
CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.

Example for Configuring a Dynamic Multi-Segment PW

Networking Requirements

As shown in Figure 11-14, the MPLS network of an ISP provides the L2VPN service for users. The S-PE is a full-featured device, whereas U-PE1 and U-PE2 are access devices that cannot directly establish a remote LDP session with each other. Many users connect to the MPLS network through U-PE1 and U-PE2, and the users on the U-PEs change frequently. A VPN solution is required that provides secure VPN services for users and simplifies configuration and maintenance when new users connect to the network.

Figure 11-14  Networking diagram for configuring a dynamic multi-segment PW

Configuration Roadmap

Because the S-PE is a full-featured device and U-PE1 and U-PE2 cannot directly establish a remote LDP session with each other, configure a multi-segment PW with PW switching on the S-PE to meet the customer requirements. To simplify maintenance, make the multi-segment PW dynamic.

The configuration roadmap is as follows:

  1. Configure an IGP protocol on the backbone network so that backbone network devices can communicate.

  2. Configure basic MPLS functions and establish LSPs on the backbone network. Establish remote MPLS LDP peer relationships between U-PE1 and the S-PE, and between U-PE2 and the S-PE.

  3. Create PW templates and enable the control word function and LSP ping.

  4. Configure a dynamic PW on the S-PE.

  5. Configure PW switching on the S-PE.

Procedure

  1. Configure an IP address for each interface on the devices according to Figure 11-14.

    # Configure CE1. The configuration on U-PE1, P1, S-PE, P2, U-PE2, and CE2 is similar to the configuration on CE1 and is not mentioned here.

    <Huawei> system-view
    [Huawei] sysname CE1
    [CE1] interface gigabitethernet 1/0/0
    [CE1-GigabitEthernet1/0/0] ip address 100.1.1.1 255.255.255.0
    [CE1-GigabitEthernet1/0/0] quit

  2. Configure an IGP protocol and Loopback address on the MPLS backbone network.

    # Configure U-PE1. The configuration on P1, S-PE, P2, and U-PE2 is similar to the configuration on U-PE1 and is not mentioned here.

    [U-PE1] interface loopback 0
    [U-PE1-LoopBack0] ip address 1.1.1.9 255.255.255.255
    [U-PE1-LoopBack0] quit
    [U-PE1] ospf 1
    [U-PE1-ospf-1] area 0
    [U-PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
    [U-PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
    [U-PE1-ospf-1-area-0.0.0.0] quit
    [U-PE1-ospf-1] quit
    

    After the configuration is complete, run the display ip routing-table command on the U-PEs, Ps, or S-PE. The command output shows that these devices have learned routes to each other.

  3. Enable MPLS and set up LSP tunnels and remote LDP sessions.

    Configure basic MPLS functions on the MPLS backbone network, and set up LSP tunnels and remote LDP sessions between U-PE1 and the S-PE, and between the S-PE and U-PE2.

    # Configure U-PE1.

    [U-PE1] mpls lsr-id 1.1.1.9
    [U-PE1] mpls
    [U-PE1-mpls] quit
    [U-PE1] mpls ldp
    [U-PE1-mpls-ldp] quit
    [U-PE1] interface gigabitethernet 2/0/0
    [U-PE1-GigabitEthernet2/0/0] ip address 10.1.1.1 255.255.255.0
    [U-PE1-GigabitEthernet2/0/0] mpls
    [U-PE1-GigabitEthernet2/0/0] mpls ldp
    [U-PE1-GigabitEthernet2/0/0] quit
    [U-PE1] mpls ldp remote-peer 3.3.3.9
    [U-PE1-mpls-ldp-remote-3.3.3.9] remote-ip 3.3.3.9
    [U-PE1-mpls-ldp-remote-3.3.3.9] quit

    # Configure P1.

    [P1] mpls lsr-id 2.2.2.9
    [P1] mpls
    [P1-mpls] quit
    [P1] mpls ldp
    [P1-mpls-ldp] quit
    [P1] interface gigabitethernet 1/0/0
    [P1-GigabitEthernet1/0/0] mpls
    [P1-GigabitEthernet1/0/0] mpls ldp
    [P1-GigabitEthernet1/0/0] quit
    [P1] interface gigabitethernet 2/0/0
    [P1-GigabitEthernet2/0/0] mpls
    [P1-GigabitEthernet2/0/0] mpls ldp
    [P1-GigabitEthernet2/0/0] quit

    # Configure the S-PE.

    [S-PE] mpls lsr-id 3.3.3.9
    [S-PE] mpls
    [S-PE-mpls] quit
    [S-PE] mpls ldp
    [S-PE-mpls-ldp] quit
    [S-PE] interface gigabitethernet 1/0/0
    [S-PE-GigabitEthernet1/0/0] mpls
    [S-PE-GigabitEthernet1/0/0] mpls ldp
    [S-PE-GigabitEthernet1/0/0] quit
    [S-PE] interface gigabitethernet 2/0/0
    [S-PE-GigabitEthernet2/0/0] mpls
    [S-PE-GigabitEthernet2/0/0] mpls ldp
    [S-PE-GigabitEthernet2/0/0] quit
    [S-PE] mpls ldp remote-peer 1.1.1.9
    [S-PE-mpls-ldp-remote-1.1.1.9] remote-ip 1.1.1.9
    [S-PE-mpls-ldp-remote-1.1.1.9] quit
    [S-PE] mpls ldp remote-peer 5.5.5.9
    [S-PE-mpls-ldp-remote-5.5.5.9] remote-ip 5.5.5.9
    [S-PE-mpls-ldp-remote-5.5.5.9] quit

    # Configure P2.

    [P2] mpls lsr-id 4.4.4.9
    [P2] mpls 
    [P2-mpls] quit
    [P2] mpls ldp
    [P2-mpls-ldp] quit
    [P2] interface gigabitethernet 1/0/0
    [P2-GigabitEthernet1/0/0] mpls
    [P2-GigabitEthernet1/0/0] mpls ldp
    [P2-GigabitEthernet1/0/0] quit
    [P2] interface gigabitethernet 2/0/0
    [P2-GigabitEthernet2/0/0] mpls
    [P2-GigabitEthernet2/0/0] mpls ldp
    [P2-GigabitEthernet2/0/0] quit

    # Configure U-PE2.

    [U-PE2] mpls lsr-id 5.5.5.9
    [U-PE2] mpls 
    [U-PE2-mpls] quit
    [U-PE2] mpls ldp
    [U-PE2-mpls-ldp] quit 
    [U-PE2] interface gigabitethernet 1/0/0
    [U-PE2-GigabitEthernet1/0/0] mpls
    [U-PE2-GigabitEthernet1/0/0] mpls ldp
    [U-PE2-GigabitEthernet1/0/0] quit
    [U-PE2] mpls ldp remote-peer 3.3.3.9
    [U-PE2-mpls-ldp-remote-3.3.3.9] remote-ip 3.3.3.9
    [U-PE2-mpls-ldp-remote-3.3.3.9] quit
    

    After the configuration is complete, run the display mpls ldp session command on the U-PEs, Ps, or S-PE. The command output shows that the LDP sessions are established and the status is Operational. Run the display mpls ldp peer command. The command output shows that LDP peer relationships are established. Run the display mpls lsp command. The command output shows that LSPs are established.

  4. Create and configure PW templates.

    Create PW templates on the U-PEs, and enable the control word function.

    # Configure U-PE1.

    [U-PE1] mpls l2vpn
    [U-PE1-l2vpn] quit
    [U-PE1] pw-template pwt
    [U-PE1-pw-template-pwt] peer-address 3.3.3.9
    [U-PE1-pw-template-pwt] control-word
    [U-PE1-pw-template-pwt] quit

    # Configure U-PE2.

    [U-PE2] mpls l2vpn
    [U-PE2-l2vpn] quit
    [U-PE2] pw-template pwt
    [U-PE2-pw-template-pwt] peer-address 3.3.3.9
    [U-PE2-pw-template-pwt] control-word
    [U-PE2-pw-template-pwt] quit

    NOTE:

    You can also configure a dynamic PW without using the PW template. If the PW template is not used, PW connectivity cannot be verified and path information of the PW cannot be collected. That is, you cannot run the ping vc or tracert vc command.

  5. Create VCs.

    Enable MPLS L2VPN on U-PE1, U-PE2, and the S-PE.

    Configure dynamic PWs on U-PEs, and configure PW switching on the S-PE.

    # Configure U-PE1.

    [U-PE1] interface gigabitethernet 1/0/0
    [U-PE1-GigabitEthernet1/0/0] mpls l2vc pw-template pwt 100 
    [U-PE1-GigabitEthernet1/0/0] quit

    # Configure the S-PE.

    [S-PE] mpls l2vpn
    [S-PE-l2vpn] quit
    [S-PE] mpls switch-l2vc 1.1.1.9 100 between 5.5.5.9 200 encapsulation ethernet

    # Configure U-PE2.

    [U-PE2] interface gigabitethernet 2/0/0
    [U-PE2-GigabitEthernet2/0/0] mpls l2vc pw-template pwt 200
    [U-PE2-GigabitEthernet2/0/0] quit

  6. Verify the configuration.

    1. View the PWE3 connection.

      View the L2VPN connection on the U-PEs and S-PE. The command output shows that an L2VC is set up and the VC status is Up.

      The display on U-PE1 is used as an example.

      [U-PE1] display mpls l2vc interface gigabitethernet 1/0/0
       *client interface       : GigabitEthernet1/0/0 is up
        Administrator PW       : no
        session state          : up
        AC status              : up
        Ignore AC state        : disable
        VC state               : up
        Label state            : 0                                       
        Token state            : 0                                      
        VC ID                  : 100                                    
        VC type                : Ethernet                               
        destination            : 3.3.3.9                                
        local group ID         : 0            remote group ID      : 0   
        local VC label         : 1028         remote VC label      : 1032 
        local AC OAM State     : up                                     
        local PSN OAM State    : up                                   
        local forwarding state : forwarding                            
        local status code      : 0x0                                    
        remote AC OAM state    : up                                    
        remote PSN OAM state   : up                                    
        remote forwarding state: forwarding                            
        remote status code     : 0x0                                   
        ignore standby state   : no                                     
        BFD for PW             : unavailable                          
        VCCV State             : up                                    
        manual fault           : not set                               
        active state           : active                                 
        forwarding entry       : exist                                  
        link state             : up                                    
        local VC MTU           : 1500         remote VC MTU        : 1500 
        local VCCV             : cw alert ttl lsp-ping bfd          
        remote VCCV            : cw alert ttl lsp-ping bfd          
        local control word     : enable       remote control word  : enable  
        tunnel policy name     : --                                      
        PW template name       : pwt                                    
        primary or secondary   : primary                            
        load balance type      : flow                                  
        Access-port            : false                                  
        Switchover Flag        : false                                  
        VC tunnel/token info   : 1 tunnels/tokens                       
          NO.0  TNL type       : lsp   , TNL ID : 0x4                   
          Backup TNL type      : lsp   , TNL ID : 0x0                   
        create time            : 0 days, 0 hours, 9 minutes, 38 seconds 
        up time                : 0 days, 0 hours, 0 minutes, 50 seconds 
        last change time       : 0 days, 0 hours, 0 minutes, 50 seconds 
        VC last up time        : 2013/12/04 16:09:45                    
        VC total up time       : 0 days, 0 hours, 0 minutes, 50 seconds 
        CKey                   : 4                     
        NKey                   : 3                     
        PW redundancy mode     : frr                   
        AdminPw interface      : --                     
        AdminPw link state     : --                    
        Diffserv Mode          : uniform               
        Service Class          : --                    
        Color                  : --                    
        DomainId               : --                    
        Domain Name            : -- 

      Check the L2VC status on the S-PE.

      [S-PE] display mpls switch-l2vc
       Total Switch VC : 1, 1 up, 0 down                                    
                                                                           
      *Switch-l2vc type             : LDP<---->LDP                   
       Peer IP Address              : 5.5.5.9, 1.1.1.9                       
       VC ID                        : 200, 100                               
       VC Type                      : Ethernet                               
       VC State                     : up                             
       VC StatusCode                |PSN |OAM | FW |    |PSN |OAM | FW |    
                         -Local VC :| UP | UP | UP |    | UP | UP | UP |    
                         -Remote VC:| UP | UP | UP |    | UP | UP | UP |    
       Session State                : up, up                                
       Local/Remote Label           : 1031/1028, 1032/1028                  
       InLabel Status               : 0 , 0                                  
       Local/Remote MTU             : 1500/1500, 1500/1500                   
       Local/Remote Control Word    : Enable/Enable, Enable/Enable           
       Local/Remote VCCV Capability : cw alert ttl lsp-ping bfd /cw alert ttl 
       lsp-ping bfd , cw alert ttl lsp-ping bfd /cw alert ttl lsp-ping bfd    
       Switch-l2vc tunnel info      :                                        
                                      1 tunnels for peer 5.5.5.9             
                                      NO.0  TNL Type : lsp   , TNL ID : 0x10 
                                      1 tunnels for peer 1.1.1.9             
                                      NO.0  TNL Type : lsp   , TNL ID : 0xe 
       CKey                         : 14, 16                                
       NKey                         : 13, 15                                
       Tunnel policy                : --, --                                
       Control-Word transparent     : NO                                    
       Create time                  : 0 days, 0 hours, 6 minutes, 39 seconds
       UP time                      : 0 days, 0 hours, 5 minutes, 16 seconds
       Last change time             : 0 days, 0 hours, 5 minutes, 16 seconds
       VC last up time              : 2013/12/01 23:02:39                   
       VC total up time             : 0 days, 0 hours, 5 minutes, 16 seconds 

    2. Detect connectivity of the PW.

      Run the ping vc command on the U-PEs. The command output shows that connectivity of the PW is normal. The display on U-PE1 is used as an example.

      [U-PE1] ping vc ethernet 100 control-word remote 5.5.5.9 200
          Reply from 5.5.5.9: bytes=100 Sequence=1 time = 740 ms
          Reply from 5.5.5.9: bytes=100 Sequence=2 time = 90 ms
          Reply from 5.5.5.9: bytes=100 Sequence=3 time = 160 ms
          Reply from 5.5.5.9: bytes=100 Sequence=4 time = 130 ms
          Reply from 5.5.5.9: bytes=100 Sequence=5 time = 160 ms
      
        --- FEC: FEC 128 PSEUDOWIRE (NEW). Type = vlan, ID = 100 ping statistics ---
          5 packet(s) transmitted
          5 packet(s) received
          0.00% packet loss
          round-trip min/avg/max = 90/256/740 ms

    3. Check connectivity between the CEs and information about the paths between the CEs.

      CE1 and CE2 can ping each other.

      [CE1] ping 100.1.1.2
        PING 100.1.1.2: 56  data bytes, press CTRL_C to break
          Reply from 100.1.1.2: bytes=56 Sequence=1 ttl=255 time=180 ms
          Reply from 100.1.1.2: bytes=56 Sequence=2 ttl=255 time=120 ms
          Reply from 100.1.1.2: bytes=56 Sequence=3 ttl=255 time=160 ms
          Reply from 100.1.1.2: bytes=56 Sequence=4 ttl=255 time=160 ms
          Reply from 100.1.1.2: bytes=56 Sequence=5 ttl=255 time=130 ms
      
        --- 100.1.1.2 ping statistics ---
          5 packet(s) transmitted
          5 packet(s) received
          0.00% packet loss
          round-trip min/avg/max = 120/150/180 ms

      On CE1, perform the tracert operation.

      [CE1] tracert 100.1.1.2
       traceroute to  100.1.1.2(100.1.1.2) max hops: 30 ,packet length: 40,press CTRL_C to break 
       1 100.1.1.2 250 ms  220 ms  130 ms  
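
The two displays in step 6.1 describe the same PW segment from both ends, so they can be cross-checked mechanically. The following added example (not part of the Huawei guide) parses excerpts of the output above and checks that the VC ID, labels, MTU, control word, and state agree between U-PE1 and the S-PE. It assumes that the comma-separated values in the S-PE output follow the order of Peer IP Address, as the sample output suggests; the function names are hypothetical.

```python
import re

# Excerpts of the command output shown on this page.
UPE1_L2VC = """\
 VC state               : up
 VC ID                  : 100
 destination            : 3.3.3.9
 local VC label         : 1028         remote VC label      : 1032
 local VC MTU           : 1500         remote VC MTU        : 1500
 local control word     : enable       remote control word  : enable
"""
SPE_SWITCH = """\
 Peer IP Address              : 5.5.5.9, 1.1.1.9
 VC ID                        : 200, 100
 VC State                     : up
 Session State                : up, up
 Local/Remote Label           : 1031/1028, 1032/1028
 Local/Remote MTU             : 1500/1500, 1500/1500
"""


def fields(output):
    """Map 'name : value' pairs to a dict, including two pairs on one line."""
    out = {}
    for line in output.splitlines():
        # Split only where a run of spaces is followed by a new 'name :' pair.
        for chunk in re.split(r"\s{2,}(?=[A-Za-z][^:]*:\s)", line.strip()):
            if ":" in chunk:
                key, value = chunk.split(":", 1)
                out[key.strip().lower()] = value.strip()
    return out


def check_segment(upe_out, spe_out, upe_ip):
    """Compare a U-PE's view of its PW segment with the S-PE's view of it."""
    u, s = fields(upe_out), fields(spe_out)
    peers = [p.strip() for p in s["peer ip address"].split(",")]
    if upe_ip not in peers:
        return [f"S-PE has no segment toward {upe_ip}"]
    i = peers.index(upe_ip)  # assumed: S-PE value lists follow peer order

    def col(name):
        return s[name].split(",")[i].strip()

    problems = []
    if col("vc id") != u["vc id"]:
        problems.append("VC ID mismatch")
    # The label one end advertises is the label the other end sends with.
    if col("local/remote label").split("/") != [u["remote vc label"], u["local vc label"]]:
        problems.append("label mismatch")
    if set(col("local/remote mtu").split("/")) != {u["local vc mtu"]}:
        problems.append("MTU mismatch")
    if u["local control word"] != u["remote control word"]:
        problems.append("control word mismatch")
    if {col("session state"), s["vc state"], u["vc state"]} != {"up"}:
        problems.append("segment not up")
    return problems
```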

Configuration Files

  • Configuration file of CE1

    #
    sysname CE1
    #
    interface GigabitEthernet1/0/0
     ip address 100.1.1.1 255.255.255.0
    #
    return

  • Configuration file of U-PE1

    #
    sysname U-PE1
    #
    mpls lsr-id 1.1.1.9
    mpls
    #
    mpls l2vpn
    #
    pw-template pwt
     peer-address 3.3.3.9
     control-word
    # 
    mpls ldp
    #
    mpls ldp remote-peer 3.3.3.9
     remote-ip 3.3.3.9  
    #
    interface GigabitEthernet1/0/0
     mpls l2vc pw-template pwt 100 
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.1.1 255.255.255.0
     mpls
     mpls ldp
    #
    interface LoopBack0
     ip address 1.1.1.9 255.255.255.255
    #
    ospf 1
     area 0.0.0.0
      network 10.1.1.0 0.0.0.255
      network 1.1.1.9 0.0.0.0
    #
    return

  • Configuration file of P1

    #
    sysname P1
    #
    mpls lsr-id 2.2.2.9
    mpls
    #
    mpls ldp
    #
    interface GigabitEthernet1/0/0
     ip address 10.1.1.2 255.255.255.0
     mpls
     mpls ldp
    #
    interface GigabitEthernet2/0/0
     ip address 20.1.1.1 255.255.255.0
     mpls
     mpls ldp
    #
    interface LoopBack0
     ip address 2.2.2.9 255.255.255.255
    #
    ospf 1
     area 0.0.0.0
      network 2.2.2.9 0.0.0.0
      network 10.1.1.0 0.0.0.255
      network 20.1.1.0 0.0.0.255
    #
    return

  • Configuration file of the S-PE

    #
    sysname S-PE
    #
    mpls lsr-id 3.3.3.9
    mpls
    #
    mpls l2vpn
    #
    mpls switch-l2vc 1.1.1.9 100 between 5.5.5.9 200 encapsulation ethernet
    #
    mpls ldp
    #
    mpls ldp remote-peer 1.1.1.9
     remote-ip 1.1.1.9
    #
    mpls ldp remote-peer 5.5.5.9
     remote-ip 5.5.5.9
    #
    interface GigabitEthernet1/0/0
     ip address 20.1.1.2 255.255.255.0
     mpls
     mpls ldp
    #
    interface GigabitEthernet2/0/0
     ip address 30.1.1.1 255.255.255.0
     mpls
     mpls ldp
    #
    interface LoopBack0
     ip address 3.3.3.9 255.255.255.255
    #
    ospf 1
     area 0.0.0.0
      network 3.3.3.9 0.0.0.0
      network 20.1.1.0 0.0.0.255
      network 30.1.1.0 0.0.0.255
    #
    return

  • Configuration file of P2

    #
    sysname P2
    #
    mpls lsr-id 4.4.4.9
    mpls
    #
    mpls ldp
    #
    interface GigabitEthernet1/0/0
     ip address 30.1.1.2 255.255.255.0
     mpls
     mpls ldp
    #
    interface GigabitEthernet2/0/0
     ip address 40.1.1.1 255.255.255.0
     mpls
     mpls ldp
    #
    interface LoopBack0
     ip address 4.4.4.9 255.255.255.255
    #
    ospf 1
     area 0.0.0.0
      network 4.4.4.9 0.0.0.0
      network 30.1.1.0 0.0.0.255
      network 40.1.1.0 0.0.0.255
    #
    return

  • Configuration file of U-PE2

    #
    sysname U-PE2
    #
    mpls lsr-id 5.5.5.9
    mpls
    #
    mpls l2vpn
    #
    pw-template pwt
     peer-address 3.3.3.9
     control-word
    # 
    mpls ldp
    #
    mpls ldp remote-peer 3.3.3.9
     remote-ip 3.3.3.9
    #
    interface GigabitEthernet1/0/0
     ip address 40.1.1.2 255.255.255.0
     mpls
     mpls ldp
    #
    interface GigabitEthernet2/0/0
     mpls l2vc pw-template pwt 200 
    #
    interface LoopBack0
     ip address 5.5.5.9 255.255.255.255
    #
    ospf 1
     area 0.0.0.0
      network 5.5.5.9 0.0.0.0
      network 40.1.1.0 0.0.0.255
    #
    return

  • Configuration file of CE2

    #
    sysname CE2
    #
    interface GigabitEthernet1/0/0
     ip address 100.1.1.2 255.255.255.0
    #
    return
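
A consistency check for the configuration files above, added here as an example (it is not Huawei's code): it confirms that each LSR ID and VC ID named in the S-PE's mpls switch-l2vc statement matches a U-PE, that each U-PE's PW template points at the S-PE, and that remote LDP peers are configured in both directions. The function names and the trimmed configuration text are assumptions of the example, which also assumes one PW template per U-PE.

```python
import re

# Trimmed PW-related lines from this page's configuration files; the two
# U-PE files differ only in LSR ID, AC interface and VC ID.
UPE = """mpls lsr-id {lsr}
pw-template pwt
 peer-address 3.3.3.9
 control-word
mpls ldp remote-peer 3.3.3.9
 remote-ip 3.3.3.9
interface GigabitEthernet{port}/0/0
 mpls l2vc pw-template pwt {vc}
"""
CONFIGS = {
    "U-PE1": UPE.format(lsr="1.1.1.9", port=1, vc=100),
    "U-PE2": UPE.format(lsr="5.5.5.9", port=2, vc=200),
    "S-PE": """mpls lsr-id 3.3.3.9
mpls switch-l2vc 1.1.1.9 100 between 5.5.5.9 200 encapsulation ethernet
mpls ldp remote-peer 1.1.1.9
 remote-ip 1.1.1.9
mpls ldp remote-peer 5.5.5.9
 remote-ip 5.5.5.9
""",
}

def _first(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def parse(text):
    """Pull the PW-related facts out of one device configuration."""
    return {
        "lsr_id": _first(r"^mpls lsr-id (\S+)", text),
        "remote_ips": set(re.findall(r"^ remote-ip (\S+)", text, re.M)),
        "tmpl_peer": _first(r"^ peer-address (\S+)", text),
        "control_word": bool(re.search(r"^ control-word\s*$", text, re.M)),
        "vc_id": _first(r"^ mpls l2vc pw-template \S+ (\d+)", text),
    }

def audit(configs, s_pe="S-PE"):
    """Return findings; an empty list means both segments line up on the S-PE."""
    dev = {name: parse(text) for name, text in configs.items()}
    spe, findings = dev[s_pe], []
    sw = re.search(r"^mpls switch-l2vc (\S+) (\d+) between (\S+) (\d+)", configs[s_pe], re.M)
    if not sw:
        return [f"{s_pe}: no mpls switch-l2vc statement"]
    upes = {d["lsr_id"]: (n, d) for n, d in dev.items() if n != s_pe}
    for ip, vc in (sw.groups()[:2], sw.groups()[2:]):
        if ip not in upes:
            findings.append(f"no U-PE configuration with lsr-id {ip}")
            continue
        name, d = upes[ip]
        if d["vc_id"] != vc:
            findings.append(f"{name}: VC ID {d['vc_id']}, S-PE switches {vc}")
        if d["tmpl_peer"] != spe["lsr_id"]:
            findings.append(f"{name}: template peer is not the S-PE")
        if spe["lsr_id"] not in d["remote_ips"] or ip not in spe["remote_ips"]:
            findings.append(f"{name}: remote LDP peer missing on one side")
    # The page enables control-word on both U-PEs; flag a one-sided setting.
    if len({d["control_word"] for _, d in upes.values()}) > 1:
        findings.append("control-word enabled on only one U-PE")
    return findings
```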
Updated: 2019-08-07

Document ID: EDOC1100033725
