
Example for Configuring Basic BGP/MPLS IP VPN (VPN Instances Are Automatically Generated for Virtual Systems)

This example describes how to configure basic BGP/MPLS IP VPN, including MPLS LSPs, VPNv4 peers, and the VPN instance that is automatically generated for a virtual system.

Networking Requirements

As shown in Figure 1:
  • CE1 and CE2 belong to vpna, which is automatically generated by a virtual system.

  • The VPN-target attribute used by vpna is 111:1.

  • Users of the same VPN can communicate with each other.

Figure 1 Networking diagram of BGP/MPLS IP VPN

Configuration Roadmap

The BGP/MPLS IP VPN configuration roadmap is as follows:

  1. Configure OSPF in the backbone network for communications between PEs.

  2. Configure basic MPLS capabilities and MPLS LDP and establish MPLS LSPs.

  3. Configure MP-IBGP for VPN route exchange between PEs.

  4. Create virtual system vpna on the PEs, configure the VPN instances, and bind the interface connecting to a CE to a VPN instance.

  5. Configure EBGP for VPN route exchange between PEs and CEs.

  • Use the ping command to test the connectivity. Before the test, run the undo service-manage enable command on each PE interface; otherwise, ping packets are discarded. After the connectivity test succeeds, run the service-manage enable command to enhance system security.

  • In the scenario where a virtual system automatically generates a VPN instance, undo service-manage enable must be configured on the WAN interface. This is because the inbound zone of sessions created in the virtual system is the zone of the virtual-if1 interface when the VPN instance of the virtual system forwards MPLS packets. If access control is enabled on the WAN interface, the ping from the root system to the virtual system may fail, and therefore packets cannot pass through.

  • If the FW is used to simulate a P, run the undo firewall session link-state check command. Otherwise, MPLS packets will be discarded. This is because the last hop P strips the MPLS header in advance, resulting in inconsistent forward and return packets.

  • The following example provides basic security policy parameters. You can set other parameters to the desired values.

Data Preparation

To implement the configuration, you need to collect the following data:

  • MPLS LSR-IDs on PEs and the P: loopback interface address

  • vpna's RD: 100:1

  • VPN-Target route sending and receiving attribute of vpna: 111:1

Procedure

  1. Configure OSPF on the MPLS backbone network for communications between the PE and P on the backbone network.

    # Configure PE1.

    <FW> system-view
    [FW] sysname PE1
    [PE1] interface loopback 1
    [PE1-LoopBack1] ip address 1.1.1.9 32
    [PE1-LoopBack1] quit
    [PE1] interface GigabitEthernet 0/0/1
    [PE1-GigabitEthernet0/0/1] ip address 172.1.1.1 24
    [PE1-GigabitEthernet0/0/1] undo service-manage enable
    [PE1-GigabitEthernet0/0/1] quit
    [PE1] firewall zone untrust
    [PE1-zone-untrust] add interface GigabitEthernet 0/0/1
    [PE1-zone-untrust] quit
    [PE1] ospf
    [PE1-ospf-1] area 0
    [PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
    [PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
    [PE1-ospf-1-area-0.0.0.0] quit
    [PE1-ospf-1] quit

    # Configure a security policy on PE1 for connectivity on the backbone network.

    [PE1] security-policy
    [PE1-policy-security] rule name policy_sec_1
    [PE1-policy-security-rule-policy_sec_1] source-zone untrust local
    [PE1-policy-security-rule-policy_sec_1] destination-zone untrust local
    [PE1-policy-security-rule-policy_sec_1] action permit
    [PE1-policy-security-rule-policy_sec_1] quit

    # Configure the P.

    <Router> system-view
    [Router] sysname P
    [P] interface loopback 1
    [P-LoopBack1] ip address 2.2.2.9 32
    [P-LoopBack1] quit
    [P] interface GigabitEthernet 0/0/0
    [P-GigabitEthernet0/0/0] ip address 172.1.1.2 24
    [P-GigabitEthernet0/0/0] quit
    [P] interface GigabitEthernet 0/0/1
    [P-GigabitEthernet0/0/1] ip address 172.2.1.1 24
    [P-GigabitEthernet0/0/1] quit
    [P] ospf
    [P-ospf-1] area 0
    [P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
    [P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
    [P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
    [P-ospf-1-area-0.0.0.0] quit
    [P-ospf-1] quit

    # Configure PE2.

    <FW> system-view
    [FW] sysname PE2
    [PE2] interface loopback 1
    [PE2-LoopBack1] ip address 3.3.3.9 32
    [PE2-LoopBack1] quit
    [PE2] interface GigabitEthernet 0/0/1
    [PE2-GigabitEthernet0/0/1] ip address 172.2.1.2 24
    [PE2-GigabitEthernet0/0/1] undo service-manage enable
    [PE2-GigabitEthernet0/0/1] quit
    [PE2] firewall zone untrust
    [PE2-zone-untrust] add interface GigabitEthernet 0/0/1
    [PE2-zone-untrust] quit
    [PE2] ospf
    [PE2-ospf-1] area 0
    [PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
    [PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
    [PE2-ospf-1-area-0.0.0.0] quit
    [PE2-ospf-1] quit

    # Configure a security policy on PE2 for connectivity on the backbone network.

    [PE2] security-policy
    [PE2-policy-security] rule name policy_sec_1
    [PE2-policy-security-rule-policy_sec_1] source-zone untrust local
    [PE2-policy-security-rule-policy_sec_1] destination-zone untrust local
    [PE2-policy-security-rule-policy_sec_1] action permit
    [PE2-policy-security-rule-policy_sec_1] quit

    After configuration, OSPF neighbors should be set up between PE1, PE2, and the P. Run the display ospf peer command, and you can see that the neighbor state is Full. Run the display ip routing-table command, and you can see that Loopback1 routes have been learned between the PEs.

    Take the display on PE1 as an example:

    [PE1] display ip routing-table
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 8       Routes : 8
    Destination/Mask  Proto  Pre  Cost             Flags NextHop         Interface
          1.1.1.9/32  Direct 0    0                D  127.0.0.1       LoopBack1
          2.2.2.9/32 OSPF   10   1                D  172.1.1.2       GigabitEthernet0/0/1
          3.3.3.9/32 OSPF   10   2                D  172.1.1.2       GigabitEthernet0/0/1
        127.0.0.0/8   Direct 0    0                D  127.0.0.1       InLoopBack0
        127.0.0.1/32  Direct 0    0                D  127.0.0.1       InLoopBack0
        172.1.1.0/24  Direct 0    0                D  172.1.1.1       GigabitEthernet0/0/1
        172.1.1.1/32  Direct 0    0                D  127.0.0.1       GigabitEthernet0/0/1
        172.2.1.0/24  OSPF   10   2                D  172.1.1.2       GigabitEthernet0/0/1
    [PE1] display ospf peer
              OSPF Process 1 with Router ID 1.1.1.9
                      Neighbors
     Area 0.0.0.0 interface 172.1.1.1(GigabitEthernet0/0/1)'s neighbors
     Router ID: 172.1.1.2        Address: 172.1.1.2
       State: Full  Mode:Nbr is  Master  Priority: 1
       DR: None   BDR: None   MTU: 1500
       Dead timer due in 38  sec
       Neighbor is up for 00:02:44
       Authentication Sequence: [ 0 ] 

  2. On the MPLS backbone network, configure basic MPLS capabilities and MPLS LDP, and set up LDP LSPs.

    # Configure PE1.

    [PE1] mpls lsr-id 1.1.1.9
    [PE1] mpls
    [PE1-mpls] quit
    [PE1] mpls ldp
    [PE1-mpls-ldp] quit
    [PE1] interface GigabitEthernet 0/0/1
    [PE1-GigabitEthernet0/0/1] mpls
    [PE1-GigabitEthernet0/0/1] mpls ldp
    [PE1-GigabitEthernet0/0/1] quit
    

    # Configure the P.

    [P] mpls lsr-id 2.2.2.9
    [P] mpls
    [P-mpls] quit
    [P] mpls ldp
    [P-mpls-ldp] quit
    [P] interface GigabitEthernet 0/0/0
    [P-GigabitEthernet0/0/0] mpls
    [P-GigabitEthernet0/0/0] mpls ldp
    [P-GigabitEthernet0/0/0] quit
    [P] interface GigabitEthernet 0/0/1
    [P-GigabitEthernet0/0/1] mpls
    [P-GigabitEthernet0/0/1] mpls ldp
    [P-GigabitEthernet0/0/1] quit

    # Configure PE2.

    [PE2] mpls lsr-id 3.3.3.9
    [PE2] mpls
    [PE2-mpls] quit
    [PE2] mpls ldp
    [PE2-mpls-ldp] quit
    [PE2] interface GigabitEthernet 0/0/1
    [PE2-GigabitEthernet0/0/1] mpls
    [PE2-GigabitEthernet0/0/1] mpls ldp
    [PE2-GigabitEthernet0/0/1] quit

    After configuration, LDP sessions should be set up between PE1 and the P and between PE2 and the P. Run the display mpls ldp session command, and you can see that the status is Operational. Run the display mpls ldp lsp command, and you can see the establishment status of LDP LSPs.

    Take the display on PE1 as an example:

    [PE1] display mpls ldp session
     LDP Session(s) in Public Network                                               
     Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)                  
     A '*' before a session means the session is being deleted.                     
     ------------------------------------------------------------------------------ 
     PeerID             Status      LAM  SsnRole  SsnAge      KASent/Rcv            
     ------------------------------------------------------------------------------ 
     2.2.2.9:0          Operational DU   Passive  0000:00:15  64/64                 
     3.3.3.9:0          Operational DU   Passive  0000:00:15  64/64                 
     ------------------------------------------------------------------------------ 
     TOTAL: 2 session(s) Found.                   
    [PE1] display mpls ldp lsp
      LDP LSP Information                                                            
     -------------------------------------------------------------------------------
     DestAddress/Mask   In/OutLabel    UpstreamPeer    NextHop         OutInterface 
     -------------------------------------------------------------------------------
     1.1.1.9/32         3/NULL         2.2.2.9         127.0.0.1       InLoop0      
     1.1.1.9/32         3/NULL         3.3.3.9         127.0.0.1       InLoop0      
    *1.1.1.9/32         Liberal/1029                   DS/2.2.2.9                   
    *1.1.1.9/32         Liberal/1031                   DS/3.3.3.9                   
     2.2.2.9/32         NULL/3         -               172.1.1.2       GE0/0/1      
     2.2.2.9/32         1031/3         2.2.2.9         172.1.1.2       GE0/0/1      
     2.2.2.9/32         1031/3         3.3.3.9         172.1.1.2       GE0/0/1      
    *2.2.2.9/32         Liberal/1030                   DS/3.3.3.9                   
     3.3.3.9/32         NULL/1028      -               172.1.1.2       GE0/0/1      
     3.3.3.9/32         1032/1028      2.2.2.9         172.1.1.2       GE0/0/1      
     3.3.3.9/32         1032/1028      3.3.3.9         172.1.1.2       GE0/0/1      
    *3.3.3.9/32         Liberal/3                      DS/3.3.3.9                   
     -------------------------------------------------------------------------------
     TOTAL: 8 Normal LSP(s) Found.                                                  
     TOTAL: 4 Liberal LSP(s) Found.                                                 
     TOTAL: 0 Frr LSP(s) Found.                                                     
     A '*' before an LSP means the LSP is not established                           
     A '*' before a Label means the USCB or DSCB is stale                           
     A '*' before a UpstreamPeer means the session is stale                         
     A '*' before a DS means the session is stale                                   
     A '*' before a NextHop means the LSP is FRR LSP  

  3. Set up the MP-IBGP peer relationship between PEs.

    # Configure PE1.

    [PE1] bgp 100
    [PE1-bgp] peer 3.3.3.9 as-number 100
    [PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
    [PE1-bgp] ipv4-family vpnv4
    [PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
    [PE1-bgp-af-vpnv4] quit
    [PE1-bgp] quit

    # Configure PE2.

    [PE2] bgp 100
    [PE2-bgp] peer 1.1.1.9 as-number 100
    [PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
    [PE2-bgp] ipv4-family vpnv4
    [PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
    [PE2-bgp-af-vpnv4] quit
    [PE2-bgp] quit

    After the configuration is complete, run the display bgp peer command or the display bgp vpnv4 all peer command on the PEs. You can see that the BGP peer relationship is set up between the PEs and is in the Established state.

    [PE1] display bgp vpnv4 all peer
    BGP local router ID : 1.1.1.9
     Local AS number : 100
     Total number of peers : 3                 Peers in established state : 3
      Peer            V    AS  MsgRcvd  MsgSent    OutQ  Up/Down    State        PrefRcv
    
      3.3.3.9         4   100   12      18         0     00:09:38   Established  0

  4. On the PEs, configure VPN instances to connect the CEs to the PEs.

    # Configure PE1.

    # Enable the virtual system function.

    [PE1] vsys enable
    

    # Configure a resource class.

    [PE1] resource-class r1
    [PE1-resource-class-r1] resource-item-limit session reserved-number 10000 maximum 50000
    [PE1-resource-class-r1] resource-item-limit bandwidth 20 outbound
    [PE1-resource-class-r1] quit

    # Create virtual systems and allocate resources. At the same time, VPN instances are generated.

    [PE1] vsys name vpna
    [PE1-vsys-vpna] assign resource-class r1
    [PE1-vsys-vpna] assign interface GigabitEthernet 0/0/0
    [PE1-vsys-vpna] quit

    # Configure VPN instances.

    [PE1] ip vpn-instance vpna
    [PE1-vpn-instance-vpna] ipv4-family
    [PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
    [PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
    [PE1-vpn-instance-vpna-af-ipv4] quit
    [PE1-vpn-instance-vpna] quit
    

    # Configure the virtual system and add its interfaces to security zones. You do not need to set an IP address for Virtual-if1, but you must add it to a security zone.

    [PE1] switch vsys vpna
    <PE1-vpna> system-view
    [PE1-vpna] interface GigabitEthernet 0/0/0
    [PE1-vpna-GigabitEthernet0/0/0] ip address 10.1.1.2 24
    [PE1-vpna-GigabitEthernet0/0/0] quit
    [PE1-vpna] firewall zone trust
    [PE1-vpna-zone-trust] add interface GigabitEthernet 0/0/0
    [PE1-vpna-zone-trust] quit
    [PE1-vpna] firewall zone dmz
    [PE1-vpna-zone-dmz] add interface Virtual-if1
    [PE1-vpna-zone-dmz] quit

    # Configure a security policy for virtual system vpna for connectivity between CEs.

    During MPLS VPN forwarding, the root system no longer processes packets based on the firewall forwarding process. Instead, packets are sent to Virtual-if1, and the virtual system processes the packets based on the configured policy.

    [PE1-vpna] security-policy
    [PE1-vpna-policy-security] rule name policy_sec_2
    [PE1-vpna-policy-security-rule-policy_sec_2] source-zone trust dmz
    [PE1-vpna-policy-security-rule-policy_sec_2] destination-zone trust dmz
    [PE1-vpna-policy-security-rule-policy_sec_2] action permit
    [PE1-vpna-policy-security-rule-policy_sec_2] quit

    # Configure PE2.

    # Enable the virtual system function.

    [PE2] vsys enable
    

    # Configure a resource class.

    [PE2] resource-class r1
    [PE2-resource-class-r1] resource-item-limit session reserved-number 10000 maximum 50000
    [PE2-resource-class-r1] resource-item-limit bandwidth 20 outbound
    [PE2-resource-class-r1] quit

    # Create virtual systems and allocate resources. At the same time, VPN instances are generated.

    [PE2] vsys name vpna
    [PE2-vsys-vpna] assign resource-class r1
    [PE2-vsys-vpna] assign interface GigabitEthernet 0/0/0
    [PE2-vsys-vpna] quit

    # Configure VPN instances.

    [PE2] ip vpn-instance vpna
    [PE2-vpn-instance-vpna] ipv4-family
    [PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
    [PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
    [PE2-vpn-instance-vpna-af-ipv4] quit
    [PE2-vpn-instance-vpna] quit
    

    # Configure the virtual system and add its interfaces to security zones.

    [PE2] switch vsys vpna
    <PE2-vpna> system-view
    [PE2-vpna] interface GigabitEthernet 0/0/0
    [PE2-vpna-GigabitEthernet0/0/0] ip address 10.2.1.2 24
    [PE2-vpna-GigabitEthernet0/0/0] quit
    [PE2-vpna] firewall zone trust
    [PE2-vpna-zone-trust] add interface GigabitEthernet 0/0/0
    [PE2-vpna-zone-trust] quit
    [PE2-vpna] firewall zone dmz
    [PE2-vpna-zone-dmz] add interface Virtual-if1
    [PE2-vpna-zone-dmz] quit

    # Configure a security policy for virtual system vpna for connectivity between CEs.

    [PE2-vpna] security-policy
    [PE2-vpna-policy-security] rule name policy_sec_2
    [PE2-vpna-policy-security-rule-policy_sec_2] source-zone trust dmz
    [PE2-vpna-policy-security-rule-policy_sec_2] destination-zone trust dmz
    [PE2-vpna-policy-security-rule-policy_sec_2] action permit
    [PE2-vpna-policy-security-rule-policy_sec_2] quit

    # Configure CE1.

    <Router> system-view
    [Router] sysname CE1
    [CE1] interface GigabitEthernet 0/0/0
    [CE1-GigabitEthernet0/0/0] ip address 10.1.1.1 24
    [CE1-GigabitEthernet0/0/0] quit

    # Configure CE2.

    <Router> system-view
    [Router] sysname CE2
    [CE2] interface GigabitEthernet 0/0/0
    [CE2-GigabitEthernet0/0/0] ip address 10.2.1.1 24
    [CE2-GigabitEthernet0/0/0] quit

    After configuration, run the display ip vpn-instance verbose command on the PEs, and you can see the configuration status of the VPN instances. Each PE can successfully ping the CE that it connects to.

    Suppose that a PE has multiple interfaces that are bound to the same VPN. When you run the ping -vpn-instance command to ping the CE that connects to the peer PE, you need to specify the source IP address. In other words, in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command, you must specify -a source-ip-address. Otherwise, the ping may fail.

    Take PE1 and CE1 for example:

    [PE1] display ip vpn-instance verbose
     Total VPN-Instances configured : 1
     Total IPv4 VPN-Instances configured : 1
     Total IPv6 VPN-Instances configured : 0
    
     VPN-Instance Name and ID : vpna, 1                                            
      Interfaces : GigabitEthernet0/0/0                                             
     Address family ipv4                                                            
      Create date : 2017-06-15 11:58:37+08:00                                       
      Up time : 0 days, 23 hours, 16 minutes and 47 seconds                         
      Route Distinguisher : 100:1                                                   
      Export VPN Targets :  111:1                                                   
      Import VPN Targets :  111:1
                                                       
      Label Policy : label per instance                                             
      Per-Instance Label : NULL                                                     
      Log Interval : 5       
    
    [PE1] ping -vpn-instance vpna 10.1.1.1
      PING 10.1.1.1: 56  data bytes, press CTRL_C to break
        Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=56 ms
        Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=4 ms
        Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=4 ms
        Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=52 ms
        Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=3 ms
    
      --- 10.1.1.1 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 3/23/56 ms

  5. Set up the EBGP peer relationship between PEs and CEs and import VPN routes.

    # Configure CE1.

    [CE1] bgp 65410
    [CE1-bgp] peer 10.1.1.2 as-number 100
    [CE1-bgp] import-route direct

    # Configure CE2.

    [CE2] bgp 65420
    [CE2-bgp] peer 10.2.1.2 as-number 100
    [CE2-bgp] import-route direct

    # Configure PE1.

    [PE1] bgp 100
    [PE1-bgp] ipv4-family vpn-instance vpna
    [PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
    [PE1-bgp-vpna] import-route direct
    [PE1-bgp-vpna] quit
    

    # Configure PE2.

    [PE2] bgp 100
    [PE2-bgp] ipv4-family vpn-instance vpna
    [PE2-bgp-vpna] peer 10.2.1.1 as-number 65420
    [PE2-bgp-vpna] import-route direct
    [PE2-bgp-vpna] quit
    

    After the configuration is complete, run the display bgp vpnv4 vpn-instance vpn-instance-name peer command on the PEs. You can see that the BGP peer relationship is set up between the PEs and CEs and is in the Established state.

    Take the peer relationship between PE1 and CE1 as an example:

    [PE1] display bgp vpnv4 vpn-instance vpna peer
    
     BGP local router ID : 1.1.1.9
     Local AS number : 100
     VPN-Instance vpna, Router ID 1.1.1.9:
     Total number of peers : 1            Peers in established state : 1
      Peer            V    AS  MsgRcvd  MsgSent    OutQ  Up/Down    State        PrefRcv
      10.1.1.1        4   65410  11     9          0     00:06:37   Established 1

  6. Verify the configuration.

    On a PE, run the display ip routing-table vpn-instance vpn-instance-name command, and you can see the route to the peer CE.

    Take the display on PE1 as an example:

    [PE1] display ip routing-table vpn-instance vpna
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Tables: vpna
             Destinations : 3        Routes : 3
    Destination/Mask    Proto  Pre  Cost     Flags NextHop         Interface
         10.1.1.0/24    Direct 0    0        D     10.1.1.2        GigabitEthernet0/0/0
         10.1.1.2/32    Direct 0    0        D     127.0.0.1       GigabitEthernet0/0/0
         10.2.1.0/24   IBGP   255  0        RD    3.3.3.9         GigabitEthernet0/0/1

    CEs in the same VPN can ping each other. For example, CE1 can ping CE2 (10.2.1.1/24).

    [CE1] ping 10.2.1.1
      PING 10.2.1.1: 56  data bytes, press CTRL_C to break
        Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
        Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
        Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
        Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
        Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms
      --- 10.2.1.1 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 34/48/72 ms  

Configuration Files

  • Configuration file of PE1:

    #
     sysname PE1
    #
     vsys enable
    #
    resource-class r1
     resource-item-limit session reserved-number 10000 maximum 50000
     resource-item-limit bandwidth 20 outbound
    #
    vsys name vpna 1
     assign resource-class r1
     assign interface GigabitEthernet 0/0/0
    #
    ip vpn-instance vpna
     ipv4-family
      route-distinguisher 100:1
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
     mpls lsr-id 1.1.1.9
     mpls
    #
    mpls ldp
    #
    interface GigabitEthernet0/0/0
     ip binding vpn-instance vpna
     ip address 10.1.1.2 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     ip address 172.1.1.1 255.255.255.0
     undo service-manage enable
     mpls
     mpls ldp
    #
    interface LoopBack1
     ip address 1.1.1.9 255.255.255.255
    #                                                                               
    firewall zone untrust                                                             
     set priority 5                                                                
     add interface GigabitEthernet0/0/1 
    #                                                                               
    security-policy                                                                 
      rule name policy_sec_1                                                        
        source-zone untrust
        source-zone local                                                           
        destination-zone untrust       
        destination-zone local                                             
        action permit
    
    #
    bgp 100
     peer 3.3.3.9 as-number 100
     peer 3.3.3.9 connect-interface LoopBack1
    #
     ipv4-family unicast
      undo synchronization
      peer 3.3.3.9 enable
    #
     ipv4-family vpnv4
      policy vpn-target
      peer 3.3.3.9 enable
    #
     ipv4-family vpn-instance vpna
      peer 10.1.1.1 as-number 65410
      import-route direct
    #
    ospf 1
     area 0.0.0.0
      network 172.1.1.0 0.0.0.255
      network 1.1.1.9 0.0.0.0
    #
    return
    #
    switch vsys vpna 
    #
    interface GigabitEthernet0/0/0
     ip address 10.1.1.2 255.255.255.0
    #
    #                                                                               
    firewall zone trust                                                             
     set priority 85                                                                
     add interface GigabitEthernet0/0/0      
    
    #                                                                               
    firewall zone dmz                                                             
     set priority 50                                                                
     add interface Virtual-if1    
    
    #
    security-policy                                                                 
      rule name policy_sec_2       
        source-zone trust
        source-zone dmz            
        destination-zone trust       
        destination-zone dmz         
        action permit 
    #
    return

  • Configuration file of the P:

    #
     sysname P
    #
     mpls lsr-id 2.2.2.9
     mpls
    #
    mpls ldp
    #
    interface GigabitEthernet0/0/0
     ip address 172.1.1.2 255.255.255.0
     mpls
     mpls ldp
    #
    interface GigabitEthernet0/0/1
     ip address 172.2.1.1 255.255.255.0
     mpls
     mpls ldp
    #
    interface LoopBack1
     ip address 2.2.2.9 255.255.255.255
    #
    ospf 1
     area 0.0.0.0
      network 172.1.1.0 0.0.0.255
      network 172.2.1.0 0.0.0.255
      network 2.2.2.9 0.0.0.0
    #
    return

  • Configuration file of PE2:

    #
     sysname PE2
    #
     vsys enable
    #
    resource-class r1
     resource-item-limit session reserved-number 10000 maximum 50000
     resource-item-limit bandwidth 20 outbound
    #
    vsys name vpna 1
     assign resource-class r1
     assign interface GigabitEthernet 0/0/0
    #
    ip vpn-instance vpna
     ipv4-family
      route-distinguisher 100:1
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
     mpls lsr-id 3.3.3.9
     mpls
    #
    mpls ldp
    #
    interface GigabitEthernet0/0/0
     ip binding vpn-instance vpna
     ip address 10.2.1.2 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     ip address 172.2.1.2 255.255.255.0
     undo service-manage enable
     mpls
     mpls ldp
    #
    interface LoopBack1
     ip address 3.3.3.9 255.255.255.255
    #                                                                               
    firewall zone untrust                                                             
     set priority 5                                                                
     add interface GigabitEthernet0/0/1                                             
    #                                                                               
    security-policy                            
      rule name policy_sec_1                      
        source-zone untrust
        source-zone local                         
        destination-zone untrust       
        destination-zone local                                             
        action permit
    #
    bgp 100
     peer 1.1.1.9 as-number 100
     peer 1.1.1.9 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 1.1.1.9 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 1.1.1.9 enable
     #
     ipv4-family vpn-instance vpna
      peer 10.2.1.1 as-number 65420
      import-route direct
    #
    ospf 1
     area 0.0.0.0
      network 172.2.1.0 0.0.0.255
      network 3.3.3.9 0.0.0.0
    #
    return
    #
    switch vsys vpna 
    #
    interface GigabitEthernet0/0/0
     ip address 10.2.1.2 255.255.255.0
    #                                                                               
    firewall zone trust                                                             
     set priority 85                                                                
     add interface GigabitEthernet0/0/0      
    
    #                                                                               
    firewall zone dmz                                                             
     set priority 50                                                                
     add interface Virtual-if1    
    
    #
    security-policy                                                                 
      rule name policy_sec_2       
        source-zone trust
        source-zone dmz            
        destination-zone trust       
        destination-zone dmz         
        action permit 
    #
    return

  • Configuration file of CE1:

    #
     sysname CE1
    #
    interface GigabitEthernet0/0/0
     ip address 10.1.1.1 255.255.255.0
    #
    bgp 65410
     peer 10.1.1.2 as-number 100
     #
     ipv4-family unicast
      undo synchronization
      import-route direct
      peer 10.1.1.2 enable
    #
    return

  • Configuration file of CE2:

    #
     sysname CE2
    #
    interface GigabitEthernet0/0/0
     ip address 10.2.1.1 255.255.255.0
    #
    bgp 65420
     peer 10.2.1.2 as-number 100
     #
     ipv4-family unicast
      undo synchronization
      import-route direct
      peer 10.2.1.2 enable
    #
    return
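
The notes under Configuration Roadmap call for service-manage enable to be restored after the ping test and describe the security policies as basic parameters. The following added example (not Huawei code and not part of the original page) audits a saved configuration in the layout shown above for those leftovers, per virtual system; the sample input is constructed, and the list of narrowing rule keywords is an assumption.

```python
import re

# Constructed sample in the '#'-separated layout of this page's PE1 file;
# rule ce_bgp_only is hypothetical and not part of the page's configuration.
SAMPLE = """\
#
interface GigabitEthernet0/0/1
 ip address 172.1.1.1 255.255.255.0
 undo service-manage enable
#
security-policy
  rule name policy_sec_1
    source-zone untrust
    source-zone local
    destination-zone untrust
    destination-zone local
    action permit
#
return
#
switch vsys vpna
#
interface GigabitEthernet0/0/0
 ip address 10.1.1.2 255.255.255.0
#
security-policy
  rule name policy_sec_2
    source-zone trust
    source-zone dmz
    destination-zone trust
    destination-zone dmz
    action permit
  rule name ce_bgp_only
    source-zone trust
    destination-zone local
    source-address 10.1.1.1 mask 255.255.255.255
    service protocol tcp destination-port 179
    action permit
#
return
"""

# Rule keywords assumed to narrow a permit beyond zones; extend as needed.
NARROWING = {"source-address", "destination-address", "service", "application", "user"}
LINK_STATE_OFF = "undo firewall session link-state check"


def sections(text):
    """Yield (system, header, body) per '#'-delimited section; 'switch vsys <name>'
    assigns the sections that follow it to that virtual system."""
    system, block = "root", []
    for line in map(str.strip, text.splitlines() + ["#"]):
        if line and line != "#":
            block.append(line)
        elif block and line == "#":
            moved = re.match(r"switch vsys (\S+)", block[0])
            if moved:
                system = moved.group(1)
            else:
                yield system, block[0], block[1:]
            block = []


def audit(text):
    """Return sorted (system, object, finding) tuples for settings left open."""
    findings = []
    for system, header, body in sections(text):
        if LINK_STATE_OFF in [header] + body:
            findings.append((system, "global", "session link-state check disabled"))
        if header.startswith("interface ") and "undo service-manage enable" in body:
            findings.append((system, header.split()[1], "service-manage disabled"))
        elif header == "security-policy":
            rules, name = {}, None
            for line in body:
                if line.startswith("rule name "):
                    name = line.split()[2]
                    rules[name] = []
                elif name:
                    rules[name].append(line)
            for name, attrs in rules.items():
                if "action permit" in attrs and not any(a.split()[0] in NARROWING for a in attrs):
                    findings.append((system, name, "permit matches on zones only"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

In the virtual-system scenario the page requires undo service-manage enable on the WAN interface, so treat that finding as a prompt to confirm the interface is the backbone-facing one rather than as an error.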
Copyright © Huawei Technologies Co., Ltd.