CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.

Configuring Hub and Spoke

In Hub and Spoke networking, a central site is deployed and all the other sites communicate through the central site. The central site controls communication between sites.

Pre-configuration Tasks

Before configuring Hub and Spoke, complete the following tasks:

  • Configuring IGP on PE devices and P devices in the MPLS backbone network

    NOTE:

    When RIP-1 runs on the backbone network, you need to enable LDP to search for routes to establish LSPs based on the longest match rule. For details, see Configuring LDP Extensions for Inter-Area LSPs.

  • Configuring basic MPLS capabilities and MPLS LDP (or RSVP-TE) on PE devices and P devices in the MPLS backbone network

  • Configuring the IP addresses, through which the CE devices access the PE devices, on the CE devices

NOTE:

You also need to configure VPN tunnel policies when VPN services need to be transmitted over TE tunnels or when multiple tunnels need to perform load balancing to fully use network resources. For detailed configuration, see Configuring and Applying a Tunnel Policy.

Configuration Procedure

All the following tasks are mandatory. Perform these tasks in this sequence to complete the Hub and Spoke configuration.

Configuring MP-IBGP Between Hub-PE and Spoke-PE

Context

The Hub-PE device must set up an MP-IBGP peer relationship with every Spoke-PE device. Spoke-PE devices do not need to set up MP-IBGP peer relationships with each other.

Perform the following steps on the Hub-PE and Spoke-PE devices.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bgp { as-number-plain | as-number-dot }

    The BGP view is displayed.

  3. Run peer ipv4-address as-number as-number

    The peer PE is configured as a BGP peer.

  4. Run peer ipv4-address connect-interface loopback interface-number

    An interface is used to set up a Transmission Control Protocol (TCP) connection with the BGP peer.

    NOTE:

    A PE must use a loopback interface address with a 32-bit mask to set up an MP-IBGP peer relationship with the peer PE so that VPN routes can be iterated to tunnels. The route to the local loopback interface is advertised to the peer PE using an IGP on the MPLS backbone network.

  5. Run ipv4-family vpnv4 [ unicast ]

    The BGP-VPNv4 address family view is displayed.

  6. Run peer ipv4-address enable

    The ability to exchange VPN IPv4 routes with the BGP peer is enabled.

Configuring VPN Instances on PE Devices

Context

Configure VPN instances on each Spoke-PE device and the Hub-PE device. This section provides only the mandatory configuration for a VPN instance. For the optional configuration of a VPN instance, see Configuring a VPN Instance on a PE Device.

Procedure

  • Configure VPN instances on the Hub-PE device.

    Configure the following two VPN instances for the Hub-PE device:

    • VPN-in: accepts and maintains all the VPNv4 routes advertised by all the Spoke-PE devices.

    • VPN-out: maintains the routes of the Hub site and all the Spoke sites and advertises those routes to all the Spoke-PE devices.

    1. Run system-view

      The system view is displayed.

    2. Run ip vpn-instance VPN-in

      The VPN-in instance is created and the VPN-in instance view is displayed.

    3. Run ipv4-family

      The IPv4 address family is enabled for the VPN-in instance, and the VPN-in instance IPv4 address family view is displayed.

    4. Run route-distinguisher route-distinguisher

      The RD of the VPN-in instance IPv4 address family is configured.

    5. Run vpn-target vpn-target1 &<1-8> import-extcommunity

      The VPN target extended community for the VPN-in instance IPv4 address family is created to import the VPNv4 routes advertised by all the Spoke-PE devices.

      vpn-target1 lists the Export VPN targets advertised by all the Spoke-PE devices.

    6. Run quit

      The VPN instance view is displayed.

    7. Run quit

      Return to the system view.

    8. Run ip vpn-instance VPN-out

      The VPN-out instance is created and the VPN-out instance view is displayed.

    9. Run ipv4-family

      The IPv4 address family is enabled for the VPN-out instance, and the VPN-out instance IPv4 address family view is displayed.

    10. Run route-distinguisher route-distinguisher

      The RD of the VPN-out instance IPv4 address family is configured.

    11. Run vpn-target vpn-target2 &<1-8> export-extcommunity

      The VPN target extended community for the VPN-out instance IPv4 address family is created to advertise the routes of all the Hubs and Spokes.

      vpn-target2 lists the import VPN targets configured on all the Spoke-PE devices.

  • Configure a Spoke-PE device.

    Every Spoke-PE device is configured with a VPN instance.

    1. Run system-view

      The system view is displayed.

    2. Run ip vpn-instance vpn-instance-name

      The VPN instance is created and the VPN instance view is displayed.

    3. Run ipv4-family

      The VPN instance IPv4 address family view is displayed.

    4. Run route-distinguisher route-distinguisher

      The RD of the VPN instance IPv4 address family is configured.

    5. Run vpn-target vpn-target2 &<1-8> import-extcommunity

      The VPN target extended community is configured for the VPN instance IPv4 address family to receive the VPNv4 routes advertised by the Hub-PE device.

      vpn-target2 must be in the export VPN target list configured on the Hub-PE device.

    6. Run vpn-target vpn-target1 &<1-8> export-extcommunity

      The VPN target extended community is configured for the VPN instance IPv4 address family to advertise the routes of Spoke sites.

      vpn-target1 must be in the import VPN target list configured on the Hub-PE device.
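The hub controls inter-site traffic only as long as no spoke imports another spoke's export target. The following check is an added example, not part of the original guide; the configurations, instance names, RDs and route target values are constructed, and the parser handles only the commands shown in this section.

```python
# Constructed sample configs; vpn-target1 is 100:1 and vpn-target2 is 200:1 here.
HUB_PE = """
ip vpn-instance VPN-in
 ipv4-family
  route-distinguisher 100:21
  vpn-target 100:1 import-extcommunity
ip vpn-instance VPN-out
 ipv4-family
  route-distinguisher 100:22
  vpn-target 200:1 export-extcommunity
"""
SPOKE_OK = """
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 200:1 import-extcommunity
  vpn-target 100:1 export-extcommunity
"""
# Constructed mistake: this spoke also imports 100:1, which the other spoke exports.
SPOKE_BAD = SPOKE_OK.replace("200:1 import", "200:1 100:1 import")

def parse_targets(config):
    """Map each VPN instance to its import/export route targets (no keyword = both)."""
    instances, current = {}, None
    for words in (line.split() for line in config.splitlines()):
        if words[:2] == ["ip", "vpn-instance"] and len(words) == 3:
            current = instances.setdefault(words[2], {"import": set(), "export": set()})
        elif words[:1] == ["vpn-target"] and current is not None:
            rts = [w for w in words[1:] if ":" in w]
            if "export-extcommunity" not in words:
                current["import"].update(rts)
            if "import-extcommunity" not in words:
                current["export"].update(rts)
    return instances

def audit(hub_cfg, spoke_cfgs):
    """Return findings where route targets break the hub-and-spoke scheme."""
    hub = parse_targets(hub_cfg)
    hub_in, hub_out = hub["VPN-in"]["import"], hub["VPN-out"]["export"]
    spokes = {n: next(iter(parse_targets(c).values())) for n, c in spoke_cfgs.items()}
    findings = []
    for name, vrf in spokes.items():
        if not vrf["export"] <= hub_in:
            findings.append(f"{name}: export target not imported by VPN-in")
        if not vrf["import"] & hub_out:
            findings.append(f"{name}: imports no target exported by VPN-out")
        for other, peer in spokes.items():
            if other != name and vrf["import"] & peer["export"]:
                findings.append(f"{name}: imports {other} routes directly, bypassing the hub")
    return findings
```

Calling `audit(HUB_PE, {"spoke1": SPOKE_OK, "spoke2": SPOKE_BAD})` reports the second spoke, whose extra import target would give it routes to the first spoke that never pass through the hub.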

Binding a VPN Instance to an Interface

Prerequisites

A VPN instance has been created and the IPv4 address family has been enabled for the VPN instance.

Context

The configuration on the Hub-PE device involves two interfaces or sub-interfaces: one is bound to the VPN-in instance and receives the routes advertised by the Spoke-PE devices; the other is bound to the VPN-out instance and advertises the routes of the Hub and all the Spokes.

  • After configuring a VPN instance on a PE device, bind the VPN instance to the interface that belongs to the VPN. Otherwise, the interface functions as a public network interface and cannot forward VPN data.
  • An interface becomes a private network interface after a VPN instance is bound to it. You must configure an IP address for the interface so that the PE device can exchange routing information with its attached CE device.
  • After a VPN instance is bound to an interface, configuration of the Layer 3 features (IPv4 and IPv6 features) including IP addresses and routing protocols is deleted from the interface.
  • When you disable an address family (IPv4 or IPv6 address family) in a VPN instance, configuration of the address family is deleted from the interface. No interface is bound to a VPN instance if no address family configuration exists in the VPN instance.

Perform the following steps on the Hub-PE and all the Spoke-PE devices.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run ip binding vpn-instance vpn-instance-name

    A VPN instance is bound to the interface.

    By default, an interface is a public network interface and is not associated with any VPN instance.

  4. Run ip address ip-address { mask | mask-length }

    An IP address is configured for the interface.

Configuring Route Exchange Between PE and CE Devices

Context

The Hub-PE and Hub-CE devices can use an IGP or EBGP to exchange routing information. When they use EBGP, you must configure the Hub-PE device to allow the local AS number to be repeated.

As shown in Figure 7-37, the routing information advertised by a Spoke-CE is forwarded to the Hub-CE and Hub-PE device before being transmitted to other Spoke-PE devices. If EBGP runs between the Hub-PE device and the Hub-CE, the Hub-PE device performs the AS-Loop detection on the route. If the Hub-PE device detects its own AS number in the route, it discards the route. In this case, to implement the Hub and Spoke networking, the Hub-PE device must be configured to permit the existence of repeated local AS numbers.
Figure 7-37  EBGP running between the Hub-CE and Hub-PE devices

Procedure

  • Configure EBGP between the Hub-PE and Hub-CE devices.

    For detailed configuration procedures, see Configuring a Routing Protocol Between PE device and CE.

    The Spoke-PE and Spoke-CE devices can use EBGP, IGP, or static routes.

    To set up an EBGP peer relationship between the Hub-PE and Hub-CE devices and between a Spoke-PE device and a Spoke-CE device, perform the following steps on the Hub-PE device:

    1. Run system-view

      The system view is displayed.

    2. Run bgp { as-number-plain | as-number-dot }

      The BGP view is displayed.

    3. Run ipv4-family vpn-instance vpn-instance-name

      The BGP-VPN instance IPv4 address family view is displayed.

    4. Run peer ip-address allow-as-loop [ number ]

      The Hub-PE device is configured to allow the routing loop. Here, number is set to 1, which means that a route in which the local AS number is repeated once is allowed.

  • Configure an IGP between the Hub-PE and Hub-CE devices.

    For detailed configuration procedures, see Configuring a Routing Protocol Between PE and CE.

    In this case, an IGP or static routes, instead of BGP, are used between the Spoke-PE and Spoke-CE devices. If BGP is used, the AS number of the original BGP route is lost when the route passes through the IGP running between the Hub-PE and Hub-CE devices. The Spoke-PE device then receives both the original BGP route sent by the Spoke-CE device and the same route, without an AS number, forwarded by the Hub-PE device. The route sent by the Spoke-CE device carries an AS number and is therefore not preferred by the Spoke-PE device. After the route is withdrawn, the Spoke-PE device again prefers the route received from the Spoke-CE device and advertises it again. As this process repeats, route flapping occurs.

  • Configure static routes between the Hub-PE and the Hub-CE devices.

    For detailed configuration procedures, see Configuring a Routing Protocol Between PE device and CE.

    EBGP, IGP, or static routes can be used between the Spoke-PE and the Spoke-CE devices.

    If the Hub-CE device uses the default route to access the Hub-PE device, perform the following steps on the Hub-PE device to advertise the default route to all the Spoke-PE devices:

    1. Run system-view

      The system view is displayed.

    2. Run ip route-static vpn-instance vpn-source-name 0.0.0.0 0.0.0.0 nexthop-address [ preference preference | tag tag ]* [ description text ]

      Here, vpn-source-name refers to the VPN-out instance. nexthop-address is the IP address of the Hub-CE interface that is connected to the PE device interface bound to the VPN-out instance.

    3. Run bgp { as-number-plain | as-number-dot }

      The BGP view is displayed.

    4. Run ipv4-family vpn-instance vpn-instance-name

      The BGP-VPN instance IPv4 address family view is displayed. vpn-instance-name refers to the VPN-out instance.

    5. Run network 0.0.0.0 0

      The default route is advertised to all the Spoke-PE devices through MP-BGP.
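For the EBGP case above, the following added example (not part of the original guide) traces the AS_PATH of a Spoke-CE route through the hub and shows where AS-loop detection on the Hub-PE device discards it unless allow-as-loop is set to 1. The AS numbers and hop labels are constructed for illustration.

```python
HUB_PE_AS, HUB_CE_AS, SPOKE_CE1_AS = 100, 65430, 65410  # constructed AS numbers


def ebgp_send(as_path, sender_as):
    """An EBGP speaker prepends its own AS number when advertising a route."""
    return [sender_as] + as_path


def ebgp_accept(as_path, local_as, allow_as_loop=0):
    """AS-loop detection: accept only if local_as appears at most allow_as_loop times."""
    return as_path.count(local_as) <= allow_as_loop


def trace_spoke_route(allow_as_loop):
    """Follow a Spoke-CE1 route through the hub; return (hops, accepted_by_hub_pe)."""
    hops = []
    path = ebgp_send([], SPOKE_CE1_AS)        # Spoke-CE1 -> Spoke-PE1 over EBGP
    hops.append(("Spoke-PE1", path))
    hops.append(("Hub-PE VPN-in", path))      # MP-IBGP leaves the AS_PATH unchanged
    path = ebgp_send(path, HUB_PE_AS)         # Hub-PE -> Hub-CE over EBGP
    hops.append(("Hub-CE", path))
    path = ebgp_send(path, HUB_CE_AS)         # Hub-CE -> Hub-PE over EBGP
    accepted = ebgp_accept(path, HUB_PE_AS, allow_as_loop)
    if accepted:
        hops.append(("Hub-PE VPN-out", path))
        hops.append(("Spoke-PE2", path))      # MP-IBGP towards the other spokes
    return hops, accepted


if __name__ == "__main__":
    for count in (0, 1):
        hops, accepted = trace_spoke_route(count)
        print(f"allow-as-loop {count}: accepted={accepted}")
        for device, as_path in hops:
            print(f"  {device:15} AS_PATH {as_path}")
```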

Verifying the Hub and Spoke Configuration

Prerequisites

The configurations of the Hub and Spoke function are complete.

Procedure

  • Run the display ip routing-table vpn-instance vpn-instance-name command to check routing information about the VPN-in and VPN-out on the Hub-PE.

    If the VPN-in routing table has routes to all the Spoke stations, and the VPN-out routing table has routes to the Hub and all the Spoke stations, the configuration is successful.

  • Run the display ip routing-table command to check routing information on the Hub-CE and all the Spoke-CE devices.

    The Hub-CE and all the Spoke-CE devices have routes to the Hub and all the Spoke sites.

Updated: 2019-08-07

Document ID: EDOC1100033725
