Configuring nested VPN
For a network with many VPNs, nested VPN is a good solution to implement layered management of VPNs and to conceal the deployment of internal VPNs.
To build a nested VPN network, perform the following configurations:
Configurations between customer PE and customer CE—Configure VPN instances on the customer PE and configure route exchange between customer PE and customer CE.
Configurations between customer PE and provider CE—Configure BGP VPNv4 route exchange between them. To make sure the provider CE can receive all BGP VPNv4 routes, configure the undo policy vpn-target command on the provider CE to not filter VPNv4 routes by RTs.
Configurations between provider CE and provider PE—Configure VPN instances and enable nested VPN on the provider PE and configure BGP VPNv4 route exchange between the provider CE and provider PE.
Configurations between provider PEs—Configure BGP VPNv4 route exchange between them.
Nested VPN allows a customer PE to directly exchange VPNv4 routes with a provider PE, without needing to deploy a provider CE. In this case, the customer PE also acts as the provider CE. Therefore, you must configure provider CE settings on it.
Configurations on the customer CE, customer PE, and provider CE are similar to basic MPLS L3VPN configurations. This task describes the configurations on the provider PE.
When you configure nested VPN, follow these guidelines:
The address spaces of sub-VPNs of a VPN cannot overlap.
Do not assign nested VPN peers addresses that public network peers use.
Nested VPN does not support multi-hop EBGP. A provider PE and a provider CE must use the addresses of the directly connected interfaces to establish a neighbor relationship.
To configure nested VPN:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter BGP view. | bgp as-number | N/A |
3. Enter BGP VPNv4 address family view. | address-family vpnv4 | N/A |
4. Enable nested VPN. | nesting-vpn | By default, nested VPN is disabled. |
5. Return to BGP view. | quit | N/A |
6. Enter BGP-VPN instance view. | ip vpn-instance vpn-instance-name | N/A |
7. Specify the peer CE or the peer group of the peer CE. | peer { group-name | peer-address } as-number as-number | By default, no peer is specified. |
8. Create the BGP-VPN VPNv4 address family and enter its view. | address-family vpnv4 | By default, the BGP-VPN VPNv4 address family is not created. |
9. (Optional.) Enable BGP VPNv4 route exchange with the peer CE or the peer group of the peer CE. | peer { group-name | peer-address } enable | By default, BGP does not exchange VPNv4 routes with any peer. |