Configuration Guide - VPN 01

NE05E and NE08E V300R003C10SPC500

Configuring an MCE (IPv6)

Multi-VPN-instance can be configured for routing protocols on a customer edge (CE) to isolate different types of services on a local area network (LAN).

Usage Scenario

Virtual private network (VPN) services are becoming increasingly refined and the demand for VPN service security is growing. Operators must isolate different types of VPN services on networks to meet this demand. The traditional Border Gateway Protocol (BGP)/Multiprotocol Label Switching (MPLS) VPN technology isolates VPN services by deploying one CE for each VPN, which is expensive and complicates network deployment. If multiple VPNs use the same CE to access upper-layer devices, these VPNs share the same routing and forwarding table, and data security for these VPNs cannot be ensured. The multi-VPN-instance CE (MCE) technology addresses the conflict between network costs and data security problems caused by multiple VPNs sharing the same CE.

On the network shown in Figure 6-12, the research and development (R&D) and sales departments of company X share the same LAN in city A. The two departments use the same CE to access the VPN backbone network. You can configure Open Shortest Path First (OSPF) multi-vpn-instance on the CE in city A and the provider edge (PE) to which the CE is connected to achieve the following objectives:
  • The sales departments in cities A and B can communicate with each other.
  • The R&D departments in cities A and C can communicate with each other.
  • The R&D departments are isolated from the sales departments.
Similar to OSPF multi-vpn-instance on a PE, each OSPF instance on the CE in city A serves as a virtual CE for each type of service. This CE is called an MCE. The MCE can isolate different types of services at low costs, ensuring service security.
Figure 6-12 MCE networking

Pre-configuration Tasks

Before configuring an MCE, complete the following tasks:

  • Configuring a VPN instance for each service on the MCE and the PE to which the MCE is connected (for details, see Configuring a VPN Instance)

  • Configuring link and network layer protocols for LAN interfaces, and connecting the LAN interface for each type of service to the MCE

  • Binding the MCE's interfaces and the PE's interfaces connected to the MCE to VPN instances (for details, see Binding Interfaces to a VPN Instance), and configuring IPv6 addresses for these interfaces

Configuration Procedures

Figure 6-13 Flowchart for configuring an MCE

Configuring a Routing Protocol on an MCE

To enable a multi-VPN-instance customer edge (MCE) to communicate with provider edge (PE) and virtual private network (VPN) devices, configure a routing protocol for each type of service on the MCE.

Context

An MCE can communicate with PEs and VPN devices using any of the following routing protocols: BGP4+, IPv6 static route, RIPng, OSPFv3, or IS-ISv6. Select one of the following configuration procedures:

Procedure

  • Configure EBGP on the MCE.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-family vpn-instance vpn-instance-name

      The BGP-VPN instance IPv6 address family view is displayed.

    4. Run peer ipv6-address as-number as-number

      A PE is configured as a VPN BGP peer for the MCE.

    5. (Optional) Run peer { ipv6-address | group-name } ebgp-max-hop [ hop-count ]

      The maximum number of hops between the MCE and its EBGP peer (the PE) is set.

      This step is mandatory if the MCE is not directly connected to the PE. Generally, EBGP peers are directly connected. If they are not directly connected, run the peer ebgp-max-hop command so that EBGP peers can establish a multi-hop Transmission Control Protocol (TCP) connection.

      The default value of hop-count is 255. If the maximum number of hops is set to 1, the MCE cannot establish an EBGP connection to a peer if they are not directly connected.

    6. Run commit

      The configuration is committed.

  • Configure a static route on the MCE.
    1. Run system-view

      The system view is displayed.

    2. Run ipv6 route-static vpn-instance vpn-source-name destination-ipv6-address prefix-length interface-type interface-number [ nexthop-ipv6-address ] [ preference preference | tag tag ] *

      A static route is configured for a specified VPN instance IPv6 address family.

    3. Run commit

      The configuration is committed.

  • Configure RIPng on the MCE.
    1. Run system-view

      The system view is displayed.

    2. Run ripng process-id vpn-instance vpn-instance-name

      A RIPng process is created, and the RIPng view is displayed.

      A RIPng process can be bound only to one VPN instance. If you do not specify a VPN instance when creating a RIPng process, this RIPng process is a public network process and can no longer be bound to a VPN instance.

    3. Run network network-address

      RIPng is enabled on the network segment where an interface bound to the VPN instance resides.

    4. Run commit

      The configuration is committed.

    NOTE:

    Deleting a VPN instance or disabling a VPN instance IPv6 address family will also delete all the RIPng processes bound to this VPN instance or VPN instance IPv6 address family.

  • Configure OSPFv3 on the MCE.
    1. Run system-view

      The system view is displayed.

    2. Run ospfv3 [ process-id ] vpn-instance vpn-instance-name

      An OSPF process is created, and the OSPF view is displayed.

      Create the same OSPF process on the MCE and its connected PE. An OSPF process can be bound only to one VPN instance.

      Specify a router ID when creating an OSPF process and binding the OSPF instance to a VPN instance. The OSPF process bound to the VPN instance cannot automatically use the public network router ID configured in the system view. If no router ID is specified, OSPF uses a specified rule to select an IP address from the IP addresses of the interfaces that are bound to the VPN instance as a router ID.

    3. (Optional) Run domain-id { domain-id-int | domain-id-ipaddr }

      The domain ID is configured.

      The domain ID can be an integer or in dotted decimal notation.

      Generally, the routes that are imported from a PE are advertised as External-LSAs. The routes that belong to different nodes of the same OSPFv3 domain are advertised as Type-3 LSAs (intra-domain routes). This requires that different nodes in the same OSPFv3 domain have the same domain ID.

    4. (Optional) Run route-tag tag-value

      The VPN route tag is configured.

      By default, the first two bytes of the tag value are 0xD000, and the last two bytes are the local BGP AS number. For example, if the local BGP AS number is 100, the default tag value in decimal notation is 3489661028.

    5. Run vpn-instance-capability simple

      Routing loop detection is disabled.

      If OSPF VPN multi-vpn-instance has been deployed on the MCE and PE, the PE sends the MCE a link-state advertisement (LSA) with the Down (DN) bit set to 1. Because VPN instances have been configured on the MCE, the MCE has routing loop detection enabled. If the MCE detects that the LSA contains the DN bit with the value 1, this LSA cannot be used to calculate routes. Run the vpn-instance-capability simple command to disable OSPF routing loop detection. When OSPF routing loop detection is disabled, the MCE calculates all OSPF routes without checking the DN bit and route tag.

    6. Run quit

      Return to the system view.

    7. Run interface interface-type interface-number

      The view of the interface bound to the VPN instance is displayed.

    8. Run ospfv3 process-id area area-id [ instance instance-id ]

      OSPFv3 is enabled on the interface.

    9. Run commit

      The configuration is committed.

    NOTE:
    Deleting a VPN instance or disabling a VPN instance IPv6 address family will also delete all the OSPFv3 processes bound to this VPN instance or VPN instance IPv6 address family.

  • Configure IS-ISv6 on the MCE.
    1. Run system-view

      The system view is displayed.

    2. Run isis process-id vpn-instance vpn-instance-name

      An IS-IS process is created, and the IS-IS view is displayed.

      An IS-IS process can be bound only to one VPN instance. If you do not specify a VPN instance when creating an IS-IS process, this IS-IS process is a public network process and can no longer be bound to a VPN instance.

    3. Run network-entity net

      The network entity title (NET) is configured.

      A NET contains the current IS-IS area address and the system ID of the NE.

    4. (Optional) Run is-level { level-1 | level-1-2 | level-2 }

      An IS-IS level is specified for the NE.

      The default IS-IS level of the NE is level-1-2.

    5. Run isis ipv6 enable

      IPv6 is enabled for the IS-IS process.

      IPv6 can be enabled for an IS-IS process only after being enabled in the system view.

    6. Run quit

      Return to the system view.

    7. Run interface interface-type interface-number

      The view of the interface bound to the VPN instance is displayed.

    8. Run isis ipv6 enable [ process-id ]

      IS-ISv6 is enabled on the interface.

    9. Run quit

      Return to the system view.

    10. Run commit

      The configuration is committed.

    NOTE:

    Deleting a VPN instance or disabling a VPN instance IPv6 address family will also delete all the IS-IS processes bound to this VPN instance or VPN instance IPv6 address family.
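
The effect of steps 4 and 5 of the OSPFv3 procedure above (route-tag and vpn-instance-capability simple) can be modelled in a few lines. This Python model is an added example, not Huawei's implementation; the class and function names are hypothetical, and the rule that an external LSA is ignored when its tag equals the local VPN route tag is an assumption based on the usual PE-CE OSPF loop-prevention behaviour. The LSAs are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional


def default_route_tag(local_as: int) -> int:
    """Default VPN route tag: 0xD000 in the first two bytes, the local BGP
    AS number in the last two bytes."""
    if not 0 < local_as <= 0xFFFF:
        # Only a two-byte AS number fits the layout the guide describes.
        raise ValueError("local AS must fit in two bytes for this layout")
    return (0xD000 << 16) | local_as


@dataclass
class Lsa:
    prefix: str
    dn_bit: bool = False              # the PE sends LSAs with the DN bit set to 1
    route_tag: Optional[int] = None   # VPN route tag, if the LSA carries one


def usable_for_route_calculation(lsa: Lsa, local_tag: int,
                                 loop_detection: bool = True) -> bool:
    """Decide whether an LSA may be used to calculate routes.

    loop_detection=True models a device with VPN instances configured;
    loop_detection=False models vpn-instance-capability simple, where
    neither the DN bit nor the route tag is checked.
    """
    if not loop_detection:
        return True
    if lsa.dn_bit:
        return False
    if lsa.route_tag is not None and lsa.route_tag == local_tag:
        return False  # assumed tag rule, see the lead-in
    return True


def usable_prefixes(lsas, local_tag, loop_detection=True):
    """Prefixes that survive the check, in input order."""
    return [l.prefix for l in lsas
            if usable_for_route_calculation(l, local_tag, loop_detection)]


# Constructed sample: two LSAs from the PE (AS 100) and one from a LAN router.
TAG_AS100 = default_route_tag(100)
SAMPLE_LSAS = [
    Lsa("2001::/64", dn_bit=True, route_tag=TAG_AS100),   # from the PE
    Lsa("1::1/128", dn_bit=True, route_tag=TAG_AS100),    # from the PE
    Lsa("2003::/64"),                                     # local LAN
]
```

With loop detection left on, the MCE in this model keeps only the LAN prefix and loses every route the PE advertises, which is why step 5 is not marked optional on the MCE.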

Configuring a Routing Protocol on the PE Connected to the MCE

To enable a provider edge (PE) to communicate with a multi-VPN-instance customer edge (MCE), configure routing protocol multi-vpn-instance on the MCE.

Context

A PE can communicate with an MCE using any of the following routing protocols: BGP4+, IPv6 static route, RIPng, OSPFv3, or IS-ISv6. Select one of the following configuration procedures:

Procedure

  • Configuring BGP4+ on the PE
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-family vpn-instance vpn-instance-name

      The BGP-VPN instance IPv6 address family view is displayed.

    4. Run peer ipv6-address as-number as-number

      An MCE is configured as a VPN BGP peer for the PE.

    5. (Optional) Run peer { ipv6-address | group-name } ebgp-max-hop [ hop-count ]

      The maximum number of hops between the PE and its EBGP peer (the MCE) is set.

      This step is mandatory if the PE is not directly connected to the MCE. Generally, EBGP peers are directly connected. If they are not directly connected, run the peer ebgp-max-hop command so that EBGP peers can establish a multi-hop Transmission Control Protocol (TCP) connection.

      The default value of hop-count is 255. If the maximum number of hops is set to 1, the PE cannot establish an EBGP connection to a peer if they are not directly connected.

    6. (Optional) Run either of the following commands to enable the PE to import the direct routes destined for the MCE into the VPN routing and forwarding (VRF) table and advertise the routes to the remote PE:

      • import-route direct [ med med | route-policy route-policy-name ] *

      • network ipv6-address prefix-length [ route-policy route-policy-name ]

        The direct routes destined for the MCE are imported into the VRF table of the IPv6 VPN instance.

        NOTE:

        The PE automatically learns the direct routes destined for the MCE. The learned routes take precedence over the direct routes advertised from the MCE using EBGP. If this step is not performed, the PE does not use the Multi-protocol Extensions for Border Gateway Protocol (MP-BGP) to advertise the direct routes destined for the MCE to the remote PE.

    7. Run commit

      The configuration is committed.

  • Configure a static route on the PE.
    1. Run system-view

      The system view is displayed.

    2. Run ipv6 route-static vpn-instance vpn-source-name destination-ipv6-address prefix-length interface-type interface-number [ nexthop-ipv6-address ] [ preference preference | tag tag ] *

      A static route is configured for a specified VPN instance IPv6 address family.

    3. Run bgp as-number

      The BGP view is displayed.

    4. Run ipv6-family vpn-instance vpn-instance-name

      The BGP-VPN instance IPv6 address family view is displayed.

    5. Run import-route static [ med med | route-policy route-policy-name ] *

      The configured static route is added to the VRF table of the BGP-VPN instance IPv6 address family.

    6. Run commit

      The configuration is committed.

  • Configure RIPng on the PE.
    1. Run system-view

      The system view is displayed.

    2. Run ripng process-id vpn-instance vpn-instance-name

      A RIPng process is created, and the RIPng view is displayed.

      A RIPng process can be bound only to one VPN instance.

    3. Run import-route bgp [ permit-ibgp ] [ cost cost | inherit-cost | route-policy route-policy-name ] *

      BGP routes are imported.

      After the import-route bgp command is run in the RIPng view, the PE can import the VPN-IPv6 routes learned from the remote PE into the RIPng routing table and advertise them to the attached CE.

    4. Run quit

      Return to the system view.

    5. Run interface interface-type interface-number

      The view of the interface connected to the MCE is displayed.

    6. Run ripng process-id enable

      RIPng is enabled on the interface.

      NOTE:

      If IPv6 is not enabled, this command cannot be run in the interface view.

    7. Run quit

      Return to the system view.

    8. Run bgp as-number

      The BGP view is displayed.

    9. Run ipv6-family vpn-instance vpn-instance-name

      The BGP-VPN instance IPv6 address family view is displayed.

    10. Run import-route ripng process-id [ med med | route-policy route-policy-name ] *

      The configured RIPng route is added to the VRF table of the BGP-VPN instance IPv6 address family.

      After the import-route ripng command is run in the BGP-IPv6 VPN instance IPv6 address family view, the PE will import the IPv6 routes learned from the MCE into the BGP routing table and advertise VPN-IPv6 routes to the remote PE.

      NOTE:

      If a RIPng multi-instance process is deleted, RIPng will be disabled on all the interfaces in the process.

      Deleting a VPN instance or disabling a VPN instance IPv6 address family will delete all the RIPng processes bound to the VPN instance or VPN instance IPv6 address family on the PE.

    11. Run commit

      The configuration is committed.

    NOTE:

    Deleting a VPN instance or disabling a VPN instance IPv6 address family will also delete all the RIPng processes bound to this VPN instance or VPN instance IPv6 address family.

  • Configuring OSPFv3 on the PE
    1. Run system-view

      The system view is displayed.

    2. Run ospfv3 [ process-id ] vpn-instance vpn-instance-name

      An OSPFv3 process is created, and the OSPFv3 view is displayed.

      An OSPFv3 process can be bound only to one VPN instance.

    3. Run router-id router-id

      A router ID is configured.

      The router ID of each OSPFv3 process is unique in an AS. If no router ID is set, no OSPFv3 process can be run.

    4. (Optional) Run domain-id { domain-id-int | domain-id-ipaddr }

      The domain ID is configured.

      The domain ID can be an integer or in dotted decimal notation.

      Generally, the routes that are imported from a PE are advertised as External-LSAs. The routes that belong to different nodes of the same OSPFv3 domain are advertised as Type-3 LSAs (intra-domain routes). This requires that different nodes in the same OSPFv3 domain have the same domain ID.

    5. (Optional) Run route-tag tag-value

      The VPN route tag is configured.

      By default, the first two bytes of the tag value are 0xD000, and the last two bytes are the local BGP AS number. For example, if the local BGP AS number is 100, the default tag value in decimal notation is 3489661028.

    6. Run import-route bgp [ cost cost | route-policy route-policy-name | tag tag | type type ] *

      BGP routes are imported into the OSPFv3 routing table so that the PE can advertise the routes to the CE using OSPFv3.

    7. Run quit

      Return to the system view.

    8. Run interface interface-type interface-number

      The view of the interface bound to the VPN instance is displayed.

    9. Run ospfv3 process-id area area-id [ instance instance-id ]

      OSPFv3 is enabled on the interface.

    10. Run quit

      Return to the system view.

    11. Run bgp as-number

      The BGP view is displayed.

    12. Run ipv6-family vpn-instance vpn-instance-name

      The BGP-VPN instance IPv6 address family view is displayed.

    13. Run import-route ospfv3 process-id [ med med | route-policy route-policy-name ] *

      OSPFv3 routes are imported into the VRF table of the BGP-VPN instance IPv6 address family.

    14. Run commit

      The configuration is committed.

    NOTE:
    Deleting a VPN instance or disabling a VPN instance IPv6 address family will also delete all the OSPFv3 processes bound to this VPN instance or VPN instance IPv6 address family.

  • Configuring IS-ISv6 on the PE
    1. Run system-view

      The system view is displayed.

    2. Run isis process-id vpn-instance vpn-instance-name

      An IS-IS process is created on the PE, and the IS-IS view is displayed.

      An IS-IS multi-instance process can be bound to only one VPN instance. If an IS-IS process is not bound to any VPN instance before it is started, this process becomes a public network process.

      If only one IS-IS process, either a public network IS-IS process or a multi-instance IS-IS instance, runs on the NE, you do not need to specify process-id in the command. The value of process-id defaults to 1.

      NOTE:

      If an IS-IS multi-instance process is deleted, IS-IS will be disabled on all the interfaces in the process.

      Deleting a VPN instance or disabling a VPN instance IPv6 address family will delete all the IS-IS processes bound to the VPN instance or VPN instance IPv6 address family on the PE.

    3. Run network-entity net

      The network entity title (NET) is configured.

      A NET specifies the current IS-IS area address and the system ID of the NE.

    4. (Optional) Run is-level { level-1 | level-1-2 | level-2 }

      The IS-IS level of the NE is specified.

      By default, the IS-IS level of the NE is Level-1-2.

    5. Run isis ipv6 enable

      IPv6 is enabled for the IS-IS process.

      IPv6 can be enabled for an IS-IS process only after being enabled in the system view.

    6. Run ipv6 import-route bgp inherit-cost [ tag tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ] *

      BGP routes are imported.

    7. Run quit

      Return to the system view.

    8. Run interface interface-type interface-number

      The interface view is displayed.

    9. Run isis ipv6 enable [ process-id ]

      IS-ISv6 is enabled on the interface.

    10. Run quit

      Return to the system view.

    11. Run bgp as-number

      The BGP view is displayed.

    12. Run ipv6-family vpn-instance vpn-instance-name

      The BGP-VPN instance IPv6 address family view is displayed.

    13. Run import-route isis process-id [ med med | route-policy route-policy-name ] *

      IS-IS routes are imported into the VRF table of the BGP-VPN instance IPv6 address family.

    14. Run commit

      The configuration is committed.

    NOTE:

    Deleting a VPN instance or disabling a VPN instance IPv6 address family will also delete all the IS-IS processes bound to this VPN instance or VPN instance IPv6 address family.

Verifying the MCE (IPv6) Configuration

After the multi-VPN-instance CE (MCE) is configured, the VPN routing and forwarding (VRF) table of the MCE contains the routes to the local area network (LAN) and remote sites for each type of service.

Prerequisites

All MCE configurations are complete.

Procedure

  • Run the display ipv6 routing-table vpn-instance vpn-instance-name [ verbose ] command to check the VRF table on the MCE.

Example

Run the display ipv6 routing-table vpn-instance command to view the VRF table of the MCE. The command output shows that the VRF table contains the routes to the LAN and to the remote sites for each type of service.

<HUAWEI> display ipv6 routing-table vpn-instance vpna
Routing Table : vpna
         Destinations : 8        Routes : 8

Destination  : 1::1                                    PrefixLength : 128
NextHop      : FE80::3A00:10FF:FE03:107                Preference   : 150
Cost         : 1                                       Protocol     : OSPFv3ASE
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : GigabitEthernet0/1/0                    Flags        : D

Destination  : 3::3                                    PrefixLength : 128
NextHop      : FE80::2200:10FF:FE03:0                  Preference   : 100
Cost         : 1                                       Protocol     : RIPng
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : GigabitEthernet0/3/0                    Flags        : D

Destination  : 1998::                                  PrefixLength : 64
NextHop      : 1998::2                                 Preference   : 0
Cost         : 0                                       Protocol     : Direct
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : GigabitEthernet0/1/0                    Flags        : D

Destination  : 1998::2                                 PrefixLength : 128
NextHop      : ::1                                     Preference   : 0
Cost         : 0                                       Protocol     : Direct
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : GigabitEthernet0/1/0                    Flags        : D

Destination  : 2001::                                  PrefixLength : 64
NextHop      : FE80::3A00:10FF:FE03:107                Preference   : 150
Cost         : 1                                       Protocol     : OSPFv3ASE
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : GigabitEthernet0/1/0                    Flags        : D

Destination  : 2003::                                  PrefixLength : 64
NextHop      : 2003::2                                 Preference   : 0
Cost         : 0                                       Protocol     : Direct
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : GigabitEthernet0/3/0                    Flags        : D

Destination  : 2003::2                                 PrefixLength : 128
NextHop      : ::1                                     Preference   : 0
Cost         : 0                                       Protocol     : Direct
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : GigabitEthernet0/3/0                    Flags        : D

Destination  : FE80::                                  PrefixLength : 10
NextHop      : ::                                      Preference   : 0
Cost         : 0                                       Protocol     : Direct
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : NULL0                                   Flags        : D
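
The isolation goal from the usage scenario can be checked against this output mechanically. The following Python check is an added example, not part of the Huawei guide: it parses the display ipv6 routing-table vpn-instance format shown above and reports routes that fall outside the prefixes or interfaces expected for that VPN instance. The function names, the allowed-prefix list and the bound-interface set are assumptions supplied by the operator.

```python
import ipaddress
import re

# Constructed input: three of the eight routes from the sample output above,
# with the Destinations/Routes counters adjusted to match.
SAMPLE_OUTPUT = """\
Routing Table : vpna
         Destinations : 3        Routes : 3

Destination  : 1::1                                    PrefixLength : 128
NextHop      : FE80::3A00:10FF:FE03:107                Preference   : 150
Cost         : 1                                       Protocol     : OSPFv3ASE
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : GigabitEthernet0/1/0                    Flags        : D

Destination  : 3::3                                    PrefixLength : 128
NextHop      : FE80::2200:10FF:FE03:0                  Preference   : 100
Cost         : 1                                       Protocol     : RIPng
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : GigabitEthernet0/3/0                    Flags        : D

Destination  : FE80::                                  PrefixLength : 10
NextHop      : ::                                      Preference   : 0
Cost         : 0                                       Protocol     : Direct
RelayNextHop : ::                                      TunnelID     : 0x0
Interface    : NULL0                                   Flags        : D
"""

# "Key : value" pairs. The separator colon must have whitespace on both
# sides, so colons inside IPv6 addresses are never taken for separators.
FIELD = re.compile(r"(\w+)\s+:\s+(\S+)")
LINK_LOCAL = ipaddress.ip_network("fe80::/10")


def parse_vrf_table(text):
    """Return (vpn_instance_name, declared_route_count, [route dicts])."""
    name, declared, routes = None, None, []
    for line in text.splitlines():
        for key, value in FIELD.findall(line):
            if key == "Table":
                name = value
            elif key == "Routes":
                declared = int(value)
            elif key == "Destination":
                routes.append({"Destination": value})  # starts a new record
            elif routes:
                routes[-1][key] = value
    for r in routes:
        r["Prefix"] = ipaddress.ip_network(
            f"{r['Destination']}/{r['PrefixLength']}", strict=False)
    return name, declared, routes


def audit_vrf(text, allowed_prefixes, bound_interfaces):
    """Findings for routes outside the VPN's expected prefixes or leaving
    through an interface that is not bound to this VPN instance."""
    name, declared, routes = parse_vrf_table(text)
    allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]
    findings = []
    if declared is not None and declared != len(routes):
        findings.append((name, "truncated-output", f"{len(routes)}/{declared}"))
    for r in routes:
        if r["Prefix"].subnet_of(LINK_LOCAL):
            continue  # the FE80::/10 entry is not a service route
        if not any(r["Prefix"].subnet_of(a) for a in allowed):
            findings.append((name, "unexpected-prefix", str(r["Prefix"])))
        if r.get("Interface") not in bound_interfaces:
            findings.append((name, "unexpected-interface", r.get("Interface")))
    return findings
```

Run it once per VPN instance with that instance's own prefix plan; an unexpected-prefix finding in one department's VRF is the symptom of the route leak the MCE design is meant to prevent.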
Updated: 2019-01-14

Document ID: EDOC1100058925
