
FAQ-How to Achieve Inter-VPN Access on the User Side of an ME60 V600R008?

Publication Date: 2019-04-22

Issue Description

How to achieve inter-VPN access on the user side of an ME60?

Solution

Two domains are configured with different user groups.
sys
user-group vpn1
user-group vpn2
Original VPN configuration:
ip vpn-instance vpn1
route-distinguisher 2000:1
quit
ip vpn-instance vpn2
route-distinguisher 1000:2
quit

Address pool:
ip pool vpn1 bas local
vpn-instance vpn1
gateway 35.1.35.1 255.255.255.0
section 1 35.1.35.1 35.1.35.2
excluded-ip-address 35.1.35.2
section 2 35.1.35.3 35.1.35.100
quit
ip pool vpn2 bas local
vpn-instance vpn2
gateway 35.2.35.1 255.255.255.0
section 1 35.2.35.1 35.2.35.2
excluded-ip-address 35.2.35.2
quit

Domain configuration:
domain vpn1
authentication-scheme default0
accounting-scheme default0
ip-pool vpn1
vpn-instance vpn1
user-group vpn1
quit
domain vpn2
authentication-scheme default0
accounting-scheme default0
ip-pool vpn2
vpn-instance vpn2
user-group vpn2
quit

BAS interface configuration:
interface GigabitEthernet2/0/4.1
user-vlan 2501
bas
access-type layer2-subscriber default-domain authentication vpn1
authentication-method bind
ip-trigger
arp-trigger
vpn-instance vpn1
quit
quit
interface GigabitEthernet2/0/7.200
user-vlan 2502
bas
access-type layer2-subscriber default-domain authentication vpn2
authentication-method bind
ip-trigger
arp-trigger
vpn-instance vpn2
quit
quit

The two VPN instances must be configured to reference each other, that is, each must import the VPN target that the other exports.
On the LPUA, the FIB is looked up before ACL redirection is applied. If mutual referencing is not configured, or a static route is configured instead, the traffic is discarded because no FIB entry exists for the destination. The purpose of this configuration is to ensure that traffic is not dropped for lack of a route before ACL redirection takes place.
This configuration is key on the LPUK.
ip vpn-instance vpn1
route-distinguisher 2000:1
vpn-target 2000:1 export-extcommunity
vpn-target 1000:2 import-extcommunity
quit
ip vpn-instance vpn2
route-distinguisher 1000:2
vpn-target 1000:2 export-extcommunity
vpn-target 2000:1 import-extcommunity
quit

Create a vpn-group for each VPN instance so that traffic can be redirected to it.
vpn-group vpn2 vpn-instance vpn2
vpn-group vpn1 vpn-instance vpn1

Configure UCL (user control list) redirection for the traffic exchanged between the two VPNs: each rule matches a user group as the source and the other VPN's address pool as the destination, and the behavior redirects the matched traffic into the other VPN's vpn-group.
acl number 6001
rule 5 permit ip source user-group vpn1 destination ip-address 35.2.35.0 0.0.0.255
quit
acl number 6002
rule 10 permit ip source user-group vpn2 destination ip-address 35.1.35.0 0.0.0.255
quit
traffic classifier vpn1 operator or
if-match acl 6001
quit
traffic classifier vpn2 operator or
if-match acl 6002
quit
traffic behavior vpn1
redirect vpn-group vpn2
quit
traffic behavior vpn2
redirect vpn-group vpn1
quit
traffic policy vpn
share-mode
classifier vpn1 behavior vpn1
classifier vpn2 behavior vpn2
quit
traffic-policy vpn inbound
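The following Python script is an added audit example, not part of the FAQ or of any Huawei tooling. It parses a constructed excerpt of the configuration above and, for every redirect bound in the traffic policy, traces classifier to ACL to source user group and behavior to vpn-group to VPN instance, then reports whether the two VPN instances import each other's VPN targets (the condition the FAQ states is needed so the LPUA finds a FIB entry before redirection). It assumes, as on this page, that each user-group name equals the name of the VPN instance its domain binds.

```python
import re

# Constructed excerpt of the page's configuration, in "display current-configuration" form (nested lines indented by one space).
CONFIG = """\
ip vpn-instance vpn1
 vpn-target 2000:1 export-extcommunity
 vpn-target 1000:2 import-extcommunity
ip vpn-instance vpn2
 vpn-target 1000:2 export-extcommunity
 vpn-target 2000:1 import-extcommunity
vpn-group vpn2 vpn-instance vpn2
vpn-group vpn1 vpn-instance vpn1
acl number 6001
 rule 5 permit ip source user-group vpn1 destination ip-address 35.2.35.0 0.0.0.255
acl number 6002
 rule 10 permit ip source user-group vpn2 destination ip-address 35.1.35.0 0.0.0.255
traffic classifier vpn1 operator or
 if-match acl 6001
traffic classifier vpn2 operator or
 if-match acl 6002
traffic behavior vpn1
 redirect vpn-group vpn2
traffic behavior vpn2
 redirect vpn-group vpn1
traffic policy vpn
 classifier vpn1 behavior vpn1
 classifier vpn2 behavior vpn2
"""

def section_body(text, header):
    """Return the indented lines that follow the top-level command `header` (exact name match)."""
    m = re.search(rf"^{re.escape(header)}(?: .*)?\n((?: .*\n)*)", text, re.M)
    return m.group(1) if m else ""

def audit_inter_vpn(text):
    """Map each UCL redirect (src_vpn, dst_vpn) to True when both VPN instances import each other's
    VPN targets, False when the route is absent and an LPUA would drop the traffic before redirection."""
    groups = dict(re.findall(r"^vpn-group (\S+) vpn-instance (\S+)", text, re.M))
    result = {}
    for cls, beh in re.findall(r"^ classifier (\S+) behavior (\S+)", text, re.M):
        acl = re.search(r"if-match acl (\d+)", section_body(text, f"traffic classifier {cls}")).group(1)
        # Assumption: the user-group name equals the VPN instance its domain binds (true on this page).
        src = re.search(r"source user-group (\S+)", section_body(text, f"acl number {acl}")).group(1)
        grp = re.search(r"redirect vpn-group (\S+)", section_body(text, f"traffic behavior {beh}")).group(1)
        dst = groups[grp]
        body_src, body_dst = section_body(text, f"ip vpn-instance {src}"), section_body(text, f"ip vpn-instance {dst}")
        exp_src, exp_dst = (re.search(r"vpn-target (\S+) export", b).group(1) for b in (body_src, body_dst))
        result[(src, dst)] = (f"vpn-target {exp_dst} import" in body_src
                              and f"vpn-target {exp_src} import" in body_dst)
    return result
```

Running `audit_inter_vpn(CONFIG)` on the excerpt reports both directions as True; deleting either import-extcommunity line flips both to False, which is the misconfiguration the FAQ warns about.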

END