CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Configuring BGP/MPLS IP VPN to Use a GRE Tunnel

Networking Requirements

NOTE:

The AR100, AR120, AR150, AR160, and AR200 cannot be used in this scenario.

In Figure 3-21:
  • Branch 1 connects to the VPN backbone network through CE1 and PE1.
  • Branch 2 connects to the VPN backbone network through CE2 and PE2.

On the backbone network, the PEs provide MPLS functions, but the P device does not.

The enterprise wants to establish a GRE tunnel between the PEs and use IP to forward VPN packets over the IP network.

Figure 3-21  Networking diagram for configuring BGP/MPLS IP VPN to use a GRE tunnel

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure OSPF between the PEs and P to implement IP connectivity on the backbone network.

  2. Create a GRE tunnel between PEs so that VPN packets can be transmitted over the GRE tunnel.

  3. Configure VPN instances on PEs and bind each PE interface connected to a CE to a VPN instance.

  4. Because the P device does not support MPLS functions, an LSP cannot be used to transmit VPN packets. Configure a tunnel policy on the PEs to specify that VPN packets are transmitted over a GRE tunnel, and apply the tunnel policy.

  5. Establish EBGP peer relationships between PEs and CEs to exchange routes so that a CE can learn routes from the peer CE and CE1 can communicate with CE2.

Procedure

  1. Configure an IP address for each interface.

    # Configure CE1.

    <Huawei> system-view
    [Huawei] sysname CE1
    [CE1] interface gigabitethernet 1/0/0
    [CE1-GigabitEthernet1/0/0] ip address 10.1.1.1 24
    [CE1-GigabitEthernet1/0/0] quit

    # Configure IP addresses for interfaces on PE1 except the interface to be bound to a VPN instance. This is because all configurations on this interface are deleted when the interface is bound to a VPN instance.

    <Huawei> system-view
    [Huawei] sysname PE1
    [PE1] interface gigabitethernet 2/0/0
    [PE1-GigabitEthernet2/0/0] ip address 172.1.1.1 24
    [PE1-GigabitEthernet2/0/0] quit
    [PE1] interface loopback 1
    [PE1-LoopBack1] ip address 10.10.1.1 32
    [PE1-LoopBack1] quit

    # Configure the P device.

    <Huawei> system-view
    [Huawei] sysname P
    [P] interface gigabitethernet 1/0/0
    [P-GigabitEthernet1/0/0] ip address 172.1.1.2 24
    [P-GigabitEthernet1/0/0] quit
    [P] interface gigabitethernet 2/0/0
    [P-GigabitEthernet2/0/0] ip address 172.2.1.1 24
    [P-GigabitEthernet2/0/0] quit

    # Configure IP addresses for interfaces on PE2 except the interface to be bound to a VPN instance. This is because all configurations on this interface are deleted when the interface is bound to a VPN instance.

    <Huawei> system-view
    [Huawei] sysname PE2
    [PE2] interface gigabitethernet 2/0/0
    [PE2-GigabitEthernet2/0/0] ip address 172.2.1.2 24
    [PE2-GigabitEthernet2/0/0] quit
    [PE2] interface loopback 1
    [PE2-LoopBack1] ip address 10.10.2.1 32
    [PE2-LoopBack1] quit

    # Configure CE2.

    <Huawei> system-view
    [Huawei] sysname CE2
    [CE2] interface gigabitethernet 1/0/0
    [CE2-GigabitEthernet1/0/0] ip address 10.2.1.1 24
    [CE2-GigabitEthernet1/0/0] quit

  2. Configure IGP on the MPLS backbone network to implement interworking between PEs.

    # Configure PE1.

    [PE1] ospf 1
    [PE1-ospf-1] area 0
    [PE1-ospf-1-area-0.0.0.0] network 10.10.1.1 0.0.0.0
    [PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
    [PE1-ospf-1-area-0.0.0.0] quit
    [PE1-ospf-1] quit
    

    # Configure the P device.

    [P] ospf 1
    [P-ospf-1] area 0
    [P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
    [P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
    [P-ospf-1-area-0.0.0.0] quit
    [P-ospf-1] quit
    

    # Configure PE2.

    [PE2] ospf 1
    [PE2-ospf-1] area 0
    [PE2-ospf-1-area-0.0.0.0] network 10.10.2.1 0.0.0.0
    [PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
    [PE2-ospf-1-area-0.0.0.0] quit
    [PE2-ospf-1] quit
    

    After the configurations are complete, OSPF neighbor relationships can be set up between PE1, P, and PE2. Run the display ospf peer command. You can see that the neighbor status is Full. Run the display ip routing-table command. You can see that PEs have learnt the routes to Loopback1 of each other.

  3. Configure a GRE tunnel.

    # Configure PE1.

    [PE1] interface tunnel 0/0/1
    [PE1-Tunnel0/0/1] tunnel-protocol gre
    [PE1-Tunnel0/0/1] source loopback 1
    [PE1-Tunnel0/0/1] destination 10.10.2.1
    [PE1-Tunnel0/0/1] ip address 10.3.1.1 24
    [PE1-Tunnel0/0/1] quit

    # Configure PE2.

    [PE2] interface tunnel 0/0/1
    [PE2-Tunnel0/0/1] tunnel-protocol gre
    [PE2-Tunnel0/0/1] source loopback 1
    [PE2-Tunnel0/0/1] destination 10.10.1.1
    [PE2-Tunnel0/0/1] ip address 10.3.1.2 24
    [PE2-Tunnel0/0/1] quit

  4. Enable basic MPLS functions on the PEs.

    # Configure PE1.

    [PE1] mpls lsr-id 10.10.1.1
    [PE1] mpls
    [PE1-mpls] quit

    # Configure PE2.

    [PE2] mpls lsr-id 10.10.2.1
    [PE2] mpls
    [PE2-mpls] quit

  5. Configure VPN instances on PEs and bind each interface that connects a PE to a CE to a VPN instance. Apply tunnel policies on the PEs to specify the GRE tunnel used to forward VPN packets.

    # Configure PE1.

    [PE1] tunnel-policy gre1
    [PE1-tunnel-policy-gre1] tunnel select-seq gre load-balance-number 1
    [PE1-tunnel-policy-gre1] quit
    [PE1] ip vpn-instance vpn1
    [PE1-vpn-instance-vpn1] ipv4-family
    [PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
    [PE1-vpn-instance-vpn1-af-ipv4] vpn-target 100:1 both
    [PE1-vpn-instance-vpn1-af-ipv4] tnl-policy gre1
    [PE1-vpn-instance-vpn1-af-ipv4] quit
    [PE1-vpn-instance-vpn1] quit
    [PE1] interface gigabitethernet 1/0/0
    [PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpn1
    [PE1-GigabitEthernet1/0/0] ip address 10.1.1.2 24
    [PE1-GigabitEthernet1/0/0] quit

    # Configure PE2.

    [PE2] tunnel-policy gre1
    [PE2-tunnel-policy-gre1] tunnel select-seq gre load-balance-number 1
    [PE2-tunnel-policy-gre1] quit
    [PE2] ip vpn-instance vpn1
    [PE2-vpn-instance-vpn1] ipv4-family
    [PE2-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:2
    [PE2-vpn-instance-vpn1-af-ipv4] vpn-target 100:1 both
    [PE2-vpn-instance-vpn1-af-ipv4] tnl-policy gre1
    [PE2-vpn-instance-vpn1-af-ipv4] quit
    [PE2-vpn-instance-vpn1] quit
    [PE2] interface gigabitethernet 1/0/0
    [PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpn1
    [PE2-GigabitEthernet1/0/0] ip address 10.2.1.2 24
    [PE2-GigabitEthernet1/0/0] quit

    After the configurations are complete, run the display ip vpn-instance verbose command on PEs to view the configurations of VPN instances. Each PE can ping its local CE.

    NOTE:

    If a PE has multiple interfaces bound to the same VPN instance, specify a source IP address by setting -a source-ip-address in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command to ping a remote CE. If the source IP address is not specified, the ping operation fails.

  6. Set up EBGP peer relationships between the PEs and CEs and import VPN routes to EBGP.

    # Configure CE1.

    [CE1] bgp 65410
    [CE1-bgp] peer 10.1.1.2 as-number 100
    [CE1-bgp] import-route direct
    [CE1-bgp] quit

    # Configure PE1.

    [PE1] bgp 100
    [PE1-bgp] ipv4-family vpn-instance vpn1
    [PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410
    [PE1-bgp-vpn1] import-route direct
    [PE1-bgp-vpn1] quit
    [PE1-bgp] quit

    # Configure CE2.

    [CE2] bgp 65420
    [CE2-bgp] peer 10.2.1.2 as-number 100
    [CE2-bgp] import-route direct
    [CE2-bgp] quit

    # Configure PE2.

    [PE2] bgp 100
    [PE2-bgp] ipv4-family vpn-instance vpn1
    [PE2-bgp-vpn1] peer 10.2.1.1 as-number 65420
    [PE2-bgp-vpn1] quit
    [PE2-bgp] quit

    After the configurations are complete, run the display bgp vpnv4 vpn-instance vpn1 peer command on the PEs. The output shows that the BGP peer relationships between the PEs and CEs have been established and are in the Established state.

    The command output on PE1 is used as an example.

    [PE1] display bgp vpnv4 vpn-instance vpn1 peer
    
     BGP local router ID : 10.10.1.1
     Local AS number : 100
    
     VPN-Instance vpn1, Router ID 10.10.1.1:
     Total number of peers : 1                Peers in established state : 1
    
      Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
    
      10.1.1.1        4       65410        6        3     0 00:01:14 Established       3

  7. Set up an MP-IBGP peer relationship between PEs.

    # Configure PE1.

    [PE1] bgp 100
    [PE1-bgp] peer 10.10.2.1 as-number 100
    [PE1-bgp] peer 10.10.2.1 connect-interface loopback 1
    [PE1-bgp] ipv4-family vpnv4
    [PE1-bgp-af-vpnv4] peer 10.10.2.1 enable
    [PE1-bgp-af-vpnv4] quit
    [PE1-bgp] quit

    # Configure PE2.

    [PE2] bgp 100
    [PE2-bgp] peer 10.10.1.1 as-number 100
    [PE2-bgp] peer 10.10.1.1 connect-interface loopback 1
    [PE2-bgp] ipv4-family vpnv4
    [PE2-bgp-af-vpnv4] peer 10.10.1.1 enable
    [PE2-bgp-af-vpnv4] quit
    [PE2-bgp] quit

    After the configurations are complete, run the display bgp vpnv4 all peer command on a PE. The command output shows that the BGP peer relationships have been established between the PEs and are in the Established state.

    [PE1] display bgp vpnv4 all peer
    
     BGP local router ID : 10.10.1.1
     Local AS number : 100
     Total number of peers : 2                Peers in established state : 2
    
      Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
    
      10.10.2.1       4         100        4        7     0 00:02:54 Established       0
    
      Peer of IPv4-family for vpn instance :
    
     VPN-Instance vpn1, Router ID 10.10.1.1:
      10.1.1.1        4       65410      122      119     0 01:57:43 Established       3

  8. Verify the configuration.

    # After the configuration is complete, CEs can learn routes to each other. CEs can successfully ping each other.

    # The command output on CE1 is used as an example.

    [CE1] display ip routing-table 10.2.1.0
    Route Flags:
    R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Table : Public
    Summary Count : 1
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    
           10.2.1.0/24  EBGP    255  0           D   10.1.1.2        GigabitEthernet1/0/0
    
    [CE1] ping 10.2.1.1
      PING 10.2.1.1: 56  data bytes, press CTRL_C to break
        Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=253 time=1 ms
        Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=253 time=1 ms
        Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=253 time=1 ms
        Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=253 time=10 ms
        Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=253 time=1 ms

      --- 10.2.1.1 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 1/2/10 ms

Configuration Files

  • Configuration file of CE1

    #
     sysname CE1
    #
    interface GigabitEthernet1/0/0
     ip address 10.1.1.1 255.255.255.0
    #
    bgp 65410
     peer 10.1.1.2 as-number 100
     #
     ipv4-family unicast
      undo synchronization
      import-route direct
      peer 10.1.1.2 enable
    #
    return
  • Configuration file of PE1

    #
     sysname PE1
    #
    ip vpn-instance vpn1
     ipv4-family
      route-distinguisher 100:1
      tnl-policy gre1
      vpn-target 100:1 export-extcommunity
      vpn-target 100:1 import-extcommunity
    #
    mpls lsr-id 10.10.1.1
    mpls
    #
    interface GigabitEthernet1/0/0
     ip binding vpn-instance vpn1
     ip address 10.1.1.2 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 172.1.1.1 255.255.255.0
    #
    interface LoopBack1
     ip address 10.10.1.1 255.255.255.255
    #
    interface Tunnel0/0/1
     ip address 10.3.1.1 255.255.255.0
     tunnel-protocol gre
     source LoopBack1
     destination 10.10.2.1
    #
    tunnel-policy gre1
     tunnel select-seq gre load-balance-number 1
    #
    bgp 100
     peer 10.10.2.1 as-number 100
     peer 10.10.2.1 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 10.10.2.1 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 10.10.2.1 enable
     #
     ipv4-family vpn-instance vpn1
      peer 10.1.1.1 as-number 65410
      import-route direct
    #
    ospf 1
     area 0.0.0.0
      network 10.10.1.1 0.0.0.0
      network 172.1.1.0 0.0.0.255
    #
    return
  • Configuration file of the P device

    #
     sysname P
    #
    interface GigabitEthernet1/0/0
     ip address 172.1.1.2 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 172.2.1.1 255.255.255.0
    #
    ospf 1
     area 0.0.0.0
      network 172.1.1.0 0.0.0.255
      network 172.2.1.0 0.0.0.255
    #
    return
  • Configuration file of PE2

    #
     sysname PE2
    #
    ip vpn-instance vpn1
     ipv4-family
      route-distinguisher 100:2
      tnl-policy gre1
      vpn-target 100:1 export-extcommunity
      vpn-target 100:1 import-extcommunity
    #
    mpls lsr-id 10.10.2.1
    mpls
    #
    interface GigabitEthernet1/0/0
     ip binding vpn-instance vpn1
     ip address 10.2.1.2 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 172.2.1.2 255.255.255.0
    #
    interface LoopBack1
     ip address 10.10.2.1 255.255.255.255
    #
    interface Tunnel0/0/1
     ip address 10.3.1.2 255.255.255.0
     tunnel-protocol gre
     source LoopBack1
     destination 10.10.1.1
    #
    tunnel-policy gre1
     tunnel select-seq gre load-balance-number 1
    #
    bgp 100
     peer 10.10.1.1 as-number 100
     peer 10.10.1.1 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 10.10.1.1 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 10.10.1.1 enable
     #
     ipv4-family vpn-instance vpn1
      peer 10.2.1.1 as-number 65420
    #
    ospf 1
     area 0.0.0.0
      network 10.10.2.1 0.0.0.0
      network 172.2.1.0 0.0.0.255
    #
    return
  • Configuration file of CE2

    #
     sysname CE2
    #
    interface GigabitEthernet1/0/0
     ip address 10.2.1.1 255.255.255.0
    #
    bgp 65420
     peer 10.2.1.2 as-number 100
     #
     ipv4-family unicast
      undo synchronization
      import-route direct
      peer 10.2.1.2 enable
    #
    return
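
A consistency check for a pair of PE configuration files in the format shown above, as an added example that is not part of the Huawei guide: it verifies that the tunnel policy bound to the VPN instance selects GRE and that each tunnel's destination is the peer's tunnel source address. The function names and the trimmed configuration excerpt are constructed for illustration; the addresses and names come from this page.

```python
# Constructed excerpt in the format of the PE configuration files above.
TEMPLATE = """\
ip vpn-instance vpn1
 ipv4-family
  tnl-policy gre1
#
interface LoopBack1
 ip address {lo} 255.255.255.255
#
interface Tunnel0/0/1
 tunnel-protocol gre
 source LoopBack1
 destination {peer}
#
tunnel-policy gre1
 tunnel select-seq gre load-balance-number 1
"""
PE1 = TEMPLATE.format(lo="10.10.1.1", peer="10.10.2.1")
PE2 = TEMPLATE.format(lo="10.10.2.1", peer="10.10.1.1")

def sections(cfg):
    """Map each top-level header line to its indented child lines."""
    out, cur = {}, []
    for line in cfg.splitlines():
        if line[:1].isspace():
            cur.append(line.strip())
        else:  # a header, "#" separator or blank line starts a new scope
            cur = [] if line[:1] in ("#", "") else out.setdefault(line, [])
    return out

def value(lines, kw):
    """First argument after keyword `kw` in a section, or None if absent."""
    return next((l[len(kw):].split()[0] for l in lines if l.startswith(kw + " ")), None)

def endpoints(cfg):
    """Return (gre_selected, tunnel source address, tunnel destination) for one PE."""
    s = sections(cfg)
    find = lambda prefix: next((v for k, v in s.items() if k.startswith(prefix)), [])
    tun, vpn = find("interface Tunnel"), find("ip vpn-instance")
    pol = s.get("tunnel-policy %s" % value(vpn, "tnl-policy"), [])
    gre = "tunnel-protocol gre" in tun and any("select-seq" in l and " gre " in l for l in pol)
    src = value(tun, "source")  # interface name, as on this page, or a literal address
    return gre, value(s.get("interface %s" % src, []), "ip address") or src, value(tun, "destination")

def audit(cfg_a, cfg_b):
    """Findings for a PE pair; an empty list means both checks passed."""
    (gre_a, src_a, dst_a), (gre_b, src_b, dst_b) = endpoints(cfg_a), endpoints(cfg_b)
    checks = [(gre_a and gre_b, "tunnel policy bound to the VPN instance does not select GRE"),
              (src_a and src_b and (dst_a, dst_b) == (src_b, src_a), "GRE endpoints are not mirrored")]
    return [msg for ok, msg in checks if not ok]
```

Run `audit()` on the saved configurations of both PEs before cutover; the parser expects the files as exported from the device, without the extra indentation used on this page.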
Updated: 2019-08-07

Document ID: EDOC1100033725
