CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Configuring Shortcut Scenario of DSVPN (BGP)

Networking Requirements

A large-scale enterprise has a central office (Hub) and multiple branches (Spokes) that are located in different areas and belong to different ASs; this example shows only two Spokes, Spoke1 and Spoke2. The networks of the central office and the branches change frequently. The Spokes connect to the public network with dynamic addresses. On the enterprise network, Open Shortest Path First (OSPF) is used for intra-AS routing and External Border Gateway Protocol (EBGP) is used for inter-AS routing.

The enterprise wants to establish a VPN between the Spokes.

Figure 4-20  Networking diagram for the Shortcut DSVPN configuration

Configuration Roadmap

The configuration roadmap is as follows:
  1. Because each Spoke uses a dynamic address to connect to the public network, it does not know the public IP address of the other Spoke. DSVPN is used so that the Spokes can resolve each other's public address through Hub and build a VPN between themselves.

  2. The DSVPN shortcut scenario is used because the enterprise has a large number of branches. Spoke-to-Spoke traffic initially passes through Hub, which sends an NHRP redirect; the Spokes then resolve each other and forward directly, so Hub does not have to carry all branch-to-branch traffic.

  3. The networks of the central office and the branches change frequently. BGP is deployed between Hub and the Spokes so that branch routes are learned dynamically, which simplifies maintenance.

Procedure

  1. Assign an IP address to each interface.

    Configure IP addresses for the interfaces of each Router.

    # Configure IP addresses for interfaces of Hub.

    <Huawei> system-view
    [Huawei] sysname Hub
    [Hub] interface GigabitEthernet 1/0/0
    [Hub-GigabitEthernet1/0/0] ip address 1.1.1.10 255.255.255.0
    [Hub-GigabitEthernet1/0/0] quit
    [Hub] interface tunnel 0/0/0
    [Hub-Tunnel0/0/0] ip address 172.16.1.1 255.255.255.0
    [Hub-Tunnel0/0/0] quit
    

    Configure IP addresses for interfaces of the Spoke1 and Spoke2 as shown in Figure 4-20. The specific configuration is not mentioned here.

  2. Configure routes between the Routers.

    Configure OSPF process 2 on each Router so that the public-network addresses used as tunnel sources (1.1.1.0/24, 1.1.2.0/24 and 1.1.3.0/24) are reachable from one another.

    # Configure OSPF on Hub.

    [Hub] ospf 2 router-id 1.1.1.10
    [Hub-ospf-2] area 0.0.0.1
    [Hub-ospf-2-area-0.0.0.1] network 1.1.1.0 0.0.0.255
    [Hub-ospf-2-area-0.0.0.1] quit
    [Hub-ospf-2] quit
    

    # Configure OSPF on Spoke1.

    [Spoke1] ospf 2 router-id 1.1.2.10
    [Spoke1-ospf-2] area 0.0.0.1
    [Spoke1-ospf-2-area-0.0.0.1] network 1.1.2.0 0.0.0.255
    [Spoke1-ospf-2-area-0.0.0.1] quit
    [Spoke1-ospf-2] quit
    

    # Configure OSPF on Spoke2.

    [Spoke2] ospf 2 router-id 1.1.3.10
    [Spoke2-ospf-2] area 0.0.0.1
    [Spoke2-ospf-2-area-0.0.0.1] network 1.1.3.0 0.0.0.255
    [Spoke2-ospf-2-area-0.0.0.1] quit
    [Spoke2-ospf-2] quit
    

  3. Configure reachable routes between the ASs.

    Run OSPF process 1 on each Router to advertise its private subnet (192.168.x.0/24). These OSPF routes are imported into BGP in the next step, which is what makes them reachable across the ASs.

    # Configure Hub.

    [Hub] ospf 1 router-id 172.16.1.1
    [Hub-ospf-1] area 0.0.0.0
    [Hub-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
    [Hub-ospf-1-area-0.0.0.0] quit
    [Hub-ospf-1] quit
    

    # Configure Spoke1.

    [Spoke1] ospf 1 router-id 172.16.1.2
    [Spoke1-ospf-1] area 0.0.0.0
    [Spoke1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
    [Spoke1-ospf-1-area-0.0.0.0] quit
    [Spoke1-ospf-1] quit
    

    # Configure Spoke2.

    [Spoke2] ospf 1 router-id 172.16.1.3
    [Spoke2-ospf-1] area 0.0.0.0
    [Spoke2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
    [Spoke2-ospf-1-area-0.0.0.0] quit
    [Spoke2-ospf-1] quit
    
    NOTE:

    The OSPF and BGP configuration is shown for two Spokes as an example. Perform the same configuration on the other Spokes.

    When the subnet of a branch changes, you only need to adjust the routing configuration on that branch's device; the route is re-advertised to Hub automatically.

  4. Configure basic EBGP functions.

    Import the OSPF 1 routes into BGP on each Router and establish an EBGP peering between Hub and each Spoke over the tunnel addresses. On Hub, additionally summarize the branch routes as 192.168.0.0/16 with detail-suppressed, so that each Spoke receives a single summary route with Hub as the next hop instead of one route per branch.

    # Configure Hub.

    [Hub] bgp 100
    [Hub-bgp] router-id 172.16.1.1
    [Hub-bgp] import-route ospf 1
    [Hub-bgp] peer 172.16.1.2 as-number 200
    [Hub-bgp] peer 172.16.1.3 as-number 300
    [Hub-bgp] aggregate 192.168.0.0 16 detail-suppressed
    [Hub-bgp] quit
    

    # Configure Spoke1.

    [Spoke1] bgp 200
    [Spoke1-bgp] router-id 172.16.1.2
    [Spoke1-bgp] import-route ospf 1
    [Spoke1-bgp] peer 172.16.1.1 as-number 100
    [Spoke1-bgp] quit
    

    # Configure Spoke2.

    [Spoke2] bgp 300
    [Spoke2-bgp] router-id 172.16.1.3
    [Spoke2-bgp] import-route ospf 1
    [Spoke2-bgp] peer 172.16.1.1 as-number 100
    [Spoke2-bgp] quit
    

  5. Configure tunnel interfaces.

    Enable the NHRP redirect function on Hub. On Spoke1 and Spoke2, configure a static NHRP mapping entry for Hub and enable the NHRP shortcut function. Because the Spokes learn the branch routes from Hub over EBGP, their next hop for any other branch is Hub's tunnel address: the first packets between two Spokes traverse Hub, which triggers an NHRP redirect, after which the Spokes resolve each other's public addresses and forward directly. Note that this example does not bind an IPsec profile to the tunnel interfaces, so the GRE traffic between the sites crosses the public network in clear text.
    NOTE:

    In the shortcut scenario with BGP, the route attributes that steer Spoke traffic to Hub are set in the BGP view (the summary route configured in step 4), not on the tunnel interface.

    # On Hub, configure a tunnel interface and enable the NHRP redirect function.
    [Hub] interface tunnel 0/0/0
    [Hub-Tunnel0/0/0] tunnel-protocol gre p2mp
    [Hub-Tunnel0/0/0] source GigabitEthernet 1/0/0
    [Hub-Tunnel0/0/0] nhrp entry multicast dynamic
    [Hub-Tunnel0/0/0] nhrp redirect
    [Hub-Tunnel0/0/0] quit
    
    # On Spoke1, configure a tunnel interface and a static NHRP mapping entry of Hub, and enable the NHRP shortcut function.
    [Spoke1] interface tunnel 0/0/0
    [Spoke1-Tunnel0/0/0] tunnel-protocol gre p2mp
    [Spoke1-Tunnel0/0/0] source GigabitEthernet 1/0/0
    [Spoke1-Tunnel0/0/0] nhrp entry 172.16.1.1 1.1.1.10 register
    [Spoke1-Tunnel0/0/0] nhrp shortcut
    [Spoke1-Tunnel0/0/0] quit
    
    # On Spoke2, configure a tunnel interface and a static NHRP mapping entry of Hub, and enable the NHRP shortcut function.
    [Spoke2] interface tunnel 0/0/0
    [Spoke2-Tunnel0/0/0] tunnel-protocol gre p2mp
    [Spoke2-Tunnel0/0/0] source GigabitEthernet 1/0/0
    [Spoke2-Tunnel0/0/0] nhrp entry 172.16.1.1 1.1.1.10 register
    [Spoke2-Tunnel0/0/0] nhrp shortcut
    [Spoke2-Tunnel0/0/0] quit
    

  6. Verify the configuration.

    After the preceding configurations are complete, check the NHRP mapping entries of Spoke1 and Spoke2.

    # Run the display nhrp peer all command on Spoke1. The command output is as follows:

    [Spoke1] display nhrp peer all
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    172.16.1.1      32    1.1.1.10        172.16.1.1       hub          up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/0
    Created time    : 00:10:58
    Expire time     : --
    
    Number of nhrp peers: 1
    

    # Run the display nhrp peer all command on Spoke2. The command output is as follows:

    [Spoke2] display nhrp peer all
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    172.16.1.1      32    1.1.1.10        172.16.1.1       hub          up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/0
    Created time    : 00:07:55
    Expire time     : --
    
    Number of nhrp peers: 1
    
    NOTE:

    Before any Spoke-to-Spoke traffic has been sent, the display nhrp peer all command on Spoke1 and Spoke2 shows only the static NHRP mapping entry of Hub.

    On Hub, check the NHRP mapping entries of Spoke1 and Spoke2.

    # Run the display nhrp peer all command on Hub. The command output is as follows:

    [Hub] display nhrp peer all
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    172.16.1.2      32    1.1.2.10        172.16.1.2      registered   up|unique
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/0
    Created time    : 00:02:02
    Expire time     : 01:57:58
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    172.16.1.3      32    1.1.3.10        172.16.1.3      registered   up|unique
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/0
    Created time    : 00:01:53
    Expire time     : 01:59:35
    
    Number of nhrp peers: 2
    

  7. Run the ping command to check the configuration result.

    Ping 192.168.2.1 (the private address of Spoke2) from 192.168.1.1 on Spoke1. In the output below, the first reply arrives with ttl=254 because it is forwarded through Hub; the remaining replies have ttl=255 because, after the NHRP redirect, Spoke2 answers over the direct Spoke-to-Spoke tunnel. Afterwards, Spoke1 and Spoke2 have learned dynamic NHRP mapping entries for each other.

    # Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output is as follows:

    [Spoke1] ping -a 192.168.1.1 192.168.2.1
      PING 192.168.2.1: 56  data bytes, press CTRL_C to break
        Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=3 ms
        Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
        Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
        Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
        Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms
    
      --- 192.168.2.1 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 2/2/3 ms
    
    

    # Run the display nhrp peer all command on Spoke1. The command output is as follows:

    [Spoke1] display nhrp peer all
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
    -------------------------------------------------------------------------------
    172.16.1.1      32    1.1.1.10        172.16.1.1      hub              up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/0
    Created time    : 00:46:35
    Expire time     : --
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
    -------------------------------------------------------------------------------
    192.168.2.1     32    1.1.3.10        172.16.1.3      remote-network  up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/0
    Created time    : 00:00:28
    Expire time     : 01:59:32
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
    -------------------------------------------------------------------------------
    172.16.1.3      32    1.1.3.10        172.16.1.3      remote          up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/0
    Created time    : 00:00:28
    Expire time     : 01:59:32
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
    -------------------------------------------------------------------------------
    172.16.1.2      32    1.1.2.10        172.16.1.2      local           up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/0
    Created time    : 00:00:28
    Expire time     : 01:59:32
    
    Number of nhrp peers: 4
    

    # Run the display nhrp peer all command on Spoke2. The command output is as follows:

    [Spoke2] display nhrp peer all
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
    -------------------------------------------------------------------------------
    172.16.1.1      32    1.1.1.10        172.16.1.1      hub              up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/0
    Created time    : 00:43:32
    Expire time     : --
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
    -------------------------------------------------------------------------------
    192.168.1.1     32    1.1.2.10        172.16.1.2      remote-network  up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/0
    Created time    : 00:00:47
    Expire time     : 01:59:13
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
    -------------------------------------------------------------------------------
    172.16.1.2      32    1.1.2.10        172.16.1.2      remote          up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/0
    Created time    : 00:00:47
    Expire time     : 01:59:13
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
    -------------------------------------------------------------------------------
    172.16.1.3      32    1.1.3.10        172.16.1.3      local           up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/0
    Created time    : 00:00:47
    Expire time     : 01:59:13
    
    Number of nhrp peers: 4
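    The verification in steps 6 and 7 is done by reading the display nhrp peer all output by eye. The following Python script is an added example, not part of this guide, that parses that output format into records and checks the shortcut-scenario invariants automatically: the Spoke holds a static, up hub entry for the configured Hub addresses; every dynamically learned remote or remote-network entry points at a tunnel/NBMA pair that Hub shows as registered and up; dynamic entries carry an expiry; and the "Number of nhrp peers" count matches the entries parsed. The sample outputs are constructed from the Spoke1 and Hub output shown above, trimmed to three and one entries; the class and function names are the example's own.

```python
"""Parse `display nhrp peer all` output and audit a Spoke's shortcut table."""
import re
from dataclasses import dataclass

# Constructed samples, trimmed from the Spoke1/Hub output of the example.
HUB_OUT = """\
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.3      32    1.1.3.10        172.16.1.3      registered   up|unique
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:01:53
Expire time     : 01:59:35

Number of nhrp peers: 1
"""
SPOKE1_OUT = """\
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
-------------------------------------------------------------------------------
172.16.1.1      32    1.1.1.10        172.16.1.1      hub              up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:46:35
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
-------------------------------------------------------------------------------
192.168.2.1     32    1.1.3.10        172.16.1.3      remote-network  up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:28
Expire time     : 01:59:32
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type            Flag
-------------------------------------------------------------------------------
172.16.1.3      32    1.1.3.10        172.16.1.3      remote          up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:28
Expire time     : 01:59:32

Number of nhrp peers: 3
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ENTRY_RE = re.compile(rf"^(?P<proto>{IP})\s+(?P<mask>\d+)\s+(?P<nbma>{IP})\s+"
                      rf"(?P<nh>{IP})\s+(?P<type>\S+)\s+(?P<flag>\S+)$")
FIELD_RE = re.compile(r"^(Tunnel interface|Created time|Expire time)\s*:\s*(\S+)$")
COUNT_RE = re.compile(r"^Number of nhrp peers:\s*(\d+)$")


@dataclass
class NhrpPeer:                  # one record of the display output (name is ours)
    protocol_addr: str
    mask: int
    nbma_addr: str
    next_hop: str
    type: str
    flags: frozenset
    tunnel: str = ""
    created: str = ""
    expire: str = ""

    @property
    def is_static(self) -> bool:
        return self.expire == "--"   # static entries show no expiry


def parse_nhrp_peers(text: str) -> list:
    """Parse the display output; separator and header lines are skipped."""
    peers, cur, declared = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ENTRY_RE.match(line):
            cur = NhrpPeer(m["proto"], int(m["mask"]), m["nbma"], m["nh"],
                           m["type"], frozenset(m["flag"].split("|")))
            peers.append(cur)
        elif (m := FIELD_RE.match(line)) and cur is not None:
            key, val = m.groups()
            setattr(cur, {"Tunnel interface": "tunnel", "Created time": "created",
                          "Expire time": "expire"}[key], val)
        elif m := COUNT_RE.match(line):
            declared = int(m[1])
    if declared is not None and declared != len(peers):
        raise ValueError(f"parsed {len(peers)} peers but device reports {declared}")
    return peers


def audit_spoke(spoke_text: str, hub_text: str, hub_tunnel_ip: str, hub_nbma: str) -> list:
    """Return findings; an empty list means the Spoke table is consistent with Hub."""
    spoke, hub = parse_nhrp_peers(spoke_text), parse_nhrp_peers(hub_text)
    findings = []
    if not any(p.type == "hub" and p.is_static and "up" in p.flags
               and p.protocol_addr == hub_tunnel_ip and p.nbma_addr == hub_nbma for p in spoke):
        findings.append(f"no static up hub entry {hub_tunnel_ip} -> {hub_nbma}")
    # tunnel/NBMA pairs from which Hub has accepted a registration
    registered = {(p.next_hop, p.nbma_addr) for p in hub
                  if p.type == "registered" and "up" in p.flags}
    for p in spoke:
        if p.type not in ("remote", "remote-network"):
            continue
        if (p.next_hop, p.nbma_addr) not in registered:
            findings.append(f"{p.type} {p.protocol_addr}/{p.mask} via "
                            f"{p.next_hop}@{p.nbma_addr} is not registered on Hub")
        if p.is_static:
            findings.append(f"dynamic {p.type} entry {p.protocol_addr} never expires")
    return findings
```

    Feed it the outputs captured from a Spoke and from Hub. A finding of the "not registered on Hub" kind means the Spoke resolved a branch to a public address that Hub never accepted a registration for, which is the first thing to look at when Spoke-to-Spoke traffic goes somewhere unexpected.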
    

Configuration Files

  • Hub configuration file

    #
    sysname Hub
    # 
    interface GigabitEthernet1/0/0
     ip address 1.1.1.10 255.255.255.0
    # 
    interface Tunnel0/0/0
     ip address 172.16.1.1 255.255.255.0
     tunnel-protocol gre p2mp
     source GigabitEthernet1/0/0
     nhrp redirect
     nhrp entry multicast dynamic
    # 
    bgp 100
     router-id 172.16.1.1
     peer 172.16.1.2 as-number 200
     peer 172.16.1.3 as-number 300
     # 
     ipv4-family unicast
      undo synchronization
      aggregate 192.168.0.0 255.255.0.0 detail-suppressed
      import-route ospf 1
      peer 172.16.1.2 enable
      peer 172.16.1.3 enable
    # 
    ospf 1 router-id 172.16.1.1
     area 0.0.0.0
      network 192.168.0.0 0.0.0.255
    # 
    ospf 2 router-id 1.1.1.10
     area 0.0.0.1
      network 1.1.1.0 0.0.0.255
    
    # 
    return
    
  • Spoke1 configuration file

    #
    sysname Spoke1
    # 
    interface GigabitEthernet1/0/0
     ip address 1.1.2.10 255.255.255.0
    # 
    interface GigabitEthernet2/0/0
     ip address 192.168.1.1 255.255.255.0
    # 
    interface Tunnel0/0/0
     ip address 172.16.1.2 255.255.255.0
     tunnel-protocol gre p2mp
     source GigabitEthernet1/0/0
     nhrp shortcut
     nhrp entry 172.16.1.1 1.1.1.10 register
    # 
    bgp 200
     router-id 172.16.1.2
     peer 172.16.1.1 as-number 100
     # 
     ipv4-family unicast
      undo synchronization
      import-route ospf 1
      peer 172.16.1.1 enable
    # 
    ospf 1 router-id 172.16.1.2
     area 0.0.0.0
      network 192.168.1.0 0.0.0.255
    # 
    ospf 2 router-id 1.1.2.10
     area 0.0.0.1
      network 1.1.2.0 0.0.0.255
    
    # 
    return
    
  • Spoke2 configuration file

    #
    sysname Spoke2
    # 
    interface GigabitEthernet1/0/0
     ip address 1.1.3.10 255.255.255.0
    # 
    interface GigabitEthernet2/0/0
     ip address 192.168.2.1 255.255.255.0
    # 
    interface Tunnel0/0/0
     ip address 172.16.1.3 255.255.255.0
     tunnel-protocol gre p2mp
     source GigabitEthernet1/0/0
     nhrp shortcut
     nhrp entry 172.16.1.1 1.1.1.10 register
    # 
    bgp 300
     router-id 172.16.1.3
     peer 172.16.1.1 as-number 100
     # 
     ipv4-family unicast
      undo synchronization
      import-route ospf 1
      peer 172.16.1.1 enable
    # 
    ospf 1 router-id 172.16.1.3
     area 0.0.0.0
      network 192.168.2.0 0.0.0.255
    # 
    ospf 2 router-id 1.1.3.10
     area 0.0.0.1
      network 1.1.3.0 0.0.0.255
    
    # 
    return
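    The Spoke configuration files above differ from one another only in a handful of values (AS number, public address, tunnel address and branch subnet), and the guide asks for the same configuration to be repeated on every other Spoke. The following Python script is an added example, not part of this guide, that renders a Spoke configuration in the exact layout shown above from those values and rejects inputs that break the design: an AS number reused by another branch (each branch is in its own AS here, and a Spoke discards any unsummarised route that already carries its own AS number), a tunnel address that is not unique inside 172.16.1.0/24, overlapping branch subnets, and a branch subnet outside the 192.168.0.0/16 aggregate on Hub (it would be advertised unsummarised to every Spoke). Interface names and the /24 masks come from the example; the Spoke record and the function names are the example's own assumptions.

```python
"""Render Spoke configurations for the DSVPN shortcut (BGP) design and validate the inputs."""
import ipaddress
from dataclasses import dataclass

# Values fixed by the example
HUB_TUNNEL_IP, HUB_NBMA, HUB_AS = "172.16.1.1", "1.1.1.10", 100
TUNNEL_NET = ipaddress.ip_network("172.16.1.0/24")
HUB_AGGREGATE = ipaddress.ip_network("192.168.0.0/16")   # aggregate ... detail-suppressed on Hub


@dataclass(frozen=True)
class Spoke:                 # hypothetical input record, one per branch
    name: str
    asn: int
    public_ip: str           # GigabitEthernet1/0/0 address, also the OSPF 2 router ID
    tunnel_ip: str           # Tunnel0/0/0 address, also the BGP and OSPF 1 router ID
    lan: str                 # branch subnet behind GigabitEthernet2/0/0, e.g. "192.168.1.0/24"


TEMPLATE = """\
#
sysname {name}
#
interface GigabitEthernet1/0/0
 ip address {public_ip} {public_mask}
#
interface GigabitEthernet2/0/0
 ip address {lan_ip} {lan_mask}
#
interface Tunnel0/0/0
 ip address {tunnel_ip} {tunnel_mask}
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 nhrp shortcut
 nhrp entry {hub_tunnel_ip} {hub_nbma} register
#
bgp {asn}
 router-id {tunnel_ip}
 peer {hub_tunnel_ip} as-number {hub_as}
 #
 ipv4-family unicast
  undo synchronization
  import-route ospf 1
  peer {hub_tunnel_ip} enable
#
ospf 1 router-id {tunnel_ip}
 area 0.0.0.0
  network {lan_net} {lan_wild}
#
ospf 2 router-id {public_ip}
 area 0.0.0.1
  network {public_net} {public_wild}
#
return
"""


def validate(spokes: list) -> list:
    """Return design violations; an empty list means the set of branches is consistent."""
    errors, seen_asn, seen_tun, lans = [], {HUB_AS}, {HUB_TUNNEL_IP}, []
    for s in spokes:
        lan = ipaddress.ip_network(s.lan, strict=True)
        tun = ipaddress.ip_address(s.tunnel_ip)
        if s.asn in seen_asn:
            errors.append(f"{s.name}: AS {s.asn} already used; each branch needs its own AS")
        if tun not in TUNNEL_NET or s.tunnel_ip in seen_tun:
            errors.append(f"{s.name}: tunnel address {tun} is not unique inside {TUNNEL_NET}")
        if not lan.subnet_of(HUB_AGGREGATE):
            errors.append(f"{s.name}: {lan} is outside the Hub aggregate {HUB_AGGREGATE}")
        for other, other_lan in lans:
            if lan.overlaps(other_lan):
                errors.append(f"{s.name}: {lan} overlaps {other}'s {other_lan}")
        seen_asn.add(s.asn)
        seen_tun.add(s.tunnel_ip)
        lans.append((s.name, lan))
    return errors


def render(s: Spoke) -> str:
    """Fill the template; the branch router takes the first host address of its LAN."""
    lan = ipaddress.ip_network(s.lan)
    pub = ipaddress.ip_network(f"{s.public_ip}/24", strict=False)   # /24 public links as in the example
    return TEMPLATE.format(
        name=s.name, asn=s.asn, hub_as=HUB_AS, hub_tunnel_ip=HUB_TUNNEL_IP, hub_nbma=HUB_NBMA,
        public_ip=s.public_ip, public_mask=pub.netmask,
        public_net=pub.network_address, public_wild=pub.hostmask,
        tunnel_ip=s.tunnel_ip, tunnel_mask=TUNNEL_NET.netmask,
        lan_ip=lan.network_address + 1, lan_mask=lan.netmask,
        lan_net=lan.network_address, lan_wild=lan.hostmask)


# Constructed branch table reproducing Spoke1 and Spoke2 from the example
BRANCHES = [Spoke("Spoke1", 200, "1.1.2.10", "172.16.1.2", "192.168.1.0/24"),
            Spoke("Spoke2", 300, "1.1.3.10", "172.16.1.3", "192.168.2.0/24")]
```

    Run validate() over the whole branch table before rendering anything, because the checks are about the set of branches, not a single device. The rendered text for Spoke1 and Spoke2 matches the configuration files above line for line.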
    
Updated: 2019-08-07

Document ID: EDOC1100033725
