CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of various services supported by the CX11x&CX31x&CX91x series switch modules. The description covers configuration examples and function configurations.
Configuring an MCE Device

You can configure multi-instance routing protocols on an MCE device to implement service isolation between different VPN users in a LAN.

Pre-configuration Tasks

Before configuring an MCE device, complete the following task:

  • Configuring the link layer protocol and network layer protocol for LAN interfaces and connecting the LAN to the MCE device (reserve one interface for each service)

Configuration Process

The following tasks are mandatory.

Configuring a VPN Instance

Context

The following configurations are performed on the MCE device.

Similar configurations must be performed on the PE devices. The PE configuration procedure and commands used vary in devices from different vendors and different product models. For detailed configuration, see the documentation of the PE devices.

Procedure

  1. Create a VPN instance.
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      ip vpn-instance vpn-instance-name

      A VPN instance is created, and its view is displayed.

      NOTE:

      A VPN instance name is case sensitive. For example, vpn1 and VPN1 are different VPN instances.

    3. (Optional) Run:

      description description-information

      The description is configured for the VPN instance.

      Like the description of a host name or an interface, the description can be used to record information such as the relationship between a VPN instance and a VPN.

    4. Run:

      ipv4-family

      The IPv4 address family is enabled for the VPN instance, and the VPN instance IPv4 address family view is displayed.

    5. Run:

      route-distinguisher route-distinguisher

      An RD is configured for the VPN instance IPv4 address family.

      A VPN instance IPv4 address family takes effect only after being configured with an RD. The RDs of different VPN instances on a PE must be different.

      NOTE:
      • RDs cannot be modified but can be deleted after being configured. After an RD is deleted, all configurations in the VPN instance IPv4 address family of the corresponding VPN instance will be deleted.

      • If you configure an RD for the VPN instance IPv4 address family in the created VPN instance view, the VPN instance IPv4 address family is enabled and the VPN instance IPv4 address family view is displayed.

    6. Run:

      vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]

      A VPN target is configured for the VPN instance IPv4 address family.

      A VPN target is a BGP extended community attribute. It is used to control the receiving and advertisement of VPN routing information. A maximum of eight VPN targets can be configured using a vpn-target command.

      When VPN sites connected to the MCE device need to communicate with one another, configure VPN targets on the MCE device to implement VPN route cross. If the VPN sites connected to the MCE device do not need to communicate with one another, you do not need to configure VPN targets.

    7. (Optional) Run:

      prefix limit number { alert-percent [ route-unchanged ] | simply-alert }

      The allowed maximum number of route prefixes is set for the VPN instance IPv4 address family.

      The configuration restricts the number of route prefixes imported from the switches and other PEs into a VPN instance IPv4 address family on a PE, preventing the PE from receiving too many route prefixes.

      NOTE:

      If the prefix limit command is run, the system gives a prompt when the number of route prefixes added to the routing table of the VPN instance IPv4 address family exceeds the limit. After the prefix limit command is run to increase the allowed maximum number of route prefixes in a VPN instance IPv4 address family or the undo prefix limit command is run to cancel the limit, the system adds newly received route prefixes of various protocols to the private network IP routing table.

      After the number of route prefixes exceeds the maximum limit, direct and static routes can still be added to the IPv4 address family routing table of VPN instances.

    8. (Optional) Configure a routing policy for the VPN instance.

      In addition to using VPN targets to control VPN route advertisement and reception, you can configure a routing policy for the VPN instance to better control VPN routes.
      • An import routing policy filters routes before they are imported into the VPN instance IPv4 address family.
      • An export routing policy filters routes before they are advertised to other PE devices.
      NOTE:

      Before applying a routing policy to a VPN instance, create the routing policy. For details about how to configure a routing policy, see Routing Policy Configuration in the CX11x&CX31x&CX91x Series Switch Modules Configuration Guide - IP Routing.

      Run the following command as required:
      • To configure an import routing policy for the VPN instance IPv4 address family, run import route-policy policy-name.
      • To configure an export routing policy for the VPN instance IPv4 address family, run export route-policy policy-name.

    9. Run:

      commit

      The configuration is committed.

  2. Bind the VPN instance to an interface.
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface view is displayed.

    3. On an Ethernet interface, run:

      undo portswitch

      The interface is switched to Layer 3 mode.

      By default, an Ethernet interface works in Layer 2 mode.

      If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.

      NOTE:

      If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

    4. Run:

      ip binding vpn-instance vpn-instance-name

      A VPN instance is bound to the interface.

      By default, an interface is a public network interface and is not associated with any VPN instance.

      NOTE:

      After a VPN instance is bound to an interface, configuration of the Layer 3 features including IP addresses and routing protocols is deleted from the interface.

    5. Run:

      ip address ip-address { mask | mask-length }

      An IP address is configured for the interface.

    6. Run:

      commit

      The configuration is committed.

Configure Route Exchange Between an MCE Device and VPN Sites

Context

The following configurations are performed on the MCE device. On the devices in the site, you only need to configure the corresponding routing protocol.

Configure Static Routes Between an MCE Device and a Site
Perform the following configurations on the MCE device. You only need to configure a static route to the MCE device in the site. The site configuration is not provided here.
NOTE:

For detailed configuration of static routes, see Static Route Configuration in the CX11x&CX31x&CX91x Series Switch Modules Configuration Guide - IP Routing.

Table 9-4 MCE configuration

  • Action: Enter the system view.
    Command: system-view
    Description: -

  • Action: Configure a static route to the site.
    Command: ip route-static vpn-instance vpn-source-name destination-address { mask | mask-length } { nexthop-address [ public ] | interface-type interface-number [ nexthop-address ] } [ preference preference | tag tag ] *
    Description: You must specify the next hop address on the MCE device.

  • Action: Commit the configuration.
    Command: commit
    Description: -

Configure RIP Between an MCE Device and a Site
Perform the following configurations on the MCE device. Configure RIPv1 or RIPv2 in the site. The site configuration is not provided here.
NOTE:

For detailed RIP configuration, see RIP Configuration in the CX11x&CX31x&CX91x Series Switch Modules Configuration Guide - IP Routing.

Table 9-5 MCE configuration

  • Action: Enter the system view.
    Command: system-view
    Description: -

  • Action: Create a RIP process running between the MCE device and the site and enter the RIP view.
    Command: rip process-id vpn-instance vpn-instance-name
    Description: A RIP process can be bound to only one VPN instance. If a RIP process is not bound to any VPN instance before it is started, this process becomes a public network process and can no longer be bound to a VPN instance.

  • Action: Enable RIP on the network segment of the interface to which the VPN instance is bound.
    Command: network network-address
    Description: -

  • Action: (Optional) Import the routes to the remote sites advertised by the PE device into the RIP routing table.
    Command: import-route protocol [ process-id ] [ cost { cost | transparent } | [ route-policy route-policy-name ] ] *
    Description: Perform this step if another routing protocol is running between the MCE and PE devices in the VPN instance.

  • Action: Commit the configuration.
    Command: commit
    Description: -

Configure OSPF Between an MCE Device and a Site
Perform the following configurations on the MCE device. Configure OSPF in the site. The site configuration is not provided here.
NOTE:

For detailed OSPF configuration, see OSPF Configuration in the CX11x&CX31x&CX91x Series Switch Modules Configuration Guide - IP Routing.

Table 9-6 MCE configuration

  • Action: Enter the system view.
    Command: system-view
    Description: -

  • Action: Create an OSPF process running between the MCE device and the site and enter the OSPF view.
    Command: ospf [ process-id | router-id router-id ] * vpn-instance vpn-instance-name
    Description: -

  • Action: (Optional) Import the routes to the remote sites advertised by the PE device into the OSPF routing table.
    Command: import-route { bgp [ permit-ibgp ] | direct | rip [ process-id-rip ] | static | isis [ process-id-isis ] | ospf [ process-id-ospf ] } [ cost cost | route-policy route-policy-name | tag tag | type type ] *
    Description: Perform this step if another routing protocol is running between the MCE and PE devices in the VPN instance.

  • Action: Configure an OSPF area and enter the OSPF area view.
    Command: area { area-id | area-id-address }
    Description: -

  • Action: Enable OSPF on the network segment of the interface to which the VPN instance is bound.
    Command: network ip-address wildcard-mask
    Description: -

  • Action: Commit the configuration.
    Command: commit
    Description: -

Configure IS-IS Between an MCE Device and a Site
Perform the following configurations on the MCE device. You only need to configure IS-IS in the site. The site configuration is not provided here.
NOTE:

For detailed IS-IS configuration, see IS-IS Configuration in the CX11x&CX31x&CX91x Series Switch Modules Configuration Guide - IP Routing.

Table 9-7 MCE configuration

  • Action: Enter the system view.
    Command: system-view
    Description: -

  • Action: Create an IS-IS process running between the MCE device and the site and enter the IS-IS view.
    Command: isis process-id vpn-instance vpn-instance-name
    Description: An IS-IS process can be bound to only one VPN instance. If an IS-IS process is not bound to any VPN instance before it is started, this process becomes a public network process and can no longer be bound to a VPN instance.

  • Action: Set a network entity title (NET) for the IS-IS process.
    Command: network-entity net
    Description: A NET specifies the current IS-IS area address and the system ID of the switch module. A maximum of three NETs can be configured for one process on each switch module.

  • Action: Import the routes to the remote sites advertised by the PE device into the IS-IS routing table.
    Command: Use either of the following commands:
      • import-route { direct | static | { ospf | rip | isis } [ process-id ] | bgp } [ cost-type { external | internal } | cost cost | tag tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ] *
      • import-route { { ospf | rip | isis } [ process-id ] | bgp | direct } inherit-cost [ { level-1 | level-2 | level-1-2 } | tag tag | route-policy route-policy-name ] *
    Description: Perform this step if another routing protocol is running between the MCE and PE devices in the VPN instance.

  • Action: Return to system view.
    Command: quit
    Description: -

  • Action: Enter the view of the interface to which the VPN instance is bound.
    Command: interface interface-type interface-number
    Description: -

  • Action: Enable IS-IS on the interface.
    Command: isis enable [ process-id ]
    Description: -

  • Action: Commit the configuration.
    Command: commit
    Description: -

Configure BGP Between an MCE Device and a Site
Perform the following configurations on the MCE device.
Table 9-8 MCE configuration

  • Action: Enter the system view.
    Command: system-view
    Description: -

  • Action: Enter the BGP view.
    Command: bgp { as-number-plain | as-number-dot }
    Description: -

  • Action: Enter the BGP-VPN instance IPv4 address family view.
    Command: ipv4-family vpn-instance vpn-instance-name
    Description: -

  • Action: Configure the device connected to the MCE device in the site as a VPN peer.
    Command: peer ipv4-address as-number as-number
    Description: -

  • Action: Import the routes to the remote sites advertised by the PE device into the BGP routing table.
    Command: import-route protocol [ process-id ] [ med med | route-policy route-policy-name ] *
    Description: Perform this step if another routing protocol is running between the MCE and PE devices in the VPN instance.

  • Action: Allow routing loops.
    Command: peer ipv4-address allow-as-loop [ number ]
    Description: Generally, BGP uses the AS number to detect route loops. If BGP is running between the MCE device and the site, the MCE device advertises the routing information with the local AS number to the site. If the route update messages sent from the site contain the local AS number, the MCE device rejects the route update messages. To configure the MCE device to accept these route update messages, configure it to allow routing loops.

  • Action: Commit the configuration.
    Command: commit
    Description: -

Perform the following configurations on the device connected to the MCE device in the site.
Table 9-9 Site configuration

  • Action: Enter the system view.
    Command: system-view
    Description: -

  • Action: Enter the BGP view.
    Command: bgp { as-number-plain | as-number-dot }
    Description: -

  • Action: Configure the MCE device as a VPN peer.
    Command: peer ipv4-address as-number as-number
    Description: -

  • Action: Import IGP routes of the VPN into the BGP routing table.
    Command: import-route protocol [ process-id ] [ med med | route-policy route-policy-name ] *
    Description: The site must advertise routes to its attached VPN network segments to the MCE device.

  • Action: Commit the configuration.
    Command: commit
    Description: -

Configure Route Exchange Between an MCE Device and a PE Device

Context

Routing protocols that can be used between an MCE device and a PE device are static routing, RIP, OSPF, IS-IS, and BGP. Choose one of the following configurations as needed.

The following configurations are performed on the MCE device. The configurations on the PE device are similar. For details, see the user manual of the PE device.

Configure Static Routes Between an MCE Device and a PE Device

Perform the following configurations on the MCE device.

Table 9-10 MCE configuration

  • Action: Enter the system view.
    Command: system-view
    Description: -

  • Action: Configure a static route to the PE device.
    Command: ip route-static vpn-instance vpn-source-name destination-address { mask | mask-length } vpn-instance vpn-destination-name nexthop-address [ preference preference | tag tag ] *
    Description: You must specify the next hop address on the MCE device.

  • Action: Commit the configuration.
    Command: commit
    Description: -

Configure RIP Between an MCE Device and a PE Device
Perform the following configurations on the MCE device.
Table 9-11 MCE configuration

  • Action: Enter the system view.
    Command: system-view
    Description: -

  • Action: Create a RIP process running between the MCE and PE devices and enter the RIP view.
    Command: rip process-id vpn-instance vpn-instance-name
    Description: A RIP process can be bound to only one VPN instance. If a RIP process is not bound to any VPN instance before it is started, this process becomes a public network process and can no longer be bound to a VPN instance.

  • Action: Enable RIP on the network segment of the interface to which the VPN instance is bound.
    Command: network network-address
    Description: -

  • Action: (Optional) Import VPN routes of the site into the RIP routing table.
    Command: import-route protocol [ process-id ] [ cost { cost | transparent } | [ route-policy route-policy-name ] ] *
    Description: Perform this step if another routing protocol is running between the MCE device and VPN sites in the VPN instance.

  • Action: Commit the configuration.
    Command: commit
    Description: -

Configure OSPF Between an MCE Device and a PE Device

Perform the following configurations on the MCE device.

Table 9-12 MCE configuration

  • Action: Enter the system view.
    Command: system-view
    Description: -

  • Action: Create an OSPF process running between the MCE and PE devices and enter the OSPF view.
    Command: ospf [ process-id | router-id router-id ] * vpn-instance vpn-instance-name
    Description: -

  • Action: (Optional) Import VPN routes of the site into the OSPF routing table.
    Command: import-route { bgp [ permit-ibgp ] | direct | rip [ process-id-rip ] | static | isis [ process-id-isis ] | ospf [ process-id-ospf ] } [ cost cost | route-policy route-policy-name | tag tag | type type ] *
    Description: Perform this step if another routing protocol is running between the MCE device and VPN sites in the VPN instance.

  • Action: Disable routing loop detection in the OSPF process.
    Command: vpn-instance-capability simple
    Description: By default, routing loop detection is disabled in an OSPF process. If routing loop detection is not disabled in the OSPF process on the MCE device, the MCE device rejects OSPF routes sent from the PE device.

  • Action: Configure an OSPF area and enter the OSPF area view.
    Command: area { area-id | area-id-address }
    Description: -

  • Action: Enable OSPF on the network segment of the interface to which the VPN instance is bound.
    Command: network ip-address wildcard-mask
    Description: -

  • Action: Commit the configuration.
    Command: commit
    Description: -

Configure IS-IS Between an MCE Device and a PE Device

Perform the following configurations on the MCE device.

Table 9-13 MCE configuration

  • Action: Enter the system view.
    Command: system-view
    Description: -

  • Action: Create an IS-IS process running between the MCE and PE devices and enter the IS-IS view.
    Command: isis process-id vpn-instance vpn-instance-name
    Description: An IS-IS process can be bound to only one VPN instance. If an IS-IS process is not bound to any VPN instance before it is started, this process becomes a public network process and can no longer be bound to a VPN instance.

  • Action: Set a network entity title (NET) for the IS-IS process.
    Command: network-entity net
    Description: A NET specifies the current IS-IS area address and the system ID of the switch module. A maximum of three NETs can be configured for one process on each switch module.

  • Action: (Optional) Import VPN routes of the site into the IS-IS routing table.
    Command: Use either of the following commands:
      • import-route { direct | static | { ospf | rip | isis } [ process-id ] | bgp } [ cost-type { external | internal } | cost cost | tag tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ] *
      • import-route { { ospf | rip | isis } [ process-id ] | bgp | direct } inherit-cost [ { level-1 | level-2 | level-1-2 } | tag tag | route-policy route-policy-name ] *
    Description: Perform this step if another routing protocol is running between the MCE device and VPN sites in the VPN instance.

  • Action: Return to system view.
    Command: quit
    Description: -

  • Action: Enter the view of the interface to which the VPN instance is bound.
    Command: interface interface-type interface-number
    Description: -

  • Action: (Ethernet interface) Switch the Ethernet interface to Layer 3 mode.
    Command: undo portswitch
    Description: By default, an Ethernet interface works in Layer 2 mode. If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.
    NOTE: If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

  • Action: Enable IS-IS on the interface.
    Command: isis enable [ process-id ]
    Description: -

  • Action: Commit the configuration.
    Command: commit
    Description: -

Configure BGP Between an MCE Device and a PE Device
Perform the following configurations on the MCE device.
Table 9-14 MCE configuration

  • Action: Enter the system view.
    Command: system-view
    Description: -

  • Action: Enter the BGP view.
    Command: bgp { as-number-plain | as-number-dot }
    Description: -

  • Action: Enter the BGP-VPN instance IPv4 address family view.
    Command: ipv4-family vpn-instance vpn-instance-name
    Description: -

  • Action: Configure the PE device as the VPN peer of the MCE device.
    Command: peer ipv4-address as-number as-number
    Description: -

  • Action: Import the routes to the remote sites advertised by the PE device into the BGP routing table.
    Command: import-route protocol [ process-id ] [ med med | route-policy route-policy-name ] *
    Description: Perform this step if another routing protocol is running between the MCE device and VPN sites in the VPN instance.

  • Action: Commit the configuration.
    Command: commit
    Description: -

Checking the Configuration

Prerequisites

The MCE configuration is complete.

Procedure

  • Run the display ip vpn-instance vpn-instance-name command to check brief information about a specified VPN instance.
  • Run the display ip vpn-instance verbose vpn-instance-name command to check detailed information about a specified VPN instance.
  • Run the display ip vpn-instance import-vt ivt-value command to check information about all the VPN instances with import VPN targets.
  • Run the display ip vpn-instance [ vpn-instance-name ] interface command to check brief information about the interface to which a specified VPN instance is bound.
  • Run the display ip routing-table vpn-instance vpn-instance-name [ verbose ] command to check the routing table on the MCE device. The routing table contains routes to the LAN and remote sites for each service.
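
As an added example (not part of this guide and not a Huawei tool), the Python script below audits a configuration listing against the isolation caveats stated in the procedures above: a missing or shared RD, a Layer 3 interface left on the public network, a RIP or IS-IS process started without a VPN instance, a VPN instance name that differs only in case, and a PE-facing OSPF process without vpn-instance-capability simple. The listing layout, the interface names, addresses and RD values, and the pe_facing_ospf parameter are assumptions made for the example.

```python
import re

# Constructed listing (not device output): this page's commands, assumed layout and values.
SAMPLE_CONFIG = """\
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 100:1
ip vpn-instance vpn2
 ipv4-family
  route-distinguisher 100:1
interface 10GE1/0/1
 undo portswitch
 ip binding vpn-instance vpn1
 ip address 10.1.1.1 24
interface 10GE1/0/2
 undo portswitch
 ip binding vpn-instance VPN2
 ip address 10.2.1.1 24
ospf 100 vpn-instance vpn1
 area 0
  network 10.1.1.0 0.0.0.255
rip 2
 network 10.0.0.0
"""


def parse_blocks(text):
    """Return [(header, [child lines])] for each top-level view in the listing."""
    blocks = []
    for line in text.splitlines():
        if line.strip() in ("", "#"):
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit(text, pe_facing_ospf=()):
    """List isolation findings; pe_facing_ospf names the OSPF process IDs that face the PE."""
    blocks, findings, rds = parse_blocks(text), [], {}
    for header, body in blocks:
        if m := re.fullmatch(r"ip vpn-instance (\S+)", header):
            rd = [ln.split()[1] for ln in body if ln.startswith("route-distinguisher ")]
            rds.setdefault(rd[0] if rd else None, []).append(m.group(1))
    defined = {name for names in rds.values() for name in names}
    for rd, names in rds.items():
        if rd is None:  # the address family takes effect only once it has an RD
            findings += [f"{n}: no RD configured" for n in names]
        elif len(names) > 1:  # stated for a PE on this page; applied to the MCE here
            findings.append(f"RD {rd} shared by {', '.join(names)}")
    for header, body in blocks:
        kind, ref = header.split()[0], []
        if kind == "interface":
            ref = [ln.split()[-1] for ln in body if ln.startswith("ip binding vpn-instance ")]
            if not ref and any(ln.startswith("ip address ") for ln in body):
                findings.append(f"{header}: Layer 3 interface left on the public network")
        elif kind in ("rip", "isis", "ospf"):
            ref = re.findall(r" vpn-instance (\S+)", header)
            if not ref and kind != "ospf":  # unbound RIP/IS-IS becomes a public process
                findings.append(f"{header}: public network process, no VPN instance")
            pe = kind == "ospf" and any(p in pe_facing_ospf for p in header.split()[1:2])
            if pe and "vpn-instance-capability simple" not in body:
                findings.append(f"{header}: vpn-instance-capability simple missing")
        for name in ref:
            if name not in defined:  # names are case sensitive: vpn1 and VPN1 differ
                findings.append(f"{header}: VPN instance {name} is not defined")
    return findings
```

Calling audit(SAMPLE_CONFIG, pe_facing_ospf=("100",)) returns four findings for the constructed listing: the shared RD, the VPN2/vpn2 case mismatch, the missing vpn-instance-capability simple, and the unbound RIP process.
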
Updated: 2019-08-09

Document ID: EDOC1000041694
