CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.

Configuring Tunnel Policies

This section describes how to configure a tunnel policy and tunnel selector. By default, VPN services are transmitted through LSP tunnels. To use TE tunnels to transmit VPN services or load balance VPN traffic on multiple tunnels, configure a tunnel policy.

Pre-configuration Tasks

Before configuring a tunnel policy, complete the following tasks:

  • Creating the GRE, LSP, or MPLS TE tunnels used to transmit VPN services
    NOTE:

    For details on how to create a GRE tunnel, see GRE Configuration in the Huawei AR Series Access Routers Configuration Guide - VPN.

    For details on how to create an LSP tunnel, see MPLS LDP Configuration in the Huawei AR Series Access Routers Configuration Guide - MPLS.

    For details on how to create a TE tunnel, see MPLS TE Configuration in the Huawei AR Series Access Routers Configuration Guide - MPLS.

  • Establishing the basic VPN network (For details about BGP/MPLS IP VPN configuration, see Configuring Basic BGP/MPLS IP VPN Functions)

Before configuring and applying a tunnel selector, complete the following tasks:

  • Configuring a tunnel policy (see Configuring and Applying a Tunnel Policy)

  • Configuring an RD filter if routes need to be filtered based on RDs

  • Configuring an ACL or IPv4 prefix if routes need to be filtered based on the next hop IPv4 address

Configuration Procedure

When VPN services need to be transmitted over TE or GRE tunnels, or when multiple tunnels need to perform load balancing to fully use network resources, complete the task of Configuring and Applying a Tunnel Policy.

To select TE or GRE tunnels to transmit VPN services in HoVPN, inter-AS VPN Option B, or inter-AS VPN Option C networking, complete the task of Configuring and Applying a Tunnel Selector on the SPE, ASBR, and PE devices.

NOTE:

By default, if you specify a nonexistent tunnel policy in a command, the command does not take effect.

To allow a nonexistent tunnel policy to be specified in a command, run the tunnel-policy nonexistent-config-check command.

Configuring and Applying a Tunnel Policy

Context

VPN data is transmitted over tunnels. By default, LSP tunnels are used to transmit data, and each service is transmitted by only one LSP tunnel.

If the default tunnel configuration cannot meet VPN service requirements, apply tunnel policies to VPNs. You can configure either of the following types of tunnel policies according to service requirements:

  • Tunnel type prioritization policy: This policy can change the type of tunnels selected for VPN data transmission or select multiple tunnels for load balancing.
  • Tunnel binding policy: This policy can bind multiple TE tunnels to provide QoS guarantee for a VPN.

Perform the following steps on the PE devices that need to use a tunnel policy.

Procedure

  1. Configure a tunnel policy.

    Use either of the following methods to configure a tunnel policy.

    Configure a tunnel type prioritization policy.

    By default, no tunnel policy is configured. LSP tunnels are used to transmit VPN data and each VPN service is transmitted over one LSP tunnel.

    1. Run system-view

      The system view is displayed.

    2. Run tunnel-policy policy-name

      A tunnel policy is created, and tunnel policy view is displayed.

    3. (Optional) Run description description-information

      The description of the tunnel policy is configured.

    4. Run tunnel select-seq { gre | lsp | cr-lsp }* load-balance-number load-balance-number

      The sequence in which each type of tunnel is selected and the number of tunnels participating in load balancing are set.

    Configure a tunnel binding policy.

    1. Run system-view

      The system view is displayed.

    2. Run interface tunnel interface-number

      A tunnel interface is created and the tunnel interface view is displayed.

    3. Run tunnel-protocol mpls te

      MPLS TE is configured as a tunnel protocol.

    4. Run mpls te reserved-for-binding

      The binding capability of the TE tunnel is enabled.

    5. Run mpls te commit

      The MPLS TE configuration is committed for the configuration to take effect.

    6. Run quit

      Return to the system view.

    7. Run tunnel-policy policy-name

      A tunnel policy is created.

    8. (Optional) Run description description-information

      The description of the tunnel policy is configured.

    9. Run tunnel binding destination dest-ip-address te { tunnel interface-number } &<1-16> [ ignore-destination-check ] [ down-switch ]

      Bind specified TE tunnels in the policy.

      NOTE:
      • If the PE device has multiple peers, you can run the tunnel binding command multiple times to specify different destination IP addresses in a tunnel policy.
      • If down-switch is specified in the command, the system selects available tunnels in an order of LSP, CR-LSP, and GRE when the bound tunnels are unavailable.

  2. Apply the tunnel policy.
    1. Run system-view

      The system view is displayed.

    2. Run ip vpn-instance vpn-instance-name

      The VPN instance view is displayed.

    3. Run ipv4-family

      The VPN instance IPv4 address family view is displayed.

    4. Run tnl-policy policy-name

      A tunnel policy is applied to the VPN instance IPv4 address family.
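The procedure above as one CLI session, covering both policy types and the apply step. This is an added example, not part of the original guide: the device name PE1, the policy names, the VPN instance vpna, the destination 192.0.2.9, the interface number 0/0/1 and the prompt strings are constructed placeholders, and the TE tunnel is assumed to be otherwise fully configured as described in the pre-configuration tasks.

```text
# Constructed example; all names, addresses and interface numbers are placeholders.
# Method 1: tunnel type prioritization policy.
# Prefer CR-LSPs, then LSPs, and load balance over up to 2 tunnels.
<PE1> system-view
[PE1] tunnel-policy te-first
[PE1-tunnel-policy-te-first] description Prefer TE tunnels for vpna
[PE1-tunnel-policy-te-first] tunnel select-seq cr-lsp lsp load-balance-number 2
[PE1-tunnel-policy-te-first] quit

# Method 2: tunnel binding policy.
# Enable binding on the TE tunnel interface first, then commit.
[PE1] interface tunnel 0/0/1
[PE1-Tunnel0/0/1] tunnel-protocol mpls te
[PE1-Tunnel0/0/1] mpls te reserved-for-binding
[PE1-Tunnel0/0/1] mpls te commit
[PE1-Tunnel0/0/1] quit
# Bind the tunnel to the peer PE; down-switch permits fallback to other
# available tunnels if the bound tunnel becomes unavailable.
[PE1] tunnel-policy bind-to-pe2
[PE1-tunnel-policy-bind-to-pe2] tunnel binding destination 192.0.2.9 te tunnel 0/0/1 down-switch
[PE1-tunnel-policy-bind-to-pe2] quit

# Apply one of the policies to the VPN instance IPv4 address family.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] tnl-policy bind-to-pe2
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit

# Confirm that the policy exists and is attached to the instance.
[PE1] display tunnel-policy bind-to-pe2
[PE1] display ip vpn-instance verbose vpna
```

Without down-switch, VPN traffic for that destination depends entirely on the bound tunnel, so decide explicitly whether isolation or availability matters more for the service.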

Verifying the Configuration

After configuring a tunnel policy and applying it to a VPN instance, you can check information about the tunnel policy applied to the VPN instance and tunnels in the system.

  • Run the display tunnel-info { tunnel-id tunnel-id | all | statistics [ slots ] } command to check information about tunnels in the system.
  • Run the display interface tunnel interface-number command to check detailed information about a specified tunnel interface.
  • Run the display tunnel-policy [ tunnel-policy-name ] command to check information about the specified tunnel policy.
  • Run the display ip vpn-instance verbose [ vpn-instance-name ] command to check the tunnel policy applied to the specified VPN instance.

Configuring and Applying a Tunnel Selector

Context

By configuring a tunnel selector, you can set route filtering conditions to iterate expected routes to the specified tunnels. A tunnel selector consists of two parts:
  • if-match clause: matches an attribute of routes, for example, RD and next hop.

    If no if-match clause is configured in a tunnel selector, all routes match the tunnel selector.

  • apply clause: applies a tunnel policy to the routes matching the filtering rules.

After a tunnel selector is applied to routes on a PE, ASBR, or SPE device, the device filters routes using the specified filtering rules and iterates the matching routes to specified tunnels.

A tunnel selector takes effect for the following routes:
  • VPNv4 routes: When a tunnel selector is applied to a BGP-VPNv4 address family on an SPE device in HoVPN networking or an ASBR in inter-AS VPN Option B networking, the SPE device or ASBR applies the tunnel policy to VPNv4 routes and iterates the matching routes to expected tunnels.

  • Labeled BGP-IPv4 routes: When a tunnel selector is applied to the BGP-IPv4 unicast address family on a PE device or an ASBR in inter-AS VPN Option C networking, the PE device or ASBR applies the tunnel policy to labeled BGP-IPv4 routes.

Procedure

  1. Create a tunnel selector.
    1. Run system-view

      The system view is displayed.

    2. Run tunnel-selector tunnel-selector-name { permit | deny } node node

      A tunnel selector is created, and tunnel selector view is displayed.

    3. (Optional) Configure if-match clauses.

      If no if-match clause is configured in a tunnel selector, all routes match the tunnel selector.

      • To configure an if-match clause that filters routes based on route distinguishers (RDs), run if-match rd-filter rd-filter-number.
      • To configure an if-match clause that filters routes based on next-hop IPv4 addresses, run if-match ip next-hop { acl { acl-number | acl-name } | ip-prefix ip-prefix-name }.
      • To configure an if-match clause that filters routes based on next-hop IPv6 addresses, run if-match ipv6 next-hop prefix-list ipv6-prefix-name.

    4. Run apply tunnel-policy tunnel-policy-name

      An apply clause is configured to specify a tunnel policy for the routes matching the if-match clause.

  2. Apply the tunnel selector.

    Apply the tunnel selector to VPNv4 routes.

    Perform the following steps on an SPE device in HoVPN networking or an ASBR in inter-AS VPN Option B networking:

    1. Run system-view

      The system view is displayed.

    2. Run bgp { as-number-plain | as-number-dot }

      The BGP view is displayed.

    3. Run ipv4-family vpnv4

      The BGP-VPNv4 address family view is displayed.

    4. Run tunnel-selector tunnel-selector-name

      The tunnel selector is applied to VPNv4 routes on the local device. The tunnel policy specified in the apply clause is applied to the VPNv4 routes that match the if-match clause. The VPNv4 routes that are filtered out by the if-match clause are iterated to LSP tunnels.

    Apply the tunnel selector to labeled BGP-IPv4 routes.

    Perform the following steps on a PE device or an ASBR in inter-AS VPN Option C networking:

    1. Run system-view

      The system view is displayed.

    2. Run bgp { as-number-plain | as-number-dot }

      The BGP view is displayed.

    3. Run tunnel-selector tunnel-selector-name

      The tunnel selector is applied to labeled BGP-IPv4 routes on the local device.

      The tunnel policy specified in the apply clause is applied to the labeled BGP-IPv4 routes that match the if-match clause. The labeled BGP-IPv4 routes that are filtered out by the if-match clause are iterated to LSP tunnels.
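The tunnel selector procedure for the VPNv4 case as one CLI session on an inter-AS VPN Option B ASBR. This is an added example, not part of the original guide: the device name ASBR1, AS number 100, selector name to-te, node 10, RD filter 1, policy name te-first and the prompt strings are constructed placeholders, and the RD filter and tunnel policy are assumed to exist already as required by the pre-configuration tasks.

```text
# Constructed example; all names and numbers are placeholders.
# Create the selector: routes whose RD matches RD filter 1 get tunnel policy te-first.
<ASBR1> system-view
[ASBR1] tunnel-selector to-te permit node 10
[ASBR1-tunnel-selector] if-match rd-filter 1
[ASBR1-tunnel-selector] apply tunnel-policy te-first
[ASBR1-tunnel-selector] quit

# Apply the selector to VPNv4 routes in the BGP-VPNv4 address family view.
[ASBR1] bgp 100
[ASBR1-bgp] ipv4-family vpnv4
[ASBR1-bgp-af-vpnv4] tunnel-selector to-te
[ASBR1-bgp-af-vpnv4] quit
[ASBR1-bgp] quit

# Check the selector and the policy named in its apply clause.
[ASBR1] display tunnel-selector to-te
[ASBR1] display tunnel-policy te-first
```

VPNv4 routes that do not match RD filter 1 are still iterated to LSP tunnels, so confirm the chosen tunnel per route with the display bgp vpnv4 all routing-table command before relying on the selector.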

Verifying the Configuration

After configuring and applying a tunnel selector, run the following commands to check information about the tunnel selector and tunnel policy specified in the tunnel selector.

  • Run the display tunnel-selector tunnel-selector-name command to check detailed information about the tunnel selector.
  • Run the display tunnel-policy tunnel-policy-name command to check information about the tunnel policy specified by the apply clause in the tunnel selector.
  • Run the display bgp vpnv4 all routing-table ipv4-address [ mask [ longer-prefixes ] | mask-length [ longer-prefixes ] ] command to check tunnels selected for VPNv4 routes on the ASBR or SPE device.
  • Run the display ip routing-table ip-address [ mask | mask-length ] [ longer-match ] verbose command to check the tunnels selected for labeled BGP-IPv4 routes on the PE device.
  • Run the display tunnel-info { tunnel-id tunnel-id | all | statistics [ slots ] } command to check information about tunnels in the system.
Updated: 2019-08-07

Document ID: EDOC1100033725
