Configuration Examples for NE and ME60 Routers in Typical Enterprise Scenarios 2.0

This document provides typical configuration examples for NE series routers.
Example for Configuring Financial WAN Interconnection

This section provides a typical case of configuring MPLS VPN to implement WAN interconnection for branches of an enterprise in a financial industry scenario.

Applicable Products and Versions

This configuration applies to NE40E/NE20E/NE5000E/CX6600 series products running V800R010C00 or later.

Networking Requirements

A bank deploys its data centers in the "three data centers in two cities" mode and has branches in multiple cities. As shown in the following figure, its WAN uses an access, aggregation, and backbone layer architecture with dual-node, dual-link networking to interconnect data centers and branches and to carry multiple services on one physical network. In addition, it uses MPLS VPN to logically isolate E2E services and the AC-WAN controller to implement fast service deployment and traffic optimization, facilitating comprehensive service expansion.


Basic Configurations

Log in to a device for the first time.

For details, see "Logging In to a Device for the First Time" in "Common Features".

Configure a device name and IP addresses of interfaces.

Configure a specific name for each device to identify a device after you log in to it. For example, name a device HUAWEI.

#
sysname HUAWEI
#

Configure an IP address for the management network interface of the device so that you can remotely log in to the device through this IP address. For example, assign 172.16.1.1/24 to GE0/0/0.

#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 172.16.1.1 255.255.255.0   //Configure an IP address for the management network interface.
#

Repeat the preceding step to configure an IP address for the service interface.

Configure a local time zone.

Perform the following operations on all devices to set the local time zone:

#
clock timezone BJ add 08:00:00   //Take Beijing, China as an example: name the local time zone BJ and add an offset of 8 hours, because Beijing is in UTC+8.
#

Configure the device to periodically save the configurations.

Perform the following operations on all devices:

#
set save-configuration
#

Configure remote login.

You can remotely log in to the device through Telnet or SSH. Telnet has security risks. SSH is recommended.

For details, see "Using STelnet (SSH) to Remotely Log In to a Device" in "Common Features".

Configure network management.

Parameter planning for network management:
• NMS scheme: In this example, a separate network management network is deployed in each data center to manage network devices in the data center or core backbone network in inband, outband, and hybrid modes. The NMS of a branch is deployed in its production equipment room and manages branch network devices in inband mode.
• Outband management scheme: Connect an Ethernet cable to the management interface of a router and configure a local VPN on the GigabitEthernet0/0/0 interface for isolation from other routes on the public network. Configure a default route in the VPN and set the next hop to the Layer 3 switch of the outband NMS.
• Connection to AAA servers: Connect a router to the active and standby AAA servers through the management interface using HWTACACS.
• Connection to syslog servers: Connect a router to the active and standby syslog servers through the management interface.

Configure NMS VPN on all devices that support outband NMS.

#
ip vpn-instance MGT        //Configure an NMS VPN instance.
 ipv4-family
  route-distinguisher 65530:65530   //Configure an RD.
#
interface GigabitEthernet0/0/0    //Access the management interface.
 speed auto
 duplex auto
 undo shutdown
 ip binding vpn-instance MGT      //Bind the NMS VPN to the interface.
 ip address 10.10.1.1 255.255.255.0   //Configure a management IP address.
#

Perform the following operations on all devices to configure SNMP:

#
acl name ACL_SNMP_A basic                      //Configure a basic ACL for the NMS in region A to allow only the NMS of a specified IP address to manage the device.
 description ACL_FOR_SNMP_A                  //Add a description.
 rule 10 permit vpn-instance MGT source 10.10.2.1 0    //Add an NMS address.
 ….      //Add other NMS addresses as required.
#
….       //Configure ACLs and corresponding NMS addresses for the NMSs in other cities as required.
#
snmp-agent             //Enable SNMP.
snmp-agent community read cipher *************** acl ACL_SNMP_A     //Set an SNMP read-only community name (entered in plaintext or ciphertext) and bind the ACL so that only the NMS addresses it permits can use the community.
….   //Set SNMP community names for other ACLs as required.
#
snmp-agent sys-info version v2c v3        //Enable SNMPv2c and SNMPv3. SNMPv2c community names travel in cleartext, so keep them bound to ACLs; SNMPv3 authenticates and encrypts.
snmp-agent community complexity-check disable       //Disable community name complexity check.
snmp-agent group v3 NMS_G privacy read-view iso notify-view iso   //Configure an SNMPv3 user group with the privacy security level (packets are authenticated and encrypted) and iso as both the read view and the notify view.
snmp-agent target-host host-name ACController trap address udp-domain 10.17.1.1 udp-port 1666 params securityname ACTrap_A v3 privacy  //Set the destination host for trap messages, sent as SNMPv3 user ACTrap_A with authentication and encryption.
#
snmp-agent mib-view included iso iso        //Configure a MIB view to include an iso view and an iso subnode.
snmp-agent mib-view included alliso iso      //Configure a MIB view to include an alliso view and an iso subnode.
snmp-agent usm-user v3 ACTrap_A         //Add a user to the SNMP group.
snmp-agent usm-user v3 ACTrap_A group NMS_G   //Specify the name of the group to which the user belongs.
snmp-agent usm-user v3 ACTrap_A authentication-mode sha cipher **********  //Set the authentication mode of the SNMP user to SHA and specify a key.
snmp-agent usm-user v3 ACTrap_A privacy-mode aes128 cipher *******    //Set the encryption algorithm for the SNMP user information to AES128 and configure a key.
#
snmp-agent trap source LoopBack0      //Specify a source address for sending trap messages.
#
snmp-agent trap enable   //Enable the router to send trap messages.
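
The SNMP block above leaves several choices to the operator (ACL binding, enabled versions, SNMPv3 security level). Added example, not from the Huawei document: a Python audit that reads VRP configuration text and reports the weak choices, run over a constructed weak sample modelled on the block and a hardened counterpart (the write community, the user NMS_B and the cipher placeholders are constructed).

```python
# Constructed sample modelled on the page's SNMP block, with a write community
# that has no ACL and a v3 user (NMS_B) that has authentication but no privacy.
WEAK_CONFIG = """\
snmp-agent
snmp-agent community read cipher ******** acl ACL_SNMP_A
snmp-agent community write cipher ********
snmp-agent sys-info version v2c v3
snmp-agent community complexity-check disable
snmp-agent group v3 NMS_G privacy read-view iso notify-view iso
snmp-agent mib-view included iso iso
snmp-agent usm-user v3 ACTrap_A
snmp-agent usm-user v3 ACTrap_A group NMS_G
snmp-agent usm-user v3 ACTrap_A authentication-mode sha cipher ********
snmp-agent usm-user v3 ACTrap_A privacy-mode aes128 cipher ********
snmp-agent usm-user v3 NMS_B
snmp-agent usm-user v3 NMS_B group NMS_G
snmp-agent usm-user v3 NMS_B authentication-mode sha cipher ********
snmp-agent trap source LoopBack0
snmp-agent trap enable
"""

# Constructed hardened counterpart: SNMPv3 only, no v2c communities at all,
# complexity check left enabled, NMS_B given a privacy-mode.
HARDENED_CONFIG = """\
snmp-agent
snmp-agent sys-info version v3
snmp-agent group v3 NMS_G privacy read-view iso notify-view iso
snmp-agent mib-view included iso iso
snmp-agent usm-user v3 ACTrap_A
snmp-agent usm-user v3 ACTrap_A group NMS_G
snmp-agent usm-user v3 ACTrap_A authentication-mode sha cipher ********
snmp-agent usm-user v3 ACTrap_A privacy-mode aes128 cipher ********
snmp-agent usm-user v3 NMS_B
snmp-agent usm-user v3 NMS_B group NMS_G
snmp-agent usm-user v3 NMS_B authentication-mode sha cipher ********
snmp-agent usm-user v3 NMS_B privacy-mode aes128 cipher ********
snmp-agent trap source LoopBack0
snmp-agent trap enable
"""


def audit_snmp(config_text):
    """Return a list of finding strings for the snmp-agent lines in config_text."""
    findings = []
    users = {}  # v3 user name -> set of configured modes
    for raw in config_text.splitlines():
        parts = raw.strip().split()
        if len(parts) < 3 or parts[0] != "snmp-agent":
            continue
        kind = parts[1]
        if kind == "community" and parts[2] in ("read", "write"):
            # snmp-agent community read|write [cipher] <name> [acl <acl>]
            if "acl" not in parts:
                findings.append(f"{parts[2]} community has no ACL restricting NMS source addresses")
        elif kind == "community" and parts[2:4] == ["complexity-check", "disable"]:
            findings.append("community name complexity check is disabled")
        elif kind == "sys-info" and parts[2] == "version":
            versions = set(parts[3:])
            if "all" in versions or versions & {"v1", "v2c"}:
                findings.append("SNMPv1/v2c enabled: community names travel in cleartext")
            if "v3" not in versions and "all" not in versions:
                findings.append("SNMPv3 is not enabled")
        elif kind == "group" and parts[2] == "v3" and len(parts) > 4:
            # snmp-agent group v3 <group> authentication|privacy|noauthentication ...
            if parts[4] != "privacy":
                findings.append(f"v3 group {parts[3]} uses {parts[4]} instead of privacy")
        elif kind == "usm-user" and parts[2] == "v3" and len(parts) > 3:
            modes = users.setdefault(parts[3], set())
            if len(parts) > 4 and parts[4] in ("authentication-mode", "privacy-mode"):
                modes.add(parts[4])
    # A user is only as strong as the weakest of its configured modes.
    for name, modes in users.items():
        if "authentication-mode" not in modes:
            findings.append(f"v3 user {name} has no authentication-mode")
        elif "privacy-mode" not in modes:
            findings.append(f"v3 user {name} has authentication but no privacy-mode")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_snmp(cfg) or ["no findings"])
```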

Perform the following operations on all devices to configure syslog:

#
info-center loghost source GigabitEthernet0/0/0       //Use GE0/0/0 as the source interface for sending logs.
info-center loghost 10.10.2.1 vpn-instance MGT level critical  //Specify the IP address of a syslog server and set the log level to critical. The server is in a VPN. Therefore, you need to specify a VPN instance.
#

Configure NTP.

Perform the following operations on all devices:

#
ntp-service source-interface GigabitEthernet0/0/0 vpn-instance MGT  //Specify a local interface for sending NTP messages. In this example, the interface belongs to an NMS VPN. Therefore, you need to specify the name of an NMS VPN instance.
ntp-service unicast-server 10.10.2.254 vpn-instance MGT  //Specify the IP address of an NTP server.
#

Configuring an IGP

Overall planning

Routes are categorized into the following types:

  • Network routes: generated based on devices' IP addresses, such as interworking interface addresses, loopback interface addresses used by protocols (IGP, BGP, or MPLS for example). Network routes are used to implement network connectivity.
  • Service routes: include terminal and service system routes. Service routes are used to implement service connectivity.

Network routes are usually carried by an IGP, which can be OSPF or IS-IS. In this example, OSPF is used as an IGP.

NOTE:

Do not import service routes into an IGP routing table.

Simplify network routes as much as possible by deploying only one IGP area or level within the WAN.

Procedure

  1. Perform basic OSPF configurations.

    Table 1-7  Planning of basic OSPF parameters
    • Protocol type: OSPF
    • Process ID: 1
    • Router ID: IP address of loopback 0
    • Area: Area 0 (considering the small number of devices on the WAN core backbone network)
    • Interface type: P2P. The default interface type of Ethernet interfaces is broadcast. Because only two devices on the same network segment in the backbone area run OSPF, you can change the network type of the involved interfaces to P2P.
    • Route advertisement: Routes to the IP addresses of interconnected interfaces and loopback 0

    Configurations on all WAN devices, including PEs, DC-Ps, RRs, and WAN-Ps, are as follows:

    #
    router id 10.80.3.2              // Configure a router ID.
    #
    ospf 1                        // Configure an OSPF process ID.
     bandwidth-reference 100000     // Configure the bandwidth reference value.
     area 0.0.0.0                  // Configure an OSPF area ID.
      network 10.1.1.1 0.0.0.0 description loopback 0   // Advertise the IP address of loopback 0.
      network 10.2.1.1 0.0.0.0 description Eth-trunk 0   // Advertise the IP address of Eth-Trunk 0.
      …..                        // Advertise the IP addresses of other interfaces as required.
    #
    interface Eth-Trunk0
     ospf network-type p2p    // Set the OSPF interface type to P2P.
    #
    
    NOTE:
    During configuration, set the type of all interfaces in the OSPF area to P2P. In this example, the configuration of Eth-Trunk 0 is used as an example.
  2. Configure OSPF costs.

    The core backbone network of the WAN uses dual-plane networking. During IGP deployment, properly plan route costs so that traffic of different services on the backbone network can be balanced on different planes. In this way, bandwidth can be fully utilized, service quality can be improved, and service reliability can be ensured. Recommendations for IGP cost deployment:
    • The costs of WAN links must be at least 10 times those of local links.
    • If two interfaces have the same network role, set a smaller cost for the interface with higher link bandwidth.
    • The interface cost follows the formula "Interface cost = Bandwidth reference value/Interface bandwidth". Choosing the reference value the other way round: for a 10GE interface (10000 Mbit/s) to get a cost of 10, the bandwidth reference value must be 10000 Mbit/s x 10 = 100000 Mbit/s, which is the bandwidth-reference value configured above.

    Table 1-8  OSPF cost planning (link: planning suggestion; cost in this example)
    • Local LAN link between DC-Ps at the same site: Set the cost of the local LAN link to a value smaller than those of WAN links to ensure that traffic is forwarded across planes preferentially from a P. Cost: 10
    • Local LAN link between DC-PEs at the same site: Set the cost of the local LAN link to a value smaller than those of WAN links to ensure that traffic is forwarded across planes preferentially from a P and then from a PE. Cost: 20
    • Local LAN link between a DC-PE and DC-P at the same site: Set the cost of the local LAN link to a value smaller than those of WAN links. Cost: 50
    • WAN link between DC-Ps in the same city: Ensure that traffic between data centers is transmitted across planes rather than through a detour to another data center. Cost: 100
    • WAN link between DC-Ps in different cities: Ensure that the cost of the WAN link is greater than that of each MAN or LAN link. Cost: 200
    • LAN link between a WAN-P and DC-P: On the WAN-P, set the cost of the local LAN link to a value smaller than that of the WAN link between the WAN-P and the access-layer PE. Cost: 100
    • WAN link between a WAN-P and a branch PE: On the WAN-P, set the cost of the WAN link to a value larger than that of the LAN link between the WAN-P and DC-P. Cost: 1000
    • Local LAN link between an RR and a DC-P: RRs reflect routes rather than forwarding traffic. Therefore, set the largest cost among all links for this link. Cost: 10000

    Configurations on all WAN devices, including PEs, DC-Ps, RRs, and WAN-Ps, are as follows:

    #
    interface Eth-Trunk0        // Enter the interface view.
     ospf cost 20              // Set the OSPF cost to 20.
    #
    
    NOTE:
    Set costs on all interfaces in the OSPF area as planned. In this example, the cost configuration of one interface is used as an example.
  3. (Optional) Adjust OSPF convergence parameters.

    If BFD for OSPF is not deployed on the live network, you need to adjust OSPF parameters based on the requirements of the WAN and leased line quality to ensure network reliability and speed up OSPF convergence.

    NOTE:
    If the live network consists of devices from different vendors, define unified OSPF fast convergence parameters on the basis of test verification: software and hardware features vary by vendor, and even the same function of a standard protocol can be interpreted and implemented differently.

    Adjust OSPF fast convergence parameters to meet the following objectives:

    • Implement second-level IGP convergence in the case of a single point of failure on a WAN device.
    • Keep network stability (without route flapping).
    • Keep a proper CPU load on the routers.
    • Prevent frequent network connection or route flapping caused by frequent LSA updates, and reduce network bandwidth and device resource consumption, by setting the interval at which LSAs are received (lsa-arrival-interval command) to be less than or equal to the interval at which LSAs are updated (lsa-originate-interval command).
    • Keep the parameters on the entire network to be consistent (except for different implementation mechanisms or parameter value ranges).
    Table 1-9  Planning of OSPF convergence parameters (parameter: default value; value in this example)
    • Interval at which Hello packets are sent: default 10s; in this example 3s
    • Dead interval of an OSPF neighbor: default 40s; in this example the default value
    • Interval at which LSAs are retransmitted: default 5s; in this example 2s
    • Interval at which LSAs are received: default max-interval 1000 ms, start-interval 500 ms, hold-interval 500 ms; in this example the default values
    • Interval at which LSAs are updated: default max-interval 5000 ms, start-interval 500 ms, hold-interval 1000 ms; in this example the default values
    • Interval at which OSPF routes are calculated: default max-interval 5000 ms, start-interval 500 ms, hold-interval 1000 ms; in this example max-interval 10000 ms, start-interval 500 ms, hold-interval 1000 ms
    NOTE:
    The values used in this example are for your reference.

    Configurations on all WAN devices, including PEs, DC-Ps, RRs, and WAN-Ps, are as follows:

    #
    ospf 1              // Configure an OSPF process ID.
     spf-schedule-interval intelligent-timer 10000 500 1000    // Configure the interval at which OSPF routes are calculated.
    #
    interface Eth-Trunk0
     ospf timer hello 3        // Configure the interval at which Hello packets are sent.
     ospf timer retransmit 2    // Configure the interval at which LSAs are retransmitted.
    #
    interface Eth-Trunk1
     ospf timer hello 3
     ospf timer retransmit 2
    #
    
    NOTE:
    Set OSPF convergence parameters on all interfaces in the OSPF area as planned.
  4. Configure OSPF security.

    On a network that requires high security, you are advised to configure OSPF authentication. By default, no authentication mode or password is configured for an OSPF area.

    Table 1-10  Planning of OSPF security parameters
    • Authentication type: Area authentication
    • Authentication mode: MD5
    • Ciphertext password type: cipher

    Configurations on all WAN devices, including PEs, DC-Ps, RRs, and WAN-Ps, are as follows:

    #
    ospf 1
     area 0.0.0.0              // Configure security authentication in the OSPF area view.
      authentication-mode md5 1 cipher *****************************   // Configure OSPF MD5 authentication. The configuration file is displayed in ciphertext.
    #
    

Configuring BGP

Overall planning

Because MPLS VPN carries the various services, MP-IBGP is used to exchange VPN routes between PEs, and static routes, IGP multi-instance, or EBGP is used between PEs and CEs. In this example, EBGP is used between PEs and CEs. BGP's policy control capability allows VPN routes to be transmitted between ASs under fine-grained access control.

The core backbone network, data center network, service center network, and branches are divided into independent ASs and use private AS numbers. Loopback 0 addresses are used to establish IBGP peer relationships, whereas IP addresses of directly connected interfaces are used to establish EBGP peer relationships.

Procedure

  1. Configure BGP RRs.

    In this example, four routers are deployed on the core backbone network as RRs to back up each other. The RRs provide BGP and VPNv4 route reflection functions for aggregation and access devices. The PEs of the data centers and branches function as RR clients, and no IBGP peer relationships are established between RRs.

    Table 1-11  Planning of basic BGP parameters
    • Cluster ID: AS number of the backbone core layer. The four RRs share the same cluster ID.
    • RR priority: The lower the loopback IP address of an RR, the higher the priority of the RR.
    • Peer group names: GROUP_IBGP and GROUP_EBGP. Configure the peer group names as required.
    • Keepalive time of the peer or peer group: 10s. Set the value based on the WAN link quality. Reducing the value speeds up link fault detection.
    • Hold time of the peer or peer group: 30s. Set the value based on the WAN link quality. Reducing the value speeds up link fault detection.
    • Exchange of public-network IPv4 unicast routes: Disabled, because MPLS VPN is used to carry the various types of services.
    NOTE:
    You are advised to use the default values of the BGP timers. You can also plan the timers based on the leased line quality. The values used in this example are for your reference.

    Configurations on an RR:

    #
    bgp 64512
     undo default ipv4-unicast                // Disable exchanges of public-network IPv4 unicast routes.
     group GROUP_IBGP internal            // Create an IBGP peer group.
     peer GROUP_IBGP connect-interface LoopBack0  // Loopback 0's address is used to establish an IBGP peer relationship.
     peer 10.1.3.2 as-number 64512           // Establish an IBGP peer relationship with the peer at 10.1.3.2 (loopback address of a PE).
     peer 10.1.3.2 group GROUP_IBGP        // Add the peer at 10.1.3.2 to the peer group.
     peer 10.1.3.2 description TO_PE01-A      // Configure a description for the peer 10.1.3.2.
     peer 10.1.3.2 timer keepalive 10 hold 30    // Adjust the timers to speed up fault detection.
     …// Add other PEs to the peer group as required. 
     #
     ipv4-family unicast                    // Enter the IPv4 unicast address family view.
      undo synchronization
      undo peer GROUP_IBGP enable        // Disable exchanges of public-network IPv4 unicast routes.
     #
     ipv4-family vpnv4
      reflector cluster-id 64512              // Set the cluster ID for the RRs.
      undo policy vpn-target                // Receive all VPN routes and cancel VPN target filtering for VPNv4 routes.
      peer GROUP_IBGP enable             // Enable the peer group to exchange VPNv4 routing information.
      peer GROUP_IBGP reflect-client        // Enable route reflection for the peer group.
      peer GROUP_IBGP advertise-community  // Enable the community attribute to be advertised to peers.
    #
    

    Configurations on a PE:

    #
    bgp 64512                            // Set the AS number to 64512.
     undo default ipv4-unicast               // Disable all peers from exchanging IPv4 unicast routes.
     group GROUP_IBGP internal           // Configure an IBGP peer group.
     peer GROUP_IBGP connect-interface LoopBack0  // Use loopback 0 to establish a BGP session with the RR.
     peer 10.1.3.5 as-number 64512          // Establish an IBGP peer relationship with the RR (10.1.3.5).
     peer 10.1.3.5 group GROUP_IBGP       // Add the peer to the peer group GROUP_IBGP.
     peer 10.1.3.5 description TO_RR01-A     // Configure a description for the peer.
     peer 10.1.3.5 timer keepalive 10 hold 30   // Adjust the timers to speed up fault detection.
     ….  // Perform configurations related to other RRs as required.
     #
     ipv4-family vpnv4
      policy vpn-target
      peer GROUP_IBGP enable              // Enable the device to exchange VPNv4 routing information with the BGP peer group.
      peer GROUP_IBGP advertise-community  // Enable the community attribute to be advertised to peers.
    #
    
  2. Configure BGP attributes.

    Table 1-12  Planning of BGP attributes
    • Community: The community attribute determines through which plane IBGP advertises routes. You can set different community values for different network planes, geographical locations, routing protocol sources, and service types based on route distribution.
    • Local Preference: When a data-center PE receives routes from IBGP peers, a route-policy can set the Local Preference of the routes. For example, routes received from the same plane get a Local Preference of 200, and routes received from a different plane get a smaller value, such as 100. The larger the Local Preference, the higher the priority. When BGP routes are advertised between the two dual-homed CEs of a branch, the Local Preference attribute needs to be advertised; when learning BGP routes from PEs, the CEs modify the Local Preference attribute.

    Configure route-policies on PEs and CEs and apply the route-policies to received BGP routes. The following example uses the configuration on a PE:

    #
    route-policy EBGP_CE_TO_PE permit node 10
     if-match ip-prefix EBGP_CE_TO_PE
     apply community 100:1 additive
    #
    ip community-filter basic ADD_LOCALPREF1 index 10 permit 100:1    // Configure a basic community filter named ADD_LOCALPREF1 to match the route with the attribute value of 100:1.
    ip community-filter basic ADD_LOCALPREF2 index 10 permit 100:2    // Configure a basic community filter named ADD_LOCALPREF2 to match the route with the attribute value of 100:2.
    #
    route-policy ADD_LOCAL_PREFERENCE permit node 10           // Configure a route-policy.
     if-match community-filter ADD_LOCALPREF1          // Match routes carrying community 100:1 (the filter defined above).
     apply local-preference 200            // Apply the Local Preference to the routes matching the configured rule.
    #
    route-policy ADD_LOCAL_PREFERENCE permit node 20
     if-match community-filter ADD_LOCALPREF2          // Match routes carrying community 100:2.
     apply local-preference 100
    #
    bgp 64512
     ipv4-family vpnv4
      peer 10.1.3.5 route-policy ADD_LOCAL_PREFERENCE import  // Apply the route-policy to the routes received from the RR (10.1.3.5).
      …// Add configurations to apply a route-policy to RRs.
    #
    
  3. Configure BGP security.

    Table 1-13  Planning of BGP security parameters
    • Authentication type: MD5
    • Password: -
    • Ciphertext password type: cipher

    Perform the following configurations on PEs and RRs:

    #
    bgp 64512
     peer GROUP_IBGP password cipher *****************************
    #
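
The route-policies, community filters, prefix lists and tunnel policies configured in this section refer to each other by name, and a typo leaves a policy node that never matches what the design intends. Added example, not from the Huawei document: a Python linter that cross-checks definitions against references in VRP configuration text, run over a constructed sample modelled on step 2 in which the community filters are referenced under a different name than they are defined (the VPNA tunnel policy, the CE peer 10.20.1.2 and AS 65001 are constructed).

```python
import re

# Definitions: kind -> regex capturing the defined object's name (lines are stripped first).
DEF_PATTERNS = {
    "route-policy": re.compile(r"^route-policy (\S+) (?:permit|deny) node \d+"),
    "community-filter": re.compile(r"^ip community-filter (?:basic|advanced) (\S+) "),
    "ip-prefix": re.compile(r"^ip ip-prefix (\S+) "),
    "tunnel-policy": re.compile(r"^tunnel-policy (\S+)"),
}
# References: kind -> regex capturing the name another command points at.
REF_PATTERNS = {
    "route-policy": re.compile(r"\broute-policy (\S+) (?:import|export)\b"),
    "community-filter": re.compile(r"^if-match community-filter (\S+)"),
    "ip-prefix": re.compile(r"^if-match ip-prefix (\S+)"),
    "tunnel-policy": re.compile(r"^tnl-policy (\S+)"),
}

# Constructed sample: filters defined as ADD_LOCALPREF1/2 but matched as
# ADD_LOCAL_PREFERENCE1/2, so the Local Preference nodes never apply.
SAMPLE_CONFIG = """\
ip ip-prefix EBGP_CE_TO_PE index 10 permit 10.20.0.0 16
#
route-policy EBGP_CE_TO_PE permit node 10
 if-match ip-prefix EBGP_CE_TO_PE
 apply community 100:1 additive
#
ip community-filter basic ADD_LOCALPREF1 index 10 permit 100:1
ip community-filter basic ADD_LOCALPREF2 index 10 permit 100:2
#
route-policy ADD_LOCAL_PREFERENCE permit node 10
 if-match community-filter ADD_LOCAL_PREFERENCE1
 apply local-preference 200
#
route-policy ADD_LOCAL_PREFERENCE permit node 20
 if-match community-filter ADD_LOCAL_PREFERENCE2
 apply local-preference 100
#
tunnel-policy L3VPN-Tunnel-Policy
 tunnel select-seq cr-lsp lsp load-balance-number 2
#
ip vpn-instance VPNA
 ipv4-family
  route-distinguisher 64512:1
  tnl-policy L3VPN-Tunnel-Policy
#
bgp 64512
 ipv4-family vpnv4
  peer 10.1.3.5 route-policy ADD_LOCAL_PREFERENCE import
 #
 ipv4-family vpn-instance VPNA
  peer 10.20.1.2 as-number 65001
  peer 10.20.1.2 route-policy EBGP_CE_TO_PE import
#
"""

# The same sample with the filter names made consistent.
FIXED_CONFIG = (SAMPLE_CONFIG
                .replace("ADD_LOCAL_PREFERENCE1", "ADD_LOCALPREF1")
                .replace("ADD_LOCAL_PREFERENCE2", "ADD_LOCALPREF2"))


def lint_references(config_text):
    """Return dangling references and unreferenced definitions.

    Result: {"undefined": [(kind, name, line_no), ...],
             "unused":    [(kind, name), ...]}
    """
    defined = {kind: {} for kind in DEF_PATTERNS}      # kind -> name -> first line
    referenced = {kind: [] for kind in REF_PATTERNS}   # kind -> [(name, line)]
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        for kind, pattern in DEF_PATTERNS.items():
            match = pattern.match(line)
            if match:
                defined[kind].setdefault(match.group(1), line_no)
        for kind, pattern in REF_PATTERNS.items():
            match = pattern.search(line)
            if match:
                referenced[kind].append((match.group(1), line_no))
    undefined = [(kind, name, line_no)
                 for kind in REF_PATTERNS
                 for name, line_no in referenced[kind]
                 if name not in defined[kind]]
    used = {(kind, name) for kind in REF_PATTERNS for name, _ in referenced[kind]}
    unused = [(kind, name)
              for kind in DEF_PATTERNS
              for name in sorted(defined[kind])
              if (kind, name) not in used]
    return {"undefined": undefined, "unused": unused}


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint_references(cfg))
```

An undefined name next to an unused one of the same kind is the signature of a typo; the fixed sample produces no findings.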
    

Configuring MPLS

Overall planning

MPLS LDP tunnels are deployed on the entire network. Full-meshed LDP LSPs are automatically established between all routers on a backbone network. A TE group is deployed between PEs in each data center. TE tunnels are delegated to the controller through PCEP for traffic optimization. Hot standby is deployed on each TE tunnel to improve reliability.

Traffic between branch networks and data centers and between branches is carried over LDP tunnels. Traffic between data centers is also carried over LDP tunnels if all TE links are faulty. Traffic carried over LDP LSPs cannot be optimized by the controller, so TE tunnels are deployed between Ps that are directly connected through WAN links and LDP remote peers are also deployed, implementing LDP over TE.

Procedure

  1. Configure MPLS LDP.

    Table 1-14  LDP parameter planning
    • MPLS LSR ID: The LSR ID of each device must be unique. The loopback 0 address of each device is used as its LSR ID.
    • Policy for establishing LDP LSPs: Host, which prevents unwanted LSPs from being generated
    • Scope of devices on which LDP LSPs are established: All PEs and Ps
    • Hello Send timer: In this example, the planned value is 5s. The default value is 15s.
    • Hello Hold timer: Default values used: 15s for the link Hello Hold timer and 45s for the target Hello Hold timer
    • Keepalive Send timer: In this example, the planned value is 10s. The default value is 15s.
    • Keepalive Hold timer: In this example, the planned value is 30s. The default value is 45s.
    • LDP reliability: Enable LDP-OSPF synchronization. LDP FRR is disabled, and LDP path adjustment is triggered by IGP convergence. Because traffic between data centers is carried over TE tunnels, LDP FRR is not required, and if there is no backup WAN link between a branch and a data center or between branches, LDP FRR does not work as expected.

    NOTE:
    You are advised to use the default values for LDP timers. You can also plan the parameters based on the actual situation of the WAN and the quality of leased line services of a carrier. In this example, the planned values are for reference only.

    Perform the following steps on each WAN device (PEs, DC-P, and WAN-P, excluding RRs):

    #
    mpls lsr-id 10.1.2.3               //Set an MPLS LSR ID.
    #
    mpls                          //Enable MPLS globally.
    #
    mpls ldp                       //Enable MPLS LDP globally.
    #
    interface Eth-Trunk0             //Enter the interface view.
     mpls                          //Enable MPLS on the interface.
     mpls ldp                       //Enable MPLS LDP on the interface.
     mpls ldp timer hello-send 5       //Adjust the interval at which MPLS LDP Hello messages are sent.
     mpls ldp timer keepalive-hold 30   //Set the MPLS LDP Keepalive Hold timer.
     mpls ldp timer keepalive-send 10   //Set the MPLS LDP Keepalive Send timer.
    
    NOTE:
    In actual applications, enable MPLS LDP and adjust parameters on all interfaces in an MPLS domain. The configuration of each interface is the same as that of Eth-Trunk0.
  2. Configure MPLS TE.

    Table 1-15  TE tunnel planning
    • Tunnel name: Format VpnType-ServiceType-Source-Destination-n, for example L3-Key-PE1-PE4-01
    • Administrative status: Up (default)
    • Source node: Select the source node.
    • Destination node: Select the destination node.
    • Bandwidth constraint: 0
    • Priority: Set this parameter based on the tunnel design. For details, see the tunnel design in this section.
    • User label: Not set (default value)
    • Hot standby: Enable
    • Best-effort path: The best-effort path is enabled for L2VPN, not for tunnels.
    • Explicit path: Set this parameter as required.
    • Signaling type: RSVP-TE
    • Control mode: Delegate
    • Southbound protocol: NETCONF
    • MTU: 1500 bytes
    • Bandwidth mode: Dynamic-bandwidth
    • Switchback: ON
    • Switchback time (s): 10
    • Including attribute of affinities: "Include any 0x1" for the primary tunnel (the tunnel with the highest priority in the range of 1 to 4); not set for backup tunnels
    • Excluding attribute of affinities: Not set
    • Tunnel delay (s): 0
    • Hop limit: 32
    • Service class: See Table 1-16 TE priority planning.
    • Rate limit: OFF
    • Binding recursion: OFF for the tunnel to which L3VPN traffic recurses; ON for the tunnel to which L2VPN traffic recurses
    • Traffic statistics collection: ON
    Table 1-16  TE priority planning (packet priority: service type; tunnel priority)
    • CS7: Reserved for a protocol; tunnel priority 1
    • CS6: Reserved for a protocol; tunnel priority 1
    • EF: Key and external connection services; tunnel priority 1
    • AF4: Voice and video; tunnel priority 2
    • AF3: Interaction; tunnel priority 3
    • AF2: Batch, test; tunnel priority 4
    • AF1: OA; tunnel priority 5
    • BE: Default; tunnel priority 6
    NOTE:
    In this example, the tunnel management (including creation, modification, and deletion) is performed by the SDN controller (the shortcut configuration is modified on the router). The following commands are for reference only.
    #
    mpls
     mpls te             //Enable MPLS TE globally. 
     mpls te pce delegate   //Configure the active stateful PCE algorithm used to compute paths for TE tunnels.
     mpls rsvp-te         //Enable RSVP-TE globally.
     mpls rsvp-te hello    //Enable the Hello mechanism globally.
     mpls rsvp-te srefresh  //Configure Srefresh.
     mpls te cspf         //Enable CSPF.
    #
    interface Eth-Trunk0
     mpls
     mpls te              //Enable MPLS TE on the interface.
     mpls te link administrative group 1   //Configure an administrative group attribute for the interface.
     mpls te bandwidth max-reservable-bandwidth dynamic 75  //Set the dynamic maximum reservable bandwidth of the link.
     mpls te bandwidth dynamic bc0 100  //Set the BC0 dynamic bandwidth of the link.
     mpls rsvp-te         //Enable RSVP-TE on the interface.
     mpls rsvp-te hello    //Enable the Hello mechanism on the interface.
    #
    …                //The configurations of the other interfaces are similar to the configuration of Eth-Trunk0. The configuration details are not provided.
    #
    interface Tunnel1          //Create a TE tunnel interface.
     ip address unnumbered interface LoopBack0   //Assign an IP address to a TE tunnel interface.
     tunnel-protocol mpls te    //Enable MPLS TE as a tunneling protocol.
     destination 10.1.2.3       //Set a tunnel destination address that is the LSR ID of the egress.
     mpls te record-route label  //Record the route and the labels so that, during maintenance, you can view the label that each node on the path assigns to the tunnel.
     mpls te priority 6        //Set the setup and holding priorities for the MPLS TE tunnel.
     mpls te backup hot-standby dynamic-bandwidth  //Enable TE hot standby and dynamic bandwidth adjustment for an HSB CR-LSP.
     mpls te backup hot-standby overlap-path   //Configure the function so that a hot-standby CR-LSP can be established over a path that only contains some links of a primary CR-LSP. The hot-standby and primary CR-LSPs cannot fully overlap.
     statistic enable                  //Enable traffic statistics collection.
     mpls te affinity property 1 mask 1  //Set an affinity.
     mpls te tunnel-id 1              //Set a tunnel ID.
     mpls te pce delegate            //Enable the device to delegate the tunnel to the PCE server for path computation.
     mpls te service-class ef cs6 cs7   //Set service classes for packets that can pass through the MPLS TE tunnel.
    #
    …                          //The configurations of the other TE tunnel interfaces are similar to the configuration of Tunnel1. The configuration details are not provided.
    #
    

    For tunnels on DC-P nodes that need to participate in path computation, enable the TE IGP shortcut function on each tunnel interface.

    NOTE:
    As of this document's release, the TE IGP shortcut function must be configured manually on the forwarders in all versions.
    #
    interface Tunnel1                  //Enable the TE tunnel interface view.
      mpls te igp shortcut              //Enable the TE IGP shortcut function.
      mpls te igp metric absolute 190     //Set a metric for the TE tunnel.
    #
    

Configuring MPLS VPNs

Overall Planning

In this case, an L3VPN or L2VPN can be used to carry multiple services, such as production services, network test services, interconnection services of subsidiaries, interconnection services of delegation organizations, DC disaster recovery services, and external connection services. You are advised to select a bearer mode based on the following principles.
Service Type                                            VPN Type
Production service                                      L3VPN
Network test service                                    L3VPN
Subsidiary interconnection service                      L3VPN
Delegation organization interconnection service         L3VPN
DC disaster recovery service                            L2VPN
Access service for branches outside a specific country  L2VPN
External connection service                             L2VPN

Procedure

  1. Configure an MPLS L3VPN.

    Table 1-17  L3VPN parameter planning
    Parameter                               Planned Value in This Example
    VPN instance name                       VPNA
    Route distinguisher                     As-number:n (example: 64512:1)
    VPN target                              As-number:n (example: 64512:01)
    Tunnel selection policy                 TE tunnels take precedence over LDP LSPs for load balancing.
    Label allocation mode                   One label per instance
    TTL mode                                Uniform
    Routing protocol between PEs and CEs    Static route, IGP multi-instance, or EBGP can be used. In this example, EBGP is used between PEs and CEs.
    MPLS DiffServ mode                      Default mode used: Uniform

    Configuration on each PE

    #
    ip vpn-instance VPNA                     //Create a VPN instance named VPNA.
     description VPNA                       //Configure a description.
     ipv4-family
      route-distinguisher 64512:1               //Set an RD.
      tnl-policy L3VPN-Tunnel-Policy                        //Configure a tunnel policy.
      apply-label per-instance                  //Set the label allocation mode to "a label per instance".
      vpn-target 64512:01 export-extcommunity   //Configure the export VPN target.
      vpn-target 64512:01 import-extcommunity   //Configure the import VPN target.
      ttl-mode uniform                        //Set an MPLS TTL mode.
    #
    interface Eth-Trunk2
     ip binding vpn-instance VPNA             //Bind the interface to the VPN instance.
     ip address 10.3.1.1 255.255.255.252        //Assign an IP address to the interface.
    #
    bgp 64512
     ipv4-family vpn-instance VPNA
      import-route direct med 0                //Import the local CE's direct route into the VPN routing table and keep the minimum MED (0). If all other attributes are equal, the direct route is preferred. If this command is not run, the PE does not advertise the direct route to the remote PE through MP-BGP.
      auto-frr
      peer 10.3.1.2 as-number 65001
      peer 10.3.1.2 route-policy EBGP_CE_TO_PE import
    #
    tunnel-policy L3VPN-Tunnel-Policy                     //Configure a tunnel policy.
     tunnel select-seq cr-lsp lsp load-balance-number 10 unmix     //Configure the device to prefer a TE LSP to an LDP LSP. A maximum of 10 LSPs can be established to balance traffic.
    #
    

    Configuration on each CE

    #
    bgp 65001
     peer 10.3.1.1 as-number 64512          //The PE (10.3.1.1) belongs to AS 64512, so the CE-PE session is EBGP.
     #
     ipv4-family unicast
      undo synchronization
      peer 10.3.1.1 enable                  //Enable the PE peer in the IPv4 unicast address family.
      import-route direct
      ...                                   //This command enables the CE to advertise its VPN network segment address to the PE and to the remote CE. The type of route to be imported in this step depends on the real-world networking.
    #
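    The RD in Table 1-17 is written 64512:1 while the VPN target is written 64512:01; both are the same 2-byte-AS-specific value on the wire, and VPN isolation between instances depends only on whether the exported and imported route targets match. The following Python script is an added example that is not part of the Huawei document: it encodes and decodes RDs (RFC 4364) and route-target extended communities (RFC 4360) from scratch and checks whether a remote PE's exported RTs would be accepted by a local VPN instance. Function names (encode_rd, encode_rt, routes_accepted) are this example's own.

```python
"""Encode and decode MPLS L3VPN route distinguishers (RDs) and route targets (RTs).

Added example; not part of the original Huawei configuration. It implements the
wire formats of RFC 4364 (RD) and RFC 4360 (extended communities) directly.
"""
import struct


def encode_rd(text: str) -> bytes:
    """Return the 8-byte RD for 'ASN:n' (type 0), 'A.B.C.D:n' (type 1) or 4-byte 'ASN:n' (type 2)."""
    admin, assigned = text.rsplit(":", 1)
    number = int(assigned, 10)          # "01" and "1" are the same assigned number
    if "." in admin:                    # type 1: 4-octet IPv4 administrator, 2-octet number
        return struct.pack("!H4sH", 1, bytes(int(o) for o in admin.split(".")), number)
    asn = int(admin, 10)
    if asn <= 0xFFFF:                   # type 0: 2-octet AS, 4-octet number
        return struct.pack("!HHI", 0, asn, number)
    return struct.pack("!HIH", 2, asn, number)   # type 2: 4-octet AS, 2-octet number


def decode_rd(raw: bytes) -> str:
    """Inverse of encode_rd; returns the canonical form without leading zeros."""
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == 0:
        asn, number = struct.unpack("!HI", raw[2:])
        return f"{asn}:{number}"
    if rd_type == 1:
        ip, number = struct.unpack("!4sH", raw[2:])
        return ".".join(str(b) for b in ip) + f":{number}"
    if rd_type == 2:
        asn, number = struct.unpack("!IH", raw[2:])
        return f"{asn}:{number}"
    raise ValueError(f"unknown RD type {rd_type}")


def encode_rt(text: str) -> bytes:
    """Route-target extended community: same value as the RD, with the 2-byte RD type
    replaced by type 0x00/0x01/0x02 and sub-type 0x02 (route target)."""
    rd = encode_rd(text)
    return bytes([rd[1], 0x02]) + rd[2:]


def decode_rt(raw: bytes) -> str:
    if raw[1] != 0x02:
        raise ValueError("not a route-target extended community")
    return decode_rd(bytes([0, raw[0]]) + raw[2:])


def routes_accepted(remote_export_rts, local_import_rts) -> bool:
    """A VPNv4 route enters a local VPN instance only if at least one RT exported by
    the remote PE equals one RT imported locally. Comparison is on the encoded
    value, so spelling differences such as 64512:01 vs 64512:1 do not matter."""
    exported = {encode_rt(rt) for rt in remote_export_rts}
    imported = {encode_rt(rt) for rt in local_import_rts}
    return not exported.isdisjoint(imported)


if __name__ == "__main__":
    # Values from Table 1-17: RD 64512:1, import/export RT 64512:01
    print(encode_rd("64512:1").hex(), decode_rt(encode_rt("64512:01")))
    print(routes_accepted(["64512:01"], ["64512:1"]))   # True: same community
    print(routes_accepted(["64512:2"], ["64512:1"]))    # False: the two VPNs stay isolated
```

    The last call is the check worth automating across PEs: an RT typed into one PE's import list that does not match any remote export RT silently drops routes, and an RT that unintentionally matches another instance's export RT leaks routes between VPNs.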
    
  2. Configure an MPLS L2VPN.

    Table 1-18  L2VPN parameter planning
    Parameter Planned Value
    L2VPN type VLL
    VC label distribution protocol MPLS LDP
    Tunnel selection policy TE tunnel binding
    VC ID A specific ID is planned for each VC.
    MPLS DiffServ mode Default mode used: Uniform

    Perform the following steps on each PE.

    #
    mpls l2vpn                    //Enable MPLS L2VPN globally.
    #
    mpls ldp remote-peer 10.1.2.2     //Configure a remote LDP peer.
     remote-ip 10.1.2.2             //Specify the IP address of the remote peer that is the LSR ID of the remote PE.
    #
    interface GigabitEthernet1/0/0
     description to_PE2_G1/0/0
     mpls l2vc 10.1.2.2 1000 tunnel-policy L2VPN_PE1_TO_PE2   //Create a VC.
    #
    tunnel-policy L2VPN_PE1_TO_PE2
     tunnel binding destination 10.1.2.2 te Tunnel1 Tunnel2        //Configure a TE tunnel binding. The destination must be the remote PE's LSR ID specified in the mpls l2vc command (10.1.2.2); otherwise, the binding does not apply to the VC.
    #
    
    NOTE:
    The configuration of the PE2-to-PE1 VC is similar to that of the PE1-to-PE2 VC. The configuration details are not provided.

Configuring Reliability

Overall Planning

Table 1-19  Reliability planning
Category             Reliability Planning
Routing protocol     Enable BFD for OSPF for all WAN transmission links. Enable BFD for BGP between the RR and each branch PE.
Tunnel reliability   Configure TE hot-standby to work with BFD for TE-LSP and BFD for tunnel technologies.
L3VPN                Configure VPN FRR to work with BFD for IP to implement rapid protection switching.
Table 1-20  BFD parameter planning
Parameter                  Planned Value
BFD for OSPF               min-tx-interval: 50 ms (default: 1000 ms); min-rx-interval: 50 ms (default: 1000 ms); detect-multiplier: 3
BFD for TE LSP             min-tx-interval: 50 ms (default: 10 ms); min-rx-interval: 50 ms (default: 10 ms); detect-multiplier: 3
BFD for TE                 min-tx-interval: 100 ms (default: 10 ms); min-rx-interval: 100 ms (default: 10 ms); detect-multiplier: 3
BFD for IP (for VPN FRR)   min-tx-interval: 100 ms (default: 10 ms); min-rx-interval: 100 ms (default: 10 ms); detect-multiplier: 3
BFD for BGP                min-tx-interval: 200 ms (default: 10 ms); min-rx-interval: 200 ms (default: 10 ms); detect-multiplier: 3
NOTE:
The preceding BFD parameters must be properly planned based on the actual WAN line quality. The planned values provided in this example are for reference only.
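The timers in Table 1-20 are staggered so that a link or LSP fault is detected (and repaired by TE hot standby) before the tunnel, VPN FRR and finally BGP sessions notice it. The following Python script is an added example, not part of the Huawei document: it computes the RFC 5880 asynchronous-mode detection time from each side's timers, including the case where the two ends are configured asymmetrically, and checks that the planned values keep that innermost-first order. The function and constant names (detection_time, PLANNED, hierarchy_ok) are this example's own.

```python
"""Compute BFD detection times from the planned timers (RFC 5880 asynchronous mode).

Added example; not Huawei code. PLANNED holds the values from Table 1-20. The
hierarchy check encodes the usual design rule that a lower-layer session (link,
LSP) should detect a fault before a higher-layer one (tunnel, VPN FRR, BGP), so
that only the innermost protection mechanism has to act.
"""


def tx_interval(local_min_tx: int, remote_min_rx: int) -> int:
    """The interval a system actually transmits at is the larger of its own
    Desired Min TX and the peer's Required Min RX (RFC 5880 section 6.8.7)."""
    return max(local_min_tx, remote_min_rx)


def detection_time(local_min_rx: int, remote_min_tx: int, remote_mult: int) -> int:
    """Milliseconds after which the local system declares the session down:
    the peer's Detect Mult times the interval the peer transmits at."""
    return remote_mult * tx_interval(remote_min_tx, local_min_rx)


# Sessions as planned in Table 1-20, both ends identical: (min-tx, min-rx, multiplier) in ms
PLANNED = {
    "BFD for OSPF":   (50, 50, 3),
    "BFD for TE LSP": (50, 50, 3),
    "BFD for TE":     (100, 100, 3),
    "BFD for IP":     (100, 100, 3),   # used by VPN FRR
    "BFD for BGP":    (200, 200, 3),
}
# Order in which faults should be detected, innermost layer first
LAYERS = ["BFD for OSPF", "BFD for TE LSP", "BFD for TE", "BFD for IP", "BFD for BGP"]


def planned_detection_times(plan=PLANNED) -> dict:
    """Detection time per session when both ends use the same timers."""
    return {name: detection_time(rx, tx, mult) for name, (tx, rx, mult) in plan.items()}


def hierarchy_ok(plan=PLANNED, layers=LAYERS) -> bool:
    """True when no layer detects faster than the layer beneath it."""
    times = [planned_detection_times(plan)[name] for name in layers]
    return all(lower <= upper for lower, upper in zip(times, times[1:]))


if __name__ == "__main__":
    for name, ms in planned_detection_times().items():
        print(f"{name:16s} detects in {ms} ms")
    print("hierarchy ok:", hierarchy_ok())
    # Asymmetric case: the branch PE sends every 100 ms but the DC PE only accepts
    # packets every 200 ms, so the DC side's detection time grows to 600 ms.
    print(detection_time(local_min_rx=200, remote_min_tx=100, remote_mult=3))
```

With the planned values the detection times are 150, 150, 300, 300 and 600 ms from OSPF up to BGP. The asymmetric call shows why both ends of a session should be planned together: a large min-rx-interval on one side slows detection on that side regardless of what the peer transmits.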

Procedure

  1. Configure TE hot standby.

    Configure hot standby on TE interfaces. Tunnel-related configuration in this example is completed using the SDN controller. For details, see Configure MPLS TE.

  2. Configure VPN FRR.

    #
    ip vpn-instance VPNA
      vpn frr                                //Enable VPN FRR.
    #
    
  3. Configure BFD for OSPF.

    Enable BFD for OSPF on the interfaces at both ends of each WAN transmission link and configure OSPF neighbor relationship flapping suppression.

    #
    interface GigabitEthernet2/1/1                  //Access the interface view.
     ospf bfd enable                             //Enable BFD for OSPF.
     ospf bfd min-tx-interval 50 min-rx-interval 50    //Configure the minimum interval at which BFD packets are sent and the minimum interval at which BFD packets are received.
     ospf suppress-flapping peer detecting-interval 180 threshold 3 resume-interval 240 //Set detection parameters for OSPF neighbor relationship flapping suppression.
     ospf suppress-flapping peer hold-down 300       //Configure an OSPF neighbor relationship flapping suppression mode and a suppression duration.
    #
    
  4. Configure BFD for TE.

    Configure BFD for TE tunnel and BFD for TE-LSP at both ends of the specified TE tunnel.

    NOTE:
    BFD for TE can be configured using commands or the SDN controller. You are advised to complete the configuration using the SDN controller. The configuration commands provided in this example are for reference only.
    #
    bfd Bfd101 bind mpls-te interface Tunnel1   //Configure BFD for tunnel.
     discriminator local 1                      //Configure a local discriminator.
     discriminator remote 101                   //Configure a remote discriminator.
     min-tx-interval 100                        //Configure the minimum interval at which BFD packets are sent.
     min-rx-interval 100                        //Configure the minimum interval at which BFD packets are received.
     process-pst                                //Enable a BFD session to modify the port state table (PST) if the BFD session detects a fault, so that the BFD session is associated with the PST.
    #
    bfd Bfd102 bind mpls-te interface Tunnel1 te-lsp  //Configure BFD for TE LSP.
     discriminator local 2                        //Configure a local discriminator.
     discriminator remote 102                    //Configure a remote discriminator.
     min-tx-interval 50                         //Configure the minimum interval at which BFD packets are sent.
     min-rx-interval 50                         //Configure the minimum interval at which BFD packets are received.
     process-pst                              //Enable a BFD session to modify the PST if the BFD session detects a fault.
    #
    
  5. Configure BFD for VPN FRR.

    Configure BFD for IP on the PEs at both ends of an L3VPN service.

    Configuration for the PE in the data center:

    #
    bfd D-PE1_B-PE1_1 bind peer-ip 10.4.1.2
     discriminator local 101
     discriminator remote 101
     min-tx-interval 100
     min-rx-interval 100
    #
    

    Configuration for the branch PE:

    #
    bfd B-PE1_D-PE1_1 bind peer-ip 10.1.1.2
     discriminator local 101
     discriminator remote 101
     min-tx-interval 100
     min-rx-interval 100
    #
    
  6. Configure BFD for BGP.

    Configure BFD for BGP for the link between the RR and branch PE.

    Configuration for the RR:

    #
    bgp 65000
     peer 10.7.1.2 bfd min-tx-interval 200 min-rx-interval 200     //Set BFD parameters. In this example, the BGP session address of the branch PE is 10.7.1.2.
     peer 10.7.1.2 bfd enable                               //Enable BFD for BGP.
    ...            //Enable BFD for BGP for the links between the RR and other branch PEs, if any.
    #
    

    Configuration for the branch PE:

    #
    bgp 65000
     peer 10.1.3.5 bfd min-tx-interval 200 min-rx-interval 200     //Set BFD parameters. In this example, the BGP session address of the RR is 10.1.3.5.
     peer 10.1.3.5 bfd enable                               //Enable BFD for BGP.
    ...            //Enable BFD for BGP for the links between the branch PE and other RRs, if any.
    #
    

Configuring QoS

Overall Planning

  • The CEs on the network mark DSCP values for data packets. Behavior aggregate (BA) classification is deployed on all links, and the PQ and WFQ technologies are deployed on the WAN links. Bandwidth is allocated based on the DSCP values of data packets to provide differentiated services.
  • The packets that are not marked with QoS priorities on CEs need to be marked on PEs.
  • The intranet VPN uses the Uniform model. Other VPNs use the Pipe model, with the priority being BE.
Table 1-21  QoS parameter planning
Parameter                              Planned Value
DiffServ domain for BA classification  Default domain
DiffServ domain mappings               Default value
Priority marking                       Multi-field (MF) classification is used for marking.
L3VPN DiffServ model                   Uniform
L2VPN DiffServ model                   Pipe
Traffic shaping scope                  Traffic shaping is implemented on the WAN links that may be congested. By default, traffic shaping is implemented on an interface based on the interface bandwidth.
Congestion avoidance mode              Weighted random early detection (WRED)
NOTE:
In applications, plan the preceding QoS parameters based on the actual WAN requirements. The planned values in this example are for reference only.

Procedure

  1. Configure BA classification.

    Run the trust upstream default command on all interfaces through which the service passes (see Figure 1-9) to trust upstream packet priorities (including EXP values of MPLS packets and DSCP values of IP packets).

    Figure 1-9  Interfaces on which BA classification is required
    #
    interface Eth-Trunk0               //Enter the interface view.
     trust upstream default             //Configure BA classification.
    #
    
  2. Configure MF classification.

    If the CE does not mark the QoS priority of packets, or if the marked priority does not meet the planning requirements and must be re-set on the WAN, mark the priority on the PE.

    #
    acl name Remark_QOS advance              //Configure an ACL.
     description Remark_QOS                  //Add description.
     rule 5 permit ip source 10.1.0.0 0.1.255.255    //Configure a rule to match the source IP address.
    …  
    #
    traffic classifier RemarkClass operator or       //Configure a traffic classifier.
     if-match acl name Remark_QOS             //Configure an ACL rule.
    #
    traffic behavior RemarkBehavior              //Configure a traffic behavior.
     service-class af1 color green                 //Place traffic matching the rule in the AF1 queue.
     user-queue cir 250000 pir 250000             //Set the shaping value to 250 Mbps.
    #
    traffic policy RemarkPolicy                   //Configure a traffic policy.
     share-mode                               //Configure all traffic on an interface to share bandwidth.
     classifier RemarkClass behavior RemarkBehavior precedence 1   //Associate the traffic classifier with the traffic behavior.
    #
    interface Eth-Trunk3
     traffic-policy RemarkPolicy inbound            //Apply the traffic policy to the incoming traffic on the interface.
    #
    
  3. Configure congestion management and avoidance.

    On the DC-P, WAN-P, and branch PE devices connected to the WAN links, adjust the shaping rate of the traffic entering the WAN links and modify the congestion avoidance mechanism.

    NOTE:
    By default, traffic shaping is performed on an interface based on the interface bandwidth. Priority queuing (PQ) applies to CS7, CS6, and EF queues, and weighted fair queuing (WFQ) applies to the other queues. The tail drop solution is used for congestion avoidance. In applications, plan the QoS parameters based on the actual WAN requirements. The configurations in this example are for reference only.
    # 
    port-wred W                  //Configure WRED.
     color green low-limit 70 high-limit 100 discard-percentage 10   //Configure the upper and lower thresholds and drop probability of WRED.
     color yellow low-limit 60 high-limit 90 discard-percentage 30
     color red low-limit 50 high-limit 80 discard-percentage 50
    #
    interface GigabitEthernet1/0/0
     port shaping 200                    //Set the shaping rate of the interface to 200 Mbps.
     port-queue be lpq outbound           //Configure LPQ for the BE queue.
     port-queue af1 lpq outbound          //Configure LPQ for the AF1 queue.
     port-queue af2 wfq weight 50 port-wred W outbound   //Configure WFQ for the AF2 queue with a scheduling weight of 50 and apply WRED profile W.
     port-queue af3 wfq weight 50 port-wred W outbound   //Configure WFQ for the AF3 queue with a scheduling weight of 50 and apply WRED profile W.
     port-queue af4 pq shaping 50 outbound             //Configure PQ for the AF4 queue and set the shaping rate to 50 Mbps.
    #
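    The port-wred profile W above gives each colour a low limit, a high limit and a maximum drop percentage, which is what determines that out-of-profile (red) traffic is discarded first under congestion and in-profile (green) traffic last. The following Python script is an added example, not Huawei code: it models the standard WRED curve (no drop below the low limit, a linear ramp up to discard-percentage at the high limit, tail drop above it) with the thresholds from profile W, so the effect of the three colour lines can be compared at a given queue occupancy. The names drop_probability, drop_table and WRED_PROFILE_W are this example's own.

```python
"""Weighted random early detection (WRED) drop probability per colour.

Added example, not Huawei code: it models the standard WRED curve with the
thresholds from the port-wred profile on this page. low-limit and high-limit
are percentages of the queue length; discard-percentage is the drop
probability reached at the high limit. Above the high limit every packet of
that colour is dropped (tail drop).
"""

# From the page: colour -> (low-limit %, high-limit %, discard-percentage)
WRED_PROFILE_W = {
    "green":  (70, 100, 10),
    "yellow": (60, 90, 30),
    "red":    (50, 80, 50),
}


def drop_probability(fill_percent: float, color: str, profile=WRED_PROFILE_W) -> float:
    """Probability (0..1) that a packet of the given colour is dropped when the
    queue is fill_percent full."""
    low, high, max_drop = profile[color]
    if fill_percent < low:
        return 0.0                              # below the low limit: never drop
    if fill_percent > high:
        return 1.0                              # above the high limit: tail drop
    # linear ramp from 0 at the low limit to discard-percentage at the high limit
    return (fill_percent - low) / (high - low) * (max_drop / 100.0)


def drop_table(fills=(40, 55, 65, 75, 85, 95), profile=WRED_PROFILE_W) -> dict:
    """Drop probability for every colour at several queue occupancies, showing
    that red traffic is discarded first and green traffic last."""
    return {fill: {c: round(drop_probability(fill, c, profile), 3) for c in profile}
            for fill in fills}


if __name__ == "__main__":
    for fill, probs in drop_table().items():
        print(f"queue {fill:3d}% full:", probs)
```

    At 75% occupancy, for instance, red packets are dropped with probability about 0.42, yellow with 0.15 and green with under 0.02, which is the behaviour the three thresholds are meant to produce.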
    
  4. Configure the MPLS DiffServ model.

    Configure the MPLS DiffServ models for the L2VPN and L3VPN on the PE.

    #
    ip vpn-instance VPNA
     diffserv-mode uniform         //Configure the Uniform model for the L3VPN. Use the default configuration.
    #
    interface GigabitEthernet1/0/1
     mpls l2vc 10.1.2.2 1000 tunnel-policy L2VPN_PE1_TO_PE2
     diffserv-mode pipe ef green      //Configure the DiffServ model as Pipe on the interface bound to the L2VPN and configure the L2VPN traffic to enter the EF queue.
    #
    

Configuring Southbound Protocols of the Controller

Procedure

  1. Configure PCEP.

    Perform the following steps on each PE and P:

    #
    pce-client                       //Configure this router as a PCC.
     connect-server 10.100.1.1         //Specify the IP address of the PCE server.
    #
    
  2. Configure BGP-LS.

    Perform the following steps on the RR to establish a BGP-LS connection with the controller so that the controller can collect the network topology.

    #
    bgp 64512
     peer 10.100.1.1 as-number 64512              //Configure the RR to establish a BGP peer relationship with the controller.
     peer 10.100.1.1 connect-interface LoopBack0    //Configure the interface used to establish the BGP peer relationship.
     ipv4-family unicast
      undo peer 10.100.1.1 enable                 //Do not establish the peer relationship with the controller in the IPv4 unicast address family; the controller only needs topology information.
     link-state-family unicast
      peer 10.100.1.1 enable                     //Establish a BGP-LS peer relationship with the controller.
    #
    ospf 65000
     bgp-ls enable                             //Enable BGP-LS to advertise OSPF topology information.
    #
    
  3. Configure NETCONF.

    Perform the following steps on each forwarder (PE, P, and RR):

    NOTE:
    Before configuring NETCONF, configure the SSH protocol. For details, see "Configuring a Remote Login".
    #
    aaa
     local-user netconf password irreversible-cipher 8$1c$ca8S~hql  //Create a user named netconf and configure the AAA authentication mode and key.
     local-user netconf service-type ssh                        //Enable SSH.
     local-user netconf state block fail-times 3 interval 5          //Lock the account after 3 consecutive failed login attempts; a new attempt is allowed 5 minutes after the account is locked.
     local-user netconf user-group ug                  //Add the user to a specified user group.
    #
    snetconf server enable                           //Enable SNETCONF.
    ssh user netconf                                //Create an SSH user.
    ssh user netconf authentication-type password        //Specify an authentication mode.
    ssh user netconf service-type snetconf              //Configure SSH to support SNETCONF.
    ssh client first-time enable                       //Enable the first-time authentication on the SSH client.
    #
    
  4. Configure LLDP.

    Perform the following steps on each forwarder (PE, P, and RR):

    #
    lldp enable                  //Enable LLDP globally to discover Layer 2 topology.
    #
    

Configuring NetStream

Overall Planning

This section describes how to configure NetStream to collect link traffic for traffic analysis and abnormal traffic detection. The following planning is provided as an example. Adjust the planning according to actual requirements.

Parameter                                                         Planned Value
Deployment position                                               WAN-P and DC-P WAN interfaces and NMS VPN access interface. DC-PE service access interface and NMS VPN access interface.
Active aging time of original flows                               The default value is 30 minutes. In this example, the value is set to 1 minute to accelerate the detection of the active flow status.
Inactive aging time of original flows                             The default value is 30 seconds. In this example, the value is set to 5 seconds to improve the statistics collection efficiency.
Collecting statistics about original flows based on TCP flags     Enabled.
Sampling mode of MPLS packets                                     Inner IP packet and label collection.
Version of the exported packets carrying original flow statistics V9.
Format of interface indexes contained in exported packets         32.
Update interval of the original flow export template              The default value is 30 minutes. In this example, the value is set to 1 minute.
Number of packets based on which a packet is sampled              One packet is sampled every 100 packets.
NOTE:
In actual applications, you need to plan the NetStream parameters based on the actual WAN requirements. The planned values in this example are for reference only.

Procedure

#
slot 1                            //Access the slot view.
 ip netstream sampler to slot self      //Specify a NetStream service processing board for an interface board.
#
...    //Add the preceding configurations to all interface board slots where the interfaces use NetStream to collect traffic as required.
#
ip netstream timeout active 1          //Set the active aging time of original flows.
ip netstream timeout inactive 5        //Set the inactive aging time of original flows.
ip netstream tcp-flag enable          //Enable NetStream to collect statistics about TCP flags in original flows.
ip netstream mpls-aware label-and-ip  //Configure the device to collect labels and inner IP packets in MPLS packets.
ip netstream export version 9         //Configure the version of the exported packets carrying original flow statistics.
ip netstream export index-switch 32   //Configure the format of interface indexes contained in exported packets.
ip netstream export template timeout-rate 1   //Set the update interval of the original flow export template.
ip netstream sampler fix-packets 100 inbound //Configure a packet to be sampled every 100 packets in the inbound direction.
ip netstream sampler fix-packets 100 outbound //Configure a packet to be sampled every 100 packets in the outbound direction.
ip netstream export source 10.10.8.1   //Set the source IP address of exported packets.
ip netstream export host 10.117.3.13 9996 vpn-instance MGT  //Set the destination IP address of exported packets.
#
interface Eth-Trunk2
 ip binding vpn-instance VPNA
 ip netstream inbound              //Enable the NetStream function to collect statistics about inbound data flows on an interface.
 ip netstream outbound             //Enable the NetStream function to collect statistics about outbound data flows on an interface.
#
...    //Enable the NetStream function for inbound and outbound data flows on all interfaces that require NetStream to collect traffic.
#
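The configuration above exports sampled flows as NetFlow v9 with TCP flags included, which is what makes abnormal-traffic detection on the collector possible. The following Python script is an added example, not Huawei code and not the NMS at 10.117.3.13: it builds a NetFlow v9 export packet from constructed flow records (template flowset plus data flowset, field type codes from RFC 3954), parses it back the way a collector would, and runs a simple heuristic that flags sources sending SYN-only flows to many distinct destination ports. The addresses 192.0.2.x and 198.51.100.x and the names build_export, parse_export and syn_scan_sources are this example's own.

```python
"""Parse a NetFlow v9 export (the format NetStream emits with 'export version 9')
and flag sources whose flows look like a TCP SYN scan.

Added example, not Huawei code. The export packet is constructed inline so the
script runs offline; field type codes are the standard ones from RFC 3954.
"""
import struct
from collections import defaultdict

# NetFlow v9 field types used by this template (RFC 3954 section 8)
F_IN_BYTES, F_IN_PKTS, F_PROTOCOL, F_TCP_FLAGS = 1, 2, 4, 6
F_L4_SRC_PORT, F_IPV4_SRC_ADDR, F_L4_DST_PORT, F_IPV4_DST_ADDR = 7, 8, 11, 12
NAMES = {F_IN_BYTES: "bytes", F_IN_PKTS: "pkts", F_PROTOCOL: "proto", F_TCP_FLAGS: "flags",
         F_L4_SRC_PORT: "sport", F_IPV4_SRC_ADDR: "src", F_L4_DST_PORT: "dport",
         F_IPV4_DST_ADDR: "dst"}
IP_FIELDS = {F_IPV4_SRC_ADDR, F_IPV4_DST_ADDR}
TEMPLATE_ID = 256        # data templates start at 256; flowset ID 0 carries templates
TEMPLATE = [(F_IPV4_SRC_ADDR, 4), (F_IPV4_DST_ADDR, 4), (F_L4_SRC_PORT, 2), (F_L4_DST_PORT, 2),
            (F_PROTOCOL, 1), (F_TCP_FLAGS, 1), (F_IN_PKTS, 4), (F_IN_BYTES, 4)]
TCP, SYN, ACK = 6, 0x02, 0x10


def _ip(text):
    return bytes(int(o) for o in text.split("."))


def build_export(flows, seq=1, source_id=1):
    """Build one export packet: 20-byte header, template flowset, data flowset."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE)) + b"".join(
        struct.pack("!HH", t, n) for t, n in TEMPLATE)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    recs = b"".join(_ip(f["src"]) + _ip(f["dst"]) +
                    struct.pack("!HHBBII", f["sport"], f["dport"], f["proto"],
                                f["flags"], f["pkts"], f["bytes"]) for f in flows)
    pad = (-len(recs)) % 4                       # flowsets end on a 32-bit boundary
    data_set = struct.pack("!HH", TEMPLATE_ID, 4 + len(recs) + pad) + recs + b"\x00" * pad
    header = struct.pack("!HHIIII", 9, 1 + len(flows), 0, 0, seq, source_id)
    return header + tmpl_set + data_set


def parse_export(packet):
    """Return the flow records as dicts; templates are learned from the same packet."""
    version = struct.unpack("!HHIIII", packet[:20])[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9: {version}")
    templates, records, off = {}, [], 20
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack("!HH", packet[off:off + 4])
        if set_len < 4:                          # malformed length: stop instead of looping
            break
        body = packet[off + 4:off + set_len]
        if set_id == 0:                          # template flowset
            pos = 0
            while pos + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                templates[tid] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                                  for i in range(count)]
                pos += 4 * count
        elif set_id in templates:                # data flowset for a known template
            fields = templates[set_id]
            rec_len = sum(n for _, n in fields)
            pos = 0
            while pos + rec_len <= len(body):    # trailing padding is shorter than a record
                rec = {}
                for ftype, n in fields:
                    raw = body[pos:pos + n]
                    pos += n
                    rec[NAMES.get(ftype, ftype)] = (".".join(str(b) for b in raw)
                                                    if ftype in IP_FIELDS
                                                    else int.from_bytes(raw, "big"))
                records.append(rec)
        off += set_len
    return records


def syn_scan_sources(records, min_targets=10):
    """Sources with SYN-only TCP flows (SYN set, ACK clear, one or two packets) to at
    least min_targets distinct destination host/port pairs, a classic scan signature."""
    targets = defaultdict(set)
    for r in records:
        if r["proto"] == TCP and r["flags"] & (SYN | ACK) == SYN and r["pkts"] <= 2:
            targets[r["src"]].add((r["dst"], r["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


# Constructed sample: one host probing twelve ports with lone SYNs, plus a normal session
SAMPLE_FLOWS = [{"src": "192.0.2.10", "dst": "198.51.100.5", "sport": 40000 + p, "dport": p,
                 "proto": TCP, "flags": SYN, "pkts": 1, "bytes": 60} for p in range(20, 32)]
SAMPLE_FLOWS.append({"src": "192.0.2.20", "dst": "198.51.100.5", "sport": 51000, "dport": 443,
                     "proto": TCP, "flags": SYN | ACK | 0x08, "pkts": 240, "bytes": 180000})


def analyse_sample():
    """Round-trip the constructed flows through the exporter and parser, then detect."""
    return syn_scan_sources(parse_export(build_export(SAMPLE_FLOWS)))


if __name__ == "__main__":
    print(analyse_sample())
```

Two points from the page matter for such a heuristic in production: with 1-in-100 sampling most single-SYN flows are never seen, so thresholds must be set relative to the sampling rate, and the 1-minute active timeout means a long-lived session is reported as several records whose flags should be merged per 5-tuple before classification.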
Updated: 2019-05-16

Document ID: EDOC1000120969
