CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.

Example for Connecting a CE to a VPN Through a GRE Tunnel over a VPN

Networking Requirements

In Figure 3-24:

  • PE1 and PE2 reside on a class 1 carrier's MPLS backbone network.

  • The VPN instance vpn2 belongs to a class 2 carrier's network, and CE1 is directly connected to PE1.

  • CE2 and CE3 connect to user hosts. CE2 is directly connected to PE2, and CE3 is directly connected to CE1. CE2 and CE3 belong to vpn1 and can reach each other.

PE1 is not directly connected to CE3, so no VPN instance on PE1 can be bound to a physical interface that connects to CE3. Instead, a GRE tunnel that traverses vpn2 is set up between CE3 and PE1, and the GRE tunnel interface on PE1 is bound to vpn1, which connects CE3 to vpn1.

NOTE:

The AR100, AR120, AR150, AR160, and AR200 cannot work on an MPLS backbone network.

Figure 3-24  Connecting a CE to a VPN through a GRE Tunnel over a VPN

Configuration Roadmap

The configuration roadmap is as follows:

  1. Run OSPF process 10 on PE1 and PE2 to implement interworking between them, and enable MPLS.

  2. Configure a VPN instance vpn2 on PE1, and run OSPF process 20 on PE1, CE1, and CE3 to implement interworking among the three devices.

  3. Set up a GRE tunnel between CE3 and PE1. CE3 is connected to PE1 over vpn2, and the interface on PE1 directly connected to CE1 is bound to vpn2. Therefore, the interfaces directly connecting CE3 to CE1 and directly connecting PE1 to CE1 belong to vpn2. When configuring a GRE tunnel between PE1 and CE3, you need to set a tunnel destination address that belongs to vpn2.

  4. Create vpn1 on PE1 and PE2. On PE1, bind vpn1 to the GRE tunnel interface. On PE2, bind vpn1 to the physical interface connected to CE2.

  5. Run IS-IS on the devices to dynamically calculate routes between the CEs and PEs.

  6. Run BGP on the PEs to implement interworking between CE2 and CE3.

Procedure

  1. Configure an IP address for each interface.

    # Configure CE3.

    <Huawei> system-view
    [Huawei] sysname CE3
    [CE3] interface gigabitethernet 1/0/0
    [CE3-GigabitEthernet1/0/0] ip address 10.1.1.2 24
    [CE3-GigabitEthernet1/0/0] quit
    [CE3] interface gigabitethernet 2/0/0
    [CE3-GigabitEthernet2/0/0] ip address 30.1.1.1 24
    [CE3-GigabitEthernet2/0/0] quit

    # Configure CE1.

    <Huawei> system-view
    [Huawei] sysname CE1
    [CE1] interface gigabitethernet 1/0/0
    [CE1-GigabitEthernet1/0/0] ip address 30.1.1.2 24
    [CE1-GigabitEthernet1/0/0] quit
    [CE1] interface gigabitethernet 2/0/0
    [CE1-GigabitEthernet2/0/0] ip address 50.1.1.1 24
    [CE1-GigabitEthernet2/0/0] quit

    # Configure IP addresses for interfaces on PE1 except the interface to be bound to a VPN instance, because all configurations on this interface are deleted when the interface is bound to a VPN instance.

    <Huawei> system-view
    [Huawei] sysname PE1
    [PE1] interface gigabitethernet 2/0/0
    [PE1-GigabitEthernet2/0/0] ip address 110.1.1.1 24
    [PE1-GigabitEthernet2/0/0] quit
    [PE1] interface loopback 1
    [PE1-LoopBack1] ip address 1.1.1.9 32
    [PE1-LoopBack1] quit

    # Configure IP addresses for interfaces on PE2 except the interface to be bound to a VPN instance, because all configurations on this interface are deleted when the interface is bound to a VPN instance.

    <Huawei> system-view
    [Huawei] sysname PE2
    [PE2] interface gigabitethernet 1/0/0
    [PE2-GigabitEthernet1/0/0] ip address 110.1.1.2 24
    [PE2-GigabitEthernet1/0/0] quit
    [PE2] interface loopback 1
    [PE2-LoopBack1] ip address 3.3.3.9 32
    [PE2-LoopBack1] quit

    # Configure CE2.

    <Huawei> system-view
    [Huawei] sysname CE2
    [CE2] interface gigabitethernet 1/0/0
    [CE2-GigabitEthernet1/0/0] ip address 11.1.1.1 24
    [CE2-GigabitEthernet1/0/0] quit
    [CE2] interface gigabitethernet 2/0/0
    [CE2-GigabitEthernet2/0/0] ip address 10.2.1.2 24
    [CE2-GigabitEthernet2/0/0] quit

  2. Configure routes between the PEs and enable MPLS.

    # On PE1, enable MPLS LDP, and run OSPF process 10 to configure reachable routes between the PEs. LSPs are set up automatically.

    [PE1] mpls lsr-id 1.1.1.9
    [PE1] mpls
    [PE1-mpls] lsp-trigger all
    [PE1-mpls] quit
    [PE1] mpls ldp
    [PE1-mpls-ldp] quit
    [PE1] ospf 10
    [PE1-ospf-10] area 0
    [PE1-ospf-10-area-0.0.0.0] network 1.1.1.9 0.0.0.0
    [PE1-ospf-10-area-0.0.0.0] network 110.1.1.0 0.0.0.255
    [PE1-ospf-10-area-0.0.0.0] quit
    [PE1-ospf-10] quit
    [PE1] interface gigabitethernet 2/0/0
    [PE1-GigabitEthernet2/0/0] mpls
    [PE1-GigabitEthernet2/0/0] mpls ldp
    [PE1-GigabitEthernet2/0/0] quit

    # On PE2, enable MPLS LDP, and run OSPF process 10 to configure reachable routes between the PEs. LSPs are set up automatically.

    [PE2] mpls lsr-id 3.3.3.9
    [PE2] mpls
    [PE2-mpls] lsp-trigger all
    [PE2-mpls] quit
    [PE2] mpls ldp
    [PE2-mpls-ldp] quit
    [PE2] ospf 10
    [PE2-ospf-10] area 0
    [PE2-ospf-10-area-0.0.0.0] network 3.3.3.9 0.0.0.0
    [PE2-ospf-10-area-0.0.0.0] network 110.1.1.0 0.0.0.255
    [PE2-ospf-10-area-0.0.0.0] quit
    [PE2-ospf-10] quit
    [PE2] interface gigabitethernet 1/0/0
    [PE2-GigabitEthernet1/0/0] mpls
    [PE2-GigabitEthernet1/0/0] mpls ldp
    [PE2-GigabitEthernet1/0/0] quit

  3. Create a VPN instance vpn2 on PE1 and bind vpn2 to an interface on a class 2 carrier's network.

    [PE1] ip vpn-instance vpn2
    [PE1-vpn-instance-vpn2] route-distinguisher 100:2
    [PE1-vpn-instance-vpn2-af-ipv4] vpn-target 222:2 export-extcommunity
    [PE1-vpn-instance-vpn2-af-ipv4] vpn-target 222:2 import-extcommunity
    [PE1-vpn-instance-vpn2-af-ipv4] quit
    [PE1-vpn-instance-vpn2] quit
    [PE1] interface gigabitethernet 1/0/0
    [PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpn2 
    [PE1-GigabitEthernet1/0/0] ip address 50.1.1.2 255.255.255.0
    [PE1-GigabitEthernet1/0/0] quit

  4. Create a VPN instance vpn1 on PE1 and bind vpn1 to the GRE tunnel.

    [PE1] ip vpn-instance vpn1
    [PE1-vpn-instance-vpn1] route-distinguisher 100:1
    [PE1-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 export-extcommunity
    [PE1-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 import-extcommunity
    [PE1-vpn-instance-vpn1-af-ipv4] quit
    [PE1-vpn-instance-vpn1] quit
    [PE1] interface tunnel 0/0/1
    [PE1-Tunnel0/0/1] ip binding vpn-instance vpn1 
    [PE1-Tunnel0/0/1] ip address 2.2.2.2 255.255.255.0
    [PE1-Tunnel0/0/1] quit

  5. Create a VPN instance vpn1 on PE2 and bind vpn1 to a user-side interface.

    [PE2] ip vpn-instance vpn1
    [PE2-vpn-instance-vpn1] route-distinguisher 200:1
    [PE2-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 export-extcommunity
    [PE2-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 import-extcommunity
    [PE2-vpn-instance-vpn1-af-ipv4] quit
    [PE2-vpn-instance-vpn1] quit
    [PE2] interface gigabitethernet 2/0/0
    [PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpn1 
    [PE2-GigabitEthernet2/0/0] ip address 11.1.1.2 255.255.255.0
    [PE2-GigabitEthernet2/0/0] quit

  6. Configure tunnel interfaces of the GRE tunnel.

    # Configure CE3.

    [CE3] interface tunnel 0/0/1
    [CE3-Tunnel0/0/1] tunnel-protocol gre
    [CE3-Tunnel0/0/1] source 30.1.1.1
    [CE3-Tunnel0/0/1] destination 50.1.1.2
    [CE3-Tunnel0/0/1] ip address 2.2.2.1 24
    [CE3-Tunnel0/0/1] quit

    # Configure PE1.

    [PE1] interface tunnel 0/0/1
    [PE1-Tunnel0/0/1] tunnel-protocol gre
    [PE1-Tunnel0/0/1] source 50.1.1.2
    [PE1-Tunnel0/0/1] destination vpn-instance vpn2 30.1.1.1
    [PE1-Tunnel0/0/1] quit

  7. Configure routing protocols on CE3, CE1, and PE1.

    # Configure CE3.

    [CE3] ospf 20
    [CE3-ospf-20] area 0
    [CE3-ospf-20-area-0.0.0.0] network 30.1.1.0 0.0.0.255
    [CE3-ospf-20-area-0.0.0.0] quit
    [CE3-ospf-20] quit

    # Configure CE1.

    [CE1] ospf 20
    [CE1-ospf-20] area 0
    [CE1-ospf-20-area-0.0.0.0] network 30.1.1.0 0.0.0.255
    [CE1-ospf-20-area-0.0.0.0] network 50.1.1.0 0.0.0.255
    [CE1-ospf-20-area-0.0.0.0] quit
    [CE1-ospf-20] quit

    # Configure PE1.

    [PE1] ospf 20 vpn-instance vpn2
    [PE1-ospf-20] area 0
    [PE1-ospf-20-area-0.0.0.0] network 50.1.1.0 0.0.0.255
    [PE1-ospf-20-area-0.0.0.0] quit
    [PE1-ospf-20] quit

  8. Configure IS-IS on CE3 and PE1 to calculate routes between them.

    # Configure CE3.

    [CE3] isis 50
    [CE3-isis-50] network-entity 50.0000.0000.0001.00
    [CE3-isis-50] quit
    [CE3] interface gigabitethernet 1/0/0
    [CE3-GigabitEthernet1/0/0] isis enable 50
    [CE3-GigabitEthernet1/0/0] quit
    [CE3] interface tunnel 0/0/1
    [CE3-Tunnel0/0/1] isis enable 50
    [CE3-Tunnel0/0/1] quit

    # Configure PE1.

    [PE1] isis 50 vpn-instance vpn1
    [PE1-isis-50] network-entity 50.0000.0000.0002.00
    [PE1-isis-50] quit
    [PE1] interface tunnel 0/0/1
    [PE1-Tunnel0/0/1] isis enable 50
    [PE1-Tunnel0/0/1] quit

  9. Configure IS-IS on CE2 and PE2 to calculate routes between them.

    # Configure CE2.

    [CE2] isis 50
    [CE2-isis-50] network-entity 50.0000.0000.0004.00
    [CE2-isis-50] quit
    [CE2] interface gigabitethernet 1/0/0
    [CE2-GigabitEthernet1/0/0] isis enable 50
    [CE2-GigabitEthernet1/0/0] quit
    [CE2] interface gigabitethernet 2/0/0
    [CE2-GigabitEthernet2/0/0] isis enable 50
    [CE2-GigabitEthernet2/0/0] quit

    # Configure PE2.

    [PE2] isis 50 vpn-instance vpn1
    [PE2-isis-50] network-entity 50.0000.0000.0003.00
    [PE2-isis-50] quit
    [PE2] interface gigabitethernet 2/0/0
    [PE2-GigabitEthernet2/0/0] isis enable 50
    [PE2-GigabitEthernet2/0/0] quit

  10. Set up an MP-IBGP peer relationship between the PEs.

    # On PE1, configure an IBGP peer relationship with PE2 using a loopback interface to exchange VPN IPv4 route information.

    [PE1] bgp 100
    [PE1-bgp] peer 3.3.3.9 as-number 100
    [PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
    [PE1-bgp] ipv4-family vpnv4
    [PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
    [PE1-bgp-af-vpnv4] quit

    # Import IS-IS routes to vpn1.

    [PE1-bgp] ipv4-family vpn-instance vpn1
    [PE1-bgp-vpn1] import-route isis 50

    # On PE2, configure an IBGP peer relationship with PE1 using a loopback interface to exchange VPN IPv4 route information.

    [PE2] bgp 100
    [PE2-bgp] peer 1.1.1.9 as-number 100
    [PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
    [PE2-bgp] ipv4-family vpnv4
    [PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
    [PE2-bgp-af-vpnv4] quit

    # Import IS-IS routes to vpn1.

    [PE2-bgp] ipv4-family vpn-instance vpn1
    [PE2-bgp-vpn1] import-route isis 50

  11. Import BGP routes to the IS-IS routing table.

    # Configure PE1.

    [PE1] isis 50
    [PE1-isis-50] import-route bgp

    # Configure PE2.

    [PE2] isis 50
    [PE2-isis-50] import-route bgp

  12. Verify the configuration.

    # After the configuration is complete, CE1 and CE2 have reachable routes to each other. The command output on CE1 is used as an example.

    <CE1> display ip routing-table 41.1.1.0 
    Route Flags:
    R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Table : Public
    Summary Count : 1
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    
           41.1.1.0/24  ISIS-L2 15   74          D   2.2.2.2         Tunnel0/0/1
    

Configuration Files

  • Configuration file of CE3

    #
     sysname CE3
    #
    isis 50
     network-entity 50.0000.0000.0001.00
    #
    interface GigabitEthernet1/0/0
     ip address 10.1.1.2 255.255.255.0
     isis enable 50
    #
    interface GigabitEthernet2/0/0
     ip address 30.1.1.1 255.255.255.0
    #
    interface Tunnel0/0/1
     ip address 2.2.2.1 255.255.255.0
     tunnel-protocol gre
     source 30.1.1.1
     destination 50.1.1.2
     isis enable 50
    #
    ospf 20
     area 0.0.0.0
      network 30.1.1.0 0.0.0.255
    #
    return
  • Configuration file of CE1

    #
     sysname CE1
    #
    interface GigabitEthernet1/0/0
     ip address 30.1.1.2 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 50.1.1.1 255.255.255.0
    #
    ospf 20
     area 0.0.0.0
      network 30.1.1.0 0.0.0.255
      network 50.1.1.0 0.0.0.255
    #
    return
  • Configuration file of PE1

    #
     sysname PE1
    #
    ip vpn-instance vpn1
     route-distinguisher 100:1
     vpn-target 111:1 export-extcommunity
     vpn-target 111:1 import-extcommunity
    #
    ip vpn-instance vpn2
     route-distinguisher 100:2
     vpn-target 222:2 export-extcommunity
     vpn-target 222:2 import-extcommunity
    #
    mpls lsr-id 1.1.1.9
    mpls
     lsp-trigger all
    #
    mpls ldp
    #
    isis 50 vpn-instance vpn1
     network-entity 50.0000.0000.0002.00
     import-route bgp
    #
    interface GigabitEthernet1/0/0
     ip binding vpn-instance vpn2
     ip address 50.1.1.2 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 110.1.1.1 255.255.255.0
     mpls
     mpls ldp
    #
    interface LoopBack1
     ip address 1.1.1.9 255.255.255.255
    #
    interface Tunnel0/0/1
     ip binding vpn-instance vpn1
     ip address 2.2.2.2 255.255.255.0
     tunnel-protocol gre
     source 50.1.1.2
     destination vpn-instance vpn2 30.1.1.1
     isis enable 50
    #
    bgp 100
     peer 3.3.3.9 as-number 100
     peer 3.3.3.9 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 3.3.3.9 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 3.3.3.9 enable
     #
     ipv4-family vpn-instance vpn1
      import-route isis 50
    #
    ospf 10
     area 0.0.0.0
      network 1.1.1.9 0.0.0.0
      network 110.1.1.0 0.0.0.255
    #
    ospf 20 vpn-instance vpn2
     area 0.0.0.0
      network 50.1.1.0 0.0.0.255
    #
    return
  • Configuration file of PE2

    #
     sysname PE2
    #
    ip vpn-instance vpn1
     route-distinguisher 200:1
     vpn-target 111:1 export-extcommunity
     vpn-target 111:1 import-extcommunity
    #
    mpls lsr-id 3.3.3.9
    mpls
     lsp-trigger all
    #
    mpls ldp
    #
    isis 50 vpn-instance vpn1
     network-entity 50.0000.0000.0003.00
     import-route bgp
    #
    interface GigabitEthernet1/0/0
     ip address 110.1.1.2 255.255.255.0
     mpls
     mpls ldp
    #
    interface GigabitEthernet2/0/0
     ip binding vpn-instance vpn1
     ip address 11.1.1.2 255.255.255.0
     isis enable 50
    #
    interface LoopBack1
     ip address 3.3.3.9 255.255.255.255
    #
    bgp 100
     peer 1.1.1.9 as-number 100
     peer 1.1.1.9 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 1.1.1.9 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 1.1.1.9 enable
     #
     ipv4-family vpn-instance vpn1
      import-route isis 50
    #
    ospf 10
     area 0.0.0.0
      network 3.3.3.9 0.0.0.0
      network 110.1.1.0 0.0.0.255
    #
    return
  • Configuration file of CE2

    #
     sysname CE2
    #
    isis 50
     network-entity 50.0000.0000.0004.00
    #
    interface GigabitEthernet1/0/0
     ip address 11.1.1.1 255.255.255.0
     isis enable 50
    #
    interface GigabitEthernet2/0/0
     ip address 10.2.1.2 255.255.255.0
     isis enable 50
    #
    return
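The consistency rules from roadmap step 3 and the CE3 and PE1 configuration files, as an added audit script (not part of the Huawei guide): it checks that the two tunnel ends mirror each other, that the tunnel destination is looked up in the VPN instance bound to the interface owning the tunnel source, and that the tunnel interface itself sits in a different VPN instance, as vpn1 over vpn2 does here. The function names and the minimal parser are assumptions of this example, and it assumes the tunnel source is given as an IP address, as on this page.

```python
import re
# Tunnel-related lines copied from the CE3 and PE1 configuration files above.
CE3_CFG = """\
interface Tunnel0/0/1
 source 30.1.1.1
 destination 50.1.1.2
"""
PE1_CFG = """\
interface GigabitEthernet1/0/0
 ip binding vpn-instance vpn2
 ip address 50.1.1.2 255.255.255.0
#
interface Tunnel0/0/1
 ip binding vpn-instance vpn1
 source 50.1.1.2
 destination vpn-instance vpn2 30.1.1.1
"""
PATTERNS = {  # sub-command regex -> keys stored for the current interface
    r"ip binding vpn-instance (\S+)": ("vpn",),
    r"ip address (\S+) \S+": ("ip",),
    r"source (\S+)": ("src",),
    r"destination (?:vpn-instance (\S+) )?(\S+)": ("dst_vpn", "dst"),
}

def parse_interfaces(cfg):
    """Map interface name -> {vpn, ip, src, dst_vpn, dst} for a VRP-style config."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if not line.startswith(" "):  # a top-level line opens or closes a stanza
            is_if = line.startswith("interface ")
            cur = ifaces.setdefault(line.split()[1], {}) if is_if else None
        elif cur is not None:
            for pat, keys in PATTERNS.items():
                if m := re.fullmatch(pat, line.strip()):
                    cur.update(zip(keys, m.groups()))
    return ifaces

def audit_gre(local_cfg, peer_cfg, tunnel="Tunnel0/0/1"):
    """Return findings for one GRE tunnel as seen from local_cfg; [] means consistent."""
    local = parse_interfaces(local_cfg)
    t, p = local.get(tunnel, {}), parse_interfaces(peer_cfg).get(tunnel, {})
    if not t.get("src") or (t["src"], t.get("dst")) != (p.get("dst"), p.get("src")):
        return ["tunnel missing or source/destination not mirrored"]
    findings = []
    # Roadmap step 3: the destination must be resolved in the VPN of the source's interface.
    owner = next((i for i in local.values() if i.get("ip") == t["src"]), {})
    if owner.get("vpn") != t.get("dst_vpn"):
        findings.append("destination VPN differs from the source interface's VPN")
    if t.get("vpn") and t["vpn"] == t.get("dst_vpn"):
        findings.append("tunnel is bound to the transport VPN, not a separate VPN")
    return findings
```

Run `audit_gre` once from each end (PE1 as local, then CE3 as local); the VPN checks only have an effect on the device that uses VPN instances.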
Updated: 2019-08-07

Document ID: EDOC1100033725
