Typical Configuration Examples

CloudEngine 12800, 12800E, 8800, 7800, 6800, and 5800 Series Switches

Configuring a VPN Instance to forward service packets

Applicable Products and Versions

This example applies to the CE12800/CE6800/CE5800 V100R001C00 or later, the CE7800 V100R003C00 or later, the CE8800 V100R006C00 or later, and CE12800E V200R002C50 or later.

Networking Requirements

As shown in Figure 2-54, servers in the service area need to access the Internet. The data server and video server in the service area connect to the gateway router through access switch SwitchB and core switch SwitchA and communicate with the Internet through the gateway Router.

A firewall connects to core switch SwitchA in bypass mode to secure the traffic exchanged between the servers and the Internet. All traffic passing through SwitchA is then redirected to the firewall through a VPN instance, and the firewall filters it to protect both the internal and the external network.

Figure 2-54 Configuring a VPN instance to forward service packets

Table 2-17 describes the network plan of devices shown in Figure 2-54.

Table 2-17 Network plan

Item           Data
-------------  -----------------------------------------------------
Data server    VLAN that the server belongs to: VLAN 100
Video server   VLAN that the server belongs to: VLAN 100
SwitchA        VLAN that 10GE1/0/1 belongs to: VLAN 100
               VLAN that 10GE2/0/2 belongs to: VLAN 102 and VLAN 103
               VLAN that 10GE3/0/3 belongs to: VLAN 101
               VLANIF 100 IP address: 10.10.10.1/24
               VLANIF 101 IP address: 1.1.1.1/24
               VLANIF 102 IP address: 192.168.10.1/24
               VLANIF 103 IP address: 192.168.11.1/24
SwitchB        VLAN that 10GE1/0/1 belongs to: VLAN 100
               VLAN that 10GE1/0/2 belongs to: VLAN 100
               VLAN that 10GE1/0/3 belongs to: VLAN 100

Configuration Roadmap

The configuration roadmap is as follows:

  1. Connect a core firewall to SwitchA in bypass mode to filter insecure traffic.
  2. Create the VPN instance vrf1 and bind it to the corresponding interfaces so that all traffic destined for the Internet is forwarded within vrf1.
  3. Configure a static route or routing protocol to direct all traffic sent from the Internet to the data and video servers to the firewall.

Procedure

  1. Create VLANs and configure interfaces to implement interworking at Layer 2.

    # Create VLAN 100 on SwitchB.

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchB
    [*HUAWEI] commit
    [~SwitchB] vlan batch 100
    [*SwitchB] commit

    # Add 10GE1/0/1, 10GE1/0/2, and 10GE1/0/3 on SwitchB to VLAN 100.

    [~SwitchB] interface 10ge 1/0/1
    [~SwitchB-10GE1/0/1] port link-type trunk 
    [*SwitchB-10GE1/0/1] port trunk allow-pass vlan 100
    [*SwitchB-10GE1/0/1] quit
    [*SwitchB] interface 10ge 1/0/2
    [*SwitchB-10GE1/0/2] port link-type access
    [*SwitchB-10GE1/0/2] port default vlan 100
    [*SwitchB-10GE1/0/2] quit
    [*SwitchB] interface 10ge 1/0/3
    [*SwitchB-10GE1/0/3] port link-type access
    [*SwitchB-10GE1/0/3] port default vlan 100
    [*SwitchB-10GE1/0/3] quit
    [*SwitchB] commit

    # On SwitchA, create VLAN 100 (connected to SwitchB), VLAN 101 (connected to the gateway Router), and VLANs 102 and 103 (connected to the firewall).

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchA
    [*HUAWEI] commit
    [~SwitchA] vlan batch 100 to 103
    [*SwitchA] commit

    # Set the interface type of 10GE1/0/1, 10GE2/0/2, and 10GE3/0/3 on SwitchA to trunk, and add them to the VLANs.

    [~SwitchA] interface 10ge 1/0/1
    [~SwitchA-10GE1/0/1] port link-type trunk
    [*SwitchA-10GE1/0/1] port trunk allow-pass vlan 100
    [*SwitchA-10GE1/0/1] quit
    [*SwitchA] interface 10ge 2/0/2
    [*SwitchA-10GE2/0/2] port link-type trunk 
    [*SwitchA-10GE2/0/2] port trunk allow-pass vlan 102 to 103
    [*SwitchA-10GE2/0/2] quit
    [*SwitchA] interface 10ge 3/0/3
    [*SwitchA-10GE3/0/3] port link-type trunk 
    [*SwitchA-10GE3/0/3] port trunk allow-pass vlan 101
    [*SwitchA-10GE3/0/3] quit
    [*SwitchA] commit

  2. Create the VPN instance vrf1 and bind it to the corresponding interfaces so that all traffic destined for the Internet is forwarded within vrf1.

    # Create the VPN instance vrf1.

    [~SwitchA] ip vpn-instance vrf1
    [*SwitchA-vpn-instance-vrf1] description YeWu
    [*SwitchA-vpn-instance-vrf1] ipv4-family
    [*SwitchA-vpn-instance-vrf1-af-ipv4] route-distinguisher 100:1
    [*SwitchA-vpn-instance-vrf1-af-ipv4] vpn-target 100:1 both 
    [*SwitchA-vpn-instance-vrf1-af-ipv4] quit
    [*SwitchA-vpn-instance-vrf1] quit
    [*SwitchA] commit

    # Create VLANIF 100 to VLANIF 103. Assume that the IP addresses of the firewall interfaces connected to VLANIF 102 and VLANIF 103 are 192.168.10.2/24 and 192.168.11.2/24. Bind the VPN instance vrf1 to VLANIF 100 and VLANIF 102 so that the server VLAN and the firewall-facing VLAN 102 are both in vrf1.

    [~SwitchA] interface vlanif 100
    [~SwitchA-Vlanif100] ip binding vpn-instance vrf1
    [*SwitchA-Vlanif100] ip address 10.10.10.1 24
    [*SwitchA-Vlanif100] quit
    [*SwitchA] interface vlanif 101
    [*SwitchA-Vlanif101] ip address 1.1.1.1 24
    [*SwitchA-Vlanif101] quit
    [*SwitchA] interface vlanif 102
    [*SwitchA-Vlanif102] ip binding vpn-instance vrf1
    [*SwitchA-Vlanif102] ip address 192.168.10.1 24
    [*SwitchA-Vlanif102] quit
    [*SwitchA] interface vlanif 103
    [*SwitchA-Vlanif103] ip address 192.168.11.1 24
    [*SwitchA-Vlanif103] quit
    [*SwitchA] commit

    # Configure static routes.

    [~SwitchA] ip route-static vpn-instance vrf1 0.0.0.0 0.0.0.0 192.168.10.2
    [*SwitchA] commit

  3. Configure a static route or routing protocol such as OSPF to direct all traffic sent from the Internet to the data and video servers to the firewall. A static route is used in this example.

    [~SwitchA] ip route-static 10.10.10.0 255.255.255.0 192.168.11.2
    [*SwitchA] commit
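As an added example (not part of the Huawei document), the following Python script models the forwarding behaviour this procedure sets up: it parses SwitchA's VLANIF bindings and static routes into a global table and a vrf1 table, performs a longest-prefix lookup in each, and answers the question a defender wants checked, namely whether traffic in both directions is handed to the firewall. The firewall addresses 192.168.10.2 and 192.168.11.2 are the ones assumed in the example text; UNBOUND_CONFIG is a constructed misconfiguration showing how a missing ip binding lets Internet-to-server traffic bypass the firewall.

```python
import ipaddress
# Constructed from the SwitchA configuration in this example (forwarding-relevant lines only).
SWITCHA_CONFIG = """
interface Vlanif100
 ip binding vpn-instance vrf1
 ip address 10.10.10.1 255.255.255.0
interface Vlanif102
 ip binding vpn-instance vrf1
 ip address 192.168.10.1 255.255.255.0
interface Vlanif103
 ip address 192.168.11.1 255.255.255.0
ip route-static 10.10.10.0 255.255.255.0 192.168.11.2
ip route-static vpn-instance vrf1 0.0.0.0 0.0.0.0 192.168.10.2
"""
FIREWALL = {"192.168.10.2", "192.168.11.2"}  # firewall addresses assumed in the example text

def parse_config(text):
    """Return {table: [(network, next_hop, iface)]}; connected routes have next_hop None."""
    tables, iface, vrf = {}, None, "global"
    for parts in (line.split() for line in text.splitlines() if line.strip()):
        if parts[0] == "interface":
            iface, vrf = parts[1], "global"  # a VLANIF is in the global table until bound
        elif parts[:3] == ["ip", "binding", "vpn-instance"]:
            vrf = parts[3]
        elif parts[:2] == ["ip", "address"]:
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            tables.setdefault(vrf, []).append((net, None, iface))
        elif parts[:2] == ["ip", "route-static"]:
            table = parts[3] if parts[2] == "vpn-instance" else "global"
            net = ipaddress.ip_network(f"{parts[-3]}/{parts[-2]}", strict=False)
            tables.setdefault(table, []).append((net, ipaddress.ip_address(parts[-1]), None))
    return tables

def lookup(tables, table, dst):
    """LPM in one table -> (next_hop, egress_iface) or None; a connected route wins a tie, as in VRP."""
    dst = ipaddress.ip_address(dst)
    if not (matches := [r for r in tables.get(table, []) if dst in r[0]]):
        return None
    _, nh, iface = max(matches, key=lambda r: (r[0].prefixlen, r[1] is None))
    if nh is None:
        return (None, iface)
    # Resolve the static next hop recursively in the same table to find the egress VLANIF.
    return (nh, (lookup(tables, table, str(nh)) or (None, None))[1])

def firewall_in_path(config, table, dst):
    """Audit: is a packet looked up in `table` towards `dst` handed to a firewall address?"""
    nh, _ = lookup(parse_config(config), table, dst) or (None, None)
    return nh is not None and str(nh) in FIREWALL

# Constructed misconfiguration: without the binding, the global table gains a connected route
# to the server subnet that beats the static route, so Internet traffic bypasses the firewall.
UNBOUND_CONFIG = SWITCHA_CONFIG.replace(" ip binding vpn-instance vrf1\n ip address 10.10.10.1", " ip address 10.10.10.1")
```

Running `firewall_in_path(SWITCHA_CONFIG, "vrf1", "203.0.113.10")` and `firewall_in_path(SWITCHA_CONFIG, "global", "10.10.10.10")` both return True, while the same global lookup against UNBOUND_CONFIG returns False because the packet would leave directly through Vlanif100.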

Verifying the Configuration

  1. Run the display ip vpn-instance vrf1 command to view information about the VPN instance vrf1.

    [~SwitchA] display ip vpn-instance vrf1
      VPN-Instance Name               RD                    Address-family
      vrf1                            100:1                 IPv4

  2. Run the display ip vpn-instance interface command to view interface information of the VPN instance.

    [~SwitchA] display ip vpn-instance interface
     Total VPN-Instances configured      : 1
     Total IPv4 VPN-Instances configured : 1
     Total IPv6 VPN-Instances configured : 0

     VPN-Instance Name and ID : vrf1, 50
      Interface Number : 2
      Interface list : Vlanif100,
                       Vlanif102

Configuration Files

  • Configuration file of SwitchB

    #
    sysname SwitchB
    #
    vlan batch 100
    #
    interface 10GE1/0/1
     port link-type trunk
     port trunk allow-pass vlan 100
    #
    interface 10GE1/0/2
     port default vlan 100
    #
    interface 10GE1/0/3
     port default vlan 100
    #
    return
    
  • Configuration file of SwitchA

    #
    sysname SwitchA
    #
    vlan batch 100 to 103
    #
    ip vpn-instance vrf1
     description YeWu
     ipv4-family
      route-distinguisher 100:1
      vpn-target 100:1 export-extcommunity
      vpn-target 100:1 import-extcommunity
    #
    interface Vlanif100
     ip binding vpn-instance vrf1
     ip address 10.10.10.1 255.255.255.0
    #
    interface Vlanif101
     ip address 1.1.1.1 255.255.255.0
    #
    interface Vlanif102
     ip binding vpn-instance vrf1
     ip address 192.168.10.1 255.255.255.0
    #
    interface Vlanif103
     ip address 192.168.11.1 255.255.255.0
    #
    interface 10GE1/0/1
     port link-type trunk
     port trunk allow-pass vlan 100
    #
    interface 10GE2/0/2
     port link-type trunk
     port trunk allow-pass vlan 102 to 103
    #
    interface 10GE3/0/3
     port link-type trunk
     port trunk allow-pass vlan 101
    #
    ip route-static 10.10.10.0 255.255.255.0 192.168.11.2
    ip route-static vpn-instance vrf1 0.0.0.0 0.0.0.0 192.168.10.2
    #
    return

Updated: 2019-04-03

Document ID: EDOC1000039339