Huawei cross-domain VPN (inter-AS L3VPN) Option A

Hello everyone! I'm Yibo East. I come from a Cisco background and focus on Huawei network engineering. Without further ado, let's go straight to the topic.

For special reasons, the letter "N" was replaced with the "#" symbol in the original post, so "VP#" stands for "VPN".

I. Topology

[Figure: network topology]

II. Configuration and analysis

Requirements: Branch A may only reach Branch C and no other branch; likewise, Branch B may only reach Branch D.

Configure according to the figure above, in the following steps:

(1) Configure the public-network LSP tunnel (IGP and LDP) in AS10 and AS20 respectively;
(2) Configure the MP-IBGP neighbour architecture / route reflector in AS10 and AS20;
(3) On the PEs, configure service access for the VPN instances: create each VPN instance, bind it to the CE-facing interface, configure the RD and RT correctly, and configure the PE-CE routing protocol;
(4) For each VPN, interconnect the ASBR-PEs through sub-interfaces bound to the corresponding VPN instance, and configure an EBGP neighbour relationship in each instance;
(5) Import VPNv4 routes correctly on the PEs: IGP into BGP and BGP into IGP;
(6) Check whether the routes are transmitted normally;
(7) Test connectivity;
(8) Understand the routing mechanism and how private-network (VPN) labels and public-network (LDP) labels are distributed.

1. Configure the public-network LSP tunnel (IGP and LDP) in AS10 and AS20 respectively, and configure the MP-IBGP neighbour architecture / route reflector in AS10 and AS20.

AR1

[AR1]int g0/0/2
[AR1-GigabitEthernet0/0/2]ip address 10.1.12.1 24
[AR1-GigabitEthernet0/0/2]int l0
[AR1-LoopBack0]ip address 1.1.1.1 32
[AR1-LoopBack0]q
[AR1]rip
[AR1-rip-1]version 2
[AR1-rip-1]network 10.0.0.0
[AR1-rip-1]network 1.0.0.0
[AR1-rip-1]q
[AR1]mpls lsr-id 1.1.1.1
[AR1]mpls 
[AR1-mpls]mpls ldp
[AR1-mpls-ldp]q
[AR1]int g0/0/2
[AR1-GigabitEthernet0/0/2]mpls 
[AR1-GigabitEthernet0/0/2]mpls ldp
[AR1]bgp 10
[AR1-bgp]peer 2.2.2.2 as-number 10 
[AR1-bgp]peer 2.2.2.2 connect-interface LoopBack0
[AR1-bgp]peer 2.2.2.2 next-hop-local
[AR1-bgp]ipv4-family vpnv4
[AR1-bgp-af-vpnv4]peer 2.2.2.2 enable

AR2

[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip address 10.1.12.2 24
[AR2-GigabitEthernet0/0/0]int g0/0/1
[AR2-GigabitEthernet0/0/1]ip address 10.1.23.2 24
[AR2-GigabitEthernet0/0/1]int l0
[AR2-LoopBack0]ip address 2.2.2.2 32
[AR2-LoopBack0]q
[AR2]rip
[AR2-rip-1]version 2
[AR2-rip-1]network 10.0.0.0
[AR2-rip-1]network 2.0.0.0
[AR2]mpls lsr-id 2.2.2.2
[AR2]mpls 
[AR2-mpls]mpls ldp
[AR2-mpls-ldp]q
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]mpls
[AR2-GigabitEthernet0/0/0]mpls ldp
[AR2-GigabitEthernet0/0/0]int g0/0/1
[AR2-GigabitEthernet0/0/1]mpls
[AR2-GigabitEthernet0/0/1]mpls ldp
[AR2-GigabitEthernet0/0/1]q
[AR2]bgp 10
[AR2-bgp]peer 1.1.1.1 as-number 10
[AR2-bgp]peer 1.1.1.1 connect-interface LoopBack0
[AR2-bgp]peer 1.1.1.1 next-hop-local
[AR2-bgp]peer 3.3.3.3 as-number 10
[AR2-bgp]peer 3.3.3.3 connect-interface LoopBack0
[AR2-bgp]peer 3.3.3.3 next-hop-local
[AR2-bgp]ipv4-family vpnv4
[AR2-bgp-af-vpnv4]undo policy vpn-target
[AR2-bgp-af-vpnv4]peer 1.1.1.1 enable
[AR2-bgp-af-vpnv4]peer 1.1.1.1 reflect-client
[AR2-bgp-af-vpnv4]peer 3.3.3.3 enable
[AR2-bgp-af-vpnv4]peer 3.3.3.3 reflect-client

AR3

[AR3]int g0/0/0
[AR3-GigabitEthernet0/0/0]ip address 10.1.23.3 24
[AR3-GigabitEthernet0/0/0]int l0
[AR3-LoopBack0]ip address 3.3.3.3 32
[AR3-LoopBack0]q
[AR3]rip
[AR3-rip-1]undo summary
[AR3-rip-1]version 2
[AR3-rip-1]network 10.0.0.0
[AR3-rip-1]network 3.0.0.0
[AR3-rip-1]q
[AR3]mpls lsr-id 3.3.3.3
[AR3]mpls 
[AR3-mpls]mpls ldp
[AR3-mpls-ldp]q
[AR3]int g0/0/0
[AR3-GigabitEthernet0/0/0]mpls
[AR3-GigabitEthernet0/0/0]mpls ldp

The underlying (public-network) configuration of AR4, AR5 and AR6 is similar.

2. Configure service access for the VPN instance on the PE: create the VPN instance and bind it to the CE-facing interface, configure the RD and RT correctly, and configure the routing protocol between PE and CE.

Branch A may only access Branch C, not the other branches.

AR1

[AR1]ip vpn-instance ybd1
[AR1-vpn-instance-ybd1]route-distinguisher 10:1
[AR1-vpn-instance-ybd1]vpn-target 10:1 both 
[AR1-vpn-instance-ybd1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip binding vpn-instance ybd1
[AR1-GigabitEthernet0/0/0]ip address 10.1.17.1 255.255.255.0
[AR1-GigabitEthernet0/0/0]bgp 10
[AR1-bgp]ipv4-family vpn-instance ybd1
[AR1-bgp-ybd1]peer 10.1.17.7 as-number 1 

AR79

[AR79]int g0/0/0
[AR79-GigabitEthernet0/0/0]ip address 10.1.17.7 24
[AR79-GigabitEthernet0/0/0]bgp 1
[AR79-bgp]peer 10.1.17.1 as-number 10 
[AR79-bgp]network 7.7.7.7 255.255.255.255 
[AR79-bgp]peer 10.1.17.1 enable
[AR79-bgp]peer 10.1.17.1 allow-as-loop

Verify the PE-CE peering on both sides (the output was shown as screenshots in the original):

[AR79]dis bgp peer
[AR1]dis bgp vpnv4 all peer

AR3

[AR3]ip vpn-instance ybd5
[AR3-vpn-instance-ybd5]route-distinguisher 10:1
[AR3-vpn-instance-ybd5]vpn-target 10:1 both
[AR3-vpn-instance-ybd5]int g0/0/1.10
[AR3-GigabitEthernet0/0/1.10]dot1q termination vid 10
[AR3-GigabitEthernet0/0/1.10]ip binding vpn-instance ybd5
[AR3-GigabitEthernet0/0/1.10]ip address 10.1.34.3 255.255.255.0 
[AR3-GigabitEthernet0/0/1.10]arp broadcast enable
[AR3-GigabitEthernet0/0/1.10]bgp 10
[AR3-bgp]ipv4-family vpn-instance ybd5
[AR3-bgp-ybd5]peer 10.1.34.4 as-number 20

AR4

[AR4]ip vpn-instance ybd6
[AR4-vpn-instance-ybd6]route-distinguisher 20:1
[AR4-vpn-instance-ybd6]vpn-target 20:1 both
[AR4-vpn-instance-ybd6]int g0/0/0.20
[AR4-GigabitEthernet0/0/0.20]dot1q termination vid 10
[AR4-GigabitEthernet0/0/0.20]ip binding vpn-instance ybd6
[AR4-GigabitEthernet0/0/0.20]ip address 10.1.34.4 255.255.255.0 
[AR4-GigabitEthernet0/0/0.20]arp broadcast enable
[AR4-GigabitEthernet0/0/0.20]bgp 20
[AR4-bgp]ipv4-family vpn-instance ybd6
[AR4-bgp-ybd6]peer 10.1.34.3 as-number 10

AR6

[AR6]ip vpn-instance ybd3
[AR6-vpn-instance-ybd3]route-distinguisher 20:1
[AR6-vpn-instance-ybd3]vpn-target 20:1
[AR6-vpn-instance-ybd3]int g0/0/1
[AR6-GigabitEthernet0/0/1]ip binding vpn-instance ybd3
[AR6-GigabitEthernet0/0/1]ip address 10.1.69.6 255.255.255.0
[AR6-GigabitEthernet0/0/1]bgp 20
[AR6-bgp]ipv4-family vpn-instance ybd3
[AR6-bgp-ybd3]peer 10.1.69.9 as-number 1 
[AR6-bgp-ybd3]peer 10.1.69.9 substitute-as

AR97

[AR97]int g0/0/0
[AR97-GigabitEthernet0/0/0]ip address 10.1.69.9 255.255.255.0 
[AR97-GigabitEthernet0/0/0]bgp 1
[AR97-bgp]peer 10.1.69.6 as-number 20 
[AR97-bgp]network 9.9.9.9 255.255.255.255

Check the routing tables on both CEs:

[AR97]dis ip routing-table
[AR79]dis ip routing-table

How does Branch A reach Branch C?

First check the route to 9.9.9.9 on AR79:

[AR79]dis ip routing-table 9.9.9.9

The output shows that the next hop of the 9.9.9.9 route is 10.1.17.1 (AR1), so the CE sends a plain IP packet (source 7.7.7.7, destination 9.9.9.9) to AR1.

AR1 receives the packet on G0/0/0, which is bound to VPN instance ybd1, so it looks the destination up in that instance's routing table:

[AR1]dis ip routing-table vpn-instance ybd1
[AR1]dis bgp vpnv4 vpn-instance ybd1 routing-table 9.9.9.9

The VPNv4 route carries the private-network (VPN) label 1027, which AR1 pushes as the inner label. The BGP next hop is 3.3.3.3, so AR1 then looks up the public-network LSP to 3.3.3.3:

[AR1]dis mpls lsp

The outgoing label for 3.3.3.3 is 1024, which is pushed on top. The packet now carries two labels (outer 1024, inner 1027) and is sent out of G0/0/2.

The RR (AR2) looks up the label:

[AR2]dis mpls lsp

For 3.3.3.3 the incoming label is 1024 and the outgoing label is 3 (implicit null), so AR2 pops the top label (penultimate hop popping) and sends the packet, now carrying only label 1027, out of G0/0/1.
When AR3 receives the packet it checks its LSP table:

[AR3]dis mpls lsp

Label 1027 is a label that AR3 allocated through BGP: a packet arriving with label 1027 belongs to VPN instance ybd5 and is forwarded using that routing table. AR3 pops the label and looks up the destination:

[AR3]dis ip routing-table vpn-instance ybd5 9.9.9.9

The next hop is 10.1.34.4 and the outbound interface is G0/0/1.10 (the sub-interface bound to ybd5), so the packet is sent to AR4 as a plain IP packet; on the link between the two ASBRs there is no MPLS label at all.
AR4 receives the packet on G0/0/0.20, which is bound to VPN instance ybd6, and looks up 9.9.9.9 there:

[AR4]dis bgp vpnv4 all routing-table 9.9.9.9

The next hop is 6.6.6.6, and AR6 has assigned this route the private-network label 1026, so AR4 pushes label 1026. It then checks the public-network label for next hop 6.6.6.6 in its LSP table: the outgoing label is 1024 and the outgoing interface is G0/0/1, so label 1024 is pushed on top and the packet leaves AR4 with two labels again.
[AR5]dis mpls lsp

For 6.6.6.6 the incoming label is 1024 and the outgoing label is 3, so AR5 pops the top label and sends the packet out of G0/0/1 carrying only label 1026.

On AR6:

[AR6]dis mpls lsp

Label 1026 was allocated by AR6 through BGP: a packet received with label 1026 belongs to VPN instance ybd3. AR6 pops the label and looks up the destination:

[AR6]dis ip routing-table vpn-instance ybd3 9.9.9.9

The next hop is 10.1.69.9 and the outgoing interface is G0/0/1, so the packet is delivered to AR97 as plain IP.

Forwarding works end to end. A traceroute from Branch A confirms the path:

[AR79]tracert -a 7.7.7.7 9.9.9.9
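As an added example (not code from the original post), the following Python script replays the data-plane walk above as a table-driven simulation. The forwarding tables are hand-built from the labels and next hops shown in the post, the interface names are taken from the configuration, and the whole model is an assumption used only to make the two separate label stacks and the unlabelled hop between the ASBRs visible.

```python
IMPLICIT_NULL = 3  # label 3 from an LDP peer means "pop before forwarding" (PHP)
# Constructed per-router state, copied from the labels and next hops in the walk-through.
# ilm: in-label -> ("swap", out_label, out_if, peer) | ("vrf", instance) for a VPN label
# vrf_rt: (vrf, prefix) -> ("remote", next-hop PE, VPN label) | ("direct", nh, out_if, peer)
# lsp: PE loopback -> (LDP out_label, out_if, peer);  vrf_if: ingress interface -> vrf
ROUTERS = {
    "AR1": {"vrf_if": {"g0/0/0": "ybd1"},
            "vrf_rt": {("ybd1", "9.9.9.9"): ("remote", "3.3.3.3", 1027)},
            "lsp": {"3.3.3.3": (1024, "g0/0/2", "AR2")}},
    "AR2": {"ilm": {1024: ("swap", IMPLICIT_NULL, "g0/0/1", "AR3")}},
    "AR3": {"ilm": {1027: ("vrf", "ybd5")},
            "vrf_rt": {("ybd5", "9.9.9.9"): ("direct", "10.1.34.4", "g0/0/1.10", "AR4")}},
    "AR4": {"vrf_if": {"g0/0/0.20": "ybd6"},
            "vrf_rt": {("ybd6", "9.9.9.9"): ("remote", "6.6.6.6", 1026)},
            "lsp": {"6.6.6.6": (1024, "g0/0/1", "AR5")}},
    "AR5": {"ilm": {1024: ("swap", IMPLICIT_NULL, "g0/0/1", "AR6")}},
    "AR6": {"ilm": {1026: ("vrf", "ybd3")},
            "vrf_rt": {("ybd3", "9.9.9.9"): ("direct", "10.1.69.9", "g0/0/1", "AR97")}},
}
ENTRY_IF = {"AR1": "g0/0/0", "AR4": "g0/0/0.20"}  # where this flow arrives as plain IP

def forward(name, pkt, in_if):
    """One hop: update pkt["labels"] (stack, top last) and return (out_if, next router)."""
    r, labels = ROUTERS[name], pkt["labels"]
    if labels:                                   # labelled packet: the ILM decides
        action = r["ilm"][labels.pop()]
        if action[0] == "swap":                  # P/RR hop: swap, or only pop on PHP
            if action[1] != IMPLICIT_NULL:
                labels.append(action[1])
            return action[2], action[3]
        vrf = action[1]                          # VPN label popped; instance selected
    else:
        vrf = r["vrf_if"][in_if]                 # plain IP: the interface binding decides
    route = r["vrf_rt"][(vrf, pkt["dst"])]
    if route[0] == "direct":                     # egress PE / ASBR: forward as plain IP
        return route[2], route[3]
    out_label, out_if, peer = r["lsp"][route[1]]  # ingress PE: VPN label, then LDP label
    labels.append(route[2])
    if out_label != IMPLICIT_NULL:
        labels.append(out_label)
    return out_if, peer

def trace(start, dst, stop):
    """Follow one packet hop by hop; return [(router, out_if, label stack on exit), ...]."""
    pkt, name, hops = {"dst": dst, "labels": []}, start, []
    while name != stop:
        out_if, nxt = forward(name, pkt, ENTRY_IF.get(name, ""))
        hops.append((name, out_if, list(pkt["labels"])))
        name = nxt
    return hops
```

Calling trace("AR1", "9.9.9.9", "AR97") returns one tuple per router with the label stack the packet carries on exit, which should show the two-label, one-label, no-label pattern twice: once per AS, with plain IP on the AR3-AR4 link.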

3. Branch B may only access Branch D

Import the VPN routes correctly on the PE: the IGP (OSPF) is imported into BGP, and BGP is imported into the IGP.

AR1

[AR1]ip vpn-instance ybd2
[AR1-vpn-instance-ybd2]route-distinguisher 10:2
[AR1-vpn-instance-ybd2]vpn-target 10:2 both
[AR1-vpn-instance-ybd2]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip binding vpn-instance ybd2
[AR1-GigabitEthernet0/0/1]ip address 10.1.18.1 255.255.255.0 
[AR1]ospf 1 vpn-instance ybd2
[AR1-ospf-1]import-route bgp
[AR1-ospf-1]a 0
[AR1-ospf-1-area-0.0.0.0]network 10.1.18.1 0.0.0.0 
[AR1-ospf-1-area-0.0.0.0]q
[AR1-ospf-1]q
[AR1]bgp 10
[AR1-bgp]ipv4-family vpn-instance ybd2
[AR1-bgp-ybd2]import-route ospf 1

AR18

[AR18]int g0/0/0
[AR18-GigabitEthernet0/0/0]ip address 10.1.18.8 255.255.255.0 
[AR18-GigabitEthernet0/0/0]q
[AR18]int l0
[AR18-LoopBack0]ip address 8.8.8.8 32
[AR18-LoopBack0]q
[AR18]ospf 1 router-id 8.8.8.8 
[AR18-ospf-1]a 0
[AR18-ospf-1-area-0.0.0.0]network 8.8.8.8 0.0.0.0 
[AR18-ospf-1-area-0.0.0.0]network 10.1.18.8 0.0.0.0 

The configurations of AR6 and AR81 are similar.

[AR18]dis ip routing-table

The AR18 routing table contains no routes belonging to Branch A or Branch D.

[AR18]ping 10.10.10.10

Also, specifying the same neighbour under different VPN instances in BGP does not cause a conflict, because the instances are separate.

RD: distinguishes VPN instances. It marks routes, is only significant locally, and distinguishes identical prefixes coming from different sites.
RT: controls routes, i.e. which routes are imported into and exported from a VPN instance.

III. Characteristics of cross-domain VPN Option A

Back-to-back VRF

Advantages: relatively simple configuration.

Create a sub-interface on each ASBR and bind it to the VPN instance; configure the VPN instance on the PE and bind the CE-facing interface.

Disadvantages: poor scalability.

The ASBR has to manage all VPN routes and create a VPN instance for every VPN, so the number of VPN-IPv4 routes the ASBR must maintain becomes too large. Option A is the first choice only when the number of cross-domain VPNs is small.

Here the ASBR must manage the routes of both instances:

[AR3]dis bgp vpnv4 all routing-table
Insert picture description here

Aphorism of the moment: The world is like a mirror: frown at it, and it frowns at you; smile at it, and it smiles back at you.


Welcome to my ebaina technical community article "Huawei Cross-domain VPN-OptionA"
https://www.ebaina.com/articles/140000005405


Well, that's it for this issue. If you like this article, please like, comment, share and bookmark it. If you can also click follow, that is truly my biggest encouragement. Thank you, and see you next time!


Origin: blog.csdn.net/HYD696/article/details/112613800