network. In addition, the roles of
the P, PE, and CE are unique. For example, no device serves both as the PE and CE.
For special BGP/MPLS IP VPN networkings such as HoVPN, multi-role host, and inter-AS
VPN, additional configurations are needed. You can refer to the related sections in this chapter
for details.
In terms of the configuration of the BGP/MPLS IP VPN, it is critical for you to configure the
management of the advertisement of VPN routes on the MPLS backbone networks, including
the management of route advertisement between the PE and CE, and between PEs.
You can configure MP-IBGP to exchange routes between PEs. To exchange routes between the
PE and CE, you can configure static routes, RIP multi-instance, OSPF multi-instance, IS-IS
multi-instance, or BGP according to the specific networking situations.
NOTE
If a VPN is used to receive the external routes and the routes advertised by non-PE devices, and then
advertise these routes to PEs, the VPN is called a transit VPN.
If a VPN is used to accept the internal routes and the routes advertised by PEs, the VPN is called a stub
VPN. In most cases, the static route is only used to exchange routes between the PE and CE in the stub
VPN.
Before configuring basic BGP/MPLS IP VPN, complete the following tasks:
l Configuring IGP for the MPLS backbone network (PE, P) to implement IP connectivity
l Configuring basic MPLS functions and MPLS LDP for the MPLS backbone network (PE,
P)

l Configuring tunnels between PEs based on the tunnel policy

l Configuring the IP address for the CE interface that is connected to the PE
Data Preparation
To configure basic BGP/MPLS IP VPN, you need the following data.
No. Data
1 To configure a VPN instance, you need the following data:

l Name of the VPN instance
l (Optional) Description of the VPN instance
l RD, VPN target attribute of the VPN instance
l (Optional) Routing policy used to control the sending and receiving of VPN routes
l (Optional) Tunnel policy
l (Optional) Maximum number of routes permitted in a VPN instance
2 IP address of the PE interface that is connected to the CE
3 Route-exchanging mode between the PE and CE, which can be the static route, RIP,
OSPF, IS-IS, or BGP
4 AS number of the PE
5 IP address and interface of the PE used to establish the BGP peer relationship
3.4.2 Configuring a VPN Instance

This part describes how to configure a VPN instance to manage VPN routes.
Context
For the details, see Configuring VPN Instances.
3.4.3 Binding an Interface with a VPN Instance

After associating an interface with a VPN instance, you can change the interface to a VPN
interface. As a result, packets that pass through the interface are forwarded according to the
forwarding information of the VPN instance, and Layer 3 attributes such as the IP address and
routing protocol that are configured for the interface, are deleted. These Layer 3 attributes need
to be re-configured if required.
Context
Do as follows on the PE that is connected to the CE.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of the interface that is to be bound with the VPN instance is displayed.
The XGE, GE, Eth-Trunk, and Ethernet interfaces (excluding Ethernet 0/0/0) cannot be bound
to VPN instances.
Step 3 Run:
The interface is bound to the VPN instance.
NOTE
The running of the ip binding vpn-instance command on an interface can delete the Layer 3 attributes,
Step 4 Run:
ip address ip-address { mask | mask-length }
The IP address is configured.
----End
3.4.4 Configuring MP-IBGP Between PEs

By importing extended community attributes to BGP, MP-IBGP can advertise VPNv4 routes
between PEs.
Context
Do as follows on the PE that is connected to the CE:
Procedure
Step 1 Run:
system-view
Step 2 Run:
bgp as-number
The BGP view is displayed.
Step 3 Run:
peer ipv4-address as-number as-number
The remote PE is specified as the peer.
Step 4 Run:
peer ipv4-address connect-interface loopback interface-number
The interface used to set up the TCP connection is specified.

NOTE
The 32-bit mask IP addresses of the loopback interfaces must be used to establish the MP-IBGP peer
relationship between PEs. This can ensure the tunnel can be iterated. The route destined to the loopback
interface is advertised to the remote PE based on IGP on the MPLS backbone network.
Step 5 Run:
ipv4-family vpnv4
The BGP VPNv4 sub-address family view is displayed.

Step 6 Run:
peer ipv4-address enable
The VPN IPv4 routing information can be exchanged between the peers.
----End
3.4.5 Configuring a Routing Protocol Between a PE and a CE

The routing protocol between a PE and a CE can be EBGP, IBGP, static route, RIP, OSPF, or
IS-IS. You can choose any of them as required in the configuration process.
Context
Select one of the following configurations as required:
l Configuring EBGP between a PE and a CE
l Configuring IBGP between a PE and a CE
l Configuring the static route between a PE and a CE
l Configuring RIP between a PE and a CE
l Configuring OSPF between a PE and a CE
l Configuring IS-IS between a PE and a CE
Procedure
l Configure EBGP between s PE and a CE.
1. Run:
system-view

2. Run:
bgp as-number

3. Run:
ipv4-family vpn-instance vpn-instance-name
The BGP VPN instance view is displayed.

4. (Optional) Run:
as-number as-number
An AS number for the VPN instance is specified.

During network transfer or service identification, a device needs to be simulated as

multiple BGP devices logically. In this case, you can run the as-number command
to configure an AS number for each VPN instance.
NOTE
The AS number configured in the BGP-VPN instance view cannot be the same as the AS
number configured in the BGP view.
5. Run:
The CE is specified as the peer of the VPN.

6. (Optional) Run:
peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]
The maximum number of hops is configured for the EBGP connection.
Generally, one or multiple directly-connected physical links exist between EBGP

peers. If the directly-connected physical link(s) are not available, you must run the
peer ebgp-max-hop command to ensure that the TCP connection can be set up
between the EBGP peers through multiple hops.
7. (Optional) When the direct route of the local CE needs to be imported to the VPN
routing table (for being advertised to the remote PE), you can choose either of the
following configurations:
Run the import-route direct [ med med | route-policy route-policy-name ]*
command to import the direct routes of the local CE into the VPN routing table.
Run the network ipv4-address [ mask | mask-length ] [ route-policy route-policy-
name ] command to import a specific direct route of the local CE into the VPN
routing table.
NOTE
The PE can automatically learn the direct route destined for the local CE, and the learnt
direct route has a higher priority than the direct route that is advertised by the local CE
based on EBGP. Therefore, if this step is not configured, the PE cannot advertise the direct
route to the remote PE based on MP-BGP.
8. (Optional) Run:
peer ip-address allow-as-loop [ number ]
The loop is allowed.
This Step is optional and used in the Hub and Spoke networking.
Generally, BGP uses the AS number to detect a loop. In the Hub and Spoke
networking, however, if EBGP runs between the PE and the CE at the Hub site, the
Hub-PE carries the local AS number when advertising routes to the Hub-CE.
Therefore, the PE denies the subsequent routing update from the Hub-CE. To ensure
the proper transmission of routes in the Hub and Spoke networking, you need to
configure all the BGP peers along the path, used for the Hub-CE to advertise private
network routes to the Spoke-CE, and to accept the routes with the AS number repeated
once.
9. (Optional) Run:
peer ip-address substitute-as
The AS number substitution is enabled for BGP.

This Step is used for the networking scenario where physically-dispersed CEs use the
same AS number. The configuration is performed on the PE.
CAUTION
In the case of multi-homed CE, the BGP AS substitution function may lead to route
loops.
NOTE
Compared with the BGP view, the BGP-VPN instance view does not support the following
commands:
l BGP confederation: confederation
l BGP graceful restart: graceful-restart
l Router ID of BGP: router-id
l Synchronization between BGP and IGP: synchronization
l BGP timer: timer
Do as follows on the CE:
1. Run:
system-view

2. Run:
bgp as-number

3. Run:
The PE is specified as the peer of the VPN.

4. (Optional) Run:

Generally, one or multiple directly-connected physical link(s) exist between a pair of
EBGP peers. If not, you must use the peer ebgp-max-hop command to ensure that
the TCP connection can be set up between the EBGP peers through multiple hops.
5. Run:
import-route { direct | static | rip process-id | ospf process-id | isis
process-id } [ med med | route-policy route-policy-name ]*
Routes of the local site are imported.

The CE must advertise the reachable VPN segment addresses to the attached PE.
Through the PE, the addresses are advertised to the remote CEs. In applications, the
types of routes to be imported may be different.
l Configure IBGP between a PE and a CE.
1. Run:

system-view

2. Run:
bgp as-number

3. Run:
The BGP-VPN instance view is displayed.

4. (Optional) Run:
as-number as-number
An AS number for the VPN instance is specified.

to configure an AS number for each VPN instance.
NOTE
The AS number configured in the BGP-VPN instance view cannot be the same as the AS
5. Run:
The CE is specified as the peer of the VPN.

6. (Optional) When the direct route of the local CE need be imported to the VPN routing
table (for being advertised to the remote PE), select either of the following
configurations:
Run the import-route direct [ med med | route-policy route-policy-name ]*
command to import the direct routes of the local CE to the VPN routing table..
Run the network ipv4-address [ mask | mask-length ] [ route-policy route-policy-
name ] command to import a specific direct route of the local CE to the VPN routing
table.
NOTE
The PE can automatically learn the direct route to the local CE. The route has a higher priority
than the direct route that is advertised by IBGP. Therefore, if this step is not performed, the PE
does not advertise the direct route to the remote PE by using MP-BGP.
1. Run:
system-view

2. Run:
bgp as-number

3. Run:
The PE is specified as the IBGP peer.

4. Run:
import-route { direct | static | rip process-id | ospf process-id | isis
process-id } [ med med | route-policy route-policy-name ]*
The route is imported to the local CE.
The CE advertises its VPN network segment to the connected PE, and the PE then
advertises the address to the remote CE. Note that the type of the imported route may
vary with different networking modes.
l Configure the static route between a PE and a CE.
Do as follows on the PE. The CE is configured with the static route, and the configurations
are common, therefore not mentioned here.
NOTE
For details, see Quidway S7700 Smart Routing Switch Configuration Guide - IP Routing.
1. Run:
system-view

2. Run:
ip route-static vpn-instance vpn-source-name destination-address { mask
| mask-length } interface-type interface-number [ nexthop-address ]
[ preference preference | tag tag ] *
The static route is configured for the specified VPN instance.

3. Run:
bgp as-number

4. Run:

5. Run:
import-route static [ med med | route-policy route-policy-name ]*
The configured static route is imported into the routing table of the BGP VPN instance.
l Configure RIP between a PE and a CE
Do as follows on the PE. The CE is configured with RIPv1 or RIPv2, and the configurations
are common, therefore not mentioned here.
NOTE
1. Run:
system-view

2. Run:
rip process-id vpn-instance vpn-instance-name
The RIP instance is created between the PE and the CE and the RIP view is displayed.

A RIP process belongs to only one VPN instance. If you run a RIP process without
binding it to a VPN instance, this process is considered as a public network process.
A RIP process that belongs to a public network cannot be bound with a VPN instance.
3. Run:
network network-address
The RIP is configured on the network segment of the interface bound with the VPN
instance.
4. Run:
import-route bgp [ cost { cost | transparent } | route-policy route-policy-
name ]*
The BGP route is imported.

After the running of the import-route bgpcommand in the RIP view, the PE imports
the VPN-IPv4 routes learnt from the remote PE into the RIP, and then advertises them
to its CE.
5. Run:
quit
Return to the system view.

6. Run:
bgp as-number

7. Run:

8. Run:
import-route rip process-id [ med med | route-policy route-policy-name ]*
The RIP route is imported into the routing table of the BGP VPN instance.
After the configuration of the import-route ripcommand in the BGP VPN view, the
PE imports the VPN routes learnt from its CE into BGP, forms them into VPN-IPv4
routes, and advertises them to the remote PE.
NOTE
After a VPN instance is deleted, all the associated RIP processes are deleted.
l Configure OSPF between a PE and a CE
Do as follows on the PE. The CE is configured with OSPF. The configurations are common,
therefore not mentioned here.
NOTE
1. Run:
system-view

2. Run:
ospf process-id [ router-id router-id ] vpn-instance vpn-instance-name
The OSPF instance is created between the PE and the CE, and the OSPF view is
displayed.

An OSPF process belongs to only one VPN instance. If you run an OSPF process
without binding it to a VPN instance, this process is considered as a public network
process. An OSPF process that belongs to a public network cannot be bound with a
VPN instance.
The OSPF processes that are bound to the VPN instance do not use the public network
Router ID configured in the system view. You need to specify the router ID when
starting an OSPF process. Otherwise, according to the router ID selecting rule, the IP
address of any interface that is bound to the VPN instance is selected as the router ID
in the OSPF process.
3. (Optional) Run:
domain-id domain-id [ secondary ]
The domain ID is configured.
The domain ID can be expressed by an integer or in dotted decimal notation.
You can configure two domain IDs for each OSPF process. The domain IDs of
different processes are independent of each other.
There is no limitation to configure the domain IDs of the OSPF processes in different
VPNs on the PE. But, all the OSPF processes in one VPN should be configured with
the same domain ID to ensure correct routing advertisement.
The domain ID of an OSPF process is contained in the routes generated by this process.
When the OSPF routes are imported into BGP, the domain ID is added into the BGP
VPN route and is transmitted as the BGP extended community attribute.
By default, the domain ID is 0.

4. (Optional) Run:
route-tag tag
The VPN route tag is configured.
By default, OSPF automatically allocates the VPN route tag according to the
algorithm:
If the BGP process is not started on the local device, the tag value is 0 by default.
If the BGP process is started on the local device, the first two bytes of the tag value
are fixed as 0xD000, and the last two bytes are the local AS number by default.
That is, the tag value equals 3489660928 plus the local AS number.
5. Run:
import-route bgp [ cost cost | route-policy route-policy-name | tag tag |
type type ] *

6. Run:
area area-id
The OSPF area view is displayed.

7. Run:
network ip-address wildcard-mask
OSPF is run on the network segment where the interface bound to the VPN instance
resides.

A network segment can belong to only one area. That is, you must specify to which
area each OSPF interface belongs.
OSPF can run on an interface if the following conditions are true:
The mask length of the IP address on the interface must be equal to or longer than
the wildcard-mask specified in the network command.
The primary IP address of the interface must be located in the network segment
specified in the network command.
For a loopback interface, OSPF advertises the IP address of the loopback interface as
a 32-bit host route by default, which bears no relation to the mask length configured
on the interface.
8. Run:
quit
Return to the OSPF view.

9. Run:
quit

10. Run:
bgp as-number

11. Run:

12. Run:
import-route ospf process-id [ med med | route-policy route-policy-name ]*
The OSPF route is imported into the routing table of the BGP VPN instance.
NOTE
After a VPN instance is deleted, all related OSPF processes are deleted.
l Configuring IS-IS between PE and CE
Do as follows on the PE. The CE is configured with IS-IS. The configurations are common,
therefore not mentioned here.
NOTE
1. Run:
system-view

2. Run:
isis process-id vpn-instance vpn-instance-name
The IS-IS instance between the CE and the PE is created and the IS-IS view is
displayed.
An IS-IS process belongs to only one VPN instance. If you run an IS-IS process
without binding it to a VPN instance, this process is considered as a public network

process. An IS-IS process that belongs to a public network cannot be bound with a
VPN instance.
3. Run:
network-entity net
The Network Entity Title (NET) is configured.
An NET defines the address of the current IS-IS area and the system ID of the
switch. A maximum of three NETs can be configured for one process on a switch.
4. (Optional) Run:
is-level { level-1 | level-1-2 | level-2 }
The level of the switch is configured.
By default, the level of a switch is Level-1-2.

5. Run:
import-route bgp [ cost-type { external | internal } | cost cost | tag
tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ]
*

6. Run:
quit

7. Run:
The view of the interface bound to the VPN instance is displayed.

8. Run:
isis enable [ process-id ]
IS-IS is enabled on the interface.

9. Run:
quit

10. Run:
bgp as-number

11. Run:

12. Run:
import-route isis process-id [ med med | route-policy route-policy-name ]*
The IS-IS route is imported into the routing table of the BGP VPN instance.
NOTE
After the VPN instance is deleted, all IS-IS processes are deleted.
----End


After configuring the basic BGP/MPLS IP VPN function, you can view IPv4 VPN information
about the local and remote sites on the PE or the CE.
Prerequisite
The configurations of the basic BGP/MPLS IP VPN function are complete.
Procedure
l Run the display ip routing-table vpn-instance vpn-instance-name command to check
routing information about the specified VPN instance on the PE.
l Run the display ip routing-table command to check routing information on the CE.
----End
Example
Run the display ip routing-table vpn-instance vpn-instance-name command. If the VPN routes
related to the CE are displayed, it means the configuration succeeded.
Run the display ip routing-table command. If the routes to the peer CE are displayed on the
CE, it means the configuration succeeded.

In the networking of Hub and Spoke, an access control device is specified in the VPN, and users
communicate with each other through the access control device.

Before configuring the networking of Hub and Spoke, familiarize yourself with the applicable
If it is required that all the users must access to a central access control device, the Hub and
Spoke networking is adopted. In the Hub and Spoke network, all the Spoke stations communicate
through the Hub station.
Pre-configuration Task
Before configuring Hub and Spoke, complete the following tasks:
l Configuring IGP on PE devices and P devices in the MPLS backbone network

l Configuring basic MPLS capability on PE devices and P devices in the MPLS backbone
network
l Configuring the IP addresses, through which the CE devices access the PE devices, on the
CE devices

Data Preparation
Before configuring Hub and Spoke, you need the following data.
No. Data
1 To configure a VPN instance, you need the following data:

l (Optional) Routing policy
l (Optional) Maximum number of route permitted in a VPN instance
2 IP addresses through which the CE devices access the PE devices
3 Data for route configuration (static route, RIP, OSPF, IS-IS, or EBGP) between Hub-
PE and Hub-CE, and Spoke-PE and Spoke-CE
3.5.2 Creating a VPN Instance

This part describes how to configure a VPN instance to manage VPN routes.
Context
Configure the VPN instance on each Spoke-PE and Hub-PE.
Every Spoke-PE is configured with a VPN instance, while each Hub-PE is configured with the
following two VPN instances:
l VPN-in: It receives and maintains all the VPNv4 routes advertised by all the Spoke-PEs.
l VPN-out: It maintains the routes of all the Hub stations and Spoke stations and advertises
those routes to all the Spoke-PEs.
NOTE
l Different VPN instances on a device have different names, RDs, and description.
l It is recomended to perform either Step 6 or Step 7.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The VPN instance is created and the VPN instance view is displayed.
The name of the VPN instance is case sensitive. For example, vpn1 and VPN1 are considered
as different VPN instances.


The description about the VPN instance is configured.

The description can be used to record the relationship between a VPN instance and a certain
VPN.
Step 4 Run:

A VPN instance takes effect only after the RD is configured. Before configuring the RD, you
can configure only the description about the VPN instance.
The label is allocated based on VPN instance. That is, all the routes in a VPN instance use the
same label.
The MPLS labels are generally allocated on a one label per route basis.
The S7700 provides the feature of the MPLS label allocation based on the VPN instance, that
is, all the routes of a VPN instance share the same label.

You can define the maximum number of routes for a VPN instance to avoid importing too many
routes.
NOTE
into the routing table of the VPN instance exceeds the upper limit. If the routing-table limit command is
run to increase the maximum number of routes supported in a VPN instance or the undo routing-table
are required:
l For the remote cross routes learnt through the MP-IBGP and the BGP routes learnt from CEs, the
system automatically refreshes them.


You can define the maximum number of prefixes for a VPN instance to avoid importing too
many prefixes.
----End

3.5.3 Configuring Route Attributes of the VPN Instance

This part describes how to configure the VPN target to control route advertisement and
acceptance.
Procedure
l Configuring Hub-PE
1. Run:
system-view

2. Run:
ip vpn-instance vpn-instance-name1
The VPN instance view of the VPN-in is displayed.

3. Run:
vpn-target vpn-target1 &<1-8> import-extcommunity
The VPN target extended community for the VPN instance is created to import the
IPv4 routes advertised by all the Spoke-PEs.
vpn-target1 lists the Export VPN targets advertised by all the Spoke-PEs.
4. (Optional) Run:
The import routing policy of the VPN instance is configured.

5. (Optional) Run:
The export routing policy of the VPN instance is configured.

6. Run:
quit

7. Run:
The VPN instance view of the VPN-out is displayed.

8. Run:
vpn-target vpn-target2 &<1-8> export-extcommunity
The VPN target extended community for the VPN instance is created to advertise the
routes of all the Hubs and the Spokes.
vpn-target2 lists the Import VPN targets advertised by all the Spoke-PEs.
9. (Optional) Run:

10. (Optional) Run:

l Configuring Spoke-PE
1. Run:
system-view

2. Run:
The VPN instance view of the VPN-in is displayed.

3. Run:
The VPN target extended community for the VPN instance is created to import the
IPv4 routes advertised by all the Hub-PEs.
vpn-target2 should be included in the export VPN target list of the Hub-PE.
4. Run:
The VPN target extended community for the VPN instance is created to advertise the
IPv4 routes of stations the Spoke-PE accesses.
vpn-target1 should be included in the import VPN target list of the Hub-PE.
5. (Optional) Run:

6. (Optional) Run:
----End
3.5.4 Binding an Interface with the VPN Instance

After associating an interface with a VPN instance, you can change the interface to a VPN
forwarding information of the VPN instance, and such Layer 3 attributes as IP address and
routing protocol that are configured for the interface are deleted. These Layer 3 attributes need
Context
The configuration on the Hub-PE involves two interfaces or sub-interfaces: one is bound with
the VPN-in and receives the routes advertised by the Spoke-PE; the other is bound with the
VPN-out and advertises the routes of the Hub and all the Spokes.
Do as follows on the Hub-PE and all the Spoke-PEs.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of the interface that is to be bound with the VPN instance is displayed.
Step 3 Run:
The interface is bound with the VPN instance.
NOTE
The running of the ip binding vpn-instance command on an interface can delete the Layer 3 attributes,
Step 4 Run:
The IP address is configured.
----End
3.5.5 Configuring MP-IBGP Between Hub-PE and Spoke-PE

between PEs.
Context
The Hub-PE must set up the MP-IBGP peer with all the Spoke-PEs. Spoke-PEs need not set up
the MP-IBGP peer between each other.
Do as follows on the Hub-PE and the Spoke-PE.
Procedure
Step 1 Run:
system-view
Step 2 Run:
bgp as-number
Step 3 Run:
Step 4 Run:
The interface to set up the TCP connection is specified.

NOTE
Step 5 Run:
ipv4-family vpnv4 [ unicast ]
The BGP VPNv4 address family view is displayed.
Step 6 Run:
The VPN IPv4 routing information is exchanged between the peers.
----End
3.5.6 Configuring Route Exchange Between PE and CE

The routing protocol between a PE and a CE can be BGP, static route, or IGP. You can choose
any of them as required in the configuration process.
Context
The Hub-PE and the Hub-CE can exchange routes in the following ways.
Procedure
l Configuring EBGP between the Hub-PE and the Hub-CE
In this way, EBGP, IGP, or static routes can be adopted between the Spoke-PE and the
Spoke-CE.
To set up the EBGP peer between the Hub-PE and the Hub-CE and between the Spoke-PE
and the Spoke-CE, do as follows on the Hub-PE:
1. Run:
system-view

2. Run:
bgp as-number

3. Run:

4. Run:
peer ip-address allow-as-loop [ number ]
Allow the routing loop. Here the value of number is set as 1, which means the route
with the AS repeated once can be sent.
l Configuring IGP between the Hub-PE and the Hub-CE

In this way, instead of BGP, IGP or static routes are adopted between the Spoke-PE and
the Spoke-CE. For details, refer to the chapter "BGP/MPLS IP VPN" in the Quidway
S7700 Smart Routing Switch Feature Desripiton- VPN.
l Configuring static routes between the Hub-PE and the Hub-CE
In this way, EBGP, IGP, or static routes can be adopted between the Spoke-PE and the
Spoke-CE.
If the Hub-CE uses the default route to access the Hub-PE, to advertise the default route to
all the Spoke-PEs, do as follows on the Hub-PE:
1. Run:
system-view

2. Run:
ip route-static vpn-instance vpn-source-name 0.0.0.0 0.0.0.0 nexthop-
address [ preference preference | tag tag ]* [ description text ]
Here, vpn-instance-name refers to the VPN-out. nexthop-address is the IP address of

the Hub-CE interface that is connected with the PE interface bound with the VPN-
out.
3. Run:
bgp as-number

4. Run:
The BGP VPN instance view is displayed. vpn-instance-name refers to the VPN-out.
5. Run:
network 0.0.0.0 0
Advertise the default route to all the Spoke-PEs through MP-BGP.

----End
Follow-up Procedure
Choose one of the preceding methods as required. For detailed configurations, see Configuring
a Routing Protocol Between PE and CE.

After the networking of Hub and Spoke is configured, you can view VPN routing information
on the PE or CE.
Prerequisite
The configurations of the Hub and Spoke function are complete.
Procedure
l Run the display ip routing-table vpn-instance vpn-instance-name command to check
routing information about the VPN-in and VPN-out on the Hub-PE.

l Run the display ip routing-table command to check routing information on the Hub-CE
and all the Spoke-CEs.
----End
Example
Run the preceding commands. If the routing table of the VPN-in has routes to all the Spoke
stations, and the routing table of the VPN-out has routes to the Hub and all the Spoke stations,
Additionally, Hub-CE and all the Spoke-CEs have routes to the Hub and all the Spoke stations.
3.6 Configuring Inter-AS VPN Option A

In inter-AS VPN OptionA, an ASBR takes the peer ASBR as its CE and advertises VPNv4 routes
to the peer ASBR through EBGP.

Before configuring inter-AS VPN OptionA, familiarize yourself with the applicable
If the MPLS backbone network bearing the VPN routes is across multiple ASs, you must
configure the Inter-AS VPNs.
The Inter-AS VPN Option A is convenient to implement and is suitable when the amount of the
VPNs and the VPN routes on the PE is small.
In VPN-Option A, the Autonomous System Boundary Routers (ASBRs) must support the VPN
instances and can manage VPN routes. Option A, therefore, requires high performance of the
ASBRs. No inter-AS configuration is needed on the ASBRs.
Before configuring inter-AS VPN Option A, complete the following tasks:
l Configuring IGP for MPLS backbone networks in each AS to keep IP connectivity of the
backbones in one AS
l Enabling MPLS and MPLS LDP on the PE and the ASBR
l Setting up the tunnel (LSP or MPLS TE) between the PE and the ASBR in the same AS
l Configuring the IP address of the CE interface through which the CE accesses the PE
Data Preparation
To configure inter-AS VPN Option A, you need the following data:

No. Data
1 To configure the VPN instance on the PE and the ASBR, you need the following
data:
l (Optional) Routing policy
2 IP address of the PE interface connected with the PE
4 IP addresses of the interfaces connected the ASBRs
5 Routing protocol configured between the PE and the CE: static routes, RIP, OSPF,
IS-IS and BGP
6 IP addresses and interfaces setting up the IBGP peer between the PE and the ASBR
3.6.2 Configuring Inter-AS VPN Option A

The VPN instance configured on a PE is used to access a CE, and the VPN instance configured
on an ASBR is used to access the peer ASBR.
Context
Inter-AS VPN Option A is easy to deploy. When the amount of the VPNs and the VPN routes
on the PE is small, this solution can be adopted.
The configurations of the inter-AS VPN Option A are as follows:
Procedure
Step 1 3.4 Configuring Basic BGP/MPLS IP VPN on each AS
Step 2 Configuring ASBR by considering the peer ASBR as its CE
Step 3 Configuring VPN instances for the PE and the ASBR separately
The VPN instance for PE is used to access CE; that for ASBR is used to access its peer ASBR.
NOTE
In inter-AS VPN Option A mode, for the same VPN, the VPN targets of ASBR and the PE VPN instance
must be matched in an AS. This is not required for the PEs in different ASs.
----End


After configuring inter-AS VPN OptionA, you can view information about all BGP peer
relationships and IPv4 VPN routes on PEs or ASBRs.
Prerequisite
The configurations of the Inter-AS VPN Option A function are complete.
Procedure
l Run the display bgp vpnv4 all peer command to check information about the BGP peers
on the PE or the ASBR.
l Run the display bgp vpnv4 all routing-table command to check the IPv4 VPN routes on
the PE or the ASBR.
VPN routing table on the PE or the ASBR.
----End
Example
After the successful configuration, run the display bgp vpnv4 all peer command on the PE or
the ASBR, and you can view that the BGP VPNv4 peer relationship between the ASBR and the
PE in the same AS is "Established".
Run the display bgp vpnv4all routing-table command on the PE or the ASBR, and you can
view the VPNv4 routes on the ASBR.
Run the display ip routing-table vpn-instance command on the PE or the ASBR, and you can
view all the relevant routes in the VPN routing table.
3.7 Configuring Inter-AS VPN Option B

In inter-AS VPN OptionB, through MP-EBGP, two ASBRs receive VPNv4 routes from PEs in
their respective ASs and then exchange the VPNv4 routes with each other.

Before configuring inter-AS VPN OptionB, familiarize yourself with the applicable
If the MPLS backbone network bearing VPN routes crosses multiple ASs, the inter-AS VPN is
needed. If the ASBR can manage VPN routes, however, there are no enough interfaces for each
inter-AS VPN, the inter-AS VPN Option B is adopted. In this option, the ASBR is involved in
maintaining and advertising VPN IPv4 routes.
Before configuring inter-AS VPN Option B, complete the following tasks:

l Configuring IGP for MPLS backbone networks in each AS to realize IP connectivity of the
backbones in one AS
l Configuring basic MPLS capability and MPLS LDP for the MPLS backbone network
l Configuring VPN Instances on the PE devices connected with the CE devices and
Binding an Interface with a VPN Instance
l Configuring the IP addresses of the CE interfaces through which the CE accesses the PE
Data Preparation
To configure inter-AS VPN Option B, you need the following data.
No. Data
1 To configure the VPN instance on the PE, you need the following data:
l (Optional) Routing policy for controlling the import and export of VPN routes
2 IP address of the PE interface connected with the PE
4 IP addresses of the interfaces connected the ASBRs
5 Routing policy configured between the PE and the CE: static routes, RIP, OSPF, IS-
IS and BGP
6 IP addresses and interfaces setting up the IBGP peer between the PE and the ASBR
3.7.2 Configuring MP-IBGP Between PEs and ASBRs in the Same

AS
between the PE and the ASBR.
Context
Do as follows on the PE and the ASBR in the same AS.
Procedure
Step 1 Run:
system-view

Step 2 Run:
bgp as-number


Step 3 Run:
The peer ASBR is specified as the IBGP peer.

Step 4 Run:
The loopback interface is specified as the outgoing interface of the BGP session.
NOTE
Step 5 Run:
The BGP-VPNv4 address family is displayed.

Step 6 Run:
The exchange of IPv4 VPN routes between PE and ASBR in the same AS is enabled.
----End
3.7.3 Configuring MP-EBGP Between ASBRs in Different ASs

After the MP-EBGP peer relationship is established between ASBRs, either ASBR can advertise
the VPNv4 routes of its AS to the other ASBR.
Context
Do as follows on the ASBR.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of the interface connected with the ASBR interface is displayed.
Step 3 Run:
The IP address of the interface is configured.

Step 4 Run:
mpls
The MPLS capability is enabled.

Step 5 Run:
quit

Step 6 Run:
bgp as-number

Step 7 Run:
The peer ASBR is specified as the EBGP peer.


Generally, one or multiple directly-connected physical links exist between EBGP peers. If the
directly-connected physical link(s) are not available, you must run the peer ebgp-max-hop
command to ensure that the TCP connection can be set up between the EBGP peers through
multiple hops.
Step 9 Run:

Step 10 Run:
The exchange of IPv4 VPN routes with the peer ASBR is enabled.
----End
3.7.4 Controlling the Receiving and Sending of VPN Routes by

Using Routing Policies
An ASBR can either save all VPNv4 routes or partial VPNv4 routes (by filtering VPN targets
through a routing policy).
Context
The following describes two methods for controlling the receiving and sending of VPN routes:
l Without VPN Target Filtering
In this way, the ASBR stores all the VPN IPv4 routes.
l VPN Target Filtering
In this way, the ASBR stores partial VPN IPv4 routes through routing policies.
In practical applications, only one of the preceding methods is selected.
Procedure
l Without VPN Target Filtering

1. Run:
system-view

2. Run:
bgp as-number

3. Run:

4. Run:
undo policy vpn-target
The VPN IPv4 routes are not filtered by the VPN target.
By default, the PE performs VPN target filtering on the received IPv4 VPN routes.
The routes passing the filter is added to the routing table, and the others are discarded.
If the PE is not configured with VPN instance, or the VPN instance is not configured
with the VPN target, the PE discards all the received VPN IPv4 routes.
In the Inter-AS VPN Option B mode, if the ASBR does not store information about
the VPN instance, the ASBR must save all the VPNv4 routing information and
advertise it to the peer ASBR. In this case, the ASBR should receive all the VPNv4
routing information without the VPN target filtering.
l VPN Target Filtering
1. Run:
system-view

2. Run:
ip extcommunity-filter extcomm-filter-number { permit | deny } { rt { as-
number:nn | ipv4-address:nn } } &<1-16>
The extended community filter is configured.

3. Run:
route-policy route-policy-name permit node node
The routing policy is configured.

4. Run:
if-match extcommunity-filter extcomm-filter-number &<1-16>
A matching rule based on the extended community filter is configured.

5. Run:
quit

6. Run:
bgp as-number


7. Run:

8. Run:
peer ipv4-address route-policy route-policy-name { export | import }
The routing policy is applied to controlling the VPN IPv4 routing information.
----End
3.7.5 (Optional) Storing Information About the VPN Instance on

the ASBR
If VPNv4 routes need to be sent and received on an ASBR, you can configure the relevant VPN
instance on the ASBR.
Context
If the VPN receives and sends the VPNv4 routing information through the ASBR, configure the
corresponding instance on the ASBR. Otherwise, the instance is not needed.
NOTE
It is recomended to perform either Step 5 or Step 6.
Procedure
Step 1 Run:
system-view

Step 2 Run:
A VPN instance is created and the VPN instance view is displayed.

Step 3 Run:

Step 4 Run:
vpn-target vpn-target &<1-8> import-extcommunity
The VPN target extended community for the VPN instance is created.
For the same VPN in the inter-AS VPN Option B mode, the VPN targets of the ASBR and the
PE in an AS should match with each other.
The VPN targets of the PE in different ASs must match with each other too.

The MPLS label is allocated based on the VPN instance, which ensures that all the routes in a
VPN instance use the same MPLS label.





----End
3.7.6 (Optional) Enabling Next-Hop-based Label Allocation on the

ASBR
To save label resources on an ASBR, you can enable next-hop-based label allocation on the
ASBR. Note that next-hop-based label allocation and one label per instance need to be used
together on the ASBR.
Context
In a VPN Option B scenario, after next-hop-based label allocation is enabled on the ASBR, the
ASBR allocates only one label for the IPv4 VPN routes with the same next hop and outgoing
label. Compared with allocating a label for each IPv4 VPN route, next-hop-based label allocation
greatly saves the label resources.
Do as follows on the ASBR:
Procedure
Step 1 Run:
system-view
Step 2 Run:
bgp as-number

Step 3 Run:
ipv4-family vpnv4
The BGP VPNv4 view is displayed.

Step 4 Run:
apply-label per-nexthop
The next-hop-based label allocation for IPv4 VPN routes is enabled on the ASBR.
CAUTION
After next-hop-based label allocation is enabled or disabled, the label allocated by the ASBR
for a route changes, which leads to packet loss.
----End
3.7.7 Configuring the Routing Protocol Between CE and PE

The routing protocol between a PE and a CE can be BGP, static route, or IGP. You can choose
any of them as required in the configuration process.
Context
Choose one of the preceding methods as required. For detailed configurations, see 3.4.5
Configuring a Routing Protocol Between a PE and a CE.

After configuring inter-AS VPN OptionB, you can view information about all BGP peer
relationships and VPNv4 routes on PEs or ASBRs.
Prerequisite
The configurations of the Inter-AS VPN Option B function are complete.
Procedure
l Run the display bgp vpnv4 all peer command to check the VPN IPv4 routing table on the
PE or the ASBR.
l Run the display bgp vpnv4 all routing-table command to check information about all the
BGP peers on the PE or the ASBR.
l Run the display mpls lsp command to check information about the LSP and label on the
ASBR.
----End
Example
Run the display bgp vpnv4 all routing-table command on the ASBR. If the IPv4 routes of the
VPN are displayed, it means that the configuration succeeds.

Run the display bgp vpnv4 all peer command on the PE or the ASBR. If the status of the IBGP
peer between PE and ASBR in the same AS is "Established", and the status of the EBGP peer
between ASBRs in the different AS is "Established", it means that the configuration succeeds.
Run the display ip routing-table vpn-instance command on the PE. If the VPN routes are
displayed, it means that the configuration succeeds.
Run the display mpls lsp command on the ASBR. If information about the LSP and label is
displayed, it means that the configuration succeeds. If the ASBR is enabled with the next-hop-
based label allocation, only one label is allocated for the VPN routes with the same next hop
and outgoing label.
3.8 Configuring HoVPN

HoVPN indicates a hierarchical VPN, in which multiple PEs play different roles and form a
hierarchical structure. In this manner, these PEs function as one PE, and the performance
requirement for PEs are lowered.

Before configuring HoVPN, familiarize yourself with the applicable environment, complete the
pre-configuration tasks, and obtain the required data. This can help you complete the
configuration task quickly and accurately.
For hierarchical VPN networks, adopt the HoVPN to reduce the requirements for PE devices.
Before configuring HoVPN, complete the task of Configuring Basic BGP/MPLS IP VPN.
Data Preparation
To configure HoVPN, you need the following data.
No. Data
1 Relationship between UPE and SPE
2 Name of the VPN instance sending default routes to UPE
3.8.2 Specifying UPE

Before configuring a UPE, you must establish the VPNv4 peer relationship between the UPE
and SPE.
Context
Do as follows on the SPE.

Procedure
Step 1 Run:
system-view

Step 2 Run:
bgp as-number

Step 3 Run:
peer { ipv4-address | group-name } as-number as-number
The UPE is specified as the BGP peer of the SPE.

Step 4 Run:
The BGP VPNv4 sub-address family is displayed.

Step 5 Run:
peer { ipv4-address | group-name } enable
The capability of exchanging BGP VPNv4 routing information with the peer is enabled.
Step 6 Run:
peer { ipv4-address | group-name } upe
The peer is specified as the UPE of the SPE.
----End
3.8.3 Advertising Default Routes of a VPN Instance

The SPE advertises the UPE of a default route with the next hop address as the local address. In
this manner, the SPE instructs the VPN packet forwarding on the UPE.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
bgp as-number

Step 3 Run:
ipv4-family vpnv4
The BGP-VPNv4 sub-address family view is displayed.

Step 4 Run:
peer { ipv4-address | group-name } default-originate vpn-instance vpn-instance-name
The default routes of a specified VPN instance are advertised to the UPE.
After running the command, the SPE advertises a default route to the UPE with its local address
as the next hop, regardless of whether there is a default route in the local routing table or not.
----End

After configuring HoVPN, you can find that the local CE has no route that is destined for the
network segment of interface on the remote CE, but has a default route with the next hop as the
UPE.
Prerequisite
The configurations of the HoVPN function are complete
Procedure
----End
Example
Run the display ip routing-table on the CE connected with the UPE. You can find that there is
a default route whose next hop is UPE. And there is no route to the network segment where the
peer CE resides.
3.9 Configuring OSPF Sham Link

This section describes how to configure the routes that traverse the MPLS VPN backbone
network to be the routes of the OSPF area. After the configuration, traffic between sites of the
same VPN in the same OSPF area need not be forwarded through routes of the OSPF area.

Before configuring an OSPF sham link, familiarize yourself with the applicable environment,
After a sham link is configured between VPN PEs, the sham link is considered as an OSPF intra-
area route. It is used to ensure that the traffic is transmitted over the backbone instead of the
backdoor link between the two CEs.
The source and destination addresses of the sham link should use loopback interface addresses
with 32-bit masks. Besides, this loopback interface must be bound to the VPN instances and be
advertised through the BGP.

Before configuring the OSPF sham link, you need to complete the following tasks:
l 3.4 Configuring Basic BGP/MPLS IP VPN (OSPF between the PE and the CE)
l Configuring OSPF in the LAN where the CEs reside
Data Preparation
To configure the OSPF sham link, you need the following data.
No. Data
1 Number and address of the loopback interfaces that serve as the ends of sham link
3 Process number of OSPF instance on PE for CEs
4 Local AS number
5 Metric used in sham link and other link parameters
3.9.2 Configuring the Loopback Address of the Sham Link

The end address of a sham link is the IP address (with the 32-bit mask) of a loopback interface.
The loopback interface must be bound to the VPN instance. The end addresses of sham links of
the same OSPF process can be the same. The end addresses of sham links of different OSPF
processes must be different.
Context
Do as follows on the PEs of the two ends of the sham link:
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface loopback interface-number
A loopback interface is created and the loopback interface view is displayed.
A sham link of each VPN instance must have an end interface address that is an address of the
loopback interface. The address has a 32-bit mask. Multiple sham links of an OSPF process can
share the same address. The end addresses of two sham links of different OSPF processes must
be different.
Step 3 Run:

The loopback interface is bound to the VPN instance.
Step 4 Run:
The address of the loopback interface is configured.
NOTE
The IP address of the loopback interface should have a 32-bit mask, that is, 255.255.255.255.
----End
3.9.3 Advertising Routes of End Address of the Sham Link

The route destined for the end address of the sham link cannot be advertised to the remote PE
through the OSPF process of the VPN. The end address of the sham link is advertised to the
remote PE by BGP as a VPNv4 address.
Context
Do as follows on the PEs of the two ends of the sham link.
Procedure
Step 1 Run:
system-view
Step 2 Run:
bgp as-number
Step 3 Run:
Step 4 Run:
import-route direct
The direct route is imported. That is, the route of the end address is imported into BGP.
BGP advertises the end address of the sham link as the VPN-IPv4 address.
NOTE
The route of one end address of the sham link cannot be advertised to the remote PE through the OSPF
process of the private network.
If the routes, however, are advertised to the remote PE through the OSPF process of the private network,
the remote PE has two routes destined for the end address of the sham link. One route is learnt through the
OSPF process of the private network, and the other route is learnt through MP-BGP. In this case, the remote
PE incorrectly selects the OSPF route, because the OSPF route have a higher priority than the BGP route.
As a result, the sham link cannot be successfully established.
----End

3.9.4 Creating a Sham Link

Creating a sham link is to establish a virtual link that connects the two end addresses of the sham
link.
Context
Do as follows on the PEs of the two ends of the sham link.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The OSPF view is displayed.

Step 3 Run:
area area-id

Step 4 Run:
sham-link source-ip-address destination-ip-address [ cost cost | hello hello-
interval | retransmit retransmit-interval | trans-delay trans-delay-interval |
dead dead-interval | { [ simple [ [ plain ] plain-text | cipher cipher-text ] |
{ md5 | hmac-md5 } [ key-id { plain plain-text | [ cipher ] cipher-text } ]|
authentication-null } | smart-discover ] *
The sham link is configured.

By default,
l The interface cost of the sham link, namely, cost is 1.
l The invalid interval of the sham link, namely,dead-interval is 40 seconds.
l Interval for sending Hello packets, namely, hello-interval, is 10 seconds.
l Interval for retransmitting LSA packets, namely, retransmit-interval, is 5 seconds.
l Delay for sending LSA packets, namely, trans-delay-interval, is 1 second.
The authentication mode on the two ends of the sham link must be the same.
If the packet authentication is supported, only the OSPF packets that pass the authentication can
be received. If the authentication fails, the neighbor relationship cannot be set up.
If the plain text, namely, simple is used, the authenticator type is plain by default. If the MD5
algorithm or HMAC-MD5 algorithm, namely, md5 | hmac-md5 is used, the authenticator type
is cipher by default.
NOTE
To forward the VPN traffic through the MPLS backbone network, configure the cost of the sham link less
than that of the OSPF route through the private network. The common method is increases the cost of the
forwarding interface of private network.
----End


After configuring an OSPF sham link, you can view information about the routing table on the
CE, the nodes through which packets are sent, and established and non-established sham links.
Prerequisite
The configurations of the OSPF sham link function are complete.
Procedure
routing table of the specified VPN instance on the PE.
l Run the tracert host command to check the path of the data transmitted to the peer CE On
the CE.
l Run the display ospf process-id sham-link [ area area-id ] command to check the setup
state of the sham-link on the PE.
l Run the display ospf routing command to check the routes discovered by OSPF on the
CE.
----End
Example
Run the display ip routing-table vpn-instance command. You can find the routes from the PE
to the peer CE is the OSPF routes that pass through the private network rather than the BGP
routes that pass through the backbone network.
Run the display ip routing-table and the tracert commands on the CE. You can find the VPN
traffic from the CE to the peer is forwarded through the backbone network.
Run the display ospf process-id sham-link command on the PE. You can find the OSPF
neighbor status between the PE and the peer CE is Full.
Run the display ospf routing on the CE. You can find the routes from the CE to the peer CE is
learned as the intra-area routes.
3.10 Configuring a Multi-VPN-Instance CE

By using OSPF multi-instance on CEs, you can implement service isolation on the LAN.

Before configuring a multi-VPN-instance CE, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.
The multi-VPN-instance CE is used in the LAN. You can implement service isolation through
the multiple OSPF instances on the CE devices.

One OSPF process can belong to only one VPN instance but one VPN instance can run several
OSPF processes.
The Multi-VPN-Instance CE can be considered as a networking solution that isolates services

by isolating routes. Before configuring a multi-VPN-instance CE, you need to disable routing
loop detection.
Before configuring a multi-VPN-instance CE, complete the following tasks:
l 3.3 Configuring a VPN Instance on the multi-instance CE, and the PE that is accessed by
it (each service with a VPN instance)
l Configuring the link layer protocol and network layer protocol for LAN interfaces and
connecting the LAN to the multi-instance CE (each service using an interface to access the
multi-instance CE)
l Binding related VPN instances to the interfaces of the multi-instance CE and PE interfaces
through which the PE accesses the multi-instance and configuring IP addresses for those
interfaces
Data Preparation
To configure a multi-VPN-instance CE, you need the following data.
No. Data
1 Names of the VPN instances corresponding with the OSPF processes used by each
service
2 OSPF process number and Router ID used by each service
3 Routes advertised by each OSPF process
3.10.2 Configuring the OSPF Multi-Instance on the PE

Different services use different OSPF process IDs.
Context
Do as follows on the PE that is accessed by the multi-instance CE:
Procedure
Step 1 Run:
system-view
Step 2 Run:
The OSPF multi-instance is configured.

Different services have different OSPF process IDs. However, router IDs of different services
do not necessarily differ.
Step 3 Run:
area
area-id

Step 4 Run:
The IP address of the interface connected to the multi-instance CE is advertised.

Step 5 Run:
quit

Step 6 Run:
import-route bgp

Step 7 Run:
quit

Step 8 Run:
bgp as-number

Step 9 Run:

Step 10 Run:
import-route ospf process-id
The OSPF multi-instance route is imported.
----End
3.10.3 Configuring the OSPF Multi-Instance on the Multi-Instance

CE
The process ID of the OSPF multi-instance configured on the multi-VPN-instance CE must be
the same as that configured on the PE.
Context
Do as follows on the multi-instance CE:
Procedure
Step 1 Run:

system-view

Step 2 Run:
The OSPF multi-instance is configured.

The OSPF process ID corresponds to that of the PE.
Step 3 Run:
area area-id

Step 4 Run:
The IP address of the interface connected the PE is advertised.
NOTE
If the multi-instance CE does not learn the routes of a LAN through the OSPF multi-instance of the process,
the routes of the LAN need to be imported to the OSPF instances of the process.
----End
3.10.4 Canceling the Loop Detection on the Multi-Instance CE

If the route loop check is performed, the CE discards the route from the PE with the DN bit being
1.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
vpn-instance-capability simple
Loop detection is not performed.
----End

After the multi-VPN-instance CE is configured, you can find that the VPN routing table of the
CE contains the routes destined for the LAN and remote sites for each service.

Prerequisite
The configurations of the Multi-VPN-Instance CE function are complete.
Procedure
l Run the display ip routing-table vpn-instance vpn-instance-name [ verbose ] command
to check the VPN routing table on the multi-instance CE.
----End
Example
Run the display ip routing-table vpn-instance command on the multi-instance CE to check
the VPN routing table. If there are routes to the LAN and the remote nodes for each service, it
means the configuration succeeded.
3.11 Connecting VPN and the Internet

Generally, users within a VPN can communicate only with each other instead of with Internet
users, and the VPN users cannot access the Internet. If each site of the VPN needs to access the
Internet, you need to configure the interconnection between the VPN and the Internet.

Before configuring the interconnection between a VPN and the Internet, familiarize yourself
with the applicable environment, complete the pre-configuration tasks, and obtain the required
data. This can help you complete the configuration task quickly and accurately.
You can enable VPN users to access the Internet, by supplementing certain software
configurations in the established VPN network.
Before configuring VPN users to access the Internet, complete the following tasks:
l Setting up the VPN network
Data Preparation
To configure interconnection between a VPN and the Internet, you need the following data.
No. Data
1 Names of the VPN instances
2 Destination IP address of static routes

3.11.2 Configuring the Static Route on the CE

This part describes how to configure static routes on CEs to forward packets from the VPN to
the Internet.
Context
Do as follows on the CE.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ip route-static ip-address { mask | mask-length } { interface-type interface-
number [ nexthop-address ] | nexthop-address } [ preference preference | tag tag ]
* [ description text ]
The static route to the public network destination address.
ip-address can be the destination address of the public network or 0.0.0.0. If the dest-ip-
address is 0.0.0.0, the static route is also called default route, the mask of which must be 0.0.0.0
or the mask-length of which must be 0. Note that, the out-interface must be the interface
connected directly with the PE, and the next-hop is the IP address of the peer PE interface
connected directly with the CE.
NOTE
If the CE and the PE are connected through an Ethernet network, the next-hop must be specified.
----End
3.11.3 Configuring the Private Network Static Route on the PE

This part describes how to configure static routes on PEs to forward packets from the VPN to
the Internet.
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
ip route-static vpn-instance vpn-source-name destination-address { mask | mask-
length } nexthop-address public [ preference preference | tag tag ]* [ description
text ]

The static route from the VPN to Internet is configured and the next-hop address is a public
network address.
----End
3.11.4 Configuring the Static Route to VPN on the Device of the

Public Network
This part describes how to configure static routes to VPN users to forward packets from the
Internet to the VPN.
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
ip route-static ip-address { mask | mask-length } { interface-type interface-
number nexthop-address | vpn-instance vpn-instance-name nexthop-address | nexthop-
address } [ preference preference | tag tag ]* [ description text ]
The static route from the public network to the VPN is configured and the next-hop address is
a private network address.
NOTE
If the CE and the PE are connected through an Ethernet network, the next-hop must be specified.
----End

After configuring the interconnection between a VPN and the Internet, you can find that the
VPN routing table contains the routes destined for the CE and the router in the public network,
and the routing table in the destined device of the public network contains the route to the CE.
Prerequisite
The configurations of the VPN and the Internet function are complete.
Procedure
l Run the display ip routing-table command to check the routing table on the CE and the
destination switch in the public network.
----End

Example
Run the display ip routing-table vpn-instance command on the PE, and you can find that the
route to the CE and the route to the destination switch in the public network exist in the VPN
routing table.
Run the display ip routing-table command on the CE, and you can find that the CE has the
route to the destination switch in the public network and the destination switch in the public
network has the route to the CE.
The CE and the destination switch in the public network can successfully ping each other.
3.12 Configuring VPN FRR

In the networking of CE dual-homing, you can configure VPN FRR to ensure the end-to-end
VPN service fast switchover if the PE fails.

Before configuring VPN FRR, familiarize yourself with the applicable environment, complete
the pre-configuration tasks, and obtain the required data. This can help you complete the
It is applied to the service sensitive to packet loss or delay in the private network.
You can configure VPN FRR in either of the following modes:
l Manual VPN FRR: Information such as the backup next hop is specified.
l Auto VPN FRR: The backup next hop is unspecified, but a proper next hop is selected for
the VPN route.
You can select either mode as required. If both of them are configured, manual VPN FRR has
a higher priority. When manual VPN FRR fails, auto VPN FRR takes effect.
Before configuring VPN FRR, complete the following tasks:
l Configuring the routing protocol on the switchs to achieve internetworking

l Generating two unequal-cost routes by configuring different metrics
l Setting up the VPN network
CAUTION
Configuring the lsp-trigger command on the P is not recommended when an LSP is created
on the VPN backbone network. Use the default configuration on the P. Otherwise, VPN
FRR switchback may fail.

Data Preparation
To configure the VPN FRR, you need the following data.
No. Data
1 (Optional) Name of the routing policy
3 (Optional) Backup next hop
3.12.2 Configuring Manual VPN FRR

After a backup next hop (a PE) is specified according to the routing policy, the VPN traffic can
be forwarded to the backup next hop if traffic forwarding between PEs fails.
Context
Do as follows on the switch.
Procedure
Step 1 Run:
system-view
Step 2 Run:
route-policy route-policy-name { permit | deny } node node
The routing policy node is created and the routing policy view is displayed.
Step 3 Run:
apply backup-nexthop { ip-address | auto }
The backup next hop is configured.
Step 4 Run:
quit
Step 5 Run:
Step 6 Run:
vpn frr route-policy route-policy-name
The VPN FRR is enabled.
----End

3.12.3 Configuring VPN Auto FRR

If the primary link between PEs fails, VPN traffic is forwarded through the next hop (a PE) that
is automatically selected by the system.
Context
Do as follows on the switch.
Procedure
Step 1 Run:
system-view

Step 2 Run:
bgp as-number

Step 3 Run:

Step 4 Run:
auto-frr
VPN Auto FRR is enabled.
----End

After configuring VPN FRR, you can view information about the backup next hop (a PE), backup
tunnel, and backup label in the VPN routing table.
Prerequisite
The configurations of the VPN FRR function are complete.
Procedure
verbose command to check information about the backup next hop, backup tunnel, and
backup label.
----End
Example
Run the display ip routing-table vpn-instance vpn-instance-name ip-address verbose
command on the PE configured with VPN FRR. If information about the backup next-hop PE,
backup tunnel, and label value of the routes is displayed, it means the configuration succeeds.
<Quidway> display ip routing-table vpn-instance vpn1 18.0.0.0 verbose

------------------------------------------------------------------------------
Routing Table : zy
Summary Count : 1
State: Active Adv Relied Age: 00h00m18s
IndirectID: 0x2f
BkNextHop: 171.0.0.17 BkInterface: Unknown
BkLabel: 11264 SecTunnelID: 0x1005e
BkPETunnelID: 0x1005c BkPESecTunnelID: 0x0
BkIndirectID: 0x2c
3.13 Configuring VPN GR

VPN GR to ensure that VPN traffic is not interrupted on the PE, CE, or P.

Before configuring VPN GR, familiarize yourself with the applicable environment, complete
the pre-configuration tasks, and obtain the data required for the configuration. This will help
The VPN GR is enabled for the BGP/MPLS IP VPN that needs the GR capability. Configuring
VPN GR on the switch that undertakes the VPN service can ensure that switch keeps forwarding
when the switch performs the AMB/SMB switchover and the VPN traffic is not broken.
NOTE
The GR capability cannot ensure that the traffic is not broken if the neighboring switch performs the AMB/
SMB switchover at the same time.
When configuring VPN GR, you must configure the IGP GR, BGP GR and MPLS LDP GR on
the PE, configure the IGP GR and the MPLS LDP GR on the P, and configure the IGP GR or
the BGP GR on the CE. If more than one domain is traversed, you must configure the IGP GR,
BGP GR and MPLS LDP GR on the ASBR.
Before configuring VPN GR, complete the following tasks:
l Establishing the VPN environment and configuring the VPN
l Configuring the common IGP GR (such as the IS-IS GR and the OSPF GR), BGP GR and
MPLS LDP GR on PEs and Ps in all related backbone networks to ensure that the backbone
network has the GR capability
Data Preparation
To configure VPN GR, you need the following data.

No. Data
1 (Optional) Interval for re-establishing the GR session (by default, it is 300 seconds)
if the IS-IS GR is enabled
2 (Optional) Interval for the GR time if the OSPF GR is enabled
3 Reconnection time of the MPLS LDP session (by default, it is 300 seconds)
4 Validity period of the MPLS LDP neighbors (by default, it is 600 seconds)
5 Maximum time of BGP session reestablishment (by default, it is 150 seconds)
6 Time of waiting for the End-of-Rib messages(by default, it is 600 seconds)
3.13.2 Configuring IGP GR on the Backbone Network

You can configure IGP GR based on the specific IGP running on the backbone network. IGP
GR can be IS-IS GR or OSPF GR.
Context
NOTE
When configuring GR on the backbone network, configure the corresponding IGP GR (IS-IS GR or OSPF
GR) based on the specific IGP protocol running on the backbone network.
Procedure
l Configure IS-IS GR on the backbone network.
If IS-IS is running on the public network, do as follows on the related PEs and Ps on the
backbone network:
1. Run:
system-view

2. Run:
isis process-id
The IS-IS view is displayed.

3. Run:
graceful-restart
The IS-IS GR capability is enabled.

By default, the IS-IS GR capability is disabled.
4. (Optional) Run:
graceful-restart interval interval-value
The interval for reestablishing the IS-IS GR session is configured.

The interval for reestablishing the IS-IS GR session is set to the Hold time in the IS-
IS Hello PDU. In this manner, the neighbor does not terminate the adjacency
relationship with the switch when the switch performs the AMB/SMB switchover.

By default, the interval for reestablishing the IS-IS GR session is 300 seconds.
5. (Optional) Run:
graceful-restart suppress-sa
The GR Restarter is configured to suppress the advertisement of the adjacency

relationship when it is restarting.
The suppress advertisement (SA) bit is used in the Hello PDUs by a restarting
switch to request its neighbors to suppress advertising the adjacency to the restarting
switch. The SA bit is removed once its database synchronization is over. Enabling this
feature avoids the black hole effect caused by sending and receiving LSP during the
restart process.
If the administrator does not want the restarting switch to set the SA bit in its Hello
PDUs, the administrator can use the undo graceful-restart suppress-sa command to
disable it.
By default, the SA bit does not take effect.
l Configure OSPF GR on the backbone network.
If OSPF is running on the public network, do as follows on the related PEs and Ps on the
backbone network:
1. Run:
system-view

2. Run:
ospf process-id

3. Run:
The opaque-lsa capability is enabled.

4. Perform the following as needed:
To enable the GR capability of OSPF, run:
graceful-restart
To enable the GR Help capability of OSPF at which the Restarter performs the
GR, run:
graceful-restart helper-role { { { ip-prefix ip-prefix-name | acl-
number acl-number | acl-name acl-name } | ignore-external-lsa | planned-
only } * | never }
It is suggested to enable the GR capability of OSPF on all the related PEs and Ps on
the backbone network.
By default, the GR capability of OSPF and the GR Help capability of OSPF are
disabled.
----End
3.13.3 Configuring MPLS GR on the Backbone Network

MPLS GR to ensure normal MPLS traffic forwarding. If LDP LSPs are configured on the

backbone network, you can configure MPLS LDP GR; if RSVP-TE tunnels are configured on
the backbone network, you can configure MPLS RSVP GR; if other types of tunnels are
configured on the backbone network, you do not need to perform the operation.
Context
If you use an LDP LSP tunnel, you need to configure MPLS LDP GR. If you use an RSVP-TE
tunnel, you need to configure MPLS RSVP GR. If you use another type of tunnel, you need not
perform this step.
Procedure
l Configure MPLS LDP GR.
1. Run:
system-view

2. Run:
mpls
MPLS is enabled globally, and the MPLS view is displayed.

3. Run:
quit

4. Run:
mpls ldp
The MPLS LDP view is displayed.

5. Run:
graceful-restart
The GR capability of MPLS LDP is enabled.

6. (Optional) Run:
graceful-restart timer reconnect time
The reconnection period of the MPLS LDP session is configured.

By default, the reconnection period is 300 seconds.
7. (Optional) Run:
graceful-restart timer neighbor-liveness time
The validity period of MPLS LDP neighbors is configured.

By default, the validity period of MPLS LDP neighbors is 600 seconds.
8. (Optional) Run:
graceful-restart timer recovery time
The MPLS LDP recovery period is configured.

By default, the MPLS LDP recovery period is 300 seconds.
NOTE
When the GR capability of MPLS LDP is enabled or the GR parameters are modified, the LDP session
is reestablished.

l Configure RSVP GR.

1. Run:
system-view

2. Run:
mpls
The MPLS view is displayed.

3. Run:
mpls te
MPLS TE is enabled.
4. Run:
mpls rsvp-te
RSVP TE is enabled.
5. Run:
mpls rsvp-te hello
The RSVP Hello extension of the local node is enabled.

6. Run:
mpls rsvp-te hello full-gr
The GR capability of RSVP TE is enabled. In addition, the GR capability of the peer

is also supported.
By default, the GR capability of RSVP TE is disabled.

7. (Optional) Run:
mpls rsvp-te hello nodeid-session ip-address
The Hello session is established between nodes of RSVP TE enabled with GR

capability.
8. Run:
quit

9. Run:
The RSVP interface view is displayed.

10. Run:
mpls
The MPLS view is displayed.

11. Run:
mpls te
MPLS TE is enabled.
12. Run:
mpls rsvp-te
RSVP TE is enabled.

13. Run:
mpls rsvp-te hello
The RSVP Hello extension function is enabled on the interface.

Although the RSVP Hello extension function is enabled globally, it is disabled on the
RSVP-enabled interfaces by default.
----End
3.13.4 Configuring GR of the Routing Protocol Between PEs and

CEs
You can configure GR of a routing protocol according to the specific routing protocol running
between the CE and the PE. GR of a routing protocol can be IS-IS GR, OSPF GR, or BGP GR.
Context
NOTE
When configuring GR of the routing protocol running between PEs and CEs, configure the corresponding
GR (IS-IS GR, OSPF GR, or BGP GR) according to the routing protocol running between the PEs and
CEs.
Procedure
l Configure GR of the IS-IS multi-instance between PEs and CEs.
Do as follows if IS-IS is run between the PE and the CE:
1. Run:
system-view

2. Run:
isis process-id vpn-instance vpn-instance-name
The IS-IS multi-instance view is displayed.

3. Run:
graceful-restart
The IS-IS GR capability is enabled.

By default, the IS-IS GR capability is disabled.
4. (Optional) Run:
graceful-restart interval interval-value
The interval for reestablishing the IS-IS GR session is configured.

The interval for reestablishing the IS-IS GR session is set to the Hold time in the IS-
IS Hello PDU. In this manner, the neighbor does not terminate the adjacency
relationship with the switch when the switch performs the AMB/SMB switchover.
By default, the interval for reestablishing the IS-IS GR session is 300 seconds.
5. (Optional) Run:
graceful-restart suppress-sa
The GR Restarter is configured to suppress the advertisement of the adjacency

relationship when it is restarting.

The suppress advertisement (SA) bit is used in the Hello PDUs by a restarting
switch to request its neighbors to suppress advertising the adjacency to the restarting
switch. The SA bit is removed once its database synchronization is over. Enabling this
feature avoids the black hole effect caused by sending and receiving LSP during the
restart process.
If the administrator does not want the restarting switch to set the SA bit in its Hello
PDUs, the administrator can use the undo graceful-restart suppress-sa command to
disable it.
By default, the SA bit does not take effect.
l Configure GR of the OSPF multi-instance between PEs and CES.
Do as follows if OSPF is run between the PE and the CE:
1. Run:
system-view

2. Run:
ospf process-id vpn-instance vpn-instance-name
The OSPF multi-instance view is displayed.

3. Run:
The opaque-lsa capability is enabled.

4. Perform the following as needed:
To enable the GR capability of OSPF, run:
graceful-restart
To enable the GR Help capability of OSPF at which the Restarter performs the
GR, run:
graceful-restart helper-role { { { ip-prefix ip-prefix-name | acl-
number acl-number | acl-name acl-name } | ignore-external-lsa | planned-
only } * | never }
It is suggested to enable the GR capability of OSPF on all the related PEs and Ps on
By default, the local link signaling capability, the out-of-band capability, the GR Help
capability and the GR capability of OSPF are all disabled.
l Configure BGP GR between PEs and CEs.
Do as follows on the PE and CE if EBGP is run between them:
1. Run:
system-view

2. Run:
bgp as-number

3. Run:
graceful-restart

The GR capability of BGP is enabled.

4. (Optional) Run:
graceful-restart timer restart time
The maximum time for restarting the GR Restarter is configured.
The restart period is the maximum waiting period, from the time when the receiving
speaker detects that the GR Restarter restarts, to the time when the BGP session is
reestablished. If no BGP session is reestablished within the restart period, the receiving
speaker deletes the BGP route in the stale state. By default, the restart period is 150
seconds.
CAUTION
Modifying the restart period leads to the reestablishment of the BGP peer relationship.
5. (Optional) Run:
graceful-restart timer wait-for-rib time
The time of waiting for the End-of-RIB message is configured.
By default, the time of waiting for the End-of-RIB message is 600 seconds.
----End
3.13.5 Configuring BGP GR for MP-BGP

When MP-BGP restarts, the peer relationship is re-established and traffic forwarding is
interrupted. If BGP GR is enabled, traffic interruption can be prevented.
Context
Configure BGP GR for MP-BGP on all the PEs (including the PE that serves as the ASBR) and
the RRs that reflect the VPNv4 route, unless BGP GR has been configured for MP-BGP when
BGP GR is configured between PEs and CEs.
The process of configuring BGP GR for MP-BGP is the same as that of configuring GR in the
common BGP. For the detailed configuration, see 3.13.4 Configuring GR of the Routing
Protocol Between PEs and CEs.

After configuring VPN GR, you can view status information about IGP GR and BGP GR.
Prerequisite
The configurations of the VPN GR function are complete.
Procedure
l Run the display ospf brief command to check the status of the OSPF GR.
l Run the display isis graceful-restart status [ level-1 | level-2 ] [ process-id | vpn-
instance vpn-instance-name ] command to check the status of the IS-IS GR.

l Run the display bgp vpnv4 all peer verbose command to check the status of the BGP GR.
----End
Example
Run the display isis graceful-restart status command on the PE, and you can view the status
of the ISIS GR. For example:
<Quidway> display isis graceful-restart status
Restart information for ISIS(1)
-------------------------------
IS-IS(1) Level-1 Restart Status
Restart Interval: 300
SA Bit Supported
Total Number of Interfaces = 2
Restart Status: RESTART COMPLETE
SA Bit Supported
Run the display bgp peer verbose command on the PE, and you can find that IBGP GR between
PEs and EBGP GR between the PE and CE are configured successfully. For example:
<Quidway> display bgp vpnv4 all peer verbose
Peer: 3.3.3.9 remote AS 100
Type: IBGP link
BGP version 4, remote router ID 3.3.3.9
Update-group ID : 1
BGP current state: Established, Up for 00h23m47s
BGP current event: RecvKeepalive
BGP last state: OpenConfirm
BGP Peer Up count: 2
Received total routes: 2
Received active routes total: 2
Advertised total routes: 2
Port: Local - 49941 Remote - 179
Configured: Active Hold Time: 180 sec Keepalive Time:60 sec
Received : Active Hold Time: 180 sec
Negotiated: Active Hold Time: 180 sec Keepalive Time:60 sec
Peer optional capabilities:
Peer supports bgp multi-protocol extension
Peer supports bgp route refresh capability
Peer supports bgp 4-byte-as capability
Graceful Restart Capability: advertised and received
Restart Timer Value received from Peer: 150 seconds
Address families preserved for peer in GR:
IPv4 Unicast (was preserved)
VPNv4 (was preserved)
Address family IPv4 Unicast: advertised and received
Address family VPNv4: advertised and received
Received: Total 29 messages
Update messages 9
Open messages 1
KeepAlive messages 19
Notification messages 0
Refresh messages 0
Authentication type configured: None
Sent: Total 25 messages
Update messages 5
Open messages 1
Refresh messages 0
Last keepalive received: 2009-12-31 19:49:49

Minimum route advertisement interval is 0 seconds

Optional capabilities:
Route refresh capability has been enabled
4-byte-as capability has been enabled
Connect-interface has been configured
Peer Preferred Value: 0
Routing policy configured:
No routing policy is configured
VPN instance: vpn1
Type: EBGP link
Update-group ID : 1
BGP current event: KATimerExpired
Update messages 4
Open messages 1
Refresh messages 0
Update messages 9
Open messages 1
Refresh messages 0
3.14 Configuring Route Reflection to Optimize the VPN

Backbone Layer
Using an RR can reduce the number of MP IBGP connections between PEs. This not only reduces
the burden of PEs but also facilitates network maintenance and management.


Before configuring an RR to optimize the VPN backbone layer, familiarize yourself with the
The BGP speaker does not advertise the routes learned from IBGP devices to its IBGP peers.
To make a PE advertise the routes of the VPN that the PE accesses to the BGP VPNv4 peers in
the same AS, the PE must establish IBGP connections with all peers to directly exchange VPN
routing information. That is, MP IBGP peers must establish full connections between each other.
Suppose there are n PEs (including ASBRs) in an AS, n (n-1)/2 MP IBGP connections need to
be established. A large number of IBGP peers consume a great amount of network resources.
The Route Reflector (RR) can solve this problem. In an AS, one switch can be configured as the
RR to reflect VPNv4 routes and the other PEs and ASBRs serve as the clients, which are called
Client PEs. An RR can be a P, PE, ASBR, or a switch of other types.
The introduction of the RR reduces the number of MP IBGP connections. This lightens the
burden of PEs and facilitates network maintenance and management.
Before configuring route reflection to optimize the VPN backbone layer, complete the following
tasks:
l Configuring the routing protocol for the MPLS backbone network to implement IP
interworking between switchs in the backbone network
l Establishing tunnels (LSPs or MPLS TE tunnels) between the RR and all Client PEs
Data Preparation
To configure the BGP VPNv4 route reflection, you need the following data.
No. Data
1 Local AS number and peer AS number
2 Type and number of the interfaces used to set up the TCP connection
3 BGP peer group name and IP addresses of peers
3.14.2 Configuring the Client PEs to Establish MP IBGP

Connections with the RR
An MP-IBGP connection is configured between the PE and the RR to facilitate VPNv4 route
reflection.
Context
Do as follows on all Client PEs:

Procedure
Step 1 Run:
system-view
Step 2 Run:
bgp as-number
Step 3 Run:
The RR is specified as the BGP peer.
Step 4 Run:
peer ipv4-address connect-interface interface-type interface-number
The interface is specified as an interface to establish the TCP connection.
The IP address of the interface must be the same as the MPLS LSR ID. It is recommended to
specify a loopback interface to establish the TCP connection.
Step 5 Run:
ipv4-family vpnv4
Step 6 Run:
The capability of exchanging VPNv4 routes between the PE and the RR is enabled.
----End
3.14.3 Configuring the RR to Establish MP IBGP Connections with

the Client PEs
MP-IBGP connections are configured between the RR and all its clients (PEs) to facilitate
VPNv4 route reflection.
Context
Choose one of the following schemes to configure the RR.
Procedure
l Configuring the RR to Establish MP IBGP Connections with the Peer Group
1. Run:
system-view

2. Run:
bgp as-number


3. Run:
group group-name [ internal ]
An IBGP peer group is created.

4. Run:
peer group-name connect-interface interface-type interface-number
The interface is specified as an interface to establish the TCP connection. The IP

address of the interface must be the same as the MPLS LSR ID. It is recommended to
5. Run:
ipv4-family vpnv4

6. Run:
peer group-name enable
The capability of exchanging IPv4 VPN routes between the RR and the peer group is
enabled.
7. Run:
peer ip-address group group-name
The peer is added to the peer group.

l Configuring the RR to establish an MP IBGP connection with each client PE
1. Run:
system-view

2. Run:
bgp as-number

3. Run:
The client PE is specified as the BGP peer.

4. Run:

The IP address of the interface must be the same as the MPLS LSR ID. It is
recommended to specify a loopback interface to establish the TCP connection.
5. Run:
ipv4-family vpnv4

6. Run:
The capability of exchanging VPNv4 routes between the RR and the client PE is
enabled.
----End

3.14.4 Configuring Route Reflection for BGP IPv4 VPN routes

The premise of enabling BGP VPNv4 route reflection is that the RR has established the MP-
IBGP connections with all its clients (PEs).
Context
Do as follows on the RR:
Procedure
Step 1 Run:
system-view
Step 2 Run:
bgp as-number
Step 3 Run:
ipv4-family vpnv4
Step 4 Enable route reflection for BGP VPNv4 routes on the RR.
l Run the peer group-name reflect-client command to enable route reflection if the RR
establishes the MP IBGP connection with the peer group consisting of client PEs.
l Run the peer ipv4-address reflect-client command repeatedly to enable route reflection if
the RR establishes the MP IBGP connection with each PE rather than peer group.
Step 5 Run:
The filtering of VPNv4 routes based on the VPN target is disabled.

rr-filter extcomm-filter-number
The reflection policy is configured for the RR.
----End

After configuring an RR to optimize the VPN backbone layer, you can view BGP VPNv4 peer
information and VPNv4 routing information on the RR or its clients (PEs).
Prerequisite
The configurations of the reflection to optimize the VPN backbone layer function are complete.

Procedure
l Run the display bgp vpnv4 all peer [ [ ipv4-address ] verbose ] command to check
information about the BGP VPNv4 peer on the RR or the Client PEs.
l Run the display bgp vpnv4 all routing-table peer ipv4-address { advertised-routes |
received-routes } command or display bgp vpnv4 all routing-table statistics command
to check information about the routes received from the peer or the routes advertised to the
peer on the RR or the Client PEs.
l Run the display bgp vpnv4 all group [ group-name ] command to check information about
the VPNv4 peer group on the RR.
----End
Example
If the configurations succeed,
l You can find that the status of the MP IBGP connections between the RR and all Client
PEs is "Established" after running the display bgp vpnv4 all peer command on the RR or
Client PEs.
l You can find that the RR and each Client PE can receive and send VPNv4 routing
information between each other after running the display bgp vpnv4 all routing-table
peer command on the RR or the Client PEs.
l If the peer group is configured, you can view information about the group members and
find that the status of the BGP connections between the RR and the group members is
"Established" after running the display bgp vpnv4 all group command on the RR.
3.15 Configuring Route Reflection to Optimize the VPN

Access Layer
If a PE and the connected CEs are in the same AS, you can deploy a BGP route RR to reduce
the number of IBGP connections between CEs and facilitate maintenance and management.

Before configuring an RR to optimize the VPN access layer, familiarize yourself with the
If a PE and multiple CEs accessing the PE are located in the same AS, to reduce the IBGP
connections between the CEs, the PE can be configured as an RR to reflect the routes of the
VPN instance, and the CEs can be configured as clients, which are called Client CEs. This
simplifies and facilitates network maintenance and management.
Before configuring route reflection to optimize the VPN access layer, complete the following
tasks:

l Configure a routing protocol for the MPLS backbone network to implement IP interworking
between the switchs in the backbone network.
Data Preparation
Before configuring route reflection to optimize the VPN access layer, you need the following
data.
No. Data
3 BGP peer group name and IP addresses of peers
3.15.2 Configuring All Client CEs to Establish IBGP Connections

with the RR
This part describes how to configure an IBGP connection between the client (a CE) and the RR
to reflect VPNv4 routes.
Context
Do as follows on all Client CEs:
Procedure
Step 1 Run:
system-view
Step 2 Run:
bgp as-number
Step 3 Run:
Step 4 Run:
peer ipv4-address connect-interface
interface-type interface-number
----End


All Client CEs
This part describes how to configure MP-IBGP connections between the RR and all its clients
(CEs) to reflect VPNv4 routes to all clients (CEs).
Context
Procedure
l Establishing the MP-IBGP Connection with the Peer Group
1. Run:
system-view

2. Run:
bgp as-number

3. Run:

4. Run:

5. Run:

6. Run:
peer ip-address groupgroup-name

l Establishing the MP-IBGP Connection with Each Peer
1. Run:
system-view

2. Run:
bgp as-number

3. Run:

4. Run:

The peer of the BGP IPv4 VPN instance is configured.

5. Run:

Perform Step 1 to Step 5 repeatedly on the RR to establish MP-IBGP connections with all
client CEs.
----End
3.15.4 Configuring Route Reflection for the Routes of the BGP VPN
Instance
The premise of enabling BGP VPNv4 route reflection is that the RR has established the MP-
IBGP connections with all its clients (CEs).
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
bgp as-number

Step 3 Run:

Step 4 Enable route reflection for the routes of the BGP VPN instance on the RR.
l Run the peer group-name reflect-client command to enable route reflection if the RR
establishes the IBGP connection with the peer group consisting of all Client CEs.
l Run the peer ipv4-address reflect-client command repeatedly to enable route reflection if
the RR establishes the IBGP connection with each PE rather than the peer group.
reflect between-clients
Route reflection between the Client CEs is enabled.

By default, route reflection between the Client CEs is enabled.
If the Client CEs are fully connected, you can use the undo reflect between-clients command
to disable route reflection between the clients to reduce the cost.
reflector cluster-id cluster-id

The cluster ID of the RR is set.

If a cluster has multiple RRs, you can use this command to set the same cluster ID for these RRs
to prevent routing loops. By default, the cluster ID is the router ID.
----End

After configuring an RR to optimize the VPN access layer, you can view information on the RR
about peers of the BGP VPN instance, routes received from the peers, and the VPNv4 routes
advertised to the peers.
Prerequisite
The configurations of the route reflection to optimize the VPN access layer function are
complete.
Procedure
l Run the display bgp [ vpnv4 vpn-instance vpn-instance-name ] peer [ ipv4-address ]
verbose command to check information about the peer group of the BGP VPN instance on
the RR.
l Run the display bgp peer [ ipv4-address ] verbose command to check information about
the BGP peer on the Client CE.
received-routes } command or display bgp vpnv4 all routing-table statistics command
to check information about the routes received from the peer or the routes advertised to the
peer on the RR.
l Run the display bgp routing-table peer ipv4-address { advertised-routes | received-
routes }command or display bgp routing-table statistics command to check information
about the routes received from the peer or the routes advertised to the peer on the Client
CE.
l Run the display bgp vpnv4 vpn-instance vpn-instance-name group [ group-name ]
command to check information about the VPNv4 peer group on the RR.
l Run the display bgp group [ group-name ] command to check information about the
VPNv4 peer group on the CE.
----End
Example
If the configurations succeed, you can achieve the following objects:
CEs is "Established" after running the display bgp vpnv4 all peer command on the RR.
l You can find that the status of the IBGP connections between the RR and all Client CEs is
"Established" after running the display bgp peer command on the Client CE.
l You can view the routing information advertised by the RR to the Client CE or the routing
information advertised by the Client CE to the RR after running the display bgp vpnv4
all routing-table peer command on the RR.
l You can view the routing information advertised by the Client CE to the RR and the routing
information advertised by the RR to the Client CE after running the display bgp routing-

table peer ipv4-address { advertised-routes | received-routes } command or display bgp

vpnv4 all routing-table statistics command command on the Client CE.
3.16 Maintaining BGP/MPLS IP VPN

This section describes how to maintain the BGP/MPLS IP VPN, which involves L3VPN traffic
checking, network connectivity monitoring, BGP connection resetting.
3.16.1 Viewing the Integrated Route Statistics of All IPv4 VPN

Instances
Integrated route statistics of all VPN instances refer to the sum of statistics of all VPN instances.
Procedure
l Run the display ip routing-table all-vpn-instance statistics command to check the
integrated route statistics of all VPN instances.
----End
3.16.2 Displaying BGP/MPLS IP VPN Information

This section describes how to monitor the running status of the BGP/MPLS IP VPN, which
involves VPN instance information checking, VPNv4 peer information checking, and BGP peer
log information checking.
Context
In routine maintenance, you can run the following commands in any view to check the status of
BGP/MPLS IP VPN.
Procedure
IP routing table of a VPN instance.
l Run the display ip vpn-instance [ verbose ] [ vpn-instance-name ] command to check
information about the VPN instance.
l Run the display bgp [ vpnv4 { all | vpn-instance vpn-instance-name } ] routing-table
label command to check information about labeled routes in the BGP routing table.
l Run the display bgp vpnv4 { all | route-distinguisher route-distinguisher | vpn-
instance vpn-instance-name } routing-table ipv4-address [ mask | mask-length ] command
to check information about the BGP VPNv4 routing table.
instance vpn-instance-name } routing-table statistics [ match-options ] command to
check statistics about the BGP VPNv4 routing table.


instance vpn-instance-name } routing-table [ match-options ] command to check
information about the BGP VPNv4 routing table.
l Run the display bgp vpnv4 { all | vpn-instance vpn-instance-name } group [ group-
name ] command to check information about the BGP VPNv4 peer group.
l Run the display bgp vpnv4 { all | vpn-instance vpn-instance-name } peer [ [ ipv4-
address ] verbose ] command to check BGP VPNv4 peer information.
l Run the display bgp vpnv4 { all | vpn-instance vpn-instance-name } network command
to check the routing information advertised by BGP VPNv4.
l Run the display bgp vpnv4 { all | vpn-instance vpn-instance-name } paths [ as-regular-
expression ] command to check the AS path information of BGP VPNv4.
l Run the display bgp vpnv4 vpn-instance vpn-instance-name peer { group-name | ipv4-
address } log-info command to check the BGP peer's log information of a specified VPN
instance.
----End
3.16.3 Checking the Network Connectivity and Reachability

This section describes how to use the ping command to detect the network connectivity between
the source and the destination, and how to use the tracert command to check the devices through
which data packets are sent from the source to the destination.
Procedure
l Run the ping [ ip ] [ -a source-ip-address | -c count | -d | -f | -h ttl-value | -i interface-
type interface-number | -m time | -n | -p pattern | -q | -r | -s packetsize | -t timeout | -tos tos-
value | -v | -vpn-instance vpn-instance-name ] * host command to check the network
connectivity.
l Run the tracert [ -a source-ip-address | -f first-ttl | -m max-ttl | -p port | -q nqueries | -vpn-
instance vpn-instance-name | -w timeout ] * host command to trace the gateways that the
packet passes by from the source to the destination.
l Run the ping lsp [ -a source-ip | -c count | -exp exp-value | -h ttl-value | -m interval | -r
reply-mode | -s packet-size | -t time-out | -v ] * vpn-instance vpn-name remote remote-
address mask-length command to check the connectivity of the L3VPN LSP.
----End
Example
After the VPN configuration, using the ping command with vpn-instance vpn-instance-name
on the PE, you can check whether the PE and the CEs that belong to the same VPN can
communicate with each other. If the ping fails, you can use the tracert command with vpn-
instance vpn-instance-name to locate the fault.
If multiple interfaces bound to the same VPN exist on the PE, specify the source IP address, that
is -a source-ip-address when you ping or tracert the remote CE that accesses the peer PE.
Otherwise, the ping or tracert may fail.
If you do not specify a source IP address, the PE chooses the smallest IP address of the interface
bound to the VPN on the PE as the source address of the ICMP packet randomly. If no route to
the selected address exists on the CE, the ICMP packet sent back from the peer PE is discarded.

3.16.4 Resetting BGP Statistics of a VPN Instance

BGP statistics of the VPN instance cannot be restored after being cleared. Exercise caution when
performing the action.
Procedure
l Run the reset bgp vpn-instance vpn-instance-name [ ipv4-address ]flap-info command
in the user view to clear statistics of the BGP peer flap for a specified VPN instance.
l Run the reset bgp vpn-instance vpn-instance-name dampening [ ipv4-address [ mask |
mask-length ] ] command in the user view to clear dampening information of the VPN
instance.
----End
3.16.5 Resetting BGP Connections

After BGP configurations are changed, you can validate the new configurations through soft
reset or reset of the BGP connection. Note that resetting the BGP connection leads to the
interruption of VPN services.
Context
CAUTION
VPN services are interrupted after the BGP connection is reset. Exercise caution when running
the commands.
When the BGP configuration changes, you can use the soft reset or reset BGP connections to
let the new configurations take effect. Soft reset requires that the BGP peers have route
refreshment capability (supporting Route-Refresh messages).
Procedure
l Run the refresh bgp vpn-instance vpn-instance-name { all | ipv4-address | group group-
name | internal | external } import command in the user view to trigger the inbound soft
reset of the VPN instance's BGP connection.
l Run the refresh bgp vpn-instance vpn-instance-name { all | ipv4-address | group group-
name | internal | external } export command in the user view to trigger the outbound soft
reset of the VPN instance's BGP connection.
l Run the refresh bgp vpnv4 { all | ipv4-address | group group-name | internal | external }
import command in the user view to trigger the inbound soft reset of the BGP VPNv4
connection.
l Run the refresh bgp vpnv4 { all | ipv4-address | group group-name | internal | external }
export command in the user view to trigger the outbound soft reset of the BGP VPNv4
connection.
l Run the reset bgp vpn-instance vpn-instance-name { as-number | ipv4-address | group
group-name | all | internal | external } command in the user view to reset BGP connections
of the VPN instance.

l Run the reset bgp vpnv4 { as-number | ipv4-address | group group-name | all | internal |
external } command in the user view to reset BGP VPNv4 connections.
----End
3.16.6 Debugging BGP/MPLS IP VPN

Run the relevant debugging command to view the debugging information and locate the fault.
Note that debugging affects the performance of the system.
Context
CAUTION
Debugging affects system performance. After debugging is complete, run the undo debugging
all command to disable debugging immediately.
Run the following debugging commands in the user view to debug BGP/MPLS IP VPN and
locate the fault.
For more information, see the chapter "Information Center Configuration" in the S7700 Smart
Routing Switch Configuration Guide - System Management. For the description about the
debugging commands, see the Quidway S7700 Smart Routing Switch Debugging Reference.
Procedure
l Run the debugging bgp vpn-instance vpn-instance-name peer-address { all | event |
graceful-restart | timer } command in the user view to enable the debugging of the
specified BGP peers in a VPN instance.
l Run the debugging bgp vpn-instance vpn-instance-name peer-address { keepalive |
open | packet | raw-packet | route-refresh } [ receive | send ] [ verbose ] command in
the user view to enable the packet debugging of the specified BGP peers in a VPN instance.
l Run the debugging bgp update vpn-instance vpn-instance-name [ peer ip-address | acl
acl-number | ip-prefix ip-prefix-name ] [ receive | send ] [ verbose ] command in the user
view to enable the BGP Update packets debugging of VPN instances.
l Run the debugging bgp update vpnv4 [ peer ip-address | acl acl-number | ip-prefix ip-
prefix-name ] [ receive | send ] [ verbose ] command in the user view to enable the BGP
Update packets debugging of BGP VPNv4 routes.
l Run the debugging bgp update label-route [ peer ip-address ] [ acl acl-number | ip-
prefix ip-prefix-name ] [ receive | send ] [ verbose ] command in the user view to enable
the BGP Update packets debugging of labeled routes.
----End

This section provides several configuration examples of VPN networking. In each configuration
example, the networking requirements, configuration roadmap, configuration notes,
configuration procedures, and configuration files are described.

3.17.1 Example for Configuring the BGP/MPLS IP VPN
As shown in Figure 3-3, CE1 and CE3 belong to vpna and CE2 and CE4 belong to vpnb. The
VPN target of vpna is 111:1, and VPN target of vpnb is 222:2. The users in different VPNs
cannot access each other.
Figure 3-3 Networking diagram for configuring BGP/MPLS IP VPN
AS: 65410 AS: 65430

VPN-A VPN-A
CE1 CE3
GE1/0/0 GE1/0/0
Loopback1
2.2.2.9/32
GE1/0/0 GE1/0/0
PE1 PE2
GE1/0/0 GE2/0/0
Loopback1 Loopback1
1.1.1.9/32 GE3/0/0 GE3/0/0 3.3.3.9/32
GE2/0/0 P GE2/0/0
MPLS backbone
AS: 100
GE1/0/0 GE1/0/0
CE2 CE4
VPN-B VPN-B
AS: 65420 AS: 65440

1. Configure VPN instances on the PEs connected to CEs on the backbone network and bind
related VPNs to the interfaces connected to the CEs.
2. Configure OSPF on the PEs and P to implement interconnection between PEs.
3. Configure the basic MPLS capabilities and LDP and create an MPLS LSP.
4. Configure MP-IBGP for exchanging routing information between the VPNs.
5. Configure EBGP for exchanging VPN routing information between the CE and PE.
Data Preparation
l IP address of each VLAN interface, as shown in Figure 3-3
l MPLS LSR-IDs of PE and P
l RDs of vpna and vpnb
l VPN targets of received and sent routes of vpna and vpnb
Procedure
Step 1 Configure IGP on the MPLS backbone network so that PEs and P can interwork.
# Configure PE1.
[PE1] vlan batch 10 20 30
[PE1-Vlanif30] quit
[PE1] ospf
[PE1-ospf-1] area 0

[PE1-ospf-1] quit
# Configure the P.
[Quidway] sysname P
[P-LoopBack1] quit
[P] vlan batch 30 60
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port hybrid untagged vlan 30
[P-Vlanif30] quit
[P-Vlanif60] quit
[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
[PE2] vlan batch 40 50 60
[PE2-Vlanif60] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
After the configuration, OSPF adjacencies are established between PE1, P, and PE2. By running
the display ospf peer command, you can see that the status of the OSPF adjacency is Full. By
running the display ip routing-table command, you can see that the PEs can learn the routes
of each other's Loopback1 interface.
Take PE1 for example.


------------------------------------------------------------------------------

2.2.2.9/32 OSPF 10 1 D 172.1.1.2 Vlanif30
3.3.3.9/32 OSPF 10 2 D 172.1.1.2 Vlanif30
172.1.1.0/24 Direct 0 0 D 172.1.1.1 Vlanif30
172.1.1.2/32 Direct 0 0 D 172.1.1.2 Vlanif30
172.2.1.0/24 OSPF 10 2 D 172.1.1.2 Vlanif30
[PE1] display ospf peer
OSPF Process 1 with Router ID 1.1.1.9

Neighbors
Area 0.0.0.0 interface 172.1.1.1(Vlanif30)'s neighbors

Router ID: 172.1.1.2 Address: 172.1.1.2
State: Full Mode:Nbr is Master Priority: 1
DR: None BDR: None MTU: 1500
Dead timer due in 37 sec
Neighbor is up for 00:16:21
Authentication Sequence: [ 0 ]
Step 2 Configure basic MPLS functions and MPLS LDP on the MPLS backbone network and set up
LDP LSPs.
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif30] mpls
[PE1-Vlanif30] quit
# Configure the P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
[P-Vlanif60] mpls
[P-Vlanif60] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit

[PE2] mpls ldp

[PE2-mpls-ldp] quit
[PE2-Vlanif60] mpls
[PE2-Vlanif60] quit
After the configuration, LDP sessions are established between PE1 and P, and between P and
PE2. By running the display mpls ldp session command, you can see that the status of the LSP
sessions is Operational. By running the display mpls ldp lsp command, you can see the
establishment status of the LDP LSP.


------------------------------------------------------------------------------
Peer-ID Status LAM SsnRole SsnAge KA-Sent/Rcv
------------------------------------------------------------------------------
2.2.2.9:0 Operational DU Active 0000:00:01 6/6
------------------------------------------------------------------------------
[PE1] display mpls ldp lsp
LDP LSP Information

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
1.1.1.9/32 3/NULL 2.2.2.9 127.0.0.1 InLoop0
*1.1.1.9/32 Liberal
2.2.2.9/32 NULL/3 - 172.1.1.2 Vlanfi30
2.2.2.9/32 1024/3 2.2.2.9 172.1.1.2 Vlanfi30
3.3.3.9/32 NULL/1025 - 172.1.1.2 Vlanfi30
3.3.3.9/32 1025/1025 2.2.2.9 172.1.1.2 Vlanfi30
-------------------------------------------------------------------------------
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna] vpn-target 111:1 both
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] route-distinguisher 100:2
[PE1-vpn-instance-vpnb] vpn-target 222:2 both
[PE1-vpn-instance-vpnb] quit
[PE1-Vlanif10] ip binding vpn-instance vpna
[PE1-Vlanif10] quit
[PE1-Vlanif20] ip binding vpn-instance vpnb
[PE1-Vlanif20] quit

# Configure PE2.
[PE2-Vlanif40] quit
[PE2-Vlanif50] quit
# Configure IP addresses of the interfaces on the CEs according to Figure 3-3. The configuration
procedure is not given here.
After the configuration, run the display ip vpn-instance verbose command on the PEs, and you
can see the configuration of the VPN instances. The PEs can ping the connected CEs
successfully.
NOTE
run the ping -vpn-instance command to ping the CE connected to the peer PE. That is, specify -a source-
ip-address in the ping -vpn-instance vpn-instance-name -a source-ip-address destination-address
command. Otherwise, the ping operation may fail.
Take PE1 and CE1 for example.

[PE1] display ip vpn-instance verbose

Create date : 2008/11/24 16:28:27 UTC-08:00
Label policy : label per route
Log Interval : 5
VPN-Instance Name and ID : vpnb, 2

Create date : 2008/11/24 16:30:37 UTC-08:00
Log Interval : 5
[PE1] ping -vpn-instance vpna 10.1.1.1



0.00% packet loss
Step 4 Set up EBGP peer relation between the PE and the CE and import VPN routes.
# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] import-route direct
NOTE
The configuration procedures of CE2, CE3 and CE4 are similar to the configuration procedure of CE1 and
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
NOTE
The configuration procedure of PE2 is similar to the configuration procedure of PE1 and is not mentioned
here.
After the configuration, run the display bgp vpnv4 vpn-instance peer command on a PE, and
you can find that the BGP peer relation between the PE and CE is in Established state.
Take the peer relation between PE1 and CE1 for example:
[PE1] display bgp vpnv4 vpn-instance vpna peer
BGP local router ID : 1.1.1.9

Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State

PrefRcv
118.118.118.2 4 65410 11 9 0 00:07:25 Established

1

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100

After the configuration, run the display bgp peer or display bgp vpnv4 all peer command, and
you can see that the BGP peer relation between the PEs is in Established state.
[PE1] display bgp peer


PrefRcv
3.3.3.9 4 100 12 6 0 00:02:21 Established

0
[PE1] display bgp vpnv4 all peer


PrefRcv
3.3.3.9 4 100 12 18 0 00:09:38 Established 0

Peer of vpn instance:
vpn instance vpna :

10.1.1.1 4 65410 25 25 0 00:17:57 Established 1
vpn instance vpnb :
10.2.1.1 4 65420 21 22 0 00:17:10 Established 1

Run the display ip routing-table vpn-instance command on the PE, and you can view the routes
to the remote CE.
[PE1] display ip routing-table vpn-instance vpna
------------------------------------------------------------------------------
Routing Tables: vpna

10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif10
10.3.1.0/24 BGP 255 0 RD 3.3.3.9 Vlanif30
[PE1] display ip routing-table vpn-instance vpnb
------------------------------------------------------------------------------
Routing Tables: vpnb

10.2.1.0/24 Direct 0 0 D 10.2.1.2 Vlanif20
10.4.1.0/24 BGP 255 0 RD 3.3.3.9 Vlanif30
The CEs in the same VPN can ping each other, but the CEs in different VPNs cannot ping each
other.
For example, CE1 can ping CE3 (10.3.1.1) but cannot ping CE4 (10.4.1.1).
[CE1] ping 10.3.1.1


0.00% packet loss
[CE1] ping 10.4.1.1
Request time out
Request time out
Request time out
Request time out
Request time out
100.00% packet loss
----End
Configuration Files
#
sysname PE1
#
vlan batch 10 20 30
#
ip vpn-instance vpna
ip vpn-instance vpnb
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
interface Vlanif30
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#


#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
#
ipv4-family vpn-instance vpnb
import-route direct
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
#
sysname P
#
vlan batch 30 60
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif30
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0

#
return
#
sysname PE2
#
vlan batch 40 50 60
#
#
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif40
ip address 10.3.1.2 255.255.255.0
#
interface Vlanif50
ip address 10.4.1.2 255.255.255.0
#
interface Vlanif60
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
import-route direct
#


import-route direct
#
ospf 1
area 0.0.0.0
network 172.2.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
bgp 65410
#
ipv4-family unicast
import-route direct
#
return
#
sysname CE2
#
vlan batch 20
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
#
bgp 65420
#
ipv4-family unicast
import-route direct
#
return
#
sysname CE3
#
vlan batch 40
#
interface Vlanif40
ip address 10.3.1.1 255.255.255.0
#
#
bgp 65430


#
ipv4-family unicast
import-route direct
#
return

#
sysname CE4
#
vlan batch 50
#
interface Vlanif50
ip address 10.4.1.1 255.255.255.0
#
#
bgp 65440
#
ipv4-family unicast
import-route direct
#
return
3.17.2 Example for Configuring Overlapping Addresses in Two

BGP/MPLS IP VPNs
As shown in Figure 3-4, CE1 and CE2 belong to vpna and CE3 and CE4 belong to vpnb. The
VPN target of vpna is 100:100, and the VPN target of vpnb is 200:200. The users on different
VPNs cannot access each other.

Figure 3-4 Networking diagram of BGP/MPLS IP VPN
CE1 CE2
GE3/0/1
vpna vpna
GE3/0/1
VLANIF 100 VLANIF 100
14.1.1.2/24 34.1.1.2/24
GE3/0/1 Loopback0 GE3/0/1

VLANIF 100 2.2.2.9/32 VLANIF 100
14.1.1.1/24 GE1/0/1 GE2/0/1
VLANIF 10 VLANIF 20 PE2 34.1.1.1/24
Loopback0 12.1.1.1/24 23.1.1.1/24 Loopback0
1.1.1.9/32 3.3.3.9/32
GE1/0/1 GE2/0/1
GE3/0/2
PE1 VLANIF 10 P VLANIF 20 GE3/0/2
VLANIF 101 12.1.1.2/24 23.1.1.2/24 VLANIF 101
14.1.1.1/24 34.1.1.1/24
GE3/0/1 GE3/0/1
14.1.1.2/24 34.1.1.2/24
CE3 CE4
vpnb vpnb
1. Configure VPN instances on the PEs on the backbone network. Bind the interfaces
connected to CEs to the corresponding VPN instances so that CE1 and CE2 belong to a
VPN instance, and CE3 and CE4 belong to another VPN instance. Then assign IP addresses
to the PE interfaces connected to CEs.
2. Configure OSPF on the PEs to implement interconnection between PEs.
3. Enable MPLS and MPLS LDP on the PEs and P and set up an MPLS LSP.

4. Configure MP-IBGP between the PEs to exchange VPN routing information.

5. Configure static routes between the CEs and PEs.
Data Preparation
l IP address of each VLANIF interface, as shown in Figure 3-4
l MPLS LSR-IDs of PEs and P
l RDs of vpna and vpnb
l VPN targets of vpna and vpnb
Procedure
Step 1 Configure VLANs that the interfaces belong to and assign IP addresses to the VLANIF interfaces
and loopback interfaces according to Figure 3-4.
The configuration procedure is not mentioned.
Step 2 Configure an IGP protocol on the MPLS backbone network so that PE and P routers can
# Configure PE1.
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure P.
[P] ospf
[P-ospf-1] area 0
[P-ospf-1] quit
# Configure PE2.
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
After the configuration, OSPF relations are established between PE1, P, and PE2. By running
the display ospf peer command, you can see that the status of the OSPF relations is Full. By
running the display ip routing-table command, you can see that the PEs can learn the routes
of Loopback0 interface of each other.
Take the display on PE1 as an example.
------------------------------------------------------------------------------


2.2.2.9/32 OSPF 10 1 D 12.1.1.2 Vlanif10
3.3.3.9/32 OSPF 10 2 D 12.1.1.2 Vlanif10
12.1.1.0/24 Direct 0 0 D 12.1.1.1 Vlanif10
12.1.1.2/32 Direct 0 0 D 12.1.1.2 Vlanif10
23.1.1.0/24 OSPF 10 2 D 12.1.1.2 Vlanif10
Step 3 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS
backbone network.
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif10] mpls
# Configure P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif10] mpls
[P-Vlanif10] quit
[P-Vlanif20] mpls
[P-Vlanif20] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif20] mpls
[PE2-Vlanif20] quit
After the configuration, LDP sessions should be set up between PE1 and P, and between PE2
and P. Running the display mpls ldp session command, you can see that Status is
Operational. Run the display mpls ldp lsp command, and you can see the establishment status
of the LDP LSP.


------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
LDP LSP Information

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
1.1.1.9/32 3/NULL 2.2.2.9 127.0.0.1 InLoop0
*1.1.1.9/32 Liberal
2.2.2.9/32 NULL/3 - 12.1.1.2 Vlanif10
2.2.2.9/32 1024/3 2.2.2.9 12.1.1.2 Vlanif10
3.3.3.9/32 NULL/1025 - 12.1.1.2 Vlanif10
3.3.3.9/32 1025/1025 2.2.2.9 12.1.1.2 Vlanif10
-------------------------------------------------------------------------------
# Configure PE1.
[PE1-vpn-instance-vpna] vpn-target 100:100 export-extcommunity
[PE1-vpn-instance-vpna] vpn-target 100:100 import-extcommunity
[PE1-vpn-instance-vpnb] vpn-target 200:200 export-extcommunity
[PE1-vpn-instance-vpnb] vpn-target 200:200 import-extcommunity
[PE1-Vlanif100] quit
# Configure PE2.
[PE2-vpn-instance-vpna] vpn-target 100:100 import-extcommunity
[PE2-vpn-instance-vpnb] vpn-target 200:200 import-extcommunity


# Assign IP addresses to the interfaces on the CEs according to Figure 3-4. The configuration
procedure is not mentioned here.
can see the configuration of the VPN instances. The PEs can ping the connected CEs
successfully.
Take the display on PE1 and CE1 as an example.
[PE1] display ip vpn-instance verbose

Create date : 2008/11/24 16:28:27 UTC-08:00
Log Interval : 5
VPN-Instance Name and ID : vpnb, 2

Create date : 2008/11/24 16:30:37 UTC-08:00
Log Interval : 5


0.00% packet loss
Step 5 On CE1, CE2, CE3, and CE4, configure static routes to their connected PEs.
# Configure CE1.
[CE1] ip route-static 0.0.0.0 0.0.0.0 vlanif 100 14.1.1.1
NOTE
Configurations of CE2, CE3 and CE4 are similar to the configuration of CE1, and are not mentioned here.
Step 6 Set up MP-IBGP peer relations between PEs.

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback0


[PE1-bgp-vpna] quit
[PE1-bgp-vpnb] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp-vpna] quit
[PE2-bgp-vpnb] quit
After the configuration, run the display bgp peer command on a PE, and you can see that the
BGP peer relation between the PE and CE is in Established state.
[PE1]display bgp peer
Local ASN : 100
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
3.3.3.9 4 100 3 3 0 00:01:08 Established

0

Run the display ip routing-table vpn-instance command on a PE, and you can view the routes
to the remote CE.
------------------------------------------------------------------------------
14.1.1.0/24 Direct 0 0 D 14.1.1.1 Vlanif100

34.1.1.0/24 BGP 255 0 RD 3.3.3.9 Vlanif10
[PE1] display ip routing-table vpn-instance vpnb

------------------------------------------------------------------------------
Routing Tables: vpnb
14.1.1.0/24 Direct 0 0 D 14.1.1.1 Vlanif101


34.1.1.0/24 BGP 255 0 RD 3.3.3.9 Vlanif10

Run the ping 34.1.1.1 command on CE1, and the ping is successful. Run the display
interface command to view the statistics about packets on GE 3/0/1 and GE3/0/2 of PE2, and
you can see that there are packets passing through GE 3/0/1 but there is not any packet passing
through GE3/0/2. This indicates that the two VPN instances contain same addresses but users
in the VPNs cannot communicate with each other.
----End
Configuration Files
#
sysname PE1
#
vlan batch 10 100 101
#
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 12.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif100
ip address 14.1.1.1 255.255.255.0
#
interface Vlanif101
ip address 14.1.1.1 255.255.255.0
#
#
#
#
interface LoopBack0
ip address 1.1.1.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast

peer 3.3.3.9 enable

#
ipv4-family vpnv4
peer 3.3.3.9 enable
#
import-route direct
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
#
sysname P
#
vlan batch 10 20
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 12.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif20
ip address 23.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 12.1.1.0 0.0.0.255
network 23.1.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
#
sysname PE2
#
#
#

#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address 23.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif100
ip address 34.1.1.1 255.255.255.0
#
interface Vlanif101
ip address 34.1.1.1 255.255.255.0
#
#
#
#
interface LoopBack0
ip address 3.3.3.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.9 enable
#
ipv4-family vpnv4
peer 1.1.1.9 enable
#
import-route direct
#
import-route direct
#
ospf 1
area 0.0.0.0
network 23.1.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return
#
sysname CE1
#
vlan batch 100
#
interface Vlanif100
ip address 14.1.1.2 255.255.255.0
#

#
ip route-static 0.0.0.0 0.0.0.0 Vlanif 100 14.1.1.1
#
return

#
sysname CE2
#
vlan batch 100
#
interface Vlanif100
ip address 34.1.1.2 255.255.255.0
#
#
#
return

#
sysname CE3
#
vlan batch 101
#
interface Vlanif101
ip address 14.1.1.2 255.255.255.0
#
#
#
return

#
sysname CE4
#
vlan batch 101
#
interface Vlanif101
ip address 34.1.1.2 255.255.255.0
#
#
#
return
3.17.3 Example for Configuring Mutual Access Between VPNs on

S7700
As shown in Figure 3-5, the S7700 functions as the PE on the MPLS backbone. CE1 belongs
to vpna; CE2 belongs to vpnb.
It is required that CE1 and CE2 can communicate with each other.

NOTE
This example is only for configuring mutual access for local VPNs on S7700, for details about configuring
mutual access for local VPNs on SPU board, see 3.17.4 Example for Configuring Mutual Access for
Local VPNs on SPU Board.
Figure 3-5 Networking diagram for configuring mutual access between VPNs
GE1/0/0 PE1 GE2/0/0

VLANIF10 VLANIF20
GE1/0/0 GE1/0/0
CE1 VLANIF10 VLANIF20
CE2
vpna vpnb
CE1 GE1/0/0 VLANIF 10 10.1.1.1/24
CE2 GE1/0/0 VLANIF 20 10.2.1.1/24
PE1 GE1/0/0 VLANIF 10 10.1.1.2/24
PE1 GE2/0/0 VLANIF 20 10.2.1.2/24
1. On the PE, configure a VPN instance, set different VPN targets for the VPN instance
2. On the PE, bind the interface connected to the CE to the VPN instance.
3. Enable the routing protocol on the CEs.
Data Preparation
l VLAN ID and IP address of VLANIF interface allowed by each interface
l RD of the VPN
l VPN targets of the received and sent routes
Configuration Procedure
Procedure
Step 1 Create VLANs and specify the VLAN IDs that are allowed by the interfaces, as shown in Figure
3-5.
# Configure PE1.
[PE1] vlan batch 10 20
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10


# Configure CE1.
[Quidway] sysname CE1
[CE1] vlan batch 10
# Configure CE2.
[CE2] vlan batch 20
Step 2 Configure a VPN instance on each PE and connect the CEs to the PEs.
# Configure PE1.
[PE1-vpn-instance-vpna] vpn-target 111:1 222:2 import-extcommunity
[PE1-vpn-instance-vpnb] vpn-target 222:2 111:1 import-extcommunity
[PE1-Vlanif10] quit
[PE1-Vlanif20] quit
# Configure PE2.
[PE2-Vlanif30] quit
[PE2-Vlanif40] quit
# Assign IP addresses to the interfaces on the CEs according to Figure 3-5. The configuration
After the configuration, The PE can ping the connected CE successfully.

Take the display on PE1 and CE1 as an example:


0.00% packet loss
Step 3 Configure BGP to import the direct route to the VPN instance routing table.
# Configure PE1
[PE1] bgp 100
Step 4 Enable the routing protocol on the CEs.

# Configure CE1.
[CE1] ip route-static 10.2.1.0 24 10.1.1.2
# Configure CE2.

After the configuration, CE1 and CE2, which are connected to PE1 but belong to different VPNs,
can communicate with each other.
------------------------------------------------------------------------------
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10

10.2.1.0/24 BGP 255 0 D 10.2.1.1 Vlanif20
10.2.1.2/32 BGP 255 0 D 127.0.0.1 InLoopBack0
[CE1] ping 10.2.1.1
0.00% packet loss
----End

Configuration Files
#
sysname PE1
#
vlan batch 10 20
#
vpn-target 111:1 222:2 import-extcommunity
vpn-target 222:2 111:1 import-extcommunity
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 10.2.1.2 255.255.255.0
#
#
#
bgp 100
#
ipv4-family unicast
#
import-route direct
#
import-route direct
#
return

#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
ip route-static 10.2.1.0 24 10.1.1.2
#
return

#
sysname CE2
#
vlan batch 20

#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
#
ip route-static 10.1.1.0 24 10.2.1.2
#
return
3.17.4 Example for Configuring Mutual Access for Local VPNs on

SPU Board
As shown in Figure 3-6, the S7700 functions as the PE. PC1 belongs to vpn-a and PC2 belongs
to vpn-b.
PC1 and PC2 need to communicate with each other.
NOTE
This example is only for configuring mutual access for local VPNs on SPU board, for details about
configuring mutual access for local VPNs on S7700, see 3.17.3 Example for Configuring Mutual Access
Between VPNs on S7700.
Figure 3-6 Networking diagram for configuring mutual access betwen local VPNs
VLAN 10 10.10.10.2/24
Eth-trunk0 Eth-trunk0.10
XGE2/0/0 XGE0/0/1
Eth-Trunk0
XGE2/0/1 XGE0/0/2
Eth-trunk0 Eth-trunk0.20
VLAN 10 20.20.20.2/24
GE1/0/4 GE1/0/6
PC1 Switch PC2
10.10.10.1/24 20.20.20.1/24
1. Import flows from the switch to the SPU.

2. Configure the VPN instance and bind the VPN instance to interfaces.
3. Configure the static route for the mutual access between local VPNs.

Procedure
Step 1 Import flows from the switch to the SPU.
# Configure the switch.

[Switch] sysname Switch
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] interface gigabitethernet 1/0/4
[Switch-GigabitEthernet1/0/4] port link-type access
[Switch-GigabitEthernet1/0/4] port default vlan 10
[Switch-GigabitEthernet1/0/4] quit
[Switch] vlan 20
[Switch-vlan20] quit
[Switch-GigabitEthernet1/0/6] port link-type access
[Switch-GigabitEthernet1/0/6] port default vlan 20
[Switch] interface eth-trunk 0
[Switch-Eth-Trunk0] port link-type trunk
[Switch-Eth-Trunk0] undo port trunk allow-pass vlan 1
[Switch-Eth-Trunk0] port trunk allow-pass vlan 10 20
[Switch-Eth-Trunk0] quit
[Switch] interface xgigabitethernet 2/0/0
[Switch-XGigabitEthernet2/0/0] eth-trunk 0
[Switch-XGigabitEthernet2/0/0] quit
[Switch] interface xgigabitethernet 2/0/1
[Switch-XGigabitEthernet2/0/1] eth-trunk 0
[Switch-XGigabitEthernet2/0/1] quit
# Configure the SPU on the switch.

[Quidway] sysname SPU
[SPU] interface eth-trunk 0
[SPU] interface xgigabitethernet 0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 0
[SPU] interface xgigabitethernet 0/0/2
[SPU-XGigabitEthernet0/0/2] eth-trunk 0
Step 2 Configure a VPN instance on the SPU.

[SPU] ip vpn-instance vpn-a
[SPU-vpn-instance-vpn-a] route-distinguisher 1:1
[SPU-vpn-instance-vpn-a] vpn-target 1:1
[SPU-vpn-instance-vpn-a] quit
[SPU] ip vpn-instance vpn-b
[SPU-vpn-instance-vpn-b] route-distinguisher 2:2
[SPU-vpn-instance-vpn-b] vpn-target 2:2
[SPU-vpn-instance-vpn-b] quit
Step 3 Create sub-interfaces on the SPU and bind the VPN instance to the sub-interfaces.
[SPU] interface eth-trunk 0.10
[SPU-Eth-Trunk0.10] control-vid 10 dot1q-termination
[SPU-Eth-Trunk0.10] dot1q termination vid 10
[SPU-Eth-Trunk0.10] ip binding vpn-instance vpn-a
[SPU-Eth-Trunk0.10] ip address 10.10.10.2 24
[SPU-Eth-Trunk0.10] arp broadcast enable
[SPU-Eth-Trunk0.10] quit
[SPU] interface eth-trunk 0.20
[SPU-Eth-Trunk0.20] control-vid 20 dot1q-termination
[SPU-Eth-Trunk0.20] dot1q termination vid 20
[SPU-Eth-Trunk0.20] ip binding vpn-instance vpn-b
[SPU-Eth-Trunk0.20] ip address 20.20.20.2 24
[SPU-Eth-Trunk0.20] arp broadcast enable
[SPU-Eth-Trunk0.20] quit
Step 4 Configure the static route on the SPU to allow the VPNs to communicate with each other.

[SPU] ip route-static vpn-instance vpn-a 20.20.20.1 32 Eth-Trunk 0.20 20.20.20.1

[SPU] ip route-static vpn-instance vpn-b 10.10.10.1 32 Eth-Trunk 0.10 10.10.10.1
Ping PC2 on PC1. The ping is successful.
----End
Configuration Files
l Configuration file of switch
#
sysname Switch
#
vlan batch 10 20
#
interface Eth-Trunk0
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
port link-type access
port default vlan 10
#
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet2/0/0
eth-trunk 0
#
eth-trunk 0
#
return
l Configuration file of the SPU on the switch

#
sysname SPU
#
interface Eth-Trunk0
#
interface Eth-Trunk 0.10
control-vid 10 dot1q-termination
dot1q termination vid 10
ip binding vpn-instance vpn-a
ip address 10.10.10.2 24
arp broadcast enable
#
interface Eth-Trunk 0.20
ip binding vpn-instance vpn-b
ip address 20.20.20.2 24
arp broadcast enable
#
eth-trunk 0
#
eth-trunk 0
#
ip route-static vpn-instance vpn-a 20.20.20.1 32 Eth-Trunk 0.20 20.20.20.1

ip route-static vpn-instance vpn-b 10.10.10.1 32 Eth-Trunk 0.10 10.10.10.1

#
3.17.5 Example for Configuring BGP ASN Substitution
As shown in Figure 3-7, CE1 and CE2 belong to the same VPN instance and access PE1 and
PE2 respectively.
CE1 and CE2 use the same ASN, namely, 600.
Figure 3-7 Networking diagram for configuring BGP ASN substitution
Loopback1 Loopback1 Loopback1

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
PE1 GE1/0/0 GE2/0/0 PE2

GE1/0/0 GE2/0/0 GE2/0/0 GE1/0/0
P
Backbone
GE1/0/0 GE1/0/0
AS 100
CE1 CE2
GE2/0/0 GE2/0/0
vpn1 vpn1
AS 600 AS 600

1. Enable IGP on the backbone network to implement interworking between PEs, and between
PE and P so that they can learn loopback address of each other.
2. Create an MPLS LDP LSP between the PEs, create VPN instances on PEs, and connect
PEs to CEs.
3. Establish EBGP adjacencies between the PEs and CEs to import routes of the CEs to the
PEs.
4. Configure BGP ASN substitution on PEs.
Data Preparation
l VPN instances on PE1 and PE2
l ASN used by CE1 and CE2, which is different from the ASN of the backbone network
Procedure
Step 1 Configure basic BGP/MPLS IP VPN.
The configurations are as follows:
l Configure OSPF on the MPLS backbone so that the PE and P can learn routes of the loopback
interface from each other.
l Enable MPLS capability and MPLS LDP on the MPLS backbone and establish an LDP LSP.
l Establish an MP-IBGP adjacency between PEs and advertise VPNv4 routes.
l Configure VPN instance of VPN1 on PE2 and connect PE2 to CE2.
l Configure VPN instance of VPN1 on PE1 and connect PE1 to CE1.
l Configure BGP between PE1 and CE1, and between PE2 and CE2. Import routes of the CEs
to PEs.
After the configuration, run the display ip routing-table command on CE2. You can see that
CE2 can learn the route of the network segment (10.1.1.0/24) of the interface connecting PE1
to CE1, but there is no route to VPN (100.1.1.0/24) of CE1. When you run the display ip routing-
table command on CE1, you can see the similar information.
[CE2] display ip routing-table
------------------------------------------------------------------------------
10.1.1.0/24 BGP 255 0 D 10.2.1.2 Vlanif40
10.2.1.0/24 Direct 0 0 D 10.2.1.1 Vlanif40
200.1.1.0/24 Direct 0 0 D 200.1.1.1 Vlanif60

Run the display ip routing-table vpn-instance command on PEs, and you can see the routes
to the VPNs of the peer CEs.
[PE2] display ip routing-table vpn-instance vpn1
------------------------------------------------------------------------------
Routing Tables: vpn1
10.1.1.0/24 BGP 255 0 RD 1.1.1.9 Vlanif30
10.2.1.0/24 Direct 0 0 D 10.2.1.2 Vlanif40
100.1.1.0/24 BGP 255 0 RD 1.1.1.9 Vlanif30
200.1.1.0/24 BGP 255 0 D 10.2.1.1 Vlanif40
Enable debugging of the BGP Update packets on PE2. The debugging information shows that
PE2 advertises the route to 100.1.1.0/24 and the AS path information is "100 600".
<PE2> terminal monitor
<PE2> terminal debugging
<PE2> debugging bgp update vpn-instance vpn1 peer 10.2.1.1 verbose
<PE2> refresh bgp vpn-instance vpn1 all export
*0.4402392 PE2 RM/7/RMDEBUG:
BGP.vpn1: Send UPDATE to 10.2.1.1 for following destinations :
Origin : Incomplete
AS Path : 100 600
Next Hop : 10.2.1.2
100.1.1.0/24,
Run the display bgp routing-table peer received-routes command on CE2, and you can see
that CE2 does not accept the route to 100.1.1.0/24.
[CE2] display bgp routing-table peer 10.2.1.2 received-routes
Total Number of Routes: 3
BGP Local router ID is 10.2.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.1.1.0/24 10.2.1.2 0 100?
* 10.2.1.0/24 10.2.1.2 0 0 100?
* 10.2.1.1/32 10.2.1.2 0 0 100?
Step 2 Configure BGP ASN substitution.

Configure BGP ASN substitution on PEs.
# Take PE2 for example.
[PE2] bgp 100
[PE2-bgp-vpn1] peer 10.2.1.1 substitute-as
In the route advertised to CE2 by PE2, you can see that the AS path information of 100.1.1.0/24
changes from "100 600" to "100 100".
*0.13498737 PE2 RM/7/RMDEBUG:
BGP.vpn1: Send UPDATE to 10.2.1.1 for following destinations :
Origin : Incomplete
AS Path : 100 100
Next Hop : 10.2.1.2
100.1.1.0/24
Display the routing information and routing table received by CE2.

[CE2] display bgp routing-table peer 10.2.1.2 received-routes

*> 10.1.1.0/24 10.2.1.2 0 100?
* 10.2.1.0/24 10.2.1.2 0 0 100?
* 10.2.1.1/32 10.2.1.2 0 0 100?
*> 100.1.1.0/24 10.2.1.2 0 100 100!

------------------------------------------------------------------------------
10.1.1.0/24 BGP 255 0 D 10.2.1.2 Vlanif40
10.2.1.0/24 Direct 0 0 D 10.2.1.1 Vlanif40
100.1.1.1/24 BGP 255 0 D 10.2.1.2 Vlanif40
200.1.1.0/24 Direct 0 0 D 127.0.0.1 Vlanif60
After BGP ASN substitution is configured on PE1, the GE interfaces of CE1 and CE2 can ping
each other.
[CE1] ping -a 100.1.1.1 200.1.1.1
0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10 50
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif50
ip address 100.1.1.1 255.255.255.0
#
#


#
bgp 600
#
ipv4-family unicast
import-route direct
#
return
#
sysname PE1
#
vlan batch 10 20
#
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 20.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
peer 10.1.1.1 substitute-as
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 20.1.1.0 0.0.0.255

#
return
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address ip address 20.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address ip address 30.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
#
sysname PE2
#
vlan batch 30 40
#
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif30
ip address 30.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
ip address 10.2.1.2 255.255.255.0
#


#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
peer 10.2.1.1 substitute-as
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 30.1.1.0 0.0.0.255
#
return

#
sysname CE2
#
vlan batch 40 60
#
interface Vlanif40
ip address 10.2.1.1 255.255.255.0
#
interface Vlanif60
ip address 200.1.1.1 255.255.255.0
#
#
#
bgp 600
#
ipv4-family unicast
import-route direct
#
return

3.17.6 Example for Configuring Hub&Spoke
As shown in Figure 3-8, the communication between Spoke-CEs is controlled by the Hub-CE
in the central site. That is, the traffic between Spoke-CEs is forwarded by the Hub-CE, and not
only by the Hub-PE.
Figure 3-8 Networking diagram for configuring Hub&Spoke
AS: 65430
Hub-CE
GE1/0/0 GE2/0/0
GE3/0/0 GE3/0/1
Hub-PE
GE1/0/0 GE2/0/0

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE2/0/0 GE2/0/0
Spoke-PE1 Spoke-PE2
GE1/0/0 GE1/0/0
Backbone
AS100
GE1/0/0 GE1/0/0
Spoke-CE1 Spoke-CE2
AS: 65410 AS: 65420
Hub-PE GigabitEthernet1/0/0 VLANIF 10 10.1.1.2/24
Loopback1 - 2.2.2.9/32
Spoke-PE1 GigabitEthernet1/0/0 VLANIF 50 100.1.1.2/24
Loopback1 - 1.1.1.9/32

Spoke-PE2 GigabitEthernet1/0/0 VLANIF 60 120.1.1.2/24
Loopback1 - 3.3.3.9/32
Hub-CE GigabitEthernet1/0/0 VLANIF 30 110.1.1.1/24
Spoke-CE1 GigabitEthernet1/0/0 VLANIF 50 100.1.1.1/24
Spoke-CE2 GigabitEthernet1/0/0 VLANIF 60 120.1.1.1/24
1. Set up MP-IBGP peer relation between the Hub-PE and the Spoke-PE. Do not set up MP-
IBGP peer relation between Spoke-PEs.
2. Create two VPN instances on the Hub-PE. The import targets are the export targets of the
two Spoke-PEs. The export targets are different from the import targets.
3. Create a VPN instance on the Spoke-PE. The import target is the export target of the Hub-
PE.
4. Run EBGP between the CE and PE.
5. Configure the Hub-PE to accept the routes with two repeated ASNs.
Data Preparation
l IP address of each VLANIF interface, as shown in Figure 3-8
l VPN instance names, RDs, and VPN targets of the Hub-PE and Spoke-PE
Procedure
Step 1 Configure IGP on the backbone network to make the Hub-PE and the Spoke-PE communicate
with each other.
In this example, OSPF is used as IGP and the configuration procedure is not mentioned.
After the configuration, an OSPF adjacency can be established between the Hub-PE and the
Spoke-PEs. Run the display ospf peer command, and you can see that the status of the adjacency
is Full. Run the display ip routing-table command, and you can see that the Hub-PE and the
Spoke-PEs can learn the loopback routes of each other.
Step 2 Configure the basic MPLS capability on the backbone network and set up an LDP LSP.
# Configure the Hub-PE.
[Hub-PE] mpls lsr-id 2.2.2.9
[Hub-PE] mpls

[Hub-PE-mpls] label advertise non-null

[Hub-PE-mpls] quit
[Hub-PE] mpls ldp
[Hub-PE-mpls-ldp] quit
[Hub-PE] interface vlanif 10
[Hub-PE-Vlanif10] mpls
[Hub-PE-Vlanif10] mpls ldp
[Hub-PE-Vlanif10] quit
[Hub-PE-Vlanif20] mpls
[Hub-PE-Vlanif20] mpls ldp
After the configuration, LDP peer relation can be set up between the Hub-PE and the Spoke-
PEs. Run the display mpls ldp session command on each Switch, and you can see that the
session status is Operational.
The configuration procedure of the Spoke-PE is similar to the configuration procedure of the
Hub-PE and is not mentioned here.
NOTE
The VPN targets of the two VPNs on the Hub-PE are advertised by the two Spoke-PE, and the advertised
VPN target is different from the received VPN target. The import VPN target on the Spoke-PE is the export
VPN target on the Hub-PE.
# Configure Spoke-PE1.
<Spoke-PE1> system-view
[Spoke-PE1] ip vpn-instance vpna
[Spoke-PE1-vpn-instance-vpna] route-distinguisher 100:1
[Spoke-PE1-vpn-instance-vpna] vpn-target 100:1 export-extcommunity
[Spoke-PE1-vpn-instance-vpna] vpn-target 200:1 import-extcommunity
[Spoke-PE1-vpn-instance-vpna] quit
[Spoke-PE1] interface vlanif 50
[Spoke-PE1-Vlanif50] ip binding vpn-instance vpna
[Spoke-PE1-Vlanif50] ip address 100.1.1.2 24
[Spoke-PE1-Vlanif50] quit
[Spoke-PE2] ip vpn-instance vpna
[Spoke-PE2-vpn-instance-vpna] route-distinguisher 100:3
[Spoke-PE2-vpn-instance-vpna] vpn-target 100:1 export-extcommunity
[Spoke-PE2-vpn-instance-vpna] vpn-target 200:1 import-extcommunity
[Spoke-PE2-vpn-instance-vpna] quit
[Spoke-PE2-Vlanif60] ip binding vpn-instance vpna
[Spoke-PE2-Vlanif60] ip address 120.1.1.2 24

<Hub-PE> system-view
[Hub-PE] ip vpn-instance vpn_in
[Hub-PE-vpn-instance-vpn_in] route-distinguisher 100:21
[Hub-PE-vpn-instance-vpn_in] vpn-target 100:1 import-extcommunity
[Hub-PE-vpn-instance-vpn_in] quit
[Hub-PE] ip vpn-instance vpn_out
[Hub-PE-vpn-instance-vpn_out] route-distinguisher 100:22
[Hub-PE-vpn-instance-vpn_out] vpn-target 200:1 export-extcommunity
[Hub-PE-vpn-instance-vpn_out] quit
[Hub-PE-Vlanif30] ip binding vpn-instance vpn_in
[Hub-PE-Vlanif30] ip address 110.1.1.2 24


[Hub-PE-Vlanif40] ip binding vpn-instance vpn_out
[Hub-PE-Vlanif40] ip address 110.2.1.2 24
# Configure the IP addresses of the interfaces on the CEs. The configuration procedure is not
given here.
can see the configuration of the VPN instances. Each PE can ping the connected CEs by using
the ping -vpn-instance vpn-name ip-address command.
NOTE
Step 4 Set up EBGP peer relation between the PE and the CE and import VPN routes.
NOTE
To receive the routes advertised by the Hub-CE, configure the Hub-PE to allow the ASN to be repeated
once.
# Configure Spoke-CE1.
[Spoke-CE1] bgp 65410
[Spoke-CE1-bgp] peer 100.1.1.2 as-number 100
[Spoke-CE1-bgp] import-route direct
[Spoke-CE1-bgp] quit
[Spoke-PE1] bgp 100
[Spoke-PE1-bgp] ipv4-family vpn-instance vpna
[Spoke-PE1-bgp-vpna] peer 100.1.1.1 as-number 65410
[Spoke-PE1-bgp-vpna] import-route direct
[Spoke-PE1-bgp-vpna] quit
[Spoke-PE1-bgp] quit
[Spoke-CE2-bgp] peer 120.1.1.2 as-number 100
[Spoke-CE2-bgp] import-route direct
[Spoke-PE2] bgp 100
[Spoke-PE2-bgp] ipv4-family vpn-instance vpna
[Spoke-PE2-bgp-vpna] peer 120.1.1.1 as-number 65420
[Spoke-PE2-bgp-vpna] import-route direct
[Spoke-PE2-bgp-vpna] quit
# Configure the Hub-CE.

[Hub-CE] bgp 65430
[Hub-CE-bgp] peer 110.1.1.2 as-number 100
[Hub-CE-bgp] peer 110.2.1.2 as-number 100
[Hub-CE-bgp] import-route direct
[Hub-CE-bgp] quit

[Hub-PE] bgp 100
[Hub-PE-bgp] ipv4-family vpn-instance vpn_in

[Hub-PE-bgp-vpn_in] peer 110.1.1.1 as-number 65430

[Hub-PE-bgp-vpn_in] import-route direct
[Hub-PE-bgp-vpn_in] quit
[Hub-PE-bgp] ipv4-family vpn-instance vpn_out
[Hub-PE-bgp-vpn_out] peer 110.2.1.1 as-number 65430
[Hub-PE-bgp-vpn_out] peer 110.2.1.1 allow-as-loop 1
[Hub-PE-bgp-vpn_out] import-route direct
[Hub-PE-bgp-vpn_out] quit
[Hub-PE-bgp] quit
After the configuration, run the display bgp vpnv4 all peer command on a PE, and you can
find that the BGP peer relation between the PE and CE is in Established state.
NOTE
The Spoke-PE need not allow the repeated ASN, because the Switch does not check the AS path attribute
in the routing information advertised by the IBGP peers.
[Spoke-PE1] bgp 100
[Spoke-PE1-bgp] peer 2.2.2.9 as-number 100
[Spoke-PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[Spoke-PE1-bgp] ipv4-family vpnv4
[Spoke-PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[Spoke-PE1-bgp-af-vpnv4] quit
[Spoke-PE2] bgp 100

[Hub-PE] bgp 100
[Hub-PE-bgp] peer 1.1.1.9 as-number 100
[Hub-PE-bgp] peer 1.1.1.9 connect-interface loopback 1
[Hub-PE-bgp] ipv4-family vpnv4
[Hub-PE-bgp-af-vpnv4] peer 1.1.1.9 enable
[Hub-PE-bgp-af-vpnv4] quit
After the configuration, run the display bgp peer or display bgp vpnv4 all peer command, and
you can see that the BGP peer relation between the PEs is in Established state.
After the configuration, the Spoke-CEs can ping each other. Run the tracert command, and you
can see that the traffic between the Spoke-CEs is forwarded through the Hub-CE. You can also
deduce the number of forwarding devices between the Spoke-CEs based on the TTL in the ping
result.
Take Spoke-CE1 for example.
[Spoke-CE1] ping 120.1.1.1


0.00% packet loss
[Spoke-CE1] tracert 120.1.1.1
traceroute to 120.1.1.1(120.1.1.1) 30 hops max,40 bytes packet
1 100.1.1.2 24 ms 19 ms 11 ms
2 110.2.1.2 87 ms 60 ms 58 ms
3 110.2.1.1 59 ms 27 ms 53 ms
4 110.1.1.2 41 ms 34 ms 56 ms
5 120.1.1.2 90 ms 66 ms 75 ms
6 120.1.1.1 143 ms 96 ms 90 ms
Run the display bgp routing-table command on the Spoke-CE, and you can see the repeated
ASNs in AS paths of the BGP routes to the remote Spoke-CE.
Take Spoke-CE1 for example.
[Spoke-CE1] display bgp routing-table
*> 100.1.1.0/24 0.0.0.0 0 0 ?

* 100.1.1.2 0 0 100?
*> 100.1.1.1/32 0.0.0.0 0 0 ?
*> 110.1.1.0/24 100.1.1.2 0 100 65430?
*> 110.2.1.0/24 100.1.1.2 0 100?
*> 120.1.1.0/24 100.1.1.2 0 100 65430 100?
----End
Configuration Files
l Configuration file of Spoke-CE1
#
sysname Spoke-CE1
#
vlan batch 50
#
interface Vlanif50
ip address 100.1.1.1 255.255.255.0
#
#
bgp 65410
#
ipv4-family unicast
import-route direct
#
return
l Configuration file of Spoke-PE1

#
sysname Spoke-PE1
#
vlan batch 10 50
#

#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif50
ip address 100.1.1.2 255.255.255.0
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
import-route direct
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
#
sysname Spoke-PE2
#
vlan batch 20 60
#
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp

#
interface Vlanif20
ip address 11.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
ip address 120.1.1.2 255.255.255.0
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 11.1.1.0 0.0.0.255
#
return
#
sysname Spoke-CE2
#
vlan batch 60
#
interface Vlanif60
ip address 120.1.1.1 255.255.255.0
#
#
bgp 65420
#
ipv4-family unicast
import-route direct
#
return
l Configuration file of Hub-CE
#
sysname Hub-CE

#
vlan batch 30 40
#
interface Vlanif30
ip address 110.1.1.1 255.255.255.0
#
interface Vlanif40
ip address 110.2.1.1 255.255.255.0
#
#
#
bgp 65430
#
ipv4-family unicast
import-route direct
#
return
l Configuration file of Hub-PE
#
sysname Hub-PE
#
vlan batch 10 20 30 40
#
ip vpn-instance vpn_in
#
ip vpn-instance vpn_out
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif20
ip address 11.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip binding vpn-instance vpn_in
ip address 110.1.1.2 255.255.255.0
#
interface Vlanif40
ip binding vpn-instance vpn_out
ip address 110.2.1.2 255.255.255.0
#

#
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn_in
import-route direct
#
ipv4-family vpn-instance vpn_out
peer 110.2.1.1 allow-as-loop
import-route direct
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 11.1.1.0 0.0.0.255
#
return
3.17.7 Example for Configuring Inter-AS VPN Option A
As shown in Figure 3-9, CE1 and CE2 belong to the same VPN. CE1 accesses PE1 through AS
100, and CE2 accesses PE2 through AS 200.
Inter-AS BGP/MPLS IP VPN is implemented through Option A. That is, the VRF-to-VRF
method is used to manage VPN routes.

Figure 3-9 Networking diagram for configuring inter-AS VPN Option A

BGP/MPLS Backbone BGP/MPLS Backbone
AS 100 Loopback1 Loopback1 AS 200
2.2.2.9/32 3.3.3.9/32
GE2/0/0 GE2/0/0
VLAN IF12 VLAN IF12 GE1/0/0
GE1/0/0 192.1.1.1/24 192.1.1.2/24 VLANIF 22
VLANIF 11
172.1.1.1/24 ASBR-PE1 ASBR-PE2 162.1.1.1/24
Loopback1 Loopback1
1.1.1.9/32 GE1/0/0 4.4.4.9/32
GE1/0/0
VLANIF 11
VLANIF 22
PE1 172.1.1.2/24 162.1.1.2/24 PE2
GE2/0/0 GE2/0/0
VLANIF 10 VLANIF 10
10.1.1.2/24 10.2.1.2/24
GE1/0/0 GE1/0/0
VLANIF 10 VLANIF 10
10.1.1.1/24 10.2.1.1/24
CE1 CE2
AS 65001 AS 65002
1. Set up the EBGP peer relation between the PE and the CE and set up MP-IBGP peer relation
2. Create a VPN instance on the two ASBR-PEs and bind the VPN instance to the interface
connected to the other ASBR-PE (regarding the ASBR-PE as its CE) and set up the EBGP
peer relation between the ASBR-PEs.
Data Preparation
l MPLS LSR IDs of PEs and ASBR-PEs
l VPN instance names, RDs, and VPN targets for the PEs and ABSR-PEs
Procedure
Step 1 Create VLANs and specify the VLAN IDs that are allowed by the interfaces, as shown in Figure
3-9.
The configuration procedure is not mentioned here.
Step 2 On the MPLS backbone networks in AS 100 and AS 200, configure an IGP protocol so that the
PEs and the ASBRs on the network can communicate with each other.
The OSPF protocol is used in this example and the configuration procedure is not mentioned
here.

NOTE
The 32-bit loopback interface address used as the LSR ID must be advertised by OSPF.
After the configuration, the OSPF neighbor relation can be established between the ASBR and
the PE in the same AS. Run the display ospf peer command, and you can find that the neighbor
status is Full.
The ASBR-PE and PE in the same AS can ping each other and learn the loopback interface
address of each other.
Step 3 Configure the basic MPLS function and MPLS LDP on the MPLS backbone networks of AS
100 and AS 200 and set up the MPLS LDP LSP.
# Configure the basic MPLS function on PE1 and enable LDP on the interface connected to
ASBR-PE1.
<PE1> system-view
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif11] mpls
[PE1-Vlanif11] quit
# Configure the basic MPLS function on ASBR-PE1 and enable LDP on the interface connected
to PE1.
<ASBR-PE1> system-view
[ASBR-PE1] mpls lsr-id 2.2.2.9
[ASBR-PE1] mpls
[ASBR-PE1-mpls] label advertise non-null
[ASBR-PE1-mpls] quit
[ASBR-PE1] mpls ldp
[ASBR-PE1-mpls-ldp] quit
[ASBR-PE1] interface vlanif 11
[ASBR-PE1-Vlanif11] mpls
[ASBR-PE1-Vlanif11] mpls ldp
[ASBR-PE1-Vlanif11] quit
to PE2.
[ASBR-PE2] mpls
[ASBR-PE2-mpls] label advertise non-null
[ASBR-PE2] mpls ldp
ASBR-PE2.
<PE2> system-view
[PE2] mpls
[PE2-mpls] quit

[PE2] mpls ldp

[PE2-mpls-ldp] quit
[PE2-Vlanif22] mpls
[PE2-Vlanif22] quit
After the configuration, the LDP peer relation can be set up between the PE and ASBR in the
same AS. Run the display mpls ldp session command on each Switch, and you can see that the
Take the display on PE1 as an example:


------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 4 Configure the basic BGP/MPLS IP VPNs in AS 100 and AS 200.

NOTE
The VPN targets of the VPN instances of the ASBR-PE and PE in an AS should match each other. In
different ASs, the VPN targets of the VPN instances in different ASs do not need to match each other.
# Configure CE1.
<CE1> system-view
[CE1-Vlanif10] quit
[CE1] bgp 65001
[CE1-bgp] quit
# On PE1, set up an EBGP peer relation between PE1 and CE1.

[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] vpn-target 1:1 both
[PE1-Vlanif10] quit
[PE1] bgp 100
[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65001
[PE1-bgp-vpn1] quit
[PE1-bgp] quit
# On PE1, set up an MP-IBGP peer relation between ASBR-PE1 and MP-IBGP.

[PE1] bgp 100

# On ASBR-PE1, set up an MP-IBGP peer relation between ASBR-PE1 and PE1.

[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] peer 1.1.1.9 as-number 100
[ASBR-PE1-bgp] peer 1.1.1.9 connect-interface loopback 1
[ASBR-PE1-bgp] ipv4-family vpnv4
[ASBR-PE1-bgp-af-vpnv4] peer 1.1.1.9 enable
[ASBR-PE1-bgp-af-vpnv4] quit
[ASBR-PE1-bgp] quit
NOTE
The configurations on CE2, PE2, and ASBR-PE2 are similar to the configurations on CE1, PE1 and ASBR-
PE1 and are not mentioned here.
After the configuration, run the display bgp vpnv4 vpn-instance vpn-instancename peer
command on a PE, and you can find that the BGP peer relation between the PE and CE is in
Established state. Run the display bgp vpnv4 all peer command, and you can see the BGP peer
relations are set up between the PE and CE, and between the PE and ASBR, and the BGP peer
relations are in Established state.
[PE1] display bgp vpnv4 vpn-instance vpn1 peer


10.1.1.1 4 65001 10 10 0 00:07:10 Established 0

2.2.2.9 4 100 3 7 0 00:01:36 Established 0

Peer of vpn instance:
vpn instance vpn1 :
10.1.1.1 4 65001 13 13 0 00:04:00 Established 2
Step 5 Configure the inter-AS VPN in VRF-to-VRF mode.

# On ASBR-PE1, create a VPN instance and bind the VPN instance to the interface connected
to ASBR-PE2 (ASBR-PE1 regards ASBR-PE2 as its own CE).
[ASBR-PE1] ip vpn-instance vpn1
[ASBR-PE1-vpn-instance-vpn1] route-distinguisher 100:2
[ASBR-PE1-vpn-instance-vpn1] vpn-target 1:1 both
[ASBR-PE1-vpn-instance-vpn1] quit
[ASBR-PE1-Vlanif12] ip binding vpn-instance vpn1
[ASBR-PE1-Vlanif12] ip address 192.1.1.1 24
# On ASBR-PE2, create a VPN instance and bind the VPN instance to the interface connected
[ASBR-PE2] ip vpn-instance vpn1
[ASBR-PE2-vpn-instance-vpn1] route-distinguisher 200:2
[ASBR-PE2-vpn-instance-vpn1] vpn-target 2:2 both
[ASBR-PE2-vpn-instance-vpn1] quit
[ASBR-PE2] interface GigabitEthernet vlanif 12
[ASBR-PE2-Vlanif12] ip binding vpn-instance vpn1
[ASBR-PE2-Vlanif12] ip address 192.1.1.2 24

# On ASBR-PE1, set up an EBGP peer relation between ASBR-PE1 and ASBR-PE2.

[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] ipv4-family vpn-instance vpn1
[ASBR-PE1-bgp-vpn1] peer 192.1.1.2 as-number 200
[ASBR-PE1-bgp-vpn1] import-route direct
[ASBR-PE1-bgp-vpn1] quit
[ASBR-PE1-bgp] quit

[ASBR-PE2] bgp 200
[ASBR-PE2-bgp] ipv4-family vpn-instance vpn1
[ASBR-PE2-bgp-vpn1] peer 192.1.1.1 as-number 100
[ASBR-PE2-bgp-vpn1] import-route direct
[ASBR-PE2-bgp-vpn1] quit
[ASBR-PE2-bgp] quit
Run the display bgp vpnv4 vpn-instance peer command on the ASBR PE, and you can see
that the BGP peer relation is established between the ASBR-PEs.
After the preceding configuration, CEs can learn the routes from the interfaces of each other,
and CE1 and CE2 can ping each other successfully.
Take the display on CE1 as an example:
------------------------------------------------------------------------------
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10
10.2.1.0/24 BGP 255 0 D 10.1.1.2 Vlanif10
192.1.1.0/24 BGP 255 0 D 10.1.1.2 Vlanif10
192.1.1.2/32 BGP 255 0 D 10.1.1.2 Vlanif10
[CE1] ping 10.2.1.1
0.00% packet loss
Run the display ip routing-table vpn-instance command on an ASBR-PE, and you can see the
VPN routing table on the ASBR-PE.
[ASBR-PE1] display ip routing-table vpn-instance vpn1
------------------------------------------------------------------------------
10.1.1.0/24 BGP 255 0 RD 1.1.1.9 Vlanif11
10.2.1.0/24 BGP 255 0 D 192.1.1.2 Vlanif12
192.1.1.0/24 Direct 0 0 D 192.1.1.1 Vlanif12


Run the display bgp vpnv4 all routing-table command on an ASBR-PE, and you can see the
VPNv4 routes on the ASBR-PE.
[ASBR-PE1] display bgp vpnv4 all routing-table
Total number of routes from all PE: 2
Route Distinguisher: 100:1
*>i 10.1.1.0/24 1.1.1.9 0 100 0 ?

*>i 10.1.1.1/32 1.1.1.9 0 100 0 ?
Total routes of vpn-instance vpn1: 9
*>i 10.1.1.0/24 1.1.1.9 0 100 0 ?
*>i 10.1.1.1/32 1.1.1.9 0 100 0 ?
*> 10.2.1.0/24 192.1.1.2 0 200?
*> 10.2.1.1/32 192.1.1.2 0 200?
*> 192.1.1.0 0.0.0.0 0 0 ?
* 192.1.1.2 0 0 200?
*> 192.1.1.1/32 0.0.0.0 0 0 ?
* 192.1.1.2 0 0 200?
*> 192.1.1.2/32 0.0.0.0 0 0 ?
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif 10
ip address 10.1.1.1 255.255.255.0
#
#
bgp 65001
#
ipv4-family unicast
import-route direct
#
return

#
sysname PE1
#
vlan batch 10 20
#
#

mpls lsr-id 1.1.1.9

mpls
#
mpls ldp
#
interface Vlanif 10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif11
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable#
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
l Configuration file of ASBR-PE1
#
sysname ASBR-PE1
#
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif11
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif 12
ip address 192.1.1.1 255.255.255.0
#


#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
import-route direct
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
import-route direct
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
#
sysname ASBR-PE2
#
vlan batch 12 22
#
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif22
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif12
ip address 192.1.1.2 255.255.255.0
#
port link-ype trunk
#
port link-ype trunk
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#

bgp 200
#
ipv4-family unicast
peer 4.4.4.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 4.4.4.9 enable
#
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
#
sysname PE2
#
vlan batch 10 22
#
#
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 10.2.1.2 255.255.255.0
#
interface Vlanif22
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
port link-ype trunk
#
port link-ype trunk
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 200
#
ipv4-family unicast
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target

peer 3.3.3.9 enable

#
import-route direct
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return

#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
ip address 10.2.1.1 255.255.255.0
#
port link-ype trunk
#
bgp 65002
#
ipv4-family unicast
import-route direct
#
return
3.17.8 Example for Configuring Inter-AS VPN Option B

As shown in Figure 3-10, CE1 and CE2 are deployed on the same VPN. CE1 is connected to
the network through PE1 in AS100 and CE2 is connected to the network through PE2 in AS200.
The inter-AS BGP/MPLS IP VPN is implemented in Option B mode.
l ASBR1 and ASBR2 exchanges VPNv4 routing information with each other through MP-
EBGP.
l The ASBRs do not filter the received VPNv4 routes based on the VPN target.

Figure 3-10 Networking of the inter-AS VPN

2.2.2.9/32 3.3.3.9/32
GE2/0/0 GE2/0/0
VLAN IF12 VLAN IF12 GE1/0/0
GE1/0/0 192.1.1.1/24 192.1.1.2/24 VLANIF 22
VLANIF 11 162.1.1.1/24
172.1.1.1/24 ASBR1 ASBR2
Loopback1 Loopback1
1.1.1.9/32 GE1/0/0 GE1/0/0 4.4.4.9/32
VLANIF 11
172.1.1.2/24 VLANIF 22
PE1 162.1.1.2/24 PE2
GE2/0/0 GE2/0/0
VLANIF 10 VLANIF 10
10.1.1.2/24 10.2.1.2/24
GE1/0/0 GE1/0/0
VLANIF 10 VLANIF 10
10.1.1.1/24 10.2.1.1/24
CE1
CE2
AS 65001 AS 65002
1. Run IGP on the backbone network to implement the communication between ASBRs and
PEs in the same AS. Set up MPLS LDP LSPs between ASBRs and PEs in the same AS.
2. Set up EBGP peer relationships between PEs and CEs and set up MP-IBGP peer
relationships between PEs and ASBRs.
3. Create VPN instances on PEs (you do not need to create VPN instances on ASBRs.)
4. Enable MPLS on the interface that connect ASBR1 and ASBR2, set up the MP-EBGP peer
relationship between ASBRs, and configure the ASBRs not to filter the received VPNv4
routes based on the VPN target.
Data Preparation
l MPLS LSR IDs of PEs and ASBRs
l Names, RDs, and VPN targets of the VPN instances created on PE1 and PE2
Procedure
Step 1 On the MPLS backbone networks in AS100 and AS200, configure IGP to implement
communication between PEs on the respective backbone network.

OSPF is used in this example. The configuration details are not mentioned here.
NOTE
Advertise the 32-bit IP address of the loopback interface, that is, the LSR ID, by using OSPF.
After the configuration, the OSPF neighbor relationship can be set up between the ASBR and
the PE in the same AS. Run the display ospf peer command, and you can view that the status
of the neighbor relationship is Full.
The ASBR and PE in the same AS can learn and ping the IP address of the loopback interface
of each other.
Step 2 Configure basic MPLS functions and MPLS LDP on MPLS backbone networks of AS100 and
AS200 to establish LDP LSPs.
For detailed configurations, see 3.17.7 Example for Configuring Inter-AS VPN Option A.
Step 3 Configure BGP/MPLS IP VPN on PE1 and PE2.
NOTE
The VPN targets of VPN instances created on PE1 and PE2 must be matched.
For details on the configuration, see the following configuration files.

Step 4 Configure inter-AS VPN Option B.
# Configure ASBR1: Enable MPLS on VLANIF12 through which ASBR1 is connected to
ASBR2.
<ASBR1> system-view
[ASBR1] interface vlanif 12
[ASBR1-Vlanif12] ip address 192.1.1.1 24
[ASBR1-Vlanif12] mpls
[ASBR1-Vlanif12] quit
# Configure ASBR1: Set up the MP-EBGP peer relationship with ASBR2 and configure ASBR1
not to filter the received VPNv4 routes based on the VPN target.
[ASBR1] bgp 100
[ASBR1-bgp] peer 192.1.1.2 as-number 200
[ASBR1-bgp] ipv4-family vpnv4
[ASBR1-bgp-af-vpnv4] peer 192.1.1.2 enable
[ASBR1-bgp-af-vpnv4] undo policy vpn-target
[ASBR1-bgp-af-vpnv4] quit
[ASBR1-bgp] quit
NOTE
The configuration on ASBR2 is the same as the configuration on ASBR1, and is not mentioned here.

After the preceding configuration, CEs can learn routes of interfaces of each other, and CE1 and
CE2 can ping each other.
For example, information about CE1 is displayed as follows:
<CE1> display ip routing-table
------------------------------------------------------------------------------
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10

10.2.1.0/24 BGP 255 0 D 10.1.1.2 Vlanif10

<CE1> ping 10.2.1.1
0.00% packet loss
Run the display bgp vpnv4 all routing-table command on an ASBR, and you can view VPNv4
routes on the ASBR.
For example, information about ASBR1 is displayed as follows:
[ASBR1] display bgp vpnv4 all routing-table
*>i 10.1.1.0/24 1.1.1.9 0 100 0 ?
*>i 10.1.1.1/32 1.1.1.9 0 100 0 ?
*> 10.2.1.0/24 192.1.1.2 0 200?
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
bgp 65001
#
ipv4-family unicast
import-route direct
return

#
sysname PE
#
vlan batch 10 11
#

#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif11
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
l Configuration file of ASBR1
#
sysname ASBR1
#
vlan batch 11 12
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif11
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif12
ip address 192.1.1.1 255.255.255.0

mpls
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.9 enable
#
ipv4-family vpnv4
peer 1.1.1.9 enable
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
l Configuration file of ASBR2
#
sysname ASBR2
#
vlan batch 12 22
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif12
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif22
ip address 192.1.1.2 255.255.255.0
mpls
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 200

#
ipv4-family unicast
peer 4.4.4.9 enable
#
ipv4-family vpnv4
peer 4.4.4.9 enable
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
#
sysname PE2
#
vlan batch 10 22
#
#
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 10.2.1.2 255.255.255.0
#
interface Vlanif22
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 200
#
ipv4-family unicast
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
import-route direct
#

ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return

#
sysname CE2
#
vlan 10
#
interface Vlanif10
ip address 10.2.1.1 255.255.255.0
#
#
bgp 65002
#
ipv4-family unicast
import-route direct
#
return
3.17.9 Example for Configuring the HoVPN

As shown in Figure 3-11, CE1 and CE2 belong to the same VPN and have the same VPN target.
CE1 connects to the backbone network through UPE, and CE2 connects to the network through
PE. UPE, SPE and PE are interconnected through OSPF.

Figure 3-11 Networking diagram for configuring the HoVPN
Loopback1 Loopback1
2.2.2.9./32 3.3.3.9./32
GE2/0/0 PE
Loopback1
1.1.1.9./32 GE1/0/0 GE2/0/0
SPE GE1/0/0
GE2/0/0
UPE GE1/0/0 AS: 100
GE1/0/0 GE1/0/0
CE1 CE2
VPN-A AS: 65410 AS: 65420 VPN-A
UPE GigabitEthernet1/0/0 VLANIF 30 10.1.1.2/24
SPE GigabitEthernet1/0/0 VLANIF 10 172.1.1.2/24
PE GigabitEthernet1/0/0 VLANIF 40 10.2.1.2/24
1. Configure IGP on the backbone network so that PEs can learn the loopback address of each
other. Create MPLS LSPs between the PEs.
2. Create a VPN instance on UPE and set up an EBGP adjacency between UPE and CE1.
Create a VPN instance on PE and set up an EBGP adjacency between PE and CE2.
3. Set up an MP-IBGP adjacency between UPE and SPE, and between PE and SPE.
4. Create a VPN instance on the SPE and set the UPE as its under layer PE. Configure the
UPE to advertise the default route of the VPN instance.

Data Preparation
l IDs of the VLANs that the interfaces of PE and CE belong to, as shown in Figure 3-11
l IP address of each VLAN interface, as shown in Figure 3-11
l MPLS LSR-IDs of UPE, SPE, and PE
l VPN instances on UPE, SPE, and PE
Procedure
Step 1 Configure OSPF on the MPLS backbone network to implement network connectivity.
After the configuration, an OSPF adjacency is set up among UPE, SPE, and PE. Run the display
ospf peer command, and you can see that the adjacency is in Full state. Run the display ip
routing-table command on the PEs, and you can see the PEs can learn the loopback routes of
each other.
LDP LSPs.
After the configuration, LDP sessions are established between UPE and SPE, and between SPE
and PE. By running the display mpls ldp session command, you can see that the session status
is Operational. By running the display mpls ldp lsp command, you can see the establishment
status of the LDP LSP.
Step 3 Connect PEs to CEs and run BGP between them.
# Configure the UPE.
<UPE> system-view
[UPE] ip vpn-instance vpna
[UPE-vpn-instance-vpna] route-distinguisher 100:1
[UPE-vpn-instance-vpna] vpn-target 1:1
[UPE-vpn-instance-vpna] quit
[UPE] interface vlanif 30
[UPE-Vlanif30] ip binding vpn-instance vpna
[UPE-Vlanif30] ip address 10.1.1.2 24
[UPE-Vlanif30] quit
[UPE] bgp 100
[UPE-bgp] ipv4-family vpn-instance vpna
[UPE-bgp-vpna] peer 10.1.1.1 as-number 65410
[UPE-bgp-vpna] import-route direct
[UPE-bgp-vpna] quit
[UPE-bgp] quit
# Configure CE1.
[CE1-Vlanif30] quit
[CE1] bgp 65410
[CE1-bgp] quit
# Configure PE.

<PE> system-view
[PE] ip vpn-instance vpna
[PE-vpn-instance-vpna] route-distinguisher 100:2
[PE-vpn-instance-vpna] vpn-target 1:1
[PE-vpn-instance-vpna] quit
[PE] interface vlanif 40
[PE-Vlanif40] ip binding vpn-instance vpna
[PE-Vlanif40] ip address 10.2.1.2 24
[PE-Vlanif40] quit
[PE] bgp 100
[PE-bgp] ipv4-family vpn-instance vpna
[PE-bgp-vpna] peer 10.2.1.1 as-number 65420
[PE-bgp-vpna] import-route direct
[PE-bgp-vpna] quit
[PE-bgp] quit
# Configure CE2.
[CE2-Vlanif40] quit
[CE2] bgp 65420
[CE2-bgp] quit
After the configuration, run the display ip vpn-instance verbose command on the UPE and the
PE, and you can see the configuration of the VPN instances. By running the ping -vpn-
instance, you can see that the UPE and the PE can ping the connected CEs.
NOTE
Step 4 Set up an MP-IBGP adjacency between UPE and SPE, and between PE and SPE.
<UPE> system-view
[UPE] bgp 100
[UPE-bgp] peer 2.2.2.9 as-number 100
[UPE-bgp] peer 2.2.2.9 connect-interface loopback 1
[UPE-bgp] ipv4-family vpnv4
[UPE-bgp-af-vpnv4] peer 2.2.2.9 enable
[UPE-bgp-af-vpnv4] quit
[UPE-bgp] quit
# Configure the SPE.

<SPE> system-view
[SPE] bgp 100
[SPE-bgp] peer 1.1.1.9 as-number 100
[SPE-bgp] peer 1.1.1.9 connect-interface loopback 1
[SPE-bgp] peer 3.3.3.9 as-number 100
[SPE-bgp] peer 3.3.3.9 connect-interface loopback 1
[SPE-bgp] ipv4-family vpnv4
[SPE-bgp-af-vpnv4] peer 1.1.1.9 enable
[SPE-bgp-af-vpnv4] peer 3.3.3.9 enable
[SPE-bgp-af-vpnv4] quit
[SPE-bgp] quit
# Configure the PE.

<PE> system-view
[PE] bgp 100

[PE-bgp] peer 2.2.2.9 as-number 100

[PE-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE-bgp] ipv4-family vpnv4
[PE-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE-bgp-af-vpnv4] quit
[PE-bgp] quit
Step 5 Configure the SPE.

# Configure the VPN instance.
[SPE] ip vpn-instance vpna
[SPE-vpn-instance-vpna] route-distinguisher 200:1
[SPE-vpn-instance-vpna] vpn-target 1:1
[SPE-vpn-instance-vpna] quit
# Specify the UPE for the SPE.

[SPE] bgp 100
[SPE-bgp] ipv4-family vpnv4
[SPE-bgp-af-vpnv4] peer 1.1.1.9 upe
# Advertise the default route of the VPN instance to the UPE.

[SPE-bgp-af-vpnv4] peer 1.1.1.9 default-originate vpn-instance vpna
[SPE-bgp-af-vpnv4] quit

After the configuration, CE1 has no route to the network segment of the interface on CE2, but
it has a default route with the next hop being UPE. CE2 has a BGP route to the network segment
of the interface on CE1. CE1 and CE2 can ping each other.
<CE1> display ip routing-table
------------------------------------------------------------------------------
0.0.0.0/0 BGP 255 0 D 10.1.1.2 Vlanif30

10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif30
[CE1] ping 10.2.1.1

0.00% packet loss

------------------------------------------------------------------------------

10.1.1.0/24 BGP 255 0 D 10.2.1.2 Vlanif40

10.2.1.0/24 Direct 0 0 D 10.2.1.1 Vlanif40
Run the display bgp vpnv4 all routing-table command on the UPE, and you can see a default
route of the VPN instance vpna with the next hop being SPE.
[UPE] display bgp vpnv4 all routing-table
*>i 0.0.0.0 2.2.2.9 100 0 i
Total routes of vpn-instance vpna: 6
*>i 0.0.0.0 2.2.2.9 100 0 i
*> 10.1.1.0/24 0.0.0.0 0 0 ?
* 10.1.1.2 0 0 65410?
*> 10.1.1.1/32 0.0.0.0 0 0 ?
*> 10.1.1.2/32 0.0.0.0 0 0 ?
* 10.1.1.1 0 0 65410?
----End
Configuration Files
#
sysname CE1
#
vlan batch 30
#
interface VLanif30
ip address 10.1.1.1 255.255.255.0
#
#
bgp 65410
#
ipv4-family unicast
import-route direct
#
return
l Configuration file of UPE

#
sysname UPE
#
vlan batch 10 30
#


#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif 10
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif 30
ip address 10.1.1.2 255.255.255.0
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
l Configuration file of SPE
#
sysname SPE
#
vlan batch 10 20
#
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 172.1.1.2 255.255.255.0

mpls
mpls ldp
#
interface Vlanif20
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
peer 1.1.1.9 upe
peer 1.1.1.9 default-originate vpn-instance vpna
peer 3.3.3.9 enable
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
#
return
l Configuration file of PE
#
sysname PE
#
vlan batch 20 40
#
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
ip address 10.2.1.2 255.255.255.0

#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 172.2.1.0 0.0.0.255
#
return

#
sysname CE2
#
vlan batch 40
#
interface Vlanif40
ip address 10.2.1.1 255.255.255.0
#
#
bgp 65420
#
ipv4-family unicast
import-route direct
#
return
3.17.10 Example for Configuring the OSPF Sham Link

As shown in Figure 3-12, CE1 and CE2 belong to the same OSPF area of vpn1 and are connected
to PE1 and PE2 respectively. Assume that the cost of each link is 1.
A CE and a PE communicate through OSPF. VPN traffic is forwarded between CE1 and CE2
over the MPLS backbone, not through the OSPF intra-area routes.

Figure 3-12 Networking diagram for configuring the OSPF sham link
1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE2/0/0 GE2/0/0
PE1 PE2
GE1/0/0 GE2/0/0
GE1/0/0 P GE1/0/0
Loopback10 Loopback10
sham link
5.5.5.5/32 6.6.6.6/32
GE1/0/0 GE1/0/0
GE2/0/0 GE1/0/0 GE2/0/0 GE2/0/0

Switch
CE1 CE2
backdoor
Switch GigabitEthernet1/0/0 VLANIF 20 20.1.1.2/24
1. Set up an MP-IBGP adjacency between the PEs and enable OSPF between the PE and CEs.
2. Create VPN instances on the PEs and bind the instances to the interfaces connected to the
CEs.
3. Create an OSPF sham link between the PEs.
4. Adjust the cost value of the backdoor link of the VPN to be greater than that of the sham
link.

Data Preparation
l Name of the VPN instance, RD, and VPN target on the PE
l OSPF processes running on the interior of the backbone network and user networks, which
are different from that running on the PEs connected to CEs
l Cost of the sham link, which must be less than the cost for forwarding OSPF routes through
the user network
Procedure
Step 1 Configure OSPF on the user network.
Configure common OSPF on CE1, Switch and CE2 and advertise the segment address of each
interface.
# Configure CE1.
[CE1] vlan batch 20 50
[CE1-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[CE1-GigabitEthernet2/0/0] port hybrid untagged vlan 20
[CE1-Vlanif20] quit
[CE1-Vlanif50] quit
[CE1] ospf
[CE1-ospf-1] area 0
[CE1-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[CE1-ospf-1-area-0.0.0.0] quit
[CE1-ospf-1] quit
# Configure Switch.
[Quidway] sysname Switch
[Switch] vlan 20 30
[Switch-GigabitEthernet1/0/0] port hybrid pvid vlan 20
[Switch-GigabitEthernet1/0/0] port hybrid untagged vlan 20
[Switch-GigabitEthernet2/0/0] port hybrid pvid vlan 30
[Switch-GigabitEthernet2/0/0] port hybrid untagged vlan 30
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 20.1.1.2 24
[Switch-Vlanif20] quit
[Switch] interface vlanif 30
[Switch-Vlanif30] ip address 30.1.1.1 24
[Switch-Vlanif30] quit
[Switch] ospf

[Switch-ospf-1] area 0
[Switch-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[Switch-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[Switch-ospf-1-area-0.0.0.0] quit
[Switch-ospf-1] quit
[CE2-Vlanif30] quit
[CE2-Vlanif60] quit
[CE2] ospf
[CE2-ospf-1] area 0
[CE2-ospf-1] quit
Step 2 Configure basic BGP/MPLS IP VPN function on the backbone network, including IGP, MPLS
and LDP on the backbone network, and MP-IBGP adjacency between the PEs.
# Configure PE1.
[PE1] mpls
[PE1-mpls] lsp-trigger all
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif10] mpls
[PE1-Vlanif10] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
[PE1] bgp 100

[PE1-bgp] quit
# Configure the P.
[Quidway] sysname P
[P] vlan batch 10 40
[P-LoopBack1] quit
[P] mpls
[P-mpls] lsp-trigger all
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif10] mpls
[P-Vlanif10] quit
[P-Vlanif40] mpls
[P-Vlanif40] quit
[P] ospf
[P-ospf-1] area 0
[P-ospf-1] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif40] mpls
[PE2-Vlanif40] quit

[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
[PE2] bgp 100
[PE2-bgp] quit
After the configuration, PE1 and PE2 can learn the loopback route of each other. The MP-IBGP
adjacency is set up between PE1 and PE2.
Step 3 Configure links between PE and CE. That is, running OSPF between PE and CE.
# Configure PE1.
[PE1-vpn-instance-vpn1] vpn-target 1:1
[PE1-Vlanif50] quit
[PE1] ospf 100 vpn-instance vpn1
[PE1-ospf-100] domain-id 10
[PE1-ospf-100] import-route bgp
[PE1-ospf-100] area 0
[PE1-ospf-100] quit
[PE1] bgp 100
[PE1-bgp-vpn1] import-route ospf 100
[PE1-bgp-vpn1] quit
[PE1-bgp] quit
# Configure PE2.
[PE2-Vlanif60] quit
[PE2-ospf-100] domain-id 10
[PE2-ospf-100] quit
[PE2] bgp 100
[PE2-bgp-vpn1] quit
[PE2-bgp] quit

After the configuration, run the display ip routing-table vpn-instance command on the PEs,
and you can see that the routes to the peer CEs are OSPF routes through the backbone network,
not the BGP routes through the user network.
------------------------------------------------------------------------------
20.1.1.0/24 OSPF 10 2 D 100.1.1.1 Vlanif50
30.1.1.0/24 OSPF 10 3 D 100.1.1.1 Vlanif50
100.1.1.0/24 Direct 0 0 D 100.1.1.2 Vlanif50
120.1.1.0/24 OSPF 10 4 D 100.1.1.1 Vlanif50
Step 4 Configure a sham link.

NOTE
To forward VPN traffic through the MPLS backbone, you must configure the cost of the sham link to be
smaller than the cost of the OSPF route through the user network. A commonly used method is to set the
cost of the forwarding interface on the user network to be greater than the cost of the sham link.
# Configure CE1.
[CE1-Vlanif20] ospf cost 10
# Configure CE2.
[CE2-Vlanif30] ospf cost 10
# Configure PE1.
[PE1-LoopBack10] ip binding vpn-instance vpn1
[PE1] ospf 100
[PE1-ospf-100-area-0.0.0.0] sham-link 5.5.5.5 6.6.6.6 cost 1
[PE1-ospf-100] quit
# Configure PE2.
[PE2-LoopBack10] ip binding vpn-instance vpn1
[PE2] ospf 100
[PE2-ospf-100-area-0.0.0.0] sham-link 6.6.6.6 5.5.5.5 cost 1
[PE2-ospf-100] quit

After the configuration, run the display ip routing-table vpn-instance command on the PEs.
You can see that the routes to the peer CEs are BGP routes through the backbone network, and
there are routes to the destination of the sham link.


------------------------------------------------------------------------------
6.6.6.6/32 BGP 255 0 RD 3.3.3.9 Vlanif10
20.1.1.0/24 OSPF 10 11 D 100.1.1.1 Vlanif50
30.1.1.0/24 OSPF 100 12 RD 3.3.3.9 Vlanif10
100.1.1.0/24 Direct 0 0 D 100.1.1.2 Vlanif50
120.1.1.0/24 BGP 255 0 RD 3.3.3.9 Vlanif50
Run the display ip routing-table command on the CEs, and you can see that the cost of the
OSPF route to the peer CE is changed to 3, and the next hop is changed to the VLANIF interface
connected to PE. That is, the VPN traffic to the peer CE is forwarded through the backbone
network.
Take CE1 for example.
------------------------------------------------------------------------------
5.5.5.5/32 O_ASE 150 1 D 100.1.1.2 Vlanif50
6.6.6.6/32 O_ASE 150 1 D 100.1.1.2 Vlanif50
20.1.1.0/24 Direct 0 0 D 20.1.1.1 Vlanif20
30.1.1.0/24 OSPF 10 11 D 100.1.1.2 Vlanif20
100.1.1.0/24 Direct 0 0 D 100.1.1.1 Vlanif50
120.1.1.0/24 OSPF 10 3 D 100.1.1.2 Vlanif50
120.1.1.1/32 O_ASE 150 1 D 100.1.1.2 Vlanif50
NOTE
The cost of the OSPF route from CE1 to CE2 is the sum of the cost from CE1 to PE1, the cost of sham
link, and the cost from PE2 to CE2, that is, 1 + 1 + 1 =3.
Run the tracert command, and you can see that the data from CE1 to CE2 passes through the
VLANIF interface connected to PE1. That is, VPN traffic is transmitted through the backbone
network.
[CE1] tracert 120.1.1.1
1 100.1.1.2 47 ms 31 ms 31 ms
2 120.1.1.2 94 ms 94 ms 94 ms
3 120.1.1.1 125 ms 156 ms 125 ms
[CE1] tracert 30.1.1.2
1 20.1.1.2 80 ms 60 ms 60 ms
2 30.1.1.2 100 ms 90 ms 130 ms
Run the display ospf sham-link command on the PEs, and you can see the information about
the sham link.

[PE1] display ospf sham-link

Sham Link:
Area NeighborId Source-IP Destination-IP State Cost
Sham Link:
Area NeighborId Source-IP Destination-IP State Cost
0.0.0.0 6.6.6.6 5.5.5.5 6.6.6.6 P-2-P 1
Run the display ospf sham-link area command, and you can see that the state of the peer is
Full.
[PE1] display ospf sham-link area 0
Sham-Link: 5.5.5.5 --> 6.6.6.6
NeighborID: 6.6.6.6, State: Full
Area: 0.0.0.0
Cost: 10 State: P-2-P, Type: Sham
Timers: Hello 10 , Dead 40 , Retransmit 5 , Transmit Delay 1
Run the display ospf routing command on the CEs, and you can see that the route to the peer
CE is learned and considered as the intra-area route.
[CE1] display ospf routing
Routing Tables
Routing for Network
Destination Cost Type NextHop AdvRouter Area
120.1.1.0/24 3 Transit 100.1.1.2 6.6.6.6 0.0.0.0
20.1.1.0/24 10 Stub 20.1.1.1 100.1.1.1 0.0.0.0
30.1.1.0/24 11 Stub 20.1.1.2 30.1.1.1 0.0.0.0
100.1.1.0/24 1 Transit 100.1.1.1 100.1.1.1 0.0.0.0
Routing for ASEs
Destination Cost Type Tag NextHop AdvRouter
120.1.1.1/32 1 Type2 3489661028 100.1.1.2 5.5.5.5
6.6.6.6/32 1 Type2 3489661028 100.1.1.2 5.5.5.5
5.5.5.5/32 1 Type2 3489661028 100.1.1.2 6.6.6.6
100.1.1.1/32 1 Type2 3489661028 100.1.1.2 6.6.6.6
Total Nets: 8
Intra Area: 4 Inter Area: 0 ASE: 4 NSSA: 0
----End
Configuration Files
#
sysname PE1
#
vlan batch 10 50
#
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#

interface Vlanif50
ip address 100.1.1.2 255.255.255.0
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
interface LoopBack10
ip address 5.5.5.5 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
import-route direct
import-route ospf 100
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
#
ospf 100 vpn-instance vpn1
import-route bgp
domain-id 0.0.0.10
area 0.0.0.0
network 100.1.1.0 0.0.0.255
sham-link 5.5.5.5 6.6.6.6 cost 1
#
return
#
sysname P
#
vlan batch 10 40
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
ip address 40.1.1.1 255.255.255.0
mpls
mpls ldp
#

#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 40.1.1.0 0.0.0.255
#
return
#
sysname PE2
#
vlan batch 40 60
#
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif40
ip address 40.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
ip address 120.1.1.2 255.255.255.0
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
interface LoopBack10
ip address 6.6.6.6 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable

#
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 40.1.1.0 0.0.0.255
#
import-route bgp
domain-id 0.0.0.10
area 0.0.0.0
network 120.1.1.0 0.0.0.255
sham-link 6.6.6.6 5.5.5.5 cost 1
#
return
#
sysname CE1
#
vlan batch 20 50
#
interface Vlanif20
ip address 20.1.1.1 255.255.255.0
ospf cost 10
#
interface Vlanif50
ip address 100.1.1.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 100.1.1.0 0.0.0.255
network 20.1.1.0 0.0.0.255
#
return
#
sysname CE2
#
vlan batch 30 60
#
interface vlanif30
ip address 30.1.1.2 255.255.255.0
ospf cost 10
#
interface vlanif60
ip address 120.1.1.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0

network 30.1.1.0 0.0.0.255

network 120.1.1.0 0.0.0.255
#
return
l Configuration file of Switch

#
sysname Switch
#
vlan batch 20 30
#
interface Vlanif20
ip address 20.1.1.2 255.255.255.0
#
interface Vlanif30
ip address 30.1.1.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
3.17.11 Example for Configuring the Multi-VPN-Instance CE

As shown in Figure 3-13, the networking requirements are as follows:
l CE1, CE2, CE3 and CE4 are customer edge devices. CE1 and CE2 belong to a LAN, and
CE3 and CE4 belong to another LAN.
l PE1 and PE2 are edge devices of the backbone network.
l The MCE is a multi-VPN-instance CE located on the user network.
l CE1 and CE3 belong to vpna; CE2 and CE4 belong to vpnb.
l vpna and vpnb use different VPN targets.
It is required that users on the same VPN can access each other, but users on different VPNs
cannot access each other. In this way, services of different VPNs on the LAN are separated from
each other.

Figure 3-13 Networking diagram for configuring multi-VPN-instance CE

vpna vpna
CE1 CE3
GE1/0/0 GE1/0/0
Loopback1
2.2.2.9./32
GE1/0/0 GE3/0/0
GE2/0/0 GE1/0/0 vpna
Loopback1 GE3/0/0
MCE
1.1.1.9./32 GE1/0/0
GE3/0/0 GE2/0/0 vpnb
PE1 PE2
GE2/0/0 GE3/0/1
GE1/0/0 GE1/0/0
vpnb CE2 CE4 vpnb
Loopback1 - 1.1.1.9/32
Loopback1 - 2.2.2.9/32
MCE GigabitEthernet1/0/0 VLANIF 50 192.1.1.2/24
1. Configure OSPF between PEs to implement interworking between PEs and configure MP-
IBGP to exchange VPN routing information.

2. Set up an EBGP adjacency between PE and the connected CE to import the VPN routes to
the VPN routing table of PE.
3. Configure OSPF multi-instance between MCE and PE2 to exchange VPN routing
information. Configure RIPv2 between MCE and CE3, and between MCE and CE4, to
exchange VPN routing information.
NOTE
When configuring OSPF multi-instance between MCE and PE2, you need to perform the following
operations.
In the OSPF view of PE2, import the BGP route and advertise the VPN route of PE1 to the MCE.
The OSPF process is used by the MCE and PE2 for the configuration of OSPF multi-instance.
In the BGP view of PE2, import the OSPF route and advertise the VPN route of MCE to PE1.
The OSPF process is used by the MCE and PE2 for the configuration of OSPF multi-instance.
Data Preparation
l A VPN instance for each isolated service is created on PE1, PE2 and MCE. Note that the
VPN targets of different VPN instances differ from each other and the VPN targets of the
same VPN instance are identical.
l The OSPF data needs to be configured. For different OSPF multi-instances, the OSPF
process IDs must be different.
l The RIP processes used to import VPN routes of CE3 and CE4 to MCE need to be
configured. The RIP processes use different process IDs.
Procedure
Step 1 Run OSPF on the PEs of the backbone network.
After the configuration, PEs can learn the Loopback1 address of each other.
<PE2> display ip routing-table
------------------------------------------------------------------------------
1.1.1.9/32 OSPF 10 2 D 172.1.1.1 Vlanif30

172.1.1.0/24 Direct 0 0 D 172.1.1.2 Vlanif30
172.1.1.2/32 Direct 0 0 D 172.1.1.1 Vlanif30
Step 2 Configure the basic MPLS capability and MPLS LDP on the backbone network and set up an
LDP LSP.

After the configuration, run the display mpls ldp session command on the PEs, and you can see
that the MPLS LDP session between PEs is in Operational state.
<PE2> display mpls ldp session

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 3 Configure the VPN instance on PEs. Connect CE1 and CE2 to PE1 and connect MCE to PE2.
# Configure PE1.
<PE1> system-view
[PE1-Vlanif10] quit
[PE1-Vlanif20] quit
# Configure PE2.
<PE2> system-view


[PE2-Vlanif50] quit
[PE2]interface vlanif 40
[PE2-Vlnaif40] ip binding vpn-instance vpnb
[PE2-Vlnaif40] ip address 192.2.1.1 24
[PE2-Vlnaif40] quit
Step 4 Configure VPN instances on the MCE. Connect CE3, CE4, and PE2 to MCE.
[Quidway] sysname MCE
[MCE] vlan batch 40 50 60 70
[MCE] interface gigabitethernet 2/0/0
[MCE-GigabitEthernet2/0/0] port hybrid pvid vlan 40
[MCE-GigabitEthernet2/0/0] port hybrid untagged vlan 40
[MCE-GigabitEthernet2/0/0] quit
[MCE] ip vpn-instance vpna
[MCE-vpn-instance-vpna] route-distinguisher 100:1
[MCE-vpn-instance-vpna] vpn-target 111:1 both
[MCE-vpn-instance-vpna] quit
[MCE] ip vpn-instance vpnb
[MCE-vpn-instance-vpnb] route-distinguisher 100:2
[MCE-vpn-instance-vpnb] vpn-target 222:2 both
[MCE-vpn-instance-vpnb] quit
[MCE] interface vlanif 60
[MCE-Vlanif60] ip binding vpn-instance vpna
[MCE-Vlanif60] ip address 10.3.1.2 24
[MCE-Vlanif60] quit
[MCE-Vlanif70] ip binding vpn-instance vpnb
[MCE-Vlanif70] quit
[MCE-Vlanif50] ip binding vpn-instance vpna
[MCE-Vlanif50] quit
[MCE-Vlanif40] ip binding vpn-instance vpnb
[MCE-Vlanif40] ipaddress 192.2.1.2 24
[MCE-Vlanif40] quit
Step 5 Set up an MP-IBGP adjacency between PEs, and between PE1 and CE1. Set up an EBGP
adjacency between PE1 and CE1, and between PE1 and CE2.
After the configuration, run the display bgp vpnv4 all peer command on PE1, and you can see
that the IBGP adjacency between PE1 and PE2 is in Established state. The EBGP adjacency
between PE1 and CE1 and the EBGP adjacency between PE1 and CE2 are in Established state.


2.2.2.9 4 100 288 287 0 01:19:16 Established 6
Peer of vpn instance :

vpn instance vpna :
10.1.1.1 4 65410 9 11 0 00:04:14 Established 2
vpn instance vpnb :
10.2.1.1 4 65420 9 12 0 00:04:09 Established 2
Step 6 Configure the OSPF multi-instance between the MCE and PE2.
# Configure PE2.
<PE2> system-view
[PE2] ospf 100 vpn-instance vpna
[PE2-ospf-100] quit
[PE2] ospf 200 vpn-instance vpnb
[PE2-ospf-200] quit
[PE2] bgp 100
[PE2-bgp-vpna] import-route ospf 100
[PE2-bgp-vpna] quit
[PE2-bgp-vpnb] import-route ospf 200
[PE2-bgp-vpnb] quit
# Configure MCE.
<MCE> system-view
[MCE] ospf 100 vpn-instance vpna
[MCE-ospf-100] area 0
[MCE-ospf-100-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[MCE-ospf-100-area-0.0.0.0] quit
[MCE-ospf-100] quit
[MCE] ospf 200 vpn-instance vpnb
[MCE-ospf-200] area 0
[MCE-ospf-200-area-0.0.0.0] network 192.2.1.0 0.0.0.255
[MCE-ospf-200-area-0.0.0.0] quit
[MCE-ospf-200] quit
Step 7 Run RIPv2 between the MCE and CE3, and between the MCE and CE4.
# Configure MCE.
[MCE] rip 100 vpn-instance vpna
[MCE-rip-100] version 2
[MCE-rip-100] network 10.0.0.0
[MCE-rip-100] import-route ospf 100
[MCE-rip-100] quit
[MCE] rip 200 vpn-instance vpnb
[MCE-rip-200] version 2
[MCE-rip-200] network 10.0.0.0
[MCE-rip-200] import-route ospf 200
# Configure CE3.
[CE3] vlan batch 60


[CE3]interface vlanif 60
[CE3-Vlanif60]ip address 10.3.1.1 24
[CE3-Vlanif60] quit
[CE3] rip 100
[CE3-rip-100] version 2
[CE3-rip-100] network 10.0.0.0
[CE3-rip-100] import-route direct
# Configure CE4.
[CE4] vlan batch 70
[CE4]interface vlanif 70
[CE4-Vlanif70]ip address 10.4.1.1 24
[CE4-Vlanif70] quit
[CE4] rip 200
[CE4-rip-200] version 2
[CE4-rip-200] network 10.0.0.0
[CE4-rip-200] import-route direct
Step 8 Disable loopback detection on MCE and import RIP routes.

<MCE> system-view
[MCE] ospf 100 vpn-instance vpna
[MCE-ospf-100] vpn-instance-capability simple
[MCE-ospf-100] import-route rip 100
[MCE] ospf 200 vpn-instance vpnb
[MCE-ospf-200] vpn-instance-capability simple
[MCE-ospf-200] import-route rip 200

After the configuration, run the display ip routing-table vpn-instance command on the MCE,
and you can see the route to the peer CE.
Take vpna for example.
[MCE] display ip routing-table vpn-instance vpna
------------------------------------------------------------------------------
10.1.1.0/24 O_ASE 150 1 D 192.1.1.1 vlanif50

10.3.1.0/24 Direct 0 0 D 10.3.1.2 vlanif60
192.1.1.0/24 Direct 0 0 D 192.1.1.2 vlanif50
Run the display ip routing-table vpn-instance command on the PE, and you can see the route
to the peer CE.
Take vpna on PE1 for example.
------------------------------------------------------------------------------

10.1.1.0/24 Direct 0 0 D 10.1.1.2 vlanif10

10.3.1.0/24 BGP 255 2 RD 2.2.2.9 vlanif30
192.1.1.0/24 BGP 255 0 RD 2.2.2.9 vlanif30
CE1 and CE3 can ping each other. CE2 and CE4 can ping each other.
[CE1] ping 10.3.1.1

0.00% packet loss
CE1 cannot ping CE2 or CE4. CE3 cannot ping CE2 or CE4.
For example, if you ping CE4 from CE1, the information is displayed as follows:
[CE1] ping 10.4.1.1
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
bgp 65410
#
ipv4-family unicast
import-route direct


#
return
#
sysname CE2
#
vlan batch 20
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
#
bgp 65420
#
ipv4-family unicast
import-route direct
#
return
#
sysname PE1
#
vlan batch 10 20 30
#
#
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 10.2.1.2 255.255.255.0
#
interface Vlanif30
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#

#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
import-route direct
#
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
#
sysname PE2
#
vlan batch 30 40 50
#
#
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif30
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
ip address 192.2.1.1 255.255.255.0
#
interface Vlanif50
ip address 192.1.1.1 255.255.255.0
#

interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
#
#
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
#
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
ospf 100 vpn-instance vpna
import-route bgp
area 0.0.0.0
network 192.1.1.0 0.0.0.255
#
ospf 200 vpn-instance vpnb
import-route bgp
area 0.0.0.0
network 192.2.1.0 0.0.0.255
#
return
l Configuration file of the MCE
#
sysname MCE
#
#
#
#
interface Vlanif40
ip address 192.2.1.2 255.255.255.0
#

interface Vlanif50
ip address 192.1.1.2 255.255.255.0
#
interface Vlanif60
ip address 10.3.1.2 255.255.255.0
#
interface Vlanif70
ip address 10.4.1.2 255.255.255.0
#
#
#
#
#
ospf 100 vpn-instance vpna
import-route rip 100
area 0.0.0.0
network 192.1.1.0 0.0.0.255
#
ospf 200 vpn-instance vpnb
import-route rip 200
area 0.0.0.0
network 192.2.1.0 0.0.0.255
#
rip 100 vpn-instance vpna
version 2
network 10.0.0.0
#
rip 200 vpn-instance vpnb
version 2
network 10.0.0.0
#
return
#
sysname CE3
#
vlan batch 60
#
interface Vlanif60
ip address 10.3.1.1 255.255.255.0
#
#
rip 100
version 2
network 10.0.0.0
import-route direct

#
return

#
sysname CE4
#
vlan batch 70
#
interface Vlanif70
ip address 10.4.1.1 255.255.255.0
#
#
rip 200
version 2
network 10.0.0.0
import-route direct
#
return
3.17.12 Example for Connecting a VPN to the Internet

As shown in Figure 3-14, CE1 and CE2 on the VPN can access each other. An agent server
with the public network address is connected to CE1. Thus, users of CE1 can connect to the
Internet through this agent server. In this example, the P resides on the Internet.
Figure 3-14 Networking diagram for connecting a VPN to the Internet

1.1.1.1/32 2.2.2.2/32 3.3.3.3/32
PE1 GE1/0/0 GE1/0/0 PE2

GE2/0/0 GE2/0/0
GE1/0/0 GE2/0/0
P
Internet
GE1/0/0 AS100 GE1/0/0
GE2/0/0
CE1 Agent Server CE2

VPN1 VPN1
100.3.1.1/24
AS 65410 AS 65420

In this example, you need to configure an L3VPN, and then configure three static routes. The
configuration roadmap is as follows:
1. 3.4 Configuring Basic BGP/MPLS IP VPN.

2. Add a default route on CE1, with the next hop being PE1.
3. Add a default route on PE1 from a device on the VPN to the Internet. The IP address of the
P is the next hop address. Thus, the traffic on the agent server can reach the Internet.
4. Add a static route on PE1 from the Internet to the agent server. The IP address of CE1 is
the next hop address. Advertise the static route to the Internet through IGP. Thus, the traffic
on the Internet can reach the server connected to CE1.
Data Preparation

l RD of the VPN
l VPN targets of the received and sent routes
Procedure
Step 1 Configure VLANs that the interfaces belong to, as shown in Figure 3-14.
Step 2 Configure the IGP protocol.
Assign IP addresses to the physical interfaces and loopback interfaces on the backbone network.
Run IGP on each device on the backbone network so that PE1, P and PE2 can ping each other
and learn the loopback address of each other. The detailed configuration is not mentioned here.
Step 3 Set up MPLS LDP LSPs and MP-IBGP adjacencies.
Set up an MPLS LSP and an MP-IBGP adjacency between the PEs. The detailed configuration
is not mentioned here.
After the configuration, run the display mpls ldp session command on P, and you can find that
the LDP sessions between PE1 and P, and between PE2 and P are in Operational state.
Take the display on P for example.

<P> display mpls ldp session

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Run the display bgp vpnv4 all peer command on the PEs, and you can find that the MP-IBGP
adjacency is in Established state. Take PE1 for example.
<PE1> display bgp vpnv4 all peer


3.3.3.3 4 100 6 8 0 00:03:48 Established 2
Step 4 Create VPN instances and set up EBGP adjacencies.
Create VPN 1 on the PEs and bind VPN 1 to the interfaces connected to CEs. Set up EBGP
adjacencies between PE1 and CE1 and between PE2 and CE2 to import routes of the CEs to the
PEs. The detailed configuration is not mentioned here.
After the configuration, run the display ip vpn-instance command on the PEs, and you can find
VPN 1 is displayed in the VPN-Instance Name field.

[PE1] display ip vpn-instance
VPN-Instance Name RD Creation Time
vpn1 100:1 2010/01/16 17:30:42 UTC-0
8:00
Run the display bgp vpnv4 all peer command on the PEs, and you can see that the IBGP and
EBGP adjacencies are in Established state.

3.3.3.3 4 100 127 134 0 01:39:44 Established 2
vpn instance vpn1 :
10.1.1.1 4 65410 107 110 0 01:26:33 Established 3
Step 5 Configure the static route to enable VPN users to access the public network.
# Add a default route on CE1 with the next hop being PE1.
<CE1> system-view
# Configure PE1.

# Configure a default route from the agent server of the VPN to the Internet. The next hop is P.
Specify the address of the next hop as a public network address. That is, add the keyword
public to the right of the next hop address in the command.
<PE1> system-view
[PE1] ip route-static vpn-instance vpn1 0.0.0.0 0 100.1.1.2 public
NOTE
If the CE and PE are connected through the Ethernet, you must specify the next hop.
# Configure a static route from the Internet to the agent server. The next hop is CE1.
[PE1] ip route-static 100.3.1.1 24 vpn-instance vpn1 10.1.1.1
# Advertise the static route from PE1 to the agent server to the Internet through IGP.
[PE1] ospf 1
[PE1-ospf-1] import-route static
# Configure the agent server. Set the IP address of the agent server to 100.3.1.1/24. Specify CE1
as the default gateway (100.3.1.2/24) of the agent server. In addition, the agent software should
be run on the agent server.
Run the display ip routing-table vpn-instance command on PE1, and you can see that a default
route exists in the routing table of VPN 1. The next hop address is 100.1.1.2 and the outgoing
interface is Vlanif10.
------------------------------------------------------------------------------
0.0.0.0/0 Static 60 0 RD 100.1.1.2 Vlanif10
10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif30
10.2.1.0/24 BGP 255 0 RD 3.3.3.3 Vlanif10
100.3.1.1/32 BGP 255 0 D 10.1.1.1 Vlanif30
Run the display ip routing-table command on PE1, and you can see the route destined for the
agent in the routing table of the public network. The next hop address is 10.1.1.1.
------------------------------------------------------------------------------
2.2.2.2/32 OSPF 10 2 D 100.1.1.2 Vlanif10
3.3.3.3/32 OSPF 10 3 D 100.1.1.2 Vlanif10
100.1.1.0/24 Direct 0 0 D 100.1.1.1 Vlanif10
100.2.1.0/24 OSPF 10 2 D 100.1.1.2 Vlanif10
100.3.1.0/24 Static 60 0 D 10.1.1.1 Vlanif30
P can ping the agent server.

[P] ping 100.3.1.1


0.00% packet loss
The agent server can access the P on the Internet.
----End
Configuration Files
#
sysname CE1
#
vlan batch 30 50
#
interface Vlanif30
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif50
ip address 100.3.1.2 255.255.255.0
#
#
#
bgp 65410
#
ipv4-family unicast
import-route direct
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
#
return

#
sysname PE1
#
vlan batch 10 30
#
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#

interface Vlanif10
ip address 100.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 10.1.1.2 255.255.255.0
#
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
import-route static
import-route direct
#
ospf 1
import-route static
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 100.1.1.0 0.0.0.255
#
ip route-static 100.3.1.0 255.255.255.0 Vlanif30 10.1.1.1
ip route-static vpn-instance vpn1 0.0.0.0 0.0.0.0 100.1.1.2 public
#
return
#
sysname P
#
vlan batch 10 20
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif10
ip address 100.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif20
ip address 100.2.1.1 255.255.255.0
mpls
mpls ldp
#


#
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 100.1.1.0 0.0.0.255
network 100.2.1.0 0.0.0.255
#
ip route-static 100.3.1.0 255.255.255.0 100.1.1.1
#
return
#
sysname PE2
#
vlan batch 20 40
#
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface Vlanif20
ip address 100.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
ip address 10.2.1.2 255.255.255.0
#
#
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#

import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 100.2.1.0 0.0.0.255
#
return

#
sysname CE2
#
vlan batch 40
#
interface Vlanif 40
ip address 10.2.1.1 255.255.255.0
#
#
bgp 65420
#
ipv4-family unicast
import-route direct
#
return
3.17.13 Example for Configuring CE Dual-Homing

With the development of telecommunication services, diverse telecommunication services will
be uniformly carried by IP networks. The deployment of 3G/NGN services, IPTV media stream
services, and VPN services of VIP customers requires high reliability of networks. In addition
to the reliability of network devices, you also need to take the link reliability and network
reliability into consideration. You can adopt mechanisms such as fast convergence of routes,
fault detection, fast reroute, and backup to improve the reliability.
At the access layer, CE dual-homing is a common network structure for improving the network
reliability. If a CE is connected to two PEs on the same VPN, it is considered as CE dual-homing.
In this case, the CE accesses the backbone network through two links that are used for load
balancing or function as primary and backup links.
As shown in Figure 3-15, CE1 is deployed in site1 on VPN1 and CE2 is deployed in site2 on
VPN2. CE1 is dual-homed to PE1 and PE2; CE2 is dual-homed to PE3 and PE4.
If too much traffic is transmitted from CE1 to CE2 but less traffic is transmitted from CE2 to
CE1, you can enable load balancing for the traffic transmitted from CE1 to CE2 and specify that
traffic is transmitted from CE2 to CE1 through PE4. In this case, PE3 functions as the backup
device.

Figure 3-15 Networking of CE dual-homing

VPN backbone
AS 100
GE2/0/0 GE2/0/0
GE1/0/0 GE1/0/0 GE1/0/0 GE2/0/0
CE1
PE1 P1 PE3
GE1/0/0 GE1/0/0
CE2
GE2/0/0
GE3/0/0 PE2 P2 GE2/0/0
GE3/0/0
GE2/0/0 GE2/0/0
GE1/0/0 GE1/0/0 GE2/0/0
GE1/0/0
vpn1 site1 PE4 vpn1 site2
Loopback1 Loopback1 AS 65420
AS 65410
Loopback1
Device Interface VLANIF Interface IPv4 Address
PE1 Loopback1 - 1.1.1.1/32
GE1/0/0 VLANIF 101 10.1.1.2/30
GE2/0/0 VLANIF 10 100.1.1.1/30
PE2 Loopback1 - 2.2.2.2/32
GE1/0/0 VLANIF 102 10.2.1.2/30
GE2/0/0 VLANIF 20 100.2.1.1/30
P1 Loopback1 - 5.5.5.5/32
GE1/0/0 VLANIF 10 100.1.1.2/30
GE2/0/0 VLANIF 30 100.3.1.1/30
P2 Loopback1 - 6.6.6.6/32
GE1/0/0 VLANIF 20 100.2.1.2/30
GE2/0/0 VLANIF 40 100.4.1.1/30
PE3 Loopback1 - 3.3.3.3/32
GE1/0/0 VLANIF 30 100.3.1.2/30
GE2/0/0 VLANIF 103 10.3.1.1/30
PE4 Loopback1 - 4.4.4.4/32
GE1/0/0 VLANIF 40 100.4.1.2/30
GE2/0/0 VLANIF 104 10.4.1.1/30
CE1 GE1/0/0 VLANIF 101 10.1.1.1/30
GE2/0/0 VLANIF 102 10.2.1.1/30
GE3/0/0 VLANIF 1001 1.5.1.1/24

CE2 GE1/0/0 VLANIF 103 10.3.1.2/30
GE2/0/0 VLANIF 104 10.4.1.2/30
GE3/0/0 VLANIF 1002 1.6.1.1/24
1. Configure BGP/MPLS IP VPN.

2. In the BGP view of CE1, enable load balancing for the traffic transmitted from CE1 to CE2.
3. Increase the MED value of the BGP-VPN route on PE3. In this way, CE2 selects PE4 as
the next hop to CE1.
Data Preparation
l MPLS LSR-IDs of PEs and P devices

l VPN instances created on PE1 and PE2
l AS numbers of CE1 and CE2
Procedure
Step 1 Configure VLANs to which the interfaces belong according to Figure 3-15.
The configuration details are not mentioned here.
Step 2 Configure IGP on the MPLS backbone network so that PEs and P devices can interwork with
each other.
# Configure PE1.
# Assign IP addresses to interfaces. The IP address of a loopback interface must have a 32-bit
mask.
<PE1> system-view
[PE1-Vlanif10] quit
# Configure IS-IS to advertise routes on interfaces.

[PE1] isis 1
[PE1-isis-1] quit
[PE1-Vlanif10] quit

The configurations of PE2, PE3, PE4, P1, and P2 are the same as the configuration of PE1, and
After the configuration, run the display ip routing-table command, and you can view that PE1
and PE3 can learn the loopback1 route of each other and PE2 and PE4 can learn the loopback1
route of each other.
For example, information about PE1 is displayed as follows:

3.3.3.3/32 ISIS 15 20 D 100.1.1.2 Vlanif10
5.5.5.5/32 ISIS 15 10 D 100.1.1.2 Vlanif10
100.1.1.0/30 Direct 0 0 D 100.1.1.1 Vlanif10
100.3.1.0/30 ISIS 15 20 D 100.1.1.2 Vlanif10
Step 3 Configure basic MPLS functions and MPLS LDP, and set up LDP LSPs on the MPLS backbone
network.
# Configure PE1.
# Enable MPLS and LDP, specify the LSR ID as the IP address of the loopback interface, and
trigger setup of LSPs.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
# Enable MPLS and LDP on interfaces on the backbone network.

[PE1-Vlanif10] mpls
[PE1-Vlanif10] quit
# The configurations of PE2, PE3, PE4, P1, and P2 are the same as the configuration of PE1,
and are not mentioned here.
After the configuration, LDP sessions must be set up between PE1 and the P device, and between
PE2 and the P device. Run the display mpls ldp session command, and you can view that the
LDP sessions are in Operational state. Run the display mpls ldp lsp command, and you can
view status of LDP LSPs.

------------------------------------------------------------------------------
------------------------------------------------------------------------------


------------------------------------------------------------------------------
<PE1> display mpls ldp lsp
LDP LSP Information

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
1.1.1.9/32 3/NULL 5.5.5.5 127.0.0.1 InLoop0
3.3.3.9/32 NULL/1025 - 10.1.1.2 Vlanif10
3.3.3.9/32 1025/1025 5.5.5.5 10.1.1.2 Vlanif10
5.5.5.5/32 NULL/3 - 10.1.1.2 Vlanif10
5.5.5.5/32 1024/3 5.5.5.5 10.1.1.2 Vlanif10
-----------------------------------------------------------------------------
Step 4 Create VPN instances on PEs and connect CEs to PEs.

# Configure PE1.
# Create a VPN instance, and specify the RD and VPN target. The VPN targets of PE1 and the
MP-BGP peer PE must match each other to implement mutual access of sites on the same VPN.

# Bind the interfaces connected to CEs to the corresponding VPNs and assign IP addresses to
these interfaces.
# Configure PE2.
# Create a VPN instance, and specify the RD and VPN target. The VPN targets of PE2 and the

# Bind the interfaces connected to CEs to the corresponding VPNs.

# Configure PE3.
# Create a VPN instance and specify the RD and VPN target. The VPN targets of PE3 and the


these interfaces.
# Configure PE4.
# Create a VPN instance and specify the RD and VPN target. The VPN targets of PE4 and the
MP-BGP peer PE to implement mutual access of sites on the same VPN.
these interfaces.
# Assign IP addresses to the interfaces on CEs according to Figure 3-15. The configuration
details are not mentioned here.
# After the configuration, run the display ip vpn-instance verbose command on PEs, and you
can view configuration results of VPN instances.
<PE1> display ip vpn-instance verbose
VPN-Instance Name and ID : vpn1, 1

Create date : 2006/10/14 18:12:43 UTC-08:00
Log Interval : 5
Step 5 Configure EBGP between PEs and CEs to import VPN routes.
# Configure CE1.
# Enable BGP, specify PE1 and PE2 as EBGP peers, and import direct routes.
[CE1] bgp 65410
[CE1-bgp] quit
# Configure PE1.
# Enable BGP.

[PE1] bgp 100
# In the BGP-VPN instance view, specify CEs as EBGP peers and import direct routes.
[PE1-bgp-vpn1] quit
# Configure PE2.
# Enable BGP.
[PE2] bgp 100
[PE2-bgp-vpn1] quit
# Configure CE2.
# Enable BGP, specify PE3 and PE4 as EBGP peers, and import direct routes.
[CE2] bgp 65420
[CE2-bgp] quit
# Configure PE3.
# Enable BGP.
[PE3] bgp 100
[PE3-bgp-vpn1] quit
# Configure PE4.
# Enable BGP.
[PE4] bgp 100
# In the BGP-IPv4 instance view, specify CEs as EBGP peers and import direct routes.
[PE4-bgp-vpn1] quit
After the configuration, run the display bgp vpnv4 vpn-instance vpn-instance-name peer
command on PEs, and you can view that BGP peer relationships are set up between PEs and
CEs and are in Established state. Each PE can ping its connected CE.
[PE1] display bgp vpnv4 vpn-instance vpn1 peer


10.1.1.1 4 65410 408 435 0 06:16:09 Established 5
<PE1> ping -vpn-instance vpn1 10.1.1.1

PING 10.1.1.1 : 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1
bytes=56 Sequence=1 hop limit=64 time = 15 ms
Reply from 10.1.1.1
Reply from 10.1.1.1
Reply from 10.1.1.1
Reply from 10.1.1.1

0.00% packet loss
Step 6 Set up MP-IBGP peer relationships between PEs.
# Configure PE1.
# Specify PE3 as the IBGP peer of PE1 and set up an IBGP connection through the loopback
interface.
[PE1] bgp 100
# In the VPNv4 address family view, enable the capability of exchanging VPN-IPv4 routing
information between PE1 and PE3.
# Configure PE3.
interface.
[PE3] bgp 100
# Configure PE2.
interface.
[PE2] bgp 100

# Configure PE4.
interface.
[PE4] bgp 100
After the configuration, run the display bgp vpnv4 all peer command on PEs, and you can view
that BGP peer relationships are set up between PEs and are in Established state.
3.3.3.3 4 100 70 81 0 01:00:23 Established 3
vpn instance vpn1 :

10.1.1.1 4 65410 16 12 0 00:06:42 Established 3
Step 7 On CE1, enable load balancing for the traffic transmitted from CE1 to CE2.
[CE1] bgp 65410
[CE1-bgp] ipv4-family unicast
[CE1-bgp-af-ipv4] maximum load-balancing 2
Step 8 Configure a routing policy and increase the MED value of the BGP route that is advertised to
CE2 by PE3. In this manner, traffic is transmitted from CE2 to CE1 through PE4. In this case,
PE3 functions as the backup device.
[PE3] route-policy policy1 permit node 10
[PE3-route-policy] apply cost 120
[PE3-route-policy] quit
[PE3] bgp 100
[PE3-bgp-vpn1] peer 10.3.1.2 route-policy policy1 export

If the configurations are successful:
Run the display ip routing-table command on CE1, and you can view the route to CE2 and that
traffic is transmitted in load balancing mode.

------------------------------------------------------------------------------

1.5.1.0/24 Direct 0 0 D 1.5.1.1 Vlanif1001

1.6.1.0/24 BGP 255 0 D 10.1.1.2 Vlanif101
BGP 255 0 D 10.2.1.2 Vlanif102
10.1.1.0/30 Direct 0 0 D 10.1.1.1 Vlanif101
10.2.1.0/30 Direct 0 0 D 10.2.1.1 Vlanif102
10.3.1.0/30 BGP 255 0 D 10.1.1.2 Vlanif101
10.4.1.0/30 BGP 255 0 D 10.2.1.2 Vlanif102
----End
Configuration Files
#
sysname CE1
#
vlan batch 101 102 1001
#
interface Vlanif101
ip address 10.1.1.1 255.255.255.252
#
interface Vlanif102
ip address 10.2.1.1 255.255.255.252
#
interface Vlanif1001
ip address 1.5.1.1 255.255.255.0
#
#
#
#
bgp 65410
#
ipv4-family unicast
import-route direct
maximum load-balancing 2
#
return

#
sysname PE1
#
vlan batch 10 101
#
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0001.00
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif101
ip address 10.1.1.2 64
#
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
isis enable 1
#
bgp 100
#
ipv4-family unicast
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
import-route direct
#
return
#
sysname PE2
#
vlan batch 20 102
#
#
mpls lsr-id 2.2.2.2

mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0002.00
#
interface Vlanif20
ip address 100.2.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif102
ip address 10.2.1.2 255.255.255.252
#
#
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
isis enable 1
#
bgp 100
#
ipv4-family unicast
peer 4.4.4.4 enable
#
ipv4-family vpnv4
policy vpn-target
peer 4.4.4.4 enable
#
import-route direct
#
return
l Configuration file of P1
#
sysname P1
#
vlan batch 10 30
#
mpls lsr-id 5.5.5.5
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0005.00
#
interface Vlanif 10
ip address 100.1.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif 30
ip address 100.3.1.1 255.255.255.252
isis enable 1

mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 5.5.5.5 255.255.255.255
isis enable 1
#
return
#
sysname P2
#
vlan batch 20 40
#
mpls lsr-id 6.6.6.6
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0006.00
#
interface Vlanif20
ip address 100.2.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif40
ip address 100.4.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 6.6.6.6 255.255.255.255
isis enable 1
#
return
sysname PE3
#
vlan batch 30 103
#
#
mpls lsr-id 3.3.3.3
mpls
#

mpls ldp
#
isis 1
network-entity 10.0000.0000.0003.0
#
interface Vlanif30
ip address 100.3.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif 103
ip address 10.3.1.1 255.255.255.252
#
#
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
isis enable 1
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
peer 10.3.1.2 route-policy policy1 export
import-route direct
#
route-policy policy permit node 10
apply cost 120
#
return
#
sysname PE4
#
vlan batch 40 104
#
#
mpls lsr-id 4.4.4.4
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0004.00\
#
interface Vlanif40
ip address 100.4.1.2 255.255.255.252

isis enable 1
mpls
mpls ldp
#
ip address 10.4.1.1. 255.255.255.252
#
#
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
isis enable 1
#
bgp 100
#
ipv4-family unicast
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
#
import-route direct
#
return
#
sysname CE2
#
vlan batch 103 104 1002
#
ip address 10.3.1.2 255.255.255.252
#
ip address 10.4.1.2 255.255.255.252
#
ip address 1.6.1.1 255.255.255.0
#
#
#
#
bgp 65420
router-id 20.20.20.20
peer 10.4.1.1. as-number 100
#

ipv4-family unicast
import-route direct
peer 10.4.1.1. enable
#
return
3.17.14 Example for Configuring VPN FRR

As shown in Figure 3-16, you need to configure the backup next hop on PE1 to configure PE3
as a backup of PE2. When a fault occurs to PE2, traffic can be switched to PE3 quickly.
Figure 3-16 Networking diagram for configuring VPN FRR
Loopback1
VPN backbone 2.2.2.2/32
PE2
AS100 GE2/0/0
GE1/0/0 vpn1 site
GE2/0/0 GE1/0/0
Link_A
AS65410
PE1 CE1
Loopback1 Link_B GE3/0/0
1.1.1.1/32 GE3/0/0 GE2/0/0
GE1/0/0 GE2/0/0
PE3
Loopback1
3.3.3.3/32
Loopback1 - 1.1.1.1/32
Loopback1 - 2.2.2.2/32
Loopback1 - 3.3.3.3/32

1. Configure OSPF on the backbone routers (PE1, PE2, and PE3) to implement interworking
of these backbone routers.
2. Enable MPLS capability on the MPLS backbone and establish an LDP LSP.
3. Configure a VPN instance on PE1, PE2, and PE3 and connect CE1 to PE2 and PE3.
4. Establish EBGP adjacencies between the PEs and CE1 and import VPN routes. Establish
MP-IBGP adjacencies between the PEs.
5. On PE1, configure a routing policy for VPN FRR, configure the backup next hop, and
enable VPN FRR. If the VPN FRR is not required, run the undo vpn frr command to
disable this function.
Data Preparation
l Name of VPN instance, RD, and VPN target (111:1) on PE
l Name of the routing policy on PE1 and IP prefix
Procedure
Step 1 Configure the VLAN on each interface. The configuration procedure is not given here.
Step 2 Configure IP addresses of interfaces on the VPN backbone network and VPN sites. The
configuration procedure is not mentioned here.
Step 3 Configure OSPF on the MPLS backbone network to implement interworking of the PEs. The
LDP LSPs.
# Configure PE1.
<PE1> system-view
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif10] mpls
[PE1-Vlanif10] quit
[PE1-Vlanif30] mpls
[PE1-Vlanif30] quit
# Configure PE2.
<PE2> system-view
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp

[PE2-mpls-ldp] quit
[PE2-Vlanif10] mpls
[PE2-Vlanif10] quit
# Configure PE3.
<PE3> system-view
[PE3] mpls
[PE3-mpls] quit
[PE3] mpls ldp
[PE3-mpls-ldp] quit
[PE3-Vlanif30] mpls
[PE3-Vlanif30] quit
Run the display mpls lsp command on the PEs, and you can see that LSPs are established
between PE1 and PE2 and between PE1 and PE3. Take PE1 for example.
[PE1] display mpls lsp
----------------------------------------------------------------------
LSP Information: LDP LSP
----------------------------------------------------------------------
FEC In/Out Label In/Out IF Vrf Name
3.3.3.3/32 NULL/1025 -/Vlanif30
1.1.1.1/32 1024/NULL -/-
3.3.3.3/32 1025/1025 -/Vlanif30
2.2.2.2/32 NULL/1026 -/Vlanif10
2.2.2.2/32 1027/1026 -/Vlanif10
# Configure PE1.
# Configure PE2.
[PE2-Vlanif20] quit
# Configure PE3.
[PE3-Vlanif40] quit
Step 6 Import direct VPN routes to PE1. Create EBGP adjacencies between PE2 and CE and between
PE3 and CE to import VPN routes.
# Configure PE1.

[PE1] bgp 100

[PE1-bgp-vpn1] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp-vpn1] quit
# Configure PE3.
[PE3] bgp 100
[PE3-bgp-vpn1] quit
# Configure CE.
<CE> system-view
[CE] bgp 65410
[CE-bgp] peer 10.1.1.2 as-number 100
[CE-bgp] peer 10.2.1.2 as-number 100
[CE-bgp] import-route direct
[CE-bgp] network 10.3.1.0 24
[CE-bgp] quit
Run the display bgp vpnv4 all peer command on PE2 and PE3, and you can see that EBGP
adjacencies are established between PEs and CE.


vpn instance vpn1 :
10.1.1.1 4 65410 46 46 0 00:37:41 Established 5
Step 7 Set up an MP-IBGP adjacency between the PEs.

# Configure PE1.
[PE1] bgp 100
# Configure PE2.
[PE2] bgp 100

# Configure PE3.
[PE3] bgp 100
Run the display bgp vpnv4 all peer command on the PEs, and you can see that MP-IBGP
adjacencies are established between PEs.


2.2.2.2 4 100 20 17 0 00:13:26 Established 5

3.3.3.3 4 100 24 19 0 00:17:18 Established 5
Step 8 Configure routing policy for VPN FRR.

[PE1] ip ip-prefix vpn_frr_list permit 2.2.2.2 32
[PE1] route-policy vpn_frr_rp permit node 10
[PE1-route-policy] if-match ip next-hop ip-prefix vpn_frr_list
[PE1-route-policy] apply backup-nexthop 3.3.3.3
Step 9 Enable VPN FRR.

[PE1-vpn-instance-vpn1] vpn frr route-policy vpn_frr_rp
# View the backup next hop, backup label, and backup tunnel ID.
<PE1> display ip routing-table vpn-instance vpn1 10.3.1.0 verbose
Routing Table : vpn1
Summary Count : 1
Tag: 0 Priority: 0
TunnelID: 0x10002
BkNextHop: 3.3.3.3 BkInterface:
BkLabel: 11264 SecTunnelID: 0x0
BkPETunnelID: 0x10001 BkPESecTunnelID: 0x0
Step 10 To disable VPN FRR, run the undo vpn frr command.
[PE1-vpn-instance-vpn1] undo vpn frr
# After disabling VPN FRR, view the backup next hop, backup label, and backup tunnel ID.
----End

Configuration Files
#
sysname PE1
#
vlan batch 10 30
#
vpn frr route-policy vpn_frr_rp
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.252
mpls
mpls ldp
#
interface Vlanif30
ip address 100.2.1.1 255.255.255.252
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 2.2.2.2 enable
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
peer 3.3.3.3 enable
#
import-route direct
#
ospf 1
area 0.0.0.0
network 100.1.1.0 0.0.0.3
network 100.2.1.0 0.0.0.3
network 1.1.1.1 0.0.0.0
#
ip ip-prefix vpn_frr_list permit 2.2.2.2 32
#
route-policy vpn_frr_rp permit node 10

if-match ip next-hop ip-prefix vpn_frr_list

apply backup-nexthop 3.3.3.3
#
return
#
sysname PE2
#
vlan batch 10 20
#
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface vlanif 10
ip address 100.1.1.2 255.255.255.252
mpls
mpls ldp
#
interface vlanif 20
ip address 10.1.1.2 255.255.255.252
#
#
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
import-route direct
#
ospf 1
area 0.0.0.0
network 100.1.1.0 0.0.0.3
network 2.2.2.2 0.0.0.0
#
return
#
sysname PE3
#
vlan batch 30 40

#
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface Vlanif 30
ip address 100.2.1.2 255.255.255.252
mpls
mpls ldp
#
interface Vlanif 40
ip address 10.2.1.2 255.255.255.252
#
#
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
import-route direct
#
ospf 1
area 0.0.0.0
network 100.2.1.0 0.0.0.3
network 3.3.3.3 0.0.0.0
#
Return
l Configuration file of CE
#
sysname CE
#
vlan batch 20 40 50
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.252
#
interface Vlanif40
ip address 10.2.1.1 255.255.255.252
#
interface Vlanif50
ip address 10.3.1.1 255.255.255.0
#

#
#
#
bgp 65410
#
ipv4-family unicast
network 10.3.1.0 255.255.255.0
import-route direct
#
return
3.17.15 Example for Configuring VPN GR
CE1 and CE2 are deployed on the same VPN. As backbone network devices, PE1, P device,
and PE2 are connected through IS-IS in the same AS. CE1 is connected to PE1, between which
BGP is run; CE2 is connected to PE2, between which OSPF is run, as shown in Figure 3-17.
Figure 3-17 Networking of VPN GR

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE2/0/0 GE1/0/0
VLANIF 20 VLANIF 30
100.1.1.1/30 100.2.1.2/30
PE1 PE2
GE1/0/0 GE2/0/0
GE1/0/0 GE2/0/0
VLANIF 20 P VLANIF 30
VLANIF 10 VLANIF 40
100.1.1.2/30 100.2.1.1/30
10.1.1.2/30 10.2.1.2/30
GE1/0/0 GE1/0/0
VLANIF 10 VLANIF 40
10.1.1.1/30 10.2.1.1/30
CE1 CE2

1. Configure BGP/MPLS IP VPN.
2. Configure IGP GR of the backbone network.
3. Configure MPLS LDP GR of the backbone network.
4. Configure GR of routing protocols between PEs and CEs.
5. Configure BGP GR.
Data Preparation
l VPN instance name, Router Distinguisher (RD), and VPN target
l Interval for IS-IS to reestablish GR sessions (this example retains the default value, that is,
300 seconds)
l Time for reestablishing MPLS LDP sessions (this example retains the default value, that
is, 300 seconds) and value of the neighbor-liveness timer (this example retains the default
value, that is, 600 seconds)
l BGP-allowed maximum interval for the peer end to reestablish GR sessions (this example
retains the default value, that is, 150 seconds)
l Time for waiting for End-of-RIB messages (this example retains the default value, that is,
600 seconds)
l Data of the routing protocols between PEs and CEs (in this example, BGP is run between
CE1 and PE1 and OSPF is run between CE2 and PE2)
l Data required for configuring IGP of the backbone network (this example uses IS-IS)
Procedure
Step 1 Create VLANs and add interfaces to the VLANs.
# Configure PE1.

# The configurations of the P device, PE2, CE2, and CE1 are the same as the configuration of
PE1, and are not mentioned here.
Step 2 Configure BGP/MPLS IP VPN of the backbone network.
Use IS-IS as the IGP protocol of the backbone network, enable LDP between PE1 and PE2, and
set up MP-IBGP peer relationships.
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] isis 1
[PE1-isis-1] quit
[PE1-Vlanif20] mpls
[PE1-Vlanif20] quit
[PE1] bgp 100
[PE1-bgp] quit
# Configure the P device.

[P-LoopBack1] quit
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] isis 1
[P-isis-1] network-entity 10.0000.0000.0002.00
[P-isis-1] quit
[P-LoopBack1] isis enable 1
[P-LoopBack1] quit
[P-Vlanif20] mpls
[P-Vlanif20] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
# Configure PE2.


[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] isis 1
[PE2-isis-1] quit
[PE2-Vlanif30] mpls
[PE2-Vlanif30] quit
[PE2] bgp 100
[PE2-bgp] quit
After the configuration, run the display mpls ldp session command on PE1 or PE2, and you
can view that the LDP session is set up and is in Operational state. Run the display bgp vpnv4
all peer command, and you can view that the BGP peer relationship is set up and is in Established
state. Run the display isis peer command, and you can view that the IS-IS neighbor relationship
is set up and is in Up state.
Step 3 Create VPN instances and configure CEs to access these instances.
Create a VPN instance of VPN1 on PE1 and configure CE1 to access the instance; create a VPN
instance of VPN1 on PE2 and configure CE2 to access the instance. Then configure EBGP
between CE1 and PE1 and configure OSPF between CE2 and PE2.
# Configure CE1.
[CE1-Vlanif10] quit
[CE1] bgp 65410
[CE1-bgp] quit
# Configure PE1.
[PE1-Vlanif10] quit
[PE1] bgp 100
[PE1-bgp-vpn1] quit
[PE1-bgp] quit
# Configure PE2.


[PE2-Vlanif40] quit
[PE2-ospf-2] area 0
[PE2-ospf-2] quit
[PE2] bgp 100
[PE2-bgp-vpn1] quit
[PE2-bgp] quit
# Configure CE2.
[CE2-Vlanif40] quit
[CE2] ospf 2
[CE2-ospf-2] area 0
[CE2-ospf-2] import-route direct
[CE2-ospf-2] quit
The configuration of BGP/MPLS IP VPN is complete. CE1 can communicate with CE2.
Step 4 Configure IGP GR of the backbone network.
Configure IGP GR on PE1, P device, and PE2 on the backbone network.
# Configure PE1.
[PE1] isis 1
[PE1-isis-1] graceful-restart
[PE1-isis-1] quit

[P] isis 1
[P-isis-1] graceful-restart
[P-isis-1] quit
# Configure PE2.
[PE2] isis 1
[PE2-isis-1] graceful-restart
[PE2-isis-1] quit
Run the display isis graceful-restart status command on PE1, P device, and PE2, and you can
view that IS-IS GR is configured successfully.
[PE1] display isis graceful-restart status
Restart information for ISIS(1)

-------------------------------

SA Bit Supported



SA Bit Supported
Step 5 Configure MPLS LDP GR of the backbone network.

Configure MPLS LDP GR on PE1, P device, and PE2 on the backbone network.
# Configure PE1.
[PE1] mpls ldp
[PE1-mpls-ldp] graceful-restart
[PE1-mpls-ldp] quit

[P] mpls ldp
[P-mpls-ldp] graceful-restart
[P-mpls-ldp] quit
# Configure PE2.
[PE2] mpls ldp
[PE2-mpls-ldp] graceful-restart
[PE2-mpls-ldp] quit
Step 6 Configure GR of routing protocols between PEs and CEs.

Configure BGP GR for BGP between PE1 and CE1 and configure OSPF GR for OSPF between
PE2 and CE2
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] graceful-restart
[PE1-bgp] quit
# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] graceful-restart
[CE1-bgp] quit
# Configure PE2.
[PE2-ospf-2] graceful-restart
[PE2-ospf-2] quit
# Configure CE2.
[CE2] ospf 2
[CE2-ospf-2] opaque-capability enable
[CE2-ospf-2] graceful-restart
[CE2-ospf-2] quit
Run the display ospf brief command on PE2 or CE2, and you can view that OSPF GR is
configured successfully.
[PE2] display ospf brief

OSPF Protocol Information
RouterID: 10.2.1.2 Border Router: AREA AS

ECA-route-type: 0x0306
Route Tag: 3489661028
PE Router, Multi-VPN-Instance is enabled
Opaque Capable
Graceful-restart capability: planned and un-planned, totally
Helper support capability : enabled
filter capability : disabled
policy capability : strict lsa check, planned and un-planned
Applications Supported: MPLS Traffic-Engineering
Spf-schedule-interval: 5s
Default ASE parameters: Metric: 1 Tag: 1 Type: 2
Route Preference: 10
ASE Route Preference: 150
SPF Computation Count: 8
RFC 1583 Compatible
Retransmission limitation is disabled
SendPacket Peak-Control: (Disabled)
Area Count: 1 Nssa Area Count: 0
ExChange/Loading Neighbors: 0
Area: 0.0.0.0 (MPLS TE not enabled)

Authtype: None Area flag: Normal
SPF scheduled Count: 8
ExChange/Loading Neighbors: 0
Interface: 10.2.1.2 (Vlanif40)

Cost: 1 State: BDR Type: Broadcast MTU: 1500
Priority: 1
Designated Router: 10.2.1.1
Backup Designated Router: 10.2.1.2
Timers: Hello 10 , Dead 40 , Poll 120 , Retransmit 5 , Transmit Delay 1
Step 7 Configure BGP GR on PE2.

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] graceful-restart
[PE2-bgp] quit
Run the display bgp vpnv4 all peer verbose command on PE1, and you can view that IBGP
GR between PE1 and PE2 and EBGP GR between PE1 and CE1 are configured successfully.
[PE1] display bgp vpnv4 all peer verbose

Type: IBGP link
Update-group ID : 1
BGP current event: RecvKeepalive


VPNv4 (was preserved)
Address family VPNv4: advertised and received
Update messages 9
Open messages 1
Refresh messages 0
Update messages 5
Open messages 1
Refresh messages 0
Connect-interface has been configured
VPN instance: vpn1

Type: EBGP link
Update-group ID : 1
BGP current event: KATimerExpired
Update messages 4
Open messages 1
Refresh messages 0
Update messages 9
Open messages 1
Refresh messages 0



# Run the display switchover state command on PE1, and you can view the slave board status.
For example, information is displayed as follows:
Slot 5 HA FSM State (master): The slave has been inserted.
Perform active/standby switchover on PE1.

[PE1] slave switchover
Warning: This operation will switch the slave board to the master board. Continu
e?[Y/N]:y
You can view that the communication between CE1 and CE2 is not interrupted.
NOTE
If two or more neighboring devices among CE1, PE1, PE2, and CE2 perform active/standby switchover,
the current communication may be interrupted.
----End
Configuration Files
#
sysname PE1
#
vlan batch 10 20
#
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
graceful-restart
#
isis 1
graceful-restart
network-entity 10.0000.0000.0001.00
#
interface Vlanif 10
ip address 10.1.1.2 255.255.255.252
#
interface Vlanif 20
ip address 100.1.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
#

#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
isis enable 1
#
bgp 100
graceful-restart
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
import-route direct
#
return
l Configuration file of the P device
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
graceful-restart
#
isis 1
network-entity 10.0000.0000.0002.00
graceful-restart
#
interface Vlanif 20
ip address 100.1.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif 30
ip address 100.2.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
isis enable 1
#
return
#
sysname PE2
#
vlan batch 30 40
#


#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
graceful-restart
#
isis 1
graceful-restart
network-entity 10.0000.0000.0003.00
#
interface Vlanif 30
ip address 100.2.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif 40
ip address 10.2.1.2 255.255.255.252
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
isis enable 1
#
bgp 100
graceful-restart
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
import-route ospf 2
import-route direct
#
graceful-restart
import-route bgp
area 0.0.0.0
network 10.2.1.0 0.0.0.3
#
return
#
sysname CE1
#
vlan batch 10
#
interface Vlanif 10
ip address 10.1.1.1 255.255.255.252
#
#

bgp 65410
graceful-restart
import-route direct
#
return

#
sysname CE2
#
vlan batch 40
#
interface Vlanif 40
ip address 10.2.1.1 255.255.255.252
#
#
ospf 2
import-route direct
graceful-restart
area 0.0.0.0
network 10.2.1.0 0.0.0.3
#
return
3.17.16 Example for Configuring Double RRs to Optimize VPN

Backbone Layer
In VPN deployment, to improve the reliability, you can configure VPN instances with double
RRs. That is, select two Ps in the same AS as two RRs. They are backup devices of each other,
reflecting routes of the public network and VPNv4.

Figure 3-18 Networking diagram for configuring double reflectors to optimize VPN backbone
layer
Loopback1 Loopback1
2.2.2.9/32 3.3.3.9/32
P1 GE2/0/0 GE1/0/0 P2
GE1/0/0 AS100 GE2/0/0

GE3/0/0 GE3/0/0
GE1/0/0 GE1/0/0
Loopback1 Loopback1
1.1.1.9/32 GE3/0/0 GE3/0/0 4.4.4.9/32
PE1 GE2/0/0 GE2/0/0 PE2
GE1/0/0 GE1/0/0
AS65410 AS65420
CE1 CE2
Loopback1 1.1.1.9/32
P1 GigabitEthernet1/0/0 VLANIF 10 100.1.2.2/24

As shown in Figure 3-18, PE1, PE2, P1, and P2 are on the backbone network AS100. CE1 and
CE2 belong to VPNA. Select P1 and P2 as the RRs of the VPN.
1. Set up MP-IBGP adjacencies between the PEs and RRs.
2. Set up EBGP adjacencies between the PE and CEs.
3. Enable MPLS LSP on the public tunnel and enable MPLS LDP on the devices and interfaces
along the tunnel.
4. Configure P1 and P2 to be the backup of each other and configure the same RR ID for them.
5. P1 and P2 need to store all VPNv4 routing information and advertise the routing information
to PEs, so configure P1 and P2 to accept all the VPNv4 routing information without filtering
the routing information based on VPN targets.
NOTE
At least two paths that do not use the same network segment and node must exist between the RR and PE;
otherwise, the double RRs are unnecessary.
Data Preparation
l ID of the VLAN that each interface belongs to and IP address of each interface, as shown
in Figure 3-18
l MPLS LSR-IDs of PE and ASBR-PEs
l Routing protocol used to exchange routing information between the PE and CEs (EBGP is
used in this example)
l Convergence priorities of the routes in the VPN instances
l Name of the RD and name of the routing policy
Procedure
1. Configure the VLAN on each interface. The configuration procedure is not given here.
2. Configure an IGP protocol on the MPLS backbone network to implement interworking of
devices along the LSP.
OSPF is used as the IGP protocol in this example. The configuration procedure is not given
here.
NOTE
The address of the loopback interface, which functions as the LSR ID, must be advertised.
After the configuration, devices along the LSP can learn the address of the loopback
interface of each other.
------------------------------------------------------------------------------

1.1.1.9/32 Direct 0 0 D 127.0.0.1

InLoopBack0
2.2.2.9/32 OSPF 10 2 D 100.1.2.2 Vlanif10
3.3.3.9/32 OSPF 10 2 D 100.1.3.2 Vlanif40
4.4.4.9/32 OSPF 10 3 D 100.1.3.2 Vlanif10
OSPF 10 3 D 100.1.2.2 Vlanif40
100.1.2.0/24 Direct 0 0 D 100.1.2.1 Vlanif10
100.1.2.1/32 Direct 0 0 D 127.0.0.1
InLoopBack0
100.1.2.255/32 Direct 0 0 D 127.0.0.1
InLoopBack0
100.1.3.0/24 Direct 0 0 D 100.1.3.1 Vlanif40
100.1.3.1/32 Direct 0 0 D 127.0.0.1
InLoopBack0
100.1.3.255/32 Direct 0 0 D 127.0.0.1
InLoopBack0
100.2.3.0/24 OSPF 10 2 D 100.1.3.2 Vlanif40
OSPF 10 2 D 100.1.2.2 Vlanif10
100.2.4.0/24 OSPF 10 2 D 100.1.2.2 Vlanif10
100.3.4.0/24 OSPF 10 2 D 100.1.3.2 Vlanif40
127.0.0.0/8 Direct 0 0 D 127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1
InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1
InLoopBack0
3. Set up LSPs on the MPLS backbone network.

Enable MPLS and MPLS LDP on the devices and interfaces along the LSP. The
configuration procedure is not given here.
After the configuration, run the display mpls ldp session command, and you can see in
the display that the Session State item is Operational.
Take the display on PE1 and P1 for example.

----------------------------------------------------------------------
----------------------------------------------------------------------
----------------------------------------------------------------------
[P1] display mpls ldp session

----------------------------------------------------------------------
----------------------------------------------------------------------
----------------------------------------------------------------------
4. Configure a VPN instance on PE.

For the configuration procedure, see Example for Configuring the BGP/MPLS IP
VPN. The configuration details are not mentioned here.
5. Set up EBGP peer relation between the PE and the CE and import VPN routes.
For the configuration procedure, see Example for Configuring the BGP/MPLS IP
VPN. The configuration details are not mentioned here.
6. Set up the MP-IBGP peer relation between PEs and RRs.
# Configure PE1.
<PE1> system-view
[PE1] bgp 100
# Configure P1.
<P1> system-view
[P1] bgp 100
[P1-bgp] group P1 internal
[P1-bgp] peer P1 connect-interface loopback 1
[P1-bgp] peer 1.1.1.9 group P1
[P1-bgp] ipv4-family vpnv4
[P1-bgp-af-vpnv4] peer P1 enable
[P1-bgp-af-vpnv4] peer 1.1.1.9 group P1
[P1-bgp-af-vpnv4] quit
[P1-bgp] quit
# Configure P2.
<P2> system-view
[P2] bgp 100
[P2-bgp] group P2 internal
[P2-bgp] peer P2 connect-interface loopback 1
[P2-bgp-af-vpnv4] peer P2 enable
[P2-bgp] quit
# Configure PE2.
The configuration procedure of PE2 is similar to the configuration procedure of PE1 and
is not mentioned.
After the configuration, run the display bgp vpnv4 all peer command on the PEs, and you
can see that the BGP adjacencies are established between the PEs and RRs. The EBGP
adjacencies are established between the PE and CEs.
Take the display on PE1 and P1 for example.



2.2.2.9 4 100 2 4 0 00:00:31 Established 0
3.3.3.9 4 100 3 5 0 00:01:23 Established 0
vpn instance vpna :
10.1.1.1 4 65410 79 82 0 01:13:29 Established 0
7. Configure the reflector function on P1 and P2.

# Configure P1.
[P1] bgp 100
[P1-bgp-af-vpnv4] reflector cluster-id 100
[P1-bgp-af-vpnv4] peer P1 reflect-client
[P1-bgp-af-vpnv4] undo policy vpn-target
# Configure P2.
[P2] bgp 100
[P2-bgp-af-vpnv4] reflector cluster-id 100
[P2-bgp-af-vpnv4] peer P2 reflect-client
[P2-bgp-af-vpnv4] undo policy vpn-target
8. Verify the configuration.

Display the VPN routing table on PE, and you can see the route to the remote CE.
<PE1> display ip routing-table vpn-instance vpna
------------------------------------------------------------------------------
10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif60

10.1.1.2/32 Direct 0 0 D 127.0.0.1
InLoopBack0
10.1.1.255/32 Direct 0 0 D 10.1.1.1 Vlanif60
10.2.1.0/24 BGP 255 0 RD 4.4.4.9 Vlanif40
If CE1 and CE2 can ping each other, it indicates that the RRs are successfully configured.
After running the shutdown command in the view of VLANIF 40 on PE1 and the view of
VLANIF 50 on PE2, you can see that CE1 can ping CE2. This indicates that the RRs are
successfully configured.
Configuration Files
#
sysname PE1
#
vlan batch 10 40 60
#
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#

interface Vlanif10
ip address 100.1.2.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
ip address 100.1.3.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
ip address 10.1.1.2 255.255.255.0
#
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 2.2.2.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
peer 3.3.3.9 enable
#
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 100.1.2.0 0.0.0.255
network 100.1.3.0 0.0.0.255
#
return
#
sysname P1
#
Vlan batch 10 20 50
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 100.1.2.2 255.255.255.0

mpls
mpls ldp
#
interface Vlanif20
ip address 100.2.3.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif50
ip address 100.2.4.1 255.255.255.0
mpls
mpls ldp
#
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
group P1 internal
peer P1 connect-interface LoopBack1
#
ipv4-family unicast
undo peer 4.4.4.9 enable
peer P1 enable
#
ipv4-family vpnv4
reflector cluster-id 100
peer P1 enable
peer P1 reflect-client
peer 1.1.1.9 enable
peer 1.1.1.9 group P1
peer 3.3.3.9 enable
peer 4.4.4.9 enable
#
ospf 1
area 0.0.0.0
network 100.1.2.0 0.0.0.255
network 100.2.3.0 0.0.0.255
network 100.2.4.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
#
sysname P2
#
vlan batch 20 30 40
#
mpls lsr-id 3.3.3.9

mpls
#
mpls ldp
#
interface Vlanif20
ip address 100.2.3.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 100.3.4.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
ip address 100.1.3.2 255.255.255.0
mpls
mpls ldp
#
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
group P2 internal
peer P2 connect-interface LoopBack1
#
ipv4-family unicast
peer P2 enable
#
ipv4-family vpnv4
peer P2 enable
peer P2 reflect-client
peer 1.1.1.9 enable
peer 2.2.2.9 enable
peer 4.4.4.9 enable
#
ospf 1
area 0.0.0.0
network 100.2.3.0 0.0.0.255
network 100.3.4.0 0.0.0.255
network 100.1.3.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return

#
sysname PE2
#
vlan batch 30 50 70
#
#
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface Vlanif30
ip address 100.3.4.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif50
ip address 100.2.4.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif70
ip address 10.2.1.2 255.255.255.0
#
#
#
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 2.2.2.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
peer 2.2.2.9 enable
#
import-route direct
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 100.3.4.0 0.0.0.255
network 100.2.4.0 0.0.0.255

#
return

#
sysname CE1
#
vlan batch 60
#
interface Vlanif60
ip address 10.1.1.1 255.255.255.0
#
#
bgp 65410
#
ipv4-family unicast
#
return

#
sysname CE2
#
vlan batch 70
#
interface Vlanif70
ip address 10.2.1.1 255.255.255.0
#
#
bgp 65420
#
ipv4-family unicast
#
return

Configuration Guide - VPN 4 BGP MPLS IPv6 VPN Configuration
4 BGP MPLS IPv6 VPN Configuration
About This Chapter
This chapter describes the BGP/MPLS IPv6 VPN configuration, including the comparison
between the IPv6 VPN and IPv4 VPN, common networking of the BGP/MPLS IPv6 VPN, and
configurations to ensure the reliability of the BGP/MPLS IPv6 VPN.
4.1 Introduction to BGP/MPLS IPv6 VPN

This part describes the similarities and differences between BGP/MPLS IPv6 VPN and BGP/
MPLS IP VPN.
4.2 BGP/MPLS IPv6 VPN Features Supported by the S7700
This part describes the basic networking, typical networking, and reliability of BGP/MPLS IP
VPN supported by the S7700.
4.3 Configuring an IPv6 VPN Instances
The VPN instance is used to isolate VPN routes from public network routes.
4.4 Configuring Basic BGP/MPLS IPv6 VPN
The basic BGP/MPLS IPv6 VPN is established only on one SP network and the MPLS backbone
network does not span multiple ASs. In addition, the role of each PE, P, or CE is unique. That
is, a router cannot function as both a PE and a CE.
In the networking of Hub and Spoke, an access control device is specified in the IPv6 VPN, and
users communicate with each other through the access control device.
4.6 Configuring a Tunnel Policy applied to BGP/MPLS IPv6 VPN
By default, the system selects an LSP for a BGP/MPLS IPv6 VPN and no load balancing is
carried out. If load balancing or other types of tunnels are required, you need to configure a
tunnel policy for the backbone network of the IPv6 VPN.
4.7 Configuring Inter-AS IPv6 VPN-Option A
In inter-AS IPv6 VPN OptionA, an ASBR takes the peer ASBR as its CE and advertises VPNv6
routes to the peer ASBR through EBGP+.
4.8 Configuring Inter-AS IPv6 VPN-Option B
In inter-AS IPv6 VPN OptionB, ASBRs exchange VPNv6 routes that are sent from the PEs in
the attached ASs through MP-EBGP.

4.9 Configuring Route Reflection for BGP VPNv6 Routes

Deploying a BGP VPNv6 Route Reflector (RR) reduces the number of MP-IBGP connections.
This lightens the burden of PEs and facilitates network maintenance and management.
4.10 Maintaining BGP/MPLS IPv6 VPN
Maintaining BGP/MPLS IPv6 VPN involves checking VPN traffic, monitoring network
connectivity, resetting BGP connection.
This section provides several configuration examples of IPv6 VPN. In each configuration
example, the networking requirements, configuration notes, configuration roadmap,
configuration procedures, and configuration files are provided.

4.1 Introduction to BGP/MPLS IPv6 VPN

This part describes the similarities and differences between BGP/MPLS IPv6 VPN and BGP/
MPLS IP VPN.
As an enhancement of IPv4, IPv6 is an Internet protocol of the next generation. IPv6 provides
the more address spaces and enhanced security functions, and supports more access users and
devices in the Internet than IPv4.
The Virtual Private Network (VPN) is a virtual private communication network built over public
networks such as the Internet. Users located in different areas can exchange data through the
public networks.
The difference between the IPv4 VPN and IPv6 VPN lies in the type of the packets, that is, IPv4
packets or IPv6 packets, sent from the CE to the PE.
At present, IPv6 VPN services are implemented over the IPv4 backbone network of the SP. In
this case, the PE must support the IPv4/IPv6 dual stack operations because the backbone network
is an IPv4 network and the client sites use the IPv6 address family, as shown in Figure 4-1. Any
network protocol that can bear IPv6 traffic can run between the CEs and the PEs. PE interfaces
connected to the client run IPv6; PE interfaces connected to the public network run IPv4.
Figure 4-1 Schematic diagram of the IPv6 VPN over the IPv4 public network
IPv4 VPN backbone
P PE CE
IPv6
CE PE VPN site
IPv6 P
VPN site
PE
CE
IPv6
VPN site
Currently, the S7700 supports the following IPv6 VPN networking schemes:
l Intranet VPN
l Extranet VPN
l Hub and Spoke
l Inter-AS VPN (both inter-AS and multi-AS backbones)
For description about these networking schemes, refer to 3 BGP MPLS IP VPN
Configuration in this manual.

4.2 BGP/MPLS IPv6 VPN Features Supported by the S7700

This part describes the basic networking, typical networking, and reliability of BGP/MPLS IP
VPN supported by the S7700.
Basic Networking
The S7700 supports the VPN route exchange between PEs through MP-IBGP. To ensure that a
PE and a CE can exchange routes, you can configure the static route, RIPng multi-instance, IS-
IS multi-instance, or BGP4+. The S7700 uses VPN targets to control the transmission of VPN
routes; thus, multiple VPN networking topologies.
Generally, LSPs or MPLS TE tunnels are configured as the tunnels of VPN backbone networks.
If PEs support MPLS functions and Ps support IP functions rather than MPLS functions, GRE
tunnels can be configured.
Reliability
To improve the reliability of a VPN, generally, the following networking modes are adopted.
l The backbone network is an MPLS network, on which the devices adopt hierarchical
backup and are fully connected through high-speed interfaces. If the number of PEs is large,
use the BGP route reflector to reflect IPv6 VPN routes to decrease the number of MP IBGP
connections.
l The convergence layer is of either a mesh topology or a ring topology.
l The dual-homed CE or multi-homed CE is configured on the access layer.
The S7700 does not support VPNv6 GR.
4.3 Configuring an IPv6 VPN Instances

The VPN instance is used to isolate VPN routes from public network routes.

Before configuring the IPv6 VPN instance, familiarize yourself with the applicable environment,
The IPv6 VPN instance is used to isolate IPv6 VPN routes and public routes. Routes in different
IPv6 VPN instance are isolated from each other, and IPv6 VPN routes and IPv4 VPN routes are
isolated from each other. In all the BGP/MPLS IPv6 VPN networking scenarios, you should
configure IPv6 VPN instance.
The IPv6 VPN instance implements isolation of address spaces through the RD, and controls
IPv6 VPN membership and routing rules through the VPN-Target attribute.
To control the advertisement of IPv6 VPN routes more accurately with the VPN target attribute,
use import and export routing policies. The import routing policy is used to filter the routes

imported to the IPv6 VPN instance. The export routing policy is used to filter the routes exported
to other PEs.
Before configuring an IPv6 VPN instance, complete the following tasks:
l Enabling IPv6 on PEs and on the interfaces that need to be configured with IPv6
l Configuring routing policies if the import or export routing policy needs to be applied to
the IPv6 VPN instance
Data Preparation
To configure IPv6 VPN instance, you need the following data.
No. Data
1 Name of the IPv6 VPN instance
2 (Optional) Description of the IPv6 VPN instance
3 RD, VPN-Target of the IPv6 VPN instance
4 (Optional) Maximum number of routes allowed by the IPv6 VPN instance
5 (Optional) Routing policy that controls the receiving and sending of IPv6 VPN routes
6 (Optional) Tunnel policy used in the IPv6 VPN instance
4.3.2 Creating an IPv6 VPN Instance

Configuring IPv6 VPN Instance is the preliminary step for configuring other IPv6 VPN
attributes. Afteran IPv6 VPN Instance is configured, a VPN routing and forwarding table is
created.
Context
Do as follows on the PE device that is connected to the CE device:
Procedure
Step 1 Run:
system-view

Step 2 Run:
ipv6 vpn6-instance vpn6-instance-name
An IPv6 VPN instance is created and the IPv6 VPN instance view is displayed.
NOTE
The name of the IPv6 VPN instance is case sensitive. For example, vpn1 and VPN1 are considered as
different IPv6 VPN instances.

No default IPv6 VPN instance exists on a PE, and multiple IPv6 VPN instances can be created
on the PE.
Step 3 Run:
The RD for the IPv6 VPN instance is configured.

An IPv6 VPN instance takes effect only after the RD is configured. Before configuring the RD,
you may configure only the description for the IPv6 VPN instance.
NOTE
The RD cannot be changed or deleted once it is configured. To change the RD, you need to delete the IPv6
VPN instance and then re-configure a IPv6 VPN instance and an RD. To delete the RD, you need only to
delete the IPv6 VPN instance.

The description for the IPv6 VPN Instance is configured.

The description about an IPv6 VPN Instance functions the same as the description about a host
name or an interface. It is recommended that the proper description be configured.
----End
4.3.3 Configuring Attributes for the IPv6 VPN Instance

To facilitate management of routes of the IPv6 VPN Instance , you also need to configure other
VPN attributes, such as the RD, VPN target, route limit, and routing policy.
Context
Do as follows on the PE device that is configured with IPv6 VPN Instance .
NOTE
It is recommended to perform either Step 4 or Step 5.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The IPv6 VPN instance view is displayed.

Step 3 Run:
vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]
An IPv6 VPN-Target extended community is created for the IPv6 VPN Instance .
VPN target is the extended community attribute of the Border Gateway Protocol (BGP). It is
used to control the advertisement of VPN routing information. You can configure a maximum
of 8 IPv6 VPN-Targets with the vpn-target command.


The maximum number of routes of the IPv6 VPN Instance is configured.
You can define the maximum number of routes that can be supported by the IPv6 VPN Instance
to avoid a PE importing too many IPv6 VPN routes.
NOTE
into the routing table of the VPN instance exceeds the upper limit. If the routing-table limit command to
increase the maximum number of routes supported in an IPv6 VPN instance or the undo routing-table
are required:
l For the remote cross routes learnt through the MP-IBGP and the BGP routes learnt from CEs, the
system automatically refreshes them.

The maximum number of prefixes of the IPv6 VPN instance is configured.
You can define the maximum number of prefixes for the IPv6 VPN instance to avoid importing
too many prefixes from the CE.


An import routing policy of the IPv6 VPN instance is created.

An export routing policy of the IPv6 VPN instance is created.
----End
4.3.4 (Optional) Configuring MPLS Label Allocation Based on the

IPv6 VPN Instance
This part describes how the MPLS label is allocated in the IPv6 VPN Instance. A PE allocates
the same MPLS label for all routes of the IPv6 VPN Instance. If the IPv6 VPN routes are in a
great number, you can reduce the number of MPLS labels maintained by PEs.
Context
Do as follows on the PE device that is configured with IPv6 VPN Instance.

Procedure
Step 1 Run:
system-view

Step 2 Run:

The label is allocated based on the IPv6 VPN Instance. That is, all the routes in the IPv6 VPN
Instance use the same label.
By default, the MPLS labels are allocated on a one label per route basis. When the number of
routes becomes more, more labels are required.
The S7700 provides the feature of the MPLS label allocation based on the IPv6 VPN Instance,
that is, all the routes of the IPv6 VPN Instance share the same label.
----End

After configuring an IPv6 VPN instance, you can view information about the IPv6 VPN
instance on the local device, including the RD value and other attributes.
Prerequisite
The configurations of the IPv6 VPN instance function are complete.
Procedure
l Run the display ipv6 vpn6-instance verbose vpn6-instance-name command to view
detailed information about the IPv6 VPN instance.
l Run the display ipv6 vpn6-instance brief vpn6-instance-name command to view brief
information about the IPv6 VPN instance.
----End
Example
Run the display ipv6 vpn6-instance brief command. If brief information including the RD and
creating time about the VPN instance is displayed, it means the configuration succeeds. For
example:
<Quidway> display ipv6 vpn6-instance brief vpn1
VPN6-Instance Name RD Creation Time
vpn1 1:1 2010/01/20 14:39:40
<Quidway> display ipv6 vpn6-instance brief vpn2
VPN6-Instance Name RD Creation Time
vpn2 2:2 2010/01/05 21:57:49
8:00
Run the display ipv6 vpn6-instance verbose command. If detailed information including
creating date, period during which the VPN instance is Up, the RD value, VPN target, and the

policy for label allocation about the VPN instance is displayed, it means the configuration
<Quidway> display ipv6 vpn6-instance verbose vpn1
VPN6-Instance Name and ID : vpn1, 1
Create date : 2010/01/20 14:39:40
Import VPN Targets : 1:1, 1:2
Log Interval : 5
Interfaces : GigabitEthernet1/0/0
<Quidway> display ipv6 vpn6-instance verbose vpn2
Create date : 2010/01/05 21:57:49
Import Route Policy : po1
Description : huawei
Log Interval : 5
4.4 Configuring Basic BGP/MPLS IPv6 VPN

The basic BGP/MPLS IPv6 VPN is established only on one SP network and the MPLS backbone
network does not span multiple ASs. In addition, the role of each PE, P, or CE is unique. That
is, a router cannot function as both a PE and a CE.

Before configuring BGP/MPLS IPv6 VPN, familiarize yourself with the applicable
The BGP/MPLS IPv6 VPN networking mentioned in this section involves only a carrier and an
MPLS backbone network (not inter-provider), and LSP serves as the public tunnel. The functions
of the PE, the P and the CE are simple. None of them serves as both the PE and the CE.
Certain special BGP/MPLS IPv6 VPN networking scenarios such as, inter-provider VPN and
Carrier's Carrier need additional configurations. For more information, see the related sections
in this chapter.
When configuring the BGP/MPLS IPv6 VPN, management of the advertisement of VPN routes
on the MPLS backbone networks is a key task, including the management of routes
advertisement between the PE and the CE, and between the PEs.
For the route exchange between the PE and the CE, you can configure static routes, RIPng multi-
instance, IS-ISv6 multi-instance or BGP4+ according to the networking situations. The MP-
IBGP is adopted between the PEs.

Before configuring basic BGP/MPLS IPv6 VPN, complete the following tasks:
l Enabling IPv6 on PEs and on the interfaces that need to be configured with IPv6
l Configuring IGP for the MPLS backbone network (PE, P) to implement IP connectivity
l Configuring the basic MPLS capabilities for the MPLS backbone network (PE, P)
l Configuring the tunnels between PEs (LSP or MPLS TE)
l Configuring the IPv6 addresses for the CE interface attached to PE
Data Preparation
To configure basic BGP/MPLS IPv6 VPN, you need the following data.
No. Data
1 including: To configure an IPv6 VPN instances, you need the following data:
l Name and RD of the IPv6 VPN instance
l (Optional) Description of the IPv6 VPN instances
l VPN Target
l (Optional) Routing policy that controls the receiving and sending of IPv6 VPN
routes
l (Optional) The maximum number of routes allowed by the IPv6 VPN instances
2 IPv6 addresses of the PE interfaces attached to the CE
3 IPv6 addresses of the CE interfaces attached to the PE
4 Routing protocol between the PE and the CE, such as static route, RIPng, IS-ISv6,
or BGP4+
6 IP address and interface of the PE to establish the BGP peers
4.4.2 Configuring an IPv6 VPN Instance

You can configure an IPv6 VPN Instance for managing IPv6 VPN routes.
Context
For the details, see 4.3 Configuring an IPv6 VPN Instances.
4.4.3 Binding an Interface to an IPv6 VPN Instance

After binding an interface to an IPv6 VPN Instance, you can change the interface to a VPN

Context
Do as follows on the PE devices connected with CE devices.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The view of the interface that is to be bound with the IPv6 VPN instance is displayed.
You can bind VLANIF interfaces to IPv6 VPN instances.
Step 3 Run:
ipv6 enable
The IPv6 capability is enabled on the interface.
Step 4 Run:
ipv6 binding vpn6-instance vpn6-instance-name
The interface is bound with the IPv6 VPN instance.
NOTE
Running the ipv6 binding vpn6-instance command deletes the Layer 3 features such as IPv6 address and
IPv6 routing protocols. They need to be re-configured if required.
Step 5 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
The IPv6 address is configured.
----End
4.4.4 Configuring MP-IBGP Between PEs

With extended community attributes added to BGP, MP-IBGP can advertise VPNv6 routes
between PEs.
Context
Do as follows on the PE devices connected with CE devices.
Procedure
Step 1 Run:
system-view
Step 2 Run:
bgp as-number

Step 3 Run:
Step 4 Run:
The interface is used to set up TCP connections.
NOTE
Step 5 Run:
ipv6-family vpnv6
The BGP IPv6 VPN address family view is displayed.
Step 6 Run:
The VPN-IPv6 routing exchange on the peer is enabled.
----End

The routing protocol between a PE and a CE can be BGP4+, IPv6 static route, RIPng, OSPFv3,
or IS-ISv6.
Context
Choose one of the following configurations as required:
l Configuring BGP4+ Between PE and CE

l Configuring Static Routes Between PE and CE
l Configuring RIPng Between PE and CE
l Configuring OSPFv3 Between PE and CE
l Configuring IS-ISv6 Between PE and CE
Procedure
l Configuring BGP4+ Between PE and CE
1. Run:
system-view

2. Run:
bgp as-number


3. Run:
ipv6-family vpn6-instance vpn6-instance-name
The BGP-VPN6 instance view is displayed.

4. (Optional) Run:
as-number as-number
An AS number for the IPv6 VPN instance is specified.

to configure an AS number for each IPv6 VPN instance .
NOTE
The AS number configured in the BGP-VPNv6 instance view cannot be the same as the AS
5. Run:
The CE is specified as an IPv6 VPN peer.

6. (Optional) Run:
The maximum hop of the EBGP peer is configured.

Generally, the EBGP peers have directly connected physical links between each other.
If not, you must use the peer ebgp-max-hop command to permit the EBGP peers to
set up the TCP connection through multiple hops.
7. (Optional) Run:
peer ipv6-address allow-as-loop [ number ]
Routing loop is allowed.

Step 6 applies to the Hub and Spoke networking.
The BGP uses the AS number to detect a routing loop. In the case of Hub and Spoke
networking, however, if EBGP runs between the PE and the CE at the Hub site, the
Hub-PE carries the local AS number when advertising routes to the Hub-CE.
Therefore, the PE denies the subsequent update from the Hub-CE, because it contains
the local AS number. To ensure proper transmission of routes in the Hub and Spoke
scenario, configure all the BGP peers along the path, used for the Hub-CE to advertise
private network routes to the Spoke-CE, to accept the routes which have the AS
number repeated once.
8. (Optional) Run:
peer ipv6-address substitute-as
The function of substituting AS numbers of BGP is enabled.

This step is used for the networking scenario where physically-dispersed CEs use the
same AS number.
1. Run:
system-view


2. Run:
bgp as-number

3. (Optional) Run:
router-id ipv4-address
The router ID is configured.

If the CE device has no interface configured with an IPv4 address, configure a router
ID.
4. Run:
The PE is specified as the peer.

5. (Optional) Run:
The maximum hop of the EBGP peer is configured.

Generally, the EBGP peers have directly connected physical links between each other.
If not, you must use the peer ebgp-max-hop command to permit the EBGP peers to
set up the TCP connection through multiple hops.
6. Run:
ipv6-family unicast
The BGP-IPv6 address family view is displayed.

7. Run:
The exchange of BGP routes with the peer is enabled.

8. Run:
import-route { direct | static | ripng process-id | ospfv3 process-id |
isis process-id } [ med med | route-policy route-policy-name ]*
Routes of the local site are imported.

The address of the VPN network segment is advertised to the connected PE, and then
is advertised by the PE to the peer CE.
The type of the imported route varies with networking modes.
l Configuring Static Routes Between PE and CE
NOTE
For the detailed configuration about the IPv6 static route, refer to the Quidway S7700 Smart Routing
Switch Configuration Guide - IP Routing.
1. Run:
system-view

2. Run:
ipv6 route-static vpn6-instance vpn6-instance-name dest-ipv6-address
prefix-length { interface-type interface-number nexthop-ipv6-address |

vpn6-instance vpn6-destination-name nexthop-ipv6-address | nexthop-ipv6-

address [ public ] } [ preference preference | tag tag ]* [ description
text ]
The static route is configured for the IPv6 VPN Instance .

3. Run:
bgp as-number

4. Run:

5. Run:
import-route static [ med med | route-policy route-policy-name ]*
The configured static route is imported to the routing table of BGP-VPNv6 instance.
The configurations on the CE is the same as the ordinary IPv6 static routes and are not
mentioned here.
l Configuring RIPng Between PE and CE
The configurations on the CE are similar to the configuration of common RIPng and are
not mentioned here.
NOTE
For the detailed configuration about RIPng, refer to the Quidway S7700 Smart Routing Switch
Configuration Guide IP Routing Volume.

1. Run:
system-view

2. Run:
ripng process-id vpn6-instance vpn6-instance-name
A RIPng instance is created between PE and CE and the RIPng view is displayed.
A RIPng multi-instance process can only belong to one IPv6 VPN Instance. If a RIPng
process is not bound to the IPv6 VPN Instance when the process is enabled, the process
is classified as a public network process.
If only one RIPng process (including public network process and multi-instance
process) is run on a switch, you need not specify process-id, that is, the default process
ID 1 is adopted.
3. Run:
import-route bgp [ cost cost | route-policy route-policy-name ]*
The BGP routes are imported.

After the execution of the import-route bgp command in the RIPng view, the PE
imports the VPN-IPv6 routes learnt from the remote PE into the RIPng and further
advertises them to its CE.
4. Run:
quit


5. Run:
The interface view of VLANIF interface connecting CE is displayed.

6. Run:
ripng process-id enable
RIPng is configured on the interface.
NOTE
The command can not be used in the interface view if the IPv6 is not enabled. The command
is not supported on the ATM interface.
7. Run:
quit

8. Run:
bgp as-number

9. Run:

10. Run:
import-route ripng process-id [ med med | route-policy route-policy-name ]
*
The RIPng routes are imported into the routing table of BGP-VPNv6 instance.
After the running of the import-route ripng command in the BGP-VPNv6 instance
view, the PE imports the RIPng routes learnt from its CE into BGP, forms them into
VPN-IPv6 routes and advertise them to the remote PE.
NOTE
After a RIPng multi-instance process is deleted, RIPng is disabled on all the interfaces that run
this process.
After an IPv6 VPN instance is deleted, all the related RIPng processes are also deleted.
l Configuring OSPFv3 Between PE and CE
Configure OSPFv3 on the CE. For the detailed configuration about OSPFv3, refer to the
Quidway S7700 Smart Routing Switch Configuration Guide - IP Routing.
Configure an OSPFv3 multi-instance on the PE and configure BGP and OSPFv3 to import
routes from each other.
1. Run:
system-view

2. Run:
ospfv3 [ process-id ] [ vpn6-instance vpn6-instance-name ]
OSPFv3 multi-instance is created and the OSPFv3 multi-instance view is displayed.

One OSPFv3 instance belongs to only one IPv6 VPN Instance. If an OSPFv3 process
is not bound to an IPv6 VPN Instance , the OSPFv3 process is a public process. In
addition, the public OSPFv3 instance cannot be bound to an IPv6 VPN Instance.
3. Run:
router-id router-id
A router ID is set.
If no router ID is specified, OSPFv3 selects a router ID from IP addresses of the

interfaces bound to the IPv6 VPN Instance based on the router ID selection rule.
4. Run:
import-route bgp [ cost cost | route-policy route-policy-name | tag tag |
type type ] *
BGP routes are imported into OSPFv3 so that the PE uses OSPFv3 to send these routes
to the CE.
5. Run:
quit
The system is displayed.

6. Run:
The view of the interface bound to a VPN instance is displayed.

7. Run:
ospfv3 process-id area area-id [ instance instance-id ]
OSPFv3 is enabled on the interface.

8. Run:
quit
The system is displayed.

9. Run:
bgp as-number

10. Run:

11. Run:
import-route ospfv3 process-id [ med med | route-policy route-policy-
name ]*
OSPFv3 are imported routes into the BGP-VPN6 instance routing table.
NOTE
After an IPv6 VPN instance has been deleted, all associated OSPFv3 processes will be deleted.
l Configuring IS-ISv6 Between PE and CE
You can configure the common IS-ISv6 on the CE.
The configurations on CE are not mentioned here.

NOTE
For the detailed configuration about IS-ISv6, refer to the Quidway S7700 Smart Routing Switch
Configuration Guide - IP Routing.

1. Run:
system-view

2. Run:
isis process-id vpn6-instance vpn6-instance-name
The IS-IS instance between the PE and the CE is created and the IS-IS view is
displayed.
An IS-IS multi-instance process can only belong to one IPv6 VPN Instance. If an IS-
IS process is not bound to an IPv6 VPN Instance when the process is enabled, the
process is classified as a public network process.
If only one IS-IS process (including public network process and multi-instance
process) is run on a switch, you need not specify process-id, that is, the default process
ID 1 is adopted.
NOTE
After an IS-IS multi-instance process is deleted, IS-IS is disabled on all the interfaces that run
this process.
After an IPv6 VPN instance is deleted, all the related IS-IS processes are also deleted.
3. Run:
network-entity net
The Network Entity Title (NET) is configured.

The NET defines the system ID of the switch and the address of the local IS-IS area.
A maximum of three NETs can be configured for a process on a switch.
4. (Optional) Run:
is-level { level-1 | level-1-2 | level-2 }
The level of the switch is configured.

By default, the level of a switch is level-1-2.
5. Run:
ipv6 enable
IPv6 is enabled for the IS-IS process.

IPv6 can be enabled for an IS-IS process only after IPv6 is enabled in the system view.
6. Run:
ipv6 import-route bgp inherit-cost [ tag tag | route-policy route-policy-
name | [ level-1 | level-2 | level-1-2 ] ]*

7. Run:
quit

8. Run:
The interface view is displayed.

9. Run:
isis ipv6 enable [ process-id ]
IS-IS IPv6 is enabled on the interface.

10. Run:
quit

11. Run:
bgp as-number

12. Run:

13. Run:
import-route isis process-id [ med med | route-policy route-policy-name ]*
The IS-IS route is installed to the BGP-VPNv6 instance routing table.
----End

After configuring the basic BGP/MPLS IPv6 VPN function, you can view IPv6 VPN routing
information about the local and remote sites on the PE or the CE.
Prerequisite
The configurations of the Basic BGP/MPLS IPv6 VPN function are complete.
Procedure
l Run the display ipv6 routing-table vpn6-instance vpn6-instance-name command to
check the routing table of the specified IPv6 VPN instance on PE.
l Run the display ipv6 routing-table command to check the routing table on CE.
----End
Example
Run the display ipv6 routing-table vpn6-instance vpn6-instance-name command. If the VPN
routes related to the CE are displayed, it means the configuration succeeds.
Run the display ipv6 routing-table command. If the routes to the remote CE are displayed on
the CE, it means the configuration succeeds.


In the networking of Hub and Spoke, an access control device is specified in the IPv6 VPN, and
users communicate with each other through the access control device.

Before configuring the networking of Hub and Spoke, familiarize yourself with the applicable
If it is required that all the users must access to a central access control device, the Hub and
Spoke networking is adopted. In the Hub and spoke network, all the Spoke stations communicate
through the Hub station.
Before configuring basic Hub and Spoke, complete the following tasks:
l Configuring IGP on PE devices and P devices in the MPLS backbone network

l Configuring basic MPLS capability on PE devices and P devices in the MPLS backbone
network
l Configuring the tunnels between the PE devices (LSP or MPLS TE tunnels)
l Enabling IPv6 on PEs, CEs and on the interfaces that need to be configured with IPv6
l Configuring the IPv6 addresses, through which the CE devices access the PE devices, on
the CE devices
Data Preparation
To configure Hub and Spoke, you need the following data.
No. Data
1 To configure an IPv6 VPN instance, you need the following data:

l Name and RD of the IPv6 VPN instance
l (Optional) Description of the IPv6 VPN instance
l VPN Target
routes
l (Optional) The maximum number of routes allowed by the IPv6 VPN instance
3 IPv6 addresses of the CE interfaces attached to the PE

No. Data
4 Data for the configurations of routing protocols (static route, RIPng, IS-ISv6, or
BGP4+) between Hub-PE and Hub-CE, and between Spoke-PE and Spoke-CE
4.5.2 Configuring an IPv6 VPN Instance

You can configure an IPv6 VPN Instances for managing IPv6 VPN routes.
Context
Configure the IPv6 VPN Instanc on each Spoke-PE and Hub-PE.
Every Spoke-PE is configured with an IPv6 VPN Instances, while each Hub-PE is configured
with the following two IPv6 VPN instances (VPN-spoke and VPN-hub):
l VPN-spoke: It receives and maintains all the VPN-IPv6 routes.

l VPN-hub: It maintains the routes of all the Hub stations and Spoke stations and advertises
those routes to all the Spoke-PEs.
NOTE
l Step 1 to 7 describes how to configure an IPv6 VPN Instances. Different IPv6 VPN instances on a
device are different in names, RDs, and description.
l It is recomended to perform either Step 6 or Step 7.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The name of the IPv6 VPN instance is case sensitive. For example, vpn1 and VPN1 are
considered as different IPv6 VPN instances.

The description for the IPv6 VPN instance is configured.
Similar to the host name or interface description, the description can be used to record
information such as the relationship between an IPv6 VPN instance and an IPv6 VPN. You
should set the appropriate description for the IPv6 VPN instance.
Step 4 Run:
The RD is configured for the IPv6 VPN Instance .

An IPv6 VPN Instance takes effect only after the RD is configured. Before configuring the RD,
you may configure only the description for the IPv6 VPN Instance .

The label is allocated based on IPv6 VPN instance . That is, all the routes in An IPv6 VPN
Instance use the same label.
By default, the MPLS labels are allocated on one label per route.
The S7700 provides the feature of the MPLS label allocation based on the IPv6 VPN instance ,
that is, all the routes of the IPv6 VPN Instance share the same label.

The maximum number of routes of the IPv6 VPN instance is configured.
You can define the maximum number of routes that can be supported by An IPv6 VPN
Instance to avoid a PE importing too many routes of the IPv6 VPN instance .
NOTE
into the routing table of the VPN instance exceeds the upper limit. If the routing-table limit command to
increase the maximum number of routes supported in an IPv6 VPN instance or the undo routing-table
are required:
For the remote cross routes learnt through the MP-IBGP and the BGP routes learnt from CEs, the system
automatically refreshes them.

You can define the maximum number of prefixes for the IPv6 VPN instance to avoid importing
too many prefixes.

----End
4.5.3 Configuring Route Related Attributes of an IPv6 VPN Instance

In the networking of Hub and Spoke, VPN targets are configured on the Hub-PE and Spoke-
PEs to control the advertisement of IPv6 VPN routes. The import VPN target configured on the
Hub-PE must contain the export VPN targets configured on all Spoke-PEs. The export VPN
target configured on the Hub-PE must contain the import VPN targets configured on all Spoke-
PEs.

Procedure
l Configuring Hub-PE
1. Run
system-view

2. Run
ipv6 vpn6-instance vpn6-instance-name1
The IPv6 VPN instance view of VPN-spoke is displayed.

3. Run
The VPN target extended community for the IPv6 VPN instance is created. The VPN-
IPv6 routes advertised by all the Spoke-PEs are imported.
vpn-target1 lists the export community attribute of vpn-target advertised by all the
Spoke-PEs.
4. (Optional) Run
The import routing policy of the IPv6 VPN instance is configured.

5. (Optional) Run
The export routing policy of the IPv6 VPN Instance is configured.

6. Run
quit

7. Run
ipv6 vpn6-instance vpn6-instance-name2
The IPv6 VPN instance view of the VPN-hub is displayed.

8. Run
The VPN target extended community is configured to advertise the routes of all the
Hub stations and Spoke stations.
vpn-target2 is a list that contains all the import VPN targets of all the Spoke-PEs.
9. (Optional) Run

10. (Optional) Run
The export routing policy of the IPv6 VPN instance is configured.

l Configuring Spoke-PE
1. Run
system-view


2. Run
The IPv6 VPN instance view of the VPN-spoke is displayed.

3. Run
The VPN target extended community for the IPv6 VPN instance is created. The VPN-
IPv6 routes advertised by the Hub-PE are imported.
vpn-target2 is the export community attribute of vpn-target advertised by the Hub-
PE.
4. Run
The VPN target extended community for the IPv6 VPN instance is created. The IPv6
routes of stations the Spoke-PE accesses are advertised.
5. (Optional) Run

6. (Optional) Run
The export routing policy of the IPv6 VPN instance is configured.

----End
4.5.4 Binding an Interface to an IPv6 VPN Instance

After binding an interface to an IPv6 VPN Instance, you can change the interface to a VPN
Context
The configuration on the Hub-PE involves two interfaces or sub-interfaces: one is bound with
the VPN-spoke and receives the routes advertised by the Spoke-PE; the other is bound with the
VPN-hub and advertises the routes of the Hub and all the Spokes.
Do as follows on the Hub-PE and all the Spoke-PEs.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of the interface that is to be bound with the IPv6 VPN instance is displayed.

You can bind VLANIF interfaces to IPv6 VPN instances.
Step 3 Run:
ipv6 enable
The IPv6 capability is enabled on the interface.
Step 4 Run:
ipv6 binding vpn6-instance vpn6-instance-name
The interface is bound with the IPv6 VPN instance.
NOTE
Running the ipv6 binding vpn6-instance command deletes the Layer 3 features such as IPv6 address and
IPv6 routing protocols. They need to be re-configured if required.
Step 5 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
The IPv6 address is configured.
----End
4.5.5 Configuring MP-IBGP Between Hub-PE and Spoke-PE

between PEs.
Context
The Hub-PE must set up the MP-IBGP peer with all the Spoke-PEs. Spoke-PEs need not set up
the MP-IBGP peer between each other.
Do as follows on the Hub-PE and the Spoke-PE.
Procedure
Step 1 Run
system-view
Step 2 Run
bgp as-number
Step 3 Run
Step 4 Run
The interface to set up the TCP connection is specified.

NOTE
Step 5 Run
ipv6-family vpnv6
Step 6 Run
The VPN-IPv6 routing information is exchanged between the peers.
----End

The routing protocol between a PE and a CE can be BGP4+, static route, RIPng, or IS-ISv6.
Context
The Hub-PE and the Hub-CE can exchange routes in the following ways.
Procedure
l Configuring EBGP between the Hub-PE and the Hub-CE
In this way, BGP4+, RIPng multi-instance, IS-ISv6 multi-instance or static routes can be
adopted between the Spoke-PE and the Spoke-CE.
To set up the EBGP peer between the Hub-PE and the Hub-CE, do as follows on the Hub-
PE:
1. Run:
system-view

2. Run:
bgp as-number

3. Run:
The BGP-VPNv6 instance view is displayed.

4. Run:
peer ipv6-address allow-as-loop [ number ]
Allow the routing loop. Here the value of number is set as 1, which means the route
with the AS repeated once can be sent.
l Configuring IGP between the Hub-PE and the Hub-CE
In this way, instead of BGP4+, RIPng multi-instance, IS-ISv6 multi-instance or static routes
are adopted between the Spoke-PE and the Spoke-CE.

l Configuring static routes between the Hub-PE and the Hub-CE
If the Hub-CE uses the default route to access the Hub-PE, to advertise the default route to
all the Spoke-PEs, do as follows on the Hub-PE:
1. Run:
system-view

2. Run:
ipv6 route-static vpn6-instance vpn6-instance-name :: 0 nexthop-ipv6-
address [ tag tag ] [ description text ]
The default route is configured. Here, vpn6-instance-name refers to the VPN-hub.

nexthop-ipv6-address is the IPv6 address of the Hub-CE interface that is connected
with the PE interface bound with the VPN-out.
3. Run:
bgp as-number

4. Run:
TheBGP-VPNv6 instance view is displayed.
Here, vpn6-instance-name refers to the VPN-hub.

5. Run:
network :: 0
Advertise the default route to all the Spoke-PEs through MP-BGP.
----End
Follow-up Procedure
Choose one of the preceding methods as required. For detailed configurations, see 4.4.5
Configuring Route Exchange Between PE and CE.

After the networking of Hub and Spoke is configured, you can view IPv6 VPN routing
information on the PE and CE.
Prerequisite
The configurations of the Hub and Spoke function are complete.
Procedure
check routing information about the VPN-spoke on the Hub-PE.
check routing information about the VPN-hub on the Hub-PE.

l Run the display ipv6 routing-table command to check routing information on the Hub-
CE and all the Spoke-CEs.
----End
Example
Run the preceding commands. If the routing table of the VPN-spoke has routes to all the Spoke
stations, and the routing table of the VPN-hub has routes to the Hub and all the Spoke stations,
Additionally, Hub-CE and all the Spoke-CEs have routes to the Hub and all the Spoke stations.
4.6 Configuring a Tunnel Policy applied to BGP/MPLS IPv6

VPN
By default, the system selects an LSP for a BGP/MPLS IPv6 VPN and no load balancing is
carried out. If load balancing or other types of tunnels are required, you need to configure a
tunnel policy for the backbone network of the IPv6 VPN.

Before configuring the tunnel policy for the backbone network of a BGP/MPLS IPv6 VPN,
familiarize yourself with the applicable environment, complete the pre-configuration tasks, and
obtain the required data. This can help you complete the configuration task quickly and
accurately.
By default, an LSP is selected as the tunnel for a VPN, and no load balancing is carried out. To
perform load balancing or select tunnels of other types, you need to configure a tunnel policy in
select-sequence mode and then apply it.
In the IPv6 VPN, a tunnel policy is applied on IPv6 VPN instances.
In inter-AS VPN-Option B, inter-AS VPN-Option C and carrier's carrier, only LSPs are selected
as public network tunnels.
A tunnel policy in select-sequence mode includes the tunnel selection sequence and the number
of tunnels for load balancing.
Currently, optional tunnel types for BGP/MPLS IPv6 VPN are GRE, LSP configured statically
or dynamically, and CR-LSP (MPLS TE).
Before configuring a tunnel policy, configure the following tasks:
l Enabling IPv6 on the PEs and on the interfaces that need to be configured with IPv6
l Creating the IPv6 VPN instances on PE
l Setting up a tunnel between two PEs (LSP, MPLS TE or GRE)

For configuration of LSPs and MPLS TE tunnels, refer to the Quidway S7700 Smart
Routing Switch Configuration Guide - MPLS.
Data Preparation
To configure the tunnel policy, you need the following data.
No. Data
2 Priority sequence of the tunnels
3 Number of tunnels for load balancing
4 Name of the IPv6 VPN instance to which the tunnel policy is applied

A tunnel policy can determine the tunnel-selecting sequence and number of load-balanced
tunnels.
Context
Do as follows on PE devices configured with IPv6 VPN instance:
Procedure
Step 1 Run
system-view

Step 2 Run
A tunnel policy is created and the tunnel policy view is displayed.

For the tunnel policy in select-sequence mode, a tunnel policy corresponds to only one mode
for selecting tunnels. If multiple modes for selecting tunnels are required, you need to create
multiple tunnel policies.
An IPv6 VPN instance instance can have only one tunnel policy. Multiple IPv6 VPN instance
can share a tunnel policy.
Step 3 Run
tunnel select-seq { gre | lsp | cr-lsp } * load-balance-number load-balance-number
The precedence of the tunnels and the number of tunnels carrying out load balancing are
configured.
In IPv6 VPN, if no tunnel policy is configured, LSPs are selected as VPN tunnels and no load
balancing is performed.
In a tunnel policy, tunnels are selected in sequential order. If the preceding tunnel is Up, it will
be selected irrespective of whether or not other services have selected it. The subsequent tunnel

is not selected except in the case of load balancing or when the preceding tunnels are in the
Down state.
For example, if the tunnel select-seq lsp gre load-balance-number 1 command is configured,
a VPN selects GRE tunnels if no LSP exists. After an LSP is set up, the VPN selects the LSP
and does not use GRE tunnels anymore.
In IPv6 VPN networking, no GRE tunnel can be configured between PEs,and does not support
load balancing by tunnels, that is, the number of tunnels for load balancing is 1.
----End
4.6.3 Applying the Tunnel Policy to the IPv6 VPN

After a tunnel policy is configured, you need to apply the tunnel policy to theIPv6 VPN instance
to specify the tunnel-selecting sequence and number of load-balanced tunnels.
Context
Do as follows on PE devices configured with IPv6 VPN instance .
Procedure
Step 1 Run
system-view
Step 2 Run
Step 3 Run
The tunnel policy is applied to the IPv6 VPN instance .
For IPv6 VPN, the tunnel policy is applied to the IPv6 VPN instance.
----End

After a tunnel policy is configured for the backbone network of a BGP/MPLS IPv6 VPN, you
can find that the tunnel policy is applied by the IPv6 VPN instance and view information about
the tunnel policy.
Prerequisite
The configurations of the tunnel Policy applied to BGP/MPLS IPv6 VPN function are complete.
Procedure
l Run the display tunnel-policy tunnel-policy-name command to check configuration of the
tunnel policy.

l Run the display ipv6 vpn6-instance verbose [ vpn6-instance-name ] command to check

name of the tunnel policy of the IPv6 VPN instance .
----End
Example
Run the display tunnel-policy tunnel-policy-name command. If the configuration of the tunnel
policy is displayed, it means the configuration succeeds. For example:
------------------------------------------------------
policy1 LSP 1
Run the display ipv6 vpn6-instance verbose command. If the tunnel policy name of the IPv6
VPN instance is displayed, it means the configuration succeeds. In the following example, you
can view the tunnel policy of the VPN named vpna is policy1.
<Quidway> display ipv6 vpn6-instance verbose
Total VPN6-Instances configured : 1
VPN6-Instance Name and ID : vpna, 1

Create date : 2007/10/05 21:57:49 UTC-08:00
Description : ipv6
Log Interval : 5
4.7 Configuring Inter-AS IPv6 VPN-Option A

In inter-AS IPv6 VPN OptionA, an ASBR takes the peer ASBR as its CE and advertises VPNv6
routes to the peer ASBR through EBGP+.

Before configuring inter-AS IPv6 VPN OptionA, familiarize yourself with the applicable
If the MPLS backbone network bearing the VPN-IPv6 routes cross multiple ASs, you must
configure the inter-AS VPNs.
If the number of VPNs that access PEs and the number of IPv6 VPN routes are small, inter-AS
VPN Option-A is recommended.
In VPN-Option A, the Autonomous System Boundary Routers (ASBRs) must support the IPv6
VPN instance and can manage IPv6 routes. In addition, the ASBRs must reserve special
interfaces including sub-interfaces and physical interfaces for each inter-AS IPv6 VPN. Option
A, therefore, requires high performance of the ASBRs. No inter-AS configuration is needed on
the ASBRs.

Before configuring the IPv6 VPN-Option A, complete the following tasks:
backbones in one AS
l Enabling MPLS on the PEs and the ASBRs
l Setting up the tunnel (LSP or MPLS TE) between the PE and the ASBR in the same AS
l Enabling IPv6 on PEs, CEs and on the interfaces that need to be configured with IPv6
l Configuring the IPv6 address of the CE interface through which the CE accesses the PE
Data Preparation
To configure inter-AS IPv6 VPN-Option A, you need the following data.
No. Data
1 To configure the IPv6 VPN instance on the PE and the ASBR, you need the following
data:
l Name of the IPv6 VPN instance
l RD, VPN Target
routes
l (Optional) The maximum number of routes allowed by the IPv6 VPN instance
4 IPv6 addresses of the interfaces connected the ASBRs
5 Routing protocol adopted between the PE and the CE: static route, RIPng, IS-ISv6,
or BGP4+
6 IPv4 addresses and interfaces between the PE and ASBR to establish the MP-IBGP
peers
4.7.2 Configuring Inter-AS IPv6 VPN Option A

This part describes how to configure an IPv6 VPN instance on the PE and ASBR to be
respectively associated with the CE and the peer ASBR.
Context
Inter-AS IPv6 VPN-Option A is easy to deploy. When the amount of the IPv6 VPNs and the
VPN-IPv6 routes on the PE is small, the Option A can be adopted.
The configurations of the inter-AS VPN-Option A are as follows:

Procedure
Step 1 4.4 Configuring Basic BGP/MPLS IPv6 VPN on each AS.
Step 2 Configuring ASBR by considering the peer ASBR as its CE.
Step 3 Configuring an IPv6 VPN instance for the PE and the ASBR separately. For more detail, refer
to 4.3 Configuring an IPv6 VPN Instances.
The VPN instance for PE is used to access CE; that for ASBR is used to access its peer ASBR.
NOTE
In inter-AS VPN-Option A mode, for the same IPv6 VPN, the VPN targets of the IPv6 VPN instance on
ASBR and the PE must be matched in an AS. This is not required for the PEs in different ASs.
----End

After inter-AS IPv6 VPN OptionA is configured, you can view information about all BGP peer
relationships, and IPv6 VPN routing information on the PE or ASBR.
Prerequisite
The configurations of the Inter-AS IPv6 VPN-Option A function are complete.
Procedure
l Run the display bgp vpnv6 all peer command to check information about the BGP peers
l Run the display bgp vpnv6 all routing-table command to check the VPN-IPv6 routes on
the PE or the ASBR.
l Run the display ipv6 routing-table vpn6-instance vpn6-instance-namecommand to check
the VPN routing table on the PE or the ASBR.
----End
Example
Run the display bgp vpnv6 all peer command. If the BGP IPv6 VPN peer relationship between
the ASBR and the PE in the same AS is "Established", it means the configuration succeeds.
Run the display bgp vpnv6 all routing-table command. If the VPN-IPv6 routes of the ASBR
are displayed, it means the configuration succeeds.
Running the display ipv6 routing-table vpn6-instance vpn6-instance-name command, you can
view the relevant IPv6 VPN routes in the VPN routing table of the PE and the ASBR.
4.8 Configuring Inter-AS IPv6 VPN-Option B

In inter-AS IPv6 VPN OptionB, ASBRs exchange VPNv6 routes that are sent from the PEs in
the attached ASs through MP-EBGP.


Before configuring inter-AS IPv6 VPN OptionB, familiarize yourself with the applicable
If the MPLS backbone network bearing VPN-IPv6 routes crosses multiple ASs, the inter-AS
VPN is needed. If the ASBR can manage VPN-IPv6 routes, however, there are no enough
interfaces for each inter-AS IPv6 VPN, the inter-AS VPN-Option B is adopted. In this option,
the ASBR is involved in maintaining and advertising VPN-IPv6 routes.
Before configuring inter-AS IPv6 VPN-Option B, complete the following tasks:
backbones in one AS
l Configuring basic MPLS capability for the MPLS backbone network
l Configuring MPLS LDP to establish LDP LSP for the MPLS backbone network
l 4.3.2 Creating an IPv6 VPN Instance on the PE devices connected with the CE devices
and 4.4.3 Binding an Interface to an IPv6 VPN Instance
l Configuring the IPv6 addresses of the CE interfaces through which the CE accesses the PE
Data Preparation
To configure inter-AS IPv6 VPN-Option B, you need the following data.
No. Data
1 To configure the IPv6 VPN instance on the PE, you need the following data:
l Name of the IPv6 VPN instance
l RD, VPN Target
routes
l (Optional) he maximum number of routes allowed by the IPv6 VPN instance
4 IPv4 addresses of the interfaces connected the ASBRs
5 Routing protocol adopted between the PE and the CE: static route, RIPng, IS-ISv6
or BGP4+
6 IPv4 addresses and interfaces setting up the MP-IBGP peer between the PE and the
ASBR

4.8.2 Configuring MP-IBGP Between PEs and ASBRs in the Same

AS
between PEs and ASBRs.
Context
Do as follows on the PE and the ASBR in the same AS:
Procedure
Step 1 Run
system-view

Step 2 Run:
bgp as-number

Step 3 Run
The peer ASBR is specified as the IBGP peer.

Step 4 Run
The address of the loopback interface is specified as the source address of the BGP session.
Step 5 Run
ipv6-family vpnv6
The BGP IPv6 VPN address family is displayed.

Step 6 Run
The exchange of VPN-IPv6 routes with the peer PE or the ASBR is enabled.
----End
4.8.3 Configuring MP-EBGP Between ASBRs in Different ASs

In inter-AS IPv6 VPN OptionB, ASBRs may not be configured with the IPv6 VPN instance,
but they must establish an MP-EBGP peer relationship with each other.
Context
Procedure
Step 1 Run
system-view


Step 2 Run
The view of the interface connected with the ASBR interface is displayed.
Step 3 Run
The IPv4 address of the interface is configured.

Step 4 Run
mpls
MPLS is enabled on the interface.

Step 5 Run
quit

Step 6 Run
bgp as-number

Step 7 Run
The peer ASBR is specified as the EBGP peer.

Step 8 Run
ipv6-family vpnv6

Step 9 Run
The exchange of VPN-IPv6 routes with the peer ASBR is enabled.
----End
4.8.4 Controlling the Receiving and Sending of VPN Routes

An ASBR can either store all VPNv6 routes or store certain VPNv6 routes by filtering VPN
targets through a routing policy.
Context
There are several methods for controlling the receiving and sending of VPN routes on the ASBR.
Without VPN Target Filtering is one for controlling the receiving and sending of VPN routes.
Procedure
Step 1 Run
system-view

Step 2 Run
bgp as-number
Step 3 Run
ipv6-family vpnv6
Step 4 Run
The VPN-IPv6 routes are not filtered by the VPN target.
By default, the PE performs VPN target filtering on the received VPN-IPv6 routes. The routes
passing the filter is added to the routing table, and the others are discarded. If the PE is not
configured with IPv6 VPN instance, or the IPv6 VPN instance is not configured with the VPN-
Target, the PE discards all the received VPN-IPv6 routes.
In the inter-AS VPN-Option B mode, if the ASBR does not store information about the IPv6
VPN instance, the ASBR must save all the VPN-IPv6 routing information and advertise it to the
peer ASBR. In this case, the ASBR should receive all the VPN-IPv6 routing information without
the VPN-Target filtering.
----End
4.8.5 (Optional) Storing Information About the IPv6 VPN instance

on the ASBRs
If IPv6 VPN routing information needs to be sent and received through ASBRs, the
corresponding IPv6 VPN instances needs to be configured on the ASBRs.
Context
NOTE
It is recomended to perform either Step 5 or Step 6.
Procedure
Step 1 Run
system-view
Step 2 Run
If the VPN receives and sends the VPN-IPv6 routing information through the ASBR, configure
the corresponding instance on the ASBR. Otherwise, the instance is not needed.

Step 3 Run
The RD is configured for the IPv6 VPN instance.
Step 4 Run
vpn-target vpn-target &<1-8> import-extcommunity
The VPN target extended community for the IPv6 VPN instance is created.
For the same VPN in the inter-AS VPN-Option B mode, the VPN targets of the ASBR and the
PE in an AS should match with each other.
The VPN targets of the PE in different Ass must match with each other likewise.
Step 5 (Optional) Run

The maximum number of routes is configured for the IPv6 VPN instance.



An import routing policy is created for the IPv6 VPN instance.

An export routing policy is created for the IPv6 VPN instance.
----End
4.8.6 (Optional) Enabling Next-Hop-based Label Allocation on the

ASBR
To save label resources on an ASBR, you can enable next-hop-based label allocation on the
ASBR. Note that next-hop-based label allocation and one label per instance need to be enabled
together on the ASBR.
Context
In a VPN Option B scenario, after next-hop-based label allocation is enabled on the ASBR, the
ASBR allocates only one label for the IPv6 VPN routes with the same next hop and outgoing
label. Compared with allocating a label for each IPv6 VPN route, next-hop-based label allocation
greatly saves the label resources.

Procedure
Step 1 Run:
system-view

Step 2 Run:
bgp as-number
The BGP view is display

Step 3 Run:
ipv6-family vpnv6
The BGP-VPNv6 view is displayed.

Step 4 Run:
apply-label per-nexthop
The next-hop-based label allocation for IPv6 VPN routes is enabled.
CAUTION
After next-hop-based label allocation is enabled or disabled, the label allocated by the ASBR
for a route changes, which leads to packet loss.
----End

The routing protocol between a PE and a CE can be BGP4+, static route, RIPng, OSPFv3, or
IS-ISv6.
Context
Choose one of the preceding methods as required.
l Configuring BGP4+ Between PE and CE.
l Configuring Static Routes Between PE and CE.
l Configuring RIPng Between PE and CE.
l Configuring OSPFv3 Between PE and CE.
l Configuring IS-ISv6 Between PE and CE.
For detailed configurations, see 4.4.5 Configuring Route Exchange Between PE and CE.

After inter-AS IPv6 VPN OptionB is configured, you can view information about all BGP peer
relationships, and IPv6 VPN routing information on the PE or ASBR.
Prerequisite
The configurations of the Inter-AS IPv6 VPN-Option B function are complete.

Procedure
l Run the display bgp vpnv6 all routing-table command to check the VPN-IPv6 routing
table on the PE or the ASBR.
l Run the display bgp vpnv6 all peer command to check information about all the BGP
peers on the PE or the ASBR.
l Run the display ipv6 routing-table vpn6-instance [ vpn6-instance-name ] command to
check the VPN routing table on the PE.
l Run the display mpls lsp command to check information about the LSP and label on the
ASBR.
----End
Example
Run the display bgp vpnv6 all routing-table command on the ASBR. If the IPv6 routes of the
VPN are displayed, it means the configuration succeeds.
Run the display bgp vpnv6 all peer command on the PE or the ASBR. You can find that the
status of the IBGP peer relationship between PEs and ASBRs in the same AS is Established,
and the status of the EBGP peer relationship between two directly connected ASBRs in different
ASs is Established.
Run the display ipv6 routing-table vpn6-instance [ vpn6-instance-name ] command on the
PE. If the relevant IPv6 VPN routes are displayed, it means the configuration succeeds.
Run the display mpls lsp command on the ASBR. If information about the LSP and label is
displayed, it means that the configuration succeeds. If the ASBR is enabled with the next-hop-
based label allocation, only one label is allocated for the IPv6 VPN routes with the same next
hop and outgoing label.
4.9 Configuring Route Reflection for BGP VPNv6 Routes

Deploying a BGP VPNv6 Route Reflector (RR) reduces the number of MP-IBGP connections.
This lightens the burden of PEs and facilitates network maintenance and management.

Before configuring a BGP VPNv6 RR to optimize the IPv6 VPN backbone layer, familiarize
yourself with the applicable environment, complete the pre-configuration tasks, and obtain the
required data. This can help you complete the configuration task quickly and accurately.
The BGP speaker does not advertise the routes learned from IBGP devices to its IBGP peers.
To make a PE advertise the routes of the VPN that the PE accesses to the BGP VPNv6 peers in
the same AS, the PE must establish IBGP connections with all peers to directly exchange VPN
routing information. That is, MP IBGP peers must establish full connections between each other.
Suppose there are n PEs (including ASBRs) in an AS, n (n-1)/2 MP IBGP connections need to
be established. A large number of IBGP peers consume a great amount of network resources.
The Route Reflector (RR) can solve this problem. In an AS, one switch severs as the RR to
reflect IPv6 VPN routes and the other PEs and ASBRs serve as the clients, which are called

Client PEs. An RR can be a P, PE, ASBR, or other devices. To relieve the burden of an RR, you
can configure the RR to maintain routing information instead of forwarding user data.
The introduction of the RR reduces the number of MP IBGP connections. This lightens the
burden of PEs and facilitates network maintenance and management.
Before configuring the route reflection for BGP VPNv6 routes, complete the following tasks:
l Enable IPv6 globally on the PE, and enable IPv6 on the interfaces that need be configured
with IPv6.
l Configuring the routing protocol for the MPLS backbone network to implement IP
connectivity between switchs in the backbone network
l Establishing tunnels (LSPs or MPLS TE tunnels) between the RR and all PEs serving as
the clients
Data Preparation
To configure route reflection for BGP VPNv6 routes, you need the following data.
No. Data
3 IP address of the peer
4.9.2 Configuring the Client PEs to Establish MP IBGP Connections

with the RR
You can configure a PE to establish an MP-IBGP peer relationship with an RR. In this manner,
the RR reflects VPNv6 routes for the PE.
Context
Do as follows on all Client PEs.
Procedure
Step 1 Run:
system-view

Step 2 Run:
bgp as-number

Step 3 Run:

Step 4 Run:
Step 5 Run:
ipv6-family vpnv6
Step 6 Run:
The capability of exchanging IPv6 VPN routes between the Client PE and the RR is enabled.
----End

All Client PEs
You can configure an RR to establish MP-IBGP peer relationships with all its client PEs. In this
manner, the RR reflects VPNv6 routes for all these PEs.
Context
Choose one of the following schemes to configure the RR to establish MP IBGP connections
with the client PEs.
Procedure
l Configuring the RR to Establish MP IBGP Connections with the Peer Group
Add all the client PEs to the peer group and establish MP IBGP connection between the
RR and the peer group.
1. Run:
system-view

2. Run:
bgp as-number

3. Run:

4. Run:


5. Run:
ipv6-family vpnv6
The BGP-VPNv6 address family view is displayed.

6. Run:
enabled.
7. Run:

l Configuring the RR to establish an MP IBGP connection with each client PE
Perform Step 1 to Step 6 repeatedly on the RR to establish an MP IBGP connection between
the RR and each client PE.
1. Run:
system-view

2. Run:
bgp as-number

3. Run:
The client PE is specified as the BGP peer.

4. Run:

The IP address of the interface must be the same as the MPLS LSR ID. It is
recommended to specify a loopback interface to establish the TCP connection.
5. Run:
ipv6-family vpnv6
The BGP-VPNv6 address family view is displayed.

6. Run:
The capability of exchanging IPv6 VPN routes between the RR and the client PE is
enabled.
----End
4.9.4 Configuring Route Reflection for BGP VPNv6 Routes

Before configuring a BGP VPNv6 RR, ensure that the RR establishes the MP-IBGP peer
relationships with all its client PEs.

Context
Do as follows on the RR.
Procedure
Step 1 Run:
system-view
Step 2 Run:
bgp as-number
Step 3 Run:
ipv6-family vpnv6
Step 4 Enable the route reflection for BGP IPv6 VPN routes on the RR.
l Run the peer { group-name | ipv4-address } reflect-client command to enable the route
reflection if the RR establishes the MP IBGP connection with the peer group consisting of
all Client PEs.
l Run the peer ipv4-address reflect-client command repeatedly to enable the route reflection
if the RR establishes the MP IBGP connection with each PE rather than peer group.
Step 5 Run:
The filtering of IPv6 VPN routes based on the VPN target is disabled.

----End

After configuring a BGP VPNv6 RR to optimize the VPN backbone layer, you can view BGP
peer information and VPNv6 routing information on the RR or its client PEs.
Prerequisite
The configurations of the route reflection for BGP VPNv6 function are complete.
Procedure
l Run the display bgp vpnv6 all peer [ [ ipv4-address ] verbose ] command to check
information about the BGP VPNv6 peer on the RR or the Client PEs.
received-routes } command to check information about the IPv6 VPN routes received
from the peer or the IPv6 VPN routes advertised to the peer on the RR or the Client PEs.

l Run the display bgp vpnv6 all group [ group-name ] command to check information about
the IPv6 VPN peer group on the RR.
----End
Example
If the configurations succeed,
PEs is "Established" after running the display bgp vpnv6 all peer command on the RR or
Client PEs.
l You can find that the RR and each Client PE can receive and send IPv6 VPN routing
information between each other after running the display bgp vpnv6 all routing-table
peer ipv4-address { advertised-routes | received-routes } command on the RR or the
Client PEs.
4.10 Maintaining BGP/MPLS IPv6 VPN

Maintaining BGP/MPLS IPv6 VPN involves checking VPN traffic, monitoring network
connectivity, resetting BGP connection.
4.10.1 Displaying BGP/MPLS IPv6 VPN Information

Monitoring the running status of BGP/MPLS IPv6 VPN involves checking information about
IPv6 VPN instance, VPNv6 peers, and logs of BGP peers.
Prerequisite
In routine maintenance, you can run the following commands in any view to check the status of
BGP/MPLS IPv6 VPN.
Procedure
check the IP routing table of the IPv6 VPN instance.
l Run the display ipv6 vpn6-instance [ verbose | brief ] [ vpn6-instance-name ] command
to check the IPv6 VPN instance information.
l Run the display bgp vpnv6 { all | route-distinguisher route-distinguisher | vpn6-
instance vpn6-instance-name } routing-table ipv6-address [ prefix-length ] command to
check information of the BGP IPv6 VPN routing table.
instance vpn6-instance-name } routing-table statistics [ match-options ] command to
check the statistics about the BGP VPN-IPv6 routing table.
instance vpn6-instance-name } routing-table [ match-options ] command to check
information of the BGP VPN-IPv6 routing table.

l Run the display bgp vpnv6 { all | vpn6-instance vpn6-instance-name } group [ group-
name ] command to check BGP IPv6 VPN peer group information.
l Run the display bgp vpnv6 all peer [ [ ipv4-address ] verbose ] or display bgp vpnv6
vpn6-instance vpn6-instance-name peer [ [ ipv6-address ] verbose ] command to check
BGP IPv6 VPN peer information.
l Run the display bgp vpnv6 { all | vpn6-instance vpn6-instance-name } network command
to check VPN-IPv6 routing information advertised.
l Run the display bgp vpnv6 { all | vpn6-instance vpn6-instance-name } paths [ as-regular-
expression ] command to check AS path information of BGP VPN-IPv6.
l Run the display bgp vpn6-instance vpn6-instance-name vpn6-instance-name peer
{ group-name | ipv6-address } log-info command to check BGP peer's log information of
specified IPv6 VPN instance.
----End
4.10.2 Checking the Network Connectivity and Reachability

This part describes how to use the ping command to detect network connectivity between the
sending end and the receiving end, and how to use the tracert command to identify the devices
along the path.
Procedure
l Run the ping ipv6 host command to check whether the IPv6 network is correctly set up to
send IPv6 packets from the transmitting end to the destination address.
l Run the tracert ipv6 ipv6-host command to check the gateways through which the IPv6
packets are sent from the transmitting end to the destination address.
l Run the ping [ ip ] [ -a source-ip-address | -c count | -d | -f | -h ttl-value | -i interface-
type interface-number | -m time | -n | -p pattern | -q | -r | -s packetsize |-t timeout | -tos tos-
value | -v | -vpn-instance vpn-instance-name ] * host command to check whether the IPv4
backbone network is correctly set up to send IPv4 packets from the transmitting end to the
destination address.
l Run the tracert [ -a source-ip-address | -f first-ttl | -m max-ttl | -p port | -q nqueries | -vpn-
instance vpn-instance-name | -w timeout ] * host command to check the gateways through
which the IPv4 packets are sent from the transmitting end of the IPv4 backbone network
to the destination address of the IPv4 backbone network.
----End
Example
After the VPN configuration, using the ping command with ipv6 vpn6-instance vpn6-instance-
name on PE device, you can check whether the PE and the CE that belongs to the same VPN
can communicate with each other. If the ping fails, you can use the tracert command with vpn6-
instance vpn6-instance-name to locate the fault.
If multiple interfaces bound with the same VPN exist on the PE, specify the source IP address,
that is, -a source-ipv6-address when you ping the remote CE that accesses the peer PE. If you
do not specify a source IP address, the PE selects the smallest IPv6 address of the interface bound
to the IPv6 VPN on the PE as the source address of the ICMPv6 packet. If the CE does not have
the route to the selected IPv6 address, the ICMPv6 packet sent back from the peer PE is discarded.

4.10.3 Viewing the Integrated Route Statistics of all IPv6 VPN

Instances
The comprehensive route statistics for IPv6 VPN Instances refer to the route statistics for all
IPv6 VPN Instances.
Procedure
l Run the display ipv6 routing-table all-vpn6-instance statistics to view the integrated
route statistics of all IPv6 VPN Instances.
----End
4.10.4 Resetting BGP Statistics of IPv6 VPN instance

BGP statistics for IPv6 VPN instance cannot be restored after being cleared. Therefore, confirm
the action with caution.
Procedure
l Run the reset bgp vpn6-instance vpn6-instance-name [ ipv6-address ] flap-info command
in the user view to clear statistics of the BGP peer flap for a specified IPv6 VPN
instance.
l Run the reset bgp vpn6-instance vpn6-instance-name dampening [ ipv6-address prefix-
length ] command in the user view to clear dampening information of IPv6 VPN
instance.
----End
4.10.5 Resetting BGP Connections

After the BGP configuration is changed, you can validate the new configuration by soft reset or
the reset of the BGP connections. Note that resetting BGP connections leads to interruption of
IPv6 VPN services.
Context
CAUTION
IPv6 VPN services are interrupted after the BGP connection is reset. So, confirm the action
before you use the command.
When the BGP configuration changes, you can use the soft reset or reset BGP connections to
let the new configurations take effect. Soft reset requires the BGP peers have route refreshment
capability (supporting Route-Refresh messages).
Procedure
l Run the refresh bgp vpn6-instance vpn6-instance-name { all | ipv6-address | group
group-name | internal | external } import command in the user view to trigger the inbound
soft reset of IPv6 VPN instance's BGP connection.

l Run the refresh bgp vpn6-instance vpn6-instance-name { all | ipv6-address | group

group-name | internal | external } export command in the user view to trigger the outbound
soft reset of IPv6 VPN instance's BGP connection.
l Run the refresh bgp vpnv6 { all | ipv4-address | ipv6-address | group group-name |
internal | external } import command in the user view to reset trigger the inbound soft
reset of BGP VPNv6 connection.
l Run the refresh bgp vpnv6 { all | ipv4-address | ipv6-address | group group-name |
internal | external } export command in the user view to trigger the outbound soft reset
of BGP VPNv6 connection.
l Run the reset bgp vpn6-instance vpn6-instance-name { all | as-number | ipv6-address |
group group-name | external } command in the user view to reset BGP connections of the
IPv6 VPN instance.
l Run the reset bgp vpnv6 { as-number | ipv4-address | group group-name | all | internal |
external } command in the user view to reset BGP VPNv6 connections.
----End
4.10.6 Debugging BGP/MPLS IPv6 VPN

You can run the debugging command to view the debugging information and locate the fault.
Debugging affects the system performance.
Context
CAUTION
Enabling the debugging affects the system performance. After debugging, run the undo
debugging all command to disable it at once.
Run the following debugging commands in user view to debug BGP/MPLS IPv6 VPN and to
locate the fault.
For more information, see the chapter "Information Center Configuration" in the Quidway
S7700 Smart Routing Switch Configuration Guide - System Management. For the description
about the debugging commands, refer to the Quidway S7700 Smart Routing Switch Debugging
Reference.
Procedure
l Run the debugging bgp vpn6-instance vpn6-instance-name ipv6-address { all | event |
timer } command in the user view to enable the debugging of the specified BGP peers in
an IPv6 VPN instance.
l Run the debugging bgp vpn6-instance vpn6-instance-name ipv6-address { keepalive |
open | packet | raw-packet | route-refresh } [ receive | send ] [ verbose ] command in
the user view to enable the packet debugging of the specified BGP peers in an IPv6 VPN
instance.
l Run the debugging bgp update vpn6-instance vpn6-instance-name [ peer ipv6-address
| ipv6-prefix ipv6-prefix-name | acl acl-number ] [ receive | send ] [ verbose ] command
in the user view to enable the BGP Update packets debugging of IPv6 VPN instances.

l Run the debugging bgp update vpnv6 [ peer ipv4-address | ipv6-prefix ipv6-prefix-
name | acl acl-number ] [ receive | send ] [ verbose ] command in the user view to enable
the BGP Update packets debugging of VPN-IPv6 routes.
l Run the debugging bgp update label-route [ peer peer-ipv4-address ] [ acl acl-number
| ipv6-prefix ipv6-prefix-name ] [ receive | send ] [ verbose ] command in the user view
to enable the BGP Update packets debugging of labeled routes.
----End

This section provides several configuration examples of IPv6 VPN. In each configuration
example, the networking requirements, configuration notes, configuration roadmap,
configuration procedures, and configuration files are provided.
4.11.1 Example for Configure Basic BGP/MPLS IPv6 VPN

As shown in Figure 4-2, CE1 and CE3 belong to vpna, and CE2 and CE4 belong to vpnb. The
users in different VPNs cannot access each other. Interface VALNIF 1001 or VLANIF 1011 on
each CE is the internal network interface.
In this example, different ways for exchanging routes are adopted according to the AS to which
the directly-connected PEs and CEs belong to.
l PE1 and CE1 exchange routes through BGP4+.
l PE1 and CE2 exchange routes through IPv6 static routes.
l PE2 and CE3 exchange routes through IS-ISv6.
l PE2 and CE4 exchange routes through RIPng.
You can choose the route exchange way according to the actual networking.

Figure 4-2 Networking diagram for configure basic BGP/MPLS IPv6 VPN
vpna
AS: 65410 AS: 100
vpnb
CE1 CE4
GE2/0/0 GE2/0/0
GE1/0/0 VLANIF 1001 VLANIF1011 GE1/0/0
Loopback1
GE1/0/0 2.2.2.9/32 GE1/0/0
PE1 GE1/0/0 GE2/0/0 PE2
Loopback1 VLANIF 10 VLANIF 20 Loopback1
1.1.1.9/32 GE3/0/0 GE3/0/0 3.3.3.9/32
GE2/0/0 VLANIF 10 P VLANIF 20 GE2/0/0
VLANIF 101 MPLS backbone VLANIF 100
AS: 100
GE1/0/0 GE1/0/0
GE2/0/0 GE2/0/0
CE2 CE3
vpna
AS: 100
vpnb AS: 65420
Device Interface VLANIF Interface IPv4 Address IPv6 Address
PE1 GigabitEthernet1/0/0 VLANIF 100 - 2001::2/64
GigabitEthernet2/0/0 VLANIF 101 - 2003::2/64
GigabitEthernet3/0/0 VLANIF 10 192.168.1.1/24 -
PE2 GigabitEthernet1/0/0 VLANIF 101 - 2005::2/64
P GigabitEthernet1/0/0 VLANIF 10 192.168.1.2/24 -
CE1 GigabitEthernet1/0/0 VLANIF 100 - 2001::1/64

1. Configure an IGP protocol on the IPv4 public network to implement interconnection on
2. Configure MPLS and MPLS LDP on each PE and P. That is, the VPN uses the LDP LSP
on the IPv4 public network.
3. Configure MP-IBGP on PE1 and PE2. That is, the PEs exchange IPv6 VPN routes through
BGP.
4. Configure the IPv6 routing protocol on each PE and CE so that the PEs and CEs can learn
the IPv6 routes of each other.
Data Preparation
l ASNs used by the PEs and CEs to establish BGP peers
l RD, export VPN target, and import VPN target of each VPNv6 instance
Procedure
Step 1 Configure the IPv6 packet forwarding capability of each CE and PE.
# Enable the IPv6 forwarding capability on CE1.
<CE1> system-view
[CE1] ipv6
The configurations on CE2, CE3, CE4, PE1, and PE2 are similar to the configuration on CE1
Step 2 Configure the VLAN ID allowed by each interface and set the IP addresses of the VLANIF
interfaces except for the interfaces that connect PEs to CEs. For the data planning, see Figure
4-2.
1. configure the VLAN IDs allowed on the interfaces.
# Configure the VLAN ID allowed by the interface of CE1.
[CE1-GigabitEthernet1/0/0] port link-type hybrid
[CE1-GigabitEthernet2/0/0] port link-type hybrid
The configurations on CE2, CE3, CE4, PE1, and PE2 are similar to the configuration on
CE1 and are not mentioned here.

2. Set IPv6 or IPv4 addresses for interfaces.
# Set the IPv6 address for the interface of CE1.

[CE1-Vlanif100] ipv6 enable
[CE1-Vlanif100] ipv6 address 2001::1 64
[CE1-Vlanif100] quit
The configurations on CE2, CE3, and CE4 are similar to the configuration on CE1 and are
not mentioned here.
# Set the IPv4 address for the interface of PE1.

[PE1-Vlanif10] quit
The configurations on P and PE2 are similar to the configuration on PE1 and are not
mentioned here.
Step 3 Configure an IGP protocol on the backbone network to ensure the connectivity of the backbone
network. The IS-IS protocol is used in this example.
# Configure an IPv4 IGP protocol on PE1. The IS-IS protocol is used in this example.
[PE1] isis 1
[PE1-isis-1] quit
[PE1-Vlanif10] quit
The configurations on P and PE2 are similar to the configuration on PE1 and are not mentioned
here.
After the configuration, PE1, P, and PE2 can learn the routes of each other, including the routes
on the loopback interface. You can view the routes by using the display ip routing-table
command. Take the display on PE1 as an example.
LDP LSP Information
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
1.1.1.9/32 3/NULL 2.2.2.9 127.0.0.1 InLoop0
*1.1.1.9/32 Liberal
2.2.2.9/32 NULL/3 - 192.168.1.2 Vlanif10
2.2.2.9/32 1024/3 2.2.2.9 192.168.1.2 Vlanif10
3.3.3.9/32 NULL/1025 - 192.168.1.2 Vlanif10
3.3.3.9/32 1025/1025 2.2.2.9 192.168.1.2 Vlanif10
-------------------------------------------------------------------------------

Step 4 Establish a tunnel between PE1 and PE2.
The MPLS LDP LSP is used in this example.
# Enable MPLS and MPLS LDP on PE1.

[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif10] mpls
[PE1-Vlanif10] quit
# Enable MPLS and MPLS LDP on P.

[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif10] mpls
[P-Vlanif10] quit
[P-Vlanif20] mpls
[P-Vlanif20] quit
# Enable MPLS and MPLS LDP on PE2.

[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif20] mpls
[PE2-Vlanif20] quit
After the preceding configurations are complete, an LDP LSP can be established between PE1
and PE2. Run the display mpls ldp lsp command, and you can see the establishment status of
the LDP LSP. Take the display on PE1 as an example.
LDP LSP Information
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
1.1.1.9/32 3/NULL 2.2.2.9 127.0.0.1 InLoop0
*1.1.1.9/32 Liberal
2.2.2.9/32 NULL/3 - 192.168.1.2 Vlanif10
2.2.2.9/32 1024/3 2.2.2.9 192.168.1.2 Vlanif10
3.3.3.9/32 NULL/1025 - 192.168.1.2 Vlanif10
3.3.3.9/32 1025/1025 2.2.2.9 192.168.1.2 Vlanif10
-------------------------------------------------------------------------------

Step 5 Configure the VPNv6 instance on PE1 and PE2.

# Configure the IPv6 VPN instance vpna on PE1.
[PE1] ipv6 vpn6-instance vpna
[PE1-vpn6-instance-vpna] route-distinguisher 100:1
[PE1-vpn6-instance-vpna] vpn-target 22:22 export-extcommunity
[PE1-vpn6-instance-vpna] vpn-target 33:33 import-extcommunity
[PE1-vpn6-instance-vpna] quit
# Bind the interface directly connected PE1 to CE1 to the VPNv6 instance vpna.
[PE1-Vlanif100] ipv6 enable
[PE1-Vlanif100] ipv6 binding vpn6-instance vpna
[PE1-Vlanif100] ipv6 address 2001::2 64
# Configure the VPNv6 instance vpnb on PE1.

[PE1] ipv6 vpn6-instance vpnb
[PE1-vpn6-instance-vpnb] route-distinguisher 200:1
[PE1-vpn6-instance-vpnb] vpn-target 44:44 export-extcommunity
[PE1-vpn6-instance-vpnb] vpn-target 55:55 import-extcommunity
[PE1-vpn6-instance-vpnb] quit
# Bind the interface directly connected PE1 to CE2 to the VPNv6 instance vpnb.
[PE1-Vlanif101] ipv6 binding vpn6-instance vpnb
# Configure the VPNv6 instance vpna on PE2.

[PE2] ipv6 vpn6-instance vpna
[PE2-vpn6-instance-vpna] route-distinguisher 300:1
[PE2-vpn6-instance-vpna] vpn-target 33:33 export-extcommunity
[PE2-vpn6-instance-vpna] vpn-target 22:22 import-extcommunity
[PE2-vpn6-instance-vpna] quit
# Bind the interface directly connected PE2 to CE3 to the VPNv6 instance vpna.
[PE2-Vlanif100] ipv6 binding vpn6-instance vpna
# Configure the VPNv6 instance vpnb on PE2.

[PE2] ipv6 vpn6-instance vpnb
[PE2-vpn6-instance-vpnb] route-distinguisher 400:1
[PE2-vpn6-instance-vpnb] vpn-target 55:55 export-extcommunity
[PE2-vpn6-instance-vpnb] vpn-target 44:44 import-extcommunity
[PE2-vpn6-instance-vpnb] quit
# Bind the interface directly connected PE2 to CE4 to the VPNv6 instance vpnb.
[PE2-Vlanif101] ipv6 binding vpn6-instance vpnb
After the preceding configurations are complete, run the display ipv6 vpn6-instance verbose
command on each PE to view information about the VPNv6 instance. Each PE can ping the
connected CE. Take the display on PE1 as an example.

[PE1] display ipv6 vpn6-instance verbose

VPN6-Instance Name and ID : vpna, 1

Create date : 2009/05/17 15:38:28 UTC-08:00
Log Interval : 5
VPN6-Instance Name and ID : vpnb, 2

Create date : 2009/05/17 15:40:18 UTC-08:00
Log Interval : 5
[PE1] ping ipv6 vpn6-instance vpna 2001::1

PING 2001::1 : 56 data bytes, press CTRL_C to break
Reply from 2001::1
Reply from 2001::1
Reply from 2001::1
Reply from 2001::1
Reply from 2001::1
--- 2001::1 ping statistics ---
0.00% packet loss
Step 6 Establish the VPNv6 peer relation between PE1 and PE2.
# Configure BGP on PE1.
[PE1] bgp 100
# Configure BGP on PE2.

[PE2] bgp 100
After the preceding configurations are complete, run the display bgp vpnv6 all peer command
on a PE to view the status of VPNv6 peer relation. Take the display on PE1 as an example.

3.3.3.9 4 100 3 3 0 00:02:19 Established 0
You can see that a VPNv6 peer relation is established between PE1 and PE2.
Step 7 Configure BGP4+ on PE1 and CE1.
# Configure EBGP on PE1.

[PE1] bgp 100
[PE1-bgp] ipv6-family vpn6-instance vpna
[PE1-bgp6-vpna] peer 2001::1 as-number 65410
[PE1-bgp6-vpna] import-route direct
[PE1-bgp6-vpna] quit
[PE1-bgp] quit
# Configure EBGP on CE1.

[CE1] bgp 65410
[CE1-bgp] router-id 10.10.10.10
[CE1-bgp] peer 2001::2 as-number 100
[CE1-bgp-af-ipv6] peer 2001::2 enable
[CE1-bgp-af-ipv6] import-route direct
[CE1-bgp-af-ipv6] quit
[CE1-bgp] quit
After the preceding configurations are complete, run the display bgp vpnv6 vpn6-instance
vpnv6-instance-name peer command on PE1 to view the status of the peer relation.
[PE1] display bgp vpnv6 vpn6-instance vpna peer
2001::1 4 65410 10 9 0 00:06:10 Established 1
You can also run the display bgp ipv6 peer command on CE1 to view the status of the peer
relation.
[CE1] display bgp ipv6 peer
2001::2 4 100 2 3 0 00:00:32 Established 0
You can see that the EBGP connection is established between PE1 and CE1.
Step 8 Configure a static route between PE1 and CE2.
# Configure an IPv6 static route for the VPNv6 instance vpnb on PE1.
[PE1] ipv6 route-static vpn6-instance vpnb 1998:: 64 2003::1
# Import the static route and directly connected route to BGP on PE1.
[PE1] bgp 100
[PE1-bgp] ipv6-family vpn6-instance vpnb
[PE1-bgp6-vpnb] import-route static
[PE1-bgp6-vpnb] import-route direct
[PE1-bgp6-vpnb] quit
[PE1-bgp] quit
# Configure the IPv6 default route on CE2.

[CE2] ipv6 route-static :: 0 2003::2

Step 9 Configure IS-ISv6 on PE2 and CE3.

# Configure IS-ISv6 on PE2.
[PE2] isis 10 vpn6-instance vpna
[PE2-isis-10] network-entity 30.4444.4444.4444.4444.00
[PE2-isis-10] ipv6 enable
[PE2-isis-10] ipv6 import-route bgp
[PE2-isis-10] quit
[PE2-Vlanif100] isis ipv6 enable 10
# Import IS-ISv6 routes to BGP on PE2.

[PE2] bgp 100
[PE2-bgp] ipv6-family vpn6-instance vpna
[PE2-bgp6-vpna] import-route isis 10
[PE2-bgp6-vpna] quit
[PE2-bgp] quit
# Configure IS-ISv6 on CE3.

[CE3] isis 10
[CE3-isis-10] ipv6 enable
[CE3-isis-10] quit
[CE3-Vlanif100] isis ipv6 enable 10
[CE3-Vlanif1001] isis ipv6 enable 10
[CE3-vlanif1001] quit
Step 10 Configure RIPng on PE2 and CE4.

# Configure RIPng on PE2.
[PE2] ripng 100 vpn6-instance vpnb
[PE2-ripng-100] import-route bgp
[PE2-ripng-100] quit
[PE2-Vlanif101] ripng 100 enable
# Import RIPng routes to BGP on PE2.

[PE2] bgp 100
[PE2-bgp] ipv6-family vpn6-instance vpnb
[PE2-bgp6-vpnb] import-route ripng 100
# Configure RIPng on CE4.

[CE4] ripng 100
[CE4-ripng-100] quit
[CE4-Vlanif101] ripng 100 enable
[CE4-vlanif101] quit
[CE4-Vlanif1011] ripng 100 enable

After the preceding configurations are complete, the CEs can learn the routes of each other. Run
the display ipv6 routing-table vpn6-instance command on each PE to view the routes of the
VPNv6 instance. You can also run the ping or tracert command to verify the configuration. In
addition, you can run the display ipv6 routing-table, ping, or tracert command on each CE to
verify the configuration. Take the display on PE1 and CE1 as an example.

[PE1] ping ipv6 vpn6-instance vpna 1999::1

Reply from 1999::1
Reply from 1999::1
Reply from 1999::1
Reply from 1999::1
Reply from 1999::1

0.00% packet loss
[CE1] tracert ipv6 1999::1

traceroute to 1999::1 30 hops max,60 bytes packet
1 2001::2 62 ms 31 ms 32 ms
2 2004::2 101 ms 94 ms 98 ms
3 1999::1 156 ms 157 ms 171 ms
The address 1999::1/64 also exists on CE4. Therefore, when you run the display ipv6
statistics command on CE3 and CE4 to check the change of the number of sent and received
ICMPv6 packets, you can find that the packets are sent to the correct interface. The sites that
are not allowed to communicate with each other are separated.
----End
Configuration Files
#
sysname PE1
#
ipv6
#
#
ipv6 vpn6-instance vpna
#
ipv6 vpn6-instance vpnb
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
isis 1
network-entity 10.1111.1111.1111.00
#
ipv6 enable
ipv6 binding vpn6-instance vpna
ipv6 address 2001::2/64
#
interface Vlanif101
ipv6 enable

ipv6 binding vpn6-instance vpnb

#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
isis enable 1
mpls
mpls ldp
#
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
isis enable 1
#
bgp 100
#
ipv4-family unicast
peer 3.3.3.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 3.3.3.9 enable
#
ipv6-family vpn6-instance vpna
import-route direct
peer 2001::1 as-number 65410
#
ipv6-family vpn6-instance vpnb
import-route direct
import-route static
#
ipv6 route-static vpn6-instance vpnb 1998:: 64 2003::1
#
return
#
sysname P
#
vlan batch 10 20
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
isis 1
network-entity 20.2222.2222.2222.00
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
isis enable 1
mpls
mpls ldp
#
interface Vlanif20

ip address 192.168.2.1 255.255.255.0

isis enable 1
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
isis enable 1
#
return
#
sysname PE2
#
ipv6
#
#
#
ipv6 vpn6-instance vpnb
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
isis 1
network-entity 30.3333.3333.3333.00
#
isis 10 vpn6-instance vpna
network-entity 30.4444.4444.4444.4444.00
#
ipv6 enable topology standard
ipv6 import-route bgp
#
#
interface Vlanif20
ip address 192.168.2.2 255.255.255.0
isis enable 1
mpls
mpls ldp
#
interface Vlanif100
ipv6 enable
ripng 100 enable
#
ipv6 enable
ipv6 binding vpn6-instance vpnb
isis ipv6 enable 10
#

#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
isis enable 1
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 1.1.1.9 enable
#
#
ipv6-family vpn6-instance vpnb
import-route ripng 100
#
ripng 100 vpn6-instance vpnb
import-route bgp
#
return
#
sysname CE1
#
ipv6
#
vlan batch 100 1001
#
ipv6 enable
#
ipv6 enable
#
#
#
bgp 65410
router-id 10.10.10.10
#
ipv6-family unicast
import-route direct

peer 2001::2 enable

#
return
#
sysname CE2
#
ipv6
#
vlan batch 101 1011
#
ipv6 enable
#
ipv6 enable
#
#
#
ipv6 route-static :: 0 2003::2
#
return
#
sysname CE3
#
ipv6
#
vlan batch 100 1001
#
isis 10
network-entity 30.2222.2222.2222.00
#
ipv6 enable topology standard
#
#
ipv6 enable
isis ipv6 enable 10
#
ipv6 enable
isis ipv6 enable 10
#
#
#
return
#
sysname CE4
#

ipv6
#
vlan batch 101 1011
#
interface Vlanif101
ipv6 enable
ripng 100 enable
#
ipv6 enable
ripng 100 enable
#
#
#
ripng 100
#
return
4.11.2 Example for Configuring Hub&Spoke (Using BGP4+

Between PE and CE)
only by the Hub-PE. You need to configure BGP4+ between Hub-PE and Hub-CE, and between
Spoke-PE and Spoke-CE.


AS: 65430
Hub-CE
GE1/0/0 GE2/0/0
VLAN30 VLAN40
GE3/0/0 GE3/01
Hub-PE
GE1/0/0 GE2/0/0

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
VLAN10 VLAN20
GE2/0/0 GE2/0/0
GE1/0/0 Spoke-PE1 Spoke-PE2 GE1/0/0

Backbone
AS100
VLAN50 VLAN60
GE1/0/0 GE1/0/0
Spoke-CE1 Spoke-CE2
AS: 65410 AS: 65420
Device Interface VLANIF IPv4 Address IPv6 Address

Interface
Hub-PE GigabitEthernet1/0/0 VLANIF 10 10.1.1.2/24 -
Loopback1 - 2.2.2.9/32 -
Spoke-PE1 GigabitEthernet1/0/0 VLANIF 50 - 2001::2/64
Loopback1 - 1.1.1.9/32 -
Loopback1 - 3.3.3.9/32 -
Hub-CE GigabitEthernet1/0/0 VLANIF 30 - 2003::1/64

Spoke-CE1 GigabitEthernet1/0/0 VLANIF 50 - 2001::1/64
1. Set up tunnel and IBGP peer relation between the Hub-PE and the Spoke-PE. Do not set
up IBGP peer relation between Spoke-PEs because they do not exchange VPN routes.
2. Create two IPv6 VPN instances, namely, vpn_in and vpn_out, on the Hub-PE. The VPN
target received by vpn_in is the same as the VPN target advertised by the Spoke-PEs. The
VPN target advertised by vpn_out is different from the received VPN target, but is the
same as the VPN target received by the Spoke-PEs.
3. Create an IPv6 VPN instance on the Spoke-PE. The VPN target received by the IPv6 VPN
instance is the same as the VPN target advertised by vpn_out, and the VPN target advertised
by the IPv6 VPN instance is the same as the VPN target received by vpn_in.
4. Run BGP4+ between the CE and the PE.
5. Configure the Hub-PE to accept the routes in an AS whose number is repeated once.
Data Preparation
Procedure
Step 1 Configure an IGP protocol on the backbone network to make the Hub-PE and the Spoke-PE
After configuration, an OSPF neighbor relation is set up between the PEs. Run the display ospf
peer command, and you can see that the neighbor relation is in Full state. Run the display ip
routing-table command on the PEs, and you can see that the PEs can learn the routes on the
loopback interface of each other.
LDP LSP.
Step 3 Configure the IPv6 VPN instances on each PE and connect the CEs to the PEs.
NOTE
Pay attention to the VPN targets on the Hub-PE and Spoke-PE.

The VPN targets of the two IPv6 VPNs on the Hub-PE are advertised by the two Spoke-PE, and
the advertised VPN target is different from the received VPN target.
Configure the IPv6 VPN instances on the Spoke-PE. The imported VPN target for the VPN on
the Spoke-PE is advertised by the Hub-PE.
[Spoke-PE1] ipv6 vpn6-instance vpna
[Spoke-PE1-vpn6-instance-vpna] route-distinguisher 100:1
[Spoke-PE1-vpn6-instance-vpna] vpn-target 100:1 export-extcommunity
[Spoke-PE1-vpn6-instance-vpna] vpn-target 200:1 import-extcommunity
[Spoke-PE1-vpn6-instance-vpna] quit
[Spoke-PE1-Vlanif50] ipv6 enable
[Spoke-PE1-Vlanif50] ipv6 binding vpn6-instance vpna
[Spoke-PE1-Vlanif50] ipv6 address 2001::2 64

[Hub-PE] ipv6 vpn6-instance vpn_in
[Hub-PE-vpn6-instance-vpn_in] route-distinguisher 100:21
[Hub-PE-vpn6-instance-vpn_in] vpn-target 100:1 import-extcommunity
[Hub-PE-vpn6-instance-vpn_in] quit
[Hub-PE] ipv6 vpn6-instance vpn_out
[Hub-PE-vpn6-instance-vpn_out] route-distinguisher 100:22
[Hub-PE-vpn6-instance-vpn_out] vpn-target 200:1 export-extcommunity
[Hub-PE-vpn6-instance-vpn_out] quit
[Hub-PE-Vlanif30] ipv6 enable
[Hub-PE-Vlanif30] ipv6 binding vpn6-instance vpn_in
[Hub-PE-Vlanif30] ipv6 address 2003::2 64
[Hub-PE-Vlanif40] ipv6 binding vpn6-instance vpn_out
# Configure IP addresses of the interfaces on the CE devices according to Figure 4-3. The
After the configuration, run the display ipv6 vpn6-instance verbose command on the PEs, and
you can view the configuration of the IPv6 VPN instances.
Take the display on Hub-PE as an example.
[Hub-PE] display ipv6 vpn6-instance verbose
VPN6-Instance Name and ID : vpn_in, 1

Create date : 2009/05/10 13:13:32 UTC-08:00

Log Interval : 5
VPN6-Instance Name and ID : vpn_out, 2

Create date : 2009/05/10 13:13:38 UTC-08:00
Log Interval : 5
Step 4 Set up the EBGP peer relations between PEs and CEs to import VPN routes.
<Spoke-CE1> system-view
[Spoke-CE1-bgp] router-id 10.10.10.10
[Spoke-CE1-bgp] peer 2001::2 as-number 100
[Spoke-CE1-bgp] ipv6-family unicast
[Spoke-CE1-bgp-af-ipv6] peer 2001::2 enable
[Spoke-CE1-bgp-af-ipv6] import-route direct
[Spoke-CE1-bgp-af-ipv6] quit
[Spoke-PE1] bgp 100
[Spoke-PE1-bgp] ipv6-family vpn6-instance vpna
[Spoke-PE1-bgp6-vpna] peer 2001::1 as-number 65410
[Spoke-PE1-bgp6-vpna] import-route direct
[Spoke-PE1-bgp6-vpna] quit
[Spoke-PE2] bgp 100

<Hub-CE1> system-view
[Hub-CE] bgp 65430
[Hub-CE-bgp] router-id 30.30.30.30
[Hub-CE-bgp] peer 2003::2 as-number 100
[Hub-CE-bgp] peer 2004::2 as-number 100
[Hub-CE-bgp] ipv6-family unicast
[Hub-CE-bgp-af-ipv6] peer 2003::2 enable

[Hub-CE-bgp-af-ipv6] peer 2004::2 enable

[Hub-CE-bgp-af-ipv6] import-route direct
[Hub-CE-bgp-af-ipv6] quit
[Hub-CE-bgp] quit

[Hub-PE] bgp 100
[Hub-PE-bgp] ipv6-family vpn6-instance vpn_in
[Hub-PE-bgp6-vpn_in] peer 2003::1 as-number 65430
[Hub-PE-bgp6-vpn_in] import-route direct
[Hub-PE-bgp6-vpn_in] quit
[Hub-PE-bgp] ipv6-family vpn6-instance vpn_out
[Hub-PE-bgp6-vpn_out] peer 2004::1 as-number 65430
[Hub-PE-bgp6-vpn_out] peer 2004::1 allow-as-loop 1
[Hub-PE-bgp6-vpn_out] import-route direct
[Hub-PE-bgp6-vpn_out] quit
[Hub-PE-bgp] quit
find that the BGP peer relation between the PE and the CE is in Established state. By running
the ping ipv6 vpn6-instance, you can see that each PE can ping its connected CE.

[Hub-PE] ping ipv6 vpn6-instance vpn_in -a 2003::2 2003::1
Reply from 2003::1
Reply from 2003::1
Reply from 2003::1
Reply from 2003::1
Reply from 2003::1

0.00% packet loss
[Hub-PE] ping ipv6 vpn6-instance vpn_out -a 2004::2 2004::1

Reply from 2004::1
Reply from 2004::1
Reply from 2004::1
Reply from 2004::1
Reply from 2004::1

0.00% packet loss
NOTE
If multiple interfaces on a PE are bound to the same VPN, you must specify the source IPv6 address when
you run the ping ipv6 vpn6-instance command to ping the CE connected to the peer PE. That is, specify
-a source-ipv6-address in the ping ipv6 vpn6-instance vpn6-instance-name -a source-ipv6-address dest-
ipv6-address command. Otherwise, the ping operation may fail.


Set up MP-IBGP peer relation between the Spoke-PE and the Hub-PE, but do not set up the MP-
IBGP peer relation between the Spoke-PEs.
NOTE
The Spoke-PE does not need to allow the repeated ASN, because the Switch does not check the AS path
attribute in the routing information advertised by the IBGP peers.
[Spoke-PE1] bgp 100

[Spoke-PE2] bgp 100

[Hub-PE] bgp 100
After the configuration, run the display bgp peer or display bgp vpnv6 all peer command on
each PE, and you can see that the BGP peer relation between the PEs is in Established state.
result.
Take the display on Spoke-CE1 as an example.
[Spoke-CE1] ping ipv6 2002::1
Reply from 2002::1
Reply from 2002::1
Reply from 2002::1
Reply from 2002::1
Reply from 2002::1


0.00% packet loss
[Spoke-CE1] tracert ipv6 2002::1

1 2001::2 31 ms 31 ms 32 ms
2 2004::2 93 ms 94 ms 110 ms
3 2004::1 93 ms 94 ms 94 ms
4 2003::2 94 ms 93 ms 94 ms
5 2002::2 156 ms 157 ms 156 ms
6 2002::1 187 ms 188 ms 187 ms
Run the display bgp ipv6 routing-table command on the Spoke-CE, and you can see the
repeated ASNs in AS paths of the BGP routes to the remote Spoke-CE.
[Spoke-CE1] display bgp ipv6 routing-table

*> Network : ::1 PrefixLen : 128

NextHop : :: LocPrf :
MED : 0 PrefVal : 0
Label :
Path/Ogn : ?
*> Network : 2001:: PrefixLen : 64

MED : 0 PrefVal : 0
Label :
Path/Ogn : ?
*
NextHop : 2001::2 LocPrf :
MED : 0 PrefVal : 0
Label :
Path/Ogn : 100 ?
*> Network : 2001::1 PrefixLen : 128

MED : 0 PrefVal : 0
Label :
Path/Ogn : ?
*>
Network : 2002:: PrefixLen : 64
MED : PrefVal : 0
Label :
Path/Ogn : 100 65430 100 ?

MED : PrefVal : 0
Label :
Path/Ogn : 100 65430 ?

MED : PrefVal : 0
Label :
Path/Ogn : 100 ?
*> Network : FE80:: PrefixLen : 10

MED : 0 PrefVal : 0
Label :
Path/Ogn : ?
----End
Configuration Files
#
sysname Spoke-CE1
#
ipv6
#
vlan batch 50
#
interface Vlanif50
ipv6 enable
#
#
bgp 65410
router-id 10.10.10.10
#
ipv6-family unicast
import-route direct
peer 2001::2 enable
#
return

#
sysname Spoke-PE1
#
ipv6
#
vlan batch 10 50
#
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif50
ipv6 enable
#
#

#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 2.2.2.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 2.2.2.9 enable
#
import-route direct
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
#
sysname Spoke-PE2
#
ipv6
#
vlan batch 20 60
#
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address 11.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
ipv6 enable
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100


#
ipv4-family unicast
peer 2.2.2.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 2.2.2.9 enable
#
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 11.1.1.0 0.0.0.255
#
return
#
sysname Spoke-CE2
#
ipv6
#
vlan batch 60
#
interface Vlanif60
ipv6 enable
#
#
bgp 65420
router-id 20.20.20.20
#
ipv6-family unicast
import-route direct
peer 2002::2 enable
#
return
#
sysname Hub-CE
#
ipv6
#
vlan batch 30 40
#
interface Vlanif30
ipv6 enable
#
interface Vlanif40
ipv6 enable
#
#

#
bgp 65430
router-id 30.30.30.30
#
ipv6-family unicast
import-route direct
peer 2003::2 enable
peer 2004::2 enable
#
return
#
sysname Hub-PE
#
ipv6
#
#
ipv6 vpn6-instance vpn_in
#
ipv6 vpn6-instance vpn_out
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif20
ip address 11.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ipv6 enable
ipv6 binding vpn6-instance vpn_in
#
interface Vlanif 40
ipv6 enable
#
#
#
#

#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv6-family vpn6-instance vpn_in
import-route direct
#
ipv6-family vpn6-instance vpn_out
peer 2004::1 allow-as-loop
import-route direct
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 11.1.1.0 0.0.0.255
#
return
4.11.3 Example for Configuring Hub&Spoke (Using the Default

Route Between Hub-PE and Hub-CE)
only by the Hub-PE. You need to configure the default route between the Hub-PE and the Hub-
CE.


AS: 65430
Hub-CE
GE1/0/0 GE2/0/0
VLAN30 VLAN40
GE3/0/0 GE3/01
Hub-PE
GE1/0/0 GE2/0/0

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
VLAN10 VLAN20
GE2/0/0 GE2/0/0
GE1/0/0 Spoke-PE1 Spoke-PE2 GE1/0/0

Backbone
AS100
VLAN50 VLAN60
GE1/0/0 GE1/0/0
Spoke-CE1 Spoke-CE2
AS: 65410 AS: 65420
Device Interface VLANIF IPv4 Address IPv6 Address

Interface
Hub-PE GigabitEthernet1/0/0 VLANIF 10 10.1.1.2/24 -
Loopback1 - 2.2.2.9/32 -
Loopback1 - 1.1.1.9/32 -
Loopback1 - 3.3.3.9/32 -
Hub-CE GigabitEthernet1/0/0 VLANIF 30 - 2003::1/64

1. Set up tunnel and IBGP peer relation between the Hub-PE and the Spoke-PE. Do not set
up IBGP peer relation between Spoke-PEs because they do not exchange VPN routes.
2. Create two IPv6 VPN instances, namely, vpn_in and vpn_out, on the Hub-PE. The VPN
target received by vpn_in is the same as the VPN target advertised by the Spoke-PEs. The
VPN target advertised by vpn_out is different from the received VPN target, but is the
same as the VPN target received by the Spoke-PEs.
3. Create an IPv6 VPN instance on the Spoke-PE. The VPN target received by the IPv6 VPN
instance is the same as the VPN target advertised by vpn_out, and the VPN target advertised
by the IPv6 VPN instance is the same as the VPN target received by vpn_in.
4. Configure the default route as follows:
l Configure the IPv6 default route on the Hub-CE. Set the next hop of the route as the
IPv6 address of the Hub-PE's interface bound to vpn_in.
l Configure the default route for vpn_out on the Hub-PE. Set the next hop of the default
route as the address of the Hub-CE.
l In the BGP VPN6-instance address family view of vpn_out on the Hub-PE, run the
network :: 0 command to advertise the default route to all Spoke sites.
5. Configure BGP4+ between Spoke-PE and Spoke-CE.
Data Preparation

Procedure
Step 1 Configure an IGP protocol on the backbone network to make the Hub-PE and the Spoke-PE
After configuration, an OSPF neighbor relation is set up between the PEs. Run the display ospf
peer command, and you can see that the neighbor relation is in Full state. Run the display ip
routing-table command on the PEs, and you can see that the PEs can learn the routes on the
loopback interface of each other.
LDP LSP.

Step 3 Configure the IPv6 VPN instance on each PE and connect the CEs to the PEs.
NOTE
Pay attention to the VPN targets on the Hub-PE and Spoke-PE.
The VPN targets of the two IPv6 VPNs on the Hub-PE are advertised by the two Spoke-PE, and
the advertised VPN target is different from the received VPN target.
Configure the IPv6 VPN instances on the Spoke-PE. The imported VPN target for the VPN on
the Spoke-PE is advertised by the Hub-PE.

[Hub-PE] ipv6 vpn6-instance vpn_in
[Hub-PE-vpn6-instance-vpn_in] route-distinguisher 100:21
[Hub-PE-vpn6-instance-vpn_in] vpn-target 100:1 import-extcommunity
[Hub-PE-vpn6-instance-vpn_in] quit
[Hub-PE] ipv6 vpn6-instance vpn_out
[Hub-PE-vpn6-instance-vpn_out] route-distinguisher 100:22
[Hub-PE-vpn6-instance-vpn_out] vpn-target 200:1 export-extcommunity
[Hub-PE-vpn6-instance-vpn_out] quit
[Hub-PE-Vlanif30] ipv6 binding vpn6-instance vpn_in
[Hub-PE-Vlanif40] ipv6 binding vpn6-instance vpn_out
# Configure IP addresses of the interfaces on the CEs according to Figure 4-4. The configuration

[Hub-PE] display ipv6 vpn6-instance verbose
VPN6-Instance Name and ID : vpn_in, 1

Create date : 2009/05/10 13:13:32 UTC-08:00
Log Interval : 5
VPN6-Instance Name and ID : vpn_out, 2

Create date : 2009/05/10 13:13:38 UTC-08:00
Log Interval : 5
Step 4 Set up EBGP peer relation between the Spoke-PE and the Spoke-CE and import VPN routes.
[Spoke-PE1] bgp 100
[Spoke-PE2] bgp 100

find that the BGP peer relation between the PE and the CE is in Established state. By running
the ping ipv6 vpn6-instance, you can see that each PE can ping its connected CE.
NOTE
If multiple interfaces on a PE are bound to the same VPN, you must specify the source IPv6 address when
you run the ping ipv6 vpn6-instance command to ping the CE connected to the peer PE. That is, specify
-a source-ipv6-address in the ping ipv6 vpn6-instance vpn6-instance-name -a source-ipv6-address dest-
ipv6-address command. Otherwise, the ping operation may fail.
Step 5 Configure the default route on the Hub-PE and the Hub-CE.
<Hub-CE> system-view
[Hub-CE] ipv6 route-static :: 0 2003::2

# Configure the default route for vpn_out. Set the next hop of the default route as the address
of the Hub-CE.
[Hub-PE] ipv6 route-static vpn6-instance vpn_out :: 0 2004::1
# Advertise the default route through MP-IBGP.

[Hub-PE] bgp 100
[Hub-PE-bgp] ipv6-family vpn6-instance vpn_out
[Hub-PE-bgp6-vpn_out] network :: 0
# Advertise the default route through MP-IBGP.

[Hub-PE-bgp6-vpn_out] import-route direct
[Hub-PE-bgp6-vpn_out] quit
[Hub-PE-bgp] quit

NOTE
The Spoke-PE does not need to allow the repeated ASN, because the Switch does not check the AS path
attribute in the routing information advertised by the IBGP peers.
[Spoke-PE1] bgp 100
[Spoke-PE2] bgp 100

[Hub-PE] bgp 100


After the configuration, run the display bgp vpnv6 all peer command on each PE, and you can
see that the MP-IBGP peer relation between the PEs is in Established state.
After the preceding configurations, check the BGP IPv6 VPN routes on the Spoke-PE. You can
find that the default route of vpn_out on the Hub-PE is advertised to each Spoke-PE.
Take the display on Spoke-PE1 as an example.
[Spoke-PE1] display bgp vpnv6 all routing-table

*>i Network : :: PrefixLen : 0

NextHop : ::FFFF:3.3.3.3 LocPrf : 100
MED : 0 PrefVal : 0
Label : 15365
Path/Ogn : i
*>i Network : 2004:: PrefixLen : 64

MED : 0 PrefVal : 0
Label : 15364
Path/Ogn : ?
Total routes of vpn6-instance vpna: 6
*>i Network : :: PrefixLen : 0

MED : 0 PrefVal : 0
Label : 15365
Path/Ogn : i

MED : 0 PrefVal : 0
Label : NULL
Path/Ogn : ?
*
MED : 0 PrefVal : 0
Label : NULL
Path/Ogn : 65410 ?

MED : 0 PrefVal : 0
Label : NULL
Path/Ogn : ?

MED : 0 PrefVal : 0
Label : 15364
Path/Ogn : ?


MED : 0 PrefVal : 0
Label : NULL
Path/Ogn : ?
result.
[Spoke-CE1] ping ipv6 2002::1
Reply from 2002::1
Reply from 2002::1
Reply from 2002::1
Reply from 2002::1
Reply from 2002::1

0.00% packet loss
[Spoke-CE1] tracert ipv6 2002::1

1 2001::2 16 ms 31 ms 16 ms
2 2004::2 78 ms 62 ms 63 ms
3 2004::1 62 ms 63 ms 62 ms
4 2003::2 63 ms 62 ms 63 ms
5 2002::2 109 ms 94 ms 109 ms
6 2002::1 125 ms 141 ms 125 ms
Run the display bgp ipv6 routing-table command on the Spoke-CE, and you can see the default
route advertised by BGP on the peer Spoke-PE. Run the display ipv6 routing-table command,
and you can see the default route whose next hop is the peer Spoke-PE.
[Spoke-CE1] display bgp ipv6 routing-table

*> Network : :: PrefixLen : 0

MED : PrefVal : 0
Label :
Path/Ogn : 100 ?

MED : 0 PrefVal : 0
Label :
Path/Ogn : ?


MED : 0 PrefVal : 0
Label :
Path/Ogn : ?
*
MED : 0 PrefVal : 0
Label :
Path/Ogn : 100 ?

MED : 0 PrefVal : 0
Label :
Path/Ogn : ?

MED : 0 PrefVal : 0
Label :
Path/Ogn : ?
[Spoke-CE1] display ipv6 routing-table

Routing Table : Public
Destination : ::1 PrefixLength : 128

NextHop : ::1 Preference : 0
Interface : InLoopBack0 Protocol : Direct
State : Active NoAdv Cost : 0
Tunnel ID : 0x0 Label : NULL
Age : 14437sec
Destination : 2001:: PrefixLength : 64

NextHop : 2001::1 Preference : 0
Interface : Vlanif50 Protocol : Direct
State : Active Adv Cost : 0
Age : 9500sec
Destination : 2001::1 PrefixLength : 128

Age : 9500sec

Interface : Vlanif50 Protocol : BGP
Age : 9410sec
Destination : FE80:: PrefixLength : 10

NextHop : :: Preference : 0
Interface : NULL0 Protocol : Direct
Age : 9502sec
----End

Configuration Files
#
sysname Spoke-CE1
#
ipv6
#
vlan batch 50
#
interface Vlanif50
ipv6 enable
#
#
bgp 65410
router-id 10.10.10.10
#
ipv6-family unicast
import-route direct
peer 2001::2 enable
#
return

#
sysname Spoke-PE1
#
ipv6
#
vlan batch 10 50
#
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif50
ipv6 enable
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100


#
ipv4-family unicast
peer 2.2.2.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 2.2.2.9 enable
#
import-route direct
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
#
sysname Spoke-PE2
#
ipv6
#
vlan batch 20 60
#
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address 11.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
ipv6 enable
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 2.2.2.9 enable
#
ipv6-family vpnv6

policy vpn-target
peer 2.2.2.9 enable
#
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 11.1.1.0 0.0.0.255
#
return

#
sysname Spoke-CE2
#
ipv6
#
vlan batch 60
#
interface Vlanif60
ipv6 enable
#
#
bgp 65420
router-id 20.20.20.20
#
ipv6-family unicast
import-route direct
peer 2002::2 enable
#
return

#
sysname Hub-CE
#
ipv6
#
vlan batch 30 40
#
interface Vlanif30
ipv6 enable
#
interface Vlanif40
ipv6 enable
#
#
#
ipv6 route-static :: 0 2003::2
#
return


#
sysname Hub-PE
#
ipv6
#
#
ipv6 vpn6-instance vpn_in
#
ipv6 vpn6-instance vpn_out
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif20
ip address 11.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ipv6 enable
#
interface Vlanif 40
ipv6 enable
#
#
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.9 enable

peer 3.3.3.9 enable

#
ipv6-family vpnv6
policy vpn-target
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv6-family vpn6-instance vpn_out
network :: 0
import-route direct
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 11.1.1.0 0.0.0.255
#
ipv6 route-static vpn6-instance vpn_out :: 0 2004::1
#
return
4.11.4 Example for Configuring Inter-AS IPv6 VPN Option A
Context
As shown in Figure 4-5, CE1 and CE2 belong to the same VPN. CE1 accesses PE1 through AS
100, and CE2 accesses PE2 through AS 200.
The inter-AS BGP/MPLS IPv6 VPN is implemented through Option A. That is, the VRF-to-
VRF method is used to manage VPN routes.
Figure 4-5 Networking diagram for configuring inter-AS VPN Option A

2.2.2.9/32 3.3.3.9/32
GE2/0/0 VLAN 12 GE2/0/0 GE1/0/0
GE1/0/0 162.1.1.1/24
172.1.1.1/24 2003::1/64 2003::2/64
VLAN 11 ASBR-PE1 ASBR-PE2 VLAN 22
Loopback1 Loopback1
1.1.1.9/32 4.4.4.9/32
GE1/0/0
172.1.1.2/24 GE1/0/0
PE1 162.1.1.2/24 PE2
GE2/0/0 GE2/0/0
VLAN 2001::2/64 2002::2/24 VLAN
10 10
GE1/0/0 GE1/0/0
2001::1/64 2002::1/24
CE1
CE2
AS 65001 AS 65002

1. Set up the EBGP peer relation between the PE and the CE and set up MP-IBGP peer relation
2. Create an IPv6 VPN instance on each ASBR and bind each instance to the interface
connected to the other ASBR (regarding the ASBR as its CE) and set up the EBGP peer
relation between the ASBR.
Data Preparation
l MPLS LSR IDs of PEs and ASBR-PEs
l IPv6 VPN instance names, RDs, and VPN targets for the PEs and ABSRs
Procedure
Step 1 Specify the VLAN IDs that are allowed by the interfaces, as shown in Figure 4-5.
Step 2 On the MPLS backbone networks in AS 100 and AS 200, configure an IGP protocol so that the
PEs and the ASBRs on the network can communicate with each other.
The OSPF protocol is used in this example and the configuration procedure is not mentioned
here.
NOTE
The 32-bit loopback interface address used as the LSR ID must be advertised by OSPF.
After the configuration, the OSPF neighbor relation can be established between the ASBR and
the PE in the same AS. Run the display ospf peer command, and you can find that the neighbor
status is Full.
The ASBR and PE in the same AS can ping each other and learn the loopback interface address
of each other.
Step 3 Configure the basic MPLS function and MPLS LDP on the MPLS backbone networks of AS
100 and AS 200 and set up the MPLS LDP LSP.
ASBR-PE1.
<PE1> system-view
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif11] mpls
[PE1-Vlanif11] quit
to PE1.

[ASBR-PE1] mpls
[ASBR-PE1] mpls ldp
to PE2.
[ASBR-PE2] mpls
[ASBR-PE2] mpls ldp
ASBR-PE2.
<PE2> system-view
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif22] mpls
[PE2-Vlanif22] quit
After the configuration, the LDP peer relation can be set up between the PE and ASBR in the
same AS. Run the display mpls ldp session command on each device, and you can see that the
session state is Operational.

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 4 Configure the basic BGP/MPLS IPv6 VPNs in AS 100 and AS 200.
NOTE
The VPN targets of the IPv6 VPN instances of the ASBR and PE in an AS should match each other. In
different ASs, the VPN targets of the PEs do not need to match.
# Configure CE1.
<CE1> system-view

[CE1-Vlanif10] quit
[CE1] bgp 65001
[CE1-bgp] quit
# On PE1, set up an EBGP peer relation between PE1 and CE1.

[PE1] ipv6 vpn6-instance vpn1
[PE1-vpn6-instance-vpn1] route-distinguisher 100:1
[PE1-vpn6-instance-vpn1] vpn-target 1:1 both
[PE1-vpn6-instance-vpn1] quit
[PE1-Vlanif10] ipv6 binding vpn6-instance vpn1
[PE1-Vlanif10] quit
[PE1] bgp 100
[PE1-bgp] ipv6-family vpn6-instance vpn1
[PE1-bgp6-vpn1] peer 2001::1 as-number 65001
[PE1-bgp6-vpn1] import-route direct
[PE1-bgp6-vpn1] quit
[PE1-bgp] quit
# On PE1, set up an MP-IBGP peer relation between ASBR-PE1 and MP-IBGP.

[PE1] bgp 100
# On ASBR-PE1, set up an MP-IBGP peer relation between ASBR-PE1 and PE1.

[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] ipv6-family vpnv6
[ASBR-PE1-bgp-af-vpnv6] peer 1.1.1.9 enable
[ASBR-PE1-bgp-af-vpnv6] quit
[ASBR-PE1-bgp] quit
NOTE
The configurations on CE2, PE2, and ASBR-PE2 are similar to the configurations on CE1, PE1 and ASBR-
PE1 and are not mentioned here.
After the configuration, run the display bgp vpnv6 vpn6-instance peer command on a PE, and
you can find that the BGP peer relation between the PE and CE is in Established state. By running
the display bgp vpnv6 all peer command, you can see the BGP peer relations are set up between
the PE and CE, and between the PE and ASBR.
[PE1] display bgp vpnv6 vpn6-instance vpn1 peer

2001::1 4 65001 14 12 0 00:08:36 Established 1


2.2.2.9 4 100 13 12 0 00:09:10 Established 0
Peer of vpn6 instance :
vpn6 instance vpn1 :

2001::1 4 65001 17 14 0 00:11:09 Established 1
Step 5 Configure the inter-AS VPN in VRF-to-VRF mode.

# On ASBR-PE1, create an IPv6 VPN instance and bind the instance to the interface connected
[ASBR-PE1] ipv6 vpn6-instance vpn1

[ASBR-PE1-vpn6-instance-vpn1] route-distinguisher 100:2
[ASBR-PE1-vpn6-instance-vpn1] vpn-target 1:1 both
[ASBR-PE1-vpn6-instance-vpn1] quit
[ASBR-PE1-Vlanif12] ipv6 enable
[ASBR-PE1-Vlanif12] ipv6 binding vpn6-instance vpn1
[ASBR-PE1-Vlanif12] ipv6 address 2003::1 64
# On ASBR-PE2, create an IPv6 VPN instance and bind the instance to the interface connected
[ASBR-PE2] ipv6 vpn6-instance vpn1
[ASBR-PE2-vpn6-instance-vpn1] route-distinguisher 200:2
[ASBR-PE2-vpn6-instance-vpn1] vpn-target 2:2 both
[ASBR-PE2-vpn6-instance-vpn1] quit
[ASBR-PE2-Vlanif12] ipv6 enable
[ASBR-PE2-Vlanif12] ipv6 binding vpn6-instance vpn1
[ASBR-PE2-Vlanif12] ipv6 address 2003::2 64

[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] ipv6-family vpn6-instance vpn1
[ASBR-PE1-bgp6-vpn1] peer 2003::2 as-number 200
[ASBR-PE1-bgp6-vpn1] import-route direct
[ASBR-PE1-bgp6-vpn1] quit
[ASBR-PE1-bgp] quit

[ASBR-PE2] bgp 200
[ASBR-PE2-bgp] ipv6-family vpn6-instance vpn1
[ASBR-PE2-bgp6-vpn1] peer 2003::1 as-number 100
[ASBR-PE2-bgp6-vpn1] import-route direct
[ASBR-PE2-bgp6-vpn1] quit
[ASBR-PE2-bgp] quit
By running the display bgp vpnv6 vpn6-instance peer command, you can see that the BGP
peer relation is established between the ASBR-PEs.
After the preceding configuration, CEs can learn the routes from the interfaces of each other,
and CE1 and CE2 can ping each other successfully. Take the display on CE1 as an example:

[CE1] display ipv6 routing-table


Age : 10889sec

Age : 789sec

Age : 789sec

Age : 792sec
[CE1] ping ipv6 2002::1
Reply from 2002::1
Reply from 2002::1
Reply from 2002::1
Reply from 2002::1
Reply from 2002::1

0.00% packet loss
Run the display ipv6 routing-table vpn6-instance command on an ASBR, and you can see the
IPv6 VPN routing table on the ASBR. Take the display on ASBR-PE1 for example.
<ASBR-PE1> display ipv6 routing-table vpn6-instance vpn1
Routing Table : vpn1

NextHop : ::FFFF:1.1.1.9 Preference : 255
Interface : NULL0 Protocol : BGP
State : Active Adv GotQ Cost : 0
Tunnel ID : 0x6002000 Label : 15360
Age : 1937sec

Age : 432sec


Age : 1435sec

Age : 1436sec

Age : 1438sec
Run the display bgp vpnv6 all routing-table command on the ASBR, and you can see the IPv6
VPN routes of the ASBR. Take the display on ASBR-PE1 for example.
<ASBR-PE1> display bgp vpnv6 all routing-table



MED : 0 PrefVal : 0
Label : 15360
Path/Ogn : ?
Total routes of vpn6-instance vpn1: 6

MED : 0 PrefVal : 0
Label : 15360
Path/Ogn : ?

MED : PrefVal : 0
Label : NULL
Path/Ogn : 200 ?

MED : 0 PrefVal : 0
Label : NULL
Path/Ogn : ?
*
MED : 0 PrefVal : 0
Label : NULL
Path/Ogn : 200 ?


MED : 0 PrefVal : 0
Label : NULL
Path/Ogn : ?

MED : 0 PrefVal : 0
Label : NULL
Path/Ogn : ?
----End
Configuration Files
#
sysname CE1
#
ipv6
#
vlan batch 10
#
interface Vlanif10
ipv6 enable
#
#
bgp 65001
router-id 10.10.10.10
#
ipv6-family unicast
import-route direct
peer 2001::2 enable
#
return

#
sysname PE1
#
ipv6
#
vlan batch 10 11
#
ipv6 vpn6-instance vpn1
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
intface Vlanif10
ipv6 enable
ipv6 binding vpn6-instance vpn1
#
interface vlanif11
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp

#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 2.2.2.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 2.2.2.9 enable
#
ipv6-family vpn6-instance vpn1
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
#
sysname ASBR-PE1
#
ipv6
#
vlan batch 11 12
#
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif11
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif12
ipv6 enable
#
#

#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
import-route direct
peer 1.1.1.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 1.1.1.9 enable
#
import-route direct
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
#
sysname ASBR-PE2
#
ipv6
#
vlan batch 12 22
#
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif12
ipv6 enable
#
interface Vlanif22
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 200

#
ipv4-family unicast
peer 4.4.4.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 4.4.4.9 enable
#
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
#
sysname PE2
#
ipv6
#
vlan batch 10 22
#
#
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface Vlanif10
ipv6 enable
#
interface Vlanif22
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 200
#
ipv4-family unicast
peer 3.3.3.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 3.3.3.9 enable

#
import-route direct
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return

#
sysname CE2
#
ipv6
#
vlan batch 10
#
interface Vlanif10
ipv6 enable
#
#
bgp 65002
router-id 20.20.20.20
#
ipv6-family unicast
import-route direct
peer 2002::2 enable
#
return
4.11.5 Example for Configuring Dual-Homed CEs

It is a trend that all the telecommunication services will be carried on a universal IP network.
Some important services such as 3G/NGN, IPTV streaming media, and VIP customer VPN
require high reliability of the network. To improve the network reliability, you can improve the
reliability of the links by configuring fast route convergence, fault detection, fast reroute, and
route backup in addition to improving the reliability of the network devices.
On the access layer, the dual-homed CE networking is a common solution to improve the network
reliability. A dual-homed CE refers to a CE that is connected to two PEs that belong to the same
VPN with the CE. In this networking, the CE connects to the backbone network through two
links. The two links work in load balancing mode or active/standby mode.
As shown in Figure 4-6, CE1 is located in site1 of vpn1, and CE2 is located in site2 of vpn1.
CE1 is connected to PE1 and PE2, and CE2 is connected to PE3 and PE4.
If the data traffic volume from CE1 to CE2 is large but traffic volume from CE2 to CE1 is small,
the data traffic from CE1 to CE2 can be transmitted in load balancing mode. The data traffic
from CE2 to CE1 is transmitted through PE4, and PE3 only works as a backup.

Figure 4-6 Networking diagram of dual-homed CEs
PE1 GE2/0/0 PE3

GE2/0/0
GE1/0/0 GE1/0/0 GE1/0/0 GE2/0/0
P1 GE1/0/0
GE1/0/0 CE1
AS100 CE2
VPN Backbone GE2/0/0
GE3/0/0
GE2/0/0 PE2 P2 PE4
GE2/0/0 GE1/0/0 GE3/0/0
GE1/0/0 GE2/0/0
AS 65410 GE1/0/0 GE2/0/0
AS 65420
Device Interface VLANIF Interface IPv4 Address IPv6 Address
PE1 Loopback1 - 1.1.1.1/32 -
GE1/0/0 VLANIF 101 - 2001::2/64
GE2/0/0 VLANIF 10 100.1.1.1/30 -
PE2 Loopback1 - 2.2.2.2/32 -
GE1/0/0 VLANIF 102 - 2002::2/64
GE2/0/0 VLANIF 20 100.2.1.1/30 -
P1 Loopback1 - 5.5.5.5/32 -
GE1/0/0 VLANIF 10 100.1.1.2/30 -
GE2/0/0 VLANIF 30 100.3.1.1/30 -
P2 Loopback1 - 6.6.6.6/32 -
GE1/0/0 VLANIF 20 100.2.1.2/30 -
GE2/0/0 VLANIF 40 100.4.1.1/30 -
PE3 Loopback1 - 3.3.3.3/32 -
GE1/0/0 VLANIF 30 100.3.1.2/30 -
GE2/0/0 VLANIF 103 - 2003::2/64
PE4 Loopback1 - 4.4.4.4/32 -
GE1/0/0 VLANIF 40 100.4.1.2/30 -
GE2/0/0 VLANIF 104 - 2004::2/64
CE1 GE1/0/0 VLANIF 101 - 2001::1/64
GE2/0/0 VLANIF 102 - 2002::1/64
GE3/0/0 VLANIF 1001 - 2005::1/64
CE2 GE1/0/0 VLANIF 103 - 2003::1/64
GE2/0/0 VLANIF 104 - 2004::1/64

GE3/0/0 VLANIF 1002 - 2006::1/64
1. Configure a basic BGP/MPLS IPv6 VPN.

2. Enable load balancing for the data traffic to CE2 in the BGP view on CE1.
3. Increase the MED value of the BGP-VPN route on PE3 to ensure that the next hop of the
route selected by CE2 to the users connected to CE1 is PE4.
Data Preparation
l MPLS LSR-IDs of PEs and Ps

l VPN instances on PE1 and PE2
l ASNs of CE1 and CE2
Procedure
Step 1 Configure the ID of the VLAN that each interface belongs to, as shown in Figure 4-6.
Step 2 Configure an IGP protocol on the MPLS backbone network so that PEs and Ps can communicate
with each other.
# Configure PE1.
# Set IP addresses of interfaces. The IP addresses of the loopback interfaces must use a mask of
32 bits.
<PE1> system-view
[PE1-Vlanif10] quit
# Configure the ISIS protocol to advertise routes of the interfaces.

[PE1] isis 1
[PE1-isis-1] quit
[PE1-Vlanif10] quit
The configurations of PE2, PE3, PE4, P1, and P2 are similar to the configuration of PE1, and

After the configuration is complete, run the display ip routing-table command. you can see
that PE1 and PE2 can learn the routes of Loopback1 interface of each other; PE2 and PE4 can
learn routes of Loopback1 interface of each other.

3.3.3.3/32 ISIS 15 20 D 100.1.1.2 Vlanif10
5.5.5.5/32 ISIS 15 10 D 100.1.1.2 Vlanif10
100.1.1.0/30 Direct 0 0 D 100.1.1.1 Vlanif10
100.3.1.0/30 ISIS 15 20 D 100.1.1.2 Vlanif10
Step 3 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS
backbone network.
# Configure PE1.
# Enable MPLS and LDP in the system view, set the LSR ID to the IP address of the loopback
interface, and trigger the LSP.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
# Enable MPLS and LDP on the interface connected to the backbone network.
[PE1-Vlanif10] mpls
[PE1-Vlanif10] quit
# The configurations of PE2, PE3, PE4, P1, and P2 are similar to the configuration of PE1, and
After the preceding configurations, LDP sessions should be set up between PE1 and P, and
between PE2 and P. Run the display mpls ldp session command, and you can see that Status
is Operational. Run the display mpls ldp lsp command, and you can see the establishment
status of the LDP LSP.

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------

<PE1> display mpls ldp lsp
LDP LSP Information

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
1.1.1.9/32 3/NULL 5.5.5.5 127.0.0.1 InLoop0
*1.1.1.9/32 Liberal
3.3.3.9/32 NULL/1025 - 10.1.1.2 Vlanif10
3.3.3.9/32 1025/1025 5.5.5.5 10.1.1.2 Vlanif10
5.5.5.5/32 NULL/3 - 10.1.1.2 Vlanif10
5.5.5.5/32 1024/3 5.5.5.5 10.1.1.2 Vlanif10
-----------------------------------------------------------------------------
# Configure PE1.
# Enable IPv6, create a VPN instance, and set the RD and VPN target of the VPN instance. The
VPN target set on the local PE must be the same as the VPN target of the MP-BGP peer PE so
that the sites in the same VPN can access each other.
[PE1] ipv6
# Bind the interface connected to the CE to the VPN instance and set the IP address of the
interface.
# Configure PE2.
[PE2] ipv6
interface.
# Configure PE3.

interface.
# Configure PE4.
interface.
# Configure IPv6 addresses of the interfaces on the CEs according to Figure 4-6. The
<PE1> display ipv6 vpn6-instance verbose

Create date : 2006/10/14 18:12:43
Step 5 Configure EBGP between the PEs and the CEs to import the VPN routes.
# Configure CE1.
# Enable BGP, specify PE1 and PE2 as the EBGP peers, and import the direct route.
[CE1] bgp 65410


[CE1-bgp] quit
# Configure PE1.
# Enable BGP.
[PE1] bgp 100
# Enter the view of the BGP-IPv6 instance. Specify CE1 as the EBGP peer and import the direct
route.
# Configure PE2.
# Enable BGP.
[PE2] bgp 100
route.
# Configure CE2.
# Enable BGP, specify PE3 and PE4 as the EBGP peers, and import the direct route.
[CE2] bgp 65420
[CE2-bgp] quit
# Configure PE3.
# Enable BGP.
[PE3] bgp 100
route.
# Configure PE4.
# Enable BGP.

[PE4] bgp 100
route.
After the configuration, run the display bgp vpnv6 vpn6-instance vpn6-instance-name peer
command on a PE, and you can see that the BGP peer relation between the PE and CE is in
Established state. The PE can ping the connected CE successfully.
[PE1] display bgp vpnv6 vpn6-instance vpn1 peer

2001::1 4 65410 408 435 0 06:16:09 Established 5
<PE1> ping ipv6 vpn6-instance vpn1 2001::1

Reply from 2001::1
Reply from 2001::1
Reply from 2001::1
Reply from 2001::1
Reply from 2001::1

0.00% packet loss

# Configure PE1.
# Specify PE3 as the IBGP peer. Configure the loopback interface to set up the IBGP connection.
[PE1] bgp 100
# Enter the VPNv6 address family view and enable the exchange of the VPN IPv6 routing
information between the peers.
# Configure PE3.
[PE3] bgp 100

# Configure PE2.
[PE2] bgp 100
# Configure PE4.
[PE4] bgp 100
After the configuration, run the display bgp vpnv6 all peer command on a PE, and you can see
that the BGP peer relation between the PE and CE is in Established state.
3.3.3.3 4 100 70 81 0 01:00:23 Established 3
vpn6 instance vpn1 :

2001::1 4 65410 16 12 0 00:06:42 Established 3
Step 7 On CE1, enable load balancing for the traffic from CE1 to CE2.
[CE1] bgp 65410
[CE1-bgp-af-ipv6] maximum load-balancing 2
Step 8 Configure a routing policy. Increase the MED value of the BGP route advertised by PE3 to CE2
and ensure that the traffic from CE2 to CE1 can pass through PE4. PE3 functions as a backup.
[PE3] route-policy policy1 permit node 10
[PE3-route-policy] apply cost 120
[PE3] bgp 100
[PE3-bgp6-vpn1] peer 2003::1 route-policy policy1 export


Check the BGP IPv6 routing table of CE2. You can see that the MED value of the route to
2005::/64 advertised by the PE3 is 120. This value is greater than the MED value of the route
advertised by the PE4. Therefore, the route advertised by the PE4 is selected. By default, the
MED value is 0.
<CE2> display bgp ipv6 routing-table


MED : 0 PrefVal : 0
Label :
Path/Ogn : ?

MED : 120 PrefVal : 0
Label :
Path/Ogn : 100 ?
*
MED : PrefVal : 0
Label :
Path/Ogn : 100 65410 ?

MED : PrefVal : 0
Label :
Path/Ogn : 100 ?
*
Label :
Path/Ogn : 100 65410 ?

MED : 0 PrefVal : 0
Label :
Path/Ogn : ?
*
Label :
Path/Ogn : 100 ?

MED : 0 PrefVal : 0
Label :
Path/Ogn : ?

MED : 0 PrefVal : 0
Label :
Path/Ogn : ?

*
MED : 0 PrefVal : 0
Label :
Path/Ogn : 100 ?

MED : 0 PrefVal : 0
Label :
Path/Ogn : ?

MED : PrefVal : 0
Label :
Path/Ogn : 100 65410 ?
*
Label :
Path/Ogn : 100 65410 ?

MED : 0 PrefVal : 0
Label :
Path/Ogn : ?

MED : 0 PrefVal : 0
Label :
Path/Ogn : ?

MED : 0 PrefVal : 0
Label :
Path/Ogn : ?
Run the display ipv6 routing-table command on CE2, and you can see the routes to the users
connected to the peer CE1. The next hop of the route is 2004::2, which is the IPv6 address of
the interface of PE4 connected to CE2.
<CE2> display ipv6 routing-table

Age : 9051sec

Age : 1302sec



Age : 1470sec

Age : 1695sec

Age : 1695sec

Age : 3851sec

Age : 3851sec

Age : 1471sec

Interface : LoopBack1 Protocol : Direct
Age : 3840sec

Age : 3840sec

Age : 3860sec
If the configuration is successful:

Run the display ipv6 routing-table command on CE1, and you can see the routes to the users
connected to the peer CE2. The routes work in load balancing mode.
[CE1] display ipv6 routing-table



Age : 11041sec

Age : 1592sec

Age : 1592sec

Age : 7736sec

Age : 7736sec

Interface : GigabitEthernet1/0/0 Protocol : BGP
Age : 1242sec

Age : 1760sec

Interface : LoopBack1 Protocol : Direct
Age : 8137sec

Age : 8137sec

Age : 1760sec


Age : 1242sec

Age : 8137sec
----End
Configuration Files
#
sysname CE1
#
ipv6
#
vlan batch 101 102 1001
#
interface Vlanif101
ipv6 enable
#
interface Vlanif102
ipv6 enable
#
ipv6 enable
#
#
#
#
bgp 65410
router-id 10.10.10.10
#
ipv6-family unicast
import-route direct
maximum load-balancing 2
peer 2001::2 enable
peer 2002::2 enable
#
return

#
sysname PE1
#
ipv6

#
vlan batch 10 101
#
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0001.00
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif101
ipv6 enable
ipv6 address 2001::2 64
#
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
isis enable 1
#
bgp 100
#
ipv4-family unicast
peer 3.3.3.3 enable
#
ipv6-family vpnv6
policy vpn-target
peer 3.3.3.3 enable
#
import-route direct
#
Return
#
sysname PE2
#
ipv6
#
vlan batch 20 102
#
#

mpls lsr-id 2.2.2.2

mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0002.00
#
interface Vlanif20
ip address 100.2.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif102
ipv6 enable
#
#
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
isis enable 1
#
bgp 100
#
ipv4-family unicast
peer 4.4.4.4 enable
#
ipv6-family vpnv6
policy vpn-target
peer 4.4.4.4 enable
#
import-route direct
#
Return
#
sysname P1
#
vlan batch 10 30
#
mpls lsr-id 5.5.5.5
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0005.00
#
interface Vlanif 10
ip address 100.1.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif 30

ip address 100.3.1.1 255.255.255.252

isis enable 1
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 5.5.5.5 255.255.255.255
isis enable 1
#
Return
#
sysname P2
#
vlan batch 20 40
#
mpls lsr-id 6.6.6.6
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0006.00
#
interface Vlanif20
ip address 100.2.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif40
ip address 100.4.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 6.6.6.6 255.255.255.255
isis enable 1
#
Return
sysname PE3
#
ipv6
#
vlan batch 30 103
#

#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0003.0
#
interface Vlanif30
ip address 100.3.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
ipv6 enable
#
#
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
isis enable 1
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.1 enable
#
ipv6-family vpnv6
policy vpn-target
peer 1.1.1.1 enable
#
peer 2003::1 route-policy policy1 export
import-route direct
#
route-policy policy permit node 10
apply cost 120
#
return
#
sysname PE4
#
ipv6
#
vlan batch 40 104
#
#
mpls lsr-id 4.4.4.4
mpls
#

mpls ldp
#
isis 1
network-entity 10.0000.0000.0004.00
#
interface Vlanif40
ip address 100.4.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
#
#
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
isis enable 1
#
bgp 100
#
ipv4-family unicast
peer 2.2.2.2 enable
#
ipv6-family vpnv6
policy vpn-target
peer 2.2.2.2 enable
#
import-route direct
#
Return
#
sysname CE2
#
vlan batch 103 104 1002
#
ipv6 enable
#
ipv6 enable
#
ipv6 enable
#
#

#
#
bgp 65420
router-id 20.20.20.20
#
ipv6-family unicast
import-route direct
peer 2003::2 enable
peer 2004::2 enable
#
Return
4.11.6 Example for Configuring a VPNv6 RR

To reduce the MP-IBMP connections between PEs and the load on PEs in IPv6 VPN deployment,
you can configure a P or PE in the same AS as the route reflector to reflect VPNv6 routes. This
facilitates maintenance and management of routes.
Figure 4-7 Networking diagram for configuring the VPNv6 route reflector
Loopback1
2.2.2.9
GE1/0/0 GE2/0/0
100.1.2.2/24 100.2.3.1/24
RR1
VLAN 10 VLAN 20
AS100
PE1 PE2
GE1/0/0 GE1/0/0
Loopback1 100.1.2.1/24 100.2.3.2/24 Loopback1
1.1.1.9 3.3.3.9
GE2/0/0 GE2/0/0
2001::2/64 2002::2/64
VLAN 30 VLAN 40
GE1/0/0 GE1/0/0
2001::1/64 2002::1/64
CE1 CE2
AS 65410 AS 65420
As shown in Figure 4-7, PE1, PE2, and RR1 are located in AS100 on the backbone network.
CE1 and CE2 belong to VPNA. You need to configure RR as the router reflector.

1. Set up MP-IBGP connections between the PEs and RR so that the PEs do not need to set
up an MP-IBGP connection.
2. Set up EBGP connections between the PEs and CEs.
3. Set up an MPLS LSP on the public network and enable MPLS LDP on the devices and
interfaces along the LSP.
4. Configure RR to accept all the VPNv6 routing information without filtering the routing
information based on VPN targets. Then the RR can save all the VPN-IPv6 routes sent
from PE1 and PE2 and advertises the VPN-IPv6 routes to the PEs.
Data Preparation
l MPLS LSR-IDs of PEs and RR

l Routing protocol used to exchange routing information between the PEs and CEs (EBGP
in this example)
l Convergence priorities of the routes in the VPN instances
l Name of the RD filter and name of the routing policy
Configuration Procedure
1. Configure an IGP protocol on the MPLS backbone network to implement interworking of
devices along the LSP.
OSPF is used as the IGP protocol in this example. The configuration procedure is not
mentioned here.
NOTE
The address of the loopback interface, which functions as the LSR ID, must be advertised.
After the configuration, devices along the LSP can learn the address of the loopback
interface of each other.

2.2.2.9/32 OSPF 10 1 D 100.1.2.2 Vlanif10
3.3.3.9/32 OSPF 10 3 D 100.1.2.2 Vlanif10
100.1.2.0/24 Direct 0 0 D 100.1.2.1 Vlanif10
100.2.3.0/24 OSPF 10 2 D 100.1.2.2 Vlanif10
2. Set up an LSP on the MPLS backbone network.

Enable MPLS and MPLS LDP on the devices and interfaces along the LSP. The
After the configuration, run the display mpls ldp session command, and you can see in
the display that the Session State item is Operational.
Take the display on PE1 and RR as an example:

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
<RR> display mpls ldp session

----------------------------------------------------------------------
----------------------------------------------------------------------
----------------------------------------------------------------------
3. Configure IPv6 VPN instances on PEs.

For the configuration procedure, see Example for Configuring BGP/MPLS IPv6 VPN.
4. Set up the EBGP peer relation between PEs and CEs to import VPN routes.
For the configuration procedure, see Example for Configuring Hub&Spoke (Using
BGP4+).
5. Set up the MP-IBGP peer relation between PEs and RR.
# Configure PE1.
<PE1> system-view
[PE1] bgp 100
# Configure RR.
<RR> system-view
[RR] bgp 100
[RR-bgp] peer 1.1.1.9 as-number 100
[RR-bgp] peer 1.1.1.9 connect-interface loopback 1
[RR-bgp] peer 3.3.3.9 as-number 100
[RR-bgp] peer 3.3.3.9 connect-interface loopback 1
[RR-bgp] ipv6-family vpnv6
[RR-bgp-af-vpnv6] peer 1.1.1.9 enable
[RR-bgp-af-vpnv6] peer 3.3.3.9 enable
[RR-bgp-af-vpnv6] quit
[RR-bgp] quit
# Configure PE2.

The configuration of PE2 is similar to the configuration of PE1, and is not mentioned.
After the configuration, run the display bgp vpnv6 all peer command on the PEs, and you
can see that the IBGP peer relation is set up between the PEs and RR and is in Established
state. The EBGP relation is set up between the PE and CEs.
Take the display on PE1 and RR as an example.

Local ASN : 100
2.2.2.9 4 100 15 17 0 00:13:11 Established 0
vpn6 instance VPNA :

2001::1 4 65410 9 10 0 00:06:41 Established 0
6. Enable the route reflection function on the RR.

# Configure RR.
[RR] bgp 100
[RR-bgp] ipv6-family vpnv6
[RR-bgp-af-vpnv6] reflector cluster-id 100
[RR-bgp-af-vpnv6] peer 1.1.1.9 reflect-client
[RR-bgp-af-vpnv6] peer 3.3.3.9 reflect-client
[RR-bgp-af-vpnv6] undo policy vpn-target
[RR-bgp-af-vpnv6] quit

Display the VPN routing table on a PE, and you can see the route to the remote CE.
<PE1> display ipv6 routing-table vpn6-instance VPNA
Routing Table : VPNA

Age : 10936sec

Age : 10936sec

NextHop : ::FFFF:3.3.3.9 Preference : 255
Interface : NULL0 Protocol : BGP
State : Active Adv GotQ Cost : 0
Tunnel ID : 0x6002d20 Label : 15360
Age : 1753sec

Age : 10940sec

If CE1 and CE2 can ping each other, it indicates that the route reflection function is
configured successfully.
Configuration Files
#
sysname PE1
#
ipv6
#
vlan batch 10 30
#
ipv6 vpn6-instance VPNA
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 100.1.2.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ipv6 enable
ipv6 binding vpn6-instance VPNA
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 2.2.2.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 2.2.2.9 enable
#
ipv6-family vpn6-instance VPNA
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 100.1.2.0 0.0.0.255
#
return
l Configuration file of RR

#
sysname RR
#
ipv6
#
vlan batch 10 20
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 100.1.2.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif20
ip address 100.2.3.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv6-family vpnv6
peer 1.1.1.9 enable
peer 1.1.1.9 reflect-client
peer 3.3.3.9 enable
peer 3.3.3.9 reflect-client
#
ospf 1
area 0.0.0.0
network 100.1.2.0 0.0.0.255
network 100.2.3.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
#
sysname PE2
#
ipv6
#
vlan batch 20 40
#
ipv6 vpn6-instance VPNA


#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address 100.2.3.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
ipv6 enable
ipv6 binding vpn6-instance VPNA
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 2.2.2.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 2.2.2.9 enable
#
ipv6-family vpn6-instance VPNA
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 100.2.3.0 0.0.0.255
#
return
#
sysname CE1
#
ipv6
#
vlan batch 30
#
interface Vlanif30
ipv6 enable
#
#
bgp 65410

#
ipv6-family unicast
peer 2001::2 enable
import-route direct
#
return

#
sysname CE2
#
ipv6
#
vlan batch 40
#
interface Vlanif40
ipv6 enable
#
#
bgp 65420
#
ipv6-family unicast
peer 2002::2 enable
import-route direct
#
return

Configuration Guide - VPN 5 VLL Configuration
5 VLL Configuration
About This Chapter
This chapter describes how to configure a VLL to transparently transmit data on the MPLS
network.
5.1 Introduction to VLL

A Virtual Leased Line (VLL) emulates the traditional leased line on the IP network, and provides
asymmetric and low-cost digital data network (DDN) services. For users on both ends of a VLL,
the VLL is similar to the traditional leased line. As a point-to-point virtual private line
technology, VLL supports nearly all link layer protocols.
5.2 VLL Features Supported by the S7700
VLL can be implemented in four modes, namely, Circuit Cross Connect (CCC), Switched
Virtual Circuit (SVC), Kompella, and Martini. VLL also supports inter-Autonomous System
(inter-AS) applications.
5.3 Configuring CCC VLL
This section describes how to configure a CCC VLL. The CCC VLL transmits data by adding
a one-layer label to the data. Being configured by the administrator, the CCC VLL is applicable
to an MPLS network of the small size and simple topology. The CCC VLL needs no signaling
negotiation and control packet exchange, and thus consumes fewer resources and is easy to
understand. Nevertheless, the CCC VLL has poor scalability and is inconvenient to maintain.
5.4 Configuring the SVC VLL
This section describes how to configure an SVC VLL. After the SVC VLL is configured, L2VPN
information can be transmitted without the usage of any signaling protocol.
5.5 Configuring Martini VLL
This section describes how to configure a Martini VLL. To configure the Martini VLL, you need
to establish the point-to-point link to implement L2VPN, and use the Label Distribution Protocol
(LDP) to transmit Layer 2 information and VC labels.
5.6 Configuring Kompella VLL
This section describes how to configure a Kompella VLL. To configure the Kompella VLL, you
need to establish the Kompella VLL on the MPLS network in end-to-end (CE-to-CE) mode, and
use the Border Gateway Protocol (BGP) to transmit Layer 2 information and VC labels.
5.7 Configuring Inter-AS Martini VLL

If the MPLS backbone network on which a Martini VLL is set up spans multiple ASs, you can
configure the Martini VLL to be an inter-AS Martini VLL.
5.8 Configuring the Inter-AS Kompella VLL
If the MPLS backbone network on which Kompella VLLs are configured spans multiple ASs,
and the Kompella VLLs are in a great number, you can adopt the multi-hop inter-AS solution.
5.9 Configuring VLL FRR
This section describes how to configure VLL Fast Re-route (FRR). After VLL FRR is
configured, the VLL traffic is switched to the secondary path if the primary path fails. If the
primary path recovers, the VLL traffic can be switched back to it according to the revertive
switching policy.
5.10 Maintaining VLL
This section describes how to maintain a VLL. Detailed operations include resetting the BGP
connection of the VLL, and monitoring the L2VPN running status.
Each configuration example consists of such information as the networking requirements,
configuration notes, and configuration roadmap.

5.1 Introduction to VLL

A Virtual Leased Line (VLL) emulates the traditional leased line on the IP network, and provides
asymmetric and low-cost digital data network (DDN) services. For users on both ends of a VLL,
the VLL is similar to the traditional leased line. As a point-to-point virtual private line
technology, VLL supports nearly all link layer protocols.
Traditional VPNs are based on Asynchronous Transfer Mode (ATM) or Frame Relay (FR) ,
where different VPNs can share the network structure of carriers. Traditional VPNs have the
following disadvantages:
l Dependence on special media (such as ATM or FR): The carriers must establish ATM
networks or FR networks for ATM-based or FR-based VPNs across the country. This is a
waste of network construction.
l Complicated VPN structure: when a site is added to an existing VPN, it is necessary to
modify the configuration of all the edge nodes that access the VPN site.
To avoid the preceding disadvantages, new solutions are introduced. Virtual Leased Line (VLL)
based on Multiprotocol Label Switching (MPLS) L2VPN is one of the solutions.
NOTE
VLL in this chapter refers to VLL based on MPLS L2VPN, unless otherwise specified.
The VLL provides Layer 2 VPN services on the MPLS network. It allows the establishment of
L2VPNs on different media including VLAN, Ethernet. At the same time, the MPLS network
provides traditional IP services, MPLS L3VPN, traffic engineering and QoS.
The VLL transfers Layer 2 data of the user transparently on the MPLS network. An MPLS
network is a Layer 2 switching network on which used to establish Layer 2 connections are
established between nodes.
Compared with BGP/MPLS VPN, VLL has the following advantages:
l High scalability: The VLL establishes layer 2 link relationships. It does not import and
manage the routing information of the user. It significantly reduces the load of the PE device
and SP network. This enables the carrier to support more VPNs and more users.
l Reliability and guaranteed security of private routing information: The VLL cannot obtain
and process VPN routing information because it is not imported.
l Support for network layer protocols such as IP, IPX, and SNA.
Figure 5-1 shows the model of VLL.
Figure 5-1 VLL model
AC VC AC
Tunnel
CE PE MPLS Network PE CE

l Attachment Circuit (AC) : AC is an independent link or circuit that connects CE and PE.
The AC interface may be a physical interface or a logical interface. The AC attributes
include the encapsulation type, MTU and interface parameters of specified link type.
l Virtual Circuit (VC) : It refers to a kind of logical connection between two PEs.
l Tunnel (Network Tunnel) : It transmits the user data transparently.
Through the label stack, VLL can realize the transparent transmission of user datagram in an
MPLS network.
l Outer label: The label, which is also called tunnel label, is used in transferring packets from
one PE to another.
l Inner label: The label, which is also called VC label in VLL, is used to identify different
links between VPNs. The PE on the receiver side transfers packets to the corresponding
CE according to the VC label.
Figure 5-2 shows the packet label change in the forwarding process.
Figure 5-2 VLL label processing

CE 1 PE 1 P PE 2 CE 2
L2PDU T V L2PDU T' V L2PDU L2PDU
Figure 5-2 shows the Layer 2 Protocol Data Unit (PDU) that is the link layer packet.
Here, T represents Tunnel label; V represents VC label; T' indicates that the outer label is
substituted in the forwarding process.
5.2 VLL Features Supported by the S7700

VLL can be implemented in four modes, namely, Circuit Cross Connect (CCC), Switched
Virtual Circuit (SVC), Kompella, and Martini. VLL also supports inter-Autonomous System
(inter-AS) applications.
CCC VLL
The Circuit Cross Connect (CCC) implements the VLL by static configuration.
Unlike common VLL, the CCC adopts one label to transfer user data, so it uses the LSP
exclusively. These LSPs can only be used to transfer the data of this CCC link, and cannot be
used in other VLL links, BGP/MPLS VPN, or used to transfer common IP packets.
The two types of CCC connection are as follows:
l Local connection: refers to the connection between two local CEs. The two CEs are
connected to the same PE. Similar to a layer 2 switch, PE can directly transport packets
without configuring static LSP.
l Remote connection: refers to the connection between local CE and remote CE. The two
CEs are on different PEs. In this case, static LSP configuration is needed to transfer packets

from one PE to another PE. Configuration command is run on the PE to map the static LSP
to the CCC connection.
SVC VLL
The SVC implements VLL through static configuration. The SVC transfers L2VPN information
without using the signaling protocols. The VC label needs to be configured manually.
While creating the static L2VC connection of SVC, specify the tunnel type (LDP LSP or CR-
LSP) by configuring the tunnel policy.
The SVC supports inter-AS L2VPN in multi-hop mode. It does not support local connection.
NOTE
The incoming label of the CCC and receive label of the SVC all range from 16 to 1023. They are in the
same label space with those reserved for static LSPs. The outgoing label of CCC and the transmit label of
SVC, however, ranges from 0 to 1048575 because it is for intercommunication.
Martini VLL
The Martini mode implements the L2VPN by setting up a point-to-point link. It takes LDP as
the signaling protocol to transfer Layer 2 information and VC labels.
The Martini VLL adopts VC-type plus VC-ID to identify a VC between two CEs.
l VC-type: indicates the type of the VC, such as Ethernet and VLAN.
l VC-ID: A VC ID and a VC type uniquely identify a VC on a PE.
The PEs connecting two CEs exchange VC labels through LDP, and bind the corresponding CE
by VC-ID.
A VC is set up when all the following conditions are satisfied:
l The tunnel between the two PEs is successfully created.
l The label exchange and the binding with CE are completed.
l The state of the two interfaces of AC is Up.
In order to exchange VC labels between PEs, the Martini extends LDP by adding the FEC type
in the VC FEC. For remote connections, the two PEs that exchange the VC label cannot be
directly connected; therefore, the remote LDP session must be set up to convey the VC FEC and
the VC label.
Martini supports inter-AS L2VPN in multi-hop mode. However, it does not support local
connection.
Kompella VLL
The Kompella mode takes BGP as the signaling protocol to transfer Layer 2 information and
VC labels. It realizes the L2VPN by means of end-to-end (CE to CE) in the MPLS network.
The Kompella VLL is different from Martini. That is, it does not operate on the connection
between the CEs directly. It allocates different VPNs in the whole SP network and encodes each
CE in the VPN. Similar to BGP/MPLS VPN, the Kompella VLL uses VPN targets to identify
different VPNs that make the VPN networking more flexible.
To connect two CEs, you need to configure the local CE ID and remote CE ID on the PE.

The Kompella supports both local and remote connections. It supports inter-AS L2VPN in the
following two modes:
l Multi-hop mode: adopts routes with BGP label.
l MP-EBGP mode: saves label block on the ASBR.
The Kompella VLL adopts the label block to allocate the labels. Through the label blocks, labels
can be allocated to connections at the same time.
Users specify the local CE range that indicates the number of CEs that can be connected with
this CE. The PE assigns a label block for this CE. The size of the label block is equal to the CE
range. In this manner, the users can reserve some extra labels for the VPN for future use. On a
short term basis, it is a waste of label resources, but it reduces the workload of VPN deployment
and configuration in expansion.
Suppose an enterprise VPN has 10 CEs and the number may increase to 20 due to its service
expansion in future. The CE range of each CE can be set to 20 to meet future expansion. If the
VPN adds nodes in the future, it is necessary to modify the configuration of the PE that is directly
connected with the new CE, without modifying other PEs.
Inter-AS VLL
The realization of an inter-AS VLL depends on the actual environment. In CCC mode, the label
is of single layer. Therefore, the inter-AS can be realized after the static LSP is set up between
the ASBRs.
SVC, Martini and Kompella modes can realize the inter-AS Option A (VRF-to-VRF) . In the
L2VPN networking, the link type between the ASBRs and that of the VC must be the same. In
the inter-AS Option A, each ASBR must reserve a sub-interface for each inter-AS VC. If the
number of the inter-AS VCs is small, the Option A can be adopted. Compared with the L3VPN,
the inter-AS Option A of the L2VPN consume more resources,so it is not recommended.
Option C is a better solution. The SP network devices need only set up the outer tunnel on the
PEs of different ASs. The ASBR need not maintain information about the inter-AS L2VPN. The
ASBR also need not reserve interfaces for the inter-AS L2VPN. L2VPN information is
exchanged only between PesPEs only. The exchange requires a low consumption of resources,
and the configuration workload does not increase.
The S7700 does not support Option C.
Access Mode
When configuring a VLL, you need to configure the interface (that is, AC interface) connecting
the PE to the CE.
On the S7700, a VLL supports the following interfaces to be configured as AC interfaces:
l XGE interfaces
l XGE sub-interfaces
l GE interfaces
l GE sub-interfaces
l Ethernet interfaces
l Ethernet sub-interfaces
l Eth-Trunk interfaces

l Eth-Trunk sub-interfaces
l VLANIF interfaces
The sub-interfaces can be dotlq sub-interfaces, QinQ sub-interfaces, VLAN mapping sub-
interfaces, or VLAN stacking sub-interfaces.
When XGE, GE, Ethernet, or Eth-Trunk interfaces are used as AC interfaces, the outer tags
carried in the packets sent from the AC to the PW are C tags (inserted by customer devices,
which are meaningless to the SP) by default.
When sub-interfaces or VLANIF interfaces are used as AC interfaces, the outer tags carried in
the packets sent from the AC to the PW are S tags (inserted by SP devices, which are usually
used to differentiate user traffic) by default.
NOTE
l Only VLANIF interfaces can function as the AC interfaces for VLL connections in CCC mode.
l By default, physical interfaces on the S7700 are Layer 2 interfaces. When using XGE, GE, Ethernet,
or Eth-Trunk interfaces on the S7700 as AC interfaces, you need to run the undo portswitch command
to switch Layer 2 interfaces to Layer 3 interfaces.
l When using GE, XGE, Ethernet, or Eth-Trunk interfaces as AC interfaces, ensure that these interfaces
do not contain any sub-interfaces.
For details on how to access the VLL through a sub-interface, see Connecting Sub-interfaces to
a VLL Network in the Quidway S7700 Smart Routing Switch Configuration Guide -
Ethernet.
Processing Tags Carried in Packets by the VLL

The system process packets according to the AC interface type and PW encapsulation type.
The PW encapsulation types can be classified into Ethernet encapsulation and VLAN
encapsulation.
l When VLANIF interfaces or sub-interfaces function as AC interfaces, the VLAN
encapsulation is adopted by default.
l When Ethernet, GE, XGE, or Eth-Trunk interfaces function as AC interfaces, the Ethernet
Table 5-1 Processing VLAN tags carried in packets from the AC by the PW
PW Encapsulation Type Processing of the VLAN Tag
VLAN encapsulation Do not process the S tag carried in a packet.
Ethernet encapsulation If an S tag is carried in a packet, delete the S

tag from the packet.
If no S tag is carried in a packet, do not
process the packet.

Table 5-2 Processing VLAN tags carried in packets from the PW by the AC
AC Interface Type Processing of the VLAN Tag
Ethernet, GE, XGE or Eth-Trunk interface Do not process the packet.
VLANIF interface If an S tag is carried in a packet, rewrite the S

tag.
If no S tag is carried in a packet, add an S tag
in the packet.
VLAN stacking sub-interface If an S tag is carried in a packet, delete the S

process the packet.
VLAN mapping sub-interface If an S tag is carried in a packet, rewrite the S

tag.
in the packet.
NOTE
The added or replaced tag is the VLAN tag on the
interface where VLAN mapping is not performed.
Dot1q sub-interface If an S tag is carried in a packet, do not process

the packet.
in the packet.
NOTE
If Ethernet encapsulation is adopted, the packets
sent from the PW to the AC do not carry any S tag.
In this case, the Dotlq sub-interface is required to
allow packets of only one VLAN to pass.
QinQ sub-interface If an S tag is carried in a packet, rewrite the S

tag.
in the packet.
NOTE
When VLL or VPLS is deployed on the F48CEAT, G48SFA, or G48TFA, if the PVID on the outbound
interface is the same as the VLAN ID of the packets, the interface removes the VLAN tag from the packet;
otherwise, the VLAN tag is not removed.
VLL FRR
With the wide applications of VLLs, the requirement for the reliability of VLLs becomes
increasingly high, especially for L2VPNs that carry real-time services such as VoIP and IPTV.
Virtual Lease Line Fast Reroute (VLL FRR) is one of the solutions to increasing the reliability
of L2VPNs.
VLL FRR is mainly used in the following networking mode:

l Asymmetrically connected CEs

One CE is connected to a PE through an AC and the other CE is dual-homed to PEs through
two ACs, as shown in Figure 5-3.
Figure 5-3 Asymmetrically connected CEs
P1 PE2
PE1
VPN backbone AC2

CE1 AC1 AC3 CE2
PE3 Site2
Site1 P2
GR
The VLL in Martini mode supports graceful restart (GR). In this manner, after the device
performs the switchover, the VC labels remain unchanged. During the switchover, the VC keeps
Up. The packet forwarding on the VC is not affected by the switchover.
5.3 Configuring CCC VLL

This section describes how to configure a CCC VLL. The CCC VLL transmits data by adding
a one-layer label to the data. Being configured by the administrator, the CCC VLL is applicable
to an MPLS network of the small size and simple topology. The CCC VLL needs no signaling
negotiation and control packet exchange, and thus consumes fewer resources and is easy to
understand. Nevertheless, the CCC VLL has poor scalability and is inconvenient to maintain.
CCC is applicable to the small-sized MPLS networks that has simple topology. CCC needs to
be configured manually. CCC does not need signaling negotiation or packet interaction. The
resource consumption is low and the configuration is simple. However, CCC is not easy to be
maintained and the extensibility is poor.
You need to configure interface connecting the PE to the CE (namely the AC interface) before
configuring a CCC.
NOTE
On an S7700, only the VLANIF interface can be configured as the AC interface of CCC connection.

Before configuring the CCC VLL, complete the following task:
l Configuring the basic MPLS capability on the MPLS backbone network (PEs and P)
Data Preparation
To configure the CCC VLL, you need the following data.
No. Data
1 Name of a CCC connection
2 Connection type: local connection or remote connection
3 Local CCC connection: the types and numbers of the incoming and outgoing
interfaces
4 Remote CCC connection: the type and number of the incoming interface, the IP
address of the next-hop or the type and number of the outgoing interface
5 Remote CCC connection: the in-label and out-label values of LSRs
Choose 5.3.3 Creating a Local CCC Connection or 5.3.4 Creating a Remote CCC
Connection according to the required connection type.
5.3.2 Enabling the MPLS L2VPN

Before configuring a CCC VLL, you must enable MPLS L2VPN.
Context
Do as follows on the PEs of the two ends of the VC:
Procedure
Step 1 Run:
system-view

Step 2 Run:
mpls l2vpn
The MPLS L2VPN is configured.
----End
5.3.3 Creating a Local CCC Connection

This part describes how to create a local CCC connection. To create the local CCC connection,
you need to only configure the incoming and outgoing interfaces of the CCC connection on a
local PE. The local CCC connection is bidirectional and thus only one such connection needs
to be created.

Context
The local CCC connection is bidirectional, and thus only one connection is required.
Do as follows on the PEs:
Procedure
Step 1 Run:
system-view

Step 2 Run:
ccc ccc-connection-name interface interface-type1 interface-number1 [ raw |
tagged ] out-interface interface-type2 interface-number2 [ raw | tagged ]
A local CCC connection is created.

The S7700 can create a local CCC connection only on the VLANIF interface. By default, the
raw encapsulation type is adopted.
----End
Follow-up Procedure
After the configuration mentioned above on the PE, a local CCC connection is created.
5.3.4 Creating a Remote CCC Connection

This part describes how to create a remote CCC connection. To create the remote CCC
connection, you need to configure the incoming and outgoing interfaces and set the incoming
label and outgoing label for the CCC connection on the local and remote PEs. In addition, you
need to configure two bidirectional static LSPs on the P device. The remote CCC connection is
unidirectional and thus two such connections need to be created.
Procedure
l Configuring the PE
1. Run:
system-view

2. Run:
ccc ccc-connection-name interface interface-type1 interface-number1 [ raw
| tagged ] in-label in-label-value out-label out-label-value nexthop
nexthop-address [ control-word | no-control-word ]
A remote CCC connection is configured.

On the PE or P, the remote CCC connection can be configured only on the VLANIF
interface. You must use nexthop to specify the IP address of the next hop. By default,
the remote CCC connection adopts the raw encapsulation type.
l Configuring P

Do as follows on the Ps that the VC passes through:

1. Run:
system-view

2. Run:
static-lsp transit lsp-name incoming-interface interface-type interface-
number in-label in-label nexthop nexthop-address out-label out-label
The P device is configured as a transit LSR of the static LSP.

It is not necessary to configure static LSPs on the PEs for the CCC connection. You
should configure a bidirectional transit static LSP on all the P devices between the
PEs. These LSPs are used to transfer the data of this CCC exclusively. Furthermore,
MPLS L2VPN need not be enabled on the P devices.
When you configure the outgoing interfaces of the CCC remote connection, the
outgoing interfaces must be VLANIF interface
You must use the nexthop to specify the IP address of the next hop.
----End

After a CCC VLL is configured, you can view information about the CCC connection and
interfaces of the CCC connection.
Prerequisite
The configurations of the CCC VLL function are complete.
Procedure
l Run the display vll ccc [ ccc-name | type { local | remote } ] command to check the CCC
connection information.
l Run the display l2vpn ccc-interface vc-type ccc [ down | up ] command to check the
interface information of the CCC connection.
----End
Example
Run the display vll ccc command. You can find that the status of the CCC VC is Up. For example:
Information about the local connection is as follows:
<Quidway> display vll ccc
total ccc vc : 1
local ccc vc : 1, 1 up
remote ccc vc : 0, 0 up
name: CE1-CE2, type: local, state: up,
intf1: Vlanif10 (up), intf2: Vlanif20 (up)
VC last up time : 2008/07/24 12:31:31
VC total up time: 0 days, 2 hours, 12 minutes, 51 seconds
Information about the remote connection is as follows:

<Quidway> display vll ccc

total ccc vc : 1;
name: CE1-CE2, type: remote, state: up,
intf: vlanif11 (up), in-label: 100 , out-label: 200 , nexthop: 10.1.1.1
VC last up time : 2008/07/24 12:31:31
Run the display l2vpn ccc-interface vc-type ccc command. You can find that the VC type is
CCC and the VC status is Up. For example:
<Quidway> display l2vpn ccc-interface vc-type ccc
Total ccc-interface of CCC : 1
up (1), down (0)
Interface Encap Type State VC Type
Vlanif11 ethernet up ccc
5.4 Configuring the SVC VLL

This section describes how to configure an SVC VLL. After the SVC VLL is configured, L2VPN
information can be transmitted without the usage of any signaling protocol.

Before configuring an SVC VLL, familiarize yourself with the applicable environment,
The setup process of the SVC outer label (public network tunnel) is the same as that of the
Martini. Inner label is manually specified, without the signaling transmission of the VC label,
during the VC configuration.
The SVC does not use signaling protocols to transfer L2VPN information. Packets are
transported between the PEs through tunnels.
The SVC supports multiple types of tunnels such as LDP LSP and CR-LSP. By default, the LDP
LSP tunnel is used.
Before configuring SVC VLL, you need to complete the following tasks:
l Configuring the static route or IGP for the MPLS backbone network (PE and P) to
implement IP connectivity
l Enabling the MPLS for PEs
l Establishing a tunnel between PEs according to the tunnel policy
Data Preparation
To configure the SVC VLL, you need the following data.

No. Data
1 Type and number of the interface accessing CE
2 Destination LSR ID of SVC
3 In-label and out-label values of L2VPN connection
4 Tunnel policy of the SVC
5.4.2 Enabling MPLS L2VPN

Before configuring an SVC VLL, you must enable MPLS L2VPN.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
mpls l2vpn
The MPLS L2VPN is enabled.
----End
5.4.3 Creating an SVC VLL Connection

Context
Do as follows on the PEs on the two ends of the VC.
Procedure
Step 1 Run:
system-view

Step 2 Run:

undo portswitch
The Layer 2 interface is configured as a Layer 3 interface.

NOTE
To use an XGE interface, a GE interface, an Ethernet interface, or an Eth-Trunk interface of the S7700 as
the AC interface of the PE, you need to perform step 3 to configure the Layer 2 interface as a Layer 3
interface.
Step 4 Run:
mpls static-l2vc destination ip-address transmit-vpn-label transmit-label-value
receive-vpn-label receive-label-value [ tunnel-policy tnl-policy-name | [ control-
word | no-control-word ] | [ raw | tagged ] ] *
The SVC VLL is created.
----End

After an SVC VLL is configured, you can view information about the SVC connection and
interfaces of the SVC connection.
Prerequisite
The configurations of the SVC VLL function are complete.
Procedure
l Run the display mpls static-l2vc [ interface interface-type interface-number ] command
to check the SVC L2VPN connection information on the PE.
l Run the display l2vpn ccc-interface vc-type static-vc [ down | up ] command to check
the interface information of the SVC connections in Up/Down state.
----End
Example
Run the display mpls static-l2vc command. You can find that the VC status is Up. For example:
<Quidway> display mpls static-l2vc
Total svc connections: 1, 1 up, 0 down
*Client Interface : Vlanif10 is up
AC Status : up
VC State : up
VC ID : 0
VC Type : VLAN
Destination : 3.3.3.9
Transmit VC Label : 100
Receive VC Label : 200
Control Word : Disable
VCCV Capability : alert lsp-ping bfd
Tunnel Policy Name : --
Traffic Behavior : --
PW Template Name : --
Main or Secondary : Main
Create time : 0 days, 0 hours, 6 minutes, 44 seconds
UP time : 0 days, 0 hours, 6 minutes, 44 seconds
Last change time : 0 days, 0 hours, 6 minutes, 44 seconds
VC last up time : 2010/07/24 12:31:31
CKey : 16
NKey : 15
Run the display l2vpn ccc-interface vc-type static-vc up command. You can find that the VC
type is SVC and the status is Up. For example:

<Quidway> display l2vpn ccc-interface vc-type static-vc up

Total ccc-interface of SVC VC: 1
up (1), down (0)
Vlanif1110 vlan up static-vc
5.5 Configuring Martini VLL

This section describes how to configure a Martini VLL. To configure the Martini VLL, you need
to establish the point-to-point link to implement L2VPN, and use the Label Distribution Protocol
(LDP) to transmit Layer 2 information and VC labels.

Before configuring a Martini VLL, familiarize yourself with the applicable environment,
In Martini mode, double-layer labels are adopted. The inner label uses the extended LDP as the
signaling protocol to transmit the Layer 2 information and the VC label.
In Martini mode, an LSP between two PEs can be shared by multiple VCs. Information about
the VC label and LSP is stored only on the PE devices. The P devices do not store any Layer 2
VPN information. Therefore, Martini mode features excellent extensibility. When a new VC is
needed, you only need to configure a unidirectional VC on each PE device of the two ends. The
network operation is not affected.
Before configuring Martini VLL, you need to complete the following tasks:
l Configuring the static route or IGP for the MPLS backbone network (PE or P) to implement
IP connectivity
l Enabling basic MPLS functions on PEs and Ps.
l Establishing an LDP session between PEs which are connected directly, or establishing a
remote LDP session between PEs which are connected indirectly
l Establishing a CR-LSP or LDP LSP tunnel between PEs according to the tunnel policy
Data Preparation
To configure Martini VLL, you need the following data.
No. Data
1 Type and number of the interface accessing CE
2 Destination address and VC ID of L2VC
3 Tunnel policy


Before configuring a Martini VLL, you must enable MPLS L2VPN.
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
mpls l2vpn
----End
5.5.3 Creating a Martini VLL Connection
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
mpls l2vpn
The MPLS L2VPN view is displayed.
Step 3 Run:
The Martini mode is enabled.
NOTE
l By default, the S7700 uses pseudo wire emulation edge-to-edge (PWE3) mode. The PWE3 mode can
use Notification messages to negotiate the PW status. The Martini mode, however, does not support
Notification messages. For details about Notification messages, see the chapter 6.1 Introduction to
PWE3.
l If the peer PE does not support Notification messages, you need to set the mode to Martini by using
the mpls l2vpn default martini command.
l Before using the mpls l2vpn default martini command to enable the Martini mode that does not
support Notification messages, delete the VC configuration related to notification messages, including
the PWE3 configuration and VSI configuration.

Step 4 Run:
quit

Step 5 Run:

undo portswitch
NOTE
the AC interface of the PE, you need to run undo portswitch to configure the Layer 2 interface as a Layer
3 interface.
Step 7 Run:
mpls l2vc { ip-address | pw-template pw-template-name } * vc-id [ group-id group-
id | tunnel-policy policy-name | [ control-word | no-control-word ] | [ raw |
tagged ] | mtu mtu-value | secondary ] *
The Martini VLL is created.
NOTE
The raw and tagged parameters are available only for Ethernet links.
The Martini L2VC requires the VC IDs of the VCs of the same encapsulation type on a PE to
be unique. The change of the encapsulation type may cause collision of VC IDs.
----End

After a Martini VLL is configured, you can view information about the two ends of the Martini
VLL.
Prerequisite
The configurations of the Martini VLL function are complete.
Procedure
l Run the display mpls l2vc [ vc-id | interface interface-type interface-number ] command
to check the Martini VLL connection information on the local PE.
l Run the display mpls l2vc remote-info [ vc-id ] command to check the peer Martini VLL
connection information on the local PE.
----End
Example
Run the display mpls l2vc command. You can find that destination is the peer IP address of
the specified VC and VC state is up. For example:

<Quidway> display mpls l2vc


session state : up
AC status : up
VC state : up
VC ID : 101
VC type : VLAN
forwarding entry : existent
local group ID : 0
link state : up
tunnel policy name : --
VC last up time : 2010-07-24 12:31:31
CKey : 16
NKey : 15
Run the display mpls l2vc remote-info command. You can find that the peer address is the peer
address of the specified VC. For example:
<Quidway> display mpls l2vc remote-info
Total remote ldp vc : 1
Transport Group Peer Remote Remote C MTU/ N S
VC ID ID Addr Encap VC Label Bit CELLS Bit Bit
101 0 3.3.3.9 vlan 2355223552 0 1500 0 0
5.6 Configuring Kompella VLL

This section describes how to configure a Kompella VLL. To configure the Kompella VLL, you
need to establish the Kompella VLL on the MPLS network in end-to-end (CE-to-CE) mode, and
use the Border Gateway Protocol (BGP) to transmit Layer 2 information and VC labels.

Before configuring a Kompella VLL, familiarize yourself with the applicable environment,
The Kompella VLL uses BGP as the signaling protocol to transfer L2VPN information between
PEs.
Similar to BGP/MPLS VPN, Kompella mode uses the VPN target to control the receiving and
sending of the VPN routes. This brings about great flexibility.

The Kompella mode adopts the label block. Each CE is allocated with a label block that decides
this CE can set up how many connections with other CEs. This permits some additional label to
the VPN for the future extensibility. The PEs calculate the inner label according to the label
block.
The Kompella mode supports the local and the remote connection and inter-AS Kompella VLL
Option A.
Before configuring Kompella VLL, complete the following tasks:
l Configuring the static route or IGP for the MPLS backbone network (PE and P) to
implement IP connectivity
l Enabling MPLS for the PE and P
l Establishing tunnels (CR-LSP or LSP) between PEs according to the tunnel policy
NOTE
For the local connection, the IGP and LDP configurations are not required.
Data Preparation
To configure Kompella VLL, you need the following data.
No. Data
1 AS number of local PE and peer PE
2 Name, RD and VPN-Target of the L2VPN connection
3 CE name, CE ID and CE range
4 CE offset

Before configuring a Kompella VLL, you must enable MPLS L2VPN.
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
mpls l2vpn

----End
5.6.3 Configuring BGP/MPLS L2VPN

To configure a local Kompella connection, you do not need to configure the L2VPN capacity
of BGP.
Context
For local connection, the configuration in this section is not required.
Procedure
Step 1 Run:
system-view

Step 2 Run:
bgp as-number

Step 3 Run:
A remote PE is specified as the peer.

Step 4 Run:
An interface to create the TCP connection is specified.

The loopback interface address with 32-bit mask must be used to establish the MP-IBGP peer
relationship between the PEs. This can avoid a situation of packets being unable to find the
correct route due to route aggregation. The route to the loopback interface is advertised to the
peer PE through IGP on the MPLS backbone network.
Step 5 Run:
l2vpn-family
The BGP L2VPN address family view is displayed.

Step 6 Run:
Exchanging routing information with a specified peer is enabled.
----End
5.6.4 Configuring a VPN

In Kompella VLL mode, you must create an L2VPN instance on the PE for each directly
connected CE.

Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
mpls l2vpn l2vpn-name encapsulation { ethernet | vlan } [ control-word | no-control-
word ]
A VPN is created and the MPLS-L2VPN instance view is displayed.

Step 3 Run:
The RD for L2VPN is configured.

mtu mtu-value
The Layer 2 MTU is set for the VPN.

The MTU for the VPN should be consistent in the whole network. If the MTU of the same VPN
on two PEs differs, these two PEs cannot exchange reachability information and cannot set up
connections. By default, the MTU is 1500 in the MPLS-L2VPN instance view.
Devices of some manufacturers do not support the MTU matching check in the L2VPN instance.
When Huawei products are connected with non-Huawei products in Kompella mode, you can
choose one of the following configurations on the S7700:
l Configure the MTU of the L2VPN on the PE to be the same as that of non-Huawei products.
l Use the ignore-mtu-match command to ignore the MTU matching check.
ignore-mtu-match
The MTU matching check is ignored.

Step 6 Run:
vpn-target vpn-target & <1-16> [ both | export-extcommunity | import-extcommunity ]
The VPN target is configured.

The Kompella VLL must create an L2VPN instance on the PE for each directly connected CE.
When an L2VPN is created, the specified encapsulation type must be consistent with that of the
CE interface.
The configuration and usage of the VPN target and RD are completely the same as that of the
BGP/MPLS VPN. It means that the configuration and usage of the VPN target and RD are
omitted here except one point: For Kompella VLL, you must configure RD before configuring
the other commands. The RD cannot be changed once it is configured. The only way to modify
RD is to delete this VLL and re-create one.
----End

5.6.5 Creating a CE Connection

Context
A CE ID is used to uniquely identify a CE in a VPN. It is recommended that the CE IDs are
numbered in series starting from 1.
The CE range indicates the maximum number of CEs that a local CE can connect. According
to the prediction of the VPN expansion, you can configure a CE range larger than what is
required. This can reduce the modification of configurations when CEs are added on the VPN
in future.
You can only increase the CE range. For example, if the CE range is 10, you can increase it to
20, but cannot reduce it to 5. When the CE range is increased from 10 to 20, the system allocates
another label block whose range is 10 instead of releasing the original label block. In this case,
services are not interrupted when the CE range changes. The only way to reduce the CE range
is to delete the CE connection and re-create one.
The CE offset is the CE ID of the other local or remote CE that is connected to this CE.
The default-offset is the default CE offset. You can set the default offset to 0 or 1. Its default
value is 0. If the default offset is 1, you cannot change it to 0.
If the default offset is 0, the CE offset must be less than the CE range. If the default offset is 1,
the CE offset must be not greater than that of the CE range.
For the remote connection, the CE offset must be the same as the CE ID of the remote CE;
otherwise, the connection cannot be set up. For the local connection between two CEs, the offset
of a CE is the CE ID of the other CE.
If the CE offset is not designated when you create a CE connection, pay attention to the following
points:
l For the first connection of this CE, the CE offset defaults to the value of default-offset.
l For other connections, the CE offset is that of the earlier connection plus 1. If the CE offset
of the earlier connection plus 1 is equal to this CE ID, then the CE offset is that of the earlier
connection plus 2.
If the CE ID starting from 1 is numbered in an incremental sequence and the connections are
configured according to this sequence, most connections can use the default CE offset. This
simplifies the configuration.
Procedure
Step 1 Run:
system-view

Step 2 Run:
mpls l2vpn vpn-name

Step 3 Run:
ce ce-name id ce-id [ range ce-range ] [ default-offset ce-offset ]

The CE is created and the MPLS L2VPN CE view is displayed.

Step 4 Run:
connection [ ce-offset id ] interface interface-type interface-number [ tunnel-
policy policy-name ] [ raw | tagged ]
A CE connection is created.
NOTE
All Kompella L2VPN instances and VPLS VSI instances of a device share one label block; therefore, the
sum of the ranges of all Kompella L2VPN instances and VPLS VSI instances cannot exceed the size of
the label block. If the size exceeds the limit, the system prompts that the labels cannot be obtained because
the required labels exceed the upper limit; thus, allocation of a site ID to a VSI or creation of a CE fails.
the AC interface of the PE, you need to perform undo portswitch to configure the Layer 2 interface as a
Layer 3 interface before you run connection command.
----End
5.6.6 (Optional) Configuring BGP L2VPN Features

This part describes how to configure a BGP L2VPN. To configure the BGP L2VPN, you need
to configure the route attributes of the BGP L2VPN, the MultiProtocol-Interior BGP (MP-IBGP)
connection with the peer group, and route reflection of BGP L2VPN routes.
Context
To manage L2VPN label blocks, BGP defines a BGP L2VPN sub-address family view.
This section generalizes BGP configurations related to Kompella L2VPN. For the applications
of each configuration, refer to the related sections.
Procedure
l Configuring BGP L2VPN Route Attributes
NOTE
BGP L2VPN uses the TCP connection the same as the common BGP, and most BGP L2VPN features
inherit the common BGP configurations. You need to enable the capability of exchanging L2VPN
label blocks between BGP peers in the BGP L2VPN sub-address family view because L2VPN label
blocks need to be exchanged.
l Configuring the PE to Establish MP-IBGP Connections with the Peer Group
Add all the client PEs to a peer group and establish an MP-IBGP connection with the peer
group.
1. Run:
system-view

2. Run:
bgp as-number

3. Run:


4. Run:

5. Run:

6. Run:
l2vpn-family
The BGP L2VPN sub-address family view is displayed.

7. Run:
enabled.
8. Run:

l Configuring BGP L2VPN Route Reflection on the RR
1. Run:
system-view

2. Run:
bgp as-number

3. Run:
l2vpn-family
The BGP L2VPN sub-address family view is displayed.

4. Run:
peer { group-name | ip-address } reflect-client
The RR and its client are configured.

5. Run:
The filtering of L2VPN label blocks based on the VPN target is disabled.
6. (Optional) Run:

----End


After a Kompella VLL is configured, you can view BGP and connection information about the
Kompella VLL, L2VPN information on PEs, and information about the route target (RT)
attribute list.
Prerequisite
The configurations of the Kompella VLL function are complete.
Procedure
l Run the display bgp l2vpn { all | group [ group-name ] | peer [ [ peer-ip-address ]
verbose ] | route-distinguisher route-distinguisher [ ce-id ce-id [ label-offset label-
offset ] ] } command to check the BGP information of the Kompella VLL.
l Run the display mpls l2vpn connection [ vpn-name [ remote-ce ce-id | down | up |
verbose ] | summary | interface interface-type interface-number ] command to check the
connection information of the Kompella VLL.
l Run the display mpls l2vpn [ l2vpn-name [ local-ce | remote-ce ] ] command to check the
VLL information on PE.
l Run the display mpls l2vpn { export-route-target-list | import-route-target-list }
command to check the route target list of the L2VPN.
----End
Example
Run the display bgp l2vpn command. You can find that nexthop is the peer address of the VC,
route-distinguisher of the L2VPN is correct, and the label allocation is complete. For example:
<Quidway> display bgp l2vpn all
BGP Local router ID : 1.1.1.9, local AS number : 100
Origin codes:i - IGP, e - EGP, ? - incomplete
bgp.l2vpn: 1 destination
CE ID Label Offset Label Base nexthop pref as-path
2 0 35850 6.6.6.6 100
Run the display mpls l2vpn connection command. You can find that VPN name is correctly
configured, status of the connection is up, and route-distinguisher is correctly configured. For
example:
<Quidway> display mpls l2vpn connection
1 total connections,
connections: 1 up, 0 down, 0 local, 1 remote, 0 unknown
CE name: ce1, id: 1,
Rid type status peer-id route-distinguisher interface
primary or not
----------------------------------------------------------------------------
2 rmt up 3.3.3.9 100:1 GigabitEthernet1/0/0.1
primary
Run the display mpls l2vpn [ l2vpn-name [ local-ce | remote-ce ] ] command. You can find
that route-distinguisher and L2VPN route targets are correctly configured. For example:
<Quidway> display mpls l2vpn vpn1
VPN name: vpn1, encap type: vlan, local ce number(s): 1, remote ce number(s): 1
route distinguisher: 100:1, MTU: 1500
import vpn target: 1:1,
export vpn target: 1:1,

remote vpn site(s) :

no. remote-pe-id route-distinguisher
1 3.3.3.9 100:1
Run the display mpls l2vpn { export-route-target-list | import-route-target-list } command.

You can find that the route target is correctly configured. For example:
<Quidway> display mpls l2vpn import-route-target-list
import vpn target list: 744:7 745:7 746:7 888:8
<Quidway> display mpls l2vpn export-route-target-list
export vpn target list: 755:7 888:8
5.7 Configuring Inter-AS Martini VLL

If the MPLS backbone network on which a Martini VLL is set up spans multiple ASs, you can
configure the Martini VLL to be an inter-AS Martini VLL.

Before configuring an inter-AS Martini VLL, familiarize yourself with the applicable
If the MPLS backbone network bearing the Martini VLL spans multiple ASs, you must configure
the inter-AS Martini VLL.
There are two solutions to the inter-AS Martini VLL:
l Inter-AS Option A: This solution can be easily implemented. When the number of inter-
AS Martini VLLs on ASBRs is small, Option A is recommended.
l Inter-AS Option C: In this solution, ASBRs do not need to create or maintain VCs. When
each AS has a large number of Martini L2VPN routes to be exchanged, Option C can be
used to prevent the ASBR from hindering the network extension.
S7700 does not support Option C.
Before configuring the inter-AS Martini VLL, complete the following tasks:
l Configuring static routes or IGP on the PE or P devices in the MPLS backbone network of
ASs to implement the IP connectivity of the backbone network devices in the same AS
l Configuring the basic MPLS capability on the MPLS backbone network of each AS
l Configuring MPLS LDP and establishing LDP LSP for the MPLS backbone of each AS
Data Preparation
To configure the inter-AS Martini VLL, you need the following data.
No. Data
1 Mode of the inter-AS VPN

No. Data
2 Number of each AS
5.7.2 Configuring Inter-AS Option A

In inter-AS Martini VLL OptionA, each ASBR must reserve a sub-interface for each inter-AS
VC. Therefore, this solution is only applicable to the situation that the number of inter-AS VCs
is small. Compared with L3VPN, this inter-AS L2VPN solution consumes more resources and
requires heavier configuration workload, which is not recommended.
Context
To configure inter-AS Martini VLL Option A, see 5.5.3 Creating a Martini VLL
Connection.
NOTE
l Configuring the ASBR by regarding the peer ASBR as the local CE

l You do not need to perform inter-AS related configurations on the ASBR or to configure the IP
addresses on the ASBR interfaces that directly connect ASBRs.
l If the inter-AS SVC VLL Option A needs to be configured, create the SVC for each AS. For the detailed
configuration, see 5.4.3 Creating an SVC VLL Connection.

After an inter-AS Martini VLL is configured, you can view information about the local PW end
and the remote PW end.
Prerequisite
The configurations of the Inter-AS Martini VLL function are complete.
Procedure
to check information about the local PW on the PE.
l Run the display mpls l2vc remote-info [ vc-id ] command to check information about the
remote PW on the PE.
----End
Example
Run the display mpls l2vc [ vc-id | interface interface-type interface-number ] command. You
can see that VC State is up. For example:
<Quidway> display mpls l2vc interface Vlanif 802
session state : up
AC state : up
VC state : up
VC ID : 11

VC type : VLAN
local VC label : 23552 remote VC label :
23552
local forwarding state : not forwarding
forwarding entry : not exist
link state : down
remote VCCV : none
local control word : disable remote control word : none
NO.0 TNL Type : lsp , TNL ID : 0x202000
VC last up time : 2008-07-24 12:31:31
CKey : 21
NKey : 20
Run the display mpls l2vc remote-info command. You can find that Peer Addr is the peer
100 0 3.3.3.9 vlan 23552 0 1500 1 0
5.8 Configuring the Inter-AS Kompella VLL

If the MPLS backbone network on which Kompella VLLs are configured spans multiple ASs,
and the Kompella VLLs are in a great number, you can adopt the multi-hop inter-AS solution.

Before configuring an inter-AS Kompella VLL, familiarize yourself with the applicable
If the MPLS backbone network of the Kompella VLL covers multiple ASs, you must configure
the inter-AS Kompella VLL.
Two schemes are available for the inter-AS Kompella VLL:

l Inter-AS VPN-Option A
If the number of VPNs and VPN routes on the PE is small, the inter-AS VPN Option A
scheme can be used. When this scheme is used, the ASBR must support VPN instances
and can manage VPN routes. In addition, the ASBR must provide a dedicated interface for
each inter-AS VPN. The interface can be a sub-interface, physical interface, or logical
interface. Therefore, this scheme puts high requirement on the performance of the ASBR.
The ASBR, however, does not need any inter-AS configuration.
l Inter-AS VPN Option C
If each AS has a large number of VPN routes to be exchanged, the VPN Option C can be
used to prevent the ASBR from becoming a bottleneck of the network. If this scheme is
adopted, the VPN routes are exchanged between the ingress PE and egress PE directly, and
are not forwarded or stored by the intermediate devices. This scheme is applicable to the
scenario of load balancing in the MPLS VPN.
Before configuring the inter-AS Kompella VLL, complete the following tasks:
l Configuring static routes or IGP on the PE or P devices in the MPLS backbone network of
the ASs to implement IP networking of the backbone network devices in the same AS
l Configuring the basic MPLS capacity on the MPLS backbone network of each AS
Data Preparation
To configure the inter-AS Kompella VLL, you need the following data.
No. Data
1 Scheme of the inter-AS VPN
2 Number of each AS
5.8.2 Configuring the Inter-AS Kompella VLL Option A

In inter-AS Kompella VLL OptionA, each ASBR must reserve a sub-interface for each inter-
AS VC. Therefore, this solution is only applicable to the situation that the number of inter-AS
VCs is small. Compared with L3VPN, this inter-AS L2VPN solution consumes more resources
and requires heavier configuration workload, which is not recommended.
Context
To configure inter-AS Kompella VLL Option A, see 5.6 Configuring Kompella VLL.
NOTE
l Configuring the ASBR of the remote end as the CE of the local end
l You do not need to perform inter-AS related configurations on the ASBR or to configure the IP
addresses on the ASBR interfaces that directly connect ASBRs.


After an inter-AS Kompella VLL is configured, you can view BGP and connection information
about the Kompella VLL, L2VPN information on PEs, and information about the Route Target
(RT) attribute list.
Prerequisite
The configurations of the Inter-AS Kompella VLL function are complete.
Procedure
l Run the display bgp l2vpn { all | group [ group-name ] | peer [ [ peer-ip-address ]
verbose ] | route-distinguisher route-distinguisher [ ce-id ce-id [ label-offset label-
offset ] ] } command to check BGP information about a Kompella VLL.
verbose ] | summary | interface interface-type interface-number ] command to check
information about the Kompella VLLs.
l Run the display mpls l2vpn [ l2vpn-name [ local-ce | remote-ce ] ] command to check
L2VPN information about a PE.
l Run the display mpls l2vpn { export-route-target-list | import-route-target-list }
command to check the route target list of an L2VPN.
----End
Example
Run the display bgp l2vpn command. You can find that Nexthop is the peer address of the VC,
route-distinguisher of the L2VPN is correct, and the label allocation is complete. For example:
<Quidway> display bgp l2vpn all
BGP Local router ID : 1.1.1.9, local AS number : 100
Origin codes:i - IGP, e - EGP, ? - incomplete
bgp.l2vpn: 1 destination
CE ID Label Offset Label Base nexthop pref as-path
2 0 35850 3.3.3.9 0 100
Run the display mpls l2vpn connection command. You can find that VPN name is correctly
configured, Status of the connection is up, and route-distinguisher is correctly configured. For
example:
<Quidway> display mpls l2vpn connection
VPN name: vpn1,
primary or not
----------------------------------------------------------------------------
1 rmt up 6.6.6.6 1:1 Vlanif222
primary
Run the display mpls l2vpn [ l2vpn-name [ local-ce | remote-ce ] ] command. You can find
that route-distinguisher and L2VPN route targets are correctly configured. For example:
<Quidway> display mpls l2vpn vpn1
VPN name: vpn1, encap type: vlan, local ce number(s): 1, remote ce number(s): 1

route distinguisher: 100:1, MTU: 1500

import vpn target: 1:1,
export vpn target: 1:1,
remote vpn site(s) :
no. remote-pe-id route-distinguisher
1 3.3.3.9 100:1
Run the display mpls l2vpn { export-route-target-list | import-route-target-list } command.

You can find that the route target is correctly configured. For example:
<Quidway> display mpls l2vpn import-route-target-list
import vpn target list: 744:7 745:7 746:7 888:8
5.9 Configuring VLL FRR

This section describes how to configure VLL Fast Re-route (FRR). After VLL FRR is
configured, the VLL traffic is switched to the secondary path if the primary path fails. If the
primary path recovers, the VLL traffic can be switched back to it according to the revertive
switching policy.

VLL FRR Supported by the S7700 is mainly used in the networking modes of asymmetrically
connected CEs:
The CE on one end of the VC accesses the PE of higher reliability through a single reliable link.
The CE on the other end is dual-homed to the PE of lower reliability. Thus, two communication
paths exist between the CEs. The path of higher reliability functions as the master path, and the
path with the lower reliability functions as the backup path.
After the VLL FRR is configured, L2VPN traffic is rapidly switched to the backup path when
a fault occurs on the master path. After the fault on the master path is rectified, the L2VPN traffic
is switched back to the master path according to the revertive switchover policy.
NOTE
For asymmetrically connected CEs, the primary and secondary IP addresses need to be configured on the
interface connecting the CE to the PE through a single link. When the master path is available, the CE uses
the primary IP address to communicate with the remote CE. When a fault occurs on the master path, the
local CE communicates with the remote CE by using the secondary IP address.
Before configuring VPN FRR, complete the following tasks:
l Configuring a PW on each of the master path and backup path for the networking where
CEs are asymmetrically connected to PEs (The types of PWs on the master path and backup
path must be the same.)
l Configuring CEs to exchange routing information by using routing protocols or static routes

NOTE
To configure a Martini VLL or PWE3 for VLL FRR, you must use the PW template to configure a PW,
enable the control word in the PW template.
In the networking where CEs are asymmetrically connected to PEs, the backup PW cannot transmit data
when the master path and backup path work normally. If the AC interface of the backup PW borrows the
IP address of the AC interface of the master PW, the following situations occur:
l The policy of none revertive switchover cannot be configured.
l The local CE has two equal-cost and direct routes to the remote CE. The destination addresses and next
hops of the two routes are the same. Actually, the route that passes through the backup PW is invalid.
l If CEs exchange routing information by using routing protocols, you need to modify the cost or metric
of the AC interface of the backup path to be greater than that of the AC interface of the master path.
The local CE cannot communicate with the peer CE, but can communicate with other user devices.
l If CEs use static routes to exchange routing information, you need to modify the preference of the
backup route to be lower than that of the primary route (the greater the value, the lower the preference)
by using the ip route-static dest-ip-address mask out-interface preference preference-value
command.
Data Preparation
To configure VLL FRR, you need the following data.
No. Data
1 Delay for revertively switching traffic when faults are cleared and the delay for
advertising fault recovery (by default, the delay for revertively switching traffic is 30
seconds and the delay for advertising fault recovery is 10 seconds.)
2 Link type of the AC interface
5.9.2 Configuring Master and Backup PWs

In the networking where CEs are asymmetrically connected to PEs, you need to configure master
and backup PWs.
Context
l In the networking where CEs are asymmetrically connected to PEs, you need to configure
master and backup PWs. The master and backup PWs must be of the same type.
NOTE
VLL FRR supports only LDP PWs and BGP PWs, that is, Martini VLL and Kompella VLL.
When using XGE, GE, Ethernet, or Eth-Trunk interfaces as AC interfaces, you need to run the undo
portswitch command in the current interface view before configuring master and backup PWs.
Procedure
l LDP PW
1. Run:
system-view

2. Run:
mpls l2vpn

3. Run:
The system switches to the Martini mode.
NOTE
Before using the mpls l2vpn default martini command to set the behavior of the dynamic VC
signaling to non-Notification mode, you need to delete the configurations of VCs (including
PWE3 VCs and VPLS VCs) that support the Notification signaling.
4. Run:
quit

5. Run:

6. Run:
mpls l2vc { ip-address | pw-template pw-template-name } * vc-id [ group-
id group-id | tunnel-policy policy-name | [ control-word | no-control-
word ] | [ raw | tagged ] | mtu mtu-value ] *
The master PW is configured.
NOTE
Before using a PW template to create a PW, you need to configure a PW template. For details,
refer to 6.3 Configuring the Attributes of a PW Template.
7. (Optional) Run:
mpls l2vc { ip-address | pw-template pw-template-name } * vc-id [ group-
id group-id | tunnel-policy policy-name | [ control-word | no-control-
word ] | [ raw | tagged ] | mtu mtu-value ] * secondary
The backup PW is configured.
NOTE
l Both master and backup PWs need to be configured on the PE to which a CE is single-
homed. Only the master PW needs to be configured on the PE to which a CE is dual-homed.
l Master and backup PWs must have different VC IDs.
l The control word configuration on the primary and secondary PWs must be the same.
Otherwise, lots of packets will be lost after the primary/secondary PW switchover.
l BGP PW
1. 5.6.2 Enabling MPLS L2VPN.
2. 5.6.3 Configuring BGP/MPLS L2VPN.
3. 5.6.4 Configuring a VPN.
NOTE
After this step, the system enters the MPLS-L2VPN instance view, and then you can perform
Step 4. Otherwise, you need to run the mpls l2vpn l2vpn-name command to enter the MPLS-
L2VPN instance view.

4. Run:
ce ce-name id ce-id [ range ce-range ] [ default-offset ce-offset ]
The MPLS-L2VPN-CE view is displayed.

5. Run:
[ tunnel-policy policy-name ] [ raw | tagged ]
A master connection is created for the CE.

6. (Optional) Run:
[ tunnel-policy policy-name ] [ raw | tagged ] secondary
A backup connection is created for the CE.
NOTE
l Both master and backup connections need to be configured on the PE to which a CE is

single-homed. Only the master connection needs to be configured on the PE to which a CE
is dual-homed.
l When configuring master and backup connections, ensure that master and backup
connections are configured on the same AC interface that connects a PE to a CE.
----End
5.9.3 (Optional) Configuring Fast Fault Notification - Physical Layer

Fault Notification
Physical layer fault notification expedites fault detection and notification.
Context
The S7700 supports physical layer fault notification, which can be configured only on the
Ethernet main interface.
Configure physical layer fault notification on the PE.
Procedure
Step 1 Run:
system-view

Step 2 Run:

l The AC interface must be a primary Ethernet interface.
l The AC interface is configured with an VC.
Step 3 Run:
mpls l2vpn trigger if-down
Physical layer fault notification is enabled.
----End

5.9.4 (Optional) Configuring BFD for PW

BFD for PW expedites the fault detection on the public network.
Context
BFD for PW, which speeds up fault detection, is recommended.
Static BFD for PW or dynamic BFD for PW can be configured on PEs. For detailed
configuration, see the following sections:
l 6.8 Configuring Static BFD for PW

l 6.9 Configuring Dynamic BFD for PW
Example
NOTE
l BFD for PW must be configured or deleted on the PEs at the both ends of a PW simultaneously.
Otherwise, the PW statuses on the two PEs are different.
l To detect statuses of the tunnels that carry PWs, you can configure BFD for tunnels. For detailed
configuration, refer to the chapters "Basic MPLS Configuration" and "MPLS TE Configuration" in the
Quidway S7700 Smart Routing Switch Configuration Guide - MPLS.
5.9.5 (Optional) Configuring the Revertive Switchover

The revertive switching policies can be classified into three modes: immediate revertive mode,
delayed revertive mode, and non-revertive mode. By default, the revertive switching policy is
in delayed revertive mode.
Context
When CEs are connected to PEs asymmetrically, do as follows on the PE (where traffic is
switched) to which a CE is connected through a single link:
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
mpls l2vpn reroute { { delay delay-time | immediately } [ resume resume-time ] |
never }
The revertive switchover policy is configured.
The types of the revertive switchover on PEs are as follows:

l Immediate revertive switchover: The local PE immediately switches traffic to the master PW
and notifies the fault to the remote PE of the backup PW. The PE notifies the rectification
of the fault to the remote PE of the backup PW after the period of resume-time.
l Delayed revertive switchover: The PE switches traffic to the master PW after the period of
delay-time.
l None revertive switchover: The PE does not switch traffic to the master PW until the backup
PW is faulty.
For an asymmetric networking, in which ACs are of the Ethernet type, note the following:
l If the remote shutdown function is configured on the interface of a PE that connects a CE,
you are recommended not to use the policy of immediate revertive switchover, which may
lead to network flapping and traffic loss. On the other hand, you can use the policy of delayed
revertive switchover to set delay-time equal to or more than 30 seconds.
l If the Ethernet OAM function is configured on the interface of a PE that connects a CE, and
a revertive switchover policy is also configured, you cannot set resume-time to be 0 seconds,
but be equal to or longer than one second.
----End

Procedure
to view information about the local end of the Martini VC.
l Run the display mpls l2vc remote-info [ vc-id ] command to view information about the
remote end of the Martini VC.
l Run the display mpls l2vpn connection [ [ vpn-name [ remote-ce ce-id | down | up |
verbose ] ] | summary | [ interface interface-type interface-number ] ] command to view
information about the Kompella VLL.
l Run the display mpls l2vpn forwarding-info [ vc-label ] interface interface-type
interface-number command to view forwarding information about the L2VPN.
----End
Example
Run the display mpls l2vc [ vc-id | interface interface-type interface-number ] command, and
you can see that the status of the master and backup PWs is Up, the VC status of the master PW
is active, and VC status of the backup PW is inactive. The following is an example:
session state : up
AC state : up
VC state : up
VC ID : 100
VC type : VLAN
23552


BFD for PW : available
link state : up
remote VCCV : alert lsp-ping bfd
NO.0 TNL type : lsp, TNL ID : 0x48002004
VC last up time : 2010/12/01 10:00:00
CKey : 4
NKey : 3

session state : up
AC state : up
VC state : up
VC ID : 200
VC type : VLAN
23552
active state : inactive
link state : up
local VC MTU : 1500 remote VC MTU :
1500
primary or secondary : secondary

VC last up time : 2010/12/01 10:00:00

CKey : 5
NKey : 3
reroute policy : delay 30 s, resume 10 s

reason of last reroute : --
time of last reroute : -- days, -- hours, -- minutes, -- seconds
delay timer ID : -- residual time :--
resume timer ID : -- residual time :--
Run the display mpls l2vc remote-info command, and you can see that Peer Addr is the peer
address of the VC. The following is an example:

100 0 11.11.11.11 vlan 23552 1 1500 1 0
200 0 11.11.11.11 vlan 23552 1 1500 1 0
Run the display mpls l2vpn connection interface command, and you can see that the local VC
status and remote VC status of the master PW and the backup PW are both Up, the forwarding
state of the master PW is true, and the forwarding state of the backup PW is false. The BFD
session is Up.
<Quidway> display mpls l2vpn connection interface vlanif 11
conn-type: remote
local vc state: up
remote vc state: up
local ce-id: 1
local ce name: ce1
remote ce-id: 2
peer id: 3.3.3.3
tunnel policy: p1
forwardEntry exist or not: true
AC OAM state: up
BFD for PW session index: 256
BFD for PW state: up
Local C bit is set, Remote C bit is set
tunnel type: cr lsp, id: 0x20002
conn-type: remote
local vc state: up
remote vc state: up
local ce-id: 1
local ce name: ce1
remote ce-id: 3
peer id: 2.2.2.2
tunnel policy: default
primary or secondary: secondary
forward entry active or not:false


AC OAM state: up
BFD for PW session index: 257
BFD for PW state: up
Local C bit is set, Remote C bit is set
tunnel type: lsp , id: 0x10004
Reroute policy : delay 30 s, resume 10 s

Reason of last reroute : --
Time of last reroute : -- days, -- hours, -- minutes, -- seconds
delay timer ID : -- rest time :--
resume timer ID : -- rest time :--
Run the display mpls l2vpn forwarding-info [ vc-label ] interface interface-type interface-
number command, and you can see that ENTRYTYPE of the master PW is SEND,
PWSTATE is ACTIVE, BFDSTATE is UP, and ADMIN is UP. The following is an example:
<Quidway> display mpls l2vpn forwarding-info interface vlanif 11
The Main PW Forward Information :
VCLABEL TNLTYPE ENTRYTYPE PWSTATE BFDSTATE ADMIN CTLWORD CC CV TNLID
---------------------------------------------------------------------------
23552 CRLSP SEND ACTIVE UP UP TRUE 1 8 0x20002
1 Record(s) Found.
The Second PW Forward Information :

---------------------------------------------------------------------------
23552 LSP SEND INACTIVE UP UP TRUE 1 8 0x10004
1 Record(s) Found.
5.10 Maintaining VLL

This section describes how to maintain a VLL. Detailed operations include resetting the BGP
connection of the VLL, and monitoring the L2VPN running status.
5.10.1 Enabling Traffic Statistics on the VLL

This section describes how to enable the function of collecting statistics on VLL traffic before
viewing VLL traffic statistics.
Context
You can collect statistics on VLL traffic on the user-side interfaces that are bound to the VLL.
In this case, you need to enable the function of collecting statistics on VLL traffic on the device
before the VLL connection is set up.
Procedure
Step 1 Run:
system-view
Step 2 Run:
mpls l2vpn traffic-statistics enable
The traffic statistics on the VLL is enabled.

The function of collecting traffic statistics is only valid to the VLL connection that is created
after this function is enabled.
----End
5.10.2 Viewing Traffic Statistics on the VLL

This section describes how to view VLL traffic statistics on the specified interface.
Procedure
l Run:
display traffic-statistics l2vpn interface interface-type interface-number
The VLL traffic statistics on the specified interface are displayed.
To view VLL traffic statistics, you need to enable the function of collecting traffic statistics
on the VLL before the VLL connection is set up.
----End
5.10.3 Resetting Traffic Statistics on the VLL

This section describes how to reset VLL traffic statistics on the specified interface.
Procedure
l Run the following command in the user view:
reset traffic-statistics l2vpn interface interface-type interface-number
The VLL traffic statistics on the specified interface are reset.
----End
5.10.4 Resetting BGP TCP Connections of VLL

If the BGP L2VPN application and other applications share the same TCP connection, resetting
the BGP connection of the VLL causes the reset of BGP peer relationships of all applications
on this TCP connection. Therefore, confirm the action with caution.
Context
CAUTION
If the BGP L2VPN application and other applications share the same TCP connection, the reset
bgp l2vpn command resets the BGP neighbor relationship of all applications on this TCP
connection. So, confirm the action before you use the command.
After the parameters configured in the BGP L2VPN address family view are modified, you can
run the reset bgp l2vpn command to reset the TCP connection of the BGP L2VPN. After that,
BGP re-negotiates parameters, re-sends label information, and re-establishes the session.

Procedure
l Run the reset bgp l2vpn { as-number | peer-ip-address | all | internal | external } command
in the user view to reset BGP L2VPN TCP connections.
----End
5.10.5 Monitoring the Running Status of VLL

This part describes how to monitor the L2VPN running status by viewing the L2VPN connection
information.
Context
During the routine maintenance, you can run the following commands in any view to know the
running status of VLL.
Procedure
l Run the display vll ccc [ ccc-name | type { local | remote } ] command to check information
about the CCC connection.
to check information about the SVC VLL connection.
to check information about the local Martini VLL connection on the PE.
l Run the display bgp l2vpn { all | group [ group-name ] | peer [ [ ip-address ] verbose ] |
route-distinguisher route-distinguisher [ ce-id ce-id [ label-offset label-offset ] ] }
command to check BGP information about a Kompella VLL.
verbose ] | summary | interface interface-type interface-number ] command to check
information about a Kompella VLL.
----End
5.10.6 Debugging VLL

When a VLL fault occurs, run the relevant debugging command to debug the fault, view the
debugging information, locate the fault, and analyze the cause.
Context
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo
debugging all command to disable it immediately.
When a fault occurs, run the following debugging commands in the user view to locate the fault.
For the procedure of displaying the debugging information, refer to the chapter "System
Maintenance" in the Quidway S7700 Smart Routing Switch Configuration Guide - Device
Management.

Procedure
l Run the debugging mpls l2vpn { all | advertisement | download | error | event | oam-
mapping |reroute | timer | connections [ interface interface-type interface-number ] }
command in the user view to enable the debugging of the VLL.
l Run the debugging bgp update l2vpn bgp update l2vpn [ acl acl-number | ip-prefix ip-
prefix-name | peer peer-ipv4-address ] [ receive | send ] [ verbose ] command in the user
view to enable the debugging of BGP Update messages of the Kompella VLL.
----End
5.10.7 Checking Connectivity of the VLL Network

The VLL connectivity can be checked through the ping or tracert command.
Prerequisite
Before using the ping or tracert command to check connectivity of a VLL network, you need
to ensure that the VLL network is correctly configured.
The channel types supported by the VLL network in Martini or Kompella mode are listed in the
"Procedure" part.
By default, VCCV in Label Alert mode is enabled. Before using the control word channel, you
need to run the control-word command to enable the control word function. After that, VCCV
in control word channel mode is enabled.
When locating the fault on the VLL network in Martini mode, you can use either VCCV in
control word channel mode or VCCV in normal mode.
Procedure
l Checking the connectivity of the VLL network in Martini mode
Control word channel
ping vc pw-type pw-id [ -c echo-number | -m time-value | -s data-bytes | -t timeout-
value | -exp exp-value | -r reply-mode | -v ] * control-word [ remote peer-pw-id |
draft6 ] *
Label Alert channel
value | -exp exp-value | -r reply-mode | -v ] * label-alert [ remote remote-ip-address |
draft6 ] *
l Locating the fault on the VLL network in Martini mode
tracert vc { pw-type pw-id [ -exp exp-value | -f first-ttl | -m max-ttl | -r reply-mode | -
t timeout-value ] * control-word [ [ [ remote remote-pw-id ] draft6 ] | remote remote-
ip-address ] [ full-lsp-path ]
Label Alert channel
t timeout-value ] * label-alert [ remote remote-ip-address ] [ full-lsp-path ]
[ draft6 ]
Normal mode


t timeout-value ] * normal [ remote remote-ip-address ] [ full-lsp-path ] [ draft6 ]
l Checking the connectivity of the VLL network in Kompella mode
ping vc vpn-instance vpn-name local-ce-id remote-ce-id [ -c echo-number | -m time-
value | -s data-bytes | -t timeout-value | -exp exp-value | -r reply-mode | -v ] * control-
word
Label Alert channel
ping vc vpn-instance vpn-name local-ce-id remote-ce-id [ -c echo-number | -m time-
value | -s data-bytes | -t timeout-value | -exp exp-value | -r reply-mode | -v ] * label-
alert
l Locating the fault on the VLL network in Kompella mode
tracert vc -vpn-instance vpn-name local-ce-id remote-ce-id [ -exp exp-value | -f first-
ttl | -m max-ttl | -r reply-mode | -t timeout-value ] * { control-word | draft6 } [ full-
lsp-path ]
Label Alert channel
tracert vc -vpn-instance vpn-name local-ce-id remote-ce-id [ -exp exp-value | -f first-
ttl | -m max-ttl | -r reply-mode | -t timeout-value ] * label-alert [ full-lsp-path ]
----End

Each configuration example consists of such information as the networking requirements,
5.11.1 Example for Configuring a Local CCC Connection

As shown in Figure 5-4, the CE is connected to the PE through a GE interface.
A local CCC connection is created between CE1 and CE2.

Figure 5-4 Networking diagram for configuring local CCC connection

CE 2
GE1/0/0
CCC local connection
CE 1 GE 2/0/0
GE 1/0/0 GE 1/0/0
PE
Loopback1
1.1.1.9/32
PE GigabitEthernet1/0/0 VLANIF 10 -
Loopback1 - 1.1.1.9/32
1. Configure the basic MPLS capacity on the PE and enable the MPLS L2VPN.
2. Create a local connection between CE1 and CE2 on PE. The local CCC connection is
bidirectional, so only one connection is needed.
Data Preparation
IP addresses of the interfaces
Procedure
Step 1 Configure CEs.
# Configure CE1.
[CE1] vlan 10
[CE1-Vlan10] quit
[CE1]interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0]port link-type trunk
[CE1-GigabitEthernet1/0/0]port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0]quit
[CE1-Vlanif10] quit
# Configure CE2.

[CE2] vlan 20
[CE2-vlan20] quit
[CE2-GigabitEthernet1/0/0]port link-type trunk
[CE2-GigabitEthernet1/0/0]port trunk allow-pass vlan 20
[CE2-GigabitEthernet1/0/0]quit
[CE2-Vlanif20] quit
NOTE
The packets sent from CE to PE must have VLAN tags.
Step 2 Configure PEs.

# Configure the LSR ID and enable MPLS and MPLS L2VPN.
[Quidway] sysname PE
[PE] interface loopback 1
[PE-LoopBack1] ip address 1.1.1.9 32
[PE-LoopBack1] quit
[PE] mpls lsr-id 1.1.1.9
[PE] mpls
[PE-mpls] quit
[PE] mpls l2vpn
[PE-l2vpn] quit
[PE] vlan batch 10 20
[PE] interface gigabitethernet 1/0/0
[PE-GigabitEthernet1/0/0] port hybrid pvid vlan 10
[PE-GigabitEthernet1/0/0] port hybrid tagged vlan 10
[PE-GigabitEthernet1/0/0] quit
[PE] interface gigabitethernet 2/0/0
[PE-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[PE-GigabitEthernet2/0/0] port hybrid tagged vlan 20
[PE-GigabitEthernet2/0/0] quit
# Create a local connection between CE1 and CE2.

[PE-Vlanif10] quit
[PE-Vlanif20] quit
[PE] ccc ce1-ce2 interface vlanif 10 out-interface vlanif 20

After the configuration, display the CCC information on the PE. You can see that a local CCC
connection is set up and the status is Up.
<PE> display vll ccc
total ccc vc : 1
name: ce1-ce2, type: local, state: up,

intf1: Vlanif10 (up), intf2: Vlanif20 (up)
VC last up time : 2010/07/24 12:31:31
Run the display l2vpn ccc-interface vc-type ccc command, and you can see that the VC type
is CCC and the status is Up.
<PE> display l2vpn ccc-interface vc-type all

up (2), down (0)


CE1 and CE2 can ping each other.

<CE1> ping 100.1.1.2

0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif 10
ip address 100.1.1.1 255.255.255.0
#
#
return
#
sysname PE
#
vlan batch 10 20
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
interface Vlanif10
#
interface Vlanif20
#
#
#
ccc ce1-ce2 interface Vlanif10 out-interface Vlanif20
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255

#
return

#
sysname CE2
#
vlan batch 20
#
interface Vlanif 20
ip address 100.1.1.2 255.255.255.0
#
#
return
5.11.2 Example for Configuring a Remote CCC Connection

The CE is connected to the PE through a GE interface.
To create a remote CCC connection between CE1 and CE2, you need to complete the following
tasks:
l Create the remote CCC connection between the two PEs.
l Configure two static LSPs on P to exchange packets.
Figure 5-5 Networking diagram for configuring remote CCC connection

CE 1 to CE 2 O-Label I-Label O-Label I-Label
200 200 201 201
I-Label O-Label I-Label O-Label

100 100 101 101 CE 2 to CE 1

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
P
PE1 PE2
GE 2/0/0 GE 2/0/0 GE1/0/0 GE 1/0/0
GE 1/0/0 GE 2/0/0
GE 1/0/0 CCC remote GE 1/0/0

connection
CE 1 CE 2

Loopback1 - 1.1.1.9/32
Loopback1 - 3.3.3.9/32
Loopback1 - 2.2.2.9/32
1. Configure a bidirectional static LSP for the CCC connection between PEs. The LSP is
exclusively used by the CCC connection.
2. Enable MPLS L2VPN on the PEs. MPLS L2VPN need not be enabled on P.
3. Set up two connections: one from CE1 to CE2 and the other from CE2 to CE1.
Data Preparation
l Out-label and in-label of the remote CCC connection
Pay attention to the mapping between the in-labels and out-labels on the PE and P. For the settings
of the out-label and the in-label, see Figure 5-5.
Procedure
Step 1 Configure the ID of the VLAN that each interface belongs to, as shown in Figure 5-5.
NOTE
The packets sent from CE to PE must have VLAN tags.
Step 2 Assign the IP addresses to the VLANIF interfaces on the CEs.
# Configure CE1.
[CE1-Vlanif10] quit
# Configure CE2.
[CE2-Vlanif40] quit

Step 3 Assign an IP address to each VLANIF interface of the Switches.
# Configure PE1.
[PE1-Vlanif20] quit
# Configure the P.
[Quidway] sysname P
[P-LoopBack1] quit
[P-Vlanif30] quit
[P-Vlanif20] quit
# Configure PE2.
[PE2-Vlanif30] quit
Step 4 Configure the basic MPLS capabilities on the MPLS backbone network.
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1-Vlanif20] mpls
[PE1-Vlanif20] quit
# Configure the P.
[P] mpls
[P-mpls] quit
[P-Vlanif20] mpls
[P-Vlanif20] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2-Vlanif30] mpls
[PE2-Vlanif30] quit

Step 5 Create the remote CCC connection between the two PEs.
# Configure PE1: Enable MPLS L2VPN globally and create the remote CCC connection from
CE1 to CE2. Connect the incoming interface of PE1 to CE1 and the outgoing interface of PE1
to the P. Set the incoming label to 100 and the outgoing label to 200.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1-Vlanif10] quit
[PE1] ccc CE1-CE2 interface vlanif 10 in-label 100 out-label 200 nexthop 10.1.1.2
# Configure PE2: Enable mpls l2vpn globally and create the remote CCC connection from CE2
to CE1. Connect the incoming interface of PE2 to CE2 and the outgoing interface of PE2 to the
P. Set the incoming label to 201 and the outgoing label to 101.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
[PE2-Vlanif40] quit
[PE2] ccc CE2-CE1 interface vlanif 40 in-label 201 out-label 101 nexthop 10.2.2.2
Step 6 Configure static LSPs on P for forwarding packets.
# Configure P: Configure a static LSP for forwarding packets from PE1 to PE2, and configure
another static LSP for forwarding packets from PE2 to PE1.
[P] static-lsp transit PE1-PE2 incoming-interface vlanif 20 in-label 200 nexthop
10.2.2.1 out-label 201
[P] static-lsp transit PE2-PE1 incoming-interface vlanif 30 in-label 101 nexthop
10.1.1.1 out-label 100
After the configuration, display information about the CCC connection on the PEs. You can find
that a remote CCC connection is set up on each of PE1 and PE2 and the status of the connection
is Up.
<PE1> display vll ccc
total ccc vc : 1

intf: Vlanif10 (up), in-label: 100 , out-label: 200 , nexthop: 10.1.1.2
VC last up time : 2007/10/09 17:35:14
<PE2> display vll ccc
total ccc vc : 1

intf: Vlanif40 (up), in-label: 201 , out-label: 101 , nexthop : 10.2.2.2
VC last up time : 2009/10/09 17:35:14
Run the display l2vpn ccc-interface vc-type ccc command on PE, and you can see that the VC
type is CCC and the status is Up. Take PE1 for example.
<PE1> display l2vpn ccc-interface vc-type ccc

up (1), down (0)

Run the display mpls lsp command on the P, and you can view the label and interface
information of the two static LSPs.
<P> display mpls lsp
-------------------------------------------------------------------------------
LSP Information: STATIC LSP
-------------------------------------------------------------------------------
-/- 200/201 Vlanif20/Vlanif30
-/- 101/100 Vlanif30/Vlanif20

<CE1> ping 100.1.1.2

0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.0
#
#
return

#
sysname PE1
#
vlan batch 10 20
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
interface Vlanif10
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
mpls
#

#
#
#
ccc CE1-CE2 interface Vlanif 10 in-label 100 out-label 200 nexthop 10.1.1.2
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
return
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
mpls
#
interface Vlanif30
ip address 10.2.2.2 255.255.255.0
mpls
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
static-lsp transit PE1-PE2 incoming-interface Vlanif 20 in-label 200 nexthop
10.2.2.1 out-label 201
static-lsp transit PE2-PE1 incoming-interface Vlanif 30 in-label 101 nexthop
10.1.1.1 out-label 100
#
return
#
sysname PE2
#
vlan batch 30 40
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
interface Vlanif30
ip address 10.2.2.1 255.255.255.0
mpls
#
interface Vlanif40
#
#


#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
return

#
sysname CE2
#
vlan batch 40
#
interface Vlanif 40
ip address 100.1.1.2 255.255.255.0
#
#
return
5.11.3 Example for Configuring an SVC VLL

The CE is connected to the PE through a GE interface.
An SVC VLL is set up between CE1 and CE2. The SVC connection is created on PEs and the
VC label is specified.
Figure 5-6 Networking diagram for configuring SVC VLL

Loopback 1 Loopback 1 Loopback 1
1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
PE 1 PE 2
GE 2/0/0 GE 2/0/0 GE 1/0/0 GE 1/0/0
GE 1/0/0 GE 2/0/0
P
SVC
connection
GE 1/0/0 GE 1/0/0
CE 1 CE 2
Loopback1 - 1.1.1.9/32

Loopback1 - 3.3.3.9/32
Loopback1 - 2.2.2.9/32
1. Enable MPLS and MPLS L2VPN.

2. Create a static L2VC connection between PEs and manually configure the VC label.
Data Preparation
l Labels of the static L2VC connection
The out-label of PE1 is the same as the in-label of PE2; whereas the in-label of PE1 is the same
as the out-label of PE2.
Procedure
Step 1 Configure interface addresses for CE, PE and P according to Figure 5-6, including VLAN
interfaces and VLANIF interfaces.
Step 2 Configure IGP on the MPLS backbone network. (In this example, OSPF is used.)
When configuring OSPF, advertise the 32-bit addresses of loopback interfaces on PEs and P.
The loopback interface addresses are the LSR IDs.
Step 3 Configure basic MPLS functions and LDP on the MPLS backbone network. That is, set up LDP
LSPs.
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif20] mpls
[PE1-Vlanif20] quit
# Configure the P.


[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif20] mpls
[P-Vlanif20] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif30] mpls
[PE2-Vlanif30] quit
After the configuration, LDP sessions are set up between PE1, P, and PE2. Run the display mpls
ldp session command, and you can see that the status of the LDP session is Operational.
Take the display on PE1 for example:

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 4 Enable MPLS L2VPN and create static VCs on PEs.

# Configure PE1: Create a static VC on VLANIF 10, which is connected to CE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1-Vlanif10] mpls static-l2vc destination 3.3.3.9 transmit-vpn-label 100 receive-
vpn-label 200
[PE1-Vlanif10] quit
# Configure PE2: Create a static VC on VLANIF 40, which is connected to CE2.

[PE2] mpls l2vpn
[PE2-l2vpn] quit
[PE2-Vlanif40] mpls static-l2vc destination 1.1.1.9 transmit-vpn-label 200 receive-
vpn-label 100
[PE2-Vlanif40] quit

View the L2VPN connection information of the SVC on the PE, and you can see that a static
L2VC connection is established.

<PE1> display mpls static-l2vc interface vlanif 10

AC Status : up
VC State : up
VC ID : 0
VC Type : VLAN
VCCV Capabilty : alert lsp-ping bfd
Tunnel Policy : --
NO.0 TNL Type : lsp , TNL ID : 0x4800200f
VC last up time : 2010/12/03 20:14:14
CKey : 7
NKey : 6
Run the display l2vpn ccc-interface vc-type static-vc up command, and you can see that the
VC type is static VC and the status is Up. Take the display on PE1 for example.
<PE1> display l2vpn ccc-interface vc-type static-vc up

up (1), down (0)
Vlanif10 vlan up static-vc

<CE1> ping 100.1.1.2
0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.0
#
#
return


#
sysname PE1
#
vlan batch 10 20
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
mpls ldp
#
interface Vlanif 10
mpls static-l2vc destination 3.3.3.9 transmit-vpn-label 100 receive-vpn-label
200
#
interface Vlanif 20
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
#
#

interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return

#
sysname PE2
#
vlan batch 30 40
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
mpls ldp
#
interface Vlanif 30
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif 40
100
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return

#
sysname CE2
#
vlan batch 40
#
interface Vlanif40
ip address 100.1.1.2 255.255.255.0
#
#
return

5.11.4 Example for Configuring a Martini VLL

As shown in Figure 5-7, CE1 and CE2 are connected to PE1 and PE2 respectively through
VLANs.
A Martini VLL is set up between CE1 and CE2.
Figure 5-7 Networking diagram for configuring the Martini VLL

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE 2/0/0 GE 1/0/0
PE 1 PE 2
GE 2/0/0 GE1/0/0
GE1/0/0 GE 2/0/0
P
GE1/0/0 GE 1/0/0
Martini
CE 1 CE 2
Loopback1 - 1.1.1.9/32
Loopback1 - 3.3.3.9/32
Loopback1 - 2.2.2.9/32
1. Configure the routing protocol on backbone devices (PE and P) and enable MPLS.
2. Use the default tunnel policy to create an LSP and configure the LSP as the tunnel for data
transmission.

3. Enable MPLS L2VPN and create VC connections on the PEs.
Data Preparation
l IP address of the remote peer of each PE
l VC ID
Procedure
Step 1 Configure interface addresses for CE, PE and P according to Figure 5-7, including VLAN and
VLANIF interfaces.
Step 2 Configure IGP on the MPLS backbone network. (In this example, OSPF is used.)
When configuring OSPF, advertise the 32-bit addresses of loopback interfaces on PEs and P.
The loopback interface addresses are the LSR IDs.
After the configuration, OSPF adjacencies are established between PE1, P, and PE2. By running
the display ospf peer command, you can see that the status of the OSPF adjacency is Full. Run
the display ip routing-table command, and you can see that the PEs can learn the routes of each
other's Loopback1 interface.
Step 3 Configure the basic MPLS capability and MPLS LDP on the MPLS network.
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif20] mpls
[PE1-Vlanif20] quit
# Configure the P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif20] mpls
[P-Vlanif20] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp

[PE2-mpls-ldp] quit
[PE2-Vlanif30] mpls
[PE2-Vlanif30] quit
Step 4 Set up a remote LDP session between PEs.

# Configure PE1.
# Configure PE2.
After the configuration, run the display mpls ldp session command on PE1 to view the
establishment of the LDP session. You can find that an LDP session is set up between PE1 and
PE2.
Take the display on PE1 for example.

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 5 Enable MPLS L2VPN on the PE and establish VCs.

# Configure PE1: Create a VC on VLANIF 10, which is connected to CE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1-Vlanif10] mpls l2vc 3.3.3.9 101
[PE1-Vlanif10] quit
# Configure PE2: Create a VC on VLANIF 40, which is connected to CE2.

[PE2] mpls l2vpn
[PE2-l2vpn] quit
[PE2-vlanif40] quit

View the L2VPN connection information on the PEs, and you can see that an L2VC is set up
and is in Up state.
<PE1> display mpls l2vc interface vlanif 10

session state : up
AC state : up
VC state : up
VC ID : 101
VC type : VLAN
link state : up
VC last up time : 2010/10/09 19:26:37
CKey : 8
NKey : 3

Take the display on CE1 for example.
<CE1> ping 100.1.1.2
0.00% packet loss
----End
Configuration Files
#
sysname CE1
#

vlan batch 10
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.0
#
#
return
#
sysname PE1
#
vlan batch 10 20
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 3.3.3.9
#
interface Vlanif10
mpls l2vc 3.3.3.9 101
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif 20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#

interface Vlanif 30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
#
sysname PE2
#
vlan batch 30 40
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 1.1.1.9
#
interface Vlanif 30
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif 40
mpls l2vc 1.1.1.9 101
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return
#
sysname CE2

#
vlan batch 40
#
interface Vlanif 40
ip address 100.1.1.2 255.255.255.0
#
#
return
5.11.5 Example for Configuring a Local Kompella VLL
As shown in Figure 5-8, CE1 and CE2 are connected to the same PE through GE interfaces.
A local Kompella VLL is set up between CE1 and CE2.
Figure 5-8 Networking diagram for configuring a local Kompella VLL

CE2
Kompella local connection GE1/0/0
GE2/0/0
GE1/0/0 GE1/0/0
PE
CE1
Loopback1
1.1.1.9/32
PE GigabitEthernet1/0/0 VLANIF 10 -
Loopback1 - 1.1.1.9/32
1. Enable MPLS on the PEs.

2. Enable the MPLS L2VPN.
3. Configure VLL instances and CE connections.

Data Preparation
l Names of VPN instances and RDs

l Names and IDs of the CEs (The CE IDs are globally unique.) CE range, namely, the label
block
Procedure
Step 1 Configure the addresses of the VLANIF interfaces of CE1 and CE2 according to Figure 5-8 and
the IDs of the VLANs to which the interfaces belong.
Step 2 Configure a local connection in Kompella mode.
# Configure basic MPLS functions.
[PE] interface loopback 1
[PE-LoopBack1] ip address 1.1.1.9 32
[PE-LoopBack1] quit
[PE] mpls lsr-id 1.1.1.9
[PE] mpls
[PE-mpls] quit
# Configure MPLS L2VPN and CE connections.

[PE] mpls l2vpn
[PE-l2vpn] quit
[PE] mpls l2vpn vpn1 encapsulation vlan
[PE-mpls-l2vpn-vpn1] route-distinguisher 100:1
[PE-mpls-l2vpn-vpn1] ce ce1 id 1 range 10
[PE-mpls-l2vpn-ce-vpn1-ce1] connection ce-offset 2 interface vlanif 10
[PE-mpls-l2vpn-ce-vpn1-ce1] quit
[PE-mpls-l2vpn-vpn1] ce ce2 id 2 range 10
[PE-mpls-l2vpn-ce-vpn1-ce2] connection ce-offset 1 interface vlanif 20
[PE-mpls-l2vpn-ce-vpn1-ce2] quit
[PE-mpls-l2vpn-vpn1] quit

After the configuration, run the display mpls l2vpn connection command on the PE. You can
see that two L2VPN connections are set up and they are in Up state.
<PE> display mpls l2vpn connection
VPN name: vpn1,


primary or not
----------------------------------------------------------------------------
2 loc up --- --- Vlanif20
primary

primary or not
----------------------------------------------------------------------------
1 loc up --- --- Vlanif10

primary

<CE1> ping 30.1.1.2
0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 30.1.1.1 255.255.255.0
#
#
return
#
sysname PE
#
vlan batch 10 20
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
interface Vlanif10
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
mpls
#
port hybrif tagged vlan 10
#
port hybrif tagged vlan 20
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255

#
return

#
sysname CE2
#
vlan batch 20
#
interface Vlanif20
ip address 30.1.1.2 255.255.255.0
#
#
return
5.11.6 Example for Configuring a Remote Kompella Connection

As shown in Figure 5-9, CE1 and CE2 are respectively connected to PE1 and PE2 through
GE interfaces.
A remote Kompella VLL is set up between CE1 and CE2.
Figure 5-9 Networking diagram for configuring a remote Kompella VLL

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE 2/0/0 GE 1/0/0
GE 1/0/0 GE 2/0/0
GE 1/0/0 PE 1 P PE 2 GE 2/0/0
Kompella
GE 1/0/0 Remote
GE 1/0/0
CE 1 CE 2
Loopback1 - 1.1.1.9/32
Loopback1 - 3.3.3.9/32
Loopback1 - 2.2.2.9/32

1. Configure routing protocols on the PEs and P on the backbone network to implement
internetworking, and enable basic MPLS functions and LDP.
2. Enable MPLS L2VPN and configure BGP L2VPN on PEs.
3. Configure the VPN instance and CE connections.
Data Preparation
l ASN of BGP
l Names of VPN instances, RDs, and VPN targets
l Names and IDs of the CEs (The CE IDs are globally unique.), and CE range, namely, the
label block
Procedure
Step 1 Configure the IDs of the VLANs to which the interfaces of CE, PE, and P belong according to
Figure 5-9.
NOTE
The packet sent from CE to PE must have VLAN tags.
Step 2 Configure an IGP protocol on the MPLS backbone network.

In this example, OSPF is used as the IGP protocol. When configuring OSPF, advertise the 32-
bit addresses of loopback interfaces on PEs and P. The loopback interface addresses are the LSR
IDs. The configuration procedure is not mentioned here.
After the configuration, run the display ip routing-table command on each LSR. You can view
that the LSRs have learned the routes from each other.
------------------------------------------------------------------------------

2.2.2.9/32 OSPF 10 2 D 168.1.1.2 Vlanif20
3.3.3.9/32 OSPF 10 3 D 168.1.1.2 Vlanif20


168.1.1.0/24 Direct 0 0 D 168.1.1.1 Vlanif20
168.1.1.255/24 Direct 0 0 D 168.1.1.1 Vlanif20
169.1.1.0/24 OSPF 10 2 D 168.1.1.2 Vlanif20
Run the display ospf peer command, and you can see that the OSPF neighbor relation is set up
and the neighbor status is Full.
<PE1> display ospf peer

Neighbors
Area 0.0.0.0 interface 168.1.1.1(Vlanif20)'s neighbors

Router ID: 2.2.2.9 Address: 168.1.1.2
State: Full Mode:Nbr is Master Priority: 1
DR: None BDR: None MTU: 0
Dead timer due in 35 sec
Neighbor is up for 00:17:12
Authentication Sequence: [ 0 ]
Step 3 Configure basic MPLS functions and LDP, and set up LDP LSPs.
After the configuration, run the display mpls ldp session and display mpls ldp peer commands
on each LSR. You can see information about the LDP session and peers.

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
<PE1> display mpls ldp peer
LDP Peer Information in Public network

A '*' before a peer means the peer is being deleted.
------------------------------------------------------------------------------
Peer-ID Transport-Address Discovery-Source
------------------------------------------------------------------------------
2.2.2.9:0 2.2.2.9 Vlanif20
------------------------------------------------------------------------------
TOTAL: 1 Peer(s) Found.
Step 4 Configure the basic BGP L2VPN capability.

# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1] bgp 100

[PE1-bgp] l2vpn-family
[PE1-bgp-af-l2vpn] peer 3.3.3.9 enable
[PE1-bgp-af-l2vpn] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
[PE2] bgp 100
[PE2-bgp-af-l2vpn] quit
[PE2-bgp] quit
After the configuration, run the display bgp l2vpn peer command on PE1 and PE2, and you
can see that the peer relation between the PEs is in Established state.
<PE1> display bgp l2vpn peer

3.3.3.9 4 100 2 4 0 00:00:32 Established 0
Step 5 Configure the L2VPN and CE connections.

# Configure PE1.
[PE1] mpls l2vpn vpn1 encapsulation vlan
[PE1-mpls-l2vpn-vpn1] route-distinguisher 100:1
[PE1-mpls-l2vpn-vpn1] vpn-target 1:1
[PE1-mpls-l2vpn-vpn1] ce ce1 id 1 range 10
[PE1-mpls-l2vpn-ce-vpn1-ce1] connection ce-offset 2 interface vlanif 10
[PE1-mpls-l2vpn-ce-vpn1-ce1] quit
[PE1-mpls-l2vpn-vpn1] quit
# Configure PE2.
[PE2-mpls-l2vpn-vpn1] vpn-target 1:1
[PE2-mpls-l2vpn-vpn1] ce ce2 id 2 range 10

After the configuration, run the display mpls l2vpn connection command on PEs, and you can
see that an L2VPN connection is in Up state.
<PE1> display mpls l2vpn connection
VPN name: vpn1,



primary or not
----------------------------------------------------------------------------
1 rmt up 3.3.3.9 100:1 Vlanif10
primary

<CE1> ping 30.1.1.2
0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 30.1.1.1 255.255.255.0
#
#
return

#
sysname PE1
#
vlan batch 10 20
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
mpls ldp
#
interface Vlanif10
#
interface Vlanif20
ip address 168.1.1.1 255.255.255.0
mpls
mpls ldp
#
#

#
mpls l2vpn vpn1 encapsulation vlan
ce ce1 id 1 range 10 default-offset 0
connection ce-offset 2 interface Vlanif 10
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 3.3.3.9 enable
#
l2vpn-family
policy vpn-target
peer 3.3.3.9 enable
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 168.1.1.0 0.0.0.255
#
return
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface VLanif20
ip address 168.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 169.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 168.1.1.0 0.0.0.255
network 169.1.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0

#
return
#
sysname PE2
#
vlan batch 30 40
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
mpls ldp
#
interface Vlanif 30
ip address 169.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif 40
#
#
#
#
connection ce-offset 1 interface Vlanif40
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.9 enable
#
l2vpn-family
policy vpn-target
peer 1.1.1.9 enable
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 169.1.1.0 0.0.0.255
#
return
#
sysname CE2
#
vlan batch 40
#
interface Vlanif40
ip address 30.1.1.2 255.255.255.0

#
#
return
5.11.7 Example for Configuring the Inter-AS Martini VLL Option

A
As shown in Figure 5-10, the Option A scheme is used to establish the inter-AS Martini VLL.
The MPLS backbone in an AS uses IS-IS as the IGP protocol.
Figure 5-10 Networking diagram for configuring the inter-AS Martini VLL Option A
MPLS backbone MPLS backbone

AS 100 AS 200
Loopback0 Loopback0 Loopback0 Loopback0

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32 4.4.4.9/32
GE2/0/0 GE2/0/0 GE2/0/0

GE1/0/0 GE1/0/0 GE1/0/0
PE1 ASBR -PE1 PE2
ASBR -PE2
GE1/0/0 GE2/0/0
GE1/0/0 GE1/0/0
CE1 CE2
Loopback0 - 1.1.1.9/32
Loopback0 - 4.4.4.9/32
ASBR-PE1 GigabitEthernet1/0/0 VLANIF 20 10.1.1.2/24
Loopback0 - 2.2.2.9/32
ASBR-PE2 GigabitEthernet1/0/0 VLANIF 30 -

Loopback0 - 3.3.3.9/32
1. Run an IGP protocol on the backbone network so that the devices in the same AS can
2. Configure the basic MPLS capability on the backbone network and establish dynamic LSPs
between PEs and ASBR-PEs in the same AS. If PEs and ASBR-PEs are not directly
connected, establish a remote LDP session.
3. Establish MPLS L2VC connections between the PEs and ASBR-PEs in the same AS.
Data Preparation
l IS-IS data
l IP address of the peer
l L2VC ID
Procedure
Step 1 Configure the IDs of the VLANs to which the interfaces belong according to Figure 5-10.
PEs and ASBR-PEs on the backbone network can communicate with each other by using IGP.
In this example, IS-IS is used as IGP and the configuration procedure is not mentioned.
After the configuration, the ASBR and PE in the same AS can establish an IS-IS adjacency. Run
the display isis peer command, and you can see that the IS-IS adjacency is in Up state, and the
PEs can learn each other's loopback address.
<PE1> display isis peer
Peer information for ISIS(1)

----------------------------
System Id Interface Circuit Id State HoldTime Type PRI
0000.0000.0002 Vlanif20 0000000001 Up 21s L1L2 --
The ASBR and PE in the same AS can ping each other.


<PE1> ping 2.2.2.9


0.00% packet loss
Step 3 Enable MPLS and configure dynamic LSPs.

Configure the basic MPLS capability on the MPLS backbone network. Establish a dynamic LDP
LSP between the PE and ASBR-PE in the same AS.
After this step, an LSP is established between the PE and ASBR-PE in the same AS.
Take the display on ASBR-PE1 for example.
<ASBR-PE1> display mpls ldp session

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 4 Configure the MPLS L2VC connection.

Configure the L2VC connection on the PE and ASBR-PE and connect the PE to the CE.
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1-Vlanif10] quit
# Configure ASBR-PE1.
[ASBR-PE1] mpls l2vpn
[ASBR-PE1-l2vpn] mpls l2vpn default martini
[ASBR-PE1-l2vpn] quit
[ASBR-PE1-Vlanif30] mpls l2vc 1.1.1.9 100
[ASBR-PE2-l2vpn] mpls l2vpn default martini
# Configure PE2.
[PE2] mpls l2vpn

[PE2-l2vpn] quit
[PE2-Vlanif50] quit
# Configure CE1.
[CE1-Vlanif10] ip address 100.1.1.1 255.255.255.0
[CE1-Vlanif10] quit
# Configure CE2.
[CE2-Vlanif50] quit
Display information about the L2VPN connection on PE1. You can see that an L2VC is set up
and the VC status is Up.
Take the display on PE1 and ASBR-PE2 for example.

<PE1> display mpls l2vc interface Vlanif 10
session state : up
AC state : up
VC state : up
VC ID : 100
VC type : VLAN
remote statuscode : 0x0
BFD for PW : disable
link state : up
local VCCV : Disable
tunnel policy : --
traffic behavior : --
VC last up time : 2009-11-24 12:31:31
CKey : 16
NKey : 15

<ASBR-PE2> display mpls l2vc interface Vlanif 30

session state : up
AC state : up
VC state : up
VC ID : 100
VC type : VLAN
BFD for PW : disable
link state : up
tunnel policy : --
VC last up time : 20009-11-24 12:31:31
CKey : 17
NKey : 18

<CE1> ping 100.1.1.2

0.00% packet loss
----End
Configuration Files
#
sysname CE1

#
vlan batch 10
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.0
#
#
return
#
sysname PE1
#
vlan batch 10 20
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0001.00
#
interface Vlanif10
mpls l2vc 2.2.2.9 100
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
isis enable 1
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 1.1.1.9 255.255.255.255
isis enable 1
#
return
#
sysname ASBR-PE1
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls l2vpn
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0002.00
#
interface Vlanif20

ip address 10.1.1.2 255.255.255.0

isis enable 1
mpls
mpls ldp
#
interface Vlanif30
mpls l2vc 1.1.1.9 100
#
#
#
interface LoopBack0
ip address 2.2.2.9 255.255.255.255
isis enable 1
#
return
#
sysname ASBR-PE2
#
vlan batch 30 40
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0003.00
#
interface Vlanif30
mpls l2vc 4.4.4.9 100
#
interface Vlanif40
ip address 30.1.1.1 255.255.255.0
isis enable 1
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 3.3.3.9 255.255.255.255
isis enable 1
#
return
#
sysname PE2
#
vlan batch 40 50
#
mpls lsr-id 4.4.4.9
mpls

#
mpls l2vpn
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0004.00
#
interface Vlanif40
ip address 30.1.1.2 255.255.255.0
isis enable 1
mpls
mpls ldp
#
interface Vlanif50
mpls l2vc 3.3.3.9 100
#
#
#
interface LoopBack0
ip address 4.4.4.9 255.255.255.255
isis enable 1
#
return

#
sysname CE2
#
vlan batch 50
#
interface Vlanif 50
ip address 100.1.1.2 255.255.255.0
#
#
return
5.11.8 Example for Configuring the Inter-AS Kompella VLL Option

A
As shown in Figure 5-11, the devices on the MPLS backbone network use OSPF as IGP to
realize the communication between the devices in the same AS. The Option A scheme is used
to establish the inter-AS Kompella VLL. The peer ASBR is regarded as the CE.

Figure 5-11 Networking diagram for configuring the inter-AS Kompella VLL Option A

AS 100 AS 200

1.1.1.1/32 2.2.2.2/32 3.3.3.3/32 4.4.4.4/32
GE2/0/0 GE2/0/0 GE2/0/0

GE1/0/0 GE1/0/0 GE1/0/0
PE1 GE1/0/0 ASBR -PE1 GE2/0/0 PE2
ASBR -PE2
GE1/0/0 GE1/0/0
CE1 CE2
Loopback1 - 1.1.1.9/32
Loopback1 - 4.4.4.9/32
Loopback1 - 2.2.2.9/32
Loopback1 - 3.3.3.9/32
2. Enable MPLS on the backbone and establish a dynamic LSP between the PE and the ASBR-
PE.

3. Establish an IBGP adjacency between the PE and the ASBR-PE in an AS.

4. Set up a Kompella VLL connection between the PE and the ASBR-PE in an AS.
Data Preparation
l OSPF data
l L2VPN instance name, RD, and VPN target on the PE and the ASBR-PE
l CE connection name, CE ID, CE range (10 by default), and default offset (1 or 0, the default
is 0) on the PE and ASBR-PEs
Procedure
Step 2 Configure an IGP protocol on the backbone network.
PEs and ASBR-PEs on the MPLS backbone network can communicate with each other by using
IGP. OSPF is used as the IGP protocol in this example.
The configuration procedure is not mentioned. Note that the address of Loopback1 must be
advertised to the IBGP peer.
After the configuration, the ASBR-PE and the PEs in the same AS can learn the Loopback1
addresses of each other. Run the display ip routing-table command, and you can see that the
ASBR and the PEs in the same AS can learn the Loopback1 addresses of each other.
------------------------------------------------------------------------------

2.2.2.2/32 OSPF 10 2 D 20.1.1.2 Vlanif20
20.1.1.0/30 Direct 0 0 D 20.1.1.1 Vlanif20
The ASBR-PE and the PEs in the same AS can ping each other's Loopback1 address.
<PE1> ping 2.2.2.2


0.00% packet loss
Step 3 Enable MPLS and establish the LSP.

Enable MPLS and establish LDP LSP on the ASBR-PE and the PEs in the same AS.
After the configuration, the LDP adjacencies are established between the PE and the ASBR-PEs
in the same AS. Run the display mpls ldp session command on each Switch, and you can find
that the session status is Operational.

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 4 Configure IBGP.

Configure MP-IBGP connections between PE1 and ASBR-PE1, and between PE2 and ASBR-
PE2.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.2 connect-interface LoopBack 1
[PE1-bgp] quit
[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] quit
[ASBR-PE2] bgp 200
[ASBR-PE2-bgp] quit
# Configure PE2.
[PE2] bgp 200
[PE2-bgp] quit
After the configuration, run the display bgp peer command, and you can see that the IBGP peer
relation between PE1 and the ASBR-PE in the same AS is in Established state. Take the display
on PE1 for example.
[PE1] display bgp peer


2.2.2.2 4 100 2 3 0 00:00:03 Established 0
Step 5 Enable BGP peers in the BGP L2VPN address family view.
After BGP peers are enabled on the PEs and ASBR-PEs in the BGP L2VPN address family
view, L2VPN instance information can be exchanged between the PEs and ASBR-PEs.
# Configure PE1.
[PE1] bgp 100
[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] l2vpn-family
[ASBR-PE1-bgp-af-l2vpn] peer 1.1.1.1 enable
[ASBR-PE2] bgp 200
[ASBR-PE2-bgp] l2vpn-family
[ASBR-PE2-bgp-af-l2vpn] peer 4.4.4.4 enable
# Configure PE2.
[PE2] bgp 200
Step 6 Set up the Kompella L2VPN connection between PEs.

The major steps are as follows:
l Enable MPLS L2VPN on the PEs and ASBR-PEs.
l Create VPN instances and CE connections on PE1 and PE2.
l Configure IP addresses in the same network segment for the interfaces through which CE1
and CE2 access the PEs.
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1-mpls-l2vpn-vpn1] mtu 1500
[PE1-mpls-l2vpn-vpn1] vpn-target 1:1 both
[PE1-mpls-l2vpn-vpn1] ce ce1 id 1 range 10 default-offset 0
[ASBR-PE1] mpls l2vpn vpn1 encapsulation vlan
[ASBR-PE1-mpls-l2vpn-vpn1] route-distinguisher 100:2
[ASBR-PE1-mpls-l2vpn-vpn1] mtu 1500
[ASBR-PE1-mpls-l2vpn-vpn1] vpn-target 1:1 both
[ASBR-PE1-mpls-l2vpn-vpn1] ce ce2 id 2 range 10 default-offset 0

[ASBR-PE1-mpls-l2vpn-ce-vpn1-ce2] connection ce-offset 1 interface vlanif 30

[ASBR-PE1-mpls-l2vpn-ce-vpn1-ce2] quit
[ASBR-PE1-mpls-l2vpn-vpn1] quit
[ASBR-PE2] mpls l2vpn vpn1 encapsulation vlan
[ASBR-PE2-mpls-l2vpn-vpn1] route-distinguisher 200:1
[ASBR-PE2-mpls-l2vpn-vpn1] mtu 1500
[ASBR-PE2-mpls-l2vpn-vpn1] vpn-target 1:1 both
[ASBR-PE2-mpls-l2vpn-vpn1] ce ce3 id 3 range 10 default-offset 0
[ASBR-PE2-mpls-l2vpn-ce-vpn1-ce3] connection ce-offset 4 interface vlanif 30
[ASBR-PE2-mpls-l2vpn-ce-vpn1-ce3] quit
[ASBR-PE2-mpls-l2vpn-vpn1] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
[PE2-mpls-l2vpn-vpn1] mtu 1500
[PE2-mpls-l2vpn-vpn1] vpn-target 1:1 both
[PE2-mpls-l2vpn-vpn1] ce ce4 id 4 range 10 default-offset 0
# Configure CE1.
[CE1-Vlanif10] quit
# Configure CE2.
[CE2-Vlanif50] quit

Display information about the L2VPN connection on PE1. You can see that an L2VC is set up
Take the display on PE1 and ASBR-PE2 for example.
# The display on PE1 is as follows:
<PE1> display mpls l2vpn connection interface vlanif 10
conn-type: remote
local vc state: up
remote vc state: up
local ce-id: 1
local ce name: ce1
remote ce-id: 2
peer id: 2.2.2.2
CKey: 19
NKey: 3


AC OAM state: up
tunnel type: lsp
tunnel id: 0x10002
# The display on ASBR-PE2 is as follows:

<ASBR-PE2> display mpls l2vpn connection interface vlanif 30
conn-type: remote
local vc state: up
remote vc state: up
local ce-id: 3
local ce name: ce3
remote ce-id: 4
peer id: 4.4.4.4
CKey: 19
NKey: 3
AC OAM state: up
tunnel type: lsp
tunnel id: 0x10001

<CE1> ping 10.1.1.2

0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0

#
#
return
#
sysname PE1
#
vlan batch 10 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
mpls ldp
#
interface Vlanif10
#
interface Vlanif 20
ip address 20.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 2.2.2.2 enable
#
l2vpn-family
policy vpn-target
peer 2.2.2.2 enable
#
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 20.1.1.0 0.0.0.3
#
return
#
sysname ASBR-PE1
#

vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls l2vpn
#
mpls ldp
#
interface Vlanif20
ip address 20.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
#
#
#
#
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.1 enable
#
l2vpn-family
policy vpn-target
peer 1.1.1.1 enable
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 20.1.1.0 0.0.0.3
#
return
#
sysname ASBR-PE2
#
vlan batch 30 40
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
mpls ldp
#
interface Vlanif30
#
interface Vlanif40
ip address 40.1.1.1 255.255.255.0

mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 200
#
ipv4-family unicast
peer 4.4.4.4 enable
#
l2vpn-family
peer 4.4.4.4 enable
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 40.1.1.0 0.0.0.3
#
#
return
#
sysname PE2
#
vlan batch 40 50
#
mpls lsr-id 4.4.4.4
mpls
#
mpls l2vpn
#
mpls ldp
#
interface Vlanif40
ip address 40.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif50
#
#
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255

#
bgp 200
#
ipv4-family unicast
peer 3.3.3.3 enable
#
l2vpn-family
policy vpn-target
peer 3.3.3.3 enable
#
ospf 1
area 0.0.0.0
network 40.1.1.0 0.0.0.3
network 4.4.4.4 0.0.0.0
#
#
#
return

#
sysname CE2
#
vlan batch 50
#
interface Vlanif 50
ip address 10.1.1.2 255.255.255.0
#
#
return

Configuration Guide - VPN 6 PWE3 Configuration
6 PWE3 Configuration
About This Chapter
This chapter describes how to configure PWE3 to transparently transmit data on the MPLS
network.
6.1 Introduction to PWE3

PWE3 refers to a Layer 2 service-bearing technology on a PSN that emulates basic characteristics
of ATM services, FR services, Ethernet services, low-speed TDM services, and SONET/SDH
services.
6.2 PWE3 Features Supported by the S7700
PWE3 can be classified into the static PW and dynamic PW based on implementation schemes,
and can be classified into the single-hop PW and multi-hop PW based on networking types.
6.3 Configuring the Attributes of a PW Template
This section describes how to import a PW template to simplify the configurations of PWs with
similar attributes.
6.4 Configuring a Static PW
This section describes how to configure a static PW. A static PW transmits L2VPN packets
between PEs without using a signaling protocol.
6.5 Configuring a Dynamic PW
This section describes how to configure a dynamic PW. To configure a dynamic PW, extended
LDP needs to be used to transmit Layer 2 information and VC labels.
6.6 Configuring PW Switching
This section describes how to configure a multi-hop switching PW. When the multi-hop
switching PW forwards traffic, PW label switching occurs.
6.7 Configuring a Backup PW
To configure PW FRR in the scenario where CEs are asymmetrically connected PEs, you need
to configure a backup PW. After the master PW fails, traffic can be switched to the backup PW.
6.8 Configuring Static BFD for PW
This section describes how to configure static BFD for PW. After static BFD for PW is
configured, the fault on a PW can be rapidly detected and upper-layer applications can be
immediately switched.

6.9 Configuring Dynamic BFD for PW

This section describes how to configure dynamic BFD for PW. After dynamic BFD for PW is
6.10 Configuring PWE3 FRR
This section describes how to configure PW FRR. After PW FRR is configured, the L2VPN
traffic can be timely switched to backup path as soon as the master path fails. After the master
path recovers, the L2VPN traffic can be switched back to it according to the revertive switching
policy.
6.11 Configuring Inter-AS PWE3
This section describes how to configure inter-AS PWE3. After inter-AS PWE3 is configured,
the MPLS backbone network that bears PWE3 can span multiple ASs.
6.12 Maintaining PWE3
This section describes how to maintain PWE3. Detailed operations include PW connectivity
detection, and PW fault location.
You can learn the configuration procedures based on the configuration flowchart. Each
configuration example consists of such information as the networking requirements,

6.1 Introduction to PWE3

PWE3 refers to a Layer 2 service-bearing technology on a PSN that emulates basic characteristics
of ATM services, FR services, Ethernet services, low-speed TDM services, and SONET/SDH
services.
Pseudo-Wire Emulation Edge to Edge (PWE3) is a type of end-to-end Layer 2 transmitting
technology. It emulates the essential attributes of a telecommunications service such as ATM,
FR or Ethernet in a Packet Switched Network (PSN). PWE3 also emulates the essential attributes
of low-speed Time Division Multiplexing (TDM) circuits and SONET/SDH.
With the Label Distribution Protocol (LDP) as the signaling protocol, PWE3 emulates various
Layer 2 services (such as Layer 2 data packets) of the Customer Edge(CE) through tunnels such
as the Multiprotocol Label Switch Protocol. PWE3 can also transparently transmit the Layer 2
data of the CEs. This proximate emulation may lead to distortion of TDM data.
Figure 6-1 shows the PWE3 framework.
Figure 6-1 PWE3 framework
AC PW AC
PSN Tunnel
CE1 PE1 PSN PE2 CE2
The relevant terms defined in the RFC are explained as follows:

l Provider Edge (PE) device.
l Customer Edge (CE) device.
l Provider (P): It is a device on the backbone network of a service provider.
l Attachment Circuit (AC): It is an unshared link or circuit that connects a CE and a PE. An
AC can be either physical or virtual. The attributes of an AC include the encapsulation type,
MTU, and link interface parameters.
l PSN tunnel: One or more PWs can be carried over a PSN tunnel.
l Pesudo-Wire (PW): It is a virtual connection. A PW is set up by using the signaling protocol.
A PW uses VC-type and VC-ID to identify a Virtual Circuit (VC), which is similar to that of
VLL in Martini mode.
l VC type refers to the encapsulation type of the VC, such as VLAN or Ethernet.
l VC ID refers to the identifier of the VC. The VC ID of each VC with the same type on the
entire PE must be unique.

6.2 PWE3 Features Supported by the S7700

PWE3 can be classified into the static PW and dynamic PW based on implementation schemes,
and can be classified into the single-hop PW and multi-hop PW based on networking types.
You need to know the following terms defined in the RFC before you read this section:
l Ultimate PE (U-PE): is a PE to which an AC is bound. A U-PE is the first or last PE of an

MH-PW.
l Switching Point PE (S-PE): is a PE that switches PW labels in an MH-PW. An S-PE
establishes and manages PW segments with other S-PEs or U-PEs. A PW segment is a
static or dynamically configured PW established between a pair of PEs. This pair of PEs
can be two U-PEs, two S-PEs, or one U-PE and one S-PE.
PW is classified based on:
l Implementation mechanism: Static PW and Dynamic PW

l Networking model: SH-PW and MH-PW
Static PW and Dynamic PW

l Static PW
A Static PW negotiates parameters without any signaling protocol. You must specify the
relevant information manually.
l Dynamic PW
A Dynamic PW is a PW that is established by using a signaling protocol.
A U-PE switches VC labels and binds the corresponding CE through a VC ID. A VC
can be established only when the tunnel between two PEs is successfully set up and
label interchanging and binding are completed.
The LDP-PW uses LDP as the signaling protocol to send PW messages. The LDP-PW
requires switching PWs to complete the MH-PW.
The tunnel used to set up an LDP PW can be an LDP LSP, a CR-LSP, or a GRE tunnel.
By default, an LDP LSP is used.
LDP-PW messages include:
Request: is used to request label distribution.
Mapping: is used to distribute labels to the remote PE (U-PE or S-PE). The state bit
is sent to the remote PE by using a Mapping message. Whether to carry the state bit
or not depends on the configuration. By default, the Martini mode does not carry
state bit.
Notification: is used to announce and negotiate the PW state to reduce messages.
Withdraw: is used to ask the peer to remove labels. (It carries labels and state
information.)
Release: is used as a response to a Withdraw message. It is used to ask the peer that
sends a Withdraw message to remove labels.
Figure 6-2 shows the packet exchanges during the establishment, maintenance, and
dismantlement of an LDP PW.

Figure 6-2 Exchange of LDP-PW packets

Loopback1 Loopback1
1.1.1.1/32 2.2.2.2/32
PE1 PE2
mpls l2vc 2.2.2.2 101 Reque

s t
Mappin mpls l2vc 1.1.1.1 101

g
parameter match , VC up
ing
M app
parameter match , VC up
Notification
AC/Tunnel state changed AC/Tunnel state changed
The dynamic allocation of LDP-PW labels is performed in the receiving and sending directions.
On the basis of Martini, the dynamic PW adds the optional status parameter in the Mapping
packet and supports the Notification packet.
When the network is in the unstable state, the Notification packet can decrease the number of
packet exchanges.
For example, if an AC on a PE flaps, the Notification packet is sent to notify the AC status. After
receiving the packet, the peer does not dismantle the VC.
However, in the Martini mode, the Withdraw packet is sent repeatedly. Thus, the PW is set up
and dismantled repeatedly.
NOTE
PWE3 supports Notification mode to negotiate PW state information. The Withdraw packet is compatible
with withdraw labels in PWE3. The negotiation of two ends of the PW determines the mode to be used.
The process of tearing down a dynamic PW is described as follows:

Figure 6-3 shows the packet exchange during the process of tearing down a dynamic PW.

Figure 6-3 Process of tearing down an SH-PW
Loopback1 Loopback1
1.1.1.1/32 2.2.2.2/32
PE1 PE2
mpls l2vc 2.2.2.2 101 mpls l2vc 1.1.1.1 101

VC Deletion
Withdraw
Release
Withdraw
VC Deletion
When PE1 does not forward packets sent from PE2 for a specific cause, that is, PE2 is no longer
a peer of PE2, PE1 sends a Withdraw message to PE2. After receiving the Withdraw message,
PE2 tears down the PW and responds with a Release message. After receiving the Release
message, PE1 releases the label and tears down the PW.
SH-PW and MH-PW

l SH-PW
An SH-PW is set up between two U-PEs. That is, switching labels at PW label layer is not
required, as shown in Figure 6-4.
Figure 6-4 Networking diagram of an SH-PWE3
U-PE1 P U-PE2
PW100
CE1 CE2
l MH-PW

An MH-PW is a set of two or more contiguous PW segments between two U-PEs. Switching
labels at PW label layer is required. Figure 6-5 shows an MH-PW that functions as a single
point-to-point PW.
Figure 6-5 Networking diagram of an MH-PWE3

U-PE1 S-PE P U-PE2
PW100 PW200
CE1 CE2
l The forwarding mechanism of a U-PE on an MH-PW is the same as that on an SH-PW.

The only difference is that the MH-PW requires switching the control and data planes of
the preceding and succeeding PW segments on the S-PE.
l To carry out an MH-PW, the S-PE connects two PWs on both of PW endpoints and
exchanges labels. There are three combinations of two PWs:
Dynamic and dynamic switching: Both PWs are dynamic PWs. The PWs on both sides
of the S-PE are set up by using signaling. The remote labels are sent from two
neighboring endpoints (U-PE or S-PE) to the S-PE by using signaling.
Static and static switching: Both PWs are static PWs.
Dynamic and static switching: One of the PWs is set up with signaling, while the other
is not.
l The preceding types of PW switching support the Control Word (CW) and Virtual Circuit
Connectivity Verification (VCCV). The CW and VCCV are sent from two U-PEs to the
S-PE through labels.
BFD for PW
The Bidirectional Forwarding Detection (BFD) can fast detect a PW between the local PE and
remote PE to enable PW Fast Reroute (FRR). This lessens the impact of any link faults on
services.
l Static BFD for PW
After being encapsulated by PWs, BFD control packets are transmitted on PWs. PWs
distinguish control packets and data packets by using CWs. BFD packets are encapsulated
by using the CWs of PWs. On an MH PW, the intermediate SPE only forwards BFD packets,
but does not send the BFD packets to its CPU for processing.
l Dynamic BFD for PW
1. The Up and Down states of a PW can trigger the dynamic creation and deletion of a
BFD session. When the status of a PW that needs to be detected is Up, the local device
notifies information about its neighbor and detection parameters to the BFD module.
The BFD module then sets up a session to detect the link between the local device and
its neighbor.
2. BFD session negotiation can be implemented by adding the BFD Discriminator TLV
field to VCCV ping packets.

3. After a session is set up, BFD quickly sends detection packets. VCCV ping is used to
periodically check the information consistency of the control plane and data plane.
4. When a dynamic BFD session detects a status change of the PW, BFD instructs the
L2VPN to trigger route convergence. If a neighbor is unreachable, BFD instructs the
L2VPN to delete the related session.
NOTE
For details of BFD for LDP LSP, refer to the chapter "MPLS Configuration" in the Configuration Guide
- MPLS.
The format of the BFD Discriminator TLV in a VCCP ping packet is the same as the format of
the BFD Discriminator TLV in an LSP ping packet, as shown in Figure 6-6.
Figure 6-6 Structure of an LSP ping packet
Version Number Must Be Zero

Message Type Reply Mode Return Code Returen Subcode
Sender's Handle
Sequence Number
Timestamp Sent (Seconds)
Timestamp Sent (Microseconds)
Timestamp Receive (Seconds)
Timestamp Receive (Microseconds)
TLVs
PWE3 FRR
With the board applications of PWE3, the requirement for network reliability becomes
increasingly higher, especially for L2VPNs that bear real-time services such as VoIP and IPTV
services.
PWE3 FRR is a solution that can increase the reliability of L2VPNs.
PWE3 FRR is used in the following networking:
Asymmetrically connected CEs
One CE is connected to a PE through an AC and the other CE is dual-homed to PEs through two
ACs, as shown in Figure 6-7.

P1 PE2
PE1
VPN AC2
backbone CE2
CE1
AC1
AC3
P2
PE3 Site2
Site1
Inter-AS PWE3
In actual network, multiple sites of a VPN of a user may connect with multiple service providers
of different ASs or with multiple ASs of a service provider. The VPN is called inter-AS VPN.
Inter-AS PWE3 has two schemes:
l Inter-AS PWE3-Option A: Data of an inter-AS user is transmitted through special interfaces
between ASBRs. The user exclusively uses the link between the ASBRs.
l Inter-AS PWE3-Option C: The PEs advertise the VPN IPv4 routes through multi-hop MP-
EBGP.
The S7700 supports the Inter-AS PWE3-Option A
In Option A, the ASBRs of the two ASs are directly connected. The ASBRs are the PEs of their
respective ASs. The two ASBRs consider the peer ASBRs as their CE devices.
Figure 6-8 Networking diagram of inter-AS PWE3-Option A
CE-1
PE-1
ASBR1 ASBR2 PE-3
AC PE-4
PE-2
LSP1
CE-2

As shown in Figure 6-8, as for ASBR1 in the AS 100, ASBR2 is a CE. Similarly, as for ASBR2,
ASBR1 is a CE.
Option A is easy to implement. No inter-AS configuration is needed on the ASBRs. The

interfaces that connect the ASBR do not need to be configured with any IP addresses.
In Option A, the two directly-connected ASBRs use different links including physical and logical
links for each inter-AS VPN. The links work as ACs to connect the VPN. Thus, the performance
requirement on the PE devices is relatively high.
PWE3 Tracert
With the broad applications of PWE3, PWE3 is required to support related operations and
maintenance. PWE3 tracert is a type of a network maintenance tool developed to meet this
requirement.
PWs are classified into SH PWs and MH PWs based on different networking types. Similarly,
PWE3 tracert is classified into PWE3 SH tracecert and PWE3 MH tracert.
l Basic principle
PWE3 SH Tracert
As shown in Figure 6-9, CE1 and CE4 belong to VPN 1; CE2 and CE3 belong to
VPN 2; the LSP from PE1 to PE4 is PE1-P-PE4; the LSP from PE2 to PE3 is PE2-
P-PE3.
Figure 6-9 Networking diagram of PWE3 SH tracert
CE1 CE2
VPN2
VPN1
PE1 PE2
CE3 PE3 PE4 CE4
LSP1
VPN2 VPN1
LSP2
On PE1, you can start PWE3 tracert of VPN 1 by using related commands. This
PWE3 tracert is the same as the LSP tracert in the public network, except that a PW
label is added to packets, and the remote PE checks whether the receiving PW label
and the VC ID are the same as those on the local end.

The source PE of the PWE3 tracert continues to send MPLS echo request packets
with the Time-to-Live (TTL) of the outer label from one to a certain value and the
TTL of the inner label as one. Each Label Switching Router (LSR) does not forward
the received packet with the TTL of the outer label as one. Based on the contents of
the packet, each LSR checks the correctness of specific services and labels, and then
sends an MPLS echo reply packet to the source PE. In this way, the source PE can
collect information about each LSR that a PW passes through and information about
the egress PE. At present, the MPLS echo reply packet is an IP packet that does not
carry any label.
The LSP between PE1 and PE4 is used as an example to explain the mechanism
used by PWE3 tracert to collect information about nodes.
By starting PWE3 tracert, PE1 can collect information about nodes that the LSP
from PE1 to PE4 passes through. By comparing paths obtained by the PWE3 tracert
and PW paths generated by the protocol, you can judge whether or not there is an
error.
If the PWE3 tracert obtains only information about PE4 (TTL=2) instead of
information about P (TTL=1), it indicates that P does not support MPLS ping.
If the PWE3 tracert obtains only information about P (TTL=1) instead of information
about PE4 (TTL=2), it indicates that PE4 or the link between P and PE4 is faulty.
If the PWE3 tracert obtains information about PE1, PE2, and PE4, it indicates that
P may be faulty. A new path is generated by the protocol.
PWE3 MH tracert
As shown in Figure 6-10, an MH PW is set up between CE1 and CE2, and the IDs
of PW segments are different. The LSP is UPE1-P1-SPE1-SPE2-P2-UPE2.
Figure 6-10
Networking diagram of PWE3 MH tracert
CE2
UPE2
P1
UPE1 SPE2 P2
SPE1
CE1
The PWE3 tracert started on UPE1 can obtain a correct response only from P1 and
SPE1. SPE2 and UPE2 find that the "Remote PE Address" and "VC ID" are not
consistent. This indicates that the PWE3 tracert passes through an MH PW. In

addition, the PW label switching from the downstream mapping information sent
by each device can be seen.
On SPE1, start PWE3 tracert to UPE1 or to SPE2 and UPE2. The PWE3 tracert to
UPE1 is the same as the PWE3 SH tracert. The PWE3 tracert to SPE2 and UPE2 is
PWE3 MH tracert.
PWE3 tracert started on other PEs is the same as the preceding ones, and is not
described here.
l The relations between MPLS ping and PWE3 ping and between MPLS tracert and PWE3
tracert are as follows:
l MPLS ping
MPLS ping is similar to IP ping. The source node sends an MPLS echo request packet. The
packet is forwarded by nodes along the LSP. When the packet reaches the egress in the
MPLS area, the egress replies with an MPLS echo reply packet. If the source node receives
the MPLS echo reply packet from the destination node, it considers that the LSP can be
used to forward data; otherwise, the source node considers that the LSP cannot be used to
forward data.
l MPLS tracert
The source node of MPLS tracert continuously sends MPLS echo request packets with TTL
values from one to a certain value. After the TTL of each node on the LSP expires, each
node replies an MPLS echo reply packet. The ingress thus can collect information about
each node on the LSP, and then locate the faulty node. At the same time, MPLS tracert can
be used to collect important information about each node on the entire LSP, such as assigned
labels.
l PWE3 ping
The principle of PWE3 ping is similar to that of MPLS ping and IP ping. The difference
lies in that PWE3 ping uses a PW to forward MPLS echo request packets to judge whether
the PW can be used to forward packets. When MPLS ping succeeds, PWE3 ping may fail.
l PWE3 Tracert
The principle of PWE3 tracert is similar to that of MPLS tracert and IP tracert. The
difference lies in that PWE3 tracert uses a PW to forward MPLS echo request packets to
collect information about nodes on the PW. When MPLS tracert succeeds, PWE3 tracert
may fail.
CW
The PWE3 supports CW.
The CW is a four-octet header in some encapsulations, and is used for sending packet information
in MPLS PSN.
On the PWE3 control plane, there is a bit symbolizing whether the CW presents on the PW or
not.
On the PWE3 data plane, if the CW is supported, a four-octet control word is added in the header
of the packet to indicate the sequence of the packet.
Negotiation will be carried out successfully only when both endpoints of the PW support CW,
or do not support CW at the control layer. The CW is optional. For static PW, CW requirements
are configured manually.

VCCV-PING
The S7700 supports VC Connectivity Verification (VCCV) negotiation and VCCV-PING on
U-PEs of a static PW, dynamic PW, SH-PW, and MH-PW.
The VCCV-PING has two modes: CW mode and Label Alert mode.
l The CW mode supports VCCV between two U-PEs.

l The Label Alert mode supports VCCV-PING between U-PEs and VCCV-PING between
a U-PE and an S-PE.
PW Template
A PW template is a set of common attributes abstracted from PWs. A PW template can be shared
by different PWs. To facilitate the expansion, you can configure the common attributes of certain
PWs into a PW template. When creating a PW in interface mode, you can use this PW template.
The PW can be bound with PW template and can be reset.
Other Features
The other features supported by the S7700 are as follows:
l Supporting the PW protection (the signaling is LDP)

You can configure two PWs with different PW IDs on the same interface. One serves as
the master PW, and the other serves as the backup PW. When the master PW fails, the
service is switched to the backup PW automatically. This configuration fits better for an
MH PW.
l Supporting the PW to be configured on a VLANIF interface, XGE interface, GE interface,
Ethernet interface, Eth-Trunk interface, XGE sub-interface, GE sub-interface, Ethernet
sub-interface, and Eth-Trunk sub-interface
l Supporting the PWE3 configuration on Layer 2 devices
6.3 Configuring the Attributes of a PW Template

This section describes how to import a PW template to simplify the configurations of PWs with
similar attributes.

Before configuring the attributes of a PW template, familiarize yourself with the applicable
you complete the configuration task correctly and quickly.
Applicable Environments
Using the pw-template command, you can set the attributes for a PW, such as the peer, CW,
and tunnel policy. Importing a PW template simplifies the process of configuring the PWs with
similar attributes. The PW template is configured on a U-PE.
To verify the PW connectivity, you must configure the PW with a PW template.

NOTE
Some PW attributes such as MTU, PW type, and encapsulation type are obtained from the interface directly
connected to a CE. Therefore, those parameters do not need to be configured manually.
Before configuring the attributes of a PW template, you need to complete the following tasks:
l Configuring basic MPLS functions
l Enabling MPLS L2VPN
Data Preparation
To configure the attributes of a PW template, you need the following data.
No. Data
1 (Optional) Peer IP address
2 (Optional) Name of the tunnel policy
3 (Optional) Name and attributes of the PW template
6.3.2 Creating a PW Template

When configuring PWE3, you can directly specify the IP address of the peer or import a PW
template to set PW attributes.
Context
Do as follows on the PEs on the two ends of the PW.
Procedure
Step 1 Run:
system-view

Step 2 Run:
mpls l2vpn
MPLS L2VPN is enabled.

Step 3 Run:
quit

Step 4 Run:
pw-template pw-template-name
A PW template is created.
----End

6.3.3 Setting the Attributes for a PW Template

A PW template has the attributes such as the IP address of the peer, control word, tunnel policy
name, and MTU.
Context
Do as follows on the PEs on the two ends of a PW:
Procedure
Step 1 Run:
system-view

Step 2 Run:
The template view is displayed.

Step 3 Run:
peer-address ip-address
The address of the remote device on the PW is specified.

Step 4 Run:
control-word
The control word is enabled.

By default, the control word is disabled, and VCCV is enabled. VCCV can be performed in two
modes: the control word mode and Label Alert mode.
l If the control word is disabled, the S7700 supports VCCV in Label Alert mode.
l If the control word is enabled, the S7700 supports VCCV in both control word mode and
Label Alert mode.
To enable VCCV in control word mode, the control word needs to be enabled only on U-PEs
on a dynamic SH PW, a dynamic MH PW, or a static SH PW; the control word needs to be
enabled on U-PEs and S-PEs on a static MP PW or a mixed dynamic MP PW.
Step 5 Run:
A tunnel policy is configured for the PW.

Step 6 Run:
mtu mtu-value
The MTU in the PW template is configured.
----End
Follow-up Procedure
Steps 3 to 6 are optional and actions are not taken in turn. Select the required steps in the actual
configuration.

If you specify a PW attribute by using a command line, the same PW attribute specified in the
PW template does not function on the PW to which this PW template is applied.
NOTE
Modifying the attributes of a PW template causes the disconnection and re-establishment of a PW. If
multiple PWs use this template at the same time, the system operation is affected. To avoid this, run the
reset pw pw-template command to validate the new configuration after modifying the attributes of a PW
template.

After a PW attribute/template is configured, you can view information such as the name of the
PW template and the configuration of the PW attribute.
Context
The configurations of the attributes of a PW template are complete.
Procedure
l Run the display pw-template [ pw-template-name ]. command to check information about
the PW template.
----End
Example
Run the display pw-template command. You can view the configured PW template name and
parameters. For example:
<Quidway> display pw-template
Total PW template number : 1
PW Template Name : 1to3

PeerIP : 3.3.3.3
Tnl Policy Name : --
CtrlWord : Enable
MTU : 1500
Max Atm Cells : 1
ATM Pack Overtime: 1000
Seq-Number : Disable
TDM Encapsulation Number: 32
Jitter-Buffer : 20
Idle-Code : ff
Rtp-Header : Disable
VCCV Capability : cw alert lsp-ping bfd
Behavior Name : --
Total PW : 1, Static PW : 0, LDP PW : 1
6.4 Configuring a Static PW

This section describes how to configure a static PW. A static PW transmits L2VPN packets
between PEs without using a signaling protocol.


Before configuring a static PW, familiarize yourself with the applicable environment, complete
the pre-configuration tasks, and obtain the required data. This can help you complete the
configuration task correctly and quickly.
A static PW does not use signaling protocols to send L2VPN packets. Packets are transmitted
between PEs over a tunnel.
The tunnel type of a static PW can be a static LSP, an LDP LSP, or a CR-LSP. By default, an
LDP LSP is used.
Before configuring a static PW, complete the following tasks:
l Configuring an IGP on the MPLS backbone to implement IP interworking
l Enabling MPLS on PEs
l Establishing tunnels between PEs based on the tunnel policy
Data Preparation
To configure a static PW, you need the following data.
No. Data
1 Interface type and number of the interface connected to a CE
2 Destination LSR ID of a static PW
3 Label value received and sent in an L2VPN
4 Tunnel policy configured for a static PW

Before configuring a static PW, you must enable MPLS L2VPN.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:

mpls l2vpn
Before configuring an MPLS L2VC connection, enable MPLS L2VPN.
----End
6.4.3 Creating a Static PW

Before configuring a static PW, you must specify the VC label.
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number [ subinterface-number ]
The view of the interface attached to an AC is displayed.

undo portswitch
The Layer 2 interface is switched to a Layer 3 interface.
When using XGE, GE, Ethernet, and Eth-Trunk interfaces as AC interfaces, you need to run the
undo portswitch command to switch Layer 2 interfaces to Layer 3 interfaces.
Step 4 Run:
mpls static-l2vc { destination ip-address | pw-template pw-template-name vc-id } *
transmit-vpn-label transmit-label-value receive-vpn-label receive-label-value

[ tunnel-policy tnl-policy-name | [ control-word | no-control-word ] | [ raw |
tagged ] ] *
A static PW is configured.
NOTE
The parameters raw and tagged are specified in the command only when the link type is Ethernet.
----End

After a static PW is configured, you can view information about the static PW.
Prerequisite
The configurations of the static PW function are complete.

Procedure
l Run the display mpls static-l2vc [ vc-id | interface interface-type interface-number |
state { down | up } ] command to check information about a specified static PW on a PE.
----End
Example
Run the display mpls static-l2vc [ vc-id | interface interface-type interface-number | state
{ down | up } ] command. You can see that VC State of the PW is up. For example:
<Quidway> display mpls static-l2vc interface vlanif 10
*Client Interface : vlanif 10 is up
AC Status : up
VC State : up
VC ID : 100
VC Type : VLAN
Tunnel Policy : --
PW Template Name : pwt
VC last up time : 2010/11/24 12:31:31
CKey : 2
NKey : 1
6.5 Configuring a Dynamic PW

This section describes how to configure a dynamic PW. To configure a dynamic PW, extended
LDP needs to be used to transmit Layer 2 information and VC labels.

Before configuring a dynamic PW, familiarize yourself with the applicable environment,
the configuration task correctly and quickly.
A dynamic PW uses extended LDP to transmit Layer 2 information and VC labels, and needs
to be configured on PEs of both ends of a PW.
Before configuring a dynamic PW, complete the following tasks:
l Configuring an IGP on PEs and Ps on the MPLS backbone to implement IP interworking

l Configuring basic MPLS functions on the backbone

l Establishing tunnels between PEs based on the tunnel policy
l Setting up remote LDP sessions between PEs
Data Preparation
To configure a dynamic PW, you need the following data.
No. Data
1 Type and number of the interface connected to a CE
2 Destination address of an L2VC and VC ID
3 Policy name of the tunnel

Before configuring a dynamic PW, you must enable MPLS L2VPN.
Context
Do as follows on PEs or U-PEs:
Procedure
Step 1 Run:
system-view

Step 2 Run:
mpls l2vpn

Before configuring an MPLS L2VC connection, enable MPLS L2VPN.
----End
6.5.3 Creating a Dynamic PW

A dynamic PW requires that IDs of the VCs with the same encapsulation type be unique. In
addition, the backup PW can be configured only after the master PW is configured.
Context
Do as follows on U-PEs:
Procedure
Step 1 Run:
system-view


Step 2 Run:
interface interface-type interface-number [ .subinterface-number ]
The interface view of the interface attached to an AC is displayed.

undo portswitch
A Layer 2 interface is switched to a Layer 3 interface.

When using XGE, GE, Ethernet, and Eth-Trunk interfaces as AC interfaces, run this command
Step 4 Run:
tagged ] | mtu mtu-value | secondary ] *
An MPLS L2VPN connection for a dynamic PW is configured.
NOTE
l raw and tagged are needed only for an Ethernet link.

l secondary is used to configure a backup PW. The backup PW can be configured only after the master
PW is configured. For the detailed configuration, see Configuring a Backup PW
l The combination of a PW ID and a PW type must be unique on one end of a PW, but the PW IDs on
both ends of a switch PW can be identical.
For a dynamic PW, the VC ID of the same encapsulation type should be unique. Changing
encapsulation type may cause a VC ID conflict.
----End

After a dynamic PW is configured, you can view information about the PW.
Prerequisite
The configurations of the dynamic PWs function are complete.
Procedure
to check information about a specified PW on the local PE.
PW on the remote PE.
----End
Example
Run the display mpls l2vc [ vc-id | interface interface-type interface-number ] command. You
can see that VC state is up. For example:

session state : up
AC state : up
VC state : up
VC ID : 100
VC type : VLAN
link state : up
local VCCV : cw alert lsp-ping bfd
remote VCCV : cw alert lsp-ping bfd
local control word : enable remote control word : enable
PW template name : pwt
NO.0 TNL type : lsp , TNL ID : 0x4800200f
VC last up time : 2010/12/10 20:33:37
CKey : 9
NKey : 8
Run the display mpls l2vc remote-info command. You can see that Peer Addr is the peer
address of a specified VC. For example:
100 0 192.3.3.3 vlan 23552 0 1500 1 0
6.6 Configuring PW Switching

This section describes how to configure a multi-hop switching PW. When the multi-hop
switching PW forwards traffic, PW label switching occurs.

Before configuring a switching PW, familiarize yourself with the applicable environment,

To support Multi-Hop, the PW switching is needed. MH-PW requires switching labesl at PW
label layer while forwarding packets.
PW switching must be configured on the S-PE with high performance and capability of setting
up large numbers of MPLS LDP sessions.
When configuring MH-PW, you need PW switching on the S-PE.
In the following cases, PW switching is required:
l Two PEs are not located in the same AS and no signaling or tunnel can be set up between
the two PEs. (If inter-AS tunnel is set up by the BGP labeled route, MH-PW is not required.)
l The signaling of two PEs differs from each other.
l If access device supports MPLS, but cannot set up large numbers of LDP session, you can
use User Facing Provider Edge (UFPE) as U-PE. And you can use the S-PE as the switching
node of LDP session, which is similar to signaling reflector.
Before configuring PW switching, complete the following tasks:
l Enabling MPLS L2VPN on the PEs

l 6.4 Configuring a Static PW on U-PEs if the PW switching is between two static PWs
l 6.5 Configuring a Dynamic PW on U-PEs if the PW switching is between two dynamic
PWs
Data Preparation
To configure PW switching, you need the following data.
No. Data
1 IP address and VC-ID of static PWs or dynamic PWs to-be-switch
2 Encapsulation type of L2VC
3 Sending label and receiving label of L2VPN if the PW to be switched is a static PW
4 The MTU values of the interfaces on the two ends of the PW if the PW to be switched
is a static PW
6.6.2 Configuring PW Switching

A switching PW can be any of three types, namely, dynamic switching PW, static switching
PW, and mixed switching PW.
Context
The PW switching has three modes:

l Static PWs switching: Both PWs used to switch are static.

l Dynamic PWs switching: Both PWs used to switch are dynamic.
l Mixed PWs switching: One of the PWs is dynamic, and the other is static.
Procedure
l Static PW Switching
Do as follows on the S-PEs.
1. Run:
system-view

2. Run:
mpls switch-l2vc ip-address vc-id trans trans-label recv received-label
between ip-address vc-id trans trans-label recv received-label
encapsulation encapsulation-type [ control-word [ cc { alert | cw } * cv
lsp-ping ] | [ no-control-word ] [ cc alert cv lsp-ping ] ]
The static PWs switching is enabled.

A PW label must be manually configured on the S-PE for static PW switching.
The conditions of setting up a static MH-PW are as follows:
On U-PE, once the AC state is up and PSN tunnel exists, the PW state is up.
On the S-PE, once the PSN tunnels on both sides exist, the PW is in up state. This
is regardless of whether the PW encapsulation of S-PE is consistent with that of
U-PE or not.
For the sake of management convenience, it is recommended to configure the same
PW encapsulation type on the devices along the PW (U-PE and S-PE).
l Dynamic PW Switching
1. Run:
system-view

2. Run:
mpls switch-l2vc ip-address vc-id between ip-address vc-id encapsulation
encapsulation-type [ control-word-transparent ]
The dynamic PWs switching is configured.

When configuring dynamic PW switching, ensure that the PW encapsulation type is
consistent on the devices (U-PE and S-PE) along the PW; otherwise, the PW will not
enter the Up state.
l Mixed PW Switching
NOTE
While configuring mixed PWs switching, note that the parameters "ip-address" and "vc-id" before
"between" in the command are that of dynamic PW, while the ones after "between" are that of static
PW. Both these cannot be interchanged.

1. Run:
system-view

2. Run:
mpls switch-l2vc ip-address vc-id between ip-address vc-id trans trans-
label recv received-label encapsulation encapsulation-type [ mtu mtu-
value ] [ control-word [ cc { alert | cw } * cv lsp-ping ] | [ no-control-
word ] [ cc alert cv lsp-ping ] ]
The mixed PWs switching is enabled

When configuring the mixed PWs switching, ensure that the following MTUs are the
same:
Local MTU of the dynamic PW

Peer MTU of the dynamic PW
Local MTU of the static PW
Peer MTU of the static PW
NOTE
l When configuring mixed PW switching, the MTUs of the interfaces on the two ends must
be the same and cannot be longer than 1500 bytes.
----End

After a switching PW is configured, you can view information about the switching PW.
Prerequisite
The configurations of the PW Switching function are complete.
Procedure
l Run the display mpls switch-l2vc [ ip-address vc-id encapsulation encapsulation-type |
state { down | up } ] command to check information about the PW switching on S-PEs.
----End
Example
Run the display mpls switch-l2vc [ ip-address vc-id encapsulation encapsulation-type | state
{ down | up } ] command. You can view the VC status is Up. For example:
<Quidway> display mpls switch-l2vc
Total Switch VC : 1, 1 up, 0 down
*Switch-l2vc type : LDP<---->LDP
Peer IP Address : 5.5.5.9, 1.1.1.9
VC ID : 200, 100
VC Type : VLAN
VC State : up
VC StatusCode |PSN |OAM | FW | |PSN |OAM | FW |
-Local VC :| UP | UP | UP | | UP | UP | UP |
-Remote VC:| UP | UP | UP | | UP | UP | UP |
Session State : up, up
Local/Remote Label : 23553/23552, 23552/23552
Local/Remote MTU : 1500/1500, 1500/1500

Local/Remote Control Word : Enable/Enable, Enable/Enable

Local/Remote VCCV Capability : cw alert lsp-ping bfd/cw alert lsp-ping bfd, cw
alert lsp-ping bfd/cw alert lsp-ping bfd
Switch-l2vc tunnel info :
1 tunnels for peer 5.5.5.9
CKey : 44, 1
NKey : 43, 3
Tunnel policy : --, --
VC last up time : 2010/11/24 12:31:31
6.7 Configuring a Backup PW

To configure PW FRR in the scenario where CEs are asymmetrically connected PEs, you need
to configure a backup PW. After the master PW fails, traffic can be switched to the backup PW.

Before configuring a backup PW, familiarize yourself with the applicable environment,
In the PWE3 FRR network where CEs are asymmetrically connected to PEs, a backup PW needs
to be configured.
P1 PE2
PE1
VPN AC2
backbone CE2
CE1
AC1
AC3
P2 PE3 Site2
Site1
As shown in Figure 6-11, the master PW and backup PW need to be configured on PE1. Only
one PW is required on PE2 and PE3.
On an inter-AS L2VPN and an MH PWE3, the ASBR and SPE do not distinguish the master
and backup PWs.

Before configuring a backup PW, complete the following tasks:
l Configuring an IGP on PEs and Ps in the MPLS backbone to implement IP interworking
l Enabling MPLS on PEs and Ps
l Setting up tunnels (CR-LSP, LSP) used by the master and backup PWs between PEs on
the master and backup paths
l Configuring the tunnel policy when the tunnels are CR-LSPs and not configuring the tunnel
policy when the LSP is used
l Configuring the master PW on PEs on the master path
l Configuring a PW on the PE on the backup path, without distinguishing the master and
backup PWs
l Configuring the IP addresses of the interfaces connecting the CEs to the PEs
Data Preparation
To configure a backup PW, you need the following data.
No. Data
1 Destination address and the VC ID of the backup PW
2 (Optional) Tunnel policy used by the backup PW
6.7.2 Configuring a Backup PW

The encapsulation types of master and backup PWs must be the same, but the backup VC ID
and the master VC ID cannot be the same.
Context
Do as follows on the PE to which a CE is connected through only one link:
NOTE
The types of the master and backup PWs must be consistent. That is, the encapsulation types of the master
and backup PWs must be consistent.
Procedure
Step 1 Run:
system-view

Step 2 Run:

undo portswitch


Step 4 Run:
tagged ] | mtu mtu-value ] * secondary
A backup VC is configured.
The ID of the backup VC must be different from that of the master VC.
----End

After a backup PW is configured, you can view information about the backup PW.
Context
The configurations of the backup PW are complete.
Procedure
l Run the display mpls l2vc [ vc-id | interface interface-type interface-number | remote-
info [ vc-id ] | state { down | up } ] command to check the status of a PW.
----End
Example
After the configuration is successful, the following results are displayed when the display mpls
l2vc [ vc-id | interface interface-type interface-number | remote-info [ vc-id ] | state { down |
up } ] command is used on the PE to which a CE is connected through only one link:
l The statuses of the master and backup PWs are up.
l VC state of the master PW is active, and VC state of the backup PW is inactive.
For example:
session state : up
AC state : up
VC state : up
VC ID : 100
VC type : VLAN
BFD sessionIndex : 257 BFD state : up


link state : up
Local VCCV : cw alert lsp-ping bfd
Remote VCCV : cw alert lsp-ping bfd
PW template name : 1to3
VC last up time : 2010-07-24 12:31:31
CKey : 16
NKey : 15

session state : up
AC state : up
VC state : up
VC ID : 200
VC type : VLAN
local AC OAM state : up
local PSN state : up
link state : up
VC last up time : 2010-07-24 12:31:31
CKey : 17
NKey : 18


reason of last reroute : Remote PSN fault
time of last reroute : 0 days, 0 hours, 18 minutes, 2 seconds
6.8 Configuring Static BFD for PW

This section describes how to configure static BFD for PW. After static BFD for PW is

Before configuring static BFD for PW, familiarize yourself with the applicable environment,
In MPLS-based L2VPNs, if PWs are set up between PEs, BFD can be used to detect faults of
the PWs. In this way, the speed for sensing link faults and the speed of the fast switchover of
applications at the upper layer are accelerated.
When the master and backup PWs are configured on a PE to protect links, BFD sessions need
to be set up to detect the master and backup PWs respectively.
When static BFD for PW is configured, BFD can work only in asynchronous mode.
BFD control packets are encapsulated in PW control packets, and PWs distinguish control
packets and data packets according to the control word. Therefore, during the configuration of
BFD for PW, the control word function needs to be enabled.
Before configuring static BFD for PW, complete the following tasks:
l Configuring IP parameters to make each node reachable
l Configuring PWs
NOTE
PWs must be set up on AC interfaces on PEs.
Data Preparation
To configure static BFD for PW, you need the following data.
No. Data
1 Name of a BFD session
2 Interfaces where PWs reside (AC interfaces)
3 Local discriminator and remote discriminator of a BFD session

6.8.2 Enabling BFD Globally

BFD needs to be enabled globally before static BFD for PW is configured.
Procedure
Step 1 Run:
system-view

Step 2 Run:
bfd
BFD is enabled on the local node and the BFD view is displayed.
----End
6.8.3 Enabling the Sending of BFD for PW Packets to the Protocol

Stack
To detect PW links by using BFD sessions, the sending of BFD for PW packets to the protocol
stack must be enabled.
Procedure
Step 1 Run:
system-view

Step 2 Run:
bfd for pw enable
The sending of BFD for PW packets to the protocol stack is enabled.
----End
6.8.4 Configuring BFD for PW

You must configure or cancel static BFD for PW on both ends of a PW simultaneously;
otherwise, the PW statuses on both PEs become inconsistent.
Context
Do as follows on the PEs on the two ends of the PW to be detected:
Procedure
Step 1 Run:
system-view

Step 2 Run:
bfd cfg-name bind pw interface interface-type interface-number [ secondary ]

A BFD configuration entry is created.
The outbound interface interface interface-type interface-number bound to a BFD session refers
to the AC interface where the PW resides.If a management PW is bound to the BFD session, the
interface should be the loopback interface where the management PW resides.
When the PW to be detected is a backup PW, you must select secondary.
Step 3 Run:
discriminator local discr-value
The local discriminator is set.
And run:
discriminator remote discr-value
The remote discriminator is set.
NOTE
The local discriminator of the local device corresponds to the remote discriminator of the remote device.
Step 4 Run:
commit
The configuration is committed.
When the status of the service PW is Down, the BFD session is created successfully but cannot
be Up. When the status of the management PW is Down, the BFD session cannot be created,
and the system displays prompts.
NOTE
l The local discriminator and remote discriminator of a BFD session cannot be modified after being
configured. To modify the local or remote discriminator of the BFD session, run the undo bfd bfd-
name command in the system view to delete related BFD for PW configuration and then reconfigure
it. After the PW is deleted, related configuration of the BFD session is deleted.
l BFD for PW must be configured or deleted on the PEs on the two ends of a PW simultaneously;
otherwise, the PW statuses on the two PEs are different.
----End

After static BFD for PW is configured, you can view information about BFD and BFD sessions.
Context
The configurations of static BFD for PW are complete.
Procedure
l Run the display bfd configuration pw interface interface-type interface-number
[ secondary ] [ verbose ] command to check the BFD configuration.
l Run the display bfd session pw interface interface-type interface-number [ secondary ]
[ verbose ] command to check information about the BFD session.
----End

Example
Run the display bfd configuration pw interface interface-type interface-number
[ secondary ] [ verbose ] command, and you can view the discriminators of the BFD session,
the type of the PW that is bound to the BFD session, and the type of the BFD session. For
example:
<Quidway> display bfd configuration pw interface vlanif 10 verbose
--------------------------------------------------------------------------------
BFD Session Configuration Name : 1to2
--------------------------------------------------------------------------------
Local Discriminator : 12 Remote Discriminator : 21
BFD Bind Type : PW(Master)
Bind Session Type : Static
Bind Interface : Vlanif10
TOS-EXP : 6 Local Detect Multi : 3
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
WTR Interval (ms) : -- Process PST : Enable
Proc interface status : Disable
Bind Application : L2VPN | OAM_MANAGER | MPLSFW
Session Description : --
--------------------------------------------------------------------------------
Total Commit/Uncommit CFG Number : 1/0
Run the display bfd session pw interface interface-type interface-number [ secondary]

[ verbose ] command, and you can view the status of the BFD session, discriminators of the
BFD session, the type of the PW that is bound to the BFD session, and the type of the BFD
session. For example:
<PE1> display bfd session pw interface vlanif 10 verbose
--------------------------------------------------------------------------------
Session MIndex : 256 State : Up Name : 1to2
--------------------------------------------------------------------------------
Session Detect Mode : Asynchronous Mode Without Echo Function
Bind Peer Ip Address : --.--.--.--
NextHop Ip Address : --.--.--.--
FSM Board Id : 1 TOS-EXP : 6
Actual Tx Interval (ms): 1000 Actual Rx Interval (ms): 1000
Local Detect Multi : 3 Detect Interval (ms) : 3000
Echo Passive : Disable Acl Number : --
Destination Port : 3784 TTL : 1
Proc interface status : Disable Process PST : Enable
WTR Interval (ms) : --
Active Multi : 3
Last Local Diagnostic : No Diagnostic
Session TX TmrID : -- Session Detect TmrID : --
Session Init TmrID : -- Session WTR TmrID : --
Session Echo Tx TmrID : --
PDT Index : FSM-0 | RCV-0 | IF-0 | TOKEN-0
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 1/0
6.9 Configuring Dynamic BFD for PW

This section describes how to configure dynamic BFD for PW. After dynamic BFD for PW is


Before configuring dynamic BFD for PW, familiarize yourself with the applicable environment,
In the MPLS L2VPN where PWs are used as transmission tunnels, dynamic BFD for PW is used
to quickly detect faults of PWs. Once a PW is faulty, the master and backup PWs switchover
can be immediately performed to lessen the impact on carried services.
BFD control packets are encapsulated in PW control packets, and PWs distinguish control
packets and data packets based on the control word. Therefore, during the BFD for PW
configuration, you need to enable the control word function.
Types of the PWs can be detected by using BFD are as follows:
l SH PWs
l MH PWs
Before configuring dynamic BFD for PW, complete the following tasks:
l Configuring basic MPLS functions
l Configuring PWs
Data Preparation
To configure dynamic BFD for PW, you need the following data.
No. Data
1 VC ID of a PW
2 BFD parameters

Before configuring dynamic BFD for PW, you must enable BFD globally.
Context
Do as follows on the PEs at the two ends of a PW:
Procedure
Step 1 Run:
system-view

Step 2 Run:
bfd
BFD is enabled on the local node and the BFD view is displayed.
----End
6.9.3 Enabling the Sending of BFD for PW Packets to the Protocol

Stack
To detect PW links by using BFD sessions, the sending of BFD for PW packets to the protocol
stack must be enabled.
Procedure
Step 1 Run:
system-view
Step 2 Run:
bfd for pw enable
The sending of BFD for PW packets to the protocol stack is enabled.
----End
6.9.4 Configuring the Attributes of a PW Template

To detect a PW based on a control word channel, you must enable the control word function by
using the PW template before configuring dynamic BFD for PW.
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
The PW template view is displayed.
Step 3 Run:
control-word
The two PEs are enabled to support CWs.
----End

6.9.5 (Optional) Adjusting BFD Parameters

BFD detection parameters include the multiple of the local BFD detection time, expected
minimum interval for receiving packets, and expected minimum interval for sending packets.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
bfd-detect [ detect-multiplier multiplier | min-rx-interval rx-interval | min-tx-
interval tx-interval ] *
Time parameters of BFD are set.
----End
6.9.6 Configuring PWs

A PW can be a static, a dynamic, or a switching PW.
Procedure
Step 1 For detailed configuration, see "6.4 Configuring a Static PW, 6.5 Configuring a Dynamic
PW, or 6.6 Configuring PW Switching". You can select one of the configurations as required.
----End
6.9.7 Triggering Dynamic BFD for PW

You must configure or cancel dynamic BFD for PW on both ends of a PW simultaneously;
otherwise, the PW statuses on both PEs become inconsistent.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
mpls l2vpn pw bfd [ detect-multiplier multiplier | min-rx-interval rx-interval |
min-tx-interval tx-interval ] * [ remote-vcid vc-id ] [ secondary ]
A BFD session is dynamically set up to detect PWs.

After this command is used, the BFD session is created immediately.
This command can also be used to adjust BFD detection parameters.
To detect MH PWs, remote-vcid must be specified.
To detect backup PWs, secondary must be used.
NOTE
BFD for PW must be configured or deleted on the two PEs of a PW simultaneously; otherwise, the PW
statuses on the two PEs are different.
----End

After dynamic BFD for PW is configured, you can view information about BFD and BFD
sessions.
Context
The configurations of dynamic BFD for PW are complete.
Procedure
l Run the display bfd configuration pw interface interface-type interface-number
[ secondary ] [ verbose ] command to check the BFD configuration.
----End
Example
Run the display bfd configuration pw interface interface-type interface-number
[ secondary ] [ verbose ] command, and you can view discriminators of the BFD session, the
type of the PW that is bound to the BFD session, and the type of the BFD session. For example:
<Quidway> display bfd configuration pw interface vlanif 10 verbose
--------------------------------------------------------------------------------
BFD Session Configuration Name : dyn_8192
--------------------------------------------------------------------------------
Bind Session Type : Dynamic
WTR Interval (ms) : -- Process PST : Enable


--------------------------------------------------------------------------------
Run the display bfd session pw interface interface-type interface-number [ secondary ]

<Quidway> display bfd session pw interface vlanif 10 verbose
Session MIndex : 256 State : Up Name : dyn_8192
--------------------------------------------------------------------------------
Actual Tx Interval (ms): -- Actual Rx Interval (ms): --
Local Detect Multi : 3 Detect Interval (ms) : --
Active Multi : 3
--------------------------------------------------------------------------------
6.10 Configuring PWE3 FRR

This section describes how to configure PW FRR. After PW FRR is configured, the L2VPN
traffic can be timely switched to backup path as soon as the master path fails. After the master
path recovers, the L2VPN traffic can be switched back to it according to the revertive switching
policy.

The PW FRR supported by the S7700 is mainly used on the network where the CEs are
asymmetrically connected to PEs.
In such networking, one CE of the VC is connected to a more reliable PE through a single link
of higher reliability. The other CE is dual-homed to the PEs of lower reliability. Two paths thus
exist between the CEs. The path with higher reliability is the master path, and the path with
lower reliability is the backup path.
The revertive switchover policy is required only in the networking where the CEs are
asymmetrically connected to PEs. By default, a delay is set for the revertive switchover.

After the PW FRR is configured, L2VPN traffic is rapidly switched to the backup path when a
fault occurs on the master path. After the fault on the master path is rectified, the L2VPN traffic
is switched back to the master path according to the revertive switchover policy.
Before configuring PW FRR, complete the following tasks:
l Configuring a PW on each of the master path and backup path for the networking where
CEs are asymmetrically connected to PEs (The types of PWs on the master path and backup
path must be the same.)
l Configuring CEs to exchange routing information by using routing protocols or static routes
NOTE
In the networking where CEs are asymmetrically connected to PEs, the backup PW cannot transmit data
when the master path and backup path work normally. If the AC interface of the backup PW borrows the
IP address of the AC interface of the master PW, the following situations occur:
l A permanent non-revertive policy cannot be configured.
l The local CE has two equal-cost and direct routes to the remote CE. The destination addresses and next
hops of the two routes are the same. Actually, the route that passes through the backup PW is invalid.
l If CEs exchange routing information by using routing protocols, you need to modify the cost or metric
of the AC interface of the backup path to be greater than that of the AC interface of the master path.
The local CE cannot communicate with the peer CE, but can communicate with other user devices.
l If the AC link is an Ethernet link, the function of BFD for static routes need also be configured on CEs.
Data Preparation
To configure PW FRR, you need the following data.
No. Data
1 Type and number of the interface connected to the CE
2 Destination address and VC ID of the L2VC
3 (Optional) Local and remote identifiers of the BFD session
4 (Optional) Traffic revertive switching delay after fault recovery and fault recovery
notification delay (by default, the traffic revertive switching delay is 30 seconds and
the fault recovery notification delay is 10 seconds.)
6.10.2 Configuring Primary and Backup PWs

In the networking where CEs are asymmetrically connected to PEs, you need to configure
primary and backup PWs.
Context
l In the networking where CEs are symmetrically dual-homed to PEs, you need to configure
one PW for both the primary and backup paths. The primary and backup paths can be
configured with different types of PWs.

l In the networking where CEs are asymmetrically connected to PEs, you need to configure
primary and backup PWs. The primary and backup PWs must be of the same type.
NOTE
PWE3 FRR supports only dynamic PWs, namely, LDP PWs, rather than static PWs.
Procedure
Step 1 Run:
system-view
Step 2 Run:
mpls l2vpn
MPLS L2VPN is enabled, and the MPLS L2VPN view is displayed.
Step 3 Run:
quit
Step 4 Run:

undo portswitch
Step 6 Run:
tagged ] | mtu mtu-value ] *
The primary PW is configured.
NOTE
Before using a PW template to create a PW, you need to configure a PW template. For details, refer to 6.3
Configuring the Attributes of a PW Template.

tagged ] | mtu mtu-value ] * secondary
The backup PW is configured.

NOTE
l Both primary and backup PWs need to be configured on the PE to which a CE is single-homed.
l Primary and backup PWs must have different VC IDs.
l The control word configuration on the primary and secondary PWs must be the same. Otherwise, lots
of packets will be lost after the primary/secondary PW switchover.
----End
6.10.3 (Optional) Configuring BFD for PW

BFD for PW expedites the fault detection on the public network.
Context
BFD for PW, which speeds up fault detection, is recommended.
Static BFD for PW or dynamic BFD for PW can be configured on PEs. For detailed
configuration, see the following sections:
l 6.8 Configuring Static BFD for PW

l 6.9 Configuring Dynamic BFD for PW
Example
NOTE
l BFD for PW must be configured or deleted on the PEs at the both ends of a PW simultaneously.
Otherwise, the PW statuses on the two PEs are different.
l To detect statuses of the tunnels that carry PWs, you can configure BFD for tunnels. For detailed
configuration, refer to the chapters "Basic MPLS Configuration" and "MPLS TE Configuration" in the
Quidway S7700 Smart Routing Switch Configuration Guide - MPLS.
6.10.4 (Optional) Configuring the Revertive Switchover

The revertive switching policies can be classified into three modes: immediate revertive mode,
delayed revertive mode, and non-revertive mode. By default, the revertive switching policy is
in delayed revertive mode.
Context
When CEs are connected to PEs asymmetrically, do as follows on the PE (where traffic is
switched) to which a CE is connected through a single link:
Procedure
Step 1 Run:
system-view
Step 2 Run:

Step 3 Run:
mpls l2vpn reroute { { delay delay-time | immediately } [ resume resume-time ] |
never }
The revertive switchover policy is configured.

The types of the revertive switchover on PEs are as follows:
l Immediate revertive switchover: The local PE immediately switches traffic to the master PW
and notifies the fault to the remote PE of the backup PW. The PE notifies the rectification
of the fault to the remote PE of the backup PW after the period of resume-time.
l Delayed revertive switchover: The PE switches traffic to the master PW after the period of
delay-time.
l None revertive switchover: The PE does not switch traffic to the master PW until the backup
PW is faulty.
For an asymmetric networking, in which ACs are of the Ethernet type, note the following:
l If the remote shutdown function is configured on the interface of a PE that connects a CE,
you are recommended not to use the policy of immediate revertive switchover, which may
lead to network flapping and traffic loss. On the other hand, you can use the policy of delayed
revertive switchover to set delay-time equal to or more than 30 seconds.
l If the Ethernet OAM function is configured on the interface of a PE that connects a CE, and
a revertive switchover policy is also configured, you cannot set resume-time to be 0 seconds,
but be equal to or longer than one second.
----End

After PW FRR is configured,you can view information about the PW on the local and remote
ends, BFD sessions, L2VPN forwarding, and fault mapping between AC and PW.
Prerequisite
The configurations of the PWE3 FRR function are complete.
Procedure
to check information about the PW on the local PE.
PW on the remote PE.
l Run the display mpls l2vpn forwarding-info [ vc-label ] interface interface-type
interface-number command to check information about L2VPN forwarding.
----End
Example
Run the display mpls l2vc [ vc-id | interface interface-type interface-number ] command, and
you can view that the statuses of the master and backup PWs are up, VC state of the master PW
is active, and VC state of the backup PW is inactive. For example:


session state : up
AC state : up
VC state : up
VC ID : 100
VC type : VLAN
link state : up
VC last up time : 2010-12-24 13:33:31
CKey : 16
NKey : 15

session state : up
AC state : up
VC state : up
VC ID : 200
VC type : VLAN
link state : up


VC last up time : 2010-12-24 13:35:21
CKey : 17
NKey : 18

reason of last reroute : Remote AC fault was resumed
time of last reroute : 0 days, 0 hours, 1 minutes, 38 seconds
Run the display mpls l2vc remote-info command, and you can view that Peer Addr is the peer
100 0 2.2.2.2 vlan 23552 1 1500 1 0
200 0 3.3.3.3 vlan 23552 1 1500 1 0
Run the display bfd session pw interface interface-type interface-number [ secondary ]

<Quidway> display bfd session pw interface vlanif 10 verbose
--------------------------------------------------------------------------------
Session MIndex : 257 State : Up Name : 1to3
--------------------------------------------------------------------------------
Active Multi : 3
--------------------------------------------------------------------------------

Run the display mpls l2vpn forwarding-info [ vc-label ] interface interface-type interface-
number command, and you can view that the ENTRYTYPE of the master PW is SEND,
PWSTATE is ACTIVE, BFDSTATE is UP, and ADMIN is UP. For example:
<Quidway> display mpls l2vpn forwarding-info interface vlanif 10
The Main PW Forward Information :
------------------------------------------------------------------------------
23553 LSP SEND ACTIVE UP UP TRUE 1 8 0x10005
1 Record(s) Found.
The Second PW Forward Information :

------------------------------------------------------------------------------
23553 LSP SEND ACTIVE UP UP TRUE 1 8 0x10003
1 Record(s) Found.
Run the manual-set pw-ac-fault command on the AC interface of the master PW, the following
situations occur:
l The status of the master PW is Down.

l VC status of the master PW is InActive, and that of the backup PW is Active.
l L2VPN data is switched to the backup PW.
Run the undo manual-set pw-ac-fault command on the AC interface of the master PW to rectify
the fault on the PW, the following situations occur:
l The status of the master PW is up.

l VC status of the master PW is Active, and VC status of the backup PW is InActive.
l L2VPN data is switched to the master PW.
6.11 Configuring Inter-AS PWE3

This section describes how to configure inter-AS PWE3. After inter-AS PWE3 is configured,
the MPLS backbone network that bears PWE3 can span multiple ASs.

Before configuring inter-AS PWE3, familiarize yourself with the applicable environment,
If the MPLS backbone network bearing PWE3 spans multiple ASs, the inter-AS PWE3 must be
configured.
Inter-AS PWE3 has the following schemes:
l Inter-AS PWE3-Option A: Option A is easy to implement and applicable to the scenario

where the number of inter-AS PWs is small.
l Inter-AS PWE3-Option C: In this option, PWs are not required for ASBRs. When multiple
inter-AS PWs exist in each AS, the ASBR may be the bottleneck in expanding the network.

Before configuring inter-AS PWE3, complete the following tasks:
l Configuring an IGP protocol for MPLS backbone networks in each AS to ensure IP

connectivity within an AS
l Configuring basic MPLS functions for MPLS backbone networks in each AS
l Configuring MPLS LDP for MPLS backbone networks in each AS and establishing LDP
LSP
Data Preparation
To configure inter-AS PWE3, you need the following data.
No. Data
1 Option of the inter-AS VPN
2 AS number of each AS
6.11.2 Configuring Inter-AS PWE3-Option A

In inter-AS PWE3 OptionA, each ASBR must reserve a sub-interface for each inter-AS VC. If
the number of inter-AS VCs is small, this solution can be used. Compared with L3VPN, this
inter-AS L2VPN solution consumes more resources and requires heavier configuration
workload, which is not recommended.
Context
The configurations of inter-AS PWE3-Option A can be summarized as follows:
l 6.5 Configuring a Dynamic PW for each AS

l Configuring the local ASBR by regarding the peer ASBR as its CE
l No inter-AS configuration is needed on the ASBRs.
l You need not configure the IP addresses on the interfaces that directly connected ASBRs.

After inter-AS PWE3 is configured, you can view PW information on the local end and remote
end.
Prerequisite
The configurations of the Inter-AS PWE3 function are complete.
Procedure
to check information about the PW on the local PE.

PW of the remote PE on the local PE.
----End
Example
Run the display mpls l2vc [ vc-id | interface interface-type interface-number ] command. In
the command output, you can find that "VC state" is Up. For example:
session state : up
AC state : up
VC state : up
VC ID : 100
VC type : VLAN
link state : up
Local VCCV : alert lsp-ping bfd
Remote VCCV : alert lsp-ping bfd
NO.0 TNL type : gre , TNL ID : 0x10003
VC last up time : 2008-07-24 12:31:31
CKey : 16
NKey : 15
Run the display mpls l2vc remote-info command. In the command output, you can find that
"Peer Addr" indicates the remote address of the designated VC. For example:
100 0 192.3.3.3 vlan 23552 0 1500 1 0

6.12 Maintaining PWE3

This section describes how to maintain PWE3. Detailed operations include PW connectivity
detection, and PW fault location.
6.12.1 Verifying the Connectivity of a PW

After PWE3 is configured, the PWE3 connectivity can be detected.
Prerequisite
Before using the ping vc and tracert vc commands to check the connectivity of a PW, ensure
that the PWE3 network is correctly configured.
By default, VCCV in Label Alert mode is enabled. Before using the control word channel, run
the control-word command to enable the control word function. After that, VCCV in control
word channel mode is enabled.
When locating faults on the PW, you can use either VCCV in control word channel mode or
VCCV in normal mode.
At present, checking the connectivity of the PW is not supported in the following situations:
l SPEs do not support the ping vc and tracert vc command (these commands are supported
only by UPEs).
l Multiple users cannot run the command simultaneously. That is, the devices on the two
ends cannot ping a VC at the same time. On a device serving as both a UPE and an SPE,
if the PW serving as an SPE is performing VCCV ping, the PW serving as a UPE will be
unable to perform VCCV ping. That is, two VCCV pings cannot be performed on a same
device at the same time.
l The MTU check of the VC is not supported.
For an MH-PW, the local VC ID and VC type needs to be specified.
In the control word mode, if VC IDs are different, the VC ID of the remote UPE needs to be
specified. In the MPLS Label Alert mode, the addresses of the remote peer SPEs or UPEs need
to be specified.
Because a static PW does not support signaling negotiation, configurations of the UPE control
word on both ends of the PW are different, with the control word being enabled on one end, but
disabled on the other. When the MPLS Label Alert mode is enabled on both ends, the PW can
be Up and the ping vc command can work. CEs, however, cannot communicate with each other
because the control words are different.
Procedure
l Check the connectivity of the PW.
value | -exp exp-value | -r reply-mode | -v ] * control-word [ remote peer-pw-id |
draft6 ] *

Label Alert channel

value | -exp exp-value | -r reply-mode | -v ] * label-alert [ remote remote-ip-address |
draft6 ] *
l Locate a fault on the PW.
tracert vc pw-type pw-id [ -exp exp-value | -f first-ttl | -m max-ttl | -r reply-mode | -t
timeout-value ] * control-word [ [ [ remote remote-pw-id ] draft6 ] | remote remote-
ip-address ] [ full-lsp-path ]
Label Alert channel
timeout-value ] * label-alert [ remote remote-ip-address ] [ full-lsp-path ] [ draft6 ]
Normal mode
timeout-value ] * normal [ remote remote-ip-address ] [ full-lsp-path ] [ draft6 ]
----End
6.12.2 Locating a Fault of a PW

After PWE3 is configured, you can locate any PW faults.
Context
To locate a PW fault, first configure basic PWE3 functions by using the PW template, and then
do as follows on each UPE:
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
control-word
The control word mode is enabled.
Step 4 Run any of the following commands to collect information about each LSR on the PW and the
egress PE.
l tracert vc pw-type pw-id [ -exp exp-value | -f first-ttl | -m max-ttl | -r reply-mode | -t timeout-

value ] * control-word [ [ [ remote remote-pw-id ] draft6 ] | remote remote-ip-address ]
[ full-lsp-path ]
value ] * label-alert [ remote remote-ip-address ] [ full-lsp-path ] [ draft6 ]


value ] * normal [ remote remote-ip-address ] [ full-lsp-path ] [ draft6 ]
When using the tracert vc command to locate a PW fault, note the following points:
l SPEs do not support the command. The command is supported only by UPEs.
l This command can be used to tracert both an SH-PW and an MH-PW constructed in the LDP
mode.
l When tracing routes of an MH-PW, besides the local PW ID and PW type, you need to specify
the remote PW ID.
The execution of the tracert vc command may be terminated in one of the following situations:
l The device that initiates tracert receives an MPLS Echo Reply packet from the egress device.
l The TTL in the label of the previous MPLS Echo Request packet sent by the device that
initiates tracert reaches the set or default maximum number of hops.
l The user presses Ctrl+C on the device to initiate tracert.
----End
6.12.3 Debugging a PWE3

After a fault occurs in PWE3, a relevant debugging command can be used to debug PWE3,
display debugging information, locate the fault, and analyze the cause.
Context
CAUTION
Debugging affects system performance. After debugging is complete, run the undo
debugging all command to disable debugging immediately.
In the case of operational faults, run the debugging command in the user view to debug the
PWE3 and locate the faults.
In the case of operational faults, run the debugging command in the user view to debug the
PWE3 and locate the faults. For the procedure of outputting the debugging information, refer to
the chapter "Maintenance and Debugging" in the Quidway S7700 Smart Routing Switch
Configuration Guide - Device Management.
Procedure
l Run the debugging mpls lspc { all | error | event | packet } command in the user view to
enable debugging of MPLS ping/tracert.
----End


6.13.1 Example for Configuring a Dynamic SH-PW
As shown in Figure 6-12, PE1 and PE2 are connected through an MPLS backbone network.
An LSP needs to be used to set a dynamic PW between PE1 and PE2.
Figure 6-12 Networking diagram for configuring a dynamic SH-PW (using LSP)
MPLS Backbone

192.2.2.2/32 192.4.4.4/32 192.3.3.3/32
GE2/0/0 GE2/0/0
GE1/0/0 GE2/0/0
PE1 GE1/0/0 P GE1/0/0 PE2
PW
GE1/0/0 GE1/0/0
CE1 CE2
Loopback1 - 192.2.2.2/32
Loopback1 - 192.3.3.3/32
Loopback1 - 192.4.4.4/32

1. Run an IGP protocol on the devices of the backbone network to implement connectivity.
2. Configure the basic MPLS functions on the backbone network and set up an LSP. Set up
the MPLS LDP peer relation between the two PEs on the two ends of the PW.
3. Create an MPLS L2VC connection between the two PEs.
Data Preparation
l Identical L2VC IDs of PEs on the two ends of a PW
l MPLS LSR ID of each PE and P
l Peer address of PE
Procedure
Step 1 Configure interface addresses for CE, PE and P according to Figure 6-12, including VLAN and
VLANIF interfaces.
The OSPF protocol is used in this example.
After the configuration, run the display ip routing-table command. You can see that PE1 and
PE2 can learn the loopback 0 address of each other that is discovered by the OSPF protocol, and
can ping each other.
------------------------------------------------------------------------------
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif20

10.2.2.0/24 OSPF 10 2 D 10.1.1.2 Vlanif20
192.3.3.3/32 OSPF 10 3 D 10.1.1.2 Vlanif20
192.4.4.4/32 OSPF 10 2 D 10.1.1.2 Vlanif20
<PE1> ping 192.3.3.3



0.00% packet loss

Step 3 Enable MPLS and set up tunnels and LDP sessions.

Enable MPLS on the backbone network, set up LSPs and LDP remote sessions between the PEs.
After the configuration, run the related command, and you can see that LDP sessions are set up
between PEs, and between each pair of PE and P, and the session status is Operational.

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 4 Create a VC connection.

Enable MPLS L2VPN on PE1 and PE2; create a VC on each PE.
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1-Vlanif10] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
[PE2-Vlanif30] quit

View information about the L2VPN connection on the PEs, and you can see that an L2VC is set
up and is in Up state.
session state : up
AC state : up
VC state : up
VC ID : 100
VC type : VLAN


link state : up
tunnel policy : --
VC last up time : 2010/01/14 19:10:07
CKey : 8
NKey : 7

<CE1> ping 100.1.1.2
0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.0
#
#
return

#
sysname PE1
#
vlan batch 10 20
#
mpls lsr-id 192.2.2.2
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 192.3.3.3
#
interface Vlanif10
mpls l2vc 192.3.3.3 100
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 192.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 192.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
#
sysname P
#
vlan batch 20 40
#
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
#
#

interface LoopBack0
ip address 192.4.4.4 255.255.255.255
#
ospf 1
area 0.0.0.0
network 192.4.4.4 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return

#
sysname PE2
#
vlan batch 30 40
#
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 192.2.2.2
#
interface Vlanif30
mpls l2vc 192.2.2.2 100
#
interface Vlanif40
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 192.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 192.3.3.3 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return

#
sysname CE2
#
vlan batch 30
#
interface Vlanif30
ip address 100.1.1.2 255.255.255.0
#
#
return

6.13.2 Example for Configuring a Static MH-PW
You need to set up a static MH-PW between U-PE1 and U-PE2. The S-PE is the switching node,
which sets up a two-hop static PW.
Figure 6-13 Networking diagram for configuring a static MH-PW

2.2.2.9/32 3.3.3.9/32 4.4.4.9/32
P1 P2
GE1/0/0 GE1/0/0
GE2/0/0 GE2/0/0
GE1/0/0 S-PE GE2/0/0
Loopback0 Loopback0
1.1.1.9/32 PW Sta 5.5.5.9/32
tic tic
Sta PW
GE2/0/0 GE1/0/0
U-PE1 U-PE2
GE1/0/0 GE2/0/0
GE1/0/0 GE1/0/0
CE1 CE2
U-PE1 GigabitEthernet1/0/0 VLANIF 10 -
Loopback0 - 1.1.1.9/32
U-PE2 GigabitEthernet1/0/0 VLANIF 50 40.1.1.2/24
Loopback0 - 5.5.5.9/32
Loopback0 - 2.2.2.9/32
Loopback0 - 4.4.4.9/32
S-PE GigabitEthernet1/0/0 VLANIF 30 20.1.1.2/24

Loopback0 - 3.3.3.9/32
1. Run a routing protocol on the devices of the backbone network to implement connectivity.
2. Configure the basic MPLS functions on the backbone network and set up an LSP.
3. Create an MPLS L2VC connection between the two U-PEs.
4. Create a switching PW on the S-PE.
Data Preparation
l L2VC IDs of U-PE1 and U-PE2
l MPLS LSR-IDs of U-PE1, S-PE, and U-PE2
l Name of the PW template and attributes of the PW template used on the U-PEs
l VC labels of the PW (pay attention to the mapping between the VC labels on the two ends)
l Encapsulation type of the S-PE
Procedure
Step 1 Configure interface addresses for CE, U-PE,P and S-PE according to Figure 6-13, including
VLAN and VLANIF interfaces.
Configure interface addresses of the U-PE, S-PE, and P according to Figure 6-13. When
configuring OSPF, note that the 32-bit loopback interfaces of U-PE1, S-PE, and U-PE2 must be
advertised.
Step 3 Configure basic MPLS functions and set up tunnels.
Configure the basic MPLS capability on the MPLS backbone network. Set up LSPs between U-
PE1 and S-PE, and between S-PE and U-PE2. The configuration procedure is not mentioned.
Enable MPLS L2VPN on U-PE1 and U-PE2. Create VC connections on two U-PEs.
# Configure U-PE1.
[U-PE1] pw-template pwt
[U-PE1-pw-template-pwt] peer-address 3.3.3.9

[U-PE1-pw-template-pwt] quit
[U-PE1] mpls l2vpn
[U-PE1-l2vpn] quit
[U-PE1] interface vlanif 10
[U-PE1-Vlanif10] mpls static-l2vc pw-template pwt 100 transmit-vpn-label 100
receive-vpn-label 100
[U-PE1-Vlanif10] quit
# Configure S-PE.
[S-PE] mpls l2vpn
[S-PE-l2vpn] quit
[S-PE] mpls switch-l2vc 5.5.5.9 100 trans 200 recv 200 between 1.1.1.9 100 trans
100 recv 100 encapsulation vlan
# Configure U-PE2.
[U-PE2] mpls l2vpn
[U-PE2-l2vpn] quit
NOTE
The transmit-vpn-label set on the U-PE must be consistent with the recv label on the S-PE; the receive-
vpn-label set on the U-PE must be consistent with the trans label on the S-PE. Otherwise, CEs cannot

View information about the L2VPN connection on the PEs, and you can see that an L2VC is set
up and is in Up state.
Take U-PE1 and S-PE for example.
<U-PE1> display mpls static-l2vc interface vlanif 10
AC Status : up
VC State : up
VC ID : 100
VC Type : VLAN
VCCV Capabilty : alert lsp-ping bfd
Tunnel Policy : --
PW Template Name : pwt
NO.0 TNL Type : lsp , TNL ID : 0x4800200f
VC last up time : 2010/11/14 12:31:31
CKey : 2
NKey : 3
<S-PE> display mpls switch-l2vc

*Switch-l2vc type : SVC<---->SVC

Peer IP Address : 5.5.5.9, 1.1.1.9

VC ID : 100, 100
VC Type : VLAN
VC State : up
In/Out Label : 200/200, 100/100
Control Word : Disable, Disable
VCCV Capability : alert lsp-ping bfd, alert lsp-ping bfd
CKey : 44, 1
NKey : 43, 3
VC last up time : 2010/11/14 12:31:31

<CE1> ping 100.1.1.2

0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.0
#
#
return
l Configuration file of U-PE1

#
sysname U-PE1
#
vlan batch 10 20
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#

pw-template pwt
peer-address 3.3.3.9
#
mpls ldp
#
interface Vlanif10
mpls static-l2vc pw-template pwt 100 transmit-vpn-label 100 receive-vpn-label
100
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
#
sysname P1
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 20.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 20.1.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0

#
return
l Configuration file of S-PE
#
sysname S-PE
#
vlan batch 30 40
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
mpls switch-l2vc 5.5.5.9 100 trans 200 recv 200 between 1.1.1.9 100 trans 100
recv 100 encapsulation vlan
#
mpls ldp
#
interface Vlanif30
ip address 20.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
ip address 30.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return
#
sysname P2
#
vlan batch 40 50
#
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface Vlanif40
ip address 30.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif50
ip address 40.1.1.1 255.255.255.0
mpls
mpls ldp
#


#
#
interface LoopBack0
ip address 4.4.4.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 30.1.1.0 0.0.0.255
network 40.1.1.0 0.0.0.255
#
return
#
sysname U-PE2
#
vlan batvh 50 60
#
mpls lsr-id 5.5.5.9
mpls
#
mpls l2vpn
#
pw-template pwt
#
mpls ldp
#
interface Vlanif50
ip address 40.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
200
#
#
#
interface LoopBack0
ip address 5.5.5.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 5.5.5.9 0.0.0.0
network 40.1.1.0 0.0.0.255
#
return
#
sysname CE2
#
vlan batch 60
#
interface Vlanif60
ip address 100.1.1.2 255.255.255.0
#

#
return
6.13.3 Example for Configuring a Dynamic MH-PW
As shown in Figure 6-14, U-PE1 and U-PE2 are connected through the MPLS backbone
network. Use the LSP and set S-PE as the switching node to set up a dynamic MH-PW between
U-PE1 and U-PE2.
Figure 6-14 Networking diagram for configuring a dynamic MH-PW

2.2.2.9/32 3.3.3.9/32 4.4.4.9/32
P1 P2
GE1/0/0 GE1/0/0
GE2/0/0 GE2/0/0
GE1/0/0 S-PE GE2/0/0
Loopback0 Loopback0
1.1.1.9/32 100 PW 5.5.5.9/32
PW 200
GE2/0/0 GE1/0/0
U-PE1 U-PE2
GE1/0/0 GE2/0/0
GE1/0/0 GE1/0/0
CE1 CE2
Loopback0 - 1.1.1.9/32
Loopback0 - 5.5.5.9/32
Loopback0 - 2.2.2.9/32

Loopback0 - 4.4.4.9/32
Loopback0 - 3.3.3.9/32
MPLS LDP peer relations between U-PE1 and S-PE, and between U-PE2 and S-PE.
3. Create a PW template. Enable the CW and LSP ping function.
4. Configure the dynamic PW on the U-PE.
5. Create a switching PW on the switching node S-PE.
Data Preparation
l L2VC IDs on U-PE1 and U-PE2 (the L2VC IDs should be different)
l IP addresses of the remote peers
l Encapsulation type of the switching PW
l Name and parameters of the PW template on U-PEs
Procedure
Configure an IGP protocol on the MPLS backbone network. OSPF is used as the IGP protocol
in this example.
Configure interface addresses of the U-PE, S-PE, and P. When configuring OSPF, note that the
32-bit loopback interfaces of U-PE1, S-PE, and U-PE2 must be advertised.
After the configuration, run the display ip routing-table command on U-PE, P, or S-PE, and
you can see that the devices can learn each other's routes. Take the display on S-PE for example.

<S-PE> display ip routing-table

------------------------------------------------------------------------------
1.1.1.9/32 OSPF 10 3 D 20.1.1.1 Vlanif30

2.2.2.9/32 OSPF 10 2 D 20.1.1.1 Vlanif30
4.4.4.9/32 OSPF 10 2 D 30.1.1.2 Vlanif40
5.5.5.9/32 OSPF 10 3 D 30.1.1.2 Vlanif40
10.1.1.0/24 OSPF 10 2 D 20.1.1.1 Vlanif30
20.1.1.0/24 Direct 0 0 D 20.1.1.2 Vlanif30
30.1.1.0/24 Direct 0 0 D 30.1.1.1 Vlanif40
40.1.1.0/24 OSPF 10 2 D 30.1.1.2 Vlanif40
The U-PEs can ping each other. Take the display on U-PE1 for example.
<U-PE1> ping 40.1.1.2

0.00% packet loss
Step 3 Enable MPLS and set up LSPs and LDP sessions.
Configure the basic MPLS capability on the MPLS backbone network. Set up tunnels and LDP
sessions between U-PE1 and S-PE, and between S-PE and U-PE2.
# Configure U-PE1.
[U-PE1] mpls lsr-id 1.1.1.9
[U-PE1] mpls
[U-PE1-mpls] quit
[U-PE1] mpls ldp
[U-PE1-mpls-ldp] quit
[U-PE1-Vlanif20] mpls
[U-PE1-Vlanif20] mpls ldp
[U-PE1] mpls ldp remote-peer 3.3.3.9
[U-PE1-mpls-ldp-remote-3.3.3.9] remote-ip 3.3.3.9
[U-PE1-mpls-ldp-remote-3.3.3.9] quit
# Configure P1.
[P1] mpls lsr-id 2.2.2.9
[P1] mpls
[P1-mpls] quit
[P1] mpls ldp

[P1-mpls-ldp] quit
[P1] interface vlanif 20
[P1-Vlanif20] mpls
[P1-Vlanif20] mpls ldp
[P1-Vlanif20] quit
[P1-Vlanif30] mpls
[P1-Vlanif30] quit
# Configure S-PE.
[S-PE] mpls lsr-id 3.3.3.9
[S-PE] mpls
[S-PE-mpls] quit
[S-PE] mpls ldp
[S-PE-mpls-ldp] quit
[S-PE] interface vlanif 30
[S-PE-Vlanif30] mpls
[S-PE-Vlanif30] mpls ldp
[S-PE-Vlanif30] quit
[S-PE] mpls ldp remote-peer 1.1.1.9
[S-PE-mpls-ldp-remote-1.1.1.9] remote-ip 1.1.1.9
[S-PE-mpls-ldp-remote-1.1.1.9] quit
# Configure P2.
[P2] mpls
[P2-mpls] quit
[P2] mpls ldp
[P2-mpls-ldp] quit
[P2-Vlanif40] mpls
[P2-Vlanif40] quit
[P2-Vlanif50] mpls
[P2-Vlanif50] quit
# Configure U-PE2.
[U-PE2] mpls
[U-PE2-mpls] quit
[U-PE2] mpls ldp
After the configuration, run thedisplay mpls ldp session command on U-PE, P, or S-PE, and
you can see that the session status is Operational. Run the display mpls ldp peer command, and
you can see the status of the LDP sessions and adjacencies. Run the display mpls lsp command,
and you can see the status of the LSP. Take the display on S-PE for example.
<S-PE> display mpls ldp session


------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
<S-PE> display mpls ldp peer

------------------------------------------------------------------------------
PeerID TransportAddress DiscoverySource
------------------------------------------------------------------------------
1.1.1.9:0 1.1.1.9 Remote Peer : 1.1.1.9
2.2.2.9:0 2.2.2.9 Vlanif30
4.4.4.9:0 4.4.4.9 Vlanif40
5.5.5.9:0 5.5.5.9 Remote Peer : 5.5.5.9
------------------------------------------------------------------------------
<S-PE> display mpls lsp

----------------------------------------------------------------------
----------------------------------------------------------------------
3.3.3.9/32 3/NULL -/-
1.1.1.9/32 NULL/1024 -/Vlanif30
1.1.1.9/32 1024/1024 -/Vlanif30
2.2.2.9/32 NULL/3 -/Vlanif30
2.2.2.9/32 1025/3 -/Vlanif30
4.4.4.9/32 NULL/3 -/Vlanif40
4.4.4.9/32 1027/3 -/Vlanif40
5.5.5.9/32 NULL/1027 -/Vlanif40
5.5.5.9/32 1026/1027 -/Vlanif40
Step 4 Create and configure the PW template.
Create a PW template on each U-PE. Enable the CW and LSP ping function.
# Configure U-PE1.
[U-PE1-pw-template-pwt] control-word
# Configure U-PE2.
NOTE
You can configure a dynamic PW without using a PW template. If the PW template is not used, PW
connectivity cannot be verified and path information of the PW cannot be collected. That is, the ping vc
and tracert vc commands cannot be used.
Enable MPLS L2VPN on U-PE1, U-PE2, and S-PE.

Configure the dynamic PW on the U-PE. Enable dynamic PW switching on the S-PE.
# Configure U-PE1.
[U-PE1] mpls l2vpn
[U-PE1-l2vpn] quit
[U-PE1-Vlanif10] mpls l2vc pw-template pwt 100
# Configure S-PE.
[S-PE] mpls l2vpn
[S-PE-l2vpn] quit
[S-PE] mpls switch-l2vc 1.1.1.9 100 between 5.5.5.9 200 encapsulation vlan
# Configure U-PE2.
[U-PE2] mpls l2vpn
[U-PE2-l2vpn] quit

1. Display information about the PWE3 connection.
Display information about the L2VPN connection on U-PE and S-PE. You can see that an
L2VC is set up and the VC status is Up.
Take the display on U-PE1 for example.
<U-PE1> display mpls l2vc interface vlanif 10
session state : up
AC state : up
VC state : up
VC ID : 100
VC type : VLAN
link state : up

VC last up time : 2011/01/27 12:31:31

CKey :
16
NKey : 15
PW redundancy mode :
--
AdminPw interface :
--
Display the status of the switching L2VC on S-PE.

*Switch-l2vc type : LDP<---->LDP

Peer IP Address : 5.5.5.9, 1.1.1.9
VC ID : 200, 100
VC Type : VLAN
VC State : up
VC StatusCode |PSN |OAM | FW | |PSN |OAM | FW |
-Local VC :| UP | UP | UP | | UP | UP | UP |
-Remote VC:| UP | UP | UP | | UP | UP | UP |
Session State : up, up
Local/Remote Label : 23552/23552, 23553/23552
Local/Remote MTU : 1500/1500, 1500/1500
Local/Remote Control Word : Enable/Enable, Enable/Enable
Local/Remote VCCV Capability : cw alert lsp-ping bfd/cw alert lsp-ping bfd,
cw alert lsp-ping bfd/cw alert lsp-ping bfd
CKey : 4, 2
NKey : 3, 1
Control-Word transparent : NO
VC last up time : 2010/01/27 12:46:59
2. Verify the connectivity of the PW.

Run the ping vc command on the U-PE, and you can see that the connectivity of the PW
is normal. Take the display on U-PE1 for example.
<U-PE1> ping vc vlan 100 control-word remote 200
Reply: bytes=100 Sequence=1 time = 740 ms
--- FEC: FEC 128 PSEUDOWIRE (NEW). Type = vlan, ID = 100 ping statistics ---
0.00% packet loss
3. Verify the connectivity between CEs and view path information between the CEs.
<CE1> ping 100.1.1.2


0.00% packet loss
Information about the path between CE1 and CE2 is as follows:

[CE1] tracert 100.1.1.2
1 100.1.1.2 250 ms 220 ms 130 ms
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.0
#
#
return

#
sysname U-PE1
#
vlan batch 10 20
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
pw-template pwt
control-word
#
mpls ldp
#
remote-ip 3.3.3.9
#
interface Vlanif10
mpls l2vc pw-template pwt 100
#
interface Vlanif 20
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
#

#
interface LoopBack0
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
#
sysname P1
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 20.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 20.1.1.0 0.0.0.255
#
return
#
sysname S-PE
#
vlan batch 30 40
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
mpls switch-l2vc 5.5.5.9 200 between 1.1.1.9 100 encapsulation vlan
#
mpls ldp
#
remote-ip 1.1.1.9
#

remote-ip 5.5.5.9
#
interface Vlanif30
ip address 20.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
ip address 30.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
#
sysname P2
#
vlan batch 40 50
#
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface Vlanif40
ip address 30.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif50
ip address 40.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 4.4.4.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 30.1.1.0 0.0.0.255
network 40.1.1.0 0.0.0.255

#
return

#
sysname U-PE2
#
vlan batch 50 60
#
mpls lsr-id 5.5.5.9
mpls
#
mpls l2vpn
#
pw-template pwt
control-word
#
mpls ldp
#
remote-ip 3.3.3.9
#
interface Vlanif50
ip address 40.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
#
#
#
interface LoopBack0
ip address 5.5.5.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 5.5.5.9 0.0.0.0
network 40.1.1.0 0.0.0.255
#
return

#
sysname CE2
#
vlan batch 60
#
interface Vlanif60
ip address 100.1.1.2 255.255.255.0
#
#
return

6.13.4 Example for Configuring a Mixed MH-PW
U-PE1 and U-PE2 are connected through the MPLS backbone network.
You need to create a mixed MH-PW between U-PE1 and U-PE2 with the S-PE as the switching
node.
Figure 6-15 Networking diagram for configuring a mixed MH-PW

2.2.2.9/32 3.3.3.9/32 4.4.4.9/32
P1 S-PE P2
GE1/0/0 GE1/0/0
GE2/0/0 GE2/0/0
GE1/0/0 GE2/0/0
Loopback0 100 Sta Loopback0

c PW t ic P
1.1.1.9/32 i 5.5.5.9/32
nam W2
Dy 00
GE2/0/0
GE1/0/0
U-PE1 GE1/0/0 GE2/0/0 U-PE2
GE1/0/0 GE1/0/0
CE1 CE2
Loopback0 - 1.1.1.9/32
Loopback0 - 5.5.5.9/32
Loopback0 - 2.2.2.9/32
Loopback0 - 4.4.4.9/32

Loopback0 - 3.3.3.9/32
2. Configure the basic MPLS functions on the backbone network and set up an LSP.
3. Set up a remote LDP session between the U-PE1 and S-PE.
4. Create a static or dynamic MPLS L2VC connection between the two U-PEs.
5. Create a switching PW on the S-PE.
Data Preparation
l L2VC IDs on U-PE1 and U-PE2 (the L2VC IDs should be different)
l VC label of the static PW on U-PE2 (pay attention to the mapping between the VC labels
on the two ends)
l Encapsulation type of the PW
l Name and attributes of the PW template used on U-PE2
Procedure
Configure addresses of the VLANIF interfaces on the U-PE, S-PE, and P according to Figure
6-15. When configuring OSPF, note that the 32-bit loopback interfaces of U-PE1, S-PE, and U-
PE2 must be advertised.
Step 3 Enable MPLS on U-PE1 and S-PE. Set up a tunnel and a remote LDP session between U-PE1
and S-PE.
Configure basic MPLS functions and tunnels on the MPLS backbone network. In this example,
the LSPs are configured as tunnels.
You need to set up a remote LDP session between U-PE1 and S-PE.


Create a dynamic VC connection U-PE1 and a static VC connection on U-PE2. Configure a
mixed switching PW on the S-PE.
# Configure U-PE1.
[U-PE1] mpls l2vpn
[U-PE1-Vlanif10] mpls l2vc 3.3.3.9 100
NOTE
When configuring mixed switching PW, note that ip-address vc-id on the left of between specifies the
dynamic PW, and ip-address vc-id on the right of between specifies the static PW. They cannot be
interchanged.
# Configure S-PE.
[S-PE] mpls l2vpn
[S-PE-l2vpn] quit
[S-PE] mpls switch-l2vc 1.1.1.9 100 between 5.5.5.9 200 trans 200 recv 100
encapsulation vlan
# Configure U-PE2.
[U-PE2] mpls l2vpn
[U-PE2-l2vpn] quit

Display information about the L2VPN connection on PE. You can see that an L2VC is set up
Take the display on U-PE1 and S-PE for example.
session state : up
AC state : up
VC state : up
VC ID : 100
VC type : VLAN


link state : up
tunnel policy : --
VC last up time : 2010-11-24 12:31:31
CKey : 16
NKey : 15
*Switch-l2vc type : LDP<---->SVC

Peer IP Address : 1.1.1.9, 5.5.5.9
VC ID : 100, 200
VC Type : VLAN
VC State : up
Session State : up, None
Local(In)/Remote(Out) Label : 23552/23552, 100/200
Local/Remote MTU : 1500/1500, 1500
Local/Remote Control Word : Disable/Disable, Disable
Local/Remote VCCV Capability : alert lsp-ping bfd/alert lsp-ping bfd, alert lsp-
ping bfd
CKey : 44, 1
NKey : 43, 3
VC last up time : 2010-11-24 12:31:31

<CE1> ping 100.1.1.2

0.00% packet loss
----End

Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.0
#
#
return

#
sysname U-PE1
#
vlan batch 10 20
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 3.3.3.9
#
interface Vlanif10
mpls l2vc 3.3.3.9 100
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
#
sysname P1
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp

#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 20.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 20.1.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
#
sysname S-PE
#
vlan batch 30 40
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
mpls switch-l2vc 1.1.1.9 100 between 5.5.5.9 200 trans 200 recv 100
encapsulation vlan
#
mpls ldp
#
remote-ip 1.1.1.9
#
interface Vlanif30
ip address 20.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
ip address 30.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 3.3.3.9 255.255.255.255
#

ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return
#
sysname P2
#
vlan batch 40 50
#
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface Vlanif 40
ip address 30.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif 50
ip address 40.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 4.4.4.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 30.1.1.0 0.0.0.255
network 40.1.1.0 0.0.0.255
#
return
#
sysname U-PE2
#
vlan batch 50 60
#
mpls lsr-id 5.5.5.9
mpls
#
mpls l2vpn
#
pw-template pwt
#
mpls ldp
#
interface Vlanif 50
ip address 40.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif 50


200
#
#
#
interface LoopBack0
ip address 5.5.5.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 5.5.5.9 0.0.0.0
network 40.1.1.0 0.0.0.255
#
return

#
sysname CE2
#
vlan batch 60
#
interface Vlanif 60
ip address 100.1.1.2 255.255.255.0
#
#
return
6.13.5 Example for Configuring Static BFD for PW

The networking requirements are as follows:
l Set up PW1 (master PW) between PE1 and PE2.
l Set up PW2 (backup PW) between PE1 and PE3.
As shown in Figure 6-16, BFD is used to check the connectivity of the master PW and the
backup PW. If the master PW is faulty, services can be switched to the backup PW.

Figure 6-16 Networking diagram for configuring static BFD for PW
PW1
Loopback1 Loopback1
2.2.2.2/32 4.4.4.4/32
GE1/0/0
GE1/0/1 GE1/0/1
GE1/0/0
Loopback1
1.1.1.1/32 P1 PE2
CE1 CE2
GE1/0/0
GE1/0/1
GE1/0/0
GE1/0/0 PE1 Loopback1 Loopback1
GE1/0/2 3.3.3.3/32 5.5.5.5/32 GE1/0/1
GE1/0/0
GE1/0/1
GE1/0/0 GE1/0/1
P2 PE3
PW2
Loopback1 - 1.1.1.1/32
Loopback1 - 4.4.4.4/32
Loopback1 - 5.5.5.5/32
Loopback1 - 2.2.2.2/32
Loopback1 - 4.4.4.9/32
CE1 GigabitEthernet1/0/0 VLANIF 10 10.1.1.1/30(Primary IP Address)
10.1.2.1/30(Secondary IP Address)

1. Configure the MPLS network to make the network layer reachable.

2. On the AC interface of PE1, configure PW1 (from PE1 to PE2) and PW2 (from PE1 to
PE3). PW1 functions as the master PW and PW2 functions as the backup PW.
3. Configure BFD sessions to check the connectivity of PW1 and PW2.
Data Preparation
l IP addresses of the interfaces, including VLAN interfaces and VLANIF interfaces

l VC-ID of the PW
l BFD session name, local discriminator, and remote discriminator
Procedure
Step 1 Configure interface addresses for CE, PE,and P according to Figure 6-16, including VLAN and
VLANIF interfaces.
Step 2 Configure an IGP protocol on the MPLS backbone network so that PEs and P can interwork.
After the configuration, run the display ip routing-table command on the PEs, and you can see
that PE1 and PE2, and PE1 and PE3 have learned the routes on the Loopback1 interface of each
other.

------------------------------------------------------------------------------

2.2.2.2/32 OSPF 10 2 D 100.1.1.2 Vlanif20
3.3.3.3/32 OSPF 10 2 D 200.1.1.2 Vlanif30
4.4.4.4/32 OSPF 10 3 D 100.1.1.2 Vlanif20
5.5.5.5/32 OSPF 10 3 D 200.1.1.2 Vlanif30
100.1.1.0/30 Direct 0 0 D 100.1.1.1 Vlanif20
100.2.1.0/30 OSPF 10 2 D 100.1.1.2 Vlanif20
200.1.1.0/30 Direct 0 0 D 200.1.1.1 Vlanif30

200.2.1.0/30 OSPF 10 2 D 200.1.1.2 Vlanif30

# Enable MPLS, and set LSR-ID as the IP address of the Loopback1 interface. Enable MPLS
and MPLS LDP on interfaces on the backbone network.
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif20] mpls
[PE1-Vlanif20] quit
[PE1-Vlanif30] mpls
[PE1-Vlanif30] quit
# The configuration procedures of P1, P2, PE2, and PE3 are the same as the configuration
procedure of PE1 and are not mentioned.
After the configuration, run the display tunnel-info all command on PEs. You can see that
MPLS LSPs are set up between PE1 and PE2, and between PE1 and PE3.
<PE1> display tunnel-info all
----------------------------------------------------------------------
0x10020 lsp 2.2.2.2 0
0x10021 lsp -- 1
0x10022 lsp 3.3.3.3 2
0x10023 lsp -- 3
0x10024 lsp 4.4.4.4 4
0x10025 lsp -- 5
0x10026 lsp 5.5.5.5 6
0x10027 lsp -- 7
Run the display mpls ldp session command on PE, and you can see that the LDP peer relation
between the PE and the neighboring P is in Operational state.

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------

# Configure remote LDP sessions and set their IP addresses as the addresses of the loopback
interfaces on LDP remote peers.

NOTE
If the PEs are directly connected, you do not need to manually configure remote LDP sessions between
them.
# Configure PE1.
# Configure PE2.
# Configure PE3.
After the configuration, run the display mpls ldp session command on PEs. You can see that
the LDP peer relation is in Operational state. This indicates that the LDP sessions are set up.

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 5 Configure PWs on PEs by using PW templates.

# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1] pw-template 1to2
[PE1-pw-template-1to2] peer-address 4.4.4.4
[PE1-pw-template-1to2] control-word
[PE1-pw-template-1to2] quit
[PE1-Vlanif10] mpls l2vc pw-template 1to2 100
[PE1-Vlanif10] mpls l2vc pw-template 1to3 200 secondary
[PE1-Vlanif10] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit


[PE2-pw-template-2to1] peer 1.1.1.1
[PE2-Vlanif50] quit
# Configure PE3.
[PE3] mpls l2vpn
[PE3-l2vpn] quit
[PE3-Vlanif70] quit
After the configuration, run the display mpls l2vc interface command on PEs. You can see that
PWs are set up and are in the Active state. In addition, you can find that the BFD for PW function
is disabled on the PWs.

session state : up
AC state : up
VC state : up
VC ID : 100
VC type : VLAN
link state : up
tunnel policy : --
VC last up time : 2010-11-24 12:31:31
CKey : 16
NKey : 15


session state : up
AC state : up
VC state : up
VC ID : 200
VC type : VLAN
link state : up
tunnel policy : --
VC last up time : 2010-11-24 12:33:21
CKey : 16
NKey : 15

Step 6 Configure the BFD for PW function on PEs.

NOTE
On the two PEs of a BFD session, the local discriminator of the local PE must match the remote
discriminator of the remote PE, and the remote discriminator of the local PE must match the local
discriminator of the remote PE. The discriminators cannot be modified after configuration.
# Configure PE1.
[PE1] bfd
[PE1-bfd] quit
[PE1] bfd for pw enable
[PE1] bfd 1to2 bind pw interface vlanif 10
[PE1-bfd-lsp-session-1to2] discriminator local 12
[PE1-bfd-lsp-session-1to2] discriminator remote 21
[PE1-bfd-lsp-session-1to2] commit
[PE1-bfd-lsp-session-1to2] quit

[PE1] bfd 1to3 bind pw interface vlanif 10 secondary

# Configure PE2.
[PE2] bfd
[PE2-bfd] quit
# Configure PE3.
[PE3] bfd
[PE3-bfd] quit
After the configuration, BFD sessions are established between PE1 and PE2, and between PE1
and PE3. Run the display bfd session all command. You can see that the status of the BFD
sessions is Up.
<PE1> display bfd session all
--------------------------------------------------------------------------------
Local Remote PeerIpAddr InterfaceName State Type
--------------------------------------------------------------------------------
12 21 --.--.--.-- Vlanif10 Up S_PW(M)
13 31 --.--.--.-- Vlanif10 Up S_PW(S)
--------------------------------------------------------------------------------
Run the display bfd configuration all command. You can view information about the BFD
configuration, and you can see that the Commit field is True.
<PE1> display bfd configuration all
--------------------------------------------------------------------------------
CFG Name CFG Type LocalDiscr MIndex SessNum Commit AdminDown
--------------------------------------------------------------------------------
1to2 Static_PW(M) 12 256 1 True False
1to3 Static_PW(S) 13 257 1 True False
--------------------------------------------------------------------------------

When the master PW works normally, the primary address of CE1 can ping 10.1.1.2 on CE2.
The backup PW does not work, so the secondary address of CE1 cannot ping 10.1.2.2 on CE2.
# Run the display mpls l2vc interface command on PE to view the PW status. You can see that
the BFD for PW function is enabled on the master PW and the backup PW and the BFD session
is Up.
session state : up

AC state : up
VC state : up
VC ID : 100
VC type : VLAN
link state : up
tunnel policy : --
VC last up time : 2010-11-24 12:31:31
CKey : 14
NKey : 1

session state : up
AC state : up
VC state : up
VC ID : 200
VC type : VLAN
link state : up


tunnel policy : --
VC last up time : 2010-11-24 12:33:21
CKey : 16
NKey : 15

Perform the shutdown command on VLANIF 20 of PE1 to simulate a fault on the master PW.
Then, the primary address of CE1 cannot ping 10.1.1.2 on CE2. The backup PW starts to work
so that the secondary address of CE1 can ping 10.1.2.2 on CE2.
<CE1> ping 10.1.1.2
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss
<CE1> ping 10.1.2.2


0.00% packet loss
# Run the display mpls l2vc interface command on PE to view the PW status. You can find
that the VC of the master PW is Down and the BFD for PW function is unavailable. In addition,
the VC of the backup PW is Up, the BFD for PW function is available, and the BFD session is
Up.
session state : down
AC state : up
VC state : down
VC ID : 100
VC type : VLAN

local forwarding state : not forwarding
forwarding entry : not exist
link state : down
local control word : enable remote control word : none
tunnel policy : --
VC last up time : 2010-11-24 12:31:31
CKey : 14
NKey : 1

session state : up
AC state : up
VC state : up
VC ID : 200
VC type : VLAN
link state : up
tunnel policy : --
VC last up time : 2010-11-24 12:31:31
CKey : 16

NKey : 15

----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.252
ip address 10.1.2.1 255.255.255.252 sub
#
#
return

#
sysname PE1
#
vlan batch 10 20 30
#
bfd
#
bfd for pw enable
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
pw-template 1to2
control-word
#
pw-template 1to3
control-word
#
mpls ldp
#
remote-ip 4.4.4.4
#
remote-ip 5.5.5.5
#
interface Vlanif10
mpls l2vc pw-template 1to2 100
mpls l2vc pw-template 1to3 200 secondary
#

interface Vlanif20
ip address 100.1.1.1 255.255.255.252
mpls
mpls ldp
#
interface Vlanif30
ip address 200.1.1.1 255.255.255.252
mpls
mpls ldp
#
#
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 100.1.1.0 0.0.0.3
network 200.1.1.0 0.0.0.3
#
bfd 1to2 bind pw interface Vlanif10
discriminator local 12
discriminator remote 21
commit
#
bfd 1to3 bind pw interface Vlanif10 secondary
commit
#
return
#
sysname P1
#
vlan batch 20 40
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 100.1.1.2 255.255.255.252
mpls
mpls ldp
#
interface Vlanif40
ip address 100.2.1.1 255.255.255.252
mpls
mpls ldp
#
#


#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 100.1.1.0 0.0.0.3
network 100.2.1.0 0.0.0.3
#
return
#
sysname P2
#
vlan batch 30 60
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface Vlanif30
ip address 200.1.1.2 255.255.255.252
mpls
mpls ldp
#
interface Vlanif60
ip address 200.2.1.1 255.255.255.252
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 200.1.1.0 0.0.0.3
network 200.2.1.0 0.0.0.3
#
return
#
sysname PE2
#
vlan batch 40 50
#
bfd
#
bfd for pw enable
#
mpls lsr-id 4.4.4.4
mpls
#
mpls l2vpn
#
pw-template 2to1

control-word
#
mpls ldp
#
remote-ip 1.1.1.1
#
interface Vlanif40
ip address 100.2.1.2 255.255.255.252
mpls
mpls ldp
#
interface Vlanif50
#
#
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
#
ospf 1
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 100.2.1.0 0.0.0.3
#
commit
#
return
#
sysname PE3
#
vlan batch 60 70
#
bfd
#
bfd for pw enable
#
mpls lsr-id 5.5.5.5
mpls
#
mpls l2vpn
#
pw-template 3to1
control-word
#
mpls ldp
#
remote-ip 1.1.1.1
#
interface Vlanif60
ip address 200.2.1.2 255.255.255.252
mpls
mpls ldp
#
interface Vlanif70


#
#
#
interface LoopBack1
ip address 5.5.5.5 255.255.255.255
#
ospf 1
area 0.0.0.0
network 5.5.5.5 0.0.0.0
network 200.2.1.0 0.0.0.3
#
commit
#
return

#
sysname CE2
#
vlan batch 50 70
#
interface Vlanif50
ip address 10.1.1.2 255.255.255.252
#
interface Vlanif70
ip address 10.1.2.2 255.255.255.252
#
#
#
return
6.13.6 Example for Configuring Dynamic BFD for SH-PW

As shown in Figure 6-17, PE1, P, and PE2 are on the same MPLS network, and CE1 and CE2
belong to one VPN instance. An SH-PW is set up between PE1 and PE2. A dynamic BFD session
is required to check the connectivity of the PW, thus protecting services on the link.

Figure 6-17 Networking diagram for configuring dynamic BFD for SH-PW
MPLS Backbone

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE2/0/0 GE2/0/0
GE1/0/0 GE2/0/0
PE1 PE2
GE1/0/0 P GE1/0/0
PW
GE1/0/0 GE1/0/0
CE2
CE1
Loopback0 - 1.1.1.9/32
Loopback0 - 3.3.3.9/32
Loopback0 - 2.2.2.9/32
1. Establish an MPLS L2VPN in SH-PW mode between CE1 and CE2.
2. Enable MPLS L2VPN and create VC connections on PE1 and PE2.
3. Configure the basic BFD capability and trigger the dynamic BFD for PW on PEs.
Data Preparation
l IP addresses of all the interfaces

l LSR IDs of the devices

l VC-ID of the PW
l BFD parameters
Procedure
Step 1 Configure interface addresses for CE, PE,and P according to Figure 6-17, including VLAN and
VLANIF interfaces.
# Configure PE1.
[PE1-Loopback0] ip address 1.1.1.9 32
[PE1-Loopback0] quit
[PE1-Vlanif20] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
# Configure the P.
[P-Loopback0] ip address 2.2.2.9 32
[P-Loopback0] quit
[P-Vlanif20] quit
[P-Vlanif40] quit
[P] ospf 1
[P-ospf-1] area 0
# Configure PE2.
[PE2-Loopback0] ip address 3.3.3.9 32
[PE2-Loopback0] quit
[PE2-Vlanif40] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
After the configuration, run the display ip routing-table command on the PEs, and you can see
that PE1 and PE2 have learned the routes on the Loopback0 interface of each other.
------------------------------------------------------------------------------



2.2.2.9/32 OSPF 10 2 D 100.1.1.2 Vlanif20
3.3.3.9/32 OSPF 10 3 D 100.1.1.2 Vlanif20
100.1.1.0/30 Direct 0 0 D 100.1.1.1 Vlanif20
100.2.1.0/30 OSPF 10 2 D 100.1.1.2 Vlanif20
# Enable MPLS, and set LSR-ID as the IP address of the Loopback0 interface. Enable MPLS
and MPLS LDP on interfaces on the backbone network.
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif20] mpls
[PE1-Vlanif20] quit
# Configure the P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif20] mpls
[P-Vlanif20] quit
[P-Vlanif40] mpls
[P-Vlanif40] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif40] mpls
[PE2-Vlanif40] quit
After the configuration, run the display tunnel-info all command on PEs. You can see that
MPLS LSPs are set up between PE1 and PE2.


----------------------------------------------------------------------
0x10000 lsp 2.2.2.9 0
0x10001 lsp 3.3.3.9 1
Run the display mpls ldp session command on PE, and you can see that the LDP peer relation
between the PE and the neighboring P is in Operational state.
------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------

# Configure remote LDP sessions and set their IP addresses as the addresses of the loopback
interfaces on LDP remote peers.
NOTE
If the PEs are directly connected, you do not need to manually configure remote LDP sessions between
them.
# Configure PE1.
# Configure PE2.
After the configuration, run the display mpls ldp session command on PEs. You can see that
the LDP peer relation is in Operational state. This indicates that the LDP sessions are set up.

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 5 Configure PWs on PEs by using PW templates.

# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit


[PE1-Vlanif10] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
[PE2-Vlanif30] quit
After the configuration, run the display mpls l2vc interface command on PEs. You can see that
PWs are set up and are in the Active state. In addition, you can find that the BFD for PW function
is disabled on the PWs.

session state : up
AC state : up
VC state : up
VC ID : 100
VC type : VLAN
link state : up
tunnel policy : --
VC last up time : 2010/11/24 14:31:31
CKey : 16
NKey : 15

Step 6 Configure the dynamic BFD on PEs.

# Configure PE1.
[PE1] bfd
[PE1-bfd] quit
[PE1-Vlanif10] mpls l2vpn pw bfd min-rx-interval 100 min-tx-interval 100
[PE1-Vlanif10] quit
# Configure PE2.
[PE2] bfd
[PE2-bfd] quit
[PE2-Vlanif30] mpls l2vpn pw bfd min-rx-interval 100 min-tx-interval 100
[PE2-Vlanif30] quit

# CE1 and CE2 can ping each other.
<CE1> ping 10.1.1.2

0.00% packet loss
# Run the display mpls l2vc interface command on PE to view the PW status. You can see that
the BFD for PW function is enabled and the BFD session is Up.
session state : up
AC state : up
VC state : up
VC ID : 100
VC type : VLAN
Dynamic BFD for PW : available
Detect Multipier : 3
Min Transit Interval : 100
Max Receive Interval : 100
Dynamic BFD Session : built


link state : up
tunnel policy : --
VC last up time : 2010-11-24 14:33:31
CKey : 16
NKey : 15
# Run the display bfd session all verbose command on PE to view the status of the BFD session.
You can find that the BFD session is Up, the BFD session is bound to a PW, and the type of the
BFD session is dynamic.
<PE1> display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 256 (One Hop) State : Up Name : dyn_8192
--------------------------------------------------------------------------------
WTR Interval (ms) : -- Local Demand Mode : Disable
Active Multi : 3
--------------------------------------------------------------------------------
----End
Configuration Files
#
sysname CE1
#
vlan batch 10

#
interface Vlanif10
ip address 10.1.1.1 255.255.255.252
#
#
return
#
sysname PE1
#
vlan batch 10 20
#
bfd
#
bfd for pw enable
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
pw-template 1to2
control-word
#
mpls ldp
#
remote-ip 3.3.3.9
#
interface Vlanif10
mpls l2vpn pw bfd min-rx-interval 100 min-tx-interval 100
#
interface Vlanif20
ip address 100.1.1.1 255.255.255.252
mpls
mpls ldp
#
#
#
interface Loopback0
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 100.1.1.0 0.0.0.3
#
return
#
sysname P
#
vlan batch 20 40
#
mpls lsr-id 2.2.2.9
mpls

#
mpls ldp
#
interface Vlanif20
ip address 100.1.1.2 255.255.255.252
mpls
mpls ldp
#
interface Vlanif40
ip address 100.2.1.1 255.255.255.252
mpls
mpls ldp
#
#
#
interface Loopback0
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 100.1.1.0 0.0.0.3
network 100.2.1.0 0.0.0.3
#
return
#
sysname PE2
#
vlan batch 30 40
#
bfd
#
bfd for pw enable
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
pw-template 2to1
control-word
#
mpls ldp
#
remote-ip 1.1.1.9
#
interface Vlanif30
mpls l2vpn pw bfd min-rx-interval 100 min-tx-interval 100
#
interface Vlanif40
ip address 100.2.1.2 255.255.255.252
mpls
mpls ldp
#
#


#
interface Loopback0
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 100.2.1.0 0.0.0.3
#
return

#
sysname CE2
#
vlan batch 30
#
interface Vlanif30
ip address 10.1.1.2 255.255.255.252
#
#
return
6.13.7 Example for Configuring Dynamic BFD for MH-PW

As shown in Figure 6-18, U-PE1 and U-PE2 are connected through the MPLS backbone
network. You need to use the LSP and set S-PE as the switching node to set up a dynamic MH-
PW between U-PE1 and U-PE2.
A dynamic BFD session is required to check the connectivity of the MH-PW between U-PE1
and U-PE2, thus protecting services on the link.

Figure 6-18 Networking diagram for configuring dynamic BFD for MH-PW
2.2.2.9/32 3.3.3.9/32 4.4.4.9/32
P1 S-PE P2
GE1/0/0 GE1/0/0
GE2/0/0 GE2/0/0
GE1/0/0 GE2/0/0
Loopback0 PW Loopback0
1.1.1.9/32 100 20 5.5.5.9/32
PW 0
GE2/0/0 GE1/0/0
U-PE1 GE1/0/0 GE2/0/0 U-PE2
GE1/0/0 GE1/0/0
CE1 CE2
Loopback0 - 1.1.1.9/32
Loopback0 - 5.5.5.9/32
Loopback0 - 2.2.2.9/32
Loopback0 - 4.4.4.9/32
Loopback0 - 3.3.3.9/32

MPLS LDP peer relations between U-PE1 and S-PE, and between U-PE2 and S-PE.
3. Create a PW template. Enable the CW and LSP ping function.
4. Create an MPLS L2VC connection between the two U-PEs.
5. Create a switching PW on the switching node S-PE.
6. Configure the basic BFD capability and trigger the dynamic BFD for PW on U-PEs.
Data Preparation
l IP addresses of the interfaces, including VLAN interfaces and VLANIF interfaces
l LSR IDs of the devices
l VC-ID of the PW
l BFD parameters
Procedure
Step 1 Configure the IDs of the VLANs to which the interfaces of CE, PE, and P belong according to
Figure 6-18.
Step 2 Assign an IP address to the VLANIF interface connecting the CE to the PE.
Configure an IGP protocol on the MPLS backbone network. OSPF is used as the IGP protocol
in this example.
Configure interface addresses of the U-PE, S-PE, and P. When configuring OSPF, note that the
32-bit loopback interfaces of U-PE1, S-PE, and U-PE2 must be advertised.
# Configure U-PE1.
[U-PE1] interface loopback 0
[U-PE1-LoopBack0] ip address 1.1.1.9 32
[U-PE1-LoopBack0] quit
[U-PE1-Vlanif20] ip address 10.1.1.1 24
[U-PE1] ospf 1
[U-PE1-ospf-1] area 0.0.0.0
[U-PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[U-PE1-ospf-1-area-0.0.0.0] quit
[U-PE1-ospf-1] quit
# Configure P1.
[P1] interface loopback 0
[P1-LoopBack0] ip address 2.2.2.9 32
[P1-LoopBack0] quit


[P1-Vlanif20] ip address 10.1.1.2 24
[P1-Vlanif20] quit
[P1-Vlanif30] quit
[P1] ospf 1
[P1-ospf-1] area 0.0.0.0
[P1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[P1-ospf-1-area-0.0.0.0] quit
[P1-ospf-1] quit
# Configure S-PE.
[S-PE] interface loopback 0
[S-PE-LoopBack0] ip address 3.3.3.9 32
[S-PE-LoopBack0] quit
[S-PE-Vlanif30] ip address 20.1.1.2 24
[S-PE-Vlanif40] ip address 30.1.1.1 24
[S-PE] ospf 1
[S-PE-ospf-1] area 0.0.0.0
[S-PE-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[S-PE-ospf-1-area-0.0.0.0] quit
[S-PE-ospf-1] quit
# Configure P2.
[P2] interface loopback 0
[P2-LoopBack0] ip address 4.4.4.9 32
[P2-LoopBack0] quit
[P2-Vlanif40] quit
[P2-Vlanif50] quit
[P2] ospf 1
[P2-ospf-1] area 0.0.0.0
[P2-ospf-1-area-0.0.0.0] quit
[P2-ospf-1] quit
# Configure U-PE2.
[U-PE2] interface loopback 0
[U-PE2-LoopBack0] ip address 5.5.5.9 32
[U-PE2-LoopBack0] quit
[U-PE2-Vlanif50] ip address 40.1.1.2 24
[U-PE2] ospf 1
[U-PE2-ospf-1] area 0.0.0.0
[U-PE2-ospf-1-area-0.0.0.0] quit
[U-PE2-ospf-1] quit
After the configuration, run the display ip routing-table command on U-PE, P, or S-PE, and
you can see that the devices can learn each other's routes. Take the display on S-PE for example.

<S-PE> display ip routing-table

------------------------------------------------------------------------------
1.1.1.9/32 OSPF 10 3 D 20.1.1.1 Vlanif30

2.2.2.9/32 OSPF 10 2 D 20.1.1.1 Vlanif30
4.4.4.9/32 OSPF 10 2 D 30.1.1.2 Vlanif40
5.5.5.9/32 OSPF 10 3 D 30.1.1.2 Vlanif40
10.1.1.0/24 OSPF 10 2 D 20.1.1.1 Vlanif30
20.1.1.0/24 Direct 0 0 D 20.1.1.2 Vlanif30
30.1.1.0/24 Direct 0 0 D 30.1.1.1 Vlanif40
40.1.1.0/24 OSPF 10 2 D 30.1.1.2 Vlanif40
The U-PEs can ping each other. Take the display on U-PE1 for example.
<U-PE1> ping 40.1.1.2

0.00% packet loss
Step 4 Enable MPLS and set up LSPs and LDP sessions.
Configure the basic MPLS capability on the MPLS backbone network. Set up tunnels and LDP
sessions between U-PE1 and S-PE, and between S-PE and U-PE2.
# Configure U-PE1.
[U-PE1] mpls
[U-PE1-mpls] quit
[U-PE1] mpls ldp
# Configure P1.
[P1] mpls
[P1-mpls] quit
[P1] mpls ldp
[P1-mpls-ldp] quit


[P1-Vlanif20] mpls
[P1-Vlanif20] quit
[P1] interface Vlanif 30
[P1-Vlanif30] mpls
[P1-Vlanif30] quit
# Configure S-PE.
[S-PE] mpls lsr-id 3.3.3.9
[S-PE] mpls
[S-PE-mpls] quit
[S-PE] mpls ldp
[S-PE-mpls-ldp] quit
# Configure P2.
[P2] mpls
[P2-mpls] quit
[P2] mpls ldp
[P2-mpls-ldp] quit
[P2-Vlanif40] mpls
[P2-Vlanif40] quit
[P2-Vlanif50] mpls
[P2-Vlanif50] quit
# Configure U-PE2.
[U-PE2] mpls
[U-PE2-mpls] quit
[U-PE2] mpls ldp
After the configuration, run thedisplay mpls ldp session command on U-PE, P, or S-PE, and
you can see that the session status is Operational. Run the display mpls ldp peer command, and
you can see the status of the LDP sessions and adjacencies. Run the display mpls lsp command,
and you can see the status of the LSP. Take the display on S-PE for example.
<S-PE> display mpls ldp session


------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
<S-PE> display mpls ldp peer

------------------------------------------------------------------------------
PeerID TransportAddress DiscoverySource
------------------------------------------------------------------------------
1.1.1.9:0 1.1.1.9 Remote Peer : 1.1.1.9
2.2.2.9:0 2.2.2.9 Vlanif30
4.4.4.9:0 4.4.4.9 Vlanif40
5.5.5.9:0 5.5.5.9 Remote Peer : 5.5.5.9
------------------------------------------------------------------------------
<S-PE> display mpls lsp

----------------------------------------------------------------------
----------------------------------------------------------------------
3.3.3.9/32 3/NULL -/-
1.1.1.9/32 NULL/1024 -/Vlanif30
1.1.1.9/32 1024/1024 -/Vlanif30
2.2.2.9/32 NULL/3 -/Vlanif30
2.2.2.9/32 1025/3 -/Vlanif30
4.4.4.9/32 NULL/3 -/Vlanif40
4.4.4.9/32 1027/3 -/Vlanif40
5.5.5.9/32 NULL/1027 -/Vlanif40
5.5.5.9/32 1026/1027 -/Vlanif40
Step 5 Create and configure the PW template.

Create a PW template on each U-PE. Enable the CW and LSP ping function.
# Configure U-PE1.
# Configure U-PE2.

Configure the dynamic PW on the U-PE. Enable dynamic PW switching on the S-PE.

NOTE
PWE3 does not support point-to-multipoint (P2MP). When you create an MPLS L2VC on an ATM sub-
interface, the ATM sub-interface must be in the point-to-point (P2P) type. When you configure the
transparent transmission of ATM cells, the type of the ATM sub-interface is not restricted.
# Configure U-PE1.
[U-PE1] mpls l2vpn
[U-PE1-l2vpn] quit
# Configure S-PE.
[S-PE] mpls l2vpn
[S-PE-l2vpn] quit
[S-PE] mpls switch-l2vc 1.1.1.9 100 between 5.5.5.9 200 encapsulation vlan
# Configure U-PE2.
[U-PE2] mpls l2vpn
[U-PE2-l2vpn] quit
After the preceding configuration, run the display mpls l2vc interface command on U-PEs to
check L2VPN connections. You can see that PWs are set up and in Active state. In addition, you
can find that the BFD for PW function is disabled on the PWs.
session state : up
AC state : up
VC state : up
VC ID : 100
VC type : VLAN
link state : up
tunnel policy : --


VC last up time : 2010-11-26 08:25:38
CKey : 16
NKey : 15
Step 7 Configure the dynamic BFD on PEs.

# Configure U-PE1.
[U-PE1] bfd
[U-PE1-bfd] quit
[U-PE1] bfd for pw enable
[U-PE1] interface Vlanif 10
[U-PE1-Vlanif10] mpls l2vpn pw bfd min-rx-interval 100 min-tx-interval 100 remote-
vcid 200
# Configure U-PE2.
[U-PE2] bfd
[U-PE2-bfd] quit
[U-PE2] bfd for pw enable
[U-PE2-Vlanif60] mpls l2vpn pw bfd min-rx-interval 100 min-tx-interval 100 remote-
vcid 100

# CE1 and CE2 can ping each other.
<CE1> ping 100.1.1.2

0.00% packet loss
# Run the display mpls l2vc interface command on U-PEs to view the PW status. You can see
that the BFD for PW function is enabled and the BFD session is Up.
session state : up
AC state : up
VC state : up
VC ID : 100
VC type : VLAN


Dynamic BFD for PW : available
Detect Multipier : 3
Min Transit Interval : 100
Max Receive Interval : 100
Dynamic BFD Session : built
link state : up
tunnel policy : --
VC last up time : 2010-11-26 08:25:38
CKey : 16
NKey : 15
# Run the display bfd session all verbose command on U-PEs to view the status of the BFD
session. You can find that the BFD session is Up, the BFD session is bound to a PW, and the
type of the BFD session is dynamic.

<U-PE1> display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 256 (One Hop) State : Up Name : dyn_8192
--------------------------------------------------------------------------------
Local Detect Multi : 3 Detect Interval (ms) : --
WTR Interval (ms) : -- Local Demand Mode : Disable
--------------------------------------------------------------------------------

----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.0
#
#
return

#
sysname U-PE1
#
vlan batch 10 20
#
bfd
#
bfd for pw enable
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
pw-template pwt
control-word
#
mpls ldp
#
remote-ip 3.3.3.9
#
interface Vlanif10
mpls l2vpn pw bfd min-rx-interval 100 min-tx-interval 100 remote-vcid 200
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 1.1.1.9 255.255.255.255
#
ospf 1

area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
#
sysname P1
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 20.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 20.1.1.0 0.0.0.255
#
return
#
sysname S-PE
#
vlan batch 30 40
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
mpls switch-l2vc 5.5.5.9 200 between 1.1.1.9 100 encapsulation vlan
#
mpls ldp
#
remote-ip 1.1.1.9
#
remote-ip 5.5.5.9
#
interface Vlanif30
ip address 20.1.1.2 255.255.255.0
mpls

mpls ldp
#
interface Vlanif40
ip address 30.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
#
sysname P2
#
vlan batch 40 50
#
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface Vlanif40
ip address 30.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif50
ip address 40.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 4.4.4.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 30.1.1.0 0.0.0.255
network 40.1.1.0 0.0.0.255
#
return
#
sysname U-PE2
#

vlan batch 50 60
#
bfd
#
bfd for pw enable
#
mpls lsr-id 5.5.5.9
mpls
#
mpls l2vpn
#
pw-template pwt
control-word
#
mpls ldp
#
remote-ip 3.3.3.9
#
interface Vlanif50
ip address 40.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
mpls l2vpn pw bfd min-rx-interval 100 min-tx-interval 100 remote-vcid 100
#
#
#
interface LoopBack0
ip address 5.5.5.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 5.5.5.9 0.0.0.0
network 40.1.1.0 0.0.0.255
#
return

#
sysname CE2
#
vlan batch 60
#
interface Vlanif60
ip address 100.1.1.2 255.255.255.0
#
#
return

6.13.8 Example for Configuring Inter-AS PWE3-Option A
As shown in Figure 6-19, the Option A scheme is used to establish the inter-AS PWE3.
Figure 6-19 Networking diagram for configuring inter-AS PWE3-Option A
MPLS backbone MPLS backbone

AS100 AS200
1.1.1.9/32 2.2.2.9/32 3.3.3.9/32 4.4.4.9/32
GE2/0/0 GE2/0/0 GE2/0/0

GE1/0/0 GE1/0/0 GE1/0/0
PE1 ASBR-PE1 ASBR-PE2 PE2
GE1/0/0 GE2/0/0
GE1/0/0 GE1/0/0
CE1 CE2
Loopback0 - 1.1.1.9/32
Loopback0 - 4.4.4.9/32
Loopback0 - 2.2.2.9/32
Loopback0 - 3.3.3.9/32
The MPLS backbone networks in an AS use IS-IS as the IGP protocol.

2. Configure the basic MPLS capability on the backbone network and establish dynamic LSPs
between PEs and ASBR-PEs in the same AS. If PEs and ASBR-PEs are not directly
connected, establish a remote LDP session.
3. Establish MPLS L2VC connections between the PEs and ASBR-PEs in the same AS.
Data Preparation
l IS-IS data
l IP addresses of the peers (addresses of loopback interfaces on the peers)
l MPLS LSR-IDs of PEs and ASBR-PEs (addresses of the local loopback interfaces)
l L2VC ID
Procedure
PEs and ASBR-PEs on the MPLS backbone network can communicate with each other by using
IGP.
In this example, IS-IS is used as IGP and the configuration procedure is not mentioned.
After the configuration, the IS-IS neighbor relation can be established between the ASBR-PE
and the PE in the same AS. Run the display isis peercommand, and you can find that the neighbor
relation is Up.
<ASBR-PE1> display isis peer

----------------------------
0000.0000.0001 Vlanif20 0000000002 Up 28s L1L2 --
Total Peer(s): 1
Run the display ip routing-table command, and you can see that the PEs and ASBR-PEs can
learn the loopback routes of each other.
<ASBR-PE1> display ip routing-table
------------------------------------------------------------------------------

1.1.1.9/32 ISIS 15 10 D 10.1.1.1 Vlanif20

10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif20
The ASBR-PEs and PEs in the same AS can ping each other.
Configure the basic MPLS capability on the MPLS backbone network. Establish a dynamic LDP
LSP between the PE and ASBR-PE in the same AS.
After this step, an LSP is established between the PE and ASBR-PE in the same AS.

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 4 Configure the MPLS L2VC connection.

Configure the L2VC connection on the U-PE and ASBR-PE and connect the U-PE to the CE.
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1-Vlanif10] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
[PE2-Vlanif50] quit

# Configure CE1.
[CE1-Vlanif10] quit
# Configure CE2.
[CE2-Vlanif50] quit

Display information about the L2VPN connection on PE. You can see that an L2VC is set up
session state : up
AC state : up
VC state : up
VC ID : 100
VC type : VLAN
link state : up
tunnel policy : --
VC last up time : 2008-07-24 12:31:31
CKey : 11
NKey : 10
<ASBR-PE2> display mpls l2vc interface vlanif 30

session state : up
AC state : up

VC state : up
VC ID : 100
VC type : VLAN
link state : up
tunnel policy : --
VC last up time : 2008-07-24 12:31:31
CKey : 11
NKey : 10

<CE1> ping 100.1.1.2

0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#

interface Vlanif10
ip address 100.1.1.1 255.255.255.0
#
#
return
#
sysname PE1
#
vlan batch 10 20
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0001.00
#
interface Vlanif10
mpls l2vc 2.2.2.9 100
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
isis enable 1
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 1.1.1.9 255.255.255.255
isis enable 1
#
return
#
sysname ASBR-PE1
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls l2vpn
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0002.00
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
isis enable 1
mpls
mpls ldp
#

interface Vlanif30
mpls l2vc 1.1.1.9 100
#
#
#
interface LoopBack0
ip address 2.2.2.9 255.255.255.255
isis enable 1
#
return
#
sysname ASBR-PE2
#
vlan batch 30 40
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0003.00
#
interface Vlanif30
mpls l2vc 4.4.4.9 100
#
interface Vlanif40
ip address 30.1.1.1 255.255.255.0
isis enable 1
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 3.3.3.9 255.255.255.255
isis enable 1
#
return
#
sysname PE2
#
vlan batch 40 50
#
mpls lsr-id 4.4.4.9
mpls
#
mpls l2vpn
#
mpls ldp
#
isis 1

network-entity 10.0000.0000.0004.00
#
interface Vlanif40
ip address 30.1.1.2 255.255.255.0
isis enable 1
mpls
mpls ldp
#
interface Vlanif50
mpls l2vc 3.3.3.9 100
#
#
#
interface LoopBack0
ip address 4.4.4.9 255.255.255.255
isis enable 1
#
return

#
sysname CE2
#
vlan batch 50
#
interface Vlanif 50
ip address 100.1.1.2 255.255.255.0
#
#
return

Configuration Guide - VPN 7 VPLS Configuration
7 VPLS Configuration
About This Chapter
This chapter describes the principle, applications, and configurations of VPLS.
7.1 Introduction to VPLS

The Virtual Private LAN Service (VPLS), also called the Transparent LAN Service (TLS) or
virtual private switched network service, is an L2VPN technology that is based on Multi-
Protocol Label Switching (MPLS) and Ethernet technologies.
7.2 VPLS Features Supported by the S7700
Before configuring VPLS, you need to know such concepts as control plane and access plane,
flooding, packet encapsulation, VPLS access mode, HVPLS, VPLS access through VLLs, VPLS
access through static VLLs in dual-homed mode, inter-AS applications, VPLS tunnel load
balancing, MAC address learning, and IP address detection. This can help you complete the
7.3 Configuring Kompella VPLS
This section describes how to configure Kompella VPLS. Detailed operations include
configuring BGP as the signaling protocol, and configuring VPN targets to implement automatic
discovery of VPLS PEs.
7.4 Configuring Martini VPLS
This section describes how to configure Martini VPLS, with the signaling type beling LDP.
7.5 Configuring LDP HVPLS
If there are a large number of VPLS PEs, you can adopt the Hierarchical VPLS (HVPLS)
networking scheme to reduce the performance requirements of PEs.
7.6 Configuring the Static VLL to Access the VPLS Network
This section describes how to configure a static VLL to access a UPE to an SPE (a VPLS
network). The configuration is needed if the UPE does not support dynamic VLLs and needs to
access the SPE through the static VLL.
7.7 Configuring Inter-AS Kompella VPLS
This section describes how to configure inter-AS Kompella VPLS. After inter-AS Kompella
VPLS is configured, the MPLS backbone network that bears VPLS can span multiple ASs.
7.8 Configuring Inter-AS Martini VPLS

When deploying VPLS in a larger scope, PEs or CEs may belong to different ASs. In such a
situation, you cannot directly establish PWs between PEs based on LDP. To address the problem,
you can configure inter-AS LDP VPLS.
7.9 Configuring Dual-homed Kompella VPLS
This section describes how to configure dual-homed Kompella VPLS. After dual-homed
Kompella VPLS is configured, VPLS reliability is enhanced, and thus preventing faults on each
PE.
7.10 Configuring Related Parameters of a VSI
This section describes how to set or adjust general VPLS parameters.
7.11 Configuring Suppression on VPLS Traffic
This section describes how to suppress the broadcast, multicast, and unknown unicast traffic on
the VPLS network.
7.12 Maintaining VPLS
Maintaining VPLS involves collecting, viewing, and clearing VPLS PW traffic statistics,
checking consistency of VPN configurations, enabling/disabling VSIs, clearing MAC address
entries, diagnosing MAC address learning capacity, detecting the forwarding process of VPLS
multicast traffic, checking the VPLS network connectivity, and detecting IP addresses.

7.1 Introduction to VPLS

The Virtual Private LAN Service (VPLS), also called the Transparent LAN Service (TLS) or
virtual private switched network service, is an L2VPN technology that is based on Multi-
Protocol Label Switching (MPLS) and Ethernet technologies.
With the development of Ethernet technology, Ethernet has become a crucial LAN technology.
As an access technology, it is widely applied to Metropolitan Area Network (MAN) and Wide
Area Network (WAN).
Virtual Private LAN Service (VPLS) is used to connect more than one Ethernet LAN segment
through the PSN and make them operate in an environment similar to a LAN.
The VPLS is also called Transparent LAN Service (TLS) or Virtual Private Switched Network
Service, and differs from the point-to-point service of the common L2VPN. With the VPLS
technology, the service provider offers Ethernet-based multi-point service to clients through the
MPLS backbone network.
In a simple case, a VPLS contains multiple sites connected to the Provider Edge Device (PE) to
implement emulated LAN.
Figure 7-1 VPLS architecture
CE CE
site3
site1
VPLS- A PE PE VPLS- A
VPLS -B Emulated VPLS -B

LAN
CE
CE
site2 PE
site4
VPLS- A
CE
site5
In VPLS, the PSN simulates network bridge devices and forwards packets based on MAC
addresses, or MAC addresses and VLAN tags.
The following lists basic concepts of VPLS:
l PW

The Pseudo Wire (PW) is a virtual connection used to transmit frames between two PEs.
The PE establishes and maintains PWs through signaling and the two PEs on both ends of
a PW maintain the PW status.
l VSI
Every Virtual Switch Instance (VSI) offers separate VPLS service. The VSI implements
Ethernet bridge function and terminates PW.
l VC
The Virtual Circuit (VC) is a logical unidirectional circuit between two nodes. Two opposite
directional VCs constitute a PW. A VC can be used as a unidirectional PW.
l AC
The CE accesses the PE through the Attachment Circuit (AC) . The AC can be either a
physical link or a logical link. The AC transmits frames between the CE and the PE.
The PE implements VPLS forwarding by using the VSIs. Ethernet frames are forwarded between
the PEs through the fully-connected PW.
Figure 7-2 shows the VPLS forwarding model.
Figure 7-2 VPLS forwarding model
CE CE
VLAN3 VLAN3
VSI 1 VSI 1
PE PE
VSI 2 VSI 2
CE VSI 1 VSI 2 CE
VLAN2 VLAN2
PE
CE CE
VLAN3 VLAN2
7.2 VPLS Features Supported by the S7700

Before configuring VPLS, you need to know such concepts as control plane and access plane,
flooding, packet encapsulation, VPLS access mode, HVPLS, VPLS access through VLLs, VPLS
access through static VLLs in dual-homed mode, inter-AS applications, VPLS tunnel load
balancing, MAC address learning, and IP address detection. This can help you complete the

Control Plane and Data Plane

The control plane of the VPLS PE has the following functions:
l Member discovery: To find all the other PEs in the same VPLS, implement it by manually
configuring or by automatically running certain protocols. Automatically running the
protocols is called "automatic discovery".
l Signaling mechanism: The signaling protocol establishes, maintains and removes the PW
between the PEs in the same VPLS.
The data plane of the VPLS PE has the following functions:
l Encapsulation: After receiving Ethernet frames from a CE, a PE sends them to the PSN
after encapsulation.
l Forwarding: After receiving Ethernet frames, a PE forwards the frames according to the
inbound interface and the destination MAC address of the frames.
l Decapsulation: After receiving Ethernet frames from a packet switched network, a PE
decapsulates the frames, and then forwards the frames to CEs.
The S7700 supports the implementation of the VPLS functions of the control plane in the BGP
or the LDP signaling mode:
l Kompella VPLS: adopts BGP as signaling. Automatic member discovery of VPLS is

implemented by configuring VPN targets. If you want to add or delete a PE, only the
operations on one of its peer PEs are needed. Kompella VPLS has better expansibility.
l Martini VPLS: adopts LDP as signaling. The PE peer must be manually specified because
the PEs are fully connected in a VPLS. When adding a new PE, you must modify the
configuration on all the related PEs. Since PW is a point-to-point link, the LDP mode
establishes, maintains and removes the PWs more effectively.
Flooding
The Ethernet broadcasts the packets with unknown addresses. Therefore, in VPLS, the received
packets with unknown unicast addresses, broadcast addresses, or multicast addresses are flooded
to all the other ports. If multicast needs to be used, PEs need to adopt other methods such as
Internet Group Management Protocol (IGMP) snooping and Protocol Independent Multicast
(PIM) snooping.
Access Mode
On the S7700, the PE supports the following AC interfaces:
l XGE interfaces
l XGE sub-interfaces
l GE interfaces
l GE sub-interfaces
l Ethernet interfaces
l Ethernet sub-interfaces
l Eth-Trunk interfaces
l Eth-Trunk sub-interfaces
l VLANIF interfaces

The sub-interfaces can be dotlq sub-interfaces, QinQ sub-interfaces, VLAN mapping sub-
interfaces, or VLAN stacking sub-interfaces.
When XGE, GE, Ethernet, or Eth-Trunk interfaces are used as AC interfaces, the outer tags
carried in the packets sent from the AC to the PW are C tags (inserted by user devices, which
are meaningless to the SP) by default.
When sub-interfaces or VLANIF interfaces are used as AC interfaces, the outer tags carried in
the packets sent from the AC to the PW are S tags (inserted by SP devices, which are used to
differentiate user traffic) by default.
NOTE
l By default, physical interfaces on the S7700 are Layer 2 interfaces. When using XGE, GE, Ethernet,
and Eth-Trunk interfaces on the S7700 as AC interfaces, you need to run the undo portswitch command
l When using Ethernet, GE, XGE, or Eth-Trunk interfaces as AC interfaces, ensure that these interfaces
do not contain any sub-interfaces.
l If a VLAN is configured with IGMP snooping or MLD snooping, the VLANIF interface of the VLAN
cannot be used as an AC interface. To bind the VLANIF interface to a VSI, delete the IGMP snooping
or MLD snooping configuration from the VLAN first.
l Do not configure VSI and VLAN mapping for the same VLAN on an interface; otherwise, either VSI
or VLAN mapping will take effect.
Processing Tags Carried in Packets by VPLS

The system process packets according to the AC interface type and PW encapsulation type.
The PW encapsulation types can be classified into Ethernet encapsulation and VLAN
encapsulation.
l When VLANIF interfaces or sub-interfaces function as AC interfaces, the VLAN
l When Ethernet, GE, XGE, or Eth-Trunk interfaces function as AC interfaces, the Ethernet
NOTE
When Dotlq or QinQ sub-interfaces function as AC interfaces, the Ethernet encapsulation cannot be used.
Table 7-1 Processing tags carried in packets from the AC by the PW

PW Encapsulation Type Processing of the Tag
VLAN encapsulation Do not process the S tag carried in a packet.
Ethernet encapsulation If an S tag is carried in a packet, delete the S

process the packet.

Table 7-2 Processing tags carried in packets from the PW by the AC

AC Interface Type Processing of the Tag
Ethernet, GE, or XGE interface Do not process the packet.
VLANIF interfaces If an S tag is carried in a packet, rewrite the S

tag.
in the packet.
VLAN stacking sub-interface If an S tag is carried in a packet, delete the S

process the packet.
VLAN mapping sub-interface If an S tag is carried in a packet, rewrite the S

tag.
in the packet.
NOTE
The added or replaced tag is the VLAN tag on the
interface where VLAN mapping is not performed.
Dot1q sub-interface Do not process the packet.
QinQ sub-interface Do not process the packet.
NOTE
When VLL or VPLS is deployed on the F48CEAT, G48SFA, or G48TFA, if the PVID on the outbound
interface is the same as the VLAN ID of the packets, the interface removes the VLAN tag from the packet;
otherwise, the VLAN tag is not removed.
HVPLS
The above mentioned VPLS requires that the PE devices forward the Ethernet frame through
the fully-connected Ethernet PW. Thus, each PE must set up connections with the other PEs in
the same VPLS. If a VPLS has the PE devices of the number N, the VPLS will possess the
connection of N x (N - 1)/2. When the number of PEs increases, the VPLS connection increases
by squares of N.
The introduction of the Hierarchical Virtual Private LAN Service (HVPLS) resolves the problem
caused by excessive connections.
Figure 7-3 shows the HVPLS basic model.

Figure 7-3 HVPLS model
CE
basic VPLS full mesh

AC PW SPE
SPE
PW PW
UPE
AC PW SPE
CE
In the HVPLS model, PEs falls into the following two types:
l Underlayer PE (UPE)
It refers to the user aggregation device. It is directly connected with the CE. It is only
necessary for the UPE to set up the connection with a PE in the VPLS fully-connected
network. The UPE supports the routing and the MPLS encapsulation.If the UPE is
connected with multiple CEs and possesses the bridge function, the frame forwarding can
be performed on the UPE. Thus, the load on the SPE can be relieved.
l Superstratum PE (SPE)
The SPE refers to the core device that is connected with the UPE and located in the VPLS
fully-connected network. The SPE sets up the connections with all the other devices within
the VPLS fully-connected network.
The UPE connected with the SPE is like a CE to the SPE. The PW set up between the UPE
and the SPE works as the AC of the SPE. The SPE needs to learn the MAC addresses of
all the sites on the UPE side and that of the UPE interface connected with the SPE.
Ethernet Loop Detection in a VPLS Network

Virtual Private LAN Service (VPLS) is a significant technology for Metropolitan Area Networks
(MANs). To avoid the impact of single point failures on services, user networks are connected
to the VPLS network of a carrier through redundant links. The redundant links, however, lead
to loops, which further causes the broadcast storm.
In networking applications, you can deploy the Spanning Tree Protocol (STP) or common
loopback detection technologies to avoid the preceding problems. In practice, however, STP
should be deployed at the user side, and the common loopback detection technology requires
the devices at the user side to allow special Layer 2 loopback detection packets to pass through.
When user networks cannot be controlled, you can deploy Ethernet loop detection supported by
the S7700 over the carrier network. Ethernet loop detection need not be deployed at the user
side. This also avoids the broadcast storm caused by loops formed in a VPLS network.

VLL Accessing the VPLS

As shown in Figure 7-4, in the HVPLS, SPE1 and SPE2 support VPLS. VSIs of the SPEs adopt
LDP as the signaling protocol of the VPLS.
In practical networks, such as MAN access networks, virtual leased lines (VLLs) set up between
Underlayer Provider Edges (UPEs) and SPEs can connect the Customer Edges (CEs) to the
backbone VPLS network. In certain networking environment, if a UPE does not support the
dynamic VLL, the UPE needs to access SPEs through the static VLL. A UPE and an SPE
generally set up a static virtual circuit (SVC) between each other to create a VLL.
Figure 7-4 Networking diagram of the VLL accessing the VPLS
SPE1 VPLS SPE2

Network
PW
VL
L
L
VL
UPE1 UPE2
CE1 CE2 CE3 CE4
The UPEs add double MPLS labels to the packets sent by the CEs. The outer layer is the LSP
label and is switched when a packet passes through the devices on the access network. The inner
label is the VC label that identifies the VC. The inner label remains unchanged when a packet
is transmitted along the LSP.
The packets received by the SPEs contain double labels. The outer label, which is a public
network label, is popped up. The inner label decides which VSI the VLL accesses.
Static VLL Accessing the VPLS Network in Dual-homed Mode

To ensure the reliable VLL accessing, the UPE accessing the SPE in dual-homed mode is
introduced. In dual-homed mode, if a PW fails, the data traffic is immediately switched to another
PW, as shown in Figure 7-5.
In VPLS, the bidirectional transmission paths are consistent because the routing information
about the Layer 2 forwarding is automatically learned through MAC addresses of the data traffic.
If a fault occurs, the VPLS traffic of a UPE device is switched to another LSP. The SPE devices
belonging to the VSI delete the MAC entries of this VSI. After the switchover or the deletion,
the MAC entries need to be learned afresh.

Figure 7-5 Networking diagram of the static VLL accessing the VPLS network in dual-homed
mode
SPE1 SPE3
UPE1 x UPE2
SPE2 SPE4
CE1 CE2
LDP Message
As shown in Figure 7-5, if a fault occurs on the LSP between the UPE1 and the SPE1, SPE1
detects the fault and asks the other SPEs to delete the related MAC addresses by sending LDP
messages.
The UPEs detect the LSP status through MPLS Operation Administration & Maintenance
(OAM). If a fault is detected, the traffic switchover is performed. After the switchover, the related
VSIs on the SPEs learn the MAC addresses afresh; thus, the traffic can return through the new
SPEs. Before other SPEs learn the MAC addresses, traffic must be broadcast.
After the fault is removed, the UPE receives double VLL broadcast traffic: one from the SPEs
before the switchover, the other from the SPEs after the switchover. The UPE decides which
broadcast traffic to be thrown away. After the fault is rectified, the traffic of the UPE is not
switched back to the original LSP. This is because the SPE is not triggered to send LDP packets
to other SPEs to delete MAC addresses before detecting LSP failures.
Inter-AS VPLS
Martini and Kompella VPLSs can realize the inter-AS Option A. In the inter-AS L2VPN
network, the link type between Autonomous System Boundary Routers (ASBRs) must be the
same as the VC type. In inter-AS Option A, each ASBR must reserve a sub-interface for each
inter-AS VC. If the number of inter-AS VCs is small, Option A can be used. VPLS adopting
inter-AS Option A consumes more resources and requires more configurations.
Option C is a better solution. The devices on the SP network need only to set up the outer tunnel
on PEs in different ASs. The ASBR does not need to maintain information about the inter-AS
VPLS or reserve interfaces for the inter-AS VPLS. VSI information of VPLS is exchanged only
between PEs. Thus, resources consumption decreases and configurations do not increase.
VPLS MAC Ping and VPLS MAC Trace

As a main technology for setting up a metropolitan area network (MAN), VPLS has been widely
adopted in large scale globally. VPLS is predominant in terms of technology but its capabilities
of service detection and monitoring are weak. VPLS MAC Ping and VPLS MAC Trace are tools
for detecting connectivity and locating faults on the VPLS network.

By analyzing the reply packet in response to the detection request packet sent from a PE to a
specified VSI or MAC address on the VPLS network, VPLS MAC Ping and VPLS MAC Trace
can detect whether the MAC address learning capability of devices on the VPLS network is
normal, which helps to determine whether the Layer 2 forwarding function works well.
The forwarding of request packets relies on the MAC forwarding table. If the MAC address is
unknown, request packets are broadcast throughout the Pseudo Wire (PW) in the specified VSI
and received by multiple peers. For MAC Ping requests, only the device with the specified MAC
address returns a reply packet. For MAC Trace requests, each node on the network that the
request packet passes returns a reply packet.
NOTE
For detailed principles of VPLS MAC Ping and VPLS MAC Trace, refer to the Chapter "VPLS" in the
Quidway S7700 Smart Routing Switch Feature Description.
S7700 supports the following VPLS network detection modes:

l Non-NQA mode: indicates that the network detection is implemented through a command
line. In this mode, information about the VPLS MAC Ping and VPLS MAC Trace is
immediately displayed after the command is run.
The non-NQA mode is applicable to following VPLS network types:
Martini VPLS
Kompella VPLS
Martini H-VPLS
l NQA mode: NQA VPLS MAC Ping and NQA VPLS MAC Trace
This mode supports the concurrent and scheduling of multiple NQA test instances, and the
display of statistics about packets.
E-STP
l A CE dual homed to the VPLS network
As shown in Figure 7-6, PEs are fully meshed in the VPLS network, and the CE is dual
homed to the VPLS network through two PEs. When the CE forwards broadcast packets
or unknown unicast packets, the process is as follows:
1. The CE sends broadcast packets or unknown unicast packets to PE2 or PE3.
2. After receiving the broadcast packets or unknown unicast packets, PE2 or PE3
broadcasts these packets.
3. After receiving the packets broadcast by PE2 or PE3, the other PE, that is, PE3 or PE2,
also broadcasts the packets. The packets, however, are from the PW side. Therefore,
PE3 or PE2 broadcasts these packets to the CE side.

Figure 7-6 Typical networking of a CE dual homed to the VPLS network

PE1
VPLS
PW
PE2 PE3
CE
Data flow 1
Data flow 2
As shown in Figure 7-6, a ring is formed by PE2, PE3, and the CE. Therefore, STP needs
to be enabled on the ring to prevent the loop.
After STP priorities are configured on PE2 and PE3, the root bridge is determined, the
redundant link on the CE side are blocked, and consequently, the loop is prevented.
NOTE
If the STP mode is MSTP, all PEs must be configured in the same MST region.
l Inter-AS VPLS network
As shown in Figure 7-7, PE1, Switch 1, and Switch 3, all belonging to AS 1, are fully
meshed in the VPLS network. PE2, Switch 2, and Switch 4, all belonging to AS 2, are fully
meshed in the VPLS network.
Figure 7-7 Typical networking of inter-AS VPLS

AS1 ASBR ASBR AS2
Switch1 Switch2
VPLS
VPLS
PE2
CE1 PE1 CE2
Switch3 Switch4
ASBR ASBR
Data flow 1
Data flow 2

ASBRs of different ASs are inter-connected in back-to-back mode. Switch 1 and Switch 2
(Switch 3 and Switch 4) communicate with each other in either of the following modes:
Option A: The devices can communicate with each other through the ordinary Ethernet
port (the VLANIF interface of the VLAN where the Ethernet port is located), Eth-Trunk
interface (the VLANIF interface of the VLAN where the Eth-Trunk interface is located),
Ethernet sub-interface, or Eth-Trunk sub-interface. Then, the ASBR Switch 1 is
considered as the CE device of the ASBR Switch 2 that accesses the VPLS network of
AS 2, and the ASBR Switch 2 as the CE of the ASBR Switch 1 that accesses the VPLS
network of AS 1. The ASBR Switch 3 and ASBR Switch 4 have the similar relationships.
PW interconnection: Inter-AS devices functions as the peers of each other, and inter-
AS communication is established though the PW. The inter-AS PW, however, does not
follow the split horizon principle, and traffic received from the intra-AS PW is sent to
the inter-AS PW.
Switch 1 forwards received broadcast packets or unknown unicast packets as follows:
1. Switch 1 does not forward the packets to Switch 3, but directly forwards the packets
to Switch 2. That is because PE1, Switch 1, and Switch 3 are fully meshed, with PWs
established between them. Therefore, the packets from the PW side are not forwarded
back.
2. Switch 2 receives the packets sent by Switch 1 and then broadcasts these packets.
Option A: mVSIs need to be created between Switch 1 and Switch 3, and between
Switch 2 and Switch 4.
A ring is formed by Switch 1, Switch 2, Switch 4, and Switch 3. The ring is composed
of two inter-AS service PWs and two intra-AS mPWs.
After STP is configured on the ring, the link between Switch 3 and Switch 4 is blocked,
the associated service PW of the service VSI is also blocked, and then service traffic is
transmitted along the link between Switch 1 and Switch 2.
If the link between Switch 1 and Switch 2 fails, after STP convergence, service traffic
is switched to and transmitted on the link between Switch 3 and Switch 4.
PW interconnection: mVSIs need to be created between Switch 1 and Switch 3, and
between Switch 2 and Switch 4.
A ring is formed by Switch 1, Switch 2, Switch 4, and Switch 3. The ring is composed
of two inter-AS mPWs and two intra-AS mPWs. After STP is configured on the ring,
the mPW between Switch 3 and Switch 4 is blocked, and then service traffic is
transmitted along the link between Switch 1 and Switch 2.
When the mPW and inter-AS PW are blocked, the associated service PWs are also
blocked.
If the PW between Switch 1 and Switch 2 fails, after STP convergence, service traffic
is switched to and transmitted on the service PW between Switch 3 and Switch 4.
MAC Address Learning

The Ethernet network sends the broadcast packets, multicast packets and unicast packets with
unknown destination MAC addresses to all the other ports on the same Ethernet segment.
In the VPLS, the service provider network simulates network bridge devices and the PE performs
the MAC address learning. The PE must associate the destination MAC address with the PW to

forward packets. The PE identifies the remote MAC addresses through the PW and the directly-
connected MAC addresses through the AC.
The MAC address learning has the following two modes:
l Qualified: The PE identifies the MAC addresses according to the MAC addresses of the
Ethernet packets and the VLAN tags, that is, based on every VLAN of every VSI. In this
mode, every VLAN has its broadcast domain and independent MAC address range.
l Unqualified: The PE identifies the MAC addresses according to MAC addresses of the
Ethernet packets, that is, based on every VSI. In this mode, all VLANs share a broadcast
domain and a MAC address range. The MAC address of a VLAN must be unique, and must
not have an overlapped address.
NOTE
Currently, the S7700 supports only the unqualified mode.
If the PE receives broadcast traffic sent by the local customer, the PE forwards it to all the other
AC side ports and to the PEs of the same VPLS.
If the PE receives the broadcast traffic sent by the remote PE, the PE forwards it to the directly-
connected customer devices of the same VPLS, instead of other PEs.
For the packet whose destination MAC address is a non-broadcast address, if the PE does not
identify this type of MAC address, then the PE broadcasts this packet.
Diagnosis of the MAC Address Learning Capability

VPLS MAC diagnostic tools can diagnose whether the MAC address learning capability of
devices in a VPLS domain is normal.
In S7700, the MAC address learning capability can be diagnosed through the following modes:
l Populating an OAM MAC address into the local or peer device in the VPLS domain
l Purging the OAM MAC address from the local or peer device in the VPLS domain
l Populating a Register OAM MAC address into the local or peer device in the VPLS domain
vpn-config ping
The configuration and deployment of VPN services are complex. VPN services cannot be
successfully configured unless some configurations of peer PEs on the VPN are identical. For
example, on a Martini VPLS network, only when VSI-IDs of PE peers are identical, can VPLS
services be successfully configured. In the past, the configuration consistency is checked by
network maintenance engineers, which is error-prone when there are many VPN services on the
device.
As a solution, vpn-config ping is used to facilitate the configuration consistency check when
many VPN services exist on a PE. With vpn-config ping, a probe packet is sent from the VPN
requesting PE to search for VPN configuration of the requesting PE peer on a specified
responding PE; the responding PE is required to return a Reply packet carrying configuration
information to the requesting PE, which in turn displays the information to the user.
After arriving at PE1, configurations of the peer PE2, such as the VSI name, PW status, PW-
ID, VPN type, VSI management status, VSI operation status, MTU, number of CEs, VC type,
incoming label, and outgoing label, are displayed on the user terminal.

7.3 Configuring Kompella VPLS

This section describes how to configure Kompella VPLS. Detailed operations include
configuring BGP as the signaling protocol, and configuring VPN targets to implement automatic
discovery of VPLS PEs.

Before configuring Kompella VPLS, familiarize yourself with the applicable environment,
If the PE devices support the BGP as VPLS signaling, you can configure Kompella VPLS.
Automatic discovery of the VPLS PE is implemented through the VPN-Target configuration.
As shown in Figure 7-8, PE1, PE2, and PE3 are in the same VPLS network.
l To make the CEs attached to PE1, PE2, and PE3 interwork with each other, that is, to
construct a full-mesh VPLS network, ensure that the VPN-Targets configured on PE1, PE2,
and PE3 are the same.
l To make PE1 communicate with both PE2 and PE3 (but PE2 and PE3 cannot
communicate), ensure that the inbound VPN-Target configured on PE1 is the same as the
outbound VPN-Targets configured on both PE2 and PE3, and the outbound VPN-Target
configured on PE1 is the same as the inbound VPN-Targets configured on both PE2 and
PE3.
Figure 7-8 Typical VPLS networking

CE1
PE1
PE2 PE3
CE2 CE3
Before configuring Kompella VPLS, complete the following tasks:

l Configuring the LSR ID on the PE and the P and enabling MPLS

l Enabling MPLS L2VPN on the PE
l Establishing the tunnel between the PEs to transmit user data
Data Preparation
To configure Kompella VPLS, you need the following data.
No. Data
1 BGP peer to exchange VPLS information
2 VSI name
3 RD and VPN target of VSI
4 CE ID of the site, the number of CEs allowed to access VPLS, and default offset
value of the CE ID
5 Binding interface of the VSI
7.3.2 Enabling the BGP Peer to Exchange VPLS Information

BGP VPLS shares the TCP connection with the common BGP protocol. Therefore, most BGP
VPLS configurations are the same as the configurations of the common BGP protocol.
Nevertheless, VPLS label blocks need to be exchanged in BGP VPLS. Therefore, you need to
enable peers to exchange VPLS label blocks in the BGP VPLS sub-address family view.
Context
NOTE
For details of commands in BGP VPLS address family view, refer to the chapter "IP Routing Commands"
in the Quidway S7700 Smart Routing Switch Command Reference.
Do as follows on the PEs of the two ends of the PW:
Procedure
Step 1 Run:
system-view

Step 2 Run:
bgp as-number

Step 3 Run:
The BGP peer is configured.


The interface used to set up the TCP connection is specified.
NOTE
To improve reliability, on the PE, the local loopback interface is generally specified as the interface to set
up the TCP connection.
Step 5 Run:
vpls-family
The BGP VPLS sub-address family view is displayed.

Step 6 Run:
The exchange of VPLS information is enabled on the BGP peer.
NOTE
The BGP VPLS shares a TCP session with the common BGP protocol. Most configurations of the BGP
VPLS network are the same as the configurations of the BGP protocol. To exchange information about the
VPLS label block, you need to enable peers to exchange the VPLS block label in the BGP VPLS sub-
address family view.
----End
Follow-up Procedure
NOTE
For information about commands in the BGP VPLS sub-address family view, refer to the chapter "IP
Routing Commands" in the Quidway S7700 Smart Routing Switch Command Reference.
7.3.3 Creating a VSI and Configuring BGP Signaling

This part describes how to configure Kompella VPLS. Detailed operations include creating and
configuring VSIs (set RDs and VPN targets of the VSIs), configuring BGP, and creating site
connections.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
vsi vsi-name auto
A VSI is created and automatic member discovery mechanism is configured.

The Kompella VPLS does not directly deal with the connection between the CEs. It numbers
the CEs and creates a VSI on the PE for each CE.
Step 3 Run:

pwsignal bgp
The PW signaling protocol is configured as BGP and the VSI-BGP view is displayed.
Step 4 Run:
The RD of the VSI is configured.
After the PW signaling protocol is configured as BGP, configure the RD to make the VSI take
effect.
NOTE
For a PE, different VSIs have different RDs.

For the same VSI on different PEs:
l If a CE accesses two PEs, RDs of the VSI must be different.
l If a CE accesses a PE, RDs of the VSI can be either the same or different.
Step 5 Run:
The VPN target of the VSI is configured.
When using this command, note the mapping between the VPN target attribute at the local end
and the VPN target at the remote end. That is,
l export-extcommunity of the local end must be consistent with import-extcommunity of

the peer.
l import-extcommunity of the local end must be consistent with export-extcommunity of
the peer.
Traffic can be normally transmitted in bidirectional way only if the preceding two conditions
are satisfied. If only one condition is met, the traffic can be transmitted only in unidirectional
way. For convenience of configuration, the four values are generally configured to be the same.
Step 6 Run:
site site-id [ range site-range ] [ default-offset { 0 | 1 } ]
The site is configured.
The two ends of the VSI cannot be configured with the same site ID. The value of the local site
ID must be less than the sum of the site-range and default-offset of the remote end. The value
of the local site ID, however, must be larger than the value of the default-offset of the remote
end.
NOTE
All Kompella L2VPN instances and VPLS VSI instances of one device share one label block; therefore,
the sum of the ranges of all Kompella L2VPN instances and VPLS VSI instances cannot be greater than
the label block. Otherwise, the system prompts that the labels cannot be obtained because the required
labels exceed the upper limit; thus, allocation of a site ID to a VSI or creation of a CE fails.
----End

Follow-up Procedure
TIP
A VSI can set up the VSI connection with multiple VSIs with the same site number and the same VPN
target of other PEs. Among those VSIs, a VSI is the primary VSI, and the others are backup VSIs. This
backup scheme is not recommended.
Multiple VSIs with the same site number and the same VPN target are allocated with the same label, and
they are actually the same VSI. A VSI can set up only one VSI connection with multiple VSIs with the
same site number and the same VPN target.
7.3.4 (Optional) Configuring Huawei Devices to Communicate with

Non-Huawei Devices
When interconnecting a Huawei device with other vendor's devices, you need to set the global
encapsulation type of Kompella VPLS on the Huawei device, and configure the Huawei device
to ignore the MTU match check.
Context
NOTE
When Huawei devices need to communicate with non-Huawei devices with the VPLS encapsulation type
carried by BGP extended community attributes as 19, you need to perform this configuration.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vpls bgp encapsulation { ethernet | vlan }
The global encapsulation type of Kompella VPLS is configured.

After this command is used and the VPLS packet with encapsulation type 19 is received, the
system re-encapsulates this packet according to the user configuration and then performs other
processing related to VPLS.
When this command is not used, the system re-encapsulates the received VPLS packet with
encapsulation type 19 in VLAN mode.
Step 3 Run:
vsi vsi-name
The view of the created VSI is displayed.

Step 4 Run:
ignore-mtu-match
The MTU matching check is ignored and the sent VPLS packet is re-encapsulated.
By default, the MTU in the VSI view is 1500. If the MTUs of the same VSI on two PEs are
different, the two PEs cannot exchange information or establish a connection.
The equipment of some manufacturers cannot perform the MTU matching check in the VSI.
When a Huawei device communicates with a non-Huawei device in Kompella mode, you need

to run the ignore-mtu-match command on the Huawei data communication device using the
S7700 to ignore the MTU matching check. This ensures that the VC link is Up.
In addition, after the ignore-mtu-match command is used, the VPLS packet sent by the device
adopts the standard encapsulation type 19.
----End
Follow-up Procedure
NOTE
The vpls bgp encapsulation { ethernet | vlan } and ignore-mtu-match commands must be used together
on Huawei devices so that Huawei devices can communicate with non-Huawei devices.
7.3.5 Binding the VSI to an AC Interface

Based on the type of link between a PE and a CE, a VSI and an AC interface are bound in various
views.
Context
Based on the type of link between a PE and a CE, a VSI is bound to an AC interface on the PE
in one of the following modes:
l Binding the VSI with the Ethernet interface, GE interface or XGE interface when the PE
and the CE are connected through the Ethernet interface
l Binding the VSI with the Ethernet sub-interface, GE sub-interface or XGE sub-interface
when the PE and the CE are connected through the Ethernet sub-interface or GE sub-
interface
l Binding the VSI with the VLANIF interface when the PE and the CE are connected through
the VLANIF interface
l Binding the VSI with the Eth-Trunk when the PE and the CE are connected through the
Eth-Trunk interface
l Binding the VSI with the Eth-Trunk sub-interface when the PE and the CE are connected
through the Eth-Trunk sub-interface
NOTE
The sub-interfaces can be dotlq sub-interfaces, QinQ sub-interfaces, VLAN mapping sub-interfaces, or
VLAN stacking sub-interfaces. For details on how to access the VPLS through a sub-interface, see
Connecting Sub-interfaces to a VPLS Network in the Quidway S7700 Smart Routing Switch Configuration
Guide - Ethernet.
In the VPLS application, different CEs are transparently connected in the same LAN segment through
VSIs, and the IP addresses of the CEs must be different. The IP address of the interface that connects the
PE to the CE and the IP address of the CE must be in different network segments. Otherwise, the local CE
may learn incorrect ARP entries. This leads to traffic loss between CEs in the same VSI.
Procedure
l Bind a VSI to an Ethernet interface.
1. Run:
system-view

2. Run:
interface { ethernet | gigabitethernet | xgigabitethernet } interface-
number
The Ethernet interface view is displayed.

3. (Optional) Run:
undo portswitch

4. Run:
l2 binding vsi vsi-name
The VSI is bound to the Ethernet interface.

l Bind a VSI to a VLANIF interface.
1. Run:
system-view

2. Run:
interface vlanif vlan-id
The VLANIF interface view is displayed.

3. Run:
The VLANIF interface is bound to the VSI.
NOTE
Do not configure VSI and VLAN mapping for the same VLAN on an interface; otherwise,
either VSI or VLAN mapping will take effect.
l Bind a VSI to an Eth-Trunk interface.
1. Run:
system-view

2. Run:
interface eth-trunk trunk-id
An Eth-Trunk interface is created.

3. Run:
quit

4. Run:
number
The view of the interface to be added into the Eth-Trunk is displayed.
An Eth-Trunk member interface cannot be configured with a static MAC address.

NOTE
Member interfaces of a trunk cannot be Eth-Trunk interfaces.

5. Run:
eth-trunk trunk-id
The interface is added into the Eth-Trunk.
Before adding an interface into an Eth-Trunk, ensure the interface is not configured
with any Layer 3 attributes such as IP address and any services.
An Ethernet interface can join only one Eth-Trunk interface. To join another Eth-
Trunk interface, the Ethernet interface must quit from the original one.
Member interfaces of an Eth-Trunk interface must be of the same type. That is, FE
interfaces and GE interfaces cannot join an Eth-Trunk interface.
6. Run:
quit

7. Run:
The Eth-Trunk interface view is displayed.

8. (Optional) Run:
undo portswitch

9. Run:
The Eth-Trunk interface is bound with the VSI.
----End
7.3.6 (Optional) Configuring the Features of Kompella VPLS

Kompella VPLS features include RR, reflection policy, and disabling VPN-target-based filtering
on received VPLS label blocks.
Context
The BGP VPLS sub-address family view is used to manage the VPLS label block.
Do as follows on the PEs of both ends of a PW:
Procedure
Step 1 Run:
system-view
Step 2 Run:
bgp as-number


Step 3 Run:
vpls-family
The BGP-VPLS sub-address family view is displayed.

Step 4 Run:
peer { group-name | ipv4-address } reflect-client
The route reflector (RR) and its client are configured.

Step 5 Run:
The filtering of VPLS label blocks based on VPN targets is disabled.

The reflection policy is configured.
----End

After Kompella VPLS is configured, you can view information about local VSIs, remote VSIs,
and VPLS connections.
Prerequisite
The configurations of the Kompella VPLS function are complete.
Procedure
l Run the display vsi [ name vsi-name ] [ verbose ] command to check the information about
the VPLS VSI.
l Run the display vsi remote bgp [ nexthop nexthop-address [ export-vpn-target vpn-
target ] | route-distinguisher route-distinguisher ] command to check information about
the remote VSI.
l Run the display vpls connection [ bgp | vsi vsi-name ] [ down | up ] [ verbose ] command
to check the information about the VPLS connection.
----End
Example
Run the display vsi [ name vsi-name ] [ verbose ] command. You can view that the item "VSI
State" is displayed as "up". If verbose is selected, the item "Signaling" is displayed as "bgp" and
the item "VC State" is displayed as "up". This means that the configuration succeeds. For
example:
<Quidway> display vsi name bgp1 verbose
***VSI Name : bgp1
Administrator VSI : no
Isolate Spoken : disable
VSI Index : 0
PW Signaling : bgp
Member Discovery Style : auto

PW MAC Learn Style : unqualify

Encapsulation Type : vlan
MTU : 1500
Diffserv Mode : uniform
Mpls Exp : --
DomainId : 255
Domain Name :
Ignore AcState : disable
Multicast Fast Swicth : disable
Create Time : 0 days, 3 hours, 30 minutes, 31 seconds
VSI State : up
BGP RD : 168.1.1.1:1
SiteID/Range/Offset : 1/5/0
Import vpn target : 100:1
Export vpn target : 100:1
Remote Label Block : 35840/5/0
Local Label Block : 35840/5/0
Interface Name : GigabitEthernet1/0/0.1
State : up
Last Up Time : 2008-08-15 15:41:59
Total Up Time : 0 days, 0 hours, 1 minutes, 2 seconds
**PW Information:
*Peer Ip Address : 3.3.3.9
PW State : up
Local VC Label : 35842
Remote VC Label : 35841
PW Type : label
Tunnel ID : 0x10001
PW Last Up Time : 2008-08-15 15:41:59
PW Total Up Time : 0 days, 0 hours, 1 minutes, 3 seconds
Run the display vsi remote bgp [ nexthop nexthop-address [ export-vpn-target vpn-target ] |
route-distinguisher route-distinguisher ] command. If information about the remote VSI
established through BGP is displayed, it means that the configuration succeeds. For example:
<Quidway> display vsi remote bgp
Total Number : 1
**BGP RD : 169.1.1.2:1
Ref Number : 1
NextHop : 3.3.3.3
EncapType : vlan
MTU : 1500
SiteID : 2
Run the display vpls connection [ bgp | vsi vsi-name ] [ down | up ] [ verbose ] command. You
can view that the item "VC State" is displayed as "up". If verbose is selected, the item "Signaling"
is displayed as "bgp", the item "VC State" is displayed as "up", and label allocation is complete.
For example:
<Quidway> display vpls connection bgp verbose
VSI Name: v1 Signaling: bgp
**Remote Site ID : 2
VC State : up
RD : 200:1
Encapsulation : vlan
MTU : 1500
Peer Ip Address : 4.4.4.4
PW Type : label
Tunnel Policy : --
Tunnel ID : 0x10001,
Export vpn target : 1:1,

7.4 Configuring Martini VPLS

This section describes how to configure Martini VPLS, with the signaling type beling LDP.

Before configuring Martini VPLS, familiarize yourself with the applicable environment,
When the PE devices support the LDP to be the VPLS signaling, you can configure the Martini
VPLS. PEs must be fully connected to each other through PWs, each of which requires a
dedicated LDP session. As a result, an LDP session must be set up between any two PEs.
As shown in Figure 7-9, PE1, PE2, and PE3 are in the same VPLS network. In Martini VPLS,
static peer relationship is established. Therefore, to make PE1 communicate both PE2 and PE3
(but PE2 and PE3 cannot communicate), you only need to specify the peer as PE1 not PE3 on
PE2. The configuration on PE3 is similar.
Figure 7-9 Typical VPLS networking

CE1
PE1
PE2 PE3
CE2 CE3
Before configuring Martini VPLS, complete the following tasks:
l Configuring the LSR ID on the PEs and Ps and enabling MPLS and MPLS LDP
l Enabling the MPLS L2VPN on the PEs
l Establishing the tunnel used to transmit the user data between PEs
l Establishing a remote LDP session between the PEs if they are connected indirectly

Data Preparation
To configure Martini VPLS, you need the following data.
No. Data
1 VSI name
2 VSI ID
3 IP address of the peer and tunnel policy to establish the peer
4 Binding interface of the VSI
7.4.2 Creating a VSI and Configuring LDP Signaling

When using LDP as the PW signaling, you must configure the VSI ID for a VSI. VSI IDs
differentiate VSIs, and you can use these VSI IDs during PW signaling negotiation.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
vsi vsi-name static
A VSI is created and static member discovery mechanism is adopted.

Step 3 Run:
pwsignal ldp
The PW signaling protocol is specified as LDP and the VSI-LDP view is displayed.
Step 4 Run:
vsi-id vsi-id
The VSI ID is configured.
NOTE
The two ends of the VSI must agree on the same VSI ID.
The VSI exists only on the PE. One PE can have multiple VSIs. One VPLS on a PE has only
one VSI.
Step 5 Run:
The VSI peer is configured.

When you take the LDP as PW signaling, you must configure VSI ID for the VSI to take effect.
The VSI ID varies with the VSI, and you can use these VSI IDs in the stage of PW signaling
negotiation.
The LDP does not support the automatic discovery of the VPLS PE. You must manually specify
the peer PE of the VPLS.
----End
7.4.3 Binding the VSI to an AC Interface

Based on the type of link between a PE and a CE, a VSI and an AC interface are bound in various
views.
Context
Based on the type of link between a PE and a CE, a VSI is bound to an AC interface on the PE
in one of the following modes:
l Binding the VSI with the Ethernet interface, GE interface or XGE interface when the PE
and the CE are connected through the Ethernet interface
l Binding the VSI with the Ethernet sub-interface, GE sub-interface or XGE sub-interface
when the PE and the CE are connected through the Ethernet sub-interface or GE sub-
interface
l Binding the VSI with the VLANIF interface when the PE and the CE are connected through
the VLANIF interface
l Binding the VSI with the Eth-Trunk when the PE and the CE are connected through the
Eth-Trunk interface
l Binding the VSI with the Eth-Trunk sub-interface when the PE and the CE are connected
through the Eth-Trunk sub-interface
NOTE
The sub-interfaces can be dotlq sub-interfaces, QinQ sub-interfaces, VLAN mapping sub-interfaces, or
VLAN stacking sub-interfaces. For details on how to access the VPLS through a sub-interface, see
Connecting Sub-interfaces to a VPLS Network in the Quidway S7700 Smart Routing Switch Configuration
Guide - Ethernet.
In the VPLS application, different CEs are transparently connected in the same LAN segment through
VSIs, and the IP addresses of the CEs must be different. The IP address of the interface that connects the
PE to the CE and the IP address of the CE must be in different network segments. Otherwise, the local CE
may learn incorrect ARP entries. This leads to traffic loss between CEs in the same VSI.
Procedure
l Bind a VSI to an Ethernet interface.
1. Run:
system-view

2. Run:
number
The Ethernet interface view is displayed.

3. (Optional) Run:
undo portswitch

4. Run:
The VSI is bound to the Ethernet interface.

l Bind a VSI to a VLANIF interface.
1. Run:
system-view

2. Run:
interface vlanif vlan-id
The VLANIF interface view is displayed.

3. Run:
The VLANIF interface is bound to the VSI.

NOTE
Do not configure VSI and VLAN mapping for the same VLAN on an interface; otherwise,
either VSI or VLAN mapping will take effect.
l Bind a VSI to an Eth-Trunk interface.
1. Run:
system-view

2. Run:
An Eth-Trunk interface is created.

3. Run:
quit

4. Run:
number
The view of the interface to be added into the Eth-Trunk is displayed.

An Eth-Trunk member interface cannot be configured with a static MAC address.
NOTE
Member interfaces of a trunk cannot be Eth-Trunk interfaces.

5. Run:
eth-trunk trunk-id
The interface is added into the Eth-Trunk.

Before adding an interface into an Eth-Trunk, ensure the interface is not configured
with any Layer 3 attributes such as IP address and any services.
An Ethernet interface can join only one Eth-Trunk interface. To join another Eth-
Trunk interface, the Ethernet interface must quit from the original one.
Member interfaces of an Eth-Trunk interface must be of the same type. That is, FE
interfaces and GE interfaces cannot join an Eth-Trunk interface.
6. Run:
quit

7. Run:
The Eth-Trunk interface view is displayed.

8. (Optional) Run:
undo portswitch

9. Run:
The Eth-Trunk interface is bound with the VSI.
----End

After VPLS in LDP mode is configured, you can view information about local VSIs, remote
VSIs, VPLS connections, outgoing interfaces of VSI PWs, and the tunnel policy referenced by
the VSIs.
Prerequisite
The configurations of the Martini VPLS function are complete.
Procedure
l Run the display vsi [ name vsi-name ] [ verbose ] command to check the information about
the VPLS VSI.
l Run the display vsi remote ldp [ router-id ip-address ] [ pw-id pw-id ] command to check
information about the remote VSI.
to check information about the VPLS connection.
l Run the display vsi pw out-interface [ vsi vsi-name ] command to check information about
the outgoing interface of the VSI PW.
l Run the display l2vpn vsi-list tunnel-policy policy-name command to check information
about the tunnel policy used by the VSI.
l Run the ping vpn-config peer-address peer-address vsi-name vsi-name [ pw-id pw-id ]
[ local ] [ remote ] command to view configurations of the VSI on the peer PE.
----End

Example
State" is displayed as "up". If verbose is selected, the item "Signaling" is displayed as "ldp" and
the item "VC State" is displayed as "up". This means that the configuration succeeds. For
example:
<Quidway> display vsi name a2 verbose
***VSI Name : a2
VSI Index : 0
PW Signaling : ldp
Member Discovery Style : static
MTU : 1500
Mpls Exp : --
DomainId : 255
Domain Name :
VSI State : up
......
Run the display vsi remote ldp [ router-id ip-address ] [ pw-id pw-id ] command. If information
about the remote VSI established through LDP is displayed, it means that the configuration
<Quidway> display vsi remote ldp
Vsi Peer VC Group Encap MTU Vsi
ID RouterID Label ID Type Value Index
2 3.3.3.9 23552 0 vlan 1500 0
Run the display vpls connection [ ldp | vsi vsi-name ] [ down | up ] [ verbose ] command. You
is displayed as "ldp", the item "VC State" is displayed as "up", and label allocation is complete.
For example:
<Quidway> display vpls connection ldp verbose
VSI Name: a2 Signaling: ldp
**Remote Vsi ID : 2
VC State : up
Group ID : 0
MTU : 1500
PW Type : label
Tunnel Policy : --
Run the ping vpn-config peer-address peer-address vsi-name vsi-name [ pw-id pw-id ]
[ local ] [ remote ] command. You can view configurations of the VSI on the local and peer
PEs, which include information about the VSI type, VSI description, VSI management status,
VSI operation status, PW status, MTU value, number of AC in the VSI, IP address of the peer
PE, IP address of the local PE, whether probe or Echo Reply packets are forwarded through the
LSP tunnel, PW-ID, PE types, VC encapsulation type, and outer incoming and outgoing tags.
<Quidway> ping vpn-config peer-address 6.6.6.6 vsi-name ldpvpls pw-id 119 local
remote
VPN-CONFIG PING: Prese CTRL_C to break.
Result Detail: Request Sent - Reply Received

Local VSI description:

Remote VSI description:
PW State: Up
local remote
------------------------------------------------
VSI Name: ldpvpls ldpvpls
VSI ID: 119 119
VPN Type: Martini VPLS Martini VPLS
Admin State: UP UP
Oper State: UP UP
VSI MTU: 1500 1500
CE Count: 1 1
Actual IP Addr: 9.9.9.9 6.6.6.6

Expected Peer IP: 6.6.6.6 9.9.9.9
SPE: NO NO
PW-ID: 119 119

VC-Type: VLAN VLAN
Egress Lable: 27648 27648
Ingress Lable: 27648 27648
LSP Tunnel Used: YES YES
NOTE
To reduce the bandwidth consumption, the ping vpn-config command only sends one probe packet and
set timeout period for waiting for a Response packet to 10 seconds.
7.5 Configuring LDP HVPLS

If there are a large number of VPLS PEs, you can adopt the Hierarchical VPLS (HVPLS)
networking scheme to reduce the performance requirements of PEs.

Before configuring HVPLS in LDP mode, familiarize yourself with the applicable environment,
If the VPLS possess excessive PEs, you can adopt the HVPLS to reduce the performance
requirement of the PE devices.
Before configuring the HVPLS, complete the following tasks:
l Complete the task of 7.4 Configuring Martini VPLS between the SPE and the PE
l Set up the MPLS LDP peer between the UPE and the SPE
l Create the VSI instance on the SPE and specify the UPE as its PE of lower layer
l Create the VSI instance on the UPE and specify the SPE as the VSI peer
l Configure the CE1 and the CE2 to access the UPE, and configure the CE3 to access the PE
NOTE
The Kompella VPLS uses BGP as the signaling. The configuration of the route reflector can solve the
problem of excessive connections caused by the VPLS fully connection.
Therefore, the S7700 supports only the Martini HVPLS.

Data Preparation
To configure the HVPLS, you need the following data.
No. Data
1 Corresponding relationship between the UPE and the SPE
3 VSI name, VSI ID, and the interface bound with VSI
4 Tunnel policy
7.5.2 Configuring SPE

This part describes how to configure an SPE to establish VSI peer relationships with other SPEs,
and with UPEs.
Context
Procedure
Step 1 Run
system-view

Step 2 Run:
vsi vsi-name static
The VSI is created and the static member discovery mechanism is adopted.
Step 3 Run:
pwsignal ldp
The PW signaling protocol is specified as the LDP and the VSI-LDP view is displayed.
Step 4 Run:
vsi-id vsi-id

Step 5 Run:
The VSI peer between the SPEs is configured.

Step 6 Run:
peer peer-address [ negotiation-vc-id vc-id ] [ tnl-policy policy-name ]upe
The VSI peer between the SPE and the UPE is configured.
----End

7.5.3 Configuring UPE

This part describes how to configure a UPE to establish the VSI peer relationships with SPEs.
Context
The configuration of the UPE is similar to that on the PE of the VPLS fully-connected network.
The difference is that the UPE sets up connections only with the connected SPEs.
For the detailed configuration, see 7.4 Configuring Martini VPLS.

After HVPLS in LDP mode is configured, you can view information about local VSIs, remote
VSIs, outgoing interfaces of VSI PWs, and the tunnel policy referenced by the VSIs.
Prerequisite
The configurations of the LDP HVPLS function are complete.
Procedure
l Run the display vsi [ name vsi-name ] [ verbose ] command to check information about
the VPLS VSI.
l Run the display vsi pw out-interface [ vsi vsi-name ] command to check information about
the outgoing interface of the VSI PW.
l Run the display l2vpn vsi-list tunnel-policy policy-name command to check information
about the tunnel policy used by the VSI.
----End
Example
the item "VSI State" is displayed as "up". This means that the configuration succeeds. For
example:
<Quidway> display vsi name vsi123 verbose
***VSI Name : vsi123
VSI Index : 0
PW Signaling : ldp
MTU : 1500
Mpls Exp : --
DomainId : 255
Domain Name :

VSI State : up
......
Vsi Peer VC Group Vsi MTU Vsi State
ID RouterID Label ID Type Value Index Code
123 3.3.3.9 17408 0 vlan 1500 1 FORWARD
7.6 Configuring the Static VLL to Access the VPLS Network

This section describes how to configure a static VLL to access a UPE to an SPE (a VPLS
network). The configuration is needed if the UPE does not support dynamic VLLs and needs to
access the SPE through the static VLL.

Before configuring a static VLL to access the VPLS network, familiarize yourself with the
In the practical network such as a MAN, if a UPE device does not support the dynamic VLL,
the UPE device has to access the SPE through the static VLL. In this case, the VLL set up between
the UPE and the SPE is generally in SVC mode.
Before configuring the static VLL to access the VPLS network, complete the following tasks:
l Configuring IGP on the SPE and P devices in the MPLS backbone network to ensure the
IP connectivity
l Realizing the connectivity between the SPE devices in the VPLS meshed network
l Setting up a dynamic LSP or a static LSP between the UPE and the SPE devices
l Enabling MPLS L2VPN on the interfaces connected the UPE and the SPE devices
l Configuring the tunnel policy
Data Preparation
To configure the static VLL to access the VPLS network, you need the following data.
No. Data
1 Mappings between the UPE and the SPE devices
3 VSI name, VSI ID, the interface bound with the VSI

No. Data
4 ID of the destination LSR of the static VLL
5 Received and sent label of the static VLL
6 Tunnel policy of the static VLL
7.6.2 Configuring a UPE to Access an SPE Through a Static VLL

Context
Do as follows on the UPE.
Procedure
Step 1 Run:
system-view

Step 2 Enter the interface view.
Step 3 Run:
The interface view is displayed.

undo portswitch
NOTE
the AC interface of the PE, you need to run undo portswitch to configure the Layer 2 interface as a Layer
3 interface.
Step 5 Run:
A static VC is created between the UPE and the SPE.
----End
7.6.3 Configuring the UPE to Access the SPE Through the Static VLL
This section describes how to configure a static VLL on a UPE, specifying the peer as an SPE.
Context
Do as follows on the UPE:

Procedure
Step 1 Run:
system-view

Step 2 Enter the interface view.
NOTE
The encapsulation modes of the VLL and VPLS must be the same regardless of the access mode.
l Ethernet access: Run the interface { ethernet | gigabitethernet | xgigabitethernet }
interface-number command to enter the Ethernet interface view.
l VLAN access:
If the UPE supports sub-interfaces, do as follows:
Run the interface { ethernet | gigabitethernet | xgigabitethernet } interface-
number.subinterface-number command to enter the Ethernet interface view.
If the UPE does not support sub-interfaces, do as follows:
1. Run the vlan vlan-id command to create a VLAN and enter the VLAN view.
2. Run the quit command to return to the system view.
3. Run the interface vlanif vlan-id command to create a VLANIF interface and enter
the VLANIF view.
Step 3 Run:
The static VC is created between the UPE and the SPE devices.
NOTE
The parameters raw and tagged are needed only for the Ethernet link.
----End
7.6.4 Binding the VSI of the SPE with the VLL

This part describes how to configure an SPE to establish VSI peer relationships with other SPEs,
and with UPEs.
Context
Do as follows on the SPE devices:
Procedure
Step 1 Run:
system-view

Step 2 Run:
vsi vsi-name static

The VSI view is created and the static member discovery is enabled.
Step 3 Run:
pwsignal ldp
The LDP is specified as the PW signaling protocol and the VSI LDP view is displayed.
Step 4 Run:
vsi-id vsi-id
Step 5 Run:
mac-withdraw enable
After the configuration, when an AC fault or a UPE fault occurs and the VSI remains Up, the
local MAC address is deleted and all the remote peers are informed of the deletion.
This command takes effect only after the interface-status-change mac-withdraw enable
command is also used.
Step 6 Run:
The VSI peer is configured.
Step 7 Run:
peer peer-address [ tnl-policy policy-name ] static-upe trans transmit-label recv
receive-label
The received and sent labels between the SPE and the static UPE are configured.
The label trans here must be the same as the label receive-vpn-label that is configured on UPE.
In addition, the label recv must be the same as the label transmit-vpn-label that is configured
on UPE.
----End

After configuring a static VLL to access the VPLS network, you can view information about
SVCs, interfaces of the SVCs that are in the Up state, local VSIs, remote VSIs, VPLS
connections, and dynamic MAC address entries.
Prerequisite
The configurations of the Static VLL to Access the VPLS Network function are complete.
Procedure
to check information about the L2VPN connection in SVC mode.
l Run the display l2vpn ccc-interface vc-type static-vc up command to check information
about the SVC interface in the Up state.
the VSI of the VPLS.

l Run the display vpls connection [ ldp | vsi vsi-name ] [ down | up ] [ verbose ] command
l Run the display mac-address dynamic slot-id command to check the dynamic MAC
address entries.
----End
Example
Run the display mpls static-l2vc command. You can view that the VC status is Up. For example:
<Quidway> display mpls static-l2vc interface gigabitethernet 2/0/0.1
*Client Interface : GigabitEthernet2/0/0.1 is up
AC Status : up
VC State : up
VC ID : 0
VC Type : VLAN
Tunnel Policy : --
Run the display l2vpn ccc-interface vc-type static-vc up command. You can view that the VC
type is SVC and the status is Up. For example:
<Quidway> display l2vpn ccc-interface vc-type static-vc up
up (1), down (0)
GigabitEthernet1/0/0 vlan up static-vc
Run the display vsi [ name vsi-name ] [ verbose ] command. You can find the item "VSI State"
is displayed as "up". If verbose is selected, the item "Signaling" is displayed as "ldp" and the
item "VC State" is "up". This means that the configuration succeeds. For example:
<Quidway> display vsi name v100 verbose
***VSI Name : v100
VSI Index : 0
PW Signaling : ldp
MTU : 1500
Mpls Exp : --
DomainId : 0
Domain Name :
Multicast Fast switch : disable
VSI State : up

......
Vsi Peer VC Group Vsi MTU Vsi State
123 3.3.3.9 17408 0 vlan 1500 1 FORWARD
Run the display mac-address dynamic slot-idcommand. You can view the MAC address
learned by the corresponding interface. For example:
<Quidway> display mac-address dynamic 1
MAC Address VLAN PEVLAN CEVLAN Port Type Lsp/
LSR-ID
VSI/SI MAC-
Tunnel
----------------------------------------------------------------------------------
--------
0000-c101-0202 100 123 12 GigabitEthernet1/0/0 dynamic
3/4137
0000-c101-0102 100 123 12 GigabitEthernet1/0/1 dynamic
3/3366
Total 2 ,2 printed
7.7 Configuring Inter-AS Kompella VPLS

This section describes how to configure inter-AS Kompella VPLS. After inter-AS Kompella
VPLS is configured, the MPLS backbone network that bears VPLS can span multiple ASs.

Before configuring inter-AS Kompella VPLS, familiarize yourself with the applicable
If the MPLS backbone network bearing VPLS spans multiple ASs, the inter-AS VPLS must be
configured.
If the number of CEs that access PEs is small, inter-AS VPLS Option A can be adopted. In
Option A, ASBRs in the AS must support VSIs and must be capable of managing VPLS label
blocks. In addition, ASBRs must reserve dedicated interfaces including sub-interfaces, physical
interfaces, and bound logical interfaces for each inter-AS VPLS network. That is, Option A
poses high requirements of ASBRs; however, for inter-AS networking, ASBRs do not need any
special configurations.
Before configuring the Kompella VPLS, complete the following tasks:
l Configuring IGP for MPLS backbone networks in each AS to ensure IP connectivity within
an AS
l Configuring the basic MPLS functions for MPLS backbone networks in each AS

l Configuring the VSI on the PE connected with the CE and binding the VSI to the AC
interface
l Configuring the IP address on the CE interface that accesses the PE
l Establishing the tunnel between the PE and the ASBR in the same AS (Option A)
Data Preparation
To configure the Kompella VPLS, you need the following data.
No. Data
1 To configure the VSI on the PE and the ASBR, you need the following data:
l VSI name and RD
l (Optional) Description of the VSI
l VPN target
l (Optional) Routing policy that controls sending and receiving of information
about VPLS label blocks
l (Optional) Permitted maximum number of label blocks saved in a VSI
2 CE ID of the site, number of permitted CEs that access the VPLS network, CE ID
and default CE offset
3 PE interfaces that bound to VSIs
4 AS number of the PEs
5 IP addresses and interfaces used to establish the IBGP peers between the PEs and the
ASBRs
7.7.2 Configuring Inter-AS Kompella VPLS Option A

In inter-AS Kompella VPLS OptionA, each ASBR must reserve a sub-interface for each inter-
AS VC. If the number of inter-AS VCs is small, this solution can be used. Compared with
L3VPN, this inter-AS L2VPN solution consumes more resources and requires heavier
configuration workload, which is not recommended.
Context
The configurations of Kompella VPLS Option A can be summarized as follows:
l Configuring the Kompella VPLS for each AS
l Configuring ASBR by considering the peer ASBR as its CE
l Configuring the VSIs on the PE and the ASBR respectively and binding the VSIs to the
AC interfaces (The PE provides the access service for the CE; the ASBR accesses the peer
ASBRs)

NOTE
In inter-AS VPLS Option A, for the same VPLS network, the VPN target of the VSI on the ASBR and that
on the PE in the same AS must be matched. The VPN target of the VSI on the ASBR and that on the PE
in different ASs need not be matched.

In inter-AS Kompella VPLS OptionC, devices in the SP network only need to establish outer
tunnels on PEs of different ASs. ASBRs do not need to maintain information about the inter-
AS L2VPN or reserve sub-interfaces for the inter-AS L2VPN. Actually, L2VPN information is
exchanged only between PEs. As a result, this solution requires fewer resources and less
configuration workload.
Prerequisite
The configurations of the Inter-AS Kompella VPLS function are complete.
Procedure
l Run the display bgp vpls group [ group-name ] command to check information about BGP
VPLS peer groups on the PE or the ASBR.
l Run the display bgp vpls peer [ ipv4-address verbose ] command to check information
about BGP VPLS peers on the PE or the ASBR.
l Run the display bgp vpls all command to check information about BGP VPLS label blocks
l Run the display vpls connection [ bgp | vsi vsi-name ] [ down | up ] [ verbose ]. command
to check the VPLS connection on the PE.
l Run the display bgp routing-table label command to check label information about
labeled IPv4 routes on the PE or the ASBR.
l Run the ping vpls mac mac-address vsi vsi-name [ vlan vlan-id | -c count | -m time-
value | -s packsize | -t timeout | -exp exp | -r replymode ] * command to check the
connectivity of Layer 2 links on the VPLS network.
l Run the trace vpls mac mac-address vsi vsi-name [ vlan vlan-id ] [-t timeout | -f first-ttl |
-m max-ttl | -exp exp | -r replymode ] * command to check the PEs and P that packets pass
from the sender to the receiver on the VPLS network and check the connectivity of Layer
2 links, which helps to locate the faulty node on the network.
In OptionA mode, the ping and trace functions support intra-AS detection.
----End
Example
After the configurations, run the display bgp vpls peer command on the PE or the ASBR. You
can view that the status of the BGP VPLS peer between the PE and the ASBR in the same AS
is "Established". For example:
<Quidway> display bgp vpls peer
4.4.4.4 4 200 5 8 0 00:02:04 Established 0

Run the display bgp vpls all command on the PE or ASBR. You can view information about
the VPLS label block on the ASBR. For example:
<Quidway> display bgp vpls all
BGP Local Router ID : 1.1.1.1, Local AS Number : 100
Status codes : * - active, > - best
BGP.VPLS : 2 Label Blocks
--------------------------------------------------------------------------------
SiteID Offset NextHop Range LabBase TunnelID FromPeer MHPref
--------------------------------------------------------------------------------
> 1 0 0.0.0.0 5 35840 0x0 0.0.0.0 0
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
*> 2 0 4.4.4.4 5 35840 0x0 4.4.4.4 0
Run the display vpls connection command on the PE or the ASBR. You can view that the status
of the VPLS connection on the PE or the ASBR is "up". For example:
<Quidway> display vpls connection
connections: 1 up, 0 down, 0 ldp, 1 bgp
SiteID RD PeerAddr InLabel OutLabel VCState
2 200:1 4.4.4.4 35842 35843 up
Run the display bgp routing-table label command on the PE or ASBR. You can view
information about the labeled IPv4 routes. For example:
<Quidway> display bgp routing-table label
Network NextHop In/Out Label
*>i 4.4.4.4 2.2.2.2 NULL/15361
Run the ping vpls mac command to check whether the device with the MAC address is
reachable. For example:
<Quidway> ping vpls mac 00e0-5952-6f01 vsi v123
Ping mac 00e0-5952-6f01 vsi v123 : 100 data bytes , press CTRL_C to break
Reply from 10.1.1.1 : bytes=100 sequence=1 ttl=255 time = 1ms
The IP address of the PE is 5.5.5.9 and the interface on the PE is
GigabitEthernet5/0/0.100.
--- vsi : v123 00e0-5952-6f01 ping statistics ---
0.00% packet loss
Run the trace vpls mac command to check the connectivity of Layer 2 links. For example:
<Quidway> trace vpls mac 00e0-5952-6f01 vsi v123
Traceroute to mac 00e0-5952-6f01 vsi v123, 30 hops max, press CTRL_C to break
TTL Num Replier Time Type Downstream Hit
------------------------------------------------------------------------
0 1 Ingress 10.1.1.2/[1026] N
2 Ingress 10.3.3.2/[10] N
1 1 10.1.1.2 6ms Transit 10.2.2.2/[3] --
2 192.5.5.5 5ms Egress N

2 1 192.3.3.3 3ms Egress Y

Info: Succeeded in tracing the destination address 00e0-5952-6f01.
7.8 Configuring Inter-AS Martini VPLS

When deploying VPLS in a larger scope, PEs or CEs may belong to different ASs. In such a
situation, you cannot directly establish PWs between PEs based on LDP. To address the problem,
you can configure inter-AS LDP VPLS.

Before configuring the inter-AS Martini VPLS, familiarize yourself with the applicable
If the MPLS backbone network bearing the Martini VPLS spans multiple ASs, you must
configure the inter-AS Martini VPLS.
S7700 supports Inter-AS Option A. This solution can be easily implemented. When the number
of inter-AS Martini VPLS routes on ASBRs is small, Option A is recommended.
Before configuring inter-AS Martini VPLS, complete the following tasks:
l Configuring static routes or the IGP protocol on the PE or P devices in the MPLS backbone
network of ASs to implement the IP connectivity of the backbone network devices in the
same AS
l Configuring the basic MPLS capability on the MPLS backbone network of each AS
Data Preparation
To configure the inter-AS Martini L2VPN, you need the following data.
No. Data
1 Mode of the inter-AS VPN
2 Number of each AS
7.8.2 Configuring Inter-AS Martini VPLS Option A

In inter-AS Martini VPLS OptionA, each ASBR must reserve a sub-interface for each inter-AS
VC. If the number of inter-AS VCs is small, this solution can be used. Compared with L3VPN,
this inter-AS L2VPN solution consumes more resources and requires heavier configuration
workload, which is not recommended.

Context
The configuration of inter-AS Martini VPLS Option A is as follows:
l 7.3.7 Checking the Configuration for each AS
l Configuring the ASBR by regarding the peer ASBR as the local CE
l No inter-AS-related configuration needs to be performed on the ASBR.
l No IP address needs to be configured for the interfaces between ASBRs. The configuration
procedure is not mentioned.

After inter-AS Martini VPLS is configured, you can view information about local VSIs, remote
VSIs, and VPLS connections.
Prerequisite
The configurations of the Inter-AS Martini VPLS function are complete.
Procedure
the VSI of the VPLS.
l Run the display vpls connection [ ldp | vsi vsi-name ] [ down | up ] [ verbose ] command
l Run the ping vpn-config peer-address peer-address vsi-name vsi-name [ pw-id pw-id ]
[ local ] [ remote ] command to check configurations of the VSI on the peer PE.
l Run the ping vpls mac mac-address vsi vsi-name [ vlan vlan-id | -c count | -m time-
value | -s packsize | -t timeout | -exp exp | -r replymode ] * command to check the
connectivity of Layer 2 links on the VPLS network.
l Run the trace vpls mac mac-address vsi vsi-name [ vlan vlan-id ] [-t timeout | -f first-ttl |
-m max-ttl | -exp exp | -r replymode ] * command to check the PEs and P that packets pass
from the sender to the receiver and check the connectivity of Layer 2 links, which helps to
locate the faulty node on the network.
NOTE
In OptionA mode, the ping and trace functions support intra-AS detection.
----End
Example
the item "VSI State" is displayed as "up". This means that the configuration succeeds. For
example:
***VSI Name : a1
VSI Index : 0
PW Signaling : ldp


MTU : 1500
Mpls Exp : --
DomainId : 0
Domain Name :
VSI State : up
VSI ID : 2
*Peer Router ID : 4.4.4.4
VC Label : 27648
Peer Type : dynamic
Session : up
Tunnel ID : 0x10001
State : up
Last Up Time : 2008-08-15 15:41:59
**PW Information:
PW State : up
PW Type : label
Tunnel ID : 0x10001
FIB Link-ID : 1
PW Last Up Time : 2008-08-15 15:41:59
Vsi Peer VC Group Encap MTU Vsi State
123 3.3.3.9 27648 0 vlan 1500 1 FORWARD
Run the display vpls connection [ ldp | vsi vsi-name ] [ down | up ] [ verbose ] command. You
is displayed as "ldp", the item "VC State" is displayed as "up", and label allocation is complete.
For example:
VSI Name: a2 Signaling: ldp
VsiID EncapType PeerAddr InLabel OutLabel VCState
2 vlan 1.1.1.1 27648 27648 up
VSI Name: bgp1 Signaling: bgp
1 168.1.1.1:1 1.1.1.1 35842 35842 up
Run the ping vpn-config peer-address peer-address vsi-name vsi-name [ pw-id pw-id ]
[ local ] [ remote ] command. You can view configurations of the VSI on the local and peer
PEs, which include information about the VSI type, VSI description, VSI management status,
VSI operation status, PW status, MTU value, number of AC in the VSI, IP address of the peer
PE, IP address of the local PE, whether probe or Echo Reply packets are forwarded through the
LSP tunnel, PW-ID, PE types, VC encapsulation type, and outer incoming and outgoing tags.
<Quidway> ping vpn-config peer-address 6.6.6.6 vsi-name ldpvpls pw-id 119 local
remote
VPN-CONFIG PING: Prese CTRL_C to break.
Result Detail: Request Sent - Reply Received
Local VSI description:
Remote VSI description:

PW State: Up
local remote
------------------------------------------------
VSI Name: ldpvpls ldpvpls
VSI ID: 119 119
VPN Type: Martini VPLS Martini VPLS
Admin State: UP UP
Oper State: UP UP
VSI MTU: 1500 1500
CE Count: 1 1
Actual IP Addr: 9.9.9.9 6.6.6.6

Expected Peer IP: 6.6.6.6 9.9.9.9
SPE: NO NO
PW-ID: 119 119

VC-Type: VLAN VLAN
Egress Lable: 27648 27648
Ingress Lable: 27648 27648
LSP Tunnel Used: YES YES
NOTE
Run the ping vpls mac command to check whether the device with the MAC address is
reachable. For example:
<Quidway> ping vpls mac 00e0-5952-6f01 vsi v123
Ping mac 00e0-5952-6f01 vsi v123 : 100 data bytes , press CTRL_C to break
The IP address of the PE is 5.5.5.9 and the interface on the PE is
GigabitEthernet5/0/0.100.
--- vsi : v123 00e0-5952-6f01 ping statistics ---
0.00% packet loss
Run the trace vpls mac command to check the connectivity of Layer 2 links. For example:
<Quidway> trace vpls mac 00e0-5952-6f01 vsi v123
Traceroute to mac 00e0-5952-6f01 vsi v123, 30 hops max, press CTRL_C to break
TTL Num Replier Time Type Downstream Hit
------------------------------------------------------------------------
0 1 Ingress 10.1.1.2/[1026] N
2 Ingress 10.3.3.2/[10] N
1 1 10.1.1.2 6ms Transit 10.2.2.2/[3] --
2 192.5.5.5 5ms Egress N
2 1 192.3.3.3 3ms Egress Y
Info: Succeeded in tracing the destination address 00e0-5952-6f01.
7.9 Configuring Dual-homed Kompella VPLS

This section describes how to configure dual-homed Kompella VPLS. After dual-homed
Kompella VPLS is configured, VPLS reliability is enhanced, and thus preventing faults on each
PE.


Before configuring dual-homed Kompella VPLS, familiarize yourself with the applicable
To improve the reliability of VPLS and prevent the fault on a PE, you can adopt the networking
where a CE accesses two PEs.
Before configuring dual-homed Kompella VPLS, complete the following tasks:
l Configuring LSR IDs and enabling MPLS on PEs and Ps
l Enabling MPLS L2VPN on PEs
l Establishing the tunnels between PEs to transmit user data
l Establishing BGP VPLS peer relationship between PEs
Data Preparation
To configure dual-homed Kompella VPLS, you need the following data.
No. Data
1 BGP peers used to exchange VPLS information
2 Name of the VSI
3 RDs and VPN Targets of the VSI
4 CE ID of the site, maximum number of permitted CEs that access the VPLS network,
and default CE offset
5 Interface bound to the VSI
7.9.2 Creating VSIs and Configuring BGP Signaling

When configuring Kompella VPLS, you need to create and configure VSIs (set RDs and VPN
targets of the VSIs), configure BGP, and create site connections.
Context
Configure two VSIs with the same attributes on two dual-homed PEs.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vsi vsi-name auto
VSIs are created and the automatic member discovery mechanism is adopted.
The Kompella VPLS does not directly operate on the connection between CEs. Each CE has a
globally unique number. On a PE, a VSI is created for each CE that is directly connected to this
PE device.
Step 3 Run:
pwsignal bgp
BGP is configured as the PW signaling protocol and the VSI BGP view is displayed.
Step 4 Run:
The RD is configured for the VSI.
After configuring BGP as the PW signaling protocol, you must configure the RD of the VSI to
validate the VSI.
Step 5 Run:
The VPN Target is configured for the VSI.
When configuring the VPN Target of the VSI, ensure that the VPN target of export-
extcommunity is the same as that of import-extcommunity.
Step 6 Run:
site site-id [ range site-range ] [ default-offset { 0 | 1 } ]
Information about the sites of the VSI is configured.
The site ID of the local end must be less than the sum of the site-range value and default-
offset value on the peer end. The site ID of the local end must be greater than the default-
offset value of the peer end.
NOTE
At present, the VSIs of the two dual-homed PEs can be configured with only one label block. To enlarge
the range, use the undo site command to delete all the original sites and then configure a larger range. In
addition, the VSIs of the two dual-homed PEs can be configured with only one AC.
Step 7 Run:
quit
The VSI view is displayed.
Step 8 Run:
quit

vpls bgp encapsulation { ethernet | vlan }
The encapsulation type is configured for the VPLS.

Step 9 is configured only when the PE communicates with non-Huawei devices. Before
performing Step 9, check the encapsulation type of the VSI on the peer PE. The local VSI and
peer VSI can communicate only when the VSI encapsulation type of the peer PE is the same as
that configured for the local PE. In VPLS BGP mode, the default encapsulation type of VPLS
packets is VLAN.
NOTE
The signaling protocol, RD, default-offset, site ID, and encapsulation type of the VSIs on the two PEs that
a CE accesses must be the same.
----End
7.9.3 Configuring the Multi-homed Preference for a VSI

If the VSIs of two PEs to which a CE is dual homed are Up, the PE with the higher priority
functions as the master PE, whereas the PE with the lower priority functions as the backup PE.
Therefore, you should not assign the same priority to the PEs, because this hinders the master/
backup PE negotiation.
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
vsi vsi-name
Step 3 Run:
multi-homing-preference preference-value
The multi-homed preference is configured for a VSI.
When the VSIs of the two PEs that a CE accesses are Up, the PE with the higher preference
serves as the active PE, and the PE with the lower preference works as the standby PE. In addition,
both PEs need be configured with different preferences to realize a smooth active/standby
negotiation.
The active PE is responsible for forwarding the traffic of the CE; the standby PE is only
responsible for checking whether the VSI of the active PE is Up. After a PE is selected as the
standby PE, the status of the VSI of the standby PE is set to Down. After the VSI of the active
PE becomes Down, the standby PE becomes the new active PE.
After the BGP session between the two PEs that a CE accesses becomes Down, the PW of the
PE with the lower preference becomes Up, and the PW between the two PEs becomes Up.
----End

7.9.4 Binding a VSI to an AC Interface

According to different AC link types, you can bind a VSI to AC interfaces in different views.
Context
For the configuration procedure, see "Binding the VSI to the Interface Connected with CE".

After dual-homed Kompella VPLS is configured, you can view information about BGP VPLS
peers, VPLS label blocks, and VPLS connections.
Prerequisite
The configurations of the dual-homed Kompella VPLS function are complete.
Procedure
l Run the display bgp vpls group [ group-name ] command to check information about BGP
VPLS peer groups on the PE or the ASBR.
l Run the display bgp vpls peer [ ipv4-address verbose ] command to check information
about BGP VPLS peers on the PE or the ASBR.
l Run the display bgp vpls all command to check information about the BGP VPLS label
blocks on the PE or ASBR.
to check information about the VPLS connection on the PE.
----End
Example
After the configurations, run the display bgp vpls peer command on the PE or the ASBR. You
can view that the status of the BGP VPLS peer relationship between PEs is "Established". For
example:
<Quidway> display bgp vpls peer
4.4.4.4 4 200 5 8 0 00:02:04 Established 0
Run the display bgp vpls all command on the PE. You can view information about the VPLS
label block on the PE. For example:
<Quidway> display bgp vpls all
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
> 1 0 0.0.0.0 5 35840 0x0 0.0.0.0 0
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
*> 2 0 4.4.4.4 5 35840 0x0 4.4.4.4 0
Run the display vpls connection command on the PE. You can view that the status of the VPLS
connection on the PE is "up". For example:
2 200:1 4.4.4.4 35842 35841 up
7.10 Configuring Related Parameters of a VSI

This section describes how to set or adjust general VPLS parameters.

Before setting or adjusting VPLS parameters, familiarize yourself with the applicable
After creating a VSI and assigning a signaling protocol to it, you can adjust general parameters
of the VSI. According to different applicable environments, you can modify the MAC address
learning mode and the MAC address entry.
Before configuring related parameters of the VSI, complete the following tasks:
l Creating a VSI
l Configuring Kompella VPLS or Configuring Martini VPLS
Data Preparation
To configure basic VPLS capability, you need the following data.
No. Data
1 Encapsulation type of the VSI
2 MAC address learning mode and MAC address entry
3 Descriptive information of the VSI
7.10.2 Configuring General Parameters of the VSI

General VSI parameters include the encapsulation type of the VSI, MTU for negotiation, VSI
description, and processing mode for unicast or multicast unknown frames.

Context
Do as follows on the PEs of the both ends of the PW:
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
encapsulation { ethernet | vlan }
The VPLS encapsulation mode is configured for the VSI.

If the QinQ sub-interface or dotlq sub-interface is bound to the VSI, the VPLS encapsulation
type cannot be specified as ethernet.
mtu mtu-value
The MTU for the packets sent by the VSI is configured.

When configuring MTU, you must use the same MTU on different PEs when creating a VSI for
the same VPLS.
NOTE
When an interface is bound to the VSI, the MTU can be configured in the interface view but it does not
take effect. The PW signaling uses the MTU that is configured in the VSI view for the PW MTU negotiation.

description description
The descriptive information about the VSI is configured.
----End
7.10.3 Configuring MAC Address Learning

In VPLS, packets are forwarded according to MAC address forwarding entries. In most cases,
MAC address learning can be performed automatically. Nevertheless, to prevent attacks and
troubleshoot faults, you can adopt the VSI-based MAC address management mechanism
provided by the S7700.
Context
A physical interface can belong to multiple VLANs at the same time. Multiple VLAN interfaces
can be bound with the same VSI. Therefore, when configuring MAC address static entries or
blackhole entries for VSI bound to the VLAN interfaces, you must specify the physical interface
and VLAN interface.

Procedure
Step 1 Run:
system-view
Step 2 Run:
mac-address aging-time aging-time
The aging time of MAC address entries for the VPLS is configured.
Step 3 Run:
mac-address static mac-address interface-type interface-number vlanif interface-
number vsi vsi-name
Static MAC address entries are configured.
Step 4 Run:
mac-address blackhole mac-address vsi vsi-name
MAC address blackhole entries are configured.
Step 5 Run:
vsi vsi-name
Step 6 Run:
pwsignal ldp
The PW signaling protocol is specified as LDP and the VSI-LDP view is displayed.
Step 7 Run:
vsi-id vsi-id
Step 8 Run:
quit
Return to the VSI view.
Step 9 Run:
mac-learning { enable | disable }
The MAC address learning is enabled or disabled.
Step 10 Run:
mac-learn-style unqualify
The unqualify MAC address learning mode is configured.
Step 11 Run:
mac-limit { action { discard | forward } | alarm { disable | enable } | maximum max-
num } *
The MAC address learning limit is configured.
----End

7.10.4 Configuring a VSI to Ignore the AC Status

When the services running on the old network will switch to the new network, you can configure
a VSI to ignore the AC status.
Context
Figure 7-10 Networking diagram of configuring a VSI to ignore the AC status

Server
A
A'
B
C' B'
D'
DSLAM
Devices on the old network
Devices on the new network
As shown in Figure 7-10, if the services running on the old network will switch to the new
network, and you want to check whether the VSI on the new network can work normally before
the service switchover, you need to configure the VSI to ignore the AC status on D'. After the
configuration, the VSI on D' keeps Up before the DSLAM is connected to the new network.
The AC statuses are classified into the following statuses:
l The status of an physical AC interface or logical AC interface that is bound to the VSI
l The UPE PW status in the scenario of VLL accessing VPLS

The VSI can be Up only if at least one AC interface or the UPE PW is Up. After you configure
a VSI to ignore the AC status, the VSI can keep Up when the VSI PW is Up. That is, the VSI
status bears no relation to the AC status.
Do as follows on the PE (D' in Figure 7-10):
Procedure
Step 1 Run:
system-view
The system view is display

Step 2 Run:
mpls l2vpn
The MPLS L2VPN view is display

Step 3 Run:
vpls ignore-ac-state
The VSI is configured to ignore the AC status.
----End
Follow-up Procedure
The vpls ignore-ac-state is used only before the service switchover between a new VPLS
network and an old one. After the service switchover, run the undo vpls ignore-ac-state
command to restore the default setting.
7.11 Configuring Suppression on VPLS Traffic

This section describes how to suppress the broadcast, multicast, and unknown unicast traffic on
the VPLS network.

As shown in Figure 7-11, the VPLS network is deployed over the edge layer. The primary and
backup PWs are configured on the S7700s that function as UPEs to converge user traffic from
the access layer. To ensure the security and transmission of unicast traffic, you need to restrict
unicast traffic, multicast traffic, and broadcast traffic on UPEs to properly use the network
bandwidth.

Figure 7-11 Networking where the VPLS network is deployed over the edge layer
Access Ethernet Aggregation Edge
UPE
UPE
PE-AGG NPE
DSLAM
VPLS
NPE
UPE PE-AGG
DSLAM
UPE
Before configuring the suppression on broadcast traffic based on VSIs, complete the following
task:
Configuring Kompella VPLS or Configuring Martini VPLS
Data Preparation
To configure the suppression on broadcast traffic based on VSIs, you need the following data.
No. Data
1 Name of VSI
2 Type of the traffic to be suppressed (broadcast, multicast, or unknown unicast)
3 Committed information rate (CIR), that is, the maximum transmission rate of the
traffic that can pass through
4 Committed burst size (CBS), that is, the maximum size of traffic that can pass through
7.11.2 Configuring VSI-based Traffic Suppression
Context
Do as follows on the PEs on which the VSI broadcast traffic, multicast traffic, and unknown
unicast traffic need to be suppressed.

Procedure
Step 1 Run:
system-view
Step 2 Run:
vsi vsi-name
Step 3 Run:
broadcast-suppression cir cir-value cbs cbs-value
The broadcast traffic is suppressed based on VSIs.
Step 4 Run:
multicast-suppression cir cir-value cbs cbs-value
The multicast traffic is suppressed based on VSIs.
Step 5 Run:
unknown-unicast-suppression cir cir-value cbs cbs-value
The unknown unicast traffic is suppressed based on VSIs.
----End
Context
The configurations of VPLS traffic suppression are complete.
Procedure
l Run the display this command in the VSI view to check whether VPLS traffic suppression
is enabled.
----End
Example
Run the display this command in the VSI view to check whether VPLS traffic suppression is
enabled.
[Quidway] vsi v1
[Quidway-v1] display this
#
vsi v1 static
pwsignal ldp
vsi-id 10
peer 9.9.9.9
broadcast-suppression cir 1000 cbs 11000
#

7.12 Maintaining VPLS

Maintaining VPLS involves collecting, viewing, and clearing VPLS PW traffic statistics,
checking consistency of VPN configurations, enabling/disabling VSIs, clearing MAC address
entries, diagnosing MAC address learning capacity, detecting the forwarding process of VPLS
multicast traffic, checking the VPLS network connectivity, and detecting IP addresses.
7.12.1 Collecting the Statistics of the Traffic on a VPLS PW

If an operator needs to analyze the traffic model of the IP/MPLS core MAN for the reference of
deploying and maintaining Diff-serv TE, or the operator needs to charge the subscribers (not the
monthly-paid subscribers) based on traffic, you can collect the statistics of the traffic on a
specified PW.
Context
NOTE
The F series boards, including G48SFA, G48TFA, and F48TFA do not support VPLS traffic statistics.
Do as follows on the PE configured with the VPLS:
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Choose one of the following commands to enable the function of collecting the statistics of the
traffic.
l Kompella VPLS
Run the pwsignal bgp command. The PW signaling protocol is configured as BGP and
the VSI-BGP view is displayed.
To enable the function of collecting the statistics of the traffic on the public network of
the specified Kompella VPLS PW, run the traffic-statistics peer peer-address remote-
site site-id enable command.
l Martini VPLS
Run the pwsignal ldp command. The PW signaling protocol is configured as LDP and
the VSI-LDP view is displayed.
To enable the function of collecting the statistics of the traffic on the public network of
the specified Martini VPLS PW, run the traffic-statistics peer peer-address
[ negotiation-vc-id vc-id ] enable command.
----End

7.12.2 Checking the Traffic on a VPLS PW

After VPLS traffic statistics are enabled, you can view information about the traffic on VPLS
PWs.
Context
NOTE
If a PW becomes Down in five minutes, the traffic calculated before the PW becomes Down is not used
to calculate the 5-minute traffic rate.
After the traffic on a VPLS PW is set, you can run the following commands in any view to view
the running status of the traffic on a VPLS PW.
Procedure
l Run the display traffic-statistics vsi vsi-name peer peer-address remote-site site-id
command to check the statistics of the traffic on the public network of the specified
Kompella VPLS PW in the specified VSI.
l Run the display traffic-statistics vsi vsi-name peer peer-address [ negotiation-vc-id vc-
id ] command to check the statistics of the traffic on the public network of the specified
LDP VPLS PW in the specified VSI.
----End
7.12.3 Clearing the Traffic Statistics

The deleted traffic statistics cannot be restored. Therefore, conform the action with caution.
Context
CAUTION
The traffic statistics information cannot be restored after you clear it. So, confirm the action
before you use the command.
Procedure
l Run the reset traffic-statistics vsi name vsi-name [ peer peer-address [ negotiation-vc-
id vc-id ] ] command in the user view to clear the statistics of the traffic on the public
network of the specified LDP VPLS PW in the specified VSI.
l Run the reset traffic-statistics vsi name vsi-name [ peer peer-address remote-site site-
id ] command in the user view to clear the statistics of the traffic on the public network of
the specified BGP VPLS PW in the specified VSI.
l Run the reset traffic-statistics vsi name vsi-name [ peer-address remote-site site-id ]
command in the user view to clear the statistics of the traffic on the public network of the
specified BGP VPLS PW in the specified VSI.
----End

7.12.4 Checking the Consistency of VPN Configurations(Service

Ping)
Checking the consistency of VPN configurations, you can locate faults on the VPN connection.
Context
NOTE
Procedure
l Run:
ping vpn-config peer-address peer-address vsi-name vsi-name [ pw-id pw-id ]
[ local ] [ remote ]
Consistency of configurations on both ends of a VPN is checked, which can help you locate
faults on the VPN connection.
The command output includes information about about the VSI type, VSI description, VSI
management status, VSI operation status, PW status, MTU value, number of AC in the
VSI, IP address of the peer PE, IP address of the local PE, whether probe or Echo Reply
packets are forwarded through the LSP tunnel, PW-ID, PE types, VC encapsulation type,
and outer incoming and outgoing tags.
----End
7.12.5 Debugging VPLS

After a fault occurs in the VPLS network, you can run the relevant debugging command to debug
VPLS, view debugging information, locate the fault, and analyze the cause.
Context
CAUTION
Debugging affects the system performance. So, after debugging, run the undo debugging all
command to disable it immediately.
When a fault occurs, run the debugging commands in the user view to check the debugging
information and locate the fault.
Procedure
l Run the debugging mpls l2vpn { advertisement | all | connections interface [ interface-
type interface-number ] | download | error | event | timer } command in the user view to
enable MPLS L2VPN debugging.
l Run the debugging mpls l2vpn { vpls_fib | vpls_mid } command in the user view to enable
VPLS debugging.

l Run the debugging mpls packet [ error ] [ acl acl-number ] [ inlabel outer-in-label
[ inner-in-label ] ] [ l2vpn-in-interface interface-type interface-number ] command in the
user view to enable the MPLS packet debugging.
l Run the debugging mpls ldp { advertisement | all | error | main | notification | pdu |
session | socket | timer } [ interface interface-type interface-number ] or debugging
mpls ldp { hsb | remote-peer remote-peer-name }command in the user view to enable the
LDP debugging..
----End
7.12.6 Enabling or Disabling VSI

Sometimes, to halt services, you can disable a VSI temporarily, and then add, cancel, or adjust
VSI functions.
Context
Do as follows in the VSI view.
Procedure
l Enable VSI
1. Run the system-view command to enter the system view.
2. Run the vsi vsi-name command to enter the vsi view.
3. Run the undo shutdown command to check enable VSI.
l Disable VSI
1. Run the system-view command to enter the system view.
2. Run the vsi vsi-name command to enter the vsi view.
3. Run the shutdown command to check disable VSI.
----End
Example
Regarding requirements of service management such as service suspension, you can temporarily
shut down the VSI, and then add, delete or adjust the VSI function.
The shutdown command affects the PW connection. The AC is Down, and the Layer 2
forwarding table is deleted.
7.12.7 Clearing MAC Address Entries

The deleted MAC address entries cannot be restored. Therefore, conform the action with caution.
Context
CAUTION
After the MAC address entries are cleared, the entries cannot be restored. So, confirm the action
before you clear the entries.

Procedure
l Run the undo mac-address static mac-address interface-type interface-number vlanif
interface-number vsi vsi-name command to clear the MAC address entries of the VSI.
l Run the undo mac-address { dynamic | static | all } command to clear the dynamic, static,
or all the MAC address entries.
l Run the undo mac-address blackhole [ vsi vsi-name ] command to clear all the blackhole
MAC address entries.
----End
7.12.8 Checking the MAC Address Learning Capability

The diagnostic tool of the OAM MAC address learning capability include MAC Populate and
MAC Purge.
Context
VPLS data forwarding relies on MAC address learning. Therefore, data packets cannot be
correctly forwarded in the VPLS domain unless the MAC addresses of data packets can be
learned by the PE device. Diagnostic tool of the OAM MAC address learning capability can
check the MAC address learning of the VSIs on a device by adding special OAM MAC addresses
to a VPLS network.
When packets fail to be forwarded between CEs but the PW is Up, you can use the diagnostic
tool of the OAM MAC address learning capability to check whether a fault occurs in the MAC
address learning on a device.
The diagnostic tool of the OAM MAC address learning capability include:
l MAC Populate: adds OAM MAC addresses to a VPLS network.
l MAC Purge: removes the added OAM MAC addresses.
On the S7700, you can diagnose the MAC address learning capability in the following methods:
l Add OAM MAC addresses to the local or peer device in the VPLS network.
After adding the OAM MAC address, you can run the display mac-address oam command
to check whether the local or the peer device has learned the OAM MAC addresses. In this
manner, you can diagnose the MAC address learning capability of the device.
l Remove the OAM MAC addresses from the local or peer device in the VPLS network.
The OAM MAC addresses to be removed must be the ones that have been added.
l Add OAM MAC addresses of the register type to the local or peer device in the VPLS
network.
After the OAM MAC addresses of the register type are added, the packets destined for the
addresses are discarded.
The diagnostic tool of the OAM MAC address learning capability can be used in the following
VPLS networks:
l VPLS in LDP mode
l VPLS in BGP mode
l HVPLS in LDP mode

Procedure
l Run:
mac-populate vsi vsi-name mac mac-address [ packet-num num | flood ] *
A test on the MAC address learning capacity is initiated by adding an OAM MAC address
to the device.
vsi vsi-name: specifies the name of the VSI of which the MAC address learning
capability needs to be diagnosed.
mac mac-address: only 10 OAM MAC addresses are supported currently.
0018-82a4-3fb1
0018-82a4-3fb2
0018-82a4-3fb3
0018-82a4-3fb4
0018-82a4-3fb5
0018-82a4-3fb6
0018-82a4-3fb7
0018-82a4-3fb8
0018-82a4-3fb9
0018-82a4-3fba
packet-num num: specifies the number of the sent diagnosis packets. The value is a
decimal integer that ranges from 1 to 5. The default value is 3.
flood:indicates that diagnose packets are flooded in the VPLS network. In this case,
both the local device and the peer device configured with the same VSI can learn the
specified OAM MAC address. If this parameter is not specified, only the PE where the
command is run can learn the specified OAM MAC address.
The OAM MAC address populated into the local and peer devices can control the
forwarding. According to the OAM MAC address, the peer device forwards the received
packets corresponding to the OAM MAC address to the local device. The aging time
of OAM MAC addresses is set to 150 seconds.
l Run:
mac-purge vsi vsi-name mac mac-address [ packet-num num | register | flood ] *
An OAM MAC address is purged from the forwarding table.
flood:If this parameter is not specified, only the PE where the command is run can
remove the specified OAM MAC address. If this parameter is specified, the diagnose
packets are flooded in the VPLS network. In this case, both the local device and the
peer device configured with the same VSI can remove the specified OAM MAC address.
register:indicates that the specified OAM MAC address becomes the blackhole MAC
address, and all the packets destined for this address are discarded.
----End
7.12.9 Checking Connectivity of the VPLS Network

The ping and tracert commands can be used to detect the connectivity of the VPLS network.

Context
To check connectivity of a VPLS network, configure a VPLS network and do as follows on the
PE:
Procedure
l Run:
ping vpls mac mac-address vsi vsi-name [ vlan vlan-id | -c count | -m time-
value | -s packsize | -t timeout | -exp exp | -r replymode | -h ttl ] *
Connectivity of the Layer 2 forwarding link on the VPLS network is checked.

l Run:
ping vpls [ -c echo-number | -m time-value | -s data-bytes | -t timeout-value
| -r reply-mode | -exp exp-value | -v ] * vsi vsi-name local-site-id remote-
site-id
Connectivity of the link between PEs on the Kompella VPLS network is checked.
l Run:
ping vpls [ -c echo-number | -m time-value | -s data-bytes | -t timeout-value
| -r reply-mode | -exp exp-value | -v ] * vsi vsi-name peer peer-address
[ negotiate-vc-id vc-id ]
Connectivity of the link between PEs on the Martini VPLS network is checked.
l Run:
trace vpls mac mac-address vsi vsi-name [ vlan vlan-id ] [-t timeout | -f first-
ttl | -m max-ttl | -exp exp | -r replymode ] *
PEs and P devices along the PW on the VPLS network are displayed; connectivity of the
Layer 2 forwarding link is checked; the faulty node is located.
l Run:
tracert vpls [ -exp exp-value | -f first-ttl | -m max-ttl | -r reply-mode | -
t timeout-value ] * vsi vsi-name local-site-id remote-site-id [ full-lsp-path ]
Connectivity of the Kompella VPLS network is checked.

l Run:
tracert vpls [ -exp exp-value | -f first-ttl | -m max-ttl | -r reply-mode | -
t timeout-value ] * vsi vsi-name peer peer-address [ negotiate-vc-id vc-id ]
[ full-lsp-path ]
Connectivity of the Martini VPLS network is checked.

----End

7.13.1 Example for Configuring Martini VPLS

As shown in Figure 7-12, VPLS needs to be enabled on PE1 and PE2; CE1 is connected to PE1
and CE2 is connected to PE2; CE1 and CE2 belong to the same VPLS network; PWs are

established with LDP as the VPLS signaling, and VPLS is configured to implement the
interworking between CE1 and CE2.
Figure 7-12 Networking diagram for configuring Martini VPLS

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE2/0/0 GE2/0/0
PE1 PE2
GE1/0/0 GE1/0/0
GE1/0/0 P GE2/0/0
GE1/0/0 GE1/0/0
CE1 CE2
PE1 GigabitEthernet 1/0/0 VLANIF 10 -
GigabitEthernet 2/0/0 VLANIF 20 168.1.1.1/24
Loopback1 - 1.1.1.9/32
PE2 GigabitEthernet 1/0/0 VLANIF 30 169.1.1.2/24
GigabitEthernet 2/0/0 VLANIF 40 -
Loopback1 - 3.3.3.9/32
P GigabitEthernet 1/0/0 VLANIF 20 168.1.1.2/24
Loopback1 - 2.2.2.9/32
CE1 GigabitEthernet 1/0/0 VLANIF 10 10.1.1.1/24
1. Configure a routing protocol on the backbone network to implement the interworking

between devices.
2. Establish remote LDP sessions between PEs.
3. Establish tunnels between PEs to transmit user data.
4. Enable MPLS L2VPN on PEs.
5. Create VSIs on PEs, use the signaling protocol as LDP, and bind VSIs to related AC
interfaces.

Data Preparation
l Names and IDs of VSIs
l IP addresses of peers and tunnel policy used for setting up peer relationships
l Interfaces to which VSIs are bound
Procedure
Step 1 Configure the VLAN to which each interface belongs according to Figure 7-12.
NOTE
Do not add the AC-side port and PW-side port of a PE to the same VLAN; otherwise, a loop may occur.
Step 2 Configure an IGP. In this example, OSPF is adopted.

When configuring OSPF, advertise 32-bit loopback interface addresses (LSR IDs) of PE1, P,
and PE2.
After the configuration is complete, run the display ip routing-table command on PE1, P, and
PE2. You can view the routes learned by PE1, P, and PE2 from each other.
Step 3 Configure basic MPLS functions and LDP.
After the configuration, run the display mpls ldp session command. You can find that the
Status of the peer relationship between PE1 and PE2 is Operational, which indicates that the
peer relationship is established. Run the display mpls lsp command, and you can view the setup
of the LSP.
Step 4 Establish remote LDP sessions between PEs.
# Configure PE1.
# Configure PE2.
After the configuration, run the display mpls ldp session on PE1 or PE2. You can find that the
status of the peer relationship between PE1 and PE2 is Operational, which indicates that the
peer relationship is established.
Step 5 Enable MPLS L2VPN on PEs.
# Configure PE1.
[PE1] mpls l2vpn
# Configure PE2.

[PE2] mpls l2vpn
Step 6 Configure VSIs on PEs.

# Configure PE1.
[PE1] vsi a2 static
[PE1-vsi-a2] pwsignal ldp
[PE1-vsi-a2-ldp] vsi-id 2
[PE1-vsi-a2-ldp] peer 3.3.3.9
# Configure PE2.
[PE2] vsi a2 static
Step 7 Bind VSIs to interfaces on PEs.

# Configure PE1.
[PE1-Vlanif10] l2 binding vsi a2
[PE1-Vlanif10] quit
# Configure PE2.
[PE2-Vlanif40] quit
Step 8 Assign an IP address to each VLANIF interface on CEs.

# Configure CE1.
<Quidway> sysname CE1
[CE1-Vlanif10] quit
# Configure CE2.
[CE2-Vlanif40] quit

After the preceding configurations, run the display vsi name a2 verbose command on PE1. You
can find that a VSI named a2 sets up a PW to PE2, and the status of the VSI is UP.
.
<PE1> display vsi name a2 verbose
***VSI Name : a2
VSI Index : 0
PW Signaling : ldp
MTU : 1500
Mpls Exp : --
DomainId : 255
Domain Name :


VSI State : up
VSI ID : 2
VC Label : 27648
Peer Type : dynamic
Session : up
Tunnel ID : 0x20021
Broadcast Tunnel ID : 0x20021
CKey : 2
NKey : 1
StpEnable : 0
PwIndex : 1
Interface Name : Vlanif10

State : up
Last Up Time : 2009/02/03 00:16:08
**PW Information:

PW State : up
PW Type : label
Ckey : 0x2
Nkey : 0x1
Main PW Token : 0x10002
Slave PW Token : 0x0
Tnl Type : LSP
OutInterface : Vlanif20
Stp Enable : 0
Mac Flapping : 0
PW Last Up Time : 2009/02/03 00:16:09
CE1 (10.1.1.1) can ping CE2 (10.1.1.2) successfully.

<CE1> ping 10.1.1.2
0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10

ip address 10.1.1.1 255.255.255.0

#
#
return

#
sysname CE2
#
vlan batch 40
#
interface Vlanif40
ip address 10.1.1.2 255.255.255.0
#
#
return

#
sysname PE1
#
vlan batch 10 20
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 3.3.3.9
#
mpls ldp
#
remote-ip 3.3.3.9
#
interface Vlanif10
l2 binding vsi a2
#
interface Vlanif20
ip address 168.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 168.1.1.0 0.0.0.255
#
return

#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address 168.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 169.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 168.1.1.0 0.0.0.255
network 169.1.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return

#
sysname PE2
#
vlan batch 30 40
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.9
#
mpls ldp
#
remote-ip 1.1.1.9
#
interface Vlanif30
ip address 169.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
l2 binding vsi a2
#

#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 169.1.1.0 0.0.0.255
#
return
7.13.2 Example for Configuring Kompella VPLS
As shown in Figure 7-13, PE1 and PE2 are PEs to be enabled with the VPLS function; CE1 is
connected to PE1 and CE2 is connected to PE2; CE1 and CE2 belong to the same VPLS network;
It is required to set up PWs by using BGP as the VPLS signaling, implement the automatic
discovery of VPLS PEs through VPN targets, and implement interworking between CE1 and
CE2.
Figure 7-13 Networking diagram for configuring Kompella VPLS

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE2/0/0 GE2/0/0
PE1 PE2
GE1/0/0 GE1/0/0
GE1/0/0 P GE2/0/0
GE1/0/0 GE1/0/0
CE1 CE2
Loopback1 - 1.1.1.9/32
Loopback1 - 3.3.3.9/32

Loopback1 - 2.2.2.9/32
1. Configure a routing protocol on the backbone network to implement the interworking

between devices and enable basic MPLS functions.
2. Set up LSP tunnels between PEs.
4. Enable BGP peers to exchange the VPLS information between PEs.
5. Create VSIs on PEs, specify BGP as the signaling protocol, and specify the RD, VPN target,
and site.
6. Bind VSIs to AC interfaces.
Data Preparation
l IP addresses of peers
l Names of the VSIs on PE1 and PE2
l BGP AS numbers on PE1 and PE2
l Signaling protocol of a VSI, that is, BGP
l RDs, VPN targets, site IDs of VSIs on PEs
l Interfaces to which VSIs are bound and VLAN IDs of the interfaces
Procedure
NOTE
Step 2 Configure an IGP. In this example, OSPF is adopted.
Configure an IP address for each interface on the PEs and P as shown in Figure 7-13. When
configuring OSPF, advertise 32-bit loopback interface addresses (LSR IDs) of PE1, P, and PE2.
After the configuration is complete, run the display ip routing-table command on PE1, P, and
PE2. You can view the routes learned by PE1, P, and PE2 from each other.

For detailed configuration procedures, see the following configuration files.
After the configuration, run the display mpls ldp peer command. You can find that the peer
relationship is established between PE1 and P and between PE2 and P. Run the display mpls
ldp session command on PE1 and PE2, and you can find that an LDP session is set up between
PE1 and PE2. Run the display mpls lsp command, and you can view the setup of the LSP.
Step 4 Establish BGP peers to exchange VPLS information.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] vpls-family
[PE1-bgp-af-vpls] peer 3.3.3.9 enable
[PE1-bgp-af-vpls] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp-af-vpls] quit
# Configure PE1.
[PE1] mpls l2vpn
# Configure PE2.
[PE2] mpls l2vpn
Step 6 Configure VSIs on PEs.

NOTE
Site IDs at both ends of a VSI must be different.
# Configure PE1.
[PE1] vsi bgp1 auto
[PE1-vsi-bgp1] pwsignal bgp
[PE1-vsi-bgp1-bgp] route-distinguisher 168.1.1.1:1
[PE1-vsi-bgp1-bgp] vpn-target 100:1 import-extcommunity
[PE1-vsi-bgp1-bgp] vpn-target 100:1 export-extcommunity
[PE1-vsi-bgp1-bgp] site 1 range 5 default-offset 0
# Configure PE2.
[PE2] vsi bgp1 auto
[PE2-vsi-bgp1] pwsignal bgp
[PE2-vsi-bgp1-bgp] route-distinguisher 169.1.1.2:1
[PE2-vsi-bgp1-bgp] vpn-target 100:1 import-extcommunity
[PE2-vsi-bgp1-bgp] vpn-target 100:1 export-extcommunity
[PE2-vsi-bgp1-bgp] site 2 range 5 default-offset 0
Step 7 Bind VSIs to AC interfaces on PEs.
# Create a sub-interface on PE1, allow the sub-interface to receive packets from VLAN 10, and
bind a VSI to the sub-interface.


[PE1-Vlanif10] l2 binding vsi bgp1
# Create a sub-interface on PE2, allow the sub-interface to receive packets from VLAN 10, and
bind a VSI to the sub-interface.
[PE2-Vlanif40] l2 binding vsi bgp1

# Configure CE1.
# Configure CE2.

After the preceding configurations, run the display vsi name bgp1 verbose command on PE1.
You can find that a VSI named bgp1 sets up a PW to PE2, and the status of the VSI is UP.
.
<PE1> display vsi name bgp1 verbose
***VSI Name : bgp1

VSI Index : 1
PW Signaling : bgp
Member Discovery Style : auto
MTU : 1500
Mpls Exp : --
DomainId : 255
Domain Name :
VSI State : up
BGP RD : 168.1.1.1:1
SiteID/Range/Offset : 1/5/0
Import vpn target : 100:1
Local Label Block : 31744/10/0

State : up
Last Up Time : 2009/02/03 00:26:25
**PW Information:

PW State : up
PW Type : label

Ckey : 0x3
Nkey : 0x1
Tnl Type : LSP
Stp Enable : 0
Mac Flapping : 0
PW Last Up Time : 2009/02/03 00:32:43
CE1 (10.1.1.1) can ping CE2 (10.1.1.2) successfully.

<CE1> ping 10.1.1.2
0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
return

#
sysname CE2
#
vlan batch 40
#
interface Vlanif40
ip address 10.1.1.2 255.255.255.0
#
#
return

#
sysname PE1
#
vlan batch 10 20
#

mpls lsr-id 1.1.1.9

mpls
#
mpls l2vpn
#
vsi bgp1 auto
pwsignal bgp
route-distinguisher 168.1.1.1:1
site 1 range 5 default-offset 0
#
mpls ldp
#
interface Vlanif10
l2 binding vsi bgp1
#
interface Vlanif20
ip address 168.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
#
vpls-family
policy vpn-target
peer 3.3.3.9 enable
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 168.1.1.0 0.0.0.255
#
return
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address 168.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 169.1.1.1 255.255.255.0
mpls
mpls ldp
#


#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 168.1.1.0 0.0.0.255
network 169.1.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return

#
sysname PE2
#
vlan batch 30 40
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi bgp1 auto
pwsignal bgp
route-distinguisher 169.1.1.2:1
#
mpls ldp
#
interface Vlanif30
ip address 169.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
l2 binding vsi bgp1
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
#
vpls-family
policy vpn-target
peer 1.1.1.9 enable
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 169.1.1.0 0.0.0.255

#
return
7.13.3 Example for Configuring VPLS over TE in Martini Mode
Figure 7-14 Networking of VPLS over TE in Martini mode

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE1/0/0 GE2/0/0
VLANIF20 VLANIF30
100.1.1.1/24 100.2.1.1/24
PE1 PE2
GE1/0/0 GE1/0/0
VLANIF20 VLANIF30
GE2/0/0
100.1.1.2/24
P 100.2.1.2/24
GE2/0/0
VLANIF10 VLANIF 40
MPLS TE Tunnel
GE1/0/0 GE1/0/0
VLANIF10 VLANIF40
10.1.1.1/24 10.1.1.2/24
CE1 CE2
As shown in Figure 7-14, CE1 and CE2 belong to the same VPLS. They are connected to the
MPLS backbone network through PE1 and PE2. OSPF is used as the IGP protocol on the MPLS
backbone network.
It is required that VPLS in Martini mode and the dynamic signaling protocol RSVP-TE be used
to establish an MPLS TE tunnel between PE1 and PE2 to carry VPLS services.
1. Configure a routing protocol on the devices (PEs and the P device) on the backbone network
to make them reachable, and enable MPLS.
2. Establish an MPLS TE tunnel and create a tunnel policy.
4. Create VSIs on PEs, specify LDP as the signaling protocol, and bind VSIs to the related
AC interfaces.
5. Configure VSIs to use the MPLS TE tunnel.
Data Preparation
l OSPF areas enabled with MPLS TE

l IP addresses of peers and tunnel policy

l Interfaces to which VSIs are bound
Procedure
Step 1 Create VLANs and configure interfaces to allow packets of these VLANs to pass.
# Configure PE1.
# The configurations of CE1, CE2, PE2, and P device are the same as the configuration of PE1,
Step 2 Assign IP addresses to interfaces on the backbone network and configure OSPF.
Step 3 Enable MPLS, MPLS TE, MPLS RSVP-TE, and MPLS TE Constraint Shortest Path First
(CSPF).
On the nodes along the MPLS TE tunnel, enable MPLS, MPLS TE, and MPLS RSVP-TE in
both the system view and the interface view. On the ingress node of the tunnel, enable MPLS
TE CSPF in the system view.
# Configure PE1.
[PE1] mpls
[PE1-mpls] mpls te
[PE1-mpls] quit
[PE1-Vlanif20] mpls
[PE1-Vlanif20] quit

[P] mpls
[P-mpls] mpls te
[P-mpls] mpls rsvp-te
[P-mpls] quit
[P-Vlanif20] mpls
[P-Vlanif20] mpls te
[P-Vlanif20] quit
[P-Vlanif30] mpls
[P-Vlanif30] mpls te
[P-Vlanif30] quit
# Configure PE2.


[PE2] mpls
[PE2-mpls] mpls te
[PE2-mpls] quit
[PE2-Vlanif30] mpls
[PE2-Vlanif30] quit
Step 4 Configure OSPF TE on the backbone network.
# Configure PE1.
[PE1] ospf
[PE1-ospf-1] area 0.0.0.0

[P] ospf
[P-ospf-1] opaque-capability enable
[P-ospf-1] area 0.0.0.0
[P-ospf-1-area-0.0.0.0] mpls-te enable
# Configure PE2.
[PE2] ospf
[PE2-ospf-1] area 0.0.0.0
Step 5 Configure tunnel interfaces.
# Create tunnel interfaces on PEs. Specify MPLS TE as the tunneling protocol and RSVP-TE
as the signaling protocol.
# Configure PE1.
# Configure PE2.

After the configuration, run the display this interface command in the tunnel interface view,
and you can view that the value of Line protocol current state is UP. It indicates that the MPLS
TE tunnel is set up successfully. For example, information about PE1 is displayed as follows:
Route Port,The Maximum Transmit Unit is 1500 bytes
Tunnel protocol/transport MPLS/MPLS, ILM disabled

0 output error
0 output drop

Run the display tunnel-info all command in the system view, and you can view that the TE
tunnel with the destination address being the peer MPLS LSR ID exists between PEs. For
example, information about PE1 is displayed as follows:
----------------------------------------------------------------------
0x10020 cr lsp 3.3.3.9 0
0x10021 lsp -- 1
0x10022 lsp(*) -- 2
Step 6 Configure remote LDP sessions.

Set up remote peer sessions between PE1 and PE2.
# Configure PE1.
[PE1] mpls ldp
[PE1-mpls-ldp] quit
# Configure PE2.
[PE2] mpls ldp
[PE2-mpls-ldp] quit
After the configuration, an LDP session can be successfully set up between PEs.

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 7 Configure a tunnel policy.

# Configure PE1.
# Configure PE2.

# Configure PE1.
[PE1] mpls l2vpn
# Configure PE2.
[PE2] mpls l2vpn
Step 9 Create VSIs on PEs and configure a tunnel policy.

# Configure PE1.
[PE1] vsi a2 static
[PE1-vsi-a2-ldp] peer 3.3.3.9 tnl-policy policy1
[PE1-vsi-a2-ldp] quit
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2-ldp] peer 1.1.1.9 tnl-policy policy1
Step 10 Bind VSIs to interfaces on PEs.

# Configure PE1.
[PE1-Vlanif10] quit
# Configure PE2.
[PE2-Vlanif40] quit
# Configure CE1.
[CE1-Vlanif10] quit
# Configure CE2.


[CE2-Vlanif40] quit
After the preceding configurations, run the display vsi name a2 verbose command on PE1, and
you can view that the VSI named a2 has established a PW to PE2, and the VSI is in Up state.
***VSI Name : a2
VSI Index : 0
PW Signaling : ldp
MTU : 1500
Mpls Exp : --
DomainId : 255
Domain Name :
VSI State : up
VSI ID : 2
VC Label : 27648
Peer Type : dynamic
Session : up
Tunnel ID : 0x10020
CKey : 6
NKey : 5
StpEnable : 0
PwIndex : 0
Tunnel Policy Name : policy1
State : up
Last Up Time : 2009/01/05 18:10:44
**PW Information:
PW State : up
PW Type : label
Tunnel ID : 0x10020
Ckey : 0x6
Nkey : 0x5
Tnl Type : LSP
Stp Enable : 0
Mac Flapping : 0
PW Last Up Time : 2009/01/06 10:03:35
Run the display mpls lsp include 3.3.3.9 32 verbose command on PE1, and you can view
information about the LSP to 3.3.3.9/32.
<PE1> display mpls lsp include 3.3.3.9 32 verbose
-------------------------------------------------------------------------------
LSP Information: RSVP LSP
-------------------------------------------------------------------------------

No : 1
SessionID : 100
IngressLsrID : 1.1.1.1
LocalLspID : 1
Tunnel-Interface : Tunnel1/0/0
Fec : 3.3.3.9/32
Nexthop : 100.1.1.2
In-Label : NULL
Out-Label : 9217
In-Interface : ----------
Out-Interface : Vlanif20
LspIndex : 2048
Token : 0x10080
LsrType : Ingress
Mpls-Mtu : 1500
TimeStamp : 2040sec
Bfd-State : ---
Run the display vsi pw out-interface vsi a2 command on PE1, and you can view that the
outbound interface of the MPLS TE tunnel between 1.1.1.9 and 3.3.3.9 is Tunnel 1/0/0, but the
actual outbound interface is VLANIF20.
<PE1> display vsi pw out-interface vsi a2
Total: 1
--------------------------------------------------------------------------------
Vsi Name peer vcid interface
--------------------------------------------------------------------------------
a2 3.3.3.9 100 Tunnel1/0/0
Vlanif20

<CE1> ping 10.1.1.2

0.00% packet loss
After CE1 pings CE2, run the display interface tunnel 1/0/0 command on the PE to view tunnel
interface information, and you can view that the number of packets passing through the interface
increases. For example, information about PE1 is displayed as follows:
<PE1> display interface tunnel 1/0/0

primary tunnel id is 0xe008948, secondary tunnel id is 0x0



0 output error
0 output drop

----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
return

#
sysname PE1
#
vlan batch 10 20
#
mpls lsr-id 1.1.1.9
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 3.3.3.9 tnl-policy policy1
#
mpls ldp
#
remote-ip 3.3.3.9
#
#
interface Vlanif10
l2 binding vsi a2
#
interface Vlanif20
ip address 100.1.1.1 255.255.255.0
ospf cost 1
mpls
mpls te
mpls rsvp-te
#
#


#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
destination 3.3.3.9
mpls te commit
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 100.1.1.0 0.0.0.255
mpls-te enable
#
#
return
l Configuration file of the P device

#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
mpls te
mpls rsvp-te
#
interface Vlanif20
ip address 100.1.1.2 255.255.255.0
ospf cost 1
mpls
mpls te
mpls rsvp-te
#
interface Vlanif30
ip address 100.2.1.1 255.255.255.0
ospf cost 1
mpls
mpls te
mpls rsvp-te
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 100.1.1.0 0.0.0.255
network 100.2.1.0 0.0.0.255
mpls-te enable
#

return
#
sysname PE2
#
vlan batch 30 40
#
mpls lsr-id 3.3.3.9
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.9 tnl-policy policy1
#
mpls ldp
#
remote-ip 1.1.1.9
#
interface Vlanif 30
ip address 100.2.1.2 255.255.255.0
ospf cost 1
mpls
mpls te
mpls rsvp-te
#
interface Vlanif40
l2 binding vsi a2
#
interface GigabitEtherne1/0/0
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
destination 1.1.1.9
mpls te commit
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 100.2.1.0 0.0.0.255
mpls-te enable
#
#
return
#
sysname CE2

#
vlan batch 40
#
interface Vlanif40
ip address 10.1.1.2 255.255.255.0
#
#
return
7.13.4 Example for Configuring LDP HVPLS
As shown in Figure 7-15, Site 1, Site 2, and Site 3 belong to the same VPLS; CE1 and CE2
access the basic VPLS fully-connected network through UPEs and CE3 accesses the network
through a PE.
Figure 7-15 Networking diagram for configuring LDP HVPLS

Basic VPLS full mesh
Loopback1 Loopback1
2.2.2.9/32 3.3.3.9/32
GE1/0/0
GE1/0/0 PE
GE2/0/0
Loopback1 SPE GE2/0/0
1.1.1.9/32
GE3/0/0
UPE
GE1/0/0
GE1/0/0 GE2/0/0
CE3
GE1/0/0
CE1 GE1/0/0 CE2 Site3
Site1 Site2
UPE GigabitEthernet 1/0/0 VLANIF 10 -
Loopback1 - 1.1.1.9/32
SPE GigabitEthernet 1/0/0 VLANIF 30 100.1.1.2/24
Loopback1 - 2.2.2.9/32
PE GigabitEthernet 1/0/0 VLANIF 40 100.2.1.2/24

Loopback1 - 3.3.3.9/32
1. Complete the task of Configuring Martini VPLS between SPEs and PEs.
2. Establish the MPLS LDP peer relationship between UPEs and SPEs.
3. Create a VSI on an SPE, and specify the UPE as its PE of the lower layer.
4. Create a VSI on a UPE, and specify the SPE as the peer of the VSI.
5. Configure CE1 and CE2 to access UPE, and configure CE3 to access PE.
Data Preparation

l MPLS LSR IDs (as IP addresses of peers) of UPE, SPE, and PE
l Routing protocol UPE, SPE, and PE
Procedure
NOTE
Step 2 Configure an IGP.

OSPF is adopted in the example. The configuration details are not mentioned here.
After the configuration, run the display ip routing-table command on UPEs, SPEs, and PEs.
You can view that UPEs, SPEs, and PEs have learned the addresses of the loopback interfaces
from each other.
After the configuration, run the display mpls ldp session command. You can find that the
Status of the peer relationship between the UPE and the SPE or between the PE and the SPE is
Operational, which indicates that the peer relationship is established. Run the display mpls
lsp command, and you can view the setup of the LSP.

Step 4 Enable MPLS L2VPN and configure a VSI.

<UPE> system-view
[UPE] mpls l2vpn
[UPE] vsi v123 static
[UPE-vsi-v123] pwsignal ldp
[UPE-vsi-v123-ldp] vsi-id 123
[UPE-vsi-v123-ldp] peer 2.2.2.9
# Configure the SPE.

<SPE> system-view
[SPE] mpls l2vpn
[SPE] vsi v123 static
[SPE-vsi-v123] pwsignal ldp
[SPE-vsi-v123-ldp] vsi-id 123
[SPE-vsi-v123-ldp] peer 3.3.3.9
[SPE-vsi-v123-ldp] peer 1.1.1.9 upe
# Configure the PE.

<PE> system-view
[PE] mpls l2vpn
[PE] vsi v123 static
[PE-vsi-v123] pwsignal ldp
[PE-vsi-v123-ldp] vsi-id 123
[PE-vsi-v123-ldp] peer 2.2.2.9
Step 5 Bind VSIs to interfaces on the SPE and UPE.

[UPE-Vlanif10] l2 binding vsi v123
[UPE-Vlanif10] quit
[UPE-Vlanif20] l2 binding vsi v123
[UPE-Vlanif20] quit
# Configure the PE.

[PE-Vlanif50] l2 binding vsi v123
# Configure CE1.
# Configure CE2.
# Configure CE3.

After the preceding configurations, run the display vsi name v123 verbose command on the
SPE. You can view that the VSI named v123 is in the Up state and the corresponding PW is also
in the Up state.
<SPE> display vsi name v123 verbose
***VSI Name : v123

VSI Index : 0
PW Signaling : ldp
MTU : 1500
Mpls Exp : --
DomainId : 255
Domain Name :
VSI State : up
VSI ID : 123
VC Label : 27648
Peer Type : dynamic
Session : up
Tunnel ID : 0x20022
CKey : 6
NKey : 5
StpEnable : 0
PwIndex : 0

VC Label : 27649
Peer Type : dynamic
Session : up
Tunnel ID : 0x10020
CKey : 6
NKey : 5
StpEnable : 0
PwIndex : 0
**PW Information:

PW State : up
PW Type : MEHVPLS
Tunnel ID : 0x10020
Ckey : 0x6
Nkey : 0x5
Tnl Type : LSP
Stp Enable : 0
Mac Flapping : 0
PW Last Up Time : 2009/02/03 00:32:43

PW State : up


PW Type : label
Tunnel ID : 0x20022
Ckey : 0x6
Nkey : 0x5
Tnl Type : LSP
Stp Enable : 0
Mac Flapping : 0
PW Last Up Time : 2009/02/03 00:31:43
CE1, CE2, and CE3 can ping each other successfully. After you run the shutdown command
on the interface to which the VSI is bound of the UPE or PE, CE2 and CE3 cannot ping each
other successfully. This indicates that user data is transmitted through the PW of this VSI.
----End
Configuration Files
l Configuration file of the UPE
#
sysname UPE
#
vlan batch 10 20 30
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi v123 static
pwsignal ldp
vsi-id 123
peer 2.2.2.9
#
mpls ldp
#
interface Vlanif10
l2 binding vsi v123
#
interface Vlanif20
l2 binding vsi v123
#
interface Vlanif30
ip address 100.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1

area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 100.1.1.0 0.0.0.255
#
return
l Configuration file of the SPE
#
sysname SPE
#
vlan batch 30 40
#
mpls lsr-id 2.2.2.9
mpls
#
mpls l2vpn
#
vsi v123 static
pwsignal ldp
vsi-id 123
peer 3.3.3.9
peer 1.1.1.9 upe
#
mpls ldp
#
interface Vlanif 30
ip address 100.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
ip address 100.2.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 100.2.1.0 0.0.0.255
network 100.1.1.0 0.0.0.255
#
return
l Configuration file of the PE
#
sysname PE
#
vlan batch 40 50
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi v123 static
pwsignal ldp
vsi-id 123
peer 2.2.2.9
#

mpls ldp
#
interface Vlanif40
ip address 100.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif50
l2 binding vsi v123
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 100.2.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
return
#
sysname CE2
#
vlan batch 20
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
#
#
return
#
sysname CE3
#
vlan batch 50
#
interface Vlanif50
ip address 10.1.1.3 255.255.255.0
#

#
return
7.13.5 Example for Configuring Static VLLs to Access a VPLS

Network
As shown in Figure 7-16, UPEs do not support dynamic VLLs, and access SPEs through static
VLLs; VLLs are set up between UPEs and SPEs in SVC mode; CE1 and CE2 access the VPLS
fully-connected VPLS network through UPEs.
Figure 7-16 Networking diagram for configuring static VLLs to access a VPLS network
1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE1/0/0 GE1/0/0
SPE1 SPE2
GE1/0/0 GE2/0/0
GE2/0/0 P GE2/0/0
Loopback1 Loopback1
4.4.4.9/32 5.5.5.9/32
GE1/0/0 GE1/0/0
UPE1 UPE2
GE2/0/0 GE2/0/0
GE1/0/0 GE1/0/0
CE1 CE2
UPE1 GigabitEthernet 1/0/0 VLANIF 20 100.1.3.2/24
Loopback1 - 4.4.4.9/32
SPE1 GigabitEthernet 1/0/0 VLANIF 30 100.1.1.1/24
Loopback1 - 1.1.1.9/32
Loopback1 - 2.2.2.9/32
SPE2 GigabitEthernet 1/0/0 VLANIF 40 100.1.2.2/24

Loopback1 - 3.3.3.9/32
UPE2 GigabitEthernet 1/0/0 VLANIF 50 100.1.4.2/24
Loopback1 - 5.5.5.9/32
1. Complete the task of Configuring Martini VPLS between SPEs.
2. Configure basic MPLS L2VPN functions on UPEs and SPEs.
3. Configure static VLLs and VSIs on SPEs and enable MAC-withdraw function on the VSIs.
4. Configure UPEs to access SPEs through static VLLs.
Data Preparation
l MPLS LSR IDs of UPEs and SPEs, which are used as peer IP addresses
l Routing protocol
l Received and sent labels on static LSPs between UPEs and SPEs
Procedure
1. Configure IP addresses for interfaces.
As shown in Figure 7-16, configure the VLAN to which each interface belongs, and
configure the IP addresses and masks for loopback interfaces and VLANIF interfaces. The
details are not mentioned here.
NOTE
Do not add the AC-side port and PW-side port of a PE to the same VLAN; otherwise, a loop may
occur.
2. Configure an IGP.
Configure OSPF on SPEs and the P device to advertise the network segment and LSR IDs.
# Configure SPE1.
<SPE1> system-view
[SPE1] ospf
[SPE1-ospf-1] area 0
[SPE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[SPE1-ospf-1-area-0.0.0.0] quit
[SPE1-ospf-1] quit
# Configure P.

<P> system-view
[P] ospf
[P-ospf-1] area 0
[P-ospf-1] quit
# Configure SPE2.
<SPE2> system-view
[SPE2] ospf
[SPE2-ospf-1] quit
# Configure UPE1.
<UPE1> system-view
[UPE1] ospf
[UPE1-ospf-1] area 0
[UPE1-ospf-1-area-0.0.0.0] network 4.4.4.9 0.0.0.0
[UPE1-ospf-1-area-0.0.0.0] quit
[UPE1-ospf-1] quit
# Configure UPE2.
<UPE2> system-view
[UPE2] ospf
[UPE2-ospf-1] quit
3. Configure basic MPLS functions and LDP.

# Configure SPE1.
[SPE1] mpls lsr-id 1.1.1.9
[SPE1] mpls
[SPE1-mpls] quit
[SPE1] quit
[SPE1] mpls ldp
[SPE1-mpls-ldp] quit
[SPE1] interface vlanif 30
[SPE1-Vlanif30] mpls
[SPE1-Vlanif30] mpls ldp
[SPE1-Vlanif30] quit
# Configure P.
[P] mpls
[P-mpls] quit
[P] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
[P-Vlanif40] mpls
[P-Vlanif40] quit

# Configure SPE2.
[SPE2] mpls
[SPE2-mpls] quit
[SPE2] quit
[SPE2] mpls ldp
After the configuration, run the display mpls ldp session command on SPE1, P, and SPE2.
You can find that the Status of the peer relationship between SPE1 and P or between SPE2
and P is Operational, which indicates that the peer relationship is established. Run the
display mpls lsp command, and you can view the setup of the LSP.
Take the display on SPE1 as an example.
<SPE1> display mpls ldp session

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
<SPE1> display mpls lsp

----------------------------------------------------------------------
----------------------------------------------------------------------
2.2.2.9/32 NULL/3 -/Vlanif30
1.1.1.9/32 3/NULL -/-
3.3.3.9/32 NULL/1025 -/Vlanif30
4. Establish remote LDP sessions between SPEs.

# Configure SPE1.
[SPE1] mpls ldp remote-peer 3.3.3.9
[SPE1-mpls-ldp-remote-3.3.3.9] remote-ip 3.3.3.9
[SPE1-mpls-ldp-remote-3.3.3.9] quit
# Configure SPE2.
[SPE2-mpls-ldp-remote-1.1.1.9] remote-ip 1.1.1.9
[SPE2-mpls-ldp-remote-1.1.1.9] quit
After the configuration, run the display mpls ldp session command on SPE1 and SPE2.
You can find that the status of the peer relationship between SPE1 and SPE2 is
Operational. That is, the peer relationship is established.
Take the display on SPE1 as an example.
<SPE1> display mpls ldp session


------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
5. Configure static LSPs between UPEs and SPEs.

# Configure UPE1.
[UPE1] mpls lsr-id 4.4.4.9
[UPE1] mpls
[UPE1-mpls] quit
[UPE1] interface vlanif 20
[UPE1-Vlanif20] mpls
[UPE1-Vlanif20] quit
[UPE1] static-lsp ingress UPE1toSPE1 destination 1.1.1.9 32 nexthop 100.1.3.1
out-label 20
[UPE1] static-lsp egress SPE1toUPE1 incoming-interface vlanif 20 in-label 30
# Configure UPE2.
[UPE2] mpls
[UPE2-mpls] quit
[UPE2] static-lsp ingress UPE2toSPE2 destination 3.3.3.9 32 nexthop 100.1.4.1
out-label 40
[UPE2] static-lsp egress SPE2toUPE2 incoming-interface vlanif 50 in-label 50
# Configure SPE1.
[SPE1] static-lsp ingress SPE1toUPE1 destination 4.4.4.9 32 nexthop 100.1.3.2
out-label 30
[SPE1] static-lsp egress UPE1toSPE1 incoming-interface vlanif 20 in-label 20
# Configure SPE2.
[SPE2] static-lsp ingress SPE2toUPE2 destination 5.5.5.9 32 nexthop 100.1.4.2
out-label 50
[SPE2] static-lsp egress UPE2toSPE2 incoming-interface vlanif 50 in-label 40
6. Enable MPLS L2VPN on UPEs and configure the UPEs to access SPEs through static
VLLs.
# Configure UPE1.
<UPE1> system-view
[UPE1] mpls l2vpn
[UPE1-l2vpn] quit
[UPE1-Vlanif10] mpls static-l2vc destination 1.1.1.9 transmit-vpn-label 100
# Configure UPE2.
<UPE2> system-view
[UPE2] mpls l2vpn
[UPE2-l2vpn] quit
[UPE2-Vlanif60] mpls static-l2vc destination 3.3.3.9 transmit-vpn-label 100
7. Enable MPLS L2VPN on SPEs and bind VSIs.

# Configure SPE1.
<SPE1> system-view
[SPE1] mpls l2vpn

[SPE1] vsi V100 static

[SPE1-vsi-V100] pwsignal ldp
[SPE1-vsi-V100-ldp] vsi-id 100
[SPE1-vsi-V100-ldp] mac-withdraw enable
[SPE1-vsi-V100-ldp] peer 3.3.3.9
[SPE1-vsi-V100-ldp] peer 4.4.4.9 static-upe trans 100 recv 100
[SPE1-vsi-V100-ldp] quit
# Configure SPE2.
<SPE2> system-view
[SPE2] mpls l2vpn
[SPE2] vsi V100 static
[SPE2-vsi-V100] pwsignal ldp
[SPE2-vsi-V100-ldp] vsi-id 100
[SPE2-vsi-V100-ldp] mac-withdraw enable
[SPE2-vsi-V100-ldp] peer 1.1.1.9
[SPE2-vsi-V100-ldp] peer 5.5.5.9 static-upe trans 100 recv 100
[SPE2-vsi-V100-ldp] quit

After the configuration, run the display mpls static-l2vc on UPEs. You can find that static
VLLs are established and the VC status is Up. Take the display on UPE1 as an example.
<UPE1> display mpls static-l2vc interface vlanif 10
AC Status : up
VC State : up
VC ID : 0
VC Type : VLAN
VCCV Capabilty : Disable
Tunnel Policy : --
VC last up time : 2010/02/02 12:31:31
Run the display vsi name V100 command on SPEs, and you can find that the VSI named
V100 is Up and the corresponding PW is also Up. Take the display on SPE1 as an example.
<SPE1> display vsi name V100 verbose
***VSI Name : V100

VSI Index : 0
PW Signaling : ldp
MTU : 1500
Mpls Exp : --
DomainId : 0
Domain Name :
VSI State : up
VSI ID : 100

VC Label : 27648
Peer Type : dynamic
Session : up
Tunnel ID : 0x10021
CKey : 6
NKey : 5
StpEnable : 0
PwIndex : 0

VC Label : 100
Peer Type : static
Tunnel ID : 0x20024
CKey : 6
NKey : 5
StpEnable : 0
PwIndex : 0
**PW Information:

PW State : up
PW Type : MEHVPLS
Tunnel ID : 0x20024
Ckey : 0x6
Nkey : 0x5
Tnl Type : LSP
Stp Enable : 0
Mac Flapping : 0
PW Last Up Time : 2010-02-02 15:41:59

PW State : up
PW Type : label
Tunnel ID : 0x10021
Ckey : 0x6
Nkey : 0x5
Tnl Type : LSP
Stp Enable : 0
Mac Flapping : 0
PW Last Up Time : 2010-02-02 15:41:59
CE1 and CE2, which reside in the same network segment, can ping each other successfully.
After you run the shutdown command on VLANIF 10 (to which the VSI is bound) of
UPE1, CE1 and CE2 cannot ping each other successfully. This indicates that user data is
transmitted through the PW of this VSI.
Before VLANIF 20 of SPE1 is shut down, check the MAC addresses learnt by the VSI on
SPE2.
<SPE2> display mac-address dynamic
MAC Address VLAN/ PEVLAN CEVLAN Port Type LSP/LSR-ID
VSI/SI
----------------------------------------------------------------------------

0000-c101-0102 V100 Vlanif20 dynamic 3/3366
Total matching items displayed = 2
After VLANIF 20 of SPE1 is shut down, the VSI bound to the static VLL becomes Down.
Check MAC addresses learnt by the VSI on SPE2, and you can find that one MAC address
learned from VLANIF 20 is deleted.
<SPE2> display mac-address dynamic
MAC Address VLAN/ PEVLAN CEVLAN Port Type LSP/LSR-ID
VSI/SI
----------------------------------------------------------------------------
Total matching items displayed = 0
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
return

#
sysname CE2
#
interface Vlanif60
ip address 10.1.1.2 255.255.255.0
#
#
return
l Configuration file of UPE1

#
sysname UPE1
#
vlan batch 10 20
#
mpls lsr-id 4.4.4.9
mpls
#
mpls l2vpn
#
interface Vlanif10
100
#
interface Vlanif20
ip address 100.1.3.2 255.255.255.0
mpls
#
#


#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 100.1.3.0 0.0.0.255
#
static-lsp ingress UPE1toSPE1 destination 1.1.1.9 32 nexthop 100.1.3.1 out-
label 20
static-lsp egress SPE1toUPE1 incoming-interface Vlanif 20 in-label 30
#
return
l Configuration file of SPE1

#
sysname SPE1
#
vlan batch 20 30
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi V100 static
pwsignal ldp
vsi-id 100
peer 3.3.3.9
peer 4.4.4.9 static-upe tran 100 recv 100
#
mpls ldp
#
remote-ip 3.3.3.9
#
interface Vlanif20
ip address 100.1.3.1 255.255.255.0
mpls
#
interface Vlanif30
ip address 100.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 100.1.1.0 0.0.0.255
network 100.1.3.0 0.0.0.255
#
static-lsp ingress SPE1toUPE1 destination 4.4.4.9 32 nexthop 100.1.3.2 out-
label 30
static-lsp egress UPE1toSPE1 incoming-interface Vlanif 20 in-label 20

#
return
#
sysname P
#
vlan batch 30 40
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif30
ip address 100.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
ip address 100.1.2.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 100.1.1.0 0.0.0.255
network 100.1.2.0 0.0.0.255
#
return
#
sysname SPE2
#
vlan batch 40 50
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi V100 static
pwsignal ldp
vsi-id 100
peer 1.1.1.9
peer 5.5.5.9 static-upe tran 100 recv 100
#
mpls ldp
#
remote-ip 1.1.1.9
#
interface Vlanif40
ip address 100.1.2.2 255.255.255.0
mpls
mpls ldp
#

interface Vlanif50
ip address 100.1.4.1 255.255.255.0
mpls
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 100.1.2.0 0.0.0.255
network 100.1.4.0 0.0.0.255
#
static-lsp ingress SPE2toUPE2 destination 5.5.5.9 32 nexthop 100.1.4.2 out-
labe
l 50
static-lsp egress UPE2toSPE2 incoming-interface Vlanif 50 in-label 40
#
return

#
sysname UPE2
#
vlan batch 50 60
#
mpls lsr-id 5.5.5.9
mpls
#
mpls l2vpn
#
interface Vlanif50
ip address 100.1.4.2 255.255.255.0
mpls
#
interface Vlanif60
100
#
#
#
interface LoopBack1
ip address 5.5.5.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 5.5.5.9 0.0.0.0
network 100.1.4.0 0.0.0.255
#
static-lsp ingress UPE2toSPE2 destination 3.3.3.9 32 nexthop 100.1.4.1 out-
label 40
static-lsp egress SPE2toUPE2 incoming-interface Vlanif 50 in-label 50
#
return

7.13.6 Example for Configuring Dynamic VLLs to Access a VPLS

Network
As shown in Figure 7-17, VLLs are set up between UPEs and SPEs in Martini mode. CE1 and
CE2 access the full-meshed VPLS network through UPEs.
Figure 7-17 Networking of VPLS access through the dynamic VLL

1.1.1.9 GE1/0/0 2.2.2.9 GE1/0/0 3.3.3.9
VLANIF 10 VLANIF 20
100.1.1.1/24 100.1.2.2/24
SPE1 SPE2
GE1/0/0 GE2/0/0
VLANIF 10 P VLANIF 20 GE2/0/0
GE2/0/0
100.1.1.2/24 100.1.2.1/24 VLANIF 40
VLANIF 30
100.1.3.1/24 100.1.4.1/24
Lo
4. k1
o
4. c
GE2/0/0 GE2/0/0 5. pba

4. pba
9
VLANIF 30 VLANIF 40 5. c
o
5. k1
Lo
100.1.4.2/24 9
100.1.3.2/24
UPE1 UPE2
GE1/0/0
GE1/0/0
VLANIF 60
VLANIF 50
GE1/0/0 GE1/0/0
VLANIF50 VLANIF 60
10.1.1.1/24 10.1.1.2/24
CE1 CE2
SPE1 GigabitEthernet1/0/0 VLANIF 10 100.1.1.1/24
Loopback1 - 1.1.1.9/32
SPE2 GigabitEthernet1/0/0 VLANIF 20 100.1.2.2/24
loopback1 - 2.2.2.9/32
UPE1 GigabitEthernet1/0/0 VLANIF 50 -
Loopback1 - 4.4.4.9/32
UPE2 GigabitEthernet1/0/0 VLANIF 60 -

Loopback1 - 5.5.5.9/32
1. Configure a routing protocol on the backbone network.
2. Configure the basic MPLS functions on the UPEs and SPEs and set up LSP tunnels.
3. Configure the MPLS L2VPN capability on the UPEs and SPEs.
4. Configure dynamic VLLs on the UPEs.
5. Configure VSIs on the SPEs and configure the SPEs to access VPLS through VLL.
Data Preparation
l VLANs configured on the interfaces and IP addresses of the interfaces on UPEs and SPEs
l MPLS LSR IDs of UPEs and SPEs, which are used as peer IP addresses
l Routing protocol
l VC ID of the L2VC
Procedure
Step 1 Create VLANs and add interfaces to the VLANs.
Step 2 Set IP addresses.
Set the IP addresses and masks of the interfaces, including VLANIF interfaces and loopback
interfaces, on the UPEs and SPEs according to Figure 7-17.
Step 3 Configure an IGP protocol.
Run OSPF on the SPEs and P to advertise the routes of the network segment and LSR IDs.
# Configure SPE1.
<SPE1> system-view
[SPE1] ospf
[SPE1-ospf-1] quit

# Configure P.
<P> system-view
[P] ospf
[P-ospf-1] area 0
[P-ospf-1] quit
# Configure SPE2.
<SPE2> system-view
[SPE2] ospf
[SPE2-ospf-1] quit
# Configure UPE1.
<UPE1> system-view
[UPE1] ospf
[UPE1-ospf-1] quit
# Configure UPE2.
<UPE2> system-view
[UPE2] ospf
[UPE2-ospf-1] quit

# Configure SPE1.
[SPE1] mpls
[SPE1-mpls] quit
[SPE1] mpls ldp
# Configure P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif10] mpls

[P-Vlanif10] quit
[P-Vlanif20] mpls
[P-Vlanif20] quit
# Configure SPE2.
[SPE2] mpls
[SPE2-mpls] quit
[SPE2] mpls ldp
# Configure UPE1.
[UPE1] mpls
[UPE1-mpls] quit
[UPE1] mpls ldp
[UPE1-mpls-ldp] quit
[UPE1-Vlanif30] mpls ldp
# Configure UPE2.
[UPE2] mpls
[UPE2-mpls] quit
[UPE2] mpls ldp
[UPE2-mpls-ldp] quit
[UPE2-Vlanif40] mpls ldp
After the configuration, run the display mpls ldp session command on UPEs, P, and SPEs. You
can see that the peer relationship is set up between SPE and UPE, or between SPE and P. The
status of the peer relationship is Operational. Run the display mpls lsp command, and you can
view the status of the LSPs.
Step 5 Set up remote LDP sessions between SPEs.
# Configure SPE1.
[SPE1-mpls-ldp-remote-1] remote-ip 3.3.3.9
[SPE1-mpls-ldp-remote-1] quit
# Configure SPE2.
[SPE2-mpls-ldp-remote-1] remote-ip 1.1.1.9
[SPE2-mpls-ldp-remote-1] quit
Step 6 Enable the MPLS L2VPN function and configure Martini VLLs on the UPEs.
# Configure UPE1.

[UPE1] mpls l2vpn

[UPE1] mpls l2vpn default martini
[UPE1-l2vpn] quit
[UPE1-Vlanif50] mpls l2vc 1.1.1.9 100
# Configure UPE2.
[UPE2] mpls l2vpn
[UPE2-l2vpn] quit
[UPE2-Vlanif60] mpls l2vc 3.3.3.9 100
Step 7 Enable the MPLS L2VPN function and configure VSIs on SPEs.
# Configure SPE1.
[SPE1] mpls l2vpn
[SPE1-l2vpn] quit
[SPE1] vsi v100 static
[SPE1-vsi-v100] pwsignal ldp
[SPE1-vsi-v100-ldp] vsi-id 100
[SPE1-vsi-v100-ldp] peer 3.3.3.9
[SPE1-vsi-v100-ldp] peer 4.4.4.9 upe
[SPE1-vsi-v100-ldp] quit
# Configure SPE2.
[SPE2] mpls l2vpn
[SPE2-l2vpn] quit
[SPE2] vsi v100 static
[SPE2-vsi-v100] pwsignal ldp
[SPE2-vsi-v100-ldp] vsi-id 100
[SPE2-vsi-v100-ldp] peer 1.1.1.9
[SPE2-vsi-v100-ldp] peer 5.5.5.9 upe
[SPE2-vsi-v100-ldp] quit
After the configuration, run the display mpls l2vc command on the UPEs. You can find that the
dynamic VLLs are established and the VC status is Up. Take the display on UPE1 as an example.
[UPE1] display mpls l2vc

session state : up
AC status : up
VC state : up
VC ID : 100
VC type : VLAN
local group ID : 0
link state : up

VC last up time : 2010-01-16 10:53:02

CKey : 16
NKey : 15
Run the display vsi name v100 command on an SPE, and you can see that the VSI named
v100 is in Up state and the PW is also in Up state. Take the display on SPE1 as an example.
<SPE1> display vsi name v100
Vsi Mem PW Mac Encap Mtu Vsi
Name Disc Type Learn Type Value State
v100 static ldp unqualify vlan 1500 up
CE1 and CE2, which are located on the same network segment, can ping each other.
[CE1] ping 10.1.1.2
0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 50
#
interface Vlanif 50
ip address 10.1.1.1 255.255.255.0
#
#
return

#
sysname CE2
#
vlan batch 60
#
interface Vlanif 60
ip address 10.1.1.2 255.255.255.0
#
#
return

#
sysname UPE1
#
vlan batch 30 50
#

mpls lsr-id 4.4.4.9

mpls
#
mpls l2vpn
#
mpls ldp
#
interface vlanif 30
ip address 100.1.3.2 255.255.255.0
mpls
mpls ldp
#
interface vlanif 50
mpls l2vc 1.1.1.9 100
#
#
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 100.1.3.0 0.0.0.255
#
return
#
sysname SPE1
#
vlan batch 10 30
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi v100 static
pwsignal ldp
vsi-id 100
peer 3.3.3.9
peer 4.4.4.9 upe
#
mpls ldp
#
remote-ip 3.3.3.9
#
interface Vlanif 10
ip address 100.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif 30
ip address 100.1.3.1 255.255.255.0
mpls
mpls ldp
#
#

#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 100.1.1.0 0.0.0.255
network 100.1.3.0 0.0.0.255
#
return
#
sysname P
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif 10
ip address 100.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif 20
ip address 100.1.2.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 100.1.1.0 0.0.0.255
network 100.1.2.0 0.0.0.255
#
return
#
sysname SPE2
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi v100 static
pwsignal ldp
vsi-id 100
mac-withdraw enable
peer 1.1.1.9
peer 5.5.5.9 upe
#
mpls ldp

#
remote-ip 1.1.1.9
#
interface Vlanif 20
ip address 100.1.2.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif 40
ip address 100.1.4.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 100.1.2.0 0.0.0.255
network 100.1.4.0 0.0.0.255
#
return
#
sysname UPE2
#
vlan batch 40 60
#
mpls lsr-id 5.5.5.9
mpls
#
mpls l2vpn
#
mpls ldp
#
interface Vlanif 40
ip address 100.1.4.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif 60
mpls l2vc 3.3.3.9 100
#
#
#
interface LoopBack1
ip address 5.5.5.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 5.5.5.9 0.0.0.0
network 100.1.4.0 0.0.0.255

#
return
7.13.7 Example for Configuring Inter-AS Martini VPLS Option A
As shown in Figure 7-18, the Option A scheme is adopted to establish the inter-AS Martini
VPLS. The MPLS backbone network in an AS uses IS-IS as the IGP protocol.
Figure 7-18 Networking diagram for configuring inter-AS Martini VPLS Option A
VPLS Backbone VPLS Backbone

AS 100 AS 200
1.1.1.1/32 2.2.2.2/32 3.3.3.3/32 4.4.4.4/32
GE2/0/0 GE2/0/0 GE1/0/0 GE2/0/0
GE1/0/0 GE1/0/0
PE1 ASBR-PE1 ASBR-PE2 PE2
GE1/0/0 GE2/0/0
GE1/0/0 GE1/0/0
CE1 CE2
Loopback1 - 1.1.1.1/32
ASBR-PE1 GigabitEthernet 1/0/0 VLANIF 20 100.1.1.2/24
Loopback1 - 2.2.2.2/32
ASBR-PE2 GigabitEthernet 1/0/0 VLANIF 30 -
Loopback1 - 3.3.3.3/32
Loopback1 - 4.4.4.4/32

1. Run an IGP on the MPLS backbone network so that devices in the same AS can interwork.
2. Configure basic MPLS functions on devices in the backbone network and establish dynamic
LSPs between PEs and ASBR-PEs in the same AS. Establish remote LDP sessions if PEs
and ASBR-PEs are indirectly connected.
3. Establish VPLS connections between PEs and ASBR-PEs in the same AS.
Data Preparation
l IS-IS data
l IP addresses of remote peers
l MPLS LSR IDs on PEs and ASBR-PEs
l VSI IDs
Procedure
NOTE
Step 2 Configure an IGP on the MPLS backbone network.

PEs and ASBR-PEs on the backbone network can interwork by using an IGP.
In this example, IS-IS is used, and the configuration details are not mentioned here.
After the configuration, the IS-IS neighbor relationship is established between ASBR-PEs and
PEs in the same AS. Run the display isis peer command, and you can view that the status of
IS-IS neighbors is Up, and the PEs can learn loopback addresses from each other.

----------------------------
0000.0000.0002 Vlanif20 0000000002 Up 23s L1L2 --
Total Peer(s): 1
ASBR-PEs and PEs in the same AS can ping each other successfully.
<PE1> ping 2.2.2.2



0.00% packet loss

Configure basic MPLS functions on the MPLS backbone network. Establish dynamic LDP LSPs
between PEs and ASBR-PEs in the same AS.
Run the display mpls ldp session command, and you can view that an LSP tunnel is established
between the PE and ASBR-PE in the same AS.
Take ASBR-PE1 as an example.

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------

# Configure PE1.
[PE1] mpls l2vpn
# Configure PE2.
[PE2] mpls l2vpn
Step 5 Bind VSIs to related interfaces.

Configure VSIs on PEs and ASBR-PEs respectively and bind the VSIs to related interfaces.
# Configure PE1.
[PE1] vsi a1 static
[PE1-vsi-a1] quit
[PE1-Vlanif10] quit
[ASBR-PE1] vsi a1 static
[ASBR-PE1-vsi-a1] pwsignal ldp

[ASBR-PE1-vsi-a1-ldp] vsi-id 2
[ASBR-PE1-vsi-a1-ldp] peer 1.1.1.1
[ASBR-PE1-vsi-a1-ldp] quit
[ASBR-PE1-vsi-a1] quit
[ASBR-PE1-Vlanif30] l2 binding vsi a1
[ASBR-PE2] vsi a1 static
[ASBR-PE2-vsi-a1] pwsignal ldp
[ASBR-PE2-vsi-a1-ldp] vsi-id 3
[ASBR-PE2-vsi-a1-ldp] peer 4.4.4.4
[ASBR-PE2-vsi-a1-ldp] quit
[ASBR-PE2-vsi-a1] quit
[ASBR-PE2-Vlanif30] l2 binding vsi a1
# Configure PE2.
[PE2] vsi a1 static
[PE2-vsi-a1] quit
[PE2-Vlanif50] quit

# Configure CE1.
[CE1-Vlanif10] quit
# Configure CE2.
[CE2-Vlanif50] quit

After the preceding configurations, run the display vsi name verbose command on PE1. You
can find that a VSI named a1 sets up a PW to PE2, and the status of the VSI is UP.
***VSI Name : a1
VSI Index : 0
PW Signaling : ldp
MTU : 1500
Mpls Exp : --
DomainId : 0
Domain Name :
VSI State : up

VSI ID : 2
VC Label : 23552
Peer Type : dynamic
Session : up
Tunnel ID : 0x20020
CKey : 6
NKey : 5
StpEnable : 0
PwIndex : 0

State : up
Last Up Time : 2009-08-15 15:41:59
**PW Information:

PW State : up
PW Type : label
Tunnel ID : 0x20020
Ckey : 0x6
Nkey : 0x5
Tnl Type : LSP
Stp Enable : 0
Mac Flapping : 0
PW Last Up Time : 2009-08-15 15:41:59
CE1 and CE2 can ping each other successfully.

Take the display on CE1 as an example.
<CE1> ping 10.1.1.2

0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0

#
#
return
#
sysname PE1
#
vlan batch 10 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
vsi a1 static
pwsignal ldp
vsi-id 2
peer 2.2.2.2
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0001.00
#
interface Vlanif10
l2 binding vsi a1
#
interface Vlanif20
ip address 100.1.1.1 255.255.255.0
isis enable 1
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
isis enable 1
#
return
#
sysname ASBR-PE1
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls l2vpn
#
vsi a1 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
#
mpls ldp
#
isis 1

network-entity 10.0000.0000.0002.00
#
interface Vlanif20
ip address 100.1.1.2 255.255.255.0
isis enable 1
mpls
mpls ldp
#
interface Vlanif30
l2 binding vsi a1
#
#
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
isis enable 1
#
return
#
sysname ASBR-PE2
#
vlan batch 30 40
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
vsi a1 static
pwsignal ldp
vsi-id 3
peer 4.4.4.4
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0003.00
#
interface Vlanif30
l2 binding vsi a1
#
interface Vlanif40
ip address 200.1.1.1 255.255.255.0
isis enable 1
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
isis enable 1
#
return

#
sysname PE2
#
vlan batch 40 50
#
mpls lsr-id 4.4.4.4
mpls
#
mpls l2vpn
#
vsi a1 static
pwsignal ldp
vsi-id 3
peer 3.3.3.3
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0004.00
#
interface Vlanif40
ip address 200.1.1.2 255.255.255.0
isis enable 1
mpls
mpls ldp
#
interface Vlanif50
l2 binding vsi a1
#
#
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
isis enable 1
#
return

#
sysname CE2
#
vlan batch 50
#
interface Vlanif50
ip address 10.1.1.2 255.255.255.0
#
#
return
7.13.8 Example for Configuring Inter-AS Kompella VPLS Option A

As shown in Figure 7-19, CE1 and CE2 belong to the same VPLS, and access the backbone
network through PE1 in AS 100 and PE2 in AS 200 respectively.

It is required to adopt Option A to implement inter-AS Kompella VPLS. The interfaces that
connect ASBR-PEs serve as AC interfaces to which VSIs are bound, that is, the interfaces are
exclusively used by the VPLS.
Figure 7-19 Networking diagram for configuring inter-AS Kompella VPLS Option A
VPLS Backbone VPLS Backbone

AS 100 AS 200
1.1.1.1/32 2.2.2.2/32 3.3.3.3/32 4.4.4.4/32
GE2/0/0 GE2/0/0 GE1/0/0 GE2/0/0

GE1/0/0 GE1/0/0
PE1 GE1/0/0 ASBR-PE1 ASBR-PE2 PE2
GE2/0/0
GE1/0/0 GE1/0/0
CE1 CE2
Loopback1 - 1.1.1.1/32
ASBR-PE1 GigabitEthernet 1/0/0 VLANIF 20 100.1.1.2/24
Loopback1 - 2.2.2.2/32
ASBR-PE2 GigabitEthernet 1/0/0 VLANIF 30 -
Loopback1 - 3.3.3.3/32
Loopback1 - 4.4.4.4/32

1. Configure an IGP on the backbone network to implement the connectivity between ASBR-
PEs and PEs and set up tunnels between PEs.
2. Establish MP IBGP peer relationships between PEs and ASBR-PEs in the same AS.
3. Configure VSIs on PE1, ASBR-PE1, ASBR-PE2, and PE2 and bind the VSIs to related
AC interfaces.
Data Preparation
l IS-IS data
l MPLS LSR IDs of PEs and ASBR-PEs (IP addresses of the loopback interfaces on peers)
l CE IDs and CE ranges
l IP addresses of interfaces connecting CEs to PEs (No IP address is required for interfaces
connecting PEs to CEs.)
Procedure
NOTE
Step 2 Configure an IGP on the backbone network.

Devices on the MPLS backbone network can interwork through an IGP. IS-IS used as an IGP
in this example.
The configuration details are not mentioned here. Note that IS-IS must be enabled on Loopback1.
After the configuration, IS-IS neighbor relationships are established between ASBR-PEs and
PEs in the same AS. Run the display isis peer command, and you can view that the neighbors
are Up. Run the display ip routing-table command, and you can view that ASBRs and PEs can
learn loopback addresses from each other.
Take PE1 as an example.

----------------------------
0000.0000.0002 Vlanif20 0000000001 Up 20s L1L2 --
Total Peer(s): 1

------------------------------------------------------------------------------

2.2.2.2/32 ISIS 15 10 D 100.1.1.2 Vlanif20
100.1.1.0/30 Direct 0 0 D 100.1.1.1 Vlanif20


ASBR-PEs and PEs in the same AS can ping Loopback1 of each other successfully. Take ASBR-
PE1 as an example.
<ASBR-PE1> ping 1.1.1.1

0.00% packet loss
Step 3 Enable MPLS and MPLS LDP, and establish tunnels.

Enable MPLS and MPLS LDP on PEs and ASBR-PEs in the same AS and establish LDP LSPs.
After the configuration, run the display mpls lsp command on each PE, and you can find that
LSPs are successfully set up between the PEs and the ASBR-PEs in the same AS.
Take PE1 as an example.
<PE1> display mpls lsp

-------------------------------------------------------------------------
2.2.2.2/32 NULL/3 -/Vlanif20
2.2.2.2/32 1024/3 -/Vlanif20
Step 4 Configure MP IBGP connections within an AS.

# Establish MP IBGP connections and enable BGP VPLS.
# Configure PE1.
<PE1> system-view
[PE1] bgp 100
[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] vpls-family
[ASBR-PE1-bgp-af-vpls] peer 1.1.1.1 enable
The configurations of AS 200 are similar to those of AS 100, and thus are not mentioned here.
After this step, run the display bgp vpls peer command on PEs or ASBR-PEs, and you can find
that MP-IBGP peer connections are in the Established state.


<PE1> display bgp vpls peer

2.2.2.2 4 100 11 13 0 00:09:04 Established 0
Step 5 Enable MPLS L2VPN on PEs and ASBR-PEs.

# Configure PE1.
[PE1] mpls l2vpn
# Configure PE2.
[PE2] mpls l2vpn
Step 6 Configure VSIs on PEs and ASBR-PEs and bind the VSIs to related AC interfaces.
# Configure PE1.
[PE1] vsi v1 auto
[PE1-vsi-v1] pwsignal bgp
[PE1-vsi-v1-bgp] route-distinguisher 100:1
[PE1-vsi-v1-bgp] vpn-target 1:1 import-extcommunity
[PE1-vsi-v1-bgp] vpn-target 1:1 export-extcommunity
[PE1-vsi-v1-bgp] site 1 range 5 default-offset 0
[PE1-vsi-v1-bgp] quit
[PE1-vsi-v1] quit
[PE1-Vlanif10] l2 binding vsi v1
[PE1-Vlanif10] quit
[ASBR-PE1] vsi v1 auto
[ASBR-PE1-vsi-v1] pwsignal bgp
[ASBR-PE1-vsi-v1-bgp] route-distinguisher 100:2
[ASBR-PE1-vsi-v1-bgp] vpn-target 1:1 import-extcommunity
[ASBR-PE1-vsi-v1-bgp] vpn-target 1:1 export-extcommunity
[ASBR-PE1-vsi-v1-bgp] site 2 range 5 default-offset 0
[ASBR-PE1-vsi-v1-bgp] quit
[ASBR-PE1-vsi-v1] quit
[ASBR-PE1-Vlanif30] l2 binding vsi v1
[ASBR-PE2] vsi v1 auto
[ASBR-PE2-vsi-v1] pwsignal bgp
[ASBR-PE2-vsi-v1-bgp] route-distinguisher 200:1
[ASBR-PE2-vsi-v1-bgp] vpn-target 1:1 import-extcommunity
[ASBR-PE2-vsi-v1-bgp] vpn-target 1:1 export-extcommunity
[ASBR-PE2-vsi-v1-bgp] site 1 range 5 default-offset 0
[ASBR-PE2-vsi-v1-bgp] quit
[ASBR-PE2-vsi-v1] quit


[ASBR-PE2-Vlanif30] l2 binding vsi v1
# Configure PE2.
[PE2] vsi v1 auto
[PE2-vsi-v1] pwsignal bgp
[PE2-vsi-v1-bgp] route-distinguisher 200:2
[PE2-vsi-v1-bgp] vpn-target 1:1 import-extcommunity
[PE2-vsi-v1-bgp] vpn-target 1:1 export-extcommunity
[PE2-vsi-v1-bgp] site 2 range 5 default-offset 0
[PE2-vsi-v1-bgp] quit
[PE2-vsi-v1] quit
[PE2-Vlanif50] l2 binding vsi v1
[PE2-Vlanif50] quit

# Configure CE1.
[CE1-Vlanif10] quit
# Configure CE2.
[CE2-Vlanif50] quit

Run the display vpls connection bgp command on a PE, and you can view that the status of the
VSI is Up.
<PE1> display vpls connection bgp verbose
**Remote Site ID : 2
VC State : up
RD : 100:2
MTU : 1500
PW Type : label
Tunnel Policy : --
Export vpn target : 1:1,
CE1 and CE2 can ping through each other.

<CE1> ping 10.1.1.2
0.00% packet loss

Run the display bgp vpls all command on a PE or an ASBR-PE, and you can view information
about the VPLS label block of BGP.
Take ASBR-PE1 as an example.
<ASBR-PE1> display bgp vpls all
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
*> 1 0 1.1.1.1 5 31744 0x0 1.1.1.1 0
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
> 2 0 0.0.0.0 5 31744 0x0 0.0.0.0 0
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
ip address 10.1.1.1 255.255.255.0
#
#
return

#
sysname PE1
#
vlan batch 10 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
vsi v1 auto
pwsignal bgp
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0001.00
#
interface Vlanif10
l2 binding vsi v1
#
interface Vlanif20

ip address 100.1.1.1 255.255.255.0

isis enable 1
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
isis enable 1
#
bgp 100
#
ipv4-family unicast
peer 2.2.2.2 enable
#
vpls-family
policy vpn-target
peer 2.2.2.2 enable
#
return
#
sysname ASBR-PE1
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls l2vpn
#
vsi v1 auto
pwsignal bgp
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0002.00
#
interface Vlanif20
ip address 100.1.1.2 255.255.255.0
isis enable 1
mpls
mpls ldp
#
interface Vlanif30
l2 binding vsi v1
#
#

#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
isis enable 1
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.1 enable
#
vpls-family
policy vpn-target
peer 1.1.1.1 enable
#
return
#
sysname ASBR-PE2
#
vlan batch 30 40
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
vsi v1 auto
pwsignal bgp
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0003.00
#
interface Vlanif30
l2 binding vsi v1
#
interface Vlanif40
ip address 100.3.1.1 255.255.255.0
isis enable 1
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
isis enable 1
#
bgp 200
#
ipv4-family unicast
peer 4.4.4.4 enable

#
vpls-family
policy vpn-target
peer 4.4.4.4 enable
#
return
#
sysname PE2
#
vlan batch 40 50
#
mpls lsr-id 4.4.4.4
mpls
#
mpls l2vpn
#
vsi v1 auto
pwsignal bgp
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0004.00
#
interface Vlanif40
ip address 100.3.1.2 255.255.255.0
isis enable 1
mpls
mpls ldp
#
interface Vlanif50
l2 binding vsi v1
#
#
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
isis enable 1
#
bgp 200
#
ipv4-family unicast
peer 3.3.3.3 enable
#
vpls-family
policy vpn-target
peer 3.3.3.3 enable
#
return
#
sysname CE2
#
vlan batch 50

#
interface Vlanif 50
ip address 100.1.1.2 255.255.255.0
#
#
return

Configuration Guide - VPN 8 VPLS Convergence Configuration
8 VPLS Convergence Configuration
About This Chapter
This chapter describes the rationale, application, and configuration of VPLS convergence.
8.1 VPLS Convergence Overview
This section describes the principle and concepts of VPLS convergence.
8.2 VPLS Convergence Supported by the S7700
This section describes the VPLS convergence features supported by the S7700.
8.3 Configuring VPLS Convergence (UPE Directly Connected to the NPE)
This section describes how to configure VPLS convergence when the UPE is directly connected
to the NPE.
8.4 Configuring BFD for VSI PW
If a BFD session is bound to the mVSI PW, you can monitor the service VSI by monitoring the
status of the mVSI PW.
8.5 Maintaining VPLS Convergence
This section describes how to debug VPLS convergence.
This section provides a configuration example of VPLS convergence.

8.1 VPLS Convergence Overview

This section describes the principle and concepts of VPLS convergence.
The Ethernet switching technology has been mainly applied to the Local Area Network (LAN)
for a long time. With the advantages of expanding bandwidth, simplicity, and cost-efficiency,
the Ethernet technology is coming into wider use in the Metropolitan Area Network (MAN) and
Wide Area Network (WAN). The demands of customers and carriers also drive the rapid
development of the Metro Ethernet.
The advantages of the Metro Ethernet are as follows:
l Flexible bandwidth
l Low-cost and simple technology
l Wide application
l Powerful support on multicast
l High scalability and security
Generally, in the VPLS convergence solution, an UPE is connected to two NPEs and VPLS
convergence is used to improve reliability. In the actual networking, the S7700 can be used as
the UPE and configured with the management VSI (mVSI).
Hierarchical VPLS (HVPLS) or VPLS connections are set up between different devices on the
Metro Ethernet. The Management Virtual Router Redundancy Protocol (mVRRP) is run
between core devices to determine whether a device is the master or the backup. The pseudo
wires (PWs) and attachment circuit (AC) interfaces between VSIs determine the master and the
backup by tracking the status of the mVRRP virtual router.
When mVRRP performs the switchover, the PW and AC interfaces between VSIs also perform
the switchover. Meanwhile, the VSI clears its own MAC address and learns the MAC address
of the new master device again.
8.2 VPLS Convergence Supported by the S7700

This section describes the VPLS convergence features supported by the S7700.
mVPLS
The VSI of the mVPLS is called the mVSI.
The conditions on which the mVSI and service VSI become Up are as follows:
l Service VSI: A service VSI becomes Up when at least two AC interfaces become Up or
one PW and one AC interface become Up.
l mVSI: An mVSI becomes Up when at least one PW or AC interface becomes Up.
The mVSI can be bound to the service VSI. When receiving a gratuitous ARP packet, the mVSI
requests all the bound service VSIs to clear the MAC address entries and to learn the MAC
addresses again.

mVRRP
The only difference between an mVRRP group and a common VRRP group is that the mVRRP
group can be bound to service VRRP groups and can determine the status of a service VRRP
group according to the binding relation.
Although an mVRRP group can be bound to multiple service VRRP groups, the mVRRP group
cannot be bound to any other mVRRP groups as a service VRRP group.
According to different application scenarios, the binding relations related to the mVRRP group
are as follows:
l Binding relation between a service VRRP group and an mVRRP group
l Binding relation between a service interface and an mVRRP group
l Binding relation between a PW and an mVRRP group
As shown in the following networking diagram, an UPE is connected to two NPEs. VRRP runs
between NPEs. The VRRP priority determines whether an NPE is the master or the backup.
When the link related to the master NPE fails or the master NPE fails, the backup NPE changes
its status to master.

Figure 8-1 UPE dual-homed to the NPEs
I n te rn et
IP/MPLS
core
IP
network
NPE1 NPE2
Metro
ethernet
UPE3 UPE4 network
UPE1 UPE2
DSLAM2
DSLAM1
DSLAM3
Access
network
Multiple mVRRP groups are run between the NPEs. The services are bound to different mVRRP
groups so that they can use different master NPEs. For example, the user of UPE1 uses NPE1
as the master NPE and uses NPE2 as the backup NPE; the user of UPE2 uses NPE2 as the master
NPE and uses NPE1 as the backup NPE.
NOTE
For more information about VRRP, see VRRP and VRRP6 Configuration in the Quidway S7700 Smart
Routing Switch Configuration Guide - Reliability.
mVRRP over mVPLS

mVRRP over mVPLS indicates that mVRRP packets are transmitted by the mVSI through the
mPW.
As shown in Figure 8-2, mVPLS is run between the UPE and the NPEs; the mVSI is configured
on the UPE and the NPEs; mVRRP runs between NPEs. mVRRP packets are transmitted through

the mPW between the UPE and the NPEs and forwarded by the mVSI. Other service packets
are transmitted through the service PW and exchanged by the service VSI between the UPE and
the NPEs.
Figure 8-2 Binding relation between the mVSI and the service VSI
VSI1 VSI2
NPE1
mVSI
VSI1 VSI2
UPE
S9300 VSI1 VSI2
NPE2
PW for mVSI
PW for normal VSI
The mVRRP packets and other service packets are transmitted through different PWs; therefore,
the packets are separated from each other.
The mVSI and the service VSI are bound on the UPE. When the VRRP group on the NPE
performs master/backup switchover, the following occurs:
1. The mVSI on the UPE receives the gratuitous ARP packet sent from the NPE through the
mPW between the UPE and the NPEs.
2. The mVSI checks whether the received gratuitous ARP packet is the same as the previously
received one. That is, the mVSI checks whether the two packets are received through the
same PW and whether their IP addresses, incoming labels, incoming interfaces, and MAC
addresses are the same.
l If they are the same, it indicates that the mVRRP group between NPEs does not perform
the master/backup switchover.
l If they are the different, it indicates that the mVRRP group between NPEs has performed
the master/backup switchover.
3. The UPE clears the MAC addresses of all the bound service VSIs according to the binding
relation between the mVSI and the service VSI. In addition, the service VSI on the UPE
sends a MAC Withdraw message to all the peers in the local VSI. When receiving the
message, the remote peers clear the MAC addresses on the PW side.
4. After the MAC address of the service VSI is cleared, the UPE broadcasts the received
packet destined for the new master NPE because the packet is an unknow frame. After
receiving the broadcast packets, the new master NPE learns the source MAC address of
the packet for the reverse traffic forwarding.

In addition, different from the service VSI, the mVSI is used to transmit and intercept the
ARP packets; therefore, you cannot shut down the mVSI.
8.3 Configuring VPLS Convergence (UPE Directly

Connected to the NPE)
This section describes how to configure VPLS convergence when the UPE is directly connected
to the NPE.

As shown in Figure 8-3, the UPE is directly connected to two NPEs. You need to run VRRP
between the NPEs and set the precedence for the mVRRP to determine the master NPE and the
backup NPE. The mVRRP packets are transmitted and forwarded through the mPW and the
mVSI between the UPE and the NPE.
The service VSI and service PW also need to be set up between the UPE and the NPE to transmit
and forward service packets from an access network.
VPLS convergence is deployed on the UPE and the NPEs. After mVRRP and the mVSI are
correctly configured, the service data of users can be sent to the master NPE. When the master
NPE or the link between the UPE and the master NPE fails, the backup NPE automatically
becomes the master NPE and the service data of users are sent to the new master NPE.
Figure 8-3 Networking diagram for configuring VPLS convergence (UPE directly accesses the
NPE)
mVRRP mVRRP
VRRP VRRP
NPE1 NPE2
VSI
mVSI
UPE
Access
network
PW for mVSI
PW for VSI
Packet of mVRRP
Packet of VRRP

Before configuring basic functions of VPLS convergence (UPE directly accesses the NPEs),
complete the following tasks:
l Setting the LSR ID on the UPE and the NPE, enabling MPLS, and creating an MPLS LDP
session
l Enabling MPLS L2VPN on the UPE and the NPE
l Configuring the mVRRP and the binding relations for the mVRRP on the NPE
l Configuring a service VSI on the UPE
Data Preparation
To configure basic functions of VPLS convergence (UPE directly accesses the NPEs), you need
the following data.
No. Data
1 Names and IDs of the mVSI and the service VSI
2 IP address of the peer and the tunnel policy used by the PW
3 Name and number of the interface to which a VSI is bound
8.3.2 Configuring the mVSI
Context
To forward the mVRRP packets on the NPEs through the mVSI on the UPE, do as follows.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vsi vsi-name static
A VSI is created and the automatic member discovery mechanism is configured.

Step 3 Run:
pwsignal ldp
LDP is configured as the signaling protocol of the PW and the VIS-LDP view is displayed.
Step 4 Run:
vsi-id vsi-id
The ID of the VSI is set.

Step 5 Run:

peer peer-address [ negotiation-vc-id vc-id ] [ tnl-policy policy-name ] upe
The VSI peer relation is configured between the UPE and the NPE. The MPLS LSR ID of the
NPE is configured as the peer address.
Step 6 Run:
quit
Return to the VSI view.
Step 7 Run:
admin-vsi
The VSI is configured as the mVSI.
----End
8.3.3 Configuring the Binding Relations for the mVSI
Context
Do as follows on the UPE.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vsi vsi-name
The view of the created VSI is displayed.
Step 3 Run:
track admin-vsi vsi-name
The service VSI is bound to an mVSI.
The mVSI can be bound to the service VSI. When receiving a gratuitous ARP packet or BFD
Down packets, the mVSI requests all the bound service VSIs to clear the MAC address entries
and to learn the MAC addresses again.
NOTE
The control plane requests the forwarding plane to clear the MAC addresses of the service VSIs if the
number of service VSIs bound to the mVSI reaches the threshold. The threshold is determined by the PAF
file and the license file.
l If the number of service VSIs bound to the mVSI does not reach the threshold, the control plane delivers
notification messages one by one to the forwarding plane to clear the MAC addresses of the service
VSIs bound to the mVSI and records the events in the logs.
l If the number of service VSIs bound to the mVSI reaches the threshold, the control plane delivers
notification messages to the forwarding plane to clear the MAC addresses of all the service VSIs and
records the log.
----End


Prerequisite
The configurations of VPLS convergence are complete.
Procedure
l Run the display admin-vsi binding [ admin-vsi vsi-name ] command to view the binding
relations between the mVSI and the service VSIs.
----End
Example
Run the display admin-vsi binding command. If information about the binding relations
between the mVSI and all service VSIs are displayed, it means that the configuration is
successful.
<Quidway> display admin-vsi binding
Admin-vsi Service-vsi
--------------------------------------------
admin-vsi1 biz-vsi1
biz-vsi2
8.4 Configuring BFD for VSI PW

If a BFD session is bound to the mVSI PW, you can monitor the service VSI by monitoring the
status of the mVSI PW.

Before configuring BFD for VSI PW, familiarize yourself with the applicable environment,
In the VPLS convergence MAN solution, you can establish multiple service VSI PWs and bind
them to an mVSI PW. In this manner, if a BFD session is bound to the mVSI PW, you can
monitor the service VSI only by monitoring the status of the mVSI PW.
Pre-configuration Task
Before configuring BFD for VSI PW, complete the following task:
l Establishing an mVSI PW correctly
NOTE
BFD for the VSI PW uses the default multicast IP address as the peer IP address, and this BFD session
must be established on the mVSI PW because only the mVSI PW can process multicast BFD packets.
Data Preparation
To configure BFD for VSI PW, you need the following data.

No. Data
1 Name of the management VSI
2 BFD name
3 Peer IP address of the VSI PW to be detected by the BFD session
4 BFD session parameters: local and remote discriminators

Before configuring BFD for VSI PW, you need to enable BFD globally.
Context
Do as follows on routers at both ends of the link to be detected:
Procedure
Step 1 Run:
system-view
Step 2 Run:
bfd
BFD is enabled on this node and the BFD view is displayed.
----End
8.4.3 Enabling the Sending of BFD for VSI-PW Packets to the

Protocol Stack
To detect VSI PW links by using BFD sessions, the sending of BFD for VSI-PW packets to the
protocol stack must be enabled.
Procedure
Step 1 Run:
system-view
Step 2 Run:
bfd for vsi-pw enable
The sending of BFD for VSI-PW packets to the protocol stack is enabled.
----End

8.4.4 Establishing BFD Sessions

After a BFD session is established and bound to the VSI PW, you need to commit the
configuration.
Context
Do as follows on routers at both ends of the VSI PW to be detected:
Procedure
Step 1 Run:
system-view
Step 2 Run:
bfd cfg-name bind peer-ip default-ip vsi vsi-name peer peer-address [ vc-id vc-id ]
BFD for VSI PW is configured.
NOTE
A default multicast IP address is required for BFD for VSI PW, that is, a Layer 2 tunnel.
Step 3 Run the following commands to set discriminators:

l Run the discriminator local discr-value command to set the local discriminator.
l Run the discriminator remote discr-value command to set the remote discriminator.
NOTE
The local discriminator of the local system and the remote discriminator of the remote system are the same.
The remote discriminator of the local system and the local discriminator of the remote system are the same.
Otherwise, BFD sessions cannot be established. In addition, discriminators cannot be changed after being
set.
Step 4 Run:
commit
The configuration is committed.
----End

After BFD for VSI PW is configured, you can view information about BFD configurations, BFD
sessions, and BFD statistics.
Prerequisite
The configurations of the BFD for VSI PW function are complete.
Procedure
l Run the display bfd configuration { { all | static } for-vsi-pw | vsi-pw vsi vsi-name
peer peer-address [ vc-id vc-id ] } [ verbose ] command to check BFD configuration on
BFD for VSI PW.

l Run the display bfd session { all | static } for-vsi-pw [ verbose ] command to check BFD
configuration on BFD for VSI PW.
l Run the display bfd statistics session{ all | static } for-vsi-pw command to check BFD
statistics on BFD for VSI PW.
----End
Example
# Display the statistics of the BFD session.
<Quidway> display bfd configuration all for-vsi-pw verbose
BFD Session Configuration Name : to_a
BFD Bind Type : VSI PW
Bind Peer Ip Address : 224.0.0.184
Bind Interface : Ethernet6/0/0
Vsi Name : hello
Vsi Pw Peer Ip Address : 3.3.3.3
Vc Id : 200
WTR Interval (ms) : -- Process PST : Disable
Local Demand Mode : Disable
Bind Application : VSI PW
---------------------------------------------------------------------
You can see that a BFD session named to_a is established, and the binding type is VSI PW.
8.5 Maintaining VPLS Convergence

This section describes how to debug VPLS convergence.
8.5.1 Debugging VPLS Convergence
Context
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging
all command to disable it immediately.
When a fault occurs in software-based VPLS forwarding, run the following debugging command
in the user view to locate the fault.
For the procedure for enabling the debugging, refer to the chapter "Information Center" in the
Configuration Guide - System Management. For the description of the debugging commands,
refer to the Quidway S7700 Smart Routing Switch Debugging Reference.

Procedure
l Run the debugging mpls l2vpn vpls-forward { error-message | mac-event | vpls-
event } command in the user view to enable the debugging of software-based VPLS
forwarding and view the debugging information.
----End

This section provides a configuration example of VPLS convergence.
8.6.1 Example for Configuring the mVSI

Figure 8-4 shows the networking diagram for configuring VPLS convergence on the Metro
Ethernet.
l The two NPEs are the core devices in the Metro Ethernet. They access the upstream IP/
MPLS core network and the downstream UPE. The mVRRP runs between NPE1 and NPE2
to determine whether an NPE is the master or the slave. An mVSI runs on the UPE. The
mVPPR packets are exchanged between NPE1 and NPE2 through the mVSI on the UPE.
The service PWs of NPE1 and NPE2 are bound to the mVRRP group so that the status of
the service PWs is determined by the mVRRP group. Normally, only the service PW on
the master NPE processes the service data of users.
l The service data of users is sent to the service VSI on the UPE, and then forwarded to the
two NPEs through the service VSI.
l The service VSIs on the UPE are bound to the mVSI. When active/standby switchover
occurs between the NPEs, the MAC addresses of all the service VSIs bound to the mVSI
on the UPE are cleared. The service VSIs learn the MAC address of the new master NPE
and services are not interrupted.

Figure 8-4 Configuring the mVSI
mVRRP VRID1 NPE2

NPE1
GE1/0/1 GE1/0/1
10.1.1.2/24 10.1.2.2/24
GE1/0/1 VSI GE1/0/2

VLANIF 100 m VSI VLANIF 200
10.1.1.1/24 10.1.2.1/24
GE1/0/0 UPE
GE1/0/0
LAN Switch
GE1/0/1
VLAN101
PC1
192.168.2.3/24
Gateway:192.168.2.254
PW for mVRRP
PW for normal VRRP
Device Interface Name VLANIF interface IP Address
Name
UPE Loopback1 - 1.1.1.1/32
UPE GE1/0/0 - -
UPE GE1/0/1 VLANIF 100 10.1.1.1/24
UPE GE1/0/2 VLANIF 200 10.1.2.1/24
NPE1 Loopback1 - 2.2.2.2/32
NPE2 Loopback1 - 3.3.3.3/32
NOTE
In the networking diagram, the UPE refers to the S7700. Only the configurations on the S7700 are provided
here.
1. Configure the routing and MPLS functions.

l Set the IP addresses for the interfaces on the UPE.

l Configure the routing protocol on the UPE so that reachable routes are created between
the UPE and the NPEs.
l Configure the basic MPLS functions on the UPE.
l Configure MPLS LDP on the UPE.
2. Configure the VPLS.
l Configure the mVSI and service VSI on the UPE.
The mVSI transmits the mVRRP packets and peer BFD packets between the NPEs.
The service VSIs exchange service packets between the NPE and users.
l Bind the service VSI to the mVSI on the UPE.
When the switchover occurs between the NPEs, the mVSI on the UPE receives a
gratuitous ARP packet. The UPE clears the MAC addresses of all the bound service
VSIs according to the binding relation between the mVSI and the service VSIs.
Data Preparation
l Numbers and IP addresses of related interfaces and IS-IS process ID

l LSR ID, tunnel number, tunnel ID, and LDP peer name
l VSI name, VC ID, and tunnel policy
Procedure
Step 1 Configure routes.
After the configuration, reachable routes are available between the UPE and NPEs.
Step 2 Configure MPLS functions.

NOTE
In this example, the MPLS TE tunnel is used between the UPE and the NPEs.
1. Enable MPLS, MPLS TE, MPLS RSVP-TE, and MPLS CSPF.

On the nodes along the MPLS TE tunnel, enable MPLS, MPLS TE, and MPLS RSVP-TE
both in the system view and the interface view. On the ingress node of the tunnel, enable
MPLS CSPF in the system view. Set the address of Loopback1 to the LSR ID.
[UPE] mpls lsr-id 1.1.1.1

[UPE] mpls
[UPE-mpls] mpls te
[UPE-mpls] mpls rsvp-te
[UPE-mpls] mpls te cspf
[UPE-mpls] quit
[UPE-Vlanif100] mpls
[UPE-Vlanif100] mpls te
[UPE-Vlanif100] mpls rsvp-te
[UPE-Vlanif100] quit
[UPE-Vlanif200] mpls
[UPE-Vlanif200] mpls te

[UPE-Vlanif200] mpls rsvp-te

[UPE-Vlanif200] quit
2. Configure IS-IS TE.

[UPE] isis 1
[UPE-isis-1] cost-style wide
[UPE-isis-1] traffic-eng level-2
[UPE-isis-1] quit
3. Set up MPLS LDP sessions.

Set up MPLS LDP sessions between UPE and NPEs. Set the IP addresses of LDP remote
peers to the MPLS LSR-IDs of remote devices.
[UPE] mpls ldp
[UPE-ldp] quit
[UPE] mpls ldp remote-peer 2.2.2.2
[UPE-mpls-ldp-remote-2.2.2.2] remote-ip 2.2.2.2
[UPE-mpls-ldp-remote-2.2.2.2] quit
[UPE] mpls ldp remote-peer 3.3.3.3
[UPE-mpls-ldp-remote-3.3.3.3] remote-ip 3.3.3.3
[UPE-mpls-ldp-remote-3.3.3.3] quit
After the configuration, LDP sessions are established between the UPE and NPEs. Run the
display mpls ldp session command, and you can see that the status of the LDP sessions is
Operational.
Take the display on the UPE and NPE1 as an example:
[UPE] display mpls ldp session

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
4. Configure tunnel interfaces.

Create the tunnel interfaces on UPE and NPEs, and set the tunnel protocol to MPLS TE
and the singnaling protocol to RSVP-TE.
[UPE] interface tunnel 1/0/1
[UPE-Tunnel1/0/1] ip address unnumbered interface loopback1
[UPE-Tunnel1/0/1] tunnel-protocol mpls te
[UPE-Tunnel1/0/1] destination 2.2.2.2
[UPE-Tunnel1/0/1] description TO NPE1
[UPE-Tunnel1/0/1] mpls te tunnel-id 1
[UPE-Tunnel1/0/1] mpls te commit
[UPE-Tunnel1/0/1] quit
[UPE] interface tunnel 1/0/2
[UPE-Tunnel1/0/2] ip address unnumbered interface loopback1
[UPE-Tunnel1/0/2] tunnel-protocol mpls te
[UPE-Tunnel1/0/2] destination 3.3.3.3
[UPE-Tunnel1/0/2] description TO NPE2
[UPE-Tunnel1/0/2] mpls te tunnel-id 2
[UPE-Tunnel1/0/2] mpls te commit

After the configuration, run the display ip interface brief command, and you can see that
the protocol status of the created tunnel interface is Up.
5. Configure the tunnel policy.
[UPE] tunnel-policy policy1
[UPE-tunnel-policy-policy1] tunnel select-seq cr-lsp load-balance-number 1
[UPE-tunnel-policy-policy1] quit
Step 3 Configure VPLS.

1. Create the mVSI on the UPE. The mVSI performs only local packet exchange.
The mVRRP packets are exchanged between the NPEs through the mVSI on the UPE.
[UPE] mpls l2vpn
[UPE-l2vpn] quit
[UPE] vsi admin-vsi1 static
[UPE-vsi-admin-vsi1] pwsignal ldp
[UPE-vsi-admin-vsi1-ldp] vsi-id 10
[UPE-vsi-admin-vsi1-ldp] quit
[UPE-vsi-admin-vsi1] admin-vsi
[UPE-vsi-admin-vsi1] quit
[UPE] interface gigabitethernet 1/0/1.1
[UPE-GigabitEthernet1/0/1.1] control-vid 1 dot1q-termination
[UPE-GigabitEthernet1/0/1.1] dolt1q termination vid 10
[UPE-GigabitEthernet1/0/1.1] l2 binding vsi admin-vsi1
[UPE-GigabitEthernet1/0/1.1] quit
[UPE-GigabitEthernet1/0/2.1] dolt1q termination vid 10
[UPE-GigabitEthernet1/0/2.1] l2 binding vsi admin-vsi1
After the configuration, run the display vsi command on the UPE, and you can see that the
VSI status is Up.
Take the display on the UPE as an example:
[UPE] display vsi name admin-vsi1 verbose
***VSI Name : admin-vsi1

Administrator VSI : yes
VSI Index : 0
PW Signaling : ldp
MTU : 1500
Mpls Exp : --
DomainId : 255
Domain Name :
VSI State : up
VSI ID : 10

State : up
Last Up Time : 2009/03/15 15:41:59
State : up
Last Up Time : 2009/03/15 15:41:59

2. Configure the service VSI and bind the service interface to the service VSI.
NOTE
The common HVPLS needs to be configured between the UPE and NPEs.
[UPE] vsi biz-vsi1 static
[UPE-vsi-biz-vsi1] pwsignal ldp
[UPE-vsi-biz-vsi1-ldp] vsi-id 101
[UPE-vsi-biz-vsi1-ldp] peer 2.2.2.2
[UPE-vsi-biz-vsi1-ldp] peer 3.3.3.3
[UPE-vsi-biz-vsi1-ldp] quit
[UPE-vsi-biz-vsi1] quit
[UPE-GigabitEthernet1/0/0.1] dot1q termination vid 101
[UPE-GigabitEthernet1/0/0.1] l2 binding vsi biz-vsi1
After the configuration, run the display vsi command on the UPE, and you can see that the
VSI status is Up.
[UPE] display vsi
Total VSI number is 2, 2 is up, 0 is down, 2 is LDP mode, 0 is BGP mode
Vsi Mem PW Mac Encap Mtu Vsi

Name Disc Type Learn Type Value State
--------------------------------------------------------------------------
admin-vsi1 static ldp unqualify vlan 1500 up
biz-vsi1 static ldp unqualify vlan 1500 up
Step 4 Bind service VSI with admin VSI

[UPE] vsi biz-vsi1
[UPE-vsi-biz-vsi1] track admin-vsi admin-vsi1
[UPE-vsi-biz-vsi1] quit

Run the display admin-vsi binding command on the UPE, and you can view the binding
relations between the service VSI and the mVSI.
[UPE] display admin-vsi binding
Admin-vsi Service-vsi
--------------------------------------------
admin-vsi1 biz-vsi1
----End
Configuration Files
l Configuration file of the UPE
#
sysname UPE
#
vlan batch 100 200
#
bfd
#
mpls lsr-id 1.1.1.1
mpls
mpls te
mpls rsvp-te
#

mpls l2vpn
#
vsi admin-vsi1 static
pwsignal ldp
vsi-id 10
admin-vsi
#
vsi biz-vsi1 static
pwsignal ldp
vsi-id 101
peer 2.2.2.2
peer 3.3.3.3
tnl-policy policy1
track admin-vsi admin-vsi1
#
mpls ldp
#
remote-ip 2.2.2.2
#
remote-ip 3.3.3.3
#
isis 1
is-level level-2
cost-style wide
network-entity 49.0010.0010.0100.1001.00
traffic-eng level-2
#
ip address 10.1.1.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
ip address 10.1.2.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface GigabitEthernet1/0/0.1
l2 binding vsi biz-vsi1
#
port link-type-trunk
#
l2 binding vsi admin-vsi1
#
port link-type-trunk
#
l2 binding vsi admin-vsi1
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
isis enable 1

#
description TO NPE1
destination 2.2.2.2
mpls te tunnel-id 1
mpls te commit
#
description TO NPE2
destination 3.3.3.3
mpls te tunnel-id 2
mpls te commit
#
tunnel select-seq cr-lsp load-balance-number 1
#
return


Configuration Guide - VPN (V100R006C00 - 01)

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Configuration Guide - VPN (V100R006C00 - 01)

Uploaded by

Copyright:

Available Formats

Quidway S7700 Smart Routing Switch

Configuration Guide - VPN

HUAWEI TECHNOLOGIES CO., LTD.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Issue 01 (2011-07-15) Huawei Proprietary and Confidential i

About This Document

This document is intended for:

Indicates a hazard with a high level of risk, which if not

Indicates a hazard with a medium or low level of risk, which

Indicates a potentially hazardous situation, which if not

NOTE Provides additional information to emphasize or supplement

Issue 01 (2011-07-15) Huawei Proprietary and Confidential ii

Boldface The keywords of a command line are in boldface.

Italic Command arguments are in italics.

[] Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... } Optional items are grouped in braces and separated by

[ x | y | ... ] Optional items are grouped in brackets and separated by

{ x | y | ... }* Optional items are grouped in braces and separated by

[ x | y | ... ]* Optional items are grouped in brackets and separated by

# A line starting with the # sign is comments.

Changes in Issue 01 (2011-07-15)

Issue 01 (2011-07-15) Huawei Proprietary and Confidential iii

About This Document.....................................................................................................................ii

Issue 01 (2011-07-15) Huawei Proprietary and Confidential iv

1.8.2 Debugging a Tunnel................................................................................................................................29

3 BGP MPLS IP VPN Configuration..........................................................................................95

Issue 01 (2011-07-15) Huawei Proprietary and Confidential v

3.4 Configuring Basic BGP/MPLS IP VPN.........................................................................................................105

Issue 01 (2011-07-15) Huawei Proprietary and Confidential vi

3.10.3 Configuring the OSPF Multi-Instance on the Multi-Instance CE.......................................................143

Issue 01 (2011-07-15) Huawei Proprietary and Confidential vii

3.17.2 Example for Configuring Overlapping Addresses in Two BGP/MPLS IP VPNs..............................186

4 BGP MPLS IPv6 VPN Configuration....................................................................................321

Issue 01 (2011-07-15) Huawei Proprietary and Confidential viii

4.6.3 Applying the Tunnel Policy to the IPv6 VPN.......................................................................................350

Issue 01 (2011-07-15) Huawei Proprietary and Confidential ix

5.3.3 Creating a Local CCC Connection........................................................................................................455

Issue 01 (2011-07-15) Huawei Proprietary and Confidential x

5.10.6 Debugging VLL...................................................................................................................................487

Issue 01 (2011-07-15) Huawei Proprietary and Confidential xi

6.8.5 Checking the Configuration...................................................................................................................570

Issue 01 (2011-07-15) Huawei Proprietary and Confidential xii

7.3.6 (Optional) Configuring the Features of Kompella VPLS......................................................................688

Issue 01 (2011-07-15) Huawei Proprietary and Confidential xiii

7.12.1 Collecting the Statistics of the Traffic on a VPLS PW.......................................................................724

8 VPLS Convergence Configuration.........................................................................................799

Issue 01 (2011-07-15) Huawei Proprietary and Confidential xiv

1 VPN Tunnel Management Configuration

About This Chapter

1.1 Introduction to VPN Tunnels

Issue 01 (2011-07-15) Huawei Proprietary and Confidential 1

Issue 01 (2011-07-15) Huawei Proprietary and Confidential 2

1.1 Introduction to VPN Tunnels

Common VPN Tunnels

Tunnel Configuration Management

Issue 01 (2011-07-15) Huawei Proprietary and Confidential 3

1.2 VPN Tunnel Features Supported by the S7700

The tunnel policy can be in either of two modes:

These two modes are mutually exclusive.

Issue 01 (2011-07-15) Huawei Proprietary and Confidential 4

Tunnel Binding Mode

Figure 1-1 Networking example using VPN primary tunnel binding