CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Configuring VLL to Use a GRE Tunnel

Networking Requirements

NOTE:

AR100&AR120&AR150&AR160&AR200 cannot be used in this scenario.

An ISP network provides the L2VPN service for users. Many users connect to the MPLS network through PE1 and PE2, and users on the PEs change frequently. A proper VPN solution is required to provide secure VPN services for users and to simplify configuration when new users connect to the network.

A Martini VLL connection can be set up between CE1 and CE2 to meet these requirements. By default, the system uses Label Switched Paths (LSPs) for Martini VLL and does not perform load balancing. If the P device does not provide MPLS functions, VLL cannot be implemented.

To solve the problem, apply a tunnel policy to Martini VLL to specify that VLL services are transmitted over a GRE tunnel.

Figure 3-22  Networking diagram for configuring VLL to use a GRE tunnel

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a routing protocol on the PE and P devices on the backbone network to ensure reachability between them.

  2. Enable MPLS and MPLS LDP on PEs. Set up a remote LDP session between the PEs to exchange VC labels between the PEs.

  3. Enable MPLS L2VPN on PEs. Enabling MPLS L2VPN is the prerequisite for VLL configuration.

  4. Create GRE tunnel interfaces on PEs and establish a GRE tunnel between PEs.

  5. Create VC connections on PEs. Because the P device does not support MPLS functions, configure a tunnel policy and apply it when you create the VC connections so that VLL services are transmitted over a GRE tunnel.

Procedure

  1. Configure interface IP addresses and a routing protocol on the PEs and P.

    # Configure PE1. The configurations of PE2 and P are similar to that of PE1 and are not shown here.

    <Huawei> system-view
    [Huawei] sysname PE1
    [PE1] interface gigabitethernet 2/0/0
    [PE1-GigabitEthernet2/0/0] ip address 172.1.1.1 255.255.255.0
    [PE1-GigabitEthernet2/0/0] quit
    [PE1] interface loopback 1
    [PE1-LoopBack1] ip address 10.10.1.1 255.255.255.255
    [PE1-LoopBack1] quit
    [PE1] ospf 1
    [PE1-ospf-1] area 0
    [PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
    [PE1-ospf-1-area-0.0.0.0] network 10.10.1.1 0.0.0.0
    [PE1-ospf-1-area-0.0.0.0] quit
    [PE1-ospf-1] quit
    

    After the configurations are complete, OSPF neighbor relationships can be set up between PE1, P, and PE2. Run the display ospf peer command. You can see that the neighbor status is Full. Run the display ip routing-table command. You can see that PEs have learnt the routes to Loopback1 of each other.

  2. Configure basic MPLS functions and LDP on PEs and establish a remote LDP session between PEs.

    # Configure PE1.

    [PE1] mpls lsr-id 10.10.1.1
    [PE1] mpls
    [PE1-mpls] quit
    [PE1] mpls ldp
    [PE1-mpls-ldp] quit
    [PE1] mpls ldp remote-peer 10.10.2.1
    [PE1-mpls-ldp-remote-10.10.2.1] remote-ip 10.10.2.1
    [PE1-mpls-ldp-remote-10.10.2.1] quit

    # Configure PE2.

    [PE2] mpls lsr-id 10.10.2.1
    [PE2] mpls
    [PE2-mpls] quit
    [PE2] mpls ldp
    [PE2-mpls-ldp] quit
    [PE2] mpls ldp remote-peer 10.10.1.1
    [PE2-mpls-ldp-remote-10.10.1.1] remote-ip 10.10.1.1
    [PE2-mpls-ldp-remote-10.10.1.1] quit

    After the configurations are complete, run the display mpls ldp session command on PE1 to view the LDP session status. You can see that an LDP session is set up between PE1 and PE2.

    The display on PE1 is used as an example.

    [PE1] display mpls ldp session
                                                                                    
     LDP Session(s) in Public Network                                               
     Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)                  
     A '*' before a session means the session is being deleted.                     
     ------------------------------------------------------------------------------ 
     PeerID             Status      LAM  SsnRole  SsnAge      KASent/Rcv            
     ------------------------------------------------------------------------------ 
     10.10.2.1:0          Operational DU   Passive  0000:00:01  1/1                   
     ------------------------------------------------------------------------------ 
     TOTAL: 1 session(s) Found.                                                     

  3. Enable MPLS L2VPN on PEs.

    # Configure PE1.

    [PE1] mpls l2vpn
    [PE1-l2vpn] quit
    

    # Configure PE2.

    [PE2] mpls l2vpn
    [PE2-l2vpn] quit

  4. Create GRE tunnel interfaces on PEs and establish a GRE tunnel between PEs.

    # Configure PE1.

    [PE1] interface tunnel 0/0/1
    [PE1-Tunnel0/0/1] ip address 10.2.1.1 255.255.255.0 
    [PE1-Tunnel0/0/1] tunnel-protocol gre
    [PE1-Tunnel0/0/1] source 10.10.1.1
    [PE1-Tunnel0/0/1] destination 10.10.2.1
    [PE1-Tunnel0/0/1] quit

    # Configure PE2.

    [PE2] interface tunnel 0/0/1
    [PE2-Tunnel0/0/1] ip address 10.2.1.2 255.255.255.0 
    [PE2-Tunnel0/0/1] tunnel-protocol gre
    [PE2-Tunnel0/0/1] source 10.10.2.1
    [PE2-Tunnel0/0/1] destination 10.10.1.1
    [PE2-Tunnel0/0/1] quit

    After the configurations are complete, the tunnel interfaces go Up and can ping each other.

    The display on PE1 is used as an example.

    [PE1] ping -a 10.2.1.1 10.2.1.2
      PING 10.2.1.2: 56  data bytes, press CTRL_C to break        
        Reply from 10.2.1.2: bytes=56 Sequence=1 ttl=255 time=1 ms
        Reply from 10.2.1.2: bytes=56 Sequence=2 ttl=255 time=1 ms
        Reply from 10.2.1.2: bytes=56 Sequence=3 ttl=255 time=1 ms
        Reply from 10.2.1.2: bytes=56 Sequence=4 ttl=255 time=1 ms
        Reply from 10.2.1.2: bytes=56 Sequence=5 ttl=255 time=1 ms
                                                                  
      --- 10.2.1.2 ping statistics ---                            
        5 packet(s) transmitted                                   
        5 packet(s) received                                      
        0.00% packet loss                                         
        round-trip min/avg/max = 1/1/1 ms

  5. Configure a tunnel policy, create VC connections, and apply the policy to the VC connections so that VLL services can be transmitted over a GRE tunnel.

    # Configure PE1.

    [PE1] tunnel-policy gre1
    [PE1-tunnel-policy-gre1] tunnel select-seq gre load-balance-number 1
    [PE1-tunnel-policy-gre1] quit
    [PE1] interface gigabitethernet 1/0/0
    [PE1-GigabitEthernet1/0/0] mpls l2vc 10.10.2.1 39 tunnel-policy gre1
    [PE1-GigabitEthernet1/0/0] quit

    # Configure PE2.

    [PE2] tunnel-policy gre1
    [PE2-tunnel-policy-gre1] tunnel select-seq gre load-balance-number 1
    [PE2-tunnel-policy-gre1] quit
    [PE2] interface gigabitethernet 2/0/0
    [PE2-GigabitEthernet2/0/0] mpls l2vc 10.10.1.1 39 tunnel-policy gre1
    [PE2-GigabitEthernet2/0/0] quit

  6. Verify the configuration.

    # After the configurations are complete, check the L2VPN connection on PEs. You can see that an L2VC connection has been set up and is in Up state.

    # The display on PE1 is used as an example.

    [PE1] display mpls l2vc interface gigabitethernet 1/0/0
     *client interface       : GigabitEthernet1/0/0 is up
      Administrator PW       : no
      session state          : up
      AC status              : up
      Ignore AC state        : disable
      VC state               : up
      Label state            : 0
      Token state            : 0
      VC ID                  : 39
      VC type                : Ethernet
      destination            : 10.10.2.1
      local group ID         : 0            remote group ID      : 0
      local VC label         : 1025         remote VC label      : 1024
      local AC OAM State     : up
      local PSN OAM State    : up
      local forwarding state : forwarding
      local status code      : 0x0
      remote AC OAM state    : up
      remote PSN OAM state   : up
      remote forwarding state: forwarding
      remote status code     : 0x0
      ignore standby state   : no
      BFD for PW             : unavailable
      VCCV State             : up
      manual fault           : not set
      active state           : active
      forwarding entry       : exist
      link state             : up
      local VC MTU           : 1500         remote VC MTU        : 1500
      local VCCV             : alert ttl lsp-ping bfd 
      remote VCCV            : alert ttl lsp-ping bfd 
      local control word     : disable      remote control word  : disable
      tunnel policy name     : gre1
      PW template name       : --
      primary or secondary   : primary
      load balance type      : flow
      Access-port            : false
      Switchover Flag        : false
      VC tunnel/token info   : 1 tunnels/tokens
        NO.0  TNL type       : gre   , TNL ID : 0x2
        Backup TNL type      : lsp   , TNL ID : 0x0
      create time            : 0 days, 2 hours, 37 minutes, 1 seconds
      up time                : 0 days, 0 hours, 2 minutes, 11 seconds
      last change time       : 0 days, 0 hours, 2 minutes, 11 seconds
      VC last up time        : 2013/02/20 18:58:24
      VC total up time       : 0 days, 2 hours, 35 minutes, 58 seconds
      CKey                   : 2
      NKey                   : 1
      PW redundancy mode     : frr
      AdminPw interface      : --
      AdminPw link state     : --
      Diffserv Mode          : uniform
      Service Class          : --
      Color                  : --
      DomainId               : --
      Domain Name            : --

    # Run the display tunnel-info tunnel-id command on PEs according to the tunnel ID in the preceding command output. You can view details of the specified tunnel ID.

    [PE1] display tunnel-info tunnel-id 2
    Tunnel ID:                    0x2
    Tunnel Token:                 2
    Type:                         gre
    Destination:                  10.10.2.1
    Out Slot:                     0
    Instance ID:                  0
    Interface:                    Tunnel0/0/1

    # CE1 and CE2 can ping each other successfully.

    # The display on CE1 is used as an example.

    [CE1] ping 10.1.1.2
      PING 10.1.1.2: 56  data bytes, press CTRL_C to break
        Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=31 ms
        Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=10 ms
        Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=5 ms
        Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=2 ms
        Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=28 ms
      --- 10.1.1.2 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 2/15/31 ms 

Configuration Files

  • Configuration file of CE1

    #
     sysname CE1
    #
    interface GigabitEthernet1/0/0
     ip address 10.1.1.1 255.255.255.0
    #
    return

  • Configuration file of PE1

    #
     sysname PE1
    #
    mpls lsr-id 10.10.1.1
    mpls
    #
    mpls l2vpn
    #
    mpls ldp
    #
    mpls ldp remote-peer 10.10.2.1
     remote-ip 10.10.2.1
    #
    interface GigabitEthernet1/0/0
     mpls l2vc 10.10.2.1 39 tunnel-policy gre1
    #
    interface GigabitEthernet2/0/0
     ip address 172.1.1.1 255.255.255.0
    #
    interface LoopBack1
     ip address 10.10.1.1 255.255.255.255
    #
    interface Tunnel0/0/1
     ip address 10.2.1.1 255.255.255.0
     tunnel-protocol gre
     source 10.10.1.1
     destination 10.10.2.1
    # 
    ospf 1
     area 0.0.0.0
      network 10.10.1.1 0.0.0.0
      network 172.1.1.0 0.0.0.255
    #
    tunnel-policy gre1 
     tunnel select-seq gre load-balance-number 1
    #
    return

  • Configuration file of P

    #
     sysname P
    #
    interface GigabitEthernet2/0/0
     ip address 172.1.1.2 255.255.255.0
    #
    interface GigabitEthernet1/0/0
     ip address 172.2.1.2 255.255.255.0
    #
    ospf 1
     area 0.0.0.0
      network 172.1.1.0 0.0.0.255
      network 172.2.1.0 0.0.0.255
    #
    return

  • Configuration file of PE2

    #
     sysname PE2
    #
    mpls lsr-id 10.10.2.1
    mpls
    #
    mpls l2vpn
    #
    mpls ldp
    #
    mpls ldp remote-peer 10.10.1.1
     remote-ip 10.10.1.1
    #
    interface GigabitEthernet1/0/0
     ip address 172.2.1.1 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     mpls l2vc 10.10.1.1 39 tunnel-policy gre1
    #
    interface LoopBack1
     ip address 10.10.2.1 255.255.255.255
    #
    interface Tunnel0/0/1
     ip address 10.2.1.2 255.255.255.0
     tunnel-protocol gre
     source 10.10.2.1
     destination 10.10.1.1
    #
    ospf 1
     area 0.0.0.0
      network 10.10.2.1 0.0.0.0
      network 172.2.1.0 0.0.0.255
    #
    tunnel-policy gre1 
     tunnel select-seq gre load-balance-number 1
    #
    return

  • Configuration file of CE2

    #
     sysname CE2
    #
    interface GigabitEthernet1/0/0
     ip address 10.1.1.2 255.255.255.0
    #
    return
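
The VC only comes up over GRE when both PE configurations mirror each other: same VC ID, each l2vc and remote LDP peer pointing at the other PE's LSR ID, GRE source and destination swapped, and a tunnel policy that selects gre bound to the l2vc (without it the VC falls back to LSPs, which the P device cannot carry). The following consistency check is an added example, not part of the Huawei documentation; `pe_config`, `parse` and `audit` are hypothetical helper names, and the sample text is constructed from an abridged form of the PE1 and PE2 configuration files above.

```python
import re

def pe_config(local, peer, ac_if, vc_id=39, l2vc_opts=" tunnel-policy gre1"):
    """Constructed sample: abridged PE sections from the page's configuration files."""
    return f"""mpls lsr-id {local}
#
mpls ldp remote-peer {peer}
 remote-ip {peer}
#
interface {ac_if}
 mpls l2vc {peer} {vc_id}{l2vc_opts}
#
interface Tunnel0/0/1
 tunnel-protocol gre
 source {local}
 destination {peer}
#
tunnel-policy gre1
 tunnel select-seq gre load-balance-number 1
"""

def parse(cfg):
    """Pull out the fields that must line up between the two PEs."""
    def first(pattern):
        m = re.search(pattern, cfg, re.M)
        return m.groups() if m else (None,) * re.compile(pattern).groups
    peer, vc_id, policy = first(r"^ mpls l2vc (\S+) (\d+)(?: tunnel-policy (\S+))?")
    src, dst = first(r"^ tunnel-protocol gre\s*\n source (\S+)\s*\n destination (\S+)")
    policies = re.findall(r"^tunnel-policy (\S+)\s*\n tunnel select-seq (\S+)", cfg, re.M)
    return {"lsr_id": first(r"^mpls lsr-id (\S+)")[0], "vc_id": vc_id,
            "ldp_peer": first(r"^ remote-ip (\S+)")[0], "vc_peer": peer,
            "policy": policy, "gre_src": src, "gre_dst": dst, "policies": dict(policies)}

def audit(cfg_a, cfg_b):
    """List mismatches that would keep the VC down or off the GRE tunnel."""
    a, b = parse(cfg_a), parse(cfg_b)
    issues = [] if a["vc_id"] == b["vc_id"] else ["VC ID mismatch"]
    for name, me, other in (("A", a, b), ("B", b, a)):
        if me["vc_peer"] != other["lsr_id"]:
            issues.append(f"{name}: l2vc peer is not the remote LSR ID")
        if me["ldp_peer"] != other["lsr_id"]:
            issues.append(f"{name}: remote LDP peer is not the remote LSR ID")
        if me["policies"].get(me["policy"]) != "gre":
            issues.append(f"{name}: l2vc has no tunnel policy selecting gre")
        if me["gre_dst"] is None or me["gre_dst"] != other["gre_src"]:
            issues.append(f"{name}: GRE destination != remote GRE source")
    return issues

PE1 = pe_config("10.10.1.1", "10.10.2.1", "GigabitEthernet1/0/0")
PE2 = pe_config("10.10.2.1", "10.10.1.1", "GigabitEthernet2/0/0")
```

`audit(PE1, PE2)` returns an empty list for the configuration on this page; each entry it returns otherwise names the side (A is the first argument) and the field that does not mirror the peer.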
Updated: 2019-08-07

Document ID: EDOC1100033725
