CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Configuring a VLL Using an MPLS TE Tunnel

Networking Requirements

As shown in Figure 10-25, the MPLS network of an ISP provides the L2VPN service for users. Many users connect to the MPLS network through PE1 and PE2, and users connected to the PE devices change frequently. A proper VPN solution is required to provide secure VPN services for users and to simplify configuration when new users connect to the network.

Figure 10-25  Networking for configuring a Martini VLL

Configuration Roadmap

As the number of access users is large and the users frequently change, a VLL in Martini mode is recommended between the PEs to simplify configuration when new users connect to the network. To ensure reliable transmission of VPN services, the highly reliable MPLS TE tunnel is recommended as the public network tunnel.

The configuration roadmap is as follows:

  1. Assign an IP address to each interface, and configure an IGP on the PE and P devices on the backbone network to implement interworking between the devices.

  2. Create an MPLS TE tunnel and configure a tunnel policy to transmit VLL data.

  3. Create a VLL in Martini mode between the PEs to simplify configuration when new users connect to the network. Create a remote LDP session between the PEs to transmit local VC labels to the remote device. Create a VC connection between the PEs and apply the tunnel policy to select the MPLS TE tunnel.

Procedure

  1. Configure an IP address and routing protocol for each interface.

    Assign IP addresses to interfaces, and configure an IGP on the PE and P devices of the backbone network according to Figure 10-25 to implement interworking between the devices.

    # Configure CE1. The configuration on CE2 is similar to the configuration on CE1 and is not mentioned here.

    <Huawei> system-view
    [Huawei] sysname CE1
    [CE1] interface gigabitethernet 1/0/0
    [CE1-GigabitEthernet1/0/0] ip address 192.168.1.1 255.255.255.0
    [CE1-GigabitEthernet1/0/0] quit

    # Configure PE1. The configuration on P and PE2 is similar to the configuration on PE1 and is not mentioned here.

    <Huawei> system-view
    [Huawei] sysname PE1
    [PE1] interface loopback 1
    [PE1-LoopBack1] ip address 1.1.1.9 255.255.255.255
    [PE1-LoopBack1] quit
    [PE1] interface gigabitethernet 2/0/0
    [PE1-GigabitEthernet2/0/0] ip address 172.1.1.1 255.255.255.0
    [PE1-GigabitEthernet2/0/0] quit
    [PE1] ospf 1
    [PE1-ospf-1] area 0
    [PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
    [PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
    [PE1-ospf-1-area-0.0.0.0] quit
    [PE1-ospf-1] quit

  2. Set up an MPLS TE tunnel and create a tunnel binding policy.

    • Enable MPLS, MPLS TE, and RSVP-TE globally on PE1, P, and PE2, and on all interfaces along the tunnel. Enable CSPF on the ingress of the tunnel.

      # Configure PE1.

      [PE1] mpls lsr-id 1.1.1.9
      [PE1] mpls
      [PE1-mpls] mpls te
      [PE1-mpls] mpls rsvp-te
      [PE1-mpls] mpls te cspf
      [PE1-mpls] quit
      [PE1] interface gigabitethernet 2/0/0
      [PE1-GigabitEthernet2/0/0] mpls
      [PE1-GigabitEthernet2/0/0] mpls te
      [PE1-GigabitEthernet2/0/0] mpls rsvp-te
      [PE1-GigabitEthernet2/0/0] quit

      # Configure the P device.

      [P] mpls lsr-id 2.2.2.9
      [P] mpls
      [P-mpls] mpls te
      [P-mpls] mpls rsvp-te
      [P-mpls] quit
      [P] interface gigabitethernet 1/0/0
      [P-GigabitEthernet1/0/0] mpls
      [P-GigabitEthernet1/0/0] mpls te
      [P-GigabitEthernet1/0/0] mpls rsvp-te
      [P-GigabitEthernet1/0/0] quit
      [P] interface gigabitethernet 2/0/0
      [P-GigabitEthernet2/0/0] mpls
      [P-GigabitEthernet2/0/0] mpls te
      [P-GigabitEthernet2/0/0] mpls rsvp-te
      [P-GigabitEthernet2/0/0] quit

      # Configure PE2.

      [PE2] mpls lsr-id 3.3.3.9
      [PE2] mpls
      [PE2-mpls] mpls te
      [PE2-mpls] mpls rsvp-te
      [PE2-mpls] mpls te cspf
      [PE2-mpls] quit
      [PE2] interface gigabitethernet 1/0/0
      [PE2-GigabitEthernet1/0/0] mpls
      [PE2-GigabitEthernet1/0/0] mpls te
      [PE2-GigabitEthernet1/0/0] mpls rsvp-te
      [PE2-GigabitEthernet1/0/0] quit
    • Configure OSPF TE on the MPLS backbone network to advertise TE information.

      # Configure PE1. The configuration on P and PE2 is similar to the configuration on PE1 and is not mentioned here.

      [PE1] ospf 1
      [PE1-ospf-1] opaque-capability enable
      [PE1-ospf-1] area 0
      [PE1-ospf-1-area-0.0.0.0] mpls-te enable
      [PE1-ospf-1-area-0.0.0.0] quit
      [PE1-ospf-1] quit
    • Configure tunnel interfaces for the MPLS TE tunnel.

      On the ingress of the tunnel, create a tunnel interface and set the IP address, tunnel protocol, destination IP address, and tunnel ID. Then, run the mpls te commit command to commit the configuration.

      # Configure PE1.

      [PE1] interface tunnel 0/0/1
      [PE1-Tunnel0/0/1] ip address unnumbered interface loopback 1
      [PE1-Tunnel0/0/1] tunnel-protocol mpls te
      [PE1-Tunnel0/0/1] destination 3.3.3.9
      [PE1-Tunnel0/0/1] mpls te tunnel-id 100
      [PE1-Tunnel0/0/1] mpls te commit
      [PE1-Tunnel0/0/1] quit
      

      # Configure PE2.

      [PE2] interface tunnel 0/0/1
      [PE2-Tunnel0/0/1] ip address unnumbered interface loopback 1
      [PE2-Tunnel0/0/1] tunnel-protocol mpls te
      [PE2-Tunnel0/0/1] destination 1.1.1.9
      [PE2-Tunnel0/0/1] mpls te tunnel-id 100
      [PE2-Tunnel0/0/1] mpls te commit
      [PE2-Tunnel0/0/1] quit
      

      After the configuration is complete, run the display mpls te tunnel-interface command on the PE devices at both ends of the tunnel. The command output shows that an MPLS TE tunnel is set up successfully. The command output on PE1 is used as an example.

      [PE1] display mpls te tunnel-interface 
          ----------------------------------------------------------------
                                     Tunnel0/0/1                
          ----------------------------------------------------------------
          Tunnel State Desc   :  UP                         
          Active LSP          :  Primary LSP                
          Session ID          :  100                         
          Ingress LSR ID      :  1.1.1.9          Egress LSR ID:  3.3.3.9
          Admin State         :  UP               Oper State   :  UP
          Primary LSP State      : UP
            Main LSP State       : READY               LSP ID  : 1  
                        
    • Configure a tunnel binding policy.

      # Configure PE1.

      [PE1] interface tunnel 0/0/1
      [PE1-Tunnel0/0/1] mpls te reserved-for-binding
      [PE1-Tunnel0/0/1] mpls te commit
      [PE1-Tunnel0/0/1] quit
      [PE1] tunnel-policy 1
      [PE1-tunnel-policy-1] tunnel binding destination 3.3.3.9 te tunnel 0/0/1
      [PE1-tunnel-policy-1] quit
      

      # Configure PE2.

      [PE2] interface tunnel 0/0/1
      [PE2-Tunnel0/0/1] mpls te reserved-for-binding
      [PE2-Tunnel0/0/1] mpls te commit
      [PE2-Tunnel0/0/1] quit
      [PE2] tunnel-policy 1
      [PE2-tunnel-policy-1] tunnel binding destination 1.1.1.9 te tunnel 0/0/1
      [PE2-tunnel-policy-1] quit
      

  3. Create a remote LDP session between PE1 and PE2.

    # Configure PE1.

    [PE1] mpls ldp
    [PE1-mpls-ldp] quit
    [PE1] mpls ldp remote-peer 3.3.3.9
    [PE1-mpls-ldp-remote-3.3.3.9] remote-ip 3.3.3.9
    [PE1-mpls-ldp-remote-3.3.3.9] quit

    # Configure PE2.

    [PE2] mpls ldp
    [PE2-mpls-ldp] quit
    [PE2] mpls ldp remote-peer 1.1.1.9
    [PE2-mpls-ldp-remote-1.1.1.9] remote-ip 1.1.1.9
    [PE2-mpls-ldp-remote-1.1.1.9] quit

    After the configuration is complete, run the display mpls ldp session command on PE1 to view the LDP session status. The command output shows that the LDP session status is Operational, indicating that a remote LDP session is established between PE1 and PE2.

    The command output on PE1 is used as an example.

    [PE1] display mpls ldp session
      
     LDP Session(s) in Public Network                      
     Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
     A '*' before a session means the session is being deleted. 
     ------------------------------------------------------------------------------
     PeerID             Status      LAM  SsnRole  SsnAge      KASent/Rcv
     ------------------------------------------------------------------------------ 
     3.3.3.9:0         Operational DU   Passive  0000:00:00  1/1 
     ------------------------------------------------------------------------------ 
     TOTAL: 1 session(s) Found.  
    

  4. Create a VC connection between the PE devices, and apply a tunnel binding policy to the connection.

    # Configure PE1.

    [PE1] mpls l2vpn
    [PE1-l2vpn] quit
    [PE1] interface gigabitethernet 1/0/0
    [PE1-GigabitEthernet1/0/0] mpls l2vc 3.3.3.9 101 tunnel-policy 1
    [PE1-GigabitEthernet1/0/0] quit

    # Configure PE2.

    [PE2] mpls l2vpn
    [PE2-l2vpn] quit
    [PE2] interface gigabitethernet 2/0/0
    [PE2-GigabitEthernet2/0/0] mpls l2vc 1.1.1.9 101 tunnel-policy 1
    [PE2-GigabitEthernet2/0/0] quit

  5. Verify the configuration.

    # Check the L2VPN connections on the PE devices. You can see that an L2VC is set up and is in Up state.

    The command output on PE1 is used as an example.

    [PE1] display mpls l2vc interface gigabitethernet 1/0/0
     *client interface       : GigabitEthernet1/0/0 is up         
      Administrator PW       : no          
      session state          : up                     
      AC status              : up                     
      Ignore AC state        : disable
      VC state               : up                      
      Label state            : 0                      
      Token state            : 0                     
      VC ID                  : 101                     
      VC type                : Ethernet                  
      destination            : 3.3.3.9                 
      local group ID         : 0            remote group ID      : 0 
      local VC label         : 1026         remote VC label      : 1032
      local AC OAM State     : up                                 
      local PSN OAM State    : up                                
      local forwarding state : forwarding                        
      local status code      : 0x0                                
      remote AC OAM state    : up                               
      remote PSN OAM state   : up                              
      remote forwarding state: forwarding                           
      remote status code     : 0x0                                  
      ignore standby state   : no                                 
      BFD for PW             : unavailable                          
      VCCV State             : up                                   
      manual fault           : not set                           
      active state           : active                            
      forwarding entry       : exist                             
      link state             : up                       
      local VC MTU           : 1500         remote VC MTU        : 1500
      local VCCV             : alert ttl lsp-ping bfd   
      remote VCCV            : alert ttl lsp-ping bfd   
      local control word     : disable      remote control word  : disable
      tunnel policy name     : 1                                   
      PW template name       : --                                  
      primary or secondary   : primary                       
      load balance type      : flow      
      Access-port            : false    
      Switchover Flag        : false    
      VC tunnel/token info   : 1 tunnels/tokens  
        NO.0  TNL type       : cr lsp, TNL ID : 0x1 
        Backup TNL type      : lsp   , TNL ID : 0x0 
      create time            : 0 days, 4 hours, 16 minutes, 25 seconds  
      up time                : 0 days, 4 hours, 15 minutes, 58 seconds  
      last change time       : 0 days, 4 hours, 15 minutes, 58 seconds  
      VC last up time        : 2013/09/16 09:57:04   
      VC total up time       : 0 days, 4 hours, 15 minutes, 58 seconds 
      CKey                   : 4                                  
      NKey                   : 3                                 
      PW redundancy mode     : frr                                 
      AdminPw interface      : --                                  
      AdminPw link state     : --                               
      Diffserv Mode          : uniform                          
      Service Class          : --                               
      Color                  : --                               
      DomainId               : --                               
      Domain Name            : --  

    # CE1 and CE2 can ping each other.

    The command output on CE1 is used as an example.

    [CE1] ping 192.168.1.2
      PING 192.168.1.2: 56  data bytes, press CTRL_C to break          
        Reply from 192.168.1.2: bytes=56 Sequence=1 ttl=255 time=10 ms 
        Reply from 192.168.1.2: bytes=56 Sequence=2 ttl=255 time=1 ms  
        Reply from 192.168.1.2: bytes=56 Sequence=3 ttl=255 time=10 ms 
        Reply from 192.168.1.2: bytes=56 Sequence=4 ttl=255 time=1 ms  
        Reply from 192.168.1.2: bytes=56 Sequence=5 ttl=255 time=10 ms 
                                                     
      --- 192.168.1.2 ping statistics ---            
        5 packet(s) transmitted                      
        5 packet(s) received                         
        0.00% packet loss                            
        round-trip min/avg/max = 1/6/10 ms

Configuration Files

  • Configuration file of CE1

    #
    sysname CE1
    #
    interface GigabitEthernet1/0/0
     ip address 192.168.1.1 255.255.255.0
    #
    return
  • Configuration file of PE1

    #
    sysname PE1
    #
    mpls lsr-id 1.1.1.9
    mpls
     mpls te
     mpls rsvp-te
     mpls te cspf
    #
    mpls l2vpn
    #
    mpls ldp
    #
    mpls ldp remote-peer 3.3.3.9
     remote-ip 3.3.3.9
    #
    interface GigabitEthernet1/0/0
     mpls l2vc 3.3.3.9 101 tunnel-policy 1
    #
    interface GigabitEthernet2/0/0
     ip address 172.1.1.1 255.255.255.0
     mpls
     mpls te
     mpls rsvp-te
    #
    interface LoopBack1
     ip address 1.1.1.9 255.255.255.255
    #
    interface Tunnel0/0/1
     ip address unnumbered interface LoopBack1
     tunnel-protocol mpls te
     destination 3.3.3.9
     mpls te tunnel-id 100
     mpls te reserved-for-binding
     mpls te commit
    #
    ospf 1
     opaque-capability enable
     area 0.0.0.0
      network 1.1.1.9 0.0.0.0
      network 172.1.1.0 0.0.0.255
      mpls-te enable 
    #
    tunnel-policy 1 
     tunnel binding destination 3.3.3.9 te Tunnel0/0/1
    #
    return
  • Configuration file of the P device

    #
    sysname P
    #
    mpls lsr-id 2.2.2.9
    mpls
     mpls te
     mpls rsvp-te
    #
    interface GigabitEthernet1/0/0
     ip address 172.1.1.2 255.255.255.0
     mpls
     mpls te
     mpls rsvp-te
    #
    interface GigabitEthernet2/0/0
     ip address 172.1.2.1 255.255.255.0
     mpls
     mpls te
     mpls rsvp-te
    #
    interface LoopBack1
     ip address 2.2.2.9 255.255.255.255
    #
    ospf 1
     opaque-capability enable
     area 0.0.0.0
      network 2.2.2.9 0.0.0.0
      network 172.1.1.0 0.0.0.255
      network 172.1.2.0 0.0.0.255
      mpls-te enable 
    #
    return
  • Configuration file of PE2

    #
    sysname PE2
    #
    mpls lsr-id 3.3.3.9
    mpls
     mpls te
     mpls rsvp-te
     mpls te cspf
    #
    mpls l2vpn
    #
    mpls ldp
    #
    mpls ldp remote-peer 1.1.1.9
     remote-ip 1.1.1.9
    #
    interface GigabitEthernet1/0/0
     ip address 172.1.2.2 255.255.255.0
     mpls
     mpls te
     mpls rsvp-te
    #
    interface GigabitEthernet2/0/0
     mpls l2vc 1.1.1.9 101 tunnel-policy 1
    #
    interface LoopBack1
     ip address 3.3.3.9 255.255.255.255
    #
    interface Tunnel0/0/1
     ip address unnumbered interface LoopBack1
     tunnel-protocol mpls te
     destination 1.1.1.9
     mpls te tunnel-id 100
     mpls te reserved-for-binding
     mpls te commit
    #
    ospf 1
     opaque-capability enable
     area 0.0.0.0
      network 3.3.3.9 0.0.0.0
      network 172.1.2.0 0.0.0.255
      mpls-te enable 
    #
    tunnel-policy 1 
     tunnel binding destination 1.1.1.9 te Tunnel0/0/1
    #
    return
  • Configuration file of CE2

    #
    sysname CE2
    #
    interface GigabitEthernet1/0/0
     ip address 192.168.1.2 255.255.255.0
    #
    return
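
The VC only comes up when both PE configurations agree: same VC ID, each `mpls l2vc` peer equal to the other PE's LSR ID, a remote LDP peer for that address, and a tunnel policy binding that points at a TE tunnel marked `mpls te reserved-for-binding` with the same destination. The following Python check is an added example, not part of the Huawei guide; it reads saved configuration in the form shown in the configuration files above, and the names `TEMPLATE`, `facts` and `audit` and the sample excerpts are constructed for illustration.

```python
import re

# Constructed excerpt in saved-configuration form, modelled on this page's PE files.
TEMPLATE = """\
mpls lsr-id {me}
mpls ldp remote-peer {peer}
 remote-ip {peer}
interface GigabitEthernet1/0/0
 mpls l2vc {peer} {vc} tunnel-policy 1
interface Tunnel0/0/1
 destination {peer}
 mpls te reserved-for-binding
tunnel-policy 1
 tunnel binding destination {peer} te Tunnel0/0/1
"""
PE1 = TEMPLATE.format(me="1.1.1.9", peer="3.3.3.9", vc=101)
PE2 = TEMPLATE.format(me="3.3.3.9", peer="1.1.1.9", vc=101)

def facts(cfg):
    """Extract LSR ID, L2VCs, TE tunnel bodies, policy bindings and LDP peers."""
    f, head = {"lsr": None, "vcs": [], "tnl": {}, "bind": {}, "ldp": set()}, ""
    for line in cfg.splitlines():
        text = line.strip()
        if not line.startswith(" "):          # unindented line opens a section
            head = text
            if m := re.fullmatch(r"mpls lsr-id (\S+)", text):
                f["lsr"] = m[1]
        elif m := re.fullmatch(r"mpls l2vc (\S+) (\d+) tunnel-policy (\S+)", text):
            f["vcs"].append((m[1], m[2], m[3]))
        elif head.startswith("mpls ldp remote-peer ") and text.startswith("remote-ip "):
            f["ldp"].add(text.split()[1])
        elif head.startswith("interface Tunnel"):
            # Keep every line of the tunnel interface body for later checks.
            f["tnl"].setdefault(head.split()[1], set()).add(text)
        elif m := re.fullmatch(r"tunnel binding destination (\S+) te (\S+)", text):
            # Key: (policy name, destination); value: bound tunnel interface.
            f["bind"][(head.rpartition(" ")[2], m[1])] = m[2]
    return f

def audit(local, remote):
    """Findings for the local PE's L2VCs, checked against the remote PE."""
    l, r, out = facts(local), facts(remote), []
    for peer, vc, policy in l["vcs"]:
        if peer != r["lsr"]:
            out.append(f"VC {vc}: peer {peer} is not the remote LSR ID")
        if (l["lsr"], vc) not in {(p, v) for p, v, _ in r["vcs"]}:
            out.append(f"VC {vc}: remote PE has no l2vc {vc} back to {l['lsr']}")
        if peer not in l["ldp"]:
            out.append(f"VC {vc}: no remote LDP peer for {peer}")
        tnl = l["tnl"].get(l["bind"].get((policy, peer)))
        if tnl is None:
            out.append(f"VC {vc}: policy {policy} binds no TE tunnel for {peer}")
        elif {f"destination {peer}", "mpls te reserved-for-binding"} - tnl:
            out.append(f"VC {vc}: bound tunnel is not reserved-for-binding to {peer}")
    return out
```

Run `audit` in both directions (PE1 against PE2 and PE2 against PE1); an empty list means the two sides are consistent for every configured VC.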
Updated: 2019-08-07

Document ID: EDOC1100033725
