CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.

Configuring an MCE Device

A multi-VPN-instance CE (MCE) device can connect to multiple VPNs. The MCE solution isolates services of different VPNs while reducing the cost of network devices.

Pre-configuration Tasks

Before configuring an MCE device, complete the following tasks:

  • Configuring a VPN instance on the multi-instance CE and on the PE that it accesses (one VPN instance for each service)

  • Configuring the link layer protocol and network layer protocol for LAN interfaces and connecting the LAN to the multi-instance CE (each service uses one interface to access the multi-instance CE)

  • Binding the related VPN instances to the interfaces of the multi-instance CE and to the PE interfaces through which the PE accesses the multi-instance CE, and configuring IP addresses for those interfaces

Configuration Procedure

The following tasks are mandatory and can be performed in any order.

Configure Route Exchange Between an MCE Device and VPN Sites

Context

Routing protocols that can be used between an MCE device and VPN sites are static routing, RIP (Routing Information Protocol), OSPF (Open Shortest Path First), IS-IS (Intermediate System to Intermediate System), and BGP (Border Gateway Protocol). Choose one of the following configurations as needed:

The following configurations are performed on the MCE device. On the devices in the site, you only need to configure the corresponding routing protocol.

Configure Static Routes Between an MCE Device and a Site

Perform the following configurations on the MCE device. You only need to configure a static route to the MCE device in the site. The site configuration is not provided here. For detailed configuration of static routes, see Static Route Configuration in the Huawei AR Series Access Routers Configuration Guide - IP Routing.

Table 7-13  MCE configuration

| Action | Command | Description |
| --- | --- | --- |
| Enter the system view. | system-view | - |
| Configure a static route to the site. | ip route-static vpn-instance vpn-source-name destination-address { mask \| mask-length } { nexthop-address [ public ] \| interface-type interface-number [ nexthop-address ] } [ preference preference \| tag tag ] * | You must specify the next hop address on the MCE device. |

Configure RIP Between an MCE Device and a Site

Perform the following configurations on the MCE device. Configure RIPv1 or RIPv2 in the site. The site configuration is not provided here. For detailed RIP configuration, see RIP Configuration in the Huawei AR Series Access Routers Configuration Guide - IP Routing.

Table 7-14  MCE configuration

| Action | Command | Description |
| --- | --- | --- |
| Enter the system view. | system-view | - |
| Create a RIP process running between the MCE device and the site and enter the RIP view. | rip process-id vpn-instance vpn-instance-name | A RIP process can be bound to only one VPN instance. If a RIP process is not bound to any VPN instance before it is started, this process becomes a public network process and can no longer be bound to a VPN instance. |
| Enable RIP on the network segment of the interface to which the VPN instance is bound. | network network-address | - |
| (Optional) Import the routes to the remote sites advertised by the PE device into the RIP routing table. | import-route { { static \| direct \| unr } \| { rip \| ospf \| isis } [ process-id ] } [ cost cost \| route-policy route-policy-name ] *<br>import-route bgp [ cost { cost \| transparent } \| route-policy route-policy-name ] * | Perform this step if another routing protocol is running between the MCE and PE devices in the VPN instance. |

Configure OSPF Between an MCE Device and a Site

Perform the following configurations on the MCE device. Configure OSPF in the site. The site configuration is not provided here. For detailed OSPF configuration, see OSPF Configuration in the Huawei AR Series Access Routers Configuration Guide - IP Routing.

Table 7-15  MCE configuration

| Action | Command | Description |
| --- | --- | --- |
| Enter the system view. | system-view | - |
| Create an OSPF process running between the MCE device and the site and enter the OSPF view. | ospf [ process-id \| router-id router-id ] * vpn-instance vpn-instance-name | - |
| (Optional) Import the routes to the remote sites advertised by the PE device into the OSPF routing table. | import-route { bgp [ permit-ibgp ] \| direct \| unr \| rip [ process-id-rip ] \| static \| isis [ process-id-isis ] \| ospf [ process-id-ospf ] } [ cost cost \| type type \| tag tag \| route-policy route-policy-name ] * | Perform this step if another routing protocol is running between the MCE and PE devices in the VPN instance. |
| Configure an OSPF area and enter the OSPF area view. | area { area-id \| area-id-address } | - |
| Enable OSPF on the network segment of the interface to which the VPN instance is bound. | network ip-address wildcard-mask | - |

Configure IS-IS Between an MCE Device and a Site

Perform the following configurations on the MCE device. You only need to configure IS-IS in the site. The site configuration is not provided here. For detailed IS-IS configuration, see IS-IS Configuration in the Huawei AR Series Access Routers Configuration Guide - IP Routing.

Table 7-16  MCE configuration

| Action | Command | Description |
| --- | --- | --- |
| Enter the system view. | system-view | - |
| Create an IS-IS process running between the MCE device and the site and enter the IS-IS view. | isis process-id vpn-instance vpn-instance-name | An IS-IS process can be bound to only one VPN instance. If an IS-IS process is not bound to any VPN instance before it is started, this process becomes a public network process and can no longer be bound to a VPN instance. |
| Set a network entity title (NET) for the IS-IS process. | network-entity net | A NET specifies the current IS-IS area address and the system ID of the router. A maximum of three NETs can be configured for one process on each router. |
| Import the routes to the remote sites advertised by the PE device into the IS-IS routing table. | Use either of the following commands:<br>• import-route { direct \| static \| unr \| { ospf \| rip \| isis } [ process-id ] \| bgp } [ cost-type { external \| internal } \| cost cost \| tag tag \| route-policy route-policy-name \| [ level-1 \| level-2 \| level-1-2 ] ] *<br>• import-route { { ospf \| rip \| isis } [ process-id ] \| bgp \| direct \| unr } inherit-cost [ { level-1 \| level-2 \| level-1-2 } \| tag tag \| route-policy route-policy-name ] * | Perform this step if another routing protocol is running between the MCE and PE devices in the VPN instance. |
| Return to system view. | quit | - |
| Enter the view of the interface to which the VPN instance is bound. | interface interface-type interface-number | - |
| Enable IS-IS on the interface. | isis enable [ process-id ] | - |

Configure BGP Between an MCE Device and a Site

Perform the following configurations on the MCE device.

Table 7-17  MCE configuration

| Action | Command | Description |
| --- | --- | --- |
| Enter the system view. | system-view | - |
| Enter the BGP view. | bgp { as-number-plain \| as-number-dot } | - |
| Enter the BGP-VPN instance IPv4 address family view. | ipv4-family vpn-instance vpn-instance-name | - |
| Configure the device connected to the MCE device in the site as a VPN peer. | peer ipv4-address as-number as-number | - |
| Import the routes to the remote sites advertised by the PE device into the BGP routing table. | import-route protocol [ process-id ] [ med med \| route-policy route-policy-name ] * | Perform this step if another routing protocol is running between the MCE and PE devices in the VPN instance. |

Perform the following configurations on the device connected to the MCE device in the site.

Table 7-18  Site configuration

| Action | Command | Description |
| --- | --- | --- |
| Enter the system view. | system-view | - |
| Enter the BGP view. | bgp { as-number-plain \| as-number-dot } | - |
| Configure the MCE device as a VPN peer. | peer ipv4-address as-number as-number | - |
| Import IGP routes of the VPN into the BGP routing table. | import-route protocol [ process-id ] [ med med \| route-policy route-policy-name ] * | The site must advertise routes to its attached VPN network segments to the MCE device. |

Configure Route Exchange Between an MCE Device and a PE Device

Context

Routing protocols that can be used between an MCE device and a PE device are static routing, RIP, OSPF, IS-IS, and BGP. Choose one of the following configurations as needed:

The following configurations are performed on the MCE device. The configurations on the PE device are similar to those on a PE device in the BGP/MPLS IP VPN networking. For detailed configuration, see Configuring Route Exchange Between PE and CE Devices.

Configure Static Routes Between an MCE Device and a PE Device

Perform the following configurations on the MCE device.

Table 7-19  MCE configuration

| Action | Command | Description |
| --- | --- | --- |
| Enter the system view. | system-view | - |
| Configure a static route to the PE device. | ip route-static vpn-instance vpn-source-name destination-address { mask \| mask-length } vpn-instance vpn-destination-name nexthop-address [ preference preference \| tag tag ] * | You must specify the next hop address on the MCE device. |

Configure RIP Between an MCE Device and a PE Device

Perform the following configurations on the MCE device.

Table 7-20  MCE configuration

| Action | Command | Description |
| --- | --- | --- |
| Enter the system view. | system-view | - |
| Create a RIP process running between the MCE and PE devices and enter the RIP view. | rip process-id vpn-instance vpn-instance-name | A RIP process can be bound to only one VPN instance. If a RIP process is not bound to any VPN instance before it is started, this process becomes a public network process and can no longer be bound to a VPN instance. |
| Enable RIP on the network segment of the interface to which the VPN instance is bound. | network network-address | - |
| (Optional) Import VPN routes of the site into the RIP routing table. | import-route { { static \| direct \| unr } \| { rip \| ospf \| isis } [ process-id ] } [ cost cost \| route-policy route-policy-name ] *<br>import-route bgp [ cost { cost \| transparent } \| route-policy route-policy-name ] * | Perform this step if another routing protocol is running between the MCE device and VPN sites in the VPN instance. |

Configure OSPF Between an MCE Device and a PE Device

Perform the following configurations on the MCE device.

Table 7-21  MCE configuration

| Action | Command | Description |
| --- | --- | --- |
| Enter the system view. | system-view | - |
| Create an OSPF process running between the MCE and PE devices and enter the OSPF view. | ospf [ process-id \| router-id router-id ] * vpn-instance vpn-instance-name | - |
| (Optional) Import VPN routes of the site into the OSPF routing table. | import-route { bgp [ permit-ibgp ] \| direct \| unr \| rip [ process-id-rip ] \| static \| isis [ process-id-isis ] \| ospf [ process-id-ospf ] } [ cost cost \| type type \| tag tag \| route-policy route-policy-name ] * | Perform this step if another routing protocol is running between the MCE device and VPN sites in the VPN instance. |
| Disable routing loop detection in the OSPF process. | vpn-instance-capability simple | By default, routing loop detection is disabled in an OSPF process. If routing loop detection is not disabled in the OSPF process on the MCE device, the MCE device rejects OSPF routes sent from the PE device. |
| Configure an OSPF area and enter the OSPF area view. | area { area-id \| area-id-address } | - |
| Enable OSPF on the network segment of the interface to which the VPN instance is bound. | network ip-address wildcard-mask | - |

Configure IS-IS Between an MCE Device and a PE Device

Perform the following configurations on the MCE device.

Table 7-22  MCE configuration

| Action | Command | Description |
| --- | --- | --- |
| Enter the system view. | system-view | - |
| Create an IS-IS process running between the MCE and PE devices and enter the IS-IS view. | isis process-id vpn-instance vpn-instance-name | An IS-IS process can be bound to only one VPN instance. If an IS-IS process is not bound to any VPN instance before it is started, this process becomes a public network process and can no longer be bound to a VPN instance. |
| Set a network entity title (NET) for the IS-IS process. | network-entity net | A NET specifies the current IS-IS area address and the system ID of the router. A maximum of three NETs can be configured for one process on each router. |
| (Optional) Import VPN routes of the site into the IS-IS routing table. | Use either of the following commands:<br>• import-route { direct \| static \| unr \| { ospf \| rip \| isis } [ process-id ] \| bgp } [ cost-type { external \| internal } \| cost cost \| tag tag \| route-policy route-policy-name \| [ level-1 \| level-2 \| level-1-2 ] ] *<br>• import-route { { ospf \| rip \| isis } [ process-id ] \| bgp \| direct \| unr } inherit-cost [ { level-1 \| level-2 \| level-1-2 } \| tag tag \| route-policy route-policy-name ] * | Perform this step if another routing protocol is running between the MCE device and VPN sites in the VPN instance. |
| Return to system view. | quit | - |
| Enter the view of the interface to which the VPN instance is bound. | interface interface-type interface-number | - |
| Enable IS-IS on the interface. | isis enable [ process-id ] | - |

Configure BGP Between an MCE Device and a PE Device

Perform the following configurations on the MCE device.

Table 7-23  MCE configuration

| Action | Command | Description |
| --- | --- | --- |
| Enter the system view. | system-view | - |
| Enter the BGP view. | bgp { as-number-plain \| as-number-dot } | - |
| Enter the BGP-VPN instance IPv4 address family view. | ipv4-family vpn-instance vpn-instance-name | - |
| Configure the PE device as the VPN peer of the MCE device. | peer ipv4-address as-number as-number | - |
| Import the routes to the remote sites advertised by the PE device into the BGP routing table. | import-route protocol [ process-id ] [ med med \| route-policy route-policy-name ] * | Perform this step if another routing protocol is running between the MCE device and VPN sites in the VPN instance. |

Verifying the MCE Configuration

Prerequisites

The configurations of the Multi-VPN-Instance CE function are complete.

Procedure

  • Run the display ip routing-table vpn-instance vpn-instance-name [ verbose ] command to check the VPN routing table on the multi-instance CE. If there are routes to the LAN and the remote nodes for each service, the configuration is successful.
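
An offline complement to the routing-table check, as an added Python example (not part of the Huawei guide): it audits a saved configuration for the VPN-instance binding rule noted in the RIP and IS-IS tables, the vpn-instance-capability simple setting from Table 7-21, and import-route sources bound to a different VPN instance. The sample configuration is constructed, pe_facing_ospf is a hypothetical parameter, and the parser assumes the display current-configuration layout with explicit process IDs.

```python
import re

# Constructed sample in "display current-configuration" layout (not from a real device).
SAMPLE = """\
rip 100 vpn-instance vpna
 import-route ospf 200
#
ospf 200 vpn-instance vpna
 import-route rip 100
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
#
ospf 300 vpn-instance vpnb
 vpn-instance-capability simple
 import-route isis 1
#
isis 1
 network-entity 10.0000.0000.0001.00
"""

# Section headers start in column 0; assumes the process ID is written out (assumption).
HEADER = re.compile(r"^(rip|ospf|isis)\s+(\d+)\b(?:.*?\bvpn-instance\s+(\S+))?")
IMPORT = re.compile(r"^import-route\s+(rip|ospf|isis)\s+(\d+)")

def parse(config):  # -> {(protocol, pid): {"vpn": name or None, "body": [lines]}}
    procs, current = {}, None
    for line in config.splitlines():
        head = HEADER.match(line)
        if head:
            proto, pid, vpn = head.groups()
            current = procs[(proto, pid)] = {"vpn": vpn, "body": []}
        elif line.startswith(" ") and current is not None:
            current["body"].append(line.strip())
        else:
            current = None  # "#" or any other top-level line closes the section
    return procs

def audit(config, pe_facing_ospf=()):
    """pe_facing_ospf (hypothetical parameter): OSPF process IDs that peer with the PE."""
    procs, findings = parse(config), []
    for (proto, pid), p in procs.items():
        if p["vpn"] is None:
            findings.append(f"{proto} {pid}: not bound to a VPN instance (public network process)")
        if (proto == "ospf" and int(pid) in pe_facing_ospf
                and "vpn-instance-capability simple" not in p["body"]):
            findings.append(f"{proto} {pid}: PE-facing but missing vpn-instance-capability simple")
        for m in filter(None, map(IMPORT.match, p["body"])):
            if procs.get(m.groups(), {}).get("vpn") != p["vpn"]:
                findings.append(f"{proto} {pid}: imports {' '.join(m.groups())}, not bound to {p['vpn']}")
    return sorted(findings)
```

Calling audit(SAMPLE, pe_facing_ospf={200, 300}) reports the unbound isis 1 process, the missing setting on ospf 200, and the import of isis 1 into a process bound to vpnb.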
Updated: 2019-08-07

Document ID: EDOC1100033725
