CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Configuring L3VPN Using LDP Signaling over GRE

Networking Requirements

In Figure 7-63:
  • Branch 1 connects to the VPN backbone network through CE1 and PE1.
  • Branch 2 connects to the VPN backbone network through CE2 and PE2.

On the backbone network, PEs provide MPLS functions, and the P does not provide MPLS functions.

The enterprise wants to deploy BGP/MPLS IP VPN between PE1 and PE2 and use LDP LSPs to transmit VPN data so that CE1 can communicate with CE2.

Figure 7-63  Networking for configuring L3VPN using LDP signaling over

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure OSPF between the PEs and P to implement IP connectivity on the backbone network.

  2. Configure basic MPLS functions and MPLS LDP on PEs so that MPLS LSPs can be established to transmit VPN data.

  3. Because the P device does not support MPLS functions and an LSP is required to transmit VPN data, use LDP over GRE so that a GRE tunnel is set up between PEs to transmit services over LDP LSPs. Create GRE tunnel interfaces on PEs, specify source and destination addresses of the tunnel, and establish a GRE tunnel between PEs to implement interworking on the MPLS network.

  4. Enable MPLS LDP on tunnel interfaces to implement LDP over GRE and establish MPLS LSPs.

  5. Configure VPN instances on PEs and bind each PE interface connected to a CE to a VPN instance.

  6. Establish an MP-IBGP peer relationship between PE1 and PE2, establish EBGP peer relationships between the PEs and CEs, and import VPN routes so that CE1 can communicate with CE2.

NOTE:

The IP address of the Loopback1 interface is used as the LSR ID; that is, LDP uses this IP address to establish a session. A GRE tunnel interface must have an IP address configured, and it uses the addresses of the Loopback0 interfaces as its source and destination addresses. The tunnel source and destination addresses and the physical interface are advertised by one IGP, and the IP address of the Loopback1 interface and the tunnel interface address are advertised by another IGP or a static route. If a static route is used, specify the tunnel interface as the outbound interface.
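The split described in this NOTE can be checked offline against a saved configuration file. The following is an added example, not part of the Huawei guide: it parses the OSPF wildcard masks and reports any OSPF process that carries both a GRE tunnel's source address and the LSR ID or tunnel interface address. The function names and the trimmed PE1 sample are constructed here, and the check assumes both sets of addresses are advertised by OSPF (a static-route overlay produces no finding).

```python
import re
from ipaddress import IPv4Address as IP

# Constructed sample: PE1's configuration file from this page, trimmed.
PE1 = """\
mpls lsr-id 1.1.1.9
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
interface Tunnel0/0/1
 ip address 20.1.1.1 255.255.255.0
 tunnel-protocol gre
 source LoopBack0
 destination 2.2.2.2
#
ospf 1
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 172.1.1.0 0.0.0.255
#
ospf 11
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 20.1.1.0 0.0.0.255
"""

def stanzas(cfg, keyword):
    """Map each '<keyword> <name>' stanza to its indented body."""
    return dict(re.findall(rf"^{keyword} (\S+)\n((?: .*\n)*)", cfg, re.M))

def ospf_covering(cfg, addr):
    """OSPF process IDs with a network statement (wildcard mask) matching addr."""
    def hit(net, wild):
        care = ~int(IP(wild)) & 0xFFFFFFFF  # wildcard 0-bits must match
        return int(IP(addr)) & care == int(IP(net)) & care
    return {pid for pid, body in stanzas(cfg, "ospf").items()
            if any(hit(*nw) for nw in re.findall(r"network (\S+) (\S+)", body))}

def audit(cfg):
    """Per tunnel: OSPF processes that carry its source AND the LSR ID or tunnel IP."""
    ifs = stanzas(cfg, "interface")
    ip = {n: m[1] for n, b in ifs.items() if (m := re.search(r"^ ip address (\S+)", b, re.M))}
    overlay = ospf_covering(cfg, re.search(r"^mpls lsr-id (\S+)", cfg, re.M)[1])
    out = {}
    for name, body in ifs.items():
        if (m := re.search(r"^ source (\S+)", body, re.M)) and name in ip:
            src = ip.get(m[1], m[1])  # source is an interface name or a literal address
            out[name] = sorted(ospf_covering(cfg, src) & (overlay | ospf_covering(cfg, ip[name])))
    return {name: procs for name, procs in out.items() if procs}
```

An empty result from `audit(PE1)` means the configuration follows the NOTE; widening the `ospf 1` statement to `network 1.1.1.0 0.0.0.255` would also match Loopback1 and be reported against `Tunnel0/0/1`.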

Procedure

  1. Configure OSPF between the PEs and P to implement IP connectivity on the backbone network.

    # Configure PE1.

    <Huawei> system-view
    [Huawei] sysname PE1
    [PE1] interface gigabitethernet 2/0/0
    [PE1-GigabitEthernet2/0/0] ip address 172.1.1.1 24
    [PE1-GigabitEthernet2/0/0] quit
    [PE1] interface loopback 0
    [PE1-LoopBack0] ip address 1.1.1.1 32
    [PE1-LoopBack0] quit
    [PE1] interface loopback 1
    [PE1-LoopBack1] ip address 1.1.1.9 32
    [PE1-LoopBack1] quit
    [PE1] ospf 1
    [PE1-ospf-1] area 0
    [PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
    [PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
    [PE1-ospf-1-area-0.0.0.0] quit
    [PE1-ospf-1] quit
    

    The configurations of PE2 and P are similar to the configuration of PE1, and are not mentioned here.

    After the configurations are complete, OSPF neighbor relationships can be set up between PE1, P, and PE2. Run the display ospf peer command. You can see that the neighbor status is Full. Run the display ip routing-table command. You can see that PEs have learnt the routes to Loopback1 of each other.

  2. Enable basic MPLS functions and MPLS LDP on PEs.

    # Configure PE1.

    [PE1] mpls lsr-id 1.1.1.9
    [PE1] mpls
    [PE1-mpls] quit
    [PE1] mpls ldp
    [PE1-mpls-ldp] quit

    # Configure PE2.

    [PE2] mpls lsr-id 2.2.2.9
    [PE2] mpls
    [PE2-mpls] quit
    [PE2] mpls ldp
    [PE2-mpls-ldp] quit

  3. Create GRE tunnel interfaces on PEs, and specify source and destination addresses of the tunnel.

    Create and configure GRE tunnel interfaces on PE1 and PE2, and establish a GRE tunnel between PEs to implement interworking on the MPLS network.

    # Configure PE1.

    [PE1] interface tunnel 0/0/1
    [PE1-Tunnel0/0/1] tunnel-protocol gre
    [PE1-Tunnel0/0/1] ip address 20.1.1.1 24
    [PE1-Tunnel0/0/1] source loopback 0
    [PE1-Tunnel0/0/1] destination 2.2.2.2
    [PE1-Tunnel0/0/1] quit
    [PE1] ospf 11
    [PE1-ospf-11] area 0
    [PE1-ospf-11-area-0.0.0.0] network 1.1.1.9 0.0.0.0
    [PE1-ospf-11-area-0.0.0.0] network 20.1.1.0 0.0.0.255
    [PE1-ospf-11-area-0.0.0.0] quit
    [PE1-ospf-11] quit

    # Configure PE2.

    [PE2] interface tunnel 0/0/1
    [PE2-Tunnel0/0/1] tunnel-protocol gre
    [PE2-Tunnel0/0/1] ip address 20.1.1.2 24
    [PE2-Tunnel0/0/1] source loopback 0
    [PE2-Tunnel0/0/1] destination 1.1.1.1
    [PE2-Tunnel0/0/1] quit
    [PE2] ospf 11
    [PE2-ospf-11] area 0
    [PE2-ospf-11-area-0.0.0.0] network 2.2.2.9 0.0.0.0
    [PE2-ospf-11-area-0.0.0.0] network 20.1.1.0 0.0.0.255
    [PE2-ospf-11-area-0.0.0.0] quit
    [PE2-ospf-11] quit

    After the configurations are complete, a GRE tunnel is set up between PE1 and PE2. Run the display ip routing-table command. You can see that PEs have learnt the routes to Loopback1 of each other.

  4. Enable MPLS LDP on tunnel interfaces of PEs.

    Enable MPLS LDP on tunnel interfaces of PE1 and PE2 so that MPLS LSPs can be established.

    # Configure PE1.

    [PE1] interface tunnel 0/0/1
    [PE1-Tunnel0/0/1] mpls
    [PE1-Tunnel0/0/1] mpls ldp
    [PE1-Tunnel0/0/1] quit

    # Configure PE2.

    [PE2] interface tunnel 0/0/1
    [PE2-Tunnel0/0/1] mpls
    [PE2-Tunnel0/0/1] mpls ldp
    [PE2-Tunnel0/0/1] quit

    After the configurations are complete, an LDP session can be set up between PE1 and PE2. Run the display mpls ldp session command. You can see that the Status field is Operational in the command output.

  5. Configure a VPN instance on each PE and connect CEs to PEs.

    # Configure PE1.

    [PE1] ip vpn-instance vpn1
    [PE1-vpn-instance-vpn1] ipv4-family
    [PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
    [PE1-vpn-instance-vpn1-af-ipv4] vpn-target 100:1 both
    [PE1-vpn-instance-vpn1-af-ipv4] quit
    [PE1-vpn-instance-vpn1] quit
    [PE1] interface gigabitethernet 1/0/0
    [PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpn1
    [PE1-GigabitEthernet1/0/0] ip address 10.1.1.2 24
    [PE1-GigabitEthernet1/0/0] quit

    # Configure PE2.

    [PE2] ip vpn-instance vpn1
    [PE2-vpn-instance-vpn1] ipv4-family
    [PE2-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:2
    [PE2-vpn-instance-vpn1-af-ipv4] vpn-target 100:1 both
    [PE2-vpn-instance-vpn1-af-ipv4] quit
    [PE2-vpn-instance-vpn1] quit
    [PE2] interface gigabitethernet 1/0/0
    [PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpn1
    [PE2-GigabitEthernet1/0/0] ip address 10.2.1.2 24
    [PE2-GigabitEthernet1/0/0] quit

    Configure IP addresses for CE interfaces according to Figure 7-63.

    # Configure CE1.

    <Huawei> system-view
    [Huawei] sysname CE1
    [CE1] interface gigabitethernet 1/0/0
    [CE1-GigabitEthernet1/0/0] ip address 10.1.1.1 24
    [CE1-GigabitEthernet1/0/0] quit

    The configuration of CE2 is similar to that of CE1, and is not mentioned here.

    After the configurations are complete, run the display ip vpn-instance verbose command on PEs to view the configurations of VPN instances. Each PE can successfully ping the connected CE.

    NOTE:

    If multiple interfaces on a PE are bound to the same VPN instance, specify a source IP address by including -a source-ip-address in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command to ping the remote CE. Otherwise, the ping operation fails.

  6. Set up EBGP peer relationships between the PEs and CEs and import VPN routes to EBGP.

    # Configure CE1.

    [CE1] bgp 65410
    [CE1-bgp] peer 10.1.1.2 as-number 100
    [CE1-bgp] import-route direct
    [CE1-bgp] quit

    # Configure PE1.

    [PE1] bgp 100
    [PE1-bgp] ipv4-family vpn-instance vpn1
    [PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410
    [PE1-bgp-vpn1] import-route direct
    [PE1-bgp-vpn1] quit
    [PE1-bgp] quit

    # Configure CE2.

    [CE2] bgp 65420
    [CE2-bgp] peer 10.2.1.2 as-number 100
    [CE2-bgp] import-route direct
    [CE2-bgp] quit

    # Configure PE2.

    [PE2] bgp 100
    [PE2-bgp] ipv4-family vpn-instance vpn1
    [PE2-bgp-vpn1] peer 10.2.1.1 as-number 65420
    [PE2-bgp-vpn1] quit
    [PE2-bgp] quit

    After the configurations are complete, run the display bgp vpnv4 vpn-instance peer command on PEs. You can see that BGP peer relationships have been established between PEs and CEs and are in Established state.

    The display on PE1 is used as an example.

    [PE1] display bgp vpnv4 vpn-instance vpn1 peer
    
     BGP local router ID : 1.1.1.9
     Local AS number : 100
    
     VPN-Instance vpn1, Router ID 1.1.1.9:
     Total number of peers : 1                Peers in established state : 1
    
      Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
    
      10.1.1.1        4       65410        6        3     0 00:01:14 Established       3

  7. Set up an MP-IBGP peer relationship between PEs.

    # Configure PE1.

    [PE1] bgp 100
    [PE1-bgp] peer 2.2.2.9 as-number 100
    [PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
    [PE1-bgp] ipv4-family vpnv4
    [PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
    [PE1-bgp-af-vpnv4] quit
    [PE1-bgp] quit

    # Configure PE2.

    [PE2] bgp 100
    [PE2-bgp] peer 1.1.1.9 as-number 100
    [PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
    [PE2-bgp] ipv4-family vpnv4
    [PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
    [PE2-bgp-af-vpnv4] quit
    [PE2-bgp] quit

    After the configurations are complete, run the display bgp vpnv4 all peer command on a PE. You can see that the BGP peer relationship between PEs is in Established state.

    [PE1] display bgp vpnv4 all peer
    
     BGP local router ID : 1.1.1.9
     Local AS number : 100
     Total number of peers : 2                Peers in established state : 2
    
      Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
    
      2.2.2.9         4         100        4        7     0 00:02:54 Established       0
    
      Peer of IPv4-family for vpn instance :
    
     VPN-Instance vpn1, Router ID 1.1.1.9:
      10.1.1.1        4       65410      122      119     0 01:57:43 Established       3

  8. Verify the configuration.

    # After the configurations are complete, CEs can learn routes to the interface of each other, and can ping each other successfully.

    # The display on CE1 is used as an example.

    [CE1] display ip routing-table 10.2.1.0
    Route Flags:
    R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Table : Public
    Summary Count : 1
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    
           10.2.1.0/24  EBGP    255  0           D   10.1.1.2        GigabitEthernet1/0/0
    
    [CE1] ping 10.2.1.1
      PING 10.2.1.1: 56  data bytes, press CTRL_C to break                          
        Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=253 time=1 ms                  
        Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=253 time=1 ms                  
        Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=253 time=1 ms                  
        Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=253 time=10 ms                 
        Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=253 time=1 ms                  
                                                                                    
      --- 10.2.1.1 ping statistics ---                                              
        5 packet(s) transmitted                                                     
        5 packet(s) received                                                        
        0.00% packet loss                                                           
        round-trip min/avg/max = 1/2/10 ms                                          
    

Configuration Files

  • CE1 configuration file

    #
     sysname CE1
    #
    interface GigabitEthernet1/0/0
     ip address 10.1.1.1 255.255.255.0
    #
    bgp 65410
     peer 10.1.1.2 as-number 100
     #
     ipv4-family unicast
      undo synchronization
      import-route direct
      peer 10.1.1.2 enable
    #
    return
  • PE1 configuration file

    #
     sysname PE1
    #
    ip vpn-instance vpn1
     ipv4-family
      route-distinguisher 100:1
      vpn-target 100:1 export-extcommunity
      vpn-target 100:1 import-extcommunity
    #
    mpls lsr-id 1.1.1.9
    mpls
    #                                                                               
    mpls ldp                                                                        
    #
    interface GigabitEthernet1/0/0
     ip binding vpn-instance vpn1
     ip address 10.1.1.2 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 172.1.1.1 255.255.255.0
    #
    interface LoopBack0
     ip address 1.1.1.1 255.255.255.255
    #
    interface LoopBack1
     ip address 1.1.1.9 255.255.255.255
    #
    interface Tunnel0/0/1
     ip address 20.1.1.1 255.255.255.0
     tunnel-protocol gre
     source LoopBack0
     destination 2.2.2.2
     mpls
     mpls ldp
    #
    bgp 100
     peer 2.2.2.9 as-number 100
     peer 2.2.2.9 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 2.2.2.9 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 2.2.2.9 enable
     #
     ipv4-family vpn-instance vpn1
      peer 10.1.1.1 as-number 65410
      import-route direct
    #
    ospf 1
     area 0.0.0.0
      network 1.1.1.1 0.0.0.0
      network 172.1.1.0 0.0.0.255
    #
    ospf 11
     area 0.0.0.0
      network 1.1.1.9 0.0.0.0
      network 20.1.1.0 0.0.0.255
    #
    return
  • P configuration file

    #
     sysname P
    #
    interface GigabitEthernet1/0/0
     ip address 172.1.1.2 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 172.2.1.1 255.255.255.0
    #
    ospf 1
     area 0.0.0.0
      network 172.1.1.0 0.0.0.255
      network 172.2.1.0 0.0.0.255
    #
    return
  • PE2 configuration file

    #
     sysname PE2
    #
    ip vpn-instance vpn1
     ipv4-family
      route-distinguisher 100:2
      vpn-target 100:1 export-extcommunity
      vpn-target 100:1 import-extcommunity
    #
    mpls lsr-id 2.2.2.9
    mpls
    #
    mpls ldp
    #
    interface GigabitEthernet1/0/0
     ip binding vpn-instance vpn1
     ip address 10.2.1.2 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 172.2.1.2 255.255.255.0
    #
    interface LoopBack0
     ip address 2.2.2.2 255.255.255.255
    #
    interface LoopBack1
     ip address 2.2.2.9 255.255.255.255
    #
    interface Tunnel0/0/1
     ip address 20.1.1.2 255.255.255.0
     tunnel-protocol gre
     source LoopBack0
     destination 1.1.1.1
     mpls
     mpls ldp
    #
    bgp 100
     peer 1.1.1.9 as-number 100
     peer 1.1.1.9 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 1.1.1.9 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 1.1.1.9 enable
     #
     ipv4-family vpn-instance vpn1
      peer 10.2.1.1 as-number 65420
    #
    ospf 1
     area 0.0.0.0
      network 2.2.2.2 0.0.0.0
      network 172.2.1.0 0.0.0.255
    #
    ospf 11
     area 0.0.0.0
      network 2.2.2.9 0.0.0.0
      network 20.1.1.0 0.0.0.255
    #
    return
  • CE2 configuration file

    #
     sysname CE2
    #
    interface GigabitEthernet1/0/0
     ip address 10.2.1.1 255.255.255.0
    #
    bgp 65420
     peer 10.2.1.2 as-number 100
     #
     ipv4-family unicast
      undo synchronization
      import-route direct
      peer 10.2.1.2 enable
    #
    return
Updated: 2019-08-07

Document ID: EDOC1100033725
