Configuration Guide - VPN

S7700 and S9700 V200R013C00

This document describes the configurations of VPN, including GRE, IPSec, BGP/MPLS IP VPN, BGP/MPLS IPv6 VPN, VLL, PWE3, VPLS, L2VPN Access to L3VPN.

Example for Configuring VPN GR

Networking Requirements

CE1 and CE2 belong to the same VPN. PE1, P, and PE2 on the backbone network belong to the same AS and use the IS-IS protocol to exchange routing information. CE1 connects to PE1, and CE2 connects to PE2. BGP runs between CE1 and PE1, and OSPF runs between CE2 and PE2. Figure 3-63 shows the networking diagram.

Figure 3-63  Networking diagram for configuring VPN GR

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure basic BGP/MPLS IP VPN functions.

  2. Configure IGP GR, BGP GR, and LDP GR on the backbone network. Configure GR for the routing protocols running between the PEs and CEs to ensure uninterrupted VPN traffic forwarding when an active/standby switchover occurs on any of the CEs, PEs, and P.

Procedure

  1. Create VLANs and add interfaces to the VLANs.

    # Configure PE1. The configuration on P, PE2, CE2, and CE1 is similar to the configuration on PE1 and is not mentioned here.

    <HUAWEI> system-view
    [HUAWEI] sysname PE1
    [PE1] vlan batch 10 20
    [PE1] interface gigabitethernet 1/0/0
    [PE1-GigabitEthernet1/0/0] port link-type trunk
    [PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
    [PE1-GigabitEthernet1/0/0] quit
    [PE1] interface gigabitethernet 2/0/0
    [PE1-GigabitEthernet2/0/0] port link-type trunk
    [PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 20
    [PE1-GigabitEthernet2/0/0] quit

  2. Configure basic BGP/MPLS IP VPN functions on the backbone network.

    Configure IS-IS as the IGP on the backbone network, enable LDP on PE1 and PE2, and establish an MP-IBGP peer relationship between PE1 and PE2.

    # Configure PE1.

    [PE1] interface loopback 1
    [PE1-LoopBack1] ip address 1.1.1.9 32
    [PE1-LoopBack1] quit
    [PE1] mpls lsr-id 1.1.1.9
    [PE1] mpls
    [PE1-mpls] quit
    [PE1] mpls ldp
    [PE1-mpls-ldp] quit
    [PE1] isis 1
    [PE1-isis-1] network-entity 10.0000.0000.0001.00
    [PE1-isis-1] quit
    [PE1] interface loopback 1
    [PE1-LoopBack1] isis enable 1
    [PE1-LoopBack1] quit
    [PE1] interface vlanif 20
    [PE1-Vlanif20] ip address 100.1.1.1 30
    [PE1-Vlanif20] isis enable 1
    [PE1-Vlanif20] mpls
    [PE1-Vlanif20] mpls ldp
    [PE1-Vlanif20] quit
    [PE1] bgp 100
    [PE1-bgp] peer 3.3.3.9 as-number 100
    [PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
    [PE1-bgp] ipv4-family vpnv4
    [PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
    [PE1-bgp-af-vpnv4] quit
    [PE1-bgp] quit

    # Configure P.

    [P] interface loopback 1
    [P-LoopBack1] ip address 2.2.2.9 32
    [P-LoopBack1] quit
    [P] mpls lsr-id 2.2.2.9
    [P] mpls
    [P-mpls] quit
    [P] mpls ldp
    [P-mpls-ldp] quit
    [P] isis 1
    [P-isis-1] network-entity 10.0000.0000.0002.00
    [P-isis-1] quit
    [P] interface loopback 1
    [P-LoopBack1] isis enable 1
    [P-LoopBack1] quit
    [P] interface vlanif 20
    [P-Vlanif20] ip address 100.1.1.2 30
    [P-Vlanif20] isis enable 1
    [P-Vlanif20] mpls
    [P-Vlanif20] mpls ldp
    [P-Vlanif20] quit
    [P] interface vlanif 30
    [P-Vlanif30] ip address 100.2.1.1 30
    [P-Vlanif30] isis enable 1
    [P-Vlanif30] mpls
    [P-Vlanif30] mpls ldp
    [P-Vlanif30] quit

    # Configure PE2.

    [PE2] interface loopback 1
    [PE2-LoopBack1] ip address 3.3.3.9 32
    [PE2-LoopBack1] quit
    [PE2] mpls lsr-id 3.3.3.9
    [PE2] mpls
    [PE2-mpls] quit
    [PE2] mpls ldp
    [PE2-mpls-ldp] quit
    [PE2] isis 1
    [PE2-isis-1] network-entity 10.0000.0000.0003.00
    [PE2-isis-1] quit
    [PE2] interface loopback 1
    [PE2-LoopBack1] isis enable 1
    [PE2-LoopBack1] quit
    [PE2] interface vlanif 30
    [PE2-Vlanif30] ip address 100.2.1.2 30
    [PE2-Vlanif30] isis enable 1
    [PE2-Vlanif30] mpls
    [PE2-Vlanif30] mpls ldp
    [PE2-Vlanif30] quit
    [PE2] bgp 100
    [PE2-bgp] peer 1.1.1.9 as-number 100
    [PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
    [PE2-bgp] ipv4-family vpnv4
    [PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
    [PE2-bgp-af-vpnv4] quit
    [PE2-bgp] quit

    After the configuration is complete, run the display isis peer command on PE1 or PE2. The command output shows that the IS-IS neighbor relationship is in the Up state. Run the display mpls ldp session command. The command output shows that an LDP session has been established and the session status is Operational. Run the display bgp vpnv4 all peer command. The command output shows that the BGP peer relationship has been established and is in the Established state.

  3. Configure VPN instances on PEs and bind the interfaces connected to CEs to the VPN instances.

    Configure VPN instance vpn1 on PE1 and bind the interface connected to CE1 to vpn1. Configure VPN instance vpn1 on PE2 and bind the interface connected to CE2 to vpn1. Configure EBGP on CE1 and PE1. Configure OSPF on CE2 and PE2.

    # Configure CE1.

    [CE1] interface vlanif 10
    [CE1-Vlanif10] ip address 10.1.1.1 30
    [CE1-Vlanif10] quit
    [CE1] bgp 65410
    [CE1-bgp] peer 10.1.1.2 as-number 100
    [CE1-bgp] import-route direct
    [CE1-bgp] quit

    # Configure PE1.

    [PE1] ip vpn-instance vpn1
    [PE1-vpn-instance-vpn1] ipv4-family
    [PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
    [PE1-vpn-instance-vpn1-af-ipv4] vpn-target 111:1
    [PE1-vpn-instance-vpn1-af-ipv4] quit
    [PE1-vpn-instance-vpn1] quit
    [PE1] interface vlanif 10
    [PE1-Vlanif10] ip binding vpn-instance vpn1
    [PE1-Vlanif10] ip address 10.1.1.2 30
    [PE1-Vlanif10] quit
    [PE1] bgp 100
    [PE1-bgp] ipv4-family vpn-instance vpn1
    [PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410
    [PE1-bgp-vpn1] quit
    [PE1-bgp] quit

    # Configure PE2.

    [PE2] ip vpn-instance vpn1
    [PE2-vpn-instance-vpn1] ipv4-family
    [PE2-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:2
    [PE2-vpn-instance-vpn1-af-ipv4] vpn-target 111:1
    [PE2-vpn-instance-vpn1-af-ipv4] quit
    [PE2-vpn-instance-vpn1] quit
    [PE2] interface vlanif 40
    [PE2-Vlanif40] ip binding vpn-instance vpn1
    [PE2-Vlanif40] ip address 10.2.1.2 30
    [PE2-Vlanif40] quit
    [PE2] ospf 2 vpn-instance vpn1
    [PE2-ospf-2] area 0
    [PE2-ospf-2-area-0.0.0.0] network 10.2.1.0 0.0.0.3
    [PE2-ospf-2-area-0.0.0.0] quit
    [PE2-ospf-2] import-route bgp
    [PE2-ospf-2] quit
    [PE2] bgp 100
    [PE2-bgp] ipv4-family vpn-instance vpn1
    [PE2-bgp-vpn1] import-route ospf 2
    [PE2-bgp-vpn1] quit
    [PE2-bgp] quit

    # Configure CE2.

    [CE2] interface vlanif 40
    [CE2-Vlanif40] ip address 10.2.1.1 30
    [CE2-Vlanif40] quit
    [CE2] ospf 2
    [CE2-ospf-2] area 0
    [CE2-ospf-2-area-0.0.0.0] network 10.2.1.0 0.0.0.3
    [CE2-ospf-2-area-0.0.0.0] quit
    [CE2-ospf-2] import-route direct
    [CE2-ospf-2] quit

    The basic BGP/MPLS IP VPN configuration is complete, and CE1 and CE2 can communicate with each other.

  4. Configure IGP GR on the backbone network.

    Configure IGP GR on PE1, P, and PE2.

    # Configure PE1.

    [PE1] isis 1
    [PE1-isis-1] graceful-restart
    [PE1-isis-1] quit

    # Configure P.

    [P] isis 1
    [P-isis-1] graceful-restart
    [P-isis-1] quit

    # Configure PE2.

    [PE2] isis 1
    [PE2-isis-1] graceful-restart
    [PE2-isis-1] quit

    Run the display isis graceful-restart status command on PE1, P, and PE2. The command output shows that IS-IS GR has been configured.

    The information displayed on PE1 is used as an example.

    [PE1] display isis graceful-restart status
    
                            Restart information for ISIS(1)
                            -------------------------------
    
    IS-IS(1) Level-1 Restart Status
    Restart Interval: 300
    SA Bit Supported
      Total Number of Interfaces = 2
    Restart Status: RESTART COMPLETE
    
    IS-IS(1) Level-2 Restart Status
    Restart Interval: 300
    SA Bit Supported
      Total Number of Interfaces = 2
      Restart Status: RESTART COMPLETE

  5. Configure MPLS LDP GR on the backbone network.

    Configure MPLS LDP GR on PE1, P, and PE2.

    # Configure PE1.

    [PE1] mpls ldp
    [PE1-mpls-ldp] graceful-restart
    [PE1-mpls-ldp] quit

    # Configure P.

    [P] mpls ldp
    [P-mpls-ldp] graceful-restart
    [P-mpls-ldp] quit

    # Configure PE2.

    [PE2] mpls ldp
    [PE2-mpls-ldp] graceful-restart
    [PE2-mpls-ldp] quit

  6. Configure GR for the routing protocols running between the PEs and CEs.

    Configure BGP GR on PE1 and CE1. Configure OSPF GR on PE2 and CE2.

    # Configure PE1.

    [PE1] bgp 100
    [PE1-bgp] graceful-restart
    [PE1-bgp] quit

    # Configure CE1.

    [CE1] bgp 65410
    [CE1-bgp] graceful-restart
    [CE1-bgp] quit

    # Configure PE2.

    [PE2] ospf 2 vpn-instance vpn1
    [PE2-ospf-2] opaque-capability enable
    [PE2-ospf-2] graceful-restart
    [PE2-ospf-2] quit

    # Configure CE2.

    [CE2] ospf 2
    [CE2-ospf-2] opaque-capability enable
    [CE2-ospf-2] graceful-restart
    [CE2-ospf-2] quit

    Run the display ospf brief command on PE2 or CE2. The command output shows that OSPF GR has been configured successfully.

    The information displayed on PE2 is used as an example.

    [PE2] display ospf brief
    
             OSPF Process 2 with Router ID 10.2.1.2
                      OSPF Protocol Information
    
     RouterID: 10.2.1.2         Border Router:  AREA  AS
     ECA-route-type: 0x0306
     Route Tag: 3489661028
     PE Router, Multi-VPN-Instance is enabled
     Opaque Capable
    Global DS-TE Mode: Non-Standard IETF Mode
    Graceful-restart capability: planned and un-planned, totally
     Helper support capability  : enabled
            filter capability   : disabled
            policy capability   : strict lsa check, planned and un-planned
     Applications Supported: MPLS Traffic-Engineering
     Spf-schedule-interval: max 10000ms, start 500ms, hold 1000ms
     Default ASE parameters: Metric: 1 Tag: 1 Type: 2
     Route Preference: 10
     ASE Route Preference: 150
     SPF Computation Count: 8
     RFC 1583 Compatible
     Retransmission limitation is disabled
     OSPF is in protocol hot standby state: Real-Time Backup
     Area Count: 1   Nssa Area Count: 0 
     ExChange/Loading Neighbors: 0
     Process total up interface count: 1
     Process valid up interface count: 1
     
     Area: 0.0.0.0          (MPLS TE not enabled)
     Authtype: None   Area flag: Normal
     SPF scheduled Count: 8     
     ExChange/Loading Neighbors: 0            
     Router ID conflict state: Normal
     Area interface up count: 1
    
     Interface: 10.2.1.2 (Vlanif40)
     Cost: 1       State: BDR       Type: Broadcast    MTU: 1500
     Priority: 1
     Designated Router: 10.2.1.1
     Backup Designated Router: 10.2.1.2
     Timers: Hello 10 , Dead 40 , Poll  120 , Retransmit 5 , Transmit Delay 1

  7. Configure BGP GR on PEs.

    BGP GR has been configured in step 5, so you only need to configure BGP GR on PE2 in this step.

    # Configure PE2.

    [PE2] bgp 100
    [PE2-bgp] graceful-restart
    [PE2-bgp] quit

    Run the display bgp vpnv4 all peer verbose command on PE1. The command output shows that IBGP GR has taken effect between PE1 and PE2, and EBGP GR has taken effect between PE1 and CE1.

    [PE1] display bgp vpnv4 all peer verbose
    
             BGP Peer is 3.3.3.9,  remote AS 100
             Type: IBGP link
             BGP version 4, Remote router ID 3.3.3.9
             Update-group ID: 1
             BGP current state: Established, Up for 00h23m47s
             BGP current event: RecvUpdate
             BGP last state: OpenConfirm
             BGP Peer Up count: 2
             Received total routes: 2
             Received active routes total: 2
             Received mac routes: 0
             Advertised total routes: 2
             Port:  Local - 51939    Remote - 179
             Configured: Connect-retry Time: 32 sec
             Configured: Min Hold Time: 0 sec
             Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Received  : Active Hold Time: 180 sec
             Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Peer optional capabilities:
             Peer supports bgp multi-protocol extension
             Peer supports bgp route refresh capability
             Peer supports bgp 4-byte-as capability
             Graceful Restart Capability: advertised and received
                  Restart Timer Value received from Peer: 150 seconds
                 Address families preserved for peer in GR:
                     IPv4 Unicast (was preserved)
                     VPNv4 (was preserved)
             Address family IPv4 Unicast: advertised and received
             Address family VPNv4: advertised and received
     Received: Total 29 messages
                      Update messages                9
                      Open messages                  1
                      KeepAlive messages             19
                      Notification messages          0
                      Refresh messages               0
     Sent: Total 25 messages
                      Update messages                5
                      Open messages                  1
                      KeepAlive messages             19
                      Notification messages          0
                      Refresh messages               0
     Authentication type configured: None
     Last keepalive received: 2012-03-03 07:13:49+08:00
     Last keepalive sent    : 2012-03-03 07:13:49+08:00
     Last update    received: 2012-03-03 07:13:49+08:00
     Last update    sent    : 2012-03-03 07:13:49+08:00
     Minimum route advertisement interval is 0 seconds
     Optional capabilities:
     Route refresh capability has been enabled
     4-byte-as capability has been enabled
     Connect-interface has been configured
     Peer Preferred Value: 0
     Routing policy configured:
     No routing policy is configured
    
             IPv4-family for VPN instance:   vpn1   
    
             BGP Peer is 10.1.1.1, remote AS 65410
             Type: EBGP link
             BGP version 4, Remote router ID 10.1.1.1
             Update-group ID: 1
             BGP current state: Established, Up for 00h43m05s
             BGP current event: RecvKeepalive
             BGP last state: OpenConfirm
             BGP Peer Up count: 2
             Received total routes: 2
             Received active routes total: 2
             Received mac routes: 0
             Advertised total routes: 2
             Port:  Local - 49941    Remote - 179
             Configured: Connect-retry Time: 32 sec
             Configured: Min Hold Time: 0 sec
             Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Received  : Active Hold Time: 180 sec
             Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Peer optional capabilities:
             Peer supports bgp multi-protocol extension
             Peer supports bgp route refresh capability
             Peer supports bgp 4-byte-as capability
             Graceful Restart Capability: advertised and received
                 Restart Timer Value received from Peer: 150 seconds
                 Address families preserved for peer in GR:
                     IPv4 Unicast (was preserved)
             Address family IPv4 Unicast: advertised and received
     Received: Total 25 messages
                      Update messages                4
                      Open messages                  1
                      KeepAlive messages             20
                      Notification messages          0
                      Refresh messages               0
     Sent: Total 28 messages
                      Update messages                9
                      Open messages                  1
                      KeepAlive messages             18
                      Notification messages          0
                      Refresh messages               0
     Authentication type configured: None
     Last keepalive received: 2012-03-03 07:13:49+08:00
     Last keepalive sent    : 2012-03-03 07:13:49+08:00
     Last update    received: 2012-03-03 07:13:49+08:00
     Last update    sent    : 2012-03-03 07:13:49+08:00
     Minimum route advertisement interval is 30 seconds
     Optional capabilities:
     Route refresh capability has been enabled
     4-byte-as capability has been enabled
     Peer Preferred Value: 0
     Routing policy configured:
     No routing policy is configured

  8. Verify the configurations.

    # Run the display switchover state command on PE1 to check the status of the standby MPU. The following information is displayed:

    Slot 4 HA FSM State(master): realtime or routine backup.
    Slot 5 HA FSM State(slave): receiving realtime or routine data.

    Perform an active/standby switchover on PE1.

    [PE1] slave switchover
    Warning: This operation will switch the slave board to the master board. Continue?[Y/N]:y

    Communication between the site connected to CE1 and the site connected to CE2 is not interrupted.

    NOTE:

    Communication between the sites may be interrupted when two or more neighboring devices among CE1, PE1, PE2, and CE2 perform an active/standby switchover at the same time.
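
The check in step 7 can be scripted before a planned switchover. The following Python code is an added example, not part of the Huawei guide: it parses display bgp vpnv4 all peer verbose output, reports peers that are not Established, did not negotiate GR, or did not preserve a required address family, and lists peers whose "Authentication type configured" field is None. The sample text is constructed from the PE1 output in step 7, and the function names are hypothetical.

```python
import re

# Constructed sample: GR-relevant lines trimmed from the PE1 output in step 7.
SAMPLE = """\
BGP Peer is 3.3.3.9,  remote AS 100
Type: IBGP link
BGP current state: Established, Up for 00h23m47s
Graceful Restart Capability: advertised and received
     Restart Timer Value received from Peer: 150 seconds
    Address families preserved for peer in GR:
        IPv4 Unicast (was preserved)
        VPNv4 (was preserved)
Address family VPNv4: advertised and received
Authentication type configured: None

BGP Peer is 10.1.1.1, remote AS 65410
Type: EBGP link
BGP current state: Established, Up for 00h43m05s
Graceful Restart Capability: advertised and received
    Restart Timer Value received from Peer: 150 seconds
    Address families preserved for peer in GR:
        IPv4 Unicast (was preserved)
Authentication type configured: None
"""

PEER = re.compile(r"BGP Peer is (\S+?),\s+remote AS (\d+)")
FIELDS = {
    "state": re.compile(r"BGP current state: (\w+)"),
    "gr": re.compile(r"Graceful Restart Capability: (.+)"),
    "restart_timer": re.compile(r"Restart Timer Value received from Peer: (\d+)"),
    "auth": re.compile(r"Authentication type configured: (.+)"),
}
PRESERVED = re.compile(r"^\s*(.+?) \(was preserved\)\s*$")

def parse_peers(text):
    """Return {peer address: fields}, one entry per 'BGP Peer is' block."""
    peers, cur = {}, None
    for line in text.splitlines():
        m = PEER.search(line)
        if m:
            cur = peers[m.group(1)] = {"as": int(m.group(2)), "preserved": []}
        elif cur is not None:
            m = PRESERVED.match(line)
            if m:
                cur["preserved"].append(m.group(1))
            for key, rx in FIELDS.items():
                m = rx.search(line)
                if m:
                    cur[key] = m.group(1).strip()
    return peers

def gr_findings(peers, required):
    """required maps peer address -> address families that must be preserved."""
    findings = []
    for addr, families in required.items():
        p = peers.get(addr)
        if p is None:
            findings.append(f"{addr}: peer not in output")
            continue
        if p.get("state") != "Established":
            findings.append(f"{addr}: state is {p.get('state')}")
        if p.get("gr") != "advertised and received":
            findings.append(f"{addr}: GR capability is {p.get('gr')}")
        findings += [f"{addr}: {fam} not preserved in GR"
                     for fam in families if fam not in p["preserved"]]
    return findings

def unauthenticated(peers):
    """Peers whose session reports no authentication configured."""
    return sorted(a for a, p in peers.items() if p.get("auth") == "None")
```

For the topology on this page, the expected families are IPv4 Unicast and VPNv4 for 3.3.3.9 and IPv4 Unicast for 10.1.1.1; an empty findings list means both sessions match the output shown in step 7.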

Configuration Files

  • PE1 configuration file

    #
    sysname PE1
    #
    vlan batch 10 20
    #
    ip vpn-instance vpn1
     ipv4-family
      route-distinguisher 100:1
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
    mpls lsr-id 1.1.1.9
    mpls
    #
    mpls ldp
     graceful-restart
    #
    isis 1
     graceful-restart
     network-entity 10.0000.0000.0001.00
    #
    interface Vlanif10
     ip binding vpn-instance vpn1
     ip address 10.1.1.2 255.255.255.252
    #
    interface Vlanif20
     ip address 100.1.1.1 255.255.255.252
     isis enable 1
     mpls
     mpls ldp
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    interface GigabitEthernet2/0/0
     port link-type trunk
     port trunk allow-pass vlan 20
    #
    interface LoopBack1
     ip address 1.1.1.9 255.255.255.255
     isis enable 1
    #
    bgp 100
     graceful-restart
     peer 3.3.3.9 as-number 100
     peer 3.3.3.9 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 3.3.3.9 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 3.3.3.9 enable
     #
     ipv4-family vpn-instance vpn1
      peer 10.1.1.1 as-number 65410
    #
    return
  • P configuration file

    #
    sysname P
    #
    vlan batch 20 30
    #
    mpls lsr-id 2.2.2.9
    mpls
    #
    mpls ldp
     graceful-restart
    #
    isis 1
     graceful-restart
     network-entity 10.0000.0000.0002.00
    #
    interface Vlanif20
     ip address 100.1.1.2 255.255.255.252
     isis enable 1
     mpls
     mpls ldp
    #
    interface Vlanif30
     ip address 100.2.1.1 255.255.255.252
     isis enable 1
     mpls
     mpls ldp
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 20
    #
    interface GigabitEthernet2/0/0
     port link-type trunk
     port trunk allow-pass vlan 30
    #
    interface LoopBack1
     ip address 2.2.2.9 255.255.255.255
     isis enable 1
    #
    return
  • PE2 configuration file

    #
    sysname PE2
    #
    vlan batch 30 40
    #
    ip vpn-instance vpn1
     ipv4-family
      route-distinguisher 100:2
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
    mpls lsr-id 3.3.3.9
    mpls
    #
    mpls ldp
     graceful-restart
    #
    isis 1
     graceful-restart
     network-entity 10.0000.0000.0003.00
    #
    interface Vlanif30
     ip address 100.2.1.2 255.255.255.252
     isis enable 1
     mpls
     mpls ldp
    #
    interface Vlanif40
     ip binding vpn-instance vpn1
     ip address 10.2.1.2 255.255.255.252
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 30
    #
    interface GigabitEthernet2/0/0
     port link-type trunk
     port trunk allow-pass vlan 40
    #
    interface LoopBack1
     ip address 3.3.3.9 255.255.255.255
     isis enable 1
    #
    bgp 100
     graceful-restart
     peer 1.1.1.9 as-number 100
     peer 1.1.1.9 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 1.1.1.9 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 1.1.1.9 enable
     #
     ipv4-family vpn-instance vpn1
      import-route ospf 2
    #
    ospf 2 vpn-instance vpn1
     import-route bgp
     opaque-capability enable
     graceful-restart
     area 0.0.0.0
      network 10.2.1.0 0.0.0.3
    #
    return
  • CE1 configuration file

    #
    sysname CE1
    #
    vlan batch 10
    #
    interface Vlanif10
     ip address 10.1.1.1 255.255.255.252
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    bgp 65410
     graceful-restart
     peer 10.1.1.2 as-number 100
     #
     ipv4-family unicast
      undo synchronization
      import-route direct
      peer 10.1.1.2 enable
    #
    return
  • CE2 configuration file

    #
    sysname CE2
    #
    vlan batch 40
    #
    interface Vlanif40
     ip address 10.2.1.1 255.255.255.252
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 40
    #
    ospf 2
     import-route direct
     opaque-capability enable
     graceful-restart
     area 0.0.0.0 
      network 10.2.1.0 0.0.0.3
    #
    return
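
The configuration files above can be checked mechanically for GR coverage. The following Python code is an added example, not part of the Huawei guide: it walks a saved configuration in the format shown above and reports every IS-IS, MPLS LDP, BGP, or OSPF stanza that lacks graceful-restart, plus OSPF stanzas that lack the opaque-capability enable line that step 6 configures alongside it. The PE2 text is trimmed from the file above, the drifted variant is constructed, and the function names are hypothetical.

```python
import re

# Trimmed from the PE2 configuration file on this page (GR-relevant stanzas only).
PE2_CONFIG = """\
#
sysname PE2
#
mpls ldp
 graceful-restart
#
isis 1
 graceful-restart
 network-entity 10.0000.0000.0003.00
#
interface Vlanif30
 isis enable 1
 mpls ldp
#
bgp 100
 graceful-restart
 peer 1.1.1.9 as-number 100
 #
 ipv4-family vpnv4
  peer 1.1.1.9 enable
#
ospf 2 vpn-instance vpn1
 opaque-capability enable
 graceful-restart
#
return
"""

# Constructed variant: LDP GR and the OSPF opaque capability have been dropped.
DRIFTED_CONFIG = PE2_CONFIG.replace("mpls ldp\n graceful-restart", "mpls ldp").replace(
    " opaque-capability enable\n", "")

# Top-level stanzas of the protocols the roadmap covers (assumed header forms).
GR_STANZA = re.compile(r"^(isis \d+|mpls ldp|bgp \d+|ospf \d+.*)$")


def stanzas(config):
    """Map each unindented header line to its indented child lines."""
    out, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("#"):
            cur = None                      # unindented '#' closes the stanza
        elif line and line != "#":
            if raw[0].isspace():
                if cur is not None:
                    cur.append(line)        # e.g. 'mpls ldp' under an interface
            else:
                cur = out.setdefault(line, [])
    return out


def audit_gr(config):
    """Return findings for protocol stanzas missing the bare GR keywords."""
    findings = []
    for header, body in stanzas(config).items():
        if not GR_STANZA.match(header):
            continue
        if "graceful-restart" not in body:
            findings.append(f"{header}: graceful-restart missing")
        if header.startswith("ospf") and "opaque-capability enable" not in body:
            findings.append(f"{header}: opaque-capability enable missing")
    return findings


if __name__ == "__main__":
    print(audit_gr(PE2_CONFIG))      # configuration as on this page
    print(audit_gr(DRIFTED_CONFIG))  # constructed drifted variant
```

The check matches the bare keywords as they are saved in the files on this page; graceful-restart lines that carry additional options are not handled.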
Updated: 2019-04-08

Document ID: EDOC1100065751
