Configuring MPLS VPN Traffic Injection

In MPLS VPN traffic injection, a Layer-3 MPLS VPN is established between the cleaning device and the traffic-injection router. Cleaned traffic is thereby injected into the original link and finally forwarded to the Zone.

Implementation Mechanism

This function is configured on the AntiDDoS.

As shown in Figure 1, Router1 is a traffic-diversion router. A traffic-diversion channel is established between GE1/0/1 on Router1 and GE2/0/1 on the cleaning device. Inbound traffic is diverted to GE2/0/1 through Router1 GE1/0/1 for cleaning.

A Layer-3 MPLS VPN is established between the cleaning device and Router2. The cleaning device acts as the ingress Provider Edge (PE) device, Router1 as a P device, and Router2 as the egress PE device. Cleaned traffic is injected from GE2/0/2 to GE1/0/1 on Router2 along the dynamically established Label Switched Path (LSP). Cleaned traffic carries two layels of labels; the outer label is stripped when the traffic passes through Router1. Router2 then looks up the private routing table identified by the inner (private) label and forwards the traffic to the Zone.

In practice, the traffic-injection router can be either Router2 or another downstream router.

Figure 1 MPLS VPN traffic injection

In the BGP traffic-diversion scenario, MPLS VPN traffic injection delivers the injected traffic directly to a downstream router that does not learn the traffic-diversion route, so no forwarding loop is formed.

As a typical form of dynamic traffic injection, MPLS VPN traffic injection is flexible to deploy and scales well, but it requires that the routers support MPLS.

NOTE:
IP addresses of Zones on different VPNs cannot overlap with each other.

Configuring the Cleaning Device

  1. Set the IP address of the interface on the cleaning device and the loopback address serving as the LSR ID. Use OSPF to advertise the network segment connected to each interface and the host route of the LSR ID.
  2. Configure basic MPLS functions.
    1. Run the system-view command in the user view to access the system view.
    2. Run the mpls lsr-id lsr-id command to set an LSR ID.

      lsr-id specifies an LSR ID, in dotted decimal notation. It is used for identifying an LSR.

      Setting the LSR ID is the premise of configuring other MPLS commands.

      No default LSR ID is available. You are advised to use the IP address of the loopback interface of the LSR as the LSR ID.

      To modify the specified LSR ID, run the undo mpls command in the system view to delete all MPLS configurations.

    3. Run the mpls command to enable global MPLS and access the MPLS view.
    4. Run the quit command to return to the system view.
    5. Run the mpls ldp command to enable global LDP and access the MPLS-LDP view.
    6. Run the quit command to return to the system view.
    7. Run the interface interface-type { interface-number | interface-number.subinterface-number } command to access the interface view.

      The interface type can be 10GE, GigabitEthernet, POS, Eth-Trunk, IP-Trunk, or the subinterface of 10GE, GigabitEthernet, or Eth-Trunk. However, it cannot be GigabitEthernet 0/0/0 on the MPU.

      The interface indicates GE2/0/2 on the cleaning device.

    8. Run the mpls command to enable interface-based MPLS.
    9. Run the mpls ldp command to enable interface-based LDP.
    10. Run the quit command to return to the system view.
  3. Configure a VPN instance.
    1. Run the ip vpn-instance vpn-instance-name command to create a VPN instance and access the corresponding view.
    2. Run the route-distinguisher route-distinguisher command to configure the RD of the VPN instance.

      The VPN instance takes effect only after an RD is specified for it. Before setting the RD, you cannot configure any parameter except the description.

    3. Run the vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ] command to create a VPN-target extended community for the VPN instance.

      VPN Target is the attribute of the extended BGP community. VPN Target controls the receiving and advertising of VPN routes. You can configure a maximum of eight VPN targets at a time by running the vpn-target command. A VPN instance can be configured with a maximum of 16 VPN targets.

    4. Run the interface interface-type { interface-number | interface-number.subinterface-number } command to access the interface view.

      The interface type can be 10GE, GigabitEthernet, POS, Eth-Trunk, IP-Trunk, or the subinterface of 10GE, GigabitEthernet, or Eth-Trunk. However, it cannot be GigabitEthernet 0/0/0 on the MPU.

      The interface indicates GE2/0/1 on the cleaning device.

    5. Run the ip binding vpn-instance vpn-instance-name command to bind the interface to the VPN instance.

      NOTICE:

      After the ip binding vpn-instance command is configured, Layer-3 features such as the specified IP address and routing protocol are deleted on the interface. Re-configure them if desired.

    6. Run the ip address ip-address { mask | mask-length } [ sub ] command to set the IP address of the interface.
    7. Run the quit command to return to the system view.
  4. Configure MP-IBGP between PE devices.
    1. Run the interface loopback number command to create a loopback interface.

      The value of number ranges from 0 to 1023.

    2. Run the ip address ip-address { mask | mask-length } [ sub ] command to set the IP address of the loopback interface.
    3. Run the quit command to return to the system view.
    4. Run the bgp as-number command to access the BGP view.

      as-number specifies an AS number. The value ranges from 1 to 65,535.

    5. Run the peer peer-address as-number as-number command to set the remote PE device to the peer.

      peer-address specifies the IP address of the peer.

    6. Run the peer peer-address connect-interface loopback interface-number command to specify an interface for establishing the TCP connection.

      The MP-IBGP peer must be established between PE devices through the 32-bit IP address of the loopback interface. This avoids route failure due to route aggregation. The route to the loopback interface is advertised to the peer PE device by using IGP on the MPLS backbone network.

    7. Run the ipv4-family vpnv4 [ unicast ] command to access the BGP-VPNv4 subaddress family view.
    8. Run the peer peer-address enable command to enable VPN-IPv4 route exchange.
  5. Configure a route between the PE device and the Customer Edge (CE) device.

    In practice, configure EBGP, static route, RIP, or OSPF between the PE device and the CE device.

Configuring Router1

The following uses Huawei NE80E as an example for describing how to configure Router1 in MPLS VPN traffic injection.

  1. Set the IP address of the Router1 interface and the loopback address serving as the LSR ID. Use OSPF to advertise the network segment connected to each interface and the host route of the LSR ID.
  2. Configure basic MPLS functions.
    1. Run the system-view command in the user view to access the system view.
    2. Run the mpls lsr-id lsr-id command to set an LSR ID.

      lsr-id specifies an LSR ID, in dotted decimal notation. It is used for identifying an LSR.

      Setting the LSR ID is the premise of configuring other MPLS commands.

      No default LSR ID is available. You are advised to use the IP address of the loopback interface of the LSR as the LSR ID.

      To modify the specified LSR ID, run the undo mpls command in the system view to delete all MPLS configurations.

    3. Run the mpls command to enable global MPLS and access the MPLS view.
    4. Run the quit command to return to the system view.
    5. Run the mpls ldp command to enable global LDP and access the MPLS-LDP view.
    6. Run the quit command to return to the system view.
    7. Run the interface interface-type { interface-number | interface-number.subinterface-number } command to access the interface view.

      Interfaces indicate inbound interface GE1/0/2 and outbound interface GE1/0/3.

    8. Run the mpls command to enable interface-based MPLS.
    9. Run the mpls ldp command to enable interface-based LDP.
    10. Run the quit command to return to the system view.

Configuring Router2

The following uses Huawei NE80E as an example for describing how to configure Router2 in MPLS VPN traffic injection.

  1. Set the IP address of the Router2 interface and the loopback address serving as the LSR ID. Use OSPF to advertise the network segment connected to each interface and the host route of the LSR ID.
  2. Configure basic MPLS functions.
    1. Run the system-view command in the user view to access the system view.
    2. Run the mpls lsr-id lsr-id command to set an LSR ID.

      lsr-id specifies an LSR ID, in dotted decimal notation. It is used for identifying an LSR.

      Setting the LSR ID is the premise of configuring other MPLS commands.

      No default LSR ID is available. You are advised to use the IP address of the loopback interface of the LSR as the LSR ID.

      To modify the specified LSR ID, run the undo mpls command in the system view to delete all MPLS configurations.

    3. Run the mpls command to enable global MPLS and access the MPLS view.
    4. Run the quit command to return to the system view.
    5. Run the mpls ldp command to enable global LDP and access the MPLS-LDP view.
    6. Run the quit command to return to the system view.
    7. Run the interface interface-type { interface-number | interface-number.subinterface-number } command to access the interface view.

      The interface indicates the inbound interface GE1/0/1 of injected traffic.

    8. Run the mpls command to enable interface-based MPLS.
    9. Run the mpls ldp command to enable interface-based LDP.
    10. Run the quit command to return to the system view.
  3. Configure a VPN instance.
    1. Run the ip vpn-instance vpn-instance-name command to create a VPN instance and access the corresponding view.
    2. Run the route-distinguisher route-distinguisher command to configure the RD of the VPN instance.

      The VPN instance takes effect only after an RD is specified for it. Before setting the RD, you cannot configure any parameter except the description.

    3. Run the vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ] command to create a VPN-target extended community for the VPN instance.

      VPN Target is the attribute of the extended BGP community. VPN Target controls the receiving and advertising of VPN routes. You can configure a maximum of eight VPN targets at a time by running the vpn-target command. A VPN instance can be configured with a maximum of 16 VPN targets.

    4. Run the interface interface-type { interface-number | interface-number.subinterface-number } command to access the interface view.

      The interface is the one through which Router2 connects to the Zone network, that is, Router2 GE1/0/2 shown in Figure 1.

    5. Run the ip binding vpn-instance vpn-instance-name command to bind the interface to the VPN instance.

      NOTICE:

      After the ip binding vpn-instance command is configured, Layer-3 features such as the specified IP address and routing protocol are deleted on the interface. Re-configure them if desired.

    6. Run the quit command to return to the system view.
  4. Configure MP-IBGP between PE devices.
    1. Run the interface loopback number command to create a loopback interface.

      The value of number ranges from 0 to 1023.

    2. Run the ip address ip-address { mask | mask-length } [ sub ] command to set the IP address of the loopback interface.
    3. Run the quit command to return to the system view.
    4. Run the bgp as-number command to access the BGP view.
    5. Run the peer peer-address as-number as-number command to set the remote PE device to the peer.
    6. Run the peer peer-address connect-interface loopback interface-number command to specify an interface for establishing the TCP connection.

      The MP-IBGP peer must be established between PE devices through the 32-bit IP address of the loopback interface. This avoids route failure due to route aggregation. The route to the loopback interface is advertised to the peer PE device by using IGP on the MPLS backbone network.

    7. Run the ipv4-family vpnv4 [ unicast ] command to access the BGP-VPNv4 subaddress family view.
    8. Run the peer peer-address enable command to enable VPN-IPv4 route exchange.
  5. Configure a route between the PE device and the CE device.

    In practice, configure EBGP, static route, RIP, or OSPF between the PE device and the CE device.
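The following is an added worked configuration that puts the procedures for the cleaning device (ingress PE) and Router2 (egress PE) together on the Figure 1 topology. It is not taken from Huawei documentation; every address, the AS number 100, the VPN instance name vpna, the RD and VPN target 100:1, and the Zone prefix 192.168.10.0/24 behind CE 10.1.24.2 are constructed assumptions. Router1 (the P device) needs only the basic MPLS part, which has the same form as the first stanzas below, so it is summarized in a comment rather than repeated. The PE-CE route on Router2 is chosen as a static route in the VPN instance, imported into the BGP VPN-instance address family so that the cleaning device learns the Zone prefix through MP-IBGP; that import step is an assumption beyond the page's own steps. Each block is entered from the system view, and on both PEs the IP address of the VPN-bound interface is applied after the ip binding vpn-instance command because that command clears the interface's Layer-3 settings.

```text
# ==== Cleaning device: ingress PE (LSR ID 1.1.1.1, constructed addresses) ====
interface LoopBack 0
 ip address 1.1.1.1 32
 quit
mpls lsr-id 1.1.1.1
mpls
 quit
mpls ldp
 quit
# GE2/0/2: MPLS-facing link toward Router1 GE1/0/2
interface GigabitEthernet 2/0/2
 ip address 10.1.12.1 24
 mpls
 mpls ldp
 quit
# OSPF advertises the LSR-ID host route and the core link
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 10.1.12.0 0.0.0.255
  quit
 quit
ip vpn-instance vpna
 route-distinguisher 100:1
 vpn-target 100:1 both
 quit
# GE2/0/1: traffic-diversion interface, bound to the VPN; address re-applied after binding
interface GigabitEthernet 2/0/1
 ip binding vpn-instance vpna
 ip address 10.1.11.1 24
 quit
# MP-IBGP to Router2's loopback (3.3.3.3) over LoopBack 0
bgp 100
 peer 3.3.3.3 as-number 100
 peer 3.3.3.3 connect-interface LoopBack 0
 ipv4-family vpnv4
  peer 3.3.3.3 enable
  quit
 quit

# ==== Router1: P device (LSR ID 2.2.2.2) ====
# Same loopback / mpls lsr-id / mpls / mpls ldp / ospf stanzas as above, with
# interface-based mpls and mpls ldp on GE1/0/2 (10.1.12.2/24, toward the cleaning
# device) and GE1/0/3 (10.1.23.1/24, toward Router2); no VPN instance, no BGP.

# ==== Router2: egress PE (LSR ID 3.3.3.3); Zone 192.168.10.0/24 behind CE 10.1.24.2 ====
interface LoopBack 0
 ip address 3.3.3.3 32
 quit
mpls lsr-id 3.3.3.3
mpls
 quit
mpls ldp
 quit
# GE1/0/1: inbound interface for injected (labeled) traffic from Router1 GE1/0/3
interface GigabitEthernet 1/0/1
 ip address 10.1.23.2 24
 mpls
 mpls ldp
 quit
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 3.3.3.3 0.0.0.0
  network 10.1.23.0 0.0.0.255
  quit
 quit
ip vpn-instance vpna
 route-distinguisher 100:1
 vpn-target 100:1 both
 quit
# GE1/0/2: interface toward the Zone, placed in the VPN instance; address re-applied after binding
interface GigabitEthernet 1/0/2
 ip binding vpn-instance vpna
 ip address 10.1.24.1 24
 quit
# PE-CE route (assumed static): Zone prefix inside the VPN instance via the CE
ip route-static vpn-instance vpna 192.168.10.0 24 10.1.24.2
bgp 100
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack 0
 ipv4-family vpnv4
  peer 1.1.1.1 enable
  quit
 # assumed: import the static Zone route so the cleaning device receives it as a VPNv4 route
 ipv4-family vpn-instance vpna
  import-route static
  quit
 quit
```

With this in place the cleaning device holds the Zone prefix only in the vpna routing table, so cleaned traffic arriving on GE2/0/1 is pushed onto the LDP LSP toward 3.3.3.3 with the inner label Router2 allocated for vpna, and Router2 forwards it out of GE1/0/2 without ever consulting the global table that carries the diversion route. If a second Zone is served through another VPN instance, its prefix must not overlap with 192.168.10.0/24, as the NOTE above requires.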


Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.