Configuration Guide - VPN

S1720, S2700, S5700, and S6720 V200R010C00

This document describes the VPN configuration procedures and provides configuration examples.
Example for Configuring Inter-AS Martini VLL (Option A)

Networking Requirements

The MPLS network of an ISP provides the L2VPN service to many users. PE1 belongs to AS 100 and PE2 belongs to AS 200, as shown in Figure 5-31. The users connect to the MPLS network through PE1 and PE2, and users on the PEs change frequently. A proper VPN solution is required to provide secure VPN services for users and to simplify the configuration when new users connect to the network.

NOTE:

By default, link type negotiation is enabled globally on the device. If a VLANIF interface is used as an AC-side interface for L2VPN, the configuration conflicts with link type negotiation. In this case, run the lnp disable command in the system view to disable link type negotiation.

The lnp disable command has no impact on services before the device restarts. After the device restarts, the device can only forward packets from the VLANs specified by the port default vlan command at Layer 2. The port default vlan 1 command is configured by default, so only packets of VLAN 1 can be forwarded at Layer 2.

Figure 5-31  Inter-AS Martini VLL (Option A)

Configuration Roadmap

The PEs connect to different ASs (AS100 and AS200) of the ISP, so an inter-AS VPN solution is required. To simplify the configuration when new users connect to the network, configure a Martini VLL using inter-AS Option A.

The configuration roadmap is as follows:

  1. Run an IGP protocol on the backbone network so that the devices in the same AS can communicate with each other.

  2. Configure the basic MPLS capabilities on the backbone network and set up dynamic LSPs between PEs and ASBR_PEs in the same AS. If PEs and ASBR_PEs are not directly connected, set up a remote LDP session.

  3. Establish MPLS L2VC connections between the PEs and ASBR_PEs in the same AS.

Procedure

  1. Configure VLANs that each interface belongs to and assign an IP address to each VLANIF interface according to Figure 5-31.

    # Configure CE1. The configuration on CE2, PE1, PE2, ASBR_PE1 and ASBR_PE2 is similar to the configuration on CE1 and is not mentioned here.

    <HUAWEI> system-view
    [HUAWEI] sysname CE1
    [CE1] vlan batch 10
    [CE1] interface vlanif 10
    [CE1-Vlanif10] ip address 192.168.1.1 255.255.255.0
    [CE1-Vlanif10] quit
    [CE1] interface gigabitethernet 0/0/1
    [CE1-GigabitEthernet0/0/1] port link-type trunk
    [CE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
    [CE1-GigabitEthernet0/0/1] quit

  2. Configure an IGP protocol on the MPLS backbone network.

    PEs and ASBR_PEs on the backbone network can communicate with each other by using IGP.

    In this example, IS-IS is used as IGP.

    # Configure PE1. The configuration on PE2, ASBR_PE1 and ASBR_PE2 is similar to the configuration on PE1 and is not mentioned here.

    [PE1] isis 1
    [PE1-isis-1] is-level level-1-2
    [PE1-isis-1] network-entity 10.0000.0000.0001.00
    [PE1-isis-1] quit
    [PE1] interface vlanif 20
    [PE1-Vlanif20] isis enable 1
    [PE1-Vlanif20] quit
    [PE1] interface loopback 0
    [PE1-LoopBack0] ip address 1.1.1.9 32
    [PE1-LoopBack0] isis enable 1
    [PE1-LoopBack0] quit

    After the configuration is complete, the ASBR and PE in the same AS can establish an IS-IS adjacency. Run the display isis peer command, and you can see that the IS-IS adjacency is Up, and the PEs can learn each other's loopback address.

    The command output of PE1 is used as an example.

    [PE1] display isis peer
    
                              Peer information for ISIS(1)                           
                                                                                     
      System Id     Interface          Circuit Id       State HoldTime Type     PRI  
    -------------------------------------------------------------------------------  
    0000.0000.0002  Vlanif20           0000.0000.0001.01 Up   21s      L1(L1L2)  64
    0000.0000.0002  Vlanif20           0000.0000.0001.01 Up   21s      L2(L1L2)  64
    
    Total Peer(s): 2

    The ASBR and PE in the same AS can ping each other.

    The command output of PE1 is used as an example.

    [PE1] ping 2.2.2.9
      PING 2.2.2.9: 56  data bytes, press CTRL_C to break
        Reply from 2.2.2.9: bytes=56 Sequence=1 ttl=255 time=180 ms
        Reply from 2.2.2.9: bytes=56 Sequence=2 ttl=255 time=90 ms
        Reply from 2.2.2.9: bytes=56 Sequence=3 ttl=255 time=60 ms
        Reply from 2.2.2.9: bytes=56 Sequence=4 ttl=255 time=60 ms
        Reply from 2.2.2.9: bytes=56 Sequence=5 ttl=255 time=100 ms
    
      --- 2.2.2.9 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 60/98/180 ms   

  3. Enable MPLS and configure dynamic LSPs.

    Configure the basic MPLS capabilities on the MPLS backbone network. Establish a dynamic LDP LSP between the PE and ASBR_PE in the same AS.

    # Configure PE1. The configuration on PE2, ASBR_PE1 and ASBR_PE2 is similar to the configuration on PE1 and is not mentioned here.

    [PE1] mpls lsr-id 1.1.1.9
    [PE1] mpls
    [PE1-mpls] quit
    [PE1] mpls ldp
    [PE1-mpls-ldp] quit
    [PE1] interface vlanif 20
    [PE1-Vlanif20] mpls
    [PE1-Vlanif20] mpls ldp
    [PE1-Vlanif20] quit

    After this step, an LSP is established between the PE and ASBR_PE in the same AS.

    The command output of ASBR_PE1 is used as an example.

    [ASBR_PE1] display mpls ldp session
    
     LDP Session(s) in Public Network
     Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
     A '*' before a session means the session is being deleted.
     ------------------------------------------------------------------------------
     PeerID             Status      LAM  SsnRole  SsnAge      KASent/Rcv
     ------------------------------------------------------------------------------
     1.1.1.9:0          Operational DU   Active   0000:00:19  79/79
     ------------------------------------------------------------------------------
     TOTAL: 1 session(s) Found.

  4. Configure the MPLS L2VC connection.

    Configure the L2VC connection on the PE and ASBR_PE and connect the PE to the CE.

    # Configure PE1. In this example, a VLANIF interface is used as the AC-side interface, so you need to run the lnp disable command in the system view before performing the following steps. If you cannot disable link type negotiation on the live network, do not use a VLANIF interface as the AC-side interface.

    [PE1] mpls l2vpn
    [PE1-l2vpn] quit
    [PE1] interface vlanif 10
    [PE1-Vlanif10] mpls l2vc 2.2.2.9 100
    [PE1-Vlanif10] quit

    # Configure ASBR_PE1. In this example, a VLANIF interface is used as the AC-side interface, so you need to run the lnp disable command in the system view before performing the following steps. If you cannot disable link type negotiation on the live network, do not use a VLANIF interface as the AC-side interface.

    [ASBR_PE1] mpls l2vpn
    [ASBR_PE1-l2vpn] quit
    [ASBR_PE1] interface vlanif 30
    [ASBR_PE1-Vlanif30] mpls l2vc 1.1.1.9 100
    [ASBR_PE1-Vlanif30] quit

    # Configure ASBR_PE2. In this example, a VLANIF interface is used as the AC-side interface, so you need to run the lnp disable command in the system view before performing the following steps. If you cannot disable link type negotiation on the live network, do not use a VLANIF interface as the AC-side interface.

    [ASBR_PE2] mpls l2vpn
    [ASBR_PE2-l2vpn] quit
    [ASBR_PE2] interface vlanif 30
    [ASBR_PE2-Vlanif30] mpls l2vc 4.4.4.9 100
    [ASBR_PE2-Vlanif30] quit

    # Configure PE2. In this example, a VLANIF interface is used as the AC-side interface, so you need to run the lnp disable command in the system view before performing the following steps. If you cannot disable link type negotiation on the live network, do not use a VLANIF interface as the AC-side interface.

    [PE2] mpls l2vpn
    [PE2-l2vpn] quit
    [PE2] interface vlanif 50
    [PE2-Vlanif50] mpls l2vc 3.3.3.9 100
    [PE2-Vlanif50] quit

  5. Verify the configuration.

    Check information about the L2VPN connection on PE1. You can see that an L2VC has been set up and the VC status is up.

    The command outputs of PE1 and ASBR_PE2 are used as examples.

    [PE1] display mpls l2vc interface vlanif 10
     *client interface       : Vlanif10 is up
      Administrator PW       : no
      session state          : up
      AC status              : up
      VC state               : up
      Label state            : 0
      Token state            : 0
      VC ID                  : 100
      VC type                : VLAN
      destination            : 2.2.2.9
      local group ID         : 0            remote group ID      : 0
      local VC label         : 8195        remote VC label      : 8195
      local AC OAM State     : up
      local PSN OAM State    : up
      local forwarding state : forwarding
      local status code      : 0x0
      remote AC OAM state    : up
      remote PSN OAM state   : up
      remote forwarding state: forwarding
      remote status code     : 0x0
      ignore standby state   : no
      BFD for PW             : unavailable
      VCCV State             : up
      manual fault           : not set
      active state           : active
      forwarding entry       : exist
      link state             : up
      local VC MTU           : 1500         remote VC MTU        : 1500
      local VCCV             : alert ttl lsp-ping bfd
      remote VCCV            : alert ttl lsp-ping bfd
      local control word     : disable      remote control word  : disable
      tunnel policy name     : --
      PW template name       : --
      primary or secondary   : primary
      load balance type      : flow                                                 
      Access-port            : false                                                
      Switchover Flag        : false                                                
      VC tunnel/token info   : 1 tunnels/tokens
        NO.0  TNL type       : lsp   , TNL ID : 0x10031
        Backup TNL type      : lsp   , TNL ID : 0x0
      create time            : 1 days, 22 hours, 15 minutes, 9 seconds
      up time                : 0 days, 22 hours, 54 minutes, 57 seconds
      last change time       : 0 days, 22 hours, 54 minutes, 57 seconds
      VC last up time        : 2010/10/09 19:26:37
      VC total up time       : 0 days, 22 hours, 54 minutes, 57 seconds
      CKey                   : 16
      NKey                   : 15
      PW redundancy mode     : frr
      AdminPw interface      : --
      AdminPw link state     : --
      Diffserv Mode          : uniform                                              
      Service Class          : be                                                   
      Color                  : --                                                   
      DomainId               : --                                                   
      Domain Name            : --                                                   
    
    [ASBR_PE2] display mpls l2vc interface vlanif 30
     *client interface       : Vlanif30 is up
      Administrator PW       : no
      session state          : up
      AC status              : up
      VC state               : up
      Label state            : 0
      Token state            : 0
      VC ID                  : 100
      VC type                : VLAN
      destination            : 4.4.4.9
      local group ID         : 0            remote group ID      : 0
      local VC label         : 8195        remote VC label      : 8195
      local AC OAM State     : up
      local PSN OAM State    : up
      local forwarding state : forwarding
      local status code      : 0x0
      remote AC OAM state    : up
      remote PSN OAM state   : up
      remote forwarding state: forwarding
      remote status code     : 0x0
      ignore standby state   : no
      BFD for PW             : unavailable
      VCCV State             : up
      manual fault           : not set
      active state           : active
      forwarding entry       : exist
      link state             : up
      local VC MTU           : 1500         remote VC MTU        : 1500
      local VCCV             : alert ttl lsp-ping bfd
      remote VCCV            : alert ttl lsp-ping bfd
      local control word     : disable      remote control word  : disable
      tunnel policy name     : --
      PW template name       : --
      primary or secondary   : primary
      load balance type      : flow                                                 
      Access-port            : false                                                
      Switchover Flag        : false                                                
      VC tunnel/token info   : 1 tunnels/tokens
        NO.0  TNL type       : lsp   , TNL ID : 0x10031
        Backup TNL type      : lsp   , TNL ID : 0x0
      create time            : 1 days, 22 hours, 15 minutes, 9 seconds
      up time                : 0 days, 22 hours, 54 minutes, 57 seconds
      last change time       : 0 days, 22 hours, 54 minutes, 57 seconds
      VC last up time        : 2010/10/09 19:26:37
      VC total up time       : 0 days, 22 hours, 54 minutes, 57 seconds
      CKey                   : 17
      NKey                   : 18
      PW redundancy mode     : frr
      AdminPw interface      : --
      AdminPw link state     : --
      Diffserv Mode          : uniform                                              
      Service Class          : be                                                   
      Color                  : --                                                   
      DomainId               : --                                                   
      Domain Name            : --                                                   
    

    CE1 and CE2 can ping each other.

    The command output of CE1 is used as an example.

    [CE1] ping 192.168.1.2
      PING 192.168.1.2: 56  data bytes, press CTRL_C to break
        Reply from 192.168.1.2: bytes=56 Sequence=1 ttl=255 time=172 ms
        Reply from 192.168.1.2: bytes=56 Sequence=2 ttl=255 time=156 ms
        Reply from 192.168.1.2: bytes=56 Sequence=3 ttl=255 time=156 ms
        Reply from 192.168.1.2: bytes=56 Sequence=4 ttl=255 time=156 ms
        Reply from 192.168.1.2: bytes=56 Sequence=5 ttl=255 time=156 ms
    
      --- 192.168.1.2 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 156/159/172 ms
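
The check in step 5 can be scripted. The following Python is an added example, not part of the Huawei guide: it parses display mpls l2vc output, including the two-column lines, and reports a VC that is not up or whose local and remote MTU or control word settings differ. SAMPLE is a shortened copy of the PE1 output above; the function names and the choice of checks are assumptions of this example.

```python
import re

# Added example (not Huawei code). Shortened copy of the PE1 output shown above.
SAMPLE = """\
 *client interface       : Vlanif10 is up
  session state          : up
  AC status              : up
  VC state               : up
  VC ID                  : 100
  VC type                : VLAN
  destination            : 2.2.2.9
  local VC label         : 8195        remote VC label      : 8195
  local VC MTU           : 1500         remote VC MTU        : 1500
  local control word     : disable      remote control word  : disable
"""

def parse_l2vc(output):
    """Turn 'key : value' lines, including two-column lines, into a dict."""
    fields = {}
    for line in output.splitlines():
        # On two-column lines the second pair starts after a run of 2+ spaces
        # and its key begins with "local " or "remote ".
        for part in re.split(r"\s{2,}(?=(?:local|remote) )", line.strip(" *")):
            key, sep, value = part.partition(":")
            if sep:
                fields[key.strip().lower()] = value.strip()
    return fields

def check_l2vc(fields, vc_id, peer):
    """Return a list of problems; an empty list means the VC looks healthy."""
    problems = []
    for key in ("session state", "ac status", "vc state"):
        if fields.get(key) != "up":
            problems.append(f"{key} is {fields.get(key)}")
    if fields.get("vc id") != str(vc_id) or fields.get("destination") != peer:
        problems.append("VC ID or destination differs from the intended peer")
    for attr in ("vc mtu", "control word"):
        if fields.get(f"local {attr}") != fields.get(f"remote {attr}"):
            problems.append(f"local and remote {attr} differ")
    return problems

if __name__ == "__main__":
    print(check_l2vc(parse_l2vc(SAMPLE), 100, "2.2.2.9") or "L2VC healthy")
```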

Configuration Files

  • CE1 configuration file

    #
    sysname CE1
    #
    vlan batch 10
    #
    interface Vlanif10
     ip address 192.168.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    return
  • PE1 configuration file

    #
    sysname PE1
    #
    vlan batch 10 20
    #
    lnp disable
    #
    mpls lsr-id 1.1.1.9
    mpls
    #
    mpls l2vpn
    #
    mpls ldp
    #
    isis 1
     network-entity 10.0000.0000.0001.00
    #
    interface Vlanif10
     mpls l2vc 2.2.2.9 100
    #
    interface Vlanif20
     ip address 20.1.1.1 255.255.255.0
     isis enable 1
     mpls
     mpls ldp
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    interface GigabitEthernet0/0/2
     port link-type trunk
     port trunk allow-pass vlan 20
    #
    interface LoopBack0
     ip address 1.1.1.9 255.255.255.255
     isis enable 1
    #
    return
  • ASBR_PE1 configuration file

    #
    sysname ASBR_PE1
    #
    vlan batch 20 30
    #
    lnp disable
    #
    mpls lsr-id 2.2.2.9
    mpls
    #
    mpls l2vpn
    #
    mpls ldp
    #
    isis 1
     network-entity 10.0000.0000.0002.00
    #
    interface Vlanif20
     ip address 20.1.1.2 255.255.255.0
     isis enable 1
     mpls
     mpls ldp
    #
    interface Vlanif30
     mpls l2vc 1.1.1.9 100
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 20
    #
    interface GigabitEthernet0/0/2
     port link-type trunk
     port trunk allow-pass vlan 30
    #
    interface LoopBack0
     ip address 2.2.2.9 255.255.255.255
     isis enable 1
    #
    return
  • ASBR_PE2 configuration file

    #
    sysname ASBR_PE2
    #
    vlan batch 30 40
    #
    lnp disable
    #
    mpls lsr-id 3.3.3.9
    mpls
    #
    mpls l2vpn
    #
    mpls ldp
    #
    isis 1
     network-entity 10.0000.0000.0003.00
    #
    interface Vlanif30
     mpls l2vc 4.4.4.9 100
    #
    interface Vlanif40
     ip address 30.1.1.1 255.255.255.0
     isis enable 1
     mpls
     mpls ldp
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 30
    #
    interface GigabitEthernet0/0/2
     port link-type trunk
     port trunk allow-pass vlan 40
    #
    interface LoopBack0
     ip address 3.3.3.9 255.255.255.255
     isis enable 1
    #
    return
  • PE2 configuration file

    #
    sysname PE2
    #
    vlan batch 40 50
    #
    lnp disable
    #
    mpls lsr-id 4.4.4.9
    mpls
    #
    mpls l2vpn
    #
    mpls ldp
    #
    isis 1
     network-entity 10.0000.0000.0004.00
    #
    interface Vlanif40
     ip address 30.1.1.2 255.255.255.0
     isis enable 1
     mpls
     mpls ldp
    #
    interface Vlanif50
     mpls l2vc 3.3.3.9 100
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 40
    #
    interface GigabitEthernet0/0/2
     port link-type trunk
     port trunk allow-pass vlan 50
    #
    interface LoopBack0
     ip address 4.4.4.9 255.255.255.255
     isis enable 1
    # 
    return
  • CE2 configuration file

    #
    sysname CE2
    #
    vlan batch 50
    #
    interface Vlanif50
     ip address 192.168.1.2 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 50
    #
    return
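
A Martini L2VC comes up only when both ends name each other's LSR ID with the same VC ID, and this page requires lnp disable when a VLANIF interface is the AC-side interface. The following Python is an added example, not part of the Huawei guide, that audits a set of configuration files for those conditions; the PE1 and ASBR_PE1 strings are excerpts of the files above, and parse and audit are hypothetical names.

```python
import re

# Added example (not Huawei code). Excerpts of the PE1 and ASBR_PE1 files above.
PE1 = """\
sysname PE1
lnp disable
mpls lsr-id 1.1.1.9
mpls l2vpn
interface Vlanif10
 mpls l2vc 2.2.2.9 100
"""
ASBR_PE1 = """\
sysname ASBR_PE1
lnp disable
mpls lsr-id 2.2.2.9
mpls l2vpn
interface Vlanif30
 mpls l2vc 1.1.1.9 100
"""

def parse(cfg):
    """Extract the fields the audit needs from one configuration file."""
    dev = {"name": None, "lsr_id": None, "lnp disable": False,
           "mpls l2vpn": False, "l2vcs": []}  # l2vcs: (interface, peer, vc_id)
    iface = None
    for line in cfg.splitlines():
        text = line.strip()
        if not line.startswith(" "):
            iface = None  # an unindented line ("#", "interface ...") ends the view
        if m := re.fullmatch(r"sysname (\S+)", text):
            dev["name"] = m[1]
        elif m := re.fullmatch(r"mpls lsr-id (\S+)", text):
            dev["lsr_id"] = m[1]
        elif text in ("lnp disable", "mpls l2vpn"):
            dev[text] = True
        elif m := re.fullmatch(r"interface (\S+)", text):
            iface = m[1]
        elif (m := re.fullmatch(r"mpls l2vc (\S+) (\d+)", text)) and iface:
            dev["l2vcs"].append((iface, m[1], int(m[2])))
    return dev

def audit(configs):
    """Return a list of findings; empty means every L2VC has a matching far end."""
    devs = [parse(c) for c in configs]
    by_lsr = {d["lsr_id"]: d for d in devs}
    findings = []
    for d in devs:
        for iface, peer, vc_id in d["l2vcs"]:
            if not d["mpls l2vpn"]:
                findings.append(f"{d['name']}: mpls l2vpn not enabled")
            if iface.lower().startswith("vlanif") and not d["lnp disable"]:
                findings.append(f"{d['name']}: {iface} is an AC but lnp disable is missing")
            remote = by_lsr.get(peer)
            if remote is None:
                findings.append(f"{d['name']}: peer {peer} is not a known LSR ID")
            elif (d["lsr_id"], vc_id) not in {(p, v) for _, p, v in remote["l2vcs"]}:
                findings.append(f"{d['name']}: {remote['name']} has no l2vc {d['lsr_id']} {vc_id}")
    return findings
```

Pass the saved configuration files of both ends of each L2VC (PE1 with ASBR_PE1, ASBR_PE2 with PE2) to audit() in one list; a file given without its peer is reported as an unknown LSR ID.
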
Updated: 2019-08-21

Document ID: EDOC1000141944
