Configuring nested VPN

For a network with many VPNs, nested VPN is a good solution to implement layered management of VPNs and to conceal the deployment of internal VPNs.

To build a nested VPN network, perform the following configurations:

Nested VPN allows a customer PE to directly exchange VPNv4 routes with a provider PE, without needing to deploy a provider CE. In this case, the customer PE also acts as the provider CE. Therefore, you must configure provider CE settings on it.

Configurations on the customer CE, customer PE, and provider CE are similar to basic MPLS L3VPN configurations. This task describes the configurations on the provider PE.

When you configure nested VPN, follow these guidelines:

To configure nested VPN:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enter BGP instance view.

bgp as-number [ instance instance-name ] [ multi-session-thread ]

N/A

3. Enter BGP VPNv4 address family view.

address-family vpnv4

N/A

4. Enable nested VPN.

nesting-vpn

By default, nested VPN is disabled.

5. Return to BGP instance view.

quit

N/A

6. Enter BGP-VPN instance view.

ip vpn-instance vpn-instance-name

N/A

7. Specify the peer CE or the peer group of the peer CE.

peer { group-name | ipv4-address [ mask-length ] } as-number as-number

By default, no peer is specified.

8. Create the BGP-VPN VPNv4 address family and enter its view.

address-family vpnv4

By default, the BGP-VPN VPNv4 address family is not created.

9. Enable BGP VPNv4 route exchange with the peer CE or the peer group of the peer CE.

peer { group-name | ipv4-address [ mask-length ] } enable

By default, BGP does not exchange VPNv4 routes with any peer.

10. (Optional.) Configure the SoO attribute for the BGP peer or peer group.

peer { group-name | ipv4-address [ mask-length ] } soo site-of-origin

By default, the SoO attribute is not configured.