CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.

Configuring a Tunnel Interface

Context

A GRE tunnel is established between two tunnel interfaces; therefore, you need to configure tunnel interfaces on devices at both ends of a tunnel. Set the protocol type to GRE, specify the tunnel source address (or interface) and tunnel destination address, and specify IP addresses for tunnel interfaces.

  • Source IP address of the tunnel: Indicates the source IP address defined in the packet transmission protocol. When the configured value is an IP address, the value is directly used as the source IP address. When the configured value is a source interface, the IP address of the interface is used as the source IP address.
  • Destination IP address of the tunnel: Indicates the destination IP address defined in the packet transmission protocol.
  • IP address of the tunnel interface: Indicates an IP address assigned to the tunnel interface. A dynamic or static routing protocol uses this IP address to advertise the tunnel interface. The IP address of the tunnel interface may or may not be a public network address. To save IP addresses, it can also be borrowed from another interface. However, a borrowed IP address cannot be used for tunnel interface communication. Therefore, if the IP address is borrowed, you must configure a static route or a routing protocol that makes the IP address reachable so that the tunnel itself is reachable.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface tunnel interface-number

    A tunnel interface is created and the tunnel interface view is displayed.

  3. Run tunnel-protocol gre

    The protocol type of the tunnel interface is set to GRE.

  4. (Optional) Run gre key { plain key-number | [ cipher ] plain-cipher-text }

    The key number of the GRE tunnel is configured.

    NOTE:

    Normally, only one GRE tunnel can be established over a physical link that has only one source address and one destination address. To solve this problem, GRE keys are introduced to identify tunnel interfaces with the same source address and same destination address. This implementation allows multiple GRE tunnels to be established over a physical link that has only one source address and one destination address to carry different types of services.

    If you want to configure the same source and destination addresses for multiple GRE tunnels, configure the gre key command first. Otherwise, the configuration fails.

  5. Run source { source-ip-address | interface-type interface-number }

    A source address or source interface is specified for the tunnel.

    NOTE:
    When configuring the source interface of a tunnel, note the following:
    • Do not specify the tunnel interface of a GRE tunnel as its own source interface. You can specify the tunnel interface of another tunnel as the source interface.

    • You can configure the virtual address of a VRRP group as the source address of a tunnel.

    • Do not configure a bridge-if interface as the source interface of a tunnel.

  6. Run destination [ vpn-instance vpn-instance-name ] dest-ip-address

    A destination address is specified for the tunnel.

    If a customer edge (CE) is connected to a provider edge (PE) through the GRE tunnel, specify a virtual private network (VPN) instance to add the tunnel interface to a private network routing table when configuring the destination address for the tunnel.

  7. (Optional) Run tunnel route-via interface-type interface-number { mandatory | preferred }

    The routing outbound interface for the GRE tunnel is specified.

    By default, a GRE tunnel does not have a routing outbound interface.

    GRE packets are forwarded based on routing tables. If there are multiple equal-cost routes to the destination address, GRE packets are shared among these routes. In some situations, the actual routing outbound interface of GRE packets transmitted over a GRE tunnel may be the routing outbound interface for another GRE tunnel. If Unicast Reverse Path Forwarding (URPF) is enabled on the next hop device, this device checks the source addresses of these GRE packets to identify their outbound interface and then determines whether that outbound interface is the same as the interface that actually received the packets. If the two interfaces differ, the device drops the packets. To solve this problem, run the tunnel route-via command to specify the routing outbound interface for each GRE tunnel.

    If you configure mandatory when running the tunnel route-via command, traffic is strictly forwarded through the specified routing outbound interface. Specifically, if the available routing outbound interfaces for GRE packets transmitted over a GRE tunnel do not include the routing outbound interface specified for the tunnel, packets cannot be forwarded. If you configure preferred when running the tunnel route-via command, traffic is preferentially forwarded through the specified routing outbound interface. Specifically, if the available routing outbound interfaces for GRE packets transmitted over a GRE tunnel do not include the routing outbound interface specified for the tunnel, packets can still be forwarded through available routing outbound interfaces.

  8. (Optional) Run mtu mtu

    A maximum transmission unit (MTU) is configured for the tunnel interface.

    By default, the MTU of a tunnel interface is 1500 bytes.

    NOTE:

    To change the MTU of a tunnel interface, run the shutdown command and then the undo shutdown command on the interface to make the new MTU effective.

  9. (Optional) Run description text

    An interface description is provided.

    By default, the following description is provided for the tunnel interface: HUAWEI, AR Series, Tunnel interface-number Interface.

    For example, the description of Tunnel0/0/1 is "HUAWEI, AR Series, Tunnel0/0/1 Interface."

  10. Run either of the following commands to specify an IP address for the tunnel interface.

    • Specify an IP address.

      • Specify an IPv4 address for the tunnel interface when IPv4 networks communicate using the GRE tunnel.

        Run ip address ip-address { mask | mask-length } [ sub ]

        An IPv4 address is specified for the tunnel interface.

      • Specify an IPv6 address for the tunnel interface when IPv6 networks communicate using the GRE tunnel.

        Run ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

        An IPv6 address is specified for the tunnel interface.
        NOTE:

        Before specifying an IPv6 address for an interface, run the ipv6 command in the system view to enable IPv6 packet forwarding and run the ipv6 enable command on the interface to enable the IPv6 function.

    • Borrow an IP address.

      Run ip address unnumbered interface interface-type interface-number

      The tunnel interface is configured to borrow an IP address.

      NOTE:

      A tunnel interface cannot borrow an IPv6 address.

  11. (Optional) Run qos group qos-group-value

    A QoS group to which packets belong is configured.

    By default, packets do not belong to any QoS group.

    NOTE:
    • This command is effective for GRE and DSVPN protocol packets only. You can configure this command for other protocol packets, but the configuration does not take effect.
    • This command takes effect in the packet encapsulation process but not the packet decapsulation process. That is, the command takes effect only for incoming packets.
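
An added example, not part of the Huawei guide: a Python check that reads tunnel interface stanzas from a saved configuration and flags the constraints noted in the procedure (tunnels sharing a source and destination without a gre key, a tunnel used as its own source, a bridge-if source, a borrowed IP address that needs a route). The sample configuration, its addresses and interface numbers, and the function names are constructed for illustration; flagging every keyless tunnel in a shared source/destination pair is this example's reading of the gre key note.

```python
import re

# Constructed sample (documentation addresses); the stanza layout is assumed.
SAMPLE = """\
interface Tunnel0/0/1
 tunnel-protocol gre
 gre key plain 1001
 source 192.0.2.1
 destination 198.51.100.1
 ip address 10.1.1.1 255.255.255.252
interface Tunnel0/0/2
 tunnel-protocol gre
 source 192.0.2.1
 destination 198.51.100.1
 ip address 10.1.2.1 255.255.255.252
interface Tunnel0/0/3
 tunnel-protocol gre
 source Tunnel0/0/3
 destination 198.51.100.9
 ip address unnumbered interface LoopBack0
"""

def parse_tunnels(text):
    """Map each GRE tunnel interface name to its list of commands."""
    stanzas = re.findall(r"^interface (Tunnel\S+)\n((?:^ .*\n?)*)", text, re.M)
    tunnels = {name: [c.strip() for c in body.splitlines()] for name, body in stanzas}
    return {n: c for n, c in tunnels.items() if "tunnel-protocol gre" in c}

def arg(cmds, keyword):
    """Return the argument text of the first command starting with keyword."""
    return next((c[len(keyword):].strip() for c in cmds if c.startswith(keyword + " ")), None)

def audit(text):
    """Return (tunnel, finding) pairs for the constraints stated in the notes."""
    tunnels, findings, pairs = parse_tunnels(text), [], {}
    for name, cmds in tunnels.items():
        src = arg(cmds, "source") or ""
        pairs.setdefault((src, arg(cmds, "destination")), []).append(name)
        if src.lower() == name.lower():
            findings.append((name, "source is the tunnel's own interface"))
        if src.lower().startswith("bridge-if"):
            findings.append((name, "bridge-if interface used as source"))
        if arg(cmds, "ip address unnumbered"):
            findings.append((name, "borrowed IP address: configure a route to it"))
    for names in pairs.values():
        findings += [(n, "same source/destination as another tunnel but no gre key")
                     for n in names if len(names) > 1 and not arg(tunnels[n], "gre key")]
    return findings
```

Calling audit(SAMPLE) reports Tunnel0/0/2 for the missing gre key and Tunnel0/0/3 for the self-referencing source and the borrowed address; Tunnel0/0/1 passes.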

Updated: 2019-04-12

Document ID: EDOC1100041799
