CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Configuring a Layer 3 VXLAN Gateway

Context

A VBDIF interface is configured on a Layer 3 VXLAN gateway to forward packets across network segments. You do not need to create a VBDIF interface for communication between users in the same network segment.

If end users in a VXLAN site need to access the Internet or communicate with end users in another VXLAN site, a Layer 3 VXLAN gateway needs to be deployed to provide end users with Layer 3 services.

After you create a logical Layer 3 VBDIF interface and configure an IP address for the VBDIF interface, the VBDIF interface functions as the gateway for tenants in the BD to forward packets at Layer 3 based on the IP address. Each BD has only one VBDIF interface.

To ensure that users in different network segments can communicate with each other, ensure that the default gateway address is the IP address of the VBDIF interface on the Layer 3 VXLAN gateway.

Procedure

  1. Configure a VPN instance.
    1. Run system-view

      The system view is displayed.

    2. Run ip vpn-instance vpn-instance-name

      A VPN instance is created, and the VPN instance view is displayed.

    3. Run ipv4-family

      The IPv4 address family is enabled for the VPN instance and the VPN instance IPv4 address family view is displayed.

      By default, the IPv4 address family is disabled for the VPN instance.

    4. Run route-distinguisher route-distinguisher

      A route distinguisher (RD) is configured for the VPN instance.

      By default, no RD is configured for the VPN instance.

    5. Run vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ] evpn

      The VPN target is configured for the VPN instance.

      A VPN target is a BGP extended community attribute that controls the receiving and advertisement of EVPN routing information. A maximum of eight VPN targets can be configured in a single vpn-target command. If you want to configure more VPN targets in the EVPN instance address family, run the vpn-target evpn command multiple times.

    6. (Optional) Run export route-policy policy-name evpn

      The VPN instance IPv4 address family is associated with an export routing policy to filter EVPN routes to be advertised to the EVPN address family.

      To strictly control EVPN route advertisement, you need to configure an export routing policy. It can filter routes to be advertised to the EVPN address family.

    7. (Optional) Run import route-policy policy-name evpn

      The VPN instance IPv4 address family is associated with an import routing policy to filter EVPN routes received from the EVPN address family.

      To strictly control EVPN route acceptance, you need to configure an import routing policy. It can filter routes received from the EVPN address family.

    8. Run quit

      Exit from the VPN instance IPv4 address family view and return to the VPN instance view.

    9. Run vxlan vni vni-id

      A VNI is bound to the VPN instance.

      By default, no VNI is bound to the VPN instance.

    10. Run quit

      Exit from the VPN instance view and return to the system view.

  2. Configure a Layer 3 gateway and bind the VPN instance to it.
    1. Run interface vbdif bd-id

      A VBDIF interface is created and the VBDIF interface view is displayed.

      NOTE:

      The number of the VBDIF interface must match an existing BD ID.

    2. Run ip binding vpn-instance vpn-instance-name

      The VBDIF interface is bound to the VPN instance.

      NOTE:
      • Using the ip binding vpn-instance command will delete Layer 3 configurations such as the IP address and routing protocol on the VBDIF interface. Reconfigure them if needed.
      • An interface cannot be bound to a VPN instance that is not enabled with an address family.

    3. Run ip address ip-address { mask | mask-length } [ sub ]

      An IP address is configured for the VBDIF interface to implement Layer 3 communication.

      By default, no IP address is configured for a VBDIF interface.

    4. (Optional) Run mac-address mac-address

      A MAC address is configured for the VBDIF interface.

      By default, the MAC address of a VBDIF interface is the system MAC address.

    5. Run quit

      Exit from the VBDIF interface view and return to the system view.

  3. Configure VXLAN gateways to advertise IP prefix routes to each other.
    1. Run bgp as-number

      The BGP view is displayed.

    2. Run ipv4-family vpn-instance vpn-instance-name

      The BGP-VPN instance IPv4 address family view is displayed.

    3. Run import-route protocol [ process-id ] [ med med | route-policy route-policy-name ] *

      Routes of other protocols are imported into the BGP-VPN instance IPv4 address family.

      To enable advertisement of host IP routes, you only need to configure the device to import direct routes. To enable advertisement of network segment routes, advertise these routes using a dynamic routing protocol such as OSPF and enable the device to import routes of dynamic routing protocols.

    4. Run advertise l2vpn evpn

      The VPN instance is enabled to advertise IP routes to the BGP-EVPN address family.

      By default, the VPN instance is disabled from advertising IP routes to the BGP-EVPN address family.
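
The NOTEs in step 2 impose three constraints that are easy to violate when a change is scripted: the VBDIF number must match an existing BD, the VPN instance must have an address family enabled before an interface is bound to it, and ip binding vpn-instance deletes an IP address configured earlier. The Python check below is an added example, not part of the Huawei guide; it lints a planned command sequence (as typed, including quit) for those three conditions. The function name, the existing_bds parameter and the sample values are assumptions made for this example.

```python
import re

def lint_l3_gateway(commands, existing_bds):
    """Check a typed command sequence against the NOTEs in step 2."""
    vpn_af, vbdif, findings = {}, {}, []  # instance -> AF enabled; BD id -> state
    ctx, depth = None, 0                  # current view and its nesting depth
    for line in filter(None, map(str.strip, commands.splitlines())):
        if m := re.fullmatch(r"ip vpn-instance (\S+)", line):
            ctx, depth = ("vpn", m.group(1)), 1
            vpn_af.setdefault(m.group(1), False)
        elif m := re.fullmatch(r"interface vbdif\s*(\d+)", line, re.I):
            ctx, depth = ("vbdif", int(m.group(1))), 1
            vbdif.setdefault(ctx[1], {"addr": False, "vpn": None})
            if ctx[1] not in existing_bds:
                findings.append(f"vbdif {ctx[1]}: no existing BD with this ID")
        elif line == "quit":
            depth -= 1
            ctx = ctx if depth > 0 else None
        elif ctx and ctx[0] == "vpn" and line == "ipv4-family":
            vpn_af[ctx[1]], depth = True, depth + 1   # entered the AF view
        elif ctx and ctx[0] == "vbdif":
            state = vbdif[ctx[1]]
            if m := re.fullmatch(r"ip binding vpn-instance (\S+)", line):
                state.update(vpn=m.group(1), addr=False)  # binding wipes L3 config
                if not vpn_af.get(m.group(1), False):
                    findings.append(f"vbdif {ctx[1]}: vpn-instance {m.group(1)} has no address family enabled")
            elif line.startswith("ip address "):
                state["addr"] = True
    for bd, state in vbdif.items():
        if state["vpn"] and not state["addr"]:
            findings.append(f"vbdif {bd}: no IP address left after binding")
    return findings

# Constructed input, trimmed to the lines the checks read; names and addresses are made up.
SAMPLE = """
ip vpn-instance vpn1
ipv4-family
quit
quit
ip vpn-instance vpn2
quit
interface vbdif 10
ip address 192.168.10.1 24
ip binding vpn-instance vpn1
quit
interface vbdif 30
ip binding vpn-instance vpn2
ip address 192.168.30.1 24
"""
```

Calling lint_l3_gateway(SAMPLE, existing_bds={10}) reports VBDIF 30 twice (no matching BD, VPN instance without an address family) and VBDIF 10 once, because its address was configured before the binding.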

Updated: 2019-08-07

Document ID: EDOC1100033725
