Configuration Guide - VPN

S7700 and S9700 V200R013C00

This document describes the configurations of VPN, including GRE, IPSec, BGP/MPLS IP VPN, BGP/MPLS IPv6 VPN, VLL, PWE3, VPLS, L2VPN Access to L3VPN.
Example for Configuring Forwarding Isolation Between AC Interfaces

Networking Requirements

Figure 7-35 shows a backbone network built by an enterprise. Site1 connects to PE1 through CE1 and then connects to the backbone network. Site2 connects to PE2 through CE2, CE3, and CE4 and then connects to the backbone network. Martini VPLS is configured between PE1 and PE2 to provide Layer 2 service forwarding between users. CE2, CE3, and CE4 are used to connect different user services to the network. The enterprise requires forwarding isolation between CE3 and CE4, but wants CE2 to communicate with both CE3 and CE4.

Figure 7-35  Configuring forwarding isolation between AC interfaces

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure VLANs and IP addresses for interfaces.

  2. Configure OSPF.

  3. Configure MPLS LDP.

  4. Establish a remote MPLS LDP session.

  5. Configure Martini VPLS.

  6. Configure forwarding isolation between AC interfaces so that CE3 and CE4 are isolated from each other, while CE2 can still communicate with both CE3 and CE4.

Procedure

  1. Configure VLANs and IP addresses for interfaces.

    # Configure CE2. The configurations of CE1, CE3, and CE4 are similar to that of CE2 and are not provided here.

    <HUAWEI> system-view
    [HUAWEI] sysname CE2
    [CE2] vlan batch 100
    [CE2] interface vlanif 100
    [CE2-Vlanif100] ip address 10.1.1.2 255.255.255.0
    [CE2-Vlanif100] quit
    [CE2] interface gigabitethernet 1/0/0
    [CE2-GigabitEthernet1/0/0] port link-type trunk
    [CE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 100
    [CE2-GigabitEthernet1/0/0] quit

    # Configure Switch.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan batch 100 200 300
    [Switch] interface gigabitethernet 1/0/0
    [Switch-GigabitEthernet1/0/0] port link-type trunk
    [Switch-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 200 300
    [Switch-GigabitEthernet1/0/0] quit
    [Switch] interface gigabitethernet 2/0/1
    [Switch-GigabitEthernet2/0/1] port link-type trunk
    [Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 100
    [Switch-GigabitEthernet2/0/1] quit
    [Switch] interface gigabitethernet 2/0/2
    [Switch-GigabitEthernet2/0/2] port link-type trunk
    [Switch-GigabitEthernet2/0/2] port trunk allow-pass vlan 200
    [Switch-GigabitEthernet2/0/2] quit
    [Switch] interface gigabitethernet 2/0/3
    [Switch-GigabitEthernet2/0/3] port link-type trunk
    [Switch-GigabitEthernet2/0/3] port trunk allow-pass vlan 300
    [Switch-GigabitEthernet2/0/3] quit

    # Configure PE2. The configurations of PE1 and the P are similar to that of PE2 and are not provided here.

    <HUAWEI> system-view
    [HUAWEI] sysname PE2
    [PE2] vlan batch 30 100 200 300
    [PE2] interface vlanif 30
    [PE2-Vlanif30] ip address 169.1.1.2 255.255.255.0
    [PE2-Vlanif30] quit
    [PE2] interface gigabitethernet 1/0/0
    [PE2-GigabitEthernet1/0/0] port link-type trunk
    [PE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 30
    [PE2-GigabitEthernet1/0/0] quit
    [PE2] interface gigabitethernet 2/0/0
    [PE2-GigabitEthernet2/0/0] port link-type trunk
    [PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 100 200 300
    [PE2-GigabitEthernet2/0/0] quit
    NOTE:

    The AC-side and PW-side physical interfaces of a PE cannot be added to the same VLAN; otherwise, a loop may occur.

  2. Configure OSPF on PE1, the P, and PE2.

    # Configure PE1. The configurations of PE2 and the P are similar to that of PE1 and are not provided here.

    [PE1] interface loopback 1
    [PE1-LoopBack1] ip address 1.1.1.9 255.255.255.255
    [PE1-LoopBack1] quit
    [PE1] ospf 1
    [PE1-ospf-1] area 0.0.0.0
    [PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
    [PE1-ospf-1-area-0.0.0.0] network 168.1.1.0 0.0.0.255
    [PE1-ospf-1-area-0.0.0.0] quit
    [PE1-ospf-1] quit
    

    After the configuration is complete, run the display ip routing-table command on PE1, PE2, and the P. You can view the routes that the devices have learned from each other.

  3. Configure basic MPLS functions and LDP on PE1, the P, and PE2.

    # Configure PE1. The configurations of PE2 and the P are similar to that of PE1 and are not provided here.

    [PE1] mpls lsr-id 1.1.1.9
    [PE1] mpls
    [PE1-mpls] quit
    [PE1] mpls ldp
    [PE1-mpls-ldp] quit
    [PE1] interface vlanif 20
    [PE1-Vlanif20] mpls
    [PE1-Vlanif20] mpls ldp
    [PE1-Vlanif20] quit
    

    After the configuration is complete, run the display mpls ldp session command on PE1, PE2, and the P. The Status field of the peer relationships between PE1 and the P and between PE2 and the P is Operational, which indicates that the peer relationships have been established. Run the display mpls lsp command to view the LSP information.

  4. Establish a remote LDP session between the PEs.

    # Configure PE1.

    [PE1] mpls ldp remote-peer 3.3.3.9
    [PE1-mpls-ldp-remote-3.3.3.9] remote-ip 3.3.3.9
    [PE1-mpls-ldp-remote-3.3.3.9] quit

    # Configure PE2.

    [PE2] mpls ldp remote-peer 1.1.1.9
    [PE2-mpls-ldp-remote-1.1.1.9] remote-ip 1.1.1.9
    [PE2-mpls-ldp-remote-1.1.1.9] quit

    After the configuration is complete, run the display mpls ldp session command on PE1 or PE2. The Status field of the peer relationship between PE1 and PE2 is Operational, indicating that a remote LDP session has been established.

  5. Enable MPLS L2VPN on the PEs.

    # Configure PE1.

    [PE1] mpls l2vpn
    [PE1-l2vpn] quit

    # Configure PE2.

    [PE2] mpls l2vpn
    [PE2-l2vpn] quit

  6. Configure LDP VPLS on the PEs.

    # Configure PE1.

    [PE1] vsi a2 static
    [PE1-vsi-a2] pwsignal ldp
    [PE1-vsi-a2-ldp] vsi-id 2
    [PE1-vsi-a2-ldp] peer 3.3.3.9
    [PE1-vsi-a2-ldp] quit
    [PE1-vsi-a2] quit

    # Configure PE2.

    [PE2] vsi a2 static
    [PE2-vsi-a2] pwsignal ldp
    [PE2-vsi-a2-ldp] vsi-id 2
    [PE2-vsi-a2-ldp] peer 1.1.1.9
    [PE2-vsi-a2-ldp] quit
    [PE2-vsi-a2] quit

  7. Bind interfaces to the VSI on the PEs.

    # Configure PE1.

    [PE1] interface vlanif 10
    [PE1-Vlanif10] l2 binding vsi a2
    [PE1-Vlanif10] quit

    # Configure PE2.

    [PE2] interface vlanif 100
    [PE2-Vlanif100] l2 binding vsi a2
    [PE2-Vlanif100] quit
    [PE2] interface vlanif 200
    [PE2-Vlanif200] l2 binding vsi a2
    [PE2-Vlanif200] quit
    [PE2] interface vlanif 300
    [PE2-Vlanif300] l2 binding vsi a2
    [PE2-Vlanif300] quit

  8. Configure forwarding isolation between AC interfaces on PE2 and set the VSI attribute of VLANIF100 to hub. The settings allow CE2 to communicate with both CE3 and CE4 but isolate CE3 and CE4.

    # Configure forwarding isolation between AC interfaces in the VSI a2.

    [PE2] vsi a2
    [PE2-vsi-a2] isolate spoken
    [PE2-vsi-a2] quit

    # Set the VSI attribute of VLANIF100 to hub.

    [PE2] interface vlanif 100
    [PE2-Vlanif100] hub-mode enable
    [PE2-Vlanif100] quit

  9. Verify the configuration.

    # After the network becomes stable, run the display vsi name a2 verbose command on PE1. The output shows that VSI a2 has set up a PW to PE2 and that the VSI state is up. Isolate Spoken is disable in this output because isolate spoken is configured only on PE2.

    [PE1] display vsi name a2 verbose
    
     ***VSI Name               : a2
        Administrator VSI      : no
        Isolate Spoken         : disable
        VSI Index              : 0
        PW Signaling           : ldp
        Member Discovery Style : static
        PW MAC Learn Style     : unqualify
        Encapsulation Type     : vlan
        MTU                    : 1500
        Diffserv Mode          : uniform
        Mpls Exp               : --
        DomainId               : 255
        Domain Name            :
        Ignore AcState         : disable
        P2P VSI                : disable
        Create Time            : 0 days, 0 hours, 7 minutes, 18 seconds
        VSI State              : up
    
        VSI ID                 : 2
       *Peer Router ID         : 3.3.3.9
        Negotiation-vc-id      : 2
        primary or secondary   : primary
        ignore-standby-state   : no
        VC Label               : 1028
        Peer Type              : dynamic
        Session                : up
        Tunnel ID              : 0x48000003
        Broadcast Tunnel ID    : 0x48000003
        Broad BackupTunnel ID  : 0x0
        CKey                   : 2
        NKey                   : 1
        Stp Enable             : 0
        PwIndex                : 0
        Control Word           : disable
        BFD for PW             : unavailable
    
        Interface Name         : Vlanif10
        State                  : up
        Access Port            : false
        Last Up Time           : 2017/12/25 15:05:00
        Total Up Time          : 0 days, 0 hours, 4 minutes, 27 seconds
    
      **PW Information:
    
       *Peer Ip Address        : 3.3.3.9
        PW State               : up
        Local VC Label         : 1028
        Remote VC Label        : 1026
        Remote Control Word    : disable
        PW Type                : label
        Local  VCCV            : alert lsp-ping bfd
        Remote VCCV            : alert lsp-ping bfd
        Tunnel ID              : 0x48000003
        Broadcast Tunnel ID    : 0x48000003
        Broad BackupTunnel ID  : 0x0
        Ckey                   : 0x2
        Nkey                   : 0x1
        Main PW Token          : 0x48000003
        Slave PW Token         : 0x0
        Tnl Type               : LSP
        OutInterface           : Vlanif20
        Backup OutInterface    :
        Stp Enable             : 0
        PW Last Up Time        : 2017/12/25 15:05:23
        PW Total Up Time       : 0 days, 0 hours, 4 minutes, 18 seconds

    # CE1 can successfully ping CE2, CE3, and CE4. The following shows the ping result from CE1 to CE2.

    [CE1] ping 10.1.1.2
      PING 10.1.1.2: 56  data bytes, press CTRL_C to break
        Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=254 time=1 ms
        Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=254 time=1 ms
        Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=254 time=1 ms
        Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=254 time=1 ms
        Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=254 time=1 ms
    
      --- 10.1.1.2 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 1/1/1 ms
    

    # CE2 can successfully ping CE3 and CE4. The following shows the ping result from CE2 to CE3.

    [CE2] ping 10.1.1.3
      PING 10.1.1.3: 56  data bytes, press CTRL_C to break
        Reply from 10.1.1.3: bytes=56 Sequence=1 ttl=254 time=1 ms
        Reply from 10.1.1.3: bytes=56 Sequence=2 ttl=254 time=1 ms
        Reply from 10.1.1.3: bytes=56 Sequence=3 ttl=254 time=1 ms
        Reply from 10.1.1.3: bytes=56 Sequence=4 ttl=254 time=1 ms
        Reply from 10.1.1.3: bytes=56 Sequence=5 ttl=254 time=1 ms
    
      --- 10.1.1.3 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 1/1/1 ms
    

    # CE3 and CE4 cannot ping each other. The following shows the ping result from CE3 to CE4.

    [CE3] ping 10.1.1.4
      PING 10.1.1.4: 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out
    
      --- 10.1.1.4 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss
    

Configuration Files

  • CE1 configuration file

    #
    sysname CE1
    #
    vlan batch 10
    #
    interface Vlanif10
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    return
  • CE2 configuration file

    #
    sysname CE2
    #
    vlan batch 100
    #
    interface Vlanif100
     ip address 10.1.1.2 255.255.255.0
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 100
    #
    return
  • CE3 configuration file

    #
    sysname CE3
    #
    vlan batch 200
    #
    interface Vlanif200
     ip address 10.1.1.3 255.255.255.0
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 200
    #
    return
  • CE4 configuration file

    #
    sysname CE4
    #
    vlan batch 300
    #
    interface Vlanif300
     ip address 10.1.1.4 255.255.255.0
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 300
    #
    return
  • Switch configuration file

    #
    sysname Switch
    #
    vlan batch 100 200 300
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 100 200 300
    #
    interface GigabitEthernet2/0/1
     port link-type trunk
     port trunk allow-pass vlan 100
    #
    interface GigabitEthernet2/0/2
     port link-type trunk
     port trunk allow-pass vlan 200
    #
    interface GigabitEthernet2/0/3
     port link-type trunk
     port trunk allow-pass vlan 300
    #
    return
  • PE1 configuration file

    #
    sysname PE1
    #
    vlan batch 10 20
    #
    mpls lsr-id 1.1.1.9
    mpls
    #
    mpls l2vpn
    #
    vsi a2 static 
     pwsignal ldp 
      vsi-id 2    
      peer 3.3.3.9
    # 
    mpls ldp
    #
    mpls ldp remote-peer 3.3.3.9
     remote-ip 3.3.3.9
    #
    interface Vlanif10
     l2 binding vsi a2
    #
    interface Vlanif20
     ip address 168.1.1.1 255.255.255.0
     mpls
     mpls ldp
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    interface GigabitEthernet2/0/0
     port link-type trunk
     port trunk allow-pass vlan 20
    #
    interface LoopBack1
     ip address 1.1.1.9 255.255.255.255
    #
    ospf 1
     area 0.0.0.0
      network 1.1.1.9 0.0.0.0
      network 168.1.1.0 0.0.0.255
    #
    return
  • P configuration file

    #
    sysname P
    #
    vlan batch 20 30
    #
    mpls lsr-id 2.2.2.9
    mpls
    #
    mpls ldp
    #
    interface Vlanif20
     ip address 168.1.1.2 255.255.255.0
     mpls
     mpls ldp
    #
    interface Vlanif30
     ip address 169.1.1.1 255.255.255.0
     mpls
     mpls ldp
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 20
    #
    interface GigabitEthernet2/0/0
     port link-type trunk
     port trunk allow-pass vlan 30
    #
    interface LoopBack1
     ip address 2.2.2.9 255.255.255.255
    #
    ospf 1
     area 0.0.0.0
      network 2.2.2.9 0.0.0.0
      network 168.1.1.0 0.0.0.255
      network 169.1.1.0 0.0.0.255
    #
    return
  • PE2 configuration file

    #
    sysname PE2
    #
    vlan batch 30 100 200 300
    #
    mpls lsr-id 3.3.3.9
    mpls
    #
    mpls l2vpn
    #
    vsi a2 static
     pwsignal ldp
      vsi-id 2
      peer 1.1.1.9
     isolate spoken
    #
    mpls ldp
    #
    mpls ldp remote-peer 1.1.1.9
     remote-ip 1.1.1.9
    #
    interface Vlanif30
     ip address 169.1.1.2 255.255.255.0
     mpls
     mpls ldp
    #
    interface Vlanif100
     l2 binding vsi a2
     hub-mode enable
    #
    interface Vlanif200
     l2 binding vsi a2
    #
    interface Vlanif300
     l2 binding vsi a2
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 30
    #
    interface GigabitEthernet2/0/0
     port link-type trunk
     port trunk allow-pass vlan 100 200 300
    #
    interface LoopBack1
     ip address 3.3.3.9 255.255.255.255
    #
    ospf 1
     area 0.0.0.0
      network 3.3.3.9 0.0.0.0
      network 169.1.1.0 0.0.0.255
    #
    return
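
A static check for the isolation policy configured above, as an added example that is not part of the Huawei guide: it parses the PE2 configuration file and reports AC pairs that must be isolated but can still forward. The function names and the forwarding rule (with isolate spoken, two ACs exchange traffic only if at least one has hub-mode enable) are assumptions modelled on the behaviour this page describes.

```python
import re
from itertools import combinations

# Constructed sample: excerpt of the PE2 configuration file shown on this page.
PE2_CONFIG = """\
#
vsi a2 static
 pwsignal ldp
  vsi-id 2
  peer 1.1.1.9
 isolate spoken
#
interface Vlanif100
 l2 binding vsi a2
 hub-mode enable
#
interface Vlanif200
 l2 binding vsi a2
#
interface Vlanif300
 l2 binding vsi a2
#
"""

def parse_vsi_acs(config):
    """Return {vsi_name: {"isolate": bool, "acs": {interface: is_hub}}}."""
    vsis = {}
    def entry(name):
        return vsis.setdefault(name, {"isolate": False, "acs": {}})
    for block in re.split(r"(?m)^#[ \t]*$", config):  # '#' lines separate sections
        lines = [l.strip() for l in block.strip().splitlines()]
        if not lines:
            continue
        head, body = lines[0].split(), lines[1:]
        if head[0] == "vsi":
            entry(head[1])["isolate"] = "isolate spoken" in body
        elif head[0] == "interface":
            for line in body:
                if line.startswith("l2 binding vsi "):
                    entry(line.split()[-1])["acs"][head[1]] = "hub-mode enable" in body
    return vsis

def ac_reachability(vsi):
    """AC pair -> True if forwarding is allowed (assumed rule: a hub reaches all)."""
    acs = vsi["acs"]
    return {(a, b): not vsi["isolate"] or acs[a] or acs[b]
            for a, b in combinations(sorted(acs), 2)}

def isolation_gaps(config, vsi_name, must_isolate):
    """Pairs that policy says must be isolated but the config still forwards."""
    reach = ac_reachability(parse_vsi_acs(config)[vsi_name])
    return [p for p in map(tuple, map(sorted, must_isolate)) if reach.get(p)]
```

Calling isolation_gaps(PE2_CONFIG, "a2", [("Vlanif200", "Vlanif300")]) returns an empty list for the configuration on this page; dropping isolate spoken from the VSI, or enabling hub-mode on a spoke VLANIF, makes the pair appear in the result.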
Updated: 2019-04-08

Document ID: EDOC1100065751
