About IP L3VPN over SRv6
IP L3VPN over SRv6 uses SRv6 tunnels tocarry IP L3VPN services. This technology establishes SRv6 tunnels among geographicallydispersed customer sites over an IPv6 network and transparently forwards Layer3 customer traffic to remote sites over the IPv6 network through the tunnels. Formore information about MPLS L3VPN configuration, see MPLSConfiguration Guide.
Basic principle
Figure 1 shows atypical IP L3VPN over SRv6 network.
·PE 1 and PE 2 use BGP to advertise IPv4 or IPv6VPN routes to each other over the IPv6 backbone network. The VPN routes containprivate network routing information and SID information.
·The PEs have an SRv6 tunnel between them and they use the SRv6 tunnel to forward VPNtraffic across sites.
·The devices in the IPv6 backbone network forwardthe SRv6-encapsulated VPN traffic through the optimal path calculated by IGP.
IP L3VPN over SRv6 connects geographicallydispersed sites that belong to the same VPN over the IPv6 backbone network.
Route advertisem*nt
The route advertisem*nt process of IPv4L3VPN over SRv6 is similar to that of IPv6 L3VPN over SRv6. This section uses IPv4L3VPN over SRv6 to illustrate the process.
As shown in Figure 1, localroutes of CE 1 are advertised to CE 2 by using the following process:
1.CE 1 uses static routing, RIP, OSPF, IS-IS,EBGP, or IBGP to advertise privatenetwork routes of the local site to PE 1.
2.After learning the route information of CE1, PE 1 stores the private routes to the routing table of the VPN instance. Inthis example, VPN instance 1 is used. Then, PE 1 convertsthe routes to BGP VPNv4 routes and advertises the BGP VPNv4 routes to PE 2 byusing MP-BGP. The BGP VPNv4 routes carry the RD, RT, and SID attributes (theSID attribute is used as the private network label). All private network routesof the VPN instance are allocated the same End.DT4 or End.DT46 SID.
3.When PE 2 receives the routes advertised byPE 1, it adds the routes to the routing table of VPN 1, converts the routes toIPv4 routes, and advertises the IPv4 routes to CE 2.
4.By adding the received IPv4 routes to therouting table, CE 2 learns the private network routes of CE 1.
Packet forwarding
The packet forwarding process is similar forIPv4 L3VPN over SRv6 and IPv6 L3VPN over SRv6. This section uses IPv4 L3VPNover SRv6 and VPN sites to illustrate the process.
As shown in Figure 1, CE 2forwards an IPv4 packet to CE 1 as follows:
1.CE 2 sends the IPv4 packet to PE 2.
2.PE 2 receives the packet on an interface associated with VPN 1. PE 2 searches for a route that matches thedestination IPv4 address of the packet in the routing table of VPN 1. The corresponding End.DT4 or End.DT46 SIDis found. Then, PE 2 encapsulatesan outer IPv6 header for the packet. The End.DT4 or End.DT46 SID isencapsulated in the outer IPv6 header as the destination address.
3.PE 2 searches the IPv6 routing table basedon the End.DT4 or End.DT46 SID for the optimal IGP route and forwards the packet to P through the route.
4.P searches the IPv6 routing table based onthe End.DT4 or End.DT46 SID for the optimal IGP route and forwards the packet to PE 1 through the route.
5.When PE 1 receives the packet, it processesthe packet as follows:
a.Searches the local SID forwarding table forthe End.DT4 or End.DT46 SID.
b.Removes the outer IPv6 header.
c.Matches the packet to VPN 1 based on the SID,searches the routing table of VPN 1 for the optimal route, and forwards the packet to CE 1.
IP L3VPN over SRv6 FRR
|
| IMPORTANT: IP L3VPN over SRv6 FRR is supported only when the customer sites belong to VPNs. |
IP L3VPN over SRv6 Fast Reroute (FRR) isapplicable to a dualhomed scenario, as shown in Figure 2. Byusing static BFD to detect the primary link, FRR enables a PE to use the backuplink when the primary link fails. The PE then selects a new optimal route, anduses the new optimal route to forward traffic.
IP L3VPN over SRv6 supports VPNv4 routebackup for a VPNv4 route and VPNv6 route backup for a VPNv6 route.
Figure 2 Network diagram of VPNv4 route backupfor a VPNv4 route
IPv4 L3VPN over SRv6 and IPv6 L3VPN overSRv6 use the same FRR mechanism. This section uses VPNv4 route backup for aVPNv4 route as an example to illustrate the mechanism.
As shown in Figure 2, configureFRR on the ingress node PE 1, and specify the backup next hop for VPN 1 as PE3. When PE 1 receives a VPNv4 route to CE 2 from both PE 2 and PE 3, it usesthe route from PE 2 as the primary link, and the route from PE 3 as the backup link.
Configure static BFD for public tunnels onPE 1 to detect the connectivity of the public tunnel from PE 1 to PE 2. Whenthe tunnel PE 1—PE 2operates correctly, traffic from CE 1 to CE 2 goes through the path CE 1—PE1—PE 2—CE 2. When the tunnel fails, the traffic goes through the path CE 1—PE1—PE 3—CE 2.
In this scenario, PE 1 is responsible forprimary link detection and traffic switchover.
For more information about static BFD, seeBFD configuration in High Availability ConfigurationGuide.
IP L3VPN over SRv6 tasks at a glance
To configure IP L3VPN over SRv6, performthe following tasks:
1.Configuring a VPN instance and associatinginterfaces connected to CEs with the VPN instance
Perform this task on PEs. For moreinformation, see MPLS L3VPN in MPLS Configuration Guide.
2.Configuring route exchange between a PE anda CE
Configure an IPv4 routing protocol (staticrouting, RIP, OSPF, IS-IS, EBGP, or IBGP) or an IPv6 routing protocol (IPv6static routing, RIPng, OSPFv3, IPv6 IS-IS, EBGP, or IBGP) to exchange routesbetween a PE and a CE
On the CE, configure an IPv4 or IPv6routing protocol to advertise routes of the local site to the PE. On the PE,associate the routing protocol with the VPN instance. For more informationabout routing protocol configurations, see Layer 3—IPRouting Configuration Guide.
3.Configuring route exchange between PEs
a.Configuring an SRv6 SID
Perform this task to manually configurean End.DT4, End.DT6, End.DT46, End.DX4, End.DX6 SID.
b.Applying a locator to a BGP VPN instance
BGP can advertise SRv6 SIDs through BGProutes only after you apply a locator to BGP.
c.ConfiguringPEs to exchange BGP VPNv4 or VPNv6 routes
d.ConfiguringIPv6 peers to exchange SRv6 SIDs
This feature enables PEs to exchangeEnd.DT4, End.DT6, End.DT46, End.DX4, or End.DX6 SIDs through BGP VPNv4 or VPNv6routes.
e.(Optional.) Configuring next hop-based dynamic End.DX4or End.DX6 SID allocation for private network routes
This feature enables a PE to dynamicallyallocate End.DX4 or End.DX6 SIDs to BGP private network routes based on theroute next hops.
f.(Optional.) Configuring BGP VPNv4 or VPNv6 routes
4.Configuring the route recursion mode
5.Specifying a source address for the outerIPv6 header of SRv6-encapsulated packets
This feature specifies the source addressof the outer IPv6 header for SRv6 packets that are delivered between twoprivate network sites over the backbone network.
6.(Optional.) Configuring IP L3VPN over SRv6 FRR
7.(Optional.) Configuring a TTL processing mode fortunnels associated with a VPN instance
Configuring anSRv6 SID
Restrictions andguidelines
If PEs advertise BGP VPNv4 or VPNv6 routesto each other, you must specify a VPN instance when configuring an opcode.
Procedure
1.Enter system view.
system-view
2.Enable SRv6 and enter SRv6 view.
segment-routing ipv6
3.Configure a locator and enter SRv6 locatorview.
locator locator-name [ ipv6-prefix ipv6-address prefix-length [ args args-length | static static-length ] * ]
4.Configure an opcode. Perform one of thefollowing tasks:
¡Configurean End.DT4 SID.
opcode { opcode | hex hex-opcode } end-dt4 [ vpn-instance vpn-instance-name ]
The specified VPN instance must exist. AnEnd.DT4 SID cannot be configured in different VPN instances.
¡Configurean End.DT6 SID.
opcode { opcode | hex hex-opcode } end-dt6 [ vpn-instance vpn-instance-name ]
The specified VPN instance must exist. AnEnd.DT6 SID cannot be configured in different VPN instances.
¡Configurean End.DT46 SID.
opcode { opcode | hex hex-opcode } end-dt46 [ vpn-instance vpn-instance-name ]
The specified VPN instance must exist. AnEnd.DT46 SID cannot be configured in different VPN instances.
¡Configurean End.DX4 SID.
opcode { opcode | hex hex-opcode } end-dx4interface interface-type interface-number nexthop nexthop-ipv4-address [ vpn-instance vpn-instance-name ]
The specified VPN instance must exist. AnEnd.DX4 SID cannot be configured with different output interfaces or next hops.
¡Configurean End.DX6 SID.
opcode { opcode | hex hex-opcode } end-dx6interface interface-type interface-number nexthop nexthop-ipv6-address [ vpn-instance vpn-instance-name ]
The specified VPN instance must exist. AnEnd.DX6 SID cannot be configured with different output interfaces or next hops.
Applying alocator to a BGP VPN instance
About this task
Use this feature in BGP-VPN IPv4 or IPv6unicast address family view of a VPN instance to apply for SRv6 SIDs for the privatenetwork routes of the VPN instance.
Use this feature if the device will use End.DT4,End.DT6, End.DT46, End.DX4, or End.DX6 SIDs to deliver VPN traffic across sites.
Restrictions andguidelines
The VPN instance of the specified locatormust be the same as the VPN instance of the private network. To specify a VPNinstance for a locator, use the opcode end-dt4, opcode end-dt6, opcode end-dt46, opcode end-dx4, or opcode end-dx6 command in SRv6 locator view.
Prerequisites
Before you perform this task, you mustcreate the specified locator.
Procedure
1.Enter system view.
system-view
2.Enter BGP instance view.
bgp as-number [ instance instance-name ]
3.Enter BGP-VPN instance view.
ip vpn-instance vpn-instance-name
4.Enter BGP-VPN IPv4 unicast address familyview or BGP-VPN IPv6 unicast address family view.
¡EnterBGP-VPN IPv4 unicast address family view.
address-family ipv4 [ unicast ]
¡EnterBGP-VPN IPv6 unicast address family view.
address-family ipv6 [ unicast ]
5.Apply a locator to the BGP VPN instance.
segment-routing ipv6 locator locator-name [ auto-sid-disable ]
By default, no locator is applied to aBGP VPN instance.
Configuring PEs to exchange BGP VPNv4 orVPNv6 routes
Restrictions andguidelines
For more information about the commands inthis section, see BGP in Layer 3—IP Routing CommandReference.
To ensure optimal route selection and SRv6tunnel traffic forwarding, make sure a pair of PEs are not both IPv4 and IPv6peers to each other.
Procedure
1.Enter system view.
system-view
2.Enter BGP instance view.
bgp as-number [ instance instance-name ]
3.Specify a remote PE as an IPv6 peer.
peer { group-name | ipv6-address [ prefix-length ] } as-number as-number
4.Specify a source interface (IPv6 address)for establishing TCP connections to an IPv6 peer or peer group.
peer { group-name | ipv6-address [ prefix-length ] } connect-interface interface-type interface-number
By default, BGP uses the output interfacein the optimal route destined for a BGP peer or peer group as the source interfacefor establishing TCP connections.
5.Create the BGP VPNv4 or VPNv6 address familyand enter its view.
¡Createthe BGP VPNv4 address family and enter its view.
address-family vpnv4
¡Createthe BGP VPNv6 address family and enter its view.
address-family vpnv6
6.Enable BGP to exchange VPNv4 or VPNv6 routinginformation with an IPv6 peer or peer group.
peer { group-name | ipv6-address [ prefix-length ] } enable
By default, BGP cannot exchange VPNv4 orVPNv6 routing information with an IPv6 peer or peer group.
Configuring IPv6 peers to exchange SRv6 SIDs
About this task
Perform this task to configure IPv6 peers toexchange SRv6 SID information through BGP VPNv4 or VPNv6 routes.
Procedure
1.Enter system view.
system-view
2.Enter BGP instance view.
bgp as-number [ instance instance-name ]
3.Enter BGP VPNv4 address family view or BGPVPNv6 address family view.
¡EnterBGP VPNv4 address family view.
address-family vpnv4
¡EnterBGP VPNv6 address family view.
address-family vpnv6
4.Enable BGP to exchange SRv6 SID informationwith an IPv6 peer or peer group.
peer { group-name | ipv6-address [ prefix-length ] } prefix-sid
By default, BGP cannot exchange SRv6 SIDinformation with an IPv6 peer or peer group.
Configuringnext hop-based dynamic End.DX4 or End.DX6 SID allocation for private networkroutes
About this task
Perform this task to forward an SRv6decapsulated VPN packet to the next hop without looking up the routing table ofthe VPN instance.
By default, all BGP private network routesof a VPN instance are allocated the SID of the VPN instance. When a PE removesthe SRv6 encapsulation from a received packet, it looks up the routing table ofthe VPN instance based on the SID for an optimal route. Then, the PE forwardsthe packet to a CE. To forward the packet to the next hop without looking upthe routing table of the VPN instance, perform this task.
This task dynamically allocates End.DX4 or End.DX6SIDs to all or specific next hops of the BGP private network routes in a VPNinstance based on the next hop addresses. When forwarding a packet, the PEsearches for the output interface and next hop based on the End.DX4 or End.DX6 SIDof the packet. Then, the PE directly forwards the packet out of the outputinterface to the next hop.
Restrictions andguidelines
This feature does not allocate End.DX4 or End.DX6SIDs to direct routes.
Prerequisites
Before you perform this task in BGP-VPN IPv4or IPv6 unicast address family view, execute the segment-routingipv6 locator command in the same view to apply alocator to the view. This ensures successful dynamic End.DX4 or End.DX6 SIDallocation.
Procedure
1.Enter system view.
system-view
2.Enter BGP instance view.
bgp as-number [ instance instance-name ]
3.Enter BGP-VPN instance view.
ip vpn-instance vpn-instance-name
4.Enter BGP-VPN IPv4 unicast address familyview or BGP-VPN IPv6 unicast address family view.
¡EnterBGP-VPN IPv4 unicast address family view.
address-family ipv4 [ unicast ]
¡EnterBGP-VPN IPv6 unicast address family view.
address-family ipv6 [ unicast ]
5.Allocate End.DX4 or End.DX6 SIDs to the nexthops of BGP private network routes.
¡AllocateEnd.DX4 or End.DX6 SIDs to all next hops of BGP private network routes.
segment-routing ipv6 apply-sid all-nexthop
¡Executethe following commands in sequence to allocate an End.DX4 or End.DX6 SID to thespecified next hop of BGP private network routes.
segment-routing ipv6 apply-sid specify-nexthop
nexthop nexthop-address interface interface-typeinterface-number
By default, VPN instance-based SIDallocation is used for private network routes.
Configuring BGP VPNv4 or VPNv6 routes
Restrictions and guidelines for BGP VPNv4 or VPNv6 routeconfiguration
For more information about the commands inthis section, see BGP in Layer 3—IP Routing CommandReference.
Controlling BGP VPNv4 or VPNv6 route advertisem*nt and reception
1.Enter system view.
system-view
2.Enter BGP instance view.
bgp as-number [ instance instance-name ]
3.Enter BGP VPNv4 address family view or BGPVPNv6 address family view.
¡EnterBGP VPNv4 address family view.
address-family vpnv4
¡EnterBGP VPNv6 address family view.
address-family vpnv6
4.Set the maximum number of routes that BGPcan receive from a peer or peer group.
peer { group-name | ipv6-address [ prefix-length ] } route-limit prefix-number [ { alert-only | discard | reconnect reconnect-time } | percentage-value] *
By default, the number of routes that BGPcan receive from a peer or peer group is not limited.
5.Save all route updates from a peer or peergroup.
peer { group-name | ipv6-address [ prefix-length ] } keep-all-routes
By default, route updates from peers andpeer groups are not saved.
Setting a preferred value for received BGPVPNv4 or VPNv6 routes
1.Enter system view.
system-view
2.Enter BGP instance view.
bgp as-number [ instance instance-name ]
3.Enter BGP VPNv4 address family view or BGPVPNv6 address family view.
¡EnterBGP VPNv4 address family view.
address-family vpnv4
¡EnterBGP VPNv6 address family view.
address-family vpnv6
4.Set a preferred value for routes receivedfrom a peer or peer group.
peer { group-name | ipv6-address [ prefix-length ] } preferred-value value
By default, the preferred value is 0 forroutes received from a peer or peer group.
Configuring BGP VPNv4 or VPNv6 routereflection
1.Enter system view.
system-view
2.Enter BGP instance view.
bgp as-number [ instance instance-name ]
3.Enter BGP VPNv4 address family view or BGPVPNv6 address family view.
¡EnterBGP VPNv4 address family view.
address-family vpnv4
¡EnterBGP VPNv6 address family view.
address-family vpnv6
4.Configure the router as a route reflector (RR)and specify a peer or peer group as its client.
peer { group-name | ipv6-address[ prefix-length ] } reflect-client
By default, no RR or client isconfigured.
5.(Optional.) Enable route reflection betweenclients.
reflect between-clients
By default, route reflection betweenclients is enabled.
6.(Optional.) Configure the cluster ID of the RR.
reflector cluster-id { cluster-id | ip-address }
By default, an RR uses its own router IDas the cluster ID.
7.(Optional.) Create an RR reflection policy.
rr-filter { ext-comm-list-number | ext-comm-list-name }
By default, an RR does not filterreflected routes.
8.(Optional.) Enable the RR to change theattributes of routes to be reflected.
reflect change-path-attribute
By default, the RR cannot change theattributes of routes to be reflected.
Configuring BGP VPNv4 or VPNv6 route attributes
1.Enter system view.
system-view
2.Enter BGP instance view.
bgp as-number [ instance instance-name ]
3.Enter BGP VPNv4 address family view or BGPVPNv6 address family view.
¡EnterBGP VPNv4 address family view.
address-family vpnv4
¡EnterBGP VPNv6 address family view.
address-family vpnv6
4.Specify the router as the next hop forroutes sent to a peer or peer group.
peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } next-hop-local
By default, the router sets itself as thenext hop for routes sent to a peer or peer group.
5.Configure the AS_PATH attribute.
¡Permitthe local AS number to appear in routes from a peer or peer group and set theappearance times.
peer { group-name | ipv6-address [ prefix-length ] } allow-as-loop [ number ]
By default, the local AS number is notallowed in routes from a peer or peer group.
¡Removeprivate AS numbers from the AS_PATH attribute of updates sent to an EBGP peeror peer group.
peer { group-name | ipv6-address [ prefix-length ] } public-as-only
By default, BGP updates sent to an EBGPpeer or peer group can carry both public and private AS numbers.
6.Advertise the COMMUNITY attribute to a peeror peer group.
peer { group-name | ipv6-address [ prefix-length ] } advertise-community
By default, the COMMUNITY attribute isnot advertised.
7.Configure the SoO attribute for a peer orpeer group.
peer { group-name | ipv6-address [ prefix-length ] } soo site-of-origin
By default, no SoO attribute isconfigured for a peer or peer group.
Configuring BGP VPNv4 or VPNv6 routedistribution filtering policies
1.Enter system view.
system-view
2.Enter BGP instance view.
bgp as-number [ instance instance-name ]
3.Enter BGP VPNv4 address family view or BGPVPNv6 address family view.
¡EnterBGP VPNv4 address family view.
address-family vpnv4
¡EnterBGP VPNv6 address family view.
address-family vpnv6
4.Specify an ACL or IP prefix list to filteradvertised BGP routes.
filter-policy {ipv4-acl-number | name ipv4-acl-name | prefix-list prefix-list-name } export [ protocol process-id ]
By default, no ACL or IP prefix list isspecified to filter advertised BGP routes.
5.Specify an ACL or IP prefix list to filterreceived BGP routes.
filter-policy {ipv4-acl-number | name ipv4-acl-name | prefix-list prefix-list-name } import
By default, no ACL or IP prefix list is specifiedto filter received BGP routes.
6.Specify an IP prefix list to filter BGProutes for a peer or peer group.
peer { group-name | ipv6-address [ prefix-length ] } prefix-list prefix-list-name { export | import }
By default, no IP prefix list is specifiedto filter BGP routes for a peer or peer group.
7.Apply a routing policy to routes receivedfrom or advertised to a peer or peer group.
peer { group-name | ipv6-address [ prefix-length ] } route-policyroute-policy-name { export | import }
By default, no routing policy is appliedto routes received from or advertised to a peer or peer group.
8.Enable route target filtering of receivedVPNv4 or VPNv6 routes.
policy vpn-target
By default, the route target filteringfeature is enabled for received VPNv4 or VPNv6 routes. BGP adds an VPNv4 orVPNv6 route to the routing table only when the export route targets of theroute match the local import route targets.
Configuringthe BGP Additional Paths feature
1.Enter system view.
system-view
2.Enter BGP instance view.
bgp as-number [ instance instance-name ]
3.Enter BGP VPNv4 address family view or BGPVPNv6 address family view.
¡EnterBGP VPNv4 address family view.
address-family vpnv4
¡EnterBGP VPNv6 address family view.
address-family vpnv6
4.Configure the BGP Additional Pathscapabilities.
peer { group-name | ipv6-address [ prefix-length ] } additional-paths { receive | send } *
By default, no BGP Additional Pathscapabilities are configured.
5.Set the maximum number of Add-Path optimalroutes that can be advertised to a peer or peer group.
peer { group-name | ipv6-address [ prefix-length ] } advertise additional-pathsbest number
By default, only one Add-Path optimalroute can be advertised to a peer or peer group.
6.(Optional.) Set the optimal route selectiondelay timer.
route-select delay delay-value
By default, the optimal route selectiondelay timer is 0 seconds, which indicates that optimal route selection is notdelayed.
Configuring theroute recursion mode
About this task
After a PE receives a customer packetdestined for an SRv6 SID, it forwards the packet according to the routerecursion mode.
·SRv6 BE mode—This mode is also called SID-based forwarding mode. In this mode,the PE first encapsulates the End.DT4, End.DT6, or End.DT46 SID into thepacket. Then, the PE searches the IPv6 routing table based on the SIDencapsulated in the packet to forward the packet.
·SRv6 TE mode—This mode is also called SRv6 TE policy-based forwarding mode. Inthis mode, the PE first searches for a matching SRv6 TE policy based on the packetattributes. Then, the PE adds an SRH to the packet. The SRH includes the End.DT4,End.DT6, or End.DT46 SID and the SID list of the SRv6 TE policy. Finally, the PEforwards the encapsulated packet through the SRv6 TE policy. For moreinformation, see "Configuring SRv6 TE policies."
·SRv6 TE and SRv6 BE hybridmode—In this mode, the PE preferentially usesthe SRv6 TE mode to forward the packet. If no SRv6 TE policy is available for thepacket, the PE forwards the packet in SRv6 BE mode.
Prerequisites
To use the SRv6 TE mode or the SRv6 TE and SRv6BE hybrid mode, you must configure a tunnel policy and SRv6 TE policy. For moreinformation, see tunnel policy configuration in MPLSConfiguration Guide and "Configuring SRv6 TE policies."
Procedure
1.Enter system view.
system-view
2.Enter BGP instance view.
bgp as-number [ instance instance-name ]
3.Enter BGP-VPN instance view.
ip vpn-instance vpn-instance-name
4.Enter BGP-VPN IPv4 unicast address familyview or BGP-VPN IPv6 unicast address family view.
¡EnterBGP-VPN IPv4 unicast address family view.
address-family ipv4 [ unicast ]
¡EnterBGP-VPN IPv6 unicast address family view.
address-family ipv6 [ unicast ]
5.Configure the route recursion mode.
segment-routing ipv6 { best-effort |traffic-engineer | traffic-engineer best-effort }
By default, a PE searches the IPv6routing table based on the next hop of a matching route to forward traffic.
Specifying asource address for the outer IPv6 header of SRv6-encapsulated packets
Restrictions andguidelines
To ensure correct traffic forwarding in an IPL3VPN over SRv6 network, you must specify a source address for the outer IPv6header of SRv6-encapsulated packets.
You cannot specify a loopback address,link-local address, multicast address, or unspecified address as the sourceIPv6 address. You must specify an IPv6 address of the local device as thesource IPv6 address, and make sure the IPv6 address has been advertised by arouting protocol. As a best practice, specify a loopback interface address ofthe local device as the source IPv6 address.
Procedure
1.Enter system view.
system-view
2.Enter SRv6 view.
segment-routing ipv6
3.Specify a source address for the outer IPv6header of SRv6-encapsulated packets.
encapsulation source-address ipv6-address [ ip-ttl ttl-value ]
By default, no source address isspecified for the outer IPv6 header of SRv6-encapsulated packets.
Configuring IP L3VPN over SRv6 FRR
About this task
IP L3VPN over SRv6 FRR enables the deviceto calculate backup routes for all routes of a VPN instance to reduce thetraffic interruption caused by link or device failures on the backbone. If thedevice learns two unequal-cost routes destined for the same network fromdifferent peers, the optimal route is backed up by the other route. When theoptimal route becomes unavailable, the device uses the backup route to forwardtraffic. At the same time, the device calculates a new optimal route and thenuses it to direct traffic forwarding.
Restrictions andguidelines
This feature might cause routing loops incertain conditions. Make sure you are fully aware of this feature when you useit on a live network.
Procedure
1.Enter system view.
system-view
2.Configure static BFD.
bfd static session-name [ peer-ipv6 ipv6-address[ vpn-instance vpn-instance-name ] source-ipv6 ipv6-address [ discriminator local local-value remote remote-value ] [ track-interface interface-typeinterface-number ] ]
3.Return to system view.
quit
4.Enter BGP instance view.
bgp as-number [ instance instance-name ]
5.Configure BGP FRR to use BFD to detect nexthop connectivity for the primary route.
primary-path-detect bfd echo
By default, BGP FRR uses ARP to detectthe connectivity to the next hop of the primary route.
For more information about this command,see BGP commands in Layer 3—IP Routing Command Reference.
6.Enter BGP-VPN IPv4 unicast address familyview, BGP VPNv4 address family view, BGP-VPN IPv6 unicast address family view, orBGP VPNv6 address family view.
¡Executethe following commands in sequence to enter BGP-VPN IPv4 unicast address familyview:
ip vpn-instance vpn-instance-name
address-family ipv4 [ unicast ]
¡EnterBGP VPNv4 address family view.
address-family vpnv4
¡Executethe following commands in sequence to enter BGP-VPN IPv6 unicast address familyview:
ip vpn-instance vpn-instance-name
address-family ipv6 [ unicast ]
¡EnterBGP VPNv6 address family view.
address-family vpnv6
7.Enable FRR for the address family.
pic
By default, FRR is disabled for a BGPaddress family.
For more information about this command,see BGP commands in Layer 3—IP Routing Command Reference.
Configuring a TTL processing mode fortunnels associated with a VPN instance
About this task
A tunnel associated with a VPN instancesupports the following TTL processing modes:
·Pipe—When an IP or IPv6 packet enters the tunnel of the VPN instance,the ingress node adds a new header to the packet. The ingress node sets the TTLvalue or hop limit in the new header to 255 or the value specified by using theencapsulationsource-address ip-ttl command in SRv6 view. Whenthe packet leaves the tunnel of the VPN instance, the egress node removes thenew header from the packet.The TTL value or hop limit in the original packetdoes not change when the packet is forwarded in the tunnel. Therefore, thepublic network nodes are invisible to user networks, and the tracert facilitycannot show the real path in the public network.
·Uniform—When an IP or IPv6 packet enters the tunnel of the VPN instance,the ingress node adds a new header to the packet. The ingress node copies theTTL value or the hop limit of the original packet to the TTL or hop limit fieldof the new header. When the packet leaves the tunnel of the VPN instance, theegress node copies the remaining TTL value or hop limit in the new header backto the original packet. The TTL value or hop limit can reflect how many hopsthe packet has traversed in the public network. The tracert facility can show thereal path along which the packet has traveled.
Restrictions andguidelines
In the current software version, you canconfigure a TTL processing mode only for SRv6 tunnels associated with VPNinstances.
Procedure
1.Enter system view.
system-view
2.Enter VPN instance view.
ip vpn-instance vpn-instance-name [ index vpn-index ]
3.Configure a TTL processing mode for thetunnels associated with the VPN instance.
ttl-mode { pipe | uniform }
By default, the TTL processing mode forthe tunnels associated with a VPN instance is pipe.
For more information about this command,see MPLS L3VPN configuration in MPLS Configuration Guide.
Verifying and maintaining IP L3VPN over SRv6
Displaying the configuration and running status of IP L3VPN overSRv6 VPN
For more information about the commands inthis section, see basic BGP commands in Layer 3—IPRouting Command Reference.
Perform display tasks in any view.
·Display BGP VPNv4 peer or peer group information.
display bgp [ instance instance-name ] peer vpnv4 { ipv6-address prefix-length | ipv6-address{ log-info | verbose } }
·Display BGP update group information for VPNv4address family.
display bgp [ instance instance-name ] update-groupvpnv4 ipv6-address
·Display BGP VPNv6 peer or peer groupinformation.
display bgp [ instance instance-name ] peer vpnv6 [ vpn-instance vpn-instance-name] [ ipv6-address prefix-length | { ipv6-address | group-name group-name } log-info | [ ipv6-address] verbose ]
·Display BGP update group information for VPNv6address family.
display bgp [ instance instance-name ] update-group vpnv6 [ vpn-instance vpn-instance-name] [ ipv6-address ]
Resetting BGP sessions
About this task
For BGP setting changes to take effect, youmust reset or soft-reset BGP sessions. Soft-resetting BGP sessions updates BGProuting information without tearing down the BGP sessions. Resetting BGPsessions updates BGP routing information by tearing down and re-establishing theBGP sessions. Soft-reset requires that both the local router and the peersupport ROUTE-REFRESH messages.
Procedure
For more information about the commands,see basic BGP commands in Layer 3—IP Routing CommandReference.
Perform the tasks in user view.
·Soft-reset BGP sessions of the BGP VPNv4 addressfamily.
refresh bgp [ instance instance-name ] ipv6-address [ prefix-length ] { export | import } vpnv4
·Reset BGP sessions of the BGP VPNv4 addressfamily.
reset bgp [ instance instance-name ] ipv6-address [ prefix-length ] vpnv4
Clearing flap statistics for BGP VPNv4 routes
To clear flap statistics for BGP VPNv4 routes,execute the following command in user view:
reset bgp [ instance instance-name ] flap-info vpnv4[ipv4-address [ mask | mask-length ] | as-path-acl as-path-acl-number | peer ipv6-address [ prefix-length ] ]
IP L3VPN over SRv6 configuration examples
Example: Configuring IP L3VPN over SRv6 in SRv6 BE mode
Networkconfiguration
As shown in Figure 3, thebackbone network is an IPv6 network, and VPN 1 is an IPv4 network. Deploy IPL3VPN over SRv6 between PE 1 and PE 2 and use an SRv6 tunnel to transmit VPNv4traffic between the PEs.
·Configure EBGP to exchange VPN routinginformation between the CEs and PEs.
·Configure IPv6 IS-IS on the PEs in the same ASto realize IPv6 network connectivity.
·Configure MP-IBGP to exchange VPNv4 routinginformation between the PEs.
Table 1 Interface and IP address assignment
| Device | Interface | IP address | Device | Interface | IP address |
| CE 1 | GE0/0/1 | 10.1.1.2/24 | PE 2 | Loop0 | 3::3/128 |
| PE 1 | Loop0 | 1::1/128 | GE0/0/1 | 10.2.1.1/24 | |
| GE0/0/1 | 10.1.1.1/24 | GE0/0/2 | 2002::1/96 | ||
| GE0/0/2 | 2001::1/96 | CE 2 | GE0/0/1 | 10.2.1.2/24 | |
| P | Loop0 | 2::2/128 | |||
| GE0/0/1 | 2001::2/96 | ||||
| GE0/0/2 | 2002::2/96 |
Procedure
1.Configure IPv6 IS-IS on the PEs and device Pfor network connectivity between the devices:
# Configure PE 1.
<PE1> system-view
[PE1] isis 1
[PE1-isis-1] is-level level-1
[PE1-isis-1] cost-style wide
[PE1-isis-1] network-entity10.1111.1111.1111.00
[PE1-isis-1] address-family ipv6 unicast
[PE1-isis-1-ipv6] quit
[PE1-isis-1] quit
[PE1] interface loopback 0
[PE1-LoopBack0] ipv6 address 1::1 128
[PE1-LoopBack0] isis ipv6 enable 1
[PE1-LoopBack0] quit
[PE1] interface gigabitethernet 0/0/2
[PE1-GigabitEthernet0/0/2] ipv6 address2001::1 96
[PE1-GigabitEthernet0/0/2] isis ipv6 enable
[PE1-GigabitEthernet0/0/2] quit
# Configure P.
<P> system-view
[P] isis
[P-isis-1] is-level level-1
[P-isis-1] cost-style wide
[P-isis-1] network-entity 10.2222.2222.2222.00
[P-isis-1] address-family ipv6 unicast
[P-isis-1-ipv6] quit
[P-isis-1] quit
[P] interface loopback 0
[P-LoopBack0] ipv6 address 2::2 128
[P-LoopBack0] isis ipv6 enable
[P-LoopBack0] quit
[P] interface gigabitethernet 0/0/1
[P-GigabitEthernet0/0/1] ipv6 address 2001::296
[P-GigabitEthernet0/0/1] isis ipv6 enable
[P-GigabitEthernet0/0/1] quit
[P] interface gigabitethernet 0/0/2
[P-GigabitEthernet0/0/2] ipv6 address 2002::296
[P-GigabitEthernet0/0/2] isis ipv6 enable
[P-GigabitEthernet0/0/2] quit
# Configure PE 2.
<PE2> system-view
[PE2] isis
[PE2-isis-1] is-level level-1
[PE2-isis-1] cost-style wide
[PE2-isis-1] network-entity 10.3333.3333.3333.00
[PE2-isis-1] address-family ipv6 unicast
[PE2-isis-1-ipv6] quit
[PE2-isis-1] quit
[PE2] interface loopback 0
[PE2-LoopBack0] ipv6 address 3::3 128
[PE2-LoopBack0] isis ipv6 enable
[PE2-LoopBack0] quit
[PE2] interface gigabitethernet 0/0/2
[PE2-GigabitEthernet0/0/2] ipv6 address 2002::196
[PE2-GigabitEthernet0/0/2] isis ipv6 enable
[PE2-GigabitEthernet0/0/2] quit
# Verify that PE 1, P, and PE 2 haveestablished IPv6 IS-IS neighbor relationships and the neighbor state is up.
[PE1] display isis peer
[P] display isis peer
[PE2] display isis peer
# Verify that PE 1 and PE 2 each learn aroute destined for the loopback interface of each other.
[PE1] display isis route ipv6
[PE2] display isis route ipv6
2.Configure VPN instance settings on PE 1 andPE 2 and verify that each CE can access its local PE:
# Configure PE 1.
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] route-distinguisher100:1
[PE1-vpn-instance-vpn1] vpn-target 111:1
[PE1-vpn-instance-vpn1] quit
[PE1] interface gigabitethernet 0/0/1
[PE1-GigabitEthernet0/0/1] ip bindingvpn-instance vpn1
[PE1-GigabitEthernet0/0/1] ip address 10.1.1.124
[PE1-GigabitEthernet0/0/1] quit
# Configure PE 2.
[PE2] ip vpn-instance vpn1
[PE2-vpn-instance-vpn1] route-distinguisher 100:1
[PE2-vpn-instance-vpn1] vpn-target 111:1
[PE2-vpn-instance-vpn1] quit
[PE2] interface gigabitethernet 0/0/1
[PE2-GigabitEthernet0/0/1] ip bindingvpn-instance vpn1
[PE2-GigabitEthernet0/0/1] ip address 10.2.1.124
[PE2-GigabitEthernet0/0/1] quit
# Configure IP addresses for theinterfaces on the CEs, as shown in Figure 3.(Details not shown.)
# Display VPN instance settings on eachPE. This step uses PE 1 as an example.
[PE1] display ip vpn-instance
Total VPN-Instancesconfigured : 1
Total IPv4 VPN-Instancesconfigured : 1
Total IPv6 VPN-Instancesconfigured : 1
VPN-Instance NameRD Address family Create time
vpn1100:1 IPv4/IPv6 2019/08/12 13:59:39
# Verify that each PE can ping its localCE. This step uses PE 1 and CE 1 as an example.
[PE1] ping -vpn-instance vpn1 10.1.1.2
Ping 10.1.1.2 (10.1.1.2): 56data bytes, press CTRL+C to break
56 bytes from 10.1.1.2:icmp_seq=0 ttl=255 time=2.000 ms
56 bytes from 10.1.1.2:icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 10.1.1.2:icmp_seq=2 ttl=255 time=1.000 ms
56 bytes from 10.1.1.2:icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 10.1.1.2: icmp_seq=4ttl=255 time=0.000 ms
--- Ping statistics for 10.1.1.2in VPN instance vpn1 ---
5 packet(s) transmitted, 5packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev= 0.000/0.600/2.000/0.800 ms
3.Set up an EBGP peer relationship between eachPE and its local CE and distribute VPN routes to EBGP:
# Configure CE 1.
<CE1> system-view
[CE1] bgp 65410
[CE1-bgp-default] peer 10.1.1.1 as-number100
[CE1-bgp-default] address-family ipv4unicast
[CE1-bgp-default-ipv4] peer 10.1.1.1 enable
[CE1-bgp-default-ipv4] import-route direct
[CE1-bgp-default-ipv4] quit
[CE1-bgp-default] quit
# Configure CE 2 in the same way as CE 1is configured. (Details not shown.)
# Configure PE 1.
[PE1] bgp 100
[PE1-bgp-default] router-id 1.1.1.1
[PE1-bgp-default] ip vpn-instance vpn1
[PE1-bgp-default-vpn1] peer 10.1.1.2as-number 65410
[PE1-bgp-default-vpn1] address-family ipv4unicast
[PE1-bgp-default-ipv4-vpn1] peer 10.1.1.2enable
[PE1-bgp-default-ipv4-vpn1] quit
[PE1-bgp-default-vpn1] quit
# Configure PE 2 in the same way PE 1 is configured.(Details not shown.)
# Verify that the PEs have establishedBGP peer relationships with their local CEs and the peers are in establishedstate.
[PE1] display bgp peer ipv4 vpn-instance
[PE2] display bgp peer ipv4 vpn-instance
4.Set up an MP-IBGP peer relationship betweenPE 1 and PE 2:
# Configure PE 1.
[PE1] bgp 100
[PE1-bgp-default] peer 3::3 as-number 100
[PE1-bgp-default] peer 3::3connect-interface loopback 0
[PE1-bgp-default] address-family vpnv4
[PE1-bgp-default-vpnv4] peer 3::3 enable
[PE1-bgp-default-vpnv4] quit
[PE1-bgp-default] quit
# Configure PE 2.
[PE2] bgp 100
[PE2-bgp-default] peer 1::1 as-number 100
[PE2-bgp-default] peer 1::1connect-interface loopback 0
[PE2-bgp-default] address-family vpnv4
[PE2-bgp-default-vpnv4] peer 1::1 enable
[PE2-bgp-default-vpnv4] quit
[PE2-bgp-default] quit
# Verify that the PEs have established aBGP peer relationship and the peers are in established state.
[PE1] display bgp peer vpnv4
[PE2] display bgp peer vpnv4
5.Specify a source address for the outer IPv6header of SRv6-encapsulated packets on PE 1 and PE 2:
# Configure PE 1.
[PE1] segment-routing ipv6
[PE1-segment-routing-ipv6] encapsulationsource-address 11::11
# Configure PE 2.
[PE2] segment-routing ipv6
[PE2-segment-routing-ipv6] encapsulationsource-address 33::33
6.Configure the destination address (End.DT4SID) of the outer IPv6 header for SRv6-encapsulated packets:
# Configure PE 1.
[PE1-segment-routing-ipv6] locator aaaipv6-prefix 1:2::1:0 96 static 8
[PE1-segment-routing-ipv6-locator-aaa] quit
[PE1-segment-routing-ipv6] quit
[PE1] isis 1
[PE1-isis-1] address-family ipv6 unicast
[PE1-isis-1-ipv6] segment-routing ipv6 locatoraaa
[PE1-isis-1-ipv6] quit
[PE1-isis-1] quit
# Configure PE 2.
[PE2-segment-routing-ipv6] locator bbbipv6-prefix 6:5::1:0 96 static 8
[PE2-segment-routing-ipv6-locator-bbb] quit
[PE2-segment-routing-ipv6] quit
[PE2] isis 1
[PE2-isis-1] address-family ipv6 unicast
[PE2-isis-1-ipv6] segment-routing ipv6locator bbb
[PE2-isis-1-ipv6] quit
[PE2-isis-1] quit
# Verify that the PEs have distributedthe End.DT4 SIDs to the routing table and generated SRv6 routes. This step usesPE 1 as an example.
[PE1] display ipv6 routing-table protocolsrv6
Summary count : 1
SRv6 Routing table status :<Active>
Summary count : 1
Destination: 1:2::101/128Protocol : SRv6
NextHop :::1 Preference: 4
Interface :InLoop0 Cost : 0
SRv6 Routing table status :<Inactive>
Summary count : 0
7.Add End.DT4 SIDs toprivate network routes on PE 1 and PE 2:
# Configure PE 1.
[PE1] bgp 100
[PE1-bgp-default] ip vpn-instance vpn1
[PE1-bgp-default-vpn1] address-family ipv4unicast
[PE1-bgp-default-ipv4-vpn1] segment-routingipv6 locator aaa
[PE1-bgp-default-ipv4-vpn1] quit
[PE1-bgp-default-vpn1] quit
[PE1-bgp-default] quit
# Configure PE 2.
[PE2] bgp 100
[PE2-bgp-default] ip vpn-instance vpn1
[PE2-bgp-default-vpn1] address-family ipv4unicast
[PE2-bgp-default-ipv4-vpn1] segment-routingipv6 locator bbb
[PE2-bgp-default-ipv4-vpn1] quit
[PE2-bgp-default-vpn1] quit
[PE2-bgp-default] quit
8.Enable IPv6 peers on the PEs to exchange End.DT4SIDs and enable the SID-route-recursion feature:
# Configure PE 1.
[PE1] bgp 100
[PE1-bgp-default] address-family vpnv4
[PE1-bgp-default-vpnv4] peer 3::3 prefix-sid
[PE1-bgp-default-vpnv4] quit
[PE1-bgp-default] ip vpn-instance vpn1
[PE1-bgp-default-vpn1] address-family ipv4unicast
[PE1-bgp-default-ipv4-vpn1] segment-routingipv6 best-effort
[PE1-bgp-default-ipv4-vpn1] quit
[PE1-bgp-default-vpn1] quit
[PE1-bgp-default] quit
# Configure PE 2.
[PE2] bgp 100
[PE2-bgp-default] address-family vpnv4
[PE2-bgp-default-vpnv4] peer 1::1 prefix-sid
[PE2-bgp-default-vpnv4] quit
[PE2-bgp-default] ip vpn-instance vpn1
[PE2-bgp-default-vpn1] address-family ipv4unicast
[PE2-bgp-default-ipv4-vpn1] segment-routingipv6 best-effort
[PE2-bgp-default-ipv4-vpn1] quit
[PE2-bgp-default-vpn1] quit
[PE2-bgp-default] quit
# Display BGP VPNv4 routing informationon each PE and verify that the routes advertised by the PEs have the SIDattribute. This step uses PE 1 as an example.
[PE1] display bgp routing-table vpnv410.2.1.0
BGP local router ID: 1.1.1.1
Local AS number: 100
Route distinguisher:100:1(vpn1)
Total number of routes: 1
Paths: 1 available, 1 best
BGP routing table informationof 10.2.1.0/24:
From : 3::3 (3.3.3.3)
Rely nexthop :FE80::2A96:34FF:FE9D:216
Original nexthop: 3::3
Out interface : GigabitEthernet0/0/2
Route age : 00h14m23s
OutLabel : 3
Ext-Community : <RT:111:1>
RxPathID : 0x0
TxPathID : 0x0
PrefixSID : End.DT4 SID <6:5::101>
AS-path : 65420
Origin : incomplete
Attribute value : MED 0,localpref 100, pref-val 0
State : valid,internal, best
IP precedence : N/A
QoS local ID : N/A
Traffic index : N/A
Tunnel policy : NULL
Rely tunnel IDs : N/A
Verifying theconfiguration
# Display IPv4 routing table information onthe PEs and verify that each PE has a route destined for the remote CE and thenext hop of the route is the End.DT4 SID of the route. This step uses PE 1 asan example.
[PE1] display ip routing-table vpn-instancevpn1
Destinations : 11 Routes : 11
Destination/Mask Proto PreCost NextHop Interface
0.0.0.0/32 Direct 0 0 127.0.0.1InLoop0
10.1.1.0/24 Direct 00 10.1.1.1 GE0/0/1
10.1.1.0/32 Direct 00 10.1.1.1 GE0/0/1
10.1.1.1/32 Direct 00 127.0.0.1 InLoop0
10.1.1.255/32 Direct 00 10.1.1.1 GE0/0/1
10.2.1.0/24 BGP 2550 6:5::101 GE0/0/2
127.0.0.0/8 Direct 00 127.0.0.1 InLoop0
127.0.0.0/32 Direct 00 127.0.0.1 InLoop0
127.0.0.1/32 Direct 00 127.0.0.1 InLoop0
127.255.255.255/32 Direct 00 127.0.0.1 InLoop0
255.255.255.255/32 Direct 00 127.0.0.1 InLoop0
# Verify that CE 1 and CE 2 can ping each other.(Details not shown.)
