No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - VPN

S7700 and S9700 V200R013C00

This document describes the configurations of VPN, including GRE, IPSec, BGP/MPLS IP VPN, BGP/MPLS IPv6 VPN, VLL, PWE3, VPLS, L2VPN Access to L3VPN.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring VLL Access to L3VPN

Example for Configuring VLL Access to L3VPN

Networking Requirements

In Figure 8-5, the access network is an L2VPN constructed using Virtual Leased Line (VLL) and the bearer network is an L3VPN constructed using MPLS VPN. To lower the networking cost and simplify the network, the Network Provider Edge (NPE) connecting the access network and bearer network must be able to provide both L2VPN termination and L3VPN access functions. In this way, the NPE realizes the functions of both PE-AGG and NPE on the traditional network.

Figure 8-5  Networking diagram for VLL access to L3VPN

Configuration Roadmap

  1. Configure an Interior Gateway Protocol (IGP) to realize route reachability. Open Shortest Path First (OSPF) is used in this example.

  2. Configure basic MPLS LDP functions to set up LDP sessions.

  3. On the NPE, create an L2VE interface to terminate the VLL connection, create an L3VE interface to access the L3VPN, and bind these two interfaces to the same VE group.

  4. Configure a Martini VLL between the UPE and NPE and terminate the L2VPN on the NPE.

  5. Configure a VPN instance on the NPE and PE to connect the L2VPN and CE2 to the L3VPN.

  6. Set up an MP-IBGP neighbor relationship between the NPE and PE to import VPN routes.

NOTE:

By default, link type negotiation is enabled globally on the device. If a VLANIF interface is used as an AC-side interface for L2VPN, the configuration conflicts with link type negotiation. In this case, run the lnp disable command in the system view to disable link type negotiation.

The lnp disable command has no impact on services before the device restarts. After the device restarts, the device can only forward packets from the VLANs specified by the port default vlan command at Layer 2. The port default vlan 1 command is configured by default, so only packets of VLAN 1 can be forwarded at Layer 2.

Procedure

  1. Specify the VLANs to which interfaces belong.

    # Configure the NPE. The configurations of CE1, UPE, PE, and CE2 are similar to the configuration of the NPE.

    <HUAWEI> system-view
    [HUAWEI] sysname NPE
    [NPE] vlan batch 10 20
    [NPE] interface gigabitethernet 1/0/1
    [NPE-GigabitEthernet1/0/1] port link-type trunk
    [NPE-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
    [NPE-GigabitEthernet1/0/1] quit
    [NPE] interface gigabitethernet 1/0/2
    [NPE-GigabitEthernet1/0/2] port link-type trunk
    [NPE-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
    [NPE-GigabitEthernet1/0/2] quit

  2. Configure VLANIF interfaces and loopback IP addresses.

    # Configure the NPE. The configurations of CE1, UPE, PE, and CE2 are similar to the configuration of the NPE.

    [NPE] interface vlanif 10
    [NPE-Vlanif10] ip address 10.10.10.2 24
    [NPE-Vlanif10] quit
    [NPE] interface vlanif 20
    [NPE-Vlanif20] ip address 10.10.20.1 24
    [NPE-Vlanif20] quit
    [NPE] interface LoopBack 1
    [NPE-LoopBack1] ip address 2.2.2.9 32
    [NPE-LoopBack1] quit

  3. Configure an IGP to realize route reachability. OSPF is used in this example. When configuring OSPF, you need to configure the UPE, NPE, and PE to advertise the IP addresses of loopback interfaces.

    # Configure the UPE.

    [UPE] ospf 1 router-id 1.1.1.9
    [UPE-ospf-1] area 0
    [UPE-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
    [UPE-ospf-1-area-0.0.0.0] network 10.10.10.0 0.0.0.255
    [UPE-ospf-1-area-0.0.0.0] quit
    [UPE-ospf-1] quit

    # Configure the NPE.

    [NPE] ospf 1 router-id 2.2.2.9
    [NPE-ospf-1] area 0
    [NPE-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
    [NPE-ospf-1-area-0.0.0.0] network 10.10.10.0 0.0.0.255
    [NPE-ospf-1-area-0.0.0.0] network 10.10.20.0 0.0.0.255
    [NPE-ospf-1-area-0.0.0.0] quit
    [NPE-ospf-1] quit

    # Configure the PE.

    [PE] ospf 1 router-id 3.3.3.9
    [PE-ospf-1] area 0
    [PE-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
    [PE-ospf-1-area-0.0.0.0] network 10.10.20.0 0.0.0.255
    [PE-ospf-1-area-0.0.0.0] quit
    [PE-ospf-1] quit

    After the configuration is complete, OSPF neighbor relationships can be set up between the UPE, NPE, and PE. Run the display ospf peer command on the UPE, NPE, and PE, and you can see that the neighbors are in Full state. Run the display ip routing-table command on the UPE, NPE, and PE. You can see that the UPE, NPE, and PE have learned the routes to each other's loopback1 address.

  4. Configure basic MPLS LDP functions to set up LDP sessions.

    # Enable MPLS and MPLS LDP on the UPE.

    [UPE] mpls lsr-id 1.1.1.9
    [UPE] mpls
    [UPE-mpls] quit
    [UPE] mpls ldp
    [UPE-mpls-ldp] quit
    [UPE] interface vlanif 10
    [UPE-Vlanif10] mpls
    [UPE-Vlanif10] mpls ldp
    [UPE-Vlanif10] quit

    # Enable MPLS and MPLS LDP on the NPE.

    [NPE] mpls lsr-id 2.2.2.9
    [NPE] mpls
    [NPE-mpls] quit
    [NPE] mpls ldp
    [NPE-mpls-ldp] quit
    [NPE] interface vlanif 10
    [NPE-Vlanif10] mpls
    [NPE-Vlanif10] mpls ldp
    [NPE-Vlanif10] quit
    [NPE] interface vlanif 20
    [NPE-Vlanif20] mpls
    [NPE-Vlanif20] mpls ldp
    [NPE-Vlanif20] quit

    # Enable MPLS and MPLS LDP on the PE.

    [PE] mpls lsr-id 3.3.3.9
    [PE] mpls
    [PE-mpls] quit
    [PE] mpls ldp
    [PE-mpls-ldp] quit
    [PE] interface vlanif 20
    [PE-Vlanif20] mpls
    [PE-Vlanif20] mpls ldp
    [PE-Vlanif20] quit

    # After the configurations are complete, LDP sessions can be set up between the UPE and NPE and between the NPE and PE. After running the display mpls ldp session command, you can view that the status of the LDP sessions is Operational. The command output on the UPE is used as an example.

    [UPE] display mpls ldp session
     LDP Session(s) in Public Network
     Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
     A '*' before a session means the session is being deleted. 
     ------------------------------------------------------------------------------
     PeerID            Status      LAM  SsnRole  SsnAge       KASent/Rcv
     ------------------------------------------------------------------------------
     2.2.2.9:0          Operational DU   Passive  0000:00:01  6/6
     ------------------------------------------------------------------------------
     TOTAL: 1 session(s) Found.
    
    

  5. On the NPE, create an L2VE interface to terminate the L2VPN connection, create an L3VE interface to access the L3VPN, and bind these two interfaces to the same VE group.

    # Create an L2VE interface to terminate the L2VPN connection.

    [NPE] interface Virtual-Ethernet 1/0/1
    [NPE-Virtual-Ethernet1/0/1] ve-group 1 l2-terminate
    [NPE-Virtual-Ethernet1/0/1] quit

    # Create an L3VE interface to access the L3VPN.

    [NPE] interface Virtual-Ethernet 1/0/2
    [NPE-Virtual-Ethernet1/0/2] ve-group 1 l3-access
    [NPE-Virtual-Ethernet1/0/2] quit

    # After the configurations are complete, run the display virtual-ethernet ve-group command on the NPE. You can find that the binding relationship between the two VE interfaces and the VE group is established.

    [NPE] display virtual-ethernet ve-group
     Ve-groupID    TerminateVE                 AccessVE
     1             Virtual-Ethernet1/0/1(L2)   Virtual-Ethernet1/0/2(L3) 
    Total 1, 1 printed

  6. Configure a Martini VLL between the UPE and NPE and terminate the L2VPN on the NPE.

    # Configure the UPE. Create a VC on VLANIF30 of the UPE.

    [UPE] mpls l2vpn
    [UPE-l2vpn] quit
    [UPE] interface vlanif 30
    [UPE-Vlanif30] mpls l2vc 2.2.2.9 101
    [UPE-Vlanif30] quit

    # Configure the NPE. Configure a dot1q VLAN ID on the L2VE sub-interface and create a VC.

    [NPE] mpls l2vpn
    [NPE-l2vpn] quit
    [NPE] interface Virtual-Ethernet 1/0/1.1
    [NPE-Virtual-Ethernet1/0/1.1] dot1q termination vid 30
    [NPE-Virtual-Ethernet1/0/1.1] mpls l2vc 1.1.1.9 101
    [NPE-Virtual-Ethernet1/0/1.1] quit

  7. Configure a VPN instance on the NPE and PE to connect the L2VPN and CE2 to the L3VPN.

    # Configure the NPE. Create a VPN instance, configure a dot1q VLAN ID on the L3VE sub-interface, bind the VPN instance to the L3VE sub-interface, and configure an IP address.

    [NPE] ip vpn-instance vpna
    [NPE-vpn-instance-vpna] route-distinguisher 100:1
    [NPE-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
    [NPE-vpn-instance-vpna-af-ipv4] quit
    [NPE-vpn-instance-vpna] quit
    [NPE] interface Virtual-Ethernet 1/0/2.1
    [NPE-Virtual-Ethernet1/0/2.1] dot1q termination vid 30
    [NPE-Virtual-Ethernet1/0/2.1] ip binding vpn-instance vpna
    [NPE-Virtual-Ethernet1/0/2.1] ip address 192.168.30.1 24
    [NPE-Virtual-Ethernet1/0/2.1] quit
    

    # Configure the PE. Create a VPN instance, bind the VPN instance to a VLANIF interface, and configure an IP address.

    [PE] ip vpn-instance vpna
    [PE-vpn-instance-vpna] route-distinguisher 200:1
    [PE-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
    [PE-vpn-instance-vpna-af-ipv4] quit
    [PE-vpn-instance-vpna] quit
    [PE] interface vlanif 40
    [PE-Vlanif40] ip binding vpn-instance vpna
    [PE-Vlanif40] ip address 192.168.40.1 24
    [PE-Vlanif40] quit
    

  8. Set up an MP-IBGP neighbor relationship between the NPE and PE to import VPN routes.

    # Configure the NPE.

    [NPE] bgp 100
    [NPE-bgp] peer 3.3.3.9 as-number 100
    [NPE-bgp] peer 3.3.3.9 connect-interface loopback 1
    [NPE-bgp] ipv4-family vpnv4
    [NPE-bgp-af-vpnv4] peer 3.3.3.9 enable
    [NPE-bgp-af-vpnv4] quit
    [NPE-bgp] ipv4-family vpn-instance vpna
    [NPE-bgp-vpna] import-route direct
    [NPE-bgp-vpna] quit
    [NPE-bgp] quit

    # Configure the PE.

    [PE] bgp 100
    [PE-bgp] peer 2.2.2.9 as-number 100
    [PE-bgp] peer 2.2.2.9 connect-interface loopback 1
    [PE-bgp] ipv4-family vpnv4
    [PE-bgp-af-vpnv4] peer 2.2.2.9 enable
    [PE-bgp-af-vpnv4] quit
    [PE-bgp] ipv4-family vpn-instance vpna
    [PE-bgp-vpna] import-route direct
    [PE-bgp-vpna] quit
    [PE-bgp] quit

    # After the configurations are complete, run the display bgp vpnv4 all peer command on the NPE. You can see that a BGP peer relationship has been set up between the NPE and PE and is in Established state.

    [NPE] display bgp vpnv4 all peer
    BGP local router ID : 2.2.2.9
     Local AS number : 100
     Total number of peers : 1                 Peers in established state : 1
    
      Peer            V    AS  MsgRcvd  MsgSent    OutQ  Up/Down    State        PrefRcv
    
      3.3.3.9         4   100   12      18         0     00:09:38   Established   0
    

  9. Verify the configuration.

    # Run the display ip routing-table vpn-instance command on the PE. You can view the routes to the remote CE. The command output on the PE is used as an example.

    [PE] display ip routing-table vpn-instance vpna
    Route Flags: R - relay, D - download to fib, T - to vpn-instance
    ------------------------------------------------------------------------------
    Routing Tables: vpna
             Destinations : 3        Routes : 3
    
    Destination/Mask     Proto    Pre  Cost     Flags NextHop         Interface
    
     192.168.40.0/24     Direct   0    0        D     192.168.40.1    Vlanif40
     192.168.40.1/32     Direct   0    0        D     127.0.0.1       Vlanif40
     192.168.30.0/24     IBGP     255  0        RD    2.2.2.9         Vlanif20
    

    # CE1 and CE2 can successfully ping the IP address of the L3VE sub-interface on the NPE. CE1 and CE2 can successfully ping each other. The ping result from CE1 to CE2 is used as an example.

    [CE1] ping 192.168.40.2
      PING 192.168.40.2: 56  data bytes, press CTRL_C to break
        Reply from 192.168.40.2: bytes=56 Sequence=1 ttl=253 time=72 ms
        Reply from 192.168.40.2: bytes=56 Sequence=2 ttl=253 time=34 ms
        Reply from 192.168.40.2: bytes=56 Sequence=3 ttl=253 time=50 ms
        Reply from 192.168.40.2: bytes=56 Sequence=4 ttl=253 time=50 ms
        Reply from 192.168.40.2: bytes=56 Sequence=5 ttl=253 time=34 ms
      --- 192.168.40.2 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 34/48/72 ms  
    

Configuration Files

  • UPE configuration file

    #
    sysname UPE
    #
    vlan batch 10 30
    #
    lnp disable
    #
    mpls lsr-id 1.1.1.9
    mpls
    #
    mpls l2vpn
    #
    mpls ldp
    #
    interface Vlanif10
     ip address 10.10.10.1 255.255.255.0
     mpls
     mpls ldp
    #
    interface Vlanif30
     mpls l2vc 2.2.2.9 101
    #
    interface GigabitEthernet1/0/1
     port link-type trunk
     port trunk allow-pass vlan 30
    #
    interface GigabitEthernet1/0/2
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    interface LoopBack1
     ip address 1.1.1.9 255.255.255.255
    #
    ospf 1 router-id 1.1.1.9
     area 0.0.0.0
      network 1.1.1.9 0.0.0.0
      network 10.10.10.0 0.0.0.255
    #
    return
  • NPE configuration file

    #
    sysname NPE
    #
    vlan batch 10 20
    #
    ip vpn-instance vpna
     ipv4-family
      route-distinguisher 100:1
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
    mpls lsr-id 2.2.2.9
    mpls
    #
    mpls l2vpn
    #
    mpls ldp
    #
    interface Vlanif10
     ip address 10.10.10.2 255.255.255.0
     mpls
     mpls ldp
    #
    interface Vlanif20
     ip address 10.10.20.1 255.255.255.0
     mpls
     mpls ldp
    #
    interface GigabitEthernet1/0/1
     port link-type trunk
     port trunk allow-pass vlan 10
    # 
    interface GigabitEthernet1/0/2
     port link-type trunk
     port trunk allow-pass vlan 20
    #
    interface Virtual-Ethernet1/0/1
     ve-group 1 l2-terminate
    #
    interface Virtual-Ethernet1/0/1.1
     dot1q termination vid 30
     mpls l2vc 1.1.1.9 101
    #
    interface Virtual-Ethernet1/0/2
     ve-group 1 l3-access
    #
    interface Virtual-Ethernet1/0/2.1
     dot1q termination vid 30
     ip binding vpn-instance vpna
     ip address 192.168.30.1 255.255.255.0
    #
    interface LoopBack1
     ip address 2.2.2.9 255.255.255.255
    # 
    bgp 100
     peer 3.3.3.9 as-number 100
     peer 3.3.3.9 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 3.3.3.9 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 3.3.3.9 enable
     #
     ipv4-family vpn-instance vpna
      import-route direct
    #
    ospf 1 router-id 2.2.2.9
     area 0.0.0.0
      network 2.2.2.9 0.0.0.0
      network 10.10.10.0 0.0.0.255
      network 10.10.20.0 0.0.0.255
    #
    return
  • PE configuration file

    #
    sysname PE
    #
    vlan batch 20 40
    #
    ip vpn-instance vpna
     ipv4-family
      route-distinguisher 200:1
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
    mpls lsr-id 3.3.3.9
    mpls
    #
    mpls ldp
    #
    interface Vlanif20
     ip address 10.10.20.2 255.255.255.0
     mpls
     mpls ldp
    #
    interface Vlanif40
     ip binding vpn-instance vpna
     ip address 192.168.40.1 255.255.255.0
    #
    interface GigabitEthernet1/0/1
     port link-type trunk
     port trunk allow-pass vlan 20
    # 
    interface GigabitEthernet1/0/2
     port link-type trunk
     port trunk allow-pass vlan 40
    #
    interface LoopBack1
     ip address 3.3.3.9 255.255.255.255
    # 
    bgp 100
     peer 2.2.2.9 as-number 100
     peer 2.2.2.9 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 2.2.2.9 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 2.2.2.9 enable
     #
     ipv4-family vpn-instance vpna
      import-route direct
    #
    ospf 1 router-id 3.3.3.9
     area 0.0.0.0
      network 3.3.3.9 0.0.0.0
      network 10.10.20.0 0.0.0.255
    #
    return
  • CE1 configuration file

    #
    sysname CE1
    #
    vlan batch 30
    #
    interface Vlanif30
     ip address 192.168.30.2 255.255.255.0
    #
    interface GigabitEthernet1/0/1
     port link-type trunk
     port trunk allow-pass vlan 30
    #
    ip route-static 0.0.0.0 0.0.0.0 192.168.30.1
    #
    return
  • CE2 configuration file

    #
    sysname CE2
    #
    vlan batch 40
    #
    interface Vlanif40
     ip address 192.168.40.2 255.255.255.0
    #
    interface GigabitEthernet1/0/1
     port link-type trunk
     port trunk allow-pass vlan 40
    #
    ip route-static 0.0.0.0 0.0.0.0 192.168.40.1
    #
    return
Translation
Download
Updated: 2019-04-08

Document ID: EDOC1100065751

Views: 33242

Downloads: 50

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next