S12700 V200R011C10 Configuration Guide - VPN

This document describes the VPN configuration procedures and provides configuration examples.
Example for Using a Tunnel Selector to Select MPLS TE Tunnels for HoVPN Data Transmission


Networking Requirements

A BGP/MPLS IP VPN uses a flat model, which places the same performance requirements on all PEs. If some PEs have performance or scalability problems, the whole network is affected. Most networks today use hierarchical architectures, so a BGP/MPLS IP VPN with a flat architecture cannot meet their requirements. To improve scalability, BGP/MPLS IP VPNs must use a hierarchical model. HoVPN is the resulting solution.

As shown in Figure 3-69, CE1, CE2, and CE3 belong to one VPN. The routing capabilities and forwarding performance of the UPEs are lower than those of the SPE and NPE, so HoVPN is used to reduce the load on the UPEs. The VPN also carries many real-time services, such as voice and online video. To guarantee QoS for these VPN services, the carrier transmits all of them over MPLS TE tunnels. By default, however, the SPE selects LSPs for VPN data transmission and does not perform load balancing. In this network only MPLS TE tunnels are set up, so VPN services on the SPE cannot be iterated to any tunnel and data forwarding is interrupted.

To address the problem, use a tunnel selector on the SPE to ensure that VPN services on the SPE are iterated to MPLS TE tunnels.

Figure 3-69  Networking for using a tunnel selector to select MPLS TE tunnels for HoVPN data

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an IGP on the backbone network to achieve connectivity between PEs and ensure that the UPEs, SPE, and NPE can learn each other's loopback interface address.

  2. Enable MPLS and MPLS TE on the UPEs, SPE, and NPE, and set up MPLS TE tunnels between PEs.

  3. Set up MP-IBGP peer relationships between the UPEs and the SPE, and between the NPE and the SPE.

  4. On the UPEs and NPE, create a VPN instance and establish EBGP peer relationships with CEs.

  5. On the SPE, create a VPN instance, specify the UPEs as the user-end PEs of the SPE, and configure the SPE to advertise default routes of the VPN instance to the UPEs.

  6. Configure the tunnel policy and tunnel selector. Apply the tunnel policy to the VPN instance on each PE and the tunnel selector to the BGP-VPNv4 address family on the SPE.

Procedure

  1. Configure an HoVPN and set up MPLS TE tunnels on the backbone network.

    1. Assign IP addresses to interfaces on the CEs, UPEs, SPE, and NPE.
    2. Configure an IGP (OSPF in this example) on the MPLS backbone network. When configuring OSPF, advertise the 32-bit addresses of loopback interfaces on PEs.
    3. Set up MPLS TE tunnels between the UPEs and the SPE, and between the NPE and the SPE.
    4. Configure MP-IBGP peer relationships between the UPEs and the SPE, and between the NPE and the SPE.
    5. On the UPEs and NPE, create a VPN instance and establish EBGP peer relationships with CEs.
    6. On the SPE, create a VPN instance, specify UPE1 and UPE2 as the user-end PEs of the SPE, and configure the SPE to advertise default routes of the VPN instance to UPE1 and UPE2.

    For details, see the configuration files.

  2. Configure the tunnel policy and tunnel selector. Apply the tunnel policy to the VPN instance on each PE and the tunnel selector to the BGP-VPNv4 address family on the SPE.

    # Configure UPE1. The configurations on UPE2 and the NPE are similar to the configuration on UPE1 and are not provided here. For details, see the following configuration files.

    [UPE1] interface tunnel 1
    [UPE1-Tunnel1] mpls te reserved-for-binding
    [UPE1-Tunnel1] mpls te commit
    [UPE1-Tunnel1] quit
    [UPE1] tunnel-policy bindTE
    [UPE1-tunnel-policy-bindTE] tunnel binding destination 2.2.2.9 te tunnel1
    [UPE1-tunnel-policy-bindTE] quit
    [UPE1] ip vpn-instance vpna
    [UPE1-vpn-instance-vpna] tnl-policy bindTE
    [UPE1-vpn-instance-vpna] quit

    # Configure a tunnel policy on the SPE and apply it to the VPN instance.

    [SPE] tunnel-policy bindTE
    [SPE-tunnel-policy-bindTE] tunnel binding destination 1.1.1.9 te tunnel1
    [SPE-tunnel-policy-bindTE] tunnel binding destination 3.3.3.9 te tunnel2
    [SPE-tunnel-policy-bindTE] tunnel binding destination 4.4.4.9 te tunnel3
    [SPE-tunnel-policy-bindTE] quit
    [SPE] ip vpn-instance vpna
    [SPE-vpn-instance-vpna] tnl-policy bindTE
    [SPE-vpn-instance-vpna] quit

    # Configure a tunnel selector and apply it to the BGP-VPNv4 address family on the SPE so that VPNv4 routes can be iterated to MPLS TE tunnels based on the tunnel policy.

    [SPE] tunnel-selector bindTE permit node 10
    [SPE-tunnel-selector] apply tunnel-policy bindTE
    [SPE-tunnel-selector] quit
    [SPE] bgp 100
    [SPE-bgp] ipv4-family vpnv4
    [SPE-bgp-af-vpnv4] tunnel-selector bindTE 
    [SPE-bgp-af-vpnv4] quit
    [SPE-bgp] quit

    After completing the configuration, run the display tunnel-policy command or the display tunnel-selector command to view the configured tunnel policy or tunnel selector. The display on the SPE is used as an example:

    [SPE] display tunnel-policy
    Total   tunnel policy num:              1
    Sel-Seq tunnel policy num:              0 
    Binding tunnel policy num:              1 
    Invalid tunnel policy num:              0
                           
    Tunnel Policy Name                      Destination     Tunnel Intf       Ignore-dest-check   Down switch 
    ------------------------------------------------------------------------------------------------------------- 
    bindTE                                  1.1.1.9         Tunnel1           Disable             Enable
                                            3.3.3.9         Tunnel2           Disable             Enable 
                                            4.4.4.9         Tunnel3           Disable             Enable  
    
    [SPE] display tunnel-selector
    Tunnel-selector : bindTE
      permit : 10 (matched counts: 3)
        Apply clauses :
          apply tunnel-policy bindTE   

  3. Verify the configuration.

    After the configurations are complete, CE1, CE2, and CE3 can successfully ping each other. The display on CE1 is used as an example:

    [CE1] ping 10.2.1.1
      PING 10.2.1.1: 56  data bytes, press CTRL_C to break
        Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=253 time=85 ms
        Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=253 time=70 ms
        Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=253 time=57 ms
        Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=253 time=66 ms
        Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=253 time=55 ms
      --- 10.2.1.1 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 55/66/85 ms

    Run the display bgp vpnv4 all routing-table peer 2.2.2.9 received-routes command on UPE1 or UPE2. The command output shows that each UPE has received a default route from the SPE. The default route replaces the specific routes to the sites connected to CE2 and CE3, reducing the routing table sizes on the UPE devices. The display on UPE1 is used as an example:

    [UPE1] display bgp vpnv4 all routing-table peer 2.2.2.9 received-routes
    
    
     BGP Local router ID is 1.1.1.9
     Status codes: * - valid, > - best, d - damped,
                   h - history,  i - internal, s - suppressed, S - Stale
                   Origin : i - IGP, e - EGP, ? - incomplete
    
    
     Total Number of Routes: 1
    
     Route Distinguisher: 100:10
    
    
          Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
    
     *>i  0.0.0.0            2.2.2.9         0          100        0      i         

    Run the display bgp vpnv4 all routing-table command on the SPE. The command output shows that the SPE has received VPNv4 routes from the other devices and has selected them as preferred routes. Only the preferred VPNv4 routes are forwarded to other MP-IBGP peers.

    [SPE] display bgp vpnv4 all routing-table
    
    
     BGP Local router ID is 2.2.2.9
     Status codes: * - valid, > - best, d - damped,
                   h - history,  i - internal, s - suppressed, S - Stale
                   Origin : i - IGP, e - EGP, ? - incomplete
    
    
    
     Total number of routes from all PE: 3
     Route Distinguisher: 100:1
    
    
          Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
    
     *>i10.1.1.0/24        1.1.1.9         0          100        0      ?
    
     Route Distinguisher: 100:2
    
    
          Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
    
     *>i10.2.1.0/24        3.3.3.9         0          100        0      ?
    
     Route Distinguisher: 100:3
    
    
          Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
    
     *>i10.3.1.0/24        4.4.4.9         0          100        0      ?
    
     VPN-Instance vpna, Router ID 2.2.2.9:
    
     Total Number of Routes: 3
          Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
    
     *>i  10.1.1.0/24        1.1.1.9         0          100        0      ?
     *>i  10.2.1.0/24        3.3.3.9         0          100        0      ?
     *>i  10.3.1.0/24        4.4.4.9         0          100        0      ?

    Run the display bgp vpnv4 all routing-table x.x.x.x command on the SPE. The command output shows detailed information about the VPNv4 route to an address specified by x.x.x.x, including information about the tunnel to which the route is iterated. The network segment 10.3.1.0/24 is used as an example:

    [SPE] display bgp vpnv4 all routing-table 10.3.1.0
    
    
     BGP local router ID : 2.2.2.9
     Local AS number : 100
    
     Total routes of Route Distinguisher(100:3): 1
     BGP routing table entry information of 10.3.1.0/24:
     Label information (Received/Applied): 1029/1043
     From: 4.4.4.9 (4.4.4.9)
     Route Duration: 00h37m28s
     Relay IP Nexthop: 172.3.1.1
     Relay IP Out-Interface: Vlanif10
     Relay Tunnel Out-Interface: Tunnel3
     Relay token: 0x9
     Original nexthop: 4.4.4.9
     Qos information : 0x0
     Ext-Community:RT <1 : 1>
     AS-path Nil, origin incomplete, MED 0, localpref 100, pref-val 0, valid, intern
    al, best, select, pre 255
     Advertised to such 1 peers:
        3.3.3.9
    
     VPN-Instance vpna, Router ID 2.2.2.9:
    
     Total Number of Routes: 1
     BGP routing table entry information of 10.3.1.0/24:
     Label information (Received/Applied): 1029/NULL
     From: 4.4.4.9 (4.4.4.9)
     Route Duration: 00h37m28s
     Relay Tunnel Out-Interface: Tunnel3
     Relay token: 0x9
     Original nexthop: 4.4.4.9
     Qos information : 0x0
     Ext-Community:RT <1 : 1>
     AS-path Nil, origin incomplete, MED 0, localpref 100, pref-val 0, valid, intern
    al, best, select, active, pre 255
     Not advertised to any peer yet

    The command output shows that the route to 10.3.1.0/24 is iterated to the tunnel with the tunnel interface of Tunnel3 and the tunnel token of 0x9. To view detailed information about the tunnel, run the display tunnel-info tunnel-id command.

    [SPE] display tunnel-info tunnel-id 9
    Tunnel ID:                    0x9
    Tunnel Token:                 9
    Type:                         cr lsp
    Destination:                  4.4.4.9
    Out Slot:                     0
    Instance ID:                  0
    Interface:                    Tunnel3
    Sub Tunnel ID:                0x0

    In summary, after the tunnel policy and tunnel selector are used for HoVPN, the VPN data between the UPE and the SPE, and between the SPE and the NPE can be transmitted over MPLS TE tunnels. This meets the networking requirements.
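
The check described in step 3 can be automated. The following Python sketch is an added example, not part of the Huawei documentation: it parses the detailed route display and reports every entry whose Relay Tunnel Out-Interface differs from the tunnel bound to its original next hop in the tunnel policy bindTE. The names BINDINGS, SAMPLE, parse_entries, and check_recursion are assumptions of this example, and the sample text is trimmed from the output shown above.

```python
import re

# Tunnel bindings configured in tunnel policy bindTE on the SPE (from this page).
BINDINGS = {"1.1.1.9": "Tunnel1", "3.3.3.9": "Tunnel2", "4.4.4.9": "Tunnel3"}

# Constructed sample: trimmed from the display output shown in step 3.
SAMPLE = """\
 Total routes of Route Distinguisher(100:3): 1
 BGP routing table entry information of 10.3.1.0/24:
 Label information (Received/Applied): 1029/1043
 From: 4.4.4.9 (4.4.4.9)
 Relay IP Nexthop: 172.3.1.1
 Relay IP Out-Interface: Vlanif10
 Relay Tunnel Out-Interface: Tunnel3
 Relay token: 0x9
 Original nexthop: 4.4.4.9

 VPN-Instance vpna, Router ID 2.2.2.9:

 Total Number of Routes: 1
 BGP routing table entry information of 10.3.1.0/24:
 Label information (Received/Applied): 1029/NULL
 From: 4.4.4.9 (4.4.4.9)
 Relay Tunnel Out-Interface: Tunnel3
 Relay token: 0x9
 Original nexthop: 4.4.4.9
"""


def parse_entries(output):
    """Split the detailed route display into one dict of fields per entry."""
    entries = []
    for line in output.splitlines():
        head = re.match(r"\s*BGP routing table entry information of (\S+):", line)
        if head:
            entries.append({"prefix": head.group(1)})
        elif entries and ":" in line:
            key, _, value = line.partition(":")
            entries[-1][key.strip()] = value.strip()
    return entries


def check_recursion(output, bindings=BINDINGS):
    """Return (prefix, next hop, tunnel seen, tunnel expected) per mismatch.

    An entry with no relay tunnel at all is reported with None as the tunnel seen.
    """
    bad = []
    for entry in parse_entries(output):
        nexthop = entry.get("Original nexthop")
        seen = entry.get("Relay Tunnel Out-Interface")
        if seen is None or seen != bindings.get(nexthop):
            bad.append((entry["prefix"], nexthop, seen, bindings.get(nexthop)))
    return bad
```

An empty result from check_recursion means every listed route is iterated to the tunnel that the policy binds to its next hop.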

Configuration Files

  • CE1 configuration file

    #
    sysname CE1
    #
    vlan batch 40
    #
    interface Vlanif40
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 40
    # 
    bgp 65410
     peer 10.1.1.2 as-number 100
     #
     ipv4-family unicast
      undo synchronization
      peer 10.1.1.2 enable
    # 
    return
  • UPE1 configuration file

    #
    sysname UPE1
    #
    vlan batch 20 40
    #
    ip vpn-instance vpna
     ipv4-family
      route-distinguisher 100:1
      tnl-policy bindTE 
      vpn-target 1:1 export-extcommunity
      vpn-target 1:1 import-extcommunity
    #
    mpls lsr-id 1.1.1.9
     mpls
      mpls te
      mpls rsvp-te
      mpls te cspf
    #
    interface Vlanif20
     ip address 172.1.1.1 255.255.255.0
     mpls
     mpls te
     mpls rsvp-te
    #
    interface Vlanif40
     ip binding vpn-instance vpna
     ip address 10.1.1.2 255.255.255.0
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 40
    #
    interface GigabitEthernet2/0/0
     port link-type trunk
     port trunk allow-pass vlan 20
    #
    interface LoopBack1
     ip address 1.1.1.9 255.255.255.255
    #
    interface Tunnel1
     ip address unnumbered interface LoopBack1
     tunnel-protocol mpls te
     destination 2.2.2.9
     mpls te tunnel-id 100
     mpls te reserved-for-binding
     mpls te commit
    #
    bgp 100
     peer 2.2.2.9 as-number 100
     peer 2.2.2.9 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 2.2.2.9 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 2.2.2.9 enable
    #
     ipv4-family vpn-instance vpna
      import-route direct
      peer 10.1.1.1 as-number 65410
    #
    ospf 1
     opaque-capability enable
     area 0.0.0.0
      network 1.1.1.9 0.0.0.0
      network 172.1.1.0 0.0.0.255
      mpls-te enable
    #
    tunnel-policy bindTE
     tunnel binding destination 2.2.2.9 te Tunnel1
    #
    return
  • CE3 configuration file

    #
    sysname CE3
    #
    vlan batch 50
    #
    interface Vlanif50
     ip address 10.3.1.1 255.255.255.0
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 50
    #
    bgp 65430
     peer 10.3.1.2 as-number 100
     #
     ipv4-family unicast
      undo synchronization
      peer 10.3.1.2 enable
    # 
    return
  • UPE2 configuration file

    #
    sysname UPE2
    #
    vlan batch 10 50
    #
    ip vpn-instance vpna
     ipv4-family
      route-distinguisher 100:3
      tnl-policy bindTE 
      vpn-target 1:1 export-extcommunity
      vpn-target 1:1 import-extcommunity
    #
    mpls lsr-id 4.4.4.9
     mpls
      mpls te
      mpls rsvp-te
      mpls te cspf 
    #
    interface Vlanif10
     ip address 172.3.1.1 255.255.255.0
     mpls
     mpls te
     mpls rsvp-te
    #
    interface Vlanif50
     ip binding vpn-instance vpna
     ip address 10.3.1.2 255.255.255.0
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 50
    #
    interface GigabitEthernet2/0/0
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    interface LoopBack1
     ip address 4.4.4.9 255.255.255.255
    #
    interface Tunnel1
     ip address unnumbered interface LoopBack1
     tunnel-protocol mpls te
     destination 2.2.2.9
     mpls te tunnel-id 100
     mpls te reserved-for-binding 
     mpls te commit
    #
    bgp 100
     peer 2.2.2.9 as-number 100
     peer 2.2.2.9 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 2.2.2.9 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 2.2.2.9 enable
    #
     ipv4-family vpn-instance vpna
      import-route direct
      peer 10.3.1.1 as-number 65430
    #
    ospf 1
     opaque-capability enable 
     area 0.0.0.0
      network 4.4.4.9 0.0.0.0
      network 172.3.1.0 0.0.0.255
      mpls-te enable
    #
    tunnel-policy bindTE
     tunnel binding destination 2.2.2.9 te Tunnel1
    #
    return
  • SPE configuration file

    #
    sysname SPE
    #
    vlan batch 10 20 30
    #
    ip vpn-instance vpna
     ipv4-family
      route-distinguisher 100:10
      tnl-policy bindTE
      vpn-target 1:1 export-extcommunity
      vpn-target 1:1 import-extcommunity
    #
    tunnel-selector bindTE permit node 10
     apply tunnel-policy bindTE 
    #
    mpls lsr-id 2.2.2.9
     mpls
      mpls te
      mpls rsvp-te
      mpls te cspf 
    #
    interface Vlanif10
     ip address 172.3.1.2 255.255.255.0
     mpls
     mpls te
     mpls rsvp-te
    #
    interface Vlanif20
     ip address 172.1.1.2 255.255.255.0
     mpls
     mpls te
     mpls rsvp-te
    #
    interface Vlanif30
     ip address 172.2.1.1 255.255.255.0
     mpls
     mpls te
     mpls rsvp-te
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 20
    #
    interface GigabitEthernet2/0/0
     port link-type trunk
     port trunk allow-pass vlan 30
    #
    interface GigabitEthernet3/0/0
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    interface LoopBack1
     ip address 2.2.2.9 255.255.255.255
    #
    interface Tunnel1
     ip address unnumbered interface LoopBack1
     tunnel-protocol mpls te
     destination 1.1.1.9
     mpls te tunnel-id 100
     mpls te reserved-for-binding 
     mpls te commit
    #
    interface Tunnel2
     ip address unnumbered interface LoopBack1
     tunnel-protocol mpls te
     destination 3.3.3.9
     mpls te tunnel-id 200
     mpls te reserved-for-binding 
     mpls te commit
    #
    interface Tunnel3
     ip address unnumbered interface LoopBack1
     tunnel-protocol mpls te
     destination 4.4.4.9
     mpls te tunnel-id 300
     mpls te reserved-for-binding 
     mpls te commit
    #
    bgp 100
     peer 1.1.1.9 as-number 100
     peer 1.1.1.9 connect-interface LoopBack1
     peer 3.3.3.9 as-number 100
     peer 3.3.3.9 connect-interface LoopBack1
     peer 4.4.4.9 as-number 100
     peer 4.4.4.9 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 1.1.1.9 enable
      peer 3.3.3.9 enable
      peer 4.4.4.9 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      tunnel-selector bindTE
      peer 1.1.1.9 enable
      peer 1.1.1.9 upe
      peer 1.1.1.9 default-originate vpn-instance vpna
      peer 3.3.3.9 enable
      peer 4.4.4.9 enable
      peer 4.4.4.9 upe
      peer 4.4.4.9 default-originate vpn-instance vpna
    #
    ospf 1
     opaque-capability enable
     area 0.0.0.0
      network 2.2.2.9 0.0.0.0
      network 172.1.1.0 0.0.0.255
      network 172.2.1.0 0.0.0.255
      network 172.3.1.0 0.0.0.255
      mpls-te enable
    #
    tunnel-policy bindTE
     tunnel binding destination 1.1.1.9 te Tunnel1
     tunnel binding destination 3.3.3.9 te Tunnel2
     tunnel binding destination 4.4.4.9 te Tunnel3
    #
    return
  • NPE configuration file

    #
    sysname NPE
    #
    vlan batch 30 60
    #
    ip vpn-instance vpna
     ipv4-family
      route-distinguisher 100:2
      tnl-policy bindTE
      vpn-target 1:1 export-extcommunity
      vpn-target 1:1 import-extcommunity
    #
    mpls lsr-id 3.3.3.9
     mpls
      mpls te
      mpls rsvp-te
      mpls te cspf
    #
    interface Vlanif30
     ip address 172.2.1.2 255.255.255.0
     mpls
     mpls te
     mpls rsvp-te
    #
    interface Vlanif60
     ip binding vpn-instance vpna
     ip address 10.2.1.2 255.255.255.0
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 60
    #
    interface GigabitEthernet2/0/0
     port link-type trunk
     port trunk allow-pass vlan 30
    #
    interface LoopBack1
     ip address 3.3.3.9 255.255.255.255
    #
    interface Tunnel1
     ip address unnumbered interface LoopBack1
     tunnel-protocol mpls te
     destination 2.2.2.9
     mpls te tunnel-id 100
     mpls te reserved-for-binding 
     mpls te commit
    #
    bgp 100
     peer 2.2.2.9 as-number 100
     peer 2.2.2.9 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 2.2.2.9 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 2.2.2.9 enable
    #
     ipv4-family vpn-instance vpna
      import-route direct
      peer 10.2.1.1 as-number 65420
    #
    ospf 1
     opaque-capability enable
     area 0.0.0.0
      network 3.3.3.9 0.0.0.0
      network 172.2.1.0 0.0.0.255
      mpls-te enable
    #
    tunnel-policy bindTE
     tunnel binding destination 2.2.2.9 te Tunnel1
    #
    return
  • CE2 configuration file

    #
    sysname CE2
    #
    vlan batch 60
    #
    interface Vlanif60
     ip address 10.2.1.1 255.255.255.0
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 60
    #
    bgp 65420
     peer 10.2.1.2 as-number 100
     #
     ipv4-family unicast
      undo synchronization
      peer 10.2.1.2 enable
    #
    return
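
The SPE configuration can be checked offline for the conditions this example depends on. The following Python sketch is an added example, not part of the Huawei documentation: it confirms that the BGP-VPNv4 address family applies a tunnel selector whose tunnel policy binds every enabled VPNv4 peer to a TE tunnel that terminates at that peer and is reserved for binding. The names SPE_CONFIG and audit_spe are assumptions of this example, and the destination check assumes the default shown by display tunnel-policy (Ignore-dest-check Disable).

```python
SPE_CONFIG = """\
tunnel-selector bindTE permit node 10
 apply tunnel-policy bindTE
#
interface Tunnel1
 destination 1.1.1.9
 mpls te reserved-for-binding
#
interface Tunnel2
 destination 3.3.3.9
 mpls te reserved-for-binding
#
interface Tunnel3
 destination 4.4.4.9
 mpls te reserved-for-binding
#
bgp 100
 ipv4-family vpnv4
  tunnel-selector bindTE
  peer 1.1.1.9 enable
  peer 3.3.3.9 enable
  peer 4.4.4.9 enable
#
tunnel-policy bindTE
 tunnel binding destination 1.1.1.9 te Tunnel1
 tunnel binding destination 3.3.3.9 te Tunnel2
 tunnel binding destination 4.4.4.9 te Tunnel3
"""  # constructed excerpt: tunnel-related lines of the SPE configuration file

def audit_spe(cfg):
    """Return findings that would leave VPNv4 routes without a usable TE tunnel."""
    dests, reserved, policies, selectors, peers = {}, set(), {}, {}, []
    applied, view, name = None, "", ""
    for raw in cfg.splitlines():
        w = raw.split() or ["#"]                # treat blank lines as separators
        if not raw[:1].isspace() and w[0] != "#":
            view, name = w[0], w[1] if len(w) > 1 else ""   # top-level view
        elif view.startswith("bgp") and w[0] == "ipv4-family":
            view = "bgp-" + w[1]                # address-family sub-view of bgp
        elif view == "interface" and w[0] == "destination":
            dests[name.lower()] = w[1]          # names compared case-insensitively
        elif view == "interface" and w == ["mpls", "te", "reserved-for-binding"]:
            reserved.add(name.lower())
        elif view == "tunnel-policy" and w[:2] == ["tunnel", "binding"] and len(w) > 5:
            policies.setdefault(name, {})[w[3]] = w[5].lower()
        elif view == "tunnel-selector" and w[:2] == ["apply", "tunnel-policy"]:
            selectors[name] = w[2]
        elif view == "bgp-vpnv4" and w[0] == "tunnel-selector":
            applied = w[1]
        elif view == "bgp-vpnv4" and w[0] == "peer" and w[2:] == ["enable"]:
            peers.append(w[1])
    policy = policies.get(selectors.get(applied))
    if policy is None:
        return ["BGP-VPNv4 has no tunnel-selector applying a defined tunnel-policy"]
    findings = []
    for peer in peers:
        tnl = policy.get(peer)
        if tnl is None:
            findings.append(f"VPNv4 peer {peer} has no tunnel binding")
        elif dests.get(tnl) != peer:
            findings.append(f"{tnl} is bound for {peer} but has another destination")
        elif tnl not in reserved:
            findings.append(f"{tnl} lacks mpls te reserved-for-binding")
    return findings
```

The function also accepts the full SPE configuration file, because lines it does not recognize are ignored.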
Updated: 2019-04-01

Document ID: EDOC1000178118
