No relevant resource is found in the selected language.
Enterprise
Worldwide
Huawei Global - English
Support Documentation
NE20E-S V800R011C10 Configuration Guide - LAN Access and MAN Access 02
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring the VXLAN over IPsec Active-Active Scenario

Example for Configuring the VXLAN over IPsec Active-Active Scenario

In the scenario where a data center is interconnected with an enterprise site, a CE is dual-homed to a VXLAN network, which enhances VXLAN access reliability and implements rapid convergence in case of a fault. IPsec encapsulation implements encrypted packet transmission, securing packet transmission.

Networking Requirements

As shown in Figure1 Networking diagram for configuring the VXLAN over IPsec active-active scenario, CE1 is dual-homed to PE1 and PE2; PE1 and PE2 uses a virtual address as the source VTEP address of an NVE interface. In this way, the CPE is aware of only one remote NVE interface and establishes a static VXLAN tunnel with the Anycast VTEP address. VXLAN packets are transmitted in plain text in the network, which is insecure. IIPsecencryption implements encrypted packet transmission, securing packet transmission.

Figure 16-27 Networking diagram for configuring the VXLAN over IPsec active-active scenario

Interface 1, interface 2, and interface 3 stand for GigabitEthernet0/1/1, GigabitEthernet0/1/2, and GigabitEthernet0/1/3, respectively.



Table 16-10 Interface IP address

Device

Interface

IP address

PE1

GigabitEthernet 0/1/1

10.1.20.1/24

GigabitEthernet 0/1/2

192.168.1.1/24

GigabitEthernet 0/1/3

10.1.1.1/24

LoopBack0

1.1.1.1/32

LoopBack1

3.3.3.3/32

LoopBack2

5.5.5.5/32

PE2

GigabitEthernet 0/1/1

10.1.20.2/24

GigabitEthernet 0/1/2

192.168.2.1/24

GigabitEthernet 0/1/3

10.1.2.1/24

LoopBack0

2.2.2.2/32

LoopBack1

3.3.3.3/32

LoopBack2

5.5.5.5/32

CE1

GigabitEthernet 0/1/1

192.168.1.2/24

GigabitEthernet 0/1/2

192.168.2.2/24

CPE

GigabitEthernet0/1/1

10.1.1.2/24

LoopBack0

4.4.4.4/32

LoopBack1

6.6.6.6/32

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an IGP on the CEs, PEs, and CPE to implement Layer 2 network connectivity.
  2. Configure service access points on PE1 and PE2 so that CE1 can be dual-homed to PE1 and PE2.
  3. Establish static VXLAN tunnels between the PEs and CPE so that the PEs and CEP can communicate.
  4. Establish a bypass VXLAN tunnel between PE1 and PE2 so that PE1 and PE2 can communicate.
  5. (Optional) Configure a UDP port on the PEs to prevent the receiving of replicated packets.
  6. Configure IPsec on the PEs and CPE and establish IPsec tunnels.

Data Preparation

To complete the configuration, you need the following data:

  • Interfaces and their IP addresses

  • EVPN instance names

  • VPN targets of the received and sent routes in EVPN instances

  • Preshared key

  • Security protocol, encryption algorithm, and authentication algorithm to be adopted by IPsec

  • Encryption algorithm and authentication algorithm that an IKE proposal uses

Procedure

  1. Assign an IP address to each interface on each node, and configure loopback interface addresses.

    For detailed configurations, see Configuration Files.

  2. Configure an IGP at the AC side and on the backbone. In this example, IS-IS is adopted.

    For detailed configurations, see Configuration Files.

  3. Configure EVPN.

    Configure PE1.

    [~PE1] evpn
    [*PE1-evpn] vlan-extend private enable
    [*PE1-evpn] vlan-extend redirect enable
    [*PE1-evpn] local-remote frr enable
    [*PE1-evpn] bypass-vxlan enable
    [*PE1-evpn] quit
    [*PE1] commit

    Repeat this step for PE2. For configuration details, see Configuration Files in this section.

  4. Configure a BGP peer relationship between PE1 and PE2.

    # Configure PE1.

    [~PE1] bgp 100
    [*PE1-bgp] peer 2.2.2.2 as-number 100
    [*PE1-bgp] peer 2.2.2.2 connect-interface LoopBack 1
    [*PE1-bgp] ipv4-family unicast
    [*PE1-bgp-af-ipv4] undo synchronization
    [*PE1-bgp-af-ipv4] peer 2.2.2.2 enable
    [*PE1-bgp-af-ipv4] quit
    [*PE1-bgp] l2vpn-family evpn
    [*PE1-bgp-af-evpn] undo policy vpn-target
    [*PE1-bgp-af-evpn] peer 2.2.2.2 enable
    [*PE1-bgp-af-evpn] peer 2.2.2.2 advertise encap-type vxlan
    [*PE1-bgp-af-evpn] quit
    [*PE1-bgp] quit
    [*PE1] commit

    Repeat this step for PE2. For configuration details, see Configuration Files in this section.

  5. Create a VXLAN tunnel.
    1. Configure EVPN instances and bind them to BDs on the PEs.

      # Configure PE1.

      [~PE1] evpn vpn-instance evpn1 bd-mode
      [*PE1-evpn-instance-evpn1] route-distinguisher 11:11
      [*PE1-evpn-instance-evpn1] vpn-target 1:1 export-extcommunity
      [*PE1-evpn-instance-evpn1] vpn-target 1:1 import-extcommunity
      [*PE1-evpn-instance-evpn1] quit
      [*PE1] bridge-domain 10
      [*PE1-bd10] vxlan vni 10 split-horizon-mode
      [*PE1-bd10] evpn binding vpn-instance evpn1
      [*PE1-bd10] quit
      [*PE1] commit

      Repeat this step for PE2. For configuration details, see Configuration Files in this section.

    2. Enable ingress replication on the PEs.

      # Configure the CPE.

      [~CPE] interface nve 1
      [*CPE-Nve1] source 4.4.4.4
      [*CPE-Nve1] vni 10 head-end peer-list 3.3.3.3
      [*CPE-Nve1] quit
      [*CPE] commit

      # Configure PE1.

      [~PE1] interface nve 1
      [*PE1-Nve1] source 3.3.3.3
      [*PE1-Nve1] bypass source 1.1.1.1
      [*PE1-Nve1] mac-address 00e0-fc12-7890
      [*PE1-Nve1] vni 10 head-end peer-list protocol bgp
      [*PE1-Nve1] vni 10 head-end peer-list 4.4.4.4
      [*PE1-Nve1] quit
      [*PE1] commit

      Repeat this step for PE2. For configuration details, see Configuration Files in this section.

  6. Configure CE1 to access the PEs.

    Configure PE1.

    [*PE1] e-trunk 1
    [*PE1-e-trunk-1] priority 10
    [*PE1-e-trunk-1] peer-address 2.2.2.2 source-address 1.1.1.1
    [*PE1-e-trunk-1] quit
    [*PE1] interface eth-trunk 1
    [*PE1-Eth-Trunk1] mac-address 00e0-fc12-3456
    [*PE1-Eth-Trunk1] mode lacp-static
    [*PE1-Eth-Trunk1] e-trunk 1
    [*PE1-Eth-Trunk1] e-trunk mode force-master
    [*PE1-Eth-Trunk1] es track evpn-peer 2.2.2.2
    [*PE1-Eth-Trunk1] esi 0000.0001.0001.0001.0001
    [*PE1-Eth-Trunk1] quit
    [*PE1] interface eth-trunk1.1 mode l2
    [*PE1-Eth-Trunk1.1] encapsulation dot1q vid 1
    [*PE1-Eth-Trunk1.1] rewrite pop single
    [*PE1-Eth-Trunk1.1] bridge-domain 10
    [*PE1-Eth-Trunk1.1] quit
    [~PE1] commit

    Repeat this step for PE2. For configuration details, see Configuration Files in this section.

  7. (Optional) Configure a UDP port on the PEs to prevent the receiving of replicated packets.

    # Configure PE1.

    [~PE1] evpn enhancement port 1345
    [*PE1] commit

    The same UDP port number must be set for the PEs in the active state.

    Repeat this step for PE2. For configuration details, see Configuration Files in this section.

  8. Configure IPsec on PE1.
    1. Configure advanced ACL 3000.

      [~PE1] acl 3000
[*PE1-acl-adv-3000] rule 5 permit ip source 3.3.3.3 0 destination 4.4.4.4 0
[*PE1acl-adv-3000] quit
[*PE1] commit

    2. Configure an IPsec proposal named tran1.

      [~PE1] ipsec proposal tran1
[*PE1-ipsec-proposal-tran1] encapsulation-mode tunnel
[*PE1-ipsec-proposal-tran1] transform esp
[*PE1-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[*PE1-ipsec-proposal-tran1] esp encryption-algorithm aes 256
[*PE1-ipsec-proposal-tran1] quit
[*PE1] commit

    3. Configure an IKE proposal numbered 10.

      [~PE1] ike proposal 10
[*PE1-ike-proposal-10] authentication-method pre-share
[*PE1-ike-proposal-10] authentication-algorithm sha2-256
[*PE1-ike-proposal-10] integrity-algorithm hmac-sha2-256
[*PE1-ike-proposal-10] dh group14
[*PE1-ike-proposal-10] quit
[*PE1] commit

    4. Configure an IKE peer named b.

      [~PE1] ike peer b
[*PE1-ike-peer-b] ike-proposal 10
[*PE1-ike-peer-b] remote-address 4.4.4.4
[*PE1-ike-peer-b] pre-shared-key abcde
[*PE1-ike-peer-b] quit
[*PE1] commit

      By default, both IKEv1 and IKEv2 are enabled on the NE20E, and IKEv2 takes precedence over IKEv1. If the remote device does not support IKEv2, disable IKEv2 on the local device and use IKEv1 to perform the IKE negotiation.

      The pre-shared key configured on the local device must be the same as that configured on the IKE peer.

    5. Configure an IPsec policy named map1 and numbered 10.

      [~PE1] ipsec policy map1 10 isakmp
[*PE1-ipsec-policy-isakmp-map1-10] security acl 3000
[*PE1-ipsec-policy-isakmp-map1-10] proposal tran1
[*PE1-ipsec-policy-isakmp-map1-10] ike-peer b
[~PE1-ipsec-policy-isakmp-map1-10] local-address 3.3.3.3
[*PE1-ipsec-policy-isakmp-map1-10] quit
[*PE1] commit

    6. Configure an IPsec service instance group named group1.

      • When the NE20E is in NSP 1:1 protection mode, perform the following configurations:
        [~PE1] service-location 1
        [*PE1-service-location-1] location follow-forwarding-mode
        [*PE1-service-location-1] commit
        [~PE1-service-location-1] quit
      • For the , perform the following configurations:
        [~PE1] service-location 1
        [*PE1-service-location-1] location slot 2
        [*PE1-service-location-1] commit
        [~PE1-service-location-1] quit
      • Configure the NE20E that is not working in NSP 1:1 protection mode.
        [~PE1] service-location 1
        [*PE1-service-location-1] location slot 2
        [*PE1-service-location-1] commit
        [~PE1-service-location-1] quit
      [~PE1] service-instance-group group1
      [*PE1-service-instance-group-group1] service-location 1
      [*PE1-service-instance-group-group1] quit
      [*PE1] commit

    7. Create and configure an IPsec tunnel.

      [~PE1] interface Tunnel 1
[*PE1-Tunnel1] ip address 11.1.1.1 255.255.255.255
[*PE1-Tunnel1] tunnel-protocol ipsec
[*PE1-Tunnel1] ipsec policy map1 service-instance-group group1
[*PE1-Tunnel1] quit
[*PE1] commit

    8. Configure static routes that import traffic into the tunnel.

      [~PE1] ip route-static 6.6.6.6 255.255.255.255 GigabitEthernet0/1/3 10.1.1.2
[*PE1] ip route-static 4.4.4.4 255.255.255.255 Tunnel1 6.6.6.6
[*PE1] commit

      Repeat this step for PE2. For configuration details, see Configuration Files in this section.

  9. Configure IPsec on the CPE.
    1. Configure advanced ACL 3000.

      [~CPE] acl 3000
[*CPE-acl-adv-3000] rule 5 permit ip
[*CPE-acl-adv-3000] quit
[*CPE] commit

    2. Configure an IPsec proposal named tran1.

      [~CPE] ipsec proposal tran1
[*CPE-ipsec-proposal-tran1] encapsulation-mode tunnel
[*CPE-ipsec-proposal-tran1] transform esp
[*CPE-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[*CPE-ipsec-proposal-tran1] esp encryption-algorithm aes 256
[*CPE-ipsec-proposal-tran1] quit
[*CPE] commit

    3. Configure an IKE proposal numbered 10.

      [~CPE] ike proposal 10
[*CPE-ike-proposal-10] authentication-method pre-share
[*CPE-ike-proposal-10] authentication-algorithm sha2-256
[*CPE-ike-proposal-10] integrity-algorithm hmac-sha2-256
[*CPE-ike-proposal-10] dh group14
[*CPE-ike-proposal-10] quit
[*CPE] commit

    4. Configure an IKE peer named 1.

      [~CPE] ike peer 1
[*CPE-ike-peer-1] ike-proposal 10
[*CPE-ike-peer-1] remote-address 5.5.5.5
[*CPE-ike-peer-1] pre-shared-key abcde
[*CPE-ike-peer-1] quit
[*CPE] commit

      By default, both IKEv1 and IKEv2 are enabled on the NE20E, and IKEv2 takes precedence over IKEv1. If the remote device does not support IKEv2, disable IKEv2 on the local device and use IKEv1 to perform the IKE negotiation.

      The pre-shared key configured on the local device must be the same as that configured on the IKE peer.

    5. Configure an IPsec policy template named temp1.

      [~CPE] ipsec policy-template temp1 1
[*CPE-ipsec-policy-templet-temp1-1] security acl 3000
[*CPE-ipsec-policy-templet-temp1-1] proposal tran1
[*CPE-ipsec-policy-templet-temp1-1] ike-peer 1
[*CPE-ipsec-policy-templet-temp1-1] local-address 6.6.6.6
[*CPE-ipsec-policy-templet-temp1-1] quit
[*CPE] commit

    6. Create a security policy based on the policy template. 

      [~CPE] ipsec policy 1 1 isakmp template temp1
[*CPE] commit

    7. Configure an IPsec service instance group named group1.

      • When the NE20E is in NSP 1:1 protection mode, perform the following configurations:
        [~CPE] service-location 1
        [*CPE-service-location-1] location follow-forwarding-mode
        [*CPE-service-location-1] commit
        [~CPE-service-location-1] quit
      • Configure the NE20E that is not working in NSP 1:1 protection mode.
        [~CPE] service-location 1
        [*CPE-service-location-1] location slot 2
        [*CPE-service-location-1] commit
        [~CPE-service-location-1] quit
      [~CPE] service-instance-group group1
      [*CPE-service-instance-group-group1] service-location 1
      [*CPE-service-instance-group-group1] quit
      [*CPE] commit

    8. Create and configure an IPsec tunnel.

      [~CPE interface Tunnel 1
[*CPE-Tunnel1] ip address 22.2.2.2 255.255.255.255
[*CPE-Tunnel1] tunnel-protocol ipsec
[*CPE-Tunnel1] ipsec policy 1 service-instance-group group1
[*CPE-Tunnel1] quit
[*CPE] commit

    9. Configure static routes that import traffic into the tunnel.

      [~CPE] ip route-static 5.5.5.5 255.255.255.255 GigabitEthernet0/1/1 192.168.1.1
[*CPE] commit

Configuration Files

  • PE1 configuration file

    #

sysname PE1
# evpn enhancement port 1345
#
evpn
 vlan-extend private enable
 vlan-extend redirect enable
 local-remote frr enable
 bypass-vxlan enable
#
evpn vpn-instance evpn1 bd-mode
 route-distinguisher 11:11
 vpn-target 1:1 export-extcommunity
 vpn-target 1:1 import-extcommunity
#
bridge-domain 10
 vxlan vni 10 split-horizon-mode
 evpn binding vpn-instance evpn1
#  
acl number 3000
  rule 5 permit ip source 3.3.3.3 0 destination 4.4.4.4 0
#
e-trunk 1
 priority 10
 peer-address 2.2.2.2 source-address 1.1.1.1
#
isis 1
 network-entity 10.0000.0000.0001.00
 frr
#
    #                                                                                
service-location 1                                                                
 location follow-forwarding-mode //NSP 1:1 protection mode                   
 location slot 2 //Non-NSP 1: 1 protection mode            #                                                                                 service-instance-group group1                                                            service-location 1                                                                    #
ike proposal 10
 encryption-algorithm aes-cbc 256
 dh group14
 authentication-algorithm sha2-256 
 integrity-algorithm hmac-sha2-256
#
ike peer b
 pre-shared-key %$%$THBGMJK2659z"C(T{J"-,.2n%$%$
 ike-proposal 10
 remote-address 6.6.6.6
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256  
 esp encryption-algorithm aes 256
#                                         
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer b
 proposal tran1
 local-address 5.5.5.5
#
interface Eth-Trunk1
 mac-address 00e0-fc12-3456
 mode lacp-static
 e-trunk 1
 e-trunk mode force-master
 es track evpn-peer 2.2.2.2
 esi 0000.0001.0001.0001.0001
#
interface Eth-Trunk1.1 mode l2
 encapsulation dot1q vid 1
 rewrite pop single
 bridge-domain 10
#
interface GigabitEthernet 0/1/1
 undo shutdown
 ip address 10.1.20.1 255.255.255.0
#
interface GigabitEthernet 0/1/2
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet 0/1/3
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
 isis enable 1
#
interface LoopBack1
 ip address 3.3.3.3 255.255.255.255
 isis enable 1
#
interface LoopBack2
 ip address 5.5.5.5 255.255.255.255
 isis enable 1
#
interface Nve1
 source 3.3.3.3
 bypass source 1.1.1.1
 mac-address 00e0-fc12-7890
 vni 10 head-end peer-list protocol bgp
 vni 10 head-end peer-list 4.4.4.4
#
bgp 100
 peer 2.2.2.2 as-number 100
 peer 2.2.2.2 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 2.2.2.2 enable
#
 l2vpn-family evpn
  undo policy vpn-target
  peer 2.2.2.2 enable
  peer 2.2.2.2 advertise encap-type vxlan
#
interface Tunnel1 
 ip address 11.1.1.1 255.255.255.0                                              
 tunnel-protocol ipsec
 ipsec policy map1 service-instance-group group1
#
ip route-static 6.6.6.6 255.255.255.255 GigabitEthernet0/1/3 10.1.1.2        
ip route-static 4.4.4.4 255.255.255.255 Tunnel1 6.6.6.6   
#
return

  • PE2 configuration file

    #

sysname PE2
# evpn enhancement port 1345
#
evpn
 vlan-extend redirect enable
 vlan-extend private enable
 local-remote frr enable
 bypass-vxlan enable
#
evpn vpn-instance evpn1 bd-mode
 route-distinguisher 22:22
 vpn-target 1:1 export-extcommunity
 vpn-target 1:1 import-extcommunity
#
bridge-domain 10
 vxlan vni 10 split-horizon-mode
 evpn binding vpn-instance evpn1
#
acl number 3000
  rule 5 permit ip source 3.3.3.3 0 destination 4.4.4.4 0
    #                                                                                
service-location 1                                                                
 location follow-forwarding-mode //NSP 1:1 protection mode       
 location slot 2 //Non-NSP 1: 1 protection mode                      
 #                                                                                 service-instance-group group1                                                            service-location 1                                      #
ike proposal 10
 encryption-algorithm aes-cbc 256
 dh group14
 authentication-algorithm sha2-256 
 integrity-algorithm hmac-sha2-256
#
ike peer b
 pre-shared-key %$%$THBGMJK2659z"C(T{J"-,.2n%$%$
 ike-proposal 10
 remote-address 2.2.2.2
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256  
 esp encryption-algorithm aes 256
#                                         
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer b
 proposal tran1
 local-address 5.5.5.5
    #

e-trunk 1
 priority 10
 peer-address 1.1.1.1 source-address 2.2.2.2
#
isis 1
 network-entity 10.0000.0000.0002.00
 frr
#
interface Eth-Trunk1
 mac-address 00e0-fc12-3456
 mode lacp-static
 e-trunk 1
 e-trunk mode force-master
 es track evpn-peer 1.1.1.1
 esi 0000.0001.0001.0001.0001
#
interface Eth-Trunk1.1 mode l2
 encapsulation dot1q vid 1
 rewrite pop single
 bridge-domain 10
#
interface GigabitEthernet 0/1/1
 undo shutdown
  ip address 10.1.20.2 255.255.255.0
#
interface GigabitEthernet 0/1/2
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet 0/1/3
 undo shutdown
 ip address 10.1.2.1 255.255.255.0
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
 isis enable 1
#
interface LoopBack1
 ip address 3.3.3.3 255.255.255.255
 isis enable 1
#
interface LoopBack2
 ip address 5.5.5.5 255.255.255.255
 isis enable 1
#
interface Nve1
 source 3.3.3.3
 bypass source 2.2.2.2
 mac-address 00e0-fc12-7890
 vni 10 head-end peer-list protocol bgp
 vni 10 head-end peer-list 4.4.4.4
#
bgp 100
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.1 enable
 #
 l2vpn-family evpn
  undo policy vpn-target
  peer 1.1.1.1 enable
  peer 1.1.1.1 advertise encap-type vxlan
 #
    interface Tunnel1 
 ip address 11.1.1.1 255.255.255.0  
 tunnel-protocol ipsec
 ipsec policy map1 service-instance-group group1
#
ip route-static 6.6.6.6 255.255.255.255 GigabitEthernet0/1/3 10.1.2.2        
ip route-static 4.4.4.4 255.255.255.255 Tunnel1 6.6.6.6   
#
return

  • CE1 configuration file

    #

sysname CE
#
vlan batch 1 to 4094
#
interface Eth-Trunk1
 portswitch
 port link-type trunk
 port trunk allow-pass vlan 1
#
interface GigabitEthernet 0/1/1
  undo shutdown
 eth-trunk 1
#
interface GigabitEthernet 0/1/2
 undo shutdown
 eth-trunk 1
#
return

  • CPE configuration file

    #

sysname CPE
#
bridge-domain 10
 vxlan vni 10 split-horizon-mode
#
acl number 3000
  rule 5 permit ip
    #                                                                                
service-location 1                                                                
 location follow-forwarding-mode //NSP 1:1 protection mode       
 location slot 2 //Non-NSP 1: 1 protection mode                      
 #                                                                                 service-instance-group group1                                                            service-location 1                                      #
ike proposal 10
 encryption-algorithm aes-cbc 256
 dh group14
 authentication-algorithm sha2-256 
 integrity-algorithm hmac-sha2-256
#
ike peer 1
 pre-shared-key %$%$THBGMJK2659z"C(T{J"-,.2n%$%$
 ike-proposal 10
 remote-address 5.5.5.5
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256  
 esp encryption-algorithm aes 256
#                                         
ipsec policy-template temp1 1
#
 security acl 3000
 ike-peer 1
 proposal tran1
 local-address 6.6.6.6
#
ipsec policy 1 1 isakmp template temp1
    #

isis 1
 network-entity 20.0000.0000.0001.00
 frr
#
interface GigabitEthernet 0/1/1
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
 isis enable 1
#
interface GigabitEthernet 0/1/1.1 mode l2
 encapsulation dot1q vid 10
 rewrite pop single
 bridge-domain 10
#
interface LoopBack0
 ip address 4.4.4.4 255.255.255.255
 isis enable 1
#
interface LoopBack1
 ip address 6.6.6.6 255.255.255.255
 isis enable 1
#
interface Nve1
 source 4.4.4.4
 vni 10 head-end peer-list 3.3.3.3
#
    interface Tunnel1 

 ip address 22.2.2.2 255.255.255.255                                             
 tunnel-protocol ipsec 
 ipsec policy 1 service-instance-group group1                                                                         
#
 ip route-static 5.5.5.5 255.255.255.255 GigabitEthernet0/1/1 192.168.1.1
#
return
Translation
简体中文
Download
Updated: 2020-02-07

Document ID: EDOC1100125511

Views: 54470

Downloads: 41

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Share
Previous Next
Huawei e+ App Huawei e+

Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :