Configuration Guide - VPN 01

NE05E and NE08E V300R003C10SPC500

Example for Configuring Hub and Spoke (IPv6)

In Hub and Spoke networking, an access control device is specified in the VPN, and users communicate with each other through that device.

Networking Requirements

On the network shown in Figure 6-16, communication between the Spoke-CEs is controlled by the Hub-CE at a central site. That is, traffic between Spoke-CEs is forwarded through the Hub-CE, not only through the Hub-PE.

Figure 6-16 Diagram of the Hub and Spoke networking
NOTE:

Interfaces 1 through 4 in this example are GE 0/1/0, GE 0/2/0, GE 0/3/0, GE 0/4/0, respectively.



Configuration Notes

When configuring Hub and Spoke, note the following:

  • The import target and export target configured on a Spoke-PE are different.

  • Two VPN instances (vpn_in and vpn_out) are created on the Hub-PE. The VPN targets received by vpn_in are the VPN targets advertised by the two Spoke-PEs; the VPN targets advertised by vpn_out are the VPN targets received by the two Spoke-PEs and are different from the VPN targets received by vpn_in.

  • The Hub-PE is configured to accept the routes whose AS number is repeated once in the AS_Path attribute.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Establish MP-IBGP peer relationships between the Hub-PE and Spoke-PEs. There is no need to establish the MP-IBGP peer relationship or exchange VPN route information between the two Spoke-PEs.

  2. Create VPN instances and VPN targets on PEs.

  3. Configure EBGP connections between CEs and PEs.

Data Preparation

To complete the configuration, you need the following data:

  • MPLS LSR ID of each PE

  • Names, RDs, and VPN targets of the VPN instances of the Hub-PE and Spoke-PEs

Procedure

  1. Configure an IGP on the MPLS backbone network for the interworking between the Hub-PE and Spoke-PEs.

    In this example, OSPF is used as the IGP protocol. For configuration details, see Configuration Files in this section.

    After the configuration, OSPF neighbor relationships are set up between the Hub-PE and Spoke-PEs. Run the display ospf peer command. The command output shows that the neighbor status is Full. Run the display ip routing-table command. The command output shows that the Hub-PE and Spoke-PEs have learned the routes to each other's loopback interfaces.

  2. Configure basic MPLS functions and MPLS LDP, and set up LDP LSPs on the MPLS backbone network.

    For configuration details, see Configuration Files in this section.

    After the configuration, LDP neighbor relationships have been set up between the Hub-PE and Spoke-PEs. Run the display mpls ldp session command on NEs. The command output shows that the Session Status field is Operational.

  3. Configure VPN instances enabled with the IPv6 address family on the PEs and connect the CEs to PEs.

    NOTE:

    The import target of a VPN on the Hub-PE must contain the export target attributes of all Spoke-PEs.

    The export target of another VPN on the Hub-PE must contain the import target attributes of all Spoke-PEs.

    # Configure Spoke-PE1.

    <Spoke-PE1> system-view
    [~Spoke-PE1] ip vpn-instance vpna
    [*Spoke-PE1-vpn-instance-vpna] ipv6-family
    [*Spoke-PE1-vpn-instance-vpna-af-ipv6] route-distinguisher 100:1
    [*Spoke-PE1-vpn-instance-vpna-af-ipv6] vpn-target 100:1 export-extcommunity
    [*Spoke-PE1-vpn-instance-vpna-af-ipv6] vpn-target 200:1 import-extcommunity
    [*Spoke-PE1-vpn-instance-vpna-af-ipv6] commit
    [*Spoke-PE1-vpn-instance-vpna-af-ipv6] quit
    [*Spoke-PE1] interface gigabitethernet 0/1/0
    [*Spoke-PE1-GigabitEthernet0/1/0] ip binding vpn-instance vpna
    [*Spoke-PE1-GigabitEthernet0/1/0] ipv6 enable
    [*Spoke-PE1-GigabitEthernet0/1/0] ipv6 address 2001:db8:1::2 64
    [*Spoke-PE1-GigabitEthernet0/1/0] commit
    [~Spoke-PE1-GigabitEthernet0/1/0] quit

    # Configure Spoke-PE2.

    <Spoke-PE2> system-view
    [~Spoke-PE2] ip vpn-instance vpna
    [*Spoke-PE2-vpn-instance-vpna] ipv6-family
    [*Spoke-PE2-vpn-instance-vpna-af-ipv6] route-distinguisher 100:3
    [*Spoke-PE2-vpn-instance-vpna-af-ipv6] vpn-target 100:1 export-extcommunity
    [*Spoke-PE2-vpn-instance-vpna-af-ipv6] vpn-target 200:1 import-extcommunity
    [*Spoke-PE2-vpn-instance-vpna-af-ipv6] commit
    [*Spoke-PE2-vpn-instance-vpna-af-ipv6] quit
    [*Spoke-PE2] interface gigabitethernet 0/1/0
    [*Spoke-PE2-GigabitEthernet0/1/0] ip binding vpn-instance vpna
    [*Spoke-PE2-GigabitEthernet0/1/0] ipv6 enable
    [*Spoke-PE2-GigabitEthernet0/1/0] ipv6 address 2001:db8:2::2 64
    [*Spoke-PE2-GigabitEthernet0/1/0] commit
    [~Spoke-PE2-GigabitEthernet0/1/0] quit

    # Configure the Hub-PE.

    <Hub-PE> system-view
    [~Hub-PE] ip vpn-instance vpn_in
    [*Hub-PE-vpn-instance-vpn_in] ipv6-family
    [*Hub-PE-vpn-instance-vpn_in-af-ipv6] route-distinguisher 100:21
    [*Hub-PE-vpn-instance-vpn_in-af-ipv6] vpn-target 100:1 import-extcommunity
    [*Hub-PE-vpn-instance-vpn_in-af-ipv6] commit
    [*Hub-PE-vpn-instance-vpn_in-af-ipv6] quit
    [*Hub-PE-vpn-instance-vpn_in] quit
    [*Hub-PE] ip vpn-instance vpn_out
    [*Hub-PE-vpn-instance-vpn_out] ipv6-family
    [*Hub-PE-vpn-instance-vpn_out-af-ipv6] route-distinguisher 100:22
    [*Hub-PE-vpn-instance-vpn_out-af-ipv6] vpn-target 200:1 export-extcommunity
    [*Hub-PE-vpn-instance-vpn_out-af-ipv6] commit
    [*Hub-PE-vpn-instance-vpn_out-af-ipv6] quit
    [*Hub-PE-vpn-instance-vpn_out] quit
    [*Hub-PE] interface gigabitethernet 0/3/0
    [*Hub-PE-GigabitEthernet0/3/0] ip binding vpn-instance vpn_in
    [*Hub-PE-GigabitEthernet0/3/0] ipv6 enable
    [*Hub-PE-GigabitEthernet0/3/0] ipv6 address 2001:db8:3::2 64
    [*Hub-PE-GigabitEthernet0/3/0] commit
    [*Hub-PE-GigabitEthernet0/3/0] quit
    [*Hub-PE] interface gigabitethernet 0/4/0
    [*Hub-PE-GigabitEthernet0/4/0] ip binding vpn-instance vpn_out
    [*Hub-PE-GigabitEthernet0/4/0] ipv6 enable
    [*Hub-PE-GigabitEthernet0/4/0] ipv6 address 2001:db8:4::2 64
    [*Hub-PE-GigabitEthernet0/4/0] commit
    [~Hub-PE-GigabitEthernet0/4/0] quit

    # Assign an IP address to each interface on CEs as shown in Figure 6-16. The detailed configuration procedure is not mentioned here. For configuration details, see Configuration Files in this section.

    After the configuration, run the display ip vpn-instance verbose command on PEs to view the configurations of VPN instances. Each PE can successfully ping its connected CEs by using the ping ipv6 vpn-instance vpn-name ip-address command.

  4. Set up the EBGP peer relationships between the PEs and CEs and import VPN routes.

    NOTE:

    Configure the Hub-PE to allow the AS number to be repeated once in the AS_Path attribute to receive the routes advertised by the Hub-CE.

    You do not need to configure the Spoke-PEs to allow the AS number to be repeated once, because the NE does not check the AS_Path attribute of routes received from an IBGP peer.

    # Configure Spoke-CE1.

    [~Spoke-CE1] interface loopback 1
    [*Spoke-CE1-Loopback1] ipv6 enable
    [*Spoke-CE1-Loopback1] ipv6 address 2001:db8:11::1 128
    [*Spoke-CE1-Loopback1] quit
    [*Spoke-CE1] bgp 65410
    [*Spoke-CE1-bgp] router-id 1.1.1.1
    [*Spoke-CE1-bgp] peer 2001:db8:1::2 as-number 100
    [*Spoke-CE1-bgp] ipv6-family unicast
    [*Spoke-CE1-bgp-af-ipv6] peer 2001:db8:1::2 enable
    [*Spoke-CE1-bgp-af-ipv6] network 2001:db8:11::1 128
    [*Spoke-CE1-bgp-af-ipv6] quit
    [*Spoke-CE1-bgp] quit
    [*Spoke-CE1] commit

    # Configure Spoke-PE1.

    [~Spoke-PE1] bgp 100
    [*Spoke-PE1-bgp] ipv6-family vpn-instance vpna
    [*Spoke-PE1-bgp-6-vpna] peer 2001:db8:1::1 as-number 65410
    [*Spoke-PE1-bgp-6-vpna] commit
    [~Spoke-PE1-bgp-6-vpna] quit
    [~Spoke-PE1-bgp] quit

    # Configure Spoke-CE2.

    [~Spoke-CE2] interface loopback 1
    [*Spoke-CE2-Loopback1] ipv6 enable
    [*Spoke-CE2-Loopback1] ipv6 address 2001:db8:12::2 128
    [*Spoke-CE2-Loopback1] quit
    [*Spoke-CE2] bgp 65420
    [*Spoke-CE2-bgp] router-id 3.3.3.3
    [*Spoke-CE2-bgp] peer 2001:db8:2::2 as-number 100
    [*Spoke-CE2-bgp] ipv6-family unicast
    [*Spoke-CE2-bgp-af-ipv6] peer 2001:db8:2::2 enable
    [*Spoke-CE2-bgp-af-ipv6] network 2001:db8:12::2 128
    [*Spoke-CE2-bgp-af-ipv6] quit
    [*Spoke-CE2-bgp] quit
    [*Spoke-CE2] commit

    # Configure Spoke-PE2.

    [~Spoke-PE2] bgp 100
    [*Spoke-PE2-bgp] ipv6-family vpn-instance vpna
    [*Spoke-PE2-bgp-6-vpna] peer 2001:db8:2::1 as-number 65420
    [*Spoke-PE2-bgp-6-vpna] quit
    [*Spoke-PE2-bgp] quit
    [*Spoke-PE2] commit

    # Configure the Hub-CE.

    [~Hub-CE] interface loopback 1
    [*Hub-CE-Loopback1] ipv6 enable
    [*Hub-CE-Loopback1] ipv6 address 2001:db8:13::3 128
    [*Hub-CE-Loopback1] quit
    [*Hub-CE] bgp 65430
    [*Hub-CE-bgp] router-id 2.2.2.2
    [*Hub-CE-bgp] peer 2001:db8:3::2 as-number 100
    [*Hub-CE-bgp] peer 2001:db8:4::2 as-number 100
    [*Hub-CE-bgp] ipv6-family unicast
    [*Hub-CE-bgp-af-ipv6] peer 2001:db8:3::2 enable
    [*Hub-CE-bgp-af-ipv6] peer 2001:db8:4::2 enable
    [*Hub-CE-bgp-af-ipv6] network 2001:db8:13::3 128
    [*Hub-CE-bgp-af-ipv6] quit
    [*Hub-CE-bgp] quit
    [*Hub-CE] commit

    # Configure the Hub-PE.

    [~Hub-PE] bgp 100
    [*Hub-PE-bgp] ipv6-family vpn-instance vpn_in
    [*Hub-PE-bgp-6-vpn_in] peer 2001:db8:3::1 as-number 65430
    [*Hub-PE-bgp-6-vpn_in] commit
    [*Hub-PE-bgp-6-vpn_in] quit
    [*Hub-PE-bgp] ipv6-family vpn-instance vpn_out
    [*Hub-PE-bgp-6-vpn_out] peer 2001:db8:4::1 as-number 65430
    [*Hub-PE-bgp-6-vpn_out] peer 2001:db8:4::1 allow-as-loop 1
    [*Hub-PE-bgp-6-vpn_out] quit
    [*Hub-PE-bgp] quit
    [*Hub-PE] commit

    After the configuration, run the display bgp vpnv6 all peer command on the PEs. The command output shows that BGP peer relationships have been established between PEs and CEs.

  5. Set up MP-IBGP peer relationships between the PEs.

    # Configure Spoke-PE1.

    [~Spoke-PE1] bgp 100
    [*Spoke-PE1-bgp] peer 2.2.2.9 as-number 100
    [*Spoke-PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
    [*Spoke-PE1-bgp] ipv6-family vpnv6
    [*Spoke-PE1-bgp-af-vpnv6] peer 2.2.2.9 enable
    [*Spoke-PE1-bgp-af-vpnv6] commit
    [~Spoke-PE1-bgp-af-vpnv6] quit

    # Configure Spoke-PE2.

    [~Spoke-PE2] bgp 100
    [*Spoke-PE2-bgp] peer 2.2.2.9 as-number 100
    [*Spoke-PE2-bgp] peer 2.2.2.9 connect-interface loopback 1
    [*Spoke-PE2-bgp] ipv6-family vpnv6
    [*Spoke-PE2-bgp-af-vpnv6] peer 2.2.2.9 enable
    [*Spoke-PE2-bgp-af-vpnv6] commit
    [~Spoke-PE2-bgp-af-vpnv6] quit

    # Configure the Hub-PE.

    [~Hub-PE] bgp 100
    [*Hub-PE-bgp] peer 1.1.1.9 as-number 100
    [*Hub-PE-bgp] peer 1.1.1.9 connect-interface loopback 1
    [*Hub-PE-bgp] peer 3.3.3.9 as-number 100
    [*Hub-PE-bgp] peer 3.3.3.9 connect-interface loopback 1
    [*Hub-PE-bgp] ipv6-family vpnv6
    [*Hub-PE-bgp-af-vpnv6] peer 1.1.1.9 enable
    [*Hub-PE-bgp-af-vpnv6] peer 3.3.3.9 enable
    [*Hub-PE-bgp-af-vpnv6] commit
    [~Hub-PE-bgp-af-vpnv6] quit

    After the configuration, run the display bgp peer or display bgp vpnv6 all peer command on the PEs. The command output shows that the BGP peer relationships have been established between the PEs.

  6. Verify the configuration.

    After the configuration, the Spoke-CEs can successfully ping each other.

    The following example uses the command output on Spoke-CE1.

    <Spoke-CE1> ping ipv6 -a 2001:db8:11::1 2001:db8:12::2
      PING 2001:db8:12::2 : 56  data bytes, press CTRL_C to break
        Reply from 2001:db8:12::2
        bytes=56 Sequence=1 hop limit=59 time=7 ms
        Reply from 2001:db8:12::2
        bytes=56 Sequence=2 hop limit=59 time=3 ms
        Reply from 2001:db8:12::2
        bytes=56 Sequence=3 hop limit=59 time=3 ms
        Reply from 2001:db8:12::2
        bytes=56 Sequence=4 hop limit=59 time=3 ms
        Reply from 2001:db8:12::2
        bytes=56 Sequence=5 hop limit=59 time=3 ms
    
      ---2001:db8:12::2 ping statistics---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max=3/3/7 ms

    Run the display bgp ipv6 routing-table command on each Spoke-CE. The command output shows repeated AS numbers in the AS_Path attributes of the BGP routes to the peer Spoke-CE.

    The following example uses the command output on Spoke-CE1.

    <Spoke-CE1> display bgp ipv6 routing-table
     BGP Local router ID is 1.1.1.1
     Status codes: * - valid, > - best, d - damped, x - best external,
                   h - history,  i - internal, s - suppressed, S - Stale
                   Origin : i - IGP, e - EGP, ? - incomplete
    
    
     Total Number of Routes: 3
     *>    Network  : 2001:db8:11::1                           PrefixLen : 128
           NextHop  : ::                                       LocPrf    :
           MED      : 0                                        PrefVal   : 0
           Label    :
           Path/Ogn :  i
     *>    Network  : 2001:db8:12::2                           PrefixLen : 128
           NextHop  : 2001:db8:1::2                            LocPrf    :
           MED      :                                          PrefVal   : 0
           Label    :
           Path/Ogn : 100 65430 100 65420i
     *>    Network  : 2001:db8:13::3                           PrefixLen : 128
           NextHop  : 2001:db8:1::2                            LocPrf    :
           MED      :                                          PrefVal   : 0
           Label    :
           Path/Ogn : 100 65430i
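
The repeated AS number in the output above is what shows that a spoke route was relayed by the Hub-CE. The following Python check is an added example, not part of the original guide: it parses that output format and flags any remote route that does not cross the Hub-CE AS. The extra prefix 2001:db8:99::9 and the function names are constructed for illustration.

```python
import re

# Constructed sample: the Spoke-CE1 routes shown above (trimmed to the fields
# used here) plus one hypothetical route, 2001:db8:99::9, that reaches a
# remote spoke without passing through the Hub-CE.
SAMPLE = """\
 *>    Network  : 2001:db8:11::1                           PrefixLen : 128
       NextHop  : ::                                       LocPrf    :
       Path/Ogn :  i
 *>    Network  : 2001:db8:12::2                           PrefixLen : 128
       NextHop  : 2001:db8:1::2                            LocPrf    :
       Path/Ogn : 100 65430 100 65420i
 *>    Network  : 2001:db8:13::3                           PrefixLen : 128
       NextHop  : 2001:db8:1::2                            LocPrf    :
       Path/Ogn : 100 65430i
 *>    Network  : 2001:db8:99::9                           PrefixLen : 128
       NextHop  : 2001:db8:1::2                            LocPrf    :
       Path/Ogn : 100 65420i
"""

HUB_CE_AS = 65430    # AS of the Hub-CE in this example
BACKBONE_AS = 100    # AS of the PEs in this example


def parse_routes(text):
    """Return {"prefix/len": [asn, ...]} from the multi-line IPv6 BGP table."""
    routes, current = {}, None
    for line in text.splitlines():
        m = re.search(r"Network\s*:\s*(\S+)\s+PrefixLen\s*:\s*(\d+)", line)
        if m:
            current = f"{m.group(1)}/{m.group(2)}"
            continue
        m = re.search(r"Path/Ogn\s*:\s*(.*)$", line)
        if m and current:
            # The trailing i, e or ? is the origin code, not an AS number.
            path = re.sub(r"[ie?]\s*$", "", m.group(1)).split()
            routes[current] = [int(asn) for asn in path]
            current = None
    return routes


def classify(as_path):
    """Label one AS_Path as seen from a Spoke-CE."""
    if not as_path:
        return "local"
    if as_path[-1] == HUB_CE_AS:
        return "hub"              # originated by the Hub-CE itself
    if HUB_CE_AS in as_path and as_path.count(BACKBONE_AS) == 2:
        return "spoke-via-hub"    # backbone crossed twice, Hub-CE in between
    return "bypass"               # remote site reached without the Hub-CE


def audit(text):
    return {prefix: classify(path) for prefix, path in parse_routes(text).items()}
```

A "bypass" result on a Spoke-CE means the route did not pass through the Hub-CE, so the access control applied there is not in the path for that prefix.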

Configuration Files

  • Configuration file of Spoke-CE1

    #
    sysname Spoke-CE1
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ipv6 enable
     ipv6 address 2001:db8:1::1/64
    #
    interface LoopBack1
     ipv6 enable
     ipv6 address 2001:db8:11::1/128
    #
    bgp 65410
     router-id 1.1.1.1
     peer 2001:db8:1::2 as-number 100
     #
     ipv6-family unicast
      undo synchronization
      network 2001:db8:11::1 128
      peer 2001:db8:1::2 enable
    #
    return
  • Configuration file of Spoke-PE1

    #
    sysname Spoke-PE1
    #
    ip vpn-instance vpna
     ipv6-family
      route-distinguisher 100:1
      vpn-target 100:1 export-extcommunity
      vpn-target 200:1 import-extcommunity
    #
    mpls lsr-id 1.1.1.9
    #
    mpls
    #
    mpls ldp
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ip binding vpn-instance vpna
     ipv6 enable
     ipv6 address 2001:db8:1::2/64
    #
    interface GigabitEthernet0/2/0
     undo shutdown
     ip address 20.1.1.1 255.255.255.0
     mpls
     mpls ldp
    #
    interface LoopBack1
     ip address 1.1.1.9 255.255.255.255
    #
    bgp 100
     peer 2.2.2.9 as-number 100
     peer 2.2.2.9 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 2.2.2.9 enable
     #
     ipv6-family vpnv6
      policy vpn-target
      peer 2.2.2.9 enable
     #
     ipv6-family vpn-instance vpna
      peer 2001:db8:1::1 as-number 65410
    #
    ospf 1
     area 0.0.0.0
      network 1.1.1.9 0.0.0.0
      network 20.1.1.0 0.0.0.255
    #
    return
  • Configuration file of Spoke-PE2

    #
    sysname Spoke-PE2
    #
    ip vpn-instance vpna
     ipv6-family
      route-distinguisher 100:3
      vpn-target 100:1 export-extcommunity
      vpn-target 200:1 import-extcommunity
    #
    mpls lsr-id 3.3.3.9
    #
    mpls
    #
    mpls ldp
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ip binding vpn-instance vpna
     ipv6 enable
     ipv6 address 2001:db8:2::2/64
    #
    interface GigabitEthernet0/2/0
     undo shutdown
     ip address 11.1.1.1 255.255.255.0
     mpls
     mpls ldp
    #
    interface LoopBack1
     ip address 3.3.3.9 255.255.255.255
    #
    bgp 100
     peer 2.2.2.9 as-number 100
     peer 2.2.2.9 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 2.2.2.9 enable
     #
     ipv6-family vpnv6
      policy vpn-target
      peer 2.2.2.9 enable
     #
     ipv6-family vpn-instance vpna
      peer 2001:db8:2::1 as-number 65420
    #
    ospf 1
     area 0.0.0.0
      network 3.3.3.9 0.0.0.0
      network 11.1.1.0 0.0.0.255
    #
    return
  • Configuration file of Spoke-CE2

    #
    sysname Spoke-CE2
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ipv6 enable
     ipv6 address 2001:db8:2::1/64
    #
    interface LoopBack1
     ipv6 enable
     ipv6 address 2001:db8:12::2/128
    #
    bgp 65420
     router-id 3.3.3.3
     peer 2001:db8:2::2 as-number 100
     #
     ipv6-family unicast
      undo synchronization
      network 2001:db8:12::2 128
      peer 2001:db8:2::2 enable
    #
    return
  • Configuration file of the Hub-CE

    #
    sysname Hub-CE
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ipv6 enable
     ipv6 address 2001:db8:3::1/64
    #
    interface GigabitEthernet0/2/0
     undo shutdown
     ipv6 enable
     ipv6 address 2001:db8:4::1/64
    #
    interface LoopBack1
     ipv6 enable
     ipv6 address 2001:db8:13::3/128
    #
    bgp 65430
     router-id 2.2.2.2
     peer 2001:db8:3::2 as-number 100
     peer 2001:db8:4::2 as-number 100
     #
     ipv6-family unicast
      undo synchronization
      network 2001:db8:13::3 128
      peer 2001:db8:3::2 enable
      peer 2001:db8:4::2 enable
    #
    return
  • Configuration file of the Hub-PE

    #
    sysname Hub-PE
    #
    ip vpn-instance vpn_in
     ipv6-family
      route-distinguisher 100:21
      vpn-target 100:1 import-extcommunity
    #
    ip vpn-instance vpn_out
     ipv6-family
      route-distinguisher 100:22
      vpn-target 200:1 export-extcommunity
    #
    mpls lsr-id 2.2.2.9
    #
    mpls
    #
    mpls ldp
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ip address 20.1.1.2 255.255.255.0
     mpls
     mpls ldp
    #
    interface GigabitEthernet0/2/0
     undo shutdown
     ip address 11.1.1.2 255.255.255.0
     mpls
     mpls ldp
    #
    interface GigabitEthernet0/3/0
     undo shutdown
     ip binding vpn-instance vpn_in
     ipv6 enable
     ipv6 address 2001:db8:3::2/64
    #
    interface GigabitEthernet0/4/0
     undo shutdown
     ip binding vpn-instance vpn_out
     ipv6 enable
     ipv6 address 2001:db8:4::2/64
    #
    interface LoopBack1
     ip address 2.2.2.9 255.255.255.255
    #
    bgp 100
     peer 1.1.1.9 as-number 100
     peer 1.1.1.9 connect-interface LoopBack1
     peer 3.3.3.9 as-number 100
     peer 3.3.3.9 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 1.1.1.9 enable
      peer 3.3.3.9 enable
     #
     ipv6-family vpnv6
      policy vpn-target
      peer 1.1.1.9 enable
      peer 3.3.3.9 enable
     #
     ipv6-family vpn-instance vpn_in
      peer 2001:db8:3::1 as-number 65430
     #
     ipv6-family vpn-instance vpn_out
      peer 2001:db8:4::1 as-number 65430
      peer 2001:db8:4::1 allow-as-loop
    #
    ospf 1
     area 0.0.0.0
      network 2.2.2.9 0.0.0.0
      network 20.1.1.0 0.0.0.255
      network 11.1.1.0 0.0.0.255
    #
    return
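
The VPN target rules in Configuration Notes and in the NOTE of step 3 can be checked mechanically against saved configurations. The following Python audit is an added example, not part of the original guide: it parses the `ip vpn-instance` stanzas and reports any violation of those rules. The function names and the `BAD_CONFIGS` variant are constructed for illustration.

```python
# VPN-instance stanzas from this page's configuration files, with the
# route-distinguisher lines left out (both Spoke-PEs use the same targets).
SPOKE = """ip vpn-instance vpna
 ipv6-family
  vpn-target 100:1 export-extcommunity
  vpn-target 200:1 import-extcommunity
"""
HUB = """ip vpn-instance vpn_in
 ipv6-family
  vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn_out
 ipv6-family
  vpn-target 200:1 export-extcommunity
"""
PAGE_CONFIGS = {"Spoke-PE1": SPOKE, "Spoke-PE2": SPOKE, "Hub-PE": HUB}
# Constructed misconfiguration: Spoke-PE2 also imports the spokes' export target.
BAD_CONFIGS = dict(PAGE_CONFIGS)
BAD_CONFIGS["Spoke-PE2"] = SPOKE + "  vpn-target 100:1 import-extcommunity\n"

KINDS = {"import-extcommunity": ("import",), "export-extcommunity": ("export",),
         "both": ("import", "export")}


def parse_targets(cfg):
    """Return {instance: {"import": set, "export": set}} for one device."""
    out, inst = {}, None
    for line in cfg.splitlines():
        tok = line.split()
        if tok[:2] == ["ip", "vpn-instance"] and len(tok) == 3:
            inst = out.setdefault(tok[2], {"import": set(), "export": set()})
        elif inst is not None and tok[:1] == ["vpn-target"]:
            # No trailing keyword means the target applies in both directions.
            for side in KINDS.get(tok[-1], KINDS["both"]):
                inst[side].update(t for t in tok[1:] if t not in KINDS)
    return out


def audit(configs, hub="Hub-PE"):
    """Return a list of findings; an empty list means the rules hold."""
    parsed = {dev: parse_targets(cfg) for dev, cfg in configs.items()}

    def merged(devs, side):
        return set().union(*(i[side] for d in devs for i in parsed[d].values()))

    spokes = [d for d in parsed if d != hub]
    s_imp, s_exp = merged(spokes, "import"), merged(spokes, "export")
    h_imp, h_exp = merged([hub], "import"), merged([hub], "export")
    findings = []
    if s_imp & s_exp:
        findings.append(f"spoke imports spoke export target {sorted(s_imp & s_exp)}")
    if not s_exp <= h_imp:
        findings.append(f"hub does not import {sorted(s_exp - h_imp)}")
    if not s_imp <= h_exp:
        findings.append(f"hub does not export {sorted(s_imp - h_exp)}")
    if h_imp & h_exp:
        findings.append(f"hub import and export targets overlap {sorted(h_imp & h_exp)}")
    return findings
```

The first finding is the one that matters for access control: a spoke that imports another spoke's export target receives that spoke's routes directly, and traffic between the two no longer passes through the Hub-CE.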
Updated: 2019-01-14

Document ID: EDOC1100058925
