CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.

Example for Configuring Hub and Spoke

Networking Requirements

A bank wants its headquarters and branches to communicate securely over an MPLS VPN. VPN traffic from the branches must pass through the headquarters so that the headquarters can monitor the traffic. Hub and Spoke networking meets this requirement. As shown in Figure 7-45, the Spoke-CEs connect to branches, and the Hub-CE connects to the headquarters. All traffic transmitted between Spoke-CEs is forwarded by the Hub-CE.

Figure 7-45  Networking diagram for configuring Hub and Spoke

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an IGP protocol on the backbone network to enable the Hub-PE and Spoke-PEs to communicate with each other.
  2. Configure basic MPLS capabilities and MPLS LDP on the backbone network to set up LDP LSPs.
  3. Set up MP-IBGP peer relationships between the Hub-PE and the Spoke-PEs. The Spoke-PEs do not need to set up an MP-IBGP peer relationship with each other or exchange VPN routing information with each other.

  4. Create two VPN instances on the Hub-PE. One is used to receive routes from the Spoke-PEs, and the other is used to advertise routes to the Spoke-PEs. Set the import target of the first VPN instance to 100:1 and the export target of the other VPN instance to 200:1.

  5. Create a VPN instance on the Spoke-PEs. Set the export target of the VPN instance to 100:1 and the import target to 200:1.

  6. Configure EBGP between the CEs and PEs so that they can exchange VPN routing information. Configure the Hub-PE to accept routes in which the AS number is repeated once.

Procedure

  1. Configure OSPF on the backbone network to enable the Hub-PE and Spoke-PEs to communicate with each other.

    # Configure Spoke-PE1. The configuration on the Hub-PE and Spoke-PE2 is similar to the configuration on Spoke-PE1 and is not mentioned here.

    <Huawei> system-view
    [Huawei] sysname Spoke-PE1
    [Spoke-PE1] interface loopback 1
    [Spoke-PE1-LoopBack1] ip address 1.1.1.9 32
    [Spoke-PE1-LoopBack1] quit
    [Spoke-PE1] interface gigabitethernet 2/0/0
    [Spoke-PE1-GigabitEthernet2/0/0] ip address 10.1.1.1 24
    [Spoke-PE1-GigabitEthernet2/0/0] quit
    [Spoke-PE1] ospf 1
    [Spoke-PE1-ospf-1] area 0
    [Spoke-PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
    [Spoke-PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
    [Spoke-PE1-ospf-1-area-0.0.0.0] quit
    [Spoke-PE1-ospf-1] quit
    

    After the configuration is complete, Hub-PE can establish OSPF neighbor relationships with the Spoke-PEs. Run the display ospf peer command on the PEs. The command output shows that the status of OSPF neighbor relationships is Full. Run the display ip routing-table command. The command output shows that the Hub-PE and the Spoke-PEs have learned the route to the loopback interface of each other.

  2. Configure basic MPLS capabilities and MPLS LDP on the backbone network to set up LDP LSPs.

    # Configure the Hub-PE. The configuration on the Spoke-PEs is similar to the configuration on the Hub-PE and is not mentioned here.

    [Hub-PE] mpls lsr-id 2.2.2.9
    [Hub-PE] mpls
    [Hub-PE-mpls] label advertise non-null
    [Hub-PE-mpls] quit
    [Hub-PE] mpls ldp
    [Hub-PE-mpls-ldp] quit
    [Hub-PE] interface gigabitethernet 1/0/0
    [Hub-PE-GigabitEthernet1/0/0] mpls
    [Hub-PE-GigabitEthernet1/0/0] mpls ldp
    [Hub-PE-GigabitEthernet1/0/0] quit
    [Hub-PE] interface gigabitethernet 2/0/0
    [Hub-PE-GigabitEthernet2/0/0] mpls
    [Hub-PE-GigabitEthernet2/0/0] mpls ldp
    [Hub-PE-GigabitEthernet2/0/0] quit
    

    After the configuration is complete, the Hub-PE can set up LDP peer relationships with the Spoke-PEs. Run the display mpls ldp session command on the PEs. In the command output, the state is Operational. Run the display mpls ldp lsp command. Information about the established LDP LSPs is displayed.

  3. Configure VPN instances on PEs and bind the instances to the interfaces connected to CEs.

    NOTE:

    The import target of the VPN instances on the Hub-PE is the export target of the VPN instance on the Spoke-PEs. The import target and export target on the Hub-PE are different. The import VPN target on the Spoke-PEs is the export VPN target on the Hub-PE.

    # Configure Spoke-PE1.

    [Spoke-PE1] ip vpn-instance vpna
    [Spoke-PE1-vpn-instance-vpna] ipv4-family
    [Spoke-PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
    [Spoke-PE1-vpn-instance-vpna-af-ipv4] vpn-target 100:1 export-extcommunity
    [Spoke-PE1-vpn-instance-vpna-af-ipv4] vpn-target 200:1 import-extcommunity
    [Spoke-PE1-vpn-instance-vpna-af-ipv4] quit
    [Spoke-PE1-vpn-instance-vpna] quit
    [Spoke-PE1] interface gigabitethernet 1/0/0
    [Spoke-PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
    [Spoke-PE1-GigabitEthernet1/0/0] ip address 100.1.1.2 24
    [Spoke-PE1-GigabitEthernet1/0/0] quit
    

    # Configure Spoke-PE2.

    [Spoke-PE2] ip vpn-instance vpna
    [Spoke-PE2-vpn-instance-vpna] ipv4-family
    [Spoke-PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 100:3
    [Spoke-PE2-vpn-instance-vpna-af-ipv4] vpn-target 100:1 export-extcommunity
    [Spoke-PE2-vpn-instance-vpna-af-ipv4] vpn-target 200:1 import-extcommunity
    [Spoke-PE2-vpn-instance-vpna-af-ipv4] quit
    [Spoke-PE2-vpn-instance-vpna] quit
    [Spoke-PE2] interface gigabitethernet 1/0/0
    [Spoke-PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpna
    [Spoke-PE2-GigabitEthernet1/0/0] ip address 120.1.1.2 24
    [Spoke-PE2-GigabitEthernet1/0/0] quit
    

    # Configure the Hub-PE.

    [Hub-PE] ip vpn-instance vpn_in
    [Hub-PE-vpn-instance-vpn_in] ipv4-family
    [Hub-PE-vpn-instance-vpn_in-af-ipv4] route-distinguisher 100:21
    [Hub-PE-vpn-instance-vpn_in-af-ipv4] vpn-target 100:1 import-extcommunity
    [Hub-PE-vpn-instance-vpn_in-af-ipv4] quit
    [Hub-PE-vpn-instance-vpn_in] quit
    [Hub-PE] ip vpn-instance vpn_out
    [Hub-PE-vpn-instance-vpn_out] ipv4-family
    [Hub-PE-vpn-instance-vpn_out-af-ipv4] route-distinguisher 100:22
    [Hub-PE-vpn-instance-vpn_out-af-ipv4] vpn-target 200:1 export-extcommunity
    [Hub-PE-vpn-instance-vpn_out-af-ipv4] quit
    [Hub-PE-vpn-instance-vpn_out] quit
    [Hub-PE] interface gigabitethernet 3/0/0
    [Hub-PE-GigabitEthernet3/0/0] ip binding vpn-instance vpn_in
    [Hub-PE-GigabitEthernet3/0/0] ip address 110.1.1.2 24
    [Hub-PE-GigabitEthernet3/0/0] quit
    [Hub-PE] interface gigabitethernet 4/0/0
    [Hub-PE-GigabitEthernet4/0/0] ip binding vpn-instance vpn_out
    [Hub-PE-GigabitEthernet4/0/0] ip address 110.2.1.2 24
    [Hub-PE-GigabitEthernet4/0/0] quit
    

    # Assign IP addresses to interfaces on CEs according to Figure 7-45.

    # Configure Spoke-CE1. The configuration on other CEs is similar to the configuration on Spoke-CE1 and is not mentioned here.

    <Huawei> system-view
    [Huawei] sysname Spoke-CE1
    [Spoke-CE1] interface gigabitethernet 1/0/0
    [Spoke-CE1-GigabitEthernet1/0/0] ip address 100.1.1.1 24
    [Spoke-CE1-GigabitEthernet1/0/0] quit

    After the configuration is complete, run the display ip vpn-instance verbose command on the PEs to check the configuration of VPN instances. Each PE can ping its connected CE by using the ping -vpn-instance vpn-name ip-address command.

    NOTE:

    If a PE has multiple interfaces bound to the same VPN instance, you need to specify the source IP addresses by setting -a source-ip-address in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command to ping the remote CE. If the source IP address is not specified, the ping operation fails.

  4. Set up EBGP peer relationships between the PEs and CEs and import VPN routes into BGP.

    NOTE:

    To accept the routes advertised by the Hub-CE, configure the Hub-PE to allow the AS number to be repeated once.

    # Configure Spoke-CE1.

    [Spoke-CE1] bgp 65410
    [Spoke-CE1-bgp] peer 100.1.1.2 as-number 100
    [Spoke-CE1-bgp] import-route direct
    [Spoke-CE1-bgp] quit

    # Configure Spoke-PE1.

    [Spoke-PE1] bgp 100
    [Spoke-PE1-bgp] ipv4-family vpn-instance vpna
    [Spoke-PE1-bgp-vpna] peer 100.1.1.1 as-number 65410
    [Spoke-PE1-bgp-vpna] import-route direct
    [Spoke-PE1-bgp-vpna] quit
    [Spoke-PE1-bgp] quit

    # Configure Spoke-CE2.

    [Spoke-CE2] bgp 65420
    [Spoke-CE2-bgp] peer 120.1.1.2 as-number 100
    [Spoke-CE2-bgp] import-route direct
    [Spoke-CE2-bgp] quit

    # Configure Spoke-PE2.

    [Spoke-PE2] bgp 100
    [Spoke-PE2-bgp] ipv4-family vpn-instance vpna
    [Spoke-PE2-bgp-vpna] peer 120.1.1.1 as-number 65420
    [Spoke-PE2-bgp-vpna] import-route direct
    [Spoke-PE2-bgp-vpna] quit
    [Spoke-PE2-bgp] quit

    # Configure the Hub-CE.

    [Hub-CE] bgp 65430
    [Hub-CE-bgp] peer 110.1.1.2 as-number 100
    [Hub-CE-bgp] peer 110.2.1.2 as-number 100
    [Hub-CE-bgp] import-route direct
    [Hub-CE-bgp] quit

    # Configure the Hub-PE.

    [Hub-PE] bgp 100
    [Hub-PE-bgp] ipv4-family vpn-instance vpn_in
    [Hub-PE-bgp-vpn_in] peer 110.1.1.1 as-number 65430
    [Hub-PE-bgp-vpn_in] import-route direct
    [Hub-PE-bgp-vpn_in] quit
    [Hub-PE-bgp] ipv4-family vpn-instance vpn_out
    [Hub-PE-bgp-vpn_out] peer 110.2.1.1 as-number 65430
    [Hub-PE-bgp-vpn_out] peer 110.2.1.1 allow-as-loop 1
    [Hub-PE-bgp-vpn_out] import-route direct
    [Hub-PE-bgp-vpn_out] quit
    [Hub-PE-bgp] quit
    

    After the configuration is complete, run the display bgp vpnv4 all peer command on the PEs. The command output shows that the BGP peer relationships have been set up between the PEs and CEs and are in Established state.

  5. Set up MP-IBGP peer relationships between the Spoke-PEs and Hub-PE.

    NOTE:

    The Spoke-PEs do not need to allow the repeated AS number, because the router does not check the AS_Path attribute in the routing information advertised by the IBGP peers.

    # Configure Spoke-PE1.

    [Spoke-PE1] bgp 100
    [Spoke-PE1-bgp] peer 2.2.2.9 as-number 100
    [Spoke-PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
    [Spoke-PE1-bgp] ipv4-family vpnv4
    [Spoke-PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
    [Spoke-PE1-bgp-af-vpnv4] quit

    # Configure Spoke-PE2.

    [Spoke-PE2] bgp 100
    [Spoke-PE2-bgp] peer 2.2.2.9 as-number 100
    [Spoke-PE2-bgp] peer 2.2.2.9 connect-interface loopback 1
    [Spoke-PE2-bgp] ipv4-family vpnv4
    [Spoke-PE2-bgp-af-vpnv4] peer 2.2.2.9 enable
    [Spoke-PE2-bgp-af-vpnv4] quit

    # Configure the Hub-PE.

    [Hub-PE] bgp 100
    [Hub-PE-bgp] peer 1.1.1.9 as-number 100
    [Hub-PE-bgp] peer 1.1.1.9 connect-interface loopback 1
    [Hub-PE-bgp] peer 3.3.3.9 as-number 100
    [Hub-PE-bgp] peer 3.3.3.9 connect-interface loopback 1
    [Hub-PE-bgp] ipv4-family vpnv4
    [Hub-PE-bgp-af-vpnv4] peer 1.1.1.9 enable
    [Hub-PE-bgp-af-vpnv4] peer 3.3.3.9 enable
    [Hub-PE-bgp-af-vpnv4] quit

    After the configuration is complete, run the display bgp peer or display bgp vpnv4 all peer command on the PEs. The command output shows that the BGP peer relationships have been set up between the Spoke-PEs and the Hub-PE and are in Established state.

  6. Verify the configuration.

    # After the configuration is complete, the Spoke-CEs can ping each other. Run the tracert command on the CEs. The command output shows that the traffic between the Spoke-CEs is forwarded through the Hub-CE. You can also deduce the number of forwarding devices between the Spoke-CEs based on the TTL in the ping result.

    # The information displayed on Spoke-CE1 is used as an example.

    [Spoke-CE1] ping 120.1.1.1
      PING 120.1.1.1: 56  data bytes, press CTRL_C to break
        Reply from 120.1.1.1: bytes=56 Sequence=1 ttl=250 time=80 ms
        Reply from 120.1.1.1: bytes=56 Sequence=2 ttl=250 time=129 ms
        Reply from 120.1.1.1: bytes=56 Sequence=3 ttl=250 time=132 ms
        Reply from 120.1.1.1: bytes=56 Sequence=4 ttl=250 time=92 ms
        Reply from 120.1.1.1: bytes=56 Sequence=5 ttl=250 time=126 ms
      --- 120.1.1.1 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 80/111/132 ms 
    
    [Spoke-CE1] tracert 120.1.1.1
     traceroute to  120.1.1.1(120.1.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break
     1 100.1.1.2 10 ms  2 ms  1 ms                                                  
     2 110.2.1.2 < AS=100 > 10 ms  2 ms  2 ms                                       
     3 110.2.1.1 < AS=100 > 10 ms  2 ms  2 ms                                       
     4 110.1.1.2 < AS=65430 > 10 ms  2 ms  2 ms                                     
     5 120.1.1.2 < AS=100 > 10 ms  2 ms  2 ms                                       
     6 120.1.1.1 < AS=100 > 10 ms  2 ms  5 ms        

    # Run the display bgp routing-table command on the Spoke-CEs. The command output shows the repeated AS number in AS paths of the BGP routes to the remote Spoke-CE.

    # The information displayed on Spoke-CE1 is used as an example.

    [Spoke-CE1] display bgp routing-table
                                                                                    
     BGP Local router ID is 100.1.1.1                                               
     Status codes: * - valid, > - best, d - damped,                                 
                   h - history,  i - internal, s - suppressed, S - Stale            
                   Origin : i - IGP, e - EGP, ? - incomplete                        
                                                                                    
                                                                                    
     Total Number of Routes: 8                                                      
          Network            NextHop        MED        LocPrf    PrefVal Path/Ogn   
                                                                                    
     *>   100.1.1.0/24       0.0.0.0         0                     0      ?         
                             100.1.1.2       0                     0      100?      
     *>   100.1.1.1/32       0.0.0.0         0                     0      ?         
     *>   110.1.1.0/24       100.1.1.2                             0      100 65430?
     *>   110.2.1.0/24       100.1.1.2                             0      100?      
     *>   120.1.1.0/24       100.1.1.2                             0      100 65430 100?
     *>   127.0.0.0          0.0.0.0         0                     0      ?         
     *>   127.0.0.1/32       0.0.0.0         0                     0      ?         
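The AS_Path behaviour described in the notes of steps 4 and 5, modelled as an added example (not code from the Huawei guide). It uses the devices and AS numbers on this page; the hop table and the `propagate` function are constructions of this example, and a receiver with no allow-as-loop entry is modelled as tolerating zero repetitions of its own AS.

```python
# Constructed hop table: (sender, sender AS, receiver, receiver AS) for the
# route 120.1.1.0/24 on its way from Spoke-PE2 to Spoke-CE1 through the hub.
HUB_PATH = [
    ("Spoke-PE2", 100, "Hub-PE vpn_in", 100),     # MP-IBGP, carried with RT 100:1
    ("Hub-PE vpn_in", 100, "Hub-CE", 65430),      # EBGP
    ("Hub-CE", 65430, "Hub-PE vpn_out", 100),     # EBGP, AS 100 is already in the path
    ("Hub-PE vpn_out", 100, "Spoke-PE1", 100),    # MP-IBGP, carried with RT 200:1
    ("Spoke-PE1", 100, "Spoke-CE1", 65410),       # EBGP
]


def propagate(hops, allow_as_loop=None):
    """Walk a route along hops and return (delivered, as_path, dropped_at).

    allow_as_loop maps a receiver name to the number of times its own AS may
    already appear in AS_Path (hypothetical model of 'peer ... allow-as-loop').
    """
    allow = allow_as_loop or {}
    path = []                               # direct route originated inside AS 100
    for sender, sender_as, receiver, receiver_as in hops:
        if sender_as == receiver_as:
            continue                        # IBGP: no prepend and no AS_Path check
        path = [sender_as] + path           # EBGP sender prepends its own AS
        if path.count(receiver_as) > allow.get(receiver, 0):
            return False, path, receiver    # receiver's loop check rejects the route
    return True, path, None


if __name__ == "__main__":
    print(propagate(HUB_PATH))                           # strict loop check
    print(propagate(HUB_PATH, {"Hub-PE vpn_out": 1}))    # as configured on this page
```

With the allowance set only for the Hub-PE peer in vpn_out, the resulting path matches the `100 65430 100` entry for 120.1.1.0/24 in the Spoke-CE1 routing table above.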
    

Configuration Files

  • Spoke-CE1 configuration file

    #
     sysname Spoke-CE1
    #
    interface GigabitEthernet1/0/0
     ip address 100.1.1.1 255.255.255.0
    #
    bgp 65410
     peer 100.1.1.2 as-number 100
     #
     ipv4-family unicast
      undo synchronization
      import-route direct
      peer 100.1.1.2 enable
    #
    return
  • Spoke-PE1 configuration file

    #
     sysname Spoke-PE1
    #
    ip vpn-instance vpna
     ipv4-family 
      route-distinguisher 100:1
      vpn-target 100:1 export-extcommunity
      vpn-target 200:1 import-extcommunity
    #
     mpls lsr-id 1.1.1.9
     mpls
      label advertise non-null
    #
    mpls ldp
    #
    interface GigabitEthernet1/0/0
     ip binding vpn-instance vpna
     ip address 100.1.1.2 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.1.1 255.255.255.0
     mpls
     mpls ldp
    #  
    interface LoopBack1
     ip address 1.1.1.9 255.255.255.255
    #
    bgp 100
     peer 2.2.2.9 as-number 100
     peer 2.2.2.9 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 2.2.2.9 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 2.2.2.9 enable
     #
     ipv4-family vpn-instance vpna
      peer 100.1.1.1 as-number 65410
      import-route direct
    #
    ospf 1
     area 0.0.0.0
      network 10.1.1.0 0.0.0.255
      network 1.1.1.9 0.0.0.0
    #
    return
  • Spoke-PE2 configuration file

    #
     sysname Spoke-PE2
    #
    ip vpn-instance vpna
     ipv4-family
      route-distinguisher 100:3
      vpn-target 100:1 export-extcommunity
      vpn-target 200:1 import-extcommunity
    #
     mpls lsr-id 3.3.3.9
     mpls
      label advertise non-null
    #
    mpls ldp
    #
    interface GigabitEthernet1/0/0
     ip binding vpn-instance vpna
     ip address 120.1.1.2 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 11.1.1.1 255.255.255.0
     mpls
     mpls ldp
    #
    interface LoopBack1
     ip address 3.3.3.9 255.255.255.255
    #
    bgp 100
     peer 2.2.2.9 as-number 100
     peer 2.2.2.9 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 2.2.2.9 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 2.2.2.9 enable
     #
     ipv4-family vpn-instance vpna
      peer 120.1.1.1 as-number 65420
      import-route direct
    #
    ospf 1
     area 0.0.0.0
      network 3.3.3.9 0.0.0.0
      network 11.1.1.0 0.0.0.255
    #
    return
  • Spoke-CE2 configuration file

    #
     sysname Spoke-CE2
    #
    interface GigabitEthernet1/0/0
     ip address 120.1.1.1 255.255.255.0
    #
    bgp 65420
     peer 120.1.1.2 as-number 100
     #
     ipv4-family unicast
      undo synchronization
      import-route direct
      peer 120.1.1.2 enable
    #
    return
  • Hub-CE configuration file

    #
     sysname Hub-CE
    #
    interface GigabitEthernet1/0/0
     ip address 110.1.1.1 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 110.2.1.1 255.255.255.0
    #
    bgp 65430
     peer 110.1.1.2 as-number 100
     peer 110.2.1.2 as-number 100
     #
     ipv4-family unicast
      undo synchronization
      import-route direct
      peer 110.2.1.2 enable
      peer 110.1.1.2 enable
    #
    return
  • Hub-PE configuration file

    #
     sysname Hub-PE
    #
    ip vpn-instance vpn_in
     ipv4-family
      route-distinguisher 100:21
      vpn-target 100:1 import-extcommunity
    #
    ip vpn-instance vpn_out
     ipv4-family
      route-distinguisher 100:22
      vpn-target 200:1 export-extcommunity
    #
     mpls lsr-id 2.2.2.9
     mpls
      label advertise non-null
    #
    mpls ldp
    #
    interface GigabitEthernet1/0/0
     ip address 10.1.1.2 255.255.255.0
     mpls
     mpls ldp
    #
    interface GigabitEthernet2/0/0
     ip address 11.1.1.2 255.255.255.0
     mpls
     mpls ldp
    #
    interface GigabitEthernet3/0/0
     ip binding vpn-instance vpn_in
     ip address 110.1.1.2 255.255.255.0
    #
    interface GigabitEthernet4/0/0
     ip binding vpn-instance vpn_out
     ip address 110.2.1.2 255.255.255.0
    #
    interface LoopBack1
     ip address 2.2.2.9 255.255.255.255
    #
    bgp 100
     peer 1.1.1.9 as-number 100
     peer 1.1.1.9 connect-interface LoopBack1
     peer 3.3.3.9 as-number 100
     peer 3.3.3.9 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 1.1.1.9 enable
      peer 3.3.3.9 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 1.1.1.9 enable
      peer 3.3.3.9 enable
     #
     ipv4-family vpn-instance vpn_in
      peer 110.1.1.1 as-number 65430
      import-route direct
     #
     ipv4-family vpn-instance vpn_out
      peer 110.2.1.1 as-number 65430
      peer 110.2.1.1 allow-as-loop
      import-route direct
    #
    ospf 1
     area 0.0.0.0
      network 2.2.2.9 0.0.0.0
      network 10.1.1.0 0.0.0.255
      network 11.1.1.0 0.0.0.255
    #
    return
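
An added offline check, not part of the Huawei guide, that reads `vpn-target` lines from configuration text and reports route-target combinations that would let spoke routes bypass the Hub-PE. The stanzas are trimmed copies of the configuration files above (route distinguishers omitted); the function names, the caller-supplied set of hub devices, and the treatment of a `vpn-target` line without a keyword as `both` are assumptions of this example.

```python
import re

# Constructed input: vpn-instance stanzas trimmed from the configuration
# files on this page. Which devices are hubs is supplied by the caller.
SPOKE_VPNA = """ip vpn-instance vpna
 ipv4-family
  vpn-target 100:1 export-extcommunity
  vpn-target 200:1 import-extcommunity
#"""
PAGE_CONFIGS = {"Spoke-PE1": SPOKE_VPNA, "Spoke-PE2": SPOKE_VPNA, "Hub-PE": """ip vpn-instance vpn_in
 ipv4-family
  vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn_out
 ipv4-family
  vpn-target 200:1 export-extcommunity
#"""}


def parse_targets(device, text):
    """Map (device, instance) -> {'import': set, 'export': set} of route targets."""
    found, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"ip vpn-instance (\S+)", line)
        if head:
            cur = found.setdefault((device, head.group(1)),
                                   {"import": set(), "export": set()})
        elif line and not line[0].isspace():
            cur = None                          # "#" or another top-level stanza
        elif cur is not None and line.split()[:1] == ["vpn-target"]:
            *rts, kind = line.split()[1:]
            if kind not in ("both", "export-extcommunity", "import-extcommunity"):
                rts, kind = rts + [kind], "both"    # no keyword: assumed to mean both
            for side in ("import", "export"):
                if kind in ("both", side + "-extcommunity"):
                    cur[side].update(rts)
    return found


def audit_hub_spoke(configs, hubs):
    """Return findings where route targets break the hub-and-spoke design."""
    inst = {}
    for device, text in configs.items():
        inst.update(parse_targets(device, text))
    spokes = [key for key in inst if key[0] not in hubs]
    hub_in = set().union(*(inst[k]["import"] for k in inst if k[0] in hubs))
    hub_out = set().union(*(inst[k]["export"] for k in inst if k[0] in hubs))
    findings = []
    for a in spokes:
        for b in spokes:
            leak = inst[a]["export"] & inst[b]["import"]
            if a[0] != b[0] and leak:           # spoke learns spoke routes directly
                findings.append(f"{a[0]} -> {b[0]} direct via {sorted(leak)}")
        if not inst[a]["export"] & hub_in:
            findings.append(f"{a[0]}: hub imports none of its export targets")
        if not inst[a]["import"] & hub_out:
            findings.append(f"{a[0]}: imports none of the hub export targets")
    if hub_in & hub_out:
        findings.append(f"hub re-imports its own exports {sorted(hub_in & hub_out)}")
    return findings
```

An empty result for the configuration on this page means every spoke route is visible to other spokes only after the Hub-PE has imported it and re-exported it with 200:1.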
Updated: 2019-08-07

Document ID: EDOC1100033725
