CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Connecting a VPN to the Internet

Networking Requirements

As shown in Figure 7-61, CE1 and CE2 need to communicate with each other, and users connected to CE1 need to connect to the Internet.

To enable users connected to CE1 to access the Internet, connect an agent server to CE1 and configure a public IP address for the agent server. Users connected to CE1 can then access the Internet through the agent server. In this example, P represents the Internet.

Figure 7-61  Networking diagram for connecting a VPN to the Internet

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure basic BGP/MPLS IP VPN functions.

  2. Configure three static routes:

    • On CE1, create a default route and specify PE1 as the next hop.

    • On PE1, configure a default route from the VPN to the Internet and specify P as the next hop. This route enables traffic to be transmitted from the agent server to the Internet.

    • On PE1, configure a static route from the Internet to the agent server and specify CE1 as the next hop. Configure IGP to advertise the static route to the Internet. This route enables traffic to be transmitted from the Internet to the agent server.

Procedure

  1. Assign IP addresses to interfaces according to Figure 7-61.

    # Configure PE1.

    <Huawei> system-view
    [Huawei] sysname PE1
    [PE1] interface loopback 1
    [PE1-LoopBack1] ip address 1.1.1.1 32
    [PE1-LoopBack1] quit
    [PE1] interface gigabitethernet 2/0/0
    [PE1-GigabitEthernet2/0/0] ip address 100.1.1.1 24
    [PE1-GigabitEthernet2/0/0] quit
    

    The configuration on PE2, P, CE1, and CE2 is similar to the configuration on PE1 and is not mentioned here.

  2. Configure an IGP protocol on the MPLS backbone network for IP connectivity.

    # Configure PE1.

    [PE1] ospf
    [PE1-ospf-1] area 0
    [PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
    [PE1-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
    [PE1-ospf-1-area-0.0.0.0] quit
    [PE1-ospf-1] quit
    

    The configuration on PE2 and P is similar to the configuration on PE1 and is not mentioned here.

    NOTE:

    The IP addresses of loopback interfaces that are used as LSR IDs need to be advertised.

    After the configuration is complete, the devices on the backbone network can learn the loopback interface addresses from each other.

  3. Set up MPLS LDP LSPs and an MP-IBGP peer relationship between the devices on the backbone network.

    # Enable MPLS LDP on PE1 to set up MPLS LDP LSPs.

    [PE1] mpls lsr-id 1.1.1.1
    [PE1] mpls
    [PE1-mpls] quit
    [PE1] mpls ldp
    [PE1-mpls-ldp] quit
    [PE1] interface gigabitethernet 2/0/0
    [PE1-GigabitEthernet2/0/0] mpls
    [PE1-GigabitEthernet2/0/0] mpls ldp
    [PE1-GigabitEthernet2/0/0] quit
    

    The configuration on PE2 and P is similar to the configuration on PE1 and is not mentioned here.

    After the configuration is complete, run the display mpls ldp session command on P. The command output shows that the LDP sessions between PE1 and P, and between PE2 and P are in Operational state.

    The information displayed on P is used as an example.

    [P] display mpls ldp session
    
     LDP Session(s) in Public Network
     Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
     A '*' before a session means the session is being deleted.
     ------------------------------------------------------------------------------
     PeerID             Status      LAM  SsnRole  SsnAge      KASent/Rcv
     ------------------------------------------------------------------------------
     1.1.1.1:0          Operational DU   Active   0000:00:00  2/2
     3.3.3.3:0          Operational DU   Active   0000:23:08  5556/5555
     ------------------------------------------------------------------------------
     TOTAL: 2 session(s) Found.
    
    

    # Configure an MP-IBGP peer on PE1.

    [PE1] bgp 100
    [PE1-bgp] peer 3.3.3.3 as-number 100
    [PE1-bgp] peer 3.3.3.3 connect-interface loopback 1
    [PE1-bgp] ipv4-family vpnv4
    [PE1-bgp-af-vpnv4] peer 3.3.3.3 enable
    [PE1-bgp-af-vpnv4] quit
    [PE1-bgp] quit

    The configuration on PE2 is similar to the configuration on PE1 and is not mentioned here.

    Run the display bgp vpnv4 all peer command on PE1 and PE2. The command output shows that an MP-IBGP peer relationship has been set up between the PEs and is in Established state. The information displayed on PE1 is used as an example.

    [PE1] display bgp vpnv4 all peer
    
     BGP local router ID : 1.1.1.1
     Local AS number : 100
     Total number of peers : 1                 Peers in established state : 1
    
      Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
      3.3.3.3         4   100        6        8     0 00:03:48 Established       2

  4. Create VPN instances and set up EBGP peer relationships.

    # Create VPN instance vpn1 on the PEs and bind it to the interfaces connected to CEs. The information displayed on PE1 is used as an example.

    [PE1] ip vpn-instance vpn1
    [PE1-vpn-instance-vpn1] ipv4-family
    [PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
    [PE1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 both
    [PE1-vpn-instance-vpn1-af-ipv4] quit
    [PE1-vpn-instance-vpn1] quit
    [PE1] interface gigabitethernet 1/0/0
    [PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpn1
    [PE1-GigabitEthernet1/0/0] ip address 10.1.1.2 24
    [PE1-GigabitEthernet1/0/0] quit
    

    The configuration on PE2 is similar to the configuration on PE1 and is not mentioned here.

    Set up EBGP peer relationships between PE1 and CE1 and between PE2 and CE2 so that routes of the CEs can be advertised to the PEs. The configuration on CE1 and PE1 is used as an example.

    # Configure CE1.

    [CE1] bgp 65410
    [CE1-bgp] peer 10.1.1.2 as-number 100
    [CE1-bgp] import-route direct
    [CE1-bgp] quit
    

    The configuration on CE2 is similar to the configuration on CE1 and is not mentioned here.

    # Configure PE1.

    [PE1] bgp 100
    [PE1-bgp] ipv4-family vpn-instance vpn1
    [PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410
    [PE1-bgp-vpn1] import-route direct
    [PE1-bgp-vpn1] import-route static
    [PE1-bgp-vpn1] quit
    [PE1-bgp] quit
    

    The configuration on PE2 is similar to the configuration on PE1 and is not mentioned here.

    After the configuration is complete, run the display ip vpn-instance command on the PEs. In the command output, vpn1 is displayed in the VPN-Instance Name field.

    The information displayed on PE1 is used as an example.

    [PE1] display ip vpn-instance
     Total VPN-Instances configured      : 1                                        
     Total IPv4 VPN-Instances configured : 1                                        
     Total IPv6 VPN-Instances configured : 0                                        
                                                                                    
      VPN-Instance Name               RD                     Address-family
      vpn1                            100:1                  IPv4          

    Run the display bgp vpnv4 all peer command on the PEs. The command output shows that the IBGP and EBGP peer relationships are all in Established state.

    The information displayed on PE1 is used as an example.

    [PE1] display bgp vpnv4 all peer
    
     BGP local router ID : 1.1.1.1
     Local AS number : 100
     Total number of peers : 2                 Peers in established state : 2
    
      Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
      3.3.3.3         4   100      127      134     0 01:39:44 Established       2
    
      Peer of IPv4-family for vpn instance :
    
     VPN-Instance vpn1, Router ID 1.1.1.1:
      10.1.1.1        4 65410      107      110     0 01:26:33 Established       3
    
    

  5. Configure static routes to enable VPN users to access the Internet.

    # On CE1, create a default route and specify PE1 as the next hop.

    [CE1] ip route-static 0.0.0.0 0 10.1.1.2
    

    # Configure PE1.

    # Configure a default route from the agent server to the Internet and specify P as the next hop. Specify the public keyword in the command to use the public IP address of P as the next hop address.

    [PE1] ip route-static vpn-instance vpn1 0.0.0.0 0 100.1.1.2 public
    
    NOTE:

    If the CEs and PEs are connected through an Ethernet network, you must specify the next hop when configuring the static route.

    # Configure a static route from the Internet to the agent server and specify CE1 as the next hop.

    [PE1] ip route-static 10.3.1.0 24 vpn-instance vpn1 10.1.1.1
    

    # Advertise the preceding static route to the Internet using an IGP (OSPF in this example).

    [PE1] ospf 1
    [PE1-ospf-1] import-route static
    [PE1-ospf-1] quit

    # Configure the agent server. Set the IP address of the agent server to 10.3.1.1/24 and the default gateway address of the agent server to 10.3.1.2/24 (address of CE1). In addition, the agent server must run the agent software.

  6. Verify the configuration.

    # Run the display ip routing-table vpn-instance vpn1 command on PE1 to check the VPN routing table of vpn1. The VPN routing table has a default route with the next hop address 100.1.1.2 and the outbound interface GE2/0/0.

    [PE1] display ip routing-table vpn-instance vpn1
    Route Flags:
    R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Tables: vpn1
             Destinations : 7        Routes : 7
      Destination/Mask  Proto  Pre  Cost         Flags  NextHop         Interface
            0.0.0.0/0   Static 60   0              RD   100.1.1.2       GigabitEthernet2/0/0
           10.1.1.0/24  Direct 0    0               D   10.1.1.2        GigabitEthernet1/0/0
           10.1.1.2/32  Direct 0    0               D   127.0.0.1       GigabitEthernet1/0/0
         10.1.1.255/32  Direct 0    0               D   127.0.0.1       GigabitEthernet1/0/0
           10.2.1.0/24  IBGP   255  0              RD   3.3.3.3         GigabitEthernet2/0/0
           10.3.1.0/24  EBGP   255  0               D   10.1.1.1        GigabitEthernet1/0/0
    255.255.255.255/32  Direct 0    0               D   127.0.0.1       InLoopBack0
    

    # Run the display ip routing-table command on PE1 to check the IP routing table on PE1. The routing table has a route to the agent server, in which the next hop address is 10.1.1.1.

    [PE1] display ip routing-table
    Route Flags:
    R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 12       Routes : 12
      Destination/Mask  Proto  Pre  Cost         Flags  NextHop         Interface
            1.1.1.1/32  Direct 0    0               D   127.0.0.1       LoopBack1
            2.2.2.2/32  OSPF   10   1               D   100.1.1.2       GigabitEthernet2/0/0
            3.3.3.3/32  OSPF   10   2               D   100.1.1.2       GigabitEthernet2/0/0
          100.1.1.0/24  Direct 0    0               D   100.1.1.1       GigabitEthernet2/0/0
          100.1.1.1/32  Direct 0    0               D   127.0.0.1       GigabitEthernet2/0/0
        100.1.1.255/32  Direct 0    0               D   127.0.0.1       GigabitEthernet2/0/0
          100.2.1.0/24  OSPF   10   2               D   100.1.1.2       GigabitEthernet2/0/0
           10.3.1.0/24  Static 60   0              RD   10.1.1.1        GigabitEthernet1/0/0
           127.0.0.0/8  Direct 0    0               D   127.0.0.1       InLoopBack0
          127.0.0.1/32  Direct 0    0               D   127.0.0.1       InLoopBack0
    127.255.255.255/32  Direct 0    0               D   127.0.0.1       InLoopBack0
    255.255.255.255/32  Direct 0    0               D   127.0.0.1       InLoopBack0 

    # P can ping the agent server.

    [P] ping 10.3.1.1
      PING 10.3.1.1: 56  data bytes, press CTRL_C to break                         
        Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=1 ms                 
        Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=1 ms                 
        Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=1 ms                 
        Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=1 ms                 
        Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=1 ms                 
                                                                                    
      --- 10.3.1.1 ping statistics ---                                             
        5 packet(s) transmitted                                                     
        5 packet(s) received                                                        
        0.00% packet loss                                                           
        round-trip min/avg/max = 1/1/1 ms                                           

    # The agent server can access P on the Internet.

Configuration Files

  • CE1 configuration file

    #
     sysname CE1
    #
    interface GigabitEthernet1/0/0
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 10.3.1.2 255.255.255.0
    #
    bgp 65410
     peer 10.1.1.2 as-number 100
     #
     ipv4-family unicast
      undo synchronization
      import-route direct
      peer 10.1.1.2 enable
    #
    ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
    #
    return

  • PE1 configuration file

    #
     sysname PE1
    #
    ip vpn-instance vpn1
     ipv4-family
      route-distinguisher 100:1
      vpn-target 1:1 export-extcommunity
      vpn-target 1:1 import-extcommunity
    #
     mpls lsr-id 1.1.1.1
     mpls
    #
    mpls ldp
    #
    interface GigabitEthernet1/0/0
     ip binding vpn-instance vpn1
     ip address 10.1.1.2 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 100.1.1.1 255.255.255.0
     mpls 
     mpls ldp
    #
    interface LoopBack1
     ip address 1.1.1.1 255.255.255.255
    #
    bgp 100
     peer 3.3.3.3 as-number 100
     peer 3.3.3.3 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 3.3.3.3 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 3.3.3.3 enable
     #
     ipv4-family vpn-instance vpn1
      peer 10.1.1.1 as-number 65410
      import-route static
      import-route direct
    #
    ospf 1
     import-route static
     area 0.0.0.0
      network 1.1.1.1 0.0.0.0
      network 100.1.1.0 0.0.0.255
    #
    ip route-static 10.3.1.0 255.255.255.0 vpn-instance vpn1 10.1.1.1
    ip route-static vpn-instance vpn1 0.0.0.0 0.0.0.0 100.1.1.2 public
    #
    return

  • P configuration file

    #
     sysname P
    #
     mpls lsr-id 2.2.2.2
     mpls
    #
    mpls ldp
    #
    interface GigabitEthernet1/0/0
     ip address 100.1.1.2 255.255.255.0
     mpls
     mpls ldp
    #
    interface GigabitEthernet2/0/0
     ip address 100.2.1.1 255.255.255.0
     mpls
     mpls ldp
    #
    interface LoopBack1
     ip address 2.2.2.2 255.255.255.255
    #
    ospf 1
     area 0.0.0.0
      network 2.2.2.2 0.0.0.0
      network 100.1.1.0 0.0.0.255
      network 100.2.1.0 0.0.0.255
    #
    return

  • PE2 configuration file

    #
     sysname PE2
    #
    ip vpn-instance vpn1
     ipv4-family
      route-distinguisher 100:2
      vpn-target 1:1 export-extcommunity
      vpn-target 1:1 import-extcommunity
    #
     mpls lsr-id 3.3.3.3
     mpls
    #
    mpls ldp
    #
    interface GigabitEthernet1/0/0
     ip address 100.2.1.2 255.255.255.0
     mpls
     mpls ldp
    #
    interface GigabitEthernet2/0/0
     ip binding vpn-instance vpn1
     ip address 10.2.1.2 255.255.255.0
    #
    interface LoopBack1
     ip address 3.3.3.3 255.255.255.255
    #
    bgp 100
     peer 1.1.1.1 as-number 100
     peer 1.1.1.1 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 1.1.1.1 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 1.1.1.1 enable
     #
     ipv4-family vpn-instance vpn1
      peer 10.2.1.1 as-number 65420
      import-route direct
    #
    ospf 1
     area 0.0.0.0
      network 3.3.3.3 0.0.0.0
      network 100.2.1.0 0.0.0.255
    #
    return

  • CE2 configuration file

    #
     sysname CE2
    #
    interface GigabitEthernet1/0/0
     ip address 10.2.1.1 255.255.255.0
    #
    bgp 65420
     peer 10.2.1.2 as-number 100
     #
     ipv4-family unicast
      undo synchronization
      import-route direct
      peer 10.2.1.2 enable
    #
    return
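
An added example, not part of the Huawei guide: a Python audit that lists every point where the PE1 configuration crosses the boundary between vpn1 and the public routing table, namely the two static routes from step 5 and the `import-route static` under OSPF that advertises public static routes without a filter. The sample text is constructed from the PE1 configuration file above; the function name and finding labels are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: the routing-relevant lines of the PE1 configuration file above.
PE1_CONFIG = """\
ospf 1
 import-route static
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 100.1.1.0 0.0.0.255
#
ip route-static 10.3.1.0 255.255.255.0 vpn-instance vpn1 10.1.1.1
ip route-static vpn-instance vpn1 0.0.0.0 0.0.0.0 100.1.1.2 public
#
"""

IP = r"\d+\.\d+\.\d+\.\d+"
# VPN-table route whose next hop is looked up in the public table.
VPN_TO_PUBLIC = re.compile(
    rf"ip route-static vpn-instance (\S+) ({IP}) (\S+) ({IP}) public$")
# Public-table route whose next hop is looked up inside a VPN instance.
PUBLIC_TO_VPN = re.compile(
    rf"ip route-static ({IP}) (\S+) vpn-instance (\S+) ({IP})$")


def audit_route_leaks(config):
    """Return (kind, scope, prefix, next_hop) for each crossing point found."""
    findings, section = [], ""
    for raw in config.splitlines():
        line = raw.rstrip()
        if line and not line[0].isspace():
            section = line  # an unindented line opens a new top-level section
        text = line.strip()
        if m := VPN_TO_PUBLIC.match(text):
            vpn, dest, mask, hop = m.groups()
            # ip_network accepts both a dotted mask and a prefix length
            prefix = str(ipaddress.ip_network(f"{dest}/{mask}", strict=False))
            findings.append(("vpn-to-public", vpn, prefix, hop))
        elif m := PUBLIC_TO_VPN.match(text):
            dest, mask, vpn, hop = m.groups()
            prefix = str(ipaddress.ip_network(f"{dest}/{mask}", strict=False))
            findings.append(("public-to-vpn", vpn, prefix, hop))
        elif (section.startswith("ospf") and text.startswith("import-route static")
              and "route-policy" not in text):
            # Every public static route, leaked VPN prefixes included, enters the IGP.
            findings.append(("unfiltered-import", section, "static", None))
    return findings


if __name__ == "__main__":
    for finding in audit_route_leaks(PE1_CONFIG):
        print(finding)
```

On a PE that serves several VPN instances, each `public-to-vpn` prefix that coincides with an `unfiltered-import` finding is reachable from the public side and is worth reviewing against the intended exposure (here only the agent server subnet).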
Updated: 2019-08-07

Document ID: EDOC1100033725
