CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Configuring Dual Hubs in Active/Standby Mode

Networking Requirements

A large-scale enterprise has a central office (Hub1 and Hub2) and multiple branches located in different areas (this example shows only two Spokes, Spoke1 and Spoke2). The networks of the central office and the branches change frequently. The Spokes use dynamic addresses to connect to the public network. Open Shortest Path First (OSPF) is used on the enterprise network.

The enterprise wants to establish a VPN between the Spokes. Hub1 functions as the master device and Hub2 as the backup device. If Hub1 fails, Hub2 takes over the services and forwards protocol packets. When Hub1 recovers, services are switched back to Hub1.

Figure 3-22  Networking diagram for dual-Hub DSVPN configuration

Configuration Roadmap

The configuration roadmap is as follows:
  1. Because a Spoke uses a dynamic address to connect to the public network, it does not know the public IP address of the other Spoke. DSVPN is used to establish a VPN between the Spokes.

  2. The DSVPN shortcut scenario is used because the enterprise has a large number of branches.

  3. The networks of the central office and the branches change frequently. OSPF is deployed to provide connectivity between the Hubs and Spokes and to simplify maintenance.

  4. Dual-Hub DSVPN is implemented so that Hub2 provides redundant backup for Hub1.

Procedure

  1. Assign an IP address to each interface.

    Configure IP addresses for the interfaces of each Router.

    # Configure IP addresses for interfaces of Hub1.

    <Huawei> system-view
    [Huawei] sysname Hub1
    [Hub1] interface GigabitEthernet 1/0/0
    [Hub1-GigabitEthernet1/0/0] ip address 1.1.1.10 255.255.255.0
    [Hub1-GigabitEthernet1/0/0] quit
    [Hub1] interface tunnel 0/0/0
    [Hub1-Tunnel0/0/0] ip address 172.16.1.1 255.255.255.0
    [Hub1-Tunnel0/0/0] quit
    [Hub1] interface loopback 0
    [Hub1-LoopBack0] ip address 192.168.0.1 255.255.255.0
    [Hub1-LoopBack0] quit
    

    Configure IP addresses for the interfaces of Spoke1, Spoke2, and Hub2 as shown in Figure 3-22. The details are not described here.

  2. Configure routes between the Routers.

    Configure OSPF on each Router so that the routes to the public-network addresses of the other Routers are reachable.

    # Configure OSPF on Hub1.

    [Hub1] ospf 2 router-id 1.1.1.10
    [Hub1-ospf-2] area 0.0.0.1
    [Hub1-ospf-2-area-0.0.0.1] network 1.1.1.0 0.0.0.255
    [Hub1-ospf-2-area-0.0.0.1] quit
    [Hub1-ospf-2] quit
    

    # Configure OSPF on Hub2.

    [Hub2] ospf 2 router-id 1.1.254.10
    [Hub2-ospf-2] area 0.0.0.1
    [Hub2-ospf-2-area-0.0.0.1] network 1.1.254.0 0.0.0.255
    [Hub2-ospf-2-area-0.0.0.1] quit
    [Hub2-ospf-2] quit
    

    # Configure OSPF on Spoke1.

    [Spoke1] ospf 2 router-id 1.1.2.10
    [Spoke1-ospf-2] area 0.0.0.1
    [Spoke1-ospf-2-area-0.0.0.1] network 1.1.2.0 0.0.0.255
    [Spoke1-ospf-2-area-0.0.0.1] quit
    [Spoke1-ospf-2] quit
    

    # Configure OSPF on Spoke2.

    [Spoke2] ospf 2 router-id 1.1.3.10
    [Spoke2-ospf-2] area 0.0.0.1
    [Spoke2-ospf-2-area-0.0.0.1] network 1.1.3.0 0.0.0.255
    [Spoke2-ospf-2-area-0.0.0.1] quit
    [Spoke2-ospf-2] quit
    

  3. Configure basic OSPF functions.

    # Configure Hub1.

    [Hub1] ospf 1 router-id 172.16.1.1
    [Hub1-ospf-1] area 0.0.0.0
    [Hub1-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
    [Hub1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
    [Hub1-ospf-1-area-0.0.0.0] quit
    [Hub1-ospf-1] quit
    

    # Configure the basic OSPF functions on Hub2.

    [Hub2] ospf 1 router-id 172.16.1.254
    [Hub2-ospf-1] area 0.0.0.0
    [Hub2-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
    [Hub2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
    [Hub2-ospf-1-area-0.0.0.0] quit
    [Hub2-ospf-1] quit
    

    # Configure Spoke1.

    [Spoke1] ospf 1 router-id 172.16.1.2
    [Spoke1-ospf-1] area 0.0.0.0
    [Spoke1-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
    [Spoke1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
    [Spoke1-ospf-1-area-0.0.0.0] quit
    [Spoke1-ospf-1] quit
    

    # Configure Spoke2.

    [Spoke2] ospf 1 router-id 172.16.1.3
    [Spoke2-ospf-1] area 0.0.0.0
    [Spoke2-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
    [Spoke2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
    [Spoke2-ospf-1-area-0.0.0.0] quit
    [Spoke2-ospf-1] quit
    

  4. Configure tunnel interfaces.

    Configure the OSPF network type as Point-to-Multipoint (P2MP) on the Hubs and Spokes. Enable the NHRP redirect function on Hub1 and Hub2. Configure NHRP mapping entries for the Hubs and enable the NHRP shortcut function on Spoke1 and Spoke2.

    # Configure a tunnel interface and OSPF on Hub1 and enable the NHRP redirect function.
    [Hub1] interface tunnel 0/0/0
    [Hub1-Tunnel0/0/0] tunnel-protocol gre p2mp
    [Hub1-Tunnel0/0/0] source GigabitEthernet 1/0/0
    [Hub1-Tunnel0/0/0] nhrp entry multicast dynamic
    [Hub1-Tunnel0/0/0] ospf network-type p2mp
    [Hub1-Tunnel0/0/0] ospf cost 1000
    [Hub1-Tunnel0/0/0] nhrp redirect
    [Hub1-Tunnel0/0/0] quit
    
    # Configure a tunnel interface and OSPF on Hub2 and enable the NHRP redirect function.
    [Hub2] interface tunnel 0/0/0
    [Hub2-Tunnel0/0/0] tunnel-protocol gre p2mp
    [Hub2-Tunnel0/0/0] source GigabitEthernet 1/0/0
    [Hub2-Tunnel0/0/0] nhrp entry multicast dynamic
    [Hub2-Tunnel0/0/0] ospf network-type p2mp
    [Hub2-Tunnel0/0/0] ospf cost 3000
    [Hub2-Tunnel0/0/0] nhrp redirect
    [Hub2-Tunnel0/0/0] quit
    
    # Configure a tunnel interface, OSPF, and a static NHRP mapping entry of Hubs on Spoke1, and enable the NHRP shortcut function.
    [Spoke1] interface tunnel 0/0/0
    [Spoke1-Tunnel0/0/0] tunnel-protocol gre p2mp
    [Spoke1-Tunnel0/0/0] source GigabitEthernet 1/0/0
    [Spoke1-Tunnel0/0/0] nhrp entry 172.16.1.1 1.1.1.10 register
    [Spoke1-Tunnel0/0/0] nhrp entry 172.16.1.254 1.1.254.10 register
    [Spoke1-Tunnel0/0/0] ospf network-type p2mp
    [Spoke1-Tunnel0/0/0] nhrp shortcut
    [Spoke1-Tunnel0/0/0] nhrp registration interval 300
    [Spoke1-Tunnel0/0/0] quit
    
    # Configure a tunnel interface, OSPF, and a static NHRP mapping entry of Hubs on Spoke2, and enable the NHRP shortcut function.
    [Spoke2] interface tunnel 0/0/0
    [Spoke2-Tunnel0/0/0] tunnel-protocol gre p2mp
    [Spoke2-Tunnel0/0/0] source GigabitEthernet 1/0/0
    [Spoke2-Tunnel0/0/0] nhrp entry 172.16.1.1 1.1.1.10 register
    [Spoke2-Tunnel0/0/0] nhrp entry 172.16.1.254 1.1.254.10 register
    [Spoke2-Tunnel0/0/0] ospf network-type p2mp
    [Spoke2-Tunnel0/0/0] nhrp shortcut
    [Spoke2-Tunnel0/0/0] nhrp registration interval 300
    [Spoke2-Tunnel0/0/0] quit
    
    NOTE:
    • Configure different OSPF cost values on Hub1 and Hub2 so that the Spokes prefer Hub1 as the next-hop device.

    • When Hub1 recovers, it resumes forwarding OSPF protocol packets once it receives NHRP Registration Request packets from the Spokes. The Spokes learn routes to Hub1 only after the routes they have already learned age out. Set the interval for sending NHRP Registration Request packets to a suitable value so that the Spokes detect the recovery of Hub1 quickly. The default interval is 1800 seconds.

  5. Verify the configuration.

    After the preceding configurations are complete, check the NHRP mapping entries on the Spokes and Hubs. Spoke1 is used as an example.

    # Run the display nhrp peer all command on Spoke1.

    [Spoke1] display nhrp peer all
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    172.16.1.1      32    1.1.1.10        172.16.1.1      hub           up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/0
    Created time    : 05:35:50
    Expire time     : --
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    172.16.1.254    32    1.1.254.10      172.16.1.254    hub          up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/0
    Created time    : 04:32:49
    Expire time     : --
    
    Number of nhrp peers: 2
    
    NOTE:

    If you run the display nhrp peer all command on Spoke1 and Spoke2, you can see only the static NHRP mapping entries of the Hubs.

  6. Run the ping command and check the configuration result.

    Ping 192.168.2.1 from Spoke1. Afterwards you can see that Spoke1 and Spoke2 have learned dynamic NHRP mapping entries from each other.

    # Run the ping -a 192.168.1.1 192.168.2.1 command on a Spoke. Spoke1 is used as an example.

    [Spoke1] ping -a 192.168.1.1 192.168.2.1
      PING 192.168.2.1: 56  data bytes, press CTRL_C to break
        Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=3 ms
        Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
        Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
        Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
        Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms
    
      --- 192.168.2.1 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 2/2/3 ms
    
    

    # Run the display nhrp peer all command on Spoke1.

    [Spoke1] display nhrp peer all
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    172.16.1.1      32    1.1.1.10        172.16.1.1      hub          up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/0
    Created time    : 05:42:50
    Expire time     : --
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    172.16.1.254    32    1.1.254.10      172.16.1.254    hub          up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/0
    Created time    : 04:39:49
    Expire time     : --
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type           Flag
    -------------------------------------------------------------------------------
    192.168.2.1     32    1.1.3.10        172.16.1.3      remote-network up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/0
    Created time    : 00:00:19
    Expire time     : 01:59:41
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    172.16.1.3      32    1.1.3.10        172.16.1.3      remote       up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/0
    Created time    : 00:00:19
    Expire time     : 01:59:41
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    192.168.1.1     32    1.1.2.10        172.16.1.2      local        up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/0
    Created time    : 00:00:19
    Expire time     : 01:59:41
    
    Number of nhrp peers: 5
    

  7. Shut down the physical interface GE1/0/0 of Hub1.

    # Run the shutdown command on GE1/0/0 of Hub1.

    [Hub1] interface GigabitEthernet 1/0/0
    [Hub1-GigabitEthernet1/0/0] shutdown
    [Hub1-GigabitEthernet1/0/0] quit

  8. Run the ping command and check the configuration result.

    Ping 192.168.2.1 from Spoke1. Afterwards you can see that Spoke1 and Spoke2 have learned dynamic NHRP mapping entries from each other, now through Hub2.

    Before you run the ping command, ensure that no default route to Hub1 exists on the local device.

    # Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1.

    [Spoke1] ping -a 192.168.1.1 192.168.2.1
      PING 192.168.2.1: 56  data bytes, press CTRL_C to break
        Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=2 ms
        Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
        Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
        Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
        Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms
    
      --- 192.168.2.1 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 2/2/2 ms
    
    

    # Run the display nhrp peer all command on a Spoke. Spoke1 is used as an example.

    [Spoke1] display nhrp peer all
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    172.16.1.1      32    1.1.1.10        172.16.1.1      hub          down
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/0
    Created time    : 05:46:29
    Expire time     : --
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    172.16.1.254    32    1.1.254.10      172.16.1.254    hub          up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/0
    Created time    : 04:43:28
    Expire time     : --
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type           Flag
    -------------------------------------------------------------------------------
    192.168.2.1     32    1.1.3.10        172.16.1.3      remote-network up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/0
    Created time    : 00:00:22
    Expire time     : 01:59:38
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    172.16.1.3      32    1.1.3.10        172.16.1.3      remote       up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/0
    Created time    : 00:00:22
    Expire time     : 01:59:38
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    192.168.1.1     32    1.1.2.10        172.16.1.2      local        up
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/0
    Created time    : 00:00:22
    Expire time     : 01:59:38
    
    Number of nhrp peers: 5
    
    NOTE:

    Run the undo nhrp peer command to clear the NHRP mapping entries that already exist on the Spokes before running the ping command.
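The display nhrp peer all listings in step 5 (both Hubs up) and step 8 (Hub1 down, Hub2 up) are what an operator polls to notice a failover. The following parser and check are an added example, not part of the Huawei guide: it reads that output, marks which entries are static Hub registrations (Expire time "--") and classifies the Spoke's state. The sample output is constructed from the step 8 listing, and the Hub tunnel addresses 172.16.1.1 and 172.16.1.254 are the ones used in this example.

```python
import re
# Constructed sample, modelled on the Spoke1 output in step 8 after Hub1's GE1/0/0
# is shut down: the Hub1 entry is down, Hub2 is up, one dynamic shortcut entry remains.
SAMPLE = """\
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.1      32    1.1.1.10        172.16.1.1      hub          down
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 05:46:29
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.254    32    1.1.254.10      172.16.1.254    hub          up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 04:43:28
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type           Flag
-------------------------------------------------------------------------------
192.168.2.1     32    1.1.3.10        172.16.1.3      remote-network up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:22
Expire time     : 01:59:38

Number of nhrp peers: 3
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
PEER_RE = re.compile(rf"^{IPV4}\s+(\d+)\s+{IPV4}\s+{IPV4}\s+(\S+)\s+(up|down)$")

def parse_nhrp_peers(text):
    """Return one dict per entry of 'display nhrp peer all'; 'static' is True for
    registered (never-expiring) entries and False for dynamic shortcut entries."""
    peers = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PEER_RE.match(line)
        if m:
            peers.append({"proto": m[1], "mask": int(m[2]), "nbma": m[3], "nexthop": m[4],
                          "type": m[5], "flag": m[6], "static": None})
        elif line.startswith("Expire time") and peers:
            peers[-1]["static"] = line.split(":", 1)[1].strip() == "--"
    return peers

def hub_state(peers, hubs=("172.16.1.1", "172.16.1.254")):
    """Map each Hub tunnel address to its Flag, or 'missing' if no hub entry exists."""
    flags = {p["proto"]: p["flag"] for p in peers if p["type"] == "hub"}
    return {h: flags.get(h, "missing") for h in hubs}

def spoke_status(peers, primary="172.16.1.1", backup="172.16.1.254"):
    """'normal' while Hub1 is up, 'failover' when only Hub2 is up, else 'isolated'."""
    state = hub_state(peers, (primary, backup))
    if state[primary] == "up":
        return "normal"
    return "failover" if state[backup] == "up" else "isolated"
```

A "failover" result is the condition to alert on: traffic still flows, but only through the backup Hub.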

Configuration Files

  • Hub1 configuration file

    #
    sysname Hub1
    # 
    interface GigabitEthernet1/0/0
     ip address 1.1.1.10 255.255.255.0
    # 
    interface LoopBack0
     ip address 192.168.0.1 255.255.255.0
    # 
    interface Tunnel0/0/0
     ip address 172.16.1.1 255.255.255.0
     tunnel-protocol gre p2mp
     source GigabitEthernet1/0/0
     ospf cost 1000
     ospf network-type p2mp
     nhrp redirect
     nhrp entry multicast dynamic
    # 
    ospf 1 router-id 172.16.1.1
     area 0.0.0.0
      network 172.16.1.0 0.0.0.255
      network 192.168.0.0 0.0.0.255
    # 
    ospf 2 router-id 1.1.1.10
     area 0.0.0.1
      network 1.1.1.0 0.0.0.255
    # 
    return
    
  • Hub2 configuration file

    #
    sysname Hub2
    # 
    interface GigabitEthernet1/0/0
     ip address 1.1.254.10 255.255.255.0
    # 
    interface LoopBack0
     ip address 192.168.0.2 255.255.255.0
    # 
    interface Tunnel0/0/0
     ip address 172.16.1.254 255.255.255.0
     tunnel-protocol gre p2mp
     source GigabitEthernet1/0/0
     ospf cost 3000
     ospf network-type p2mp
     nhrp redirect
     nhrp entry multicast dynamic
    # 
    ospf 1 router-id 172.16.1.254
     area 0.0.0.0
      network 172.16.1.0 0.0.0.255
      network 192.168.0.0 0.0.0.255
    # 
    ospf 2 router-id 1.1.254.10
     area 0.0.0.1
      network 1.1.254.0 0.0.0.255
    # 
    return
    
  • Spoke1 configuration file

    #
    sysname Spoke1
    # 
    interface GigabitEthernet1/0/0
     ip address 1.1.2.10 255.255.255.0
    # 
    interface LoopBack0
     ip address 192.168.1.1 255.255.255.0
    # 
    interface Tunnel0/0/0
     ip address 172.16.1.2 255.255.255.0
     tunnel-protocol gre p2mp
     source GigabitEthernet1/0/0
     ospf network-type p2mp
     nhrp shortcut
     nhrp registration interval 300
     nhrp entry 172.16.1.254 1.1.254.10 register
     nhrp entry 172.16.1.1 1.1.1.10 register
    # 
    ospf 1 router-id 172.16.1.2
     area 0.0.0.0
      network 172.16.1.0 0.0.0.255
      network 192.168.1.0 0.0.0.255
    # 
    ospf 2 router-id 1.1.2.10
     area 0.0.0.1
      network 1.1.2.0 0.0.0.255
    # 
    return
    
  • Spoke2 configuration file

    #
    sysname Spoke2
    # 
    interface GigabitEthernet1/0/0
     ip address 1.1.3.10 255.255.255.0
    # 
    interface LoopBack0
     ip address 192.168.2.1 255.255.255.0
    # 
    interface Tunnel0/0/0
     ip address 172.16.1.3 255.255.255.0
     tunnel-protocol gre p2mp
     source GigabitEthernet1/0/0
     ospf network-type p2mp
     nhrp shortcut
     nhrp registration interval 300
     nhrp entry 172.16.1.254 1.1.254.10 register
     nhrp entry 172.16.1.1 1.1.1.10 register
    # 
    ospf 1 router-id 172.16.1.3
     area 0.0.0.0
      network 172.16.1.0 0.0.0.255
      network 192.168.2.0 0.0.0.255
    # 
    ospf 2 router-id 1.1.3.10
     area 0.0.0.1
      network 1.1.3.0 0.0.0.255
    # 
    return
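An added audit script, not part of the Huawei guide, that checks the tunnel-interface settings the step 4 NOTEs rely on: Hub1's OSPF cost must be lower than Hub2's, both Hubs need nhrp redirect for the shortcut scenario, and every Spoke needs nhrp shortcut, a registered entry for each Hub, and a registration interval short enough to detect the recovery of Hub1. The excerpts are constructed from the configuration files above, the 600-second threshold is an assumption, and the Spoke2 excerpt is deliberately left incomplete so that the audit reports findings.

```python
# Constructed tunnel-interface excerpts modelled on the configuration files above;
# Spoke2 is deliberately left without the registration interval and the Hub1 entry.
CONFIGS = {
    "Hub1": "interface Tunnel0/0/0\n ospf cost 1000\n ospf network-type p2mp\n"
            " nhrp redirect\n nhrp entry multicast dynamic\n#\nreturn",
    "Hub2": "interface Tunnel0/0/0\n ospf cost 3000\n ospf network-type p2mp\n"
            " nhrp redirect\n nhrp entry multicast dynamic\n#\nreturn",
    "Spoke1": "interface Tunnel0/0/0\n ospf network-type p2mp\n nhrp shortcut\n"
              " nhrp registration interval 300\n"
              " nhrp entry 172.16.1.254 1.1.254.10 register\n"
              " nhrp entry 172.16.1.1 1.1.1.10 register\n#\nreturn",
    "Spoke2": "interface Tunnel0/0/0\n ospf network-type p2mp\n nhrp shortcut\n"
              " nhrp entry 172.16.1.254 1.1.254.10 register\n#\nreturn",
}
HUBS = {"Hub1": "172.16.1.1", "Hub2": "172.16.1.254"}  # Hub name -> tunnel address
DEFAULT_INTERVAL = 1800  # default NHRP registration interval given in the step 4 NOTE

def tunnel_lines(cfg):
    """Stripped lines of the first 'interface Tunnel' block, up to the closing '#'."""
    out, inside = [], False
    for line in cfg.splitlines():
        if line.startswith("interface Tunnel"):
            inside = True
        elif inside and line.strip() == "#":
            break
        elif inside:
            out.append(line.strip())
    return out

def first_int(lines, prefix):
    """Integer argument of the first line starting with prefix, or None."""
    for ln in lines:
        if ln.startswith(prefix):
            return int(ln[len(prefix):].split()[0])
    return None

def audit(configs, primary="Hub1", backup="Hub2", max_interval=600):
    """Return findings as strings; an empty list means the dual-Hub design holds."""
    findings, cost = [], {}
    for name, cfg in configs.items():
        lines = tunnel_lines(cfg)
        if name in (primary, backup):
            cost[name] = first_int(lines, "ospf cost ")
            if "nhrp redirect" not in lines:
                findings.append(f"{name}: nhrp redirect missing (required for the shortcut scenario)")
            continue
        if "nhrp shortcut" not in lines:
            findings.append(f"{name}: nhrp shortcut missing")
        for hub, addr in HUBS.items():
            if not any(ln.startswith(f"nhrp entry {addr} ") and ln.endswith(" register") for ln in lines):
                findings.append(f"{name}: no registered NHRP entry for {hub} ({addr})")
        interval = first_int(lines, "nhrp registration interval ") or DEFAULT_INTERVAL
        if interval > max_interval:
            findings.append(f"{name}: registration interval {interval}s slows detection of Hub1 recovery")
    if None in (cost.get(primary), cost.get(backup)) or cost[primary] >= cost[backup]:
        findings.append(f"{primary} OSPF cost {cost.get(primary)} must be lower than {backup} cost {cost.get(backup)}")
    return findings
```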
    
Updated: 2019-04-12

Document ID: EDOC1100041799