
ME60 V800R010C10SPC500 Configuration Guide - IP Routing 01


Configuring the Association Between IPv4 Direct Routes and IPsec Instance Status

The association between IPv4 direct routes and IP security (IPsec) instance status ensures that data encrypted using IPsec can be transmitted to the correct radio network controller site gateway (RSG).

Usage Scenario

In an IP radio access network (IPRAN) scenario, some services require high security. To meet such requirements, cell site gateways (CSGs) encrypt data of these services using IPsec. After the data flows to RSGs (IPsec gateways) through an IPsec tunnel, the RSGs decrypt the data. In most cases, carriers deploy master and backup RSGs and configure the same IP address for the IPsec tunnel interfaces of the master and backup RSGs to improve network reliability.

Without the association between IPv4 direct routes and IPsec instance status, IPv4 direct routes with the same prefix generated on the IPsec tunnel interfaces of the master and backup RSGs share the same default cost (0). As a result, after receiving these routes from the master and backup RSGs, CSGs cannot select an optimal one based on the cost.

With the association between IPv4 direct routes and IPsec instance status:
  • If the IPsec instance status is master on an IPsec tunnel interface, the cost of the IPv4 direct routes generated on the interface is 0.
  • If the IPsec instance status is backup on an IPsec tunnel interface or the system cannot detect the IPsec instance status, the cost of the IPv4 direct routes generated on the interface is the cost configured on the interface.

After receiving the IPv4 direct routes with the same prefix from the master and backup RSGs, CSGs can select an optimal one based on the cost. Therefore, the CSGs can transmit data encrypted using IPsec to the correct RSG.

Pre-configuration Tasks

Before configuring the association between IPv4 direct routes and IPsec instance status, complete the following tasks:
  • Configure link layer protocol parameters and IP addresses for interfaces and ensure that the link layer protocol of each interface is Up.
  • Configure IPsec.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface tunnel interface-number

    A tunnel interface is created, and the tunnel interface view is displayed.

  3. Run tunnel-protocol ipsec

    The encapsulation protocol is set to IPsec on the tunnel interface.

  4. Run ipsec policy policy-name service-instance-group service-group-name instance instance-id

    The IPsec policy is applied on the interface.

  5. Run direct-route track ipsec-instance degrade-cost cost

    The association between IPv4 direct routes and IPsec instance status is configured.

    NOTE:

    If the IPsec tunnel interface uses the IP address of another interface, the association between the cost of IPv4 direct routes and the IPsec instance status cannot be configured on this IPsec tunnel interface.

    The cost of local IPv4 direct routes that are not to be advertised cannot be associated with the IPsec instance status.

  6. Run commit

    The configuration is committed.

Checking the Configurations

After configuring the association between IPv4 direct routes and IPsec instance status, run the display ip routing-table vpn-instance vpn-instance-name [ ip-address ] [ verbose ] command on the RSG to check the IP routing table of the VPN instance, or run the display ip routing-table [ ip-address [ mask | mask-length ] [ verbose ] ] command to check the IP routing table of the public network instance. The cost of the direct routes generated on the IPsec tunnel interface depends on the IPsec instance status:
  • If the IPsec instance status is master on an IPsec tunnel interface, the cost of the IPv4 direct routes generated on the interface is 0.
  • If the IPsec instance status is backup on an IPsec tunnel interface or the system cannot detect the IPsec instance status, the cost of the IPv4 direct routes generated on the interface is the cost configured on the interface.
<HUAWEI> display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : _public_
         Destinations : 10       Routes : 10        

Destination/Mask    Proto   Pre  Cost        Flags NextHop         Interface

        0.0.0.0/0   Static  60   0             D   172.16.1.2      GigabitEthernet1/0/0
      127.0.0.0/8   Direct  0    0             D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0             D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0             D   127.0.0.1       InLoopBack0
     172.16.1.0/24  Direct  0    0             D   172.16.1.1      GigabitEthernet1/0/0
     172.16.1.1/32  Direct  0    0             D   127.0.0.1       GigabitEthernet1/0/0
   172.16.1.100/32  Direct  0    0             D   127.0.0.1       GigabitEthernet1/0/0
   172.16.1.255/32  Direct  0    0             D   127.0.0.1       GigabitEthernet1/0/0
    192.168.1.1/32  Direct  0    50            D   127.0.0.1       Tunnel0
255.255.255.255/32  Direct  0    0             D   127.0.0.1       InLoopBack0

According to the preceding command output, the cost of the direct route generated on the IPsec tunnel interface has been changed to 50.
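An added example (not part of the Huawei guide) that automates this check across both RSGs: it parses display ip routing-table output collected from each RSG and reports, for every direct route on a tunnel interface, which RSG advertises the lower cost, or whether the costs tie, which is the case where CSGs cannot select a route by cost. The names RSG-A and RSG-B and the RSG-A row are constructed; the RSG-B row is the Tunnel0 line from the output above.

```python
import re

# Constructed sample: one Tunnel0 row per RSG, as captured from
# "display ip routing-table". RSG-B's row is the one shown on this page.
SAMPLE = {
    "RSG-A": "    192.168.1.1/32  Direct  0    0             D   127.0.0.1       Tunnel0",
    "RSG-B": "    192.168.1.1/32  Direct  0    50            D   127.0.0.1       Tunnel0",
}

# Assumes the seven-column layout shown above, with a non-empty Flags field.
ROW = re.compile(
    r"^\s*(?P<dest>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<proto>\S+)\s+(?P<pre>\d+)\s+"
    r"(?P<cost>\d+)\s+(?P<flags>\S+)\s+(?P<nexthop>\S+)\s+(?P<iface>\S+)\s*$"
)

def tunnel_direct_costs(output):
    """Return {prefix: cost} for Direct routes whose interface is a Tunnel."""
    costs = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if m and m["proto"] == "Direct" and m["iface"].startswith("Tunnel"):
            costs[m["dest"]] = int(m["cost"])
    return costs

def audit(outputs):
    """Compare tunnel direct-route costs across RSGs.
    Returns {prefix: (status, preferred_rsg_or_None)}."""
    per_prefix = {}
    for rsg, text in outputs.items():
        for prefix, cost in tunnel_direct_costs(text).items():
            per_prefix.setdefault(prefix, {})[rsg] = cost
    result = {}
    for prefix, by_rsg in per_prefix.items():
        low = min(by_rsg.values())
        winners = sorted(r for r, c in by_rsg.items() if c == low)
        if len(by_rsg) < 2:
            result[prefix] = ("single-rsg", winners[0])
        elif len(winners) > 1:
            # Equal cost on several RSGs: CSGs cannot choose by cost.
            result[prefix] = ("ambiguous", None)
        else:
            result[prefix] = ("ok", winners[0])
    return result
```

An "ambiguous" result for a tunnel prefix means the RSGs advertise it at the same cost, for example when the association is not configured on either side.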

Updated: 2019-01-04

Document ID: EDOC1100059437
