CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Configuring VPN FRR

Networking Requirements

As shown in Figure 7-57, CE1 dual-homing networking is deployed to improve reliability of VPN data transmission. Link_A is the primary link, and Link_B is the backup link. The customer wants to transmit VPN services through the primary link and hopes that VPN traffic can be quickly switched to the backup link when the primary link fails.

Figure 7-57  Networking diagram for configuring VPN FRR

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure OSPF on PE1, PE2, and PE3 to implement interworking on the backbone network.

  2. Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network to set up LDP LSPs.

  3. Configure a VPN instance on PE1, PE2, and PE3. On PE2 and PE3, bind the VPN instance to the interfaces connected to CE1.

  4. Set up EBGP peer relationships between PE2 and CE1 and between PE3 and CE1. Set up MP-IBGP peer relationships between the PEs.

  5. On PE1, configure a routing policy for VPN FRR, configure the backup next hop, and enable VPN FRR. When VPN FRR is not required, run the undo vpn frr command to disable this function.

  6. Configure multi-hop BFD on PE1 and PE2.

Procedure

  1. Assign IP addresses to interfaces according to Figure 7-57.

    # Configure PE1.

    <Huawei> system-view
    [Huawei] sysname PE1
    [PE1] interface loopback 1
    [PE1-LoopBack1] ip address 1.1.1.1 32
    [PE1-LoopBack1] quit
    [PE1] interface gigabitethernet 2/0/0
    [PE1-GigabitEthernet2/0/0] ip address 100.1.1.1 30
    [PE1-GigabitEthernet2/0/0] quit
    [PE1] interface gigabitethernet 3/0/0
    [PE1-GigabitEthernet3/0/0] ip address 100.2.1.1 30
    [PE1-GigabitEthernet3/0/0] quit
    

    The configuration on PE2, PE3, and CE1 is similar to the configuration on PE1 and is not mentioned here.

  2. Configure OSPF on the MPLS backbone network for IP connectivity between the PEs on the backbone network.

    # Configure PE1.

    [PE1] ospf
    [PE1-ospf-1] area 0
    [PE1-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.3
    [PE1-ospf-1-area-0.0.0.0] network 100.2.1.0 0.0.0.3
    [PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
    [PE1-ospf-1-area-0.0.0.0] quit
    [PE1-ospf-1] quit
    

    The configuration on PE2 and PE3 is similar to the configuration on PE1 and is not mentioned here.

  3. Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network to set up LDP LSPs.

    # Configure PE1.

    [PE1] mpls lsr-id 1.1.1.1
    [PE1] mpls
    [PE1-mpls] quit
    [PE1] mpls ldp
    [PE1-mpls-ldp] quit
    [PE1] interface gigabitethernet 2/0/0
    [PE1-GigabitEthernet2/0/0] mpls
    [PE1-GigabitEthernet2/0/0] mpls ldp
    [PE1-GigabitEthernet2/0/0] quit
    [PE1] interface gigabitethernet 3/0/0
    [PE1-GigabitEthernet3/0/0] mpls
    [PE1-GigabitEthernet3/0/0] mpls ldp
    [PE1-GigabitEthernet3/0/0] quit
    

    # Configure PE2.

    [PE2] mpls lsr-id 2.2.2.2
    [PE2] mpls
    [PE2-mpls] quit
    [PE2] mpls ldp
    [PE2-mpls-ldp] quit
    [PE2] interface gigabitethernet 1/0/0
    [PE2-GigabitEthernet1/0/0] mpls
    [PE2-GigabitEthernet1/0/0] mpls ldp
    [PE2-GigabitEthernet1/0/0] quit
    

    # Configure PE3.

    [PE3] mpls lsr-id 3.3.3.3
    [PE3] mpls
    [PE3-mpls] quit
    [PE3] mpls ldp
    [PE3-mpls-ldp] quit
    [PE3] interface gigabitethernet 1/0/0
    [PE3-GigabitEthernet1/0/0] mpls
    [PE3-GigabitEthernet1/0/0] mpls ldp
    [PE3-GigabitEthernet1/0/0] quit
    

    Run the display mpls lsp command on the PEs. The command output shows that LSPs are established between PE1 and PE2 and between PE1 and PE3. The information displayed on PE1 is used as an example.

    [PE1] display mpls lsp
    ----------------------------------------------------------------------
                     LSP Information: LDP LSP
    ----------------------------------------------------------------------
    FEC                In/Out Label     In/Out IF                      Vrf Name
    1.1.1.1/32         3/NULL           -/-
    3.3.3.3/32         NULL/3           -/GE3/0/0
    3.3.3.3/32         1025/3           -/GE3/0/0
    2.2.2.2/32         NULL/3           -/GE2/0/0
    2.2.2.2/32         1024/3           -/GE2/0/0

  4. Configure VPN instances on PEs and bind the instances to the interfaces connected to CE1.

    # Configure PE1.

    [PE1] ip vpn-instance vpn1
    [PE1-vpn-instance-vpn1] ipv4-family
    [PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
    [PE1-vpn-instance-vpn1-af-ipv4] vpn-target 111:1
    [PE1-vpn-instance-vpn1-af-ipv4] quit
    [PE1-vpn-instance-vpn1] quit
    

    # Configure PE2.

    [PE2] ip vpn-instance vpn1
    [PE2-vpn-instance-vpn1] ipv4-family
    [PE2-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:2
    [PE2-vpn-instance-vpn1-af-ipv4] vpn-target 111:1
    [PE2-vpn-instance-vpn1-af-ipv4] quit
    [PE2-vpn-instance-vpn1] quit
    [PE2] interface gigabitethernet 2/0/0
    [PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
    [PE2-GigabitEthernet2/0/0] ip address 10.1.1.2 30
    [PE2-GigabitEthernet2/0/0] quit
    

    # Configure PE3.

    [PE3] ip vpn-instance vpn1
    [PE3-vpn-instance-vpn1] ipv4-family
    [PE3-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:3
    [PE3-vpn-instance-vpn1-af-ipv4] vpn-target 111:1
    [PE3-vpn-instance-vpn1-af-ipv4] quit
    [PE3-vpn-instance-vpn1] quit
    [PE3] interface gigabitethernet 2/0/0
    [PE3-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
    [PE3-GigabitEthernet2/0/0] ip address 10.2.1.2 30
    [PE3-GigabitEthernet2/0/0] quit
    

  5. Import direct VPN routes to PE1. Set up EBGP peer relationships between PE2 and CE1 and between PE3 and CE1 to import VPN routes.

    # Configure PE1.

    [PE1] bgp 100
    [PE1-bgp] ipv4-family vpn-instance vpn1
    [PE1-bgp-vpn1] import-route direct
    [PE1-bgp-vpn1] quit
    [PE1-bgp] quit

    # Configure PE2.

    [PE2] bgp 100
    [PE2-bgp] ipv4-family vpn-instance vpn1
    [PE2-bgp-vpn1] peer 10.1.1.1 as-number 65410
    [PE2-bgp-vpn1] import-route direct
    [PE2-bgp-vpn1] quit
    [PE2-bgp] quit

    # Configure PE3.

    [PE3] bgp 100
    [PE3-bgp] ipv4-family vpn-instance vpn1
    [PE3-bgp-vpn1] peer 10.2.1.1 as-number 65410
    [PE3-bgp-vpn1] import-route direct
    [PE3-bgp-vpn1] quit
    [PE3-bgp] quit

    # Configure CE1.

    [CE1] bgp 65410
    [CE1-bgp] peer 10.1.1.2 as-number 100
    [CE1-bgp] peer 10.2.1.2 as-number 100
    [CE1-bgp] import-route direct
    [CE1-bgp] network 10.3.1.0 24
    [CE1-bgp] quit

    After the configuration is complete, run the display bgp vpnv4 all peer command on PE2 and PE3. The command output shows that PE2 and PE3 have set up EBGP peer relationships with CE1. The peer relationships are in Established state.

    The information displayed on PE2 is used as an example.

    [PE2] display bgp vpnv4 all peer
                                                                                   
     BGP local router ID : 2.2.2.2                                                  
     Local AS number : 100                                                          
     Total number of peers : 1                Peers in established state : 1        
                                                                                    
      Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
                                                                                    
      Peer of IPv4-family for vpn instance :                                        
                                                                                    
     VPN-Instance vpn1, Router ID 2.2.2.2:                                          
      10.1.1.1        4       65410      966      968     0 16:01:19 Established       5

  6. Set up an MP-IBGP peer relationship between the PEs.

    # Configure PE1.

    [PE1] bgp 100
    [PE1-bgp] peer 2.2.2.2 as-number 100
    [PE1-bgp] peer 2.2.2.2 connect-interface loopback 1
    [PE1-bgp] peer 3.3.3.3 as-number 100
    [PE1-bgp] peer 3.3.3.3 connect-interface loopback 1
    [PE1-bgp] ipv4-family vpnv4
    [PE1-bgp-af-vpnv4] peer 2.2.2.2 enable
    [PE1-bgp-af-vpnv4] peer 3.3.3.3 enable
    [PE1-bgp-af-vpnv4] quit
    [PE1-bgp] quit
    

    # Configure PE2.

    [PE2] bgp 100
    [PE2-bgp] peer 1.1.1.1 as-number 100
    [PE2-bgp] peer 1.1.1.1 connect-interface loopback 1
    [PE2-bgp] ipv4-family vpnv4
    [PE2-bgp-af-vpnv4] peer 1.1.1.1 enable
    [PE2-bgp-af-vpnv4] quit
    [PE2-bgp] quit
    

    # Configure PE3.

    [PE3] bgp 100
    [PE3-bgp] peer 1.1.1.1 as-number 100
    [PE3-bgp] peer 1.1.1.1 connect-interface loopback 1
    [PE3-bgp] ipv4-family vpnv4
    [PE3-bgp-af-vpnv4] peer 1.1.1.1 enable
    [PE3-bgp-af-vpnv4] quit
    [PE3-bgp] quit
    

    Run the display bgp vpnv4 all peer command on the PEs. The command output shows that an MP-IBGP peer relationship has been set up between the PEs and is in Established state.

    The information displayed on PE1 is used as an example.

    [PE1] display bgp vpnv4 all peer
    
     BGP local router ID : 1.1.1.1
     Local AS number : 100
     Total number of peers : 2                 Peers in established state : 2
    
    Peer            V    AS  MsgRcvd  MsgSent    OutQ  Up/Down       State PrefRcv
    
    2.2.2.2         4   100       20       17       0 00:13:26 Established       5
    3.3.3.3         4   100       24       19       0 00:17:18 Established       5

  7. Configure the VPN FRR routing policy.

    [PE1] ip ip-prefix vpn_frr_list permit 2.2.2.2 32
    [PE1] route-policy vpn_frr_rp permit node 10
    [PE1-route-policy] if-match ip next-hop ip-prefix vpn_frr_list
    [PE1-route-policy] apply backup-nexthop 3.3.3.3
    [PE1-route-policy] quit
    

  8. Configure multi-hop BFD.

    # Configure multi-hop BFD on PE1.

    [PE1] bfd
    [PE1-bfd] quit
    [PE1] bfd for_vpn_frr bind peer-ip 2.2.2.2
    [PE1-bfd-session-for_vpn_frr] discriminator local 10
    [PE1-bfd-session-for_vpn_frr] discriminator remote 20
    [PE1-bfd-session-for_vpn_frr] min-tx-interval 100
    [PE1-bfd-session-for_vpn_frr] min-rx-interval 100
    [PE1-bfd-session-for_vpn_frr] commit
    [PE1-bfd-session-for_vpn_frr] quit
    

    # Configure multi-hop BFD on PE2.

    [PE2] bfd
    [PE2-bfd] quit
    [PE2] bfd for_vpn_frr bind peer-ip 1.1.1.1
    [PE2-bfd-session-for_vpn_frr] discriminator local 20
    [PE2-bfd-session-for_vpn_frr] discriminator remote 10
    [PE2-bfd-session-for_vpn_frr] min-tx-interval 100
    [PE2-bfd-session-for_vpn_frr] min-rx-interval 100
    [PE2-bfd-session-for_vpn_frr] commit
    [PE2-bfd-session-for_vpn_frr] quit

    After the configuration is complete, run the display bfd session all verbose command on PE1 and PE2. The command output shows that a multi-hop BFD session is established and the status of the BFD session is Up.

  9. Enable VPN FRR.

    # Enable VPN FRR on PE1.

    [PE1] ip vpn-instance vpn1
    [PE1-vpn-instance-vpn1] ipv4-family
    [PE1-vpn-instance-vpn1-af-ipv4] vpn frr route-policy vpn_frr_rp
    [PE1-vpn-instance-vpn1-af-ipv4] quit
    [PE1-vpn-instance-vpn1] quit

  10. Verify the configuration.

    # Check the backup next hop, backup label, and backup tunnel ID on PE1.

    [PE1] display ip routing-table vpn-instance vpn1 10.3.1.0 verbose
    Route Flags:
    R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Table : vpn1                                                            
    Summary Count : 1  
    
    
    Destination: 10.3.1.0/24
         Protocol: IBGP            Process ID: 0
       Preference: 255                   Cost: 0
          NextHop: 2.2.2.2          Neighbour: 2.2.2.2
            State: Active Adv Relied      Age: 00h15m06s
              Tag: 0                 Priority: low
            Label: 15361              QoSInfo: 0x0
       IndirectID: 0x13
     RelayNextHop: 100.1.1.2        Interface: GigabitEthernet2/0/0
         TunnelID: 0x31                 Flags: RD
        BkNextHop: 3.3.3.3        BkInterface:GigabitEthernet3/0/0
          BkLabel: 15362          SecTunnelID: 0x0
     BkPETunnelID: 0x32             BkPESecTunnelID: 0x0
     BkIndirectID: 0x15

    # Run the shutdown command on GE1/0/0 of PE2 to simulate a link failure.

    [PE2] interface gigabitethernet 1/0/0
    [PE2-GigabitEthernet1/0/0] shutdown
    [PE2-GigabitEthernet1/0/0] quit

    # Run the display ip routing-table vpn-instance command on PE1 again. The command output shows that the next hop of the route to 10.3.1.0/24 is now 3.3.3.3.

    [PE1] display ip routing-table vpn-instance vpn1 10.3.1.0 verbose
    Route Flags:
    R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Table : vpn1                                                            
    Summary Count : 1  
    
    Destination: 10.3.1.0/24
         Protocol: IBGP            Process ID: 0
       Preference: 255                   Cost: 0
          NextHop: 3.3.3.3          Neighbour: 3.3.3.3
            State: Active Adv Relied      Age: 00h15m06s
              Tag: 0                 Priority: low
            Label: 15362              QoSInfo: 0x0
       IndirectID: 0x15
     RelayNextHop: 100.2.1.2        Interface: GigabitEthernet3/0/0
         TunnelID: 0x32                 Flags: RD
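
The verification in step 10 can be scripted. The following is an added example, not part of the original guide: it parses the two verbose route outputs shown above (abbreviated to the relevant fields) and reports whether the route is protected by a backup next hop or has already switched to it. The function names and the state labels are assumptions made for this example.

```python
import re

# Fields copied from the two "display ip routing-table vpn-instance vpn1
# 10.3.1.0 verbose" outputs on this page, abbreviated to the relevant lines.
BEFORE_FAILURE = """\
Destination: 10.3.1.0/24
      NextHop: 2.2.2.2          Neighbour: 2.2.2.2
        State: Active Adv Relied      Age: 00h15m06s
        Label: 15361              QoSInfo: 0x0
 RelayNextHop: 100.1.1.2        Interface: GigabitEthernet2/0/0
     TunnelID: 0x31                 Flags: RD
    BkNextHop: 3.3.3.3        BkInterface:GigabitEthernet3/0/0
      BkLabel: 15362          SecTunnelID: 0x0
 BkPETunnelID: 0x32             BkPESecTunnelID: 0x0
"""
AFTER_FAILURE = """\
Destination: 10.3.1.0/24
      NextHop: 3.3.3.3          Neighbour: 3.3.3.3
        State: Active Adv Relied      Age: 00h15m06s
        Label: 15362              QoSInfo: 0x0
 RelayNextHop: 100.2.1.2        Interface: GigabitEthernet3/0/0
     TunnelID: 0x32                 Flags: RD
"""

# A field is "Key: value". A value ends at a run of two or more spaces that is
# followed by the next key, or at end of line. "BkInterface:Gig..." (no space
# after the colon) and multi-word values such as State are both handled.
FIELD = re.compile(r"(\w+)[ \t]*:[ \t]*(.*?)(?=[ \t]{2,}\w+[ \t]*:|[ \t]*$)", re.M)

def parse_route(text):
    """Return the key/value fields of one verbose route entry as a dict."""
    return {key: value for key, value in FIELD.findall(text)}

def frr_state(text, primary, backup):
    """Classify the route as protected, switched, unprotected or unexpected."""
    route = parse_route(text)
    next_hop = route.get("NextHop")
    if next_hop == backup:
        return "switched"        # traffic already uses the backup PE
    if next_hop != primary:
        return "unexpected"      # neither PE from the FRR policy is in use
    has_backup = (route.get("BkNextHop") == backup
                  and route.get("BkLabel", "").isdigit()
                  and int(route.get("BkPETunnelID", "0x0"), 16) != 0)
    return "protected" if has_backup else "unprotected"

if __name__ == "__main__":
    print(frr_state(BEFORE_FAILURE, "2.2.2.2", "3.3.3.3"))
    print(frr_state(AFTER_FAILURE, "2.2.2.2", "3.3.3.3"))
```

An "unprotected" result before any failure means the route has no usable backup entry, so a failure of the primary PE would wait for BGP convergence instead of the FRR switchover.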
    

Configuration Files

  • PE1 configuration file

    #
     sysname PE1
    #
    ip vpn-instance vpn1
     ipv4-family
      route-distinguisher 100:1
      vpn frr route-policy vpn_frr_rp
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
     mpls lsr-id 1.1.1.1
     mpls
    #
    mpls ldp
    #
    interface GigabitEthernet2/0/0
     ip address 100.1.1.1 255.255.255.252
     mpls 
     mpls ldp
    #
    interface GigabitEthernet3/0/0
     ip address 100.2.1.1 255.255.255.252
     mpls 
     mpls ldp
    #
    interface LoopBack1
     ip address 1.1.1.1 255.255.255.255
    #
    bfd for_vpn_frr bind peer-ip 2.2.2.2
     discriminator local 10
     discriminator remote 20
     min-tx-interval 100
     min-rx-interval 100
     commit
    #
    bgp 100
     peer 2.2.2.2 as-number 100
     peer 2.2.2.2 connect-interface LoopBack1
     peer 3.3.3.3 as-number 100
     peer 3.3.3.3 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 2.2.2.2 enable
      peer 3.3.3.3 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 2.2.2.2 enable
      peer 3.3.3.3 enable
     #
     ipv4-family vpn-instance vpn1
      import-route direct
    #
    ospf 1
     area 0.0.0.0
      network 100.1.1.0 0.0.0.3
      network 100.2.1.0 0.0.0.3
      network 1.1.1.1 0.0.0.0
    #
    ip ip-prefix vpn_frr_list index 10 permit 2.2.2.2 32
    #
    route-policy vpn_frr_rp permit node 10
     if-match ip next-hop ip-prefix vpn_frr_list
     apply backup-nexthop 3.3.3.3
    #
    return
  • PE2 configuration file

    #
     sysname PE2
    #
    ip vpn-instance vpn1
     ipv4-family
      route-distinguisher 100:2
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
     mpls lsr-id 2.2.2.2
     mpls
    #
    mpls ldp
    #
    interface GigabitEthernet1/0/0
     ip address 100.1.1.2 255.255.255.252
     mpls
     mpls ldp
    #
    interface GigabitEthernet2/0/0
     ip binding vpn-instance vpn1
     ip address 10.1.1.2 255.255.255.252
    #
    interface LoopBack1
     ip address 2.2.2.2 255.255.255.255
    #
    bfd for_vpn_frr bind peer-ip 1.1.1.1
     discriminator local 20
     discriminator remote 10
     min-tx-interval 100
     min-rx-interval 100
     commit
    #
    bgp 100
     peer 1.1.1.1 as-number 100
     peer 1.1.1.1 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 1.1.1.1 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 1.1.1.1 enable
     #
     ipv4-family vpn-instance vpn1
      peer 10.1.1.1 as-number 65410
      import-route direct
    #
    ospf 1
     area 0.0.0.0
      network 100.1.1.0 0.0.0.3
      network 2.2.2.2 0.0.0.0
    #
    return
  • PE3 configuration file

    #
     sysname PE3
    #
    ip vpn-instance vpn1
     ipv4-family
      route-distinguisher 100:3
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
     mpls lsr-id 3.3.3.3
     mpls
    #
    mpls ldp
    #
    interface GigabitEthernet1/0/0
     ip address 100.2.1.2 255.255.255.252
     mpls
     mpls ldp
    #
    interface GigabitEthernet2/0/0
     ip binding vpn-instance vpn1
     ip address 10.2.1.2 255.255.255.252
    #
    interface LoopBack1
     ip address 3.3.3.3 255.255.255.255
    #
    bgp 100
     peer 1.1.1.1 as-number 100 
     peer 1.1.1.1 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 1.1.1.1 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 1.1.1.1 enable
     #
     ipv4-family vpn-instance vpn1
      peer 10.2.1.1 as-number 65410
      import-route direct
    #
    ospf 1
     area 0.0.0.0
      network 100.2.1.0 0.0.0.3
      network 3.3.3.3 0.0.0.0
    #
    return
  • CE1 configuration file

    #
     sysname CE1
    #
    interface GigabitEthernet1/0/0
     ip address 10.1.1.1 255.255.255.252
    #
    interface GigabitEthernet2/0/0
     ip address 10.2.1.1 255.255.255.252
    #
    interface GigabitEthernet3/0/0
     ip address 10.3.1.1 255.255.255.0
    #
    bgp 65410
     peer 10.1.1.2 as-number 100
     peer 10.2.1.2 as-number 100
     #
     ipv4-family unicast
      undo synchronization
      network 10.3.1.0 255.255.255.0
      import-route direct
      peer 10.1.1.2 enable
      peer 10.2.1.2 enable
    #
    return
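
The VPN FRR pieces on PE1 (the route-policy, the IP prefix list, the MP-IBGP peers and the BFD session) only work when they reference each other consistently. The following is an added example, not part of the original guide: it cross-checks those references in a configuration file, using an abbreviated copy of the PE1 file above as input. The checks mirror this page's topology and are assumptions of the example, not validation rules documented by the vendor.

```python
import re

# Abbreviated from the PE1 configuration file on this page.
PE1_CONFIG = """\
ip vpn-instance vpn1
 ipv4-family
  vpn frr route-policy vpn_frr_rp
#
bfd for_vpn_frr bind peer-ip 2.2.2.2
#
bgp 100
 ipv4-family vpnv4
  peer 2.2.2.2 enable
  peer 3.3.3.3 enable
#
ip ip-prefix vpn_frr_list index 10 permit 2.2.2.2 32
#
route-policy vpn_frr_rp permit node 10
 if-match ip next-hop ip-prefix vpn_frr_list
 apply backup-nexthop 3.3.3.3
#
"""

def audit_vpn_frr(cfg):
    """Return inconsistencies between the VPN FRR pieces of one config."""
    ref = re.search(r"^\s*vpn frr route-policy (\S+)", cfg, re.M)
    if not ref:
        return ["vpn frr is not enabled in any VPN instance"]
    node = re.search(rf"^route-policy {re.escape(ref.group(1))} permit node \d+\n"
                     r"((?: .*\n)*)", cfg, re.M)
    if not node:
        return [f"route-policy {ref.group(1)} is referenced but not defined"]
    plist = re.search(r"if-match ip next-hop ip-prefix (\S+)", node.group(1))
    backup = re.search(r"apply backup-nexthop (\S+)", node.group(1))
    primaries = set()
    if plist:  # /32 entries of the prefix list are the protected next hops
        primaries = set(re.findall(
            rf"^ip ip-prefix {re.escape(plist.group(1))} .*permit (\S+) 32[ \t]*$",
            cfg, re.M))
    vpnv4 = re.search(r"^ ipv4-family vpnv4\n((?:  .*\n)*)", cfg, re.M)
    peers = set(re.findall(r"peer (\S+) enable", vpnv4.group(1))) if vpnv4 else set()
    bfd = set(re.findall(r"^bfd \S+ bind peer-ip (\S+)", cfg, re.M))

    issues = []
    if not primaries:
        issues.append("policy matches no /32 primary next hop")
    if not backup:
        issues.append("policy has no apply backup-nexthop")
    elif backup.group(1) in primaries:
        issues.append("backup next hop equals a primary next hop")
    elif backup.group(1) not in peers:
        issues.append(f"backup {backup.group(1)} is not a VPNv4 peer")
    for nh in sorted(primaries):
        if nh not in peers:
            issues.append(f"primary {nh} is not a VPNv4 peer")
        if nh not in bfd:
            issues.append(f"no BFD session bound to primary {nh}")
    return issues
```

An empty list means the references line up. The audit expects the configuration text without the four-space indentation this page adds around the configuration files.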
Updated: 2019-08-07

Document ID: EDOC1100033725
