Configuration Guide - VPN 01

NE05E and NE08E V300R003C10SPC500

Configuring a VPN Instance

A VPN instance can be configured on a PE to manage VPN routes.

Context

In Hub and Spoke networking, the PE connected to a central site (Hub site) is called the Hub-PE and a PE connected to a non-central site (Spoke site) is called a Spoke-PE. Spoke-PEs and the Hub-PE must have VPN instances configured. If the Hub-PE and Hub-CE are connected through dual links, the Hub-PE must have two VPN instances configured, for example, vpn_in and vpn_out. If the Hub-PE and Hub-CE are connected through a single link, the Hub-PE needs only one VPN instance, for example, vpnhub.

NOTE:

Steps 1 to 8 are performed to configure one VPN instance. Configurations of different VPN instances are similar. Note that different VPN instances on the same device must have different names, RDs, and descriptions.

Procedure

  • Configure the Spoke-PE.
    1. Run system-view

      The system view is displayed.

    2. Run ip vpn-instance vpn-instance-name1

      The VPN instance view of vpn-in is displayed.

    3. (Optional) Run description description-information

      A description of the VPN instance is configured.

      The description is used to record the purpose of creating the VPN instance and the CEs with which the VPN instance sets up connections.

    4. Run ipv4-family

      The VPN instance IPv4 address family view is displayed.

    5. Run route-distinguisher route-distinguisher

      An RD is configured for the VPN instance IPv4 address family.

      The VPN instance IPv4 address family takes effect only after an RD is configured. Before configuring an RD, you can configure only the description about the VPN instance. No other parameters can be configured.

    6. Run vpn-target vpn-target2 &<1-8> import-extcommunity

      The VPN target extended community is configured for the VPN instance IPv4 address family to receive the VPNv4 routes advertised by the Hub-PE.

      vpn-target2 must be in the export VPN target list configured on the Hub-PE.

    7. Run vpn-target vpn-target1 &<1-8> export-extcommunity

      The VPN target extended community is configured for the VPN instance IPv4 address family to advertise the routes of the sites the Spoke-PEs access.

      vpn-target1 must be in the import VPN target list configured on the Hub-PE.

    8. (Optional) Run import route-policy policy-name

      A routing policy for importing VPN routes is configured.

      In addition to using VPN targets to control VPN route sending and receiving, an import routing policy can be used to filter routes imported to the VPN instance IPv4 address family or modify route attributes so that VPN route receiving can be better controlled.

    9. (Optional) Run export route-policy policy-name [ add-ert-first ]

      A routing policy for exporting VPN routes is configured.

      In addition to using VPN targets to control VPN route sending and receiving, an export routing policy can be used to filter routes to be advertised to other PEs or modify route attributes so that VPN route sending can be better controlled.

      By default, VPN routes are matched against the export routing policy before ERTs are added to them, so any RT-related filtering rules in the policy cannot apply to these routes. To apply the RT-related filtering rules defined in an export routing policy to VPN routes, specify the add-ert-first parameter so that the system adds ERTs to VPN routes before matching these routes against the export routing policy.

    10. (Optional) Run apply-label per-instance

      MPLS label allocation based on the VPN instance IPv4 address family is configured. Then, all the routes of the VPN instance IPv4 address family use the same label.

      Generally, each route is assigned one label (one label per route).

    11. Run commit

      The configuration is committed.

  • Configure the Hub-PE. (Hub-CE accessing through dual links)
    1. Run system-view

      The system view is displayed.

    2. Run ip vpn-instance vpn-instance-name1

      The VPN instance view of vpn-in is displayed.

    3. (Optional) Run description description-information

      A description of the VPN instance is configured.

      The description is used to record the purpose of creating the VPN instance and the CEs with which the VPN instance sets up connections.

    4. Run ipv4-family

      The VPN instance IPv4 address family view is displayed.

    5. Run route-distinguisher route-distinguisher

      An RD is configured for the VPN instance IPv4 address family.

      The VPN instance IPv4 address family takes effect only after an RD is configured. Before configuring an RD, you can configure only the description about the VPN instance. No other parameters can be configured.

    6. Run vpn-target vpn-target1 &<1-8> import-extcommunity

      The VPN target extended community is configured for the VPN instance IPv4 address family to receive the VPNv4 routes advertised by all the Spoke-PEs.

      The vpn-target1 list here must contain the export VPN targets configured on all the Spoke-PEs.

    7. (Optional) Run import route-policy policy-name

      A routing policy for importing VPN routes is configured.

      In addition to using VPN targets to control VPN route sending and receiving, an import routing policy can be used to filter routes imported to the VPN instance IPv4 address family or modify route attributes so that VPN route receiving can be better controlled.

    8. (Optional) Run export route-policy policy-name [ add-ert-first ]

      A routing policy for exporting VPN routes is configured.

      In addition to using VPN targets to control VPN route sending and receiving, an export routing policy can be used to filter routes to be advertised to other PEs or modify route attributes so that VPN route sending can be better controlled.

      By default, VPN routes are matched against the export routing policy before ERTs are added to them, so any RT-related filtering rules in the policy cannot apply to these routes. To apply the RT-related filtering rules defined in an export routing policy to VPN routes, specify the add-ert-first parameter so that the system adds ERTs to VPN routes before matching these routes against the export routing policy.

    9. Run commit

      The configuration is committed.

    10. Run quit

      Return to the system view.

    11. Run ip vpn-instance vpn-instance-name2

      The VPN instance view of vpn-out is displayed.

    12. (Optional) Run description description-information

      A description of the VPN instance is configured.

      The description is used to record the purpose of creating the VPN instance and the CEs with which the VPN instance sets up connections.

    13. Run ipv4-family

      The VPN instance IPv4 address family view is displayed.

    14. Run route-distinguisher route-distinguisher

      An RD is configured for the VPN instance IPv4 address family.

      The VPN instance IPv4 address family takes effect only after an RD is configured. Before configuring an RD, you can configure only the description about the VPN instance. No other parameters can be configured.

    15. Run vpn-target vpn-target2 &<1-8> export-extcommunity

      The VPN target extended community is configured for the VPN instance IPv4 address family to advertise the routes of all the hub and spoke sites.

      The vpn-target2 list here must contain the import VPN targets configured on all the Spoke-PEs.

    16. (Optional) Run import route-policy policy-name

      A routing policy for importing VPN routes is configured.

      In addition to using VPN targets to control VPN route sending and receiving, an import routing policy can be used to filter routes imported to the VPN instance IPv4 address family or modify route attributes so that VPN route receiving can be better controlled.

    17. (Optional) Run export route-policy policy-name [ add-ert-first ]

      A routing policy for exporting VPN routes is configured.

      In addition to using VPN targets to control VPN route sending and receiving, an export routing policy can be used to filter routes to be advertised to other PEs or modify route attributes so that VPN route sending can be better controlled.

      By default, VPN routes are matched against the export routing policy before ERTs are added to them, so any RT-related filtering rules in the policy cannot apply to these routes. To apply the RT-related filtering rules defined in an export routing policy to VPN routes, specify the add-ert-first parameter so that the system adds ERTs to VPN routes before matching these routes against the export routing policy.

    18. (Optional) Run apply-label per-instance

      MPLS label allocation based on the VPN instance IPv4 address family is configured. Then, all the routes of the VPN instance IPv4 address family use the same label.

      Generally, each route is assigned one label (one label per route).

    19. Run commit

      The configuration is committed.

  • Configure the Hub-PE. (Hub-CE accessing through a single link)
    1. Run system-view

      The system view is displayed.

    2. Run ip vpn-instance vpn-instance-name1

      The VPN instance view of vpnhub is displayed.

    3. (Optional) Run description description-information

      A description of the VPN instance is configured.

      The description is used to record the purpose of creating the VPN instance and the CEs with which the VPN instance sets up connections.

    4. Run ipv4-family

      The VPN instance IPv4 address family view is displayed.

    5. Run route-distinguisher route-distinguisher

      An RD is configured for the VPN instance IPv4 address family.

      The VPN instance IPv4 address family takes effect only after an RD is configured. Before configuring an RD, you can configure only the description about the VPN instance. No other parameters can be configured.

    6. Run vpn-target vpn-target1 &<1-8> import-extcommunity

      The VPN target extended community is configured for the VPN instance IPv4 address family to receive the VPNv4 routes advertised by all the Spoke-PEs.

      The vpn-target1 list here must contain the export VPN targets configured on all the Spoke-PEs.

    7. Run vpn-target vpn-target2 &<1-8> export-extcommunity

      The VPN target extended community is configured for the VPN instance IPv4 address family to advertise the routes of all the hub and spoke sites.

      The vpn-target2 list here must contain the import VPN targets configured on all the Spoke-PEs.

    8. (Optional) Run import route-policy policy-name

      A routing policy for importing VPN routes is configured.

      In addition to using VPN targets to control VPN route sending and receiving, an import routing policy can be used to filter routes imported to the VPN instance IPv4 address family or modify route attributes so that VPN route receiving can be better controlled.

    9. Run export route-policy policy-name [ add-ert-first ]

      An export routing policy is configured for the VPN instance IPv4 address family.

      Before performing this step, you must create a routing policy that filters only default routes according to Overview of Routing Policies. Then perform this step to enable the Hub-PE to advertise only default routes to Spoke-PEs.

      By default, VPN routes are matched against the export routing policy before export VPN targets (RTs) are added to them, so any RT-related filtering rules in the policy cannot apply to these routes. To apply the RT-related filtering rules defined in an export routing policy to VPN routes, specify the add-ert-first parameter so that the system adds export RTs to VPN routes before matching these routes against the export routing policy.

    10. Run apply-label per-route pop-go

      The device is configured to assign a unique label to each BGP VPNv4 route sent to its remote peer and forward the labeled data packets received from the peer through outbound interfaces found in the local incoming label map (ILM) table.

      By default, the local device assigns a unique label to each VPNv4 route sent to its BGP VPNv4 peer, that is, one label per route. After the local device receives a labeled data packet from its BGP VPNv4 peer, the local device removes the label, searches the IP forwarding table for a forwarding entry based on the longest-match principle, and sends the packet based on the found forwarding entry.

      After the apply-label per-route pop-go command is configured, the Hub-PE records in the ILM table the mapping between the label assigned to each VPNv4 route and the outbound interface of the route when sending BGP VPNv4 routes to Spoke-PEs. After the Hub-PE receives a labeled data packet from a Spoke-PE, the Hub-PE searches the ILM table for the outbound interface based on the assigned label instead of searching the IP forwarding table based on the longest-match principle. Then the Hub-PE removes the label and forwards the data packet through the outbound interface. This prevents the data packet from being forwarded to another Spoke-PE without passing through the Hub-CE.

    11. Run commit

      The configuration is committed.
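The VPN target rules in the procedure above (each Spoke-PE export RT must be in the Hub-PE import list, each Spoke-PE import RT must be in the Hub-PE export list) can be checked offline against saved configurations. The following Python audit is an added example, not part of the original guide or Huawei tooling; the instance names, RDs and RTs in the sample configurations are constructed, and the third check (a Spoke-PE must not import an RT that Spoke-PEs export) is an added inference from the hub-and-spoke design rather than a rule stated on the page.

```python
import re
# Constructed sample configs; instance names, RDs and RTs are illustrative.
HUB_CFG = """
ip vpn-instance vpn_in
 ipv4-family
  route-distinguisher 100:10
  vpn-target 100:1 import-extcommunity
ip vpn-instance vpn_out
 ipv4-family
  route-distinguisher 100:11
  vpn-target 100:2 export-extcommunity
"""
SPOKE_OK = """
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:21
  vpn-target 100:2 import-extcommunity
  vpn-target 100:1 export-extcommunity
"""
# Misconfigured: also imports 100:1, the RT that Spoke-PEs export.
SPOKE_BAD = SPOKE_OK.replace("100:21", "100:22").replace(
    "vpn-target 100:2 import", "vpn-target 100:2 100:1 import")

RT_LINE = re.compile(r"^\s*vpn-target\s+(.+?)\s+(import|export)-extcommunity\s*$")

def parse_rts(cfg):
    """Return (import RTs, export RTs) found in a configuration text."""
    rts = {"import": set(), "export": set()}
    for line in cfg.splitlines():
        m = RT_LINE.match(line)
        if m:
            rts[m.group(2)].update(m.group(1).split())
    return rts["import"], rts["export"]

def audit(hub_cfg, spoke_cfgs):
    """Check the RT rules from the procedure; return (pe, problem) tuples."""
    hub_imp, hub_exp = parse_rts(hub_cfg)
    spoke_exp_all = set().union(*(parse_rts(c)[1] for c in spoke_cfgs.values()))
    findings = []
    for pe, cfg in sorted(spoke_cfgs.items()):
        imp, exp = parse_rts(cfg)
        if not exp <= hub_imp:
            findings.append((pe, "export RT missing from Hub-PE import list"))
        if not imp <= hub_exp:
            findings.append((pe, "import RT missing from Hub-PE export list"))
        # Added check (assumption, not stated on the page): no spoke-to-spoke import.
        if imp & spoke_exp_all:
            findings.append((pe, "imports a Spoke-PE export RT (hub bypass)"))
    return findings
```

Calling `audit(HUB_CFG, {"Spoke-PE1": SPOKE_OK, "Spoke-PE2": SPOKE_BAD})` reports two findings for Spoke-PE2 and none for Spoke-PE1. Because RTs are collected across all instances in a text, the same check works for a single-link Hub-PE with one instance.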
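The effect of apply-label per-route pop-go on a single-link Hub-PE, as described in step 10, can be seen in a small forwarding model. This Python sketch is an added example, not code from the guide or the device; the prefixes, label value and interface names are constructed, and the model assumes the Hub-PE advertises only the default route to Spoke-PEs, as step 9 requires.

```python
import ipaddress

# Constructed Hub-PE state (illustrative values). The vpnhub forwarding table
# holds the Spoke routes it imported plus the default route from the Hub-CE.
VPNHUB_FIB = {
    "0.0.0.0/0": "to-Hub-CE",
    "10.1.0.0/24": "to-Spoke-PE1",
    "10.2.0.0/24": "to-Spoke-PE2",
}
# Only the default route is advertised to Spoke-PEs. With pop-go, the ILM entry
# for its label records the outbound interface of that route.
DEFAULT_ROUTE_LABEL = 1024
ILM = {DEFAULT_ROUTE_LABEL: "to-Hub-CE"}

def longest_match(fib, dst):
    """Return the outbound interface of the most specific matching prefix."""
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in fib]
    best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen)
    return fib[str(best)]

def forward(label, dst, pop_go):
    """Outbound interface chosen by the Hub-PE for a labeled packet from a Spoke-PE."""
    if pop_go:
        # Label lookup in the ILM table; the IP forwarding table is not consulted.
        return ILM[label]
    # Default behaviour: remove the label, then longest-match IP lookup.
    return longest_match(VPNHUB_FIB, dst)

def bypasses_hub_ce(label, dst, pop_go):
    """True if the packet would leave toward a Spoke-PE without visiting the Hub-CE."""
    return forward(label, dst, pop_go) != "to-Hub-CE"
```

For a packet from Spoke-PE1 to 10.2.0.5, the default behaviour selects the more specific Spoke-PE2 route and bypasses the Hub-CE, while pop-go sends it to the Hub-CE.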

Updated: 2019-01-14

Document ID: EDOC1100058925
