Configuring routing between an MCE and a VPN site
You can configure IPv6 static routing, RIPng, OSPFv3, IPv6 IS-IS, or EBGP between an MCE and a VPN site.
Configuring IPv6 static routing between an MCE and a VPN site
An MCE can reach a VPN site through an IPv6 static route. IPv6 static routing on a traditional CE is globally effective and does not support address overlapping among VPNs. An MCE supports binding an IPv6 static route with an IPv6 VPN instance, so that the IPv6 static routes of different IPv6 VPN instances can be isolated from each other.
To configure IPv6 static routing between an MCE and a VPN site:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure an IPv6 static route for an IPv6 VPN instance. | ipv6 route-static vpn-instance s-vpn-instance-name ipv6-address prefix-length { interface-type interface-number [ next-hop-address ] | nexthop-address [ public ] | vpn-instance d-vpn-instance-name nexthop-address } [ permanent ] [ preference preference ] [ tag tag-value ] [ description text ] | By default, no IPv6 static routes are configured. Perform this configuration on the MCE. On a VPN site, configure normal IPv6 static routes. |
3. (Optional.) Configure the default preference for IPv6 static routes. | ipv6 route-static default-preference default-preference | The default preference for IPv6 static routes is 60. |
Configuring RIPng between an MCE and a VPN site
A RIPng process belongs to the public network or a single IPv6 VPN instance. If you create a RIPng process without binding it to an IPv6 VPN instance, the process belongs to the public network. By configuring RIPng process-to-IPv6 VPN instance bindings on a MCE, you allow routes of different VPNs to be exchanged between the MCE and the sites through different RIPng processes, ensuring the separation and security of IPv6 VPN routes.
For more information about RIPng, see Layer 3—IP Routing Configuration Guide.
To configure RIPng between an MCE and a VPN site:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a RIPng process for a VPN instance and enter RIPng view. | ripng [ process-id ] vpn-instance vpn-instance-name | Perform this configuration on the MCE. On a VPN site, configure normal RIPng. |
3. Redistribute remote site routes advertised by the PE. | import-route protocol [ process-id ] [ allow-ibgp ] [ allow-direct | cost cost-value | route-policy route-policy-name ] * | By default, no routes are redistributed into RIPng. |
4. Return to system view. | quit | N/A |
5. Enter interface view. | interface interface-type interface-number | N/A |
6. Enable RIPng on the interface. | ripng process-id enable | By default, RIPng is disabled. |
Configuring OSPFv3 between an MCE and a VPN site
An OSPFv3 process belongs to the public network or a single IPv6 VPN instance. If you create an OSPFv3 process without binding it to an IPv6 VPN instance, the process belongs to the public network.
By configuring OSPFv3 process-to-IPv6 VPN instance bindings on a MCE, you allow routes of different IPv6 VPNs to be exchanged between the MCE and the sites through different OSPFv3 processes, ensuring the separation and security of IPv6 VPN routes.
For more information about OSPFv3, see Layer 3—IP Routing Configuration Guide.
To configure OSPFv3 between an MCE and a VPN site:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Create an OSPFv3 process for a VPN instance and enter OSPFv3 view. | ospfv3 [ process-id | vpn-instance vpn-instance-name ] * | Perform this configuration on the MCE. On a VPN site, configure common OSPFv3. Deleting a VPN instance also deletes all related OSPFv3 processes. |
3. Set the router ID. | router-id router-id | N/A |
4. Redistribute remote site routes advertised by the PE. | import-route protocol [ process-id | all-processes | allow-ibgp ] [ allow-direct | cost cost-value | nssa-only | route-policy route-policy-name | tag tag | type type ] * | By default, no routes are redistributed into OSPFv3. |
5. Return to system view. | quit | N/A |
6. Enter interface view. | interface interface-type interface-number | N/A |
7. Enable OSPFv3 on the interface. | ospfv3 process-id area area-id [ instance instance-id ] | By default, OSPFv3 is disabled on an interface. |
Configuring IPv6 IS-IS between an MCE and a VPN site
An IPv6 IS-IS process belongs to the public network or a single IPv6 VPN instance. If you create an IPv6 IS-IS process without binding it to an IPv6 VPN instance, the process belongs to the public network.
By configuring IPv6 IS-IS process-to-IPv6 VPN instance bindings on a MCE, you allow routes of different IPv6 VPNs to be exchanged between the MCE and the sites through different IPv6 IS-IS processes. This ensures the separation and security of IPv6 VPN routes. For more information about IPv6 IS-IS, see Layer 3—IP Routing Configuration Guide.
To configure IPv6 IS-IS between an MCE and a VPN site:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Create an IPv6 IS-IS process for a VPN instance and enter IS-IS view. | isis [ process-id ] vpn-instance vpn-instance-name | Perform this configuration on the MCE. On a VPN site, configure common IPv6 IS-IS. |
3. Configure a network entity title for the IS-IS process. | network-entity net | By default, no NET is configured. |
4. Create the IS-IS IPv6 unicast address family and enter its view. | address-family ipv6 [ unicast ] | By default, the IS-IS IPv6 unicast address family is not created. |
5. (Optional.) Redistribute remote site routes advertised by the PE. | import-route protocol [ process-id ] [ allow-ibgp ] [ allow-direct | cost cost-value | [ level-1 | level-1-2 | level-2 ] | route-policy route-policy-name | tag tag ] * | By default, no routes are redistributed to IPv6 IS-IS. If you do not specify the route level in the command, redistributed routes are added to the level-2 routing table. |
6. Return to system view. | quit | N/A |
7. Enter interface view. | interface interface-type interface-number | N/A |
8. Enable the IPv6 IS-IS process on the interface. | isis ipv6 enable [ process-id ] | By default, no IPv6 IS-IS process is enabled on the interface. |
Configuring EBGP between an MCE and a VPN site
To use EBGP between an MCE and IPv6 VPN sites, you must configure a BGP peer for each IPv6 VPN instance on the MCE, and redistribute the IGP routes of each VPN instance on the IPv6 VPN sites.
Configure the MCE:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter BGP instance view. | bgp as-number [ instance instance-name ] [ multi-session-thread ] | N/A |
3. Enter BGP-VPN instance view. | ip vpn-instance vpn-instance-name | N/A |
4. Specify an IPv6 BGP peer in an AS. | peer { group-name | ipv6-address [ prefix-length ] } as-number as-number | By default, no BGP peers exist. |
5. Enter BGP-VPN IPv6 unicast address family view. | address-family ipv6 [ unicast ] | N/A |
6. Enable BGP to exchange IPv6 unicast routes with the specified peer. | peer { group-name | ipv6-address [ prefix-length ] } enable | By default, BGP does not exchange IPv6 unicast routes with any peer. |
7. Redistribute remote site routes advertised by the PE. | import-route protocol [ { process-id | all-processes } [ allow-direct | med med-value | route-policy route-policy-name ] * ] | By default, no route redistribution is configured. |
Configure a VPN site:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter BGP instance view. | bgp as-number [ instance instance-name ] [ multi-session-thread ] | N/A |
3. Configure the MCE as an EBGP peer. | peer { group-name | ipv6-address [ prefix-length ] } as-number as-number | By default, no BGP peers exist. |
4. Enter BGP IPv6 unicast address family view. | address-family ipv6 [ unicast ] | N/A |
5. Enable BGP to exchange IPv6 unicast routes with the specified peer. | peer { group-name | ipv6-address [ prefix-length ] } enable | By default, BGP does not exchange IPv6 unicast routes with any peer. |
6. Redistribute the IGP routes of the VPN. | import-route protocol [ { process-id | all-processes } [ allow-direct | med med-value | route-policy route-policy-name ] * ] | By default, no routes are redistributed into BGP. A VPN site must advertise IPv6 VPN network addresses it can reach to the connected MCE. |
Configuring IBGP between an MCE and a VPN site
To use IBGP between an MCE and a VPN site, you must configure a BGP peer for each IPv6 VPN instance on the MCE, and redistribute the IGP routes of each VPN instance on the VPN site.
Configure the MCE:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter BGP instance view. | bgp as-number [ instance instance-name ] [ multi-session-thread ] | By default, BGP is not enabled. |
3. Enter BGP-VPN instance view. | ip vpn-instance vpn-instance-name | N/A |
4. Configure an IBGP peer. | peer { group-name | ipv6-address [ prefix-length ] } as-number as-number | By default, no BGP peers or peer groups exist. |
5. Enter BGP-VPN IPv6 unicast address family view. | address-family ipv6 [ unicast ] | N/A |
6. Enable BGP to exchange IPv6 unicast routes with the peer. | peer { group-name | ipv6-address [ prefix-length ] } enable | By default, BGP does not exchange IPv6 unicast routes with any peer. |
7. (Optional.) Configure the system to be the RR, and specify the peer as the client of the RR. | peer { group-name | ipv6-address [ prefix-length ] } reflect-client | By default, no RR or RR client is configured. After you configure a VPN site as an IBGP peer, the MCE does not advertise the BGP routes learned from the VPN site to other IBGP peers, including VPNv6 peers. The MCE advertises routes learned from a VPN site only when you configure the VPN site as a client of the RR (the MCE). |
8. Redistribute remote site routes advertised by the PE into BGP. | import-route protocol [ { process-id | all-processes } [ allow-direct | med med-value | route-policy route-policy-name ] * ] | By default, no routes are redistributed into BGP. |
Configure a VPN site:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter BGP instance view. | bgp as-number [ instance instance-name ] [ multi-session-thread ] | By default, BGP is not enabled. |
3. Configure the MCE as an IBGP peer. | peer { group-name | ipv6-address [ prefix-length ] } as-number as-number | By default, no BGP peers or peer groups exist. |
4. Enter BGP-VPN IPv6 unicast address family view. | address-family ipv6 [ unicast ] | N/A |
5. Enable BGP to exchange IPv6 unicast routes with the peer. | peer { group-name | ipv6-address [ prefix-length ] } enable | By default, BGP does not exchange IPv6 unicast routes with any peer. |
6. Redistribute the IGP routes of the VPN into BGP. | import-route protocol [ { process-id | all-processes } [ allow-direct | med med-value | route-policy route-policy-name ] * ] | By default, no routes are redistributed into BGP. A VPN site must advertise VPN network addresses to the connected MCE. |