Configuring routing between an MCE and a VPN site

You can configure static routing, RIP, OSPF, IS-IS, EBGP or IBGP between an MCE and a VPN site.

Configuring static routing between an MCE and a VPN site

An MCE can reach a VPN site through a static route. Static routing on a traditional CE is globally effective and does not support address overlapping among VPNs. An MCE supports binding a static route to a VPN instance, so that the static routes of different VPN instances can be isolated from each other.

To configure a static route to a VPN site:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Configure a static route for a VPN instance.
   Command: ip route-static vpn-instance s-vpn-instance-name dest-address { mask-length | mask } { interface-type interface-number [ next-hop-address ] | next-hop-address [ public ] [ track track-entry-number ] | vpn-instance d-vpn-instance-name next-hop-address [ track track-entry-number ] } [ permanent ] [ preference preference ] [ tag tag-value ] [ description text ]
   Remarks: By default, no static routes are configured. Perform this configuration on the MCE. On the VPN site, configure a common static route.

3. (Optional.) Configure the default preference for static routes.
   Command: ip route-static default-preference default-preference
   Remarks: The default preference is 60.

Configuring RIP between an MCE and a VPN site

A RIP process belongs to the public network or a single VPN instance. If you create a RIP process without binding it to a VPN instance, the process belongs to the public network. Binding RIP processes to VPN instances can isolate routes of different VPNs. For more information about RIP, see Layer 3—IP Routing Configuration Guide.

To configure RIP between an MCE and a VPN site:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a RIP process for a VPN instance and enter RIP view.
   Command: rip [ process-id ] vpn-instance vpn-instance-name
   Remarks: Perform this configuration on the MCE. On a VPN site, create a common RIP process.

3. Enable RIP on the interface attached to the specified network.
   Command: network network-address
   Remarks: By default, RIP is disabled on an interface.

4. Redistribute remote site routes advertised by the PE into RIP.
   Command: import-route protocol [ process-id | all-processes | allow-ibgp ] [ allow-direct | cost cost-value | route-policy route-policy-name | tag tag ] *
   Remarks: By default, no route is redistributed into RIP.

Configuring OSPF between an MCE and a VPN site

An OSPF process belongs to the public network or a single VPN instance. If you create an OSPF process without binding it to a VPN instance, the process belongs to the public network.

Binding OSPF processes to VPN instances can isolate routes of different VPNs. For more information about OSPF, see Layer 3—IP Routing Configuration Guide.

To configure OSPF between an MCE and a VPN site:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an OSPF process for a VPN instance and enter OSPF view.
   Command: ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] *
   Remarks: Perform this configuration on the MCE. On a VPN site, create a common OSPF process.
   An OSPF process bound to a VPN instance does not use the public network router ID configured in system view. Therefore, configure a router ID for the OSPF process.
   An OSPF process can belong to only one VPN instance, but one VPN instance can use multiple OSPF processes to advertise VPN routes.

3. Redistribute remote site routes advertised by the PE into OSPF.
   Command: import-route protocol [ process-id | all-processes | allow-ibgp ] [ allow-direct | cost cost-value | nssa-only | route-policy route-policy-name | tag tag | type type ] *
   Remarks: By default, no routes are redistributed into OSPF.

4. Create an OSPF area and enter OSPF area view.
   Command: area area-id
   Remarks: By default, no OSPF areas exist.

5. Enable OSPF on the interface attached to the specified network in the area.
   Command: network ip-address wildcard-mask
   Remarks: By default, an interface neither belongs to any area nor runs OSPF.

Configuring IS-IS between an MCE and a VPN site

An IS-IS process belongs to the public network or a single VPN instance. If you create an IS-IS process without binding it to a VPN instance, the process belongs to the public network.

Binding IS-IS processes to VPN instances can isolate routes of different VPNs. For more information about IS-IS, see Layer 3—IP Routing Configuration Guide.

To configure IS-IS between an MCE and a VPN site:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an IS-IS process for a VPN instance and enter IS-IS view.
   Command: isis [ process-id ] vpn-instance vpn-instance-name
   Remarks: Perform this configuration on the MCE. On a VPN site, configure a common IS-IS process.

3. Configure a network entity title.
   Command: network-entity net
   Remarks: By default, no NET is configured.

4. Create the IS-IS IPv4 unicast address family and enter its view.
   Command: address-family ipv4 [ unicast ]
   Remarks: By default, the IS-IS IPv4 unicast address family is not created.

5. Redistribute remote site routes advertised by the PE into IS-IS.
   Command: import-route protocol [ process-id | all-processes | allow-ibgp ] [ allow-direct | cost cost-value | cost-type { external | internal } | [ level-1 | level-1-2 | level-2 ] | route-policy route-policy-name | tag tag ] *
   Remarks: By default, IS-IS does not redistribute routes from any other routing protocol.
   If you do not specify the route level in the command, the command redistributes routes to the level-2 routing table by default.

6. Return to system view.
   Command: quit
   Remarks: N/A

7. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

8. Enable the IS-IS process on the interface.
   Command: isis enable [ process-id ]
   Remarks: By default, no IS-IS process is enabled on the interface.
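
As an added example (not part of the original guide), the following Python check applies the binding rules from the static routing, RIP, OSPF and IS-IS sections above to configuration text. It reports static routes and routing processes left in the public network, static routes whose next hop is in another VPN instance, and VPN-bound OSPF processes without a router ID. The sample configuration, its instance names and addresses are constructed, and the function name is hypothetical.

```python
import re

# Constructed sample in the command syntax shown on this page.
# Instance names, process IDs and addresses are made up for illustration.
SAMPLE_CONFIG = """\
ip route-static default-preference 60
ip route-static vpn-instance vpn1 10.10.0.0 16 192.168.1.2
ip route-static vpn-instance vpn1 10.30.0.0 16 vpn-instance vpn2 192.168.3.2
ip route-static 10.20.0.0 16 192.168.2.2
rip 100 vpn-instance vpn1
rip 200
ospf 10 router-id 10.10.10.1 vpn-instance vpn2
ospf 20 vpn-instance vpn3
isis 5 vpn-instance vpn2
interface GigabitEthernet1/0/1
 isis enable 5
"""

STATIC = re.compile(r"ip route-static (?!default-preference\b)(.+)$")
# Process-creation lines only: "isis enable 5" in interface view must not match.
PROCESS = re.compile(
    r"(rip|ospf|isis)(?:\s+\d+)?((?:\s+(?:router-id|vpn-instance)\s+\S+)*)$")
VPN = re.compile(r"\bvpn-instance\s+(\S+)")


def audit_vpn_binding(config):
    """Return (line, finding) pairs for routing state that is not isolated."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        static = STATIC.match(line)
        process = PROCESS.match(line)
        if static:
            vpns = VPN.findall(static.group(1))
            if not static.group(1).startswith("vpn-instance "):
                findings.append((line, "static route is in the public network"))
            elif len(vpns) > 1 and vpns[1] != vpns[0]:
                findings.append((line, "next hop is in another VPN instance"))
        elif process:
            proto, options = process.groups()
            if not VPN.search(options):
                findings.append((line, proto + " process belongs to the public network"))
            elif proto == "ospf" and "router-id" not in options.split():
                findings.append((line, "VPN-bound OSPF process has no router ID"))
    return findings


if __name__ == "__main__":
    for line, finding in audit_vpn_binding(SAMPLE_CONFIG):
        print(f"{finding}: {line}")
```

A public-network process or route can be intentional, so treat each finding as an item to review against the intended VPN design.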

Configuring EBGP between an MCE and a VPN site

To run EBGP between an MCE and a VPN site, you must configure a BGP peer for each VPN instance on the MCE, and redistribute the IGP routes of each VPN instance on the VPN site.

  1. Configure the MCE:

     1. Enter system view.
        Command: system-view
        Remarks: N/A

     2. Enter BGP instance view.
        Command: bgp as-number [ instance instance-name ] [ multi-session-thread ]
        Remarks: By default, BGP is not enabled.

     3. Enter BGP-VPN instance view.
        Command: ip vpn-instance vpn-instance-name
        Remarks: Configuration commands in BGP-VPN instance view are the same as those in BGP instance view. For more information, see Layer 3—IP Routing Configuration Guide.

     4. Configure an EBGP peer.
        Command: peer { group-name | ipv4-address [ mask-length ] } as-number as-number
        Remarks: By default, no BGP peers or peer groups exist.

     5. Enter BGP-VPN IPv4 unicast address family view.
        Command: address-family ipv4 [ unicast ]
        Remarks: N/A

     6. Enable BGP to exchange IPv4 unicast routes with the peer.
        Command: peer { group-name | ipv4-address [ mask-length ] } enable
        Remarks: By default, BGP does not exchange IPv4 unicast routes with any peer.

     7. Allow the local AS number to appear in the AS_PATH attribute of routes received from the peer, and set the maximum number of repetitions.
        Command: peer { group-name | ipv4-address [ mask-length ] } allow-as-loop [ number ]
        Remarks: By default, BGP discards incoming route updates that contain the local AS number.

     8. Redistribute remote site routes advertised by the PE into BGP.
        Command: import-route protocol [ { process-id | all-processes } [ allow-direct | med med-value | route-policy route-policy-name ] * ]
        Remarks: By default, no routes are redistributed into BGP.

  2. Configure a VPN site:

     1. Enter system view.
        Command: system-view
        Remarks: N/A

     2. Enter BGP instance view.
        Command: bgp as-number [ instance instance-name ] [ multi-session-thread ]
        Remarks: By default, BGP is not enabled.

     3. Configure the MCE as an EBGP peer.
        Command: peer { group-name | ipv4-address [ mask-length ] } as-number as-number
        Remarks: By default, no BGP peers or peer groups exist.

     4. Enter BGP-VPN IPv4 unicast address family view.
        Command: address-family ipv4 [ unicast ]
        Remarks: N/A

     5. Enable BGP to exchange IPv4 unicast routes with the peer.
        Command: peer { group-name | ipv4-address [ mask-length ] } enable
        Remarks: By default, BGP does not exchange IPv4 unicast routes with any peer.

     6. Redistribute the IGP routes of the VPN into BGP.
        Command: import-route protocol [ { process-id | all-processes } [ allow-direct | med med-value | route-policy route-policy-name ] * ]
        Remarks: By default, no routes are redistributed into BGP.
        A VPN site must advertise the VPN network addresses it can reach to the connected MCE.

Configuring IBGP between an MCE and a VPN site

To run IBGP between an MCE and a VPN site, you must configure a BGP peer for each VPN instance on the MCE, and redistribute the IGP routes of each VPN instance on the VPN site.

  1. Configure the MCE:

     1. Enter system view.
        Command: system-view
        Remarks: N/A

     2. Enter BGP instance view.
        Command: bgp as-number [ instance instance-name ] [ multi-session-thread ]
        Remarks: By default, BGP is not enabled.

     3. Enter BGP-VPN instance view.
        Command: ip vpn-instance vpn-instance-name
        Remarks: N/A

     4. Configure an IBGP peer.
        Command: peer { group-name | ipv4-address [ mask-length ] } as-number as-number
        Remarks: By default, no BGP peers or peer groups exist.

     5. Enter BGP-VPN IPv4 unicast address family view.
        Command: address-family ipv4 [ unicast ]
        Remarks: N/A

     6. Enable BGP to exchange IPv4 unicast routes with the peer.
        Command: peer { group-name | ipv4-address [ mask-length ] } enable
        Remarks: By default, BGP does not exchange IPv4 unicast routes with any peer.

     7. (Optional.) Configure the system to be the RR, and specify the peer as the client of the RR.
        Command: peer { group-name | ipv4-address [ mask-length ] } reflect-client
        Remarks: By default, no RR or RR client is configured.
        After you configure a VPN site as an IBGP peer, the MCE does not advertise the BGP routes learned from the VPN site to other IBGP peers, including VPNv4 peers. The MCE advertises routes learned from a VPN site only when you configure the VPN site as a client of the RR (the MCE).

     8. Redistribute remote site routes advertised by the PE into BGP.
        Command: import-route protocol [ process-id | all-processes ] [ allow-direct | med med-value | route-policy route-policy-name ] *
        Remarks: By default, no routes are redistributed into BGP.

  2. Configure a VPN site:

     1. Enter system view.
        Command: system-view
        Remarks: N/A

     2. Enter BGP instance view.
        Command: bgp as-number [ instance instance-name ] [ multi-session-thread ]
        Remarks: By default, BGP is not enabled.

     3. Configure the MCE as an IBGP peer.
        Command: peer { group-name | ipv4-address [ mask-length ] } as-number as-number
        Remarks: By default, no BGP peers or peer groups exist.

     4. Enter BGP-VPN IPv4 unicast address family view.
        Command: address-family ipv4 [ unicast ]
        Remarks: N/A

     5. Enable BGP to exchange IPv4 unicast routes with the peer.
        Command: peer { group-name | ipv4-address [ mask-length ] } enable
        Remarks: By default, BGP does not exchange IPv4 unicast routes with any peer.

     6. Redistribute the IGP routes of the VPN into BGP.
        Command: import-route protocol [ { process-id | all-processes } [ allow-direct | med med-value | route-policy route-policy-name ] * ]
        Remarks: By default, no routes are redistributed into BGP.
        A VPN site must advertise VPN network addresses to the connected MCE.
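
As an added example (not part of the original guide), the following Python check applies the route reflector rule from the IBGP procedure above to the BGP part of an MCE configuration: it lists IBGP peers inside a BGP-VPN instance that exchange IPv4 unicast routes but are not RR clients, so routes learned from them are not advertised to other IBGP peers. The sample configuration, AS numbers, instance names and addresses are constructed, the function name is hypothetical, and commands are assumed to appear in the order the procedure enters them.

```python
import re

# Constructed sample: the BGP part of an MCE configuration, using the commands
# from the procedure above. AS numbers, names and addresses are made up.
SAMPLE_BGP = """\
bgp 100
 ip vpn-instance vpn1
  peer 10.1.1.2 as-number 100
  address-family ipv4 unicast
   peer 10.1.1.2 enable
   peer 10.1.1.2 reflect-client
 ip vpn-instance vpn2
  peer 10.2.1.2 as-number 100
  peer 10.2.1.6 as-number 65002
  address-family ipv4 unicast
   peer 10.2.1.2 enable
   peer 10.2.1.6 enable
"""

PEER = re.compile(r"peer (\S+) (as-number|enable|reflect-client)(?: (\S+))?$")


def ibgp_peers_without_reflection(config):
    """Return sorted (vpn, peer) pairs: IBGP site peers that are not RR clients."""
    local_as, vpn, peers = None, None, {}
    for raw in config.splitlines():
        line = raw.strip()
        bgp = re.match(r"bgp (\d+)\b", line)
        instance = re.match(r"ip vpn-instance (\S+)$", line)
        peer = PEER.match(line)
        if bgp:
            local_as, vpn = bgp.group(1), None
        elif instance and local_as:
            vpn = instance.group(1)          # BGP-VPN instance view
        elif peer and vpn:
            state = peers.setdefault((vpn, peer.group(1)), {})
            state[peer.group(2)] = peer.group(3) or True
    return sorted(
        key for key, state in peers.items()
        if state.get("as-number") == local_as      # same AS: IBGP peer
        and state.get("enable")                    # routes are exchanged
        and not state.get("reflect-client"))       # not advertised to other IBGP peers


if __name__ == "__main__":
    for vpn_name, address in ibgp_peers_without_reflection(SAMPLE_BGP):
        print(f"{vpn_name}: IBGP peer {address} is not an RR client")
```

The reflect-client step is optional in the procedure, so a reported peer matters only where the MCE is expected to pass that site's routes on to other IBGP peers.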