Professional Documents
Culture Documents
V200R002C00
02
Date
2012-03-30
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Website:
http://www.huawei.com
Email:
support@huawei.com
Issue 02 (2012-03-30)
Commissioning engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol
Description
DANGER
WARNING
CAUTION
Issue 02 (2012-03-30)
TIP
NOTE
ii
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention
Description
Boldface
Italic
[]
{ x | y | ... }
[ x | y | ... ]
{ x | y | ... }*
[ x | y | ... ]*
&<1-n>
Change History
Updates between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
iii
Contents
Contents
About This Document.....................................................................................................................ii
1 GRE Configuration.......................................................................................................................1
1.1 Introduction to GRE...........................................................................................................................................2
1.2 GRE Features Supported by the AR3200...........................................................................................................2
1.3 Configuring GRE................................................................................................................................................3
1.3.1 Establishing the Configuration Task.........................................................................................................3
1.3.2 Configuring a Tunnel Interface.................................................................................................................4
1.3.3 Configuring Routes for the Tunnel............................................................................................................5
1.3.4 (Optional) Configuring GRE Security Options.........................................................................................6
1.3.5 Checking the Configuration.......................................................................................................................7
1.4 Configuring a GRE Tunnel Between CE and PE...............................................................................................8
1.4.1 Establishing the Configuration Task.........................................................................................................8
1.4.2 Configuring the GRE Tunnel Interface on CE..........................................................................................9
1.4.3 Configuring the GRE Tunnel Interface on PE.........................................................................................10
1.4.4 Binding the GRE Tunnel with the VPN to Which CE belongs on PE....................................................12
1.4.5 Checking the Configuration.....................................................................................................................12
1.5 Configuring the Keepalive Function................................................................................................................13
1.5.1 Establishing the Configuration Task.......................................................................................................13
1.5.2 Enabling the Keepalive Function............................................................................................................14
1.5.3 Checking the Configuration.....................................................................................................................15
1.6 Maintaining GRE..............................................................................................................................................16
1.6.1 Resetting the Statistics of a Tunnel Interface..........................................................................................16
1.6.2 Monitoring the Running Status of GRE..................................................................................................16
1.6.3 Debugging GRE......................................................................................................................................17
1.7 Configuration Examples...................................................................................................................................17
1.7.1 Example for Configuring a Static Route for GRE...................................................................................17
1.7.2 Example for Configuring a Dynamic Routing Protocol for GRE...........................................................21
1.7.3 Example for Configuring a GRE Tunnel to Transmit VPN Multicast Data Encrypted with IPSec........25
1.7.4 Example for Configuring the CE to Access a VPN Through a GRE Tunnel of the Public Network
..........................................................................................................................................................................31
1.7.5 Example for Configuring the Keepalive Function for GRE....................................................................38
iv
Contents
Contents
vi
Contents
3 L2TP Configuration...................................................................................................................208
3.1 L2TP Overview..............................................................................................................................................209
3.1.1 Introduction to L2TP.............................................................................................................................209
3.1.2 L2TP Features Supported by the AR3200.............................................................................................209
3.2 Configuring Basic L2TP Functions................................................................................................................210
3.2.1 Establishing the Configuration Task.....................................................................................................210
3.2.2 Configuring Basic L2TP Capability......................................................................................................211
3.3 Configuring LAC............................................................................................................................................212
3.3.1 Establishing the Configuration Task.....................................................................................................212
3.3.2 Configuring an L2TP Connection on LAC Side...................................................................................213
3.3.3 (Optional) Configuring LAC Auto-Dial................................................................................................213
3.3.4 (Optional) Configuring Local Authentication on LAC Side.................................................................215
3.3.5 (Optional) Configuring RADIUS Authentication on LAC Side...........................................................215
3.3.6 Checking the Configuration...................................................................................................................217
3.4 Configuring LNS............................................................................................................................................218
3.4.1 Establishing the Configuration Task.....................................................................................................219
3.4.2 Configuring an L2TP Connection on LNS............................................................................................220
3.4.3 (Optional) Configuring User Authentication on LNS...........................................................................221
3.4.4 Allocating Addresses to Access Users..................................................................................................222
3.4.5 Checking the Configuration...................................................................................................................222
3.5 Adjusting L2TP Connection...........................................................................................................................223
3.5.1 Establishing the Configuration Task.....................................................................................................223
3.5.2 Configuring Security Options for L2TP Connection............................................................................224
3.5.3 Configuring L2TP Connection Parameters...........................................................................................225
3.6 Maintaining L2TP...........................................................................................................................................226
3.6.1 Disconnecting a Tunnel Forcibly..........................................................................................................226
3.6.2 Monitoring the Running Status of L2TP...............................................................................................226
3.6.3 Debugging L2TP Information...............................................................................................................227
Issue 02 (2012-03-30)
vii
Contents
4 IPSec Configuration..................................................................................................................242
4.1 IPSec Overview..............................................................................................................................................244
4.2 IPSec Features Supported by the AR3200.....................................................................................................245
4.3 Establishing an IPSec Tunnel Manually.........................................................................................................246
4.3.1 Establishing the Configuration Task.....................................................................................................246
4.3.2 Defining Protected Data Flows..............................................................................................................247
4.3.3 Configuring an IPSec Proposal..............................................................................................................248
4.3.4 Configuring an IPSec Policy.................................................................................................................248
4.3.5 Applying an IPSec Policy to an Interface..............................................................................................250
4.3.6 Checking the Configuration...................................................................................................................251
4.4 Establishing an IPSec Tunnel Through IKE Negotiation...............................................................................251
4.4.1 Establishing the Configuration Task.....................................................................................................251
4.4.2 Defining Protected Data Flows..............................................................................................................252
4.4.3 (Optional) Configuring an IKE Proposal...............................................................................................253
4.4.4 Configuring an IKE Peer.......................................................................................................................254
4.4.5 Configuring an IPSec Proposal..............................................................................................................256
4.4.6 Configuring an IPSec Policy.................................................................................................................257
4.4.7 Configuring an IPSec Policy Template.................................................................................................258
4.4.8 (Optional) Setting Optional Parameters................................................................................................259
4.4.9 (Optional) Configuring Route Injection................................................................................................261
4.4.10 Applying an IPSec policy to an interface............................................................................................261
4.4.11 Checking the Configuration.................................................................................................................262
4.5 Establishing an IPSec Tunnel Using an IPSec Tunnel Interface....................................................................262
4.5.1 Establishing the Configuration Task.....................................................................................................262
4.5.2 Configuring an IPSec Profile.................................................................................................................263
4.5.3 Configuring an IPSec Tunnel Interface.................................................................................................264
4.5.4 Checking the Configuration...................................................................................................................265
4.6 Establishing an IPSec Tunnel Using the Efficient VPN Policy.....................................................................266
4.6.1 Establishing the Configuration Task.....................................................................................................266
4.6.2 Configuring Client Mode.......................................................................................................................267
4.6.3 Configuring Network Mode..................................................................................................................270
4.6.4 Verifying the Configuration..................................................................................................................273
4.7 Maintaining IPSec..........................................................................................................................................273
4.7.1 Displaying the IPSec Configuration......................................................................................................273
4.7.2 Clearing IPSec Information...................................................................................................................274
4.8 Configuration Examples.................................................................................................................................274
4.8.1 Example for Establishing an SA Manually...........................................................................................275
Issue 02 (2012-03-30)
viii
Contents
ix
Contents
Issue 02 (2012-03-30)
1 GRE Configuration
GRE Configuration
Issue 02 (2012-03-30)
1 GRE Configuration
IP
network
IP
network
IP
network
Tunnel
PC
PC
When the tunnel is used in the network, a few hops are hidden. This enlarges the scope of the
network operation.
Working in Combination with IPSec to Compensate for the IPSec Flaw in Multicast
Data Protection
Based on GRE, multicast data can be encapsulated and transmitted in the GRE tunnel. Based on
IPSec, only the unicast data can realize encrypted protection.
Issue 02 (2012-03-30)
1 GRE Configuration
Internet
IPSec tunnel
GRE tunnel
Corporate
intranet
Remote
office
network
As shown in Figure 1-2, if the multicast data is transmitted in the IPSec tunnel, establish the
GRE tunnel and encapsulate the multicast data with GRE. Then encrypt the encapsulated
multicast data with IPSec. When these tasks are performed, the encrypted multicast data can be
transmitted in the IPSec tunnel.
Applicable Environment
To set up a GRE tunnel, create a tunnel interface first, and configure the GRE functions on the
tunnel interface. If the tunnel interface is deleted, all the configurations on the interface are
deleted.
Pre-configuration Tasks
Before configuring an ordinary GRE tunnel, complete the following task:
l
Data Preparation
To configure an ordinary GRE tunnel, you need the following data.
Issue 02 (2012-03-30)
No.
Data
No.
Data
1 GRE Configuration
Context
Perform the following steps on the routers at the two ends of a tunnel.
Procedure
Step 1 Run:
system-view
l The virtual IP address of the VRRP backup group can be configured as the source address of the GRE
tunnel.
l The bridge-if interface can not be configured as the source interface of the GRE tunnel.
The source interface of the tunnel cannot be the interface of the tunnel, but can be specified as
the interface of another tunnel.
Step 5 Run:
destination ip-address
1 GRE Configuration
The new MTU takes effect only after you run the shutdown command and the undo
shutdown command on the interface.
Step 7 Choose one of the following commands to configure the IP address of the tunnel interface.
l Run the ip address ip-address { mask | mask-length } [ sub ] command to configure the IP
address of the tunnel interface.
l Run the ip address unnumbered interface interface-type interface-number command to
configure IP unnumbered for the tunnel interface.
To support dynamic routing protocols on a tunnel, configure a network address for the tunnel
interface. The network address of the tunnel interface may not be a public address, but should
be in the same network segment on both ends of the tunnel.
By default, the network address of a tunnel interface is not set.
----End
Context
Perform the following steps on the devices at two ends of a tunnel.
NOTE
The packets encapsulated with GRE are forwarded correctly only if the routes for the tunnel are available
on both the source and destination routers.
Procedure
Step 1 Run:
system-view
1 GRE Configuration
protocol is used, the protocol must be configured on the tunnel interface and the GE interface
connected to the PC. Moreover, in the routing table of Router A, the egress with the
destination as the network segment where GE 2/0/0 on Router C resides cannot be Tunnel
0/0/1.
In practical configurations, configure a multi-process routing protocol or change the metric
value of the tunnel interface. This prevents the tunnel interface from being selected as the
outbound interface of routes to the destination physical interface of the tunnel.
In practical configurations, tunnel interfaces and physical interfaces connected to the public
network should use different routing protocols or different processes of the same routing
protocol. With one of these procedures in place, you can avoid selecting a tunnel interface
as an outbound interface for packets destined for the destination of the tunnel. In addition, a
physical interface is prevented from forwarding user packets that should be forwarded
through the tunnel.
Figure 1-3 Diagram of configuring the GRE dynamic routing protocol
Backbone
GE1/0/0
RouterA
GE2/0/0
RouterC
Tunnel
GE2/0/0 Tunnel0/0/1
Tunnel0/0/2 GE1/0/0
PC1
PC2
----End
Context
Perform the following steps on the routers at two ends of a tunnel.
Procedure
Step 1 Run:
system-view
Issue 02 (2012-03-30)
1 GRE Configuration
----End
Context
The configurations of the GRE function are complete.
Procedure
l
Run the display interface tunnel [ interface-number ] command to check tunnel interface
information.
Run the display ip routing-table command to check the IPv4 routing table.
Run the ping -a source-ip-address host command to check whether the two ends of the
tunnel can successfully ping each other.
----End
Example
Run the display interface tunnel command. If the tunnel interface is Up, the configuration
succeeds. For example:
<Huawei> display interface Tunnel 0/0/1
Tunnel0/0/1 current state : UP
Line protocol current state : UP
Description:HUAWEI, AR Series, Tunnel0/0/1 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 5.5.5.2/24
Encapsulation is TUNNEL, loopback not set
Tunnel source 150.1.1.1 (Ethernet4/0/0), destination 150.1.1.2
Tunnel protocol/transport GRE/IP, key disabled
keepalive disabled
Checksumming of packets disabled
Issue 02 (2012-03-30)
1 GRE Configuration
Run the display ip routing-table command. If the route passing through the tunnel interface
exists in the routing table, the configuration succeeds. For example:
[Huawei] display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: Public
Destinations : 8
Routes : 8
Destination/Mask
Proto Pre Cost
Flags NextHop
Interface
10.1.1.0/24 Direct 0
0
D 10.1.1.2
GigabitEthernet2/0/0
10.1.1.2/32 Direct 0
0
D 127.0.0.1
InLoopBack0
10.2.1.0/24 Static 60
0
D 40.1.1.1
Tunnel0/0/2
20.1.1.1/32 Direct 0
0
D 127.0.0.1
InLoopBack0
40.1.1.0/24 Direct 0
0
D 40.1.1.1
Tunnel0/0/2
40.1.1.1/32 Direct 0
0
D 127.0.0.1
InLoopBack0
127.0.0.0/8
Direct 0
0
D 127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
0
D 127.0.0.1
InLoopBack0
Run the ping -a source-ip-address host command to see that the ping from the local tunnel
interface to the destination tunnel succeeds.
<Huawei> ping -a 40.1.1.1 40.1.1.2
PING 40.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 40.1.1.2: bytes=56 Sequence=1 ttl=255 time=24
Reply from 40.1.1.2: bytes=56 Sequence=2 ttl=255 time=33
Reply from 40.1.1.2: bytes=56 Sequence=3 ttl=255 time=48
Reply from 40.1.1.2: bytes=56 Sequence=4 ttl=255 time=33
Reply from 40.1.1.2: bytes=56 Sequence=5 ttl=255 time=36
--- 40.1.1.2 ping statistics --5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 24/34/48 ms
ms
ms
ms
ms
ms
Applicable Environment
To allow users of the CE that is not directly connected with a PE to access the Multi-Protocol
Label Switching (MPLS) VPN, configure a GRE tunnel, create routes between them, and
configure MPLS VPN on the PE.
Issue 02 (2012-03-30)
1 GRE Configuration
A GRE tunnel needs to be created between a CE and a PE in the following two cases:
l
Pre-configuration Tasks
Before configuring a GRE tunnel between a CE and a PE, complete the following tasks:
l
Configuring the VPN provided that it is also passed through by the GRE tunnel between
the CE and PE
Data Preparation
To configure a GRE tunnel between a CE and a PE, you need the following data.
No.
Data
Source address or source interface and destination address of the GRE tunnel interface
specified on the CE
Source address or source interface and destination address of the GRE tunnel interface
specified on the PE
Name of the VPN provided that it is also passed through by the GRE tunnel between
the CE and PE
Context
Perform the following steps on the CE.
Procedure
Step 1 Run:
system-view
1 GRE Configuration
Step 2 Run:
interface tunnel interface-number
The tunnel interface is created and the tunnel interface view is displayed.
Step 3 Run:
tunnel-protocol gre
l The virtual IP address of the VRRP backup group can be configured as the source address of the GRE
tunnel.
l The bridge-if interface can not be configured as the source interface of the GRE tunnel.
The source interface of the tunnel cannot be the interface of the tunnel, but can be specified as
the interface of another tunnel.
The source address of the tunnel specified on the CE is identical with the destination address of
the tunnel specified on the PE. The destination address of the tunnel specified on the CE is
identical with the source address of the tunnel specified on the PE.
Step 5 Run:
destination ip-address
The interface MTU can be modified. The new MTU takes effect only after you run the
shutdown and the undo shutdown commands in succession on the interface.
Step 7 Choose one of the following commands to configure the IP address of the tunnel interface.
l Run the ip address ip-address { mask | mask-length } [ sub ] command to configure the IP
address of the tunnel interface.
l Run the ip address unnumbered interface interface-type interface-number command to
configure IP unnumbered for the tunnel interface.
----End
Context
Perform the following steps on the PE.
Issue 02 (2012-03-30)
10
1 GRE Configuration
Procedure
Step 1 Run:
system-view
l The virtual IP address of the VRRP backup group can be configured as the source address of the GRE
tunnel.
l The bridge-if interface can not be configured as the source interface of the GRE tunnel.
The source interface of the tunnel cannot be the interface of the tunnel, but can be specified as
the interface of another tunnel.
The source address of the tunnel specified on the PE is identical with the destination address of
the tunnel specified on the CE. The destination address of the tunnel specified on the PE is
identical with the source address of the tunnel specified on the CE.
Step 5 Run:
destination ip-address
The interface MTU is modified. The new MTU takes effect only after you run the shutdown
and the undo shutdown commands in succession on the interface.
Step 7 Choose one of the following commands to configure the IP address of the tunnel interface.
l Run the ip address ip-address { mask | mask-length } [ sub ] command to configure the IP
address of the tunnel interface.
l Run the ip address unnumbered interface interface-type interface-number command to
configure IP unnumbered for the tunnel interface.
----End
Issue 02 (2012-03-30)
11
1 GRE Configuration
1.4.4 Binding the GRE Tunnel with the VPN to Which CE belongs
on PE
Bind the tunnel interface on the PE that connects the CE to a VPN instance. Then, the tunnel
interface becomes a VPN interface. The packets sent from the VPN interface are forwarded
based on forwarding information in the VPN instance.
Context
Perform the following steps on the PE.
Procedure
Step 1 Run:
system-view
The tunnel interface is created and the tunnel interface view is displayed.
Step 3 Run:
ip binding vpn-instance vpn-instance-name
The running of the ip binding vpn-instance command on a tunnel interface can delete the Layer 3 attributes,
such as the IP address and routing protocol. If these Layer 3 attributes are still required, configure them
again.
A tunnel interface cannot be bound to any VPN instance that is not enabled with an address family.
Disabling a VPN instance address family deletes the Layer 3 attributes, such as the IP address and routing
protocol of the tunnel interface bound to the VPN instance. Disabling all VPN instance address families
unbinds all the bound tunnel interfaces from the VPN instance.
Step 4 Choose one of the following commands to configure the IP address of the tunnel interface.
l Run the ip address ip-address { mask | mask-length } [ sub ] command to assign an IP address
to the tunnel interface.
l Run the ip address unnumbered interface interface-type interface-number command to
configure IP unnumbered for the tunnel interface.
----End
Prerequisites
The GRE tunnel between the CE and the PE is fully configured.
Issue 02 (2012-03-30)
12
1 GRE Configuration
Procedure
l
Run the display interface tunnel [ interface-number ] command to check the working
mode of the tunnel interface.
Run the display ip routing-table command to check the routing table on the CE.
Run the ping -a source-ip-address host command to check whether two ends of the tunnel
can successfully ping each other.
----End
Example
Run the display interface tunnel command on two ends of the tunnel. If the tunnel interface is
Up, the configuration is successful. Take the display on the PE as an example:
<Huawei> display interface Tunnel 0/0/1
Tunnel0/0/1 current state : UP
Line protocol current state : UP
Last line protocol up time : 2008-03-03 10:51:44
Description:HUAWEI, AR Series, Tunnel0/0/1 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 5.5.5.2/24
Encapsulation is TUNNEL, loopback not set
Tunnel source 150.1.1.1 (Ethernet4/0/0), destination 150.1.1.2
Tunnel protocol/transport GRE/IP, key disabled
keepalive disabled
Checksumming of packets disabled
Current system time: 2008-03-04 19:17:30
300 seconds input rate 0 bits/sec, 0 packets/sec
300 seconds output rate 0 bits/sec, 0 packets/sec
0 seconds input rate 0 bits/sec, 0 packets/sec
0 seconds output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes
0 input error
0 packets output, 0 bytes
0 output error
Input bandwidth utilization : -Output bandwidth utilization : --
Application Environment
The Keepalive function can be configured on one end of a GRE tunnel to test the GRE tunnel
status. If the remote end is found unreachable, the tunnel is disconnected on time to avoid data
black hole.
Issue 02 (2012-03-30)
13
1 GRE Configuration
Source
Destination
GRE tunnel
RouterA
RouterB
Pre-configuration Tasks
Before configuring the Keepalive function, complete the following tasks:
l
Data Preparation
To configure the Keepalive function, you need the following data.
No.
Data
Context
Perform the following steps on the router that requires the Keepalive function.
Procedure
Step 1 Run:
system-view
Issue 02 (2012-03-30)
14
1 GRE Configuration
Before configuring the tunnel policy and the GRE tunnel for the VPN, enable the GRE tunnel Keepalive
function. With this function enabled, the VPN does not select the GRE tunnel that cannot reach the remote
end, and the data loss can be avoided. The reasons for enabling the Keepalive function are listed below:
l If the Keepalive function is not enabled, the local tunnel interface may always be Up regardless of
whether data reaches the remote end.
l If the Keepalive function is enabled on the local end, the local tunnel interface is set Down when the
remote end is unreachable. As a result, the VPN does not select the unreachable GRE tunnel and the
data is not lost.
----End
Prerequisites
The Keepalive function is enabled on the GRE tunnel.
Procedure
Step 1 Run:
system-view
Check the Keepalive packets and Keepalive Response packets sent and received by the GRE
tunnel interface.
----End
Example
On the tunnel interface that is enabled with the Keepalive function, run the display keepalive
packets count command to ascertain the number of sent Keepalive packets and received
Issue 02 (2012-03-30)
15
1 GRE Configuration
Keepalive Response packets on both the local end and the remote end. If the Keepalive function
is successfully configured on the local tunnel interface, the number of sent Keepalive packets
or received Keepalive Response packets on the local end is not 0.
[Huawei] interface tunnel 0/0/1
[Huawei-Tunnel0/0/1] tunnel-protocol gre
[Huawei-Tunnel0/0/1] keepalive
[Huawei-Tunnel0/0/1] display keepalive packets count
Send 34 keepalive packets to peers, Receive 34 keepalive response packets from peers
Receive 0 keepalive packets from peers, Send 0 keepalive response packets to peers.
Procedure
l
Run the reset counters interface tunnel [ interface-number ] command in the system view
to reset statistics about the tunnel interface.
Run:
system-view
Run:
interface tunnel interface-number
Run:
reset keepalive packets count
You can run the reset keepalive packets count command only in the tunnel interface view,
and the interface tunnel protocol must be GRE.
----End
Context
In routine maintenance, you can run the following commands to view the GRE running status.
Issue 02 (2012-03-30)
16
1 GRE Configuration
Procedure
l
Run the display interface tunnel [ interface-number ] command to check the tunnel
interface running status.
Run the display ip routing-table command to check the routing table on the CE.
----End
Context
NOTE
The debugging process affects system performance. Therefore, after finishing the debugging process, run
the undo debugging all command immediately to disable the debugging.
When GRE goes abnormal, run the debugging commands in the user view to view debugging
information, locate the fault, and analyze the cause.
Procedure
l
Run the debugging tunnel keepalive command in the user view to debug the Keepalive
function of the GRE tunnel.
----End
Networking Requirements
In Figure 1-5, Router A, Router B, and Router C belong to the VPN backbone network and
OSPF runs between them.
GRE is enabled between Router A and Router C to achieve interworking between PC 1 and PC
2.
PC1 takes Router A as its default gateway, and PC2 takes Router C as its default gateway.
Issue 02 (2012-03-30)
17
1 GRE Configuration
RouterB
GE1/0/0
20.1.1.2/24
RouterA
GE2/0/0
30.1.1.1/24
GE1/0/0
GE1/0/0
30.1.1.2/24
20.1.1.1/24
Tunnel
GE2/0/0 Tunnel0/0/1
10.1.1.2/24 40.1.1.1/24
PC1
10.1.1.1/24
RouterC
Tunnel0/0/1 GE2/0/0
40.1.1.2/24 10.2.1.2/24
PC2
10.2.1.1/24
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Specify the source address of the tunnel interface as the IP address of the interface that
sends the packet.
4.
Specify the destination address of the tunnel interface as the IP address of the interface that
receives the packet.
5.
Assign network addresses to the tunnel interfaces to enable the tunnel to support the
dynamic routing protocol.
6.
Configure the static route between Router A and its connected PC, and the static route
between Router C and its connected PC to make the traffic between PC1 and PC2
transmitted through the GRE tunnel.
7.
Configure the egress of the static route as the local tunnel interface.
Data Preparation
To complete the configuration, you need the following data:
l
Source address and destination address of the GRE tunnel, and IP addresses of tunnel
interfaces
Procedure
Step 1 Assign an IP address to each interface.
Issue 02 (2012-03-30)
18
1 GRE Configuration
Assign an IP address to each interface as shown in Figure 1-5. The specific configuration is not
mentioned here.
Step 2 Configure IGP for the VPN backbone network.
# Configure Router A.
[RouterA] ospf 1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
# Configure Router B.
[RouterB] ospf 1
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
# Configure Router C.
[RouterC] ospf 1
[RouterC-ospf-1] area 0
[RouterC-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
[RouterC-ospf-1] quit
After the configuration, run the display ip routing-table command on Router A and Router C.
You can find that they both learn the OSPF route to the network segment of the remote interface.
Take Router A as an example.
[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: Public
Destinations : 8
Routes : 8
Destination/Mask
Proto Pre Cost
Flags NextHop
Interface
10.1.1.0/24 Direct 0
0
D 10.1.1.2
GigabitEthernet2/0/0
10.1.1.2/32 Direct 0
0
D 127.0.0.1
InLoopBack0
20.1.1.1/32 Direct 0
0
D 127.0.0.1
InLoopBack0
30.1.1.0/24 OSPF
10
2
D 20.1.1.2
GigabitEthernet1/0/0
127.0.0.0/8
Direct 0
0
D 127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
0
D 127.0.0.1
InLoopBack0
# Configure Router C.
[RouterC] interface tunnel 0/0/1
[RouterC-Tunnel0/0/1] ip address 40.1.1.2 24
[RouterC-Tunnel0/0/1] source 30.1.1.2
[RouterC-Tunnel0/0/1] destination 20.1.1.1
[RouterC-Tunnel0/0/1] quit
Issue 02 (2012-03-30)
19
1 GRE Configuration
After the configuration, the status of tunnel interfaces goes Up, and the tunnel interfaces can
ping each other successfully.
Take Router A as an example:
[RouterA] ping -a 40.1.1.1 40.1.1.2
PING 40.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 40.1.1.2: bytes=56 Sequence=1 ttl=255 time=24
Reply from 40.1.1.2: bytes=56 Sequence=2 ttl=255 time=33
Reply from 40.1.1.2: bytes=56 Sequence=3 ttl=255 time=48
Reply from 40.1.1.2: bytes=56 Sequence=4 ttl=255 time=33
Reply from 40.1.1.2: bytes=56 Sequence=5 ttl=255 time=36
--- 40.1.1.2 ping statistics --5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 24/34/48 ms
ms
ms
ms
ms
ms
# Configure Router C.
[RouterC] ip route-static 10.1.1.0 24 tunnel 0/0/1
After the configuration, run the displayip routing-table command on Router A and Router C.
You can find the static route to the network segment of the remote user end through the tunnel
interface.
Take Router A as an example:
[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: Public
Destinations : 11
Routes : 11
Destination/Mask
Proto Pre Cost
Flags NextHop
Interface
10.1.1.0/24 Direct 0
0
D 10.1.1.2
GigabitEthernet2/0/0
10.1.1.2/32 Direct 0
0
D 127.0.0.1
InLoopBack0
10.2.1.0/24 Static 60
0
D 40.1.1.1
Tunnel0/0/1
20.1.1.0/24 Direct 0
0
D 20.1.1.1
GigabitEthernet1/0/0
20.1.1.1/32 Direct 0
0
D 127.0.0.1
InLoopBack0
20.1.1.2/32 Direct 0
0
D 20.1.1.2
GigabitEthernet1/0/0
30.1.1.0/24 OSPF
10
2
D 20.1.1.2
GigabitEthernet1/0/0
40.1.1.0/24 Direct 0
0
D 40.1.1.1
Tunnel0/0/1
40.1.1.1/32 Direct 0
0
D 127.0.0.1
InLoopBack0
127.0.0.0/8
Direct 0
0
D 127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
0
D 127.0.0.1
InLoopBack0
Configuration Files
l
Issue 02 (2012-03-30)
20
1 GRE Configuration
Issue 02 (2012-03-30)
21
1 GRE Configuration
Networking Requirements
In Figure 1-6, Router A, Router B, and Router C belong to the VPN backbone network and
OSPF runs between them.
GRE is enabled between Router A and Router C for the interworking between PC1 and PC2.
PC1 takes Router A as its default gateway, and PC2 takes Router C as its default gateway.
OSPF is enabled on the tunnel interface. OSPF process 1 is used for the VPN backbone network
and OSPF process 2 is used for user access.
Figure 1-6 Networking diagram of configuring a dynamic routing protocol for GRE
RouterB
GE1/0/0
GE2/0/0
20.1.1.2/24
30.1.1.1/24
OSPF 1
RouterA
RouterC
Tunnel
GE2/0/0
10.1.1.2/24
10.1.1.1/24
GE1/0/0
30.1.1.2/24
GE1/0/0
20.1.1.1/24
Tunnel0/0/1 OSPF 2
40.1.1.1/24
Tunnel0/0/1
40.1.1.2/24
GE2/0/0
10.2.1.2/24
10.2.1.1/24
PC1
PC2
Configuration Roadmap
The configuration roadmap is as follows:
1.
Configure IGP on each router in the backbone network to realize the interworking between
these devices. Here OSPF process 1 is used.
2.
Create the GRE tunnel between routers that are connected to PCs.Then routers can
communicate through the GRE runnel.
3.
Configure the dynamic routing protocol on the network segments through which PCs access
the backbone network. Here OSPF process 2 is used.
Data Preparation
To complete the configuration, you need the following data:
l
Issue 02 (2012-03-30)
22
1 GRE Configuration
Procedure
Step 1 Assign an IP address to each interface.
Assign an IP address to each interface as shown in Figure 1-6. The specific configuration is not
mentioned here.
Step 2 Configure IGP for the VPN backbone network.
The specific configuration procedures are the same as those in 1.7.1 Example for Configuring
a Static Route for GRE and are not mentioned here.
Step 3 Configuring the tunnel interfaces
The specific configuration procedures are the same as those in 1.7.1 Example for Configuring
a Static Route for GRE and are not mentioned here.
Step 4 Configure OSPF on the tunnel interfaces.
# Configure Router A.
[RouterA] ospf 2
[RouterA-ospf-2] area 0
[RouterA-ospf-2-area-0.0.0.0] network 40.1.1.0 0.0.0.255
[RouterA-ospf-2-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[RouterA-ospf-2-area-0.0.0.0] quit
[RouterA-ospf-2] quit
# Configure Router C.
[RouterC] ospf 2
[RouterC-ospf-2] area 0
[RouterC-ospf-2-area-0.0.0.0] network 40.1.1.0 0.0.0.255
[RouterC-ospf-2-area-0.0.0.0] network 10.2.1.0 0.0.0.255
[RouterC-ospf-2-area-0.0.0.0] quit
[RouterC-ospf-2] quit
Issue 02 (2012-03-30)
23
1 GRE Configuration
Direct 0
Direct 0
0
0
D
D
127.0.0.1
127.0.0.1
InLoopBack0
InLoopBack0
Configuration Files
l
Issue 02 (2012-03-30)
24
1 GRE Configuration
#
ospf 1
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
ospf 2
area 0.0.0.0
network 40.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
return
Networking Requirements
In Figure 1-7, Router A and Router C are required to transmit multicast packets, and the multicast
packets must be encrypted through IPSec. Before being encrypted through IPSec, multicast
packets must be encapsulated with GRE because IPSec cannot directly encrypt multicast packets.
Figure 1-7 Networking diagram of transmitting IPSec-encrypted multicast packets through a
GRE tunnel
RouterB
GE1/0/0
20.1.1.2/24
RouterA
GE2/0/0
30.1.1.1/24
GE1/0/0
GE1/0/0
30.1.1.2/24
20.1.1.1/24
GRE with IPSec
RouterC
GE2/0/0 Tunnel0/0/1
10.1.1.2/24 40.1.1.1/24
Tunnel0/0/1 GE2/0/0
40.1.1.2/24 10.2.1.2/24
10.1.1.1/24
10.2.1.1/24
Configuration Roadmap
The configuration roadmap is as follows:
1.
Configure OSPF on the backbone network devices, namely, Router A, Router B, and
Router C, to realize the interworking between these devices.
2.
Create a GRE tunnel between Router A and Router C to encapsulate multicast packets.
Issue 02 (2012-03-30)
25
3.
1 GRE Configuration
Create an IPSec tunnel between Router A and Router C to encrypt the GRE encapsulated
multicast packets.
Data Preparation
To complete the configuration, you need the following data:
l
Data for configuring the routing protocol for the backbone network
Data for configuring IPSec such as IPSec proposal name and ACL
Procedure
Step 1 Configure the routing protocol.
Configure a routing protocol on Router A, Router B, and Router C to implement the interworking
between these devices. OSPF is configured in this example. The configuration details are not
mentioned here.
After the configuration,
l Router A and Router C are routable.
l Router A can successfully ping GE1/0/0 of Router C.
l Router C can successfully ping GE1/0/0 of Router A.
Step 2 Configure the interfaces of the GRE tunnel.
# Configure Router A.
[RouterA] interface tunnel0/0/1
[RouterA-Tunnel0/0/1] ip address 40.1.1.1 255.255.255.0
[RouterA-Tunnel0/0/1] tunnel-protocol gre
[RouterA-Tunnel0/0/1] source 20.1.1.1
[RouterA-Tunnel0/0/1] destination 30.1.1.2
[RouterA-Tunnel0/0/1] quit
# Configure Router C.
[RouterC] interface tunnel0/0/1
[RouterC-Tunnel0/0/1] ip address 40.1.1.2 255.255.255.0
[RouterC-Tunnel0/0/1] tunnel-protocol gre
[RouterC-Tunnel0/0/1] source 30.1.1.2
[RouterC-Tunnel0/0/1] destination 20.1.1.1
[RouterC-Tunnel0/0/1] quit
Issue 02 (2012-03-30)
26
1 GRE Configuration
# Configure Router C.
[RouterC] multicast routing-enable
[RouterC] interface gigabitethernet 2/0/0
[RouterC-GigabitEthernet2/0/0] pim dm
[RouterC-GigabitEthernet2/0/0] igmp enable
[RouterC-GigabitEthernet2/0/0] quit
[RouterC] interface tunnel0/0/1
[RouterC-Tunnel0/0/1] pim dm
[RouterC-Tunnel0/0/1] quit
# After multicast is enabled, the multicast data between Router A and Router C is transmitted
through the GRE tunnel.
Step 4 Configure aggressive IKE negotiation between Router A and Router C.
NOTE
To encapsulate multicast packets with GRE and then encrypt the multicast packets with IPSec, the remote
address in IKE peer mode must be the destination address of the local tunnel.
# Configure Router A.
[RouterA] ike local-name rta
[RouterA] ike peer RouterC v1
[RouterA-ike-peer-routerc] exchange-mode aggressive
[RouterA-ike-peer-routerc] local-id-type name
[RouterA-ike-peer-routerc] pre-shared-key 12345
[RouterA-ike-peer-routerc] remote-name rtc
[RouterA-ike-peer-routerc] remote-address 30.1.1.2
[RouterA-ike-peer-routerc] quit
# Configure Router C.
[RouterC] ike local-name rtc
[RouterC] ike peer RouterA v1
[RouterC-ike-peer-routera] exchange-mode aggressive
[RouterC-ike-peer-routera] local-id-type name
[RouterC-ike-peer-routera] pre-shared-key 12345
[RouterC-ike-peer-routera] remote-name rta
[RouterC-ike-peer-routera] remote-address 20.1.1.1
[RouterC-ike-peer-routera] quit
Encapsulate multicast packets with GRE and then encrypt these packets with IPSec. Note that the source
and destination addresses for the local end of the tunnel must match the ACL of the IPSec policy, and the
IPSec policy must be applied to the physical interface transmitting data.
# Configure IPSec on Router A and Router C. The default parameters of the IPSec proposal is
used in this example.
# Configure Router A.
[RouterA] acl number 3000
[RouterA-acl-adv-3000] rule permit gre source 20.1.1.1 0 destination 30.1.1.2 0
[RouterA-acl-adv-3000] quit
[RouterA] ipsec proposal p1
[RouterA-ipsec-proposal-p1] quit
Issue 02 (2012-03-30)
27
1 GRE Configuration
# Configure Router C.
[RouterC] acl number 3000
[RouterC-acl-adv-3000] rule permit gre source 30.1.1.2 0 destination 20.1.1.1 0
[RouterC-acl-adv-3000] quit
[RouterC] ipsec proposal p1
[RouterC-ipsec-proposal-p1] quit
[RouterC] ipsec policy policy1 1 isakmp
[RouterC-ipsec-policy-isakmp-policy1-1] security acl 3000
[RouterC-ipsec-policy-isakmp-policy1-1] ike-peer RouterA
[RouterC-ipsec-policy-isakmp-policy1-1] proposal p1
[RouterC-ipsec-policy-isakmp-policy1-1] quit
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] ipsec policy policy1
[RouterC-GigabitEthernet1/0/0] quit
# After the configuration, the multicast data between Router A and Router C can be transmitted
through the GRE tunnel encrypted with IPSec.
Step 6 On the source device and the destination device of the tunnel, configure the tunnel to forward
routes.
# Configure Router A.
[RouterA] ip route-static 10.2.1.0 255.255.255.0 tunnel 0/0/1
# Configure Router C.
[RouterC] ip route-static 10.1.1.0 255.255.255.0 tunnel 0/0/1
Issue 02 (2012-03-30)
28
1 GRE Configuration
----End
Configuration Files
l
Issue 02 (2012-03-30)
29
1 GRE Configuration
Issue 02 (2012-03-30)
30
1 GRE Configuration
#
interface GigabitEthernet1/0/0
ip address 30.1.1.2 255.255.255.0
ipsec policy policy1
#
interface GigabitEthernet2/0/0
ip address 10.2.1.2 255.255.255.0
pim dm
igmp enable
#
interface Tunnel0/0/1
ip address 40.1.1.2 255.255.255.0
tunnel-protocol gre
source 30.1.1.2
destination 20.1.1.1
pim dm
#
ospf 1
area 0.0.0.0
network 30.1.1.2 0.0.0.0
#
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/1
#
return
Networking Requirements
As shown in Figure 1-8,
l
Issue 02 (2012-03-30)
31
1 GRE Configuration
Figure 1-8 Networking diagram in which CEs access a VPN through the GRE tunnel of the
public network
Loopback1
MPLS
R1
GE2/0/0
T
CE1
GE2/0/0
GE1/0/0
GE2/0/0
GE1/0/0
Loopback1
el
unn
GE1/0/0
PE1
Tunnel0/0/1
PE2
GE2/0/0
CE2
GE1/0/0
GE2/0/0
Tunnel0/0/1
GE1/0/0
PC2
PC1
Router
Interface
IP address
CE1
GE1/0/0
21.1.1.2/24
CE1
GE2/0/0
30.1.1.1/24
CE1
Tunnel0/0/1
2.2.2.1/24
R1
GE1/0/0
30.1.1.2/24
R1
GE2/0/0
50.1.1.1/24
PE1
Loopback1
1.1.1.9/32
PE1
GE1/0/0
50.1.1.2/24
PE1
GE2/0/0
110.1.1.1/24
PE1
Tunnel0/0/1
2.2.2.2/24
PE2
Loopback1
3.3.3.9/32
PE2
GE1/0/0
110.1.1.2/24
PE2
GE2/0/0
11.1.1.2/24
CE2
GE1/0/0
11.1.1.1/24
CE2
GE2/0/0
41.1.1.2/24
Configuration Roadmap
PE1 and CE1 are indirectly connected. So the VPN instance on PE1 cannot be bound to the
physical interface on PE1. In such a situation, a GRE tunnel is required between CE1 and PE1.
vpn1 on PE1 can then be bound to the GRE tunnel, and CE1 can access the VPN through the
GRE tunnel.
The configuration roadmap is as follows:
1.
Configure OSPF10 on PE1 and PE2 to implement the interworking between the two
devices, and then enable MPLS.
2.
Configure OSPF20 on CE1, R1, and PE1 to implement the interworking between the three
devices.
3.
Issue 02 (2012-03-30)
32
1 GRE Configuration
4.
Create VPN instances on PE1 and PE2. Then bind the VPN instance on PE1 to the GRE
tunnel interface, and bind the VPN instance on PE2 to the connected physical interface of
CE2.
5.
Configure IS-IS routes between CE1 and PE1, and between CE2 and PE2 to implement
the interworking between the CEs and PEs.
6.
Configure BGP on PEs to implement the interworking between CE1 and CE2.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Configure the IP address for each interface and the routing protocol for the MPLS backbone
network.
Configure OSPF10 on PE1 and PE2, and then configure MPLS and LDP. The detailed
configurations are not mentioned here.
Step 2 Configure a routing protocol between CE1, R1, and PE1.
Configure OSPF20 on CE1, R1, and PE1. The detailed configurations are not mentioned here.
Step 3 Establish a GRE tunnel between CE1 and PE1.
# Configure CE1.
[CE1] interface tunnel0/0/1
[CE1-Tunnel0/0/1] ip address 2.2.2.1 255.255.255.0
[CE1-Tunnel0/0/1] tunnel-protocol gre
[CE1-Tunnel0/0/1] source 30.1.1.1
[CE1-Tunnel0/0/1] destination 50.1.1.2
# Configure PE1.
[PE1] interface tunnel0/0/1
[PE1-Tunnel0/0/1] ip address 2.2.2.2 255.255.255.0
[PE1-Tunnel0/0/1] tunnel-protocol gre
[PE1-Tunnel0/0/1] source 50.1.1.2
[PE1-Tunnel0/0/1] destination 30.1.1.1
# After the configuration, a GRE tunnel is established between CE1 and PE1.
Step 4 Create a VPN instance named vpn1 on PE1 and bind the VPN instance to the GRE tunnel.
[PE1]ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] route-distinguisher 100:1
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 export-extcommunity
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 import-extcommunity
[PE1-vpn-instance-vpn1-af-ipv4] quit
[PE1-vpn-instance-vpn1] quit
[PE1] interface tunnel0/0/1
[PE1-Tunnel0/0/1] ip binding vpn-instance vpn1
[PE1-Tunnel0/0/1] ip address 2.2.2.2 255.255.255.0
Step 5 Create a VPN instance named vpn1 on PE2 and bind the VPN instance to the GE interface.
[PE2]ip vpn-instance vpn1
[PE2-vpn-instance-vpn1] route-distinguisher 200:1
Issue 02 (2012-03-30)
33
1 GRE Configuration
# Configure PE1.
[PE1] isis 50 vpn-instance vpn1
[PE1-isis-50] network-entity 50.0000.0000.0002.00
[PE1-isis-50] quit
[PE1] interface tunnel0/0/1
[PE1-Tunnel0/0/1] isis enable 50
[PE1-Tunnel0/0/1] quit
# Configure PE2.
[PE2] isis 50 vpn-instance vpn1
[PE2-isis-50] network-entity 50.0000.0000.0003.00
[PE2-isis-50] quit
[PE2] interface gigabitethernet2/0/0
[PE2-GigabitEthernet2/0/0] isis enable 50
[PE2-GigabitEthernet2/0/0] quit
Step 8 Set up the MP-BGP peer relationship between PE1 and PE2.
# On PE1, specify PE2 as an IBGP peer, set up the IBGP connection by using the loopback
interface, and enable the capability of exchanging VPN IPv4 routing information between PE1
and PE2.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
# Enter the view of the BGP VPN instance vpn1 and import the direct routes and IS-IS routes.
Issue 02 (2012-03-30)
34
1 GRE Configuration
# On PE2, specify PE1 as an IBGP peer, set up the IBGP connection by using the loopback
interface, and enable the capability of exchanging VPN IPv4 routing information between PE2
and PE1.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
# Enter the view of the BGP VPN instance vpn1 and import the direct routes and IS-IS routes.
[PE2-bgp] ipv4-family vpn-instance vpn1
[PE2-bgp-vpn1] import-route direct
[PE2-bgp-vpn1] import-route isis 50
# Configure PE2.
[PE2] isis 50
[PE2-isis-50] import-route bgp
----End
Configuration Files
l
Issue 02 (2012-03-30)
35
1 GRE Configuration
sysname CE1
#
isis 50
network-entity 50.0000.0000.0001.00
#
interface GigabitEthernet2/0/0
ip address 30.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 21.1.1.2 255.255.255.0
isis enable 50
#
interface Tunnel0/0/1
ip address 2.2.2.1 255.255.255.0
tunnel-protocol gre
source 30.1.1.1
destination 50.1.1.2
isis enable 50
#
ospf 20
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
return
Configuration file of R1
#
sysname R1
#
interface GigabitEthernet1/0/0
ip address 30.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 50.1.1.1 255.255.255.0
#
ospf 20
area 0.0.0.0
network 30.1.1.0 0.0.0.255
network 50.1.1.0 0.0.0.255
#
return
Issue 02 (2012-03-30)
36
1 GRE Configuration
Issue 02 (2012-03-30)
37
1 GRE Configuration
Networking Requirements
As shown in Figure 1-9, Router A and Router B are configured with the GRE protocol. The two
ends of the GRE tunnel need be configured with the Keepalive function.
Figure 1-9 Networking diagram of configuring the Keepalive function on two ends of a GRE
tunnel
GE1/0/0
20.1.1.1/24
RouterA
Issue 02 (2012-03-30)
Internet
GE1/0/0
30.1.1.2/24
GRE Tunnel
Tunnel0/0/1
40.1.1.1/24
Tunnel0/0/1
40.1.1.2/24
RouterB
38
1 GRE Configuration
Configuration Roadmap
To enable the Keepalive function on one end of the GRE tunnel, run the keepalive command in
the tunnel interface view on the end.
TIP
If the Keepalive function is enabled on the source end, the forwarding function is obligatory, and the
Keepalive function is optional for the destination end.
Data Preparation
To complete the configuration, you need the following data:
l
Data for configuring the routing protocol for the backbone network
Procedure
Step 1 Configure Router A and Router B to implement the interworking between the two devices.
The detailed procedures are not mentioned here.
Step 2 Configure a tunnel on Router A and enable the Keepalive function.
<RouterA> system-view
[RouterA] interface tunnel 0/0/1
[RouterA-Tunnel0/0/1] ip address 40.1.1.1 255.255.255.0
[RouterA-Tunnel0/0/1] source 20.1.1.1
[RouterA-Tunnel0/0/1] destination 30.1.1.2
[RouterA-Tunnel0/0/1] keepalive period 20 retry-times 3
[RouterA-Tunnel0/0/1] quit
ms
ms
ms
ms
ms
# Enable the debugging of the Keepalive messages on Router A and view information about the
Keepalive messages.
Issue 02 (2012-03-30)
39
1 GRE Configuration
----End
Configuration Files
l
Issue 02 (2012-03-30)
40
41
After LDP LSPs are established for the labeled BGP routes of the public network, EBGP
connections in multi-hop mode are established between PEs of different ASs to exchange VPNv4
routes.
2.10 Configuring HoVPN
HoVPN indicates a hierarchical VPN in which multiple PEs play different roles and form a
hierarchical structure. With this structure, these PEs function as one PE, and the performance
requirements for the PEs are lowered.
2.11 Configuring a Multi-VPN-Instance CE
By using OSPF multi-instance on CEs, you can implement service isolation on the LAN.
2.12 Connecting VPN and the Internet
Generally, users within a VPN can communicate only with each other, but cannot communicate
with Internet users because VPN users cannot access the Internet. If each VPN site needs to
access the Internet, configure the interconnection between the VPN and the Internet.
2.13 Configuring Route Reflection to Optimize the VPN Backbone Layer
Using an RR can reduce the number of MP IBGP connections between PEs. This not only reduces
the burden of PEs, but also facilitates network maintenance and management.
2.14 Configuring Route Reflection to Optimize the VPN Access Layer
If a PE and the connected CEs are in the same AS, you can deploy a BGP route RR to reduce
the number of IBGP connections between CEs and facilitate maintenance and management.
2.15 Maintaining BGP/MPLS IP VPN
This section describes how to maintain the BGP/MPLS IP VPN, which involves L3VPN traffic
checking, network connectivity monitoring, BGP connection resetting.
2.16 Configuration Examples
This section provides several configuration examples of VPN networking. In each configuration
example, the networking requirements, configuration roadmap, configuration notes,
configuration procedures, and configuration files are described.
Issue 02 (2012-03-30)
42
VPN 1
Site
CE
CE
Service provider's
P backbone
P
VPN 2
Site
PE
PE
PE
VPN 2
Site
CE
CE
VPN 1
Site
A Customer Edge (CE) is an edge device on the customer network, which has one or more
interfaces directly connected to the service provider network. A CE can be a router, a
switch or a host. Usually, CEs cannot "sense" the existence of the VPN, and do not need
to support MPLS.
A Provider Edge (PE) is an edge device on the provider network, which is directly connected
to the CE. In the MPLS network, PEs perform all the VPN-related processing.
A Provider (P) is a backbone device on the provider network, which is not directly
connected to the CE. Ps only need to possess basic MPLS forwarding capabilities and do
not need to maintain information about VPNs.
43
Basic Networking
The AR3200 uses the Multi-protocol Extensions for Border Gateway Protocol (MP-BGP) to
achieve the VPN route exchange between PEs. The static route, Routing Information Protocol
(RIP) multi-instance, Open Shortest Path First (OSPF) multi-instance, Intermediate System-toIntermediate System (IS-IS) multi-instance, or external BGP (EBGP) can be used to exchange
routes between a PE and a CE. In addition, by using VPN targets to control the transmission of
VPN routes, the AR3200 can implement multiple VPN networking topologies including
Intranet, Extranet, and Hub and Spoke.
Generally, LSPs tunnels are used on the VPN backbone network. In some cases where PEs
support MPLS functions but P routers support only IP functions, GRE tunnels can be used.
Typical Networking
The AR3200 supports the following typical VPN networking scheme:
l
Inter-AS VPN
If a VPN backbone network spans multiple ASs, the inter-AS VPN must be configured.
The inter-AS VPN can be classified as Option A, Option B, or Option C.
Hierarchy of VPN(HoVPN)
To relieve the stress on a PE, the Hierarchy of VPN (HoVPN) can be configured. A device
on the convergence layer or the access layer is selected as the Underlayer Provider Edge
(UPE), which works jointly with the PE, that is, the Superstratum Provider Edge (SPE) on
the backbone layer, to implement the functions of the PE.
Multi-VPN-Instance CE
The Multi-VPN-Instance CE can be configured to improve the routing capability of the
LAN, solve the security problem of the LAN at a low cost, and ensure that the LAN services
are safely differentiated. Currently, LAN services can be differentiated by utilizing VLAN
switches, but they have a weak routing capability.
Reliability
To improve the reliability of a VPN, the following networking modes are generally adopted.
l
The backbone network is an MPLS network, on which the devices adopt hierarchical
backup and are fully connected through high-speed interfaces. If there are many PEs on
the network, the BGP route reflector is deployed to reflect IPv4 VPN routes in order to
decrease the number of Multi-Protocol internal BGP (MP IBGP) connections.
Either a mesh topology or a ring topology is used at the convergence layer based on the
requirements.
44
Applicable Environment
In BGP/MPLS IP VPN, each VPN is instantiated, and the instances of private forwarding
information of each VPN are established, that is, a VPN instance is established. A VPN instance
is also called the VPN Routing and Forwarding (VRF) table. In RFC 4364 (BGP/MPLS IP
VPNs), a VPN instance is called the per-site forwarding table.
The VPN instance is used to separate the VPN routes from public routes. In all the BGP/MPLS
IP VPN networking scenarios, configure VPN instances.
The VPN instance IPv4 address family can realize the separation of address spaces based on the
Router Distinguisher (RD), and can control VPN membership and routing rules based on the
VPN target attribute.
In addition, to achieve enhanced routing control, you can also enforce inbound and outbound
routing policies. The inbound routing policy is used to filter the routes imported into the VPN
instance IPv4 address family, and the outbound routing policy is used to filter the routes
advertised to other PEs.
Pre-configuration Tasks
Before configuring a VPN instance enabled with an IPv4 address family, complete the following
tasks:
l
Configuring routing policies if import or export routing policies need to be applied to the
VPN instance IPv4 address family
Configuring tunnel policies if load balancing is required, or the default selecting sequence
of Label Switched Paths (LSPs), Multiprotocol Label Switching Traffic Engineering
(MPLS TE) tunnels, or Generic Routing Encapsulation (GRE) tunnels need to be changed.
Data Preparation
To configure a VPN instance enabled with an IPv4 address family, you need the following data.
Issue 02 (2012-03-30)
No.
Data
RD, VPN target attribute of the VPN instance IPv4 address families
(Optional) Maximum number of routes allowed by the VPN instance IPv4 address
families
(Optional) Routing policy that controls the receiving and sending of VPN routes
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
45
No.
Data
Context
Perform the following steps on the PE that is connected to the CE.
Procedure
Step 1 Run:
system-view
The VPN instance name is case sensitive. For example, vpn1 and VPN1 are considered different VPN
instances.
No default VPN instance exists on a PE, and multiple VPN instances can be created on the PE.
Step 3 (Optional) Run:
description description-information
46
Context
Perform the following steps on the PE that is configured with VPN instances.
NOTE
Procedure
Step 1 Run:
system-view
The IPv4 address family is enabled for the VPN instance and the VPN instance IPv4 address
family view is displayed.
Step 4 Run:
route-distinguisher route-distinguisher
A configured RD cannot be changed or deleted. Delete a VPN instance or disable the VPN instance IPv4
address family before changing or deleting the RD of the VPN instance IPv4 address family.
Step 5 Run:
vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]
The VPN target extended community attribute for the VPN instance is created.
The VPN target is the extended community attribute of the Border Gateway Protocol (BGP). It
controls the import and export of VPN routes. You can configure a maximum of 8 VPN targets
with a command.
Step 6 (Optional) Run:
routing-table limit number { alert-percent | simply-alert }
Issue 02 (2012-03-30)
47
NOTE
If the routing-table limit command is run, the system gives a prompt when the number of routes injected
into the routing table of the VPN instance IPv4 address family exceeds the maximum. If the routing-table
limit command is run to increase the maximum number of routes supported in a VPN instance IPv4 address
family or the undo routing-table limit command is run to remove the limit on the routing table, for excess
routes, the following operations are required:
l For the excessive static routes, reconfigure them manually.
l For the excessive routes learned from CEs through the IGP multi-instance routing protocol, re-initiate
the multi-instance process of the routing protocol on the PE.
For the remote cross routes learned through the MP-IBGP and the BGP routes learned from CEs, the system
automatically refreshes them.
The maximum number of prefixes for the VPN instance IPv4 address family is configured.
You can define the maximum number of prefixes for a VPN instance IPv4 address family to
avoid importing too many prefixes from the CE.
Step 8 (Optional) Run:
limit-log-interval interval
The frequency of displaying logs when the number of routes exceeds the threshold is configured.
Step 9 (Optional) Run:
import route-policy policy-name
The inbound routing policy of the VPN instance IPv4 address family is configured.
Step 10 (Optional) Run:
export route-policy policy-name
The outbound routing policy of the VPN instance IPv4 address family is configured.
----End
Context
Perform the following steps on the PE configured with VPN instances IPv4 address family.
Procedure
Step 1 Run:
system-view
48
Step 2 Run:
ip vpn-instance vpn-instance-name
The IPv4 address family is enabled for the VPN instance and the VPN instance IPv4 address
family view is displayed.
Step 4 Run:
apply-label per-instance
The MPLS label is allocated based on the VPN instance IPv4 address family, which ensures that
all the routes in a VPN instance IPv4 address family use the same MPLS label.
Generally, MPLS label allocation is in one label per route mode. When the number of routes
becomes larger, more labels are required.
Therefore, MPLS label allocation based on the VPN instance IPv4 address family is introduced
and provided by the AR3200. In this manner, all the routes of a VPN instance share the same
MPLS label.
----End
Prerequisites
The functions of the VPN instance enabled with IPv4 address family are fully configured.
Procedure
l
Run the display ip vpn-instance import-vt ivt-value command to check information about
all VPN instances with the specified import VPN-target attribute.
----End
Example
Run the display ip vpn-instance command. If brief information about the VPN instance is
displayed, it means that the configuration succeeded. For example:
<Huawei> display ip vpn-instance
Total VPN-Instances configured : 4
VPN-Instance Name
Address-family
vrf1
ipv4
vrf2
vrf3
ipv4
vrf4
ipv4
Issue 02 (2012-03-30)
49
Run the display ip vpn-instance verbose command. If detailed information about the VPN
instance is displayed, it means the configuration succeeded. For example:
<Huawei> display ip vpn-instance verbose
Total VPN-Instances configured : 1
VPN-Instance Name and ID : vpn1, 1
Description : vrf1
Service ID : 123
Address family ipv4
Create date : 2010/03/05 16:26:27
Up time : 0 days, 00 hours, 09 minutes and 12 seconds
Route Distinguisher : 100:1
Export VPN Targets : 1:1
Import VPN Targets : 1:1
Label Policy : label per instance
Per-Instance Label : 1029
Import Route Policy : rp1
Export Route Policy : rp2
Tunnel Policy : tp1
Maximum Routes Limit : 200
Threshold Routes Limit : 10%
Prefix Routes Limit : 200
Threshold Prefixes Limit : 20%
Install Mode : route-unchanged
Log Interval : 30
Run the display ip vpn-instance import-vt ivt-value command. If information about all VPN
instances with the specified import VPN-target attribute is displayed, it means that the
configuration succeeded.
<Huawei> display ip vpn-instance import-vt 1:1
The number of ipv4-family matched the import-vt : 3
VPN-Instance Name and ID : vrf1, 1
VPN-Instance Name and ID : vrf4, 5
VPN-Instance Name and ID : vrf5, 4
Applicable Environment
This section describes the basic BGP/MPLS IP VPN networking. Specifically, networking
features only one carrier and one intra-AS MPLS backbone network. In addition, the roles of
the P, PE, and CE are unique. For example, no device serves both as the PE and CE.
For special BGP/MPLS IP VPN networkings, such as HoVPN, and inter-AS VPN, additional
configurations are needed. You can refer to the related sections in this chapter for details.
In terms of the configuration of the BGP/MPLS IP VPN, it is critical for you to configure the
management of the advertisement of VPN routes on the MPLS backbone networks, including
the management of route advertisement between between PEs, and the PE and CE.
Issue 02 (2012-03-30)
50
You can configure MP-IBGP to exchange routes between PEs. To exchange routes between the
PE and CE, you can configure static routes, RIP multi-instance, OSPF multi-instance, IS-IS
multi-instance, or BGP based on the specific networking situations.
NOTE
If a VPN is used to receive the external routes and the routes advertised by non-PE devices, and advertise
these routes to PEs, the VPN is called a transit VPN.
If a VPN is used to accept the internal routes and the routes advertised by PEs, the VPN is called a stub
VPN. In most cases, the static route is only used to exchange routes between the PE and CE in the stub
VPN.
Pre-configuration Tasks
Before configuring basic BGP/MPLS IP VPN, complete the following tasks:
l
Configuring IGP for the MPLS backbone network (PE, P) to implement IP connectivity
Configuring basic MPLS functions and MPLS LDP for the MPLS backbone network (PE,
P)
Data Preparation
To configure basic BGP/MPLS IP VPN, you need the following data.
No.
Data
Route-exchanging mode between the PE and CE, which can be the static route, RIP,
OSPF, IS-IS, or BGP
AS number of the PE
IP address and interface of the PE used to establish the BGP peer relationship
51
Procedure
Step 1 For the details, see Configuring VPN Instances.
----End
Context
Perform the following steps on the PE that is connected to the CE.
Procedure
Step 1 Run:
system-view
The view of the interface that is to be bound with the VPN instance is displayed.
Step 3 Run:
ip binding vpn-instance vpn-instance-name
The running of the ip binding vpn-instance command on an interface can delete the Layer 3 attributes,
such as the IP address and routing protocol. If these Layer 3 attributes are still required, configure them
again.
An interface cannot be bound to a VPN instance that is not enabled with an address family.
Disabling an address family of a VPN instance deletes the Layer 3 attributes, such as the IP address and
routing protocol of the interface bound to the VPN instance. Disabling all the address families of a VPN
instance unbinds all the bound interfaces from the VPN instance.
Step 4 Run:
ip address ip-address { mask | mask-length }
52
Context
By default, no router ID is configured for a BGP VPN instance IPv4 address family, and the
BGP router ID is used. This makes different BGP VPN instance IPv4 address families on the
same device have the same router ID. In some cases, different router IDs need to be configured
for different BGP VPN instance IPv4 address families. For example, BGP peer relationships
need to be established between different BGP VPN instance IPv4 address families on the same
PE.
There are two methods to configure a router ID for a BGP VPN instance IPv4 address family.
Procedure
l
Configuring router IDs for all BGP VPN instance IPv4 address families
1.
Run:
system-view
Run:
bgp as-number
Run:
router-id vpn-instance auto-select
Automatic router ID selection is configured for all BGP VPN instance IPv4 address
families.
NOTE
Rules for automatically selecting a router ID for a BGP VPN instance IPv4 address family are
as follows:
l If the loopback interfaces configured with IP addresses are bound to the VPN instance
enabled with the IPv4 address family, the largest IP address among the IP addresses of the
loopback interfaces is selected as the router ID.
l If no loopback interfaces configured with IP addresses are bound to the VPN instance
enabled with the IPv4 address family, the largest IP address among the IP addresses of
other interfaces bound to the VPN instance is selected as the router ID, regardless of whether
the interface is Up or Down.
Configuring a router ID for a specified BGP VPN instance IPv4 address family
1.
Run:
system-view
Run:
bgp as-number
Run:
ipv4-family vpn-instance vpn-instance-name
Run:
router-id { ipv4-address | auto-select }
Issue 02 (2012-03-30)
53
A router ID or automatic route ID selection is configured for the current BGP VPN
instance IPv4 address family.
----End
Context
Perform the following steps on the PE that is connected to the CE.
Procedure
Step 1 Run:
system-view
The 32-bit mask IP addresses of the loopback interfaces must be used to establish the MP-IBGP peer
relationship between PEs. This can ensure that the tunnel can be iterated. The route destined to the loopback
interface is advertised to the remote PE based on IGP on the MPLS backbone network.
Step 5 Run:
ipv4-family vpnv4
The VPN IPv4 routing information can be exchanged between the peers.
----End
54
Context
Select one of the following configurations as required:
l
Procedure
Perform the following steps on the PE:
1.
Run:
system-view
Run:
bgp as-number
Run:
ipv4-family vpn-instance vpn-instance-name
(Optional) Run:
as-number as-number
The AS number configured in the BGP-VPN instance IPv4 address family view cannot be the
same as the AS number configured in the BGP view.
5.
Run:
peer ipv4-address as-number as-number
(Optional) Run:
peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]
55
7.
(Optional) When the direct route of the local CE needs to be imported to the VPN
routing table (for being advertised to the remote PE), you can choose either of the
following configurations:
Run the import-route direct [ med med | route-policy route-policy-name ]*
command to import the direct routes of the local CE into the VPN routing table.
Run the network ipv4-address [ mask | mask-length ] [ route-policy route-policyname ] command to import a specific direct route of the local CE into the VPN
routing table.
NOTE
The PE can automatically learn the direct route destined for the local CE, and the learned
direct route has a higher priority than the direct route that is advertised by the local CE
based on EBGP. Therefore, if this step is not configured, the PE cannot advertise the direct
route to the remote PE based on MP-BGP.
8.
(Optional) Run:
peer { group-name | ipv4-address } soo site-of-origin
The Site of Origin (SoO) attribute is configured for the specified CE.
When multiple CEs in a VPN site access different PEs, VPN routes sent from CEs to
PEs may return to this VPN site after traveling through the backbone network. This
may cause routing loops in the VPN site.
After the SoO attribute is configured on a PE, the PE adds the SoO attribute to the
route sent from a CE and advertises the route to other PE peers. Before advertising
the VPN route to the connected CE, the PE peers check the SoO attribute carried in
the VPN route. If the PE peers find that this SoO attribute is the same as the locally
configured SoO attribute, the PE peers do not advertise this VPN route to the connected
CE.
9.
(Optional) Run:
peer ip-address allow-as-loop [ number ]
Issue 02 (2012-03-30)
56
CAUTION
In the case of multi-homed CE, the BGP AS substitution function may lead to route
loops.
Perform the following steps on the CE:
1.
Run:
system-view
Run:
bgp as-number
Run:
peer ipv4-address as-number as-number
(Optional) Run:
peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]
Run:
import-route { direct | static | rip process-id | ospf process-id | isis
process-id } [ med med | route-policy route-policy-name ]*
Run:
system-view
Run:
bgp as-number
Run:
ipv4-family vpn-instance vpn-instance-name
(Optional) Run:
as-number as-number
Issue 02 (2012-03-30)
57
The AS number configured in the BGP-VPN instance IPv4 address family view cannot be the
same as the AS number configured in the BGP view.
5.
Run:
peer ipv4-address as-number as-number
(Optional) When the direct route of the local CE needs to be imported to the VPN
routing table (for being advertised to the remote PE), select either of the following
configurations:
Run the import-route direct [ med med | route-policy route-policy-name ]*
command to import the direct routes of the local CE to the VPN routing table..
Run the network ipv4-address [ mask | mask-length ] [ route-policy route-policyname ] command to import a specific direct route of the local CE to the VPN routing
table.
NOTE
The PE can automatically learn the direct route to the local CE. The route has a higher priority
than the direct route that is advertised by IBGP. Therefore, if this step is not performed, the PE
does not advertise the direct route to the remote PE using MP-BGP.
Run:
system-view
Run:
bgp as-number
Run:
peer ipv4-address as-number as-number
Run:
import-route { direct | static | rip process-id | ospf process-id | isis
process-id } [ med med | route-policy route-policy-name ]*
Issue 02 (2012-03-30)
58
NOTE
For details, see the chapter "IP Static Route Configuration" in the Huawei AR3200 Series Enterprise
Routers Configuration Guide - IP Routing.
1.
Run:
system-view
Run:
ip route-static vpn-instance vpn-source-name destination-address { mask
| mask-length } interface-type interface-number [ nexthop-address ]
[ preference preference | tag tag ] *
The static route is configured for the specified VPN instance IPv4 address family.
3.
Run:
bgp as-number
Run:
ipv4-family vpn-instance vpn-instance-name
Run:
import-route static [ med med | route-policy route-policy-name ]*
The configured static route is imported into the routing table of the BGP VPN
instance IPv4 address family.
l
For details, see Huawei AR3200 Series Enterprise Routers Configuration Guide - IP Routing.
1.
Run:
system-view
Run:
rip process-id vpn-instance vpn-instance-name
The RIP instance is created between the PE and the CE and the RIP view is displayed.
A RIP process belongs to only one VPN instance. If you run a RIP process without
binding it to a VPN instance, this process is considered as a public network process.
A RIP process that belongs to a public network cannot be bound with a VPN instance.
3.
Run:
network network-address
The RIP is configured on the network segment of the interface bound with the VPN
instance.
4.
Run:
import-route bgp [ cost { cost | transparent } | route-policy route-policyname ]*
59
After the import-route bgp command is run in the RIP view, the PE imports the VPNIPv4 routes learned from the remote PE into the RIP, and advertises them to its CE.
5.
Run:
quit
Run:
bgp as-number
Run:
ipv4-family vpn-instance vpn-instance-name
Run:
import-route rip process-id [ med med | route-policy route-policy-name ]*
The RIP route is imported into the routing table of the BGP VPN instance IPv4 address
family.
After the configuration of the import-route rip command in the BGP VPN view, the
PE imports the VPN routes learned from its CE into BGP, forms them into VPN-IPv4
routes, and advertises them to the remote PE.
NOTE
After a VPN instance is deleted or the IPv4 address family of the VPN instance is disabled, all
the associated RIP processes are deleted.
For details, see Huawei AR3200 Series Enterprise Routers Configuration Guide - IP Routing.
1.
Run:
system-view
Run:
ospf process-id [ router-id router-id ] vpn-instance vpn-instance-name
The OSPF instance is created between the PE and the CE, and the OSPF view is
displayed.
An OSPF process belongs to only one VPN instance. If you run an OSPF process
without binding it to a VPN instance, this process is considered as a public network
process. An OSPF process that belongs to a public network cannot be bound with a
VPN instance.
The OSPF processes that are bound to the VPN instance do not use the public network
Router ID configured in the system view. Specify the router ID when starting an OSPF
process. Otherwise, based on the router ID selecting rule, the IP address of any
interface that is bound to the VPN instance is selected as the router ID in the OSPF
process.
3.
Issue 02 (2012-03-30)
(Optional) Run:
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
60
(Optional) Run:
route-tag tag
Run:
import-route bgp [ cost cost | route-policy route-policy-name | tag tag |
type type ] *
Run:
area area-id
Run:
network ip-address wildcard-mask
OSPF is run on the network segment where the interface bound to the VPN instance
resides.
A network segment can belong to only one area. Therefore, specify to which area each
OSPF interface belongs.
OSPF can run on an interface if the following conditions are true:
The mask length of the IP address on the interface must be equal to or longer than
the wildcard-mask specified in the network command.
The primary IP address of the interface must be located in the network segment
specified in the network command.
For a loopback interface, OSPF advertises the IP address of the loopback interface as
a 32-bit host route by default, which bears no relation to the mask length configured
on the interface.
Issue 02 (2012-03-30)
61
8.
Run:
quit
Run:
quit
The OSPF route is imported into the routing table of the BGP VPN instance IPv4
address family.
NOTE
After a VPN instance is deleted or the IPv4 address family of the VPN instance is disabled, all
related OSPF processes are deleted.
For details, see Huawei AR3200 Series Enterprise Routers Configuration Guide - IP Routing.
1.
Run:
system-view
Run:
isis process-id vpn-instance vpn-instance-name
The IS-IS instance between the CE and the PE is created and the IS-IS view is
displayed.
An IS-IS process belongs to only one VPN instance. If you run an IS-IS process
without binding it to a VPN instance, this process is considered as a public network
process. An IS-IS process that belongs to a public network cannot be bound with a
VPN instance.
3.
Run:
network-entity net
(Optional) Run:
is-level { level-1 | level-1-2 | level-2 }
Issue 02 (2012-03-30)
62
Run:
import-route bgp [ cost-type { external | internal } | cost cost | tag
tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ]
*
Run:
quit
Run:
interface interface-type interface-number
Run:
isis enable [ process-id ]
Run:
quit
The IS-IS route is imported into the routing table of the BGP VPN instance IPv4
address family.
NOTE
After the VPN instance is deleted or the IPv4 address family of the VPN instance is disabled,
all IS-IS processes are deleted.
----End
Prerequisites
The basic BGP/MPLS IP VPN function configurations are complete.
Issue 02 (2012-03-30)
63
Procedure
l
Run the display ip routing-table command to check routing information on the CE.
----End
Example
Run the display ip routing-table vpn-instance vpn-instance-name command. If the VPN routes
related to the CE are displayed, it means the configuration succeeded.
Run the display ip routing-table command. If the routes to the peer CE are displayed on the
CE, it means the configuration succeeded.
Run the display ip vpn-instance [ vpn-instance-name ] interface command on the PE. If the
interface bound to a VPN instance is displayed, it means that the configuration succeeded.
Applicable Environment
If all the users are required to access to a central access control device, the Hub and Spoke
networking is adopted. In the Hub and Spoke network, all the Spoke stations communicate
through the Hub station.
Pre-configuration Task
Before configuring Hub and Spoke, complete the following tasks:
l
Configuring basic MPLS capability on PE devices and P devices in the MPLS backbone
network
Configuring the IP addresses, through which the CE devices access the PE devices, on the
CE devices
Data Preparation
Before configuring Hub and Spoke, you need the following data.
Issue 02 (2012-03-30)
64
No.
Data
Data for route configuration (static route, RIP, OSPF, IS-IS, or EBGP) between HubPE and Hub-CE, and Spoke-PE and Spoke-CE
Context
Configure the VPN instance on each Spoke-PE and Hub-PE.
Every Spoke-PE is configured with a VPN instance, while each Hub-PE is configured with the
following two VPN instances:
l
VPN-in: receives and maintains all the VPNv4 routes advertised by all the Spoke-PEs.
VPN-out: maintains the routes of all the Hub stations and Spoke stations and advertises
those routes to all the Spoke-PEs.
NOTE
l Different VPN instances on a device have different names, RDs, and description.
l Performing either Step 6 or Step 7 is recommended.
Procedure
Step 1 Run:
system-view
The VPN instance is created and the VPN instance view is displayed.
Issue 02 (2012-03-30)
65
The name of the VPN instance is case sensitive. For example, vpn1 and VPN1 are considered
different VPN instances.
Step 3 (Optional) Run:
description description-information
The IPv4 address family is enabled for the VPN instance, and the VPN instance IPv4 address
family view is displayed.
Step 5 Run:
route-distinguisher route-distinguisher
The label is allocated based on VPN instance IPv4 address family. That is, all the routes in a
VPN instance IPv4 address family use the same label.
The MPLS labels are generally allocated in the "one label per route" manner.
The AR3200 provides the MPLS label allocation feature based on the VPN instance IPv4 address
family. That is, all the routes of a VPN instance IPv4 address family share the same label.
Step 7 (Optional) Run:
routing-table limit number { alert-percent | simply-alert }
The maximum number of routes of the VPN instance IPv4 address family is configured.
You can define the maximum number of routes for a VPN instance IPv4 address family to avoid
importing excessive routes.
NOTE
If the routing-table limit command is run, the system gives a prompt when the number of routes injected
into the routing table of the VPN instance IPv4 address family exceeds the upper limit. If the routing-table
limit command is run to increase the maximum number of routes supported in a VPN instance IPv4 address
family or the undo routing-table limit command is run to remove the limit on the routing table, for excess
routes, the following operations are required:
l For the excessive static routes, reconfigure them manually.
l For the excessive routes learned from CEs through the IGP multi-instance routing protocol, re-initiate
the multi-instance process of the routing protocol on the PE.
l For the remote cross routes learned through the MP-IBGP and the BGP routes learned from CEs, the
system automatically refreshes them.
The maximum number of prefixes of the VPN instance IPv4 address family is configured.
Issue 02 (2012-03-30)
66
You can define the maximum number of prefixes for a VPN instance IPv4 address family to
avoid importing excessive prefixes.
Step 9 (Optional) Run:
limit-log-interval interval
The frequency of displaying logs when the number of routes exceeds the threshold is configured.
----End
Procedure
l
Configuring Hub-PE
1.
Run:
system-view
Run:
ip vpn-instance vpn-instance-name1
Run:
ipv4-family
Run:
vpn-target vpn-target1 &<1-8> import-extcommunity
The VPN target extended community for the VPN instance IPv4 address family is
created to import the IPv4 routes advertised by all the Spoke-PEs.
vpn-target1 lists the Export VPN targets advertised by all the Spoke-PEs.
5.
(Optional) Run:
import route-policy policy-name
The import routing policy of the VPN instance IPv4 address family is configured.
6.
(Optional) Run:
export route-policy policy-name
The export routing policy of the VPN instance IPv4 address family is configured.
7.
Run:
quit
Run:
ip vpn-instance vpn-instance-name2
Run:
ipv4-family
Issue 02 (2012-03-30)
67
The VPN target extended community for the VPN instance IPv4 address family is
created to advertise the routes of all the Hubs and Spokes.
vpn-target2 lists the Import VPN targets advertised by all the Spoke-PEs.
11. (Optional) Run:
import route-policy policy-name
The import routing policy of the VPN instance IPv4 address family is configured.
12. (Optional) Run:
export route-policy policy-name
The export routing policy of the VPN instance IPv4 address family is configured.
l
Configuring Spoke-PE
1.
Run:
system-view
Run:
ip vpn-instance vpn-instance-name1
Run:
ipv4-family
Run:
vpn-target vpn-target2 &<1-8> import-extcommunity
The VPN target extended community for the VPN instance IPv4 address family is
created to import the IPv4 routes advertised by all the Hub-PEs.
vpn-target2 should be included in the export VPN target list of the Hub-PE.
5.
Run:
vpn-target vpn-target1 &<1-8> export-extcommunity
The VPN target extended community for the VPN instance IPv4 address family is
created to advertise the IPv4 routes of the stations that the Spoke-PE accesses.
vpn-target1 should be included in the import VPN target list of the Hub-PE.
6.
(Optional) Run:
import route-policy policy-name
The import routing policy of the VPN instance IPv4 address family is configured.
7.
(Optional) Run:
export route-policy policy-name
The export routing policy of the VPN instance IPv4 address family is configured.
----End
Issue 02 (2012-03-30)
68
Context
The configuration on the Hub-PE involves two interfaces or sub-interfaces: one is bound with
the VPN-in and receives the routes advertised by the Spoke-PE; the other is bound with the
VPN-out and advertises the routes of the Hub and all the Spokes.
Perform the following steps on the Hub-PE and all the Spoke-PEs.
Procedure
Step 1 Run:
system-view
The view of the interface that is to be bound with the VPN instance is displayed.
Step 3 Run:
ip binding vpn-instance vpn-instance-name
Running the ip binding vpn-instance command on an interface can delete the Layer 3 attributes, such as
the IP address and routing protocol. If these Layer 3 attributes are still required, configure them again.
An interface cannot be bound to a VPN instance that is not enabled with an address family.
Disabling an address family of a VPN instance deletes the Layer 3 attributes, such as the IP address and
routing protocol of the interface bound to the VPN instance. Disabling all the address families of a VPN
instance unbinds all the bound interfaces from the VPN instance.
Step 4 Run:
ip address ip-address { mask | mask-length }
Context
The Hub-PE must set up the MP-IBGP peer with all the Spoke-PEs. Spoke-PEs do not need to
set up the MP-IBGP peer between each other.
Issue 02 (2012-03-30)
69
Procedure
Step 1 Run:
system-view
The 32-bit mask IP addresses of the loopback interfaces must be used to establish the MP-IBGP peer
relationship between PEs. This can ensure that the tunnel can be iterated. The route destined to the loopback
interface is advertised to the remote PE based on IGP on the MPLS backbone network.
Step 5 Run:
ipv4-family vpnv4 [ unicast ]
Context
The Hub-PE and the Hub-CE can exchange routes in the following ways.
Procedure
l
Issue 02 (2012-03-30)
70
1.
Run:
system-view
Run:
bgp as-number
Run:
ipv4-family vpn-instance vpn-instance-name
Run:
peer ip-address allow-as-loop [ number ]
Allow the routing loop. Here the value of number is set as 1, which means the route
with the AS repeated once can be sent.
l
Run:
system-view
Run:
ip route-static vpn-instance vpn-source-name 0.0.0.0 0.0.0.0 nexthopaddress [ preference preference | tag tag ]* [ description text ]
Run:
bgp as-number
Run:
ipv4-family vpn-instance vpn-instance-name
The BGP VPN instance IPv4 address family view is displayed. vpn-instance-name
refers to the VPN-out.
5.
Run:
network 0.0.0.0 0
71
Follow-up Procedure
Choose one of the preceding methods as required. For detailed configurations, see Configuring
a Routing Protocol Between PE and CE.
Prerequisites
The configurations of the Hub and Spoke function are complete.
Procedure
l
Run the display ip routing-table command to check routing information on the Hub-CE
and all the Spoke-CEs.
----End
Example
Run the preceding commands. If the VPN-in routing table has routes to all the Spoke stations,
and the VPN-out routing table has routes to the Hub and all the Spoke stations, it means the
configuration is successful.
Additionally, the Hub-CE and all the Spoke-CEs have routes to the Hub and all the Spoke
stations.
<Huawei> display ip routing-table
Total Number of Routes: 6
BGP Local router ID is 100.1.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Network
NextHop
MED
LocPrf
PrefVal Path/Ogn
*> 100.1.1.0/24
0.0.0.0
0
0
?
*
100.1.1.2
0
0
100?
*> 100.1.1.1/32
0.0.0.0
0
0
?
*> 110.1.1.0/24
100.1.1.2
0
100 65430?
*> 110.2.1.0/24
100.1.1.2
0
100?
*> 120.1.1.0/24
100.1.1.2
0
100 65430 100?
<Huawei> display ip routing-table vpn-instance
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: vpn1
Destinations : 3
Routes : 3
Destination/Mask
1.1.1.0/24
1.1.1.1/32
5.5.5.0/24
Issue 02 (2012-03-30)
Proto
Pre
Direct 0
Direct 0
Static 60
Cost
0
0
0
Flags NextHop
D
D
RD
1.1.1.1
127.0.0.1
1.1.1.2
Interface
Ethernet2/0/0
Ethernet2/0/0
Ethernet2/0/0
72
Applicable Environment
If the MPLS backbone network bearing the VPN routes is across multiple ASs, configure the
Inter-AS VPNs.
The Inter-AS VPN Option A is convenient to implement and is suitable when the amount of the
VPNs and the VPN routes on the PE is small.
In VPN-Option A, the Autonomous System Boundary Routers (ASBRs) must support the VPN
instances and can manage VPN routes. In addition, the ASBRs must reserve special interfaces
including sub-interfaces and physical interfaces for each inter-AS VPN. Option A, therefore,
requires high performance of the ASBRs. No inter-AS configuration is needed on the ASBRs.
Pre-configuration Tasks
Before configuring inter-AS VPN Option A, complete the following tasks:
l
Configuring IGP for MPLS backbone networks in each AS to keep IP connectivity of the
backbones in one AS
Setting up the tunnel (LSP or GRE) between the PE and the ASBR in the same AS
Configuring the IP address of the CE interface through which the CE accesses the PE
Data Preparation
To configure inter-AS VPN Option A, you need the following data:
No.
Data
Issue 02 (2012-03-30)
73
No.
Data
AS number of the PE
Routing protocol configured between the PE and CE: static routes, RIP, OSPF, ISIS and BGP
IP addresses and interfaces setting up the IBGP peer between the PE and ASBR
Context
Inter-AS VPN Option A is easy to deploy. When the amount of the VPNs and the VPN routes
on the PE is small, this solution can be adopted.
Procedure
Step 1 Configuring Basic BGP/MPLS IP VPN on each AS
Step 2 Configuring ASBR by considering the peer ASBR as its CE
Step 3 Configuring VPN instances for the PE and the ASBR separately
The VPN instance for PE is used to access CE; that for ASBR is used to access its peer ASBR.
NOTE
In inter-AS VPN Option A mode, for the same VPN, the VPN targets of ASBR and the PE VPN instance
must be matched in an AS. This is not required for the PEs in different ASs.
----End
Prerequisites
The configurations of the inter-AS VPN Option A function are complete.
Procedure
l
Issue 02 (2012-03-30)
Run the display bgp vpnv4 all peer command to check information about the BGP peers
on the PE or ASBR.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
74
Run the display bgp vpnv4 all routing-table command to check the IPv4 VPN routes on
the PE or ASBR.
----End
Example
After the successful configuration, run the display bgp vpnv4 all peer command on the PE or
ASBR, and you can view that the BGP VPNv4 peer relationship between the ASBR and PE in
the same AS is "Established".
<Huawei> display bgp vpnv4 all peer
BGP local router ID : 10.1.1.1
Local AS number : 100
Total number of peers : 1
Peer
PrefRcv
2.2.2.2
AS
MsgRcvd
MsgSent
100
OutQ
Up/Down
State
0 00:00:00 Established
Run the display bgp vpnv4all routing-table command on the PE or the ASBR, and you can
view the VPNv4 routes on ASBR.
<Huawei> display bgp vpnv4 all all routing-table
Local AS number : 100
BGP Local router ID is 2.2.2.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 5
Route Distinguisher: 100:1
*>i
Network
NextHop
MED
10.1.1.0/24
1.1.1.9
LocPrf
100
PrefVal Path/Ogn
0
*>
*>
*
*>
Network
NextHop
10.2.1.0/24
192.1.1.0
192.1.1.2
0.0.0.0
192.1.1.2
0.0.0.0
192.1.1.1/32
MED
LocPrf
PrefVal Path/Ogn
0
0
0
0
0
0
0
200?
?
200?
?
10.1.1.0/24
10.2.1.0/24
192.1.1.0
*>
192.1.1.1/32
1.1.1.9
192.1.1.2
0.0.0.0
192.1.1.2
0.0.0.0
MED
LocPrf
0
0
0
0
100
PrefVal Path/Ogn
0
0
0
0
0
?
200?
?
200?
?
Run the display ip routing-table vpn-instance command on the PE or ASBR, and you can view
all the relevant routes in the VPN routing table.
Issue 02 (2012-03-30)
75
Proto
Pre
Direct 0
Direct 0
Static 60
Cost
0
0
0
Flags NextHop
D
D
RD
1.1.1.1
127.0.0.1
1.1.1.2
Interface
Ethernet2/0/0
Ethernet2/0/0
Ethernet2/0/0
Applicable Environment
If the MPLS backbone network bearing VPN routes crosses multiple ASs, the inter-AS VPN is
needed.
If the ASBR can manage VPN routes, but there are not enough interfaces for each inter-AS VPN,
the inter-AS VPN Option B is adopted. In this option, the ASBR is involved in maintaining and
advertising VPN IPv4 routes.
Pre-configuration Tasks
Before configuring inter-AS VPN Option B, complete the following tasks:
l
Configuring IGP for MPLS backbone networks in each AS to realize IP connectivity of the
backbones in one AS
Configuring basic MPLS capability and MPLS LDP for the MPLS backbone network
Configuring VPN Instances on the PE devices connected with the CE devices and Binding
an Interface with a VPN Instance
Configuring the IP addresses of the CE interfaces through which the CE accesses the PE
Data Preparation
To configure inter-AS VPN Option B, you need the following data.
Issue 02 (2012-03-30)
76
No.
Data
AS number of the PE
Routing policy configured between the PE and CE: static routes, RIP, OSPF, IS-IS
and BGP
IP addresses and interfaces setting up the IBGP peer between the PE and ASBR
Context
Perform the following steps on the PE and ASBR in the same AS.
Procedure
Step 1 Run:
system-view
The loopback interface is specified as the outgoing interface of the BGP session.
Issue 02 (2012-03-30)
77
NOTE
The 32-bit mask IP addresses of the loopback interfaces must be used to establish the MP-IBGP peer
relationship between PEs. This can ensure that the tunnel can be iterated. The route destined to the loopback
interface is advertised to the remote PE based on IGP on the MPLS backbone network.
Step 5 Run:
ipv4-family vpnv4 [ unicast ]
The exchange of IPv4 VPN routes between the PE and ASBR in the same AS is enabled.
NOTE
In the AR3200, an ASBR can only change the next-hop address of a VPNv4 route to the ASBR's address
before advertising the route to a PE.
----End
Context
Perform the following steps on the ASBR.
Procedure
Step 1 Run:
system-view
The view of the interface connected with the ASBR interface is displayed.
Step 3 Run:
ip address ip-address { mask | mask-length }
Issue 02 (2012-03-30)
78
The exchange of IPv4 VPN routes with the peer ASBR is enabled.
----End
Context
The following describes two methods for controlling the receiving and sending of VPN routes:
l
Procedure
l
Run:
system-view
Run:
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
79
bgp as-number
Run:
ipv4-family vpnv4 [ unicast ]
Run:
undo policy vpn-target
The VPN IPv4 routes are not filtered by the VPN target.
By default, the PE performs VPN target filtering on the received IPv4 VPN routes.
The routes passing the filter are added to the routing table, and the others are discarded.
If the PE is not configured with VPN instance, or the VPN instance is not configured
with the VPN target, the PE discards all the received VPN IPv4 routes.
In the Inter-AS VPN Option B mode, if the ASBR does not store information about
the VPN instance, the ASBR must save all the VPNv4 routing information and
advertise it to the peer ASBR. In this case, the ASBR should receive all the VPNv4
routing information without the VPN target filtering.
l
Run:
system-view
Run:
ip extcommunity-filter { basic-extcomm-filter-num | basic basic-extcommfilter-name | advanced-extcomm-filter-num | advanced advanced-extcommfilter-name } { permit | deny } { rt { as-number:nn | ipv4-address:nn } }
&<1-16>
Run:
route-policy route-policy-name permit node node
Run:
if-match extcommunity-filter { { basic-extcomm-filter-num | advancedextcomm-filter-num } &<1-16> | advanced-extcomm-filter-name | basicextcomm-filter-name }
Run:
quit
Run:
bgp as-number
Run:
ipv4-family vpnv4 [ unicast ]
Issue 02 (2012-03-30)
80
Run:
peer ipv4-address route-policy route-policy-name { export | import }
The routing policy is applied to controlling the VPN IPv4 routing information.
----End
Context
If the VPN receives and sends the VPNv4 routing information through the ASBR, configure the
corresponding instance on the ASBR. Otherwise, the instance is not needed.
Perform the following steps on the ASBR.
Procedure
Step 1 Run:
system-view
The IPv4 address family is enabled for the VPN instance and the VPN instance IPv4 address
family view is displayed.
Step 4 Run:
route-distinguisher route-distinguisher
The VPN target extended community for the VPN instance IPv4 address family is created.
For the same VPN in the inter-AS VPN Option B mode, the VPN targets of the ASBR and PE
in an AS should match each other.
The VPN targets of the PE in different ASs must also match each other.
Step 6 (Optional) Run:
apply-label per-instance
Issue 02 (2012-03-30)
81
The MPLS label is allocated based on the VPN instance IPv4 address family, which ensures that
all the routes in a VPN instance use the same MPLS label.
Step 7 (Optional) Run:
routing-table limit number { alert-percent | simply-alert }
The maximum number of routes of the VPN instance IPv4 address family is configured.
Step 8 (Optional) Run:
prefix limit number { alert-percent [ route-unchanged ] | simply-alert }
The maximum number of prefixes of the VPN instance IPv4 address family is configured.
Step 9 (Optional) Run:
limit-log-interval interval
The frequency of displaying logs when the number of routes exceeds the threshold is configured.
Step 10 (Optional) Run:
import route-policy policy-name
The import routing policy of the VPN instance IPv4 address family is configured.
Step 11 (Optional) Run:
export route-policy policy-name
The export routing policy of the VPN instance IPv4 address family is configured.
----End
Context
In a VPN Option B scenario, after next-hop-based label allocation is enabled on the ASBR, the
ASBR allocates only one label for the IPv4 VPN routes with the same next hop and outgoing
label. Compared with allocating a label for each IPv4 VPN route, next-hop-based label allocation
saves label resources.
Perform the following steps on the ASBR.
Procedure
Step 1 Run:
system-view
82
Step 3 Run:
ipv4-family vpnv4
The next-hop-based label allocation for IPv4 VPN routes is enabled on the ASBR.
CAUTION
After next-hop-based label allocation is enabled or disabled, the label allocated by the ASBR
for a route changes, which leads to packet loss.
----End
Procedure
Step 1 Choose one of the preceding methods as required. For detailed configurations, see 2.4.6
Configuring a Routing Protocol Between a PE and a CE.
----End
Prerequisites
The configurations of the inter-AS VPN Option B function are complete.
Procedure
l
Run the display bgp vpnv4 all peer command to check the VPN IPv4 routing table on the
PE or ASBR.
Run the display bgp vpnv4 all routing-table command to check information about all the
BGP peers on the PE or ASBR.
Run the display mpls lsp command to check information about the LSP and label on the
ASBR.
----End
Issue 02 (2012-03-30)
83
Example
Run the display bgp vpnv4 all routing-table command on the ASBR. If the VPN IPv4 routes
are displayed, the configuration is successful.
<Huawei> display bgp vpnv4 all all routing-table
Local AS number : 100
BGP Local router ID is 2.2.2.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 5
Route Distinguisher: 100:1
*>i
Network
NextHop
MED
10.1.1.0/24
1.1.1.9
LocPrf
100
PrefVal Path/Ogn
0
*>
*>
*
*>
Network
NextHop
10.2.1.0/24
192.1.1.0
192.1.1.2
0.0.0.0
192.1.1.2
0.0.0.0
192.1.1.1/32
MED
LocPrf
PrefVal Path/Ogn
0
0
0
0
0
0
0
200?
?
200?
?
10.1.1.0/24
10.2.1.0/24
192.1.1.0
*>
192.1.1.1/32
MED
1.1.1.9
192.1.1.2
0.0.0.0
192.1.1.2
0.0.0.0
LocPrf
100
0
0
0
PrefVal Path/Ogn
0
0
0
0
0
?
200?
?
200?
?
Run the display bgp vpnv4 all peer command on the PE or ASBR. If the status of the IBGP
peer between the PE and ASBR in the same AS is "Established", and the status of the EBGP
peer between ASBRs in the different AS is "Established", the configuration is successful.
<Huawei> display bgp vpnv4 all peer
BGP local router ID : 10.1.1.1
Local AS number : 100
Total number of peers : 1
Peer
PrefRcv
2.2.2.2
AS
MsgRcvd
MsgSent
100
OutQ
Up/Down
State
0 00:00:00 Established
Run the display ip routing-table vpn-instance command on the PE. If the VPN routes are
displayed, the configuration is successful.
<Huawei> display ip routing-table vpn-instance
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: vpn1
Destinations : 3
Routes : 3
Destination/Mask
1.1.1.0/24
Issue 02 (2012-03-30)
Proto
Pre
Direct 0
Cost
0
Flags NextHop
D
1.1.1.1
Interface
Ethernet2/0/0
84
0
0
D
RD
127.0.0.1
1.1.1.2
Ethernet2/0/0
Ethernet2/0/0
Run the display mpls lsp command on the ASBR. If information about the LSP and label is
displayed, it means that the configuration succeeds. If the ASBR is enabled with the next-hopbased label allocation, only one label is allocated for the VPN routes with the same next hop
and outgoing label.
<Huawei> display mpls lsp
------------------------------------------------------------------------------LSP Information: LDP LSP
------------------------------------------------------------------------------FEC
In/Out Label In/Out IF
Vrf Name
2.2.2.9/32
NULL/3
-/Pos1/0/0
2.2.2.9/32
1024/3
-/Pos1/0/0
3.3.3.9/32
NULL/3
-/Pos1/0/1
3.3.3.9/32
1025/3
-/Pos1/0/1
Applicable Environment
If the MPLS backbone network bearing VPN routes crosses multiple ASs, the inter-AS VPN is
needed.
If each AS needs to exchange a large number of VPN routes, inter-AS VPN-Option C is a good
choice to prevent the ASBR from becoming a bottleneck that impedes network expansion. Two
solutions can be adopted to realize inter-AS VPN-Option C:
l
Solution 1: After learning the labeled BGP routes of the public network in the remote AS
from the remote ASBR, the local ASBR allocates labels for these routes and advertises
these routes to the IBGP peer that supports the label switching capability. A complete LSP
is set up as a result.
Solution 2: The IBGP peer relationship between the PE and ASBR is not needed. In this
solution, an ASBR learns the labeled public BGP routes of the remote AS from the peer
ASBR. Then these labeled public BGP routes are imported to IGP to trigger the
establishment of an LDP LSP. This process can establish a complete LDP LSP between
the two PEs.
Solution 1 is described here, and solution 2 is described in 2.9 Configuring Inter-AS VPN
Option C (Solution 2).
Pre-configuration Tasks
Before configuring inter-AS VPN Option C, complete the following tasks:
Issue 02 (2012-03-30)
85
Configuring IGP for MPLS backbone networks in each AS to realize IP connectivity of the
backbones in one AS
Configuring basic MPLS capability and MPLS LDP for the MPLS backbone network
Configuring the IBGP peer relationship between the PE and ASBR in the same AS
Configuring a VPN Instance on the PE devices connected with the CE devices and Binding
an Interface with a VPN Instance
Configuring the IP addresses of the CE interfaces through which the CE accesses the PE
Data Preparation
To configure inter-AS VPN Option C, you need the following data:
No.
Data
AS number of the PE
Routing protocol configured between the PE and CE: static routes, RIP, OSPF, ISIS, or BGP
IP addresses and interfaces setting up the IBGP peer between the PE and ASBR
NOTE
Issue 02 (2012-03-30)
86
Procedure
l
Configuring the PE
1.
Run:
system-view
Run:
bgp as-number
Run:
peer ipv4-address label-route-capability
The exchange of the labeled IPv4 routes with the ASBR in the same AS is enabled.
l
Run:
system-view
Run:
interface interface-type interface-number
The view of the interface connected with the peer ASBR is displayed.
3.
Run:
ip address ip-address { mask | mask-length }
Run:
mpls
Run:
quit
Run:
bgp as-number
Run:
peer ipv4-address label-route-capability
The exchange of the labeled IPv4 routes with the PE of the same AS is enabled.
In the Option C solution, establish an inter-AS VPN LSP. The related PEs and ASBRs
exchange public network routes with the MPLS labels.
The ASBR establishes a common EBGP peer relationship with the remote ASBR to
switch labeled IPv4 routes.
The public network routes with the MPLS labels are advertised by the MP-BGP. Based
on RFC 3107 (Carrying Label Information in BGP-4), the label mapping information
of a route is carried by advertising BGP updates. This feature is implemented through
BGP extension attributes, which requires BGP peers to process the labeled IPv4 routes.
Issue 02 (2012-03-30)
87
Run:
peer ipv4-address as-number as-number
(Optional) Run:
peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]
The exchange of the labeled IPv4 routes with the peer ASBR is enabled.
If tunnel reachability checking is enabled, BGP advertises IPv4 unicast routes to
peers when routed tunnels are unreachable or advertises labeled routes to peers
when routed tunnels are reachable. This eliminates the risk of establishing an MPEBGP peer relationship between PEs over a faulty LSP because this will cause
data forwarding failures.
If tunnel reachability checking is disabled, BGP advertises labeled routes to peers
whether the tunnels for imported routes are reachable or not.
----End
Procedure
l
Run:
system-view
Run:
route-policy policy-name1 permit node node
Run:
if-match mpls-label
Issue 02 (2012-03-30)
88
Run:
apply mpls-label
Run:
quit
Run:
route-policy policy-name2 permit node node
Run:
apply mpls-label
Run:
system-view
Run:
bgp as-number
Run:
peer ipv4-address route-policy policy-name1 export
The routing policy adopted when the route is advertised to the local PE is created.
4.
Run:
peer ipv4-address route-policy policy-name2 export
The routing policy adopted when the route is advertised to the peer ASBR is created.
----End
Procedure
l
Configuring ASBRs
The address of the loopback interface that is used to set up the BGP session is advertised
to the peer ASBR and to the PEs of the other ASs.
1.
Issue 02 (2012-03-30)
Run:
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
89
system-view
Run:
bgp as-number
Run:
network ip-address [ mask | mask-length ] [ route-policy route-policyname ]
The loopback address of the PE in the local AS is advertised to the remote ASBR.
l
Configuring PE
Perform the following steps on the PE that is connected to a CE:
1.
Run:
system-view
Run:
bgp as-number
Run:
peer ipv4-address as-number as-number
Run:
peer ipv4-address ebgp-max-hop [ hop-count ]
Run:
ipv4-family vpnv4 [ unicast ]
Run:
peer ipv4-address enable
Run:
system-view
Run:
bgp as-number
90
3.
Run:
ipv4-family vpnv4 [ unicast ]
Run:
peer ipv4-address enable
Run:
peer ipv4-address next-hop-invariable
The next hop is not changed when the route is advertised to the EBGP peer.
----End
Context
For detailed configurations, see Configuring a Routing Protocol Between PE and CE.
Prerequisites
The configurations of the inter-AS VPN Option C function are complete.
Procedure
l
Run the display bgp vpnv4 all peer command to check the BGP peers on the PE.
Run the display bgp vpnv4 all routing-table command to check the VPN IPv4 routing
table on the PE or ASBR.
Run the display bgp routing-table label command to check information about the label
of the IPv4 route on the ASBR.
----End
Example
Run the display bgp vpnv4 all peer command on the PE. If the status of the EBGP peer between
PEs is "Established", the configuration is successful.
Run the display bgp vpnv4 all routing-table command. You can view that the PE has the VPN
IPv4 routes while the ASBR has no VPN IPv4 route.
Run the display bgp routing-table label command on the ASBR. If information about the label
of the IPv4 route is displayed, the configuration is successful.
Issue 02 (2012-03-30)
91
Run the display ip routing-table vpn-instance command on the PE. If the VPN routes to related
CEs are displayed, the configuration is successful.
Applicable Environment
If the MPLS backbone network bearing VPN routes spans multiple ASs, the inter-AS VPN is
required.
If each AS needs to exchange a large number of VPN routes, inter-AS VPN-Option C is a good
choice to prevent the ASBR from becoming a bottleneck that impedes network expansion. Two
solutions can be adopted to realize inter-AS VPN-Option C:
l
Solution 1: After learning the labeled BGP routes of the public network in the remote AS
from the remote ASBR, the local ASBR allocates labels for these routes, and advertises
these routes to the IBGP peer that supports the label switching capability. In this manner,
a complete LSP is set up.
Solution 2: The IBGP peer relationship between the PE and the ASBR is not needed. In
this solution, an ASBR learns the labeled public BGP routes of the remote AS from the
peer ASBR. Then these labeled public BGP routes are imported to IGP to trigger the
establishment of an LDP LSP. In this manner, a complete LDP LSP can be established
between the two PEs.
If an ASBR is ready to access a large number of PEs, Solution 2 is recommended because of the
easy configuration.
Pre-configuration Tasks
Before configuring inter-AS VPN-Option C, complete the following tasks:
l
Configuring IGP for the MPLS backbone network of each AS to ensure IP connectivity of
the backbone network within an AS
Configuring the basic MPLS functions and MPLS LDP for the MPLS backbone network
of each AS
Configuring VPN instances on PEs that access CEs, and associating VPN instances with
PE interfaces that connect CEs
Configuring a name for the prefix list used to filter labeled BGP routes of the public network
Issue 02 (2012-03-30)
92
Data Preparation
To configure inter-AS VPN-Option C, you need the following data.
No.
Data
AS number of each AS
(Optional) The name of the IP prefix list used to filter the labeled BGP routes of
the public network
NOTE
Procedure
l
Run:
system-view
Run:
interface interface-type interface-number
The view of the interface that connects the remote ASBR is displayed.
Issue 02 (2012-03-30)
93
3.
Run:
ip address ip-address { mask | mask-length }
Run:
quit
Run:
bgp as-number
Run:
peer ipv4-address as-number as-number
(Optional) Run:
peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]
Procedure
l
The loopback address of the PE in the local AS is advertised to the remote ASBR.
Perform the following steps on an ASBR:
1.
Run:
system-view
Run:
bgp as-number
Run:
network ip-address [ mask | mask-length ]
The loopback address of the PE in the local AS is advertised to the remote ASBR.
4.
Run:
quit
94
Run:
system-view
Run:
ospf process-id
Run:
import-route bgp [ cost cost ] [ route-policy route-policy-name ]
Run:
quit
Procedure
l
Run:
system-view
Run:
route-policy route-policy-name permit node seq-number
The routing policy applied to advertise routes to the remote ASBR is configured.
3.
Run:
apply mpls-label
Run:
quit
Run:
system-view
Run:
bgp as-number
Issue 02 (2012-03-30)
95
Run:
peer ipv4-address route-policy route-policy-name export
The routing policy applied to advertise routes to the remote ASBR is configured.
4.
Run:
quit
Run:
system-view
Run:
interface interface-type interface-number
Run:
mpls
Run:
quit
Run:
bgp as-number
Run:
peer ipv4-address label-route-capability [ check-tunnel-reachable ]
The labeled IPv4 route exchange capability with the remote ASBR is configured.
If tunnel reachability checking is enabled, BGP advertises IPv4 unicast routes to
peers when routed tunnels are unreachable or advertises labeled routes to peers
when routed tunnels are reachable. This eliminates the risk of establishing an MPEBGP peer relationship between PEs over a faulty LSP because this will cause
data forwarding failures.
If tunnel reachability checking is disabled, BGP advertises labeled routes to peers
whether the tunnels for imported routes are reachable or not.
----End
2.9.5 Establishing an LDP LSP for the Labeled BGP Routes of the
Public Network
By enabling LDP on ASBRs to allocate labels for BGP, you can establish LDP LSPs for labeled
BGP routes of the public network that are filtered in the IP prefix list
Issue 02 (2012-03-30)
96
Procedure
l
An LDP LSP is established for the labeled BGP routes of the public network that is filtered
by the IP prefix list.
Perform the following steps on ASBRs:
1.
Run:
system-view
Run:
mpls
Run:
lsp-trigger bgp-label-route [ ip-prefix ip-prefix-name ]
An LDP LSP is established for the labeled BGP routes of the public network that is
filtered by the IP prefix list.
----End
Procedure
l
Run:
system-view
Run:
bgp as-number
Run:
peer ipv4-address as-number as-number
Run:
peer ipv4-address connect-interface interface-type interface-number ipv4source-address
Run:
peer ipv4-address ebgp-max-hop [ hop-count ]
The maximum number of hops permitted to establish the EBGP peer is specified.
6.
Run:
ipv4-family vpnv4
Issue 02 (2012-03-30)
97
Run:
peer ipv4-address enable
Procedure
l
Configuring a PE.
1.
Run:
system-view
Run:
bgp as-number
Run:
ipv4-family vpn-instance vpn-instance-name
Run:
peer ipv4-address as-number as-number
(Optional) Run:
peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]
(Optional) Run:
network ip-address mask
(Optional) Run:
peer ip-address allow-as-loop [ number ]
(Optional) Run:
peer ip-address substitute-as
Configuring a CE.
1.
Run:
system-view
Run:
bgp as-number
Issue 02 (2012-03-30)
98
Run:
peer ipv4-address as-number
(Optional) Run:
peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]
Run:
import-route { direct | static | rip [ process-id ] | ospf process-id |
isis process-id } [ med med | route-policy route-policy-name ]*
Prerequisites
The configurations of the Inter-AS VPN Option C (Solution 2) function are complete.
Procedure
l
Run the display bgp vpnv4 all peer command to check information about the specified
VPNv4 peer on a PE.
Run the display bgp vpnv4 all routing-table command to check information about the
VPN-IPv4 routing table on a PE or an ASBR.
Run the display bgp routing-table label command to check information about the labels
of IPv4 routes on an ASBR.
Run the display ip routing-table command to check information about the routing table
on an ASBR.
----End
Example
Run the display bgp vpnv4 all peer command. The command output shows that the EBGP peer
relationship between PEs is established.
Issue 02 (2012-03-30)
99
Run the display bgp vpnv4 all routing-table command on a PE and an ASBR. The command
output shows that BGP VPNv4 routes and BGP VPN instance routes are on the PE, but not on
the ASBR.
Run the display bgp routing-table label command on an ASBR. The command output shows
information about labels of IPv4 routes.
Run the display ip routing-table vpn-instance vpn-instance-name command on a PE. The
command output shows that the VPN routing table of the PE has the VPN routes to the CE related
to the specified VPN instance.
Run the display mpls route-state verbose command on an ASBR. The command output shows
the routes with the type as L, that is, the labeled BGP routes of the public network.
Run the display ip routing-table command on an ASBR. The command output shows that the
routes to the remote PE are labeled BGP routes of the public network: The routing table is
"Public", the protocol type is "BGP", and the label has a non-zero value.
[ASBR] display ip routing-table 4.4.4.9 verbose
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Table : Public
Summary Count : 1
Destination
: 4.4.4.9/32
Protocol
: EBGP
Preference
: 255
NextHop
: 192.1.1.2
State
: Active Adv
Tag
: 0
Label
: 15360
IndirectID: 0x0
RelayNextHop
: 0.0.0.0
TunnelID
: 0x6002006
Process ID
: 0
Cost
: 1
Neighbour: 192.1.1.2
Age
: 00h12m53s
Priority
: low
QoSInfo
: 0x0
Interface
Flags
: GE2/0/0
: D
Run the display mpls lsp command on an ASBR. The command output shows that an LDP LSP
is established between the ASBR and the remote PE. Additionally, the LDP ingress LSP to the
remote PE can be found on the local PE.
[ASBR] display mpls lsp protocol ldp include 4.4.4.9 32 verbose
---------------------------------------------------------------------LSP Information: LDP LSP
---------------------------------------------------------------------No
: 1
VrfIndex
:
Fec
: 4.4.4.9/32
Nexthop
: 192.1.1.2
In-Label
: 1024
Out-Label
: NULL
In-Interface
: ---------Out-Interface
: ---------LspIndex
: 13313
Token
: 0x0
FrrToken
: 0x0
LsrType
: Egress
Outgoing token
: 0x6002006
Label Operation
: POPGO
Mpls-Mtu
: -----TimeStamp
: 15829sec
Bfd-State
: --BGPKey
: ---
Issue 02 (2012-03-30)
100
Applicable Environment
For hierarchical VPN networks, adopt the HoVPN to reduce the requirements for PE devices.
Pre-configuration Tasks
Before configuring HoVPN, complete the task of Configuring Basic BGP/MPLS IP VPN=.
Data Preparation
To configure HoVPN, you need the following data.
No.
Data
Procedure
Step 1 Run:
system-view
101
Step 4 Run:
ipv4-family vpnv4 [ unicast ]
The capability of exchanging BGP VPNv4 routing information with the peer is enabled.
Step 6 Run:
peer { ipv4-address | group-name } upe
Context
Perform the following steps on the SPE.
Procedure
Step 1 Run:
system-view
The default routes of a specified VPN instance are advertised to the UPE.
After running the command, the SPE advertises a default route to the UPE with its local address
as the next hop, regardless of whether there is a default route in the local routing table.
----End
102
Prerequisites
The configurations of the HoVPN function are complete
Procedure
l
Run the display ip routing-table command to check the routing table on the CE.
----End
Example
Run the display ip routing-table on the CE connected with the UPE. The command output
shows that there is a default route whose next hop is the UPE and there is no route to the network
segment where the peer CE resides.
<CE> display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: Public
Destinations : 5
Routes : 5
Destination/Mask Proto Pre Cost
Flags NextHop
Interface
0.0.0.0/0 BGP
255 0
D 10.1.1.2
GigabitEthernet1/0/0
10.1.1.0/24 Direct 0
0
D 10.1.1.1
GigabitEthernet1/0/0
10.1.1.1/32 Direct 0
0
D 127.0.0.1
InLoopBack0GigabitEthernet1/0/0
127.0.0.0/8
Direct 0
0
D 127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
0
D 127.0.0.1
InLoopBack0
Applicable Environment
The multi-VPN-instance CE is used in the LAN. You can implement service isolation through
the multiple OSPF instances on the CE devices.
One OSPF process can belong to only one VPN instance but one VPN instance can run several
OSPF processes.
The Multi-VPN-Instance CE can be considered a networking solution that isolates services by
isolating routes. Before configuring a multi-VPN-instance CE, disable routing loop detection.
Pre-configuration Tasks
Before configuring a multi-VPN-instance CE, complete the following tasks:
l
Issue 02 (2012-03-30)
Configuring a VPN Instance on the multi-instance CE, and the PE that is accessed by it
(each service with a VPN instance)
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
103
Configuring the link layer protocol and network layer protocol for LAN interfaces and
connecting the LAN to the multi-instance CE (each service using an interface to access the
multi-instance CE)
Binding related VPN instances to the interfaces of the multi-instance CE and PE interfaces
through which the PE accesses the multi-instance and configuring IP addresses for those
interfaces
Data Preparation
To configure a multi-VPN-instance CE, you need the following data.
No.
Data
Names of the VPN instances corresponding with the OSPF processes used by each
service
Context
Perform the following steps on the PE that is accessed by the multi-instance CE.
Procedure
Step 1 Run:
system-view
104
Step 5 Run:
quit
Context
Perform the following steps on the multi-instance CE.
Procedure
Step 1 Run:
system-view
Issue 02 (2012-03-30)
105
If the multi-instance CE does not learn the routes of a LAN through the OSPF multi-instance of the process,
the routes of the LAN need to be imported to the OSPF instances of the process.
----End
Context
Perform the following steps on the MCE.
Procedure
Step 1 Run:
system-view
Prerequisites
The configurations of the Multi-VPN-Instance CE function are complete.
Procedure
l
----End
Issue 02 (2012-03-30)
106
Example
Run the display ip routing-table vpn-instance command on the multi-instance CE to check
the VPN routing table. If there are routes to the LAN and the remote nodes for each service, the
configuration is successful.
[MCE] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: vpna
Destinations : 8
Routes : 8
Destination/Mask Proto Pre Cost
Flags NextHop
Interface
10.1.1.0/24 O_ASE 150 1
D 192.1.1.1
Pos1/0/0
10.1.1.1/32 O_ASE 150 1
D 192.1.1.1
Pos1/0/0
10.3.1.0/24 Direct 0
0
D 10.3.1.2
Pos3/0/0
10.3.1.1/32 Direct 0
0
D 10.3.1.1
Pos3/0/0
10.3.1.2/32 Direct 0
0
D 127.0.0.1
InLoopBack0Pos3/0/0
192.1.1.0/24 Direct 0
0
D 192.1.1.2
Pos1/0/0
192.1.1.1/32 Direct 0
0
D 192.1.1.1
Pos1/0/0
192.1.1.2/32 Direct 0
0
D 127.0.0.1
InLoopBack0Pos1/0/0
Applicable Environment
You can enable VPN users to access the Internet, by supplementing certain software
configurations in the established VPN network.
Pre-configuration Tasks
Before configuring VPN users to access the Internet, complete the following task:
l
Data Preparation
To configure interconnection between a VPN and the Internet, you need the following data.
Issue 02 (2012-03-30)
No.
Data
107
Context
Perform the following steps on the CE.
Procedure
Step 1 Run:
system-view
If the CE and the PE are connected through an Ethernet network, the next-hop must be specified.
----End
Context
Perform the following steps on the PE.
Procedure
Step 1 Run:
system-view
Issue 02 (2012-03-30)
108
The static route from the VPN to the Internet is configured and the next-hop address is a public
network address.
----End
Context
Perform the following steps on the PE.
Procedure
Step 1 Run:
system-view
The static route from the public network to the VPN is configured and the next-hop address is
a private network address.
NOTE
If the CE and PE are connected through an Ethernet network, the next-hop must be specified.
----End
Prerequisites
The configurations of the VPN and the Internet function are complete.
Procedure
l
Run the display ip routing-table command to check the routing table on the CE and the
destination router in the public network.
----End
Issue 02 (2012-03-30)
109
Example
Run the display ip routing-table vpn-instance command on the PE. The command output
shows that the route to the CE and the route to the destination router in the public network exist
in the VPN routing table.
<Huawei> display ip routing-table vpn-instance vpn1
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: vpn1
Destinations : 7
Routes : 7
Destination/Mask Proto Pre Cost
Flags NextHop
Interface
0.0.0.0/0
Static 60
0
RD 100.1.1.2
Pos2/0/0
10.1.1.0/24 Direct 0
0
D 10.1.1.2
Pos1/0/0
10.1.1.1/32 Direct 0
0
D 10.1.1.1
Pos1/0/0
10.1.1.2/32 Direct 0
0
D 127.0.0.1
Pos2/0/0
10.2.1.0/24 BGP
255 0
RD 3.3.3.3
Pos2/0/0
10.2.1.1/32 BGP
255 0
RD 3.3.3.3
Pos2/0/0
10.2.1.2/32 BGP
255 0
RD 3.3.3.3
Pos2/0/0
100.3.1.1/32 BGP
255 0
D 10.1.1.1
Pos1/0/0
Run the display ip routing-table command on the CE. The command output shows that the CE
has the route to the destination router in the public network and the destination router in the
public network has the route to the CE.
<Huawei> display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: Public
Destinations : 10
Routes : 10
Destination/Mask Proto Pre Cost
Flags NextHop
Interface
1.1.1.1/32 Direct 0
0
D 127.0.0.1
LoopBack1
2.2.2.2/32 OSPF
10
2
D 100.1.1.2
Pos2/0/0
3.3.3.3/32 OSPF
10
3
D 100.1.1.2
Pos2/0/0
100.1.1.0/24 Direct 0
0
D 100.1.1.1
Pos2/0/0
100.1.1.1/32 Direct 0
0
D 127.0.0.1
Pos1/0/0
100.1.1.2/32 Direct 0
0
D 100.1.1.2
Pos2/0/0
100.2.1.0/24 OSPF
10
2
D 100.1.1.2
Pos2/0/0
100.3.1.0/24 Static 60
0
D 10.1.1.1
Pos1/0/0
127.0.0.0/8
Direct 0
0
D 127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
0
D 127.0.0.1
InLoopBack0
Run the ping command to check the connectivity between the CE and the destination device on
the public network.
<Huawei> ping 100.3.1.1
PING 100.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 100.3.1.1: bytes=56 Sequence=1 ttl=254 time=62
Reply from 100.3.1.1: bytes=56 Sequence=2 ttl=254 time=62
Reply from 100.3.1.1: bytes=56 Sequence=3 ttl=254 time=62
Reply from 100.3.1.1: bytes=56 Sequence=4 ttl=254 time=62
Reply from 100.3.1.1: bytes=56 Sequence=5 ttl=254 time=62
--- 100.3.1.1 ping statistics --5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 62/62/62 ms
ms
ms
ms
ms
ms
Issue 02 (2012-03-30)
110
Applicable Environment
The BGP speaker does not advertise the routes learned from IBGP devices to its IBGP peers.
To make a PE advertise the routes of the VPN that the PE accesses to the BGP VPNv4 peers in
the same AS, the PE must establish IBGP connections with all the peers to directly exchange
VPN routing information. That is, MP IBGP peers must establish full connections between each
other. Suppose there are n PEs (including ASBRs) in an AS, n (n-1)/2 MP IBGP connections
need to be established. A large number of IBGP peers consume a great amount of network
resources.
The Route Reflector (RR) can solve this problem. In an AS, one router can be configured as the
RR to reflect VPNv4 routes and the other PEs and ASBRs serve as the clients, which are called
Client PEs. An RR can be a P, PE, ASBR, or a router of other types.
The introduction of the RR reduces the number of MP IBGP connections. This lightens the
burden on PEs and facilitates network maintenance and management.
Pre-configuration Tasks
Before configuring route reflection to optimize the VPN backbone layer, complete the following
tasks:
l
Configuring the routing protocol for the MPLS backbone network to implement IP
interworking between routers in the backbone network
Establishing tunnels (LSPs or GRE tunnels) between the RR and all Client PEs
Data Preparation
To configure the BGP VPNv4 route reflection, you need the following data.
No.
Data
Type and number of the interfaces used to set up the TCP connection
111
Context
Perform the following steps on all Client PEs.
Procedure
Step 1 Run:
system-view
ipv4-address enable
Context
Choose one of the following schemes to configure the RR.
Procedure
l
Run:
system-view
Issue 02 (2012-03-30)
112
Run:
bgp as-number
Run:
group group-name [ internal ]
Run:
peer group-name connect-interface interface-type interface-number
The interface is specified as an interface to establish the TCP connection. The interface
IP address must be the same as the MPLS LSR ID. It is recommended to specify a
loopback interface to establish the TCP connection.
5.
Run:
ipv4-family vpnv4
Run:
peer group-name enable
The capability of exchanging IPv4 VPN routes between the RR and the peer group is
enabled.
7.
Run:
peer ip-address group group-name
Run:
system-view
Run:
bgp as-number
Run:
peer ipv4-address as-number as-number
Run:
peer ipv4-address connect-interface interface-type interface-number
Run:
ipv4-family vpnv4
Run:
peer ipv4-address enable
Issue 02 (2012-03-30)
113
The capability of exchanging VPNv4 routes between the RR and the client PE is
enabled.
----End
Context
Perform the following steps on the RR.
Procedure
Step 1 Run:
system-view
114
Prerequisites
The configurations of the reflection to optimize the VPN backbone layer function are complete.
Procedure
l
Run the display bgp vpnv4 all peer [ [ ipv4-address ] verbose ] command to check
information about the BGP VPNv4 peer on the RR or the Client PEs.
Run the display bgp vpnv4 all routing-table peer ipv4-address { advertised-routes |
received-routes } command or display bgp vpnv4 all routing-table statistics command
to check information about the routes received from the peer or the routes advertised to the
peer on the RR or the Client PEs.
Run the display bgp vpnv4 all group [ group-name ] command to check information about
the VPNv4 peer group on the RR.
----End
Example
If the configurations succeed,
l
The status of the MP IBGP connections between the RR and all Client PEs is "Established"
after running the display bgp vpnv4 all peer command on the RR or Client PEs.
<Huawei> display bgp vpnv4 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 3
Peer
V
AS MsgRcvd MsgSent
2.2.2.9
4
100 2
4
3.3.3.9
4
100 3
5
Peer of IPv4-family for vpn instance :
VPN-Instance vpna, router ID 1.1.1.9:
10.1.1.1
4 65410
79
82
0 01:13:29
Established
The RR and each Client PE can receive and send VPNv4 routing information between each
other after running the display bgp vpnv4 all routing-table peer command on the RR or
the Client PEs.
<Huawei> display bgp vpnv4 all routing-table peer 2.2.2.9 received-routes
BGP Local router ID is 1.1.1.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 1
Route Distinguisher: 100:1
*>i
Network
NextHop
MED
LocPrf
1.1.1.1
2.2.2.9
100
PrefVal Path/Ogn
0
If the peer group is configured, information about the group members is displayed and the
status of the BGP connections between the RR and the group members is "Established"
after running the display bgp vpnv4 all group command on the RR.
<Huawei> display bgp vpnv4 all group vpna
Group in VPNV4:
BGP peer-group: vpna
Remote AS: 100
Issue 02 (2012-03-30)
115
100
MsgSent
13
15
OutQ
Up/Down
State
0 00:11:12 Established
Applicable Environment
If a PE and multiple CEs accessing the PE are located in the same AS, to reduce the IBGP
connections between the CEs, the PE can be configured as an RR to reflect the routes of the
VPN instance, and the CEs can be configured as clients, which are called Client CEs. This
procedure simplifies and facilitates network maintenance and management.
Pre-configuration Tasks
Before configuring route reflection to optimize the VPN access layer, complete the following
tasks:
l
Configure a routing protocol for the MPLS backbone network to implement IP interworking
between the routers in the backbone network.
Data Preparation
Before configuring route reflection to optimize the VPN access layer, you need the following
data.
Issue 02 (2012-03-30)
No.
Data
Type and number of the interfaces used to set up the TCP connection
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
116
No.
Data
Context
Perform the following steps on all Client CEs.
Procedure
Step 1 Run:
system-view
Context
Perform the following steps on the RR.
Issue 02 (2012-03-30)
117
Procedure
l
Run:
system-view
Run:
bgp as-number
Run:
ipv4-family vpn-instance vpn-instance-name
Run:
group group-name [ internal ]
Run:
peer group-name connect-interface interface-type interface-number
Run:
peer ip-address
groupgroup-name
Run:
system-view
Run:
bgp as-number
Run:
ipv4-family vpn-instance vpn-instance-name
Run:
peer ipv4-address as-number as-number
Run:
peer ipv4-address connect-interface interface-type interface-number
118
2.14.4 Configuring Route Reflection for the Routes of the BGP VPN
Instance
The premise of enabling BGP VPNv4 route reflection is that the RR has established the MPIBGP connections with all its clients (CEs).
Context
Perform the following steps on the RR.
Procedure
Step 1 Run:
system-view
Issue 02 (2012-03-30)
119
Prerequisites
The configurations of the route reflection to optimize the VPN access layer function are
complete.
Procedure
l
Run the display bgp peer [ ipv4-address ] verbose command to check information about
the BGP peer on the Client CE.
Run the display bgp vpnv4 all routing-table peer ipv4-address { advertised-routes |
received-routes } command or display bgp vpnv4 all routing-table statistics command
to check information about the routes received from the peer or the routes advertised to the
peer on the RR.
Run the display bgp routing-table peer ipv4-address { advertised-routes | receivedroutes }command or display bgp routing-table statistics command to check information
about the routes received from the peer or the routes advertised to the peer on the Client
CE.
Run the display bgp group [ group-name ] command to check information about the
VPNv4 peer group on the CE.
----End
Example
If the configurations succeed, you can achieve the following objects:
l
You can find that the status of the MP IBGP connections between the RR and all Client
CEs is "Established" after running the display bgp vpnv4 all peer command on the RR.
<Huawei> display bgp vpnv4 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 3
Peer
V
AS MsgRcvd MsgSent
2.2.2.9
4
100 2
4
3.3.3.9
4
100 3
5
Peer of IPv4-family for vpn instance :
VPN-Instance vpna, router ID 1.1.1.9:
10.1.1.1
4 65410
79
82
0 01:13:29
Established
You can find that the status of the IBGP connections between the RR and all Client CEs is
"Established" after running the display bgp peer command on the Client CE.
<Huawei> display bgp peer
BGP Local router ID : 1.2.3.4
local AS number : 10
Issue 02 (2012-03-30)
120
MsgRcvd
1.1.1.1
100
1.2.5.6
200
32
35
0 00:00:07
Idle
0
0 00:17:49 Established
You can view the routing information advertised by the RR to the Client CE or the routing
information advertised by the Client CE to the RR after running the display bgp vpnv4
all routing-table peer command on the RR.
<Huawei> display bgp vpnv4 all routing-table peer 2.2.2.9 received-routes
BGP Local router ID is 1.1.1.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 1
Route Distinguisher: 100:1
*>i
Network
NextHop
MED
LocPrf
1.1.1.1
2.2.2.9
100
PrefVal Path/Ogn
0
You can view the routing information advertised by the Client CE to the RR and the routing
information advertised by the RR to the Client CE after running the display bgp routingtable peer ipv4-address { advertised-routes | received-routes } command or display bgp
vpnv4 all routing-table statistics command on the Client CE.
<Huawei> display bgp routing-table peer 1.1.1.1 accepted-routes
BGP Local router ID is 10.1.1.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 2
Network
NextHop
MED
LocPrf
i 1.1.1.1/32
1.1.1.1
0
100
*>i 10.1.1.0/24
1.1.1.1
0
100
<Huawei> display bgp vpnv4 all routing-table statistics
PrefVal Path/Ogn
0
0
?
?
If the peer group is configured, you can view information about the group members and
find that the status of the BGP connections between the RR and the group members is
"Established" after running the display bgp vpnv4 all group command on the RR.
<Huawei> display bgp vpnv4 all group vpna
Group in VPNV4:
BGP peer-group: vpna
Remote AS: 100
Authentication type configured: None
Type : internal
Issue 02 (2012-03-30)
121
100
MsgSent
13
15
OutQ
Up/Down
State
0 00:11:12 Established
Procedure
l
----End
Context
In routine maintenance, you can run the following commands in any view to check the status of
BGP/MPLS IP VPN.
Procedure
l
Issue 02 (2012-03-30)
122
Run the display bgp vpnv4 { all | route-distinguisher route-distinguisher | vpninstance vpn-instance-name } routing-table ipv4-address [ mask | mask-length ] command
to check information about the BGP VPNv4 routing table.
Run the display bgp vpnv4 { all | route-distinguisher route-distinguisher | vpninstance vpn-instance-name } routing-table statistics command to check statistics about
the BGP VPNv4 routing table.
Run the display bgp vpnv4 { all | route-distinguisher route-distinguisher | vpninstance vpn-instance-name } routing-table command to check information about the
BGP VPNv4 routing table.
Run the display bgp vpnv4 { all | vpn-instance vpn-instance-name } group [ groupname ] command to check information about the BGP VPNv4 peer group.
Run the display bgp vpnv4 { all | vpn-instance vpn-instance-name } peer [ [ ipv4address ] verbose ] command to check BGP VPNv4 peer information.
Run the display bgp vpnv4 { all | vpn-instance vpn-instance-name } network command
to check the routing information advertised by BGP VPNv4.
Run the display bgp vpnv4 { all | vpn-instance vpn-instance-name } paths [ as-regularexpression ] command to check the AS path information of BGP VPNv4.
Run the display bgp vpnv4 vpn-instance vpn-instance-name peer { group-name | ipv4address } log-info command to check the BGP peer's log information of a specified VPN
instance.
----End
Procedure
l
Run the ping [ ip ] [ -a source-ip-address | -c count | -d | -f | -h ttl-value | -i interfacetype interface-number | -m time | -n | -p pattern | -q | -r | -s packetsize | -t timeout | -tos tosvalue | -v | -vpn-instance vpn-instance-name ] * host command to check the network
connectivity.
Run the tracert [ -a source-ip-address | -f first-ttl | -m max-ttl | -p port | -q nqueries | -vpninstance vpn-instance-name | -w timeout ] * host command to trace the gateways that the
packet passes by from the source to the destination.
Run the ping lsp [ -a source-ip | -c count | -exp exp-value | -h ttl-value | -m interval | -r
reply-mode | -s packet-size | -t time-out | -v ] * vpn-instance vpn-name remote remoteaddress mask-length command to check the connectivity of the L3VPN LSP.
----End
Example
After the VPN configuration, run the ping command with vpn-instance vpn-instance-name on
the PE to check whether the PE and the CEs that belong to the same VPN can communicate with
each other. If the ping fails, you can use the tracert command with vpn-instance vpn-instancename to locate the fault.
<Huawei> ping -vpn-instance vpna 10.1.1.1
Issue 02 (2012-03-30)
123
If multiple interfaces bound to the same VPN exist on the PE, specify the source IP address (a source-ip-address) when you ping or tracert the remote CE that accesses the peer PE.
Otherwise, the ping or tracert may fail.
If you do not specify a source IP address, the PE randomly chooses the smallest IP address of
the interface bound to the VPN on the PE as the source address of the ICMP packet. If no route
to the selected address exists on the CE, the ICMP packet sent back from the peer PE is discarded.
<Huawei> ping -a 202.38.160.243 -c 8 10.1.1.2
PING 10.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=32
Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=32
Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=32
Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=32
Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=32
Reply from 10.1.1.2: bytes=56 Sequence=6 ttl=255 time=32
Reply from 10.1.1.2: bytes=56 Sequence=7 ttl=255 time=32
Reply from 10.1.1.2: bytes=56 Sequence=8 ttl=255 time=32
--- 10.1.1.2 ping statistics --8 packet(s) transmitted
8 packet(s) received
0.00% packet loss
round-trip min/avg/max = 32/32/32 ms
ms
ms
ms
ms
ms
ms
ms
ms
Procedure
l
Run the reset bgp vpn-instance vpn-instance-name ipv4-family [ ipv4-address ]flapinfo command in the user view to clear statistics of the BGP peer flap for a specified VPN
instance IPv4 address family.
Run the reset bgp vpn-instance vpn-instance-name ipv4-family dampening [ ipv4address [ mask | mask-length ] ] command in the user view to clear dampening information
of the VPN instance IPv4 address family.
----End
Issue 02 (2012-03-30)
124
Context
CAUTION
VPN services are interrupted after the BGP connection is reset. Exercise caution when running
the commands.
When the BGP configuration changes, you can use the soft reset or reset BGP connections to
let the new configurations take effect. A soft reset requires that the BGP peers have route
refreshment capability (supporting Route-Refresh messages).
Procedure
l
Run the refresh bgp vpnv4 { all | ipv4-address | group group-name | internal | external }
import command in the user view to trigger the inbound soft reset of the BGP VPNv4
connection.
Run the refresh bgp vpnv4 { all | ipv4-address | group group-name | internal | external }
export command in the user view to trigger the outbound soft reset of the BGP VPNv4
connection.
Run the reset bgp vpn-instance vpn-instance-name ipv4-family { as-number | ipv4address | group group-name | all | internal | external } command in the user view to reset
BGP connections of the VPN instance IPv4 address family.
Run the reset bgp vpnv4 { as-number | ipv4-address | group group-name | all | internal |
external } command in the user view to reset BGP VPNv4 connections.
----End
Networking Requirements
As shown in Figure 2-2:
Issue 02 (2012-03-30)
125
The VPN target attribute of VPN-A is 111:1, and that of VPN-B is 222:2.
AS: 65430
VPN-A
VPN-A
CE1
CE3
Eth1/0/0
10.3.1.1/24
Eth1/0/0
10.1.1.1/24
Eth1/0/0
10.1.1.2/24
Loopback1
1.1.1.9/32
Eth2/0/0
10.2.1.2/24
Loopback1
2.2.2.9/32
PE1
Eth2/0/0
PE2
172.2.1.1/24
Eth1/0/0
172.1.1.2/24
Eth3/0/0
172.1.1.1/24
Eth3/0/0
172.2.1.2/24
MPLS backbone
Eth1/0/0
10.3.1.2/24
Loopback1
3.3.3.9/32
Eth2/0/0
10.4.1.2/24
AS: 100
Eth1/0/0
10.2.1.1/24
Eth1/0/0
10.4.1.1/24
CE2
CE4
VPN-B
VPN-B
AS: 65420
AS: 65440
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Configure the basic MPLS functions and MPLS LDP on the PEs, and establish the MPLS
LSPs between the PEs.
3.
Configure MP IBGP to exchange the VPN routing information between the PEs.
4.
Configure the VPN instance on the PE connected with the CE in the backbone network,
and bind the PE interface connected with the CE to the corresponding VPN instance.
5.
Configure EBGP between the CE and the PE to exchange VPN routing information.
Data Preparation
To configure BGP/MPLS IP VPN, you need the following data:
l
Issue 02 (2012-03-30)
126
Procedure
Step 1 Configure an IGP on the MPLS backbone to allow the PEs and the Ps to reach each other.
# Configure PE1.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] interface ethernet3/0/0
[PE1-Ethernet3/0/0] ip address 172.1.1.1 24
[PE1-Ethernet3/0/0] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure the P.
<Huawei> system-view
[Huawei] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.9 32
[P-LoopBack1] quit
[P] interface ethernet 1/0/0
[P-Ethernet1/0/0] ip address 172.1.1.2 24
[P-Ethernet1/0/0] quit
[P] interface ethernet 2/0/0
[P-Ethernet2/0/0] ip address 172.2.1.1 24
[P-Ethernet2/0/0] quit
[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
<Huawei> system-view
[Huawei] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.9 32
[PE2-LoopBack1] quit
[PE2] interface ethernet 3/0/0
[PE2-Ethernet3/0/0] ip address 172.2.1.2 24
[PE2-Ethernet3/0/0] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration, the OSPF neighbor relationship should be established between PE1 and
the P and between the P and PE2. After running the display ospf peer command, you can find
that the OSPF neighbor relationship is in Full state. Run the display ip routing-table command
on the PEs, and you can find that the PEs have learned the routes of the Loopback1 interface of
each other.
Issue 02 (2012-03-30)
127
Step 2 Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network to set up
the LDP LSP.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface ethernet 3/0/0
[PE1-Ethernet3/0/0] mpls
[PE1-Ethernet3/0/0] mpls ldp
[PE1-Ethernet3/0/0] quit
# Configure the P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface ethernet 1/0/0
[P-Ethernet1/0/0] mpls
[P-Ethernet1/0/0] mpls ldp
[P-Ethernet1/0/0] quit
[P] interface ethernet 2/0/0
[P-Ethernet2/0/0] mpls
[P-Ethernet2/0/0] mpls ldp
[P-Ethernet2/0/0] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface ethernet 3/0/0
[PE2-Ethernet3/0/0] mpls
[PE2-Ethernet3/0/0] mpls ldp
[PE2-Ethernet3/0/0] quit
Issue 02 (2012-03-30)
128
After the configuration, LDP sessions are set up between PE1 and the P and between the P and
PE2. After running the display mpls ldp session command on the routers, you can find that the
status of the session is "Operational" in the display result. Run the display mpls ldp lsp
command, and view the status of the LDP LSP.
Use PE1 as an example:
[PE1] display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------PeerID
Status
LAM SsnRole SsnAge
KASent/Rcv
------------------------------------------------------------------------2.2.2.9:0
Operational DU Passive 0000:00:01 5/5
------------------------------------------------------------------------TOTAL: 1 session(s) Found.
[PE1] display mpls ldp lsp
LDP LSP Information
------------------------------------------------------------------------------DestAddress/Mask
In/OutLabel
UpstreamPeer
NextHop
OutInterface
------------------------------------------------------------------------------1.1.1.9/32
3/NULL
2.2.2.9
127.0.0.1
InLoop0
*1.1.1.9/32
Liberal
2.2.2.9/32
NULL/3
172.1.1.2
Ethernet3/0/0
2.2.2.9/32
1024/3
2.2.2.9
172.1.1.2
Ethernet3/0/0
3.3.3.9/32
NULL/1025
172.1.1.2
Ethernet3/0/0
3.3.3.9/32
1025/1025
2.2.2.9
172.1.1.2
Ethernet3/0/0
------------------------------------------------------------------------------TOTAL: 5 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is in GR state
A '*' before a NextHop means the LSP is FRR LSP
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
After the configuration, run the display bgp peer command or the display bgp vpnv4 all peer
command, you can see that the BGP peer relationship is set up between the PE and the CE, and
the peer status is Established.
[PE1] display bgp vpnv4 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1
Peer
V
AS MsgRcvd
Issue 02 (2012-03-30)
MsgSent
PrefRcv
129
12
18
00:09:38
Established
Step 4 Configure VPN instances on PEs and bind the instances to the CE interfaces.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface ethernet 1/0/0
[PE1-Ethernet1/0/0] ip binding vpn-instance vpna
[PE1-Ethernet1/0/0] ip address 10.1.1.2 24
[PE1-Ethernet1/0/0] quit
[PE1] interface ethernet 2/0/0
[PE1-Ethernet2/0/0] ip binding vpn-instance vpnb
[PE1-Ethernet2/0/0] ip address 10.2.1.2 24
[PE1-Ethernet2/0/0] quit
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] ipv4-family
[PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] ipv4-family
[PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface ethernet 1/0/0
[PE2-Ethernet1/0/0] ip binding vpn-instance vpna
[PE2-Ethernet1/0/0] ip address 10.3.1.2 24
[PE2-Ethernet1/0/0] quit
[PE2] interface ethernet 2/0/0
[PE2-Ethernet2/0/0] ip binding vpn-instance vpnb
[PE2-Ethernet2/0/0] ip address 10.4.1.2 24
[PE2-Ethernet2/0/0] quit
# Configure an IP address for the CE interface according to Figure 2-2. Details for the
configuration procedure are not provided here.
After the configuration, check the configuration of VPN instances by running the display ip
vpn-instance verbose command on the PEs. Each PE can successfully ping its own CE.
NOTE
When the interfaces on a PE are bound to the same VPN, you need to specify the source IP address when
you use the ping command to ping the CE connected to the peer PE. This means that you need to specify
-a source-ip-address in the ping -a source-ip-address -vpn-instance vpn-instance-name dest-ip-address
command; otherwise, the ping fails.
Issue 02 (2012-03-30)
130
Step 5 Establish the EBGP peer relationship between the PE and the CE to import VPN routes.
# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
NOTE
The configuration procedures of CE2, CE3 and CE4 are similar to that of CE1.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
NOTE
The configuration of PE2 is similar to that of PE1, and the details for the configuration procedure are not
provided here.
After the configuration, run the display bgp vpnv4 all peer command on the PE. You can see
that the BGP peer relationship is set up between the PE and the CE, and the peer status is
Established.
Use the peer relationship between PE1 and CE1 as an example.
Issue 02 (2012-03-30)
131
The CEs in the same VPN can successfully ping each other whereas two CEs in different VPNs
cannot ping each other.
For example, CE1 can successfully ping CE3 (10.3.1.1/24) but cannot ping CE4 (10.4.1.1/24).
[CE1] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34
--- 10.3.1.1 ping statistics --5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms
[CE1] ping 10.4.1.1
PING 10.4.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.4.1.1 ping statistics --5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
ms
ms
ms
ms
ms
----End
Issue 02 (2012-03-30)
132
Configuration Files
l
Issue 02 (2012-03-30)
133
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
Issue 02 (2012-03-30)
134
Issue 02 (2012-03-30)
135
return
Networking Requirements
As shown in Figure 2-3,CE1 and CE2 belong to the same VPN, and access PE1 and PE2
respectively. CE1 and CE2 use the same AS number 600.
Figure 2-3 Networking diagram of BGP AS number substitution
Loopback1
1.1.1.9/32
PE1
GE1/0/0
10.1.1.2/24
GE1/0/0
10.1.1.1/24
CE1
Loopback1
2.2.2.9/32
Loopback1
3.3.3.9/32
GE1/0/0
20.1.1.2/24
GE2/0/0
PE2
30.1.1.2/24
GE1/0/0
10.2.1.2/24
GE2/0/0
GE2/0/0
30.1.1.1/24
20.1.1.1/24
P
Backbone
GE1/0/0
AS 100
10.2.1.1/24
CE2
GE2/0/0
200.1.1.1/24
GE2/0/0
100.1.1.1/24
VPN1
AS 600
VPN1
AS 600
Configuration Roadmap
The configuration roadmap is as follows:
Issue 02 (2012-03-30)
136
1.
Configure IGP on the backbone network to realize the interconnection between PEs and
between the PE and the P.
2.
Set up the MPLS LDP LSP between PEs. Create the VPN instance on the PE. Configure
the CE to access the PE.
3.
Set up the EBGP relationship between the PE and the CE. Import the route of the CE to
the PE.
4.
Data Preparation
To configure the BGP AS number substitution, you need the following data:
l
The same AS number used by the CE1 and the CE2 (It is different from the AS number of
the backbone network.)
Procedure
Step 1 Configure basic BGP/MPLS IP VPN.
The configuration of basic BGP/MPLS IP VPN includes:
l Configure OSPF on the MPLS backbone network. PE and P can learn routes of the Loopback
interface from each other.
l Configure MPLS basic capability and MPLS LDP on the MPLS backbone network to
establish LDP LSP.
l Establish the MP-IBGP neighbor between PEs to advertise VPN-IPv4 routes.
l Configure the VPN instances of VPN1 on PE2 and associate it with CE2.
l Configure the VPN instances of VPN1 on PE1 and associate it with CE1.
l Configure BGP between PE1 and CE1, and between PE2 and CE2 to import CEs routes into
PEs.
After the configuration given above, run the display ip routing-table command on CE2. It
shows that CE2 can learn the route of the network segment (10.1.1.0/24) of the interface on CE1
that is connected with PE1. There is no route to the VPN site (100.1.1.0/24) of the CE1. The
same situation occurs on CE1.
[CE2] display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: Public
Destinations : 9
Routes : 9
Destination/Mask Proto Pre Cost
Flags NextHop
Interface
10.1.1.0/24 EBGP
255 0
D
10.2.1.2
GigabitEthernet1/0/0
10.1.1.1/32 EBGP
255 0
D
10.2.1.2
GigabitEthernet1/0/0
10.2.1.0/24 Direct 0
0
D
10.2.1.1
GigabitEthernet1/0/0
10.2.1.2/32 Direct 0
0
D
10.2.1.2
GigabitEthernet1/0/0
10.2.1.1/32 Direct 0
0
D
127.0.0.1
InLoopBack0
127.0.0.0/8 Direct 0
0
D
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
0
D
127.0.0.1
InLoopBack0
200.1.1.0/24 Direct 0
0
D
200.1.1.1
GigabitEthernet2/0/0
200.1.1.1/32 Direct 0
0
D
127.0.0.1
InLoopBack0
Run the display ip routing-table vpn-instance command on PE. It shows that there are routes
to the VPN site of the remote CE in the VPN instances of the PE.
Issue 02 (2012-03-30)
137
Run the display bgp routing-table peer received-routes command on CE2. It shows that CE2
does not receive the route to 100.1.1.0/24.
[CE2] display bgp routing-table peer 10.2.1.2 received-routes
Total Number of Routes: 4
BGP Local router ID is 10.2.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Network
NextHop
MED
LocPrf
PrefVal Path/Ogn
*>
10.1.1.0/24
10.2.1.2
0
100?
*>
10.1.1.1/32
10.2.1.2
0
100?
*
10.2.1.0/24
10.2.1.2
0
0
100?
*>
10.2.1.1/32
10.2.1.2
0
0
100?
Issue 02 (2012-03-30)
138
0
0
0
D
D
D
127.0.0.1
127.0.0.1
127.0.0.1
InLoopBack0
InLoopBack0
127.0.0.1
InLoopBack0
Configure the BGP AS number substitution function on the PE1. The GigabitEthernet interfaces
of CE1 and CE2 can then ping through each other.
[CE1] ping -a 100.1.1.1 200.1.1.1
PING 200.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 200.1.1.1: bytes=56 Sequence=1 ttl=253 time=109 ms
Reply from 200.1.1.1: bytes=56 Sequence=2 ttl=253 time=67 ms
Reply from 200.1.1.1: bytes=56 Sequence=3 ttl=253 time=66 ms
Reply from 200.1.1.1: bytes=56 Sequence=4 ttl=253 time=85 ms
Reply from 200.1.1.1: bytes=56 Sequence=5 ttl=253 time=70 ms
--- 200.1.1.1 ping statistics --5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 66/79/109 ms
----End
Configuration Files
l
Issue 02 (2012-03-30)
139
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 600
peer 10.1.1.1 substitute-as
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 20.1.1.0 0.0.0.255
#
return
Configuration file of P
#
sysname P
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 20.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 30.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
Issue 02 (2012-03-30)
140
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 30.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 600
peer 10.2.1.1 substitute-as
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 30.1.1.0 0.0.0.255
#
return
Issue 02 (2012-03-30)
141
Networking Requirements
The communication between the Spoke-CEs is controlled by the Hub-CE in the central site, that
is, the traffic between the Spoke-CEs is forwarded by not only the Hub-PE but also the HubCE, as shown in Figure 2-4.
Figure 2-4 Hub and Spoke networking diagram
AS: 65430
Hub-CE
Eth1/0/0
110.1.1.1/24
Eth2/0/0
110.2.1.1/24
Eth3/0/0
110.1.1.2/24
Eth4/0/0
110.2.1.2/24
Hub-PE
Eth2/0/0
11.1.1.2/24
Eth1/0/0
10.1.1.2/24
Loopback1
1.1.1.9/32
Eth2/0/0
11.1.1.1/24
Eth2/0/0
10.1.1.1/24
Eth1/0/0
100.1.1.2/24
Spoke-PE1
Loopback1
3.3.3.9/32
Loopback1
2.2.2.9/32
Backbone
Spoke-PE2
Eth1/0/0
120.1.1.2/24
AS100
Eth1/0/0
100.1.1.1/24
Eth1/0/0
120.1.1.1/24
Spoke-CE1
AS: 65410
Spoke-CE2
AS: 65420
Configuration Roadmap
The configuration roadmap is as follows:
1.
Set up the MP-IBGP peer relationship between the Hub-PE and Spoke-PE. (There is no
need to set up the MP-IBGP peer relationship between the Spoke-PEs.)
2.
Create a VPN instance on the Spoke-PE and set the Import-Target differenet from the
Export-Target.
3.
Create two VPN instances, namely, vpn_in and vpn_out on the Hub-PE. Set the VPNTarget community attribute received by vpn_in as those advertised by two Spoke-PEs. Set
the VPN target community attribute advertised by vpn_out to be the VPN target community
attribute received by the two Spoke-PEs and to be different from the attributes received by
vpn_out.
4.
Issue 02 (2012-03-30)
142
5.
Configure Hub-PE to allow Hub-PE to receive the route with the AS repeated for one time.
Data Preparation
To configure the Hub&Spoke, you need the following data:
l
The VPN instance name of the Hub-PE and Spoke-PE, RD and the VPN-target
Procedure
Step 1 Configure IGP to implement the inter-networking between the Hub-PE and the Spoke-PE in the
backbone network.
The OSPF is used in this example, and the specific configuration procedures are not mentioned.
After the configuration, the OSPF neighbor relationship is established between each pair of HubPE and Spoke-PE.
After running the display ospf peer command, you can see that the status of the neighbor is
Full.
After running the display ip routing-table command on the PE, you can find that PEs learn the
Lookback routes of each other.
Step 2 Configure the basic MPLS capabilities and MPLS LDP on the backbone networks and establish
LDP LSP.
The specific configuration procedures are not mentioned here.
After the configuration, LDP neighbor relationship is established between the Hub-PE and the
Spoke-PE.
After running the display mpls ldp session command on each device, you can see that the status
of the session is "Operational".
Step 3 Configure VPN instances on each PE and connect the CE to the PE.
NOTE
The Import-Target list of one of the VPN on Hub-PE should include the Export-Targets of all Spoke-PEs.
The Export-Target list of another VPN on Hub-PE should include the Import-Targets of all Spoke-PEs.
# Configure Spoke-PE 1.
<Spoke-PE1> system-view
[Spoke-PE1] ip vpn-instance vpna
[Spoke-PE1-vpn-instance-vpna] ipv4-family
[Spoke-PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[Spoke-PE1-vpn-instance-vpna-af-ipv4] vpn-target 100:1 export-extcommunity
[Spoke-PE1-vpn-instance-vpna-af-ipv4] vpn-target 200:1 import-extcommunity
[Spoke-PE1-vpn-instance-vpna-af-ipv4] quit
[Spoke-PE1-vpn-instance-vpna] quit
[Spoke-PE1] interface ethernet 1/0/0
[Spoke-PE1-Ethernet1/0/0] ip binding vpn-instance vpna
[Spoke-PE1-Ethernet1/0/0] ip address 100.1.1.2 24
[Spoke-PE1-Ethernet1/0/0] quit
# Configure Spoke-PE 2.
<Spoke-PE2> system-view
<Spoke-PE2> system-view
Issue 02 (2012-03-30)
143
# Configure Hub-PE.
<Hub-PE> system-view
[Hub-PE] ip vpn-instance vpn_in
[Hub-PE-vpn-instance-vpn_in] ipv4-family
[Hub-PE-vpn-instance-vpn_in-af-ipv4] route-distinguisher 100:21
[Hub-PE-vpn-instance-vpn_in-af-ipv4] vpn-target 100:1 import-extcommunity
[Hub-PE-vpn-instance-vpn_in-af-ipv4] quit
[Hub-PE-vpn-instance-vpn_in] quit
[Hub-PE] ip vpn-instance vpn_out
[Hub-PE-vpn-instance-vpn_out] ipv4-family
[Hub-PE-vpn-instance-vpn_out-af-ipv4] route-distinguisher 100:22
[Hub-PE-vpn-instance-vpn_out-af-ipv4] vpn-target 200:1 export-extcommunity
[Hub-PE-vpn-instance-vpn_out-af-ipv4] quit
[Hub-PE-vpn-instance-vpn_out] quit
[Hub-PE] interface ethernet 3/0/0
[Hub-PE-Ethernet3/0/0] ip binding vpn-instance vpn_in
[Hub-PE-Ethernet3/0/0] ip address 110.1.1.2 24
[Hub-PE-Ethernet3/0/0] quit
[Hub-PE] interface ethernet 4/0/0
[Hub-PE-Ethernet4/0/0] ip binding vpn-instance vpn_out
[Hub-PE-Ethernet4/0/0] ip address 110.2.1.2 24
[Hub-PE-Ethernet4/0/0] quit
When the interfaces on a PE are bound to the same VPN, you need to specify the source IP address when
you use the ping command to ping the CE connected with the peer PE. That is, you need to specify -a
source-ip-address in the ping -a source-ip-address -vpn-instance vpn-instance-name dest-ip-address
command; otherwise, the ping fails.
Step 4 Establish EBGP peers between the PE and the CE and import the VPN routes.
NOTE
To accept the routes advertised by Hub-PE, configure the Hub-CE to allow AS number to be repeated once.
You need not allow the AS number to be repeated once on the Spoke-PE because a router does not check
the AS-PATH attribute when the router receives the routes advertised by the IBGP peer.
# Configure Spoke-CE 1.
[Spoke-CE1] bgp
[Spoke-CE1-bgp]
[Spoke-CE1-bgp]
[Spoke-CE1-bgp]
65410
peer 100.1.1.2 as-number 100
import-route direct
quit
# Configure Spoke-PE 1.
[Spoke-PE1] bgp 100
Issue 02 (2012-03-30)
144
# Configure Spoke-CE 2.
[Spoke-CE2] bgp
[Spoke-CE2-bgp]
[Spoke-CE2-bgp]
[Spoke-CE2-bgp]
65420
peer 120.1.1.2 as-number 100
import-route direct
quit
# Configure Spoke-PE 2.
[Spoke-PE2] bgp 100
[Spoke-PE2-bgp] ipv4-family vpn-instance vpna
[Spoke-PE2-bgp-vpna] peer 120.1.1.1 as-number 65420
[Spoke-PE2-bgp-vpna] quit
[Spoke-PE2-bgp] quit
# Configure Hub-CE.
[Hub-CE] bgp
[Hub-CE-bgp]
[Hub-CE-bgp]
[Hub-CE-bgp]
[Hub-CE-bgp]
65430
peer 110.1.1.2 as-number 100
peer 110.2.1.2 as-number 100
import-route direct
quit
# Configure Hub-PE.
[Hub-PE] bgp 100
[Hub-PE-bgp] ipv4-family vpn-instance vpn_in
[Hub-PE-bgp-vpn_in] peer 110.1.1.1 as-number 65430
[Hub-PE-bgp-vpn_in] quit
[Hub-PE-bgp] ipv4-family vpn-instance vpn_out
[Hub-PE-bgp-vpn_out] peer 110.2.1.1 as-number 65430
[Hub-PE-bgp-vpn_out] peer 110.2.1.1 allow-as-loop 1
[Hub-PE-bgp-vpn_out] quit
[Hub-PE-bgp] quit
After the configuration, run the display bgp vpnv4 all peer command on each PE devices and
you can see that the BGP peer relationship is established between the PE and the CE.
Step 5 Establish MP-IBGP peers between the PEs
# Configure Spoke-PE 1.
[Spoke-PE1] bgp 100
[Spoke-PE1-bgp] peer 2.2.2.9 as-number 100
[Spoke-PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[Spoke-PE1-bgp] ipv4-family vpnv4
[Spoke-PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[Spoke-PE1-bgp-af-vpnv4] quit
# Configure Spoke-PE 2.
[Spoke-PE2] bgp 100
[Spoke-PE2-bgp] peer 2.2.2.9 as-number 100
[Spoke-PE2-bgp] peer 2.2.2.9 connect-interface loopback 1
[Spoke-PE2-bgp] ipv4-family vpnv4
[Spoke-PE2-bgp-af-vpnv4] peer 2.2.2.9 enable
[Spoke-PE2-bgp-af-vpnv4] quit
# Configure Hub-PE.
[Hub-PE] bgp
[Hub-PE-bgp]
[Hub-PE-bgp]
[Hub-PE-bgp]
[Hub-PE-bgp]
Issue 02 (2012-03-30)
100
peer
peer
peer
peer
1.1.1.9
1.1.1.9
3.3.3.9
3.3.3.9
as-number 100
connect-interface loopback 1
as-number 100
connect-interface loopback 1
145
After the configuration, run the display bgp peer or display bgp vpnv4 all peer command on
each PE device. You can see the BGP peer relationship is set up between the PEs, and the status
is Established.
Step 6 Verify the configuration.
After the configuration, the Spoke-CEs can ping through each other. Run the tracert command,
and you can see that the traffic between Spoke-CEs is forwarded through Hub-CE. You can also
deduce the number of forwarding devices between Spoke-CEs based on the TTL in the Ping
result.
Consider Spoke-CE 1 as an example:
[Spoke-CE1] ping 120.1.1.1
PING 120.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 120.1.1.1: bytes=56 Sequence=1 ttl=250 time=80 ms
Reply from 120.1.1.1: bytes=56 Sequence=2 ttl=250 time=129 ms
Reply from 120.1.1.1: bytes=56 Sequence=3 ttl=250 time=132 ms
Reply from 120.1.1.1: bytes=56 Sequence=4 ttl=250 time=92 ms
Reply from 120.1.1.1: bytes=56 Sequence=5 ttl=250 time=126 ms
--- 120.1.1.1 ping statistics --5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 80/111/132 ms
[Spoke-CE1] tracert 120.1.1.1
traceroute to 120.1.1.1(120.1.1.1), max hops: 30 ,packet length: 40
1 100.1.1.2 8 ms 2 ms 2 ms
2 110.2.1.2 3 ms 2 ms 2 ms
3 110.2.1.1 3 ms 2 ms 2 ms
4 110.1.1.2 3 ms 2 ms 2 ms
5 120.1.1.2 6 ms 6 ms 6 ms
6 120.1.1.1 6 ms 6 ms 6 ms
Run the display bgp routing-table command on Spoke-CE, and you can see that there are
repetitive AS numbers in AS paths of the BGP routes toward the remote Spoke-CE.
Consider Spoke-CE 1 as an example:
[Spoke-CE1] display bgp routing-table
Total Number of Routes: 6
BGP Local router ID is 100.1.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Network
NextHop
MED
LocPrf
PrefVal Path/Ogn
*> 100.1.1.0/24
0.0.0.0
0
0
?
*
100.1.1.2
0
0
100?
*> 100.1.1.1/32
0.0.0.0
0
0
?
*> 110.1.1.0/24
100.1.1.2
0
100 65430?
*> 110.2.1.0/24
100.1.1.2
0
100?
*> 120.1.1.0/24
100.1.1.2
0
100 65430 100?
----End
Configuration Files
l
Issue 02 (2012-03-30)
146
interface Ethernet1/0/0
ip address 100.1.1.1 255.255.255.0
#
bgp 65410
peer 100.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 100.1.1.2 enable
#
return
Issue 02 (2012-03-30)
147
Issue 02 (2012-03-30)
148
bgp 65430
peer 110.1.1.2 as-number 100
peer 110.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 110.2.1.2 enable
peer 110.1.1.2 enable
#
return
Issue 02 (2012-03-30)
149
import-route direct
#
ipv4-family vpn-instance vpn_out
peer 110.2.1.1 as-number 65430
peer 110.2.1.1 allow-as-loop
import-route direct
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 11.1.1.0 0.0.0.255
#
return
Networking Requirements
As shown in Figure 2-5, CE1 and CE2 belong to the same VPN. The CE1 accesses the network
through the PE1 in AS 100 and the CE2 accesses the network through the PE2 in AS 200.
The Inter-AS BGP/MPLS IP VPN is implemented using Option A. That is, VRF-to-VRF method
is used to manage the VPN routes.
Figure 2-5 Networking diagram of inter-AS VPN
BGP/MPLS Backbone
BGP/MPLS Backbone
AS 200
AS 100
Loopback1
Loopback1
2.2.2.9/32
3.3.3.9/32
GE1/0/0
GE2/0/0
GE2/0/0
GE1/0/0
172.1.1.1/24
192.1.1.1/24 192.1.1.2/24
162.1.1.1/24
Loopback1
Loopback1
ASBR1
ASBR2
1.1.1.9/32
4.4.4.9/32
GE1/0/0
GE1/0/0
172.1.1.2/24
PE1
PE2
162.1.1.2/24
GE2/0/0
10.1.1.2/24
GE1/0/0
10.1.1.1/24
CE1
AS 65001
GE2/0/0
10.2.1.2/24
GE1/0/0
10.2.1.1/24
CE2
AS 65002
Configuration Roadmap
The configuration roadmap is as follows:
Issue 02 (2012-03-30)
150
1.
Set up the EBGP peer relationship between the PE and the CE. Set up the MP-IBGP peer
relationship between the PE and the ASBR
2.
Create the VPN instance on two ASBRs and bind the instance to the interface connected
another ASBR. Set up the EBGP peer relationship between ASBRs
Data Preparation
To complete the configuration, you need the following data:
l
The VPN instance names of the PE and the ASBR, RDs and the VPN-targets
Procedure
Step 1 Configure IGP on the MPLS backbone of AS 100 and AS 200 respectively to make ASBR and
PE can reach each other in the same AS.
OSPF is used as the IGP in this example, the configuration procedure is not mentioned.
NOTE
The 32-bit loopback interface address used as LSR ID should be advertised by OSPF.
After the configuration, the OSPF neighbor relationship should be established between the
ASBR and the PE of the same AS. Run the display ospf peer command to find that the OSPF
neighbor relationship is in "Full" state.
The ASBR and the PE in the same AS can ping through each other and can learn the Loopback
interface address of each other.
Step 2 Configure MPLS basic capability and MPLS LDP on the MPLS backbone of AS 100 and AS
200 respectively to set up LDP LSP.
# Configure basic MPLS capability on PE1 and enable LDP on the interface connecting ASBR1.
<PE1> system-view
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet1/0/0
[PE1-GigabitEthernet1/0/0] mpls
[PE1-GigabitEthernet1/0/0] mpls ldp
[PE1-GigabitEthernet1/0/0] quit
# Configure basic MPLS capability on ASBR1 and enable LDP on the interface connecting PE1.
<ASBR1> system-view
[ASBR1] mpls lsr-id 2.2.2.9
[ASBR1] mpls
[ASBR1-mpls] quit
[ASBR1] mpls ldp
[ASBR1-mpls-ldp] quit
[ASBR1] interface gigabitethernet1/0/0
[ASBR1-GigabitEthernet1/0/0] mpls
[ASBR1-GigabitEthernet1/0/0] mpls ldp
[ASBR1-GigabitEthernet1/0/0] quit
# Configure basic MPLS capability on ASBR2 and enable LDP on the interface connecting PE2.
<ASBR2> system-view
[ASBR2] mpls lsr-id 3.3.3.9
Issue 02 (2012-03-30)
151
[ASBR2] mpls
[ASBR2-mpls] quit
[ASBR2] mpls ldp
[ASBR2-mpls-ldp] quit
[ASBR2] interface gigabitethernet1/0/0
[ASBR2-GigabitEthernet1/0/0] mpls
[ASBR2-GigabitEthernet1/0/0] mpls ldp
[ASBR2-GigabitEthernet1/0/0] quit
# Configure basic MPLS capability on PE2 and enable LDP on the interface connecting ASBR2.
<PE2> system-view
[PE2] mpls lsr-id 4.4.4.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitethernet1/0/0
[PE2-GigabitEthernet1/0/0] mpls
[PE2-GigabitEthernet1/0/0] mpls ldp
[PE2-GigabitEthernet1/0/0] quit
After the configuration, the LDP neighbor relationship should be established between the PE
and the ASBR in the same AS. Running the display mpls ldp session command on the PE or
ASBR, you can find the session state is "Operational" in the output information.
Consider PE1 as an example.
[PE1] display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
-------------------------------------------------------------------------PeerID
Status
LAM SsnRole SsnAge
KASent/Rcv
-------------------------------------------------------------------------2.2.2.9:0
Operational DU
Passive 0000:00:02 9/9
-------------------------------------------------------------------------TOTAL: 1 session(s) Found.
Step 3 Configure basic BGP/MPLS IP VPN on the MPLS backbone of AS 100 and AS 200 respectively.
NOTE
The VPN target of the VPN instances of the ASBR and the PE in the same AS should match. In different
ASs, the matching of the VPN target attributes of the PEs is unnecessary.
# Configure CE1.
<CE1> system-view
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[CE1-GigabitEthernet1/0/0] quit
[CE1] bgp 65001
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit
Issue 02 (2012-03-30)
152
The configurations of CE2, PE2 and ASBR2 are similar to that of CE1, PE1 and ASBR1 and are not
mentioned here.
After the above configurations, run the display bgp vpnv4 vpn-instance peer command. You
can find the BGP peer relationship between PE and CE is set up, that is the "State" in display is
"Established". Run display bgp vpnv4 all peer to find the BGP peer relationship is "Established"
between the PE and the CE, and between the PE and the ASBR.
Consider PE1 as an example.
[PE1] display bgp vpnv4 vpn-instance vpn1 peer
BGP local router ID : 1.1.1.9
Local AS number : 100
VPN-Instance vpn1, router ID 1.1.1.9:
Total number of peers : 1
Peers in established state : 1
Peer
V AS MsgRcvd MsgSent OutQ Up/Down
State
PrefRcv
10.1.1.1 4 65001
10
10
0 00:07:10 Established
2
[PE1] display bgp vpnv4 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 2
Peers in established state : 2
Peer
V
AS MsgRcvd MsgSent OutQ Up/Down
State PrefRcv
2.2.2.9
4
100
3
7
0 00:01:36 Established
0
Peer of IPv4-family for vpn instance :
VPN-Instance vpn1, router ID 1.1.1.9:
10.1.1.1
4 65001
13
13
0 00:04:00 Established
Issue 02 (2012-03-30)
153
[ASBR1-GigabitEthernet2/0/0] quit
# Configure ASBR2. Create a VPN instance and bind it to the interface connected to ASBR1.
(ASBR2 regards ASBR1 as its CE after configuration.)
[ASBR2] ip vpn-instance vpn1
[ASBR2-vpn-instance-vpn1] ipv4-family
[ASBR2-vpn-instance-vpn1-af-ipv4] route-distinguisher 200:2
[ASBR2-vpn-instance-vpn1-af-ipv4] vpn-target 2:2 both
[ASBR2-vpn-instance-vpn1-af-ipv4] quit
[ASBR2-vpn-instance-vpn1] quit
[ASBR2] interface gigabitethernet 2/0/0
[ASBR2-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[ASBR2-GigabitEthernet2/0/0] ip address 192.1.1.2 24
[ASBR2-GigabitEthernet2/0/0] quit
After the above configuration, run the display bgp vpnv4 vpn-instance peer command on
ASBRs, and you can see that the BGP peer relationship is established between the ASBRs.
Step 5 Verify the configuration.
After the above configuration, the CEs learn interface routes of each other. CE1 and CE2 can
ping through each other.
Consider CE1 as an example.
[CE1] display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: Public
Destinations : 7
Routes : 7
Destination/Mask
Proto Pre Cost
Flags NextHop
Interface
10.1.1.0/24 Direct 0
0
D 10.1.1.1
GigabitEthernet1/0/0
10.1.1.1/32 Direct 0
0
D 127.0.0.1
InLoopBack0
10.2.1.0/24 EBGP
255 0
D 10.1.1.2
GigabitEthernet1/0/0
127.0.0.0/8
Direct 0
0
D 127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
0
D 127.0.0.1
InLoopBack0
192.1.1.0/24 EBGP
255 0
D 10.1.1.2
GigabitEthernet1/0/0
192.1.1.2/32 EBGP
255 0
D 10.1.1.2
GigabitEthernet1/0/0
[CE1] ping 10.2.1.1
PING 10.2.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=251 time=119 ms
Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=251 time=141 ms
Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=251 time=136 ms
Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=251 time=113 ms
Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=251 time=78 ms
--- 10.2.1.1 ping statistics --5 packet(s) transmitted
Issue 02 (2012-03-30)
154
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 78/117/141 ms
Run the display ip routing-table vpn-instance command on ASBR to see the information of
the VPN routing table.
[ASBR1] display ip routing-table vpn-instance vpn1
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: vpn1
Destinations : 7
Routes : 7
Destination/Mask
Proto Pre Cost
Flags NextHop
Interface
10.1.1.0/24 IBGP
255 0
RD 1.1.1.9
GigabitEthernet1/0/0
10.1.1.1/32 IBGP
255 0
RD 1.1.1.9
GigabitEthernet1/0/0
10.2.1.0/24 IBGP
255 0
D 192.1.1.2
GigabitEthernet2/0/0
10.2.1.1/32 IBGP
255 0
D 192.1.1.2
GigabitEthernet2/0/0
192.1.1.0/24 Direct 0
0
D 192.1.1.1
GigabitEthernet2/0/0
192.1.1.1/32 Direct 0
0
D 127.0.0.1
InLoopBack0
192.1.1.2/32 Direct 0
0
D 192.1.1.2
GigabitEthernet2/0/0
Run the display bgp vpnv4 all routing-table command on the ASBR, and you can see the
VPNv4 routes on the ASBR.
[ASBR1] display bgp vpnv4 all routing-table
Local AS number : 100
BGP Local router ID is 2.2.2.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 5
Route Distinguisher: 100:1
*>i
Network
NextHop
MED
LocPrf
10.1.1.0/24
1.1.1.9
100
MED
LocPrf
PrefVal Path/Ogn
0
NextHop
10.2.1.0/24
192.1.1.0
192.1.1.1/32
192.1.1.2
0.0.0.0
192.1.1.2
0.0.0.0
Network
NextHop
*>i
*>
*>
10.1.1.0/24
10.2.1.0/24
192.1.1.0
*>
192.1.1.1/32
1.1.1.9
192.1.1.2
0.0.0.0
192.1.1.2
0.0.0.0
*>
*>
*
*>
PrefVal Path/Ogn
0
0
0
0
0
0
0
MED
LocPrf
100
0
0
0
200?
?
200?
?
PrefVal Path/Ogn
0
0
0
0
0
?
200?
?
200?
?
----End
Configuration Files
l
Issue 02 (2012-03-30)
155
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65001
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
Issue 02 (2012-03-30)
156
ipv4-family
route-distinguisher 100:2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 192.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
peer 192.1.1.2 as-number 200
import-route direct
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
Issue 02 (2012-03-30)
157
Issue 02 (2012-03-30)
158
Networking Requirements
As shown in Figure 2-6, the CE1 and the CE2 belong to the same VPN. The CE1 accesses the
network through the PE1 in the AS 100. The CE2 accesses the network through the PE2 in the
AS 200.
The inter-AS BGP/MPLS IP VPN is implemented using Option B:
l
ASBR does not perform VPN target filtering on the received VPN-IPv4 routes.
BGP/MPLS Backbone
BGP/MPLS Backbone
AS 200
AS 100
Loopback1
Loopback1
2.2.2.9/32
3.3.3.9/32
GE1/0/0
GE2/0/0
GE2/0/0
GE1/0/0
172.1.1.1/24
192.1.1.1/24 192.1.1.2/24
162.1.1.1/24
Loopback1
Loopback1
ASBR1
ASBR2
1.1.1.9/32
4.4.4.9/32
GE1/0/0
GE1/0/0
172.1.1.2/24
PE1
PE2
162.1.1.2/24
GE2/0/0
10.1.1.2/24
GE1/0/0
10.1.1.1/24
CE1
AS 65001
Issue 02 (2012-03-30)
GE2/0/0
10.2.1.2/24
GE1/0/0
10.2.1.1/24
CE2
AS 65002
159
Configuration Roadmap
The configuration roadmap is as follows:
1.
Configure IGP on the backbone network to interconnect the ASBR and the PE in the same
AS. Set up MPLS LDP LSP between the ASBR and the PE in the same AS.
2.
Set up the EBGP peer relationship between the PE and the CE. Set up the MP-IBGP peer
relationship between the PE and the ASBR.
3.
Configure the VPN instance on the PE. (There is no need to configure the VPN instance
on the ASBR.)
4.
Enable MPLS on the interface connected ASBRs. Set up the MP-EBGP peer relationship
between ASBRs. Configure no VPN-target filtration on the received VPNv4 routes.
Data Preparation
To complete the configuration, you need the following data:
l
Name, RD and the VPN-Target of the VPN instance configured on the PE1 and PE2
Procedure
Step 1 Configure IGP on MPLS backbone of AS 100 and AS 200 respectively to make the PE and the
P reach each other in the same AS.
OSPF is used as the IGP in this example, the configuration procedure is not mentioned here.
NOTE
The 32-bit loopback interface address used as the LSR ID should be advertised by OSPF.
After the configuration, the OSPF neighbor relationship should be established between the
ASBR and the PE of the same AS. Run the display ospf peer command to find that the status
of the OSPF neighbor relationship is "Full".
The ASBR and the PE in the same AS can learn the Loopback addresses of each other and can
ping through each other.
Step 2 Configure MPLS basic capability and MPLS LDP on the MPLS backbone of AS 100 and AS
200 respectively to setup LDP LSP.
For configuration procedures, see Example for Configuring Inter-AS VPN Option A.
Step 3 Configure basic BGP/MPLS IP VPN on the MPLS backbone of AS 100 and AS 200 respectively.
NOTE
The VPN target of the VPN instances of the PE1 and the PE2 should be matched.
Issue 02 (2012-03-30)
160
# Configure ASBR 1. Establish MP-EBGP peer with ASBR 2 and perform no VPN target
filtering on the received VPNv4 routes, and then enable ASBR 1 to allocate labels based on the
next hop.
[ASBR1] bgp 100
[ASBR1-bgp] peer 192.1.1.2 as-number 200
[ASBR1-bgp] ipv4-family vpnv4
[ASBR1-bgp-af-vpnv4] peer 192.1.1.2 enable
[ASBR1-bgp-af-vpnv4] undo policy vpn-target
[ASBR1-bgp-af-vpnv4] apply-label per-nexthop
[ASBR1-bgp-af-vpnv4] quit
[ASBR1-bgp] quit
NOTE
The configurations of ASBR 2 are similar to that of ASBR 1 and are not mentioned here.
Run the display bgp vpnv4 all routing-table command on the ASBR, and you can see the
VPNv4 routes on the ASBR.
Consider ASBR 1 for an example.
[ASBR1] display bgp vpnv4 all routing-table
Local AS number : 100
BGP Local router ID is 2.2.2.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 3
Route Distinguisher: 100:1
Network
NextHop
MED
LocPrf
PrefVal Path/Ogn
*>i 10.1.1.0/24
1.1.1.9
0
100
0
?
*>i 10.1.1.1/32
1.1.1.9
0
100
0
?
Issue 02 (2012-03-30)
161
MED
LocPrf
PrefVal Path/Ogn
0
200?
----End
Configuration Files
l
Issue 02 (2012-03-30)
162
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
Issue 02 (2012-03-30)
163
Issue 02 (2012-03-30)
164
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
Networking Requirements
As shown in Figure 2-7, CE1 and CE2 belong to the same VPN. The CE1 accesses the network
through the PE1 in AS 100 and the CE2 accesses the network through the PE2 in AS 200.
The Inter-AS BGP/MPLS IP VPN is implemented using Option C.
Figure 2-7 Networking diagram of inter-AS VPN
BGP/MPLS Backbone
BGP/MPLS Backbone
AS 200
AS 100
Loopback1
Loopback1
2.2.2.9/32
3.3.3.9/32
GE1/0/0
GE2/0/0
GE2/0/0
GE1/0/0
172.1.1.1/24
192.1.1.1/24 192.1.1.2/24
162.1.1.1/24
Loopback1
Loopback1
ASBR1
ASBR2
1.1.1.9/32
4.4.4.9/32
GE1/0/0
GE1/0/0
172.1.1.2/24
PE1
PE2
162.1.1.2/24
GE2/0/0
10.1.1.2/24
GE1/0/0
10.1.1.1/24
CE1
AS 65001
Issue 02 (2012-03-30)
GE2/0/0
10.2.1.2/24
GE1/0/0
10.2.1.1/24
CE2
AS 65002
165
Configuration Roadmap
The configuration roadmap is as follows:
1.
Set up the MP-EBGP peer relationship between PEs in different ASs and configure the
maximum hops between PEs.
2.
Configure the routing policy on the ASBR: Assign MPLS labels to the loopback routes
with MPLS tokens received from the PE in the local AS before advertising the routes to
the remote ASBR; Assign new MPLS labels to the routes advertised to the PE in the local
AS if they are labeled IPv4 routes.
3.
Configure the PE and the ASBR of the local AS to exchange the labeled IPv4 route.
4.
Configure the ASBR and the peer ASBR to exchange the labeled IPv4 route.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Configure IGP on the MPLS backbone of AS 100 and AS 200 respectively to make the PE and
the ASBR can reach each other in the same AS.
OSPF is used as IGP in this example, and the configuration procedure is not mentioned here.
NOTE
The 32-bit loopback interface address used as the LSR ID should be advertised by OSPF.
After the configuration, the OSPF neighbor relationship should be established between the
ASBR and the PE of the same AS. Run the display ospf peer command to find the status of the
OSPF neighbor relationship as "Full".
Take PE1 as an example.
<PE1> display ospf peer
OSPF Process 1 with Router ID 1.1.1.9
Neighbors
Area 0.0.0.0 interface 172.1.1.2(GigabitEthernet1/0/0)'s neighbors
Router ID: 2.2.2.9
Address: 172.1.1.1
State: Full Mode:Nbr is Master Priority: 1
DR: None
BDR: None
MTU: 0
Dead timer due in 31 sec
Neighbor is up for 00:28:11
Authentication Sequence: [ 0 ]
The ASBR and the PE in the same AS can learn Loopback addresses of each other and can ping
through each other.
Step 2 Configure MPLS basic capability and MPLS LDP on the MPLS backbone of AS 100 and AS
200 respectively to setup LDP LSP.
For configuration procedures, see Example for Configuring Inter-AS VPN Option A.
Step 3 Set up the IBGP peer relationship between the PEs and the ASBRs in the same AS.
Issue 02 (2012-03-30)
166
The import VPN-taget configured on PE1 must be the same as the export VPN-target configured on PE2;
the export VPN-taget configured on PE1 must be the same as the import VPN-target configured on PE2.
# Configure ASBR 1. Apply route policies to the routes advertised to PE1 and enable to exchange
label IPv4 routes with PE1.
[ASBR1] bgp 100
[ASBR1-bgp] peer 1.1.1.9 route-policy policy2 export
[ASBR1-bgp] peer 1.1.1.9 label-route-capability
# Configure ASBR 1. Apply route policies to the routes advertised to ASBR 2 and enable to
exchange label IPv4 routes with ASBR 2.
[ASBR1-bgp]
[ASBR1-bgp]
[ASBR1-bgp]
[ASBR1-bgp]
# Configure ASBR1. Advertise the Loopback routes with MPLS tokens of PE1 to ASBR2, and
then to PE2.
[ASBR1] route-policy policy3 permit node 1
[ASBR1-route-policy] if-match mpls-token
[ASBR1-route-policy] quit
[ASBR1] bgp 100
[ASBR1-bgp] network 1.1.1.9 32 route-policy policy3
[ASBR1-bgp] quit
NOTE
The configurations of PE2 and ASBR 2 are similar to that of PE1 and ASBR 1 and are not mentioned here.
167
# Configure PE2.
[PE2] bgp 200
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface LoopBack 1
[PE2-bgp] peer 1.1.1.9 ebgp-max-hop 10
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
There is no VPNv4 route on the ASBR. Run the display bgp routing-table label command on
the ASBR to see the label information of the routes.
Consider ASBR1 as an example:
[ASBR1] display bgp routing-table label
Total Number of Routes: 2
BGP Local router ID is 2.2.2.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Network
NextHop
In/Out Label
*>
1.1.1.9
172.1.1.2
15360/NULL
*>
4.4.4.9
192.1.1.2
15361/15361
----End
Issue 02 (2012-03-30)
168
Configuration Files
l
Issue 02 (2012-03-30)
169
Issue 02 (2012-03-30)
170
interface GigabitEthernet2/0/0
ip address 192.1.1.2 255.255.255.0
mpls
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 200
peer 192.1.1.1 as-number 100
peer 4.4.4.9 as-number 200
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
network 4.4.4.9 255.255.255.255 route-policy policy3
peer 192.1.1.1 enable
peer 192.1.1.1 route-policy policy1 export
peer 192.1.1.1 label-route-capability
peer 4.4.4.9 enable
peer 4.4.4.9 route-policy policy2 export
peer 4.4.4.9 label-route-capability
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
route-policy policy1 permit node 1
apply mpls-label
route-policy policy2 permit node 1
if-match mpls-label
apply mpls-label
route-policy policy3 permit node 1
if-match mpls-token
#
return
Issue 02 (2012-03-30)
171
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
peer 3.3.3.9 label-route-capability
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 65002
import-route direct
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
Networking Requirements
As shown in Figure 2-8. CE1 and CE2 belong to the same VPN. CE1 accesses AS100 through
PE1, and CE2 accesses AS200 through PE2.
Issue 02 (2012-03-30)
172
BGP/MPLS Backbone
AS 200
Loopback1
3.3.3.9/32
GE2/0/0
192.1.1.2/24
GE1/0/0
172.1.1.2/24
PE1
GE1/0/0
162.1.1.1/24
Loopback1
4.4.4.9/32
ASBR2
GE1/0/0
162.1.1.2/24
PE2
GE2/0/0
10.1.1.2/24
GE2/0/0
10.2.1.2/24
GE1/0/0
10.1.1.1/24
GE1/0/0
10.2.1.1/24
CE1
AS 65001
CE2
AS 65002
No IBGP peer relationship is needed between a PE and an ASBR. The ASBR learns the labeled
BGP routes of the public network at the remote AS from the peer ASBR. Then these BGP routes
are imported to IGP. In this manner, LDP can distribute labels for these routes and establish an
inter-AS LDP LSP. The inter-AS BGP/MPLS IP VPN Option C can then be realized.
Configuration Roadmap
The configuration roadmap is as follows:
1.
Advertise the routes of the PE within an AS to the remote PE: Advertise the routes of the
PE within an AS to the remote ASBR through BGP, import these BGP routes to IGP on
the remote ASBR, and then advertise the routes of the PE to the remote PE by using IGP.
2.
Configure a routing policy on the ASBR: Allocate MPLS labels to the the routes with MPLS
tokens received by a PE within the local AS and advertised to the remote ASBR. Allocate
new MPLS labels to the labeled IPv4 routes advertised to the PE within the local AS.
3.
Exchange the labeled IPv4 routes between the local ASBR and the remote ASBR.
4.
Configure an LDP LSP for the labeled BGP routes of the public network on ASBRs.
5.
Establish the MP-EBGP peer relationship between PEs of different ASs, and specify the
maximum hops between PEs because the PEs are generally not directly connected.
Data Preparation
To complete the configuration, you need the following data:
l
Issue 02 (2012-03-30)
173
Procedure
Step 1 Configure IGP on the MPLS backbone networks of AS100 and AS200. In this manner, PEs
within each MPLS backbone network can be interconnected with ASBRs.
In this example, IGP adopts OSPF, and the specific configuration steps are not mentioned here.
NOTE
Advertise the 32-bit IP address of the loopback interface, that is, the LSR ID, by using OSPF.
After the configuration, the OSPF neighbor relationship can be established between the ASBR
and the PE in the same AS. Run the display ospf peercommand to find that the neighboring
state is Full.
Take PE1 as an example:
<PE1> display ospf peer
OSPF Process 1 with Router ID 1.1.1.9
Neighbors
Area 0.0.0.0 interface 172.1.1.2(GigabitEthernet1/0/0)'s neighbors
Router ID: 2.2.2.9
Address: 172.1.1.1
State: Full Mode:Nbr is Master Priority: 1
DR: None
BDR: None
MTU: 0
Dead timer due in 28 sec
Neighbor is up for 00:01:04
Authentication Sequence: [ 0 ]
The ASBR and PE in the same AS can learn the IP address of the loopback1 interface of each
other. They can also ping each other successfully.
Step 2 Establish the EBGP peer relationship between the ASBRs.
# Configure ASBR1.
[ASBR1] bgp 100
[ASBR1-bgp] peer 192.1.1.2 as-number 200
[ASBR1-bgp] quit
# Configure ASBR2.
[ASBR2] bgp 200
[ASBR2-bgp] peer 192.1.1.1 as-number 100
[ASBR2-bgp] quit
After the configuration, run the display bgp peer command on ASBRs to find the adjacency
status is Established.
Take ASBR1 as an example:
[ASBR1] display bgp peer
BGP local router ID : 2.2.2.9
Local AS number : 100
Total number of peers : 1
Peer
AS
MsgRcvd
MsgSent
192.1.1.2
4 200
129
134
OutQ
Up/Down
State
PrefRcv
0 01:39:21 Established
Issue 02 (2012-03-30)
174
# On ASBR1, import BGP routes to OSPF, and advertise the routes of PE2 to PE1 through OSPF.
[ASBR1] ospf 1
[ASBR1-ospf-1] import-route bgp
# On ASBR2, import BGP routes to OSPF, and advertise the routes of PE1 to PE2 through OSPF.
[ASBR2] ospf 1
[ASBR2-ospf-1] import-route bgp
After the configuration, run the display ip routing-table command on the PEs to check the
routing table. Take PE1 as an example:
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: Public
Destinations : 8
Routes : 8
Destination/Mask
Proto
1.1.1.9/32 Direct
2.2.2.9/32 OSPF
GigabitEthernet1/0/0
4.4.4.9/32 O_ASE
GigabitEthernet1/0/0
127.0.0.0/8
Direct
127.0.0.1/32 Direct
172.1.1.0/24 Direct
GigabitEthernet1/0/0
172.1.1.1/32 Direct
GigabitEthernet1/0/0
172.1.1.2/32 Direct
Pre
Cost
Flags NextHop
0
10
0
1
D
D
127.0.0.1
172.1.1.1
150
172.1.1.1
0
0
0
0
0
0
D
D
D
127.0.0.1
127.0.0.1
172.1.1.2
172.1.1.1
127.0.0.1
Interface
InLoopBack0
InLoopBack0
InLoopBack0
InLoopBack0
Step 4 Configure basic MPLS functions and MPLS LDP on the MPLS backbone networks of AS100
and AS200 to establish LDP LSP.
# Configure basic MPLS functions on PE1 and enable LDP on the interface connected with
ASBR1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] mpls
[PE1-GigabitEthernet1/0/0] mpls ldp
[PE1-GigabitEthernet1/0/0] quit
# Configure basic MPLS functions on ASBR1 and enable LDP on the interface connected with
PE1.
[ASBR1] mpls lsr-id 2.2.2.9
[ASBR1] mpls
Issue 02 (2012-03-30)
175
[ASBR1-mpls] quit
[ASBR1] mpls ldp
[ASBR1-mpls-ldp] quit
[ASBR1] interface gigabitethernet 1/0/0
[ASBR1-GigabitEthernet1/0/0] mpls
[ASBR1-GigabitEthernet1/0/0] mpls ldp
[ASBR1-GigabitEthernet1/0/0] quit
# Configure basic MPLS functions on ASBR2 and enable LDP on the interface connected with
PE2.
[ASBR2] mpls lsr-id 3.3.3.9
[ASBR2] mpls
[ASBR2-mpls] quit
[ASBR2] mpls ldp
[ASBR2-mpls-ldp] quit
[ASBR2] interface gigabitethernet 1/0/0
[ASBR2-GigabitEthernet1/0/0] mpls
[ASBR2-GigabitEthernet1/0/0] mpls ldp
[ASBR2-GigabitEthernet1/0/0] quit
# Configure basic MPLS functions on PE2 and enable LDP on the interface connected with
ASBR2.
[PE2] mpls lsr-id 4.4.4.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] mpls
[PE2-GigabitEthernet1/0/0] mpls ldp
[PE2-GigabitEthernet1/0/0] quit
After the configuration, the LDP sessions between PE1 and the ASBR1, and between PE2 and
ASBR2 are set up. Run the display mpls ldp session command. You can view that the status is
"Operational". Run the display mpls ldp lsp command, and you can view whether LDP LSPs
are set up.
Take PE1 as an example:
[PE1] display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
-----------------------------------------------------------------------------PeerID
Status
LAM SsnRole SsnAge
KASent/Rcv
-----------------------------------------------------------------------------2.2.2.9:0
Operational DU
Passive 0000:00:01 5/5
-----------------------------------------------------------------------------TOTAL: 1 session(s) Found.
<PE1> display mpls ldp lsp
LDP LSP Information
------------------------------------------------------------------------------DestAddress/Mask
In/OutLabel
UpstreamPeer
NextHop
OutInterface
------------------------------------------------------------------------------1.1.1.9/32
3/NULL
2.2.2.9
127.0.0.1
InLoop0
*1.1.1.9/32
Liberal
2.2.2.9/32
NULL/3
172.1.1.1
GigabitEthernet1/0/0
2.2.2.9/32
1024/3
2.2.2.9
172.1.1.1
GigabitEthernet1/0/0
------------------------------------------------------------------------------TOTAL: 3 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
Issue 02 (2012-03-30)
176
'*'
'*'
'*'
'*'
before
before
before
before
# On ASBR1, apply a routing policy to the routes advertised to ASBR2, and enable the labeled
IPv4 route exchange with ASBR2.
[ASBR1] bgp
[ASBR1-bgp]
[ASBR1-bgp]
[ASBR1-bgp]
100
peer 192.1.1.2 route-policy policy1 export
peer 192.1.1.2 label-route-capability
quit
NOTE
The configuration on ASBR2 is similar to that on ASBR1 and not mentioned here. Please refer to the
configuration file.
Step 6 Configure LDP LSPs for the labeled BGP routes of the public network on ASBRs.
# Configure ASBR1.
[ASBR1] mpls
[ASBR1-mpls] lsp-trigger bgp-label-route
[ASBR1-mpls] quit
# Configure ASBR2.
[ASBR2] mpls
[ASBR2-mpls] lsp-trigger bgp-label-route
[ASBR2-mpls] quit
Step 7 Configure the VPN instance on the PEs and configure the CEs to access the instances.
# Configure PE1.
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] ipv4-family
[PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 export-extcommunity
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 import-extcommunity
[PE1-vpn-instance-vpn1-af-ipv4] quit
[PE1-vpn-instance-vpn1] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[PE1-GigabitEthernet2/0/0] ip address 10.1.1.2 24
[PE1-GigabitEthernet2/0/0] quit
# Configure PE2.
[PE2] ip vpn-instance vpn1
[PE2-vpn-instance-vpn1] ipv4-family
[PE2-vpn-instance-vpn1-af-ipv4] route-distinguisher 200:1
[PE2-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 export-extcommunity
[PE2-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 import-extcommunity
Issue 02 (2012-03-30)
177
[PE2-vpn-instance-vpn1-af-ipv4] quit
[PE2-vpn-instance-vpn1] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[PE2-GigabitEthernet2/0/0] ip address 10.2.1.2 24
[PE2-GigabitEthernet2/0/0] quit
After the configuration, run the display ip vpn-instance verbose command on PEs to view the
configurations of VPN instances. Each PE can ping its connected CE successfully.
Take PE1 and CE1 as examples:
[PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 1
VPN-Instance Name and ID : vpn1, 1
Interfaces : GigabitEthernet2/0/0
Address family ipv4
Create date : 2008/02/27 09:53:47
Up time : 0 days, 00 hours, 35 minutes and 43 seconds
Route Distinguisher : 100:1
Export VPN Targets : 1:1
Import VPN Targets : 1:1
Label Policy : label per route
Log Interval : 5
[PE1] ping -vpn-instance vpn1 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Request time out
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=50
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=40
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=30
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=10
ms
ms
ms
ms
Step 8 Establish the MP-EBGP peer relationship between PE1 and PE2.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 4.4.4.9 as-number 200
[PE1-bgp] peer 4.4.4.9 connect-interface LoopBack 1
[PE1-bgp] peer 4.4.4.9 ebgp-max-hop 10
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 4.4.4.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 200
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface LoopBack 1
[PE2-bgp] peer 1.1.1.9 ebgp-max-hop 10
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
Step 9 Set up the EBGP peer relationship between PEs and CEs to import VPN routes.
# Configure CE1.
[CE1] bgp 65001
[CE1-bgp] peer 10.1.1.2 as-number 100
Issue 02 (2012-03-30)
178
# Configure CE2.
[CE2] bgp
[CE2-bgp]
[CE2-bgp]
[CE2-bgp]
65002
peer 10.2.1.2 as-number 200
import-route direct
quit
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65001
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] quit
# Configure PE2.
[PE2] bgp 200
[PE2-bgp] ipv4-family vpn-instance vpn1
[PE2-bgp-vpn1] peer 10.2.1.1 as-number 65002
[PE2-bgp-vpn1] import-route direct
[PE2-bgp-vpn1] quit
After the configuration, run the display bgp vpnv4 vpn-instance peer command on a PE to
find that the BGP peer relationship between the PE and CE is in the Established state.
Take the peer relationship between PE 1 and CE 1 as an example:
[PE1] display bgp vpnv4 vpn-instance vpn1 peer
BGP local router ID : 1.1.1.9
Local AS number : 100
VPN-Instance vpn1, router ID 1.1.1.9:
Total number of peers : 1
Peer
10.1.1.1
V
AS
4 65001
MsgRcvd
3
MsgSent
3
Issue 02 (2012-03-30)
179
After the configuration, run the display ip routing-table dest-ip-address verbose command on
ASBR1, you can find that the routes from ASBR1 to PE2 are labeled BGP routes of the public
network. The routing table is "Public", the protocol type is "BGP", and the label has a non-zero
value.
Take ASBR1 as an example:
[ASBR1] display ip routing-table 4.4.4.9 verbose
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Table : Public
Summary Count : 1
Destination
Protocol
Preference
NextHop
State
Tag
Label
IndirectID
RelayNextHop
TunnelID
:
:
:
:
:
:
:
:
:
:
4.4.4.9/32
BGP
255
192.1.1.2
Active Adv
0
15360
0x0
0.0.0.0
0x6002006
Process ID
Cost
Neighbour
Age
Priority
QoSInfo
Interface
Flags
:
:
:
:
:
:
0
1
192.1.1.2
00h12m53s
0
0x0
: GigabitEthernet2/0/0
: D
Run the display mpls lsp protocol ldp include dest-ip-address verbose on ASBR1 and PE2
respectively, you can find that an LDP LSP is established between ASBR1 and PE2. Besides,
you can find an LDP Ingress LSP on a PE to the remote PE.
[ASBR1] display mpls lsp protocol ldp include 4.4.4.9 32 verbose
---------------------------------------------------------------------LSP Information: LDP LSP
---------------------------------------------------------------------No
: 1
VrfIndex
:
Fec
: 4.4.4.9/32
Nexthop
: 192.1.1.2
In-Label
: 1024
Out-Label
: NULL
In-Interface
: ---------Out-Interface
: ---------LspIndex
: 13313
Token
: 0x0
FrrToken
: 0x0
LsrType
: Egress
Outgoing token
: 0x6002006
Label Operation
: POPGO
Mpls-Mtu
: -----TimeStamp
: 15829sec
Bfd-State
: ---
----End
Configuration Files
l
Issue 02 (2012-03-30)
180
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65001
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
Issue 02 (2012-03-30)
181
lsp-trigger bgp-label-route
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 192.1.1.1 255.255.255.0
mpls
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 192.1.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
network 1.1.1.9 255.255.255.255 route-policy policy0
peer 192.1.1.2 enable
peer 192.1.1.2 route-policy policy1 export
peer 192.1.1.2 label-route-capability
#
ospf 1
import-route bgp
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
route-policy policy0 permit node 1
if-match mpls-token
route-policy policy1 permit node 1
apply mpls-label
#
return
Issue 02 (2012-03-30)
182
#
ospf 1
import-route bgp
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
route-policy policy0 permit node 1
if-match mpls-token
route-policy policy1 permit node 1
apply mpls-label
#
return
Issue 02 (2012-03-30)
183
Networking Requirements
As shown in Figure 2-9:
l
CE1 and CE2 belong to VPN-A and the VPN target is 1:1.
CE1 accesses the backbone network through the UPE and CE2 accesses the network
through the PE.
The UPE, the SPE and the PE are interconnected through OSPF.
Loopback1
Loopback1
3.3.3.9/32
2.2.2.9/32
GE2/0/0
172.2.1.1/24
GE1/0/0
PE
Loopback1 172.1.1.2/24
GE2/0/0
1.1.1.9/32
172.2.1.2/24
SPE
GE2/0/0
172.1.1.1/24
UPE GE1/0/0
10.1.1.2/24
GE1/0/0
10.2.1.2/24
AS: 100
GE1/0/0
10.2.1.1/24
GE1/0/0
10.1.1.1/24
CE1
VPN-A
CE2
AS: 65410
AS: 65420
VPN-A
Configuration Roadmap
The configuration roadmap is as follows:
Issue 02 (2012-03-30)
184
1.
Configure IGP in the backbone network and ensure the PEs can learn the loopback address
from each other.
2.
3.
Create the VPN instance on the UPE and set up the EBGP peer relationship between the
UPE and the CE1.
4.
Create the VPN instance on the PE and set up the EBGP peer relationship between the PE
and the CE2.
5.
Set up the MP-IBGP peer relationship between the UPE and the SPE, the PE and the SPE.
6.
Create the VPN instance on the SPE. Specify the UPE as the underlayer PE, that is, the
user layer PE. Advertise the default route of the VPN instance to the UPE.
Data Preparation
To complete the configuration, you need the following data:
l
VPN instance name, RD and VPN target created on the UPE, SPE and PE
Procedure
Step 1 Configure OSPF on the MPLS backbone network to implement internetworking.
After the configuration, OSPF neighbors are established among UPE, SPE and PE. Run the
display ospf peer command to see the status of the OSPF neighbor relationship is "Full". Run
the display ip routing-table command to see that PEs know loopback routes from each other.
The specific configuration procedures are not mentioned here.
Step 2 Configure basic MPLS capability and MPLS LDP on MPLS backbone networks and establish
LDP LSP.
After the configuration, LDP session can be established among UPE, SPE and PE. Run the
display mpls ldp session command to see that the session state is "Operational". Run the display
mpls ldp lsp command to see LDP LSP is established.
The specific configuration procedures are not mentioned here.
Step 3 Configure PEs and CEs.
# Configure UPE.
<UPE> system-view
[UPE] ip vpn-instance vpna
[UPE-vpn-instance-vpna] ipv4-family
[UPE-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[UPE-vpn-instance-vpna-af-ipv4] vpn-target 1:1
[UPE-vpn-instance-vpna-af-ipv4] quit
[UPE-vpn-instance-vpna] quit
[UPE] interface gigabitethernet 1/0/0
[UPE-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[UPE-GigabitEthernet1/0/0] ip address 10.1.1.2 24
[UPE-GigabitEthernet1/0/0] quit
[UPE] bgp 100
[UPE-bgp] ipv4-family vpn-instance vpna
[UPE-bgp-vpna] peer 10.1.1.1 as-number 65410
[UPE-bgp-vpna] import-route direct
[UPE-bgp-vpna] quit
[UPE-bgp] quit
Issue 02 (2012-03-30)
185
# Configure CE1.
<Huawei> system-view
[Huawei] sysname CE1
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[CE1-GigabitEthernet1/0/0] quit
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit
# Configure PE.
<PE> system-view
[PE] ip vpn-instance vpna
[PE-vpn-instance-vpna] ipv4-family
[PE-vpn-instance-vpna-af-ipv4] route-distinguisher 100:2
[PE-vpn-instance-vpna-af-ipv4] vpn-target 1:1
[PE-vpn-instance-vpna-af-ipv4] quit
[PE-vpn-instance-vpna] quit
[PE] interface gigabitethernet 1/0/0
[PE-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[PE-GigabitEthernet1/0/0] ip address 10.2.1.2 24
[PE-GigabitEthernet1/0/0] quit
[PE] bgp 100
[PE-bgp] ipv4-family vpn-instance vpna
[PE-bgp-vpna] peer 10.2.1.1 as-number 65420
[PE-bgp-vpna] import-route direct
[PE-bgp-vpna] quit
[PE-bgp] quit
# Configure CE2.
<Huawei> system-view
[Huawei] sysname CE2
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] ip address 10.2.1.1 24
[CE2-GigabitEthernet1/0/0] quit
[CE2] bgp 65420
[CE2-bgp] peer 10.2.1.2 as-number 100
[CE2-bgp] import-route direct
[CE2-bgp] quit
After the configuration, run the display ip vpn-instance verbose command on the PE or UPE
to see the configurations of VPN instances. By running the command ping -vpn-instance, the
PE and UPE can ping the CEs attached to themselves successfully.
NOTE
When the interfaces on a PE are bound to the same VPN, you need to specify the source IP address when
you use the ping -vpn-instance command to ping the CE connected with the peer PE. That is, you need
to specify -a source-ip-address in the ping -a source-ip-address -vpn-instance vpn-instance-name destip-address command; otherwise, the ping fails.
Step 4 Configure MP-IBGP peer relationship between UPE and SPE, and between PE and SPE.
# Configure UPE.
<UPE> system-view
[UPE] bgp 100
[UPE-bgp] peer 2.2.2.9 as-number 100
[UPE-bgp] peer 2.2.2.9 connect-interface loopback 1
[UPE-bgp] ipv4-family vpnv4
[UPE-bgp-af-vpnv4] peer 2.2.2.9 enable
[UPE-bgp-af-vpnv4] quit
[UPE-bgp] quit
# Configure SPE.
Issue 02 (2012-03-30)
186
<SPE> system-view
[SPE] bgp 100
[SPE-bgp] peer 1.1.1.9 as-number 100
[SPE-bgp] peer 1.1.1.9 connect-interface loopback 1
[SPE-bgp] peer 3.3.3.9 as-number 100
[SPE-bgp] peer 3.3.3.9 connect-interface loopback 1
[SPE-bgp] ipv4-family vpnv4
[SPE-bgp-af-vpnv4] peer 1.1.1.9 enable
[SPE-bgp-af-vpnv4] peer 3.3.3.9 enable
[SPE-bgp-af-vpnv4] quit
[SPE-bgp] quit
# Configure PE.
<PE> system-view
[PE] bgp 100
[PE-bgp] peer 2.2.2.9 as-number 100
[PE-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE-bgp] ipv4-family vpnv4
[PE-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE-bgp-af-vpnv4] quit
[PE-bgp] quit
Issue 02 (2012-03-30)
187
Run the display bgp vpnv4 all routing-table command on UPE to see a default route of VPN
instances vpna with the next hop to SPE.
[UPE] display bgp vpnv4 all routing-table
BGP Local router ID is 1.1.1.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 3
Route Distinguisher: 100:1
*>
*
Network
NextHop
10.1.1.0/24
0.0.0.0
10.1.1.1
MED
LocPrf
0
0
PrefVal Path/Ogn
0
0
?
65410?
*>i
*>i
*>
*
Network
NextHop
MED
LocPrf
0.0.0.0
2.2.2.9
100
Network
NextHop
MED
LocPrf
0.0.0.0
10.1.1.0/24
2.2.2.9
0.0.0.0
10.1.1.1
0
0
0
100
PrefVal Path/Ogn
0
PrefVal Path/Ogn
0
0
0
i
?
65410?
----End
Configuration Files
l
Issue 02 (2012-03-30)
188
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
Issue 02 (2012-03-30)
189
#
interface GigabitEthernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
peer 1.1.1.9 upe
peer 1.1.1.9 default-originate vpn-instance vpna
peer 3.3.3.9 enable
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
#
return
Configuration file of PE
#
sysname PE
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpna
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
Issue 02 (2012-03-30)
190
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 10.2.1.1 as-number 65420
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 172.2.1.0 0.0.0.255
#
return
Networking Requirements
As shown in Figure 2-10, the networking requirements are as follows:
l
CE1 and CE2 belong to the same LAN, and MCE, CE3, and CE4 belong to the same LAN.
An MCE is used by the client to exchange routes between multiple VPN instances.
CE1 and CE3 belong to vpna, while CE2 and CE4 belong to vpnb.
The users residing in the same VPN can mutually access, but those in different VPNs cannot
mutually access. So, the services of different VPNs in LAN are isolated from each other.
Issue 02 (2012-03-30)
191
vpna
CE1
Eth1/0/0
10.1.1.1/24
Eth1/0/0
10.3.1.1/24
Loopback1
2.2.2.9/32
Eth1/0/0
Eth2/0/0
192.1.1.1/24 192.1.1.2/24
Eth3/0/0
10.3.1.2/24
vpna
Eth1/0/0
Eth3/0/0
Eth2/0/0
Eth2/0/0 PE1 172.1.1.2/24 PE2 192.2.1.1/24 192.2.1.2/24
10.2.1.2/24
MCE
vpnb
Eth4/0/0
10.4.1.2/24
Eth1/0/0
10.2.1.1/24
Eth1/0/0
10.4.1.1/24
Eth1/0/0
10.1.1.2/24
Loopback1
1.1.1.9/32
CE3
Eth3/0/0
172.1.1.1/24
CE2
CE4
vpnb
vpnb
Configuration Roadmap
The configuration roadmap is as follows:
1.
Configure OSPF between the PEs. Configure the MP-IBGP for PEs to distribute VPN
routes learnt from CEs to each other.
2.
Set up EBGP peer relationship between the PE and the connected CE to import the VPN
routes to the VPN routing table of the PE.
3.
Configure the OSPF multi-instance between MCE and PE2 to exchange VPN routes.
Configure RIPv2 between MCE and CE3 to exchange VPN routes. Configure RIPv2
between MCE and CE4 to exchange VPN routes.
NOTE
When configuring OSPF multi-instance between MCE and PE2, configure as follows:
l In the OSPF view of the PE2, (This OSPF process refers to the process used for the configuration of
OSPF multi-instance) import the BGP route. Therefore, the MCE obtains the VPN routes that PE1 has
learned from CE1 or CE2.
l Import the OSPF routes (This OSPF process refers to the process used by the configuration of OSPF
multi-instance) in the BGP view of PE2. In this way, PE1 obtains the VPN route from the MCE.
Data Preparation
To complete this configuration, prepare the following data:
l
A VPN instance for each isolated service is created on PE1, PE2 and MCE. Set the name,
the RD and the VPN target for these VPN instances. Note that, VPN targets of different
VPN instances differ from each other. The VPN targets of the same VPN instance are
matched.
For different OSPF multi-instances, the OSPF process numbers must be different.
Issue 02 (2012-03-30)
192
On the MCE, the RIP process numbers used for importing the VPN routes of the CE3 should
differ from that of the CE4.
Procedure
Step 1 Run OSPF on routers of the backbone network to implement internetworking.
The detailed configuration procedure is not mentioned here.
After this configuration, the PEs can learn the loopback1 address of each other.
Consider PE2 as an example:
<PE2> display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: Public
Destinations : 7
Routes : 7
Destination/Mask Proto Pre Cost
Flags NextHop
Interface
1.1.1.9/32 OSPF
10
2
D 172.1.1.1
Ethernet1/0/0
2.2.2.9/32 Direct 0
0
D 127.0.0.1
InLoopBack0
127.0.0.0/8
Direct 0
0
D 127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
0
D 127.0.0.1
InLoopBack0
172.1.1.0/24 Direct 0
0
D 172.1.1.2
Ethernet1/0/0
172.1.1.1/32 Direct 0
0
D 172.1.1.1
Ethernet1/0/0
172.1.1.2/32 Direct 0
0
D 127.0.0.1
InLoopBack0
Step 2 Enable MPLS and MPLS LDP for PEs to set up an LSP between PEs.
The detailed configuration procedure is not mentioned here. After this configuration, run the
display mpls ldp session command on the PE. You can find that the session status of the MPLS
LDP between the PEs is "operational".
Consider PE2 as an example:
<PE2> display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
-------------------------------------------------------------------------PeerID
Status
LAM SsnRole SsnAge
KASent/Rcv
-------------------------------------------------------------------------1.1.1.9:0
Operational DU
Active
0000:00:04 17/17
-------------------------------------------------------------------------TOTAL: 1 session(s) Found.
Step 3 Configure VPN instances for PEs, and connect CE1 and CE2 to PE1, and MCE to PE2.
# Configure PE1.
<PE1> system-view
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface ethernet1/0/0
[PE1-Ethernet1/0/0] ip binding vpn-instance vpna
[PE1-Ethernet1/0/0] ip address 10.1.1.2 24
[PE1-Ethernet1/0/0] quit
Issue 02 (2012-03-30)
193
# Configure PE2.
<PE2> system-view
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] ipv4-family
[PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] ipv4-family
[PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface ethernet2/0/0
[PE2-Ethernet2/0/0] ip binding vpn-instance vpna
[PE2-Ethernet2/0/0] ip address 192.1.1.1 24
[PE2-Ethernet2/0/0] quit
[PE2]interface ethernet3/0/0
[PE2-Ethernet3/0/0] ip binding vpn-instance vpnb
[PE2-Ethernet3/0/0] ip address 192.2.1.1 24
[PE2-Ethernet3/0/0] quit
Step 4 Configure the VPN instance for MCE, and connect CE3,CE4 and PE2 to MCE.
<Huawei> system-view
[Huawei] sysname MCE
[MCE] ip vpn-instance vpna
[MCE-vpn-instance-vpna] ipv4-family
[MCE-vpn-instance-vpna-af-ipv4] route-distinguisher 300:1
[MCE-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[MCE-vpn-instance-vpna-af-ipv4] quit
[MCE-vpn-instance-vpna] quit
[MCE] ip vpn-instance vpnb
[MCE-vpn-instance-vpnb] ipv4-family
[MCE-vpn-instance-vpnb-af-ipv4] route-distinguisher 300:2
[MCE-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[MCE-vpn-instance-vpnb-af-ipv4] quit
[MCE-vpn-instance-vpnb] quit
[MCE] interface ethernet3/0/0
[MCE-Ethernet3/0/0] ip binding vpn-instance vpna
[MCE-Ethernet3/0/0] ip address 10.3.1.2 24
[MCE-Ethernet3/0/0] quit
[MCE] interface ethernet4/0/0
[MCE-Ethernet4/0/0] ip binding vpn-instance vpnb
[MCE-Ethernet4/0/0] ip address 10.4.1.2 24
[MCE-Ethernet4/0/0] quit
[MCE] interface ethernet1/0/0
[MCE-Ethernet1/0/0] ip binding vpn-instance vpna
[MCE-Ethernet1/0/0] ip address 192.1.1.2 24
[MCE-Ethernet1/0/0] quit
[MCE] interface ethernet2/0/0
[MCE-Ethernet2/0/0] ip binding vpn-instance vpnb
[MCE-Ethernet2/0/0] ip address 192.2.1.2 24
[MCE-Ethernet2/0/0] quit
Step 5 Set up MP-IBGP peer relationship between PE1 and PE2, and set up EBGP peer relationship
between PE1 and CE1, and between PE1 and CE2.
The detailed configuration procedure is not mentioned here. After this configuration, run the
display bgp vpnv4 all peer command on PE1. You can find the status of IBGP peer relationship
between PE1 and PE2 is "established". The state of EBGP peer relationship between PE1 and
CE1, and between PE1 and CE2 are "established".
Issue 02 (2012-03-30)
194
11
0 00:04:14 Established
12
0 00:04:09 Established
# Configure MCE.
<MCE> system-view
[MCE] ospf 100 vpn-instance
[MCE-ospf-100] area 0
[MCE-ospf-100-area-0.0.0.0]
[MCE-ospf-100-area-0.0.0.0]
[MCE-ospf-100] quit
[MCE] ospf 200 vpn-instance
[MCE-ospf-200] area 0
[MCE-ospf-200-area-0.0.0.0]
[MCE-ospf-200-area-0.0.0.0]
[MCE-ospf-200] quit
vpna
network 192.1.1.0 0.0.0.255
quit
vpnb
network 192.2.1.0 0.0.0.255
quit
Step 7 Configure RIPv2 between MCE and CE3, and between MCE and CE4.
# Configure MCE.
[MCE] rip 100
[MCE-rip-100]
[MCE-rip-100]
[MCE-rip-100]
[MCE-rip-100]
[MCE] rip 200
[MCE-rip-200]
[MCE-rip-200]
[MCE-rip-200]
vpn-instance vpna
version 2
network 10.0.0.0
import-route ospf 100
quit
vpn-instance vpnb
version 2
network 10.0.0.0
import-route ospf 200
# Configure CE3.
<Huawei> system-view
[Huawei] sysname CE3
Issue 02 (2012-03-30)
195
# Configure CE4.
<Huawei> system-view
[Huawei] sysname CE4
[CE4] rip 200
[CE4-rip-200] version 2
[CE4-rip-200] network 10.0.0.0
[CE4-rip-200] import-route direct
Step 8 Skip the test for loop on MCE, and import RIP routes.
<MCE> system-view
[MCE] ospf 100 vpn-instance vpna
[MCE-ospf-100] vpn-instance-capability simple
[MCE-ospf-100] import-route rip 100
[MCE] ospf 200 vpn-instance vpnb
[MCE-ospf-200] vpn-instance-capability simple
[MCE-ospf-200] import-route rip 200
Run the display ip routing-table vpn-instance command on the PE. You can find PE has a
route to each peer CE.
Consider vpna on PE1 as an example:
[PE1] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: vpna
Destinations : 5
Routes : 5
Destination/Mask Proto Pre Cost
Flags NextHop
Interface
10.1.1.0/24 Direct 0
0
D 10.1.1.2
Ethernet1/0/0
10.1.1.1/32 Direct 0
0
D 10.1.1.1
Ethernet1/0/0
10.1.1.2/32 Direct 0
0
D 127.0.0.1
InLoopBack0
10.3.1.0/24 EBGP
255 2
RD 2.2.2.9
Ethernet3/0/0
192.1.1.0/24 EBGP
255 0
RD 2.2.2.9
Ethernet3/0/0
CE1 and CE3 can ping through each other. Also, CE2 and CE4 can ping through each other.
Consider CE1 as an example:
[CE1] ping 10.3.1.1
PING 10.3.1.1: 56
Issue 02 (2012-03-30)
196
time=125
time=125
time=125
time=125
time=125
ms
ms
ms
ms
ms
The CE1 and CE3 can not ping through CE2 and CE4.
Consider the display of ping CE4 on CE1 as an example:
[CE1] ping 10.4.1.1
PING 10.4.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.4.1.1 ping statistics --5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
----End
Configuration Files
l
Issue 02 (2012-03-30)
197
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Ethernet2/0/0
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
interface Ethernet3/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
import-route direct
#
ipv4-family vpn-instance vpnb
peer 10.2.1.1 as-number 65420
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
Issue 02 (2012-03-30)
198
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip binding vpn-instance vpna
ip address 192.1.1.1 255.255.255.0
#
interface Ethernet3/0/0
ip binding vpn-instance vpnb
ip address 192.2.1.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
import-route ospf 100
#
ipv4-family vpn-instance vpnb
import-route ospf 200
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
ospf 100 vpn-instance vpna
import-route bgp
area 0.0.0.0
network 192.1.1.0 0.0.0.255
#
ospf 200 vpn-instance vpnb
import-route bgp
area 0.0.0.0
network 192.2.1.0 0.0.0.255
#
return
Issue 02 (2012-03-30)
199
Issue 02 (2012-03-30)
200
rip 200
version 2
network 10.0.0.0
import-route direct
#
return
Networking Requirements
As shown in Figure 2-11, CE1 and CE2 on the private network can mutually access. Meanwhile
a proxy server with the public network address is attached with CE1. Thus, users of CE1 can
access Internet through this proxy server. In this example, the P device serves as a substitute for
the Internet.
Figure 2-11 Example of enabling VPN users to access the public network
Loopback1
1.1.1.1/32
PE1
GE1/0/0
10.1.1.2/24
GE1/0/0
100.1.1.2/24
GE2/0/0
100.1.1.1/24
GE1/0/0
100.2.1.2/24
GE2/0/0
100.2.1.1/24
Internet
GE1/0/0
10.1.1.1/24
GE2/0/0
100.3.1.2/24
CE1
Loopback1
2.2.2.2/32
vpn1
AS100
Agent Server
100.3.1.1/24
AS 65410
Loopback1
3.3.3.3/32
PE2
GE2/0/0
10.2.1.2/24
GE1/0/0
10.2.1.1/24
CE2
vpn1
AS 65420
Configuration Roadmap
In this configuration, configure the L3VPN first. It needs the following static routes:
1.
2.
Add a default route from the VPN device to the Internet on PE1. The next hop is P. Thus,
the traffic of the proxy server can reaches the Internet.
3.
Add a static route from the Internet to the proxy server on PE1 and the next hop is CE1.
Use IGP to advertise this route to the Internet, Thus, the traffic of Internet can reaches the
server attached with CE1.
Issue 02 (2012-03-30)
201
Data Preparation
To complete the configuration, you need the following data:
l
RD of VPN
VPN-Target of VPN
Procedure
Step 1 Configure IGP.
Assign IP addresses for physical interfaces and loopback interfaces on the backbone network.
Run IGP on each router of the backbone so that PE1, P and PE2 can ping through each other,
and know the loopback address of each other. The detailed configuration procedure is not
mentioned here.
Step 2 Set up an MPLS LDP LSP and MP-IBGP peer relationship.
Set up an MPLS LSP and MP-IBGP peer relationship between the PEs. The detailed
configuration procedure is not mentioned here.
After the configuration given above, run the display mpls ldp session command on P. You can
find the LDP session "Status" between PE1 and P, and that between PE2 and P is "Operational".
The display on P is as follows:
<P> display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
-------------------------------------------------------------------------PeerID
Status
LAM SsnRole SsnAge
KASent/Rcv
------------------------------------------------------------------------1.1.1.1:0
Operational DU
Active
0000:00:05 23/23
3.3.3.3:0
Operational DU
Passive 0000:00:04 18/18
-------------------------------------------------------------------------TOTAL: 2 session(s) Found.
Run the display bgp vpnv4 all peer command on PE. You can find that the MP-IBGP peer
relationship state is "Established".
Consider PE1 as an example:
<PE1> display bgp vpnv4 all peer
BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 1
Peer
V
AS MsgRcvd
3.3.3.3
4
100
6
MsgSent
8
202
Run the command display bgp vpnv4 all peer on PE and you can see that the IBGP peer and
the EBGP peer are "Estabished".
Consider PE1 as an example:
<PE1> display bgp vpnv4 all peer
BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 2
Peers in established state : 2
Peer
V
AS MsgRcvd MsgSent OutQ Up/Down
State
3.3.3.3
4
100
127
134
0 01:39:44
Established
Peer of IPv4-family for vpn instance :
VPN-Instance vpn1, router ID 1.1.1.1:
10.1.1.1
4 65410
107
110
0 01:26:33
PrefRcv
2
Established
Step 4 Configure the static route to enable VPN to access the public network.
# Configure a default route on CE1 and the next hop is PE1.
<CE1> system-view
[CE1] ip route-static 0.0.0.0 0 10.1.1.2
# Configure PE1.
# Configure a default route from the proxy server of the VPN site to Internet. The next hop is
P. Specify the address of the next hop as public network address. That is, add a keyword public
after the next hop address in the command.
<PE1> system-view
[PE1] ip route-static vpn-instance vpn1 0.0.0.0 0 100.1.1.2 public
# Configure a static route back to the proxy server. The next hop is CE1.
[PE1] ip route-static 100.3.1.0 24 vpn-instance vpn1 10.1.1.1
# Use IGP to advertise the static route back to the proxy server on PE1 to the Internet.
[PE1] ospf 1
[PE1-ospf-1] import-route static
# Configure the proxy server. Set the IP address of the proxy server as 100.3.1.1/24. Set its
default gateway as CE1, that is, 100.3.1.2/24. A proxy software should also be run on the proxy
server.
Step 5 Verify the configuration.
Run the display ip routing-table vpn-instance command on PE1. You can find a default route,
with next hop being 100.1.1.2 and the out-interface being GigabitEthernet2/0/0, exists in the
VPN routing table.
[PE1] display ip routing-table vpn-instance vpn1
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: vpn1
Destinations : 7
Routes : 7
Destination/Mask Proto Pre Cost
Flags NextHop
Interface
0.0.0.0/0
Static 60
0
RD 100.1.1.2
GigabitEthernet2/0/0
10.1.1.0/24 Direct 0
0
D 10.1.1.2
GigabitEthernet1/0/0
10.1.1.1/32 Direct 0
0
D 10.1.1.1
GigabitEthernet1/0/0
Issue 02 (2012-03-30)
203
0
0
D
RD
127.0.0.1
3.3.3.3
255
RD
3.3.3.3
255
RD
3.3.3.3
255
InLoopBack0
10.1.1.1
Run the display ip routing-table command on PE1 to display that the route to the proxy server
exists in the public network routing table, and the IP address of next hop is 10.1.1.1.
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: Public
Destinations : 10
Routes : 10
Destination/Mask Proto Pre Cost
Flags NextHop
Interface
1.1.1.1/32 Direct 0
0
D 127.0.0.1
InLoopBack0
2.2.2.2/32 OSPF
10
2
D 100.1.1.2
GigabitEthernet2/0/0
3.3.3.3/32 OSPF
10
3
D 100.1.1.2
GigabitEthernet2/0/0
100.1.1.0/24 Direct 0
0
D 100.1.1.1
GigabitEthernet2/0/0
100.1.1.1/32 Direct 0
0
D 127.0.0.1
InLoopBack0
100.1.1.2/32 Direct 0
0
D 100.1.1.2
GigabitEthernet2/0/0
100.2.1.0/24 OSPF
10
2
D 100.1.1.2
GigabitEthernet2/0/0
100.3.1.0/24 Static 60
0
D 10.1.1.1
GigabitEthernet1/0/0
127.0.0.0/8
Direct 0
0
D 127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
0
D 127.0.0.1
InLoopBack0
ms
ms
ms
ms
ms
Configuration Files
l
Issue 02 (2012-03-30)
204
Configuration file of P
#
sysname P
#
Issue 02 (2012-03-30)
205
Issue 02 (2012-03-30)
206
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 100.2.1.0 0.0.0.255
#
return
Issue 02 (2012-03-30)
207
3 L2TP Configuration
L2TP Configuration
Issue 02 (2012-03-30)
208
3 L2TP Configuration
LAC
client
LAC
Remote
system
PSTN/
ISDN
Network
LNS
Internal
server
Network
PC
LAN
LAC
LNS
Issue 02 (2012-03-30)
Internal
server
209
3 L2TP Configuration
NAS-initialized: initiated by remote users. The remote user connects to the LAC through
Public Switched Telephony Network (PSTN) or Integrated Services Digital Network
(ISDN). The LAC sends a request to the LNS for establishing a tunnel connection through
the Internet. Remote user addresses are assigned by the LNS. The LNS or the agent on the
LAC performs authentication and accounting on the remote user.
Client-initialized: initiated directly by LAC users who support L2TP. In this mode, LAC
clients can send a request for establishing a tunnel connection directly to an LNS, without
the need to pass through the LAC device. The addresses of the LAC clients are assigned
by the LNS.
LAC-Auto-Initiated: In most cases, an L2TP user directly dials up to a LAC, and only PPP
connection is established between the user and LAC. If the LAC serves also as a PPP client,
connection between the user and LAC can be established in other modes in addition to PPP.
The users can send IP packets to the LAC, and then the LAC forwards the packets to the
LNS. To make the LAC serve as a PPP client, create a virtual PPP user and server on the
LAC. The virtual PPP user negotiates with the virtual PPP server, and the virtual PPP server
establishes an L2TP tunnel with the LNS to negotiate with the LNS.
The AR3200 can serve as a LAC and an LNS at the same time, and supports the incoming calls
of multiple concurrent users. If sufficient memory and line capacity are provided, L2TP can
receive and initiate multiple calls at the same time.
Applicable Environment
The L2TP group is an important concept that you need to know when configuring L2TP. After
configuring an L2TP group, you can flexibly configure L2TP functions on the device and realize
point-to-point or point-to-multipoint networking applications between the L2TP Access
Concentrator (LAC) and the L2TP Network Server (LNS).
Pre-configuration Tasks
None
Data Preparation
To configure basic L2TP functions, you need the following data.
Issue 02 (2012-03-30)
210
No.
Data
Names of the tunnels on the LAC side and the LNS side
3 L2TP Configuration
Context
The L2TP groups are numbered separately on the LAC and LNS. To establish the association
between the L2TP groups on LAC and LNS, you need to ensure that the configurations of the
L2TP groups are consistent, such as the received peer name of the tunnel, initiation of the L2TP
connection request, and LNS address.
After creating an L2TP group, you can configure other L2TP functions in the L2TP group view.
The configuration may vary with the role of the device (LAC or LNS).
Perform the following operations on the LAC side and the LNS side.
Procedure
Step 1 Run:
system-view
L2TP is enabled.
The L2TP functions can be realized only if L2TP is enabled. If L2TP is disabled, the device
cannot offer related L2TP functions even if parameters of L2TP have been configured.
By default, L2TP is disabled, and no L2TP group exists.
Step 3 Run:
l2tp-group group-number
211
3 L2TP Configuration
NOTE
The name of the tunnel on the LAC side must be the same as the remote end name of the receiving tunnel
on the LNS side.
----End
Applicable Environment
A device does not send a request for establishing an L2TP tunnel with another device or an LNS
server until certain conditions are met.
To judge whether a user is an access user and whether a connection with the LNS needs to be
established, you must set conditions to distinguish the information about the access user and
specify the IP address of the LNS.
Either of two triggering conditions, namely, a full user name, or the specified domain name of
a user, is needed to initiate the L2TP connection request.
When initiating a tunnel establishment request, the LAC needs to send the source address of the
tunnel to the LNS.
Pre-configuration Tasks
Before configuring the LAC, complete the following tasks:
l
Data Preparation
To configure the LAC, you need the following data.
Issue 02 (2012-03-30)
No.
Data
Interface type and interface number used to initiate the request for tunnel establishment
212
3 L2TP Configuration
No.
Data
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Context
Enterprises expect virtual private networks (VPNs) to be constructed between the headquarters
and branches. The VPN construction costs, however, are high if the enterprises lease resources
from carriers. The VPDN technology allows an enterprise to construct a VPN, and the carrier
needs to provide Internet access for the enterprise. The investments are lowered. Branch routers
establish the VPDN network by dialing up and serve as PPP clients and LACs.
Perform the following steps on the router.
Issue 02 (2012-03-30)
213
3 L2TP Configuration
Procedure
Step 1 Run:
system-view
A virtual template interface is created and the virtual template interface view is displayed.
Step 3 Configure an IP address for the virtual interface in any of the following methods:
l
Run:
ip address ip-address { mask | mask-length }
Run:
ip address ppp-negotiate
Run:
ip address unnumbered interface interface-type interface-number
The virtual template interface is configured to borrow an IP address from another interface.
Step 4 Run the following command as required.
l
Run:
ppp pap local-user username password { cipher | simple } password
1.
Run:
ppp chap user username
Run:
ppp chap password { cipher | simple } password
214
3 L2TP Configuration
packets from users are sent out from the LAC through the PPP interface and reach the LNS
through an L2TP tunnel.
----End
Context
NOTE
For more information about Authorization, Authentication and Accounting (AAA), refer to the Huawei
AR3200 Series Enterprise Routers Configuration Guide - Security.
Procedure
Step 1 Run:
system-view
215
3 L2TP Configuration
Procedure
l
Run:
system-view
Run:
aaa
Run:
authentication-scheme authentication-scheme-name
Run:
authentication-mode radius
Run:
quit
Run:
accounting-scheme accounting-scheme-name
An accounting scheme is created and the view of the accounting scheme is displayed.
NOTE
7.
Run:
accounting-mode radius
Run:
system-view
Run:
radius-server template template-name
Run:
radius-server authentication ip-address port
The IP address and port of the RADIUS authentication server are configured.
4.
Run:
radius-server accounting ip-address port
Issue 02 (2012-03-30)
216
3 L2TP Configuration
The IP address and port of the RADIUS accounting server are configured.
5.
Run:
radius-server shared-key { cipher | simple
} key-string
Run:
radius-server retransmit retry-times
Creating a Domain and Applying the RADIUS Template and the Authentication and
Accounting Scheme
Do as follows on the router:
1.
Run:
system-view
Run:
aaa
Run:
domain domain-name
Run:
radius-server template-name
Run:
authentication-scheme authentication-scheme-name
Run:
accounting-scheme accounting-scheme-name
The mandatory configurations on the RADIUS service are the user name, password, IP address for
the NAS device to access the RADIUS server, shared key, and port number of the RADIUS server.
The user name and password must be set the same as the user side.
----End
Prerequisites
The configurations of the LAC function are complete.
Issue 02 (2012-03-30)
217
3 L2TP Configuration
Procedure
l
Run the display l2tp tunnel command to check information about the L2TP tunnel.
Run the display l2tp session command to check information about the L2TP session.
Run the display l2tp-group [ group-number ] command to check the configuration about
one special L2TP group.
----End
Example
Run the display l2tp tunnel command on the LAC side. If information about the L2TP tunnel
is displayed, it means the configurations on both the LAC side and the LNS side succeed. For
example:
<Huawei> display l2tp tunnel
Total tunnel = 1
LocalTID RemoteTID RemoteAddress
1
1
202.38.160.1
Port
57344
Sessions RemoteName
1
LAC
Run the display l2tp session command, and you can view that the L2TP session is established.
For example:
<Huawei> display l2tp session
Total session = 1
LocalSID RemoteSID
2036
1469
LocalTID
1
Run the display l2tp-group [ group-number ] command, and you can check the configuration
about one special L2TP group. For example:
<Huawei> display l2tp-group 1
----------------------------------------------L2tp-index
:
1
GroupType
:
REQUEST_DIALIN_L2TP
TunnelAuth
:
Use tunnel authentication
LocalName
:
lac1
TunnelPass
:
huawei
Encrypt
:
0
Hello
:
60
Retransmit
:
5
Timeout
:
2
IfIndex
:
4294967295
SrcIp
:
255.255.255.255
VtNum
:
0
RemoteName
:
ForceChap
:
0
LcpReg
:
0
LcpMismatch
:
0
tunnel each user
:
0
-----------------------------------------------
Issue 02 (2012-03-30)
218
3 L2TP Configuration
Applicable Environment
An LNS offers different virtual templates to receive the tunnel-establishing requests from
different LACs. After receiving one of these requests, the LNS needs to check whether the name
of the LAC (remote end) are valid, and then decide whether to permit the remote end to establish
a tunnel.
After an LAC performs the user authentication, an LNS can re-authenticates the user. That is,
the user is authenticated twice. One is on the LAC, and the other is on the LNS.
After a user passes the authentication on the LNS, the user can communicate with the LNS. If
the user authentication on the LNS fails, L2TP is notified to remove the L2TP connection. In
this manner, an L2TP tunnel is established only after authentications on both the LAC and the
LNS are successful.
The LNS authenticates users in three ways, namely, agent authentication, mandatory CHAP
authentication, and LCP re-negotiation. Among them, the LCP re-negotiation has the highest
priority.
l
LCP re-negotiation
LCP re-negotiation adopts the authentication mode configured on the related virtual
template.
For the NAS-initialized VPN service, a user firstly performs the PPP negotiation with
the NAS when a PPP session starts. If the negotiation is performed well, then NAS
initializes an L2TP tunnel connection, and transmits user information to the LNS. The
LNS then judges whether the user is legal or not based on the received agent
authentication information.
If a more restrict authentication is required on the LNS, or the LNS needs to obtain
certain user information directly (Mostly when the LNS and LAC are from different
providers), LCP re-negotiation needs to be performed between the LNS and the user,
whereas the agent authentication information on the NAS is ignored.
Agent authentication
If neither LCP re-negotiation nor mandatory CHAP authentication is configured, the LNS
performs agent authentication for users. In this authentication mode, the LAC sends all user
authentication information to the LNS. The LNS then authenticate the user information
based on the local configuration.
Suppose the authentication mode configured on the virtual template is CHAP, and that
configured on LAC is PAP when LNS adopts agent authentication. The authentication
cannot pass successfully, because the authentication level of CHAP is higher than that of
PAP.
Issue 02 (2012-03-30)
219
3 L2TP Configuration
NOTE
After LCP re-negotiation is enabled, if authentication is not configured on the related virtual template, LNS
will not perform secondary authentication for the user. In this manner, the user is authenticated only once
on the LAC.
For other cases, secondary authentication is performed. The authentication mode "none" is also a type of
authentication.
Pre-configuration Tasks
Before configuring the LNS, you need to complete the following tasks:
l
Data Preparation
To configure LNS, you need the following data.
No.
Data
Context
Do as follows on LNS:
Procedure
Step 1 Run:
system-view
220
3 L2TP Configuration
l If the L2TP group number is not 1, run the allow l2tp virtual-template virtual-templatenumber remote remote-name command.
l If the L2TP group number is 1, run the allow l2tp virtual-template virtual-templatenumber [ remote remote-name ] command.
The default L2TP group number is 1. When the group number of L2TP is set to 1, you need not
specify the remote name of the tunnel. If you specify the name of the remote end in the view of
the L2TP group 1, L2TP group 1 will not be regarded as the default L2TP group any more.
NOTE
Only the L2TP group with the group number 1 can be set as the default group.
In the same L2TP group, the start command and the allow l2tp command are mutually exclusive. When
one is configured, the other becomes invalid automatically.
----End
Context
NOTE
For more information about AAA, refer to the Huawei AR3200 Series Enterprise Routers Configuration
Guide - Security.
Do as follows on LNS:
Procedure
Step 1 Run:
system-view
Issue 02 (2012-03-30)
221
3 L2TP Configuration
Context
In the AR3200, each access user belongs to a domain. If a user with no domain specified accesses
an L2TP tunnel, the user uses the default domain. After the L2TP tunnel between the LAC and
LNS is set up, the LNS should assign the IP address for the access user from the address pool
of the user domain.
Procedure
Step 1 For details of the address pool configuration and address assignment, refer to the Huawei
AR3200 Series Enterprise Routers Configuration Guide - IP Services and Configuration Guide
- Security.
----End
Prerequisites
The configurations of the LNS function are complete.
Procedure
l
Run the display l2tp tunnel command to check information about the L2TP tunnel.
Run the display l2tp session command to check information about the L2TP session.
Issue 02 (2012-03-30)
222
3 L2TP Configuration
Run the display l2tp-group [ group-number ] command to check the configuration about
one special L2TP group.
Run the display access-user command to view information about the accessed users.
----End
Example
Run the display l2tp tunnel command. If information about the L2TP tunnel is displayed, it
means the configuration succeeds. For example:
<Huawei> display l2tp tunnel
Total tunnel = 1
LocalTID RemoteTID RemoteAddress
1
1
12.1.1.1
Port
1701
Sessions RemoteName
1
LNS
Run the display l2tp session command, and you can view that the L2TP session is established.
For example:
<Huawei> display l2tp session
Total session = 1
LocalSID RemoteSID
1
1
LocalTID
1
Run the display l2tp-group [ group-number ] command, and you can check the configuration
about one special L2TP group. For example:
<Huawei> display l2tp-group 1
----------------------------------------------L2tp-index
:
1
GroupType
:
ACCEPT_DIALIN_L2TP
TunnelAuth
:
Use tunnel authentication
LocalName
:
lns
TunnelPass
:
huawei
Encrypt
:
0
Hello
:
60
Retransmit
:
5
Timeout
:
2
IfIndex
:
4294967295
SrcIp
:
255.255.255.255
VtNum
:
1
RemoteName
:
lac1
ForceChap
:
0
LcpReg
:
0
LcpMismatch
:
0
tunnel each user
:
0
-----------------------------------------------
223
3 L2TP Configuration
Applicable Environment
This section describes the common L2TP configurations, which can be applied for either the
LAC or the LNS.
l
Tunnel authentication: Either an LAC or an LNS can send tunnel authentication requests.
An L2TP tunnel can be established only if both the LAC and the LNS are enabled with the
tunnel authentication, and have the same password (not null). Otherwise, the local end
disconnects the tunnel automatically. If the tunnel authentications are disabled on both ends,
the L2TP tunnel still cannot be established even if the passwords on two ends are the same.
Attribute Value Pair (AVP) hidden transmission: AVP is adopted in the L2TP protocol to
transmit and negotiate some parameter attributes of L2TP. For the sake of security, users
transmit these AVPs in hidden mode.
Hello packets sending: To check the connectivity of a tunnel, the LAC and the LNS send
Hello packets to each other periodically, and the receiver responds the peer within a
specified interval. If no response is received from the peer within the specified interval, the
local end resends the Hello packets. After the Hello packets are resent for more than three
times, the L2TP tunnel is regarded as disconnected. The tunnel connection needs to be reestablished between the LAC and the LNS.
NOTE
All the configurations described in this section are optional. You can take the default settings in most cases.
Pre-configuration Tasks
None
Data Preparation
To adjust the L2TP connection, you need the following data.
No.
Data
Context
Do as follows on the LNS side or the LAC:
Procedure
Step 1 Run:
system-view
Issue 02 (2012-03-30)
224
3 L2TP Configuration
If tunnel authentication is enabled on one end (either the LAC or the LNS), the peer must be enabled with
tunnel authentication.
Context
Do as follows on the LNS or the LAC:
Procedure
Step 1 Run:
system-view
225
3 L2TP Configuration
Step 3 Run:
tunnel timer hello interval
Procedure
l
Run the reset l2tp tunnel { peer-name remote-name | local-id tunnel-id } command to
disconnect the L2TP tunnel forcibly in the user view.
If the parameter peer-name is specified, all the tunnels with this name are cleared. If the
parameter tunnel-id is specified, only the tunnel with this tunnel ID is cleared.
A tunnel is cleared when the number of access users is 0, a network fault occurs, or the
administrator needs to disconnect the tunnel.
In addition, either the LAC or the LNS can request for clearing a tunnel initiatively. The
side receiving the clearing request must reply with the Acknowledgement (ACK) message,
and then wait for a certain period before performing the tunnel clearing operation. In this
manner, even if the ACK message is lost, the side can still have time to receive the resent
clearing request.
After an L2TP tunnel is disconnected forcibly, all control and session connections in the
tunnel are cleared. The tunnel can be re-established when a new user dials in.
----End
Context
In routine maintenance, you can run the following commands to view the running status of L2TP.
Procedure
l
Issue 02 (2012-03-30)
Run the display l2tp session command to view information about the L2TP session.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
226
3 L2TP Configuration
Run the display l2tp tunnel command to view information about the L2TP tunnel.
Run the display access-user command to view information about the user sessions.
Run the display l2tp-group command to view information about current L2TP groups.
----End
Context
NOTE
Debugging affects the system performance. So, after the debugging, run the undo debugging all command
to disable it immediately.
When an L2TP fault occurs, run the following debugging commands in the user view to debug
L2TP and locate the fault.
For the procedure of outputting the debugging information, see the chapter "Maintenance and
Debugging" in the Huawei AR3200 Series Enterprise Routers Configuration Guide - System
Management.
Procedure
l
Run the debugging l2tp all command in the user view to enable complete L2TP debugging.
Run the debugging l2tp control command in the user view to enable control packet
debugging.
Run the debugging l2tp dump command in the user view to enable PPP packet debugging.
Run the debugging l2tp error command in the user view to enable L2TP error debugging.
Run the debugging l2tp event command in the user view to enable L2TP event debugging.
Run the debugging l2tp hidden command in the user view to enable hidden AVP
debugging.
Run the debugging l2tp payload command in the user view to enable L2TP packet
debugging.
Run the debugging l2tp timestamp command in the user view to enable L2TP time stamp
debugging.
----End
227
3 L2TP Configuration
Networking Requirements
As shown in Figure 3-2, PC1 connects the Public Switched Telephone Network (PSTN) through
a Modem; and then connects the LAC, namely, Router A, across the PSTN. PC2 connects Router
A through a tunnel. The LAC and the LNS are connected through the Internet. The LAC and
the LNS communicate with each other through a tunnel. Users access the tunnel by using domain
names. On both the LAC and the LNS, the user name and the password are authenticated locally.
NOTE
When the AR3200 communicates with a non-Huawei device, configure the AR3200 to invert clock signals
transmitted by a synchronous serial interface as required.
Modem
PC1
PSTN
RouterB
RouterA
Internet
ISDN
LNS
LAC
Tunnel
PC2
Server
headquarters
Configuration Roadmap
The configuration roadmap is as follows:
1.
A user intends to communicate with the server in the headquarters. The IP address of the
server is a private address. In this manner, the user cannot access the server directly through
the Internet. A VPN is then needed to help the user access the data of the internal network.
2.
The user accesses the headquarters by using the domain name "huawei.com". The LNS
needs to configure an address pool in this domain that can allocate an IP address for the
user.
Data Preparation
To complete the configuration, you need the following data:
l
Consistent user name, domain name, and password of the router at both the user side and
the LAC side
Protocol used on the LNS side, tunnel authentication mode (CHAP is used), password for
the tunnel, and local and remote names of the LNS
Issue 02 (2012-03-30)
228
3 L2TP Configuration
Procedure
Step 1 Configure the user side.
Create a dial-in connection, and an access number named Huawei1. In addition, receive the
address assigned by the LNS server.
Enter the user name "vpdnuser@huawei.com" in the dial-up terminal window that pops up, with
the password being Hello. Note that the user name and password should have been registered
on the LNS server of the company.
Step 2 Configure Router A (LAC).
In this example, the IP address of Serial 1/0/0 on the LAC that connects the tunnel is
202.38.160.1; the IP address of Serial 1/0/0 on the LNS that connects the tunnel is 202.38.160.2.
# Configure IP addresses for both serial ports.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface serial 1/0/0
[RouterA-Serial1/0/0] link-protocol ppp
[RouterA-Serial1/0/0] ip address 202.38.160.1 255.255.255.0
[RouterA-Serial1/0/0] quit
# Set the user name and password. Note that the user name and password must be consistent
with those set on the user side.
[RouterA] aaa
[RouterA-aaa] local-user vpdnuser@huawei.com password simple Hello
[RouterA-aaa] local-user vpdnuser@huawei.com service-type ppp
Issue 02 (2012-03-30)
229
3 L2TP Configuration
# Configure the name of the local end and the name of the peer.
[RouterB-l2tp1] tunnel name LNS
[RouterB-l2tp1] allow l2tp virtual-template 1 remote LAC
# # Set the user name and password. Note that the user name and password must be consistent
with those set on the LAC side.
[RouterB] aaa
[RouterB-aaa] local-user vpdnuser@huawei.com password simple Hello
[RouterB-aaa] local-user vpdnuser@huawei.com service-type ppp
Port
57344
Sessions RemoteName
1
LAC
Run the display l2tp session command. You can check whether the L2TP session is set up. Take
the display on the LNS side as an example.
[RouterB] display l2tp session
Total session = 1
LocalSID RemoteSID
2036
1469
LocalTID
1
In this manner, VPN users can access the server in the headquarters.
----End
Configuration Files
l
Issue 02 (2012-03-30)
230
3 L2TP Configuration
#
l2tp
enable
#
aaa
authentication-scheme
default
authorization-scheme
default
accounting-scheme
default
domain
default
domain
default_admin
domain
huawei.com
local-user vpdnuser@huawei.com password simple
Hello
local-user vpdnuser@huawei.com service-type
ppp
#
interface
Serial1/0/0
link-protocol
ppp
ip address 202.38.160.1
255.255.255.0
#
l2tp-group
1
tunnel password simple
quidway
tunnel name
LAC
start l2tp ip 202.38.160.2 domain
huawei.com
#
return
Issue 02 (2012-03-30)
231
3 L2TP Configuration
255.255.255.0
#
interface
Serial1/0/0
link-protocol
ppp
ip address 202.38.160.2
255.255.255.0
#
l2tp-group
1
mandatorychap
allow l2tp virtual-template 1 remote
LAC
tunnel password simple
quidway
tunnel name
LNS
#
return
Networking Requirements
As shown in Figure 3-3, Users access the NAS through the PSTN or the Integrated Services
Digital Network (ISDN). The LNS, namely, Router A, connects the NAS through the Internet.
Figure 3-3 Networking diagram of NAS-initialized VPN
Internet
PSTN/ISDN
VPN
Client
Tunnel
NAS
RouterA
LNS
Headquarters
Configuration Roadmap
The procedure for a user to access the headquarters is as follows:
1.
2.
The NAS performs the user authentication. If the user is found to be a VPN user, the NAS
sends a tunnel-connecting request to the LNS.
3.
After a tunnel between the NAS and the LNS is set up, the NAS sends the information
about the negotiation with the VPN user as the contents of the packets to the LNS.
4.
The LNS decides whether to accept the connecting request according to the negotiated
information.
Issue 02 (2012-03-30)
232
3 L2TP Configuration
5.
The user communicates with the headquarters by using the tunnel between the NAS and
the LNS.
6.
The user accesses the headquarters network by using the default domain (the domain name
is "default") and adopts the local authentication. The addresses are allocated from the
address pool. In this mode, the address pool should be configured in the AAA view of the
LNS.
Data Preparation
To complete the configuration, you need the following data:
l
User name and password for the Remote Authentication Dial in User Service (RADIUS)
authentication (the same as user name and password of the VPN)
On the LNS router, number of the virtual template, IP address and mask of the template,
and L2TP group number
Procedure
Step 1 Configure the user side.
Enter the VPN user name "vpdnuser", the password "Hello", and the access code "170" in the
dial-up network window. Then enter the user name and password for the RADIUS authentication
in the dial-up terminal window.
Step 2 Configure NAS.
In this example, the access server is used as the LAC device.
# Set 170 as the access code on the access server.
# On the RADIUS access server, set the user name and password for a VPN user, and set the IP
address for the corresponding LNS device. (In this example, the IP address of the LNS interface
connected with the tunnel is 202.38.160.2.)
# Define the local device name as A8010, and fulfill the tunnel authentication. The password
used in the tunnel authentication is "huawei".
NOTE
Issue 02 (2012-03-30)
233
3 L2TP Configuration
# Configure the name of the tunnel local end and the peer end on LNS.
[RouterA-l2tp1] tunnel name LNS
[RouterA-l2tp1] allow l2tp virtual-template 1 remote A8010
# Set the user name and password, which must be the same as those set on the user side.
[RouterA] aaa
[RouterA-aaa] local-user vpdnuser password simple Hello
[RouterA-aaa] local-user vpdnuser service-type ppp
[RouterA-aaa] quit
Port
1701
Sessions RemoteName
1
A8010
Running the display l2tp session command, you can check whether sessions are set up. Take
the display on the LNS as an example.
<RouterA> display l2tp session
Total session = 1
LocalSID RemoteSID
1469
2036
LocalTID
1
In this manner, the VPN user can access the network of the headquarters.
----End
Configuration Files
NOTE
Issue 02 (2012-03-30)
234
3 L2TP Configuration
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
local-user vpdnuser password simple Hello
local-user vpdnuser service-type ppp
#
interface Virtual-Template1
ppp authentication-mode chap
remote address pool 1
ip address 192.168.0.1 255.255.255.0
#
interface Serial 1/0/0
link-protocol ppp
ip address 202.38.160.2 255.255.255.0
#
l2tp-group 1
allow l2tp virtual-template 1 remote A8010
tunnel password simple huawei
tunnel name LNS
#
return
Networking Requirements
As shown in Figure 3-4, the staff on business trip accesses the NAS through the PSTN, and
Router A on the LNS side of the company headquarters connects the NAS through the Internet.
The data generated during the communication between the staff and the LNS is transmitted
through the tunnel.
Figure 3-4 Networking diagram of client-initialized VPNs
Staff on
errands
RouterA
LNS
NAS
PSTN
Internet
Tunnel
Server
Headquarters
Configuration Roadmap
The configuration roadmap is as follows:
1.
The VPN user firstly connects the Internet, and then originates the tunnel connection request
to the LNS.
2.
A virtual tunnel is set up between the VPN user and the LNS after the LNS accepts this
connection request.
Issue 02 (2012-03-30)
235
3 L2TP Configuration
3.
The VPN user communicates with the company headquarters by using the tunnel between
the VPN user and LNS.
4.
The VPN user accesses the network with the default domain (the domain name is "default")
and adopts the local authentication by default. The address is allocated from the address
pool. In this condition, you need to configured the address pool in the AAA view on the
LNS.
Data Preparation
To complete the configuration, you need the following data:
l
IP address of the interface through which the LNS connects with the tunnel
Number, IP address, and mask of the virtual-template interface, as well as L2TP group
number
Procedure
Step 1 Configure the devices on the VPN client side.
The L2TP client software must be configured on the host of the VPN client side and users can
connect to the Internet by dialing up. Then perform the following configurations. Note that the
setting process may vary with the client software.
# Set the VPN user name as "vpdnuser", and the password as "Hello".
# Set the IP address of LNS as the IP address of the interface on the router to access the Internet.
In this example, the IP address of the interface on the LNS connected with the tunnel is
202.38.160.2.
# Modify connection attributes, and adopt the L2TP protocol.
# If the hosts on the client side support IPSec, disable IPSec.
Step 2 Configure the LNS routers.
# Create and configure a virtual-template interface.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface virtual-template 1
[RouterA-Virtual-Template1] ip address 192.168.0.1 255.255.255.0
[RouterA-Virtual-Template1] ppp authentication-mode chap
[RouterA-Virtual-Template1] remote address pool 1
[RouterA-Virtual-Template1] quit
# Configure the names of the local end and the tunnel peer on the LNS.
[RouterA-l2tp1] tunnel name LNS
[RouterA-l2tp1] allow l2tp virtual-template 1 remote vpdnuser
Issue 02 (2012-03-30)
236
3 L2TP Configuration
[RouterA-l2tp1] quit
# Set the user name and password the same as the configurations on the VPN client side.
[RouterA] aaa
[RouterA-aaa] local-user vpdnuser password simple Hello
[RouterA-aaa] local-user vpdnuser service-type ppp
[RouterA-aaa] quit
Port
2134
Sessions RemoteName
1
vpdnuser
Run the display l2tp session command. You can find that the session is set up. For example:
[RouterA] display l2tp session
Total session = 1
LocalSID RemoteSID LocalTID
1576
1036
1
Configuration Files
The configuration file of the LNS is as follows:
NOTE
Issue 02 (2012-03-30)
237
3 L2TP Configuration
Networking Requirements
Departments in the enterprise headquarters need to use independent network segments. Staff in
branches need to access the networks of their own departments. To meet these requirements, an
L2TP tunnel can be established between the branch routers and router in the headquarters. As
shown in Figure 3-5, a PC in the branch connects to the LAC (RouterA) through a LAN interface,
and RouterA connects to the LNS (RouterB) through the Internet. The tunnel between RouterA
and RouterB implements communication between the branch and headquarters.
NOTE
When the AR3200 communicates with a non-Huawei device, configure the AR3200 to invert clock signals
transmitted by a synchronous serial interface as required.
PC
RouterB
RouterA
Serial1/0/0
12.1.1.2/24
LAN
192.168.1.0/24
Internet
Serial1/0/0
12.1.1.1/24
LNS
LAC
Tunnel
Server
headquarters
192.168.0.2/24
Configuration Roadmap
The configuration roadmap is as follows:
1.
Enable L2TP and create a virtual PPP user on the LAC. The virtual PPP user sends a
connection request to the server in the headquarters through the L2TP tunnel. After the
request is authenticated, the server assigns a private IP address to the virtual PPP user.
2.
Configure a route with the destination segment of headquarters, and outbound interface of
the virtual PPP user interface. Enable the auto-dial function on the LAC.
3.
Data Preparation
To complete the configuration, you need the following data:
l
Protocol used on the LNS, authentication mode (CHAP is used in this example), tunnel
password, local and remote device names of the LNS.
Issue 02 (2012-03-30)
238
3 L2TP Configuration
Procedure
Step 1 Configure RouterA (the LAC side).
In this example, the IP address of Serial1/0/0 on RouterA is 12.1.1.2, and the IP address of
Serial1/0/0 on RouterB is 12.1.1.1.
# Assign an IP address to Serial1/0/0 on RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface serial 1/0/0
[RouterA-Serial1/0/0] link-protocol ppp
[RouterA-Serial1/0/0] ip address 12.1.1.2 255.255.255.0
[RouterA-Serial1/0/0] quit
# Set the user name and password, which must be the same as those on the user side.
[RouterA] aaa
[RouterA-aaa] local-user huawei password simple 123
[RouterA-aaa] local-user huawei service-type ppp
[RouterA-aaa] quit
# Configure the user name and password, authentication mode, and IP address for the virtual
PPP user.
[RouterA] interface virtual-template 1
[RouterA-Virtual-Template1] ppp pap local-user huawei password simple 123
[RouterA-Virtual-Template1] ip address 13.1.1.2 255.255.255.0
[RouterA-Virtual-Template1] quit
# Configure a private route so that the packets sent to the headquarters are forwarded through
L2TP tunnels.
[RouterA] ip route-static 192.168.0.0 255.255.255.0 Virtual-Template1
Issue 02 (2012-03-30)
239
3 L2TP Configuration
[RouterB-Virtual-Template1]
[RouterB-Virtual-Template1]
[RouterB-Virtual-Template1]
[RouterB-Virtual-Template1]
# Set the local and remote device names for the LNS.
[RouterB-l2tp1] tunnel name LNS
[RouterB-l2tp1]allow l2tp virtual-template 1 remote LAC
# Set the user name and password, which must be the same as those on the LAC side.
[RouterB] aaa
[RouterB-aaa] local-user huawei password simple 123
[RouterB-aaa] quit
Port
1701
Sessions RemoteName
1
LNS
# Run the display l2tp session command to check the session status. The following shows the
command output on the LNS:
[RouterB] display l2tp session
Total session = 1
LocalSID RemoteSID
1
1
LocalTID
1
# The VPN user can access the resources in the enterprise headquarters.
----End
Configuration Files
l
#
sysname RouterA
#
l2tp enable
#
aaa
authentication-scheme default
Issue 02 (2012-03-30)
240
3 L2TP Configuration
authorization-scheme default
accounting-scheme default
domain default
local-user huawei password simple 123
local-user huawei service-type ppp
#
interface Virtual-Template1
ppp pap local-user huawei password simple 123
ip address 13.1.1.2 255.255.255.0
l2tp-auto-client enable
#
interface Serial1/0/0
link-protocol ppp
ip address 12.1.1.2 255.255.255.0
#
l2tp-group 1
tunnel password simple 123
tunnel name LAC
start l2tp ip 12.1.1.1 fullusername huawei
#
ip route-static 192.168.0.0 255.255.255.0 Virtual-Template1
#
return
#
sysname RouterB
#
l2tp enable
#
ip pool 1
gateway-list 13.1.1.1
network 13.1.1.0 mask 255.255.255.0
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
local-user huawei password simple 123
local-user huawei service-type ppp
#
interface Virtual-Template1
ppp authentication-mode pap
remote address pool 1
ip address 13.1.1.1 255.255.255.0
#
interface Serial1/0/1
link-protocol ppp
ip address 12.1.1.1 255.255.255.0
#
l2tp-group 1
allow l2tp virtual-template 1 remote LAC
tunnel password simple 123
tunnel name LNS
#
return
Issue 02 (2012-03-30)
241
4 IPSec Configuration
IPSec Configuration
242
4 IPSec Configuration
Issue 02 (2012-03-30)
243
4 IPSec Configuration
Encapsulation mode
Transport mode: AH or ESP is inserted behind the IP header but before all transportlayer protocols, as shown in Figure 4-1.
Tunnel mode: AH or ESP is inserted before the original IP header but behind a new IP
header, as shown in Figure 4-2.
Figure 4-1 Packet format in transport mode
Mode
transport
Protocol
AH
ESP
AH-ESP
Issue 02 (2012-03-30)
data
ESP
Tail
IP Header AH ESP TCP Header data ESP Tail ESP Auth data
244
4 IPSec Configuration
tunnel
Protocol
AH
ESP
ESP
raw IP
Header
AH-ESP new IP Header AH ESPraw IP Header TCP Header data ESP TailESP Auth data
Negotiation mode
IPSec uses two negotiation modes to establish SAs: manual mode (manual) and IKE
negotiation mode (isakmp).
In manual mode or IKE negotiation mode, an IPSec tunnel is established based on ACLs.
IPSec peers can use various security protection measures (authentication, encryption, or
both) on different data flows.
The general process of establishing an IPSec tunnel in manual mode or IKE negotiation
mode is as follows:
1.
2.
3.
Configure an IPSec policy or an IPSec policy group to specify the association between
data flows and the IPSec proposal (protection measures for the data flows), SA
negotiation mode, peer IP address (start and end points of the protection path), required
key, and SA lifetime.
4.
Issue 02 (2012-03-30)
245
4 IPSec Configuration
Configuring the router as a PE and associating the VPN instance with the PE
interface connected to the CE
l
An IPSec tunnel established using an IPSec tunnel interface is based on routes. If the
outbound interface in a route is the IPSec tunnel interface, IPSec protects the data flows
forwarded along the route. The IPSec configuration takes effect after the configured IPSec
profile is applied to the IPSec tunnel interface.
The general process of establishing an IPSec tunnel using tunnel interfaces is as follows:
1.
2.
3.
Configure an IPSec profile and bind it to an IPSec profile to protect data flows, IKE
peer parameters, and SA lifetime.
4.
When an IPSec tunnel is established using the Efficient VPN policy, only mandatory
parameters, such as the IP address and pre-shared key, need to be configured on the remote
device. Other parameters, such as authentication and encryption algorithms used in IKE
negotiation, and the IPSec proposal, are preconfigured on the server. When the remote
device initiates IPSec tunnel negotiation, it sends its IKE capabilities including
authentication algorithm and encryption algorithm, and IPSec proposal it supports to the
server. The server establishes an IPSec tunnel with the remote device according to the
preconfigured IPSec tunnel parameters and those sent from the remote device.
NOTE
The Efficient VPN function is used with a license. To use the Efficient VPN function, apply for and purchase
the following license from the Huawei local office:
l
Applicable Environment
Data flows must be authenticated to ensure data transmission security. In a high security scenario,
data flows must be authenticated and encrypted. In such a scenario, configure IPSec on the device
that initiates the IPSec service and the device that terminates the IPSec service.
Pre-configuration Tasks
Before establishing an IPSec tunnel manually, complete the following tasks:
l
Setting parameters of the link-layer protocol for the interfaces to ensure that the link-layer
protocol on the interfaces is Up
Issue 02 (2012-03-30)
246
4 IPSec Configuration
Data Preparation
To establish an IPSec tunnel manually, you need the following data.
No.
Data
NOTE
Procedure
Step 1 Run:
system-view
l The ACL must be configured to match the data flows accurately. It is recommended that you set the
action of the ACL rule to permit for the data flows that need to be protected.
l Create different ACLs and IPSec policies for the data flows with different security requirements.
----End
Issue 02 (2012-03-30)
247
4 IPSec Configuration
Procedure
Step 1 Run:
system-view
248
4 IPSec Configuration
Context
CAUTION
When configuring SPI, string authentication key (string-key), hexadecimal authentication key
(authentication-hex), and hexadecimal encryption key (encryption-hex) on two ends of an
IPSec tunnel, ensure that the inbound parameters on the local end are the same as the outbound
parameters on the remote end, and the outbound parameters on the local end are the same as the
inbound parameters on the remote end.
Procedure
Step 1 Run:
system-view
249
4 IPSec Configuration
NOTE
The security protocol must be the same as the security protocol specified in the transform command in
4.3.3 Configuring an IPSec Proposal. If the security protocol specified in transform is ah-esp, both the
ah and esp protocols must be configured in the sa spi command.
Step 8 Run:
sa spi outbound { ah | esp } spi-number
Step 9 Run:
sa authentication-hex { inbound | outbound } { ah | esp } hex-key
CAUTION
Use the same key format on the two ends. For example, if the key on one end is a character string
but the key on the other end is a hexadecimal number, the IPSec tunnel cannot be established.
If you configure the keys in different formats, the last configured key takes effect.
Step 11 Run:
sa encryption-hex { inbound | outbound } esp hex-key
250
4 IPSec Configuration
Context
An interface can use only one IPSec policy. An IPSec policy group that establishes an SA through
IKE negotiation can be applied to multiple interfaces, whereas an IPSec policy group that is used
to establish an SA manually can be applied only to one interface. If the applied IPSec policy
establishes an SA in manual mode, the SA is generated immediately.
Procedure
Step 1 Run:
system-view
Prerequisites
The configurations required for establishing an IPSec tunnel manually are complete.
Procedure
l
Run the display ipsec sa command to view information about the SA.
Run the display ipsec proposal [ name proposal-name ] command to view information
about the IPSec proposal.
Run the display ipsec policy [ brief | name policy-name [ seq-number ] ] command to view
information about the IPSec policy.
----End
251
4 IPSec Configuration
Application Environment
Data flows must be authenticated to ensure data transmission security. In a high security scenario,
data flows must be authenticated and encrypted. In such a scenario, configure IPSec on the device
that initiates the IPSec service and the device that terminates the IPSec service.
When the network topology is complex, you can establish IPSec tunnels through IKE
negotiation.
Pre-configuration Tasks
Before establishing an IPSec tunnel through IKE negotiation, complete the following tasks:
l
Setting parameters of the link-layer protocol and IP addresses for the interfaces to ensure
that the link-layer protocol on the interfaces is Up
Data Preparation
To establish an IPSec tunnel through IKE negotiation, you need to the following data.
No.
Data
IKE peer name, negotiation mode, IKE proposal name, IKE peer ID type, preshared key, remote address, and remote host name
Name and sequence number of the IPSec policy, (optional) Perfect Forward
Secrecy (PFS) feature used in IKE negotiation
Type and number of the interface to which the IPSec policy is applied
NOTE
252
4 IPSec Configuration
Procedure
Step 1 Run:
system-view
l The ACL must be configured to match the data flows accurately. It is recommended that you set the
action of the ACL rule to permit for the data flows that need to be protected.
l Create different ACLs and IPSec policies for the data flows with different security requirements.
----End
Procedure
Step 1 Run:
system-view
253
4 IPSec Configuration
Issue 02 (2012-03-30)
254
4 IPSec Configuration
The pre-shared key used by the local end and remote peer is configured.
If pre-shared key authentication is configured, configure a pre-shared key for each remote peer.
The two ends of an IPSec tunnel must use the same pre-shared key.
When pre-shared key authentication is configured, an authenticator must be configured.
Step 10 Run:
remote-address { ip-address | host-name }
In the IPSec policy template mode, you do not need to run the remote-address command.
Issue 02 (2012-03-30)
255
4 IPSec Configuration
The remote host name is configured. Perform this step only when name authentication is used
in aggressive mode.
If IKEv2 is used, set local-id-type to ip and peer-id-type to name, and configure remotename.
Step 13 (Optional) Run:
inband ocsp
The Online Certificate Status Protocol (OCSP) is enabled for the IKE peer.
Step 14 (Optional) Run:
pki realm realm-name
Procedure
Step 1 Run:
system-view
256
4 IPSec Configuration
Procedure
Step 1 Run:
system-view
257
4 IPSec Configuration
After IKE negotiation phase 1 succeeds, the IPSec SA is established in the specified triggering
mode. In automatic triggering mode, the IPSec SA is established immediately after IKE
negotiation phase 1 succeeds. In traffic-based triggering mode, the IPSec SA is established only
after packets are received.
By default, the automatic triggering mode is used.
Step 6 (Optional) Run:
sa duration { traffic-based kilobytes | time-based interval }
For details on how to configure an IKE peer, see 4.4.4 Configuring an IKE Peer.
The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured.
If PFS is specified on the local end, you also need to specify PFS on the remote peer. The DiffieHellman group specified on the two ends must be the same; otherwise, the negotiation fails. If
the remote end uses the template mode, the Diffie-Hellman groups can be different.
----End
Procedure
Step 1 Run:
system-view
Issue 02 (2012-03-30)
258
4 IPSec Configuration
The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured.
By default, the PFS feature is not used in IKE negotiation.
----End
Procedure
Step 1 Run:
system-view
259
4 IPSec Configuration
Step 4 Run:
ike heartbeat-timer timeout interval
Run:
dpd { idle-time seconds | retransmit-interval seconds | retry-limit times }
The idle time for DPD, retransmission interval of DPD packets, and maximum number of
retransmissions are set.
l
Run:
dpd msg { seq-hash-notify | seq-notify-hash }
Run:
dpd type { on-demand | periodic }
260
4 IPSec Configuration
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
261
4 IPSec Configuration
After IKE negotiation succeeds and the SA is established, the data flows are encrypted and then
transmitted between two ends.
----End
Prerequisites
The configurations required to establish an IPSec tunnel through IKE negotiation are complete.
Procedure
l
Run the display ike sa [ v2 ] [ conn-id connid | peer-name peername | phase phasenumber | verbose ] command to view information about the SAs established through IKE
negotiation.
Run the display ike peer [ name peer-name ] [ verbose ] command to view the
configuration of a specified IKE peer or all IKE peers.
Run the display ike proposal command to view the configuration of a specified IKE
proposal or all IKE proposals.
Run the display ipsec sa [ brief | duration | policy policy-name [ seq-number ] | peerip
peer-ip-address ] command to view the configuration of a specified SA or all SAs.
Run the display ipsec policy [ brief | name policy-name [ seq-number ] ] command to view
information about a specified IPSec policy or all IPSec policies.
Run the display ipsec proposal [ name proposal-name ] command to view information
about a specified IPSec proposal or all IPSec proposals.
----End
Applicable Environment
An IPSec profile simplifies IPSec policy management. After an IPSec profile is applied to an
IPSec tunnel interface, only one IPSec tunnel is generated and this tunnel protects all the data
flows passing through the IPSec tunnel interface.
Issue 02 (2012-03-30)
262
4 IPSec Configuration
Pre-configuration Tasks
Before establishing an IPSec tunnel using an IPSec tunnel interface, complete the following
tasks:
l
Setting link layer protocol parameters and IP addresses for interfaces to ensure that the link
layer protocol on the interfaces is Up
Data Preparation
To establish an IPSec tunnel using an IPSec tunnel interface, you need the following data.
No.
Data
IKE peer name, negotiation mode, IKE proposal name, IKE peer ID type, preshared key
Number, IP address, and source and destination IP addresses of the IPSec tunnel
interface
Context
An IPSec profile defines the IKE peer, IPSec proposal, SA lifetime, and Perfect Forward Secrecy
(PFS). To ensure successful IKE negotiation, parameters in the IPSec profile on the local end
and remote end must match.
Procedure
Step 1 Run:
system-view
263
4 IPSec Configuration
proposal proposal-name
For details on how to configure an IKE proposal, see 4.4.5 Configuring an IPSec Proposal.
Step 4 Run:
ike-peer peer-name
For details on how to configure an IKE peer, see 4.4.4 Configuring an IKE Peer.
Context
An IPSec tunnel interface encapsulates the IPSec header into packets. To make a configured
IPSec profile take effect, configure an IPSec tunnel interface and apply the IPSec profile to the
IPSec tunnel interface.
Issue 02 (2012-03-30)
264
4 IPSec Configuration
Procedure
Step 1 Run:
system-view
A tunnel interface can be bound to an IPSec profile only when the encapsulation mode of the tunnel interface
is set to IPSec, GRE, or Multipoint GRE (MGRE).
Step 5 Run:
source { [ vpn-instance vpn-instance-name ] source-ip-address | interface-type
interface-number }
It is recommended that you specify the interface type and number for source. If you specify an IP address
that is dynamically assigned to an interface, the IPSec configuration may fail to be restored because of
invalid source address.
265
4 IPSec Configuration
Prerequisites
All the configurations of the IPSec tunnel established using an IPSec tunnel interface are
complete.
Procedure
l
Run the display ipsec profile [ brief | name profile-name ] command to check the IPSec
profile information.
Run the display ipsec proposal [ name proposal-name ] command to check the IPSec
proposal information.
Run the display ipsec sa [ brief | duration | policy policy-name [ seq-number ] | profile
profile-name | peerip peer-ip-address ] command to check the SA information.
Run the display this command in the interface view to check the configuration of the tunnel
interface.
----End
Applicable Environment
You must perform a great number of IPSec configurations on two peers to establish an IPSec
tunnel between the peers. The configurations include the authentication and encryption
algorithms used in IKE negotiation, Diffie-Hellman key agreement protocol, and IPSec proposal.
If the network has hundreds of sites, the IPSec configurations on remote devices are complicated.
Huawei provides the Efficient VPN solution, which allows remote branches to easily connect
to the enterprise headquarters and releases enterprise administrators from complex manual
configurations.
Preconfiguration Tasks
Before configuring the Efficient VPN policy, complete the following tasks:
l
Configuring link layer protocol parameters for interfaces to ensure that the link layer
protocol status on the interfaces is Up
Data Preparation
To configure the Efficient VPN policy, you need the following data.
Issue 02 (2012-03-30)
266
4 IPSec Configuration
No.
Data
Name and sequence number of an IPSec policy, and name and sequence number
of an IPSec policy template
DNS server address, WINS server address, and allocable network segment
address in the global address pool
Context
Only mandatory parameters, such as the IP address and pre-shared key, need to be configured
on a remote device. Other parameters, such as authentication and encryption algorithms used in
IKE negotiation, and the IPSec proposal, are preconfigured on the server.
Procedure
Step 1 Perform the following steps on the remote router:
1.
Run:
system-view
Run:
ipsec efficient-vpn efficient-vpn-name mode client
An IPSec Efficient VPN policy in client mode is created and the Efficient VPN policy view
is displayed.
3.
Run:
remote-address { ip-address | host-name } { v1 | v2 }
(Optional) Run:
remote-name name
(Optional) Run:
authentication-method { pre-share |
rsa-signature }
267
6.
4 IPSec Configuration
(Optional) Run:
pre-shared-key key
Run:
quit
Run:
interface interface-type interface-number
Run:
ipsec efficient-vpn(interface view) efficient-vpn-name
Run:
system-view
Run:
ip pool ip-pool-name
Run:
network ip-address [ mask { mask | mask-length } ]
An allocable network segment address is specified for the global address pool.
4.
Run:
quit
Run:
aaa
Run:
service-scheme service-scheme-name
(Optional) Run:
dns ip-address
(Optional) Run:
dns ip-address secondary
Run:
ip-pool pool-name [ move-to new-position ]
The location of the IP address pool is specified in the AAA service scheme.
Issue 02 (2012-03-30)
268
4 IPSec Configuration
The DH group used in IKE negotiation must be set to dh group2 for an efficient-vpn policy.
15. Run:
quit
l When the IKE v1 version is used, the aggressive mode must be enabled using exchange-mode.
l Run the service-scheme command to bind the IKE peer to the AAA service scheme.
17. Run:
quit
l encapsulation-mode must be set to tunnel to establish an IPSec tunnel using the Efficient VPN policy.
l The Efficient VPN policy supports only Encapsulating Security Payload (ESP).
19. Run:
Issue 02 (2012-03-30)
269
4 IPSec Configuration
quit
Context
Perform the following steps on the routers on the remote device and server:
Procedure
Step 1 Run:
system-view
Issue 02 (2012-03-30)
270
4 IPSec Configuration
Afer the ACL is applied, the ACL rules can match only IP packets.
Step 4 Run:
quit
An IPSec Efficient VPN policy in network mode is created and the Efficient VPN view is
displayed.
Step 6 Run:
security acl acl-number
rsa-signature }
271
4 IPSec Configuration
NOTE
Issue 02 (2012-03-30)
272
4 IPSec Configuration
Prerequisites
All Efficient VPN configurations are complete.
Procedure
l
Run the display ike sa [ v2 ] [ conn-id connid | peer-name peername | phase phasenumber | verbose ] command to check information about the IPSec tunnel established
through IKE negotiation.
Run the display ipsec sa [ brief | duration | policy policy-name [ seq-number ] | profile
profile-name | efficient-vpn efficient-vpn-name | peerip peer-ip-address ] command to
check information about SAs.
Run the display ipsec proposal [ name proposal-name ] command to check information
about IPSec proposals.
Run the display ipsec efficient-vpn [ brief | capality | name efficient-vpn-name ] command
to check information about the Efficient VPN policy.
----End
Prerequisites
The configurations of IPSec are complete.
Procedure
l
Issue 02 (2012-03-30)
Run the display ipsec sa [ brief | duration | policy policy-name [ seq-number ] | profile
profile-name | peerip peer-ip-address ] command to check information about the IPSec
SA.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
273
4 IPSec Configuration
Run the display ike sa [ v2 ] [ conn-id connid | peer-name peername | phase phasenumber | verbose ] command to check information about the IPSec tunnel that is
established.
Run the display ipsec statistics { ah | esp } command to check the statistics about IPSec
packets.
Run the display ike statistics { all | msg | v1 | v2 } command to check the statistics about
IKE packets.
Run the display ipsec profile [ brief | name profile-name ] command to check information
about the IPSec profile.
Run the display ipsec efficient-vpn [ brief | capality | name efficient-vpn-name ] command
to check information about the Efficient VPN policy.
----End
Context
CAUTION
The statistics cannot be restored after being cleared.
Procedure
l
Run the reset ipsec statistics { ah | esp } command in the user view to clear the statistics
about IPSec packets.
Run the reset ike statistics { all | msg } command in the user view to clear the statistics
about IKE packets.
Run the reset ipsec sa profile profile-name command in the user view to clear the SA
generated by the IPSec profile.
Run the reset ipsec sa efficient-vpn efficient-vpn-name command in the user view to clear
the SA generated by the Efficient VPN policy.
Run the reset ike sa { all | conn-id connection-id } command in the user view to delete a
specified IPSec tunnel or all established IPSec tunnels.
----End
Issue 02 (2012-03-30)
274
4 IPSec Configuration
Networking Requirements
As shown in Figure 4-3, an IPSec tunnel is established between RouterA and RouterB to protect
data flows between the subnet of PC A (10.1.1.0/24) and subnet of PC B (10.1.2.0/24). The
IPSec tunnel uses the ESP protocol, DES encryption algorithm, and SHA-1 authentication
algorithm.
Figure 4-3 Network diagram for configuring IPSec
Eth 1/0/0
Eth 1/0/0
202.138.163.1/24
RouterA
202.138.162.1/24
RouterB
Internet
IPSec Tunnel
PC A
10.1.1.2/24
10.1.2.2/24
PC B
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Configure Access Control Lists (ACLs) and define the data flows to be protected.
3.
4.
5.
Configure IPSec policies and apply the ACLs and IPSec proposal to the IPSec policies.
6.
Procedure
Step 1 Configure IP addresses for the interfaces on RouterA and RouterB.
# Assign an IP address to the interface of RouterA.
<Huawei> system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 202.138.163.1 255.255.255.0
[Huawei-Ethernet1/0/0] quit
Issue 02 (2012-03-30)
275
4 IPSec Configuration
Step 2 Configure ACLs on RouterA and RouterB to define the data flows to be protected.
# Configure an ACL on RouterA.
[Huawei] acl number 3101
[Huawei-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0
0.0.0.255
[Huawei-acl-adv-3101] quit
# Configure a static route to the peer on RouterB. In this example, the next hop to PCA is
202.138.162.2.
[Huawei] ip route-static 10.1.1.0 255.255.255.0 202.138.162.2
Run the display ipsec proposal command on RouterA and RouterB to view the configuration
of the IPSec proposal. Take the display on RouterA as an example.
[Huawei] display ipsec proposal
Number of Proposals: 1
IPsec proposal name: tran1
Encapsulation mode: Tunnel
Transform
: esp-new
ESP protocol
: Authentication SHA1-HMAC-96
Encryption
DES
Issue 02 (2012-03-30)
276
4 IPSec Configuration
tunnel remote 202.138.162.1
tunnel local 202.138.163.1
sa spi outbound esp 12345
sa spi inbound esp 54321
sa string-key outbound esp abcdefg
sa string-key inbound esp gfedcba
quit
Run the display ipsec policy command on RouterA and RouterB to view the configurations of
the IPSec policies. Take the display on RouterA as an example.
[Huawei] display ipsec policy
===========================================
IPsec Policy Group: "map1"
Using interface: {}
===========================================
Sequence number: 10
Security data flow: 3101
Tunnel local address: 202.138.163.1
Tunnel remote address: 202.138.162.1
Proposal name:tran1
Inbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Inbound ESP setting:
ESP SPI: 54321 (0xd431)
ESP string-key: gfedcba
ESP encryption hex key:
ESP authentication hex key:
Outbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Outbound ESP setting:
ESP SPI: 12345 (0x3039)
ESP string-key: abcdefg
ESP encryption hex key:
ESP authentication hex key:
Step 6 Apply the IPSec policies to the interfaces of RouterA and RouterB.
# Apply the IPSec policy to the interface of RouterA.
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ipsec policy map1
[Huawei-Ethernet1/0/0] quit
Run the display ipsec sa command on RouterA and RouterB to view the configuration of the
IPSec SAs. Take the display on RouterA as an example.
Issue 02 (2012-03-30)
277
4 IPSec Configuration
Configuration Files
l
Issue 02 (2012-03-30)
278
4 IPSec Configuration
Networking Requirements
As shown in Figure 4-4, an IPSec tunnel is established between RouterA and RouterB. This
IPSec tunnel protects data flows between the subnet of PC A (10.1.1.0/24) and subnet of PC B
(10.1.2.0/24). The IPSec tunnel uses the ESP protocol, DES encryption algorithm, and MD5
authentication algorithm.
Issue 02 (2012-03-30)
279
4 IPSec Configuration
NOTE
Eth 1/0/0
202.138.163.1/24
RouterA
202.138.162.1/24
RouterB
Internet
IPSec Tunnel
PC A
10.1.1.2/24
10.1.2.2/24
PC B
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Specify the local host ID and IKE peer for IKE negotiation.
3.
Configure Access Control Lists (ACLs) and define the data flows to be protected.
4.
5.
6.
Configure IPSec policies and apply the ACLs and IPSec proposal to the IPSec policies.
7.
Procedure
Step 1 Configure IP addresses for the interfaces on RouterA and RouterB.
# Assign an IP address to the interface of RouterA.
<Huawei> system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 202.138.163.1 255.255.255.0
[Huawei-Ethernet1/0/0] quit
Issue 02 (2012-03-30)
280
4 IPSec Configuration
Step 2 Configure local IDs and IKE peers on RouterA and RouterB.
# Configure the local ID and IKE peer on RouterA.
[Huawei] ike peer spub
[Huawei-ike-peer-spub]
[Huawei-ike-peer-spub]
[Huawei-ike-peer-spub]
v1
pre-shared-key huawei
remote-address 202.138.162.1
quit
NOTE
In aggressive mode, if the value of local-id-type is name, configure the IP address of the remote peer
(remote-address x.x.x.x) on the local end.
v1
pre-shared-key huawei
remote-address 202.138.163.1
quit
Run the display ike peer command on RouterA and RouterB to view the configuration of the
IKE peer. Take the display on RouterA as an example.
[Huawei] display ike peer name spub verbose
---------------------------------------Peer name
: spub
Exchange mode
: main on phase 1
Pre-shared-key
: huawei
Local ID type
: IP
DPD
: Disable
DPD mode
: Periodic
DPD idle time
: 30
DPD retransmit interval : 15
DPD retry limit
: 3
Host name
:
Peer Ip address
: 202.138.162.1
VPN name
:
Local IP address
:
Remote name
:
Nat-traversal
: Disable
Configured IKE version
: Version one
PKI realm
: NULL
Inband OCSP
: Disable
----------------------------------------
Step 3 Configure ACLs on RouterA and RouterB to define the data flows to be protected.
# Configure an ACL on RouterA.
[Huawei] acl number 3101
[Huawei-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0
0.0.0.255
[Huawei-acl-adv-3101] quit
Issue 02 (2012-03-30)
281
4 IPSec Configuration
# Configure a static route to the peer on RouterB. In this example, the next hop to PCA is
202.138.162.2.
[Huawei] ip route-static 10.1.1.0 255.255.255.0 202.138.162.2
Run the display ipsec proposal command on RouterA and RouterB to view the configuration
of the IPSec proposal. Take the display on RouterA as an example.
[Huawei] display ipsec proposal
Number of Proposals: 1
IPsec proposal name: tran1
Encapsulation mode: Tunnel
Transform
: esp-new
ESP protocol
: Authentication MD5-HMAC-96
Encryption
DES
ike-peer spub
proposal tran1
security acl 3101
quit
ike-peer spua
proposal tran1
security acl 3101
quit
Run the display ipsec policy command on RouterA and RouterB to view the configurations of
the IPSec policies. Take the display on RouterA as an example.
[Huawei] display ipsec policy
===========================================
IPsec policy group: "map1"
Using interface: {}
===========================================
Sequence number: 10
Security data flow: 3101
Peer name: spub
Perfect forward secrecy: None
Proposal name: tran1
IPsec SA local duration(time based): 3600 seconds
IPsec SA local duration(traffic based): 1843200 kilobytes
SA trigger mode: Automatic
Route inject: None
Step 7 Apply the IPSec policies to the interfaces of RouterA and RouterB.
# Apply the IPSec policy to the interface of RouterA.
Issue 02 (2012-03-30)
282
4 IPSec Configuration
Run the display ipsec sa command on RouterA and RouterB to view the configuration of the
IPSec SAs. Take the display on RouterA as an example.
[Huawei] display ipsec sa
===============================
Interface: Ethernet 1/0/0
path MTU: 1500
===============================
----------------------------IPsec policy name: "map1"
sequence number: 10
mode: isakmp
----------------------------Connection id: 3
encapsulation mode: tunnel
tunnel local : 202.138.163.1
tunnel remote: 202.138.162.1
[inbound ESP SAs]
spi: 1406123142 (0x53cfbc86)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436528/3575
max received sequence-number: 4
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3835455224 (0xe49c66f8)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436464/3575
max sent sequence-number: 5
udp encapsulation used for nat traversal: N
----End
Configuration Files
l
Issue 02 (2012-03-30)
283
4 IPSec Configuration
#
ike peer spub
v1
pre-shared-key
huawei
remote-address
202.138.162.1
#
ipsec policy map1 10
isakmp
security acl
3101
ike-peer
spub
proposal
tran1
#
ip route-static 10.1.2.0 255.255.255.0 202.138.163.2
#
interface Ethernet1/0/0
ip address 202.138.163.1 255.255.255.0
ipsec policy map1
#
return
Issue 02 (2012-03-30)
284
4 IPSec Configuration
Networking Requirements
As shown in Figure 4-5, an IPSec tunnel is established between RouterA and RouterB. This
IPSec tunnel protects data flows between the subnet of PC A (10.1.1.0/24) and subnet of PC B
(10.1.2.0/24). The IPSec tunnel uses the ESP protocol, DES encryption algorithm, and SHA-1
authentication algorithm.
Figure 4-5 Network diagram for configuring IKE negotiation
Eth 1/0/0
Eth 1/0/0
202.138.163.1/24
RouterA
202.138.162.1/24
RouterB
Internet
IPSec Tunnel
PC A
10.1.1.2/24
10.1.2.2/24
PC B
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Specify the local host ID and IKE peer for IKE negotiation.
4.
Configure Access Control Lists (ACLs) and define the data flows to be protected.
5.
6.
7.
Configure IPSec policies and apply the ACLs and IPSec proposal to the IPSec policies.
8.
Procedure
Step 1 Configure IP addresses for the interfaces on RouterA and RouterB.
# Assign an IP address to the interface of RouterA.
<Huawei> system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 202.138.163.1 255.255.255.0
[Huawei-Ethernet1/0/0] quit
Issue 02 (2012-03-30)
285
4 IPSec Configuration
Step 3 Configure local IDs and IKE peers on RouterA and RouterB.
# Configure the local ID and IKE peer on RouterA.
[Huawei] ike local-name huawei01
[Huawei] ike peer spub v1
[Huawei-ike-peer-spub] exchange-mode aggressive
[Huawei-ike-peer-spub] ike-proposal 1
[Huawei-ike-peer-spub] local-id-type name
[Huawei-ike-peer-spub] pre-shared-key huawei
[Huawei-ike-peer-spub] remote-name huawei02
[Huawei-ike-peer-spub] remote-address 202.138.162.1
[Huawei-ike-peer-spub] local-address 202.138.163.1
[Huawei-ike-peer-spub] quit
NOTE
In aggressive mode, if the value of local-id-type is name, configure the IP address of the remote peer
(remote-address x.x.x.x) on the local end.
Run the display ike peer command on RouterA and RouterB to view the configuration of the
IKE peer. Take the display on RouterA as an example.
[Huawei] display ike peer name spub verbose
---------------------------------------Peer name
: spub
Exchange mode
: aggressive on phase 1
Pre-shared-key
: huawei
Proposal
: 1
Local ID type
: Name
DPD
: Disable
DPD mode
: Periodic
DPD idle time
: 30
DPD retransmit interval : 15
DPD retry limit
: 3
Host name
:
Peer Ip address
: 202.138.162.1
VPN name
:
Local IP address
: 202.138.163.1
Issue 02 (2012-03-30)
286
4 IPSec Configuration
Remote name
: huawei02
Nat-traversal
: Disable
Configured IKE version
: Version one
Auto-configure
: Disable
PKI realm
: NULL
Inband OCSP
: Disable
----------------------------------------
Step 4 Configure ACLs on RouterA and RouterB to define the data flows to be protected.
# Configure an ACL on RouterA.
[Huawei] acl number 3101
[Huawei-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0
0.0.0.255
[Huawei-acl-adv-3101] quit
# Configure a static route to the peer on RouterB. In this example, the next hop to PCA is
202.138.162.2.
[Huawei] ip route-static 10.1.1.0 255.255.255.0 202.138.162.2
encapsulation-mode tunnel
transform esp
esp encryption-algorithm des
esp authentication-algorithm sha1
quit
encapsulation-mode tunnel
transform esp
esp encryption-algorithm des
esp authentication-algorithm sha1
quit
Run the display ipsec proposal command on RouterA and RouterB to view the configuration
of the IPSec proposal. Take the display on RouterA as an example.
[Huawei] display ipsec proposal
Number of Proposals: 1
IPsec proposal name: tran1
Encapsulation mode: Tunnel
Transform
: esp-new
ESP protocol
: Authentication SHA1-HMAC-96
Encryption
DES
Issue 02 (2012-03-30)
287
4 IPSec Configuration
ike-peer spub
proposal tran1
security acl 3101
quit
ike-peer spua
proposal tran1
security acl 3101
quit
Run the display ipsec policy command on RouterA and RouterB to view the configurations of
the IPSec policies. Take the display on RouterA as an example.
[Huawei] display ipsec policy
===========================================
IPsec policy group: "map1"
Using interface: {}
===========================================
Sequence number: 10
Security data flow: 3101
Peer name: spub
Perfect forward secrecy: None
Proposal name: tran1
IPsec SA local duration(time based): 3600 seconds
IPsec SA local duration(traffic based): 1843200 kilobytes
SA trigger mode: Automatic
Route inject: None
Step 8 Apply the IPSec policies to the interfaces of RouterA and RouterB.
# Apply the IPSec policy to the interface of RouterA.
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ipsec policy map1
[Huawei-Ethernet1/0/0] quit
Run the display ipsec sa command on RouterA and RouterB to view the configuration of the
IPSec SAs. Take the display on RouterA as an example.
[Huawei] display ipsec sa
===============================
Interface: Ethernet 1/0/0
path MTU: 1500
===============================
----------------------------IPsec policy name: "map1"
sequence number: 10
mode: isakmp
----------------------------Connection id: 3
encapsulation mode: tunnel
tunnel local : 202.138.163.1
[inbound ESP SAs]
spi: 1406123142 (0x53cfbc86)
Issue 02 (2012-03-30)
288
4 IPSec Configuration
----End
Configuration Files
l
Issue 02 (2012-03-30)
289
4 IPSec Configuration
isakmp
security acl
3101
ike-peer
spub
proposal
tran1
#
ip route-static 10.1.2.0 255.255.255.0 202.138.163.2
#
interface Ethernet1/0/0
ip address 202.138.163.1 255.255.255.0
ipsec policy map1
#
return
Issue 02 (2012-03-30)
290
4 IPSec Configuration
#
return
Networking Requirements
As shown in Figure 4-6, an IPSec tunnel is established between RouterA and RouterB to protect
traffic on the IPSec tunnel interface. The IPSec tunnel uses the AH-ESP protocol, 3DES
encryption algorithm, and SHA-1 authentication algorithm.
Figure 4-6 Networking diagram for establishing an IPSec tunnel using the IPSec tunnel interface
Eth1/0/0
Eth1/0/0
202.138.163.1/24
RouterA
Tunnel0/0/0
192.168.1.1/24
10.1.1.2/24
202.138.162.1/24
Internet
RouterB
Tunnel0/0/0
192.168.1.2/24
IPSec Tunnel
10.1.2.2/24
Network A
Network B
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
Specify the local IDs and IKE peers required in IKE negotiation.
5.
6.
Configure IPSec profiles and bind the IPSec proposals and IKE peers to the IPSec profiles.
7.
Procedure
Step 1 Configure IP addresses for the interfaces on RouterA and RouterB.
# Assign an IP address to the interface of RouterA.
Issue 02 (2012-03-30)
291
4 IPSec Configuration
<Huawei> system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 202.138.163.1 255.255.255.0
[Huawei-Ethernet1/0/0] quit
# Configure a static route to the remote peer on RouterB. This example assumes that the next
hop address in the route to RouterB is 202.138.162.2.
[Huawei] ip route-static 10.1.1.0 255.255.255.0 202.138.162.2
dh group5
authentication-algorithm aes_xcbc_mac_96
prf aes_xcbc_128
quit
dh group5
authentication-algorithm aes_xcbc_mac_96
prf aes_xcbc_128
quit
Step 4 Configure local IDs and IKE peers on RouterA and RouterB.
# Configure the local ID and IKE peer on RouterA.
[Huawei] ike peer spub
[Huawei-ike-peer-spub]
[Huawei-ike-peer-spub]
[Huawei-ike-peer-spub]
v2
ike-proposal 1
pre-shared-key huawei
quit
v2
ike-proposal 1
pre-shared-key huawei
quit
Run the display ike peer command on RouterA and RouterB to view the configuration of the
IKE peer. Take the display on RouterA as an example.
[Huawei] display ike peer name spub verbose
---------------------------------------Peer name
: spub
Pre-shared-key
: huawei
proposal
: 1
Local ID type
:
DPD
: Disable
DPD mode
: Periodic
DPD idle time
: 30
Issue 02 (2012-03-30)
292
4 IPSec Configuration
transform ah-esp
ah authentication-algorithm sha1
esp authentication-algorithm sha1
esp encryption-algorithm 3des
quit
transform ah-esp
ah authentication-algorithm sha1
esp authentication-algorithm sha1
esp encryption-algorithm 3des
quit
Run the display ipsec proposal command on RouterA and RouterB to view the configuration
of the IPSec proposal. Take the display on RouterA as an example.
[Huawei] display ipsec proposal
Number of Proposals: 1
IPSec proposal name: tran1
Encapsulation mode: Tunnel
Transform
: ah-esp-new
AH protocol
: Authentication SHA1-HMAC-96
ESP protocol
: Authentication SHA1-HMAC-96
Encryption
3DES
Step 7 Apply the IPSec profiles to the interfaces of RouterA and RouterB.
# Apply the IPSec profile to the interface of RouterA.
[Huawei] interface tunnel 0/0/0
Issue 02 (2012-03-30)
293
4 IPSec Configuration
ip address 192.168.1.1 24
tunnel-protocol gre
source 202.138.163.1
destination 202.138.162.1
ipsec profile profile1
quit
----End
Configuration Files
l
Issue 02 (2012-03-30)
294
4 IPSec Configuration
source 202.138.163.1
destination 202.138.163.2
ipsec profile profile1
#
interface Ethernet1/0/0
ip address 202.138.163.1 255.255.255.0
#
return
Networking Requirements
As shown in Figure 4-7, an IPSec tunnel is established between RouterA and RouterB to protect
data flows between the subnet of PC A (10.1.1.0/24) and subnet of PC B (10.1.2.0/24). An SA
is established and the key is exchanged automatically between the Remote and Server,
simplifying the configuration and improving efficiency.
Issue 02 (2012-03-30)
295
4 IPSec Configuration
Figure 4-7 Networking for Establishing an SA Using Efficient VPN in Client Mode
RouterA
Remote
RouterB
Internet
Eth1/0/0
60.1.1.1/24
Server
Eth1/0/0
60.1.2.1/24
IPSec Tunnel
10.1.1.2/24
PC A
10.1.2.2/24
PC B
Configuration Roadmap
The configuration roadmap on RouterA is as follows:
1.
2.
3.
4.
5.
6.
2.
3.
4.
5.
6.
Procedure
Step 1 Configure RouterA.
1.
2.
Configure a static route to the remote peer on RouterA. This example assumes that the next
hop address in the route to RouterB is 60.1.1.2.
[Huawei] ip route-static 10.1.2.0 255.255.255.0 60.1.1.2
3.
Issue 02 (2012-03-30)
296
4 IPSec Configuration
4.
5.
6.
2.
Configure a static route to the remote peer on RouterB. This example assumes that the next
hop address in the route to RouterA is 60.1.2.2.
[Huawei] ip route-static 10.1.1.0 255.255.255.0 60.1.2.2
3.
Configure the resource attributes to be allocated: the IP address, DNS server address, and
WINS server address.
[Huawei] ip pool pooltest
[Huawei-ip-pool-pooltest] network 100.1.1.0 mask 255.255.255.128
[Huawei-ip-pool-pooltest] quit
[Huawei] aaa
[Huawei-aaa] service-scheme schemetest
[Huawei-aaa-service-schemetest] dns 2.2.2.2
[Huawei-aaa-service-schemetest] dns 2.2.2.3 secondary
[Huawei-aaa-service-schemetest] ip-pool pooltest
[Huawei-aaa-service-schemetest] wins 3.3.3.2
[Huawei-aaa-service-schemetest] wins 3.3.3.3 secondary
[Huawei-aaa-service-schemetest] quit
[Huawei-aaa] quit
4.
5.
6.
Issue 02 (2012-03-30)
After the preceding configuration, RouterA can still ping RouterB and the data transmitted
between them is encrypted.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
297
4 IPSec Configuration
Run the display ike sa command on RouterA, and the following information is displayed:
[Huawei] display ike sa v2
Conn-ID
Peer
VPN
Flag(s)
Phase
--------------------------------------------------------64
60.1.2.1
0
RD|ST
2
62
60.1.2.1
0
RD|ST
1
Flag
Description:
RD--READY
ST--STAYALIVE
RL--REPLACED
FD--FADING
TO-TIMEOUT
HRT--HEARTBEAT
LKG--LAST KNOWN GOOD SEQ NO.
BCK--BACKED UP
2.
Run the display ipsec sa command on RouterA and RouterB to view the IPSec
configuration. The display on RouterA is used as an example.
[Huawei] display ipsec sa
===============================
Interface: Ethernet 1/0/0
Path MTU: 1500
===============================
----------------------------IPSec efficient-vpn name: "2"
Mode: EFFICIENTVPN-CLIENT MODE
----------------------------Connection ID
: 64
Encapsulation mode: Tunnel
Tunnel local
: 60.1.1.1
Tunnel remote
: 60.1.2.1
Flow source
: 100.1.1.126/255.255.255.255 0/0
Flow destination : 0.0.0.0/0.0.0.0 0/0
[Outbound ESP SAs]
SPI: 3752053811 (0xdfa3cc33)
proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/1390
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 4182141148 (0xf94668dc)
proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/1390
Max received sequence-number: 0
UDP encapsulation used for NAT traversal: N
3.
Run the display ipsec efficient-vpn command on RouterA to view information about the
Efficient VPN policy.
[Huawei] display ipsec efficient-vpn
===========================================
IPSec efficient-vpn name: 2
Using interface
: Ethernet1/0/0
===========================================
IPSEC Efficient-vpn Name : 2
IPSEC Efficient-vpn Mode : 1 (1:Client 2:Network)
ACL Number
:
Auth Method
: 8 (8:PSK 9:RSA)
VPN name
:
Local ID Type
: 1 (1:IP 2:Name)
Remote Address
: 60.1.2.1
IKE Version
: 2 (1:IKEv1 2:IKEv2)
FQDN
:
Pre Shared Key
: huawei
PFS Type
: 0 (0:Disable 1:Group1 2:Group2 5:Group5
14:Group14)
Local Address
:
Remote Name
:
PKI Object
:
Interface loopback
: LoopBack100
Interface loopback IP
: 100.1.1.126/32
Issue 02 (2012-03-30)
298
4 IPSec Configuration
: 2.2.2.2, 2.2.2.3
: 3.3.3.2, 3.3.3.3
----End
Configuration Files
l
Issue 02 (2012-03-30)
299
4 IPSec Configuration
dns
2.2.2.2
dns 2.2.2.3
secondary
ip-pool
pooltest
wins
3.3.3.2
wins 3.3.3.3
secondary
#
interface
Ethernet1/0/0
ip address 60.1.2.1
255.255.255.0
ipsec policy policy1
#
ip route-static 10.1.1.0 255.255.255.0 60.1.2.2
#
return
Networking Requirements
As shown in Figure 4-8, an IPSec tunnel is established between RouterA and RouterB to protect
data flows that are transmitted between the subnet of PC A (10.1.1.0/24) and subnet of PC B
(10.1.2.0/24) and match the ACL. In network mode, the remote device does not apply for or an
IP address, and NAT and PAT are disabled on the remote device.
Figure 4-8 Networking for Establishing an SA Using Efficient VPN in Network Mode
RouterA Eth1/0/0
100.1.1.1/24
Remote
Eth1/0/0.1
99.1.1.1/24
Internet
Eth1/0/0 RouterB
100.1.2.1/24
Eth1/0/0.1
99.1.2.1/24
Server
IPSec Tunnel
10.1.1.2/24
10.1.2.2/24
PC A
Issue 02 (2012-03-30)
PC B
300
4 IPSec Configuration
Configuration Roadmap
The configuration roadmaps of RouterA and RouterB are as follows:
1.
2.
3.
4.
5.
Procedure
Step 1 Configure IP addresses for the interfaces on RouterA and RouterB.
# Assign an IP address to the interface of RouterA.
<Huawei> system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 100.1.1.1 255.255.255.0
[Huawei-Ethernet1/0/0] quit
[Huawei] interface ethernet 1/0/0.1
[Huawei-Ethernet1/0/0.1] ip address 99.1.1.1 255.255.255.0
[Huawei-Ethernet1/0/0.1] dot1q termination vid 1
[Huawei-Ethernet1/0/0.1] arp broadcast enable
[Huawei-Ethernet1/0/0.1] quit
# Configure a static route to the remote peer on RouterB. This example assumes that the next
hop address in the route to RouterA is 100.1.2.2.
[Huawei] ip route-static 10.1.1.0 255.255.255.0 100.1.2.2
Step 3 Configure ACLs on RouterA and RouterB to define the data flows to be protected.
# Configure an ACL on RouterA.
[Huawei] acl number 3000
[Huawei-acl-adv-3000] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination
10.1.2.0 0.0.0.255
[Huawei-acl-adv-3000] quit
Issue 02 (2012-03-30)
301
4 IPSec Configuration
[Huawei-acl-adv-3000] quit
Step 4 Configure the Efficient VPN policies in network mode on RouterA and RouterB.
# Configure the Efficient VPN policy in network mode on RouterA.
[Huawei] ipsec efficient-vpn easyvpn_1
[Huawei-ipsec-efficient-vpn-easyvpn_1]
[Huawei-ipsec-efficient-vpn-easyvpn_1]
[Huawei-ipsec-efficient-vpn-easyvpn_1]
[Huawei-ipsec-efficient-vpn-easyvpn_1]
mode network
remote-address 99.1.2.1 v1
pre-shared-key htipl1.,;[-09876543211;'[]
security acl 3000
quit
mode network
remote-address 99.1.1.1 v1
pre-shared-key htipl1.,;[-09876543211;'[]
security acl 3000
quit
Step 5 Apply the Efficient VPN policies to the sub-interfaces of RouterA and RouterB.
# Apply the Efficient VPN policy to the sub-interface on RouterA.
[Huawei] interface ethernet 1/0/0.1
[Huawei-Ethernet1/0/0.1] ipsec efficient-vpn easyvpn_1
l Run the display ipsec sa command on RouterA and RouterB to view the IPSec configuration.
The display on RouterA is used as an example.
[Huawei] display ipsec sa
===============================
Interface: Ethernet 1/0/0.1
Path MTU: 1500
===============================
----------------------------IPSec efficient-vpn name: "easyvpn_1"
mode: EFFICIENTVPN-NETWORK MODE
----------------------------Connection ID: 3
encapsulation mode: Tunnel
tunnel local
: 99.1.1.1
tunnel remote
: 99.1.2.1
Flow source
: 100.1.1.1/0.0.0.0 0/0
Flow destination : 100.1.2.1/0.0.0.0 0/0
[Outbound ESP SAs]
SPI: 71167994 (0x43deffa)
proposal: ESP-ENCRYPT-AES-256 SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/1845
Issue 02 (2012-03-30)
302
4 IPSec Configuration
----End
Configuration Files
l
Issue 02 (2012-03-30)
303
5 DSVPN Configuration
DSVPN Configuration
Issue 02 (2012-03-30)
304
5 DSVPN Configuration
When DSVPN is configured, IPSec does not need to be configured. If IPSec is configured to protect GRE
traffic, the remote IP address in an NHRP mapping entry needs to be advertised to the local device to
establish an IPSec tunnel.
Create tunnel interfaces and specify source addresses for tunnel interfaces.
2.
3.
Configure NHRP mapping entries of the central office device on branch devices.
Issue 02 (2012-03-30)
305
5 DSVPN Configuration
NOTE
The DSVPN function is used with a license. To use the DSVPN function, apply for and purchase the
following license from the Huawei local office:
l
Applicable Environment
In the traditional hub-spoke model, data traffic concentrates at branches and the central office.
If data traffic is transmitted between two branches, to implement IPSec, the central office needs
to decrypt data on the tunnel of the sending branch and encrypt the data on the tunnel of the
receiving branch. Traffic between the two branches needs to pass through the central office,
wasting resources of the central office and causing a delay in traffic forwarding. To solve this
problem, the DSVPN technology is used to enable the two branches to dynamically establish a
data forwarding tunnel.
Pre-configuration Tasks
Before configuring DSVPN, complete the following task:
l
Setting link layer parameters and IP addresses for interfaces so that the network layer
protocol of the interfaces is Up
Data Preparation
To configure DSVPN, you need the following data.
Issue 02 (2012-03-30)
No.
Data
NHRP authentication string, NHRP registration interval, and NHRP entry holding
time
306
5 DSVPN Configuration
Context
After creating a tunnel interface, set the tunnel encapsulation mode to Multipoint GRE (MGRE)
and configure a source address for the tunnel interface. To enable the tunnel interface to support
dynamic routing protocols, configure an IP address for the tunnel interface. Perform the
following operations on the routers of branches and the central office.
Procedure
Step 1 Run:
system-view
You must configure the tunnel encapsulation mode before setting the source IP address or other parameters
for a tunnel interface. Changing the encapsulation mode of a tunnel interface deletes other parameters of
the tunnel interface.
Step 4 Run:
ip address ip-address { mask | mask-length }
The source address or source interface is configured for the tunnel interface.
----End
Context
The routes passing through a tunnel must be available on branches and the central office so that
packets encapsulated with the MGRE header can be forwarded correctly. These routes can be
static routes or dynamic routes. Perform the following operations on the routers of branches and
the central office.
Issue 02 (2012-03-30)
307
5 DSVPN Configuration
Procedure
Step 1 Run:
system-view
A static route must be configured on both the source and destination devices.
l Configure dynamic routes. Dynamic routing can be implemented using OSPF, RIP, or BGP.
For the configuration of a dynamic routing protocol, see Huawei AR3200 Series
Configuration Guide - IP Routing.
NOTE
l If OSPF is configured, the OSPF network type of the tunnel interface must be broadcast.
l If RIP is configured, the split horizon function must be disabled on the tunnel interface.
----End
Context
NHRP allows a source device on a Non-Broadcast Multiple Access (NBMA) network to obtain
the public address of the next hop to the destination device. Perform the following operations
on the router of a branch.
Procedure
Step 1 Run:
system-view
308
5 DSVPN Configuration
This step is required when branches have only summarized routes to the central office.
----End
Context
NHRP allows a source device on a Non-Broadcast Multiple Access (NBMA) network to obtain
the public address of the next hop to the destination device. Perform the following operations
on the router of the central office.
Procedure
Step 1 Run:
system-view
p2mp
309
5 DSVPN Configuration
Dynamically registered branches are added to the NHRP multicast member table.
By default, no dynamically registered branch is added to the NHRP multicast member table.
NOTE
This step is required when branches learn routes from each other.
The AR3200 is configured to override conflicting NHRP mapping entries during NHRP
registration.
By default, the AR3200 does not override conflicting NHRP mapping entries during NHRP
registration.
Step 8 Run:
nhrp redirect
This step is required when branches have only summarized routes to the central office.
----End
Context
When DSVPN is configured, IPSec does not need to be configured. If IPSec is configured to
protect GRE traffic, the remote IP address in an NHRP mapping entry needs to be advertised to
the local device to establish an IPSec tunnel. Perform the following operations on the routers of
branches and the central office.
Issue 02 (2012-03-30)
310
5 DSVPN Configuration
Procedure
Step 1 Run:
system-view
For the detailed configuration of an IKE peer, see 4.4.4 Configuring an IKE Peer.
Step 4 Run:
proposal proposal-name
For the detailed configuration of an IKE proposal, see 4.4.5 Configuring an IPSec Proposal.
Step 5 Run:
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
The router is configured to use Perfect Forward Secrecy (PFS) in IPSec negotiation.
By default, PFS is not used in IPSec negotiation.
Step 6 Run:
quit
Issue 02 (2012-03-30)
311
5 DSVPN Configuration
Prerequisites
All DSVPN configurations are complete.
Procedure
l
Run the display nhrp peer command to check NHRP mapping entries.
Run the display ipsec profile [ brief | name profile-name ] command to check the IPSec
profile configuration.
----End
Prerequisites
All DSVPN configurations are complete.
Procedure
l
Run the display nhrp peer command to check NHRP mapping entries.
----End
Context
CAUTION
Statistics cannot be restored after being cleared. Exercise caution when you run the reset
command.
Issue 02 (2012-03-30)
312
5 DSVPN Configuration
Procedure
l
Run the reset nhrp statistics interface interface-type interface-number command in the
user view to clear the NHRP packet statistics on a specified tunnel interface.
----End
Networking Requirements
As shown in Figure 5-1, the hub (central office), Spoke1 (a branch), and Spoke2 (a branch)
belong to the same autonomous system (AS). They can communicate with each other on the IP
network using routing protocols.
Figure 5-1 Configuring DSVPN when branches learn routes from each other
Spoke1
(branch)
Eth1/0/0 44.3.1.2/24
NHRP
Tunnel 0/0/0
172.16.1.101/24
NHRP
Internet
Eth1/0/0
44.1.1.1/24
Tunnel 0/0/0
172.16.1.1/24
Hub
(central office)
Eth1/0/0 44.4.1.2/24
Spoke2
(branch)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Create tunnel interfaces on the Routers (Spoke1, Spoke2, and the hub) and specify source
addresses for tunnel interfaces.
3.
Issue 02 (2012-03-30)
313
5 DSVPN Configuration
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Assign an IP address to each interface.
Assign an IP address to each interface as shown in Figure 5-1. The specific configuration is not
mentioned here.
Step 2 Configure routes between the Routers.
# Configure OSPF on the Ethernet interface of the hub
[Huawei] ospf 2
[Huawei-ospf-2] area 0
[Huawei-ospf-2-area-0.0.0.0] network 44.1.1.0 0.0.0.255
[Huawei-ospf-2-area-0.0.0.0] quit
[Huawei-ospf-2] quit
# Configure Spoke1
[Huawei] ospf 3
[Huawei-ospf-2] area 0
[Huawei-ospf-2-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Huawei-ospf-2-area-0.0.0.0] quit
[Huawei-ospf-2] quit
# Configure Spoke2
[Huawei] ospf 3
[Huawei-ospf-2] area 0
[Huawei-ospf-2-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Huawei-ospf-2-area-0.0.0.0] quit
[Huawei-ospf-2] quit
Issue 02 (2012-03-30)
314
5 DSVPN Configuration
Step 4 Configure tunnel interfaces on the Routers and configure NHRP mapping entries of the hub on
Spoke1 and Spoke2.
# Configure a tunnel interface on the hub.
[Huawei] system-view
[Huawei] interface tunnel 0/0/0
[Huawei-Tunnel0/0/0] ip address 172.16.1.1 255.255.255.0
[Huawei-Tunnel0/0/0] tunnel-protocol gre p2mp
[Huawei-Tunnel0/0/0] source ethernet 1/0/0
[Huawei-Tunnel0/0/0] nhrp entry multicast dynamic
[Huawei-Tunnel0/0/0] ospf network-type broadcast
[Huawei-Tunnel0/0/0] ospf dr-priority 10
# Configure a tunnel interface and an NHRP mapping entry of the hub on Spoke1.
[Huawei] system-view
[Huawei] interface tunnel 0/0/0
[Huawei-Tunnel0/0/0] ip address 172.16.1.101 255.255.255.0
[Huawei-Tunnel0/0/0] tunnel-protocol gre p2mp
[Huawei-Tunnel0/0/0] source ethernet 1/0/0
[Huawei-Tunnel0/0/0] nhrp entry 172.16.1.1 44.1.1.1 register
[Huawei-Tunnel0/0/0] ospf network-type broadcast
[Huawei-Tunnel0/0/0] ospf dr-priority 8
# Configure a tunnel interface and an NHRP mapping entry of the hub on Spoke2.
[Huawei] system-view
[Huawei] interface tunnel 0/0/0
[Huawei-Tunnel0/0/0] ip address 172.16.1.102 255.255.255.0
[Huawei-Tunnel0/0/0] tunnel-protocol gre p2mp
[Huawei-Tunnel0/0/0] source ethernet 1/0/0
[Huawei-Tunnel0/0/0] nhrp entry 172.16.1.1 44.1.1.1 register
[Huawei-Tunnel0/0/0] ospf network-type broadcast
[Huawei-Tunnel0/0/0] ospf dr-priority 8
Run the display nhrp peer all command on Spoke2, and the command output is as follows.
[Huawei] display nhrp peer all
------------------------------------------------------------------------------Protocol-addr
Mask NBMA-addr
NextHop-addr
Type
Flag
------------------------------------------------------------------------------172.16.1.1
32
44.1.1.1
172.16.1.1
static
hub
------------------------------------------------------------------------------Tunnel interface: Tunnel0/0/0
Created time
: 2011.08.18-15:12:53
Expire time
: -NOTE
If you run the display nhrp peer all command on Spoke1 and Spoke2, you can view only the NHRP
mapping entry of the hub.
On the hub, check the NHRP mapping entries on Spoke1 and Spoke2.
Issue 02 (2012-03-30)
315
5 DSVPN Configuration
Run the display nhrp peer all command on the hub, and the command output is as follows.
[Huawei] display nhrp peer all
------------------------------------------------------------------------------Protocol-addr
Mask NBMA-addr
NextHop-addr
Type
Flag
------------------------------------------------------------------------------172.16.1.101
32
44.3.1.2
172.16.1.101
dynamic
route tunnel
------------------------------------------------------------------------------Tunnel interface: Tunnel0/0/0
Created time
: 2008.01.07-18:07:45
Expire time
: 2008.01.07-20:07:52
------------------------------------------------------------------------------Protocol-addr
Mask NBMA-addr
NextHop-addr
Type
Flag
------------------------------------------------------------------------------172.16.1.102
32
44.4.1.2
172.16.1.102
dynamic
route tunnel
------------------------------------------------------------------------------Tunnel interface: Tunnel0/0/0
Created time
: 2008.01.07-18:11:51
Expire time
: 2008.01.07-20:11:57
Run the display nhrp peer all command on Spoke2, and the command output is as follows.
[Huawei] display nhrp peer all
------------------------------------------------------------------------------Protocol-addr
Mask NBMA-addr
NextHop-addr
Type
Flag
------------------------------------------------------------------------------172.16.1.1
32
44.1.1.1
172.16.1.1
static
hub
------------------------------------------------------------------------------Tunnel interface: Tunnel0/0/0
Created time
: 2011.08.18-15:12:53
Expire time
: -------------------------------------------------------------------------------Protocol-addr
Mask NBMA-addr
NextHop-addr
Type
Flag
------------------------------------------------------------------------------172.16.1.101
32
44.3.1.2
172.16.1.101
dynamic
route tunnel
------------------------------------------------------------------------------Tunnel interface: Tunnel0/0/0
Created time
: 2011.08.18-16:10:33
Expire time
: 2011.08.18-18:10:33
------------------------------------------------------------------------------Protocol-addr
Mask NBMA-addr
NextHop-addr
Type
Flag
------------------------------------------------------------------------------172.16.1.102
32
44.4.1.2
172.16.1.102
dynamic
local
-------------------------------------------------------------------------------
Issue 02 (2012-03-30)
316
5 DSVPN Configuration
----End
Configuration Files
l
Issue 02 (2012-03-30)
317
5 DSVPN Configuration
area 0.0.0.0
network 44.4.1.0 0.0.0.255
#
ospf 3
area 0.0.0.0
network 172.16.1.0 0.0.0.255
#
return
Networking Requirements
As shown in Figure 5-2, the hub (central office), Spoke1 (a branch), and Spoke2 (a branch)
belong to the same autonomous system (AS). They can communicate with each other on the IP
network using routing protocols.
Figure 5-2 Configuring DSVPN when branches have only summarized routes to the central
office
Spoke1
(branch)
Eth1/0/0 44.3.1.2/24
NHRP
Tunnel 0/0/0
172.16.1.101/24
NHRP
Internet
Eth1/0/0
44.1.1.1/24
Tunnel 0/0/0
172.16.1.1/24
Hub
(central office)
Eth1/0/0 44.4.1.2/24
Spoke2
(branch)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Create tunnel interfaces on the Routers (Spoke1, Spoke2, and the hub) and specify source
addresses for tunnel interfaces.
3.
Enable NHRP redirect on the hub and NHRP shortcut on Spoke1 and Spoke2.
4.
Issue 02 (2012-03-30)
318
5 DSVPN Configuration
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Assign an IP address to each interface.
Assign an IP address to each interface as shown in Figure 5-2. The specific configuration is not
mentioned here.
Step 2 Configure routes between the Routers.
# Configure RIP on the Ethernet interface of the hub
[Huawei] rip
[Huawei-rip-1] network 44.0.0.0
[Huawei-rip-1] version 2
[Huawei-rip-1] quit
# Configure Spoke1
[Huawei] rip 2
[Huawei-rip-1] network 172.16.1.0
[Huawei-rip-1] version 2
[Huawei-rip-1] quit
# Configure Spoke2
[Huawei] rip 2
[Huawei-rip-1] network 172.16.1.0
[Huawei-rip-1] version 2
[Huawei-rip-1] quit
Step 4 Configure tunnel interfaces on the Routers and configure NHRP mapping entries of the hub on
Spoke1 and Spoke2.
# Configure a tunnel interface and enable NHRP redirect on the hub.
[Huawei] system-view
[Huawei] interface tunnel 0/0/0
Issue 02 (2012-03-30)
319
5 DSVPN Configuration
ip address 172.16.1.1 255.255.255.0
tunnel-protocol gre p2mp
source ethernet 1/0/0
nhrp redirect
nhrp entry multicast dynamic
# Configure a tunnel interface and an NHRP mapping entry of the hub, and enable NHRP shortcut
on Spoke1.
[Huawei] system-view
[Huawei] interface tunnel 0/0/0
[Huawei-Tunnel0/0/0] ip address 172.16.1.101 255.255.255.0
[Huawei-Tunnel0/0/0] tunnel-protocol gre p2mp
[Huawei-Tunnel0/0/0] source ethernet 1/0/0
[Huawei-Tunnel0/0/0] nhrp shortcut
[Huawei-Tunnel0/0/0] nhrp entry 172.16.1.1 44.1.1.1 register
# Configure a tunnel interface and an NHRP mapping entry of the hub, and enable NHRP shortcut
on Spoke2.
[Huawei] system-view
[Huawei] interface tunnel 0/0/0
[Huawei-Tunnel0/0/0] ip address 172.16.1.102 255.255.255.0
[Huawei-Tunnel0/0/0] tunnel-protocol gre p2mp
[Huawei-Tunnel0/0/0] source ethernet 1/0/0
[Huawei-Tunnel0/0/0] nhrp shortcut
[Huawei-Tunnel0/0/0] nhrp entry 172.16.1.1 44.1.1.1 register
Run the display nhrp peer all command on Spoke2, and the command output is as follows.
[Huawei] display nhrp peer all
------------------------------------------------------------------------------Protocol-addr
Mask NBMA-addr
NextHop-addr
Type
Flag
------------------------------------------------------------------------------172.16.1.1
32
44.1.1.1
172.16.1.1
static
hub
------------------------------------------------------------------------------Tunnel interface: Tunnel0/0/0
Created time
: 2011.08.18-15:12:53
Expire time
: -NOTE
If you run the display nhrp peer all command on Spoke1 and Spoke2, you can view only the NHRP
mapping entry of the hub.
On the hub, check the NHRP mapping entries on Spoke1 and Spoke2.
Run the display nhrp peer all command on the hub, and the command output is as follows.
[Huawei] display nhrp peer all
------------------------------------------------------------------------------Protocol-addr
Mask NBMA-addr
NextHop-addr
Type
Flag
------------------------------------------------------------------------------172.16.1.101
32
44.3.1.2
172.16.1.101
dynamic
route tunnel
Issue 02 (2012-03-30)
320
5 DSVPN Configuration
Run the display nhrp peer all command on Spoke2, and the command output is as follows.
[Huawei] display nhrp peer all
------------------------------------------------------------------------------Protocol-addr
Mask NBMA-addr
NextHop-addr
Type
Flag
------------------------------------------------------------------------------172.16.1.1
32
44.1.1.1
172.16.1.1
static
hub
------------------------------------------------------------------------------Tunnel interface: Tunnel0/0/0
Created time
: 2011.08.18-15:12:53
Expire time
: -------------------------------------------------------------------------------Protocol-addr
Mask NBMA-addr
NextHop-addr
Type
Flag
------------------------------------------------------------------------------172.16.1.101
32
44.3.1.2
172.16.1.101
dynamic
route tunnel
------------------------------------------------------------------------------Tunnel interface: Tunnel0/0/0
Created time
: 2011.08.18-16:10:33
Expire time
: 2011.08.18-18:10:33
------------------------------------------------------------------------------Protocol-addr
Mask NBMA-addr
NextHop-addr
Type
Flag
------------------------------------------------------------------------------172.16.1.102
32
44.4.1.2
172.16.1.102
dynamic
local
------------------------------------------------------------------------------Tunnel interface: Tunnel0/0/0
Created time
: 2011.08.18-16:10:33
Expire time
: 2011.08.18-18:10:33
----End
Issue 02 (2012-03-30)
321
5 DSVPN Configuration
Configuration Files
l
Issue 02 (2012-03-30)
322
Issue 02 (2012-03-30)
323
Dynamic remote access: Users can use any terminals to access an enterprise's intranet
through the Internet anytime and anywhere.
Differentiated user access privileges: The SSL VPN gateway assigns different access
privileges to employees, partners, and other users on the Internet. Each user can only access
authorized resources.
Terminals with different operating systems and application programs: Terminals running
different operating systems and application programs can access the enterprise's intranet.
Home
Mobile office
Internet
LAN
Internal servers
Partner
Hotel
Issue 02 (2012-03-30)
324
Virtual Gateway
An AR3200 functioning as an SSL VPN gateway can be divided into multiple virtual gateways.
Service configuration and user management are based on virtual gateways. Before configuring
SSL VPN services on the AR3200, create a virtual gateway.
When functioning as an SSL VPN gateway, the AR3200 provides two types of interfaces:
extranet interface and intranet interface.
An extranet interface connects to the Internet. Users on a virtual gateway can access the
web login page by using the extranet interface address.
An intranet interface connects to an internal server, allowing the virtual gateway to
communicate with the internal server.
To prevent unauthorized users from accessing internal resources and protect intranet
security, each virtual gateway must authenticate login users. After being bound to an AAA
domain, a virtual gateway performs AAA authentication for all login users. Only the
authenticated users are allowed to access internal resources.
To use an AR3200 as an SSL VPN gateway, you must configure and enable the basic SSL VPN
functions. If the basic SSL VPN functions are disabled, no user can access internal servers
through the SSL VPN gateway.
Issue 02 (2012-03-30)
325
The Web proxy service is based on the HTTPS protocol. Users access the internal Web
server through the SSL VPN gateway. The SSL VPN gateway functions as a proxy that
forwards data between users and the internal Web server. This function helps ensure that
access to the internal Web server is secure.
The port forwarding function allows applications to access internal servers using TCP.
Users can access the TCP-based services on the internal network. The typical port
forwarding services include Telnet login, desktop sharing, and mailing.
The IP forwarding function allows remote terminals to communicate with internal servers
at the network layer. For example, the remote terminals are allowed to ping internal servers.
The maximum number of online SSL VPN users is limited by the license. The SSL VPN function has
multiple capacity licenses, which allow different numbers of access users. Select one or more capacity
licenses according to service requirements. The device supports a maximum of two online SSL VPN users
without a license.
Applicable Environment
The configurations of basic SSL VPN functions include extranet/intranet interfaces and AAA
domain.
To use an AR3200 as an SSL VPN gateway, you must configure and enable the basic SSL VPN
functions. If the basic SSL VPN functions are disabled, no user can access internal servers
through the SSL VPN gateway.
Issue 02 (2012-03-30)
326
Pre-configuration Tasks
Before configuring basic SSL VPN functions, complete the following tasks:
l
Configuring IP addresses for the interfaces which will be configured as intranet and extranet
interfaces
Creating the AAA domain that you want to bind to the virtual gateway
Data Preparation
To configure the basic SSL VPN functions, you need the following data.
No.
Data
Context
An AR3200 functioning as an SSL VPN gateway can be divided into multiple virtual gateways.
Service configuration and user management are based on virtual gateways. Before configuring
SSL VPN services on the AR3200, create a virtual gateway.
Procedure
Step 1 Run:
system-view
327
Applicable Environment
Figure 6-2 Interfaces of a virtual gateway
Remote terminal
Extranet
interface
Intranet
interface
LAN
Internet
Internal servers
When functioning as an SSL VPN gateway, the AR3200 provides two types of interfaces:
extranet interface and intranet interface.
l
An extranet interface connects to the Internet. Users on a virtual gateway can access the
web login page by using the extranet interface address.
The intranet and extranet interfaces must be Layer 3 interfaces and have IP addresses.
Procedure
Step 1 Run:
system-view
328
Context
After being bound to an AAA domain, a virtual gateway performs AAA authentication for all
login users. Only the authenticated users are allowed to access internal resources.
Procedure
Step 1 Run:
system-view
Prerequisites
The following basic SSL VPN configurations have been completed:
l
Extranet and intranet interfaces (See 6.3.3 Configuring Intranet and Extranet
Interfaces.)
AAA domain (See 6.3.4 Binding an AAA Domain to the Virtual Gateway.)
Procedure
Step 1 Run:
system-view
329
Procedure
l
Run the display sslvpn gateway [ gateway-name ] command to check the virtual gateway
configurations.
----End
Applicable Environment
User management functions include:
l
The number of online SSL VPN users supported by the AR3200 is limited by the license. The number
of online SSL VPN users that each license support depends on the license level. The AR3200 supports
a maximum of two online SSL VPN users without a license. To enable the AR3200 to support more
online SSL VPN users, buy licenses from Huawei local office.
Issue 02 (2012-03-30)
330
Pre-configuration Tasks
Before configuring user management, complete the following task:
l
Procedure
Step 1 Run:
system-view
2.
Run the local-user user-name service-type sslvpn command to set the user type to SSL
VPN user.
3.
4.
Step 3 Run:
sslvpn gateway gateway-name
The maximum number of online users allowed by the virtual gateway is configured.
NOTE
The number of online SSL VPN users supported by the AR3200 is limited by the license. The number of
online SSL VPN users that each license support depends on the license level. The AR3200 supports a
maximum of two online SSL VPN users without a license. To enable the AR3200 to support more online
SSL VPN users, buy licenses from Huawei local office.
The maximum online duration of users allowed by the virtual gateway is configured.
By default, the maximum online duration of users allowed by the virtual gateway is 120 minutes.
Step 6 (Optional) Run:
cut user { name user-name | id user-id | all }
331
Run the display sslvpn gateway [ gateway-name ] command to check the virtual gateway
configurations.
Applicable Environment
Figure 6-3 Remote access to internal servers using the SSL VPN gateway
Web server
Email
SSL VPN gateway
Remote host
Internet
LAN
Intranet
SSL tunnel
Internal host
FTP server
As shown in Figure 6-3, an SSL VPN gateway is located at an intranet's edge, and works with
the browsers installed on remote terminals or clients downloaded using browsers to protect user
data on the Internet. Additionally, the SSL VPN gateway functions as the proxy to allow users
to access internal servers.
The AR3200 supports three service types as an SSL VPN gateway: Web proxy, port forwarding,
and IP forwarding.
Pre-configuration Tasks
Before configuring an SSL VPN service, complete the following task:
l
Data Preparation
To configure the SSL VPN serviced, you need the following data.
Issue 02 (2012-03-30)
332
No.
Data
Service parameters:
l Web proxy parameters: Web server's URL
l Port forwarding parameters: application server's IP address and port number
l IP forwarding parameters: IP address pool, ACL, routing mode, destination IP
address and mask of user route (for Split mode)
Context
An AR3200 functioning as an SSL VPN gateway can be divided into multiple virtual gateways.
Service configuration and user management are based on virtual gateways. Before configuring
SSL VPN services on the AR3200, create a virtual gateway.
Procedure
Step 1 Run:
system-view
Context
Figure 6-4 Web proxy service network
Remote terminal
Internet
Issue 02 (2012-03-30)
Web server
LAN
333
As shown in Figure 6-4, users access the internal Web server through the SSL VPN gateway.
The SSL VPN gateway functions as a proxy that forwards data between users and the internal
Web server. This function helps ensure that access to the internal Web server is secure.
The URL for the internal Web server must be specified so that users can access the Web server.
Procedure
Step 1 Run:
system-view
If the Web proxy function on the SSL VPN gateway is invalid, enable the tunnel mode; however, the tunnel
mode lowers security.
----End
Context
Figure 6-5 Port forwarding service network
Remote terminal
Issue 02 (2012-03-30)
Application server
LAN
334
As shown in Figure 6-5, users can access the TCP-based services on the internal network. The
typical port forwarding services include Telnet login, desktop sharing, and mailing.
NOTE
The TCP-based port numbers on the remote terminal and application server must be the same; otherwise,
the port forwarding service will fail.
The IP address and port number of the internal application server must be specified so that users
can access the application server.
To use the port forwarding service, a client software program is automatically downloaded from
the web page to transmit application-layer data through SSL connections. Users do not need to
upgrade their TCP program.
Procedure
Step 1 Run:
system-view
port port-number
The IP address and port number are configured for the port forwarding service.
By default, no IP address or port number is configured for the port forwarding service.
----End
Issue 02 (2012-03-30)
335
Context
Figure 6-6 IP forwarding service network
Remote terminal
Internet
Application server
LAN
As shown in Figure 6-6, the SSL VPN gateway allows remote terminals to communicate with
internal servers at the network layer. For example, they can share files.
To use the IP forwarding service, client software specific to the IP forwarding service must be
downloaded from the web page and installed on the terminals. After the client software is
installed, a virtual network adapter is also installed on the terminal. The client software is
responsible for setting up an SSL connection between the terminal and gateway, requesting an
IP address for the virtual network adapter, and creating a route with the virtual network adapter
as outbound interface.
After an IP address pool is bound to the IP forwarding service, an IP address is allocated from
the IP address pool to the terminal.
To limit user access, you can use the bind acl command to apply an ACL to the IP forwarding
service. Alternatively, you can set the routing mode to Split. In the Split mode, a terminal can
only communicate with the servers in the specified network segment.
Procedure
Step 1 Run:
system-view
336
If you configure a lease for the IP addresses in the IP address pool, ensure that the lease is longer than the
maximum online duration of SSL VPN users.
If users close the Internet Explorer when using the IP forwarding service, the running program cannot stop
and routes cannot be restored. In this situation, stop and restart the network adapter.
----End
Procedure
l
Run the display sslvpn gateway [ gateway-name ] command to check the virtual gateway
configurations.
Run the display sslvpn gateway gateway-name resource class { web-proxy | portforwarding | ip-forwarding } command to check the resources on a virtual gateway.
----End
337
Networking Environment
As shown in Figure 6-7, an enterprise's network connects to the Internet using a Router that
functions as an SSL VPN gateway. The marketing personnel on external networks, VIP
customers, and partners access the enterprise's intranet through the Router.
The networking requirements are as follows:
l
Marketing personnel access the internal Web server and mail server, share desktop with
the internal host 10.138.10.21, and ping the internal hosts 10.138.10.64-10.138.10.95.
VIP customers access the internal mail server and access the internal application server
through Telnet.
Marketing
personnel
Application
server
Eth2/0/0
Mail server
Eth1/0/0
LAN
Internet
Intranet
Router
Customers
Desktop
sharing host
Web server
Partner
Configuration Roadmap
The configuration roadmap is as follows:
l
Create virtual gateways on the Router for marketing personnel, VIP customers, and partners
and configure resources in the virtual gateways.
Data Preparation
To complete the configuration, you need the following data:
l
Issue 02 (2012-03-30)
IP Address
Port Number
Web server
10.138.10.1
80
Application service
10.138.10.2
34
Mail server
10.138.10.3
995
10.138.10.21
3389
338
Resource Type
IP Address
Port Number
Remote host
10.138.10.32-10.138.10.192
Virt
ual
Gate
way
Na
me
Extranet
Interfac
e
Intranet
Interfac
e
AAA
Dom
ain
Network
Segment
Mark
eting
perso
nnel
mark
et
Ethernet
2/0/0
Ethernet
1/0/0
defau
lt
Michael and
Michael123456
10.135.30.
0/24
VIP
custo
mers
custo
mer
Partn
ers
com
pany
Jessica and
Jessica654321
Ethernet
2/0/0
Ethernet
1/0/0
defau
lt
Amanda and
Amanda123456
10.136.30.
0/24
David and
David654321
Ethernet
2/0/0
Ethernet
1/0/0
defau
lt
10.137.30.
0/24
NOTE
Choose an AAA domain according to service requirements. For the configuration of an AAA domain,
see AAA Configuration in the Huawei AR3200 Series Enterprise Routers Configuration Guide Security.
Ensure that routes are available between the Router, enterprise intranet, and users.
Before using the AR3200 as an SSL VPN gateway, configure the Router as an HTTPS server. For the
configuration procedure, see "SSL Configuration" in the Huawei AR3200 Series Enterprise Routers
Configuration Guide - Security.
Procedure
l
Issue 02 (2012-03-30)
339
2.
3.
Configure the intranet/extranet interfaces and bind an AAA domain to the virtual
gateway.
[Router-sslvpn-market]
[Router-sslvpn-market]
[Router-sslvpn-market]
[Router-sslvpn-market]
4.
5.
# Configure the port forwarding service to allow marketing personnel to access the
mail server and share desktop with the internal host 10.138.10.21.
[Router-sslvpn-market] service-type port-forwarding resource market_portforwarding
[Router-sslvpn-market-pf-res-market_port-forwarding] server ip-address
10.138.10.21 port 3389
[Router-sslvpn-market-pf-res-market_port-forwarding] quit
# Configure the IP forwarding service to allow marketing personnel to ping the internal
hosts 10.138.10.64-10.138.10.95.
[Router-sslvpn-market] service-type ip-forwarding resource market_ipforwarding
[Router-sslvpn-market-if-res-market_ip-forwarding] bind ip-pool
market_pool
[Router-sslvpn-market-if-res-market_ip-forwarding] route-mode split
[Router-sslvpn-market-if-res-market_ip-forwarding] route-split ip address
10.138.10.64 mask 27
[Router-sslvpn-market-if-res-market_ip-forwarding] quit
[Router-sslvpn-market] quit
NOTE
To ensure that reachable routes are available between the enterprise intranet and virtual network
adapters of the SSL VPN users, configure a dynamic routing protocol on the Router and
configure the routing protocol to import user network routes (UNRs).
6.
Issue 02 (2012-03-30)
340
2.
Configure the intranet/extranet interfaces and bind an AAA domain to the virtual
gateway.
[Router-sslvpn-customer]
[Router-sslvpn-customer]
[Router-sslvpn-customer]
[Router-sslvpn-customer]
3.
4.
5.
2.
Configure the intranet/extranet interfaces and bind an AAA domain to the virtual
gateway.
[Router-sslvpn-company]
[Router-sslvpn-company]
[Router-sslvpn-company]
[Router-sslvpn-company]
3.
4.
5.
Issue 02 (2012-03-30)
341
Open the Internet Explorer on the terminal, such as a computer, and enter https://
1.1.1.1/sslvpn to access the login page. Enter the user name and password, and select
the virtual gateway company. After authentication, you can see a resource list on the
Web page.
----End
Configuration Files
#
sysname Router
#
interface Ethernet 2/0/0
ip address 1.1.1.1 255.255.255.0
#
interface Ethernet 1/0/0
ip address 10.138.10.254 255.255.255.0
#
ip pool market_pool
network 10.139.30.0 mask 24
#
sslvpn gateway market
extranet interface Ethernet 2/0/0
intranet interface Ethernet 1/0/0
bind domain default
user liming password cipher !9$"OZ$+1"-',917]_2Y71!!
user wangjun password cipher =S@P;D^[S_2)S(YTABR0IQ!!
enable
service-type web-proxy resource market_web-proxy
link http://10.138.10.1:80/
service-type port-forwarding resource market_port-forwarding
server ip-address 10.138.10.21 port 3389
service-type ip-forwarding resource market_ip-forwarding
bind ip-pool market_pool
route-mode split
route-split ip address 10.138.10.64 mask 27
#
sslvpn gateway customer
extranet interface Ethernet 2/0/0
intranet interface Ethernet 1/0/0
bind domain default
user zhanghong password cipher B193FII=.MY%X)AG\U/NCA!!
user huwei password cipher P<9=H7#P["9%X)AG\U/NCA!!
enable
service-type port-forwarding resource customer_port-forwarding
server ip-address 10.138.10.3 port 995
#
sslvpn gateway company
extranet interface Ethernet 2/0/0
intranet interface Ethernet 1/0/0
bind domain default
user jack password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
user john password cipher +Q4Z3D_*-N[Q=^Q`MAF4<1!!
enable
service-type web-proxy resource company_web-proxy
link http://10.138.10.1:80/
#
return
Issue 02 (2012-03-30)
342