CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.

Example for Configuring IP FRR for VPN Routes

Networking Requirements

When multiple CEs in a site connect to the same PE, the PE learns multiple IP VPN routes with the same VPN prefix. To use one of these routes as the primary route and the others as backup routes, configure IP FRR for VPN routes. The PE then generates a primary route and backup routes to the VPN prefix. When the link of the primary route fails, IP traffic on the VPN is quickly switched to the link of a backup route.

As shown in Figure 7-58, the PE has two OSPF routes to RTA. The route on Link_A is the optimal route, and the route on Link_B is the suboptimal route. IP FRR for VPN routes needs to be configured on the PE to quickly switch IP traffic on the VPN to Link_B when Link_A fails.

Figure 7-58  Networking diagram for configuring IP FRR for VPN routes

Configuration Roadmap

The configuration roadmap is as follows:

  1. Enable basic OSPF functions on each router so that routes to RTA can be advertised to CE1 and CE2.

  2. On the PE, configure VPN instance vpn1, bind GE1/0/0 and GE2/0/0 to vpn1, and configure OSPF multi-instance.

  3. Set the OSPF cost on GE2/0/0 of both the PE and RTA to a large value so that OSPF preferentially selects Link_A.

  4. Configure IP FRR for VPN routes on the PE.

  5. Configure BFD to detect the link status.

Procedure

  1. Assign IP addresses to interfaces.

    # Assign IP addresses to the interfaces on RTA.

    <Huawei> system-view
    [Huawei] sysname RTA
    [RTA] interface gigabitethernet 1/0/0
    [RTA-GigabitEthernet1/0/0] ip address 10.3.1.2 30
    [RTA-GigabitEthernet1/0/0] quit
    [RTA] interface gigabitethernet 2/0/0
    [RTA-GigabitEthernet2/0/0] ip address 10.4.1.2 30
    [RTA-GigabitEthernet2/0/0] quit
    [RTA] interface gigabitethernet 3/0/0
    [RTA-GigabitEthernet3/0/0] ip address 10.5.1.1 24
    [RTA-GigabitEthernet3/0/0] quit
    

    The configuration on the PE, CE1, and CE2 is similar to the configuration on RTA and is not shown here.

  2. Configure OSPF on CE1, CE2, and RTA.

    # Configure CE1.

    [CE1] ospf 1
    [CE1-ospf-1] area 0
    [CE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.3
    [CE1-ospf-1-area-0.0.0.0] network 10.3.1.0 0.0.0.3
    [CE1-ospf-1-area-0.0.0.0] quit
    [CE1-ospf-1] quit

    The configuration on CE2 and RTA is similar to the configuration on CE1 and is not shown here.

    After the configuration is complete, CE1, CE2, and RTA can learn interface addresses from each other. The information displayed on CE1 is used as an example.

    [CE1] display ip routing-table
    Route Flags:
    R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 13       Routes : 13
    
     Destination/Mask  Proto  Pre  Cost        Flags  NextHop         Interface
    
          10.1.1.0/30  Direct 0    0               D  10.1.1.2        GigabitEthernet1/0/0
          10.1.1.2/32  Direct 0    0               D  127.0.0.1       GigabitEthernet1/0/0
          10.1.1.3/32  Direct 0    0               D  127.0.0.1       GigabitEthernet1/0/0
          10.3.1.0/30  Direct 0    0               D  10.3.1.1        GigabitEthernet2/0/0
          10.3.1.1/32  Direct 0    0               D  127.0.0.1       GigabitEthernet2/0/0
          10.3.1.3/32  Direct 0    0               D  127.0.0.1       GigabitEthernet2/0/0
          10.2.1.0/30  OSPF   10   3               D  10.3.1.2        GigabitEthernet2/0/0
          10.4.1.0/30  OSPF   10   2               D  10.3.1.2        GigabitEthernet2/0/0
          10.5.1.0/24  OSPF   10   2               D  10.3.1.2        GigabitEthernet2/0/0
         127.0.0.0/8   Direct 0    0               D  127.0.0.1       InLoopBack0
         127.0.0.1/32  Direct 0    0               D  127.0.0.1       InLoopBack0
    127.255.255.255/32 Direct 0    0               D  127.0.0.1       InLoopBack0 
    255.255.255.255/32 Direct 0    0               D  127.0.0.1       InLoopBack0

  3. Configure a VPN instance and OSPF multi-instance on the PE.

    # On the PE, configure VPN instance vpn1 and bind GE1/0/0 and GE2/0/0 to vpn1.

    [PE] ip vpn-instance vpn1
    [PE-vpn-instance-vpn1] ipv4-family
    [PE-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
    [PE-vpn-instance-vpn1-af-ipv4] vpn-target 111:1
    [PE-vpn-instance-vpn1-af-ipv4] quit
    [PE-vpn-instance-vpn1] quit
    [PE] interface gigabitethernet 1/0/0
    [PE-GigabitEthernet1/0/0] ip binding vpn-instance vpn1
    [PE-GigabitEthernet1/0/0] ip address 10.1.1.1 30
    [PE-GigabitEthernet1/0/0] quit
    [PE] interface gigabitethernet 2/0/0
    [PE-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
    [PE-GigabitEthernet2/0/0] ip address 10.2.1.1 30
    [PE-GigabitEthernet2/0/0] quit

    # Configure OSPF multi-instance on the PE.

    [PE] ospf vpn-instance vpn1
    [PE-ospf-1] area 0
    [PE-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.3
    [PE-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.3
    [PE-ospf-1-area-0.0.0.0] quit
    [PE-ospf-1] quit

  4. Set the cost on the OSPF interface.

    # Set the cost on GE2/0/0 of the PE to 100 so that OSPF preferentially selects Link_A.

    [PE] interface gigabitethernet 2/0/0
    [PE-GigabitEthernet2/0/0] ospf cost 100
    [PE-GigabitEthernet2/0/0] quit

    # Set the cost on GE2/0/0 of RTA to 100 so that OSPF preferentially selects Link_A.

    [RTA] interface gigabitethernet 2/0/0
    [RTA-GigabitEthernet2/0/0] ospf cost 100
    [RTA-GigabitEthernet2/0/0] quit

  5. Configure a routing policy.

    # On the PE, configure a routing policy that specifies a backup next hop and a backup outbound interface. Use an if-match clause so that the policy applies only to routes matching IP prefix list frr1 (10.5.1.0/24).

    [PE] ip ip-prefix frr1 permit 10.5.1.0 24
    [PE] route-policy ip_frr_rp permit node 10
    [PE-route-policy] if-match ip-prefix frr1
    [PE-route-policy] apply backup-nexthop 10.2.1.2
    [PE-route-policy] apply backup-interface gigabitethernet 2/0/0
    [PE-route-policy] quit

  6. Configure association between BFD and IP FRR.

    # Configure the PE.

    [PE] bfd
    [PE-bfd] quit
    [PE] bfd for_ip_frr bind peer-ip 10.1.1.2 vpn-instance vpn1 interface gigabitethernet 1/0/0
    [PE-bfd-session-for_ip_frr] discriminator local 10
    [PE-bfd-session-for_ip_frr] discriminator remote 20
    [PE-bfd-session-for_ip_frr] min-tx-interval 100
    [PE-bfd-session-for_ip_frr] min-rx-interval 100
    [PE-bfd-session-for_ip_frr] commit
    [PE-bfd-session-for_ip_frr] quit

    # Configure CE1.

    [CE1] bfd
    [CE1-bfd] quit
    [CE1] bfd for_ip_frr bind peer-ip 10.1.1.1 interface gigabitethernet 1/0/0
    [CE1-bfd-session-for_ip_frr] discriminator local 20
    [CE1-bfd-session-for_ip_frr] discriminator remote 10
    [CE1-bfd-session-for_ip_frr] min-tx-interval 100
    [CE1-bfd-session-for_ip_frr] min-rx-interval 100
    [CE1-bfd-session-for_ip_frr] commit
    [CE1-bfd-session-for_ip_frr] quit

    # Run the display bfd session all verbose command on the PE and CE1. The command output shows that the BFD session status is Up.

  7. Enable IP FRR for VPN routes.

    [PE] ip vpn-instance vpn1
    [PE-vpn-instance-vpn1] ipv4-family
    [PE-vpn-instance-vpn1-af-ipv4] ip frr route-policy ip_frr_rp
    [PE-vpn-instance-vpn1-af-ipv4] quit
    [PE-vpn-instance-vpn1] quit

  8. Verify the configurations.

    # Run the display ip routing-table vpn-instance command on the PE. The command output shows that the next hop of the route to 10.5.1.0/24 is 10.1.1.2, and the route has a backup next hop and a backup outbound interface.

    [PE] display ip routing-table vpn-instance vpn1 10.5.1.0 verbose
    Route Flags:
    R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Table : vpn1  
    Summary Count : 1   
    Destination: 10.5.1.0/24
         Protocol: OSPF            Process ID: 1
       Preference: 10                    Cost: 3
          NextHop: 10.1.1.2         Neighbour: 0.0.0.0
            State: Active Adv             Age: 00h00m03s
              Tag: 0                 Priority: low
            Label: NULL               QoSInfo: 0x0
       IndirectID: 0x0
     RelayNextHop: 0.0.0.0          Interface: GigabitEthernet1/0/0
         TunnelID: 0x0                  Flags: D
        BkNextHop: 10.2.1.2       BkInterface: GigabitEthernet2/0/0
          BkLabel: NULL           SecTunnelID: 0x0
     BkPETunnelID: 0x0        BkPESecTunnelID: 0x0
     BkIndirectID: 0x0 

    # Run the shutdown command on GE1/0/0 of CE1 to simulate a link failure.

    [CE1] interface gigabitethernet 1/0/0
    [CE1-GigabitEthernet1/0/0] shutdown
    [CE1-GigabitEthernet1/0/0] quit

    # Run the display ip routing-table vpn-instance command on the PE again. The command output shows that the next hop of the route to 10.5.1.0/24 is 10.2.1.2.

    [PE] display ip routing-table vpn-instance vpn1 10.5.1.0 verbose
    Route Flags:
    R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Table : vpn1  
    Summary Count : 1   
    Destination: 10.5.1.0/24
         Protocol: OSPF            Process ID: 1
       Preference: 10                    Cost: 102
          NextHop: 10.2.1.2         Neighbour: 0.0.0.0
            State: Active Adv             Age: 00h01m03s
              Tag: 0                 Priority: low
            Label: NULL               QoSInfo: 0x0
       IndirectID: 0x0
     RelayNextHop: 0.0.0.0          Interface: GigabitEthernet2/0/0
         TunnelID: 0x0                  Flags: D
        BkNextHop: 10.2.1.2       BkInterface: GigabitEthernet2/0/0
          BkLabel: NULL           SecTunnelID: 0x0
     BkPETunnelID: 0x0        BkPESecTunnelID: 0x0
     BkIndirectID: 0x0 
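
A check for the verification step above, as an added example that is not part of the original guide: it parses the verbose routing-table output and reports whether each prefix still has a backup path distinct from its primary path. The sample text is abridged from the two outputs on this page; the function names and status labels are assumptions of this example, and handling several destinations in one output goes beyond the single-route case shown.

```python
import re

# Abridged from the two "display ip routing-table vpn-instance vpn1 10.5.1.0
# verbose" outputs on this page, with interface names spelled GigabitEthernet.
BEFORE_FAILURE = """\
Destination: 10.5.1.0/24
     Protocol: OSPF            Process ID: 1
   Preference: 10                    Cost: 3
      NextHop: 10.1.1.2         Neighbour: 0.0.0.0
        State: Active Adv             Age: 00h00m03s
 RelayNextHop: 0.0.0.0          Interface: GigabitEthernet1/0/0
    BkNextHop: 10.2.1.2       BkInterface: GigabitEthernet2/0/0
"""
AFTER_FAILURE = """\
Destination: 10.5.1.0/24
     Protocol: OSPF            Process ID: 1
   Preference: 10                    Cost: 102
      NextHop: 10.2.1.2         Neighbour: 0.0.0.0
        State: Active Adv             Age: 00h01m03s
 RelayNextHop: 0.0.0.0          Interface: GigabitEthernet2/0/0
    BkNextHop: 10.2.1.2       BkInterface: GigabitEthernet2/0/0
"""

# "Key: value" pairs, two per line; a value may contain single spaces ("Active Adv").
FIELD = re.compile(r"(\w+):[ \t]+(\S+(?: \S+)*)")

def parse_routes(text):
    """Split verbose output into one field dict per 'Destination:' entry."""
    chunks = re.split(r"(?=Destination:)", text)
    return [dict(FIELD.findall(c)) for c in chunks if c.startswith("Destination:")]

def frr_status(route):
    """Classify one route: protected, unprotected or no-backup."""
    bk_nh, bk_if = route.get("BkNextHop"), route.get("BkInterface")
    if not bk_nh or not bk_if:
        return "no-backup"        # entry carries no backup fields
    if bk_nh == route.get("NextHop") or bk_if == route.get("Interface"):
        return "unprotected"      # traffic already uses the backup path
    return "protected"            # distinct primary and backup paths

def frr_report(text):
    """Map each destination prefix in the output to its FRR status."""
    return {r["Destination"]: frr_status(r) for r in parse_routes(text)}

if __name__ == "__main__":
    print("before:", frr_report(BEFORE_FAILURE))
    print("after: ", frr_report(AFTER_FAILURE))
```

Run against periodic captures of the command output, an "unprotected" result after a switchover is the signal that Link_A should be restored before a second failure occurs.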

Configuration Files

  • PE configuration file

    #
     sysname PE
    #
    ip vpn-instance vpn1
     ipv4-family
      route-distinguisher 100:1
      ip frr route-policy ip_frr_rp
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
     bfd
    #
    interface GigabitEthernet1/0/0
     ip binding vpn-instance vpn1
     ip address 10.1.1.1 255.255.255.252
    #
    interface GigabitEthernet2/0/0
     ip binding vpn-instance vpn1
     ip address 10.2.1.1 255.255.255.252
     ospf cost 100
    #
    ospf 1 vpn-instance vpn1
     area 0.0.0.0
      network 10.1.1.0 0.0.0.3
      network 10.2.1.0 0.0.0.3
    #
    ip ip-prefix frr1 index 10 permit 10.5.1.0 24
    #
    route-policy ip_frr_rp permit node 10
     if-match ip-prefix frr1
     apply backup-nexthop 10.2.1.2
     apply backup-interface GigabitEthernet2/0/0
    #
    bfd for_ip_frr bind peer-ip 10.1.1.2 vpn-instance vpn1 interface GigabitEthernet 1/0/0
     discriminator local 10
     discriminator remote 20
     min-tx-interval 100
     min-rx-interval 100 
     commit
    #
    return
  • CE1 configuration file

    #
     sysname CE1
    #
    bfd
    #
    interface GigabitEthernet1/0/0
     ip address 10.1.1.2 255.255.255.252
    #
    interface GigabitEthernet2/0/0
     ip address 10.3.1.1 255.255.255.252
    #
    ospf 1
     area 0.0.0.0
      network 10.1.1.0 0.0.0.3
      network 10.3.1.0 0.0.0.3
    #
    bfd for_ip_frr bind peer-ip 10.1.1.1 interface GigabitEthernet 1/0/0
     discriminator local 20
     discriminator remote 10
     min-tx-interval 100
     min-rx-interval 100 
     commit
    #
    return
  • CE2 configuration file

    #
     sysname CE2
    #
    interface GigabitEthernet1/0/0
     ip address 10.2.1.2 255.255.255.252
    #
    interface GigabitEthernet2/0/0
     ip address 10.4.1.1 255.255.255.252
    #
    ospf 1
     area 0.0.0.0
      network 10.2.1.0 0.0.0.3
      network 10.4.1.0 0.0.0.3
    #
    return
  • RTA configuration file

    #
     sysname RTA
    #
    interface GigabitEthernet1/0/0
     ip address 10.3.1.2 255.255.255.252
    #
    interface GigabitEthernet2/0/0
     ip address 10.4.1.2 255.255.255.252
     ospf cost 100
    #
    interface GigabitEthernet3/0/0
     ip address 10.5.1.1 255.255.255.0
    #
    ospf 1
     area 0.0.0.0
      network 10.3.1.0 0.0.0.3
      network 10.4.1.0 0.0.0.3
     area 0.0.0.2
      network 10.5.1.0 0.0.0.255
    #
    return
Updated: 2019-08-07

Document ID: EDOC1100033725