NE40E V800R010C10SPC500 Configuration Guide - User Access 01

Example for Configuring Access to L3VPNs Through L2TP Tunnels

This section provides an example for configuring access to L3VPNs through L2TP tunnels, including the networking requirements, configuration roadmap, configuration procedure, and configuration files.

Networking Requirements

As shown in Figure 10-9, DeviceA functions as the LAC and DeviceB functions as the LNS. The headquarters of enterprise01 uses the domain name isp1, and PC1 is a user of enterprise01; the headquarters of enterprise02 uses the domain name isp2, and PC2 is a user of enterprise02.

Figure 10-9 Networking for configuring access to L3VPNs through L2TP tunnels
NOTE:

Interfaces 1 through 3 in this example are GE2/0/0, GE1/0/1, and GE3/0/0.



Device    Interface                   IP Address
DeviceA   GigabitEthernet1/0/1.1      11.11.11.1/24
          GigabitEthernet1/0/1.2      12.12.12.1/24
          GigabitEthernet2/0/0.100    -
          LoopBack0                   1.1.1.1/32
          LoopBack1                   2.2.2.2/32
DeviceB   GigabitEthernet1/0/1.1      11.11.11.2/24
          GigabitEthernet1/0/1.2      12.12.12.2/24
          LoopBack0                   3.3.3.3/32
          LoopBack1                   4.4.4.4/32

Configuration Roadmap

Multiple enterprises share the same LNS, and the users of each enterprise need to reach their own headquarters. The headquarters networks use private addresses, so a user on the Internet cannot reach an intranet server directly. Terminating each L2TP session into a VPN instance on the LNS gives the users of an enterprise access to that enterprise's intranet while keeping the traffic and address spaces of the two enterprises separate.

NOTE:

Addresses of different VPN instances can overlap.

  1. Configure dial-up parameters at the user side.

  2. Configure an LAC.

    • Configure the PPPoX access service, including the virtual template, the AAA schemes, and the BAS interface.
    • Enable basic L2TP functions.
    • Configure tunnel connections on the LAC.
    • Configure the tunnel authentication mode.
    • Configure L2TP user attributes.
    • Configure the routing protocol (static route in this case) to make the LAC and LNS reachable.
  3. Configure an LNS.

    • Create a VPN instance.
    • Configure a virtual template.
    • Configure tunnel connections on the LNS.
    • Configure the user and tunnel authentication modes.
    • Set parameters for the tunnel on the LNS side.
    • Configure an address pool for allocating IP addresses to L2TP users and bind the address pool to a VPN instance.
    • Configure domains for L2TP users, then specify the address pool and the VPN instance in each domain.
    • Configure the routing protocol (static route in this case) to make the LAC and LNS reachable.
    • Assign an IP address to the interface that is connected to the enterprise network and bind the interface to a VPN instance.

Data Preparation

To complete the configuration, you need the following data:

  • User names and passwords of PC1 and PC2

  • Tunnel password, and the local tunnel names on the LAC and the LNS (the LAC's tunnel name is the remote name that the LNS allows)

  • Names, RDs, and VPN targets of VPN instances

  • Numbers of virtual templates and numbers of L2TP groups

  • Number, range, and mask of the remote address pool

NOTE:

This section provides only the procedures relevant to L2TP.

The tunnel password is entered with the simple keyword in this example so that it is readable; the cipher keyword stores it in encrypted form in the configuration file. Tunnel authentication only verifies that both tunnel endpoints know the password. L2TP itself does not encrypt the PPP frames carried between the LAC and the LNS.

Procedure

  1. Configure the devices at the user side.

    Create a dial-up connection on each PC that dials the access number configured on DeviceA. The PC receives its IP address from the LNS.

    On PC1, enter the user name user1@isp1 and the password in the dial-up window. The account must have been registered in advance on the RADIUS server that the LNS uses (20.20.20.1 in this example).

    On PC2, enter the user name user1@isp2 and the password in the dial-up window. This account must also have been registered on the RADIUS server in advance.

  2. Configure DeviceA that functions as an LAC.

    # Configure virtual template 1.

    <Device> system-view
    [~Device] sysname DeviceA
    [*Device] commit
    [~DeviceA] interface virtual-template 1
    [*DeviceA-Virtual-Template1] ppp authentication-mode chap
    [*DeviceA-Virtual-Template1] commit
    [~DeviceA-Virtual-Template1] quit

    # Bind virtual template 1 to GE 2/0/0.100.

    [~DeviceA] interface gigabitethernet 2/0/0.100
    [*DeviceA-GigabitEthernet2/0/0.100] pppoe-server bind virtual-template 1
    [*DeviceA-GigabitEthernet2/0/0.100] user-vlan 1 100
    [*DeviceA-GigabitEthernet2/0/0.100-vlan-1-100] commit
    [~DeviceA-GigabitEthernet2/0/0.100-vlan-1-100] quit

    # Configure a BAS interface.

    [~DeviceA-GigabitEthernet2/0/0.100] bas
    [*DeviceA-GigabitEthernet2/0/0.100-bas] access-type layer2-subscriber
    [*DeviceA-GigabitEthernet2/0/0.100-bas] authentication-method ppp
    [*DeviceA-GigabitEthernet2/0/0.100-bas] commit
    [~DeviceA-GigabitEthernet2/0/0.100-bas] quit
    [~DeviceA-GigabitEthernet2/0/0.100] quit

    # Configure the LAC interface that connects to the LNS and create sub-interfaces for the interface.

    [~DeviceA] interface gigabitethernet1/0/1.1
    [*DeviceA-GigabitEthernet1/0/1.1] vlan-type dot1q 1
    [*DeviceA-GigabitEthernet1/0/1.1] ip address 11.11.11.1 255.255.255.0
    [*DeviceA-GigabitEthernet1/0/1.1] commit
    [~DeviceA-GigabitEthernet1/0/1.1] quit
    [~DeviceA] interface gigabitethernet1/0/1.2
    [*DeviceA-GigabitEthernet1/0/1.2] vlan-type dot1q 2
    [*DeviceA-GigabitEthernet1/0/1.2] ip address 12.12.12.1 255.255.255.0
    [*DeviceA-GigabitEthernet1/0/1.2] commit
    [~DeviceA-GigabitEthernet1/0/1.2] quit

    # Create loopback interfaces.

    [~DeviceA] interface loopback0
    [*DeviceA-LoopBack0] ip address 1.1.1.1 255.255.255.255
    [*DeviceA-LoopBack0] commit
    [~DeviceA-LoopBack0] quit
    [~DeviceA] interface loopback1
    [*DeviceA-LoopBack1] ip address 2.2.2.2 255.255.255.255
    [*DeviceA-LoopBack1] commit
    [~DeviceA-LoopBack1] quit

    # Configure an L2TP group and attributes of the L2TP group.

    [~DeviceA] l2tp enable
    [~DeviceA] l2tp-group lac1
    [*DeviceA-l2tp-lac1] tunnel name lac1
    [*DeviceA-l2tp-lac1] start l2tp ip 3.3.3.3
    [*DeviceA-l2tp-lac1] tunnel authentication
    [*DeviceA-l2tp-lac1] tunnel password simple 1qaz#EDC
    [*DeviceA-l2tp-lac1] tunnel source loopback0
    [*DeviceA-l2tp-lac1] commit
    [~DeviceA-l2tp-lac1] quit
    [~DeviceA] l2tp-group lac2
    [*DeviceA-l2tp-lac2] tunnel name lac2
    [*DeviceA-l2tp-lac2] start l2tp ip 4.4.4.4
    [*DeviceA-l2tp-lac2] tunnel authentication
    [*DeviceA-l2tp-lac2] tunnel password simple 1qaz#EDC
    [*DeviceA-l2tp-lac2] tunnel source loopback1
    [*DeviceA-l2tp-lac2] commit
    [~DeviceA-l2tp-lac2] quit

    # Configure a RADIUS server group.

    [~DeviceA] radius-server group radius1
    [*DeviceA-radius-radius1] radius-server authentication 20.20.20.1 1812
    [*DeviceA-radius-radius1] radius-server accounting 20.20.20.1 1813
    [*DeviceA-radius-radius1] radius-server shared-key itellin
    [*DeviceA-radius-radius1] commit
    [~DeviceA-radius-radius1] quit

    # Configure the domains to which users belong, and bind each domain to its L2TP group.

    [~DeviceA] aaa
    [*DeviceA-aaa] domain isp1
    [*DeviceA-aaa-domain-isp1] l2tp-group lac1
    [*DeviceA-aaa-domain-isp1] radius-server group radius1
    [*DeviceA-aaa-domain-isp1] authentication-scheme default1
    [*DeviceA-aaa-domain-isp1] accounting-scheme default1
    [*DeviceA-aaa-domain-isp1] commit
    [~DeviceA-aaa-domain-isp1] quit
    [~DeviceA-aaa] domain isp2
    [*DeviceA-aaa-domain-isp2] l2tp-group lac2
    [*DeviceA-aaa-domain-isp2] radius-server group radius1
    [*DeviceA-aaa-domain-isp2] authentication-scheme default1
    [*DeviceA-aaa-domain-isp2] accounting-scheme default1
    [*DeviceA-aaa-domain-isp2] commit
    [~DeviceA-aaa-domain-isp2] quit
    [~DeviceA-aaa] quit

    # Configure routes.

    [~DeviceA] ip route-static 3.3.3.3 255.255.255.255 11.11.11.2
    [~DeviceA] ip route-static 4.4.4.4 255.255.255.255 12.12.12.2

  3. Configure DeviceB that functions as an LNS.

    # Create two VPN instances.

    <Device> system-view
    [~Device] sysname DeviceB
    [*Device] commit
    [~DeviceB] ip vpn-instance vrf1
    [*DeviceB-vpn-instance-vrf1] route-distinguisher 100:1
    [*DeviceB-vpn-instance-vrf1] vpn-target 100:1 both
    [*DeviceB-vpn-instance-vrf1] commit
    [~DeviceB-vpn-instance-vrf1] quit
    [~DeviceB] ip vpn-instance vrf2
    [*DeviceB-vpn-instance-vrf2] route-distinguisher 100:2
    [*DeviceB-vpn-instance-vrf2] vpn-target 100:2 both
    [*DeviceB-vpn-instance-vrf2] commit
    [~DeviceB-vpn-instance-vrf2] quit

    # Create sub-interfaces.

    [~DeviceB] interface gigabitethernet1/0/1.1
    [*DeviceB-GigabitEthernet1/0/1.1] vlan-type dot1q 1
    [*DeviceB-GigabitEthernet1/0/1.1] ip address 11.11.11.2 255.255.255.0
    [*DeviceB-GigabitEthernet1/0/1.1] commit
    [~DeviceB-GigabitEthernet1/0/1.1] quit
    [~DeviceB] interface gigabitethernet1/0/1.2
    [*DeviceB-GigabitEthernet1/0/1.2] vlan-type dot1q 2
    [*DeviceB-GigabitEthernet1/0/1.2] ip address 12.12.12.2 255.255.255.0
    [*DeviceB-GigabitEthernet1/0/1.2] commit
    [~DeviceB-GigabitEthernet1/0/1.2] quit

    # Create loopback interfaces.

    [~DeviceB] interface loopback0
    [*DeviceB-LoopBack0] ip address 3.3.3.3 255.255.255.255
    [*DeviceB-LoopBack0] commit
    [~DeviceB-LoopBack0] quit
    [~DeviceB] interface loopback1
    [*DeviceB-LoopBack1] ip address 4.4.4.4 255.255.255.255
    [*DeviceB-LoopBack1] commit
    [~DeviceB-LoopBack1] quit

    # Create virtual template 1.

    [~DeviceB] interface virtual-template 1
    [*DeviceB-Virtual-Template1] ppp authentication-mode chap
    [*DeviceB-Virtual-Template1] commit
    [~DeviceB-Virtual-Template1] quit

    # Enable L2TP and configure an L2TP group.

    [~DeviceB] l2tp enable
    [~DeviceB] l2tp-group lns1
    [*DeviceB-l2tp-lns1] tunnel name lns1
    [*DeviceB-l2tp-lns1] allow l2tp virtual-template 1 remote lac1
    [*DeviceB-l2tp-lns1] tunnel authentication
    [*DeviceB-l2tp-lns1] tunnel password simple 1qaz#EDC
    [*DeviceB-l2tp-lns1] commit
    [~DeviceB-l2tp-lns1] quit
    [~DeviceB] l2tp-group lns2
    [*DeviceB-l2tp-lns2] tunnel name lns2
    [*DeviceB-l2tp-lns2] allow l2tp virtual-template 1 remote lac2
    [*DeviceB-l2tp-lns2] tunnel authentication
    [*DeviceB-l2tp-lns2] tunnel password simple 1qaz#EDC
    [*DeviceB-l2tp-lns2] commit
    [~DeviceB-l2tp-lns2] quit

    # Create LNS group 1, and bind the tunnel source interface to the tunnel board.

    [~DeviceB] lns-group group1
    [*DeviceB-lns-group-group1] bind slot 1 
    [*DeviceB-lns-group-group1] bind source loopback 0
    [*DeviceB-lns-group-group1] bind source loopback 1
    [*DeviceB-lns-group-group1] commit
    [~DeviceB-lns-group-group1] quit

    # Configure the address pool used to assign addresses to users.

    [~DeviceB] ip pool pool1 bas local
    [*DeviceB-ip-pool-pool1] gateway 10.10.0.1 255.255.255.0
    [*DeviceB-ip-pool-pool1] section 0 10.10.0.10 10.10.0.100
    [*DeviceB-ip-pool-pool1] vpn-instance vrf1
    [*DeviceB-ip-pool-pool1] commit
    [~DeviceB-ip-pool-pool1] quit
    [~DeviceB] ip pool pool2 bas local
    [*DeviceB-ip-pool-pool2] gateway 10.10.0.1 255.255.255.0
    [*DeviceB-ip-pool-pool2] section 0 10.10.0.10 10.10.0.100
    [*DeviceB-ip-pool-pool2] vpn-instance vrf2
    [*DeviceB-ip-pool-pool2] commit
    [~DeviceB-ip-pool-pool2] quit

    # Configure a RADIUS server group.

    [~DeviceB] radius-server group radius1
    [*DeviceB-radius-radius1] radius-server authentication 20.20.20.1 1812
    [*DeviceB-radius-radius1] radius-server accounting 20.20.20.1 1813
    [*DeviceB-radius-radius1] radius-server shared-key itellin
    [*DeviceB-radius-radius1] commit
    [~DeviceB-radius-radius1] quit

    # Configure the domains to which users belong.

    [~DeviceB] aaa
    [*DeviceB-aaa] domain isp1
    [*DeviceB-aaa-domain-isp1] radius-server group radius1
    [*DeviceB-aaa-domain-isp1] authentication-scheme default1
    [*DeviceB-aaa-domain-isp1] accounting-scheme default1
    [*DeviceB-aaa-domain-isp1] ip-pool pool1
    [*DeviceB-aaa-domain-isp1] vpn-instance vrf1
    [*DeviceB-aaa-domain-isp1] commit
    [~DeviceB-aaa-domain-isp1] quit
    [~DeviceB-aaa] domain isp2
    [*DeviceB-aaa-domain-isp2] radius-server group radius1
    [*DeviceB-aaa-domain-isp2] authentication-scheme default1
    [*DeviceB-aaa-domain-isp2] accounting-scheme default1
    [*DeviceB-aaa-domain-isp2] ip-pool pool2
    [*DeviceB-aaa-domain-isp2] vpn-instance vrf2
    [*DeviceB-aaa-domain-isp2] commit
    [~DeviceB-aaa-domain-isp2] quit
    [~DeviceB-aaa] quit

    # Configure routes.

    [~DeviceB] ip route-static 1.1.1.1 255.255.255.255 11.11.11.1
    [~DeviceB] ip route-static 2.2.2.2 255.255.255.255 12.12.12.1

  4. Verify the configuration.

    # On DeviceA, check that both LNS tunnel endpoints are reachable. The ping uses the public routing table: the VPN instances exist only on DeviceB, so DeviceA cannot ping through vrf1 or vrf2.

    [~DeviceA] ping 3.3.3.3
    PING 3.3.3.3: 56  data bytes, press CTRL_C to break
      Reply from 3.3.3.3: bytes=56 Sequence=1 ttl=255 time=12 ms
      Reply from 3.3.3.3: bytes=56 Sequence=2 ttl=255 time=10 ms
      Reply from 3.3.3.3: bytes=56 Sequence=3 ttl=255 time=5 ms
      Reply from 3.3.3.3: bytes=56 Sequence=4 ttl=255 time=8 ms

      --- 3.3.3.3 ping statistics ---
      4 packet(s) transmitted
      4 packet(s) received
      0.00% packet loss
      round-trip min/avg/max = 5/8/12 ms
    [~DeviceA] ping 4.4.4.4
    PING 4.4.4.4: 56  data bytes, press CTRL_C to break
      Reply from 4.4.4.4: bytes=56 Sequence=1 ttl=255 time=12 ms
      Reply from 4.4.4.4: bytes=56 Sequence=2 ttl=255 time=10 ms
      Reply from 4.4.4.4: bytes=56 Sequence=3 ttl=255 time=5 ms
      Reply from 4.4.4.4: bytes=56 Sequence=4 ttl=255 time=8 ms

      --- 4.4.4.4 ping statistics ---
      4 packet(s) transmitted
      4 packet(s) received
      0.00% packet loss
      round-trip min/avg/max = 5/8/12 ms

    # Test the L2TP tunnels from the LAC.

    [~DeviceA] test l2tp-tunnel l2tp-group lac1 ip-address 3.3.3.3
    Testing L2TP tunnel connectivity now.......
    Test L2TP tunnel connectivity success.
    [~DeviceA] test l2tp-tunnel l2tp-group lac2 ip-address 4.4.4.4
    Testing L2TP tunnel connectivity now.......
    Test L2TP tunnel connectivity success.

    # VPN users can access the headquarters of their enterprises.

    PC1 can access Headquarter01 through vrf1, and PC2 can access Headquarter02 through vrf2.

    If PC1 dials in with the user name user1@isp2 and the matching password, PC1 reaches Headquarter02 as a user of vrf2. The VPN instance a subscriber lands in is selected by the domain suffix the subscriber types, not by the access port, so the separation between the two enterprises depends on the RADIUS server (20.20.20.1) rejecting credentials that are not registered for that domain.
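    The tunnel authentication that the tunnel authentication and tunnel password commands switch on, shown as an added example (it is not part of this guide and not Huawei's software). Both endpoints hold the same password (the guide's 1qaz#EDC); each challenges the other and checks a CHAP-style response as defined in RFC 2661, and the LNS accepts the LAC only if the Host Name AVP matches a name configured with allow l2tp virtual-template 1 remote. The Endpoint class, the dict-shaped messages and the 16-byte challenge length are choices made for this example; the UDP transport, AVP encoding and tunnel IDs are not modelled.

```python
"""L2TP control-connection (tunnel) authentication, RFC 2661 section 5.1.1.

Added example; not part of the NE40E guide or of Huawei's software.  It
models what `tunnel authentication` with a shared `tunnel password` (the
guide's 1qaz#EDC) does during tunnel setup: each end challenges the other
and verifies a CHAP-style MD5 response, and the LNS also compares the LAC's
Host Name AVP with the names permitted by `allow l2tp ... remote <name>`.
Transport, AVP encoding and tunnel IDs are not modelled; messages are dicts.
"""
import hashlib
import hmac
import os

SCCRQ, SCCRP, SCCCN = 1, 2, 3  # control message types; SCCRP/SCCCN double as the CHAP ID


def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """Challenge Response AVP value: MD5(msg_type || shared secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


class Endpoint:
    """One tunnel endpoint (LAC or LNS) with tunnel authentication enabled."""

    def __init__(self, name, password, allowed_remotes=None, rng=os.urandom):
        self.name = name                         # Host Name AVP, i.e. `tunnel name`
        self.secret = password.encode()          # `tunnel password`, equal on both ends
        self.allowed_remotes = allowed_remotes   # LNS only: `allow l2tp ... remote` names
        self.rng = rng
        self.sent_challenge = None

    def challenge(self):
        self.sent_challenge = self.rng(16)       # 16 bytes is a choice for this example
        return self.sent_challenge

    def respond(self, msg_type, peer_challenge):
        return challenge_response(msg_type, self.secret, peer_challenge)

    def check(self, msg_type, response):
        expected = challenge_response(msg_type, self.secret, self.sent_challenge)
        return hmac.compare_digest(expected, response)


def establish_tunnel(lac, lns):
    """Run SCCRQ -> SCCRP -> SCCCN; return 'up' or why the tunnel was refused."""
    sccrq = {"type": SCCRQ, "hostname": lac.name, "challenge": lac.challenge()}
    if lns.allowed_remotes is not None and sccrq["hostname"] not in lns.allowed_remotes:
        return "refused: no l2tp-group allows remote " + sccrq["hostname"]
    sccrp = {"type": SCCRP, "hostname": lns.name, "challenge": lns.challenge(),
             "response": lns.respond(SCCRP, sccrq["challenge"])}
    if not lac.check(SCCRP, sccrp["response"]):
        return "refused: LAC rejected the LNS challenge response"  # LAC sends StopCCN
    scccn = {"type": SCCCN, "response": lac.respond(SCCCN, sccrp["challenge"])}
    if not lns.check(SCCCN, scccn["response"]):
        return "refused: LNS rejected the LAC challenge response"  # LNS sends StopCCN
    return "up"


if __name__ == "__main__":
    lns1 = Endpoint("lns1", "1qaz#EDC", allowed_remotes={"lac1"})
    print(establish_tunnel(Endpoint("lac1", "1qaz#EDC"), lns1))   # up
    print(establish_tunnel(Endpoint("lac1", "wrong"), lns1))      # refused: LAC rejected ...
    print(establish_tunnel(Endpoint("lac2", "1qaz#EDC"), lns1))   # refused: no l2tp-group ...
```

    The response is an unkeyed MD5 over the password and a challenge that travels in clear text on the 11.11.11.0/24 and 12.12.12.0/24 links, so anyone who captures one SCCRQ/SCCRP pair can test candidate passwords offline; this is why the tunnel password needs to be strong and why L2TP is normally carried over IPsec when the path between the LAC and the LNS is not trusted.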

Configuration Files

  • Configuration file of DeviceA
    #
     sysname DeviceA
    #
     l2tp enable
    #
    radius-server group radius1
     radius-server authentication 20.20.20.1 1812 
     radius-server accounting 20.20.20.1 1813 
     radius-server shared-key itellin
    #
    interface Virtual-Template1
     ppp authentication-mode chap
    #
    interface GigabitEthernet2/0/0
     undo shutdown
    #
    interface GigabitEthernet2/0/0.100
     pppoe-server bind Virtual-Template 1
     undo shutdown
     user-vlan 1 100
     bas
      access-type layer2-subscriber
    #
    interface LoopBack0
     ip address 1.1.1.1 255.255.255.255
    #
    interface LoopBack1
     ip address 2.2.2.2 255.255.255.255
    #
    l2tp-group lac1
     tunnel password simple 1qaz#EDC
     tunnel name lac1
     start l2tp ip 3.3.3.3
     tunnel source LoopBack0
    #
    l2tp-group lac2
     tunnel password simple 1qaz#EDC
     tunnel name lac2
     start l2tp ip 4.4.4.4
     tunnel source LoopBack1
    #
    aaa
     domain isp1
      authentication-scheme default1
      accounting-scheme default1
      radius-server group radius1
      l2tp-group lac1
     domain isp2
      authentication-scheme default1
      accounting-scheme default1
      radius-server group radius1
      l2tp-group lac2
    #
    interface GigabitEthernet1/0/1.1
     undo shutdown
     vlan-type dot1q 1
     ip address 11.11.11.1 255.255.255.0
    #
    interface GigabitEthernet1/0/1.2
     undo shutdown
     vlan-type dot1q 2
     ip address 12.12.12.1 255.255.255.0
    #
     ip route-static 3.3.3.3 255.255.255.255 11.11.11.2
     ip route-static 4.4.4.4 255.255.255.255 12.12.12.2
    #
    return
  • Configuration file of DeviceB

    #
     sysname DeviceB
    #
     l2tp enable
    #
    radius-server group radius1
     radius-server authentication 20.20.20.1 1812 
     radius-server accounting 20.20.20.1 1813 
     radius-server shared-key itellin
    #
    interface Virtual-Template1
     ppp authentication-mode chap
    #
    ip vpn-instance vrf1
     route-distinguisher 100:1
     vpn-target 100:1 export-extcommunity
     vpn-target 100:1 import-extcommunity
    #
    ip vpn-instance vrf2
     route-distinguisher 100:2
     vpn-target 100:2 export-extcommunity
     vpn-target 100:2 import-extcommunity
    #
    interface LoopBack0
     ip address 3.3.3.3 255.255.255.255
    #
    interface LoopBack1
     ip address 4.4.4.4 255.255.255.255
    #
    l2tp-group lns1
     allow l2tp virtual-template 1 remote lac1
     tunnel password simple 1qaz#EDC
     tunnel name lns1
    #
    l2tp-group lns2
     allow l2tp virtual-template 1 remote lac2
     tunnel password simple 1qaz#EDC
     tunnel name lns2
    #
    lns-group group1
     bind slot 1 
     bind source LoopBack0
     bind source LoopBack1
    #
    ip pool pool1 bas local
     vpn-instance vrf1
     gateway 10.10.0.1 255.255.255.0
     section 0 10.10.0.10 10.10.0.100
    #
    ip pool pool2 bas local
     vpn-instance vrf2
     gateway 10.10.0.1 255.255.255.0
     section 0 10.10.0.10 10.10.0.100
    #
    aaa
     domain isp1
      authentication-scheme default1
      accounting-scheme default1
      radius-server group radius1
      vpn-instance vrf1
      ip-pool pool1
     domain isp2
      authentication-scheme default1
      accounting-scheme default1
      radius-server group radius1
      vpn-instance vrf2
      ip-pool pool2
    #
    interface GigabitEthernet1/0/1.1
     undo shutdown
     vlan-type dot1q 1
     ip address 11.11.11.2 255.255.255.0
    #
    interface GigabitEthernet1/0/1.2
     undo shutdown
     vlan-type dot1q 2
     ip address 12.12.12.2 255.255.255.0
    #
     ip route-static 1.1.1.1 255.255.255.255 11.11.11.1
     ip route-static 2.2.2.2 255.255.255.255 12.12.12.1
    #
    return
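  A consistency check over the configuration files above, added here as an example (it is not the guide's or Huawei's code). It parses trimmed copies of the two files and verifies the bindings that keep enterprise01 and enterprise02 apart: each domain's ip-pool belongs to the domain's own VPN instance, overlapping address sections only coexist in different VPN instances (the page relies on this for pool1 and pool2), every LAC l2tp-group has an LNS l2tp-group that allows its tunnel name with the same password, and tunnel passwords stored with the simple keyword are reported. The functions parse_blocks, attr, named, domains and audit, and the configuration strings, are constructed for this example; the parser understands only the #-separated block layout shown on this page.

```python
"""Audit of the LAC/LNS configuration files in this example (added here; not
from the NE40E guide or Huawei).  The two strings are trimmed copies of the
Configuration Files section; the parser understands only VRP's '#'-separated
display layout and is a simplification written for this example.
"""
import ipaddress
import itertools
import re

LAC_CONF = """\
l2tp-group lac1
 tunnel password simple 1qaz#EDC
 tunnel name lac1
"""

LNS_CONF = """\
l2tp-group lns1
 allow l2tp virtual-template 1 remote lac1
 tunnel password simple 1qaz#EDC
 tunnel name lns1
#
ip pool pool1 bas local
 vpn-instance vrf1
 section 0 10.10.0.10 10.10.0.100
#
ip pool pool2 bas local
 vpn-instance vrf2
 section 0 10.10.0.10 10.10.0.100
#
aaa
 domain  isp1
  vpn-instance vrf1
  ip-pool   pool1
 domain  isp2
  vpn-instance vrf2
  ip-pool   pool2
"""

def parse_blocks(text):
    """{block header: [token lists]} for every '#'-separated VRP block."""
    blocks = {}
    for chunk in re.split(r"^#[ \t]*$", text, flags=re.M):
        lines = [l.split() for l in chunk.splitlines() if l.strip()]
        if lines:
            blocks[" ".join(lines[0])] = lines[1:]
    return blocks

def attr(lines, *prefix):
    """Tokens after the first line starting with `prefix`, or None."""
    return next((t[len(prefix):] for t in lines if tuple(t[:len(prefix)]) == prefix), None)

def named(blocks, prefix):
    # {name: lines} for headers like 'l2tp-group lac1' or 'ip pool pool1 bas local'
    n = len(prefix.split())
    return {h.split()[n]: a for h, a in blocks.items() if h.startswith(prefix + " ")}

def domains(blocks):
    # domains are nested inside the aaa view: {domain name: [token lists]}
    result, cur = {}, None
    for t in blocks.get("aaa", []):
        if t[0] == "domain":
            cur = result.setdefault(t[1], [])
        elif cur is not None:
            cur.append(t)
    return result

def audit(lac_conf, lns_conf):
    """Return (errors, warnings); errors break tenant separation or tunnel setup."""
    errors, warnings = [], []
    lac, lns = parse_blocks(lac_conf), parse_blocks(lns_conf)
    pools, first = named(lns, "ip pool"), (lambda v: (v or [None])[0])
    # 1. domain -> ip-pool -> vpn-instance must agree, or one enterprise's users get the other's VRF
    for dom, lines in domains(lns).items():
        pool, vpn = first(attr(lines, "ip-pool")), first(attr(lines, "vpn-instance"))
        pool_vpn = first(attr(pools.get(pool, []), "vpn-instance"))
        if pool is None or pool_vpn != vpn:
            errors.append(f"domain {dom}: ip-pool {pool} is in vpn-instance {pool_vpn}, domain in {vpn}")
    # 2. overlapping sections are legal across VPN instances, never inside one
    rng = {p: [(ipaddress.ip_address(t[2]), ipaddress.ip_address(t[3]))
               for t in lines if t[0] == "section"] for p, lines in pools.items()}
    for a, b in itertools.combinations(sorted(pools), 2):
        if attr(pools[a], "vpn-instance") == attr(pools[b], "vpn-instance") and any(
                lo1 <= hi2 and lo2 <= hi1 for lo1, hi1 in rng[a] for lo2, hi2 in rng[b]):
            errors.append(f"ip pools {a} and {b} overlap inside one vpn-instance")
    # 3. each LAC tunnel name needs an LNS group allowing it as remote with the same
    #    password (comparable only while both sides store the password with 'simple')
    accept = {}
    for lines in named(lns, "l2tp-group").values():
        allow = attr(lines, "allow", "l2tp") or []
        if "remote" in allow:
            accept[allow[allow.index("remote") + 1]] = attr(lines, "tunnel", "password")
    for g, lines in named(lac, "l2tp-group").items():
        name, pw = first(attr(lines, "tunnel", "name")), attr(lines, "tunnel", "password")
        if name not in accept:
            errors.append(f"LAC l2tp-group {g}: no LNS l2tp-group allows remote {name}")
        elif accept[name] != pw:
            errors.append(f"LAC l2tp-group {g}: tunnel password differs from the LNS side")
    # 4. 'simple' leaves the shared secret readable in the saved configuration
    for side, conf in (("LAC", lac), ("LNS", lns)):
        for g, lines in named(conf, "l2tp-group").items():
            if first(attr(lines, "tunnel", "password")) == "simple":
                warnings.append(f"{side} l2tp-group {g}: tunnel password stored with 'simple'")
    return errors, warnings
```

  On the configuration as printed, audit(LAC_CONF, LNS_CONF) returns no errors and two warnings about the simple keyword; re-binding pool2 to vrf1 produces both a domain/pool mismatch for isp2 and an overlap error, which is the misconfiguration that would let a user of one enterprise receive an address routed inside the other enterprise's VPN instance.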
Updated: 2019-01-03

Document ID: EDOC1100055031