S12700 V200R011C10 Configuration Guide - VPN

This document describes the VPN configuration procedures and provides configuration examples.

Example for Configuring a VLL Using an MPLS TE Tunnel

Networking Requirements

The MPLS network of an ISP provides the L2VPN service to many users. The users connect to the MPLS network through PE1 and PE2, and users connected to the PE devices change frequently. A proper VPN solution is required to provide secure VPN services for users and to simplify the configuration when new users connect to the network.

A VLL that uses an MPLS TE tunnel, as shown in Figure 5-30, satisfies these requirements.

NOTE:

By default, link type negotiation is enabled globally on the device. If a VLANIF interface is used as an AC-side interface for L2VPN, the configuration conflicts with link type negotiation. In this case, run the lnp disable command in the system view to disable link type negotiation.

The lnp disable command has no impact on services before the device restarts. After the device restarts, the device can only forward packets from the VLANs specified by the port default vlan command at Layer 2. The port default vlan 1 command is configured by default, so only packets of VLAN 1 can be forwarded at Layer 2.

Figure 5-30  VLL using an MPLS TE tunnel

Configuration Roadmap

MPLS TE tunnels can provide the FRR and hot standby functions to improve tunnel reliability.

A Martini VLL connection can be set up between CE1 and CE2, and a TE tunnel can be set up on the public network.

The configuration roadmap is as follows:

  1. Add interfaces to VLANs, assign IP addresses to VLANIF interfaces, and configure an IGP on the PE and P devices of the backbone network to implement interworking between the devices.

  2. Set up an MPLS TE tunnel and create a tunnel binding policy.

  3. Set up a remote LDP session between the PE devices to exchange VC labels between them.

  4. Create a VC connection between the PE devices, and apply a tunnel binding policy to the connection.

Procedure

  1. Add interfaces on the CE, PE, and P devices to VLANs, assign IP addresses to VLANIF interfaces, and configure an IGP on the PE and P devices of the backbone network according to Figure 5-30, to implement interworking between the devices.

    # Configure CE1. The configuration of CE2 is similar to that of CE1 and is not shown here.

    <HUAWEI> system-view
    [HUAWEI] sysname CE1
    [CE1] vlan batch 10
    [CE1] interface vlanif 10
    [CE1-Vlanif10] ip address 192.168.1.1 255.255.255.0
    [CE1-Vlanif10] quit
    [CE1] interface gigabitethernet 1/0/0
    [CE1-GigabitEthernet1/0/0] port link-type trunk
    [CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
    [CE1-GigabitEthernet1/0/0] quit

    # Configure PE1. The configurations of PE2 and the P device are similar to that of PE1 and are not shown here.

    <HUAWEI> system-view
    [HUAWEI] sysname PE1
    [PE1] vlan batch 10 100
    [PE1] interface vlanif 100
    [PE1-Vlanif100] ip address 172.1.1.1 255.255.255.0
    [PE1-Vlanif100] quit
    [PE1] interface loopback 1
    [PE1-LoopBack1] ip address 1.1.1.9 255.255.255.255
    [PE1-LoopBack1] quit
    [PE1] interface gigabitethernet 1/0/0
    [PE1-GigabitEthernet1/0/0] port link-type trunk
    [PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
    [PE1-GigabitEthernet1/0/0] quit
    [PE1] interface gigabitethernet 2/0/0
    [PE1-GigabitEthernet2/0/0] port link-type trunk
    [PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 100
    [PE1-GigabitEthernet2/0/0] quit
    [PE1] ospf 1
    [PE1-ospf-1] area 0
    [PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
    [PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
    [PE1-ospf-1-area-0.0.0.0] quit
    [PE1-ospf-1] quit

  2. Set up an MPLS TE tunnel and create a tunnel binding policy.

    • Enable MPLS, MPLS TE, and RSVP-TE globally on PE1, P, and PE2, and on all interfaces along the tunnel. Enable constraint shortest path first (CSPF) on the ingress of the tunnel.

      # Configure PE1.

      [PE1] mpls lsr-id 1.1.1.9
      [PE1] mpls
      [PE1-mpls] mpls te
      [PE1-mpls] mpls rsvp-te
      [PE1-mpls] mpls te cspf
      [PE1-mpls] quit
      [PE1] interface vlanif 100
      [PE1-Vlanif100] mpls
      [PE1-Vlanif100] mpls te
      [PE1-Vlanif100] mpls rsvp-te
      [PE1-Vlanif100] quit

      # Configure the P device.

      [P] mpls lsr-id 2.2.2.9
      [P] mpls
      [P-mpls] mpls te
      [P-mpls] mpls rsvp-te
      [P-mpls] quit
      [P] interface vlanif 100
      [P-Vlanif100] mpls
      [P-Vlanif100] mpls te
      [P-Vlanif100] mpls rsvp-te
      [P-Vlanif100] quit
      [P] interface vlanif 200
      [P-Vlanif200] mpls
      [P-Vlanif200] mpls te
      [P-Vlanif200] mpls rsvp-te
      [P-Vlanif200] quit

      # Configure PE2.

      [PE2] mpls lsr-id 3.3.3.9
      [PE2] mpls
      [PE2-mpls] mpls te
      [PE2-mpls] mpls rsvp-te
      [PE2-mpls] mpls te cspf
      [PE2-mpls] quit
      [PE2] interface vlanif 200
      [PE2-Vlanif200] mpls
      [PE2-Vlanif200] mpls te
      [PE2-Vlanif200] mpls rsvp-te
      [PE2-Vlanif200] quit
    • Configure OSPF TE on the MPLS backbone network to advertise TE information.

      # Configure PE1. The configurations of PE2 and the P device are similar to that of PE1 and are not shown here.

      [PE1] ospf 1
      [PE1-ospf-1] opaque-capability enable
      [PE1-ospf-1] area 0
      [PE1-ospf-1-area-0.0.0.0] mpls-te enable
      [PE1-ospf-1-area-0.0.0.0] quit
      [PE1-ospf-1] quit
    • Configure tunnel interfaces for the MPLS TE tunnel and enable MPLS TE CSPF.

      On the ingress of the tunnel, create a tunnel interface and set the IP address, tunnel protocol, destination IP address, tunnel ID, and dynamic signaling protocol for the tunnel interface. Then, run the mpls te commit command to commit the configuration.

      # Configure PE1.

      [PE1] interface tunnel 1
      [PE1-Tunnel1] ip address unnumbered interface loopback 1
      [PE1-Tunnel1] tunnel-protocol mpls te
      [PE1-Tunnel1] destination 3.3.3.9
      [PE1-Tunnel1] mpls te tunnel-id 100
      [PE1-Tunnel1] mpls te signal-protocol rsvp-te
      [PE1-Tunnel1] mpls te commit
      [PE1-Tunnel1] quit
      

      # Configure PE2.

      [PE2] interface tunnel 1
      [PE2-Tunnel1] ip address unnumbered interface loopback 1
      [PE2-Tunnel1] tunnel-protocol mpls te
      [PE2-Tunnel1] destination 1.1.1.9
      [PE2-Tunnel1] mpls te tunnel-id 100
      [PE2-Tunnel1] mpls te signal-protocol rsvp-te
      [PE2-Tunnel1] mpls te commit
      [PE2-Tunnel1] quit
      

      After the configuration is complete, run the display mpls te tunnel-interface command on the PE devices at both ends of the tunnel. The command output shows that an MPLS TE tunnel is set up successfully. The command output of PE1 is used as an example.

      [PE1] display mpls te tunnel-interface
          ----------------------------------------------------------------
                                     Tunnel1                
          ----------------------------------------------------------------
          Tunnel State Desc   :  UP                         
          Active LSP          :  Primary LSP                
          Session ID          :  100                         
          Ingress LSR ID      :  1.1.1.9          Egress LSR ID:  3.3.3.9
          Admin State         :  UP               Oper State   :  UP
          Primary LSP State      : UP
            Main LSP State       : READY               LSP ID  : 1  
                        
    • Configure a tunnel binding policy.

      # Configure PE1.

      [PE1] interface tunnel 1
      [PE1-Tunnel1] mpls te reserved-for-binding
      [PE1-Tunnel1] mpls te commit
      [PE1-Tunnel1] quit
      [PE1] tunnel-policy 1
      [PE1-tunnel-policy-1] tunnel binding destination 3.3.3.9 te tunnel 1
      [PE1-tunnel-policy-1] quit
      

      # Configure PE2.

      [PE2] interface tunnel 1
      [PE2-Tunnel1] mpls te reserved-for-binding
      [PE2-Tunnel1] mpls te commit
      [PE2-Tunnel1] quit
      [PE2] tunnel-policy 1
      [PE2-tunnel-policy-1] tunnel binding destination 1.1.1.9 te tunnel 1
      [PE2-tunnel-policy-1] quit
      

  3. Create a remote LDP session between PE1 and PE2.

    # Configure PE1.

    [PE1] mpls ldp
    [PE1-mpls-ldp] quit
    [PE1] mpls ldp remote-peer 3.3.3.9
    [PE1-mpls-ldp-remote-3.3.3.9] remote-ip 3.3.3.9
    [PE1-mpls-ldp-remote-3.3.3.9] quit

    # Configure PE2.

    [PE2] mpls ldp
    [PE2-mpls-ldp] quit
    [PE2] mpls ldp remote-peer 1.1.1.9
    [PE2-mpls-ldp-remote-1.1.1.9] remote-ip 1.1.1.9
    [PE2-mpls-ldp-remote-1.1.1.9] quit

    After the configuration is complete, run the display mpls ldp session command on PE1 to view the LDP session status. The command output shows that the LDP session status is Operational, indicating that a remote LDP session is established between PE1 and PE2.

    The command output of PE1 is used as an example.

    [PE1] display mpls ldp session
      
     LDP Session(s) in Public Network                      
     Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
     A '*' before a session means the session is being deleted. 
     ------------------------------------------------------------------------------
     PeerID             Status      LAM  SsnRole  SsnAge      KASent/Rcv
     ------------------------------------------------------------------------------ 
     3.3.3.9:0         Operational DU   Passive  0000:00:00  1/1 
     ------------------------------------------------------------------------------ 
     TOTAL: 1 session(s) Found.  
    

  4. Create a VC connection between the PE devices, and apply a tunnel binding policy to the connection.

    # Configure PE1. In this example, a VLANIF interface is used as the AC-side interface, so you need to run the lnp disable command in the system view before performing the following steps. If you cannot disable link type negotiation on the live network, do not use a VLANIF interface as the AC-side interface.

    [PE1] mpls l2vpn
    [PE1-l2vpn] quit
    [PE1] interface vlanif 10
    [PE1-Vlanif10] mpls l2vc 3.3.3.9 101 tunnel-policy 1
    [PE1-Vlanif10] quit

    # Configure PE2. In this example, a VLANIF interface is used as the AC-side interface, so you need to run the lnp disable command in the system view before performing the following steps. If you cannot disable link type negotiation on the live network, do not use a VLANIF interface as the AC-side interface.

    [PE2] mpls l2vpn
    [PE2-l2vpn] quit
    [PE2] interface vlanif 20
    [PE2-Vlanif20] mpls l2vc 1.1.1.9 101 tunnel-policy 1
    [PE2-Vlanif20] quit

  5. Verify the configuration.

    Check the L2VPN connections on the PE devices. You can see that an L2VC is set up and is in Up state.

    The command output of PE1 is used as an example.

    [PE1] display mpls l2vc interface vlanif 10
     *client interface       : Vlanif10 is up         
      Administrator PW       : no          
      session state          : up                     
      AC status              : up                     
      VC state               : up                      
      Label state            : 0                      
      Token state            : 0                     
      VC ID                  : 101                     
      VC type                : VLAN                    
      destination            : 3.3.3.9                 
      local group ID         : 0            remote group ID      : 0 
      local VC label         : 1026         remote VC label      : 1032
      local AC OAM State     : up                                 
      local PSN OAM State    : up                                
      local forwarding state : forwarding                        
      local status code      : 0x0                                
      remote AC OAM state    : up                               
      remote PSN OAM state   : up                              
      remote forwarding state: forwarding                           
      remote status code     : 0x0                                  
      ignore standby state   : no                                 
      BFD for PW             : unavailable                          
      VCCV State             : up                                   
      manual fault           : not set                           
      active state           : active                            
      forwarding entry       : exist                             
      link state             : up                       
      local VC MTU           : 1500         remote VC MTU        : 1500
      local VCCV             : alert ttl lsp-ping bfd   
      remote VCCV            : alert ttl lsp-ping bfd   
      local control word     : disable      remote control word  : disable
      tunnel policy name     : 1                                   
      PW template name       : --                                  
      primary or secondary   : primary                       
      load balance type      : flow      
      Access-port            : false    
      Switchover Flag        : false    
      VC tunnel/token info   : 1 tunnels/tokens  
        NO.0  TNL type       : cr lsp, TNL ID : 0x48000002 
        Backup TNL type      : lsp   , TNL ID : 0x0 
      create time            : 0 days, 4 hours, 16 minutes, 25 seconds  
      up time                : 0 days, 4 hours, 15 minutes, 58 seconds  
      last change time       : 0 days, 4 hours, 15 minutes, 58 seconds    
      VC last up time        : 2013/01/09 22:57:04   
      VC total up time       : 0 days, 4 hours, 15 minutes, 58 seconds    
      CKey                   : 4                                  
      NKey                   : 3                                 
      PW redundancy mode     : frr                                 
      AdminPw interface      : --                                  
      AdminPw link state     : --                               
      Diffserv Mode          : uniform                          
      Service Class          : be                               
      Color                  : --                               
      DomainId               : --                               
      Domain Name            : --  

    CE1 and CE2 can ping each other.

    The command output on CE1 is used as an example.

    [CE1] ping 192.168.1.2
      PING 192.168.1.2: 56  data bytes, press CTRL_C to break          
        Reply from 192.168.1.2: bytes=56 Sequence=1 ttl=255 time=10 ms 
        Reply from 192.168.1.2: bytes=56 Sequence=2 ttl=255 time=1 ms  
        Reply from 192.168.1.2: bytes=56 Sequence=3 ttl=255 time=10 ms 
        Reply from 192.168.1.2: bytes=56 Sequence=4 ttl=255 time=1 ms  
        Reply from 192.168.1.2: bytes=56 Sequence=5 ttl=255 time=10 ms 
                                                     
      --- 192.168.1.2 ping statistics ---            
        5 packet(s) transmitted                      
        5 packet(s) received                         
        0.00% packet loss                            
        round-trip min/avg/max = 1/6/10 ms

Configuration Files

  • CE1 configuration file

    #
    sysname CE1
    #
    vlan batch 10
    #
    interface Vlanif10
     ip address 192.168.1.1 255.255.255.0
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    return
  • PE1 configuration file

    The lnp disable command has no impact on services before the device restarts. After the device restarts, the device can only forward packets from the VLANs specified by the port default vlan command at Layer 2. The port default vlan 1 command is configured by default, so only packets of VLAN 1 can be forwarded at Layer 2.

    #
    sysname PE1
    #
    vlan batch 10 100
    #
    lnp disable
    #
    mpls lsr-id 1.1.1.9
    mpls
     mpls te
     mpls rsvp-te
     mpls te cspf
    #
    mpls l2vpn
    #
    mpls ldp
    #
    mpls ldp remote-peer 3.3.3.9
     remote-ip 3.3.3.9
    #
    interface Vlanif10
     mpls l2vc 3.3.3.9 101 tunnel-policy 1
    #
    interface Vlanif100
     ip address 172.1.1.1 255.255.255.0
     mpls
     mpls te
     mpls rsvp-te
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    interface GigabitEthernet2/0/0
     port link-type trunk
     port trunk allow-pass vlan 100
    #
    interface LoopBack1
     ip address 1.1.1.9 255.255.255.255
    #
    interface Tunnel1
     ip address unnumbered interface LoopBack1
     tunnel-protocol mpls te
     destination 3.3.3.9
     mpls te tunnel-id 100
     mpls te reserved-for-binding
     mpls te commit
    #
    ospf 1
     opaque-capability enable
     area 0.0.0.0
      network 1.1.1.9 0.0.0.0
      network 172.1.1.0 0.0.0.255
      mpls-te enable 
    #
    tunnel-policy 1 
     tunnel binding destination 3.3.3.9 te Tunnel1
    #
    return
  • P configuration file

    #
    sysname P
    #
    vlan batch 100 200
    #
    mpls lsr-id 2.2.2.9
    mpls
     mpls te
     mpls rsvp-te
    #
    interface Vlanif100
     ip address 172.1.1.2 255.255.255.0
     mpls
     mpls te
     mpls rsvp-te
    #
    interface Vlanif200
     ip address 172.1.2.1 255.255.255.0
     mpls
     mpls te
     mpls rsvp-te
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 100
    #
    interface GigabitEthernet2/0/0
     port link-type trunk
     port trunk allow-pass vlan 200
    #
    interface LoopBack1
     ip address 2.2.2.9 255.255.255.255
    #
    ospf 1
     opaque-capability enable
     area 0.0.0.0
      network 2.2.2.9 0.0.0.0
      network 172.1.1.0 0.0.0.255
      network 172.1.2.0 0.0.0.255
      mpls-te enable 
    #
    return
  • PE2 configuration file

    The lnp disable command has no impact on services before the device restarts. After the device restarts, the device can only forward packets from the VLANs specified by the port default vlan command at Layer 2. The port default vlan 1 command is configured by default, so only packets of VLAN 1 can be forwarded at Layer 2.

    #
    sysname PE2
    #
    vlan batch 20 200
    #
    lnp disable
    #
    mpls lsr-id 3.3.3.9
    mpls
     mpls te
     mpls rsvp-te
     mpls te cspf
    #
    mpls l2vpn
    #
    mpls ldp
    #
    mpls ldp remote-peer 1.1.1.9
     remote-ip 1.1.1.9
    #
    interface Vlanif20
     mpls l2vc 1.1.1.9 101 tunnel-policy 1
    #
    interface Vlanif200
     ip address 172.1.2.2 255.255.255.0
     mpls
     mpls te
     mpls rsvp-te
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 200
    #
    interface GigabitEthernet2/0/0
     port link-type trunk
     port trunk allow-pass vlan 20
    #
    interface LoopBack1
     ip address 3.3.3.9 255.255.255.255
    #
    interface Tunnel1
     ip address unnumbered interface LoopBack1
     tunnel-protocol mpls te
     destination 1.1.1.9
     mpls te tunnel-id 100
     mpls te reserved-for-binding
     mpls te commit
    #
    ospf 1
     opaque-capability enable
     area 0.0.0.0
      network 3.3.3.9 0.0.0.0
      network 172.1.2.0 0.0.0.255
      mpls-te enable 
    #
    tunnel-policy 1 
     tunnel binding destination 1.1.1.9 te Tunnel1
    #
    return
  • CE2 configuration file

    #
    sysname CE2
    #
    vlan batch 20
    #
    interface Vlanif20
     ip address 192.168.1.2 255.255.255.0
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 20
    #
    return
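
The VC in this example only comes up over the intended TE tunnel when several statements on both PEs agree with each other. The following Python check is an added example, not part of the Huawei guide: it reads two saved PE configurations in the form shown above and reports mismatched VC IDs or peers, a missing remote LDP peer, a tunnel policy that does not bind a reserved-for-binding TE tunnel to the L2VC peer, and a VLANIF AC without lnp disable. The function names and the trimmed sample text are assumptions of this example.

```python
import re

def parse_vrp(text):
    """Parse the parts of a saved VRP configuration that the VLL example relies on."""
    cfg = {"lsr_id": None, "lnp_disable": False, "l2vc": [],
           "ldp_peers": set(), "policies": {}, "tunnels": {}}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            continue
        if not raw.startswith(" "):              # unindented line opens a section
            section = line
            cfg["lnp_disable"] |= line == "lnp disable"
            if m := re.fullmatch(r"mpls lsr-id (\S+)", line):
                cfg["lsr_id"] = m[1]
        elif m := re.fullmatch(r"mpls l2vc (\S+) (\d+)(?: tunnel-policy (\S+))?", line):
            cfg["l2vc"].append((section.split()[-1], m[1], m[2], m[3]))  # AC, peer, VC ID, policy
        elif section.startswith("mpls ldp remote-peer") and line.startswith("remote-ip "):
            cfg["ldp_peers"].add(line.split()[1])
        elif section.startswith("interface Tunnel"):
            t = cfg["tunnels"].setdefault(section.split()[-1], {"dest": None, "reserved": False})
            if line.startswith("destination "):
                t["dest"] = line.split()[1]
            t["reserved"] |= line == "mpls te reserved-for-binding"
        elif m := re.fullmatch(r"tunnel binding destination (\S+) te (\S+)", line):
            cfg["policies"].setdefault(section.split()[-1], {})[m[1]] = m[2]
    return cfg

def audit_pe(local, remote):
    """Return a list of findings for `local`, cross-checked against its peer PE."""
    findings = []
    expected = {vc_id for _, peer, vc_id, _ in remote["l2vc"] if peer == local["lsr_id"]}
    for ac, peer, vc_id, policy in local["l2vc"]:
        if peer != remote["lsr_id"] or vc_id not in expected:
            findings.append(f"{ac}: no L2VC with peer {peer} and VC ID {vc_id} on the remote PE")
        if peer not in local["ldp_peers"]:
            findings.append(f"{ac}: no remote LDP peer {peer} to exchange VC labels")
        if ac.startswith("Vlanif") and not local["lnp_disable"]:
            findings.append(f"{ac}: VLANIF used as AC but 'lnp disable' is missing")
        tnl = local["tunnels"].get(local["policies"].get(policy, {}).get(peer))
        if tnl is None:
            findings.append(f"{ac}: tunnel policy {policy} binds no TE tunnel to {peer}")
        elif tnl["dest"] != peer or not tnl["reserved"]:
            findings.append(f"{ac}: bound tunnel is not a reserved-for-binding tunnel to {peer}")
    return findings

# Constructed sample: only the statements the audit reads ('#' separator lines omitted).
SAMPLE = """lnp disable
mpls lsr-id {me}
mpls ldp remote-peer {peer}
 remote-ip {peer}
interface {ac}
 mpls l2vc {peer} 101 tunnel-policy 1
interface Tunnel1
 destination {peer}
 mpls te reserved-for-binding
tunnel-policy 1
 tunnel binding destination {peer} te Tunnel1"""
PE1 = parse_vrp(SAMPLE.format(me="1.1.1.9", peer="3.3.3.9", ac="Vlanif10"))
PE2 = parse_vrp(SAMPLE.format(me="3.3.3.9", peer="1.1.1.9", ac="Vlanif20"))

if __name__ == "__main__":
    print(audit_pe(PE1, PE2), audit_pe(PE2, PE1))
```

The parser expects the saved-configuration form (for example `te Tunnel1`), not the interactive form typed at the prompt (`te tunnel 1`).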
Updated: 2019-04-01

Document ID: EDOC1000178118
