Professional Documents
Culture Documents
SR BGP VPN
SR BGP VPN
This chapter provides an overview of the Border Gateway Protocol/Multiprotocol Label Switching Virtual
Private Network (BGP/MPLS VPN) and describes the tasks and commands used to configure BGP/MPLS
VPN features through the SmartEdge® OS.
For information about the tasks and commands used to monitor, troubleshoot, and administer BGP/MPLS
VPNs, see the “BGP/MPLS VPN Operations” chapter in the Routing Protocols Operations Guide for the
SmartEdge OS.
This chapter includes the following sections:
• Overview
• Configuration Tasks
• Configuration Examples
• Command Descriptions
Overview
• Carrier of Carriers
• Multihop eBGP Label Redistribution
VPN Topology
A typical BGP/MPLS VPN topology consists of multiple customer sites connected to a central service
provider site. Customer edge (CE) routers provide customer access to the service provider network over a
data link to one or more provider edge (PE) routers. The CE routers establish an adjacency with their
directly connected PE routers, and after the adjacency is established, the CE routers advertise their site’s
local VPN routes to the PE router and learn remote VPN routes from the PE router.
PE routers can exchange routing information with CE routers using static routing, Routing Information
Protocol Version 2 (RIPv2), Open Shortest Path First (OSPF), or Border Gateway Protocol (BGP). PE
routers maintain VPN routing information for the VPNs to which they are directly attached.
Packet Labels
With BGP/MPLS VPNs, there are typically two labels in a packet: an Interior Gateway Protocol (IGP) label
(tunnel label) and a VPN label. The IGP label is used in delivering the packet from an ingress PE router to
the egress PE router, where the CE router is attached. The VPN label is used by the egress PE router to
deliver the packet out of the interface connected to the proper CE router.
Note The RD contains no information about the origin of the route, or about the set of VPNs to which the
route is to be distributed. The purpose of the RD is to allow you to create distinct routes to a
common IPv4 address prefix.
A PE router must be configured to associate routes that lead to particular CE router with a particular RD.
The PE router can be configured to associate all routes leading to the same CE router with the same RD, or
it can be configured to associate different routes with different RDs, even if they lead to the same CE router.
Carrier of Carriers
The carrier of carriers (CoC) feature provides a way for a service provider to use a segment of another
service provider’s backbone network to transport traffic between two geographically separated networks.
The service provider that uses CoC to connect its two networks is called the customer carrier, and the
service provider that provides a segment of its backbone network is called the backbone carrier.
The BGP/MPLS VPN implementation of the CoC feature uses eBGP to distribute MPLS labels in IPv4
unicast routes between customer carrier CE routers and backbone carrier PE routers. The backbone carrier
uses MPLS to route traffic across its backbone network. The customer carrier can use either IP or MPLS
routing in its networks. Figure 9-1 displays the network topology for a typical BGP/MPLS VPN CoC
configuration.
Note If a non-SmartEdge router is used as a CoC-PE or CoC-CE router, that router must support IPv4
BGP label distribution. For more information about IPv4 label distribution, see RFC 3107,
Carrying Label Information in BGP-4.
The autonomous system border routers (ASBRs) do not maintain or distribute IPv4 VPN routes. Instead,
each ABSR must maintain labeled IPv4 routes to the PE routers within its AS. the routers use eBGP to
distribute the routes to other autonomous systems. ASBRs in any transit AS must also use eBGP to forward
the labeled routes. This creates a label-switched path from the ingress PE router to the egress PE router,
allowing PE routers in different autonomous systems establish multihop eBGP connections to each other,
and exchange VPN-IPv4 routes over those connections.
Configuration Tasks
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the “Command
Descriptions” section.
To configure BGP/MPLS VPNs, perform the tasks described in the following sections:
• Configuring a VPN-IPv4 Address Family for BGP Sessions Between PE Routers
• Creating a New VPN Context
• Configuring a BGP Routing Instance in a VPN Context
• Configuring Multipath Load Balancing in a BGP/MPLS VPN
• Configuring the Next-Hop Reachability Check for VPN Routes
• Configuring Route Targets
• Configuring PE-to-CE Routing
• Identifying the Specific Site from Where a Route Has Originated
• Enabling Soft GRE Tunneling
Table 9-1 Configure a VPN-IPv4 Address Family for BGP Sessions Between PE Routers
Configure a BGP routing instance in the local router bgp Enter this command in context configuration mode.
context, and access BGP configuration For detailed information about this command, see
mode. Chapter 8, “BGP Configuration.”
Enable VPN-IPv4 prefixes for a BGP routing address-family ipv4 vpn Enter this command in BGP configuration mode.
instance and enter BGP address family This command cannot be used in non-local contexts.
configuration mode.
Enable VPN-IPv4 prefixes for a specified address-family ipv4 vpn Enter this command in BGP neighbor configuration
BGP neighbor in an iBGP session, and to mode.
access BGP neighbor address family This command cannot be used in non-local contexts.
configuration mode.
Enable VPN-IPv4 prefixes for a specified address-family ipv4 vpn Enter this command in BGP peer group configuration
BGP peer group, and to enter BGP peer mode.
group address family configuration mode. This command cannot be used in non-local contexts.
Enable the multiple context feature. service multiple-contexts For more information about the service
multiple-contexts command, see the “Context
Configuration” chapter in the Basic System Configuration
Guide for the SmartEdge OS.
Create a new VPN context, and enter context context vpn-rd You cannot create new contexts on the system unless
configuration mode. you have enabled the multiple context feature using the
service multiple-contexts in global configuration mode.
Entering the full context vpn-rd command is required to
configure a VPN context. Entering the command without
the vpn-rd portion creates a context that will not be
recognized as VPN-enabled.
Configure a BGP routing instance in a router bgp vpn A BGP instance is always required within a VPN context for the
VPN context, and enter BGP following reasons:
configuration mode. • Customer routes must be distributed into BGP so they can be
advertised across the iBGP sessions that connect PE routers.
Customer routes can be distributed into BGP either statically or
from other active routing protocols.
• Route targets must also be configured within BGP address family
configuration mode.
BGP does not function properly in a VPN context until it is first
configured in the local context. Even though an ASN is not used
when configuring a BGP instance in a VPN context, this instance
uses the ASN from the BGP instance in the local context for peering
with CE routers.
When configuring BGP peering sessions within a VPN context, only
external neighbor sessions can be configured, because peering in a
VPN context must only be configured with CE routers. Also, the only
permitted address family is IPv4 unicast, and peer groups cannot be
configured.
Table 9-5 Configure the Next-Hop Reachability Check for VPN Routes
Require the next hop of a BGP VPN path next-hop-on-lsp Use the no form of this command to enable a BGP VPN path to be
to be reachable through an MPLS LSP or considered active without requiring the next hop of a VPN path to be
a tunnel in order for a VPN route to be reachable through an MPLS LSP or a tunnel.
considered active. One common application for this command is when configuring a
BGP route reflector that is not part of an MPLS network, but is used
to reflect BGP VPN routes to its clients within that MPLS network. In
this configuration, the next hops of the VPN paths may not be
reachable through an MPLS LSP or a tunnel from the route
reflector's point of view. To solve the problem, use the no form of the
this command to disable the LSP or tunnel reachability check for the
next hops, and therefore allow the BGP route reflector to correctly
select the best paths and reflect the best paths to its clients.
Create a list of export route target extended export route-target Use the ext-com argument to configure a single route target
communities for a specified VPN context. extended community, or use the route-map route-map
construct to configure an export route map for finer control over
exported Border Gateway Protocol (BGP) routes. You can
configure a single route target extended community, an export
route map, or both. You can add multiple export route targets on
the same line, or you can issue the command multiple times
with individual route targets. Export route targets are sent as
extended community attributes to other provider edge (PE)
routers.
A route map allows you to filter routes or change attributes such
as the export route target based on policy requirements. A route
map may only be used when a target community value has not
yet been configured. Use the optional ctx-name argument to
reference a route-map in another context. If the optional
ctx-name argument is not specified, then the route maps in the
current context are referenced.
This command can only be used in VPN contexts.
Create a list of import route target extended import route-target You can add multiple target communities on the same line, or
communities for a specified VPN context. you can issue the command multiple times with a single target
as the parameter. BGP routes learned from other PE routers
that carry a specific route target extended community are
imported into all VPN contexts configured with that extended
community as an import route target.
This command can only be used in VPN contexts.
Enable automatic BGP route target route-target filter This command configures the local router, if it is not configured
community filtering. as a route reflector, to ignore all VPN routes received that are
not imported into any VPN context.
You can control the number of IPv4 VPN routes that the local
ASBR advertise to the remote ASBR by configuring a
community for exportable routes on the inbound interface of the
PE router, and configuring a community based filter on the
outbound interface of the local ASBR to advertise only routes
that match the community.
Disable the AS_PATH loop detection by asloop-in Because enabling the asloop-in command disables AS_PATH
accepting a route advertisement that contains loop detection, it must only be used for specific applications that
the local ASN in the AS_PATH attribute. require this type of behavior, and in situations with strict network
control; for example, the BGP/MPLS VPN hub-and-spoke
configuration, in which a hub PE router may receive routes
containing its own ASN from a hub CE router. To disable
AS_PATH loop detection, use the asloop-in command on the
exporting context of the hub PE router.
The asloop-in command is useful only when BGP is used for
PE-to-CE routing.
For a CE router to send a route advertisement back to the PE
router from which the route is learned, the CE router must be
configured as a BGP peer with the PE router configured as a
member of the peer group. By default, routes are not sent back
to the neighbor AS from where they are received.
Replace all occurrences of a peer’s ASN in as-override When multiple VPN sites share the same ASN, enabling the AS
the AS_PATH attribute of a route with the override feature allows routes originating from an AS to be
local ASN, when advertising the route to the accepted by a router residing in the same AS. By default, the
peer. receiving router rejects the received route advertisement if the
AS_PATH attribute shows that the route originated from its own
AS to prevent routing loops.
The as-override command is useful only when BGP is used for
PE-to-CE routing.
Enabling the AS override feature may result in route loops. This
feature should only be used for specific applications that require
this type of behavior, and in situations with strict network control.
The as-override command can only be used in VPN contexts.
Enable an OSPF instance within a VPN vpn When a CE site is connected to multiple areas, the CE router’s
context to treat redistributed BGP routes as connection to a PE router should be in area 0 to allow correct
VPN routes. handling of summary link-state advertisements (LSAs).
The vpn command is useful only when OSPF is used for
PE-to-CE routing.
Table 9-8 Identify the Specific Site from Where a Route Has Originated
Identify the specific site from where a route route-origin When routes are received by a PE router, the route’s
has originated. route-origin attribute is checked against the route origin
associated with the VPN for the receive site. Received routes
are rejected if the route origin values are the same. This
prevents the readvertisement of routes back to their originating
sites.
This command is useful only when BGP is used for PE-to-CE
routing.
Enable soft GRE tunneling on the specified ip soft-gre Using soft GRE tunnels to transport MPLS-encapsulated
context. packets is called BGP/MPLS VPN over GRE, and is used to
offer BGP/MPLS VPN service when a portion of a network does
not have label switching enabled. BGP/MPLS VPN over GRE
does not require a preconfiguration of the remote GRE
endpoint. These endpoints are the BGP next-hop addresses of
the VPN routes and are learned dynamically via BGP.
Configuration Examples
This section provides BGP/MPLS VPN configuration examples in the following sections:
• Backbone Connectivity
• PE-to-CE Route Distribution
• Different BGP/MPLS VPN Topologies
• GRE over MPLS
• BGP/MPLS VPN over GRE
• New BGP Commands for BGP/MPLS VPN
• CoC
• Multihop eBGP Label Redistribution
Backbone Connectivity
The backbone connectivity must be configured in the local context.
An IGP, such as OSPF, IS-IS, or LDP must be enabled on backbone links. By default the loopback interface
IP address is used as both the router ID and LDP transport address, so it needs to be reachable. Furthermore,
MPLS switching must be enabled on the backbone links.
The following configuration allows two routers carry BGP routes for VPN-IPv4 unicast addresses. A
VPN-IPv4 unicast address is an 8 to 12 byte quantity, beginning with an 8-byte RD and ending with an
IPv4 address.
Note A VPN-IPv4 address family must be configured for the BGP PE peers. IPv4 unicast and multicast
address families can be enabled for the same peers if needed.
Note This section does not include the configuration for the backbone connectivity in the local context.
Note You must configure the service multiple-context command in order to configure a VPN context.
Note The examples shown in this section all assume eBGP is used for PE-to-CE router connectivity.
Local Import
Two CE routers that belong to the same VPN site, and are also connected to the same PE router, are usually
configured to be in the same VPN context on the PE router; however, local import can be used if the two
CE routers have different import or export policies. The following example configures a local import
network configuration. Figure 9-4 shows the network topology for the configuration.
Hub-and-Spoke
Hub-and-Spoke topology allows all spoke sites to send their traffic towards a central site location for
various different reasons; for example, authentication. The following example configures a Hub-and-Spoke
network with two spoke sites and one hub site. Figure 9-5 shows the network topology for the
configuration.
[local]PE1(config-mpls)#interface backbone1
[local]PE1(config-ctx)#router ldp
[local]PE1(config-ldp)#interface backbone1
[local]PE1(config-ctx)#router bgp 100
[local]PE1(config-bgp)#neighbor 1.1.1.2 internal
[local]PE1(config-bgp-neighbor)#update-source loop1
[local]PE1(config-bgp-neighbor)#next-hop-self
[local]PE1(config-bgp-neighbor)#address-family ipv4 vpn
[local]PE1(config)#context VPN1 vpn-rd 1.1.1.2:101
[local]PE1(config-ctx)#interface 12/1
[local]PE1(config-if)#ip address 10.1.1.1/24
[local]PE1(config-ctx)#router bgp vpn
[local]PE1(config-bgp)#address-family ipv4 unicast
[local]PE1(config-bgp-af)#export route-target 1:1
[local]PE1(config-bgp-af)#import route-target 2:2
[local]PE1(config-bgp-af)#redistribute connected
[local]PE1(config-bgp)#neighbor 10.1.1.2 external
[local]PE1(config-bgp-neighbor)#remote-as 200
[local]PE1(config-bgp-neighbor)#address-family ipv4 unicast
[local]PE1(config)#port ethernet 12/1
[local]PE1(config-port)#bind interface 12/1 local
[local]PE1(config-port)#no shutdown
[local]PE1(config)#port pos 6/1
[local]PE1(config-port)#bind interface backbone1 local
[local]PE1(config-port)#no shutdown
[local]PE1(config-port)#end
[local]CE(config-bgp-neighbor)#remote-as 100
[local]CE(config-bgp-neighbor)#address-family ipv4 unicast
[local]CE(config-bgp)#neighbor 9.1.1.1 external
[local]CE(config-bgp-neighbor)#remote-as 100
[local]CE(config-bgp)#peer-group HUB-pgrp
[local]CE(config)#port ethernet 3/1
[local]CE(config-port)#bind interface 3/1 local
[local]CE(config-port)#no shutdown
[local]CE(config)#port ethernet 3/2
[local]CE(config-port)#bind interface 3/2 local
[local]CE(config-port)#no shutdown
[local]CE(config-port)#end
Note A peer group must be configured for the eBGP peers on the Hub CE router to send back
advertisements received from the Hub PE router. By default, routes will not be advertised back to
the Hub PE router.
[local]PE2(config-port)#no shutdown
[local]PE2(config)#port pos 6/1
[local]PE2(config-port)#bind interface backbone1 local
[local]PE2(config-port)#no shutdown
[local]PE2(config-port)#end
[local]PE1(config-rsvp-lsp)#egress 3.3.3.3
[local]PE1(config-rsvp-lsp)#exit
[local]PE1(config-rsvp-if)#exit
[local]PE1(config-rsvp)#exit
[local]PE1(config-ctx)#router bgp 100
[local]PE1(config-bgp)#neighbor 3.3.3.3 internal
[local]PE1(config-bgp-neighbor)#update-source lo1
[local]PE1(config-bgp-neighbor)#address-family ipv4 unicast
[local]PE1(config-bgp-neighbor)#address-family ipv4 vpn
[local]PE1(config-bgp-neighbor)#exit
[local]PE1(config-bgp)#exit
[local]PE1(config-ctx)#exit
[local]PE1(config)#context vpn1 vpn-rd 2.2.2.2:1
[local]PE1(config-ctx)#no ip domain-lookup
[local]PE1(config-ctx)#interface gre1
[local]PE1(config-if)#ip address 30.1.1.1/30
[local]PE1(config-ctx)#interface toCE1
[local]PE1(config-if)#ip address 100.1.1.1/24
[local]PE1(config-if)#exit
[local]PE1(config-ctx)#router bgp vpn
[local]PE1(config-bgp)#address-family ipv4 unicast
[local]PE1(config-bgp-af)#export route-target 100:1
[local]PE1(config-bgp-af)#import route-target 100:1
[local]PE1(config-bgp-af)#redistribute connected
[local]PE1(config-bgp-af)#exit
[local]PE1(config-bgp)#exit
[local]PE1(config-ctx)#gre-peer name tun1 remote 100.2.1.1 local 100.1.1.1
[local]PE1(config-ctx)#end
[local]PE1(config-port)#no shutdown
[local]PE1(config-port)#end
[local]PE2(config-port)#no shutdown
[local]PE2(config-port)#end
[local]PE2(config-mpls)#exit
[local]PE2(config-ctx)#router bgp 100
[local]PE2(config-bgp)#address-family ipv4 unicast
[local]PE2(config-bgp-af)#redistribute connected
[local]PE2(config-bgp-af)#exit
[local]PE2(config-bgp)#neighbor 1.1.1.1 internal
[local]PE2(config-bgp-neighbor)#update-source loop
[local]PE2(config-bgp-neighbor)#address-family ipv4 unicast
[local]PE2(config-bgp-neighbor)#address-family ipv4 vpn
[local]PE2(config-bgp-neighbor)#exit
[local]PE2(config-bgp)#exit
[local]PE2(config-ctx)#ip soft-gre source 2.2.2.2
[local]PE2(config-ctx)#exit
[local]PE2(config)#context vpn0 vpn-rd 100:300
[local]PE2(config-ctx)#interface to_ce2
[local]PE2(config-if)#ip address 10.11.0.2/24
[local]PE2(config-if)#exit
[local]PE2(config-ctx)#router bgp vpn
[local]PE2(config-bgp)#address-family ipv4 unicast
[local]PE2(config-bgp-af)#export route-target 4134:4000
[local]PE2(config-bgp-af)#import route-target 4134:4000
[local]PE2(config-bgp-af)#redistribute connected
[local]PE2(config-bgp-af)#exit
[local]PE2(config-bgp)#neighbor 10.11.0.1 external
[local]PE2(config-bgp-neighbor)#remote-as 4001
[local]PE2(config-bgp-neighbor)#update-source to_ce2
[local]PE2(config-bgp-neighbor)#address-family ipv4 unicast
If BGP/MPLS VPN service spans multiple autonomous systems, there are two ways to exchange VPN
routes between the VPN sites across the autonomous systems:
1. Configure eBGP peering between the ASBRs, enable a VPN address family between the PE router and
ASBR, and enable a VPN address family between the ASBRs. That is, within each AS, both IPv4
unicast and VPN routes are exchanged, and ASBRs are used to exchange VPN routes for interdomain
routing.
2. Configure multihop eBGP peering between the PE routers, and enable VPN address family between the
PE routers to exchange VPN routes. The ASBR and PE routers on the backbone exchange only IPv4
unicast routes.
For both methods, the next-hop-unchanged option must be configured on the ASBRs in the VPN address
family for the peer that is peering with the other ASBR to preserve the (next-hop, label) pair.
Note Backbone connectivity in the local context is not shown in the following example.
CoC
CoC provides a way for a service provider to use a segment of another service provider’s backbone network
to transport traffic between two geographically separated networks. The service provider that uses CoC to
connect its two networks is called the customer carrier, and the service provider that provides a segment of
its backbone network is called the backbone carrier.
The BGP/MPLS VPN implementation of the CoC feature uses eBGP to distribute MPLS labels in IPv4
unicast routes between customer carrier CE routers and backbone carrier PE routers. The backbone carrier
uses MPLS to route traffic across its backbone network. The customer carrier can use either IP or MPLS
routing in its networks.
Figure 9-7 shows the network topology for this BGP/MPLS VPN CoC configuration example, where:
• The customer carrier CE routers (CoC-CE1 and CoC-CE2) are eBGP-peered to the backbone carrier
PE routers (CoC-PE1 and CoC-PE2).
• OSPF is enabled in the customer carrier networks.
• LDP and OSPF are enabled in the backbone carrier network.
• The ASN for both customer carrier networks is 200.
• The customer carrier networks only provide IP services.
[local]CoC-CE1(config-prefix-list)#exit
[local]CoC-CE1(config-ctx)#as-path-list zero-aspath-list
[local]CoC-CE1(config-as-path-list)#seq 10 permit ^$
[local]CoC-CE1(config-as-path-list)#exit
[local]CoC-CE1(config-ctx)#community-list permit-111
[local]CoC-CE1(config-community-list)#seq 10 permit 200:111
[local]CoC-CE1(config-community-list)#exit
[local]CoC-CE1(config-ctx)#route-map from-backbone-only permit 10
[local]CoC-CE1(config-route-map)#set community no-advertise
[local]CoC-CE1(config-route-map)#exit
[local]CoC-CE1(config-ctx)#route-map redist-to-bgp permit 10
[local]CoC-CE1(config-route-map)#set community 200:111
[local]CoC-CE1(config-route-map)#exit
[local]CoC-CE1(config-ctx)#route-map redist-to-ospf permit 10
[local]CoC-CE1(config-route-map)#match ip next-hop prefix-list backbone-addr
[local]CoC-CE1(config-route-map)#match route-type external
[local]CoC-CE1(config-route-map)#exit
[local]CoC-CE1(config-ctx)#route-map to-backbone-only permit 10
[local]CoC-CE1(config-route-map)#match as-path-list zero-aspath-list
[local]CoC-CE1(config-route-map)#match community-list permit-111
[local]CoC-CE1(config-route-map)#exit
[local]CoC-CE1(config-ctx)#route-map to-ibgp-peers deny 10
[local]CoC-CE1(config-route-map)#match as-path-list zero-aspath-list
[local]CoC-CE1(config-route-map)#match community-list permit-111
[local]CoC-CE1(config-route-map)#exit
[local]CoC-CE1(config-ctx)#route-map to-ibgp-peers permit 20
[local]CoC-CE1(config-route-map)#exit
[local]CoC-CE1(config-ctx)#router mpls 1
[local]CoC-CE1(config-mpls)#interface to-CoC-PE1
[local]CoC-CE1(config-mpls-if)#exit
[local]CoC-CE1(config-mpls)#exit
[local]CoC-CE1(config-ctx)#router bgp 200
[local]CoC-CE1(config-bgp)#address-family ipv4 unicast
[local]CoC-CE1(config-bgp-af)#redistribute connected route-map redist-to-bgp
[local]CoC-CE1(config-bgp-af)#redistribute ospf 1 route-map redist-to-bgp
[local]CoC-CE1(config-bgp-af)#exit
[local]CoC-CE1(config-bgp)#peer-group ibgp-peers internal
[local]CoC-CE1(config-bgp-peer-group)#update-source lo1
[local]CoC-CE1(config-bgp-peer-group)#address-family ipv4 unicast
[local]CoC-CE1(config-bgp-peer-af)#route-map to-ibgp-peers out
[local]CoC-CE1(config-bgp-peer-af)#exit
[local]CoC-CE1(config-bgp-peer-group)#exit
[local]CoC-CE1(config-bgp)#neighbor 4.4.4.4 internal
[local]CoC-CE1(config-bgp-neighbor)#peer-group ibgp-peers
[local]CoC-CE1(config-bgp-neighbor)#exit
[local]CoC-CE1(config-bgp)#neighbor 5.5.5.5 internal
[local]CoC-CE1(config-bgp-neighbor)#peer-group ibgp-peers
[local]CoC-CE1(config-bgp-neighbor)#exit
[local]CoC-CE1(config-bgp)#neighbor 6.6.6.6 internal
[local]CoC-CE1(config-bgp-neighbor)#peer-group ibgp-peers
[local]CoC-CE1(config-bgp-neighbor)#exit
[local]CoC-CE1(config-bgp)#neighbor 20.1.1.1 external
[local]CoC-CE1(config-bgp-neighbor)#remote-as 1
[local]CoC-CE1(config-bgp-neighbor)#advertisement-interval 1
[local]CoC-CE1(config-bgp-neighbor)#address-family ipv4 unicast
[local]CoC-CE1(config-bgp-peer-af)#send label
[local]CoC-CE1(config-bgp-peer-af)#route-map from-backbone-only in
[local]CoC-CE1(config-bgp-peer-af)#route-map to-backbone-only out
[local]CoC-CE1(config-bgp-peer-af)#exit
[local]CoC-CE1(config-bgp-neighbor)#exit
[local]CoC-CE1(config-bgp)#exit
[local]CoC-CE1(config-ctx)#exit
[local]CoC-CE1(config)#card ether-12-port 2
[local]CoC-CE1(config)#port ethernet 2/4
[local]CoC-CE1(config-port)#no shutdown
[local]CoC-CE1(config-port)#bind interface to-CoC-PE1 local
[local]CoC-CE1(config-port)#exit
[local]CoC-CE1(config)#port ethernet 2/10
[local]CoC-CE1(config-port)#no shutdown
[local]CoC-CE1(config-port)#bind interface to-PE1 local
[local]CoC-CE1(config-port)#end
[local]CoC-PE2(config-bgp-neighbor)#remote-as 200
[local]CoC-PE2(config-bgp-neighbor)#advertisement-interval 1
[local]CoC-PE2(config-bgp-neighbor)#as-override
[local]CoC-PE2(config-bgp-neighbor)#address-family ipv4 unicast
[local]CoC-PE2(config-bgp-peer-af)#send label
[local]CoC-PE2(config-bgp-peer-af)#exit
[local]CoC-PE2(config-bgp-neighbor)#exit
[local]CoC-PE2(config-bgp)#exit
[local]CoC-PE2(config-ctx)#exit
[local]CoC-PE2(config)#card ether-12-port 2
[local]CoC-PE2(config)#port ethernet 2/2
[local]CoC-PE2(config-port)#no shutdown
[local]CoC-PE2(config-port)#bind interface to-CoC-CE2 vpn1
[local]CoC-PE2(config-port)#exit
[local]CoC-PE2(config)#port ethernet 2/6
[local]CoC-PE2(config-port)#no shutdown
[local]CoC-PE2(config-port)#bind interface to-CoC-PE1 local
[local]CoC-PE2(config-port)#end
[local]CoC-CE2(config-bgp-peer-af)#exit
[local]CoC-CE2(config-bgp-neighbor)#exit
[local]CoC-CE2(config-bgp)#exit
[local]CoC-CE2(config-ctx)#exit
[local]CoC-CE2(config)#card ether-12-port 2
[local]CoC-CE2(config)#port ethernet 2/1
[local]CoC-CE2(config-port)#no shutdown
[local]CoC-CE2(config-port)#bind interface to-CoC-PE2 local
[local]CoC-CE2(config-port)#exit
[local]CoC-CE2(config)#port ethernet 2/7
[local]CoC-CE2(config-port)#no shutdown
[local]CoC-CE2(config-port)#bind interface to-PE2 local
[local]CoC-CE2(config-port)#end
[local]PE2(config-bgp-neighbor)#exit
[local]PE2(config-bgp)#exit
[local]PE2(config-ctx)#exit
[local]PE2(config)#card ether-12-port 3
[local]PE2(config)#port ethernet 3/10
[local]PE2(config-port)#no shutdown
[local]PE2(config-port)#bind interface to-CoC-CE2 local
[local]PE2(config-port)#end
Note To preserve VPN label next-hop information across the autonomous systems, the next-hop
information for IPv4 VPN routes must not be changed on the local PE router when advertising to
the remote PE router through multihop eBGP peering.
[local]PE1(config-if)#exit
[local]PE1(config-ctx)#interface lo1 loopback
[local]PE1(config-if)#ip address 5.5.5.5/32
[local]PE1(config-if)#exit
[local]PE1(config-ctx)#router ospf 1
[local]PE1(config-ospf)#area 0.0.0.0
[local]PE1(config-ospf-area)#interface 3/10
[local]PE1(config-ospf-if)#exit
[local]PE1(config-ospf-area)#interface lo1
[local]PE1(config-ospf-if)#exit
[local]PE1(config-ospf)#exit
[local]PE1(config-ctx)#router mpls 1
[local]PE1(config-mpls)#interface 3/10
[local]PE1(config-mpls-if)#exit
[local]PE1(config-mpls)#exit
[local]PE1(config-ctx)#router ldp
[local]PE1(config-ldp)#interface 3/10
[local]PE1(config-ldp)#exit
[local]PE1(config-ctx)#router bgp 400
[local]PE1(config-bgp)#address-family ipv4 unicast
[local]PE1(config-bgp-af)#exit
[local]PE1(config-bgp)#address-family ipv4 vpn
[local]PE1(config-bgp-af)#exit
[local]PE1(config-bgp)#neighbor 2.2.2.2 external
[local]PE1(config-bgp-neighbor)#remote-as 200
[local]PE1(config-bgp-neighbor)#advertisement-interval 1
[local]PE1(config-bgp-neighbor)#ebgp-multihop 10
[local]PE1(config-bgp-neighbor)#update-source lo1
[local]PE1(config-bgp-neighbor)#address-family ipv4 unicast
[local]PE1(config-bgp-af)#exit
[local]PE1(config-bgp-neighbor)#address-family ipv4 vpn
[local]PE1(config-bgp-af)#next-hop-unchanged
[local]PE1(config-bgp-af)#exit
[local]PE1(config-bgp-neighbor)#exit
[local]PE1(config-bgp)#neighbor 4.4.4.4 internal
[local]PE1(config-bgp-neighbor)#advertisement-interval 1
[local]PE1(config-bgp-neighbor)#update-source lo1
[local]PE1(config-bgp-neighbor)#address-family ipv4 unicast
[local]PE1(config-bgp-peer-af)#send label
[local]PE1(config-bgp-peer-af)#exit
[local]PE1(config-bgp-neighbor)#exit
[local]PE1(config-bgp)#exit
[local]PE1(config-ctx)#exit
[local]PE1(config)#context vpn1 vpn-rd 2:2
[local]PE1(config-ctx)#interface lo1 loopback
[local]PE1(config-if)#ip address 55.55.55.55/32
[local]PE1(config-if)#exit
[local]PE1(config-ctx)#router bgp vpn
[local]PE1(config-bgp)#address-family ipv4 unicast
[local]PE1(config-bgp-af)#export route-target 2:2
[local]PE1(config-bgp-af)#import route-target 2:2
[local]PE1(config-bgp-af)#redistribute connected
[local]PE1(config-bgp-af)#redistribute static
[local]PE1(config-bgp-af)#exit
[local]PE1(config-bgp)#exit
[local]PE1(config-ctx)#exit
[local]PE1(config)#card ether-12-port 3
[local]PE1(config)#port ethernet 3/10
[local]PE1(config-port)#no shutdown
[local]PE1(config-port)#bind interface 3/10 local
[local]PE1(config-port)#end
[local]ASBR1(config-bgp-peer-af)#exit
[local]ASBR1(config-bgp-neighbor)#exit
[local]ASBR1(config-bgp)#neighbor 40.1.1.2 external
[local]ASBR1(config-bgp-neighbor)#remote-as 200
[local]ASBR1(config-bgp-neighbor)#advertisement-interval 1
[local]ASBR1(config-bgp-neighbor)#address-family ipv4 unicast
[local]ASBR1(config-bgp-peer-af)#send label
[local]ASBR1(config-bgp-peer-af)#exit
[local]ASBR1(config-bgp-neighbor)#exit
[local]ASBR1(config-bgp)#exit
[local]ASBR1(config-ctx)#exit
[local]ASBR1(config)#card ether-12-port 3
[local]ASBR1(config)#port ethernet 3/2
[local]ASBR1(config-port)#no shutdown
[local]ASBR1(config-port)#bind interface 3/2 local
[local]ASBR1(config-port)#exit
[local]ASBR1(config)#port ethernet 3/4
[local]ASBR1(config-port)#no shutdown
[local]ASBR1(config-port)#bind interface 3/4 local
[local]ASBR1(config-port)#end
[local]ASBR2(config-ldp)#exit
[local]ASBR2(config-ctx)#router bgp 400
[local]ASBR2(config-bgp)#address-family ipv4 unicast
[local]ASBR2(config-bgp-af)#redistribute ospf 1
[local]ASBR2(config-bgp-af)#exit
[local]ASBR2(config-bgp)#neighbor 2.2.2.2 internal
[local]ASBR2(config-bgp-neighbor)#advertisement-interval 1
[local]ASBR2(config-bgp-neighbor)#update-source lo1
[local]ASBR2(config-bgp-neighbor)#next-hop-self
[local]ASBR2(config-bgp-neighbor)#address-family ipv4 unicast
[local]ASBR2(config-bgp-peer-af)#send label
[local]ASBR2(config-bgp-peer-af)#exit
[local]ASBR2(config-bgp-neighbor)#exit
[local]ASBR2(config-bgp)#neighbor 40.1.1.1 external
[local]ASBR2(config-bgp-neighbor)#remote-as 200
[local]ASBR2(config-bgp-neighbor)#advertisement-interval 1
[local]ASBR2(config-bgp-neighbor)#address-family ipv4 unicast
[local]ASBR2(config-bgp-peer-af)#send label
[local]ASBR2(config-bgp-peer-af)#exit
[local]ASBR2(config-bgp-neighbor)#exit
[local]ASBR2(config-bgp)#exit
[local]ASBR2(config-ctx)#exit
[local]ASBR2(config)#card ether-12-port 3
[local]ASBR2(config)#port ethernet 3/2
[local]ASBR2(config-port)#no shutdown
[local]ASBR2(config-port)#bind interface 3/2 local
[local]ASBR2(config-port)#exit
[local]ASBR2(config)#port ethernet 3/4
[local]ASBR2(config-port)#no shutdown
[local]ASBR2(config-port)#bind interface 3/4 local
[local]ASBR2(config-port)#end
[local]PE2(config-mpls-if)#exit
[local]PE2(config-mpls)#exit
[local]PE2(config-ctx)#router ldp
[local]PE2(config-ldp)#interface 3/10
[local]PE2(config-ldp)#exit
[local]PE2(config-ctx)#router bgp 400
[local]PE2(config-bgp)#address-family ipv4 unicast
[local]PE2(config-bgp-af)#exit
[local]PE2(config-bgp)#address-family ipv4 vpn
[local]PE2(config-bgp-af)#exit
[local]PE2(config-bgp)#neighbor 5.5.5.5 external
[local]PE2(config-bgp-neighbor)#remote-as 200
[local]PE2(config-bgp-neighbor)#advertisement-interval 1
[local]PE2(config-bgp-neighbor)#ebgp-multihop 10
[local]PE2(config-bgp-neighbor)#update-source lo1
[local]PE2(config-bgp-neighbor)#address-family ipv4 unicast
[local]PE2(config-bgp-af)#exit
[local]PE2(config-bgp-neighbor)#address-family ipv4 vpn
[local]PE2(config-bgp-af)#next-hop-unchanged
[local]PE2(config-bgp-af)#exit
[local]PE2(config-bgp-neighbor)#exit
[local]PE2(config-bgp)#neighbor 3.3.3.3 internal
[local]PE2(config-bgp-neighbor)#advertisement-interval 1
[local]PE2(config-bgp-neighbor)#update-source lo1
[local]PE2(config-bgp-neighbor)#address-family ipv4 unicast
[local]PE2(config-bgp-peer-af)#send label
[local]PE2(config-bgp-peer-af)#exit
[local]PE2(config-bgp-neighbor)#exit
[local]PE2(config-bgp)#exit
[local]PE2(config-ctx)#exit
[local]PE2(config)#context vpn1 vpn-rd 2:2
[local]PE2(config-ctx)#interface lo1 loopback
[local]PE2(config-if)#ip address 55.55.55.55/32
[local]PE2(config-if)#exit
[local]PE2(config-ctx)#router bgp vpn
[local]PE2(config-bgp)#address-family ipv4 unicast
[local]PE2(config-bgp-af)#export route-target 2:2
[local]PE2(config-bgp-af)#import route-target 2:2
[local]PE2(config-bgp-af)#redistribute connected
[local]PE2(config-bgp-af)#redistribute static
[local]PE2(config-bgp-af)#exit
[local]PE2(config-bgp)#exit
[local]PE2(config-ctx)#exit
[local]PE2(config)#card ether-12-port 3
[local]PE2(config)#port ethernet 3/10
[local]PE2(config-port)#no shutdown
[local]PE2(config-port)#bind interface 3/10 local
[local]PE2(config-port)#end
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure BGP/MPLS
VPN features. The commands are presented in alphabetical order.
Purpose
When entered in BGP router configuration mode, enables Virtual Private Network (VPN)-IP Version 4
(IPv4) prefixes for a Border Gateway Protocol (BGP) routing instance and enters BGP address family
configuration mode.
When entered in BGP neighbor configuration mode, enables VPN-IPv4 prefixes for a specified BGP
neighbor and enters BGP neighbor address family configuration mode.
When entered in BGP peer group configuration mode, enables VPN-IPv4 prefixes for a specified BGP peer
group and enters BGP peer group address family configuration mode.
Command Mode
BGP neighbor configuration
BGP peer group configuration
BGP router configuration
Syntax Description
This command has no keywords or arguments.
Default
None
Usage Guidelines
Use the address-family ipv4 vpn command in BGP configuration mode to specify the use of VPN-IPv4
prefixes for a BGP routing instance, and to enter BGP address family configuration mode.
Use the address-family ipv4 vpn command in BGP neighbor configuration mode to specify the use of
VPN-IPv4 prefixes for a BGP neighbor in an internal BGP (iBGP) session, and to enter BGP neighbor
address family configuration mode.
Use the address-family ipv4 vpn command in BGP peer group configuration mode to specify the use of
VPN-IPv4 prefixes for a specified BGP peer group, and to enter BGP peer group address family
configuration mode.
Note The address-family ipv4 vpn command cannot be used in non-local contexts.
Examples
The following example specifies the use of route flap statistics collection for VPN-IPv4 prefixes, and
enables the address family for the BGP neighbor, 102.210.210.1:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router bgp 100
[local]Redback(config-bgp)#address-family ipv4 vpn
[local]Redback(config-bgp-af)#flap-statistics
[local]Redback(config-bgp-af)#exit
[local]Redback(config-bgp)#neighbor 102.210.210.1 internal
[local]Redback(config-bgp-neighbor)#address-family ipv4 vpn
Related Commands
as-path-list
flap-statistics
remove-private-as
route-map
route-reflector-client
table-map
context vpn-rd
context ctx-name vpn-rd route-distinguisher
Purpose
Creates a new Virtual Private Network (VPN) context, or specifies an existing VPN context, and enters
context configuration mode.
Command Mode
global configuration
Syntax Description
ctx-name Name of a new or existing context.
route-distinguisher VPN route distinguisher, which can be expressed in either of the following
formats:
• asn:nnnn, where asn is the autonomous system number and nnnn is a
32-bit integer.
• ip-addr:nn, where ip-addr is the IP address in the form A.B.C.D and nn is a
16-bit integer.
Default
None. A route distinguisher must be configured for a VPN context to be functional.
Usage Guidelines
Use the context vpn-rd command to create a new VPN context, or specify an existing VPN context, and
enter context configuration mode. You cannot create new contexts on the system unless you have enabled
the multiple context feature using the service multiple-contexts in global configuration mode. For
information on the service multiple-contexts command, see the “Context Configuration” chapter in the
Basic System Configuration Guide for the SmartEdge OS.
Entering the full context vpn-rd command is required to configure a VPN context. Entering the command
without the vpn-rd portion creates a context that will not be recognized as VPN-enabled.
Note Each VPN context only supports one route distinguisher, and the route distinguisher must conform
to the format specified in Internet Draft, BGP/MPLS VPNs, draft-ietf-ppvpn-rfc2547bis-01.txt.
Note An existing non-VPN context cannot be configured as a VPN context. You must delete the existing
non-VPN context, and recreate it as a VPN context. Likewise, a VPN context cannot be configured
as a non-VPN context. You must delete the existing VPN context, and recreate it as a non-VPN
context.
Note This command is also documented in the “Context Configuration” chapter in the Basic System
Configuration Guide for the SmartEdge OS.
Examples
The following example configures a VPN context, vpncontext, with the route distinguisher 701:3:
[local]Redback(config)#context vpncontext vpn-rd 701:3
[local]Redback(config-ctx)#
Related Commands
router bgp vpn
export route-target
export route-target {ext-com | route-map route-map [ctx-name]}
no export route-target {ext-com | route-map route-map [ctx-name]}
Purpose
Creates a list of export route targets for a specified Virtual Private Network (VPN) context.
Command Mode
BGP address family configuration
Syntax Description
ext-com Route target extended community value that is added to the export target list.
The route target extended community value can be expressed in either of the
following formats:
• asn:nnnn, where asn is the autonomous system number and nnnn is a
32-bit integer.
• ip-addr:nn, where ip-addr is the IP address in the form A.B.C.D and nn is a
16-bit integer.
route-map route-map Name of the route map used for this VPN context.
ctx-name Optional. Name of the context in which the route map is defined.
Default
None. A VPN context has no export route targets unless this command is used.
Usage Guidelines
Use the export route-target command to create a list of export route targets for a specified VPN context.
Use the ext-com argument to configure a single route target extended community, or use the
route-map route-map construct to configure an export route map for finer control over exported Border
Gateway Protocol (BGP) routes. You can configure a single route target extended community, an export
route map, or both. You can add multiple export route targets on the same line, or you can issue the
command multiple times with individual route targets. Export route targets are sent as extended community
attributes to other provider edge (PE) routers.
A route map allows you to filter routes or change attributes such as the export route target based on policy
requirements. A route map may only be used when a target community value has not yet been configured.
Use the optional ctx-name argument to reference a route-map in another context. If the optional ctx-name
argument is not specified, then the route maps in the current context are referenced.
Note The export route-target command can only be used in VPN contexts.
Use the no form of this command to remove a list of export route targets for a specified VPN context.
Examples
The following example configures the export route targets, 701:3 and 192.168.1.2:5:
[local]Redback(config)#context vpncontext vpn-rd 701:3
[local]Redback(config-ctx)#router bgp vpn
[local]Redback(config-bgp)#address-family ipv4 unicast
[local]Redback(config-bgp-af)#export route-target 701:3 192.168.1.2:5
Related Commands
import route-target
route-map
route-target filter
import route-target
import route-target ext-com
no import route-target ext-com
Purpose
Creates a list of import route target extended communities for a specified Virtual Private Network (VPN)
context.
Command Mode
BGP address family configuration
Syntax Description
ext-com Route target extended community value that is added to the import target list.
The route target extended community value can be expressed in either of the
following formats:
• asn:nnnn, where asn is the autonomous system number and nnnn is a
32-bit integer.
• ip-addr:nn, where ip-addr is the IP address in the form A.B.C.D and nn is a
16-bit integer.
Default
None. A VPN context has no import route targets unless this command is used.
Usage Guidelines
Use the import route-target command to create a list of import route target extended communities for a
specified VPN context. You can add multiple target communities on the same line, or you can issue the
command multiple times with a single target as the parameter. BGP routes learned from other provider edge
(PE) routers that carry a specific route target extended community are imported into all VPN contexts
configured with that extended community as an import route target.
Import route targets are used to filter routes from other PE routers before importing the routes into a VPN
context.
Note The import route-target command can only be used in VPN contexts.
Use the no form of this command to remove a list of import route target extended communities for a
specified VPN context.
Examples
The following example configures the two import route targets, 701:3 and 192.168.1.2:5:
[local]Redback(config)#context vpncontext vpn-rd 701:3
[local]Redback(config-ctx)#router bgp vpn
[local]Redback(config-bgp)#address-family ipv4 unicast
[local]Redback(config-bgp-af)#import route-target 701:3 192.168.1.2:5
Related Commands
export route-target
route-target filter
ip soft-gre
ip soft-gre [source src-addr]
no ip soft-gre [source src-addr]
Purpose
Enables soft-Generic Routing Encapsulation (GRE) tunneling on the specified context.
Command Mode
context configuration
Syntax Description
source src-addr Optional. Source address for the soft GRE tunnel. The IP address is in the
form A.B.C.D.
Default
soft GRE tunneling is disabled.
Usage Guidelines
Use the ip soft-gre command to enable soft GRE tunneling on the specified context.
Encapsulating packets via Generic Routing Encapsulation (GRE) from an ingress provider edge (PE) router
to an egress PE router is called soft GRE tunneling. Soft GRE tunnels are not Interior Gateway Protocol
(IGP) visible links, and routing adjacencies are not supported across these tunnels. As a result, soft GRE
tunnels have little in common with traditional (hard) GRE tunnels. The tunnel exists only in the sense of
GRE encapsulation and decapsulation.
Only the ingress PE router and the egress PE router need to support the soft GRE functionality, and the PE
routers can span over multiple autonomous systems.
Using soft GRE tunnels to transport Multiprotocol Label Switching (MPLS)-encapsulated packets is called
Border Gateway Protocol/MPLS Virtual Private Network (BGP/MPLS VPN) over GRE, and is used to
offer BGP/MPLS VPN service when a portion of a network does not have label switching enabled.
BGP/MPLS VPN over GRE does not require pre-configuration of the remote GRE endpoint. These
endpoints are the BGP next-hop addresses of the VPN routes, and are learned dynamically via BGP.
Note The ip soft-gre command is also documented in Chapter 14, “L2VPN Configuration,” where it is
used to enable Layer 2 Virtual Private Network (L2VPN) over GRE.
Use the no form of this command to disable soft GRE on the specified context.
Examples
The following example enables soft GRE in the local context:
[local]Redback(config)#context local
[local]Redback(config-ctx)#ip soft-gre
Related Commands
None
multi-paths eibgp
multi-paths eibgp path-num
{no | default} multi-paths eibgp
Purpose
Configures multipath load balancing using a mixture of both external Border Gateway Protocol (eBGP) and
internal BGP (iBGP) equal-cost paths in a BGP/Multiprotocol Label Switching (MPLS) Virtual Private
Network (VPN).
Command Mode
BGP router configuration
Syntax Description
path-num Maximum number of equal-cost paths to use when balancing the traffic load. The range of
values is 1 to 8.
Default
The command is disabled.
Usage Guidelines
Use the multi-paths eibgp command to configure multipath load balancing using a mixture of both eBGP
and iBGP equal-cost paths in a BGP/MPLS VPN.
Note If the multi-paths command (in BGP router configuration mode) is used with the external or
internal keyword to configure the maximum number of pure eBGP or pure iBGP (not a mixture of
eBGP and iBGP) equal-cost paths for load balancing, then the number of eBGP or iBGP paths
within the mixture of eBGP and iBGP multipaths can not exceed the corresponding limits specified
for pure eBGP multipath or pure iBGP multipath respectively.
For more information about the multi-paths command, see Chapter 8, “BGP Configuration.”
Use the no or default form of this command to disable Multipath load balancing.
Examples
The following example configures multipath load balancing among any combination of up to 7 eBGP and
iBGP equal cost paths:
[local]Redback#config
[local]Redback(config)#context local
[local]Redback(config)#router bgp
[local]Redback(config-bgp)#multi-paths eibgp 7
[local]Redback(config-bgp)#
Related Commands
multi-paths
next-hop-on-lsp
next-hop-on-lsp
no next-hop-on-lsp
Purpose
Requires the next hop of a Border Gateway Protocol (BGP) Virtual Private Network (VPN) path to be
reachable through a Multiprotocol Label Switching (MPLS) label-switched path (LSP) or a tunnel in order
for a VPN route to be considered active.
Command Mode
BGP router configuration
Syntax Description
This command has no keywords or arguments.
Default
The next hop of a BGP VPN path must be reachable through an MPLS LSP or a tunnel in order for the VPN
route to be considered active.
Usage Guidelines
Use the next-hop-on-lsp command to require the next hop of a BGP VPN path to be reachable through an
MPLS LSP or a tunnel, in order for a VPN route to be considered active.
Use the no form of this command to enable a BGP VPN path to be considered active without requiring the
next hop of a VPN path to be reachable through an MPLS LSP or a tunnel.
One common application for this command is configuring a BGP route reflector that is not part of an MPLS
network, but is used to reflect BGP VPN routes to its clients within that MPLS network. In this
configuration, the next hops of the VPN paths may not be reachable through an MPLS LSP or a tunnel from
the route reflector's point of view. To solve the problem, use the no form of this command to disable the
LSP or tunnel reachability check for the next hops, and therefore allow the BGP route reflector to correctly
select the best paths and reflect the best paths to its clients.
Examples
The following example enables the sending of BGP VPN routes when the next hop is not resolved or
reachable:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router bgp
[local]Redback(config-bgp)#next-hop-on-lsp
[local]Redback(config-bgp)#
Related Commands
None
Purpose
Configures a Border Gateway Protocol (BGP) routing instance in a Virtual Private Network (VPN) context
and enters BGP configuration mode.
Command Mode
context configuration
Syntax Description
This command has no keywords or arguments.
Default
None
Usage Guidelines
Use the router bgp vpn command to configure a BGP routing instance in a VPN context, and enter BGP
configuration mode. A BGP instance is always required within a VPN context for the following reasons:
1. Customer routes must be distributed into BGP so they can be advertised across the internal BGP (iBGP)
sessions that connect provider edge (PE) routers. Customer routes can be distributed into BGP either
statically or from other active routing protocols.
2. Route targets must also be configured within BGP address family configuration mode.
BGP does not function properly in a VPN context until it is first configured in the local context. Even
though an autonomous system number (ASN) is not used when configuring a BGP instance in a VPN
context, this instance uses the ASN from the BGP instance in the local context for peering with customer
edge (CE) routers.
When configuring BGP peering sessions within a VPN context, only external neighbor sessions can be
configured, because peering in a VPN context must only be configured with CE routers. Furthermore, the
only permitted address family is IP Version 4 (IPv4) unicast, and peer groups cannot be configured.
Examples
The following example configures a BGP routing instance within a VPN context, and redistributes static
routes from a customer into BGP:
[local]Redback(config)#context vpncontext vpn-rd 701:3
[local]Redback(config-ctx)#router bgp vpn
[local]Redback(config-bgp)#address-family ipv4 unicast
[local]Redback(config-bgp-af)#redistribute static
Related Commands
context vpn-rd
router-id
route-target filter
route-target filter
no route-target filter
Purpose
Enables automatic Border Gateway Protocol (BGP) route target community filtering.
Command Mode
BGP address family configuration
Syntax Description
This command has no keywords or arguments.
Default
Denies all incoming IP Version 4 (IPv4) Virtual Private Network (VPN) routes that are not imported into
any VPN context, if the local router is not configured as a route reflector.
Usage Guidelines
Use the route-target filter command to enable automatic BGP route target community filtering. This
command configures the local router, if it is not configured as a route reflector, to ignore all VPN routes
received that are not imported into any VPN context.
Note For BGP route target filtering to work properly, you must first use the address-family ipv4 vpn
command to specify the use of VPN-IPv4 prefixes for the BGP instance.
You can control the number of IPv4 VPN routes that the local autonomous system border router (ASBR)
advertise to the remote ASBR by configuring a community for exportable routes on the inbound interface
of the provider edge (PE) router, and configuring a community based filter on the outbound interface of the
local ASBR to advertise only routes that match the community.
Use the no form of this command to allow the local router to accept all BGP IPv4 VPN routes. Accepting
all IPv4 VPN routes is the desired behavior for a router configured as an ASBR for inter-autonomous
system (AS) VPNs.
Examples
The following example configures a local router to accept all received IPv4 VPN routes:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router bgp 100
[local]Redback(config-bgp)#address-family ipv4 vpn
[local]Redback(config-bgp-af)#no route-target filter
Related Commands
address-family ipv4 vpn import route-target
export route-target
vpn
vpn [domain-id ip-addr] {domain-tag tag-name | local-as asn}
no vpn
Purpose
Enables an Open Shortest Path First (OSPF) instance within a Virtual Private Network (VPN) context to
treat redistributed Border Gateway Protocol (BGP) routes as VPN routes.
Command Mode
OSPF router configuration
Syntax Description
domain-id ip-addr Optional. Domain ID value. Used to determine whether redistributed BGP
routes should be treated as VPN routes and be handled differently than an
OSPF instance configured within a VPN context; the default value is 0.
domain-tag tag-name Domain tag. Used for type 5 link-state advertisements (LSAs) corresponding
to redistributed BGP routes within the VPN domain. Either the tag-name or
asn argument must be specified.
local-as asn Autonomous system number (ASN), 2-byte. Used to formulate the tag for
type 5 LSAs corresponding to redistributed BGP routes with the same VPN.
Either the tag-name or asn argument must be specified, but the tag-name
argument overrides the use of the asn argument to formulate the tag.
Default
OSPF VPN treatment of routes is disabled.
Usage Guidelines
Use the vpn command to enable an OSPF instance within a VPN context to treat redistributed BGP routes
as VPN routes.
When a customer edge (CE) site is connected to multiple areas, the CE router’s connection to a provider
edge (PE) router should be in area 0 to allow correct handling of summary LSAs.
Note The vpn command is useful only when OSPF is used for PE-to-CE routing.
Use the no form of this command to disable the OSPF VPN treatment of routes.
Examples
The following example configures an OSPF instance within a VPN context to treat redistributed BGP
routes with domain IDs equal to 1.1.1.1 as VPN routes:
[local]Redback(config-ospf)#vpn domain-id 1.1.1.1 domain-tag 0xfeedacee
Related Commands
context vpn-rd
router ospf
sham-link