CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.

Example for Configuring Double RRs to Optimize the VPN Backbone Layer

Networking Requirements

When deploying a VPN, you can configure double route reflectors (RRs) on the VPN. To do so, select two Ps in the same AS on the backbone network as RRs, and ensure that the two RRs back up each other and reflect both public network routes and VPNv4 routes.

As shown in Figure 7-60, PE1, PE2, RR1, and RR2 are located in AS 100 on the backbone network. CE1 and CE2 belong to vpna. Select RR1 and RR2 as the RRs of the VPN.

Figure 7-60  Networking diagram for configuring double RRs on a VPN

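| Device | Interface | IP Address |
|--------|-----------|------------|
| PE1 | Loopback1 | 1.1.1.9/32 |
| PE1 | GE1/0/0 | 100.1.2.1/24 |
| PE1 | GE2/0/0 | 10.1.1.2/24 |
| PE1 | GE3/0/0 | 100.1.3.1/24 |
| PE2 | Loopback1 | 4.4.4.9/32 |
| PE2 | GE1/0/0 | 100.3.4.2/24 |
| PE2 | GE2/0/0 | 10.2.1.2/24 |
| PE2 | GE3/0/0 | 100.2.4.2/24 |
| RR1 | Loopback1 | 2.2.2.9/32 |
| RR1 | GE1/0/0 | 100.1.2.2/24 |
| RR1 | GE2/0/0 | 100.2.3.1/24 |
| RR1 | GE3/0/0 | 100.2.4.1/24 |
| RR2 | Loopback1 | 3.3.3.9/32 |
| RR2 | GE1/0/0 | 100.2.3.2/24 |
| RR2 | GE2/0/0 | 100.3.4.1/24 |
| RR2 | GE3/0/0 | 100.1.3.2/24 |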

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an IGP protocol on the MPLS backbone network for IP connectivity.
  2. Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network to set up MPLS LSPs.
  3. Configure VPN instances on PE1 and PE2 and bind the instances to the interfaces connected to the CEs. Configure the same VPN target for the VPN instances to enable users in the same VPN to communicate with each other.
  4. Set up EBGP peer relationships between the PEs and CEs and import VPN routes into BGP.
  5. Set up MP-IBGP peer relationships between PEs and RRs. The PEs do not need to set up an MP-IBGP peer relationship with each other.
  6. Configure the same reflector cluster ID for RR1 and RR2 so that they back up each other.
  7. Configure RR1 and RR2 to accept all VPNv4 routes without filtering the routes based on VPN targets, because RR1 and RR2 must save all VPNv4 routes and advertise them to PEs.

NOTE:

On a VPN with double RRs, ensure that each RR has at least two paths to a PE and the paths do not share the same network segment or node. If there is only one path between the RRs and PEs or if the paths share the same network segment or node, double RRs cannot improve network reliability.

Procedure

  1. Assign IP addresses to interfaces according to Figure 7-60.

    # Configure PE1.

    <Huawei> system-view
    [Huawei] sysname PE1
    [PE1] interface loopback 1
    [PE1-LoopBack1] ip address 1.1.1.9 32
    [PE1-LoopBack1] quit
    [PE1] interface gigabitethernet 1/0/0
    [PE1-GigabitEthernet1/0/0] ip address 100.1.2.1 24
    [PE1-GigabitEthernet1/0/0] quit
    [PE1] interface gigabitethernet 3/0/0
    [PE1-GigabitEthernet3/0/0] ip address 100.1.3.1 24
    [PE1-GigabitEthernet3/0/0] quit
    

    The configuration on PE2, RRs, CE1, and CE2 is similar to the configuration on PE1 and is not mentioned here.

  2. Configure an IGP protocol on the MPLS backbone network for IP connectivity.

    # Configure PE1.

    [PE1] ospf
    [PE1-ospf-1] area 0
    [PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
    [PE1-ospf-1-area-0.0.0.0] network 100.1.2.0 0.0.0.255
    [PE1-ospf-1-area-0.0.0.0] network 100.1.3.0 0.0.0.255
    [PE1-ospf-1-area-0.0.0.0] quit
    [PE1-ospf-1] quit
    

    The configuration on PE2 and RRs is similar to the configuration on PE1 and is not mentioned here.

    NOTE:

    The IP addresses of loopback interfaces that are used as LSR IDs need to be advertised.

    After the configuration is complete, the devices on the backbone network can learn the loopback interface addresses from each other.

    The information displayed on PE1 is used as an example.

    [PE1] display ip routing-table
    Route Flags:
    R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 17       Routes : 19
    
      Destination/Mask  Proto  Pre  Cost         Flags  NextHop         Interface
    
            1.1.1.9/32  Direct 0    0                D  127.0.0.1       LoopBack1
            2.2.2.9/32  OSPF   10   1                D  100.1.2.2       GigabitEthernet1/0/0
            3.3.3.9/32  OSPF   10   1                D  100.1.3.2       GigabitEthernet3/0/0
            4.4.4.9/32  OSPF   10   2                D  100.1.3.2       GigabitEthernet3/0/0
                        OSPF   10   2                D  100.1.2.2       GigabitEthernet1/0/0
          100.1.2.0/24  Direct 0    0                D  100.1.2.1       GigabitEthernet1/0/0
          100.1.2.1/32  Direct 0    0                D  127.0.0.1       GigabitEthernet1/0/0
        100.1.2.255/32  Direct 0    0                D  127.0.0.1       GigabitEthernet1/0/0
          100.1.3.0/24  Direct 0    0                D  100.1.3.1       GigabitEthernet3/0/0
          100.1.3.1/32  Direct 0    0                D  127.0.0.1       GigabitEthernet3/0/0
        100.1.3.255/32  Direct 0    0                D  127.0.0.1       GigabitEthernet3/0/0
          100.2.3.0/24  OSPF   10   2                D  100.1.3.2       GigabitEthernet3/0/0
                        OSPF   10   2                D  100.1.2.2       GigabitEthernet1/0/0
          100.2.4.0/24  OSPF   10   2                D  100.1.2.2       GigabitEthernet1/0/0
          100.3.4.0/24  OSPF   10   2                D  100.1.3.2       GigabitEthernet3/0/0
          127.0.0.0/8   Direct 0    0                D  127.0.0.1       InLoopBack0
          127.0.0.1/32  Direct 0    0                D  127.0.0.1       InLoopBack0
    127.255.255.255/32  Direct 0    0                D  127.0.0.1       InLoopBack0
    255.255.255.255/32  Direct 0    0                D  127.0.0.1       InLoopBack0
    

  3. Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network to set up LDP LSPs.

    # Configure PE1.

    [PE1] mpls lsr-id 1.1.1.9
    [PE1] mpls
    [PE1-mpls] quit
    [PE1] mpls ldp
    [PE1-mpls-ldp] quit
    [PE1] interface gigabitethernet 1/0/0
    [PE1-GigabitEthernet1/0/0] mpls
    [PE1-GigabitEthernet1/0/0] mpls ldp
    [PE1-GigabitEthernet1/0/0] quit
    [PE1] interface gigabitethernet 3/0/0
    [PE1-GigabitEthernet3/0/0] mpls
    [PE1-GigabitEthernet3/0/0] mpls ldp
    [PE1-GigabitEthernet3/0/0] quit
    

    The configuration on PE2 and RRs is similar to the configuration on PE1 and is not mentioned here.

    After the configuration is complete, run the display mpls ldp session command on the PEs and RRs. The Status field in the command output shows Operational.

    The information displayed on PE1 and RR1 is used as an example.

    [PE1] display mpls ldp session
    
     LDP Session(s) in Public Network
     Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
     A '*' before a session means the session is being deleted. 
    ----------------------------------------------------------------------
     PeerID             Status      LAM  SsnRole  SsnAge      KASent/Rcv
    ----------------------------------------------------------------------
     2.2.2.9:0          Operational DU   Passive  0000:00:01  8/8
     3.3.3.9:0          Operational DU   Passive  0000:00:00  4/4
    ----------------------------------------------------------------------
     TOTAL: 2 session(s) Found.
    
    [RR1] display mpls ldp session
    
     LDP Session(s) in Public Network
     Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
     A '*' before a session means the session is being deleted. 
    ----------------------------------------------------------------------
     PeerID             Status      LAM  SsnRole  SsnAge      KASent/Rcv
    ----------------------------------------------------------------------
     1.1.1.9:0          Operational DU   Active   000:00:02   11/11
     3.3.3.9:0          Operational DU   Passive  000:00:01   8/8
     4.4.4.9:0          Operational DU   Passive  000:00:00   4/4
    ----------------------------------------------------------------------
     TOTAL: 3 session(s) Found.
    

  4. Configure VPN instances on the PEs.

    # Configure PE1.

    [PE1] ip vpn-instance vpna
    [PE1-vpn-instance-vpna] ipv4-family
    [PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
    [PE1-vpn-instance-vpna-af-ipv4] vpn-target 1:1 both
    [PE1-vpn-instance-vpna-af-ipv4] quit
    [PE1-vpn-instance-vpna] quit
    [PE1] interface gigabitethernet 2/0/0
    [PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpna
    [PE1-GigabitEthernet2/0/0] ip address 10.1.1.2 24
    [PE1-GigabitEthernet2/0/0] quit
    

    The configuration on PE2 is similar to the configuration on PE1 and is not mentioned here.

  5. Set up EBGP peer relationships between the PEs and CEs and import VPN routes into BGP.

    # Configure CE1.

    [CE1] bgp 65410
    [CE1-bgp] peer 10.1.1.2 as-number 100
    [CE1-bgp] quit
    

    The configuration on CE2 is similar to the configuration on CE1 and is not mentioned here.

    # Configure PE1.

    [PE1] bgp 100
    [PE1-bgp] ipv4-family vpn-instance vpna
    [PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
    [PE1-bgp-vpna] import-route direct
    [PE1-bgp-vpna] quit
    [PE1-bgp] quit
    

    The configuration on PE2 is similar to the configuration on PE1 and is not mentioned here.

  6. Set up MP-IBGP peer relationships between PEs and RRs.

    # Configure PE1.

    [PE1] bgp 100
    [PE1-bgp] peer 2.2.2.9 as-number 100
    [PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
    [PE1-bgp] peer 3.3.3.9 as-number 100
    [PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
    [PE1-bgp] ipv4-family vpnv4
    [PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
    [PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
    [PE1-bgp-af-vpnv4] quit
    [PE1-bgp] quit

    # Configure RR1.

    [RR1] bgp 100
    [RR1-bgp] group rr1 internal
    [RR1-bgp] peer rr1 connect-interface loopback 1
    [RR1-bgp] peer 1.1.1.9 group rr1
    [RR1-bgp] peer 3.3.3.9 group rr1
    [RR1-bgp] peer 4.4.4.9 group rr1
    [RR1-bgp] ipv4-family vpnv4
    [RR1-bgp-af-vpnv4] peer rr1 enable
    [RR1-bgp-af-vpnv4] peer 1.1.1.9 group rr1
    [RR1-bgp-af-vpnv4] peer 3.3.3.9 group rr1
    [RR1-bgp-af-vpnv4] peer 4.4.4.9 group rr1
    [RR1-bgp-af-vpnv4] quit
    [RR1-bgp] quit

    # Configure RR2.

    [RR2] bgp 100
    [RR2-bgp] group rr2 internal
    [RR2-bgp] peer rr2 connect-interface loopback 1
    [RR2-bgp] peer 1.1.1.9 group rr2
    [RR2-bgp] peer 2.2.2.9 group rr2
    [RR2-bgp] peer 4.4.4.9 group rr2
    [RR2-bgp] ipv4-family vpnv4
    [RR2-bgp-af-vpnv4] peer rr2 enable
    [RR2-bgp-af-vpnv4] peer 1.1.1.9 group rr2
    [RR2-bgp-af-vpnv4] peer 2.2.2.9 group rr2
    [RR2-bgp-af-vpnv4] peer 4.4.4.9 group rr2
    [RR2-bgp-af-vpnv4] quit
    [RR2-bgp] quit

    The configuration on PE2 is similar to the configuration on PE1 and is not mentioned here.

    After the configuration is complete, run the display bgp vpnv4 all peer command on the PEs. The command output shows that the PEs have set up IBGP peer relationships with RRs, and the peer relationships are in Established state. The PEs also set up EBGP peer relationships with the CEs.

    The information displayed on PE1 is used as an example.

    [PE1] display bgp vpnv4 all peer
    
     BGP local router ID : 1.1.1.9
     Local AS number : 100
     Total number of peers : 3                 Peers in established state : 3
      Peer          V    AS   MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
      2.2.2.9       4    100   2        4         0   00:00:31    Established   0
      3.3.3.9       4    100   3        5         0   00:01:23    Established   0
    
      Peer of IPv4-family for vpn instance :                                        
                                                                                    
     VPN-Instance vpna, Router ID 1.1.1.9: 
      10.1.1.1      4    65410 79       82        0   01:13:29    Established    0

  7. Configure route reflection on RR1 and RR2.

    # Configure RR1.

    [RR1] bgp 100
    [RR1-bgp] ipv4-family vpnv4
    [RR1-bgp-af-vpnv4] reflector cluster-id 100
    [RR1-bgp-af-vpnv4] peer rr1 reflect-client 
    [RR1-bgp-af-vpnv4] undo policy vpn-target
    [RR1-bgp-af-vpnv4] quit
    [RR1-bgp] quit

    # Configure RR2.

    [RR2] bgp 100
    [RR2-bgp] ipv4-family vpnv4
    [RR2-bgp-af-vpnv4] reflector cluster-id 100
    [RR2-bgp-af-vpnv4] peer rr2 reflect-client
    [RR2-bgp-af-vpnv4] undo policy vpn-target
    [RR2-bgp-af-vpnv4] quit
    [RR2-bgp] quit

  8. Verify the configuration.

    # Check the VPN routing table on a PE. The routing table contains a route to the remote CE.

    # The information displayed on PE1 is used as an example.

    [PE1] display ip routing-table vpn-instance vpna
    Route Flags:
    R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Tables: vpna
             Destinations : 8        Routes : 8
    
      Destination/Mask  Proto  Pre  Cost         Flags  NextHop         Interface
    
           10.1.1.0/24  Direct 0    0                D  10.1.1.2        GigabitEthernet2/0/0
           10.1.1.2/32  Direct 0    0                D  127.0.0.1       GigabitEthernet2/0/0
         10.1.1.255/32  Direct 0    0                D  127.0.0.1       GigabitEthernet2/0/0
           10.2.1.0/24  IBGP   255  0               RD  4.4.4.9         GigabitEthernet3/0/0
          127.0.0.0/8   Direct 0    0                D  127.0.0.1       InLoopBack0
          127.0.0.1/32  Direct 0    0                D  127.0.0.1       InLoopBack0
    127.255.255.255/32  Direct 0    0                D  127.0.0.1       InLoopBack0
    255.255.255.255/32  Direct 0    0                D  127.0.0.1       InLoopBack0 

    # If CE1 and CE2 can ping each other, the route reflection function has been configured successfully.

    # Run the shutdown command in the view of GE3/0/0 on PE1 and GE3/0/0 on PE2. CE1 and CE2 can still ping each other, indicating that the RRs are successfully configured.

Configuration Files

  • PE1 configuration file

    #
     sysname PE1
    #
    ip vpn-instance vpna
     ipv4-family
      route-distinguisher 100:1
      vpn-target 1:1 export-extcommunity
      vpn-target 1:1 import-extcommunity
    #
    mpls lsr-id 1.1.1.9
    mpls
    #
    mpls ldp
    #
    interface GigabitEthernet1/0/0
     ip address 100.1.2.1 255.255.255.0
     mpls
     mpls ldp
    #
    interface GigabitEthernet2/0/0
     ip binding vpn-instance vpna
     ip address 10.1.1.2 255.255.255.0
    #
    interface GigabitEthernet3/0/0
     ip address 100.1.3.1 255.255.255.0
     mpls
     mpls ldp
    #
    interface LoopBack1
     ip address 1.1.1.9 255.255.255.255
    #
    bgp 100
     peer 2.2.2.9 as-number 100
     peer 2.2.2.9 connect-interface LoopBack1
     peer 3.3.3.9 as-number 100
     peer 3.3.3.9 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 2.2.2.9 enable
      peer 3.3.3.9 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 2.2.2.9 enable
      peer 3.3.3.9 enable
     #
     ipv4-family vpn-instance vpna
      peer 10.1.1.1 as-number 65410
      import-route direct
    #
    ospf 1
     area 0.0.0.0
      network 1.1.1.9 0.0.0.0
      network 100.1.2.0 0.0.0.255
      network 100.1.3.0 0.0.0.255
    #
    return 
  • RR1 configuration file

    #
     sysname RR1
    #
    mpls lsr-id 2.2.2.9
    mpls
    #
    mpls ldp
    #
    interface GigabitEthernet1/0/0
     ip address 100.1.2.2 255.255.255.0
     mpls
     mpls ldp
    #
    interface GigabitEthernet2/0/0
     ip address 100.2.3.1 255.255.255.0
     mpls
     mpls ldp
    #
    interface GigabitEthernet3/0/0
     ip address 100.2.4.1 255.255.255.0
     mpls
     mpls ldp
    #
    interface LoopBack1
     ip address 2.2.2.9 255.255.255.255
    #
    bgp 100
     peer 1.1.1.9 as-number 100
     peer 3.3.3.9 as-number 100
     peer 4.4.4.9 as-number 100
     group rr1 internal
     peer rr1 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer rr1 enable
      peer 1.1.1.9 enable
      peer 1.1.1.9 group rr1
      peer 3.3.3.9 enable
      peer 3.3.3.9 group rr1
      peer 4.4.4.9 enable
      peer 4.4.4.9 group rr1
     #
     ipv4-family vpnv4
      reflector cluster-id 100
      undo policy vpn-target
      peer rr1 enable
      peer rr1 reflect-client
      peer 1.1.1.9 enable
      peer 1.1.1.9 group rr1
      peer 3.3.3.9 enable
      peer 3.3.3.9 group rr1
      peer 4.4.4.9 enable
      peer 4.4.4.9 group rr1
    #
    ospf 1
     area 0.0.0.0
      network 100.1.2.0 0.0.0.255
      network 100.2.3.0 0.0.0.255
      network 100.2.4.0 0.0.0.255
      network 2.2.2.9 0.0.0.0
    #
    return
  • RR2 configuration file

    #
     sysname RR2
    #
    mpls lsr-id 3.3.3.9
    mpls
    #
    mpls ldp
    #
    interface GigabitEthernet1/0/0
     ip address 100.2.3.2 255.255.255.0
     mpls
     mpls ldp
    #
    interface GigabitEthernet2/0/0
     ip address 100.3.4.1 255.255.255.0
     mpls
     mpls ldp
    #
    interface GigabitEthernet3/0/0
     ip address 100.1.3.2 255.255.255.0
     mpls
     mpls ldp
    #
    interface LoopBack1
     ip address 3.3.3.9 255.255.255.255
    #
    bgp 100
     peer 1.1.1.9 as-number 100
     peer 2.2.2.9 as-number 100
     peer 4.4.4.9 as-number 100
     group rr2 internal
     peer rr2 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer rr2 enable
      peer 1.1.1.9 enable
      peer 1.1.1.9 group rr2
      peer 2.2.2.9 enable
      peer 2.2.2.9 group rr2
      peer 4.4.4.9 enable
      peer 4.4.4.9 group rr2
     #
     ipv4-family vpnv4
      reflector cluster-id 100
      undo policy vpn-target
      peer rr2 enable
      peer rr2 reflect-client
      peer 1.1.1.9 enable
      peer 1.1.1.9 group rr2
      peer 2.2.2.9 enable
      peer 2.2.2.9 group rr2
      peer 4.4.4.9 enable
      peer 4.4.4.9 group rr2
    #
    ospf 1
     area 0.0.0.0
      network 100.2.3.0 0.0.0.255
      network 100.3.4.0 0.0.0.255
      network 100.1.3.0 0.0.0.255
      network 3.3.3.9 0.0.0.0
    #
    return
  • PE2 configuration file

    #
     sysname PE2
    #
    ip vpn-instance vpna
     ipv4-family
      route-distinguisher 100:1
      vpn-target 1:1 export-extcommunity
      vpn-target 1:1 import-extcommunity
    #
    mpls lsr-id 4.4.4.9
    mpls
    #
    mpls ldp
    #
    interface GigabitEthernet1/0/0
     ip address 100.3.4.2 255.255.255.0
     mpls
     mpls ldp
    #
    interface GigabitEthernet2/0/0
     ip binding vpn-instance vpna
     ip address 10.2.1.2 255.255.255.0
    #
    interface GigabitEthernet3/0/0
     ip address 100.2.4.2 255.255.255.0
     mpls
     mpls ldp
    #
    interface LoopBack1
     ip address 4.4.4.9 255.255.255.255
    #
    bgp 100
     peer 2.2.2.9 as-number 100
     peer 2.2.2.9 connect-interface LoopBack1
     peer 3.3.3.9 as-number 100
     peer 3.3.3.9 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 2.2.2.9 enable
      peer 3.3.3.9 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 3.3.3.9 enable
      peer 2.2.2.9 enable
     #
     ipv4-family vpn-instance vpna
      peer 10.2.1.1 as-number 65420
      import-route direct
    #
    ospf 1
     area 0.0.0.0
      network 4.4.4.9 0.0.0.0
      network 100.3.4.0 0.0.0.255
      network 100.2.4.0 0.0.0.255
    #
    return
  • CE1 configuration file

    #
     sysname CE1
    #
    interface GigabitEthernet1/0/0
     ip address 10.1.1.1 255.255.255.0
    #
    bgp 65410
     peer 10.1.1.2 as-number 100
     #
     ipv4-family unicast
      undo synchronization
      peer 10.1.1.2 enable
    #
    return
  • CE2 configuration file

    #
     sysname CE2
    #
    interface GigabitEthernet1/0/0
     ip address 10.2.1.1 255.255.255.0
    #
    bgp 65420
     peer 10.2.1.2 as-number 100
     #
     ipv4-family unicast
      undo synchronization
      peer 10.2.1.2 enable
    #
    return
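
The settings from roadmap steps 5 to 7 (each PE peers with both RRs in VPNv4, both RRs share one cluster ID, RRs run `undo policy vpn-target` while PEs keep the filter) can be checked offline against saved configuration files. The Python script below is an added example, not part of the Huawei guide: `parse_bgp`, `audit` and the sample configurations are constructed for illustration, and it assumes each device's MPLS LSR ID is also the loopback address used for BGP peering, as it is on this page.

```python
import re

def parse_bgp(cfg):
    """Split one VRP configuration file into its BGP address-family sections."""
    lsr = re.search(r"^mpls lsr-id (\S+)", cfg, re.M)
    fams, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if raw.startswith("bgp "):
            cur = "global"
        elif cur is not None and raw[:1] not in (" ", ""):
            cur = None  # unindented line: the BGP section has ended
        elif cur is not None and line.startswith("ipv4-family "):
            cur = line.split(None, 1)[1]
        elif cur is not None and line not in ("", "#"):
            fams.setdefault(cur, []).append(line)
    return {"lsr_id": lsr.group(1) if lsr else None, "families": fams}

def audit(rr_cfgs, pe_cfgs):
    """Check the double-RR settings from roadmap steps 5 to 7; return findings."""
    findings, cluster_ids, rr_ids = [], set(), set()
    for name, cfg in rr_cfgs.items():
        dev = parse_bgp(cfg)
        v4 = dev["families"].get("vpnv4", [])
        rr_ids.add(dev["lsr_id"] or name)
        cluster_ids.add(next((l.split()[-1] for l in v4
                              if l.startswith("reflector cluster-id ")), f"unset:{name}"))
        if "undo policy vpn-target" not in v4:
            findings.append(f"{name}: VPN-target filtering is on, RR will not keep all VPNv4 routes")
        if not any(l.endswith(" reflect-client") for l in v4):
            findings.append(f"{name}: no reflect-client in vpnv4")
        if any(l.split()[:2] == ["peer", dev["lsr_id"]]
               for lines in dev["families"].values() for l in lines):
            findings.append(f"{name}: peer statement points at its own address {dev['lsr_id']}")
    if len(cluster_ids) > 1:
        findings.append(f"RRs do not share one cluster ID: {sorted(cluster_ids)}")
    for name, cfg in pe_cfgs.items():
        v4 = parse_bgp(cfg)["families"].get("vpnv4", [])
        enabled = {l.split()[1] for l in v4 if l.startswith("peer ") and l.endswith(" enable")}
        findings += [f"{name}: no VPNv4 peering with RR {rr}" for rr in sorted(rr_ids - enabled)]
        if "undo policy vpn-target" in v4:
            findings.append(f"{name}: VPN-target filtering is disabled on a PE")
    return findings

# Constructed sample input: trimmed BGP sections in the style of the files above.
RR1 = """mpls lsr-id 2.2.2.9
bgp 100
 group rr1 internal
 #
 ipv4-family vpnv4
  reflector cluster-id 100
  undo policy vpn-target
  peer rr1 enable
  peer rr1 reflect-client
#
"""
RR2_GOOD = RR1.replace("2.2.2.9", "3.3.3.9").replace("rr1", "rr2")
# Constructed drift: different cluster ID, VPN-target filtering left enabled.
RR2_DRIFT = RR2_GOOD.replace("cluster-id 100", "cluster-id 200").replace("  undo policy vpn-target\n", "")
PE1 = "mpls lsr-id 1.1.1.9\nbgp 100\n #\n ipv4-family vpnv4\n  policy vpn-target\n  peer 2.2.2.9 enable\n#\n"

if __name__ == "__main__":
    print("\n".join(audit({"RR1": RR1, "RR2": RR2_DRIFT}, {"PE1": PE1})))
```
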
Updated: 2019-08-07

Document ID: EDOC1100033725
