Configuring routing between an MCE and a VPN site

You can configure static routing, RIPng, OSPFv3, IPv6 IS-IS, or EBGP between an MCE and a VPN site.

Configuring static routing between an MCE and a VPN site

An MCE can reach a VPN site through an IPv6 static route. IPv6 static routing on a traditional CE is globally effective and does not support address overlapping among VPNs. An MCE supports binding an IPv6 static route with an IPv6 VPN instance, so that the IPv6 static routes of different IPv6 VPN instances can be isolated from each other.

To configure IPv6 static routing between an MCE and a VPN site:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure an IPv6 static route for an IPv6 VPN instance.

ipv6 route-static vpn-instance s-vpn-instance-name ipv6-address prefix-length { interface-type interface-number [ next-hop-address ] | nexthop-address [ public ] | vpn-instance d-vpn-instance-name nexthop-address } [ permanent ] [ preference preference-value ] [ tag tag-value ] [ description description-text ]

By default, no IPv6 static route is configured.

Perform this configuration on the MCE. On a VPN site, configure normal IPv6 static routes.

3. (Optional.) Configure the default preference for IPv6 static routes.

ipv6 route-static default-preference default-preference-value

The default preference for IPv6 static routes is 60.

Configuring RIPng between an MCE and a VPN site

A RIPng process belongs to the public network or a single IPv6 VPN instance. If you create a RIPng process without binding it to an IPv6 VPN instance, the process belongs to the public network. By configuring RIPng process-to-IPv6 VPN instance bindings on a MCE, you allow routes of different VPNs to be exchanged between the MCE and the sites through different RIPng processes, ensuring the separation and security of IPv6 VPN routes.

For more information about RIPng, see Layer 3—IP Routing Configuration Guide.

To configure RIPng between an MCE and a VPN site:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Create a RIPng process for a VPN instance and enter RIPng view.

ripng [ process-id ] vpn-instance vpn-instance-name

Perform this configuration on the MCE. On a VPN site, configure normal RIPng.

3. Redistribute remote site routes advertised by the PE.

import-route protocol [ process-id ] [ allow-ibgp ] [ cost cost | route-policy route-policy-name ] *

By default, no routes are redistributed into RIPng.

4. (Optional.) Configure the default cost value for the redistributed routes.

default cost value

The default value is 0.

5. Return to system view.

quit

N/A

6. Enter interface view.

interface interface-type interface-number

N/A

7. Enable RIPng on the interface.

ripng process-id enable

By default, RIPng is disabled.

Configuring OSPFv3 between an MCE and a VPN site

An OSPFv3 process belongs to the public network or a single IPv6 VPN instance. If you create an OSPFv3 process without binding it to an IPv6 VPN instance, the process belongs to the public network.

By configuring OSPFv3 process-to-IPv6 VPN instance bindings on a MCE, you allow routes of different IPv6 VPNs to be exchanged between the MCE and the sites through different OSPFv3 processes, ensuring the separation and security of IPv6 VPN routes.

For more information about OSPFv3, see Layer 3—IP Routing Configuration Guide.

To configure OSPFv3 between an MCE and a VPN site:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Create an OSPFv3 process for a VPN instance and enter OSPFv3 view.

ospfv3 [ process-id | vpn-instance vpn-instance-name ] *

Perform this configuration on the MCE. On a VPN site, configure common OSPFv3.

Deleting a VPN instance also deletes all related OSPFv3 processes.

3. Set the router ID.

router-id router-id

N/A

4. (Optional.) Configure an OSPFv3 domain ID.

domain-id { domain-id [ secondary ] | null }

The default domain ID is 0.

Perform this configuration on the MCE.

All OSPF processes of the same VPN must be configured with the same OSPF domain ID to ensure correct route advertisement.

This command is available in Release 2311P04 and later versions.

5. Redistribute remote site routes advertised by the PE.

import-route protocol [ process-id | all-processes | allow-ibgp ] [ cost cost | nssa-only | route-policy route-policy-name | tag tag | type type ] *

By default, no routes are redistributed into OSPFv3.

The nssa-only keyword and the tag tag option are available in Release 2311P04 and later versions.

6. Return to system view.

quit

N/A

7. Enter interface view.

interface interface-type interface-number

N/A

8. Enable OSPFv3 on the interface.

ospfv3 process-id area area-id [ instance instance-id ]

By default, OSPFv3 is disabled on an interface.

Configuring IPv6 IS-IS between an MCE and a VPN site

An IPv6 IS-IS process belongs to the public network or a single IPv6 VPN instance. If you create an IPv6 IS-IS process without binding it to an IPv6 VPN instance, the process belongs to the public network.

By configuring IPv6 IS-IS process-to-IPv6 VPN instance bindings on a MCE, you allow routes of different IPv6 VPNs to be exchanged between the MCE and the sites through different IPv6 IS-IS processes, ensuring the separation and security of IPv6 VPN routes. For more information about IPv6 IS-IS, see Layer 3—IP Routing Configuration Guide.

To configure IPv6 IS-IS between an MCE and a VPN site:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Create an IPv6 IS-IS process for a VPN instance and enter IS-IS view.

isis [ process-id ] vpn-instance vpn-instance-name

Perform this configuration on the MCE. On a VPN site, configure common IPv6 IS-IS.

3. Configure a network entity title for the IS-IS process.

network-entity net

By default, no NET is configured.

4. Enable IPv6 for the IPv6 IS-IS process.

ipv6 enable

By default, IPv6 is disabled.

5. (Optional.) Redistribute remote site routes advertised by the PE.

ipv6 import-route protocol [ process-id ] [ allow-ibgp ] [ cost cost | [ level-1 | level-1-2 | level-2 ] | route-policy route-policy-name | tag tag ] *

By default, no routes are redistributed to IPv6 IS-IS.

If you do not specify the route level in the command, redistributed routes are added to the level-2 routing table.

6. Return to system view.

quit

N/A

7. Enter interface view.

interface interface-type interface-number

N/A

8. Enable the IPv6 IS-IS process on the interface.

isis ipv6 enable [ process-id ]

By default, no IPv6 IS-IS process is enabled.

Configuring EBGP between an MCE and a VPN site

To use EBGP between an MCE and IPv6 VPN sites, you must configure a BGP peer for each IPv6 VPN instance on the MCE, and redistribute the IGP routes of each VPN instance on the IPv6 VPN sites. You can also configure the filtering of received and advertised routes.

  1. Configure the MCE:

    Step

    Command

    Remarks

    1. Enter system view.

    system-view

    N/A

    2. Enter BGP view.

    bgp as-number

    N/A

    3. Enter BGP-VPN instance view.

    ip vpn-instance vpn-instance-name

    N/A

    4. Specify an IPv6 BGP peer in an AS.

    peer { group-name | ipv6-address } as-number as-number

    By default, no BGP peer is configured.

    5. Enter BGP-VPN IPv6 unicast address family view.

    address-family ipv6 [ unicast ]

    N/A

    6. Enable BGP to exchange IPv6 unicast routes with the specified peer.

    peer { group-name | ip-address } enable

    By default, BGP does not exchange IPv6 unicast routes with any peer.

    7. Redistribute remote site routes advertised by the PE.

    import-route protocol [ process-id [ med med-value | route-policy route-policy-name ] * ]

    By default, no route redistribution is configured.

    8. (Optional.) Configure filtering of advertised routes.

    filter-policy { acl6-number | prefix-list ipv6-prefix-name } export [ protocol process-id ]

    By default, BGP does not filter advertised routes.

    9. (Optional.) Configure filtering of received routes.

    filter-policy { acl6-number | prefix-list ipv6-prefix-name } import

    By default, BGP does not filter received routes.

  2. Configure a VPN site:

    Step

    Command

    Remarks

    1. Enter system view.

    system-view

    N/A

    2. Enter BGP view.

    bgp as-number

    N/A

    3. Configure the MCE as an EBGP peer.

    peer { group-name | ipv6-address } as-number as-number

    By default, no BGP peer is configured.

    4. Enter BGP IPv6 unicast address family view.

    address-family ipv6 [ unicast ]

    N/A

    5. Enable BGP to exchange IPv6 unicast routes with the specified peer.

    peer { group-name | ip-address } enable

    By default, BGP does not exchange IPv6 unicast routes with any peer.

    6. Redistribute the IGP routes of the VPN.

    import-route protocol [ process-id [ med med-value | route-policy route-policy-name ] * ]

    By default, no routes are redistributed into BGP.

    A VPN site must advertise IPv6 VPN network addresses it can reach to the connected MCE.

Configuring IBGP between an MCE and a VPN site

To use IBGP between an MCE and a VPN site, you must configure a BGP peer for each IPv6 VPN instance on the MCE, and redistribute the IGP routes of each VPN instance on the VPN site.

  1. Configure the MCE:

    Step

    Command

    Remarks

    1. Enter system view.

    system-view

    N/A

    2. Enter BGP view.

    bgp as-number

    N/A

    3. Enter BGP-VPN instance view.

    ip vpn-instance vpn-instance-name

    N/A

    4. Configure an IBGP peer.

    peer { group-name | ipv6-address } as-number as-number

    N/A

    5. Enter BGP-VPN IPv6 unicast address family view.

    address-family ipv6 [ unicast ]

    N/A

    6. Enable BGP to exchange IPv6 unicast routes with the peer.

    peer { group-name | ipv6-address } enable

    By default, BGP does not exchange IPv6 unicast routes with any peer.

    7. (Optional.) Configure the system to be the RR, and specify the peer as the client of the RR.

    peer { group-name | ipv6-address } reflect-client

    By default, no RR or RR client is configured.

    After you configure a VPN site as an IBGP peer, the MCE does not advertise the BGP routes learned from the VPN site to other IBGP peers, including VPNv6 peers. The MCE advertises routes learned from a VPN site only when you configure the VPN site as a client of the RR (the MCE).

    8. Redistribute remote site routes advertised by the PE into BGP.

    import-route protocol [ process-id [ med med-value | route-policy route-policy-name ] * ]

    By default, no routes are redistributed into BGP.

    9. (Optional.) Configure filtering of advertised routes.

    filter-policy { acl6-number | prefix-list ipv6-prefix-name } export [ protocol process-id ]

    By default, BGP does not filter advertised routes.

    10. (Optional.) Configure filtering of received routes.

    filter-policy { acl6-number | prefix-list ipv6-prefix-name } import

    By default, BGP does not filter received routes.

  2. Configure a VPN site:

    Step

    Command

    Remarks

    1. Enter system view.

    system-view

    N/A

    2. Enter BGP view.

    bgp as-number

    N/A

    3. Configure the MCE as an IBGP peer.

    peer { group-name | ipv6-address } as-number as-number

    N/A

    4. Enter BGP-VPN IPv6 unicast address family view.

    address-family ipv6 [ unicast ]

    N/A

    5. Enable BGP to exchange IPv6 unicast routes with the peer.

    peer { group-name | ipv6-address } enable

    By default, BGP does not exchange IPv6 unicast routes with any peer.

    6. Redistribute the IGP routes of the VPN into BGP.

    import-route protocol [ process-id [ med med-value | route-policy route-policy-name ] * ]

    By default, no routes are redistributed into BGP.

    A VPN site must advertise VPN network addresses to the connected MCE.