CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Configuring an Ethernet over mGRE Tunnel

Networking Requirements

In Figure 2-16, a medium-sized enterprise has the headquarters (Hub) and two branches (Spoke1 and Spoke2) located in different areas. The Hub and Spoke subnets use Ethernet networks, and Spokes connect to the public network using dynamic addresses. The enterprise requires that the Hub and Spoke subnets can communicate over the public network.

Assume that the dynamic addresses obtained by Spoke1 and Spoke2 are 1.1.2.10 and 1.1.3.10, respectively.

Figure 2-16  Ethernet over mGRE tunnel

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure DSVPN to implement VPN interconnection between the Spokes because the Spokes connect to the public network using dynamic IP addresses and the Spokes do not know the public IP addresses of each other.

  2. Configure the non-shortcut mode because there are only two Spokes.

  3. Configure Ethernet over mGRE to enable communication between the Hub and Spoke subnets that are Ethernet networks.

Procedure

  1. Configure an IP address for each physical interface.

    # Configure an IP address for the interface on the Hub.

    <Huawei> system-view
    [Huawei] sysname Hub
    [Hub] interface gigabitethernet 1/0/0
    [Hub-GigabitEthernet1/0/0] ip address 1.1.1.10 255.255.255.0
    [Hub-GigabitEthernet1/0/0] quit
    

    # Configure an IP address for the interface on Spoke1.

    <Huawei> system-view
    [Huawei] sysname Spoke1
    [Spoke1] interface gigabitethernet 1/0/0
    [Spoke1-GigabitEthernet1/0/0] ip address 1.1.2.10 255.255.255.0
    [Spoke1-GigabitEthernet1/0/0] quit
    

    # Configure an IP address for the interface on Spoke2.

    <Huawei> system-view
    [Huawei] sysname Spoke2
    [Spoke2] interface gigabitethernet 1/0/0
    [Spoke2-GigabitEthernet1/0/0] ip address 1.1.3.10 255.255.255.0
    [Spoke2-GigabitEthernet1/0/0] quit
    

  2. Configure OSPF to ensure reachable routes between the routers over the public network.

    # Configure OSPF on the Hub.

    [Hub] ospf 2
    [Hub-ospf-2] area 0.0.0.1
    [Hub-ospf-2-area-0.0.0.1] network 1.1.1.0 0.0.0.255
    [Hub-ospf-2-area-0.0.0.1] quit
    [Hub-ospf-2] quit
    

    # Configure OSPF on Spoke1.

    [Spoke1] ospf 2
    [Spoke1-ospf-2] area 0.0.0.1
    [Spoke1-ospf-2-area-0.0.0.1] network 1.1.2.0 0.0.0.255
    [Spoke1-ospf-2-area-0.0.0.1] quit
    [Spoke1-ospf-2] quit
    

    # Configure OSPF on Spoke2.

    [Spoke2] ospf 2
    [Spoke2-ospf-2] area 0.0.0.1
    [Spoke2-ospf-2-area-0.0.0.1] network 1.1.3.0 0.0.0.255
    [Spoke2-ospf-2-area-0.0.0.1] quit
    [Spoke2-ospf-2] quit
    

  3. Configure tunnel interfaces and create mGRE tunnels.

    Configure tunnel interfaces on the Hub and Spokes and configure the static NHRP peer entry of the Hub on Spoke1 and Spoke2.

    # Configure a tunnel interface on the Hub.

    [Hub] interface tunnel 0/0/1
    [Hub-Tunnel0/0/1] tunnel-protocol gre p2mp
    [Hub-Tunnel0/0/1] ip address 10.16.1.1 255.255.255.0
    [Hub-Tunnel0/0/1] source gigabitethernet 1/0/0
    [Hub-Tunnel0/0/1] nhrp entry multicast dynamic
    [Hub-Tunnel0/0/1] quit
    

    # Configure a tunnel interface and a static NHRP peer entry of the Hub on Spoke1.

    [Spoke1] interface tunnel 0/0/1
    [Spoke1-Tunnel0/0/1] tunnel-protocol gre p2mp
    [Spoke1-Tunnel0/0/1] ip address 10.16.1.2 255.255.255.0
    [Spoke1-Tunnel0/0/1] source gigabitethernet 1/0/0
    [Spoke1-Tunnel0/0/1] nhrp entry 10.16.1.1 1.1.1.10 register
    [Spoke1-Tunnel0/0/1] quit
    

    # Configure a tunnel interface and a static NHRP peer entry of the Hub on Spoke2.

    [Spoke2] interface tunnel 0/0/1
    [Spoke2-Tunnel0/0/1] tunnel-protocol gre p2mp
    [Spoke2-Tunnel0/0/1] ip address 10.16.1.3 255.255.255.0
    [Spoke2-Tunnel0/0/1] source gigabitethernet 1/0/0
    [Spoke2-Tunnel0/0/1] nhrp entry 10.16.1.1 1.1.1.10 register
    [Spoke2-Tunnel0/0/1] quit
    

  4. Configure Ethernet over mGRE.

    # The configurations on Spoke1 and Spoke2 are the same as those on the Hub. The configuration on the Hub is used as an example.

    # Configure a Layer 2 VE interface VE0/0/2 and bind it to the LAN-side physical Ethernet interface GE2/0/0.

    [Hub] vlan 100
    [Hub-vlan100] quit
    [Hub] interface virtual-ethernet 0/0/2
    [Hub-Virtual-Ethernet0/0/2] portswitch
    [Hub-Virtual-Ethernet0/0/2] port link-type access
    [Hub-Virtual-Ethernet0/0/2] port default vlan 100
    [Hub-Virtual-Ethernet0/0/2] quit
    [Hub] interface gigabitethernet 2/0/0
    [Hub-GigabitEthernet2/0/0] map interface virtual-ethernet 0/0/2
    [Hub-GigabitEthernet2/0/0] quit
    

    # Configure a Layer 2 VE interface VE0/0/1 and bind it to the WAN-side tunnel interface Tunnel0/0/1.

    [Hub] interface virtual-ethernet 0/0/1
    [Hub-Virtual-Ethernet0/0/1] portswitch
    [Hub-Virtual-Ethernet0/0/1] port link-type trunk
    [Hub-Virtual-Ethernet0/0/1] port trunk allow-pass vlan 100
    [Hub-Virtual-Ethernet0/0/1] quit
    [Hub] interface tunnel 0/0/1
    [Hub-Tunnel0/0/1] map interface virtual-ethernet 0/0/1
    [Hub-Tunnel0/0/1] quit
    

  5. Verify the configuration.

    After the configurations are complete, check the NHRP peer entries on Spoke1 and Spoke2.

    # Run the display nhrp peer all command on Spoke1.

    [Spoke1] display nhrp peer all
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    10.16.1.1       32    1.1.1.10        10.16.1.1       hub          up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/1
    Created time    : 00:10:58
    Expire time     : --
    
    Number of nhrp peers: 1
    

    # Run the display nhrp peer all command on Spoke2.

    [Spoke2] display nhrp peer all
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    10.16.1.1       32    1.1.1.10        10.16.1.1       hub          up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/1
    Created time    : 00:07:55
    Expire time     : --
    
    Number of nhrp peers: 1
    
    NOTE:

    The output of the display nhrp peer all command indicates that only the static NHRP peer entry of the Hub is displayed on Spoke1 and Spoke2.

    On the Hub, check registration information about Spoke1 and Spoke2.

    # Run the display nhrp peer all command on the Hub.

    [Hub] display nhrp peer all
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    10.16.1.2       32    1.1.2.10        10.16.1.2       registered   up|unique
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/1
    Created time    : 00:02:02
    Expire time     : 01:57:58
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    10.16.1.3       32    1.1.3.10        10.16.1.3       registered   up|unique
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/1
    Created time    : 00:01:53
    Expire time     : 01:59:35
    
    Number of nhrp peers: 2
    

  6. Run the ping command and check the configuration result.

    The subnet addresses of the Hub, Spoke1, and Spoke2 can successfully ping each other. Spoke1 and Spoke2 can obtain the dynamic NHRP peer of each other.

    # Run the display nhrp peer all command on Spoke1.

    [Spoke1] display nhrp peer all
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    10.16.1.1       32    1.1.1.10        10.16.1.1       hub          up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/1
    Created time    : 00:46:35
    Expire time     : --
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    10.16.1.3       32    1.1.3.10        10.16.1.3       registered   up|unique
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/1
    Created time    : 00:00:28
    Expire time     : 01:59:32
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    10.16.1.2       32    1.1.2.10        10.16.1.2       local        up|unique
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/1
    Created time    : 00:00:28
    Expire time     : 01:59:32
    
    Number of nhrp peers: 3
    

    # Run the display nhrp peer all command on Spoke2.

    [Spoke2] display nhrp peer all
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    10.16.1.1       32    1.1.1.10        10.16.1.1       hub          up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/1
    Created time    : 00:43:32
    Expire time     : --
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    10.16.1.2       32    1.1.2.10        10.16.1.2       registered   up|unique
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/1
    Created time    : 00:00:47
    Expire time     : 01:59:13
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    10.16.1.3       32    1.1.3.10        10.16.1.3       local        up|unique
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/1
    Created time    : 00:00:47
    Expire time     : 01:59:13
    
    Number of nhrp peers: 3
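
The Hub in this example accepts spoke registrations dynamically, so the verification in steps 5 and 6 can be repeated as an audit of which tunnel addresses are actually present. The following Python is an added example, not part of the Huawei guide: it parses the `display nhrp peer all` output format shown above and compares it with an expected peer list; the function names and the sample (a constructed case where Spoke2 has not registered) are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample (step 5 Hub format): only Spoke1 has registered.
SAMPLE_HUB_OUTPUT = """\
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
10.16.1.2       32    1.1.2.10        10.16.1.2       registered   up|unique
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/1
Created time    : 00:02:02
Expire time     : 01:57:58

Number of nhrp peers: 1
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
ROW = re.compile(rf"^\s*{IP}\s+(\d+)\s+{IP}\s+{IP}\s+(\S+)\s+(\S+)\s*$")
FIELDS = ("protocol", "mask", "nbma", "nexthop", "type", "flag")

def parse_nhrp_peers(text):
    """Return (list of peer dicts, peer count reported by the device)."""
    peers, declared = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            peers.append(dict(zip(FIELDS, m.groups())))
        elif line.strip().startswith("Number of nhrp peers:"):
            declared = int(line.split(":")[1])
    return peers, declared

def audit(text, expected, tunnel_net="10.16.1.0/24"):
    """expected maps tunnel address -> Type column value; returns findings."""
    peers, declared = parse_nhrp_peers(text)
    net = ipaddress.ip_network(tunnel_net)
    out = [] if declared == len(peers) else [f"parsed {len(peers)}, device says {declared}"]
    for p in peers:
        addr = p["protocol"]
        if addr not in expected or ipaddress.ip_address(addr) not in net:
            out.append(f"unexpected peer {addr} via NBMA {p['nbma']}")
        elif p["type"] != expected[addr] or "up" not in p["flag"].split("|"):
            out.append(f"peer {addr}: type={p['type']} flag={p['flag']}")
    seen = {p["protocol"] for p in peers}
    out += [f"missing peer {a}" for a in sorted(expected) if a not in seen]
    return out

if __name__ == "__main__":
    print(audit(SAMPLE_HUB_OUTPUT, {"10.16.1.2": "registered", "10.16.1.3": "registered"}))
```

On a Spoke, the expected map would instead contain `{"10.16.1.1": "hub"}` plus whichever `registered` and `local` entries are anticipated after traffic has flowed.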
    

Configuration Files

  • Hub configuration file

    #
     sysname Hub
    #
    vlan batch 100
    # 
    interface GigabitEthernet1/0/0
     ip address 1.1.1.10 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     map interface Virtual-Ethernet0/0/2
    #
    interface Virtual-Ethernet0/0/1
     portswitch
     port link-type trunk
     port trunk allow-pass vlan 100
    #
    interface Virtual-Ethernet0/0/2
     portswitch
     port link-type access
     port default vlan 100
    #
    interface Tunnel0/0/1
     ip address 10.16.1.1 255.255.255.0
     tunnel-protocol gre p2mp
     source GigabitEthernet1/0/0
     map interface Virtual-Ethernet0/0/1
     nhrp entry multicast dynamic
    # 
    ospf 2
     area 0.0.0.1
      network 1.1.1.0 0.0.0.255
    return
    
  • Spoke1 configuration file

    #
     sysname Spoke1
    #
    vlan batch 100
    # 
    interface GigabitEthernet1/0/0
     ip address 1.1.2.10 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     map interface Virtual-Ethernet0/0/2
    #
    interface Virtual-Ethernet0/0/1
     portswitch
     port link-type trunk
     port trunk allow-pass vlan 100
    #
    interface Virtual-Ethernet0/0/2
     portswitch
     port link-type access
     port default vlan 100
    #
    interface Tunnel0/0/1
     ip address 10.16.1.2 255.255.255.0
     tunnel-protocol gre p2mp
     source GigabitEthernet1/0/0
     map interface Virtual-Ethernet0/0/1
     nhrp entry 10.16.1.1 1.1.1.10 register
    # 
    ospf 2
     area 0.0.0.1
      network 1.1.2.0 0.0.0.255
    # 
    return
    
  • Spoke2 configuration file

    #
     sysname Spoke2
    #
    vlan batch 100
    # 
    interface GigabitEthernet1/0/0
     ip address 1.1.3.10 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     map interface Virtual-Ethernet0/0/2
    #
    interface Virtual-Ethernet0/0/1
     portswitch
     port link-type trunk
     port trunk allow-pass vlan 100
    #
    interface Virtual-Ethernet0/0/2
     portswitch
     port link-type access
     port default vlan 100
    #
    interface Tunnel0/0/1
     ip address 10.16.1.3 255.255.255.0
     tunnel-protocol gre p2mp
     source GigabitEthernet1/0/0
     map interface Virtual-Ethernet0/0/1
     nhrp entry 10.16.1.1 1.1.1.10 register
    # 
    ospf 2
     area 0.0.0.1
      network 1.1.3.0 0.0.0.255
    # 
    return
    
Updated: 2019-04-12

Document ID: EDOC1100041799
