Configuring routing between an MCE and a VPN site

You can configure static routing, RIP, OSPF, IS-IS, EBGP, or IBGP between an MCE and a VPN site.

Configuring static routing between an MCE and a VPN site

An MCE can reach a VPN site through a static route. Static routing on a traditional CE is globally effective and does not support address overlapping among VPNs. An MCE supports binding a static route to a VPN instance, so that the static routes of different VPN instances can be isolated from each other.

To configure a static route to a VPN site:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure a static route for a VPN instance.

ip route-static vpn-instance s-vpn-instance-name dest-address { mask-length | mask } { interface-type interface-number [ next-hop-address ] | next-hop-address [ public ] [ track track-entry-number ] | vpn-instance d-vpn-instance-name next-hop-address [ track track-entry-number ] } [ permanent ] [ preference preference-value ] [ tag tag-value ] [ description description-text ]

By default, no static route is configured.

Perform this configuration on the MCE. On the VPN site, configure a common static route.

3. (Optional.) Configure the default preference for static routes.

ip route-static default-preference default-preference-value

The default preference is 60.

Configuring RIP between an MCE and a VPN site

A RIP process belongs to the public network or a single VPN instance. If you create a RIP process without binding it to a VPN instance, the process belongs to the public network. Binding RIP processes to VPN instances can isolate routes of different VPNs. For more information about RIP, see Layer 3—IP Routing Configuration Guide.

To configure RIP between an MCE and a VPN site:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Create a RIP process for a VPN instance and enter RIP view.

rip [ process-id ] vpn-instance vpn-instance-name

Perform this configuration on the MCE. On a VPN site, create a common RIP process.

3. Enable RIP on the interface attached to the specified network.

network network-address

By default, RIP is disabled on an interface.

4. Redistribute remote site routes advertised by the PE into RIP.

import-route protocol [ process-id ] [ allow-ibgp ] [ cost cost | route-policy route-policy-name | tag tag ] *

By default, no route is redistributed into RIP.

5. (Optional.) Configure the default cost value for the redistributed routes.

default cost value

The default cost is 0.

Configuring OSPF between an MCE and a VPN site

An OSPF process belongs to the public network or a single VPN instance. If you create an OSPF process without binding it to a VPN instance, the process belongs to the public network.

Binding OSPF processes to VPN instances can isolate routes of different VPNs. For more information about OSPF, see Layer 3—IP Routing Configuration Guide.

To configure OSPF between an MCE and a VPN site:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Create an OSPF process for a VPN instance and enter OSPF view.

ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] *

Perform this configuration on the MCE. On a VPN site, create a common OSPF process.

An OSPF process bound to a VPN instance does not use the public network router ID configured in system view. Therefore, configure a router ID for the OSPF process.

An OSPF process can belong to only one VPN instance, but one VPN instance can use multiple OSPF processes to advertise VPN routes.

3. (Optional.) Configure the OSPF domain ID.

domain-id domain-id [ secondary ]

The default domain ID is 0.

Perform this configuration on the MCE.

All OSPF processes of the same VPN must be configured with the same OSPF domain ID to ensure correct route advertisement.

4. (Optional.) Configure the type codes of OSPF extended community attributes.

ext-community-type { domain-id type-code1 | router-id type-code2 | route-type type-code3 }

The defaults are as follows:

  • 0x0005 for Domain ID.

  • 0x0107 for Router ID.

  • 0x0306 for Route Type.

5. (Optional.) Configure the external route tag for imported VPN routes.

route-tag tag-value

By default, no route tag is configured.

In some networks, a VPN might be connected to multiple MCEs. When one MCE advertises the routes learned from BGP to the VPN, the other MCEs might learn the routes, resulting in routing loops. To avoid such routing loops, you can configure route tags for VPN instances on an MCE. HP recommends that you configure the same route tag for the same VPN on the MCEs.

6. Redistribute remote site routes advertised by the PE into OSPF.

import-route protocol [ process-id | all-processes | allow-ibgp ] [ cost cost | route-policy route-policy-name | tag tag | type type ] *

By default, no routes are redistributed into OSPF.

7. (Optional.) Configure OSPF to redistribute the default route.

default-route-advertise summary cost cost

By default, OSPF does not redistribute the default route.

This command redistributes the default route in a Type-3 LSA. The MCE advertises the default route to the site.

8. Create an OSPF area and enter OSPF area view.

area area-id

By default, no OSPF area is created.

9. Enable OSPF on the interface attached to the specified network in the area.

network ip-address wildcard-mask

By default, an interface neither belongs to any area nor runs OSPF.

Configuring IS-IS between an MCE and a VPN site

An IS-IS process belongs to the public network or a single VPN instance. If you create an IS-IS process without binding it to a VPN instance, the process belongs to the public network.

Binding IS-IS processes to VPN instances can isolate routes of different VPNs. For more information about IS-IS, see Layer 3—IP Routing Configuration Guide.

To configure IS-IS between an MCE and a VPN site:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Create an IS-IS process for a VPN instance and enter IS-IS view.

isis [ process-id ] vpn-instance vpn-instance-name

Perform this configuration on the MCE. On a VPN site, configure a common IS-IS process.

3. Configure a network entity title.

network-entity net

By default, no NET is configured.

4. Redistribute remote site routes advertised by the PE into IS-IS.

import-route protocol [ process-id | all-processes | allow-ibgp ] [ cost cost | cost-type { external | internal } | [ level-1 | level-1-2 | level-2 ] | route-policy route-policy-name | tag tag ] *

By default, IS-IS does not redistribute routes from any other routing protocol.

If you do not specify the route level in the command, the command redistributes routes to the level-2 routing table by default.

5. Return to system view.

quit

N/A

6. Enter interface view.

interface interface-type interface-number

N/A

7. Enable the IS-IS process on the interface.

isis enable [ process-id ]

By default, IS-IS is disabled.

Configuring EBGP between an MCE and a VPN site

To run EBGP between an MCE and a VPN site, you must configure a BGP peer for each VPN instance on the MCE, and redistribute the IGP routes of each VPN instance on the VPN site.

You can configure filtering policies to filter received routes and advertised routes.

  1. Configure the MCE:

    Step

    Command

    Remarks

    1. Enter system view.

    system-view

    N/A

    2. Enter BGP view.

    bgp as-number

    N/A

    3. Enter BGP-VPN instance view.

    ip vpn-instance vpn-instance-name

    N/A

    4. Configure an EBGP peer.

    peer { group-name | ip-address } as-number as-number

    By default, no BGP peer is configured.

    5. Enter BGP-VPN IPv4 unicast address family view.

    address-family ipv4 [ unicast ]

    N/A

    6. Enable BGP to exchange IPv4 unicast routes with the peer.

    peer { group-name | ip-address } enable

    By default, BGP does not exchange IPv4 unicast routes with any peer.

    7. Allow the local AS number to appear in the AS_PATH attribute of routes received from the peer, and set the maximum number of repetitions.

    peer { group-name | ip-address } allow-as-loop [ number ]

    By default, BGP discards incoming route updates that contain the local AS number.

    8. Redistribute remote site routes advertised by the PE into BGP.

    import-route protocol [ { process-id | all-processes } [ med med-value | route-policy route-policy-name ] * ]

    By default, no routes are redistributed into BGP.

    9. (Optional.) Configure filtering of advertised routes.

    filter-policy { acl-number | prefix-list prefix-list-name } export [ protocol process-id ]

    By default, BGP does not filter advertised routes.

    10. (Optional.) Configure filtering of received routes.

    filter-policy { acl-number | prefix-list prefix-list-name } import

    By default, BGP does not filter received routes.

  2. Configure a VPN site:

    Step

    Command

    Remarks

    1. Enter system view.

    system-view

    N/A

    2. Enter BGP view.

    bgp as-number

    N/A

    3. Configure the MCE as an EBGP peer.

    peer { group-name | ip-address } as-number as-number

    N/A

    4. Enter BGP-VPN IPv4 unicast address family view.

    address-family ipv4 [ unicast ]

    N/A

    5. Enable BGP to exchange IPv4 unicast routes with the peer.

    peer { group-name | ip-address } enable

    By default, BGP does not exchange IPv4 unicast routes with any peer.

    6. Redistribute the IGP routes of the VPN into BGP.

    import-route protocol [ { process-id | all-processes } [ med med-value | route-policy route-policy-name ] * ]

    By default, no routes are redistributed into BGP.

    A VPN site must advertise the VPN network addresses it can reach to the connected MCE.

Configuring IBGP between MCE and VPN site

To run IBGP between an MCE and a VPN site, you must configure a BGP peer for each VPN instance on the MCE, and redistribute the IGP routes of each VPN instance on the VPN site.

  1. Configure the MCE:

    Step

    Command

    Remarks

    1. Enter system view.

    system-view

    N/A

    2. Enter BGP view.

    bgp as-number

    N/A

    3. Enter BGP-VPN instance view.

    ip vpn-instance vpn-instance-name

    N/A

    4. Configure an IBGP peer.

    peer { group-name | ip-address } as-number as-number

    N/A

    5. Enter BGP-VPN IPv4 unicast address family view.

    address-family ipv4 [ unicast ]

    N/A

    6. Enable BGP to exchange IPv4 unicast routes with the peer.

    peer { group-name | ip-address } enable

    By default, BGP does not exchange IPv4 unicast routes with any peer.

    7. (Optional.) Configure the system to be the RR, and specify the peer as the client of the RR.

    peer { group-name | ip-address } reflect-client

    By default, no RR or RR client is configured.

    After you configure a VPN site as an IBGP peer, the MCE does not advertise the BGP routes learned from the VPN site to other IBGP peers, including VPNv4 peers. The MCE advertises routes learned from a VPN site only when you configure the VPN site as a client of the RR (the MCE).

    8. Redistribute remote site routes advertised by the PE into BGP.

    import-route protocol [ process-id | all-processes ] [ med med-value | route-policy route-policy-name ] *

    By default, no routes are redistributed into BGP.

    9. (Optional.) Configure filtering of advertised routes.

    filter-policy { acl-number | prefix-list prefix-list-name } export [ protocol process-id ]

    By default, BGP does not filter advertised routes.

    10. (Optional.) Configure filtering of received routes.

    filter-policy { acl-number | prefix-list prefix-list-name } import

    By default, BGP does not filter received routes.

  2. Configure a VPN site:

    Step

    Command

    Remarks

    1. Enter system view.

    system-view

    N/A

    2. Enter BGP view.

    bgp as-number

    N/A

    3. Configure the MCE as an IBGP peer.

    peer { group-name | ip-address } as-number as-number

    N/A

    4. Enter BGP-VPN IPv4 unicast address family view.

    address-family ipv4 [ unicast ]

    N/A

    5. Enable BGP to exchange IPv4 unicast routes with the peer.

    peer { group-name | ip-address } enable

    By default, BGP does not exchange IPv4 unicast routes with any peer.

    6. Redistribute the IGP routes of the VPN into BGP.

    import-route protocol [ { process-id | all-processes } [ med med-value | route-policy route-policy-name ] * ]

    By default, no routes are redistributed into BGP.

    A VPN site must advertise VPN network addresses to the connected MCE.