No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - VPN

S9300, S9300E, and S9300X V200R010C00

This document describes the VPN configuration procedures and provides configuration examples.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring IP+VPN Hybrid FRR

Example for Configuring IP+VPN Hybrid FRR

Networking Requirements

As shown in Figure 2-66, a CE is dual-homed to PE1 and PE2. The customer hopes that when the direct link between CE and PE1 fails, the route can be quickly switched to the link PE1-PE2-CE to ensure rapid switching of VPN service traffic, thereby minimizing the impact of the link failure on VPN services.

NOTE:

In this scenario, to avoid loops, ensure that all connected interfaces have STP disabled and connected interfaces are removed from VLAN 1. If STP is enabled and VLANIF interfaces of switches are used to construct a Layer 3 ring network, an interface on the network will be blocked. As a result, Layer 3 services on the network cannot run normally.

Figure 2-66  Networking for IP+VPN hybrid FRR

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure OSPF on the MPLS backbone network (PE1 and PE2) to enable interworking on the backbone network.

  2. Enable basic MPLS capabilities and MPLS LDP to set up LDP LSPs on the MPLS backbone network.

  3. Configure a VPN instance on PE1 and PE2, and bind the CE-side interfaces to the VPN instance to connect the CE to PE1 and PE2.

  4. Establish a BGP VPNv4 peer relationship between PE1 and PE2.

  5. Configure a hybrid FRR policy on PE1 and PE2, specify the backup next hop in the policy, and enable IP FRR.

Procedure

  1. Create VLANs, add related interfaces to the VLANs, and assign IP addresses to VLANIF and loopback interfaces.

    # Configure PE1. The configurations of PE2 and CE are similar to the configurations of PE1. For details, see the configuration files.

    <Quidway> system-view
    [Quidway] sysname PE1
    [PE1] interface loopback 1
    [PE1-LoopBack1] ip address 1.1.1.1 32
    [PE1-LoopBack1] quit
    [PE1] vlan batch 10 20
    [PE1] interface gigabitethernet 1/0/1
    [PE1-GigabitEthernet1/0/1] port link-type trunk
    [PE1-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
    [PE1-GigabitEthernet1/0/1] quit
    [PE1] interface gigabitethernet 2/0/2
    [PE1-GigabitEthernet2/0/2] port link-type trunk
    [PE1-GigabitEthernet2/0/2] port trunk allow-pass vlan 20 
    [PE1-GigabitEthernet2/0/2] quit
    [PE1] interface vlanif 10
    [PE1-Vlanif10] ip address 10.3.1.2 30
    [PE1-Vlanif10] quit
    

  2. Configure OSPF on the MPLS backbone network to enable interworking between the PE devices.

    # Configure PE1. The configuration of PE2 is similar to the configuration of PE1. For details, see the configuration files.

    [PE1] ospf
    [PE1-ospf-1] area 0
    [PE1-ospf-1-area-0.0.0.0] network 10.3.1.0 0.0.0.3
    [PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
    [PE1-ospf-1-area-0.0.0.0] quit
    [PE1-ospf-1] quit
    

  3. Enable basic MPLS capabilities and MPLS LDP on the PE devices to set up LDP LSPs on the MPLS backbone network.

    # Configure PE1.

    [PE1] mpls lsr-id 1.1.1.1
    [PE1] mpls
    [PE1-mpls] quit
    [PE1] mpls ldp
    [PE1-mpls-ldp] quit
    [PE1] interface vlanif 10
    [PE1-Vlanif10] mpls
    [PE1-Vlanif10] mpls ldp
    [PE1-Vlanif10] quit
    

    # Configure PE2.

    [PE2] mpls lsr-id 2.2.2.2
    [PE2] mpls
    [PE2-mpls] quit
    [PE2] mpls ldp
    [PE2-mpls-ldp] quit
    [PE2] interface vlanif 10
    [PE2-Vlanif10] mpls
    [PE2-Vlanif10] mpls ldp
    [PE2-Vlanif10] quit

    After the configuration is complete, an LDP peer relationship is established between PE1 and PE2. Run the display mpls ldp session command on the PE devices. the command output shows that the Status is Operational. Run the display mpls ldp lsp command to view information about the established LDP LSPs. The display on PE1 is used as an example:

    [PE1] display mpls ldp lsp
    
    LDP LSP Information
     -------------------------------------------------------------------------------
     Flag after Out IF: (I) - LSP Is Only Iterated by RLFA
     -------------------------------------------------------------------------------
     DestAddress/Mask   In/OutLabel    UpstreamPeer    NextHop         OutInterface
     -------------------------------------------------------------------------------
     1.1.1.1/32         3/NULL         2.2.2.2         127.0.0.1       InLoop0
    *1.1.1.1/32         Liberal/1024                   DS/2.2.2.2
     2.2.2.2/32         NULL/3         -               10.3.1.1        Vlanif10
     2.2.2.2/32         1024/3         2.2.2.2         10.3.1.1        Vlanif10
     -------------------------------------------------------------------------------
     TOTAL: 3 Normal LSP(s) Found.
     TOTAL: 1 Liberal LSP(s) Found.
     TOTAL: 0 Frr LSP(s) Found.
     A '*' before an LSP means the LSP is not established
     A '*' before a Label means the USCB or DSCB is stale
     A '*' before a UpstreamPeer means the session is stale
     A '*' before a DS means the session is stale
     A '*' before a NextHop means the LSP is FRR LSP

  4. Configure a VPN instance on the PE devices and bind the CE-side interfaces to the VPN instance to connect the CE to the PE devices.

    # Configure PE1.

    [PE1] ip vpn-instance vpn1
    [PE1-vpn-instance-vpn1] ipv4-family
    [PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
    [PE1-vpn-instance-vpn1-af-ipv4] vpn-target 111:1
    [PE1-vpn-instance-vpn1-af-ipv4] quit
    [PE1-vpn-instance-vpn1] quit
    [PE1] interface vlanif 20
    [PE1-Vlanif20] ip binding vpn-instance vpn1
    [PE1-Vlanif20] ip address 10.1.1.2 30
    [PE1-Vlanif20] quit

    # Configure PE2.

    [PE2] ip vpn-instance vpn1
    [PE2-vpn-instance-vpn1] ipv4-family
    [PE2-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:2
    [PE2-vpn-instance-vpn1-af-ipv4] vpn-target 111:1
    [PE2-vpn-instance-vpn1-af-ipv4] quit
    [PE2-vpn-instance-vpn1] quit
    [PE2] interface vlanif 30
    [PE2-Vlanif30] ip binding vpn-instance vpn1
    [PE2-Vlanif30] ip address 10.2.1.2 30
    [PE2-Vlanif30] quit

  5. Configure static routes between the CE and the PE devices. Import direct VPN routes and static routes on PE1 and PE2.

    NOTE:

    When configuring hybrid FRR, you must specify outbound interfaces in the static routes from the PE devices to the CE.

    # Configure PE1.

    [PE1] ip route-static vpn-instance vpn1 10.5.1.0 24 vlanif20 10.1.1.1
    [PE1] bgp 100
    [PE1-bgp] ipv4-family vpn-instance vpn1
    [PE1-bgp-vpn1] import-route direct
    [PE1-bgp-vpn1] import-route static
    [PE1-bgp-vpn1] quit
    [PE1-bgp] quit

    # Configure PE2.

    [PE2] ip route-static vpn-instance vpn1 10.5.1.0 24 vlanif30 10.2.1.1
    [PE2] bgp 100
    [PE2-bgp] ipv4-family vpn-instance vpn1
    [PE2-bgp-vpn1] import-route direct
    [PE2-bgp-vpn1] import-route static
    [PE2-bgp-vpn1] quit
    [PE2-bgp] quit

    # Configure the CE.

    [CE] ip route-static 0.0.0.0 0.0.0.0 10.1.1.2 preference 60
    [CE] ip route-static 0.0.0.0 0.0.0.0 10.2.1.2 preference 100

  6. Set up a BGP VPNv4 peer relationship between PE1 and PE2.

    # Configure PE1.

    [PE1] bgp 100
    [PE1-bgp] peer 2.2.2.2 as-number 100
    [PE1-bgp] peer 2.2.2.2 connect-interface loopback 1
    [PE1-bgp] ipv4-family vpnv4
    [PE1-bgp-af-vpnv4] peer 2.2.2.2 enable
    [PE1-bgp-af-vpnv4] quit
    [PE1-bgp] quit

    # Configure PE2.

    [PE2] bgp 100
    [PE2-bgp] peer 1.1.1.1 as-number 100
    [PE2-bgp] peer 1.1.1.1 connect-interface loopback 1
    [PE2-bgp] ipv4-family vpnv4
    [PE2-bgp-af-vpnv4] peer 1.1.1.1 enable
    [PE2-bgp-af-vpnv4] quit
    [PE2-bgp] quit

    After the configuration is complete, run the display bgp vpnv4 all peer command on PE1 and PE2. The command output shows that a BGP VPNv4 peer relationship has been set up and it is in the Established state.

  7. Configure a hybrid FRR routing policy.

    [PE1] ip ip-prefix frr1 permit 10.1.1.1 32
    [PE1] route-policy ip_vpn_frr_rp permit node 10
    [PE1-route-policy] if-match ip next-hop ip-prefix frr1
    [PE1-route-policy] apply backup-nexthop 2.2.2.2
    [PE1-route-policy] quit

  8. Enable IP FRR.

    [PE1] ip vpn-instance vpn1
    [PE1-vpn-instance-vpn1] ipv4-family
    [PE1-vpn-instance-vpn1-af-ipv4] ip frr route-policy ip_vpn_frr_rp
    [PE1-vpn-instance-vpn1-af-ipv4] quit
    [PE1-vpn-instance-vpn1] quit

    # Run the display ip routing-table vpn-instance command to check the routing entries of the VPN instance. The fields in boldface indicate the backup next hop, backup label, and backup tunnel ID. The command output shows that the hybrid FRR entry has been generated.

    [PE1] display ip routing-table vpn-instance vpn1 10.5.1.0 verbose
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Table : vpn1
    Summary Count : 2
    
    Destination: 10.5.1.0/24
         Protocol: Static          Process ID: 0
       Preference: 60                    Cost: 0
          NextHop: 10.1.1.1         Neighbour: 0.0.0.0
            State: Active Adv             Age: 00h01m33s
              Tag: 0                 Priority: medium
            Label: NULL               QoSInfo: 0x0
       IndirectID: 0x0
     RelayNextHop: 0.0.0.0          Interface: Vlanif20
         TunnelID: 0x0                  Flags:  D
        BkNextHop: 2.2.2.2        BkInterface: Vlanif10
          BkLabel: 75776          SecTunnelID: 0x0
     BkPETunnelID: 0x200800b  BkPESecTunnelID: 0x0
     BkIndirectID: 0x0 
    
    Destination: 10.5.1.0/24
         Protocol: IBGP             Process ID: 0
       Preference: 255                    Cost: 0
          NextHop: 2.2.2.2           Neighbour: 2.2.2.2
           State: Inactive Adv Relied     Age: 00h01m33s 
             Tag: 0                  Priority: low
           Label: 1025                QoSInfo: 0x0
       IndirectID: 0x6
     RelayNextHop: 10.3.1.1          Interface: Vlanif10
         TunnelID: 0x48000007            Flags: R
    NOTE:

    When the link between PE1 and the CE fails, the static routes on the link become invalid. Then traffic is quickly switched to the backup link based on the FRR entry.

    After IP FRR is disabled, traffic is switched based on route convergence. The switching speed is slower than switching based on IP FRR.

Configuration Files

  • PE1 configuration file

    #
    sysname PE1
    #
    vlan batch 10 20
    #
    ip vpn-instance vpn1
     ipv4-family
      route-distinguisher 100:1
      ip frr route-policy ip_vpn_frr_rp
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
     mpls lsr-id 1.1.1.1
     mpls
    #
    mpls ldp
    #
    interface Vlanif10
     ip address 10.3.1.2 255.255.255.252
     mpls
     mpls ldp
    #
    interface Vlanif20
     ip binding vpn-instance vpn1
     ip address 10.1.1.2 255.255.255.252
    #
    interface GigabitEthernet1/0/1
     port link-type trunk
     port trunk allow-pass vlan 10
    # 
    interface GigabitEthernet2/0/2
     port link-type trunk
     port trunk allow-pass vlan 20
    #
    interface LoopBack1
     ip address 1.1.1.1 255.255.255.255
    #
    bgp 100
     peer 2.2.2.2 as-number 100
     peer 2.2.2.2 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 2.2.2.2 enable
    #
     ipv4-family vpnv4
      policy vpn-target
      peer 2.2.2.2 enable
    #
     ipv4-family vpn-instance vpn1
      import-route direct
      import-route static
    #
    ospf 1
     area 0.0.0.0
      network 1.1.1.1 0.0.0.0
      network 10.3.1.0 0.0.0.3
    # 
    route-policy ip_vpn_frr_rp permit node 10
     if-match ip next-hop ip-prefix frr1
     apply backup-nexthop 2.2.2.2
    # 
    ip ip-prefix frr1 index 10 permit 10.1.1.1 32
    #
    ip route-static vpn-instance vpn1 10.5.1.0 255.255.255.0 Vlanif20 10.1.1.1
    #
    return
  • PE2 configuration file

    #
    sysname PE2
    #
    vlan batch 10 30
    #
    ip vpn-instance vpn1
     ipv4-family
      route-distinguisher 100:2
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
     mpls lsr-id 2.2.2.2
     mpls
    #
    mpls ldp
    #
    interface Vlanif10
     ip address 10.3.1.1 255.255.255.252
     mpls
     mpls ldp
    #
    interface Vlanif30
     ip binding vpn-instance vpn1
     ip address 10.2.1.2 255.255.255.252
    #
    interface GigabitEthernet1/0/1
     port link-type trunk
     port trunk allow-pass vlan 10
    # 
    interface GigabitEthernet2/0/2
     port link-type trunk
     port trunk allow-pass vlan 30
    #
    interface LoopBack1
     ip address 2.2.2.2 255.255.255.255
    #
    bgp 100
     peer 1.1.1.1 as-number 100
     peer 1.1.1.1 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 1.1.1.1 enable
    #
     ipv4-family vpnv4
     policy vpn-target 
      peer 1.1.1.1 enable
    #
     ipv4-family vpn-instance vpn1
      import-route direct
      import-route static
    #
    ospf 1
     area 0.0.0.0
      network 2.2.2.2 0.0.0.0
      network 10.3.1.0 0.0.0.3
    #
    ip route-static vpn-instance vpn1 10.5.1.0 255.255.255.0 Vlanif30 10.2.1.1
    #
    return
  • CE configuration file

    #
    sysname CE
    #
    vlan batch 10 20 30
    #
    interface Vlanif10
     ip address 10.5.1.1 255.255.255.0
    #
    interface Vlanif20
     ip address 10.1.1.1 255.255.255.252
    #
    interface Vlanif30
     ip address 10.2.1.1 255.255.255.252
    #
    interface GigabitEthernet1/0/1
     port link-type trunk
     port trunk allow-pass vlan 20
    # 
    interface GigabitEthernet2/0/2
     port link-type trunk
     port trunk allow-pass vlan 30
    # 
    interface GigabitEthernet3/0/3
     port link-type trunk
     port trunk allow-pass vlan 10
    #
     ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
     ip route-static 0.0.0.0 0.0.0.0 10.2.1.2 preference 100
    # 
    return
Translation
Download
Updated: 2019-08-21

Document ID: EDOC1000142068

Views: 113884

Downloads: 208

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Share
Previous Next