CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Connecting a CE to a VPN Through a GRE Tunnel over a Public Network

Networking Requirements

In Figure 3-23:

  • PE1 and PE2 reside on the MPLS backbone network.

  • R1 connects CE1 and PE1 over the public network.

  • CE2 is directly connected to PE2.

  • CE1 and CE2 reside on the same VPN and can reach each other.

PE1 is not directly connected to CE1, so no VPN instance can be bound to a physical interface of PE1. Instead, a GRE tunnel that traverses the public network is set up between CE1 and PE1. On PE1, the GRE tunnel interface is bound to the VPN instance so that CE1 connects to the VPN through the tunnel.

NOTE:

The AR100, AR120, AR150, AR160, and AR200 cannot work on an MPLS backbone network.

Figure 3-23  Connecting a CE to a VPN through a GRE tunnel over a public network

Configuration Roadmap

The configuration roadmap is as follows:

  1. Run OSPF process 10 on PE1 and PE2 to implement interworking between them, and enable MPLS.

  2. Run OSPF process 20 on CE1, R1, and PE1 to implement interworking among them.

  3. Set up a GRE tunnel between CE1 and PE1.

  4. Create vpn1 on PE1 and PE2. On PE1, bind vpn1 to the GRE tunnel interface. On PE2, bind vpn1 to the physical interface connected to CE2.

  5. Configure IS-IS between CE1 and PE1 and between CE2 and PE2 to calculate routes between each CE and its connected PE.

  6. Run BGP on the PEs to implement interworking between CE1 and CE2.

Procedure

  1. Configure an IP address for each interface.

    # Configure CE1.

    <Huawei> system-view
    [Huawei] sysname CE1
    [CE1] interface gigabitethernet 1/0/0
    [CE1-GigabitEthernet1/0/0] ip address 10.1.1.2 24
    [CE1-GigabitEthernet1/0/0] quit
    [CE1] interface gigabitethernet 2/0/0
    [CE1-GigabitEthernet2/0/0] ip address 30.1.1.1 24
    [CE1-GigabitEthernet2/0/0] quit

    # Configure R1.

    <Huawei> system-view
    [Huawei] sysname R1
    [R1] interface gigabitethernet 1/0/0
    [R1-GigabitEthernet1/0/0] ip address 30.1.1.2 24
    [R1-GigabitEthernet1/0/0] quit
    [R1] interface gigabitethernet 2/0/0
    [R1-GigabitEthernet2/0/0] ip address 50.1.1.1 24
    [R1-GigabitEthernet2/0/0] quit

    # Configure PE1.

    <Huawei> system-view
    [Huawei] sysname PE1
    [PE1] interface gigabitethernet 1/0/0
    [PE1-GigabitEthernet1/0/0] ip address 50.1.1.2 24
    [PE1-GigabitEthernet1/0/0] quit
    [PE1] interface gigabitethernet 2/0/0
    [PE1-GigabitEthernet2/0/0] ip address 110.1.1.1 24
    [PE1-GigabitEthernet2/0/0] quit
    [PE1] interface loopback 1
    [PE1-LoopBack1] ip address 1.1.1.9 32
    [PE1-LoopBack1] quit

    # Configure IP addresses for interfaces on PE2 except the interface to be bound to a VPN instance, because all configurations on this interface are deleted when the interface is bound to a VPN instance.

    <Huawei> system-view
    [Huawei] sysname PE2
    [PE2] interface gigabitethernet 1/0/0
    [PE2-GigabitEthernet1/0/0] ip address 110.1.1.2 24
    [PE2-GigabitEthernet1/0/0] quit
    [PE2] interface loopback 1
    [PE2-LoopBack1] ip address 3.3.3.9 32
    [PE2-LoopBack1] quit

    # Configure CE2.

    <Huawei> system-view
    [Huawei] sysname CE2
    [CE2] interface gigabitethernet 1/0/0
    [CE2-GigabitEthernet1/0/0] ip address 11.1.1.1 24
    [CE2-GigabitEthernet1/0/0] quit
    [CE2] interface gigabitethernet 2/0/0
    [CE2-GigabitEthernet2/0/0] ip address 10.2.1.2 24
    [CE2-GigabitEthernet2/0/0] quit

  2. Configure routes between the PEs and enable MPLS.

    # On PE1, enable MPLS LDP, and run OSPF process 10 to configure reachable routes between the PEs. LSPs are set up automatically.

    [PE1] mpls lsr-id 1.1.1.9
    [PE1] mpls
    [PE1-mpls] lsp-trigger all
    [PE1-mpls] quit
    [PE1] mpls ldp
    [PE1-mpls-ldp] quit
    [PE1] ospf 10
    [PE1-ospf-10] area 0
    [PE1-ospf-10-area-0.0.0.0] network 1.1.1.9 0.0.0.0
    [PE1-ospf-10-area-0.0.0.0] network 110.1.1.0 0.0.0.255
    [PE1-ospf-10-area-0.0.0.0] quit
    [PE1-ospf-10] quit
    [PE1] interface gigabitethernet 2/0/0
    [PE1-GigabitEthernet2/0/0] mpls
    [PE1-GigabitEthernet2/0/0] mpls ldp
    [PE1-GigabitEthernet2/0/0] quit

    # On PE2, enable MPLS LDP, and run OSPF process 10 to configure reachable routes between the PEs. LSPs are set up automatically.

    [PE2] mpls lsr-id 3.3.3.9
    [PE2] mpls
    [PE2-mpls] lsp-trigger all
    [PE2-mpls] quit
    [PE2] mpls ldp
    [PE2-mpls-ldp] quit
    [PE2] ospf 10
    [PE2-ospf-10] area 0
    [PE2-ospf-10-area-0.0.0.0] network 3.3.3.9 0.0.0.0
    [PE2-ospf-10-area-0.0.0.0] network 110.1.1.0 0.0.0.255
    [PE2-ospf-10-area-0.0.0.0] quit
    [PE2-ospf-10] quit
    [PE2] interface gigabitethernet 1/0/0
    [PE2-GigabitEthernet1/0/0] mpls
    [PE2-GigabitEthernet1/0/0] mpls ldp
    [PE2-GigabitEthernet1/0/0] quit

  3. Create a VPN instance vpn1 on PE1 and bind vpn1 to the GRE tunnel.

    [PE1] ip vpn-instance vpn1
    [PE1-vpn-instance-vpn1] route-distinguisher 100:1
    [PE1-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 export-extcommunity
    [PE1-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 import-extcommunity
    [PE1-vpn-instance-vpn1-af-ipv4] quit
    [PE1-vpn-instance-vpn1] quit
    [PE1] interface tunnel 0/0/1
    [PE1-Tunnel0/0/1] ip binding vpn-instance vpn1 
    [PE1-Tunnel0/0/1] ip address 2.2.2.2 255.255.255.0
    [PE1-Tunnel0/0/1] quit

  4. Create a VPN instance vpn1 on PE2 and bind vpn1 to a user-side interface.

    [PE2] ip vpn-instance vpn1
    [PE2-vpn-instance-vpn1] route-distinguisher 200:1
    [PE2-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 export-extcommunity
    [PE2-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 import-extcommunity
    [PE2-vpn-instance-vpn1-af-ipv4] quit
    [PE2-vpn-instance-vpn1] quit
    [PE2] interface gigabitethernet 2/0/0
    [PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpn1 
    [PE2-GigabitEthernet2/0/0] ip address 11.1.1.2 255.255.255.0
    [PE2-GigabitEthernet2/0/0] quit

  5. Configure tunnel interfaces of the GRE tunnel.

    # Configure CE1.

    [CE1] interface tunnel 0/0/1
    [CE1-Tunnel0/0/1] tunnel-protocol gre
    [CE1-Tunnel0/0/1] source 30.1.1.1
    [CE1-Tunnel0/0/1] destination 50.1.1.2
    [CE1-Tunnel0/0/1] ip address 2.2.2.1 24
    [CE1-Tunnel0/0/1] quit

    # Configure PE1.

    [PE1] interface tunnel 0/0/1
    [PE1-Tunnel0/0/1] tunnel-protocol gre
    [PE1-Tunnel0/0/1] source 50.1.1.2
    [PE1-Tunnel0/0/1] destination 30.1.1.1
    [PE1-Tunnel0/0/1] quit

  6. Configure OSPF on CE1, R1, and PE1.

    # Configure CE1.

    [CE1] ospf 20
    [CE1-ospf-20] area 0
    [CE1-ospf-20-area-0.0.0.0] network 30.1.1.0 0.0.0.255
    [CE1-ospf-20-area-0.0.0.0] quit
    [CE1-ospf-20] quit

    # Configure R1.

    [R1] ospf 20
    [R1-ospf-20] area 0
    [R1-ospf-20-area-0.0.0.0] network 30.1.1.0 0.0.0.255
    [R1-ospf-20-area-0.0.0.0] network 50.1.1.0 0.0.0.255
    [R1-ospf-20-area-0.0.0.0] quit
    [R1-ospf-20] quit

    # Configure PE1.

    [PE1] ospf 20
    [PE1-ospf-20] area 0
    [PE1-ospf-20-area-0.0.0.0] network 50.1.1.0 0.0.0.255
    [PE1-ospf-20-area-0.0.0.0] quit
    [PE1-ospf-20] quit

  7. Configure IS-IS on CE1 and PE1 to calculate routes between them.

    # Configure CE1.

    [CE1] isis 50
    [CE1-isis-50] network-entity 50.0000.0000.0001.00
    [CE1-isis-50] quit
    [CE1] interface gigabitethernet 1/0/0
    [CE1-GigabitEthernet1/0/0] isis enable 50
    [CE1-GigabitEthernet1/0/0] quit
    [CE1] interface tunnel 0/0/1
    [CE1-Tunnel0/0/1] isis enable 50
    [CE1-Tunnel0/0/1] quit

    # Configure PE1.

    [PE1] isis 50 vpn-instance vpn1
    [PE1-isis-50] network-entity 50.0000.0000.0002.00
    [PE1-isis-50] quit
    [PE1] interface tunnel 0/0/1
    [PE1-Tunnel0/0/1] isis enable 50
    [PE1-Tunnel0/0/1] quit

  8. Configure IS-IS on CE2 and PE2 to calculate routes between them.

    # Configure CE2.

    [CE2] isis 50
    [CE2-isis-50] network-entity 50.0000.0000.0004.00
    [CE2-isis-50] quit
    [CE2] interface gigabitethernet 1/0/0
    [CE2-GigabitEthernet1/0/0] isis enable 50
    [CE2-GigabitEthernet1/0/0] quit
    [CE2] interface gigabitethernet 2/0/0
    [CE2-GigabitEthernet2/0/0] isis enable 50
    [CE2-GigabitEthernet2/0/0] quit

    # Configure PE2.

    [PE2] isis 50 vpn-instance vpn1
    [PE2-isis-50] network-entity 50.0000.0000.0003.00
    [PE2-isis-50] quit
    [PE2] interface gigabitethernet 2/0/0
    [PE2-GigabitEthernet2/0/0] isis enable 50
    [PE2-GigabitEthernet2/0/0] quit

  9. Set up an MP-IBGP peer relationship between the PEs.

    # On PE1, configure an IBGP peer relationship with PE2 using a loopback interface to exchange VPN IPv4 route information.

    [PE1] bgp 100
    [PE1-bgp] peer 3.3.3.9 as-number 100
    [PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
    [PE1-bgp] ipv4-family vpnv4
    [PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
    [PE1-bgp-af-vpnv4] quit

    # Import IS-IS routes to vpn1.

    [PE1-bgp] ipv4-family vpn-instance vpn1
    [PE1-bgp-vpn1] import-route isis 50

    # On PE2, configure an IBGP peer relationship with PE1 using a loopback interface to exchange VPN IPv4 route information.

    [PE2] bgp 100
    [PE2-bgp] peer 1.1.1.9 as-number 100
    [PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
    [PE2-bgp] ipv4-family vpnv4
    [PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
    [PE2-bgp-af-vpnv4] quit

    # Import IS-IS routes to vpn1.

    [PE2-bgp] ipv4-family vpn-instance vpn1
    [PE2-bgp-vpn1] import-route isis 50

  10. Import BGP routes to the IS-IS routing table.

    # Configure PE1.

    [PE1] isis 50
    [PE1-isis-50] import-route bgp

    # Configure PE2.

    [PE2] isis 50
    [PE2-isis-50] import-route bgp

  11. Verify the configuration.

    # After the configuration is complete, CE1 and CE2 have reachable routes to each other. The command output on CE1 is used as an example.

    <CE1> display ip routing-table 41.1.1.0
    ------------------------------------------------------------------------------
    Routing Table : Public
    Summary Count : 1
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    
           41.1.1.0/24  ISIS-L2 15   74          D   2.2.2.2         Tunnel0/0/1
    

Configuration Files

  • Configuration file of CE1

    #
     sysname CE1
    #
    isis 50
     network-entity 50.0000.0000.0001.00
    #
    interface GigabitEthernet1/0/0
     ip address 10.1.1.2 255.255.255.0
     isis enable 50
    #
    interface GigabitEthernet2/0/0
     ip address 30.1.1.1 255.255.255.0
    #
    interface Tunnel0/0/1
     ip address 2.2.2.1 255.255.255.0
     tunnel-protocol gre
     source 30.1.1.1
     destination 50.1.1.2
     isis enable 50
    #
    ospf 20
     area 0.0.0.0
      network 30.1.1.0 0.0.0.255
    #
    return
  • Configuration file of R1

    #
     sysname R1
    #
    interface GigabitEthernet1/0/0
     ip address 30.1.1.2 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 50.1.1.1 255.255.255.0
    #
    ospf 20
     area 0.0.0.0
      network 30.1.1.0 0.0.0.255
      network 50.1.1.0 0.0.0.255
    #
    return
  • Configuration file of PE1

    #
     sysname PE1
    #
    ip vpn-instance vpn1
     route-distinguisher 100:1
     vpn-target 111:1 export-extcommunity
     vpn-target 111:1 import-extcommunity
    #
    mpls lsr-id 1.1.1.9
    mpls
     lsp-trigger all
    #
    mpls ldp
    #
    isis 50 vpn-instance vpn1
     network-entity 50.0000.0000.0002.00
     import-route bgp
    #
    interface GigabitEthernet1/0/0
     ip address 50.1.1.2 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 110.1.1.1 255.255.255.0
     mpls
     mpls ldp
    #
    interface LoopBack1
     ip address 1.1.1.9 255.255.255.255
    #
    interface Tunnel0/0/1
     ip binding vpn-instance vpn1
     ip address 2.2.2.2 255.255.255.0
     tunnel-protocol gre
     source 50.1.1.2
     destination 30.1.1.1
     isis enable 50
    #
    bgp 100
     peer 3.3.3.9 as-number 100
     peer 3.3.3.9 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 3.3.3.9 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 3.3.3.9 enable
     #
     ipv4-family vpn-instance vpn1
      import-route isis 50
    #
    ospf 10
     area 0.0.0.0
      network 1.1.1.9 0.0.0.0
      network 110.1.1.0 0.0.0.255
    #
    ospf 20
     area 0.0.0.0
      network 50.1.1.0 0.0.0.255
    #
    return
  • Configuration file of PE2

    #
     sysname PE2
    #
    ip vpn-instance vpn1
     route-distinguisher 200:1
     vpn-target 111:1 export-extcommunity
     vpn-target 111:1 import-extcommunity
    #
    mpls lsr-id 3.3.3.9
    mpls
     lsp-trigger all
    #
    mpls ldp
    #
    isis 50 vpn-instance vpn1
     network-entity 50.0000.0000.0003.00
     import-route bgp
    #
    interface GigabitEthernet1/0/0
     ip address 110.1.1.2 255.255.255.0
     mpls
     mpls ldp
    #
    interface GigabitEthernet2/0/0
     ip binding vpn-instance vpn1
     ip address 11.1.1.2 255.255.255.0
     isis enable 50
    #
    interface LoopBack1
     ip address 3.3.3.9 255.255.255.255
    #
    bgp 100
     peer 1.1.1.9 as-number 100
     peer 1.1.1.9 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 1.1.1.9 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 1.1.1.9 enable
     #
     ipv4-family vpn-instance vpn1
      import-route isis 50
    #
    ospf 10
     area 0.0.0.0
      network 3.3.3.9 0.0.0.0
      network 110.1.1.0 0.0.0.255
    #
    return
  • Configuration file of CE2

    #
     sysname CE2
    #
    isis 50
     network-entity 50.0000.0000.0004.00
    #
    interface GigabitEthernet1/0/0
     ip address 11.1.1.1 255.255.255.0
     isis enable 50
    #
    interface GigabitEthernet2/0/0
     ip address 10.2.1.2 255.255.255.0
     isis enable 50
    #
    return
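
The following Python check is an added example, not part of the Huawei guide. It reads excerpts of the configuration files above and confirms three things this procedure depends on: the GRE source and destination on CE1 and PE1 mirror each other, the PE1 tunnel interface is bound to vpn1 (otherwise CE1's routes land in the public routing table instead of the VPN), and each PE imports a route target that the other exports. The function names `stanza`, `field`, `rts` and `audit` are assumptions of this example.

```python
# Excerpts of the CE1, PE1 and PE2 configuration files shown on this page.
CE1 = """interface Tunnel0/0/1
 ip address 2.2.2.1 255.255.255.0
 source 30.1.1.1
 destination 50.1.1.2
"""
VPN1 = """ip vpn-instance vpn1
 vpn-target 111:1 export-extcommunity
 vpn-target 111:1 import-extcommunity
"""
PE1 = VPN1 + """#
interface Tunnel0/0/1
 ip binding vpn-instance vpn1
 ip address 2.2.2.2 255.255.255.0
 source 50.1.1.2
 destination 30.1.1.1
"""
PE2 = VPN1  # PE2's vpn1 stanza differs only in its route-distinguisher, omitted here

def stanza(cfg, header):
    """Indented lines under the top-level stanza that starts with `header`."""
    out, inside = [], False
    for line in cfg.splitlines():
        if not line.startswith(" "):
            inside = line.strip() == header
        elif inside:
            out.append(line.strip())
    return out

def field(lines, key):
    """Value that follows `key` in a stanza, or None when the key is absent."""
    return next((l[len(key):].strip() for l in lines if l.startswith(key + " ")), None)

def rts(cfg, vpn, way):
    """Route targets that `vpn` imports or exports (`way`) in this config."""
    return {rt for l in stanza(cfg, "ip vpn-instance " + vpn)
            if l.startswith("vpn-target ") and l.endswith(way + "-extcommunity")
            for rt in l.split()[1:-1]}

def audit(ce, pe, far_pe, vpn="vpn1", tun="interface Tunnel0/0/1"):
    """Return findings; an empty list means the invariants of this example hold."""
    c, p = stanza(ce, tun), stanza(pe, tun)
    ends = (field(c, "source"), field(c, "destination"))
    checks = [
        (all(ends) and ends == (field(p, "destination"), field(p, "source")), "GRE endpoints not mirrored"),
        (field(p, "ip binding vpn-instance") == vpn, "PE tunnel is not bound to " + vpn),
        (rts(pe, vpn, "export") & rts(far_pe, vpn, "import"), "far PE imports none of PE's export RTs"),
        (rts(far_pe, vpn, "export") & rts(pe, vpn, "import"), "PE imports none of far PE's export RTs"),
    ]
    return [msg for ok, msg in checks if not ok]
```

`audit(CE1, PE1, PE2)` returns an empty list for the configuration on this page; the same functions accept the full configuration files, because lines outside the named stanzas are ignored.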
Updated: 2019-08-07

Document ID: EDOC1100033725