Configuration Guide - VPN 01

NE05E and NE08E V300R003C10SPC500

Configuring and Applying a Tunnel Selector

After a tunnel selector is configured, tunnel policies can be selected for routes. This improves the flexibility of tunnel policy application.

Usage Scenario

In BGP/MPLS IP VPN networking, tunnel policies apply to VPN instances, and all the routes of a VPN instance are iterated to the same tunnel. In inter-AS VPN Option B networking, the ASBR receives all VPNv4 or VPNv6 routes from PE peers and has these routes iterated to LSPs or, if bandwidth guarantee is required, MPLS TE tunnels. If VPN instances are not expected to be created on the ASBR, tunnel policies cannot be configured on the ASBR.

In inter-AS VPN Option C networking, a device cannot iterate labeled routes to TE tunnels to guarantee bandwidth or implement load balancing among BGP LSPs by default.

The tunnel selector is introduced to address these problems.

The tunnel selector can apply tunnel policies to VPNv4 routes (VPNv6 routes) or labeled BGP routes. The tunnel policies will select proper tunnels for the routes.

Pre-configuration Tasks

Before configuring a tunnel selector, complete the following tasks:

  • Configure a tunnel policy.

  • Configure an RD filter if the RD will be used for route filtering.

  • Configure an access control list (ACL) or IPv4 prefix list if the IPv4 next hop will be used for route filtering.

  • Configure an IPv6 access control list (ACL6) or IPv6 prefix list if the IPv6 next hop will be used for route filtering.

Configuration Procedures

Figure 2-2 Flowchart for configuring and applying a tunnel selector

Configuring a Tunnel Selector

A tunnel selector comprises if-match and apply clauses. The if-match clause defines route filtering rules, whereas the apply clause applies a tunnel policy to filtered routes.

Context

A tunnel selector allows routes to be iterated to proper tunnels as expected.

A tunnel selector comprises the following parts:
  • if-match clause: filters routes by route attribute, such as the RD and next hop.

  • apply clause: applies a tunnel policy to routes filtered by the if-match clause.

Perform the following steps on the PE or ASBR where a tunnel policy needs to be applied.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run tunnel-selector tunnel-selector-name { permit | deny } node node

    A tunnel selector is created, and the view of the tunnel selector is displayed.

    By default, a tunnel selector is not created.

  3. (Optional) Configure the if-match clause.

    NOTE:

    If the if-match clause is not configured, all routes are permitted.

    Run the following commands as needed to configure one or more route filtering rules. If you skip this step, all VPNv4, VPNv6, or labeled BGP-IPv4 routes are permitted.

    1. To match the RDs of routes, run the if-match rd-filter rd-filter-number command.

      
      

    2. To match the IPv4 next hops of routes, run the if-match ip next-hop { acl { acl-number | acl-name } | ip-prefix ip-prefix-name } command.

      NOTE:
      The acl { acl-number | acl-name } parameter can be used only if either or both of the following steps have been performed:
      • Configure a basic ACL rule.
        1. Run acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } | [ number ] basic-acl-number } [ match-order { config | auto } ]

          The ACL view is displayed.

        2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name | vpn-instance vpn-instance-name ] *

          A basic ACL rule is configured.

      • Configure an advanced ACL rule.
        1. Run acl { name advance-acl-name [ advance | [ advance ] number advance-acl-number ] | [ number ] advance-acl-number } [ match-order { config | auto } ]

          The ACL view is displayed.

        2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } ip [ destination { destination-ip-address { destination-wildcard | 0 } | any } | source { source-ip-address { source-wildcard | 0 } | any } | time-range time-name] *

          An advanced ACL rule is configured.

      The rules for using the permit and deny keywords are as follows:
      • If the action specified in an ACL rule is permit, a route that has matched this rule is considered to have passed the check by the if-match clause.

      • If the action specified in an ACL rule is deny, a route that has matched this rule is considered to have failed the check by the if-match clause.

      • If a route has not matched any ACL rules, the route is considered to have failed the check by the if-match clause.

      • If an ACL does not contain any rules, all routes are considered to have failed the check by the if-match clause.

      • In a tunnel-selector where the first node is a permit node, if a route has passed the check by the if-match clause, the system will take the action specified in the apply clause on this route. If the route has not passed the check by the if-match clause, the system will take the action specified in the apply clause in the next node in the tunnel-selector.

      • In a tunnel-selector where the first node is a deny node, if a route has passed the check by the if-match clause, the system will not take the action specified in the apply clause on this route. If the route has not passed the check by the if-match clause, the system will take the action specified in the apply clause in the next node in the tunnel-selector.

    3. To match the IPv6 next hops of routes, run the if-match ipv6 next-hop prefix-list ipv6-prefix-name command.
    4. To match the IP prefixes of routes, run the if-match ip-prefix command.
    5. To match the community attributes of routes, run the if-match community-filter command.
  4. Run apply tunnel-policy tunnel-policy-name

    A tunnel policy is applied to the routes.

    By default, the tunnel policy is not applied.

  5. Run commit

    The configuration is committed.
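
The following Python model is an added example, not part of the original guide or of Huawei software. It traces how the if-match check and the permit/deny node rules described in step 3 decide which tunnel policy a route receives. It assumes nodes are evaluated in ascending node number, ACL rules are checked in configuration order, and a route that passes a deny node is left on the default LSP; the selector contents, policy names, and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

DEFAULT = "LSP (default)"  # page: routes filtered out are iterated to LSPs by default

def _u32(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

@dataclass
class AclRule:
    action: str    # "permit" or "deny"
    source: str    # source-ip-address
    wildcard: str  # source-wildcard: a 0 bit must match, a 1 bit is ignored

    def matches(self, next_hop: str) -> bool:
        care = ~_u32(self.wildcard) & 0xFFFFFFFF
        return (_u32(next_hop) & care) == (_u32(self.source) & care)

def acl_passes(rules: list, next_hop: str) -> bool:
    """Outcome of the if-match check against an ACL, per the rules listed above."""
    for rule in rules:  # assumption: match-order config, first matching rule decides
        if rule.matches(next_hop):
            return rule.action == "permit"
    return False        # no rule matched, or the ACL contains no rules

@dataclass
class Node:
    number: int
    mode: str                            # "permit" or "deny"
    tunnel_policy: Optional[str] = None  # apply tunnel-policy
    acl: Optional[list] = None           # None models a node with no if-match clause

def select_tunnel_policy(nodes: list, next_hop: str) -> str:
    for node in sorted(nodes, key=lambda n: n.number):  # assumption: ascending order
        if node.acl is not None and not acl_passes(node.acl, next_hop):
            continue                     # check failed: evaluate the next node
        if node.mode == "permit" and node.tunnel_policy:
            return node.tunnel_policy
        return DEFAULT                   # deny node: the apply clause is not taken
    return DEFAULT

# Constructed sample selector (names and addresses are illustrative only).
TPS = [
    Node(10, "deny", acl=[AclRule("permit", "10.9.9.9", "0.0.0.0")]),
    Node(20, "permit", "policy1", acl=[AclRule("deny", "4.4.4.5", "0.0.0.0"),
                                       AclRule("permit", "4.4.4.0", "0.0.0.255")]),
    Node(30, "permit", "policy2", acl=[]),  # empty ACL: every route fails the check
]
```

Node 30 shows the case worth checking during review: an ACL that exists but contains no rules never passes a route, so policy2 is never applied.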

Applying a Tunnel Selector

After a tunnel selector is configured, it needs to be applied to VPNv4, VPNv6 or labeled BGP routes. The mode in which a tunnel selector is applied to routes varies according to the route type.

Context

The system can use a tunnel selector to have routes iterated to a proper tunnel only after the tunnel selector is applied to the routes on the PE or ASBR.

A tunnel selector applies to the following types of routes:
  • VPNv4 routes: A tunnel selector can be applied to a BGP-VPNv4 address family so that the ASBR in inter-AS VPN Option B networking can apply tunnel policies to VPNv4 routes and have the routes iterated to proper tunnels.

  • VPNv6 routes: A tunnel selector can be applied to a BGP-VPNv6 address family so that the ASBR in inter-AS VPN Option B networking can apply tunnel policies to VPNv6 routes and have the routes iterated to proper tunnels.

  • Labeled BGP-IPv4 routes: A tunnel selector can be applied to a BGP-IPv4 unicast address family so that the PE in inter-AS VPN Option C networking can apply tunnel policies to labeled BGP-IPv4 routes.

Perform the following steps on the PE or ASBR where a tunnel selector needs to be applied:

Procedure

  • Apply a tunnel selector to VPNv4 routes.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

      By default, BGP is disabled.

    3. Run ipv4-family vpnv4

      The BGP-VPNv4 address family view is displayed.

      By default, the BGP-VPNv4 address family view is disabled.

    4. Run tunnel-selector tunnel-selector-name

      A tunnel selector is applied to VPNv4 routes on the local device.

      After the tunnel selector is applied to VPNv4 routes, the VPNv4 routes filtered by the if-match clause will be iterated to a tunnel according to the tunnel policy specified in the apply clause. The VPNv4 routes filtered out by the if-match clause are iterated to LSPs by default.

      By default, a tunnel selector is not applied.

    5. Run commit

      The configuration is committed.

  • Apply a tunnel selector to VPNv6 routes.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-family vpnv6

      The BGP-VPNv6 address family view is displayed.

    4. Run tunnel-selector tunnel-selector-name

      A tunnel selector is applied to VPNv6 routes on the local device.

      After the tunnel selector is applied to VPNv6 routes, the VPNv6 routes filtered by the if-match clause will be iterated to a tunnel according to the tunnel policy specified in the apply clause. The VPNv6 routes filtered out by the if-match clause are iterated to LSPs by default.

    5. Run commit

      The configuration is committed.

  • Apply a tunnel selector to the labeled BGP-IPv4 routes.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run tunnel-selector tunnel-selector-name [ all ]

      A tunnel selector is applied to the labeled BGP-IPv4 routes on the local device.

      After the tunnel selector is applied to the labeled BGP-IPv4 routes, the labeled routes filtered by the if-match clause will be iterated to a tunnel according to the tunnel policy specified in the apply clause. The labeled BGP-IPv4 routes matching the if-match clause are iterated to LSPs by default.

      In an inter-AS VPN Option C scenario, to implement tunnel-based load-balancing among labeled BGP routes, run the tunnel-selector tunnel-selector-name all command to configure a tunnel selector on the ASBR. If the all parameter is used, the tunnel selector applies to all BGP IPv4 unicast routes, including labeled routes, imported routes, and network segment routes.

    4. Run commit

      The configuration is committed.

Verifying the Tunnel Selector Configuration

After configuring and applying a tunnel selector, run the following commands to check information about the tunnel selector and tunnel policy in the system.

Procedure

  1. Run the display tunnel-selector tunnel-selector-name command to check detailed information about a tunnel selector.
  2. Run the display tunnel-policy tunnel-policy-name command to check information about the apply clause of a tunnel selector.
  3. Run the display bgp vpnv4 all routing-table ipv4-address [ mask [ longer-prefixes ] | mask-length [ longer-prefixes ] ] command to check information about the tunnels to which VPNv4 routes on the ASBR are iterated.
  4. Run the display bgp vpnv6 all routing-table ipv6-address [ prefix-length ] command to check information about the tunnels to which VPNv6 routes on the ASBR are iterated.
  5. Run the display ip routing-table ip-address [ mask | mask-length ] [ longer-match ] verbose command to check information about the tunnels to which labeled BGP-IPv4 routes on the PE are iterated.
  6. Run the display ipv6 routing-table ipv6-address [ prefix-length ] [ longer-match ] verbose command to check information about the tunnels to which the labeled BGP-IPv6 routes on the PE are iterated.
  7. Run the display tunnel-info { tunnel-id tunnel-id | all | statistics } command to check information about tunnels in the system.

Example

Run the display tunnel-selector tunnel-selector-name command. The command output shows detailed information about the configured tunnel selector, including the contents of the if-match and apply clauses.

<HUAWEI> display tunnel-selector
tunnel-selector: tps
  permit : 10
    Match clauses:
        if-match ip next-hop ip-prefix ipv4prefix
    Apply clauses:
        apply tunnel-policy policy1

Run the display tunnel-policy tunnel-policy-name command. The command output shows information about the tunnel policy specified in the apply clause.

<HUAWEI> display tunnel-policy policy1
The number of binding:1
Tunnel Policy Name                      Destination     Tunnel Intf                             Ignore-dest-check   Down Switch
-------------------------------------------------------------------------------------------------------------------------------
policy1                                 4.4.4.4         Tunnel1                                 Disable             Disable

Run the display bgp vpnv4 all routing-table ipv4-address [ mask [ longer-prefixes ] | mask-length [ longer-prefixes ] ] command. The command output shows information about the tunnels to which VPNv4 routes on the ASBR are iterated.

<HUAWEI> display bgp vpnv4 all routing-table 11.11.11.11
 BGP local router ID : 172.16.1.1
 Local AS number : 100

 Total routes of Route Distinguisher(100:1): 1
 BGP routing table entry information of 10.10.10.10/32:
 Label information (Received/Applied): 16/16
 From: 1.1.1.9 (10.1.1.2)
 Route Duration: 0d01h10m10s
 Relay IP Nexthop: 172.16.1.2
 Relay IP Out-interface: GigabitEthernet0/1/0
 Relay Tunnel Out-Interface: GigabitEthernet0/1/0
 Original nexthop: 1.1.1.9
 Qos information : 0x0
 Ext-Community: RT <1 : 1>
 AS-path 65001, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, b
est, select, pre 255
 Advertised to such 1 peers:
    192.168.1.2

Run the display ip routing-table ip-address [ mask | mask-length ] verbose command. The command output shows information about the tunnels to which labeled routes on the PE are iterated.

<HUAWEI> display ip routing-table 1.1.1.1 verbose
Route Flags: R - relay, D - download
to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : _Public_
Summary Count : 1

Destination: 1.1.1.1/32
     Protocol: IBGP             Process ID: 1
   Preference: 255                   Cost: 1
      NextHop: 10.1.1.1        Neighbour: 10.1.1.1
        State: Active Adv             Age: 01h46m15s
          Tag: 0                 Priority: 0
        Label: 15360              QoSInfo: 0x0
   IndirectID: 0x0
 RelayNextHop: 0.0.0.0          Interface: GigabitEthernet0/1/0
     TunnelID: 0x1000004           Flags:  D

Run the display tunnel-info all command. The command output shows tunnel information of the system, including the tunnel type, tunnel ID, and destination address.

<HUAWEI> display tunnel-info all
Tunnel ID               Type              Destination          Status
----------------------------------------------------------------------
0x000000000300000001    te                3.3.3.3              up
0x000000000300000002    te                2.2.2.2              down
0x000000000300000003    te                192.168.2.0          up
Updated: 2019-01-14

Document ID: EDOC1100058925
