NE20E-S2 V800R010C10SPC500 Configuration Guide - LAN Access and MAN Access 01

Example for Configuring the VXLAN over IPSec Active-Active Scenario

In the scenario where a data center is interconnected with an enterprise site, a CE is dual-homed to a VXLAN network, which enhances VXLAN access reliability and implements rapid convergence if a fault occurs. IPSec encapsulation encrypts the VXLAN packets in transit, securing packet transmission.

Networking Requirements

As shown in Figure 17-25, CE1 is dual-homed to PE1 and PE2; PE1 and PE2 use a virtual (anycast) address as the source VTEP address of their NVE interfaces. In this way, the CPE is aware of only one remote NVE interface and establishes a static VXLAN tunnel with the anycast VTEP address. VXLAN packets are otherwise transmitted in plain text across the network, which is insecure; IPSec encryption protects them in transit.

Figure 17-25 Networking diagram for configuring the VXLAN over IPSec active-active scenario
NOTE:

Interface 1, interface 2, and interface 3 stand for GigabitEthernet0/1/1, GigabitEthernet0/1/2, and GigabitEthernet0/1/3, respectively.



Table 17-10 Interface IP address

Device Name   Interface Name          IP Address and Mask
PE1           GigabitEthernet 0/1/1   10.1.20.1/24
              GigabitEthernet 0/1/2   192.168.1.1/24
              GigabitEthernet 0/1/3   10.1.1.1/24
              LoopBack0               1.1.1.1/32
              LoopBack1               3.3.3.3/32
PE2           GigabitEthernet 0/1/1   10.1.20.2/24
              GigabitEthernet 0/1/2   192.168.2.1/24
              GigabitEthernet 0/1/3   10.1.2.1/24
              LoopBack0               2.2.2.2/32
              LoopBack1               3.3.3.3/32
CE1           GigabitEthernet 0/1/1   192.168.1.2/24
              GigabitEthernet 0/1/2   192.168.2.2/24
CPE           GigabitEthernet 0/1/1   10.1.1.2/24
              LoopBack0               4.4.4.4/32

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an IGP on the CEs, PEs, and CPE to implement Layer 2 network connectivity.
  2. Configure service access points on PE1 and PE2 so that CE1 can be dual-homed to PE1 and PE2.
  3. Establish static VXLAN tunnels between the PEs and the CPE so that the PEs and the CPE can communicate.
  4. Establish a bypass VXLAN tunnel between PE1 and PE2 so that PE1 and PE2 can communicate.
  5. (Optional) Configure a UDP port on the PEs to prevent replicated packets from being received.
  6. Configure IPSec on the PEs and CPE and establish IPSec tunnels.

Data Preparation

To complete the configuration, you need the following data:

  • Interfaces and their IP addresses

  • EVPN instance names

  • VPN targets of the received and sent routes in EVPN instances

  • Preshared key

  • Security protocol, encryption algorithm, and authentication algorithm to be adopted by IPSec

  • Encryption algorithm and authentication algorithm that an IKE proposal uses

Procedure

  1. Assign an IP address to each interface on each node, and configure loopback interface addresses.

    For detailed configurations, see Configuration Files.

  2. Configure an IGP on the AC side and on the backbone. In this example, IS-IS is adopted.

    For detailed configurations, see Configuration Files.

  3. Configure EVPN.

    # Configure PE1.

    [~PE1] evpn
    [*PE1-evpn] vlan-extend private enable
    [*PE1-evpn] vlan-extend redirect enable
    [*PE1-evpn] local-remote frr enable
    [*PE1-evpn] bypass-vxlan enable
    [*PE1-evpn] quit
    [*PE1] commit

    Repeat this step for PE2. For configuration details, see Configuration Files in this section.

  4. Configure a BGP peer relationship between PE1 and PE2.

    # Configure PE1.

    [~PE1] bgp 100
    [*PE1-bgp] peer 2.2.2.2 as-number 100
    [*PE1-bgp] peer 2.2.2.2 connect-interface LoopBack 1
    [*PE1-bgp] ipv4-family unicast
    [*PE1-bgp-af-ipv4] undo synchronization
    [*PE1-bgp-af-ipv4] peer 2.2.2.2 enable
    [*PE1-bgp-af-ipv4] quit
    [*PE1-bgp] l2vpn-family evpn
    [*PE1-bgp-af-evpn] undo policy vpn-target
    [*PE1-bgp-af-evpn] peer 2.2.2.2 enable
    [*PE1-bgp-af-evpn] peer 2.2.2.2 advertise encap-type vxlan
    [*PE1-bgp-af-evpn] quit
    [*PE1-bgp] quit
    [*PE1] commit

    Repeat this step for PE2. For configuration details, see Configuration Files in this section.

  5. Create a VXLAN tunnel.
    1. Configure EVPN instances and bind them to BDs on the PEs.

      # Configure PE1.

      [~PE1] evpn vpn-instance evpn1 bd-mode
      [*PE1-evpn-instance-evpn1] route-distinguisher 11:11
      [*PE1-evpn-instance-evpn1] vpn-target 1:1 export-extcommunity
      [*PE1-evpn-instance-evpn1] vpn-target 1:1 import-extcommunity
      [*PE1-evpn-instance-evpn1] quit
      [*PE1] bridge-domain 10
      [*PE1-bd10] vxlan vni 10 split-horizon-mode
      [*PE1-bd10] evpn binding vpn-instance evpn1
      [*PE1-bd10] quit
      [*PE1] commit

      Repeat this step for PE2. For configuration details, see Configuration Files in this section.

    2. Enable ingress replication on the CPE and the PEs.

      # Configure the CPE.

      [~CPE] interface nve 1
      [*CPE-Nve1] source 4.4.4.4
      [*CPE-Nve1] vni 10 head-end peer-list 3.3.3.3
      [*CPE-Nve1] quit
      [*CPE] commit

      # Configure PE1.

      [~PE1] interface nve 1
      [*PE1-Nve1] source 3.3.3.3
      [*PE1-Nve1] bypass source 1.1.1.1
      [*PE1-Nve1] mac-address 0009-0009-0009
      [*PE1-Nve1] vni 10 head-end peer-list protocol bgp
      [*PE1-Nve1] vni 10 head-end peer-list 4.4.4.4
      [*PE1-Nve1] quit
      [*PE1] commit

      Repeat this step for PE2. For configuration details, see Configuration Files in this section.

  6. Configure CE1 to access the PEs.

    # Configure PE1.

    [~PE1] e-trunk 1
    [*PE1-e-trunk-1] priority 10
    [*PE1-e-trunk-1] peer-address 2.2.2.2 source-address 1.1.1.1
    [*PE1-e-trunk-1] quit
    [*PE1] interface eth-trunk 1
    [*PE1-Eth-Trunk1] mac-address 0004-0004-0017
    [*PE1-Eth-Trunk1] mode lacp-static
    [*PE1-Eth-Trunk1] e-trunk 1
    [*PE1-Eth-Trunk1] e-trunk mode force-master
    [*PE1-Eth-Trunk1] es track evpn-peer 2.2.2.2
    [*PE1-Eth-Trunk1] esi 0000.0001.0001.0001.0001
    [*PE1-Eth-Trunk1] quit
    [*PE1] interface eth-trunk1.1 mode l2
    [*PE1-Eth-Trunk1.1] encapsulation dot1q vid 1
    [*PE1-Eth-Trunk1.1] rewrite pop single
    [*PE1-Eth-Trunk1.1] bridge-domain 10
    [*PE1-Eth-Trunk1.1] quit
    [*PE1] commit

    Repeat this step for PE2. For configuration details, see Configuration Files in this section.

  7. (Optional) Configure a UDP port on the PEs to prevent replicated packets from being received.

    # Configure PE1.

    [~PE1] evpn enhancement port 1345
    [*PE1] commit

    The same UDP port number must be configured on both PEs in the active state.

    Repeat this step for PE2. For configuration details, see Configuration Files in this section.

  8. Configure IPSec on PE1.
    1. Configure advanced ACL 3000.

      [~PE1] acl 3000
      [*PE1-acl-adv-3000] rule 5 permit ip source 3.3.3.3 0 destination 4.4.4.4 0
      [*PE1-acl-adv-3000] quit
      [*PE1] commit

    2. Configure an IPSec proposal named tran1.

      [~PE1] ipsec proposal tran1
      [*PE1-ipsec-proposal-tran1] encapsulation-mode tunnel
      [*PE1-ipsec-proposal-tran1] transform esp
      [*PE1-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [*PE1-ipsec-proposal-tran1] esp encryption-algorithm aes 256
      [*PE1-ipsec-proposal-tran1] quit
      [*PE1] commit

    3. Configure an IKE proposal numbered 10.

      [~PE1] ike proposal 10
      [*PE1-ike-proposal-10] authentication-method pre-share
      [*PE1-ike-proposal-10] authentication-algorithm sha2-256
      [*PE1-ike-proposal-10] integrity-algorithm hmac-sha2-256
      [*PE1-ike-proposal-10] dh group14
      [*PE1-ike-proposal-10] quit
      [*PE1] commit

    4. Configure an IKE peer named b.

      [~PE1] ike peer b
      [*PE1-ike-peer-b] ike-proposal 10
      [*PE1-ike-peer-b] remote-address 6.6.6.6
      [*PE1-ike-peer-b] pre-shared-key abcde
      [*PE1-ike-peer-b] quit
      [*PE1] commit
      NOTE:

      By default, both IKEv1 and IKEv2 are enabled on the NE20E, and IKEv2 takes precedence over IKEv1. If the remote device does not support IKEv2, disable IKEv2 on the local device and use IKEv1 to perform the IKE negotiation.

      The pre-shared key configured on the local device must be the same as that configured on the IKE peer.

    5. Configure an IPSec policy named map1 and numbered 10.

      [~PE1] ipsec policy map1 10 isakmp
      [*PE1-ipsec-policy-isakmp-map1-10] security acl 3000
      [*PE1-ipsec-policy-isakmp-map1-10] proposal tran1
      [*PE1-ipsec-policy-isakmp-map1-10] ike-peer b
      [*PE1-ipsec-policy-isakmp-map1-10] local-address 5.5.5.5
      [*PE1-ipsec-policy-isakmp-map1-10] quit
      [*PE1] commit

    6. Configure an IPSec service instance group named group1.

      [~PE1] service-location 1
      [*PE1-service-location-1] location slot 1
      [*PE1-service-location-1] commit
      [~PE1-service-location-1] quit
      [~PE1] service-instance-group group1
      [*PE1-service-instance-group-group1] service-location 1
      [*PE1-service-instance-group-group1] quit
      [*PE1] commit

    7. Create and configure an IPSec tunnel.

      [~PE1] interface Tunnel 1
      [*PE1-Tunnel1] ip address 11.1.1.1 255.255.255.255
      [*PE1-Tunnel1] tunnel-protocol ipsec
      [*PE1-Tunnel1] ipsec policy map1 service-instance-group group1
      [*PE1-Tunnel1] quit
      [*PE1] commit

    8. Configure static routes that import traffic into the tunnel.

      [~PE1] ip route-static 6.6.6.6 255.255.255.255 GigabitEthernet0/1/3 10.1.1.2
      [*PE1] ip route-static 4.4.4.4 255.255.255.255 Tunnel1 6.6.6.6
      [*PE1] commit

      Repeat this step for PE2. For configuration details, see Configuration Files in this section.

  9. Configure IPSec on the CPE.
    1. Configure advanced ACL 3000.

      [~CPE] acl 3000
      [*CPE-acl-adv-3000] rule 5 permit ip
      [*CPE-acl-adv-3000] quit
      [*CPE] commit

    2. Configure an IPSec proposal named tran1.

      [~CPE] ipsec proposal tran1
      [*CPE-ipsec-proposal-tran1] encapsulation-mode tunnel
      [*CPE-ipsec-proposal-tran1] transform esp
      [*CPE-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [*CPE-ipsec-proposal-tran1] esp encryption-algorithm aes 256
      [*CPE-ipsec-proposal-tran1] quit
      [*CPE] commit

    3. Configure an IKE proposal numbered 10.

      [~CPE] ike proposal 10
      [*CPE-ike-proposal-10] authentication-method pre-share
      [*CPE-ike-proposal-10] authentication-algorithm sha2-256
      [*CPE-ike-proposal-10] integrity-algorithm hmac-sha2-256
      [*CPE-ike-proposal-10] dh group14
      [*CPE-ike-proposal-10] quit
      [*CPE] commit

    4. Configure an IKE peer named 1.

      [~CPE] ike peer 1
      [*CPE-ike-peer-1] ike-proposal 10
      [*CPE-ike-peer-1] remote-address 5.5.5.5
      [*CPE-ike-peer-1] pre-shared-key abcde
      [*CPE-ike-peer-1] quit
      [*CPE] commit
      NOTE:

      By default, both IKEv1 and IKEv2 are enabled on the NE20E, and IKEv2 takes precedence over IKEv1. If the remote device does not support IKEv2, disable IKEv2 on the local device and use IKEv1 to perform the IKE negotiation.

      The pre-shared key configured on the local device must be the same as that configured on the IKE peer.

    5. Configure an IPSec policy template named temp1.

      [~CPE] ipsec policy-template temp1 1
      [*CPE-ipsec-policy-templet-temp1-1] security acl 3000
      [*CPE-ipsec-policy-templet-temp1-1] proposal tran1
      [*CPE-ipsec-policy-templet-temp1-1] ike-peer 1
      [*CPE-ipsec-policy-templet-temp1-1] local-address 6.6.6.6
      [*CPE-ipsec-policy-templet-temp1-1] quit
      [*CPE] commit

    6. Create a security policy based on the policy template.

      [~CPE] ipsec policy 1 1 isakmp template temp1
      [*CPE] commit

    7. Configure an IPSec service instance group named group1.

      [~CPE] service-location 1
      [*CPE-service-location-1] location slot 1
      [*CPE-service-location-1] commit
      [~CPE-service-location-1] quit
      [~CPE] service-instance-group group1
      [*CPE-service-instance-group-group1] service-location 1
      [*CPE-service-instance-group-group1] quit
      [*CPE] commit

    8. Create and configure an IPSec tunnel.

      [~CPE] interface Tunnel 1
      [*CPE-Tunnel1] ip address 22.2.2.2 255.255.255.255
      [*CPE-Tunnel1] tunnel-protocol ipsec
      [*CPE-Tunnel1] ipsec policy 1 service-instance-group group1
      [*CPE-Tunnel1] quit
      [*CPE] commit

    9. Configure static routes that import traffic into the tunnel.

      [~CPE] ip route-static 5.5.5.5 255.255.255.255 GigabitEthernet0/1/1 10.1.1.1
      [*CPE] commit
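The IPSec steps above spread the same handful of values (anycast VTEP address, IKE peer and local addresses, the ACL that selects the VTEP-to-VTEP flow, the UDP port shared by the PEs) across three devices, and a slip on any one of them leaves the tunnel down or, worse, VXLAN traffic in plain text. The following Python script is an added example and is not part of the Huawei document or of the NE20E software: it parses constructed excerpts written in the VRP configuration-file notation and checks that the values agree. The excerpts, the `check_site` function and the `WEAK` token list are assumptions of this example, not anything the product ships.

```python
"""Cross-device consistency checks for the VXLAN over IPSec active-active
example.  Added, constructed example (not from the Huawei document): it parses
VRP-style '#'-delimited configuration text and verifies the facts the
procedure relies on across PE1, PE2 and the CPE."""

IKE = ("ike proposal 10\n encryption-algorithm aes-cbc 256\n dh group14\n"
       " authentication-algorithm sha2-256\n integrity-algorithm hmac-sha2-256\n#\n")

# Constructed excerpts of the PE1 and CPE files, not the complete configurations.
PE1 = ("sysname PE1\n#\nevpn enhancement port 1345\n#\nacl number 3000\n"
       " rule 5 permit ip source 3.3.3.3 0 destination 4.4.4.4 0\n#\n" + IKE +
       "ike peer b\n pre-shared-key %$%$cipher-text$%$%\n remote-address 6.6.6.6\n#\n"
       "ipsec policy map1 10 isakmp\n security acl 3000\n ike-peer b\n"
       " local-address 5.5.5.5\n#\ninterface Nve1\n source 3.3.3.3\n"
       " bypass source 1.1.1.1\n#\nreturn\n")
# PE2 mirrors PE1 apart from its bypass address; its IKE peer is deliberately
# left pointing at a PE loopback so that the checker has something to report.
PE2 = (PE1.replace("sysname PE1", "sysname PE2")
          .replace("bypass source 1.1.1.1", "bypass source 2.2.2.2")
          .replace("remote-address 6.6.6.6", "remote-address 2.2.2.2"))
CPE = ("sysname CPE\n#\n" + IKE + "ike peer 1\n pre-shared-key %$%$cipher-text$%$%\n"
       " remote-address 5.5.5.5\n#\nipsec policy-template temp1 1\n ike-peer 1\n"
       " local-address 6.6.6.6\n#\ninterface Nve1\n source 4.4.4.4\n#\nreturn\n")

# Algorithm tokens that should not appear in a current IKE proposal (assumed list).
WEAK = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}

def parse_blocks(text):
    """Map each block header (e.g. 'ike peer b') to its indented lines."""
    blocks, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "#":
            current = None
        elif not stripped or stripped == "return":
            continue
        elif current is None:
            current = stripped
            blocks[current] = []
        else:
            blocks[current].append(stripped)
    return blocks

def find(blocks, prefix):
    """First block header starting with prefix, e.g. find(b, 'ike peer ')."""
    return next((h for h in blocks if h.startswith(prefix)), None)

def attr(blocks, header, key):
    """Argument of `key` inside block `header`, or None when absent."""
    for line in blocks.get(header, []):
        if line.startswith(key + " "):
            return line[len(key) + 1:]
    return None

def check_site(pe_texts, cpe_text):
    """Return the problems found; an empty list means the configs agree."""
    pes, cpe = [parse_blocks(t) for t in pe_texts], parse_blocks(cpe_text)
    name = lambda b: find(b, "sysname ").split()[1]
    problems = []
    # Both PEs must present the same anycast VTEP, so the CPE sees one peer...
    vteps = {attr(b, "interface Nve1", "source") for b in pes}
    if len(vteps) != 1:
        problems.append(f"anycast VTEP source differs across PEs: {sorted(map(str, vteps))}")
    # ...and the UDP port that suppresses duplicated packets must be identical.
    if len({find(b, "evpn enhancement port ") for b in pes}) != 1:
        problems.append("evpn enhancement port differs between the PEs")
    # IKE proposal 10 must be identical everywhere and free of legacy algorithms.
    ref = sorted(cpe.get("ike proposal 10", []))
    for b in pes:
        if sorted(b.get("ike proposal 10", [])) != ref:
            problems.append(f"{name(b)}: IKE proposal 10 differs from the CPE")
    for item in ref:
        if set(item.split()) & WEAK:
            problems.append(f"legacy IKE algorithm configured: {item}")
    # Each side's IKE peer must address the other side's local-address.
    cpe_local = attr(cpe, find(cpe, "ipsec policy-template "), "local-address")
    cpe_remote = attr(cpe, find(cpe, "ike peer "), "remote-address")
    for b in pes:
        remote = attr(b, find(b, "ike peer "), "remote-address")
        local = attr(b, find(b, "ipsec policy "), "local-address")
        if remote != cpe_local:
            problems.append(f"{name(b)}: IKE peer remote-address {remote} "
                            f"!= CPE local-address {cpe_local}")
        if local != cpe_remote:
            problems.append(f"{name(b)}: policy local-address {local} "
                            f"!= CPE IKE peer remote-address {cpe_remote}")
    # The ACL that steers traffic into IPSec must select the VTEP-to-VTEP flow.
    want = (f"source {next(iter(vteps))} 0 destination "
            f"{attr(cpe, 'interface Nve1', 'source')} 0")
    for b in pes:
        if not any(want in rule for rule in b.get("acl number 3000", [])):
            problems.append(f"{name(b)}: ACL 3000 does not select {want}")
    return problems

if __name__ == "__main__":
    for issue in check_site([PE1, PE2], CPE) or ["no inconsistencies found"]:
        print(issue)
```

Run as a script it prints its findings; on the constructed input it reports only the PE2 IKE peer whose remote address points at a PE loopback instead of the CPE's local address. In practice the same function can be fed the saved output of `display current-configuration` from each device, and the IKE-proposal check is the place to extend when your own policy forbids further algorithms.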

Configuration Files

  • PE1 configuration file

    #
    sysname PE1
    #
    evpn enhancement port 1345
    #
    evpn
     vlan-extend private enable
     vlan-extend redirect enable
     local-remote frr enable
     bypass-vxlan enable
    #
    evpn vpn-instance evpn1 bd-mode
     route-distinguisher 11:11
     vpn-target 1:1 export-extcommunity
     vpn-target 1:1 import-extcommunity
    #
    bridge-domain 10
     vxlan vni 10 split-horizon-mode
     evpn binding vpn-instance evpn1
    #
    acl number 3000
     rule 5 permit ip source 3.3.3.3 0 destination 4.4.4.4 0
    #
    isis 1
     network-entity 10.0000.0000.0001.00
     frr
    #
    license
     active ipsec slot 1
    #
    service-location 1
     location slot 1
    #
    service-instance-group group1
     service-location 1
    #
    ike proposal 10
     encryption-algorithm aes-cbc 256
     dh group14
     authentication-algorithm sha2-256 
     integrity-algorithm hmac-sha2-256
    #
    ike peer b
     pre-shared-key %$%$THBGMJK2659z"C(T{J"-,.2n%$%$
     ike-proposal 10
     remote-address 6.6.6.6
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256  
     esp encryption-algorithm aes 256
    #                                         
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer b
     proposal tran1
     local-address 5.5.5.5
    # 
    interface Eth-Trunk1
     esi 0000.0001.0001.0001.0001
    #
    interface Eth-Trunk1.1 mode l2
     encapsulation dot1q vid 1
     rewrite pop single
     bridge-domain 10
    #
    interface GigabitEthernet 0/1/1
     undo shutdown
     ip address 10.1.20.1 255.255.255.0
    #
    interface GigabitEthernet 0/1/2
     undo shutdown
     eth-trunk 1
    #
    interface GigabitEthernet 0/1/3
     undo shutdown
     ip address 10.1.1.1 255.255.255.0
    #
    interface LoopBack0
     ip address 1.1.1.1 255.255.255.255
     isis enable 1
    #
    interface LoopBack1
     ip address 3.3.3.3 255.255.255.255
     isis enable 1
    #
    interface LoopBack2
     ip address 5.5.5.5 255.255.255.255
     isis enable 1
    #
    interface Nve1
     source 3.3.3.3
     bypass source 1.1.1.1
     mac-address 0009-0009-0009
     vni 10 head-end peer-list protocol bgp
     vni 10 head-end peer-list 4.4.4.4
    #
    bgp 100
     peer 2.2.2.2 as-number 100
     peer 2.2.2.2 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 2.2.2.2 enable
    #
     l2vpn-family evpn
      undo policy vpn-target
      peer 2.2.2.2 enable
      peer 2.2.2.2 advertise encap-type vxlan
    #
    interface Tunnel1
     ip address 11.1.1.1 255.255.255.255
     tunnel-protocol ipsec
     ipsec policy map1 service-instance-group group1
    #
    ip route-static 6.6.6.6 255.255.255.255 GigabitEthernet0/1/3 10.1.1.2
    ip route-static 4.4.4.4 255.255.255.255 Tunnel1 6.6.6.6
    #
    return

  • PE2 configuration file

    #
    sysname PE2
    #
    evpn enhancement port 1345
    #
    evpn
     vlan-extend redirect enable
     vlan-extend private enable
     local-remote frr enable
     bypass-vxlan enable
    #
    evpn vpn-instance evpn1 bd-mode
     route-distinguisher 22:22
     vpn-target 1:1 export-extcommunity
     vpn-target 1:1 import-extcommunity
    #
    bridge-domain 10
     vxlan vni 10 split-horizon-mode
     evpn binding vpn-instance evpn1
    #
    acl number 3000
     rule 5 permit ip source 3.3.3.3 0 destination 4.4.4.4 0
    #
    service-location 1
     location slot 1
    #
    service-instance-group group1
     service-location 1
    #
    ike proposal 10
     encryption-algorithm aes-cbc 256
     dh group14
     authentication-algorithm sha2-256 
     integrity-algorithm hmac-sha2-256
    #
    ike peer b
     pre-shared-key %$%$THBGMJK2659z"C(T{J"-,.2n%$%$
     ike-proposal 10
     remote-address 6.6.6.6
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256  
     esp encryption-algorithm aes 256
    #                                         
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer b
     proposal tran1
     local-address 5.5.5.5
    #
    isis 1
     network-entity 10.0000.0000.0002.00
     frr
    #
    interface Eth-Trunk1
     esi 0000.0001.0001.0001.0001
    #
    interface Eth-Trunk1.1 mode l2
     encapsulation dot1q vid 1
     rewrite pop single
     bridge-domain 10
    #
    interface GigabitEthernet 0/1/1
     undo shutdown
     ip address 10.1.20.2 255.255.255.0
    #
    interface GigabitEthernet 0/1/2
     undo shutdown
     eth-trunk 1
    #
    interface GigabitEthernet 0/1/3
     undo shutdown
     ip address 10.1.2.1 255.255.255.0
    #
    interface LoopBack0
     ip address 2.2.2.2 255.255.255.255
     isis enable 1
    #
    interface LoopBack1
     ip address 3.3.3.3 255.255.255.255
     isis enable 1
    #
    interface LoopBack2
     ip address 5.5.5.5 255.255.255.255
     isis enable 1
    #
    interface Nve1
     source 3.3.3.3
     bypass source 2.2.2.2
     mac-address 0009-0009-0009
     vni 10 head-end peer-list protocol bgp
     vni 10 head-end peer-list 4.4.4.4
    #
    bgp 100
     peer 1.1.1.1 as-number 100
     peer 1.1.1.1 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 1.1.1.1 enable
     #
     l2vpn-family evpn
      undo policy vpn-target
      peer 1.1.1.1 enable
      peer 1.1.1.1 advertise encap-type vxlan
     #
    interface Tunnel1 
     ip address 11.1.1.1 255.255.255.255
     tunnel-protocol ipsec
     ipsec policy map1 service-instance-group group1
    #
    ip route-static 6.6.6.6 255.255.255.255 GigabitEthernet0/1/3 10.1.2.1        
    ip route-static 4.4.4.4 255.255.255.255 Tunnel1 6.6.6.6   
    #
    return
    
  • CE1 configuration file

    #
    sysname CE1
    #
    vlan batch 1 to 4094
    #
    interface Eth-Trunk1
     portswitch
     port link-type trunk
     port trunk allow-pass vlan 1
    #
    interface GigabitEthernet 0/1/1
     undo shutdown
     eth-trunk 1
    #
    interface GigabitEthernet 0/1/2
     undo shutdown
     eth-trunk 1
    #
    return
    
  • CPE configuration file

    #
    sysname CPE
    #
    bridge-domain 10
     vxlan vni 10 split-horizon-mode
    #
    acl number 3000
     rule 5 permit ip
    #
    service-location 1
     location slot 1
    #
    service-instance-group group1
     service-location 1
    #
    ike proposal 10
     encryption-algorithm aes-cbc 256
     dh group14
     authentication-algorithm sha2-256 
     integrity-algorithm hmac-sha2-256
    #
    ike peer 1
     pre-shared-key %$%$THBGMJK2659z"C(T{J"-,.2n%$%$
     ike-proposal 10
     remote-address 5.5.5.5
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256  
     esp encryption-algorithm aes 256
    #                                         
    ipsec policy-template temp1 1
     security acl 3000
     ike-peer 1
     proposal tran1
     local-address 6.6.6.6
    #
    ipsec policy 1 1 isakmp template temp1
    #
    isis 1
     network-entity 20.0000.0000.0001.00
     frr
    #
    interface GigabitEthernet 0/1/1
     undo shutdown
     ip address 10.1.1.2 255.255.255.0
     isis enable 1
    #
    interface GigabitEthernet 0/1/1.1 mode l2
     encapsulation dot1q vid 10
     rewrite pop single
     bridge-domain 10
    #
    interface LoopBack0
     ip address 4.4.4.4 255.255.255.255
     isis enable 1
    #
    interface LoopBack1
     ip address 6.6.6.6 255.255.255.255
     isis enable 1
    #
    interface Nve1
     source 4.4.4.4
     vni 10 head-end peer-list 3.3.3.3
    #
    interface Tunnel1
     ip address 22.2.2.2 255.255.255.255
     tunnel-protocol ipsec
     ipsec policy 1 service-instance-group group1
    #
    ip route-static 5.5.5.5 255.255.255.255 GigabitEthernet0/1/1 10.1.1.1
    #
    return
    
Updated: 2019-01-02

Document ID: EDOC1100055378