Configuration Guide - VPN 01

NE05E and NE08E V300R003C10SPC500

This is NE05E and NE08E V300R003C10SPC500 Configuration Guide - VPN

Configuring and Applying a Tunnel Policy

After a tunnel policy is applied to a VPN service, the system will select a tunnel based on the policy. Tunnel policies enable VPN data to be transmitted over desired tunnels.

Usage Scenario

VPN (including L2VPN and L3VPN) data on the backbone network needs to be carried by tunnels. At present, LSPs and MPLS TE tunnels can be used for VPN data transmission.

By default, the system selects LSPs to transmit VPN data without performing load balancing. In the following situations, this cannot meet VPN requirements:

  • MPLS TE tunnels need to be selected for VPN service transmission.

  • Load balancing among tunnels needs to be implemented to fully utilize network resources when multiple tunnels are available for VPN service transmission.

  • Some VPN services demand Quality of Service (QoS) guarantee. They must be carried by dedicated MPLS TE tunnels.

In these situations, tunnel policies must be configured and applied to the VPN service. The following types of VPNs support tunnel policies:

  • BGP/MPLS IP VPN
  • BGP/MPLS IPv6 VPN
  • Static virtual circuit (SVC) virtual private wire service (VPWS)
  • LDP VPWS
  • LDP virtual private LAN service (VPLS)

The mode in which a tunnel policy is applied to VPN services varies according to the VPN type.

Pre-configuration Tasks

Before configuring and applying a tunnel policy, complete the following tasks:

  • Create a tunnel, which may be an LSP or an MPLS TE tunnel, for the VPN service.
    NOTE:

    For details about how to create an LSP, see Configuring an LDP LSP, Configuring an IS-IS SR-BE Tunnel, and Configuring an OSPF SR-BE Tunnel.

    For details about how to create an MPLS TE tunnel, see Configuring an RSVP-TE Tunnel.

  • Build the VPN.

Configuration Procedures

Figure 2-1 Flowchart for configuring and applying a tunnel policy

Configuring a Tunnel Policy

Tunnel policies are divided into tunnel type prioritizing policies and tunnel binding policies.

Context

VPN data needs to be carried by tunnels. By default, the system selects LSPs to carry VPN services without performing load balancing. If this cannot meet the requirements of VPN services, a tunnel policy needs to be used. The tunnel policy may be a tunnel type prioritizing policy or a tunnel binding policy. Determine which type of tunnel policy to use based on your actual requirements:

  • A tunnel type prioritizing policy can change the tunnel type selected for VPN services and allow load balancing among tunnels.
  • A tunnel binding policy can bind a VPN service to specified MPLS TE tunnels to provide QoS guarantee for the VPN service.

Perform the following steps on the PE where a tunnel policy needs to be applied:

Procedure

  • Configure a tunnel type prioritizing policy.
    1. Run system-view

      The system view is displayed.

    2. Run tunnel-policy policy-name

      A tunnel policy is created, and the tunnel policy view is displayed.

    3. (Optional) Run description description-information

      A description is configured for the tunnel policy.

      The description helps users identify the tunnel policy.

    4. Run tunnel select-seq { cr-lsp | gre | { lsp | { ldp | bgp | sr-lsp } } } * load-balance-number load-balance-number [ unmix ]

      The sequence in which each type of tunnel is selected and the number of tunnels participating in load balancing are configured.

      After this command is run, the system selects tunnels based on the specified sequence. If tunnels that have higher priorities are unreachable, the system will continue to select tunnels that have lower priorities based on the sequence. For example, if the tunnel select-seq cr-lsp lsp load-balance-number 3 command is run, the system can select MPLS TE tunnels (as preferred ones) or LSPs for VPN service transmission and use a maximum of three tunnels for load balancing. If the number of available MPLS TE tunnels is smaller than 3, LSPs will be qualified to join the MPLS TE tunnels in load balancing.

      LSPs include LDP LSPs, SR-LSPs, and BGP LSPs. If lsp is specified, the default priority sequence in descending order is LDP LSP > BGP LSP > SR-LSP. If sr-lsp, ldp or bgp is specified, the priority sequence for LSPs can be specified.

      CR-LSPs include RSVP-TE tunnels and SR-TE tunnels. If cr-lsp is specified in the tunnel select-seq command, the tunnel that goes Up earlier has a higher priority.

      If unmix is configured, only one type of tunnel can be selected. For example, in a scenario where the tunnel select-seq cr-lsp lsp load-balance-number 3 unmix command is configured for the tunnel policy:
      • If three or more CR-LSPs are available on the network, the system randomly selects three of them for service transmission.

      • If fewer than three CR-LSPs are available on the network, the system selects only the available CR-LSPs for service transmission.

    5. Run commit

      The configuration is committed.

  • Configure a common tunnel binding policy.
    1. Run system-view

      The system view is displayed.

    2. Run interface tunnel interface-number

      The MPLS TE tunnel interface view is displayed.

    3. Run mpls te reserved-for-binding

      Tunnel binding is enabled.

    4. Run quit

      Return to the system view.

    5. Run tunnel-policy policy-name

      A tunnel policy is created.

    6. (Optional) Run description description-information

      A description is configured for the tunnel policy.

      The description helps users identify the tunnel policy.

    7. Run tunnel binding destination dest-ip-address te { tunnel interface-number } &<1-16> [ ignore-destination-check ] [ down-switch | include-ldp ]

      The MPLS TE tunnels to be bound are specified.

      NOTE:
      • If a PE has multiple peers, you can run the tunnel binding command several times with different destination addresses in one tunnel policy.

      • If down-switch is configured and the bound MPLS TE tunnels fail, the system will select other tunnels for VPN data transmission in the sequence of LSPs and MPLS TE tunnels.

    8. Run commit

      The configuration is committed.
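
The selection rules described for tunnel select-seq above can be checked against a small model. The following Python sketch is an added example, not Huawei code and not taken from the original guide; the tunnel names and Up times are constructed. It assumes that LSPs of one type are also ordered by Up time and that, with unmix, the next type is tried when no tunnel of the preferred type is available (the guide does not state either).

```python
import random
from dataclasses import dataclass

# Documented default order when "lsp" is given: LDP LSP > BGP LSP > SR-LSP.
LSP_ORDER = ["ldp", "bgp", "sr-lsp"]

@dataclass(frozen=True)
class Tunnel:
    name: str      # constructed label
    kind: str      # "cr-lsp", "gre", "ldp", "bgp" or "sr-lsp"
    up_since: int  # constructed time the tunnel went Up (smaller = earlier)

def select_tunnels(available, select_seq, load_balance_number,
                   unmix=False, rng=None):
    """Return the tunnels (all Up, same destination) chosen for load balancing."""
    rng = rng or random.Random()
    # Earlier-Up tunnels first (stated for cr-lsp; assumed here for LSPs too).
    by_age = sorted(available, key=lambda t: t.up_since)
    chosen = []
    for keyword in select_seq:
        kinds = LSP_ORDER if keyword == "lsp" else [keyword]
        candidates = [t for kind in kinds for t in by_age if t.kind == kind]
        if unmix:
            if not candidates:
                continue  # assumption: try the next type when none is available
            if len(candidates) > load_balance_number:
                return rng.sample(candidates, load_balance_number)
            return candidates  # never topped up from another type
        chosen += candidates[:load_balance_number - len(chosen)]
        if len(chosen) == load_balance_number:
            break
    return chosen

# Constructed inventory: two CR-LSPs, two LDP LSPs and one SR-LSP are Up.
UP_TUNNELS = [
    Tunnel("Tunnel2", "cr-lsp", 20), Tunnel("Tunnel1", "cr-lsp", 10),
    Tunnel("ldp-1", "ldp", 5), Tunnel("ldp-2", "ldp", 6),
    Tunnel("sr-1", "sr-lsp", 1),
]

def names(tunnels):
    return [t.name for t in tunnels]

if __name__ == "__main__":
    # tunnel select-seq cr-lsp lsp load-balance-number 3
    print(names(select_tunnels(UP_TUNNELS, ["cr-lsp", "lsp"], 3)))
    # tunnel select-seq cr-lsp lsp load-balance-number 3 unmix
    print(names(select_tunnels(UP_TUNNELS, ["cr-lsp", "lsp"], 3, unmix=True)))
```

Without unmix, the two CR-LSPs are joined by one LDP LSP to reach three tunnels; with unmix, only the two CR-LSPs carry the service.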

Applying a Tunnel Policy to a VPN Service

After being configured, a tunnel policy needs to be applied to a VPN service.

Context

The system can select proper tunnels for VPN data transmission based on the configured tunnel policy only after the policy is applied to the VPN service.

A VPN may be an L2VPN or L3VPN, depending on which network layer the VPN belongs to in TCP/IP:
  • L3VPNs are divided into BGP/MPLS IP VPN and BGP/MPLS IPv6 VPN based on the protocol stack used.

  • L2VPNs are divided into VPWS and VPLS.

The mode in which a tunnel policy is applied to VPN services varies according to the VPN type. Use a proper method to apply a tunnel policy based on the VPN type:

Procedure

  • Apply a tunnel policy to a BGP/MPLS IP VPN. Perform the following steps on the PEs:

    For details about how to build a BGP/MPLS IP VPN, see Configuring a Basic BGP/MPLS IP VPN.

    1. Run system-view

      The system view is displayed.

    2. Run ip vpn-instance vpn-instance-name

      The VPN instance view is displayed.

    3. Run ipv4-family

      The VPN instance IPv4 address family view is displayed.

    4. Run tnl-policy policy-name

      A tunnel policy is applied to the VPN instance IPv4 address family.

    5. Run commit

      The configuration is committed.

  • Apply a tunnel policy to a BGP/MPLS IPv6 VPN. Perform the following steps on the PEs:

    For details about how to build a BGP/MPLS IPv6 VPN, see Configuring a Basic BGP/MPLS IPv6 VPN.

    1. Run system-view

      The system view is displayed.

    2. Run ip vpn-instance vpn-instance-name

      The VPN instance view is displayed.

    3. Run ipv6-family

      The VPN instance IPv6 address family view is displayed.

    4. Run tnl-policy policy-name

      A tunnel policy is applied to the VPN instance IPv6 address family.

    5. Run commit

      The configuration is committed.

  • Apply a tunnel policy to an SVC VPWS.

    For details about how to build an SVC VPWS, see Configuring an SVC VPWS. Perform the following steps on the PEs configured with VCs:

    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The AC interface view is displayed.

    3. Run mpls static-l2vc { { destination ip-address | pw-template pw-template-name vc-id } * | destination ip-address [ vc-id ] } transmit-vpn-label transmit-label-value receive-vpn-label receive-label-value [ tunnel-policy tnl-policy-name | access-port | [ control-word | no-control-word ] | [ raw | tagged ] ] *

      A tunnel policy is applied to the VC of the SVC VPWS.

    4. Run commit

      The configuration is committed.

  • Apply a tunnel policy to an LDP VPWS.

    For details about how to build an LDP VPWS, see Configuring LDP VPWS. Perform the following steps on the PEs configured with VCs:

    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The attachment circuit (AC) interface view is displayed.

    3. Run mpls l2vc { pw-template pw-template-name | ip-address } * vc-id tunnel-policy policy-name

      A tunnel policy is applied to the VC of the LDP VPWS.

    4. Run commit

      The configuration is committed.

  • Apply a tunnel policy to an LDP VPLS.

    For details about how to build an LDP VPLS, see Configuring an LDP VPLS. Perform the following steps on each endpoint PE of the pseudo wire (PW):

    1. Run system-view

      The system view is displayed.

    2. Run vsi vsi-name [ auto | static ]

      A virtual switching instance (VSI) is created.

    3. Run pwsignal ldp

      LDP is configured as the PW signaling protocol, and the VSI-LDP view is displayed.

    4. Run vsi-id vsi-id

      The VSI ID is set.

    5. Run peer peer-address [ negotiation-vc-id vc-id ] [ tnl-policy policy-name ]

      A VSI peer is configured, and a tunnel policy is applied to the VSI peer.

    6. Run commit

      The configuration is committed.

Verifying the Tunnel Policy Configuration

After configuring and applying a tunnel policy to a VPN service, run the following commands to check the applied tunnel policy and tunnel information in the system.

Procedure

  • Run the display tunnel-info { tunnel-id | all | statistics } command to check information about tunnels in the system.
  • Run the display interface tunnel interface-number command to check detailed information about a specified tunnel interface.
  • Run the display tunnel-policy [ tunnel-policy-name ] command to check information about the tunnel policy in the system.
  • Run the display ip vpn-instance verbose [ vpn-instance-name ] command to check information about the tunnel policy applied to a VPN instance.
  • Run the display mpls static-l2vc interface interface-type interface-number command to check the tunnel policy used by an SVC VPWS.
  • Run the display mpls l2vc [ interface interface-type interface-number ] command to check the tunnel policy used by an LDP VPWS.
  • Run the display vpls connection [ ldp | vsi vsi-name ] verbose command to check the tunnel policy used by an LDP VPLS.

Example

Run the display tunnel-info all command. The command output shows tunnel information in the system, including the tunnel type, tunnel ID, and destination address.

<HUAWEI> display tunnel-info all
Tunnel ID               Type              Destination          Status
----------------------------------------------------------------------
0x000000000300000001    te                3.3.3.3              up
0x000000000300000002    te                2.2.2.2              down
0x000000000300000003    te                192.168.2.0          up

Run the display interface tunnel interface-number command. The command output shows that the tunnel interface has been configured.

<HUAWEI> display interface Tunnel 10
Tunnel10 current state : UP (ifindex: 19)
Line protocol current state : UP
Last line protocol up time : 2010-10-27 08:15:50
Description: TO******Loopback1
Route Port,The Maximum Transmit Unit is 1500, Current BW: 100Mbps 
Internet Address is unnumbered, using address of LoopBack1(1.1.1.1/32)
Encapsulation is TUNNEL, loopback not set
Tunnel destination 2.2.2.2
Tunnel up/down statistics 1
Tunnel protocol/transport MPLS/MPLS, ILM is available,
primary tunnel id is 0x33, secondary tunnel id is 0x0
Current system time: 2010-10-27 08:21:10
    300 seconds output rate 0 bits/sec, 0 packets/sec
    0 seconds output rate 0 bits/sec, 0 packets/sec
    126 packets output,  34204 bytes
    0 output error
    18 output drop
    Last 300 seconds input utility rate:  0.00%
    Last 300 seconds output utility rate: 0.00%

Run the display tunnel-policy command. The command output shows all tunnel policies configured in the system.

<HUAWEI> display tunnel-policy
Total   tunnel policy num:              2
Sel-Seq tunnel policy num:              1
Binding tunnel policy num:              1
Invalid tunnel policy num:              0

Tunnel Policy Name                      Select-Seq                   Load balance No  Unmix
--------------------------------------------------------------------------------------------
ppp                                     LSP CR-LSP                                 3 Disable

Tunnel Policy Name                      Destination     Tunnel Intf                             Ignore-dest-check   Down switch
-------------------------------------------------------------------------------------------------------------------------------
pppp                                    4.4.4.4         Tunnel1                                 Disable             Disable 

Run the display ip vpn-instance verbose vpn-instance-name command. The command output shows detailed information about a VPN instance.

<HUAWEI> display ip vpn-instance verbose vpn1
 Total VPN-Instances configured : 1
 Total IPv4 VPN-Instances configured : 0
 Total IPv6 VPN-Instances configured : 1
 VPN-Instance Name and ID : vpn1, 1
  Interfaces : GigabitEthernet0/1/0
 Address family ipv6
  Create date : 2006/09/27 15:25:29
  Up time : 0 days, 00 hours, 02 minutes and 11 seconds
  Vrf Status : UP
  Route Distinguisher : 100:1
  Export VPN Targets :  2:2
  Import VPN Targets :  1:1
  Label policy : label per route
  Tunnel Policy : policy1

Run the display mpls static-l2vc interface interface-type interface-number command. The command output shows the tunnel policy used by an SVC VPWS or static pseudo wire emulation edge-to-edge (PWE3).

<HUAWEI> display mpls static-l2vc interface gigabitethernet 0/1/1
*Client Interface   : GigabitEthernet 0/1/1 is up
  AC Status          : up
  VC State           : up
  VC ID              : 0
  VC Type            : PPP
  Destination        : 3.3.3.9
  Transmit VC Label  : 100
  Receive VC Label   : 200
  Label Status       : 0
  Token Status       : 0
  Control Word       : Disable
  VCCV Capabilty     : alert ttl lsp-ping bfd
  active state       : inactive
  OAM Protocol       : --
  OAM Status         : --
  OAM Fault Type     : --
  PW APS ID          : --
  PW APS Status      : --
  TTL Value          : 1
  Link State         : up
  Tunnel Policy      : policy1
  PW Template Name   : --
  Traffic Behavior   : --
  Main or Secondary  : Main
  load balance type    : flow
  Access-port          : false
  VC tunnel/token info : 1 tunnels/tokens
  NO.0  TNL Type : cr lsp, TNL ID : 0x1
  Backup TNL Type : lsp   , TNL ID : 0x0
  Create time          : 0 days, 0 hours, 2 minutes, 57 seconds
  UP time              : 0 days, 0 hours, 2 minutes, 57 seconds
  Last change time     : 0 days, 0 hours, 2 minutes, 57 seconds
  VC last up time      : 2011/04/21 13:51:52
  VC total up time     : 0 days, 0 hours, 2 minutes, 57 seconds
  CKey                 : 2
  NKey                 : 1 

For an L2VPN in SVC or Martini mode, run the display mpls l2vc interface interface-type interface-number command to check the tunnel policy applied to the VC. In the following example, the command output shows that the tunnel policy applied to the VC on GigabitEthernet0/1/0 is policy4.

<HUAWEI> display mpls l2vc interface gigabitEthernet0/1/0
*client interface       : GigabitEthernet0/1/0 is up
  session state          : up
  AC state               : up
  VC state               : up
  VC ID                  : 100
  VC type                : PPP
  destination            : 3.3.3.9
  local group ID         : 0            remote group ID      : 0
  local VC label         : 21504        remote VC label      : 21505
  local AC OAM State     : up
  local PSN State        : up
  local forwarding state : forwarding
  local status code      : 0x0 
  remote AC OAM state    : up
  remote PSN state       : up
  remote forwarding state: forwarding
  remote statuscode      : 0x0 
  Dynamic BFD for PW     : available
  Detect Multipier       : 3
  Min Transit Interval   : 100
  Max Receive Interval   : 100
  Dynamic BFD Session    : built
  BFD for PW             : unavailable
    BFD sessionIndex     : 256          BFD state : up
  manual fault           : not set
  active state           : active
  forwarding entry       : exist
  link state             : up
  local VC MTU           : 4470         remote VC MTU        : 4470
  local VCCV             : cw alert lsp-ping bfd
  remote VCCV            : cw alert lsp-ping bfd
  local control word     : enable       remote control word  : enable
  tunnel policy name     : policy4
  traffic behavior name  : --
  PW template name       : pwt
  primary or secondary   : primary
  VC tunnel/token info   : 1 tunnels/tokens
  NO.0  TNL type : lsp   , TNL ID : 0x2002003
  create time            : 0 days, 0 hours, 24 minutes, 0 seconds
  up time                : 0 days, 0 hours, 15 minutes, 0 seconds
  last change time       : 0 days, 0 hours, 15 minutes, 0 seconds
  VC last up time : 2008-07-24 12:31:31
  VC total up time: 0 days, 2 hours, 12 minutes, 51 seconds
  CKey                   : 11                                                   
  NKey                   : 10 

Run the display vpls connection [ ldp | vsi vsi-name ] verbose command. The command output shows the tunnel policy used by a Martini VPLS.

<HUAWEI> display vpls connection verbose
VSI Name: a2                               Signaling: ldp
  **Remote Vsi ID   : 2
    VC State        : up
    Encapsulation   : vlan
    Group ID        : 0
    MTU             : 1500
    Peer Ip Address : 1.1.1.1
    PW Type         : label
    Local VC Label  : 17408
    Remote VC Label : 17409
    Tunnel Policy   : Policy6
    Tunnel ID       : 0x6002011,
    Local VC Label     : 19457
    Remote VC Label    : 19458
    Tunnel Policy      : --
    Tunnel ID          : 0x6002011,
    Remote Label Block : 19456/5/0
    Export vpn target  : 100:1, 
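
The verification commands above can be turned into a repeatable audit. The following Python sketch is an added example, not part of the original guide or of any Huawei tool; the sample output is constructed in the layout shown in this section, and the service labels are hypothetical. It reports services with no tunnel policy applied, services that reference a policy not listed by display tunnel-policy, and services bound by a policy that has down-switch enabled.

```python
import re

# Constructed 'display tunnel-policy' output in the layout shown above.
POLICY_OUTPUT = """\
Tunnel Policy Name      Select-Seq       Load balance No  Unmix
----------------------------------------------------------------
ppp                     LSP CR-LSP                     3 Disable

Tunnel Policy Name      Destination     Tunnel Intf     Ignore-dest-check   Down switch
-----------------------------------------------------------------------------------------
pppp                    4.4.4.4         Tunnel1         Disable             Enable
"""

# Hypothetical service label -> constructed excerpt of its display output.
SERVICE_OUTPUTS = {
    "vpn1": "  Vrf Status : UP\n  Tunnel Policy : pppp\n",
    "GE0/1/0 l2vc": "  VC state : up\n  tunnel policy name     : policy4\n",
    "vsi a2": "    VC State        : up\n    Tunnel Policy   : --\n",
}

FIELD = re.compile(r"^\s*tunnel policy(?: name)?\s*:\s*(\S+)", re.I | re.M)

def parse_policies(text):
    """Return {policy name: attributes} from both display tunnel-policy tables."""
    policies, mode = {}, None
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("Tunnel Policy Name"):
            mode = "binding" if "Destination" in line else "select-seq"
        elif not fields or set(line.strip()) == {"-"}:
            continue  # blank line or table rule
        elif mode == "binding" and len(fields) == 5:
            policies[fields[0]] = {"type": mode, "destination": fields[1],
                                   "tunnel": fields[2],
                                   "down_switch": fields[4] == "Enable"}
        elif mode == "select-seq":
            policies[fields[0]] = {"type": mode}
    return policies

def applied_policy(text):
    """Return the policy name shown for a service, or None if unset ('--')."""
    m = FIELD.search(text)
    return None if m is None or m.group(1) == "--" else m.group(1)

def audit(policy_text, services):
    policies, findings = parse_policies(policy_text), []
    for svc, text in services.items():
        name = applied_policy(text)
        if name is None:
            findings.append((svc, "no tunnel policy applied, default LSP selection"))
        elif name not in policies:
            findings.append((svc, f"policy {name} is not defined on this device"))
        elif policies[name].get("down_switch"):
            findings.append((svc, f"binding policy {name} has down-switch enabled"))
    return findings

if __name__ == "__main__":
    for svc, msg in audit(POLICY_OUTPUT, SERVICE_OUTPUTS):
        print(f"{svc}: {msg}")
```
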
Updated: 2019-01-14

Document ID: EDOC1100058925
