Configuring nested VPN
For a network with many VPNs, nested VPN is a good solution to implement layered management of VPNs and to conceal the deployment of internal VPNs.
To build a nested VPN network, perform the following configurations:
- Configurations between customer PE and customer CE—Configure VPN instances on the customer PE and configure route exchange between the customer PE and the customer CE.
- Configurations between customer PE and provider CE—Configure BGP VPNv4 route exchange between them. To make sure the provider CE can receive all VPNv4 routes, configure the undo policy vpn-target command on the provider CE so that it does not filter VPNv4 routes by route targets (RTs).
- Configurations between provider CE and provider PE—Configure VPN instances and enable nested VPN on the provider PE, and configure BGP VPNv4 route exchange between the provider CE and the provider PE.
- Configurations between provider PEs—Configure BGP VPNv4 route exchange between them.
Nested VPN allows a customer PE to directly exchange VPNv4 routes with a provider PE, without needing to deploy a provider CE. In this case, the customer PE also acts as the provider CE. Therefore, you must configure provider CE settings on it.
Configurations on the customer CE, customer PE, and provider CE are similar to basic MPLS L3VPN configurations. This task describes the configurations on the provider PE.
When you configure nested VPN, follow these guidelines:
- The address spaces of sub-VPNs of a VPN cannot overlap.
- Do not assign nested VPN peers addresses that public network peers use.
- Nested VPN does not support multihop EBGP. A provider PE and a provider CE must use the addresses of the directly connected interfaces to establish a neighbor relationship.
To configure nested VPN:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter BGP instance view. | bgp as-number [ instance instance-name ] | N/A |
| 3. Enter BGP VPNv4 address family view. | address-family vpnv4 | N/A |
| 4. Enable nested VPN. | nesting-vpn | By default, nested VPN is disabled. |
| 5. Return to BGP instance view. | quit | N/A |
| 6. Enter BGP-VPN instance view. | ip vpn-instance vpn-instance-name | N/A |
| 7. Specify the peer CE or the peer group of the peer CE. | peer { group-name \| ipv4-address [ mask-length ] } as-number as-number | By default, no peer is specified. |
| 8. Create the BGP-VPN VPNv4 address family and enter its view. | address-family vpnv4 | By default, the BGP-VPN VPNv4 address family is not created. |
| 9. Enable BGP VPNv4 route exchange with the peer CE or the peer group of the peer CE. | peer { group-name \| ipv4-address [ mask-length ] } enable | By default, BGP does not exchange VPNv4 routes with any peer. |
| 10. (Optional.) Configure the SoO attribute for the BGP peer or peer group. | peer { group-name \| ipv4-address [ mask-length ] } soo site-of-origin | By default, the SoO attribute is not configured. |
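As an added illustration (not vendor code or a configuration from this page), the following Python script renders the provider PE commands from steps 1 through 10 for one peer CE and pre-checks the three guidelines above before the configuration is applied; the AS numbers, VPN instance name, addresses and SoO value are constructed sample values.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

def subvpn_overlaps(subvpns: Dict[str, Iterable[str]]) -> List[str]:
    """Guideline 1: the address spaces of sub-VPNs of one VPN cannot overlap.
    Returns one message per conflicting pair (empty list means no conflict)."""
    nets = [(name, ipaddress.ip_network(p)) for name, ps in subvpns.items() for p in ps]
    return [f"{a} {na} overlaps {b} {nb}"
            for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:]
            if a != b and na.overlaps(nb)]

def peer_address_conflicts(nested_peers: Iterable[str], public_peers: Iterable[str]) -> List[str]:
    """Guideline 2: nested VPN peers must not use addresses that public-network peers use."""
    return sorted(set(nested_peers) & set(public_peers))

def directly_connected(pe_interface: str, ce_peer: str) -> bool:
    """Guideline 3: no multihop EBGP, so the provider CE peer address must lie in the
    subnet of the provider PE interface that connects to it (e.g. '172.16.1.1/30')."""
    return ipaddress.ip_address(ce_peer) in ipaddress.ip_interface(pe_interface).network

def provider_pe_config(asn: int, vpn: str, ce_peer: str, ce_as: int,
                       soo: Optional[str] = None) -> str:
    """Render steps 1-10 of the procedure for one peer CE as Comware-style CLI text.
    The SoO line (step 10) is emitted only when a site-of-origin value is given."""
    lines = [
        "system-view",                            # step 1
        f"bgp {asn}",                             # step 2: BGP instance view
        " address-family vpnv4",                  # step 3
        "  nesting-vpn",                          # step 4: enable nested VPN (off by default)
        "  quit",                                 # step 5: back to BGP instance view
        f" ip vpn-instance {vpn}",                # step 6: BGP-VPN instance view
        f"  peer {ce_peer} as-number {ce_as}",    # step 7: the peer CE
        "  address-family vpnv4",                 # step 8: BGP-VPN VPNv4 address family
        f"   peer {ce_peer} enable",              # step 9: exchange VPNv4 routes with the CE
    ]
    if soo:
        lines.append(f"   peer {ce_peer} soo {soo}")  # step 10 (optional)
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    for msg in subvpn_overlaps({"subvpn1": ["10.1.0.0/16"], "subvpn2": ["10.1.5.0/24"]}):
        print("check failed:", msg)
    print(provider_pe_config(100, "vpn1", "172.16.1.2", 65001, soo="100:1"))
```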