NE40E V800R010C10SPC500 Configuration Guide - User Access 01


Example for Configuring an L2TP Tunnel on a VPN for User Access

This section provides an example for configuring an L2TP tunnel on a VPN for user access, including the networking requirements, configuration roadmap, configuration procedure, and configuration files.

Networking Requirements

The network is shown in Figure 10-14. To save public network addresses, the carrier expects to use private network addresses instead of public network addresses to establish L2TP tunnels.

Figure 10-14 Networking for configuring an L2TP tunnel on a VPN for user access
NOTE:

Interfaces 1 through 3 in this example are GE 1/0/1, GE 2/0/0.100, and GE 1/0/2, respectively.



Device    Tunnel Interface    IP Address      Loopback Interface    IP Address
DeviceA   GE 1/0/1            10.0.0.1/24     Loopback 0            1.1.1.1
DeviceB   GE 1/0/1            10.0.0.2/24     Loopback 0            3.3.3.3
DeviceB   GE 1/0/2            10.10.0.2/24    Loopback 1            4.4.4.4
DeviceC   GE 1/0/1            10.10.0.1/24    Loopback 1            2.2.2.2

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the dial-up connection at the user side.

  2. Configure the LAC.

  3. Configure the LNS.

Data Preparation

To complete the configuration, you need the following data:

  • User names and passwords of PC1 and PC2

  • Tunnel password, tunnel name on the LNS, and tunnel name on the LAC

  • VPN instance name

  • Numbers of virtual templates and L2TP groups

  • Number, range, and mask of the remote address pool

Procedure

  1. Configure the user side.

    Create a dial-up connection, dial the access number specified on Device A, and receive the address assigned by the LNS.

    Enter the user name user1@isp1 and the password (already registered on the LNS) in the displayed dial-up terminal window on PC1.

    Enter the user name user1@isp2 and the password (already registered on the LNS) in the displayed dial-up terminal window on PC2.

  2. Configure Device A (LAC).

    # Configure virtual template 1.

    <Device> system-view
    [~Device] sysname DeviceA
    [*DeviceA] interface virtual-template 1
    [*DeviceA-Virtual-Template1] ppp authentication-mode chap
    [*DeviceA-Virtual-Template1] commit
    [~DeviceA-Virtual-Template1] quit

    # Bind virtual template 1 to GE 2/0/0.100.

    [~DeviceA] interface gigabitethernet 2/0/0.100
    [*DeviceA-GigabitEthernet2/0/0.100] pppoe-server bind virtual-template 1
    [*DeviceA-GigabitEthernet2/0/0.100] user-vlan 1 100
    [*DeviceA-GigabitEthernet2/0/0.100-vlan-1-100] commit
    [~DeviceA-GigabitEthernet2/0/0.100-vlan-1-100] quit

    # Configure a BAS interface.

    [~DeviceA-GigabitEthernet2/0/0.100] bas
    [*DeviceA-GigabitEthernet2/0/0.100-bas] access-type layer2-subscriber
    [*DeviceA-GigabitEthernet2/0/0.100-bas] authentication-method ppp
    [*DeviceA-GigabitEthernet2/0/0.100-bas] commit
    [~DeviceA-GigabitEthernet2/0/0.100-bas] quit
    [~DeviceA-GigabitEthernet2/0/0.100] quit

    # Create a VPN instance.

    [~DeviceA] ip vpn-instance vrf1
    [*DeviceA-vpn-instance-vrf1] route-distinguisher 100:1
    [*DeviceA-vpn-instance-vrf1] vpn-target 100:1 both
    [*DeviceA-vpn-instance-vrf1] commit
    [~DeviceA-vpn-instance-vrf1] quit

    # Bind the LAC interface connected to the LNS to the VPN instance.

    [~DeviceA] interface gigabitethernet1/0/1
    [*DeviceA-GigabitEthernet1/0/1] ip binding vpn-instance vrf1
    [*DeviceA-GigabitEthernet1/0/1] ip address 10.0.0.1 255.255.255.0
    [*DeviceA-GigabitEthernet1/0/1] commit
    [~DeviceA-GigabitEthernet1/0/1] quit

    # Create Loopback 0.

    [~DeviceA] interface loopback0
    [*DeviceA-LoopBack0] ip binding vpn-instance vrf1
    [*DeviceA-LoopBack0] ip address 1.1.1.1 255.255.255.255
    [*DeviceA-LoopBack0] commit
    [~DeviceA-LoopBack0] quit

    # Configure an L2TP group and related attributes of the L2TP group.

    [~DeviceA] l2tp enable
    [~DeviceA] l2tp-group lac1
    [*DeviceA-l2tp-lac1] tunnel name lac1
    [*DeviceA-l2tp-lac1] start l2tp ip 3.3.3.3
    [*DeviceA-l2tp-lac1] tunnel authentication
    [*DeviceA-l2tp-lac1] tunnel password simple 1qaz#EDC
    [*DeviceA-l2tp-lac1] tunnel source loopback0
    [*DeviceA-l2tp-lac1] commit
    [~DeviceA-l2tp-lac1] quit

    # Configure the RADIUS server on LAC 1.

    [~DeviceA] radius-server group radius1
    [*DeviceA-radius-radius1] radius-server authentication 10.0.0.249 1812
    [*DeviceA-radius-radius1] radius-server accounting 10.0.0.249 1813
    [*DeviceA-radius-radius1] radius-server shared-key itellin
    [*DeviceA-radius-radius1] commit
    [~DeviceA-radius-radius1] quit

    # Configure the domain to which the user belongs on LAC 1.

    [~DeviceA] aaa
    [*DeviceA-aaa] domain isp1
    [*DeviceA-aaa-domain-isp1] l2tp-group lac1
    [*DeviceA-aaa-domain-isp1] radius-server group radius1
    [*DeviceA-aaa-domain-isp1] authentication-scheme default1
    [*DeviceA-aaa-domain-isp1] accounting-scheme default1
    [*DeviceA-aaa-domain-isp1] commit
    [~DeviceA-aaa-domain-isp1] quit
    [~DeviceA-aaa] quit

    # Configure routes.

    [~DeviceA] ip route-static vpn-instance vrf1 3.3.3.3 255.255.255.255 10.0.0.2
    [*DeviceA] commit

  3. Configure Device C (LAC).

    # Configure virtual template 1.

    <Device> system-view
    [~Device] sysname DeviceC
    [*DeviceC] interface virtual-template 1
    [*DeviceC-Virtual-Template1] ppp authentication-mode chap
    [*DeviceC-Virtual-Template1] commit
    [~DeviceC-Virtual-Template1] quit

    # Bind virtual template 1 to GE 2/0/0.100.

    [~DeviceC] interface gigabitethernet 2/0/0.100
    [*DeviceC-GigabitEthernet2/0/0.100] pppoe-server bind virtual-template 1
    [*DeviceC-GigabitEthernet2/0/0.100] user-vlan 1 100
    [*DeviceC-GigabitEthernet2/0/0.100-vlan-1-100] commit
    [~DeviceC-GigabitEthernet2/0/0.100-vlan-1-100] quit

    # Configure a BAS interface.

    [~DeviceC-GigabitEthernet2/0/0.100] bas
    [*DeviceC-GigabitEthernet2/0/0.100-bas] access-type layer2-subscriber
    [*DeviceC-GigabitEthernet2/0/0.100-bas] authentication-method ppp
    [*DeviceC-GigabitEthernet2/0/0.100-bas] commit
    [~DeviceC-GigabitEthernet2/0/0.100-bas] quit
    [~DeviceC-GigabitEthernet2/0/0.100] quit

    # Create a VPN instance.

    [~DeviceC] ip vpn-instance vrf2
    [*DeviceC-vpn-instance-vrf2] route-distinguisher 100:2
    [*DeviceC-vpn-instance-vrf2] vpn-target 100:2 both
    [*DeviceC-vpn-instance-vrf2] commit
    [~DeviceC-vpn-instance-vrf2] quit

    # Bind the LAC interface connected to the LNS to the VPN instance.

    [~DeviceC] interface gigabitethernet1/0/1
    [*DeviceC-GigabitEthernet1/0/1] ip binding vpn-instance vrf2
    [*DeviceC-GigabitEthernet1/0/1] ip address 10.10.0.1 255.255.255.0
    [*DeviceC-GigabitEthernet1/0/1] commit
    [~DeviceC-GigabitEthernet1/0/1] quit

    # Create Loopback 1.

    [~DeviceC] interface loopback1
    [*DeviceC-LoopBack1] ip binding vpn-instance vrf2
    [*DeviceC-LoopBack1] ip address 2.2.2.2 255.255.255.255
    [*DeviceC-LoopBack1] commit
    [~DeviceC-LoopBack1] quit

    # Configure an L2TP group and related attributes of the L2TP group.

    [~DeviceC] l2tp enable
    [~DeviceC] l2tp-group lac2
    [*DeviceC-l2tp-lac2] tunnel name lac2
    [*DeviceC-l2tp-lac2] start l2tp ip 4.4.4.4
    [*DeviceC-l2tp-lac2] tunnel authentication
    [*DeviceC-l2tp-lac2] tunnel password simple 1qaz#EDC
    [*DeviceC-l2tp-lac2] tunnel source loopback1
    [*DeviceC-l2tp-lac2] commit
    [~DeviceC-l2tp-lac2] quit

    # Configure the RADIUS server on LAC 2.

    [~DeviceC] radius-server group radius1
    [*DeviceC-radius-radius1] radius-server authentication 10.10.0.249 1812
    [*DeviceC-radius-radius1] radius-server accounting 10.10.0.249 1813
    [*DeviceC-radius-radius1] radius-server shared-key itellin
    [*DeviceC-radius-radius1] commit
    [~DeviceC-radius-radius1] quit

    # Configure the domain to which the user belongs on LAC 2.

    [~DeviceC] aaa
    [*DeviceC-aaa] domain isp2
    [*DeviceC-aaa-domain-isp2] l2tp-group lac2
    [*DeviceC-aaa-domain-isp2] radius-server group radius1
    [*DeviceC-aaa-domain-isp2] authentication-scheme default1
    [*DeviceC-aaa-domain-isp2] accounting-scheme default1
    [*DeviceC-aaa-domain-isp2] commit
    [~DeviceC-aaa-domain-isp2] quit
    [~DeviceC-aaa] quit

    # Configure routes.

    [~DeviceC] ip route-static vpn-instance vrf2 4.4.4.4 255.255.255.255 10.10.0.2
    [*DeviceC] commit

  4. Configure Device B (LNS).

    # Create two VPN instances.

    [~DeviceB] ip vpn-instance vrf1
    [*DeviceB-vpn-instance-vrf1] route-distinguisher 100:1
    [*DeviceB-vpn-instance-vrf1] vpn-target 100:1 both
    [*DeviceB-vpn-instance-vrf1] commit
    [~DeviceB-vpn-instance-vrf1] quit
    [~DeviceB] ip vpn-instance vrf2
    [*DeviceB-vpn-instance-vrf2] route-distinguisher 100:2
    [*DeviceB-vpn-instance-vrf2] vpn-target 100:2 both
    [*DeviceB-vpn-instance-vrf2] commit
    [~DeviceB-vpn-instance-vrf2] quit

    # Create two interfaces.

    [~DeviceB] interface gigabitethernet1/0/1
    [*DeviceB-GigabitEthernet1/0/1] ip binding vpn-instance vrf1
    [*DeviceB-GigabitEthernet1/0/1] ip address 10.0.0.2 255.255.255.0
    [*DeviceB-GigabitEthernet1/0/1] commit
    [~DeviceB-GigabitEthernet1/0/1] quit
    [~DeviceB] interface gigabitethernet1/0/2
    [*DeviceB-GigabitEthernet1/0/2] ip binding vpn-instance vrf2
    [*DeviceB-GigabitEthernet1/0/2] ip address 10.10.0.2 255.255.255.0
    [*DeviceB-GigabitEthernet1/0/2] commit
    [~DeviceB-GigabitEthernet1/0/2] quit

    # Create loopback interfaces.

    [~DeviceB] interface loopback0
    [*DeviceB-LoopBack0] ip binding vpn-instance vrf1
    [*DeviceB-LoopBack0] ip address 3.3.3.3 255.255.255.255
    [*DeviceB-LoopBack0] commit
    [~DeviceB-LoopBack0] quit
    [~DeviceB] interface loopback1
    [*DeviceB-LoopBack1] ip binding vpn-instance vrf2
    [*DeviceB-LoopBack1] ip address 4.4.4.4 255.255.255.255
    [*DeviceB-LoopBack1] commit
    [~DeviceB-LoopBack1] quit

    # Create virtual template 1.

    [~DeviceB] interface virtual-template 1
    [*DeviceB-Virtual-Template1] ppp authentication-mode chap
    [*DeviceB-Virtual-Template1] commit
    [~DeviceB-Virtual-Template1] quit

    # Enable L2TP and configure L2TP groups.

    [~DeviceB] l2tp enable
    [~DeviceB] l2tp-group lns1
    [*DeviceB-l2tp-lns1] tunnel name lns1
    [*DeviceB-l2tp-lns1] allow l2tp virtual-template 1 remote lac1
    [*DeviceB-l2tp-lns1] tunnel authentication
    [*DeviceB-l2tp-lns1] tunnel password simple 1qaz#EDC
    [*DeviceB-l2tp-lns1] commit
    [~DeviceB-l2tp-lns1] quit
    [~DeviceB] l2tp-group lns2
    [*DeviceB-l2tp-lns2] tunnel name lns2
    [*DeviceB-l2tp-lns2] allow l2tp virtual-template 1 remote lac2
    [*DeviceB-l2tp-lns2] tunnel authentication
    [*DeviceB-l2tp-lns2] tunnel password simple 1qaz#EDC
    [*DeviceB-l2tp-lns2] commit
    [~DeviceB-l2tp-lns2] quit

    # Create LNS group 1, and bind the tunnel board and the interfaces to the LNS group.

    [~DeviceB] lns-group group1
    [*DeviceB-lns-group-group1] bind slot 1 
    [*DeviceB-lns-group-group1] bind source LoopBack0
    [*DeviceB-lns-group-group1] bind source LoopBack1
    [*DeviceB-lns-group-group1] commit
    [~DeviceB-lns-group-group1] quit

    # Configure the address pool used to assign addresses to users.

    [~DeviceB] ip pool pool1 bas local
    [*DeviceB-ip-pool-pool1] gateway 210.10.0.1 255.255.255.0
    [*DeviceB-ip-pool-pool1] section 0 210.10.0.10 210.10.0.100
    [*DeviceB-ip-pool-pool1] commit
    [~DeviceB-ip-pool-pool1] quit
    [~DeviceB] ip pool pool2 bas local
    [*DeviceB-ip-pool-pool2] gateway 155.10.0.1 255.255.255.0
    [*DeviceB-ip-pool-pool2] section 0 155.10.0.10 155.10.0.100
    [*DeviceB-ip-pool-pool2] commit
    [~DeviceB-ip-pool-pool2] quit

    # Configure the RADIUS server.

    [~DeviceB] radius-server group radius1
    [*DeviceB-radius-radius1] radius-server authentication 20.20.20.1 1812
    [*DeviceB-radius-radius1] radius-server accounting 20.20.20.1 1813
    [*DeviceB-radius-radius1] radius-server shared-key itellin
    [*DeviceB-radius-radius1] commit
    [~DeviceB-radius-radius1] quit

    # Configure the domain to which the user belongs.

    [~DeviceB] aaa
    [*DeviceB-aaa] domain isp1
    [*DeviceB-aaa-domain-isp1] radius-server group radius1
    [*DeviceB-aaa-domain-isp1] authentication-scheme default1
    [*DeviceB-aaa-domain-isp1] accounting-scheme default1
    [*DeviceB-aaa-domain-isp1] ip-pool pool1
    [*DeviceB-aaa-domain-isp1] commit
    [~DeviceB-aaa-domain-isp1] quit
    [~DeviceB-aaa] domain isp2
    [*DeviceB-aaa-domain-isp2] radius-server group radius1
    [*DeviceB-aaa-domain-isp2] authentication-scheme default1
    [*DeviceB-aaa-domain-isp2] accounting-scheme default1
    [*DeviceB-aaa-domain-isp2] ip-pool pool2
    [*DeviceB-aaa-domain-isp2] commit
    [~DeviceB-aaa-domain-isp2] quit
    [~DeviceB-aaa] quit

    # Configure routes.

    [~DeviceB] ip route-static vpn-instance vrf1 1.1.1.1 255.255.255.255 10.0.0.1
    [*DeviceB] ip route-static vpn-instance vrf2 2.2.2.2 255.255.255.255 10.10.0.1
    [*DeviceB] commit

  5. Verify the configuration.

    [~DeviceA] ping -vpn-instance vrf1 3.3.3.3
    PING 3.3.3.3: 56  data bytes, press CTRL_C to break                           
        Reply from 3.3.3.3: bytes=56 Sequence=1 ttl=255 time=12 ms                  
        Reply from 3.3.3.3: bytes=56 Sequence=2 ttl=255 time=10 ms                  
        Reply from 3.3.3.3: bytes=56 Sequence=3 ttl=255 time=5 ms                   
        Reply from 3.3.3.3: bytes=56 Sequence=4 ttl=255 time=8 ms                   
                                                                                    
      --- 3.3.3.3 ping statistics ---                                               
        4 packet(s) transmitted                                                     
        4 packet(s) received                                                        
        0.00% packet loss                                                           
        round-trip min/avg/max = 5/8/12 ms                           
    [~DeviceC] ping -vpn-instance vrf2 4.4.4.4
    PING 4.4.4.4: 56  data bytes, press CTRL_C to break                           
        Reply from 4.4.4.4: bytes=56 Sequence=1 ttl=255 time=12 ms                  
        Reply from 4.4.4.4: bytes=56 Sequence=2 ttl=255 time=10 ms                  
        Reply from 4.4.4.4: bytes=56 Sequence=3 ttl=255 time=5 ms                   
        Reply from 4.4.4.4: bytes=56 Sequence=4 ttl=255 time=8 ms                   
                                                                                    
      --- 4.4.4.4 ping statistics ---                                               
        4 packet(s) transmitted                                                     
        4 packet(s) received                                                        
        0.00% packet loss                                                           
        round-trip min/avg/max = 5/8/12 ms                           
    [~DeviceA] test l2tp-tunnel l2tp-group lac1 ip-address 3.3.3.3
    Testing L2TP tunnel connectivity now....... 
    Test L2TP tunnel connectivity success.
    [~DeviceC] test l2tp-tunnel l2tp-group lac2 ip-address 4.4.4.4
    Testing L2TP tunnel connectivity now....... 
    Test L2TP tunnel connectivity success.

Configuration Files

  • Configuration file of Device A

    #
     sysname DeviceA
    #
     l2tp enable
    #
    radius-server group radius1
     radius-server authentication 10.0.0.249 1812 
     radius-server accounting 10.0.0.249 1813 
     radius-server shared-key itellin
    #
    interface Virtual-Template1
     ppp authentication-mode chap
    #
    interface GigabitEthernet2/0/0.100
     undo shutdown
     pppoe-server bind Virtual-Template 1
     user-vlan 1 100
     bas
      access-type layer2-subscriber
    #
    ip vpn-instance vrf1
     route-distinguisher 100:1
     vpn-target 100:1 export-extcommunity
     vpn-target 100:1 import-extcommunity
    #
    interface LoopBack0
     ip binding vpn-instance vrf1
     ip address 1.1.1.1 255.255.255.255
    #
    l2tp-group lac1
     tunnel password simple 1qaz#EDC
     tunnel name lac1
     start l2tp ip 3.3.3.3
     tunnel source LoopBack0
    #
    aaa
     domain isp1
      authentication-scheme default1
      accounting-scheme default1
      radius-server group radius1
      l2tp-group lac1
    #
    interface GigabitEthernet1/0/1
     undo shutdown
     ip binding vpn-instance vrf1
     ip address 10.0.0.1 255.255.255.0
    #
     ip route-static vpn-instance vrf1 3.3.3.3 255.255.255.255 10.0.0.2
    #
    return

  • Configuration file of Device C

    #
     sysname DeviceC
    #
     l2tp enable
    #
    radius-server group radius1
     radius-server authentication 10.10.0.249 1812 
     radius-server accounting 10.10.0.249 1813 
     radius-server shared-key itellin
    #
    interface Virtual-Template1
     ppp authentication-mode chap
    #
    interface GigabitEthernet2/0/0.100
     undo shutdown
     pppoe-server bind Virtual-Template 1
     user-vlan 1 100
     bas
      access-type layer2-subscriber
    #
    ip vpn-instance vrf2
     route-distinguisher 100:2
     vpn-target 100:2 export-extcommunity
     vpn-target 100:2 import-extcommunity
    #
    interface LoopBack1
     ip binding vpn-instance vrf2
     ip address 2.2.2.2 255.255.255.255
    #
    l2tp-group lac2
     tunnel password simple 1qaz#EDC
     tunnel name lac2
     start l2tp ip 4.4.4.4
     tunnel source LoopBack1
    #
    aaa
     domain isp2
      authentication-scheme default1
      accounting-scheme default1
      radius-server group radius1
      l2tp-group lac2
    #
    interface GigabitEthernet1/0/1
     undo shutdown
     ip binding vpn-instance vrf2
     ip address 10.10.0.1 255.255.255.0
    #
     ip route-static vpn-instance vrf2 4.4.4.4 255.255.255.255 10.10.0.2
    #
    return

  • Configuration file of Device B

    #
     sysname DeviceB
    #
     l2tp enable
    #
    radius-server group radius1
     radius-server authentication 20.20.20.1 1812 
     radius-server accounting 20.20.20.1 1813 
     radius-server shared-key itellin
    #
    interface Virtual-Template1
     ppp authentication-mode chap
    #
    ip vpn-instance vrf1
     route-distinguisher 100:1
     vpn-target 100:1 export-extcommunity
     vpn-target 100:1 import-extcommunity
    #
    ip vpn-instance vrf2
     route-distinguisher 100:2
     vpn-target 100:2 export-extcommunity
     vpn-target 100:2 import-extcommunity
    #
    interface LoopBack0
     ip binding vpn-instance vrf1
     ip address 3.3.3.3 255.255.255.255
    #
    interface LoopBack1
     ip binding vpn-instance vrf2
     ip address 4.4.4.4 255.255.255.255
    #
    l2tp-group lns1
     allow l2tp virtual-template 1 remote lac1
     tunnel password simple 1qaz#EDC
     tunnel name lns1
    #
    l2tp-group lns2
     allow l2tp virtual-template 1 remote lac2
     tunnel password simple 1qaz#EDC
     tunnel name lns2
    #
    lns-group group1
     bind slot 1 
     bind source LoopBack0
     bind source LoopBack1
    #
    ip pool pool1 bas local
     gateway 210.10.0.1 255.255.255.0
     section 0 210.10.0.10 210.10.0.100
    #
    ip pool pool2 bas local
     gateway 155.10.0.1 255.255.255.0
     section 0 155.10.0.10 155.10.0.100
    #
    aaa
     domain isp1
      radius-server group radius1
      authentication-scheme default1
      accounting-scheme default1
      ip-pool pool1
     domain isp2
      radius-server group radius1
      authentication-scheme default1
      accounting-scheme default1
      ip-pool pool2
    #
    interface GigabitEthernet1/0/1
     undo shutdown
     ip binding vpn-instance vrf1
     ip address 10.0.0.2 255.255.255.0
    #
    interface GigabitEthernet1/0/2
     undo shutdown
     ip binding vpn-instance vrf2
     ip address 10.10.0.2 255.255.255.0
    #
     ip route-static vpn-instance vrf1 1.1.1.1 255.255.255.255 10.0.0.1
     ip route-static vpn-instance vrf2 2.2.2.2 255.255.255.255 10.10.0.1
    #
    return
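
On a LAC, the tunnel in this example comes up only when the tunnel source loopback, the VPN instance definition, and the static route to the LNS address all refer to the same VPN instance. The Python check below is an added example, not part of the Huawei guide: audit(), SAMPLE_LAC and the finding texts are illustrative names, the sample file is constructed, and only static routes are considered as a path to the LNS. It also reports tunnel password simple and radius-server shared-key lines, which leave the secret readable in the saved configuration file.

```python
import ipaddress
import re

# Constructed sample LAC file. Deliberate mistakes: the loopback is bound to an
# undefined vrf1, while the route to the LNS is in vrf2.
SAMPLE_LAC = """\
#
ip vpn-instance vrf2
#
interface LoopBack0
 ip binding vpn-instance vrf1
 ip address 2.2.2.2 255.255.255.255
#
l2tp-group lac2
 tunnel password simple EXAMPLE-ONLY
 start l2tp ip 4.4.4.4
 tunnel source LoopBack0
#
 ip route-static vpn-instance vrf2 4.4.4.4 255.255.255.255 10.10.0.2
"""


def audit(config):
    """Return findings for one device's saved configuration text."""
    vrfs, if_vrf, groups, routes, findings = set(), {}, {}, [], []
    iface = group = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":                      # '#' closes the current section
            iface = group = None
        elif m := re.match(r"ip vpn-instance (\S+)", line):
            vrfs.add(m[1])
        elif m := re.match(r"interface (\S+)", line):
            iface, group = m[1].lower(), None
        elif m := re.match(r"l2tp-group (\S+)", line):
            iface, group = None, groups.setdefault(m[1], {})
        elif iface and (m := re.match(r"ip binding vpn-instance (\S+)", line)):
            if_vrf[iface] = m[1]
        elif group is not None and (m := re.match(r"start l2tp ip (\S+)", line)):
            group["peer"] = ipaddress.ip_address(m[1])
        elif group is not None and (m := re.match(r"tunnel source (\S+)", line)):
            group["source"] = m[1].lower()
        elif m := re.match(r"ip route-static vpn-instance (\S+) (\S+) (\S+)", line):
            routes.append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)))
        # Secrets kept readable in the saved file; the value itself is not echoed.
        if re.search(r"\bpassword simple\b|\bshared-key\s+\S+", line):
            findings.append("cleartext secret: " + re.sub(r"\S+$", "<redacted>", line))
    for name, vrf in if_vrf.items():
        if vrf not in vrfs:
            findings.append(f"{name}: bound to undefined VPN instance {vrf}")
    for name, g in groups.items():
        if "peer" not in g:                  # only LAC groups start tunnels
            continue
        vrf = if_vrf.get(g.get("source"))
        if vrf is None:
            findings.append(f"{name}: tunnel source is not in a VPN instance")
        elif not any(v == vrf and g["peer"] in net for v, net in routes):
            findings.append(f"{name}: no static route to {g['peer']} in {vrf}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LAC):
        print(finding)
```

Run it against the saved configuration of each LAC before the connectivity tests in step 5; L2TP groups without a start l2tp line (the LNS side) are skipped by the route check.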
Updated: 2019-01-03

Document ID: EDOC1100055031
